WDNS-AC-000001 – The Windows 2012 DNS Server must restrict incoming dynamic update requests to known clients. Details Limiting the number of concurrent sessions reduces the risk of Denial of Service (DoS) on any system. A DNS...
WDNS-AU-000001 – The Windows 2012 DNS Server must be configured to record, and make available to authorized personnel, who added/modified/deleted DNS zone information. Details Without a means for identifying the individual that produced the information, the information cannot be relied upon. Identifying the...
WDNS-CM-000006 – The Windows 2012 DNS Server with a caching name server role must be secured against pollution by ensuring the authenticity and integrity of queried records. Details A potential vulnerability of DNS is that an attacker can poison a name server’s cache by sending queries that...
WDNS-CM-000007 – The Windows 2012 DNS Server must implement cryptographic mechanisms to detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS). Details Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include,...
WDNS-CM-000008 – The validity period for the RRSIGs covering a zone's DNSKEY RRSet must be no less than two days and no more than one week. Details The best way for a zone administrator to minimize the impact of a key compromise is by limiting the...
WDNS-AU-000003 – The Windows 2012 DNS Server must, in the event of an error validating another DNS server's identity, send notification to the DNS administrator. Details Failing to act on the validation errors may result in the use of invalid, corrupted, or compromised information. The...
WDNS-CM-000009 – NSEC3 must be used for all internal DNS zones. Details NSEC records list the resource record types for the name, as well as the name of the next resource...
WDNS-AU-000005 – The Windows 2012 DNS Server log must be enabled. Details Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating...
WDNS-CM-000010 – The Windows 2012 DNS Server's zone files must have NS records that point to active name servers authoritative for the domain specified in that record. Details Poorly constructed NS records pose a security risk because they create conditions under which an adversary might be able...
WDNS-AU-000006 – The Windows 2012 DNS Server logging must be enabled to record events from all DNS server functions. Details DNS server performance can be affected when additional logging is enabled; however, the enhanced DNS logging and diagnostics feature...