Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-APP-000158-DNS-000015
<GroupDescription></GroupDescription>Group -
The Windows 2012 DNS Server must uniquely identify the other DNS server before responding to a server-to-server transaction.
<VulnDiscussion>Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. This...Rule Medium Severity -
SRG-APP-000394-DNS-000049
<GroupDescription></GroupDescription>Group -
The secondary Windows DNS name servers must cryptographically authenticate zone transfers from primary name servers.
<VulnDiscussion>Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. D...Rule Medium Severity -
SRG-APP-000001-DNS-000001
<GroupDescription></GroupDescription>Group -
The Windows DNS primary server must only send zone transfers to a specific list of secondary name servers.
<VulnDiscussion>Primary name servers also make outbound connection to secondary name servers to provide zone transfers and accept inbound con...Rule Medium Severity -
SRG-APP-000347-DNS-000041
<GroupDescription></GroupDescription>Group -
The Windows 2012 DNS Server must provide its identity with returned DNS information by enabling DNSSEC and TSIG/SIG(0).
<VulnDiscussion>Weakly bound credentials can be modified without invalidating the credential; therefore, non-repudiation can be violated. Th...Rule Medium Severity -
SRG-APP-000176-DNS-000017
<GroupDescription></GroupDescription>Group -
The Windows 2012 DNS Server must be configured to enforce authorized access to the corresponding private key.
<VulnDiscussion>The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, th...Rule Medium Severity -
SRG-APP-000176-DNS-000018
<GroupDescription></GroupDescription>Group -
The Windows 2012 DNS Server key file must be owned by the account under which the Windows 2012 DNS Server service is run.
<VulnDiscussion>To enable zone transfer (requests and responses) through authenticated messages, it is necessary to generate a key for every ...Rule Medium Severity -
SRG-APP-000176-DNS-000019
<GroupDescription></GroupDescription>Group -
The Windows 2012 DNS Server permissions must be set so that the key file can only be read or modified by the account that runs the name server software.
<VulnDiscussion>To enable zone transfer (requests and responses) through authenticated messages, it is necessary to generate a key for every ...Rule Medium Severity -
SRG-APP-000176-DNS-000094
<GroupDescription></GroupDescription>Group -
The private key corresponding to the ZSK must only be stored on the name server that does support dynamic updates.
<VulnDiscussion>The private keys in the KSK and ZSK key pairs must be protected from unauthorized access. If possible, the private keys shoul...Rule Medium Severity -
SRG-APP-000401-DNS-000051
<GroupDescription></GroupDescription>Group -
The Windows 2012 DNS Server must implement a local cache of revocation data for PKIauthentication in the event revocation information via the network is not accessible.
<VulnDiscussion>Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer autho...Rule Medium Severity -
SRG-APP-000516-DNS-000077
<GroupDescription></GroupDescription>Group -
The Name Resolution Policy Table (NRPT) must be configured in Group Policy to enforce clients to request DNSSEC validation for a domain.
<VulnDiscussion>The Name Resolution Policy Table (NRPT) is used to require DNSSEC validation. The NRPT can be configured in local Group Polic...Rule Medium Severity -
SRG-APP-000215-DNS-000026
<GroupDescription></GroupDescription>Group -
The salt value for zones signed using NSEC3 RRs must be changed every time the zone is completely re-signed.
<VulnDiscussion>NSEC records list the resource record types for the name, as well as the name of the next resource record. With this informat...Rule Medium Severity -
SRG-APP-000213-DNS-000024
<GroupDescription></GroupDescription>Group -
The Windows 2012 DNS Server must include data origin with authoritative data the system returns in response to external name/address resolution queries.
<VulnDiscussion>The underlying feature in the major threat associated with DNS query/response (i.e., forged response or response failure) is ...Rule Medium Severity -
SRG-APP-000420-DNS-000053
<GroupDescription></GroupDescription>Group -
The Windows 2012 DNS Servers IP address must be statically defined and configured locally on the server.
<VulnDiscussion>The major threat associated with DNS forged responses or failures are the integrity of the DNS data returned in the response....Rule Medium Severity -
SRG-APP-000420-DNS-000053
<GroupDescription></GroupDescription>Group -
The Windows 2012 DNS Server must return data information in responses to internal name/address resolution queries.
<VulnDiscussion>The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. ...Rule Medium Severity -
SRG-APP-000421-DNS-000054
<GroupDescription></GroupDescription>Group -
The Windows 2012 DNS Server must use DNSSEC data within queries to confirm data origin to DNS resolvers.
<VulnDiscussion>The major threat associated with DNS forged responses or failures are the integrity of the DNS data returned in the response....Rule Medium Severity -
SRG-APP-000422-DNS-000055
<GroupDescription></GroupDescription>Group -
WINS lookups must be disabled on the Windows 2012 DNS Server.
<VulnDiscussion>The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. ...Rule Medium Severity -
SRG-APP-000422-DNS-000055
<GroupDescription></GroupDescription>Group -
The Windows 2012 DNS Server must use DNSSEC data within queries to confirm data integrity to DNS resolvers.
<VulnDiscussion>The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. ...Rule Medium Severity -
SRG-APP-000214-DNS-000025
<GroupDescription></GroupDescription>Group -
The Windows 2012 DNS Server must be configured with the DS RR carrying the signature for the RR that contains the public key of the child zone.
<VulnDiscussion>If name server replies are invalid or cannot be validated, many networking functions and communication would be adversely aff...Rule Medium Severity -
SRG-APP-000215-DNS-000003
<GroupDescription></GroupDescription>Group -
The Windows 2012 DNS Server must enforce approved authorizations between DNS servers through the use of digital signatures in the RRSet.
<VulnDiscussion>A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design...Rule Medium Severity -
SRG-APP-000215-DNS-000003
<GroupDescription></GroupDescription>Group -
The Windows 2012 DNS Server must be configured to validate an authentication chain of parent and child domains via response data.
<VulnDiscussion>If name server replies are invalid or cannot be validated, many networking functions and communication would be adversely aff...Rule Medium Severity -
SRG-APP-000215-DNS-000026
<GroupDescription></GroupDescription>Group -
Trust anchors must be exported from authoritative Windows 2012 DNS Servers and distributed to validating Windows 2012 DNS Servers.
<VulnDiscussion>If name server replies are invalid or cannot be validated, many networking functions and communication would be adversely aff...Rule Medium Severity -
SRG-APP-000215-DNS-000026
<GroupDescription></GroupDescription>Group -
Automatic Update of Trust Anchors must be enabled on key rollover.
<VulnDiscussion>A trust anchor is a preconfigured public key associated with a specific zone. A validating DNS server must be configured with...Rule Medium Severity -
SRG-APP-000423-DNS-000056
<GroupDescription></GroupDescription>Group -
The Windows DNS secondary servers must request data origin authentication verification from the primary server when requesting name/address resolution.
<VulnDiscussion>If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it m...Rule Medium Severity -
SRG-APP-000424-DNS-000057
<GroupDescription></GroupDescription>Group -
The Windows DNS secondary server must request data integrity verification from the primary server when requesting name/address resolution.
<VulnDiscussion>If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it m...Rule Medium Severity -
SRG-APP-000425-DNS-000058
<GroupDescription></GroupDescription>Group -
The Windows DNS secondary server must validate data integrity verification on the name/address resolution responses received from primary name servers.
<VulnDiscussion>If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it m...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.