Skip to content

Microsoft Windows Server Domain Name System (DNS) Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SRG-APP-000394-DNS-000049

    <GroupDescription></GroupDescription>
    Group
  • The secondary Windows DNS name servers must cryptographically authenticate zone transfers from primary name servers.

    &lt;VulnDiscussion&gt;Authenticity of zone transfers within Windows Active Directory (AD)-integrated zones is accomplished by AD replication. Witho...
    Rule Medium Severity
  • SRG-APP-000001-DNS-000001

    <GroupDescription></GroupDescription>
    Group
  • The Windows DNS primary server must only send zone transfers to a specific list of secondary name servers.

    &lt;VulnDiscussion&gt;Primary name servers also make outbound connection to secondary name servers to provide zone transfers and accept inbound con...
    Rule Medium Severity
  • SRG-APP-000347-DNS-000041

    <GroupDescription></GroupDescription>
    Group
  • The Windows DNS Server must provide its identity with returned DNS information by enabling DNSSEC and TSIG/SIG(0).

    &lt;VulnDiscussion&gt;Weakly bound credentials can be modified without invalidating the credential; therefore, nonrepudiation can be violated. Thi...
    Rule Medium Severity
  • SRG-APP-000176-DNS-000017

    <GroupDescription></GroupDescription>
    Group
  • The Windows DNS Server must be configured to enforce authorized access to the corresponding private key.

    &lt;VulnDiscussion&gt;The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, th...
    Rule Medium Severity
  • SRG-APP-000176-DNS-000018

    <GroupDescription></GroupDescription>
    Group
  • The Windows DNS Server key file must be owned by the account under which the Windows DNS Server service is run.

    &lt;VulnDiscussion&gt;To enable zone transfer (requests and responses) through authenticated messages, it is necessary to generate a key for every ...
    Rule Medium Severity
  • SRG-APP-000176-DNS-000019

    <GroupDescription></GroupDescription>
    Group
  • The Windows DNS Server permissions must be set so the key file can only be read or modified by the account that runs the name server software.

    &lt;VulnDiscussion&gt;To enable zone transfer (requests and responses) through authenticated messages, it is necessary to generate a key for every ...
    Rule Medium Severity
  • SRG-APP-000176-DNS-000094

    <GroupDescription></GroupDescription>
    Group
  • The private key corresponding to the zone signing key (ZSK) must only be stored on the name server that does support dynamic updates.

    &lt;VulnDiscussion&gt;The private keys in the key signing key (KSK) and ZSK key pairs must be protected from unauthorized access. If possible, the ...
    Rule Medium Severity
  • SRG-APP-000401-DNS-000051

    <GroupDescription></GroupDescription>
    Group
  • The Windows DNS Server must implement a local cache of revocation data for PKI authentication.

    &lt;VulnDiscussion&gt;Not configuring a local cache of revocation data could allow access to users who are no longer authorized (users with revoked...
    Rule Medium Severity
  • SRG-APP-000516-DNS-000077

    <GroupDescription></GroupDescription>
    Group
  • The salt value for zones signed using NSEC3 resource records (RRs) must be changed every time the zone is completely re-signed.

    &lt;VulnDiscussion&gt;NSEC records list the resource record types for the name, as well as the name of the next resource record. With this informat...
    Rule Medium Severity
  • SRG-APP-000213-DNS-000024

    <GroupDescription></GroupDescription>
    Group
  • The Windows DNS Server must include data origin with authoritative data the system returns in response to external name/address resolution queries.

    &lt;VulnDiscussion&gt;The underlying feature in the major threat associated with DNS query/response (i.e., forged response or response failure) is ...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules