Microsoft Windows Server Domain Name System (DNS) Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • The Windows DNS Server must enforce approved authorizations between DNS servers using digital signatures in the Resource Record Set (RRSet).

    A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If information flow is not enforced based on approved authorizations, ...
    Rule Medium Severity
  • Automatic Update of Trust Anchors must be enabled on key rollover.

    A trust anchor is a preconfigured public key associated with a specific zone. A validating DNS server must be configured with one or more trust anchors to perform validation. If the DNS server is r...
    Rule Medium Severity
  • The Windows DNS secondary servers must request data origin authentication verification from the primary server when requesting name/address resolution.

    If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poisoned cache, the packets could have been intercep...
    Rule Medium Severity
  • The Windows DNS secondary server must validate data integrity verification on the name/address resolution responses received from primary name servers.

    If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poisoned cache, the packets could have been intercep...
    Rule Medium Severity
  • The Windows DNS secondary server must validate data origin verification authentication on the name/address resolution responses received from primary name servers.

    If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poisoned cache, the packets could have been intercep...
    Rule Medium Severity
  • The Windows DNS Server must use an approved DOD PKI certificate authority.

    Untrusted certificate authorities (CA) can issue certificates, but the certificates may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insuff...
    Rule Medium Severity
  • The Windows DNS Server must restrict individuals from using it for launching denial-of-service (DoS) attacks against other information systems.

    Applications and application developers must take steps to ensure users cannot use an authorized application to launch DoS attacks against other systems and networks. For example, applications may ...
    Rule Medium Severity
  • The Windows DNS Server must maintain the integrity of information during preparation for transmission.

    Information can be unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and durin...
    Rule Medium Severity
  • The Windows DNS Server must implement NIST FIPS-validated cryptography for provisioning digital signatures, generating cryptographic hashes, and protecting unclassified information requiring confidentiality.

    Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The application must implement cryptographic modules adhering to the higher standards appr...
    Rule Medium Severity
  • The Windows DNS Server must follow procedures to re-role a secondary name server as the primary name server if the primary name server permanently loses functionality.

    Failing to an unsecure condition negatively impacts application security and can lead to system compromise. Failure conditions include, for example, loss of communications among critical system com...
    Rule Medium Severity
  • The DNS Name Server software must be configured to refuse queries for its version information.

    Each newer version of the name server software, especially the BIND software, generally is devoid of vulnerabilities found in earlier versions because it has design changes incorporated to address ...
    Rule Medium Severity
  • The Windows DNS Server must verify the correct operation of security functions upon system startup and/or restart, upon command by a user with privileged access, and/or every 30 days.

    Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data ...
    Rule Medium Severity
  • The Windows DNS Server must log the event and notify the system administrator when anomalies in the operation of the signed zone transfers are discovered.

    Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data ...
    Rule Medium Severity
  • The DNS server implementation must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.

    If unauthorized personnel use maintenance tools, they may accidentally or intentionally damage or compromise the system. The act of managing systems and applications includes the ability to access ...
    Rule Medium Severity
  • SRG-APP-000348-DNS-000042

    Group
  • SRG-APP-000350-DNS-000044

    Group
  • The Windows DNS Server must notify the DNS administrator in the event of an error validating another DNS server's identity.

    Failing to act on validation errors may result in the use of invalid, corrupted, or compromised information. The validation of bindings can be achieved, for example, using cryptographic checksums. ...
    Rule Medium Severity
  • SRG-APP-000089-DNS-000004

    Group
  • The Windows DNS Server log must be enabled.

    Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. The actual...
    Rule Medium Severity
  • SRG-APP-000516-DNS-000500

    Group