Microsoft Windows Server Domain Name System (DNS) Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
- The Windows DNS Server must enforce approved authorizations between DNS servers using digital signatures in the Resource Record Set (RRSet).
  A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If information flow is not enforced based on approved authorizations, ... [Rule, Medium Severity]

- Automatic Update of Trust Anchors must be enabled on key rollover.
  A trust anchor is a preconfigured public key associated with a specific zone. A validating DNS server must be configured with one or more trust anchors to perform validation. If the DNS server is r... [Rule, Medium Severity]

- The Windows DNS secondary servers must request data origin authentication verification from the primary server when requesting name/address resolution.
  If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poisoned cache, the packets could have been intercep... [Rule, Medium Severity]

- The Windows DNS secondary server must validate data integrity verification on the name/address resolution responses received from primary name servers.
  If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poisoned cache, the packets could have been intercep... [Rule, Medium Severity]

- The Windows DNS secondary server must validate data origin verification authentication on the name/address resolution responses received from primary name servers.
  If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poisoned cache, the packets could have been intercep... [Rule, Medium Severity]

- The Windows DNS Server must use an approved DOD PKI certificate authority.
  Untrusted certificate authorities (CA) can issue certificates, but the certificates may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insuff... [Rule, Medium Severity]

- The Windows DNS Server must restrict individuals from using it for launching denial-of-service (DoS) attacks against other information systems.
  Applications and application developers must take steps to ensure users cannot use an authorized application to launch DoS attacks against other systems and networks. For example, applications may ... [Rule, Medium Severity]

- The Windows DNS Server must maintain the integrity of information during preparation for transmission.
  Information can be unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and durin... [Rule, Medium Severity]

- The Windows DNS Server must implement NIST FIPS-validated cryptography for provisioning digital signatures, generating cryptographic hashes, and protecting unclassified information requiring confidentiality.
  Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The application must implement cryptographic modules adhering to the higher standards appr... [Rule, Medium Severity]

- The Windows DNS Server must follow procedures to re-role a secondary name server as the primary name server if the primary name server permanently loses functionality.
  Failing to an unsecure condition negatively impacts application security and can lead to system compromise. Failure conditions include, for example, loss of communications among critical system com... [Rule, Medium Severity]