The Windows DNS Server must require devices to reauthenticate for each dynamic update request connection attempt.
An XCCDF Rule
Description
<VulnDiscussion>Without reauthenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. In addition to the reauthentication requirements associated with session locks, organizations may require reauthentication of devices, including but not limited to the following other situations: (i) When authenticators change; (ii) When roles change; (iii) When security categories of information systems change; (iv) After a fixed period of time; or (v) Periodically. DNS does perform server authentication when DNSSEC or TSIG/SIG(0) are used, but this authentication is transactional in nature (each transaction has its own authentication performed). Therefore, this requirement is applicable for every server-to-server transaction request.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-259362r945269_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account.
Press the Windows key + R and execute "dnsmgmt.msc".
On the opened DNS Manager snap-in from the left pane, expand the server name and then expand "Forward Lookup Zones".