The Windows DNS Server must only contain zone records that have been validated annually.

An XCCDF Rule

Description

Vulnerability Discussion
If zone information has not been validated in more than a year, there is no assurance that it is still valid. If invalid records are in a zone, an adversary could potentially use their existence for improper purposes. A standard operating procedure detailing this process can resolve this requirement.

Documentable
false

ID
SV-259394r945334_rule
Severity
Medium
References
Updated



Remediation - Manual Procedure

Create a separate database to maintain record documentation for non-AD-integrated zones.

Develop a procedure to validate annually all zone information on the DNS server against the separately maintained database.

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account.
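One way to carry out the annual comparison step with the DnsServer PowerShell module, as an added example that is not part of the STIG rule text: the script enumerates every primary zone that is not AD-integrated, flattens each resource record to text, and compares the result with the separately maintained record database. The database layout (a CSV with ZoneName, HostName, RecordType, RecordData and LastValidated columns), its path, and the 365-day age threshold are assumptions; the cmdlets and RecordData property names are those of the DnsServer module.

```powershell
# Added example (not part of the STIG rule text): export the records of every
# non-AD-integrated primary zone and compare them with a separately maintained
# record database kept as a CSV. The CSV layout and path are assumptions.
#Requires -Modules DnsServer

param(
    # Assumed layout of the separately maintained record database:
    # ZoneName,HostName,RecordType,RecordData,LastValidated (yyyy-MM-dd)
    [string]$BaselineCsv = 'C:\DNSAudit\zone-records-baseline.csv',  # assumed path
    [int]$MaxAgeDays = 365
)

# Flatten a resource record's data to a comparable text form.
function ConvertTo-RecordText {
    param($Record)
    switch ($Record.RecordType) {
        'A'     { $Record.RecordData.IPv4Address.IPAddressToString }
        'AAAA'  { $Record.RecordData.IPv6Address.IPAddressToString }
        'CNAME' { $Record.RecordData.HostNameAlias }
        'PTR'   { $Record.RecordData.PtrDomainName }
        'MX'    { "$($Record.RecordData.Preference) $($Record.RecordData.MailExchange)" }
        'NS'    { $Record.RecordData.NameServer }
        'SRV'   { "$($Record.RecordData.Priority) $($Record.RecordData.Weight) $($Record.RecordData.Port) $($Record.RecordData.DomainName)" }
        'TXT'   { $Record.RecordData.DescriptiveText }
        default { ($Record.RecordData | Out-String).Trim() }
    }
}

# Primary zones stored in zone files rather than in AD; auto-created zones
# (for example the loopback reverse zones) are skipped.
$zones = Get-DnsServerZone | Where-Object {
    $_.ZoneType -eq 'Primary' -and -not $_.IsDsIntegrated -and -not $_.IsAutoCreated
}

# Current state of the server, one object per record.
$live = foreach ($zone in $zones) {
    Get-DnsServerResourceRecord -ZoneName $zone.ZoneName | ForEach-Object {
        [pscustomobject]@{
            ZoneName   = $zone.ZoneName
            HostName   = $_.HostName
            RecordType = $_.RecordType
            RecordData = ConvertTo-RecordText $_
        }
    }
}

# The separately maintained record database.
$baseline = Import-Csv -Path $BaselineCsv

# Key each record by zone/host/type/data so the two sets can be compared.
$keyOf = { param($r) "$($r.ZoneName)|$($r.HostName)|$($r.RecordType)|$($r.RecordData)" }
$liveKeys     = @($live     | ForEach-Object { & $keyOf $_ })
$baselineKeys = @($baseline | ForEach-Object { & $keyOf $_ })

# Records that exist on the server but have no documented entry.
$undocumented = @($live     | Where-Object { (& $keyOf $_) -notin $baselineKeys })
# Documented entries that no longer exist on the server.
$stale        = @($baseline | Where-Object { (& $keyOf $_) -notin $liveKeys })
# Documented entries whose last validation is older than the threshold.
$overdue      = @($baseline | Where-Object {
    [datetime]::ParseExact($_.LastValidated, 'yyyy-MM-dd', $null) -lt (Get-Date).AddDays(-$MaxAgeDays)
})

"Records on the server but not in the database (need validation): $($undocumented.Count)"
$undocumented | Format-Table -AutoSize
"Database entries no longer on the server (remove or investigate): $($stale.Count)"
$stale | Format-Table -AutoSize
"Database entries not validated within $MaxAgeDays days: $($overdue.Count)"
$overdue | Format-Table -AutoSize
```

Run it on the DNS server itself from the account named in the procedure; the three lists it prints are the work items for the annual review (document or remove undocumented records, clean up stale database entries, and re-validate overdue ones), and updating the LastValidated column afterwards is the evidence the rule asks for.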