The secondary Windows DNS name servers must cryptographically authenticate zone transfers from primary name servers.
An XCCDF Rule
Description
<VulnDiscussion>Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Device authentication is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring only specific pre-authorized devices can access the system. This requirement applies to server-to-server (zone transfer) transactions only and is provided by TSIG/SIG(0), which enforces mutual server authentication using a key that is unique to each server pair (TSIG) or using PKI-based authentication (SIG(0)).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-215601r561297_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Sign, or re-sign, the hosted zone(s) on the DNS server being validated.
Log on to the DNS server using the account designated as Administrator or DNS Administrator.
If not automatically started, initialize the Server Manager window by clicking its icon from the bottom left corner of the screen.
Once the Server Manager window is initialized, from the left pane, click to select the DNS category.