The Windows 2012 DNS Server must protect the authenticity of dynamic updates via transaction signing.

An XCCDF Rule

Description

DNS is a fundamental network service that is prone to various attacks, such as cache poisoning and man-in-the-middle attacks. If communication sessions are not provided appropriate validity protections, such as the employment of DNSSEC, the authenticity of the data cannot be guaranteed. The combination of signing DNS zones by DNSSEC and requiring clients to send their dynamic updates securely assures the authenticity of those DNS records when providing query responses for them.
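The two conditions described above (zone signed, dynamic updates accepted only securely) can be read from PowerShell with the `DnsServer` module's `Get-DnsServerZone`. The following read-only audit is an added example, not part of the STIG text; the function name `Test-ZoneUpdateProtection` and its pass criteria (zone is signed and does not accept nonsecure updates) are assumptions drawn from the description, not the rule's official check procedure.

```powershell
#Requires -Modules DnsServer
# Added example: read-only audit of DNSSEC signing and dynamic-update settings.
# Assumption: a zone passes when it is signed and does not accept nonsecure updates.

function Test-ZoneUpdateProtection {
    param(
        # Zone objects as returned by Get-DnsServerZone.
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$Zone
    )
    process {
        foreach ($z in $Zone) {
            $problems = @()

            if (-not $z.IsSigned) {
                $problems += 'zone is not DNSSEC-signed'
            }

            switch ([string]$z.DynamicUpdate) {
                'Secure'             { }   # only authenticated updates accepted
                'None'               { }   # zone accepts no dynamic updates at all
                'NonsecureAndSecure' { $problems += 'accepts nonsecure dynamic updates' }
                default              { $problems += "unrecognized DynamicUpdate value '$_'" }
            }

            [pscustomobject]@{
                ZoneName      = $z.ZoneName
                IsSigned      = [bool]$z.IsSigned
                DynamicUpdate = [string]$z.DynamicUpdate
                Compliant     = ($problems.Count -eq 0)
                Problems      = $problems -join '; '
            }
        }
    }
}

# Hosted primary zones only. Auto-created zones are skipped, as is TrustAnchors,
# which stores DNSSEC trust anchors and is not itself a signed zone.
Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' -and
                   -not $_.IsAutoCreated -and
                   $_.ZoneName -ne 'TrustAnchors' } |
    Test-ZoneUpdateProtection |
    Sort-Object Compliant, ZoneName |
    Format-Table -AutoSize
```

Run it on the DNS server from an elevated session under the same Administrator or DNS Administrator account the manual procedure uses; non-compliant zones sort to the top.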

ID
SV-215627r561297_rule
Severity
High

Remediation - Manual Procedure

Sign, or re-sign, the hosted zone(s) on the DNS server being validated.

Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator.

If not automatically started, initialize the Server Manager window by clicking its icon from the bottom left corner of the screen.