III - Administrative Public
Rules and Groups employed by this XCCDF Profile
-
SRG-APP-000516-DNS-000114
Group -
The Windows 2012 DNS Servers zone files must not include CNAME records pointing to a zone with lesser security for more than six months.
The use of CNAME records for exercises, tests, or zone-spanning (pointing to zones with lesser security) aliases should be temporary (e.g., to facilitate a migration) and not be in place for more t...Rule Medium Severity -
SRG-APP-000516-DNS-000500
Group -
Non-routable IPv6 link-local scope addresses must not be configured in any zone.
IPv6 link-local scope addresses are not globally routable and must not be configured in any DNS zone. Similar to RFC1918 addresses, if a link-local scope address is inserted into a zone provided t...Rule Medium Severity -
SRG-APP-000516-DNS-000500
Group -
AAAA addresses must not be configured in a zone for hosts that are not IPv6-aware.
DNS is only responsible for resolving a domain name to an IP address. Applications and operating systems are responsible for processing the IPv6 or IPv4 record that may be returned. With this in ...Rule Medium Severity -
SRG-APP-000142-DNS-000014
Group -
The Windows 2012 DNS Server must be configured to prohibit or restrict unapproved ports and protocols.
In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable...Rule Medium Severity -
SRG-APP-000390-DNS-000048
Group -
The Windows 2012 DNS Server must require devices to re-authenticate for each dynamic update request connection attempt.
Without re-authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. In addition to the re-authentication requirements associated with ses...Rule Medium Severity -
SRG-APP-000158-DNS-000015
Group -
The Windows 2012 DNS Server must uniquely identify the other DNS server before responding to a server-to-server transaction.
Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. This applies to server-to-server (zone transfer) transactions only and is pr...Rule Medium Severity -
SRG-APP-000394-DNS-000049
Group -
The secondary Windows DNS name servers must cryptographically authenticate zone transfers from primary name servers.
Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Device authentication is a solution enabling an organization to manage de...Rule Medium Severity -
SRG-APP-000001-DNS-000001
Group -
The Windows DNS primary server must only send zone transfers to a specific list of secondary name servers.
Primary name servers also make outbound connection to secondary name servers to provide zone transfers and accept inbound connection requests from clients wishing to provide a dynamic update. Prima...Rule Medium Severity -
SRG-APP-000347-DNS-000041
Group -
The Windows 2012 DNS Server must provide its identity with returned DNS information by enabling DNSSEC and TSIG/SIG(0).
Weakly bound credentials can be modified without invalidating the credential; therefore, non-repudiation can be violated. This requirement supports audit requirements that provide organizational p...Rule Medium Severity -
SRG-APP-000176-DNS-000017
Group -
The Windows 2012 DNS Server must be configured to enforce authorized access to the corresponding private key.
The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, this will lead to the compromise of the authentication and non-repudiation...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.