III - Administrative Public
Rules and Groups employed by this XCCDF Profile
-
SRG-APP-000516-DNS-000500
Group -
Nonroutable IPv6 link-local scope addresses must not be configured in any zone.
IPv6 link-local scope addresses are not globally routable and must not be configured in any DNS zone. Like RFC1918 addresses, if a link-local scope address is inserted into a zone provided to clien...Rule Medium Severity -
SRG-APP-000516-DNS-000500
Group -
AAAA addresses must not be configured in a zone for hosts that are not dual stack.
DNS is only responsible for resolving a domain name to an IP address. Applications and operating systems are responsible for processing the IPv6 or IPv4 record that may be returned. A denial of s...Rule Medium Severity -
SRG-APP-000158-DNS-000015
Group -
The Windows DNS Server must uniquely identify the other DNS server before responding to a server-to-server transaction.
Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. This applies to server-to-server (zone transfer) transactions only and is pr...Rule Medium Severity -
SRG-APP-000394-DNS-000049
Group -
The secondary Windows DNS name servers must cryptographically authenticate zone transfers from primary name servers.
Authenticity of zone transfers within Windows Active Directory (AD)-integrated zones is accomplished by AD replication. Without authenticating devices, unidentified or unknown devices may be introd...Rule Medium Severity -
SRG-APP-000001-DNS-000001
Group -
The Windows DNS primary server must only send zone transfers to a specific list of secondary name servers.
Primary name servers also make outbound connection to secondary name servers to provide zone transfers and accept inbound connection requests from clients wishing to provide a dynamic update. Prima...Rule Medium Severity -
SRG-APP-000347-DNS-000041
Group -
The Windows DNS Server must provide its identity with returned DNS information by enabling DNSSEC and TSIG/SIG(0).
Weakly bound credentials can be modified without invalidating the credential; therefore, nonrepudiation can be violated. This requirement supports audit requirements that provide organizational pe...Rule Medium Severity -
SRG-APP-000176-DNS-000017
Group -
The Windows DNS Server must be configured to enforce authorized access to the corresponding private key.
The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, this will lead to the compromise of the authentication and nonrepudiation ...Rule Medium Severity -
SRG-APP-000176-DNS-000018
Group -
The Windows DNS Server key file must be owned by the account under which the Windows DNS Server service is run.
To enable zone transfer (requests and responses) through authenticated messages, it is necessary to generate a key for every pair of name servers. The key can also be used for securing other transa...Rule Medium Severity -
SRG-APP-000176-DNS-000019
Group -
The Windows DNS Server permissions must be set so the key file can only be read or modified by the account that runs the name server software.
To enable zone transfer (requests and responses) through authenticated messages, it is necessary to generate a key for every pair of name servers. The key can also be used for securing other transa...Rule Medium Severity -
SRG-APP-000176-DNS-000094
Group -
The private key corresponding to the zone signing key (ZSK) must only be stored on the name server that does support dynamic updates.
The private keys in the key signing key (KSK) and ZSK key pairs must be protected from unauthorized access. If possible, the private keys should be stored offline (with respect to the internet-faci...Rule Medium Severity -
SRG-APP-000401-DNS-000051
Group -
The Windows DNS Server must implement a local cache of revocation data for PKI authentication.
Not configuring a local cache of revocation data could allow access to users who are no longer authorized (users with revoked certificates). SIG(0) is used for server-to-server authentication for ...Rule Medium Severity -
SRG-APP-000516-DNS-000077
Group -
The salt value for zones signed using NSEC3 resource records (RRs) must be changed every time the zone is completely re-signed.
NSEC records list the resource record types for the name, as well as the name of the next resource record. With this information it is revealed that the resource record type for the name queried, o...Rule Medium Severity -
SRG-APP-000213-DNS-000024
Group -
The Windows DNS Server must include data origin with authoritative data the system returns in response to external name/address resolution queries.
The underlying feature in the major threat associated with DNS query/response (i.e., forged response or response failure) is the integrity of DNS data returned in the response. The security objecti...Rule Medium Severity -
SRG-APP-000420-DNS-000053
Group -
The Windows DNS Server's IP address must be statically defined and configured locally on the server.
The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. The principle of DNSSEC is to mitigate this threat by providing data ori...Rule Medium Severity -
SRG-APP-000420-DNS-000053
Group -
The Windows DNS Server must return data information in response to internal name/address resolution queries.
The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. The principle of DNSSEC is to mitigate this threat by providing data ori...Rule Medium Severity -
SRG-APP-000421-DNS-000054
Group -
The Windows DNS Server must use DNSSEC data within queries to confirm data origin to DNS resolvers.
The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. The principle of DNSSEC is to mitigate this threat by providing data ori...Rule Medium Severity -
SRG-APP-000422-DNS-000055
Group -
WINS lookups must be disabled on the Windows DNS Server.
The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. The principle of DNSSEC is to mitigate this threat by providing data ori...Rule Medium Severity -
SRG-APP-000422-DNS-000055
Group -
The Windows DNS Server must use DNSSEC data within queries to confirm data integrity to DNS resolvers.
The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. The principle of DNSSEC is to mitigate this threat by providing data ori...Rule Medium Severity -
SRG-APP-000214-DNS-000025
Group -
The Windows DNS Server must be configured with the Delegation Signer (DS) Resource Records (RR) carrying the signature for the RR that contains the public key of the child zone.
If name server replies are invalid or cannot be validated, many networking functions and communication would be adversely affected. With DNS, the presence of DS records associated with child zones ...Rule Medium Severity -
SRG-APP-000215-DNS-000003
Group -
The Windows DNS Server must enforce approved authorizations between DNS servers using digital signatures in the Resource Record Set (RRSet).
A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If information flow is not enforced based on approved authorizations, ...Rule Medium Severity -
SRG-APP-000215-DNS-000003
Group -
The Name Resolution Policy Table (NRPT) must be configured in Group Policy to enforce clients to request DNSSEC validation for a domain.
The NRPT is used to require DNSSEC validation. The NRPT can be configured in local Group Policy for a single computer or domain Group Policy for some or all computers in the domain.Rule Medium Severity -
SRG-APP-000215-DNS-000026
Group -
The Windows DNS Server must be configured to validate an authentication chain of parent and child domains via response data.
If name server replies are invalid or cannot be validated, many networking functions and communication would be adversely affected. With DNS, the presence of Delegation Signer (DS) records associat...Rule Medium Severity -
SRG-APP-000215-DNS-000026
Group -
Trust anchors must be exported from authoritative Windows DNS Servers and distributed to validating Windows DNS Servers.
If name server replies are invalid or cannot be validated, many networking functions and communication would be adversely affected. With DNS, the presence of Delegation Signer (DS) records associat...Rule Medium Severity -
SRG-APP-000215-DNS-000026
Group -
Automatic Update of Trust Anchors must be enabled on key rollover.
A trust anchor is a preconfigured public key associated with a specific zone. A validating DNS server must be configured with one or more trust anchors to perform validation. If the DNS server is r...Rule Medium Severity -
SRG-APP-000423-DNS-000056
Group -
The Windows DNS secondary servers must request data origin authentication verification from the primary server when requesting name/address resolution.
If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poisoned cache, the packets could have been intercep...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.