III - Administrative Classified
Rules and Groups employed by this XCCDF Profile
-
SRG-APP-000516-DNS-000114
<GroupDescription></GroupDescription>Group -
The Windows 2012 DNS Servers zone files must not include CNAME records pointing to a zone with lesser security for more than six months.
<VulnDiscussion>The use of CNAME records for exercises, tests, or zone-spanning (pointing to zones with lesser security) aliases should be te...Rule Medium Severity -
SRG-APP-000516-DNS-000500
<GroupDescription></GroupDescription>Group -
Non-routable IPv6 link-local scope addresses must not be configured in any zone.
<VulnDiscussion>IPv6 link-local scope addresses are not globally routable and must not be configured in any DNS zone. Similar to RFC1918 add...Rule Medium Severity -
SRG-APP-000516-DNS-000500
<GroupDescription></GroupDescription>Group -
AAAA addresses must not be configured in a zone for hosts that are not IPv6-aware.
<VulnDiscussion>DNS is only responsible for resolving a domain name to an IP address. Applications and operating systems are responsible for...Rule Medium Severity -
SRG-APP-000142-DNS-000014
<GroupDescription></GroupDescription>Group -
The Windows 2012 DNS Server must be configured to prohibit or restrict unapproved ports and protocols.
<VulnDiscussion>In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e....Rule Medium Severity -
SRG-APP-000390-DNS-000048
<GroupDescription></GroupDescription>Group -
The Windows 2012 DNS Server must require devices to re-authenticate for each dynamic update request connection attempt.
<VulnDiscussion>Without re-authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity...Rule Medium Severity -
SRG-APP-000158-DNS-000015
<GroupDescription></GroupDescription>Group -
The Windows 2012 DNS Server must uniquely identify the other DNS server before responding to a server-to-server transaction.
<VulnDiscussion>Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. This...Rule Medium Severity -
SRG-APP-000394-DNS-000049
<GroupDescription></GroupDescription>Group -
The secondary Windows DNS name servers must cryptographically authenticate zone transfers from primary name servers.
<VulnDiscussion>Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. D...Rule Medium Severity -
SRG-APP-000001-DNS-000001
<GroupDescription></GroupDescription>Group -
The Windows DNS primary server must only send zone transfers to a specific list of secondary name servers.
<VulnDiscussion>Primary name servers also make outbound connection to secondary name servers to provide zone transfers and accept inbound con...Rule Medium Severity -
SRG-APP-000347-DNS-000041
<GroupDescription></GroupDescription>Group -
The Windows 2012 DNS Server must provide its identity with returned DNS information by enabling DNSSEC and TSIG/SIG(0).
<VulnDiscussion>Weakly bound credentials can be modified without invalidating the credential; therefore, non-repudiation can be violated. Th...Rule Medium Severity -
SRG-APP-000176-DNS-000017
<GroupDescription></GroupDescription>Group -
The Windows 2012 DNS Server must be configured to enforce authorized access to the corresponding private key.
<VulnDiscussion>The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, th...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.