Microsoft Windows 2012 Server Domain Name System STIG

Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide

| ID | Vuln ID | Title | Cat | Status |
|---|---|---|---|---|
| WDNS-CM-000029 | V-215598 | The Windows 2012 DNS Server must be configured to prohibit or restrict unapproved ports and protocols. | Cat II | |
| WDNS-SC-000030 | V-215636 | The Windows 2012 DNS Server must maintain the integrity of information during reception. | Cat II | |
| WDNS-CM-000006 | V-215576 | The Windows 2012 DNS Server with a caching name server role must be secured against pollution by ensuring the authenticity and integrity of queried records. | Cat II | |
| WDNS-SC-000028 | V-215634 | The Windows 2012 DNS Server must protect the integrity of transmitted information. | Cat II | |
| WDNS-CM-000028 | V-215597 | IPv6 protocol must be disabled unless the Windows 2012 DNS server is configured to answer for and hosting IPv6 AAAA records. | Cat II | |
| WDNS-CM-000003 | V-215573 | The Windows 2012 DNS Server must prohibit recursion on authoritative name servers for which forwarders have not been configured for external queries. | Cat II | |
| WDNS-CM-000015 | V-215584 | Digital signature algorithm used for DNSSEC-enabled zones must be FIPS-compatible. | Cat II | |
| WDNS-CM-000018 | V-215587 | In a split DNS configuration, where separate name servers are used between the external and internal networks, the internal name server must be configured to not be reachable from outside resolvers. | Cat II | |
| WDNS-CM-000020 | V-215589 | The Windows 2012 DNS Servers zone database files must not be accessible for edit/write by users and/or processes other than the Windows 2012 DNS Server service account and/or the DNS database administrator. | Cat II | |
| WDNS-IA-000008 | V-215606 | The Windows 2012 DNS Server permissions must be set so that the key file can only be read or modified by the account that runs the name server software. | Cat II | |
| WDNS-CM-000012 | V-215581 | All authoritative name servers for a zone must be located on different network segments. | Cat II | |
| WDNS-SI-000007 | V-215644 | The Windows 2012 DNS Server must log the event and notify the system administrator when anomalies in the operation of the signed zone transfers are discovered. | Cat II | |
| WDNS-CM-000007 | V-215577 | The Windows 2012 DNS Server must implement cryptographic mechanisms to detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS). | Cat II | |
| WDNS-IA-000009 | V-215607 | The private key corresponding to the ZSK must only be stored on the name server that does support dynamic updates. | Cat II | |
| WDNS-SC-000026 | V-215632 | The Windows 2012 DNS Server must restrict individuals from using it for launching Denial of Service (DoS) attacks against other information systems. | Cat II | |
