Check: WDNS-CM-000023
Microsoft Windows 2012 Server Domain Name System STIG:
WDNS-CM-000023
(in versions v2 r6 through v1 r13)
Title
The DNS name server software must be at the latest version. (Cat II impact)
Discussion
Each newer version of the name server software, especially the BIND software, generally is devoid of vulnerabilities found in earlier versions because it has design changes incorporated to take care of those vulnerabilities. These vulnerabilities have been exploited (i.e., some form of attack was launched), and sufficient information has been generated with respect to the nature of those exploits. It makes good business sense to run the latest version of name server software because theoretically it is the safest version. Even if the software is the latest version, it is not safe to run it in default mode. The security administrator should always configure the software to run in the recommended secure mode of operation after becoming familiar with the new security settings for the latest version.
Check Content
Consult with the network IAVM scanner to confirm all Microsoft Operating System IAVMs have been applied to the Windows DNS server. If all Microsoft Operating System IAVMs have not been applied to the DNS server, this is a finding.
Fix Text
Apply all related Microsoft Operating System IAVM patches to the DNS server.
Additional Identifiers
Rule ID: SV-215592r879887_rule
Vulnerability ID: V-215592
Group Title: SRG-APP-000516-DNS-000103
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |