Check: WDNS-IA-000011
Microsoft Windows 2012 Server Domain Name System STIG:
WDNS-IA-000011
(in versions v2 r6 through v1 r5)
Title
The Windows 2012 DNS Server must implement a local cache of revocation data for PKI authentication in the event revocation information via the network is not accessible. (Cat II impact)
Discussion
Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates). SIG(0) is used for server-to-server authentication of DNS transactions, and it relies on PKI-based authentication. This requirement therefore applies in cases where SIG(0) is used instead of TSIG (which uses a shared key rather than PKI-based authentication).
Check Content
Consult with the SA to determine if there is a third-party CRL server being used for certificate revocation lookup. If there is, verify if a documented procedure is in place to store a copy of the CRL locally (local to the site, as an alternative to querying the actual Certificate Authorities). An example would be an OCSP responder installed at the local site. If there is no local cache of revocation data, this is a finding.
Fix Text
Configure local revocation data to be used in the event access to Certificate Authorities is hindered.
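The check above is a manual review of site procedures; as an added example (not part of the STIG or of any DISA tooling), the PowerShell function below gathers the two host-local facts an auditor would want before that conversation: whether the AD CS Online Responder (OCSP) role service is installed, and which CRLs CryptoAPI currently holds in its local URL cache. The feature name ADCS-Online-Cert and the certutil -urlcache CRL listing are standard Windows Server facilities; the "finding" verdict is an assumption that mirrors the check text and does not replace reviewing the documented local-cache procedure.

```powershell
# Added example for WDNS-IA-000011: collect local evidence of a revocation-data cache.
# Assumptions: runs elevated on the DNS server; Get-WindowsFeature (ServerManager module)
# and certutil.exe are available, as on Windows Server 2012.
function Test-LocalRevocationCache {
    [CmdletBinding()]
    param()

    # 1. Is the Online Responder (OCSP) role service installed on this host?
    #    Feature name ADCS-Online-Cert is the Active Directory Certificate Services
    #    "Online Responder" role service.
    $ocsp = Get-WindowsFeature -Name ADCS-Online-Cert -ErrorAction SilentlyContinue
    $ocspInstalled = [bool]($ocsp -and $ocsp.Installed)

    # 2. Which CRLs does CryptoAPI currently hold in its local URL cache?
    #    'certutil -urlcache crl' lists cached CRL entries; we keep only the URL lines.
    $cacheOutput = & certutil.exe -urlcache crl 2>$null
    $cachedCrls = @()
    foreach ($line in $cacheOutput) {
        if ($line -match '(https?://\S+|ldap:///\S+)') {
            $cachedCrls += $Matches[1]
        }
    }

    # Assumed verdict logic mirroring the check text: no OCSP responder here and no
    # cached CRLs means there is no host-local evidence of a revocation cache, so the
    # documented site procedure must be produced or this is a finding.
    $localEvidence = $ocspInstalled -or ($cachedCrls.Count -gt 0)

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        OnlineResponderInstalled = $ocspInstalled
        CachedCrlCount          = $cachedCrls.Count
        CachedCrlUrls           = $cachedCrls
        LocalEvidenceOfCache    = $localEvidence
        Verdict                 = if ($localEvidence) { 'Review site procedure' } else { 'Potential finding' }
    }
}

# Usage: Test-LocalRevocationCache | Format-List
```

A cached CRL entry only shows that revocation data was fetched at some point; its validity window should still be confirmed with the SA against the documented refresh procedure.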
Additional Identifiers
Rule ID: SV-215608r879774_rule
Vulnerability ID: V-215608
Group Title: SRG-APP-000401-DNS-000051
CCIs
Number | Definition
---|---
CCI-001991 | The information system, for PKI-based authentication, implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.
Controls
Number | Title
---|---
IA-5 (2) | PKI-Based Authentication