Check: DNS0810
Windows DNS:
DNS0810
(in version v4 r1.19)
Title
Zone transfers are not prohibited or a VPN solution is not implemented that requires cryptographic authentication of communicating devices and is used exclusively by name servers authoritative for the zone. (Cat I impact)
Discussion
If zone transfers are not cryptographically authenticated, then there is the potential for an adversary to masquerade as a legitimate zone partner and update zone records without authorization.
Check Content
The reviewer will validate that zone transfers are prohibited. The reviewer will ensure the "Allow zone transfers" check box is not selected on the "Zone Transfers" tab of the name server properties. If zone transfers are allowed, then this is a finding. Windows allows for two ways of synchronizing zone data across name servers: (1) traditional RFC-compliant DNS zone transfers; and (2) AD replication. The latter only works when Windows DNS is integrated with AD, which makes each of the DNS records an AD object. The Windows 2000/2003 DNS implementation of traditional zone transfers does not meet the STIG requirement that the transfers be cryptographically authenticated using a technology such as TSIG. Fortunately, AD replication is cryptographically authenticated. Therefore, the solution in a pure Windows 2000/2003 DNS implementation is to integrate DNS with AD and disable zone transfers.
Fix Text
Working with relevant DNS administrators, the SA should configure Windows DNS to rely on Active Directory to replicate zone data whenever possible. If this is not feasible, then the SA must establish an IPSEC VPN between relevant zone partners or implement a satisfactory alternative encryption-based authentication technology.
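The reviewer check and the preferred fix above, scripted as an added example that is not part of the STIG text. It assumes Windows Server 2012 or later with the DnsServer PowerShell module (the 2000/2003 servers the check describes have no such cmdlets); the zone property SecureSecondaries is the scripted equivalent of the "Allow zone transfers" check box, and the function names are the example's own.

```powershell
# Added audit/remediation script for DNS0810 (not from the STIG).
# Assumes the DnsServer module (Windows Server 2012+); function names are hypothetical.
#Requires -Modules DnsServer

function Test-Dns0810Compliance {
    [CmdletBinding()]
    param(
        # DNS server to audit; defaults to the local machine.
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Only primary zones hold authoritative data that can be transferred out;
    # skip the auto-created zones (0.in-addr.arpa etc.), which are not administered.
    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
        ForEach-Object {
            # SecureSecondaries = NoTransfer means the "Allow zone transfers" box is
            # cleared; any other value (TransferAnyServer, TransferToZoneNameServer,
            # TransferToSecureServers) means transfers are allowed, which is a finding.
            $transfersAllowed = $_.SecureSecondaries -ne 'NoTransfer'
            [pscustomobject]@{
                ZoneName          = $_.ZoneName
                IsDsIntegrated    = $_.IsDsIntegrated
                SecureSecondaries = $_.SecureSecondaries
                Finding           = $transfersAllowed
                # A non-AD-integrated zone cannot be fixed by this script; it needs the
                # IPSEC VPN (or equivalent) path from the Fix Text.
                NeedsVpnOrAdIntegration = ($transfersAllowed -and -not $_.IsDsIntegrated)
            }
        }
}

function Set-Dns0810Fix {
    # Disables zone transfers on AD-integrated primary zones only: AD replication
    # already carries the zone data, so nothing is lost by turning transfers off.
    param([string]$ComputerName = $env:COMPUTERNAME)
    Test-Dns0810Compliance -ComputerName $ComputerName |
        Where-Object { $_.Finding -and $_.IsDsIntegrated } |
        ForEach-Object {
            Set-DnsServerPrimaryZone -ComputerName $ComputerName -Name $_.ZoneName `
                -SecureSecondaries NoTransfer
        }
}

# Usage: report findings first; run Set-Dns0810Fix after reviewing the report.
Test-Dns0810Compliance | Format-Table -AutoSize
```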
Additional Identifiers
Rule ID: SV-4502r1_rule
Vulnerability ID: V-4502
Group Title: Zone transfers are not prohibited.
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check | |
Controls
Number | Title |
---|---|
No controls are assigned to this check | |