Scan Information
- Ship: USNS MONTFORD POINT
- Hull Number: T-ESD-1
- Scan Date: 2026-01-14
- Source File: MONT-DC-003 WinServerDNS 20251023-172313
- Source Tool: Evaluate-STIG
- Imported: 2026-01-14 17:57
STIG Benchmark: Microsoft Windows Server Domain Name System (DNS) Security Technical Implementation Guide
Version: V2R4
Score: 86.4%
Total: 83
Open: 11
OCA Technology Area
- Hostname: MONT-DC-003
- STIG Benchmark: Microsoft Windows Server Domain Name System (DNS) Security Technical Implementation Guide
Current Area: Domain Name System
STIG Rule Mapping
Mapped to STIG: 83
Unmapped: 0
Total Findings: 83
All findings mapped to STIG rules.
Checklist Scoring
| Severity | Not a Finding | Not Applicable | Open | Not Reviewed | Total |
|---|---|---|---|---|---|
| CAT I | 1 | 4 | 0 | 0 | 5 |
| CAT II | 21 | 44 | 11 | 2 | 78 |
| CAT III | 0 | 0 | 0 | 0 | 0 |
| Total | 22 | 48 | 11 | 2 | 83 |
Vuln IDs (83)
V-259334
The Windows DNS Server must restrict incoming dyna...
V-259335
The Windows DNS Server must be configured to recor...
V-259336
The Windows DNS Server must notify the DNS adminis...
V-259337
The Windows DNS Server log must be enabled.
V-259338
The "Manage auditing and security log" user right ...
V-259339
The validity period for the Resource Record Signat...
V-259340
The Windows DNS name servers for a zone must be ge...
V-259341
The Windows DNS Server must prohibit recursion on ...
V-259342
Forwarders on an authoritative Windows DNS Server,...
V-259343
The Windows DNS Server with a caching name server ...
V-259344
The Windows DNS Server must implement cryptographi...
V-259345
The validity period for the Resource Record Signat...
V-259346
NSEC3 must be used for all internal DNS zones.
V-259347
The Windows DNS Server's zone files must have NS r...
V-259348
All authoritative name servers for a zone must be ...
V-259349
All authoritative name servers for a zone must hav...
V-259350
The Windows DNS Server must be configured to enabl...
V-259351
The digital signature algorithm used for DNSSEC-en...
V-259352
For zones split between the external and internal ...
V-259353
In a split DNS configuration between the external ...
V-259354
Primary authoritative name servers must be configu...
V-259355
The Windows DNS Servers zone database files must n...
V-259356
The Windows DNS Server must implement internal/ext...
V-259357
The Windows DNS Server authoritative for local zon...
V-259358
The Windows DNS Servers zone files must not includ...
V-259359
The Windows DNS Server's zone files must not inclu...
V-259360
Nonroutable IPv6 link-local scope addresses must n...
V-259361
AAAA addresses must not be configured in a zone fo...
V-259363
The Windows DNS Server must uniquely identify the ...
V-259364
The secondary Windows DNS name servers must crypto...
V-259365
The Windows DNS primary server must only send zone...
V-259366
The Windows DNS Server must provide its identity w...
V-259367
The Windows DNS Server must be configured to enfor...
V-259368
The Windows DNS Server key file must be owned by t...
V-259369
The Windows DNS Server permissions must be set so ...
V-259370
The private key corresponding to the zone signing ...
V-259371
The Windows DNS Server must implement a local cach...
V-259372
The salt value for zones signed using NSEC3 resour...
V-259373
The Windows DNS Server must include data origin wi...
V-259374
The Windows DNS Server's IP address must be static...
V-259375
The Windows DNS Server must return data informatio...
V-259376
The Windows DNS Server must use DNSSEC data within...
V-259377
WINS lookups must be disabled on the Windows DNS S...
V-259378
The Windows DNS Server must use DNSSEC data within...
V-259379
The Windows DNS Server must be configured with the...
V-259380
The Windows DNS Server must enforce approved autho...
V-259381
The Name Resolution Policy Table (NRPT) must be co...
V-259382
The Windows DNS Server must be configured to valid...
V-259383
Trust anchors must be exported from authoritative ...
V-259384
Automatic Update of Trust Anchors must be enabled ...
V-259385
The Windows DNS secondary servers must request dat...
V-259386
The Windows DNS secondary server must request data...
V-259387
The Windows DNS secondary server must validate dat...
V-259388
The Windows DNS secondary server must validate dat...
V-259389
The Windows DNS Server must protect the authentici...
V-259390
The Windows DNS Server must protect the authentici...
V-259391
The Windows DNS Server must protect the authentici...
V-259392
The Windows DNS Server must use an approved DOD PK...
V-259393
The Windows DNS Server must protect secret/private...
V-259394
The Windows DNS Server must only contain zone reco...
V-259395
The Windows DNS Server must restrict individuals f...
V-259396
The Windows DNS Server must use DNS Notify to prev...
V-259397
The Windows DNS Server must protect the integrity ...
V-259398
The Windows DNS Server must maintain the integrity...
V-259399
The Windows DNS Server must maintain the integrity...
V-259400
The Windows DNS Server must implement NIST FIPS-va...
V-259401
The Windows DNS Server must be configured to only ...
V-259402
The Windows DNS Server must follow procedures to r...
V-259403
The DNS Name Server software must be configured to...
V-259404
The HINFO, RP, TXT, and LOC RR types must not be u...
V-259405
The Windows DNS Server must, when a component fail...
V-259406
The Windows DNS Server must verify the correct ope...
V-259407
The Windows DNS Server must verify the correct ope...
V-259408
The Windows DNS Server must log the event and noti...
V-259409
The Windows DNS Server must be configured to notif...
V-259410
A unique Transaction Signature (TSIG) key must be ...
V-259411
The DNS server implementation must employ strong a...
V-259412
In the event of a system failure, the Windows DNS ...
V-259413
The DNS Name Server software must run with restric...
V-259414
The private keys corresponding to both the zone si...
V-259415
The Windows DNS Server audit records must be backe...
V-259416
In a split DNS configuration, where separate name ...
V-259417
Windows DNS response rate limiting (RRL) must be e...