CUI

Documentation - V-259394

V-259394

Microsoft Windows Server Domain Name System (DNS) Security Technical Implementation Guide

CAT II

Title

The Windows DNS Server must only contain zone records that have been validated annually.

Description

If zone information has not been validated in more than a year, there is no assurance that it is still valid. If invalid records are in a zone, an adversary could potentially use their existence for improper purposes. A standard operating procedure detailing this process can resolve this requirement.

Documentable: false

Fix Text (Documentation Requirement)

Create a separate database to maintain record documentation for non-AD-integrated zones. Develop a procedure to validate annually all zone information on the DNS server against the separately maintained database.

1. Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account.
2. Press the Windows key + R and execute "dnsmgmt.msc".
3. In the opened DNS Manager snap-in, from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones".
4. From the expanded list, click to select the zone.
5. Select the zone records that have not been validated in more than a year and revalidate.
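The annual comparison the fix text describes, written as an added PowerShell example (not part of the STIG or any DISA-provided material) using the DnsServer module cmdlets: it enumerates non-AD-integrated primary zones, keys each record by zone, host, type and data, and reports records that are absent from the maintained database or whose recorded validation date is older than the cutoff. The CSV path and its columns (Zone, HostName, RecordType, Data, LastValidated) are assumptions about how the separate database is kept.

```powershell
# Added example: reconcile non-AD-integrated zone records against a separately
# maintained validation database (assumed CSV layout) and flag unknown/stale ones.
param(
    [string]$DnsServer    = $env:COMPUTERNAME,
    [string]$DatabasePath = 'C:\DNSRecordDatabase\records.csv',  # assumed path
    [int]$MaxAgeDays      = 365
)

# Reduce a resource record to a comparable string, independent of record type.
function Get-RecordDataString($Record) {
    $d = $Record.RecordData
    switch ($Record.RecordType) {
        'A'     { $d.IPv4Address.ToString() }
        'AAAA'  { $d.IPv6Address.ToString() }
        'CNAME' { $d.HostNameAlias }
        'PTR'   { $d.PtrDomainName }
        'MX'    { $d.MailExchange }
        'NS'    { $d.NameServer }
        'TXT'   { $d.DescriptiveText }
        default { ($d | Out-String).Trim() }
    }
}

# Index the maintained database by zone|host|type|data.
$db = @{}
foreach ($row in Import-Csv -Path $DatabasePath) {
    $db["$($row.Zone)|$($row.HostName)|$($row.RecordType)|$($row.Data)"] = $row
}

$cutoff   = (Get-Date).AddDays(-$MaxAgeDays)
$findings = @()

# Only primary zones that are not AD-integrated (and not auto-created) are in scope.
$zones = Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsDsIntegrated -and -not $_.IsAutoCreated }

foreach ($zone in $zones) {
    foreach ($rec in Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone.ZoneName) {
        $key   = "$($zone.ZoneName)|$($rec.HostName)|$($rec.RecordType)|$(Get-RecordDataString $rec)"
        $entry = $db[$key]
        if (-not $entry) {
            $findings += [pscustomobject]@{ Zone = $zone.ZoneName; Record = $key; Status = 'NOT IN DATABASE' }
        } elseif ([datetime]$entry.LastValidated -lt $cutoff) {
            $findings += [pscustomobject]@{ Zone = $zone.ZoneName; Record = $key; Status = "STALE (validated $($entry.LastValidated))" }
        }
    }
}
$findings | Format-Table -AutoSize
```

Records flagged NOT IN DATABASE are candidates for removal or for being added to the database after review; STALE records are the ones step 5 of the fix text asks you to revalidate.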
