Domain Name System
DNS servers and configuration
Score Breakdown
Percentages are open-rate values (`Open / Total`). Closed/compliance rate is `100% - open rate`.
Checklist Files Contributing to This Area (4)
These hostname + STIG combinations are mapped to this assessment area
| Checklist File | Hostname | STIG Benchmark | Version |
|---|---|---|---|
| MONT-DC-003_WinServerDNS_V2R3_20251023-172313.ckl | MONT-DC-003 | Microsoft Windows Server Domain Name System (DNS) Security Technical Implementation Guide | V2R4 |
| MONT-DC-003_WinServerDNS_V2R3_20251023-172313.ckl | MONT-DC-003 | Microsoft Windows Server Domain Name System (DNS) Security Technical Implementation Guide | V2R3 (Outdated: latest V2R4) |
| MONT-DC-003_ADForest_V3R2_20251023-171845.ckl | MONT-DC-003 | Active Directory Forest Security Technical Implementation Guide | V3R2 |
| MONT-DC-003_ADDomain_V3R5_20251023-171837.ckl | MONT-DC-003 | Active Directory Domain Security Technical Implementation Guide | V3R7 |
Open Findings (24)
Findings that remain open and contribute to the score
MONT-DC-003
Active Directory Domain Security Technical Implementation Guide MONT-DC-003_ADDomain_V3R5_20251023-171837.ckl
| Severity | Vuln ID | Rule Title | Status |
|---|---|---|---|
| CAT I | V-243466 | Membership to the Enterprise Admins group must be restricted to accounts used on... | Open (Open) |
| CAT I | V-243467 | Membership to the Domain Admins group must be restricted to accounts used only t... | Open (Open) |
| CAT I | V-243470 | Delegation of privileged accounts must be prohibited. | Open (Open) |
| CAT II | V-243468 | Administrators must have separate accounts specifically for managing domain memb... | Open (Open) |
| CAT II | V-243469 | Administrators must have separate accounts specifically for managing domain work... | Open (Open) |
| CAT II | V-243471 | Local administrator accounts on domain systems must not share the same password. | Open (Open) |
| CAT II | V-243472 | Separate smart cards must be used for Enterprise Admin (EA) and Domain Admin (DA... | Open (Open) |
| CAT II | V-243475 | Domain controllers must be blocked from Internet access. | Open (Open) |
| CAT II | V-243477 | User accounts with domain level administrative privileges must be members of the... | Open (Open) |
| CAT II | V-243487 | Membership in the Group Policy Creator Owners and Incoming Forest Trust Builders... | Open (Open) |
| CAT II | V-269097 | Windows Server domain controllers must have Kerberos logging enabled with server... | Open (Open) |
MONT-DC-003
Active Directory Forest Security Technical Implementation Guide MONT-DC-003_ADForest_V3R2_20251023-171845.ckl
| Severity | Vuln ID | Rule Title | Status |
|---|---|---|---|
| CAT II | V-243502 | Membership to the Schema Admins group must be limited. | Open (Open) |
| CAT II | V-243504 | The Windows Time Service on the forest root PDC Emulator must be configured to a... | Open (Open) |
MONT-DC-003
Microsoft Windows Server Domain Name System (DNS) Security Technical Implementation Guide MONT-DC-003_WinServerDNS_V2R3_20251023-172313.ckl
| Severity | Vuln ID | Rule Title | Status |
|---|---|---|---|
| CAT II | V-259342 | Forwarders on an authoritative Windows DNS Server, if enabled for external resol... | Open (Open) |
| CAT II | V-259357 | The Windows DNS Server authoritative for local zones must only point root hints ... | Open (Open) |
| CAT II | V-259367 | The Windows DNS Server must be configured to enforce authorized access to the co... | Open (Open) |
| CAT II | V-259405 | The Windows DNS Server must, when a component failure is detected, activate a no... | Open (Open) |
| CAT II | V-259407 | The Windows DNS Server must verify the correct operation of security functions u... | Open (Open) |
| CAT II | V-259411 | The DNS server implementation must employ strong authenticators in the establish... | Open (Open) |
| CAT II | V-259412 | In the event of a system failure, the Windows DNS Server must preserve any infor... | Open (Open) |
| CAT II | V-259415 | The Windows DNS Server audit records must be backed up at least every seven days... | Open (Open) |
| CAT II | V-259417 | Windows DNS response rate limiting (RRL) must be enabled. | Open (Open) |
MONT-DC-003 Outdated: V2R4
Microsoft Windows Server Domain Name System (DNS) Security Technical Implementation Guide MONT-DC-003_WinServerDNS_V2R3_20251023-172313.ckl
| Severity | Vuln ID | Rule Title | Status |
|---|---|---|---|
| CAT II | V-259369 | The Windows DNS Server permissions must be set so the key file can only be read ... | Open (Open) |
| CAT II | V-259413 | The DNS Name Server software must run with restricted privileges. | Open (Open) |