WDNS-SI-000005 - The Windows 2012 DNS Server must, when a component failure is detected, activate a notification to the system administrator.


Predictable failure prevention requires organizational planning to address system failure issues. If components key to maintaining systems security fail to function, the system could continue operating in an insecure state. The organization must be prepared, and the application must support requirements that specify if the application must alarm for such conditions and/or automatically shut down the application or the system.

This can include conducting a graceful application shutdown to avoid losing information. Automatic or manual transfer of components from standby to active mode can occur, for example, upon detection of component failures.

If a component such as the DNSSEC or TSIG/SIG(0) signing capabilities were to fail, the DNS server should shut itself down to prevent continued execution without the necessary security components in place. Transactions such as zone transfers would not be able to work correctly anyway in this state.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.


Implement a third-party monitoring system to detect and notify the system administrator upon component failure or, at a minimum, document and implement a procedure to review the diagnostic logs on a routine basis every day.

See Also


Item Details


References: 800-53|CM-6b., 800-53|SI-13(4)(b), CAT|II, CCI|CCI-000366, CCI|CCI-001328, Rule-ID|SV-215642r561297_rule, STIG-ID|WDNS-SI-000005, STIG-Legacy|SV-73141, STIG-Legacy|V-58711, Vuln-ID|V-215642

Plugin: Windows

Control ID: c28318993b9e67e1a734cd400aa639144fc73ea14e4322b1c4c3ea8e3a3c2791