Information
Without re-authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.
In addition to the re-authentication requirements associated with session locks, organizations may require re-authentication of devices, including, but not limited to, the following other situations:
(i) When authenticators change;
(ii) When roles change;
(iii) When security categories of information systems change;
(iv) After a fixed period of time; or
(v) Periodically.
DNS does perform server authentication when DNSSEC or TSIG/SIG(0) is used, but this authentication is transactional in nature (each transaction has its own authentication performed). This requirement therefore applies to every server-to-server transaction request.
Solution
Log on to the DNS server using a Domain Admin, Enterprise Admin, or Local Administrator account.
Press Windows Key + R and run dnsmgmt.msc.
In the left pane of the DNS Manager snap-in, expand the server name and then expand Forward Lookup Zones.
From the expanded list, click to select the zone.
Right-click the name of the selected zone and choose Properties from the context menu.
In the zone's properties box, click the General tab.
If the Type: field is not Active Directory-Integrated, configure the zone for AD-integration.
Select 'Secure only' from the Dynamic updates: drop-down list.
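
The same check across every forward lookup zone, as an added PowerShell example (not part of the original guidance). It assumes the DnsServer module is available and that the script runs on the DNS server itself; the `-Remediate` switch, the `$ReplicationScope` parameter and its `Domain` default are choices made for this example, since the page does not name a replication scope.

```powershell
#Requires -Modules DnsServer
# Report (and optionally fix) forward lookup zones that are not
# AD-integrated or that accept anything other than secure dynamic updates.
param(
    [switch]$Remediate,                   # without this switch the script only reports
    [string]$ReplicationScope = 'Domain'  # assumption: scope is not given on the page
)

# Primary forward lookup zones hosted on this server. Reverse and auto-created
# zones are skipped, as is TrustAnchors, which DNS Manager lists under its own node.
$zones = Get-DnsServerZone | Where-Object {
    $_.ZoneType -eq 'Primary' -and
    -not $_.IsReverseLookupZone -and
    -not $_.IsAutoCreated -and
    $_.ZoneName -ne 'TrustAnchors'
}

foreach ($zone in $zones) {
    $name = $zone.ZoneName
    $compliant = $zone.IsDsIntegrated -and ("$($zone.DynamicUpdate)" -eq 'Secure')

    if ($Remediate -and -not $compliant) {
        if (-not $zone.IsDsIntegrated) {
            # 'Secure only' is offered only for AD-integrated zones, so convert first.
            ConvertTo-DnsServerPrimaryZone -Name $name -ReplicationScope $ReplicationScope -Force
        }
        Set-DnsServerPrimaryZone -Name $name -DynamicUpdate Secure

        # Re-read the zone so the report reflects what the server now holds.
        $zone = Get-DnsServerZone -Name $name
        $compliant = $zone.IsDsIntegrated -and ("$($zone.DynamicUpdate)" -eq 'Secure')
    }

    [pscustomobject]@{
        Zone          = $name
        ADIntegrated  = [bool]$zone.IsDsIntegrated
        DynamicUpdate = "$($zone.DynamicUpdate)"
        Compliant     = [bool]$compliant
    }
}
```

Run it without `-Remediate` first and review the rows where `Compliant` is `False` before changing any zone.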