From 53c4a9a7bc5a81a6e18c990c8bde237b8efdc2bd Mon Sep 17 00:00:00 2001
From: Automated Update
Date: Fri, 26 Jan 2024 00:02:42 +0000
Subject: [PATCH] Update Benchmarks

---
 ...ver_v11_Windows_STIG_V2R3_Manual-xccdf.xml |   51 +-
 ...se_Advanced_3-x_STIG_V2R2_Manual-xccdf.xml |   47 +-
 ..._2016_Instance_STIG_V2R11_Manual-xccdf.xml |  263 +-
 ...dows_Server_DNS_STIG_V1R1_Manual-xccdf.xml | 2569 +++++++++++++++++
 ...Logic_Server_v9_STIG_V2R2_Manual-xccdf.xml |   44 +-
 ...racle_MySQL_8-0_STIG_V1R5_Manual-xccdf.xml |   54 +-
 stigs.json                                    |   50 +-
 7 files changed, 2813 insertions(+), 265 deletions(-)
 create mode 100644 benchmarks/DISA/U_MS_Windows_Server_DNS_STIG_V1R1_Manual-xccdf.xml

diff --git a/benchmarks/DISA/U_EDB_PGS_Advanced_Server_v11_Windows_STIG_V2R3_Manual-xccdf.xml b/benchmarks/DISA/U_EDB_PGS_Advanced_Server_v11_Windows_STIG_V2R3_Manual-xccdf.xml
index 529b099d4..4055192d9 100644
--- a/benchmarks/DISA/U_EDB_PGS_Advanced_Server_v11_Windows_STIG_V2R3_Manual-xccdf.xml
+++ b/benchmarks/DISA/U_EDB_PGS_Advanced_Server_v11_Windows_STIG_V2R3_Manual-xccdf.xml
@@ -1,4 +1,4 @@ -acceptedEDB Postgres Advanced Server v11 on Windows Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 3 Benchmark Date: 24 Jan 20243.4.1.229161.10.02I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-APP-000001-DB-000031<GroupDescription></GroupDescription>EP11-00-000100The EDB Postgres Advanced Server must limit the number of concurrent sessions to an organization-defined number per user for all accounts and/or account types.<VulnDiscussion>Database management includes the ability to control the number of users and user sessions utilizing a DBMS. Unlimited concurrent connections to the DBMS could allow a successful Denial of Service (DoS) attack by exhausting connection resources; a system can also fail or be degraded by an overload of legitimate users. Limiting the number of concurrent sessions per user is helpful in reducing these risks. 
+acceptedEDB Postgres Advanced Server v11 on Windows Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 3 Benchmark Date: 24 Jan 20243.4.1.229161.10.02I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-APP-000001-DB-000031<GroupDescription></GroupDescription>EP11-00-000100The EDB Postgres Advanced Server must limit the number of concurrent sessions to an organization-defined number per user for all accounts and/or account types.<VulnDiscussion>Database management includes the ability to control the number of users and user sessions utilizing a DBMS. Unlimited concurrent connections to the DBMS could allow a successful Denial of Service (DoS) attack by exhausting connection resources; a system can also fail or be degraded by an overload of legitimate users. Limiting the number of concurrent sessions per user is helpful in reducing these risks. This requirement addresses concurrent session control for a single account. 
It does not address concurrent sessions by a single user via multiple system accounts and it does not deal with the total number of sessions across all accounts. 
@@ -3242,31 +3242,24 @@ openssl_conf=openssl_conf_section [openssl_conf_section] alg_section=evp_settings [evp_settings] -fips_mode=yesSRG-APP-000456-DB-000400<GroupDescription></GroupDescription>EP11-00-013300EDB Postgres Advanced Server v11 products must be a version supported by the vendor.<VulnDiscussion>Unsupported commercial and database systems should not be used because fixes to newly identified bugs will not be implemented by the vendor. The lack of support can result in potential vulnerabilities. - -Systems at unsupported servicing levels or releases will not receive security updates for new vulnerabilities, which leaves them subject to exploitation. - -When maintenance updates and patches are no longer available, the database software is no longer considered supported and should be upgraded or decommissioned.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target EDB Postgres Advanced Server v11 on WindowsDISADPMS TargetEDB Postgres Advanced Server v11 on Windows4107CCI-003376Remove or decommission all unsupported software products. 
- -Upgrade unsupported DBMS or unsupported components to a supported version of the product.If new packages are available for PostgreSQL, they can be reviewed in the package manager appropriate for the server operating system: - -To list the version of installed PostgreSQL using psql: - -$ sudo su - postgres -$ psql --version - -To list the current version of software for RPM: - -$ rpm -qa | grep postgres - -To list the current version of software for APT: - -$ apt-cache policy postgres - -All versions of PostgreSQL will be listed here: -http://www.postgresql.org/support/versioning/ - -All security-relevant software updates for PostgreSQL will be listed here: -http://www.postgresql.org/support/security/ - -If PostgreSQL is not at the latest version, this is a finding. \ No newline at end of file +fips_mode=yesSRG-APP-000456-DB-000400<GroupDescription></GroupDescription>EP11-00-013300EDB Postgres Advanced Server v11 products must be a version supported by the vendor.<VulnDiscussion>Unsupported commercial and database systems should not be used because fixes to newly identified bugs will not be implemented by the vendor. The lack of support can result in potential vulnerabilities. + +Systems at unsupported servicing levels or releases will not receive security updates for new vulnerabilities, which leaves them subject to exploitation. 
+ +When maintenance updates and patches are no longer available, the database software is no longer considered supported and should be upgraded or decommissioned.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target EDB Postgres Advanced Server v11 on WindowsDISADPMS TargetEDB Postgres Advanced Server v11 on Windows4107CCI-003376Remove or decommission all unsupported software products. + +Upgrade unsupported DBMS or unsupported components to a supported version of the product.Review the system documentation and interview the database administrator. + +Identify all database software components. + +Review the current version and release information; execute the following SQL as enterprisedb: +SHOW SERVER_VERSION; +--OR-- +Using pgAdmin, once connected to the database, left click the "servers" tree to expand it. +Left-click on "PostgreSQL" under the "Servers" tree and then click on the "Properties" tab. +The Properties tab will have the currently installed Postgres version. + +Access the EDB website to validate that the version is currently supported: +https://www.enterprisedb.com/resources/platform-compatibility + +If the DBMS or any of the software components are not supported by the vendor, this is a finding. \ No newline at end of file diff --git a/benchmarks/DISA/U_MDB_Enterprise_Advanced_3-x_STIG_V2R2_Manual-xccdf.xml b/benchmarks/DISA/U_MDB_Enterprise_Advanced_3-x_STIG_V2R2_Manual-xccdf.xml index 1107ada8f..87f1ca474 100644 --- a/benchmarks/DISA/U_MDB_Enterprise_Advanced_3-x_STIG_V2R2_Manual-xccdf.xml +++ b/benchmarks/DISA/U_MDB_Enterprise_Advanced_3-x_STIG_V2R2_Manual-xccdf.xml 
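Review bot: The replacement check for EP11-00-013300 tells the assessor to "identify all database software components" but the only procedure it then gives is `SHOW SERVER_VERSION;`, which reports the version of the single server the session is connected to, so supporting components installed alongside EPAS (client tools, extensions, management utilities) are never actually enumerated or compared against the vendor's support matrix. I would add after the SQL a line such as `For EPAS, SELECT version(); typically also returns the Advanced Server build string; record the version of each installed component, not only the running server.` The pgAdmin steps direct the assessor to the "PostgreSQL" node under "Servers", but that label is whatever name the administrator registered the connection under, so "the server node for the EPAS instance" would be less likely to mislead. Separately, this benchmark targets EPAS v11; if EDB's compatibility page lists v11 as past end of standard support (community PostgreSQL 11 reached end-of-life in November 2023), every instance assessed under this STIG is by construction a finding here, which is worth stating in the check text rather than leaving to the URL lookup.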
@@ -1,4 +1,4 @@ -acceptedMongoDB Enterprise Advanced 3.x Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 2 Benchmark Date: 24 Jan 20243.4.1.229161.10.02I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-APP-000023-DB-000001<GroupDescription></GroupDescription>MD3X-00-000010MongoDB must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.<VulnDiscussion>MongoDB must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other 
principals.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MongoDB Enterprise Advanced 3.xDISADPMS TargetMongoDB Enterprise Advanced 3.x4078SV-96557V-81843CCI-000015Edit the MongoDB configuration file (default location: /etc/mongod.con) to include the following: +acceptedMongoDB Enterprise Advanced 3.x Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 2 Benchmark Date: 24 Jan 20243.4.1.229161.10.02I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-APP-000023-DB-000001<GroupDescription></GroupDescription>MD3X-00-000010MongoDB must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, 
and any other principals.<VulnDiscussion>MongoDB must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MongoDB Enterprise Advanced 3.xDISADPMS TargetMongoDB Enterprise Advanced 3.x4078SV-96557V-81843CCI-000015Edit the MongoDB configuration file (default location: /etc/mongod.con) to include the following: security: authorization: "enabled" 
@@ -950,31 +950,20 @@ If evidence of training does not exist, this is a finding.DPMS Target MongoDB Enterprise Advanced 3.xDISADPMS TargetMongoDB Enterprise Advanced 3.x4078SV-96643V-81929CCI-000366Configure MongoDB in accordance with security configuration settings by reviewing the Operation System and MongoDB documentation and applying the necessary configuration parameters to meet the configurations required by the STIG, NSA configuration guidelines, CTOs, DTMs, and IAVMs.Review the MongoDB documentation and configuration to determine it is configured in accordance with DoD security configuration and implementation guidance, including STIGs, NSA configuration guides, CTOs, DTMs, and IAVMs. -If the MongoDB is not configured in accordance with security configuration settings, this is a finding.SRG-APP-000456-DB-000400<GroupDescription></GroupDescription>MD3X-00-001200MongoDB products must be a version supported by the vendor.<VulnDiscussion>Unsupported commercial and database systems should not be used because fixes to newly identified bugs will not be implemented by the vendor. The lack of support can result in potential vulnerabilities. - -Systems at unsupported servicing levels or releases will not receive security updates for new vulnerabilities, which leaves them subject to exploitation. 
- -When maintenance updates and patches are no longer available, the database software is no longer considered supported and should be upgraded or decommissioned.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MongoDB Enterprise Advanced 3.xDISADPMS TargetMongoDB Enterprise Advanced 3.x4078CCI-003376Remove or decommission all unsupported software products. - -Upgrade unsupported DBMS or unsupported components to a supported version of the product.If new packages are available for PostgreSQL, they can be reviewed in the package manager appropriate for the server operating system: - -To list the version of installed PostgreSQL using psql: - -$ sudo su - postgres -$ psql --version - -To list the current version of software for RPM: - -$ rpm -qa | grep postgres - -To list the current version of software for APT: - -$ apt-cache policy postgres - -All versions of PostgreSQL will be listed here: -http://www.postgresql.org/support/versioning/ - -All security-relevant software updates for PostgreSQL will be listed here: -http://www.postgresql.org/support/security/ - -If PostgreSQL is not at the latest version, this is a finding. \ No newline at end of file +If the MongoDB is not configured in accordance with security configuration settings, this is a finding.SRG-APP-000456-DB-000400<GroupDescription></GroupDescription>MD3X-00-001200MongoDB products must be a version supported by the vendor.<VulnDiscussion>Unsupported commercial and database systems should not be used because fixes to newly identified bugs will not be implemented by the vendor. The lack of support can result in potential vulnerabilities. 
+ +Systems at unsupported servicing levels or releases will not receive security updates for new vulnerabilities, which leaves them subject to exploitation. + +When maintenance updates and patches are no longer available, the database software is no longer considered supported and should be upgraded or decommissioned.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MongoDB Enterprise Advanced 3.xDISADPMS TargetMongoDB Enterprise Advanced 3.x4078CCI-003376Remove or decommission all unsupported software products. + +Upgrade unsupported DBMS or unsupported components to a supported version of the product.Review the system documentation and interview the database administrator. + +Identify all database software components. Review the version and release information. + +To determine the current running MongoDB server version, run the following command from the Mongo Shell: + +db.version() + +Access the MongoDB website (https://www.mongodb.com/support-policy/lifecycles) or use other means to verify the currently running MongoDB server version is still supported. + +If the DBMS or any of the software components are not supported by MongoDB, this is a finding. \ No newline at end of file diff --git a/benchmarks/DISA/U_MS_SQL_Server_2016_Instance_STIG_V2R11_Manual-xccdf.xml b/benchmarks/DISA/U_MS_SQL_Server_2016_Instance_STIG_V2R11_Manual-xccdf.xml index c3d441706..eaa19402e 100644 --- a/benchmarks/DISA/U_MS_SQL_Server_2016_Instance_STIG_V2R11_Manual-xccdf.xml +++ b/benchmarks/DISA/U_MS_SQL_Server_2016_Instance_STIG_V2R11_Manual-xccdf.xml 
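Review bot: The new MD3X-00-001200 check relies on `db.version()`, which returns the version of only the mongod or mongos the shell is connected to, so on a replica set or sharded cluster it verifies one process and leaves the other members, the config servers and any mongos routers uninspected even though the text asks for "all database software components". I would extend the instruction to `Run db.version() against every mongod and mongos in the deployment; for a replica set, connect to each member directly rather than only through the primary.` Since every MongoDB 3.x release appears to be past the end-of-life dates on the lifecycle page the check cites, an assessor applying this benchmark should expect a finding by construction, and saying so explicitly would keep the lifecycle lookup from being treated as a formality. The fix text remains a generic "upgrade to a supported version" and gives no pointer to MongoDB's sequential major-version upgrade requirement, which is presumably covered elsewhere but is the practical obstacle for a 3.x instance.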
@@ -1,4 +1,4 @@ -acceptedMS SQL Server 2016 Instance Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 11 Benchmark Date: 24 Jan 20243.4.1.229161.10.02I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>SRG-APP-000001-DB-000031<GroupDescription></GroupDescription>SQL6-D0-003600SQL Server must limit the number of concurrent sessions to an organization-defined number per user for all accounts and/or account types.<VulnDiscussion>Database management includes the ability to control the number of users and user sessions utilizing SQL Server. Unlimited concurrent connections to SQL Server could allow a successful Denial of Service (DoS) attack by exhausting connection resources; and a system can also fail or be degraded by an overload of legitimate users. Limiting the number of concurrent sessions per user is helpful in reducing these risks. This requirement addresses concurrent session control for a single account. 
It does not address concurrent sessions by a single user via multiple system accounts; and it does not deal with the total number of sessions across all accounts. @@ -30,7 +30,7 @@ If (Select COUNT(1) from sys.dm_exec_sessions WHERE is_user_process = 1 AND orig END END; -Reference: https://msdn.microsoft.com/en-us/library/ms189799.aspxReview the system documentation to determine whether any limits have been defined. If it does not, assume a limit of 10 for database administrators and 2 for all other users. +Reference: https://msdn.microsoft.com/en-us/library/ms189799.aspxReview the system documentation to determine whether any limits have been defined. If it does not, assume a limit of 10 for database administrators and 2 for all other users. If a mechanism other than a logon trigger is used, verify its correct operation by the appropriate means. If it does not work correctly, this is a finding. @@ -100,7 +100,7 @@ Click "Delete". To drop a user via a query: USE database_name; -DROP USER <user_name>;Determine whether SQL Server is configured to use only Windows authentication. +DROP USER <user_name>;Determine whether SQL Server is configured to use only Windows authentication. In the Object Explorer in SQL Server Management Studio (SSMS), right-click on the server instance. Select "Properties". 
@@ -159,7 +159,7 @@ setspn -S MSSQLSvc/<FQDN>:<TCP Port> <Service Account> Restart the SQL Server instance. More information regarding this process is available at: -https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/register-a-service-principal-name-for-kerberos-connections#ManualIf the SQL Server is not part of an Active Directory domain, this finding is Not Applicable. +https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/register-a-service-principal-name-for-kerberos-connections#ManualIf the SQL Server is not part of an Active Directory domain, this finding is Not Applicable. Obtain the fully qualified domain name of the SQL Server instance: 
@@ -226,7 +226,7 @@ Successful authentication must not automatically give an entity access to an ass Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system. -This requirement is applicable to access control enforcement applications, a category that includes database management systems. If SQL Server does not follow applicable policy when approving access, it may be in conflict with networks or other applications in the information system. This may result in users either gaining or being denied access inappropriately and in conflict with applicable policy.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93831V-79125CCI-000213Use GRANT, REVOKE, DENY, ALTER SERVER ROLE … ADD MEMBER … and/or ALTER SERVER ROLE …. DROP MEMBER statements to add and remove permissions on server-level securables, bringing them into line with the documented requirements.Review the system documentation to determine the required levels of protection for DBMS server securables, by type of login. +This requirement is applicable to access control enforcement applications, a category that includes database management systems. 
If SQL Server does not follow applicable policy when approving access, it may be in conflict with networks or other applications in the information system. This may result in users either gaining or being denied access inappropriately and in conflict with applicable policy.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93831V-79125CCI-000213Use GRANT, REVOKE, DENY, ALTER SERVER ROLE … ADD MEMBER … and/or ALTER SERVER ROLE …. DROP MEMBER statements to add and remove permissions on server-level securables, bringing them into line with the documented requirements.Review the system documentation to determine the required levels of protection for DBMS server securables, by type of login. Review the permissions actually in place on the server. 
@@ -242,7 +242,7 @@ Build/configure applications to ensure successful individual authentication prio Ensure each user's identity is received and used in audit data in all relevant circumstances. -Design, develop, and implement a method to log use of any account to which more than one person has access. Restrict interactive access to shared accounts to the fewest persons possible.Obtain the list of authorized SQL Server accounts in the system documentation. +Design, develop, and implement a method to log use of any account to which more than one person has access. Restrict interactive access to shared accounts to the fewest persons possible.Obtain the list of authorized SQL Server accounts in the system documentation. Determine if any accounts are shared. A shared account is defined as a username and password that are used by multiple individuals to log into SQL Server. An example of a shared account is the SQL Server installation account. Windows Groups are not shared accounts as the group itself does not have a password. @@ -276,7 +276,7 @@ GO To grant permissions to services or applications, utilize the Service SID of the service or a domain service account. -Execute the following queries. The first query checks for Clustering and Availability Groups being provisioned in the Database Engine. The second query lists permissions granted to the Local System account. +Execute the following queries. The first query checks for Clustering and Availability Groups being provisioned in the Database Engine. The second query lists permissions granted to the Local System account. SELECT SERVERPROPERTY('IsClustered') AS [IsClustered], 
@@ -302,7 +302,7 @@ Non-repudiation protects against later claims by a user of not having created, m In designing a database, the organization must define the types of data and the user actions that must be protected from repudiation. The implementation must then include building audit features into the application data tables and configuring the DBMS's audit tools to capture the necessary audit trail. Design and implementation also must ensure that applications pass individual user identification to the DBMS, even where the application connects to the DBMS with a standard, shared account. -If the computer account of a remote computer is granted access to SQL Server, any service or scheduled task running as NT AUTHORITY\SYSTEM or NT AUTHORITY\NETWORK SERVICE can log into the instance and perform actions. These actions cannot be traced back to a specific user or process.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93837V-79131CCI-000166Remove all logins that were returned in the check content.Execute the following query: +If the computer account of a remote computer is granted access to SQL Server, any service or scheduled task running as NT AUTHORITY\SYSTEM or NT AUTHORITY\NETWORK SERVICE can log into the instance and perform actions. 
These actions cannot be traced back to a specific user or process.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93837V-79131CCI-000166Remove all logins that were returned in the check content.Execute the following query: SELECT name FROM sys.server_principals 
@@ -335,7 +335,7 @@ DoD has defined the list of events for which SQL Server will provide an audit re (iii) All account creation, modification, disabling, and termination actions. -Organizations may define additional events requiring continuous or ad hoc auditing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93839V-79133CCI-000169Add all required audit events to the STIG Compliant audit specification server documentation.Review the server documentation to determine if any additional events are required to be audited. If no additional events are required, this is not a finding. +Organizations may define additional events requiring continuous or ad hoc auditing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93839V-79133CCI-000169Add all required audit events to the STIG Compliant audit specification server documentation.Review the server documentation to determine if any additional events are required to be audited. If no additional events are required, this is not a finding. Execute the following query to get all of the installed audits: 
@@ -374,7 +374,7 @@ Use REVOKE and/or DENY and/or ALTER SERVER ROLE ... DROP MEMBER ... statements t ALTER SERVER ROLE SERVER_AUDIT_MAINTAINERS ADD MEMBER; GO -Use REVOKE and/or DENY and/or ALTER SERVER ROLE ... DROP MEMBER ... statements to remove CONTROL SERVER, ALTER ANY DATABASE and CREATE ANY DATABASE permissions from logins that do not need them.Obtain the list of approved audit maintainers from the system documentation. +Use REVOKE and/or DENY and/or ALTER SERVER ROLE ... DROP MEMBER ... statements to remove CONTROL SERVER, ALTER ANY DATABASE and CREATE ANY DATABASE permissions from logins that do not need them.Obtain the list of approved audit maintainers from the system documentation. Review the server roles and individual logins that have the following role memberships, all of which enable the ability to create and maintain audit definitions. 
@@ -450,7 +450,7 @@ This requirement addresses explicit requests for privilege/permission/role membe To aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones. -Satisfies: SRG-APP-000091-DB-000066</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93845V-79139CCI-000172Deploy an audit to audit the retrieval of privilege/permission/role membership information. See the supplemental file "SQL 2016 Audit.sql".Review the system documentation to determine if SQL Server is required to audit the retrieval of privilege/permission/role membership information. +Satisfies: SRG-APP-000091-DB-000066</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93845V-79139CCI-000172Deploy an audit to audit the retrieval of privilege/permission/role membership information. See the supplemental file "SQL 2016 Audit.sql".Review the system documentation to determine if SQL Server is required to audit the retrieval of privilege/permission/role membership information. If SQL Server is not required to audit the retrieval of privilege/permission/role membership information, this is not a finding. 
@@ -486,7 +486,7 @@ SELECT name AS 'Audit Name', FROM sys.dm_server_audit_status WHERE status_desc = 'STARTED' -Ensure the SQL STIG Audit is configured to initiate session auditing upon startup.When Audits are enabled, they start up when the instance starts. +Ensure the SQL STIG Audit is configured to initiate session auditing upon startup.When Audits are enabled, they start up when the instance starts. https://msdn.microsoft.com/en-us/library/cc280386.aspx#Anchor_2 Check if an audit is configured and enabled. 
@@ -505,7 +505,7 @@ The organization must determine what additional information is required for comp Examples of detailed information the organization may require in audit records are full-text recording of privileged commands or the individual identities of shared account users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93851V-79145CCI-000135Design and deploy an Audit that captures all auditable events and data items. In the event a third-party tool is used for auditing it must contain all the required information including but not limited to events, type, location, subject, date and time and by whom the change occurred. -Implement additional custom audits to capture the additional organizational required information.If a SQL Server Audit is not in use for audit purposes, this is a finding unless a third-party product is being used that can perform detailed auditing for SQL Server. +Implement additional custom audits to capture the additional organizational required information.If a SQL Server Audit is not in use for audit purposes, this is a finding unless a third-party product is being used that can perform detailed auditing for SQL Server. Review system documentation to determine whether SQL Server is required to audit any events, and any fields, in addition to those in the standard audit. 
@@ -526,7 +526,7 @@ GO ALTER SERVER AUDIT [AuditNameHere] WITH (ON_FAILURE = SHUTDOWN); GO ALTER SERVER AUDIT [AuditNameHere] WITH (STATE = ON); -GOIf the system documentation indicates that availability takes precedence over audit trail completeness, this is not applicable (NA). +GOIf the system documentation indicates that availability takes precedence over audit trail completeness, this is not applicable (NA). If SQL Server Audit is in use, review the defined server audits by running the statement: @@ -551,7 +551,7 @@ GO ALTER SERVER AUDIT [AuditName] to file (max_rollover_files = IntegerValue); GO ALTER SERVER AUDIT [AuditName] WITH (STATE = ON); -GOIf the system documentation indicates that availability does not take precedence over audit trail completeness, this is not applicable (NA). +GOIf the system documentation indicates that availability does not take precedence over audit trail completeness, this is not applicable (NA). Execute the following query: @@ -610,7 +610,7 @@ Note 2: Tips for adding a service SID/virtual account to a folder's permission l 7.b.i) Type "NT SERVICE\SQL" and click "Check Names". 7.b.ii) Select the "SQLAgent$" user and click "OK". 8) Click "OK". -9) Permission like a normal user from here.If the database is setup to write audit logs using APPLICATION or SECURITY event logs rather than writing to a file, this is N/A. +9) Permission like a normal user from here.If the database is setup to write audit logs using APPLICATION or SECURITY event logs rather than writing to a file, this is N/A. Obtain the SQL Server audit file location(s) by running the following SQL script: 
@@ -642,7 +642,7 @@ Satisfies: SRG-APP-000121-DB-000202, SRG-APP-000123-DB-000204</VulnDiscussion USE master; DENY [ALTER ANY SERVER AUDIT] TO [User]; -GOCheck the server documentation for a list of approved users with access to SQL Server Audits. +GOCheck the server documentation for a list of approved users with access to SQL Server Audits. To create, alter, or drop a server audit, principals require the ALTER ANY SERVER AUDIT or the CONTROL SERVER permission. 
@@ -659,7 +659,7 @@ If unauthorized accounts have these privileges, this is a finding.DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93869V-79163CCI-001499Change the ownership of all shared software libraries on disk to the authorized account. Remove any modify permissions granted to unauthorized users or groups.Review Server documentation to determine the authorized owner and users or groups with modify rights for this SQL instance's binary files. Additionally check the owner and users or groups with modify rights for shared software library paths on disk. +Unmanaged changes that occur to the database software libraries or configuration can lead to unauthorized or compromised installations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93869V-79163CCI-001499Change the ownership of all shared software libraries on disk to the authorized account. Remove any modify permissions granted to unauthorized users or groups.Review Server documentation to determine the authorized owner and users or groups with modify rights for this SQL instance's binary files. Additionally check the owner and users or groups with modify rights for shared software library paths on disk. If any unauthorized users are granted modify rights or the owner is incorrect, this is a finding. 
@@ -675,7 +675,7 @@ A PowerShell based hashing solution is one such process. The Get-FileHash comman Using the Export-Clixml command (https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Export-Clixml), a baseline can be established and exported to a file. -Using the Compare-Object command (https://technet.microsoft.com/en-us/library/ee156812.aspx), a comparison of the latest baseline versus the original baseline can be used to expose the differences.Review server documentation to determine the process by which shared software libraries are monitored for change. Ensure the process alerts for changes in a file's ownership, modification dates, and hash value at a minimum. +Using the Compare-Object command (https://technet.microsoft.com/en-us/library/ee156812.aspx), a comparison of the latest baseline versus the original baseline can be used to expose the differences.Review server documentation to determine the process by which shared software libraries are monitored for change. Ensure the process alerts for changes in a file's ownership, modification dates, and hash value at a minimum. If alerts do not at least hash their value, this is a finding. 
@@ -689,7 +689,7 @@ If the system were to allow any user to make changes to software libraries, then DBA and other privileged administrative or application owner accounts are granted privileges that allow actions that can have a great impact on SQL Server security and operation. It is especially important to grant privileged access to only those persons who are qualified and authorized to use them.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93873V-79167CCI-001499From a command prompt, open lusrmgr.msc. Navigate to Users and right-click Individual User. Select Properties >> Member Of. -Configure SQL Server and OS settings and access controls to restrict user access to objects and data that the user is authorized to view/use.From the system documentation, obtain the list of accounts authorized to install/update SQL Server. Run the following PowerShell command to list all users who have installed/modified SQL Server 2016 software and compare the list against those persons who are qualified and authorized to use the software. +Configure SQL Server and OS settings and access controls to restrict user access to objects and data that the user is authorized to view/use.From the system documentation, obtain the list of accounts authorized to install/update SQL Server. Run the following PowerShell command to list all users who have installed/modified SQL Server 2016 software and compare the list against those persons who are qualified and authorized to use the software. 
sl "C:\program files\microsoft sql server\130\setup bootstrap\Log" Get-ChildItem -Recurse | Select-String -Pattern "LogonUser = " @@ -700,7 +700,7 @@ Multiple applications can provide a cumulative negative effect. A vulnerability Relocate or reinstall other application software that currently shares directories with SQL Server components. -Separate from the operating system and/or temporary storage.Determine the directory in which SQL Server has been installed: +Separate from the operating system and/or temporary storage.Determine the directory in which SQL Server has been installed: Using SQL Server Management Studio's Object Explorer: - Right-click [SQL Server Instance] 
@@ -740,7 +740,7 @@ It is detrimental for software products to provide, or install by default, funct DBMSs must adhere to the principles of least functionality by providing only essential capabilities. -Demonstration and sample database objects and applications present publicly known attack points for malicious users. These demonstration and sample objects are meant to provide simple examples of coding specific functions and are not developed to prevent vulnerabilities from being introduced to SQL Server and host system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93877V-79171CCI-000381Remove all demonstration or sample databases from production instances.Review the server documentation, if this system is identified as a development or test system, this check is Not Applicable. +Demonstration and sample database objects and applications present publicly known attack points for malicious users. 
These demonstration and sample objects are meant to provide simple examples of coding specific functions and are not developed to prevent vulnerabilities from being introduced to SQL Server and host system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93877V-79171CCI-000381Remove all demonstration or sample databases from production instances.Review the server documentation, if this system is identified as a development or test system, this check is Not Applicable. If this system is identified as production, gather a listing of databases from the server and look for any matching the following general demonstration database names: 
@@ -753,7 +753,7 @@ If any of these databases exist, this is a finding.DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93879V-79173CCI-000381Remove all features that are not required.From the server documentation, obtain a listing of required components. +DBMSs must adhere to the principles of least functionality by providing only essential capabilities.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93879V-79173CCI-000381Remove all features that are not required.From the server documentation, obtain a listing of required components. Generate a listing of components installed on the server. 
@@ -767,7 +767,7 @@ It is detrimental for software products to provide, or install by default, funct DBMSs must adhere to the principles of least functionality by providing only essential capabilities. -Unused, unnecessary DBMS components increase the attack vector for SQL Server by introducing additional targets for attack. By minimizing the services and applications installed on the system, the number of potential vulnerabilities is reduced. Components of the system that are unused and cannot be uninstalled must be disabled. The techniques available for disabling components will vary by DBMS product, OS, and the nature of the component and may include DBMS configuration settings, OS service settings, OS file access security, and DBMS user/role permissions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93881V-79175CCI-000381Disable any unused components or features that cannot be uninstalled.From the server documentation, obtain a listing of required components. +Unused, unnecessary DBMS components increase the attack vector for SQL Server by introducing additional targets for attack. By minimizing the services and applications installed on the system, the number of potential vulnerabilities is reduced. Components of the system that are unused and cannot be uninstalled must be disabled. 
The techniques available for disabling components will vary by DBMS product, OS, and the nature of the component and may include DBMS configuration settings, OS service settings, OS file access security, and DBMS user/role permissions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93881V-79175CCI-000381Disable any unused components or features that cannot be uninstalled.From the server documentation, obtain a listing of required components. Generate a listing of components installed on the server. @@ -798,7 +798,7 @@ GO  EXEC sp_configure 'xp_cmdshell', 0;  GO  RECONFIGURE;  -GO??The xp_cmdshell extended stored procedure allows execution of host executables outside the controls of database access permissions. This access may be exploited by malicious users who have compromised the integrity of the SQL Server database process to control the host operating system to perpetrate additional malicious activity. +GO??The xp_cmdshell extended stored procedure allows execution of host executables outside the controls of database access permissions. This access may be exploited by malicious users who have compromised the integrity of the SQL Server database process to control the host operating system to perpetrate additional malicious activity. To determine if xp_cmdshell is enabled, execute the following commands: 
@@ -829,7 +829,7 @@ GO RECONFIGURE; GO -For any approved CLR code with Unsafe or External permissions, use the ALTER ASSEMBLY to change the Permission set for the Assembly and ensure a certificate is configured.The common language runtime (CLR) component of the .NET Framework for Microsoft Windows in SQL Server allows you to write stored procedures, triggers, user-defined types, user-defined functions, user-defined aggregates, and streaming table-valued functions, using any .NET Framework language, including Microsoft Visual Basic .NET and Microsoft Visual C#. CLR packing assemblies can access resources protected by .NET Code Access Security when it runs managed code. Specifying UNSAFE enables the code in the assembly complete freedom to perform operations in the SQL Server process space that can potentially compromise the robustness of SQL Server. UNSAFE assemblies can also potentially subvert the security system of either SQL Server or the common language runtime. +For any approved CLR code with Unsafe or External permissions, use the ALTER ASSEMBLY to change the Permission set for the Assembly and ensure a certificate is configured.The common language runtime (CLR) component of the .NET Framework for Microsoft Windows in SQL Server allows you to write stored procedures, triggers, user-defined types, user-defined functions, user-defined aggregates, and streaming table-valued functions, using any .NET Framework language, including Microsoft Visual Basic .NET and Microsoft Visual C#. CLR packing assemblies can access resources protected by .NET Code Access Security when it runs managed code. Specifying UNSAFE enables the code in the assembly complete freedom to perform operations in the SQL Server process space that can potentially compromise the robustness of SQL Server. UNSAFE assemblies can also potentially subvert the security system of either SQL Server or the common language runtime. To determine if CLR is enabled, execute the following commands: 
@@ -859,7 +859,7 @@ SQL Server may spawn additional external processes to execute procedures that ar Extended stored procedures are DLLs that an instance of SQL Server can dynamically load and run. Extended stored procedures run directly in the address space of an instance of SQL Server and are programmed by using the SQL Server Extended Stored Procedure API. Non-Standard extended stored procedures can compromise the integrity of the SQL Server process. This feature will be removed in a future version of Microsoft SQL Server. Do not use this feature in new development work, and modify applications that currently use this feature as soon as possible.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93887V-79181CCI-000381Remove any Non-Standard extended stored procedures that are not documented and approved. -sp_dropextendedproc 'proc name'Extended stored procedures are DLLs that an instance of SQL Server can dynamically load and run. Extended stored procedures run directly in the address space of an instance of SQL Server and are programmed by using the SQL Server Extended Stored Procedure API. +sp_dropextendedproc 'proc name'Extended stored procedures are DLLs that an instance of SQL Server can dynamically load and run. Extended stored procedures run directly in the address space of an instance of SQL Server and are programmed by using the SQL Server Extended Stored Procedure API. Non-Standard extended stored procedures can compromise the integrity of the SQL Server process. This feature will be removed in a future version of Microsoft SQL Server. 
Do not use this feature in new development work, and modify applications that currently use this feature as soon as possible. @@ -889,7 +889,7 @@ sp_dropserver 'LinkedServerName', 'droplogins'; To remove a login from a linked server run the following: -EXEC sp_droplinkedsrvlogin 'LoginName', NULL;A linked server allows for access to distributed, heterogeneous queries against OLE DB data sources. After a linked server is created, distributed queries can be run against this server, and queries can join tables from more than one data source. If the linked server is defined as an instance of SQL Server, remote stored procedures can be executed. +EXEC sp_droplinkedsrvlogin 'LoginName', NULL;A linked server allows for access to distributed, heterogeneous queries against OLE DB data sources. After a linked server is created, distributed queries can be run against this server, and queries can join tables from more than one data source. If the linked server is defined as an instance of SQL Server, remote stored procedures can be executed. To obtain a list of linked servers, execute the following command: 
@@ -911,7 +911,7 @@ Applications are capable of providing a wide variety of functions and services. To support the requirements and principles of least functionality, the application must support the organizational requirements providing only essential capabilities and limiting the use of protocols to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues. -SQL Server using protocols deemed unsafe is open to attack through those protocols. This can allow unauthorized access to the database and through the database to other components of the information system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93891V-79185CCI-000382In SQL Server Configuration Manager >> SQL Server Network Configuration >> Protocols, right-click on each listed protocol that is enabled but not authorized and Select "Disable".To determine the protocol(s) enabled for SQL Server, open SQL Server Configuration Manager. In the left-hand pane, expand SQL Server Network Configuration. Click on the entry for the SQL Server instance under review: "Protocols for ". The right-hand pane displays the protocols enabled for the instance. +SQL Server using protocols deemed unsafe is open to attack through those protocols. 
This can allow unauthorized access to the database and through the database to other components of the information system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93891V-79185CCI-000382In SQL Server Configuration Manager >> SQL Server Network Configuration >> Protocols, right-click on each listed protocol that is enabled but not authorized and Select "Disable".To determine the protocol(s) enabled for SQL Server, open SQL Server Configuration Manager. In the left-hand pane, expand SQL Server Network Configuration. Click on the entry for the SQL Server instance under review: "Protocols for ". The right-hand pane displays the protocols enabled for the instance. If Named Pipes is enabled and not specifically required and authorized, this is a finding. 
@@ -921,7 +921,7 @@ Applications are capable of providing a wide variety of functions and services. To support the requirements and principles of least functionality, the application must support the organizational requirements providing only essential capabilities and limiting the use of ports to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues. -SQL Server using ports deemed unsafe is open to attack through those ports. This can allow unauthorized access to the database and through the database to other components of the information system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93893V-79187CCI-000382Use SQL Server Configuration to change the ports used by SQL Server to comply with PPSM guidance, or document the need for other ports, and obtain written approval. Close ports no longer needed.Review SQL Server Configuration for the ports used by SQL Server. +SQL Server using ports deemed unsafe is open to attack through those ports. 
This can allow unauthorized access to the database and through the database to other components of the information system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93893V-79187CCI-000382Use SQL Server Configuration to change the ports used by SQL Server to comply with PPSM guidance, or document the need for other ports, and obtain written approval. Close ports no longer needed.Review SQL Server Configuration for the ports used by SQL Server. To determine whether SQL Server is configured to use a fixed port or dynamic ports, in the right-hand pane double-click on the TCP/IP entry, to open the Properties dialog. (The default fixed port is 1433.) 
@@ -934,7 +934,7 @@ Organizational users include organizational employees or individuals the organiz Configure applications to ensure successful individual authentication prior to shared account access. -Ensure each user's identity is received and used in audit data in all relevant circumstances.Review SQL Server users to determine whether shared accounts exist. (This does not include the case where SQL Server has a guest or public account that is providing access to publicly available information.) +Ensure each user's identity is received and used in audit data in all relevant circumstances.Review SQL Server users to determine whether shared accounts exist. (This does not include the case where SQL Server has a guest or public account that is providing access to publicly available information.) If accounts are determined to be shared, determine if individuals are first individually authenticated. Where an application connects to SQL Server using a standard, shared account, ensure that it also captures the individual user identification and passes it to SQL Server. @@ -951,7 +951,7 @@ In such cases, the DoD standards for password complexity and lifetime must be im 2. Ensure SQL Server is configured to inherit password complexity rules from the operating system for SQL logins. Ensure check of policy and expiration are enforced when SQL logins are created. CREATE LOGIN <login_name> WITH PASSWORD= <enterStrongPasswordHere>, CHECK_EXPIRATION = ON, CHECK_POLICY = ON; -Check for use of SQL Server Authentication: +Check for use of SQL Server Authentication: SELECT CASE SERVERPROPERTY('IsIntegratedSecurityOnly') WHEN 1 THEN 'Windows Authentication' WHEN 0 THEN 'SQL Server Authentication' END as [Authentication Mode] 
@@ -980,7 +980,7 @@ Ensure the DISA Windows Password Policy is set on the SQL Server member server.< The DoD standard for authentication is DoD-approved PKI certificates. Authentication based on User ID and Password may be used only when it is not possible to employ a PKI certificate, and requires AO approval. -In such cases, the DoD standards for password complexity and lifetime must be implemented. DBMS products that can inherit the rules for these from the operating system or access control program (e.g., Microsoft Active Directory) must be configured to do so. For other DBMSs, the rules must be enforced using available configuration parameters or custom code.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93899V-79193CCI-000192Configure the SQL Server contained databases to have users originating from Windows principals. Remove any users not created from Windows principals.Execute the following query to determine if Contained Databases are used: +In such cases, the DoD standards for password complexity and lifetime must be implemented. DBMS products that can inherit the rules for these from the operating system or access control program (e.g., Microsoft Active Directory) must be configured to do so. 
For other DBMSs, the rules must be enforced using available configuration parameters or custom code.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93899V-79193CCI-000192Configure the SQL Server contained databases to have users originating from Windows principals. Remove any users not created from Windows principals.Execute the following query to determine if Contained Databases are used: SELECT * FROM sys.databases WHERE containment = 1 @@ -1017,7 +1017,7 @@ For clustered instances install the certificate after setting "Force Encryption" 5. If the SQL virtual server is currently on this node, failover to another node in your cluster, and then reboot the node where the registry change occurred. 6. Repeat this procedure on all the nodes. -From a command prompt, open SQL Server Configuration Manager by typing "sqlservermanager13.msc", and pressing "ENTER". +From a command prompt, open SQL Server Configuration Manager by typing "sqlservermanager13.msc", and pressing "ENTER". Navigate to SQL Server Configuration Manager >> SQL Server Network Configuration. Right-click on Protocols, where there is a placeholder for the SQL Server instance name, and click on “Properties”. @@ -1124,7 +1124,7 @@ Disable unwanted SSL/TLS protocol versions: 10.Repeat steps 3 – 9 for the "Server" subkey. 11.Repeat steps 1 – 10 for "TLS 1.1", "SSL 2.0", and "SSL 3.0". -Access the SQL Server. +Access the SQL Server. Access an administrator command prompt. Type "regedit" to launch the Registry Editor. 
@@ -1156,7 +1156,7 @@ Start >> Control Panel >> Administrative Tools >> Local Securi Double-click "System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing." -Click Enabled >> Apply.Review system configuration to determine whether FIPS compliant support has been enabled. +Click Enabled >> Apply.Review system configuration to determine whether FIPS compliant support has been enabled. Start >> Control Panel >> Administrative Tools >> Local Security Policy >> Local Policies >> Security Options 
@@ -1178,7 +1178,7 @@ https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated More information on the FIPS 140-3 transition can be found here: https://csrc.nist.gov/Projects/fips-140-3-transition-effort/</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93905V-79199CCI-000803In Windows, open Administrative Tools >> Local Security Policy. Expand Local Policies >> Security Options. In the right-side pane, double-click on "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing". -In the dialog box that appears, if the radio buttons are active, click "Enabled", and then click "Apply". If the radio buttons are grayed out, use Group Policy Management (on the appropriate server for this domain) to enforce the Enabled policy, and deploy it to the server(s) running SQL Server.In Windows, open Administrative Tools >> Local Security Policy. Expand Local Policies >> Security Options. In the right-side pane, find "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing". +In the dialog box that appears, if the radio buttons are active, click "Enabled", and then click "Apply". If the radio buttons are grayed out, use Group Policy Management (on the appropriate server for this domain) to enforce the Enabled policy, and deploy it to the server(s) running SQL Server.In Windows, open Administrative Tools >> Local Security Policy. Expand Local Policies >> Security Options. In the right-side pane, find "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing". 
If, in the "Security Setting" column, the value is "Disabled," this is a finding. 
@@ -1188,7 +1188,7 @@ Non-organizational users must be uniquely identified and authenticated for all a Accordingly, a risk assessment is used in determining the authentication needs of the organization. -Scalability, practicality, and security are simultaneously considered in balancing the need to ensure ease of use for access to federal information and information systems with the need to protect and adequately mitigate risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93907V-79201CCI-000804Ensure all logins are uniquely identifiable and authenticate all non-organizational users who log onto the system. This likely would be done via a combination of the operating system with unique accounts and the SQL Server by ensuring mapping to individual accounts. Verify server documentation to ensure accounts are documented and unique.Review documentation, SQL Server settings, and authentication system settings to determine if non-organizational users are individually identified and authenticated when logging onto the system. 
+Scalability, practicality, and security are simultaneously considered in balancing the need to ensure ease of use for access to federal information and information systems with the need to protect and adequately mitigate risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93907V-79201CCI-000804Ensure all logins are uniquely identifiable and authenticate all non-organizational users who log onto the system. This likely would be done via a combination of the operating system with unique accounts and the SQL Server by ensuring mapping to individual accounts. Verify server documentation to ensure accounts are documented and unique.Review documentation, SQL Server settings, and authentication system settings to determine if non-organizational users are individually identified and authenticated when logging onto the system. Execute the following query to obtain a list of logins on the SQL Server and ensure all accounts are uniquely identifiable: 
@@ -1204,7 +1204,7 @@ The preferred technique for thwarting guesses at Session IDs is the generation o However, it is recognized that available DBMS products do not all implement the preferred technique yet may have other protections against session hijacking. Therefore, other techniques are acceptable, provided they are demonstrated to be effective.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93909V-79203CCI-001188Configure Windows to require the use of FIPS compliant algorithms. -Click Start >> Type "Local Security Policy" >> Press Enter >> Expand "Local Policies" >> Select "Security Options" >> Locate "System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing." >> Change the Setting option to "Enabled" >> Restart WindowsVerify that Windows is configured to require the use of FIPS compliant algorithms. +Click Start >> Type "Local Security Policy" >> Press Enter >> Expand "Local Policies" >> Select "Security Options" >> Locate "System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing." >> Change the Setting option to "Enabled" >> Restart WindowsVerify that Windows is configured to require the use of FIPS compliant algorithms. Click Start >> Type "Local Security Policy" >> Press Enter >> Expand "Local Policies" >> Select "Security Options" >> Locate "System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing." 
@@ -1216,7 +1216,7 @@ If the confidentiality and integrity of SQL Server data is not protected, the da To enable database encryption, create a master key, create a database encryption key, and protect it by using mechanisms tied to the master key, and then set encryption on. -Implement physical security measures, operating system access control lists and organizational controls appropriate to the sensitivity level of the data in the database(s).Review system documentation to determine whether the system handles classified information. If the system does not handle classified information, the severity of this check should be downgraded to Category II. +Implement physical security measures, operating system access control lists and organizational controls appropriate to the sensitivity level of the data in the database(s).Review system documentation to determine whether the system handles classified information. If the system does not handle classified information, the severity of this check should be downgraded to Category II. If the application owner and Authorizing Official have determined that encryption of data at rest is required, ensure the data on secondary devices is encrypted. @@ -1247,7 +1247,7 @@ Verify that there are physical security measures, operating system access contro BACKUP SERVICE MASTER KEY TO FILE = 'path_to_file' ENCRYPTION BY PASSWORD = 'password'; -As this requires a password, take care to ensure it is not exposed to unauthorized persons or stored as plain text.Review procedures for, and evidence of backup of, the Server Service Master Key in the System Security Plan. +As this requires a password, take care to ensure it is not exposed to unauthorized persons or stored as plain text.Review procedures for, and evidence of backup of, the Server Service Master Key in the System Security Plan. If the procedures or evidence does not exist, this is a finding. 
@@ -1258,7 +1258,7 @@ If procedures do not indicate access restrictions to the Service Master Key back BACKUP MASTER KEY TO FILE = 'path_to_file' ENCRYPTION BY PASSWORD = 'password'; -As this requires a password, take care to ensure it is not exposed to unauthorized persons or stored as plain text.If the application owner and Authorizing Official have determined that encryption of data at rest is not required, this is not a finding. +As this requires a password, take care to ensure it is not exposed to unauthorized persons or stored as plain text.If the application owner and Authorizing Official have determined that encryption of data at rest is not required, this is not a finding. Review procedures for, and evidence of backup of, the Master Key in the System Security Plan. @@ -1275,7 +1275,7 @@ GO sp_configure 'common criteria compliance enabled', 1; GO RECONFIGURE -GOReview system documentation to determine if Common Criteria Compliance is not required due to potential impact on system performance. +GOReview system documentation to determine if Common Criteria Compliance is not required due to potential impact on system performance. SQL Server Residual Information Protection (RIP) requires a memory allocation to be overwritten with a known pattern of bits before memory is reallocated to a new resource. Meeting the RIP standard can contribute to improved security; however, overwriting the memory allocation can slow performance. After the common criteria compliance enabled option is enabled, the overwriting occurs. 
@@ -1290,7 +1290,7 @@ If "value_in_use" is set to "1" this is not a finding. If "value_in_use" is set to "0" this is a finding. NOTE: Enabling this feature may impact performance on highly active SQL Server instances. If an exception justifying setting SQL Server Residual Information Protection (RIP) to disabled (value_in_use set to "0") has been documented and approved, then this may be downgraded to a CAT III finding. -SRG-APP-000243-DB-000373<GroupDescription></GroupDescription>SQL6-D0-009900SQL Server must prevent unauthorized and unintended information transfer via Instant File Initialization (IFI).<VulnDiscussion>The purpose of this control is to prevent information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on behalf of a prior user/role) from being available to any current user/role (or current process) that obtains access to a shared system resource (e.g., registers, main memory, secondary storage) after the resource has been released back to the information system. Control of information in shared resources is also referred to as object reuse.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93919V-79213CCI-001090If IFI is not documented as being required, disable instant file initialization for the instance of SQL Server by removing the SQL Service SID and/or service account from the "Perform volume maintenance tasks" Local Rights Assignment.Review the system documentation to determine if Instant File Initialization (IFI) is required. 
+SRG-APP-000243-DB-000373<GroupDescription></GroupDescription>SQL6-D0-009900SQL Server must prevent unauthorized and unintended information transfer via Instant File Initialization (IFI).<VulnDiscussion>The purpose of this control is to prevent information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on behalf of a prior user/role) from being available to any current user/role (or current process) that obtains access to a shared system resource (e.g., registers, main memory, secondary storage) after the resource has been released back to the information system. Control of information in shared resources is also referred to as object reuse.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93919V-79213CCI-001090If IFI is not documented as being required, disable instant file initialization for the instance of SQL Server by removing the SQL Service SID and/or service account from the "Perform volume maintenance tasks" Local Rights Assignment.Review the system documentation to determine if Instant File Initialization (IFI) is required. If IFI is documented as required, this is not a finding. 
@@ -1301,7 +1301,7 @@ Start >> Control Panel >> Administrative Tools >> Local Securi If the SQL Service SID (Default instance: NT SERVICE\MSSQLSERVER. Named instance: NT SERVICE\MSSQL$InstanceName) has been granted "Perform volume maintenance tasks" Local Rights Assignment and if it is not documented in the system documentation, this is a finding.SRG-APP-000243-DB-000374<GroupDescription></GroupDescription>SQL6-D0-010000Access to database files must be limited to relevant processes and to authorized, administrative users.<VulnDiscussion>SQL Server must prevent unauthorized and unintended information transfer via shared system resources. Permitting only SQL Server processes and authorized, administrative users to have access to the files where the database resides helps ensure that those files are not shared inappropriately and are not open to backdoor access and manipulation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93921V-79215CCI-001090Remove any unauthorized permission grants from SQL Server data, log, and backup directories. 1) On the "Security" tab, highlight the user entry. -2) Click "Remove".Review the permissions granted to users by the operating system/file system on the database files, database log files, and database backup files. +2) Click "Remove".Review the permissions granted to users by the operating system/file system on the database files, database log files, and database backup files. To obtain the location of SQL Server data, transaction log, and backup files, open and execute the supplemental file "Get SQL Data and Backup Directories.sql". 
@@ -1339,7 +1339,7 @@ If any non-authorized users have access to the SQL Server Error Log located at P Consider enabling trace flag 3625 to mask certain system-level error information returned to non-administrative users. -Launch SQL Server Configuration Manager >> Click SQL Services >> Open the instance properties >> Click the Service Parameters tab >> Enter "-T3625" >> Click Add >> Click OK >> Restart SQL instance.Error messages within applications, custom database code (stored procedures, triggers) must be enforced by guidelines and code reviews practices. +Launch SQL Server Configuration Manager >> Click SQL Services >> Open the instance properties >> Click the Service Parameters tab >> Enter "-T3625" >> Click Add >> Click OK >> Restart SQL instance.Error messages within applications, custom database code (stored procedures, triggers) must be enforced by guidelines and code reviews practices. SQL Server generates certain system events and user-defined events to the SQL Server error log. The SQL Server error log can be viewed using SQL Server Management Studio GUI. All users granted the security admin or sysadmin level of permission are able to view the logs. Review the users returned in the following script: 
@@ -1381,7 +1381,7 @@ UPDATE without a WHERE clause; Any SELECT, INSERT, UPDATE, or DELETE to an application-defined security table executed by other than a security principal. -Depending on the capabilities of SQL Server and the design of the database and associated applications, the prevention of unauthorized use of privileged functions may be achieved by means of DBMS security features, database triggers, other mechanisms, or a combination of these.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93925V-79219CCI-002235Restrict the granting of permissions to server-level securables to only those authorized. Most notably, members of sysadmin and securityadmin built-in instance-level roles, CONTROL SERVER permission, and use of the GRANT with GRANT permission.Review server-level securables and built-in role membership to ensure only authorized users have privileged access and the ability to create server-level objects and grant permissions to themselves or others. 
+Depending on the capabilities of SQL Server and the design of the database and associated applications, the prevention of unauthorized use of privileged functions may be achieved by means of DBMS security features, database triggers, other mechanisms, or a combination of these.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93925V-79219CCI-002235Restrict the granting of permissions to server-level securables to only those authorized. Most notably, members of sysadmin and securityadmin built-in instance-level roles, CONTROL SERVER permission, and use of the GRANT with GRANT permission.Review server-level securables and built-in role membership to ensure only authorized users have privileged access and the ability to create server-level objects and grant permissions to themselves or others. Review the system documentation to determine the required levels of protection for DBMS server securables, by type of login. @@ -1457,7 +1457,7 @@ GO USE [msdb] EXEC sp_delete_proxy @proxy_name = '<Proxy Name>' -GOReview the server documentation to obtain a listing of accounts used for executing external processes. Execute the following query to obtain a listing of accounts currently configured for use by external processes. +GOReview the server documentation to obtain a listing of accounts used for executing external processes. Execute the following query to obtain a listing of accounts currently configured for use by external processes. SELECT C.name AS credential_name, C.credential_identity FROM sys.credentials C 
@@ -1473,11 +1473,11 @@ If any Credentials or SQL Agent Proxy accounts are returned that are not documen The content captured in audit records must be managed from a central location (necessitating automation). Centralized management of audit records and logs provides for efficiency in maintenance and management of records, as well as the backup and archiving of those records. -SQL Server may write audit records to database tables, to files in the file system, to other kinds of local repository, or directly to a centralized log management system. Whatever the method used, it must be compatible with off-loading the records to the centralized system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93929V-79223CCI-001844Configure and/or deploy software tools to ensure that SQL Server audit records are written directly to or systematically transferred to a centralized log management system.Review the system documentation for a description of how audit records are off-loaded and how local audit log space is managed. +SQL Server may write audit records to database tables, to files in the file system, to other kinds of local repository, or directly to a centralized log management system. 
Whatever the method used, it must be compatible with off-loading the records to the centralized system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93929V-79223CCI-001844Configure and/or deploy software tools to ensure that SQL Server audit records are written directly to or systematically transferred to a centralized log management system.Review the system documentation for a description of how audit records are off-loaded and how local audit log space is managed. If the SQL Server audit records are not written directly to or systematically transferred to a centralized log management system, this is a finding.SRG-APP-000356-DB-000315<GroupDescription></GroupDescription>SQL6-D0-010800SQL Server must provide centralized configuration of the content to be captured in audit records generated by all components of SQL Server.<VulnDiscussion>If the configuration of SQL Server's auditing is spread across multiple locations in the database management software, or across multiple commands, only loosely related, it is harder to use and takes longer to reconfigure in response to events. 
-SQL Server must provide a unified tool for audit configuration.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93931V-79225CCI-001844Configure and/or deploy software tools to ensure that SQL Server audit records (to include traces used for audit purposes) are written directly to or systematically transferred to a centralized log management system.Review the system documentation for a description of how audit records are off-loaded and how local audit log space is managed. +SQL Server must provide a unified tool for audit configuration.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93931V-79225CCI-001844Configure and/or deploy software tools to ensure that SQL Server audit records (to include traces used for audit purposes) are written directly to or systematically transferred to a centralized log management system.Review the system documentation for a description of how audit records are off-loaded and how local audit log space is managed. 
If the SQL Server audit records (to include traces used for audit purposes) are not written directly to or systematically transferred to a centralized log management system, this is a finding.SRG-APP-000357-DB-000316<GroupDescription></GroupDescription>SQL6-D0-010900SQL Server must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.<VulnDiscussion>In order to ensure sufficient storage capacity for the audit logs, SQL Server must be able to allocate audit record storage capacity. Although another requirement (SRG-APP-000515-DB-000318) mandates that audit data be off-loaded to a centralized log management system, it remains necessary to provide space on the database server to serve as a buffer against outages and capacity limits of the off-loading mechanism. @@ -1489,7 +1489,7 @@ Configure the maximum number of audit log files that are to be generated, stayin Update the "max_files" parameter of the audits to ensure the correct number of files is defined. -If writing to application event logs or security logs, space considerations are covered in the Windows Server STIGs. Be sure to reference these depending on the OS in use.If the database is setup to write audit logs using APPLICATION or SECURITY event logs rather than writing to a file, this is N/A. +If writing to application event logs or security logs, space considerations are covered in the Windows Server STIGs. Be sure to reference these depending on the OS in use.If the database is setup to write audit logs using APPLICATION or SECURITY event logs rather than writing to a file, this is N/A. Check the server documentation for the SQL Audit file size configurations. Locate the Audit file path and drive. 
@@ -1504,7 +1504,7 @@ If support personnel are not notified immediately upon storage volume utilizatio The appropriate support staff include, at a minimum, the ISSO and the DBA/SA. -Monitoring of free space can be accomplished using Microsoft System Center or a third-party monitoring tool.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93935V-79229CCI-001855Utilize operating system alerting mechanisms, SQL Agent, Operations Management tools, and/or third-party tools to configure the system to notify appropriate support staff immediately upon storage volume utilization reaching 75%.The operating system and SQL Server offer a number of methods for checking the drive or volume free space. Locate the destination drive where SQL Audits are stored and review system configuration. 
+Monitoring of free space can be accomplished using Microsoft System Center or a third-party monitoring tool.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93935V-79229CCI-001855Utilize operating system alerting mechanisms, SQL Agent, Operations Management tools, and/or third-party tools to configure the system to notify appropriate support staff immediately upon storage volume utilization reaching 75%.The operating system and SQL Server offer a number of methods for checking the drive or volume free space. Locate the destination drive where SQL Audits are stored and review system configuration. If no alert exist to notify support staff in the event the SQL Audit drive reaches 75%, this is a finding.SRG-APP-000360-DB-000320<GroupDescription></GroupDescription>SQL6-D0-011100SQL Server must provide an immediate real-time alert to appropriate support staff of all audit log failures.<VulnDiscussion>It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. 
@@ -1512,13 +1512,13 @@ The appropriate support staff include, at a minimum, the ISSO and the DBA/SA. A failure of database auditing will result in either the database continuing to function without auditing or in a complete halt to database operations. When audit processing fails, appropriate personnel must be alerted immediately to avoid further downtime or unaudited transactions -Alerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less). Alerts can be generated using tools like the SQL Server Agent Alerts and Database Mail.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93937V-79231CCI-001858Configure the system to provide immediate real-time alerts to appropriate support staff when an audit log failure occurs.Review SQL Server settings, OS, or third-party logging software settings to determine whether a real-time alert will be sent to the appropriate personnel when auditing fails for any reason. +Alerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less). 
Alerts can be generated using tools like the SQL Server Agent Alerts and Database Mail.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93937V-79231CCI-001858Configure the system to provide immediate real-time alerts to appropriate support staff when an audit log failure occurs.Review SQL Server settings, OS, or third-party logging software settings to determine whether a real-time alert will be sent to the appropriate personnel when auditing fails for any reason. If real-time alerts are not sent upon auditing failure, this is a finding.SRG-APP-000374-DB-000322<GroupDescription></GroupDescription>SQL6-D0-011200SQL Server must record time stamps in audit records and application data that can be mapped to Coordinated Universal Time (UTC, formerly GMT).<VulnDiscussion>If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. Time stamps generated by SQL Server must include date and time. 
Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93939V-79233CCI-001890Where possible, configure the operating system to automatic synchronize with an official time server, using NTP. -Where there is reason not to implement automatic synchronization with an official time server, using NTP, document the reason, and the procedure for maintaining the correct time, and obtain AO approval. Enforce the procedure.SQL Server audits store the timestamp in UTC time. +Where there is reason not to implement automatic synchronization with an official time server, using NTP, document the reason, and the procedure for maintaining the correct time, and obtain AO approval. Enforce the procedure.SQL Server audits store the timestamp in UTC time. Determine if the computer is joined to a domain. @@ -1550,7 +1550,7 @@ Remove unauthorized logins from roles. ALTER SERVER ROLE DROP MEMBER login; -https://technet.microsoft.com/en-us/library/ee677634.aspxObtain a list of logins who have privileged permissions and role memberships in SQL. +https://technet.microsoft.com/en-us/library/ee677634.aspxObtain a list of logins who have privileged permissions and role memberships in SQL. Execute the following query to obtain a list of logins and roles and their respective permissions assignment: 
@@ -1577,7 +1577,7 @@ Check the server documentation to verify the logins and roles returned are autho When dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the information system can potentially have significant effects on the overall security of the system. -Accordingly, only qualified and authorized individuals should be allowed to obtain access to system components for the purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93943V-79237CCI-001813Remove users from the local Administrators group who are not authorized.Obtain a list of users who have privileged access to the server via the local Administrators group. 
+Accordingly, only qualified and authorized individuals should be allowed to obtain access to system components for the purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93943V-79237CCI-001813Remove users from the local Administrators group who are not authorized.Obtain a list of users who have privileged access to the server via the local Administrators group. Launch lusrmgr.msc Select Groups @@ -1631,7 +1631,7 @@ GO ALTER SERVER AUDIT SPECIFICATION STIG_AUDIT_SERVER_SPECIFICATION WITH (STATE = ON); GO -Determine if an audit is configured to capture denied actions and started by executing the following query: +Determine if an audit is configured to capture denied actions and started by executing the following query: SELECT name AS 'Audit Name', status_desc AS 'Audit Status', 
@@ -1724,7 +1724,7 @@ To disable a server network protocol for an instance: 2. In the console pane, click "Protocols" for <instance name>. 3. In the details pane, right-click the protocol you want to change, and then click "Enable" or "Disable". 4. In the console pane, click "SQL Server Services". -5. In the details pane, right-click "SQL Server (<instance name>)", and then click "Restart", to stop and restart the SQL Server service.SQL Server must only use approved network communication libraries, ports, and protocols. +5. In the details pane, right-click "SQL Server (<instance name>)", and then click "Restart", to stop and restart the SQL Server service.SQL Server must only use approved network communication libraries, ports, and protocols. Obtain a list of all approved network libraries, communication ports, and protocols from the server documentation. @@ -1740,7 +1740,7 @@ EXEC sp_configure 'clr enabled', 0 GO RECONFIGURE -GOReview the server documentation to determine whether use of CLR assemblies is required. Run the following query to determine whether CLR is enabled for the instance: +GOReview the server documentation to determine whether use of CLR assemblies is required. Run the following query to determine whether CLR is enabled for the instance: SELECT name, value, value_in_use FROM sys.configurations 
@@ -1752,7 +1752,7 @@ For non-domain servers, consider using virtual service accounts (VSA). See https For standalone, domain-joined servers, consider using managed service accounts. See https://msdn.microsoft.com/en-us/library/ms143504.aspx#MSA for more information. -For clustered instances, consider using group managed service accounts. See https://msdn.microsoft.com/en-us/library/ms143504.aspx#GMSA or https://blogs.msdn.microsoft.com/markweberblog/2016/05/25/group-managed-service-accounts-gmsa-and-sql-server-2016/ for more information.Review the server documentation to obtain a listing of required service accounts. Review the accounts configured for all SQL Server services installed on the server. +For clustered instances, consider using group managed service accounts. See https://msdn.microsoft.com/en-us/library/ms143504.aspx#GMSA or https://blogs.msdn.microsoft.com/markweberblog/2016/05/25/group-managed-service-accounts-gmsa-and-sql-server-2016/ for more information.Review the server documentation to obtain a listing of required service accounts. Review the accounts configured for all SQL Server services installed on the server. Click Start >> Type "SQL Server Configuration Manager" >> Launch the program >> Click SQL Server Services tree node. Review the "Log On As" column for each service. 
@@ -1760,7 +1760,7 @@ If any services are configured with the same service account or are configured w Some DBMSs' installation tools may remove older versions of software automatically from the information system. In other cases, manual review and removal will be required. In planning installations and upgrades, organizations must include steps (automated, manual, or both) to identify and remove the outdated modules. -A transition period may be necessary when both the old and the new software are required. This should be taken into account in the planning.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93953V-79247CCI-002617Remove all features that are not required.From the server documentation, obtain a listing of required components. +A transition period may be necessary when both the old and the new software are required. This should be taken into account in the planning.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93953V-79247CCI-002617Remove all features that are not required.From the server documentation, obtain a listing of required components. Generate a listing of components installed on the server. 
@@ -1772,7 +1772,7 @@ Organization-defined time periods for updating security-relevant software may va This requirement will apply to software patch management solutions that are used to install patches across the enclave and also to applications themselves that are not part of that patch management solution. For example, many browsers today provide the capability to install their own patch software. Patch criticality, as well as system criticality, will vary. Therefore, the tactical situations regarding the patch management process will also vary. This means that the time period utilized must be a configurable parameter. Time frames for application of security-relevant software updates may be dependent upon the Information Assurance Vulnerability Management (IAVM) process. -SQL Server will be configured to check for and install security-relevant software updates within an identified time period from the availability of the update. The specific time period will be defined by an authoritative source (e.g. IAVM, CTOs, DTMs, and STIGs).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93955V-79249CCI-002605Upgrade SQL Server to the Microsoft-supported version. Institute and adhere to policies and procedures to ensure that patches are consistently applied to SQL Server within the time allowed.Obtain evidence that software patches are consistently applied to SQL Server within the time frame defined for each patch. To be considered supported, Microsoft must report that the version is supported by security patches to known vulnerability. 
Review the Support dates at: https://learn.microsoft.com/en-us/troubleshoot/sql/releases/download-and-install-latest-updates +SQL Server will be configured to check for and install security-relevant software updates within an identified time period from the availability of the update. The specific time period will be defined by an authoritative source (e.g. IAVM, CTOs, DTMs, and STIGs).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93955V-79249CCI-002605Upgrade SQL Server to the Microsoft-supported version. Institute and adhere to policies and procedures to ensure that patches are consistently applied to SQL Server within the time allowed.Obtain evidence that software patches are consistently applied to SQL Server within the time frame defined for each patch. To be considered supported, Microsoft must report that the version is supported by security patches to known vulnerability. Review the Support dates at: https://learn.microsoft.com/en-us/troubleshoot/sql/releases/download-and-install-latest-updates Check the SQL Server version by running the following script: Print @@version 
@@ -1793,7 +1793,7 @@ To aid in diagnosis, it is necessary to keep track of failed attempts in additio Satisfies: SRG-APP-000492-DB-000332, SRG-APP-000492-DB-000333</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93957V-79251CCI-000172Deploy an audit to audit the retrieval of privilege/permission/role membership information when successful and unsuccessful attempts to access security objects occur. -See the supplemental file "SQL 2016 Audit.sql".Review the system documentation to determine if SQL Server is required to audit the retrieval of when security objects are accessed. +See the supplemental file "SQL 2016 Audit.sql".Review the system documentation to determine if SQL Server is required to audit the retrieval of when security objects are accessed. If this is not required, this is not a finding. 
@@ -1825,7 +1825,7 @@ For detailed information on categorizing information, refer to FIPS Publication To aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones. -Satisfies: SRG-APP-000494-DB-000344</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93963V-79257CCI-000172Deploy an audit to audit when data classifications are both successfully and unsuccessfully retrieved. See the supplemental file "SQL 2016 Audit.sql".Review the system documentation to determine if SQL Server is required to audit when data classifications are both successfully and unsuccessfully retrieved. +Satisfies: SRG-APP-000494-DB-000344</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93963V-79257CCI-000172Deploy an audit to audit when data classifications are both successfully and unsuccessfully retrieved. See the supplemental file "SQL 2016 Audit.sql".Review the system documentation to determine if SQL Server is required to audit when data classifications are both successfully and unsuccessfully retrieved. If this is not required, this is not a finding. 
@@ -1874,7 +1874,7 @@ SERVER_ROLE_MEMBER_CHANGE_GROUP See the supplemental file "SQL 2016 Audit.sql". Reference: -https://msdn.microsoft.com/en-us/library/cc280663.aspxCheck that SQL Server Audit is being used for the STIG compliant audit. +https://msdn.microsoft.com/en-us/library/cc280663.aspxCheck that SQL Server Audit is being used for the STIG compliant audit. Determine if an audit is configured and started by executing the following query: @@ -1942,7 +1942,7 @@ SERVER_ROLE_MEMBER_CHANGE_GROUP See the supplemental file "SQL 2016 Audit.sql". Reference: -https://msdn.microsoft.com/en-us/library/cc280663.aspxCheck that SQL Server Audit is being used for the STIG compliant audit. +https://msdn.microsoft.com/en-us/library/cc280663.aspxCheck that SQL Server Audit is being used for the STIG compliant audit. Determine if an audit is configured and started by executing the following query: @@ -2004,7 +2004,7 @@ GO ALTER SERVER AUDIT SPECIFICATION STIG_AUDIT_SERVER_SPECIFICATION WITH (STATE = ON); GO -See supplemental script "SQL 2016 Audit.sql".Determine if an audit is configured and started by executing the following query: +See supplemental script "SQL 2016 Audit.sql".Determine if an audit is configured and started by executing the following query: SELECT name AS 'Audit Name', status_desc AS 'Audit Status', 
@@ -2030,7 +2030,7 @@ To aid in diagnosis, it is necessary to keep track of failed attempts in additio For detailed information on categorizing information, refer to FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, and FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems. -Satisfies: SRG-APP-000498-DB-000346</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93979V-79273CCI-000172Deploy an audit to audit when data classifications are unsuccessfully modified. See the supplemental file "SQL 2016 Audit.sql".Review the system documentation to determine if SQL Server is required to audit when data classifications are successfully and unsuccessfully modified. +Satisfies: SRG-APP-000498-DB-000346</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93979V-79273CCI-000172Deploy an audit to audit when data classifications are unsuccessfully modified. See the supplemental file "SQL 2016 Audit.sql".Review the system documentation to determine if SQL Server is required to audit when data classifications are successfully and unsuccessfully modified. 
If this is not required, this is not a finding. @@ -2077,7 +2077,7 @@ SERVER_ROLE_MEMBER_CHANGE_GROUP See the supplemental file "SQL 2016 Audit.sql". Reference: -https://msdn.microsoft.com/en-us/library/cc280663.aspxCheck that SQL Server Audit is being used for the STIG compliant audit. +https://msdn.microsoft.com/en-us/library/cc280663.aspxCheck that SQL Server Audit is being used for the STIG compliant audit. Determine if an audit is configured and started by executing the following query. If no records are returned, this is a finding. SELECT name AS 'Audit Name', @@ -2139,7 +2139,7 @@ GO ALTER SERVER AUDIT SPECIFICATION STIG_AUDIT_SERVER_SPECIFICATION WITH (STATE = ON); GO -See the supplemental script "SQL 2016 Audit.sql" for complete script.Determine if an audit is configured and started by executing the following query: +See the supplemental script "SQL 2016 Audit.sql" for complete script.Determine if an audit is configured and started by executing the following query: SELECT name AS 'Audit Name', status_desc AS 'Audit Status', 
@@ -2165,7 +2165,7 @@ To aid in diagnosis, it is necessary to keep track of failed attempts in additio For detailed information on categorizing information, refer to FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, and FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems. -Satisfies: SRG-APP-000502-DB-000348</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93991V-79285CCI-000172Deploy an audit to audit when data classifications are unsuccessfully deleted. See the supplemental file "SQL 2016 Audit.sql".Review the system documentation to determine if SQL Server is required to audit when data classifications are successfully andn unsuccessfully deleted. +Satisfies: SRG-APP-000502-DB-000348</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-93991V-79285CCI-000172Deploy an audit to audit when data classifications are unsuccessfully deleted. See the supplemental file "SQL 2016 Audit.sql".Review the system documentation to determine if SQL Server is required to audit when data classifications are successfully andn unsuccessfully deleted. 
If this is not required, this is not a finding. @@ -2216,7 +2216,7 @@ Right-click on the instance. - Select "Properties". - Select "Security" on the left-hand side. - Select "Both failed and successful logins". -- Click "OK".Determine if an audit is configured and started by executing the following query: +- Click "OK".Determine if an audit is configured and started by executing the following query: SELECT name AS 'Audit Name', status_desc AS 'Audit Status', @@ -2310,7 +2310,7 @@ ALTER SERVER AUDIT SPECIFICATION STIG_AUDIT_SERVER_SPECIFICATION ADD (USER_CHANG GO ALTER SERVER AUDIT SPECIFICATION STIG_AUDIT_SERVER_SPECIFICATION WITH (STATE = ON); -GODetermine if an audit is configured and started by executing the following query: +GODetermine if an audit is configured and started by executing the following query: SELECT name AS 'Audit Name', status_desc AS 'Audit Status', @@ -2416,7 +2416,7 @@ GO ALTER SERVER AUDIT SPECIFICATION STIG_AUDIT_SERVER_SPECIFICATION WITH (STATE = ON); GO -Determine if an audit is configured and started by executing the following query. +Determine if an audit is configured and started by executing the following query. SELECT name AS 'Audit Name', status_desc AS 'Audit Status', @@ -2515,7 +2515,7 @@ ALTER SERVER AUDIT SPECIFICATION STIG_AUDIT_SERVER_SPECIFICATION ADD (LOGOUT_GRO GO ALTER SERVER AUDIT SPECIFICATION STIG_AUDIT_SERVER_SPECIFICATION WITH (STATE = ON); -GODetermine if an audit is configured and started by executing the following query: +GODetermine if an audit is configured and started by executing the following query: SELECT name AS 'Audit Name', status_desc AS 'Audit Status', 
@@ -2620,7 +2620,7 @@ GO Alternatively, enable "Both failed and successful logins" In SQL Management Studio: -Right-click on the instance >> Select "Properties" >> Select "Security" on the left hand side >> Select "Both failed and successful logins" >> Click "OK"Determine if an audit is configured and started by executing the following query. +Right-click on the instance >> Select "Properties" >> Select "Security" on the left hand side >> Select "Both failed and successful logins" >> Click "OK"Determine if an audit is configured and started by executing the following query. SELECT name AS 'Audit Name', status_desc AS 'Audit Status', 
@@ -2658,7 +2658,7 @@ EXECUTE To aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones. -Satisfies: SRG-APP-000507-DB-000356</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-94007V-79301CCI-000172Deploy an audit to audit when successful and unsuccessful accesses to objects occur. See the supplemental file "SQL 2016 Audit.sql".Review the system documentation to determine if SQL Server is required to audit when successful and unsuccessful accesses to objects occur. +Satisfies: SRG-APP-000507-DB-000356</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-94007V-79301CCI-000172Deploy an audit to audit when successful and unsuccessful accesses to objects occur. See the supplemental file "SQL 2016 Audit.sql".Review the system documentation to determine if SQL Server is required to audit when successful and unsuccessful accesses to objects occur. If this is not required, this is not a finding. 
@@ -2684,7 +2684,7 @@ JOIN sys.server_audits a ON s.audit_guid = a.audit_guid JOIN sys.server_audit_specification_details d ON s.server_specification_id = d.server_specification_id WHERE a.is_state_enabled = 1 AND d.audit_action_name = 'SCHEMA_OBJECT_ACCESS_GROUP' -If the "SCHEMA_OBJECT_ACCESS_GROUP" is not returned in an active audit, this is a finding.SRG-APP-000508-DB-000358<GroupDescription></GroupDescription>SQL6-D0-015500SQL Server must generate audit records for all direct access to the database(s).<VulnDiscussion>In this context, direct access is any query, command, or call to SQL Server that comes from any source other than the application(s) that it supports. Examples would be the command line or a database management utility program. The intent is to capture all activity from administrative and non-standard sources.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-94009V-79303CCI-000172Check the system documentation for required SQL Server Audits. Remove any Audit filters that exclude or reduce required auditing. Update filters to ensure administrative activity is not excluded.Determine whether any Server Audits are configured to filter records. 
From SQL Server Management Studio execute the following query: +If the "SCHEMA_OBJECT_ACCESS_GROUP" is not returned in an active audit, this is a finding.SRG-APP-000508-DB-000358<GroupDescription></GroupDescription>SQL6-D0-015500SQL Server must generate audit records for all direct access to the database(s).<VulnDiscussion>In this context, direct access is any query, command, or call to SQL Server that comes from any source other than the application(s) that it supports. Examples would be the command line or a database management utility program. The intent is to capture all activity from administrative and non-standard sources.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-94009V-79303CCI-000172Check the system documentation for required SQL Server Audits. Remove any Audit filters that exclude or reduce required auditing. Update filters to ensure administrative activity is not excluded.Determine whether any Server Audits are configured to filter records. From SQL Server Management Studio execute the following query: SELECT name AS AuditName, predicate AS AuditFilter FROM sys.server_audits 
@@ -2698,7 +2698,7 @@ For detailed information, refer to NIST FIPS Publication 140-2 or Publication 14 Expand Local Policies >> Security Options. -In the right-side pane, double-click on "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing."Verify that Windows is configured to require the use of FIPS compliant algorithms. +In the right-side pane, double-click on "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing."Verify that Windows is configured to require the use of FIPS compliant algorithms. Click Start >> Type "Local Security Policy" >> Press Enter >> Expand "Local Policies" >> Select "Security Options" >> Locate "System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing." @@ -2706,7 +2706,7 @@ If the Security Setting for this option is "Disabled" this is a finding.DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-94013V-79307CCI-002450Configure Windows to require the use of FIPS compliant algorithms. -Click Start >> Type "Local Security Policy" >> Press Enter >> Expand "Local Policies" >> Select "Security Options" >> Locate "System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing." >> Change the Setting option to "Enabled" >> Restart WindowsVerify that Windows is configured to require the use of FIPS-compliant algorithms. +Click Start >> Type "Local Security Policy" >> Press Enter >> Expand "Local Policies" >> Select "Security Options" >> Locate "System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing." >> Change the Setting option to "Enabled" >> Restart WindowsVerify that Windows is configured to require the use of FIPS-compliant algorithms. Click Start >> Type "Local Security Policy" >> Press Enter >> Expand "Local Policies" >> Select "Security Options" >> Locate "System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing." 
@@ -2716,7 +2716,7 @@ It is the responsibility of the data owner to assess the cryptography requiremen For detailed information, refer to NIST FIPS Publication 140-2 or Publication 140-3, Security Requirements For Cryptographic Modules. Note that the product's cryptographic modules must be validated and certified by NIST as FIPS-compliant.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-94015V-79309CCI-002450Configure Windows to require the use of FIPS compliant algorithms for the unclassified information that requires it. -Click Start >> Type "Local Security Policy" >> Press Enter >> Expand "Local Policies" >> Select "Security Options" >> Locate "System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing." >> Change the Setting option to "Enabled" >> Restart WindowsReview the server documentation, if this system does not contain data that must be encrypted, this finding is NA. +Click Start >> Type "Local Security Policy" >> Press Enter >> Expand "Local Policies" >> Select "Security Options" >> Locate "System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing." >> Change the Setting option to "Enabled" >> Restart WindowsReview the server documentation, if this system does not contain data that must be encrypted, this finding is NA. Verify that Windows is configured to require the use of FIPS compliant algorithms for the unclassified information that requires it. 
@@ -2726,7 +2726,7 @@ If "System Cryptography: Use FIPS compliant algorithms for encryption, hashing, Off-loading is a common process in information systems with limited audit storage capacity. -The system SQL Server may write audit records to database tables, to files in the file system, to other kinds of local repository, or directly to a centralized log management system. Whatever the method used, it must be compatible with off-loading the records to the centralized system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-94017V-79311CCI-001851Configure the system or deploy and configure software tools to transfer audit records to a centralized log management system, continuously and in near-real time where a continuous network connection to the log management system exists, or at least weekly in the absence of such a connection.Review the system documentation for a description of how audit records are off-loaded. +The system SQL Server may write audit records to database tables, to files in the file system, to other kinds of local repository, or directly to a centralized log management system. 
Whatever the method used, it must be compatible with off-loading the records to the centralized system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-94017V-79311CCI-001851Configure the system or deploy and configure software tools to transfer audit records to a centralized log management system, continuously and in near-real time where a continuous network connection to the log management system exists, or at least weekly in the absence of such a connection.Review the system documentation for a description of how audit records are off-loaded. If the system has a continuous network connection to the centralized log management system, but the DBMS audit records are not written directly to the centralized log management system or transferred in near-real-time, this is a finding. @@ -2737,7 +2737,7 @@ To enable participation in the CEIP program, change the value of the following r HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server\[InstanceId]\CPE\CustomerFeedback HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server\[InstanceId]\CPE\EnableErrorReporting HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server\130\CustomerFeedback -HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server\130\EnableErrorReportingLaunch "Registry Editor" +HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server\130\EnableErrorReportingLaunch "Registry Editor" Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server\[InstanceId]\CPE Review the following values: CustomerFeedback, EnableErrorReporting 
@@ -2768,7 +2768,7 @@ Set the "UserRequestedLocalAuditDirectory" key value to the path of the telemetr Set the telemetry service to start automatically. Restart the service. - For Database Engine, use SQL Server CEIP service (<INSTANCENAME>). -- For Analysis Services, use SQL Server Analysis Services CEIP (<INSTANCENAME>).Review the server documentation to determine if auditing of the telemetry data is required. If auditing of telemetry data is not required, this is not a finding. +- For Analysis Services, use SQL Server Analysis Services CEIP (<INSTANCENAME>).Review the server documentation to determine if auditing of the telemetry data is required. If auditing of telemetry data is not required, this is not a finding. If auditing of telemetry data is required, determine the telemetry service user name by executing the following query: @@ -2814,7 +2814,7 @@ Some applications that run on SQL Server require the [sa] account to be enabled USE master; GO ALTER LOGIN [sa] DISABLE; -GOCheck SQL Server settings to determine if the [sa] (system administrator) account has been disabled by executing the following query: +GOCheck SQL Server settings to determine if the [sa] (system administrator) account has been disabled by executing the following query: USE master; GO @@ -2832,7 +2832,7 @@ Since the SQL Server [sa] is administrative in nature, the compromise of a defau USE master; GO ALTER LOGIN [sa] WITH NAME = <new name> -GOVerify the SQL Server default [sa] (system administrator) account name has been changed by executing the following query: +GOVerify the SQL Server default [sa] (system administrator) account name has been changed by executing the following query: USE master; GO 
@@ -2845,7 +2845,7 @@ If the login account name "SA" or "sa" appears in the query output, this is a fi When 'Scan for startup procs' is enabled, SQL Server scans for and runs all automatically run stored procedures defined on the server. The execution of start-up stored procedures will be done under a high privileged context, therefore it is a commonly used post-exploitation vector.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-94027V-79321CCI-002233To disable start up stored procedure(s), run the following in Master for each undocumented procedure: -sp_procoption @procname = '<procedure name>', @OptionName = 'Startup', @optionValue = 'Off'Review the system documentation to obtain a listing of documented stored procedures used by SQL Server during start up. Execute the following query: +sp_procoption @procname = '<procedure name>', @OptionName = 'Startup', @optionValue = 'Off'Review the system documentation to obtain a listing of documented stored procedures used by SQL Server during start up. Execute the following query: Select [name] as StoredProc From sys.procedures 
@@ -2859,7 +2859,7 @@ SQL Mirroring endpoints support different encryption algorithms, including no-en ALTER ENDPOINT <Endpoint Name> FOR DATABASE_MIRRORING -(ENCRYPTION = REQUIRED ALGORITHM AES)If the data owner does not have a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process, and the requirement is documented and authorized, this is not a finding. +(ENCRYPTION = REQUIRED ALGORITHM AES)If the data owner does not have a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process, and the requirement is documented and authorized, this is not a finding. If Database Mirroring is in use, run the following to check for encrypted transmissions:   @@ -2875,7 +2875,7 @@ SQL Server Service Broker endpoints support different encryption algorithms, inc ALTER ENDPOINT <EndpointName> FOR SERVICE_BROKER -(ENCRYPTION = REQUIRED ALGORITHM AES)If the data owner does not have a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process, and the requirement is documented and authorized, this is not a finding. +(ENCRYPTION = REQUIRED ALGORITHM AES)If the data owner does not have a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process, and the requirement is documented and authorized, this is not a finding. If SQL Service Broker is in use, run the following to check for encrypted transmissions:   
@@ -2897,7 +2897,7 @@ USE master GO REVOKE EXECUTE ON [<procedureName>] FROM [<principal>] GO -To determine if permissions to execute registry extended stored procedures have been revoked from all users (other than dbo), execute the following command: +To determine if permissions to execute registry extended stored procedures have been revoked from all users (other than dbo), execute the following command: SELECT OBJECT_NAME(major_id) AS [Stored Procedure] ,dpr.NAME AS [Principal] @@ -2937,7 +2937,7 @@ The most significant potential for attacking an instance is through the use of f 5. Disable FILESTREAM. EXEC sp_configure filestream_access_level, 0 RECONFIGURE -6. Restart the SQL ServiceReview the system documentation to see if FileStream is in use. If in use authorized, this is not a finding. +6. Restart the SQL ServiceReview the system documentation to see if FileStream is in use. If in use authorized, this is not a finding. If FileStream is not documented as being authorized, execute the following query. EXEC sp_configure 'filestream access level' @@ -2977,7 +2977,7 @@ GO sp_configure 'Ole Automation Procedures', 0; GO RECONFIGURE; -GOTo determine if "Ole Automation Procedures" option is enabled, execute the following query: +GOTo determine if "Ole Automation Procedures" option is enabled, execute the following query: EXEC SP_CONFIGURE 'show advanced options', '1'; RECONFIGURE WITH OVERRIDE; @@ -2996,7 +2996,7 @@ GO sp_configure 'user options', 0; GO RECONFIGURE; -GOTo determine if "User Options" option is enabled, execute the following query: +GOTo determine if "User Options" option is enabled, execute the following query: EXEC SP_CONFIGURE 'show advanced options', '1'; RECONFIGURE WITH OVERRIDE; 
@@ -3023,7 +3023,7 @@ GO sp_configure 'remote access', 0; GO RECONFIGURE; -GOTo determine if "Remote Access" option is enabled, execute the following query: +GOTo determine if "Remote Access" option is enabled, execute the following query: EXEC SP_CONFIGURE 'show advanced options', '1'; RECONFIGURE WITH OVERRIDE; @@ -3050,7 +3050,7 @@ GO sp_configure 'hadoop connectivity', 0; GO RECONFIGURE; -GOTo determine if "Hadoop Connectivity" option is enabled, execute the following query: +GOTo determine if "Hadoop Connectivity" option is enabled, execute the following query: EXEC SP_CONFIGURE 'show advanced options', '1'; RECONFIGURE WITH OVERRIDE; @@ -3077,7 +3077,7 @@ GO sp_configure 'allow polybase export', 0; GO RECONFIGURE; -GOTo determine if "Allow Polybase Export" option is enabled, execute the following query: +GOTo determine if "Allow Polybase Export" option is enabled, execute the following query: EXEC SP_CONFIGURE 'show advanced options', '1'; RECONFIGURE WITH OVERRIDE; @@ -3104,7 +3104,7 @@ GO sp_configure 'remote data archive', 0; GO RECONFIGURE; -GOTo determine if "Remote Data Archive" option is enabled, execute the following query: +GOTo determine if "Remote Data Archive" option is enabled, execute the following query: EXEC SP_CONFIGURE 'show advanced options', '1'; RECONFIGURE WITH OVERRIDE; @@ -3123,7 +3123,7 @@ GO sp_configure 'external scripts enabled', 0; GO RECONFIGURE; -GOTo determine if "External Scripts Enabled" option is enabled, execute the following query: +GOTo determine if "External Scripts Enabled" option is enabled, execute the following query: EXEC SP_CONFIGURE 'show advanced options', '1'; RECONFIGURE WITH OVERRIDE; 
@@ -3139,7 +3139,7 @@ This requirement is not intended to prohibit use of the Browser service in any c Where SQL Server Browser is judged unnecessary, the Service can be disabled. -To disable, in the Services tool, double-click "SQL Server Browser". Set "Startup Type" to "Disabled". If "Service Status" is "Running", click on "Stop". Click on "OK".If the need for the SQL Server Browser service is documented and authorized, this is not a finding. +To disable, in the Services tool, double-click "SQL Server Browser". Set "Startup Type" to "Disabled". If "Service Status" is "Running", click on "Stop". Click on "OK".If the need for the SQL Server Browser service is documented and authorized, this is not a finding. Open the Services tool. @@ -3158,7 +3158,7 @@ GO sp_configure 'replication xps', 0; GO RECONFIGURE; -GOTo determine if the "Replication Xps" option is enabled, execute the following query: +GOTo determine if the "Replication Xps" option is enabled, execute the following query: EXEC SP_CONFIGURE 'show advanced options', '1'; RECONFIGURE WITH OVERRIDE; 
@@ -3172,7 +3172,7 @@ This convenience also presents the possibility of unauthorized individuals gaini This requirement is not intended to prohibit use of the Browser service in any circumstances.  It calls for administrators and management to consider whether the benefits of its use outweigh the potential negative consequences of it being used by an attacker to browse the current infrastructure and retrieve a list of running SQL Server instances. In order to prevent this, the SQL instance(s) can be hidden.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-94059V-79353CCI-000366If SQL Server Browser is needed, document the justification and obtain the appropriate authorization. -To hide the SQL instance, in SQL Server Configuration Manager, expand SQL Server Network Configuration, right-click Protocols for <server instance>, select "Properties", on the "Flags" tab, select "Yes" in the "HideInstance" box, then click "OK".  The change takes effect immediately for new connections.If the need for the SQL Server Browser service is documented and authorized, check to make sure the SQL Instances that do not require use of the SQL Browser Service are hidden with the following query: +To hide the SQL instance, in SQL Server Configuration Manager, expand SQL Server Network Configuration, right-click Protocols for <server instance>, select "Properties", on the "Flags" tab, select "Yes" in the "HideInstance" box, then click "OK".  
The change takes effect immediately for new connections.If the need for the SQL Server Browser service is documented and authorized, check to make sure the SQL Instances that do not require use of the SQL Browser Service are hidden with the following query: DECLARE @HiddenInstance INT EXEC master.dbo.Xp_instance_regread @@ -3205,7 +3205,7 @@ GO If mixed-mode authentication is necessary, then for SQLCMD, which cannot be configured not to accept a plain-text password when mixed-mode authentication is enabled, and any other essential tool with the same limitation: 1) Document the need for it, who uses it, and any relevant mitigations, and obtain AO approval. -2) Train all users of the tool in the importance of not using the plain-text password option and in how to keep the password hidden.Run this query to determine whether SQL Server authentication is enabled: +2) Train all users of the tool in the importance of not using the plain-text password option and in how to keep the password hidden.Run this query to determine whether SQL Server authentication is enabled: EXEC master.sys.xp_loginconfig 'login mode'; If the config_value returned is "Windows NT Authentication", this is not a finding. 
@@ -3218,33 +3218,34 @@ Obfuscation of user-provided information when typed into the system is a method For example, displaying asterisks when a user types in a password or PIN, is an example of obscuring feedback of authentication information. -Database applications may allow for entry of the account name and password as a visible parameter of the application execution command. This practice must be prohibited and disabled to prevent shoulder surfing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-94063V-79357CCI-000206Configure or modify applications to prohibit display of passwords in clear text.Determine whether any applications that access the database allow for entry of the account name and password, or PIN. +Database applications may allow for entry of the account name and password as a visible parameter of the application execution command. 
This practice must be prohibited and disabled to prevent shoulder surfing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993SV-94063V-79357CCI-000206Configure or modify applications to prohibit display of passwords in clear text.Determine whether any applications that access the database allow for entry of the account name and password, or PIN.
-If any do, determine whether these applications obfuscate authentication data; if they do not, this is a finding.SRG-APP-000456-DB-000400<GroupDescription></GroupDescription>SQL6-D0-018300Microsoft SQL Server products must be a version supported by the vendor.<VulnDiscussion>Unsupported commercial and database systems should not be used because fixes to newly identified bugs will not be implemented by the vendor. The lack of support can result in potential vulnerabilities.
-
-Systems at unsupported servicing levels or releases will not receive security updates for new vulnerabilities, which leaves them subject to exploitation.
-
-When maintenance updates and patches are no longer available, the database software is no longer considered supported and should be upgraded or decommissioned.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993CCI-003376Remove or decommission all unsupported software products.
-
-Upgrade unsupported DBMS or unsupported components to a supported version of the product.If new packages are available for PostgreSQL, they can be reviewed in the package manager appropriate for the server operating system:
-
-To list the version of installed PostgreSQL using psql:
-
-$ sudo su - postgres
-$ psql --version
-
-To list the current version of software for RPM:
-
-$ rpm -qa | grep postgres
-
-To list the current version of software for APT:
-
-$ apt-cache policy postgres
-
-All versions of PostgreSQL will be listed here:
-http://www.postgresql.org/support/versioning/
-
-All security-relevant software updates for PostgreSQL will be listed here:
-http://www.postgresql.org/support/security/
-
-If PostgreSQL is not at the latest version, this is a finding.
\ No newline at end of file
+If any do, determine whether these applications obfuscate authentication data; if they do not, this is a finding.SRG-APP-000456-DB-000400<GroupDescription></GroupDescription>SQL6-D0-018300Microsoft SQL Server products must be a version supported by the vendor.<VulnDiscussion>Unsupported commercial and database systems should not be used because fixes to newly identified bugs will not be implemented by the vendor. The lack of support can result in potential vulnerabilities.
+
+Systems at unsupported servicing levels or releases will not receive security updates for new vulnerabilities, which leaves them subject to exploitation.
+
+When maintenance updates and patches are no longer available, the database software is no longer considered supported and should be upgraded or decommissioned.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MS SQL Server 2016 InstanceDISADPMS TargetMS SQL Server 2016 Instance3993CCI-003376Remove or decommission all unsupported software products.
+
+Upgrade unsupported DBMS or unsupported components to a supported version of the product.
+
+More information can be found here:
+https://learn.microsoft.com/en-us/sql/sql-server/end-of-support/sql-server-end-of-support-overview?view=sql-server-ver16Review the system documentation and interview the database administrator.
+
+Identify all database software components.
+
+Review the version and release information.
+
+Verify the SQL Server version via one of the following methods:
+Connect to the server by using Object Explorer in SQL Server Management Studio. After Object Explorer is connected, it will show the version information in parentheses, together with the user name that is used to connect to the specific instance of SQL Server.
+
+Or, from SQL Server Management Studio:
+
+SELECT @@VERSION;
+
+More information for finding the version is available at the following link:
+https://learn.microsoft.com/en-us/troubleshoot/sql/releases/find-my-sql-version
+
+Access the vendor website or use other means to verify the version is still supported.
+https://learn.microsoft.com/en-us/lifecycle/products/sql-server-2016
+
+If the installed version or any of the software components are not supported by the vendor, this is a finding.
\ No newline at end of file
diff --git a/benchmarks/DISA/U_MS_Windows_Server_DNS_STIG_V1R1_Manual-xccdf.xml b/benchmarks/DISA/U_MS_Windows_Server_DNS_STIG_V1R1_Manual-xccdf.xml
new file mode 100644
index 000000000..ff37cd202
--- /dev/null
+++ b/benchmarks/DISA/U_MS_Windows_Server_DNS_STIG_V1R1_Manual-xccdf.xml
@@ -0,0 +1,2569 @@
+acceptedMicrosoft Windows Server Domain Name System (DNS) Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 1 Benchmark Date: 18 Jan 20243.4.1.229161.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-APP-000001-DNS-000115<GroupDescription></GroupDescription>WDNS-22-000001The Windows DNS Server must restrict incoming dynamic update requests to known clients.<VulnDiscussion>Limiting the number of concurrent sessions reduces the risk of denial of service (DoS) on any system.
+
+A DNS server's function requires it to be able to handle multiple sessions at a time, so limiting concurrent sessions could impact availability.
+
+Primary name servers must be configured to limit the actual hosts from which they will accept dynamic updates and zone transfer requests, and all name servers should be configured to limit the hosts from/to which they receive/send zone transfers. 
Restricting sessions to known hosts will mitigate the DoS vulnerability.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-000054Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Press the Windows key + R and execute "dnsmgmt.msc". + +On the opened DNS Manager snap-in from the left pane, expand the server name and then expand "Forward Lookup Zones". + +From the expanded list, click to select the zone. + +Once selected, right-click the name of the zone. + +From the displayed context menu, click the "Properties" option. + +On the opened domain's properties box, click the "General" tab. + +If the "Type:" is not "Active Directory-Integrated", configure the zone for Active Directory integration. + +Select "Secure only" from the "Dynamic updates:" drop-down list.Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Press the Windows key + R and execute "dnsmgmt.msc". + +On the opened DNS Manager snap-in from the left pane, expand the server name and then expand "Forward Lookup Zones". + +From the expanded list, click to select the zone. + +Once selected, right-click the name of the zone. + +From the displayed context menu, click the "Properties" option. + +On the opened domain's properties box, click the "General" tab. + +Verify the "Type:" is "Active Directory-Integrated". + +Verify "Dynamic updates" has "Secure only" selected. 
+ +If the zone is "Active Directory-Integrated" and "Dynamic updates" are not configured for "Secure only", this is a finding.SRG-APP-000348-DNS-000042<GroupDescription></GroupDescription>WDNS-22-000002The Windows DNS Server must be configured to record who added/modified/deleted DNS zone information.<VulnDiscussion>Without a means for identifying the individual that produced the information, the information cannot be relied on. Identifying the validity of information may be delayed or deterred. + +This requirement ensures organizational personnel have a means to identify who produced or changed specific information in transfers, zone information, or DNS configuration changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-000366CCI-001902Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +If not automatically started, initialize the "Server Manager" window by clicking its icon from the bottom left corner of the screen. + +On the opened "Server Manager" window, from the left pane, click to select "DNS". + +From the right pane, under the "SERVERS" section, right-click the DNS server. + +From the displayed context menu, click the "DNS Manager" option. + +Click the "Event Logging" tab. + +Select the "Errors and warnings" or "All events" option. + +Click "Apply". + +Click "OK".Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Press the Windows key + R and execute "dnsmgmt.msc". 
+ +Right-click the DNS server and select "Properties". + +Click the "Event Logging" tab. By default, all events are logged. + +Verify "Errors and warnings" or "All events" is selected. + +If any option other than "Errors and warnings" or "All events" is selected, this is a finding.SRG-APP-000350-DNS-000044<GroupDescription></GroupDescription>WDNS-22-000003The Windows DNS Server must notify the DNS administrator in the event of an error validating another DNS server's identity.<VulnDiscussion>Failing to act on validation errors may result in the use of invalid, corrupted, or compromised information. The validation of bindings can be achieved, for example, using cryptographic checksums. Validations must be performed automatically. + +At a minimum, the application must log the validation error. However, more stringent actions can be taken based on the security posture and value of the information. The organization should consider the system's environment and impact of the errors when defining the actions. Additional examples of actions include automated notification to administrators, halting system process, or halting the specific operation. + +The DNS server should audit all failed attempts at server authentication through DNSSEC and TSIG/SIG(0). 
The actual auditing is performed by the operating system/network device manager, but the configuration to trigger the auditing is controlled by the DNS server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-000366CCI-001906To detect and notify the administrator, configure a third-party event monitoring system or, at a minimum, document and implement a procedure to require the administrator to check the DNS logs on a routine, daily basis.Windows DNS Servers hosting Active Directory (AD)-integrated zones transfer zone information via AD replication. Windows DNS Servers hosting non-AD-integrated zones as a secondary name server and/or not hosting AD-integrated zones use zone transfer to sync zone data. + +If the Windows DNS Server hosts only AD-integrated zones and all other name servers for the zones hosted are Active Directory Domain Controllers, this requirement is not applicable. + +If the Windows DNS Server is not an Active Directory Domain Controller or is a secondary name server for a zone with a non-AD-integrated name server as the master, this requirement is applicable. + +Administrator notification is only possible if a third-party event monitoring system is configured or, at a minimum, there are documented procedures requiring the administrator to review the DNS logs on a routine, daily basis. 
+ +If a third-party event monitoring system is not configured or a document procedure is not in place requiring the administrator to review the DNS logs on a routine, daily basis, this is a finding.SRG-APP-000089-DNS-000004<GroupDescription></GroupDescription>WDNS-22-000004The Windows DNS Server log must be enabled.<VulnDiscussion>Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. The actual auditing is performed by the operating system/network device manager, but the configuration to trigger the auditing is controlled by the DNS server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-000169Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Press the Windows key + R and execute "dnsmgmt.msc". + +Right-click the DNS server and select "Properties". + +Click the "Event Logging" tab. By default, all events are logged. + +Select the "Errors and warnings" or "All events" option. + +Click "Apply". + +Click "OK".Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Press the Windows key + R and execute "dnsmgmt.msc". + +Right-click the DNS server and select "Properties". + +Click the "Event Logging" tab. By default, all events are logged. + +Verify "Errors and warnings" or "All events" is selected. 
+ +If any option other than "Errors and warnings" or "All events" is selected, this is a finding.SRG-APP-000516-DNS-000500<GroupDescription></GroupDescription>WDNS-22-000006The "Manage auditing and security log" user right must be assigned only to authorized personnel.<VulnDiscussion>Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. The actual auditing is performed by the operating system/network device manager, but the configuration to trigger the auditing is controlled by the DNS server. + +Because the configuration of the audit logs on the DNS server dictates which events are logged to correlate events, the permissions for configuring the audit logs must be restricted to only those with the role of information system security manager (ISSM) or those appointed by the ISSM.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-000366Configure the permissions on the DNS logs. + +Standard user accounts or groups must not have greater than READ access. + +The default permissions listed below satisfy this requirement: + +Eventlog - Full Control +SYSTEM - Full Control +Administrators - Full Control + +The default locations are: + +DNS Server %SystemRoot%\System32\Winevt\Logs\DNS Server.evtxVerify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". 
+ +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Manage auditing and security log" user right, this is a finding: + +Administrators +Auditors (if the site has an Auditors group that further limits this privilege) + +If an application requires this user right, this is not a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords. + +Verify the permissions on the DNS logs. + +Standard user accounts or groups must not have greater than READ access. + +The default locations are: + +DNS Server %SystemRoot%\System32\Winevt\Logs\DNS Server.evtx + +Using the file explorer tool, navigate to the DNS server log file. + +Right-click on the log file and select the "Security" tab. + +The default permissions listed below satisfy this requirement: + +Eventlog - Full Control +SYSTEM - Full Control +Administrators - Full Control + +If the permissions for these files are not as restrictive as the access control lists above, this is a finding.SRG-APP-000214-DNS-000079<GroupDescription></GroupDescription>WDNS-22-000007The validity period for the Resource Record Signatures (RRSIGs) covering the Delegation Signer (DS) Resource Record (RR) for a zone's delegated children must be no less than two days and no more than one week.<VulnDiscussion>The best way for a zone administrator to minimize the impact of a key compromise is by limiting the validity period of RRSIGs in the zone and the parent zone. This strategy limits the time during which an attacker can take advantage of a compromised key to forge responses. An attacker that has compromised a zone signing key (ZSK) can use that key only during the key signing key's (KSK's) signature validity interval. 
An attacker that has compromised a KSK can use that key for only as long as the signature interval of the RRSIG covering the DS RR in the delegating parent. These validity periods should be short, which will require frequent re-signing. + +To prevent the impact of a compromised KSK, a delegating parent should set the signature validity period for RRSIGs covering DS RRs in the range of a few days to one week. This re-signing does not require frequent rollover of the parent's ZSK, but scheduled ZSK rollover should still be performed at regular intervals.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-001179Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Press the Windows key + R and execute "dnsmgmt.msc". + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". + +From the expanded list, click to select the zone. + +Right-click on the zone and choose DNSSEC >> Properties. + +On the ZSK tab, for DS signature validity period (hours), choose more than 48 and less than 168.Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Press the Windows key + R and execute "dnsmgmt.msc". 
+ +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". + +From the expanded list, click to select the zone. + +View the validity period for the DS RR. + +If the validity period for the DS RR for the child domain is less than two days (48 hours) or more than one week (168 hours), this is a finding.SRG-APP-000218-DNS-000027<GroupDescription></GroupDescription>WDNS-22-000008The Windows DNS name servers for a zone must be geographically dispersed.<VulnDiscussion>In addition to network-based separation, authoritative name servers should be dispersed geographically. In other words, in addition to being located on different network segments, the authoritative name servers should not all be located in the same building. One approach is to locate some authoritative name servers in their own premises and others in their internet service provider's data centers or in partnering organizations. + +A network administrator may choose to use a "hidden" primary authoritative server and have only secondary servers visible on the network. A hidden primary authoritative server is an authoritative DNS server whose IP address does not appear in the name server set for a zone. 
If the primary authoritative name server is hidden, a secondary authoritative name server may reside in the same building as the hidden primary.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-000366For non-AD integrated Windows DNS Servers, distribute secondary authoritative servers to be in different buildings from the primary authoritative server.Windows DNS Servers that are Active Directory (AD) integrated must be located where required to meet the AD services. + +If all the Windows DNS Servers are AD integrated, this check is not applicable. + +If any or all the Windows DNS Servers are standalone and non-AD integrated, verify their geographic location with the system administrator. + +If any or all of the authoritative name servers are located in the same building as the primary authoritative name server and the primary authoritative name server is not "hidden", this is a finding.SRG-APP-000383-DNS-000047<GroupDescription></GroupDescription>WDNS-22-000009The Windows DNS Server must prohibit recursion on authoritative name servers for which forwarders have not been configured for external queries.<VulnDiscussion>A potential vulnerability of DNS is that an attacker can poison a name server's cache by sending queries that will cause the server to obtain host-to-IP address mappings from bogus name servers that respond with incorrect information. 
Once a name server has been poisoned, legitimate clients may be directed to nonexistent hosts (which constitutes a denial of service) or hosts that masquerade as legitimate ones to obtain sensitive data or passwords. + +To guard against poisoning, name servers authoritative for .mil domains should be separated functionally from name servers that resolve queries on behalf of internal clients. Organizations may achieve this separation by dedicating machines to each function or, if possible, by running two instances of the name server software on the same machine: one for the authoritative function and the other for the resolving function. In this design, each name server process may be bound to a different IP address or network interface to implement the required segregation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-000366Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Press the Windows key + R and execute "dnsmgmt.msc". + +On the opened DNS Manager snap-in from the left pane, right-click on the server name for the DNS server and select "Properties". + +Click the "Forwarders" tab. + +If forwarders are not being used, click the "Advanced" tab. + +Select the "Disable recursion (also disables forwarders)" check box.Note: In Windows DNS Server, if forwarders are configured, the recursion setting must also be enabled because disabling recursion will disable forwarders. + +If forwarders are not used, recursion must be disabled. 
+ +In both cases, the use of root hints must be disabled. The root hints configuration requirement is addressed in WDNS-22-000012. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Press the Windows key + R and execute "dnsmgmt.msc". + +On the opened DNS Manager snap-in from the left pane, right-click on the server name for the DNS server and select "Properties". + +Click the "Forwarders" tab. + +If forwarders are enabled and configured, this check is not applicable. + +If forwarders are not enabled, click the "Advanced" tab and verify the "Disable recursion (also disables forwarders)" check box is selected. + +If forwarders are not enabled and configure, and the "Disable recursion (also disables forwarders)" check box in the "Advanced" tab is not selected, this is a finding.SRG-APP-000383-DNS-000047<GroupDescription></GroupDescription>WDNS-22-000010Forwarders on an authoritative Windows DNS Server, if enabled for external resolution, must forward only to an internal, non-Active Directory (AD)-integrated DNS server or to the DOD Enterprise Recursive Services (ERS).<VulnDiscussion>A potential vulnerability of DNS is that an attacker can poison a name server's cache by sending queries that will cause the server to obtain host-to-IP address mappings from bogus name servers that respond with incorrect information. Once a name server has been poisoned, legitimate clients may be directed to nonexistent hosts (which constitutes a denial of service) or hosts that masquerade as legitimate ones to obtain sensitive data or passwords. + +To guard against poisoning, name servers authoritative for .mil domains should be separated functionally from name servers that resolve queries on behalf of internal clients. 
Organizations may achieve this separation by dedicating machines to each function or, if possible, by running two instances of the name server software on the same machine: one for the authoritative function and the other for the resolving function. In this design, each name server process may be bound to a different IP address or network interface to implement the required segregation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-000366Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Press the Windows key + R and execute "dnsmgmt.msc". + +On the opened DNS Manager snap-in from the left pane, right-click on the server name for the DNS server and select "Properties". + +Click the "Forwarders" tab. + +Replace the forwarders being used with another DOD-managed DNS server or the DOD ERS. + +Deselect "Use root hints if no forwarders are available".Note: If the Windows DNS Server is in the classified network, this check is not applicable. If forwarders are not being used, this is not applicable. + +Note: In Windows DNS Server, if forwarders are configured, the recursion setting must also be enabled because disabling recursion will disable forwarders. + +If forwarders are not used, recursion must be disabled. In both cases, the use of root hints must be disabled. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Press the Windows key + R and execute "dnsmgmt.msc". 
+ +On the opened DNS Manager snap-in from the left pane, right-click on the server name for the DNS server and select "Properties". + +Click the "Forwarders" tab. + +Review the IP address(es) for the forwarder(s) use. + +If the DNS server does not forward to another DOD-managed DNS server or to the DOD ERS, this is a finding. + +If "Use root hints if no forwarders are available" is selected, this is a finding.SRG-APP-000383-DNS-000047<GroupDescription></GroupDescription>WDNS-22-000011The Windows DNS Server with a caching name server role must restrict recursive query responses to only the IP addresses and IP address ranges of known supported clients.<VulnDiscussion>A potential vulnerability of DNS is that an attacker can poison a name server's cache by sending queries that will cause the server to obtain host-to-IP address mappings from bogus name servers that respond with incorrect information. Once a name server has been poisoned, legitimate clients may be directed to nonexistent hosts (which constitutes a denial of service) or hosts that masquerade as legitimate ones to obtain sensitive data or passwords. 
+ +To guard against poisoning, name servers specifically fulfilling the role of providing recursive query responses for external zones must be segregated from name servers authoritative for internal zones.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-000366Implement DNSSEC on all non-AD-integrated, standalone, caching Windows DNS Servers to ensure the caching server validates signed zones when resolving and caching.Note: Sinkhole name servers host records that are manually added and for which the name server is not authoritative. It is configured and intended to block resolvers from reaching a destination by directing the query to a sinkhole. If the sinkhole name server is not authoritative for any zones and serves only as a caching/forwarding name server, this check is not applicable. + +The non-Active Directory (AD)-integrated, standalone, caching Windows DNS Server must be configured to be DNSSEC aware. When performing caching and lookups, the caching name server must be able to obtain a zone signing key (ZSK) DNSKEY record and corresponding RRSIG record for the queried record. It will use this information to compute the hash for the hostname being resolved. The caching name server decrypts the RRSIG record for the hostname being resolved with the zone's ZSK to get the RRSIG record hash. The caching name server compares the hashes and ensures they match. 
+ +If the non-AD-integrated, standalone, caching Windows DNS Server is not configured to be DNSSEC aware, this is a finding.SRG-APP-000440-DNS-000065<GroupDescription></GroupDescription>WDNS-22-000013The Windows DNS Server must implement cryptographic mechanisms to detect changes to information during transmission.<VulnDiscussion>Encrypting information for transmission protects it from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions that have common application in digital signatures, checksums, and message authentication codes. + +Confidentiality is not an objective of DNS, but integrity is. DNSSEC and TSIG/SIG(0) both digitally sign DNS information to authenticate its source and ensure its integrity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-002421Sign or re-sign the hosted zone(s) on the DNS server being validated. + +Log on to the DNS server using the account designated as Administrator or DNS Administrator. + +Press the Windows key + R and execute "dnsmgmt.msc". + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". 
+ +From the expanded list, right-click to select the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either approved saved parameters or approved custom parameters.Note: If the Windows DNS Server hosts only Active Directory (AD)-integrated zones and does not host any file-based zones, this is not applicable. + +Note: This requirement does not apply for classified environments. + +Validate this check from the Windows DNS Server being configured/reviewed. + +Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. + +Determine a valid host in the zone. + +Open the Windows PowerShell prompt on the Windows DNS Server being configured/reviewed. + +Issue the following command: +(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows DNS Server hosting the signed zone.) + +resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> + +Note: It is important to use the -server switch followed by the DNS server name/IP address. + +The result should show the "A" record results. 
+ +In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer, and signature, similar to the following: + +Name: www.zonename.mil +QueryType: RRSIG +TTL: 189 +Section: Answer +TypeCovered: CNAME +Algorithm: 8 +LabelCount: 3 +OriginalTtl: 300 +Expiration: 11/21/2022 10:22:28 AM +Signed: 10/22/2022 10:22:28 AM +Signer: zonename.mil +Signature: {87, 232, 34, 134...} + +Name: origin-www.zonename.mil +QueryType: A +TTL: 201 +Section: Answer +IP4Address: ###.###.###.### + +If the results do not show the RRSIG and signature information, this is a finding.SRG-APP-000516-DNS-000078<GroupDescription></GroupDescription>WDNS-22-000014The validity period for the Resource Record Signatures (RRSIGs) covering a zone's DNSKEY RRSet must be no less than two days and no more than one week.<VulnDiscussion>The best way for a zone administrator to minimize the impact of a key compromise is by limiting the validity period of RRSIGs in the zone and the parent zone. This strategy limits the time during which an attacker can take advantage of a compromised key to forge responses. An attacker that has compromised a zone signing key (ZSK) can use that key only during the key signing key's (KSK's) signature validity interval. An attacker that has compromised a KSK can use that key for only as long as the signature interval of the RRSIG covering the Delegation Signer (DS) Resource Record (RR) in the delegating parent. These validity periods should be short, which will require frequent re-signing. + +To minimize the impact of a compromised ZSK, a zone administrator should set a signature validity period of one week for RRSIGs covering the DNSKEY RRSet in the zone (the RRSet that contains the ZSK and KSK for the zone). 
The DNSKEY RRSet can be re-signed without performing a ZSK rollover, but scheduled ZSK rollovers should still be performed at regular intervals.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-000366Log on to the DNS server using the account designated as Administrator or DNS Administrator. + +Press the Windows key + R and execute "dnsmgmt.msc". + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". + +From the expanded list, click to select the zone. + +Right-click the zone and select DNSSEC >> Properties. + +Select the "KSK" tab. For the "DNSKEY RRSET signature validity period (hours):" setting, configure to a value between 48 and 168 hours. + +Select the "ZSK" tab. For the "DNSKEY signature validity period (hours):" setting, configure to a value between 48 and 168 hours.Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or Windows DNS Servers on a classified network. + +Log on to the DNS server using the account designated as Administrator or DNS Administrator. + +Press the Windows key + R and execute "dnsmgmt.msc". + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". + +From the expanded list, click to select the zone. + +Right-click the zone and select DNSSEC >> Properties. + +Select the "KSK" tab. 
+ +Verify the "DNSKEY signature validity period (hours):" is set to at least 48 hours and no more than 168 hours. + +Select the "ZSK" tab. + +Verify the "DNSKEY signature validity period (hours):" is set to at least 48 hours and no more than 168 hours. + +If either the "KSK" or "ZSK" tab "DNSKEY signature validity period (hours):" values are set to less than 48 hours or more than 168 hours, this is a finding.SRG-APP-000516-DNS-000084<GroupDescription></GroupDescription>WDNS-22-000015NSEC3 must be used for all internal DNS zones.<VulnDiscussion>NSEC records list the resource record types for the name, as well as the name of the next resource record. This information reveals that the resource record type for the name queried, or the resource record name requested, does not exist. + +NSEC uses the actual resource record names, whereas NSEC3 uses a one-way hash of the name. In this way, walking zone data from one record to the next is prevented at the expense of some CPU cycles on the authoritative server and the resolver. To prevent giving access to an entire zone file, NSEC3 should be configured. To use NSEC3, RSA/SHA-1 should be used as the algorithm, as some resolvers that understand RSA/SHA-1 might not understand NSEC3. Using RSA/SHA-256 is a safe alternative.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-000366Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. 
+ +If not automatically started, initialize the Server Manager window by clicking its icon from the bottom left corner of the screen. + +Once the Server Manager window is initialized, from the left pane, click to select the DNS category. + +From the right pane, under the "SERVERS" section, right-click the DNS server. + +From the context menu that appears, click "DNS Manager". + +On the opened DNS Manager snap-in from the left pane, expand the server name and then expand "Forward Lookup Zones". + +From the expanded list, click to select the zone. + +Right-click the zone and select DNSSEC >> Sign the Zone. + +Re-sign the zone using an NSEC3 algorithm (RSA/SHA-1 (NSEC3), RSA/SHA-256, RSA/SHA-512).Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Open an elevated Windows PowerShell prompt on a DNS server using the Domain Admin or Enterprise Admin account. + +Type the following command, where example.com is replaced with the zone hosted on the DNS Server: + +PS C:\> Get-DnsServerResourceRecord -ZoneName example.com <enter> + +All of the zone's resource records will be returned. This should include the NSEC3 RRs, as depicted below. + +If NSEC3 RRs are not returned for the zone, this is a finding. + +2vf77rkf63hrgismnuvnb8... NSEC3 0 01:00:00 [RsaSha1][False][50][F2738D980008F73C] +7ceje475rse25gppr3vphs... 
NSEC3 0 01:00:00 [RsaSha1][False][50][F2738D980008F73C]SRG-APP-000516-DNS-000085<GroupDescription></GroupDescription>WDNS-22-000016The Windows DNS Server's zone files must have NS records that point to active name servers authoritative for the domain specified in that record.<VulnDiscussion>Poorly constructed NS records pose a security risk because they create conditions under which an adversary might be able to provide the missing authoritative name services that are improperly specified in the zone file. The adversary could issue bogus responses to queries that clients would accept because they learned of the adversary's name server from a valid authoritative name server, one that need not be compromised for this attack to be successful. + +The list of secondary servers must remain current within 72 hours of any changes to the zone architecture that would affect the list of secondaries. If a secondary server has been retired or is not operational but remains on the list, an adversary might have a greater opportunity to impersonate that secondary without detection, rather than if the secondary was online. For example, the adversary may be able to spoof the retired secondary's IP address without an IP address conflict, which would not be likely to occur if the true secondary were active.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-000366If DNS servers are Active Directory (AD) integrated, troubleshoot and remedy the replication problem where the nonresponsive name server is not being updated. 
+ +If DNS servers are not AD integrated, log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Press the Windows key + R and execute "dnsmgmt.msc". + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand "Forward Lookup Zones". + +From the expanded list, click to select the zone. + +Review the NS records for the zone. + +Select the NS record for the nonresponsive name server and remove the record.Note: This check is not applicable if Windows DNS Server is only serving as a caching server and does not host any zones authoritatively. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Press the Windows key + R and execute "dnsmgmt.msc". + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". + +From the expanded list, click to select the zone. + +Review the NS records for the zone. + +Verify each of the name servers, represented by the NS records, is active. + +At a command prompt on any system, type: + +nslookup <enter>; + +At the nslookup prompt, type: + +server ###.###.###.### <enter>; +(where the ###.###.###.### is replaced by the IP of each NS record) + +Enter a FQDN for a known host record in the zone. + +If the NS server does not respond at all or responds with a nonauthoritative answer, this is a finding.SRG-APP-000516-DNS-000087<GroupDescription></GroupDescription>WDNS-22-000017All authoritative name servers for a zone must be located on different network segments.<VulnDiscussion>Most enterprises have an authoritative primary server and a host of authoritative secondary name servers. It is essential that these authoritative name servers for an enterprise be located on different network segments. 
This dispersion ensures the availability of an authoritative name server not only in situations in which a particular router or switch fails but also during events involving an attack on an entire network segment. + +A network administrator may choose to use a "hidden" primary authoritative server and have only secondary servers visible on the network. A hidden primary authoritative server is an authoritative DNS server whose IP address does not appear in the name server set for a zone. If the primary authoritative name server is hidden, a secondary authoritative name server may reside on the same network as the hidden primary.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-000366For non-AD-integrated Windows DNS Servers, distribute secondary authoritative servers on separate network segments from the primary authoritative server.Windows DNS Servers that are Active Directory (AD) integrated must be located where required to meet the Active Directory services. + +If all of the Windows DNS Servers are AD integrated, this check is not applicable. + +If any or all the Windows DNS Servers are standalone and non-AD integrated, verify their geographic location with the system administrator. 
+ +If all of the authoritative name servers are located on the same network segment and the primary authoritative name server is not "hidden", this is a finding.SRG-APP-000516-DNS-000088<GroupDescription></GroupDescription>WDNS-22-000018All authoritative name servers for a zone must have the same version of zone information.<VulnDiscussion>The only protection approach for content control of a DNS zone file is the use of a zone file integrity checker. The effectiveness of integrity checking using a zone file integrity checker depends on the database of constraints built into the checker. The deployment process consists of developing these constraints with the right logic, and the only determinant of the truth value of these logical predicates is the parameter values for certain key fields in the format of various RRTypes. + +The serial number in the SOA RDATA is used to indicate to secondary name servers that a change to the zone has occurred and a zone transfer should be performed. It should always be increased whenever a change is made to the zone data. DNS NOTIFY must be enabled on the primary authoritative name server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-000366If all DNS servers are AD integrated, determine why the replication is not taking place to the out-of-sync secondary name servers and mitigate the issue. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Press the Windows key + R and execute "dnsmgmt.msc". 
+ +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". + +From the expanded list, click to select the zone. + +Initiate a zone transfer to all secondary name servers for the zone.Note: Due to the manner in which Active Directory replication increments SOA records for zones when transferring zone information via Active Directory (AD) replication, this check is not applicable for AD-integrated zones. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Press the Windows key + R and execute "dnsmgmt.msc". + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". + +From the expanded list, click to select the zone. + +Review the SOA information for the zone and obtain the Serial Number. + +Access each secondary name server for the same zone and review the SOA information. + +Verify the Serial Number is the same on all authoritative name servers. + +If the Serial Number is not the same on one or more authoritative name servers, this is a finding.SRG-APP-000516-DNS-000089<GroupDescription></GroupDescription>WDNS-22-000019The Windows DNS Server must be configured to enable DNSSEC Resource Records (RRs).<VulnDiscussion>The specification for a digital signature mechanism in the context of the DNS infrastructure is in the Internet Engineering Task Force's (IETF's) DNSSEC standard. In DNSSEC, trust in the public key (for signature verification) of the source is established not by going to a third party or a chain of third parties (as in public key infrastructure [PKI] chaining), but by starting from a trusted zone (such as the root zone) and establishing the chain of trust down to the current source of response through successive verifications of signature of the public key of a child by its parent. 
The public key of the trusted zone is called the trust anchor. After authenticating the source, the next process DNSSEC calls for is to authenticate the response. DNSSEC mechanisms involve two main processes: sign and serve and verify signature. + +Before a DNSSEC-signed zone can be deployed, a name server must be configured to enable DNSSEC processing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-000366Sign or re-sign the hosted zone(s) on the DNS server being validated. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Press the Windows key + R and execute "dnsmgmt.msc". + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". + +From the expanded list, right-click to select the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone", using either approved saved parameters or approved custom parameters.Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Press the Windows key + R and execute "dnsmgmt.msc". + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". + +From the expanded list, click to select each zone. 
+ +Review the RRs for each zone and verify all of the DNSSEC record types are included for the zone. + +Note: The DS (Delegation Signer) record should also exist but the requirement for it is validated under WDNS-22-000054. + +RRSIG (Resource Read Signature) +DNSKEY (Public Key) +NSEC3 (Next Secure 3) + +If the zone does not show all the DNSSEC record types, this is a finding.SRG-APP-000516-DNS-000090<GroupDescription></GroupDescription>WDNS-22-000020The digital signature algorithm used for DNSSEC-enabled zones must be FIPS-compatible.<VulnDiscussion>The choice of digital signature algorithm will be based on recommended algorithms in well-known standards. NIST's Digital Signature Standard (DSS) (FIPS186) provides three algorithm choices: +- Digital Signature Algorithm (DSA). +- RSA. +- Elliptic Curve DSA (ECDSA). + +Of these three algorithms, RSA and DSA are more widely available and hence are considered candidates of choice for DNSSEC. Both RSA and DSA have comparable signature generation speeds, but DSA is much slower for signature verification. + +RSA is the recommended algorithm for this guideline. RSA with SHA-1 is currently the only cryptographic algorithm mandated to be implemented with DNSSEC, although other algorithm suites (i.e., RSA/SHA-256, ECDSA) are also specified. It can be expected that name servers and clients will be able to use the RSA algorithm at a minimum. It is suggested that at least one zone signing key (ZSK) for a zone use the RSA algorithm. + +NIST's Secure Hash Standard (SHS) (FIPS 180-3) specifies SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 as approved hash algorithms to be used as part of the algorithm suite for generating digital signatures using the digital signature algorithms in NIST's DSS (FIPS186). It is expected that there will be support for Elliptic Curve Cryptography in the DNSSEC. 
The migration path for USG DNSSEC operation will be to ECDSA (or similar) from RSA/SHA-1 and RSA/SHA-256 before 30 September 2015.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-000366Sign or re-sign the hosted zone(s) on the DNS server being validated. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Press the Windows key + R and execute "dnsmgmt.msc". + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". + +From the expanded list, right-click to select the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either approved saved parameters or approved custom parameters.Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Press the Windows key + R and execute "dnsmgmt.msc". + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". + +From the expanded list, click to select the zone. + +Review the zone's RRs in the right windowpane. + +Review the DNSKEY encryption in the Data column. Example: [DNSKEY][RsaSha1][31021] + +Confirm the encryption algorithm specified in the DNSKEY's data is at RsaSha1, at a minimum. 
+ +If the specified encryption algorithm is not RsaSha1 or stronger, this is a finding.SRG-APP-000516-DNS-000091<GroupDescription></GroupDescription>WDNS-22-000021For zones split between the external and internal sides of a network, the resource records (RRs) for the external hosts must be separate from the RRs for the internal hosts.<VulnDiscussion>Authoritative name servers for an enterprise may be configured to receive requests from both external and internal clients. + +External clients need to receive RRs that pertain only to public services (public web server, mail server, etc.). + +Internal clients need to receive RRs pertaining to public services as well as internal hosts. + +The zone information that serves the RRs on both the inside and the outside of a firewall should be split into different physical files for these two types of clients (one file for external clients and one file for internal clients).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-000366Remove any RRs from the internal zones for which the resolution is for an external IP address. + +Remove any RRs from the external zones for which the resolution is for an internal IP address.Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Press the Windows key + R and execute "dnsmgmt.msc". + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". + +From the expanded list, click to select the zone. 
+ +For each zone, review the records. + +If any RRs on an internal DNS server resolve to IP addresses located outside the internal DNS server's network, this is a finding. + +If any RRs on an external DNS server resolve to IP addresses located inside the network, this is a finding.SRG-APP-000516-DNS-000092<GroupDescription></GroupDescription>WDNS-22-000022In a split DNS configuration between the external and internal networks, the external name server must be configured to not be reachable from inside resolvers.<VulnDiscussion>Instead of having the same set of authoritative name servers serve different types of clients, an enterprise could have two different sets of authoritative name servers. + +One set, called external name servers, can be located within a DMZ; these would be the only name servers that are accessible to external clients and would serve resource records (RRs) pertaining to hosts with public services (web servers that serve external web pages or provide business-to-consumer services, mail servers, etc.). + +The other set, called internal name servers, is to be located within the firewall and should be configured so the servers are not reachable from outside and hence provide naming services exclusively to internal clients.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-000366Configure the external DNS server's firewall policy, or the network firewall, to block queries from internal hosts.Consult with the system administrator to review the external Windows DNS Server's DOD approved firewall policy. 
+ +The inbound TCP and UDP ports 53 rule should be configured to only restrict IP addresses from the internal network. + +If the DOD-approved firewall policy is not configured with the restriction, consult with the network firewall administrator to confirm the restriction on the network firewall. + +If neither the DNS server's DOD approved firewall policy nor the network firewall is configured to block internal hosts from querying the external DNS server, this is a finding.SRG-APP-000516-DNS-000095<GroupDescription></GroupDescription>WDNS-22-000024Primary authoritative name servers must be configured to only receive zone transfer requests from specified secondary name servers.<VulnDiscussion>Authoritative name servers (especially primary name servers) should be configured with an allow-transfer access control substatement designating the list of hosts from which zone transfer requests can be accepted. These restrictions address the denial-of-service threat and potential exploits from unrestricted dissemination of information about internal resources. + +Based on the need to know, the only name servers that need to refresh their zone files periodically are the secondary name servers. Zone transfer from primary name servers should be restricted to secondary name servers. The zone transfer should be completely disabled in the secondary name servers. 
The address match list argument for the allow-transfer substatement should consist of IP addresses of secondary name servers and stealth secondary name servers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-000366Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Press the Windows key + R and execute "dnsmgmt.msc". + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". + +From the expanded list, click to select the zone. + +Right-click the zone and select "Properties". + +Select the "Zone Transfers" tab. + +Select the "Only to servers listed on the Name Server tab" or "Only to the following servers" check box or deselect the "Allow zone transfers" check box. + +Click "OK".Determine if the authoritative primary name server is Active Directory (AD) integrated. + +Determine if all secondary name servers for every zone for which the primary name server is authoritative are AD-integrated in the same Active Directory. + +If the authoritative primary name server is AD integrated and all secondary name servers are part of the same AD, this check is not a finding because AD handles the replication of DNS data. + +If one or more of the secondary name servers are non-AD integrated, verify the primary name server is configured to only send zone transfers to a specific list of secondary name servers. 
+ +Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Press the Windows key + R and execute "dnsmgmt.msc". + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand "Forward Lookup Zones". + +From the expanded list, click to select the zone. + +Right-click the zone and select "Properties". + +Select the "Zone Transfers" tab. + +If the "Allow zone transfers:" check box is not selected, this is not a finding. + +If the "Allow zone transfers:" check box is selected, verify either "Only to servers listed on the Name Server tab" or "Only to the following servers" is selected. + +If the "To any server" option is selected, this is a finding.SRG-APP-000516-DNS-000099<GroupDescription></GroupDescription>WDNS-22-000025The Windows DNS Servers zone database files must not be accessible for edit/write by users and/or processes other than the Windows DNS Server service account and/or the DNS database administrator.<VulnDiscussion>Discretionary Access Control (DAC) is based on the premise that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. In a DNS implementation, DAC should be granted to a minimal number of individuals and objects because DNS does not interact directly with users and users do not store and share data with the DNS application directly. + +The primary objective of DNS authentication and access control is the integrity of DNS records; only authorized personnel must be able to create and modify resource records, and name servers should only accept updates from authoritative primary servers for the relevant zones. 
Integrity is best ensured through authentication and access control features within the name server software and the file system the name server resides on. To protect the zone files and configuration data, which should only be accessed by the name service or an administrator, access controls must be implemented on files, and rights should not be easily propagated to other users. Lack of a stringent access control policy places the DNS infrastructure at risk to malicious persons and attackers and creates the potential for a denial of service to network resources. + +DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. DAC models have the potential for the access controls to propagate without limit, resulting in unauthorized access to objects. + +When applications provide a DAC mechanism, the DNS implementation must be able to limit the propagation of those access rights.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-000366For a file-back Windows DNS implementation, log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Press the Windows key + R and execute "dnsmgmt.msc". + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". + +From the expanded list, click to select each zone. + +Right-click each zone and select "Properties". + +Select the "Security" tab. 
+ +Downgrade to READ privileges any group or user that has greater than READ privileges other than the DNS administrators and the system service account under which the DNS Server Service is running.For an Active Directory (AD)-integrated DNS implementation, this is not applicable by virtue of being compliant with the Windows 2022 AD STIG because DNS data within an AD-integrated zone is kept within the Active Directory. + +For a file-based Windows DNS implementation, log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Press the Windows key + R and execute "dnsmgmt.msc". + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". + +From the expanded list, click to select each zone. + +Right-click each zone and select "Properties". + +Select the "Security" tab. + +Review the permissions applied to the zone. No group or user should have greater than READ privileges other than the DNS administrators and the system service account under which the DNS Server Service is running. + +If any other account/group has greater than READ privileges, this is a finding.SRG-APP-000516-DNS-000101<GroupDescription></GroupDescription>WDNS-22-000026The Windows DNS Server must implement internal/external role separation.<VulnDiscussion>DNS servers with an internal role only process name/address resolution requests from within the organization (i.e., internal clients). DNS servers with an external role only process name/address resolution information requests from clients external to the organization (i.e., on the external networks, including the internet). + +The set of clients that can access an authoritative DNS server in a particular role is specified by the organization using address ranges, explicit access control lists, etc. To protect internal DNS resource information, it is important to isolate the requests to internal DNS servers. 
Separating internal and external roles in DNS prevents address space that is private (e.g., 10.0.0.0/24) or otherwise concealed by some form of Network Address Translation from leaking into the public DNS system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-000366Configure separate DNS servers for each of the external and internal networks.Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Press the Windows key + R and execute "dnsmgmt.msc". + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". + +From the expanded list, review each zone. + +Consult with the DNS Admin to determine if any of the zones also have hostnames that need to be resolved from the external network. + +If the zone is split between internal and external networks, verify separate DNS servers have been implemented for each network. + +If internal and external DNS servers have not been implemented for zones that require resolution from both the internal and external networks, this is a finding.SRG-APP-000516-DNS-000102<GroupDescription></GroupDescription>WDNS-22-000027The Windows DNS Server authoritative for local zones must only point root hints to the DNS servers that host the internal root domain.<VulnDiscussion>All caching name servers must be authoritative for the root zone because, without this starting point, they would have no knowledge of the DNS infrastructure and thus would be unable to respond to any queries. 
+ +The security risk is that an adversary could change the root hints and direct the caching name server to a bogus root server. At that point, every query response from that name server is suspect, which would give the adversary substantial control over the network communication of the name servers' clients. When authoritative servers are sent queries for zones that they are not authoritative for, and they are configured as a noncaching server (as recommended), they can be configured to either return a referral to the root servers or refuse to answer the query. + +The recommendation is to configure authoritative servers to refuse to answer queries for any zones for which they are not authoritative. This is more efficient for the server and allows it to spend more of its resources fulfilling its intended purpose of answering authoritatively for its zone.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-000366Log on to the authoritative DNS server using the Domain Admin or Enterprise Admin account. + +Press the Windows key + R and execute "dnsmgmt.msc". + +Right-click the DNS server and select "Properties". + +Select the "Root Hints" tab. + +Remove the root hints from the DNS Manager, the CACHE.DNS file, and from Active Directory for name servers outside the internal network. + +Replace the existing root hints with new root hints of internal servers. 
+ +If the DNS server is forwarding, click to select the "Do not use recursion for this domain"" check box on the "Forwarders" tab in DNS Manager to ensure the root hints will not be used.Note: If the Windows DNS Server is in the classified network, this check is not applicable. + +Log on to the authoritative DNS server using the Domain Admin or Enterprise Admin account. + +Press the Windows key + R and execute "dnsmgmt.msc". + +Right-click the DNS server and select "Properties". + +Select the "Root Hints" tab. + +Verify "Root Hints" is empty or only has entries for internal zones under "Name servers:". All internet root server entries must be removed. + +If "Root Hints" is not empty or entries on the "Root Hints" tab under "Name servers:" are external to the local network, this is a finding.SRG-APP-000516-DNS-000113<GroupDescription></GroupDescription>WDNS-22-000029The Windows DNS Servers zone files must not include resource records that resolve to a fully qualified domain name residing in another zone.<VulnDiscussion>If a name server could claim authority for a resource record in a domain for which it was not authoritative, this would pose a security risk. In this environment, an adversary could use illicit control of a name server to impact IP address resolution beyond the scope of that name server (i.e., by claiming authority for records outside of that server's zones). Fortunately, all but the oldest versions of BIND and most other DNS implementations do not allow for this behavior. The best way to eliminate this risk is to eliminate from the zone files any records for hosts in another zone. + +The exceptions are glue records supporting zone delegations, CNAME records supporting a system migration, or CNAME records that point to third-party content delivery networks (CDNs) or cloud computing platforms. 
In the case of third-party CDNs or cloud offerings, an approved mission need must be demonstrated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-000366Remove any resource records in a zone file if the resource record resolves to a fully qualified domain name residing in another zone.Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Press the Windows key + R and execute "dnsmgmt.msc". + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". + +From the expanded list, click to select the zone. + +Confirm with the DNS administrator that the hosts defined in the zone files do not resolve to hosts in another zone with its fully qualified domain name. + +The exceptions are glue records supporting zone delegations, CNAME records supporting a system migration, or CNAME records that point to third-party CDNs or cloud computing platforms. In the case of third-party CDNs or cloud offerings, an approved mission need must be demonstrated. Additional exceptions are CNAME records in a multidomain Active Directory environment pointing to hosts in other internal domains in the same multidomain environment. 
+ +If resource records are maintained that resolve to a fully qualified domain name in another zone, and the usage is not for resource records resolving to hosts that are glue records supporting zone delegations, CNAME records supporting a system migration, or CNAME records that point to third-party CDNs or cloud computing platforms with a documented and approved mission need, this is a finding.SRG-APP-000516-DNS-000114<GroupDescription></GroupDescription>WDNS-22-000030The Windows DNS Server's zone files must not include CNAME records pointing to a zone with lesser security for more than six months.<VulnDiscussion>The use of CNAME records for exercises, tests, or zone-spanning (pointing to zones with lesser security) aliases should be temporary (e.g., to facilitate a migration) and not be in place for more than six months. + +When a host name is an alias for a record in another zone, an adversary has two points of attack: the zone in which the alias is defined and the zone authoritative for the alias's canonical name. This configuration also reduces the speed of client resolution because it requires a second lookup after obtaining the canonical name. 
In the case of an authoritative name server, this information is promulgated throughout the enterprise to caching servers, which compounds the vulnerability.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-000366Remove any zone-spanning CNAME records that have been active for more than six months, which are not supporting zone delegations, CNAME records supporting a system migration, or CNAME records pointing to third-party CDNs or cloud computing platforms. + +In the case of third-party CDNs or cloud offerings, an approved mission need must be demonstrated (AO approval of use of a commercial cloud offering would satisfy this requirement).Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Press the Windows key + R and execute "dnsmgmt.msc". + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". + +From the expanded list, click to select the zone. + +Review the resource records to confirm there are no CNAME records older than six months. + +The exceptions are glue records supporting zone delegations, CNAME records supporting a system migration, or CNAME records that point to third-party Content Delivery Networks (CDNs) or cloud computing platforms. In the case of third-party CDNs or cloud offerings, an approved mission need must be demonstrated. (Authorizing Official approval of use of a commercial cloud offering would satisfy this requirement.) 
Additional exceptions are CNAME records in a multidomain Active Directory environment pointing to hosts in other internal domains in the same multidomain environment. + +If there are zone-spanning (i.e., zones of lesser security) CNAME records older than six months and the CNAME records resolve to anything other than fully qualified domain names for glue records supporting zone delegations, CNAME records supporting a system migration, or CNAME records that point to third-party CDNs or cloud computing platforms with an AO-approved and documented mission need, this is a finding.SRG-APP-000516-DNS-000500<GroupDescription></GroupDescription>WDNS-22-000031Nonroutable IPv6 link-local scope addresses must not be configured in any zone.<VulnDiscussion>IPv6 link-local scope addresses are not globally routable and must not be configured in any DNS zone. Like RFC1918 addresses, if a link-local scope address is inserted into a zone provided to clients, most routers will not forward this traffic beyond the local subnet.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-000366Remove any link-local addresses and replace with appropriate Site-Local or Global scope addresses.Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Press the Windows key + R and execute "dnsmgmt.msc". + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". + +From the expanded list, click to select the zone. 
+ +Expand the "Forward Lookup Zones" folder. + +Expand each zone folder and examine the host record entries. The third column titled "Data" will display the IP. + +Verify this column does not contain any IP addresses that begin with the prefixes "FE8", "FE9", "FEA", or "FEB". + +If any nonroutable IPv6 link-local scope addresses are in any zone, this is a finding.SRG-APP-000516-DNS-000500<GroupDescription></GroupDescription>WDNS-22-000032AAAA addresses must not be configured in a zone for hosts that are not IPv6 aware.<VulnDiscussion>DNS is only responsible for resolving a domain name to an IP address. Applications and operating systems are responsible for processing the IPv6 or IPv4 record that may be returned. + +A denial of service could easily be implemented for an application that is not IPv6 aware. When the application receives an IP address in hexadecimal, it is up to the application/operating system to decide how to handle the response. Combining both IPv6 and IPv4 records into the same domain can lead to application problems that are beyond the scope of the DNS administrator.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-000366Remove any IPv6 records for hosts that are not IPv6 aware.Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Press the Windows key + R and execute "dnsmgmt.msc". + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". 
+ +From the expanded list, select each zone and examine the host record entries. The third column titled "Data" will display the IP. + +Determine if any contain both IPv4 and IPv6 addresses. + +If any hostnames contain both IPv4 and IPv6 addresses, confirm with the system administrator that the actual hosts are IPv6 aware. + +If any zones contain hosts with both IPv4 and IPv6 addresses but are determined to be non-IPv6 aware, this is a finding.SRG-APP-000390-DNS-000048<GroupDescription></GroupDescription>WDNS-22-000034The Windows DNS Server must require devices to reauthenticate for each dynamic update request connection attempt.<VulnDiscussion>Without reauthenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. + +In addition to the reauthentication requirements associated with session locks, organizations may require reauthentication of devices, including but not limited to the following other situations: +(i) When authenticators change; +(ii) When roles change; +(iii) When security categories of information systems change; +(iv) After a fixed period of time; or +(v) Periodically. + +DNS does perform server authentication when DNSSEC or TSIG/SIG(0) are used, but this authentication is transactional in nature (each transaction has its own authentication performed). 
Therefore, this requirement is applicable for every server-to-server transaction request.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-002039Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Press the Windows key + R and execute "dnsmgmt.msc". + +On the opened DNS Manager snap-in from the left pane, expand the server name and then expand "Forward Lookup Zones". + +From the expanded list, click to select the zone. + +Once selected, right-click the name of the zone, and from the displayed context menu, go to "Properties". + +On the opened domain's properties box, click the "General" tab. + +If the "Type:" is not "Active Directory-Integrated", configure the zone for Active Directory integration. + +Select "Secure only" from the "Dynamic updates:" drop-down list.Authentication of dynamic updates is accomplished in Windows Server DNS by configuring the zones to accept only secure dynamic updates. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Press the Windows key + R and execute "dnsmgmt.msc". + +On the opened DNS Manager snap-in from the left pane, expand the server name and then expand "Forward Lookup Zones". + +From the expanded list, click to select the zone. + +Once selected, right-click the name of the zone, and from the displayed context menu, go to "Properties". + +On the opened domain's properties box, click the "General" tab. + +Verify the "Type:" is "Active Directory-Integrated". 
+ +Verify the "Dynamic updates" has "Secure only" selected. + +If the zone is Active Directory-Integrated and the "Dynamic updates" are not configured for "Secure only", this is a finding.SRG-APP-000158-DNS-000015<GroupDescription></GroupDescription>WDNS-22-000035The Windows DNS Server must uniquely identify the other DNS server before responding to a server-to-server transaction.<VulnDiscussion>Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. This applies to server-to-server (zone transfer) transactions only and is provided by TSIG/SIG(0), which enforces mutual server authentication using a key that is unique to each server pair, TSIG, or using PKI-based authentication, SIG(0), thus uniquely identifying the other server. + +TSIG and SIG(0) are not configurable in Windows DNS Server. + +To meet the requirement for authentication between Windows DNS Servers, IPsec will be implemented between the Windows DNS Servers that host any non-Active Directory (AD)-integrated zones.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-000778Complete the following procedures twice for each pair of name servers. + +Create a rule for TCP connections. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Press the Windows key + R and execute "gpme.msc" to open the Group Policy Management feature. + +In the "Browse for Group Policy Object" dialog box, double-click "Domain Controllers.domain.com". 
+ +Click "Default Domain Controllers Policy" and click "OK". + +In the console tree, open Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security - LDAP. + +Right-click "Connection Security Rules" and select "New". + +For "Rule Type", select the "Server-to-server" radio button and click "Next". + +For Endpoint 1 and Endpoint 2, select "These IP addresses:" and add the IP addresses of all DNS servers. Click "Next". + +For "Requirements", select "Request authentication for inbound and outbound connections" and click "Next". + +For "Authentication Method", select Computer certificate and from the "Signing Algorithm:" drop-down, select "RSA (default)". + +From the "Certificate store type:" drop-down, select "Root CA (default)". + +From the "CA name:", click "Browse", select the certificate for the CA, and click "Next". + +On "Profile", accept default selections and click "Next". + +On "Name", enter a name applicable to the rule's function. + +Click "Finish".Note: This requirement applies to any Windows DNS Server that hosts non-AD-integrated zones, even if the DNS servers host AD-integrated zones, too. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Press the Windows key + R and execute "gpme.msc" to open the Group Policy Management feature. + +In the "Browse for Group Policy Object" dialog box, double-click "Domain Controllers.domain.com". + +Click "Default Domain Controllers Policy" and click "OK". + +In the console tree, open Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security - LDAP. + +Click "Connection Security Rules". + +Confirm at least one rule is configured for TCP 53. 
+ +Double-click on each rule to verify the following: + +On the "Authentication" tab, "Authentication mode:" is set to "Request authentication for inbound and outbound connections". + +The "Signing Algorithm" is set to "RSA (default)". + +On the "Remote Computers" tab, "Endpoint1" and "Endpoint2" are configured with the IP addresses of all DNS servers. + +On the "Protocols and Ports" tab, "Protocol type:" is set to either TCP (depending on which rule is being reviewed) and the "Endpoint 1 port:" is set to "Specific ports" and "53". + +If no rules are configured with the specified requirements, this is a finding.SRG-APP-000394-DNS-000049<GroupDescription></GroupDescription>WDNS-22-000036The secondary Windows DNS name servers must cryptographically authenticate zone transfers from primary name servers.<VulnDiscussion>Authenticity of zone transfers within Windows Active Directory (AD)-integrated zones is accomplished by AD replication. Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Device authentication is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring only specific preauthorized devices can access the system. 
+ +This requirement applies to server-to-server (zone transfer) transactions only and is provided by TSIG/SIG(0), which enforces mutual server authentication using a key that is unique to each server pair, TSIG, or using PKI-based authentication, SIG(0).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-001958Sign or re-sign the hosted zone(s) on the DNS server being validated. + +Log on to the DNS server using the account designated as Administrator or DNS Administrator. + +If not automatically started, initialize the Server Manager window by clicking its icon from the bottom left corner of the screen. + +Once the Server Manager window is initialized, from the left pane, click to select the DNS category. + +From the right pane, under the "SERVERS" section, right-click the DNS server. + +From the context menu that appears, click "DNS Manager". + +In the DNS Manager console tree on the DNS server being validated, navigate to "Forward Lookup Zones". + +Right-click the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either approved saved parameters or approved custom parameters.For zones that are completely AD-integrated, this check is not a finding. + +For authenticity of zone transfers between non-AD-integrated zones, DNSSEC must be implemented. + +Validate this check from the Windows DNS Server being configured/reviewed. + +Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. + +Determine a valid host in the zone. 
+ +Open the Windows PowerShell prompt on the Windows DNS Server being configured/reviewed. + +Issue the following command: +(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows DNS Server hosting the signed zone.) + +resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> + +Note: It is important to use the -server switch followed by the DNS server name/IP address. + +The result should show the "A" record results. + +In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer, and signature, similar to the following: + +Name: www.zonename.mil +QueryType: RRSIG +TTL: 189 +Section: Answer +TypeCovered: CNAME +Algorithm: 8 +LabelCount: 3 +OriginalTtl: 300 +Expiration: 12/21/2022 10:215:28 AM +Signed: 11/22/2022 10:15:28 AM +Signer: zonename.mil +Signature: {87, 232, 34, 134...} + +Name: origin-www.zonename.mil +QueryType: A +TTL: 201 +Section: Answer +IP4Address: ###.###.###.### + +If the results do not show the RRSIG and signature information, indicating the zone has been signed with DNSSEC, this is a finding.SRG-APP-000001-DNS-000001<GroupDescription></GroupDescription>WDNS-22-000037The Windows DNS primary server must only send zone transfers to a specific list of secondary name servers.<VulnDiscussion>Primary name servers also make outbound connection to secondary name servers to provide zone transfers and accept inbound connection requests from clients wishing to provide a dynamic update. Primary name servers should explicitly limit zone transfers to be made only to designated secondary name servers. Because zone transfers involve the transfer of entire zones and use TCP connections, they place substantial demands on network resources relative to normal DNS queries. 
Errant or malicious frequent zone transfer requests on the name servers of the enterprise can overload the master zone server and result in a denial of service to legitimate users. + +Active Directory (AD)-integrated DNS servers replicate zone information via AD replication. Non-AD-integrated DNS servers replicate zone information via zone transfers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-000054Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Press the Windows key + R and execute "dnsmgmt.msc". + +On the opened DNS Manager snap-in from the left pane, expand the server name and then expand "Forward Lookup Zones". + +From the expanded list, click to select the zone. + +From the displayed context menu, click the "Properties" option. + +On the opened zone's properties box, go to the "Zone Transfers" tab. + +On the displayed interface, select the "Allow zone transfers" check box. + +Select the "Only to servers listed on the Name Servers tab" radio button OR select the "Only to the following servers" radio button. + +Click "Apply". + +Click "OK".If the DNS server hosts only AD-integrated zones and there are no non-AD-integrated DNS servers acting as secondary DNS servers for the zones, this check is not applicable. + +For a non-AD-integrated DNS server: + +Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Press the Windows key + R and execute "dnsmgmt.msc". 
+ +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand "Forward Lookup Zones". + +From the expanded list, click to select and then right-click the zone name. + +From the displayed context menu, click the "Properties" option. + +On the opened zone's properties box, go to the "Zone Transfers" tab. + +On the displayed interface, determine if the "Allow zone transfers" check box is selected. + +If the "Allow zone transfers" check box is not selected, this is not a finding. + +If the "Allow zone transfers" check box is selected, determine if either the "Only to servers listed on the Name Servers tab" radio button is selected or the "Only to the following servers" radio button is selected. + +If the "To any server" radio button is selected, this is a finding.SRG-APP-000347-DNS-000041<GroupDescription></GroupDescription>WDNS-22-000038The Windows DNS Server must provide its identity with returned DNS information by enabling DNSSEC and TSIG/SIG(0).<VulnDiscussion>Weakly bound credentials can be modified without invalidating the credential; therefore, nonrepudiation can be violated. + +This requirement supports audit requirements that provide organizational personnel with the means to identify who produced specific information in the event of an information transfer. Organizations and/or data owners determine and approve the strength of the binding between the information producer and the information based on the security category of the information and relevant risk factors. 
+ +DNSSEC and TSIG/SIG(0) both use digital signatures to establish the identity of the producer of pieces of information.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-000366CCI-001901Sign or re-sign the hosted zone(s) on the DNS server being validated. + +Log on to the DNS server using the account designated as Administrator or DNS Administrator. + +In the DNS Manager console tree on the DNS server being validated, navigate to "Forward Lookup Zones". + +Right-click the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either saved parameters or custom parameters.Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. + +Validate this check from the Windows DNS Server being configured/reviewed. + +Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. + +Determine a valid host in the zone. + +Open the Windows PowerShell prompt on the Windows DNS Server being configured/reviewed. + +Issue the following command: +(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows DNS Server hosting the signed zone.) + +resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> + +Note: It is important to use the -server switch followed by the DNS server name/IP address. + +The result should show the "A" record results. 
+ +In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer, and signature, similar to the following: + +Name: www.zonename.mil +QueryType: RRSIG +TTL: 189 +Section: Answer +TypeCovered: CNAME +Algorithm: 8 +LabelCount: 3 +OriginalTtl: 300 +Expiration: 11/21/2014 10:22:28 PM +Signed: 10/22/2014 10:22:28 PM +Signer: zonename.mil +Signature: {87, 232, 34, 134...} + +Name: origin-www.zonename.mil +QueryType: A +TTL: 201 +Section: Answer +IP4Address: ###.###.###.### + +If the results do not show the RRSIG and signature information, this is a finding.SRG-APP-000176-DNS-000017<GroupDescription></GroupDescription>WDNS-22-000039The Windows DNS Server must be configured to enforce authorized access to the corresponding private key.<VulnDiscussion>The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, this will lead to the compromise of the authentication and nonrepudiation gained through PKI because the attacker can use the private key to digitally sign documents and pretend to be the authorized user. Both the holders of a digital certificate and the issuing authority must protect the computers, storage devices, or whatever they use to keep the private keys. + +SIG(0) is used for server-to-server authentication for DNS transactions, and it uses PKI-based authentication. 
In cases where SIG(0) is being used instead of TSIG (which uses a shared key, not PKI-based authentication), this requirement is applicable.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-000186Access Windows Explorer. + +Navigate to the following location: + +%ALLUSERSPROFILE%\Microsoft\Crypto + +Modify permissions on the keys folder, subfolders, and files to be limited to SYSTEM and Administrators FULL CONTROL to limit all other users/groups to READ.Access Windows Explorer. + +Navigate to the following location: + +%ALLUSERSPROFILE%\Microsoft\Crypto + +Note: If the folder above does not exist, this check is not applicable. + +Verify the permissions on the keys folder, subfolders, and files are limited to SYSTEM and Administrators FULL CONTROL. + +If any other user or group has greater than READ privileges to the %ALLUSERSPROFILE%\Microsoft\Crypto folder, subfolders and files, this is a finding.SRG-APP-000176-DNS-000018<GroupDescription></GroupDescription>WDNS-22-000040The Windows DNS Server key file must be owned by the account under which the Windows DNS Server service is run.<VulnDiscussion>To enable zone transfer (requests and responses) through authenticated messages, it is necessary to generate a key for every pair of name servers. The key can also be used for securing other transactions, such as dynamic updates, DNS queries, and responses. The binary key string that is generated by most key generation utilities used with DNSSEC is Base64 encoded. 
Transaction Signature (TSIG) is a string used to generate the message authentication hash stored in a TSIG Resource Record (RR) and used to authenticate an entire DNS message.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-000186Access Windows Explorer. + +Navigate to the following location: + +%ALLUSERSPROFILE%\Microsoft\Crypto + +Right-click on each subfolder, choose "Properties", click the "Security" tab, and click the "Advanced" button. + +Click "Change" next to the listed Owner and change to be the account under which the DNS Server Service is running.Access Services on the Windows DNS Server and locate the DNS Server Service. + +Determine the account under which the DNS Server Service is running. + +Access Windows Explorer. + +Navigate to the following location: + +%ALLUSERSPROFILE%\Microsoft\Crypto + +Note: If the folder above does not exist, this check is not applicable. + +Right-click on each subfolder, choose "Properties", click the "Security" tab, and click the "Advanced" button. + +Verify the Owner on the folder, subfolders, and files is the account under which the DNS Server Service is running. 
+ +If any other user or group is listed as OWNER of the %ALLUSERSPROFILE%\Microsoft\Crypto folder, subfolders, and files, this is a finding.SRG-APP-000176-DNS-000019<GroupDescription></GroupDescription>WDNS-22-000041The Windows DNS Server permissions must be set so the key file can only be read or modified by the account that runs the name server software.<VulnDiscussion>To enable zone transfer (requests and responses) through authenticated messages, it is necessary to generate a key for every pair of name servers. The key can also be used for securing other transactions, such as dynamic updates, DNS queries, and responses. The binary key string that is generated by most key generation utilities used with DNSSEC is Base64 encoded. Transaction Signature (TSIG) is a string used to generate the message authentication hash stored in a TSIG Resource Record (RR) and used to authenticate an entire DNS message.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-000186Access Windows Explorer. + +Navigate to the following location: +%ALLUSERSPROFILE%\Microsoft\Crypto + +Modify permissions on the folder, subfolders, and files to "FULL CONTROL" for "SYSTEM" and Administrators and to "READ" for all other users/groups.Access Windows Explorer. + +Navigate to the following location: +%ALLUSERSPROFILE%\Microsoft\Crypto + +Note: If the folder above does not exist, this check is not applicable. + +Verify the permissions on the folder, subfolders, and files are limited to "SYSTEM" and Administrators for "FULL CONTROL". 
+ +If any other user or group has greater than READ permissions to the %ALLUSERSPROFILE%\Microsoft\Crypto folder, subfolders, and files, this is a finding.SRG-APP-000176-DNS-000094<GroupDescription></GroupDescription>WDNS-22-000042The private key corresponding to the zone signing key (ZSK) must only be stored on the name server that does support dynamic updates.<VulnDiscussion>The private keys in the key signing key (KSK) and ZSK key pairs must be protected from unauthorized access. If possible, the private keys should be stored offline (with respect to the internet-facing, DNSSEC-aware name server) in a physically secure, non-network-accessible machine along with the zone file primary copy. + +This strategy is not feasible in situations in which the DNSSEC-aware name server must support dynamic updates. To support dynamic update transactions, the DNSSEC-aware name server (which usually is a primary authoritative name server) must have both the zone file master copy and the private key corresponding to the zone signing key (ZSK-private) online to immediately update the signatures for the updated resource record (RR) sets. 
The private key corresponding to the key signing key (KSK-private) can still be kept offline.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-000186Ensure the private key corresponding to the ZSK is only stored on the name server accepting dynamic updates.Note: This check is not applicable for Windows DNS Servers that host only Active Directory (AD)-integrated zones or for Windows DNS Servers on a classified network. + +Note: This requirement is not applicable to servers with only a caching role. + +For AD-integrated zones, private zone signing keys replicate automatically to all primary DNS servers through AD replication. Each authoritative server signs its own copy of the zone when it receives the key. For optimal performance, and to prevent increasing the size of the AD database file, the signed copy of the zone remains in memory for AD-integrated zones. A DNSSEC-signed zone is only committed to disk for file-backed zones. Secondary DNS servers pull a full copy of the zone, including signatures, from the primary DNS server. + +If all DNS servers are AD integrated, this check is not applicable. 
+ +If a DNS server is not AD integrated and has file-backed zones, does not accept dynamic updates, and has a copy of the private key corresponding to the ZSK, this is a finding.SRG-APP-000401-DNS-000051<GroupDescription></GroupDescription>WDNS-22-000043The Windows DNS Server must implement a local cache of revocation data for PKI authentication.<VulnDiscussion>Not configuring a local cache of revocation data could allow access to users who are no longer authorized (users with revoked certificates). + +SIG(0) is used for server-to-server authentication for DNS transactions, and it uses PKI-based authentication. In cases where SIG(0) is being used instead of TSIG (which uses a shared key, not PKI-based authentication), this requirement is applicable.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-001991Configure local revocation data to be used in the event access to Certificate Authorities is hindered.Consult with the system administrator to determine if a third-party CRL server is being used for certificate revocation lookup. + +If there is, determine if a documented procedure is in place to store a copy of the CRL locally (local to the site, as an alternative to querying the actual Certificate Authorities). An example would be an OCSP responder installed at the local site. 
+ +If there is no local cache of revocation data, this is a finding.SRG-APP-000516-DNS-000077<GroupDescription></GroupDescription>WDNS-22-000044The salt value for zones signed using NSEC3 resource records (RRs) must be changed every time the zone is completely re-signed.<VulnDiscussion>NSEC records list the resource record types for the name, as well as the name of the next resource record. With this information it is revealed that the resource record type for the name queried, or the resource record name requested, does not exist. + +NSEC uses the actual resource record names, whereas NSEC3 uses a one-way hash of the name. In this way, walking zone data from one record to the next is prevented, at the expense of some CPU cycles on the authoritative server and the resolver. To prevent giving access to an entire zone file, NSEC3 should be configured. To use NSEC3, RSA/SHA-1 should be used as the algorithm, as some resolvers that understand RSA/SHA-1 might not understand NSEC3. Using RSA/SHA-256 is a safe alternative.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-000366Sign or re-sign the hosted zone(s) on the DNS server being validated. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Press the Windows key + R and execute "dnsmgmt.msc". + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand "Forward Lookup Zones". 
+ +From the expanded list, right-click to select the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either approved saved parameters or approved custom parameters. + +Revalidate the NSEC3PARAM Inception date and time against the DNSKEY date and time.Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. + +In Windows, the NSEC3 salt values are automatically changed when the zone is re-signed. + +To validate: +Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Press the Windows key + R and execute "dnsmgmt.msc". + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS Server and then expand "Forward Lookup Zones". + +From the expanded list, click to select the zone. + +Review the zone's RRs in the right windowpane. + +Determine the RRSIG NSEC3PARAM's Inception (in the Data column). Compare the Inception to the RRSIG DNSKEY Inception. The date and time should be the same. + +If the NSEC3PARAM's Inception date and time is different than the DNSKEY Inception date and time, this is a finding.SRG-APP-000213-DNS-000024<GroupDescription></GroupDescription>WDNS-22-000045The Windows DNS Server must include data origin with authoritative data the system returns in response to external name/address resolution queries.<VulnDiscussion>The underlying feature in the major threat associated with DNS query/response (i.e., forged response or response failure) is the integrity of DNS data returned in the response. The security objective is to verify the integrity of each response received. An integral part of integrity verification is to ensure valid data has originated from the right source. Establishing trust in the source is called data origin authentication. 
+ +The security objectives, and consequently the security services, that are required for securing the DNS query/response transaction are data origin authentication and data integrity verification. + +The specification for a digital signature mechanism in the context of the DNS infrastructure is in IETF's DNSSEC standard. In DNSSEC, trust in the public key (for signature verification) of the source is established not by going to a third party or a chain of third parties (as in public key infrastructure [PKI] chaining), but by starting from a trusted zone (such as the root zone) and establishing the chain of trust down to the current source of response through successive verifications of signature of the public key of a child by its parent. The public key of the trusted zone is called the trust anchor.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-001178Sign or re-sign the hosted zone(s) on the DNS server being validated. + +Log on to the DNS server using the account designated as Administrator or DNS Administrator. + +If not automatically started, initialize the Server Manager window by clicking its icon from the bottom left corner of the screen. + +Once the Server Manager window is initialized, from the left pane, click to select the DNS category. + +From the right pane, under the "SERVERS" section, right-click the DNS server. + +From the context menu that appears, click "DNS Manager". + +In the DNS Manager console tree on the DNS server being validated, navigate to "Forward Lookup Zones". 
+ +Right-click the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either approved saved parameters or approved custom parameters.Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. + +Authenticity of query responses is provided with DNSSEC signing of zones. + +Validate this check from the Windows DNS Server being configured/reviewed. + +Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. + +Determine a valid host in the zone. + +Open the Windows PowerShell prompt on the Windows DNS Server being configured/reviewed. + +Issue the following command: +(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows DNS Server hosting the signed zone.) + +resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> + +Note: It is important to use the -server switch followed by Windows DNS Server name/IP address. + +The result should show the "A" record results. 
+ +In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer, and signature, similar to the following: + +Name: www.zonename.mil +QueryType: RRSIG +TTL: 189 +Section: Answer +TypeCovered: CNAME +Algorithm: 8 +LabelCount: 3 +OriginalTtl: 300 +Expiration: 11/21/2014 10:22:28 PM +Signed: 10/22/2014 10:22:28 PM +Signer: zonename.mil +Signature: {87, 232, 34, 134...} + +Name: origin-www.zonename.mil +QueryType: A +TTL: 201 +Section: Answer +IP4Address: ###.###.###.### + +If the results do not show the RRSIG and signature information, this is a finding.SRG-APP-000420-DNS-000053<GroupDescription></GroupDescription>WDNS-22-000046The Windows DNS Server's IP address must be statically defined and configured locally on the server.<VulnDiscussion>The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. The principle of DNSSEC is to mitigate this threat by providing data origin authentication, establishing trust in the source. By requiring remote clients to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service, data origin is validated. 
+ +Ensuring all name servers have static IP addresses makes it possible to configure restricted DNS communication, such as with DNSSEC, between the name servers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-000366CCI-002463Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Locate the "Network Internet Access" icon, right-click on it, and select "Open Network & Sharing Center". + +Click "Change adapter settings". + +Right-click on the Ethernet and click "Properties". + +Select "Internet Protocol Version 4 (TCP/IPv4)" and click "Properties". + +Select "Use the following IP address" and populate with an IP address, subnet mask, and default gateway.Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Locate the "Network Internet Access" icon, right-click on it, and select "Open Network & Sharing Center". + +Click "Change adapter settings". + +Right-click on the Ethernet and click "Properties". + +Select "Internet Protocol Version 4 (TCP/IPv4)" and click "Properties". + +Verify the "Use the following IP address" is selected, with an IP address, subnet mask, and default gateway assigned. 
+ +If the "Use the following IP address" is not selected with a configured IP address, subnet mask, and default gateway, this is a finding.SRG-APP-000420-DNS-000053<GroupDescription></GroupDescription>WDNS-22-000047The Windows DNS Server must return data information in response to internal name/address resolution queries.<VulnDiscussion>The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. The principle of DNSSEC is to mitigate this threat by providing data origin authentication, establishing trust in the source. By requiring remote clients to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service, data origin is validated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-000366CCI-002463Sign or re-sign the hosted zone(s) on the DNS server being validated. + +Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. + +Press the Windows key + R and execute "dnsmgmt.msc". + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". 
+ +From the expanded list, right-click to select the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either approved saved parameters or approved custom parameters.Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. + +By default, when DNS servers are configured with DNSSEC signed zones, they will automatically respond to query requests, providing validating data in the response, whenever the query requests that validation. Because this takes place inherently when the zone is signed with DNSSEC, the requirement is satisfied by ensuring zones are signed. + +Validate this check from the Windows DNS Server being configured/reviewed. + +Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. + +Determine a valid host in the zone. + +Open the Windows PowerShell prompt on the Windows DNS Server being configured/reviewed. + +Issue the following command: +(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows DNS Server hosting the signed zone.) + +resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> + +Note: It is important to use the -server switch followed by the DNS server name/IP address. + +The result should show the "A" record results. 
+ +In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer, and signature, similar to the following: + +Name: www.zonename.mil +QueryType: RRSIG +TTL: 189 +Section: Answer +TypeCovered: CNAME +Algorithm: 8 +LabelCount: 3 +OriginalTtl: 300 +Expiration: 11/21/2014 10:22:28 PM +Signed: 10/22/2014 10:22:28 PM +Signer: zonename.mil +Signature: {87, 232, 34, 134...} + +Name: origin-www.zonename.mil +QueryType: A +TTL: 201 +Section: Answer +IP4Address: ###.###.###.### + +If the results do not show the RRSIG and signature information, this is a finding.SRG-APP-000421-DNS-000054<GroupDescription></GroupDescription>WDNS-22-000048The Windows DNS Server must use DNSSEC data within queries to confirm data origin to DNS resolvers.<VulnDiscussion>The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. The principle of DNSSEC is to mitigate this threat by providing data origin authentication, establishing trust in the source. By requiring remote clients to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service, data origin is validated. + +A DNS server is an example of an information system providing name/address resolution service. Digital signatures and cryptographic keys are examples of additional artifacts. DNS resource records are examples of authoritative data. Applications other than the DNS, to map between host/service names and network addresses, must provide other means to ensure the authenticity and integrity of response data. 
+ +In the case of DNS, employ DNSSEC to provide an additional data origin and integrity artifacts along with the authoritative data the system returns in response to DNS name/address resolution queries.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-000366CCI-002464Sign or re-sign the hosted zone(s) on the DNS server being validated. + +Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. + +Press the Windows key + R and execute "dnsmgmt.msc". + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". + +From the expanded list, right-click to select the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either approved saved parameters or approved custom parameters.Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. + +Validate this check from the Windows DNS Server being configured/reviewed. + +Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. + +Determine a valid host in the zone. + +Open the Windows PowerShell prompt on the Windows DNS Server being configured/reviewed. + +Issue the following command: +(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows DNS Server hosting the signed zone.) 
+ +resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> + +Note: It is important to use the -server switch followed by the DNS server name/IP address. + +The result should show the "A" record results. + +In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer, and signature, similar to the following: + +Name: www.zonename.mil +QueryType: RRSIG +TTL: 189 +Section: Answer +TypeCovered: CNAME +Algorithm: 8 +LabelCount: 3 +OriginalTtl: 300 +Expiration: 11/21/2014 10:22:28 PM +Signed: 10/22/2014 10:22:28 PM +Signer: zonename.mil +Signature: {87, 232, 34, 134...} + +Name: origin-www.zonename.mil +QueryType: A +TTL: 201 +Section: Answer +IP4Address: ###.###.###.### + +If the results do not show the RRSIG and signature information, this is a finding.SRG-APP-000422-DNS-000055<GroupDescription></GroupDescription>WDNS-22-000049WINS lookups must be disabled on the Windows DNS Server.<VulnDiscussion>The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. The principle of DNSSEC is to mitigate this threat by providing data origin authentication, establishing trust in the source. By requiring remote clients to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service, data origin is validated. + +A DNS server is an example of an information system providing name/address resolution service. Digital signatures and cryptographic keys are examples of additional artifacts. DNS resource records are examples of authoritative data. Applications other than the DNS, to map between host/service names and network addresses, must provide other means to assure the authenticity and integrity of response data. 
+ +In the case of DNS, employ DNSSEC to provide an additional data origin and integrity artifacts along with the authoritative data the system returns in response to DNS name/address resolution queries. + +If/when WINS lookups are enabled, the validity of the data becomes questionable because the WINS data is provided to the requestor unsigned and invalidated. To ensure only the DNSSEC-signed data is being returned, WINS lookups must be disabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-002462Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Press the Windows key + R and execute "dnsmgmt.msc". + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". + +From the expanded list, right-click each zone and then click "Properties". + +In the "Properties" dialog box for the zone, click the "WINS" tab. + +Uncheck the "Use WINS forward" lookup check box. + +Click "OK".Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Press the Windows key + R and execute "dnsmgmt.msc". + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". + +From the expanded list, right-click each zone and then click "Properties". + +In the "Properties" dialog box for the zone, click the "WINS" tab. + +Verify the "Use WINS forward lookup" check box is not selected. 
+ +If the "Use WINS forward lookup" check box is selected, this is a finding.SRG-APP-000422-DNS-000055<GroupDescription></GroupDescription>WDNS-22-000050The Windows DNS Server must use DNSSEC data within queries to confirm data integrity to DNS resolvers.<VulnDiscussion>The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. The principle of DNSSEC is to mitigate this threat by providing data origin authentication, establishing trust in the source. By requiring remote clients to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service, data origin is validated. + +A DNS server is an example of an information system providing name/address resolution service. Digital signatures and cryptographic keys are examples of additional artifacts. DNS resource records are examples of authoritative data. Applications other than the DNS, to map between host/service names and network addresses, must provide other means to assure the authenticity and integrity of response data. + +In the case of DNS, employ DNSSEC to provide an additional data origin and integrity artifacts along with the authoritative data the system returns in response to DNS name/address resolution queries.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-002462Sign or re-sign the hosted zone(s) on the DNS server being validated. 
+ +Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. + +Press the Windows key + R and execute "dnsmgmt.msc". + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". + +From the expanded list, right-click to select the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either approved saved parameters or approved custom parameters.Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. + +Validate this check from the Windows DNS Server being configured/reviewed. + +Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. + +Determine a valid host in the zone. + +Open the Windows PowerShell prompt on the Windows DNS Server being configured/reviewed. + +Issue the following command: +(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows DNS Server hosting the signed zone.) + +resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> + +Note: It is important to use the -server switch followed by the DNS server name/IP address. + +The result should show the "A" record results. 
+ +In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer, and signature, similar to the following: + +Name: www.zonename.mil +QueryType: RRSIG +TTL: 189 +Section: Answer +TypeCovered: CNAME +Algorithm: 8 +LabelCount: 3 +OriginalTtl: 300 +Expiration: 11/21/2014 10:22:28 PM +Signed: 10/22/2014 10:22:28 PM +Signer: zonename.mil +Signature: {87, 232, 34, 134...} + +Name: origin-www.zonename.mil +QueryType: A +TTL: 201 +Section: Answer +IP4Address: ###.###.###.### + +If the results do not show the RRSIG and signature information, this is a finding.SRG-APP-000214-DNS-000025<GroupDescription></GroupDescription>WDNS-22-000051The Windows DNS Server must be configured with the Delegation Signer (DS) Resource Records (RR) carrying the signature for the RR that contains the public key of the child zone.<VulnDiscussion>If name server replies are invalid or cannot be validated, many networking functions and communication would be adversely affected. With DNS, the presence of DS records associated with child zones informs clients of the security status of child zones. These records are crucial to the DNSSEC chain of trust model. Each parent domain's DS record is used to verify the DNSKEY record in its subdomain from the top of the DNS hierarchy down. + +A DNS server is an example of an information system providing name/address resolution service. Digital signatures and cryptographic keys are examples of additional artifacts. DNS resource records are examples of authoritative data. Applications other than the DNS, to map between host/service names and network addresses, must provide other means to ensure the authenticity and integrity of response data. + +In DNS, trust in the public key of the source is established by starting from a trusted name server and establishing the chain of trust down to the current source of response through successive verifications of signature of the public key of a child by its parent. 
+ +A trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC. + +When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor. A certification path starts with the subject certificate and proceeds through several intermediate certificates up to a trusted root certificate. In DNS, a trust anchor is a DNSKEY that is placed into a validating resolver so the validator can cryptographically validate the results for a given request back to a known public key (the trust anchor). + +One way to indicate the security status of child subspaces is through the use of DS RRs in the DNS. + +Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Without path validation and a chain of trust, there can be no trust that the data integrity authenticity has been maintained during a transaction.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-001179Sign or re-sign the hosted zone(s) on the DNS server being validated. + +Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. + +Press the Windows key + R and execute "dnsmgmt.msc". + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". 
+ +From the expanded list, right-click to select the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either approved saved parameters or approved custom parameters.Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. + +Validate this check from the Windows DNS Server being configured/reviewed. + +Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. + +Determine a valid host in the zone. + +Open the Windows PowerShell prompt on the Windows DNS Server being configured/reviewed. + +Issue the following command: +(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows DNS Server hosting the signed zone.) + +resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> + +Note: It is important to use the -server switch followed by the DNS server name/IP address. + +The result should show the "A" record results. 
+ +In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer, and signature, similar to the following: + +Name: www.zonename.mil +QueryType: RRSIG +TTL: 189 +Section: Answer +TypeCovered: CNAME +Algorithm: 8 +LabelCount: 3 +OriginalTtl: 300 +Expiration: 11/21/2014 10:22:28 PM +Signed: 10/22/2014 10:22:28 PM +Signer: zonename.mil +Signature: {87, 232, 34, 134...} + +Name: origin-www.zonename.mil +QueryType: A +TTL: 201 +Section: Answer +IP4Address: ###.###.###.### + +If the results do not show the RRSIG and signature information, this is a finding.SRG-APP-000215-DNS-000003<GroupDescription></GroupDescription>WDNS-22-000052The Windows DNS Server must enforce approved authorizations between DNS servers using digital signatures in the Resource Record Set (RRSet).<VulnDiscussion>A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If information flow is not enforced based on approved authorizations, the system may become compromised. Information flow control regulates where information is allowed to travel within a system and between interconnected systems. The flow of all application information must be monitored and controlled so it does not introduce any unacceptable risk to the systems or data. + +Application-specific examples of enforcement occur in systems that employ rule sets or establish configuration settings that restrict information system services or provide a message filtering capability based on message content (e.g., implementing key word searches or using document characteristics). + +Applications providing information flow control must be able to enforce approved authorizations for controlling the flow of information between interconnected systems in accordance with applicable policy. 
+ +Within the context of DNS, this is applicable in terms of controlling the flow of DNS information between systems, such as DNS zone transfers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-001663Sign or re-sign the hosted zone(s) on the DNS server being validated. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Press the Windows key + R and execute "dnsmgmt.msc". + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". + +From the expanded list, click to select the zone. + +Right-click the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either approved saved parameters or approved custom parameters.Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Press the Windows key + R and execute "dnsmgmt.msc". + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". + +From the expanded list, click to select the zone. + +Review the records for the zone and ensure the complete RRSet of records is present: RRSIG, NSEC3, DNSKEY, indicating DNSSEC compliance. 
+ +If the RRSet of records is not in the zone, this is a finding.SRG-APP-000215-DNS-000003<GroupDescription></GroupDescription>WDNS-22-000053The Name Resolution Policy Table (NRPT) must be configured in Group Policy to enforce clients to request DNSSEC validation for a domain.<VulnDiscussion>The NRPT is used to require DNSSEC validation. The NRPT can be configured in local Group Policy for a single computer or domain Group Policy for some or all computers in the domain.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-001663Implement this fix for configuring name resolvers, including DNS servers configured for the caching role only. + +On Domain Controller, on the Server Manager menu bar, click "Tools" and then click "Group Policy Management". + +In the Group Policy Management console tree, under Domains >> domainname >> Group Policy Objects, right-click "Default Domain Policy" and then click "Edit". + +In the Group Policy Management Editor console tree, navigate to Computer Configuration >> Policies >> Windows Settings >> Name Resolution Policy. + +In the details pane, under "Create Rules" and "to which part of the namespace does this rule apply", choose "Suffix" from the drop-down list and type "domain.mil" next to "Suffix". + +On the "DNSSEC" tab, select "Enable DNSSEC" in this rule check box and then under "Validation", select the check box for "Require DNS clients to check that name and address data has been validated by the DNS server". 
+ +In the bottom right corner, click "Create" and then verify that a rule for domain.mil was added under the NRPT. + +Click "Apply" and then close the Group Policy Management Editor. + +Open a Windows PowerShell prompt and enter the following commands: +gpupdate /force <enter> +get-dnsclientnrptpolicy <enter> + +In the results, select "True" for the "DnsSecValidationRequired" setting for the domain.mil namespace.Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. + +The NRPT is configured in, and deployed to clients from, Group Policy and will be pushed to all clients in the domain. The Active Directory zones will be signed and the clients, with NRPT, will require a validation of signed data when querying. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +At the Windows PowerShell prompt, type the following command: + +get-dnsclientnrptpolicy <enter> + +In the results, verify the "DnsSecValidationRequired" is "True". + +If there are no results to the "get-dnsclientnrptpolicy" cmdlet or the "DnsSecValidationRequired" is not "True", this is a finding.SRG-APP-000215-DNS-000026<GroupDescription></GroupDescription>WDNS-22-000054The Windows DNS Server must be configured to validate an authentication chain of parent and child domains via response data.<VulnDiscussion>If name server replies are invalid or cannot be validated, many networking functions and communication would be adversely affected. With DNS, the presence of Delegation Signer (DS) records associated with child zones informs clients of the security status of child zones. These records are crucial to the DNSSEC chain of trust model. Each parent domain's DS record is used to verify the DNSKEY record in its subdomain, from the top of the DNS hierarchy down. 
+ +Like the DNSKEY resource record, the DS Resource Record (RR) can be used to create a trust anchor for a signed zone. The DS record is smaller in size than a DNSKEY record because it contains only a hash of the public key. + +The DS record is not added to a zone during the signing process like some DNSSEC-related RRs, even if a delegation already exists in the zone. To add a DS record, it must be manually added or imported. Fortunately, the DS resource record set (DSSET) is automatically added as a file to the Key Primary when a zone is signed. The DSSET file can be used with the "Import-DnsServerResourceRecordDS" cmdlet to import DS records to the parent zone. + +A DNS server is an example of an information system providing name/address resolution service. Digital signatures and cryptographic keys are examples of additional artifacts. DNS resource records are examples of authoritative data. Applications other than the DNS, to map between host/service names and network addresses, must provide other means to ensure the authenticity and integrity of response data. + +DNSSEC provides the means to verify integrity assurances for the host/service name to network address resolution information obtained through the service. By using the DS RRs in the DNS, the security status of a child domain can be validated. The DS RR is used to identify the DNSSEC signing key of a delegated zone. + +Starting from a trusted name server (such as the root name server) and down to the current source of response through successive verifications of signature of the public key of a child by its parent, the chain of trust is established. The public key of the trusted name servers is called the trust anchor. + +After authenticating the source, the next process DNSSEC calls for is to authenticate the response. This requires that responses consist of not only the requested RRs but also an authenticator associated with them. In DNSSEC, this authenticator is the digital signature of an RRSet. 
The digital signature of an RRSet is encapsulated through a special RRType called RRSIG. The DNS client using the trusted public key of the source (whose trust has just been established) then verifies the digital signature to detect if the response is valid or bogus. + +This control enables the DNS to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Without indication of the security status of a child domain and enabling verification of a chain of trust, integrity and availability of the DNS infrastructure cannot be ensured.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-001663A DS record must be added manually or imported. + +The DSSET is automatically added as a file to the Key primary when a zone is signed. + +This file can be used with the "Import-DnsServerResourceRecordDS" cmdlet to import DS records to the parent zone. + +Example: +PS C:\> Import-DnsServerResourceRecordDS -ZoneName adatum.com -DSSetFile "c:\windows\system32\dns\dsset-corp.adatum.com"Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. + +Validate this check from the Windows DNS Server being configured/reviewed. + +Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. + +Determine a valid host in the zone. + +Open the Windows PowerShell prompt on the Windows DNS Server being configured/reviewed. 
+ +Issue the following command: + +PS C:\> Get-DnsServerResourceRecord -ZoneName adatum.com -RRType DS + +Replace "adatum.com" with the parent zone on the DNS server being evaluated. + +HostName RecordType Timestamp TimeToLive RecordData +-------- ---------- --------- ---------- ---------- +corp DS 0 01:00:00 [58555][Sha1][RsaSha1NSec3] +corp DS 0 01:00:00 [58555][Sha256][RsaSha1NSec3] +corp DS 0 01:00:00 [63513][Sha1][RsaSha1NSec3] +corp DS 0 01:00:00 [63513][Sha256][RsaSha1NSec3] + +If the results do not show the DS records for the child domain(s), this is a finding. + +In the previous example, DS records for the child zone, corp.adatum.com, were imported into the parent zone, adatum.com, by using the DSSET file in the c:\windows\system32\dns directory. The DSSET file was located in this directory because the local DNS server is the Key primary for the child zone. + +If the Key Master DNS server for a child zone is not the same computer as the primary authoritative DNS server for the parent zone where the DS record is being added, the DSSET file must be obtained for the child zone and made available to the primary authoritative server for the parent zone. Alternatively, the DS records can be added manually.SRG-APP-000215-DNS-000026<GroupDescription></GroupDescription>WDNS-22-000055Trust anchors must be exported from authoritative Windows DNS Servers and distributed to validating Windows DNS Servers.<VulnDiscussion>If name server replies are invalid or cannot be validated, many networking functions and communication would be adversely affected. With DNS, the presence of Delegation Signer (DS) records associated with child zones informs clients of the security status of child zones. These records are crucial to the DNSSEC chain of trust model. Each parent domain's DS record is used to verify the DNSKEY record in its sub domain, from the top of the DNS hierarchy down. + +A DNS server is an example of an information system providing name/address resolution service. 
Digital signatures and cryptographic keys are examples of additional artifacts. DNS resource records are examples of authoritative data. Applications other than the DNS, to map between host/service names and network addresses, must provide other means to assure the authenticity and integrity of response data. + +DNSSEC provides the means to verify integrity assurances for the host/service name to network address resolution information obtained through the service. By using the DS Resource Records (RRs) in the DNS, the security status of a child domain can be validated. The DS RR is used to identify the DNSSEC signing key of a delegated zone. + +Starting from a trusted name server (such as the root name server) and down to the current source of response through successive verifications of signature of the public key of a child by its parent, the chain of trust is established. The public key of the trusted name servers is called the trust anchor. + +After authenticating the source, the next process DNSSEC calls for is to authenticate the response. This requires that responses consist of not only the requested RRs but also an authenticator associated with them. In DNSSEC, this authenticator is the digital signature of an RRSet. The digital signature of an RRSet is encapsulated through a special RRType called RRSIG. The DNS client using the trusted public key of the source (whose trust has just been established) then verifies the digital signature to detect if the response is valid or bogus. + +This control enables the DNS to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Without indication of the security status of a child domain and enabling verification of a chain of trust, integrity and availability of the DNS infrastructure cannot be assured. + +A trust anchor is a preconfigured public key associated with a specific zone. 
A validating DNS server must be configured with one or more trust anchors to perform validation. If the DNS server is running on a domain controller, trust anchors are stored in the forest directory partition in Active Directory Domain Services (AD DS) and can be replicated to all domain controllers in the forest. On standalone DNS servers, trust anchors are stored in a file named "TrustAnchors.dns". A DNS server running Windows Server also displays configured trust anchors in the DNS Manager console tree in the Trust Points container. Trust anchors can also be viewed by executing Windows PowerShell commands or "Dnscmd.exe" at a Windows command prompt.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-001663Log onto the primary DNS server and click Windows Explorer on the taskbar. + +Navigate to C:\Windows\System32, right-click the DNS folder, point to "Share with", and then click "Advanced sharing". + +In the "DNS Properties" dialog box, click "Advanced Sharing", select the "Share this folder" check box, verify the Share name is "DNS", and then click "OK". + +Click "Close" and then close Windows Explorer. + +Log on to each of the validating Windows DNS Servers. + +In the DNS Manager console tree, navigate to the "Trust Points" folder. + +Right-click "Trust Points", point to "Import", and then click "DNSKEY". + +In the "Import DNSKEY" dialog box, type \\primaryhost\dns\keyset-domain.mil (where primaryhost represent the FQDN of the Primary DNS Server and domain.mil represents the zone or zones). 
+ +Click "OK".Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. + +Log onto each of the validating Windows DNS Servers. + +In the DNS Manager console tree, navigate to each hosted zone under the "Trust Points" folder. + +Two DNSKEY trust points should be displayed, one for the active key and one for the standby key. + +If each validating Windows DNS Server does not reflect the DNSKEY trust points for each of the hosted zone(s), this is a finding.SRG-APP-000215-DNS-000026<GroupDescription></GroupDescription>WDNS-22-000056Automatic Update of Trust Anchors must be enabled on key rollover.<VulnDiscussion>A trust anchor is a preconfigured public key associated with a specific zone. A validating DNS server must be configured with one or more trust anchors to perform validation. If the DNS server is running on a domain controller, trust anchors are stored in the forest directory partition in Active Directory Domain Services (AD DS) and can be replicated to all domain controllers in the forest. + +On standalone DNS servers, trust anchors are stored in a file named "TrustAnchors.dns". A DNS server running Windows Server also displays configured trust anchors in the DNS Manager console tree in the "Trust Points" container. 
Trust anchors can also be viewed by executing Windows PowerShell commands or "Dnscmd.exe" at a Windows command prompt.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-001663Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +If not automatically started, initialize the Server Manager window by clicking its icon from the bottom left corner of the screen. + +Once the Server Manager window is initialized, from the left pane, click to select the DNS category. + +From the right pane, under the "SERVERS" section, right-click the DNS server. + +From the context menu that appears, click "DNS Manager". + +On the opened DNS Manager snap-in from the left pane, expand the server name and then expand "Forward Lookup Zones". + +From the expanded list, click to select and then right-click the zone name. + +From the displayed context menu, click DNSSEC >> Properties. + +Click the "KSK" tab. + +For each KSK that is listed under key signing keys (KSKs), click the KSK, click "Edit", and in the "Key Rollover" section, select the "Enable automatic rollover" check box.Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +If not automatically started, initialize the Server Manager window by clicking its icon from the bottom left corner of the screen. 
+ +Once the Server Manager window is initialized, from the left pane, click to select the DNS category. + +From the right pane, under the "SERVERS" section, right-click the DNS server. + +From the context menu that appears, click "DNS Manager". + +On the opened DNS Manager snap-in from the left pane, expand the server name and then expand "Forward Lookup Zones". + +From the expanded list, click to select and then right-click the zone name. + +From the displayed context menu, click DNSSEC >> Properties. + +Click the "KSK" tab. + +For each KSK that is listed under Key signing keys (KSKs), click the KSK, click "Edit", and in the "Key Rollover" section, verify the "Enable automatic rollover" check box is selected. + +If the "Enable automatic rollover" check box is not selected for every KSK listed, this is a finding.SRG-APP-000423-DNS-000056<GroupDescription></GroupDescription>WDNS-22-000057The Windows DNS secondary servers must request data origin authentication verification from the primary server when requesting name/address resolution.<VulnDiscussion>If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poisoned cache, the packets could have been intercepted without the resolver's knowledge, or resource records could have been removed that would result in query failure or denial of service. Data origin authentication must be performed to thwart these types of attacks. + +Each client of name resolution services either performs this validation on its own or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching DNS servers. 
DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-002465Sign or re-sign the hosted zone(s) on the DNS server being validated. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Press the Windows key + R and execute "dnsmgmt.msc". + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". + +From the expanded list, right-click to select the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either approved saved parameters or approved custom parameters.Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. + +Validate this check from either a Windows 8 client or a Windows 2008 or higher server, authenticated as a Domain Administrator or Local Administrator. + +Determine a valid host in the zone. + +Open the Windows PowerShell prompt on the Windows 10 or higher client. + +Issue the following command: +(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows DNS Server hosting the signed zone.) 
+ +resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> + +Note: It is important to use the -server switch followed by the DNS server name/IP address. + +The result should show the "A" record results. + +In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer, and signature, similar to the following: + +Name: www.zonename.mil +QueryType: RRSIG +TTL: 189 +Section: Answer +TypeCovered: CNAME +Algorithm: 8 +LabelCount: 3 +OriginalTtl: 300 +Expiration: 11/21/2022 10:22:28 PM +Signed: 10/22/2022 10:22:28 PM +Signer: zonename.mil +Signature: {87, 232, 34, 134...} + +Name: origin-www.zonename.mil +QueryType: A +TTL: 201 +Section: Answer +IP4Address: ###.###.###.### + +If the results do not show the RRSIG and signature information, this is a finding.SRG-APP-000424-DNS-000057<GroupDescription></GroupDescription>WDNS-22-000058The Windows DNS secondary server must request data integrity verification from the primary server when requesting name/address resolution.<VulnDiscussion>If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poisoned cache, the packets could have been intercepted without the resolver's knowledge, or resource records could have been removed that would result in query failure or denial of service. Data integrity verification must be performed to thwart these types of attacks. + +Each client of name resolution services either performs this validation on its own or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching DNS servers. 
DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-002466Sign or re-sign the hosted zone(s) on the DNS server being validated.
+
+Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator.
+
+Press the Windows key + R and execute "dnsmgmt.msc".
+
+On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones".
+
+From the expanded list, right-click to select the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either approved saved parameters or approved custom parameters.Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network.
+
+Validate this check from the Windows DNS Server being configured/reviewed.
+
+Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator.
+
+Determine a valid host in the zone.
+
+Open the Windows PowerShell prompt on the Windows DNS Server being configured/reviewed.
+
+Issue the following command:
+(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows DNS Server hosting the signed zone.)
+
+resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter>
+
+Note: It is important to use the -server switch followed by the DNS server name/IP address.
+
+The result should show the "A" record results.
+
+In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer, and signature, similar to the following:
+
+Name: www.zonename.mil
+QueryType: RRSIG
+TTL: 189
+Section: Answer
+TypeCovered: CNAME
+Algorithm: 8
+LabelCount: 3
+OriginalTtl: 300
+Expiration: 11/21/2022 10:22:28 PM
+Signed: 10/22/2022 10:22:28 PM
+Signer: zonename.mil
+Signature: {87, 232, 34, 134...}
+
+Name: origin-www.zonename.mil
+QueryType: A
+TTL: 201
+Section: Answer
+IP4Address: ###.###.###.###
+
+If the results do not show the RRSIG and signature information, this is a finding.SRG-APP-000425-DNS-000058<GroupDescription></GroupDescription>WDNS-22-000059The Windows DNS secondary server must validate data integrity verification on the name/address resolution responses received from primary name servers.<VulnDiscussion>If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poisoned cache, the packets could have been intercepted without the resolver's knowledge, or resource records could have been removed that would result in query failure or denial of service. Data integrity verification must be performed to thwart these types of attacks.
+
+Each client of name resolution services either performs this validation on its own or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching DNS servers.
DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-002467Sign or re-sign the hosted zone(s) on the DNS server being validated.
+
+Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator.
+
+Press the Windows key + R and execute "dnsmgmt.msc".
+
+On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones".
+
+From the expanded list, right-click to select the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either approved saved parameters or approved custom parameters.Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network.
+
+Validate this check from the Windows DNS Server being configured/reviewed.
+
+Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator.
+
+Determine a valid host in the zone.
+
+Open the Windows PowerShell prompt on the Windows DNS Server being configured/reviewed.
+
+Issue the following command:
+(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows DNS Server hosting the signed zone.)
+
+resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter>
+
+Note: It is important to use the -server switch followed by the DNS server name/IP address.
+
+The result should show the "A" record results.
+
+In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer, and signature, similar to the following:
+
+Name: www.zonename.mil
+QueryType: RRSIG
+TTL: 189
+Section: Answer
+TypeCovered: CNAME
+Algorithm: 8
+LabelCount: 3
+OriginalTtl: 300
+Expiration: 11/21/2014 10:22:28 PM
+Signed: 10/22/2014 10:22:28 PM
+Signer: zonename.mil
+Signature: {87, 232, 34, 134...}
+
+Name: origin-www.zonename.mil
+QueryType: A
+TTL: 201
+Section: Answer
+IP4Address: ###.###.###.###
+
+If the results do not show the RRSIG and signature information, this is a finding.SRG-APP-000426-DNS-000059<GroupDescription></GroupDescription>WDNS-22-000060The Windows DNS secondary server must validate data origin verification authentication on the name/address resolution responses received from primary name servers.<VulnDiscussion>If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poisoned cache, the packets could have been intercepted without the resolver's knowledge, or resource records could have been removed that would result in query failure or denial of service. Data origin authentication verification must be performed to thwart these types of attacks.
+
+Each client of name resolution services either performs this validation on its own or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching DNS servers.
DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-002468Sign or re-sign the hosted zone(s) on the DNS server being validated.
+
+Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator.
+
+Press the Windows key + R and execute "dnsmgmt.msc".
+
+On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones".
+
+From the expanded list, right-click to select the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either approved saved parameters or approved custom parameters.Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network.
+
+Validate this check from the Windows DNS Server being configured/reviewed.
+
+Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator.
+
+Determine a valid host in the zone.
+
+Open the Windows PowerShell prompt on the Windows DNS Server being configured/reviewed.
+
+Issue the following command:
+(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows DNS Server hosting the signed zone.)
+
+resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter>
+
+Note: It is important to use the -server switch followed by the DNS server name/IP address.
+
+The result should show the "A" record results.
+
+In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer, and signature, similar to the following:
+
+Name: www.zonename.mil
+QueryType: RRSIG
+TTL: 189
+Section: Answer
+TypeCovered: CNAME
+Algorithm: 8
+LabelCount: 3
+OriginalTtl: 300
+Expiration: 11/21/2022 10:22:28 PM
+Signed: 10/22/2022 10:22:28 PM
+Signer: zonename.mil
+Signature: {87, 232, 34, 134...}
+
+Name: origin-www.zonename.mil
+QueryType: A
+TTL: 201
+Section: Answer
+IP4Address: ###.###.###.###
+
+If the results do not show the RRSIG and signature information, this is a finding.SRG-APP-000219-DNS-000028<GroupDescription></GroupDescription>WDNS-22-000061The Windows DNS Server must protect the authenticity of zone transfers via transaction signing.<VulnDiscussion>Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. This applies to server-to-server (zone transfer) transactions and is provided by TSIG/SIG(0), which enforces mutual server authentication using a key that is unique to each server pair, TSIG, or using PKI-based authentication, SIG(0), thus uniquely identifying the other server.
+
+TSIG and SIG(0) are not configurable in Windows DNS Server.
+
+To meet the requirement for authentication between Windows DNS Servers, IPsec will be implemented between the Windows DNS Servers that hosts any non-Active Directory (AD)-integrated zones.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-001184Complete the following procedures twice for each pair of name servers.
+
+Create a rule for UDP connections and then create a rule for TCP connections.
+
+Refer to the Microsoft Windows Server DNS Overview.pdf for Microsoft links for this procedure.
+
+Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account.
+
+Press the Windows key + R and execute "gpme.msc" to open the Group Policy Management feature.
+
+In the "Browse for Group Policy Object" dialog box, double-click "Domain Controllers.domain.com".
+
+Click "Default Domain Controllers Policy" and click "OK".
+
+In the console tree, open Computer Configuration\Policies\Windows Settings\Security Settings\Windows Defender Firewall with Advanced Security\Windows Defender Firewall with Advanced Security - Local Group Policy Object.
+
+Right-click "Connection Security Rules" and select "New".
+
+For "Rule Type", select the "Server-to-server" radio button and click "Next".
+
+For Endpoint 1 and Endpoint 2, select "These IP addresses:" and add the IP addresses of all DNS servers. Click "Next".
+
+For "Requirements", select "Request authentication for inbound and outbound connections" and click "Next".
+
+For "Authentication Method", select Computer certificate and from the "Signing Algorithm:" drop-down, select "RSA (default)".
+
+From the "Certificate store type:" drop-down, select "Root CA (default).
+
+From "CA name:", click "Browse" and select the certificate generated by the internally managed server performing the AD CS role. Click "Next".
+
+On "Profile", accept the default selections and click "Next".
+
+On "Name", enter a name applicable to the rule's function (i.e., DNSSEC UDP).
+
+Click "Finish".Note: This requirement applies to any Windows DNS Servers that host non-AD-integrated zones (file based) even if the DNS servers host AD-integrated zones, too.
+
+If the Windows DNS Servers host only AD-integrated zones, this requirement is not applicable.
+
+To protect authenticity of zone transfers between Windows DNS Servers with file-based zones, IPsec must be configured on each pair of name servers in a zone transfer transaction for those zones.
+
+Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account.
+
+Press the Windows key + R and execute "gpme.msc" to open the Group Policy Management feature.
+
+In the "Browse for Group Policy Object" dialog box, double-click "Domain Controllers.domain.com".
+
+Click "Default Domain Controllers Policy" and click "OK".
+
+In the console tree, open Computer Configuration\Policies\Windows Settings\Security Settings\Windows Defender Firewall with Advanced Security\Windows Defender Firewall with Advanced Security - Local Group Policy Object.
+
+Click Connection Security Rules.
+
+Consult with the SA to determine which Rules meet the intent of the server-to-server authentication.
+
+If Rules exist, double-click on each Rule to verify the following:
+
+For the "Authentication:" tab, click on the "Customize..." button.
+
+On the Authentication tab, verify "Authentication mode:" is set to "Request authentication for inbound and outbound connections".
+
+Confirm the "Signing Algorithm" is set to "RSA (default)".
+
+Under "Method", ensure the "Advanced:" radio button is selected.
+
+Click the "Customize" button.
+
+For "First authentication methods:", double-click on the entry.
+
+Verify the "Select the credential to use for first authentication:" has "Computer certificate from this certification authority (CA):" radio button selected.
+
+Review the certificate specified and verify the certificate used was generated by the internally-managed server performing the Active Directory Certificate Services (AD CS) role.
+
+If rules do not exist for server-to-server authentication, this is a finding.
+
+If rules exist for this server to authenticate to other name servers hosting the same file based zones when transacting zone transfers, but the rules are not configured with the above settings, this is a finding.SRG-APP-000219-DNS-000029<GroupDescription></GroupDescription>WDNS-22-000062The Windows DNS Server must protect the authenticity of dynamic updates via transaction signing.<VulnDiscussion>DNS is a fundamental network service that is prone to various attacks, such as cache poisoning and man-in-the middle attacks. If communication sessions are not provided appropriate validity protections, such as the employment of DNSSEC, the authenticity of the data cannot be guaranteed.
+
+The combination of signing DNS zones by DNSSEC and requiring clients to send their dynamic updates securely ensures the authenticity of those DNS records when providing query responses for them.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-001184Sign or re-sign the hosted zone(s) on the DNS server being validated.
+
+Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator.
+
+If not automatically started, initialize the Server Manager window by clicking its icon from the bottom left corner of the screen.
+
+Once the Server Manager window is initialized, from the left pane, click to select the DNS category.
+
+From the right pane, under the "SERVERS" section, right-click the DNS server.
+
+From the context menu that appears, click "DNS Manager".
+
+In the DNS Manager console tree on the DNS server being validated, navigate to "Forward Lookup Zones".
+
+Right-click the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either approved saved parameters or approved custom parameters.Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network.
+
+Once resource records are received by a DNS server via a secure dynamic update, the resource records will automatically become signed by DNSSEC if the zone was originally signed by DNSSEC.
Authenticity of query responses for resource records dynamically updated can be validated by querying for whether the zone/record is signed by DNSSEC.
+
+Validate this check from the Windows DNS Server being configured/reviewed.
+
+Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator.
+
+Determine a valid host in the zone.
+
+Open the Windows PowerShell prompt on the Windows DNS Server being configured/reviewed.
+
+Issue the following command:
+(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace 131.77.60.235 with the FQDN or IP address of the Windows DNS Server hosting the signed zone.)
+
+resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter>
+
+Note: It is important to use the -server switch followed by the DNS server name/IP address.
+
+The result should show the "A" record results.
+
+In addition, the results should show QueryType: RRSIG with an Expirations, date signed, signer, and signature, similar to the following:
+
+Name : www.zonename.mil
+QueryType : RRSIG
+TTL : 189
+Section : Answer
+TypeCovered : CNAME
+Algorithm : 8
+LabelCount : 3
+OriginalTtl : 300
+Expiration : 11/21/2014 10:22:28 PM
+Signed : 10/22/2014 10:22:28 PM
+Signer : zonename.mil
+Signature : {87, 232, 34, 134...}
+
+Name : origin-www.zonename.mil
+QueryType : A
+TTL : 201
+Section : Answer
+IP4Address : 156.112.108.76
+
+If the results do not show the RRSIG and signature information, this is a finding.SRG-APP-000219-DNS-000030<GroupDescription></GroupDescription>WDNS-22-000063The Windows DNS Server must protect the authenticity of query responses via DNSSEC.<VulnDiscussion>The underlying feature in the major threat associated with DNS query/response (i.e., forged response or response failure) is the integrity of DNS data returned in the response. An integral part of integrity verification is to ensure that valid data has originated from the right source.
DNSSEC is required for securing the DNS query/response transaction by providing data origin authentication and data integrity verification through signature verification and the chain of trust.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-001184Sign or re-sign the hosted zone(s) on the DNS server being validated.
+
+In the DNS Manager console tree on the DNS server being validated, navigate to "Forward Lookup Zones".
+
+Right-click the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either saved parameters or custom parameters.Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network.
+
+Authenticity of query responses is provided with DNSSEC signing of zones.
+
+Validate this check from the Windows DNS Server being configured/reviewed.
+
+Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator.
+
+Determine a valid host in the zone.
+
+Open the Windows PowerShell prompt on the Windows DNS Server being configured/reviewed.
+
+Issue the following command:
+(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows DNS Server hosting the signed zone.)
+
+resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter>
+
+Note: It is important to use the -server switch followed by the DNS server name/IP address.
+
+The result should show the "A" record results.
+
+In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer, and signature, similar to the following:
+
+Name: www.zonename.mil
+QueryType: RRSIG
+TTL: 189
+Section: Answer
+TypeCovered: CNAME
+Algorithm: 8
+LabelCount: 3
+OriginalTtl: 300
+Expiration: 11/21/2014 10:22:28 PM
+Signed: 10/22/2014 10:22:28 PM
+Signer: zonename.mil
+Signature: {87, 232, 34, 134...}
+
+Name: origin-www.zonename.mil
+QueryType: A
+TTL: 201
+Section: Answer
+IP4Address: ###.###.###.###
+
+If the results do not show the RRSIG and signature information, this is a finding.SRG-APP-000427-DNS-000060<GroupDescription></GroupDescription>WDNS-22-000064The Windows DNS Server must use an approved DOD PKI certificate authority.<VulnDiscussion>Untrusted certificate authorities (CA) can issue certificates, but the certificates may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DOD-approved CA, trust of this CA has not been established.
+
+The DOD will only accept PKI certificates obtained from a DOD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of SSL/TLS certificates.
+
+TSIG and SIG(0) are not configurable in Windows DNS Server. To meet the requirement for authentication between Windows DNS Servers, IPsec must be implemented between the Windows DNS Servers.
+
+Note: If multiple certificates from the same CA are present on the DNS server, IPsec authentication might fail due to an incorrect certificate being chosen. For this purpose, an Active Directory Certificate Services (AD CS) role must be installed and configured as an Enterprise certificate authority (CA).
+
+Refer to the Microsoft Windows Server DNS Overview.pdf for references on deploying certificates for this procedure.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-002470Complete the following procedures twice for each pair of name servers.
+
+Create a rule for UDP connections and then create a rule for TCP connections.
+
+Refer to the Microsoft Windows Server DNS Overview.pdf for Microsoft links for this procedure.
+
+Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account.
+
+Press the Windows key + R and execute "gpme.msc" to open the Group Policy Management feature.
+
+In the "Browse for Group Policy Object" dialog box, double-click "Domain Controllers.domain.com".
+
+Click "Default Domain Controllers Policy" and click "OK".
+
+In the console tree, open Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security - LDAP.
+
+Right-click "Connection Security Rules" and select "New".
+
+For "Rule Type", select the "Server-to-server" radio button and click "Next".
+
+For Endpoint 1 and Endpoint 2, select "These IP addresses:" and add the IP addresses of all DNS servers. Click "Next".
+
+For "Requirements", select "Request authentication for inbound and outbound connections" and click "Next".
+
+For "Authentication Method", select Computer certificate and from the "Signing Algorithm:" drop-down, select "RSA (default)".
+
+From the "Certificate store type:" drop-down, select "Root CA (default)".
+
+From the "CA name:", click "Browse" and select the certificate generated by the internally managed server performing the AD CS role. Click "Next".
+
+On "Profile", accept the default selections and click "Next".
+
+On "Name", enter a name applicable to the rule's function (i.e., DNSSEC UDP).
+
+Click "Finish".Note: This requirement applies to any Windows DNS Servers that host non-AD-integrated zones even if the DNS servers host AD-integrated zones, too.
+
+This requirement is not applicable to servers with only a caching role.
+
+If the Windows DNS Servers host only AD-integrated zones, this requirement is not applicable.
+
+Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account.
+
+Press the Windows key + R and execute "gpme.msc" to open the Group Policy Management feature.
+
+In the "Browse for Group Policy Object" dialog box, double-click "Domain Controllers.domain.com".
+
+Click "Default Domain Controllers Policy" and click "OK".
+
+In the console tree, open Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security - LDAP.
+
+Click "Connection Security Rules".
+
+Consult with the system administrator to determine which Rules meet the intent of DNSSEC server-to-server authentication.
+
+Double-click on each "Rule" to verify the following:
+
+For the "Authentication" tab, click on the "Customize..." button.
+
+On the "Authentication" tab, verify "Authentication mode:" is set to "Request authentication for inbound and outbound connections".
+
+Confirm the "Signing Algorithm" is set to "RSA (default)".
+
+Under "Method", verify the "Advanced:" radio button is selected. Click the "Customize" button.
+
+For "First authentication methods:", double-click on the entry.
+
+Verify the "Select the credential to use for first authentication:" has "Computer certificate from this certification authority (CA):" radio button selected.
+
+Review the certificate specified and verify the certificate used was generated by the internally managed server performing the AD CS role.
+
+If the certificate used does not meet the requirements, this is a finding.SRG-APP-000231-DNS-000033<GroupDescription></GroupDescription>WDNS-22-000065The Windows DNS Server must protect secret/private cryptographic keys while at rest.<VulnDiscussion>Information at rest refers to the state of information when it is located on a secondary storage device within an organizational information system. Mobile devices, laptops, desktops, and storage devices can be either lost or stolen, and the contents of their data storage (e.g., hard drives and nonvolatile memory) can be read, copied, or altered. Applications and application users generate information throughout the course of their application use.
+
+The DNS server must protect the confidentiality and integrity of shared keys for TSIG and private keys for SIG(0) and must protect the integrity of DNS information.
There is no need to protect the confidentiality of DNS information because it is accessible by all devices that can contact the server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-001199To ensure the cryptographic keys are protected after being backed up to tape or other medium, develop a backup policy that includes the protection of backup date at or above the level as the DNS server.To verify the cryptographic keys are protected after being backed up to another medium (tape, disk, SAN, etc.), consult with the system administrator to determine the backup policy in place for the DNS server.
+
+If a backup policy does not exist or the backup policy does not specify the protection required for the backup medium to be at or above the level as the server, this is a finding.SRG-APP-000428-DNS-000061<GroupDescription></GroupDescription>WDNS-22-000066The Windows DNS Server must only contain zone records that have been validated annually.<VulnDiscussion>If zone information has not been validated in more than a year, there is no assurance that it is still valid. If invalid records are in a zone, an adversary could potentially use their existence for improper purposes.
A standard operating procedure detailing this process can resolve this requirement.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-002475Create a separate database to maintain record documentation for non-AD-integrated zones.
+
+Develop a procedure to validate annually all zone information on the DNS server against the separately maintained database.
+
+Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account.
+
+Press the Windows key + R and execute "dnsmgmt.msc".
+
+On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones".
+
+From the expanded list, click to select the zone.
+
+Select the zone records that have not been validated in more than a year and revalidate.This requirement is not applicable for a Windows DNS Server that is hosting only Active Directory (AD)-integrated zones.
+
+For a Windows DNS Server that hosts a mix of AD-integrated zones and manually maintained zones, ask the DNS database administrator if they maintain a separate database with record documentation for the non-AD-integrated zone information. Verify that the record's last verified date is less than one year prior to the date of the review.
+
+If a separate database with record documentation is not maintained for the non-AD-integrated zone information, this is a finding.
+ +If a separate database with record documentation is maintained for the non-AD-integrated zone information, log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Press the Windows key + R and execute "dnsmgmt.msc". + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". + +From the expanded list, click to select the zone. + +Review the zone records of the non-AD-integrated zones and compare to the separate documentation maintained. + +Determine if any records have not been validated in more than a year. + +If zone records exist that have not been validated in more than a year, this is a finding.SRG-APP-000246-DNS-000035<GroupDescription></GroupDescription>WDNS-22-000067The Windows DNS Server must restrict individuals from using it for launching denial-of-service (DoS) attacks against other information systems.<VulnDiscussion>Applications and application developers must take steps to ensure users cannot use an authorized application to launch DoS attacks against other systems and networks. For example, applications may include mechanisms that throttle network traffic, so users are not able to generate unlimited network traffic via the application. 
Limiting system resources that are allocated to any user to a bare minimum may also reduce the ability of users to launch some DoS attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-001094Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> Allow log on through Remote Desktop Services to include only the following accounts or groups: + +Administrators + +Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> Deny access to this computer from the network to include the following: + +Guests Group + +Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> Deny log on locally to include the following: + +Guests GroupReview the DNS server to confirm the server restricts direct and remote console access to users other than Administrators. + +Verify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Allow log on through Remote Desktop Services" user right, this is a finding: + +Administrators + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. 
+ +If the following accounts or groups are not defined for the "Deny access to this computer from the network" user right, this is a finding: + +Guests Group + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If the following accounts or groups are not defined for the "Deny log on locally" user right, this is a finding: + +Guests GroupSRG-APP-000247-DNS-000036<GroupDescription></GroupDescription>WDNS-22-000068The Windows DNS Server must use DNS Notify to prevent denial of service (DoS) through increase in workload.<VulnDiscussion>In the case of application DoS attacks, care must be taken when designing the application to ensure it makes the best use of system resources. SQL queries have the potential to consume large amounts of CPU cycles if they are not tuned for optimal performance. Web services containing complex calculations requiring large amounts of time to complete can bog down if too many requests for the service are encountered within a short period of time.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-001095Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Press the Windows key + R and execute "dnsmgmt.msc". + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". + +From the expanded list, click to select the zone. + +In the list of hosts, review the NS records. 
Determine if any of the hosts listed as NS records are non-AD-integrated servers. + +If the DNS server hosts only AD-integrated zones and no non-AD-integrated DNS servers are acting as secondary DNS servers for the zones, this is not applicable. + +For a non-AD-integrated DNS server, log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +On the opened DNS Manager snap-in from the left pane, expand the server name and then expand "Forward Lookup Zones". + +From the expanded list, click to select and then right-click the zone name. + +From the displayed context menu, click the "Properties" option. + +On the opened zone's properties box, go to the "Zone Transfers" tab. + +On the displayed interface, determine if the "Allow zone transfers" check box is selected. + +If the "Allow zone transfers" check box is selected, click the "Notify" button and enable Notify to the non-AD-integrated DNS servers.Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Press the Windows key + R and execute "dnsmgmt.msc". + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". + +From the expanded list, click to select the zone. + +In the list of hosts, review the Name Server (NS) records. Determine if any of the hosts listed as NS records are non-Active Directory (AD)-integrated servers. + +If the DNS server hosts only AD-integrated zones and no non-AD-integrated DNS servers are acting as secondary DNS servers for the zones, this check is not applicable. + +For a non-AD-integrated DNS server, right-click on the "Forward Lookup Zone" and select "Properties". + +On the opened zone's properties box, go to the "Zone Transfers" tab. + +On the displayed interface, determine if the "Allow zone transfers" check box is selected. 
+ +If the "Allow zone transfers" check box is selected, click the "Notify" button and verify "Automatically notify with Servers" is listed on the "Name Servers" tab. + +If the "Notify" button is not enabled for non-AD-integrated DNS servers, this is a finding.SRG-APP-000439-DNS-000063<GroupDescription></GroupDescription>WDNS-22-000069The Windows DNS Server must protect the integrity of transmitted information.<VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. + +Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, logical means (cryptography) do not have to be employed, and vice versa. + +Confidentiality is not an objective of DNS, but integrity is. DNSSEC and TSIG/SIG(0) both digitally sign DNS information to authenticate its source and ensure its integrity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-002418Sign or re-sign the hosted zone(s) on the DNS server being validated. + +Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. 
+ +Press the Windows key + R and execute "dnsmgmt.msc". + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". + +From the expanded list, right-click to select the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either approved saved parameters or approved custom parameters.Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. + +Validate this check from the Windows DNS Server being configured/reviewed. + +Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. + +Determine a valid host in the zone. + +Open the Windows PowerShell prompt on the Windows DNS Server being configured/reviewed. + +Issue the following command: +(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows DNS Server hosting the signed zone.) + +resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> + +Note: It is important to use the -server switch followed by the DNS server name/IP address. + +The result should show the "A" record results. 
+ +In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer, and signature, similar to the following: + +Name: www.zonename.mil +QueryType: RRSIG +TTL: 189 +Section: Answer +TypeCovered: CNAME +Algorithm: 8 +LabelCount: 3 +OriginalTtl: 300 +Expiration: 11/21/2014 10:22:28 PM +Signed 10/22/2014 10:22:28 PM +Signer: zonename.mil +Signature: {87, 232, 34, 134...} + +Name: origin-www.zonename.mil +QueryType: A +TTL: 201 +Section: Answer +IP4Address: ###.###.###.### + +If the results do not show the RRSIG and signature information, this is a finding.SRG-APP-000441-DNS-000066<GroupDescription></GroupDescription>WDNS-22-000070The Windows DNS Server must maintain the integrity of information during preparation for transmission.<VulnDiscussion>Information can be unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-002420Sign or re-sign the hosted zone(s) on the DNS server being validated. + +Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. + +Press the Windows key + R and execute "dnsmgmt.msc". + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand "Forward Lookup Zones". 
+ +From the expanded list, right-click to select the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either approved saved parameters or approved custom parameters.Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. + +Validate this check from the Windows DNS Server being configured/reviewed. + +Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. + +Determine a valid host in the zone. + +Open the Windows PowerShell prompt on the Windows DNS Server being configured/reviewed. + +Issue the following command: +(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows DNS Server hosting the signed zone.) + +resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> + +Note: It is important to use the -server switch followed by the DNS server name/IP address. + +The result should show the "A" record results. 
+ +In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer, and signature, similar to the following: + +Name: www.zonename.mil +QueryType: RRSIG +TTL: 189 +Section: Answer +TypeCovered: CNAME +Algorithm: 8 +LabelCount: 3 +OriginalTtl: 300 +Expiration: 11/21/2014 10:22:28 PM +Signed: 10/22/2014 10:22:28 PM +Signer: zonename.mil +Signature: {87, 232, 34, 134...} + +Name: origin-www.zonename.mil +QueryType: A +TTL: 201 +Section: Answer +IP4Address: ###.###.###.### + +If the results do not show the RRSIG and signature information, this is a finding.SRG-APP-000442-DNS-000067<GroupDescription></GroupDescription>WDNS-22-000071The Windows DNS Server must maintain the integrity of information during reception.<VulnDiscussion>Information can be unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-002422Sign or re-sign the hosted zone(s) on the DNS server being validated. + +Log on to the Windows DNS Server using the Domain Admin or Enterprise Admin account. + +Press the Windows key + R and execute "dnsmgmt.msc". + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand "Forward Lookup Zones". 
+ +From the expanded list, right-click to select the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either approved saved parameters or approved custom parameters.Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. + +Validate this check from the Windows DNS Server being configured/reviewed. + +Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. + +Determine a valid host in the zone. + +Open the Windows PowerShell prompt on the Windows DNS Server being configured/reviewed. + +Issue the following command: +(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows DNS Server hosting the signed zone.) + +resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> + +Note: It is important to use the -server switch followed by the DNS server name/IP address. + +The result should show the "A" record results. 
+ +In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer, and signature, similar to the following: + +Name: www.zonename.mil +QueryType: RRSIG +TTL: 189 +Section: Answer +TypeCovered: CNAME +Algorithm: 8 +LabelCount: 3 +OriginalTtl: 300 +Expiration: 11/21/2022 10:22:28 PM +Signed: 10/22/2022 10:22:28 PM +Signer: zonename.mil +Signature: {87, 232, 34, 134...} + +Name: origin-www.zonename.mil +QueryType: A +TTL: 201 +Section: Answer +IP4Address: ###.###.###.### + +If the results do not show the RRSIG and signature information, this is a finding.SRG-APP-000514-DNS-000075<GroupDescription></GroupDescription>WDNS-22-000072The Windows DNS Server must implement NIST FIPS-validated cryptography for provisioning digital signatures, generating cryptographic hashes, and protecting unclassified information requiring confidentiality.<VulnDiscussion>Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. + +The choice of digital signature algorithm will be based on recommended algorithms in well-known standards. NIST's Digital Signature Standard (DSS) (FIPS186) provides three algorithm choices: +- Digital Signature Algorithm (DSA). +- RSA. +- Elliptic Curve DSA (ECDSA). + +Of these three algorithms, RSA and DSA are more widely available and considered candidates of choice for DNSSEC. Both RSA and DSA have comparable signature generation speeds, but DSA is much slower for signature verification. RSA is the recommended algorithm for this guideline. + +RSA with SHA-1 is currently the only cryptographic algorithm mandated to be implemented with DNSSEC, although other algorithm suites (i.e., RSA/SHA-256, ECDSA) are also specified. 
+ +It can be expected that name servers and clients will be able to use the RSA algorithm at a minimum. It is suggested that at least one ZSK for a zone use the RSA algorithm. + +NIST's Secure Hash Standard (SHS) (FIPS 180-3) specifies SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 as approved hash algorithms to be used as part of the algorithm suite for generating digital signatures using the digital signature algorithms in NIST's DSS (FIPS186). It is expected that there will be support for Elliptic Curve Cryptography in the DNSSEC. The migration path for USG DNSSEC operation will be to ECDSA (or similar) from RSA/SHA-1 and RSA/SHA-256 before 30 September 2015.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-002450Sign or re-sign, the hosted zone(s) on the DNS server being validated. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Press the Windows key + R and execute "dnsmgmt.msc". + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". + +From the expanded list, right-click to select the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone", using either approved saved parameters or approved custom parameters.Note: This requirement applies to any Windows DNS Server that hosts non-Active Directory (AD)-integrated zones even if the DNS servers host AD-integrated zones, too. 
If the Windows DNS Server hosts only AD-integrated zones and does not host any file-based zones, this is not applicable. + +Validate this check from the Windows DNS Server being configured/reviewed. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Determine a valid host in the zone. + +Open the Windows PowerShell prompt on the Windows DNS Server being configured/reviewed. + +Issue the following command: +(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows DNS Server hosting the signed zone.) + +resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> + +Note: It is important to use the -server switch followed by the DNS server name/IP address. + +The result should show the "A" record results. + +In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer, and signature, similar to the following: + +Name: www.zonename.mil +QueryType: RRSIG +TTL: 189 +Section: Answer +TypeCovered: CNAME +Algorithm: 8 +LabelCount: 3 +OriginalTtl: 300 +Expiration: 11/21/2014 10:22:28 PM +Signed: 10/22/2014 10:22:28 PM +Signer: zonename.mil +Signature: {87, 232, 34, 134...} + +Name: origin-www.zonename.mil +QueryType: A +TTL: 201 +Section: Answer +IP4Address: ###.###.###.### + +If the results do not show the RRSIG and signature information, this is a finding.SRG-APP-000251-DNS-000037<GroupDescription></GroupDescription>WDNS-22-000073The Windows DNS Server must be configured to only allow zone information that reflects the environment for which it is authoritative, including IP ranges and IP versions.<VulnDiscussion>DNS zone data for which a Windows DNS Server is authoritative should represent the network for which it is responsible. 
If a Windows DNS Server hosts zone records for other networks or environments, the records could become invalid or stale or be redundant/conflicting with a DNS server truly authoritative for the other network environment.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-001310Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +If not automatically started, initialize the "Server Manager" window by clicking its icon from the bottom left corner of the screen. + +Once the "Server Manager" window is initialized, from the left pane, click to select the DNS category. + +From the right pane, under the "SERVERS" section, right-click the DNS server. + +From the context menu that appears, click "DNS Manager". + +On the opened DNS Manager snap-in from the left pane, expand the server name and then expand "Forward Lookup Zones". + +Remove any zone information that is not part of the environment.Consult with the system administrator to determine the IP ranges for the environment. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +If not automatically started, initialize the "Server Manager" window by clicking its icon from the bottom left corner of the screen. + +Once the "Server Manager" window is initialized, from the left pane, click to select the DNS category. + +From the right pane, under the "SERVERS" section, right-click the DNS server. + +From the context menu that appears, click "DNS Manager". 
+ +On the opened DNS Manager snap-in from the left pane, expand the server name and then expand "Forward Lookup Zones". + +From the expanded list, click to select and then right-click the zone name. + +Review the zone information and compare it to the IP ranges for the environment. + +If any zone information is for a different IP range or domain, this is a finding.SRG-APP-000451-DNS-000069<GroupDescription></GroupDescription>WDNS-22-000074The Windows DNS Server must follow procedures to re-role a secondary name server as the primary name server if the primary name server permanently loses functionality.<VulnDiscussion>Failing to an unsecure condition negatively impacts application security and can lead to system compromise. Failure conditions include, for example, loss of communications among critical system components or between system components and operational facilities. Fail-safe procedures include, for example, alerting operator personnel and providing specific instructions on subsequent steps to take (e.g., do nothing, reestablish system settings, shutdown processes, restart the system, or contact designated organizational personnel). + +If a component such as the DNSSEC or TSIG/SIG(0) signing capabilities were to fail, the DNS server should shut itself down to prevent continued execution without the necessary security components in place. 
Transactions such as zone transfers would not be able to work correctly in this state.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-000366CCI-002775AD-integrated DNS servers will handle the promotion of a secondary DNS server when a primary DNS server loses functionality. + +Develop, test, and implement documented procedures to re-role a non-AD-integrated secondary name server to a master name server role if a master name server loses functionality.Active Directory (AD)-integrated DNS servers will handle the promotion of a secondary DNS server when a primary DNS server loses functionality. + +If all of the DNS servers are AD integrated, this is not a finding. + +Consult with the system administrator to determine if there are documented procedures to re-role a non-AD-integrated secondary name server to a master name server role if a master name server loses functionality. + +If there are no documented procedures to re-role a non-AD-integrated secondary name server to primary if a master name server loses functionality, this is a finding.SRG-APP-000333-DNS-000104<GroupDescription></GroupDescription>WDNS-22-000075The DNS Name Server software must be configured to refuse queries for its version information.<VulnDiscussion>Each newer version of the name server software, especially the BIND software, generally is devoid of vulnerabilities found in earlier versions because it has design changes incorporated to address those vulnerabilities. 
The vulnerabilities have been exploited (i.e., some form of attack was launched), and sufficient information has been generated with respect to the nature of those exploits. It makes good business sense to run the latest version of name server software because theoretically it is the safest version. + +In some installations, it may not be possible to switch to the latest version of name server software immediately. If the version of the name server software is revealed in queries, this information may be used by attackers looking for a specific version of the software that has a discovered weakness. To prevent information about which version of name server software is running on a system, name servers should be configured to refuse queries for its version information.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-002201To disable the version being returned in queries, execute the following command: + +dnscmd /config /EnableVersionQuery 0 <enter>The "EnableVersionQuery" property controls what version information the DNS server will respond with when a DNS query with class set to "CHAOS" and type set to "TXT" is received. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Open a command window and execute the command: + +nslookup <enter> +Note: Confirm the Default Server is the DNS server on which the command is being run. 
+ +At the nslookup prompt, type: + +set type=TXT <enter> +set class=CHAOS <enter> +version.bind <enter> + +If the response returns something similar to text = "Microsoft DNS 6.1.7601 (1DB14556)", this is a finding.SRG-APP-000333-DNS-000107<GroupDescription></GroupDescription>WDNS-22-000076The HINFO, RP, TXT, and LOC RR types must not be used in the zone SOA.<VulnDiscussion>Several types of resource records (RRs) in the DNS are meant to convey information to humans and applications about the network, hosts, or services. These RRs include the Responsible Person (RP) record, the Host Information (HINFO) record, the Location (LOC) record, and the catch-all text string resource record (TXT) (RFC1035). Although these record types are meant to provide information to users in good faith, they also allow attackers to gain knowledge about network hosts before attempting to exploit them. For example, an attacker may query for HINFO records, looking for hosts that list an operating system or platform known to have exploits. + +Therefore, great care should be taken before including these record types in a zone. They are best left out completely. + +More careful consideration should be taken with the TXT resource record type. A DNS administrator will have to decide if the data contained in a TXT RR constitutes an information leak or is a necessary piece of information. For example, several authenticated email technologies use TXT RRs to store email sender policy information such as valid email senders for a domain. These judgments will have to be made on a case-by-case basis. + +A DNS administrator should take care when including HINFO, RP, TXT, LOC, or other RR types that could divulge information that would be useful to an attacker or the external view of a zone if using split DNS. 
+ +RRs such as HINFO and TXT provide information about software name and versions (e.g., for resources such as web servers and mail servers) that will enable the well-equipped attacker to exploit the known vulnerabilities in those software versions and launch attacks against those resources.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-002201Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Press the Windows key + R and execute "dnsmgmt.msc". + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". + +From the expanded list, click to select the zone. + +Remove all HINFO, RP, TXT, and LOC RRs from all zones hosted by the DNS server.Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Press the Windows key + R and execute "dnsmgmt.msc". + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". + +From the expanded list, click to select the zone. + +Review the zone's RRs and verify HINFO, RP, and LOC RRs are not used. If TXT RRs are used, they must not reveal any information about the organization that could be used for malicious purposes. 
+ +If there are any HINFO, RP, LOC, or revealing TXT RRs in any zone hosted by the DNS server, this is a finding.SRG-APP-000268-DNS-000039<GroupDescription></GroupDescription>WDNS-22-000077The Windows DNS Server must, when a component failure is detected, activate a notification to the system administrator.<VulnDiscussion>Predictable failure prevention requires organizational planning to address system failure issues. If components key to maintaining systems security fail to function, the system could continue operating in an insecure state. The organization must be prepared, and the application must support requirements that specify if the application must alarm for such conditions and/or automatically shut down the application or the system. + +This can include conducting a graceful application shutdown to avoid losing information. Automatic or manual transfer of components from standby to active mode can occur, for example, upon detection of component failures. + +If a component such as the DNSSEC or TSIG/SIG(0) signing capabilities were to fail, the DNS server should shut itself down to prevent continued execution without the necessary security components in place. 
Transactions such as zone transfers would not be able to work correctly in this state.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-000366CCI-001328Implement a third-party monitoring system to detect and notify the system administrator upon component failure or, at a minimum, document and implement a procedure to review the diagnostic logs on a routine basis every day.Notification to the system administrator is not configurable in Windows DNS Server. For system administrators to be notified when a component fails, the system administrator would have to implement a third-party monitoring system. At a minimum, the system administrator should have a documented procedure in place to review the diagnostic logs on a routine basis every day. + +If a third-party monitoring system is not in place to detect and notify the system administrator upon component failures, and the system administrator does not have a documented procedure in place to review the diagnostic logs on a routine basis every day, this is a finding.SRG-APP-000473-DNS-000072<GroupDescription></GroupDescription>WDNS-22-000078The Windows DNS Server must verify the correct operation of security functions upon startup and/or restart, upon command by a user with privileged access, and/or every 30 days.<VulnDiscussion>Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. 
Security functionality includes but is not limited to establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Without verification, security functions may not operate correctly, and this failure may go unnoticed. + +Notifications provided by information systems include, for example, electronic alerts to system administrators, messages to local computer consoles, and/or hardware indications, such as lights. + +The DNS server should perform self-tests, such as at server startup, to confirm that its security functions are working properly.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-002699Sign or re-sign the hosted zone(s) on the DNS server being validated. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Press the Windows key + R and execute "dnsmgmt.msc". + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". + +From the expanded list, right-click to select the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either approved saved parameters or approved custom parameters.Note: This requirement applies to any Windows DNS Server that hosts non-Active Directory (AD)-integrated zones even if the DNS servers host AD-integrated zones, too. 
If the Windows DNS Server hosts only AD-integrated zones and does not host any file-based zones, this is not applicable. + +Validate this check from the Windows DNS Server being configured/reviewed. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. + +Determine a valid host in the zone. + +Open the Windows PowerShell prompt on the Windows DNS Server being configured/reviewed. + +Issue the following command: +(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows DNS Server hosting the signed zone.) + +resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> + +Note: It is important to use the -server switch followed by the DNS server name/IP address. + +The result should show the "A" record results. + +In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer, and signature, similar to the following: + +Name: www.zonename.mil +QueryType: RRSIG +TTL: 189 +Section: Answer +TypeCovered: CNAME +Algorithm: 8 +LabelCount: 3 +OriginalTtl: 300 +Expiration: 11/21/2022 10:22:28 AM +Signed: 10/22/2022 10:22:28 AM +Signer: zonename.mil +Signature: {87, 232, 34, 134...} + +Name: origin-www.zonename.mil +QueryType: A +TTL: 201 +Section: Answer +IP4Address: ###.###.###.### + +If the results do not show the RRSIG and signature information, this is a finding.SRG-APP-000473-DNS-000072<GroupDescription></GroupDescription>WDNS-22-000079The Windows DNS Server must verify the correct operation of security functions upon system startup and/or restart, upon command by a user with privileged access, and/or every 30 days.<VulnDiscussion>Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. 
Security functionality includes but is not limited to establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Without verification, security functions may not operate correctly, and this failure may go unnoticed. + +Notifications provided by information systems include, for example, electronic alerts to system administrators, messages to local computer consoles, and/or hardware indications, such as lights. + +The DNS server should perform self-tests, such as at server startup, to confirm that its security functions are working properly.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-002699Install an approved DOD system monitoring solution.This functionality should be performed by an approved and properly configured DOD system monitoring solution. + +If all required DOD products are not installed and /or the installed productions are not enabled, this is a finding.SRG-APP-000474-DNS-000073<GroupDescription></GroupDescription>WDNS-22-000080The Windows DNS Server must log the event and notify the system administrator when anomalies in the operation of the signed zone transfers are discovered.<VulnDiscussion>Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. 
Security functionality includes but is not limited to establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Notifications provided by information systems include messages to local computer consoles and/or hardware indications, such as lights. + +If anomalies are not acted on, security functions may fail to secure the system. + +The DNS server does not have the capability of shutting down or restarting the information system. The DNS server can be configured to generate audit records when anomalies are discovered, and the operating system/network device manager can then trigger notification messages to the system administrator based on the presence of those audit records.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-002702Implement a third-party monitoring system to detect and notify the ISSO/ISSM/DNS administrator if functionality of DNSSEC/TSIG has been removed or broken or, at a minimum, document and implement a procedure to review the diagnostic logs on a routine basis every day.Note: If the only zones hosted are AD-integrated zones, this check is not applicable. + +Notification to the system administrator is not configurable in Windows. For the administrator to be notified if functionality of DNSSEC/TSIG has been removed or broken, the information system security officer (ISSO), information system security manager (ISSM), or DNS administrator would need to implement a third-party monitoring system. 
At a minimum, the ISSO/ISSM/DNS administrator should have a documented procedure in place to review the diagnostic logs on a routine basis every day. + +If a third-party monitoring system is not in place to detect and notify the ISSO/ISSM/DNS administrator if functionality of DNSSEC/TSIG has been removed or broken and the ISSO/ISSM/DNS administrator does not have a documented procedure in place to review the diagnostic logs on a routine basis every day, this is a finding.SRG-APP-000275-DNS-000040<GroupDescription></GroupDescription>WDNS-22-000081The Windows DNS Server must be configured to notify the information system security officer (ISSO), information system security manager (ISSM), or DNS administrator when functionality of DNSSEC/TSIG has been removed or broken.<VulnDiscussion>Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes but is not limited to establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. If personnel are not notified of failed security verification tests, they will not be able to take corrective action, and the unsecure condition(s) will remain. Notifications provided by information systems include messages to local computer consoles and/or hardware indications, such as lights. + +The DNS server should be configured to generate audit records whenever a self-test fails. 
The operating system/network device manager is responsible for generating notification messages related to this audit record.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-001294Implement a third-party monitoring system to detect and notify the ISSO/ISSM/DNS administrator if functionality of Secure Updates has been removed or broken or, at a minimum, document and implement a procedure to review the diagnostic logs on a routine basis every day.Note: This check is not applicable for Windows DNS Servers that only host Active Directory-integrated zones or for Windows DNS servers on a classified network. + +Notification to the system administrator is not configurable in Windows DNS Server. For the ISSO/ISSM/DNS administrator to be notified if functionality of Secure Updates has been removed or broken, the ISSO/ISSM/DNS administrator would need to implement a third party monitoring system. At a minimum, the ISSO/ISSM/DNS administrator should have a documented procedure in place to review the diagnostic logs on a routine basis every day. 
+ +If a third-party monitoring system is not in place to detect and notify the ISSO/ISSM/DNS administrator if functionality of Secure Updates has been removed or broken and the ISSO/ISSM/DNS administrator does not have a documented procedure in place to review the diagnostic logs on a routine basis every day, this is a finding.SRG-APP-000176-DNS-000076<GroupDescription></GroupDescription>WDNS-22-000090A unique Transaction Signature (TSIG) key must be generated for each pair of communicating hosts.<VulnDiscussion>To enable zone transfer (requests and responses) through authenticated messages, it is necessary to generate a key for every pair of name servers. The key also can be used for securing other transactions, such as dynamic updates, DNS queries, and responses. The binary key string generated by most key generation utilities used with DNSSEC is Base64 encoded. TSIG is a string used to generate the message authentication hash stored in a TSIG Resource Record (RR) and used to authenticate an entire DNS message.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-000186Regenerate a unique TSIG key for each pair of communicating hosts within the DNS architecture.Review the DNS implementation. Verify that each pair of communicating hosts has a unique TSIG key (i.e., a separate key for each secondary name server to authenticate transactions with the primary name server, etc.). 
+ +If a unique TSIG key has not been generated for each pair of communicating hosts, this is a finding.SRG-APP-000185-DNS-000021<GroupDescription></GroupDescription>WDNS-22-000092The DNS server implementation must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.<VulnDiscussion>If unauthorized personnel use maintenance tools, they may accidentally or intentionally damage or compromise the system. The act of managing systems and applications includes the ability to access sensitive application information, such as system configuration details, diagnostic information, user information, and potentially sensitive application data. + +Nonlocal maintenance and diagnostic activities are conducted by individuals communicating through an external network (e.g., the internet) or an internal network. Local maintenance and diagnostic activities are carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, public key infrastructure (PKI) where certificates are stored on a token protected by a password, passphrase, or biometric. + +This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system (e.g., the software implementing "ping", "ls", or "ipconfig" or the hardware and software implementing the monitoring port of an Ethernet switch). + +Lack of authentication enables anyone to gain access to the network or possibly a network element that provides opportunity for intruders to compromise resources within the network infrastructure. 
Network access control mechanisms interoperate to prevent unauthorized access and enforce the organization's security policy. Authorization for access to any network element requires an individual account identifier that has been approved, assigned, and configured on an authentication server. Authentication of all administrator accounts for all privilege levels must be accomplished using two or more factors that include the following: + +(i) something the user knows (e.g., password/PIN); +(ii) something the user has (e.g., cryptographic identification device, token); or +(iii) something the user is (e.g., biometric).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-000877Configure the DNS system to use multifactor authentication for nonlocal access for maintenance and diagnostics.Review the DNS implementation's authentication methods and settings to determine if multifactor authentication is used to gain nonlocal access for maintenance and diagnostics. + +If multifactor authentication is not used, this is a finding.SRG-APP-000226-DNS-000032<GroupDescription></GroupDescription>WDNS-22-000094In the event of a system failure, the Windows DNS Server must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes.<VulnDiscussion>Failure to a known state can address safety or security in accordance with the mission/business needs of the organization. 
Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. Preserving application state information helps to facilitate application restart and return to the operational mode of the organization with less disruption to mission-essential processes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-001665Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> Audit File System with "Failure" selected.Use the AuditPol tool to review the current Audit Policy configuration: + +Open a Command Prompt with elevated privileges ("Run as Administrator"). + +Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Object Access >> File System - FailureSRG-APP-000516-DNS-000105<GroupDescription></GroupDescription>WDNS-22-000102The DNS Name Server software must run with restricted privileges.<VulnDiscussion>Failure to provide logical access restrictions associated with changes to application configuration may have significant effects on the overall security of the system. 
When dealing with access restrictions pertaining to change control, any changes to the hardware, software, and/or firmware components of the information system and/or application can have significant effects on the overall security of the system. Accordingly, only qualified and authorized individuals should be allowed to obtain access to application components for the purposes of initiating changes, including upgrades and modifications. + +Logical access restrictions include, for example, controls that restrict access to workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover). + +If the name server software is run as a privileged user (e.g., root in Unix systems), any break-in into the software can have disastrous consequences in terms of resources resident in the name server platform. Specifically, a hacker who breaks into the software acquires unrestricted access and therefore can execute any commands or modify or delete any files. 
It is necessary to run the name server software as a nonprivileged user with access restricted to specified directories to contain damages resulting from break-in.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-000366Configure the permissions of the account being used to run the DNS software to have the least privileges required to run the DNS software.Review the account under which the DNS software is running and determine the permissions that account has been assigned. + +If the account under which the DNS software is running has not been restricted to the least privileged permissions required for the purpose of running the software, this is a finding.SRG-APP-000516-DNS-000112<GroupDescription></GroupDescription>WDNS-22-000107The private keys corresponding to both the zone signing key (ZSK) and the key signing key (KSK) must not be kept on the DNSSEC-aware primary authoritative name server when the name server does not support dynamic updates.<VulnDiscussion>The private keys in the KSK and ZSK key pairs must be protected from unauthorized access. If possible, the private keys should be stored offline (with respect to the internet-facing, DNSSEC-aware name server) in a physically secure, non-network-accessible machine along with the zone file master copy. + +This strategy is not feasible in situations in which the DNSSEC-aware name server must support dynamic updates. 
To support dynamic update transactions, the DNSSEC-aware name server (which usually is a primary authoritative name server) must have both the zone file master copy and the private key corresponding to the zone signing key (ZSK-private) online to immediately update the signatures for the updated Resource Record Sets. The private key corresponding to the key signing key (KSK-private) can still be kept offline.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-000366Store the private keys of the ZSK and KSK offline in an encrypted file system.Review the DNS name server and documentation to determine if it accepts dynamic updates. + +If dynamic updates are not accepted, verify the private keys corresponding to both the ZSK and KSK are not located on the name server. + +If the private keys to the ZSK and/or the KSK are located on the name server, this is a finding.SRG-APP-000125-DNS-000012<GroupDescription></GroupDescription>WDNS-22-000115The Windows DNS Server audit records must be backed up at least every seven days onto a different system or system component than the system or component being audited.<VulnDiscussion>Protection of log data includes ensuring log data is not accidentally lost or deleted. Backing up audit records to a different system or onto media separate from the system being audited on a defined frequency helps to ensure the audit records will be retained in the event of a catastrophic system failure. 
+ +This helps to ensure a compromise of the information system being audited does not also result in a compromise of the audit records. + +This requirement applies only to applications that have a native backup capability for audit records. Operating system backup requirements cover applications that do not provide native backup functions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-001348Document and implement a backup policy to back up the DNS server's audit records at least every seven days.Consult with the system administrator to determine the backup policy in place for Windows DNS Server. + +Review the backup methods used and determine if the backup's methods have been successful at backing up the audit records at least every seven days. + +If the organization does not have a backup policy in place for backing up the Windows DNS Server's audit records and/or the backup methods have not been successful at backing up the audit records at least every seven days, this is a finding.SRG-APP-000516-DNS-000093<GroupDescription></GroupDescription>WDNS-22-000119In a split DNS configuration, where separate name servers are used between the external and internal networks, the internal name server must be configured to not be reachable from outside resolvers.<VulnDiscussion>Instead of having the same set of authoritative name servers serve different types of clients, an enterprise could have two different sets of authoritative name servers. 
+ +One set, called external name servers, can be located within a DMZ; these would be the only name servers that are accessible to external clients and would serve resource records (RRs) pertaining to hosts with public services (web servers that serve external web pages or provide business-to-consumer services, mail servers, etc.). + +The other set, called internal name servers, is to be located within the firewall and should be configured so the servers are not reachable from outside and hence provide naming services exclusively to internal clients.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-000366Configure the internal DNS server's firewall policy, or the network firewall, to block queries from external hosts.Consult with the system administrator to review the internal Windows DNS Server's firewall policy. + +The inbound TCP and UDP ports 53 rule should be configured to only allow hosts from the internal network to query the internal DNS server. + +If the firewall policy is not configured with the restriction, consult with the network firewall administrator to confirm the restriction on the network firewall. + +If neither the DNS server's firewall policy nor the network firewall is configured to block external hosts from querying the internal DNS server, this is a finding.SRG-APP-000247-DNS-000036<GroupDescription></GroupDescription>WDNS-22-000120Windows DNS response rate limiting (RRL) must be enabled.<VulnDiscussion>This setting can prevent someone from sending a denial-of-service attack using the DNS servers. 
For instance, a bot net can send requests to the DNS server using the IP address of a third computer as the requestor. Without RRL, the DNS servers might respond to all the requests, flooding the third computer.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server Domain Name System DISADPMS TargetMicrosoft Windows Server Domain Name System 5576CCI-001095As an administrator, run PowerShell and enter the command "Set-DnsServerResponseRateLimiting" to apply default values or "Set-DnsServerResponseRateLimiting -WindowInSec 7 -LeakRate 4 -TruncateRate 3 -ErrorsPerSec 8 -ResponsesPerSec 8". + +These settings are just an example. For more information, go to: +https://learn.microsoft.com/en-us/powershell/module/dnsserver/set-dnsserverresponseratelimiting?view=windowsserver2022-psAs an administrator, run PowerShell and enter the following command: +"Get-DnsServerResponseRateLimiting". + +If "Mode" is not set to "Enable", this is a finding. \ No newline at end of file diff --git a/benchmarks/DISA/U_MarkLogic_Server_v9_STIG_V2R2_Manual-xccdf.xml b/benchmarks/DISA/U_MarkLogic_Server_v9_STIG_V2R2_Manual-xccdf.xml index 461fb81f2..b8af992d4 100644 --- a/benchmarks/DISA/U_MarkLogic_Server_v9_STIG_V2R2_Manual-xccdf.xml +++ b/benchmarks/DISA/U_MarkLogic_Server_v9_STIG_V2R2_Manual-xccdf.xml 
@@ -1,4 +1,4 @@ -acceptedMarkLogic Server v9 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 2 Benchmark Date: 24 Jan 20243.4.1.229161.10.02I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>SRG-APP-000001-DB-000031<GroupDescription></GroupDescription>ML09-00-000100MarkLogic Server must limit the number of concurrent sessions to an organization-defined number per user for all accounts and/or account types.<VulnDiscussion>Database management includes the ability to control the number of users and user sessions utilizing a DBMS. Unlimited concurrent connections to the DBMS could allow a successful Denial of Service (DoS) attack by exhausting connection resources and a system can also fail or be degraded by an overload of legitimate users. Limiting the number of concurrent sessions per user is helpful in reducing these risks. This requirement addresses concurrent session control for a single account. 
It does not address concurrent sessions by a single user via multiple system accounts and it does not deal with the total number of sessions across all accounts. 
@@ -1954,31 +1954,23 @@ If the MarkLogic Server instance is not monitored by a third-party audit managem In addition to this SRG, sources of guidance on security and information assurance exist. These include NSA configuration guides, CTOs, DTMs, and IAVMs. The DBMS must be configured in compliance with guidance from all such relevant sources.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MarkLogic Server v9DISADPMS TargetMarkLogic Server v94064SV-110183V-101079CCI-000366From the list of applicable DoD security configuration and implementation guidance, address the items that the MarkLogic Server configuration does not meet.Determine the applicable DoD security configuration and implementation guidance for the deployment environment. Asses the MarkLogic Server documentation and configuration in accordance with the applicable guidance. -If MarkLogic is not configured in accordance with security configuration settings, this is a finding.SRG-APP-000456-DB-000400<GroupDescription></GroupDescription>ML09-00-012500MarkLogic Server must be a version supported by the vendor.<VulnDiscussion>Unsupported commercial and database systems should not be used because fixes to newly identified bugs will not be implemented by the vendor. The lack of support can result in potential vulnerabilities. 
+If MarkLogic is not configured in accordance with security configuration settings, this is a finding.SRG-APP-000456-DB-000400<GroupDescription></GroupDescription>ML09-00-012500MarkLogic Server must be a version supported by the vendor.<VulnDiscussion>Unsupported commercial and database systems should not be used because fixes to newly identified bugs will not be implemented by the vendor. The lack of support can result in potential vulnerabilities. Systems at unsupported servicing levels or releases will not receive security updates for new vulnerabilities, which leaves them subject to exploitation. -When maintenance updates and patches are no longer available, the database software is no longer considered supported and should be upgraded or decommissioned.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MarkLogic Server v9DISADPMS TargetMarkLogic Server v94064CCI-003376Remove or decommission all unsupported software products. 
- -Upgrade unsupported DBMS or unsupported components to a supported version of the product.If new packages are available for PostgreSQL, they can be reviewed in the package manager appropriate for the server operating system: - -To list the version of installed PostgreSQL using psql: - -$ sudo su - postgres -$ psql --version - -To list the current version of software for RPM: - -$ rpm -qa | grep postgres - -To list the current version of software for APT: - -$ apt-cache policy postgres - -All versions of PostgreSQL will be listed here: -http://www.postgresql.org/support/versioning/ - -All security-relevant software updates for PostgreSQL will be listed here: -http://www.postgresql.org/support/security/ - -If PostgreSQL is not at the latest version, this is a finding. \ No newline at end of file +When maintenance updates and patches are no longer available, the database software is no longer considered supported and should be upgraded or decommissioned.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target MarkLogic Server v9DISADPMS TargetMarkLogic Server v94064CCI-003376Remove or decommission all unsupported software products. + +Upgrade unsupported DBMS or unsupported components to a supported version of the product.Review the system documentation and interview the database administrator. + +Identify all database software components. + +Review the current version and release information; execute the following from the query console: +xdmp:version(); +--OR-- +Perform the check from the MarkLogic Server Admin Interface with a user that holds administrative-level privileges. +Version is displayed in the upper left corner of the console. 
+ +Access the MarkLogic website to validate that the version is currently supported: +https://developer.marklogic.com/products/support-matrix/ + +If the DBMS or any of the software components are not supported by the vendor, this is a finding. \ No newline at end of file diff --git a/benchmarks/DISA/U_Oracle_MySQL_8-0_STIG_V1R5_Manual-xccdf.xml b/benchmarks/DISA/U_Oracle_MySQL_8-0_STIG_V1R5_Manual-xccdf.xml index 6029ef3d9..fbfb00625 100644 --- a/benchmarks/DISA/U_Oracle_MySQL_8-0_STIG_V1R5_Manual-xccdf.xml +++ b/benchmarks/DISA/U_Oracle_MySQL_8-0_STIG_V1R5_Manual-xccdf.xml 
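Review bot: The new check instructs the reviewer to "Identify all database software components" and the finding clause covers "any of the software components", but the only procedure given (`xdmp:version();` or the Admin Interface banner) reports the MarkLogic Server version alone, so a reviewer has nothing to evaluate for the other components the finding refers to. Either narrow the finding clause to the server version or add one sentence naming what else must be inventoried (presumably the bundled runtime and any add-on packages — to be confirmed). It would also help to state that the full version string returned by `xdmp:version()` is what gets compared against the support matrix, since vendor support is usually tracked per maintenance release rather than per major version; worth confirming against the linked page. Note that this replaces a check which failed on "not at the latest version", so the requirement is now deliberately support-status only rather than patch-level — fine for CCI-003376, but patch currency then has to be covered by another requirement.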
@@ -1,4 +1,4 @@ -acceptedOracle MySQL 8.0 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 5 Benchmark Date: 24 Jan 20243.4.1.229161.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-APP-000023-DB-000001<GroupDescription></GroupDescription>MYS8-00-000100MySQL Database Server 8.0 must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.<VulnDiscussion>Enterprise environments make account management for applications and databases challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other error. Managing accounts for the same person in multiple places is inefficient and prone to problems with consistency and synchronization. 
+acceptedOracle MySQL 8.0 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 5 Benchmark Date: 24 Jan 20243.4.1.229161.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-APP-000023-DB-000001<GroupDescription></GroupDescription>MYS8-00-000100MySQL Database Server 8.0 must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.<VulnDiscussion>Enterprise environments make account management for applications and databases challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other error. Managing accounts for the same person in multiple places is inefficient and prone to problems with consistency and synchronization. A comprehensive application account management process that includes automation helps to ensure accounts designated as requiring attention are consistently and promptly addressed. 
@@ -4324,31 +4324,27 @@ ALTER TABLE <table_name> To determine if table check constraints that have been put in place: SELECT * FROM INFORMATION_SCHEMA.TABLE_CONSTRAINTS; -If input validation is required beyond those enforced by the datatype and no constraints exist for data input, this is a finding.SRG-APP-000456-DB-000400<GroupDescription></GroupDescription>MYS8-00-012600MySQL database products must be a version supported by the vendor.<VulnDiscussion>Unsupported commercial and database systems should not be used because fixes to newly identified bugs will not be implemented by the vendor. The lack of support can result in potential vulnerabilities. - -Systems at unsupported servicing levels or releases will not receive security updates for new vulnerabilities, which leaves them subject to exploitation. - -When maintenance updates and patches are no longer available, the database software is no longer considered supported and should be upgraded or decommissioned.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle MySQL 8.0DISADPMS TargetOracle MySQL 8.05277CCI-003376Remove or decommission all unsupported software products. 
- -Upgrade unsupported DBMS or unsupported components to a supported version of the product.If new packages are available for PostgreSQL, they can be reviewed in the package manager appropriate for the server operating system: - -To list the version of installed PostgreSQL using psql: - -$ sudo su - postgres -$ psql --version - -To list the current version of software for RPM: - -$ rpm -qa | grep postgres - -To list the current version of software for APT: - -$ apt-cache policy postgres - -All versions of PostgreSQL will be listed here: -http://www.postgresql.org/support/versioning/ - -All security-relevant software updates for PostgreSQL will be listed here: -http://www.postgresql.org/support/security/ - -If PostgreSQL is not at the latest version, this is a finding. \ No newline at end of file +If input validation is required beyond those enforced by the datatype and no constraints exist for data input, this is a finding.SRG-APP-000456-DB-000400<GroupDescription></GroupDescription>MYS8-00-012600MySQL database products must be a version supported by the vendor.<VulnDiscussion>Unsupported commercial and database systems should not be used because fixes to newly identified bugs will not be implemented by the vendor. The lack of support can result in potential vulnerabilities. + +Systems at unsupported servicing levels or releases will not receive security updates for new vulnerabilities, which leaves them subject to exploitation. 
+ +When maintenance updates and patches are no longer available, the database software is no longer considered supported and should be upgraded or decommissioned.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle MySQL 8.0DISADPMS TargetOracle MySQL 8.05277CCI-003376Remove or decommission all unsupported software products. + +Upgrade unsupported DBMS or unsupported components to a supported version of the product. + +Oracle supported platforms can be found here: +https://www.mysql.com/support/supportedplatforms/database.htmlReview the version and release information. + +To check the version of the installed MySQL, run the following SQL statement: + +select @@version; + +The result will show the version. For example: +8.0.22-commercial + +Access the vendor website or use other means to verify the version is still supported. +Oracle lifetime support: +https://www.oracle.com/us/assets/lifetime-support-technology-069183.pdf +Scroll down to Oracle MySQL Releases (approximately page 28). + +If the Oracle MySQL version or any of the software components are not supported by the vendor, this is a finding. \ No newline at end of file diff --git a/stigs.json b/stigs.json index c6527d1ea..a14378fc6 100644 --- a/stigs.json +++ b/stigs.json 
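Review bot: The finding clause covers "the Oracle MySQL version or any of the software components", but the only procedure given (`select @@version;`) reports the server version alone, so client libraries, connectors or plugins are left for the reviewer to guess at; either name what else to inventory or narrow the clause to the server version. The pointer "Scroll down to Oracle MySQL Releases (approximately page 28)" into a PDF will drift each time Oracle republishes the lifetime-support document; citing only the section title is more durable. Minor: the example output `8.0.22-commercial` shows that `@@version` carries an edition suffix, and it may be worth saying the support lookup is keyed on the numeric release rather than the suffix — to be confirmed against the Oracle document.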
@@ -88,12 +88,12 @@ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Akamai_KSD_Service_IL2_NDM_STIG_V1R1_Manual-xccdf.xml" }, { - "id": "Akamai_KSD_Service_IL2_ALG_STIG", + "id": "Akamai_KSD_Service_IL2_NDM_STIG", "name": "Akamai KSD Service IL2 STIG Overview", "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Akamai_KSD_Service_IL2_V1R1_Overview.zip", "size": "136.95 KB", "version": "V1R1", - "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Akamai_KSD_Service_IL2_ALG_STIG_V1R1_Manual-xccdf.xml" + "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Akamai_KSD_Service_IL2_NDM_STIG_V1R1_Manual-xccdf.xml" }, { "id": "APACHE_SITE_2.2_UNIX", @@ -352,12 +352,12 @@ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Cisco_IOS-XE_Router_NDM_STIG_V2R3_Manual-xccdf.xml" }, { - "id": "Cisco_IOS-XE_Router_NDM_STIG", + "id": "Cisco_IOS-XE_Router_RTR_STIG", "name": "Cisco IOS XE Router STIG for Ansible - Ver 2, Rel 1", "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_IOS_XE_Router_V2R1_STIG_Ansible.zip", "size": "713.94 KB", "version": "V2R1", - "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Cisco_IOS-XE_Router_NDM_STIG_V2R1_Manual-xccdf.xml" + "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Cisco_IOS-XE_Router_RTR_STIG_V2R1_Manual-xccdf.xml" }, { "id": "Oracle_HTTP_Server_12-1-3_STIG", 
@@ -515,7 +515,7 @@ "id": "EDB_Postgres_Advanced_Server_v11_on_Windows_STIG", "name": "EDB Postgres Advanced Server v11 for Windows STIG - Ver 2, Rel 3", "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_EDB_PGS_Advanced_Server_v11_Windows_V2R3_STIG.zip", - "size": "1.81 MB", + "size": "1.38 MB", "version": "V2R3", "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_EDB_PGS_Advanced_Server_v11_Windows_STIG_V2R3_Manual-xccdf.xml" }, @@ -2068,12 +2068,12 @@ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_SDN_Controller_SRG_V1R2_Manual-xccdf.xml" }, { - "id": "SEL-2740S_NDM_STIG", + "id": "SEL-2740S_L2S_STIG", "name": "SEL-2740S STIG Ver 1 Rel 1", "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_SEL-2740S_V1R1_STIG.zip", "size": "1.5 MB", "version": "V1R1", - "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_SEL-2740S_NDM_STIG_V1R1_Manual-xccdf.xml" + "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_SEL-2740S_L2S_STIG_V1R1_Manual-xccdf.xml" }, { "id": "SuSe_zLinux", 
@@ -2402,12 +2402,12 @@ "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Cisco_IOS_XE_Release_3_NDM_STIG_V1R5_Manual-xccdf.xml" }, { - "id": "Cisco_ISE_NDM_STIG", + "id": "Cisco_ISE_NAC_STIG", "name": "Sunset - Cisco IOS XE Release 3 Router Overview - Ver 1, Rel 4", "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_IOS-XE_Release_3_Router_V1R4_Overview.zip", "size": "236.14 KB", "version": "V1R4", - "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Cisco_ISE_NDM_STIG_V1R4_Manual-xccdf.xml" + "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Cisco_ISE_NAC_STIG_V1R4_Manual-xccdf.xml" }, { "id": "Cisco_IOS_XE_Release_3_RTR_STIG", @@ -2464,12 +2464,12 @@ "version": "V4R5" }, { - "id": "Enclave_-_Zone_B", + "id": "Enclave_-_Zone_C", "name": "Sunset - Enclave Test and Development STIG - Ver 1, Rel 6", "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Enclave_T-D_V1R6_STIG.zip", "size": "703.24 KB", "version": "V1R6", - "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Enclave_T-D_Zone-B_STIG_V1R6_Manual-xccdf.xml" + "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Enclave_T-D_Zone-C_STIG_V1R6_Manual-xccdf.xml" }, { "id": "Google_Android_9-x_STIG", 
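Review bot: The entry whose id is changed to `Cisco_ISE_NAC_STIG` still carries the name `Sunset - Cisco IOS XE Release 3 Router Overview - Ver 1, Rel 4` and a `U_Cisco_IOS-XE_Release_3_Router_V1R4_Overview.zip` url, while its `file` now points at `U_Cisco_ISE_NAC_STIG_V1R4_Manual-xccdf.xml`; the rename changes which benchmark this record resolves to without reconciling name and url, so a consumer keying on one field gets a different product than one keying on another. Both sides share the version string `V1R4`, which suggests the generator matches on version alone — presumably the root cause, to be confirmed against the update script. The `Enclave_-_Zone_C` rename in the same hunk looks consistent with its Test-and-Development name and url.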
@@ -3874,12 +3874,12 @@ "size": "1.32 MB" }, { - "id": "Juniper_EX_NDM_STIG", + "id": "Juniper_EX_RTR_STIG", "name": "Kubernetes STIG Benchmark - Ver 1, Rel 3", "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Kubernetes_V1R3_STIG_SCAP_1-2_Benchmark.zip", "size": "32.17 KB", "version": "V1R3", - "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Juniper_EX_Switches_NDM_STIG_V1R3_Manual-xccdf.xml" + "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Juniper_EX_Switches_RTR_STIG_V1R3_Manual-xccdf.xml" }, { "id": "TOSS_4_STIG", @@ -4448,7 +4448,7 @@ "id": "a2302cda-9247-4d53-ac15-f31db5f5219d", "name": "Compilation - SRG-STIG Library", "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_SRG-STIG_Library.zip", - "size": "321.34 MB" + "size": "337.46 MB" }, { "id": "MS_Windows_Server_2022_DNS_STIG", 
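Review bot: The record renamed to `Juniper_EX_RTR_STIG` keeps the name `Kubernetes STIG Benchmark - Ver 1, Rel 3` and the Kubernetes SCAP benchmark zip as its url while `file` now points at `U_Juniper_EX_Switches_RTR_STIG_V1R3_Manual-xccdf.xml`, so the entry mixes two unrelated products; the shared `V1R3` again points at a version-only match. Whichever product this entry is meant to describe, id, name, url and file should agree before it is published, since downstream profile updates presumably key on `file`. The id uses `Juniper_EX` while the file uses `Juniper_EX_Switches`, a second, smaller inconsistency in the same record.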
@@ -4614,18 +4614,26 @@ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_7-0_Y24M01_STIG.zip", "size": "3.55 MB" }, - { - "id": "c3a7afb2-a1b6-4f75-b556-fe0af284016d", - "name": "Sunset - HP-UX 11.31 STIG Benchmark - Ver 1, Rel 17", - "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_HPUX_11-31_V1R17_STIG_SCAP_1-2_Benchmark.zip", - "size": "109.21 KB", - "version": "V1R17" - }, { "id": "a2b9e4a7-6040-4262-837f-ab28c20e34c3", "name": "z/OS SRR Scripts - Ver 6, Rel 59", "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_zOS_V6R59_SRR.zip", "size": "1.89 MB", "version": "V6R59" + }, + { + "id": "MS_Windows_Server_2022_DNS_STIG", + "name": "Microsoft Windows Server DNS - Ver 1, Rel 1", + "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_Server_DNS_V1R1_STIG.zip", + "size": "2 MB", + "version": "V1R1", + "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MS_Windows_Server_DNS_STIG_V1R1_Manual-xccdf.xml" + }, + { + "id": "8ad38312-0b95-4dd7-9d94-cbc7b02d6201", + "name": "z/OS RACF Products - Ver 6, Rel 59", + "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_zOS_RACF_V6R59_Products.zip", + "size": "8.96 MB", + "version": "V6R59" } ] \ No newline at end of file
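Review bot: The entry appended at the end of the array reuses the id `MS_Windows_Server_2022_DNS_STIG`, which already names a different record earlier in this file (the one following the SRG-STIG Library entry), so consumers that index by id will silently keep only one of the two; the Server DNS V1R1 benchmark (`U_MS_Windows_Server_DNS_STIG_V1R1_Manual-xccdf.xml`) needs a distinct id such as `MS_Windows_Server_DNS_STIG`. The same hunk removes the HP-UX 11.31 V1R17 entry; if that is an intentional sunset it deserves a line in the commit message, because a benchmark id vanishing from an automated update is otherwise indistinguishable from a generator bug. The new `"size": "2 MB"` also departs from the two-decimal format (`1.38 MB`, `8.96 MB`) used elsewhere in the file.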