The Windows 2012 DNS Server must generate audit records for the success and failure of all name server events.

From Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide

Part of SRG-APP-000504-DNS-000082

Associated with: CCI-000172

SV-72985r5_rule The Windows 2012 DNS Server must generate audit records for the success and failure of all name server events.

Vulnerability discussion

Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. The actual auditing is performed by the OS/NDM, but the configuration to trigger the auditing is controlled by the DNS server.In order to compile an accurate risk assessment, it is essential for security personnel to know what is being performed on the system, where an event occurred, when an event occurred, and by whom the event was triggered. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured DNS system. If auditing is not comprehensive, it will not be useful for intrusion monitoring, security investigations, and forensic analysis. It is important, therefore, to log all possible data related to events so that they can be correlated and analyzed to determine the risk.Data required to be captured include: whether an event was successful or failed, the event type or category, timestamps for when the event occurred, where the event originated, who/what initiated the event, affect the event had on the DNS implementation and any processes associated with the event.

Check content

Log on to the DNS server using the Domain Admin or Enterprise Admin account. Open an elevated Windows PowerShell prompt on a DNS server using the Domain Admin or Enterprise Admin account. Use the “Get-DnsServerDiagnostics” cmdlet to view the status of individual diagnostic events. Verify following diagnostic events are set to "True": UseSystemEventLog Press “Windows Key + R”, execute “dnsmgmt.msc”. Right-click on the DNS server, select “Properties”. Click the “Event Logging” tab. By default, all events are logged. Verify "Errors and warnings" or "All events" is selected. If any option other than "Errors and warnings" or "All events" is selected, this is a finding. For Windows 2012 R2 DNS Server, the Enhanced DNS logging and diagnostics in Windows Server 2012 R2 must also be enabled. Run “eventvwr.msc” at an elevated command prompt. In the Event viewer, navigate to the applications and Services Logs\Microsoft\Windows\DNS Server. Right-click on the DNS Server, point to View, and then click "Show Analytic and Debug Logs". Right-click on Analytical and then click “Properties”. Confirm the "Enable logging" check box is selected. If the checkbox to enable analytic and debug logs is not enabled on a Windows 2012 R2 DNS server, this is a finding.

Fix text

Log on to the DNS server using the Domain Admin or Enterprise Admin account. If not automatically started, initialize the “Server Manager” window by clicking its icon from the bottom left corner of the screen. On the opened “Server Manager” window, from the left pane, click to select DNS. From the right pane, under the “SERVERS” section, right-click the DNS server. From the displayed context menu, click the “DNS Manager” option. Click on the “Event Logging” tab. Select the "Errors and warnings" or "All events" option. Click on “Apply”. Click on “OK”. For Windows 2012 R2 DNS Server, run eventvwr.msc at an elevated command prompt. In the Event viewer, navigate to the applications and Services Logs\Microsoft\Windows\DNS Server. Right-click DNS Server, point to View, and then click "Show Analytic and Debug Logs". Right-click Analytical and then click on “Properties”. Select the "Enable logging" check box. Click on “OK”.

Pro Tips

Powered by sagemincer