The Windows 2012 DNS Server must generate audit records for the success and failure of start and stop of the DNS Server service.

From Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide

Part of SRG-APP-000504-DNS-000074

Associated with: CCI-002702

SV-73149r3_rule The Windows 2012 DNS Server must generate audit records for the success and failure of start and stop of the DNS Server service.

Vulnerability discussion

Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being performed on the system, where an event occurred, when an event occurred, and by whom the event was triggered, in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, to recognize resource utilization or capacity thresholds, or to simply identify an improperly configured DNS system. If auditing is not comprehensive, it will not be useful for intrusion monitoring, security investigations, and forensic analysis.

Check content

Log on to the DNS server using the Domain Admin or Enterprise Admin account. Press Windows Key + R, execute dnsmgmt.msc. Right-click the DNS server, select Properties. Click on the Event Logging tab. By default, all events are logged. Verify "Errors and warnings" or "All events" is selected. If any option other than "Errors and warnings" or "All events" is selected, this is a finding. For Windows 2012 R2 DNS Server, the Enhanced DNS logging and diagnostics in Windows Server 2012 R2 must also be enabled. Run eventvwr.msc at an elevated command prompt. In the Event viewer, navigate to the applications and Services Logs\Microsoft\Windows\DNS Server. Right-click DNS Server, point to View, and then click "Show Analytic and Debug Logs". Right-click Analytical and then click on Properties. Confirm the "Enable logging" check box is selected. If the check box to enable analytic and debug logs is not enabled on a Windows 2012 R2 DNS server, this is a finding.

Fix text

Log on to the DNS server using the Domain Admin or Enterprise Admin account. Press Windows Key + R, execute dnsmgmt.msc. Right-click the DNS server, select Properties. Click on the Event Logging tab. By default, all events are logged. Select the "Errors and warnings" or "All events" option. Click on Apply. Click on OK. For Windows 2012 R2 DNS Server, run eventvwr.msc at an elevated command prompt. In the Event viewer, navigate to the applications and Services Logs\Microsoft\Windows\DNS Server. Right-click DNS Server, point to View, and then click "Show Analytic and Debug Logs". Right-click Analytical and then click on Properties. Select the "Enable logging" check box. Click on OK.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer