This checklist translates the Microsoft Windows Server DNS STIG into actionable steps for securing Windows DNS servers. It’s intended for system administrators and IT security staff who manage Active Directory–integrated, authoritative, or recursive Windows DNS servers.
- Apply latest Windows Server and DNS security patches — Install OS and DNS role updates from WSUS or Windows Update to address known vulnerabilities.
- Backup DNS zones and server configuration — Export zone files and registry settings or use server backup tools before changes.
- Disable recursion on authoritative DNS servers — Turn off recursion for servers that are authoritative only to prevent abuse.
- Restrict zone transfers to authorized IP addresses — Allow zone transfers only to specific secondary servers' IPs.
- Configure TSIG for authenticated zone transfers — Use TSIG shared secrets for secure zone transfers between servers.
- Enable DNSSEC for all zones — Plan and enable DNSSEC to ensure DNS data integrity and origin authentication.
- Generate and publish KSK and ZSK keys — Create appropriately sized KSK/ZSK per policy and store keys securely.
- Publish DS records to the parent zone — Submit DS records to the parent/registrar to enable chain of trust.
- Configure automatic key rollover (RFC5011) — Enable automated rollover to manage key lifecycles and reduce outages.
- Enable DNSSEC validation on recursive resolvers — Turn on validation to ensure clients receive authenticated DNS responses.
- Secure dynamic updates (allow only authenticated updates) — Require secure updates or AD-integrated zones to prevent unauthorized changes.
- Set ACLs and NTFS permissions on DNS files and folders — Limit write access to DNS files and DNS Admin group membership.
- Enable DNS server auditing and diagnostic logging — Activate event and debug logging to capture changes and suspicious activity.
- Configure response rate limiting (RRL) to mitigate abuse — Apply RRL settings to reduce amplification and reflected DDoS impact.
- Ensure time synchronization (NTP) across AD and DNS servers — Keep clocks synchronized to support DNSSEC and Kerberos operations.
- Harden DNS service account and limit administrative access — Apply least-privilege to service accounts and restrict DNS admin rights.
- Monitor DNS health and alerts (set up monitoring) — Create alerts for zone changes, failures, validation errors, and high query rates.
- Document DNS configuration, keys, and change control procedures — Record zone signing details, rollover schedule, and authorized transfer peers.
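The items above are applied and verified with the DnsServer PowerShell module on Windows Server. The script below is an added example, not part of this checklist or of the STIG itself: it audits a server against the configuration items the list describes (recursion, zone transfer scope, dynamic update mode, DNSSEC signing and RFC 5011 rollover, trust anchors, response rate limiting, event logging, time source) and offers a remediation function that can be previewed with `-WhatIf` before anything is changed. The function names, the `$AuthoritativeOnly` switch, the zone name `corp.example.com` and the secondary address `10.0.0.2` are placeholders I chose; the pass/fail thresholds are my reading of the checklist items, not values taken from the STIG.

```powershell
#Requires -Modules DnsServer
# Added example (not the page's or Microsoft's code). Run on the DNS server, or
# on a host with the DnsServer RSAT module and rights to manage the target.

function Test-DnsStigBaseline {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        # Assumption: operator sets this to match the server's role. Authoritative-only
        # servers must not recurse; recursive resolvers must validate DNSSEC.
        [bool]$AuthoritativeOnly = $true
    )
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding($Control, $Pass, $Detail) {
        $findings.Add([pscustomobject]@{
            Control = $Control
            Status  = if ($Pass) { 'PASS' } else { 'FAIL' }
            Detail  = $Detail
        })
    }

    # Recursion: an open recursive authoritative server is an amplification vector.
    $rec = Get-DnsServerRecursion -ComputerName $ComputerName
    Add-Finding 'Recursion disabled on authoritative-only server' `
        (-not $AuthoritativeOnly -or -not $rec.Enable) "Enable=$($rec.Enable)"

    # Response rate limiting (Windows Server 2016+): Mode is Enable, LogOnly or Disable.
    $rrl = Get-DnsServerResponseRateLimiting -ComputerName $ComputerName
    Add-Finding 'Response rate limiting enabled' ($rrl.Mode -eq 'Enable') "Mode=$($rrl.Mode)"

    # Event logging: level 0 means the DNS server writes no events at all.
    $diag = Get-DnsServerDiagnostics -ComputerName $ComputerName
    Add-Finding 'DNS event logging enabled' ($diag.EventLogLevel -ne 0) "EventLogLevel=$($diag.EventLogLevel)"

    # Validation on resolvers needs at least one trust anchor (e.g. the root KSK).
    $anchors = @(Get-DnsServerTrustAnchor -ComputerName $ComputerName -ErrorAction SilentlyContinue)
    Add-Finding 'DNSSEC trust anchors present (recursive resolvers)' `
        ($AuthoritativeOnly -or $anchors.Count -gt 0) "TrustAnchors=$($anchors.Count)"

    # Time source: DNSSEC signature validity and Kerberos both depend on correct clocks.
    $src = (& w32tm /query "/computer:$ComputerName" /source 2>&1) -join ' '
    Add-Finding 'Time source is not the local CMOS clock' ($src -notmatch 'Local CMOS Clock') "Source=$src"

    # Per-zone checks on primary zones the operator created.
    $zones = Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' -and $_.ZoneName -ne 'TrustAnchors' }
    foreach ($z in $zones) {
        $n = $z.ZoneName
        # Transfers only to the listed secondaries, or disabled entirely.
        Add-Finding "Zone transfers restricted: $n" `
            ($z.SecureSecondaries -in 'TransferToSecureServers', 'NoTransfer') `
            "SecureSecondaries=$($z.SecureSecondaries) SecondaryServers=$($z.SecondaryServers -join ',')"
        # Secure dynamic updates require an AD-integrated zone; no updates is also acceptable.
        Add-Finding "Dynamic updates secured: $n" ($z.DynamicUpdate -in 'Secure', 'None') `
            "DynamicUpdate=$($z.DynamicUpdate) DsIntegrated=$($z.IsDsIntegrated)"
        Add-Finding "Zone signed with DNSSEC: $n" $z.IsSigned "IsSigned=$($z.IsSigned)"
        if ($z.IsSigned) {
            $sec = Get-DnsServerDnsSecZoneSetting -ZoneName $n -ComputerName $ComputerName
            Add-Finding "RFC 5011 key rollover: $n" $sec.EnableRfc5011KeyRollover `
                "EnableRfc5011KeyRollover=$($sec.EnableRfc5011KeyRollover)"
        }
    }
    return $findings
}

function Set-DnsAuthoritativeHardening {
    # Remediation for an authoritative-only server; every change goes through
    # ShouldProcess so -WhatIf prints the plan and -Confirm prompts per step.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [Parameter(Mandatory)][string[]]$SecondaryServerIPs,   # authorized transfer peers only
        [string]$ComputerName = $env:COMPUTERNAME
    )
    if ($PSCmdlet.ShouldProcess($ComputerName, 'Disable recursion')) {
        Set-DnsServerRecursion -Enable $false -ComputerName $ComputerName
    }
    if ($PSCmdlet.ShouldProcess($ZoneName, "Restrict zone transfers to $($SecondaryServerIPs -join ',')")) {
        Set-DnsServerPrimaryZone -Name $ZoneName -ComputerName $ComputerName `
            -SecureSecondaries TransferToSecureServers -SecondaryServers $SecondaryServerIPs
    }
    $zone = Get-DnsServerZone -Name $ZoneName -ComputerName $ComputerName
    if ($zone.IsDsIntegrated -and $PSCmdlet.ShouldProcess($ZoneName, 'Require secure dynamic updates')) {
        Set-DnsServerPrimaryZone -Name $ZoneName -ComputerName $ComputerName -DynamicUpdate Secure
    }
    if ($PSCmdlet.ShouldProcess($ComputerName, 'Enable response rate limiting')) {
        Set-DnsServerResponseRateLimiting -Mode Enable -ComputerName $ComputerName -Force
    }
}

# Usage (placeholders): report first, then preview remediation before applying it.
# Test-DnsStigBaseline -AuthoritativeOnly $true | Format-Table -AutoSize
# Set-DnsAuthoritativeHardening -ZoneName 'corp.example.com' -SecondaryServerIPs '10.0.0.2' -WhatIf
```

The audit deliberately reads the same properties the remediation writes, so a second `Test-DnsStigBaseline` run after applying the changes doubles as the verification step; items that are procedural rather than configurable (backups, key storage, DS publication to the parent, documentation) are outside what the script can check and stay on the written checklist.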