The Windows 2012 DNS Server log must be enabled.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-58549	WDNS-AU-000005	SV-72979r1_rule		Medium

Description
Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. The actual auditing is performed by the OS/NDM, but the configuration to trigger the auditing is controlled by the DNS server.

STIG	Date
Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide	2015-03-30

Details

Check Text ( C-59421r1_chk )
Log on to the DNS server using the Domain Admin or Enterprise Admin account. Press Windows Key + R, execute dnsmgmt.msc. Right-click the DNS server, select Properties. Click on the Event Logging tab. By default, all events are logged. Verify "Errors and warnings" or "All events" is selected. If any option other than "Errors and warnings" or "All events" is selected, this is a finding. For Windows 2012 R2 DNS Server, the Enhanced DNS logging and diagnostics in Windows Server 2012 R2 must also be enabled. Run eventvwr.msc at an elevated command prompt. In the Event viewer, navigate to the applications and Services Logs\Microsoft\Windows\DNS Server. Right-click DNS Server, point to View, and then click "Show Analytic and Debug Logs". Right-click Analytical and then click on Properties. Confirm the "Enable logging" check box is selected. Open an elevated Windows PowerShell prompt on a DNS server using the Domain Admin or Enterprise Admin account. Use the Get-DnsServerDiagnostics cmdlet to ensure the "EnableLogFileRollover" setting is configured to True. If the check box to enable analytic and debug logs is not enabled on a Windows 2012 R2 DNS server and/or the "EnableLogFileRollover" is False, this is a finding.

Check Text ( C-59421r1_chk )

Log on to the DNS server using the Domain Admin or Enterprise Admin account.

Press Windows Key + R, execute dnsmgmt.msc.

Right-click the DNS server, select Properties.

Click on the Event Logging tab. By default, all events are logged.

Verify "Errors and warnings" or "All events" is selected.

If any option other than "Errors and warnings" or "All events" is selected, this is a finding.

For Windows 2012 R2 DNS Server, the Enhanced DNS logging and diagnostics in Windows Server 2012 R2 must also be enabled.

Run eventvwr.msc at an elevated command prompt.

In the Event viewer, navigate to the applications and Services Logs\Microsoft\Windows\DNS Server.

Right-click DNS Server, point to View, and then click "Show Analytic and Debug Logs".

Right-click Analytical and then click on Properties.

Confirm the "Enable logging" check box is selected.

Open an elevated Windows PowerShell prompt on a DNS server using the Domain Admin or Enterprise Admin account.

Use the Get-DnsServerDiagnostics cmdlet to ensure the "EnableLogFileRollover" setting is configured to True.

If the check box to enable analytic and debug logs is not enabled on a Windows 2012 R2 DNS server and/or the "EnableLogFileRollover" is False, this is a finding.

Fix Text (F-63933r1_fix)
Log on to the DNS server using the Domain Admin or Enterprise Admin account. Press Windows Key + R, execute dnsmgmt.msc. Right-click the DNS server, select Properties. Click on the Event Logging tab. By default, all events are logged. Select the "Errors and warnings" or "All events" option. Click on Apply. Click on OK. For Windows 2012 R2 DNS Server, run eventvwr.msc at an elevated command prompt. In the Event viewer, navigate to the applications and Services Logs\Microsoft\Windows\DNS Server. Right-click DNS Server, point to View, and then click "Show Analytic and Debug Logs". Right-click Analytical and then click on Properties. Select the "Enable logging" check box. Open an elevated Windows PowerShell prompt on a DNS server using the Domain Admin or Enterprise Admin account. Use the Set-DnsServerDiagnostics - EnableLogFileRollover $true cmdlet to ensure the "EnableLogFileRollover" setting is configured to True. Click on OK.

Fix Text (F-63933r1_fix)

Log on to the DNS server using the Domain Admin or Enterprise Admin account.

Press Windows Key + R, execute dnsmgmt.msc.

Right-click the DNS server, select Properties.

Click on the Event Logging tab. By default, all events are logged.

Select the "Errors and warnings" or "All events" option.

Click on Apply.

Click on OK.

For Windows 2012 R2 DNS Server, run eventvwr.msc at an elevated command prompt.

In the Event viewer, navigate to the applications and Services Logs\Microsoft\Windows\DNS Server.

Right-click DNS Server, point to View, and then click "Show Analytic and Debug Logs".

Right-click Analytical and then click on Properties.
Select the "Enable logging" check box.

Open an elevated Windows PowerShell prompt on a DNS server using the Domain Admin or Enterprise Admin account.

Use the Set-DnsServerDiagnostics - EnableLogFileRollover $true cmdlet to ensure the "EnableLogFileRollover" setting is configured to True.

Click on OK.