| Name | Guide to Securing Microsoft Windows 2000 DNS |
| Version | v1.0 |
| Status | Final |
| Creation Date | 2001-04-09 |
| Revision Date | |
| Product Category | Operating System - DNS |
| Vendor | |
| Product | Microsoft Windows 2000 Server DNS |
| Product Version | Microsoft Windows 2000 Server |
| Product Role | DNS Server |
| Checklist Summary | The purpose of this guide is to inform the reader about the available security settings for the Windows 2000 Domain Name System (DNS) Server Service, how to design a secure implementation of Windows 2000 DNS, and how to properly implement that design. The guide provides step-by-step instructions for many of the tasks recommended to secure this service. It presents detailed information on how to secure the service in a network environment, recommending security settings for individual DNS servers and describing how to use the Microsoft Management Console to implement these settings for the DNS service. Because DNS implementations will vary, the document is designed to give system administrators and network managers the ability to choose appropriate security settings for their environment. In addition, it contains a checklist and flowchart to use when configuring a Windows 2000 DNS Server Service while following the recommendations in this guide. Although the document assumes the reader will be implementing Windows 2000 DNS, the network planning sections hold true for all domain name servers that have the capability for dynamic updates and server records. |
| Known Issues | Do not attempt to implement any of the settings in this guide without first testing in a non-operational environment. This document is only a guide containing recommended security settings. It is not meant to replace well-structured policy or sound judgment. Furthermore, this guide does not address site-specific configuration issues. Care must be taken when implementing this guide to address local operational and policy concerns. The security changes described in this document only apply to Microsoft Windows 2000 systems and should not be applied to any other Windows versions or operating systems. |
| Target Audience | This checklist has been created for IT professionals. |
| Target Operational Environment | Enterprise wide distribution. |
| Checklist Installation Tools | |
| Rollback Capability | Not Available. |
| Testing Information | The security configuration guide has been extensively tested in a lab and operational environment. |
| NIAP/CMVP Status | |
| Regulatory Compliance | |
| Comments, Warnings, Disclaimer, Miscellaneous | Prior to loading Windows 2000 DNS and before implementing any of the recommendations in this guide, administrators should perform a complete backup of the system. Windows 2000 system administrators should ensure that the latest Windows 2000 service pack and hotfixes have been installed. Administrators should configure routers and firewalls to allow the appropriate traffic for the DNS Server. Administrators should also install the Microsoft Windows 2000 DNS Server Service, if it is not already installed. |
| Disclaimer | Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. Security configuration guides are provided for the Department of Defense and other government agencies requiring security configuration guidelines. The guides contain recommended security settings. They are not intended to replace well-structured policy or sound judgment. The guides do not address site-specific configuration issues. Care must be taken when implementing the guides to address local operational and policy concerns. All security changes described in the guides are applicable only to specifically identified operating systems or architecture components and should not be applied to any other operating system or architecture components. |
| Product Support | |
| Submitting Organization/Authors | National Security Agency |
| Point of Contact | SNAC.Guides@nsa.gov |
| Sponsor | |
| Licensing | Refer to the legal statement provided at: http://www.nsa.gov/notices/notic00004.cfm?Address=/snac/os/win2k/w2k_dns.pdf |
| Checklist Homepage | http://www.nsa.gov/ia/ |
| Download Package | w2k_dns.pdf |
| Integrity | SHA1 (w2k_dns.pdf) = e0de22cd8513431f990b8cf9c8b1ba4fafb0d23c; SHA256 (w2k_dns.pdf) = 2178aeb4046a39a024e0e40c6fdabb6a78129b7ed2ebd34b4f395f7924119b94 |
| Change History | v1.0, 2001-04-09 |
| Dependency/Requirement | |
| References | The following references have been cited throughout this document: Albitz, Paul and Cricket Liu, DNS and BIND, O'Reilly & Associates, 1998; Microsoft Web site, http://www.microsoft.com/. |
| NIST Identifier | 1017 |