If the check box to enable analytic and debug logs is not enabled on a Windows 2012 R2 DNS server, this is a finding. Right-click Analytical and then click on Properties.Ĭonfirm the "Enable logging" check box is selected. Right-click DNS Server, point to View, and then click "Show Analytic and Debug Logs".
In the Event viewer, navigate to the applications and Services Logs\Microsoft\Windows\DNS Server. Run eventvwr.msc at an elevated command prompt. If any option other than "Errors and warnings" or "All events" is selected, this is a finding.įor Windows 2012 R2 DNS Server, the Enhanced DNS logging and diagnostics in Windows Server 2012 R2 must also be enabled. Verify "Errors and warnings" or "All events" is selected.
Press Windows Key + R, execute dnsmgmt.msc.įrom the right pane, under the SERVERS section, right-click the DNS server.įrom the displayed context menu, click the DNS Manager option.Ĭlick on the Event Logging tab. Log on to the DNS server using the Domain Admin or Enterprise Admin account. Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide It is important, therefore, to log all possible data related to events so that they can be correlated and analyzed to determine the risk.ĭata required to be captured include: whether an event was successful or failed, the event type or category, timestamps for when the event occurred, where the event originated, who/what initiated the event, affect the event had on the DNS implementation and any processes associated with the event.
If auditing is not comprehensive, it will not be useful for intrusion monitoring, security investigations, and forensic analysis. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured DNS system. In order to compile an accurate risk assessment, it is essential for security personnel to know what is being performed on the system, where an event occurred, when an event occurred, and by whom the event was triggered. The actual auditing is performed by the OS/NDM, but the configuration to trigger the auditing is controlled by the DNS server. Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
0 kommentar(er)
