STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 3 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Microsoft Windows Server Domain Name System (DNS) Security Technical Implementation Guide

V-259367

CAT II (Medium)

The Windows DNS Server must be configured to enforce authorized access to the corresponding private key.

Rule ID

SV-259367r1192655_rule

STIG

Microsoft Windows Server Domain Name System (DNS) Security Technical Implementation Guide

Version

V2R4

CCIs

CCI-000186

Discussion

The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, it will lead to the compromise of the authentication and nonrepudiation gained through PKI because the attacker can use the private key to digitally sign documents and pretend to be the authorized user. Both the holders of a digital certificate and the issuing authority must protect the computers, storage devices, or whatever they use to keep the private keys. SIG(0) is used for server-to-server authentication for DNS transactions, and it uses PKI-based authentication. In cases where SIG(0) is being used instead of TSIG (which uses a shared key, not PKI-based authentication), this requirement is applicable. Satisfies: SRG-APP-000176-DNS-000017, SRG-APP-000176-DNS-000019

Check Content

Navigate to the following location:

%ALLUSERSPROFILE%\Microsoft\Crypto\Keys

Note: If the folder above does not exist, this is not applicable.

Verify the permissions on the folder, subfolders, and files are limited to SYSTEM and Administrators FULL CONTROL.

In File Explorer:

For each folder, subfolder, and file, view the Properties.

Select the "Security" tab, and then click "Advanced".

Default permissions:
C:\ProgramData\Microsoft\Crypto\Keys
Type - "Allow" for all
Inherited from - "None" for all

Principal - Access - Applies to

SYSTEM - Full control - This folder, subfolders and files
Administrators - Full control - This folder, subfolders and files
Everyone - Read  - This folder, subfolders, and files

Alternately, use icacls:

Open a command prompt and enter "icacls" followed by the directory. 
For each folder, subfolder, and file, view the Properties.

"icacls %ALLUSERSPROFILE%\Microsoft\Crypto\Keys"

C:\ProgramData\microsoft\crypto\keys
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
BUILTIN\Administrators:(OI)(CI)(F)
Everyone:(OI)(CI)(R)
Successfully processed 1 files; Failed processing 0 files

If any other user or group has greater than READ privileges to the %ALLUSERSPROFILE%\Microsoft\Crypto\Keys folder, subfolders, and files, this is a finding.

Fix Text

Navigate to the following location:

%ALLUSERSPROFILE%\Microsoft\Crypto\Keys

Modify permissions on the keys folder, subfolders, and files to be limited to SYSTEM and Administrators FULL CONTROL, and to limit all other users/groups to READ. If additional permissions are needed, it must be documented and approved by the information system security officer (ISSO) or information system security manager (ISSM).