DnsStig.psm1
|
Function Set-DnsServerStig { <# .SYNOPSIS Implements all STIGs contained in this module within the specified forest. .DESCRIPTION The Set-DnsServerStig cmdlet implements all of the STIGs in this module. .PARAMETER Forest The DNS Forest to configure. .PARAMETER RemoveProhibitedRecords Option to remove found prohibited records of type HINFO, RP, TXT, and LOC. .PARAMETER Credential The credential to use, requires Enterprise Admin rights. .EXAMPLE PS C:\>Set-DnsServerStig Implements all STIGs contained in this module within the specified forest, but does not removed prohibited record types. .EXAMPLE PS C:\>Set-DnsServerStig -RemoveProhibitedRecords Implements all STIG settings contained in this module and removes prohibited record types. .INPUTS System.String .OUTPUTS None .NOTES AUTHOR: Michael Haken LAST UPDATE: 2/28/2016 #> Param( [Parameter(Position=0,ValueFromPipeline=$true)] [string]$Forest = [System.String]::Empty, [Parameter()] [switch]$RemoveProhibitedRecords = $false, [Parameter()] [ValidateNotNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.Credential()] $Credential = [System.Management.Automation.PSCredential]::Empty ) Begin { } Process { if (!(Test-IsEnterpriseAdmin -Credential $Credential)) { Write-Error "The cmdlet must be run with Enterprise Admin credentials." Exit 1 } Write-Host "Starting DNS STIG" if ($RemoveProhibitedRecords) { Remove-DnsServerProhibitedRecords -Forest $Forest -Credential $Credential } else { Get-DnsServerProhibitedRecords -Forest $Forest -Credential $Credential | ForEach-Object { Write-Warning ($_.Record | Out-String) } } Get-DnsServersRunningIPv6 -Forest $Forest -Credential $Credential | ForEach-Object { Write-Warning $_.ComputerName } Get-InactiveDnsServers -Forest $Forest | ForEach-Object { Write-Warning "Inactive server: $_" } Set-DnsServerZoneSecureUpdates -Forest $Forest -Credential $Credential Set-DnsServerDisableRootHints -Forest $Forest -Credential $Credential Set-DnsServerRecursionAndForwarders -Forest $Forest -Credential $Credential Set-DnsServerCryptoFolderPermissions -Forest $Forest -Credential $Credential Set-DnsServerZoneTransfers -Forest $Forest -Credential $Credential Set-DnsServerLogPermissions -Forest $Forest -Credential $Credential Set-DnsServerLogging -Forest $Forest -Credential $Credential Set-DnsServerVersionQuery -Forest $Forest -Credential $Credential Remove-DnsServerZoneIPv6LinkLocalAddresses -Forest $Forest -Credential $Credential } End {} } Function Remove-DnsServerProhibitedRecords { <# .SYNOPSIS The HINFO, RP, TXT and LOC RR types must not be used in the zone SOA. .DESCRIPTION The Remove-DnsServerProhibitedRecords cmdlet gets and then removes all prohibited records from each zone in the forest. .PARAMETER Forest The DNS Forest to configure. .PARAMETER Credential The credential to use, requires Enterprise Admin rights. .EXAMPLE PS C:\>Remove-DnsServerProhibitedRecords Removes all of the prohibited records in the current user forest. .INPUTS System.String .OUTPUTS None .NOTES AUTHOR: Michael Haken LAST UPDATE: 2/28/2016 .FUNCTIONALITY STIG Microsoft Windows 2012 Server DNS V1R2 STIG ID WDNS-SI-000004 Rule ID SV-73169r1 Vuln ID V-58739 Severity CAT II #> Param( [Parameter(Position=0,ValueFromPipeline=$true)] [string]$Forest = [System.String]::Empty, [Parameter(Position=1)] [ValidateNotNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.Credential()] $Credential = [System.Management.Automation.PSCredential]::Empty ) Begin { } Process { if (!(Test-IsEnterpriseAdmin -Credential $Credential)) { Write-Error "The cmdlet must be run with Enterprise Admin credentials." Exit 1 } Write-Host "Removing DNS Server Prohibited Entries." Get-DnsServerProhibitedRecords -Forest $Forest -Credential $Credential | ForEach-Object { $Record = ($_.Record | Out-String) Write-Warning "Removing record $Record" try { $Server = Resolve-DnsName -Name $_.ZoneName -ErrorAction Stop | Select-Object -ExpandProperty PrimaryServer if ([System.String]::IsNullOrEmpty($Server)) { Write-Warning "PrimaryServer attribute was null, using the zone name for the server." $Server = $_.ZoneName } Remove-DnsServerResourceRecord -ZoneName $_.ZoneName -ComputerName $Server -InputObject $_.Record -Force -Confirm:$false } catch [Exception] { Write-Warning "Error removing record $Record`: $($_.ToString())" } } Write-Host "Removing prohibited entries complete." } End { } } Function Get-DnsServerProhibitedRecords { <# .SYNOPSIS The HINFO, RP, TXT and LOC RR types must not be used in the zone SOA. .DESCRIPTION The Get-DnsServerProhibitedRecords cmdlet gets all prohibited records from each zone in the forest. .PARAMETER Forest The DNS Forest to search. .PARAMETER Credential The credential to use, requires Enterprise Admin rights. .EXAMPLE PS C:\>Get-DnsServerProhibitedRecords Gets all of the prohibited records in the current user forest. .INPUTS System.String .OUTPUTS PSObject[] .NOTES AUTHOR: Michael Haken LAST UPDATE: 2/28/2016 .FUNCTIONALITY STIG Microsoft Windows 2012 Server DNS V1R2 STIG ID WDNS-SI-000004 Rule ID SV-73169r1 Vuln ID V-58739 Severity CAT II #> Param( [Parameter(Position=0, ValueFromPipeline=$true)] [string]$Forest = [System.String]::Empty, [Parameter()] [ValidateNotNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.Credential()] $Credential = [System.Management.Automation.PSCredential]::Empty ) Begin { } Process { Write-Host "Getting DNS Server prohibited entries." $BadRecords = @() Get-ForestDnsZones -ZoneType All -LookupType Forward -Forest $Forest -Credential $Credential | ForEach-Object { try { Write-Host "Getting entries for zone $($_.ZoneName)" $Zone = $_.ZoneName $Server = Resolve-DnsName -Name $_.ZoneName -ErrorAction Stop | Select-Object -ExpandProperty PrimaryServer if ([System.String]::IsNullOrEmpty($Server)) { Write-Warning "PrimaryServer attribute was null, using the zone name for the server." $Server = $_.ZoneName } $Records = @(Get-DnsServerResourceRecord -ComputerName $Server -ZoneName $_.ZoneName | Where-Object {$_.RecordType -in @("Hinfo","RP","TXT","LOC")}) if ($Records.Count -gt 0) { foreach ($Record in $Records) { $BadRecords += @{Record=($Record);ZoneName=$_.ZoneName} } } } catch [Exception] { Write-Warning "Error getting resource records for $Zone : $($_.ToString())" } } Write-Output -InputObject $BadRecords } End { } } Function Get-DnsServersRunningIPv6 { <# .SYNOPSIS When IPv6 protocol is installed, the server must also be configured to answer for IPv6 AAAA records. .DESCRIPTION The Get-DnsServersRunningIPv6 checks each DNS server in the forest to see if it has IPv6 enabled. If it does, but does not host AAAA records, it is returned as part of an array. .PARAMETER Forest The DNS Forest to test. .PARAMETER Credential The credential to use, requires Enterprise Admin rights. .EXAMPLE PS C:\>Get-DnsServersRunningIPv6 Gets all of the DNS servers in the forest running IPv6 and not hosting AAAA records. .INPUTS System.String .OUTPUTS PSObject[] .NOTES AUTHOR: Michael Haken LAST UPDATE: 2/28/2016 .FUNCTIONALITY STIG Microsoft Windows 2012 Server DNS V1R2 STIG ID WDNS-CM-000028 Rule ID SV-73057r1 Vuln ID V-58627 Severity CAT II #> Param( [Parameter(Position=0,ValueFromPipeline=$true)] [string]$Forest = [System.String]::Empty, [Parameter()] [ValidateNotNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.Credential()] $Credential = [System.Management.Automation.PSCredential]::Empty ) Begin { } Process { Write-Host "Getting DNS Servers running IPv6 and not hosting AAAA records." #0xFFFFFFFF - IPv6 Disabled On All Interfaces #0xFFFFFFFE - IPv6 Enabled only on tunnel interfaces #0xFFFFFFEF - IPv6 Disabled On Tunnel Interfaces, Enabled On All Others #0xFFFFFFEE - IPv6 Disabled On Loopback Interface, Enabled On All Others #0xFFFFFFDF - IPv6 Disabled, Prefer IPv6 over IpV4 #0xFFFFFFDE - IPv6 Enabled Only On Tunnel Interfaces, Prefer IPv6 of IPv4 #0xFFFFFFCF - IPv6 Enabled On All Non Tunnel Interfaces, Prefer IPv6 over IPv4 #0xFFFFFFCE - IPv6 Disabled On Loopback Interface, Prefer IPv6 over IPv4 #0x000000FF - IPv6 Disabled On All Interfaces #0x00000020 - IPv6 Prefer IPv4 over IPv6 by changing entries in prefix policy table = 100000 #0x00000010 - IPv6 Disabled on LAN and PPP interfaces = 010000 #0x00000008 - Disable Teredo = 001000 #0x00000004 - Disable ISATAP = 000100 #0x00000002 - Disable 6to4 = 000010 #0x00000001 - IPv6 Disabled on Tunnel Interfaces including ISATAP, 6to4 and Teredo = 000001 $DnsServers = Get-ForestDnsServers -Forest $Forest -Credential $Credential $Zones = Get-ForestDnsZones -Forest $Forest -LookupType Forward -Credential $Credential $BadZones = @() foreach ($Server in $DnsServers) { $RegPropertyExists = Invoke-Command -ComputerName $Server -ScriptBlock ${function:Test-RegistryEntry} -ArgumentList "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters","DisabledComponents" -Credential $Credential if ($RegPropertyExists) { $State = Invoke-Command -ComputerName $Server -ScriptBlock {Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" -Name DisabledComponents} -Credential $Credential $DisabledValues = @([System.Convert]::ToString(0xFFFFFFFF, 16), [System.Convert]::ToString(0xFFFFFFFE, 16), [System.Convert]::ToString(0x00000011, 16)) } #If IPv6 isn't disabled on the entire system check each individual adapter if (-not $RegPropertyExists -or (-not $DisabledValues.Contains([System.Convert]::ToString($State.DisabledComponents, 16)))) { #Will return the number of network adapters with IPv6 Binding enabled $Adapters = @(Invoke-Command -ComputerName $Server -ScriptBlock {Get-NetAdapter | Where-Object{ (Get-NetAdapterBinding -InterfaceDESCRIPTION $_.InterfaceDESCRIPTION -ErrorAction SilentlyContinue | Where-Object {$_.ComponentID -eq "ms_tcpip6" -and $_.Enabled -eq $true})}} -Credential $Credential) if ($Adapters.Count -gt 0) { Get-SpecificServerDnsZones -ComputerName $Server -LookupType Forward | ForEach-Object { if (@(Get-DnsServerResourceRecord -ComputerName $Server -RRType AAAA -ZoneName $_.ZoneName).Count -eq 0) { $BadZones += @{ComputerName = $Server;ZoneName=$_.ZoneName;Adapters=$Adapters} } } } } } if ($BadZones.Count -gt 0) { Write-Warning "Found servers without AAAA records that have IPv6 enabled." } Write-Output -InputObject $BadZones } End { } } Function Set-DnsServerNotifySecondaryServers { <# .SYNOPSIS The Windows 2012 DNS Server must use DNS Notify to prevent denial of service through increase in workload. .DESCRIPTION The Set-DnsServerNotifySecondaryServers cmdlet ensures the Notify secondary servers is enabled for any DNS zone that allows zone transfers. .PARAMETER Forest The DNS Forest to configure. .PARAMETER Credential The credential to use, requires Enterprise Admin rights. .EXAMPLE PS C:\>Set-DnsServerNotifySecondaryServers Ensures Notify is enabled for any DNS servers allowing zone transfers to secondaries. .INPUTS System.String .OUTPUTS None .NOTES AUTHOR: Michael Haken LAST UPDATE: 12/8/2015 .FUNCTIONALITY STIG Microsoft Windows 2012 Server DNS V1R2 STIG ID WDNS-SC-000027 Rule ID SV-73129r1 Vuln ID V-58699 Severity CAT II #> Param( [Parameter(Position=0,ValueFromPipeline=$true)] [string]$Forest = [System.String]::Empty, [Parameter()] [ValidateNotNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.Credential()] $Credential = [System.Management.Automation.PSCredential]::Empty ) Begin { } Process { if (!(Test-IsEnterpriseAdmin -Credential $Credential)) { Write-Error "The cmdlet must be run with Enterprise Admin credentials." Exit 1 } Write-Host "Setting secondary server notification settings." $Servers = Get-ForestDnsServers -Forest $Forest -Credential $Credential foreach ($Server in $Servers) { Get-SpecificServerDnsZones -ComputerName $Server -ZoneType Primary -Credential $Credential | ForEach-Object { if ($_.SecureSecondaries -ne "NoTransfer") { Set-DnsServerPrimaryZone -Name $_.ZoneName -ComputerName $Server -Notify Notify } } } Write-Host "Completed setting secondary server notification settings." } End { } } Function Remove-DnsServerWINSForwardLookup { <# .SYNOPSIS WINS lookups must be disabled on the Windows 2012 DNS Server. .DESCRIPTION The Remove-DnsServerWINSForwardLookup disabled WINS forward lookup on each DNS server in the forest. .PARAMETER Forest The DNS Forest to configure. .PARAMETER Credential The credential to use, requires Enterprise Admin rights. .EXAMPLE PS C:\>Remove-DnsServerWINSForwardLookup Disables WINS lookups on all DNS servers in the forest. .INPUTS System.String .OUTPUTS None .NOTES AUTHOR: Michael Haken LAST UPDATE: 2/28/2016 .FUNCTIONALITY STIG Microsoft Windows 2012 Server DNS V1R2 STIG ID WDNS-SC-000006 Rule ID SV-73091r1 Vuln ID V-58661 Severity CAT II #> Param( [Parameter(Position=0,ValueFromPipeline=$true)] [string]$Forest = [System.String]::Empty, [Parameter()] [ValidateNotNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.Credential()] $Credential = [System.Management.Automation.PSCredential]::Empty ) Begin { } Process { if (!(Test-IsEnterpriseAdmin -Credential $Credential)) { Write-Error "The cmdlet must be run with Enterprise Admin credentials." Exit 1 } Write-Host "Setting WINS server settings." $Servers = Get-ForestDnsServers -Forest $Forest foreach ($Server in $Servers) { Get-SpecificServerDnsZones -ComputerName $Server -ZoneType Primary -LookupType Forward | ForEach-Object { #TODO: Set WINS Setting } } Write-Host "Completed WINS server settings." } End { } } Function Set-DnsServerCryptoFolderPermissions { <# .SYNOPSIS The Windows 2012 DNS Server must be configured to enforce authorized access to the corresponding private key. .DESCRIPTION The Set-DnsServerCryptoFolderPermissions sets %ALLUSERSPROFILE%\Microsoft\Crypto folder, subfolders, and files to Full Control for SYSTEM and Administrators and removes all other privileges. The owner for the folder, subfolders, and files is also set to BUILTIN\Administrators. .PARAMETER Forest The DNS Forest to configure. .PARAMETER Credential The credential to use, requires Enterprise Admin rights. .EXAMPLE PS C:\>Set-DnsServerCryptoFolderPermissions Sets The permissions and owner for the crypto directory. .INPUTS System.String .OUTPUTS None .NOTES AUTHOR: Michael Haken LAST UPDATE: 2/28/2016 .FUNCTIONALITY STIG Microsoft Windows 2012 Server DNS V1R2 STIG ID WDNS-IA-000006 WDNS-IA-000007 WDNS-IA-000008 Rule ID SV-73071r1 SV-73073r1 SV-73075r1 Vuln ID V-58641 V-58643 V-58645 Severity CAT II #> Param( [Parameter(Position=0,ValueFromPipeline=$true)] [string]$Forest = [System.String]::Empty, [Parameter()] [ValidateNotNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.Credential()] $Credential = [System.Management.Automation.PSCredential]::Empty ) Begin { } Process { if (!(Test-IsEnterpriseAdmin -Credential $Credential)) { Write-Error "The cmdlet must be run with Enterprise Admin credentials." Exit 1 } Write-Host "Setting Dns Server crypto folder owner and permissions." $Servers = Get-ForestDnsServers -Forest $Forest -Credential $Credential $Path = "$env:ALLUSERSPROFILE\Microsoft\Crypto" [System.Security.AccessControl.FileSystemAccessRule[]]$Rules = New-CryptoFolderAccessRuleSet foreach ($Server in $Servers) { Write-Host "Setting file permissions on $Server" $ServerPath = "\\$Server\" + $Path.Replace(":\","$\") Set-FileSecurity -Path $ServerPath -AccessRules $Rules -ReplaceAll -ForceChildInheritance Write-Host "Setting folder owner on $Server" Invoke-Command -ComputerName $Server -Scriptblock ${function:Set-Owner} -ArgumentList @($Path,"BUILTIN\Administrators",$true) } Write-Host "Completed setting crypto folder owner and permissions." } End { } } Function Set-DnsServerLogPermissions { <# .SYNOPSIS The Windows 2012 DNS Server logging criteria must only be configured by the ISSM or individuals appointed by the ISSM. .DESCRIPTION The cmdlet assigns specific access permissions for the DNS server logs The command must be run with Enterprise Admin credentials. .PARAMETER Forest The Forest in which to configure DNS servers. .PARAMETER Credential The credential to use, requires Enterprise Admin rights. .EXAMPLE PS C:\>Set-DnsServerLogPermissions Sets the c:\windows\system32\winevt folder to the default permissions and forces inheritance on all log files. .INPUTS System.String .OUTPUTS None .NOTES AUTHOR: Michael Haken LAST UPDATE: 2/28/2016 .FUNCTIONALITY STIG Microsoft Windows 2012 Server DNS V1R2 STIG ID WDNS-AU-000007 Rule ID SV-72983r1 Vuln ID V-58553 Severity CAT II #> Param( [Parameter(Position=0,ValueFromPipeline=$true)] [string]$Forest = [System.String]::Empty, [Parameter()] [ValidateNotNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.Credential()] $Credential = [System.Management.Automation.PSCredential]::Empty ) Begin { } Process { if (!(Test-IsEnterpriseAdmin -Credential $Credential)) { Write-Error "The cmdlet must be run with Enterprise Admin credentials." Exit 1 } Write-Host "Setting Dns Server log permissions." $Servers = Get-ForestDnsServers -Forest $Forest -Credential $Credential $Path = "$env:SYSTEMROOT\System32\Winevt\Logs" $Rules = New-EventLogAccessRuleSet foreach ($Server in $Servers) { Write-Host $Server $ServerPath = "\\$Server\" + $Path.Replace(":\","$\") Set-FileSecurity -Path $ServerPath -AccessRules $Rules -ReplaceAll -ForceChildInheritance } Write-Host "Completed setting Dns Server log permissions." } End { } } Function Set-DnsServerZoneTransfers { <# .SYNOPSIS The Windows DNS primary server must only send zone transfers to a specific list of secondary name servers. .DESCRIPTION The Set-DnsServerZoneTransfers cmdlet checks each DNS server in the forest to see if it has zone transfers enabled. If it does and are allowed "To any server", then the setting is changed to "Only to servers on the Name Servers tab". .PARAMETER Forest The DNS Forest to configure. .PARAMETER Credential The credential to use, requires Enterprise Admin rights. .EXAMPLE PS C:\>Set-DnsServerZoneTransfers Sets all DNS servers in the forest that have zone transfers enabled to any server to only servers on the Name Servers tab. .INPUTS System.String .OUTPUTS None .NOTES AUTHOR: Michael Haken LAST UPDATE: 2/28/2016 .FUNCTIONALITY STIG Microsoft Windows 2012 Server DNS V1R2 STIG ID WDNS-IA-000004 Rule ID SV-73067r1 Vuln ID V-58637 Severity CAT II #> Param( [Parameter(Position=0,ValueFromPipeline=$true)] [string]$Forest = [System.String]::Empty, [Parameter()] [ValidateNotNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.Credential()] $Credential = [System.Management.Automation.PSCredential]::Empty ) Begin { } Process { if (!(Test-IsEnterpriseAdmin -Credential $Credential)) { Write-Error "The cmdlet must be run with Enterprise Admin credentials." Exit 1 } Write-Host "Setting DNS Server Zone Transfer settings." $Servers = Get-ForestDnsServers -Forest $Forest -Credential $Credential foreach ($Server in $Servers) { Get-SpecificServerDnsZones -ComputerName $Server -ZoneType Primary | ForEach-Object { if ($_.SecureSecondaries -eq "TransferAnyServer") { Write-Warning "DNS Server $Server was set to transfer to any server, fixing..." Set-DnsServerPrimaryZone -Name $_.ZoneName -ComputerName $Server -SecureSecondaries TransferToZoneNameServer Write-Host "Done fixing $Server." } } } Write-Host "Completed setting DNS Server zone transfer settings" } End { } } Function Remove-DnsServerZoneIPv6LinkLocalAddresses { <# .SYNOPSIS Non-routable IPv6 link-local scope addresses must not be configured in any zone. .DESCRIPTION The Remove-DnsServerZoneIPv6LinkLocalAddresses cmdlet gets all AAAA records in each zone and removes any link-local scope addresses. .PARAMETER Forest The DNS Forest to configure. .PARAMETER Credential The credential to use, requires Enterprise Admin rights. .EXAMPLE PS C:\>Remove-DnsServerZoneIPv6LinkLocalAddresses Removes all IPv6 link-local addresses from all DNS Zones .INPUTS System.String .OUTPUTS None .NOTES AUTHOR: Michael Haken LAST UPDATE: 2/28/2016 .FUNCTIONALITY STIG Microsoft Windows 2012 Server DNS V1R2 STIG ID WDNS-CM-000026 Rule ID SV-73053r1 Vuln ID V-58623 Severity CAT II #> Param( [Parameter(Position=0,ValueFromPipeline=$true)] [string]$Forest = [System.String]::Empty, [Parameter()] [ValidateNotNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.Credential()] $Credential = [System.Management.Automation.PSCredential]::Empty ) Begin { } Process { if (!(Test-IsEnterpriseAdmin -Credential $Credential)) { Write-Error "The cmdlet must be run with Enterprise Admin credentials." Exit 1 } Write-Host "Removing IPv6 link local addresses from DNS." $Zones = @() Get-ForestDNSServers -Forest $Forest -Credential $Credential | ForEach-Object { $Zones += Get-DnsServerZone -ComputerName $_ -WarningAction SilentlyContinue | Where-Object {$_.IsReverseLookupZone -eq $false} } $Zones | Group-Object -Property ZoneName | ForEach-Object { $Zone = $_.Name $Zone try { $Server = Resolve-DnsName -Name $Zone -ErrorAction Stop | Select-Object -ExpandProperty PrimaryServer if ([System.String]::IsNullOrEmpty($Server)) { Write-Warning "PrimaryServer attribute was null, using the zone name for the server." $Server = $Zone } $RemovedRecords = Get-DnsServerResourceRecord -ZoneName $Zone -RRType AAAA -ComputerName $Server | Where-Object {$_.RecordData -match "^FE[89AB].*$"} | Remove-DnsServerResourceRecord -ComputerName $Zone -ZoneName $Zone -Force -Confirm:$false -PassThru if ($RemovedRecords.Count -gt 0) { Write-Warning "Removed the following records:" Write-Warning $RemovedRecords } else { Write-Host "No records to remove." } } catch [Exception] { Write-Warning "Could not get records for zone: $Zone`: $($_.ToString())" } } Write-Host "Completed removing IPv6 link local addresses." } End { } } Function Get-InactiveDnsServers { <# .SYNOPSIS The Windows 2012 DNS Servers zone files must have NS records that point to active name servers authoritative for the domain specified in that record. .DESCRIPTION The Get-InactiveDnsServers cmdlet gets all NS records for a forest and then tries to resolve the NS record hostname on that NS server. Any non-active DNS servers are returned. .PARAMETER Forest The DNS Forest to test against. .EXAMPLE PS C:\>Get-InactiveDnsServers Returns a list of any non-active DNS servers in the forest. .INPUTS System.String .OUTPUTS System.String[] .NOTES AUTHOR: Michael Haken LAST UPDATE: 2/28/2016 .FUNCTIONALITY STIG Microsoft Windows 2012 Server DNS V1R2 STIG ID WDNS-CM-000010 Rule ID SV-73023r1 Vuln ID V-58593 Severity CAT I #> Param( [Parameter(Position=0,ValueFromPipeline=$true)] [string]$Forest = [System.String]::Empty ) Begin { } Process { $InactiveServers = @() Write-Host "Getting all inactive DNS servers." Get-ForestDnsServers -Forest $Forest | ForEach-Object { $Server = $_ try { Resolve-DnsName -Name $_ -Server $_ -ErrorAction Stop | Out-Null } catch [Exception] { $InactiveServers += $Server } } Write-Output -InputObject $InactiveServers } End { } } Function Set-DnsServerDisableRootHints { <# .SYNOPSIS Forwarders on an authoritative Windows 2012 DNS Server, if enabled for external resolution, must only forward to either an internal, non-AD-integrated DNS server or to the DoD Enterprise Recursive Services (ERS). .DESCRIPTION The Set-DnsServerDisableRootHints cmdlet removes all root hints and disables using root hints on each DNS server in the forest. The command must be run with Enterprise Admin credentials. .PARAMETER Forest The DNS Forest to set the root hints settings on. .PARAMETER Credential The credential to use, requires Enterprise Admin rights. .EXAMPLE PS C:\>Set-DnsServerDisableRootHints Disables root hints on all servers and removes root hints on all servers. .INPUTS System.String .OUTPUTS None .NOTES AUTHOR: Michael Haken LAST UPDATE: 2/28/2016 .FUNCTIONALITY STIG Microsoft Windows 2012 Server DNS V1R2 STIG ID WDNS-CM-000004 WDNS-CM-000022 Rule ID SV-73011r1 SV-73045r1 Vuln ID V-58581 V-58615 Severity CAT II #> Param( [Parameter(Position=0,ValueFromPipeline=$true)] [string]$Forest = [System.String]::Empty, [Parameter()] [ValidateNotNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.Credential()] $Credential = [System.Management.Automation.PSCredential]::Empty ) Begin { } Process { if (!(Test-IsEnterpriseAdmin -Credential $Credential)) { Write-Error "The cmdlet must be run with Enterprise Admin credentials." Exit 1 } Write-Host "Disabling all DNS server root hints." $Servers = Get-ForestDnsServers -Forest $Forest -Credential $Credential foreach ($Server in $Servers) { Get-DnsServerRootHint -ComputerName $Server | Remove-DnsServerRootHint -ComputerName $Server -Force -Confirm:$false Invoke-Command -ComputerName $Server -ScriptBlock {Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters" -Name "IsSlave" -Value 1 } -Credential $Credential } } End { } } Function Set-DnsServerRecursionAndForwarders { <# .SYNOPSIS The Windows 2012 DNS Server must prohibit recursion on authoritative name servers for which forwarders have not been configured for external queries. .DESCRIPTION The Set-DnsServerRecursionAndForwarders cmdlet checks to see if forwarders are disabled, if they are it also disables recursion. The command must be run with Enterprise Admin credentials. .PARAMETER Forest The DNS Forest to set the recursion setting on. .PARAMETER Credential The credential to use, requires Enterprise Admin rights. .EXAMPLE PS C:\>Set-DnsServerRecursionAndForwarders Disables recursion on all DNS servers without forwarders .INPUTS System.String .OUTPUTS None .NOTES AUTHOR: Michael Haken LAST UPDATE: 2/28/2016 .FUNCTIONALITY STIG Microsoft Windows 2012 Server DNS V1R2 STIG ID WDNS-CM-000003 Rule ID SV-73009r1 Vuln ID V-58579 Severity CAT II #> Param( [Parameter(Position=0,ValueFromPipeline=$true)] [string]$Forest = [System.String]::Empty, [Parameter()] [ValidateNotNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.Credential()] $Credential = [System.Management.Automation.PSCredential]::Empty ) Begin { } Process { if (!(Test-IsEnterpriseAdmin -Credential $Credential)) { Write-Error "The cmdlet must be run with Enterprise Admin credentials." Exit 1 } Write-Host "Setting DNS recursion and forwarders settings." $Servers = Get-ForestDnsServers -Forest $Forest -Credential $Credential foreach ($Server in $Servers) { $Forwarders = Get-DnsServerForwarder -ComputerName $Server if ($Forwarders.IPAddress.Count -eq 0) { Set-DnsServerRecursion -ComputerName $Server -Enable $false } } Write-Host "Completed setting recursions and forwarders." } End { } } Function Set-DnsServerZoneSecureUpdates { <# .SYNOPSIS The Windows 2012 DNS Server must restrict incoming dynamic update requests to known clients. .DESCRIPTION The Set-DnsServerZoneSecureUpdates cmdlet turns on secure updates only for all DNS servers in the forest. The command must be run with Enterprise Admin credentials. .PARAMETER Forest The DNS Forest to set secure updates on. .PARAMETER Credential The credential to use, requires Enterprise Admin rights. .EXAMPLE PS C:\>Set-DnsServerZoneSecureUpdates Enforces secure updates on each primary zone in the current user forest. .INPUTS System.String .OUTPUTS None .NOTES AUTHOR: Michael Haken LAST UPDATE: 2/28/2016 .FUNCTIONALITY STIG Microsoft Windows 2012 Server DNS V1R2 STIG ID WDNS-AC-000001 WDNS-IA-000001 Rule ID SV-72667r1 SV-73061r1 Vuln ID V-58237 V-58631 Severity CAT II #> Param( [Parameter(Position=0,ValueFromPipeline=$true)] [string]$Forest = [System.String]::Empty, [Parameter()] [ValidateNotNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.Credential()] $Credential = [System.Management.Automation.PSCredential]::Empty ) Begin { } Process { if (!(Test-IsEnterpriseAdmin -Credential $Credential)) { Write-Error "The cmdlet must be run with Enterprise Admin credentials." Exit 1 } Write-Host "Setting secure updates on Dns Servers." Get-ForestDnsZones -Forest $Forest -ZoneType Primary -DsIntegration DsIntegrated -Credential $Credential | ForEach-Object { Write-Host "Configuring secure dynamic updates on $($_.ZoneName)" $Zone = $_.ZoneName try { $Server = Resolve-DnsName -Name $_.ZoneName -ErrorAction Stop | Select-Object -ExpandProperty PrimaryServer if ([System.String]::IsNullOrEmpty($Server)) { Write-Warning "PrimaryServer attribute was null, using the zone name for the server." $Server = $_.ZoneName } Set-DnsServerPrimaryZone -Name $_.ZoneName -DynamicUpdate Secure -ComputerName $Server } catch [Exception] { Write-Warning "Error setting secure dynamic updates on $Zone`: $($_.ToString())" } } Write-Host "Completed setting secure updates." } End { } } Function Set-DnsServerLogging { <# .SYNOPSIS The Windows 2012 DNS Server must be configured to record, and make available to authorized personnel, who added/modified/deleted DNS zone information. .DESCRIPTION The cmdlet turns on logging and log rollover on every DNS server in the forest. The command must be run with Enterprise Admin credentials. .PARAMETER Forest The DNS Forest to set secure updates on. .PARAMETER Credential The credential to use, requires Enterprise Admin rights. .EXAMPLE PS C:\>Set-DnsServerLogging Enables logging on every DNS server in the current user's forest. .INPUTS System.String .OUTPUTS None .NOTES AUTHOR: Michael Haken LAST UPDATE: 2/28/2016 .FUNCTIONALITY STIG Microsoft Windows 2012 Server DNS V1R2 STIG ID WDNS-AU-000001 WDNS-AU-000005 WDNS-AU-000006 WDNS-AU-000007 WDNS-AU-000008 WDNS-AU-000010 WDNS-AU-000011 WDNS-AU-000012 WDNS-AU-000013 WDNS-AU-000014 WDNS-AU-000015 WDNS-SI-000009 Rule ID SV-72973r1 SV-72979r1 SV-72981r1 SV-72983r1 SV-72985r1 SV-72991r1 SV-72993r1 SV-72995r1 SV-72997r1 SV-72999r1 SV-73001r1 SV-73149r1 Vuln ID V-58543 V-58549 V-58551 V-58553 V-58555 V-58561 V-58563 V-58565 V-58567 V-58569 V-58571 V-58719 Severity CAT II #> Param( [Parameter(Position=0,ValueFromPipeline=$true)] [string]$Forest = [System.String]::Empty, [Parameter()] [ValidateNotNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.Credential()] $Credential = [System.Management.Automation.PSCredential]::Empty ) Begin { } Process { if (!(Test-IsEnterpriseAdmin -Credential $Credential)) { Write-Error "The cmdlet must be run with Enterprise Admin credentials." Exit 1 } Write-Host "Setting Dns Server logging." Get-ForestDnsServers -Forest $Forest -Credential $Credential | ForEach-Object { Write-Host $_ Set-DnsServerDiagnostics -ComputerName $_ -All $true Set-DnsServerDiagnostics -EnableLogFileRollover $true } Write-Host "Completed setting Dns Server logging." } End { } } Function Set-DnsServerVersionQuery { <# .SYNOPSIS The DNS Name Server software must be configured to refuse queries for its version information. .DESCRIPTION The Set-DnsServerVersionQuery cmdlet disables returning version information from a DNS query on all DNS servers in the Forest. The command must be run with Enterprise Admin credentials. .PARAMETER Forest The forest to configure. .PARAMETER Credential The credential to use, requires Enterprise Admin rights. .EXAMPLE PS C:\>Set-DnsServerVersionQuery Disables the return of version information from DNS queries. .INPUTS System.String .OUTPUTS None .NOTES AUTHOR: Michael Haken LAST UPDATE: 2/28/2016 .FUNCTIONALITY STIG Microsoft Windows 2012 Server DNS V1R2 STIG ID WDNS-SI-000003 Rule ID SV-73167r1 Vuln ID V-58737 Severity CAT II #> Param( [Parameter(Position=0,ValueFromPipeline=$true)] [string]$Forest = [System.String]::Empty, [Parameter()] [ValidateNotNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.Credential()] $Credential = [System.Management.Automation.PSCredential]::Empty ) Begin { } Process { if (!(Test-IsEnterpriseAdmin -Credential $Credential)) { Write-Error "The cmdlet must be run with Enterprise Admin credentials." Exit 1 } Write-Host "Setting Dns Server version query settings." Get-ForestDnsServers -Forest $Forest -Credential $Credential | ForEach-Object { $Server = $_ Write-Host $Server try { Invoke-Command -ComputerName $_ -ScriptBlock {Set-ItemProperty -Path "HKLM:\\SYSTEM\\CurrentControlSet\\Services\\DNS\\Parameters" -Name "EnableVersionQuery" -Value 0} -Credential $Credential } catch [Exception] { Write-Host "Error on $Server`: $($_.ToString())" } } Write-Host "Completed setting Dns Server version query settings." } End { } } Function Get-ForestDnsServers { <# .SYNOPSIS Finds all of the DNS servers for the current forest. .DESCRIPTION Finds all of the DNS servers registered as NS servers in the forest and returns an array of DNS names. .PARAMETER Forest Specify the forest to get the name servers from. .PARAMETER Credential The credential to use to query for the current AD Forest object. .EXAMPLE PS C:\>Get-ForestDnsServers Gets all of the DNS server in the current forest. .INPUTS System.String .OUTPUTS System.String[] .NOTES AUTHOR: Michael Haken LAST UPDATE: 2/28/2016 #> Param ( [Parameter(Position=0,ValueFromPipeline=$true)] [string]$Forest = [System.String]::Empty, [Parameter()] [ValidateNotNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.Credential()] $Credential = [System.Management.Automation.PSCredential]::Empty ) Begin { try { Import-Module ActiveDirectory } catch [Exception] { Write-Warning "This cmdlet requires the Active Directory module." Exit 1 } } Process { if ($Forest -eq [System.String]::Empty) { if ($Credential -ne [PSCredential]::Empty) { $RootDomain = (Get-ADForest -Current $Credential.UserName -Credential $Credential).RootDomain } else { $RootDomain = (Get-ADForest -Current LoggedOnUser).RootDomain } } else { $RootDomain = $Forest } Write-Output -InputObject (Resolve-DnsName -Name $RootDomain -Type NS | Where-Object {![System.String]::IsNullOrEmpty($_.NameHost)} | Select-Object -ExpandProperty NameHost) } End { } } Function Get-ForestDnsZones { <# .SYNOPSIS Get all of the forward lookup zones in a forest. .DESCRIPTION The Get-ForestDnsZones cmdlet gets all of the primary forward lookup zones for a forest. .PARAMETER Forest The DNS Forest to search. .PARAMETER ZoneType Select from All, Primary, Seconday, or Stub. Defaults to All. .PARAMETER DsIntegration Select from All, DsIntegrated, or NonDsIntegrated. Defaults to All. .PARAMETER LookupType Select from All, Forward, or Reverse. Defaults to All. .PARAMETER Credential The credential to use. .EXAMPLE PS C:\>Get-ForestDnsZones Gets all of the dns zones in the current user's forest. .EXAMPLE PS C:\>Get-ForestDnzZones -ZoneType Primary -DsIntegration DsIntegrated -LookupType Forward Gets all primary, Active Directory integrated, forward lookup zones in the current user forest. .INPUTS None .OUTPUTS PSObject[] .NOTES AUTHOR: Michael Haken LAST UPDATE: 2/28/2016 #> Param( [Parameter(Position=0)] [string]$Forest = [System.String]::Empty, [Parameter(Position=1)] [ValidateSet("All","Primary","Secondary","Stub")] [string]$ZoneType = "All", [Parameter(Position=2)] [ValidateSet("All","DsIntegrated","NonDsIntegrated")] [string]$DsIntegration = "All", [Parameter(Position=3)] [ValidateSet("All","Forward","Reverse")] [string]$LookupType = "All", [Parameter()] [ValidateNotNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.Credential()] $Credential = [System.Management.Automation.PSCredential]::Empty ) Begin { } Process { $Zones = @() Get-ForestDNSServers -Forest $Forest -Credential $Credential | ForEach-Object { $Zones += Get-SpecificServerDnsZones -ComputerName $_ -ZoneType $ZoneType -DsIntegration $DsIntegration -LookupType $LookupType | Where-Object {-not $_.ZoneName.StartsWith("_")} } $Zones | Group-Object -Property ZoneName | Select-Object -Property Group | ForEach-Object { Write-Output -InputObject ($_.Group | Select-Object -First 1) } } End { } } Function Get-SpecificServerDnsZones { <# .SYNOPSIS Get all of the forward lookup zones in a forest. .DESCRIPTION The Get-ForestDnsZones cmdlet gets all of the primary forward lookup zones for a forest. .PARAMETER Forest The DNS Forest to search. .PARAMETER ZoneType Select from All, Primary, Seconday, or Stub. Defaults to All. .PARAMETER DsIntegration Select from All, DsIntegrated, or NonDsIntegrated. Defaults to All. .PARAMETER LookupType Select from All, Forward, or Reverse. Defaults to All. .EXAMPLE PS C:\>Get-SpecificServerDnsZones Gets all of the dns zones on the localhost. .EXAMPLE PS C:\>Get-SpecificServerDnsZones -ComputerName server01 Gets all of the dns zones on server01. .EXAMPLE PS C:\>Get-SpecificServerDnsZones -ComputerName server01 -ZoneType Primary -DsIntegration DsIntegrated -LookupType Forward Gets all primary, Active Directory integrated, forward lookup zones on server01. .INPUTS None .OUTPUTS PSObject[] .NOTES AUTHOR: Michael Haken LAST UPDATE: 2/28/2016 #> Param( [Parameter(Position=0)] [string]$ComputerName ="localhost", [Parameter(Position=1)] [ValidateSet("All","Primary","Secondary","Stub")] [string]$ZoneType = "All", [Parameter(Position=2)] [ValidateSet("All","DsIntegrated","NonDsIntegrated")] [string]$DsIntegration = "All", [Parameter(Position=3)] [ValidateSet("All","Forward","Reverse")] [string]$LookupType = "All" ) Begin {} Process { switch (($ZoneType + $DsIntegration + $LookupType)) { default {Write-Output (Get-DnsServerZone -ComputerName $ComputerName -WarningAction SilentlyContinue)} "AllAllAll" {Write-Output (Get-DnsServerZone -ComputerName $ComputerName -WarningAction SilentlyContinue)} "AllAllForward" {Write-Output (Get-DnsServerZone -ComputerName $ComputerName -WarningAction SilentlyContinue | Where-Object {$_.IsReverseLookupzone -eq $false})} "AllAllReverse" {Write-Output (Get-DnsServerZone -ComputerName $ComputerName -WarningAction SilentlyContinue | Where-Object {$_.IsReverseLookupzone -eq $true})} "AllDsIntegratedAll" {Write-Output (Get-DnsServerZone -ComputerName $ComputerName -WarningAction SilentlyContinue | Where-Object {$_.IsDsIntegrated -eq $true})} "AllDsIntegratedForward" {Write-Output (Get-DnsServerZone -ComputerName $ComputerName -WarningAction SilentlyContinue | Where-Object {$_.IsDsIntegrated -eq $true -and $_.IsReverseLookupZone -eq $false})} "AllDsIntegratedReverse" {Write-Output (Get-DnsServerZone -ComputerName $ComputerName -WarningAction SilentlyContinue | Where-Object {$_.IsDsIntegrated -eq $true -and $_.IsReverseLookupzone -eq $true})} "AllNonDsIntegratedAll" {Write-Output (Get-DnsServerZone -ComputerName $ComputerName -WarningAction SilentlyContinue | Where-Object {$_.IsDsIntegrated -eq $false})} "AllNonDsIntegratedForward" {Write-Output (Get-DnsServerZone -ComputerName $ComputerName -WarningAction SilentlyContinue | Where-Object {$_.IsDsIntegrated -eq $false -and $_.IsReverseLookupZone -eq $false})} "AllNonDsIntegratedReverse" {Write-Output (Get-DnsServerZone -ComputerName $ComputerName -WarningAction SilentlyContinue | Where-Object {$_.IsDsIntegrated -eq $false -and $_.IsReverseLookupzone -eq $true})} "PrimaryAllAll" {Write-Output (Get-DnsServerZone -ComputerName $ComputerName -WarningAction SilentlyContinue | Where-Object {$_.ZoneType -eq "Primary"})} "PrimaryAllForward" {Write-Output (Get-DnsServerZone -ComputerName $ComputerName -WarningAction SilentlyContinue | Where-Object {$_.ZoneType -eq "Primary" -and $_.IsReverseLookup -eq $false})} "PrimaryAllReverse" {Write-Output (Get-DnsServerZone -ComputerName $ComputerName -WarningAction SilentlyContinue | Where-Object {$_.ZoneType -eq "Primary" -and $_.IsReverseLookup -eq $true})} "PrimaryDsIntegratedAll" {Write-Output (Get-DnsServerZone -ComputerName $ComputerName -WarningAction SilentlyContinue | Where-Object {$_.ZoneType -eq "Primary" -and $_.IsDsIntegrated -eq $true})} "PrimaryDsIntegratedForward" {Write-Output (Get-DnsServerZone -ComputerName $ComputerName -WarningAction SilentlyContinue | Where-Object {$_.ZoneType -eq "Primary" -and $_.IsDsIntegrated -eq $true -and $_.IsReverseLookupZone -eq $false})} "PrimaryDsIntegratedReverse" {Write-Output (Get-DnsServerZone -ComputerName $ComputerName -WarningAction SilentlyContinue | Where-Object {$_.ZoneType -eq "Primary" -and $_.IsDsIntegrated -eq $true -and $_.IsReverseLookupZone -eq $true})} "PrimaryNonDsIntegratedAll" {Write-Output (Get-DnsServerZone -ComputerName $ComputerName -WarningAction SilentlyContinue | Where-Object {$_.ZoneType -eq "Primary" -and $_.IsDsIntegrated -eq $false})} "PrimaryNonDsIntegratedForward" {Write-Output (Get-DnsServerZone -ComputerName $ComputerName -WarningAction SilentlyContinue | Where-Object {$_.ZoneType -eq "Primary" -and $_.IsDsIntegrated -eq $false -and $_.IsReverseLookupZone -eq $false})} "PrimaryNonDsIntegratedReverse" {Write-Output (Get-DnsServerZone -ComputerName $ComputerName -WarningAction SilentlyContinue | Where-Object {$_.ZoneType -eq "Primary" -and $_.IsDsIntegrated -eq $true -and $_.IsReverseLookupZone -eq $true})} "SecondaryAllAll" {Write-Output (Get-DnsServerZone -ComputerName $ComputerName -WarningAction SilentlyContinue | Where-Object {$_.ZoneType -eq "Secondary"})} "SecondaryAllForward" {Write-Output (Get-DnsServerZone -ComputerName $ComputerName -WarningAction SilentlyContinue | Where-Object {$_.ZoneType -eq "Secondary" -and $_.IsReverseLookup -eq $false})} "SecondaryAllReverse" {Write-Output (Get-DnsServerZone -ComputerName $ComputerName -WarningAction SilentlyContinue | Where-Object {$_.ZoneType -eq "Secondary" -and $_.IsReverseLookup -eq $true})} "SecondaryDsIntegratedAll" {Write-Output (Get-DnsServerZone -ComputerName $ComputerName -WarningAction SilentlyContinue | Where-Object {$_.ZoneType -eq "Secondary" -and $_.IsDsIntegrated -eq $true})} "SecondaryDsIntegratedForward" {Write-Output (Get-DnsServerZone -ComputerName $ComputerName -WarningAction SilentlyContinue | Where-Object {$_.ZoneType -eq "Secondary" -and $_.IsDsIntegrated -eq $true -and $_.IsReverseLookupZone -eq $false})} "SecondaryDsIntegratedReverse" {Write-Output (Get-DnsServerZone -ComputerName $ComputerName -WarningAction SilentlyContinue | Where-Object {$_.ZoneType -eq "Secondary" -and $_.IsDsIntegrated -eq $true -and $_.IsReverseLookupZone -eq $true})} "SecondaryNonDsIntegratedAll" {Write-Output (Get-DnsServerZone -ComputerName $ComputerName -WarningAction SilentlyContinue | Where-Object {$_.ZoneType -eq "Secondary" -and $_.IsDsIntegrated -eq $false})} "SecondaryNonDsIntegratedForward" {Write-Output (Get-DnsServerZone -ComputerName $ComputerName -WarningAction SilentlyContinue | Where-Object {$_.ZoneType -eq "Secondary" -and $_.IsDsIntegrated -eq $false -and $_.IsReverseLookupZone -eq $false})} "SecondaryNonDsIntegratedReverse" {Write-Output (Get-DnsServerZone -ComputerName $ComputerName -WarningAction SilentlyContinue | Where-Object {$_.ZoneType -eq "Secondary" -and $_.IsDsIntegrated -eq $true -and $_.IsReverseLookupZone -eq $true})} "StubAllAll" {Write-Output (Get-DnsServerZone -ComputerName $ComputerName -WarningAction SilentlyContinue | Where-Object {$_.ZoneType -eq "Stub"})} "StubAllForward" {Write-Output (Get-DnsServerZone -ComputerName $ComputerName -WarningAction SilentlyContinue | Where-Object {$_.ZoneType -eq "Stub" -and $_.IsReverseLookup -eq $false})} "StubAllReverse" {Write-Output (Get-DnsServerZone -ComputerName $ComputerName -WarningAction SilentlyContinue | Where-Object {$_.ZoneType -eq "Stub" -and $_.IsReverseLookup -eq $true})} "StubDsIntegratedAll" {Write-Output (Get-DnsServerZone -ComputerName $ComputerName -WarningAction SilentlyContinue | Where-Object {$_.ZoneType -eq "Stub" -and $_.IsDsIntegrated -eq $true})} "StubDsIntegratedForward" {Write-Output (Get-DnsServerZone -ComputerName $ComputerName -WarningAction SilentlyContinue | Where-Object {$_.ZoneType -eq "Stub" -and $_.IsDsIntegrated -eq $true -and $_.IsReverseLookupZone -eq $false})} "StubDsIntegratedReverse" {Write-Output (Get-DnsServerZone -ComputerName $ComputerName -WarningAction SilentlyContinue | Where-Object {$_.ZoneType -eq "Stub" -and $_.IsDsIntegrated -eq $true -and $_.IsReverseLookupZone -eq $true})} "StubNonDsIntegratedAll" {Write-Output (Get-DnsServerZone -ComputerName $ComputerName -WarningAction SilentlyContinue | Where-Object {$_.ZoneType -eq "Stub" -and $_.IsDsIntegrated -eq $false})} "StubNonDsIntegratedForward" {Write-Output (Get-DnsServerZone -ComputerName $ComputerName -WarningAction SilentlyContinue | Where-Object {$_.ZoneType -eq "Stub" -and $_.IsDsIntegrated -eq $false -and $_.IsReverseLookupZone -eq $false})} "StubNonDsIntegratedReverse" {Write-Output (Get-DnsServerZone -ComputerName $ComputerName -WarningAction SilentlyContinue | Where-Object {$_.ZoneType -eq "Stub" -and $_.IsDsIntegrated -eq $true -and $_.IsReverseLookupZone -eq $true})} } } End {} } Function Set-ForestDnsServerScavenging { <# .SYNOPSIS Sets DNS record scavenging for all zones in the Forest. .DESCRIPTION Creates the File Access Rules for EventLog, System, and Administrators. .PARAMETER RefreshInterval Specifies the refresh interval as a TimeSpan object. During this interval, a DNS server can refresh a resource record that has a non-zero time stamp. Zones on the server inherit this value automatically. If a DNS server does not refresh a resource record that has a non-zero time stamp, the DNS server can remove that record during the next scavenging. Do not select a value smaller than the longest refresh period of a resource record registered in the zone. The minimum value is 0. The maximum value is 8760 hours (seven days). The default value is 7 days. .PARAMETER ScavengingInterval Specifies a length of time as a TimeSpan object. ScavengingInterval determines whether the scavenging feature for the DNS server is enabled and sets the number of hours between scavenging cycles. The default setting is 7. A setting greater than 0 enables scavenging for the server and sets the number of days, hours, minutes, and seconds (formatted as dd.hh:mm:ss) between scavenging cycles. The minimum value is 0. The maximum value is 365.00:00:00 (1 year). .EXAMPLE PS C:\>Set-ForestDnsServerScavenging Enables stale record scavenging .INPUTS System.TimeSpan, System.TimeSpan .OUTPUTS Microsoft.Management.Infrastructure.CimInstance#DnsServerScavenging[] .NOTES AUTHOR: Michael Haken LAST UPDATE: 2/28/2016 #> [CmdletBinding()] Param( [Parameter(Position=0)] [System.TimeSpan]$RefreshInterval = [System.TimeSpan]::FromDays(7), [Parameter(Position=1)] [System.TimeSpan]$ScavengingInterval = [System.TimeSpan]::FromDays(7), [Parameter()] [switch]$PassThru ) Begin { } Process { $Forest = Get-ADForest Write-Host "Setting DNS Server Scavenging." foreach ($Domain in $Forest.Domains) { Write-Host $Domain $Context = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext([System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain, $Domain) $Servers = [System.DirectoryServices.ActiveDirectory.DomainController]::FindAll($Context) foreach ($Server in $Servers) { Write-Host $Server.Name try { $Scavenging = Set-DnsServerScavenging -ScavengingState $true -ApplyOnAllZones -ComputerName $Server.Name -RefreshInterval ([System.TimeSpan]::FromDays(7)) -ScavengingInterval ([System.TimeSpan]::FromDays(7)) -PassThru if ($PassThru) { Write-Output $Scavenging } } catch [Exception] { Write-Warning $_.Exception.Message } } } } End { } } Function New-EventLogAccessRuleSet { <# .SYNOPSIS Creates the File Access Rules for EventLog, System, and Administrators. .DESCRIPTION Creates the File Access Rules for EventLog, System, and Administrators. .EXAMPLE PS C:\>New-EventLogAccessRuleSet Creates the rule set. .INPUTS None .OUTPUTS System.Security.AccessControl.FileSystemAccessRule[] .NOTES AUTHOR: Michael Haken LAST UPDATE: 2/28/2016 #> [CmdletBinding()] Param( ) Begin { } Process { # NT Service\EventLog = S-1-5-80-880578595-1860270145-482643319-2788375705-1540778122 [System.Security.Principal.SecurityIdentifier]$NTServiceEventLogSid = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-80-880578595-1860270145-482643319-2788375705-1540778122") $Administrators = New-Object Security.Principal.SecurityIdentifier([System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null) $EventLog = New-Object Security.Principal.SecurityIdentifier($NTServiceEventLogSid) $System = New-Object Security.Principal.SecurityIdentifier([System.Security.Principal.WellKnownSidType]::LocalSystemSid, $null) $AdministratorAce = New-Object System.Security.AccessControl.FileSystemAccessRule($Administrators, [System.Security.AccessControl.FileSystemRights]::FullControl, @([System.Security.AccessControl.InheritanceFlags]::ContainerInherit, [System.Security.AccessControl.InheritanceFlags]::ObjectInherit), [System.Security.AccessControl.PropagationFlags]::None, [System.Security.AccessControl.AccessControlType]::Allow) $EventLogAce = New-Object System.Security.AccessControl.FileSystemAccessRule($EventLog, [System.Security.AccessControl.FileSystemRights]::FullControl, @([System.Security.AccessControl.InheritanceFlags]::ContainerInherit, [System.Security.AccessControl.InheritanceFlags]::ObjectInherit), [System.Security.AccessControl.PropagationFlags]::None, [System.Security.AccessControl.AccessControlType]::Allow) $SystemAce = New-Object System.Security.AccessControl.FileSystemAccessRule($System, [System.Security.AccessControl.FileSystemRights]::FullControl, @([System.Security.AccessControl.InheritanceFlags]::ContainerInherit, [System.Security.AccessControl.InheritanceFlags]::ObjectInherit), [System.Security.AccessControl.PropagationFlags]::None, [System.Security.AccessControl.AccessControlType]::Allow) [System.Security.AccessControl.FileSystemAccessRule[]]$Rules = @($AdministratorAce, $EventLogAce, $SystemAce) Write-Output -InputObject $Rules } End { } } Function New-CryptoFolderAccessRuleSet { <# .SYNOPSIS Creates the File Access Rules for System and Administrators. .DESCRIPTION Creates the File Access Rules for System and Administrators. .EXAMPLE PS C:\>New-CryptoFolderAccessRuleSet Creates the rule set. .INPUTS None .OUTPUTS System.Security.AccessControl.FileSystemAccessRule[] .NOTES AUTHOR: Michael Haken LAST UPDATE: 2/28/2016 #> [CmdletBinding()] Param() Begin { } Process { [System.Security.Principal.SecurityIdentifier]$NTServiceEventLogSid = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-80-880578595-1860270145-482643319-2788375705-1540778122") $Administrators = New-Object Security.Principal.SecurityIdentifier([System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null) $System = New-Object Security.Principal.SecurityIdentifier([System.Security.Principal.WellKnownSidType]::LocalSystemSid, $null) $AdministratorAce = New-Object System.Security.AccessControl.FileSystemAccessRule($Administrators, [System.Security.AccessControl.FileSystemRights]::FullControl, @([System.Security.AccessControl.InheritanceFlags]::ContainerInherit, [System.Security.AccessControl.InheritanceFlags]::ObjectInherit), [System.Security.AccessControl.PropagationFlags]::None, [System.Security.AccessControl.AccessControlType]::Allow) $SystemAce = New-Object System.Security.AccessControl.FileSystemAccessRule($System, [System.Security.AccessControl.FileSystemRights]::FullControl, @([System.Security.AccessControl.InheritanceFlags]::ContainerInherit, [System.Security.AccessControl.InheritanceFlags]::ObjectInherit), [System.Security.AccessControl.PropagationFlags]::None, [System.Security.AccessControl.AccessControlType]::Allow) [System.Security.AccessControl.FileSystemAccessRule[]] $Rules = @($AdministratorAce, $SystemAce) Write-Output -InputObject $Rules } End { } } |