Merge branch 'rsanderson8310-Win10V2R9' into 4.22.0
This commit is contained in:
Commit
04063b34be
|
@ -4,6 +4,7 @@
|
||||||
|
|
||||||
* Update Powerstig to parse/apply Microsoft Edge STIG - Ver 1, Rel 8 [#1350](https://github.com/microsoft/PowerStig/issues/1350)
|
* Update Powerstig to parse/apply Microsoft Edge STIG - Ver 1, Rel 8 [#1350](https://github.com/microsoft/PowerStig/issues/1350)
|
||||||
* Update PowerSTIG to Parse/Apply Microsoft Windows 11 STIG - Ver 1, Rel 6 [#1341](https://github.com/microsoft/PowerStig/issues/1341)
|
* Update PowerSTIG to Parse/Apply Microsoft Windows 11 STIG - Ver 1, Rel 6 [#1341](https://github.com/microsoft/PowerStig/issues/1341)
|
||||||
|
* Update PowerSTIG to Parse/Apply Microsoft Windows 10 STIG - Ver 2, Rel 9 [#1342](https://github.com/microsoft/PowerStig/issues/1342)
|
||||||
* Update Powerstig to parse/apply Microsoft Office System 2016 STIG - Ver 2, Rel 3 [#1352](https://github.com/microsoft/PowerStig/issues/1352)
|
* Update Powerstig to parse/apply Microsoft Office System 2016 STIG - Ver 2, Rel 3 [#1352](https://github.com/microsoft/PowerStig/issues/1352)
|
||||||
* Update Powerstig to parse/apply Microsoft Office 365 ProPlus STIG - Ver 2, Rel 12 [#1351](https://github.com/microsoft/PowerStig/issues/1351)
|
* Update Powerstig to parse/apply Microsoft Office 365 ProPlus STIG - Ver 2, Rel 12 [#1351](https://github.com/microsoft/PowerStig/issues/1351)
|
||||||
* Update Powerstig to parse/apply Microsoft .Net Framework 4.0 STIG - Ver 2, Rel 4 [#1349](https://github.com/microsoft/PowerStig/issues/1349)
|
* Update Powerstig to parse/apply Microsoft .Net Framework 4.0 STIG - Ver 2, Rel 4 [#1349](https://github.com/microsoft/PowerStig/issues/1349)
|
||||||
|
|
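Review bot: The new Windows 10 entry uses a different casing from most of its neighbours ("PowerSTIG ... Parse/Apply" here, "Powerstig ... parse/apply" for the Edge, Office and .Net entries in the same hunk); the release notes read better if every entry in this release uses one spelling, for example `* Update PowerSTIG to parse/apply Microsoft Windows 10 STIG - Ver 2, Rel 9 [#1342](https://github.com/microsoft/PowerStig/issues/1342)`. The issue number does line up with the branch name's target (Win10V2R9).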
File differences are hidden because one or more lines are too long
|
@ -5,7 +5,7 @@
|
||||||
Each setting in this file is linked by STIG ID and the valid range is in an
|
Each setting in this file is linked by STIG ID and the valid range is in an
|
||||||
associated comment.
|
associated comment.
|
||||||
-->
|
-->
|
||||||
<OrganizationalSettings fullversion="2.7">
|
<OrganizationalSettings fullversion="2.9">
|
||||||
<!-- Ensure ValueData is set to 0x00000006 (6) or greater -->
|
<!-- Ensure ValueData is set to 0x00000006 (6) or greater -->
|
||||||
<OrganizationalSetting id="V-220704" ValueData="" />
|
<OrganizationalSetting id="V-220704" ValueData="" />
|
||||||
<!-- Ensure ''V-220739'' -ge '15' -or ''V-220739'' -eq '0'-->
|
<!-- Ensure ''V-220739'' -ge '15' -or ''V-220739'' -eq '0'-->
|
|
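Review bot: Bumping fullversion from 2.7 to 2.9 with no other change in the OrganizationalSettings hunk asserts that no organizational value was added, removed or re-ranged between V2R7 and V2R9. That is worth confirming explicitly against the V2R9 XCCDF, because a rule that newly requires an org value but has no `<OrganizationalSetting>` entry here will fail at compile time for every consumer, and the converter would not flag it in this file. A one-line statement in the PR that the org-value set was diffed against the new benchmark would cover it.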
@ -1,4 +1,4 @@
|
||||||
<DISASTIG version="2" classification="UNCLASSIFIED" customname="" stigid="MS_Windows_10_STIG" description="This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil." filename="U_MS_Windows_10_STIG_V2R7_Manual-xccdf.xml" releaseinfo="Release: 7 Benchmark Date: 07 Jun 2023 3.4.0.34222 1.10.0" title="Microsoft Windows 10 Security Technical Implementation Guide" notice="terms-of-use" source="STIG.DOD.MIL" fullversion="2.7" created="6/5/2023">
|
<DISASTIG version="2" classification="UNCLASSIFIED" customname="" stigid="MS_Windows_10_STIG" description="This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil." filename="U_MS_Windows_10_STIG_V2R9_Manual-xccdf.xml" releaseinfo="Release: 9 Benchmark Date: 15 May 2024 3.4.1.22916 1.10.0" title="Microsoft Windows 10 Security Technical Implementation Guide" notice="terms-of-use" source="STIG.DOD.MIL" fullversion="2.9" created="5/4/2024">
|
||||||
<AccountPolicyRule dscresourcemodule="SecurityPolicyDsc">
|
<AccountPolicyRule dscresourcemodule="SecurityPolicyDsc">
|
||||||
<Rule id="V-220739" severity="medium" conversionstatus="pass" title="SRG-OS-000329-GPOS-00128" dscresource="AccountPolicy">
|
<Rule id="V-220739" severity="medium" conversionstatus="pass" title="SRG-OS-000329-GPOS-00128" dscresource="AccountPolicy">
|
||||||
<Description><VulnDiscussion>The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the amount of time that an account will remain locked after the specified number of failed logon attempts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
<Description><VulnDiscussion>The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the amount of time that an account will remain locked after the specified number of failed logon attempts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||||
|
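Review bot: The header jumps from V2R7 (created 6/5/2023, Benchmark Date 07 Jun 2023) straight to V2R9 (created 5/4/2024, Benchmark Date 15 May 2024), so this one commit folds in two DISA releases, V2R8 and V2R9. Since the changelog entry and issue #1342 name only Rel 9, say so in the PR description, so that everything between the two benchmark dates is expected in this diff rather than read as unexplained drift. The `fullversion="2.9"` value agrees with the OrganizationalSettings file in the same change.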
@ -1000,7 +1000,7 @@ Policy Change >> MPSSVC Rule-Level Policy Change - Failure
|
||||||
New versions with feature updates are planned to be released on a semiannual basis with an estimated support timeframe of 18 to 30 months depending on the release. Support for previously released versions has been extended for Enterprise editions.
|
New versions with feature updates are planned to be released on a semiannual basis with an estimated support timeframe of 18 to 30 months depending on the release. Support for previously released versions has been extended for Enterprise editions.
|
||||||
|
|
||||||
A separate servicing branch intended for special-purpose systems is the Long-Term Servicing Channel (LTSC, formerly Branch - LTSB), which will receive security updates for 10 years but excludes feature updates.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
A separate servicing branch intended for special-purpose systems is the Long-Term Servicing Channel (LTSC, formerly Branch - LTSB), which will receive security updates for 10 years but excludes feature updates.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||||
<DesiredValue>10.0.190</DesiredValue>
|
<DesiredValue>10.0.19044</DesiredValue>
|
||||||
<DuplicateOf />
|
<DuplicateOf />
|
||||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||||
<LegacyId>V-63349</LegacyId>
|
<LegacyId>V-63349</LegacyId>
|
||||||
|
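Review bot: `<DesiredValue>` tightens from the prefix `10.0.190` to the exact build `10.0.19044` while the surrounding check text still requires "the following or greater". Make sure the comparison this value drives is a version or numeric comparison: a string-equality or prefix match against `10.0.19044` would report 22H2 hosts (a later 1904x build that this same rule's end-of-support list treats as supported until 14 Oct 2025) as findings, whereas the old `10.0.190` prefix accepted them.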
@ -1013,15 +1013,14 @@ A separate servicing branch intended for special-purpose systems is the Long-Ter
|
||||||
|
|
||||||
If the "About Windows" dialog box does not display the following or greater, this is a finding:
|
If the "About Windows" dialog box does not display the following or greater, this is a finding:
|
||||||
|
|
||||||
"Microsoft Windows Version 20H2 (OS Build 190xx.x)"
|
"Microsoft Windows Version 21H2 (OS Build 19044.x)"
|
||||||
|
|
||||||
Note: Microsoft has extended support for previous versions, providing critical and important updates for Windows 10 Enterprise.
|
Note: Microsoft has extended support for previous versions, providing critical and important updates for Windows 10 Enterprise.
|
||||||
|
|
||||||
Microsoft scheduled end-of-support dates for current Semi-Annual Channel versions:
|
Microsoft scheduled end-of-support dates for current Semi-Annual Channel versions:
|
||||||
|
|
||||||
v20H2 - 9 May 2023
|
v22H2 - 14 Oct 2025
|
||||||
v21H1 - 13 Dec 2022
|
v21H2 - 13 Jun 2024
|
||||||
v21H2 - 11 June 2024
|
|
||||||
|
|
||||||
No preview versions will be used in a production environment.
|
No preview versions will be used in a production environment.
|
||||||
|
|
||||||
|
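Review bot: Two points in the replaced version list. First, the v21H2 end-of-support date changes from "11 June 2024" to "13 Jun 2024" while v20H2 and v21H1 are dropped; this is DISA's check text and should be carried verbatim, so confirm the dates match the V2R9 XCCDF rather than a hand edit. Second, 21H2 (OS Build 19044.x) becomes the minimum accepted version but reaches end of support on 13 Jun 2024, under a month after the 15 May 2024 benchmark date in the header, so the DesiredValue floor in the preceding hunk will be stale almost immediately; a follow-up issue for the next release would be reasonable.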
@ -1172,9 +1171,7 @@ Multifactor authentication requires using two or more factors to achieve authent
|
||||||
Factors include:
|
Factors include:
|
||||||
|
|
||||||
1) Something a user knows (e.g., password/PIN);
|
1) Something a user knows (e.g., password/PIN);
|
||||||
|
|
||||||
2) Something a user has (e.g., cryptographic identification device, token); and
|
2) Something a user has (e.g., cryptographic identification device, token); and
|
||||||
|
|
||||||
3) Something a user is (e.g., biometric).
|
3) Something a user is (e.g., biometric).
|
||||||
|
|
||||||
A privileged account is defined as an information system account with authorizations of a privileged user.
|
A privileged account is defined as an information system account with authorizations of a privileged user.
|
||||||
|
@ -1191,7 +1188,7 @@ Satisfies: SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPO
|
||||||
<LegacyId>V-102627</LegacyId>
|
<LegacyId>V-102627</LegacyId>
|
||||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||||
<OrganizationValueTestString />
|
<OrganizationValueTestString />
|
||||||
<RawString>If the system is a member of a domain, this is Not Applicable.
|
<RawString>If the system is not a member of a domain, this is Not Applicable.
|
||||||
|
|
||||||
If one of the following settings does not exist and is not populated, this is a finding:
|
If one of the following settings does not exist and is not populated, this is a finding:
|
||||||
|
|
||||||
|
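Review bot: The applicability sentence in the RawString is inverted, from "If the system is a member of a domain, this is Not Applicable." to "If the system is not a member of a domain, this is Not Applicable."; a one-word change that flips which hosts this multifactor authentication check applies to. Because this is quoted DISA check text, verify it against the V2R9 XCCDF verbatim (it should not be a local correction), and call the reversal out in the changelog, since domain-joined hosts that previously skipped the rule will now be assessed under it.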
@ -1272,7 +1269,7 @@ Run "System Information".
|
||||||
|
|
||||||
Under "System Summary", if "Secure Boot State" does not display "On", this is finding.</RawString>
|
Under "System Summary", if "Secure Boot State" does not display "On", this is finding.</RawString>
|
||||||
</Rule>
|
</Rule>
|
||||||
<Rule id="V-220702" severity="medium" conversionstatus="pass" title="SRG-OS-000185-GPOS-00079" dscresource="None">
|
<Rule id="V-220702" severity="high" conversionstatus="pass" title="SRG-OS-000185-GPOS-00079" dscresource="None">
|
||||||
<Description><VulnDiscussion>If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can remove non-volatile memory and read it directly, thereby circumventing operating system controls. Encrypting the data ensures that confidentiality is protected even when the operating system is not running.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
<Description><VulnDiscussion>If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can remove non-volatile memory and read it directly, thereby circumventing operating system controls. Encrypting the data ensures that confidentiality is protected even when the operating system is not running.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||||
<DuplicateOf />
|
<DuplicateOf />
|
||||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||||
|
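Review bot: Severity for V-220702 rises from medium to high with the VulnDiscussion and check text unchanged. The rule remains `dscresource="None"`, so the generated DSC does not change; the effect is on reporting and on any consumer that filters by severity. The matching bump for the related BitLocker rules V-220703.a, V-220703.b and V-220704 appears further down this diff; confirm all four stay in step with the XCCDF so the split sub-rules never end up at a different severity from their parent.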
@ -1304,9 +1301,7 @@ The organization must identify authorized software programs and only permit exec
|
||||||
<LegacyId>V-63345</LegacyId>
|
<LegacyId>V-63345</LegacyId>
|
||||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||||
<OrganizationValueTestString />
|
<OrganizationValueTestString />
|
||||||
<RawString>This is applicable to unclassified systems; for other systems, this is Not Applicable.
|
<RawString>Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs. This must include packaged apps such as the universal apps installed by default on systems.
|
||||||
|
|
||||||
Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs. This must include packaged apps such as the universal apps installed by default on systems.
|
|
||||||
|
|
||||||
If an application allowlisting program is not in use on the system, this is a finding.
|
If an application allowlisting program is not in use on the system, this is a finding.
|
||||||
|
|
||||||
|
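Review bot: Removing the leading sentence "This is applicable to unclassified systems; for other systems, this is Not Applicable." widens the application allowlisting rule (LegacyId V-63345) to every classification level; the remaining text and the finding condition are unchanged. That is a behavioural change for anyone who previously excluded this rule on systems that are not unclassified and deserves a line in the changelog. Note also that the `classification="UNCLASSIFIED"` attribute in the file header describes the document, not the target system, so it does not reinstate the dropped restriction.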
@ -1638,15 +1633,25 @@ Windows LAPS must be used to change the built-in Administrator account password
|
||||||
<LegacyId>V-99555</LegacyId>
|
<LegacyId>V-99555</LegacyId>
|
||||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||||
<OrganizationValueTestString />
|
<OrganizationValueTestString />
|
||||||
<RawString>Review the password last set date for the enabled local Administrator account.
|
<RawString>If there are no enabled local Administrator accounts, this is Not Applicable.
|
||||||
|
|
||||||
On the local domain-joined workstation:
|
Review the password last set date for the enabled local Administrator account.
|
||||||
|
|
||||||
|
On the stand alone or domain-joined workstation:
|
||||||
|
|
||||||
Open "PowerShell".
|
Open "PowerShell".
|
||||||
|
|
||||||
Enter "Get-LocalUser –Name * | Select-Object *".
|
Enter "Get-LocalUser -Name * | Select-Object *".
|
||||||
|
|
||||||
If the "PasswordLastSet" date is greater than "60" days old for the local Administrator account for administering the computer/domain, this is a finding.</RawString>
|
If the "PasswordLastSet" date is greater than "60" days old for the local Administrator account for administering the computer/domain, this is a finding.
|
||||||
|
|
||||||
|
Verify LAPS is configured and operational.
|
||||||
|
|
||||||
|
Navigate to Local Computer Policy >> Computer Configuration >> Administrative Templates >> System >> LAPS >> Password Settings >> Set to enabled. Password Complexity, large letters + small letters + numbers + special, Password Length 14, Password Age 60. If not configured as shown, this is a finding.
|
||||||
|
|
||||||
|
Navigate to Local Computer Policy >> Computer Configuration >> Administrative Templates >> System >> LAPS >> Password Settings >> Name of administrator Account to manage >> Set to enabled >> Administrator account name is populated. If it is not, this is a finding.
|
||||||
|
|
||||||
|
Verify LAPS Operational logs >> Event Viewer >> Applications and Services Logs >> Microsoft >> Windows >> LAPS >> Operational. Verify LAPS policy process is completing. If it is not, this is a finding.</RawString>
|
||||||
</Rule>
|
</Rule>
|
||||||
<Rule id="V-256894" severity="medium" conversionstatus="pass" title="SRG-OS-000185-GPOS-00079" dscresource="None">
|
<Rule id="V-256894" severity="medium" conversionstatus="pass" title="SRG-OS-000185-GPOS-00079" dscresource="None">
|
||||||
<Description><VulnDiscussion>Internet Explorer 11 (IE11) is no longer supported on Windows 10 semi-annual channel. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
<Description><VulnDiscussion>Internet Explorer 11 (IE11) is no longer supported on Windows 10 semi-annual channel. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||||
|
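Review bot: Two substantive changes sit inside the rewritten LAPS check text. The PowerShell command fixes a character bug: "Get-LocalUser –Name *" used an en dash, which PowerShell does not accept as a parameter prefix, and now reads "Get-LocalUser -Name *". Scope also widens from "the local domain-joined workstation" to "the stand alone or domain-joined workstation", with a new Not Applicable clause for hosts that have no enabled local Administrator account, and three additional manual steps (LAPS password settings, the managed account name, and the LAPS Operational event log). The rule stays manual, so DSC enforces none of this; the broadened scope should be mentioned in the changelog.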
@ -1664,6 +1669,39 @@ If IE11 is installed on a unsupported operating system and is enabled or install
|
||||||
|
|
||||||
For more information, visit: https://learn.microsoft.com/en-us/lifecycle/faq/internet-explorer-microsoft-edge#what-is-the-lifecycle-policy-for-internet-explorer-</RawString>
|
For more information, visit: https://learn.microsoft.com/en-us/lifecycle/faq/internet-explorer-microsoft-edge#what-is-the-lifecycle-policy-for-internet-explorer-</RawString>
|
||||||
</Rule>
|
</Rule>
|
||||||
|
<Rule id="V-257589" severity="medium" conversionstatus="pass" title="SRG-OS-000037-GPOS-00015" dscresource="None">
|
||||||
|
<Description><VulnDiscussion>When this policy setting is enabled, the operating system generates audit events when a process fails to start and the name of the program or user that created it.
|
||||||
|
|
||||||
|
These audit events can assist in understanding how a computer is being used and tracking user activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||||
|
<DuplicateOf />
|
||||||
|
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||||
|
<LegacyId>
|
||||||
|
</LegacyId>
|
||||||
|
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||||
|
<OrganizationValueTestString />
|
||||||
|
<RawString>Ensure Audit Process Creation auditing has been enabled:
|
||||||
|
|
||||||
|
Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >>System Audit Policies >> Detailed Tracking >> Audit Process Creation".
|
||||||
|
|
||||||
|
If "Audit Process Creation" is not set to "Failure", this is a finding.</RawString>
|
||||||
|
</Rule>
|
||||||
|
<Rule id="V-257593" severity="medium" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="None">
|
||||||
|
<Description><VulnDiscussion>Having portproxy enabled or configured in Windows 10 could allow a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||||
|
<DuplicateOf />
|
||||||
|
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||||
|
<LegacyId>
|
||||||
|
</LegacyId>
|
||||||
|
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||||
|
<OrganizationValueTestString />
|
||||||
|
<RawString>Check the registry key for existence of proxied ports:
|
||||||
|
HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\.
|
||||||
|
|
||||||
|
If the key contains v4tov4\tcp\ or is populated v4tov4\tcp\, this is a finding.
|
||||||
|
|
||||||
|
Run "netsh interface portproxy show all".
|
||||||
|
|
||||||
|
If the command displays any results, this is a finding.</RawString>
|
||||||
|
</Rule>
|
||||||
</ManualRule>
|
</ManualRule>
|
||||||
<PermissionRule dscresourcemodule="AccessControlDsc">
|
<PermissionRule dscresourcemodule="AccessControlDsc">
|
||||||
<Rule id="V-220717.a" severity="medium" conversionstatus="pass" title="SRG-OS-000312-GPOS-00122" dscresource="NTFSAccessEntry">
|
<Rule id="V-220717.a" severity="medium" conversionstatus="pass" title="SRG-OS-000312-GPOS-00122" dscresource="NTFSAccessEntry">
|
||||||
|
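Review bot: V-257589 lands in `ManualRule` with `dscresource="None"` even though its check is a single advanced audit policy subcategory ("Audit Process Creation" set to "Failure"), the kind of setting PowerStig normally converts into an automated audit policy rule. The check text carries an unbalanced trailing quote (`... Detailed Tracking >> Audit Process Creation".`), which may be why the converter did not classify it; if so, an explicit conversion override would make the rule enforceable rather than manual. Two smaller points: both new rules write `<LegacyId>` as a whitespace-only element spread over multiple lines, where the rest of the file writes an empty element as `<DuplicateOf />`, so `<LegacyId />` would be consistent; and V-257593's registry check (`HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\` with a `v4tov4\tcp\` subkey) is likewise a candidate for automation instead of manual review.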
@ -1719,9 +1757,9 @@ For more information, visit: https://learn.microsoft.com/en-us/lifecycle/faq/int
|
||||||
<Path>%SystemDrive%\</Path>
|
<Path>%SystemDrive%\</Path>
|
||||||
<RawString>The default file system permissions are adequate when the Security Option "Network access: Let Everyone permissions apply to anonymous users" is set to "Disabled" (WN10-SO-000160).
|
<RawString>The default file system permissions are adequate when the Security Option "Network access: Let Everyone permissions apply to anonymous users" is set to "Disabled" (WN10-SO-000160).
|
||||||
If the default file system permissions are maintained and the referenced option is set to "Disabled", this is not a finding.
|
If the default file system permissions are maintained and the referenced option is set to "Disabled", this is not a finding.
|
||||||
Verify the default permissions for the sample directories below. Non-privileged groups such as Users or Authenticated Users must not have greater than Read & execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.)
|
Verify the default permissions for the sample directories below. Nonprivileged groups such as Users or Authenticated Users must not have greater than Read & execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.)
|
||||||
Viewing in File Explorer:
|
Viewing in File Explorer:
|
||||||
Select the "Security" tab, and the "Advanced" button.
|
Select the "Security" tab and the "Advanced" button.
|
||||||
C:\
|
C:\
|
||||||
Type - "Allow" for all
|
Type - "Allow" for all
|
||||||
Inherited from - "None" for all
|
Inherited from - "None" for all
|
||||||
|
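Review bot: Only the quoted check text changes in this hunk ("Non-privileged" becomes "Nonprivileged", and the comma is dropped from "Select the "Security" tab, and the "Advanced" button"); `<Path>%SystemDrive%\</Path>` and the access entries the NTFSAccessEntry resource consumes are untouched, so there is no functional impact. The same two wording edits recur in the %ProgramFiles% and %Windir% hunks that follow.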
@ -1819,9 +1857,9 @@ Alternately use icacls.
|
||||||
<Path>%ProgramFiles%</Path>
|
<Path>%ProgramFiles%</Path>
|
||||||
<RawString>The default file system permissions are adequate when the Security Option "Network access: Let Everyone permissions apply to anonymous users" is set to "Disabled" (WN10-SO-000160).
|
<RawString>The default file system permissions are adequate when the Security Option "Network access: Let Everyone permissions apply to anonymous users" is set to "Disabled" (WN10-SO-000160).
|
||||||
If the default file system permissions are maintained and the referenced option is set to "Disabled", this is not a finding.
|
If the default file system permissions are maintained and the referenced option is set to "Disabled", this is not a finding.
|
||||||
Verify the default permissions for the sample directories below. Non-privileged groups such as Users or Authenticated Users must not have greater than Read & execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.)
|
Verify the default permissions for the sample directories below. Nonprivileged groups such as Users or Authenticated Users must not have greater than Read & execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.)
|
||||||
Viewing in File Explorer:
|
Viewing in File Explorer:
|
||||||
Select the "Security" tab, and the "Advanced" button.
|
Select the "Security" tab and the "Advanced" button.
|
||||||
\Program Files
|
\Program Files
|
||||||
Type - "Allow" for all
|
Type - "Allow" for all
|
||||||
Inherited from - "None" for all
|
Inherited from - "None" for all
|
||||||
|
@ -1923,9 +1961,9 @@ Alternately use icacls.
|
||||||
<Path>%Windir%</Path>
|
<Path>%Windir%</Path>
|
||||||
<RawString>The default file system permissions are adequate when the Security Option "Network access: Let Everyone permissions apply to anonymous users" is set to "Disabled" (WN10-SO-000160).
|
<RawString>The default file system permissions are adequate when the Security Option "Network access: Let Everyone permissions apply to anonymous users" is set to "Disabled" (WN10-SO-000160).
|
||||||
If the default file system permissions are maintained and the referenced option is set to "Disabled", this is not a finding.
|
If the default file system permissions are maintained and the referenced option is set to "Disabled", this is not a finding.
|
||||||
Verify the default permissions for the sample directories below. Non-privileged groups such as Users or Authenticated Users must not have greater than Read & execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.)
|
Verify the default permissions for the sample directories below. Nonprivileged groups such as Users or Authenticated Users must not have greater than Read & execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.)
|
||||||
Viewing in File Explorer:
|
Viewing in File Explorer:
|
||||||
Select the "Security" tab, and the "Advanced" button.
|
Select the "Security" tab and the "Advanced" button.
|
||||||
\Windows
|
\Windows
|
||||||
Type - "Allow" for all
|
Type - "Allow" for all
|
||||||
Inherited from - "None" for all
|
Inherited from - "None" for all
|
||||||
|
@ -2288,7 +2326,7 @@ If the defaults have not been changed, these are not a finding.
|
||||||
</Rule>
|
</Rule>
|
||||||
</PermissionRule>
|
</PermissionRule>
|
||||||
<RegistryRule dscresourcemodule="PSDscResources">
|
<RegistryRule dscresourcemodule="PSDscResources">
|
||||||
<Rule id="V-220703.a" severity="medium" conversionstatus="pass" title="SRG-OS-000185-GPOS-00079" dscresource="RegistryPolicyFile">
|
<Rule id="V-220703.a" severity="high" conversionstatus="pass" title="SRG-OS-000185-GPOS-00079" dscresource="RegistryPolicyFile">
|
||||||
<Description><VulnDiscussion>If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can remove non-volatile memory and read it directly, thereby circumventing operating system controls. Encrypting the data ensures that confidentiality is protected even when the operating system is not running. Pre-boot authentication prevents unauthorized users from accessing encrypted drives.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
<Description><VulnDiscussion>If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can remove non-volatile memory and read it directly, thereby circumventing operating system controls. Encrypting the data ensures that confidentiality is protected even when the operating system is not running. Pre-boot authentication prevents unauthorized users from accessing encrypted drives.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||||
<DuplicateOf />
|
<DuplicateOf />
|
||||||
<Ensure>Present</Ensure>
|
<Ensure>Present</Ensure>
|
||||||
|
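Review bot: V-220703.a moves from medium to high with its VulnDiscussion unchanged. Since .a and .b are PowerStig's split of one DISA rule, both halves must carry the same severity; the .b hunk directly below does match, as does V-220704 after it. Worth a reminder in the PR that the split is ours, so any future severity change to V-220703 has to be applied to both fragments, not just the first one found.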
@ -2306,7 +2344,7 @@ Value: 0x00000001 (1)</RawString>
|
||||||
<ValueName>UseAdvancedStartup</ValueName>
|
<ValueName>UseAdvancedStartup</ValueName>
|
||||||
<ValueType>Dword</ValueType>
|
<ValueType>Dword</ValueType>
|
||||||
</Rule>
|
</Rule>
|
||||||
<Rule id="V-220703.b" severity="medium" conversionstatus="pass" title="SRG-OS-000185-GPOS-00079" dscresource="RegistryPolicyFile">
|
<Rule id="V-220703.b" severity="high" conversionstatus="pass" title="SRG-OS-000185-GPOS-00079" dscresource="RegistryPolicyFile">
|
||||||
<Description><VulnDiscussion>If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can remove non-volatile memory and read it directly, thereby circumventing operating system controls. Encrypting the data ensures that confidentiality is protected even when the operating system is not running. Pre-boot authentication prevents unauthorized users from accessing encrypted drives.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
<Description><VulnDiscussion>If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can remove non-volatile memory and read it directly, thereby circumventing operating system controls. Encrypting the data ensures that confidentiality is protected even when the operating system is not running. Pre-boot authentication prevents unauthorized users from accessing encrypted drives.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||||
<DuplicateOf />
|
<DuplicateOf />
|
||||||
<Ensure>Present</Ensure>
|
<Ensure>Present</Ensure>
|
||||||
|
@ -2324,7 +2362,7 @@ Value: 0x00000001 (1)</RawString>
|
||||||
<ValueName>UseTPMPIN</ValueName>
|
<ValueName>UseTPMPIN</ValueName>
|
||||||
<ValueType>Dword</ValueType>
|
<ValueType>Dword</ValueType>
|
||||||
</Rule>
|
</Rule>
|
||||||
<Rule id="V-220704" severity="medium" conversionstatus="pass" title="SRG-OS-000185-GPOS-00079" dscresource="Registry">
|
<Rule id="V-220704" severity="high" conversionstatus="pass" title="SRG-OS-000185-GPOS-00079" dscresource="Registry">
|
||||||
<Description><VulnDiscussion>If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can remove non-volatile memory and read it directly, thereby circumventing operating system controls. Encrypting the data ensures that confidentiality is protected even when the operating system is not running. Pre-boot authentication prevents unauthorized users from accessing encrypted drives. Increasing the PIN length requires a greater number of guesses for an attacker.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
<Description><VulnDiscussion>If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can remove non-volatile memory and read it directly, thereby circumventing operating system controls. Encrypting the data ensures that confidentiality is protected even when the operating system is not running. Pre-boot authentication prevents unauthorized users from accessing encrypted drives. Increasing the PIN length requires a greater number of guesses for an attacker.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||||
<DuplicateOf />
|
<DuplicateOf />
|
||||||
<Ensure>Present</Ensure>
|
<Ensure>Present</Ensure>
|
||||||
|
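Review bot: the only change in this hunk is the severity attribute on V-220704 going from "medium" to "high" (`<Rule id="V-220704" severity="high" ...>`), with the VulnDiscussion text and the surrounding UseTPMPIN/Dword context untouched. Because this data file is produced by parsing the DISA benchmark, confirm that the V2R9 XCCDF itself raised this rule to high rather than this being a hand edit that the next conversion run will revert. A severity change is also user-visible (anyone filtering, reporting on or excepting rules by severity gets different results), so it deserves an explicit mention in the release notes rather than being folded into the generic "Ver 2, Rel 9" entry.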
@ -3556,7 +3594,7 @@ Value: 0x00000001 (1)</RawString>
|
||||||
<ValueType>Dword</ValueType>
|
<ValueType>Dword</ValueType>
|
||||||
</Rule>
|
</Rule>
|
||||||
<Rule id="V-220834" severity="medium" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="RegistryPolicyFile">
|
<Rule id="V-220834" severity="medium" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="RegistryPolicyFile">
|
||||||
<Description><VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Limiting this capability will prevent potentially sensitive information from being sent outside the enterprise. The "Security" option for Telemetry configures the lowest amount of data, effectively none outside of the Malicious Software Removal Tool (MSRT), Defender and telemetry client settings. "Basic" sends basic diagnostic and usage data and may be required to support some Microsoft services. "Enhanced" includes additional information on how Windows and apps are used and advanced reliability data. Windows Analytics can use a "limited enhanced" level to provide information such as health data for devices. This requires the configuration of an additional setting available with v1709 and later of Windows 10. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
<Description><VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Limiting this capability will prevent potentially sensitive information from being sent outside the enterprise. The "Security" option for Telemetry configures the lowest amount of data, effectively none outside of the Malicious Software Removal Tool (MSRT), Defender, and telemetry client settings. "Basic" sends basic diagnostic and usage data and may be required to support some Microsoft services. "Enhanced" includes additional information on how Windows and apps are used and advanced reliability data. Windows Analytics can use a "limited enhanced" level to provide information such as health data for devices. This requires the configuration of an additional setting available with v1709 and later of Windows 10.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||||
<DuplicateOf />
|
<DuplicateOf />
|
||||||
<Ensure>Present</Ensure>
|
<Ensure>Present</Ensure>
|
||||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||||
|
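Review bot: no functional change in this hunk; the VulnDiscussion for V-220834 gains a comma after "Defender" and loses the trailing space before `</VulnDiscussion>`. That is fine as far as it goes, but since the Description element is copied from the upstream benchmark text, verify the new wording matches what the V2R9 XCCDF actually contains; if it is a local tidy-up it will be overwritten the next time the STIG is re-parsed.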
@ -3575,7 +3613,7 @@ Type: REG_DWORD
|
||||||
Value: 0x00000000 (0) (Security)
|
Value: 0x00000000 (0) (Security)
|
||||||
0x00000001 (1) (Basic)
|
0x00000001 (1) (Basic)
|
||||||
|
|
||||||
If an organization is using v1709 or later of Windows 10 this may be configured to "Enhanced" to support Windows Analytics. V-82145 must also be configured to limit the Enhanced diagnostic data to the minimum required by Windows Analytics. This registry value will then be 0x00000002 (2).</RawString>
|
If an organization is using v1709 or later of Windows 10, this may be configured to "Enhanced" to support Windows Analytics. V-220833 must also be configured to limit the Enhanced diagnostic data to the minimum required by Windows Analytics. This registry value will then be 0x00000002 (2).</RawString>
|
||||||
<ValueData>0</ValueData>
|
<ValueData>0</ValueData>
|
||||||
<ValueName>AllowTelemetry</ValueName>
|
<ValueName>AllowTelemetry</ValueName>
|
||||||
<ValueType>Dword</ValueType>
|
<ValueType>Dword</ValueType>
|
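Review bot: the substantive change here is the cross-reference in the RawString moving from V-82145 to V-220833 (plus a comma after "Windows 10"). V-220833 fits the numbering of the surrounding rules (this rule is V-220834), but please confirm it is the rule in this file that limits Enhanced diagnostic data, since a wrong ID in the check text sends an assessor to the wrong finding. Note also that the RawString is reference text only: `<ValueData>0</ValueData>` is what gets enforced, so an organization that wants 0x00000002 (2) for Windows Analytics still has to supply that value by other means rather than expect this rule to set it.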