Update PowerSTIG to Parse/Apply U_MS_IIS_10-0_Y23M10_STIG #1280
Родитель
55db3d17d0
Коммит
0e59355475
@ -2,6 +2,8 @@
|
|||
|
||||
## [Unreleased]
|
||||
|
||||
* Update PowerSTIG to Parse/Apply U_MS_IIS_10-0_Y23M10_STIG: [#1280](https://github.com/microsoft/PowerStig/issues/1280)
|
||||
|
||||
## [4.18.0] - 2023-09-05
|
||||
|
||||
* Update PowerSTIG to Parse/Apply Red Hat Enterprise Linux 7 STIG V3R12: [#1254](https://github.com/microsoft/PowerStig/issues/1254)
|
||||
|
@ -1,97 +0,0 @@
|
|||
<!--
|
||||
The organizational settings file is used to define the local organizations
|
||||
preferred setting within an allowed range of the STIG.
|
||||
|
||||
Each setting in this file is linked by STIG ID and the valid range is in an
|
||||
associated comment.
|
||||
-->
|
||||
<OrganizationalSettings fullversion="2.5">
|
||||
<!-- Ensure ValueData is set to 0x00000006 (6) or greater -->
|
||||
<OrganizationalSetting id="V-220704" ValueData="" />
|
||||
<!-- Ensure ''V-220739'' -ge '15' -or ''V-220739'' -eq '0'-->
|
||||
<OrganizationalSetting id="V-220739" PolicyValue="15" />
|
||||
<!-- Ensure ''V-220740'' -le '3' -and ''V-220740'' -ne '0'-->
|
||||
<OrganizationalSetting id="V-220740" PolicyValue="3" />
|
||||
<!-- Ensure ''V-220741'' -ge '15'-->
|
||||
<OrganizationalSetting id="V-220741" PolicyValue="15" />
|
||||
<!-- Ensure ''V-220742'' -ge '24'-->
|
||||
<OrganizationalSetting id="V-220742" PolicyValue="24" />
|
||||
<!-- Ensure ''V-220743'' -le '60' -and ''V-220743'' -ne '0'-->
|
||||
<OrganizationalSetting id="V-220743" PolicyValue="30" />
|
||||
<!-- Ensure ''V-220744'' -ge '1'-->
|
||||
<OrganizationalSetting id="V-220744" PolicyValue="1" />
|
||||
<!-- Ensure ''V-220745'' -ge '14'-->
|
||||
<OrganizationalSetting id="V-220745" PolicyValue="14" />
|
||||
<!-- Ensure ''V-220779'' -ge '32768'-->
|
||||
<OrganizationalSetting id="V-220779" ValueData="32768" />
|
||||
<!-- Ensure ''V-220780'' -ge '1024000'-->
|
||||
<OrganizationalSetting id="V-220780" ValueData="1024000" />
|
||||
<!-- Ensure ''V-220781'' -ge '32768'-->
|
||||
<OrganizationalSetting id="V-220781" ValueData="32768" />
|
||||
<!-- Ensure ''V-220806'' -match '1|ShouldBeAbsent'-->
|
||||
<OrganizationalSetting id="V-220806" ValueData="1" />
|
||||
<!-- Ensure ''V-220811.b'' -match '1|3'-->
|
||||
<OrganizationalSetting id="V-220811.b" ValueData="1" />
|
||||
<!-- Ensure ''V-220813'' -match '1|3|8'-->
|
||||
<OrganizationalSetting id="V-220813" ValueData="1" />
|
||||
<!-- Ensure ''V-220818'' -match '1|ShouldBeAbsent'-->
|
||||
<OrganizationalSetting id="V-220818" ValueData="1" />
|
||||
<!-- Ensure 'V-220836.b' -eq 1|2-->
|
||||
<OrganizationalSetting id="V-220836.b" ValueData="1" />
|
||||
<!-- Ensure ''V-220837'' -match '0|ShouldBeAbsent'-->
|
||||
<OrganizationalSetting id="V-220837" ValueData="0" />
|
||||
<!-- Ensure ''V-220838'' -match '0|ShouldBeAbsent'-->
|
||||
<OrganizationalSetting id="V-220838" ValueData="0" />
|
||||
<!-- Ensure ''V-220839'' -match '0|ShouldBeAbsent'-->
|
||||
<OrganizationalSetting id="V-220839" ValueData="0" />
|
||||
<!-- Ensure ''V-220847'' -ge '6'-->
|
||||
<OrganizationalSetting id="V-220847" ValueData="6" />
|
||||
<!-- Ensure ''V-220854'' -match '0|ShouldBeAbsent'-->
|
||||
<OrganizationalSetting id="V-220854" ValueData="0" />
|
||||
<!-- Ensure ''V-220858'' -match '0|ShouldBeAbsent'-->
|
||||
<OrganizationalSetting id="V-220858" ValueData="0" />
|
||||
<!-- Ensure location for DoD Root CA 3 certificate is present-->
|
||||
<OrganizationalSetting id="V-220903.a" Location="" />
|
||||
<!-- Ensure location for DoD Root CA 4 certificate is present-->
|
||||
<OrganizationalSetting id="V-220903.b" Location="" />
|
||||
<!-- Ensure location for DoD Root CA 5 certificate is present-->
|
||||
<OrganizationalSetting id="V-220903.c" Location="" />
|
||||
<!-- Ensure location for DoD Interoperability Root CA 2 certificate is present-->
|
||||
<OrganizationalSetting id="V-220905.a" Location="" />
|
||||
<!-- Ensure location for DoD Interoperability Root CA 2 certificate is present-->
|
||||
<OrganizationalSetting id="V-220905.b" Location="" />
|
||||
<!-- Ensure location for US DoD CCEB Interoperability Root CA 2 certificate is present-->
|
||||
<OrganizationalSetting id="V-220906" Location="" />
|
||||
<!-- Ensure ''V-220911'' -ne 'Administrator'-->
|
||||
<OrganizationalSetting id="V-220911" OptionValue="" />
|
||||
<!-- Ensure ''V-220912'' -ne 'Guest'-->
|
||||
<OrganizationalSetting id="V-220912" OptionValue="" />
|
||||
<!-- Ensure ''V-220918'' -le '30' -and ''V-220918'' -gt '0'-->
|
||||
<OrganizationalSetting id="V-220918" ValueData="30" />
|
||||
<!-- Ensure ''V-220920'' -le '900' -and ''V-220920'' -gt '0'-->
|
||||
<OrganizationalSetting id="V-220920" ValueData="450" />
|
||||
<!-- Ensure 'V-220921' is set to the required legal notice before logon-->
|
||||
<OrganizationalSetting id="V-220921" ValueData="You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
|
||||
|
||||
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
|
||||
|
||||
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
|
||||
|
||||
-At any time, the USG may inspect and seize data stored on this IS.
|
||||
|
||||
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
|
||||
|
||||
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
|
||||
|
||||
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." />
|
||||
<!-- Ensure ''V-220922'' -match '^(DoD Notice and Consent Banner|US Department of Defense Warning Statement)$'-->
|
||||
<OrganizationalSetting id="V-220922" ValueData="US Department of Defense Warning Statement" />
|
||||
<!-- Ensure ''V-220923'' -le '10'-->
|
||||
<OrganizationalSetting id="V-220923" ValueData="10" />
|
||||
<!-- Ensure ''V-220924'' -match '1|2'-->
|
||||
<OrganizationalSetting id="V-220924" ValueData="1" />
|
||||
<!-- Ensure ''V-220955'' -match '2|ShouldBeAbsent'-->
|
||||
<OrganizationalSetting id="V-220955" ValueData="2" />
|
||||
<!-- Ensure ''V-252903'' -match '1|2'-->
|
||||
<OrganizationalSetting id="V-252903" ValueData="1" />
|
||||
</OrganizationalSettings>
@ -0,0 +1,83 @@
|
|||
<!--
|
||||
The organizational settings file is used to define the local organizations
|
||||
preferred setting within an allowed range of the STIG.
|
||||
|
||||
Each setting in this file is linked by STIG ID and the valid range is in an
|
||||
associated comment.
|
||||
-->
|
||||
<OrganizationalSettings fullversion="2.8">
|
||||
<!-- Ensure ValueData is set to 0x00000006 (6) or greater -->
|
||||
<OrganizationalSetting id="V-220704" ValueData="" />
|
||||
<!-- Ensure ''V-220739'' -ge '15' -or ''V-220739'' -eq '0'-->
|
||||
<OrganizationalSetting id="V-220739" PolicyValue="" />
|
||||
<!-- Ensure ''V-220740'' -le '3' -and ''V-220740'' -ne '0'-->
|
||||
<OrganizationalSetting id="V-220740" PolicyValue="" />
|
||||
<!-- Ensure ''V-220741'' -ge '15'-->
|
||||
<OrganizationalSetting id="V-220741" PolicyValue="" />
|
||||
<!-- Ensure ''V-220742'' -ge '24'-->
|
||||
<OrganizationalSetting id="V-220742" PolicyValue="" />
|
||||
<!-- Ensure ''V-220743'' -le '60' -and ''V-220743'' -ne '0'-->
|
||||
<OrganizationalSetting id="V-220743" PolicyValue="" />
|
||||
<!-- Ensure ''V-220744'' -ge '1'-->
|
||||
<OrganizationalSetting id="V-220744" PolicyValue="" />
|
||||
<!-- Ensure ''V-220745'' -ge '14'-->
|
||||
<OrganizationalSetting id="V-220745" PolicyValue="" />
|
||||
<!-- Ensure ''V-220779'' -ge '32768'-->
|
||||
<OrganizationalSetting id="V-220779" ValueData="" />
|
||||
<!-- Ensure ''V-220780'' -ge '1024000'-->
|
||||
<OrganizationalSetting id="V-220780" ValueData="" />
|
||||
<!-- Ensure ''V-220781'' -ge '32768'-->
|
||||
<OrganizationalSetting id="V-220781" ValueData="" />
|
||||
<!-- Ensure ''V-220806'' -match '3|ShouldBeAbsent'-->
|
||||
<OrganizationalSetting id="V-220806" ValueData="" />
|
||||
<!-- Ensure ''V-220811.b'' -match '1|3'-->
|
||||
<OrganizationalSetting id="V-220811.b" ValueData="" />
|
||||
<!-- Ensure ''V-220813'' -match '1|3|8'-->
|
||||
<OrganizationalSetting id="V-220813" ValueData="" />
|
||||
<!-- Ensure ''V-220818'' -match '1|ShouldBeAbsent'-->
|
||||
<OrganizationalSetting id="V-220818" ValueData="" />
|
||||
<!-- Ensure 'V-220836.b' -eq 1|2-->
|
||||
<OrganizationalSetting id="V-220836.b" ValueData="" />
|
||||
<!-- Ensure ''V-220837'' -match '0|ShouldBeAbsent'-->
|
||||
<OrganizationalSetting id="V-220837" ValueData="" />
|
||||
<!-- Ensure ''V-220838'' -match '0|ShouldBeAbsent'-->
|
||||
<OrganizationalSetting id="V-220838" ValueData="" />
|
||||
<!-- Ensure ''V-220839'' -match '0|ShouldBeAbsent'-->
|
||||
<OrganizationalSetting id="V-220839" ValueData="" />
|
||||
<!-- Ensure ''V-220847'' -ge '6'-->
|
||||
<OrganizationalSetting id="V-220847" ValueData="" />
|
||||
<!-- Ensure ''V-220854'' -match '0|ShouldBeAbsent'-->
|
||||
<OrganizationalSetting id="V-220854" ValueData="" />
|
||||
<!-- Ensure ''V-220858'' -match '0|ShouldBeAbsent'-->
|
||||
<OrganizationalSetting id="V-220858" ValueData="" />
|
||||
<!-- Ensure location for DoD Root CA 3 certificate is present-->
|
||||
<OrganizationalSetting id="V-220903.a" Location="" />
|
||||
<!-- Ensure location for DoD Root CA 4 certificate is present-->
|
||||
<OrganizationalSetting id="V-220903.b" Location="" />
|
||||
<!-- Ensure location for DoD Root CA 5 certificate is present-->
|
||||
<OrganizationalSetting id="V-220903.c" Location="" />
|
||||
<!-- Ensure location for DoD Interoperability Root CA 2 certificate is present-->
|
||||
<OrganizationalSetting id="V-220905" Location="" />
|
||||
<!-- Ensure location for US DoD CCEB Interoperability Root CA 2 certificate is present-->
|
||||
<OrganizationalSetting id="V-220906" Location="" />
|
||||
<!-- Ensure ''V-220911'' -ne 'Administrator'-->
|
||||
<OrganizationalSetting id="V-220911" OptionValue="" />
|
||||
<!-- Ensure ''V-220912'' -ne 'Guest'-->
|
||||
<OrganizationalSetting id="V-220912" OptionValue="" />
|
||||
<!-- Ensure ''V-220918'' -le '30' -and ''V-220918'' -gt '0'-->
|
||||
<OrganizationalSetting id="V-220918" ValueData="" />
|
||||
<!-- Ensure ''V-220920'' -le '900' -and ''V-220920'' -gt '0'-->
|
||||
<OrganizationalSetting id="V-220920" ValueData="" />
|
||||
<!-- Ensure 'V-220921' is set to the required legal notice before logon-->
|
||||
<OrganizationalSetting id="V-220921" ValueData="" />
|
||||
<!-- Ensure ''V-220922'' -match '^(DoD Notice and Consent Banner|US Department of Defense Warning Statement)$'-->
|
||||
<OrganizationalSetting id="V-220922" ValueData="" />
|
||||
<!-- Ensure ''V-220923'' -le '10'-->
|
||||
<OrganizationalSetting id="V-220923" ValueData="" />
|
||||
<!-- Ensure ''V-220924'' -match '1|2'-->
|
||||
<OrganizationalSetting id="V-220924" ValueData="" />
|
||||
<!-- Ensure ''V-220955'' -match '2|ShouldBeAbsent'-->
|
||||
<OrganizationalSetting id="V-220955" ValueData="" />
|
||||
<!-- Ensure ''V-252903'' -match '1|2'-->
|
||||
<OrganizationalSetting id="V-252903" ValueData="" />
|
||||
</OrganizationalSettings>
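Review bot: Every organizational value in this new 2.8 default file is empty (`PolicyValue=""` / `ValueData=""`), whereas the 2.5 file this commit deletes shipped in-range defaults such as `<OrganizationalSetting id="V-220739" PolicyValue="15" />` and `<OrganizationalSetting id="V-220918" ValueData="30" />`; an empty string cannot satisfy the adjacent range comments (e.g. `''V-220739'' -ge '15'`), so unless a later conversion step fills these in, anyone compiling the Windows 10 2.8 STIG without a custom org settings file will presumably fail org-setting validation, or worse apply no value at all for the lockout, password-age and inactivity-timeout controls. The V-220921 logon-banner text is likewise dropped, so the DoD legal notice is no longer set by default and its "is set to the required legal notice" comment gives users no hint of the expected content. Note also that V-220806's allowed range changed from `1|ShouldBeAbsent` to `3|ShouldBeAbsent` and V-220905.a/.b collapsed into a single V-220905, so a 2.5 org settings file carried over as-is would fail on those IDs; that compatibility caveat belongs in the changelog, whose only new entry mentions the IIS 10 STIG rather than this Windows 10 V2R8 update.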
@ -1,4 +1,4 @@
|
|||
<DISASTIG version="2" classification="UNCLASSIFIED" customname="" stigid="MS_Windows_10_STIG" description="This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil." filename="U_MS_Windows_10_STIG_V2R5_Manual-xccdf.xml" releaseinfo="Release: 5 Benchmark Date: 14 Nov 2022 3.4.0.34222 1.10.0" title="Microsoft Windows 10 Security Technical Implementation Guide" notice="terms-of-use" source="STIG.DOD.MIL" fullversion="2.5" created="11/15/2022">
|
||||
<DISASTIG version="2" classification="UNCLASSIFIED" customname="" stigid="MS_Windows_10_STIG" description="This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil." filename="U_MS_Windows_10_STIG_V2R8_Manual-xccdf.xml" releaseinfo="Release: 8 Benchmark Date: 09 Nov 2023 3.4.1.22916 1.10.0" title="Microsoft Windows 10 Security Technical Implementation Guide" notice="terms-of-use" source="STIG.DOD.MIL" fullversion="2.8" created="11/17/2023">
|
||||
<AccountPolicyRule dscresourcemodule="SecurityPolicyDsc">
|
||||
<Rule id="V-220739" severity="medium" conversionstatus="pass" title="SRG-OS-000329-GPOS-00128" dscresource="AccountPolicy">
|
||||
<Description><VulnDiscussion>The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the amount of time that an account will remain locked after the specified number of failed logon attempts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
|
@ -1000,7 +1000,7 @@ Policy Change >> MPSSVC Rule-Level Policy Change - Failure
|
|||
New versions with feature updates are planned to be released on a semiannual basis with an estimated support timeframe of 18 to 30 months depending on the release. Support for previously released versions has been extended for Enterprise editions.
|
||||
|
||||
A separate servicing branch intended for special-purpose systems is the Long-Term Servicing Channel (LTSC, formerly Branch - LTSB), which will receive security updates for 10 years but excludes feature updates.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DesiredValue>10.0.190</DesiredValue>
|
||||
<DesiredValue>10.0.220</DesiredValue>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>V-63349</LegacyId>
|
||||
|
@ -1013,15 +1013,14 @@ A separate servicing branch intended for special-purpose systems is the Long-Ter
|
|||
|
||||
If the "About Windows" dialog box does not display the following or greater, this is a finding:
|
||||
|
||||
"Microsoft Windows Version 20H2 (OS Build 190xx.x)"
|
||||
"Microsoft Windows Version 21H2 (OS Build 220xx.x)"
|
||||
|
||||
Note: Microsoft has extended support for previous versions, providing critical and important updates for Windows 10 Enterprise.
|
||||
|
||||
Microsoft scheduled end-of-support dates for current Semi-Annual Channel versions:
|
||||
|
||||
v20H2 - 9 May 2023
|
||||
v21H1 - 13 Dec 2022
|
||||
v21H2 - 11 June 2024
|
||||
v22H2 - 14 Oct 2025
|
||||
v21H2 - 13 Jun 2024
|
||||
|
||||
No preview versions will be used in a production environment.
|
||||
|
||||
|
@ -1158,12 +1157,12 @@ Approval must be documented with the ISSO.</RawString>
|
|||
<LegacyId>V-102611</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Ensure there is a documented policy or procedure in place that non-persistent VM sessions do not exceed 24 hours.
|
||||
<RawString>Ensure there is a documented policy or procedure in place that nonpersistent VM sessions do not exceed 24 hours. If the system is NOT a nonpersistent VM, this is Not Applicable.
|
||||
|
||||
If there is no such documented policy or procedure in place, this is a finding.</RawString>
|
||||
If no such documented policy or procedure is in place, this is a finding.</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-220946" severity="medium" conversionstatus="pass" title="SRG-OS-000105-GPOS-00052" dscresource="None">
|
||||
<Description><VulnDiscussion>Without the use of multifactor authentication, the ease of access to privileged and non-privileged functions is greatly increased.
|
||||
<Description><VulnDiscussion>Without the use of multifactor authentication, the ease of access to privileged and nonprivileged functions is greatly increased.
|
||||
|
||||
All domain accounts must be enabled for multifactor authentication with the exception of local emergency accounts.
|
||||
|
||||
|
@ -1172,9 +1171,7 @@ Multifactor authentication requires using two or more factors to achieve authent
|
|||
Factors include:
|
||||
|
||||
1) Something a user knows (e.g., password/PIN);
|
||||
|
||||
2) Something a user has (e.g., cryptographic identification device, token); and
|
||||
|
||||
3) Something a user is (e.g., biometric).
|
||||
|
||||
A privileged account is defined as an information system account with authorizations of a privileged user.
|
||||
|
@ -1296,23 +1293,23 @@ If the operating system drive or any fixed data drives have "Turn on BitLocker",
|
|||
NOTE: An alternate encryption application may be used in lieu of BitLocker providing it is configured for full disk encryption and satisfies the pre-boot authentication requirements (WN10-00-000031 and WN10-00-000032).</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-220705" severity="medium" conversionstatus="pass" title="SRG-OS-000370-GPOS-00155" dscresource="None">
|
||||
<Description><VulnDiscussion>Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities.
|
||||
<Description><VulnDiscussion>Utilizing an allowlist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities.
|
||||
|
||||
The organization must identify authorized software programs and only permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
The organization must identify authorized software programs and only permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as allowlisting.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>V-63345</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>This is applicable to unclassified systems; for other systems this is NA.
|
||||
<RawString>This is applicable to unclassified systems; for other systems, this is Not Applicable.
|
||||
|
||||
Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs. This must include packaged apps such as the universals apps installed by default on systems.
|
||||
Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs. This must include packaged apps such as the universal apps installed by default on systems.
|
||||
|
||||
If an application whitelisting program is not in use on the system, this is a finding.
|
||||
If an application allowlisting program is not in use on the system, this is a finding.
|
||||
|
||||
Configuration of whitelisting applications will vary by the program.
|
||||
Configuration of allowlisting applications will vary by the program.
|
||||
|
||||
AppLocker is a whitelisting application built into Windows 10 Enterprise. A deny-by-default implementation is initiated by enabling any AppLocker rules within a category, only allowing what is specified by defined rules.
|
||||
AppLocker is an allowlisting application built into Windows 10 Enterprise. A deny-by-default implementation is initiated by enabling any AppLocker rules within a category, only allowing what is specified by defined rules.
|
||||
|
||||
If AppLocker is used, perform the following to view the configuration of AppLocker:
|
||||
Run "PowerShell".
|
||||
|
@ -1322,9 +1319,9 @@ Get-AppLockerPolicy -Effective -XML > c:\temp\file.xml
|
|||
|
||||
This will produce an xml file with the effective settings that can be viewed in a browser or opened in a program such as Excel for review.
|
||||
|
||||
Implementation guidance for AppLocker is available in the NSA paper "Application Whitelisting using Microsoft AppLocker" at the following link:
|
||||
Implementation guidance for AppLocker is available at the following link:
|
||||
|
||||
https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm</RawString>
|
||||
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-220707" severity="high" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="None">
|
||||
<Description><VulnDiscussion>Malicious software can establish a base on individual desktops and servers. Employing an automated mechanism to detect this type of software will aid in elimination of the software from the operating system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
|
@ -1438,13 +1435,16 @@ If the group contains any accounts, the accounts must be specifically for backup
|
|||
If the group contains any standard user accounts used for performing normal user tasks, this is a finding.</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-220715" severity="low" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="None">
|
||||
<Description><VulnDiscussion>To minimize potential points of attack, local user accounts, other than built-in accounts and local administrator accounts, must not exist on a workstation in a domain. Users must log onto workstations in a domain with their domain accounts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>To minimize potential points of attack, local user accounts, other than built-in accounts and local administrator accounts, must not exist on a workstation in a domain. Users must log on to workstations in a domain with their domain accounts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>V-63367</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Run "Computer Management".
|
||||
<RawString>For standalone or nondomain-joined systems, this is Not Applicable.
|
||||
|
||||
Run "Computer Management".
|
||||
|
||||
Navigate to System Tools >> Local Users and Groups >> Users.
|
||||
|
||||
If local users other than the accounts listed below exist on a workstation in a domain, this is a finding.
|
||||
|
@ -1592,10 +1592,6 @@ Get-ChildItem -Path Cert:Localmachine\root | Where Subject -Like "*ECA*" | FL Su
|
|||
|
||||
If the following certificate "Subject" and "Thumbprint" information is not displayed, this is a finding.
|
||||
|
||||
Subject: CN=ECA Root CA 2, OU=ECA, O=U.S. Government, C=US
|
||||
Thumbprint: C313F919A6ED4E0E8451AFA930FB419A20F181E4
|
||||
NotAfter: 3/30/2028
|
||||
|
||||
Subject: CN=ECA Root CA 4, OU=ECA, O=U.S. Government, C=US
|
||||
Thumbprint: 73E8BB08E337D6A5A6AEF90CFFDD97D9176CB582
|
||||
NotAfter: 12/30/2029
|
||||
|
@ -1624,34 +1620,89 @@ Select the "Details" Tab.
|
|||
|
||||
Scroll to the bottom and select "Thumbprint".
|
||||
|
||||
If the ECA Root CA certificates below are not listed or the value for the "Thumbprint" field is not as noted, this is a finding.
|
||||
|
||||
ECA Root CA 2
|
||||
Thumbprint: C313F919A6ED4E0E8451AFA930FB419A20F181E4
|
||||
Valid to: Thursday, March 30, 2028
|
||||
If the ECA Root CA certificate below is not listed or the value for the "Thumbprint" field is not as noted, this is a finding.
|
||||
|
||||
ECA Root CA 4
|
||||
Thumbprint: 73E8BB08E337D6A5A6AEF90CFFDD97D9176CB582
|
||||
Valid to: Sunday, December 30, 2029</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-220952" severity="medium" conversionstatus="pass" title="SRG-OS-000076-GPOS-00044" dscresource="None">
|
||||
<Description><VulnDiscussion>The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the password. A local Administrator account is not generally used and its password not may be changed as frequently as necessary. Changing the password for enabled Administrator accounts on a regular basis will limit its exposure.
|
||||
<Description><VulnDiscussion>The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the password. A local Administrator account is not generally used and its password may not be changed as frequently as necessary. Changing the password for enabled Administrator accounts on a regular basis will limit its exposure.
|
||||
|
||||
It is highly recommended to use Microsoft's Local Administrator Password Solution (LAPS). Domain-joined systems can configure this to occur more frequently. LAPS will change the password every "30" days by default. The AO still has the overall authority to use another equivalent capability to accomplish the check.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
Windows LAPS must be used to change the built-in Administrator account password.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>V-99555</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Review the password last set date for the enabled local Administrator account.
|
||||
<RawString>If there are no enabled local Administrator accounts, this is Not Applicable.
|
||||
|
||||
On the local domain joined workstation:
|
||||
Review the password last set date for the enabled local Administrator account.
|
||||
|
||||
On the local domain-joined workstation:
|
||||
|
||||
Open "PowerShell".
|
||||
|
||||
Enter "Get-LocalUser –Name * | Select-Object *”
|
||||
Enter "Get-LocalUser -Name * | Select-Object *".
|
||||
|
||||
If the "PasswordLastSet" date is greater than "60" days old for the local Administrator account for administering the computer/domain, this is a finding.</RawString>
|
||||
If the "PasswordLastSet" date is greater than "60" days old for the local Administrator account for administering the computer/domain, this is a finding.
|
||||
|
||||
Verify LAPS is configured and operational.
|
||||
|
||||
Navigate to Local Computer Policy >> Computer Configuration >> Administrative Templates >> System >> LAPS >> Password Settings >> Set to enabled. Password Complexity, large letters + small letters + numbers + special, Password Length 14, Password Age 60. If not configured as shown, this is a finding.
|
||||
|
||||
Navigate to Local Computer Policy >> Computer Configuration >> Administrative Templates >> System >> LAPS >> Password Settings >> Name of administrator Account to manage >> Set to enabled >> Administrator account name is populated. If it is not, this is a finding.
|
||||
|
||||
Verify LAPS Operational logs >> Event Viewer >> Applications and Services Logs >> Microsoft >> Windows >> LAPS >> Operational. Verify LAPS policy process is completing. If it is not, this is a finding.</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-256894" severity="medium" conversionstatus="pass" title="SRG-OS-000185-GPOS-00079" dscresource="None">
|
||||
<Description><VulnDiscussion>Internet Explorer 11 (IE11) is no longer supported on Windows 10 semi-annual channel. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>
|
||||
</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Determine if IE11 is installed or enabled on Windows 10 semi-annual channel.
|
||||
|
||||
If IE11 is installed or not disabled on Windows 10 semi-annual channel, this is a finding.
|
||||
|
||||
If IE11 is installed on a unsupported operating system and is enabled or installed, this is a finding.
|
||||
|
||||
For more information, visit: https://learn.microsoft.com/en-us/lifecycle/faq/internet-explorer-microsoft-edge#what-is-the-lifecycle-policy-for-internet-explorer-</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-257589" severity="medium" conversionstatus="pass" title="SRG-OS-000037-GPOS-00015" dscresource="None">
|
||||
<Description><VulnDiscussion>When this policy setting is enabled, the operating system generates audit events when a process fails to start and the name of the program or user that created it.
|
||||
|
||||
These audit events can assist in understanding how a computer is being used and tracking user activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>
|
||||
</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Ensure Audit Process Creation auditing has been enabled:
|
||||
|
||||
Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> Detailed Tracking >> Set to "Failure".
|
||||
|
||||
If "Audit Process Creation" is not set to "Failure", this is a finding.</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-257593" severity="medium" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="None">
|
||||
<Description><VulnDiscussion>Having portproxy enabled or configured in Windows 10 could allow a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>
|
||||
</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Check the registry key for existence of proxied ports:
|
||||
HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\.
|
||||
|
||||
If the key contains v4tov4\tcp\ or is populated v4tov4\tcp\, this is a finding.
|
||||
|
||||
Run "netsh interface portproxy show all".
|
||||
|
||||
If the command displays any results, this is a finding.</RawString>
|
||||
</Rule>
|
||||
</ManualRule>
|
||||
<PermissionRule dscresourcemodule="AccessControlDsc">
|
||||
|
@ -1708,9 +1759,9 @@ If the "PasswordLastSet" date is greater than "60" days old for the local Admini
|
|||
<Path>%SystemDrive%\</Path>
|
||||
<RawString>The default file system permissions are adequate when the Security Option "Network access: Let Everyone permissions apply to anonymous users" is set to "Disabled" (WN10-SO-000160).
|
||||
If the default file system permissions are maintained and the referenced option is set to "Disabled", this is not a finding.
|
||||
Verify the default permissions for the sample directories below. Non-privileged groups such as Users or Authenticated Users must not have greater than Read & execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.)
|
||||
Verify the default permissions for the sample directories below. Nonprivileged groups such as Users or Authenticated Users must not have greater than Read & execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.)
|
||||
Viewing in File Explorer:
|
||||
Select the "Security" tab, and the "Advanced" button.
|
||||
Select the "Security" tab and the "Advanced" button.
|
||||
C:\
|
||||
Type - "Allow" for all
|
||||
Inherited from - "None" for all
|
||||
|
@ -1808,9 +1859,9 @@ Alternately use icacls.
|
|||
<Path>%ProgramFiles%</Path>
|
||||
<RawString>The default file system permissions are adequate when the Security Option "Network access: Let Everyone permissions apply to anonymous users" is set to "Disabled" (WN10-SO-000160).
|
||||
If the default file system permissions are maintained and the referenced option is set to "Disabled", this is not a finding.
|
||||
Verify the default permissions for the sample directories below. Non-privileged groups such as Users or Authenticated Users must not have greater than Read & execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.)
|
||||
Verify the default permissions for the sample directories below. Nonprivileged groups such as Users or Authenticated Users must not have greater than Read & execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.)
|
||||
Viewing in File Explorer:
|
||||
Select the "Security" tab, and the "Advanced" button.
|
||||
Select the "Security" tab and the "Advanced" button.
|
||||
\Program Files
|
||||
Type - "Allow" for all
|
||||
Inherited from - "None" for all
|
||||
|
@ -1912,9 +1963,9 @@ Alternately use icacls.
|
|||
<Path>%Windir%</Path>
|
||||
<RawString>The default file system permissions are adequate when the Security Option "Network access: Let Everyone permissions apply to anonymous users" is set to "Disabled" (WN10-SO-000160).
|
||||
If the default file system permissions are maintained and the referenced option is set to "Disabled", this is not a finding.
|
||||
Verify the default permissions for the sample directories below. Non-privileged groups such as Users or Authenticated Users must not have greater than Read & execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.)
|
||||
Verify the default permissions for the sample directories below. Nonprivileged groups such as Users or Authenticated Users must not have greater than Read & execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.)
|
||||
Viewing in File Explorer:
|
||||
Select the "Security" tab, and the "Advanced" button.
|
||||
Select the "Security" tab and the "Advanced" button.
|
||||
\Windows
|
||||
Type - "Allow" for all
|
||||
Inherited from - "None" for all
|
||||
|
@ -2314,7 +2365,7 @@ Value: 0x00000001 (1)</RawString>
|
|||
<ValueType>Dword</ValueType>
|
||||
</Rule>
|
||||
<Rule id="V-220704" severity="medium" conversionstatus="pass" title="SRG-OS-000185-GPOS-00079" dscresource="Registry">
|
||||
<Description><VulnDiscussion>If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can remove non-volatile memory and read it directly, thereby circumventing operating system controls. Encrypting the data ensures that confidentiality is protected even when the operating system is not running. Pre-boot authentication prevents unauthorized users from accessing encrypted drives. Increasing the pin length requires a greater number of guesses for an attacker.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can remove non-volatile memory and read it directly, thereby circumventing operating system controls. Encrypting the data ensures that confidentiality is protected even when the operating system is not running. Pre-boot authentication prevents unauthorized users from accessing encrypted drives. Increasing the PIN length requires a greater number of guesses for an attacker.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
|
@ -2849,7 +2900,7 @@ Value: NistP384 NistP256</RawString>
|
|||
<ValueType>MultiString</ValueType>
|
||||
</Rule>
|
||||
<Rule id="V-220806" severity="medium" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="RegistryPolicyFile">
|
||||
<Description><VulnDiscussion>Multiple network connections can provide additional attack vectors to a system and must be limited. The "Minimize the number of simultaneous connections to the Internet or a Windows Domain" setting prevents systems from automatically establishing multiple connections. When both wired and wireless connections are available, for example, the less-preferred connection (typically wireless) will be disconnected.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>Multiple network connections can provide additional attack vectors to a system and must be limited. The "Minimize the number of simultaneous connections to the Internet or a Windows Domain" setting prevents systems from automatically establishing multiple connections. When both wired and wireless connections are available, for example, the less-preferred connection (typically wireless) will be disconnected.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
|
@ -3017,13 +3068,14 @@ Value: 1 (Secure Boot only) or 3 (Secure Boot and DMA Protection)</RawString>
|
|||
<OrganizationValueTestString />
|
||||
<RawString>Confirm Credential Guard is running on domain-joined systems.
|
||||
|
||||
For those devices that support Credential Guard, this feature must be enabled. Organizations need to take the appropriate action to acquire and implement compatible hardware with Credential Guard enabled.
|
||||
For devices that support Credential Guard, this feature must be enabled. Organizations must take the appropriate action to acquire and implement compatible hardware with Credential Guard enabled.
|
||||
|
||||
Virtualization based security, including Credential Guard, currently cannot be implemented in virtual desktop implementations (VDI) due to specific supporting requirements including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within the virtual desktop.
|
||||
Virtualization based security, including Credential Guard, currently cannot be implemented in virtual desktop implementations (VDIs) due to specific supporting requirements including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within the virtual desktop.
|
||||
|
||||
For VDIs where the virtual desktop instance is deleted or refreshed upon logoff, this is NA.
|
||||
For VDIs where the virtual desktop instance is deleted or refreshed upon logoff, this is Not Applicable.
|
||||
|
||||
Run "PowerShell" with elevated privileges (run as administrator).
|
||||
|
||||
Enter the following:
|
||||
"Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard"
|
||||
|
||||
|
@ -3032,8 +3084,10 @@ If "SecurityServicesRunning" does not include a value of "1" (e.g., "{1, 2}"), t
|
|||
Alternately:
|
||||
|
||||
Run "System Information".
|
||||
|
||||
Under "System Summary", verify the following:
|
||||
If "Device Guard Security Services Running" does not list "Credential Guard", this is finding.
|
||||
|
||||
If "Virtualization-based Security Services Running" does not list "Credential Guard", this is finding.
|
||||
|
||||
The policy settings referenced in the Fix section will configure the following registry value. However, due to hardware requirements, the registry value alone does not ensure proper function.
|
||||
|
||||
|
@ -3042,9 +3096,7 @@ Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\
|
|||
|
||||
Value Name: LsaCfgFlags
|
||||
Value Type: REG_DWORD
|
||||
Value: 0x00000001 (1) (Enabled with UEFI lock)
|
||||
|
||||
</RawString>
|
||||
Value: 0x00000001 (1) (Enabled with UEFI lock)</RawString>
|
||||
<ValueData>1</ValueData>
|
||||
<ValueName>LsaCfgFlags</ValueName>
|
||||
<ValueType>Dword</ValueType>
|
||||
|
@ -3544,7 +3596,7 @@ Value: 0x00000001 (1)</RawString>
|
|||
<ValueType>Dword</ValueType>
|
||||
</Rule>
|
||||
<Rule id="V-220834" severity="medium" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="RegistryPolicyFile">
|
||||
<Description><VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Limiting this capability will prevent potentially sensitive information from being sent outside the enterprise. The "Security" option for Telemetry configures the lowest amount of data, effectively none outside of the Malicious Software Removal Tool (MSRT), Defender and telemetry client settings. "Basic" sends basic diagnostic and usage data and may be required to support some Microsoft services. "Enhanced" includes additional information on how Windows and apps are used and advanced reliability data. Windows Analytics can use a "limited enhanced" level to provide information such as health data for devices. This requires the configuration of an additional setting available with v1709 and later of Windows 10. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Limiting this capability will prevent potentially sensitive information from being sent outside the enterprise. The "Security" option for Telemetry configures the lowest amount of data, effectively none outside of the Malicious Software Removal Tool (MSRT), Defender, and telemetry client settings. "Basic" sends basic diagnostic and usage data and may be required to support some Microsoft services. "Enhanced" includes additional information on how Windows and apps are used and advanced reliability data. Windows Analytics can use a "limited enhanced" level to provide information such as health data for devices. This requires the configuration of an additional setting available with v1709 and later of Windows 10.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
|
@ -3563,7 +3615,7 @@ Type: REG_DWORD
|
|||
Value: 0x00000000 (0) (Security)
|
||||
0x00000001 (1) (Basic)
|
||||
|
||||
If an organization is using v1709 or later of Windows 10 this may be configured to "Enhanced" to support Windows Analytics. V-82145 must also be configured to limit the Enhanced diagnostic data to the minimum required by Windows Analytics. This registry value will then be 0x00000002 (2).</RawString>
|
||||
If an organization is using v1709 or later of Windows 10, this may be configured to "Enhanced" to support Windows Analytics. V-220833 must also be configured to limit the Enhanced diagnostic data to the minimum required by Windows Analytics. This registry value will then be 0x00000002 (2).</RawString>
|
||||
<ValueData>0</ValueData>
|
||||
<ValueName>AllowTelemetry</ValueName>
|
||||
<ValueType>Dword</ValueType>
|
||||
|
@ -5621,7 +5673,7 @@ Value: 0x00000001 (1) (Enabled with UEFI lock), or 0x00000002 (2) (Enabled witho
|
|||
<RootCertificateRule dscresourcemodule="CertificateDsc">
|
||||
<Rule id="V-220903.a" severity="medium" conversionstatus="pass" title="SRG-OS-000066-GPOS-00034" dscresource="CertificateDSC">
|
||||
<CertificateName>DoD Root CA 3</CertificateName>
|
||||
<Description><VulnDiscussion>To ensure secure DoD websites and DoD-signed code are properly validated, the system must trust the DoD Root Certificate Authorities (CAs). The DoD root certificates will ensure the trust chain is established for server certificates issued from the DoD CAs.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>To ensure secure DoD websites and DoD-signed code are properly validated, the system must trust the DoD Root Certificate Authorities (CAs). The DoD root certificates will ensure the trust chain is established for server certificates issued from the DoD CAs.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>V-63579.a</LegacyId>
|
||||
|
@ -5633,7 +5685,7 @@ Value: 0x00000001 (1) (Enabled with UEFI lock), or 0x00000002 (2) (Enabled witho
|
|||
</Rule>
|
||||
<Rule id="V-220903.b" severity="medium" conversionstatus="pass" title="SRG-OS-000066-GPOS-00034" dscresource="CertificateDSC">
|
||||
<CertificateName>DoD Root CA 4</CertificateName>
|
||||
<Description><VulnDiscussion>To ensure secure DoD websites and DoD-signed code are properly validated, the system must trust the DoD Root Certificate Authorities (CAs). The DoD root certificates will ensure the trust chain is established for server certificates issued from the DoD CAs.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>To ensure secure DoD websites and DoD-signed code are properly validated, the system must trust the DoD Root Certificate Authorities (CAs). The DoD root certificates will ensure the trust chain is established for server certificates issued from the DoD CAs.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>V-63579.b</LegacyId>
|
||||
|
@ -5645,7 +5697,7 @@ Value: 0x00000001 (1) (Enabled with UEFI lock), or 0x00000002 (2) (Enabled witho
|
|||
</Rule>
|
||||
<Rule id="V-220903.c" severity="medium" conversionstatus="pass" title="SRG-OS-000066-GPOS-00034" dscresource="CertificateDSC">
|
||||
<CertificateName>DoD Root CA 5</CertificateName>
|
||||
<Description><VulnDiscussion>To ensure secure DoD websites and DoD-signed code are properly validated, the system must trust the DoD Root Certificate Authorities (CAs). The DoD root certificates will ensure the trust chain is established for server certificates issued from the DoD CAs.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>To ensure secure DoD websites and DoD-signed code are properly validated, the system must trust the DoD Root Certificate Authorities (CAs). The DoD root certificates will ensure the trust chain is established for server certificates issued from the DoD CAs.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>V-63579.c</LegacyId>
|
||||
|
@ -5655,28 +5707,60 @@ Value: 0x00000001 (1) (Enabled with UEFI lock), or 0x00000002 (2) (Enabled witho
|
|||
<RawString>DoD Root CA 5,4ECB5CC3095670454DA1CBD410FC921F46B8564B</RawString>
|
||||
<Thumbprint>4ECB5CC3095670454DA1CBD410FC921F46B8564B</Thumbprint>
|
||||
</Rule>
|
||||
<Rule id="V-220905.a" severity="medium" conversionstatus="pass" title="SRG-OS-000066-GPOS-00034" dscresource="CertificateDSC">
|
||||
<Rule id="V-220905" severity="medium" conversionstatus="pass" title="SRG-OS-000066-GPOS-00034" dscresource="CertificateDSC">
|
||||
<CertificateName>DoD Interoperability Root CA 2</CertificateName>
|
||||
<Description><VulnDiscussion>To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CAs, the DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. This requirement only applies to unclassified systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>V-63587.a</LegacyId>
|
||||
<LegacyId>V-63587</LegacyId>
|
||||
<Location />
|
||||
<OrganizationValueRequired>True</OrganizationValueRequired>
|
||||
<OrganizationValueTestString>location for DoD Interoperability Root CA 2 certificate is present</OrganizationValueTestString>
|
||||
<RawString>DoD Interoperability Root CA 2,AC06108CA348CC03B53795C64BF84403C1DBD341</RawString>
|
||||
<Thumbprint>AC06108CA348CC03B53795C64BF84403C1DBD341</Thumbprint>
|
||||
</Rule>
|
||||
<Rule id="V-220905.b" severity="medium" conversionstatus="pass" title="SRG-OS-000066-GPOS-00034" dscresource="CertificateDSC">
|
||||
<CertificateName>DoD Interoperability Root CA 2</CertificateName>
|
||||
<Description><VulnDiscussion>To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CAs, the DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. This requirement only applies to unclassified systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>V-63587.b</LegacyId>
|
||||
<Location />
|
||||
<OrganizationValueRequired>True</OrganizationValueRequired>
|
||||
<OrganizationValueTestString>location for DoD Interoperability Root CA 2 certificate is present</OrganizationValueTestString>
|
||||
<RawString>DoD Interoperability Root CA 2,49CBE933151872E17C8EAE7F0ABA97FB610F6477</RawString>
|
||||
<RawString>Verify the DoD Interoperability cross-certificates are installed on unclassified systems as Untrusted Certificates.
|
||||
|
||||
Run "PowerShell" as an administrator.
|
||||
|
||||
Execute the following command:
|
||||
|
||||
Get-ChildItem -Path Cert:Localmachine\disallowed | Where {$_.Issuer -Like "*DoD Interoperability*" -and $_.Subject -Like "*DoD*"} | FL Subject, Issuer, Thumbprint, NotAfter
|
||||
|
||||
If the following certificate "Subject", "Issuer", and "Thumbprint" information is not displayed, this is a finding.
|
||||
|
||||
Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US
|
||||
Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US
|
||||
Thumbprint: 49CBE933151872E17C8EAE7F0ABA97FB610F6477
|
||||
NotAfter: 11/16/2024
|
||||
|
||||
Alternately, use the Certificates MMC snap-in:
|
||||
|
||||
Run "MMC".
|
||||
|
||||
Select "File", "Add/Remove Snap-in".
|
||||
|
||||
Select "Certificates", click "Add".
|
||||
|
||||
Select "Computer account", click "Next".
|
||||
|
||||
Select "Local computer: (the computer this console is running on)", click "Finish".
|
||||
|
||||
Click "OK".
|
||||
|
||||
Expand "Certificates" and navigate to Untrusted Certificates >> Certificates.
|
||||
|
||||
For each certificate with "DoD Root CA…" under "Issued To" and "DoD Interoperability Root CA…" under "Issued By":
|
||||
|
||||
Right-click on the certificate and select "Open".
|
||||
|
||||
Select the "Details" tab.
|
||||
|
||||
Scroll to the bottom and select "Thumbprint".
|
||||
|
||||
If the certificates below are not listed or the value for the "Thumbprint" field is not as noted, this is a finding.
|
||||
|
||||
Issued To: DoD Root CA 3
|
||||
Issued By: DoD Interoperability Root CA 2
|
||||
Thumbprint: 49CBE933151872E17C8EAE7F0ABA97FB610F6477
|
||||
Valid to: Wednesday, November 16, 2024</RawString>
|
||||
<Thumbprint>49CBE933151872E17C8EAE7F0ABA97FB610F6477</Thumbprint>
|
||||
</Rule>
|
||||
<Rule id="V-220906" severity="medium" conversionstatus="pass" title="SRG-OS-000066-GPOS-00034" dscresource="CertificateDSC">
|
||||
|
@ -5696,14 +5780,14 @@ Execute the following command:
|
|||
|
||||
Get-ChildItem -Path Cert:Localmachine\disallowed | Where Issuer -Like "*CCEB Interoperability*" | FL Subject, Issuer, Thumbprint, NotAfter
|
||||
|
||||
If the following certificate "Subject", "Issuer", and "Thumbprint", information is not displayed, this is a finding.
|
||||
If the following certificate "Subject", "Issuer", and "Thumbprint" information is not displayed, this is a finding.
|
||||
|
||||
Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US
|
||||
Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S.Government, C=US
|
||||
Thumbprint: AF132AC65DE86FC4FB3FE51FD637EBA0FF0B12A9
|
||||
NotAfter: 8/26/2022 9:07:50 AM
|
||||
Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US
|
||||
Thumbprint: 9B74964506C7ED9138070D08D5F8B969866560C8
|
||||
NotAfter: 7/18/2025 9:56:22 AM
|
||||
|
||||
Alternately use the Certificates MMC snap-in:
|
||||
Alternately, use the Certificates MMC snap-in:
|
||||
|
||||
Run "MMC".
|
||||
|
||||
|
@ -5717,7 +5801,7 @@ Select "Local computer: (the computer this console is running on)", click "Finis
|
|||
|
||||
Click "OK".
|
||||
|
||||
Expand "Certificates" and navigate to "Untrusted Certificates >> Certificates".
|
||||
Expand "Certificates" and navigate to Untrusted Certificates >> Certificates.
|
||||
|
||||
For each certificate with "US DoD CCEB Interoperability Root CA …" under "Issued By":
|
||||
|
||||
|
@ -5730,10 +5814,10 @@ Scroll to the bottom and select "Thumbprint".
|
|||
If the certificate below is not listed or the value for the "Thumbprint" field is not as noted, this is a finding.
|
||||
|
||||
Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US
|
||||
Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S.Government, C=US
|
||||
Thumbprint: AF132AC65DE86FC4FB3FE51FD637EBA0FF0B12A9
|
||||
NotAfter: 8/26/2022 9:07:50 AM</RawString>
|
||||
<Thumbprint>AF132AC65DE86FC4FB3FE51FD637EBA0FF0B12A9</Thumbprint>
|
||||
Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US
|
||||
Thumbprint: 9B74964506C7ED9138070D08D5F8B969866560C8
|
||||
NotAfter: 7/18/2025 9:56:22 AM</RawString>
|
||||
<Thumbprint>9B74964506C7ED9138070D08D5F8B969866560C8</Thumbprint>
|
||||
</Rule>
|
||||
</RootCertificateRule>
|
||||
<SecurityOptionRule dscresourcemodule="SecurityPolicyDsc">
|