Merge pull request #1367 from microsoft/hinderjd#1366
Update Powerstig to parse\apply Microsoft Windows 10 STIG - Ver 3, Rel 1 #1366
Коммит
19c7bf8c8a
|
@ -15,6 +15,8 @@
|
|||
|
||||
* Update Powerstig to parse\apply Microsoft Windows 11 STIG - Ver 2, Rel 1 [#1368](https://github.com/microsoft/PowerStig/issues/1368)
|
||||
|
||||
* Update Powerstig to parse\apply Microsoft Windows 10 STIG - Ver 3, Rel 1 [#1366](https://github.com/microsoft/PowerStig/issues/1366)
|
||||
|
||||
## [4.22.0] - 2024-05-31
|
||||
|
||||
* Update Powerstig to parse/apply Microsoft Edge STIG - Ver 1, Rel 8 [#1350](https://github.com/microsoft/PowerStig/issues/1350)
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
Each setting in this file is linked by STIG ID and the valid range is in an
|
||||
associated comment.
|
||||
-->
|
||||
<OrganizationalSettings fullversion="2.8">
|
||||
<OrganizationalSettings fullversion="3.1">
|
||||
<!-- Ensure ValueData is set to 0x00000006 (6) or greater -->
|
||||
<OrganizationalSetting id="V-220704" ValueData="" />
|
||||
<!-- Ensure ''V-220739'' -ge '15' -or ''V-220739'' -eq '0'-->
|
|
@ -1,4 +1,4 @@
|
|||
<DISASTIG version="2" classification="UNCLASSIFIED" customname="" stigid="MS_Windows_10_STIG" description="This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil." filename="U_MS_Windows_10_STIG_V2R8_Manual-xccdf.xml" releaseinfo="Release: 8 Benchmark Date: 09 Nov 2023 3.4.1.22916 1.10.0" title="Microsoft Windows 10 Security Technical Implementation Guide" notice="terms-of-use" source="STIG.DOD.MIL" fullversion="2.8" created="11/17/2023">
|
||||
<DISASTIG version="3" classification="UNCLASSIFIED" customname="" stigid="MS_Windows_10_STIG" description="This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil." filename="U_MS_Windows_10_STIG_V3R1_Manual-xccdf.xml" releaseinfo="Release: 1 Benchmark Date: 24 Jul 2024 3.5 1.10.0" title="Microsoft Windows 10 Security Technical Implementation Guide" notice="terms-of-use" source="STIG.DOD.MIL" fullversion="3.1" created="7/19/2024">
|
||||
<AccountPolicyRule dscresourcemodule="SecurityPolicyDsc">
|
||||
<Rule id="V-220739" severity="medium" conversionstatus="pass" title="SRG-OS-000329-GPOS-00128" dscresource="AccountPolicy">
|
||||
<Description><VulnDiscussion>The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the amount of time that an account will remain locked after the specified number of failed logon attempts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
|
@ -51,7 +51,7 @@ Navigate to Local Computer Policy >> Computer Configuration >> Windo
|
|||
If the "Reset account lockout counter after" value is less than "15" minutes, this is a finding.</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-220742" severity="medium" conversionstatus="pass" title="SRG-OS-000077-GPOS-00045" dscresource="AccountPolicy">
|
||||
<Description><VulnDiscussion>A system is more vulnerable to unauthorized access when system users recycle the same password several times without being required to change a password to a unique password on a regularly scheduled basis. This enables users to effectively negate the purpose of mandating periodic password changes. The default value is 24 for Windows domain systems. DoD has decided this is the appropriate value for all Windows systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>A system is more vulnerable to unauthorized access when system users recycle the same password several times without being required to change a password to a unique password on a regularly scheduled basis. This enables users to effectively negate the purpose of mandating periodic password changes. The default value is 24 for Windows domain systems. DOD has decided this is the appropriate value for all Windows systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>V-63415</LegacyId>
|
||||
|
@ -67,7 +67,7 @@ Navigate to Local Computer Policy >> Computer Configuration >> Windo
|
|||
If the value for "Enforce password history" is less than "24" passwords remembered, this is a finding.</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-220743" severity="medium" conversionstatus="pass" title="SRG-OS-000076-GPOS-00044" dscresource="AccountPolicy">
|
||||
<Description><VulnDiscussion>The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the passwords. Scheduled changing of passwords hinders the ability of unauthorized system users to crack passwords and gain access to a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the passwords. Scheduled changing of passwords hinders the ability of unauthorized system users to crack passwords and gain access to a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>V-63419</LegacyId>
|
||||
|
@ -83,7 +83,7 @@ Navigate to Local Computer Policy >> Computer Configuration >> Windo
|
|||
If the value for the "Maximum password age" is greater than "60" days, this is a finding. If the value is set to "0" (never expires), this is a finding.</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-220744" severity="medium" conversionstatus="pass" title="SRG-OS-000075-GPOS-00043" dscresource="AccountPolicy">
|
||||
<Description><VulnDiscussion>Permitting passwords to be changed in immediate succession within the same day allows users to cycle passwords through their history database. This enables users to effectively negate the purpose of mandating periodic password changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>Permitting passwords to be changed in immediate succession within the same day allows users to cycle passwords through their history database. This enables users to effectively negate the purpose of mandating periodic password changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>V-63421</LegacyId>
|
||||
|
@ -277,14 +277,14 @@ Use the AuditPol tool to review the current Audit Policy configuration:
|
|||
Open a Command Prompt with elevated privileges ("Run as Administrator").
|
||||
Enter "AuditPol /get /category:*"
|
||||
|
||||
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding:
|
||||
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding:
|
||||
|
||||
Detailed Tracking >> Plug and Play Events - Success</RawString>
|
||||
<Subcategory>Plug and Play Events</Subcategory>
|
||||
</Rule>
|
||||
<Rule id="V-220754" severity="medium" conversionstatus="pass" title="SRG-OS-000365-GPOS-00152" dscresource="AuditPolicySubcategory">
|
||||
<AuditFlag>Success</AuditFlag>
|
||||
<Description><VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.
|
||||
<Description><VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.
|
||||
|
||||
Process creation records events related to the creation of a process and the source.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
|
@ -299,7 +299,7 @@ Use the AuditPol tool to review the current Audit Policy configuration:
|
|||
Open a Command Prompt with elevated privileges ("Run as Administrator").
|
||||
Enter "AuditPol /get /category:*".
|
||||
|
||||
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding:
|
||||
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding:
|
||||
|
||||
Detailed Tracking >> Process Creation - Success</RawString>
|
||||
<Subcategory>Process Creation</Subcategory>
|
||||
|
@ -1000,7 +1000,7 @@ Policy Change >> MPSSVC Rule-Level Policy Change - Failure
|
|||
New versions with feature updates are planned to be released on a semiannual basis with an estimated support timeframe of 18 to 30 months depending on the release. Support for previously released versions has been extended for Enterprise editions.
|
||||
|
||||
A separate servicing branch intended for special-purpose systems is the Long-Term Servicing Channel (LTSC, formerly Branch - LTSB), which will receive security updates for 10 years but excludes feature updates.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DesiredValue>10.0.220</DesiredValue>
|
||||
<DesiredValue>10.0.19044</DesiredValue>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>V-63349</LegacyId>
|
||||
|
@ -1013,7 +1013,7 @@ A separate servicing branch intended for special-purpose systems is the Long-Ter
|
|||
|
||||
If the "About Windows" dialog box does not display the following or greater, this is a finding:
|
||||
|
||||
"Microsoft Windows Version 21H2 (OS Build 220xx.x)"
|
||||
"Microsoft Windows Version 21H2 (OS Build 19044.x)"
|
||||
|
||||
Note: Microsoft has extended support for previous versions, providing critical and important updates for Windows 10 Enterprise.
|
||||
|
||||
|
@ -1062,14 +1062,14 @@ To support this requirement, the operating system may have an integrated solutio
|
|||
<LegacyId>V-63343</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Verify DoD-approved ESS software is installed and properly operating. Ask the site ISSM for documentation of the ESS software installation and configuration.
|
||||
<RawString>Verify DOD-approved ESS software is installed and properly operating. Ask the site information system security manager (ISSM) for documentation of the ESS software installation and configuration.
|
||||
|
||||
If the ISSM is not able to provide a documented configuration for an installed ESS or if the ESS software is not properly maintained or used, this is a finding.
|
||||
|
||||
Note: Example of documentation can be a copy of the site's CCB approved Software Baseline with version of software noted or a memo from the ISSM stating current ESS software and version.</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-220711" severity="low" conversionstatus="pass" title="SRG-OS-000118-GPOS-00060" dscresource="None">
|
||||
<Description><VulnDiscussion>Outdated or unused accounts provide penetration points that may go undetected. Inactive accounts must be deleted if no longer necessary or, if still required, disable until needed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>Outdated or unused accounts provide penetration points that may go undetected. Inactive accounts must be deleted if no longer necessary or, if still required, disabled until needed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>V-63359</LegacyId>
|
||||
|
@ -1101,7 +1101,7 @@ Local administrator account
|
|||
|
||||
If any enabled accounts have not been logged on to within the past 35 days, this is a finding.
|
||||
|
||||
Inactive accounts that have been reviewed and deemed to be required must be documented with the ISSO.</RawString>
|
||||
Inactive accounts that have been reviewed and deemed to be required must be documented with the information system security officer (ISSO).</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-220714" severity="medium" conversionstatus="pass" title="SRG-OS-000095-GPOS-00049" dscresource="None">
|
||||
<Description><VulnDiscussion>Allowing other operating systems to run on a secure system may allow users to circumvent security. For Hyper-V, preventing unauthorized users from being assigned to the Hyper-V Administrators group will prevent them from accessing or creating virtual machines on the system. The Hyper-V Hypervisor is used by Virtualization Based Security features such as Credential Guard on Windows 10; however, it is not the full Hyper-V installation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
|
@ -1269,7 +1269,7 @@ Run "System Information".
|
|||
|
||||
Under "System Summary", if "Secure Boot State" does not display "On", this is finding.</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-220702" severity="medium" conversionstatus="pass" title="SRG-OS-000185-GPOS-00079" dscresource="None">
|
||||
<Rule id="V-220702" severity="high" conversionstatus="pass" title="SRG-OS-000185-GPOS-00079" dscresource="None">
|
||||
<Description><VulnDiscussion>If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can remove non-volatile memory and read it directly, thereby circumventing operating system controls. Encrypting the data ensures that confidentiality is protected even when the operating system is not running.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
|
@ -1301,9 +1301,7 @@ The organization must identify authorized software programs and only permit exec
|
|||
<LegacyId>V-63345</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>This is applicable to unclassified systems; for other systems, this is Not Applicable.
|
||||
|
||||
Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs. This must include packaged apps such as the universal apps installed by default on systems.
|
||||
<RawString>Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs. This must include packaged apps such as the universal apps installed by default on systems.
|
||||
|
||||
If an application allowlisting program is not in use on the system, this is a finding.
|
||||
|
||||
|
@ -1467,7 +1465,7 @@ All of the built-in accounts may not exist on a system, depending on the Windows
|
|||
<OrganizationValueTestString />
|
||||
<RawString>Run "Computer Management".
|
||||
Navigate to System Tools >> Local Users and Groups >> Users.
|
||||
Double click each active account.
|
||||
Double-click each active account.
|
||||
|
||||
If "Password never expires" is selected for any account, this is a finding.</RawString>
|
||||
</Rule>
|
||||
|
@ -1639,7 +1637,7 @@ Windows LAPS must be used to change the built-in Administrator account password.
|
|||
|
||||
Review the password last set date for the enabled local Administrator account.
|
||||
|
||||
On the local domain-joined workstation:
|
||||
On the standalone or domain-joined workstation:
|
||||
|
||||
Open "PowerShell".
|
||||
|
||||
|
@ -1683,7 +1681,7 @@ These audit events can assist in understanding how a computer is being used and
|
|||
<OrganizationValueTestString />
|
||||
<RawString>Ensure Audit Process Creation auditing has been enabled:
|
||||
|
||||
Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> Detailed Tracking >> Set to "Failure".
|
||||
Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >>System Audit Policies >> Detailed Tracking >> Audit Process Creation".
|
||||
|
||||
If "Audit Process Creation" is not set to "Failure", this is a finding.</RawString>
|
||||
</Rule>
|
||||
|
@ -2328,7 +2326,7 @@ If the defaults have not been changed, these are not a finding.
|
|||
</Rule>
|
||||
</PermissionRule>
|
||||
<RegistryRule dscresourcemodule="PSDscResources">
|
||||
<Rule id="V-220703.a" severity="medium" conversionstatus="pass" title="SRG-OS-000185-GPOS-00079" dscresource="RegistryPolicyFile">
|
||||
<Rule id="V-220703.a" severity="high" conversionstatus="pass" title="SRG-OS-000185-GPOS-00079" dscresource="RegistryPolicyFile">
|
||||
<Description><VulnDiscussion>If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can remove non-volatile memory and read it directly, thereby circumventing operating system controls. Encrypting the data ensures that confidentiality is protected even when the operating system is not running. Pre-boot authentication prevents unauthorized users from accessing encrypted drives.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
|
@ -2346,7 +2344,7 @@ Value: 0x00000001 (1)</RawString>
|
|||
<ValueName>UseAdvancedStartup</ValueName>
|
||||
<ValueType>Dword</ValueType>
|
||||
</Rule>
|
||||
<Rule id="V-220703.b" severity="medium" conversionstatus="pass" title="SRG-OS-000185-GPOS-00079" dscresource="RegistryPolicyFile">
|
||||
<Rule id="V-220703.b" severity="high" conversionstatus="pass" title="SRG-OS-000185-GPOS-00079" dscresource="RegistryPolicyFile">
|
||||
<Description><VulnDiscussion>If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can remove non-volatile memory and read it directly, thereby circumventing operating system controls. Encrypting the data ensures that confidentiality is protected even when the operating system is not running. Pre-boot authentication prevents unauthorized users from accessing encrypted drives.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
|
@ -2364,7 +2362,7 @@ Value: 0x00000001 (1)</RawString>
|
|||
<ValueName>UseTPMPIN</ValueName>
|
||||
<ValueType>Dword</ValueType>
|
||||
</Rule>
|
||||
<Rule id="V-220704" severity="medium" conversionstatus="pass" title="SRG-OS-000185-GPOS-00079" dscresource="Registry">
|
||||
<Rule id="V-220704" severity="high" conversionstatus="pass" title="SRG-OS-000185-GPOS-00079" dscresource="Registry">
|
||||
<Description><VulnDiscussion>If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can remove non-volatile memory and read it directly, thereby circumventing operating system controls. Encrypting the data ensures that confidentiality is protected even when the operating system is not running. Pre-boot authentication prevents unauthorized users from accessing encrypted drives. Increasing the PIN length requires a greater number of guesses for an attacker.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
|
@ -3298,7 +3296,7 @@ Value: 0</RawString>
|
|||
<ValueType>Dword</ValueType>
|
||||
</Rule>
|
||||
<Rule id="V-220821" severity="medium" conversionstatus="pass" title="SRG-OS-000373-GPOS-00156" dscresource="RegistryPolicyFile">
|
||||
<Description><VulnDiscussion>Authentication must always be required when accessing a system. This setting ensures the user is prompted for a password on resume from sleep (on battery).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>Authentication must always be required when accessing a system. This setting ensures the user is prompted for a password on resume from sleep (on battery).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
|
@ -3320,7 +3318,7 @@ Value: 1</RawString>
|
|||
<ValueType>Dword</ValueType>
|
||||
</Rule>
|
||||
<Rule id="V-220822" severity="medium" conversionstatus="pass" title="SRG-OS-000373-GPOS-00156" dscresource="RegistryPolicyFile">
|
||||
<Description><VulnDiscussion>Authentication must always be required when accessing a system. This setting ensures the user is prompted for a password on resume from sleep (plugged in).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>Authentication must always be required when accessing a system. This setting ensures the user is prompted for a password on resume from sleep (plugged in).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
|
@ -4047,7 +4045,7 @@ Value: 6 (or greater)</RawString>
|
|||
<ValueType>Dword</ValueType>
|
||||
</Rule>
|
||||
<Rule id="V-220848" severity="medium" conversionstatus="pass" title="SRG-OS-000373-GPOS-00156" dscresource="RegistryPolicyFile">
|
||||
<Description><VulnDiscussion>Saving passwords in the Remote Desktop Client could allow an unauthorized user to establish a remote desktop session to another system. The system must be configured to prevent users from saving passwords in the Remote Desktop Client.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>Saving passwords in the Remote Desktop Client could allow an unauthorized user to establish a remote desktop session to another system. The system must be configured to prevent users from saving passwords in the Remote Desktop Client.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
|
@ -4091,7 +4089,7 @@ Value: 1</RawString>
|
|||
<ValueType>Dword</ValueType>
|
||||
</Rule>
|
||||
<Rule id="V-220850" severity="medium" conversionstatus="pass" title="SRG-OS-000373-GPOS-00156" dscresource="RegistryPolicyFile">
|
||||
<Description><VulnDiscussion>This setting controls the ability of users to supply passwords automatically as part of their remote desktop connection. Disabling this setting would allow anyone to use the stored credentials in a connection item to connect to the terminal server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>This setting controls the ability of users to supply passwords automatically as part of their remote desktop connection. Disabling this setting would allow anyone to use the stored credentials in a connection item to connect to the terminal server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
|
@ -4229,7 +4227,7 @@ Value: 0</RawString>
|
|||
<ValueType>Dword</ValueType>
|
||||
</Rule>
|
||||
<Rule id="V-220856" severity="medium" conversionstatus="pass" title="SRG-OS-000362-GPOS-00149" dscresource="RegistryPolicyFile">
|
||||
<Description><VulnDiscussion>Installation options for applications are typically controlled by administrators. This setting prevents users from changing installation options that may bypass security features.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>Installation options for applications are typically controlled by administrators. This setting prevents users from changing installation options that may bypass security features.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
|
@ -4251,7 +4249,7 @@ Value: 0</RawString>
|
|||
<ValueType>Dword</ValueType>
|
||||
</Rule>
|
||||
<Rule id="V-220857" severity="high" conversionstatus="pass" title="SRG-OS-000362-GPOS-00149" dscresource="RegistryPolicyFile">
|
||||
<Description><VulnDiscussion>Standard user accounts must not be granted elevated privileges. Enabling Windows Installer to elevate privileges when installing applications can allow malicious persons and applications to gain full control of a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>Standard user accounts must not be granted elevated privileges. Enabling Windows Installer to elevate privileges when installing applications can allow malicious persons and applications to gain full control of a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
|
@ -4475,7 +4473,7 @@ Value: 0</RawString>
|
|||
<ValueType>Dword</ValueType>
|
||||
</Rule>
|
||||
<Rule id="V-220867" severity="medium" conversionstatus="pass" title="SRG-OS-000373-GPOS-00156" dscresource="RegistryPolicyFile">
|
||||
<Description><VulnDiscussion>Storage of administrative credentials could allow unauthorized access. Disallowing the storage of RunAs credentials for Windows Remote Management will prevent them from being used with plug-ins.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>Storage of administrative credentials could allow unauthorized access. Disallowing the storage of RunAs credentials for Windows Remote Management will prevent them from being used with plug-ins.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
|
@ -5206,7 +5204,7 @@ Value: 0x7ffffff8 (2147483640)</RawString>
|
|||
<ValueType>Dword</ValueType>
|
||||
</Rule>
|
||||
<Rule id="V-220937" severity="high" conversionstatus="pass" title="SRG-OS-000073-GPOS-00041" dscresource="Registry">
|
||||
<Description><VulnDiscussion>The LAN Manager hash uses a weak encryption algorithm and there are several tools available that use this hash to retrieve account passwords. This setting controls whether or not a LAN Manager hash of the password is stored in the SAM the next time the password is changed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>The LAN Manager hash uses a weak encryption algorithm and there are several tools available that use this hash to retrieve account passwords. This setting controls whether or not a LAN Manager hash of the password is stored in the SAM the next time the password is changed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
|
@ -5362,7 +5360,7 @@ Value: 1</RawString>
|
|||
<ValueType>Dword</ValueType>
|
||||
</Rule>
|
||||
<Rule id="V-220944" severity="medium" conversionstatus="pass" title="SRG-OS-000373-GPOS-00157" dscresource="Registry">
|
||||
<Description><VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures the built-in Administrator account so that it runs in Admin Approval Mode.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures the built-in Administrator account so that it runs in Admin Approval Mode.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
|
@ -5406,7 +5404,7 @@ Value: 2 (Prompt for consent on the secure desktop)</RawString>
|
|||
<ValueType>Dword</ValueType>
|
||||
</Rule>
|
||||
<Rule id="V-220947" severity="medium" conversionstatus="pass" title="SRG-OS-000373-GPOS-00157" dscresource="Registry">
|
||||
<Description><VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. Denying elevation requests from standard user accounts requires tasks that need elevation to be initiated by accounts with administrative privileges. This ensures correct accounts are used on the system for privileged tasks to help mitigate credential theft.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. Denying elevation requests from standard user accounts requires tasks that need elevation to be initiated by accounts with administrative privileges. This ensures correct accounts are used on the system for privileged tasks to help mitigate credential theft.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
|
@ -5472,7 +5470,7 @@ Value: 1</RawString>
|
|||
<ValueType>Dword</ValueType>
|
||||
</Rule>
|
||||
<Rule id="V-220950" severity="medium" conversionstatus="pass" title="SRG-OS-000373-GPOS-00157" dscresource="Registry">
|
||||
<Description><VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting enables UAC.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting enables UAC.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|