Merge branch '4.23.0' into hinderjd#1364
4c53d88d6e
15
CHANGELOG.md
15
CHANGELOG.md
|
@ -1,6 +1,21 @@
|
|||
# Versions
|
||||
|
||||
## [Unreleased]
|
||||
* Update Powerstig to parse\apply Oracle Linux 8 STIG - Ver 2, Rel 1 [#1380](https://github.com/microsoft/PowerStig/issues/1380)
|
||||
|
||||
* Update Powerstig to parse\apply Microsoft Windows Server 2019 STIG - Ver 3, Rel 1 [#1369](https://github.com/microsoft/PowerStig/issues/1369)
|
||||
|
||||
* Update Powerstig to parse\apply Microsoft Windows Server 2022 STIG - Ver 2, Rel 1 [#1370](https://github.com/microsoft/PowerStig/issues/1370)
|
||||
|
||||
* Update Powerstig to parse\apply U_MS_SQL_Server_2016_Instance_V3R1_Manual_STIG [#1373](https://github.com/microsoft/PowerStig/issues/1373)
|
||||
|
||||
* Update Powerstig to parse\apply Microsoft IIS 10.0 Server STIG [#1371](https://github.com/microsoft/PowerStig/issues/1371)
|
||||
|
||||
* Update Powerstig to parse\apply Microsoft Office 365 ProPlus STIG - Ver 3, Rel 1 [#1372](https://github.com/microsoft/PowerStig/issues/1372)
|
||||
|
||||
* Update Powerstig to parse\apply Microsoft Windows 11 STIG - Ver 2, Rel 1 [#1368](https://github.com/microsoft/PowerStig/issues/1368)
|
||||
|
||||
* Update Powerstig to parse\apply Microsoft Windows 10 STIG - Ver 3, Rel 1 [#1366](https://github.com/microsoft/PowerStig/issues/1366)
|
||||
|
||||
* Update Powerstig to parse/apply Microsoft Edge STIG - Ver 2, Rel 1 [#1364](https://github.com/microsoft/PowerStig/issues/1350)
|
||||
|
||||
|
|
|
@ -49,7 +49,9 @@ Describe 'Restore-StigSettings' {
|
|||
}
|
||||
|
||||
It 'Should not throw for Sql Server 2016' {
|
||||
|
||||
{Restore-StigSettings -StigName "SqlServer-2016-Instance-2.12.xml" -Confirm:$false} | Should -Not -Throw
|
||||
|
||||
}
|
||||
|
||||
}
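Review bot: The new `It 'Should not throw for Sql Server 2016'` case pins `StigName "SqlServer-2016-Instance-2.12.xml"`, while the changelog in this same commit announces the SQL Server 2016 Instance V3R1 update, so the case presumably exercises the previous data file rather than the one being introduced; if the 2.12 file is ever retired the case fails for an unrelated reason, and until then it never touches the new data. Pin the file this commit ships (a constructed example: `{Restore-StigSettings -StigName "SqlServer-2016-Instance-3.1.xml" -Confirm:$false} | Should -Not -Throw`, adjusted to the real file name) or resolve the newest SqlServer-2016-Instance-*.xml at run time. `Should -Not -Throw` only proves the command completes; an assertion on the settings it restores would make the case meaningful. The enclosing `Describe 'Restore-StigSettings'` block starts outside the hunk.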
|
||||
|
|
|
@ -0,0 +1,47 @@
|
|||
# Copyright (c) Microsoft Corporation. All rights reserved.
|
||||
# Licensed under the MIT License.
|
||||
|
||||
@{
|
||||
# Script module or binary module file associated with this manifest.
|
||||
RootModule = 'OracleLinux.schema.psm1'
|
||||
|
||||
# Version number of this module.
|
||||
ModuleVersion = '1.0.0.0'
|
||||
|
||||
# ID used to uniquely identify this module
|
||||
GUID = '4f0a89ac-6a05-4236-b054-3b25b9e3cba5'
|
||||
|
||||
# Author of this module
|
||||
Author = 'Microsoft Corporation'
|
||||
|
||||
# Company or vendor of this module
|
||||
CompanyName = 'Microsoft Corporation'
|
||||
|
||||
# Copyright statement for this module
|
||||
Copyright = '(c) 2020 Microsoft Corporation. All rights reserved.'
|
||||
|
||||
# Description of the functionality provided by this module
|
||||
Description = 'Composite DSC Resource for managing Oracle Linux DISA STIGs'
|
||||
|
||||
# Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export.
|
||||
FunctionsToExport = @('OracleLinux')
|
||||
|
||||
# Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.
|
||||
CmdletsToExport = @()
|
||||
|
||||
# Variables to export from this module
|
||||
VariablesToExport = ''
|
||||
|
||||
# Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export.
|
||||
AliasesToExport = @()
|
||||
|
||||
# Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell.
|
||||
PrivateData = @{
|
||||
|
||||
PSData = @{
|
||||
|
||||
} # End of PSData hashtable
|
||||
|
||||
} # End of PrivateData hashtable
|
||||
|
||||
}
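Review bot: `VariablesToExport = ''` exports an empty string where the neighbouring `CmdletsToExport = @()` and `AliasesToExport = @()` use an empty array, which is also what the manifest's own export comments ask for; `VariablesToExport = @()` keeps the three export entries consistent and gives the field the array type the manifest schema expects. `Copyright = '(c) 2020 Microsoft Corporation. All rights reserved.'` carries a 2020 year in a manifest added by this commit, which suggests the file was copied from an older composite manifest; if the sibling manifests share both quirks, fix them together rather than only here.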
|
|
@ -0,0 +1,83 @@
|
|||
# Copyright (c) Microsoft Corporation. All rights reserved.
|
||||
# Licensed under the MIT License.
|
||||
|
||||
using module ..\helper.psm1
|
||||
using module ..\..\PowerStig.psm1
|
||||
|
||||
<#
|
||||
.SYNOPSIS
|
||||
A composite DSC resource to manage Oracle Linux STIG settings
|
||||
.PARAMETER OsVersion
|
||||
The version of Oracle Linux operating system STIG to apply and monitor
|
||||
.PARAMETER StigVersion
|
||||
Uses the OsVersion to select the version of the STIG to apply and monitor. If this parameter
|
||||
is not provided, the most recent version of the STIG is automatically selected.
|
||||
.PARAMETER Exception
|
||||
A hashtable of StigId=Value key pairs that are injected into the STIG data and applied to
|
||||
the target node. The title of STIG settings are tagged with the text 'Exception' to identify
|
||||
the exceptions to policy across the data center when you centralize DSC log collection.
|
||||
.PARAMETER OrgSettings
|
||||
The path to the xml file that contains the local organizations preferred settings for STIG
|
||||
items that have allowable ranges. The OrgSettings parameter also accepts a hashtable for
|
||||
values that need to be modified. When a hashtable is used, the specified values take
|
||||
presidence over the values defined in the org.default.xml file.
|
||||
.PARAMETER SkipRule
|
||||
The SkipRule Node is injected into the STIG data and applied to the taget node. The title
|
||||
of STIG settings are tagged with the text 'Skip' to identify the skips to policy across the
|
||||
data center when you centralize DSC log collection.
|
||||
.PARAMETER SkipRuleType
|
||||
All STIG rule IDs of the specified type are collected in an array and passed to the Skip-Rule
|
||||
function. Each rule follows the same process as the SkipRule parameter.
|
||||
#>
|
||||
configuration OracleLinux
|
||||
{
|
||||
[CmdletBinding()]
|
||||
param
|
||||
(
|
||||
[Parameter(Mandatory = $true)]
|
||||
[string]
|
||||
$OsVersion,
|
||||
|
||||
[Parameter()]
|
||||
[ValidateNotNullOrEmpty()]
|
||||
[version]
|
||||
$StigVersion,
|
||||
|
||||
[Parameter()]
|
||||
[ValidateNotNullOrEmpty()]
|
||||
[hashtable]
|
||||
$Exception,
|
||||
|
||||
[Parameter()]
|
||||
[ValidateNotNullOrEmpty()]
|
||||
[object]
|
||||
$OrgSettings,
|
||||
|
||||
[Parameter()]
|
||||
[ValidateNotNullOrEmpty()]
|
||||
[string[]]
|
||||
$SkipRule,
|
||||
|
||||
[Parameter()]
|
||||
[ValidateNotNullOrEmpty()]
|
||||
[string[]]
|
||||
$SkipRuleType,
|
||||
|
||||
[Parameter()]
|
||||
[ValidateSet('CAT_I', 'CAT_II', 'CAT_III')]
|
||||
[string[]]
|
||||
$SkipRuleSeverity
|
||||
)
|
||||
|
||||
##### BEGIN DO NOT MODIFY #####
|
||||
$stig = [STIG]::New('OracleLinux', $OsVersion, $StigVersion)
|
||||
$stig.LoadRules($OrgSettings, $Exception, $SkipRule, $SkipRuleType, $SkipRuleSeverity)
|
||||
##### END DO NOT MODIFY #####
|
||||
|
||||
Import-DscResource -ModuleName nx -ModuleVersion 1.0
|
||||
. "$resourcePath\linux.nxPackage.ps1"
|
||||
. "$resourcePath\linux.nxFile.ps1"
|
||||
. "$resourcePath\linux.nxFileLine.ps1"
|
||||
. "$resourcePath\linux.nxService.ps1"
|
||||
. "$resourcePath\linux.nxScript.skip.ps1"
|
||||
}
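Review bot: The comment-based help documents six parameters, but `$SkipRuleSeverity`, declared last in the param block with `[ValidateSet('CAT_I', 'CAT_II', 'CAT_III')]`, has no `.PARAMETER` entry, so `Get-Help OracleLinux` will list it without a description; add a `.PARAMETER SkipRuleSeverity` section stating that all STIG rule IDs of the listed severities are collected and passed to the Skip-Rule function, each rule then following the same process as the SkipRule parameter. Two typos in the help text are worth fixing in the same pass: `presidence` → `precedence` under OrgSettings and `taget` → `target` under SkipRule. `$OsVersion` is a mandatory `[string]` with no `[ValidateSet]`; if this composite ships only the Oracle Linux 8 data the changelog names, constraining it at the parameter would reject a mistyped version before `[STIG]::New` runs, though the hunk does not show whether the other composites do this.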
|
|
@ -64,6 +64,7 @@
|
|||
'McAfee',
|
||||
'Office',
|
||||
'OracleJRE',
|
||||
'OracleLinux',
|
||||
'SqlServer',
|
||||
'WindowsClient',
|
||||
'WindowsDefender',
|
||||
|
|
|
@ -0,0 +1,235 @@
|
|||
V-248523::*::.
|
||||
V-248525::*::.
|
||||
V-248543::*::.
|
||||
V-248546::*::.
|
||||
V-248547::*::.
|
||||
V-248630::*::.
|
||||
V-248713::*::.
|
||||
V-248842::*::.
|
||||
V-248873::*::.
|
||||
V-248585::*::.
|
||||
V-248654::*::.
|
||||
V-252655::*::.
|
||||
V-248667::*::.
|
||||
V-248702::*::.
|
||||
V-248703::*::.
|
||||
V-248704::*::.
|
||||
V-248710::*::.
|
||||
V-248801::*::.
|
||||
V-252657::*::.
|
||||
V-248898::*::.
|
||||
V-248899::*::.
|
||||
V-248903::*::.
|
||||
V-252663::*::.
|
||||
V-248519::*::.
|
||||
V-248520::*::.
|
||||
V-248521::*::.
|
||||
V-248528::*::.
|
||||
V-248529::*::.
|
||||
V-248530::*::.
|
||||
V-248531::*::.
|
||||
V-248532::*::.
|
||||
V-248534::*::.
|
||||
V-248537::*::.
|
||||
V-248540::*::.
|
||||
V-248545::*::.
|
||||
V-248548::*::.
|
||||
V-248549::*::.
|
||||
V-248551::*::.
|
||||
V-248554::*::.
|
||||
V-248555::*::.
|
||||
V-248556::*::.
|
||||
V-248557::*::.
|
||||
V-248558::*::.
|
||||
V-248559::*::.
|
||||
V-248566::*::.
|
||||
V-248567::*::.
|
||||
V-248568::*::.
|
||||
V-248569::*::.
|
||||
V-248570::*::.
|
||||
V-248571::*::.
|
||||
V-248572::*::.
|
||||
V-248573::*::.
|
||||
V-248576::*::.
|
||||
V-248577::*::.
|
||||
V-248578::*::.
|
||||
V-248579::*::.
|
||||
V-248580::*::.
|
||||
V-248582::*::.
|
||||
V-248583::*::.
|
||||
V-248584::*::.
|
||||
V-248586::*::.
|
||||
V-248587::*::.
|
||||
V-248588::*::.
|
||||
V-248589::*::.
|
||||
V-248593::*::.
|
||||
V-248594::*::.
|
||||
V-248597::*::.
|
||||
V-248598::*::.
|
||||
V-248599::*::.
|
||||
V-248600::*::.
|
||||
V-248601::*::.
|
||||
V-248602::*::.
|
||||
V-248608::*::.
|
||||
V-248609::*::.
|
||||
V-248610::*::.
|
||||
V-248611::*::.
|
||||
V-248612::*::.
|
||||
V-248615::*::.
|
||||
V-248616::*::.
|
||||
V-248617::*::.
|
||||
V-248618::*::.
|
||||
V-248619::*::.
|
||||
V-248620::*::.
|
||||
V-248627::*::.
|
||||
V-248629::*::.
|
||||
V-248634::*::.
|
||||
V-248635::*::.
|
||||
V-248636::*::.
|
||||
V-248637::*::.
|
||||
V-248638::*::.
|
||||
V-248639::*::.
|
||||
V-248640::*::.
|
||||
V-248641::*::.
|
||||
V-248642::*::.
|
||||
V-248643::*::.
|
||||
V-248645::*::.
|
||||
V-248646::*::.
|
||||
V-248647::*::.
|
||||
V-248648::*::.
|
||||
V-248651::*::.
|
||||
V-248671::*::.
|
||||
V-248672::*::.
|
||||
V-248673::*::.
|
||||
V-248674::*::.
|
||||
V-248675::*::.
|
||||
V-248677::*::.
|
||||
V-248680::*::.
|
||||
V-248682::*::.
|
||||
V-248683::*::.
|
||||
V-248684::*::.
|
||||
V-248685::*::.
|
||||
V-248687::*::.
|
||||
V-248688::*::.
|
||||
V-248689::*::.
|
||||
V-248690::*::.
|
||||
V-248691::*::.
|
||||
V-248692::*::.
|
||||
V-248693::*::.
|
||||
V-248694::*::.
|
||||
V-248697::*::.
|
||||
V-248699::*::.
|
||||
V-248701::*::.
|
||||
V-248705::*::.
|
||||
V-248706::*::.
|
||||
V-248707::*::.
|
||||
V-248708::*::.
|
||||
V-248709::*::.
|
||||
V-248711::*::.
|
||||
V-248715::*::.
|
||||
V-248716::*::.
|
||||
V-248719::*::.
|
||||
V-248720::*::.
|
||||
V-248722::*::.
|
||||
V-248724::*::.
|
||||
V-248732::*::.
|
||||
V-248737::*::.
|
||||
V-248738::*::.
|
||||
V-248739::*::.
|
||||
V-248764::*::.
|
||||
V-248765::*::.
|
||||
V-248766::*::.
|
||||
V-248767::*::.
|
||||
V-248768::*::.
|
||||
V-248806::*::.
|
||||
V-248807::*::.
|
||||
V-248808::*::.
|
||||
V-248809::*::.
|
||||
V-248810::*::.
|
||||
V-248811::*::.
|
||||
V-248812::*::.
|
||||
V-248813::*::.
|
||||
V-248814::*::.
|
||||
V-248817::*::.
|
||||
V-248818::*::.
|
||||
V-248819::*::.
|
||||
V-248823::*::.
|
||||
V-248824::*::.
|
||||
V-248825::*::.
|
||||
V-248827::*::.
|
||||
V-248835::*::.
|
||||
V-248839::*::.
|
||||
V-248840::*::.
|
||||
V-248841::*::.
|
||||
V-248859::*::.
|
||||
V-248860::*::.
|
||||
V-248861::*::.
|
||||
V-248862::*::.
|
||||
V-248863::*::.
|
||||
V-248864::*::.
|
||||
V-248866::*::.
|
||||
V-248867::*::.
|
||||
V-248869::*::.
|
||||
V-248872::*::.
|
||||
V-248874::*::.
|
||||
V-248875::*::.
|
||||
V-248876::*::.
|
||||
V-248877::*::.
|
||||
V-248878::*::.
|
||||
V-248879::*::.
|
||||
V-248880::*::.
|
||||
V-248881::*::.
|
||||
V-248882::*::.
|
||||
V-248883::*::.
|
||||
V-248884::*::.
|
||||
V-248885::*::.
|
||||
V-248886::*::.
|
||||
V-248887::*::.
|
||||
V-248888::*::.
|
||||
V-248889::*::.
|
||||
V-248890::*::.
|
||||
V-248891::*::.
|
||||
V-248892::*::.
|
||||
V-248893::*::.
|
||||
V-248894::*::.
|
||||
V-248895::*::.
|
||||
V-248896::*::.
|
||||
V-248904::*::.
|
||||
V-248905::*::.
|
||||
V-248906::*::.
|
||||
V-248907::*::.
|
||||
V-252650::*::.
|
||||
V-252651::*::.
|
||||
V-252652::*::.
|
||||
V-252653::*::.
|
||||
V-252654::*::.
|
||||
V-252655::*::.
|
||||
V-252656::*::.
|
||||
V-252662::*::.
|
||||
V-256978::*::.
|
||||
V-256979::*::.
|
||||
V-248622::*::.
|
||||
V-248623::*::.
|
||||
V-248625::*::.
|
||||
V-248626::*::.
|
||||
V-248656::*::.
|
||||
V-248658::*::.
|
||||
V-248660::*::.
|
||||
V-248662::*::.
|
||||
V-248664::*::.
|
||||
V-248666::*::.
|
||||
V-248669::*::.
|
||||
V-248734::*::.
|
||||
V-248734::*::.
|
||||
V-248735::*::.
|
||||
V-248736::*::.
|
||||
V-248845::*::.
|
||||
V-248846::*::.
|
||||
V-248848::*::.
|
||||
V-248849::*::.
|
||||
V-248851::*::.
|
||||
V-248852::*::.
|
||||
V-248854::*::.
|
||||
V-248855::*::.
|
||||
V-248857::*::.
|
||||
V-248858::*::.
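Review bot: The new list contains duplicate entries: `V-252655::*::.` appears once in the upper block and again in the V-2526xx run near the end, and `V-248734::*::.` appears on two consecutive lines near the bottom. A duplicate is harmless only if the consumer de-duplicates; otherwise the rule is processed twice, and either way the repeat hides whether a different ID was meant on one of those lines. Drop the second occurrence of each and consider keeping the file sorted by ID so such repeats surface in review. Whether this file is hand-maintained or generated is not visible from the hunk; if generated, fix the generator instead.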
|
|
@ -18,3 +18,4 @@ V-254484::0x00000002 (2) (Prompt for consent on the secure desktop)::1 or 2
|
|||
V-254490::0x00000002 (2) (or if the Value Name does not exist)::2
|
||||
V-254499::- Administrators::- Administrators`r`nSystems that have the Hyper-V role will also have "Virtual Machines" given this user right (this may be displayed as "NT Virtual Machine\Virtual Machines", SID S-1-5-83-0). This is not a finding.
|
||||
V-254254::CREATOR OWNER - Full Control - Subkeys::CREATOR OWNER - Full Control - Subkeys Only
|
||||
V-254254::Server Operators - Read - This Key and subkeys (Domain controllers only)::*
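Review bot: The added `V-254254::Server Operators - Read - This Key and subkeys (Domain controllers only)::*` line maps a domain-controller-only ACE to `*`, and the identical hunk that follows adds the same line to a second file; what `*` means on the right-hand side depends on how the converter consumes these entries, and if it is treated as "match anything" the Server Operators entry on domain controllers is no longer checked, which weakens the permission rule rather than only repairing its parsing. Unless this format supports comments, record in the commit or PR description why the DC-only entry is replaced, or, if the intent is to keep it, put the concrete ACE text the rule should carry in place of the `*`. The line above already rewrites the CREATOR OWNER entry for the same rule, so the two replacements should be reviewed together.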
|
||||
|
|
|
@ -18,3 +18,4 @@ V-254484::0x00000002 (2) (Prompt for consent on the secure desktop)::1 or 2
|
|||
V-254490::0x00000002 (2) (or if the Value Name does not exist)::2
|
||||
V-254499::- Administrators::- Administrators`r`nSystems that have the Hyper-V role will also have "Virtual Machines" given this user right (this may be displayed as "NT Virtual Machine\Virtual Machines", SID S-1-5-83-0). This is not a finding.
|
||||
V-254254::CREATOR OWNER - Full Control - Subkeys::CREATOR OWNER - Full Control - Subkeys Only
|
||||
V-254254::Server Operators - Read - This Key and subkeys (Domain controllers only)::*
|
|
@ -5,9 +5,7 @@
|
|||
Each setting in this file is linked by STIG ID and the valid range is in an
|
||||
associated comment.
|
||||
-->
|
||||
<OrganizationalSettings fullversion="2.9">
|
||||
<OrganizationalSettings fullversion="3.1">
|
||||
<!-- Ensure ''V-218785'' LogFlags must contain at a minimum Date,Time,ClientIP,UserName,Method,UriQuery,HttpStatus,Referer'-->
|
||||
<OrganizationalSetting id="V-218785" LogCustomFieldEntry="" LogFlags="Date,Time,ClientIP,UserName,Method,UriQuery,HttpStatus,Referer" LogFormat="" LogPeriod="" LogTargetW3C="" />
|
||||
<!-- Ensure ''V-218805.a'' -le '00:20:00'-->
|
||||
<OrganizationalSetting id="V-218805.a" Value="00:20:00" />
|
||||
</OrganizationalSettings>
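Review bot: The `V-218805.a` organizational setting (`Value="00:20:00"`, tested with `'{0}' -le '00:20:00'`) is removed here, and the processed-XML hunk at `@ -1326,22 +1329,7 @@` removes the matching `xWebConfigKeyValue` rule for `/system.web/sessionState` `timeout` while renaming the former `V-218805.b` rule to `V-218805.a` with `dscresource="None"` and `<DuplicateOf>V-218804</DuplicateOf>`, and the follow-on hunk at `@ -1349,7 +1337,7 @@` moves its LegacyId to `V-100145.a`. The net effect is that the session time-out ceiling is no longer enforced or configurable through PowerStig for IIS 10.0 V3R1, whereas the other visible V3R1 hunks for this STIG are text-only. If the V3R1 check no longer asks for a 20-minute time-out this is the right outcome; if the removed `<RawString>Under Time-out (in minutes), verify “20 minutes or less” is selected.</RawString>` requirement survives in V3R1, this is a conversion regression and the rule should be re-split into the .a/.b pair. The changelog entry for #1371 mentions neither case, so state which one applies in the PR description.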
|
|
@ -1,4 +1,4 @@
|
|||
<DISASTIG version="2" classification="UNCLASSIFIED" customname="" stigid="IIS_10-0_Server_STIG" description="This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil." filename="U_MS_IIS_10-0_Server_STIG_V2R9_Manual-xccdf.xml" releaseinfo="Release: 9 Benchmark Date: 27 Apr 2023 3.4.0.34222 1.10.0" title="Microsoft IIS 10.0 Server Security Technical Implementation Guide" notice="terms-of-use" source="STIG.DOD.MIL" fullversion="2.9" created="6/14/2023">
|
||||
<DISASTIG version="3" classification="UNCLASSIFIED" customname="" stigid="IIS_10-0_Server_STIG" description="This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil." filename="U_MS_IIS_10-0_Server_STIG_V3R1_Manual-xccdf.xml" releaseinfo="Release: 1 Benchmark Date: 24 Jul 2024 3.5 1.10.0" title="Microsoft IIS 10.0 Server Security Technical Implementation Guide" notice="terms-of-use" source="STIG.DOD.MIL" fullversion="3.1" created="7/20/2024">
|
||||
<DocumentRule dscresourcemodule="None">
|
||||
<Rule id="V-218792" severity="medium" conversionstatus="pass" title="SRG-APP-000141-WSR-000015" dscresource="None">
|
||||
<Description><VulnDiscussion>User management and authentication can be an essential part of any application hosted by the web server. Along with authenticating users, the user management function must perform several other tasks enterprise-wide, such as password complexity, locking users after a configurable number of failed logons, and management of temporary and emergency accounts.
|
||||
|
@ -544,15 +544,17 @@ If the paths of all log files are not part of the system backup and/or not backe
|
|||
|
||||
Under the "Connections" pane on the left side of the management console, select the IIS 10.0 web server.
|
||||
|
||||
If, under the IIS installed features, "Application Request Routing Cache" is not present, this is not a finding.
|
||||
If, under the IIS installed features "Application Request Routing Cache" is not present, this is not a finding.
|
||||
|
||||
If, under the IIS installed features, "Application Request Routing Cache" is present, double-click the icon to open the feature.
|
||||
If, under the IIS installed features "Application Request Routing Cache" is present, double-click the icon to open the feature.
|
||||
|
||||
From the right "Actions" pane, under "Proxy", select "Server Proxy Settings...".
|
||||
From the right "Actions" pane under "Proxy", select "Server Proxy Settings...".
|
||||
|
||||
In the "Application Request Routing" settings window, verify whether "Enable proxy" is selected.
|
||||
|
||||
If “Enable proxy" is selected under the "Application Request Routing" settings, this is a finding.</RawString>
|
||||
If "Enable proxy" is selected under the "Application Request Routing" settings, this is a finding.
|
||||
|
||||
If the server has been approved to be a Proxy server, this requirement is Not Applicable.</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-218795" severity="high" conversionstatus="pass" title="SRG-APP-000141-WSR-000077" dscresource="None">
|
||||
<Description><VulnDiscussion>Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server. A production web server may only contain components that are operationally necessary (i.e., compiled code, scripts, web content, etc.). Delete all directories containing samples and any scripts used to execute the samples.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
|
@ -742,6 +744,7 @@ If passwords have not been changed from the default, this is a finding.</RawStri
|
|||
Note: If the Server is hosting Microsoft SharePoint, this is Not Applicable.
|
||||
Note: If the server is hosting WSUS, this is Not Applicable.
|
||||
Note: If the server is hosting Exchange, this is Not Applicable.
|
||||
Note: If the server is public facing, this is Not Applicable.
|
||||
|
||||
Open the IIS 10.0 Manager.
|
||||
|
||||
|
@ -1326,22 +1329,7 @@ If the "cookieless" is not set to "UseCookies", this is a finding.
|
|||
Note: If IIS 10.0 server/site is used only for system-to-system maintenance, does not allow users to connect to interface, and is restricted to specific system IPs, this is Not Applicable.</RawString>
|
||||
<Value>UseCookies</Value>
|
||||
</Rule>
|
||||
<Rule id="V-218805.a" severity="medium" conversionstatus="pass" title="SRG-APP-000223-WSR-000145" dscresource="xWebConfigKeyValue">
|
||||
<ConfigSection>/system.web/sessionState</ConfigSection>
|
||||
<Description><VulnDiscussion>ASP.NET provides a session state, which is available as the HttpSessionState class, as a method of storing session-specific information that is visible only within the session. ASP.NET session state identifies requests from the same browser during a limited time window as a session and provides the ability to persist variable values for the duration of that session.
|
||||
|
||||
When using the URI mode for cookie settings under session state, IIS will reject and reissue session IDs that do not have active sessions. Configuring IIS to expire session IDs and regenerate tokens gives a potential attacker less time to capture a cookie and gain access to server content.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<Key>timeout</Key>
|
||||
<LegacyId>V-100145.a</LegacyId>
|
||||
<OrganizationValueRequired>True</OrganizationValueRequired>
|
||||
<OrganizationValueTestString>'{0}' -le '00:20:00'</OrganizationValueTestString>
|
||||
<RawString>Under Time-out (in minutes), verify “20 minutes or less” is selected.</RawString>
|
||||
<Value>
|
||||
</Value>
|
||||
</Rule>
|
||||
<Rule id="V-218805.b" severity="medium" conversionstatus="pass" title="SRG-APP-000223-WSR-000145" dscresource="None">
|
||||
<Rule id="V-218805.a" severity="medium" conversionstatus="pass" title="SRG-APP-000223-WSR-000145" dscresource="None">
|
||||
<ConfigSection>/system.web/sessionState</ConfigSection>
|
||||
<Description><VulnDiscussion>ASP.NET provides a session state, which is available as the HttpSessionState class, as a method of storing session-specific information that is visible only within the session. ASP.NET session state identifies requests from the same browser during a limited time window as a session and provides the ability to persist variable values for the duration of that session.
|
||||
|
||||
|
@ -1349,7 +1337,7 @@ When using the URI mode for cookie settings under session state, IIS will reject
|
|||
<DuplicateOf>V-218804</DuplicateOf>
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<Key>cookieless</Key>
|
||||
<LegacyId>V-100145.b</LegacyId>
|
||||
<LegacyId>V-100145.a</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>From the "Section:" drop-down list at the top of the configuration editor, locate "system.web/sessionState".
|
|
@ -5,7 +5,7 @@
|
|||
Each setting in this file is linked by STIG ID and the valid range is in an
|
||||
associated comment.
|
||||
-->
|
||||
<OrganizationalSettings fullversion="2.11">
|
||||
<OrganizationalSettings fullversion="3.1">
|
||||
<!-- Ensure 'V-223282' is 2|3|4-->
|
||||
<OrganizationalSetting id="V-223282" ValueData="3" />
|
||||
<!-- Ensure 'V-223288' is 6-->
|
|
@ -1,4 +1,4 @@
|
|||
<DISASTIG version="2" classification="UNCLASSIFIED" customname="" stigid="MS_Office_365_ProPlus_STIG" description="This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil." filename="U_MS_Office_365_ProPlus_STIG_V2R11_Manual-xccdf.xml" releaseinfo="Release: 11 Benchmark Date: 25 Oct 2023 3.4.1.22916 1.10.0" title="Microsoft Office 365 ProPlus Security Technical Implementation Guide" notice="terms-of-use" source="STIG.DOD.MIL" fullversion="2.11" created="11/16/2023">
|
||||
<DISASTIG version="3" classification="UNCLASSIFIED" customname="" stigid="MS_Office_365_ProPlus_STIG" description="This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil." filename="U_MS_Office_365_ProPlus_STIG_V3R1_Manual-xccdf.xml" releaseinfo="Release: 1 Benchmark Date: 24 Jul 2024 3.5 1.10.0" title="Microsoft Office 365 ProPlus Security Technical Implementation Guide" notice="terms-of-use" source="STIG.DOD.MIL" fullversion="3.1" created="7/20/2024">
|
||||
<DocumentRule dscresourcemodule="None">
|
||||
<Rule id="V-223296" severity="medium" conversionstatus="pass" title="SRG-APP-000207" dscresource="None">
|
||||
<Description><VulnDiscussion>Internet Explorer add-ons are pieces of code, run in Internet Explorer, to provide additional functionality. Rogue add-ons may contain viruses or other malicious code. Disabling or not configuring this setting could allow malicious code or users to become active on user computers or the network. For example, a malicious user can monitor and then use keystrokes that user's type into Internet Explorer. Even legitimate add-ons may demand resources, compromising the performance of Internet Explorer and the operating systems for user computers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
|
@ -237,13 +237,13 @@ If the value blockcontentexecutionfrominternet is REG_DWORD = 1, this is not a f
|
|||
<ValueType>Dword</ValueType>
|
||||
</Rule>
|
||||
<Rule id="V-223281" severity="medium" conversionstatus="pass" title="SRG-APP-000131" dscresource="RegistryPolicyFile">
|
||||
<Description><VulnDiscussion>This policy setting controls whether the specified Office application notifies users when unsigned application add-ins are loaded or silently disable such add-ins without notification. This policy setting only applies if you enable the "Require that application add-ins are signed by Trusted Publisher" policy setting, which prevents users from changing this policy setting.
|
||||
<Description><VulnDiscussion>This policy setting controls whether the specified Office application notifies users when unsigned application add-ins are loaded or silently disable such add-ins without notification. This policy setting only applies if the "Require that application add-ins are signed by Trusted Publisher" policy setting is enabled, which prevents users from changing this policy setting.
|
||||
|
||||
If you enable this policy setting, applications automatically disable unsigned add-ins without informing users.
|
||||
If users enable this policy setting, applications automatically disable unsigned add-ins without informing users.
|
||||
|
||||
If you disable this policy setting, if this application is configured to require that all add-ins be signed by a trusted publisher, any unsigned add-ins the application loads will be disabled and the application will display the Trust Bar at the top of the active window. The Trust Bar contains a message that informs users about the unsigned add-in.
|
||||
If this policy setting is disabled, if this application is configured to require that all add-ins be signed by a trusted publisher, any unsigned add-ins the application loads will be disabled and the application will display the Trust Bar at the top of the active window. The Trust Bar contains a message that informs users about the unsigned add-in.
|
||||
|
||||
If you do not configure this policy setting, the disable behavior applies, and in addition, users can configure this requirement themselves in the "Add-ins" category of the Trust Center for the application.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
If users do not configure this policy setting, the disable behavior applies, and in addition, users can configure this requirement themselves in the "Add-ins" category of the Trust Center for the application.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
|
@ -501,7 +501,7 @@ If the value AutomationSecurity is REG_DWORD = 2, this is not a finding.</RawStr
|
|||
|
||||
The Message Bar in Office 365 ProPlus applications is used to identify security issues, such as unsigned macros or potentially unsafe add-ins. When such issues are detected, the application disables the unsafe feature or content and displays the Message Bar at the top of the active window. The Message Bar informs the users about the nature of the security issue and, in some cases, provides the users with an option to enable the potentially unsafe feature or content, which could harm the user's computer.
|
||||
|
||||
If this policy setting is enabled, Office 365 ProPlus applications do not display information in the Message Bar about potentially unsafe content that has been detected or has automatically been blocked.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
If this policy setting is enabled, Office 365 ProPlus applications do not display information in the Message Bar about potentially unsafe content that has been detected or has automatically been blocked.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
|
@ -1455,13 +1455,13 @@ If the value blockcontentexecutionfrominternet is REG_DWORD = 1, this is not a f
|
|||
<ValueType>Dword</ValueType>
|
||||
</Rule>
|
||||
<Rule id="V-223337" severity="medium" conversionstatus="pass" title="SRG-APP-000131" dscresource="RegistryPolicyFile">
|
||||
<Description><VulnDiscussion>This policy setting controls whether the specified Office 2016 applications notify users when unsigned application add-ins are loaded or silently disable such add-ins without notification. This policy setting only applies if you enable the ''Require that application add-ins are signed by Trusted Publisher'' policy setting, which prevents users from changing this policy setting.
|
||||
<Description><VulnDiscussion>This policy setting controls whether the specified Office 2016 applications notify users when unsigned application add-ins are loaded or silently disable such add-ins without notification. This policy setting only applies if the ''Require that application add-ins are signed by Trusted Publisher'' policy setting is enabled, which prevents users from changing this policy setting.
|
||||
|
||||
If you enable this policy setting, applications automatically disable unsigned add-ins without informing users.
|
||||
If this policy setting is enabled, applications automatically disable unsigned add-ins without informing users.
|
||||
|
||||
If you disable this policy setting, if an application is configured to require that all add-ins be signed by a trusted publisher, any unsigned add-ins the application loads will be disabled and the application will display the Trust Bar at the top of the active window. The Trust Bar contains a message that informs users about the unsigned add-in.
|
||||
If this policy setting is disabled, if an application is configured to require that all add-ins be signed by a trusted publisher, any unsigned add-ins the application loads will be disabled and the application will display the Trust Bar at the top of the active window. The Trust Bar contains a message that informs users about the unsigned add-in.
|
||||
|
||||
If you do not configure this policy setting, the disable behavior applies, and in addition, users can configure this requirement themselves in the ''Add-ins'' category of the Trust Center for the application.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
If this policy setting is not configured, the disable behavior applies, and in addition, users can configure this requirement themselves in the ''Add-ins'' category of the Trust Center for the application.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
|
@ -2171,13 +2171,13 @@ If the value EnableOneOffFormScripts is REG_DWORD = 0, this is not a finding.</R
|
|||
<ValueType>Dword</ValueType>
|
||||
</Rule>
|
||||
<Rule id="V-223365" severity="medium" conversionstatus="pass" title="SRG-APP-000488" dscresource="RegistryPolicyFile">
|
||||
<Description><VulnDiscussion>This policy setting controls whether Outlook prompts users before executing a custom action. Custom actions add functionality to Outlook that can be triggered as part of a rule. Among other possible features, custom actions can be created that reply to messages in ways that circumvent the Outlook model's programmatic send protections. If you enable this policy setting, you can choose from four options to control how Outlook functions when a custom action is executed that uses the Outlook object model:
|
||||
<Description><VulnDiscussion>This policy setting controls whether Outlook prompts users before executing a custom action. Custom actions add functionality to Outlook that can be triggered as part of a rule. Among other possible features, custom actions can be created that reply to messages in ways that circumvent the Outlook model's programmatic send protections. If this policy is enabled, four options are available to control how Outlook functions when a custom action is executed that uses the Outlook object model:
|
||||
- Prompt User
|
||||
- Automatically Approve
|
||||
- Automatically Deny
|
||||
- Prompt user based on computer security. This option enforces the default configuration in Outlook.
|
||||
|
||||
If you disable or do not configure this policy setting, when Outlook or another program initiates a custom action using the Outlook object model, users are prompted to allow or reject the action. If this configuration is changed, malicious code can use the Outlook object model to compromise sensitive information or otherwise cause data and computing resources to be at risk. This is the equivalent of choosing Enabled -- Prompt user based on computer security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
If this policy is disabled or not configured, when Outlook or another program initiates a custom action using the Outlook object model, users are prompted to allow or reject the action. If this configuration is changed, malicious code can use the Outlook object model to compromise sensitive information or otherwise cause data and computing resources to be at risk. This is the equivalent of choosing Enabled -- Prompt user based on computer security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
|
@ -2185,13 +2185,13 @@ If you disable or do not configure this policy setting, when Outlook or another
|
|||
<LegacyId>V-99805</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Outlook 2016 >> Security >> Security Form Settings >> Set Outlook object model custom actions execution prompt is set to "Enabled" and "Automatically Deny".
|
||||
<RawString>Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Outlook 2016 >> Security >> Security Form Settings >> Custom Form Security >> Set Outlook object model custom actions execution prompt is set to "Enabled" and "Automatically Deny".
|
||||
|
||||
Use the Windows Registry to navigate to the following key:
|
||||
|
||||
HKCU\software\policies\microsoft\office\16.0\outlook\security
|
||||
|
||||
If the value for promptoomcustomaction is set to REG_DWORD = 0, this is not a finding.</RawString>
|
||||
If the value for "promptoomcustomaction" is set to "REG_DWORD = 0", this is not a finding.</RawString>
|
||||
<ValueData>0</ValueData>
|
||||
<ValueName>promptoomcustomaction</ValueName>
|
||||
<ValueType>Dword</ValueType>
|
||||
|
@ -2447,13 +2447,13 @@ If the value allownetworklocations is REG_DWORD = 0, this is not a finding.</Raw
|
|||
<ValueType>Dword</ValueType>
|
||||
</Rule>
|
||||
<Rule id="V-223375" severity="medium" conversionstatus="pass" title="SRG-APP-000131" dscresource="RegistryPolicyFile">
|
||||
<Description><VulnDiscussion>This policy setting controls whether the specified Office application notifies users when unsigned application add-ins are loaded or silently disable such add-ins without notification. This policy setting only applies if you enable the "Require that application add-ins are signed by Trusted Publisher" policy setting, which prevents users from changing this policy setting.
|
||||
<Description><VulnDiscussion>This policy setting controls whether the specified Office application notifies users when unsigned application add-ins are loaded or silently disable such add-ins without notification. This policy setting only applies if the "Require that application add-ins are signed by Trusted Publisher" policy setting is enabled, which prevents users from changing this policy setting.
|
||||
|
||||
If you enable this policy setting, applications automatically disable unsigned add-ins without informing users.
|
||||
If this policy setting is enabled, applications automatically disable unsigned add-ins without informing users.
|
||||
|
||||
If you disable this policy setting, if this application is configured to require that all add-ins be signed by a trusted publisher, any unsigned add-ins the application loads will be disabled and the application will display the Trust Bar at the top of the active window. The Trust Bar contains a message that informs users about the unsigned add-in.
|
||||
If this policy setting is disabled, if this application is configured to require that all add-ins be signed by a trusted publisher, any unsigned add-ins the application loads will be disabled and the application will display the Trust Bar at the top of the active window. The Trust Bar contains a message that informs users about the unsigned add-in.
|
||||
|
||||
If you do not configure this policy setting, the disable behavior applies, and in addition, users can configure this requirement themselves in the "Add-ins" category of the Trust Center for the application.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
If this policy setting is not configured, the disable behavior applies, and in addition, users can configure this requirement themselves in the "Add-ins" category of the Trust Center for the application.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
|
@ -2687,11 +2687,13 @@ If the value blockcontentexecutionfrominternet is REG_DWORD = 1, this is not a f
|
|||
<ValueType>Dword</ValueType>
|
||||
</Rule>
|
||||
<Rule id="V-223384" severity="medium" conversionstatus="pass" title="SRG-APP-000131" dscresource="RegistryPolicyFile">
|
||||
<Description><VulnDiscussion>This policy setting controls whether the specified Office application notifies users when unsigned application add-ins are loaded or silently disable such add-ins without notification. This policy setting only applies if you enable the "Require that application add-ins are signed by Trusted Publisher" policy setting, which prevents users from changing this policy setting.
|
||||
<Description><VulnDiscussion>This policy setting controls whether the specified Office application notifies users when unsigned application add-ins are loaded or silently disable such add-ins without notification. This policy setting only applies if the "Require that application add-ins are signed by Trusted Publisher" policy setting is enabled, which prevents users from changing this policy setting.
|
||||
|
||||
If you enable this policy setting, applications automatically disable unsigned add-ins without informing users. If you disable this policy setting, if this application is configured to require that all add-ins be signed by a trusted publisher, any unsigned add-ins the application loads will be disabled and the application will display the Trust Bar at the top of the active window. The Trust Bar contains a message that informs users about the unsigned add-in.
|
||||
If this policy setting is enabled, applications automatically disable unsigned add-ins without informing users.
|
||||
|
||||
If you do not configure this policy setting, the disable behavior applies, and in addition, users can configure this requirement themselves in the "Add-ins" category of the Trust Center for the application.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
If this policy setting is disabled, if this application is configured to require that all add-ins be signed by a trusted publisher, any unsigned add-ins the application loads will be disabled and the application will display the Trust Bar at the top of the active window. The Trust Bar contains a message that informs users about the unsigned add-in.
|
||||
|
||||
If this policy setting is not configured, the disable behavior applies, and in addition, users can configure this requirement themselves in the "Add-ins" category of the Trust Center for the application.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
|
@ -2877,13 +2879,13 @@ If the value automationsecuritypublisher is REG_DWORD = 2, this is not a finding
|
|||
<ValueType>Dword</ValueType>
|
||||
</Rule>
|
||||
<Rule id="V-223391" severity="medium" conversionstatus="pass" title="SRG-APP-000131" dscresource="RegistryPolicyFile">
|
||||
<Description><VulnDiscussion>This policy setting controls whether the specified Office application notifies users when unsigned application add-ins are loaded or silently disable such add-ins without notification. This policy setting only applies if you enable the "Require that application add-ins are signed by Trusted Publisher" policy setting, which prevents users from changing this policy setting.
|
||||
<Description><VulnDiscussion>This policy setting controls whether the specified Office application notifies users when unsigned application add-ins are loaded or silently disable such add-ins without notification. This policy setting only applies if the "Require that application add-ins are signed by Trusted Publisher" policy setting is enabled, which prevents users from changing this policy setting.
|
||||
|
||||
If you enable this policy setting, applications automatically disable unsigned add-ins without informing users.
|
||||
If this policy setting is enabled, applications automatically disable unsigned add-ins without informing users.
|
||||
|
||||
If you disable this policy setting, if this application is configured to require that all add-ins be signed by a trusted publisher, any unsigned add-ins the application loads will be disabled and the application will display the Trust Bar at the top of the active window. The Trust Bar contains a message that informs users about the unsigned add-in.
|
||||
If this policy setting is disabled, if this application is configured to require that all add-ins be signed by a trusted publisher, any unsigned add-ins the application loads will be disabled and the application will display the Trust Bar at the top of the active window. The Trust Bar contains a message that informs users about the unsigned add-in.
|
||||
|
||||
If you do not configure this policy setting, the disable behavior applies, and in addition, users can configure this requirement themselves in the "Add-ins" category of the Trust Center for the application.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
If this policy setting is not configured, the disable behavior applies, and in addition, users can configure this requirement themselves in the "Add-ins" category of the Trust Center for the application.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
|
@ -2905,16 +2907,16 @@ If the value notbpromptunsignedaddin is REG_DWORD = 1, this is not a finding.</R
|
|||
<Rule id="V-223392" severity="medium" conversionstatus="pass" title="SRG-APP-000131" dscresource="RegistryPolicyFile">
|
||||
<Description><VulnDiscussion>This policy setting controls how the specified applications warn users when Visual Basic for Applications (VBA) macros are present.
|
||||
|
||||
If you enable this policy setting, you can choose from four options for determining how the specified applications will warn the user about macros:
|
||||
If this policy setting is enabled, users can choose from four options for determining how the specified applications will warn the user about macros:
|
||||
|
||||
- Disable all with notification: The application displays the Trust Bar for all macros, whether signed or unsigned. This option enforces the default configuration in Office. This option also allows users to potentially enable unsigned/untrusted macros. If a site requires the use of macros, they must be signed /approved and added to appropriate locations listed in the Trust Center Settings.
|
||||
- Disable all with notification: The application displays the Trust Bar for all macros, whether signed or unsigned. This option enforces the default configuration in Office. This option also allows users to potentially enable unsigned/untrusted macros. If a site requires the use of macros, they must be signed/approved and added to appropriate locations listed in the Trust Center Settings.
|
||||
- Disable all except digitally signed macros: The application displays the Trust Bar for digitally signed macros, allowing users to enable them or leave them disabled. Any unsigned macros are disabled, and users are not notified.
|
||||
- Disable all without notification: The application disables all macros, whether signed or unsigned, and does not notify users.
|
||||
- Enable all macros (not recommended): All macros are enabled, whether signed or unsigned. This option can significantly reduce security by allowing dangerous code to run undetected.
|
||||
|
||||
If you disable this policy setting, "Disable all with notification" will be the default setting.
|
||||
If this policy setting is disabled, "Disable all with notification" will be the default setting.
|
||||
|
||||
If you do not configure this policy setting, when users open files in the specified applications that contain VBA macros, the applications open the files with the macros disabled and display the Trust Bar with a warning that macros are present and have been disabled. Users can inspect and edit the files if appropriate, but cannot use any disabled functionality until they enable it by clicking "Enable Content" on the Trust Bar. If the user clicks "Enable Content", then the document is added as a trusted document.
|
||||
If this policy setting is not configured, when users open files in the specified applications that contain VBA macros, the applications open the files with the macros disabled and display the Trust Bar with a warning that macros are present and have been disabled. Users can inspect and edit the files if appropriate, but cannot use any disabled functionality until they enable it by clicking "Enable Content" on the Trust Bar. If the user clicks "Enable Content", then the document is added as a trusted document.
|
||||
|
||||
Important: If "Disable all except digitally signed macros" is selected, users will not be able to open unsigned Access databases.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
|
@ -2924,13 +2926,13 @@ Important: If "Disable all except digitally signed macros" is selected, users wi
|
|||
<LegacyId>V-99861</LegacyId>
|
||||
<OrganizationValueRequired>True</OrganizationValueRequired>
|
||||
<OrganizationValueTestString>{0} is 3|4</OrganizationValueTestString>
|
||||
<RawString>Set policy value for User Configuration >> Administrative Templates >> Microsoft Publisher 2016 >> Security >> Trust Center >> VBA Macro Notification Settings >> VBA Macro Notification Settings to "Enabled" "Disable all except digitally signed macros"
|
||||
<RawString>Set policy value for User Configuration >> Administrative Templates >> Microsoft Publisher 2016 >> Security >> Trust Center >> VBA Macro Notification Settings >> VBA Macro Notification Settings to "Enabled" "Disable all except digitally signed macros".
|
||||
|
||||
Use the Windows Registry Editor to navigate to the following key:
|
||||
|
||||
HKCU\software\policies\microsoft\office\16.0\publisher\security
|
||||
|
||||
If the value vbawarnings is REG_DWORD = 3, this is not a finding. A value of REG_DWORD = 4 is also acceptable. If the registry key does not exist or is not configured properly, this is a finding.</RawString>
|
||||
If the value vbawarnings is REG_DWORD = 3, this is not a finding. A value of REG_DWORD = 4 is also acceptable. If the registry key does not exist or is not configured properly, this is a finding.</RawString>
|
||||
<ValueData />
|
||||
<ValueName>vbawarnings</ValueName>
|
||||
<ValueType>Dword</ValueType>
|
||||
|
@ -2999,13 +3001,13 @@ If the value for allownetworklocations is REG_DWORD = 0, this is not a finding.<
|
|||
<ValueType>Dword</ValueType>
|
||||
</Rule>
|
||||
<Rule id="V-223395" severity="medium" conversionstatus="pass" title="SRG-APP-000131" dscresource="RegistryPolicyFile">
|
||||
<Description><VulnDiscussion>This policy setting controls whether the specified Office application notifies users when unsigned application add-ins are loaded or silently disable such add-ins without notification. This policy setting only applies if you enable the "Require that application add-ins are signed by Trusted Publisher" policy setting, which prevents users from changing this policy setting.
|
||||
<Description><VulnDiscussion>This policy setting controls whether the specified Office application notifies users when unsigned application add-ins are loaded or silently disable such add-ins without notification. This policy setting only applies if the "Require that application add-ins are signed by Trusted Publisher" policy setting is enabled, which prevents users from changing this policy setting.
|
||||
|
||||
If you enable this policy setting, applications automatically disable unsigned add-ins without informing users.
|
||||
If this policy setting is enabled, applications automatically disable unsigned add-ins without informing users.
|
||||
|
||||
If you disable this policy setting, if this application is configured to require that all add-ins be signed by a trusted publisher, any unsigned add-ins the application loads will be disabled and the application will display the Trust Bar at the top of the active window. The Trust Bar contains a message that informs users about the unsigned add-in.
|
||||
If this policy setting is disabled, if this application is configured to require that all add-ins be signed by a trusted publisher, any unsigned add-ins the application loads will be disabled and the application will display the Trust Bar at the top of the active window. The Trust Bar contains a message that informs users about the unsigned add-in.
|
||||
|
||||
If you do not configure this policy setting, the disable behavior applies, and in addition, users can configure this requirement themselves in the "Add-ins" category of the Trust Center for the application.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
If this policy setting is not configured, the disable behavior applies, and in addition, users can configure this requirement themselves in the "Add-ins" category of the Trust Center for the application.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
|
@ -3139,13 +3141,13 @@ If the value blockcontentexecutionfrominternet is REG_DWORD = 1, this is not a f
|
|||
<ValueType>Dword</ValueType>
|
||||
</Rule>
|
||||
<Rule id="V-223400" severity="medium" conversionstatus="pass" title="SRG-APP-000131" dscresource="RegistryPolicyFile">
|
||||
<Description><VulnDiscussion>This policy setting controls whether the specified Office application notifies users when unsigned application add-ins are loaded or silently disable such add-ins without notification. This policy setting only applies if you enable the "Require that application add-ins are signed by Trusted Publisher" policy setting, which prevents users from changing this policy setting.
|
||||
<Description><VulnDiscussion>This policy setting controls whether the specified Office application notifies users when unsigned application add-ins are loaded or silently disable such add-ins without notification. This policy setting only applies if the "Require that application add-ins are signed by Trusted Publisher" policy setting is enabled, which prevents users from changing this policy setting.
|
||||
|
||||
If you enable this policy setting, applications automatically disable unsigned add-ins without informing users.
|
||||
If this policy setting is enabled, applications automatically disable unsigned add-ins without informing users.
|
||||
|
||||
If you disable this policy setting, if this application is configured to require that all add-ins be signed by a trusted publisher, any unsigned add-ins the application loads will be disabled and the application will display the Trust Bar at the top of the active window. The Trust Bar contains a message that informs users about the unsigned add-in.
|
||||
If this policy setting is disabled, if this application is configured to require that all add-ins be signed by a trusted publisher, any unsigned add-ins the application loads will be disabled and the application will display the Trust Bar at the top of the active window. The Trust Bar contains a message that informs users about the unsigned add-in.
|
||||
|
||||
If you do not configure this policy setting, the disable behavior applies, and in addition, users can configure this requirement themselves in the "Add-ins" category of the Trust Center for the application.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
If this policy setting is not configured, the disable behavior applies, and in addition, users can configure this requirement themselves in the "Add-ins" category of the Trust Center for the application.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
|
@ -0,0 +1,43 @@
|
|||
<!--
|
||||
The organizational settings file is used to define the local organizations
|
||||
preferred setting within an allowed range of the STIG.
|
||||
|
||||
Each setting in this file is linked by STIG ID and the valid range is in an
|
||||
associated comment.
|
||||
-->
|
||||
<OrganizationalSettings fullversion="2.1">
|
||||
<!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If "ENCRYPT_METHOD" does not equal SHA512 or greater, this is a finding." -->
|
||||
<OrganizationalSetting id="V-248533" ContainsLine="ENCRYPT_METHOD = SHA512" DoesNotContainPattern="" />
|
||||
<!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If "ClientAliveInterval" does not exist, does not have a product value of "600" or less in "/etc/ssh/sshd_config", or is commented out, this is a finding." -->
|
||||
<OrganizationalSetting id="V-248553" ContainsLine="ClientAliveInterval 600" DoesNotContainPattern="^\s*ClientAliveInterval\s*[0-5]?[0-9]?[0-9]?\s*$|^#\s*ClientAliveInterval.*|^\s*ClientAliveInterval\s*$" />
|
||||
<!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the "deny" option is not set to "3" or less (but not "0") on the "preauth" line with the "pam_faillock.so" module or is missing from this line, this is a finding." -->
|
||||
<OrganizationalSetting id="V-248652.a" ContainsLine="deny = 3" DoesNotContainPattern="" />
|
||||
<!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the "deny" option is not set to "3" or less (but not "0") on the "preauth" line with the "pam_faillock.so" module or is missing from this line, this is a finding." -->
|
||||
<OrganizationalSetting id="V-248652.b" ContainsLine="deny = 3" DoesNotContainPattern="" />
|
||||
<!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the "deny" option is not set to "3" or less (but not "0") on the "preauth" line with the "pam_faillock.so" module or is missing from this line, this is a finding." -->
|
||||
<OrganizationalSetting id="V-248652.c" ContainsLine="deny = 3" DoesNotContainPattern="" />
|
||||
<!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the "deny" option is not set to "3" or less (but not "0") on the "preauth" line with the "pam_faillock.so" module or is missing from this line, this is a finding." -->
|
||||
<OrganizationalSetting id="V-248652.d" ContainsLine="deny = 3" DoesNotContainPattern="" />
|
||||
<!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the "deny" option is not set to "3" or less (but not "0") on the "preauth" line with the "pam_faillock.so" module or is missing from this line, this is a finding." -->
|
||||
<OrganizationalSetting id="V-248652.e" ContainsLine="deny = 3" DoesNotContainPattern="" />
|
||||
<!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the "deny" option is not set to "3" or less (but not "0") on the "preauth" line with the "pam_faillock.so" module or is missing from this line, this is a finding." -->
|
||||
<OrganizationalSetting id="V-248652.f" ContainsLine="deny = 3" DoesNotContainPattern="" />
|
||||
<!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the "deny" option is not set to "3" or less (but not "0") or is missing or commented out, this is a finding." -->
|
||||
<OrganizationalSetting id="V-248653" ContainsLine="deny = 3" DoesNotContainPattern="" />
|
||||
<!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the "maxlogins" item is missing or commented out, or the value is not set to "10" or less for all domains that have the "maxlogins" item assigned, this is a finding." -->
|
||||
<OrganizationalSetting id="V-248681" ContainsLine="lock-after-time = 900" DoesNotContainPattern="" />
|
||||
<!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the "PASS_MIN_DAYS" parameter value is not "1" or greater or is commented out, this is a finding." -->
|
||||
<OrganizationalSetting id="V-248695" ContainsLine="PASS_MIN_DAYS 1" DoesNotContainPattern="^\s*PASS_MIN_DAYS\s*[0]*$|#\s*PASS_MIN_DAYS.*" />
|
||||
<!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the "PASS_MAX_DAYS" parameter value is greater than "60", or commented out, this is a finding." -->
|
||||
<OrganizationalSetting id="V-248696" ContainsLine="PASS_MAX_DAYS 60" DoesNotContainPattern="^\s*PASS_MAX_DAYS\s*([6][1-9]|[7-9][0-9]|\d{3,})$|#\s*PASS_MAX_DAYS.*" />
|
||||
<!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the "PASS_MIN_LEN" parameter value is less than "15" or is commented out, this is a finding." -->
|
||||
<OrganizationalSetting id="V-248700" ContainsLine="PASS_MIN_LEN = 15" DoesNotContainPattern="^\s*PASS_MIN_LEN\s*=\s*([0-9]|[1][1-4])$|#\s*PASS_MIN_LEN.*" />
|
||||
<!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the value of "FAIL_DELAY" is not set to "4" or greater or the line is commented out, this is a finding." -->
|
||||
<OrganizationalSetting id="V-248712" ContainsLine="FAIL_DELAY 4" DoesNotContainPattern="^#\s*FAIL_DELAY.*|^FAIL_DELAY\s*(?!\d{2,})[1-3]" />
|
||||
<!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the "maxpoll" option is set to a number greater than "16" or the line is commented out, this is a finding." -->
|
||||
<OrganizationalSetting id="V-248820" ContainsLine="maxpoll = 16" DoesNotContainPattern="^\s*maxpoll\s*=\s*([0-9]|[1][1-5])$|#\s*maxpoll.*" />
|
||||
<!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the value of "retry" is set to "0" or greater than "3", this is a finding." -->
|
||||
<OrganizationalSetting id="V-252658" ContainsLine="retry = 3" DoesNotContainPattern="" />
|
||||
<!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the value of "retry" is set to "0" or greater than "3", this is a finding." -->
|
||||
<OrganizationalSetting id="V-252659" ContainsLine="retry = 3" DoesNotContainPattern="" />
|
||||
</OrganizationalSettings>
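Review bot: The exclusion patterns for V-248700 and V-248820 skip the value 10: `([0-9]|[1][1-4])` matches 0–9 and 11–14, so a `PASS_MIN_LEN = 10` line is neither the enforced line nor caught by DoesNotContainPattern, and `([0-9]|[1][1-5])` has the same gap for maxpoll; `([0-9]|1[0-4])` and `([0-9]|1[0-5])` close it. For V-248712 the pattern `^FAIL_DELAY\s*(?!\d{2,})[1-3]` leaves `FAIL_DELAY 0` unmatched although the quoted check treats anything below 4 as a finding; `[0-3]` would cover it. For V-248820 the quoted check calls values greater than 16 a finding, yet the pattern only matches values below 16, so if DoesNotContainPattern is meant to clear conflicting maxpoll lines a larger value survives — worth confirming against how nxFileLine consumes the attribute. The comment above V-248681 quotes the maxlogins check text while the setting enforces `lock-after-time = 900`; it should quote the lock-after-time requirement, as the maxlogins text appears copied from another rule.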
|
|
@ -5,9 +5,9 @@
|
|||
Each setting in this file is linked by STIG ID and the valid range is in an
|
||||
associated comment.
|
||||
-->
|
||||
<OrganizationalSettings fullversion="2.11">
|
||||
<OrganizationalSettings fullversion="3.1">
|
||||
<!-- Ensure SQL authentication logins are populated from organizational settings.-->
|
||||
<OrganizationalSetting id="V-213964" Ensure="" Name="" />
|
||||
<!-- Ensure 'V-214029' is populated with a non-default SA account name-->
|
||||
<OrganizationalSetting id="V-214029" VariableValue="stig_sa" />
|
||||
<OrganizationalSetting id="V-214029" VariableValue="" />
|
||||
</OrganizationalSettings>
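Review bot: The shipped value for V-214029 on the new side is empty while the comment above it still asks for a non-default SA account name, so the file no longer says who is expected to supply the value. Dropping the `stig_sa` placeholder is reasonable, since a shipped default would be the same name on every deployment, but the comment should state the expectation, e.g. `<!-- 'V-214029' must be populated by the organization with a non-default SA account name; no default is shipped -->`. Whether an empty VariableValue is rejected or silently accepted by the consumer is not visible here and is worth confirming.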
|
|
@ -1,4 +1,4 @@
|
|||
<DISASTIG version="2" classification="UNCLASSIFIED" customname="" stigid="MS_SQL_Server_2016_Instance_STIG" description="This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil." filename="U_MS_SQL_Server_2016_Instance_STIG_V2R11_Manual-xccdf.xml" releaseinfo="Release: 11 Benchmark Date: 24 Jan 2024 3.4.1.22916 1.10.0" title="MS SQL Server 2016 Instance Security Technical Implementation Guide" notice="terms-of-use" source="STIG.DOD.MIL" fullversion="2.11" created="2/6/2024">
|
||||
<DISASTIG version="3" classification="UNCLASSIFIED" customname="" stigid="MS_SQL_Server_2016_Instance_STIG" description="This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil." filename="U_MS_SQL_Server_2016_Instance_STIG_V3R1_Manual-xccdf.xml" releaseinfo="Release: 1 Benchmark Date: 24 Jul 2024 3.5 1.10.0" title="MS SQL Server 2016 Instance Security Technical Implementation Guide" notice="terms-of-use" source="STIG.DOD.MIL" fullversion="3.1" created="7/20/2024">
|
||||
<DocumentRule dscresourcemodule="None">
|
||||
<Rule id="V-213929" severity="medium" conversionstatus="pass" title="SRG-APP-000001-DB-000031" dscresource="None">
|
||||
<Description><VulnDiscussion>Database management includes the ability to control the number of users and user sessions utilizing SQL Server. Unlimited concurrent connections to SQL Server could allow a successful Denial of Service (DoS) attack by exhausting connection resources; and a system can also fail or be degraded by an overload of legitimate users. Limiting the number of concurrent sessions per user is helpful in reducing these risks.
|
||||
|
@ -579,17 +579,17 @@ To determine whether SQL Server is configured to use a fixed port or dynamic por
|
|||
If these are in conflict with PPSM guidance, and not explained and approved in the system documentation, this is a finding.</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-213965" severity="medium" conversionstatus="pass" title="SRG-APP-000164-DB-000401" dscresource="None">
|
||||
<Description><VulnDiscussion>OS/enterprise authentication and identification must be used (SRG-APP-000023-DB-000001). Native DBMS authentication may be used only when circumstances make it unavoidable; and must be documented and AO-approved.
|
||||
<Description><VulnDiscussion>OS/enterprise authentication and identification must be used (SRG-APP-000023-DB-000001). Native DBMS authentication may be used only when circumstances make it unavoidable, and must be documented and Authorizing Official (AO)-approved.
|
||||
|
||||
The DoD standard for authentication is DoD-approved PKI certificates. Authentication based on User ID and Password may be used only when it is not possible to employ a PKI certificate, and requires AO approval.
|
||||
The DOD standard for authentication is DOD-approved PKI certificates. Authentication based on User ID and Password may be used only when it is not possible to employ a PKI certificate, and requires AO approval.
|
||||
|
||||
In such cases, the DoD standards for password complexity and lifetime must be implemented. DBMS products that can inherit the rules for these from the operating system or access control program (e.g., Microsoft Active Directory) must be configured to do so. For other DBMSs, the rules must be enforced using available configuration parameters or custom code.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
In such cases, the DOD standards for password complexity and lifetime must be implemented. DBMS products that can inherit the rules for these from the operating system or access control program (e.g., Microsoft Active Directory) must be configured to do so. For other DBMSs, the rules must be enforced using available configuration parameters or custom code.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>V-79193</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Execute the following query to determine if Contained Databases are used:
|
||||
<RawString>Execute the following query to determine if contained databases are used:
|
||||
|
||||
SELECT * FROM sys.databases WHERE containment = 1
|
||||
|
||||
|
@ -664,21 +664,27 @@ For each user database where encryption is required, verify that encryption is i
|
|||
Verify that there are physical security measures, operating system access control lists and organizational controls appropriate to the sensitivity level of the data in the database(s). If not, this is a finding.</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-213976" severity="medium" conversionstatus="pass" title="SRG-APP-000243-DB-000373" dscresource="None">
|
||||
<Description><VulnDiscussion>The purpose of this control is to prevent information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on behalf of a prior user/role) from being available to any current user/role (or current process) that obtains access to a shared system resource (e.g., registers, main memory, secondary storage) after the resource has been released back to the information system. Control of information in shared resources is also referred to as object reuse.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>The purpose of this control is to prevent information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on behalf of a prior user/role) from being available to any current user/role (or current process) that obtains access to a shared system resource (e.g., registers, main memory, secondary storage) after the resource has been released back to the information system. Control of information in shared resources is also referred to as object reuse.
|
||||
|
||||
When Instant File Initialization (IFI) is in use, the deleted disk content is overwritten only as new data is written to the files. For this reason, the deleted content might be accessed by an unauthorized principal until some other data writes on that specific area of the data file.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>V-79213</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Review the system documentation to determine if Instant File Initialization (IFI) is required.
|
||||
<RawString>Review system configuration to determine whether IFI support has been enabled (by default in SQL Server 2016).
|
||||
|
||||
If IFI is documented as required, this is not a finding.
|
||||
Start >> Control Panel >> System and Security >> Administrative Tools >> Local Security Policy >> Local Policies >> User Rights Assignment >> Perform volume maintenance tasks
|
||||
|
||||
Review system configuration to determine whether IFI support has been enabled (by default in SQL Server 2016).
|
||||
The default SQL service account for a default instance is NT SERVICE\MSSQLSERVER or for a named instance is NT SERVICE\MSSQL$InstanceName.
|
||||
|
||||
Start >> Control Panel >> Administrative Tools >> Local Security Policy >> Local Policies >> User Rights Assignment
|
||||
If the SQL service account or SQL service SID has been granted "Perform volume maintenance tasks" Local Rights Assignment, this means that Instant File Initialization (IFI) is enabled.
|
||||
|
||||
If the SQL Service SID (Default instance: NT SERVICE\MSSQLSERVER. Named instance: NT SERVICE\MSSQL$InstanceName) has been granted "Perform volume maintenance tasks" Local Rights Assignment and if it is not documented in the system documentation, this is a finding.</RawString>
|
||||
Review the system documentation to determine if Instant File Initialization (IFI) is required.
|
||||
|
||||
If IFI is enabled but not documented as required, this is a finding.
|
||||
|
||||
If IFI is not enabled, this is not a finding.</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-213977" severity="medium" conversionstatus="pass" title="SRG-APP-000243-DB-000374" dscresource="None">
|
||||
<Description><VulnDiscussion>SQL Server must prevent unauthorized and unintended information transfer via shared system resources. Permitting only SQL Server processes and authorized, administrative users to have access to the files where the database resides helps ensure that those files are not shared inappropriately and are not open to backdoor access and manipulation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
|
@ -840,34 +846,6 @@ WHERE P.enabled = 1
|
|||
GO
|
||||
|
||||
If any Credentials or SQL Agent Proxy accounts are returned that are not documented and authorized, this is a finding.</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-213981" severity="medium" conversionstatus="pass" title="SRG-APP-000356-DB-000314" dscresource="None">
|
||||
<Description><VulnDiscussion>Without the ability to centrally manage the content captured in the audit records, identification, troubleshooting, and correlation of suspicious behavior would be difficult and could lead to a delayed or incomplete analysis of an ongoing attack.
|
||||
|
||||
The content captured in audit records must be managed from a central location (necessitating automation). Centralized management of audit records and logs provides for efficiency in maintenance and management of records, as well as the backup and archiving of those records.
|
||||
|
||||
SQL Server may write audit records to database tables, to files in the file system, to other kinds of local repository, or directly to a centralized log management system. Whatever the method used, it must be compatible with off-loading the records to the centralized system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>V-79223</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Review the system documentation for a description of how audit records are off-loaded and how local audit log space is managed.
|
||||
|
||||
If the SQL Server audit records are not written directly to or systematically transferred to a centralized log management system, this is a finding.</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-213982" severity="medium" conversionstatus="pass" title="SRG-APP-000356-DB-000315" dscresource="None">
|
||||
<Description><VulnDiscussion>If the configuration of SQL Server's auditing is spread across multiple locations in the database management software, or across multiple commands, only loosely related, it is harder to use and takes longer to reconfigure in response to events.
|
||||
|
||||
SQL Server must provide a unified tool for audit configuration.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>V-79225</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Review the system documentation for a description of how audit records are off-loaded and how local audit log space is managed.
|
||||
|
||||
If the SQL Server audit records (to include traces used for audit purposes) are not written directly to or systematically transferred to a centralized log management system, this is a finding.</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-213986" severity="medium" conversionstatus="pass" title="SRG-APP-000374-DB-000322" dscresource="None">
|
||||
<Description><VulnDiscussion>If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis.
|
||||
|
@ -1288,7 +1266,7 @@ For SQLCMD, which cannot be configured not to accept a plain-text password, and
|
|||
|
||||
Request evidence that all users of the tool are trained in the importance of not using the plain-text password option and in how to keep the password hidden; and that they adhere to this practice; if not, this is a finding.</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-259739" severity="high" conversionstatus="pass" title="SRG-APP-000456-DB-000400" dscresource="None">
|
||||
<Rule id="V-265870" severity="high" conversionstatus="pass" title="SRG-APP-000456-DB-000400" dscresource="None">
|
||||
<Description><VulnDiscussion>Unsupported commercial and database systems should not be used because fixes to newly identified bugs will not be implemented by the vendor. The lack of support can result in potential vulnerabilities.
|
||||
|
||||
Systems at unsupported servicing levels or releases will not receive security updates for new vulnerabilities, which leaves them subject to exploitation.
|
||||
|
@ -1539,35 +1517,35 @@ If any nodes have a certificate in use by SQL that is not issued or approved by
|
|||
</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-213973" severity="medium" conversionstatus="pass" title="SRG-APP-000231-DB-000154" dscresource="None">
|
||||
<Description><VulnDiscussion>Backup and recovery of the Service Master Key may be critical to the complete recovery of the database. Creating this backup should be one of the first administrative actions performed on the server. Not having this key can lead to loss of data during recovery.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>Backup and recovery of the Service Master Key may be critical to the complete recovery of the database. Creating this backup should be one of the first administrative actions performed on the server. Not having this key can lead to loss of data during recovery.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>V-79207</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Review procedures for, and evidence of backup of, the Server Service Master Key in the System Security Plan.
|
||||
<RawString>Review procedures for and evidence of backup of the Server Service Master Key in the System Security Plan.
|
||||
|
||||
If the procedures or evidence does not exist, this is a finding.
|
||||
|
||||
If the procedures do not indicate offline and off-site storage of the Service Master Key, this is a finding.
|
||||
If the procedures or evidence does not exist, this is a finding.
|
||||
|
||||
If the procedures do not indicate that a backup of the Service Master Key is stored in a secure location that is not on the SQL Server, this is a finding.
|
||||
|
||||
If procedures do not indicate access restrictions to the Service Master Key backup, this is a finding.</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-213974" severity="medium" conversionstatus="pass" title="SRG-APP-000231-DB-000154" dscresource="None">
|
||||
<Description><VulnDiscussion>Backup and recovery of the Master Key may be critical to the complete recovery of the database. Not having this key can lead to loss of data during recovery.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>Backup and recovery of the Master Key may be critical to the complete recovery of the database. Not having this key can lead to loss of data during recovery.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>V-79209</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>If the application owner and Authorizing Official have determined that encryption of data at rest is not required, this is not a finding.
|
||||
<RawString>If the application owner and authorizing official have determined that encryption of data at rest is not required, this is not a finding.
|
||||
|
||||
Review procedures for, and evidence of backup of, the Master Key in the System Security Plan.
|
||||
Review procedures for and evidence of backup of the Master Key in the System Security Plan.
|
||||
|
||||
If the procedures or evidence does not exist, this is a finding.
|
||||
|
||||
If the procedures do not indicate offline and off-site storage of the Master Key, this is a finding.
|
||||
|
||||
If the procedures do not indicate that a backup of the Master Key is stored in a secure location that is not on the SQL Server, this is a finding.
|
||||
|
||||
If procedures do not indicate access restrictions to the Master Key backup, this is a finding.</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-213978" severity="medium" conversionstatus="pass" title="SRG-APP-000267-DB-000163" dscresource="None">
|
||||
|
@ -2686,11 +2664,15 @@ If any of these databases exist, this is a finding.</RawString>
|
|||
</SqlDatabaseRule>
|
||||
<SqlLoginRule dscresourcemodule="SqlServerDsc">
|
||||
<Rule id="V-213964" severity="high" conversionstatus="pass" title="SRG-APP-000164-DB-000401" dscresource="SqlLogin">
|
||||
<Description><VulnDiscussion>OS/enterprise authentication and identification must be used (SRG-APP-000023-DB-000001). Native DBMS authentication may be used only when circumstances make it unavoidable; and must be documented and AO-approved.
|
||||
<Description><VulnDiscussion>Windows Authentication is the default authentication mode and is much more secure than SQL Server Authentication. Windows Authentication uses Kerberos security protocol, provides password policy enforcement with regard to complexity validation for strong passwords, provides support for account lockout, and supports password expiration. A connection made using Windows Authentication is sometimes called a trusted connection, because SQL Server trusts the credentials provided by Windows.
|
||||
|
||||
By using Windows Authentication, Windows groups can be created at the domain level, and a login can be created on SQL Server for the entire group. Managing access at the domain level can simplify account administration.
|
||||
|
||||
OS/enterprise authentication and identification must be used (SRG-APP-000023-DB-000001). Native SQL Server authentication may be used only when circumstances make it unavoidable and must be documented and Authorizing Official (AO)-approved.
|
||||
|
||||
The DoD standard for authentication is DoD-approved PKI certificates. Authentication based on User ID and Password may be used only when it is not possible to employ a PKI certificate, and requires AO approval.
|
||||
The DOD standard for authentication is DOD-approved PKI certificates. Authentication based on User ID and Password may be used only when it is not possible to employ a PKI certificate and requires AO approval.
|
||||
|
||||
In such cases, the DoD standards for password complexity and lifetime must be implemented. DBMS products that can inherit the rules for these from the operating system or access control program (e.g., Microsoft Active Directory) must be configured to do so. For other DBMSs, the rules must be enforced using available configuration parameters or custom code.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
In such cases, the DOD standards for password complexity and lifetime must be implemented. DBMS products that can inherit the rules for these from the operating system or access control program (e.g., Microsoft Active Directory) must be configured to do so. For other DBMSs, the rules must be enforced using available configuration parameters or custom code.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
|
@ -2706,9 +2688,9 @@ In such cases, the DoD standards for password complexity and lifetime must be im
|
|||
|
||||
SELECT CASE SERVERPROPERTY('IsIntegratedSecurityOnly') WHEN 1 THEN 'Windows Authentication' WHEN 0 THEN 'SQL Server Authentication' END as [Authentication Mode]
|
||||
|
||||
If the returned value in the "[Authentication Mode]" column is "Windows Authentication", this is not a finding.
|
||||
If the returned value in the "Authentication Mode" column is "Windows Authentication", this is not a finding.
|
||||
|
||||
SQL Server should be configured to inherit password complexity and password lifetime rules from the operating system.
|
||||
If the returned value in the "Authentication Mode" column is "SQL Server Authentication", SQL Server should be configured to inherit password complexity and password lifetime rules from the operating system.
|
||||
|
||||
Review SQL Server to ensure logons are created with respect to the complexity settings and password lifetime rules by running the statement:
|
||||
|
||||
|
@ -2719,15 +2701,13 @@ Review any accounts returned by the query other than the disabled SA account, ##
|
|||
|
||||
If any account does not have both "is_expiration_checked" and "is_policy_checked" equal to “1”, this is a finding.
|
||||
|
||||
Review the Operating System settings relating to password complexity.
|
||||
Review the operating system settings relating to password complexity.
|
||||
|
||||
Determine whether the following rules are enforced. If any are not, this is a finding.
|
||||
To check the server operating system for password complexity:
|
||||
|
||||
Check the server operating system for password complexity:
|
||||
Navigate to Start >> All Programs >> Administrative Tools >> Local Security Policy, and to review the local policies on the machine, go to Account Policy >> Password Policy.
|
||||
|
||||
Navigate to Start >> All Programs >> Administrative Tools >> Local Security Policy, and to review the local policies on the machine, go to Account Policy >> Password Policy:.
|
||||
|
||||
Ensure the DISA Windows Password Policy is set on the SQL Server member server.</RawString>
|
||||
Ensure the DISA Windows Password Policy is set on the SQL Server member server. If any are not, this is a finding.</RawString>
|
||||
</Rule>
|
||||
</SqlLoginRule>
|
||||
<SqlProtocolRule dscresourcemodule="SqlServerDsc">
|
||||
|
@ -2917,7 +2897,7 @@ If the calculated product of the "max_file_size" times the "max_rollover_files"
|
|||
<VariableValue />
|
||||
</Rule>
|
||||
<Rule id="V-213989" severity="medium" conversionstatus="pass" title="SRG-APP-000381-DB-000361" dscresource="SqlScriptQuery">
|
||||
<Description><VulnDiscussion>Without auditing the enforcement of access restrictions against changes to configuration, it would be difficult to identify attempted attacks and an audit trail would not be available for forensic investigation for after-the-fact actions.
|
||||
<Description><VulnDiscussion>Without auditing the enforcement of access restrictions against changes to configuration, it would be difficult to identify attempted attacks and an audit trail would not be available for forensic investigation for after-the-fact actions.
|
||||
|
||||
Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. Enforcement action methods may be as simple as denying access to a file based on the application of file permissions (access restriction). Audit items may consist of lists of actions blocked by access restrictions or changes identified after the fact.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
|
@ -5,7 +5,7 @@
|
|||
Each setting in this file is linked by STIG ID and the valid range is in an
|
||||
associated comment.
|
||||
-->
|
||||
<OrganizationalSettings fullversion="2.8">
|
||||
<OrganizationalSettings fullversion="3.1">
|
||||
<!-- Ensure ValueData is set to 0x00000006 (6) or greater -->
|
||||
<OrganizationalSetting id="V-220704" ValueData="" />
|
||||
<!-- Ensure ''V-220739'' -ge '15' -or ''V-220739'' -eq '0'-->
|
|
@ -1,4 +1,4 @@
|
|||
<DISASTIG version="2" classification="UNCLASSIFIED" customname="" stigid="MS_Windows_10_STIG" description="This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil." filename="U_MS_Windows_10_STIG_V2R8_Manual-xccdf.xml" releaseinfo="Release: 8 Benchmark Date: 09 Nov 2023 3.4.1.22916 1.10.0" title="Microsoft Windows 10 Security Technical Implementation Guide" notice="terms-of-use" source="STIG.DOD.MIL" fullversion="2.8" created="11/17/2023">
|
||||
<DISASTIG version="3" classification="UNCLASSIFIED" customname="" stigid="MS_Windows_10_STIG" description="This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil." filename="U_MS_Windows_10_STIG_V3R1_Manual-xccdf.xml" releaseinfo="Release: 1 Benchmark Date: 24 Jul 2024 3.5 1.10.0" title="Microsoft Windows 10 Security Technical Implementation Guide" notice="terms-of-use" source="STIG.DOD.MIL" fullversion="3.1" created="7/19/2024">
|
||||
<AccountPolicyRule dscresourcemodule="SecurityPolicyDsc">
|
||||
<Rule id="V-220739" severity="medium" conversionstatus="pass" title="SRG-OS-000329-GPOS-00128" dscresource="AccountPolicy">
|
||||
<Description><VulnDiscussion>The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the amount of time that an account will remain locked after the specified number of failed logon attempts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
|
@ -51,7 +51,7 @@ Navigate to Local Computer Policy >> Computer Configuration >> Windo
|
|||
If the "Reset account lockout counter after" value is less than "15" minutes, this is a finding.</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-220742" severity="medium" conversionstatus="pass" title="SRG-OS-000077-GPOS-00045" dscresource="AccountPolicy">
|
||||
<Description><VulnDiscussion>A system is more vulnerable to unauthorized access when system users recycle the same password several times without being required to change a password to a unique password on a regularly scheduled basis. This enables users to effectively negate the purpose of mandating periodic password changes. The default value is 24 for Windows domain systems. DoD has decided this is the appropriate value for all Windows systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>A system is more vulnerable to unauthorized access when system users recycle the same password several times without being required to change a password to a unique password on a regularly scheduled basis. This enables users to effectively negate the purpose of mandating periodic password changes. The default value is 24 for Windows domain systems. DOD has decided this is the appropriate value for all Windows systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>V-63415</LegacyId>
|
||||
|
@ -67,7 +67,7 @@ Navigate to Local Computer Policy >> Computer Configuration >> Windo
|
|||
If the value for "Enforce password history" is less than "24" passwords remembered, this is a finding.</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-220743" severity="medium" conversionstatus="pass" title="SRG-OS-000076-GPOS-00044" dscresource="AccountPolicy">
|
||||
<Description><VulnDiscussion>The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the passwords. Scheduled changing of passwords hinders the ability of unauthorized system users to crack passwords and gain access to a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the passwords. Scheduled changing of passwords hinders the ability of unauthorized system users to crack passwords and gain access to a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>V-63419</LegacyId>
|
||||
|
@ -83,7 +83,7 @@ Navigate to Local Computer Policy >> Computer Configuration >> Windo
|
|||
If the value for the "Maximum password age" is greater than "60" days, this is a finding. If the value is set to "0" (never expires), this is a finding.</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-220744" severity="medium" conversionstatus="pass" title="SRG-OS-000075-GPOS-00043" dscresource="AccountPolicy">
|
||||
<Description><VulnDiscussion>Permitting passwords to be changed in immediate succession within the same day allows users to cycle passwords through their history database. This enables users to effectively negate the purpose of mandating periodic password changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>Permitting passwords to be changed in immediate succession within the same day allows users to cycle passwords through their history database. This enables users to effectively negate the purpose of mandating periodic password changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>V-63421</LegacyId>
|
||||
|
@ -277,14 +277,14 @@ Use the AuditPol tool to review the current Audit Policy configuration:
|
|||
Open a Command Prompt with elevated privileges ("Run as Administrator").
|
||||
Enter "AuditPol /get /category:*"
|
||||
|
||||
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding:
|
||||
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding:
|
||||
|
||||
Detailed Tracking >> Plug and Play Events - Success</RawString>
|
||||
<Subcategory>Plug and Play Events</Subcategory>
|
||||
</Rule>
|
||||
<Rule id="V-220754" severity="medium" conversionstatus="pass" title="SRG-OS-000365-GPOS-00152" dscresource="AuditPolicySubcategory">
|
||||
<AuditFlag>Success</AuditFlag>
|
||||
<Description><VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.
|
||||
<Description><VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.
|
||||
|
||||
Process creation records events related to the creation of a process and the source.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
|
@ -299,7 +299,7 @@ Use the AuditPol tool to review the current Audit Policy configuration:
|
|||
Open a Command Prompt with elevated privileges ("Run as Administrator").
|
||||
Enter "AuditPol /get /category:*".
|
||||
|
||||
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding:
|
||||
Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding:
|
||||
|
||||
Detailed Tracking >> Process Creation - Success</RawString>
|
||||
<Subcategory>Process Creation</Subcategory>
|
||||
|
@ -1000,7 +1000,7 @@ Policy Change >> MPSSVC Rule-Level Policy Change - Failure
|
|||
New versions with feature updates are planned to be released on a semiannual basis with an estimated support timeframe of 18 to 30 months depending on the release. Support for previously released versions has been extended for Enterprise editions.
|
||||
|
||||
A separate servicing branch intended for special-purpose systems is the Long-Term Servicing Channel (LTSC, formerly Branch - LTSB), which will receive security updates for 10 years but excludes feature updates.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DesiredValue>10.0.220</DesiredValue>
|
||||
<DesiredValue>10.0.19044</DesiredValue>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>V-63349</LegacyId>
|
||||
|
@ -1013,7 +1013,7 @@ A separate servicing branch intended for special-purpose systems is the Long-Ter
|
|||
|
||||
If the "About Windows" dialog box does not display the following or greater, this is a finding:
|
||||
|
||||
"Microsoft Windows Version 21H2 (OS Build 220xx.x)"
|
||||
"Microsoft Windows Version 21H2 (OS Build 19044.x)"
|
||||
|
||||
Note: Microsoft has extended support for previous versions, providing critical and important updates for Windows 10 Enterprise.
|
||||
|
||||
|
@ -1062,14 +1062,14 @@ To support this requirement, the operating system may have an integrated solutio
|
|||
<LegacyId>V-63343</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Verify DoD-approved ESS software is installed and properly operating. Ask the site ISSM for documentation of the ESS software installation and configuration.
|
||||
<RawString>Verify DOD-approved ESS software is installed and properly operating. Ask the site information system security manager (ISSM) for documentation of the ESS software installation and configuration.
|
||||
|
||||
If the ISSM is not able to provide a documented configuration for an installed ESS or if the ESS software is not properly maintained or used, this is a finding.
|
||||
|
||||
Note: Example of documentation can be a copy of the site's CCB approved Software Baseline with version of software noted or a memo from the ISSM stating current ESS software and version.</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-220711" severity="low" conversionstatus="pass" title="SRG-OS-000118-GPOS-00060" dscresource="None">
|
||||
<Description><VulnDiscussion>Outdated or unused accounts provide penetration points that may go undetected. Inactive accounts must be deleted if no longer necessary or, if still required, disable until needed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>Outdated or unused accounts provide penetration points that may go undetected. Inactive accounts must be deleted if no longer necessary or, if still required, disabled until needed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>V-63359</LegacyId>
|
||||
|
@ -1101,7 +1101,7 @@ Local administrator account
|
|||
|
||||
If any enabled accounts have not been logged on to within the past 35 days, this is a finding.
|
||||
|
||||
Inactive accounts that have been reviewed and deemed to be required must be documented with the ISSO.</RawString>
|
||||
Inactive accounts that have been reviewed and deemed to be required must be documented with the information system security officer (ISSO).</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-220714" severity="medium" conversionstatus="pass" title="SRG-OS-000095-GPOS-00049" dscresource="None">
|
||||
<Description><VulnDiscussion>Allowing other operating systems to run on a secure system may allow users to circumvent security. For Hyper-V, preventing unauthorized users from being assigned to the Hyper-V Administrators group will prevent them from accessing or creating virtual machines on the system. The Hyper-V Hypervisor is used by Virtualization Based Security features such as Credential Guard on Windows 10; however, it is not the full Hyper-V installation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
|
@ -1269,7 +1269,7 @@ Run "System Information".
|
|||
|
||||
Under "System Summary", if "Secure Boot State" does not display "On", this is finding.</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-220702" severity="medium" conversionstatus="pass" title="SRG-OS-000185-GPOS-00079" dscresource="None">
|
||||
<Rule id="V-220702" severity="high" conversionstatus="pass" title="SRG-OS-000185-GPOS-00079" dscresource="None">
|
||||
<Description><VulnDiscussion>If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can remove non-volatile memory and read it directly, thereby circumventing operating system controls. Encrypting the data ensures that confidentiality is protected even when the operating system is not running.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
|
@ -1301,9 +1301,7 @@ The organization must identify authorized software programs and only permit exec
|
|||
<LegacyId>V-63345</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>This is applicable to unclassified systems; for other systems, this is Not Applicable.
|
||||
|
||||
Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs. This must include packaged apps such as the universal apps installed by default on systems.
|
||||
<RawString>Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs. This must include packaged apps such as the universal apps installed by default on systems.
|
||||
|
||||
If an application allowlisting program is not in use on the system, this is a finding.
|
||||
|
||||
|
@ -1467,7 +1465,7 @@ All of the built-in accounts may not exist on a system, depending on the Windows
|
|||
<OrganizationValueTestString />
|
||||
<RawString>Run "Computer Management".
|
||||
Navigate to System Tools >> Local Users and Groups >> Users.
|
||||
Double click each active account.
|
||||
Double-click each active account.
|
||||
|
||||
If "Password never expires" is selected for any account, this is a finding.</RawString>
|
||||
</Rule>
|
||||
|
@ -1639,7 +1637,7 @@ Windows LAPS must be used to change the built-in Administrator account password.
|
|||
|
||||
Review the password last set date for the enabled local Administrator account.
|
||||
|
||||
On the local domain-joined workstation:
|
||||
On the standalone or domain-joined workstation:
|
||||
|
||||
Open "PowerShell".
|
||||
|
||||
|
@ -1683,7 +1681,7 @@ These audit events can assist in understanding how a computer is being used and
|
|||
<OrganizationValueTestString />
|
||||
<RawString>Ensure Audit Process Creation auditing has been enabled:
|
||||
|
||||
Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> Detailed Tracking >> Set to "Failure".
|
||||
Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >>System Audit Policies >> Detailed Tracking >> Audit Process Creation".
|
||||
|
||||
If "Audit Process Creation" is not set to "Failure", this is a finding.</RawString>
|
||||
</Rule>
|
||||
|
@ -2328,7 +2326,7 @@ If the defaults have not been changed, these are not a finding.
|
|||
</Rule>
|
||||
</PermissionRule>
|
||||
<RegistryRule dscresourcemodule="PSDscResources">
|
||||
<Rule id="V-220703.a" severity="medium" conversionstatus="pass" title="SRG-OS-000185-GPOS-00079" dscresource="RegistryPolicyFile">
|
||||
<Rule id="V-220703.a" severity="high" conversionstatus="pass" title="SRG-OS-000185-GPOS-00079" dscresource="RegistryPolicyFile">
|
||||
<Description><VulnDiscussion>If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can remove non-volatile memory and read it directly, thereby circumventing operating system controls. Encrypting the data ensures that confidentiality is protected even when the operating system is not running. Pre-boot authentication prevents unauthorized users from accessing encrypted drives.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
|
@ -2346,7 +2344,7 @@ Value: 0x00000001 (1)</RawString>
|
|||
<ValueName>UseAdvancedStartup</ValueName>
|
||||
<ValueType>Dword</ValueType>
|
||||
</Rule>
|
||||
<Rule id="V-220703.b" severity="medium" conversionstatus="pass" title="SRG-OS-000185-GPOS-00079" dscresource="RegistryPolicyFile">
|
||||
<Rule id="V-220703.b" severity="high" conversionstatus="pass" title="SRG-OS-000185-GPOS-00079" dscresource="RegistryPolicyFile">
|
||||
<Description><VulnDiscussion>If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can remove non-volatile memory and read it directly, thereby circumventing operating system controls. Encrypting the data ensures that confidentiality is protected even when the operating system is not running. Pre-boot authentication prevents unauthorized users from accessing encrypted drives.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
|
@ -2364,7 +2362,7 @@ Value: 0x00000001 (1)</RawString>
|
|||
<ValueName>UseTPMPIN</ValueName>
|
||||
<ValueType>Dword</ValueType>
|
||||
</Rule>
|
||||
<Rule id="V-220704" severity="medium" conversionstatus="pass" title="SRG-OS-000185-GPOS-00079" dscresource="Registry">
|
||||
<Rule id="V-220704" severity="high" conversionstatus="pass" title="SRG-OS-000185-GPOS-00079" dscresource="Registry">
|
||||
<Description><VulnDiscussion>If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can remove non-volatile memory and read it directly, thereby circumventing operating system controls. Encrypting the data ensures that confidentiality is protected even when the operating system is not running. Pre-boot authentication prevents unauthorized users from accessing encrypted drives. Increasing the PIN length requires a greater number of guesses for an attacker.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
|
@ -3298,7 +3296,7 @@ Value: 0</RawString>
|
|||
<ValueType>Dword</ValueType>
|
||||
</Rule>
|
||||
<Rule id="V-220821" severity="medium" conversionstatus="pass" title="SRG-OS-000373-GPOS-00156" dscresource="RegistryPolicyFile">
|
||||
<Description><VulnDiscussion>Authentication must always be required when accessing a system. This setting ensures the user is prompted for a password on resume from sleep (on battery).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>Authentication must always be required when accessing a system. This setting ensures the user is prompted for a password on resume from sleep (on battery).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
|
@ -3320,7 +3318,7 @@ Value: 1</RawString>
|
|||
<ValueType>Dword</ValueType>
|
||||
</Rule>
|
||||
<Rule id="V-220822" severity="medium" conversionstatus="pass" title="SRG-OS-000373-GPOS-00156" dscresource="RegistryPolicyFile">
|
||||
<Description><VulnDiscussion>Authentication must always be required when accessing a system. This setting ensures the user is prompted for a password on resume from sleep (plugged in).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>Authentication must always be required when accessing a system. This setting ensures the user is prompted for a password on resume from sleep (plugged in).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
|
@ -4047,7 +4045,7 @@ Value: 6 (or greater)</RawString>
|
|||
<ValueType>Dword</ValueType>
|
||||
</Rule>
|
||||
<Rule id="V-220848" severity="medium" conversionstatus="pass" title="SRG-OS-000373-GPOS-00156" dscresource="RegistryPolicyFile">
|
||||
<Description><VulnDiscussion>Saving passwords in the Remote Desktop Client could allow an unauthorized user to establish a remote desktop session to another system. The system must be configured to prevent users from saving passwords in the Remote Desktop Client.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>Saving passwords in the Remote Desktop Client could allow an unauthorized user to establish a remote desktop session to another system. The system must be configured to prevent users from saving passwords in the Remote Desktop Client.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
|
@ -4091,7 +4089,7 @@ Value: 1</RawString>
|
|||
<ValueType>Dword</ValueType>
|
||||
</Rule>
|
||||
<Rule id="V-220850" severity="medium" conversionstatus="pass" title="SRG-OS-000373-GPOS-00156" dscresource="RegistryPolicyFile">
|
||||
<Description><VulnDiscussion>This setting controls the ability of users to supply passwords automatically as part of their remote desktop connection. Disabling this setting would allow anyone to use the stored credentials in a connection item to connect to the terminal server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>This setting controls the ability of users to supply passwords automatically as part of their remote desktop connection. Disabling this setting would allow anyone to use the stored credentials in a connection item to connect to the terminal server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
|
@ -4229,7 +4227,7 @@ Value: 0</RawString>
|
|||
<ValueType>Dword</ValueType>
|
||||
</Rule>
|
||||
<Rule id="V-220856" severity="medium" conversionstatus="pass" title="SRG-OS-000362-GPOS-00149" dscresource="RegistryPolicyFile">
|
||||
<Description><VulnDiscussion>Installation options for applications are typically controlled by administrators. This setting prevents users from changing installation options that may bypass security features.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>Installation options for applications are typically controlled by administrators. This setting prevents users from changing installation options that may bypass security features.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
|
@ -4251,7 +4249,7 @@ Value: 0</RawString>
|
|||
<ValueType>Dword</ValueType>
|
||||
</Rule>
|
||||
<Rule id="V-220857" severity="high" conversionstatus="pass" title="SRG-OS-000362-GPOS-00149" dscresource="RegistryPolicyFile">
|
||||
<Description><VulnDiscussion>Standard user accounts must not be granted elevated privileges. Enabling Windows Installer to elevate privileges when installing applications can allow malicious persons and applications to gain full control of a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>Standard user accounts must not be granted elevated privileges. Enabling Windows Installer to elevate privileges when installing applications can allow malicious persons and applications to gain full control of a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
|
@ -4475,7 +4473,7 @@ Value: 0</RawString>
|
|||
<ValueType>Dword</ValueType>
|
||||
</Rule>
|
||||
<Rule id="V-220867" severity="medium" conversionstatus="pass" title="SRG-OS-000373-GPOS-00156" dscresource="RegistryPolicyFile">
|
||||
<Description><VulnDiscussion>Storage of administrative credentials could allow unauthorized access. Disallowing the storage of RunAs credentials for Windows Remote Management will prevent them from being used with plug-ins.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>Storage of administrative credentials could allow unauthorized access. Disallowing the storage of RunAs credentials for Windows Remote Management will prevent them from being used with plug-ins.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
|
@ -5206,7 +5204,7 @@ Value: 0x7ffffff8 (2147483640)</RawString>
|
|||
<ValueType>Dword</ValueType>
|
||||
</Rule>
|
||||
<Rule id="V-220937" severity="high" conversionstatus="pass" title="SRG-OS-000073-GPOS-00041" dscresource="Registry">
|
||||
<Description><VulnDiscussion>The LAN Manager hash uses a weak encryption algorithm and there are several tools available that use this hash to retrieve account passwords. This setting controls whether or not a LAN Manager hash of the password is stored in the SAM the next time the password is changed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>The LAN Manager hash uses a weak encryption algorithm and there are several tools available that use this hash to retrieve account passwords. This setting controls whether or not a LAN Manager hash of the password is stored in the SAM the next time the password is changed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
|
@ -5362,7 +5360,7 @@ Value: 1</RawString>
|
|||
<ValueType>Dword</ValueType>
|
||||
</Rule>
|
||||
<Rule id="V-220944" severity="medium" conversionstatus="pass" title="SRG-OS-000373-GPOS-00157" dscresource="Registry">
|
||||
<Description><VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures the built-in Administrator account so that it runs in Admin Approval Mode.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures the built-in Administrator account so that it runs in Admin Approval Mode.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
|
@ -5406,7 +5404,7 @@ Value: 2 (Prompt for consent on the secure desktop)</RawString>
|
|||
<ValueType>Dword</ValueType>
|
||||
</Rule>
|
||||
<Rule id="V-220947" severity="medium" conversionstatus="pass" title="SRG-OS-000373-GPOS-00157" dscresource="Registry">
|
||||
<Description><VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. Denying elevation requests from standard user accounts requires tasks that need elevation to be initiated by accounts with administrative privileges. This ensures correct accounts are used on the system for privileged tasks to help mitigate credential theft.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. Denying elevation requests from standard user accounts requires tasks that need elevation to be initiated by accounts with administrative privileges. This ensures correct accounts are used on the system for privileged tasks to help mitigate credential theft.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
|
@ -5472,7 +5470,7 @@ Value: 1</RawString>
|
|||
<ValueType>Dword</ValueType>
|
||||
</Rule>
|
||||
<Rule id="V-220950" severity="medium" conversionstatus="pass" title="SRG-OS-000373-GPOS-00157" dscresource="Registry">
|
||||
<Description><VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting enables UAC.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting enables UAC.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
|
@ -5,7 +5,7 @@
|
|||
Each setting in this file is linked by STIG ID and the valid range is in an
|
||||
associated comment.
|
||||
-->
|
||||
<OrganizationalSettings fullversion="1.5">
|
||||
<OrganizationalSettings fullversion="2.1">
|
||||
<!-- Ensure ValueData is set to 0x00000006 (6) or greater -->
|
||||
<OrganizationalSetting id="V-253261" ValueData="" />
|
||||
<!-- Ensure ''V-253297'' -ge '15' -or ''V-253297'' -eq '0'-->
|
|
@ -1,4 +1,4 @@
|
|||
<DISASTIG version="1" classification="UNCLASSIFIED" customname="" stigid="Microsoft_Windows_11_STIG" description="This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil." filename="U_MS_Windows_11_STIG_V1R5_Manual-xccdf.xml" releaseinfo="Release: 5 Benchmark Date: 09 Nov 2023 3.4.1.22916 1.10.0" title="Microsoft Windows 11 Security Technical Implementation Guide" notice="terms-of-use" source="STIG.DOD.MIL" fullversion="1.5" created="11/17/2023">
|
||||
<DISASTIG version="2" classification="UNCLASSIFIED" customname="" stigid="Microsoft_Windows_11_STIG" description="This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil." filename="U_MS_Windows_11_STIG_V2R1_Manual-xccdf.xml" releaseinfo="Release: 1 Benchmark Date: 24 Jul 2024 3.5 1.10.0" title="Microsoft Windows 11 Security Technical Implementation Guide" notice="terms-of-use" source="STIG.DOD.MIL" fullversion="2.1" created="7/20/2024">
|
||||
<AccountPolicyRule dscresourcemodule="SecurityPolicyDsc">
|
||||
<Rule id="V-253297" severity="medium" conversionstatus="pass" title="SRG-OS-000329-GPOS-00128" dscresource="AccountPolicy">
|
||||
<Description><VulnDiscussion>The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the amount of time that an account will remain locked after the specified number of failed logon attempts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
|
@ -54,7 +54,7 @@ Navigate to Local Computer Policy >> Computer Configuration >> Windo
|
|||
If the "Reset account lockout counter after" value is less than "15" minutes, this is a finding.</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-253300" severity="medium" conversionstatus="pass" title="SRG-OS-000077-GPOS-00045" dscresource="AccountPolicy">
|
||||
<Description><VulnDiscussion>A system is more vulnerable to unauthorized access when system users recycle the same password several times without being required to change a password to a unique password on a regularly scheduled basis. This enables users to effectively negate the purpose of mandating periodic password changes. The default value is 24 for Windows domain systems. DoD has decided this is the appropriate value for all Windows systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>A system is more vulnerable to unauthorized access when system users recycle the same password several times without being required to change a password to a unique password on a regularly scheduled basis. This enables users to effectively negate the purpose of mandating periodic password changes. The default value is 24 for Windows domain systems. DOD has decided this is the appropriate value for all Windows systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>
|
||||
|
@ -71,7 +71,7 @@ Navigate to Local Computer Policy >> Computer Configuration >> Windo
|
|||
If the value for "Enforce password history" is less than "24" passwords remembered, this is a finding.</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-253301" severity="medium" conversionstatus="pass" title="SRG-OS-000076-GPOS-00044" dscresource="AccountPolicy">
|
||||
<Description><VulnDiscussion>The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the passwords. Scheduled changing of passwords hinders the ability of unauthorized system users to crack passwords and gain access to a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the passwords. Scheduled changing of passwords hinders the ability of unauthorized system users to crack passwords and gain access to a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>
|
||||
|
@ -572,7 +572,7 @@ Auditing object access for removable media records events related to access atte
|
|||
</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN11-SO-000030) for the detailed auditing subcategories to be effective.
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings to override audit policy category settings" must be set to "Enabled" (WN11-SO-000030) for the detailed auditing subcategories to be effective.
|
||||
|
||||
Use the AuditPol tool to review the current Audit Policy configuration:
|
||||
Open a Command Prompt with elevated privileges ("Run as Administrator").
|
||||
|
@ -1088,7 +1088,7 @@ To support this requirement, the operating system may have an integrated solutio
|
|||
</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Verify DoD-approved ESS software is installed and properly operating. Ask the site ISSM for documentation of the ESS software installation and configuration.
|
||||
<RawString>Verify DOD-approved ESS software is installed and properly operating. Ask the site information system security manager (ISSM) for documentation of the ESS software installation and configuration.
|
||||
|
||||
If the ISSM is not able to provide a documented configuration for an installed ESS or if the ESS software is not properly maintained or used, this is a finding.
|
||||
|
||||
|
@ -1130,7 +1130,7 @@ Local administrator account
|
|||
|
||||
If any enabled accounts have not been logged on to within the past 35 days, this is a finding.
|
||||
|
||||
Inactive accounts that have been reviewed and deemed to be required must be documented with the ISSO.</RawString>
|
||||
Inactive accounts that have been reviewed and deemed to be required must be documented with the information system security officer (ISSO).</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-253271" severity="medium" conversionstatus="pass" title="SRG-OS-000312-GPOS-00124" dscresource="None">
|
||||
<Description><VulnDiscussion>Allowing other operating systems to run on a secure system may allow users to circumvent security. For Hyper-V, preventing unauthorized users from being assigned to the Hyper-V Administrators group will prevent them from accessing or creating virtual machines on the system. The Hyper-V Hypervisor is used by virtualization-based Security features such as Credential Guard on Windows 11; however, it is not the full Hyper-V installation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
|
@ -1293,7 +1293,7 @@ Run "System Information".
|
|||
|
||||
Under "System Summary", if "Secure Boot State" does not display "On", this is a finding.</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-253259" severity="medium" conversionstatus="pass" title="SRG-OS-000404-GPOS-00183" dscresource="None">
|
||||
<Rule id="V-253259" severity="high" conversionstatus="pass" title="SRG-OS-000404-GPOS-00183" dscresource="None">
|
||||
<Description><VulnDiscussion>If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can remove non-volatile memory and read it directly, thereby circumventing operating system controls. Encrypting the data ensures that confidentiality is protected even when the operating system is not running.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
|
@ -1326,9 +1326,7 @@ The organization must identify authorized software programs and only permit exec
|
|||
</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>This is applicable to unclassified systems.
|
||||
|
||||
Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs. This must include packaged apps such as the universal apps installed by default on systems.
|
||||
<RawString>Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs. This must include packaged apps such as the universal apps installed by default on systems.
|
||||
|
||||
If an application allowlisting program is not in use on the system, this is a finding.
|
||||
|
||||
|
@ -1776,7 +1774,7 @@ Windows LAPS must be used to change the built-in Administrator account password.
|
|||
|
||||
Review the password last set date for the enabled local Administrator account.
|
||||
|
||||
On the local domain-joined workstation:
|
||||
On the standalone or domain-joined workstation:
|
||||
|
||||
Open "PowerShell".
|
||||
|
||||
|
@ -1837,7 +1835,7 @@ These audit events can assist in understanding how a computer is being used and
|
|||
<OrganizationValueTestString />
|
||||
<RawString>Ensure Audit Process Creation auditing has been enabled:
|
||||
|
||||
Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> Detailed Tracking >> Set to "Failure".
|
||||
Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policy >> Detailed Tracking >> Audit Process Creation.
|
||||
|
||||
If "Audit Process Creation" is not set to "Failure", this is a finding.</RawString>
|
||||
</Rule>
|
||||
|
@ -2474,7 +2472,7 @@ If the defaults have not been changed, these are not a finding.
|
|||
</Rule>
|
||||
</PermissionRule>
|
||||
<RegistryRule dscresourcemodule="PSDscResources">
|
||||
<Rule id="V-253260.a" severity="medium" conversionstatus="pass" title="SRG-OS-000405-GPOS-00184" dscresource="RegistryPolicyFile">
|
||||
<Rule id="V-253260.a" severity="high" conversionstatus="pass" title="SRG-OS-000405-GPOS-00184" dscresource="RegistryPolicyFile">
|
||||
<Description><VulnDiscussion>If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can remove non-volatile memory and read it directly, thereby circumventing operating system controls. Encrypting the data ensures that confidentiality is protected even when the operating system is not running. Pre-boot authentication prevents unauthorized users from accessing encrypted drives.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
|
@ -2493,7 +2491,7 @@ Value: 0x00000001 (1)</RawString>
|
|||
<ValueName>UseAdvancedStartup</ValueName>
|
||||
<ValueType>Dword</ValueType>
|
||||
</Rule>
|
||||
<Rule id="V-253260.b" severity="medium" conversionstatus="pass" title="SRG-OS-000405-GPOS-00184" dscresource="RegistryPolicyFile">
|
||||
<Rule id="V-253260.b" severity="high" conversionstatus="pass" title="SRG-OS-000405-GPOS-00184" dscresource="RegistryPolicyFile">
|
||||
<Description><VulnDiscussion>If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can remove non-volatile memory and read it directly, thereby circumventing operating system controls. Encrypting the data ensures that confidentiality is protected even when the operating system is not running. Pre-boot authentication prevents unauthorized users from accessing encrypted drives.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
|
@ -5,7 +5,7 @@
|
|||
Each setting in this file is linked by STIG ID and the valid range is in an
|
||||
associated comment.
|
||||
-->
|
||||
<OrganizationalSettings fullversion="2.8">
|
||||
<OrganizationalSettings fullversion="3.1">
|
||||
<!-- Ensure 'V-205631' is set to the required legal notice before logon-->
|
||||
<OrganizationalSetting id="V-205631" ValueData="You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
|
||||
|
|
@ -1,4 +1,4 @@
<DISASTIG version="2" classification="UNCLASSIFIED" customname="" stigid="Windows_Server_2019_DC_STIG" description="This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil." filename="U_MS_Windows_Server_2019_DC_STIG_V2R8_Manual-xccdf.xml" releaseinfo="Release: 8 Benchmark Date: 09 Nov 2023 3.4.1.22916 1.10.0" title="Microsoft Windows Server 2019 Security Technical Implementation Guide" notice="terms-of-use" source="STIG.DOD.MIL" fullversion="2.8" created="12/22/2023">
<DISASTIG version="3" classification="UNCLASSIFIED" customname="" stigid="Windows_Server_2019_DC_STIG" description="This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil." filename="U_MS_Windows_Server_2019_DC_STIG_V3R1_Manual-xccdf.xml" releaseinfo="Release: 1 Benchmark Date: 24 Jul 2024 3.5 1.10.0" title="Microsoft Windows Server 2019 Security Technical Implementation Guide" notice="terms-of-use" source="STIG.DOD.MIL" fullversion="3.1" created="7/20/2024">
<AccountPolicyRule dscresourcemodule="SecurityPolicyDsc">
<Rule id="V-205702" severity="medium" conversionstatus="pass" title="SRG-OS-000112-GPOS-00057" dscresource="AccountPolicy">
<Description><VulnDiscussion>This policy setting determines whether the Kerberos Key Distribution Center (KDC) validates every request for a session ticket against the user rights policy of the target computer. The policy is enabled by default, which is the most secure setting for validating that access to target resources is not circumvented.
@ -82,7 +82,7 @@ Navigate to Computer Configuration >> Policies >> Windows Settings &
If the value for "Maximum lifetime for user ticket" is "0" or greater than "10" hours, this is a finding.</RawString>
</Rule>
<Rule id="V-205705" severity="medium" conversionstatus="pass" title="SRG-OS-000112-GPOS-00057" dscresource="AccountPolicy">
<Description><VulnDiscussion>This setting determines the period of time (in days) during which a user's Ticket Granting Ticket (TGT) may be renewed. This security configuration limits the amount of time an attacker has to crack the TGT and gain access.
<Description><VulnDiscussion>This setting determines the period of time (in days) during which a user's TGT may be renewed. This security configuration limits the amount of time an attacker has to crack the TGT and gain access.
Satisfies: SRG-OS-000112-GPOS-00057, SRG-OS-000113-GPOS-00058</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
<DuplicateOf />
@ -109,7 +109,7 @@ Navigate to Computer Configuration >> Policies >> Windows Settings &
If the "Maximum lifetime for user ticket renewal" is greater than "7" days, this is a finding.</RawString>
</Rule>
<Rule id="V-205706" severity="medium" conversionstatus="pass" title="SRG-OS-000112-GPOS-00057" dscresource="AccountPolicy">
<Description><VulnDiscussion>This setting determines the maximum time difference (in minutes) that Kerberos will tolerate between the time on a client's clock and the time on a server's clock while still considering the two clocks synchronous. In order to prevent replay attacks, Kerberos uses timestamps as part of its protocol definition. For timestamps to work properly, the clocks of the client and the server need to be in sync as much as possible.
<Description><VulnDiscussion>This setting determines the maximum time difference (in minutes) that Kerberos will tolerate between the time on a client's clock and the time on a server's clock while still considering the two clocks synchronous. To prevent replay attacks, Kerberos uses timestamps as part of its protocol definition. For timestamps to work properly, the clocks of the client and the server need to be in sync as much as possible.
Satisfies: SRG-OS-000112-GPOS-00057, SRG-OS-000113-GPOS-00058</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
<DuplicateOf />
@ -256,7 +256,7 @@ If the value is set to "0" (never expires), this is a finding.
</RawString>
</Rule>
<Rule id="V-205660" severity="medium" conversionstatus="pass" title="SRG-OS-000077-GPOS-00045" dscresource="AccountPolicy">
<Description><VulnDiscussion>A system is more vulnerable to unauthorized access when system users recycle the same password several times without being required to change to a unique password on a regularly scheduled basis. This enables users to effectively negate the purpose of mandating periodic password changes. The default value is "24" for Windows domain systems. DoD has decided this is the appropriate value for all Windows systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
<Description><VulnDiscussion>A system is more vulnerable to unauthorized access when system users recycle the same password several times without being required to change to a unique password on a regularly scheduled basis. This enables users to effectively negate the purpose of mandating periodic password changes. The default value is "24" for Windows domain systems. DOD has decided this is the appropriate value for all Windows systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
<DuplicateOf />
<IsNullOrEmpty>False</IsNullOrEmpty>
<LegacyId>V-93479</LegacyId>
@ -1465,7 +1465,7 @@ Exclude the following accounts:
If any enabled accounts have not been logged on to within the past 35 days, this is a finding.
Inactive accounts that have been reviewed and deemed to be required must be documented with the ISSO.</RawString>
Inactive accounts that have been reviewed and deemed to be required must be documented with the information system security officer (ISSO).</RawString>
</Rule>
<Rule id="V-205728" severity="medium" conversionstatus="pass" title="SRG-OS-000191-GPOS-00080" dscresource="None">
<Description><VulnDiscussion>Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating system or other system components may remain vulnerable to the exploits presented by undetected software flaws. The operating system may have an integrated solution incorporating continuous scanning using ESS and periodic scanning using other tools.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
@ -1474,7 +1474,7 @@ Inactive accounts that have been reviewed and deemed to be required must be docu
<LegacyId>V-93567</LegacyId>
<OrganizationValueRequired>False</OrganizationValueRequired>
<OrganizationValueTestString />
<RawString>Verify DoD-approved ESS software is installed and properly operating. Ask the site ISSM for documentation of the ESS software installation and configuration.
<RawString>Verify DOD-approved ESS software is installed and properly operating. Ask the site information system security manager (ISSM) for documentation of the ESS software installation and configuration.
If the ISSM is not able to provide a documented configuration for an installed ESS or if the ESS software is not properly maintained or used, this is a finding.
@ -1755,7 +1755,7 @@ Windows LAPS must be used to change the built-in Administrator account password.
Review the password last set date for the enabled local Administrator account.
On the local domain-joined workstation:
On the stand alone or domain-joined workstation:
Open "PowerShell".
@ -1799,7 +1799,7 @@ Exclude application accounts and disabled accounts (e.g., DefaultAccount, Guest)
If any enabled user accounts are returned with a "PasswordExpires" status of "False", this is a finding.</RawString>
</Rule>
<Rule id="V-205661" severity="medium" conversionstatus="pass" title="SRG-OS-000078-GPOS-00046" dscresource="None">
<Description><VulnDiscussion>Application/service account passwords must be of sufficient length to prevent being easily cracked. Application/service accounts that are manually managed must have passwords at least 15 characters in length.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
<Description><VulnDiscussion>Application/service account passwords must be of sufficient length to prevent being easily cracked. Application/service accounts that are manually managed must have passwords at least 14 characters in length.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
<DuplicateOf />
<IsNullOrEmpty>False</IsNullOrEmpty>
<LegacyId>V-93461</LegacyId>
@ -1807,7 +1807,7 @@ If any enabled user accounts are returned with a "PasswordExpires" status of "Fa
<OrganizationValueTestString />
<RawString>Determine if manually managed application/service accounts exist. If none exist, this is NA.
Verify the organization has a policy to ensure passwords for manually managed application/service accounts are at least 15 characters in length.
Verify the organization has a policy to ensure passwords for manually managed application/service accounts are at least 14 characters in length.
If such a policy does not exist or has not been implemented, this is a finding.</RawString>
</Rule>
@ -2057,7 +2057,7 @@ The quotes are required and dc=[forest-name] is the fully qualified LDAP name of
If the results do not specify a "MaxConnIdleTime" or it has a value greater than "300" (5 minutes), this is a finding.</RawString>
</Rule>
<Rule id="V-205727" severity="medium" conversionstatus="pass" title="SRG-OS-000185-GPOS-00079" dscresource="None">
<Rule id="V-205727" severity="high" conversionstatus="pass" title="SRG-OS-000185-GPOS-00079" dscresource="None">
<Description><VulnDiscussion>This requirement addresses protection of user-generated data as well as operating system-specific configuration data. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate, in accordance with the security category and/or classification of the information.
Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields).
@ -3093,7 +3093,9 @@ Satisfies: SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099</VulnDiscussion
<OrganizationValueRequired>False</OrganizationValueRequired>
<OrganizationValueTestString />
<Path>%windir%\SYSTEM32\eventvwr.exe</Path>
<RawString>Navigate to "%SystemRoot%\System32".
<RawString>This is not applicable for Windows Core Editions
Navigate to "%SystemRoot%\System32".
View the permissions on "Eventvwr.exe".
@ -3645,7 +3647,7 @@ Inherited from - "None" for all
Principal - Access - Applies to
SYSTEM - Full Control - This key and subkeys
Administrators - Special - This key and subkeys
Server Operators – Read – This Key and subkeys (Domain controllers only)
Server Operators – Read – This Key and subkeys (Domain controllers only)
Other examples under the noted keys may also be sampled. There may be some instances where non-privileged groups have greater than Read permission.
Microsoft has given Read permission to the SOFTWARE and SYSTEM registry keys in Windows Server 2019 to the following SID, this is currently not a finding.
S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681
@ -3726,7 +3728,7 @@ Administrators - Full Control - This key and subkeys
SYSTEM - Full Control - This key and subkeys
CREATOR OWNER - Full Control - This key and subkeys
ALL APPLICATION PACKAGES - Read - This key and subkeys
Server Operators – Read – This Key and subkeys (Domain controllers only)
Server Operators – Read – This Key and subkeys (Domain controllers only)
Other examples under the noted keys may also be sampled. There may be some instances where non-privileged groups have greater than Read permission.
Microsoft has given Read permission to the SOFTWARE and SYSTEM registry keys in Windows Server 2019 to the following SID, this is currently not a finding.
S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681
@ -3807,7 +3809,7 @@ Administrators - Full Control - This key and subkeys
SYSTEM - Full Control - This key and subkeys
CREATOR OWNER - Full Control - Subkeys only
ALL APPLICATION PACKAGES - Read - This key and subkeys
Server Operators – Read – This Key and subkeys (Domain controllers only)
Server Operators – Read – This Key and subkeys (Domain controllers only)
Other examples under the noted keys may also be sampled. There may be some instances where non-privileged groups have greater than Read permission.
Microsoft has given Read permission to the SOFTWARE and SYSTEM registry keys in Windows Server 2019 to the following SID, this is currently not a finding.
S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681
@ -6580,15 +6582,15 @@ Verify if Windows Defender is in use or enabled:
Open "PowerShell".
Enter “get-service | where {$_.DisplayName -Like "*Defender*"} | Select Status,DisplayName”
Enter “get-service | where {$_.DisplayName -Like "*Defender*"} | Select Status,DisplayNameâ€
Verify if third-party anti-virus is in use or enabled:
Open "PowerShell".
Enter "get-service | where {$_.DisplayName -Like "*mcafee*"} | Select Status,DisplayName”
Enter "get-service | where {$_.DisplayName -Like "*mcafee*"} | Select Status,DisplayNameâ€
Enter "get-service | where {$_.DisplayName -Like "*symantec*"} | Select Status,DisplayName”
Enter "get-service | where {$_.DisplayName -Like "*symantec*"} | Select Status,DisplayNameâ€
</RawString>
<ServiceName>
</ServiceName>
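Review bot: The new side of the last hunk in this section (`@ -6580,15 +6582,15 @@`, the Windows Defender / anti-virus service check) ends its three `Enter "get-service | where {$_.DisplayName -Like ...} | Select Status,DisplayName` lines in `â€` where the old side ends in the closing quote `”` — the UTF-8 bytes of U+201D decoded as Windows-1252 and written back — which points at the source XCCDF having been read with the wrong encoding during conversion rather than at a change in the STIG text. The page shows no `+`/`-` markers, so this assumes the second line of each pair is the new side, as the layout suggests. The RawString is check text rather than a DSC setting, so enforcement is unaffected, but the mojibake will surface in any report or documentation built from this file; regenerate the processed XML with the XCCDF decoded as UTF-8, or correct the three lines to end in `DisplayName”`. The Windows_Server_2019_MS section below has the identical defect in its `@ -5515,15 +5517,15 @@` hunk, and the `Server Operators – Read – This Key and subkeys` pairs in the three registry-permission hunks of both sections render identically on both sides, so whatever changed there is whitespace or a byte-level difference in the en dash and is worth confirming with a byte-level diff before merging.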
@ -5,7 +5,7 @@
Each setting in this file is linked by STIG ID and the valid range is in an
associated comment.
-->
<OrganizationalSettings fullversion="2.8">
<OrganizationalSettings fullversion="3.1">
<!-- Ensure 'V-205631' is set to the required legal notice before logon-->
<OrganizationalSetting id="V-205631" ValueData="You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
@ -1,4 +1,4 @@
<DISASTIG version="2" classification="UNCLASSIFIED" customname="" stigid="Windows_Server_2019_MS_STIG" description="This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil." filename="U_MS_Windows_Server_2019_MS_STIG_V2R8_Manual-xccdf.xml" releaseinfo="Release: 8 Benchmark Date: 09 Nov 2023 3.4.1.22916 1.10.0" title="Microsoft Windows Server 2019 Security Technical Implementation Guide" notice="terms-of-use" source="STIG.DOD.MIL" fullversion="2.8" created="12/22/2023">
<DISASTIG version="3" classification="UNCLASSIFIED" customname="" stigid="Windows_Server_2019_MS_STIG" description="This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil." filename="U_MS_Windows_Server_2019_MS_STIG_V3R1_Manual-xccdf.xml" releaseinfo="Release: 1 Benchmark Date: 24 Jul 2024 3.5 1.10.0" title="Microsoft Windows Server 2019 Security Technical Implementation Guide" notice="terms-of-use" source="STIG.DOD.MIL" fullversion="3.1" created="7/20/2024">
<AccountPolicyRule dscresourcemodule="SecurityPolicyDsc">
<Rule id="V-205629" severity="medium" conversionstatus="pass" title="SRG-OS-000021-GPOS-00005" dscresource="AccountPolicy">
<Description><VulnDiscussion>The account lockout feature, when enabled, prevents brute-force password attacks on the system. The higher this value is, the less effective the account lockout feature will be in protecting the local system. The number of bad logon attempts must be reasonably small to minimize the possibility of a successful password attack while allowing for honest errors made during normal user logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
@ -121,7 +121,7 @@ If the value is set to "0" (never expires), this is a finding.
</RawString>
</Rule>
<Rule id="V-205660" severity="medium" conversionstatus="pass" title="SRG-OS-000077-GPOS-00045" dscresource="AccountPolicy">
<Description><VulnDiscussion>A system is more vulnerable to unauthorized access when system users recycle the same password several times without being required to change to a unique password on a regularly scheduled basis. This enables users to effectively negate the purpose of mandating periodic password changes. The default value is "24" for Windows domain systems. DoD has decided this is the appropriate value for all Windows systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
<Description><VulnDiscussion>A system is more vulnerable to unauthorized access when system users recycle the same password several times without being required to change to a unique password on a regularly scheduled basis. This enables users to effectively negate the purpose of mandating periodic password changes. The default value is "24" for Windows domain systems. DOD has decided this is the appropriate value for all Windows systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
<DuplicateOf />
<IsNullOrEmpty>False</IsNullOrEmpty>
<LegacyId>V-93479</LegacyId>
@ -1178,7 +1178,7 @@ Exclude the following accounts:
If any enabled accounts have not been logged on to within the past 35 days, this is a finding.
Inactive accounts that have been reviewed and deemed to be required must be documented with the ISSO.</RawString>
Inactive accounts that have been reviewed and deemed to be required must be documented with the information system security officer (ISSO).</RawString>
</Rule>
<Rule id="V-205728" severity="medium" conversionstatus="pass" title="SRG-OS-000191-GPOS-00080" dscresource="None">
<Description><VulnDiscussion>Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating system or other system components may remain vulnerable to the exploits presented by undetected software flaws. The operating system may have an integrated solution incorporating continuous scanning using ESS and periodic scanning using other tools.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
@ -1187,7 +1187,7 @@ Inactive accounts that have been reviewed and deemed to be required must be docu
<LegacyId>V-93567</LegacyId>
<OrganizationValueRequired>False</OrganizationValueRequired>
<OrganizationValueTestString />
<RawString>Verify DoD-approved ESS software is installed and properly operating. Ask the site ISSM for documentation of the ESS software installation and configuration.
<RawString>Verify DOD-approved ESS software is installed and properly operating. Ask the site information system security manager (ISSM) for documentation of the ESS software installation and configuration.
If the ISSM is not able to provide a documented configuration for an installed ESS or if the ESS software is not properly maintained or used, this is a finding.
@ -1269,7 +1269,7 @@ Windows LAPS must be used to change the built-in Administrator account password.
Review the password last set date for the enabled local Administrator account.
On the local domain-joined workstation:
On the stand alone or domain-joined workstation:
Open "PowerShell".
@ -1313,7 +1313,7 @@ Exclude application accounts and disabled accounts (e.g., DefaultAccount, Guest)
If any enabled user accounts are returned with a "PasswordExpires" status of "False", this is a finding.</RawString>
</Rule>
<Rule id="V-205661" severity="medium" conversionstatus="pass" title="SRG-OS-000078-GPOS-00046" dscresource="None">
<Description><VulnDiscussion>Application/service account passwords must be of sufficient length to prevent being easily cracked. Application/service accounts that are manually managed must have passwords at least 15 characters in length.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
<Description><VulnDiscussion>Application/service account passwords must be of sufficient length to prevent being easily cracked. Application/service accounts that are manually managed must have passwords at least 14 characters in length.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
<DuplicateOf />
<IsNullOrEmpty>False</IsNullOrEmpty>
<LegacyId>V-93461</LegacyId>
@ -1321,7 +1321,7 @@ If any enabled user accounts are returned with a "PasswordExpires" status of "Fa
<OrganizationValueTestString />
<RawString>Determine if manually managed application/service accounts exist. If none exist, this is NA.
Verify the organization has a policy to ensure passwords for manually managed application/service accounts are at least 15 characters in length.
Verify the organization has a policy to ensure passwords for manually managed application/service accounts are at least 14 characters in length.
If such a policy does not exist or has not been implemented, this is a finding.</RawString>
</Rule>
@ -1437,7 +1437,7 @@ Select the "Security" tab.
If the permissions have not been configured to restrict permissions to the specific groups or accounts that require access, this is a finding.</RawString>
</Rule>
<Rule id="V-205727" severity="medium" conversionstatus="pass" title="SRG-OS-000185-GPOS-00079" dscresource="None">
<Rule id="V-205727" severity="high" conversionstatus="pass" title="SRG-OS-000185-GPOS-00079" dscresource="None">
<Description><VulnDiscussion>This requirement addresses protection of user-generated data as well as operating system-specific configuration data. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate, in accordance with the security category and/or classification of the information.
Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields).
@ -2003,7 +2003,9 @@ Satisfies: SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099</VulnDiscussion
<OrganizationValueRequired>False</OrganizationValueRequired>
<OrganizationValueTestString />
<Path>%windir%\SYSTEM32\eventvwr.exe</Path>
<RawString>Navigate to "%SystemRoot%\System32".
<RawString>This is not applicable for Windows Core Editions
Navigate to "%SystemRoot%\System32".
View the permissions on "Eventvwr.exe".
@ -2555,7 +2557,7 @@ Inherited from - "None" for all
Principal - Access - Applies to
SYSTEM - Full Control - This key and subkeys
Administrators - Special - This key and subkeys
Server Operators – Read – This Key and subkeys (Domain controllers only)
Server Operators – Read – This Key and subkeys (Domain controllers only)
Other examples under the noted keys may also be sampled. There may be some instances where non-privileged groups have greater than Read permission.
Microsoft has given Read permission to the SOFTWARE and SYSTEM registry keys in Windows Server 2019 to the following SID, this is currently not a finding.
S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681
@ -2636,7 +2638,7 @@ Administrators - Full Control - This key and subkeys
SYSTEM - Full Control - This key and subkeys
CREATOR OWNER - Full Control - This key and subkeys
ALL APPLICATION PACKAGES - Read - This key and subkeys
Server Operators – Read – This Key and subkeys (Domain controllers only)
Server Operators – Read – This Key and subkeys (Domain controllers only)
Other examples under the noted keys may also be sampled. There may be some instances where non-privileged groups have greater than Read permission.
Microsoft has given Read permission to the SOFTWARE and SYSTEM registry keys in Windows Server 2019 to the following SID, this is currently not a finding.
S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681
@ -2717,7 +2719,7 @@ Administrators - Full Control - This key and subkeys
SYSTEM - Full Control - This key and subkeys
CREATOR OWNER - Full Control - Subkeys only
ALL APPLICATION PACKAGES - Read - This key and subkeys
Server Operators – Read – This Key and subkeys (Domain controllers only)
Server Operators – Read – This Key and subkeys (Domain controllers only)
Other examples under the noted keys may also be sampled. There may be some instances where non-privileged groups have greater than Read permission.
Microsoft has given Read permission to the SOFTWARE and SYSTEM registry keys in Windows Server 2019 to the following SID, this is currently not a finding.
S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681
@ -5515,15 +5517,15 @@ Verify if Windows Defender is in use or enabled:
|
|||
|
||||
Open "PowerShell".
|
||||
|
||||
Enter “get-service | where {$_.DisplayName -Like "*Defender*"} | Select Status,DisplayName”
|
||||
Enter “get-service | where {$_.DisplayName -Like "*Defender*"} | Select Status,DisplayNameâ€
|
||||
|
||||
Verify if third-party anti-virus is in use or enabled:
|
||||
|
||||
Open "PowerShell".
|
||||
|
||||
Enter "get-service | where {$_.DisplayName -Like "*mcafee*"} | Select Status,DisplayName”
|
||||
Enter "get-service | where {$_.DisplayName -Like "*mcafee*"} | Select Status,DisplayNameâ€
|
||||
|
||||
Enter "get-service | where {$_.DisplayName -Like "*symantec*"} | Select Status,DisplayName”
|
||||
Enter "get-service | where {$_.DisplayName -Like "*symantec*"} | Select Status,DisplayNameâ€
|
||||
</RawString>
|
||||
<ServiceName>
|
||||
</ServiceName>
|
|
@ -5,7 +5,7 @@
|
|||
Each setting in this file is linked by STIG ID and the valid range is in an
|
||||
associated comment.
|
||||
-->
|
||||
<OrganizationalSettings fullversion="1.4">
|
||||
<OrganizationalSettings fullversion="2.1">
|
||||
<!-- Ensure ServiceName/StartupType is populated with correct AntiVirus service information-->
|
||||
<OrganizationalSetting id="V-254248" ServiceName="" StartupType="" />
|
||||
<!-- Ensure ServiceName/StartupType is populated with correct Firewall service information-->
|
|
@ -1,4 +1,4 @@
|
|||
<DISASTIG version="1" classification="UNCLASSIFIED" customname="" stigid="MS_Windows_Server_2022_DC_STIG" description="This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil." filename="U_MS_Windows_Server_2022_DC_STIG_V1R4_Manual-xccdf.xml" releaseinfo="Release: 4 Benchmark Date: 09 Nov 2023 3.4.1.22916 1.10.0" title="Microsoft Windows Server 2022 Security Technical Implementation Guide" notice="terms-of-use" source="STIG.DOD.MIL" fullversion="1.4" created="12/22/2023">
|
||||
<DISASTIG version="2" classification="UNCLASSIFIED" customname="" stigid="MS_Windows_Server_2022_DC_STIG" description="This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil." filename="U_MS_Windows_Server_2022_DC_STIG_V2R1_Manual-xccdf.xml" releaseinfo="Release: 1 Benchmark Date: 24 Jul 2024 3.5 1.10.0" title="Microsoft Windows Server 2022 Security Technical Implementation Guide" notice="terms-of-use" source="STIG.DOD.MIL" fullversion="2.1" created="7/20/2024">
|
||||
<AccountPolicyRule dscresourcemodule="SecurityPolicyDsc">
|
||||
<Rule id="V-254386" severity="medium" conversionstatus="pass" title="SRG-OS-000112-GPOS-00057" dscresource="AccountPolicy">
|
||||
<Description><VulnDiscussion>This policy setting determines whether the Kerberos Key Distribution Center (KDC) validates every request for a session ticket against the user rights policy of the target computer. The policy is enabled by default, which is the most secure setting for validating that access to target resources is not circumvented.
|
||||
|
@ -113,7 +113,7 @@ Navigate to Computer Configuration >> Policies >> Windows Settings &
|
|||
If the "Maximum lifetime for user ticket renewal" is greater than "7" days, this is a finding.</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-254390" severity="medium" conversionstatus="pass" title="SRG-OS-000112-GPOS-00057" dscresource="AccountPolicy">
|
||||
<Description><VulnDiscussion>This setting determines the maximum time difference (in minutes) that Kerberos will tolerate between the time on a client's clock and the time on a server's clock while still considering the two clocks synchronous. In order to prevent replay attacks, Kerberos uses timestamps as part of its protocol definition. For timestamps to work properly, the clocks of the client and the server need to be in sync as much as possible.
|
||||
<Description><VulnDiscussion>This setting determines the maximum time difference (in minutes) that Kerberos will tolerate between the time on a client's clock and the time on a server's clock while still considering the two clocks synchronous. To prevent replay attacks, Kerberos uses timestamps as part of its protocol definition. For timestamps to work properly, the clocks of the client and the server need to be in sync as much as possible.
|
||||
|
||||
Satisfies: SRG-OS-000112-GPOS-00057, SRG-OS-000113-GPOS-00058</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
|
@ -201,7 +201,7 @@ If the "Reset account lockout counter after" value is less than "15" minutes, th
|
|||
</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-254288" severity="medium" conversionstatus="pass" title="SRG-OS-000077-GPOS-00045" dscresource="AccountPolicy">
|
||||
<Description><VulnDiscussion>A system is more vulnerable to unauthorized access when system users recycle the same password several times without being required to change to a unique password on a regularly scheduled basis. This enables users to effectively negate the purpose of mandating periodic password changes. The default value is "24" for Windows domain systems. DoD has decided this is the appropriate value for all Windows systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>A system is more vulnerable to unauthorized access when system users recycle the same password several times without being required to change to a unique password on a regularly scheduled basis. This enables users to effectively negate the purpose of mandating periodic password changes. The default value is "24" for Windows domain systems. DOD has decided this is the appropriate value for all Windows systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>
|
||||
|
@ -1523,7 +1523,7 @@ The PowerShell command "Get-WindowsFeature" will list all roles and features wit
|
|||
</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Verify DoD-approved ESS software is installed and properly operating. Ask the site Information System Security Manager (ISSM) for documentation of the ESS software installation and configuration.
|
||||
<RawString>Verify DOD-approved ESS software is installed and properly operating. Ask the site information system security manager (ISSM) for documentation of the ESS software installation and configuration.
|
||||
|
||||
If the ISSM is not able to provide a documented configuration for an installed ESS or if the ESS software is not properly maintained or used, this is a finding.
|
||||
|
||||
|
@ -1724,7 +1724,7 @@ Windows LAPS must be used to change the built-in Administrator account password.
|
|||
|
||||
Review the password last set date for the enabled local Administrator account.
|
||||
|
||||
On the local domain-joined workstation:
|
||||
On the stand alone or domain-joined workstation:
|
||||
|
||||
Open "PowerShell".
|
||||
|
||||
|
@ -1777,7 +1777,7 @@ Verify users with accounts in the Backup Operators group have a separate user ac
|
|||
If users with accounts in the Backup Operators group do not have separate accounts for backup functions and standard user functions, this is a finding.</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-254242" severity="medium" conversionstatus="pass" title="SRG-OS-000078-GPOS-00046" dscresource="None">
|
||||
<Description><VulnDiscussion>Application/service account passwords must be of sufficient length to prevent being easily cracked. Application/service accounts that are manually managed must have passwords at least 15 characters in length.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>Application/service account passwords must be of sufficient length to prevent being easily cracked. Application/service accounts that are manually managed must have passwords at least 14 characters in length.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>
|
||||
|
@ -1786,7 +1786,7 @@ If users with accounts in the Backup Operators group do not have separate accoun
|
|||
<OrganizationValueTestString />
|
||||
<RawString>Determine if manually managed application/service accounts exist. If none exist, this is NA.
|
||||
|
||||
Verify the organization has a policy to ensure passwords for manually managed application/service accounts are at least 15 characters in length.
|
||||
Verify the organization has a policy to ensure passwords for manually managed application/service accounts are at least 14 characters in length.
|
||||
|
||||
If such a policy does not exist or has not been implemented, this is a finding.</RawString>
|
||||
</Rule>
|
||||
|
@ -2004,7 +2004,7 @@ Select the "Security" tab.
|
|||
|
||||
If the permissions have not been configured to restrict permissions to the specific groups or accounts that require access, this is a finding.</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-254262" severity="medium" conversionstatus="pass" title="SRG-OS-000185-GPOS-00079" dscresource="None">
|
||||
<Rule id="V-254262" severity="high" conversionstatus="pass" title="SRG-OS-000185-GPOS-00079" dscresource="None">
|
||||
<Description><VulnDiscussion>This requirement addresses protection of user-generated data as well as operating system-specific configuration data. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate, in accordance with the security category and/or classification of the information.
|
||||
|
||||
Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields).
|
||||
|
@ -3605,7 +3605,7 @@ If the defaults have not been changed, these are not a finding.
|
|||
</Type>
|
||||
<Principal>CREATOR OWNER</Principal>
|
||||
<ForcePrincipal>False</ForcePrincipal>
|
||||
<Inheritance>Subkeys Only</Inheritance>
|
||||
<Inheritance>This Key and Subkeys</Inheritance>
|
||||
<Rights>FullControl</Rights>
|
||||
</Entry>
|
||||
<Entry>
|
||||
|
@ -3656,7 +3656,7 @@ Principal - Access - Applies to
|
|||
Users - Read - This key and subkeys
|
||||
Administrators - Full Control - This key and subkeys
|
||||
SYSTEM - Full Control - This key and subkeys
|
||||
CREATOR OWNER - Full Control - Subkeys
|
||||
CREATOR OWNER - Full Control - This key and Subkeys
|
||||
ALL APPLICATION PACKAGES - Read - This key and subkeys
|
||||
Server Operators - Read - This Key and subkeys (Domain controllers only)
|
||||
Other examples under the noted keys may also be sampled. There may be some instances where nonprivileged groups have greater than Read permission.
|
||||
|
@ -3888,7 +3888,9 @@ Satisfies: SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099</VulnDiscussion
|
|||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<Path>%windir%\SYSTEM32\eventvwr.exe</Path>
|
||||
<RawString>Navigate to "%SystemRoot%\System32".
|
||||
<RawString>This is not applicable for Windows Core Edition.
|
||||
|
||||
Navigate to "%SystemRoot%\System32".
|
||||
|
||||
View the permissions on "Eventvwr.exe".
|
||||
|
|
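Review bot: In the `@ -3888,7 +3888,9 @@` hunk the new `<RawString>` opens with "This is not applicable for Windows Core Edition.", but the rule's `<Path>%windir%\SYSTEM32\eventvwr.exe</Path>` and the surrounding processed rule are unchanged, so nothing in the hunk records that applicability condition. If the processed rule is evaluated unconditionally (the enclosing `<Rule>` starts outside the hunk, so I cannot confirm this here), Server Core installs would still be assessed against a control DISA now marks as NA, and a missing or differently permissioned eventvwr.exe would surface as a spurious finding. Please confirm whether PowerStig has a mechanism to skip this rule on Core installs; if it does not, consider noting the exclusion alongside the rule, e.g. `<!-- DISA V2R1: not applicable on Windows Core Edition; check text only, no automated exclusion -->`, so the gap is visible to consumers of this data file.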
@ -1,4 +1,4 @@
|
|||
<DISASTIG version="1" classification="UNCLASSIFIED" customname="" stigid="MS_Windows_Server_2022_MS_STIG" description="This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil." filename="U_MS_Windows_Server_2022_MS_STIG_V1R5_Manual-xccdf.xml" releaseinfo="Release: 5 Benchmark Date: 15 May 2024 3.4.1.22916 1.10.0" title="Microsoft Windows Server 2022 Security Technical Implementation Guide" notice="terms-of-use" source="STIG.DOD.MIL" fullversion="1.5" created="5/4/2024">
|
||||
<DISASTIG version="1" classification="UNCLASSIFIED" customname="" stigid="MS_Windows_Server_2022_MS_STIG" description="This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil." filename="U_MS_Windows_Server_2022_MS_STIG_V1R5_Manual-xccdf.xml" releaseinfo="Release: 5 Benchmark Date: 15 May 2024 3.4.1.22916 1.10.0" title="Microsoft Windows Server 2022 Security Technical Implementation Guide" notice="terms-of-use" source="STIG.DOD.MIL" fullversion="1.5" created="6/18/2024">
|
||||
<AccountPolicyRule dscresourcemodule="SecurityPolicyDsc">
|
||||
<Rule id="V-254285" severity="medium" conversionstatus="pass" title="SRG-OS-000329-GPOS-00128" dscresource="AccountPolicy">
|
||||
<Description><VulnDiscussion>The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the period of time that an account will remain locked after the specified number of failed logon attempts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
|
@ -2531,15 +2531,6 @@ If the defaults have not been changed, these are not a finding.
|
|||
<Inheritance>This Key and Subkeys</Inheritance>
|
||||
<Rights>ReadKey</Rights>
|
||||
</Entry>
|
||||
<Entry>
|
||||
<Type>
|
||||
</Type>
|
||||
<Principal>Server Operators</Principal>
|
||||
<ForcePrincipal>False</ForcePrincipal>
|
||||
<Inheritance>
|
||||
</Inheritance>
|
||||
<Rights>ReadKey</Rights>
|
||||
</Entry>
|
||||
<Entry>
|
||||
<Type>
|
||||
</Type>
|
||||
|
@ -2573,7 +2564,6 @@ Administrators - Full Control - This key and subkeys
|
|||
SYSTEM - Full Control - This key and subkeys
|
||||
CREATOR OWNER - Full Control - This key and Subkeys
|
||||
ALL APPLICATION PACKAGES - Read - This key and subkeys
|
||||
Server Operators - Read - This Key and subkeys (Domain controllers only)
|
||||
Other examples under the noted keys may also be sampled. There may be some instances where nonprivileged groups have greater than Read permission.
|
||||
Microsoft has given Read permission to the SOFTWARE and SYSTEM registry keys in Windows Server 2022 to the following SID. This is currently not a finding.
|
||||
S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
Each setting in this file is linked by STIG ID and the valid range is in an
|
||||
associated comment.
|
||||
-->
|
||||
<OrganizationalSettings fullversion="1.4">
|
||||
<OrganizationalSettings fullversion="2.1">
|
||||
<!-- Ensure ServiceName/StartupType is populated with correct AntiVirus service information-->
|
||||
<OrganizationalSetting id="V-254248" ServiceName="" StartupType="" />
|
||||
<!-- Ensure ServiceName/StartupType is populated with correct Firewall service information-->
|