Rsanderson8310 win11 v1 r6 (#1359)
* Win11V1R6 * Win11V1R6 Convert * ChangeLog * org defaults --------- Co-authored-by: ruandersMSFT <russell@russellanderson.net>
This commit is contained in:
Eric Jenkins
GitHub
Родитель
e6d601d790
Коммит
b866f954d1
|
|
@ -3,6 +3,7 @@
|
|||
## [Unreleased]
|
||||
|
||||
* Update Powerstig to parse/apply Microsoft Edge STIG - Ver 1, Rel 8 [#1350](https://github.com/microsoft/PowerStig/issues/1350)
|
||||
* Update PowerSTIG to Parse/Apply Microsoft Windows 11 STIG - Ver 1, Rel 6 [#1341](https://github.com/microsoft/PowerStig/issues/1341)
|
||||
* Update Powerstig to parse/apply Microsoft Office System 2016 STIG - Ver 2, Rel 3 [#1352](https://github.com/microsoft/PowerStig/issues/1352)
|
||||
* Update Powerstig to parse/apply Microsoft Office 365 ProPlus STIG - Ver 2, Rel 12 [#1351](https://github.com/microsoft/PowerStig/issues/1351)
|
||||
* Update Powerstig to parse/apply Microsoft .Net Framework 4.0 STIG - Ver 2, Rel 4 [#1349](https://github.com/microsoft/PowerStig/issues/1349)
|
||||
|
|
|
|||
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
|
|
@ -5,7 +5,7 @@
|
|||
Each setting in this file is linked by STIG ID and the valid range is in an
|
||||
associated comment.
|
||||
-->
|
||||
<OrganizationalSettings fullversion="1.4">
|
||||
<OrganizationalSettings fullversion="1.6">
|
||||
<!-- Ensure ValueData is set to 0x00000006 (6) or greater -->
|
||||
<OrganizationalSetting id="V-253261" ValueData="" />
|
||||
<!-- Ensure ''V-253297'' -ge '15' -or ''V-253297'' -eq '0'-->
|
||||
|
|
@ -56,6 +56,8 @@
|
|||
<OrganizationalSetting id="V-253427.b" Location="" />
|
||||
<!-- Ensure location for DoD Root CA 5 certificate is present-->
|
||||
<OrganizationalSetting id="V-253427.c" Location="" />
|
||||
<!-- Ensure location for DoD Root CA 6 O certificate is present-->
|
||||
<OrganizationalSetting id="V-253427.d" Location="" />
|
||||
<!-- Ensure location for DoD Interoperability Root CA 2 certificate is present-->
|
||||
<OrganizationalSetting id="V-253429.a" Location="" />
|
||||
<!-- Ensure location for DoD Interoperability Root CA 2 certificate is present-->
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
<DISASTIG version="1" classification="UNCLASSIFIED" customname="" stigid="Microsoft_Windows_11_STIG" description="This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil." filename="U_MS_Windows_11_STIG_V1R4_Manual-xccdf.xml" releaseinfo="Release: 4 Benchmark Date: 07 Jun 2023 3.4.0.34222 1.10.0" title="Microsoft Windows 11 Security Technical Implementation Guide" notice="terms-of-use" source="STIG.DOD.MIL" fullversion="1.4" created="6/5/2023">
|
||||
<DISASTIG version="1" classification="UNCLASSIFIED" customname="" stigid="Microsoft_Windows_11_STIG" description="This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil." filename="U_MS_Windows_11_STIG_V1R6_Manual-xccdf.xml" releaseinfo="Release: 6 Benchmark Date: 15 May 2024 3.4.1.22916 1.10.0" title="Microsoft Windows 11 Security Technical Implementation Guide" notice="terms-of-use" source="STIG.DOD.MIL" fullversion="1.6" created="5/4/2024">
|
||||
<AccountPolicyRule dscresourcemodule="SecurityPolicyDsc">
|
||||
<Rule id="V-253297" severity="medium" conversionstatus="pass" title="SRG-OS-000329-GPOS-00128" dscresource="AccountPolicy">
|
||||
<Description><VulnDiscussion>The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the amount of time that an account will remain locked after the specified number of failed logon attempts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
|
|
@ -572,7 +572,7 @@ Auditing object access for removable media records events related to access atte
|
|||
</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN11-SO-000030) for the detailed auditing subcategories to be effective.
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings to override audit policy category settings" must be set to "Enabled" (WN11-SO-000030) for the detailed auditing subcategories to be effective.
|
||||
|
||||
Use the AuditPol tool to review the current Audit Policy configuration:
|
||||
Open a Command Prompt with elevated privileges ("Run as Administrator").
|
||||
|
|
@ -1293,7 +1293,7 @@ Run "System Information".
|
|||
|
||||
Under "System Summary", if "Secure Boot State" does not display "On", this is a finding.</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-253259" severity="medium" conversionstatus="pass" title="SRG-OS-000404-GPOS-00183" dscresource="None">
|
||||
<Rule id="V-253259" severity="high" conversionstatus="pass" title="SRG-OS-000404-GPOS-00183" dscresource="None">
|
||||
<Description><VulnDiscussion>If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can remove non-volatile memory and read it directly, thereby circumventing operating system controls. Encrypting the data ensures that confidentiality is protected even when the operating system is not running.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
|
|
@ -1326,9 +1326,7 @@ The organization must identify authorized software programs and only permit exec
|
|||
</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>This is applicable to unclassified systems.
|
||||
|
||||
Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs. This must include packaged apps such as the universal apps installed by default on systems.
|
||||
<RawString>Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs. This must include packaged apps such as the universal apps installed by default on systems.
|
||||
|
||||
If an application allowlisting program is not in use on the system, this is a finding.
|
||||
|
||||
|
|
@ -1765,22 +1763,32 @@ If one of the following settings does not exist and is not populated, this is a
|
|||
<Rule id="V-253476" severity="medium" conversionstatus="pass" title="SRG-OS-000076-GPOS-00044" dscresource="None">
|
||||
<Description><VulnDiscussion>The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the password. A local Administrator account is not generally used and its password may not be changed as frequently as necessary. Changing the password for enabled Administrator accounts on a regular basis will limit its exposure.
|
||||
|
||||
Windows LAPS must be used to change the built-in Administrator account password.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
Windows LAPS must be used to change the built-in Administrator account password.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>
|
||||
</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Review the password last set date for the enabled local Administrator account.
|
||||
<RawString>If there are no enabled local Administrator accounts, this is Not Applicable.
|
||||
|
||||
On the local domain joined workstation:
|
||||
Review the password last set date for the enabled local Administrator account.
|
||||
|
||||
On the standalone or domain-joined workstation:
|
||||
|
||||
Open "PowerShell".
|
||||
|
||||
Enter "Get-LocalUser -Name * | Select-Object *".
|
||||
|
||||
If the "PasswordLastSet" date is greater than 60 days old for the local Administrator account for administering the computer/domain, this is a finding.</RawString>
|
||||
If the "PasswordLastSet" date is greater than "60" days old for the local Administrator account for administering the computer/domain, this is a finding.
|
||||
|
||||
Verify LAPS is configured and operational.
|
||||
|
||||
Navigate to Local Computer Policy >> Computer Configuration >> Administrative Templates >> System >> LAPS >> Password Settings >> Set to enabled. Password Complexity, large letters + small letters + numbers + special, Password Length 14, Password Age 60. If not configured as shown, this is a finding.
|
||||
|
||||
Navigate to Local Computer Policy >> Computer Configuration >> Administrative Templates >> System >> LAPS >> Password Settings >> Name of administrator Account to manage >> Set to enabled >> Administrator account name is populated. If it is not, this is a finding.
|
||||
|
||||
Verify LAPS Operational logs >> Event Viewer >> Applications and Services Logs >> Microsoft >> Windows >> LAPS >> Operational. Verify LAPS policy process is completing. If it is not, this is a finding.</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-256893" severity="medium" conversionstatus="pass" title="SRG-OS-000185-GPOS-00079" dscresource="None">
|
||||
<Description><VulnDiscussion>Internet Explorer 11 (IE11) is not supported on Windows 11 semi-annual channel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
|
|
@ -1798,6 +1806,39 @@ If IE11 is installed on an unsupported operating system and is enabled or instal
|
|||
|
||||
For more information, visit: https://learn.microsoft.com/en-us/lifecycle/faq/internet-explorer-microsoft-edge#what-is-the-lifecycle-policy-for-internet-explorer-</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-257592" severity="medium" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="None">
|
||||
<Description><VulnDiscussion>Having portproxy enabled or configured in Windows 10 could allow a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>
|
||||
</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Check the registry key for existence of proxied ports:
|
||||
HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\.
|
||||
|
||||
If the key contains v4tov4\tcp\ or is populated v4tov4\tcp\, this is a finding.
|
||||
|
||||
Run "netsh interface portproxy show all".
|
||||
|
||||
If the command displays any results, this is a finding.</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-257770" severity="medium" conversionstatus="pass" title="SRG-OS-000037-GPOS-00015" dscresource="None">
|
||||
<Description><VulnDiscussion>When this policy setting is enabled, the operating system generates audit events when a process fails to start and the name of the program or user that created it.
|
||||
|
||||
These audit events can assist in understanding how a computer is being used and tracking user activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>
|
||||
</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Ensure Audit Process Creation auditing has been enabled:
|
||||
|
||||
Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policy >> Detailed Tracking >> Audit Process Creation.
|
||||
|
||||
If "Audit Process Creation" is not set to "Failure", this is a finding.</RawString>
|
||||
</Rule>
|
||||
</ManualRule>
|
||||
<PermissionRule dscresourcemodule="AccessControlDsc">
|
||||
<Rule id="V-253274.a" severity="medium" conversionstatus="pass" title="SRG-OS-000312-GPOS-00122" dscresource="NTFSAccessEntry">
|
||||
|
|
@ -2431,7 +2472,7 @@ If the defaults have not been changed, these are not a finding.
|
|||
</Rule>
|
||||
</PermissionRule>
|
||||
<RegistryRule dscresourcemodule="PSDscResources">
|
||||
<Rule id="V-253260.a" severity="medium" conversionstatus="pass" title="SRG-OS-000405-GPOS-00184" dscresource="RegistryPolicyFile">
|
||||
<Rule id="V-253260.a" severity="high" conversionstatus="pass" title="SRG-OS-000405-GPOS-00184" dscresource="RegistryPolicyFile">
|
||||
<Description><VulnDiscussion>If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can remove non-volatile memory and read it directly, thereby circumventing operating system controls. Encrypting the data ensures that confidentiality is protected even when the operating system is not running. Pre-boot authentication prevents unauthorized users from accessing encrypted drives.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
|
|
@ -2450,7 +2491,7 @@ Value: 0x00000001 (1)</RawString>
|
|||
<ValueName>UseAdvancedStartup</ValueName>
|
||||
<ValueType>Dword</ValueType>
|
||||
</Rule>
|
||||
<Rule id="V-253260.b" severity="medium" conversionstatus="pass" title="SRG-OS-000405-GPOS-00184" dscresource="RegistryPolicyFile">
|
||||
<Rule id="V-253260.b" severity="high" conversionstatus="pass" title="SRG-OS-000405-GPOS-00184" dscresource="RegistryPolicyFile">
|
||||
<Description><VulnDiscussion>If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can remove non-volatile memory and read it directly, thereby circumventing operating system controls. Encrypting the data ensures that confidentiality is protected even when the operating system is not running. Pre-boot authentication prevents unauthorized users from accessing encrypted drives.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
|
|
@ -5676,6 +5717,19 @@ Value: 0x00000002 (2) (or if the Value Name does not exist)</RawString>
|
|||
<RawString>DoD Root CA 5,4ECB5CC3095670454DA1CBD410FC921F46B8564B</RawString>
|
||||
<Thumbprint>4ECB5CC3095670454DA1CBD410FC921F46B8564B</Thumbprint>
|
||||
</Rule>
|
||||
<Rule id="V-253427.d" severity="medium" conversionstatus="pass" title="SRG-OS-000066-GPOS-00034" dscresource="CertificateDSC">
|
||||
<CertificateName>DoD Root CA 6 O</CertificateName>
|
||||
<Description><VulnDiscussion>To ensure secure DoD websites and DoD-signed code are properly validated, the system must trust the DoD Root Certificate Authorities (CAs). The DoD root certificates will ensure that the trust chain is established for server certificates issued from the DoD CAs.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>
|
||||
</LegacyId>
|
||||
<Location />
|
||||
<OrganizationValueRequired>True</OrganizationValueRequired>
|
||||
<OrganizationValueTestString>location for DoD Root CA 6 O certificate is present</OrganizationValueTestString>
|
||||
<RawString>DoD Root CA 6 OU=PKI,D37ECF61C0B4ED88681EF3630C4E2FC787B37AEF</RawString>
|
||||
<Thumbprint>D37ECF61C0B4ED88681EF3630C4E2FC787B37AEF</Thumbprint>
|
||||
</Rule>
|
||||
<Rule id="V-253429.a" severity="medium" conversionstatus="pass" title="SRG-OS-000066-GPOS-00034" dscresource="CertificateDSC">
|
||||
<CertificateName>DoD Interoperability Root CA 2</CertificateName>
|
||||
<Description><VulnDiscussion>To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CAs, the DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. This requirement only applies to unclassified systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
Загрузка…
Ссылка в новой задаче