Merge branch '4.17.0' into MrAutomer#1242
This commit is contained in:
Eric Jenkins
GitHub
Коммит
f7ce121487
11
CHANGELOG.md
11
CHANGELOG.md
|
|
@ -3,6 +3,17 @@
|
|||
## [Unreleased]
|
||||
|
||||
* Update PowerSTIG to Parse/Apply Microsoft IIS 10.0 STIG Server V2R9 Site V2R8: [#1242](https://github.com/microsoft/PowerStig/issues/1242)
|
||||
* Update PowerSTIG to Parse/Apply SQL Server 2016 Instance STIG V2R9: [#1245](https://github.com/microsoft/PowerStig/issues/1245)
|
||||
* Update PowerSTIG to Parse/Apply Windows Server 2022 STIG V1R3: [#1231](https://github.com/microsoft/PowerStig/issues/1231)
|
||||
* Update PowerSTIG to Parse/Apply Windows Server 2019 STIG V2R7: [#1230](https://github.com/microsoft/PowerStig/issues/1230)
|
||||
* Update PowerSTIG to Parse/Apply Microsoft Windows 11 STIG V1R4: [#1232](https://github.com/microsoft/PowerStig/issues/1232)
|
||||
* Update PowerSTIG to Parse/Apply Microsoft Windows 10 STIG V2R7: [#1233](https://github.com/microsoft/PowerStig/issues/1233)
|
||||
* Update PowerSTIG to Parse/Apply Microsoft Office 365 ProPlus V2R9 #1221: [#1221](https://github.com/microsoft/PowerStig/issues/1221)
|
||||
* Update PowerSTIG to Parse/Apply Windows Server 2019 STIG V2R6 [#1219](https://github.com/microsoft/PowerStig/issues/1219)
|
||||
* Update PowerSTIG to Parse/Apply Microsoft Office 365 ProPlus V2R9 #1221: [#1221](https://github.com/microsoft/PowerStig/issues/1221)
|
||||
* Update PowerSTIG to Parse/Apply SQL Server 2016 Instance STIG V2R9: [#1223](https://github.com/microsoft/PowerStig/issues/1223)
|
||||
* Update PowerSTIG to Parse/Apply Red Hat Enterprise Linux 7 STIG V3R11: [#1243](https://github.com/microsoft/PowerStig/issues/1243)
|
||||
* Update PowerSTIG to Parse/Apply CAN_Ubuntu_18-04_LTS_V2R11_STIG: [#1239](https://github.com/microsoft/PowerStig/issues/1239)
|
||||
|
||||
## [4.16.0] - 2023-03-16
|
||||
|
||||
|
|
|
|||
|
|
@ -145,6 +145,6 @@ We are especially thankful for those who have contributed pull requests to the c
|
|||
* [@stevehose](https://github.com/stevehose) (Steve Hose)
|
||||
* [@winthrop28](https://github.com/winthrop28) (Drew Taylor)
|
||||
* [@mikedzikowski](https://github.com/mikedzikowski) (Mike Dzikowski)
|
||||
* [@togriffith](https://github.com/mikedzikowski) (Tony Griffith)
|
||||
* [@pgc1a](https://github.com/pgc1a) (Tony Griffith)
|
||||
* [@hinderjd](https://github.com/hinderjd) (James Hinders)
|
||||
* [@ruandersMSFT](https://github.com/ruandersMSFT) (Russell Anderson)
|
||||
|
|
|
|||
|
|
@ -11,15 +11,15 @@ Describe 'Backup-StigSettings' {
|
|||
Mock Invoke-DscResource -MockWith { return $get }
|
||||
|
||||
It 'Should not throw WindowsServer' {
|
||||
{Backup-StigSettings -StigName "WindowsServer-2019-MS-2.4.xml"} | Should -not -Throw
|
||||
{Backup-StigSettings -StigName "WindowsServer-2019-MS-2.7.xml"} | Should -not -Throw
|
||||
}
|
||||
|
||||
It 'Should not throw WindowsClient' {
|
||||
{Backup-StigSettings -StigName "WindowsClient-10-2.2.xml"} | Should -not -Throw
|
||||
{Backup-StigSettings -StigName "WindowsClient-10-2.7.xml"} | Should -not -Throw
|
||||
}
|
||||
|
||||
It 'Should not throw Sql Server 2016' {
|
||||
{Backup-StigSettings -StigName "SqlServer-2016-Instance-2.3.xml"} | Should -not -Throw
|
||||
{Backup-StigSettings -StigName "SqlServer-2016-Instance-2.8.xml"} | Should -not -Throw
|
||||
}
|
||||
|
||||
It 'Should return string with valid STIGs' {
|
||||
|
|
@ -41,15 +41,15 @@ Describe 'Restore-StigSettings' {
|
|||
Mock -CommandName Invoke-DscResource -MockWith {return $get}
|
||||
|
||||
It 'Should not throw for Server' {
|
||||
{Restore-StigSettings -StigName "WindowsServer-2019-MS-2.4.xml" -Confirm:$false} | Should -Not -Throw
|
||||
{Restore-StigSettings -StigName "WindowsServer-2019-MS-2.7.xml" -Confirm:$false} | Should -Not -Throw
|
||||
}
|
||||
|
||||
It 'Should not throw for Client' {
|
||||
{Restore-StigSettings -StigName "WindowsClient-10-2.2.xml" -Confirm:$false} | Should -Not -Throw
|
||||
{Restore-StigSettings -StigName "WindowsClient-10-2.7.xml" -Confirm:$false} | Should -Not -Throw
|
||||
}
|
||||
|
||||
It 'Should not throw for Sql Server 2016' {
|
||||
{Restore-StigSettings -StigName "SqlServer-2016-Instance-2.3.xml" -Confirm:$false} | Should -Not -Throw
|
||||
{Restore-StigSettings -StigName "SqlServer-2016-Instance-2.8.xml" -Confirm:$false} | Should -Not -Throw
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
@ -43,7 +43,7 @@ function Backup-StigSettings
|
|||
if ($validStigs.Name -notContains $StigName.Trim())
|
||||
{
|
||||
$errorArray = $validStigs.Name -join("`n")
|
||||
Write-Host "StigName not valid, options are :`n$errorArray"
|
||||
Write-Host "StigName '$($StigName.Trim())' not valid, options are :`n$errorArray"
|
||||
break
|
||||
}
|
||||
|
||||
|
|
@ -429,7 +429,7 @@ function Restore-StigSettings
|
|||
if ($validStigs.Name -notContains $StigName.Trim())
|
||||
{
|
||||
$errorArray = $validStigs.Name -join("`n")
|
||||
Write-Host "StigName not valid, options are :`n$errorArray"
|
||||
Write-Host "StigName '$($StigName.Trim())' not valid, options are :`n$errorArray"
|
||||
break
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -40,4 +40,4 @@ V-237635::*::HardCodedRule(nxFileRule)@{DscResource = 'nxFile'; Contents = $null
|
|||
V-244557::*::HardCodedRule(nxFileLineRule)@{DscResource = 'nxFileLine'; ContainsLine = $null; DoesNotContainPattern = $null; FilePath = '/boot/grub2/grub.cfg'; OrganizationValueTestString = '"set superusers =" is set to a unique name in /boot/grub2/grub.cfg'}
|
||||
V-244558::*::HardCodedRule(nxFileLineRule)@{DscResource = 'nxFileLine'; ContainsLine = $null; DoesNotContainPattern = $null; FilePath = '/boot/efi/EFI/redhat/grub.cfg'; OrganizationValueTestString = '"set superusers =" is set to a unique name in /boot/efi/EFI/redhat/grub.cfg'}
|
||||
V-250314::*::HardCodedRule(nxFileRule)@{DscResource = 'nxFile'; Contents = '%wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL'; FilePath = '/etc/sudoers.d/250314-powerstig.conf'}
|
||||
V-251704::*::.
|
||||
V-255926::*::HardCodedRule(nxPackageRule)@{DscResource = 'nxPackage'; Ensure = 'Present'; Name = $null; OrganizationValueTestString = 'Specify either tmux or screen depending on preference'}
|
||||
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
|
|
@ -1,20 +1,11 @@
|
|||
V-219152::*::HardCodedRule(nxFileLineRule)@{DscResource = 'nxFileLine'; ContainsLine = $null; DoesNotContainPattern = $null; FilePath = '/etc/audit/auditd.conf'; OrganizationValueTestString = 'the following statement is true when leveraging the correct nxFileLine ContainsLine format: If the space_left_action parameter is set to "email" set the action_mail_acct parameter to an e-mail address for the System Administrator (SA) and Information System Security Officer (ISSO). If the space_left_action parameter is set to "exec", make sure the command being execute notifies the System Administrator (SA) and Information System Security Officer (ISSO).'}<splitRule>HardCodedRule(nxFileLineRule)@{DscResource = 'nxFileLine'; ContainsLine = $null; DoesNotContainPattern = $null; FilePath = '/etc/audit/auditd.conf'; OrganizationValueTestString = 'the following statement is true when leveraging the correct nxFileLine ContainsLine format: Set the space_left parameter to be, at least, 25% of the repository maximum audit record storage capacity. '}
|
||||
V-219153::*::HardCodedRule(nxPackageRule)@{DscResource = 'nxPackage'; Ensure = 'Present'; Name = 'audispd-plugins'}<splitRule>HardCodedRule(nxFileLineRule)@{DscResource = 'nxFileLine'; ContainsLine = 'active = yes'; DoesNotContainPattern = '\s*active\s*=\s*no|active=yes|#\s*active\s*=.*'; FilePath = '/etc/audisp/plugins.d/au-remote.conf'}<splitRule>HardCodedRule(nxFileLineRule)@{DscResource = 'nxFileLine'; ContainsLine = $null; DoesNotContainPattern = $null; FilePath = '/etc/audisp/audisp-remote.conf'; OrganizationValueTestString = 'the following statement is true when leveraging the correct nxFileLine ContainsLine format: If the remote_server parameter is not set or is set with a local address, or is set with invalid address, this is a finding i.e.: remote_server = <your remote audit log server ip>'}
|
||||
V-219159::*::''
|
||||
V-219163::*::''
|
||||
V-219167::*::HardCodedRule(nxFileLineRule)@{DscResource = 'nxFileLine'; ContainsLine = '[org/gnome/login-screen]'; DoesNotContainPattern = '^#\s*\[org\/gnome\/login-screen\]'; FilePath = '/etc/gdm3/greeter.dconf-defaults'}<splitRule>HardCodedRule(nxFileLineRule)@{DscResource = 'nxFileLine'; ContainsLine = 'banner-message-enable=true'; DoesNotContainPattern = '^#\s*banner-message-enable=.*|^\s*banner-message-enable\s*=\s*false'; FilePath = '/etc/gdm3/greeter.dconf-defaults'}<splitRule>HardCodedRule(nxFileLineRule)@{DscResource = 'nxFileLine'; ContainsLine = "banner-message-text='You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.'"; DoesNotContainPattern = '^#\s*banner-message-text.*'; FilePath = '/etc/gdm3/greeter.dconf-defaults'}
|
||||
V-219186::*::HardCodedRule(nxPackageRule)@{DscResource = 'nxPackage'; Ensure = 'Present'; Name = 'libpam-pwquality'}<splitRule>HardCodedRule(nxFileLineRule)@{DscResource = 'nxFileLine'; ContainsLine = 'enforcing = 1'; DoesNotContainPattern = '^\s*enforcing\s*=\s*((?!1)|[1]\d+)\d*$|#\s*enforcing.*'; FilePath = '/etc/security/pwquality.conf'}
|
||||
V-219227::*::HardCodedRule(nxFileLineRule)@{DscResource = 'nxFileLine'; ContainsLine = $null; DoesNotContainPattern = $null; FilePath = '/etc/audit/auditd.conf'; OrganizationValueTestString = 'the following statement is true when leveraging the correct nxFileLine ContainsLine format: If the value of the "disk_full_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, this is a finding. '}
|
||||
V-219228::*::''
|
||||
V-219229::*::''
|
||||
V-219230::*::''
|
||||
V-219233::*::''
|
||||
V-219231::*::''
|
||||
V-219232::*::''
|
||||
V-219233::*::''
|
||||
V-219301::$ grep::# grep
|
||||
V-219303::*::HardCodedRule(nxFileRule)@{DscResource = 'nxFile'; FilePath = '/etc/profile.d/autologout.sh'}<splitRule>HardCodedRule(nxFileLineRule)@{DscResource = 'nxFileLine'; ContainsLine = $null; DoesNotContainPattern = $null; FilePath = '/etc/profile.d/autologout.sh'; OrganizationValueTestString = 'the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the file "/etc/profile.d/autologout.sh" does not exist with the contents shown above, the value of "TMOUT" is greater than 900, or the timeout values are commented out, this is a finding.'}<splitRule>HardCodedRule(nxFileLineRule)@{DscResource = 'nxFileLine'; ContainsLine = 'readonly TMOUT'; DoesNotContainPattern = '^\s*readonly\s+(?!TMOUT\b).*$|^\s*#\s*readonly.*$'; FilePath = '/etc/profile.d/autologout.sh'}<splitRule>HardCodedRule(nxFileLineRule)@{DscResource = 'nxFileLine'; ContainsLine = 'export TMOUT'; DoesNotContainPattern = '^\s*export\s+(?!TMOUT\b).*$|^\s*#\s*export.*$'; FilePath = '/etc/profile.d/autologout.sh'}
|
||||
V-219306::*::HardCodedRule(nxFileLineRule)@{DscResource = 'nxFileLine'; ContainsLine = 'auth.*,authpriv.* /var/log/secure'; DoesNotContainPattern = '#\s*auth\.\*,\s*authpriv\.\*.*'; FilePath = '/etc/rsyslog.d/50-default.conf'}<splitRule>HardCodedRule(nxFileLineRule)@{DscResource = 'nxFileLine'; ContainsLine = 'daemon.notice /var/log/messages'; DoesNotContainPattern = '#\sdaemon.*'; FilePath = '/etc/rsyslog.d/50-default.conf'}
|
||||
V-219307::Ciphers aes256-ctr,aes192-ctr, aes128-ctr::Ciphers aes256-ctr,aes192-ctr,aes128-ctr
|
||||
V-219330::*::''
|
||||
V-219339::*::HardCodedRule(nxFileRule)@{DscResource = 'nxFile'; FilePath = '/etc/modprobe.d/DISASTIG.conf'}<splitRule>HardCodedRule(nxFileLineRule)@{DscResource = 'nxFileLine'; ContainsLine = 'install usb-storage /bin/true'; DoesNotContainPattern = '#\s*install\s*usb-storage\s*/bin/true'; FilePath = '/etc/modprobe.d/DISASTIG.conf'}<splitRule>HardCodedRule(nxFileLineRule)@{DscResource = 'nxFileLine'; ContainsLine = 'blacklist usb-storage'; DoesNotContainPattern = '#\s*blacklist\s*usb-storage'; FilePath = '/etc/modprobe.d/DISASTIG.conf'}
|
||||
V-219343::*::HardCodedRule(nxPackageRule)@{DscResource = 'nxPackage'; Ensure = 'Present'; Name = 'aide'}
|
||||
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
|
|
@ -0,0 +1,12 @@
|
|||
V-253303::"Minimum password length,"::"Minimum password length"
|
||||
V-253305::"Store password using reversible encryption"::"Store passwords using reversible encryption"
|
||||
V-253395::*::HardCodedRule(RegistryRule)@{DscResource = 'RegistryPolicyFile'; Ensure = 'Present'; Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'; ValueData = 'Block'; ValueName = 'ShellSmartScreenLevel'; ValueType = 'String'}<splitRule>HardCodedRule(RegistryRule)@{DscResource = 'RegistryPolicyFile'; Ensure = 'Present'; Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'; ValueData = '1'; ValueName = 'EnableSmartScreen'; ValueType = 'Dword'}
|
||||
V-253414::Registry Path: \SOFTWARE\ Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\::Registry Path: \SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\
|
||||
V-253363::Registry Path: \SOFTWARE\Policies\Microsoft\ Cryptography\Configuration\SSL\00010002\::Registry Path: \SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002\
|
||||
V-253261::*::HardCodedRule(RegistryRule)@{DscResource = 'Registry'; Ensure = 'Present'; Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE'; ValueData = $null; ValueName = 'MinimumPIN'; ValueType = 'DWord'; OrganizationValueTestString = 'ValueData is set to 0x00000006 (6) or greater '}
|
||||
V-253423::Value data: 0::Value: 0x00000000 (0)
|
||||
V-253424::Value data: 1::Value: 0x00000001 (1)
|
||||
V-253484::NT SERVICE\autotimesvc is added in v1909 cumulative update.::NT SERVICE\autotimesvc
|
||||
V-253446::*::HardCodedRule(RegistryRule)@{DscResource = 'Registry'; Ensure = 'Present'; Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; ValueName = 'LegalNoticeCaption'; ValueType = 'String'; ValueData = $null; OrganizationValueTestString = "'{0}' -match '^(DoD Notice and Consent Banner|US Department of Defense Warning Statement)$'"}
|
||||
V-253445::assistants. Such communications and work product are private and confidential. See::assistants. Such communications and work product are private and confidential. See
|
||||
V-253351::*::HardCodedRule(RegistryRule)@{DscResource = 'Registry'; Ensure = 'Present'; Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam'; ValueData = "Deny"; ValueName = 'Value'; ValueType = 'String'}
|
||||
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
Разница между файлами не показана из-за своего большого размера
Загрузить разницу
Разница между файлами не показана из-за своего большого размера
Загрузить разницу
Разница между файлами не показана из-за своего большого размера
Загрузить разницу
Разница между файлами не показана из-за своего большого размера
Загрузить разницу
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
|
|
@ -0,0 +1,19 @@
|
|||
V-254248::*::HardCodedRule(ServiceRule)@{DscResource = 'Service'; Ensure = 'Present'; ServiceName = $null; ServiceState = 'Running'; StartupType = $null; OrganizationValueTestString = 'ServiceName/StartupType is populated with correct AntiVirus service information'}
|
||||
V-254255::*::''
|
||||
V-254265::*::HardCodedRule(ServiceRule)@{DscResource = 'Service'; Ensure = 'Present'; ServiceName = $null; ServiceState = 'Running'; StartupType = $null; OrganizationValueTestString = 'ServiceName/StartupType is populated with correct Firewall service information'}
|
||||
V-254291::"Minimum password length,"::"Minimum password length"
|
||||
V-254356::0x00000000 (0) (Security), 0x00000001 (1) (Basic)::0 or 1
|
||||
V-254357::0x00000000 (0) - No peering (HTTP Only)::0, 1, 2, 99 or 100
|
||||
V-254362::0x00000000 (0) (or if the Value Name does not exist)::0
|
||||
V-254363::0x00000000 (0) (or if the Value Name does not exist)::0
|
||||
V-254364::0x00000000 (0) (or if the Value Name does not exist)::0
|
||||
V-254371::0x00000000 (0) (or if the Value Name does not exist)::0
|
||||
V-254375::0x00000000 (0) (or if the Value Name does not exist)::0
|
||||
V-254443::DoD Root CA 3- DoD Interoperability Root CA 2 - 49CBE933151872E17C8EAE7F0ABA97FB610F6477::DoD Root CA 3 - DoD Interoperability Root CA 2 - 49CBE933151872E17C8EAE7F0ABA97FB610F6477
|
||||
V-254443::Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US::Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US
|
||||
V-254443::Thumbprint: A8C27332CCB4CA49554CE55D34062A7DD2850C02::Thumbprint: 49CBE933151872E17C8EAE7F0ABA97FB610F6477
|
||||
V-254443::NotAfter: 8/26/2022 9:25:51 AM::NotAfter: 11/16/2024
|
||||
V-254458::*::HardCodedRule(RegistryRule)@{DscResource = 'Registry'; Ensure = 'Present'; Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; ValueName = 'LegalNoticeCaption'; ValueType = 'String'; ValueData = $null; OrganizationValueTestString = "'{0}' -match '^(DoD Notice and Consent Banner|US Department of Defense Warning Statement)$'"}
|
||||
V-254484::0x00000002 (2) (Prompt for consent on the secure desktop)::1 or 2
|
||||
V-254490::0x00000002 (2) (or if the Value Name does not exist)::2
|
||||
V-254499::- Administrators::- Administrators`r`nSystems that have the Hyper-V role will also have "Virtual Machines" given this user right (this may be displayed as "NT Virtual Machine\Virtual Machines", SID S-1-5-83-0). This is not a finding.
|
||||
Разница между файлами не показана из-за своего большого размера
Загрузить разницу
|
|
@ -0,0 +1,19 @@
|
|||
V-254248::*::HardCodedRule(ServiceRule)@{DscResource = 'Service'; Ensure = 'Present'; ServiceName = $null; ServiceState = 'Running'; StartupType = $null; OrganizationValueTestString = 'ServiceName/StartupType is populated with correct AntiVirus service information'}
|
||||
V-254255::*::''
|
||||
V-254265::*::HardCodedRule(ServiceRule)@{DscResource = 'Service'; Ensure = 'Present'; ServiceName = $null; ServiceState = 'Running'; StartupType = $null; OrganizationValueTestString = 'ServiceName/StartupType is populated with correct Firewall service information'}
|
||||
V-254291::"Minimum password length,"::"Minimum password length"
|
||||
V-254356::0x00000000 (0) (Security), 0x00000001 (1) (Basic)::0 or 1
|
||||
V-254357::0x00000000 (0) - No peering (HTTP Only)::0, 1, 2, 99 or 100
|
||||
V-254362::0x00000000 (0) (or if the Value Name does not exist)::0
|
||||
V-254363::0x00000000 (0) (or if the Value Name does not exist)::0
|
||||
V-254364::0x00000000 (0) (or if the Value Name does not exist)::0
|
||||
V-254371::0x00000000 (0) (or if the Value Name does not exist)::0
|
||||
V-254375::0x00000000 (0) (or if the Value Name does not exist)::0
|
||||
V-254443::DoD Root CA 3- DoD Interoperability Root CA 2 - 49CBE933151872E17C8EAE7F0ABA97FB610F6477::DoD Root CA 3 - DoD Interoperability Root CA 2 - 49CBE933151872E17C8EAE7F0ABA97FB610F6477
|
||||
V-254443::Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US::Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US
|
||||
V-254443::Thumbprint: A8C27332CCB4CA49554CE55D34062A7DD2850C02::Thumbprint: 49CBE933151872E17C8EAE7F0ABA97FB610F6477
|
||||
V-254443::NotAfter: 8/26/2022 9:25:51 AM::NotAfter: 11/16/2024
|
||||
V-254458::*::HardCodedRule(RegistryRule)@{DscResource = 'Registry'; Ensure = 'Present'; Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; ValueName = 'LegalNoticeCaption'; ValueType = 'String'; ValueData = $null; OrganizationValueTestString = "'{0}' -match '^(DoD Notice and Consent Banner|US Department of Defense Warning Statement)$'"}
|
||||
V-254484::0x00000002 (2) (Prompt for consent on the secure desktop)::1 or 2
|
||||
V-254490::0x00000002 (2) (or if the Value Name does not exist)::2
|
||||
V-254499::- Administrators::- Administrators`r`nSystems that have the Hyper-V role will also have "Virtual Machines" given this user right (this may be displayed as "NT Virtual Machine\Virtual Machines", SID S-1-5-83-0). This is not a finding.
|
||||
Разница между файлами не показана из-за своего большого размера
Загрузить разницу
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
|
|
@ -5,7 +5,7 @@
|
|||
Each setting in this file is linked by STIG ID and the valid range is in an
|
||||
associated comment.
|
||||
-->
|
||||
<OrganizationalSettings fullversion="2.7">
|
||||
<OrganizationalSettings fullversion="2.9">
|
||||
<!-- Ensure 'V-223282' is 2|3|4-->
|
||||
<OrganizationalSetting id="V-223282" ValueData="3" />
|
||||
<!-- Ensure 'V-223288' is 6-->
|
||||
|
|
@ -15,7 +15,7 @@
|
|||
<!-- Ensure 'V-223333' is 1|DoesNotExist-->
|
||||
<OrganizationalSetting id="V-223333" ValueData="1" />
|
||||
<!-- Ensure 'V-223335' is 1|DoesNotExist-->
|
||||
<OrganizationalSetting id="V-223335" ValueData="1" />
|
||||
<OrganizationalSetting id="V-223335" ValueData="1" />
|
||||
<!-- Ensure 'V-223340' is 0|DoesNotExist-->
|
||||
<OrganizationalSetting id="V-223340" ValueData="0" />
|
||||
<!-- Ensure 'V-223341' is 0|DoesNotExist-->
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
<DISASTIG version="2" classification="UNCLASSIFIED" customname="" stigid="MS_Office_365_ProPlus_STIG" description="This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil." filename="U_MS_Office_365_ProPlus_STIG_V2R7_Manual-xccdf.xml" releaseinfo="Release: 7 Benchmark Date: 27 Oct 2022 3.4.0.34222 1.10.0" title="Microsoft Office 365 ProPlus Security Technical Implementation Guide" notice="terms-of-use" source="STIG.DOD.MIL" fullversion="2.7" created="12/14/2022">
|
||||
<DISASTIG version="2" classification="UNCLASSIFIED" customname="" stigid="MS_Office_365_ProPlus_STIG" description="This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil." filename="U_MS_Office_365_ProPlus_STIG_V2R9_Manual-xccdf.xml" releaseinfo="Release: 9 Benchmark Date: 27 Apr 2023 3.4.0.34222 1.10.0" title="Microsoft Office 365 ProPlus Security Technical Implementation Guide" notice="terms-of-use" source="STIG.DOD.MIL" fullversion="2.9" created="5/17/2023">
|
||||
<DocumentRule dscresourcemodule="None">
|
||||
<Rule id="V-223296" severity="medium" conversionstatus="pass" title="SRG-APP-000207" dscresource="None">
|
||||
<Description><VulnDiscussion>Internet Explorer add-ons are pieces of code, run in Internet Explorer, to provide additional functionality. Rogue add-ons may contain viruses or other malicious code. Disabling or not configuring this setting could allow malicious code or users to become active on user computers or the network. For example, a malicious user can monitor and then use keystrokes that user's type into Internet Explorer. Even legitimate add-ons may demand resources, compromising the performance of Internet Explorer and the operating systems for user computers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
|
|
@ -1107,12 +1107,12 @@ Use the Windows Registry Editor to navigate to the following key:
|
|||
|
||||
HKCU\software\policies\microsoft\office\16.0\excel\security\fileblock
|
||||
|
||||
If the value for xl9597workbooksandtemplates is REG_DWORD = 2, this is not a finding.</RawString>
|
||||
If the value for xl95workbooks is REG_DWORD = 2, this is not a finding.</RawString>
|
||||
<ValueData>2</ValueData>
|
||||
<ValueName>xl9597workbooksandtemplates</ValueName>
|
||||
<ValueName>xl95workbooks</ValueName>
|
||||
<ValueType>Dword</ValueType>
|
||||
</Rule>
|
||||
<Rule id="V-223324" severity="medium" conversionstatus="pass" title="SRG-APP-000207" dscresource="None">
|
||||
<Rule id="V-223324" severity="medium" conversionstatus="pass" title="SRG-APP-000207" dscresource="RegistryPolicyFile">
|
||||
<Description><VulnDiscussion>This policy setting allows you to determine whether users can open, view, edit, or save Excel files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or save files. The options that can be selected are below. Note: Not all options may be available for this policy setting.
|
||||
|
||||
- Do not block: The file type will not be blocked.
|
||||
|
|
@ -1123,7 +1123,7 @@ If the value for xl9597workbooksandtemplates is REG_DWORD = 2, this is not a fin
|
|||
- Allow editing and open in Protected View: Both opening and saving of the file type will be blocked, and the option to edit will be enabled.
|
||||
|
||||
If you disable or do not configure this policy setting, the file type will not be blocked.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf>V-223323</DuplicateOf>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\office\16.0\excel\security\fileblock</Key>
|
||||
|
|
@ -1370,7 +1370,7 @@ Use the Windows Registry Editor to navigate to the following key:
|
|||
|
||||
HKCU\software\policies\microsoft\office\16.0\excel\security
|
||||
|
||||
If the value excelbypassencryptiedmacrosscan does not exist, this is not a finding.
|
||||
If the value excelbypassencryptedmacroscan does not exist, this is not a finding.
|
||||
|
||||
If the value for excelbypassencryptedmacroscan is REG_DWORD = 0, this is not a finding.</RawString>
|
||||
<ValueData />
|
||||
|
|
@ -5,7 +5,7 @@
|
|||
Each setting in this file is linked by STIG ID and the valid range is in an
|
||||
associated comment.
|
||||
-->
|
||||
<OrganizationalSettings fullversion="3.9">
|
||||
<OrganizationalSettings fullversion="3.11">
|
||||
<!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the value of "difok" is set to less than "8", this is a finding." -->
|
||||
<OrganizationalSetting id="V-204411" ContainsLine="difok = 8" DoesNotContainPattern="#\s*difok\s*=.*|^\s*difok\s*=\s*(-|)[0-7]$" />
|
||||
<!-- Ensure that the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the value of "minclass" is set to less than "4", this is a finding." -->
|
||||
|
|
@ -50,4 +50,6 @@
|
|||
<OrganizationalSetting id="V-244557" ContainsLine="" DoesNotContainPattern="" />
|
||||
<!-- Ensure "set superusers =" is set to a unique name in /boot/efi/EFI/redhat/grub.cfg-->
|
||||
<OrganizationalSetting id="V-244558" ContainsLine="" DoesNotContainPattern="" />
|
||||
<!-- Ensure Specify either tmux or screen depending on preference-->
|
||||
<OrganizationalSetting id="V-255926" Name="" />
|
||||
</OrganizationalSettings>
|
||||
Разница между файлами не показана из-за своего большого размера
Загрузить разницу
|
|
@ -5,7 +5,7 @@
|
|||
Each setting in this file is linked by STIG ID and the valid range is in an
|
||||
associated comment.
|
||||
-->
|
||||
<OrganizationalSettings fullversion="2.7">
|
||||
<OrganizationalSettings fullversion="2.9">
|
||||
<!-- Ensure SQL authentication logins are populated from organizational settings.-->
|
||||
<OrganizationalSetting id="V-213964" Ensure="" Name="" />
|
||||
<!-- Ensure 'V-214029' is populated with a non-default SA account name-->
|
||||
Разница между файлами не показана из-за своего большого размера
Загрузить разницу
|
|
@ -1,43 +1,43 @@
|
|||
<!--
|
||||
The organizational settings file is used to define the local organizations
|
||||
preferred setting within an allowed range of the STIG.
|
||||
|
||||
Each setting in this file is linked by STIG ID and the valid range is in an
|
||||
associated comment.
|
||||
-->
|
||||
<OrganizationalSettings fullversion="2.9">
|
||||
<!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: If the space_left_action parameter is set to "email" set the action_mail_acct parameter to an e-mail address for the System Administrator (SA) and Information System Security Officer (ISSO). If the space_left_action parameter is set to "exec", make sure the command being execute notifies the System Administrator (SA) and Information System Security Officer (ISSO).-->
|
||||
<OrganizationalSetting id="V-219152.a" ContainsLine="space_left_action = email" DoesNotContainPattern="^#\s*space_left_action.*" />
|
||||
<!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: Set the space_left parameter to be, at least, 25% of the repository maximum audit record storage capacity. -->
|
||||
<OrganizationalSetting id="V-219152.b" ContainsLine="" DoesNotContainPattern="" />
|
||||
<!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: If the remote_server parameter is not set or is set with a local address, or is set with invalid address, this is a finding i.e.: remote_server = <your remote audit log server ip>-->
|
||||
<OrganizationalSetting id="V-219153.c" ContainsLine="" DoesNotContainPattern="" />
|
||||
<!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the "ucredit" parameter is greater than "-1", or is commented out, this is a finding." -->
|
||||
<OrganizationalSetting id="V-219172" ContainsLine="ucredit=-1" DoesNotContainPattern="^#\s*ucredit.*$|^ucredit\s*=\s*(?!-1\b)\w*$" />
|
||||
<!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the "lcredit" parameter is greater than "-1", or is commented out, this is a finding." -->
|
||||
<OrganizationalSetting id="V-219173" ContainsLine="lcredit=-1" DoesNotContainPattern="^#\s*lcredit.*$|^lcredit\s*=\s*(?!-1\b)\w*$" />
|
||||
<!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the "dcredit" parameter is greater than "-1", or is commented out, this is a finding." -->
|
||||
<OrganizationalSetting id="V-219174" ContainsLine="dcredit=-1" DoesNotContainPattern="^#\s*dcredit.*$|^dcredit\s*=\s*(?!-1\b)\w*$" />
|
||||
<!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the "difok" parameter is less than "8", or is commented out, this is a finding." -->
|
||||
<OrganizationalSetting id="V-219175" ContainsLine="difok=8" DoesNotContainPattern="^\s*difok\s*=\s*(-|)[0-7]$|#\s*difok\s*=.*|difok\s+=\s+.*" />
|
||||
<!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If "ENCRYPT_METHOD" does not equal SHA512 or greater, this is a finding." -->
|
||||
<OrganizationalSetting id="V-219176" ContainsLine="ENCRYPT_METHOD SHA512" DoesNotContainPattern="#\s*ENCRYPT_METHOD\s*SHA512" />
|
||||
<!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the "PASS_MIN_DAYS" parameter value is less than 1, or commented out, this is a finding." -->
|
||||
<OrganizationalSetting id="V-219178" ContainsLine="PASS_MIN_DAYS 1" DoesNotContainPattern="^\s*PASS_MIN_DAYS\s*[0]*$|#\s*PASS_MIN_DAYS.*" />
|
||||
<!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the "PASS_MAX_DAYS" parameter value is less than 60, or commented out, this is a finding." -->
|
||||
<OrganizationalSetting id="V-219179" ContainsLine="PASS_MAX_DAYS 60" DoesNotContainPattern="^\s*PASS_MAX_DAYS\s*([6][1-9]|[7-9][0-9]|\d{3,})$|#\s*PASS_MAX_DAYS.*" />
|
||||
<!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If "minlen" parameter value is not 15 or higher, or is commented out, this is a finding." -->
|
||||
<OrganizationalSetting id="V-219181" ContainsLine="minlen=15" DoesNotContainPattern="^\s*minlen\s*=\s*([0-9]|[1][1-4])$|#\s*minlen.*" />
|
||||
<!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the "ocredit" parameter is greater than "-1", or is commented out, this is a finding." -->
|
||||
<OrganizationalSetting id="V-219210" ContainsLine="ocredit=-1" DoesNotContainPattern="^#\s*ocredit.*$|^ocredit\s*=\s*(?!-1)\w*$" />
|
||||
<!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the value of the "action_mail_acct" keyword is not set to "root" and/or other accounts for security personnel, the "action_mail_acct" keyword is missing, or the returned line is commented out, this is a finding." -->
|
||||
<OrganizationalSetting id="V-219226" ContainsLine="action_mail_acct = root" DoesNotContainPattern="#\s*action_mail_acct\s*=\s*root" />
|
||||
<!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: If the value of the "disk_full_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, this is a finding. -->
|
||||
<OrganizationalSetting id="V-219227" ContainsLine="disk_full_action = HALT" DoesNotContainPattern="#\s*disk_full_action.*|^\s*disk_full_action\s*=\s*(?!HALT\b)\w+" />
|
||||
<!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the "maxlogins" item is missing, or the value is not set to 10 or less, or is commented out, this is a finding." -->
|
||||
<OrganizationalSetting id="V-219301" ContainsLine="* hard maxlogins 10" DoesNotContainPattern="^\s*\*\s*hard\s*maxlogins\s*([1][1-9]|[2-9]\d+|[1-9][0-9]\d+)$|^#\s*\*\s*hard\s*maxlogins." />
|
||||
<!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the file "/etc/profile.d/autologout.sh" does not exist with the contents shown above, the value of "TMOUT" is greater than 900, or the timeout values are commented out, this is a finding.-->
|
||||
<OrganizationalSetting id="V-219303.b" ContainsLine="TMOUT=900" DoesNotContainPattern="^\s*TMOUT\s*=\s*[0-8]?[0-9]?[0-9]?$|^#\s*TMOUT.*" />
|
||||
<!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If "ClientAliveInterval" does not exist, is not set to a value of "600" or less in "/etc/ssh/sshd_config", or is commented out, this is a finding." -->
|
||||
<OrganizationalSetting id="V-219311" ContainsLine="ClientAliveInterval 600" DoesNotContainPattern="^\s*ClientAliveInterval\s*[0-5]?[0-9]?[0-9]?\s*$|^#\s*ClientAliveInterval.*|^\s*ClientAliveInterval\s*$" />
|
||||
</OrganizationalSettings>
|
||||
<!--
|
||||
The organizational settings file is used to define the local organizations
|
||||
preferred setting within an allowed range of the STIG.
|
||||
|
||||
Each setting in this file is linked by STIG ID and the valid range is in an
|
||||
associated comment.
|
||||
-->
|
||||
<OrganizationalSettings fullversion="2.11">
|
||||
<!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: If the space_left_action parameter is set to "email" set the action_mail_acct parameter to an e-mail address for the System Administrator (SA) and Information System Security Officer (ISSO). If the space_left_action parameter is set to "exec", make sure the command being execute notifies the System Administrator (SA) and Information System Security Officer (ISSO).-->
|
||||
<OrganizationalSetting id="V-219152.a" ContainsLine="space_left_action = email" DoesNotContainPattern="^#\s*space_left_action.*" />
|
||||
<!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: Set the space_left parameter to be, at least, 25% of the repository maximum audit record storage capacity. -->
|
||||
<OrganizationalSetting id="V-219152.b" ContainsLine="" DoesNotContainPattern="" />
|
||||
<!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: If the remote_server parameter is not set or is set with a local address, or is set with invalid address, this is a finding i.e.: remote_server = <your remote audit log server ip>-->
|
||||
<OrganizationalSetting id="V-219153.c" ContainsLine="" DoesNotContainPattern="" />
|
||||
<!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the "ucredit" parameter is greater than "-1", or is commented out, this is a finding." -->
|
||||
<OrganizationalSetting id="V-219172" ContainsLine="ucredit=-1" DoesNotContainPattern="^#\s*ucredit.*$|^ucredit\s*=\s*(?!-1\b)\w*$" />
|
||||
<!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the "lcredit" parameter is greater than "-1", or is commented out, this is a finding." -->
|
||||
<OrganizationalSetting id="V-219173" ContainsLine="lcredit=-1" DoesNotContainPattern="^#\s*lcredit.*$|^lcredit\s*=\s*(?!-1\b)\w*$" />
|
||||
<!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the "dcredit" parameter is greater than "-1", or is commented out, this is a finding." -->
|
||||
<OrganizationalSetting id="V-219174" ContainsLine="dcredit=-1" DoesNotContainPattern="^#\s*dcredit.*$|^dcredit\s*=\s*(?!-1\b)\w*$" />
|
||||
<!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the "difok" parameter is less than "8", or is commented out, this is a finding." -->
|
||||
<OrganizationalSetting id="V-219175" ContainsLine="difok=8" DoesNotContainPattern="^\s*difok\s*=\s*(-|)[0-7]$|#\s*difok\s*=.*|difok\s+=\s+.*" />
|
||||
<!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If "ENCRYPT_METHOD" does not equal SHA512 or greater, this is a finding." -->
|
||||
<OrganizationalSetting id="V-219176" ContainsLine="ENCRYPT_METHOD SHA512" DoesNotContainPattern="#\s*ENCRYPT_METHOD\s*SHA512" />
|
||||
<!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the "PASS_MIN_DAYS" parameter value is less than 1, or commented out, this is a finding." -->
|
||||
<OrganizationalSetting id="V-219178" ContainsLine="PASS_MIN_DAYS 1" DoesNotContainPattern="^\s*PASS_MIN_DAYS\s*[0]*$|#\s*PASS_MIN_DAYS.*" />
|
||||
<!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the "PASS_MAX_DAYS" parameter value is less than 60, or commented out, this is a finding." -->
|
||||
<OrganizationalSetting id="V-219179" ContainsLine="PASS_MAX_DAYS 60" DoesNotContainPattern="^\s*PASS_MAX_DAYS\s*([6][1-9]|[7-9][0-9]|\d{3,})$|#\s*PASS_MAX_DAYS.*" />
|
||||
<!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If "minlen" parameter value is not 15 or higher, or is commented out, this is a finding." -->
|
||||
<OrganizationalSetting id="V-219181" ContainsLine="minlen=15" DoesNotContainPattern="^\s*minlen\s*=\s*([0-9]|[1][1-4])$|#\s*minlen.*" />
|
||||
<!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the "ocredit" parameter is greater than "-1", or is commented out, this is a finding." -->
|
||||
<OrganizationalSetting id="V-219210" ContainsLine="ocredit=-1" DoesNotContainPattern="^#\s*ocredit.*$|^ocredit\s*=\s*(?!-1)\w*$" />
|
||||
<!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the value of the "action_mail_acct" keyword is not set to "root" and/or other accounts for security personnel, the "action_mail_acct" keyword is missing, or the returned line is commented out, this is a finding." -->
|
||||
<OrganizationalSetting id="V-219226" ContainsLine="action_mail_acct = root" DoesNotContainPattern="#\s*action_mail_acct\s*=\s*root" />
|
||||
<!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: If the value of the "disk_full_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, this is a finding. -->
|
||||
<OrganizationalSetting id="V-219227" ContainsLine="disk_full_action = HALT" DoesNotContainPattern="#\s*disk_full_action.*|^\s*disk_full_action\s*=\s*(?!HALT\b)\w+" />
|
||||
<!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the "maxlogins" item is missing, or the value is not set to 10 or less, or is commented out, this is a finding." -->
|
||||
<OrganizationalSetting id="V-219301" ContainsLine="* hard maxlogins 10" DoesNotContainPattern="^\s*\*\s*hard\s*maxlogins\s*([1][1-9]|[2-9]\d+|[1-9][0-9]\d+)$|^#\s*\*\s*hard\s*maxlogins." />
|
||||
<!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the file "/etc/profile.d/autologout.sh" does not exist with the contents shown above, the value of "TMOUT" is greater than 900, or the timeout values are commented out, this is a finding.-->
|
||||
<OrganizationalSetting id="V-219303.b" ContainsLine="TMOUT=900" DoesNotContainPattern="^\s*TMOUT\s*=\s*[0-8]?[0-9]?[0-9]?$|^#\s*TMOUT.*" />
|
||||
<!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If "ClientAliveInterval" does not exist, is not set to a value of "600" or less in "/etc/ssh/sshd_config", or is commented out, this is a finding." -->
|
||||
<OrganizationalSetting id="V-219311" ContainsLine="ClientAliveInterval 600" DoesNotContainPattern="^\s*ClientAliveInterval\s*[0-5]?[0-9]?[0-9]?\s*$|^#\s*ClientAliveInterval.*|^\s*ClientAliveInterval\s*$" />
|
||||
</OrganizationalSettings>
|
||||
Разница между файлами не показана из-за своего большого размера
Загрузить разницу
|
|
@ -5,7 +5,7 @@
|
|||
Each setting in this file is linked by STIG ID and the valid range is in an
|
||||
associated comment.
|
||||
-->
|
||||
<OrganizationalSettings fullversion="2.4">
|
||||
<OrganizationalSettings fullversion="2.7">
|
||||
<!-- Ensure ValueData is set to 0x00000006 (6) or greater -->
|
||||
<OrganizationalSetting id="V-220704" ValueData="" />
|
||||
<!-- Ensure ''V-220739'' -ge '15' -or ''V-220739'' -eq '0'-->
|
||||
|
|
@ -28,8 +28,8 @@
|
|||
<OrganizationalSetting id="V-220780" ValueData="1024000" />
|
||||
<!-- Ensure ''V-220781'' -ge '32768'-->
|
||||
<OrganizationalSetting id="V-220781" ValueData="32768" />
|
||||
<!-- Ensure ''V-220806'' -match '1|ShouldBeAbsent'-->
|
||||
<OrganizationalSetting id="V-220806" ValueData="1" />
|
||||
<!-- Ensure ''V-220806'' -match '3|ShouldBeAbsent'-->
|
||||
<OrganizationalSetting id="V-220806" ValueData="3" />
|
||||
<!-- Ensure ''V-220811.b'' -match '1|3'-->
|
||||
<OrganizationalSetting id="V-220811.b" ValueData="1" />
|
||||
<!-- Ensure ''V-220813'' -match '1|3|8'-->
|
||||
|
|
@ -57,9 +57,7 @@
|
|||
<!-- Ensure location for DoD Root CA 5 certificate is present-->
|
||||
<OrganizationalSetting id="V-220903.c" Location="" />
|
||||
<!-- Ensure location for DoD Interoperability Root CA 2 certificate is present-->
|
||||
<OrganizationalSetting id="V-220905.a" Location="" />
|
||||
<!-- Ensure location for DoD Interoperability Root CA 2 certificate is present-->
|
||||
<OrganizationalSetting id="V-220905.b" Location="" />
|
||||
<OrganizationalSetting id="V-220905" Location="" />
|
||||
<!-- Ensure location for US DoD CCEB Interoperability Root CA 2 certificate is present-->
|
||||
<OrganizationalSetting id="V-220906" Location="" />
|
||||
<!-- Ensure ''V-220911'' -ne 'Administrator'-->
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
<DISASTIG version="2" classification="UNCLASSIFIED" customname="" stigid="MS_Windows_10_STIG" description="This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil." filename="U_MS_Windows_10_STIG_V2R4_Manual-xccdf.xml" releaseinfo="Release: 4 Benchmark Date: 31 May 2022 3.3.0.27375 1.10.0" title="Microsoft Windows 10 Security Technical Implementation Guide" notice="terms-of-use" source="STIG.DOD.MIL" fullversion="2.4" created="10/11/2022">
|
||||
<DISASTIG version="2" classification="UNCLASSIFIED" customname="" stigid="MS_Windows_10_STIG" description="This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil." filename="U_MS_Windows_10_STIG_V2R7_Manual-xccdf.xml" releaseinfo="Release: 7 Benchmark Date: 07 Jun 2023 3.4.0.34222 1.10.0" title="Microsoft Windows 10 Security Technical Implementation Guide" notice="terms-of-use" source="STIG.DOD.MIL" fullversion="2.7" created="6/5/2023">
|
||||
<AccountPolicyRule dscresourcemodule="SecurityPolicyDsc">
|
||||
<Rule id="V-220739" severity="medium" conversionstatus="pass" title="SRG-OS-000329-GPOS-00128" dscresource="AccountPolicy">
|
||||
<Description><VulnDiscussion>The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the amount of time that an account will remain locked after the specified number of failed logon attempts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
|
|
@ -997,9 +997,9 @@ Policy Change >> MPSSVC Rule-Level Policy Change - Failure
|
|||
<Rule id="V-220706" severity="high" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="AuditSetting">
|
||||
<Description><VulnDiscussion>Windows 10 is maintained by Microsoft at servicing levels for specific periods of time to support Windows as a Service. Systems at unsupported servicing levels or releases will not receive security updates for new vulnerabilities, which leaves them subject to exploitation.
|
||||
|
||||
New versions with feature updates are planned to be released on a semi-annual basis with an estimated support timeframe of 18 to 30 months depending on the release. Support for previously released versions has been extended for Enterprise editions.
|
||||
New versions with feature updates are planned to be released on a semiannual basis with an estimated support timeframe of 18 to 30 months depending on the release. Support for previously released versions has been extended for Enterprise editions.
|
||||
|
||||
A separate servicing branch intended for special purpose systems is the Long-Term Servicing Channel (LTSC, formerly Branch - LTSB), which will receive security updates for 10 years but excludes feature updates.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
A separate servicing branch intended for special-purpose systems is the Long-Term Servicing Channel (LTSC, formerly Branch - LTSB), which will receive security updates for 10 years but excludes feature updates.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DesiredValue>10.0.190</DesiredValue>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
|
|
@ -1017,13 +1017,11 @@ If the "About Windows" dialog box does not display the following or greater, thi
|
|||
|
||||
Note: Microsoft has extended support for previous versions, providing critical and important updates for Windows 10 Enterprise.
|
||||
|
||||
Microsoft scheduled end of support dates for current Semi-Annual Channel versions:
|
||||
Microsoft scheduled end-of-support dates for current Semi-Annual Channel versions:
|
||||
|
||||
v1909 - 10 May 2022
|
||||
v2004 - 14 December 2021
|
||||
v20H2 – 9 May 2023
|
||||
v21H1 -13 Dec 2022
|
||||
v21H2 - 11 June 2024
|
||||
v20H2 - 9 May 2023
|
||||
v21H1 - 13 Dec 2022
|
||||
v21H2 - 11 June 2024
|
||||
|
||||
No preview versions will be used in a production environment.
|
||||
|
||||
|
|
@ -1160,12 +1158,12 @@ Approval must be documented with the ISSO.</RawString>
|
|||
<LegacyId>V-102611</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Ensure there is a documented policy or procedure in place that non-persistent VM sessions do not exceed 24 hours.
|
||||
<RawString>Ensure there is a documented policy or procedure in place that nonpersistent VM sessions do not exceed 24 hours. If the system is NOT a nonpersistent VM, this is Not Applicable.
|
||||
|
||||
If there is no such documented policy or procedure in place, this is a finding.</RawString>
|
||||
If no such documented policy or procedure is in place, this is a finding.</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-220946" severity="medium" conversionstatus="pass" title="SRG-OS-000105-GPOS-00052" dscresource="None">
|
||||
<Description><VulnDiscussion>Without the use of multifactor authentication, the ease of access to privileged and non-privileged functions is greatly increased.
|
||||
<Description><VulnDiscussion>Without the use of multifactor authentication, the ease of access to privileged and nonprivileged functions is greatly increased.
|
||||
|
||||
All domain accounts must be enabled for multifactor authentication with the exception of local emergency accounts.
|
||||
|
||||
|
|
@ -1193,7 +1191,7 @@ Satisfies: SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPO
|
|||
<LegacyId>V-102627</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>If the system is not a member of a domain, this is Not Applicable.
|
||||
<RawString>If the system is a member of a domain, this is Not Applicable.
|
||||
|
||||
If one of the following settings does not exist and is not populated, this is a finding:
|
||||
|
||||
|
|
@ -1203,7 +1201,7 @@ Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards</R
|
|||
</DocumentRule>
|
||||
<ManualRule dscresourcemodule="None">
|
||||
<Rule id="V-220697" severity="medium" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="None">
|
||||
<Description><VulnDiscussion>Features such as Credential Guard use virtualization based security to protect information that could be used in credential theft attacks if compromised. There are a number of system requirements that must be met in order for Credential Guard to be configured and enabled properly. Virtualization based security and Credential Guard are only available with Windows 10 Enterprise 64-bit version.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>Features such as Credential Guard use virtualization-based security to protect information that could be used in credential theft attacks if compromised. A number of system requirements must be met for Credential Guard to be configured and enabled properly. Virtualization-based security and Credential Guard are only available with Windows 10 Enterprise 64-bit version.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>V-63319</LegacyId>
|
||||
|
|
@ -1211,7 +1209,7 @@ Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards</R
|
|||
<OrganizationValueTestString />
|
||||
<RawString>Verify domain-joined systems are using Windows 10 Enterprise Edition 64-bit version.
|
||||
|
||||
For standalone systems, this is NA.
|
||||
For standalone or nondomain-joined systems, this is NA.
|
||||
|
||||
Open "Settings".
|
||||
|
||||
|
|
@ -1222,7 +1220,7 @@ If "Edition" is not "Windows 10 Enterprise", this is a finding.
|
|||
If "System type" is not "64-bit operating system…", this is a finding.</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-220698" severity="medium" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="None">
|
||||
<Description><VulnDiscussion>Credential Guard uses virtualization based security to protect information that could be used in credential theft attacks if compromised. There are a number of system requirements that must be met in order for Credential Guard to be configured and enabled properly. Without a TPM enabled and ready for use, Credential Guard keys are stored in a less secure method using software.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>Credential Guard uses virtualization-based security to protect information that could be used in credential theft attacks if compromised. A number of system requirements must be met for Credential Guard to be configured and enabled properly. Without a TPM enabled and ready for use, Credential Guard keys are stored in a less secure method using software.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>V-63323</LegacyId>
|
||||
|
|
@ -1230,9 +1228,9 @@ If "System type" is not "64-bit operating system…", this is a finding.</RawStr
|
|||
<OrganizationValueTestString />
|
||||
<RawString>Verify domain-joined systems have a TPM enabled and ready for use.
|
||||
|
||||
For standalone systems, this is NA.
|
||||
For standalone or nondomain-joined systems, this is NA.
|
||||
|
||||
Virtualization based security, including Credential Guard, currently cannot be implemented in virtual desktop implementations (VDI) due to specific supporting requirements including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within the virtual desktop.
|
||||
Virtualization-based security, including Credential Guard, currently cannot be implemented in virtual desktop implementations (VDI) due to specific supporting requirements including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within the virtual desktop.
|
||||
|
||||
For VDIs where the virtual desktop instance is deleted or refreshed upon logoff, this is NA.
|
||||
|
||||
|
|
@ -1298,23 +1296,23 @@ If the operating system drive or any fixed data drives have "Turn on BitLocker",
|
|||
NOTE: An alternate encryption application may be used in lieu of BitLocker providing it is configured for full disk encryption and satisfies the pre-boot authentication requirements (WN10-00-000031 and WN10-00-000032).</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-220705" severity="medium" conversionstatus="pass" title="SRG-OS-000370-GPOS-00155" dscresource="None">
|
||||
<Description><VulnDiscussion>Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities.
|
||||
<Description><VulnDiscussion>Utilizing an allowlist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities.
|
||||
|
||||
The organization must identify authorized software programs and only permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
The organization must identify authorized software programs and only permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as allowlisting.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>V-63345</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>This is applicable to unclassified systems; for other systems this is NA.
|
||||
<RawString>This is applicable to unclassified systems; for other systems, this is Not Applicable.
|
||||
|
||||
Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs. This must include packaged apps such as the universals apps installed by default on systems.
|
||||
Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs. This must include packaged apps such as the universal apps installed by default on systems.
|
||||
|
||||
If an application whitelisting program is not in use on the system, this is a finding.
|
||||
If an application allowlisting program is not in use on the system, this is a finding.
|
||||
|
||||
Configuration of whitelisting applications will vary by the program.
|
||||
Configuration of allowlisting applications will vary by the program.
|
||||
|
||||
AppLocker is a whitelisting application built into Windows 10 Enterprise. A deny-by-default implementation is initiated by enabling any AppLocker rules within a category, only allowing what is specified by defined rules.
|
||||
AppLocker is an allowlisting application built into Windows 10 Enterprise. A deny-by-default implementation is initiated by enabling any AppLocker rules within a category, only allowing what is specified by defined rules.
|
||||
|
||||
If AppLocker is used, perform the following to view the configuration of AppLocker:
|
||||
Run "PowerShell".
|
||||
|
|
@ -1324,9 +1322,9 @@ Get-AppLockerPolicy -Effective -XML > c:\temp\file.xml
|
|||
|
||||
This will produce an xml file with the effective settings that can be viewed in a browser or opened in a program such as Excel for review.
|
||||
|
||||
Implementation guidance for AppLocker is available in the NSA paper "Application Whitelisting using Microsoft AppLocker" at the following link:
|
||||
Implementation guidance for AppLocker is available at the following link:
|
||||
|
||||
https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm</RawString>
|
||||
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-220707" severity="high" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="None">
|
||||
<Description><VulnDiscussion>Malicious software can establish a base on individual desktops and servers. Employing an automated mechanism to detect this type of software will aid in elimination of the software from the operating system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
|
|
@ -1440,13 +1438,16 @@ If the group contains any accounts, the accounts must be specifically for backup
|
|||
If the group contains any standard user accounts used for performing normal user tasks, this is a finding.</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-220715" severity="low" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="None">
|
||||
<Description><VulnDiscussion>To minimize potential points of attack, local user accounts, other than built-in accounts and local administrator accounts, must not exist on a workstation in a domain. Users must log onto workstations in a domain with their domain accounts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>To minimize potential points of attack, local user accounts, other than built-in accounts and local administrator accounts, must not exist on a workstation in a domain. Users must log on to workstations in a domain with their domain accounts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>V-63367</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Run "Computer Management".
|
||||
<RawString>For standalone or nondomain-joined systems, this is Not Applicable.
|
||||
|
||||
Run "Computer Management".
|
||||
|
||||
Navigate to System Tools >> Local Users and Groups >> Users.
|
||||
|
||||
If local users other than the accounts listed below exist on a workstation in a domain, this is a finding.
|
||||
|
|
@ -1594,10 +1595,6 @@ Get-ChildItem -Path Cert:Localmachine\root | Where Subject -Like "*ECA*" | FL Su
|
|||
|
||||
If the following certificate "Subject" and "Thumbprint" information is not displayed, this is a finding.
|
||||
|
||||
Subject: CN=ECA Root CA 2, OU=ECA, O=U.S. Government, C=US
|
||||
Thumbprint: C313F919A6ED4E0E8451AFA930FB419A20F181E4
|
||||
NotAfter: 3/30/2028
|
||||
|
||||
Subject: CN=ECA Root CA 4, OU=ECA, O=U.S. Government, C=US
|
||||
Thumbprint: 73E8BB08E337D6A5A6AEF90CFFDD97D9176CB582
|
||||
NotAfter: 12/30/2029
|
||||
|
|
@ -1626,20 +1623,16 @@ Select the "Details" Tab.
|
|||
|
||||
Scroll to the bottom and select "Thumbprint".
|
||||
|
||||
If the ECA Root CA certificates below are not listed or the value for the "Thumbprint" field is not as noted, this is a finding.
|
||||
|
||||
ECA Root CA 2
|
||||
Thumbprint: C313F919A6ED4E0E8451AFA930FB419A20F181E4
|
||||
Valid to: Thursday, March 30, 2028
|
||||
If the ECA Root CA certificate below is not listed or the value for the "Thumbprint" field is not as noted, this is a finding.
|
||||
|
||||
ECA Root CA 4
|
||||
Thumbprint: 73E8BB08E337D6A5A6AEF90CFFDD97D9176CB582
|
||||
Valid to: Sunday, December 30, 2029</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-220952" severity="medium" conversionstatus="pass" title="SRG-OS-000076-GPOS-00044" dscresource="None">
|
||||
<Description><VulnDiscussion>The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the password. A local Administrator account is not generally used and its password not may be changed as frequently as necessary. Changing the password for enabled Administrator accounts on a regular basis will limit its exposure.
|
||||
<Description><VulnDiscussion>The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the password. A local Administrator account is not generally used and its password may not be changed as frequently as necessary. Changing the password for enabled Administrator accounts on a regular basis will limit its exposure.
|
||||
|
||||
It is highly recommended to use Microsoft's Local Administrator Password Solution (LAPS). Domain-joined systems can configure this to occur more frequently. LAPS will change the password every "30" days by default. The AO still has the overall authority to use another equivalent capability to accomplish the check.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
Windows LAPS must be used to change the built-in Administrator account password.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>V-99555</LegacyId>
|
||||
|
|
@ -1647,14 +1640,30 @@ It is highly recommended to use Microsoft's Local Administrator Password Solutio
|
|||
<OrganizationValueTestString />
|
||||
<RawString>Review the password last set date for the enabled local Administrator account.
|
||||
|
||||
On the local domain joined workstation:
|
||||
On the local domain-joined workstation:
|
||||
|
||||
Open "PowerShell".
|
||||
|
||||
Enter "Get-LocalUser –Name * | Select-Object *”
|
||||
Enter "Get-LocalUser –Name * | Select-Object *".
|
||||
|
||||
If the "PasswordLastSet" date is greater than "60" days old for the local Administrator account for administering the computer/domain, this is a finding.</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-256894" severity="medium" conversionstatus="pass" title="SRG-OS-000185-GPOS-00079" dscresource="None">
|
||||
<Description><VulnDiscussion>Internet Explorer 11 (IE11) is no longer supported on Windows 10 semi-annual channel. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>
|
||||
</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Determine if IE11 is installed or enabled on Windows 10 semi-annual channel.
|
||||
|
||||
If IE11 is installed or not disabled on Windows 10 semi-annual channel, this is a finding.
|
||||
|
||||
If IE11 is installed on a unsupported operating system and is enabled or installed, this is a finding.
|
||||
|
||||
For more information, visit: https://learn.microsoft.com/en-us/lifecycle/faq/internet-explorer-microsoft-edge#what-is-the-lifecycle-policy-for-internet-explorer-</RawString>
|
||||
</Rule>
|
||||
</ManualRule>
|
||||
<PermissionRule dscresourcemodule="AccessControlDsc">
|
||||
<Rule id="V-220717.a" severity="medium" conversionstatus="pass" title="SRG-OS-000312-GPOS-00122" dscresource="NTFSAccessEntry">
|
||||
|
|
@ -2851,19 +2860,19 @@ Value: NistP384 NistP256</RawString>
|
|||
<ValueType>MultiString</ValueType>
|
||||
</Rule>
|
||||
<Rule id="V-220806" severity="medium" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="RegistryPolicyFile">
|
||||
<Description><VulnDiscussion>Multiple network connections can provide additional attack vectors to a system and must be limited. The "Minimize the number of simultaneous connections to the Internet or a Windows Domain" setting prevents systems from automatically establishing multiple connections. When both wired and wireless connections are available, for example, the less preferred connection (typically wireless) will be disconnected.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>Multiple network connections can provide additional attack vectors to a system and must be limited. The "Minimize the number of simultaneous connections to the Internet or a Windows Domain" setting prevents systems from automatically establishing multiple connections. When both wired and wireless connections are available, for example, the less-preferred connection (typically wireless) will be disconnected.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy</Key>
|
||||
<LegacyId>V-63581</LegacyId>
|
||||
<OrganizationValueRequired>True</OrganizationValueRequired>
|
||||
<OrganizationValueTestString>'{0}' -match '1|ShouldBeAbsent'</OrganizationValueTestString>
|
||||
<OrganizationValueTestString>'{0}' -match '3|ShouldBeAbsent'</OrganizationValueTestString>
|
||||
<RawString>The default behavior for "Minimize the number of simultaneous connections to the Internet or a Windows Domain" is "Enabled".
|
||||
|
||||
If the registry value name below does not exist, this is not a finding.
|
||||
|
||||
If it exists and is configured with a value of "1", this is not a finding.
|
||||
If it exists and is configured with a value of "3", this is not a finding.
|
||||
|
||||
If it exists and is configured with a value of "0", this is a finding.
|
||||
|
||||
|
|
@ -2873,7 +2882,7 @@ Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy\
|
|||
Value Name: fMinimizeConnections
|
||||
|
||||
Value Type: REG_DWORD
|
||||
Value: 1 (or if the Value Name does not exist)</RawString>
|
||||
Value: 3 (or if the Value Name does not exist)</RawString>
|
||||
<ValueData />
|
||||
<ValueName>fMinimizeConnections</ValueName>
|
||||
<ValueType>Dword</ValueType>
|
||||
|
|
@ -3019,13 +3028,14 @@ Value: 1 (Secure Boot only) or 3 (Secure Boot and DMA Protection)</RawString>
|
|||
<OrganizationValueTestString />
|
||||
<RawString>Confirm Credential Guard is running on domain-joined systems.
|
||||
|
||||
For those devices that support Credential Guard, this feature must be enabled. Organizations need to take the appropriate action to acquire and implement compatible hardware with Credential Guard enabled.
|
||||
For devices that support Credential Guard, this feature must be enabled. Organizations must take the appropriate action to acquire and implement compatible hardware with Credential Guard enabled.
|
||||
|
||||
Virtualization based security, including Credential Guard, currently cannot be implemented in virtual desktop implementations (VDI) due to specific supporting requirements including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within the virtual desktop.
|
||||
Virtualization based security, including Credential Guard, currently cannot be implemented in virtual desktop implementations (VDIs) due to specific supporting requirements including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within the virtual desktop.
|
||||
|
||||
For VDIs where the virtual desktop instance is deleted or refreshed upon logoff, this is NA.
|
||||
For VDIs where the virtual desktop instance is deleted or refreshed upon logoff, this is Not Applicable.
|
||||
|
||||
Run "PowerShell" with elevated privileges (run as administrator).
|
||||
|
||||
Run "PowerShell" with elevated privileges (run as administrator).
|
||||
Enter the following:
|
||||
"Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard"
|
||||
|
||||
|
|
@ -3034,8 +3044,10 @@ If "SecurityServicesRunning" does not include a value of "1" (e.g., "{1, 2}"), t
|
|||
Alternately:
|
||||
|
||||
Run "System Information".
|
||||
|
||||
Under "System Summary", verify the following:
|
||||
If "Device Guard Security Services Running" does not list "Credential Guard", this is finding.
|
||||
|
||||
If "Virtualization-based Security Services Running" does not list "Credential Guard", this is finding.
|
||||
|
||||
The policy settings referenced in the Fix section will configure the following registry value. However, due to hardware requirements, the registry value alone does not ensure proper function.
|
||||
|
||||
|
|
@ -3044,9 +3056,7 @@ Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\
|
|||
|
||||
Value Name: LsaCfgFlags
|
||||
Value Type: REG_DWORD
|
||||
Value: 0x00000001 (1) (Enabled with UEFI lock)
|
||||
|
||||
</RawString>
|
||||
Value: 0x00000001 (1) (Enabled with UEFI lock)</RawString>
|
||||
<ValueData>1</ValueData>
|
||||
<ValueName>LsaCfgFlags</ValueName>
|
||||
<ValueType>Dword</ValueType>
|
||||
|
|
@ -3181,7 +3191,7 @@ Value: 1</RawString>
|
|||
<LegacyId>V-63627</LegacyId>
|
||||
<OrganizationValueRequired>True</OrganizationValueRequired>
|
||||
<OrganizationValueTestString>'{0}' -match '1|ShouldBeAbsent'</OrganizationValueTestString>
|
||||
<RawString>This requirement is applicable to domain-joined systems, for standalone systems this is NA.
|
||||
<RawString>This requirement is applicable to domain-joined systems. For standalone or nondomain-joined systems, this is NA.
|
||||
|
||||
The default behavior for "Support device authentication using certificate" is "Automatic".
|
||||
|
||||
|
|
@ -3224,7 +3234,7 @@ Value: 1</RawString>
|
|||
<ValueType>Dword</ValueType>
|
||||
</Rule>
|
||||
<Rule id="V-220820" severity="medium" conversionstatus="pass" title="SRG-OS-000095-GPOS-00049" dscresource="RegistryPolicyFile">
|
||||
<Description><VulnDiscussion>The username is one part of logon credentials that could be used to gain access to a system. Preventing the enumeration of users limits this information to authorized personnel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>The username is one part of logon credentials that could be used to gain access to a system. Preventing the enumeration of users limits this information to authorized personnel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
|
|
@ -3232,7 +3242,7 @@ Value: 1</RawString>
|
|||
<LegacyId>V-63633</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>This requirement is applicable to domain-joined systems, for standalone systems this is NA.
|
||||
<RawString>This requirement is applicable to domain-joined systems. For standalone or nondomain-joined systems, this is NA.
|
||||
|
||||
If the following registry value does not exist or is not configured as specified, this is a finding:
|
||||
|
||||
|
|
@ -3571,7 +3581,7 @@ If an organization is using v1709 or later of Windows 10 this may be configured
|
|||
<ValueType>Dword</ValueType>
|
||||
</Rule>
|
||||
<Rule id="V-220835.a" severity="low" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="RegistryPolicyFile">
|
||||
<Description><VulnDiscussion>Windows 10 allows Windows Update to obtain updates from additional sources instead of Microsoft. In addition to Microsoft, updates can be obtained from and sent to PCs on the local network as well as on the Internet. This is part of the Windows Update trusted process, however to minimize outside exposure, obtaining updates from or sending to systems on the Internet must be prevented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>Windows 10 allows Windows Update to obtain updates from additional sources instead of Microsoft. In addition to Microsoft, updates can be obtained from and sent to PCs on the local network as well as on the internet. This is part of the Windows Update trusted process; however, to minimize outside exposure, obtaining updates from or sending to systems on the internet must be prevented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
|
|
@ -3589,7 +3599,7 @@ Value: 0x00000000 (0) - No peering (HTTP Only)</RawString>
|
|||
<ValueType>Dword</ValueType>
|
||||
</Rule>
|
||||
<Rule id="V-220835.b" severity="low" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="RegistryPolicyFile">
|
||||
<Description><VulnDiscussion>Windows 10 allows Windows Update to obtain updates from additional sources instead of Microsoft. In addition to Microsoft, updates can be obtained from and sent to PCs on the local network as well as on the Internet. This is part of the Windows Update trusted process, however to minimize outside exposure, obtaining updates from or sending to systems on the Internet must be prevented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>Windows 10 allows Windows Update to obtain updates from additional sources instead of Microsoft. In addition to Microsoft, updates can be obtained from and sent to PCs on the local network as well as on the internet. This is part of the Windows Update trusted process; however, to minimize outside exposure, obtaining updates from or sending to systems on the internet must be prevented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
|
|
@ -5516,7 +5526,7 @@ Value: 0x00000002 (2) (or if the Value Name does not exist)</RawString>
|
|||
<ValueType>Dword</ValueType>
|
||||
</Rule>
|
||||
<Rule id="V-250319.a" severity="medium" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="RegistryPolicyFile">
|
||||
<Description><VulnDiscussion>Additional security requirements are applied to Universal Naming Convention (UNC) paths specified in Hardened UNC paths before allowing access them. This aids in preventing tampering with or spoofing of connections to these paths.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>Additional security requirements are applied to Universal Naming Convention (UNC) paths specified in Hardened UNC paths before allowing access to them. This aids in preventing tampering with or spoofing of connections to these paths.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
|
|
@ -5534,7 +5544,7 @@ Value: RequireMutualAuthentication=1, RequireIntegrity=1</RawString>
|
|||
<ValueType>String</ValueType>
|
||||
</Rule>
|
||||
<Rule id="V-250319.b" severity="medium" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="RegistryPolicyFile">
|
||||
<Description><VulnDiscussion>Additional security requirements are applied to Universal Naming Convention (UNC) paths specified in Hardened UNC paths before allowing access them. This aids in preventing tampering with or spoofing of connections to these paths.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>Additional security requirements are applied to Universal Naming Convention (UNC) paths specified in Hardened UNC paths before allowing access to them. This aids in preventing tampering with or spoofing of connections to these paths.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
|
|
@ -5623,7 +5633,7 @@ Value: 0x00000001 (1) (Enabled with UEFI lock), or 0x00000002 (2) (Enabled witho
|
|||
<RootCertificateRule dscresourcemodule="CertificateDsc">
|
||||
<Rule id="V-220903.a" severity="medium" conversionstatus="pass" title="SRG-OS-000066-GPOS-00034" dscresource="CertificateDSC">
|
||||
<CertificateName>DoD Root CA 3</CertificateName>
|
||||
<Description><VulnDiscussion>To ensure secure DoD websites and DoD-signed code are properly validated, the system must trust the DoD Root Certificate Authorities (CAs). The DoD root certificates will ensure the trust chain is established for server certificates issued from the DoD CAs.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>To ensure secure DoD websites and DoD-signed code are properly validated, the system must trust the DoD Root Certificate Authorities (CAs). The DoD root certificates will ensure the trust chain is established for server certificates issued from the DoD CAs.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>V-63579.a</LegacyId>
|
||||
|
|
@ -5635,7 +5645,7 @@ Value: 0x00000001 (1) (Enabled with UEFI lock), or 0x00000002 (2) (Enabled witho
|
|||
</Rule>
|
||||
<Rule id="V-220903.b" severity="medium" conversionstatus="pass" title="SRG-OS-000066-GPOS-00034" dscresource="CertificateDSC">
|
||||
<CertificateName>DoD Root CA 4</CertificateName>
|
||||
<Description><VulnDiscussion>To ensure secure DoD websites and DoD-signed code are properly validated, the system must trust the DoD Root Certificate Authorities (CAs). The DoD root certificates will ensure the trust chain is established for server certificates issued from the DoD CAs.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>To ensure secure DoD websites and DoD-signed code are properly validated, the system must trust the DoD Root Certificate Authorities (CAs). The DoD root certificates will ensure the trust chain is established for server certificates issued from the DoD CAs.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>V-63579.b</LegacyId>
|
||||
|
|
@ -5647,7 +5657,7 @@ Value: 0x00000001 (1) (Enabled with UEFI lock), or 0x00000002 (2) (Enabled witho
|
|||
</Rule>
|
||||
<Rule id="V-220903.c" severity="medium" conversionstatus="pass" title="SRG-OS-000066-GPOS-00034" dscresource="CertificateDSC">
|
||||
<CertificateName>DoD Root CA 5</CertificateName>
|
||||
<Description><VulnDiscussion>To ensure secure DoD websites and DoD-signed code are properly validated, the system must trust the DoD Root Certificate Authorities (CAs). The DoD root certificates will ensure the trust chain is established for server certificates issued from the DoD CAs.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>To ensure secure DoD websites and DoD-signed code are properly validated, the system must trust the DoD Root Certificate Authorities (CAs). The DoD root certificates will ensure the trust chain is established for server certificates issued from the DoD CAs.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>V-63579.c</LegacyId>
|
||||
|
|
@ -5657,28 +5667,60 @@ Value: 0x00000001 (1) (Enabled with UEFI lock), or 0x00000002 (2) (Enabled witho
|
|||
<RawString>DoD Root CA 5,4ECB5CC3095670454DA1CBD410FC921F46B8564B</RawString>
|
||||
<Thumbprint>4ECB5CC3095670454DA1CBD410FC921F46B8564B</Thumbprint>
|
||||
</Rule>
|
||||
<Rule id="V-220905.a" severity="medium" conversionstatus="pass" title="SRG-OS-000066-GPOS-00034" dscresource="CertificateDSC">
|
||||
<Rule id="V-220905" severity="medium" conversionstatus="pass" title="SRG-OS-000066-GPOS-00034" dscresource="CertificateDSC">
|
||||
<CertificateName>DoD Interoperability Root CA 2</CertificateName>
|
||||
<Description><VulnDiscussion>To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CAs, the DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. This requirement only applies to unclassified systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>V-63587.a</LegacyId>
|
||||
<LegacyId>V-63587</LegacyId>
|
||||
<Location />
|
||||
<OrganizationValueRequired>True</OrganizationValueRequired>
|
||||
<OrganizationValueTestString>location for DoD Interoperability Root CA 2 certificate is present</OrganizationValueTestString>
|
||||
<RawString>DoD Interoperability Root CA 2,AC06108CA348CC03B53795C64BF84403C1DBD341</RawString>
|
||||
<Thumbprint>AC06108CA348CC03B53795C64BF84403C1DBD341</Thumbprint>
|
||||
</Rule>
|
||||
<Rule id="V-220905.b" severity="medium" conversionstatus="pass" title="SRG-OS-000066-GPOS-00034" dscresource="CertificateDSC">
|
||||
<CertificateName>DoD Interoperability Root CA 2</CertificateName>
|
||||
<Description><VulnDiscussion>To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CAs, the DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. This requirement only applies to unclassified systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>V-63587.b</LegacyId>
|
||||
<Location />
|
||||
<OrganizationValueRequired>True</OrganizationValueRequired>
|
||||
<OrganizationValueTestString>location for DoD Interoperability Root CA 2 certificate is present</OrganizationValueTestString>
|
||||
<RawString>DoD Interoperability Root CA 2,49CBE933151872E17C8EAE7F0ABA97FB610F6477</RawString>
|
||||
<RawString>Verify the DoD Interoperability cross-certificates are installed on unclassified systems as Untrusted Certificates.
|
||||
|
||||
Run "PowerShell" as an administrator.
|
||||
|
||||
Execute the following command:
|
||||
|
||||
Get-ChildItem -Path Cert:Localmachine\disallowed | Where {$_.Issuer -Like "*DoD Interoperability*" -and $_.Subject -Like "*DoD*"} | FL Subject, Issuer, Thumbprint, NotAfter
|
||||
|
||||
If the following certificate "Subject", "Issuer", and "Thumbprint" information is not displayed, this is a finding.
|
||||
|
||||
Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US
|
||||
Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US
|
||||
Thumbprint: 49CBE933151872E17C8EAE7F0ABA97FB610F6477
|
||||
NotAfter: 11/16/2024
|
||||
|
||||
Alternately, use the Certificates MMC snap-in:
|
||||
|
||||
Run "MMC".
|
||||
|
||||
Select "File", "Add/Remove Snap-in".
|
||||
|
||||
Select "Certificates", click "Add".
|
||||
|
||||
Select "Computer account", click "Next".
|
||||
|
||||
Select "Local computer: (the computer this console is running on)", click "Finish".
|
||||
|
||||
Click "OK".
|
||||
|
||||
Expand "Certificates" and navigate to Untrusted Certificates >> Certificates.
|
||||
|
||||
For each certificate with "DoD Root CA…" under "Issued To" and "DoD Interoperability Root CA…" under "Issued By":
|
||||
|
||||
Right-click on the certificate and select "Open".
|
||||
|
||||
Select the "Details" tab.
|
||||
|
||||
Scroll to the bottom and select "Thumbprint".
|
||||
|
||||
If the certificates below are not listed or the value for the "Thumbprint" field is not as noted, this is a finding.
|
||||
|
||||
Issued To: DoD Root CA 3
|
||||
Issued By: DoD Interoperability Root CA 2
|
||||
Thumbprint: 49CBE933151872E17C8EAE7F0ABA97FB610F6477
|
||||
Valid to: Wednesday, November 16, 2024</RawString>
|
||||
<Thumbprint>49CBE933151872E17C8EAE7F0ABA97FB610F6477</Thumbprint>
|
||||
</Rule>
|
||||
<Rule id="V-220906" severity="medium" conversionstatus="pass" title="SRG-OS-000066-GPOS-00034" dscresource="CertificateDSC">
|
||||
|
|
@ -5698,14 +5740,14 @@ Execute the following command:
|
|||
|
||||
Get-ChildItem -Path Cert:Localmachine\disallowed | Where Issuer -Like "*CCEB Interoperability*" | FL Subject, Issuer, Thumbprint, NotAfter
|
||||
|
||||
If the following certificate "Subject", "Issuer", and "Thumbprint", information is not displayed, this is a finding.
|
||||
If the following certificate "Subject", "Issuer", and "Thumbprint" information is not displayed, this is a finding.
|
||||
|
||||
Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US
|
||||
Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S.Government, C=US
|
||||
Thumbprint: AF132AC65DE86FC4FB3FE51FD637EBA0FF0B12A9
|
||||
NotAfter: 8/26/2022 9:07:50 AM
|
||||
Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US
|
||||
Thumbprint: 9B74964506C7ED9138070D08D5F8B969866560C8
|
||||
NotAfter: 7/18/2025 9:56:22 AM
|
||||
|
||||
Alternately use the Certificates MMC snap-in:
|
||||
Alternately, use the Certificates MMC snap-in:
|
||||
|
||||
Run "MMC".
|
||||
|
||||
|
|
@ -5719,7 +5761,7 @@ Select "Local computer: (the computer this console is running on)", click "Finis
|
|||
|
||||
Click "OK".
|
||||
|
||||
Expand "Certificates" and navigate to "Untrusted Certificates >> Certificates".
|
||||
Expand "Certificates" and navigate to Untrusted Certificates >> Certificates.
|
||||
|
||||
For each certificate with "US DoD CCEB Interoperability Root CA …" under "Issued By":
|
||||
|
||||
|
|
@ -5732,10 +5774,10 @@ Scroll to the bottom and select "Thumbprint".
|
|||
If the certificate below is not listed or the value for the "Thumbprint" field is not as noted, this is a finding.
|
||||
|
||||
Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US
|
||||
Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S.Government, C=US
|
||||
Thumbprint: AF132AC65DE86FC4FB3FE51FD637EBA0FF0B12A9
|
||||
NotAfter: 8/26/2022 9:07:50 AM</RawString>
|
||||
<Thumbprint>AF132AC65DE86FC4FB3FE51FD637EBA0FF0B12A9</Thumbprint>
|
||||
Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US
|
||||
Thumbprint: 9B74964506C7ED9138070D08D5F8B969866560C8
|
||||
NotAfter: 7/18/2025 9:56:22 AM</RawString>
|
||||
<Thumbprint>9B74964506C7ED9138070D08D5F8B969866560C8</Thumbprint>
|
||||
</Rule>
|
||||
</RootCertificateRule>
|
||||
<SecurityOptionRule dscresourcemodule="SecurityPolicyDsc">
|
||||
|
|
@ -6157,11 +6199,11 @@ Note: "Local account" is a built-in security group used to assign user rights an
|
|||
</Rule>
|
||||
<Rule id="V-220969" severity="medium" conversionstatus="pass" title="SRG-OS-000080-GPOS-00048" dscresource="UserRightsAssignment">
|
||||
<Constant>SeDenyBatchLogonRight</Constant>
|
||||
<Description><VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high level capabilities.
|
||||
<Description><VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities.
|
||||
|
||||
The "Deny log on as a batch job" right defines accounts that are prevented from logging on to the system as a batch job, such as Task Scheduler.
|
||||
|
||||
In an Active Directory Domain, denying logons to the Enterprise Admins and Domain Admins groups on lower trust systems helps mitigate the risk of privilege escalation from credential theft attacks which could lead to the compromise of an entire domain.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
In an Active Directory Domain, denying logons to the Enterprise Admins and Domain Admins groups on lower-trust systems helps mitigate the risk of privilege escalation from credential theft attacks that could lead to the compromise of an entire domain.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DisplayName>Deny log on as a batch job</DisplayName>
|
||||
<DuplicateOf />
|
||||
<Force>False</Force>
|
||||
|
|
@ -6170,14 +6212,14 @@ In an Active Directory Domain, denying logons to the Enterprise Admins and Domai
|
|||
<LegacyId>V-63873</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>This requirement is applicable to domain-joined systems, for standalone systems this is NA.
|
||||
<RawString>This requirement is applicable to domain-joined systems. For standalone or nondomain-joined systems, this is NA.
|
||||
|
||||
Verify the effective setting in Local Group Policy Editor.
|
||||
Run "gpedit.msc".
|
||||
|
||||
Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.
|
||||
|
||||
If the following groups or accounts are not defined for the "Deny log on as a batch job" right, this is a finding:
|
||||
If the following groups or accounts are not defined for the "Deny log on as a batch job" right, this is a finding.
|
||||
|
||||
Domain Systems Only:
|
||||
Enterprise Admin Group
|
||||
|
|
@ -6200,14 +6242,14 @@ Incorrect configurations could prevent services from starting and result in a Do
|
|||
<LegacyId>V-63875</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>This requirement is applicable to domain-joined systems, for standalone systems this is NA.
|
||||
<RawString>This requirement is applicable to domain-joined systems. For standalone or nondomain-joined systems, this is NA.
|
||||
|
||||
Verify the effective setting in Local Group Policy Editor.
|
||||
Run "gpedit.msc".
|
||||
|
||||
Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.
|
||||
|
||||
If the following groups or accounts are not defined for the "Deny log on as a service" right , this is a finding:
|
||||
If the following groups or accounts are not defined for the "Deny log on as a service" right , this is a finding.
|
||||
|
||||
Domain Systems Only:
|
||||
Enterprise Admins Group
|
||||
|
|
@ -0,0 +1,97 @@
|
|||
<!--
|
||||
The organizational settings file is used to define the local organizations
|
||||
preferred setting within an allowed range of the STIG.
|
||||
|
||||
Each setting in this file is linked by STIG ID and the valid range is in an
|
||||
associated comment.
|
||||
-->
|
||||
<OrganizationalSettings fullversion="1.4">
|
||||
<!-- Ensure ValueData is set to 0x00000006 (6) or greater -->
|
||||
<OrganizationalSetting id="V-253261" ValueData="" />
|
||||
<!-- Ensure ''V-253297'' -ge '15' -or ''V-253297'' -eq '0'-->
|
||||
<OrganizationalSetting id="V-253297" PolicyValue="15" />
|
||||
<!-- Ensure ''V-253298'' -le '3' -and ''V-253298'' -ne '0'-->
|
||||
<OrganizationalSetting id="V-253298" PolicyValue="3" />
|
||||
<!-- Ensure ''V-253299'' -ge '15'-->
|
||||
<OrganizationalSetting id="V-253299" PolicyValue="15" />
|
||||
<!-- Ensure ''V-253300'' -ge '24'-->
|
||||
<OrganizationalSetting id="V-253300" PolicyValue="24" />
|
||||
<!-- Ensure ''V-253301'' -le '60' -and ''V-253301'' -ne '0'-->
|
||||
<OrganizationalSetting id="V-253301" PolicyValue="30" />
|
||||
<!-- Ensure ''V-253302'' -ge '1'-->
|
||||
<OrganizationalSetting id="V-253302" PolicyValue="1" />
|
||||
<!-- Ensure ''V-253303'' -ge '14'-->
|
||||
<OrganizationalSetting id="V-253303" PolicyValue="14" />
|
||||
<!-- Ensure ''V-253337'' -ge '32768'-->
|
||||
<OrganizationalSetting id="V-253337" ValueData="32768" />
|
||||
<!-- Ensure ''V-253338'' -ge '1024000'-->
|
||||
<OrganizationalSetting id="V-253338" ValueData="1024000" />
|
||||
<!-- Ensure ''V-253339'' -ge '32768'-->
|
||||
<OrganizationalSetting id="V-253339" ValueData="32768" />
|
||||
<!-- Ensure ''V-253364'' -match '3|ShouldBeAbsent'-->
|
||||
<OrganizationalSetting id="V-253364" ValueData="3" />
|
||||
<!-- Ensure ''V-253369.b'' -match '1|3'-->
|
||||
<OrganizationalSetting id="V-253369.b" ValueData="1" />
|
||||
<!-- Ensure ''V-253371'' -match '1|2'-->
|
||||
<OrganizationalSetting id="V-253371" ValueData="1" />
|
||||
<!-- Ensure ''V-253372'' -match '1|3|8'-->
|
||||
<OrganizationalSetting id="V-253372" ValueData="1" />
|
||||
<!-- Ensure ''V-253377'' -match '1|ShouldBeAbsent'-->
|
||||
<OrganizationalSetting id="V-253377" ValueData="1" />
|
||||
<!-- Ensure ''V-253396'' -match '0|ShouldBeAbsent'-->
|
||||
<OrganizationalSetting id="V-253396" ValueData="0" />
|
||||
<!-- Ensure ''V-253397'' -match '0|ShouldBeAbsent'-->
|
||||
<OrganizationalSetting id="V-253397" ValueData="0" />
|
||||
<!-- Ensure ''V-253398'' -match '0|ShouldBeAbsent'-->
|
||||
<OrganizationalSetting id="V-253398" ValueData="0" />
|
||||
<!-- Ensure ''V-253401'' -ge '6'-->
|
||||
<OrganizationalSetting id="V-253401" ValueData="6" />
|
||||
<!-- Ensure ''V-253408'' -match '0|ShouldBeAbsent'-->
|
||||
<OrganizationalSetting id="V-253408" ValueData="0" />
|
||||
<!-- Ensure ''V-253412'' -match '0|ShouldBeAbsent'-->
|
||||
<OrganizationalSetting id="V-253412" ValueData="0" />
|
||||
<!-- Ensure location for DoD Root CA 3 certificate is present-->
|
||||
<OrganizationalSetting id="V-253427.a" Location="" />
|
||||
<!-- Ensure location for DoD Root CA 4 certificate is present-->
|
||||
<OrganizationalSetting id="V-253427.b" Location="" />
|
||||
<!-- Ensure location for DoD Root CA 5 certificate is present-->
|
||||
<OrganizationalSetting id="V-253427.c" Location="" />
|
||||
<!-- Ensure location for DoD Interoperability Root CA 2 certificate is present-->
|
||||
<OrganizationalSetting id="V-253429.a" Location="" />
|
||||
<!-- Ensure location for DoD Interoperability Root CA 2 certificate is present-->
|
||||
<OrganizationalSetting id="V-253429.b" Location="" />
|
||||
<!-- Ensure location for US DoD CCEB Interoperability Root CA 2 certificate is present-->
|
||||
<OrganizationalSetting id="V-253430.a" Location="" />
|
||||
<!-- Ensure location for US DoD CCEB Interoperability Root CA 2,Thumbprint: 9 certificate is present-->
|
||||
<OrganizationalSetting id="V-253430.b" Location="" />
|
||||
<!-- Ensure ''V-253435'' -ne 'Administrator'-->
|
||||
<OrganizationalSetting id="V-253435" OptionValue="" />
|
||||
<!-- Ensure ''V-253436'' -ne 'Guest'-->
|
||||
<OrganizationalSetting id="V-253436" OptionValue="" />
|
||||
<!-- Ensure ''V-253442'' -le '30' -and ''V-253442'' -gt '0'-->
|
||||
<OrganizationalSetting id="V-253442" ValueData="30" />
|
||||
<!-- Ensure ''V-253444'' -le '900' -and ''V-253444'' -gt '0'-->
|
||||
<OrganizationalSetting id="V-253444" ValueData="900" />
|
||||
<!-- Ensure 'V-253445' is set to the required legal notice before logon-->
|
||||
<OrganizationalSetting id="V-253445" ValueData="You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
|
||||
|
||||
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
|
||||
|
||||
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
|
||||
|
||||
-At any time, the USG may inspect and seize data stored on this IS.
|
||||
|
||||
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
|
||||
|
||||
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
|
||||
|
||||
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." />
|
||||
<!-- Ensure ''V-253446'' -match '^(DoD Notice and Consent Banner|US Department of Defense Warning Statement)$'-->
|
||||
<OrganizationalSetting id="V-253446" ValueData="US Department of Defense Warning Statement" />
|
||||
<!-- Ensure ''V-253447'' -le '10'-->
|
||||
<OrganizationalSetting id="V-253447" ValueData="10" />
|
||||
<!-- Ensure ''V-253448'' -match '1|2'-->
|
||||
<OrganizationalSetting id="V-253448" ValueData="1" />
|
||||
<!-- Ensure ''V-253478'' -match '2|ShouldBeAbsent'-->
|
||||
<OrganizationalSetting id="V-253478" ValueData="2" />
|
||||
</OrganizationalSettings>
|
||||
Разница между файлами не показана из-за своего большого размера
Загрузить разницу
|
|
@ -5,7 +5,7 @@
|
|||
Each setting in this file is linked by STIG ID and the valid range is in an
|
||||
associated comment.
|
||||
-->
|
||||
<OrganizationalSettings fullversion="2.4">
|
||||
<OrganizationalSettings fullversion="2.6">
|
||||
<!-- Ensure 'V-205631' is set to the required legal notice before logon-->
|
||||
<OrganizationalSetting id="V-205631" ValueData="You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
|
||||
|
||||
|
|
@ -31,13 +31,9 @@ By using this IS (which includes any device attached to this IS), you consent to
|
|||
<!-- Ensure location for DoD Root CA 5 certificate is present-->
|
||||
<OrganizationalSetting id="V-205648.c" Location="" />
|
||||
<!-- Ensure location for DoD Interoperability Root CA 2 certificate is present-->
|
||||
<OrganizationalSetting id="V-205649.a" Location="" />
|
||||
<!-- Ensure location for DoD Interoperability Root CA 1 certificate is present-->
|
||||
<OrganizationalSetting id="V-205649.b" Location="" />
|
||||
<OrganizationalSetting id="V-205649" Location="" />
|
||||
<!-- Ensure location for US DoD CCEB Interoperability Root CA 2 certificate is present-->
|
||||
<OrganizationalSetting id="V-205650.a" Location="" />
|
||||
<!-- Ensure location for US DoD CCEB Interoperability Root CA 2 certificate is present-->
|
||||
<OrganizationalSetting id="V-205650.b" Location="" />
|
||||
<OrganizationalSetting id="V-205650" Location="" />
|
||||
<!-- Ensure ''V-205703'' -le '600' -and ''V-205703'' -ne '0'-->
|
||||
<OrganizationalSetting id="V-205703" PolicyValue="600" />
|
||||
<!-- Ensure ''V-205704'' -le '10' -and ''V-205704'' -ne '0'-->
|
||||
Разница между файлами не показана из-за своего большого размера
Загрузить разницу
|
|
@ -1,93 +1,89 @@
|
|||
<!--
|
||||
The organizational settings file is used to define the local organizations
|
||||
preferred setting within an allowed range of the STIG.
|
||||
|
||||
Each setting in this file is linked by STIG ID and the valid range is in an
|
||||
associated comment.
|
||||
-->
|
||||
<OrganizationalSettings fullversion="2.5">
|
||||
<!-- Ensure 'V-205631' is set to the required legal notice before logon-->
|
||||
<OrganizationalSetting id="V-205631" ValueData="You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
|
||||
|
||||
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
|
||||
|
||||
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
|
||||
|
||||
-At any time, the USG may inspect and seize data stored on this IS.
|
||||
|
||||
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
|
||||
|
||||
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
|
||||
|
||||
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." />
|
||||
<!-- Ensure ''V-205632'' -match '^(DoD Notice and Consent Banner|US Department of Defense Warning Statement)$'-->
|
||||
<OrganizationalSetting id="V-205632" ValueData="DoD Notice and Consent Banner" />
|
||||
<!-- Ensure ''V-205633'' -le '900' -and ''V-205633'' -gt '0'-->
|
||||
<OrganizationalSetting id="V-205633" ValueData="900" />
|
||||
<!-- Ensure location for DoD Root CA 3 certificate is present-->
|
||||
<OrganizationalSetting id="V-205648.a" Location="" />
|
||||
<!-- Ensure location for DoD Root CA 4 certificate is present-->
|
||||
<OrganizationalSetting id="V-205648.b" Location="" />
|
||||
<!-- Ensure location for DoD Root CA 5 certificate is present-->
|
||||
<OrganizationalSetting id="V-205648.c" Location="" />
|
||||
<!-- Ensure location for DoD Interoperability Root CA 2 certificate is present-->
|
||||
<OrganizationalSetting id="V-205649.a" Location="" />
|
||||
<!-- Ensure location for DoD Interoperability Root CA 2 certificate is present-->
|
||||
<OrganizationalSetting id="V-205649.b" Location="" />
|
||||
<!-- Ensure location for US DoD CCEB Interoperability Root CA 2 certificate is present-->
|
||||
<OrganizationalSetting id="V-205650.a" Location="" />
|
||||
<!-- Ensure location for US DoD CCEB Interoperability Root CA 2 certificate is present-->
|
||||
<OrganizationalSetting id="V-205650.b" Location="" />
|
||||
<!-- Ensure ''V-205703'' -le '600' -and ''V-205703'' -ne '0'-->
|
||||
<OrganizationalSetting id="V-205703" PolicyValue="600" />
|
||||
<!-- Ensure ''V-205704'' -le '10' -and ''V-205704'' -ne '0'-->
|
||||
<OrganizationalSetting id="V-205704" PolicyValue="10" />
|
||||
<!-- Ensure ''V-205705'' -le '7'-->
|
||||
<OrganizationalSetting id="V-205705" PolicyValue="7" />
|
||||
<!-- Ensure ''V-205706'' -le '5'-->
|
||||
<OrganizationalSetting id="V-205706" PolicyValue="5" />
|
||||
<!-- Ensure ''V-205717'' -match '1|2'-->
|
||||
<OrganizationalSetting id="V-205717" ValueData="1" />
|
||||
<!-- Ensure ''V-205796'' -ge '32768'-->
|
||||
<OrganizationalSetting id="V-205796" ValueData="32768" />
|
||||
<!-- Ensure ''V-205797'' -ge '196608'-->
|
||||
<OrganizationalSetting id="V-205797" ValueData="196608" />
|
||||
<!-- Ensure ''V-205798'' -ge '32768'-->
|
||||
<OrganizationalSetting id="V-205798" ValueData="32768" />
|
||||
<!-- Ensure ServiceName/StartupType is populated with correct AntiVirus service information-->
|
||||
<OrganizationalSetting id="V-205850" ServiceName="" StartupType="" />
|
||||
<!-- Ensure ''V-205864.b'' -match '1|3'-->
|
||||
<OrganizationalSetting id="V-205864.b" ValueData="1" />
|
||||
<!-- Ensure ''V-205865'' -match '1|3|8|ShouldBeAbsent'-->
|
||||
<OrganizationalSetting id="V-205865" ValueData="8" />
|
||||
<!-- Ensure ''V-205869'' -match '0|1'-->
|
||||
<OrganizationalSetting id="V-205869" ValueData="0" />
|
||||
<!-- Ensure ''V-205870'' -match '0|1|2|99|100'-->
|
||||
<OrganizationalSetting id="V-205870" ValueData="0" />
|
||||
<!-- Ensure ''V-205911'' -le '30' -and ''V-205911'' -gt '0'-->
|
||||
<OrganizationalSetting id="V-205911" ValueData="30" />
|
||||
<!-- Ensure ''V-205912'' -match '1|2'-->
|
||||
<OrganizationalSetting id="V-205912" ValueData="1" />
|
||||
<!-- Ensure ServiceName/StartupType is populated with correct Firewall service information-->
|
||||
<OrganizationalSetting id="V-214936" ServiceName="" StartupType="" />
|
||||
<!-- Ensure ''V-205629'' -le '3' -and ''V-205629'' -ne '0'-->
|
||||
<OrganizationalSetting id="V-205629" PolicyValue="3" />
|
||||
<!-- Ensure ''V-205630'' -ge '15'-->
|
||||
<OrganizationalSetting id="V-205630" PolicyValue="15" />
|
||||
<!-- Ensure ''V-205656'' -ne '0'-->
|
||||
<OrganizationalSetting id="V-205656" PolicyValue="1" />
|
||||
<!-- Ensure ''V-205659'' -le '60' -and ''V-205659'' -ne '0'-->
|
||||
<OrganizationalSetting id="V-205659" PolicyValue="60" />
|
||||
<!-- Ensure ''V-205660'' -ge '24'-->
|
||||
<OrganizationalSetting id="V-205660" PolicyValue="24" />
|
||||
<!-- Ensure ''V-205662'' -ge '14'-->
|
||||
<OrganizationalSetting id="V-205662" PolicyValue="14" />
|
||||
<!-- Ensure ''V-205756'' -match '^(Administrators,NT Virtual Machine\\Virtual Machines|Administrators)$'-->
|
||||
<OrganizationalSetting id="V-205756" Identity="Administrators" />
|
||||
<!-- Ensure ''V-205795'' -ge '15' -or ''V-205795'' -eq '0'-->
|
||||
<OrganizationalSetting id="V-205795" PolicyValue="15" />
|
||||
<!-- Ensure ''V-205909'' -ne 'Administrator'-->
|
||||
<OrganizationalSetting id="V-205909" OptionValue="" />
|
||||
<!-- Ensure ''V-205910'' -ne 'Guest'-->
|
||||
<OrganizationalSetting id="V-205910" OptionValue="" />
|
||||
</OrganizationalSettings>
|
||||
<!--
|
||||
The organizational settings file is used to define the local organizations
|
||||
preferred setting within an allowed range of the STIG.
|
||||
|
||||
Each setting in this file is linked by STIG ID and the valid range is in an
|
||||
associated comment.
|
||||
-->
|
||||
<OrganizationalSettings fullversion="2.7">
|
||||
<!-- Ensure 'V-205631' is set to the required legal notice before logon-->
|
||||
<OrganizationalSetting id="V-205631" ValueData="You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
|
||||
|
||||
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
|
||||
|
||||
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
|
||||
|
||||
-At any time, the USG may inspect and seize data stored on this IS.
|
||||
|
||||
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
|
||||
|
||||
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
|
||||
|
||||
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." />
|
||||
<!-- Ensure ''V-205632'' -match '^(DoD Notice and Consent Banner|US Department of Defense Warning Statement)$'-->
|
||||
<OrganizationalSetting id="V-205632" ValueData="DoD Notice and Consent Banner" />
|
||||
<!-- Ensure ''V-205633'' -le '900' -and ''V-205633'' -gt '0'-->
|
||||
<OrganizationalSetting id="V-205633" ValueData="900" />
|
||||
<!-- Ensure location for DoD Root CA 3 certificate is present-->
|
||||
<OrganizationalSetting id="V-205648.a" Location="" />
|
||||
<!-- Ensure location for DoD Root CA 4 certificate is present-->
|
||||
<OrganizationalSetting id="V-205648.b" Location="" />
|
||||
<!-- Ensure location for DoD Root CA 5 certificate is present-->
|
||||
<OrganizationalSetting id="V-205648.c" Location="" />
|
||||
<!-- Ensure location for DoD Interoperability Root CA 2 certificate is present-->
|
||||
<OrganizationalSetting id="V-205649" Location="" />
|
||||
<!-- Ensure location for US DoD CCEB Interoperability Root CA 2 certificate is present-->
|
||||
<OrganizationalSetting id="V-205650" Location="" />
|
||||
<!-- Ensure ''V-205703'' -le '600' -and ''V-205703'' -ne '0'-->
|
||||
<OrganizationalSetting id="V-205703" PolicyValue="600" />
|
||||
<!-- Ensure ''V-205704'' -le '10' -and ''V-205704'' -ne '0'-->
|
||||
<OrganizationalSetting id="V-205704" PolicyValue="10" />
|
||||
<!-- Ensure ''V-205705'' -le '7'-->
|
||||
<OrganizationalSetting id="V-205705" PolicyValue="7" />
|
||||
<!-- Ensure ''V-205706'' -le '5'-->
|
||||
<OrganizationalSetting id="V-205706" PolicyValue="5" />
|
||||
<!-- Ensure ''V-205717'' -match '1|2'-->
|
||||
<OrganizationalSetting id="V-205717" ValueData="1" />
|
||||
<!-- Ensure ''V-205796'' -ge '32768'-->
|
||||
<OrganizationalSetting id="V-205796" ValueData="32768" />
|
||||
<!-- Ensure ''V-205797'' -ge '196608'-->
|
||||
<OrganizationalSetting id="V-205797" ValueData="196608" />
|
||||
<!-- Ensure ''V-205798'' -ge '32768'-->
|
||||
<OrganizationalSetting id="V-205798" ValueData="32768" />
|
||||
<!-- Ensure ServiceName/StartupType is populated with correct AntiVirus service information-->
|
||||
<OrganizationalSetting id="V-205850" ServiceName="" StartupType="" />
|
||||
<!-- Ensure ''V-205864.b'' -match '1|3'-->
|
||||
<OrganizationalSetting id="V-205864.b" ValueData="1" />
|
||||
<!-- Ensure ''V-205865'' -match '1|3|8|ShouldBeAbsent'-->
|
||||
<OrganizationalSetting id="V-205865" ValueData="8" />
|
||||
<!-- Ensure ''V-205869'' -match '0|1'-->
|
||||
<OrganizationalSetting id="V-205869" ValueData="0" />
|
||||
<!-- Ensure ''V-205870'' -match '0|1|2|99|100'-->
|
||||
<OrganizationalSetting id="V-205870" ValueData="0" />
|
||||
<!-- Ensure ''V-205911'' -le '30' -and ''V-205911'' -gt '0'-->
|
||||
<OrganizationalSetting id="V-205911" ValueData="30" />
|
||||
<!-- Ensure ''V-205912'' -match '1|2'-->
|
||||
<OrganizationalSetting id="V-205912" ValueData="1" />
|
||||
<!-- Ensure ServiceName/StartupType is populated with correct Firewall service information-->
|
||||
<OrganizationalSetting id="V-214936" ServiceName="" StartupType="" />
|
||||
<!-- Ensure ''V-205629'' -le '3' -and ''V-205629'' -ne '0'-->
|
||||
<OrganizationalSetting id="V-205629" PolicyValue="3" />
|
||||
<!-- Ensure ''V-205630'' -ge '15'-->
|
||||
<OrganizationalSetting id="V-205630" PolicyValue="15" />
|
||||
<!-- Ensure ''V-205656'' -ne '0'-->
|
||||
<OrganizationalSetting id="V-205656" PolicyValue="1" />
|
||||
<!-- Ensure ''V-205659'' -le '60' -and ''V-205659'' -ne '0'-->
|
||||
<OrganizationalSetting id="V-205659" PolicyValue="60" />
|
||||
<!-- Ensure ''V-205660'' -ge '24'-->
|
||||
<OrganizationalSetting id="V-205660" PolicyValue="24" />
|
||||
<!-- Ensure ''V-205662'' -ge '14'-->
|
||||
<OrganizationalSetting id="V-205662" PolicyValue="14" />
|
||||
<!-- Ensure ''V-205756'' -match '^(Administrators,NT Virtual Machine\\Virtual Machines|Administrators)$'-->
|
||||
<OrganizationalSetting id="V-205756" Identity="Administrators" />
|
||||
<!-- Ensure ''V-205795'' -ge '15' -or ''V-205795'' -eq '0'-->
|
||||
<OrganizationalSetting id="V-205795" PolicyValue="15" />
|
||||
<!-- Ensure ''V-205909'' -ne 'Administrator'-->
|
||||
<OrganizationalSetting id="V-205909" OptionValue="" />
|
||||
<!-- Ensure ''V-205910'' -ne 'Guest'-->
|
||||
<OrganizationalSetting id="V-205910" OptionValue="" />
|
||||
</OrganizationalSettings>
|
||||
Разница между файлами не показана из-за своего большого размера
Загрузить разницу
|
|
@ -5,7 +5,7 @@
|
|||
Each setting in this file is linked by STIG ID and the valid range is in an
|
||||
associated comment.
|
||||
-->
|
||||
<OrganizationalSettings fullversion="2.4">
|
||||
<OrganizationalSettings fullversion="2.6">
|
||||
<!-- Ensure 'V-205631' is set to the required legal notice before logon-->
|
||||
<OrganizationalSetting id="V-205631" ValueData="You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
|
||||
|
||||
|
|
@ -31,13 +31,9 @@ By using this IS (which includes any device attached to this IS), you consent to
|
|||
<!-- Ensure location for DoD Root CA 5 certificate is present-->
|
||||
<OrganizationalSetting id="V-205648.c" Location="" />
|
||||
<!-- Ensure location for DoD Interoperability Root CA 2 certificate is present-->
|
||||
<OrganizationalSetting id="V-205649.a" Location="" />
|
||||
<!-- Ensure location for DoD Interoperability Root CA 1 certificate is present-->
|
||||
<OrganizationalSetting id="V-205649.b" Location="" />
|
||||
<OrganizationalSetting id="V-205649" Location="" />
|
||||
<!-- Ensure location for US DoD CCEB Interoperability Root CA 2 certificate is present-->
|
||||
<OrganizationalSetting id="V-205650.a" Location="" />
|
||||
<!-- Ensure location for US DoD CCEB Interoperability Root CA 2 certificate is present-->
|
||||
<OrganizationalSetting id="V-205650.b" Location="" />
|
||||
<OrganizationalSetting id="V-205650" Location="" />
|
||||
<!-- Ensure ''V-205717'' -match '1|2'-->
|
||||
<OrganizationalSetting id="V-205717" ValueData="1" />
|
||||
<!-- Ensure ''V-205796'' -ge '32768'-->
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
<DISASTIG version="2" classification="UNCLASSIFIED" customname="" stigid="Windows_Server_2019_MS_STIG" description="This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil." filename="U_MS_Windows_Server_2019_MS_STIG_V2R4_Manual-xccdf.xml" releaseinfo="Release: 4 Benchmark Date: 31 May 2022 3.3.0.27375 1.10.0" title="Microsoft Windows Server 2019 Security Technical Implementation Guide" notice="terms-of-use" source="STIG.DOD.MIL" fullversion="2.4" created="10/11/2022">
|
||||
<DISASTIG version="2" classification="UNCLASSIFIED" customname="" stigid="Windows_Server_2019_MS_STIG" description="This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil." filename="U_MS_Windows_Server_2019_MS_STIG_V2R6_Manual-xccdf.xml" releaseinfo="Release: 6 Benchmark Date: 11 May 2023 3.4.0.34222 1.10.0" title="Microsoft Windows Server 2019 Security Technical Implementation Guide" notice="terms-of-use" source="STIG.DOD.MIL" fullversion="2.6" created="5/16/2023">
|
||||
<AccountPolicyRule dscresourcemodule="SecurityPolicyDsc">
|
||||
<Rule id="V-205629" severity="medium" conversionstatus="pass" title="SRG-OS-000021-GPOS-00005" dscresource="AccountPolicy">
|
||||
<Description><VulnDiscussion>The account lockout feature, when enabled, prevents brute-force password attacks on the system. The higher this value is, the less effective the account lockout feature will be in protecting the local system. The number of bad logon attempts must be reasonably small to minimize the possibility of a successful password attack while allowing for honest errors made during normal user logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
|
|
@ -320,34 +320,6 @@ If the system does not audit the following, this is a finding.
|
|||
Logon/Logoff >> Logon - Failure</RawString>
|
||||
<Subcategory>Logon</Subcategory>
|
||||
</Rule>
|
||||
<Rule id="V-205729" severity="medium" conversionstatus="pass" title="SRG-OS-000240-GPOS-00090" dscresource="AuditPolicySubcategory">
|
||||
<AuditFlag>Success</AuditFlag>
|
||||
<Description><VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.
|
||||
|
||||
Account Lockout events can be used to identify potentially malicious logon attempts.
|
||||
|
||||
Satisfies: SRG-OS-000240-GPOS-00090, SRG-OS-000470-GPOS-00214</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>V-92987</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
|
||||
Use the "AuditPol" tool to review the current Audit Policy configuration:
|
||||
|
||||
Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator").
|
||||
|
||||
Enter "AuditPol /get /category:*"
|
||||
|
||||
Compare the "AuditPol" settings with the following:
|
||||
|
||||
If the system does not audit the following, this is a finding.
|
||||
|
||||
Logon/Logoff >> Account Lockout - Success</RawString>
|
||||
<Subcategory>Account Lockout</Subcategory>
|
||||
</Rule>
|
||||
<Rule id="V-205730" severity="medium" conversionstatus="pass" title="SRG-OS-000240-GPOS-00090" dscresource="AuditPolicySubcategory">
|
||||
<AuditFlag>Failure</AuditFlag>
|
||||
<Description><VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.
|
||||
|
|
@ -1179,7 +1151,7 @@ Enter "Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 35.00:00:00"
|
|||
|
||||
This will return accounts that have not been logged on to for 35 days, along with various attributes such as the Enabled status and LastLogonDate.
|
||||
|
||||
Member servers and standalone systems:
|
||||
Member servers and standalone or nondomain-joined systems:
|
||||
|
||||
Copy or enter the lines below to the PowerShell window and enter. (Entering twice may be required. Do not include the quotes at the beginning and end of the query.)
|
||||
|
||||
|
|
@ -1276,7 +1248,7 @@ Enter "Search-ADAccount -AccountExpiring | FT Name, AccountExpirationDate".
|
|||
|
||||
If "AccountExpirationDate" has not been defined within 72 hours for any temporary user account, this is a finding.
|
||||
|
||||
Member servers and standalone systems:
|
||||
Member servers and standalone or nondomain-joined systems:
|
||||
|
||||
Open "Command Prompt".
|
||||
|
||||
|
|
@ -1303,7 +1275,7 @@ Enter "Get-ADUser -Filter * -Properties SID, PasswordLastSet | Where SID -Like "
|
|||
|
||||
If the "PasswordLastSet" date is greater than "60" days old, this is a finding.
|
||||
|
||||
Member servers and standalone systems:
|
||||
Member servers and standalone or nondomain-joined systems:
|
||||
|
||||
Open "Command Prompt".
|
||||
|
||||
|
|
@ -1332,7 +1304,7 @@ Exclude application accounts, disabled accounts (e.g., DefaultAccount, Guest) an
|
|||
|
||||
If any enabled user accounts are returned with a "PasswordNeverExpires" status of "True", this is a finding.
|
||||
|
||||
Member servers and standalone systems:
|
||||
Member servers and standalone or nondomain-joined systems:
|
||||
|
||||
Enter 'Get-CimInstance -Class Win32_Useraccount -Filter "PasswordExpires=False and LocalAccount=True" | FT Name, PasswordExpires, Disabled, LocalAccount'.
|
||||
|
||||
|
|
@ -1399,7 +1371,7 @@ Exclude disabled accounts (e.g., DefaultAccount, Guest) and Trusted Domain Objec
|
|||
|
||||
If "Passwordnotrequired" is "True" or blank for any enabled user account, this is a finding.
|
||||
|
||||
Member servers and standalone systems:
|
||||
Member servers and standalone or nondomain-joined systems:
|
||||
|
||||
Enter 'Get-CimInstance -Class Win32_Useraccount -Filter "PasswordRequired=False and LocalAccount=True" | FT Name, PasswordRequired, Disabled, LocalAccount'.
|
||||
|
||||
|
|
@ -1432,7 +1404,7 @@ Enter "Search-ADAccount -AccountExpiring | FT Name, AccountExpirationDate".
|
|||
|
||||
If "AccountExpirationDate" has been defined and is not within 72 hours for an emergency administrator account, this is a finding.
|
||||
|
||||
Member servers and standalone systems:
|
||||
Member servers and standalone or nondomain-joined systems:
|
||||
|
||||
Open "Command Prompt".
|
||||
|
||||
|
|
@ -1485,7 +1457,7 @@ If they do not, this is a finding.</RawString>
|
|||
|
||||
System administrators must log on to systems using only accounts with the minimum level of authority necessary.
|
||||
|
||||
For domain-joined member servers, the Domain Admins group must be replaced by a domain member server administrator group (see V-36433 in the Active Directory Domain STIG). Restricting highly privileged accounts from the local Administrators group helps mitigate the risk of privilege escalation resulting from credential theft attacks.
|
||||
For domain-joined member servers, the Domain Admins group must be replaced by a domain member server administrator group (refer to AD.0003 in the Active Directory Domain STIG). Restricting highly privileged accounts from the local Administrators group helps mitigate the risk of privilege escalation resulting from credential theft attacks.
|
||||
|
||||
Standard user accounts must not be members of the built-in Administrators group.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
|
|
@ -1493,7 +1465,7 @@ Standard user accounts must not be members of the built-in Administrators group.
|
|||
<LegacyId>V-93043</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>This applies to member servers and standalone systems. A separate version applies to domain controllers.
|
||||
<RawString>This applies to member servers and standalone or nondomain-joined systems. A separate version applies to domain controllers.
|
||||
|
||||
Open "Computer Management".
|
||||
|
||||
|
|
@ -1541,7 +1513,7 @@ If the value for "Type" under "NTP Client" is not "NT5DS", this is a finding.
|
|||
|
||||
Other systems:
|
||||
|
||||
If systems are configured with a "Type" of "NTP", including standalone systems and the domain controller with the PDC Emulator role, and do not have a DoD time server defined for "NTPServer", this is a finding.
|
||||
If systems are configured with a "Type" of "NTP", including standalone or nondomain-joined systems and the domain controller with the PDC Emulator role, and do not have a DoD time server defined for "NTPServer", this is a finding.
|
||||
|
||||
To determine the domain controller with the PDC Emulator role:
|
||||
|
||||
|
|
@ -1560,26 +1532,24 @@ Enter "Get-ADDomain | FT PDCEmulator".</RawString>
|
|||
|
||||
If system files are not monitored for unauthorized changes, this is a finding.
|
||||
|
||||
A properly configured and approved DoD ESS solution that supports a File Integrity Monitor (FIM) module will meet the requirement for file integrity checking. </RawString>
|
||||
An approved and properly configured solution will contain both a list of baselines that includes all system file locations and a file comparison task that is scheduled to run at least weekly.</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-205807" severity="medium" conversionstatus="pass" title="SRG-OS-000370-GPOS-00155" dscresource="None">
|
||||
<Description><VulnDiscussion>Using a whitelist provides a configuration management method to allow the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities.
|
||||
<Description><VulnDiscussion>Using an allowlist provides a configuration management method to allow the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities.
|
||||
|
||||
The organization must identify authorized software programs and only permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
The organization must identify authorized software programs and only permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as allowlisting.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>V-93379</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>This is applicable to unclassified systems. For other systems, this is NA.
|
||||
<RawString>Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
|
||||
|
||||
Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
|
||||
If an application allowlisting program is not in use on the system, this is a finding.
|
||||
|
||||
If an application whitelisting program is not in use on the system, this is a finding.
|
||||
Configuration of allowlisting applications will vary by the program.
|
||||
|
||||
Configuration of whitelisting applications will vary by the program.
|
||||
|
||||
AppLocker is a whitelisting application built into Windows Server. A deny-by-default implementation is initiated by enabling any AppLocker rules within a category, only allowing what is specified by defined rules.
|
||||
AppLocker is an allowlisting application built into Windows Server. A deny-by-default implementation is initiated by enabling any AppLocker rules within a category, only allowing what is specified by defined rules.
|
||||
|
||||
If AppLocker is used, perform the following to view the configuration of AppLocker:
|
||||
|
||||
|
|
@ -1595,9 +1565,9 @@ Get-AppLockerPolicy -Effective -XML > c:\temp\file.xml
|
|||
|
||||
This will produce an xml file with the effective settings that can be viewed in a browser or opened in a program such as Excel for review.
|
||||
|
||||
Implementation guidance for AppLocker is available in the NSA paper "Application Whitelisting using Microsoft AppLocker" at the following link:
|
||||
Implementation guidance for AppLocker is available at the following link:
|
||||
|
||||
https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm</RawString>
|
||||
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-205829" severity="medium" conversionstatus="pass" title="SRG-OS-000425-GPOS-00189" dscresource="None">
|
||||
<Description><VulnDiscussion>Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information.
|
||||
|
|
@ -1617,13 +1587,13 @@ Satisfies: SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190</VulnDiscussion
|
|||
If protection methods have not been implemented, this is a finding.</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-205843" severity="medium" conversionstatus="pass" title="SRG-OS-000479-GPOS-00224" dscresource="None">
|
||||
<Description><VulnDiscussion>Protection of log data includes assuring the log data is not accidentally lost or deleted. Audit information stored in one location is vulnerable to accidental or incidental deletion or alteration.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>Protection of log data includes ensuring the log data is not accidentally lost or deleted. Audit information stored in one location is vulnerable to accidental or incidental deletion or alteration.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>V-93185</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Verify the audit records, at a minimum, are off-loaded for interconnected systems in real time and off-loaded for standalone systems weekly.
|
||||
<RawString>Verify the audit records, at a minimum, are offloaded for interconnected systems in real time and offloaded for standalone or nondomain-joined systems weekly.
|
||||
|
||||
If they are not, this is a finding.</RawString>
|
||||
</Rule>
|
||||
|
|
@ -1693,8 +1663,7 @@ Enter "Get-AdUser -Identity [application account name] -Properties PasswordLastS
|
|||
|
||||
If the "PasswordLastSet" date is more than one year old, this is a finding.
|
||||
|
||||
|
||||
Member servers and standalone systems:
|
||||
Member servers and standalone or nondomain-joined systems:
|
||||
|
||||
Open "Command Prompt".
|
||||
|
||||
|
|
@ -1709,9 +1678,7 @@ If the "Password Last Set" date is more than one year old, this is a finding.</R
|
|||
<LegacyId>V-93213</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>For standalone systems, this is NA.
|
||||
|
||||
Current hardware and virtual environments may not support virtualization-based security features, including Credential Guard, due to specific supporting requirements including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within a virtual machine.
|
||||
<RawString>For standalone or nondomain-joined systems, this is NA.
|
||||
|
||||
Verify the system has a TPM and it is ready for use.
|
||||
|
||||
|
|
@ -2588,7 +2555,7 @@ Inherited from - "None" for all
|
|||
Principal - Access - Applies to
|
||||
SYSTEM - Full Control - This key and subkeys
|
||||
Administrators - Special - This key and subkeys
|
||||
Server Operators – Read – This Key and subkeys (Domain controllers only)
|
||||
Server Operators – Read – This Key and subkeys (Domain controllers only)
|
||||
Other examples under the noted keys may also be sampled. There may be some instances where non-privileged groups have greater than Read permission.
|
||||
Microsoft has given Read permission to the SOFTWARE and SYSTEM registry keys in Windows Server 2019 to the following SID, this is currently not a finding.
|
||||
S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681
|
||||
|
|
@ -2669,7 +2636,7 @@ Administrators - Full Control - This key and subkeys
|
|||
SYSTEM - Full Control - This key and subkeys
|
||||
CREATOR OWNER - Full Control - This key and subkeys
|
||||
ALL APPLICATION PACKAGES - Read - This key and subkeys
|
||||
Server Operators – Read – This Key and subkeys (Domain controllers only)
|
||||
Server Operators – Read – This Key and subkeys (Domain controllers only)
|
||||
Other examples under the noted keys may also be sampled. There may be some instances where non-privileged groups have greater than Read permission.
|
||||
Microsoft has given Read permission to the SOFTWARE and SYSTEM registry keys in Windows Server 2019 to the following SID, this is currently not a finding.
|
||||
S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681
|
||||
|
|
@ -2750,7 +2717,7 @@ Administrators - Full Control - This key and subkeys
|
|||
SYSTEM - Full Control - This key and subkeys
|
||||
CREATOR OWNER - Full Control - Subkeys only
|
||||
ALL APPLICATION PACKAGES - Read - This key and subkeys
|
||||
Server Operators – Read – This Key and subkeys (Domain controllers only)
|
||||
Server Operators – Read – This Key and subkeys (Domain controllers only)
|
||||
Other examples under the noted keys may also be sampled. There may be some instances where non-privileged groups have greater than Read permission.
|
||||
Microsoft has given Read permission to the SOFTWARE and SYSTEM registry keys in Windows Server 2019 to the following SID, this is currently not a finding.
|
||||
S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681
|
||||
|
|
@ -2816,11 +2783,11 @@ Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
|
|||
Value Name: LegalNoticeCaption
|
||||
|
||||
Value Type: REG_SZ
|
||||
Value: See message title options below
|
||||
Value: Refer to message title options below
|
||||
|
||||
"DoD Notice and Consent Banner", "US Department of Defense Warning Statement", or an organization-defined equivalent.
|
||||
|
||||
If an organization-defined title is used, it can in no case contravene or modify the language of the banner text required in WN19-SO-000150.
|
||||
If an organization-defined title is used, it can in no case contravene or modify the language of the banner text required in WN19-SO-000130.
|
||||
|
||||
Automated tools may only search for the titles defined above. If an organization-defined title is used, a manual review will be required.</RawString>
|
||||
<ValueData />
|
||||
|
|
@ -3313,7 +3280,7 @@ Value: 0x00000000 (0)</RawString>
|
|||
<LegacyId>V-93419</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>This applies to member servers. For domain controllers and standalone systems, this is NA.
|
||||
<RawString>This applies to member servers. For domain controllers and standalone or nondomain-joined systems, this is NA.
|
||||
|
||||
If the following registry value does not exist or is not configured as specified, this is a finding:
|
||||
|
||||
|
|
@ -3451,7 +3418,7 @@ With User Account Control enabled, filtering the privileged token for local admi
|
|||
<LegacyId>V-93519</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>This applies to member servers. For domain controllers and standalone systems, this is NA.
|
||||
<RawString>This applies to member servers. For domain controllers and standalone or nondomain-joined systems, this is NA.
|
||||
|
||||
If the following registry value does not exist or is not configured as specified, this is a finding:
|
||||
|
||||
|
|
@ -3664,7 +3631,7 @@ Value: 0x00000001 (1)</RawString>
|
|||
<LegacyId>V-93045</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>This applies to member servers and standalone systems; it is NA for domain controllers.
|
||||
<RawString>This applies to member servers and standalone or nondomain-joined systems. It is NA for domain controllers.
|
||||
|
||||
If the following registry value does not exist or is not configured as specified, this is a finding:
|
||||
|
||||
|
|
@ -4020,7 +3987,7 @@ Value: 0x00000001 (1)</RawString>
|
|||
<LegacyId>V-93453</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>This applies to member servers and standalone systems, it is NA for domain controllers.
|
||||
<RawString>This applies to member servers and standalone or nondomain-joined systems. It is NA for domain controllers.
|
||||
|
||||
If the following registry value does not exist or is not configured as specified, this is a finding:
|
||||
|
||||
|
|
@ -4520,7 +4487,7 @@ Value: 0x00000001 (1)</RawString>
|
|||
<ValueType>Dword</ValueType>
|
||||
</Rule>
|
||||
<Rule id="V-205864.a" severity="medium" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="RegistryPolicyFile">
|
||||
<Description><VulnDiscussion>Virtualization-Based Security (VBS) provides the platform for the additional security features Credential Guard and virtualization-based protection of code integrity. Secure Boot is the minimum security level, with DMA protection providing additional memory protection. DMA Protection requires a CPU that supports input/output memory management unit (IOMMU).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>Virtualization-based security (VBS) provides the platform for the additional security features Credential Guard and virtualization-based protection of code integrity. Secure Boot is the minimum security level, with DMA protection providing additional memory protection. DMA Protection requires a CPU that supports input/output memory management unit (IOMMU).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
|
|
@ -4538,7 +4505,7 @@ Value: 0x00000001 (1)</RawString>
|
|||
<ValueType>Dword</ValueType>
|
||||
</Rule>
|
||||
<Rule id="V-205864.b" severity="medium" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="RegistryPolicyFile">
|
||||
<Description><VulnDiscussion>Virtualization-Based Security (VBS) provides the platform for the additional security features Credential Guard and virtualization-based protection of code integrity. Secure Boot is the minimum security level, with DMA protection providing additional memory protection. DMA Protection requires a CPU that supports input/output memory management unit (IOMMU).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>Virtualization-based security (VBS) provides the platform for the additional security features Credential Guard and virtualization-based protection of code integrity. Secure Boot is the minimum security level, with DMA protection providing additional memory protection. DMA Protection requires a CPU that supports input/output memory management unit (IOMMU).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
|
|
@ -4818,7 +4785,7 @@ Value: 0x00000000 (0) (or if the Value Name does not exist)</RawString>
|
|||
<LegacyId>V-93275</LegacyId>
|
||||
<OrganizationValueRequired>True</OrganizationValueRequired>
|
||||
<OrganizationValueTestString>'{0}' -le '4'</OrganizationValueTestString>
|
||||
<RawString>This applies to member servers. For domain controllers and standalone systems, this is NA.
|
||||
<RawString>This applies to member servers. For domain controllers and standalone or nondomain-joined systems, this is NA.
|
||||
|
||||
If the following registry value does not exist or is not configured as specified, this is a finding:
|
||||
|
||||
|
|
@ -4842,7 +4809,7 @@ Value: 4 (or less)</RawString>
|
|||
<LegacyId>V-93277</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>For domain controllers and standalone systems, this is NA.
|
||||
<RawString>For domain controllers and standalone or nondomain-joined systems, this is NA.
|
||||
|
||||
Open "PowerShell" with elevated privileges (run as administrator).
|
||||
|
||||
|
|
@ -5057,7 +5024,7 @@ Value: 0x00000000 (0)</RawString>
|
|||
<ValueType>Dword</ValueType>
|
||||
</Rule>
|
||||
<Rule id="V-205919" severity="high" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="Registry">
|
||||
<Description><VulnDiscussion>The Kerberos v5 authentication protocol is the default for authentication of users who are logging on to domain accounts. NTLM, which is less secure, is retained in later Windows versions for compatibility with clients and servers that are running earlier versions of Windows or applications that still use it. It is also used to authenticate logons to standalone computers that are running later versions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>The Kerberos v5 authentication protocol is the default for authentication of users who are logging on to domain accounts. NTLM, which is less secure, is retained in later Windows versions for compatibility with clients and servers that are running earlier versions of Windows or applications that still use it. It is also used to authenticate logons to standalone or nondomain-joined computers that are running later versions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
|
|
@ -5300,61 +5267,120 @@ Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000403-GPOS-00182</VulnDiscussion
|
|||
<RawString>DoD Root CA 5,4ECB5CC3095670454DA1CBD410FC921F46B8564B</RawString>
|
||||
<Thumbprint>4ECB5CC3095670454DA1CBD410FC921F46B8564B</Thumbprint>
|
||||
</Rule>
|
||||
<Rule id="V-205649.a" severity="medium" conversionstatus="pass" title="SRG-OS-000066-GPOS-00034" dscresource="CertificateDSC">
|
||||
<Rule id="V-205649" severity="medium" conversionstatus="pass" title="SRG-OS-000066-GPOS-00034" dscresource="CertificateDSC">
|
||||
<CertificateName>DoD Interoperability Root CA 2</CertificateName>
|
||||
<Description><VulnDiscussion>To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CAs, the DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. This requirement only applies to unclassified systems.
|
||||
|
||||
Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000403-GPOS-00182</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>V-93489.a</LegacyId>
|
||||
<LegacyId>V-93489</LegacyId>
|
||||
<Location />
|
||||
<OrganizationValueRequired>True</OrganizationValueRequired>
|
||||
<OrganizationValueTestString>location for DoD Interoperability Root CA 2 certificate is present</OrganizationValueTestString>
|
||||
<RawString>DoD Interoperability Root CA 2,AC06108CA348CC03B53795C64BF84403C1DBD341</RawString>
|
||||
<Thumbprint>AC06108CA348CC03B53795C64BF84403C1DBD341</Thumbprint>
|
||||
</Rule>
|
||||
<Rule id="V-205649.b" severity="medium" conversionstatus="pass" title="SRG-OS-000066-GPOS-00034" dscresource="CertificateDSC">
|
||||
<CertificateName>DoD Interoperability Root CA 1</CertificateName>
|
||||
<Description><VulnDiscussion>To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CAs, the DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. This requirement only applies to unclassified systems.
|
||||
<RawString>This is applicable to unclassified systems. It is NA for others.
|
||||
|
||||
Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000403-GPOS-00182</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>V-93489.b</LegacyId>
|
||||
<Location />
|
||||
<OrganizationValueRequired>True</OrganizationValueRequired>
|
||||
<OrganizationValueTestString>location for DoD Interoperability Root CA 1 certificate is present</OrganizationValueTestString>
|
||||
<RawString>DoD Interoperability Root CA 1,49CBE933151872E17C8EAE7F0ABA97FB610F6477</RawString>
|
||||
Open "PowerShell" as an administrator.
|
||||
|
||||
Execute the following command:
|
||||
|
||||
Get-ChildItem -Path Cert:Localmachine\disallowed | Where {$_.Issuer -Like "*DoD Interoperability*" -and $_.Subject -Like "*DoD*"} | FL Subject, Issuer, Thumbprint, NotAfter
|
||||
|
||||
If the following certificate "Subject", "Issuer", and "Thumbprint" information is not displayed, this is a finding.
|
||||
|
||||
Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US
|
||||
Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US
|
||||
Thumbprint: 49CBE933151872E17C8EAE7F0ABA97FB610F6477
|
||||
NotAfter: 11/16/2024 9:57:16 AM
|
||||
|
||||
Alternately, use the Certificates MMC snap-in:
|
||||
|
||||
Run "MMC".
|
||||
|
||||
Select "File", "Add/Remove Snap-in".
|
||||
|
||||
Select "Certificates" and click "Add".
|
||||
|
||||
Select "Computer account" and click "Next".
|
||||
|
||||
Select "Local computer: (the computer this console is running on)" and click "Finish".
|
||||
|
||||
Click "OK".
|
||||
|
||||
Expand "Certificates" and navigate to Untrusted Certificates >> Certificates.
|
||||
|
||||
For each certificate with "DoD Root CA..." under "Issued To" and "DoD Interoperability Root CA..." under "Issued By":
|
||||
|
||||
Right-click on the certificate and select "Open".
|
||||
|
||||
Select the "Details" tab.
|
||||
|
||||
Scroll to the bottom and select "Thumbprint".
|
||||
|
||||
If the certificate below is not listed or the value for the "Thumbprint" field is not as noted, this is a finding.
|
||||
|
||||
Issued to: DoD Root CA 3
|
||||
Issued By: DoD Interoperability Root CA 2
|
||||
Thumbprint: 49CBE933151872E17C8EAE7F0ABA97FB610F6477
|
||||
Valid to: 11/16/2024 9:57:16 AM</RawString>
|
||||
<Thumbprint>49CBE933151872E17C8EAE7F0ABA97FB610F6477</Thumbprint>
|
||||
</Rule>
|
||||
<Rule id="V-205650.a" severity="medium" conversionstatus="pass" title="SRG-OS-000066-GPOS-00034" dscresource="CertificateDSC">
|
||||
<Rule id="V-205650" severity="medium" conversionstatus="pass" title="SRG-OS-000066-GPOS-00034" dscresource="CertificateDSC">
|
||||
<CertificateName>US DoD CCEB Interoperability Root CA 2</CertificateName>
|
||||
<Description><VulnDiscussion>To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CAs, the US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. This requirement only applies to unclassified systems.
|
||||
|
||||
Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000403-GPOS-00182</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>V-93491.a</LegacyId>
|
||||
<LegacyId>V-93491</LegacyId>
|
||||
<Location />
|
||||
<OrganizationValueRequired>True</OrganizationValueRequired>
|
||||
<OrganizationValueTestString>location for US DoD CCEB Interoperability Root CA 2 certificate is present</OrganizationValueTestString>
|
||||
<RawString>US DoD CCEB Interoperability Root CA 2,AF132AC65DE86FC4FB3FE51FD637EBA0FF0B12A9</RawString>
|
||||
<Thumbprint>AF132AC65DE86FC4FB3FE51FD637EBA0FF0B12A9</Thumbprint>
|
||||
</Rule>
|
||||
<Rule id="V-205650.b" severity="medium" conversionstatus="pass" title="SRG-OS-000066-GPOS-00034" dscresource="CertificateDSC">
|
||||
<CertificateName>US DoD CCEB Interoperability Root CA 2</CertificateName>
|
||||
<Description><VulnDiscussion>To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CAs, the US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. This requirement only applies to unclassified systems.
|
||||
<RawString>This is applicable to unclassified systems. It is NA for others.
|
||||
|
||||
Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000403-GPOS-00182</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>V-93491.b</LegacyId>
|
||||
<Location />
|
||||
<OrganizationValueRequired>True</OrganizationValueRequired>
|
||||
<OrganizationValueTestString>location for US DoD CCEB Interoperability Root CA 2 certificate is present</OrganizationValueTestString>
|
||||
<RawString>US DoD CCEB Interoperability Root CA 2,929BF3196896994C0A201DF4A5B71F603FEFBF2E</RawString>
|
||||
<Thumbprint>929BF3196896994C0A201DF4A5B71F603FEFBF2E</Thumbprint>
|
||||
Open "PowerShell" as an administrator.
|
||||
|
||||
Execute the following command:
|
||||
|
||||
Get-ChildItem -Path Cert:Localmachine\disallowed | Where Issuer -Like "*CCEB Interoperability*" | FL Subject, Issuer, Thumbprint, NotAfter
|
||||
|
||||
If the following certificate "Subject", "Issuer", and "Thumbprint" information is not displayed, this is a finding.
|
||||
|
||||
Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US
|
||||
Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US
|
||||
Thumbprint: 9B74964506C7ED9138070D08D5F8B969866560C8
|
||||
NotAfter: 7/18/2025 9:56:22 AM
|
||||
Alternately, use the Certificates MMC snap-in:
|
||||
|
||||
Run "MMC".
|
||||
|
||||
Select "File", "Add/Remove Snap-in".
|
||||
|
||||
Select "Certificates" and click "Add".
|
||||
|
||||
Select "Computer account" and click "Next".
|
||||
|
||||
Select "Local computer: (the computer this console is running on)" and click "Finish".
|
||||
|
||||
Click "OK".
|
||||
|
||||
Expand "Certificates" and navigate to Untrusted Certificates >> Certificates.
|
||||
|
||||
For each certificate with "US DoD CCEB Interoperability Root CA ..." under "Issued By":
|
||||
|
||||
Right-click on the certificate and select "Open".
|
||||
|
||||
Select the "Details" tab.
|
||||
|
||||
Scroll to the bottom and select "Thumbprint".
|
||||
|
||||
If the certificate below is not listed or the value for the "Thumbprint" field is not as noted, this is a finding.
|
||||
|
||||
Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US
|
||||
Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US
|
||||
Thumbprint: 9B74964506C7ED9138070D08D5F8B969866560C8
|
||||
NotAfter: 7/18/2025 9:56:22 AM</RawString>
|
||||
<Thumbprint>9B74964506C7ED9138070D08D5F8B969866560C8</Thumbprint>
|
||||
</Rule>
|
||||
</RootCertificateRule>
|
||||
<SecurityOptionRule dscresourcemodule="SecurityPolicyDsc">
|
||||
|
|
@ -5450,15 +5476,15 @@ Verify if Windows Defender is in use or enabled:
|
|||
|
||||
Open "PowerShell".
|
||||
|
||||
Enter “get-service | where {$_.DisplayName -Like "*Defender*"} | Select Status,DisplayName”
|
||||
Enter “get-service | where {$_.DisplayName -Like "*Defender*"} | Select Status,DisplayNameâ€
|
||||
|
||||
Verify if third-party anti-virus is in use or enabled:
|
||||
|
||||
Open "PowerShell".
|
||||
|
||||
Enter "get-service | where {$_.DisplayName -Like "*mcafee*"} | Select Status,DisplayName”
|
||||
Enter "get-service | where {$_.DisplayName -Like "*mcafee*"} | Select Status,DisplayNameâ€
|
||||
|
||||
Enter "get-service | where {$_.DisplayName -Like "*symantec*"} | Select Status,DisplayName”
|
||||
Enter "get-service | where {$_.DisplayName -Like "*symantec*"} | Select Status,DisplayNameâ€
|
||||
</RawString>
|
||||
<ServiceName>
|
||||
</ServiceName>
|
||||
|
|
@ -5527,7 +5553,7 @@ Accounts with the "Access this computer from the network" user right may access
|
|||
<LegacyId>V-93007</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>This applies to member servers and standalone systems. A separate version applies to domain controllers.
|
||||
<RawString>This applies to member servers and standalone or nondomain-joined systems. A separate version applies to domain controllers.
|
||||
|
||||
Verify the effective setting in Local Group Policy Editor.
|
||||
|
||||
|
|
@ -5561,7 +5587,7 @@ The Guests group must be assigned this right to prevent unauthenticated access.&
|
|||
<LegacyId>V-93009</LegacyId>
|
||||
<OrganizationValueRequired>True</OrganizationValueRequired>
|
||||
<OrganizationValueTestString>'{0}' -match 'Enterprise Admins,Domain Admins,(Local account and member of Administrators group|Local account),Guests'</OrganizationValueTestString>
|
||||
<RawString>This applies to member servers and standalone systems. A separate version applies to domain controllers.
|
||||
<RawString>This applies to member servers and standalone or nondomain-joined systems. A separate version applies to domain controllers.
|
||||
|
||||
Verify the effective setting in Local Group Policy Editor.
|
||||
|
||||
|
|
@ -5598,7 +5624,7 @@ The Guests group must be assigned to prevent unauthenticated access.</VulnDis
|
|||
<LegacyId>V-93011</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>This applies to member servers and standalone systems. A separate version applies to domain controllers.
|
||||
<RawString>This applies to member servers and standalone or nondomain-joined systems. A separate version applies to domain controllers.
|
||||
|
||||
Verify the effective setting in Local Group Policy Editor.
|
||||
|
||||
|
|
@ -5647,7 +5673,7 @@ If the following accounts or groups are not defined for the "Deny log on as a se
|
|||
- Enterprise Admins Group
|
||||
- Domain Admins Group
|
||||
|
||||
If any accounts or groups are defined for the "Deny log on as a service" user right on non-domain-joined systems, this is a finding.
|
||||
If any accounts or groups are defined for the "Deny log on as a service" user right on nondomain-joined systems, this is a finding.
|
||||
|
||||
</RawString>
|
||||
</Rule>
|
||||
|
|
@ -5668,7 +5694,7 @@ The Guests group must be assigned this right to prevent unauthenticated access.&
|
|||
<LegacyId>V-93015</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>This applies to member servers and standalone systems. A separate version applies to domain controllers.
|
||||
<RawString>This applies to member servers and standalone or nondomain-joined systems. A separate version applies to domain controllers.
|
||||
|
||||
Verify the effective setting in Local Group Policy Editor.
|
||||
|
||||
|
|
@ -5731,7 +5757,7 @@ The Guests group must be assigned this right to prevent unauthenticated access.&
|
|||
<LegacyId>V-92965</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>This applies to member servers and standalone systems. A separate version applies to domain controllers.
|
||||
<RawString>This applies to member servers and standalone or nondomain-joined systems. A separate version applies to domain controllers.
|
||||
|
||||
Verify the effective setting in Local Group Policy Editor.
|
||||
|
||||
|
|
@ -5764,7 +5790,7 @@ The "Enable computer and user accounts to be trusted for delegation" user right
|
|||
<LegacyId>V-93047</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>This applies to member servers and standalone systems. A separate version applies to domain controllers.
|
||||
<RawString>This applies to member servers and standalone or nondomain-joined systems. A separate version applies to domain controllers.
|
||||
|
||||
Verify the effective setting in Local Group Policy Editor.
|
||||
|
||||
|
|
@ -1,89 +1,85 @@
|
|||
<!--
|
||||
The organizational settings file is used to define the local organizations
|
||||
preferred setting within an allowed range of the STIG.
|
||||
|
||||
Each setting in this file is linked by STIG ID and the valid range is in an
|
||||
associated comment.
|
||||
-->
|
||||
<OrganizationalSettings fullversion="2.5">
|
||||
<!-- Ensure 'V-205631' is set to the required legal notice before logon-->
|
||||
<OrganizationalSetting id="V-205631" ValueData="You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
|
||||
|
||||
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
|
||||
|
||||
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
|
||||
|
||||
-At any time, the USG may inspect and seize data stored on this IS.
|
||||
|
||||
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
|
||||
|
||||
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
|
||||
|
||||
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." />
|
||||
<!-- Ensure ''V-205632'' -match '^(DoD Notice and Consent Banner|US Department of Defense Warning Statement)$'-->
|
||||
<OrganizationalSetting id="V-205632" ValueData="DoD Notice and Consent Banner" />
|
||||
<!-- Ensure ''V-205633'' -le '900' -and ''V-205633'' -gt '0'-->
|
||||
<OrganizationalSetting id="V-205633" ValueData="900" />
|
||||
<!-- Ensure location for DoD Root CA 3 certificate is present-->
|
||||
<OrganizationalSetting id="V-205648.a" Location="" />
|
||||
<!-- Ensure location for DoD Root CA 4 certificate is present-->
|
||||
<OrganizationalSetting id="V-205648.b" Location="" />
|
||||
<!-- Ensure location for DoD Root CA 5 certificate is present-->
|
||||
<OrganizationalSetting id="V-205648.c" Location="" />
|
||||
<!-- Ensure location for DoD Interoperability Root CA 2 certificate is present-->
|
||||
<OrganizationalSetting id="V-205649.a" Location="" />
|
||||
<!-- Ensure location for DoD Interoperability Root CA 2 certificate is present-->
|
||||
<OrganizationalSetting id="V-205649.b" Location="" />
|
||||
<!-- Ensure location for US DoD CCEB Interoperability Root CA 2 certificate is present-->
|
||||
<OrganizationalSetting id="V-205650.a" Location="" />
|
||||
<!-- Ensure location for US DoD CCEB Interoperability Root CA 2 certificate is present-->
|
||||
<OrganizationalSetting id="V-205650.b" Location="" />
|
||||
<!-- Ensure ''V-205717'' -match '1|2'-->
|
||||
<OrganizationalSetting id="V-205717" ValueData="1" />
|
||||
<!-- Ensure ''V-205796'' -ge '32768'-->
|
||||
<OrganizationalSetting id="V-205796" ValueData="32768" />
|
||||
<!-- Ensure ''V-205797'' -ge '196608'-->
|
||||
<OrganizationalSetting id="V-205797" ValueData="196608" />
|
||||
<!-- Ensure ''V-205798'' -ge '32768'-->
|
||||
<OrganizationalSetting id="V-205798" ValueData="32768" />
|
||||
<!-- Ensure ServiceName/StartupType is populated with correct AntiVirus service information-->
|
||||
<OrganizationalSetting id="V-205850" ServiceName="" StartupType="" />
|
||||
<!-- Ensure ''V-205864.b'' -match '1|3'-->
|
||||
<OrganizationalSetting id="V-205864.b" ValueData="1" />
|
||||
<!-- Ensure ''V-205865'' -match '1|3|8|ShouldBeAbsent'-->
|
||||
<OrganizationalSetting id="V-205865" ValueData="8" />
|
||||
<!-- Ensure ''V-205869'' -match '0|1'-->
|
||||
<OrganizationalSetting id="V-205869" ValueData="0" />
|
||||
<!-- Ensure ''V-205870'' -match '0|1|2|99|100'-->
|
||||
<OrganizationalSetting id="V-205870" ValueData="0" />
|
||||
<!-- Ensure ''V-205906'' -le '4'-->
|
||||
<OrganizationalSetting id="V-205906" ValueData="4" />
|
||||
<!-- Ensure ''V-205911'' -le '30' -and ''V-205911'' -gt '0'-->
|
||||
<OrganizationalSetting id="V-205911" ValueData="30" />
|
||||
<!-- Ensure ''V-205912'' -match '1|2'-->
|
||||
<OrganizationalSetting id="V-205912" ValueData="1" />
|
||||
<!-- Ensure ServiceName/StartupType is populated with correct Firewall service information-->
|
||||
<OrganizationalSetting id="V-214936" ServiceName="" StartupType="" />
|
||||
<!-- Ensure ''V-205629'' -le '3' -and ''V-205629'' -ne '0'-->
|
||||
<OrganizationalSetting id="V-205629" PolicyValue="3" />
|
||||
<!-- Ensure ''V-205630'' -ge '15'-->
|
||||
<OrganizationalSetting id="V-205630" PolicyValue="15" />
|
||||
<!-- Ensure ''V-205656'' -ne '0'-->
|
||||
<OrganizationalSetting id="V-205656" PolicyValue="1" />
|
||||
<!-- Ensure ''V-205659'' -le '60' -and ''V-205659'' -ne '0'-->
|
||||
<OrganizationalSetting id="V-205659" PolicyValue="60" />
|
||||
<!-- Ensure ''V-205660'' -ge '24'-->
|
||||
<OrganizationalSetting id="V-205660" PolicyValue="24" />
|
||||
<!-- Ensure ''V-205662'' -ge '14'-->
|
||||
<OrganizationalSetting id="V-205662" PolicyValue="14" />
|
||||
<!-- Ensure ''V-205672'' -match 'Enterprise Admins,Domain Admins,(Local account and member of Administrators group|Local account),Guests'-->
|
||||
<OrganizationalSetting id="V-205672" Identity="Enterprise Admins,Domain Admins,Local account and member of Administrators group,Guests" />
|
||||
<!-- Ensure ''V-205756'' -match '^(Administrators,NT Virtual Machine\\Virtual Machines|Administrators)$'-->
|
||||
<OrganizationalSetting id="V-205756" Identity="Administrators" />
|
||||
<!-- Ensure ''V-205795'' -ge '15' -or ''V-205795'' -eq '0'-->
|
||||
<OrganizationalSetting id="V-205795" PolicyValue="15" />
|
||||
<!-- Ensure ''V-205909'' -ne 'Administrator'-->
|
||||
<OrganizationalSetting id="V-205909" OptionValue="" />
|
||||
<!-- Ensure ''V-205910'' -ne 'Guest'-->
|
||||
<OrganizationalSetting id="V-205910" OptionValue="" />
|
||||
</OrganizationalSettings>
|
||||
<!--
|
||||
The organizational settings file is used to define the local organizations
|
||||
preferred setting within an allowed range of the STIG.
|
||||
|
||||
Each setting in this file is linked by STIG ID and the valid range is in an
|
||||
associated comment.
|
||||
-->
|
||||
<OrganizationalSettings fullversion="2.7">
|
||||
<!-- Ensure 'V-205631' is set to the required legal notice before logon-->
|
||||
<OrganizationalSetting id="V-205631" ValueData="You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
|
||||
|
||||
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
|
||||
|
||||
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
|
||||
|
||||
-At any time, the USG may inspect and seize data stored on this IS.
|
||||
|
||||
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
|
||||
|
||||
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
|
||||
|
||||
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." />
|
||||
<!-- Ensure ''V-205632'' -match '^(DoD Notice and Consent Banner|US Department of Defense Warning Statement)$'-->
|
||||
<OrganizationalSetting id="V-205632" ValueData="DoD Notice and Consent Banner" />
|
||||
<!-- Ensure ''V-205633'' -le '900' -and ''V-205633'' -gt '0'-->
|
||||
<OrganizationalSetting id="V-205633" ValueData="900" />
|
||||
<!-- Ensure location for DoD Root CA 3 certificate is present-->
|
||||
<OrganizationalSetting id="V-205648.a" Location="" />
|
||||
<!-- Ensure location for DoD Root CA 4 certificate is present-->
|
||||
<OrganizationalSetting id="V-205648.b" Location="" />
|
||||
<!-- Ensure location for DoD Root CA 5 certificate is present-->
|
||||
<OrganizationalSetting id="V-205648.c" Location="" />
|
||||
<!-- Ensure location for DoD Interoperability Root CA 2 certificate is present-->
|
||||
<OrganizationalSetting id="V-205649" Location="" />
|
||||
<!-- Ensure location for US DoD CCEB Interoperability Root CA 2 certificate is present-->
|
||||
<OrganizationalSetting id="V-205650" Location="" />
|
||||
<!-- Ensure ''V-205717'' -match '1|2'-->
|
||||
<OrganizationalSetting id="V-205717" ValueData="1" />
|
||||
<!-- Ensure ''V-205796'' -ge '32768'-->
|
||||
<OrganizationalSetting id="V-205796" ValueData="32768" />
|
||||
<!-- Ensure ''V-205797'' -ge '196608'-->
|
||||
<OrganizationalSetting id="V-205797" ValueData="196608" />
|
||||
<!-- Ensure ''V-205798'' -ge '32768'-->
|
||||
<OrganizationalSetting id="V-205798" ValueData="32768" />
|
||||
<!-- Ensure ServiceName/StartupType is populated with correct AntiVirus service information-->
|
||||
<OrganizationalSetting id="V-205850" ServiceName="" StartupType="" />
|
||||
<!-- Ensure ''V-205864.b'' -match '1|3'-->
|
||||
<OrganizationalSetting id="V-205864.b" ValueData="1" />
|
||||
<!-- Ensure ''V-205865'' -match '1|3|8|ShouldBeAbsent'-->
|
||||
<OrganizationalSetting id="V-205865" ValueData="8" />
|
||||
<!-- Ensure ''V-205869'' -match '0|1'-->
|
||||
<OrganizationalSetting id="V-205869" ValueData="0" />
|
||||
<!-- Ensure ''V-205870'' -match '0|1|2|99|100'-->
|
||||
<OrganizationalSetting id="V-205870" ValueData="0" />
|
||||
<!-- Ensure ''V-205906'' -le '4'-->
|
||||
<OrganizationalSetting id="V-205906" ValueData="4" />
|
||||
<!-- Ensure ''V-205911'' -le '30' -and ''V-205911'' -gt '0'-->
|
||||
<OrganizationalSetting id="V-205911" ValueData="30" />
|
||||
<!-- Ensure ''V-205912'' -match '1|2'-->
|
||||
<OrganizationalSetting id="V-205912" ValueData="1" />
|
||||
<!-- Ensure ServiceName/StartupType is populated with correct Firewall service information-->
|
||||
<OrganizationalSetting id="V-214936" ServiceName="" StartupType="" />
|
||||
<!-- Ensure ''V-205629'' -le '3' -and ''V-205629'' -ne '0'-->
|
||||
<OrganizationalSetting id="V-205629" PolicyValue="3" />
|
||||
<!-- Ensure ''V-205630'' -ge '15'-->
|
||||
<OrganizationalSetting id="V-205630" PolicyValue="15" />
|
||||
<!-- Ensure ''V-205656'' -ne '0'-->
|
||||
<OrganizationalSetting id="V-205656" PolicyValue="1" />
|
||||
<!-- Ensure ''V-205659'' -le '60' -and ''V-205659'' -ne '0'-->
|
||||
<OrganizationalSetting id="V-205659" PolicyValue="60" />
|
||||
<!-- Ensure ''V-205660'' -ge '24'-->
|
||||
<OrganizationalSetting id="V-205660" PolicyValue="24" />
|
||||
<!-- Ensure ''V-205662'' -ge '14'-->
|
||||
<OrganizationalSetting id="V-205662" PolicyValue="14" />
|
||||
<!-- Ensure ''V-205672'' -match 'Enterprise Admins,Domain Admins,(Local account and member of Administrators group|Local account),Guests'-->
|
||||
<OrganizationalSetting id="V-205672" Identity="Enterprise Admins,Domain Admins,Local account and member of Administrators group,Guests" />
|
||||
<!-- Ensure ''V-205756'' -match '^(Administrators,NT Virtual Machine\\Virtual Machines|Administrators)$'-->
|
||||
<OrganizationalSetting id="V-205756" Identity="Administrators" />
|
||||
<!-- Ensure ''V-205795'' -ge '15' -or ''V-205795'' -eq '0'-->
|
||||
<OrganizationalSetting id="V-205795" PolicyValue="15" />
|
||||
<!-- Ensure ''V-205909'' -ne 'Administrator'-->
|
||||
<OrganizationalSetting id="V-205909" OptionValue="" />
|
||||
<!-- Ensure ''V-205910'' -ne 'Guest'-->
|
||||
<OrganizationalSetting id="V-205910" OptionValue="" />
|
||||
</OrganizationalSettings>
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
<DISASTIG version="2" classification="UNCLASSIFIED" customname="" stigid="Windows_Server_2019_MS_STIG" description="This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil." filename="U_MS_Windows_Server_2019_MS_STIG_V2R3_Manual-xccdf.xml" releaseinfo="Release: 3 Benchmark Date: 01 Nov 2021 3.2.2.36079 1.10.0" title="Microsoft Windows Server 2019 Security Technical Implementation Guide" notice="terms-of-use" source="STIG.DOD.MIL" fullversion="2.3" created="10/11/2022">
|
||||
<DISASTIG version="2" classification="UNCLASSIFIED" customname="" stigid="Windows_Server_2019_MS_STIG" description="This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil." filename="U_MS_Windows_Server_2019_MS_STIG_V2R7_Manual-xccdf.xml" releaseinfo="Release: 7 Benchmark Date: 07 Jun 2023 3.4.0.34222 1.10.0" title="Microsoft Windows Server 2019 Security Technical Implementation Guide" notice="terms-of-use" source="STIG.DOD.MIL" fullversion="2.7" created="6/5/2023">
|
||||
<AccountPolicyRule dscresourcemodule="SecurityPolicyDsc">
|
||||
<Rule id="V-205629" severity="medium" conversionstatus="pass" title="SRG-OS-000021-GPOS-00005" dscresource="AccountPolicy">
|
||||
<Description><VulnDiscussion>The account lockout feature, when enabled, prevents brute-force password attacks on the system. The higher this value is, the less effective the account lockout feature will be in protecting the local system. The number of bad logon attempts must be reasonably small to minimize the possibility of a successful password attack while allowing for honest errors made during normal user logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
|
|
@ -193,7 +193,7 @@ Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPO
|
|||
<LegacyId>V-92979</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
|
||||
Use the "AuditPol" tool to review the current Audit Policy configuration:
|
||||
|
||||
|
|
@ -221,7 +221,7 @@ Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPO
|
|||
<LegacyId>V-92981</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
|
||||
Use the "AuditPol" tool to review the current Audit Policy configuration:
|
||||
|
||||
|
|
@ -249,7 +249,7 @@ Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPO
|
|||
<LegacyId>V-92983</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
|
||||
Use the "AuditPol" tool to review the current Audit Policy configuration:
|
||||
|
||||
|
|
@ -277,7 +277,7 @@ Satisfies: SRG-OS-000032-GPOS-00013, SRG-OS-000470-GPOS-00214, SRG-OS-000472-GPO
|
|||
<LegacyId>V-92967</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
|
||||
Use the "AuditPol" tool to review the current Audit Policy configuration:
|
||||
|
||||
|
|
@ -305,7 +305,7 @@ Satisfies: SRG-OS-000032-GPOS-00013, SRG-OS-000470-GPOS-00214, SRG-OS-000472-GPO
|
|||
<LegacyId>V-92969</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
|
||||
Use the "AuditPol" tool to review the current Audit Policy configuration:
|
||||
|
||||
|
|
@ -320,34 +320,6 @@ If the system does not audit the following, this is a finding.
|
|||
Logon/Logoff >> Logon - Failure</RawString>
|
||||
<Subcategory>Logon</Subcategory>
|
||||
</Rule>
|
||||
<Rule id="V-205729" severity="medium" conversionstatus="pass" title="SRG-OS-000240-GPOS-00090" dscresource="AuditPolicySubcategory">
|
||||
<AuditFlag>Success</AuditFlag>
|
||||
<Description><VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.
|
||||
|
||||
Account Lockout events can be used to identify potentially malicious logon attempts.
|
||||
|
||||
Satisfies: SRG-OS-000240-GPOS-00090, SRG-OS-000470-GPOS-00214</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>V-92987</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
|
||||
Use the "AuditPol" tool to review the current Audit Policy configuration:
|
||||
|
||||
Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator").
|
||||
|
||||
Enter "AuditPol /get /category:*"
|
||||
|
||||
Compare the "AuditPol" settings with the following:
|
||||
|
||||
If the system does not audit the following, this is a finding.
|
||||
|
||||
Logon/Logoff >> Account Lockout - Success</RawString>
|
||||
<Subcategory>Account Lockout</Subcategory>
|
||||
</Rule>
|
||||
<Rule id="V-205730" severity="medium" conversionstatus="pass" title="SRG-OS-000240-GPOS-00090" dscresource="AuditPolicySubcategory">
|
||||
<AuditFlag>Failure</AuditFlag>
|
||||
<Description><VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.
|
||||
|
|
@ -361,7 +333,7 @@ Satisfies: SRG-OS-000240-GPOS-00090, SRG-OS-000470-GPOS-00214</VulnDiscussion
|
|||
<LegacyId>V-92989</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
|
||||
Use the "AuditPol" tool to review the current Audit Policy configuration:
|
||||
|
||||
|
|
@ -389,7 +361,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPO
|
|||
<LegacyId>V-93089</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
|
||||
Use the "AuditPol" tool to review the current Audit Policy configuration:
|
||||
|
||||
|
|
@ -417,7 +389,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000471-GPOS-00215</VulnDiscussion
|
|||
<LegacyId>V-93091</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
|
||||
Use the "AuditPol" tool to review the current Audit Policy configuration:
|
||||
|
||||
|
|
@ -445,7 +417,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPO
|
|||
<LegacyId>V-93093</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
|
||||
Use the "AuditPol" tool to review the current Audit Policy configuration:
|
||||
|
||||
|
|
@ -473,7 +445,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPO
|
|||
<LegacyId>V-93095</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
|
||||
Use the "AuditPol" tool to review the current Audit Policy configuration:
|
||||
|
||||
|
|
@ -501,7 +473,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPO
|
|||
<LegacyId>V-93097</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
|
||||
Use the "AuditPol" tool to review the current Audit Policy configuration:
|
||||
|
||||
|
|
@ -529,7 +501,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPO
|
|||
<LegacyId>V-93099</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
|
||||
Use the "AuditPol" tool to review the current Audit Policy configuration:
|
||||
|
||||
|
|
@ -557,7 +529,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPO
|
|||
<LegacyId>V-93101</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
|
||||
Use the "AuditPol" tool to review the current Audit Policy configuration:
|
||||
|
||||
|
|
@ -585,7 +557,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPO
|
|||
<LegacyId>V-93103</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
|
||||
Use the "AuditPol" tool to review the current Audit Policy configuration:
|
||||
|
||||
|
|
@ -613,7 +585,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPO
|
|||
<LegacyId>V-93105</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
|
||||
Use the "AuditPol" tool to review the current Audit Policy configuration:
|
||||
|
||||
|
|
@ -641,7 +613,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPO
|
|||
<LegacyId>V-93107</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
|
||||
Use the "AuditPol" tool to review the current Audit Policy configuration:
|
||||
|
||||
|
|
@ -669,7 +641,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPO
|
|||
<LegacyId>V-93109</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
|
||||
Use the "AuditPol" tool to review the current Audit Policy configuration:
|
||||
|
||||
|
|
@ -697,7 +669,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPO
|
|||
<LegacyId>V-93111</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
|
||||
Use the "AuditPol" tool to review the current Audit Policy configuration:
|
||||
|
||||
|
|
@ -725,7 +697,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPO
|
|||
<LegacyId>V-93113</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
|
||||
Use the "AuditPol" tool to review the current Audit Policy configuration:
|
||||
|
||||
|
|
@ -753,7 +725,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPO
|
|||
<LegacyId>V-93115</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
|
||||
Use the "AuditPol" tool to review the current Audit Policy configuration:
|
||||
|
||||
|
|
@ -781,7 +753,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPO
|
|||
<LegacyId>V-93117</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
|
||||
Use the "AuditPol" tool to review the current Audit Policy configuration:
|
||||
|
||||
|
|
@ -809,7 +781,7 @@ Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPO
|
|||
<LegacyId>V-93119</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
|
||||
Use the "AuditPol" tool to review the current Audit Policy configuration:
|
||||
|
||||
|
|
@ -835,7 +807,7 @@ Credential Validation records events related to validation tests on credentials
|
|||
<LegacyId>V-93153</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
|
||||
Use the "AuditPol" tool to review the current Audit Policy configuration:
|
||||
|
||||
|
|
@ -861,7 +833,7 @@ Credential Validation records events related to validation tests on credentials
|
|||
<LegacyId>V-93155</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
|
||||
Use the "AuditPol" tool to review the current Audit Policy configuration:
|
||||
|
||||
|
|
@ -887,7 +859,7 @@ Audit Group Membership records information related to the group membership of a
|
|||
<LegacyId>V-93159</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
|
||||
Use the "AuditPol" tool to review the current Audit Policy configuration:
|
||||
|
||||
|
|
@ -915,7 +887,7 @@ Satisfies: SRG-OS-000470-GPOS-00214, SRG-OS-000472-GPOS-00217, SRG-OS-000473-GPO
|
|||
<LegacyId>V-93161</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
|
||||
Use the "AuditPol" tool to review the current Audit Policy configuration:
|
||||
|
||||
|
|
@ -995,7 +967,7 @@ Satisfies: SRG-OS-000472-GPOS-00217, SRG-OS-000480-GPOS-00227</VulnDiscussion
|
|||
<LegacyId>V-93171</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
|
||||
Use the "AuditPol" tool to review the current Audit Policy configuration:
|
||||
|
||||
|
|
@ -1021,7 +993,7 @@ Plug and Play activity records events related to the successful connection of ex
|
|||
<LegacyId>V-93157</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
|
||||
Use the "AuditPol" tool to review the current Audit Policy configuration:
|
||||
|
||||
|
|
@ -1047,7 +1019,7 @@ Removable Storage auditing under Object Access records events related to access
|
|||
<LegacyId>V-93167</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
|
||||
Use the "AuditPol" tool to review the current Audit Policy configuration:
|
||||
|
||||
|
|
@ -1075,7 +1047,7 @@ Removable Storage auditing under Object Access records events related to access
|
|||
<LegacyId>V-93169</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective.
|
||||
|
||||
Use the "AuditPol" tool to review the current Audit Policy configuration:
|
||||
|
||||
|
|
@ -1190,7 +1162,7 @@ Copy or enter the lines below to the PowerShell window and enter. (Entering twic
|
|||
if ($lastLogin -eq $null) {
|
||||
$lastLogin = 'Never'
|
||||
}
|
||||
Write-Host $user.Name $lastLogin $enabled
|
||||
Write-Host $user.Name $lastLogin $enabled
|
||||
}"
|
||||
|
||||
This will return a list of local accounts with the account name, last logon, and if the account is enabled (True/False).
|
||||
|
|
@ -1228,9 +1200,9 @@ Note: Example of documentation can be a copy of the site's CCB approved Software
|
|||
<LegacyId>V-93219</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Determine whether there is a HIDS or HIPS on each server.
|
||||
<RawString>Determine whether there is a HIDS or HIPS on each server.
|
||||
|
||||
If the HIPS component of ESS is installed and active on the host and the alerts of blocked activity are being logged and monitored, this meets the requirement.
|
||||
If the HIPS component of ESS is installed and active on the host and the alerts of blocked activity are being logged and monitored, this meets the requirement.
|
||||
|
||||
A HIDS device is not required on a system that has the role as the Network Intrusion Device (NID). However, this exception needs to be documented with the ISSO.
|
||||
|
||||
|
|
@ -1285,9 +1257,9 @@ Run "Net user [username]", where [username] is the name of the temporary user ac
|
|||
If "Account expires" has not been defined within 72 hours for any temporary user account, this is a finding.</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-205657" severity="medium" conversionstatus="pass" title="SRG-OS-000076-GPOS-00044" dscresource="None">
|
||||
<Description><VulnDiscussion>The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the password. The built-in Administrator account is not generally used and its password not may be changed as frequently as necessary. Changing the password for the built-in Administrator account on a regular basis will limit its exposure.
|
||||
<Description><VulnDiscussion>The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the password. The built-in Administrator account is not generally used and its password might not be changed as frequently as necessary. Changing the password for the built-in Administrator account on a regular basis will limit its exposure.
|
||||
|
||||
It is highly recommended to use Microsoft's Local Administrator Password Solution (LAPS). Domain-joined systems can configure this to occur more frequently. LAPS will change the password every "30" days by default. The AO still has the overall authority to use another equivalent capability to accomplish the check.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
Windows LAPS must be used to change the built-in Administrator account password.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>V-93473</LegacyId>
|
||||
|
|
@ -1366,11 +1338,11 @@ If there are no printers configured, this is NA. (Exclude Microsoft Print to PDF
|
|||
|
||||
For each printer:
|
||||
|
||||
Select the printer and "Manage".
|
||||
Select the printer and "Manage".
|
||||
|
||||
Select "Printer Properties".
|
||||
Select "Printer Properties".
|
||||
|
||||
Select the "Sharing" tab.
|
||||
Select the "Sharing" tab.
|
||||
|
||||
If "Share this printer" is checked, select the "Security" tab.
|
||||
|
||||
|
|
@ -1560,26 +1532,24 @@ Enter "Get-ADDomain | FT PDCEmulator".</RawString>
|
|||
|
||||
If system files are not monitored for unauthorized changes, this is a finding.
|
||||
|
||||
A properly configured McAfee Application Control and Change Control (MACC) module will meet the requirement for file integrity checking.</RawString>
|
||||
An approved and properly configured solution will contain both a list of baselines that includes all system file locations and a file comparison task that is scheduled to run at least weekly.</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-205807" severity="medium" conversionstatus="pass" title="SRG-OS-000370-GPOS-00155" dscresource="None">
|
||||
<Description><VulnDiscussion>Using a whitelist provides a configuration management method to allow the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities.
|
||||
<Description><VulnDiscussion>Using an allowlist provides a configuration management method to allow the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities.
|
||||
|
||||
The organization must identify authorized software programs and only permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
The organization must identify authorized software programs and only permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as allowlisting.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>V-93379</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>This is applicable to unclassified systems. For other systems, this is NA.
|
||||
<RawString>Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
|
||||
|
||||
Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
|
||||
If an application allowlisting program is not in use on the system, this is a finding.
|
||||
|
||||
If an application whitelisting program is not in use on the system, this is a finding.
|
||||
Configuration of allowlisting applications will vary by the program.
|
||||
|
||||
Configuration of whitelisting applications will vary by the program.
|
||||
|
||||
AppLocker is a whitelisting application built into Windows Server. A deny-by-default implementation is initiated by enabling any AppLocker rules within a category, only allowing what is specified by defined rules.
|
||||
AppLocker is an allowlisting application built into Windows Server. A deny-by-default implementation is initiated by enabling any AppLocker rules within a category, only allowing what is specified by defined rules.
|
||||
|
||||
If AppLocker is used, perform the following to view the configuration of AppLocker:
|
||||
|
||||
|
|
@ -1595,9 +1565,9 @@ Get-AppLockerPolicy -Effective -XML > c:\temp\file.xml
|
|||
|
||||
This will produce an xml file with the effective settings that can be viewed in a browser or opened in a program such as Excel for review.
|
||||
|
||||
Implementation guidance for AppLocker is available in the NSA paper "Application Whitelisting using Microsoft AppLocker" at the following link:
|
||||
Implementation guidance for AppLocker is available at the following link:
|
||||
|
||||
https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm</RawString>
|
||||
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-205829" severity="medium" conversionstatus="pass" title="SRG-OS-000425-GPOS-00189" dscresource="None">
|
||||
<Description><VulnDiscussion>Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information.
|
||||
|
|
@ -1623,7 +1593,7 @@ If protection methods have not been implemented, this is a finding.</RawString>
|
|||
<LegacyId>V-93185</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Verify the audit records, at a minimum, are offloaded for interconnected systems in real time and offloaded for standalone or nondomain-joined systems weekly.
|
||||
<RawString>Verify the audit records, at a minimum, are offloaded for interconnected systems in real time and offloaded for standalone or nondomain-joined systems weekly.
|
||||
|
||||
If they are not, this is a finding.</RawString>
|
||||
</Rule>
|
||||
|
|
@ -1634,7 +1604,7 @@ If they are not, this is a finding.</RawString>
|
|||
<LegacyId>V-93369</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Verify each user with administrative privileges has been assigned a unique administrative account separate from their standard user account.
|
||||
<RawString>Verify each user with administrative privileges has been assigned a unique administrative account separate from their standard user account.
|
||||
|
||||
If users with administrative privileges do not have separate accounts for administrative functions and standard user functions, this is a finding.</RawString>
|
||||
</Rule>
|
||||
|
|
@ -1710,8 +1680,6 @@ If the "Password Last Set" date is more than one year old, this is a finding.</R
|
|||
<OrganizationValueTestString />
|
||||
<RawString>For standalone or nondomain-joined systems, this is NA.
|
||||
|
||||
Current hardware and virtual environments may not support virtualization-based security features, including Credential Guard, due to specific supporting requirements including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within a virtual machine.
|
||||
|
||||
Verify the system has a TPM and it is ready for use.
|
||||
|
||||
Run "tpm.msc".
|
||||
|
|
@ -1784,7 +1752,7 @@ Under "System Summary", if "BIOS Mode" does not display "UEFI", this is a findin
|
|||
<LegacyId>V-93231</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Some older systems may not have UEFI firmware. This is currently a CAT III; it will be raised in severity at a future date when broad support of Windows hardware and firmware requirements are expected to be met. Devices that have UEFI firmware must have Secure Boot enabled.
|
||||
<RawString>Some older systems may not have UEFI firmware. This is currently a CAT III; it will be raised in severity at a future date when broad support of Windows hardware and firmware requirements are expected to be met. Devices that have UEFI firmware must have Secure Boot enabled.
|
||||
|
||||
Run "System Information".
|
||||
|
||||
|
|
@ -2378,7 +2346,7 @@ Viewing in File Explorer:
|
|||
For each folder, view the Properties.
|
||||
Select the "Security" tab, and the "Advanced" button.
|
||||
Default permissions:
|
||||
\Program Files
|
||||
\Program Files
|
||||
Type - "Allow" for all
|
||||
Inherited from - "None" for all
|
||||
Principal - Access - Applies to
|
||||
|
|
@ -2771,7 +2739,7 @@ Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPO
|
|||
<OrganizationValueTestString>{0} is set to the required legal notice before logon</OrganizationValueTestString>
|
||||
<RawString>If the following registry value does not exist or is not configured as specified, this is a finding:
|
||||
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
|
||||
|
||||
Value Name: LegalNoticeText
|
||||
|
|
@ -2809,17 +2777,17 @@ Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088</VulnDiscussion
|
|||
<OrganizationValueTestString>'{0}' -match '^(DoD Notice and Consent Banner|US Department of Defense Warning Statement)$'</OrganizationValueTestString>
|
||||
<RawString>If the following registry value does not exist or is not configured as specified, this is a finding:
|
||||
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
|
||||
|
||||
Value Name: LegalNoticeCaption
|
||||
|
||||
Value Type: REG_SZ
|
||||
Value: See message title options below
|
||||
Value: Refer to message title options below
|
||||
|
||||
"DoD Notice and Consent Banner", "US Department of Defense Warning Statement", or an organization-defined equivalent.
|
||||
"DoD Notice and Consent Banner", "US Department of Defense Warning Statement", or an organization-defined equivalent.
|
||||
|
||||
If an organization-defined title is used, it can in no case contravene or modify the language of the banner text required in WN19-SO-000150.
|
||||
If an organization-defined title is used, it can in no case contravene or modify the language of the banner text required in WN19-SO-000130.
|
||||
|
||||
Automated tools may only search for the titles defined above. If an organization-defined title is used, a manual review will be required.</RawString>
|
||||
<ValueData />
|
||||
|
|
@ -2839,7 +2807,7 @@ Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPO
|
|||
<OrganizationValueTestString>'{0}' -le '900' -and '{0}' -gt '0'</OrganizationValueTestString>
|
||||
<RawString>If the following registry value does not exist or is not configured as specified, this is a finding:
|
||||
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
|
||||
|
||||
Value Name: InactivityTimeoutSecs
|
||||
|
|
@ -2911,7 +2879,7 @@ Enabling "Include command line data for process creation events" will record the
|
|||
<OrganizationValueTestString />
|
||||
<RawString>If the following registry value does not exist or is not configured as specified, this is a finding:
|
||||
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit\
|
||||
|
||||
Value Name: ProcessCreationIncludeCmdLine_Enabled
|
||||
|
|
@ -2935,7 +2903,7 @@ Enabling PowerShell script block logging will record detailed information from t
|
|||
<OrganizationValueTestString />
|
||||
<RawString>If the following registry value does not exist or is not configured as specified, this is a finding:
|
||||
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Path: \SOFTWARE\ Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\
|
||||
|
||||
Value Name: EnableScriptBlockLogging
|
||||
|
|
@ -2947,7 +2915,7 @@ Value: 0x00000001 (1)</RawString>
|
|||
<ValueType>Dword</ValueType>
|
||||
</Rule>
|
||||
<Rule id="V-205644" severity="medium" conversionstatus="pass" title="SRG-OS-000062-GPOS-00031" dscresource="Registry">
|
||||
<Description><VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.
|
||||
<Description><VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.
|
||||
This setting allows administrators to enable more precise auditing capabilities.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
|
|
@ -2958,7 +2926,7 @@ This setting allows administrators to enable more precise auditing capabilities.
|
|||
<OrganizationValueTestString />
|
||||
<RawString>If the following registry value does not exist or is not configured as specified, this is a finding:
|
||||
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\
|
||||
|
||||
Value Name: SCENoApplyLegacyAuditPolicy
|
||||
|
|
@ -3008,7 +2976,7 @@ Value: 0x00000002 (2)</RawString>
|
|||
<OrganizationValueTestString />
|
||||
<RawString>If the following registry value does not exist or is not configured as specified, this is a finding:
|
||||
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\
|
||||
|
||||
Value Name: NoLMHash
|
||||
|
|
@ -3098,11 +3066,11 @@ Value: 0x00000004 (4)</RawString>
|
|||
<LegacyId>V-93399</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Verify the registry value below.
|
||||
<RawString>Verify the registry value below.
|
||||
|
||||
If it does not exist or is not configured as specified, this is a finding.
|
||||
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Personalization\
|
||||
|
||||
Value Name: NoLockScreenSlideshow
|
||||
|
|
@ -3136,7 +3104,7 @@ Value: 0x00000000 (0)</RawString>
|
|||
<ValueType>Dword</ValueType>
|
||||
</Rule>
|
||||
<Rule id="V-205688" severity="medium" conversionstatus="pass" title="SRG-OS-000095-GPOS-00049" dscresource="RegistryPolicyFile">
|
||||
<Description><VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system.
|
||||
<Description><VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system.
|
||||
|
||||
This setting prevents the computer from downloading print driver packages over HTTP.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
|
|
@ -3194,7 +3162,7 @@ Value: 0x00000001 (1)</RawString>
|
|||
<OrganizationValueTestString />
|
||||
<RawString>Verify the registry value below. If it does not exist or is not configured as specified, this is a finding.
|
||||
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\
|
||||
|
||||
Value Name: DontDisplayNetworkSelectionUI
|
||||
|
|
@ -3480,7 +3448,7 @@ This setting may cause issues with some network scanning tools if local administ
|
|||
|
||||
If the following registry value does not exist or is not configured as specified, this is a finding:
|
||||
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
|
||||
|
||||
Value Name: EnableUIADesktopToggle
|
||||
|
|
@ -3529,7 +3497,7 @@ Value: 0x00000002 (2) (Prompt for consent on the secure desktop)
|
|||
|
||||
If the following registry value does not exist or is not configured as specified, this is a finding:
|
||||
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
|
||||
|
||||
Value Name: EnableInstallerDetection
|
||||
|
|
@ -3553,7 +3521,7 @@ Value: 0x00000001 (1)</RawString>
|
|||
|
||||
If the following registry value does not exist or is not configured as specified, this is a finding:
|
||||
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
|
||||
|
||||
Value Name: EnableSecureUIAPaths
|
||||
|
|
@ -3577,7 +3545,7 @@ Value: 0x00000001 (1)</RawString>
|
|||
|
||||
If the following registry value does not exist or is not configured as specified, this is a finding:
|
||||
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
|
||||
|
||||
Value Name: EnableVirtualization
|
||||
|
|
@ -3621,7 +3589,7 @@ Value: 0x00000001 (1)</RawString>
|
|||
<OrganizationValueTestString />
|
||||
<RawString>If the following registry value does not exist or is not configured as specified, this is a finding:
|
||||
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\
|
||||
|
||||
Value Name: RestrictAnonymous
|
||||
|
|
@ -3643,7 +3611,7 @@ Value: 0x00000001 (1)</RawString>
|
|||
<OrganizationValueTestString />
|
||||
<RawString>If the following registry value does not exist or is not configured as specified, this is a finding:
|
||||
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\
|
||||
|
||||
Value Name: RestrictNullSessAccess
|
||||
|
|
@ -3947,7 +3915,7 @@ Satisfies: SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00156</VulnDiscussion
|
|||
|
||||
If the following registry value does not exist or is not configured as specified, this is a finding:
|
||||
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
|
||||
|
||||
Value Name: FilterAdministratorToken
|
||||
|
|
@ -3973,7 +3941,7 @@ Satisfies: SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00156</VulnDiscussion
|
|||
|
||||
If the following registry value does not exist or is not configured as specified, this is a finding:
|
||||
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
|
||||
|
||||
Value Name: ConsentPromptBehaviorUser
|
||||
|
|
@ -3999,7 +3967,7 @@ Satisfies: SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00156</VulnDiscussion
|
|||
|
||||
If the following registry value does not exist or is not configured as specified, this is a finding:
|
||||
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
|
||||
|
||||
Value Name: EnableLUA
|
||||
|
|
@ -4045,7 +4013,7 @@ Value: 0x00000001 (1)</RawString>
|
|||
<OrganizationValueTestString />
|
||||
<RawString>If the following registry value does not exist or is not configured as specified, this is a finding:
|
||||
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\
|
||||
|
||||
Value Name: DisablePasswordChange
|
||||
|
|
@ -4139,7 +4107,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion
|
|||
<OrganizationValueTestString />
|
||||
<RawString>If the following registry value does not exist or is not configured as specified, this is a finding:
|
||||
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\
|
||||
|
||||
Value Name: RequireSignOrSeal
|
||||
|
|
@ -4211,14 +4179,14 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion
|
|||
<OrganizationValueTestString />
|
||||
<RawString>If the following registry value does not exist or is not configured as specified, this is a finding:
|
||||
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\
|
||||
|
||||
Value Name: RequireStrongKey
|
||||
|
||||
Value Type: REG_DWORD
|
||||
Value: 0x00000001 (1)
|
||||
|
||||
|
||||
This setting may prevent a system from being joined to a domain if not configured consistently between systems.</RawString>
|
||||
<ValueData>1</ValueData>
|
||||
<ValueName>RequireStrongKey</ValueName>
|
||||
|
|
@ -4237,7 +4205,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion
|
|||
<OrganizationValueTestString />
|
||||
<RawString>If the following registry value does not exist or is not configured as specified, this is a finding:
|
||||
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\
|
||||
|
||||
Value Name: RequireSecuritySignature
|
||||
|
|
@ -4261,7 +4229,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion
|
|||
<OrganizationValueTestString />
|
||||
<RawString>If the following registry value does not exist or is not configured as specified, this is a finding:
|
||||
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\
|
||||
|
||||
Value Name: EnableSecuritySignature
|
||||
|
|
@ -4285,7 +4253,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion
|
|||
<OrganizationValueTestString />
|
||||
<RawString>If the following registry value does not exist or is not configured as specified, this is a finding:
|
||||
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\
|
||||
|
||||
Value Name: RequireSecuritySignature
|
||||
|
|
@ -4309,7 +4277,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion
|
|||
<OrganizationValueTestString />
|
||||
<RawString>If the following registry value does not exist or is not configured as specified, this is a finding:
|
||||
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\
|
||||
|
||||
Value Name: EnableSecuritySignature
|
||||
|
|
@ -4366,7 +4334,7 @@ Value Name: Enabled
|
|||
|
||||
Value Type: REG_DWORD
|
||||
Value: 0x00000001 (1)
|
||||
|
||||
|
||||
Clients with this setting enabled will not be able to communicate via digitally encrypted or signed protocols with servers that do not support these algorithms. Both the browser and web server must be configured to use TLS; otherwise. the browser will not be able to connect to a secure site.</RawString>
|
||||
<ValueData>1</ValueData>
|
||||
<ValueName>Enabled</ValueName>
|
||||
|
|
@ -4405,7 +4373,7 @@ Value: 0x00000002 (2)</RawString>
|
|||
<OrganizationValueTestString />
|
||||
<RawString>If the following registry value does not exist or is not configured as specified, this is a finding:
|
||||
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
|
||||
|
||||
Value Name: DisableIPSourceRouting
|
||||
|
|
@ -4427,7 +4395,7 @@ Value: 0x00000002 (2)</RawString>
|
|||
<OrganizationValueTestString />
|
||||
<RawString>If the following registry value does not exist or is not configured as specified, this is a finding:
|
||||
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
|
||||
|
||||
Value Name: EnableICMPRedirect
|
||||
|
|
@ -4886,7 +4854,7 @@ https://docs.microsoft.com/en-us/windows/security/identity-protection/credential
|
|||
<OrganizationValueTestString />
|
||||
<RawString>If the following registry value does not exist or is not configured as specified, this is a finding:
|
||||
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\
|
||||
|
||||
Value Name: LimitBlankPasswordUse
|
||||
|
|
@ -4910,7 +4878,7 @@ Value: 0x00000001 (1)</RawString>
|
|||
|
||||
If the following registry value does not exist or is not configured as specified, this is a finding:
|
||||
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\
|
||||
|
||||
Value Name: MaximumPasswordAge
|
||||
|
|
@ -4932,9 +4900,9 @@ Value: 0x0000001e (30) (or less, but not 0)</RawString>
|
|||
<OrganizationValueTestString>'{0}' -match '1|2'</OrganizationValueTestString>
|
||||
<RawString>If the following registry value does not exist or is not configured as specified, this is a finding:
|
||||
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Path: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
|
||||
|
||||
|
||||
Value Name: scremoveoption
|
||||
|
||||
Value Type: REG_SZ
|
||||
|
|
@ -4956,7 +4924,7 @@ If configuring this on servers causes issues, such as terminating users' remote
|
|||
<OrganizationValueTestString />
|
||||
<RawString>If the following registry value does not exist or is not configured as specified, this is a finding:
|
||||
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\
|
||||
|
||||
Value Name: RestrictAnonymousSAM
|
||||
|
|
@ -4978,7 +4946,7 @@ Value: 0x00000001 (1)</RawString>
|
|||
<OrganizationValueTestString />
|
||||
<RawString>If the following registry value does not exist or is not configured as specified, this is a finding:
|
||||
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\
|
||||
|
||||
Value Name: EveryoneIncludesAnonymous
|
||||
|
|
@ -5088,7 +5056,7 @@ Value: 0x00000005 (5)</RawString>
|
|||
<OrganizationValueTestString />
|
||||
<RawString>If the following registry value does not exist or is not configured as specified, this is a finding:
|
||||
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Path: \SYSTEM\CurrentControlSet\Services\LDAP\
|
||||
|
||||
Value Name: LDAPClientIntegrity
|
||||
|
|
@ -5110,7 +5078,7 @@ Value: 0x00000001 (1)</RawString>
|
|||
<OrganizationValueTestString />
|
||||
<RawString>If the following registry value does not exist or is not configured as specified, this is a finding:
|
||||
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\
|
||||
|
||||
Value Name: NTLMMinClientSec
|
||||
|
|
@ -5132,7 +5100,7 @@ Value: 0x20080000 (537395200)</RawString>
|
|||
<OrganizationValueTestString />
|
||||
<RawString>If the following registry value does not exist or is not configured as specified, this is a finding:
|
||||
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\
|
||||
|
||||
Value Name: NTLMMinServerSec
|
||||
|
|
@ -5154,7 +5122,7 @@ Value: 0x20080000 (537395200)</RawString>
|
|||
<OrganizationValueTestString />
|
||||
<RawString>If the following registry value does not exist or is not configured as specified, this is a finding:
|
||||
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Path: \SYSTEM\CurrentControlSet\Control\Session Manager\
|
||||
|
||||
Value Name: ProtectionMode
|
||||
|
|
@ -5204,7 +5172,7 @@ Value: 0x00000002 (2) (or if the Value Name does not exist)</RawString>
|
|||
<OrganizationValueTestString />
|
||||
<RawString>Verify the registry value below. If it does not exist or is not configured as specified, this is a finding.
|
||||
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Hive: HKEY_LOCAL_MACHINE
|
||||
Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
|
||||
|
||||
Value Name: DisableAutomaticRestartSignOn
|
||||
|
|
@ -5299,61 +5267,120 @@ Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000403-GPOS-00182</VulnDiscussion
|
|||
<RawString>DoD Root CA 5,4ECB5CC3095670454DA1CBD410FC921F46B8564B</RawString>
|
||||
<Thumbprint>4ECB5CC3095670454DA1CBD410FC921F46B8564B</Thumbprint>
|
||||
</Rule>
|
||||
<Rule id="V-205649.a" severity="medium" conversionstatus="pass" title="SRG-OS-000066-GPOS-00034" dscresource="CertificateDSC">
|
||||
<Rule id="V-205649" severity="medium" conversionstatus="pass" title="SRG-OS-000066-GPOS-00034" dscresource="CertificateDSC">
|
||||
<CertificateName>DoD Interoperability Root CA 2</CertificateName>
|
||||
<Description><VulnDiscussion>To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CAs, the DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. This requirement only applies to unclassified systems.
|
||||
|
||||
Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000403-GPOS-00182</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>V-93489.a</LegacyId>
|
||||
<LegacyId>V-93489</LegacyId>
|
||||
<Location />
|
||||
<OrganizationValueRequired>True</OrganizationValueRequired>
|
||||
<OrganizationValueTestString>location for DoD Interoperability Root CA 2 certificate is present</OrganizationValueTestString>
|
||||
<RawString>DoD Interoperability Root CA 2,AC06108CA348CC03B53795C64BF84403C1DBD341</RawString>
|
||||
<Thumbprint>AC06108CA348CC03B53795C64BF84403C1DBD341</Thumbprint>
|
||||
</Rule>
|
||||
<Rule id="V-205649.b" severity="medium" conversionstatus="pass" title="SRG-OS-000066-GPOS-00034" dscresource="CertificateDSC">
|
||||
<CertificateName>DoD Interoperability Root CA 2</CertificateName>
|
||||
<Description><VulnDiscussion>To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CAs, the DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. This requirement only applies to unclassified systems.
|
||||
<RawString>This is applicable to unclassified systems. It is NA for others.
|
||||
|
||||
Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000403-GPOS-00182</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>V-93489.b</LegacyId>
|
||||
<Location />
|
||||
<OrganizationValueRequired>True</OrganizationValueRequired>
|
||||
<OrganizationValueTestString>location for DoD Interoperability Root CA 2 certificate is present</OrganizationValueTestString>
|
||||
<RawString>DoD Interoperability Root CA 2,49CBE933151872E17C8EAE7F0ABA97FB610F6477</RawString>
|
||||
Open "PowerShell" as an administrator.
|
||||
|
||||
Execute the following command:
|
||||
|
||||
Get-ChildItem -Path Cert:Localmachine\disallowed | Where {$_.Issuer -Like "*DoD Interoperability*" -and $_.Subject -Like "*DoD*"} | FL Subject, Issuer, Thumbprint, NotAfter
|
||||
|
||||
If the following certificate "Subject", "Issuer", and "Thumbprint" information is not displayed, this is a finding.
|
||||
|
||||
Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US
|
||||
Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US
|
||||
Thumbprint: 49CBE933151872E17C8EAE7F0ABA97FB610F6477
|
||||
NotAfter: 11/16/2024 9:57:16 AM
|
||||
|
||||
Alternately, use the Certificates MMC snap-in:
|
||||
|
||||
Run "MMC".
|
||||
|
||||
Select "File", "Add/Remove Snap-in".
|
||||
|
||||
Select "Certificates" and click "Add".
|
||||
|
||||
Select "Computer account" and click "Next".
|
||||
|
||||
Select "Local computer: (the computer this console is running on)" and click "Finish".
|
||||
|
||||
Click "OK".
|
||||
|
||||
Expand "Certificates" and navigate to Untrusted Certificates >> Certificates.
|
||||
|
||||
For each certificate with "DoD Root CA..." under "Issued To" and "DoD Interoperability Root CA..." under "Issued By":
|
||||
|
||||
Right-click on the certificate and select "Open".
|
||||
|
||||
Select the "Details" tab.
|
||||
|
||||
Scroll to the bottom and select "Thumbprint".
|
||||
|
||||
If the certificate below is not listed or the value for the "Thumbprint" field is not as noted, this is a finding.
|
||||
|
||||
Issued to: DoD Root CA 3
|
||||
Issued By: DoD Interoperability Root CA 2
|
||||
Thumbprint: 49CBE933151872E17C8EAE7F0ABA97FB610F6477
|
||||
Valid to: 11/16/2024 9:57:16 AM</RawString>
|
||||
<Thumbprint>49CBE933151872E17C8EAE7F0ABA97FB610F6477</Thumbprint>
|
||||
</Rule>
|
||||
<Rule id="V-205650.a" severity="medium" conversionstatus="pass" title="SRG-OS-000066-GPOS-00034" dscresource="CertificateDSC">
|
||||
<Rule id="V-205650" severity="medium" conversionstatus="pass" title="SRG-OS-000066-GPOS-00034" dscresource="CertificateDSC">
|
||||
<CertificateName>US DoD CCEB Interoperability Root CA 2</CertificateName>
|
||||
<Description><VulnDiscussion>To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CAs, the US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. This requirement only applies to unclassified systems.
|
||||
|
||||
Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000403-GPOS-00182</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>V-93491.a</LegacyId>
|
||||
<LegacyId>V-93491</LegacyId>
|
||||
<Location />
|
||||
<OrganizationValueRequired>True</OrganizationValueRequired>
|
||||
<OrganizationValueTestString>location for US DoD CCEB Interoperability Root CA 2 certificate is present</OrganizationValueTestString>
|
||||
<RawString>US DoD CCEB Interoperability Root CA 2,AF132AC65DE86FC4FB3FE51FD637EBA0FF0B12A9</RawString>
|
||||
<Thumbprint>AF132AC65DE86FC4FB3FE51FD637EBA0FF0B12A9</Thumbprint>
|
||||
</Rule>
|
||||
<Rule id="V-205650.b" severity="medium" conversionstatus="pass" title="SRG-OS-000066-GPOS-00034" dscresource="CertificateDSC">
|
||||
<CertificateName>US DoD CCEB Interoperability Root CA 2</CertificateName>
|
||||
<Description><VulnDiscussion>To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CAs, the US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. This requirement only applies to unclassified systems.
|
||||
<RawString>This is applicable to unclassified systems. It is NA for others.
|
||||
|
||||
Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000403-GPOS-00182</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>V-93491.b</LegacyId>
|
||||
<Location />
|
||||
<OrganizationValueRequired>True</OrganizationValueRequired>
|
||||
<OrganizationValueTestString>location for US DoD CCEB Interoperability Root CA 2 certificate is present</OrganizationValueTestString>
|
||||
<RawString>US DoD CCEB Interoperability Root CA 2,929BF3196896994C0A201DF4A5B71F603FEFBF2E</RawString>
|
||||
<Thumbprint>929BF3196896994C0A201DF4A5B71F603FEFBF2E</Thumbprint>
|
||||
Open "PowerShell" as an administrator.
|
||||
|
||||
Execute the following command:
|
||||
|
||||
Get-ChildItem -Path Cert:Localmachine\disallowed | Where Issuer -Like "*CCEB Interoperability*" | FL Subject, Issuer, Thumbprint, NotAfter
|
||||
|
||||
If the following certificate "Subject", "Issuer", and "Thumbprint" information is not displayed, this is a finding.
|
||||
|
||||
Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US
|
||||
Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US
|
||||
Thumbprint: 9B74964506C7ED9138070D08D5F8B969866560C8
|
||||
NotAfter: 7/18/2025 9:56:22 AM
|
||||
Alternately, use the Certificates MMC snap-in:
|
||||
|
||||
Run "MMC".
|
||||
|
||||
Select "File", "Add/Remove Snap-in".
|
||||
|
||||
Select "Certificates" and click "Add".
|
||||
|
||||
Select "Computer account" and click "Next".
|
||||
|
||||
Select "Local computer: (the computer this console is running on)" and click "Finish".
|
||||
|
||||
Click "OK".
|
||||
|
||||
Expand "Certificates" and navigate to Untrusted Certificates >> Certificates.
|
||||
|
||||
For each certificate with "US DoD CCEB Interoperability Root CA ..." under "Issued By":
|
||||
|
||||
Right-click on the certificate and select "Open".
|
||||
|
||||
Select the "Details" tab.
|
||||
|
||||
Scroll to the bottom and select "Thumbprint".
|
||||
|
||||
If the certificate below is not listed or the value for the "Thumbprint" field is not as noted, this is a finding.
|
||||
|
||||
Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US
|
||||
Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US
|
||||
Thumbprint: 9B74964506C7ED9138070D08D5F8B969866560C8
|
||||
NotAfter: 7/18/2025 9:56:22 AM</RawString>
|
||||
<Thumbprint>9B74964506C7ED9138070D08D5F8B969866560C8</Thumbprint>
|
||||
</Rule>
|
||||
</RootCertificateRule>
|
||||
<SecurityOptionRule dscresourcemodule="SecurityPolicyDsc">
|
||||
|
|
@ -5646,7 +5673,7 @@ If the following accounts or groups are not defined for the "Deny log on as a se
|
|||
- Enterprise Admins Group
|
||||
- Domain Admins Group
|
||||
|
||||
If any accounts or groups are defined for the "Deny log on as a service" user right on non-domain-joined systems, this is a finding.
|
||||
If any accounts or groups are defined for the "Deny log on as a service" user right on nondomain-joined systems, this is a finding.
|
||||
|
||||
</RawString>
|
||||
</Rule>
|
||||
|
|
@ -0,0 +1,87 @@
|
|||
<!--
|
||||
The organizational settings file is used to define the local organizations
|
||||
preferred setting within an allowed range of the STIG.
|
||||
|
||||
Each setting in this file is linked by STIG ID and the valid range is in an
|
||||
associated comment.
|
||||
-->
|
||||
<OrganizationalSettings fullversion="1.3">
|
||||
<!-- Ensure ServiceName/StartupType is populated with correct AntiVirus service information-->
|
||||
<OrganizationalSetting id="V-254248" ServiceName="" StartupType="" />
|
||||
<!-- Ensure ServiceName/StartupType is populated with correct Firewall service information-->
|
||||
<OrganizationalSetting id="V-254265" ServiceName="" StartupType="" />
|
||||
<!-- Ensure ''V-254343.b'' -match '1|3'-->
|
||||
<OrganizationalSetting id="V-254343.b" ValueData="1" />
|
||||
<!-- Ensure ''V-254344'' -match '1|3|8|ShouldBeAbsent'-->
|
||||
<OrganizationalSetting id="V-254344" ValueData="8" />
|
||||
<!-- Ensure ''V-254357'' -match '0|1|2|99|100'-->
|
||||
<OrganizationalSetting id="V-254357" ValueData="100" />
|
||||
<!-- Ensure ''V-254358'' -ge '32768'-->
|
||||
<OrganizationalSetting id="V-254358" ValueData="32768" />
|
||||
<!-- Ensure ''V-254359'' -ge '196608'-->
|
||||
<OrganizationalSetting id="V-254359" ValueData="196608" />
|
||||
<!-- Ensure ''V-254360'' -ge '32768'-->
|
||||
<OrganizationalSetting id="V-254360" ValueData="32768" />
|
||||
<!-- Ensure ''V-254387'' -le '600' -and ''V-254387'' -ne '0'-->
|
||||
<OrganizationalSetting id="V-254387" PolicyValue="600" />
|
||||
<!-- Ensure ''V-254388'' -le '10' -and ''V-254388'' -ne '0'-->
|
||||
<OrganizationalSetting id="V-254388" PolicyValue="10" />
|
||||
<!-- Ensure ''V-254389'' -le '7'-->
|
||||
<OrganizationalSetting id="V-254389" PolicyValue="7" />
|
||||
<!-- Ensure ''V-254390'' -le '5'-->
|
||||
<OrganizationalSetting id="V-254390" PolicyValue="5" />
|
||||
<!-- Ensure location for DoD Root CA 3 certificate is present-->
|
||||
<OrganizationalSetting id="V-254442.a" Location="" />
|
||||
<!-- Ensure location for DoD Root CA 4 certificate is present-->
|
||||
<OrganizationalSetting id="V-254442.b" Location="" />
|
||||
<!-- Ensure location for DoD Root CA 5 certificate is present-->
|
||||
<OrganizationalSetting id="V-254442.c" Location="" />
|
||||
<!-- Ensure location for DoD Interoperability Root CA 2 certificate is present-->
|
||||
<OrganizationalSetting id="V-254443" Location="" />
|
||||
<!-- Ensure location for US DoD CCEB Interoperability Root CA 2 certificate is present-->
|
||||
<OrganizationalSetting id="V-254444" Location="" />
|
||||
<!-- Ensure ''V-254454'' -le '30' -and ''V-254454'' -gt '0'-->
|
||||
<OrganizationalSetting id="V-254454" ValueData="30" />
|
||||
<!-- Ensure ''V-254456'' -le '900' -and ''V-254456'' -gt '0'-->
|
||||
<OrganizationalSetting id="V-254456" ValueData="900" />
|
||||
<!-- Ensure 'V-254457' is set to the required legal notice before logon-->
|
||||
<OrganizationalSetting id="V-254457" ValueData="You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
|
||||
|
||||
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
|
||||
|
||||
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
|
||||
|
||||
-At any time, the USG may inspect and seize data stored on this IS.
|
||||
|
||||
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
|
||||
|
||||
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
|
||||
|
||||
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." />
|
||||
<!-- Ensure ''V-254458'' -match '^(DoD Notice and Consent Banner|US Department of Defense Warning Statement)$'-->
|
||||
<OrganizationalSetting id="V-254458" ValueData="DoD Notice and Consent Banner" />
|
||||
<!-- Ensure ''V-254459'' -match '1|2'-->
|
||||
<OrganizationalSetting id="V-254459" ValueData="1" />
|
||||
<!-- Ensure ''V-254484'' -match '1|2'-->
|
||||
<OrganizationalSetting id="V-254484" ValueData="1" />
|
||||
<!-- Ensure ''V-254285'' -ge '15' -or ''V-254285'' -eq '0'-->
|
||||
<OrganizationalSetting id="V-254285" PolicyValue="15" />
|
||||
<!-- Ensure ''V-254286'' -le '3' -and ''V-254286'' -ne '0'-->
|
||||
<OrganizationalSetting id="V-254286" PolicyValue="3" />
|
||||
<!-- Ensure ''V-254287'' -ge '15'-->
|
||||
<OrganizationalSetting id="V-254287" PolicyValue="15" />
|
||||
<!-- Ensure ''V-254288'' -ge '24'-->
|
||||
<OrganizationalSetting id="V-254288" PolicyValue="24" />
|
||||
<!-- Ensure ''V-254289'' -le '60' -and ''V-254289'' -ne '0'-->
|
||||
<OrganizationalSetting id="V-254289" PolicyValue="60" />
|
||||
<!-- Ensure ''V-254290'' -ne '0'-->
|
||||
<OrganizationalSetting id="V-254290" PolicyValue="1" />
|
||||
<!-- Ensure ''V-254291'' -ge '14'-->
|
||||
<OrganizationalSetting id="V-254291" PolicyValue="14" />
|
||||
<!-- Ensure ''V-254447'' -ne 'Administrator'-->
|
||||
<OrganizationalSetting id="V-254447" OptionValue="" />
|
||||
<!-- Ensure ''V-254448'' -ne 'Guest'-->
|
||||
<OrganizationalSetting id="V-254448" OptionValue="" />
|
||||
<!-- Ensure ''V-254499'' -match '^(Administrators,NT Virtual Machine\\Virtual Machines|Administrators)$'-->
|
||||
<OrganizationalSetting id="V-254499" Identity="Administrators" />
|
||||
</OrganizationalSettings>
|
||||
Разница между файлами не показана из-за своего большого размера
Загрузить разницу
|
|
@ -0,0 +1,83 @@
|
|||
<!--
|
||||
The organizational settings file is used to define the local organizations
|
||||
preferred setting within an allowed range of the STIG.
|
||||
|
||||
Each setting in this file is linked by STIG ID and the valid range is in an
|
||||
associated comment.
|
||||
-->
|
||||
<OrganizationalSettings fullversion="1.3">
|
||||
<!-- Ensure ServiceName/StartupType is populated with correct AntiVirus service information-->
|
||||
<OrganizationalSetting id="V-254248" ServiceName="" StartupType="" />
|
||||
<!-- Ensure ServiceName/StartupType is populated with correct Firewall service information-->
|
||||
<OrganizationalSetting id="V-254265" ServiceName="" StartupType="" />
|
||||
<!-- Ensure ''V-254343.b'' -match '1|3'-->
|
||||
<OrganizationalSetting id="V-254343.b" ValueData="1" />
|
||||
<!-- Ensure ''V-254344'' -match '1|3|8|ShouldBeAbsent'-->
|
||||
<OrganizationalSetting id="V-254344" ValueData="8" />
|
||||
<!-- Ensure ''V-254357'' -match '0|1|2|99|100'-->
|
||||
<OrganizationalSetting id="V-254357" ValueData="100" />
|
||||
<!-- Ensure ''V-254358'' -ge '32768'-->
|
||||
<OrganizationalSetting id="V-254358" ValueData="32768" />
|
||||
<!-- Ensure ''V-254359'' -ge '196608'-->
|
||||
<OrganizationalSetting id="V-254359" ValueData="196608" />
|
||||
<!-- Ensure ''V-254360'' -ge '32768'-->
|
||||
<OrganizationalSetting id="V-254360" ValueData="32768" />
|
||||
<!-- Ensure ''V-254432'' -le '4'-->
|
||||
<OrganizationalSetting id="V-254432" ValueData="4" />
|
||||
<!-- Ensure location for DoD Root CA 3 certificate is present-->
|
||||
<OrganizationalSetting id="V-254442.a" Location="" />
|
||||
<!-- Ensure location for DoD Root CA 4 certificate is present-->
|
||||
<OrganizationalSetting id="V-254442.b" Location="" />
|
||||
<!-- Ensure location for DoD Root CA 5 certificate is present-->
|
||||
<OrganizationalSetting id="V-254442.c" Location="" />
|
||||
<!-- Ensure location for DoD Interoperability Root CA 2 certificate is present-->
|
||||
<OrganizationalSetting id="V-254443" Location="" />
|
||||
<!-- Ensure location for US DoD CCEB Interoperability Root CA 2 certificate is present-->
|
||||
<OrganizationalSetting id="V-254444" Location="" />
|
||||
<!-- Ensure ''V-254454'' -le '30' -and ''V-254454'' -gt '0'-->
|
||||
<OrganizationalSetting id="V-254454" ValueData="30" />
|
||||
<!-- Ensure ''V-254456'' -le '900' -and ''V-254456'' -gt '0'-->
|
||||
<OrganizationalSetting id="V-254456" ValueData="900" />
|
||||
<!-- Ensure 'V-254457' is set to the required legal notice before logon-->
|
||||
<OrganizationalSetting id="V-254457" ValueData="You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
|
||||
|
||||
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
|
||||
|
||||
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
|
||||
|
||||
-At any time, the USG may inspect and seize data stored on this IS.
|
||||
|
||||
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
|
||||
|
||||
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
|
||||
|
||||
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." />
|
||||
<!-- Ensure ''V-254458'' -match '^(DoD Notice and Consent Banner|US Department of Defense Warning Statement)$'-->
|
||||
<OrganizationalSetting id="V-254458" ValueData="DoD Notice and Consent Banner" />
|
||||
<!-- Ensure ''V-254459'' -match '1|2'-->
|
||||
<OrganizationalSetting id="V-254459" ValueData="1" />
|
||||
<!-- Ensure ''V-254484'' -match '1|2'-->
|
||||
<OrganizationalSetting id="V-254484" ValueData="1" />
|
||||
<!-- Ensure ''V-254285'' -ge '15' -or ''V-254285'' -eq '0'-->
|
||||
<OrganizationalSetting id="V-254285" PolicyValue="15" />
|
||||
<!-- Ensure ''V-254286'' -le '3' -and ''V-254286'' -ne '0'-->
|
||||
<OrganizationalSetting id="V-254286" PolicyValue="3" />
|
||||
<!-- Ensure ''V-254287'' -ge '15'-->
|
||||
<OrganizationalSetting id="V-254287" PolicyValue="15" />
|
||||
<!-- Ensure ''V-254288'' -ge '24'-->
|
||||
<OrganizationalSetting id="V-254288" PolicyValue="24" />
|
||||
<!-- Ensure ''V-254289'' -le '60' -and ''V-254289'' -ne '0'-->
|
||||
<OrganizationalSetting id="V-254289" PolicyValue="60" />
|
||||
<!-- Ensure ''V-254290'' -ne '0'-->
|
||||
<OrganizationalSetting id="V-254290" PolicyValue="1" />
|
||||
<!-- Ensure ''V-254291'' -ge '14'-->
|
||||
<OrganizationalSetting id="V-254291" PolicyValue="14" />
|
||||
<!-- Ensure ''V-254435'' -match 'Enterprise Admins,Domain Admins,(Local account and member of Administrators group|Local account),Guests'-->
|
||||
<OrganizationalSetting id="V-254435" Identity="Enterprise Admins,Domain Admins,Local account and member of Administrators group,Guests" />
|
||||
<!-- Ensure ''V-254447'' -ne 'Administrator'-->
|
||||
<OrganizationalSetting id="V-254447" OptionValue="" />
|
||||
<!-- Ensure ''V-254448'' -ne 'Guest'-->
|
||||
<OrganizationalSetting id="V-254448" OptionValue="" />
|
||||
<!-- Ensure ''V-254499'' -match '^(Administrators,NT Virtual Machine\\Virtual Machines|Administrators)$'-->
|
||||
<OrganizationalSetting id="V-254499" Identity="Administrators" />
|
||||
</OrganizationalSettings>
|
||||
Разница между файлами не показана из-за своего большого размера
Загрузить разницу
Загрузка…
Ссылка в новой задаче