
WINDOWS 2008 SECURITY TECHNICAL IMPLEMENTATION GUIDE

OVERVIEW

Version 6, Release 1.9

26 February 2010

Developed by DISA for the DoD

UNCLASSIFIED


Windows 2008 STIG V6 R1.9 Field Security Operations 26 February 2010 Defense Information Systems Agency


TABLE OF CONTENTS

Summary of Changes
1 Introduction
  1.1 Background
  1.2 Authority
  1.3 Scope
  1.4 Vulnerability Severity Code Definitions
  1.5 STIG Distribution
  1.6 Document Revisions
2 Performing a Windows Review
  2.1 ACL Deviations
  2.2 Application Exceptions
  2.3 Gold Standard
  2.4 Review Tools
    2.4.1 Windows Explorer
    2.4.2 Computer Management Console
    2.4.3 Control Panel
    2.4.4 Security Configuration and Analysis Snap-In
      2.4.4.1 Updating the Windows Security Options File
      2.4.4.2 Performing Analysis with the Security Configuration and Analysis Snap-In
    2.4.5 File and Registry Settings
    2.4.6 Using “DumpSec”
    2.4.7 MS Group Policy Results Tools
Appendix A. Object Permissions
  A.1 File and Folder Permissions
  A.2 Registry Permissions
Appendix B. References
  B.1 Policy References
  B.2 Technical References
Appendix C. VMS Procedures


SUMMARY OF CHANGES

This section summarizes the changes made to this document. The change history for one year is included.

Version 6.1.9, February 2010

All Sections: The STIG format has been changed to be produced in XCCDF format from VMS. This document contains supporting information; the Windows requirements are in the accompanying XML file. See the Readme.txt and “STIG Transition to XCCDF” for additional information.

V0001073 Approved Service Packs – updated to require SP2
V0001074 Virus-Protection Software – added note/reference to AV check (V0019910)
V0001126 Recycle Bin Configuration – added User Admin Template configuration
V0001145 Disable Administrator Automatic Logon – registry value set by policy added for reference
V0002907 System Configuration Changes (Servers) – removed note that HBSS doesn’t meet requirement
V0004109 Disable Dead Gateway Detection – removed, not applicable

Added new IAVMs – 2009-A-0123, 2009-A-0124, 2009-A-0125, 2009-A-0126, 2009-A-0128, 2009-A-0129, 2009-A-0130, 2009-A-0134, 2009-B-0060, 2009-B-0061, 2009-B-0062, 2009-B-0065, 2009-B-0066, 2009-B-0067, 2010-A-0003, 2010-A-0004, 2010-A-0005, 2010-A-0006, 2010-A-0007, 2010-A-0010, 2010-A-0011, 2010-A-0014, 2010-A-0016, 2010-A-0017, 2010-B-0002, 2010-B-0003, 2010-B-0004

Removed superseded IAVMs – 2008-B-0041, 2008-B-0073, 2009-A-0020, 2009-A-0041, 2009-A-0052, 2009-A-0060, 2009-A-0061, 2009-A-0093, 2009-A-0100, 2009-A-0101, 2009-A-0102, 2009-A-0103, 2009-A-0104, 2009-A-0108, 2009-A-0111, 2009-B-0056, 2009-T-0031, 2009-T-0051

The following IAVMs were added or removed after VMS reconciliation:
Added – 2009-A-0039, 2009-T-0030
Removed – 2009-B-0038, 2009-T-0046, 2009-T-0053

2009-A-0071 – corrected Vista/2008 file name for manual check
2009-A-0099 – corrected reference to Microsoft Bulletin

SRR Results Report – This appendix was for recording results of a manual review and has been removed from Windows STIGs for versions supported by automated tools (Gold Disk).

Version 6.1.8, December 2009

All Sections: Updated version numbers and dates.

Section 3: V0001112 Dormant Accounts – updated Dsquery commands


V0001157 Smart Card Removal Option – added documentable
V0006840 Passwords Expiration – updated Dsquery command
V0014271 Application Account Passwords – updated Dsquery command

Appendix B: Added new IAVMs – 2009-A-0090, 2009-A-0091, 2009-A-0093, 2009-A-0094, 2009-A-0095, 2009-A-0096, 2009-A-0097, 2009-A-0098, 2009-A-0099, 2009-A-0100, 2009-A-0101, 2009-A-0102, 2009-A-0103, 2009-A-0104, 2009-A-0105, 2009-A-0108, 2009-A-0109, 2009-A-0110, 2009-A-0111, 2009-A-0112, 2009-A-0115, 2009-A-0117, 2009-A-0118, 2009-A-0119, 2009-A-0120, 2009-A-0121, 2009-A-0122, 2009-B-0047, 2009-B-0048, 2009-B-0051, 2009-B-0052, 2009-B-0054, 2009-B-0055, 2009-B-0056, 2009-B-0057, 2009-B-0059

Removed superseded IAVMs – 2008-A-0063, 2009-A-0023, 2009-A-0042, 2009-A-0051, 2009-A-0053, 2009-A-0054, 2009-A-0055, 2009-A-0056, 2009-A-0059, 2009-A-0062, 2009-A-0063, 2009-A-0066, 2009-A-0081, 2009-B-0034, 2009-T-0026, 2009-T-0038, 2009-T-0050, 2009-T-0052

Version 6.1.7, October 2009

All Sections: Updated version numbers and dates.

Appendix B: Added new IAVMs – 2009-A-0061, 2009-A-0062, 2009-A-0063, 2009-A-0066, 2009-A-0067, 2009-A-0068, 2009-A-0071, 2009-A-0074, 2009-A-0076, 2009-A-0077, 2009-A-0078, 2009-A-0081, 2009-B-0034, 2009-B-0035, 2009-B-0036, 2009-B-0037, 2009-B-0038, 2009-B-0042, 2009-T-0046, 2009-T-0049, 2009-T-0050, 2009-T-0051, 2009-T-0052

Removed superseded IAVMs – 2009-A-0025, 2009-B-0014, 2009-T-0036, 2009-T-0043

Version 6.1.6, August 2009

All Sections: Updated version numbers and dates.

Section 3:
V0001090 Caching of Logon Credentials – removed “Disable” from title
V0002374 Disable Media Autoplay – moved to Admin Template configuration, updated reference to CTO
V0003375 Domain Controller Authentication to Unlock Workstation – removed, Joint Services review decision
V0004117 Syn Attack Protection Level – removed, identified as not applicable to Windows Vista/2008 during reviews with Microsoft
V0004437 TCP Connection Responses – identified as not applicable to Windows Vista/2008 during reviews with Microsoft
V0014242 UAC – Non UAC Compliant Application Virtualization – corrected policy name (removed “Switch”)


V0014249 Terminal Services – Drive Redirection – registry value name corrected in VMS to “fDisableCdm” (checklist was correct)
V0015672 Event Viewer Events.asp Links – added to align with DoD consensus
V0015711 Search – Encrypted Files Indexing – corrected registry path (space between Windows and Search)
V0015712 Search – Exchange Folder Indexing – updated to reflect change in policy name and value from Vista/2008 SP2 or Search 4.0 installation; corrected registry path (space between Windows and Search)
V0017900 Disallow AutoPlay/AutoRun from Autorun.inf – updated reference to CTO

Appendix B: Various – added note to IAVMs fixed by Vista/2008 SP2

Added new IAVMs – 2009-A-0042, 2009-A-0044, 2009-A-0046, 2009-A-0051, 2009-A-0052, 2009-A-0053, 2009-A-0054, 2009-A-0055, 2009-A-0056, 2009-A-0057, 2009-A-0058, 2009-A-0059, 2009-A-0060, 2009-B-0021, 2009-B-0023, 2009-B-0024, 2009-B-0025, 2009-B-0028, 2009-B-0030, 2009-B-0033, 2009-T-0031, 2009-T-0034, 2009-T-0036, 2009-T-0038, 2009-T-0043

Removed superseded IAVMs – 2008-B-0033, 2008-T-0024, 2009-A-0008, 2009-A-0021, 2009-A-0027, 2009-A-0028, 2009-A-0029, 2009-A-0030, 2009-A-0031, 2009-A-0035, 2009-A-0036, 2009-A-0040, 2009-B-0063, 2009-T-0015, 2009-T-0018, 2009-T-0029

Appendix F:
V0015673 Internet Connection Wizard ISP Downloads – corrected policy name referenced
V0003379 LAN Manager Hash Value – corrected severity category to CAT I

Version 6.1.5, June 2009

All Sections: Updated version numbers and dates.

Section 1: 1.9 Referenced Documents – Note added regarding checklist references and Windows Server 2008 Security Compliance Toolkit.

Section 3: V0001122 Password Protected Screen Savers – Removed requirement for screen saver executable name to be specified. Removed note referring to Desktop configuration.

Appendix B:
2008-A-0086 – corrected file version number
2008-B-0075 – added note to manual check on IIS and Internet printing requirement
2009-A-0013 – added Exchange Server MAPI Client and Collaboration Data Objects 1.2.1


Added new IAVMs – 2009-A-0023, 2009-A-0025, 2009-A-0027, 2009-A-0028, 2009-A-0029, 2009-A-0030, 2009-A-0031, 2009-A-0032, 2009-A-0034, 2009-A-0035, 2009-A-0036, 2009-A-0037, 2009-A-0039, 2009-A-0040, 2009-A-0041, 2009-B-0015, 2009-B-0016, 2009-B-0018, 2009-B-0019, 2009-T-0010, 2009-T-0018, 2009-T-0019, 2009-T-0021, 2009-T-0022, 2009-T-0023, 2009-T-0025, 2009-T-0026, 2009-T-0029

Removed superseded IAVMs – 2008-A-0042, 2008-A-0051, 2008-A-0076, 2008-A-0083, 2008-B-0084, 2008-B-0086, 2009-A-0001, 2009-A-0005, 2009-A-0007, 2009-A-0014, 2009-B-0010, 2009-B-0013, 2009-T-0011, 2009-T-0013

Version 6.1.4, April 2009

All Sections: Updated version numbers and dates.

Section 3:
V0001089 Display Legal Notice – added note on short version
V0015505 CMA Agent – corrected Confidentiality level to match VMS (removed C)

Appendix B: 2008-T-0032 – removed Windows 2000 SP4 – SQL Server 2000 Desktop Engine (WMSDE) from Vulnerable Applications

Added new IAVMs – 2009-A-0012, 2009-A-0013, 2009-A-0014, 2009-A-0016, 2009-A-0017, 2009-A-0018, 2009-A-0019, 2009-A-0020, 2009-A-0021, 2009-B-0008, 2009-B-0009, 2009-B-0010, 2009-B-0013, 2009-B-0014, 2009-T-0011, 2009-T-0013, 2009-T-0014, 2009-T-0015

Removed superseded IAVMs – 2008-A-0080, 2008-B-0077, 2008-T-0057, 2008-T-0065, 2008-T-0067, 2009-B-0005, 2009-B-0007


1 INTRODUCTION

1.1 Background

The Windows 2008 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements were developed from Federal and DoD consensus, as well as the Windows 2008 Security Guide and security templates published by Microsoft Corporation. The vulnerabilities discussed in this document are applicable to Windows 2008 (all versions).

The requirements are detailed in the accompanying XML files. Two versions may be included: one, marked “manual”, includes all of the requirements; the second, marked “benchmark”, includes only checks that have OVAL content for use in scanning tools.

This document is meant for use in conjunction with other applicable STIGs and Checklists such as Directory Services, Web, DNS, Database, Secure Remote Computing, and Desktop Applications.

1.2 Authority

DoD Directive 8500.1 requires that “all IA and IA-enabled IT products incorporated into DoD information systems shall be configured in accordance with DoD-approved security configuration guidelines” and tasks Defense Information Systems Agency (DISA) to “develop and provide security configuration guidance for IA and IA-enabled IT products in coordination with Director, NSA.” This document is provided under the authority of DoD Directive 8500.1.

Although the use of the principles and guidelines in this STIG provides an environment that contributes to the security requirements of DoD systems operating at Mission Assurance Categories (MAC) I through III, applicable DoDI 8500.2 IA controls need to be applied to all systems and architectures.

The Information Operations Condition (INFOCON) for the DoD recommends actions during periods when a heightened defensive posture is required to protect DoD computer networks from attack. The Information Assurance Officer (IAO) will ensure compliance with the security requirements of the current INFOCON level and will modify security requirements to comply with this guidance.

The Joint Task Force - Global Network Operations (JTF-GNO) has also established requirements (i.e., timelines) for training, verification, installation, and progress reporting. These guidelines can be found on their Web site: https://www.jtfgno.mil.

Initially, these directives are discussed and released as Warning Orders (WARNORDs) and feedback to the JTF-GNO is encouraged. The JTF-GNO may then upgrade these orders to directives; they are then called Communication Tasking Orders (CTOs). It is each organization's responsibility to take action by complying with the CTOs and reporting compliance via their respective Computer Network Defense Service Provider (CNDSP).


1.3 Scope

This document is a requirement for all DoD administered systems and all systems connected to DoD networks. These requirements are designed to assist Security Managers (SMs), Information Assurance Managers (IAMs), IAOs, and System Administrators (SAs) with configuring and maintaining security controls. This guidance supports DoD system design, development, implementation, certification, and accreditation efforts.

1.4 Vulnerability Severity Code Definitions

Severity Category Codes (CAT) are a measure of risk used to assess a facility or system security posture. Each security policy specified in this document is assigned a Severity Code of CAT I, II, or III. Each policy is evaluated based on the probability of a realized threat occurring and the expected loss associated with an attack exploiting the resulting vulnerability.

Vulnerability Severity Codes

Category I: Vulnerabilities that allow an attacker immediate access into a machine, allow superuser access, or bypass a firewall. Example: granting unnecessary accounts the User Right “Act as Part of the Operating System”.

Category II: Vulnerabilities that provide information that has a high potential of giving access to an intruder. Example: not requiring password complexity increases the risk of an intruder gaining access.

Category III: Vulnerabilities that provide information that could potentially lead to compromise. Example: allowing users to install printer drivers could lead to compromise through unapproved drivers.

1.5 STIG Distribution

Parties within the DoD and Federal Government's computing environments can obtain the applicable STIG from the Information Assurance Support Environment (IASE) Web site. This site contains the latest copies of any STIGs and Checklists, scripts, and other related security information. The Non-classified Internet Protocol Router Network (NIPRNet) Uniform Resource Locator (URL) for the IASE site is http://iase.disa.mil/.

1.6 Document Revisions

Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]. DISA Field Security Operations (FSO) will coordinate all change requests with the relevant DoD organizations before inclusion in this document.


2 PERFORMING A WINDOWS REVIEW

The review of Windows 2008 is supported by the Gold Disk. The Gold Disk Users Guide is available in the Documentation directory of Gold Disk #1. It should be reviewed thoroughly prior to executing scans, in particular the Warnings section. The manual contains detailed information on the use of the various windows and the expected output.

In a Windows domain, the review should be done with the reviewer logged on to the domain. The review will then reveal the actual effective settings on the system, which may result from a combination of Group and Local policies.

Note: The Windows Server checklists apply to both member servers and domain controllers. The following requirements apply only to domain controllers:

V-2373
V-2376
V-2377
V-2378
V-2379
V-2380
V-2906
V-4407
V-4408
V-15488

Warning: The settings in this STIG are directed towards securing a native Windows environment (i.e. Windows 2000 or later OSs). If the environment is a mixed one, with down-level OSs, or maintains trusts with down-level OSs, then the following checks should be reviewed. Configuring them to the required setting could cause compatibility problems.

3.113 / V0006831 Encryption and Signing of Secure Channel Traffic
3.043 / V0001163 Encryption of Secure Channel Traffic
4.044 / V0003374 Strong Session Key (WIN2K/W2K3 Native Domains)
3.114 / V0006832 SMB Client Packet Signing (Always)
3.115 / V0006833 SMB Server Packet Signing (Always)
3.062 / V0003337 Anonymous SID/Name Translation
3.018 / V0001093 Restrict Anonymous Network Shares
3.071 / V0003377 Everyone Permissions Apply to Anonymous Users
3.073 / V0003379 LAN Manager Hash Value
3.031 / V0001153 LanMan Authentication Level
3.076 / V0003382 Minimum Session Security for NTLM SSP-based (including secure RPC) Clients
3.089 / V0003666 Minimum Session Security for NTLM SSP-based (including secure RPC) Servers
3.077 / V0003383 FIPS Compliant Algorithms


2.1 ACL Deviations

The Access Control Lists (ACLs) on a system under review may differ from the recommendations specified in these requirements. If the reviewed ACL is more restrictive, or if an equivalent user group is identified, there is no problem. If a specific application requires less restrictive settings, these must be documented with the site IAO.

2.2 Application Exceptions

Site-approved applications may require specific exceptions to the requirements in this document for proper functioning. Exceptions should be justified and clearly documented with the IAO. When exceptions are made for requirements rated Category I, the site must document the exception and obtain documentation from the vendor that it is necessary. The documentation should also include any additional action the site is taking to mitigate the risk (e.g., ACL settings, group membership, firewall, etc.).

2.3 Gold Standard

The Gold Standard is the minimum level of security configuration that a system must meet in order to be connected to the network. The Platinum standard is the security level that must be reached to achieve certification and accreditation. This STIG measures a system’s security configuration against the Platinum Standard.

2.4 Review Tools

2.4.1 Windows Explorer

Windows Explorer permits users and administrators to search for files and also manage the permissions and audit configuration of file objects on NTFS volumes.

Right-click the “Start” button and select “Explore”.

Change Folder Options to expose hidden and protected operating system files.

Select “Folder and search options” from the “Organize” menu.
Select the “View” tab.
Select the radio button labeled “Show hidden files, folders and drives”.
Uncheck the box labeled “Hide protected operating system files”.
Uncheck the box labeled “Hide extensions of known file types”.
Click the “OK” button to continue.

Searching for files

When performing searches from Windows Explorer, select Advanced Search and ensure the Location is Local Hard Drives and “Include non-indexed, hidden, and system files (might be slow)” is checked.


2.4.2 Computer Management console

The Computer Management console is used to configure a variety of system-related features for the local environment such as Shared folders, Local users and groups and Services among others.

Select “Administrative Tools” > “Computer Management” from the Start Menu (or “Programs” first in Classic View)

2.4.3 Control Panel

The Control Panel is used to configure a variety of features for the local environment such as Display settings (screen saver), Installed Programs (including updates and patches) and System.

Select “Control Panel” from the Start Menu. Alternately, select “Control Panel” on the Desktop (assumes Classic View).

2.4.4 Security Configuration and Analysis Snap-In

The Microsoft Management Console (MMC) is the primary system configuration tool for Windows. It utilizes “snap-in” functions to configure the various parts of the system. The Security Configuration and Analysis snap-in is used to determine the composite effect of Local Policy and Group Policy for areas such as Account Policy, System Auditing and Security Options.

2.4.4.1 Updating the Windows Security Options File

Some of the requirements in this STIG depend upon the use of a Microsoft security options file that has been updated to include some additional security checks (“MSS” settings) that are not visible in policies by default.

Note: The procedure for viewing hidden folders and files in Windows Explorer, earlier in this section, may need to be performed prior to completing this task.

To load the updated Security Options file, do the following (due to changes in Windows security, the administrator must first take ownership of the file before changes are made):

Open a command prompt with elevated privileges (“Run as administrator”).
Take ownership of the file with the command ‘takeown /f c:\windows\inf\sceregvl.inf’.
Add Full permissions with the command ‘icacls c:\windows\inf\sceregvl.inf /grant username:f’, where ‘username’ is the administrator account.
Rename the sceregvl.inf file in the %SystemRoot%\inf directory.
Copy the updated sceregvl.inf file from the media provided to the %SystemRoot%\inf directory. The file can be found in the Templates directory included in the STIG zip file.
Re-register scecli.dll by executing ‘regsvr32 scecli.dll’ in the command prompt with elevated privileges.

The additional options will now appear in Windows policy tools such as the Security Configuration and Analysis tool (a restart of the tool may be required.)
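The same sequence as a script, added here as an example; it is not part of the STIG or its media. It assumes the updated sceregvl.inf has been extracted from the Templates directory of the STIG zip to C:\STIG\Templates (the -UpdatedInf path is an assumption; adjust it) and that it is run from an elevated PowerShell prompt. The original file is renamed with a timestamp rather than deleted so the change can be reverted.

```powershell
# Added example, not from the STIG: scripted form of the sceregvl.inf replacement.
# Assumption: -UpdatedInf is the sceregvl.inf from the Templates directory of the
# STIG zip, extracted to C:\STIG\Templates. Run from an elevated PowerShell prompt.
param(
    [string]$UpdatedInf = 'C:\STIG\Templates\sceregvl.inf'
)

$target = Join-Path $env:SystemRoot 'inf\sceregvl.inf'
$me     = [Security.Principal.WindowsIdentity]::GetCurrent().Name   # e.g. HOST\admin

# takeown and icacls both need an elevated token; check before touching anything.
$principal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated ("Run as administrator") prompt.'
}
if (-not (Test-Path -Path $UpdatedInf)) { throw "Updated file not found: $UpdatedInf" }

# 1. Take ownership. The shipped file is owned by TrustedInstaller and
#    Administrators cannot rename or overwrite it until they own it.
& takeown.exe /f $target | Out-Null
if ($LASTEXITCODE -ne 0) { throw "takeown failed on $target" }

# 2. Grant the current administrator account Full control (icacls ... /grant user:F).
& icacls.exe $target /grant "${me}:F" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed on $target" }

# 3. Rename the original instead of deleting it so the change can be reversed.
$backupName = 'sceregvl.inf.' + (Get-Date -Format 'yyyyMMddHHmmss') + '.bak'
Rename-Item -Path $target -NewName $backupName

# 4. Copy in the updated file from the STIG media.
Copy-Item -Path $UpdatedInf -Destination $target

# 5. Re-register scecli.dll so the Security Configuration Engine re-reads the file.
& regsvr32.exe /s scecli.dll
if ($LASTEXITCODE -ne 0) { throw 'regsvr32 scecli.dll failed' }

Write-Host "Original saved as $(Join-Path (Split-Path -Parent $target) $backupName)."
Write-Host 'Restart the Security Configuration and Analysis snap-in to see the MSS settings.'
```

After this the replaced file is owned by the administrator account rather than TrustedInstaller; keep the .bak copy so the system file can be restored once the review is finished.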


2.4.4.2 Performing Analysis with the Security Configuration and Analysis Snap-In

Use the following procedure to load the Security Configuration and Analysis snap-in and analyze the system:

Select “Start”, enter “MMC” in the “Search programs and files” field, and press Enter.
Select “File” from the MMC menu bar.
Select “Add/Remove snap-in” from the drop-down menu.
Select the “Security Configuration and Analysis” snap-in and click the “Add” button. Click “OK”.
Right-click on the Security Configuration and Analysis object in the left window.
Select ‘Open Database’ (this will create the database file if one does not exist).
Enter “C:\temp\scan\srr.sdb” for the database name.
In the ‘Import Template’ window, select the appropriate file name for the type of system.
  o The security templates can be found in the Templates directory included in the STIG zip file.
  o FSOWinVersion_Analyze_Only.inf
Check the box to “Clear the database before importing”. Select “Open”.
Right-click on the Security Configuration and Analysis object in the left window.
Select ‘Analyze Computer Now’ (DO NOT select ‘Configure Computer Now’).
Enter “C:\temp\scan\srr.log” for the log name in the ‘Error log file path’ window and click OK.
The Analyzing System Security window will appear.
When the analysis is complete, the Security Configuration and Analysis node can be expanded to view current configurations:
  ‘Database Settings’ are the required settings imported from the analysis template file.
  ‘Computer Settings’ are the effective settings on the system.
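The command-line equivalent of this procedure, using secedit.exe (included with Windows), added here as an example and not part of the STIG. The template path C:\STIG\Templates\FSOWinVersion_Analyze_Only.inf is an assumption for where the STIG zip was extracted. secedit /analyze only compares the system to the template; the equivalent of ‘Configure Computer Now’ is secedit /configure, which must not be run during a review.

```powershell
# Added example, not from the STIG: secedit /analyze in place of the snap-in.
# Assumption: -Template is the FSO*_Analyze_Only.inf from the Templates directory
# of the STIG zip, extracted to C:\STIG\Templates. Run from an elevated prompt.
param(
    [string]$Template = 'C:\STIG\Templates\FSOWinVersion_Analyze_Only.inf',
    [string]$WorkDir  = 'C:\temp\scan'
)

if (-not (Test-Path -Path $Template)) { throw "Template not found: $Template" }
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$db  = Join-Path $WorkDir 'srr.sdb'
$log = Join-Path $WorkDir 'srr.log'

# Start from an empty database, the same effect as the snap-in's
# "Clear the database before importing" check box.
Remove-Item -Path $db, $log -Force -ErrorAction SilentlyContinue

# /analyze compares only. Never substitute /configure here: that applies the template.
& secedit.exe /analyze /db $db /cfg $Template /log $log
if ($LASTEXITCODE -ne 0) { Write-Warning "secedit returned $LASTEXITCODE; check $log" }

# The analysis log records one line per setting that differs from the template
# ("Mismatch - <setting>.") or is not defined on the computer ("Not Configured - ...").
function Get-AnalysisFindings {
    param([string]$LogPath)
    Get-Content -Path $LogPath | ForEach-Object {
        if ($_ -match '^\s*(Mismatch|Not Configured|Not Available)\s+-\s+(.+?)\.?\s*$') {
            New-Object PSObject -Property @{ Status = $Matches[1]; Setting = $Matches[2] }
        }
    }
}

$findings = @(Get-AnalysisFindings -LogPath $log)
$findings | Sort-Object Status, Setting | Format-Table Status, Setting -AutoSize
Write-Host ("{0} settings differ from or are missing relative to the template." -f $findings.Count)
Write-Host "Open $db in the snap-in to compare Database Settings with Computer Settings."
```

The srr.sdb written here is the same database the snap-in uses, so ‘Open Database’ on it shows the Database Settings and Computer Settings columns for anything the log lists.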


2.4.5 File and Registry Settings

File and Registry Permissions and Auditing can be viewed using Windows Explorer for files and directories and the Registry Editor (Regedit.exe) for registry keys.

To open Windows Explorer: right-click the Start button and select “Explore”.

To open Registry Editor: click the Start button and select “Run” (Classic view), type “Regedit”, and press Enter.

To investigate a possible ACL discrepancy:

File ACLs: Navigate in Windows Explorer to the file or directory being investigated. Right-click and select “Properties”. Select the “Security” tab.

Registry ACLs: Navigate in Registry Editor to the key being investigated. Right-click the key and select “Permissions”.

Highlight each group in turn to view effective settings.

To investigate a possible File Auditing discrepancy:

Navigate in Windows Explorer to the file or directory being investigated. Right-click and select “Properties”. Select the Security tab. Click on the “Advanced” button. Select the Auditing tab. Highlight an ‘Auditing Entry’ and click the Edit button.

To investigate a possible Registry Auditing discrepancy:

Navigate in Registry Editor to the key being investigated. Right-click the registry key and select “Permissions”. Click on the “Advanced” button. Select the Auditing tab. Highlight an ‘Auditing Entry’ and click the Edit button.
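The same information the Security and Auditing tabs show, collected for a file or a registry key with Get-Acl, added here as an example and not part of the STIG. The two paths at the end are examples only; substitute the object under review. Reading the audit entries (the SACL) needs an elevated prompt. The second function is a review aid for section 2.1: it lists Allow entries that give broad principals write-type access, which are the entries that must be documented with the IAO if they are less restrictive than the requirement.

```powershell
# Added example, not from the STIG: permissions and auditing for a file or key.
# Get-Acl -Audit reads the SACL and needs an elevated prompt (SeSecurityPrivilege).
function Get-RightsText($rule) {
    # File rules carry FileSystemRights, registry rules RegistryRights. Generic
    # rights on an entry show as a number rather than a name.
    if ($rule.PSObject.Properties['FileSystemRights']) { return $rule.FileSystemRights.ToString() }
    return $rule.RegistryRights.ToString()
}

function Get-ObjectSecurityReport {
    param([Parameter(Mandatory=$true)][string]$Path)

    $acl = Get-Acl -Path $Path -Audit
    $out = @()
    $out += "== $Path"
    $out += "Owner: $($acl.Owner)"
    $out += '-- Permissions (Security tab)'
    foreach ($ace in $acl.Access) {
        $inh = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
        $out += ('{0,-5} {1,-40} {2} [{3}]' -f $ace.AccessControlType, $ace.IdentityReference, (Get-RightsText $ace), $inh)
    }
    $out += '-- Auditing (Advanced > Auditing tab)'
    if (@($acl.Audit).Count -eq 0) { $out += '(no audit entries)' }
    foreach ($sace in $acl.Audit) {
        $out += ('{0,-8} {1,-40} {2}' -f $sace.AuditFlags, $sace.IdentityReference, (Get-RightsText $sace))
    }
    $out
}

# Allow entries granting write-type rights to broad principals: candidates for
# the "less restrictive than required" case in section 2.1.
function Find-BroadWriteAccess {
    param([Parameter(Mandatory=$true)][string]$Path)
    $broad     = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    $writeLike = 'FullControl|Modify|Write|CreateSubKey|SetValue|Delete|ChangePermissions|TakeOwnership'
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broad -contains $_.IdentityReference.Value -and
        (Get-RightsText $_) -match $writeLike
    }
}

# Example objects only; replace with the file or key being investigated.
Get-ObjectSecurityReport -Path "$env:SystemRoot\System32\drivers\etc\hosts"
Get-ObjectSecurityReport -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Find-BroadWriteAccess    -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
```

An ACL that is more restrictive than the requirement, or that names an equivalent group, is not a finding; only the broadening entries this flags need justification.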

2.4.6 Using “DumpSec”

The DumpSec application is an analysis tool that permits the user to systematically review ACL, audit, and user information from the local system. This tool is not included with Windows, but may be acquired or downloaded from SomarSoft, Inc. (www.somarsoft.com). It is also available on Disk #1 of the Gold Disk in the folder “Files needed for manual review”.

Navigate to the folder that contains the application and double click on “DumpSec”

Select “Dump Users as Table” from the “Report” menu. Select the available fields in the following sequence, and click on the “Add” button for each entry:

UserName
SID
PswdRequired
PswdExpires
PswdLastSetTime
LastLogonTime
AcctDisabled
Groups

Click “OK” to proceed.

Some user accounts may appear repetitively, because “Groups” is included in the report.

The data from DumpSec can be copied to another program such as a spreadsheet for analysis by selecting “Copy all items” from the Edit menu and pasting in to the other program.
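The same table built from the WinNT ADSI provider that ships with Windows, for review systems where DumpSec is not available, added here as an example and not part of the STIG. It covers the local account database only and must be run elevated. Group memberships are joined into one column instead of one row per group, and the 35-day dormancy threshold in the last filter is an assumption; use the period the checklist specifies.

```powershell
# Added example, not from the STIG: DumpSec-style "Dump Users as Table" from ADSI.
# Local accounts only; run from an elevated prompt. UserFlags bits per the WinNT
# provider: ADS_UF_ACCOUNTDISABLE, ADS_UF_PASSWD_NOTREQD, ADS_UF_DONT_EXPIRE_PASSWD.
$UF_ACCOUNTDISABLE     = 0x0002
$UF_PASSWD_NOTREQD     = 0x0020
$UF_DONT_EXPIRE_PASSWD = 0x10000

function Get-LocalUserTable {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $computer = [ADSI]"WinNT://$ComputerName"
    foreach ($u in ($computer.Children | Where-Object { $_.SchemaClassName -eq 'user' })) {
        $flags = [int]$u.UserFlags.Value
        $sid   = (New-Object System.Security.Principal.SecurityIdentifier($u.objectSid.Value, 0)).Value

        # PasswordAge is the number of seconds since the password was last set.
        $pwdLastSet = (Get-Date).AddSeconds(-1 * [double]$u.PasswordAge.Value)

        # LastLogin is not present on accounts that have never logged on.
        $lastLogon = $null
        try { $lastLogon = [datetime]$u.LastLogin.Value } catch { }

        $groups = @($u.psbase.Invoke('Groups') | ForEach-Object {
            $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
        })

        # New-Object PSObject keeps this usable on PowerShell 2.0 (Windows 2008 era).
        New-Object PSObject -Property @{
            UserName        = [string]$u.Name.Value
            SID             = $sid
            PswdRequired    = (($flags -band $UF_PASSWD_NOTREQD) -eq 0)
            PswdExpires     = (($flags -band $UF_DONT_EXPIRE_PASSWD) -eq 0)
            PswdLastSetTime = $pwdLastSet
            LastLogonTime   = $lastLogon
            AcctDisabled    = (($flags -band $UF_ACCOUNTDISABLE) -ne 0)
            Groups          = ($groups -join ';')
        } | Select-Object UserName, SID, PswdRequired, PswdExpires, PswdLastSetTime,
                          LastLogonTime, AcctDisabled, Groups
    }
}

$users = Get-LocalUserTable
$users | Format-Table -AutoSize

# The review questions the DumpSec columns answer: no password required,
# non-expiring password, or enabled with no logon in the last 35 days
# (assumed dormancy period; a $null LastLogonTime, never logged on, also matches).
$users | Where-Object {
    -not $_.PswdRequired -or -not $_.PswdExpires -or
    (-not $_.AcctDisabled -and $_.LastLogonTime -lt (Get-Date).AddDays(-35))
} | Select-Object UserName, PswdRequired, PswdExpires, LastLogonTime, AcctDisabled
```

The objects can be piped to Export-Csv for the same spreadsheet analysis the text describes for DumpSec output.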


2.4.7 MS Group Policy Results Tools

This section contains information for using Microsoft tools to analyze Group Policy. In an Active Directory environment, these utilities help administrators determine the source of the effective security configuration settings that are in force on a system. The manual SRR review procedures in this STIG report the security policy related settings that are in effect on a system, but do not identify the source of those settings. An effective setting can come from any number of sources: Local Computer Policy, multiple Domain Group Policies, or Group Policies associated with Organizational Units.

The Security Configuration and Analysis MMC snap-in permits the analysis of Account Policy, System Auditing, Local Policies, Event Logs, Services, Registry ACLs and Auditing, and File ACLs and Auditing. The tool provides a comparison of effective settings (Computer Settings) to a Security Template (Database Settings). Directions for loading this tool are provided in a previous section.

The Resultant Set of Policy (RSoP) MMC snap-in and GPResult.exe report the source policy for security settings that are enforced on the system. This allows an administrator to determine which policy must be changed to fix a specific setting that is the cause of a finding on the system. (Note: these tools do not report whether a setting is configured in the Local Policy.)

The Group Policy Management Console (GPMC) MMC snap-in is another tool that combines the features of RSoP and the Group Policy Object Editor. The GPMC can be downloaded from Microsoft.

Resultant Set of Policy

The RSoP snap-in provides the source of effective settings at the setting level. Use the following procedure to use the MMC and load the Resultant Set of Policy snap-in:

Select “Start” and “Run” from the desktop.
Type “mmc.exe” in the Run dialog.
Select “File” from the MMC menu bar.
Select “Add/Remove snap-in” from the drop-down menu.
Click the “Add” button on the Standalone tab.
Select the “Resultant Set of Policy” snap-in and click the “Add” button.
Click “Close”. Click “OK”.
Right-click on the ‘Resultant Set of Policy’ object in the left window.
Select ‘Generate RSoP Data’, click ‘Next’.
Select ‘Logging Mode’, click ‘Next’.
Select ‘This Computer’, click ‘Next’.
Select the option for User Policy settings, click ‘Next’.
Click ‘Next’. Click ‘Finish’.

GPResult.exe

This command-line tool displays information about the result of Group Policy processing but does not provide detail at the settings level for Security Options. The default is the local computer and the locally logged-on user.

The following information comes from Microsoft’s documentation.

GPResult provides the following general information:

Operating System:
  Type (Professional, Server, Domain Controller).
  Build number and Service Pack details.
  Whether Terminal Services is installed and, if so, the mode it is using.
User Information:
  User name and location in Active Directory (if applicable).
  Whether the user has a local or roaming profile and the location of the profile.
  Security group membership.
  Security privileges.
Computer Information:
  Computer name and location in Active Directory (if applicable).
  Domain name and type.
  Site name.

GPResult also provides the following information about Group Policy:

- The last time policy was applied and the domain controller that applied policy, for the user and computer.
- The complete list of applied Group Policy objects and their details, including a summary of the extensions that each Group Policy object contains.
- Registry settings that were applied and their details.
- Folders that are re-directed and their details.
- Software management information detailing assigned and published applications.
- Disk quota information.
- IP Security settings.
- Scripts.

GPResult Syntax

gpresult [/s] [/u] [/p] [/user] [/scope] [/v] [/z] [/?]

/s computer
Specifies the name or IP address of a remote computer. The default is the local computer.

/u domain\user
Runs the command with the account permissions of the user specified. The default is the permissions of the currently logged on user.

/p password
Specifies the password of the user account that is specified with the /u parameter.

/user TargetUserName
Specifies the user name whose RSoP data is to be displayed.

/scope {user|computer}
Displays either the user settings or computer settings. If scope is omitted, both will be displayed.

/v
Runs GPResult in verbose mode.

/z
Specifies that the output display all available Group Policy information. It is recommended that output be redirected to a text file (e.g., gpresult /z > policy.txt).

/?
Displays a command-line syntax screen.
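As an added example (not part of this STIG and not Microsoft's own tooling), the following Python script reads the verbose report that gpresult /v or gpresult /z writes when redirected to a text file as described above, and maps each reported policy back to the GPO that set it, which is the information a reviewer needs to decide which policy object to change. The sample report embedded in the script is constructed to approximate gpresult's layout and is not a real capture; the section and key names it relies on (COMPUTER SETTINGS, Applied Group Policy Objects, GPO:, Policy:, Computer Setting:) are assumptions to confirm against a capture from the system under review.

```python
"""Map each policy in a "gpresult /v" (or "/z") report to the GPO that set it.
Added example, not the STIG's or Microsoft's code.  The sample below is
CONSTRUCTED to approximate gpresult's layout; its section and key names
are assumptions to verify against a real capture."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, not a real capture (see module docstring).
SAMPLE_GPRESULT = """\
COMPUTER SETTINGS
------------------
    Last time Group Policy was applied: 2/26/2010 at 9:45:12 AM

    Applied Group Policy Objects
    -----------------------------
        Server Baseline
        Default Domain Policy

        Account Policies
        ----------------
            GPO: Default Domain Policy
                Policy:            MinimumPasswordLength
                Computer Setting:  14

        User Rights
        -----------
            GPO: Server Baseline
                Policy:            SeNetworkLogonRight
                Computer Setting:  BUILTIN\\Administrators
                                   NT AUTHORITY\\Authenticated Users

USER SETTINGS
--------------
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
"""

SETTING_RE = re.compile(r"(?:Computer|User) Setting:\s*(.*)")
APPLIED_AT_RE = re.compile(r"Last time Group Policy was applied:\s*(.+)")

def parse_gpresult(text: str) -> Dict[str, dict]:
    """Return applied GPOs, last-applied time and policy -> (GPO, value) per scope."""
    applied: Dict[str, List[str]] = {"computer": [], "user": []}
    applied_at: Dict[str, str] = {}
    values: Dict[str, Dict[str, Tuple[str, List[str]]]] = {"computer": {}, "user": {}}
    scope = None             # "computer" or "user"; None until the first scope header
    in_applied_list = False  # reading names under "Applied Group Policy Objects"
    gpo = policy = None      # GPO and policy name of the block being read
    current: Optional[List[str]] = None  # value lines of the open setting

    for raw in text.splitlines():
        line = raw.strip()
        if not line:                       # a blank line closes any list or block
            in_applied_list, current = False, None
            continue
        if set(line) == {"-"}:             # underline beneath a heading
            continue
        if line in ("COMPUTER SETTINGS", "USER SETTINGS"):
            scope, current = line.split()[0].lower(), None
            continue
        if scope is None:                  # banner lines before the first scope
            continue
        if line == "Applied Group Policy Objects":
            in_applied_list = True
            continue
        if in_applied_list:
            applied[scope].append(line)
            continue
        m = APPLIED_AT_RE.match(line)
        if m:
            applied_at[scope] = m.group(1)
            continue
        if line.startswith("GPO:"):
            gpo = line[4:].strip()
            continue
        if line.startswith("Policy:"):
            policy = line[7:].strip()
            continue
        m = SETTING_RE.match(line)
        if m and gpo and policy:
            current = [m.group(1)]
            values[scope][policy] = (gpo, current)
            continue
        if current is not None:            # continuation of a multi-line value
            current.append(line)
    settings = {sc: {pol: (g, "\n".join(v)) for pol, (g, v) in d.items()}
                for sc, d in values.items()}
    return {"applied": applied, "applied_at": applied_at, "settings": settings}


def source_of(report: Dict[str, dict], policy: str,
              scope: str = "computer") -> Optional[Tuple[str, str]]:
    """(GPO, value) gpresult names for a policy, or None when it is not reported."""
    return report["settings"][scope].get(policy)
```

Against a saved report, call parse_gpresult(open("policy.txt").read()) and then source_of(report, "<policy name>"). A policy that comes back as None was not reported by gpresult at all; as noted above, that is the case for settings configured only in the Local Policy and for the registry-backed Security Options, which still need the RSoP snap-in or a direct check on the system.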

Group Policy Management Console

The GPMC should appear in the Administrative Tools menu after it has been installed on a system. It can also be loaded in an MMC with the following steps:

- Select “Start” and “Run” from the desktop.
- Type “mmc.exe” in the Run dialog.
- Select “File” from the MMC menu bar.
- Select “Add/Remove snap-in” from the drop-down menu.
- Click the “Add” button on the Standalone tab.
- Select the “Group Policy Management” snap-in and click the “Add” button.
- Click “Close”.
- Click “OK”.

Select a domain in the left panel to view the applied Group Policies. Additional information can be obtained from Microsoft’s website.


APPENDIX A. OBJECT PERMISSIONS

NSA has determined that the default file ACL settings are adequate when:

- the Security Option “Network access: Let everyone permissions apply to anonymous users” is set to “Disabled”, and
- Power User Group Membership for client systems is restricted to no members.

Discrepancies may occur if either of the two following conditions is true:

- The object’s security posture is more restrictive than specified in this document.
- The object’s security posture is configured in direct support of the system’s mission.

Note: If an ACL setting prevents a site’s applications from performing properly, the site can modify that specific setting. Settings should only be changed to the minimum necessary for the application to function. Each exception to the recommended settings should be documented and kept on file by the IAO.

A.1 File and Folder Permissions

No additional changes are required to file and folder permissions at this time.

A.2 Registry Permissions

No additional changes are required to registry permissions other than those specified in specific requirements of the STIG at this time.


APPENDIX B. REFERENCES

B.1 Policy References

a. DoD Directive 8500.1, “Information Assurance”, October 24, 2002

b. DoD Instruction 8500.2, “Information Assurance (IA) Implementation”, February 6, 2003

c. CJCSM 6510.01, “Defense-in-Depth: Information Assurance (IA) and Computer Network Defense (CND)”, March 25, 2003

d. DISA Windows 2003/XP/2000/Vista Addendum, Version 6.1, May 21, 2007

B.2 Technical References

a. Microsoft Corporation “Microsoft Solutions for Security, Windows Server 2008 Security Guide”, 2008

b. Microsoft Corporation “Windows Vista Security Guide”, 2006

c. Microsoft Corporation “Microsoft Solutions for Security, Threats, and Countermeasures: Security Settings in Windows Server 2003 and Windows XP V2.0”, December 2005

Note: Microsoft recently updated the Windows Server 2008 Security Guide which is now part of the Windows Server 2008 Security Compliance Toolkit. References in this checklist to Appendix A of the Windows Server 2008 Security Guide are now in the Security Baseline Settings workbook of the Compliance Toolkit. The references in the checklist will be updated in a future release.


APPENDIX C. VMS PROCEDURES

Asset Creation

If the asset has not been created by another process (e.g., a Gold Disk results import), then you must create the asset.

Access VMS 6.0 Web Application
- Click ‘Asset Finding Maint.’
- Click ‘Assets / Findings’
- Expand ‘Visits’ or ‘By Location’
- Expand the correct Folder under your selection
- Continue expanding folders until you reach the ‘Computing’ folder
- Click the yellow folder icon located at the right of ‘Computing’
- Input data on ‘General’ tab
- Click the ‘Asset Identification’ tab
  o Enter I.P. Address, which must match the import file.
  o Click ‘Add’
  o Enter MAC Address, which must match the import file.
  o Click ‘Add’
- Click the ‘Asset Posture’ tab
  o Expand ‘Computing’
  o Expand ‘Operating System’, ‘Roles’ and ‘Applications’
  o Expand each and select the appropriate choices
  o Click ‘>>’
  o Click ‘Save’

After successful asset creation, in addition to the ‘expected’ Windows check, there will also be Desktop General checks and IE Checks. This is expected. With VMS 6.0, these vulnerabilities from the Desktop STIG are shown on Windows Assets.

Asset Findings Update

Import the results from the scan tool such as the Gold Disk into VMS. To update manually follow the procedures below.

Access VMS 6.0 Web Application
- Click ‘Asset Finding Maint.’
- Click ‘Assets / Findings’
- Expand ‘Visits’ or ‘By Location’
- Expand the correct Folder under your selection
- Continue expanding folders until you reach the ‘Computing’ folder
- Expand ‘Computing’
- Expand ‘Must Review’
- Expand the correct asset
- Select the Windows Operating System
- Click the vulnerability to be modified
  o Edit desired data
  o Click ‘Save’
  o (Repeat as necessary)
