4 FINAL GOVERNMENTAL_AUTHORITY Microsoft Internet Explorer 7 cpe:/a:microsoft:ie:7.0 Web Browser The Federal Desktop Core Configuration (FDCC) is an OMB-mandated security configuration. The FDCC currently exists for Microsoft Windows Vista and XP operating system software. While not addressed specifically as the "Federal Desktop Core Configuration," the FDCC was originally called for in a 22 March 2007 memorandum from OMB to all Federal agencies and department heads and a corresponding memorandum from OMB to all Federal agency and department Chief Information Officers (CIO). This checklist represents the FDCC guidance for Microsoft Internet Explorer 7. Web Browser FDCC 08/06/2009 - OVAL 5.3 Patch Content Updated 04/08/2009 - Major Version 1.2 released 10/31/2008 - Major Version 1.1.1.0 released 06/20/2008 - Major Version 1.0 released The link to the FDCC home page. FDCC FAQ FDCC primary download page FDCC individual file listings and download page true true true true true false true OVAL 5.3 9E3C08C585D0B64836FD821AA4D6410C8C9AC011 951C03ABF54ADA35FA25162743AAF02EF519417D4B47CE9D61EC3C277DB3C058 The FDCC IE7 SCAP Content using OVAL version 5.3. SCAP_CONTENT OVAL 5.4 AE21DA41BAE747F6F21DEB62B341B6035CF46AE5 2FDFEA8C9DFC84CBE7F3B9BE26B4A5C71EC1AE734010FB537B9F2FBE6CA1F848 FDCC Windows IE7 SCAP content using OVAL version 5.3. SCAP_CONTENT OVAL 5.3 9E3C08C585D0B64836FD821AA4D6410C8C9AC011 951C03ABF54ADA35FA25162743AAF02EF519417D4B47CE9D61EC3C277DB3C058 The FDCC IE7 SCAP Content using OVAL version 5.3. SCAP Content OVAL 5.4 AE21DA41BAE747F6F21DEB62B341B6035CF46AE5 2FDFEA8C9DFC84CBE7F3B9BE26B4A5C71EC1AE734010FB537B9F2FBE6CA1F848 FDCC Windows IE7 SCAP content using OVAL version 5.3. SCAP Content 7DD0E04CEE71F16BBAA6366C358B740C1041834C 53664841150B753339A32B7C3A3A4EA4F7CB760D77023A6ECC0B147AE4B02F73 FDCC Windows Vista Firewall GPOs GPOs 1C4962660C0CEB4CA530DFFE7A56C81463C78F50 37FC8ECB0A95AB31B56463A5D83E6206DC4964D6A1FA0E4AF710BBD246BEB0F6 This is the human readable version of the FDCC settings. Prose CCE-3201-1 2009-07-30T19:30:14.640Z 2009-07-30T19:30:14.640Z The "Make Proxy Settings Per-Machine (Rather Then Per-User)" setting should be configured correctly. CCE-3204-5 2009-07-30T19:30:14.797Z 2009-07-30T19:30:14.797Z The "Turn Off changing the URL to be displayed for checking updates to Internet Explorer and Internet Tools" setting should be configured correctly. CCE-3207-8 2009-07-30T19:30:14.890Z 2009-07-30T19:30:14.890Z The "Prevent performance of First Run Customize settings" setting should be configured correctly. CCE-3216-9 2009-07-30T19:30:15.360Z 2009-07-30T19:30:15.360Z The "Scripting of Java applets" setting should be configured correctly for the Restricted Sites Zone. CCE-3249-0 2009-07-30T19:30:15.000Z 2009-07-30T19:30:15.000Z The "Allow status bar updates via script" setting should be configured correctly for the Internet Zone. CCE-3264-9 2009-07-30T19:30:15.407Z 2009-07-30T19:30:15.407Z The "Display mixed content" setting should be configured correctly for the Restricted Sites Zone. AC-3 SC-1 CCE-3275-5 2009-07-30T19:30:15.500Z 2009-07-30T19:30:15.500Z The "Configure Outlook Express" setting should be configured correctly CM-6 CCE-3337-3 2009-07-30T19:30:15.170Z 2009-07-30T19:30:15.170Z The "Drag and drop or copy and paste files" setting should be configured correctly for the Restricted Sites Zone. SI-3 CCE-3338-1 2009-07-30T19:30:14.610Z 2009-07-30T19:30:14.610Z The "Internet Explorer Processes (MK Protocol)" setting should be configured correctly. CM-6 CCE-3378-7 2009-07-30T19:30:14.717Z 2009-07-30T19:30:14.717Z The "Turn Off First- Run Opt-In" setting should be configured correctly for the Internet Zone. CM-6 CCE-3400-9 2009-07-30T19:30:15.327Z 2009-07-30T19:30:15.327Z The "Run components not signed with Authenticode" setting should be configured correctly for the Restricted Sites Zone. CM-5 CM-6 CCE-3477-7 2009-07-30T19:30:55.767Z 2009-07-30T19:30:55.767Z The "Turn off downloading of enclosures" setting should be configured correctly. CM-6 CCE-3518-8 2009-07-30T19:30:14.640Z 2009-07-30T19:30:14.640Z The "Disable Automatic Install of Internet Explorer Components" setting should be configured correctly. CM-5 SI-3 SI-7 SI-8 CCE-3553-5 2009-07-30T19:30:15.077Z 2009-07-30T19:30:15.077Z The "Software channel permissions" setting should be configured correctly for the Internet Zone. CM-5 CCE-3564-2 2009-07-30T19:30:15.250Z 2009-07-30T19:30:15.250Z The "Download unsigned ActiveX controls" setting should be configured correctly for the Restricted Sites Zone. SC-1 SI-3 CCE-3570-9 2009-07-30T19:30:15.110Z 2009-07-30T19:30:15.110Z The "Web sites in less privileged Web content zones can navigate into this zone" setting should be configured correctly for the Internet Zone. CM-6 CM-7 CCE-3576-6 2009-07-30T19:30:14.577Z 2009-07-30T19:30:14.577Z The "Disable Periodic Check For Internet Explorer Software Updates" setting should be configured correctly. CM-6 SC-1 SI-2 CCE-3584-0 2009-07-30T19:30:14.937Z 2009-07-30T19:30:14.937Z The "Automatically Check for Internet Explorer Updates" setting should be configured correctly. CM-2 CM-6 CCE-3590-7 2009-07-30T19:30:15.297Z 2009-07-30T19:30:15.297Z The "Loose XAML" setting should be configured correctly for the Restricted Sites Zone. CM-6 CCE-3601-2 2009-07-30T19:30:14.983Z 2009-07-30T19:30:14.983Z The "Allow Scriptlets" setting should be configured correctly for the Internet Zone. SC-1 SI-3 CCE-3615-2 2009-07-30T19:30:14.907Z 2009-07-30T19:30:14.907Z The "Turn off "Delete Browsing History" functionality" setting should be configured correctly. AU-9 CM-6 CCE-3619-4 2009-07-30T19:30:15.093Z 2009-07-30T19:30:15.093Z The "Use Pop-up Blocker" setting should be configured correctly for the Internet Zone. SI-8 CCE-3623-6 2009-07-30T19:30:15.047Z 2009-07-30T19:30:15.047Z The "Logon" setting should be configured correctly for the Internet Zone. CM-6 IA-2 CCE-3647-5 2009-07-30T19:30:15.437Z 2009-07-30T19:30:15.437Z The "Turn on the auto-complete feature for user names and passwords on form" setting should be configured correctly. CM-6 IA-5 CCE-3677-2 2009-07-30T19:30:15.453Z 2009-07-30T19:30:15.453Z The "Allow Install On Demand (Internet Explorer)" setting should be configured correctly. CM-5 SI-7 CCE-3696-2 2009-07-30T19:30:15.280Z 2009-07-30T19:30:15.280Z The "Logon" setting should be configured correctly for the Restricted Sites Zone. CM-6 IA-2 CCE-3706-9 2009-07-30T19:30:14.860Z 2009-07-30T19:30:14.860Z The "Disable Showing the Splash Screen" setting should be configured correctly. CM-5 CM-6 CCE-3744-0 2009-07-30T19:30:14.657Z 2009-07-30T19:30:14.657Z The "Do Not Allow Users to enable or Disable Add-Ons" setting should be configured correctly. CM-5 CM-7 CCE-3751-5 2009-07-30T19:30:15.063Z 2009-07-30T19:30:15.063Z The "Loose XAML" setting should be configured correctly for the Internet Zone. CM-6 CCE-3754-9 2009-07-30T19:30:15.627Z 2009-07-30T19:30:15.627Z The "Java permissions" setting should be configured correctly for the Locked Down Intranet Zone. SC-1 CCE-3825-7 2009-07-30T19:30:15.517Z 2009-07-30T19:30:15.517Z The "Disable Internet Connection wizard" setting should be configured correctly. CM-6 CCE-3853-9 2009-07-30T19:30:14.953Z 2009-07-30T19:30:14.953Z The "Access data sources across domains" setting should be configured correctly for the Internet Zone. AC-4 CCE-3855-4 2009-07-30T19:30:15.360Z 2009-07-30T19:30:15.360Z The "Software channel permissions" setting should be configured correctly for the Restricted Sites Zone. CM-5 CCE-3866-1 2009-07-30T19:30:14.907Z 2009-07-30T19:30:14.907Z The "Turn off Managing Phishing Filter" setting should be configured correctly. SC-1 SI-3 SI-8 CCE-3875-2 2009-07-30T19:30:14.920Z 2009-07-30T19:30:14.920Z The "Turn off the Security Settings Check feature" setting should be configured correctly. SI-6 CCE-3888-5 2009-07-30T19:30:14.967Z 2009-07-30T19:30:14.967Z The "Font download" setting should be configured correctly for the Internet Zone. SI-3 CCE-3891-9 2009-07-30T19:30:15.627Z 2009-07-30T19:30:15.627Z The "Java permissions" setting should be configured correctly for the Local Machine Zone. SC-1 CCE-3894-3 2009-07-30T19:30:14.670Z 2009-07-30T19:30:14.670Z The "Turn Off Crash Detection" setting should be configured correctly. CM-4 CCE-3902-4 2009-07-30T19:30:15.703Z 2009-07-30T19:30:15.703Z The "Java permissions" setting should be configured correctly for the Locked Down Restricted Sites Zone. SC-1 CCE-3905-7 2009-07-30T19:30:15.157Z 2009-07-30T19:30:15.157Z The "Access data sources across domains" setting should be configured correctly for the Restricted Sites Zone. AC-4 CCE-3906-5 2009-07-30T19:30:14.967Z 2009-07-30T19:30:14.967Z The "Installation of desktop items" setting should be configured correctly for the Internet Zone. SI-3 CCE-3909-9 2009-07-30T19:30:15.733Z 2009-07-30T19:30:15.733Z The "Turn on Protected Mode" setting should be configured correctly for the Restricted Sites Zone. CM-6 CM-7 CCE-3914-9 2009-07-30T19:30:15.093Z 2009-07-30T19:30:15.093Z The "Userdata persistence" setting should be configured correctly for the Internet Zone. SC-4 CCE-3924-8 2009-07-30T19:30:14.563Z 2009-07-30T19:30:14.563Z Internet Explorer Processes (Restrict ActiveX Install) CM-6 CCE-3927-1 2009-07-30T19:30:15.017Z 2009-07-30T19:30:15.017Z The "Download signed ActiveX controls" setting should be configured correctly for the Internet Zone. SC-1 SI-3 CCE-3929-7 2009-07-30T19:30:14.577Z 2009-07-30T19:30:14.577Z The "Security Zones: Do Not Allow Users to Add/Delete Sites" setting should be configured correctly. AC-3 AC-6 CM-5 CCE-3933-9 2009-07-30T19:30:14.687Z 2009-07-30T19:30:14.687Z The "Security Zones: Do Not Allow Users to Change Policies" setting should be configured correctly. AC-3 AC-6 CM-5 CCE-3941-2 2009-07-30T19:30:14.610Z 2009-07-30T19:30:14.610Z The "Allow Software to Run or Install Even if the Signature is Invalid" setting should be configured correctly. CM-5 SI-7 CCE-3945-3 2009-07-30T19:30:15.017Z 2009-07-30T19:30:15.017Z The "Download unsigned ActiveX controls" setting should be configured correctly for the Internet Zone. SC-1 SI-3 CCE-3963-6 2009-07-30T19:30:15.030Z 2009-07-30T19:30:15.030Z The "Java permissions" setting should be configured correctly for the Internet Zone. SC-1 CCE-3976-8 2009-07-30T19:30:14.953Z 2009-07-30T19:30:14.953Z The "Check for Server Certificate Revocation" setting should be configured correctly. IA-5 SC-1 CCE-3984-2 2009-07-30T19:30:15.110Z 2009-07-30T19:30:15.110Z The "Display mixed content" setting should be configured correctly for the Internet Zone. AC-3 SC-1 CCE-3989-1 2009-07-30T19:30:15.127Z 2009-07-30T19:30:15.127Z The "Display mixed content" setting should be configured correctly for the Intranet Zone. AC-3 SC-1 CCE-3993-3 2009-07-30T19:30:14.877Z 2009-07-30T19:30:14.877Z The "Prevent participation in the Customer Experience Improvement Programs" setting should be configured correctly. AC-4 CCE-3996-6 2009-07-30T19:30:15.267Z 2009-07-30T19:30:15.267Z The "Java permissions" setting should be configured correctly for the Restricted Sites Zone. SC-1 CCE-3998-2 2009-07-30T19:30:14.953Z 2009-07-30T19:30:14.953Z The "Drag and drop or copy and paste files" setting should be configured correctly for the Internet Zone. SI-3 CCE-4001-4 2009-07-30T19:30:14.843Z 2009-07-30T19:30:14.843Z The "Disable "Configuring History"" setting should be configured correctly. CM-6 CCE-4013-9 2009-07-30T19:30:14.733Z 2009-07-30T19:30:14.733Z The "Allow cut, copy, or paste operations from the clipboard via script" setting should be configured correctly for the Restricted Sites Zone. SI-3 CCE-4017-0 2009-07-30T19:30:14.563Z 2009-07-30T19:30:14.563Z The "Security Zones: Use Only Machine Settings" setting should be configured correctly. CM-2 CM-6 CCE-4018-8 2009-07-30T19:30:15.377Z 2009-07-30T19:30:15.377Z The "Use Pop-up Blocker" setting should be configured correctly for the Restricted Sites Zone. SI-8 CCE-4026-1 2009-07-30T19:30:14.703Z 2009-07-30T19:30:14.703Z The "Check for Signature on Downloaded Programs" setting should be configured correctly. IA-5 SC-1 CCE-4028-7 2009-07-30T19:30:15.140Z 2009-07-30T19:30:15.140Z The "Display mixed content" setting should be configured correctly for the Locked Down Local Machine Zone. AC-3 SC-1 CCE-4031-1 2009-07-30T19:30:15.233Z 2009-07-30T19:30:15.233Z The "Allow status bar updates via script" setting should be configured correctly for the Restricted Sites Zone. SC-8 SI-3 CCE-4036-0 2009-07-30T19:30:15.517Z 2009-07-30T19:30:15.517Z The "Turn on the Internet Connection Wizard Auto Detect" setting should be configured correctly. CM-6 CCE-4040-2 2009-07-30T19:30:15.377Z 2009-07-30T19:30:15.377Z The "Userdata persistence" setting should be configured correctly for the Restricted Sites Zone. SC-4 CCE-4043-6 2009-07-30T19:30:14.593Z 2009-07-30T19:30:14.593Z Internet Explorer Processes (Zone Elevation Protection) CM-6 CCE-4047-7 2009-07-30T19:30:14.593Z 2009-07-30T19:30:14.593Z The "Internet Explorer Processes (Consistent MIME Handling)" setting should be configured correctly. CM-6 CCE-4050-1 2009-07-30T19:30:15.157Z 2009-07-30T19:30:15.157Z The "Active scripting" setting should be configured correctly for the Restricted Sites Zone. SC-1 SI-3 CCE-4052-7 2009-07-30T19:30:14.750Z 2009-07-30T19:30:14.750Z The "Web Browser Applications" setting should be configured correctly for the Restricted Sites Zone. CM-6 CM-7 CCE-4053-5 2009-07-30T19:30:15.233Z 2009-07-30T19:30:15.233Z The "Automatic prompting for file downloads" setting should be configured correctly for the Restricted Sites Zone. SC-1 SI-3 CCE-4056-8 2009-07-30T19:30:15.453Z 2009-07-30T19:30:15.453Z The "Turn off page transitions" setting should be configured correctly. CM-6 CCE-4057-6 2009-07-30T19:30:15.250Z 2009-07-30T19:30:15.250Z The "Download signed ActiveX controls" setting should be configured correctly for the Restricted Sites Zone. SC-1 SI-3 CCE-4062-6 2009-07-30T19:30:15.187Z 2009-07-30T19:30:15.187Z The "Font download" setting should be configured correctly for the Restricted Sites Zone. SI-3 CCE-4066-7 2009-07-30T19:30:15.280Z 2009-07-30T19:30:15.280Z The "Launching programs and files in an IFRAME" setting should be configured correctly for the Restricted Sites Zone. SC-1 SI-3 CCE-4068-3 2009-07-30T19:30:15.030Z 2009-07-30T19:30:15.030Z The "Initialize and script ActiveX controls not marked as safe for scripting" setting should be configured correctly for the Internet Zone. SC-1 CCE-4079-0 2009-07-30T19:30:15.203Z 2009-07-30T19:30:15.203Z The "Installation of desktop items" setting should be configured correctly for the Restricted Sites Zone. CM-6 CCE-4084-0 2009-07-30T19:30:15.203Z 2009-07-30T19:30:15.203Z The "Allow META REFRESH" setting should be configured correctly for the Restricted Sites Zone. CM-6 CCE-4087-3 2009-07-30T19:30:15.420Z 2009-07-30T19:30:15.420Z The "Display mixed content" setting should be configured correctly for the Trusted Sites Zone. AC-3 SC-1 CCE-4098-0 2009-07-30T19:30:14.813Z 2009-07-30T19:30:14.813Z The "Turn Off Configuring the Update Check Interval (In Days)" setting should be configured correctly. CM-6 SI-2 CCE-4099-8 2009-07-30T19:30:14.983Z 2009-07-30T19:30:14.983Z The "Allow script-initiated windows without size or position constraints" setting should be configured correctly for the Internet Zone. SC-1 SI-3 CCE-4101-2 2009-07-30T19:30:15.267Z 2009-07-30T19:30:15.267Z The "Initialize and script ActiveX controls not marked as safe for scripting" setting should be configured correctly for the Restricted Sites Zone. SC-1 CCE-4104-6 2009-07-30T19:30:15.047Z 2009-07-30T19:30:15.047Z The "Launching programs and files in an IFRAME" setting should be configured correctly for the Internet Zone. SC-1 SI-3 CCE-4109-5 2009-07-30T19:30:14.717Z 2009-07-30T19:30:14.717Z The "Allow cut, copy, or paste operations from the clipboard via script" setting should be configured correctly for the Internet Zone. SI-3 CCE-4110-3 2009-07-30T19:30:15.297Z 2009-07-30T19:30:15.297Z The "Navigate sub-frames across different domains" setting should be configured correctly for the Restricted Sites Zone. CM-6 CCE-4118-6 2009-07-30T19:30:14.627Z 2009-07-30T19:30:14.627Z The "Disable Software Update Shell Notifications on Program Launch" setting should be configured correctly. CM-5 CM-6 CCE-4119-4 2009-07-30T19:30:15.217Z 2009-07-30T19:30:15.217Z The "Allow script-initiated windows without size or position constraints" setting should be configured correctly for the Restricted Sites Zone. SC-1 SI-3 CCE-4121-0 2009-07-30T19:30:15.127Z 2009-07-30T19:30:15.127Z The "Display mixed content" setting should be configured correctly for the Locked Down Intranet Zone. AC-3 SC-1 CCE-4122-8 2009-07-30T19:30:14.627Z 2009-07-30T19:30:14.627Z The "Internet Explorer Processes (Restrict File Download)" setting should be configured correctly. CM-6 CCE-4131-9 2009-07-30T19:30:14.733Z 2009-07-30T19:30:14.733Z The "Web Browser Applications" setting should be configured correctly for the Internet Zone. CM-6 CM-7 CCE-4132-7 2009-07-30T19:30:15.313Z 2009-07-30T19:30:15.313Z The "Open files based on content, not file extension" setting should be configured correctly for the Restricted Sites Zone. CM-6 CCE-4138-4 2009-07-30T19:30:15.140Z 2009-07-30T19:30:15.140Z The "Display mixed content" setting should be configured correctly for the Local Machine Zone. AC-3 SC-1 CCE-4139-2 2009-07-30T19:30:15.000Z 2009-07-30T19:30:15.000Z The "Automatic prompting for file downloads" setting should be configured correctly for the Internet Zone. SC-1 SI-3 CCE-4143-4 2009-07-30T19:30:15.063Z 2009-07-30T19:30:15.063Z The "Navigate sub-frames across different domains" setting should be configured correctly for the Internet Zone. CM-6 CCE-4147-5 2009-07-30T19:30:14.843Z 2009-07-30T19:30:14.843Z The "Disable Changing Automatic Configuration Settings" setting should be configured correctly. CM-5 CCE-4149-1 2009-07-30T19:30:14.687Z 2009-07-30T19:30:14.687Z The "Internet Explorer Processes (MIME Sniffing)" setting should be configured correctly. CM-6 CCE-4150-9 2009-07-30T19:30:15.187Z 2009-07-30T19:30:15.187Z The "File download" setting should be configured correctly for the Restricted Sites Zone. SI-3 CCE-4153-3 2009-07-30T19:30:14.733Z 2009-07-30T19:30:14.733Z The "Turn Off First- Run Opt-In" setting should be configured correctly for the Restricted Sites Zone. CM-6 CCE-4158-2 2009-07-30T19:30:15.327Z 2009-07-30T19:30:15.327Z The "Run components signed with Authenticode" setting should be configured correctly for the Restricted Sites Zone. CM-5 CM-6 CCE-4160-8 2009-07-30T19:30:15.640Z 2009-07-30T19:30:15.640Z The "Java permissions" setting should be configured correctly for the Locked Down Local Machine Zone. SC-1 CCE-4161-6 2009-07-30T19:30:15.077Z 2009-07-30T19:30:15.077Z The "Open files based on content, not file extension" setting should be configured correctly for the Internet Zone. CM-6 CCE-4162-4 2009-07-30T19:30:14.670Z 2009-07-30T19:30:14.670Z The "Internet Explorer Processes (Scripted Window Security Restrictions)" setting should be configured correctly. CM-6 CCE-4163-2 2009-07-30T19:30:15.343Z 2009-07-30T19:30:15.343Z The "Run ActiveX controls and plugins" setting should be configured correctly for the Restricted Sites Zone. SC-1 CCE-4171-5 2009-07-30T19:30:14.703Z 2009-07-30T19:30:14.703Z The "Do Not Allow Resetting Internet Explorer Settings" setting should be configured correctly. CM-5 CCE-4174-9 2009-07-30T19:30:14.920Z 2009-07-30T19:30:14.920Z The "Allow Active Content from CD's to Run on User Machine" setting should be configured correctly. CM-5 SI-7 CCE-4175-6 2009-07-30T19:30:14.767Z 2009-07-30T19:30:14.767Z The "Intranet Sites: Include all network paths (UNCs)" setting should be configured correctly. AC-4 CCE-4192-1 2009-07-30T19:30:14.937Z 2009-07-30T19:30:14.937Z The "Enable third-party browser extensions" setting should be configured correctly. CM-5 SI-3 CCE-4196-2 2009-07-30T19:30:15.170Z 2009-07-30T19:30:15.170Z The "Binary and script behaviors" setting should be configured correctly for the Restricted Sites Zone. SC-1 SI-3 CCE-4199-6 2009-07-30T19:30:14.797Z 2009-07-30T19:30:14.797Z The "Prevent Ignoing Certificate Errors" setting should be configured correctly. SI-6 CCE-4202-8 2009-07-30T19:30:15.343Z 2009-07-30T19:30:15.343Z The "Script ActiveX controls marked safe for scripting" setting should be configured correctly for the Restricted Sites Zone. SC-1 CCE-4215-0 2009-07-30T19:30:15.390Z 2009-07-30T19:30:15.390Z The "Web sites in less privileged Web content zones can navigate into this zone" setting should be configured correctly for the Restricted Sites Zone. CM-6 CM-7 CCE-4226-7 2009-07-30T19:30:15.530Z 2009-07-30T19:30:15.530Z The "Disable the Reset Web Settings feature" should be configured correctly. CM-5 CM-6 CCE-4232-5 2009-07-30T19:30:15.420Z 2009-07-30T19:30:15.420Z The "Display mixed content" setting should be configured correctly for the Locked Down Trusted Sites Zone. AC-3 SC-1 CCE-4237-4 2009-07-30T19:30:15.500Z 2009-07-30T19:30:15.500Z The "Disable external branding of Internet Explorer" setting should be configured correctly. CM-6 CCE-4246-5 2009-07-30T19:30:15.467Z 2009-07-30T19:30:15.467Z The "Disable AutoComplete for forms" setting should be configured correctly. CM-5 CCE-4259-8 2009-07-30T19:30:15.437Z 2009-07-30T19:30:15.437Z The "Enable Native XMLHttp Support" setting should be configured correctly. SC-1 CCE-4546-8 2009-07-30T19:30:15.717Z 2009-07-30T19:30:15.717Z The "Allow status bar updates via script" setting should be configured correctly for the Locked-Down Trusted Sites Zone. SC-1 CCE-4564-1 2009-07-30T19:30:15.717Z 2009-07-30T19:30:15.717Z The "Java permissions" setting should be configured correctly for the Locked Down Trusted Sites Zone. SC-1 CCE-4581-5 2009-07-30T19:31:58.670Z 2009-07-30T19:31:58.670Z The "Turn off downloading of enclosures" setting should be configured correctly. CM-6 CCE-4643-3 2009-07-30T19:30:15.657Z 2009-07-30T19:30:15.657Z The "Turn on Protected Mode" setting should be configured correctly for the Internet Zone. CM-6 CM-7 CCE-4652-4 2009-07-30T19:30:15.670Z 2009-07-30T19:30:15.670Z The "Java permissions" setting should be configured correctly for the Intranet Zone. SC-1 CCE-4692-0 2009-07-30T19:30:15.687Z 2009-07-30T19:30:15.687Z The "Java permissions" setting should be configured correctly for the Locked Down Internet Zone. SC-1 CCE-4763-9 2009-07-30T19:30:15.657Z 2009-07-30T19:30:15.657Z Computer-wide, rather than per-user, assignment of sites to zones for Internet Explorer should be enabled or disabled as appropriate. AC-4 CCE-4793-6 2009-07-30T19:30:15.670Z 2009-07-30T19:30:15.670Z The "Download signed ActiveX controls" setting should be configured correctly for the Locked-Down Internet Zone. SC-1 SI-3 CCE-4845-4 2009-07-30T19:30:15.733Z 2009-07-30T19:30:15.733Z The "Java permissions" setting should be configured correctly for the Trusted Sites Zone. SC-1 3 UNDER_REVIEW GOVERNMENTAL_AUTHORITY Redhat Enterprise Linux 4.0 cpe:/o:redhat:enterprise_linux:4.0 Operating System This guide has been created to assist IT professionals, in effectively securing systems with Red Hat Enterprise Linux 4. Operating System Developed for the DOD. This document is intended for IAOs, SAs, IAMs, NSOs, and others who are responsible for the configuration, management, or support of information systems. It assumes that the reader has knowledge of the UNIX operating system and is familiar with common computer terminology. MANAGED SSLF DOD Directive 8500. Please refer to the Checklist or the README.txt files provided with the scripts for any comments, warnings, or detailed instructions. Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. NIST assumes no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic. NIST would appreciate acknowledgement if the document and template are used. It should be noted that FSO Support for the STIGs, Checklists, and Tools is only available to DOD Customers. true true true false false false true CEDF5407C0E9C96996853B647A90461E43312A81 7ED1A3EEE24EFE888934F3C3153B43C02760CA977D9F52050A2285460B039B2A SCAP content for the checklist entitled SCAP: Guide To The Secure Configuration of Red Hat Enterprise Linux 4. SCAP_CONTENT CEDF5407C0E9C96996853B647A90461E43312A81 7ED1A3EEE24EFE888934F3C3153B43C02760CA977D9F52050A2285460B039B2A SCAP content for the checklist entitled SCAP: Guide To The Secure Configuration of Red Hat Enterprise Linux 4. SCAP Content CFC60D835D75538A8DC56C62B9DC48A5ADB83DAA A84319C8F2495F6E8784A7845AC50DF892E8356B7842EC24189A36100997E1E9 Prose 3 UNDER_REVIEW GOVERNMENTAL_AUTHORITY Sun Solaris 9 cpe:/o:sun:solaris:9 Operating System This guide has been created to assist IT professionals, in effectively securing systems with Sun Microsystems Solaris 9. Operating System Developed for the DOD. This guide has been created to assist IT professionals, in effectively securing systems with Sun Microsystems Solaris 9. MANAGED SSLF DOD Directive 8500. Please refer to the Checklist or the README.txt files provided with the scripts for any comments, warnings, or detailed instructions. This guide has been created to assist IT professionals, in effectively securing systems with Sun Microsystems Solaris 9. It should be noted that FSO Support for the STIGs, Checklists, and Tools is only available to DOD Customers. true true true false false false true CBFF22750ADEA3CCD14E34C422B76CCC232C8B5A 0EF8545AA5C2D12DAE5C8A4111A1102085F8CE52ABA6A2C1975404241ABBEA50 SCAP content for checklist entitled SCAP: Guide To The Secure Configuration of Sun Solaris 9. SCAP_CONTENT CBFF22750ADEA3CCD14E34C422B76CCC232C8B5A 0EF8545AA5C2D12DAE5C8A4111A1102085F8CE52ABA6A2C1975404241ABBEA50 SCAP content for checklist entitled SCAP: Guide To The Secure Configuration of Sun Solaris 9. SCAP Content CFC60D835D75538A8DC56C62B9DC48A5ADB83DAA A84319C8F2495F6E8784A7845AC50DF892E8356B7842EC24189A36100997E1E9 Prose 2 UNDER_REVIEW GOVERNMENTAL_AUTHORITY HP HP-UX 11 cpe:/o:hp:hp-ux:11 Operating System This guide has been created to assist IT professionals, in effectively securing systems with HP-UX 11. Operating System Developed for the DOD. This document is intended for IAOs, SAs, IAMs, NSOs, and others who are responsible for the configuration, management, or support of information systems. It assumes that the reader has knowledge of the UNIX operating system and is familiar with common computer terminology. MANAGED SSLF DOD Directive 8500. Please refer to the Checklist or the README.txt files provided with the scripts for any comments, warnings, or detailed instructions. Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. NIST assumes no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic. NIST would appreciate acknowledgement if the document and template are used It should be noted that FSO Support for the STIGs, Checklists, and Tools is only available to DOD Customers. false true false false false false true 9F449A6BBE5100416B4487E66038368816B72BE9 2A1AAC44576C0E466D732A06CA8824DEA51E3F941DF1DDA58BD73614DE57A279 The machine-readable configuration guidance for the checklist entitled SCAP: Guide To The Secure Configuration of HP-UX 11. Standalone XCCDF CFC60D835D75538A8DC56C62B9DC48A5ADB83DAA A84319C8F2495F6E8784A7845AC50DF892E8356B7842EC24189A36100997E1E9 Prose 2 UNDER_REVIEW GOVERNMENTAL_AUTHORITY IBM AIX 5 cpe:/o:ibm:aix:5 Operating System This guide has been created to assist IT professionals, in effectively securing systems with IBM AIX 5. Operating System Developed for the DOD. This document is intended for IAOs, SAs, IAMs, NSOs, and others who are responsible for the configuration, management, or support of information systems. It assumes that the reader has knowledge of the UNIX operating system and is familiar with common computer terminology. MANAGED SSLF DOD Directive 8500. Please refer to the Checklist or the README.txt files provided with the scripts for any comments, warnings, or detailed instructions. Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. NIST assumes no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic. NIST would appreciate acknowledgement if the document and template are used. It should be noted that FSO Support for the STIGs, Checklists, and Tools is only available to DOD Customers. false true false false false false true 8482B0FF060F1F105E514325310AFA314F4AC625 473716B92B81D54379ADDD358721FDEAA9503FF2AC1BD74112124D69321264C0 This is the machine-readable configuration content for the checklist entitled SCAP: Guide To The Secure Configuration of IBM AIX 5. Standalone XCCDF CFC60D835D75538A8DC56C62B9DC48A5ADB83DAA A84319C8F2495F6E8784A7845AC50DF892E8356B7842EC24189A36100997E1E9 Prose 1 UNDER_REVIEW GOVERNMENTAL_AUTHORITY Apache HTTP Server 2.0 cpe:/a:apache:http_server:2.0 Web Server Apache HTTP Server 1.3 cpe:/a:apache:http_server:1.3 Web Server This group of checklists covers valuable security-related information for the Apache web server and web site server products. It includes procedures to perform a Security Readiness Review (SRR). Security items covered are based on the Web Server Secure Technology Implementation Guide (STIG) published by DISA. The reviewer will apply Systems Administration knowledge and have familiarity with web server and web site configurations. Apache Server, UNIX, Linux, and/or Windows server experience is beneficial. Users of this checklist will need to be able to navigate the file systems of these operating environments. This web server checklist targets conditions that undermine the integrity of security, contribute to inefficient security operations and administration, or that may lead to the interruption of production operations. The documentation provides procedures for assessing Apache web server and Apache web site server products. The document is broken into the following sections: Section 1: Contains specific product requirements for an Apache web server that were not addressed in the Web Server Secure Technology Implementation Guide (STIG) [http://iase.disa.mil/stigs/stig/index.html]. Section 2: Is not applicable to assessing Apache, but is specific to clients of the DISA VMS database. Section 3: Provides configuration information for Apache 1.3.x web server installations focusing on mitigating denial of dervice attacks, restricting file access, mitigating buffer overflows, account management, OS and DMZ configurations. Section 4: Provides configuration information for Apache web site 1.3.x in the areas of policy configuration, account privileges, and encryption. Section 5: Provides configuration information for Apache 2.x web server installations focusing on mitigating Denial of Service attacks, restricting file access, mitigating buffer overflows, account management, OS and DMZ configurations. Section 6: Provides configuration information for Apache web site 2.x in the areas of policy configuration, account privileges, and encryption. Note: Specific assessment procedures and information for assessing Apache can be found in all other sections of this checklist bundle, some of which is question-answer oriented. Web Server Developed by DISA for the DOD. This document is intended for those responsible for the configuration and management of information systems. It assumes that the reader has knowledge of web servers and is familiar with common computer terminology. MANAGED SSLF DOD Directive 8500.2, DOD Directive 8520.2 Please refer to the Checklist. Only available to DOD customers. false false false false false false false 781955F1F661BD3014D61548008B1742E2393257 E2479B2ECBB09E82F542EB211F74AAC864547389D2B6D9430379F545B47128F7 Prose 1 FINAL GOVERNMENTAL_AUTHORITY Microsoft Windows Server 2003 cpe:/o:microsoft:windows_2003_server Operating System ISC Bind 9.3.1 cpe:/a:isc:bind:9.3.1 DNS Servers ISC Bind 9.3.2 cpe:/a:isc:bind:9.3.2 DNS Servers Microsoft Windows Server 2000 cpe:/o:microsoft:windows_2000:::server Operating System Microsoft Windows XP cpe:/o:microsoft:windows_xp Operating System Microsoft Windows 2000 cpe:/o:microsoft:windows_2000 Operating System Cisco Content Services Switch cpe:/h:cisco:content_services_switch Network Switch This document contains procedures that enable qualified personnel to conduct a Domain Name System (DNS) Security Readiness Review (SRR). The DNS SRR assesses an organization�¢??s compliance with the Defense Information Systems Agency (DISA) DNS Security Technical Implementation Guidance (STIG). DISA Field Security Operations (FSO) conducts SRRs to provide DISA, Joint Commands, and other Department of Defense (DOD) organizations with a level of confidence that their DNS is secure and can adequately support their mission. This document provides step by step instructions to verify Domain Name Systems are securely configured. This checklist is arranged by asset posture. The first section is dedicated to the Non-Computing Asset posture of DNS Policy. These checks/requirements need only be performed once for the site as they apply to all DNS servers and the DNS architecture, regardless of platform or function. The finding status should be updated if a change takes place on the system, during a yearly accreditation visit if vulnerabilities are identified, or during a self assessment. The remaining sections focus on the computing asset posture of the type of DNS software running on the platform: All DNS servers, BIND, Windows DNS, or CISCO CSS. - Section 2: Non-Computing DNS Policy - Section 3: All DNS servers - Section 4: BIND servers, both UNIX and Windows operating system platforms - Section 5: Windows DNS Server - Section 6: CISCO CSS DNS Domain Name Server The reviewer must examine the IAVM notices carefully when there are potential issues. In future releases of the checklist, additional guidance will be provided on how to check for these scenarios. Developped for the DOD. This checklist has been created for IT professionals, particularly network system administrators and information security personnel. The document assumes that the reader has experience installing and administering DNS Servers. MANAGED SSLF DOD Directive 8500. Please refer to the Checklist or the README.txt files provided with the scripts for any comments, warnings, or detailed instructions. It should be noted that FSO Support for the STIGs, Checklists, and Tools is only available to DOD Customers. Version 1, Release 1, date unknown Version 1, Release 2.2, date unknown Version 1, Release 3.1, date unknown Version 2, Release 1.1, 2004-05-12 Version 2, Release 1.2, 2004-07-15 Version 2, Release 1.3, 2005-08-08 Version 2, Release 2, 2006-06-16 Version 3, Release 1, 2006-12-08 Version 3, Release 1.1, 2007-03-15 Version 4, Release 1.1, 2007-10-17 Version 4, Release 1.5, 2008-12-15 false false false false false false false 72C424EEFF19910FF5B5E45DBB36C9E4DC7B82BD 4BAEBA2A91B857E08C58AC19877CED2DE81A7F6ADABA05C4E28845B92DBDDB21 Prose 1 FINAL GOVERNMENTAL_AUTHORITY Microsoft SQL Server 2000 cpe:/a:microsoft:sql_server:2000 Database Management System Oracle Database 8i cpe:/a:oracle:oracle8i Database Management System Oracle Database 10g cpe:/a:oracle:oracle10g Database Management System Oracle Database 9i cpe:/a:oracle:oracle9i Database Management System IBM DB2 8.1 cpe:/a:ibm:db2:8.1 Database Management System Microsoft SQL Server 7.0 cpe:/a:microsoft:sql_server:7.0 Database Management System The Database Security Readiness Review (SRR) targets conditions that undermine the integrity of security, contribute to inefficient security operations and administration, or may lead to interruption of production operations. This SRR guide focuses strictly on Oracle versions 8i, 9i and Microsoft SQL Server versions 7.0, 2000. Additionally, this checklist ensures the site has properly installed and implemented the database environment and that it is being managed in a way that is secure, efficient, and effective, through procedures outlined in the checklist. The items reviewed are based on standards and requirements published by DISA in the Security Handbook and the Database Security Technical Implementation Guide. The results of the SRR scripts will coincide with the Database SRR Checklist with the following: F - Finding, N/F - Not A Finding, N/A - Not Applicable, MR - Manual Review, or NR - Not Reviewed, which can be filled in Section 2A (Oracle SRR Result Report) or Section 2B (MS SQL Server SRR Results Report). DISA Field Security Operations has assigned a level of urgency to each finding based on Chief Information Officer (CIO) established criteria for certification and accreditation. All findings are based on regulations and guidelines. All findings require correction by the host organization. Category I findings are any vulnerabilities that provide an attacker immediate access into a machine, superuser access, or access that bypasses a firewall. Category II findings are any vulnerabilities that provide information that has a high potential of giving access to an intruder. Category III findings are any vulnerabilities that provide information that potentially could lead to compromise. Category IV vulnerabilities, when resolved, will prevent the possibility of degraded security. Database Server The vulnerabilities discussed in Sections 2A and 3A of this document are applicable to Oracle versions 8i, 9i, and 10g, vulnerabilities discussed in Sections 2B and 3B are applicable to MS SQL Server versions 7.0 and 2000, and vulnerabilities discussed in Sections 2C and 3C are applicable to DB2 version 8 on Unix and Windows platforms. The checklist does not address database versions earlier than those referenced above. For earlier versions, the reviewer should mark all checks except the check for a supported version, as NA and treat this as a completed database review. The unsupported version check should be marked as Open. The generic checklist should be used to cover databases other than Oracle, SQL Server, and DB2. To perform a successful Security Readiness Review (SRR), this document provides two methods to assess vulnerabilities on an Oracle and MS SQL Server DBMS �???�??�?�¢?? DISA FSO scripts and manual procedures. The manual procedures should be performed if the SRR command-scripts are not available, if they are not permitted, or if there is a discrepancy in the tools�???�??�?�¢?? reporting. Developped for the DOD. This checklist has been created for IT professionals, information security and database personnel. The document assumes that the reader has experience administering Oracle, SQL Server, DB2, or other databases. MANAGED SSLF DOD Directive 8500. Please refer to the Checklist or the README.TXT files provided with the scripts for any comments, warnings, or detailed instructions. It should be noted that FSO Support for the STIGs, Checklists, and Tools is only available to DOD Customers. Version 6, Release 1.4, 2004-05 Version 6, Release 1.5, 2004-09 Version 6, Release 1.6, 2004-12-10 Version 7, Release 1.2, 2005-07-29 Version 7, Release 1.3, 2005-12-16 Version 7, Release 1.4, 2006-04-14 Version 7, Release 2.1, 2006-06-30 Version 7, Release 2.2, 2006-10-29 false false false false false false false 2AFE1E2A8F95B9A01FD0AA14CEAD0041F4D88E30 B02C178D37086C3771AA7F800103030B6C172DDD3E6452C264FDDFB664FF3B47 Prose 1 FINAL GOVERNMENTAL_AUTHORITY IBM OS390 cpe:/o:ibm:os_390 Operating System This SRR Review Procedures, OS/390 Resource Access Control Facility (RACF) document provides the procedures for conducting a Security Readiness Review (SRR) to determine compliance with the requirements in the OS/390 Security Technical Implementation Guides (STIG). This checklist must be used together with the corresponding version of the STIG document. This SRR guide focuses strictly on the IBM OS/390 operating system (OS) and how the RACF security component interacts with the operating system. Additionally, this checklist ensures the site has properly installed and implemented the RACF component for the IBM OS/390 OS and that it is being managed in a way that is secure, efficient, and effective, through procedures outlined in the checklist. The items reviewed are based on standards and requirements published by DISA in the OS/390 Security Technical Implementation Guide. Server Developped for the DOD. This checklist has been created for IT professionals, particularly operating system administrators with a background in the IBM OS/390 OS, as well as information security personnel. The document assumes that the reader has experience installing and administering the IBM OS/390-based systems in domain or standalone configurations. MANAGED SSLF DOD Directive 8500. Please refer to the Checklist or the README.txt files provided with the scripts for any comments, warnings, or detailed instructions. It should be noted that FSO Support for the STIGs, Checklists, and Tools is only available to DOD Customers. Version 4, Release 1.3, 2004-02 Version 4, Release 1.4, 2004-10 Version 4, Release 1.5, 2005-07 Version 5, Release 1.1, 2006-04 Version 5, Release 2.1, 2006-11 Version 5, Release 2.2, 2007-03-23 Version 5, Release 2.3, 2007-05-30 Version 5, Release 2.6, 2007-11 Version 5, Release 2.10, 2008-12 false false false false false false false DA3C50C3AD808FD310289153CA5DBF2128F9BC54 72B43F1AEC2F185BF3B63AEE78EAD5AA9F73D48DC5E65644C8781FA57FC7A5E6 Prose 1 UNDER_REVIEW GOVERNMENTAL_AUTHORITY Microsoft Windows Server 2003 cpe:/o:microsoft:windows_2003_server Operating System Microsoft Windows Server 2000 cpe:/o:microsoft:windows_2000:::server Operating System Directory Services Security Checklist provides the procedures for conducting a Security Readiness Review (SRR) to determine compliance with the requirements in the Directory Services Security Technical Implementation Guide (STIG). This Checklist document must be used together with the corresponding version of the STIG document. This Checklist currently addresses three review subjects: - Generic Directory Service - This subject covers checks for an implementation of a generic directory service. - Generic Directory Synchronization Application - This subject covers checks for an implementation of an application used to perform synchronization on two or more directory service implementations. - Active Directory (AD) Implementation - This subject covers checks for AD Domain Controllers, AD Domains, and the AD Forest that make up an implementation of Active Directory. The procedures in this document are part of the effort to ensure that the security configuration guidelines required by Department of Defense (DoD) Directive 8500.1, Information Assurance, and other relevant guidance are properly implemented. In order to minimize repetition, certain procedures in this document reference information in the Windows 2000 Security Checklist and the Windows Server 2003 Security Checklist. Therefore, familiarity with those documents is considered a prerequisite to this checklist. false false false false false false false 5E715F27A4C5935831A3EE1BEA085C5B34842394 641A6D9E86B05CC58F47031E21684C2EE8175B36A3C210AB325038B90F274F57 Prose 1 FINAL GOVERNMENTAL_AUTHORITY Microsoft Internet Explorer cpe:/a:microsoft:ie Web Browser Microsoft Windows Server 2003 cpe:/o:microsoft:windows_2003_server Operating System NetMeeting cpe:/a:microsoft:netmeeting Microsoft Windows Media Player cpe:/a:microsoft:windows_media_player The Windows Server 2003 Security Checklist is composed of three major sections and several appendices. The organizational breakdown proceeds as follows: Section 1- Introduction This section contains summary information about the sections and appendices that comprise the Windows Server 2003 Security Checklist, and defines its scope. Supporting documents consulted are listed in this section. Section 2- Automated System Check Procedures This section contains summary information for running the Gold Disk. Section 3- Manual System Check Procedures This section documents the procedures that instruct the reviewer on how to perform an SRR manually, and to interpret the program output for vulnerabilities. Appendix A- Object Permissions This appendix documents the allowed Access Control Lists (ACLs) for file and registry objects. The tables contained in this section are referenced in Section 3. Appendix B- Information Assurance Vulnerability Management (IAVM) Compliance This appendix contains checks for IAVM compliance to be done against a Windows Server 2003 machine. Appendix C- MS Group Policy Analysis Tools This appendix provides information for the use of Microsoft tools for analyzing group policy. Appendix D- Windows VMS Asset Creation and Findings Import Procedures for Reviewers and Self Assessments This appendix documents the procedures for creating assets and importing findings into VMS 6.0 Appendix E- Joint Task Force - Global Network Operations (JTF-GNO) Communications Tasking Orders (CTO) Compliance This appendix identifies Windows specific requirements from JTF-GNO CTOs. Appendix F- SRR Results Report This section is the matrix that allows the reviewer to document vulnerabilities discovered during the SRR process. The entries in this table are mapped to the manual procedures in Section 3 and appendix B. Server This document is designed to instruct the reviewer on how to assess Windows Server 2003 configurations in Windows 2000, or Windows 2003 domains. In addition, the security settings recommended can also be used to configure Group Policy in a Windows 2000 or Windows 2003 Active Directory environment Field Security Operations- DISA Sites are required to secure the Microsoft Windows Server 2003 operating system in accordance with DOD Directive 8500.1, Section 4.18 (and related footnote). The checks in this document were developed from DOD guidelines specified in the above reference, as well as the Windows Server 2003 security guides and security templates published by the Microsoft Corporation. The Threats and Countermeasures Guide Windows Server 2003 Security Guide false false false false false false false B93DF561AF2A44ACDAC863C78F45B314FF7CFF40 FBE9B767B5A91E32E96919077F5FA22526B436EA719441B56A7E43617A854186 Prose 1 FINAL GOVERNMENTAL_AUTHORITY Microsoft Windows Defender cpe:/a:microsoft:windows_defender Malware Microsoft Internet Explorer cpe:/a:microsoft:ie Web Browser Microsoft Windows Mail cpe:/a:microsoft:windows_mail Microsoft Windows Media Player cpe:/a:microsoft:windows_media_player Microsoft Windows Server 2008 cpe:/o:microsoft:windows_server:2008 Operating System The Windows Server 2008 Security Checklist is composed of three major sections and several appendices. The organizational breakdown proceeds as follows: Section 1 - Introduction This section contains summary information about the sections and appendices that comprise the Windows Server 2008 Security Checklist, and defines its scope. Supporting documents consulted are listed in this section. Section 2 - Automated System Check Procedures The Gold Disk does not support Windows 2008 at this time. Section 3 - Manual System Check Procedures This section documents the procedures that instruct the reviewer on how to perform an SRR manually, and to interpret the program output for vulnerabilities. Appendix A - Object Permissions This appendix documents the any additional Access Control Lists (ACLs) for file and registry objects. The tables contained in this section are referenced in Section 3. Appendix B - Joint Task Force Global Network Operations (JTF-GNO) Information Assurance Vulnerability Management (IAVM) Compliance This appendix contains checks for IAVM compliance to be done against a Windows Server 2008 machine. Appendix C - MS Group Policy Analysis Tools This appendix provides information for the use of Microsoft tools for analyzing group policy. Appendix D - Windows VMS Asset Creation and Findings Import Procedures for Reviewers and Self Assessments This appendix documents the procedures for creating assets and importing findings into VMS 6.0 Appendix E - Joint Task Force - Global Network Operations (JTF-GNO) Communications Tasking Orders (CTO) Compliance This appendix identifies Windows specific requirements from JTF-GNO CTOs. Appendix F - SRR Result Report This section is the matrix that allows the reviewer to document vulnerabilities discovered during the SRR process. The entries in this table are mapped to procedures, referenced by Vulnerability and STIG IDs in Sections 3 and Appendix B. Server This document is designed to instruct the reviewer on how to assess Windows Server 2008 configurations in Windows domains. In addition, the security settings recommended can also be used to configure Group Policy in a Windows Active Directory environment. Version 6.1.1 - July 2008 - New Checklist Version 6.1.2 - 2008-12-26 Version 6.1.3 - 2009-02-27 Windows Server 2008 Security Guide Windows Vista Security Guide The Threats and Countermeasures Guide false false false false false false false FF48B762BDD5706914B676B4DC2981578257AABF CF67BA5309D5D24A8561E90752D703927AB89771DDD3CE02BB9528C64C1819F9 Prose 1 FINAL GOVERNMENTAL_AUTHORITY Research In Motion Blackberry cpe:/a:rim:blackberry Wireless Email This Checklist provides security policy and configuration requirements for the use of BlackBerry wireless email in the Department of Defense (DoD). Guidance in this document applies to all BlackBerry systems, including BlackBerry handheld devices and the BlackBerry Enterprise Server (BES). This checklist serves as both a security review checklist and a configuration guide. Information Assurance Officers (IAOs), Security Managers (SMs), System Administrators (SAs), device users, and security readiness reviewers, each with varying experience levels, should use this document to ensure the security of BlackBerry implementations. Thus, the format of each section is tailored to meet these various needs. false false false false false false false DA39A3EE5E6B4B0D3255BFEF95601890AFD80709 E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 Prose