Desktop App Checklist (Word format).docx
Change history (flattened table, reconstructed):

Change                                                  Section
Updated for STIG Version Change 3.1                     Various Sections
Updated for new mobile code requirements                Section 2.3.1
Updated for Symantec Version 10.x                       Section 2.3.2
Updated for McAfee Version 8.x                          Section 2.4.2
IE updated Java Permissions                             Section 2.7
Updated with indicator of when the check applies        Section 2.8
Anti-Spyware – new section

Version 3.1.2
DTAS017   Updated to add information for Version 10.x
DTAS069   Updated to have correct value of the key
DTAS040
DESKTOP APPLICATION CHECKLIST - SCRIPT CHECK PROCEDURES
This section of the Checklist provides the procedures to be used to conduct self-assessments and SRR reviews for the Desktop Application STIG requirements using the automated tools developed and maintained by DISA Field Security Operations (FSO). The reviewer uses the output of these scripts to analyze and document potential security vulnerabilities on the reviewed system.
1. Use Version 2.0 of the Gold Disk to conduct the review. Insert the CD and then double click on pgd.exe. This will cause the Gold Disk to launch and evaluate which of the products below are present on the system being reviewed.

2. Upon successful completion of the initial scan, the lower right-hand pane will identify all the applications that are present on the machine. The Desktop review process includes the following products:

   Antivirus
      ∙ McAfee
      ∙ Symantec
   Browsers
      ∙ Netscape
      ∙ Internet Explorer
   Office Automation
      ∙ Word
      ∙ Excel
      ∙ Access
      ∙ FrontPage
      ∙ Outlook
      ∙ PowerPoint

   There are also general checks, called Desktop Application General, that apply to all machines. A further group of checks, called Desktop Application – Remote, applies if the machine connects to DoD remotely (e.g., a laptop).

   Upon execution of the startup GUI, click the Evaluate Asset button. The GUI is broken down into several branches. In order to perform a review, the reviewer must know which applications are part of the review (listed above). Only the applications actually installed on the machine will be evaluated. Note that all 'documentable' findings should be uploaded into VMS 6.0 in an Open status.

3. In order to create an XML file, select Reports, then VMS 6.x. A dialog box will appear asking for a file name for the VMS import file.

4. Log on to VMS. If the asset is not registered, it will be added during the upload. If the asset exists, it will be updated with the results from the Gold Disk.

5. If a manual registration is done, the following items are of note:

6. Manual Registration:

   You will find the appropriate selection criteria by selecting Computing, then selecting the yellow folder. Ensure that, in addition to the minimum required fields for VMS, the following fields are populated:

   General Tab
      Host Name: enter manually
      Description: enter manually
      Ensure all required fields, which are designated with an *, are correct.
   Asset Identification
      IP Address (ensure you click the Add button by the IP address window)
      MAC Address (ensure you click the Add button by the MAC window)
   Asset Posture
      Under this tab expand Computing on the left, go down through each item, and select what is applicable to the system you are registering. Once you check a selection you must click the > arrow and ensure it is added to the Selected box on the right.
      A Windows asset must also have a role (workstation, member server, or domain controller) assigned. Please ensure that the correct role is assigned.
      Click the Save button; if this is not clicked you will lose your selections.
   Function
      Select the asset function from the left window and click the > arrow to add it to the Selected window.
   Additional Information
      Fill in the additional information as required.
      Ensure you click the Save button or you will lose the information; if this happens the asset will still have been created and you can modify it at that time. Do not recreate the same asset.
   Click the Save button to ensure all your work is saved. The asset is now registered with the required checks.

   After successful registration, in addition to the 'expected' Windows checks, there will also be Desktop General checks and IE checks. This is expected. With VMS 6.0, these vulnerabilities from the Desktop STIG are shown on Windows assets.

7. Upload results into VMS by navigating to Asset Finding Maint.

   An SA should choose Location, then click the blue XML arrow icon located to the right of 'Computing'. This will prompt for the name of a file to be uploaded. This process will register the asset if it doesn't exist.

   A reviewer should choose Visit, then click the blue XML arrow icon located to the right of 'Computing'. This will prompt for the name of a file to be uploaded. This process will register the asset if it doesn't exist.

   After upload, review the Enclave that the asset is tied to by navigating to the 'Systems/Enclaves' tab of the asset. Select the appropriate Enclave. If the enclave is not present, contact the IAM or team lead to determine if the enclave has been requested. Click '>>', then click 'Save'.
DESKTOP APPLICATION CHECKLIST - MANUAL CHECK PROCEDURES
This section of the Checklist provides the procedures to be used to conduct a manual SRR for the Desktop Application STIG requirements. The results from the procedures documented in this section can be recorded on a copy of Section 2, SRR Result Report.
1.1 Tools Used

To conduct a manual review of compliance with the Desktop Application STIG requirements, it is necessary to use some tools that are provided with the Windows operating system. This section describes the individual tools and provides examples of the appearance of those tools.
Edit File Type Facility

The Edit File Type facility is used to manually verify Windows file type properties. This facility is accessed through the Windows NT Explorer application on Windows NT or the Windows Explorer application on Windows 2000.

On the Tools menu, select the Folder Options… item. On the Folder Options window, select the File Types tab. After selecting a file type, selecting the Edit… button (Windows NT) or the Advanced button (Windows 2000) provides access to the file type properties.

The following examples show the appearance of the facility on Windows NT:

The following examples show the appearance of the facility on Windows 2000:

It should be noted that the Windows Folder Options window includes column headings that can be used to sort the entries by extension or file type.
File Version Checking

To manually check the version of a Windows file it is necessary to search for the file and to navigate to the file version information. This can be done through the "Search | For Files or Folders…" facility.

From the Windows Start menu select the Search item. On the Search menu, select the For Files or Folders… item. After the file is found, right-click on the file name, select the Properties item, and select the Version tab. The following examples show the appearance of the facility on Windows:
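The same search-then-Version-tab check can be scripted so that every copy of a file on the system is reported at once, which is useful when a STIG check names a minimum version. The following is an added example, not part of the DISA checklist or Gold Disk; it assumes Windows PowerShell 5.1 or later, and the file name, search roots and minimum version used at the bottom are placeholder inputs, not values from the STIG.

```powershell
# Added example (not from the DISA checklist): locate every copy of a file below the
# given roots and report its version, optionally comparing it to a minimum version.
# Assumes Windows PowerShell 5.1+. Inputs in the usage line are placeholders.

function Get-FileVersionReport {
    param(
        [Parameter(Mandatory)] [string]   $FileName,                   # e.g. 'example.dll'
        [string[]]                        $SearchRoots = @($env:SystemRoot),
        [version]                         $MinimumVersion              # optional floor
    )

    # Equivalent of "Search | For Files or Folders...": find all copies under the roots.
    $found = Get-ChildItem -Path $SearchRoots -Filter $FileName -Recurse -File `
                           -ErrorAction SilentlyContinue

    foreach ($file in $found) {
        # Equivalent of Properties | Version tab. The numeric parts are used rather
        # than the free-text FileVersion string, which vendors format inconsistently.
        $info = $file.VersionInfo
        $fileVersion = New-Object System.Version -ArgumentList `
            $info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart, $info.FilePrivatePart

        $status = 'Not compared'
        if ($MinimumVersion) {
            $status = if ($fileVersion -ge $MinimumVersion) { 'Compliant' } else { 'Finding' }
        }

        [pscustomobject]@{
            Path           = $file.FullName
            FileVersion    = $fileVersion
            ProductVersion = $info.ProductVersion
            Company        = $info.CompanyName
            Status         = $status
        }
    }
}

# Usage (placeholder file name and version, not taken from the STIG):
Get-FileVersionReport -FileName 'example.dll' -MinimumVersion '10.0.0.0' |
    Format-Table Path, FileVersion, Status -AutoSize
```

Because the function emits one object per copy found, a file that is present both in the application directory and in a cached installer location is reported twice, which is exactly the situation the manual Properties check tends to miss.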
Application Dialogs

This section provides examples of the dialog windows that are used in the manual application checks.

MS Outlook Dialogs

To manually check the Security Zone setting in Outlook, select the Options… item on the Tools menu. On the Options window, select the Security tab. The following example shows the appearance of the dialog:

To manually check the Attachment Security setting (if applicable) in Outlook 98 or 2000, select the Attachment Security… button on the Security tab shown above. The following example shows the appearance of the dialog:

MS Office Dialogs

To manually check the Macro Security Level setting in the 2000 and 2002 versions of Word, Excel, PowerPoint, and Outlook, start each application and select the Tools menu and its Macro item. On the Macro menu, select the Security… item. On the Security window, select the Security Level tab. The appearance of the Security Level tab is the same in all the applications. The following example shows the appearance of the dialog in Outlook 2000:
Windows Registry Editor

To manually check the values of some application options, it is necessary to use the Windows Registry Editor. It can be started using the regedt32.exe command at a Windows command prompt or from the Run… item on the Start menu. From the Options menu, select the Read Only Mode item to ensure that no updates are inadvertently made. The following example shows the appearance of the Registry Editor:

NOTE: If a system is configured in accordance with the applicable NSA guidance on the installed Windows operating system, the Windows Registry Editor will be accessible only to users with administrator-level privilege. Therefore checks that require the use of the Windows Registry Editor will require that a privileged user sign on. To check user-specific (i.e., HKCU) keys, it may be necessary to use the Load Hive facility.
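The two points in this section, reading values without risking a change and reaching HKCU settings of a user who is not logged on via Load Hive, can both be done from a script. The following is an added example, not part of the DISA checklist; it assumes an elevated Windows PowerShell 5.1 session, and the key paths, value names and expected values shown are placeholders rather than settings taken from the STIG.

```powershell
# Added example (not from the DISA checklist): read registry values for a compliance
# check without writing anything, and read another user's HKCU settings by loading
# that user's NTUSER.DAT under HKEY_USERS (the scripted form of Load Hive).
# Assumes an elevated Windows PowerShell 5.1 session. Paths/values are placeholders.

function Test-RegistryValue {
    param(
        [Parameter(Mandatory)] [string] $Path,          # e.g. 'HKLM:\SOFTWARE\Placeholder\Product'
        [Parameter(Mandatory)] [string] $Name,          # value name under that key
        [Parameter(Mandatory)]          $ExpectedValue  # scalar expected value (DWORD/string)
    )
    # Get-ItemProperty only reads; this function never calls Set-ItemProperty or New-Item.
    $item   = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.$Name } else { $null }

    [pscustomobject]@{
        Path     = $Path
        Name     = $Name
        Expected = $ExpectedValue
        Actual   = $actual
        Status   = if ($null -eq $actual)                    { 'Not configured (Finding)' }
                   elseif ("$actual" -eq "$ExpectedValue")   { 'Compliant' }
                   else                                      { 'Finding' }
    }
}

function Test-UserHiveValue {
    param(
        [Parameter(Mandatory)] [string] $ProfilePath,   # e.g. 'C:\Users\placeholder'
        [Parameter(Mandatory)] [string] $SubKey,        # path below the user's hive root
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)]          $ExpectedValue
    )
    $mount    = 'TempAuditHive'
    $hiveFile = Join-Path $ProfilePath 'NTUSER.DAT'

    # reg.exe load fails if the hive is in use, i.e. the user is currently logged on;
    # in that case the value is reachable under HKEY_USERS\<SID> instead.
    & reg.exe load "HKU\$mount" $hiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not load $hiveFile (user logged on, or not elevated?)" }

    try {
        Test-RegistryValue -Path "Registry::HKEY_USERS\$mount\$SubKey" -Name $Name -ExpectedValue $ExpectedValue
    }
    finally {
        # Release PowerShell's handles on the mounted hive, then unload it again.
        [gc]::Collect()
        & reg.exe unload "HKU\$mount" | Out-Null
    }
}

# Usage (placeholder paths and values, not STIG settings):
Test-RegistryValue -Path 'HKLM:\SOFTWARE\Placeholder\Product' -Name 'ExampleSetting' -ExpectedValue 1
Test-UserHiveValue -ProfilePath 'C:\Users\placeholder' -SubKey 'Software\Placeholder\Product' `
                   -Name 'ExampleSetting' -ExpectedValue 1
```

The comparison is done on string form so that a REG_DWORD 1 and an expected value written as '1' agree; binary or multi-string values would need their own comparison and are outside what this example handles. Unloading the hive in a finally block matters: a hive left mounted keeps the profile locked and the user cannot log on until it is released.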
File and Directory Permission Checking

There are multiple ways to check file and directory permissions:

∙ On Windows NT systems, the DumpSec utility can be used. Details on the usage of DumpSec can be found in the section Using DumpSec in the Windows Security Checklist document.

∙ On Windows 2000 systems, the Microsoft Manag
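On systems with PowerShell, the permission listing that DumpSec produces can be obtained with Get-Acl and filtered for the entries a reviewer cares about, namely broad groups holding write-level rights. The following is an added example, not part of the DISA checklist; it assumes Windows PowerShell 5.1 on an NTFS volume, and the paths checked and the list of "broad" principals are constructed for the example rather than taken from the STIG.

```powershell
# Added example (not from the DISA checklist): enumerate the ACEs on files or
# directories and flag Allow entries that give broad groups write-level rights.
# Read-only: Get-Acl is used, Set-Acl never. Assumes Windows PowerShell 5.1 on NTFS.

function Get-PermissionFindings {
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        # Principals whose write access to system or application files is a finding
        # in most baselines (constructed list for this example).
        [string[]] $BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    )

    # Any of these rights lets the holder alter or replace the object.
    $writeRights = [System.Security.AccessControl.FileSystemRights] `
        'Write, Modify, FullControl, Delete, TakeOwnership, ChangePermissions, WriteData, AppendData'

    foreach ($p in $Path) {
        $acl = Get-Acl -Path $p
        foreach ($ace in $acl.Access) {
            $grantsWrite = ($ace.AccessControlType -eq 'Allow') -and
                           (($ace.FileSystemRights -band $writeRights) -ne 0)
            $isBroad     = $BroadPrincipals -contains $ace.IdentityReference.Value

            [pscustomobject]@{
                Path      = $p
                Owner     = $acl.Owner
                Identity  = $ace.IdentityReference.Value
                Type      = $ace.AccessControlType
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                Finding   = $grantsWrite -and $isBroad
            }
        }
    }
}

# Usage: show only the flagged entries for the Windows and Program Files directories.
Get-PermissionFindings -Path $env:SystemRoot, $env:ProgramFiles |
    Where-Object Finding |
    Format-Table Path, Identity, Rights, Inherited -AutoSize
```

Dropping the Where-Object filter gives the full listing, including the Owner column, which is the same information the DumpSec report presents; the Inherited column tells the reviewer whether a finding was set on the object itself or came down from a parent directory, which decides where the fix belongs.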