From d5cf5b3ed144330ad4b76a22b3b4a551175d22bf Mon Sep 17 00:00:00 2001 From: MrAutomater Date: Thu, 11 Dec 2025 10:21:22 -0800 Subject: [PATCH 1/3] Convert V-254444 to a Manual Rule --- .../U_MS_Windows_Server_2022_MS_STIG_V2R5_Manual-xccdf.log | 1 + .../U_MS_Windows_Server_2022_MS_STIG_V2R6_Manual-xccdf.log | 1 + 2 files changed, 2 insertions(+) diff --git a/source/StigData/Archive/Windows.Server.2022/U_MS_Windows_Server_2022_MS_STIG_V2R5_Manual-xccdf.log b/source/StigData/Archive/Windows.Server.2022/U_MS_Windows_Server_2022_MS_STIG_V2R5_Manual-xccdf.log index af656fd87..06fee5517 100644 --- a/source/StigData/Archive/Windows.Server.2022/U_MS_Windows_Server_2022_MS_STIG_V2R5_Manual-xccdf.log +++ b/source/StigData/Archive/Windows.Server.2022/U_MS_Windows_Server_2022_MS_STIG_V2R5_Manual-xccdf.log @@ -13,6 +13,7 @@ V-254443::DoD Root CA 3- DoD Interoperability Root CA 2 - 49CBE933151872E17C8EAE V-254443::Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US::Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US V-254443::Thumbprint: A8C27332CCB4CA49554CE55D34062A7DD2850C02::Thumbprint: 49CBE933151872E17C8EAE7F0ABA97FB610F6477 V-254443::NotAfter: 8/26/2022 9:25:51 AM::NotAfter: 11/16/2024 +V-254444::*::'' V-254458::*::HardCodedRule(RegistryRule)@{DscResource = 'Registry'; Ensure = 'Present'; Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; ValueName = 'LegalNoticeCaption'; ValueType = 'String'; ValueData = $null; OrganizationValueTestString = "'{0}' -match '^(DoD Notice and Consent Banner|US Department of Defense Warning Statement)$'"} V-254484::0x00000002 (2) (Prompt for consent on the secure desktop)::1 or 2 V-254490::0x00000002 (2) (or if the Value Name does not exist)::2 
diff --git a/source/StigData/Archive/Windows.Server.2022/U_MS_Windows_Server_2022_MS_STIG_V2R6_Manual-xccdf.log b/source/StigData/Archive/Windows.Server.2022/U_MS_Windows_Server_2022_MS_STIG_V2R6_Manual-xccdf.log index af656fd87..06fee5517 100644 --- a/source/StigData/Archive/Windows.Server.2022/U_MS_Windows_Server_2022_MS_STIG_V2R6_Manual-xccdf.log +++ b/source/StigData/Archive/Windows.Server.2022/U_MS_Windows_Server_2022_MS_STIG_V2R6_Manual-xccdf.log @@ -13,6 +13,7 @@ V-254443::DoD Root CA 3- DoD Interoperability Root CA 2 - 49CBE933151872E17C8EAE V-254443::Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US::Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US V-254443::Thumbprint: A8C27332CCB4CA49554CE55D34062A7DD2850C02::Thumbprint: 49CBE933151872E17C8EAE7F0ABA97FB610F6477 V-254443::NotAfter: 8/26/2022 9:25:51 AM::NotAfter: 11/16/2024 +V-254444::*::'' V-254458::*::HardCodedRule(RegistryRule)@{DscResource = 'Registry'; Ensure = 'Present'; Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; ValueName = 'LegalNoticeCaption'; ValueType = 'String'; ValueData = $null; OrganizationValueTestString = "'{0}' -match '^(DoD Notice and Consent Banner|US Department of Defense Warning Statement)$'"} V-254484::0x00000002 (2) (Prompt for consent on the secure desktop)::1 or 2 V-254490::0x00000002 (2) (or if the Value Name does not exist)::2 From dba5e03bb255ae9ac9409506f4a94590c39bde2b Mon Sep 17 00:00:00 2001 From: MrAutomater Date: Thu, 11 Dec 2025 10:29:23 -0800 Subject: [PATCH 2/3] updated for 254444 as a manual stig --- .../WindowsServer-2022-MS-2.5.org.default.xml | 56 ++--- .../Processed/WindowsServer-2022-MS-2.5.xml | 218 +++++++----------- .../WindowsServer-2022-MS-2.6.org.default.xml | 56 ++--- .../Processed/WindowsServer-2022-MS-2.6.xml | 186 +++++---------- 4 files changed, 189 insertions(+), 327 deletions(-) 
diff --git a/source/StigData/Processed/WindowsServer-2022-MS-2.5.org.default.xml b/source/StigData/Processed/WindowsServer-2022-MS-2.5.org.default.xml index 853d2ecc2..ac6473b31 100644 --- a/source/StigData/Processed/WindowsServer-2022-MS-2.5.org.default.xml +++ b/source/StigData/Processed/WindowsServer-2022-MS-2.5.org.default.xml @@ -11,19 +11,19 @@ - + - + - + - + - + - + - + @@ -35,49 +35,37 @@ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + diff --git a/source/StigData/Processed/WindowsServer-2022-MS-2.5.xml b/source/StigData/Processed/WindowsServer-2022-MS-2.5.xml index 96b6e5895..4cd224b1b 100644 --- a/source/StigData/Processed/WindowsServer-2022-MS-2.5.xml +++ b/source/StigData/Processed/WindowsServer-2022-MS-2.5.xml @@ -1,4 +1,4 @@ - + <VulnDiscussion>The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the period of time that an account will remain locked after the specified number of failed logon attempts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -1308,7 +1308,7 @@ Navigate to Local Computer Policy >> Computer Configuration >> Admin Verify LAPS Operational logs >> Event Viewer >> Applications and Services Logs >> Microsoft >> Windows >> LAPS >> Operational. Verify LAPS policy process is completing. If it is not, this is a finding. -If the server is not a member of a domain this not applicable. +If the server is not a member of a domain this is not applicable. <VulnDiscussion>Using applications that access the internet or have potential internet sources using administrative privileges exposes a system to compromise. If a flaw in an application is exploited while running as a privileged user, the entire system could be compromised. Web browsers and email are common attack vectors for introducing malicious code and must not be run with an administrative account. 
@@ -1835,6 +1835,66 @@ Standard user accounts must not be members of the local Administrator group. If accounts that do not have responsibility for administration of the system are members of the local Administrators group, this is a finding. If the built-in Administrator account or other required administrative accounts are found on the system, this is not a finding. + + + <VulnDiscussion>To ensure users do not experience denial of service when performing certificate-based authentication to DOD websites due to the system chaining to a root other than DOD Root CAs, the US DOD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. This requirement only applies to unclassified systems. + +Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000403-GPOS-00182</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + False + + + False + + This is applicable to unclassified systems. It is NA for others. + +Open "PowerShell" as an administrator. + +Execute the following command: + +Get-ChildItem -Path Cert:Localmachine\disallowed | Where Issuer -Like "*CCEB Interoperability*" | FL Subject, Issuer, Thumbprint, NotAfter + +If the following certificate "Subject", "Issuer", and "Thumbprint" information is not displayed, this is a finding. + +Subject: CN=DOD Root CA 3, OU=PKI, OU=DOD, O=U.S. Government, C=US +Issuer: CN=US DOD CCEB Interoperability Root CA 2, OU=PKI, OU=DOD, O=U.S. Government, C=US +Thumbprint: 9B74964506C7ED9138070D08D5F8B969866560C8 +NotAfter: 7/18/2025 9:56:22 AM + +Alternately, use the Certificates MMC snap-in: + +Run "MMC". + +Select "File", "Add/Remove Snap-in". + +Select "Certificates" and click "Add". 
+ +Select "Computer account" and click "Next". + +Select "Local computer: (the computer this console is running on)" and click "Finish". + +Click "OK". + +Expand "Certificates" and navigate to Untrusted Certificates >> Certificates. + +For each certificate with "US DOD CCEB Interoperability Root CA ..." under "Issued By": + +Right-click on the certificate and select "Open". + +Select the "Details" tab. + +Scroll to the bottom and select "Thumbprint". + +If the certificate below is not listed or the value for the "Thumbprint" field is not as noted, this is a finding. + +Issued To: DOD Root CA 3 +Issued By: US DOD CCEB Interoperability Root CA 2 +Thumbprint: 9B74964506C7ED9138070D08D5F8B969866560C8 +NotAfter: 7/18/2025 +Issued to: DOD Root CA 6 +Issued By: US DOD CCEB Interoperability Root CA 2 +Thumbprint: D471CA32F7A692CE6CBB6196BD3377FE4DBCD106 +NotAfter: 7/18/2026 <VulnDiscussion>Accounts or groups given rights on a system may show up as unresolved SIDs for various reasons including deletion of the accounts or groups. If the account or group objects are reanimated, there is a potential they may still have rights no longer intended. Valid domain accounts or groups may also show up as unresolved SIDs if a connection to the domain cannot be established.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
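Review bot: Converting V-254444 to a manual rule means the compiled configuration no longer verifies the Untrusted Certificates store, and nothing in the added block or the commit text tells consumers that. The two automated entries for thumbprints `9B74964506C7ED9138070D08D5F8B969866560C8` and `D471CA32F7A692CE6CBB6196BD3377FE4DBCD106` are deleted in the later `-5513,126` hunk, leaving only free-text check content here. I would add a changelog line such as `Convert V-254444 (Windows Server 2022 MS 2.5/2.6) to a manual rule; the CCEB cross-certificates are no longer enforced automatically`, so operators know to check the store by hand. The listed `NotAfter: 7/18/2025` for the DOD Root CA 3 cross-certificate is earlier than the commit date, which may be the reason for the conversion; if so, the commit message should say it. The same applies to the matching `-1835,6 +1835,66` hunk in WindowsServer-2022-MS-2.6.xml.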
@@ -5451,8 +5511,8 @@ Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000403-GPOS-00182</VulnDiscussion True location for DoD Root CA 6 certificate is present - DoD Root CA 6,D37ECF61C0B4ED88681EF3630C4E2FC787B37AEF - D37ECF61C0B4ED88681EF3630C4E2FC787B37AEF + DoD Root CA 6,D37ECF61C0B4ED88681EF3630C4E2FC787B37AEFB + D37ECF61C0B4ED88681EF3630C4E2FC787B37AEFB DoD Interoperability Root CA 2 
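Review bot: The new DoD Root CA 6 thumbprint `D37ECF61C0B4ED88681EF3630C4E2FC787B37AEFB` is 41 hex characters, so it cannot be a SHA-1 thumbprint; the removed value `D37ECF61C0B4ED88681EF3630C4E2FC787B37AEF` was the expected 40. Both changed lines in this hunk carry the extra trailing `B`, which looks like an accidental edit unrelated to V-254444. If these are the certificate name and thumbprint fields of the root CA rule (the element names are not visible in this view), a comparison against the installed certificate can never match. Restore `D37ECF61C0B4ED88681EF3630C4E2FC787B37AEF` on both lines after checking it against the published DoD Root CA 6 certificate. No corresponding change appears in the 2.6 file, and the enclosing rule starts and ends outside the hunk.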
@@ -5513,126 +5573,6 @@ Thumbprint: A8C27332CCB4CA49554CE55D34062A7DD2850C02 Valid to: Wednesday, November 16, 2024 49CBE933151872E17C8EAE7F0ABA97FB610F6477 - - - <VulnDiscussion>To ensure users do not experience denial of service when performing certificate-based authentication to DOD websites due to the system chaining to a root other than DOD Root CAs, the US DOD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. This requirement only applies to unclassified systems. - -Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000403-GPOS-00182</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - False - - - - False - - This is applicable to unclassified systems. It is NA for others. - -Open "PowerShell" as an administrator. - -Execute the following command: - -Get-ChildItem -Path Cert:Localmachine\disallowed | Where Issuer -Like "*CCEB Interoperability*" | FL Subject, Issuer, Thumbprint, NotAfter - -If the following certificate "Subject", "Issuer", and "Thumbprint" information is not displayed, this is a finding. - -Subject: CN=DOD Root CA 3, OU=PKI, OU=DOD, O=U.S. Government, C=US -Issuer: CN=US DOD CCEB Interoperability Root CA 2, OU=PKI, OU=DOD, O=U.S. Government, C=US -Thumbprint: 9B74964506C7ED9138070D08D5F8B969866560C8 -NotAfter: 7/18/2025 9:56:22 AM - -Alternately, use the Certificates MMC snap-in: - -Run "MMC". - -Select "File", "Add/Remove Snap-in". - -Select "Certificates" and click "Add". - -Select "Computer account" and click "Next". - -Select "Local computer: (the computer this console is running on)" and click "Finish". - -Click "OK". 
- -Expand "Certificates" and navigate to Untrusted Certificates then Certificates. - -For each certificate with "US DOD CCEB Interoperability Root CA ..." under "Issued By": - -Right-click on the certificate and select "Open". - -Select the "Details" tab. - -Scroll to the bottom and select "Thumbprint". - -If the certificate below is not listed or the value for the "Thumbprint" field is not as noted, this is a finding. - -Issued To: DOD Root CA 3 -Issued By: US DOD CCEB Interoperability Root CA 2 -Thumbprint: 9B74964506C7ED9138070D08D5F8B969866560C8 -NotAfter: 7/18/2025 - - 9B74964506C7ED9138070D08D5F8B969866560C8 - - - - <VulnDiscussion>To ensure users do not experience denial of service when performing certificate-based authentication to DOD websites due to the system chaining to a root other than DOD Root CAs, the US DOD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. This requirement only applies to unclassified systems. - -Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000403-GPOS-00182</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - False - - - - False - - This is applicable to unclassified systems. It is NA for others. - -Open "PowerShell" as an administrator. - -Execute the following command: - -Get-ChildItem -Path Cert:Localmachine\disallowed | Where Issuer -Like "*CCEB Interoperability*" | FL Subject, Issuer, Thumbprint, NotAfter - -If the following certificate "Subject", "Issuer", and "Thumbprint" information is not displayed, this is a finding. - -Subject: CN=DOD Root CA 3, OU=PKI, OU=DOD, O=U.S. Government, C=US -Issuer: CN=US DOD CCEB Interoperability Root CA 2, OU=PKI, OU=DOD, O=U.S. 
Government, C=US -Thumbprint: 9B74964506C7ED9138070D08D5F8B969866560C8 -NotAfter: 7/18/2025 9:56:22 AM - -Alternately, use the Certificates MMC snap-in: - -Run "MMC". - -Select "File", "Add/Remove Snap-in". - -Select "Certificates" and click "Add". - -Select "Computer account" and click "Next". - -Select "Local computer: (the computer this console is running on)" and click "Finish". - -Click "OK". - -Expand "Certificates" and navigate to Untrusted Certificates then Certificates. - -For each certificate with "US DOD CCEB Interoperability Root CA ..." under "Issued By": - -Right-click on the certificate and select "Open". - -Select the "Details" tab. - -Scroll to the bottom and select "Thumbprint". - -If the certificate below is not listed or the value for the "Thumbprint" field is not as noted, this is a finding. - - -Issued to: DOD Root CA 6 -Issued By: US DOD CCEB Interoperability Root CA 2 -Thumbprint: D471CA32F7A692CE6CBB6196BD3377FE4DBCD106 -NotAfter: 7/18/2026 - D471CA32F7A692CE6CBB6196BD3377FE4DBCD106 - @@ -5997,8 +5937,9 @@ The "Enable computer and user accounts to be trusted for delegation" user right Enable computer and user accounts to be trusted for delegation True - NULL - False + + + True False @@ -6023,8 +5964,9 @@ Accounts with the "Access Credential Manager as a trusted caller" user right may Access Credential Manager as a trusted caller True - NULL - False + + + True False @@ -6047,8 +5989,9 @@ Accounts with the "Act as part of the operating system" user right can assume th Act as part of the operating system True - NULL - False + + + True False @@ -6149,8 +6092,9 @@ The "Create a token object" user right allows a process to create an access toke Create a token object True - NULL - False + + + True False @@ -6202,8 +6146,9 @@ Accounts with the "Create permanent shared objects" user right could expose sens Create permanent shared objects True - NULL - False + + + True False 
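Review bot: The user-right hunks at `-5997`, `-6023`, `-6047`, `-6149` and `-6202` (and `-6414` on the next line) look unrelated to V-254444 and appear only in the 2.5 file. Each replaces `NULL` / `False` with an empty value and `True`, for rights such as "Act as part of the operating system" and "Create a token object". The element names are stripped in this view, so I am assuming these are the identity and is-null-or-empty fields. If the DSC resource treats an empty identity differently from the literal `NULL`, this changes how "no account may hold this right" is enforced for the most sensitive privileges. Please confirm this is intended converter output, and either apply it to WindowsServer-2022-MS-2.6.xml as well or move it into its own commit with a description of the behaviour change.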
@@ -6414,8 +6359,9 @@ Satisfies: SRG-OS-000324-GPOS-00125, SRG-OS-000433-GPOS-00193</VulnDiscussion Lock pages in memory True - NULL - False + + + True False diff --git a/source/StigData/Processed/WindowsServer-2022-MS-2.6.org.default.xml b/source/StigData/Processed/WindowsServer-2022-MS-2.6.org.default.xml index 7c9e84485..ab9a088bc 100644 --- a/source/StigData/Processed/WindowsServer-2022-MS-2.6.org.default.xml +++ b/source/StigData/Processed/WindowsServer-2022-MS-2.6.org.default.xml @@ -11,19 +11,19 @@ - + - + - + - + - + - + - + @@ -35,49 +35,37 @@ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + diff --git a/source/StigData/Processed/WindowsServer-2022-MS-2.6.xml b/source/StigData/Processed/WindowsServer-2022-MS-2.6.xml index 8268316f7..c02e3e896 100644 --- a/source/StigData/Processed/WindowsServer-2022-MS-2.6.xml +++ b/source/StigData/Processed/WindowsServer-2022-MS-2.6.xml @@ -1,4 +1,4 @@ - + <VulnDiscussion>The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the period of time that an account will remain locked after the specified number of failed logon attempts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -1141,7 +1141,7 @@ Select "Disk Management" under "Storage". For each local volume, if the file system does not indicate "NTFS", this is a finding. "ReFS" (resilient file system) is also acceptable and is not a finding. -CSV (Cluster Shared Volumes) is not a finding. +CSV ( Cluster Shared Volumes) is not a finding. This does not apply to system partitions such the Recovery and EFI System Partition. 
@@ -1308,7 +1308,7 @@ Navigate to Local Computer Policy >> Computer Configuration >> Admin Verify LAPS Operational logs >> Event Viewer >> Applications and Services Logs >> Microsoft >> Windows >> LAPS >> Operational. Verify LAPS policy process is completing. If it is not, this is a finding. -If the server is not a member of a domain, this not applicable. +If the server is not a member of a domain this not applicable. <VulnDiscussion>Using applications that access the internet or have potential internet sources using administrative privileges exposes a system to compromise. If a flaw in an application is exploited while running as a privileged user, the entire system could be compromised. Web browsers and email are common attack vectors for introducing malicious code and must not be run with an administrative account. 
@@ -1835,6 +1835,66 @@ Standard user accounts must not be members of the local Administrator group. If accounts that do not have responsibility for administration of the system are members of the local Administrators group, this is a finding. If the built-in Administrator account or other required administrative accounts are found on the system, this is not a finding. + + + <VulnDiscussion>To ensure users do not experience denial of service when performing certificate-based authentication to DOD websites due to the system chaining to a root other than DOD Root CAs, the US DOD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. This requirement only applies to unclassified systems. + +Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000403-GPOS-00182</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + False + + + False + + This is applicable to unclassified systems. It is NA for others. + +Open "PowerShell" as an administrator. + +Execute the following command: + +Get-ChildItem -Path Cert:Localmachine\disallowed | Where Issuer -Like "*CCEB Interoperability*" | FL Subject, Issuer, Thumbprint, NotAfter + +If the following certificate "Subject", "Issuer", and "Thumbprint" information is not displayed, this is a finding. + +Subject: CN=DOD Root CA 3, OU=PKI, OU=DOD, O=U.S. Government, C=US +Issuer: CN=US DOD CCEB Interoperability Root CA 2, OU=PKI, OU=DOD, O=U.S. Government, C=US +Thumbprint: 9B74964506C7ED9138070D08D5F8B969866560C8 +NotAfter: 7/18/2025 9:56:22 AM + +Alternately, use the Certificates MMC snap-in: + +Run "MMC". + +Select "File", "Add/Remove Snap-in". + +Select "Certificates" and click "Add". 
+ +Select "Computer account" and click "Next". + +Select "Local computer: (the computer this console is running on)" and click "Finish". + +Click "OK". + +Expand "Certificates" and navigate to Untrusted Certificates >> Certificates. + +For each certificate with "US DOD CCEB Interoperability Root CA ..." under "Issued By": + +Right-click on the certificate and select "Open". + +Select the "Details" tab. + +Scroll to the bottom and select "Thumbprint". + +If the certificate below is not listed or the value for the "Thumbprint" field is not as noted, this is a finding. + +Issued To: DOD Root CA 3 +Issued By: US DOD CCEB Interoperability Root CA 2 +Thumbprint: 9B74964506C7ED9138070D08D5F8B969866560C8 +NotAfter: 7/18/2025 +Issued to: DOD Root CA 6 +Issued By: US DOD CCEB Interoperability Root CA 2 +Thumbprint: D471CA32F7A692CE6CBB6196BD3377FE4DBCD106 +NotAfter: 7/18/2026 <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Credential validation records events related to validation tests on credentials for a user account logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -5627,126 +5687,6 @@ Thumbprint: A8C27332CCB4CA49554CE55D34062A7DD2850C02 Valid to: Wednesday, November 16, 2024 49CBE933151872E17C8EAE7F0ABA97FB610F6477 - - - <VulnDiscussion>To ensure users do not experience denial of service when performing certificate-based authentication to DOD websites due to the system chaining to a root other than DOD Root CAs, the US DOD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. This requirement only applies to unclassified systems. - -Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000403-GPOS-00182</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - False - - - - False - - This is applicable to unclassified systems. It is NA for others. - -Open "PowerShell" as an administrator. - -Execute the following command: - -Get-ChildItem -Path Cert:Localmachine\disallowed | Where Issuer -Like "*CCEB Interoperability*" | FL Subject, Issuer, Thumbprint, NotAfter - -If the following certificate "Subject", "Issuer", and "Thumbprint" information is not displayed, this is a finding. - -Subject: CN=DOD Root CA 3, OU=PKI, OU=DOD, O=U.S. Government, C=US -Issuer: CN=US DOD CCEB Interoperability Root CA 2, OU=PKI, OU=DOD, O=U.S. Government, C=US -Thumbprint: 9B74964506C7ED9138070D08D5F8B969866560C8 -NotAfter: 7/18/2025 9:56:22 AM - -Alternately, use the Certificates MMC snap-in: - -Run "MMC". - -Select "File", "Add/Remove Snap-in". - -Select "Certificates" and click "Add". - -Select "Computer account" and click "Next". - -Select "Local computer: (the computer this console is running on)" and click "Finish". - -Click "OK". 
- -Expand "Certificates" and navigate to Untrusted Certificates then Certificates. - -For each certificate with "US DOD CCEB Interoperability Root CA ..." under "Issued By": - -Right-click on the certificate and select "Open". - -Select the "Details" tab. - -Scroll to the bottom and select "Thumbprint". - -If the certificate below is not listed or the value for the "Thumbprint" field is not as noted, this is a finding. - -Issued To: DOD Root CA 3 -Issued By: US DOD CCEB Interoperability Root CA 2 -Thumbprint: 9B74964506C7ED9138070D08D5F8B969866560C8 -NotAfter: 7/18/2025 - - 9B74964506C7ED9138070D08D5F8B969866560C8 - - - - <VulnDiscussion>To ensure users do not experience denial of service when performing certificate-based authentication to DOD websites due to the system chaining to a root other than DOD Root CAs, the US DOD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. This requirement only applies to unclassified systems. - -Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000403-GPOS-00182</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - False - - - - False - - This is applicable to unclassified systems. It is NA for others. - -Open "PowerShell" as an administrator. - -Execute the following command: - -Get-ChildItem -Path Cert:Localmachine\disallowed | Where Issuer -Like "*CCEB Interoperability*" | FL Subject, Issuer, Thumbprint, NotAfter - -If the following certificate "Subject", "Issuer", and "Thumbprint" information is not displayed, this is a finding. - -Subject: CN=DOD Root CA 3, OU=PKI, OU=DOD, O=U.S. Government, C=US -Issuer: CN=US DOD CCEB Interoperability Root CA 2, OU=PKI, OU=DOD, O=U.S. 
Government, C=US -Thumbprint: 9B74964506C7ED9138070D08D5F8B969866560C8 -NotAfter: 7/18/2025 9:56:22 AM - -Alternately, use the Certificates MMC snap-in: - -Run "MMC". - -Select "File", "Add/Remove Snap-in". - -Select "Certificates" and click "Add". - -Select "Computer account" and click "Next". - -Select "Local computer: (the computer this console is running on)" and click "Finish". - -Click "OK". - -Expand "Certificates" and navigate to Untrusted Certificates then Certificates. - -For each certificate with "US DOD CCEB Interoperability Root CA ..." under "Issued By": - -Right-click on the certificate and select "Open". - -Select the "Details" tab. - -Scroll to the bottom and select "Thumbprint". - -If the certificate below is not listed or the value for the "Thumbprint" field is not as noted, this is a finding. - - -Issued to: DOD Root CA 6 -Issued By: US DOD CCEB Interoperability Root CA 2 -Thumbprint: D471CA32F7A692CE6CBB6196BD3377FE4DBCD106 -NotAfter: 7/18/2026 - D471CA32F7A692CE6CBB6196BD3377FE4DBCD106 - From 2f666d9ac9218d318bc0db8d3f297701630a557c Mon Sep 17 00:00:00 2001 From: MrAutomater Date: Thu, 11 Dec 2025 11:08:04 -0800 Subject: [PATCH 3/3] update org settings --- .../WindowsServer-2022-MS-2.5.org.default.xml | 56 +++++++++++-------- .../WindowsServer-2022-MS-2.6.org.default.xml | 56 +++++++++++-------- 2 files changed, 68 insertions(+), 44 deletions(-) diff --git a/source/StigData/Processed/WindowsServer-2022-MS-2.5.org.default.xml b/source/StigData/Processed/WindowsServer-2022-MS-2.5.org.default.xml index ac6473b31..853d2ecc2 100644 --- a/source/StigData/Processed/WindowsServer-2022-MS-2.5.org.default.xml +++ b/source/StigData/Processed/WindowsServer-2022-MS-2.5.org.default.xml @@ -11,19 +11,19 @@ - + - + - + - + - + - + - + @@ -35,37 +35,49 @@ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + 
diff --git a/source/StigData/Processed/WindowsServer-2022-MS-2.6.org.default.xml b/source/StigData/Processed/WindowsServer-2022-MS-2.6.org.default.xml index ab9a088bc..93ecfc874 100644 --- a/source/StigData/Processed/WindowsServer-2022-MS-2.6.org.default.xml +++ b/source/StigData/Processed/WindowsServer-2022-MS-2.6.org.default.xml @@ -11,19 +11,19 @@ - + - + - + - + - + - + - + @@ -35,37 +35,49 @@ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - +