This check verifies that file and print sharing is not installed on remote access devices. Open Control Panel from Start > Settings. Click Network and Dial-up Connections. Right-click Local Area Connection and select Properties. If File and Print Sharing is not listed, this is not a finding. If File and Print Sharing is listed, check the personal firewall policy. If TCP port 445 (SMB) inbound is being filtered, this is not a finding. If File and Print Sharing is listed and the firewall policy is not filtering inbound 445, this is a finding.
Disable file and print sharing
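The same two conditions (is File and Printer Sharing bound to an adapter, and is inbound TCP 445 filtered) can be checked from a script on a current Windows host. This is an added example, not part of the STIG text; it assumes the built-in Windows Defender Firewall and the NetAdapter/NetSecurity modules (Windows 8 / Server 2012 and later), which the GUI steps above pre-date.

```powershell
# Added example (not part of the STIG): report whether File and Printer Sharing
# is bound to any adapter and, if so, whether inbound TCP 445 is filtered.
# Assumes the NetAdapter and NetSecurity modules (Windows 8 / Server 2012+).
function Test-FilePrintSharingExposure {
    [CmdletBinding()]
    param()

    # "File and Printer Sharing for Microsoft Networks" is the ms_server binding.
    $bound = Get-NetAdapterBinding -ComponentID ms_server -ErrorAction SilentlyContinue |
             Where-Object { $_.Enabled }
    if (-not $bound) {
        return [pscustomobject]@{ Finding = $false; Reason = 'File and Printer Sharing is not bound to any adapter' }
    }

    # Helper: does a rule's port filter cover TCP 445? Port ranges (e.g. "445-450")
    # are not expanded here and would need manual review.
    $covers445 = {
        param($rule)
        $pf = $rule | Get-NetFirewallPortFilter
        ($pf.Protocol -eq 'TCP' -or $pf.Protocol -eq 'Any') -and
        (@($pf.LocalPort) -contains '445' -or @($pf.LocalPort) -contains 'Any')
    }

    # Block rules always win over allow rules in Windows Firewall.
    $blockRules = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True |
                  Where-Object { & $covers445 $_ }
    $allowRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
                  Where-Object { & $covers445 $_ }

    # A profile whose default inbound action is Block (NotConfigured also falls
    # back to Block) filters 445 as long as no enabled allow rule opens it.
    $openProfiles = Get-NetFirewallProfile | Where-Object {
        $_.Enabled -ne 'True' -or $_.DefaultInboundAction -eq 'Allow'
    }

    $filtered = ($blockRules.Count -gt 0) -or
                ($openProfiles.Count -eq 0 -and $allowRules.Count -eq 0)

    [pscustomobject]@{
        Finding        = -not $filtered
        BoundAdapters  = ($bound.Name -join ', ')
        BlockRulesFor445 = ($blockRules.DisplayName -join ', ')
        AllowRulesFor445 = ($allowRules.DisplayName -join ', ')
        OpenProfiles   = ($openProfiles.Name -join ', ')
    }
}

Test-FilePrintSharingExposure | Format-List
```

Run from an elevated prompt so the firewall rule set is fully visible. `Finding = True` means sharing is bound and nothing in the host firewall filters inbound 445, which is the finding condition above.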
This check verifies that the remote access software is configured for dial-out only. Navigate to the Services applet in the Administrative Tools folder. Check the services listing for the Remote Access Service (or other third-party remote access software service) and view the properties. Highlight the communications port and select Configure. Verify "dial-out only" is selected. If a modem is installed and enabled in the active profile, the SA should demonstrate that auto or manual answer modes are not used. Work with the SA to review the configuration of several remote access devices. On the client device, this setting is usually enabled in the specific communications software used. All communications software, regardless of function, must have this capability disabled if available. Some examples are: WinFax and other fax software, pcAnywhere and other remote access software, Internet and POTS phone dialers, etc. While it is not possible to write checks for all possible applications, the reviewer should work with the SA to review the settings of all installed RAS applications. If the remote devices are not available for review, ensure the disabling of this setting is addressed in the user agreement, training materials, or site remote device configuration procedures.
Disable incoming dialup.
This check verifies the remote access device is configured to prevent simultaneous use of the NIC and modem for communications. Verify that the remote device is configured to use at least two hardware profiles. One profile enables the modem and disables the NIC, while the second profile disables the modem but enables the NIC. Navigate to the Control Panel folder and select the "System" applet. Select the "Hardware" tab of the System Properties dialog box and view the list of defined hardware profiles, then click "Cancel" to return to the "System Properties" dialog box. Click the "Device Manager" button. Expand and view the properties for the modem and the Network Adapter (controller). Review the selection in the "Device Usage" area. Reboot and select the other hardware profile upon restart. Repeat the above steps to view the modem and NIC in the other profile. If profiles are not in use on the remote device, this is a finding. If "Use this device (enable)" is selected for both the modem and the NIC in a single hardware profile, this is a finding.
Create a hardware profile that disables the modem when the network card is active.
This check verifies use of workstation policy and site written policy to prevent unapproved configuration changes. The system's user and advanced user rights policies must be configured in accordance with DISA requirements to prevent users without administrative rights from installing or changing software or hardware configuration which may adversely affect the security posture of the laptop or workstation. Use the User Manager or Administrative Tools applet to view user accounts and policies for users who access the system's resources. Select "User Rights" from the "Policies" menu. Select the checkbox "Show Advanced User Rights." Click "Cancel" when finished examining the data in this dialog box. By scrolling through the choices in the drop-down box labeled "Right," navigate to the rights listed below and compare the contents of the "Grant To" listbox with the acceptable values in the following table. If there are any discrepancies, this is a finding.

User Right                           Authorized Groups
Load and unload device drivers       Administrators
Modify firmware environment values   Administrators

Next, examine any procedures or remote access agreement that informs the user of this requirement. If the user is not informed of this requirement or if rights are not restricted to prevent installation of software or device drivers, this is a finding. View a copy of approval letters if such approvals have been authorized.
Create a software baseline.
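The two user rights in the table map to the privilege names SeLoadDriverPrivilege and SeSystemEnvironmentPrivilege in the local security policy, which secedit can export. The following added example (not part of the STIG text) exports the policy and flags any grantee other than the Administrators group (well-known SID S-1-5-32-544). The privilege-to-SID table is the allowed configuration from the STIG table above; everything else in the script is this example's own construction.

```powershell
# Added example (not part of the STIG): compare the local "User Rights
# Assignment" policy for the two rights named above against Administrators only.
# Requires an elevated prompt because secedit /export reads the security database.
function Test-RemoteDeviceUserRights {
    [CmdletBinding()]
    param(
        # secedit privilege name -> SIDs allowed to hold it (from the STIG table).
        [hashtable]$Policy = @{
            'SeLoadDriverPrivilege'        = @('S-1-5-32-544')  # Load and unload device drivers
            'SeSystemEnvironmentPrivilege' = @('S-1-5-32-544')  # Modify firmware environment values
        }
    )

    $cfg = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path $cfg)) {
            throw 'secedit export failed; run from an elevated prompt'
        }

        # Lines look like:  SeLoadDriverPrivilege = *S-1-5-32-544,*S-1-5-32-555
        # SIDs are prefixed with '*'; unresolved entries appear as plain names.
        $lines = Get-Content $cfg
        foreach ($right in $Policy.Keys) {
            $line = $lines | Where-Object { $_ -match "^\s*$right\s*=" } | Select-Object -First 1
            $granted = @()
            if ($line) {
                $granted = ($line -split '=', 2)[1] -split ',' |
                           ForEach-Object { $_.Trim().TrimStart('*') } |
                           Where-Object { $_ }
            }
            $extra = @($granted | Where-Object { $Policy[$right] -notcontains $_ })
            [pscustomobject]@{
                Right     = $right
                GrantedTo = ($granted -join ', ')
                Unauthorized = ($extra -join ', ')
                Finding   = ($extra.Count -gt 0)
            }
        }
    }
    finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

Test-RemoteDeviceUserRights | Format-Table -AutoSize
```

A right that is absent from the export has no grantees at all, which is reported as an empty GrantedTo and no finding; a right granted to any SID outside the table, including Users (S-1-5-32-545) or an individual account, produces `Finding = True`.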
Because of the variation of installations, you must work with the IAO and manually check to determine the product installed. The software version can usually be verified by starting the firewall program from the toolbar icon or from the Start menu. The version number may appear in the window or be available by clicking the Help menu item and then selecting About. The location varies from product to product. If the personal firewall is supported by the JTF-GNO and is older than the current JTF-GNO-provided release, this is a finding. For technologies which do not have compatible DOD-licensed personal firewalls available, DAA approval and use of a product on the NIAP Validated Products List with an Evaluation Assurance Level (EAL) of 2 or higher is an acceptable mitigation.
Install a personal firewall product that is licensed by DOD.
Review a copy of the site’s baseline procedures or written policy regarding configuration of remote access devices. Note that this check does not include validation of the contents, which is verified in another requirement. If a personal firewall baseline configuration document does not exist, this is a finding.
Develop a software baseline for the personal firewall configuration.
Inspect the configuration of the host-based firewall installed on the endpoint devices. Examples of services whose ports are commonly needed for operation are SMTP, SSL, HTTP, and HTTPS. If other ports are open, request the IAO provide documented justification showing these ports are needed for site operations. If this documentation does not exist, this is a finding. The method of access to the firewall configuration will vary with the actual software. However, in general, the configuration can be viewed by clicking on the program icon in the desktop tray or by using the Start menu. Select the Configuration or Settings button/option and view the advanced custom settings for the Internet Zone.
Block all unneeded ports.
The method of access to the firewall configuration will vary with the actual software. However, in general, the configuration can be viewed by clicking on the program icon in the desktop tray or by using the Start menu. Select the Configuration or Settings button/option and view the advanced custom settings for the Internet Zone. Compare the permitted ports and protocols against PPSM (Ports, Protocols, and Services Management) guidance. If the personal firewall is not configured for a Deny-by-Default posture, this is a finding.
A Deny-by-Default posture is setup on the personal firewall.
This check verifies that the firewall is configured in a deny by default posture. The method of access to the firewall configuration will vary with the actual software. However, in general, the configuration can be viewed by clicking on the program icon in the desktop tray or by using the Start menu. Select the Configuration or Settings button/option and view the advanced custom settings for the Internet Zone. If the firewall is not in a deny by default posture, this is a finding.
Ensure the firewall is in a deny by default configuration.
Have the SA or NSO demonstrate the configuration of the personal firewall. The method of access to the firewall configuration will vary with the actual software. However, in general, the configuration can be viewed by clicking on the program icon in the desktop tray or by using the Start menu. Navigate to the Alerts configuration menu or tab and verify that the setting to log alerts is enabled. At a minimum, all inbound connections from the Internet Zone must be logged to a text file. If the log alerts setting is not enabled in the personal firewall software, this is a finding.
Configure the firewall to log inbound connections.
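The three preceding checks (unneeded inbound ports, deny-by-default posture, and logging of inbound connections) can be audited together when the personal firewall is the built-in Windows Defender Firewall. This added example is not part of the STIG text; the list of justified inbound ports is constructed for illustration and must be replaced by the site's documented PPSM justification, and the NetSecurity module (Windows 8 / Server 2012 and later) is assumed.

```powershell
# Added example (not part of the STIG): audit the Windows Defender Firewall for
# deny-by-default, logging of dropped/allowed connections, and inbound allow
# rules that open ports outside the site's justified list.
function Get-PersonalFirewallFindings {
    [CmdletBinding()]
    param(
        # Inbound ports the site has documented as needed. Constructed example
        # values (SMTP, HTTP, HTTPS); substitute the site's own PPSM list.
        [int[]]$JustifiedInboundPorts = @(25, 80, 443)
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # Profile-level posture. GpoBoolean properties are True/False/NotConfigured,
    # so compare against the string 'True' rather than relying on truthiness.
    foreach ($p in Get-NetFirewallProfile) {
        if ($p.Enabled -ne 'True') {
            $findings.Add("Profile $($p.Name): firewall is not enabled")
        }
        # NotConfigured falls back to Block; only an explicit Allow is a finding.
        if ($p.DefaultInboundAction -eq 'Allow') {
            $findings.Add("Profile $($p.Name): default inbound action is Allow, not deny-by-default")
        }
        if ($p.LogBlocked -ne 'True') {
            $findings.Add("Profile $($p.Name): dropped inbound connections are not logged")
        }
        if ($p.LogAllowed -ne 'True') {
            $findings.Add("Profile $($p.Name): allowed connections are not logged (log file: $($p.LogFileName))")
        }
    }

    # Rule-level review: every enabled inbound allow rule that exposes a port
    # not on the justified list needs documented justification from the IAO.
    foreach ($r in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
        $pf = $r | Get-NetFirewallPortFilter
        if ($pf.Protocol -eq 'Any') {
            $findings.Add("Rule '$($r.DisplayName)': allows inbound traffic on any protocol/port")
            continue
        }
        if ($pf.Protocol -notin 'TCP', 'UDP') { continue }   # ICMP etc. reviewed separately
        foreach ($port in @($pf.LocalPort)) {
            if ($port -match '^\d+$') {
                if ([int]$port -notin $JustifiedInboundPorts) {
                    $findings.Add("Rule '$($r.DisplayName)': opens $($pf.Protocol) $port inbound; justification required")
                }
            } else {
                # 'Any', ranges such as '1024-65535', or keywords such as 'RPC'.
                $findings.Add("Rule '$($r.DisplayName)': opens $($pf.Protocol) '$port' inbound; justification required")
            }
        }
    }
    return $findings
}

Get-PersonalFirewallFindings | Sort-Object -Unique
```

An empty result means the host firewall is on for every profile, drops unsolicited inbound traffic by default, logs both dropped and allowed connections, and opens only the justified ports. Third-party personal firewalls must be reviewed through their own console as the check text describes.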
Inspect the training or user agreement documentation. Verify that the users are informed of this requirement. If the user is unaware of this requirement or does not review the personal firewall audit data at least weekly, this is a finding.
Develop and implement procedures to review audit data.
This check verifies that the personal firewall security level is in compliance. The method of access to the firewall configuration will vary with the actual software. However, in general, the configuration can be viewed by clicking on the program icon in the desktop tray or by using the Programs menu. Navigate to the personal firewall Security Settings configuration window or tab and verify that the security level for both the Local and Internet Zones is set to the intermediate setting of "Medium" or higher. The specific default intermediate settings may vary, depending on the vendor firewall used. At a minimum, this level of security should be customized to include the following:

- Blocking all Internet access until expressly permitted by the user.
- Silently blocking unused ports.
- Blocking or prompting for usage of Java applets and ActiveX controls.

If the security level is not set to a minimum of intermediate or "Medium" and the above listed minimum settings are not in place, then mark this as a Category II finding.
Ensure firewall is set to at least a medium level of security.
This check verifies use of an approved encryption product to protect data on client devices used for remote access. The site should provide documentation of compliance. The site may also provide documentation that product is on the approved Data at Rest (DAR) products list. To verify encryption is configured on the remote endpoints, check the configuration of the operating system. If either an approved product is not used or it is not configured for use on the devices, this is a finding.
Ensure sensitive data is encrypted using an approved encryption product.
Interview a sampling of remote users to verify that they store a copy of the private encryption key in a secure location (e.g., floppy disk, CD, etc.). If they do not follow this procedure, ask if they were trained on this requirement and examine the site's remote user agreement or training documentation for a description of this procedure. If the user does not have a backup of the private key, this is a finding. If users are not available for interview and this requirement is not addressed in either user training or the user access agreement, this is a finding.
Develop and implement a process to ensure a backup of the encryption key is stored in a secure location.
Interview the IAO to verify data loss prevention procedures for encrypted data on remote access devices. These procedures may be as simple as a requirement for users to backup or an automated backup to an unencrypted folder on the network. Alternative but more expensive methods are third party key storage and multiple key access. If procedures do not exist for key or data recovery, this is a finding.
Develop a recovery plan for key recovery or data recovery in the event of a lost key.
Execute the software's dialer applet from the Programs menu. The selections may vary depending on the products used for the VPN client. Verify in the Properties dialog box that split tunneling is disabled, i.e., that all traffic is sent through the tunnel. Upon the establishment of a VPN connection to a DOD network, no other connections of any kind will be established. Next, verify that the setting for "local LAN access" is not selected. For example, if home networks are used, no connection between the device and other home network devices will be established during a VPN session. If split tunneling is used for VPN communications or if local LAN access is permitted, even for printing purposes, this is a finding.
Configure the VPN so that split tunneling is disabled.
Verify the system’s user and advanced user rights policies are configured in accordance with DISA requirements to prevent users without administrative rights from installing or changing software or hardware configurations, which may adversely affect the security posture of the remote device. There are several ways to accomplish this item. Have the NSO demonstrate the site’s method for securing the VPN profile configuration. Since the VPN client software generally does not have a setting for preventing users from changing the settings, the most likely method used will be to enable the operating system policies to ensure the profile directory of the client software is enabled for read and execute only for ordinary users. Next, examine any procedures or remote access agreement that informs the user of this requirement. If the user is not informed of this requirement or if rights are not restricted to prevent installation of software or device drivers, this is a finding. Note: If the remote user has administrative rights, then this is a finding only if a written policy does not exist informing the user that changes must be pre-approved regardless of having administrative rights.
Ensure there is a configuration control process in place and is followed for VPN client configurations.
Verify the existence of VPN client configuration and access procedures. Also, examine the site user training program to ensure VPN security procedures are included. Such items as local LAN access, split tunneling, and obtaining approval for configuration changes should be addressed in the training. If written VPN procedures do not exist, are inadequate, or are not provided to the users, this is a finding. If VPN security is not included in the training program, this is a finding.
Develop and distribute user instructions for the VPN client.
Interview the network administrator to ensure both the VPN appliance and the client software use the IPSec tunneling protocol to secure traffic sent between the network and remote access devices. That is, the tunneling protocol selected in the VPN configuration must be IPSec only. Next, navigate to the IPSec configuration tab of the VPN appliance; the IPSec attribute values selected must be AES, ESP, and MD5. The above settings are controlled in the VPN network appliance configuration, but the encryption protocol and authentication protocol settings in the client configuration must be compatible or the client's remote connection request will be unsuccessful. Configuration of the network device is beyond the scope of this requirement; however, these settings are addressed in the VPN procedures document required in SRC-EPT-620. View the dial-up VPN client communications security properties using the following steps. Select "Settings" from the Start menu. Select "Network and Dial-up Connections". Select the VPN connection used for connection to the remote network (hint: the type will be Virtual Private Network). Right-click, select "Properties", and select the "Security" tab. Verify data encryption is turned on. Refer to SRC-EPT-800 for instructions on verifying tunnel mode is enabled on the client. If the IPSec tunneling protocol is not enabled for VPN communications between the client and VPN appliance, this is a finding. If the concentrator is not configured to use ESP and AES, this is a finding. If the VPN client used is not FIPS 140-1/2 compliant, this is a finding.
Ensure that IPSEC is being used.
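For the built-in Windows VPN client, the client-side properties named in the split-tunneling check and in the IPSec check above (tunnel type, data encryption, split tunneling) are exposed by the VpnClient module, so they can be audited from a script instead of the dialer's Properties dialog. This added example is not part of the STIG text; it assumes the VpnClient and NetTCPIP modules (Windows 8 / Server 2012 and later) and covers only connections defined in the Windows phonebook, not third-party VPN clients, and it cannot read the appliance side of the configuration.

```powershell
# Added example (not part of the STIG): audit Windows VPN client phonebook
# entries for split tunneling, non-IPsec tunnel types, and weak encryption
# settings; when a connection is up, confirm the default route goes through it.
function Get-VpnClientFindings {
    [CmdletBinding()]
    param()
    $findings = New-Object System.Collections.Generic.List[string]

    # Per-user entries plus all-user (system) entries.
    $conns = @(Get-VpnConnection -ErrorAction SilentlyContinue) +
             @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)
    if ($conns.Count -eq 0) { return @('No Windows VPN connections are defined on this host') }

    foreach ($c in $conns) {
        # Split tunneling disabled means the VPN server becomes the default gateway.
        if ($c.SplitTunneling) {
            $findings.Add("$($c.Name): split tunneling is enabled")
        }
        # Only IKEv2 and L2TP/IPsec carry traffic inside IPsec; PPTP and SSTP do not.
        if ($c.TunnelType -notin 'Ikev2', 'L2tp') {
            $findings.Add("$($c.Name): tunnel type '$($c.TunnelType)' is not IPsec")
        }
        # Data encryption must be required, not optional or absent.
        if ($c.EncryptionLevel -in 'NoEncryption', 'Optional') {
            $findings.Add("$($c.Name): encryption level is '$($c.EncryptionLevel)'")
        }
        # For a live session, check that the lowest-cost default route is the
        # tunnel interface. Effective cost is route metric plus interface metric.
        if ($c.ConnectionStatus -eq 'Connected') {
            $vpnIf = Get-NetIPInterface -InterfaceAlias $c.Name -AddressFamily IPv4 -ErrorAction SilentlyContinue
            $best = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
                ForEach-Object {
                    $ifm = (Get-NetIPInterface -InterfaceIndex $_.InterfaceIndex -AddressFamily IPv4).InterfaceMetric
                    [pscustomobject]@{ Route = $_; Cost = $_.RouteMetric + $ifm }
                } | Sort-Object Cost | Select-Object -First 1
            if ($vpnIf -and $best -and $best.Route.InterfaceIndex -ne $vpnIf.InterfaceIndex) {
                $findings.Add("$($c.Name): connected, but default route is via '$($best.Route.InterfaceAlias)' rather than the tunnel")
            }
        }
    }
    return $findings
}

Get-VpnClientFindings
```

The route check is the observable consequence of "no other connections of any kind" during a VPN session: if the physical adapter still carries the cheapest default route while the tunnel is up, traffic is bypassing the VPN even though the SplitTunneling flag reads false. The IPsec transform set (ESP with AES) is negotiated by the appliance and is verified there, as the check text notes.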
Navigate to the Services applet in the Administrative Tools folder. Check the services listing to see if SNMP is installed and enabled. If SNMP service is installed, this is a finding.
Ensure SNMP is not enabled.