Desktop Application Security Checklist

| Field | Value |
|---|---|
| Name | Desktop Application Security Checklist, v2 r1.8 |
| Version | Version 2, Release 1.8 |
| Status | Final |
| Creation Date | 2003-02-28 |
| Revision Date | 2007-03-23 |
| Product Category | Antivirus Software<br>Web Browser<br>Office Automation/Productivity Suite |
| Vendor | Symantec Corporation<br>McAfee, Inc.<br>Netscape<br>Microsoft Corporation |
| Product | Norton Antivirus Corporate Edition v7.6.1<br>McAfee VirusScan v4.5.1<br>Netscape Navigator v4.76-4.8, 6.23<br>Internet Explorer v5.5 and 6<br>Outlook 98, 2000, XP<br>MS Office 97, 2000, XP |
| Product Version | Norton Antivirus Corporate Edition v7.6.1<br>McAfee VirusScan v4.5.1<br>Netscape Navigator v4.76-4.8, 6.23<br>Internet Explorer v5.5 and 6<br>Outlook 98, 2000, XP<br>MS Office 97, 2000, XP |
| Product Role | Desktop Client |
| Checklist Summary | This Desktop Application Security Checklist provides the procedures for conducting a Security Readiness Review (SRR) to determine compliance with the requirements in the Desktop Application Security Technical Implementation Guide (STIG). This Checklist document must be used together with the corresponding version of the STIG document. This SRR guide focuses strictly on Norton Antivirus Corporate Edition v7.6.1, McAfee VirusScan v4.5.1, Netscape Navigator v4.76-4.8, 6.23, Internet Explorer v5.5 and 6, Outlook 98, 2000, XP and MS Office 97, 2000, XP. Additionally, this checklist ensures the site has properly installed and implemented specific desktop applications and that they are being managed in a way that is secure, efficient, and effective, through the procedures outlined in the checklist. The items reviewed are based on standards and requirements published by DISA in the Security Handbook and the Database Security Technical Implementation Guide. This checklist is broken out into five sections and three appendices:<br>- Section 1: This section contains summary information about the sections and appendices that comprise the Desktop Application Security Checklist. The software version applicability, effective date, types of reviews, and referenced documents are listed.<br>- Section 2: This section is the matrix that allows a reviewer to manually document details about the object of the SRR and the vulnerabilities discovered during the SRR process. Information about the items listed is obtained through the procedures documented in Sections 3, 4, and 5.<br>- Section 3: This section documents the questions that a reviewer discusses with the System Administrator (SA) or Information Systems Security Officer (ISSO). The items reviewed correspond to some of those listed in Section 2.<br>- Section 4: This section documents the procedures to be used by a reviewer to perform an SRR using the automated scripts. The items reviewed correspond to some of those listed in Section 2.<br>- Section 5: This section documents the procedures to be used by a reviewer to perform an SRR manually. The items reviewed correspond to some of those listed in Section 2.<br>- Appendix A: This appendix documents the required Access Control Lists (ACLs) for file and registry objects. The tables in this appendix are referenced in Sections 4 and 5.<br>- Appendix B: This appendix documents the values of various configuration settings. The tables in this appendix are referenced in Sections 4 and 5.<br>- Appendix C: This appendix documents the values of various configuration settings. The tables in this appendix are referenced in Sections 4 and 5.<br>The procedures in this document are part of the effort to ensure that the security configuration guidelines required by Department of Defense (DOD) Directive 8500.1, Information Assurance, and other relevant guidance have been properly implemented. |
| Known Issues | - As noted in the Desktop Application STIG, Microsoft is not providing new security patches for MS Office 97 and MS Outlook 98. In DOD-CERT Technical Advisory 2001-T-0013, the indicated countermeasure for MS Office is to upgrade to a newer supported version of the applications. Although information on Office 97 and Outlook 98 is included in this Checklist to assist those who have been unable to upgrade, the information will be removed in a future edition.<br>- The user account from which the Desktop Application Gold Disk is run must have Administrator privileges and have the User Right: Manage Auditing and Security Log.<br>- Only the configuration checks that are included in the Desktop Application Gold Disk (Internet Explorer and Microsoft Office) will be evaluated as part of the formal review process. The IAVMs and security patches included on the Desktop Gold Disk are not evaluated as part of the Desktop Application review because they are already covered in either the appropriate Windows Operating System Gold Disk or the appropriate Post Gold Disk Scripts. These will remain in the Desktop Application Gold Disk for the SA's use. |
| Target Audience | Developed for the DOD.<br>This checklist has been created for IT professionals, particularly Windows system administrators and information security personnel. The document assumes that the reader has experience installing and administering applications on Windows-based systems in domain or standalone configurations. |
| Target Operational Environment | Enterprise and Specialized Security-Limited Functionality. |
| Checklist Installation Tools | The user should ensure that Internet Explorer (IE 6.0 or above) is installed and properly functioning on the target system before executing this application. This application utilizes the MSXML libraries provided by Microsoft in their Internet Explorer product. If Internet Explorer 6.0 or higher is not installed on the target system, the application will, when executed, prompt the user to run the built-in installation program. Reviewers should not load IE 6.0 on the machine to be reviewed. If a review is required on a machine that is not currently running IE 6.0, a manual review must be completed. |
| Rollback Capability | The scripts create temporary files. These files are removed at the completion of the script. |
| Testing Information | Not Available. |
| NIAP/CMVP Status | Not Available. |
| Regulatory Compliance | DOD Directive 8500. |
| Comments, Warnings, Disclaimer, Miscellaneous | Please refer to the Checklist or the README.TXT files provided with the scripts for any comments, warnings, or detailed instructions. |
| Disclaimer | Not Available. |
| Product Support | It should be noted that FSO Support for the STIGs, Checklists, and Tools is only available to DOD Customers. |
| Submitting Organization/Authors | Defense Information Systems Agency |
| Point of Contact | Not Available. |
| Sponsor | Not Available. |
| Licensing | Not Available. |
| Checklist Homepage | http://iase.disa.mil/stigs/checklist/index.html |
| Download Package | http://iase.disa.mil/stigs/checklist/Desktop_App_checklist_v2r18.zip |
| Integrity | SHA1 Digest (Desktop_App_checklist_v2r18.zip) = f03c34b36c0c341a8b15918a4fe9cfd55044cb08<br>SHA256 Digest (Desktop_App_checklist_v2r18.zip) = 6079317b51e5162dd83f4f1460b82f226ee99da3aa2b14b15fad56d5e548a08d |
| Change History | Version 1, Release 1.1, 2003-02-28<br>Version 1, Release 1.2, 2003-04-25<br>Version 1, Release 1.3, 2003-05-30<br>Version 1, Release 1.4, 2003-06-27<br>Version 1, Release 1.5, 2004-10-19<br>Version 1, Release 1.6, 2004-12-10<br>Version 1, Release 1.7, 2005-01-28<br>Version 1, Release 1.8, 2005-02-25<br>Version 1, Release 1.9, 2005-04-22<br>Version 1, Release 1.10, 2005-08-12<br>Version 2, Release 1.2, 2005-12-23<br>Version 2, Release 1.5, 2006-09-19<br>Version 2, Release 1.6, 2006-11-24<br>Version 2, Release 1.7, 2007-01-26<br>Version 2, Release 1.8, 2007-03-23 |
| Dependency/Requirement | Desktop Application Security Technical Implementation Guide, v2 Release 1 |
| References | The following documents and resources were consulted:<br>DOD Directive 8500.1, Information Assurance (IA). 24 October 2002<br>Desktop Application Security Technical Implementation Guide. 21 November 2002<br>Windows NT/2000/XP Addendum. 26 February 2004<br>Windows Gold Disk Version 2: Released January 2007, http://iase.disa.mil/stigs/SRR/GDV2_CD1_Engine_03-30-2007.iso<br>SHA1 Digest (GDV2_CD1_Engine_03-30-2007.iso) = 3f942d9ae7c0aaee779292f7f627e5c7742c2833<br>SHA256 Digest (GDV2_CD1_Engine_03-30-2007.iso) = a9636c7cde87fa12b632642351bee0d776f47312ab5af3ba1baa4c30772d7fdd |
| NIST Identifier | 1060 |

NIST and the checklist submitter do not guarantee or warrant the checklist's accuracy or completeness. NIST is not responsible for loss, damage, or problems that may be caused by using the checklist.