NIST Security Configuration Checklists Repository

Desktop Application Security Checklist

Name

Desktop Application Security Checklist, v2 r1.8

Version

Version 2, Release 1.8

Status

Final

Creation Date

2003-02-28

Revision Date

2007-03-23

Product Category

Antivirus Software
Web Browser
Office Automation/Productivity Suite

Vendor

Symantec Corporation
McAfee, Inc.
Netscape
Microsoft Corporation

Product

Norton Antivirus Corporate Edition v7.6.1
McAfee VirusScan v4.5.1
Netscape Navigator v4.76-4.8, 6.23
Internet Explorer v5.5 and 6
Outlook 98, 2000, XP
MS Office 97, 2000, XP

Product Version

Norton Antivirus Corporate Edition v7.6.1
McAfee VirusScan v4.5.1
Netscape Navigator v4.76-4.8, 6.23
Internet Explorer v5.5 and 6
Outlook 98, 2000, XP
MS Office 97, 2000, XP

Product Role

Desktop Client

Checklist Summary

This Desktop Application Security Checklist provides the procedures for conducting a Security Readiness Review (SRR) to determine compliance with the requirements in the Desktop Application Security Technical Implementation Guide (STIG). This Checklist document must be used together with the corresponding version of the STIG document. This SRR guide focuses strictly on Norton Antivirus Corporate Edition v7.6.1, McAfee VirusScan v4.5.1, Netscape Navigator v4.76-4.8, 6.23, Internet Explorer v5.5 and 6, Outlook 98, 2000, XP and MS Office 97, 2000, XP. Additionally, this checklist ensures that the site has properly installed and implemented the specified desktop applications and that they are being managed in a way that is secure, efficient, and effective, through the procedures outlined in the checklist. The items reviewed are based on standards and requirements published by DISA in the Security Handbook and the Database Security Technical Implementation Guide. This checklist is broken out into five sections and three appendices:

- Section 1: This section contains summary information about the sections and appendix that comprise the Desktop Application Security Checklist. The software version applicability, effective date, types of reviews, and referenced documents are listed.

- Section 2: This section is the matrix that allows a reviewer to manually document details about the object of the SRR and the vulnerabilities discovered during the SRR process. Information about the items listed is obtained through the procedures documented in Sections 3, 4, and 5.

- Section 3: This section documents the questions that a reviewer discusses with the System Administrator (SA) or Information Systems Security Officer (ISSO). The items reviewed correspond to some of those listed in Section 2.

- Section 4: This section documents the procedures to be used by a reviewer to perform an SRR using the automated scripts. The items reviewed correspond to some of those listed in Section 2.

- Section 5: This section documents the procedures to be used by a reviewer to perform an SRR manually. The items reviewed correspond to some of those listed in Section 2.

- Appendix A: This appendix documents the required Access Control Lists (ACLs) for file and registry objects. The tables in this appendix are referenced in Sections 4 and 5.

- Appendix B: This appendix documents the values of various configuration settings. The tables in this appendix are referenced in Sections 4 and 5.

- Appendix C: This appendix documents the values of various configuration settings. The tables in this appendix are referenced in Sections 4 and 5.

The procedures in this document are part of the effort to ensure that the security configuration guidelines required by Department of Defense (DOD) Directive 8500.1, Information Assurance, and other relevant guidance have been properly implemented.

Known Issues

- As noted in the Desktop Application STIG, Microsoft is not providing new security patches for MS Office 97 and MS Outlook 98. In DOD-CERT Technical Advisory 2001-T-0013, the indicated countermeasure for MS Office is to upgrade to a newer supported version of the applications. Although information on Office 97 and Outlook 98 is included in this Checklist to assist those who have been unable to upgrade, the information will be removed in a future edition.

- The user account from which Desktop Application Gold Disk is run must have Administrator privileges and have the User Right: Manage Auditing and Security Log.

- Only the configuration checks that are included in the Desktop Application Gold Disk (Internet Explorer and Microsoft Office) will be evaluated as part of the formal review process. The IAVMs and security patches included on the Desktop Gold Disk are not evaluated as part of the Desktop Application review because they are already covered in either the appropriate Windows Operating System Gold Disk or the appropriate Post Gold Disk Scripts. These will remain in the Desktop Application Gold Disk for the SA's use.

Target Audience

Developed for the DOD.
This checklist has been created for IT professionals, particularly Windows system administrators and information security personnel. The document assumes that the reader has experience installing and administering applications on Windows-based systems in domain or standalone configurations.

Target Operational Environment

Enterprise and Specialized Security-Limited Functionality.

Checklist Installation Tools

The user should ensure that Internet Explorer (IE 6.0 or above) is installed and properly functioning on the target system before executing this application. This application utilizes the MSXML libraries provided by Microsoft in their Internet Explorer product. If Internet Explorer 6.0 or higher is not installed on the target system, when the application is executed, it will prompt the user to execute the built-in installation program. Reviewers should not load IE 6.0 on the machine to be reviewed. If a review is required on a machine that is not currently running IE 6.0, a manual review must be completed.

Rollback Capability

The scripts create temporary files. These files are removed at the completion of the script.

Testing Information

Not Available.

NIAP/CMVP Status

Not Available.

Regulatory Compliance

DOD Directive 8500.

Comments, Warnings, Disclaimer, Miscellaneous

Please refer to the Checklist or the README.TXT files provided with the scripts for any comments, warnings, or detailed instructions.

Disclaimer

Not Available.

Product Support

It should be noted that FSO Support for the STIGs, Checklists, and Tools is only available to DOD Customers.

Submitting Organization/Authors

Defense Information Systems Agency

Point of Contact

Not Available.

Sponsor

Not Available.

Licensing

Not Available.

Checklist Homepage

http://iase.disa.mil/stigs/checklist/index.html

Download Package

http://iase.disa.mil/stigs/checklist/Desktop_App_checklist_v2r18.zip

Integrity

SHA1 Digest (Desktop_App_checklist_v2r18.zip) = f03c34b36c0c341a8b15918a4fe9cfd55044cb08

SHA256 Digest (Desktop_App_checklist_v2r18.zip) = 6079317b51e5162dd83f4f1460b82f226ee99da3aa2b14b15fad56d5e548a08d

Change History

Version 1, Release 1.1, 2003-02-28
Version 1, Release 1.2, 2003-04-25
Version 1, Release 1.3, 2003-05-30
Version 1, Release 1.4, 2003-06-27
Version 1, Release 1.5, 2004-10-19
Version 1, Release 1.6, 2004-12-10
Version 1, Release 1.7, 2005-01-28
Version 1, Release 1.8, 2005-02-25
Version 1, Release 1.9, 2005-04-22
Version 1, Release 1.10, 2005-08-12
Version 2, Release 1.2, 2005-12-23
Version 2, Release 1.5, 2006-09-19
Version 2, Release 1.6, 2006-11-24
Version 2, Release 1.7, 2007-01-26
Version 2, Release 1.8, 2007-03-23

Dependency/Requirement

Desktop Application Security Technical Implementation Guide, v2 Release 1

References

The following documents and resources were consulted:

DOD Directive 8500.1, Information Assurance (IA). 24 October 2002

Desktop Application Security Technical Implementation Guide. 21 November 2002

Windows NT/2000/XP Addendum. 26 February 2004

Windows Gold Disk Version 2. Released January 2007
http://iase.disa.mil/stigs/SRR/GDV2_CD1_Engine_03-30-2007.iso

SHA1 Digest (GDV2_CD1_Engine_03-30-2007.iso) = 3f942d9ae7c0aaee779292f7f627e5c7742c2833

SHA256 Digest (GDV2_CD1_Engine_03-30-2007.iso) = a9636c7cde87fa12b632642351bee0d776f47312ab5af3ba1baa4c30772d7fdd

NIST Identifier

1060

NIST and the checklist submitter do not guarantee or warrant the checklist's accuracy or completeness. NIST is not responsible for loss, damage, or problems that may be caused by using the checklist.

Last updated: April 13, 2007
Page created: October 28, 2004
