ad-assurance - [AD-Assurance] Microsoft Security Configuration Guidance Support
Subject: Meeting the InCommon Assurance profile criteria using Active Directory
- From: "Capehart,Jeffrey D" <>
- Subject: [AD-Assurance] Microsoft Security Configuration Guidance Support
- Date: Wed, 7 Aug 2013 19:26:55 +0000
- Accept-language: en-US
I came across this while looking at some SCAP information for Microsoft. Many of the items look familiar and related to our issues. Perhaps the Microsoft Security Configuration Guidance Support could be helpful? –Jeff C.

http://usgcb.nist.gov/usgcb_faq.html#vhdfaq_testbeforeombscap (#49)

What are some settings that will impact system functionality that I should test before I deploy the OMB mandated USGCB Security Content Automation Protocol (SCAP) in an operational environment?

There are a number of settings that will impact system functionality, and agencies should test thoroughly before they are deployed in an operational environment.

- Running the system as a standard user - some applications may not work properly because they require administrative access to the operating system and application directories and registry keys.
- Minimum 12-character password and change every 60 days - this may impact system usability and interoperability with some enterprise single sign-on password management systems.
- Wireless service - the wireless service is disabled, and this will prevent the use of Wi-Fi network interfaces that depend on the built-in wireless service.
- The "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" setting has been a required setting for several years, even before the USGCB mandate was announced. It is known to impact browser interoperability with Web sites that do not support the FIPS 140-2 approved algorithms. This can usually be corrected by changing the Web server configuration to support FIPS 140-2 approved algorithms. Refer to this knowledgebase article. It also affects the encryption algorithm used for the Remote Desktop Protocol (RDP); RDP is the protocol used by Terminal Services, Remote Desktop, and Remote Assistance. RDP connections will fail if both computers are not configured to use the same encryption algorithm. Computers running Windows XP can be updated to the latest version of Microsoft's RDP client in order to connect to Terminal Services servers; however, there is no update for the RDP server included with Windows XP. This means that computers running Windows XP with this setting enabled cannot support incoming Remote Desktop and Remote Assistance connections. See this knowledgebase article for more information.
- Unsigned drivers installation behavior - drivers that are not digitally signed by Microsoft cannot be installed under Windows XP.
- Windows Firewall - the built-in firewall may prevent other applications from communicating with some applications.
- Additional settings - refer to this knowledgebase article for additional settings that may impact system interoperability with legacy systems. [See Additional settings included…]

Security configuration guidance support
http://support.microsoft.com/kb/885409

Microsoft, the Center for Internet Security (CIS), the National Security Agency (NSA), the Defense Information Systems Agency (DISA), and the National Institute of Standards and Technology (NIST) have published "security configuration guidance" for Microsoft Windows.

Microsoft strongly supports industry efforts to provide security guidance for deployments in high security areas. However, you must thoroughly test the guidance in the target environment. If you need additional security settings beyond the default settings, we highly recommend that you see the Microsoft-issued guides. These guides can serve as a starting point for your organization's requirements. For support or for questions about third-party guides, contact the organization that issued the guidance.

Jeff Capehart, CISA |
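The FAQ quoted above names the USGCB settings with known functional impact (12-character minimum password, 60-day maximum age, the FIPS algorithm policy) but gives no way to see which of them are actually in force on a host before the lab tests start. The following is an added example, not code from this post, from NIST or from Microsoft: it parses a policy export in the INI-style layout that `secedit /export` writes and reports which of those settings are enabled, pairing each with the interoperability test the FAQ says to run. The two sample exports are constructed for the example; the registry path used for the FIPS policy (`...\Control\Lsa\FipsAlgorithmPolicy\Enabled`) and the `path=type,value` encoding with `4` for REG_DWORD are the secedit conventions as assumed here, not anything stated on the page.

```python
from typing import Dict, List, Optional

# Constructed sample exports in the layout produced by `secedit /export /cfg file.inf`
# (constructed for this example, not captured from a real host).
HARDENED_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 12
MaximumPasswordAge = 60
PasswordComplexity = 1
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled=4,1
[Version]
signature="$CHICAGO$"
Revision=1
"""

RELAXED_EXPORT = """\
[System Access]
MinimumPasswordLength = 8
MaximumPasswordAge = -1
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled=4,0
"""

# Registry value behind "System cryptography: Use FIPS compliant algorithms..." (assumed path).
FIPS_KEY = "MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled"


def parse_secedit_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the INI-style secedit export into {section: {key: value}}.

    Keys keep their case and backslashes, which is why a hand-rolled parser is used
    instead of configparser (whose default optionxform lowercases keys)."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue                      # stray text outside any section
        key, value = line.split("=", 1)
        sections[current][key.strip()] = value.strip()
    return sections


def registry_dword(sections: Dict[str, Dict[str, str]], path: str) -> Optional[int]:
    """Return the REG_DWORD stored for a [Registry Values] entry, or None if absent.

    secedit writes registry entries as path=type,value; type 4 is REG_DWORD."""
    entry = sections.get("Registry Values", {}).get(path)
    if entry is None:
        return None
    reg_type, _, value = entry.partition(",")
    if reg_type.strip() != "4":
        return None
    return int(value.strip())


def usgcb_impact_findings(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """List the FAQ's functional-impact settings that are in force, with the test each needs.

    The result doubles as a test plan for the deployment lab: an empty list means none of
    the three settings covered here is enabled."""
    findings: List[str] = []
    access = sections.get("System Access", {})
    min_len = int(access.get("MinimumPasswordLength", 0))
    max_age = int(access.get("MaximumPasswordAge", -1))   # -1 means passwords never expire
    if min_len >= 12:
        findings.append(f"MinimumPasswordLength={min_len}: test enterprise SSO / "
                        "password-management interoperability")
    if 0 < max_age <= 60:
        findings.append(f"MaximumPasswordAge={max_age}: test password rotation handling "
                        "in SSO and password-management systems")
    if registry_dword(sections, FIPS_KEY) == 1:
        findings.append("FIPS algorithm policy enabled: test browser access to web servers "
                        "lacking FIPS 140-2 algorithms and RDP between hosts with "
                        "mismatched encryption settings")
    return findings


if __name__ == "__main__":
    for name, export in (("hardened", HARDENED_EXPORT), ("relaxed", RELAXED_EXPORT)):
        print(f"--- {name} ---")
        for finding in usgcb_impact_findings(parse_secedit_export(export)) or ["no USGCB impact settings in force"]:
            print(finding)
```

On a real host the input would come from running `secedit /export /cfg <file>` and reading that file instead of the embedded constants; the three checks here cover only the settings the FAQ names explicitly, and the wireless-service, driver-signing and firewall items are reported through other mechanisms (service state and firewall profile) rather than the security template.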