kriterion 0.0.1

data/standards/stig_mobileiron_core_v9.x_mdm.json

@@ -0,0 +1,89 @@
+{
+  "name": "stig_mobileiron_core_v9.x_mdm",
+  "date": "2017-06-02",
+  "description": "This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.",
+  "title": "MobileIron Core v9.x MDM Security Technical Implementation Guide",
+  "version": "1",
+  "item_syntax": "^\\w-\\d+$",
+  "section_separator": null,
+  "items": [
+    {
+      "id": "V-70517",
+      "title": "All MobileIron Core MDM server cryptography supporting DoD functionality must be configured to use FIPS 140-2 validated encryption modules.",
+      "description": "Unapproved cryptographic algorithms cannot be relied upon to provide confidentiality or integrity, and DoD data could be compromised as a result. The most common vulnerabilities with cryptographic modules are those associated with poor implementation. FIPS 140-2 validation provides assurance that the relevant cryptography has been implemented correctly. FIPS 140-2 validation is also a strict requirement for use of cryptography in the Federal Government for protecting unclassified data.\n\nSFR ID: FCS",
+      "severity": "medium"
+    },
+    {
+      "id": "V-70519",
+      "title": "The MobileIron Core MDM server must be configured to leverage the MDM Platform user accounts and groups for MDM Server user identification and authentication.",
+      "description": "A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. If an attacker compromises an account, the entire MDM server infrastructure is at risk. Providing automated support functions for the management of accounts will ensure only active accounts will be granted access with the proper authorization levels. These objectives are best achieved by configuring the MDM server to leverage an enterprise authentication mechanism (e.g., Microsoft Active Directory Kerberos). \n\nSFR ID: FIA",
+      "severity": "medium"
+    },
+    {
+      "id": "V-70521",
+      "title": "Before establishing a user session, the MobileIron Core MDM server must be configured to display an administrator-specified advisory notice and consent warning message regarding use of the MDM server.",
+      "description": "Note: The advisory notice and consent warning message is not required if the General Purpose OS or Network Device displays an advisory notice and consent warning message when the administrator logs on to the General Purpose OS or Network Device prior to accessing the MDM server or MDM Server platform.\n\nThe MDM server/server platform is required to display the DoD-approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. This ensures the legal requirements for auditing and monitoring are met. \n\nThe approved DoD text must be used as specified in KS referenced in DoDI 8500.01.\n\nThe non-bracketed text below must be used without any changes as the warning banner. \n\n[A. Use this banner for desktops, laptops, and other devices accommodating banners of 1300 characters. The banner shall be implemented as a click-through banner at logon (to the extent permitted by the operating system), meaning it prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating “OK.”]\n\nYou are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. \nBy using this IS (which includes any device attached to this IS), you consent to the following conditions: \n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. \n-At any time, the USG may inspect and seize data stored on this IS. \n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. \n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. \n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\n\nSFR ID: FMT_SMF_EXT.1.1(2) Refinement d.",
+      "severity": "low"
+    },
+    {
+      "id": "V-70523",
+      "title": "The MobileIron Core MDM server must be configured to block mobile devices that do not have required OS type and version.",
+      "description": "Unapproved mobile device OS types and versions may have vulnerabilities and need to be prohibited to mitigate these risks to sensitive DoD data and DoD networks.\n\nSFR ID: FMT_SMF.1.1(2) Refinement f.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-70525",
+      "title": "The MobileIron Core MDM server must be configured to record within each audit record required information: a. date and time of the event; b. type of event; c. mobile device identity; and d. [no other audit relevant information].",
+      "description": "Audit records must contain basic data fields so they contain enough information to support identification and investigation of attempted or successful compromises. Failure to have these data fields in audit records makes it more difficult to identify or investigate attempted or successful compromises, potentially causing incidents to last longer than necessary.\n\nSFR ID: FAU_GEN.1.2(1) Refinement",
+      "severity": "medium"
+    },
+    {
+      "id": "V-70527",
+      "title": "The MobileIron Core MDM server must be configured to block mobile devices that do not have required applications installed.",
+      "description": "The security baseline of managed mobile devices could be compromised if key required applications are not installed, including device monitoring and management applications. This requirement mitigates that risk.\n\nSFR ID: FMT_SMF.1.1(1) Refinement #28",
+      "severity": "low"
+    },
+    {
+      "id": "V-70529",
+      "title": "The MobileIron Core MDM server must be configured to enable an audit record for the following auditable events: any event selected in the ST under FAU_ALT_EXT.2.1.",
+      "description": "Failure to generate these audit records makes it more difficult to identify or investigate attempted or successful compromises, potentially causing incidents to last longer than necessary.\n\nSFR ID: FAU_GEN.1.1(1) Refinement",
+      "severity": "medium"
+    },
+    {
+      "id": "V-70531",
+      "title": "The MobileIron Core MDM server must be configured with the Administrator roles: a. MD user. b. Server primary administrator. c. Security configuration administrator. d. Device user group administrator. e. Auditor.",
+      "description": "Having several roles for the MDM server supports separation of duties. This allows administrator-level privileges to be granted granularly, such as giving application management privileges to one group and security policy privileges to another group. This helps prevent administrators from intentionally or inadvertently altering other settings and configurations they may not understand or approve of, which can weaken overall security and increase the risk of compromise.\n\nSFR ID: FMT_SMR.1.1(1) Refinement",
+      "severity": "medium"
+    },
+    {
+      "id": "V-70533",
+      "title": "The MobileIron Core MDM server or platform must be configured to initiate a session lock after a 15-minute period of inactivity.",
+      "description": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their application session prior to vacating the vicinity, applications need to be able to identify when a user's application session has idled and take action to initiate the session lock.\n\nThe session lock is implemented at the point where session activity can be determined and/or controlled. This is typically at the operating system-level and results in a system lock but may be at the application-level where the application interface window is secured instead.\n\nSFR ID: FMT_SMF.1.1(1) Refinement",
+      "severity": "medium"
+    },
+    {
+      "id": "V-70535",
+      "title": "The MobileIron Core MDM server platform must be protected by a DoD-approved firewall.",
+      "description": "Most information systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Unneeded services and processes provide additional threat vectors and avenues of attack to the information system. The MDM server is a critical component of the mobility architecture and must be configured to only those ports, protocols, and services (PPS) necessary to support functionality, all others must be expressly disabled or removed. A DoD-approved firewall implements the required network restrictions. A host-based firewall is appropriate where the MDM server runs on a standalone platform. Network firewalls or other architectures may be preferred where the MDM server runs in a cloud or virtualized solution.\n\nSFR ID: FMT_SMF.1.1(1) Refinement",
+      "severity": "medium"
+    },
+    {
+      "id": "V-70537",
+      "title": "The firewall protecting the MobileIron Core MDM server platform must be configured to restrict all network traffic to and from all addresses with the exception of ports, protocols, and IP address ranges required to support MDM server and platform functions.",
+      "description": "Most information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations. Since the MDM server is a critical component of the mobility architecture and must be configured to only those ports, protocols, and services (PPS) necessary to support functionality, all others must be expressly disabled or removed. A firewall installed on the MDM server provides a protection mechanism to ensure unwanted service requests do not reach the MDM server and outbound traffic is limited to only MDM server functionality.\n\nSFR ID: FMT_SMF.1.1(1) Refinement",
+      "severity": "medium"
+    },
+    {
+      "id": "V-70539",
+      "title": "The MobileIron Core MDM server appliance must be configured to terminate the network connection associated with a communications session at the end of any transaction with an MDM agent or other server or after 10 minutes of inactivity.",
+      "description": "If communications sessions remain open for extended periods of time even when unused, there is the potential for an adversary to highjack the session and use it to gain access to the device or networks to which it is attached. Terminating sessions after a certain period of inactivity is a method for mitigating the risk of this vulnerability.\n\nSFR ID: FMT_SMF.1.1(1) Refinement",
+      "severity": "medium"
+    },
+    {
+      "id": "V-70541",
+      "title": "The MobileIron Core MDM agent must be configured for the periodicity of reachability events for six hours or less.",
+      "description": "Mobile devices that do not enforce security policy or verify the status of the device are vulnerable to a variety of attacks. The key security function of MDM technology is to distribute mobile device security polices in such a manner that they are enforced on managed mobile devices. To accomplish this function, the MDM agent must verify the status and other key information of the managed device and report that status to the MDM server periodically.\n\nSFR ID: FMT_SMF_EXT.3.2",
+      "severity": "low"
+    }
+  ]
+}

data/standards/stig_mobility_policy.json

@@ -0,0 +1,65 @@
+{
+  "name": "stig_mobility_policy",
+  "date": "2013-03-12",
+  "description": "This STIG provides policy, training, and operating procedure security controls for the use of mobile/wireless devices and systems in the DoD environment. This STIG applies to any mobile/wireless device (such as WLAN Access Points and clients, Bluetooth devices, smartphones and cell phones, tablets, wireless keyboards and mice, and wireless remote access devices) used to store, process, transmit or receive DoD information.  The previous version of this STIG was called the General Wireless Policy STIG (V1R9).  Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.",
+  "title": "Mobility Policy Security Technical Implementation Guide (STIG)",
+  "version": "2",
+  "item_syntax": "^\\w-\\d+$",
+  "section_separator": null,
+  "items": [
+    {
+      "id": "V-12072",
+      "title": "Wireless devices must not be allowed in a permanent, temporary, or mobile Sensitive Compartmented Information Facilities (SCIFs), unless approved by the SCIF Cognizant Security Authority (CSA) in accordance with Intelligence Community Directive 503 and Director Central Intelligence Directive (DCID) 6/9, the DAA, and the site Special Security Officer (SSO). \n",
+      "description": "Emanations from computing devices in the secured area may be transmitted or picked up inadvertently by wireless devices.",
+      "severity": "high"
+    },
+    {
+      "id": "V-12106",
+      "title": "Wireless devices must not be operated in areas where classified information is electronically stored, processed, or transmitted unless required conditions are followed. ",
+      "description": "The operation of electronic equipment and emanations must be controlled in and around areas where sensitive information is kept or processed.  Sites should post signs and train users to this requirement to mitigate this vulnerability.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-13982",
+      "title": "All users of mobile devices or wireless devices must sign a user agreement before the mobile or wireless device is issued to the user and the user agreement used at the site must include required content. ",
+      "description": "Lack of user training and understanding of responsibilities to safeguard wireless technology is a significant vulnerability to the enclave. Once policies are established, users must be trained to these requirements or the risk to the network remains.\n\nUser agreements are particularly important for mobile and remote users since there is a high risk of loss, theft, or compromise. Thus, this signed agreement is a good best practice to help ensure the site is confirming the user is aware of the risks and proper procedures. \n",
+      "severity": "low"
+    },
+    {
+      "id": "V-14894",
+      "title": "All wireless network devices, such as wireless Intrusion Detection System (IDS) and wireless routers, access points, gateways, and controllers  must be located in a secure room with limited access or otherwise secured to prevent tampering or theft.",
+      "description": "DoD data and the network could be exposed to attack if wireless network devices are not physically protected. The Network Security Officer (NSO) will ensure all wireless network devices (i.e., IDS, routers, servers, Remote Access System (RAS), firewalls, WLAN access points, etc.), wireless management, and email servers are located in a secure room with limited access or otherwise secured to prevent tampering or theft.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-15782",
+      "title": "Personnally owned or contractor owned CMDs must not be used to transmit, receive, store, or process DoD information or connect to DoD networks. ",
+      "description": "The use of unauthorized personally-owned CMDs to receive, store, process, or transmit DoD data could expose sensitive DoD data to unauthorized people. The DoD CIO currently prohitibits the use of personally owned or contractor owned CMDs (Bring Your Own Device – BYOD).",
+      "severity": "medium"
+    },
+    {
+      "id": "V-19813",
+      "title": "Computers with an embedded wireless system must have the radio removed before the computer is used to transfer, receive, store, or process classified information.",
+      "description": "With the increasing popularity of wireless networking, most laptops have wireless NICs installed on the laptop motherboard. Although the system administrator may disable these embedded NICs, the user may purposefully or accidentally enable the device. These devices may also inadvertently transmit ambient sound or electronic signals. Therefore, simply disabling the transmit capability is an inadequate solution for computers processing classified information. In addition, embedded wireless cards do not meet DoD security requirements for classified wireless usage.",
+      "severity": "high"
+    },
+    {
+      "id": "V-8283",
+      "title": "All wireless/mobile systems (including associated peripheral devices, operating system, applications, network/PC connection methods, and services) must be approved by the approval authority prior to installation and use for processing DoD information. \n\n",
+      "description": "Unauthorized wireless systems expose DoD networks to attack. The DAA and appropriate commanders must be aware of all wireless systems used at the site. DAAs should ensure a risk assessment for each system including associated services and peripherals, is conducted before approving. Accept risks only when needed to meet mission requirements.",
+      "severity": "high"
+    },
+    {
+      "id": "V-8284",
+      "title": "The site IAO must maintain a list of all DAA-approved wireless and non-wireless PED devices that store, process, or transmit DoD information. ",
+      "description": "The site must maintain a list of all DAA-approved wireless and non-wireless CMDs. Close tracking of authorized wireless devices will facilitate the search for rogue devices. Sites must keep good inventory control over wireless and handheld devices used to store, process, and transmit DoD data since these devices can be easily lost or stolen leading to possible exposure of DoD data.",
+      "severity": "low"
+    },
+    {
+      "id": "V-8297",
+      "title": "Wireless devices connecting directly or indirectly to the network must be included in the site security plan.",
+      "description": "The DAA and site commander must be aware of all approved wireless devices used at the site or DoD data could be exposed to unauthorized people.  Documentation of the enclave configuration must include all attached systems.  If the current configuration cannot be determined, then it is difficult to apply security policies effectively.  Security is particularly important for wireless technologies attached to the enclave network because these systems increase the potential for eavesdropping and other unauthorized access to network resources.",
+      "severity": "low"
+    }
+  ]
+}

data/standards/stig_mozilla_firefox.json

@@ -0,0 +1,161 @@
+{
+  "name": "stig_mozilla_firefox",
+  "date": "2018-04-02",
+  "description": "The Mozilla Firefox Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil",
+  "title": "Mozilla Firefox",
+  "version": "4",
+  "item_syntax": "^\\w-\\d+$",
+  "section_separator": null,
+  "items": [
+    {
+      "id": "V-15768",
+      "title": "FireFox is configured to ask which certificate to present to a web site when a certificate is required.",
+      "description": "When a web site asks for a certificate for user authentication, Firefox must be configured to have the user choose which certificate to present. Websites within DOD require user authentication for access which increases security for DoD information. Access will be denied to the user if certificate management is not configured.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-15770",
+      "title": "Firefox automatically executes or downloads MIME types which are not authorized for auto-download.",
+      "description": "The default action for file types for which a plugin is installed is to automatically download and execute the file using the associated plugin. Firefox allows you to change the specified download action so that the file is opened with a selected external application or saved to disk instead. View the list of installed browser plugins and related MIME types by entering about:plugins in the address bar. \n\nWhen you click a link to download a file, the MIME type determines what action Firefox will take. You may already have a plugin installed that will automatically handle the download, such as Windows Media Player or QuickTime. Other times, you may see a dialog asking whether you want to save the file or open it with a specific application. When you tell Firefox to open or save the file and also check the option to \"Do this automatically for files like this from now on\", an entry appears for that type of file in the Firefox Applications panel, shown below.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-15771",
+      "title": "Network shell protocol is enabled in FireFox.",
+      "description": "Although current versions of Firefox have this set to disabled by default, use of this option can be harmful.  This would allow the browser to access the Windows shell. This could allow access to the\nunderlying system.  This check verifies that the default setting has not been changed.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-15772",
+      "title": "Firefox not configured to prompt user before download and opening for required file types.",
+      "description": "New file types cannot be added directly to the helper applications or plugins listing. Files with these extensions will not be allowed to use Firefox publicly available plugins and extensions to open.  The application will be configured to open these files using external applications only.  After a helper application or save to disk download action has been set, that action will be taken automatically for those types of files.  When the user receives a dialog box asking if you want to save the file or open it with a specified application, this indicates that a plugin does not exist. The user has not previously selected a download action or helper application to automatically use for that type of file. When prompted, if the user checks the option to Do this automatically for files like this from now on, then an entry will appear for that type of file in the plugins listing and this file type is automatically opened in the future. This can be a security issue.  New file types cannot be added directly to the Application plugin listing. ",
+      "severity": "medium"
+    },
+    {
+      "id": "V-15773",
+      "title": "FireFox plug-in for ActiveX controls is installed.",
+      "description": "When an ActiveX control is referenced in an HTML document, MS Windows checks to see if\nthe control already resides on the client machine. If not, the control can be downloaded from a\nremote web site. This provides an automated delivery method for mobile code.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-15774",
+      "title": "Firefox formfill assistance option is disabled.",
+      "description": "In order to protect privacy and sensitive data, Firefox provides the ability to configure Firefox such that data entered into forms is not saved.  This mitigates the risk of a website gleaning private information from prefilled information.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-15775",
+      "title": "Firefox is configured to autofill passwords.",
+      "description": "While on the internet, it may be possible for an attacker to view the saved password files and gain access to the user's accounts on various hosts. ",
+      "severity": "medium"
+    },
+    {
+      "id": "V-15776",
+      "title": "FireFox is configured to use a password store with or without a master password.",
+      "description": "Firefox can be set to store passwords for sites visited by the user.  These individual passwords are stored in a file and can be protected by a master password. Autofill of the password can then be enabled when the site is visited.  This feature could also be used to autofill the certificate pin which could lead to compromise of DoD information.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-15777",
+      "title": "History retention must be set to 40 days.",
+      "description": "This setting specifies the number of days that Firefox keeps track of the pages viewed in the History List. If you enable this policy setting, a user cannot set the number of days that Firefox keeps track of the pages viewed in the History List. The number of days that Firefox keeps track of the pages viewed in the History List must be specified. If you disable or do not configure this policy setting, a user can set the number of days that Firefox tracks views of pages in the History List.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-15778",
+      "title": "FireFox is not configured to block pop-up windows.",
+      "description": "Popup windows may be used to launch an attack within a new browser window with altered settings. This setting blocks popup windows created while the page is loading.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-15779",
+      "title": "FireFox is configured to allow JavaScript to move or resize windows.\n",
+      "description": "JavaScript can make changes to the browser’s appearance. This activity can help disguise an attack taking place in a minimized background window.  Set browser setting to prevent scripts on visited websites from moving and resizing browser windows.  ",
+      "severity": "medium"
+    },
+    {
+      "id": "V-15983",
+      "title": "Firefox must be configured to allow only TLS.",
+      "description": "Use of versions prior to TLS 1.1 are not permitted. SSL 2.0 and SSL 3.0 contain a number of security flaws. These versions must be disabled in compliance with the Network Infrastructure and Secure Remote Computing STIGs.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-15985",
+      "title": "Firefox is configured to allow JavaScript to raise or lower windows.",
+      "description": "JavaScript can make changes to the browser’s appearance. Allowing a website to use JavaScript to raise and lower browser windows may disguise an attack. Browser windows may not be set as active via JavaScript.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-15986",
+      "title": "Firefox is configured to allow JavaScript to disable or replace context menus.",
+      "description": "A context menu (also known as a pop-up menu) is often used in a graphical user interface (GUI) and appears upon user interaction (e.g., a right mouse click). A context menu offers a limited set of choices that are available in the current state, or context, of the operating system or application.  A website may execute JavaScript that can make changes to these context menus.  This can help disguise an attack.  Set this preference to \"false\" so that webpages will not be able to affect the context menu event.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-15987",
+      "title": "Firefox is configured to allow JavaScript to hide or change the status bar.",
+      "description": "When a user visits some webpages, JavaScript can hide or make changes to the browser’s appearance to hide unauthorized activity. This activity can help disguise an attack taking place in a minimized background window.  Determines whether the text in the browser status bar may be set by JavaScript.  Set and lock to True (default in Firefox) so that JavaScript access to preference settings for is disabled.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-15988",
+      "title": "Firefox is configured to allow JavaScript to change the status bar text.",
+      "description": "JavaScript can make changes to the browser’s appearance. This activity can help disguise an attack taking place in a minimized background window.  Webpage authors can disable many features of a popup window that they open. Setting these preferences to true will override the author's settings and ensure that the feature is enabled and present in any popup window.  This setting prevents the status bar from being hidden.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-15989",
+      "title": "Firefox is not configured to provide warnings when a user switches from a secure (SSL-enabled) to a non-secure page.",
+      "description": "Users may not be aware that the information being viewed under secure conditions in a previous page are not currently being viewed under the same security settings. ",
+      "severity": "medium"
+    },
+    {
+      "id": "V-17988",
+      "title": "Installed version of Firefox unsupported.",
+      "description": "Use of versions of an application which are not supported by the vendor are not permitted. Vendors respond to security flaws with updates and patches. These updates are not available for unsupported version which can leave the application vulnerable to attack.",
+      "severity": "high"
+    },
+    {
+      "id": "V-19741",
+      "title": "Firefox application is set to auto-update.",
+      "description": "Allowing software updates from non-trusted sites can introduce settings that will override a secured installation of the application. This can place DoD information at risk. If this setting is enabled, then there are many other default settings which point to untrusted sites which must be changed to point to an authorized update site that is not publicly accessible.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-19742",
+      "title": "Firefox automatically updates installed add-ons and plugins.",
+      "description": "Set this to false to disable checking for updated versions of the Extensions/Themes.  Automatic updates from untrusted sites puts the enclave at risk of attack and may override security settings.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-19743",
+      "title": "Firefox required security preferences cannot be changed by user.",
+      "description": "Locked settings prevent users from accessing about:config and changing the security settings set by the system administrator.  Locked settings should be placed in the mozilla.cfg file. The mozilla.cfg file is an encoded file of JavaScript commands. The encoding is a simple \"byte-shifting\" with an offset of 13 (Netscape 4 used a similar encoding, but with a 7 instead). This file also needs to be \"called\" from the configuration file local-settings.js",
+      "severity": "medium"
+    },
+    {
+      "id": "V-19744",
+      "title": "Firefox automatically checks for updated version of installed Search plugins.",
+      "description": "Updates need to be controlled and installed from authorized and trusted servers.  This setting overrides a number of other settings which may direct the application to access external URLs.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6318",
+      "title": "The DOD Root Certificate is not installed.",
+      "description": "The DOD root certificate will ensure that the trust chain is established for server certificate issued from the DOD CA.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-64891",
+      "title": "Extensions install must be disabled.",
+      "description": "A browser extension is a program that has been installed into the browser which adds functionality to it. Where a plug-in interacts only with a web page and usually a third party external application (Flash, Adobe Reader) an extension interacts with the browser program itself. Extensions are not embedded in web pages and must be downloaded and installed in order to work. Extensions allow browsers to avoid restrictions which apply to web pages. For example, a Chrome extension can be written to combine data from multiple domains and present it when a certain page is accessed which can be considered Cross Site Scripting. If a browser is configured to allow unrestricted use of extension then plug-ins can be loaded and installed from malicious sources and used on the browser. ",
+      "severity": "medium"
+    },
+    {
+      "id": "V-79053",
+      "title": "Background submission of information to Mozilla must be disabled.",
+      "description": "There should be no background submission of technical and other information from DoD computers to Mozilla with portions posted publically.",
+      "severity": "medium"
+    }
+  ]
+}

data/standards/stig_ms_exchange_2013_client_access_server.json

@@ -0,0 +1,209 @@
+{
+  "name": "stig_ms_exchange_2013_client_access_server",
+  "date": "2016-07-19",
+  "description": "This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.",
+  "title": "MS Exchange 2013 Client Access Server Security Technical Implementation Guide",
+  "version": "1",
+  "item_syntax": "^\\w-\\d+$",
+  "section_separator": null,
+  "items": [
+    {
+      "id": "V-69715",
+      "title": "Exchange must use Encryption for RPC client access.",
+      "description": "This setting controls whether client machines are forced to use secure channels to communicate with the server. If this feature is enabled, clients will only be able to communicate with the server over secure communication channels.\n\nFailure to require secure connections to the client access server increases the potential for unintended eavesdropping or data loss.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-69717",
+      "title": "Exchange must use Encryption for OWA access.",
+      "description": "This setting controls whether client machines should be forced to use secure channels to communicate with this virtual directory. If this feature is enabled, clients will only be able to communicate with the directory if they are capable of supporting secure communication with the server.\n\nThe use of secure communication prevents eavesdroppers from reading or modifying communications between servers and clients. The network and DMZ STIG identify criteria for OWA and Public Folder configuration in the network, including CAC enabled pre-authentication through an application firewall proxy.\n\nFailure to require secure connections on a web site increases the potential for unintended eavesdropping or data loss.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-69719",
+      "title": "Exchange must have Forms-based Authentication enabled.",
+      "description": "Identification and Authentication provide the foundation for access control. Access to email services applications in the DoD requires authentication using DoD Public Key Infrastructure (PKI) certificates. Authentication for Outlook Web App (OWA) is used to enable web access to user email mailboxes and should assume that certificate-based authentication has been configured. This setting controls whether forms-based logon should be used by the OWA website. \n\nBecause the DoD requires Common Access Card (CAC)-based authentication to applications, OWA access must be brokered through an application proxy or other pre-authenticator, which performs CAC authentication prior to arrival at the CA server. The authenticated request is then forwarded directly to OWA, where authentication is repeated without requiring the user to repeat authentication steps. For this scenario to work, the Application Proxy server must have forms-based authentication enabled, and Exchange must have forms-based Authentication disabled. \n\nIf forms-based Authentication is enabled on the Exchange CA server, it is evidence that the application proxy server is either not correctly configured, or it may be missing.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-69721",
+      "title": "Exchange must have authenticated access set to Integrated Windows Authentication only.",
+      "description": "To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., networks, web servers, and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. \n\nAccess control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system. \n\nThis requirement is applicable to access control enforcement applications (e.g., authentication servers) and other applications that perform information and system access control functions.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-69723",
+      "title": "Exchange must have Administrator audit logging enabled.",
+      "description": "Unauthorized or malicious data changes can compromise the integrity and usefulness of the data. Automated attacks or malicious users with elevated privileges have the ability to affect change using the same mechanisms as email administrators.\n\nAuditing changes to access mechanisms not only supports accountability and non-repudiation for those authorized to define the environment but also enables investigation of changes made by others who may not be authorized. \n\nNote: This administrator auditing feature audits all exchange changes regardless of the users' assigned role or permissions.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-69725",
+      "title": "Exchange Servers must use approved DoD certificates.",
+      "description": "Server certificates are required for many security features in Exchange; without them the server cannot engage in many forms of secure communication. Failure to implement valid certificates makes it virtually impossible to secure Exchange's communications.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-69727",
+      "title": "Exchange ActiveSync (EAS) must only use certificate-based authentication to access email.",
+      "description": "Identification and Authentication provide the foundation for access control. For EAS to be used effectively on DoD networks, client certificate authentication must be used for communications between the MEM and email server. Additionally, the internal and external URLs must be set to the same address, since all EAS traffic must be tunneled to the device from the MEM.\n\nThe risk associated with email synchronization with CMD should be mitigated by the introduction of MEM products and is specified in the DoD CIO memo dated 06 Apr 2011. The memo states specifically, \"Email redirection from the email server (e.g., Exchange Server) to the device shall be controlled via centrally managed server.\" When EAS is used on DoD networks, the devices must be managed by an MEM.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-69729",
+      "title": "Exchange must have IIS map client certificates to an approved certificate server.",
+      "description": "For EAS to be used effectively on DoD networks, client certificate authentication must be used for communications between the MEM and email server. Identification and Authentication provide the foundation for access control. IIS must be mapped to an approved certificate server for client certificates. Additionally, the internal and external URLs must be set to the same address, since all EAS traffic must be tunneled to the device from the MEM.\n\nThe risk associated with email synchronization with CMD should be mitigated by the introduction of MEM products and is specified in the DoD CIO memo dated 06 Apr 2011. The memo states specifically, \"Email redirection from the email server (e.g., Exchange Server) to the device shall be controlled via centrally managed server.\" When EAS is used on DoD networks, the devices must be managed by an MEM.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-69731",
+      "title": "Exchange Email Diagnostic log level must be set to lowest level.",
+      "description": "Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Diagnostic logging, however, characteristically produces large volumes of data and requires care in managing the logs to prevent risk of disk capacity denial of service conditions. \n\nExchange diagnostic logging is broken up into 29 main \"services\", each of which has anywhere from 2 to 26 \"categories\" of events to be monitored. Moreover, each category may be set to one of four levels of logging: Lowest, Low, Medium, and High, depending on how much detail one desires. The higher the level of detail, the more disk space required to store the audit material.\n\nDiagnostic logging is intended to help administrators debug problems with their systems, not as a general purpose auditing tool. Because the diagnostic logs collect a great deal of information, the log files may grow large very quickly. Diagnostic log levels may be raised for limited periods of time when attempting to debug relevant pieces of Exchange functionality. Once debugging has finished, diagnostic log levels should be reduced again.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-69733",
+      "title": "Exchange must have Audit record parameters set.",
+      "description": "Log files help establish a history of activities, and can be useful in detecting attack attempts. This item declares the fields that must be available in the audit log file in order to adequately research events that are logged.\n\nAudit records should include the following fields to supply useful event accounting: \nObject modified, Cmdlet name, Cmdlet parameters, Modified parameters, Caller, Succeeded, and Originating server.",
+      "severity": "low"
+    },
+    {
+      "id": "V-69735",
+      "title": "Exchange must have Queue monitoring configured with threshold and action.",
+      "description": "Monitors are automated \"process watchers\" that respond to performance changes, and can be useful in detecting outages and alerting administrators where attention is needed. Exchange has built-in monitors that enable the administrator to generate alerts if thresholds are reached, better enabling them to react in a timely fashion. \n\nThis field offers choices of alerts when a \"warning\" or \"critical\" threshold is reached on the SMTP queue. A good rule of thumb (default) is to issue warnings when SMTP queue growth exceeds 10 minutes and critical messages when it exceeds 20 minutes, which should only exist occasionally. Frequent alerts against this counter may indicate a network or other issue (such as inbound SPAMMER traffic) that directly impacts email delivery. \n\nNotification choices include email alert to an email-enabled account, for example, an email Administrator, or invoke a script to take other action, for example, to add an Event to the Microsoft Application Event Log, where external monitors might detect it.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-69737",
+      "title": "Exchange must have Send Fatal Errors to Microsoft disabled.",
+      "description": "Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. This setting enables an automated log entry to be sent to Microsoft giving general details about the nature and location of the error. Microsoft, in turn, uses this information to improve the robustness of their product.\n\nWhile this type of debugging information would not ordinarily contain sensitive information, it may alert eavesdroppers to the existence of problems in your Exchange organization. At the very least, it could alert them to (possibly) advantageous timing to mount an attack. At worst, it may provide them with information as to which aspects of Exchange are causing problems and might be vulnerable (or at least sensitive) to attack.\n\nAll system errors in Exchange will result in outbound traffic that may be identified by an eavesdropper. For this reason, the \"Report Fatal Errors to Microsoft\" feature must be disabled.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-69739",
+      "title": "Exchange must have Audit data protected against unauthorized read access.",
+      "description": "Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Audit log content must always be considered sensitive, and in need of protection. Audit data available for modification by a malicious user can be altered to conceal malicious activity. Audit data might also provide a means for the malicious user to plan unauthorized activities that exploit weaknesses.\n\nThe contents of audit logs are protected against unauthorized access, modification, or deletion. Only authorized auditors and the audit functions should be granted Read and Write access to audit log data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-69741",
+      "title": "Exchange must not send Customer Experience reports to Microsoft.",
+      "description": "It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nApplications are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). \n\nExamples of non-essential capabilities include, but are not limited to, advertising software or browser plug-ins not related to requirements or providing a wide array of functionality not required for every mission, but cannot be disabled.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-69743",
+      "title": "Exchange must have Audit data protected against unauthorized modification.",
+      "description": "Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Audit log content must always be considered sensitive, and in need of protection. Audit data available for modification by a malicious user can be altered to conceal malicious activity. Audit data might also provide a means for the malicious user to plan unauthorized activities that exploit weaknesses.\n\nThe contents of audit logs are protected against unauthorized access, modification, or deletion. Only authorized auditors and the audit functions should be granted Read and Write access to audit log data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-69745",
+      "title": "Exchange must have audit data protected against unauthorized deletion.",
+      "description": "Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Audit log content must always be considered sensitive, and in need of protection. Audit data available for modification by a malicious user can be altered to conceal malicious activity. Audit data might also provide a means for the malicious user to plan unauthorized activities that exploit weaknesses.\n\nThe contents of audit logs are protected against unauthorized access, modification, or deletion. Only authorized auditors and the audit functions should be granted Read and Write access to audit log data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-69747",
+      "title": "Exchange must have Audit data on separate partitions.",
+      "description": "Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Audit log content must always be considered sensitive, and in need of protection. \n\nSuccessful exploit of an application server vulnerability may well be logged by monitoring or audit processes when it occurs. By writing log and audit data to a separate partition where separate security contexts protect them, it may offer the ability to protect this information from being modified or removed by the exploit mechanism.",
+      "severity": "low"
+    },
+    {
+      "id": "V-69751",
+      "title": "Exchange Local machine policy must require signed scripts.",
+      "description": "Scripts often provide a way for attackers to infiltrate a system, especially those downloaded from untrusted locations. By setting machine policy to prevent unauthorized script executions, unanticipated system impacts can be avoided. Failure to allow only signed remote scripts reduces the attack vector vulnerabilities from unsigned remote scripts.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-69753",
+      "title": "Exchange IMAP4 service must be disabled.",
+      "description": "The IMAP4 protocol is not approved for use within the DoD. It uses a clear text-based user name and password and does not support the DoD standard for PKI for email access. User name and password could easily be captured from the network, allowing malicious users to access other system features. Uninstalling or disabling the service will prevent the use of the IMAP4 protocol.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-69755",
+      "title": "Exchange POP3 service must be disabled.",
+      "description": "The POP3 protocol is not approved for use within the DoD. It uses a clear text based user name and password and does not support the DoD standard for PKI for email access. User name and password could easily be captured from the network allowing malicious users to access other system features. Uninstalling or disabling the service will prevent the use of the POP3 protocol.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-69757",
+      "title": "Exchange must have the Public Folder virtual directory removed if not in use by the site.",
+      "description": "To reduce the vectors through which a server can be attacked, unneeded application components should be disabled or removed.\n\nBy default, a virtual directory is installed for Public Folders. If an attacker were to intrude into an Exchange CA server and be able to access the Public Folder website, it would provide an additional attack vector, provided the virtual directory was present.\n\nOnce removed, the Public functionality cannot be used without restoring the virtual directory.",
+      "severity": "low"
+    },
+    {
+      "id": "V-69759",
+      "title": "Exchange must have the Microsoft Active Sync directory removed.",
+      "description": "To reduce the vectors through which a server can be attacked, unneeded application components should be disabled or removed. By default, a virtual directory is installed for Active Sync, and the Exchange application default has Active Sync disabled.\n\nIf an attacker were to intrude into an Exchange CA server and reactivate Active Sync, this attack vector could once again be open, provided the virtual directory is present.\n\nOnce removed, the Active Sync functionality cannot be used without restoring the virtual directory, not a trivial process.",
+      "severity": "low"
+    },
+    {
+      "id": "V-69761",
+      "title": "Exchange application directory must be protected from unauthorized access.",
+      "description": "Default product installations may provide more generous access permissions than are necessary to run the application. By examining and tailoring access permissions to more closely provide the least amount of privilege possible, attack vectors that align with user permissions are less likely to access more highly secured areas.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-69763",
+      "title": "Exchange software baseline copy must exist.",
+      "description": "Exchange software, as with other application software installed on a host system, must be included in a system baseline record and periodically reviewed; otherwise, unauthorized changes to the software may not be discovered. This effort is a vital step to securing the host and the applications, as it is the only method that may provide the ability to detect and recover from otherwise undetected changes, such as those that result from worm or bot intrusions. \n\nThe Exchange software and configuration baseline is created and maintained for comparison during scanning efforts. Operational procedures must include baseline updates as part of configuration management tasks that change the software and configuration.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-69765",
+      "title": "Exchange software must be monitored for unauthorized changes.",
+      "description": "Monitoring software files for changes against a baseline on a regular basis may help detect the possible introduction of malicious code on a system.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-69767",
+      "title": "Exchange services must be documented and unnecessary services must be removed or disabled.",
+      "description": "Unneeded but running services offer attackers an enhanced attack profile, and attackers are constantly watching to discover open ports with running services. By analyzing and disabling unneeded services, the associated open ports become unresponsive to outside queries, and servers become more secure as a result.\n \nExchange Server has role-based server deployment to enable protocol path control and logical separation of network traffic types.\n\nFor example, a server implemented in the Client Access role (i.e., Outlook Web App [OWA]) is configured and tuned as a web server using web protocols. A client access server exposes only web protocols (HTTP/HTTPS), enabling system administrators to optimize the protocol path and disable all services unnecessary for Exchange web services. Similarly, servers created to host mailboxes are dedicated to that task and must operate only the services needed for mailbox hosting. (Exchange servers must also operate some Web services, but only to the degree that Exchange requires the IIS engine in order to function).\n\nBecause POP3 and IMAP4 clients are not included in the standard desktop offering, they must be disabled.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-69769",
+      "title": "Exchange Outlook Anywhere (OA) clients must use NTLM authentication to access email.",
+      "description": "Identification and authentication provide the foundation for access control. Access to email services applications requires NTLM authentication. Outlook Anywhere, if authorized for use by the site, must use NTLM authentication when accessing email.\n\nNote: There is a technical restriction in Exchange OA that requires a direct SSL connection from Outlook to the CA server. There is also a constraint where Microsoft supports that the CA server must participate in the AD domain inside the enclave. For this reason, Outlook Anywhere must be deployed only for enclave-sourced Outlook users.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-69771",
+      "title": "Exchange software must be installed on a separate partition from the OS.",
+      "description": "In the same way that added security layers can provide a cumulative positive effect on security posture, multiple applications can provide a cumulative negative effect. A vulnerability and subsequent exploit to one application can lead to an exploit of other applications sharing the same security context. For example, an exploit to a web server process that leads to unauthorized administrative access to the host system can most likely lead to a compromise of all applications hosted by the same system.\n\nEmail services should be installed on a partition that does not host other applications. Email services should never be installed on a Domain Controller/Directory Services server.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-69773",
+      "title": "Exchange must provide redundancy.",
+      "description": "Load balancing is a way to manage which Exchange servers receive traffic. Load balancing helps distribute incoming client connections over a variety of endpoints. This ensures that no one endpoint takes on a disproportional share of the load. Load balancing provides failover redundancy in case one or more endpoints fails. By using load balancing, users continue to receive Exchange service in case of a computer failure. Load balancing also enables Exchange to handle more traffic than one server can process while offering a single host name for your clients.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-69775",
+      "title": "Exchange OWA must use https.",
+      "description": "Without protection of the transmitted information, confidentiality and integrity may be compromised since unprotected communications can be intercepted and either read or altered.",
+      "severity": "high"
+    },
+    {
+      "id": "V-69777",
+      "title": "Exchange OWA must have S/MIME Certificates enabled.",
+      "description": "Without protection of the transmitted information, confidentiality and integrity may be compromised since unprotected communications can be intercepted and either read or altered. \n\nThis requirement applies only to those applications that are either distributed or can allow access to data non-locally. Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. When transmitting data, applications need to leverage transmission protection mechanisms, such as TLS, SSL VPNs, or IPsec.\n\nCommunication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-69779",
+      "title": "Exchange must have the most current, approved service pack installed.",
+      "description": "Failure to install the most current Exchange service pack leaves a system vulnerable to exploitation. Current service packs correct known security and system vulnerabilities.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-69781",
+      "title": "Exchange must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.",
+      "description": "Configuring the application to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. \n\nConfiguration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the application, including the parameters required to satisfy other security control requirements.",
+      "severity": "medium"
+    }
+  ]
+}