kriterion 0.0.1

data/standards/stig_active_directory_forest.json

@@ -0,0 +1,41 @@
+{
+  "name": "stig_active_directory_forest",
+  "date": "2016-12-19",
+  "description": "This STIG provides focused security requirements for the AD or Active Directory Domain Services (AD DS) element for Windows Servers operating systems. These requirements apply to the forest and can typically be reviewed once per AD Forest. The separate Active Directory Domain STIG contains domain level requirements. Systems must also be reviewed using the applicable Windows STIG. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.",
+  "title": "Active Directory Forest Security Technical Implementation Guide (STIG)",
+  "version": "2",
+  "item_syntax": "^\\w-\\d+$",
+  "section_separator": null,
+  "items": [
+    {
+      "id": "V-15372",
+      "title": "Update access to the directory schema must be restricted to appropriate accounts.",
+      "description": "A failure to control update access to the AD Schema object could result in the creation of invalid directory objects and attributes. Applications that rely on AD could fail as a result of invalid formats and values. The presence of invalid directory objects and attributes could cause failures in Windows AD client functions and improper resource access decisions.",
+      "severity": "high"
+    },
+    {
+      "id": "V-72835",
+      "title": "Membership to the Schema Admins group must be limited.",
+      "description": "The Schema Admins group is a privileged group in a forest root domain.  Members of the Schema Admins group can make changes to the schema, which is the framework for the Active Directory forest.  Changes to the schema are not frequently required.  This group only contains the Built-in Administrator account by default.  Additional accounts must only be added when changes to the schema are necessary and then must be removed.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-8527",
+      "title": "Changes to the AD schema must be subject to a documented configuration management process. ",
+      "description": "Poorly planned or implemented changes to the AD schema could cause the applications that rely on AD (such as web and database servers) to operate incorrectly or not all.\n\nImproper changes to the schema could result in changes to AD objects that are incompatible with correct operation of the Windows domain controller and the domain clients. This could cause outages that prevent users from logging on or accessing Windows server resources across multiple hosts.",
+      "severity": "low"
+    },
+    {
+      "id": "V-8555",
+      "title": "Anonymous Access to AD forest data above the rootDSE level must be disabled. ",
+      "description": "For Windows Server 2003 or above, the dsHeuristics option can be configured to override the default restriction on anonymous access to AD data above the rootDSE level. Anonymous access to AD data could provide valuable account or configuration information to an intruder trying to determine the most effective attack strategies.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-8557",
+      "title": "The Windows Time Service on the forest root PDC Emulator must be configured to acquire its time from an external time source.",
+      "description": "When the Windows Time service is used to synchronize time on client computers (workstations and servers) throughout an AD forest, the forest root domain PDC Emulator is the normal default to provide the authoritative time source for the entire forest. To obtain an accurate time for itself, the forest root domain PDC Emulator acts as a client to an external time source.\n\nIf the Windows Time service on the forest root domain PDC Emulator is not configured to acquire the time from a proper source, it may cause time service clients throughout the forest to operate with the inaccurate time setting.\n\nWhen a Windows computer operates with an inaccurate time setting, access to resources on computers with the accurate time might be denied. This is notably true when Kerberos authentication is utilized. Operation with an inaccurate time setting can reduce the value of audit data and invalidate it as a source of forensic evidence in an incident investigation.\n\nFurther Policy Details: \nThe Windows Time service is the preferred time synchronization tool for Windows domain controllers. This check is Not Applicable for Component locations that do not have the AD forest root domain on site. This check must be performed on the domain controller in the *forest root domain* that holds the PDC Emulator FSMO role. ",
+      "severity": "medium"
+    }
+  ]
+}

data/standards/stig_active_directory_service_2003.json

@@ -0,0 +1,173 @@
+{
+  "name": "stig_active_directory_service_2003",
+  "date": "2011-05-20",
+  "description": "This STIG is applicable to all Windows 2003 servers with the Windows Active Directory (AD). The settings required by each check will be applied to each Domain Controller running the AD directory service.  The system must also be reviewed using the Windows 2003 (or 2003 R2) and the Active Directory Domain STIGs. Also, if a forest architecture is implemented, a security review using the Active Directory Forest STIG is required.",
+  "title": "Active Directory Service 2003 Security Technical Implementation Guide (STIG)",
+  "version": "2",
+  "item_syntax": "^\\w-\\d+$",
+  "section_separator": null,
+  "items": [
+    {
+      "id": "V-12780",
+      "title": "The Synchronize Directory Service Data user right must not be assigned to any account.",
+      "description": "A Windows account with the Synchronize Directory Service Data right has the ability to read all information in the AD database. This bypasses the object access permissions that would otherwise restrict access to the data. The scope of access granted by this right is too broad for secure usage. Specific object permissions or other group membership assignments could be used to provide access on an appropriate scale.",
+      "severity": "high"
+    },
+    {
+      "id": "V-14783",
+      "title": "Separate, NSA-approved (Type 1) cryptography must be used to protect the directory data-in-transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data.",
+      "description": "Commercial-grade encryption does not provide adequate protection when the classification level of directory data in transit is higher than the level of the network or when SAMI data is included. ",
+      "severity": "medium"
+    },
+    {
+      "id": "V-14789",
+      "title": "Locally written (non-vendor) code used in AD operations must comply with the requirements of the Application STIG. \n",
+      "description": "Unlike vendor programs that might be recovered by purchasing and\\or downloading a replacement copy, the lack of a backup for locally written (non-vendor) code could result in the inability to recover from inadvertent or malicious deletion or simple hardware failure. ",
+      "severity": "medium"
+    },
+    {
+      "id": "V-14797",
+      "title": "Anonymous access to the root DSE of a non-public directory must be disabled.",
+      "description": "Allowing anonymous access to the root DSE data on a directory server provides potential attackers with a number of details about the configuration and data contents of a directory. For example, the namingContexts attribute indicates the directory space contained in the directory; the supportedLDAPVersion attribute indicates which versions of the LDAP protocol the server supports; and the supportedSASLMechanisms attribute indicates the names of supported authentication mechanisms. An attacker with this information may be able to select more precisely targeted attack tools or higher value targets.\n",
+      "severity": "low"
+    },
+    {
+      "id": "V-14798",
+      "title": "Directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access. ",
+      "description": "To the extent that anonymous access to directory data (outside the root DSE) is permitted, read access control of the data is effectively disabled. If other means of controlling access (such as network restrictions) are compromised, there may be nothing else to protect the confidentiality of sensitive directory data.\n",
+      "severity": "high"
+    },
+    {
+      "id": "V-14820",
+      "title": "PKI certificates (server and clients) must be issued by the DoD PKI or an approved External Certificate Authority (ECA). ",
+      "description": "A PKI implementation depends on the practices established by the Certificate Authority to ensure that the implementation is secure. Without proper practices, the certificates issued by a CA have limited value in authentication functions. The use of multiple CAs from separate PKI implementations results in interoperability issues. If servers and clients do not have a common set of root CA certificates, they are not able to authenticate each other.",
+      "severity": "high"
+    },
+    {
+      "id": "V-14831",
+      "title": "The directory service must be configured to terminate LDAP-based network connections to the directory server after five (5) minutes of inactivity.",
+      "description": "- The failure to terminate inactive network connections increases the risk of a successful attack on the directory server. The longer an established session is in progress, the more time an attacker has to hijack the session, implement a means to passively intercept data, or compromise any protections on client access. For example, if an attacker gains control of a client computer, an existing (already authenticated) session with the directory server could allow access to the directory. The lack of confidentiality protection in LDAP-based sessions increases exposure to this vulnerability. \n",
+      "severity": "low"
+    },
+    {
+      "id": "V-15488",
+      "title": "For unclassified systems, the directory server must be configured to use the CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.",
+      "description": "CTO 07-015 requires PKI authentication. PKI is a two-factor authentication technique, thus it provides a higher level of trust in the asserted identity than use of the username/password authentication technique.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2370",
+      "title": "The access control permissions for the directory service site group policy must be configured to use the required access permissions. ",
+      "description": "When directory service database objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, update, or delete the objects and degrade or destroy the integrity of the data. When the directory service is used for identification, authentication, or authorization functions, a compromise of the database objects could lead to a compromise of all systems that rely on the directory service.\n\nFor AD, the Group Policy and OU objects require special attention. In a distributed administration model (such as might be used with a help desk or other user support staff), Group Policy and OU objects are more likely to have access permissions changed from the secure defaults.\n\nIf inappropriate access permissions are defined for Group Policy Objects, it could allow an intruder to change the security policy applied to all domain client computers (workstations and servers).\n\nIf inappropriate access permissions are defined for OU objects, it could allow an intruder to add or delete users in the OU. This could result in unauthorized access to data or a denial of service to authorized users.\n",
+      "severity": "high"
+    },
+    {
+      "id": "V-2373",
+      "title": "The Server Operators group must have the ability to schedule jobs by means of the AT command disabled.",
+      "description": "This policy controls the ability of members of the local Server Operators group to schedule AT jobs. If disabled, only administrators can schedule jobs that use AT commands. Unlike Scheduled Tasks which require you to specify the credential under which the task will run, AT jobs run under the authority of whatever account the AT service runs (SYSTEM by default). Non administrators who can schedule AT commands, thus have a means to elevate their privileges.  Although this setting is disabled, Server Operators will still be able to schedule jobs using Task Scheduler.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2376",
+      "title": "The Kerberos policy option must be configured to enforce user logon restrictions.",
+      "description": "This policy setting determines whether the Kerberos Key Distribution Center (KDC) validates every request for a session ticket against the user rights policy of the target computer. The policy is enabled by default which is the most secure setting for validating access to target resources is not circumvented.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2377",
+      "title": "The Kerberos service ticket maximum lifetime must meet minimum standards.",
+      "description": "This setting determines the maximum amount of time (in minutes) that a granted session ticket can be used to access a particular service. Session tickets are used only to authenticate new connections with servers. Ongoing operations are not interrupted if the session ticket used to authenticate the connection expires during the connection.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2378",
+      "title": "The Kerberos policy option maximum lifetime for user ticket must be set to a maximum of 10 hours or less.",
+      "description": "In Kerberos, there are 2 types of tickets: Ticket Granting Tickets (TGTs) and Service Tickets. Kerberos tickets have a limited lifetime so the time an attacker has to implement an attack is limited. This policy controls how long TGTs can be renewed. With Kerberos, the user’s initial authentication to the domain controller results in a TGT which is then used to request Service Tickets to resources. Upon startup, each computer gets a TGT before requesting a service ticket to the domain controller and any other computers it needs to access. For services that startup under a specified user account, users must always get a TGT first, then get Service Tickets to all computers and services accessed. ",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2379",
+      "title": "The Kerberos policy option Maximum lifetime for user ticket renewal must be configured for a maximum of 7 days or less.",
+      "description": "This setting determines the period of time (in days) during which a users TGT may be renewed. This security configuration limits the amount of time an attacker has to crack the TGT and gain access.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2380",
+      "title": "The Kerberos policy option Maximum tolerance for computer clock synchronization must be set to a maximum of 5 minutes or less. ",
+      "description": "This setting determines the maximum time difference (in minutes) that Kerberos will tolerate between the time on a client's clock and the time on a server's clock while still considering the two clocks synchronous.  In order to prevent replay attacks, Kerberos uses timestamps as part of its protocol definition. For timestamps to work properly, the clocks of the client and the server need to be in sync as much as possible.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26683",
+      "title": "PKI certificates (user certificates) must be issued by the DoD PKI or an approved External Certificate Authority (ECA). \n\n",
+      "description": "A PKI implementation depends on the practices established by the Certificate Authority to ensure that the implementation is secure. Without proper practices, the certificates issued by a CA have limited value in authentication functions. ",
+      "severity": "high"
+    },
+    {
+      "id": "V-27109",
+      "title": "Access Control permissions on the FRS Directory data files do not have proper access permissions.",
+      "description": "Improper access permissions for directory data files could allow unauthorized users to read, modify, or delete directory data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-27119",
+      "title": "Access control permissions on the GPT directory files must comply with the required guidance.",
+      "description": "Improper access permissions for directory data files could allow unauthorized users to read, modify, or delete directory data.\n\nFor AD this data includes identification, authentication, and authorization data. A compromise of this data could have grave consequences to a large number of hosts throughout the AD forest that utilize the directory server data to make access control decisions.",
+      "severity": "high"
+    },
+    {
+      "id": "V-2906",
+      "title": "A complex password filter must be installed and configured. ",
+      "description": "Weak passwords are easly broken with readily available hacker tools.  They can give an intruder access to the system with the privileges of the account whose password was broken.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-4408",
+      "title": "The domain controller must be configured to allow reset of machine account passwords.",
+      "description": "Enabling this setting on all domain controllers in a domain prevents domain members from changing their computer account passwords. If these passwords are weak or compromised, the inability to change them may leave these computers vulnerable.",
+      "severity": "low"
+    },
+    {
+      "id": "V-8316",
+      "title": "Access control permissions on the AD database, log, and work files must conform to the required guidance. ",
+      "description": "Improper access permissions for directory data files could allow unauthorized users to read, modify, or delete directory data.\n",
+      "severity": "high"
+    },
+    {
+      "id": "V-8317",
+      "title": "The directory server data files must be located on a different logical partition from the data files owned by users. ",
+      "description": "When directory service data files, especially for directories used for identification, authentication, or authorization, reside on the same logical partition as user-owned files, the directory service data may be more vulnerable to unauthorized access or other availability compromises. Directory service and user-owned data files that share a partition may be configured with less restrictive permissions in order to allow access to the user data. \n\nThe directory service may be vulnerable to a denial of service attack when user-owned files on a common partition are expanded to an extent that prevents the directory service from acquiring more space for directory or audit data.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-8320",
+      "title": "Directory server directories and files must be configured with required permissions. ",
+      "description": "Improper access permissions for directory server program (executable) and configuration files could allow unauthorized and malicious users to read, modify, or delete those files and change the way a directory server operates. This could lead to a compromise of the confidentiality, availability, and integrity of directory data.\n\nSome administration tool packages (such as the Windows Support Tools) include programs designed to perform updates on directory configuration and database data. Even though the directory data should be protected through file and object access permissions, allowing unauthorized access to administrative programs provides a potential attacker with tools that are already installed in the environment.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-8322",
+      "title": "Install or enable time synchronization on the directory service server. ",
+      "description": "- When a directory service that uses multi-master replication (such as AD) executes on computers that do not have synchronized time, directory data may be corrupted or updated invalidly.\n- The lack of synchronized time could lead to audit log data that is misleading, inconclusive, or unusable. In cases of intrusion this may invalidate the audit data as a source of forensic evidence in an incident investigation.\n- In AD, the lack of synchronized time could prevent clients from logging on or accessing server resources as a result of Kerberos requirements related to time variance.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-8324",
+      "title": "The time synchronization tool must be configured to enable logging of  time source switching.",
+      "description": "When a time synchronization tool executes, it may switch between time sources according to network or server contention. If switches between time sources are not logged, it may be difficult or impossible to detect malicious activity or availability problems.",
+      "severity": "low"
+    },
+    {
+      "id": "V-8326",
+      "title": "The directory server supporting (directly or indirectly) system access or resource authorization, must run on a machine dedicated to that function. ",
+      "description": "Executing application servers on the same host machine with a directory server may substantially weaken the security of the directory server. Web or database server applications usually require the addition of many programs and accounts that increase the attack surface of the computer. \n\nSome applications require the addition of privileged accounts that provide potential sources of compromise. Some applications (such as MS Exchange) may require the use of network ports or services that conflict with the directory server. In that case, non-standard ports might be selected and this could interfere with intrusion detection or prevention services.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-8327",
+      "title": "OS services that are critical for directory server operation must be configured for automatic startup. \n",
+      "description": "AD is dependent on several Windows services. If one or more of these services is not configured for automatic startup, AD functions may be partially or completely unavailable until the services are manually started. This could result in a failure to replicate data or to support client authentication and authorization requests.",
+      "severity": "medium"
+    }
+  ]
+}

data/standards/stig_active_directory_service_2008.json

@@ -0,0 +1,167 @@
+{
+  "name": "stig_active_directory_service_2008",
+  "date": "2011-05-23",
+  "description": "This STIG is applicable for all Windows 2008 servers with the Windows Active Directory Domain Services (AD DS). The settings required by each check will be applied to each Domain Controller running the AD DS.  The system must also be reviewed using the Windows 2008 (or 2008 R2) and the Active Directory Domain STIGs. Also, if a forest architecture is implemented, a security review using the Active Directory Forest STIG is required.",
+  "title": "Active Directory Service 2008 Security Technical Implementation Guide (STIG)",
+  "version": "2",
+  "item_syntax": "^\\w-\\d+$",
+  "section_separator": null,
+  "items": [
+    {
+      "id": "V-12780",
+      "title": "The Synchronize Directory Service Data user right must not be assigned to any account.",
+      "description": "A Windows account with the Synchronize Directory Service Data right has the ability to read all information in the AD database. This bypasses the object access permissions that would otherwise restrict access to the data. The scope of access granted by this right is too broad for secure usage. Specific object permissions or other group membership assignments could be used to provide access on an appropriate scale.",
+      "severity": "high"
+    },
+    {
+      "id": "V-14783",
+      "title": "Separate, NSA-approved (Type 1) cryptography must be used to protect the directory data-in-transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data.",
+      "description": "Commercial-grade encryption does not provide adequate protection when the classification level of directory data in transit is higher than the level of the network or when SAMI data is included. ",
+      "severity": "medium"
+    },
+    {
+      "id": "V-14789",
+      "title": "Locally written (non-vendor) code used in AD operations must comply with the requirements of the Application STIG. \n",
+      "description": "Unlike vendor programs that might be recovered by purchasing and\\or downloading a replacement copy, the lack of a backup for locally written (non-vendor) code could result in the inability to recover from inadvertent or malicious deletion or simple hardware failure. ",
+      "severity": "medium"
+    },
+    {
+      "id": "V-14797",
+      "title": "Anonymous access to the root DSE of a non-public directory must be disabled.",
+      "description": "Allowing anonymous access to the root DSE data on a directory server provides potential attackers with a number of details about the configuration and data contents of a directory. For example, the namingContexts attribute indicates the directory space contained in the directory; the supportedLDAPVersion attribute indicates which versions of the LDAP protocol the server supports; and the supportedSASLMechanisms attribute indicates the names of supported authentication mechanisms. An attacker with this information may be able to select more precisely targeted attack tools or higher value targets.\n",
+      "severity": "low"
+    },
+    {
+      "id": "V-14798",
+      "title": "Directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access. ",
+      "description": "To the extent that anonymous access to directory data (outside the root DSE) is permitted, read access control of the data is effectively disabled. If other means of controlling access (such as network restrictions) are compromised, there may be nothing else to protect the confidentiality of sensitive directory data.\n",
+      "severity": "high"
+    },
+    {
+      "id": "V-14820",
+      "title": "PKI certificates (server and clients) must be issued by the DoD PKI or an approved External Certificate Authority (ECA). ",
+      "description": "A PKI implementation depends on the practices established by the Certificate Authority to ensure that the implementation is secure. Without proper practices, the certificates issued by a CA have limited value in authentication functions. The use of multiple CAs from separate PKI implementations results in interoperability issues. If servers and clients do not have a common set of root CA certificates, they are not able to authenticate each other.",
+      "severity": "high"
+    },
+    {
+      "id": "V-14831",
+      "title": "The directory service must be configured to terminate LDAP-based network connections to the directory server after five (5) minutes of inactivity.",
+      "description": "- The failure to terminate inactive network connections increases the risk of a successful attack on the directory server. The longer an established session is in progress, the more time an attacker has to hijack the session, implement a means to passively intercept data, or compromise any protections on client access. For example, if an attacker gains control of a client computer, an existing (already authenticated) session with the directory server could allow access to the directory. The lack of confidentiality protection in LDAP-based sessions increases exposure to this vulnerability. \n",
+      "severity": "low"
+    },
+    {
+      "id": "V-15488",
+      "title": "For unclassified systems, the directory server must be configured to use the CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.\n",
+      "description": "CTO 07-015 requires PKI authentication. PKI is a two-factor authentication technique, thus it provides a higher level of trust in the asserted identity than use of the username/password authentication technique.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2370",
+      "title": "The access control permissions for the directory service site group policy must be configured to use the required access permissions. ",
+      "description": "When directory service database objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, update, or delete the objects and degrade or destroy the integrity of the data. When the directory service is used for identification, authentication, or authorization functions, a compromise of the database objects could lead to a compromise of all systems that rely on the directory service.\n\nFor AD, the Group Policy and OU objects require special attention. In a distributed administration model (such as might be used with a help desk or other user support staff), Group Policy and OU objects are more likely to have access permissions changed from the secure defaults.\n\nIf inappropriate access permissions are defined for Group Policy Objects, it could allow an intruder to change the security policy applied to all domain client computers (workstations and servers).\n\nIf inappropriate access permissions are defined for OU objects, it could allow an intruder to add or delete users in the OU. This could result in unauthorized access to data or a denial of service to authorized users.\n",
+      "severity": "high"
+    },
+    {
+      "id": "V-2373",
+      "title": "The Server Operators group must have the ability to schedule jobs by means of the AT command disabled.",
+      "description": "This policy controls the ability of members of the local Server Operators group to schedule AT jobs. If disabled, only administrators can schedule jobs that use AT commands. Unlike Scheduled Tasks which require you to specify the credential under which the task will run, AT jobs run under the authority of whatever account the AT service runs (SYSTEM by default). Non administrators who can schedule AT commands, thus have a means to elevate their privileges.  Although this setting is disabled, Server Operators will still be able to schedule jobs using Task Scheduler.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2376",
+      "title": "The Kerberos policy option must be configured to enforce user logon restrictions.",
+      "description": "This policy setting determines whether the Kerberos Key Distribution Center (KDC) validates every request for a session ticket against the user rights policy of the target computer. The policy is enabled by default which is the most secure setting for validating access to target resources is not circumvented.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2377",
+      "title": "The Kerberos service ticket maximum lifetime must meet minimum standards.",
+      "description": "This setting determines the maximum amount of time (in minutes) that a granted session ticket can be used to access a particular service. Session tickets are used only to authenticate new connections with servers. Ongoing operations are not interrupted if the session ticket used to authenticate the connection expires during the connection.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2378",
+      "title": "The Kerberos policy option maximum lifetime for user ticket must be set to a maximum of 10 hours or less.",
+      "description": "In Kerberos, there are 2 types of tickets: Ticket Granting Tickets (TGTs) and Service Tickets. Kerberos tickets have a limited lifetime so the time an attacker has to implement an attack is limited. This policy controls how long TGTs can be renewed. With Kerberos, the user’s initial authentication to the domain controller results in a TGT which is then used to request Service Tickets to resources. Upon startup, each computer gets a TGT before requesting a service ticket to the domain controller and any other computers it needs to access. For services that startup under a specified user account, users must always get a TGT first, then get Service Tickets to all computers and services accessed. ",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2379",
+      "title": "The Kerberos policy option Maximum lifetime for user ticket renewal must be configured for a maximum of 7 days or less.",
+      "description": "This setting determines the period of time (in days) during which a users ticket-granting ticket (TGT) may be renewed.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2380",
+      "title": "The Kerberos policy option \"Maximum tolerance for computer clock synchronization\" must be set to a maximum of 5 minutes or less. ",
+      "description": "This setting determines the maximum time difference (in minutes) that Kerberos will tolerate between the time on a client's clock and the time on a server's clock while still considering the two clocks synchronous.  In order to prevent replay attacks, Kerberos uses timestamps as part of its protocol definition. For timestamps to work properly, the clocks of the client and the server need to be in sync as much as possible.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26683",
+      "title": "PKI certificates (user certificates) must be issued by the DoD PKI or an approved External Certificate Authority (ECA). \n\n",
+      "description": "A PKI implementation depends on the practices established by the Certificate Authority to ensure that the implementation is secure. Without proper practices, the certificates issued by a CA have limited value in authentication functions. ",
+      "severity": "high"
+    },
+    {
+      "id": "V-27109",
+      "title": "Access Control permissions on the FRS Directory data files do not have proper access permissions.",
+      "description": "Improper access permissions for directory data files could allow unauthorized users to read, modify, or delete directory data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-2906",
+      "title": "Ensure a complex password filter is installed and configured to enforce password complexity requirements. \n",
+      "description": "Weak passwords are easily broken with readily available hacker tools.  They can give an intruder access to the system with the privileges of the account whose password was broken.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-4408",
+      "title": "The domain controller must be configured to allow reset of machine account passwords.",
+      "description": "Enabling this setting on all domain controllers in a domain prevents domain members from changing their computer account passwords. If these passwords are weak or compromised, the inability to change them may leave these computers vulnerable.",
+      "severity": "low"
+    },
+    {
+      "id": "V-8316",
+      "title": "Directory service data files do not have proper access permissions.",
+      "description": "Improper access permissions for directory data files could allow unauthorized users to read, modify, or delete directory data.\n",
+      "severity": "high"
+    },
+    {
+      "id": "V-8317",
+      "title": "The directory server data files must be located on a different logical partition from the data files owned by users. ",
+      "description": "When directory service data files, especially for directories used for identification, authentication, or authorization, reside on the same logical partition as user-owned files, the directory service data may be more vulnerable to unauthorized access or other availability compromises. Directory service and user-owned data files that share a partition may be configured with less restrictive permissions in order to allow access to the user data. \n\nThe directory service may be vulnerable to a denial of service attack when user-owned files on a common partition are expanded to an extent that prevents the directory service from acquiring more space for directory or audit data.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-8320",
+      "title": "Directory server directories and files must be configured with required permissions. ",
+      "description": "Improper access permissions for directory server program (executable) and configuration files could allow unauthorized and malicious users to read, modify, or delete those files and change the way a directory server operates. This could lead to a compromise of the confidentiality, availability, and integrity of directory data.\n\nSome administration tool packages (such as the Windows Support Tools) include programs designed to perform updates on directory configuration and database data. Even though the directory data should be protected through file and object access permissions, allowing unauthorized access to administrative programs provides a potential attacker with tools that are already installed in the environment.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-8322",
+      "title": "Install or enable time synchronization on the directory service server. ",
+      "description": "- When a directory service that uses multi-master replication (such as AD) executes on computers that do not have synchronized time, directory data may be corrupted or updated invalidly.\n- The lack of synchronized time could lead to audit log data that is misleading, inconclusive, or unusable. In cases of intrusion this may invalidate the audit data as a source of forensic evidence in an incident investigation.\n- In AD, the lack of synchronized time could prevent clients from logging on or accessing server resources as a result of Kerberos requirements related to time variance.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-8324",
+      "title": "The time synchronization tool must be configured to enable logging of  time source switching.",
+      "description": "When a time synchronization tool executes, it may switch between time sources according to network or server contention. If switches between time sources are not logged, it may be difficult or impossible to detect malicious activity or availability problems.",
+      "severity": "low"
+    },
+    {
+      "id": "V-8326",
+      "title": "The directory server supporting (directly or indirectly) system access or resource authorization, must run on a machine dedicated to that function. ",
+      "description": "Executing application servers on the same host machine with a directory server may substantially weaken the security of the directory server. Web or database server applications usually require the addition of many programs and accounts that increase the attack surface of the computer. \n\nSome applications require the addition of privileged accounts that provide potential sources of compromise. Some applications (such as MS Exchange) may require the use of network ports or services that conflict with the directory server. In that case, non-standard ports might be selected and this could interfere with intrusion detection or prevention services.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-8327",
+      "title": "OS services that are critical for directory server operation must be configured for automatic startup. \n",
+      "description": "AD is dependent on several Windows services. If one or more of these services is not configured for automatic startup, AD functions may be partially or completely unavailable until the services are manually started. This could result in a failure to replicate data or to support client authentication and authorization requests.",
+      "severity": "medium"
+    }
+  ]
+}

data/standards/stig_adobe_acrobat_pro_xi.json

@@ -0,0 +1,167 @@
+{
+  "name": "stig_adobe_acrobat_pro_xi",
+  "date": "2018-01-03",
+  "description": "This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.",
+  "title": "Adobe Acrobat Pro XI Security Technical Implementation Guide",
+  "version": "1",
+  "item_syntax": "^\\w-\\d+$",
+  "section_separator": null,
+  "items": [
+    {
+      "id": "V-75263",
+      "title": "Adobe Acrobat Pro XI Enhanced Security for standalone mode must be enabled.",
+      "description": "Enhanced Security (ES) is a sandbox capability that restricts access to system resources. ES can be configured in two modes: Standalone mode is when Acrobat opens the desktop PDF client. ES Browser mode is when a PDF is opened via the browser plugin. When Enhanced Security is enabled and a PDF file tries to complete a restricted action from an untrusted location, a security warning must appear.\n\nEnhanced Security “hardens” the application against risky actions. It prevents cross domain access, prohibits script and data injection, blocks stream access to XObjects, silent printing, and execution of high privilege JavaScript.\n\nSatisfies: SRG-APP-000112, SRG-APP-000431",
+      "severity": "medium"
+    },
+    {
+      "id": "V-75265",
+      "title": "Adobe Acrobat Pro XI Enhanced Security for browser mode must be enabled.",
+      "description": "Enhanced Security (ES) is a sandbox capability that restricts access to system resources and prevents PDF cross domain access. ES can be configured in two modes: Standalone mode is when Acrobat opens the desktop PDF client. ES Browser mode is when a PDF is opened via the browser plugin. When Enhanced Security is enabled and a PDF file tries to complete a restricted action from an untrusted location, a security warning must appear.\n\nEnhanced Security “hardens” the application against risky actions. It prevents cross domain access, prohibits script and data injection, blocks stream access to XObjects, silent printing, and execution of high privilege JavaScript.\n\nSatisfies: SRG-APP-000112, SRG-APP-000431",
+      "severity": "medium"
+    },
+    {
+      "id": "V-75267",
+      "title": "Adobe Acrobat Pro XI PDF file attachments must be blocked.",
+      "description": "Acrobat Pro allows for files to be attached to PDF documents. Attachments represent a potential security risk because they can contain malicious content, open other dangerous files, or launch applications.\n\nThis feature prevents users from opening or launching file types other than PDF or FDF and disables the menu option to re-enable.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-75269",
+      "title": "Adobe Acrobat Pro XI access to unknown websites must be restricted.",
+      "description": "Acrobat provides the ability for the user to store a list of websites with an associated behavior of allow, ask, or block. Websites that are not in this list are unknown. PDF files can contain URLs that will initiate connections to unknown websites in order to share or get information. That access must be restricted.",
+      "severity": "low"
+    },
+    {
+      "id": "V-75271",
+      "title": "Adobe Acrobat Pro XI access to websites must be blocked.",
+      "description": "PDF files can contain URLs that initiate connections to websites in order to share or get information. Any Internet access introduces a security risk as malicious websites can transfer harmful content or silently gather data.",
+      "severity": "low"
+    },
+    {
+      "id": "V-75273",
+      "title": "Adobe Acrobat Pro XI must be configured to block Flash Content.",
+      "description": "Flash has a long history of vulnerabilities.  Although Flash is no longer provided with Acrobat, if the system has Flash installed, a malicious PDF could execute code on the system.  Configuring Flash to run from a privileged location limits the execution capability of untrusted Flash content that may be embedded in the PDF.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-75275",
+      "title": "The Adobe Acrobat Pro XI send and Track plugin for Outlook must be disabled.",
+      "description": "When enabled, the Adobe Send and Track button appears in Outlook. When an email is composed it enables the ability to send large files as public links through Outlook. The attached files can be uploaded to the Adobe Document Cloud and public links to the files are inserted in the email body.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-75277",
+      "title": "Adobe Acrobat Pro XI privileged file and folder locations must be disabled.",
+      "description": "Privileged Locations are the primary method Acrobat uses to allow users and admins to specify trusted content that should be exempt from security restrictions, such as when Enhanced Security is enabled.\n\nA Privileged Location may be a file, folder, or a host. If the user is allowed to set a Privileged Location, they could bypass security protections.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-75279",
+      "title": "Adobe Acrobat Pro XI FIPS mode must be enabled.",
+      "description": "Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.\n\nSatisfies: SRG-APP-000416, SRG-APP-000514",
+      "severity": "medium"
+    },
+    {
+      "id": "V-75281",
+      "title": "Adobe Acrobat Pro XI periodic downloading of Adobe European certificates must be disabled.",
+      "description": "By default, the user can update Adobe European certificates from an Adobe server through the GUI.\n\nWhen updating Adobe European certificates is disabled, it prevents the automatic download and installation of certificates and disables and locks the end user's ability to download those certificates.",
+      "severity": "low"
+    },
+    {
+      "id": "V-75285",
+      "title": "Adobe Acrobat Pro XI Protected Mode must be enabled.",
+      "description": "Protected Mode is a “sandbox” that is essentially a read-only mode.\n\nWhen enabled, Acrobat allows the execution environment of untrusted PDF's and the processes the PDF may invoke but also presumes all PDFs are potentially malicious and confines processing to a restricted sandbox.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-75287",
+      "title": "Adobe Acrobat Pro XI Protected View must be enabled.",
+      "description": "Protected View is a “super-sandbox” that is essentially a read-only mode. When enabled, Acrobat strictly confines the execution environment of untrusted PDF's and the processes the PDF may invoke. Acrobat also assumes all PDFs are potentially malicious and confines processing to a restricted sandbox.\n\nWhen the PDF is opened, the user is presented with the option to trust the document. When the user chooses to trust the document, all features are enabled, this action assigns trust to the document and adds the document to the users’ list of Privileged Locations.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-75289",
+      "title": "The Adobe Acrobat Pro XI latest security-related software updates must be installed.",
+      "description": "Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously.\n\nThis requirement will apply to software patch management solutions that are used to install patches across the enclave and also to applications that are not part of that patch management solution. For example, many browsers today provide the capability to install their own patch software. Patch criticality, as well as system criticality, will vary. Therefore, the tactical situations regarding the patch management process will also vary. This means that the time period used must be a configurable parameter. Time frames for application of security-relevant software updates may be dependent upon the Information Assurance Vulnerability Management (IAVM) process.\n\nThe application will be configured to check for and install security-relevant software updates within an identified time period from the availability of the update. The specific time period will be defined by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).",
+      "severity": "high"
+    },
+    {
+      "id": "V-75293",
+      "title": "Adobe Acrobat Pro XI Default Handler changes must be disabled.",
+      "description": "Acrobat Pro allows users to change the version of Acrobat Pro that is used to read PDF files. This is a risk if multiple versions of Acrobat are installed on the system and the other version has dissimilar security configurations or known vulnerabilities. When the Default PDF Handler is disabled, the end users will not be able to change the default PDF viewer.",
+      "severity": "low"
+    },
+    {
+      "id": "V-75295",
+      "title": "Adobe Acrobat Pro XI must disable the ability to store files on Acrobat.com.",
+      "description": "Adobe Acrobat Pro XI provides the ability to store PDF files on Adobe.com servers. Allowing users to store files on non-DoD systems introduces risk of data compromise.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-75297",
+      "title": "Adobe Acrobat Pro XI certified document trust must be disabled.",
+      "description": "Certified document trust elevates signed PDF files to a privileged location and bypasses privileged view security protections. Disabling certified documents disables and locks the end user's ability to elevate certified documents as a privileged location.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-75299",
+      "title": "Adobe Acrobat Pro XI privileged host locations must be disabled.",
+      "description": "Privileged Locations are the primary method Acrobat uses to allow users and admins to specify trusted content that should be exempt from security restrictions, such as when Enhanced Security is enabled.\n\nA Privileged Location may be a file, folder, or a host. If the user is allowed to set a Privileged Location, they could bypass security protections.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-75301",
+      "title": "Adobe Acrobat Pro XI privileged site locations must be disabled.",
+      "description": "Privileged Locations are the primary method Acrobat uses to allow users and admins to specify trusted content that should be exempt from security restrictions, such as when Enhanced Security is enabled.\n\nA Privileged Location may be a file, folder, or a host. If the user is allowed to set a Privileged Location, they could bypass security protections.",
+      "severity": "low"
+    },
+    {
+      "id": "V-75303",
+      "title": "Adobe Acrobat Pro XI Periodic downloading of Adobe certificates must be disabled.",
+      "description": "By default, the user can update Adobe certificates from an Adobe server through the GUI.\n\nWhen updating Adobe certificates is disabled, it prevents the automatic download and installation of certificates and disables and locks the end user's ability to download those certificates.",
+      "severity": "low"
+    },
+    {
+      "id": "V-75305",
+      "title": "Adobe Acrobat Pro XI SharePoint and Office365 Access must be disabled.",
+      "description": "Both SharePoint and Office365 configurations are shared in one setting. Disabling this setting removes the user’s ability to use both SharePoint and Office365 cloud features and functions. If the user is allowed to store files on public cloud services, there is a risk of data compromise.",
+      "severity": "low"
+    },
+    {
+      "id": "V-75307",
+      "title": "The Adobe Acrobat Pro XI Welcome Screen must be disabled.",
+      "description": "The Adobe Welcome screen can be distracting. It provides marketing material and also has online links to the Adobe quick tips website, tutorials, blogs, and community forums.\n\nWhen the Adobe Welcome screen is disabled, the Welcome screen will not be populated on application startup.",
+      "severity": "low"
+    },
+    {
+      "id": "V-75309",
+      "title": "Adobe Acrobat Pro XI Webmail must be disabled.",
+      "description": "Acrobat Pro XI provides a Webmail capability. This allows users to send PDFs as email attachments using any mail account that supports SMTP/IMAP protocols. In addition to existing desktop email clients, users can now configure these mail accounts by providing User Name, Password, IMAP and SMTP details. The capability allows users to utilize Gmail and Yahoo mail accounts to send PDF files directly from within the Acrobat application. This capability allows the user to by-pass existing email protections provided by DoD email services.",
+      "severity": "low"
+    },
+    {
+      "id": "V-75311",
+      "title": "Adobe Acrobat Pro XI third-party web connectors must be disabled.",
+      "description": "Third-party connectors include services such as Dropbox and Google Drive. When third-party web connectors are disabled, it prevents access to third-party services for file storage. Allowing access to online storage services introduces the risk of data loss or data exfiltration.",
+      "severity": "low"
+    },
+    {
+      "id": "V-75313",
+      "title": "Adobe Acrobat Pro XI Adobe Cloud Synchronization must be disabled.",
+      "description": "By default, Adobe online services are tightly integrated in Adobe Acrobat. When the Adobe Cloud synchronization is disabled it prevents the synchronization of desktop preferences across devices on which the user is signed in with an Adobe ID (including phones).",
+      "severity": "medium"
+    },
+    {
+      "id": "V-75315",
+      "title": "Adobe Acrobat Pro XI Adobe Repair Installation must be disabled.",
+      "description": "When Repair Installation is disabled the user does not have the option (Help Menu) or ability to repair an Adobe Acrobat Pro XI install. Ability to repair includes the risk that established security settings could be overwritten.",
+      "severity": "low"
+    },
+    {
+      "id": "V-79057",
+      "title": "An unsupported Adobe Acrobat Pro version must not be installed.",
+      "description": "Failure to install the most current Adobe Acrobat Pro version leaves a system vulnerable to exploitation. Current versions correct known security and system vulnerabilities. \n\nIf the Adobe Acrobat Pro installation is not at the most current version and patch level, this is a Category 1 finding since new vulnerabilities will not be patched.\n\nAdobe Acrobat Pro XI is End of Life. Reference the following URL: http://www.adobe.com/support/products/enterprise/eol/. Click on \"Adobe enterprise products and technical support periods\".\n",
+      "severity": "high"
+    }
+  ]
+}