Thursday, August 13, 2009

Windows Vista - and Gold Disks, part 2

Our ACA sent out a note that the Army had pushed forward with Vista. All systems are supposed to upgrade to Vista by December 2009. Any systems that have machines that are not AT LEAST Vista (or do not have a waiver) could be disconnected. Of course, I foresee many systems experiencing problems with the idiosyncrasies of Vista, but that’s another story. Further, any system that has accreditation will not need re-accreditation, according to the ACA.

The latest version of the Gold Disk came out in June. I noticed on my last certification trip that it checked for many, many more controls than the prior version of Gold Disk that I used. A little inspection of the documentation revealed that Gold Disk now works on Vista. And, the latest Vista checklist states that the Gold Disk is acceptable to use when testing a Vista machine. So, I plopped it in my laptop to see what would turn up. Note that my laptop is configured to corporate policy, and is not even close to DoD STIGs.

Gold Disk completed its analysis successfully, and I created the XML to take a look at what it found, and what was not reviewed. As expected, there were plenty of findings, along with configurations that were correctly set. I was most interested in what was not reviewed, as those tests would be the pain points when out testing other systems; those tests would have to be performed manually. Following are some of the checks that were "Not Reviewed" when I ran the Gold Disk. Where practical, I'll attempt to list what the Vista Checklist has to say. The checklist is Version 6, Release 1.12, dated 26 June 2009.

· Physical Security – V0001070 – manual

· Shared Accounts – V0001072 – manual

· System Recovery backups - V0001076 – manual

· Registry Key Auditing - V0001088 – unable to determine why this check was not performed

· Legal Notice is Not Configured – V0001089 – I'm guessing this is because the setting is in the Security Policy > Local Policy, which GD did not pick up. (We have a banner on our laptops; it may be set by a Group Policy.)

· Security Configuration Tools – V0001128 – Again, I think this has to do with Group Policy.

· Strong Password Filtering – V0001131 – I think GD has not been updated for this check, as it seems like a registry check. (And the checklist still references the fact that GD doesn’t work on Vista.)

· Access To Windows Event Logs – V0001137 – I’m not sure why this is not checked.

· Users With Administrative Privilege – V0001140 – obvious.

· Enable Strong Password Filtering – V0001150 – I think this is like V0001089.

· Service Object Permission – V0002371 – looks manual. I thought it was checked on XP systems, though.

· Disable Reversible Password Encryption – V0002372 – Local security policy

· Unencrypted Remote Access – V0002908 – looks like a manual check

· Anonymous SID/Name Translation – V0003337 – manual security policy check

· Anonymous Access to Named Pipes – V0003338 – manual security policy check. (Though I thought this worked in XP, so it must be a Vista security change.)

· Remotely Accessible Registry Paths – V0003339 – manual registry inspection

· Anonymous Access To Network Shares – V0003340 – manual security policy check.

· Internet Information System (IIS) – V0003347 – manual check

· Security Related Software Patches – V0003828 – manual check

· Remotely Accessible Registry Paths and Sub Paths – V0004443 – manual registry check

· DCOM – Authorization Level – V0006825 – need the command line to check

· DCOM – RunAs Value – V0006830 – manual registry check

· Audit Configuration – V0006850 – manual security policy check

· A boat load of IAVMs

· Backup Administrator’s Account – V0014224 – manual

· Administrator Account Password Changes – V0014225 – policy check

· Hide Computer – V0014231 – I’m not sure why this isn’t checked. I know MSS checks are performed against XP.

· IPSec Exemptions – V0014232 – see above

· A whole bunch of UAC settings – these require a manual security policy check

· There were a bunch of Desktop Application checks – that seem to be related to Vista’s security architecture.

· A bunch of Windows Firewall checks were not reviewed. These look like registry settings. I don’t know if the Gold Disk couldn’t get access to the registry key, or if it is because our laptops use a 3rd party firewall.

· There were some other findings, but as I look at them, I’m not sure if it is Vista, or my specific machine.

As I test more machines, I’ll get a handle on why some of the findings are manual checks.
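For the "Not Reviewed" items above that are registry or Local Security Policy settings, the following PowerShell script collects the evidence a reviewer would otherwise gather by hand. It is an added example, not code from the original post and not part of DISA's Gold Disk or checklist. It assumes PowerShell 2.0 or later, an elevated session on the machine under review, and the standard Windows locations for these settings (the Policies\System key for the legal notice and UAC values, the LanmanServer Parameters key for null-session pipes/shares and the MSS Hidden value, the Winreg key for remotely accessible paths, secedit for Local Security Policy, wevtutil for event log channel access). It does not embed the checklist's required values; it reports what is set and flags values that are plainly missing, so the tester still compares each row to the checklist text.

```powershell
# Added example: evidence collection for several "Not Reviewed" Vista checks.
# Not from the original post or from DISA. Assumes PowerShell 2.0+, run elevated.
# V-IDs in comments are the ones quoted in the post; required values come from the checklist.

$results = @()

function Add-Result([string]$Vid, [string]$Check, $Value, [string]$Note) {
    $script:results += New-Object PSObject -Property @{
        VID = $Vid; Check = $Check; Value = $Value; Note = $Note
    }
}

# Read one registry value, returning $null (instead of throwing) when key or value is absent.
function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

# V0001089 - legal notice banner (caption and text) lives under the Policies\System key
$polSys  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$caption = Get-RegValue $polSys 'LegalNoticeCaption'
$text    = Get-RegValue $polSys 'LegalNoticeText'
$note = if ([string]::IsNullOrEmpty($text)) { 'MISSING: no banner text' } else { 'compare wording to checklist' }
Add-Result 'V0001089' 'Legal notice' "$caption / $text" $note

# UAC settings ("a whole bunch") share the same Policies\System key
foreach ($n in 'EnableLUA','ConsentPromptBehaviorAdmin','ConsentPromptBehaviorUser',
               'PromptOnSecureDesktop','EnableInstallerDetection','EnableSecureUIAPaths',
               'EnableVirtualization','FilterAdministratorToken','ValidateAdminCodeSignatures') {
    Add-Result 'UAC' $n (Get-RegValue $polSys $n) 'compare to checklist'
}

# V0002372 / V0003337 - Local Security Policy settings; export them with secedit and read [System Access]
$inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $inf | Out-Null
$sysAccess = Get-Content $inf | Where-Object { $_ -match '^(ClearTextPassword|LSAAnonymousNameLookup)\s*=' }
foreach ($line in $sysAccess) {
    $k, $v = $line -split '\s*=\s*'
    $vid = if ($k -eq 'ClearTextPassword') { 'V0002372' } else { 'V0003337' }
    Add-Result $vid $k $v.Trim() '0 = disabled'
}
Remove-Item $inf -ErrorAction SilentlyContinue

# V0003338 / V0003340 - null-session pipes and shares; V0014231 - MSS "Hide Computer" (Hidden)
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Add-Result 'V0003338' 'NullSessionPipes'  ((Get-RegValue $lanman 'NullSessionPipes')  -join ';') 'each entry needs a justification'
Add-Result 'V0003340' 'NullSessionShares' ((Get-RegValue $lanman 'NullSessionShares') -join ';') 'each entry needs a justification'
Add-Result 'V0014231' 'Hidden' (Get-RegValue $lanman 'Hidden') '1 = hidden from browse list'

# V0003339 / V0004443 - remotely accessible registry paths and sub-paths
$winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg'
Add-Result 'V0003339' 'AllowedExactPaths' ((Get-RegValue "$winreg\AllowedExactPaths" 'Machine') -join ';') 'compare list to checklist'
Add-Result 'V0004443' 'AllowedPaths'      ((Get-RegValue "$winreg\AllowedPaths" 'Machine')      -join ';') 'compare list to checklist'

# V0014232 - MSS IPSec exemptions
Add-Result 'V0014232' 'NoDefaultExempt' (Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\IPSEC' 'NoDefaultExempt') 'compare to checklist'

# V0006825 - DCOM default authentication level; V0006830 - every AppID that sets a RunAs value
Add-Result 'V0006825' 'LegacyAuthenticationLevel' (Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Ole' 'LegacyAuthenticationLevel') 'compare to checklist'
Get-ChildItem 'HKLM:\SOFTWARE\Classes\AppID' -ErrorAction SilentlyContinue | ForEach-Object {
    $runAs = Get-RegValue $_.PSPath 'RunAs'
    if ($runAs) { Add-Result 'V0006830' "RunAs $($_.PSChildName)" $runAs 'review against checklist' }
}

# V0001140 - local Administrators membership; strip the net.exe header/footer lines
$members = net localgroup Administrators | Where-Object {
    $_ -match '\S' -and $_ -notmatch '^(Alias name|Comment|Members|-+|The command)'
}
Add-Result 'V0001140' 'Administrators' ($members -join ';') 'justify each member'

# V0001137 - on Vista, event log access is the channelAccess SDDL string reported by wevtutil
$sddl = (wevtutil gl Security | Where-Object { $_ -match '^channelAccess:' }) -replace '^channelAccess:\s*', ''
Add-Result 'V0001137' 'Security log channelAccess' $sddl 'review SDDL for unexpected allow ACEs'

# Windows Firewall - the GPO policy key is read first, then the local profile key
foreach ($profile in 'DomainProfile','StandardProfile','PublicProfile') {
    $pol = Get-RegValue "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\$profile" 'EnableFirewall'
    $loc = Get-RegValue "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\$profile" 'EnableFirewall'
    $note = if ($pol -eq $null -and $loc -eq $null) { 'MISSING: neither policy nor local value set (3rd-party firewall?)' } else { 'policy value wins when set' }
    Add-Result 'Firewall' "$profile EnableFirewall" "policy=$pol local=$loc" $note
}

$results | Select-Object VID, Check, Value, Note | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt on the machine being reviewed and keep the table with the checklist; rows marked MISSING are the ones most likely to end up as findings, and the firewall row in particular distinguishes "set by Group Policy" from "not configured at all", which is the ambiguity noted above for machines running a 3rd-party firewall. Items that are genuinely physical or procedural (V0001070, V0001072, V0001076, the IAVMs) have no script equivalent and stay manual.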
