SCAP Compliance Checker (SCC) ‐ DISA STIG scans and remediations - mluchettii/github-wiki-mluchetti GitHub Wiki
SCC interface
Content
The Content pane displays the available SCAP profiles. Here, we can see all the DISA STIG SCAP content that was installed during initial setup.
Installing additional STIGs
If you want to install additional STIGs, visit the STIGs Document Library that is hosted on the DoD Cyber Exchange public platform:
https://www.cyber.mil/stigs/downloads/
STIG Benchmark details
Mozilla Firefox for Windows STIG
When conducting a thorough scan, it's important to check the details of a STIG benchmark and confirm whether a more up-to-date version is available from the STIGs Document Library.
Manual questions
Notice that some STIGs ask the user to provide answers to manual questions. For each question, the user must record whether it is a finding, not a finding, not applicable, or not reviewed.
Running a SCAP scan with Windows 11 STIGs
If manual questions are left unanswered, the application will remind the user to answer them. The best practice would be to complete them, so as to receive the most accurate results possible. For the sake of this simple demonstration, I left them unanswered and continued with the scan.
A local scan is underway, using Windows SCAP profiles, including profiles for Edge, Office, and the OS itself.
Upon completion of the scan, click View Results.
All results for this scan session are displayed here. In the bottom left pane, click the STIG benchmark with the HTML report you want to see. You can choose the report with all settings shown (pass and fail) or the report with only non-compliant checks (failed checks only).
Reports
Microsoft Office 365 STIG SCAP Benchmark results
The Office 365 scan resulted in 15/139 passed rule checks and a score of 10.79%.
Non-compliant rules
V-223280 - Macros must be blocked from running in Access files from the Internet.
Macros are a major attack vector in Office 365 applications. Thankfully, there is a remediation listed here, which involves setting a policy value in the security settings of the Access application, essentially blocking macros from running in Office files from the Internet.
Microsoft Windows 11 STIG SCAP Benchmark results
The Windows 11 scan resulted in 81/254 passed rule checks and a score of 38.94%.
Non-compliant rules
V-253387 - The default autorun behavior must be configured to prevent autorun commands.
This is another security best practice: it prevents AutoRun from executing potentially malicious code. The fix involves changing the default behavior for AutoRun from 'Enabled' to 'Do not execute any autorun commands'.
Microsoft Edge STIG SCAP Benchmark results
The Microsoft Edge scan resulted in 6/56 passed rule checks and a score of 12.24%.
Non-compliant rules
Remediations
V-235759 - Edge must be configured to allow only TLS.
To prevent the use of outdated SSL versions, this rule correctly states that the Edge browser must be configured to allow only TLS 1.0, 1.1, or 1.2. According to the rule's definition, when the policy is not configured Edge falls back to its default minimum version, which is TLS 1.0.
Test information
Here, we can see the tests that were used to determine the state of this control. In this case, the test reads the SSLVersionMin string value under the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge key in the Windows Registry; the check passes only when that string value exists and is equal to 'tls1.2'.
Implementing the remediation via the Registry Editor
To start, I will examine the Edge policy key in the Registry Editor:
No string object named SSLVersionMin was found, so I will create it:
Creating the string object
The SSLVersionMin string value, set to 'tls1.2', has been created in the Windows Registry, satisfying the security control.
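The same audit-then-remediate step, scripted in PowerShell so it can be repeated on other hosts before re-running SCC. This is an added example, not part of the wiki or of SCC; it assumes an elevated PowerShell session on the scanned Windows host, and the function names are my own.

```powershell
# Added example: audit and remediate the Edge SSLVersionMin policy value that
# STIG rule V-235759 checks, mirroring the SCAP test described above.
# Assumes an elevated session; key, value name and expected value come from the rule.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$ValueName = 'SSLVersionMin'
$Expected  = 'tls1.2'

function Get-EdgeTlsMinimum {
    # Returns the current SSLVersionMin string, or $null when the key or value is
    # absent, i.e. the 'policy not configured' state in which Edge defaults to TLS 1.0.
    if (-not (Test-Path -Path $PolicyKey)) { return $null }
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

function Test-EdgeTlsMinimum {
    # Same comparison the SCAP test performs: pass only when the literal string is 'tls1.2'.
    # -ceq is case-sensitive so 'TLS1.2' is reported as a finding, as the scanner would.
    $current = Get-EdgeTlsMinimum
    return ($null -ne $current) -and ($current -ceq $Expected)
}

function Set-EdgeTlsMinimum {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Create the policy key if it does not exist yet, then write a REG_SZ (String)
    # value, matching the 'string object' the STIG test expects. Supports -WhatIf.
    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess("$PolicyKey\$ValueName", "Set REG_SZ to '$Expected'")) {
        New-ItemProperty -Path $PolicyKey -Name $ValueName -Value $Expected `
            -PropertyType String -Force | Out-Null
    }
}

# Audit first; remediate only when the check fails, then verify the result.
if (Test-EdgeTlsMinimum) {
    Write-Output "Compliant: $ValueName is already '$Expected'."
} else {
    $before = Get-EdgeTlsMinimum
    $state  = if ($null -eq $before) { 'not configured' } else { "'$before'" }
    Write-Output "Finding: $ValueName is $state."
    Set-EdgeTlsMinimum
    $after = if (Test-EdgeTlsMinimum) { 'Compliant' } else { 'Still non-compliant' }
    Write-Output "After remediation: $after."
}
```

Run it with `-WhatIf` on `Set-EdgeTlsMinimum` first to see the registry write without applying it, then re-run the SCC scan to confirm the rule passes.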
Results after Edge control fix
This time, the remediation was picked up by the scanner, ever so slightly improving the score by 2.05%.
Further confirmation that the remediation resulted in a passing control check: the rule no longer appears under the CAT I results.