Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-70289 | APSC-DV-002870 | SV-84911r1_rule | Medium |
Description |
---|
Use of un-trusted Level 1A mobile code technologies can introduce security vulnerabilities and malicious code into the client system. 1A code is defined as: - ActiveX controls - Mobile code script (JavaScript, VBScript) - Windows Scripting Host (WSH) (downloaded via URL or email) When JavaScript and VBScript execute within the browser they are Category 3, however, when they execute in WSH, they are 1A. |
STIG | Date |
---|---|
Application Security and Development Security Technical Implementation Guide | 2017-03-20 |
Check Text ( C-70765r1_chk ) |
---|
Review the application documentation and interview the application administrator to identify any mobile code that is provided by the application for client consumption. If the application does not contain mobile code, or if the mobile code executes within the client browser, this is not applicable. The URL of the application must be added to the Trusted Sites zone. This is accomplished via the Tools, Internet Options, and “Security” Tab. Select the “Trusted Sites” zone. Click the “sites” button. Enter the URL into the text box below the “Add this site to this zone” message. Click "Add”. Click “OK”. Note: This requires administrator privileges to add URL to sites on a STIG compliant workstation. Next, test the application. This testing should include functional testing from all major components of the application. If mobile code is in use, the browser will prompt to download the control. At the download prompt, the browser will indicate that code has been digitally signed. If the code has not been signed or the application warns that a control cannot be invoked due to security settings, this is a finding. |
Fix Text (F-76525r1_fix) |
---|
Configure the application so Category 1A mobile code is signed. |