
Windows must be configured to invalidate PKCS #7 version 1 signed objects


Overview

Finding ID: V-31212
Version: APPNET0068
Rule ID: SV-41412r1_rule
IA Controls: DCSL-1
Severity: Medium
Description
Microsoft Windows operating systems provide a feature called Authenticode. Authenticode and its underlying code-signing mechanisms identify software publishers and ensure that software applications have not been tampered with. Authenticode relies on digital certificates and is based on Public Key Cryptography Standards (PKCS) #7 (encrypted key specification), PKCS #10 (certificate request formats), X.509 (certificate specification), and the Secure Hash Algorithm (SHA) and MD5 hash algorithms. .NET application developers sign their application code with their public key, and Authenticode performs certificate validation before allowing the application to run. If the system is not configured properly, Authenticode will not invalidate older PKCS #7 version 1 signed objects, creating a risk to the integrity of the system.
STIG: Microsoft Dot Net Framework 4.0 STIG
Date: 2014-01-08

Details

Check Text (C-39949r12_chk)
This check must be performed for each user on the system. To determine compliance, the hexadecimal value contained in each user's "State" registry key must be converted to binary. Use regedit to locate
"HKEY_USER\[UNIQUE USER SID VALUE]\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State".

Document the hexadecimal value of the user's "State" registry key. Each hex digit in the string is referred to as a "nibble". For example, a hex value of f0000 has 5 nibbles. For guidance purposes, the nibble positions are numbered 1 through 5 starting from the right and moving to the left.

Open the Windows calculator.

Select "View", then "Programmer".
Select "Hex" and then "Dword".
Enter the 5 nibble hex value obtained from the user's registry key.

Select "Bin".

The hex value will automatically convert to a binary value.

Start counting from 1 (not 0) and count the bit positions starting from the right and moving to the left. The total number of bit positions will vary from 18 to 20 depending upon the hex values input into the calculator.

If bit position 17 is not a value of "1" on production systems, this is a finding.

If bit 17 is not a value of "1" on a development system and the IAO has not provided documented approval, this is a finding.
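The calculator walk-through above can be automated. The PowerShell below is an added example and is not part of the STIG text. It assumes that loaded user hives live under HKEY_USERS (the STIG text writes the hive as HKEY_USER) and that only SIDs of the form S-1-5-21-... are user profiles worth reporting; the function names are the example's own. Bit position 17, counting from 1 at the right, is the mask 0x10000, so the string-based conversion the STIG describes and a plain bitmask test give the same answer, and both are shown.

```powershell
# Added example (not part of the STIG text): automate the bit-17 check for
# every loaded user hive. Hive assumed to be HKEY_USERS.
$SoftwarePublishingKey = 'Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing'

# Bit position 17 (1-based, counted from the right) is binary 1 followed by
# sixteen zeros, i.e. 0x10000.
$Bit17Mask = 0x10000

function Get-Bit17FromBinary {
    # Reproduces the calculator method: convert to a binary string and read
    # the 17th character counting from the right.
    param([int64]$State)
    $bin = [Convert]::ToString($State, 2)
    if ($bin.Length -lt 17) { return [char]'0' }
    return $bin[$bin.Length - 17]
}

function Test-Bit17 {
    # Same test as a bitmask; no string conversion needed.
    param([int64]$State)
    return (($State -band $Bit17Mask) -ne 0)
}

# Worked value from the fix text: 0xf0000 is 11110000000000000000 in binary,
# so (Get-Bit17FromBinary 0xf0000) is '1' and (Test-Bit17 0xf0000) is $true.

function Get-SoftwarePublishingState {
    # One row per loaded user hive: raw State value and the bit-17 result.
    Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
        ForEach-Object {
            $sid  = $_.PSChildName
            $key  = "Registry::HKEY_USERS\$sid\$SoftwarePublishingKey"
            $prop = Get-ItemProperty -Path $key -Name State -ErrorAction SilentlyContinue
            if ($null -eq $prop) {
                # No explicit State value for this user: review manually.
                [pscustomobject]@{ SID = $sid; State = $null; Bit17Set = $null; Result = 'State value missing, review manually' }
                return
            }
            # REG_DWORD is read back as a signed Int32; normalise to an unsigned value.
            $state = ([int64]$prop.State) -band 0xFFFFFFFF
            $isSet = Test-Bit17 -State $state
            [pscustomobject]@{
                SID      = $sid
                State    = ('0x{0:X}' -f $state)
                Bit17Set = $isSet
                Result   = $(if ($isSet) { 'Compliant' } else { 'Finding: bit 17 is not 1' })
            }
        }
}

Get-SoftwarePublishingState | Format-Table -AutoSize
```

Only hives that are currently loaded appear under HKEY_USERS, so users who are not logged on are not covered by this pass; their NTUSER.DAT would have to be loaded first, which this example does not do. A "Finding" row on a development system still needs the IAO approval check described above before it is closed.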
Fix Text (F-35123r8_fix)

Using regedit, change the hexadecimal value of the "HKEY_USER\[UNIQUE USER SID VALUE]\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State" registry key.

For production systems, change the hexadecimal value for nibble position 5 to "1".

For development systems, change the hexadecimal value for nibble position 5 to "1" or the IAO must provide documented approval.

Example fix:
Hex value: f0000
Nibble position: 54321
To apply the fix, the example hex value "f" in nibble position 5 would be changed to "1", resulting in a hex value of 10000.
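An added example of applying the fix with PowerShell follows; it is not part of the STIG text and, like the check example, assumes the hive is HKEY_USERS and uses its own function name. Rather than overwriting nibble 5 as the illustration above does (which also clears bits 18 through 20 when they are set, as f0000 becoming 10000 shows), it ORs in the 0x10000 mask so that only bit 17 changes: a value of e0000 becomes f0000, and a value that already has bit 17 set is left untouched.

```powershell
# Added example (not part of the STIG text): set bit 17 of the Software
# Publishing State value for one user SID, preserving every other bit.
# Hive assumed to be HKEY_USERS.
$SoftwarePublishingKey = 'Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing'
$Bit17Mask = 0x10000   # bit position 17, counting from 1 at the right

function Set-Bit17 {
    param([Parameter(Mandatory)][string]$Sid)
    $key = "Registry::HKEY_USERS\$Sid\$SoftwarePublishingKey"
    # Normalise the signed Int32 that REG_DWORD reads back as to an unsigned value.
    $current = ([int64](Get-ItemProperty -Path $key -Name State).State) -band 0xFFFFFFFF
    $new = $current -bor $Bit17Mask
    if ($new -ne $current) {
        # Only write when something actually changes.
        Set-ItemProperty -Path $key -Name State -Value $new -Type DWord
    }
    # Report before/after in the same hex notation the STIG uses.
    '{0}: State 0x{1:X} -> 0x{2:X}' -f $Sid, $current, $new
}

# Usage (placeholder SID, substitute the real one reported by the check):
# Set-Bit17 -Sid 'S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-1001'
```

Run it once per user SID that the check reported as a finding, then re-run the check to confirm bit 17 now reads "1". On a development system the IAO approval route remains an alternative to changing the value.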