
Windows systems must be configured to prevent application use of Test Root certificates.


Overview

Finding ID: V-7061
Version: APPNET0046
Rule ID: SV-7444r2_rule
IA Controls: DCSL-1
Severity: Medium
Description
Microsoft Windows operating systems provide a feature called Authenticode. Authenticode and its underlying code signing mechanisms identify software publishers and ensure that software applications have not been tampered with. Authenticode relies on digital certificates and is based on Public Key Cryptography Standards (PKCS) #7 (encrypted key specification), PKCS #10 (certificate request formats), X.509 (certificate specification), and the Secure Hash Algorithm (SHA) and MD5 hash algorithms. A root certificate is a public key certificate or self-signed certificate that identifies the Root Certificate Authority. Digital certificates are verified using a chain of trust, and the trust anchor for that chain is the Root Certificate Authority (CA). A CA may generate a Test Root Certificate that is used for testing purposes. Configuring production Windows systems to allow applications to use Test Root Certificates when establishing trust creates an integrity risk.
STIG: Microsoft Dot Net Framework 4.0 STIG
Date: 2015-09-15

Details

Check Text (None)
None
Fix Text (F-12602r10_fix)
Using regedit, change the hexadecimal value of the "State" value under the "HKEY_USERS\[UNIQUE USER SID VALUE]\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing" registry key.

For production systems, change the hexadecimal value in nibble position 2 to "0".

For development systems, change the hexadecimal value in nibble position 2 to "0", or the IAO must approve the settings.

Example fix:
Hex value:       100a0
Nibble position: 54321

Nibble positions are counted from the right, so position 2 is the second hex digit from the right. To apply the fix, the example hex value "a" in nibble position 2 is changed to hex value "0", resulting in a hex value of 10000.
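The following PowerShell script is an added helper for auditing this finding across the user hives loaded under HKEY_USERS; it is not part of the STIG and not Microsoft's code. It assumes "State" is a REG_DWORD and that nibble position 2 corresponds to bits 4-7 (mask 0xF0); it only reports unless run with -Fix, and supports -WhatIf.

```powershell
# Added audit/fix helper for APPNET0046 (not part of the STIG).
# Assumption: "State" is a REG_DWORD and nibble 2 is bits 4-7 (mask 0xF0).
# Reading and writing other users' hives requires an elevated session.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Fix   # without -Fix the script only reports findings
)

$SubKey      = 'Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing'
$Nibble2Mask = 0xF0

# Walk every user hive currently loaded under HKEY_USERS (SIDs only, skip *_Classes).
Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-' -and $_.PSChildName -notmatch '_Classes$' } |
    ForEach-Object {
        $sid  = $_.PSChildName
        $path = "Registry::HKEY_USERS\$sid\$SubKey"
        $item = Get-ItemProperty -Path $path -Name State -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            Write-Output "$sid : no State value present"
            return   # 'return' inside ForEach-Object moves to the next hive
        }

        # Keep the raw Int32 the registry provider returns; 'x' formatting
        # prints it as 8 hex digits even when the high bit is set.
        $state   = [int]$item.State
        $nibble2 = ($state -band $Nibble2Mask) -shr 4
        if ($nibble2 -eq 0) {
            Write-Output ("{0} : State=0x{1:x} compliant (nibble 2 = 0)" -f $sid, $state)
            return
        }

        Write-Output ("{0} : State=0x{1:x} FINDING (nibble 2 = {2:x})" -f $sid, $state, $nibble2)
        if ($Fix -and $PSCmdlet.ShouldProcess($path, 'Clear nibble 2 of State')) {
            # Clear only bits 4-7; every other setting in the value is preserved.
            $newState = $state -band (-bnot $Nibble2Mask)
            Set-ItemProperty -Path $path -Name State -Value $newState -Type DWord
            Write-Output ("{0} : State set to 0x{1:x}" -f $sid, $newState)
        }
    }
```

Only hives of users currently logged on (or otherwise loaded) appear under HKEY_USERS, so profiles that are not loaded are not examined by this script.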