
Windows must be configured to block application execution if certificate server status is unavailable.


Overview

Finding ID: V-7065
Version: APPNET0050
Rule ID: SV-7448r2_rule
IA Controls: DCSL-1
Severity: Medium
Description
Microsoft Windows operating systems provide a feature called Authenticode. Authenticode and its underlying code-signing mechanisms identify software publishers and ensure that software applications have not been tampered with. Authenticode relies on digital certificates and is based on Public Key Cryptography Standards (PKCS) #7 (encrypted key specification), PKCS #10 (certificate request formats), X.509 (certificate specification), and the Secure Hash Algorithm (SHA) and MD5 hash algorithms. .NET application developers sign their application code with their public key, and Authenticode performs certificate validation tasks before allowing the application to run. Certificate validation includes certificate revocation checks to determine whether the certificate has been revoked by the certificate authority. For Authenticode to test the certificate for revocation, the authoritative revocation server must be available. If the revocation server is not available, the certificate status is unknown and the software must be prevented from running until the certificate can be validated. By default, Windows allows application software to run when the certificate revocation server is offline or unavailable. This creates an integrity risk of malware being introduced into the system.
STIG: Microsoft Dot Net Framework 4.0 STIG
Date: 2015-09-15

Details

Check Text (None)
None
Fix Text (F-35216r8_fix)
Using regedit, change the hexadecimal value of the "HKEY_USER\[UNIQUE USER SID VALUE]\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State" registry key.

For production systems, change the hexadecimal values for nibble positions 3 and 4 to "0".

For development systems, change the hexadecimal values for nibble positions 3 and 4 to "0" or the IAO must provide documented approval.

Example fix:
Hex value: 1da00
Nibble position: 54321

To apply the fix in this example, the hex digit "a" in nibble position 3 and the hex digit "d" in nibble position 4 are both changed to "0", giving a final hex value of 10000.
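The nibble edit above can be done without hand-editing hex in regedit. The PowerShell below is an added example, not part of the STIG text or any DISA-provided script. It assumes the nibble numbering counts from the least-significant hex digit as position 1 (matching the "1da00 / 54321" illustration), that the value is a REG_DWORD, and that user hives are reached through the HKEY_USERS provider path; the SID used in the usage line is a placeholder. It first verifies the arithmetic against the STIG's own example (0x1da00 becomes 0x10000), then audits every loaded user hive and reports which ones would be findings.

```powershell
# Added example (not from the STIG): audit and remediate nibble positions 3 and 4
# of the WinTrust "Software Publishing\State" value per user hive.
# Assumptions: nibble 1 is the least-significant hex digit (so nibbles 3 and 4 are
# bits 8..15), State is a REG_DWORD, hives are addressed as Registry::HKEY_USERS\<SID>.

# Bits 8..15 are nibble positions 3 and 4; keeping every other bit clears them.
$script:KeepMask = [uint32]0xFFFF00FF

function Get-HardenedWinTrustState {
    param([Parameter(Mandatory)][uint32]$State)
    # Clear nibbles 3 and 4 and leave the rest of the value untouched.
    return [uint32]($State -band $script:KeepMask)
}

function Test-WinTrustStateCompliant {
    param([Parameter(Mandatory)][uint32]$State)
    # Compliant when both nibbles are already zero.
    return (($State -band 0xFF00) -eq 0)
}

function Get-WinTrustKeyPath {
    param([Parameter(Mandatory)][string]$Sid)
    return "Registry::HKEY_USERS\$Sid\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing"
}

function Get-WinTrustState {
    param([Parameter(Mandatory)][string]$Sid)
    $item = Get-ItemProperty -Path (Get-WinTrustKeyPath $Sid) -Name State -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # key or value absent for this profile
    # REG_DWORD comes back as Int32; reinterpret the low 32 bits as unsigned.
    return [uint32]($item.State -band 0xFFFFFFFF)
}

function Set-WinTrustStateForSid {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Sid)
    $key = Get-WinTrustKeyPath $Sid
    $current = Get-WinTrustState -Sid $Sid
    if ($null -eq $current) { Write-Warning "No State value under $key"; return }
    $desired = Get-HardenedWinTrustState -State $current
    if ($desired -eq $current) { return }   # already compliant, nothing to write
    # Reinterpret the unsigned value as Int32 so the DWord write never overflows.
    $dword = [BitConverter]::ToInt32([BitConverter]::GetBytes($desired), 0)
    if ($PSCmdlet.ShouldProcess($key, ('Set State 0x{0:x} -> 0x{1:x}' -f $current, $desired))) {
        Set-ItemProperty -Path $key -Name State -Value $dword -Type DWord
    }
}

function Get-LoadedUserSids {
    # Only real user hives (S-1-5-21-...), skipping the *_Classes companions.
    Get-ChildItem -Path Registry::HKEY_USERS |
        Select-Object -ExpandProperty PSChildName |
        Where-Object { $_ -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }
}

# Self-check against the STIG's worked example before touching any registry.
$after = Get-HardenedWinTrustState -State ([uint32]0x1da00)
if ($after -ne 0x10000) { throw "Nibble mask is wrong: got 0x$('{0:x}' -f $after)" }
if (Test-WinTrustStateCompliant -State ([uint32]0x1da00)) { throw 'Compliance test is wrong' }

# Audit every loaded profile and flag the ones that would be findings.
foreach ($sid in Get-LoadedUserSids) {
    $state = Get-WinTrustState -Sid $sid
    if ($null -eq $state) { continue }
    $status = if (Test-WinTrustStateCompliant -State $state) { 'compliant' } else { 'FINDING' }
    '{0}  State=0x{1:x}  {2}' -f $sid, $state, $status
}

# Remediate one profile (placeholder SID); drop -WhatIf to apply the change.
# Set-WinTrustStateForSid -Sid 'S-1-5-21-PLACEHOLDER' -WhatIf
```

Run it elevated so HKEY_USERS is writable. Profiles that are not logged on are not loaded under HKEY_USERS, so those hives (NTUSER.DAT) must be loaded with reg load or handled through a logon script before the same edit applies to them. The function only clears bits 8..15 and preserves everything else, which is exactly the "change nibble positions 3 and 4 to 0" step in the fix text and nothing more.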