Windows must be configured to check the time stamp servers certificate for revocation.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-7066	APPNET0051	SV-7449r3_rule	DCSL-1	Medium

Description
Microsoft Windows operating systems provide a feature called Authenticode. Authenticode technology and its underlying code signing mechanisms serve to provide a mechanism to identify software publishers and ensure that software applications have not been tampered with. Authenticode technology relies on digital certificates and is based on Public Key Cryptography Standards (PKCS) #7 (encrypted key specification), PKCS #10 (certificate request formats), X.509 (certificate specification), and Secure Hash Algorithm (SHA) and MD5 hash algorithms. .Net application developers sign their application code with their public key and Authenticode technology performs certificate validation tasks prior to allowing the application to run. As part of the overall signing process, a trusted time stamp server also digitally signs the assembly. The time stamp server's signature confirms the developer's certificate was valid at the time the developer signed the assembly. If the system is not configured properly, Authenticode will not check for revocation of the time stamp server’s certificate. Not checking for certificate revocation creates a risk that could lead to a loss of system integrity.

Description

Microsoft Windows operating systems provide a feature called Authenticode. Authenticode technology and its underlying code signing mechanisms serve to provide a mechanism to identify software publishers and ensure that software applications have not been tampered with. Authenticode technology relies on digital certificates and is based on Public Key Cryptography Standards (PKCS) #7 (encrypted key specification), PKCS #10 (certificate request formats), X.509 (certificate specification), and Secure Hash Algorithm (SHA) and MD5 hash algorithms. .Net application developers sign their application code with their public key and Authenticode technology performs certificate validation tasks prior to allowing the application to run. As part of the overall signing process, a trusted time stamp server also digitally signs the assembly. The time stamp server's signature confirms the developer's certificate was valid at the time the developer signed the assembly. If the system is not configured properly, Authenticode will not check for revocation of the time stamp server’s certificate. Not checking for certificate revocation creates a risk that could lead to a loss of system integrity.

STIG	Date
Microsoft Dot Net Framework 4.0 STIG	2015-09-15

Details

Check Text ( None )
None

Fix Text (F-12607r12_fix)
Using regedit, change the hexadecimal value of the "HKEY_USER\[UNIQUE USER SID VALUE]\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State" registry key. For production systems, change the hexadecimal value for nibble position 5 to "1". For development systems, change the hexadecimal value for nibble position 5 to "1" or the IAO must provide documented approval. Example fix: Hex value: d0000 Nibble position: 54321 To apply fix, the example hex value "d" in nibble position 5 would be changed to a hex value of "1" resulting in a hex value of 10000.

Fix Text (F-12607r12_fix)

Using regedit, change the hexadecimal value of the "HKEY_USER\[UNIQUE USER SID VALUE]\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State" registry key.

For production systems, change the hexadecimal value for nibble position 5 to "1".

For development systems, change the hexadecimal value for nibble position 5 to "1" or the IAO must provide documented approval.

Example fix:
Hex value: d0000
Nibble position: 54321
To apply fix, the example hex value "d" in nibble position 5 would be changed to a hex value of "1" resulting in a hex value of 10000.