PC presentation or application sharing capabilities are not properly limited.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-19625	VVoIP 1725	SV-21766r2_rule		Medium

Description
Visual collaboration often requires the sharing or display of presentations, open documents, and white board information to one or more communicating endpoints. While the technology for doing this is different between hardware based endpoints and PC based application endpoints, the vulnerability it creates is the same. In both cases, the displayed information typically resides on a PC. While in presentation/sharing mode, care must be exercised so that the PC user does not inadvertently display and transmit information on their workstation that is not part of the communications session and not intended to be viewed by the other communicating parties. Users must be aware that anything they display on their PC monitor while presenting to a communications session may be displayed on the other communicating endpoints. This is particularly true when the PC video output is connected to a VTC CODEC since the information will be displayed on all of the conference monitors. This presentation/sharing feature could result in the disclosure of sensitive or classified information to individuals that do not have a validated need-to-know or have the proper clearance to view the information. Thus, the presentation/sharing feature presents a vulnerability to other information displayed on the PC, if the feature is misused. This is a problem when sharing (displaying) a PC desktop via any collaboration tool using any connection method. There is little that can be done to mitigate this vulnerability other than to develop policy and procedures to present to collaborative communications sessions. All users that perform this function must have awareness of the issues and be trained in the proper operational procedures. Such procedures may require that there be no non-session related documents or windows open or minimized on the PC while presenting or sharing. An additional requirement may be that the user may not permit others in a session to remotely control their PC. A similar issue is that some PC based collaboration applications can permit a user to allow other session participants to remotely control their PC. Depending upon how this feature is implemented and limited, it could lead to undesired activities on the part of the person in control and possible compromise of information that is external to the collaboration session. This would be the case if such sharing or remote control provided access to the local hard drive and non session related applications or network drives accessible from the controlled PC.

Description

Visual collaboration often requires the sharing or display of presentations, open documents, and white board information to one or more communicating endpoints. While the technology for doing this is different between hardware based endpoints and PC based application endpoints, the vulnerability it creates is the same. In both cases, the displayed information typically resides on a PC. While in presentation/sharing mode, care must be exercised so that the PC user does not inadvertently display and transmit information on their workstation that is not part of the communications session and not intended to be viewed by the other communicating parties. Users must be aware that anything they display on their PC monitor while presenting to a communications session may be displayed on the other communicating endpoints. This is particularly true when the PC video output is connected to a VTC CODEC since the information will be displayed on all of the conference monitors. This presentation/sharing feature could result in the disclosure of sensitive or classified information to individuals that do not have a validated need-to-know or have the proper clearance to view the information. Thus, the presentation/sharing feature presents a vulnerability to other information displayed on the PC, if the feature is misused. This is a problem when sharing (displaying) a PC desktop via any collaboration tool using any connection method. There is little that can be done to mitigate this vulnerability other than to develop policy and procedures to present to collaborative communications sessions. All users that perform this function must have awareness of the issues and be trained in the proper operational procedures. Such procedures may require that there be no non-session related documents or windows open or minimized on the PC while presenting or sharing. An additional requirement may be that the user may not permit others in a session to remotely control their PC. A similar issue is that some PC based collaboration applications can permit a user to allow other session participants to remotely control their PC. Depending upon how this feature is implemented and limited, it could lead to undesired activities on the part of the person in control and possible compromise of information that is external to the collaboration session. This would be the case if such sharing or remote control provided access to the local hard drive and non session related applications or network drives accessible from the controlled PC.

STIG	Date
Voice/Video over Internet Protocol (VVoIP) STIG	2019-03-18

Details

Check Text ( C-23918r1_chk )
Interview the IAO to validate compliance with the following requirement: Ensure PC based collaboration application sharing and remote control features or capabilities do not provide unrestricted access to other (i.e., non-shared) applications, the local hard drive(s), or other drives accessible through the network. In other words, the collaboration application will not provide, or will be configured to not provide, full remote control of the host (i.e., shared) PC. Sharing capabilities will be limited to the collaboration application and other applications or documents (e.g., document based applications and documents launched by the host PC user) specifically shared by the host PC user. Inspect or have a SA demonstrate the configuration and capabilities of the collaboration tool with respect to its sharing capabilities. This is a finding if the following is not met: > PC based collaboration application sharing and remote control features or capabilities will not provide unrestricted access to other (i.e., non shared) applications, the local hard drive(s), or other drives accessible through the network. For example, the collaboration application will not provide, or will be configured to not provide, full remote control of the host (i.e., shared) PC. > Sharing capabilities will be limited to the collaboration application, and other applications or documents specifically shared by the host PC user. (e.g., document based applications and documents launched by the host PC user)

Check Text ( C-23918r1_chk )

Interview the IAO to validate compliance with the following requirement:

Ensure PC based collaboration application sharing and remote control features or capabilities do not provide unrestricted access to other (i.e., non-shared) applications, the local hard drive(s), or other drives accessible through the network. In other words, the collaboration application will not provide, or will be configured to not provide, full remote control of the host (i.e., shared) PC. Sharing capabilities will be limited to the collaboration application and other applications or documents (e.g., document based applications and documents launched by the host PC user) specifically shared by the host PC user.

Inspect or have a SA demonstrate the configuration and capabilities of the collaboration tool with respect to its sharing capabilities. This is a finding if the following is not met:
> PC based collaboration application sharing and remote control features or capabilities will not provide unrestricted access to other (i.e., non shared) applications, the local hard drive(s), or other drives accessible through the network. For example, the collaboration application will not provide, or will be configured to not provide, full remote control of the host (i.e., shared) PC.
> Sharing capabilities will be limited to the collaboration application, and other applications or documents specifically shared by the host PC user. (e.g., document based applications and documents launched by the host PC user)

Fix Text (F-20329r1_fix)
Ensure PC based collaboration application sharing and remote control features or capabilities do not provide unrestricted access to other (i.e., non-shared) applications, the local hard drive(s), or other drives accessible through the network. In other words, the collaboration application will not provide, or will be configured to not provide, full remote control of the host (i.e., shared) PC. Sharing capabilities will be limited to the collaboration application and other applications or documents (e.g., document based applications and documents launched by the host PC user) specifically shared by the host PC user. Configure PC collaboration applications of all forms to not provide full remote control access to the host PC. Limit access to the applications relevant to the collaboration session or the video display. Train users in proper operation of the sharing capabilities. If necessary, limit or deny access to collaboration applications that do not or cannot be configured to not provide full PC remote control as described above.

Fix Text (F-20329r1_fix)

Ensure PC based collaboration application sharing and remote control features or capabilities do not provide unrestricted access to other (i.e., non-shared) applications, the local hard drive(s), or other drives accessible through the network. In other words, the collaboration application will not provide, or will be configured to not provide, full remote control of the host (i.e., shared) PC. Sharing capabilities will be limited to the collaboration application and other applications or documents (e.g., document based applications and documents launched by the host PC user) specifically shared by the host PC user.

Configure PC collaboration applications of all forms to not provide full remote control access to the host PC. Limit access to the applications relevant to the collaboration session or the video display. Train users in proper operation of the sharing capabilities. If necessary, limit or deny access to collaboration applications that do not or cannot be configured to not provide full PC remote control as described above.