Gold Disk Release Notes
Content Updates
Version 2.0
October 2010
DISA Field Security Operations
UNCLASSIFIED

Gold Disk V2 October 2010 Release

- In addition to Symantec Endpoint Protection signature updates, added automatic detection of Symantec AntiVirus Corporate Edition signature updates when installed on Windows Vista systems
- Added prescan detection for Office 2007 SP2
- Removed automation for V0001135-Printer Share Permissions until further notice due to a false positive
- Automated V0004107-Unsupported OS for Windows 2000 systems
- Modified automation for V0001077-Incorrect ACLs for Event Logs due to a false positive on Windows Server 2008 systems
- Updated previously automated IAVMs
  o 2007-A-0020 (V0013883)
  o 2007-A-0031 (V0014220)
  o 2008-A-0005 (V0015742)
  o 2008-A-0064 (V0017342)
  o 2008-A-0087 (V0017909)
  o 2008-A-0086 (V0017910)
  o 2009-A-0019 (V0018549)
  o 2009-A-0071 (V0019884)
  o 2009-A-0074 (V0019914)
  o 2009-A-0097 (V0021756)
- Automated the following IAVMs
  o 2010-A-0100 (V0025027)
  o 2010-A-0112 (V0025059)
  o 2010-A-0107 (V0025061)
  o 2010-A-0104 (V0025066)
  o 2010-A-0103 (V0025067)
  o 2010-A-0111 (V0025068)
  o 2010-A-0110 (V0025069)
  o 2010-A-0106 (V0025071)
  o 2010-A-0108 (V0025073)
  o 2010-A-0109 (V0025076)
  o 2010-A-0113 (V0025081)
  o 2010-A-0120 (V0025353)
  o 2010-A-0121 (V0025357)
  o 2010-A-0122 (V0025359)
  o 2010-A-0123 (V0025360)
  o 2010-A-0125 (V0025361)
  o 2010-A-0124 (V0025362)
  o 2010-B-0063 (V0025072)
  o 2010-B-0064 (V0025074)
  o 2010-B-0062 (V0025075)
  o 2010-B-0076 (V0025344)
  o 2010-B-0077 (V0025345)
  o 2010-B-0078 (V0025347)
- Automated for Applicability based on Prescan
  o 2010-A-0101 (V0025058)
  o 2010-A-0116 (V0025175)
  o 2010-A-0119 (V0025193)
  o 2010-B-0072 (V0025180)
  o 2010-B-0074 (V0025183)

Gold Disk V2 August 2010 Release

- Added automated checking for IPv6 Transition Technologies (V0014262) on Windows XP and Windows Server 2003. Updated automated checking and fix for Windows Vista and Windows Server 2008
- Added automated checking for Internet Information System (V0003347) on Windows XP and Windows Vista
- Added automated checking for Bad Logon Counter Reset (V0001098) on Windows Server 2003
- Added automated checking for Display Shutdown Button (V0001075) on Windows Vista
- Added automated checking for Clear System Pagefile (V0001084) on Windows Vista
- Added automated checking for Unencrypted Pwd sent to SMB Svr (V0001141) on Windows Server 2008
- Added automated checking for Smart Card Removal Option (V0001098) on Windows Server 2008
- Updated IAVM 2010-B-0013 ensuring applicability only to domain controllers
- Updated previously automated IAVMs
  o 2007-A-0030 (V0014219)
  o 2008-A-0014 (V0015761)
  o 2008-A-0041 (V0016040)
  o 2008-A-0056 (V0016740)
  o 2008-A-0061 (V0016738)
  o 2008-A-0077 (V0017780)
  o 2008-A-0081 (V0017870)
  o 2009-A-0039 (V0019159)
  o 2009-A-0044 (V0019398)
  o 2009-A-0046 (V0019399)
  o 2009-A-0120 (V0021933)
  o 2007-B-0005 (V0013604)
- Automated the following IAVMs
  o 2010-A-0074 (V0024369)
  o 2010-A-0075 (V0024370)
  o 2010-A-0078 (V0024371)
  o 2010-A-0076 (V0024372)
  o 2010-A-0077 (V0024374)
  o 2010-A-0079 (V0024377)
  o 2010-A-0095 (V0024848)
  o 2010-A-0094 (V0024850)
  o 2010-A-0093 (V0024852)
  o 2010-B-0045 (V0024366)
  o 2010-B-0046 (V0024367)
  o 2010-B-0047 (V0024368)
- Automated for Applicability based on Prescan
  o 2010-A-0082 (V0024385)
  o 2010-A-0092 (V0024849)
  o 2010-A-0089 (V0024851)
  o 2010-A-0090 (V0024853)
  o 2010-A-0091 (V0024855)
  o 2010-A-0098 (V0024857)
  o 2010-A-0096 (V0024859)
  o 2010-B-0048 (V0024388)
  o 2010-B-0054 (V0024858)

Gold Disk V2 June 2010 Release

- Added prescan detection for Email Server roles to resolve an issue importing VMS 6.x reports for systems running Exchange Server 2003 and Exchange Server 2008.
- Updated automated checks for V0001148 to ensure applicability only for workstations that are part of a domain.
- Updated automated checking for User Rights (V0001103) on Windows Server 2003 Member Server
- Updated automated checking for IPv6 Transition Technologies (V0014262) on Windows Vista and Windows Server 2008
- Updated previously automated IAVMs
  o 2008-A-0058 (V0016741)
  o 2008-A-0090 (V0017935)
  o 2009-A-0032 (V0018752)
  o 2009-A-0034 (V0018756)
  o 2009-A-0078 (V0019913)
  o 2009-A-0077 (V0019917)
  o 2009-A-0090 (V0021749)
  o 2009-A-0095 (V0021760)
  o 2009-A-0117 (V0021936)
- Automated the following IAVMs
  o 2010-A-0056 (V0023959)
  o 2010-A-0054 (V0023963)
  o 2010-A-0058 (V0023995)
  o 2010-A-0053 (V0023999)
  o 2010-A-0052 (V0024002)
  o 2010-A-0057 (V0024003)
  o 2010-A-0055 (V0024004)
  o 2010-A-0068 (V0024076)
  o 2010-A-0070 (V0024160)
  o 2010-A-0080 (V0024375)
  o 2010-B-0029 (V0023955)
  o 2010-B-0030 (V0023956)
  o 2010-B-0031 (V0023957)
  o 2010-B-0039 (V0024168)
- Automated for Applicability based on Prescan
  o 2010-A-0047 (V0023856)
  o 2010-A-0065 (V0023996)
  o 2010-A-0066 (V0023997)
  o 2010-A-0069 (V0024159)
  o 2010-B-0024 (V0023821)
  o 2010-B-0032 (V0023954)
  o 2010-B-0033 (V0024010)
  o 2010-B-0037 (V0024163)
  o 2010-B-0038 (V0024166)
  o 2010-B-0041 (V0024206)
  o 2010-B-0044 (V0024322)

Gold Disk V2 April 2010 Release

- Added prescan detection and support for IIS 7.0 installation to resolve an issue importing VMS 6.x reports for Windows Vista or Server 2008 systems running IIS 7.0.
- Updated automated checks for V0006318 to accept installation of the DOD Root Certificates by means other than the InstallRoot application as a valid solution.
- Updated automated checking for WA000-WI6082 (V0013715) to correct the required value
- Updated automated checking for Recycle Bin (V0001126) on Windows Server 2008
- Updated automated checking for UAC - User Elevation Prompt (V0014236) on Windows Server 2008
- Updated previously automated IAVMs
  o 2009-A-0115 (V0021938)
  o 2010-A-0014 (V0022522)
- Automated the following IAVMs
  o 2010-A-0014 (V0022522)
  o 2010-A-0023 (V0022677)
  o 2010-A-0024 (V0022678)
  o 2010-A-0025 (V0022679)
  o 2010-A-0026 (V0022680)
  o 2010-A-0027 (V0022681)
  o 2010-A-0028 (V0022682)
  o 2010-A-0029 (V0022683)
  o 2010-A-0030 (V0022684)
  o 2010-A-0031 (V0022685)
  o 2010-A-0032 (V0022686)
  o 2010-A-0038 (V0023711)
  o 2010-B-0014 (V0022674)
  o 2010-B-0013 (V0022675)
  o 2010-B-0012 (V0022676)
  o 2010-B-0020 (V0023719)
- Automated for Applicability based on Prescan
  o 2010-A-0018 (V0022666)
  o 2010-A-0019 (V0022667)
  o 2010-A-0035 (V0022695)
  o 2010-B-0010 (V0022672)
  o 2010-B-0011 (V0022673)
  o 2010-B-0015 (V0022698)

Gold Disk V2 February 2010 Release

- Added prescan detection and support for Windows Server 2008 x86 and x64. The release includes Server 2008 automation for all relevant STIG checks and for the latest applicable IAVMs published during this release cycle. Automation for the remaining IAVMs will be included in subsequent releases. Windows Server 2008 R2 is not supported by Gold Disk at this time.
- Updated automated checking and remediation for V0001073 to reflect the required service pack level for Windows Vista and Windows Server 2008.
- Updated automated checking for V0001074 to reflect a change in the required minimum antivirus signature update
- Added automated checking and remediation for Internet Explorer 7 check DTBI300 (V0021887)
- Updated previously automated IAVMs
  o 2008-A-0044 (V0016147)
  o 2009-A-0018 (V0018553)
- Automated the following IAVMs
  o 2009-A-0128 (V0021551)
  o 2009-A-0098 (V0021755)
  o 2009-A-0129 (V0022099)
  o 2009-A-0125 (V0022100)
  o 2009-A-0126 (V0022101)
  o 2010-A-0003 (V0022244)
  o 2010-A-0014 (V0022522)
  o 2009-B-0054 (V0021747)
  o 2009-B-0064 (V0022096)
- Automated for Applicability based on Prescan
  o 2009-A-0123 (V0022059)
  o 2009-A-0124 (V0022060)
  o 2009-A-0130 (V0022094)
  o 2009-A-0134 (V0022103)
  o 2010-A-0006 (V0022237)
  o 2010-A-0005 (V0022239)
  o 2010-A-0007 (V0022241)
  o 2010-A-0004 (V0022243)
  o 2010-A-0010 (V0022245)
  o 2010-A-0011 (V0022380)
  o 2009-B-0062 (V0022064)
  o 2009-B-0065 (V0022105)
  o 2009-B-0066 (V0022106)
  o 2010-B-0007 (V0022644)

Gold Disk V2 December 2009 Release

- Updated 34 Microsoft Office 2007 STIG vulnerabilities so that they are found only under the Office 2007 System tree within Gold Disk. Previously the same vulnerabilities also appeared under the trees of the individual Office 2007 components (Excel 2007, Outlook 2007, etc.).
- Updated automated checking for V0017521-DTOO139 to include additional accepted values.
- Updated Office 2007 STIG checks to include automated fixes
  o DTOO104 (V0017173)
  o DTOO111 (V0017174)
  o DTOO117 (V0017175)
  o DTOO123 (V0017183)
  o DTOO129 (V0017184)
- Added Prescan NA detection for the following:
  o Cisco VPN Client
  o Websense Products
  o VMware Products
  o IBM DB2
  o Adobe Shockwave
- Updated previously automated IAVMs
  o 2007-A-0029 (V0014218)
  o 2007-A-0047 (V0015303)
  o 2008-A-0028 (V0016015)
  o 2008-A-0085 (V0017908)
  o 2008-A-0086 (V0017910)
  o 2008-A-0089 (V0017912)
  o 2009-A-0002 (V0017997)
  o 2009-A-0013 (V0018388)
  o 2009-A-0044 (V0019398)
  o 2009-A-0046 (V0019399)
- Automated the following IAVMs
  o 2008-A-0077 (V0017780)
  o 2009-A-0071 (V0019884)
  o 2009-A-0092 (V0021743)
  o 2009-A-0091 (V0021744)
  o 2009-A-0090 (V0021749)
  o 2009-A-0094 (V0021752)
  o 2009-A-0096 (V0021754)
  o 2009-A-0097 (V0021756)
  o 2009-A-0095 (V0021760)
  o 2009-A-0120 (V0021933)
  o 2009-A-0118 (V0021934)
  o 2009-A-0119 (V0021935)
  o 2009-A-0117 (V0021936)
  o 2009-A-0116 (V0021937)
  o 2009-A-0115 (V0021938)
  o 2008-B-0081 (V0017914)
  o 2009-B-0052 (V0021742)
  o 2009-B-0054 (V0021747)
  o 2009-B-0053 (V0021750)
- Automated for Applicability based on Prescan
  o 2009-A-0100 (V0021741)
  o 2009-A-0101 (V0021863)
  o 2009-A-0102 (V0021864)
  o 2009-A-0103 (V0021865)
  o 2009-A-0104 (V0021866)
  o 2009-A-0105 (V0021867)
  o 2009-A-0106 (V0021883)
  o 2009-A-0109 (V0021885)
  o 2009-A-0110 (V0021888)
  o 2009-A-0108 (V0021889)
  o 2009-A-0112 (V0021926)
  o 2009-A-0111 (V0021927)
  o 2008-B-0061 (V0017346)
  o 2009-B-0015 (V0018638)
  o 2009-B-0016 (V0018766)
  o 2009-B-0021 (V0019297)
  o 2009-B-0048 (V0021682)
  o 2009-B-0055 (V0021886)
  o 2009-B-0056 (V0021890)
  o 2009-B-0059 (V0021981)
  o 2009-T-0005 (V0018124)
  o 2009-T-0019 (V0018637)
  o 2009-T-0031 (V0019298)

Gold Disk V2 October 2009 Release

- Updated manual prescan question prompting to include "3rd Party Firewalls". If "3rd Party Firewalls" is selected for prescan, all Windows Firewall vulnerabilities targeting Windows XP and Windows Vista are automatically marked as NA.
- Modified the antivirus fix to install Symantec Endpoint Protection in lieu of Symantec AntiVirus Corporate Edition when Symantec is selected as the preferred antivirus solution. NOTE: The 64-bit version of Symantec still requires a manual install at this time.
- Removed automated fixing via Gold Disk for all STIG vulnerabilities where the configuration lies within the HKCU registry hive. Making configuration changes within the HKCU registry hive via Gold Disk only fixes the vulnerability for the individual user account running the Gold Disk application; every other user profile on the system is left unchanged.
- Updated checking for V0002371 to include automated detection on Windows Vista.
- Updated checking for 2008-A-0044 (V0016147) to ensure the vulnerability is only applicable when DNS is installed
- Updated previously automated IAVMs
  o 2009-A-0018 (V0018549)
  o 2009-A-0020 (V0018554)
  o 2009-A-0032 (V0018752)
  o 2009-A-0034 (V0018756)
- Automated the following IAVMs
  o 2009-B-0036 (V0019878)
  o 2009-A-0067 (V0019882)
  o 2009-A-0068 (V0019881)
  o 2009-A-0070 (V0019883)
  o 2009-B-0035 (V0019880)
  o 2009-B-0037 (V0019879)
  o 2009-A-0074 (V0019914)
  o 2009-A-0075 (V0019915)
  o 2009-A-0076 (V0019916)
  o 2009-A-0077 (V0019917)
  o 2009-A-0078 (V0019913)
- Automated for Applicability based on Prescan
  o 2008-A-0045 (V0016170)
  o 2009-A-0003 (V0017999)
  o 2009-A-0009 (V0018005)
  o 2009-A-0016 (V0018403)
  o 2009-T-0023 (V0018849)
  o 2009-B-0019 (V0019154)
  o 2009-A-0041 (V0019229)
  o 2009-A-0060 (V0019802)
  o 2009-A-0062 (V0019827)
  o 2009-A-0061 (V0019825)
  o 2009-A-0081 (V0021499)
  o 2009-B-0044 (V0021502)
  o 2009-T-0050 (V0021503)
  o 2008-B-0073 (V0017742)
- Automated the following Miscellaneous Security Updates
  o MS09-025
  o MS09-040
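The HKCU item above is worth seeing in practice. The script below is an added example (not Gold Disk code and not part of the original release notes): it shows that HKCU is only a view of HKEY_USERS keyed by the SID of the account running the process, and audits one per-user value across every local profile, temporarily loading the NTUSER.DAT of users who are logged off. Run it from an elevated prompt. The key path and value name under $RelativeKey are placeholders chosen for illustration, not a specific STIG setting.

```powershell
# Added example, not Gold Disk code. HKCU resolves to HKEY_USERS\<SID of the
# account running this process>, so a fix written there changes one profile.
# This script only reads; it never writes to any user hive.
# The key and value names below are placeholders (assumption), not a STIG item.

$RelativeKey = 'Software\Policies\Example\Hardening'   # placeholder path (assumption)
$ValueName   = 'Enabled'                               # placeholder value (assumption)
$Expected    = 1

function Get-UserValue {
    param([string]$HiveRoot)   # 'HKEY_USERS\S-1-5-21-...' or a temporary mount name
    $item = Get-ItemProperty -Path "Registry::$HiveRoot\$RelativeKey" `
                             -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

$mySid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
Write-Host "HKCU in this process is HKEY_USERS\$mySid"

# Every local profile, from ProfileList (maps each SID to its profile directory).
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$profiles = Get-ChildItem $profileList | Where-Object { $_.PSChildName -like 'S-1-5-21-*' }

foreach ($p in $profiles) {
    $sid     = $p.PSChildName
    $dir     = (Get-ItemProperty $p.PSPath).ProfileImagePath
    $ntuser  = Join-Path $dir 'NTUSER.DAT'
    $mounted = $null

    if (Test-Path "Registry::HKEY_USERS\$sid") {
        $root = "HKEY_USERS\$sid"                 # user is logged on; hive already loaded
    } else {
        # Logged-off user: mount the on-disk hive under a temporary HKU subkey.
        $mounted = "GDAUDIT_$($sid.Split('-')[-1])"
        & reg.exe load "HKU\$mounted" $ntuser | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Host "$sid  hive not loadable ($ntuser)"; continue }
        $root = "HKEY_USERS\$mounted"
    }

    $val = Get-UserValue $root
    if ($null -eq $val)         { $state = 'NOT SET' }
    elseif ($val -eq $Expected) { $state = 'COMPLIANT' }
    else                        { $state = "NONCOMPLIANT ($val)" }
    $note = if ($sid -eq $mySid) { '<- the only profile an HKCU write would touch' } else { '' }
    Write-Host ("{0}  {1,-22} {2}" -f $sid, $state, $note)

    if ($mounted) {
        [gc]::Collect()                            # release cached key handles, or unload fails
        & reg.exe unload "HKU\$mounted" | Out-Null
    }
}
```

The durable way to apply a per-user setting to everyone is a policy that Group Policy writes into each user's hive at logon, or a machine-wide equivalent under HKLM where one exists; a tool run interactively under one account cannot do either, which is why the release withdrew those fixes rather than leave a finding that looked closed for one user and open for the rest.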

Gold Disk V2 August 2009 Release

- Added DVD3 to incorporate Windows Vista patches
- Enhanced the Gold Disk 2.0 engine to run patch files other than ".exe" files. The engine can now execute ".msu" files used to patch Windows Vista.
- The launcher.exe file has been removed. PGD.exe should be used instead. Prior to the June 2009 release, the Gold Disk 2.0 engine had been modified to allow the 32-bit version (PGD.exe) to automatically launch the 64-bit version (PGD64.exe) on a 64-bit system.
- Added prescan detection for:
  o Windows Vista Service Pack 2
  o Internet Explorer 8
  o Windows Internet Name Service (WINS)
- Automated checks and fixing for (applicable to IE7 on Windows Vista only):
  o DTBI485 (V0015527)
  o DTBI490 (V0015528)
- Updated checking
  o DTOO212 (V0017581)
  o DTOO267 (V0017778)
- Updated checking for V0003383 to check correctly on Windows Vista
- Updated checking for V0003472 (Windows Time Service). The vulnerability is reported as closed if the value is blank or does not exist, and as open if the value is not blank. An open finding can be closed manually if the configured value is an authorized time server.
- Updated checking for 2008-B-0075 (V0017793)
- Updated checking and patching for 2009-A-0018 (V0018553)
- Automated the following IAVMs
  o 2009-A-0043 (V0019405)
  o 2009-A-0046 (V0019399)
  o 2009-A-0049 (V0019589)
  o 2009-A-0050 (V0019756)
  o 2009-A-0051 (V0019757)
  o 2009-A-0052 (V0019758)
  o 2009-A-0059 (V0019796)
  o 2009-B-0022 (V0019400)
  o 2009-B-0023 (V0019403)
  o 2009-B-0024 (V0019401)
  o 2009-B-0031 (V0019760)
  o 2009-B-0032 (V0019759)
  o 2009-T-0032 (V0019397)
- Automated for Applicability based on Prescan
  o 2009-A-0042 (V0019404)
  o 2009-A-0053 (V0019762)
  o 2009-A-0054 (V0019761)
  o 2009-A-0055 (V0019763)
  o 2009-A-0056 (V0019764)
  o 2009-A-0057 (V0019765)
  o 2009-A-0058 (V0019768)
  o 2009-B-0020 (V0019296)
  o 2009-B-0028 (V0019437)
  o 2009-T-0034 (V0019481)
  o 2009-T-0038 (V0019458)
  o 2009-T-0043 (V0019770)
- Automated checking for the following on Windows Vista:
  o V0014234, V0014235, V0014236, V0014237, V0014239, V0014240, V0014241, V0014242
  o V0017374, V0014230, V0014243, V0014250, V0015700, V0015701, V0015702, V0015703
  o V0015704, V0015705, V0015706, V0015708, V0015709, V0015710, V0015711, V0015712
  o V0015713, V0015714, V0015715, V0015716, V0015717, V0015718, V0015719, V0015720
  o V0015721, V0015722, V0015723, V0015724
  o V0015725, V0015726, V0015727, V0016020
  o V0016021, V0016048, V0014262, V0015696
  o V0015697, V0015698, V0015699, V0014231
  o V0014232, V0016047, V0014248, V0014249, V0015707, V0017415, V0017416, V0017417, V0017418, V0017419
  o V0017420, V0017421, V0017422, V0017423, V0017424, V0017425, V0017426, V0017427, V0017428, V0017429
  o V0017430, V0017431, V0017432, V0017433, V0017434, V0017435, V0017436, V0017437, V0017438, V0017439
  o V0017440, V0017441, V0017442, V0017443, V0017444, V0017445, V0017446, V0017447
- Automated patching for V0001073 on Windows Vista
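The V0003472 decision rule in the August 2009 list (blank or absent means closed, anything else means open, an authorized server is closed by hand) is simple enough to restate as code, and doing so makes the manual step explicit. The script below is an added example, not Gold Disk code: it assumes the check reads the NtpServer value under the W32Time Parameters key, and the authorized server list is a constructed sample to be replaced by the site's own.

```powershell
# Added example, not Gold Disk code. Reproduces the V0003472 rule the release
# note describes (NtpServer blank/absent => closed, anything else => open) and
# adds the allowlist comparison the note leaves to manual review.
# Assumption: the check reads NtpServer under the W32Time Parameters key.

$W32TimeKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$Authorized = @('ntp1.example.mil', 'ntp2.example.mil')   # constructed sample allowlist

function Test-TimeServerSetting {
    param(
        [string]$NtpServer,            # raw registry value; $null or '' if absent
        [string[]]$AuthorizedServers
    )
    if ([string]::IsNullOrWhiteSpace($NtpServer)) {
        return 'NotAFinding: NtpServer blank or absent'
    }
    # NtpServer is a space-separated list; each entry may carry a ",0x9"-style flag suffix.
    $hosts = $NtpServer.Split(' ', [StringSplitOptions]::RemoveEmptyEntries) |
             ForEach-Object { $_.Split(',')[0].ToLowerInvariant() }
    $unknown = @($hosts | Where-Object { $AuthorizedServers -notcontains $_ })
    if ($unknown.Count -gt 0) {
        return "Open: unauthorized time source(s) $($unknown -join ', ')"
    }
    return "NotAFinding (manual close): authorized source(s) $($hosts -join ', ')"
}

# Live check of this host.
$params = Get-ItemProperty -Path $W32TimeKey -ErrorAction SilentlyContinue
Write-Host "Type      : $($params.Type)"       # NT5DS = domain hierarchy; NTP = uses the NtpServer list
Write-Host "NtpServer : $($params.NtpServer)"
Write-Host "Result    : $(Test-TimeServerSetting $params.NtpServer $Authorized)"

# What the service is actually synchronizing from (Windows Vista / Server 2008 and later).
Write-Host "w32tm     : $(& w32tm.exe /query /source 2>&1)"

# Constructed values exercising each branch of the rule.
Test-TimeServerSetting $null $Authorized
Test-TimeServerSetting 'ntp1.example.mil,0x9 ntp2.example.mil,0x9' $Authorized
Test-TimeServerSetting 'time.windows.com,0x9' $Authorized
```

One caveat the registry alone does not reveal: the NtpServer list is only consulted when Type is NTP. A domain member normally runs with Type set to NT5DS and syncs from the domain hierarchy, while NtpServer may still hold an out-of-box value, so the "open" result is exactly the case the note expects a reviewer to close manually; comparing against `w32tm /query /source` shows which source is really in use.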

Gold Disk V2 June 2009 Release

- Enhanced the Gold Disk 2.0 engine to run on Windows Vista x86 and Windows Vista x64. NOTE: This release detects and patches several STIG vulnerabilities; subsequent Gold Disk V2 releases will include IAVM and additional STIG automation.
- Modified the Gold Disk 2.0 engine to use the manifest file so that the application automatically escalates privileges to administrator on Vista when those privileges are present in the login. This eliminates the need to start Gold Disk via the right-click option 'Run as Administrator'.
- Modified the Gold Disk 2.0 engine to allow the 32-bit version (PGD.exe) to automatically launch the 64-bit version (PGD64.exe) on a 64-bit system. The launcher.exe file is now optional and will be removed in a future release.
- Modified the Gold Disk 2.0 engine to accurately display the findings for V0001103 and other User Rights STIG vulnerabilities
- DVD2/CD9 now includes the 32-bit and 64-bit client installation files for Symantec Endpoint Protection. The Symantec AntiVirus Corporate Edition client install is still the default Symantec application when remediating V0001074-Approved DOD Virus Scan Program; Symantec Endpoint Protection must be installed manually. NOTE: Symantec AntiVirus Corporate Edition will not install on Windows Vista.
- Updated manual prescan question prompting to include IBM WebSphere
- Modified checking for RSS Attachment Downloads (V0015682) to check on all service pack levels of Windows XP
- Modified checking to match updated checklist requirements for Password Protected Screen Savers (V0001122)
- Automated checks and fixing for DTBI705 (V0015577)
- Updated checking
  o DTOO212 (V0017581)
  o DTOO267 (V0017778)
- Updated checking and fixing of 2009-A-0002 (V0017997) to ensure patch checking for all applicable service packs
- Automated the following IAVMs
  o 2009-A-0032 (V0018752)
  o 2009-A-0033 (V0018755)
  o 2009-A-0034 (V0018756)
  o 2009-T-0021 (V0018776)
  o 2009-T-0022 (V0018781)
  o 2009-A-0039 (V0019159)
- Automated for Applicability based on Prescan
  o 2009-T-0018 (V0018612)
  o 2009-T-0029 (V0019231)
  o 2009-A-0027 (V0018785)
  o 2009-A-0028 (V0018793)
  o 2009-A-0029 (V0018797)
  o 2009-A-0030 (V0018798)
  o 2009-A-0036 (V0018848)
  o 2009-B-0018 (V0018969)
  o 2009-T-0027 (V0019160)
- Automated the following Miscellaneous Security Updates
  o MS09-012
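The "manifest file" in the June 2009 list is the Windows application manifest, embedded in the executable as an RT_MANIFEST resource or placed beside it as PGD.exe.manifest. The fragment below is an added illustration of what such a manifest contains; it is not the manifest shipped with Gold Disk, and the assembly name and version in it are assumed.

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <!-- Identity values are assumed for illustration; they are not Gold Disk's. -->
  <assemblyIdentity type="win32" name="DISA.GoldDisk.PGD" version="2.0.0.0"
                    processorArchitecture="x86"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <!--
          requireAdministrator: UAC elevates at launch. A member of the
          Administrators group gets a consent prompt; a standard user gets a
          credential prompt. highestAvailable also matches the note's wording
          ("when these privileges are present in the login") but silently runs
          a standard user unelevated, so a hardening tool would then fail
          part-way when it writes HKLM or local security policy. asInvoker,
          the default without a manifest, never elevates.
        -->
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
```

Two practical points: an external PGD.exe.manifest is ignored if the executable already carries an embedded manifest, and the SDK tool embeds one with `mt.exe -manifest PGD.exe.manifest -outputresource:PGD.exe;#1`. Which of the two elevation levels Gold Disk actually used is not stated in the release notes.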

Gold Disk V2 April 2009 Release

- Updated manual prescan question prompting
- Added vulnerability for Windows DNS and BIND (manual review at this time)
- Updated the V0001073 Service Pack check for Windows 2003 to make SP1 or less a CAT I per the checklist
- Modified Local Users Exist on a workstation (V0001148) to report all user accounts that are found. Manual review will be needed to validate that any accounts found are authorized
- Modified checking and fixing to match updated checklist requirements
  o DTBI355 (V0015500)
  o DTBI675 (V0015563)
  o DTBI010 (V0017296)
- Updated checking and fixing of Disable Media Autoplay (V0002374) to ensure that a prerequisite patch is applied
- New prescan for Microsoft Expression Web
- New prescan for McAfee 8.7i. Additionally, the GD will install this version if remediating V0001074 and the user chooses McAfee
- New prescan for .NET 3.0 and .NET 3.5. Note that for vulnerability purposes, .NET 2.0, 3.0, and 3.5 are treated as mutually exclusive: only the latest version found is displayed in prescan and for vulnerabilities
- Moved 34 Office 2007 vulnerabilities to a new target of Microsoft Office System 2007
- Removed automation for IAVM 2008-A-0088
- Automated the following IAVMs
  o 2008-B-0058 (V0017345)
  o 2009-A-0013 (V0018388)
  o 2009-B-0008 (V0018390)
  o 2009-B-0009 (V0018406)
  o 2009-A-0020 (V000000)
  o 2009-A-0019 (V0018549)
  o 2009-A-0018 (V0018553)
- Automated for Applicability based on Prescan
  o 2008-T-0059
  o 2009-B-0002
  o 2009-B-0003
  o 2009-B-0004
  o 2009-T-0011
  o 2009-B-0010
  o 2009-A-0017
  o 2009-T-0014
  o 2009-A-0021
  o 2009-B-0013
- Corrected check and fix for the following security patches
  o MS04-014
  o MS03-034

Gold Disk V2 February 2009 Release

- Automated DCOM Object Registry Permissions (V0006826)
- Automated the following IAVMs
  o 2008-T-0040 MS08-050 (V0016746)
  o 2008-A-0088 MS08-070 (V0017907)
  o 2008-A-0086 MS08-071 (V0017910)
  o 2008-A-0089 MS08-072 (V0017912)
  o 2008-A-0085 MS08-074 (V0017908)
  o 2008-A-0090 MS08-078 (V0017935)
  o 2009-A-0002 MS09-001 (V0017997)
  o 2009-A-0014 MS09-002 (V0018389)
  o 2008-B-0077 (V0017873)
- Automated for Applicability based on Prescan
  o 2008-B-0086
  o 2009-A-0004
  o 2009-A-0005
  o 2009-A-0006
  o 2009-A-0007
  o 2009-A-0008
  o 2008-A-0083
  o 2009-B-0005
- Automated the remaining Office 2007 vulnerabilities that were not done in the December release.
- Automated new vulnerability (V0018010) User Right - Debug programs
- Updated the following checks to match the new target (Internet Explorer) and/or requirements
  o DTBI137 (V0003433)
  o DTBI367 (V0003430)
  o DTBI697 (V0014245)
  o DTBI076 (V0006276)
  o DTBI685 (V0015573)
  o DTBI036 (V0006253)

Gold Disk V2 December 2008 Release

- Added specific versioning to the XML version displayed by the Gold Disk; details can be found in About Gold Disk Version 2.0.
- Updated all McAfee checks to be version specific. Previous Gold Disk releases checked and configured McAfee the same way regardless of the version installed. The changes apply specific checks and fixes for 8.0i and 8.5i depending on the version installed. See the note in known issues, item 10, regarding the Detection and Remediation tabs. Automated checking and fixing is correct for McAfee 8.0i and 8.5i.
- Added the following for XP FDCC requirements
  o V0001091 [A] Halt on Audit Failure XP FDCC
  o V0001085 [A] Secure Removable Media XP FDCC
  o V0003375 [A] Domain Controller Auth. XP FDCC
  o V0001075 [A] Display Shutdown Button XP FDCC
  o V0001084 [A] Clear System Page File XP FDCC
  o V0017373 [A] Secure Removable Media XP FDCC
  o V0016007 8dot3 Name Creation XP FDCC
  o V0015672 Event Viewer Events.asp Links XP FDCC
  o V0001130 [A] System File ACLs XP FDCC
  o V0017410 XP Firewall Domain Profile – Enable Firewall
  o V0017390 [A] XP Firewall Domain Profile – File and Printer Sharing
  o V0017391 [A] XP Firewall Domain Profile – ICMP Exceptions
  o V0017392 [A] XP Firewall Domain Profile – Local Port Exceptions
  o V0017393 [A] XP Firewall Domain Profile – Local Program Exceptions
  o V0017394 [A] XP Firewall Domain Profile – Logging
  o V0017397 [A] XP Firewall Domain Profile – Plug and Play
  o V0017398 [A] XP Firewall Domain Profile – Display Notifications
  o V0017399 [A] XP Firewall Domain Profile – Unicast Response
  o V0017411 [A] XP Firewall Standard Profile – Enable Firewall
  o V0017400 [A] XP Firewall Standard Profile – File and Printer Sharing
  o V0017401 [A] XP Firewall Standard Profile – ICMP Requests
  o V0017402 [A] XP Firewall Standard Profile – Local Port Exceptions
  o V0017403 [A] XP Firewall Standard Profile – Local Program Exceptions
  o V0017404 [A] XP Firewall Standard Profile – Remote Administration
  o V0017405 [A] XP Firewall Standard Profile – Remote Desktop
  o V0017406 [A] XP Firewall Standard Profile – Plug and Play
  o V0017407 [A] XP Firewall Standard Profile – No Exceptions
  o V0017408 [A] XP Firewall Standard Profile – Display Notifications
  o V0017409 [A] XP Firewall Standard Profile – Unicast Response
- Updated the following per XP FDCC requirements
  o Built-in Admin account enabled XP FDCC (V0016047)
  o FDCC XP user rights (V0001103)
  o Updated Screen Saver Grace Period (V0004442) to check that the registry value is REG_SZ instead of REG_DWORD
- Added V0017900 New Autorun.inf Check
- Added Office 2007 vulnerabilities. Due to time, only the following could be automated for December; the remaining are planned for February 2009
  o DTOO171
  o DTOO172
  o DTOO173
  o DTOO174
  o DTOO175
  o DTOO176
  o DTOO177
  o DTOO178
  o DTOO179
  o DTOO180
  o DTOO181
  o DTOO182
  o DTOO183
  o DTOO184
  o DTOO185
- Automated the following IAVMs or Microsoft patches
  o 2008-A-0064
  o 2008-B-0057
  o 2008-T-0055
  o 2008-A-0078
  o 2008-B-0075
  o 2008-B-0076
  o 2008-T-0056
  o 2008-A-0081
  o 2008-T-0058
  o 2008-B-0079
  o 2008-A-0087
- Automated for Applicability based on Prescan
  o 2008-T-0047
  o 2008-T-0037
  o 2008-B-0065
  o 2008-B-0080
  o 2008-A-0075
  o 2008-A-0074
  o 2008-A-0073
  o 2008-B-0072
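The V0004442 change in the December 2008 list (check that the value is REG_SZ, not REG_DWORD) is a good illustration of a check that has to look at value type and not just the number. The script below is an added example, not Gold Disk code: it assumes the value is ScreenSaverGracePeriod under the Winlogon key, and the required maximum it uses (5 seconds) stands in for whatever figure the checklist in force specifies.

```powershell
# Added example, not Gold Disk code. A registry check that compares only the
# number would pass a REG_DWORD, which is not the type the checklist requires
# for V0004442; this function reports the type and the value separately.
# Assumptions: value name/key below, and the 5-second maximum (use the checklist's figure).

function Test-RegistryValueTyped {
    param(
        [Microsoft.Win32.RegistryKey]$BaseKey,            # e.g. [Microsoft.Win32.Registry]::LocalMachine
        [string]$SubKey,
        [string]$Name,
        [Microsoft.Win32.RegistryValueKind]$ExpectedKind,
        [scriptblock]$IsCompliant                         # receives the raw value, returns $true/$false
    )
    $key = $BaseKey.OpenSubKey($SubKey)
    if (-not $key -or -not ($key.GetValueNames() -contains $Name)) {
        return [pscustomobject]@{ Name = $Name; Kind = '(absent)'; Value = $null; Status = 'Open: not configured' }
    }
    $kind  = $key.GetValueKind($Name)
    $value = $key.GetValue($Name, $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
    $key.Close()
    if ($kind -ne $ExpectedKind) {
        $status = "Open: type is $kind, checklist requires $ExpectedKind"
    } elseif (& $IsCompliant $value) {
        $status = 'NotAFinding'
    } else {
        $status = "Open: value '$value' outside required range"
    }
    [pscustomobject]@{ Name = $Name; Kind = $kind; Value = $value; Status = $status }
}

# Grace period must be a whole number of seconds, 5 or fewer (assumed checklist figure).
$gracePeriodRule = { param($v) ($v -match '^\d+$') -and ([int]$v -le 5) }

# Live check on this host.
Test-RegistryValueTyped -BaseKey ([Microsoft.Win32.Registry]::LocalMachine) `
    -SubKey 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
    -Name 'ScreenSaverGracePeriod' -ExpectedKind String -IsCompliant $gracePeriodRule

# Constructed scratch key under HKCU showing why the type matters: the same
# number stored as REG_DWORD is flagged; stored as REG_SZ it passes.
$scratch = 'HKCU:\Software\GDTypeCheckExample'
New-Item -Path $scratch -Force | Out-Null
New-ItemProperty -Path $scratch -Name 'ScreenSaverGracePeriod' -Value 5 -PropertyType DWord -Force | Out-Null
Test-RegistryValueTyped -BaseKey ([Microsoft.Win32.Registry]::CurrentUser) -SubKey 'Software\GDTypeCheckExample' `
    -Name 'ScreenSaverGracePeriod' -ExpectedKind String -IsCompliant $gracePeriodRule
Remove-ItemProperty -Path $scratch -Name 'ScreenSaverGracePeriod'
New-ItemProperty -Path $scratch -Name 'ScreenSaverGracePeriod' -Value '5' -PropertyType String | Out-Null
Test-RegistryValueTyped -BaseKey ([Microsoft.Win32.Registry]::CurrentUser) -SubKey 'Software\GDTypeCheckExample' `
    -Name 'ScreenSaverGracePeriod' -ExpectedKind String -IsCompliant $gracePeriodRule
Remove-Item -Path $scratch -Recurse
```

The same pattern (type first, then value) applies to any of the FDCC items above that Group Policy writes as a specific kind; a wrong type is a real finding because the consuming component may ignore the value entirely, leaving the system in its default state while a naive check reports it hardened.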

Gold Disk V2 September 2008 Release

- Automated the following IAVMs or Microsoft patches
  o 2008-A-0044
  o 2008-T-0033
  o 2008-T-0035
  o 2008-B-0053
  o 2008-A-0056
  o 2008-A-0062
  o 2008-A-0060
  o 2008-A-0058
  o 2008-A-0059
  o 2008-B-0056
  o 2008-T-0039
  o 2008-A-0061
  o 2007-B-0031
  o 2007-A-0003 – Updated automation
  o 2007-A-0037 – Corrected false positive
  o Oracle – NA based on prescan detection only: 2008-A-0049, 2008-A-0047, 2008-A-0046, 2008-A-0050, 2008-A-0052
- File ACL V0001130 – Corrected a possible false positive on some systems
- Modified checking to match updated checklist requirements for the following vulnerabilities in the desktop checklist
  o DTAM110 (V0014630)
  o DTAM111 (V0014631)
  o DTAM131 (V0014658)
  o DTAM132 (V0014659)
  o DTAM133 (V0014660)
  o DTAM134 (V0014661)
  o DTAM130 (V0014657)
  o DTBI061 (V0006267)
  o DTBI091 (V0006281)
  o DTBI036 (V0006253)
  o DTBI025 (V0016879)
- Enhanced prescan to detect Oracle installations on Windows 2003 64-bit systems

Gold Disk V2 July 2008 Release

- Automated the following IAVMs or Microsoft patches
  o 2007-A-0037
  o 2008-A-0028
  o 2008-A-0029
  o 2008-A-0030
  o 2008-A-0037
  o 2008-A-0039
  o 2008-A-0040
  o 2008-A-0041
  o 2008-B-0043
  o 2008-T-0024
  o 2008-T-0025
  o MS08-034
  o 2008-A-0019
  o 2008-A-0020
  o 2008-A-0021
  o 2008-A-0022
  o 2008-A-0023
  o 2008-B-0040
  o 2008-A-0027
- Updated checks for the following vulnerabilities to match new platinum/gold policy requirements
  o OS/2 Subsystem Installed (V0001078)
  o Posix Files (V0001079)
  o Posix registry entry (V0001083)
  o LanMan Authentication Level (V0001153)
  o OS/2 Registry Keys (V0001082)
  o Clear System Pagefile (V0001084)
- Modified checking and remediation (where applicable) to match updated requirements
  o Screen Saver Grace Period (V0004442)
  o IE - Make Proxy Settings Per Machine (V0003430) – removed from XP
  o Lockout Duration (V0001099)
  o DTBI026 (V0006246)
- Automated the following
  o Anonymous Access to Named Pipes and Shares (V0006834)
  o Audit Access to Global System Objects (V0014228)
  o WA000-WI035 (V0013698) – added the built-in administrator account as acceptable to have permissions per requirements
- Updated prescan to detect Symantec Endpoint Protection on 32- and 64-bit systems
- Modified checking for V0001074 "Approved DOD Virus Scan Program" to allow for Symantec Endpoint Protection and to improve checking efficiency on other systems.

Gold Disk V2 May 2008 Release

- Automated the following IAVMs or Microsoft patches
  o 2002-A-0002
  o 2008-A-0015
  o 2008-A-0014
  o 2008-A-0012
  o 2008-A-0013
  o 2008-T-0008
  o 2008-B-0037
  o 2008-B-0035
  o 2008-B-0033
  o 2008-T-0012
  o 2008-B-0034
  o 2008-A-0018
  o 2008-A-0017
  o 2008-T-0011 NA based on Pre Scan only
  o 2008-T-0010 NA based on Pre Scan only
  o MS08-025
- Updated prescan for Microsoft Visual Studio on x86 and x64
- Updated the following checks per new checklist requirements
  o Password Uniqueness (V0001107)
  o Software Certificate Installation Files (V0015823)
  o Windows Installer – IE Security Prompt (V0015684)
  o DTBI590 (V0015548)
  o DTBI595 (V0015549)
  o DTBI600 (V0015550)
  o DTBI605 (V0015551)
  o DTBI610 (V0015552)
  o DTBI615 (V0015553)
  o DTBI620 (V0015554)
  o DTBI625 (V0015555)
  o DTBI630 (V0015556)
  o DTBI635 (V0015557)
  o DTBI640 (V0015558)
  o DTBI645 (V0015559)
  o DTBI592 (V0015565)
  o DTBI594 (V0015566)
  o DTBI599 (V0015568)
  o DTBI612 (V0015569)
  o DTBI614 (V0015570)
  o DTBI647 (V0015571)
  o DTBI649 (V0015572)
  o DTBI596 (V0015603)

Gold Disk V2 March 2008 Release Updated IIS Metabase checking to correct several errors that could occur on some systems

o IIS Explorer lockout when Gold Disk is runningo Gold Disk crashing on some systems

Corrected the following IE 7 checks to match checklist requirementso DTBI645 (V0015559)o DTBI647 (V0015571)o DTBI649 (V0015572)o DTBI640 (V0015558)o DTBI680 (V0015564)o DTBI685 (V0015573)o DTBI690 (V0015574)o DTBI720 (V0015580)o DTBI024 (V0006245)

15UNCLASSIFIED

Page 18: U Gold Disk Version 2.0 Release Notes

UNCLASSIFIEDGold Disk Release Notes Field Security OperationsOctober 2010 DISA Information Systems Agency

o DTBI128 (V0006303)o DTBI040 (V0006257)o DTBI495 (V0015529)o DTBI592 (V0015565)o DTBI614 (V0015570)o DTBI612 (V0015569)o DTBI605 (V0015551)o DTBI594 (V0015566)o DTBI375 (V0015504)o DTBI596 (V0015603)o DTBI597 (V0015604)o DTBI725 (V0015581)o DTBI625 (V0015555)

Updated many IE6 checks to match new checklist requirements Updated the following windows checks to add and automate for XP or to match new checklist requirements

o V0002371 [M] Service Object Permissionso V0001122 [A] Password Protected Screen Saverso V0001103 – [A] User Rights Assignmentso Unnecessary Services (V0003487) LanMan Authentication Level (V0001153)o Minimum Password Length (V0006836)o V0014228 Audit Access to Global System Objectso V0014229 Audit Backup and Restore Privilegeso V0014247 Terminal Services – Prevent Password Sao V0014268 Attachment Manager –Preserve Zone Inforo V0014269 Attachment Manager – Hide Mechanisms too V0014270 Attachment Manager – Scan with Antiviruo V0014252 Logon – Run Once Listo V0014267 Power Management – Require Password on o V0014253 RPC – Unauthenticated RPC Clientso V0014254 RPC – Endpoint Mapper Authenticationo V0014260 HTTP - Printer Driverso V0014256 Internet Download / Online Orderingo V0014259 Printing Over HTTPo V0014258 Search Companion Content File Updateso V0014255 Publish to Webo V0014257 Windows Messenger Customer Experience Io V0014261 Windows Update Device Driver Searchingo V0014246 IE – Turn Off Crash Detectiono V0015666 [A] Windows Peer to Peer Networking o V0015667 [A] Prohibit Network Bridge o V0015669 [A] Prohibit Internet Connection Sharing o V0015670 [A] Error Reporting - Display Error Notifo V0015671 [A] Root Certificates Update o V0015673 [A] Internet Connection Wizard ISP Downloo V0015674 [A] Internet File Association Service o V0015675 [A] Windows Registration Wizard o V0015676 [A] Order Prints Online o V0015677 [A] Windows Movie Maker Codec Downloads o V0015678 [A] Windows Movie Maker Web Links o V0015679 [A] Windows Movie Maker Online Hosting

16UNCLASSIFIED

Page 19: U Gold Disk Version 2.0 Release Notes

UNCLASSIFIEDGold Disk Release Notes Field Security OperationsOctober 2010 DISA Information Systems Agency

o V0015680 [A] Classic Logon o V0015681 [A] Prevent Internet Information Systemo V0015682 [A] RSS Attachment Downloads o V0015683 [A] Windows Explorer – Shell Protocol Proo V0015684 [A] Windows Installer – IE Security Prompo V0015685 [A] Windows Installer – User Control o V0015686 [A] Windows Installer – Vendor Signed Updo V0015687 [A] Media Player – First Use Dialog Boxes

Automated the following IAVMs or Microsoft patches:
o 2008-B-0016 (V0015739)
o 2008-A-0005 (V0015742)
o 2008-A-0006 (V0015744)
o 2008-A-0007 (V0015741)
o 2008-A-0008 (V0015738)
o 2008-A-0009 (V0015743)
o 2008-A-0010 (V0015745)
o 2008-B-0003 (V0015663)
o 2007-T-0051 (V0015593)
o 2008-B-0001 (V0015600)
o MS08-002

Gold Disk V2 January 2008 Release

Updated the Gold Disk to run fixes in CD order where possible. This significantly reduces the number of times users are prompted to change CDs during the remediation process.

DVD/share drive support. See Appendix J.

Microsoft Office 2000, XP, 2003 prescan detection on Windows 2003 64 bit.

Microsoft Office 2007 detection on all Gold Disk supported OSs.

Added check and fix automation for the following IAVMs:
o 2007-A-0053
o 2007-A-0054
o 2005-T-0022
o 2007-A-0056
o 2007-T-0050
o 2007-A-0055

Added IA control information to the Misc. tab.

Automated IE 7 vulnerabilities on all Gold Disk supported OSs.

Automated several vulnerabilities associated with McAfee.

Updated ACL checking to stay in sync with checklist requirement changes.

Gold Disk V2 November 2007 Release

Please note that the Gold Disk Pre-Scan is not currently detecting many software products, including Microsoft Office when installed on 2003 64 bit. Undetected products should be manually added to the asset posture and the associated vulnerabilities addressed in VMS. Pre-Scan detection for Microsoft Office is currently working on 32 bit Operating Systems.

Added check and fix automation for the following IAVMs:
o 2007-B-0027
o 2007-T-0038
o 2006-A-0027
o 2006-A-0056
o 2007-T-0040
o 2007-A-0047


Corrected checking for the following IAVM on Windows 2000 when JScript 5.1 is installed:
o 2006-B-0009

Added check and fix automation for the following IAVMs on 2003 64 bit:
o 2006-B-0002
o 2006-T-0018

Added the following IAVMs to the Oracle Prescan NA checks:
o 2007-A-0052
o 2007-A-0051
o 2007-A-0050
o 2007-A-0049
o 2007-A-0048

Added Prescan NA (additional information questions) for the following IAVMs:
o 2007-T-0008
o 2001-A-0001
o 2007-A-0039
o 2007-T-0043
o 2007-T-0044
o 2007-B-0033
o 2007-T-0013
o 2007-T-0035

Added check and fix automation for the following NON-IAVM patches:
o MS07-053
o MS07-054

Changed the confidentiality level in the Non-Interactive.xml control file to match the default of Sensitive that is used when running the Gold Disk interactively.

Modified the Gold Disk executable to split out Systems and Enclaves in the edit asset information window.

Updated the Gold Disk to include .Net and Antispyware vulnerabilities.

Automated the following checks for IIS and Symantec:
o WA000-WI035
o WA000-WI110
o WA000-WI080
o WA000-WI100
o WA000-WI6080
o WA000-WI6082
o WA000-WI6084
o WA000-WI6086
o WA000-WI6088
o WA000-WI6090
o WA000-WI6092
o WA000-WI6094
o WA000-WI6096
o DTAS060
o DTAS061
o DTAS062
o DTAS063
o DTAS064
o DTAS065
o DTAS066
o DTAS067
o DTAS068
o DTAS069


Gold Disk V2 September 2007 Release

Added check and fix automation for the following IAVMs released between July and August:
o 2007-B-0013
o 2007-A-0036
o 2007-A-0037
o 2007-T-0028
o 2007-A-0042
o 2007-A-0043
o 2007-B-0024
o 2007-A-0044
o 2007-B-0025
o 2007-B-0026
o 2007-A-0045

Added check and fix automation for the following IAVMs on 2003 64 bit:
o 2007-A-0020
o 2007-A-0014
o 2007-B-0009
o 2007-B-0005
o 2007-B-0004
o 2007-B-0003
o 2006-B-0010
o 2006-A-0036
o 2006-B-0011
o 2006-A-0038
o 2006-B-0014
o 2006-T-0026
o 2006-T-0033
o 2006-T-0034
o 2006-B-0020
o 2006-T-0039

Updated Registry Policy Processing (V0004448) due to a checklist change to look for “NoGPOListChanges” in the registry
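The registry value named above can be verified on a host directly. The following PowerShell check is an added example and is not Gold Disk code; only the value name NoGPOListChanges comes from these notes, while the key path and the expected value of 0 are assumed from the Windows STIG requirement for Registry Policy Processing.

```powershell
# Added example, not Gold Disk code. Checks the Registry Policy Processing
# setting (V0004448). Only the value name NoGPOListChanges is taken from the
# release notes; the key path and the expected value 0 are assumed from the
# Windows STIG (NoGPOListChanges = 0 means "process even if the Group Policy
# objects have not changed" is enabled).
$Key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
$Name = 'NoGPOListChanges'

function Test-RegistryPolicyProcessing {
    param(
        [string] $Path      = $Key,
        [string] $ValueName = $Name
    )
    # Get-ItemProperty returns $null (no exception) when the key or value is absent
    $item = Get-ItemProperty -Path $Path -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Key or value absent: the setting is not enforced, so report a finding.
        return [pscustomobject]@{
            VulnId = 'V0004448'
            Status = 'Open'
            Detail = "$ValueName not found under $Path"
        }
    }
    $value  = [int]$item.$ValueName
    $status = if ($value -eq 0) { 'NotAFinding' } else { 'Open' }
    [pscustomobject]@{
        VulnId = 'V0004448'
        Status = $status
        Detail = "$ValueName = $value (expected 0)"
    }
}

Test-RegistryPolicyProcessing | Format-Table -AutoSize
```

Reading the value with the account that runs the scan is enough; the check needs no elevation beyond read access to HKLM, and an absent value is reported as a finding rather than silently passing.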

Updated Secure Channel Data (V0001163 & V0001164) to be closed when Domain Member: Digitally encrypt or sign secure channel data (always) is set correctly to Enabled

Updated User Rights (V0001103) to remove checking for the following checks due to a checklist change, as they are now separate vulnerabilities. Additionally made changes due to problems found during regression testing to correctly check and remediate per the checklist for the user rights below:
o Act as part of the operating system
o Deny access to this computer from the network

Updated the Service Pack check to require SP2 on Windows 2003 per the checklist.

Corrected known problem with the Gold Disk not saving and restoring sessions properly after the first save and restore.

Improved performance with loading XML and prescan and when running on systems with IIS installed.

Corrected detection for 2005-T-0005. The Gold Disk originally may have given false negatives.

Corrected findings details for auditing settings (V0001080) to more accurately display incorrect audit settings rather than incorrect permissions.

Gold Disk V2 July 2007 Release

Added check and fix automation for the following IAVMs released between May and June:
o 2007-B-0010
o 2007-A-0029


o 2007-A-0030
o 2007-A-0031
o 2007-A-0028
o 2007-A-0033
o 2007-A-0034
o 2007-B-0011
o 2007-A-0035
o 2007-T-0024
o 2007-A-0022
o 2007-A-0023
o 2007-A-0024
o 2007-A-0025
o 2007-A-0026

Updated the fix for 2006-A-0052 to work with all versions of Windows Installer.

Corrected to include all IE vulnerabilities when IE7 is installed. Previous versions of the Gold Disk did not list any vulnerabilities when IE7 was installed. These vulnerabilities will be manual review until analysis can be done to determine how to automate checking on IE7.

Added XML versioning. If a user changes an XML control file, they will be prompted concerning the detected change when running the Gold Disk. The user can either run the Gold Disk with the change or not run at that time. If they choose to run with the change, “Modified” appears on the Gold Disk information bar to indicate that they are not using the released XML.
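A changed control file means the scan no longer reflects the released baseline, which is why the detection matters. The PowerShell below is an added example, not Gold Disk code: it compares the SHA-256 of each control file against a hash recorded for the release, treats any mismatch or missing file as not released, and prompts before continuing, flagging the session as Modified if the user proceeds. The manifest hash value and the control directory are constructed placeholders; Non-Interactive.xml is the only control file name taken from these notes.

```powershell
# Added example, not Gold Disk code. Detects changed XML control files by
# comparing each file's SHA-256 against the hash recorded for the release.
# The hash value and the control directory below are constructed placeholders.
$ReleaseManifest = @{
    'Non-Interactive.xml' = 'PLACEHOLDER_SHA256_OF_RELEASED_FILE'
}

function Get-ControlFileStatus {
    param(
        [Parameter(Mandatory)] [string]    $ControlDir,
        [Parameter(Mandatory)] [hashtable] $Manifest
    )
    foreach ($entry in $Manifest.GetEnumerator()) {
        $path = Join-Path -Path $ControlDir -ChildPath $entry.Key
        if (-not (Test-Path -Path $path -PathType Leaf)) {
            [pscustomobject]@{ File = $entry.Key; Status = 'Missing'; Hash = $null }
            continue
        }
        # Get-FileHash returns an upper-case hex digest; compare case-insensitively
        $actual = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        $status = if ($actual -ieq $entry.Value) { 'Released' } else { 'Modified' }
        [pscustomobject]@{ File = $entry.Key; Status = $status; Hash = $actual }
    }
}

$results = @(Get-ControlFileStatus -ControlDir 'C:\GoldDisk\XML' -Manifest $ReleaseManifest)
$results | Format-Table -AutoSize

$notReleased = @($results | Where-Object Status -ne 'Released')
if ($notReleased.Count -gt 0) {
    # Mirror the behaviour the notes describe: warn, let the user decide, and
    # mark the session as Modified if they proceed with non-released XML.
    $answer = Read-Host 'Control files differ from the released XML. Run with the changes? (y/n)'
    if ($answer -ne 'y') { Write-Warning 'Run cancelled.'; exit 1 }
    $Host.UI.RawUI.WindowTitle = 'Gold Disk [Modified]'
}
```

The manifest itself has to come from the release media rather than from the same directory as the control files; otherwise an edit to both files together would pass the comparison.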

2007-T-0016 added to Bind manual prescan NA.

2007-T-0021 added to Firefox manual prescan NA.

2006-B-0009: corrected possible false positive that could occur on some Windows 2000 systems.

Engine fixes to accommodate McAfee AV signature date format inconsistencies that caused the Gold Disk to crash on some systems. Additionally modified the engine to accommodate a change in where McAfee anti-virus stores the signature file date.

Updated automation for the following IAVMs:
o 2007-A-0033
o 2007-A-0034
o 2007-B-0011
o 2007-A-0035

Updates to the following vulnerabilities to keep in sync with checklist guidance for the release:
o DTBI006 IE – Local Zone – Includes
o DTBI040 IE – Zone Settings
o DTAS017 Antivirus AutoProtect – Check Floppy at Shutdown
o Anonymous Access to Named Pipes and Shares
o Corrected fix for user right: Deny logon through Terminal Service
o Corrected fix for user right: Create Pagefile

Updated checking for the following IAVMs:
o 2003-A-0017
o 2004-A-0006
o 2004-A-0017
o 2004-A-0018
o 2004-A-0019
o 2005-A-0001
o 2005-A-0017
o 2005-A-0018
o 2005-A-0025
o 2005-A-0029
o 2005-A-0030


o 2006-A-0002
o 2006-A-0015
o 2006-A-0036
o 2006-A-0038
o 2006-A-0051
o 2007-A-0005
o 2007-A-0014

o 2003-B-0004
o 2003-B-0006
o 2004-B-0016
o 2006-B-0007
o 2006-B-0009
o 2006-B-0010
o 2006-B-0011
o 2006-B-0014
o 2006-B-0020
o 2006-B-0021
o 2007-B-0003
o 2007-B-0004

o 2004-T-0031
o 2004-T-0035
o 2004-T-0040
o 2005-T-0001
o 2005-T-0003
o 2005-T-0004
o 2005-T-0019
o 2005-T-0026
o 2005-T-0029
o 2005-T-0041
o 2005-T-0042
o 2006-T-0003
o 2006-T-0015
o 2006-T-0026
o 2006-T-0033
o 2006-T-0034
o 2006-T-0039

Gold Disk V2 May 2007 Release

Browse for executable screen during remediation now displays the Disk Label of the needed CD.

Anti-virus disk prompting now displays the Disk Label of the needed CD.

Icon indicators on the Remediation warning screen.

Enumeration for websites now enumerates more accurately.

Added automation (where possible) for IAVMs released between March and April.

Content Management Progress for May 2007 release.

21 new interactive pre-scan questions covering 33 IAVMs.


Gold Disk V2 March 2007 Release

Resizable tree-view within the Gold Disk GUI.

Allow for editing of the IP Address/MAC Address information.

Display totals for all severities.

Added automation (where possible) for IAVMs released between January and February.

Performance improvements reduce processing time by approximately 60 to 80 percent.

Ability to do an “interview-based” pre-scan for products which are not directly available to do signature assessments.

Gold Disk V2 Jan 2007 Release

Save Session capability

o Allows the Gold Disk user to save the current state of the review session to a file. This session file can later be reloaded to complete the analysis of the system under review.

Vulnerability Status report.

o Rich-text format that can be saved to disk or printed. User parameters allow selection of affected software components, vulnerability status and selection of fields to include in the report.

File ACL content is now generated out of the database. This was previously post-processed and added after automated XML generation was completed.

Added automation (where possible) for IAVMs released between November and December.

Internet Explorer 7.0 Pre-scan detection.

Pre-scan Not Applicable Expansion:

o Ability to detect Symantec and Microsoft Exchange Server products. IAVMs affecting these products set to NA if the product is not found on the system during pre-scan.

Gold Disk V2 Nov 2006 Release

Corrected checking and fixing for Bad Logon Counter Reset.

Corrected checking and fixing for Password Expiration.

Updated 2005-A-0001 to use an updated Microsoft patch.

Corrected checking and fixing for 2006-A-0028.

Added automation (where possible) for IAVMs released between September and October.

Added automated prescan for the following software:

o Oracle

o Adobe Reader and Flash Player

o Winzip
