NOTICE: Migration In Progress.
Most, but not all, of the content has moved. Please update your bookmarks to:
GPOs to Resolve eVMS Vulnerabilities
DI – BWTST CWDIllegalInDll Search Value 2
Sets the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\CWDIllegalInDllSearch DWORD registry value to 2, which blocks a DLL load from the current working directory when that directory is a remote folder, including a WebDAV or UNC location. Addresses eVMS plugin ID# 48762. More information can be found at https://support.microsoft.com/en-us/kb/2264107.
DI – USGS Windows Remote Desktop NLA Enabled
GPO will be enforced on 9/13/2021:
Allows local sites to enforce Remote Desktop Network Level Authentication by applying the setting Require user authentication for remote connections by using Network Level Authentication to Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security. Addresses eVMS plugin ID# 58453. More information can be found at https://technet.microsoft.com/en-us/library/cc732713.aspx.
DI – BWTST Disable DES-CBC3-SHA 168
GPO will be enforced on 6/28/2017:
The Enterprise Vulnerability Management System (eVMS) reports a Medium severity vulnerability if a remote host supports the use of SSL ciphers that offer medium strength encryption. Nessus regards medium strength as any encryption that uses key lengths of at least 64 bits and less than 112 bits, or that uses the 3DES encryption suite. It is considerably easier to circumvent medium strength encryption if the attacker is on the same physical network. This vulnerability is showing up on Remote Desktop Services (RDP) and additional applications throughout the environment. Additional configuration changes to applications may be needed to exclude 3DES and resolve vulnerabilities. Addresses eVMS plugin ID# 42873.
- Security Filter to allow clients for Local Testing until 6/28/2017: IGSGBWTST Computers Block DES-CBC3-SHA 168 Group
- Security Filter to deviate once policy is enforced: IGSGBWTST Deviation Computers Unblock DES-CBC3-SHA 168
DI – BWTST Disable SMB 1.0
GPO will be enforced on 6/28/2017:
In response to public reporting of a potential Server Message Block (SMB) vulnerability, US-CERT is providing known best practices related to SMB. This service is universally available for Windows systems, and legacy versions of the SMB protocol could allow a remote attacker to obtain sensitive information from affected systems. Addresses eVMS plugin ID# 96982. More information can be found here. Sites that are running Samba on a Unix/Linux server must configure the Samba server to support SMB 2.0. Guidance is available here.
- Security Filter to allow clients for Local Testing until 6/28/2017: IGSGBWTST Computers Disable SMB 1
- Security Filter to deviate once policy is enforced: IGSGBWTST Deviation Computers Enable SMB 1
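As an added example that is not part of the original page, the following PowerShell script audits a host for the effective state of the four settings the GPOs above enforce and reports each as PASS or FAIL. The CWDIllegalInDllSearch path is the one given in the text; the registry locations used for RDP NLA, the Triple DES 168 cipher and the SMB1 server setting are the standard Windows locations for those settings and are my assumption here, as is the PASS/FAIL layout.

```powershell
# Added example, not from the original page: audit the registry state behind
# the four eVMS findings above. Run in an elevated PowerShell session.
# Assumption: the three non-CWDIllegalInDllSearch paths are the standard
# locations Windows uses for those settings.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent: treated as "not set"
}

# One entry per GPO: description (with the eVMS plugin ID from the page),
# registry path, value name and the value the GPO is expected to produce.
$checks = @(
    @{ Name = 'CWDIllegalInDllSearch = 2 (plugin 48762)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
       Value = 'CWDIllegalInDllSearch'; Expected = 2 },
    @{ Name = 'RDP NLA required (plugin 58453)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
       Value = 'UserAuthentication'; Expected = 1 },
    @{ Name = 'Triple DES 168 cipher disabled (plugin 42873)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168'
       Value = 'Enabled'; Expected = 0 },
    @{ Name = 'SMB1 server disabled (plugin 96982)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value = 'SMB1'; Expected = 0 }
)

$results = @(foreach ($c in $checks) {
    $actual = Get-RegValue -Path $c.Path -Name $c.Value
    [pscustomobject]@{
        Check    = $c.Name
        Expected = $c.Expected
        Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
        Status   = if ($actual -eq $c.Expected) { 'PASS' } else { 'FAIL' }
    }
})

# Where the SmbShare module exists (Windows 8 / Server 2012 and later), also
# read the live SMB1 server state, since the registry value may be absent.
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $results += [pscustomobject]@{
        Check = 'EnableSMB1Protocol (Get-SmbServerConfiguration)'
        Expected = $false; Actual = $smb1
        Status = if (-not $smb1) { 'PASS' } else { 'FAIL' }
    }
}

$results | Format-Table -AutoSize
if ($results.Status -contains 'FAIL') { exit 1 }   # non-zero exit for scripted rollouts
```

A FAIL on the NLA or cipher row after the GPO has applied usually means the host has not refreshed policy yet; run gpupdate /force and re-run the audit before filing a deviation.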
Cryptography Deviations
DI – USGS Windows Client Approval Needed Deviation – Cryptography Allow TLS 1.0 & 1.1 Browser
Clients and servers that require TLS 1.0 and 1.1 can apply this GPO. This GPO has an Active Directory security filter applied. Sites that need to apply this deviation will need to email the service desk and request clients be added to the BWTST controlled security group. Sites that need to use this deviation should document issues and resolutions on the USGS TLS 1.0/1.1 Dependencies sheet.
DI – USGS Windows Client Approval Needed Deviation – Cryptography Allow TLS 1.0 & 1.1 Registry
Clients and servers that require TLS 1.0 and 1.1 for applications (such as applications that use Microsoft SQL and still do not support TLS 1.2, even after applying the fixes and updates documented here) can apply this GPO. This GPO has an Active Directory security filter applied. Sites that need to apply the deviation can create an AD group for TLS Registry Deviation computers and make it a member of the group “IGSGBWTST Deviation Computers – Allow TLS 1.0 1.1 Registry”. Sites that need to use this deviation should document issues and resolutions on the USGS TLS 1.0/1.1 Dependencies sheet.
DI – USGS Windows Client Approval Needed Deviation – Cryptography Allow RC4 Kerberos
Clients and servers that require RC4 Kerberos can apply this GPO. This GPO has an Active Directory security filter applied. Sites that need to apply this deviation will need to email the service desk and request clients be added to the BWTST controlled security group. Sites that need to use this deviation should document issues and resolutions on the USGS RC4 Dependencies sheet.
DI – USGS Windows Client Approval Needed Deviation – Cryptography Allow 3DES
Clients and servers that require 3DES can apply this GPO. This GPO has an Active Directory security filter applied. Sites that need to apply this deviation will need to email the service desk and request clients be added to the BWTST controlled security group. Sites that need to use this deviation should document issues and resolutions on the USGS 3DES Dependencies sheet.