STIGQter STIGQter: STIG Summary: Microsoft Windows Server 2019 Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 04 May 2021:

Windows Server 2019 Exploit Protection mitigations must be configured for java.exe, javaw.exe, and javaws.exe.

DISA Rule

SV-205891r569188_rule

Vulnerability Number

V-205891

Group Title

SRG-OS-000480-GPOS-00227

Rule Version

WN19-EP-000150

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Ensure the following mitigations are turned "ON" for java.exe, javaw.exe, and javaws.exe:

DEP:
Enable: ON

Payload:
EnableExportAddressFilter: ON
EnableExportAddressFilterPlus: ON
EnableImportAddressFilter: ON
EnableRopStackPivot: ON
EnableRopCallerCheck: ON
EnableRopSimExec: ON

Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the "Supporting Files" folder.

The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location.

Check Contents

If the referenced application is not installed on the system, this is NA.

This is applicable to unclassified systems, for other systems this is NA.

Run "Windows PowerShell" with elevated privileges (run as administrator).

Enter "Get-ProcessMitigation -Name [application name]" with each of the following substituted for [application name]:
java.exe, javaw.exe, and javaws.exe
(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)

If the following mitigations do not have a status of "ON" for each, this is a finding:

DEP:
Enable: ON

Payload:
EnableExportAddressFilter: ON
EnableExportAddressFilterPlus: ON
EnableImportAddressFilter: ON
EnableRopStackPivot: ON
EnableRopCallerCheck: ON
EnableRopSimExec: ON

The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here.

Vulnerability Number

V-205891

Documentable

False

Rule Version

WN19-EP-000150

Severity Override Guidance

If the referenced application is not installed on the system, this is NA.

This is applicable to unclassified systems, for other systems this is NA.

Run "Windows PowerShell" with elevated privileges (run as administrator).

Enter "Get-ProcessMitigation -Name [application name]" with each of the following substituted for [application name]:
java.exe, javaw.exe, and javaws.exe
(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)

If the following mitigations do not have a status of "ON" for each, this is a finding:

DEP:
Enable: ON

Payload:
EnableExportAddressFilter: ON
EnableExportAddressFilterPlus: ON
EnableImportAddressFilter: ON
EnableRopStackPivot: ON
EnableRopCallerCheck: ON
EnableRopSimExec: ON

The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here.

Check Content Reference

M

Target Key

2907

Comments