STIGQter: STIG Summary: Microsoft Windows Server 2016 Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 04 May 2021:

Windows Server 2016 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.

DISA Rule

SV-224826r569186_rule

Vulnerability Number

V-224826

Group Title

SRG-OS-000370-GPOS-00155

Rule Version

WN16-00-000090

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure an application whitelisting program to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.

Configuration of whitelisting applications will vary by the program. AppLocker is a whitelisting application built into Windows Server.

If AppLocker is used, it is configured through group policy in Computer Configuration >> Windows Settings >> Security Settings >> Application Control Policies >> AppLocker.

Implementation guidance for AppLocker is available in the NSA paper "Application Whitelisting using Microsoft AppLocker" at the following link:

https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

Check Contents

This is applicable to unclassified systems. For other systems, this is NA.

Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs.

If an application whitelisting program is not in use on the system, this is a finding.

Configuration of whitelisting applications will vary by the program.

AppLocker is a whitelisting application built into Windows Server. A deny-by-default implementation is initiated by enabling any AppLocker rules within a category, only allowing what is specified by defined rules.

If AppLocker is used, perform the following to view the configuration of AppLocker:

Open "PowerShell".

If the AppLocker PowerShell module has not been imported previously, execute the following first:

Import-Module AppLocker

Execute the following command, substituting [c:\temp\file.xml] with a location and file name appropriate for the system:

Get-AppLockerPolicy -Effective -XML > c:\temp\file.xml

This will produce an XML file with the effective settings that can be viewed in a browser or opened in a program such as Excel for review.
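The following script is an added example, not part of the STIG check text or STIGQter. It performs the export above and then parses the effective policy in the same session to summarize, per rule collection, whether a deny-by-default configuration is actually in place: a collection with no rules places no restriction, a collection in AuditOnly mode logs but does not block, and a collection in Enabled mode with rules enforces the exception list. The export path is illustrative; the check that the Application Identity service (AppIDSvc) is running is a known AppLocker prerequisite that the STIG text does not spell out.

```powershell
# Added example (not STIG text): summarize the effective AppLocker policy for the
# WN16-00-000090 check. Assumes Windows Server 2016 with the AppLocker module present
# and an elevated PowerShell session.
Import-Module AppLocker

# Keep the exported XML for the audit record (path is illustrative; adjust per system)
$exportPath = 'C:\temp\applocker-effective.xml'
Get-AppLockerPolicy -Effective -Xml | Out-File -FilePath $exportPath -Encoding utf8

# With -Xml the cmdlet returns the policy as an XML string, so it can be parsed directly
[xml]$policy = Get-AppLockerPolicy -Effective -Xml
$collections = @($policy.AppLockerPolicy.RuleCollection)

if ($collections.Count -eq 0) {
    Write-Output 'FINDING: effective policy contains no AppLocker rule collections (no whitelisting in place)'
}

foreach ($collection in $collections) {
    # Rules are the element children of the collection: FilePublisherRule, FilePathRule, FileHashRule
    $rules      = @($collection.ChildNodes | Where-Object { $_.NodeType -eq 'Element' })
    $allowCount = @($rules | Where-Object { $_.Action -eq 'Allow' }).Count
    $denyCount  = @($rules | Where-Object { $_.Action -eq 'Deny' }).Count
    $mode       = $collection.EnforcementMode

    # Deny-by-default only applies once a collection has rules and they are enforced
    if ($rules.Count -eq 0) {
        $status = 'NOT RESTRICTED (no rules in collection)'
    } elseif ($mode -eq 'AuditOnly') {
        $status = 'AUDIT ONLY (violations logged, not blocked)'
    } elseif ($mode -eq 'Enabled') {
        $status = 'ENFORCED'
    } else {
        # Enforcement mode not set explicitly; confirm the intended mode by inspecting the GPO
        $status = 'MODE NOT CONFIGURED (rules present; verify enforcement in the GPO)'
    }

    [pscustomobject]@{
        Collection      = $collection.Type      # Exe, Msi, Script, Dll, Appx
        EnforcementMode = $mode
        AllowRules      = $allowCount
        DenyRules       = $denyCount
        Status          = $status
    }
}

# AppLocker rules are evaluated only while the Application Identity service runs;
# a stopped or missing service leaves the policy above ineffective.
$appId = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
if ($null -eq $appId -or $appId.Status -ne 'Running') {
    Write-Warning 'Application Identity service (AppIDSvc) is not running; AppLocker rules are not being enforced'
}
```

The per-collection table is what a reviewer compares against the requirement: every collection the organization relies on (at minimum Exe and, typically, Msi and Script) should show a non-zero rule count and ENFORCED status. The exported XML at the chosen path remains the artifact to attach to the review, as the check describes.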

Implementation guidance for AppLocker is available in the NSA paper "Application Whitelisting using Microsoft AppLocker" at the following link:

https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

Vulnerability Number

V-224826

Documentable

False

Rule Version

WN16-00-000090

Severity Override Guidance

Check Content Reference

M

Target Key

4205

Comments