STIGQter: STIG Summary: Riverbed SteelHead CX v8 ALG Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 30 Nov 2015

If TLS optimization is used, the Riverbed Optimization System (RiOS) providing Signed SMB and/or Encrypted MAPI must ensure the integrity and confidentiality of data transmitted over the WAN.

DISA Rule

SV-77277r1_rule

Vulnerability Number

V-62787

Group Title

SRG-NET-000521-ALG-000002

Rule Version

RICX-AG-000032

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

On the server-side SteelHead appliance, navigate to the device Management Console.

Navigate to Configure >> Optimization >> Windows Domain Auth
Under Kerberos select "Add a New User"
Enter the "Active Directory Domain Name".
Enter the UserID in "Domain Login:".
Enter the User Account Password in "Password".
Enter "Password Confirm"
Select "Enable RODC Password Replication Policy"
Enter the "Domain Controller Name(s):" or IP Addresses.
Click "Add".
Verify that "In Domain Mode, Status: In a Domain" is displayed on the page.

Navigate to Configure >> Optimization >> CIFS (SMB1).
Select "Enable SMB Signing"
Select "NTLM Delegation Mode"
Select "Enable Kerberos Authentication Support".
Click "Apply"

Navigate to Configure >> Optimization >> SMB2/3.
Select "Enable SMB2 and SMB3 Signing"
Select "NTLM Delegation Mode"
Select "Enable Kerberos Authentication Support".
Click "Apply".

Navigate to Configure >> Optimization >> MAPI.
Select "Enable Encrypted Optimization"
Select "NTLM Delegation Mode"
Select "Enable Kerberos Authentication Support".
Click "Apply".

Navigate to the top of the web page and click "Save" to save these settings permanently.

Check Contents

Verify the RiOS providing Signed SMB and Encrypted MAPI optimization services is configured to ensure the integrity and confidentiality of data transmitted over the WAN.

Navigate to the device Management Console.
Navigate to Configure >> Optimization >> Windows Domain Auth
Verify that a Domain is defined under "Kerberos"
Navigate to Configure >> Optimization >> CIFS (SMB1).
Verify that "Enable SMB Signing", "NTLM Delegation Mode", and "Enable Kerberos Authentication Support" are selected.

Navigate to Configure >> Optimization >> SMB2/3.
Verify that "Enable SMB2 and SMB3 Signing", "NTLM Delegation Mode", and "Enable Kerberos Authentication Support" are selected.

Navigate to Configure >> Optimization >> MAPI.
Verify that "Enable Encrypted Optimization", "NTLM Delegation Mode", and "Enable Kerberos Authentication Support" are selected.

If any SMB Signing or Encrypted MAPI is selected and the status of "In Domain Mode, Status: In a Domain" is not displayed, this is a finding.

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

2929

Comments