STIGQter STIGQter: STIG Summary: Windows 10 Security Technical Implementation Guide Version: 1 Release: 19 Benchmark Date: 25 Oct 2019: Exploit Protection mitigations in Windows 10 must be configured for Acrobat.exe.

DISA Rule

SV-91885r3_rule

Vulnerability Number

V-77189

Group Title

WN10-EP-000070

Rule Version

WN10-EP-000070

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Ensure the following mitigations are turned "ON" for Acrobat.exe:

DEP:
Enable: ON

ASLR:
BottomUp: ON
ForceRelocateImages: ON

Payload:
EnableExportAddressFilter: ON
EnableExportAddressFilterPlus: ON
EnableImportAddressFilter: ON
EnableRopStackPivot: ON
EnableRopCallerCheck: ON
EnableRopSimExec: ON

Application mitigations defined in the STIG are configured by a DoD EP XML file included with the Windows 10 STIG package in the "Supporting Files" folder.

The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location.

Check Contents

This is NA prior to v1709 of Windows 10.

This is applicable to unclassified systems, for other systems this is NA.

Run "Windows PowerShell" with elevated privileges (run as administrator).

Enter "Get-ProcessMitigation -Name Acrobat.exe".
(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)

If the following mitigations do not have a status of "ON", this is a finding:

DEP:
Enable: ON

ASLR:
BottomUp: ON
ForceRelocateImages: ON

Payload:
EnableExportAddressFilter: ON
EnableExportAddressFilterPlus: ON
EnableImportAddressFilter: ON
EnableRopStackPivot: ON
EnableRopCallerCheck: ON
EnableRopSimExec: ON

The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here. If the PowerShell command does not produce results, ensure the letter case of the filename within the command syntax matches the letter case of the actual filename on the system.

Vulnerability Number

V-77189

Documentable

False

Rule Version

WN10-EP-000070

Severity Override Guidance

This is NA prior to v1709 of Windows 10.

This is applicable to unclassified systems, for other systems this is NA.

Run "Windows PowerShell" with elevated privileges (run as administrator).

Enter "Get-ProcessMitigation -Name Acrobat.exe".
(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)

If the following mitigations do not have a status of "ON", this is a finding:

DEP:
Enable: ON

ASLR:
BottomUp: ON
ForceRelocateImages: ON

Payload:
EnableExportAddressFilter: ON
EnableExportAddressFilterPlus: ON
EnableImportAddressFilter: ON
EnableRopStackPivot: ON
EnableRopCallerCheck: ON
EnableRopSimExec: ON

The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here. If the PowerShell command does not produce results, ensure the letter case of the filename within the command syntax matches the letter case of the actual filename on the system.

Check Content Reference

M

Target Key

2885

Comments