STIGQter: STIG Summary: Microsoft Windows Server 2019 Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 04 May 2021: STIGQter: STIG Summary: Microsoft Windows Server 2019 Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 04 May 2021:SV-205807r569188_rule
V-205807
SRG-OS-000370-GPOS-00155
WN19-00-000080
CAT II
10
Configure an application whitelisting program to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
Configuration of whitelisting applications will vary by the program. AppLocker is a whitelisting application built into Windows Server.
If AppLocker is used, it is configured through group policy in Computer Configuration >> Windows Settings >> Security Settings >> Application Control Policies >> AppLocker.
Implementation guidance for AppLocker is available in the NSA paper "Application Whitelisting using Microsoft AppLocker" at the following link:
https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
This is applicable to unclassified systems. For other systems, this is NA.
Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
If an application whitelisting program is not in use on the system, this is a finding.
Configuration of whitelisting applications will vary by the program.
AppLocker is a whitelisting application built into Windows Server. A deny-by-default implementation is initiated by enabling any AppLocker rules within a category, only allowing what is specified by defined rules.
If AppLocker is used, perform the following to view the configuration of AppLocker:
Open "PowerShell".
If the AppLocker PowerShell module has not been imported previously, execute the following first:
Import-Module AppLocker
Execute the following command, substituting [c:\temp\file.xml] with a location and file name appropriate for the system:
Get-AppLockerPolicy -Effective -XML > c:\temp\file.xml
This will produce an xml file with the effective settings that can be viewed in a browser or opened in a program such as Excel for review.
Implementation guidance for AppLocker is available in the NSA paper "Application Whitelisting using Microsoft AppLocker" at the following link:
https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
V-205807
False
WN19-00-000080
This is applicable to unclassified systems. For other systems, this is NA.
Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
If an application whitelisting program is not in use on the system, this is a finding.
Configuration of whitelisting applications will vary by the program.
AppLocker is a whitelisting application built into Windows Server. A deny-by-default implementation is initiated by enabling any AppLocker rules within a category, only allowing what is specified by defined rules.
If AppLocker is used, perform the following to view the configuration of AppLocker:
Open "PowerShell".
If the AppLocker PowerShell module has not been imported previously, execute the following first:
Import-Module AppLocker
Execute the following command, substituting [c:\temp\file.xml] with a location and file name appropriate for the system:
Get-AppLockerPolicy -Effective -XML > c:\temp\file.xml
This will produce an xml file with the effective settings that can be viewed in a browser or opened in a program such as Excel for review.
Implementation guidance for AppLocker is available in the NSA paper "Application Whitelisting using Microsoft AppLocker" at the following link:
https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
M
2907