SV-205888r569188_rule
V-205888
SRG-OS-000480-GPOS-00227
WN19-EP-000120
CAT II
10
Ensure the following mitigations are turned "ON" for GROOVE.EXE:
DEP:
Enable: ON
ASLR:
ForceRelocateImages: ON
ImageLoad:
BlockRemoteImageLoads: ON
Payload:
EnableExportAddressFilter: ON
EnableExportAddressFilterPlus: ON
EnableImportAddressFilter: ON
EnableRopStackPivot: ON
EnableRopCallerCheck: ON
EnableRopSimExec: ON
Child Process:
DisallowChildProcessCreation: ON
Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the "Supporting Files" folder.
The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location.
If the referenced application is not installed on the system, this is NA.
This is applicable to unclassified systems, for other systems this is NA.
Run "Windows PowerShell" with elevated privileges (run as administrator).
Enter "Get-ProcessMitigation -Name GROOVE.EXE".
(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)
If the following mitigations do not have a status of "ON", this is a finding:
DEP:
Enable: ON
ASLR:
ForceRelocateImages: ON
ImageLoad:
BlockRemoteImageLoads: ON
Payload:
EnableExportAddressFilter: ON
EnableExportAddressFilterPlus: ON
EnableImportAddressFilter: ON
EnableRopStackPivot: ON
EnableRopCallerCheck: ON
EnableRopSimExec: ON
Child Process:
DisallowChildProcessCreation: ON
The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here.
V-205888
False
WN19-EP-000120
If the referenced application is not installed on the system, this is NA.
This is applicable to unclassified systems, for other systems this is NA.
Run "Windows PowerShell" with elevated privileges (run as administrator).
Enter "Get-ProcessMitigation -Name GROOVE.EXE".
(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)
If the following mitigations do not have a status of "ON", this is a finding:
DEP:
Enable: ON
ASLR:
ForceRelocateImages: ON
ImageLoad:
BlockRemoteImageLoads: ON
Payload:
EnableExportAddressFilter: ON
EnableExportAddressFilterPlus: ON
EnableImportAddressFilter: ON
EnableRopStackPivot: ON
EnableRopCallerCheck: ON
EnableRopSimExec: ON
Child Process:
DisallowChildProcessCreation: ON
The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here.
M
2907