NIST Security Configuration Checklists Repository

Desktop Application Security Technical Implementation Guide

Name

Desktop Application Security Technical Implementation Guide, v2 Release 1

Version

v2 Release 1

Status

Final

Creation Date

2004-07-26

Revision Date

2004-10-29

Product Category

Antivirus Software
Web Browser
Office Automation/Productivity Suite

Vendor

Symantec Corporation
McAfee, Inc.
Netscape
Microsoft Corporation

Product

Norton Antivirus v9
McAfee v7
Netscape Navigator v4.2, 6.7 and 7
Internet Explorer v6
Outlook 2000, XP and 2003
MS Office 2000, XP and 2003

Product Version

Norton Antivirus v9
McAfee v7
Netscape Navigator v4.2, 6.7 and 7
Internet Explorer v6
Outlook 2000, XP and 2003
MS Office 2000, XP and 2003

Product Role

Desktop Client

Checklist Summary

This Desktop Application Security Technical Implementation Guide (STIG) provides the technical security policies, requirements, and implementation details for applying security concepts to Commercial-Off-The-Shelf (COTS) applications on desktop workstations in order to alleviate security vulnerabilities. The requirements and recommendations set forth in this document will assist IAOs and IAMs in protecting desktop applications in the DECCs, DECC-Ds, RNOSCs, SSOs, other DISA customers, and other DOD locations. The document will also assist in identifying external security exposures created when desktop workstations are connected to an Automated Information System (AIS) outside the site's control. This document provides general guidance on some of the commonly found desktop applications in the most commonly found desktop operating system environments. Web browsers (Netscape Navigator v4.2, 6.7 and 7; Internet Explorer v6) and e-mail clients (Outlook 2000, XP, 2003) were given priority, because they are most common. Anti-virus products (NAV v9, McAfee v7), because of their strategic importance in preventing problems, were also a priority. Other applications (MS Office 2000, XP, 2003) were added as specific requirements were identified. Appendices exist that apply the general guidance to specific products and versions of commonly found applications. For applications not specifically defined in the appendices, such as Corel WordPerfect Office, Eudora, Ghostview, Lotus Notes, Macromedia Shockwave, and Outlook Express, guidance from the general section should be used to secure the application. Even though this document addresses the security of COTS applications rather than an operating system, it is not possible to completely separate the security issues. Security is an attribute of the whole as well as of each of the parts. In accordance with this philosophy, the same policies and guidance that apply clearly to operating systems are also applicable to applications.

Known Issues

This Desktop Application STIG presents the known security configuration items, vulnerabilities, and issues required to be addressed by DoD policy. In addition to this STIG, compliance validation tools and checklists are available to .mil and .gov customers to assist in the efforts to implement the required configuration. It should be noted that FSO Support for the STIGs, Checklists, and Tools is only available to DoD Customers. It must be noted that the guidelines specified should be evaluated in a local, representative test environment before implementation within large user populations. The extensive variety of environments makes it impossible to test these guidelines for all potential software configurations. For some environments, failure to test before implementation will lead to a loss of required functionality.

Target Audience

Developed for the DOD.
This document is intended to be useful to desktop administrators whose duty it is to set up users' desktops.

Target Operational Environment

Enterprise and Specialized Security-Limited Functionality.

Checklist Installation Tools

Not available.

Rollback Capability

Not available.

Testing Information

Not available.

NIAP/CMVP Status

Not available.

Regulatory Compliance

DOD Directive 8500.

Comments, Warnings, Disclaimer, Miscellaneous

Refer to Known Issues.

Disclaimer

Not available.

Product Support

It should be noted that FSO Support for the STIGs, Checklists, and Tools is only available to DOD Customers.

Submitting Organization/Authors

Defense Information Systems Agency

Point of Contact

Not available.

Sponsor

Not available.

Licensing

Not available.

Checklist Homepage

http://iase.disa.mil/stigs/stig/index.html

Download Package

http://iase.disa.mil/stigs/stig/desktop-application-stig-v2r1.pdf

Integrity

SHA1 Digest (desktop-application-stig-v2r1.pdf) = 14f573f830c0cd12f7117738452c4bd7a179af23

SHA256 Digest (desktop-application-stig-v2r1.pdf) = 47fa0bdcd2c81f83e8b80cc2c6586e97adbb622ebad6a37c7effe416df33940b

Change History

v2 Release 0: 2004-07-26
v2 Release 1: 2004-10-29

Dependency/Requirement

Desktop Application Checklist v1r1.10

References

Government Publications

Chairman of the Joint Chiefs of Staff, CJCS Manual 6510.01, “Defense-In-Depth: Information Assurance (IA) and Computer Network Defense (CND),” 15 March 2002.

Department of Defense, Chief Information Officer Memorandum, “Department of Defense (DoD) Public Key Infrastructure (PKI),” 12 August 2000.

Department of Defense, Chief Information Officer Memorandum, “Policy Guidance for Use of Mobile Code Technologies in Department of Defense (DoD) Information Systems,” 7 November 2000.

Department of Defense, Chief Information Officer Memorandum, “Public Key Enabling (PKE) of Applications, Web Servers, and Networks for the Department of Defense (DoD),” 17 May 2001.

Department of Defense, DoD Directive (DODD) 8500.1, “Information Assurance (IA),” 24 October 2002.

Department of Defense, “X.509 Certificate Policy for the United States Department of Defense,” Version 5.2, 13 November 2000.

Defense Information Systems Agency, “Configuration Guidance for Client Workstations and Applications To Implement the DoD Policy on the Use of Mobile Code,” Version 1.0, 15 February 2002.

Defense Information Systems Agency, “Developer’s Guide for Using Mobile Code Technologies in Department of Defense and Intelligence Community Information Systems,” 15 August 2002.

Defense Information Systems Agency, “Secure Remote Computing Security Technical Implementation Guide,” Version 1, Release 1.

National Security Agency (NSA), “E-mail Security in the Wake of Recent Malicious Code Incidents,” Version 2.6, 29 January 2002.

National Security Agency (NSA), “Guide to Securing Microsoft Windows NT Networks,” Version 4.2, 18 September 2001.

National Security Agency (NSA), “Microsoft Office 2000 Executable Content Security Risks and Countermeasures,” 8 February 2002.

Public Law 100-235, “Computer Security Act of 1987,” 8 January 1988.

Government Web Sites

http://www.disa.mil/ Defense Information Systems Agency

https://datahouse.disa.mil/ Defense Information Systems Agency Datahouse

http://iase.disa.mil/ (NIPRNet) and http://iase.disa.smil.mil/ (SIPRNet) Defense Information Systems Agency Information Assurance Support Environment

http://www.cert.mil/ (NIPRNet) and http://www.cert.smil.mil/ (SIPRNet) Department of Defense Computer Emergency Response Team (DOD-CERT)

http://dodpki.c3pki.chamb.disa.mil/ or http://dodpki.c3pki.den.disa.mil/ Department of Defense Class 3 Public Key Infrastructure (PKI) Home Page

http://www.c3i.osd.mil/org/sio/ia/pki.html Department of Defense Public Key Infrastructure Program Management Office (DOD PKI PMO)

http://www.nsa.gov/isso/index.html National Security Agency Information Assurance Directorate (NSA IAD)

Commercial and Other Non-government Sites

http://www.icsalabs.com/ International Computer Security Association (ICSA) Labs

http://www.mcafee.com/support/ McAfee Support

http://www.microsoft.com/downloads/search.asp Microsoft Download Center

http://www.microsoft.com/windows/ie/downloads/default.asp Microsoft IE Product Downloads

http://www.microsoft.com/technet/security/current.asp Microsoft TechNet Security

http://channels.netscape.com/ns/browsers/default.jsp Netscape Browser Central

http://wp.netscape.com/security/notes/index.html Netscape Security Notes

http://www.symantec.com/techsupp/ Symantec Service & Support

http://www.wildlist.org/ The WildList Organization

NIST Identifier

1061
NIST and the checklist submitter do not guarantee or warrant the checklist's accuracy or completeness. NIST is not responsible for loss, damage, or problems that may be caused by using the checklist.

Last updated: September 18, 2005
Page created: October 28, 2004