Changes in the 04/20/2015 Final Release

1. Corrected a typo: "Wndows" used by the following OVAL definition oval:gov.nist.fdcc.patch:def:10000.
   Affected data stream(s): SCAP 1.2 data streams for Windows XP, Vista, 7, IE7, and IE8.
2. Corrected the title of several XCCDF values which have "n" instead of a descriptive title.
   Affected data stream(s): SCAP 1.2 data streams for Windows XP, Vista, 7, IE7, and IE8.
3. Updated the value of @id attribute of component-ref and component to be unique.
   Affected data stream(s): SCAP 1.2 data streams for Windows XP, Vista, 7, IE7, and IE8.
   Implementation details: added the data stream version to the IDs.
4. Corrected @selector's value of the following xccdf:value: xccdf_gov.nist_value_domain_profile_name_var, xccdf_gov.nist_value_private_profile_name_var, and xccdf_gov.nist_value_public_profile_name_var
   Affected data stream(s): scap_gov.nist_USGCB-Windows-Vista-firewall.xml
   Implementation details: replaced "firewall-dir" with "firewall_dir"

Changes in the 02/10/2015 Release Candidate 1

1. Updated the fileeffectiverights53 tests to use an alternate method for checking the file effective rights.
   Affected data stream(s): scap_gov.nist_USGCB-Windows-XP.xml (WinXP-510-2.0.7.1)
   Affected CCEs: CCE-1909-1, CCE-1916-6, CCE-1937-2, CCE-2052-9, CCE-2145-1, CCE-2175-8, CCE-2176-6, CCE-2178-2, CCE-2184-0, CCE-2198-0, CCE-2220-2, CCE-2312-7, CCE-2436-4, CCE-2546-0, CCE-2672-4, CCE-2674-0, CCE-2699-7, CCE-2726-8, CCE-2731-8, CCE-2784-7, CCE-2788-8, CCE-2797-9, CCE-2833-2, CCE-2855-5, CCE-2894-4, CCE-2899-3, CCE-4952-8
   Affected OVAL definitions: oval:gov.nist.usgcb.xp:def:133, oval:gov.nist.usgcb.xp:def:140, oval:gov.nist.usgcb.xp:def:159, oval:gov.nist.usgcb.xp:def:128, oval:gov.nist.usgcb.xp:def:134, oval:gov.nist.usgcb.xp:def:146, oval:gov.nist.usgcb.xp:def:153, oval:gov.nist.usgcb.xp:def:138, oval:gov.nist.usgcb.xp:def:129, oval:gov.nist.usgcb.xp:def:154, oval:gov.nist.usgcb.xp:def:145, oval:gov.nist.usgcb.xp:def:130, oval:gov.nist.usgcb.xp:def:135, oval:gov.nist.usgcb.xp:def:151, oval:gov.nist.usgcb.xp:def:139, oval:gov.nist.usgcb.xp:def:152, oval:gov.nist.usgcb.xp:def:132, oval:gov.nist.usgcb.xp:def:131, oval:gov.nist.usgcb.xp:def:158, oval:gov.nist.usgcb.xp:def:144, oval:gov.nist.usgcb.xp:def:155, oval:gov.nist.usgcb.xp:def:156, oval:gov.nist.usgcb.xp:def:147, oval:gov.nist.usgcb.xp:def:148, oval:gov.nist.usgcb.xp:def:149, oval:gov.nist.usgcb.xp:def:150, oval:gov.nist.usgcb.xp:def:1351
2. Corrected a data type mismatch for oval:gov.nist.usgcb.xp:ste:117 and oval:gov.nist.usgcb.xp:var:287
   Affected data stream(s): scap_gov.nist_USGCB-Windows-XP.xml (WinXP-510-2.0.7.1)
   Affected CCE: CCE-3085-8
3. Corrected an incorrect format and operation for the element used by accesstoken objects.
   Affected data stream(s): scap_gov.nist_USGCB-Windows-XP.xml (WinXP-510-2.0.7.1)
   Affected CCEs: CCE-1978-6, CCE-2898-5, CCE-2700-3
   Affected OVAL definitions: oval:gov.nist.usgcb.xp:def:175, oval:gov.nist.usgcb.xp:def:176, oval:gov.nist.usgcb.xp:def:177
4. Corrected an incorrect mapping for value “xccdf_gov.nist_value_enable_indexing_uncached_exchange_folders_var” and the selector.
   Affected data stream(s): scap_gov.nist_USGCB-Windows-7.xml (Win7-510-1.2.7.1)
   Affected CCE: CCE-9866-5
5. Corrected an incorrect mapping for value “xccdf_gov.nist_value_enable-indexing-uncached-Exchange-folders_var” and the selector.
   Affected data stream(s): scap_gov.nist_USGCB-Windows-Vista.xml (Vista-510-2.0.7.1)
   Affected CCE: CCE-3143-5
6. Changed the following rules to use OCIL checks due to limitation in OVAL language to check for an empty string: xccdf_gov.nist_rule_network_access_named_pipes_that_can_be_accessed_anonymously, xccdf_gov.nist_rule_network_access_shares_that_can_be_accessed_anonymously
   Affected data stream(s): scap_gov.nist_USGCB-Windows-7.xml (Win7-510-1.2.7.1)
   Affected CCEs: CCE-9218-9, CCE-9196-7
   Added two OCIL checks: xccdf_gov.nist_rule_network_access_OCIL-named_pipes_that_can_be_accessed_anonymously, xccdf_gov.nist_rule_network_access_OCIL-shares_that_can_be_accessed_anonymously
7. Changed the following rule to use OCIL checks due to limitation in OVAL language to check for an empty string: xccdf_gov.nist_rule_Shares-that-can-be-accessed-anonymously
   Affected data stream(s): scap_gov.nist_USGCB-Windows-Vista.xml (Vista-510-2.0.7.1)
   Affected CCE: CCE-3349-8
   Added two OCIL checks: xccdf_gov.nist_rule_OCIL-Shares-that-can-be-accessed-anonymously
8. Corrected duplicate OVAL ID (oval:gov.nist.usgcb.windowsseven:obj:20020) used in multiple data streams
   Affected data stream(s): scap_gov.nist_USGCB-Windows-7.xml (Win7-510-1.2.7.1)
   Affected CCE: CCE-9985-3
9. Updated the xccdf_gov.nist_rule_security_patches_up_to_date (oval:gov.nist.fdcc.patch:obj:10000) to correct a possible false positive when the non-security patches are collected (i.e. language packs).
   Affected data stream(s): scap_gov.nist_USGCB-Windows-7.xml, scap_gov.nist_USGCB-Windows-Vista.xml, scap_gov.nist_USGCB-Windows-XP.xml, scap_gov.nist_USGCB-ie7.xml, and scap_gov.nist_USGCB-ie8.xml
10. USGCB-Windows-Settings.xls: missing multiple CCE IDs from the Excel spreadsheet.
    Added the following CCE IDs: CCE-2777-1, CCE-2336-6, CCE-3014-8, CCE-2810-0, CCE-9793-1, CCE-9832-7, CCE-10425-7
11. Change Request: modify the sleep System Hibernate Timeout rules to check for either Hibernate or Sleep Timeout settings
    Implementation details:
    - created two XCCDF rules for each data stream to replace the following rules:
      "xccdf_gov.nist_rule_Specify_the_System_Hibernate_Timeout_On_Battery" with "xccdf_gov.nist_rule_Specify_the_System_Hibernate_or_Sleep_Timeout_On_Battery"
      "xccdf_gov.nist_rule_Specify_the_System_Hibernate_Timeout_Plugged_in" with "xccdf_gov.nist_rule_Specify_the_System_Hibernate_or_Sleep_Timeout_Plugged_in"
    Affected data stream(s): scap_gov.nist_USGCB-Windows-7-Energy.xml, scap_gov.nist_USGCB-Windows-Vista-Energy.xml
12. Change Request: modify the Power Saving settings to check the Active Power Scheme configuration
    Implementation details:
    - updated the following OVAL definitions to check the Active Power Scheme configuration settings:
      oval:gov.nist.usgcb.vista:def:20022
      oval:gov.nist.usgcb.vista:def:20023
      oval:gov.nist.usgcb.vista:def:20024
      oval:gov.nist.usgcb.vista:def:20025
      oval:gov.nist.usgcb.windowsseven:def:20022
      oval:gov.nist.usgcb.windowsseven:def:20023
      oval:gov.nist.usgcb.windowsseven:def:20024
      oval:gov.nist.usgcb.windowsseven:def:20025
    Affected XCCDF rules for Vista and Windows 7 Energy data streams:
    - xccdf_gov.nist_rule_Specify_the_System_Hibernate_or_Sleep_Timeout_On_Battery
    - xccdf_gov.nist_rule_Specify_the_System_Hibernate_or_Sleep_Timeout_Plugged_in
    - xccdf_gov.nist_rule_Turn_off_the_Display_On_Battery
    - xccdf_gov.nist_rule_Turn_off_the_Display_Plugged_In
    Affected data streams: scap_gov.nist_USGCB-Windows-7-Energy.xml, scap_gov.nist_USGCB-Windows-Vista-Energy.xml
13. Change Request: update the “Interactive Logon: Smartcard removal behavior” to “No Action.”
    Implementation details:
    - changed the value for XCCDF variable "xccdf_gov.nist_value_smart_card_removal_behaviour_var" from "lock_workstation" to "no_action"
    Affected XCCDF rules for the following data streams:
    - Windows XP: xccdf_gov.nist_value_smart_card_removal_var
    - Windows Vista: xccdf_gov.nist_value_smart-card-removal-behaviour_var
    - Windows 7: xccdf_gov.nist_rule_interactive_logon_smart_card_removal_behavior
    Affected data streams: scap_gov.nist_USGCB-Windows-XP.xml, scap_gov.nist_USGCB-Windows-Vista.xml, scap_gov.nist_USGCB-Windows-7.xml
14. Corrected the value for the xccdf:reference to point to the right checklist
    Updated data streams: scap_gov.nist_USGCB-Windows-7.xml, scap_gov.nist_USGCB-Windows-7-Energy.xml, scap_gov.nist_USGCB-Windows-7-firewall.xml, scap_gov.nist_USGCB-Windows-Vista.xml, scap_gov.nist_USGCB-Windows-Vista-Energy.xml, scap_gov.nist_USGCB-Windows-Vista-firewall.xml, scap_gov.nist_USGCB-Windows-XP.xml, scap_gov.nist_USGCB-Windows-XP-firewall.xml, scap_gov.nist_USGCB-ie8.xml
15. Updated the inventory definitions referenced in the USGCB data streams to match the latest version from Mitre's OVAL repository.
16. Updated the URL value for xsi:schemaLocation to match the OVAL version specified by oval:schema_version.

================================================================================

Changes in the 3/16/2012 release

Added a new datastream for SCAP 1.2. This content was built on the existing OVAL 5.4 content, but implements requirements and features of the new versions of the data formats which make up SCAP 1.2. Support for XCCDF 1.2, OVAL 5.10, CPE 2.3, and OCIL 2.0. The changes are too extensive to document individually in the change log; tens of thousands of changes were made.
The changes can be classified into several broad categories:
1. Element names changed to meet new requirements of XCCDF 1.2. Updated headers and metadata in the XCCDF documents too.
2. New OVAL logic implemented in the Windows XP baseline which should result in better performance when checking file system permissions.
3. Conditional logic checks added for most of the settings that fall under the "conditional" category in the settings spreadsheet for all affected baselines.
4. OCIL checks added for the user settings across all affected baselines.
5. Replaced the static OVAL content for verifying that all Windows and Internet Explorer patches are installed with a dynamic check that utilizes the Windows Update Agent API.

Changes in the 11/14/2011 release

Corrected profile and version nomenclature in the Windows XP, Windows Vista, and Internet Explorer XCCDF files for the OVAL 5.3 and OVAL 5.4 data streams.
Corrected URI for dynamically retrieving the latest version of the OVAL 5.3 and 5.4 content for patch definitions.

Changes in the 8/26/2011 release

Removed the Media Center definition from the XP SCAP stream and added it to the Vista SCAP stream.
Added CCE IDs for several settings:

  Control Panel\Programs and Features\Turn Windows features on or off

  Setting                          Vista CCE ID    XP CCE ID
  Games                            CCE-18891-2     CCE-18796-3
  Internet Information Services    CCE-18279-0     CCE-18870-6
  SimpleTCP Services               CCE-18624-7     CCE-18307-9
  Telnet Client                    CCE-18129-7     (Not Applicable)
  Telnet Server                    CCE-18284-0     (Not Applicable)
  TFTP Client                      CCE-18700-5     (Not Applicable)
  Windows Media Center             CCE-18689-0     (Not Applicable)

Changes in the 6/21/2011 release

OVAL and XCCDF

Added data streams for Windows XP, Windows Vista, and Internet Explorer 7. The changes are so extensive that listing them individually is not practical. The major changes:

All of the existing FDCC content was moved to the USGCB, and the element namespaces were updated, e.g. oval:gov.nist.usgcb.vista and oval:gov.nist.usgcb.xp

Many settings were added to the XP, Vista, and IE7 data streams in order to more closely align those baselines with the USGCB for Windows 7 and IE8.
  Allow scripting of Internet Explorer web browser control (CCE-18394-7)
  Allow status bar updates via script (CCE-3249-0)
  Include local directory path when uploading files to a server (CCE-18552-0)
  Launching programs and unsafe files (CCE-18467-1)
  Run .NET Framework-reliant components not signed with Authenticode (CCE-18731-0)
  Run .NET Framework-reliant components signed with Authenticode (CCE-18230-3)
  Allow scripting of Internet Explorer web browser control (CCE-18912-6)
  Allow Scriptlets (CCE-3639-2)
  Include local directory path when uploading files to a server (CCE-18738-5)
  Launching programs and unsafe files (CCE-18137-0)
  Internet Explorer Processes (CCE-3924-8)
  Do not process the run once list (CCE-3086-6) (CCE-5032-8)
  Specify the System Hibernate Timeout (On Battery) (CCE-18938-1)
  Specify the System Hibernate Timeout (Plugged In) (CCE-18358-2)
  Turn off the Display (On Battery) (CCE-18686-6)
  Turn off the Display (Plugged In) (CCE-18303-8)
  Enable/Disable PerfTrack (CCE-18388-9)
  Configure Windows NTP Client (CCE-18220-4) (CCE-18099-2)
  Default behavior for AutoRun (CCE-8404-6)
  Turn off game updates (CCE-18987-8)
  Allow users to connect remotely using Remote Desktop Services (CCE-18715-3) (CCE-18782-3)
  Do not delete temp folder upon exit (CCE-18414-3)
  Do not use temporary folders per session (CCE-18913-4)
  Configure Automatic Updates (CCE-3358-9) (CCE-7528-3)
  Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box (CCE-3363-9) (CCE-8400-4)
  No auto-restart with logged on users for scheduled automatic updates installations (CCE-2462-0) (CCE-8375-8)
  Reschedule Automatic Updates scheduled installations (CCE-2852-2) (CCE-8406-1)
  MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) (CCE-5101-1)
  MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic
  MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) (CCE-4271-3)
  User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop (CCE-4467-7)
  Fax (CCE-2849-8)
  Core Networking - Dynamic Host Configuration Protocol (DHCP-In) (CCE-18320-2)
  Games
  Internet Information Services
  SimpleTCP Services
  Telnet Client
  Telnet Server
  TFTP Client
  Windows Media Center
  Enable screen saver (CCE-5043-5) (CCE-2901-7)
  Turn off Help Ratings (CCE-4851-2)

Many settings were removed from the XP, Vista, and IE7 data streams.

  Prevent IIS installation (CCE-3288-8) (CCE-4262-2)
  Turn off Untrusted Content (CCE-3046-0)
  Do not allow drive redirection (CCE-2874-6)
  Turn off Windows Meeting Space (CCE-2557-7)
  Do not allow Windows Messenger to be run (CCE-2684-9)
  Do not automatically start Windows Messenger initially (CCE-4797-7) (CCE-2455-4)
  Audit: Shut down system immediately if unable to log security audits (CCE-3001-5) (CCE-2851-4)
  Devices: Allowed to format and eject removable media (CCE-3225-0) (CCE-3111-2)
  MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended) (CCE-3244-1) (CCE-2683-1)
  Synchronize directory service data (CCE-4970-0) (CCE-2810-0)
  WLAN AutoConfig
  Turn off Help Experience Improvement Program (CCE-5239-9)
  Turn off Help Ratings (CCE-4851-2)
  Prompt for password on resume from hibernate / suspend (CCE-3169-0) (CCE-4390-1)
  Turn off Windows Update device driver search prompt (CCE-3278-9) (CCE-5014-6)
  Display Error Notification (CCE-5136-7)
  Turn off Automatic Root Certificates Update (CCE-3454-6) (CCE-5054-2)
  Turn off Windows Movie Maker automatic codec downloads (CCE-3403-3) (CCE-4242-4)
  Turn off Windows Movie Maker online Web links (CCE-3297-9) (CCE-4732-4)
  Turn off Windows Movie Maker saving to online video hosting provider (CCE-3385-2) (CCE-4997-3)
  Turn off Windows Update device driver searching (CCE-3278-9) (CCE-5014-6)
  Don't display the Getting Started welcome screen at logon (CCE-2781-3) (CCE-5160-7)
  Configure Outlook Express (CCE-3275-5) (CCE-3275-5)
  Disable the Reset Web Settings feature (CCE-4226-7) (CCE-4226-7)
  Turn on the Internet Connection Wizard Auto Detect (CCE-4036-0) (CCE-4036-0)
  Disable Automatic Install of Internet Explorer components (CCE-3518-8) (CCE-3518-8)
  Disable Periodic Check for Internet Explorer software updates (CCE-3576-6) (CCE-3576-6)
  Disable showing the splash screen (CCE-3706-9) (CCE-3706-9)
  Disable software update shell notifications on program launch (CCE-4118-6) (CCE-4118-6)

Unused elements were removed from all of the datastreams; however, there are still a handful of unused elements in the Vista and XP datastreams, which will be removed in a future revision to the content.
Data type was corrected for the setting Network access: Allow anonymous SID/Name translation (CCE-9531-5)
Searched for and replaced comments that had no information for temporary text.
Corrected the CCE ID for the setting MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 Recommended) (CCE-7716-4).
Corrected the test type to sid_test for the setting Accounts: Administrator account status (CCE-2943-9).

OVAL

Changed logic for the setting Account Lockout Duration (CCE-9308-8) (CCE-2363-0) (CCE-2928-0) in order to accommodate vendors who check the value via WMI.
Iterated the version of most elements throughout the content; our failure to iterate the version for many elements in the January update caused problems for scanning tools which leveraged them to minimize the volume of content pushed to clients.
Changed logic for the setting Network access: Named Pipes that can be accessed anonymously (CCE-3380-3) (CCE-3150-0) so that it is case insensitive.
Logic for numerous settings was adjusted slightly so that values which exceed the prescribed value will pass.
Updated the regex statement for the setting Network access: Named Pipes that can be accessed anonymously (CCE-3380-3) so that it is case insensitive.

XCCDF

Corrected case in the URI references used in the Windows 7 energy content, i.e., the URIs were updated to USGCB-Windows-7-Energy-oval.xml

Changes in the 1/31/2011 release

OVAL and XCCDF

Distinct content for the X86 and AMD64 platform architectures has been combined into a single stream that works on both platforms
Changed all filenames, replaced each underscore with a dash.
Corrected the CCE ID for the following setting:
  Turn off handwriting personalization data sharing (CCE-10658-3)
Changed the variable type to Boolean for the following setting:
  Network access: Allow anonymous SID/Name translation (CCE-9531-5)

OVAL

Changed operating system definitions to ignore processor architecture
Removed redundant criterion from Enable/Disable PerfTrack (CCE-10219-4)
Corrected minor logic errors for the following settings:
  Administrator Account Status (CCE-9199-1)
  Offer Remote Assistance (CCE-9960-6)
  MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) (CCE-9456-5)
  MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning (CCE-9501-8)
  MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) (CCE-9487-0)
  Set a time limit for active but idle Terminal Services sessions (CCE-10608-8)
  Set a time limit for disconnected sessions (CCE-9858-2)
  Do not allow users to enable or disable add-ons (CCE-10235-0)
  Allow status bar updates via script - Internet Zone (CCE-9750-1)
  Navigate windows and frames across different domains - Internet Zone (CCE-9865-7)
  Allow status bar updates via script - Restricted Sites Zone (CCE-10431-5)
Replaced temporary descriptions with more useful information.
Changed the logic for the following audit policy setting definitions to allow for more restrictive configurations:
  Audit Process Creation (CCE-9562-0 CCE-9805-3)
  Audit Logoff (CCE-8856-7 CCE-9058-9)
  Audit Special Logon (CCE-9763-4 CCE-9521-6)
  Audit Authentication Policy Change (CCE-9976-2 CCE-10014-9)
  Audit File System (CCE-9217-1 CCE-9811-1)
  Audit Registry (CCE-9737-8 CCE-10078-4)

XCCDF

Corrected the title and description tags for the following settings:
  Create symbolic links (CCE-8460-8)
  Configure Windows NTP client (CCE-10500-7)
  Extend point and print connection to search Windows update and use alternate connection if needed (CCE-10782-1)
  Disable remote desktop sharing (CCE-10763-1)
Corrected the description tag for 2 setting groups:
  windows_firewall_with_advanced_security_public_profile
  windows_firewall_with_advanced_security_private_profile
Corrected variable reference for
  Maximum System Log Size (CCE-10156-8)
  Fax Service (CCE-10150-1)
Corrected value selectors for Configuration of Wireless Settings Using Windows Connect Now (CCE-9879-8)
Replaced temporary descriptions with more useful information.
Deselected the following audit policy setting definitions because they are all listed as "No auditing" in the baseline and therefore *any* configuration is compliant:
  Audit Application Group Management (CCE-8822-9 CCE-9591-9)
  Audit Distribution Group Management (CCE-9644-6 CCE-8829-4)
  Audit DPAPI Activity (CCE-9735-2 CCE-9412-8)
  Audit Process Termination (CCE-9227-0 CCE-9818-6)
  Audit RPC Events (CCE-9492-0 CCE-9364-1)
  Audit Detailed Directory Service Replication (CCE-9628-9 CCE-9526-5)
  Audit Directory Service Access (CCE-9765-9 CCE-9791-5)
  Audit Directory Service Changes (CCE-9734-5 CCE-8850-0)
  Audit Directory Service Replication (CCE-9637-0 CCE-9755-0)
  Audit IPsec Extended Mode (CCE-9661-0 CCE-8857-5)
  Audit IPsec Main Mode (CCE-9715-4 CCE-8956-5)
  Audit IPsec Quick Mode (CCE-9632-1 CCE-9671-9)
  Audit Account Lockout (CCE-8853-4 CCE-9023-3)
  Audit Other Logon/Logoff Events (CCE-9622-2 CCE-9631-3)
  Audit Application Generated (CCE-9816-0 CCE-8860-9)
  Audit Certification Services (CCE-9460-7 CCE-9488-8)
  Audit File Share (CCE-9376-5 CCE-9405-2)
  Audit Filtering Platform Connection (CCE-9728-7 CCE-9569-5)
  Audit Filtering Platform Packet Drop (CCE-9133-0)
  Audit Handle Manipulation (CCE-9789-9 CCE-10098-2)
  Audit Kernel Object (CCE-9803-8 CCE-9137-1)
  Audit Other Object Access Events (CCE-9455-7 CCE-9545-5)
  Audit SAM (CCE-9856-6 CCE-9845-9)
  Audit Authorization Policy Change (CCE-9633-9 CCE-10050-3)
  Audit Filtering Platform Policy Change (CCE-9902-8 CCE-10081-8)
  Audit MPSSVC Rule-Level Policy Change (CCE-9153-8 CCE-9913-5)
  Audit Other Policy Change Events (CCE-9596-8 CCE-10049-5)
  Audit Non Sensitive Privilege Use (CCE-9190-0 CCE-9159-5)
  Audit Other Privilege Use Events (CCE-9988-7 CCE-9314-6)
  Audit Other System Events (CCE-9586-9 CCE-10088-3)
Added several metadata tags that will be required by SCAP 1.1.
Updated the profile IDs in the Windows 7 content to match the nomenclature used in other USGCB and FDCC content.

Changes in the 10/18/2010 release

OVAL

Corrected the registry value name for the "Do not process the run once list" (CCE-10154-3)

XCCDF

Corrected the value mapping table for “Allow users to connect remotely using Remote Desktop Services” (CCE-9985-3)

Changes in the 9/24/2010 release

OVAL and XCCDF

The following configuration items are now checked within the Windows 7 SCAP content: CCE-9199-1, CCE-8503-5, CCE-8655-3, CCE-8560-5, CCE-9487-0, CCE-9096-9, CCE-8804-7, CCE-9770-9, CCE-9532-3, CCE-9301-3, and CCE-9403-7.
Added the following configuration items to the Windows 7 SCAP content:
  Control Panel\Programs and Features\Turn Windows features on or off
    Games
    Internet Information Services
    SimpleTCP Services
    Telnet Client
    Telnet Server
    TFTP Client
    Windows Media Center
Created SCAP content bundles for the energy conservation settings recommended by the EPA:
  Computer Configuration\Administrative Templates\System\Power Management\Sleep Settings
    Specify the System Hibernate Timeout (On Battery)
    Specify the System Hibernate Timeout (Plugged In)
  Computer Configuration\Administrative Templates\System\Power Management\Video and Display Settings
    Turn off the Display (On Battery)
    Turn off the Display (Plugged In)
Removed orphaned objects from the Windows 7 SCAP content.
Updated the CCE IDs to include those most recently provided by MITRE.
Corrected rule and definition for Allow users to connect remotely using Remote Desktop Services (CCE-9985-3).

XCCDF

Corrected rule for Do not process the run once list (CCE-10154-3).
Changed benchmark IDs to distinguish between x86 (32-bit Windows) and x64 (64-bit Windows) baselines.

Changes in 8/31/2010 release:

OVAL

Numerous changes to match the USGCB Beta settings spreadsheet:
New definitions:
  Core Networking - Dynamic Host Configuration Protocol (DHCP-In).
  Core Networking - Dynamic Host Configuration Protocol (DHCPV6-In).
Replaced the user version of the "Turn off handwriting personalization data sharing" (CCE-10658-3) setting with the computer version (CCE-10645-0).
Changed the Debug user right so that Administrators are now allowed to possess it (CCE-8583-7).
Changed "User Account Control: Behavior of the elevation prompt for standard users" (CCE-8813-8) to "Prompt for credentials on the secure desktop."
Removed the following definitions:
  Require trusted path for credential entry (CCE-10092-5)
  Turn off Windows Update device driver search prompt (CCE-10694-8)
  Turn off Automatic Root Certificates Update (CCE-10681-5)
  Turn off Windows Update device driver searching (CCE-10093-3)
  Do not process the legacy run list (CCE-9983-8)
  Turn off Managing Phishing filter (CCE-10540-3)
  Disable Automatic Install of Internet Explorer components (CCE-9987-9)
  Disable Periodic Check for Internet Explorer software updates (CCE-10634-4)
  Disable showing the splash screen (CCE-10632-8)
  Allow status bar updates via script
  Turn on Basic feed authentication over HTTP (CCE-10007-3)
  Devices: Allowed to format and eject removable media (CCE-8868-2)
  MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended) (CCE-8784-1)
  WLAN AutoConfig (CCE-10844-9)
  Prohibit use of Internet Connection Firewall on your DNS domain network
  Prohibit use of Internet Connection Sharing on your DNS domain network (CCE-9797-2)

XCCDF

Numerous changes to match the USGCB Beta settings spreadsheet:
New definitions:
  Core Networking - Dynamic Host Configuration Protocol (DHCP-In).
  Core Networking - Dynamic Host Configuration Protocol (DHCPV6-In).
Replaced the user version of the "Turn off handwriting personalization data sharing" (CCE-10658-3) setting with the computer version (CCE-10645-0).
Changed the Debug user right so that Administrators are now allowed to possess it (CCE-8583-7).
Changed "User Account Control: Behavior of the elevation prompt for standard users" (CCE-8813-8) to "Prompt for credentials on the secure desktop."
Removed the following definitions:
  Require trusted path for credential entry (CCE-10092-5)
  Turn off Windows Update device driver search prompt (CCE-10694-8)
  Turn off Automatic Root Certificates Update (CCE-10681-5)
  Turn off Windows Update device driver searching (CCE-10093-3)
  Do not process the legacy run list (CCE-9983-8)
  Turn off Managing Phishing filter (CCE-10540-3)
  Disable Automatic Install of Internet Explorer components (CCE-9987-9)
  Disable Periodic Check for Internet Explorer software updates (CCE-10634-4)
  Disable showing the splash screen (CCE-10632-8)
  Allow status bar updates via script
  Turn on Basic feed authentication over HTTP (CCE-10007-3)
  Devices: Allowed to format and eject removable media (CCE-8868-2)
  MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended) (CCE-8784-1)
  WLAN AutoConfig (CCE-10844-9)
  Prohibit use of Internet Connection Firewall on your DNS domain network
  Prohibit use of Internet Connection Sharing on your DNS domain network (CCE-9797-2)

Prior Changes:

XCCDF

Changed firewall log file path to support more possible paths; any file name will pass, as long as it is located in one of these locations:
  c-z:\windows\system32\logfiles\firewall\
  %systemroot%\system32\logfiles\firewall\
  %windir%\system32\logfiles\firewall\
Changed version to 0.1.06
Corrected text of maximum_system_log_size rule description and title.
Changed linked oval definition for maximum_system_log_size to definition 268.
Changed profile ID to "united_states_government_configuration_baseline_1.0.1.0"
Added CCEs for the following rules:
  network_security_force_logoff_when_logon_hours_expire
  wlan_autoconfig
  Kerberos Authentication Service
  maximum_system_log_size
  turn_off_data_execution_prevention_for_explorer
  prevent_windows_media_drm_internet_access
  do_not_show_first_use_dialog_boxes
  prevent_automatic_updates
  configure_automatic_updates
  reschedule_automatic_updates_scheduled_installations
  no_auto_restart_with_logged_on_users_for_scheduled_automatic_updates_installations
  do_not_display_install_updates_and_shut_down_option_in_shut_down_windows_dialog_box
Commented out empty identity elements for the following rules while awaiting CCEs:
  mss_enable_dead_gw_detect
  ipsec_main_mode
  file_system_auditing
  registry_auditing
  prohibit_use_of_internet_connection_firewall_on_your_dns_domain_network
  do_not_allow_digital_locker_to_run
  disable_remote_desktop_sharing
  turn_off_the_communities_features
  windows_mail_application_manual_launch_permitted
  turn_off_help_experience_improvement_program
  turn_off_help_ratings
  prompt_for_password_on_resume_from_hibernate_suspend
  prevent_users_from_sharing_files_within_their_profile

OVAL

Changed firewall log file size checks from 'equals' to 'greater than or equals'.
Corrected numerous OVAL definitions in the Windows 7 OVAL content so that always precedes the , removed blank lines.
Commented out all