StigData/Processed/Office-Skype2016-1.1.xml

<DISASTIG version="1" classification="UNCLASSIFIED" customname="" stigid="Microsoft_Skype_for_Business_2016" description="The Microsoft Skype for Business 2016 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil." filename="U_Microsoft_Skype_for_Business_2016_STIG_V1R1_Manual-xccdf.xml" releaseinfo="Release: 1 Benchmark Date: 14 Nov 2016" title="Microsoft Skype for Business 2016 Security Technical Implementation Guide" notice="terms-of-use" source="STIG.DOD.MIL" fullversion="1.1" created="1/10/2024">
  <RegistryRule dscresourcemodule="PSDscResources">
    <Rule id="V-70901" severity="medium" conversionstatus="pass" title="SRG-APP-000516" dscresource="RegistryPolicyFile">
      <Description>&lt;VulnDiscussion&gt;Allows Microsoft Lync to store user passwords. If you enable this policy setting, Microsoft Lync can store a password on request from the user. If you disable this policy setting, Microsoft Lync cannot store a password. If you do not configure this policy setting and the user logs on to a domain, Microsoft Lync does not store the password. If you do not configure this policy setting and the user does not log on to a domain (for example, if the user logs on to a workgroup), Microsoft Lync can store the password. Note: You can configure this policy setting under both Computer Configuration and User Configuration, but the policy setting under Computer Configuration takes precedence.
&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DuplicateOf />
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\office\16.0\lync</Key>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Skype for Business 2016 -&gt; Microsoft Lync Feature Policies "Allow storage of user passwords" is set to "Disabled".
 
Procedure: Use the Windows Registry Editor to navigate to the following key:
 
HKLM\Software\Policies\Microsoft\office\16.0\lync
 
Criteria: If the value savepassword is REG_DWORD = 0, this is not a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>savepassword</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-70903" severity="medium" conversionstatus="pass" title="SRG-APP-000219" dscresource="RegistryPolicyFile">
      <Description>&lt;VulnDiscussion&gt;When Lync connects to the server, it supports various authentication mechanisms. This policy allows the user to specify whether Digest and Basic authentication are supported. Disabled (default): NTLM/Kerberos/TLS-DSK/Digest/Basic Enabled: Authentication mechanisms: NTLM/Kerberos/TLS-DSK Gal Download: Requires HTTPS if user is not logged in as an internal user.
&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DuplicateOf />
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\office\16.0\lync</Key>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Skype for Business 2016 -&gt; Microsoft Lync Feature Policies "Configure SIP security mode" is set to "Enabled".
 
Procedure: Use the Windows Registry Editor to navigate to the following key:
 
HKLM\Software\Policies\Microsoft\office\16.0\lync
 
Criteria: If the value enablesiphighsecuritymode is REG_DWORD = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>enablesiphighsecuritymode</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-70905" severity="medium" conversionstatus="pass" title="SRG-APP-000219" dscresource="RegistryPolicyFile">
      <Description>&lt;VulnDiscussion&gt;Prevents from HTTP being used for SIP connection in case TLS or TCP fail.
&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DuplicateOf />
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\office\16.0\lync</Key>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Skype for Business 2016 -&gt; Microsoft Lync Feature Policies "Disable HTTP fallback for SIP connection" is set to "Enabled".
 
Procedure: Use the Windows Registry Editor to navigate to the following key:
 
HKLM\Software\Policies\Microsoft\office\16.0\lync
 
Criteria: If the value disablehttpconnect is REG_DWORD = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>disablehttpconnect</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
  </RegistryRule>
</DISASTIG>