StigData/Archive/Office/U_Microsoft_Skype_for_Business_2016_STIG_V1R1_Manual-xccdf.xml

<?xml version="1.0" encoding="utf-8"?><?xml-stylesheet type='text/xsl' href='STIG_unclass.xsl'?><Benchmark xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cpe="http://cpe.mitre.org/language/2.0" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:dc="http://purl.org/dc/elements/1.1/" id="Microsoft_Skype_for_Business_2016" xml:lang="en" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 http://nvd.nist.gov/schema/xccdf-1.1.4.xsd http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd" xmlns="http://checklists.nist.gov/xccdf/1.1"><status date="2016-11-02">accepted</status><title>Microsoft Skype for Business 2016 Security Technical Implementation Guide</title><description>The Microsoft Skype for Business 2016 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.</description><notice id="terms-of-use" xml:lang="en"></notice><reference href="http://iase.disa.mil"><dc:publisher>DISA</dc:publisher><dc:source>STIG.DOD.MIL</dc:source></reference><plain-text id="release-info">Release: 1 Benchmark Date: 14 Nov 2016</plain-text><version>1</version><Profile id="MAC-1_Classified"><title>I - Mission Critical Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-70901" selected="true" /><select idref="V-70903" selected="true" /><select idref="V-70905" selected="true" /></Profile><Profile id="MAC-1_Public"><title>I - Mission Critical Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-70901" selected="true" /><select idref="V-70903" selected="true" /><select idref="V-70905" selected="true" /></Profile><Profile id="MAC-1_Sensitive"><title>I - Mission Critical 
Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-70901" selected="true" /><select idref="V-70903" selected="true" /><select idref="V-70905" selected="true" /></Profile><Profile id="MAC-2_Classified"><title>II - Mission Support Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-70901" selected="true" /><select idref="V-70903" selected="true" /><select idref="V-70905" selected="true" /></Profile><Profile id="MAC-2_Public"><title>II - Mission Support Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-70901" selected="true" /><select idref="V-70903" selected="true" /><select idref="V-70905" selected="true" /></Profile><Profile id="MAC-2_Sensitive"><title>II - Mission Support Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-70901" selected="true" /><select idref="V-70903" selected="true" /><select idref="V-70905" selected="true" /></Profile><Profile id="MAC-3_Classified"><title>III - Administrative Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-70901" selected="true" /><select idref="V-70903" selected="true" /><select idref="V-70905" selected="true" /></Profile><Profile id="MAC-3_Public"><title>III - Administrative Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-70901" selected="true" /><select idref="V-70903" selected="true" /><select idref="V-70905" selected="true" /></Profile><Profile id="MAC-3_Sensitive"><title>III - Administrative Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-70901" selected="true" /><select idref="V-70903" selected="true" /><select idref="V-70905" selected="true" /></Profile><Group 
id="V-70901"><title>SRG-APP-000516</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-85525r1_rule" severity="medium" weight="10.0"><version>DTOO420</version><title>The ability to store user passwords in Skype must be disabled.
</title><description>&lt;VulnDiscussion&gt;This policy setting controls whether Microsoft Lync (the client the Skype for Business 2016 policy templates still refer to as Lync) is allowed to store user passwords. If you enable this policy setting, Microsoft Lync can store a password on request from the user. If you disable this policy setting, Microsoft Lync cannot store a password. If you do not configure this policy setting and the user logs on to a domain, Microsoft Lync does not store the password. If you do not configure this policy setting and the user does not log on to a domain (for example, if the user logs on to a workgroup), Microsoft Lync can store the password. A stored password can be reused by anyone who obtains the user's profile or runs code as that user, so storage must be explicitly disabled rather than left unconfigured. Note: You can configure this policy setting under both Computer Configuration and User Configuration, but the policy setting under Computer Configuration takes precedence.
&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Microsoft Skype for Business 2016</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Microsoft Skype for Business 2016</dc:subject><dc:identifier>3123</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-77233r1_fix">Set the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Skype for Business 2016 -&gt; Microsoft Lync Feature Policies "Allow storage of user passwords" to "Disabled".
</fixtext><fix id="F-77233r1_fix" /><check system="C-71345r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Microsoft Skype for Business 2016.xml" /><check-content>Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Skype for Business 2016 -&gt; Microsoft Lync Feature Policies "Allow storage of user passwords" is set to "Disabled".
 
Procedure: Use the Windows Registry Editor to navigate to the following key:
 
HKLM\Software\Policies\Microsoft\office\16.0\lync
 
Criteria: If the value savepassword is REG_DWORD = 0, this is not a finding. If the value does not exist or is set to any other value, this is a finding.</check-content></check></Rule></Group><Group id="V-70903"><title>SRG-APP-000219</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-85527r1_rule" severity="medium" weight="10.0"><version>DTOO421</version><title>Session Initiation Protocol (SIP) security mode must be configured.
</title><description>&lt;VulnDiscussion&gt;When Lync connects to the server, it supports several authentication mechanisms. This policy setting controls whether the weaker Digest and Basic mechanisms remain available. Disabled (default): NTLM, Kerberos, TLS-DSK, Digest, and Basic are all permitted. Enabled: only NTLM, Kerberos, and TLS-DSK are permitted, and Global Address List (GAL) download requires HTTPS if the user is not logged in as an internal user. Basic authentication sends the user's password itself to the server, so removing Basic and Digest restricts the client to the Kerberos, NTLM, and certificate-based TLS-DSK mechanisms.
&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Microsoft Skype for Business 2016</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Microsoft Skype for Business 2016</dc:subject><dc:identifier>3123</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001184</ident><fixtext fixref="F-77235r1_fix">Set the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Skype for Business 2016 -&gt; Microsoft Lync Feature Policies "Configure SIP security mode" to "Enabled".
</fixtext><fix id="F-77235r1_fix" /><check system="C-71347r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Microsoft Skype for Business 2016.xml" /><check-content>Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Skype for Business 2016 -&gt; Microsoft Lync Feature Policies "Configure SIP security mode" is set to "Enabled".
 
Procedure: Use the Windows Registry Editor to navigate to the following key:
 
HKLM\Software\Policies\Microsoft\office\16.0\lync
 
Criteria: If the value enablesiphighsecuritymode is REG_DWORD = 1, this is not a finding. If the value does not exist or is set to any other value, this is a finding.</check-content></check></Rule></Group><Group id="V-70905"><title>SRG-APP-000219</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-85529r1_rule" severity="medium" weight="10.0"><version>DTOO422</version><title>In the event a secure Session Initiation Protocol (SIP) connection fails, the connection must be restricted from resorting to unencrypted HTTP.
</title><description>&lt;VulnDiscussion&gt;This policy setting prevents HTTP from being used for the SIP connection if the TLS or TCP connection fails. Without it, a failed secure connection can silently degrade to unencrypted HTTP, exposing SIP signaling in clear text on the network path.
&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Microsoft Skype for Business 2016</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Microsoft Skype for Business 2016</dc:subject><dc:identifier>3123</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001184</ident><fixtext fixref="F-77237r1_fix">Set the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Skype for Business 2016 -&gt; Microsoft Lync Feature Policies "Disable HTTP fallback for SIP connection" to "Enabled".
</fixtext><fix id="F-77237r1_fix" /><check system="C-71349r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Microsoft Skype for Business 2016.xml" /><check-content>Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Skype for Business 2016 -&gt; Microsoft Lync Feature Policies "Disable HTTP fallback for SIP connection" is set to "Enabled".
 
Procedure: Use the Windows Registry Editor to navigate to the following key:
 
HKLM\Software\Policies\Microsoft\office\16.0\lync
 
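Scripted check (added example, not part of the DISA STIG or its automated benchmark): the three registry checks in this STIG (DTOO420 savepassword, DTOO421 enablesiphighsecuritymode, and DTOO422 disablehttpconnect) all read the same key, so they can be audited in one pass. The value names and expected data below are taken from the check-content of each rule; the rule labels, the output layout, and the non-zero exit code are this example's own choices.

```powershell
# Added example, not part of the DISA STIG: audit the three Skype for Business 2016
# machine-policy registry values checked by DTOO420, DTOO421 and DTOO422 in one pass.
$policyKey = 'HKLM:\Software\Policies\Microsoft\office\16.0\lync'

# Value names and expected REG_DWORD data, taken from the check-content of each rule.
$expected = @(
    @{ Rule = 'DTOO420'; Name = 'savepassword';              Value = 0 }
    @{ Rule = 'DTOO421'; Name = 'enablesiphighsecuritymode'; Value = 1 }
    @{ Rule = 'DTOO422'; Name = 'disablehttpconnect';        Value = 1 }
)

$results = foreach ($e in $expected) {
    # With -ErrorAction SilentlyContinue a missing key or value yields $null.
    # A missing value means the policy is Not Configured, which is a finding for
    # all three rules because each one must be set explicitly.
    $item   = Get-ItemProperty -Path $policyKey -Name $e.Name -ErrorAction SilentlyContinue
    $actual = if ($null -eq $item) { $null } else { $item.($e.Name) }

    # Get-ItemProperty returns REG_DWORD data as [int]; requiring that type rejects
    # a REG_SZ "1" or "0" that a loose -eq comparison would otherwise accept.
    $status = if (($actual -is [int]) -and ($actual -eq $e.Value)) { 'Not a Finding' } else { 'Open' }
    $shown  = if ($null -eq $actual) { 'Not Configured' } else { $actual }

    [pscustomobject]@{
        Rule     = $e.Rule
        Name     = $e.Name
        Expected = $e.Value
        Actual   = $shown
        Status   = $status
    }
}

$results | Format-Table -AutoSize

# Exit non-zero when any rule is Open so the script can gate a compliance pipeline.
if (@($results | Where-Object { $_.Status -eq 'Open' }).Count -ne 0) { exit 1 }
```

Run it in a PowerShell session on the client being checked. The script deliberately reads only the HKLM key named in the manual procedure; as the discussion for DTOO420 notes, the Computer Configuration value takes precedence over any User Configuration value, so a per-user setting does not change the result.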
Criteria: If the value disablehttpconnect is REG_DWORD = 1, this is not a finding. If the value does not exist or is set to any other value, this is a finding.</check-content></check></Rule></Group></Benchmark>