StigData/Processed/Office-Skype2016-1.1.xml
|
<DISASTIG version="1" classification="UNCLASSIFIED" customname="" stigid="Microsoft_Skype_for_Business_2016" description="The Microsoft Skype for Business 2016 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil." filename="U_Microsoft_Skype_for_Business_2016_STIG_V1R1_Manual-xccdf.xml" releaseinfo="Release: 1 Benchmark Date: 14 Nov 2016" title="Microsoft Skype for Business 2016 Security Technical Implementation Guide" notice="terms-of-use" source="STIG.DOD.MIL" fullversion="1.1" created="1/10/2024">
<RegistryRule dscresourcemodule="PSDscResources"> <Rule id="V-70901" severity="medium" conversionstatus="pass" title="SRG-APP-000516" dscresource="RegistryPolicyFile"> <Description><VulnDiscussion>Allows Microsoft Lync to store user passwords. If you enable this policy setting, Microsoft Lync can store a password on request from the user. If you disable this policy setting, Microsoft Lync cannot store a password. If you do not configure this policy setting and the user logs on to a domain, Microsoft Lync does not store the password. If you do not configure this policy setting and the user does not log on to a domain (for example, if the user logs on to a workgroup), Microsoft Lync can store the password. Note: You can configure this policy setting under both Computer Configuration and User Configuration, but the policy setting under Computer Configuration takes precedence. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\office\16.0\lync</Key> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the policy value for Computer Configuration -> Administrative Templates -> Skype for Business 2016 -> Microsoft Lync Feature Policies "Allow storage of user passwords" is set to "Disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\office\16.0\lync Criteria: If the value savepassword is REG_DWORD = 0, this is not a finding.</RawString> <ValueData>0</ValueData> <ValueName>savepassword</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-70903" severity="medium" conversionstatus="pass" title="SRG-APP-000219" dscresource="RegistryPolicyFile"> <Description><VulnDiscussion>When Lync connects to the server, it supports various authentication mechanisms. This policy allows the user to specify whether Digest and Basic authentication are supported. Disabled (default): NTLM/Kerberos/TLS-DSK/Digest/Basic Enabled: Authentication mechanisms: NTLM/Kerberos/TLS-DSK Gal Download: Requires HTTPS if user is not logged in as an internal user. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\office\16.0\lync</Key> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the policy value for Computer Configuration -> Administrative Templates -> Skype for Business 2016 -> Microsoft Lync Feature Policies "Configure SIP security mode" is set to "Enabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\office\16.0\lync Criteria: If the value enablesiphighsecuritymode is REG_DWORD = 1, this is not a finding.</RawString> <ValueData>1</ValueData> <ValueName>enablesiphighsecuritymode</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-70905" severity="medium" conversionstatus="pass" title="SRG-APP-000219" dscresource="RegistryPolicyFile"> <Description><VulnDiscussion>Prevents from HTTP being used for SIP connection in case TLS or TCP fail. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\office\16.0\lync</Key> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the policy value for Computer Configuration -> Administrative Templates -> Skype for Business 2016 -> Microsoft Lync Feature Policies "Disable HTTP fallback for SIP connection" is set to "Enabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\office\16.0\lync Criteria: If the value disablehttpconnect is REG_DWORD = 1, this is not a finding.</RawString> <ValueData>1</ValueData> <ValueName>disablehttpconnect</ValueName> <ValueType>Dword</ValueType> </Rule> </RegistryRule> </DISASTIG> |