Nuclear Regulatory Commission Computer Security Office Computer Security Standard



Similar documents
Trusted Sites IE 10 Regedit BAT GPO

Nuclear Regulatory Commission Computer Security Office Computer Security Standard

Nuclear Regulatory Commission Computer Security Office Computer Security Standard

CalREDIE Browser Requirements

Microsoft Internet Explorer (IE) Settings

Troubleshooting steps for Oracle Financials and Markview. Jan 2015

Aras Innovator Internet Explorer Client Configuration

XIA Configuration Server

Outpost Network Security

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

Adobe Flash Player and Adobe AIR security

PLATO Learning Environment System and Configuration Requirements for workstations. October 27th, 2008

How To Protect Your Computer From Being Hacked On A Pc Or Mac (Windows) From A Virus (For A Free Download) On A Windows Xp) On Pc Or Ipad (For Free) On Your Pc Or Pc (For An Ipad

Nuclear Regulatory Commission Computer Security Office Enterprise Security Architecture Working Group Charter

Virtual Data Centre. User Guide

NETWRIX USER ACTIVITY VIDEO REPORTER

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

PLATO Learning Environment 2.0 System and Configuration Requirements. Dec 1, 2009

Feature and Technical

Building A Secure Microsoft Exchange Continuity Appliance

M86 Web Filter USER GUIDE for M86 Mobile Security Client. Software Version: Document Version:

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

SmartOffice Configuration Guide for Microsoft Windows XP with Internet Explorer 7

Welcome to the TransPerfect Translations Secure File Transfer Website What is Secure FTP?

Crystal Print Control Installation Instructions for PCs running Microsoft Windows XP and using the Internet Explorer browser

vcloud Director User's Guide

Certificates for computers, Web servers, and Web browser users

Nuclear Regulatory Commission Computer Security Office CSO Office Instruction

BYOD Guidance: BlackBerry Secure Work Space

BROWSER AND SYSTEM REQUIREMENTS

PLATO Learning Environment System and Configuration Requirements. for workstations. April 14, 2008

Technical Brief for Windows Home Server Remote Access

Host Access Management and Security Server

Entrust Managed Services PKI. Configuring secure LDAP with Domain Controller digital certificates

How To Configure CU*BASE Encryption

Nuclear Regulatory Commission Computer Security Office Computer Security Standard

Clientless SSL VPN Users

Connection and Printer Setup Guide

Infinity Acute Care System monitoring system

Everything You Wanted to Know about DISA STIGs but were Afraid to Ask

Setting up Millennium on your Computer February 4, 2016

Novell ZENworks 10 Configuration Management SP3

NETWRIX EVENT LOG MANAGER

isupplier PORTAL ACCESS SYSTEM REQUIREMENTS

Electronic Check Processing and Remote Deposit System. Magtek Imager Check Scanner Configuration and Installation Guide

Protecting Your Organisation from Targeted Cyber Intrusion

Using Internet Explorer 8 and Windows 7 with Administrative Applications

MyReports Recommended Browser Settings MYR-200a

VPN Web Portal Usage Guide

Cloud Director User's Guide

REMOTELY ACCESS YOUR FILES WITH THE FLAGLER FILECONNECT SYSTEM

OrgPublisher EChart Server Setup Guide

Web Application Security Assessment and Vulnerability Mitigation Tests

Information Assurance Directorate

Getting Started with. Ascent Capture Internet Server Revision A

IBM Security QRadar Vulnerability Manager Version User Guide

Kerala Commercial Taxes Department DIGITAL SIGNATURE HAND BOOK

Edwin Analytics Getting Started Guide

Installing and Configuring vcenter Support Assistant

Last Updated: July STATISTICA Enterprise Server Security

Citrix Access on SonicWALL SSL VPN

Aspera Connect User Guide

Sage ERP MAS 90 Sage ERP MAS 200 Sage ERP MAS 200 SQL. Installation and System Administrator's Guide 4MASIN450-08

Server Sentinel Client Workstation

1. To ensure the appropriate level of security, you will need Microsoft Windows XP or above.

HOW TO CONFIGURE PASS-THRU PROXY FOR ORACLE APPLICATIONS

BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0 Service Pack: 2. Feature and Technical Overview

Citect and Microsoft Windows XP Service Pack 2

I. Supported Browsers. II. Internet Browser Settings

BUILDER 3.0 Installation Guide with Microsoft SQL Server 2005 Express Edition January 2008

Recommended Practice Case Study: Cross-Site Scripting. February 2007

USER GUIDE: MaaS360 Services

How Reflection Software Facilitates PCI DSS Compliance

City of Jacksonville 1 of 6 Start Here >>

Directives and Instructions Regarding Security and Installation of Wireless LAN in DoD Federal Facilities

Sage ACT! Premium 2013 Web Administrator's Guide

WEB SECURITY. Oriana Kondakciu Software Engineering 4C03 Project

United States Department of Agriculture

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

Using WMI Scripts with BitDefender Client Security

Citrix EdgeSight Administrator s Guide. Citrix EdgeSight for Endpoints 5.3 Citrix EdgeSight for XenApp 5.3

Shakambaree Technologies Pvt. Ltd.

Personal Secure Certificate

Entrust Managed Services PKI Administrator Guide

Symantec Database Security and Audit 3100 Series Appliance. Getting Started Guide

GLOBAL PAYMENTS AND CASH MANAGEMENT. HSBCnet Application Guide August 2006

Did you know your security solution can help with PCI compliance too?

The cloud server setup program installs the cloud server application, Apache Tomcat, Java Runtime Environment, and PostgreSQL.

Kodak Learning Management System (LMS)

What s New in Juniper s SSL VPN Version 6.0

August 2014 Oracle Service Cloud Infrastructure Requirements...

Vyapin Office 365 Management Suite

Installation and Troubleshooting Guide for SSL-VPN CONNECTIONS Access

2X Cloud Portal v10.5

National Security Agency

Transcription:

Nuclear Regulatory Commission Computer Security Office Computer Security Standard Office Instruction: Office Instruction Title: CSO-STD-1423 Microsoft Internet Explorer 11 Configuration Standard Revision Number: 1.0 Effective Date: Februaruy 1, 2015 Primary Contacts: Responsible Organization: Summary of Changes: Training: ADAMS Accession No.: Kathy Lyons-Burke, SITSO CSO/PCT CSO-STD-1423, Microsoft Internet Explorer 11 Configuration Standard provides the minimum configuration settings that must be applied to NRC computing assets running Microsoft Internet Explorer (IE) 11. As requested ML14296A506 Primary Office Owner Standards Working Group Chair Approvals Policy, Compliance, and Training Signature Date Bill Dabbs Responsible SITSO Kathy Lyons-Burke /RA/ 10/27/2014 DAA for Non-major IT Investments Director, CSO Tom Rich /RA/ 11/03/2014 Director, OIS Jim Flanagan /RA/ 11/07/2014

CSO Standard CSO-STD-1423 Page i TABLE OF CONTENTS 1 PURPOSE... 1 2 GENERAL REQUIREMENTS... 1 2.1 PATCH APPLICATION... 1 3 SPECIFIC REQUIREMENTS... 1 3.1 NRC MODIFICATIONS TO THE DISA STIG... 2 3.1.1 DISA STIG Term Equivalence... 2 3.1.2 Requirement that is Different from the DISA STIG... 2 3.2 SECURITY ZONES... 4 3.2.1 Trusted Sites Zone... 4 3.3 ADDITIONAL WINDOWS SERVER REQUIREMENTS... 5 3.3.1 Internet Browsing on Windows Servers... 5 APPENDIX A. ACRONYMS... 6 APPENDIX B. GLOSSARY... 7 APPENDIX C. METHOD FOR IMPLEMENTING MICROSOFT IE 11 REQUIREMENTS... 8 List of Tables TABLE 3.1-1: DISA MICROSOFT IE 11 STIG AND NRC TERMS... 2 TABLE 3.1-2: IE 11 NRC-SPECIFIC REQUIREMENT THAT IS DIFFERENT FROM THE DISA STIG... 3 TABLE C.1-1: DISA STIG REQUIREMENTS ADDRESSED BY ENABLING ESC... 8

Computer Security Standard CSO-STD-1423 Microsoft Internet Explorer 11 Configuration Standard 1 PURPOSE CSO-STD-1423, Microsoft 1 Internet Explorer 11 Configuration Standard provides required configuration settings for the Nuclear Regulatory Commission (NRC) computing assets running Microsoft Internet Explorer (IE) 11. These settings serve to minimize the probability of NRC sensitive information compromise. The standard applies to computing assets used to process Sensitive Unclassified Non-Safeguards Information (SUNSI) and Safeguards Information (SGI). This configuration standard is intended for system administrators and information system security officers (ISSOs) that have the required knowledge, skills, and abilities to apply configuration settings to IE 11. 2 GENERAL REQUIREMENTS All NRC computing assets (e.g., servers, workstations, laptops) running IE 11 that are owned, managed, and/or operated by the NRC or by other parties on behalf of the NRC must comply with this standard as a minimum set of controls. Additional controls may be required after a system risk analysis is completed. The IE 11 configurations on computing assets operated by the NRC or other parties on behalf of the NRC must comply with the Defense Information Systems Agency (DISA) Microsoft IE 11 Security Technical Implementation Guide (STIG), Version 1, as modified by the requirements provided in this standard. The effective version of the DISA STIG is specified on the Computer Security Office (CSO) Standards web page. 2.1 Patch Application All available patches and security updates must be applied to IE 11 before being placed into an NRC computing environment (e.g., development, test, production). Patches must be applied on an ongoing basis per the requirements specified in CSO-STD- 0020, Organization Defined Values for System Security Controls. This ensures that known vulnerabilities are remediated on a regular schedule. 3 SPECIFIC REQUIREMENTS This section provides requirements that differ from or are required in addition to those published in the DISA Microsoft IE 11 STIG, Version 1. 1 Microsoft and Windows are registered trademarks of Microsoft Corporation in the United States and other countries.

CSO Standard CSO-STD-1423 Page 2 3.1 NRC Modifications to the DISA STIG The following sections provide guidance in applying the DISA STIG to the NRC and the DISA STIG configuration setting modified to be NRC-specific. Many of the IE STIG requirements involve Java settings. These Java settings are Microsoft Java settings, not Oracle Java. Please note that Microsoft Java has been deprecated since July 1, 2009. 3.1.1 DISA STIG Term Equivalence To understand how to comply with the DISA Microsoft IE 11 STIG, system administrators must substitute the NRC terms supplied in Table 3.1-1 for the equivalent terms used throughout the STIG. Table 3.1-1: DISA Microsoft IE 11 STIG and NRC Terms DISA STIG Terms DoD (Department of Defense) Information Assurance Manager (IAM), Information Assurance Officer (IAO), Network Security Officer (NSO), and Site Representative Mission Assurance Category (MAC-1) Mission Assurance Category (MAC-2) Mission Assurance Category (MAC-3) NRC ISSO NRC Terms Systems with a Federal Information Processing Standard (FIPS)-199 High Sensitivity Level Systems with a FIPS-199 Moderate Sensitivity Level Systems with a FIPS-199 Low Sensitivity Level 3.1.2 Requirement that is Different from the DISA STIG This section provides the NRC-specific requirement that is different from the published DISA STIG requirements. In Table 3.1-2, IE 11 NRC-Specific Requirement that is Different from the DISA STIG, the section header matches the header in the DISA STIG. The following defines the information contained within the columns of Table 3.1-2: Step: The unique identifier of this configuration item within this standard. STIG ID: The DISA STIG identifier (ID) number for this configuration item. Setting Name: The configuration item or issue. DISA Setting: The configuration setting per the DISA STIG. NRC-Specific Requirement: The NRC setting (which is different from the DISA STIG requirement) for a configuration item. Rationale: The rationale for the NRC-specific requirement that is different from the published setting in the DISA STIG.

CSO Standard CSO-STD-1423 Page 3 Table 3.1-2: IE 11 NRC-Specific Requirement that is Different from the DISA STIG Step STIG ID Setting Name DISA Setting Encryption NRC-Specific Requirement Rationale 1. DTBI014 DTBI014 - IE SSL/TLS Settings Secure Socket Layer (SSL) 3.0 and Transport Layer Security (TLS) 1.0 must be selected. Configure client encryption per the requirements in CSO-STD- 2009. NRC encryption requirements are specified in CSO-STD-2009, Cryptographic Control Standard. SSL 2.0 must not be used. Java Permissions 2. DTBI031 DTBI031-IE11- Java Permission - Internet Java must be disabled for the Internet Zone. Configure Java Permissions for the Internet Zone to be High Safety. The use of High Safety permission enabled Java applets to run in a sandbox. NRC requires the use of certain Java applications. Configuration of Connections 3. DTBI305 DTBI305-IE11- Automatic configuration of connections Configure Internet Explorer to Disable changing Automatic Configuration settings to Enabled. For NRC domain based systems, this setting must be configured to be disabled. For systems not on the NRC domain, this setting is required. The NRC specific proxy is being used to prevent user changes and distruption to Internet/Local Area Network (LAN) connections. Network Configurations 4. DTBI375 DTBI375-IE11- Network paths (UNCs) for Intranet sites Configure Internet Explorer to Intranet Sites: Include all network paths (UNCs) to Disabled. Configure UNC path settings for Intranet Sites to Enabled for User Acceptance Training. Some web applications can only be accessed through UNC paths. This requirement is allowed to facilitate access during User Acceptance Testing. Enhanced Protection Mode 5. DTBI985 DTBI985-IE11- ActiveX controls in Enhanced Protected Mode Configure Internet Explorer to Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode Configure Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled to Disabled. The DISA configuration will not allow certain required applications (e.g., Adobe) to run outside of the Enhanced Protection Mode (thus preventing it from running). The NRC configuration will prompt the user to run Adobe in a regular protected mode.

CSO Standard CSO-STD-1423 Page 4 Step STIG ID Setting Name DISA Setting is enabled to Enabled. NRC-Specific Requirement Rationale 3.2 Security Zones System administrators must not disable the IE 11 security zones. IE 11 includes predefined security zones with preset default levels of security to manage a secure environment. Internet Zone By default, all Internet and intranet sites are assigned to the Internet zone. Intranet sites are not part of the Local Intranet zone unless the user explicitly adds them to this zone. Local Intranet Zone The Local Intranet zone contains all network connections that are established using a Universal Naming Convention (UNC) path, websites that bypass proxy servers or have names that do not include periods (for example, http://local), as long as they are not assigned to the Restricted Sites or Trusted Sites zones. Trusted Sites Zone The Trusted Sites zone contains websites that are deemed safe (e.g., websites that are on the intranet or from established trusted companies). Restricted Sites Zone The Restricted Sites zone contains websites that are not trusted. 3.2.1 Trusted Sites Zone System administrators must change the level of security for each IE 11 security zone in compliance with the DISA Microsoft IE 11 STIG. Security zones offer a method to enforce Internet security policies, based on the origin of the web content. The Internet zone is the default zone for all websites unless otherwise configured. The system administrator must lock down the Internet zone as a first line of defense against potentially dangerous websites. A tightly configured Internet zone will cause some websites to not operate normaly by default. By adding the website to the Trusted Sites zone, a set of privacy and security policies less restrictive than the Internet zone is used. The level of security set for the Trusted Sites zone is applied to sites that are specifically indicated to be trusted not to damage the computing asset or information. The Trusted Sites security zone is reserved for sites that are known to be harmless and business related, and require additional capabilities that are not configured in the Internet, Local Intranet, or Restricted Sites security zones. For example: ActiveX is a form of mobile code. ActiveX can be used to embed multimedia content into other applications such as Microsoft Office or IE. ActiveX plug-ins (e.g., Adobe Flash) will not display properly unless the website displaying the content is added to the Trusted Sites zone. Websites in the Trusted Sites zone are permitted to download web content and files.

CSO Standard CSO-STD-1423 Page 5 If there is a business need, the system and network ISSO can authorize specific sites in the Trusted Sites zone. The authorization and rationale supporting the need to add a site in the Trusted Sites zone must be documented in the system security documentation. 3.3 Additional Windows Server Requirements This section defines specific requirements for Windows servers only. 3.3.1 Internet Browsing on Windows Servers Browsing the Internet on servers can expose the server to malicious code obtained from website content. Due to the criticality of servers providing services for business operations (e.g., Domain services, print server, file server), the network must ensure that Internet browsing capabilities on all Windows server types are prohibited, with the following exemption: The following Windows server type is exempt from being blocked: Windows Server Update Services (WSUS) Server If there is a business need, the system and network ISSO can authorize specific servers to access the Internet via the web browser. The authorization and rationale supporting the need for web browsing on the server must be documented. Intranet browsing (e.g., SharePoint, Internet web applications) is permitted on Windows servers.

CSO Standard CSO-STD-1423 Page 6 APPENDIX A. CAT COM CSO DISA DoD ESC FIPS IAM IAO ID IE LAN MAC ISSO NRC NSO OLE SGI SSL STD STIG SUNSI TLS UNC WSUS ACRONYMS Severity Category Code Component Object Model Computer Security Office Defense Information Systems Agency Department of Defense Enhanced Security Configuration Federal Information Processing Standard Information Assurance Manager Information Assurance Officer Identifier Internet Explorer Local Area Network Mission Assurance Category Information System Security Officer Nuclear Regulatory Commission Network Security Officer Object Linking and Embedding Safeguards Information Secure Socket Layer Standard Security Technical implementation Guide Sensitive Unclassified Non-Safeguards Information Transport Layer Security Universal Naming Convention Windows Server Update Services

CSO Standard CSO-STD-1423 Page 7 APPENDIX B. ActiveX Computing Asset Enhanced Security Configuration Trusted Sites Restricted Sites Sandbox GLOSSARY A software framework created by Microsoft that adapts its earlier Component Object Model (COM) and Object Linking and Embedding (OLE) technologies for content downloaded from a network, particularly in the context of the World Wide Web. Any hardware device or component of the environment that supports information-related activities. A Windows add-on feature for Windows Server 2003 and later that enables a locked down version of IE 11. IE 11 security zone for the Internet site whose content the user trusts. IE 11 security zone contains sites the user does not trust. An area in memory outside of which the program cannot make calls.

CSO Standard CSO-STD-1423 Page 8 APPENDIX C. METHOD FOR IMPLEMENTING MICROSOFT IE 11 REQUIREMENTS C.1 Enhanced Security Configuration The Enhanced Security Configuration (ESC) automated mechanism tool can help system administrators to implement the required IE 11 security configurations specified in this standard and secure IE 11. ESC is a Windows add-on feature for Windows Server 2003 and later that enables a locked down configuration of IE 11. ESC increases the security of IE 11 and reduces the risk of attack from web-based insecure content. ESC is enabled by default for Windows Servers. Enabling ESC configures IE 11 with higher security settings for the built-in security zones than a non-esc enabled IE 11. ESC will allow for additional security configurations to be made to support security, however ESC will not permit a setting preconfigured by ESC to be configured to a less secure value. System administrators must: Implement ESC for IE 11 on servers and enable for both system administrators and users. Configure ESC through the Add/Remove Windows Components area for Windows Server 2003 and in the Server Manager console under Configure IE ESC for Windows Server 2008. Enable ESC to assist in hardening a portion of the IE 11 requirements. For example, by enabling ESC for both users and system administrators, 64 of the 154 checks (42%) in the DISA Microsoft IE 11 STIG are configured automatically. 2 Table C.1-1, DISA STIG Requirements Addressed by Enabling ESC, lists the DISA STIG IDs that will be addressed when ESC is enabled. The following defines the information contained within the columns of Table C.1-1: STIG ID: The DISA STIG ID number for this configuration item. Severity: The DISA Severity Category Code (CAT) level assigned for this configuration item. CAT-I findings are of the highest severity, while CAT-III findings are the lowest. Rule Title: The title of the configuration item. Table C.1-1: DISA STIG Requirements Addressed by Enabling ESC STIG ID Severity Rule Title DTBI022 CAT II The Download signed ActiveX controls property must be disallowed (Internet DTBI023 CAT II The Download unsigned ActiveX controls property must be disallowed (Internet DTBI024 CAT II The Initialize and script ActiveX controls not marked as safe property must be disallowed (Internet 2 Per the version of the DISA STIG used in the creation of this standard, DISA Microsoft Internet Explorer 10 STIG V1R2.

CSO Standard CSO-STD-1423 Page 9 STIG ID Severity Rule Title DTBI030 CAT II Font downloads must be disallowed (Internet DTBI032 CAT II Accessing data sources across domains must be disallowed (Internet DTBI036 CAT II Functionality to drag and drop or copy and paste files must be disallowed (Internet DTBI038 CAT II Launching programs and files in IFRAME must be disallowed (Internet DTBI039 CAT II Navigating windows and frames across different domains must be disallowed (Internet DTBI042 CAT II Userdata persistence must be disallowed (Internet DTBI044 CAT II Clipboard operations via script must be disallowed (Internet DTBI046 CAT II Logon options must be configured to prompt (Internet DTBI112 CAT II The Download signed ActiveX controls property must be disallowed (Restricted Sites DTBI113 CAT II The Download unsigned ActiveX controls property must be disallowed (Restricted Sites DTBI114 CAT II The Initialize and script ActiveX controls not marked as safe property must be disallowed (Restricted Sites DTBI115 CAT II ActiveX controls and plug-ins must be disallowed (Restricted Sites DTBI116 CAT II ActiveX controls marked safe for scripting must be disallowed (Restricted Sites DTBI119 CAT II File downloads must be disallowed (Restricted Sites DTBI120 CAT II Font downloads must be disallowed (Restricted Sites DTBI122 CAT II Accessing data sources across domains must be disallowed (Restricted Sites DTBI123 CAT II The Allow META REFRESH property must be disallowed (Restricted Sites DTBI127 CAT II Installation of desktop items must be disallowed (Restricted Sites DTBI128 CAT II Launching programs and files in IFRAME must be disallowed (Restricted Sites DTBI129 CAT II Navigating windows and frames across different domains must be disallowed (Restricted Sites DTBI132 CAT II Userdata persistence must be disallowed (Restricted Sites DTBI133 CAT II Active scripting must be disallowed (Restricted Sites DTBI134 CAT II Clipboard operations via script must be disallowed (Restricted Sites DTBI136 CAT II Logon options must be configured and enforced (Restricted Sites DTBI340 CAT II Active content from CDs must be disallowed to run on user machines. DTBI350 CAT II Software must be disallowed to run or install with invalid signatures. DTBI355 CAT II Third-party browser extensions must be disallowed. DTBI365 CAT II Checking for server certificate revocation must be enforced. DTBI370 CAT II Checking for signatures on downloaded programs must be enforced. DTBI385 CAT II Script-initiated windows without size or position constraints must be disallowed (Internet

CSO Standard CSO-STD-1423 Page 10 STIG ID Severity Rule Title DTBI390 CAT II Script-initiated windows without size or position constraints must be disallowed (Restricted Sites DTBI395 CAT II Scriptlets must be disallowed (Internet DTBI415 CAT II Automatic prompting for file downloads must be disallowed (Internet DTBI455 CAT II Loose XAML files must be disallowed (Internet DTBI460 CAT II Loose XAML files must be disallowed (Restricted Sites DTBI465 CAT II MIME sniffing must be disallowed (Internet DTBI470 CAT II MIME sniffing must be disallowed (Restricted Sites DTBI495 CAT II Pop-up Blocker must be enforced (Internet DTBI500 CAT II Pop-up Blocker must be enforced (Restricted Sites DTBI515 CAT II Websites in less privileged web content zones must be disallowed to navigate into the Internet zone. DTBI520 CAT II Websites in less privileged web content zones must be disallowed to navigate into the Restricted Sites zone. DTBI575 CAT II Allow binary and script behaviors must be disallowed (Restricted Sites DTBI580 CAT II Automatic prompting for file downloads must be disallowed (Restricted Sites DTBI650 CAT II.NET Framework-reliant components not signed with Authenticode must be disallowed to run (Restricted Sites DTBI655 CAT II.NET Framework-reliant components signed with Authenticode must be disallowed to run (Restricted Sites DTBI670 CAT II Scripting of Java applets must be disallowed (Restricted Sites DTBI800 CAT II Scripting of IE web browser control property must be disallowed (Internet DTBI810 CAT II When uploading files to a server, the local directory path must be excluded (Internet DTBI820 CAT II Launching programs and unsafe files property must be set to prompt (Internet DTBI830 CAT II ActiveX controls without prompt property must be used in approved domains only (Internet DTBI840 CAT II Cross-Site Scripting (XSS) Filter must be enforced (Internet DTBI850 CAT II Scripting of IE web browser control must be disallowed (Restricted Sites DTBI860 CAT II When uploading files to a server, the local directory path must be excluded (Restricted Sites DTBI870 CAT II Launching programs and unsafe files property must be set to prompt (Restricted Sites DTBI880 CAT II ActiveX controls without prompt property must be used in approved domains only (Restricted Sites DTBI890 CAT II Cross-Site Scripting (XSS) Filter property must be enforced (Restricted Sites DTBI910 CAT II Status bar updates via script must be disallowed (Internet DTBI920 CAT II.NET Framework-reliant components not signed with Authenticode must be disallowed to run (Internet

CSO Standard CSO-STD-1423 Page 11 STIG ID Severity Rule Title DTBI930 CAT II.NET Framework-reliant components signed with Authenticode must be disallowed to run (Internet DTBI940 CAT II Scriptlets must be disallowed (Restricted Sites DTBI950 CAT II Status bar updates via script must be disallowed (Restricted Sites

CSO Standard CSO-STD-1423 Page 12 CSO-STD-1423 Change History Date Version Description of Changes Method Used to Announce & Distribute 27-Oct-14 1.0 Initial Release CSO web page and notification forum Training Upon request

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information