Check: H30120 - ePO 5x
HBSS ePO 5.x STIG:
H30120 - ePO 5x
(in version v2 r5)
Title
(U) ESS must use the approved DoD WSUS ESS site for Microsoft patches. (Cat II impact)
Discussion
(U) Microsoft patches and updates from an untrusted, non-DoD source can introduce malicious content into the ESS environment and can introduce settings that override a secured installation of the application. This places DoD information at risk.
Check Content
(CUI) Note: If automatic updates are not being used and the system administrator manually downloads, installs, and documents ESS-approved patches, this check can be considered NA.

If the ePO server is using Windows Update, it must use the approved DoD ESS WSUS site or a downstream WSUS server and must be configured for the appropriate ESS WSUS container.

Important Note: There are approved patches that are only applicable to ePO servers. Simply pointing the ePO server to the DoD ESS WSUS and downloading/installing all patches is not an approved method. The ePO server must be configured for client-side targeting and placed in the appropriate target group.

WSUS procedures can be found on the DoD Patch Repository website:
- For guidance on configuring ESS for the DoD WSUS: https://patches.csd.disa.mil/Metadata.aspx?ID=80664
- For the WSUS Downstream Server Configuration Guide: https://patches.csd.disa.mil/WSUS/Documentation.aspx

Using Local Computer Policy (i.e., gpedit.msc), navigate to Computer Configuration >> Administrative Templates >> Windows Components >> Windows Update >> Configure Automatic Updates. Settings must be:
- Configure Automatic Updates: verify Enabled is selected
- Configure Automatic Updating: verify "2 - Notify for download and notify for install"
- Scheduled Install Day: verify "0 - Everyday"
- Scheduled Install Time: verify "03:00"

Using Local Computer Policy (i.e., gpedit.msc), navigate to Computer Configuration >> Administrative Templates >> Windows Components >> Windows Update >> Specify intranet Microsoft update service location. Settings must be:
- Specify intranet Microsoft update service location: verify Enabled is selected
- Set the intranet update service for detecting updates: verify https://dodwsus.csd.disa.mil is configured
- Set the intranet statistics server: verify https://dodwsus.csd.disa.mil is configured

Using Local Computer Policy (i.e., gpedit.msc), navigate to Computer Configuration >> Administrative Templates >> Windows Components >> Windows Update >> Enable client-side targeting. Settings must be:
- Enable client-side targeting: verify Enabled is selected
- For Windows Server 2003, Target group name for this computer: verify ESS is configured
- For Windows Server 2008 R2, Target group name for this computer: verify ESS2008R2 is configured
- For Windows Server 2012/R2, Target group name for this computer: verify ESS2012 is configured

1) If automatic updates are being used and the three group policy settings above are not configured as required, this is a finding.
2) If the ePO server does not have client-side targeting configured and is not placed in the appropriate target group (ESS, ESS2008R2, or ESS2012), this is a finding.
Fix Text
(CUI) If the ePO server is using Windows Update, update the settings to use the DoD ESS WSUS site or a downstream WSUS server and configure the appropriate ESS WSUS container.

Using Local Computer Policy (i.e., gpedit.msc), navigate to Computer Configuration >> Administrative Templates >> Windows Components >> Windows Update >> Configure Automatic Updates and configure the following:
- In the "Configure Automatic Updates" section, select the "Enabled" radio button
- In the "Configure Automatic updating" dropdown, select "2 - Notify for download and notify for install"
- In the "Scheduled Install Day" dropdown, select "0 - Everyday"
- In the "Scheduled Install Time" dropdown, select "03:00"

Using Local Computer Policy (i.e., gpedit.msc), navigate to Computer Configuration >> Administrative Templates >> Windows Components >> Windows Update >> Specify intranet Microsoft update service location and configure the following:
- In the "Specify intranet Microsoft update service location" section, select the "Enabled" radio button
- In the "Set the intranet update service for detecting updates" text box, enter "https://dodwsus.csd.disa.mil"
- In the "Set the intranet statistics server" text box, enter "https://dodwsus.csd.disa.mil"

Using Local Computer Policy (i.e., gpedit.msc), navigate to Computer Configuration >> Administrative Templates >> Windows Components >> Windows Update >> Enable client-side targeting and configure the following:
- In the "Enable client-side targeting" section, select the "Enabled" radio button
- For Windows Server 2003, in the "Target group name for this computer" text box, enter "HBSS"
- For Windows Server 2008 R2, in the "Target group name for this computer" text box, enter "HBSS2008R2"
- For Windows Server 2012/R2, in the "Target group name for this computer" text box, enter "HBSS2012"
Expert Comments
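The three Group Policy settings above are stored under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (and its AU subkey), whether they come from Local Computer Policy or from a domain GPO, so the check can be scripted instead of walked through gpedit.msc. The script below is an added example, not part of the STIG text or of any DISA tooling: it reads those registry values and reports each deviation as a finding. The function name, parameter names and the result object are choices made for this example. Note that the Check Content names the target groups ESS, ESS2008R2 and ESS2012 while the Fix Text names HBSS, HBSS2008R2 and HBSS2012, so the expected group name is a required parameter; supply whichever the DoD Patch Repository guidance linked above specifies for the server's OS, and pass a downstream WSUS server's URL if one is used instead of the DoD site.

```powershell
# Added example (not from the STIG): audit the registry values written by the three
# Group Policy settings in check H30120. Run in an elevated prompt on the ePO server.
function Test-EpoWsusPolicy {
    [CmdletBinding()]
    param(
        # ESS/ESS2008R2/ESS2012 per the Check Content, HBSS/HBSS2008R2/HBSS2012 per the
        # Fix Text; use the value the DoD Patch Repository guidance gives for this OS.
        [Parameter(Mandatory)] [string] $ExpectedTargetGroup,
        # The DoD ESS WSUS site, or an approved downstream WSUS server.
        [string[]] $ApprovedWsusServers = @('https://dodwsus.csd.disa.mil'),
        # Set when patches are downloaded, installed and documented manually (check is NA).
        [switch] $ManualPatching
    )

    if ($ManualPatching) {
        return [pscustomobject]@{ Status = 'NA'; Findings = @() }
    }

    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey = "$wuKey\AU"
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
    $findings = New-Object System.Collections.Generic.List[string]

    # "Configure Automatic Updates" = Enabled writes NoAutoUpdate=0 plus the schedule
    # values under the AU subkey. A missing key or value reads as $null and is a finding.
    if ($au.NoAutoUpdate -ne 0) {
        $findings.Add('Configure Automatic Updates is not Enabled (NoAutoUpdate must be 0)')
    }
    if ($au.AUOptions -ne 2) {
        $findings.Add("AUOptions is '$($au.AUOptions)'; expected 2 (notify for download and notify for install)")
    }
    if ($au.ScheduledInstallDay -ne 0) {
        $findings.Add("ScheduledInstallDay is '$($au.ScheduledInstallDay)'; expected 0 (every day)")
    }
    if ($au.ScheduledInstallTime -ne 3) {
        $findings.Add("ScheduledInstallTime is '$($au.ScheduledInstallTime)'; expected 3 (03:00)")
    }

    # "Specify intranet Microsoft update service location" = Enabled writes WUServer and
    # WUStatusServer, and sets AU\UseWUServer=1 so the client actually uses them.
    $normalize = { param($u) ([string]$u).TrimEnd('/').ToLowerInvariant() }
    $approved = @($ApprovedWsusServers | ForEach-Object { & $normalize $_ })
    if ($au.UseWUServer -ne 1) {
        $findings.Add('UseWUServer is not 1; the intranet update service location is not in effect')
    }
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $value = $wu.$name
        if (-not $value -or ($approved -notcontains (& $normalize $value))) {
            $findings.Add("$name is '$value'; expected one of: $($ApprovedWsusServers -join ', ')")
        }
    }

    # "Enable client-side targeting" = Enabled writes TargetGroupEnabled=1 and TargetGroup.
    if ($wu.TargetGroupEnabled -ne 1) {
        $findings.Add('Enable client-side targeting is not Enabled (TargetGroupEnabled must be 1)')
    }
    if ($wu.TargetGroup -ne $ExpectedTargetGroup) {
        $findings.Add("TargetGroup is '$($wu.TargetGroup)'; expected '$ExpectedTargetGroup'")
    }

    [pscustomobject]@{
        Status   = if ($findings.Count -eq 0) { 'NotAFinding' } else { 'Open' }
        Findings = $findings.ToArray()
    }
}

# Example run for a Windows Server 2012 R2 ePO server expected in the ESS2012 group.
$result = Test-EpoWsusPolicy -ExpectedTargetGroup 'ESS2012'
$result.Status
$result.Findings
```

After applying the Fix Text, run `gpupdate /force` so the policy values are written before re-running the function; a Status of NotAFinding with an empty Findings list means all three settings match the check. The value comparison for the WSUS URLs is case-insensitive and ignores a trailing slash, but it does not follow redirects or validate the server's certificate, so a downstream server still has to be confirmed as an approved one.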
CCIs
Number | Definition
---|---
CCI-000366 | The organization implements the security configuration settings.
Controls
Number | Title
---|---
CM-6 | Configuration Settings