HBSS ePO 5.x STIG Version Comparison
HBSS ePO 5.x Security Technical Implementation Guide
Comparison
There are 7 differences between versions v2 r5 (Oct. 27, 2021) (the "left" version) and v2 r7 (April 27, 2022) (the "right" version).
Check H30120 - ePO 5x was changed between these two versions. Green, underlined text was added, red, struck-out text was removed.
Text Differences
Title
(U) ESS must use the approved DoD WSUS ESS site for Microsoft patches.
Check Content
(CUI) Note: If automatic updates are not being used and the system administrator manually downloads, installs, and documents ESS-approved patches, this check can be considered NA.

If the ePO server is using Windows Update, it must use the approved DoD ESS WSUS site or a downstream WSUS server and must be configured for the appropriate ESS WSUS container.

Important Note: There are approved patches that are only applicable to ePO servers. Simply pointing the ePO server to the DoD ESS WSUS and downloading/installing all patches is not an approved method. The ePO server must be configured for client-side targeting and placed in the appropriate target group.

WSUS procedures can be found on the DoD Patch Repository website:
- For guidance on configuring ESS for the DoD WSUS: https://patches.csd.disa.mil/Metadata.aspx?ID=80664
- For the WSUS Downstream Server Configuration Guide: https://patches.csd.disa.mil/WSUS/Documentation.aspx

Using Local Computer Policy (i.e., gpedit.msc), navigate to Computer Configuration >> Administrative Templates >> Windows Components >> Windows Update >> Configure Automatic Updates. Settings must be:
- Configure Automatic Updates: verify Enabled is selected
- Configure Automatic Updating: verify "2 - Notify for download and notify for install"
- Scheduled Install Day: verify "0 - Everyday"
- Scheduled Install Time: verify 03:00

Using Local Computer Policy (i.e., gpedit.msc), navigate to Computer Configuration >> Administrative Templates >> Windows Components >> Windows Update >> Specify intranet Microsoft update service location.
Settings must be:
- Specify intranet Microsoft update service location: verify Enabled is selected
- Set the intranet update service for detecting updates: verify https://dodwsus.csd.disa.mil is configured
- Set the intranet statistics server: verify https://dodwsus.csd.disa.mil is configured

Using Local Computer Policy (i.e., gpedit.msc), navigate to Computer Configuration >> Administrative Templates >> Windows Components >> Windows Update >> Enable client-side targeting. Setting must be:
- Enable client-side targeting: verify Enabled is selected
- For Windows Server 2003, Target group name for this computer: verify ESS is configured

The remaining target-group lines are the part of this check that changed; the diff view shows the two v2r5 lines as removed and the single v2r7 line as added:
- (v2r5, removed) For Windows Server 2008 R2, Target group name for this computer: verify ESS2008R2 is configured
- (v2r5, removed) For Windows Server 2012/R2, Target group name for this computer: verify ESS2012 is configured
- (v2r7, added) For Windows Server 2008 R2 and beyond, Target group name for this computer: verify ESSXXXX is configured (where XXXX is equal to the server OS version)

1) If automatic updates are being used, and the three group policy settings above are not set to be compliant, this is a finding.
2) If the ePO server does not have client-side targeting configured and is not placed in the appropriate target group (ESS, ESS2008R2, or ESS2012), this is a finding.
Discussion
(U) Microsoft patches and updates from an untrusted, non-DoD source can introduce malicious content into the ESS environment and can introduce settings that override a secured installation of the application. This can place DoD information at risk.
Fix
(CUI) If the ePO server is using Windows Update, update the settings to use the DoD ESS WSUS site or a downstream WSUS server and configure for the appropriate ESS WSUS container.

Using Local Computer Policy (i.e., gpedit.msc), navigate to Computer Configuration >> Administrative Templates >> Windows Components >> Windows Update >> Configure Automatic Updates and configure the following:
- In the "Configure Automatic Updates" section, select the "Enabled" radio button
- In the "Configure Automatic updating" dropdown, select "2 - Notify for download and notify for install"
- In the "Scheduled Install Day" dropdown, select "0 - Everyday"
- In the "Scheduled Install Time" dropdown, select "03:00"

Using Local Computer Policy (i.e., gpedit.msc), navigate to Computer Configuration >> Administrative Templates >> Windows Components >> Windows Update >> Specify intranet Microsoft update service location and configure the following:
- In the "Specify intranet Microsoft update service location" section, select the "Enabled" radio button
- In the "Set the intranet update service for detecting updates" text box, enter "https://dodwsus.csd.disa.mil"
- In the "Set the intranet statistics server" text box, enter "https://dodwsus.csd.disa.mil"

Using Local Computer Policy (i.e., gpedit.msc), navigate to Computer Configuration >> Administrative Templates >> Windows Components >> Windows Update >> Enable client-side targeting and configure the following:
- In the "Enable client-side targeting" section, select the "Enabled" radio button
- For Windows Server 2003, in the "Target group name for this computer" text box, enter "HBSS"
- For Windows Server 2008 R2, in the "Target group name for this computer" text box, enter "HBSS2008R2"
- For Windows Server 2012/R2, in the "Target group name for this computer" text box, enter "HBSS2012"
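The Check Content and Fix sections above describe the same three Windows Update policies, one of them set by hand in gpedit.msc. The script below is an added example, not part of the STIG or of any DISA tooling: it audits those policies on the ePO server by reading the registry values that the Windows Update administrative templates write under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (the policy-to-value mapping in the comments is the standard one for these templates, not something the STIG states). The WSUS URL and the accepted target-group names are parameters because the Check text above lists ESS-prefixed group names while the Fix text lists HBSS-prefixed ones; the default list here follows the Check text and is an assumption for the site being audited.

```powershell
# Added audit example for STIG check H30120 (not STIG-provided code).
# Reads the effective Windows Update policy values and compares them with the
# settings the check requires. Exit code 0 = compliant, 1 = finding.
param(
    # Expected WSUS server for both "detecting updates" and "statistics server".
    [string]$WsusUrl = 'https://dodwsus.csd.disa.mil',
    # Accepted client-side targeting group names (assumption: taken from the
    # Check text; substitute the HBSS-prefixed names if your site uses the Fix text).
    [string[]]$AcceptedTargetGroups = @('ESS', 'ESS2008R2', 'ESS2012')
)

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

# Returns the value, or $null when the key/value does not exist
# (i.e. the policy is "Not Configured").
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$findings = New-Object System.Collections.Generic.List[string]

# Policy 1: "Configure Automatic Updates" writes to ...\WindowsUpdate\AU.
# Policy 2 ("Specify intranet Microsoft update service location" = Enabled)
# also writes UseWUServer=1 under AU.
$expectedAU = [ordered]@{
    NoAutoUpdate         = 0   # policy state Enabled
    AUOptions            = 2   # "2 - Notify for download and notify for install"
    ScheduledInstallDay  = 0   # "0 - Everyday"
    ScheduledInstallTime = 3   # "03:00"
    UseWUServer          = 1   # intranet update service location is Enabled
}
foreach ($name in $expectedAU.Keys) {
    $actual = Get-PolicyValue -Path $auKey -Name $name
    if ($actual -ne $expectedAU[$name]) {
        $findings.Add("AU\$name is '$actual', expected '$($expectedAU[$name])'")
    }
}

# Policy 2: WUServer = "detecting updates", WUStatusServer = "statistics server".
foreach ($name in 'WUServer', 'WUStatusServer') {
    $actual = Get-PolicyValue -Path $wuKey -Name $name
    # Case-insensitive compare, tolerate a trailing slash.
    if (-not $actual -or ($actual.TrimEnd('/') -ine $WsusUrl.TrimEnd('/'))) {
        $findings.Add("$name is '$actual', expected '$WsusUrl'")
    }
}

# Policy 3: "Enable client-side targeting" writes TargetGroupEnabled/TargetGroup.
# This is the setting that places the ePO server in its WSUS target group;
# pointing at WSUS without it is explicitly not an approved method.
if ((Get-PolicyValue -Path $wuKey -Name 'TargetGroupEnabled') -ne 1) {
    $findings.Add('TargetGroupEnabled is not 1 (client-side targeting not enabled)')
}
$group = Get-PolicyValue -Path $wuKey -Name 'TargetGroup'
if (-not $group -or ($AcceptedTargetGroups -notcontains $group)) {
    $findings.Add("TargetGroup is '$group', expected one of: $($AcceptedTargetGroups -join ', ')")
}

if ($findings.Count -eq 0) {
    Write-Output 'H30120: Windows Update policies match the required settings (not a finding)'
    exit 0
}
Write-Output 'H30120: FINDING'
$findings | ForEach-Object { Write-Output "  - $_" }
exit 1
```

Run it in an elevated PowerShell session on the ePO server. These registry values reflect the effective policy whether it was set through Local Computer Policy, as the check describes, or pushed by a domain GPO, so the script also catches a domain policy that silently overrides the local settings. It does not decide the NA case: if automatic updates are not used and patches are applied manually, the check calls for documentation of that process, which a registry read cannot supply.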