Check: H36669
HBSS Host Intrusion Prevention: H36669 (in version v4 r13)
Title
(U//FOUO) The HIP policy must include the signature to block local Administrator accounts from browsing the Internet (signature 7002). (Cat II impact)
Discussion
Check Content
(U//FOUO) This check should be completed on all systems. From the ePO server console, select Menu > Systems > System Tree. Select the asset to be checked, then select "Assigned Policies", followed by "Host Intrusion Prevention 8:IPS" from the product list. From the "IPS Rules" category, select the "View Effective Policy" hyperlink. Select the "Signatures" tab. Verify the signature “DISA - McAfee - Prevent Administrator Internet Browsing” is present. In addition to the signature being present, the “Severity level” must be set to “High”, “Log status” must be set to "Enable logging", and the “Allow creation of client rules” setting must be disabled. If the signature is not present or the properties are set incorrectly, this is a finding. Additional information on the signature can be found at: https://www.cybercom.smil.mil/J3/HBSS/default.aspx

Note: If H36400 is a finding, this check should also be considered a finding.
Fix Text
(U//FOUO) Install the "DISA - McAfee - Prevent Administrator Internet Browsing" signature and set it as follows: “Severity level” set to “High”, “Log status” set to "Enable logging", and the “Allow creation of client rules” setting is disabled.
Additional Identifiers
Rule ID: SV-69915r2_rule
Vulnerability ID: V-55661
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |