Title

Check for publishers certificate revocation must be enforced. (Cat III impact)

Discussion

Check for publisher's certificate revocation options should be enforced to ensure all PKI signed objects are validated.

Check Content

Open Internet Explorer. From the menu bar, select Tools. From the Tools drop-down menu, select Internet Options. From the Internet Options window, select the "Advanced" tab, from the Advanced tab window, scroll down to the Security category, and verify the "Check for publisher's certificate revocation" box is selected. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing Criteria: If the value "State" is REG_DWORD = 23C00, this is not a finding.

Fix Text

Open Internet Explorer. From the menu bar, select Tools. From the Tools drop-down menu, select Internet Options. From the Internet Options window, select the "Advanced" tab from the Advanced tab window, scroll down to the Security category, and select the "Check for publisher's certificate revocation" box. Note: Manual entry in the registry key: HKCU\Software\Microsoft\Windows\Current Version\WinTrust\Trust Providers\Software Publishing for the value "State", set to REG_DWORD = 23C00, may first be required.

Additional Identifiers

Rule ID: SV-45116r4_rule

Vulnerability ID: V-32808

Group Title: DTBI018 - Publishers Certificate Revocation

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.