U Gold Disk Version 2.0 Release Notes

UNCLASSIFIED
Gold Disk
Release Notes
Content Updates
Version 2.0
October 2010
DISA Field Security Operations
UNCLASSIFIED
UNCLASSIFIED
Gold Disk Release Notes Field Security Operations
October 2010 DISA Information Systems Agency
This page is intentionally left blank
UNCLASSIFIED
UNCLASSIFIED
Trademark
ReleaseInformation
Notes
Trademark Information
Gold Disk V2 October 2010 Release
 In addition to Symantec EndPoint Protection signature updates, added automatic detection of Symantec
AntiVirus Corporate Edition signature updates when installed on Windows Vista systems
 Added prescan detection for Office 2007 SP2
 Removed automation for V0001135-Printer Share Permissions until further notice due to false positive.
 Automated V0004107-Unsupported OS for Windows 2000 systems
 Modified automation for V0001077-Incorrect ACLs for Event Logs due to false positive on Windows
Server 2008 systems
 Updated previously automated IAVMs
o 2007-A-0020 (V0013883)
o 2007-A-0031 (V0014220)
o 2008-A-0005 (V0015742)
o 2008-A-0064 (V0017342)
o 2008-A-0087 (V0017909)
o 2008-A-0086 (V0017910)
o 2009-A-0019 (V0018549)
o 2009-A-0071 (V0019884)
o 2009-A-0074 (V0019914)
o 2009-A-0097 (V0021756)
 Automated the following IAVMs
o 2010-A-0100 (V0025027)
o 2010-A-0112 (V0025059)
o 2010-A-0107 (V0025061)
o 2010-A-0104 (V0025066)
o 2010-A-0103 (V0025067)
o 2010-A-0111 (V0025068)
o 2010-A-0110 (V0025069)
o 2010-A-0106 (V0025071)
o 2010-A-0108 (V0025073)
o 2010-A-0109 (V0025076)
o 2010-A-0113 (V0025081)
o 2010-A-0120 (V0025353)
o 2010-A-0121 (V0025357)
o 2010-A-0122 (V0025359)
o 2010-A-0123 (V0025360)
o 2010-A-0125 (V0025361)
o 2010-A-0124 (V0025362)
o 2010-B-0063 (V0025072)
o 2010-B-0064 (V0025074)
o 2010-B-0062 (V0025075)
o 2010-B-0076 (V0025344)
o 2010-B-0077 (V0025345)
o 2010-B-0078 (V0025347)
 Automated for Applicability based on Prescan
o 2010-A-0101 (V0025058)
o 2010-A-0116 (V0025175)
o 2010-A-0119 (V0025193)
o 2010-B-0072 (V0025180)
1
UNCLASSIFIED
UNCLASSIFIED
o 2010-B-0074 (V0025183)
Gold Disk V2 August 2010 Release

 Added automated checking for IPv6 Transition Technologies (V0014262) on Windows XP and Windows
Server 2003. Updated automated checking and fix for Windows Vista and Windows Server 2008
 Added automated checking for Internet Information System (V0003347) on Windows XP and Windows
Vista
 Added automated checking for Bad Logon Counter Reset (V0001098) on Windows Server 2003
 Added automated checking for Display Shutdown Button (V0001075) on Windows Vista
 Added automated checking for Clear System Pagefile (V0001084) on Windows Vista
 Added automated checking for Unencrypted Pwd sent to SMB Svr (V0001141) on Windows Server 2008
 Added automated checking for Smart Card Removal Option (V0001098) on Windows Server 2008
 Updated IAVM 2010-B-0013 ensuring applicability only to domain controllers
o 2007-A-0030 (V0014219)
o 2008-A-0014 (V0015761)
o 2008-A-0041 (V0016040)
o 2008-A-0056 (V0016740)
o 2008-A-0061 (V0016738)
o 2008-A-0077 (V0017780)
o 2008-A-0081 (V0017870)
o 2009-A-0039 (V0019159)
o 2009-A-0044 (V0019398)
o 2009-A-0046 (V0019399)
o 2009-A-0120 (V0021933)
o 2007-B-0005 (V0013604)
o 2010-A-0074 (V0024369)
o 2010-A-0075 (V0024370)
o 2010-A-0078 (V0024371)
o 2010-A-0076 (V0024372)
o 2010-A-0077 (V0024374)
o 2010-A-0079 (V0024377)
o 2010-A-0095 (V0024848)
o 2010-A-0094 (V0024850)
o 2010-A-0093 (V0024852)
o 2010-B-0045 (V0024366)
o 2010-B-0046 (V0024367)
o 2010-B-0047 (V0024368)
o 2010-A-0082 (V0024385)
o 2010-A-0092 (V0024849)
o 2010-A-0089 (V0024851)
o 2010-A-0090 (V0024853)
o 2010-A-0091 (V0024855)
o 2010-A-0098 (V0024857)
o 2010-A-0096 (V0024859)
o 2010-B-0048 (V0024388)
o 2010-B-0054 (V0024858)
2
UNCLASSIFIED
UNCLASSIFIED
Gold Disk V2 June 2010 Release

 Added prescan detection for Email Server roles to resolve issue importing VMS6.x reports for systems
running Exchange Server 2003 and Exchange Server 2008.
 Updated automated checks for V0001148 to ensure applicability only for workstations that are part of a
domain.
 Updated automated checking for User Rights (V0001103) on Windows Server 2003 Member Server
 Updated automated checking for IPv6 Transition Technologies (V0014262) on Windows Vista and
Windows Server 2008
o 2008-A-0058 (V0016741)
o 2008-A-0090 (V0017935)
o 2009-A-0032 (V0018752)
o 2009-A-0034 (V0018756)
o 2009-A-0078 (V0019913)
o 2009-A-0077 (V0019917)
o 2009-A-0090 (V0021749)
o 2009-A-0095 (V0021760)
o 2009-A-0117 (V0021936)
o 2010-A-0056 (V0023959)
o 2010-A-0054 (V0023963)
o 2010-A-0058 (V0023995)
o 2010-A-0053 (V0023999)
o 2010-A-0052 (V0024002)
o 2010-A-0057 (V0024003)
o 2010-A-0055 (V0024004)
o 2010-A-0068 (V0024076)
o 2010-A-0070 (V0024160)
o 2010-A-0080 (V0024375)
o 2010-B-0029 (V0023955)
o 2010-B-0030 (V0023956)
o 2010-B-0031 (V0023957)
o 2010-B-0039 (V0024168)
o 2010-A-0047 (V0023856)
o 2010-A-0065 (V0023996)
o 2010-A-0066 (V0023997)
o 2010-A-0069 (V0024159)
o 2010-B-0024 (V0023821)
o 2010-B-0032 (V0023954)
o 2010-B-0033 (V0024010)
o 2010-B-0037 (V0024163)
o 2010-B-0038 (V0024166)
o 2010-B-0041 (V0024206)
o 2010-B-0044 (V0024322)
Gold Disk V2 April 2010 Release

 Added prescan detection and support for IIS 7.0 Installation to resolve issue importing VMS6.x reports for
Windows Vista or Server 2008 systems running IIS 7.0.
 Updated automated checks for V0006318 to include installation of the DOD Root Certificates by means
other than the InstallRoot application as an accepted solution.
3
UNCLASSIFIED
UNCLASSIFIED
 Updated automated checking for WA000-WI6082 (V0013715) to correct required value

 Updated automated checking for Recycle Bin (V0001126) on Windows Server 2008
 Updated automated checking for UAC - User Elevation Prompt (V0014236) on Windows Server 2008
o 2009-A-0115 (V0021938)
o 2010-A-0014 (V0022522)
o 2010-A-0014 (V0022522)
o 2010-A-0023 (V0022677)
o 2010-A-0024 (V0022678)
o 2010-A-0025 (V0022679)
o 2010-A-0026 (V0022680)
o 2010-A-0027 (V0022681)
o 2010-A-0028 (V0022682)
o 2010-A-0029 (V0022683)
o 2010-A-0030 (V0022684)
o 2010-A-0031 (V0022685)
o 2010-A-0032 (V0022686)
o 2010-A-0038 (V0023711)
o 2010-B-0014 (V0022674)
o 2010-B-0013 (V0022675)
o 2010-B-0012 (V0022676)
o 2010-B-0020 (V0023719)
o 2010-A-0018 (V0022666)
o 2010-A-0019 (V0022667)
o 2010-A-0035 (V0022695)
o 2010-B-0010 (V0022672)
o 2010-B-0011 (V0022673)
o 2010-B-0015 (V0022698)
Gold Disk V2 February 2010 Release

 Added prescan detection and support for Windows Server 2008 x86 and x64. The release includes Server
2008 automation for all relative STIG checks and for the latest applicable IAVMs published during this
release cycle. Automation for the remaining IAVMs will be included in subsequent releases. Windows
Server 2008 R2 is not supported by Gold Disk at this time.
 Updated automated checking and remediation for V0001073 to reflect required service pack level for
Windows Vista and Windows Server 2008.
 Updated automated checking for V0001074 to reflect change in required minimum antivirus signature
update
 Added automated checking and remediation for Internet Explorer 7 check DTBI300 (V0021887)
o 2008-A-0044 (V0016147)
o 2009-A-0018 (V0018553)
o 2009-A-0128 (V0021551)
o 2009-A-0098 (V0021755)
o 2009-A-0129 (V0022099)
o 2009-A-0125 (V0022100)
o 2009-A-0126 (V0022101)
o 2010-A-0003 (V0022244)
4
UNCLASSIFIED
UNCLASSIFIED
o 2010-A-0014 (V0022522)
o 2009-B-0054 (V0021747)
o 2009-B-0064 (V0022096)
o 2009-A-0123 (V0022059)
o 2009-A-0124 (V0022060)
o 2009-A-0130 (V0022094)
o 2009-A-0134 (V0022103)
o 2010-A-0006 (V0022237)
o 2010-A-0005 (V0022239)
o 2010-A-0007 (V0022241)
o 2010-A-0004 (V0022243)
o 2010-A-0010 (V0022245)
o 2010-A-0011 (V0022380)
o 2009-B-0062 (V0022064)
o 2009-B-0065 (V0022105)
o 2009-B-0066 (V0022106)
o 2010-B-0007 (V0022644)
Gold Disk V2 December 2009 Release

 Updated 34 Microsoft Office 2007 STIG vulnerabilities to ensure the vulnerabilities would only be found
under the Office 2007 System tree within Gold Disk. In addition to the Office 2007 System tree, the
vulnerabilities could previously be found under the tree of individual Office 2007 components (Excel 207,
Outlook 2007, etc.).
 Updated automated checking for V0017521-DTOO139 to include additional accepted values.
 Updated Office 2007 STIG checks to include automated fixes
o DTOO104 (V0017173)
o DTOO111 (V0017174)
o DTOO117 (V0017175)
o DTOO123 (V0017183)
o DTOO129 (V0017184)
 Added Prescan NA detection for the following:
o Cisco VPN Client
o Websense Products
o VMware Products
o IBM DB2
o Adobe Shockwave
o 2007-A-0029 (V0014218)
o 2007-A-0047 (V0015303)
o 2008-A-0028 (V0016015)
o 2008-A-0085 (V0017908)
o 2008-A-0086 (V0017910)
o 2008-A-0089 (V0017912)
o 2009-A-0002 (V0017997)
o 2009-A-0013 (V0018388)
o 2009-A-0044 (V0019398)
o 2009-A-0046 (V0019399)
o 2008-A-0077 (V0017780)
o 2009-A-0071 (V0019884)
5
UNCLASSIFIED
UNCLASSIFIED
o 2009-A-0092 (V0021743)
o 2009-A-0091 (V0021744)
o 2009-A-0090 (V0021749)
o 2009-A-0094 (V0021752)
o 2009-A-0096 (V0021754)
o 2009-A-0097 (V0021756)
o 2009-A-0095 (V0021760)
o 2009-A-0120 (V0021933)
o 2009-A-0118 (V0021934)
o 2009-A-0119 (V0021935)
o 2009-A-0117 (V0021936)
o 2009-A-0116 (V0021937)
o 2009-A-0115 (V0021938)
o 2008-B-0081 (V0017914)
o 2009-B-0052 (V0021742)
o 2009-B-0054 (V0021747)
o 2009-B-0053 (V0021750)
o 2009-A-0100 (V0021741)
o 2009-A-0101 (V0021863)
o 2009-A-0102 (V0021864)
o 2009-A-0103 (V0021865)
o 2009-A-0104 (V0021866)
o 2009-A-0105 (V0021867)
o 2009-A-0106 (V0021883)
o 2009-A-0109 (V0021885)
o 2009-A-0110 (V0021888)
o 2009-A-0108 (V0021889)
o 2009-A-0112 (V0021926)
o 2009-A-0111 (V0021927)
o 2008-B-0061 (V0017346)
o 2009-B-0015 (V0018638)
o 2009-B-0016 (V0018766)
o 2009-B-0021 (V0019297)
o 2009-B-0048 (V0021682)
o 2009-B-0055 (V0021886)
o 2009-B-0056 (V0021890)
o 2009-B-0059 (V0021981)
o 2009-T-0005 (V0018124)
o 2009-T-0019 (V0018637)
o 2009-T-0031 (V0019298)
Gold Disk V2 October 2009 Release

 Updated manual prescan question prompting to include “3 rd Party Firewalls”. If “3 rd Party Firewalls” is
selected for prescan, all Windows Firewall vulnerabilities targeting Windows XP and Windows Vista are
automatically marked as NA.
 Modified antivirus fix to install Symantec EndPoint Protection in lieu of Symantec Corporate Edition when
Symantec is selected as the preferred antivirus solution. NOTE: The 64-bit version of Symantec still
requires a manual install at this time.
6
UNCLASSIFIED
UNCLASSIFIED
 Removed automated fixing via Gold Disk for all STIG vulnerabilities where the configuration lies within
the HKCU registry hive. Making configuration changes within the HKCU registry hive via Gold Disk only
fixes the vulnerability for the individual user account running the Gold Disk application.
 Updated checking for V0002371 to include automated detection on Windows Vista.
 Updated checking for 2008-A-0044 (V0016147) to ensure the vulnerability is only applicable when DNS is
installed
o 2009-A-0018 (V0018549)
o 2009-A-0020 (V0018554)
o 2009-A-0032 (V0018752)
o 2009-A-0034 (V0018756)
o 2009-B-0036 (V0019878)
o 2009-A-0067 (V0019882)
o 2009-A-0068 (V0019881)
o 2009-A-0070 (V0019883)
o 2009-B-0035 (V0019880)
o 2009-B-0037 (V0019879)
o 2009-A-0074 (V0019914)
o 2009-A-0075 (V0019915)
o 2009-A-0076 (V0019916)
o 2009-A-0077 (V0019917)
o 2009-A-0078 (V0019913)
o 2008-A-0045 (V0016170)
o 2009-A-0003 (V0017999)
o 2009-A-0009 (V0018005)
o 2009-A-0016 (V0018403)
o 2009-T-0023 (V0018849)
o 2009-B-0019 (V0019154)
o 2009-A-0041 (V0019229)
o 2009-A-0060 (V0019802)
o 2009-A-0062 (V0019827)
o 2009-A-0061 (V0019825)
o 2009-A-0081 (V0021499)
o 2009-B-0044 (V0021502)
o 2009-T-0050 (V0021503)
o 2008-B-0073 (V0017742)
o 2009-A-0041 (V0019229)
 Automated the following Miscellaneous Security Updates.
o MS09-025
o MS09-040
Gold Disk V2 August 2009 Release

 Added DVD3 to incorporate Windows Vista patches
 Enhanced Gold Disk 2.0 engine to include the capability of running file patches other than “.exe” files.
The engine can now execute “.msu” files used to patch Windows Vista.
 The launcher.exe file has been removed. PGD.exe should be used instead. Prior to the June 2009 release,
the Gold Disk 2.0 engine had been modified to allow the 32-bit version (PGD.exe) to automatically launch
the 64-bit version (PGD64.exe) on a 64-bit system.
 Added prescan detection for:
7
UNCLASSIFIED
UNCLASSIFIED
o Windows Vista Service Pack 2

o Internet Explorer 8
o Windows Internet Name Service (WINS)
 Automated checks and fixing for (applicable to IE7 on Windows Vista only):
o DTBI485 (V0015527)
o DTBI490 (V0015528)
 Updated checking
o DTOO212 (V0017581)
o DTOO267 (V0017778)
 Updated checking for V0003383 to check correctly on Windows Vista
 Updated checking for V0003472 (Windows Time Service). The vulnerability will be closed if the value is
blank or does not exist. The value will be open if the value is not blank. The value can be closed manually
if the value is an authorized server.
 Updated checking for 2008-B-0075 (V0017793)
 Updated checking and patching for 2009-A-0018 (V0018553)
o 2009-A-0043 (V0019405)
o 2009-A-0046 (V0019399)
o 2009-A-0049 (V0019589)
o 2009-A-0050 (V0019756)
o 2009-A-0051 (V0019757)
o 2009-A-0052 (V0019758)
o 2009-A-0059 (V0019796)
o 2009-B-0022 (V0019400)
o 2009-B-0023 (V0019403)
o 2009-B-0024 (V0019401)
o 2009-B-0031 (V0019760)
o 2009-B-0032 (V0019759)
o 2009-T-0032 (V0019397)
o 2009-A-0042 (V0019404)
o 2009-A-0053 (V0019762)
o 2009-A-0054 (V0019761)
o 2009-A-0055 (V0019763)
o 2009-A-0056 (V0019764)
o 2009-A-0057 (V0019765)
o 2009-A-0058 (V0019768)
o 2009-B-0020 (V0019296)
o 2009-B-0028 (V0019437)
o 2009-T-0034 (V0019481)
o 2009-T-0038 (V0019458)
o 2009-T-0043 (V0019770)
 Automated checking for the following on Windows Vista:
o V0014234 o V0014242 o V0015702 o V0015710
o V0014235 o V0017374 o V0015703 o V0015711
o V0014236 o V0014230 o V0015704 o V0015712
o V0014237 o V0014243 o V0015705 o V0015713
o V0014239 o V0014250 o V0015706 o V0015714
o V0014240 o V0015700 o V0015708 o V0015715
o V0014241 o V0015701 o V0015709 o V0015716
8
UNCLASSIFIED
UNCLASSIFIED
o V0015717 o V0015722 o V0015727 o V0015696

o V0015718 o V0015723 o V0016020 o V0015697
o V0015719 o V0015724 o V0016021 o V0015698
o V0015720 o V0015725 o V0016048 o V0015699
o V0015721 o V0015726 o V0014262 o V0014231
o V0014232 o V0017420 o V0017430 o V0017440
o V0016047 o V0017421 o V0017431 o V0017441
o V0014248 o V0017422 o V0017432 o V0017442
o V0014249 o V0017423 o V0017433 o V0017443
o V0015707 o V0017424 o V0017434 o V0017444
o V0017415 o V0017425 o V0017435 o V0017445
o V0017416 o V0017426 o V0017436 o V0017446
o V0017417 o V0017427 o V0017437 o V0017447
o V0017418 o V0017428 o V0017438
o V0017419 o V0017429 o V0017439
 Automated patching for V0001073 on Windows Vista
Gold Disk V2 June 2009 Release

 Enhanced Gold Disk 2.0 engine to include the capability of running on Windows Vista x86 and Windows
Vista x64. NOTE: Will detect and patch several STIG vulnerabilities. Subsequent Gold Disk V2 releases
will include IAVM and additional STIG automation
 Modified the Gold Disk 2.0 engine to use the manifest file in order for the application to automatically
escalate privileges to administrator on Vista when these privileges are present in the login. This will
eliminate the user having to start Gold Disk by the right click option ‘Run as Administrator’
 Modified the Gold Disk 2.0 engine to allow the 32-bit version (PGD.exe) to automatically launch the 64-bit
version (PGD64.exe) on a 64-bit system. The launcher.exe file is now optional and will be removed in a
future release
 Modified the Gold Disk 2.0 engine to accurately display the findings for V0001103 and other User Rights
STIG vulnerabilities
 DVD2/CD9 now includes the 32-bit and 64-bit client installation files for Symantec Endpoint Protection.
The Symantec AntiVirus Corporate Edition client install is still the default Symantec application when
remediating V0001074-Approved DOD Virus Scan Program. To install Symantec Endpoint Protection, it
would have to be installed manually. NOTE: Symantec AntiVirus Corporate Edition will not install on
Windows Vista.
 Updated manual prescan question prompting to include IBM Websphere
 Modified checking for RSS Attachment Downloads (V0015682) to check on all service pack levels of
Windows XP
 Modified checking to match updated checklist requirements for Password Protected Screen Savers
(V0001122)
 Automated checks and fixing for DTBI705 (V0015577)
 Updated checking
o DTOO212 (V0017581)
o DTOO267 (V0017778)
 Updated checking and fixing of 2009-A-0002 (V0017997) to ensure checking patching for all applicable
service packs
o 2009-A-0032 (V0018752)
o 2009-A-0033 (V0018755)
o 2009-A-0034 (V0018756)
o 2009-T-0021 (V0018776)
9
UNCLASSIFIED
UNCLASSIFIED
o 2009-T-0022 (V0018781)
o 2009-A-0039 (V0019159)
o 2009-T-0018 (V0018612)
o 2009-T-0029 (V0019231)
o 2009-A-0027 (V0018785)
o 2009-A-0028 (V0018793)
o 2009-A-0029 (V0018797)
o 2009-A-0030 (V0018798)
o 2009-A-0036 (V0018848)
o 2009-B-0018 (V0018969)
o 2009-T-0027 (V0019160)
 Automated the following Miscellaneous Security Updates.
o MS09-012
Gold Disk V2 April 2009 Release

 Updated manual prescan question prompting
 Added vulnerability for Windows DNS and BIND (manual review at this time)
 Updated V0001073 Service Pack check for Windows 2003 to make SP1 or less a CAT I per the checklist
 Modified Local Users Exist on a workstation (V0001148) to report all user accounts that are found.
Manual review will be needed to validate any accounts found are authorized
 Modified checking and fixing to match updated checklist requirements
o DTBI355 (V0015500)
o DTBI675 (V0015563)
o DTBI010 - (V0017296)
 Updated checking and fixing of Disable Media Autoplay (V0002374) to ensure that a prerequisite patch is
applied
 New prescan for Microsoft Expression Web
 New prescan for McAfee 8.7i. Additionally the GD will install this version if remediating V0001074 and
the user chooses McAfee
 New prescan for .Net 3.0 and .Net 3.5. Note that for vulnerability concerns, .Net 2.0, 3.0, and 3.5 are
mutually exclusive and will only display the latest version found in prescan and for vulnerabilities
 Moved 34 Office 2007 vulnerabilities to a new target of Microsoft Office System 2007
 Removed automation for IAVM 2008-A-0088
o 2008-B-0058 (V0017345)
o 2009-A-0013 (V0018388)
o 2009-B-0008 (V0018390)
o 2009-B-0009 (V0018406)
o 2009-A-0020 (V000000)
o 2009-A-0019 (V0018549)
o 2009-A-0018 (V0018553)
o 2008-T-0059
o 2009-B-0002
o 2009-B-0003
o 2009-B-0004
o 2009-T-0011
o 2009-B-0010
o 2009-A-0017
o 2009-T-0014
10
UNCLASSIFIED
UNCLASSIFIED
o 2009-A-0021
o 2009-B-0013
 Corrected check and fix for the following security patches.
o MS04-014
o MS03-034
Gold Disk V2 February 2009 Release

 Automated DCOM Object Registry Permissions (V0006826)
o 2008-T-0040 MS08-050 (V0016746)
o 2008-A-0088 MS08-070 (V0017907)
o 2008-A-0086 MS08-071 (V0017910)
o 2008-A-0089 MS08-072 (V0017912)
o 2008-A-0085 MS08-074 (V0017908)
o 2008-A-0090 MS08-078 (V0017935)
o 2009-A-0002 MS09-001 (V0017997)
o 2009-A-0014 MS09-002 (V0018389)
o 2008-B-0077 (V0017873)
o 2008-B-0086
o 2009-A-0004
o 2009-A-0005
o 2009-A-0006
o 2009-A-0007
o 2009-A-0008
o 2008-A-0083
o 2009-B-0005
 Automated the remaining Office 2007 vulnerabilities that were not done in the Dec. release.
 Automated new vulnerability (V0018010) User Right Debug programs
 Updated the following checks to match new target (Internet Explorer) and or requirements
o DTBI137 V0003433
o DTBI367 (V0003430)
o DTBI697 (V0014245)
o DTBI076 (V0006276)
o DTBI685 (V0015573)
o DTBI036 (V0006253)
Gold Disk V2 December 2008 Release

 Added specific versioning to the XML version displayed by the Gold Disk – details can be found in About
Gold Disk Version 2.0.
 Updated all McAfee checks to be version specific. Previous Gold Disk releases checked and configured
McAfee the same regardless of the version installed. Changes made are to apply specific checks and fixes
for 8.0i and 8.5i depending on the version installed. See note in known issues “item 10” regarding the
Detection and Remediation tabs. Automated checking and fixing is correct for McAfee 8.0i and 8.5i
 Added the following for XP FDCC requirements
o V0001091 [A] Halt on Audit Failure XP FDCC
o V0001085 [A] Secure Removable Media XP FDCC
o V0003375 [A] Domain Controller Auth. XP FDCC
o V0001075 [A] Display Shutdown Button XP FDCC
o V0001084 [A] Clear System Page File XP FDCC
o V0017373 [A] Secure Removable Media XP FDCC
11
UNCLASSIFIED
UNCLASSIFIED
o V0016007 8dot3 Name Creation XP FDCC

o V0015672 Event Viewer Events.asp Links XP FDCC
o V0001130 [A] System File ACLs XP FDCC
o V0017410 XP Firewall Domain Profile – Enable Firewall
o V0017390 [A] XP Firewall Domain Profile – File and Printer Sharing
o V0017391 [A] XP Firewall Domain Profile – ICMP Exceptions
o V0017392 [A] XP Firewall Domain Profile – Local Port Exceptions
o V0017393 [A] XP Firewall Domain Profile – Local Program Exceptions
o V0017394 [A] XP Firewall Domain Profile – Logging
o V0017397 [A] XP Firewall Domain Profile – Plug and Play
o V0017398 [A] XP Firewall Domain Profile – Display Notifications
o V0017399 [A] XP Firewall Domain Profile – Unicast Response
o V0017411 [A] XP Firewall Standard Profile – Enable Firewall
o V0017400 [A] XP Firewall Standard Profile – File and Printer Sharing
o V0017401 [A] XP Firewall Standard Profile – ICMP Requests
o V0017402 [A] XP Firewall Standard Profile – Local Port Exceptions
o V0017403 [A] XP Firewall Standard Profile – Local Program Exceptions
o V0017404 [A] XP Firewall Standard Profile – Remote Administration
o V0017405 [A] XP Firewall Standard Profile – Remote Desktop
o V0017406 [A] XP Firewall Standard Profile – Plug and Play
o V0017407 [A] XP Firewall Standard Profile – No Exceptions
o V0017408 [A] XP Firewall Standard Profile – Display Notifications
o V0017409 [A] XP Firewall Standard Profile – Unicast Response
 Updated the following per XP FDCC requirements
o Built-in Admin account enabled XP FDCC (V0016047)
o FDCC XP user rights (V0001103)
o Updated Screen Saver Grace Period (V0004442) to check registry value is reg_sz instead of
reg_dword
 Added V0017900 New Autorun.inf Check
 Added Office 2007 vulnerabilities. Due to time only the following could be automated for December. The
remaining are planned for February 2009
o DTOO171
o DTOO172
o DTOO173
o DTOO174
o DTOO175
o DTOO176
o DTOO177
o DTOO178
o DTOO179
o DTOO180
o DTOO181
o DTOO182
o DTOO183
o DTOO184
o DTOO185
 Automated the following IAVMs or Microsoft patches
o 2008-A-0064
o 2008-B-0057
o 2008-T-0055
12
UNCLASSIFIED
UNCLASSIFIED
o 2008-A-0078
o 2008-B-0075
o 2008-B-0076
o 2008-T-0056
o 2008-A-0081
o 2008-T-0058
o 2008-B-0079
o 2008-A-0087
o 2008-T-0047
o 2008-T-0037
o 2008-B-0065
o 2008-B-0080
o 2008-A-0075
o 2008-A-0074
o 2008-A-0073
o 2008-B-0072
Gold Disk V2 September 2008 Release

o 2008-A-0044
o 2008-T-0033
o 2008-T-0035
o 2008-B-0053
o 2008-A-0056
o 2008-A-0062
o 2008-A-0060
o 2008-A-0058
o 2008-A-0059
o 2008-B-0056
o 2008-T-0039
o 2008-A-0061
o 2007-B-0031
o 2007-A-0003 – Updated automation
o 2007-A-0037 – Corrected false positive
o Oracle – NA based on prescan detection only
 2008-A-0049
 2008-A-0047
 2008-A-0046
 2008-A-0050
 2008-A-0052
 File ACL V0001130 – Corrected a possible false positive on some systems
 Modified checking to match updated checklist requirements for the following vulnerabilities in the desktop
checklist
o DTAM110 (V0014630)
o DTAM111 (V0014631)
o DTAM131 (V0014658)
o DTAM132 (V0014659)
o DTAM133 (V0014660)
o DTAM134 (V0014661)
o DTAM130 (V0014657)
13
UNCLASSIFIED
UNCLASSIFIED
o DTBI061 (V0006267)
o DTBI091 (V0006281)
o DTBI036 (V0006253)
o DTBI025 (V0016879)
 Enhanced prescan to detect Oracle installations on 2003 64 bit systems
Gold Disk V2 July 2008 Release

o 2007-A-0037
o 2008-A-0028
o 2008-A-0029
o 2008-A-0030
o 2008-A-0037
o 2008-A-0039
o 2008-A-0040
o 2008-A-0041
o 2008-B-0043
o 2008-T-0024
o 2008-T-0025
o MS08-034
o 2008-A-0019
o 2008-A-0020
o 2008-A-0021
o 2008-A-0022
o 2008-A-0023
o 2008-B-0040
o 2008-A-0027
 Updated checks for the following vulnerabilities to match new platinum/gold policy requirements
o OS/2 Subsystem Installed (V0001078)
o Posix Files (V0001079)
o Posix registry entry (V0001083)
o LanMan Authentication Level (V0001153)
o OS/2 Registry Keys (V0001082)
o Clear System Pagefile (V0001084)
 Modified checking and remediation (where applicable) to match updated requirements.
o Screen Saver Grace Period (V004442)
o IE - Make Proxy Settings Per Machine (V0003430) – removed from XP
o Lockout Duration (V0001099)
o DTBI026 (V0006246)
 Automated the following
o Anonymous Access to Named Pipes and Shares (V0006834)
o Audit Access to Global System Objects (V0014228)
o WA000-WI035 (V0013698) – added the built-in administrator account as acceptable to have
permissions per requirements.
 Updated prescan to detect Symantec Endpoint Protection on 32 and 64 bit systems
 Modified checking for V0001074 “Approved DOD Virus Scan Program” to allow for Symantec Endpoint
Protection and to improve checking efficiency on other systems.
Gold Disk V2 May 2008 Release

o 2002-A-0002
14
UNCLASSIFIED
UNCLASSIFIED
o 2008-A-0015
o 2008-A-0014
o 2008-A-0012
o 2008-A-0013
o 2008-T-0008
o 2008-B-0037
o 2008-B-0035
o 2008-B-0033
o 2008-T-0012
o 2008-B-0034
o 2008-A-0018
o 2008-A-0017
o 2008-T-0011 NA based on Pre Scan only
o 2008-T-0010 NA based on Pre Scan only
o MS08-025
 Updated prescan for Microsoft Visual Studio on x32 and x64
 Updated the following checks per new checklist requirements
o Password Uniqueness (V0001107)
o Software Certificate Installation Files (V0015823)
o Windows Installer – IE Security Prompt (V0015684)
o DTBI590 (V0015548)
o DTBI595 (V0015549)
o DTBI600 (V0015550)
o DTBI605 (V0015551)
o DTBI610 (V0015552)
o DTBI615 (V0015553)
o DTBI620 (V0015554)
o DTBI625 (V0015555)
o DTBI630 (V0015556)
o DTBI635 (V0015557)
o DTBI640 (V0015558)
o DTBI645 (V0015559)
o DTBI592 (V0015565)
o DTBI594 (V0015566)
o DTBI599 (V0015568)
o DTBI612 (V0015569)
o DTBI614 (V0015570)
o DTBI647 (V0015571)
o DTBI649 (V0015572)
o DTBI596 (V0015603)
Gold Disk V2 March 2008 Release

 Updated IIS Metabase checking to correct several errors that could occur on some systems
o IIS Explorer lockout when Gold Disk is running
o Gold Disk crashing on some systems
 Corrected the following IE 7 checks to match checklist requirements
o DTBI645 (V0015559)
o DTBI647 (V0015571)
o DTBI649 (V0015572)
o DTBI640 (V0015558)
15
UNCLASSIFIED
UNCLASSIFIED
o DTBI680 (V0015564)
o DTBI685 (V0015573)
o DTBI690 (V0015574)
o DTBI720 (V0015580)
o DTBI024 (V0006245)
o DTBI128 (V0006303)
o DTBI040 (V0006257)
o DTBI495 (V0015529)
o DTBI592 (V0015565)
o DTBI614 (V0015570)
o DTBI612 (V0015569)
o DTBI605 (V0015551)
o DTBI594 (V0015566)
o DTBI375 (V0015504)
o DTBI596 (V0015603)
o DTBI597 (V0015604)
o DTBI725 (V0015581)
o DTBI625 (V0015555)
 Updated many IE6 checks to match new checklist requirements
 Updated the following windows checks to add and automate for XP or to match new checklist requirements
o V0002371 [M] Service Object Permissions
o V0001122 [A] Password Protected Screen Savers
o V0001103 – [A] User Rights Assignments
o Unnecessary Services (V0003487) LanMan Authentication Level (V0001153)
o Minimum Password Length (V0006836)
o V0014228 Audit Access to Global System Objects
o V0014229 Audit Backup and Restore Privileges
o V0014247 Terminal Services – Prevent Password Sa
o V0014268 Attachment Manager –Preserve Zone Infor
o V0014269 Attachment Manager – Hide Mechanisms to
o V0014270 Attachment Manager – Scan with Antiviru
o V0014252 Logon – Run Once List
o V0014267 Power Management – Require Password on
o V0014253 RPC – Unauthenticated RPC Clients
o V0014254 RPC – Endpoint Mapper Authentication
o V0014260 HTTP - Printer Drivers
o V0014256 Internet Download / Online Ordering
o V0014259 Printing Over HTTP
o V0014258 Search Companion Content File Updates
o V0014255 Publish to Web
o V0014257 Windows Messenger Customer Experience I
o V0014261 Windows Update Device Driver Searching
o V0014246 IE – Turn Off Crash Detection
o V0015666 [A] Windows Peer to Peer Networking
o V0015667 [A] Prohibit Network Bridge
o V0015669 [A] Prohibit Internet Connection Sharing
o V0015670 [A] Error Reporting - Display Error Notif
o V0015671 [A] Root Certificates Update
o V0015673 [A] Internet Connection Wizard ISP Downlo
o V0015674 [A] Internet File Association Service
16
UNCLASSIFIED
UNCLASSIFIED
o V0015675 [A] Windows Registration Wizard

o V0015676 [A] Order Prints Online
o V0015677 [A] Windows Movie Maker Codec Downloads
o V0015678 [A] Windows Movie Maker Web Links
o V0015679 [A] Windows Movie Maker Online Hosting
o V0015680 [A] Classic Logon
o V0015681 [A] Prevent Internet Information System
o V0015682 [A] RSS Attachment Downloads
o V0015683 [A] Windows Explorer – Shell Protocol Pro
o V0015684 [A] Windows Installer – IE Security Promp
o V0015685 [A] Windows Installer – User Control
o V0015686 [A] Windows Installer – Vendor Signed Upd
o V0015687 [A] Media Player – First Use Dialog Boxes
o 2008-B-0016 (V0015739)
o 2008-A-0005 (V0015742)
o 2008-A-0006 (V0015744)
o 2008-A-0007 (V0015741)
o 2008-A-0008 (V0015738)
o 2008-A-0009 (V0015743)
o 2008-A-0010 (V0015745)
o 2008-B-0003 (V0015663)
o 2007-T-0051 (V0015593)
o 2008-B-0001 (V0015600)
o MS08-002
Gold Disk V2 January 2008 Release

 Updated the Gold Disk to run fixes in CD order where possible. This significantly reduces the number of
times users are prompted to change CDs during the remediation process
 DVD/share drive support. See Appendix J
 Microsoft Office 2000, XP, 2003 prescan detection on Windows 2003 64 bit
 Microsoft Office 2007 detection on all Gold Disk supported OSs
 Added check and fix automation for the following IAVMs:
o 2007-A-0053
o 2007-A-0054
o 2005-T-0022
o 2007-A-0056
o 2007-T-0050
o 2007-A-0055
 Added IA control information to the Misc. tab
 Automated IE 7 vulnerabilities on all Gold Disk supported OSs
 Automated several vulnerabilities associated with McAfee
 Updated ACL checking to stay in sync with checklist requirement changes
Gold Disk V2 November 2007 Release

 Please note that the Gold Disk Pre-Scan is not currently detecting many software products to include
Microsoft Office when installed on 2003 64 bit. Undetected products should be manually added to the
asset posture and the associated vulnerabilities addressed in VMS. Pre-Scan detection for Microsoft Office
is currently working on 32 bit Operating Systems.
 Added check and fix automation for the following IAVMs:
o 2007-B-0027
17
UNCLASSIFIED
UNCLASSIFIED
o 2007-T-0038
o 2006-A-0027
o 2006-A-0056
o 2007-T-0040
o 2007-A-0047
 Corrected checking for the following IAVM on Windows 2000 when Jscript 5.1 is installed:
o 2006-B-0009
 Added check and fix automation for the following IAVMs on 2003 64 bit:
o 2006-B-0002
o 2006-T-0018
 Added the following IAVMs to the Oracle Prescan NA checks:
o 2007-A-0052
o 2007-A-0051
o 2007-A-0050
o 2007-A-0049
o 2007-A-0048
 Added Prescan NA (additional information questions) for the following IAVMs:
o 2007-T-0008
o 2001-A-0001
o 2007-A-0039
o 2007-T-0043
o 2007-T-0044
o 2007-B-0033
o 2007-T-0013
o 2007-T-0035
 Added check and fix automation for the following NON-IAVM patch:
o MS07-053
o MS07-054
 Changed the confidentiality level in the Non-Interactive.xml control file to match the default of Sensitive
that is used when running the Gold Disk interactively
 Modified the Gold Disk executable to split out Systems and Enclaves in the edit asset information window.
 Updated the Gold Disk to include .Net and Antispyware vulnerabilities
 Automated the following checks for IIS, and Symantec:
o WA000-WI035
o WA000-WI110
o WA000-WI080
o WA000-WI100
o WA000-WI6080
o WA000-WI6082
o WA000-WI6084
o WA000-WI6086
o WA000-WI6088
o WA000-WI6090
o WA000-WI6092
o WA000-WI6094
o WA000-WI6096
o DTAS060
o DTAS061
o DTAS062
o DTAS063
18
UNCLASSIFIED
UNCLASSIFIED
o DTAS064
o DTAS065
o DTAS066
o DTAS067
o DTAS068
o DTAS069
Gold Disk V2 September 2007 Release

 Added check and fix automation for the following IAVMs released between July and August:
o 2007-B-0013
o 2007-A-0036
o 2007-A-0037
o 2007-T-0028
o 2007-A-0042
o 2007-A-0043
o 2007-B-0024
o 2007-A-0044
o 2007-B-0025
o 2007-B-0026
o 2007-A-0045
 Added check and fix automation for the following IAVMs on 2003 64 bit:
o 2007-A-0020
o 2007-A-0014
o 2007-B-0009
o 2007-B-0005
o 2007-B-0004
o 2007-B-0003
o 2006-B-0010
o 2006-A-0036
o 2006-B-0011
o 2006-A-0038
o 2006-B-0014
o 2006-T-0026
o 2006-T-0033
o 2006-T-0034
o 2006-B-0020
o 2006-T-0039
 Updated Registry Policy Processing (V0004448) due to a checklist change to look for
“NoGPOListChanges” in the registry
 Updated Secure Channel Data (V0001163 & V0001164) to be closed when Domain Member: Digitally
encrypt or sign secure channel data (always) is set correctly to Enabled
 Updated User Rights (V0001103) to remove checking for the following checks due to a checklist change as
they are separate vulnerabilities. Additionally made changes due to problems found during regression
testing to correctly check and remediate per the checklist for the user rights below:
o Act as part of the operating system
o Deny access to this computer from the network
 Updated the Service Pack check to require SP2 on Windows 2003 per the checklist
 Corrected known problem with the Gold Disk not saving and restoring sessions properly after the first save
and restore
 Improved performance with loading XML and prescan and when running on systems with IIS installed
 Corrected detection for 2005-T-0005. The Gold Disk originally may have given false negatives
19
UNCLASSIFIED
UNCLASSIFIED
 Corrected findings details for auditing settings (V0001080) to more accurately display incorrect audit
settings rather than incorrect permissions
Gold Disk V2 July 2007 Release

 Added check and fix automation for the following IAVMs released between May and June:
o 2007-B-0010
o 2007-A-0029
o 2007-A-0030
o 2007-A-0031
o 2007-A-0028
o 2007-A-0033
o 2007-A-0034
o 2007-B-0011
o 2007-A-0035
o 2007-T-0024
o 2007-A-0022
o 2007-A-0023
o 2007-A-0024
o 2007-A-0025
o 2007-A-0026
 Updated the fix for 2006-A-0052 to work with all versions of windows installer.
 Corrected to include all IE vulnerabilities when IE7 is installed. Previous versions of the Gold Disk did not
list any vulnerabilities when IE7 is installed. These vulnerabilities will be manual review until analysis can
be done to determine how to automate checking on IE7.
 Added XML versioning. If a user changes an XML control file, they will be prompted concerning the
detected change when running the Gold Disk. The user can either run the Gold Disk with the change or not
run at that time. If they choose to run with the change, “Modified” appears on the Gold Disk information
bar to indicate that they are not using the released XML.
 2007-T-0016 added to Bind Manual prescan NA.
 2007-T-0021 added to Firefox manual prescan NA.
 2006-B-0009 Corrected possible false positive that could occur on some Windows 2000 systems.
 Engine fixes to accommodate McAfee AV signature date format inconsistencies that caused the Gold Disk
to crash on some systems. Additionally modified the engine to accommodate a change in where McAfee
anti-virus stores the signature file date.
 Updated automation for the following IAVMs:
o 2007-A-0033
o 2007-A-0034
o 2007-B-0011
o 2007-A-0035
 Updates to the following vulnerabilities to keep in sync with checklist guidance for the release:
o DTBI006 IE – Local Zone - Includes
o DTBI040 IE – Zone Settings
o DTAS017 Antivirus AutoProtect – Check Floppy at Shutdown
o Anonymous Access to Named Pipes and Shares
o Corrected fix for user right: Deny logon through Terminal Service
o Corrected fix for user right: Create Pagefile
 Updated checking for the following IAVMs:
o 2003-A-0017
o 2004-A-0006
o 2004-A-0017
o 2004-A-0018
20
UNCLASSIFIED
UNCLASSIFIED
o 2004-A-0019
o 2005-A-0001
o 2005-A-0017
o 2005-A-0018
o 2005-A-0025
o 2005-A-0029
o 2005-A-0030
o 2006-A-0002
o 2006-A-0015
o 2006-A-0036
o 2006-A-0038
o 2006-A-0051
o 2007-A-0005
o 2007-A-0014
o 2003-B-0004
o 2003-B-0006
o 2004-B-0016
o 2006-B-0007
o 2006-B-0009
o 2006-B-0010
o 2006-B-0011
o 2006-B-0014
o 2006-B-0020
o 2006-B-0021
o 2007-B-0003
o 2007-B-0004
o 2004-T-0031
o 2004-T-0035
o 2004-T-0040
o 2005-T-0001
o 2005-T-0003
o 2005-T-0004
o 2005-T-0019
o 2005-T-0026
o 2005-T-0029
o 2005-T-0041
o 2005-T-0042
o 2006-T-0003
o 2006-T-0015
o 2006-T-0026
o 2006-T-0033
o 2006-T-0034
o 2006-T-0039
Gold Disk V2 May 2007 Release

 Browse for executable screen during remediation now displays the Disk Label of the needed CD.
 Anti-virus disk prompting now displays the Disk Label of the needed CD.
 Icon indicators on the Remediation warning screen.
21
UNCLASSIFIED
UNCLASSIFIED
 Enumeration for websites now enumerates more accurately.

 Added automation (where possible) for IAVMs released between March and April.
 Content Management Progress for May 2007 release.
 21 new interactive pre-scan questions covering 33 IAVMs.
Gold Disk V2 March 2007 Release

 Resizable tree-view within the Gold Disk GUI.
 Allow for editing of the IP Address/MAC Address information.
 Display totals for all severities.
 Added automation (where possible) for IAVMs released between January and February.
 Performance improvements reduce processing time by approximately 60 to 80 percent.
 Ability to do an “interview-based” pre-scan for products which are not directly available to do
signature assessments.
Gold Disk V2 Jan 2007 Release

 Save Session capability
o Allows the Gold Disk user to save the current state of the review session to a file. This session
file can later be reloaded to complete the analysis of the system under review.
 Vulnerability Status report.
o Rich-text format that can be saved to disk or printed. User parameters allow selection of
affected software components, vulnerability status and selection of fields to include in the
report.
 File ACL content is now generated out of the database. This was previously post-processed and
added after automated XML generation was completed.
 Added automation (where possible) for IAVMs released between November and December.
 Internet Explorer 7.0 Pre-scan detection.
 Pre-scan Not Applicable Expansion:
o Ability to detect Symantec and Microsoft Exchange Server products. IAVMs affecting these
products set to NA if the product is not found on the system during pre-scan.
Gold Disk V2 Nov 2006 Release

 Corrected checking and fixing for Bad Logon Counter Reset.
 Corrected checking and fixing for Password Expiration.
 Updated 2005-A-0001 to use an updated Microsoft patch.
 Corrected checking and fixing for 2006-A-0028.
 Added automation (where possible) for IAVMs released between September and October.
 Added automated prescan for the following software:
o Oracle
o Adobe Reader and Flash Player
o Winzip
22
UNCLASSIFIED
This page is intentionally left blank
UNCLASSIFIED

U Gold Disk Version 2.0 Release Notes

Cargado por

Información del documento

Descripción original:

Derechos de autor

Formatos disponibles

Compartir este documento

Compartir o incrustar documentos

Opciones para compartir

¿Le pareció útil este documento?

¿Este contenido es inapropiado?

Copyright:

Formatos disponibles

U Gold Disk Version 2.0 Release Notes

Cargado por

Copyright:

Formatos disponibles

UNCLASSIFIED

DISA Field Security Operations

This page is intentionally left blank

Gold Disk V2 August 2010 Release

Gold Disk V2 June 2010 Release

Gold Disk V2 April 2010 Release

 Updated automated checking for WA000-WI6082 (V0013715) to correct required value

Gold Disk V2 February 2010 Release

Gold Disk V2 December 2009 Release

Gold Disk V2 October 2009 Release

Gold Disk V2 August 2009 Release

o Windows Vista Service Pack 2

o V0015717 o V0015722 o V0015727 o V0015696

 Automated patching for V0001073 on Windows Vista

Gold Disk V2 June 2009 Release

Gold Disk V2 April 2009 Release

Gold Disk V2 February 2009 Release

Gold Disk V2 December 2008 Release

o V0016007 8dot3 Name Creation XP FDCC

Gold Disk V2 September 2008 Release

Gold Disk V2 July 2008 Release

Gold Disk V2 May 2008 Release

Gold Disk V2 March 2008 Release

o V0015675 [A] Windows Registration Wizard

Gold Disk V2 January 2008 Release

Gold Disk V2 November 2007 Release

Gold Disk V2 September 2007 Release

Gold Disk V2 July 2007 Release

Gold Disk V2 May 2007 Release

 Enumeration for websites now enumerates more accurately.

Gold Disk V2 March 2007 Release

Gold Disk V2 Jan 2007 Release

Gold Disk V2 Nov 2006 Release

También podría gustarte