STIGs VS SHB #22
Comments
Generally, they are the STIGs, but sometimes there may be additional configuration settings included. For example, the IE trusted sites list is configured to trust a bunch of .gov and .mil sites. This is not in the IE STIG, but it is included in the IE GPO for the SHB.
I ask because in a comparison of the Adobe Acrobat Reader DC Continuous Track STIG - Ver 1, Rel 2 to the SHB policy, I find the STIG IDs below missing: ARDC-CN-000070. Just checking if this is by design or not.
My quick investigation leads me to believe that they are using the "continuous" version for the install, but are using the "classic" version of the STIG in their GPO. Originally, the SHB Framework developers were using the classic version of Adobe Reader, but we got them to switch to the continuous version because of the security benefits. It may be that they never changed their GPO settings from classic to continuous. I will bring this up tomorrow during the SHB conference call.
I also just checked the latest SHB 10.1 GPOs and they don't provide an Adobe Reader GPO, so we will need to provide an updated GPO here. There are a few non-security settings in the Adobe Reader STIG that shouldn't be in the STIG. DISA had said they were going to remove them, but then they never ended up removing them. I think that might account for a couple of settings like the welcome screen (ARDC-CN-000115), repair dialog settings (ARDC-CN-000070), and maybe the certificate settings (ARDC-CN-000330 and ARDC-CN-000335). For ARDC-CN-000340, it isn't an actual setting.
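One way to run the STIG-to-GPO comparison discussed in this thread in a repeatable way, as an added example that is not part of the original issue or of the SHB/STIG GPO packages. It reads the STIG IDs out of a DISA XCCDF benchmark (the STIG ID is the `<version>` child of each `<Rule>`), compares them with the list of IDs a GPO is annotated as implementing, and reports gaps by CAT severity. IDs that appear in the GPO but not in the benchmark are reported separately, since that is the pattern you would expect if the GPO had been built against a different track (classic vs. continuous) or release. The XCCDF fragment, the Group/Rule IDs, titles, severities, the `GPO_COVERED_IDS` list and the `ARDC-CN-000010` / `ARDC-CN-000999` identifiers are all constructed for the example and are not the real Adobe Reader STIG or the real SHB GPO; `NOT_A_SETTING` reflects the statement above that ARDC-CN-000340 has no technical setting behind it.

```python
"""Report which STIG IDs from an XCCDF benchmark a GPO does not cover.

Added example for this issue thread; the benchmark fragment and the GPO
coverage list below are constructed placeholders, not DISA or SHB data.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}
# DISA severity attribute -> CAT level used in findings reports.
CAT = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}

# Constructed XCCDF fragment in the shape DISA benchmarks use. Group and
# Rule ids, severities and titles are placeholders (not real benchmark
# values); the ARDC-CN IDs other than 000070, 000115 and 000340 are made up.
SAMPLE_XCCDF = """<?xml version="1.0" encoding="utf-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="Constructed_Reader_STIG">
  <Group id="V-0001"><Rule id="SV-0001r1_rule" severity="high">
    <version>ARDC-CN-000010</version><title>Placeholder: CAT I setting</title></Rule></Group>
  <Group id="V-0002"><Rule id="SV-0002r1_rule" severity="medium">
    <version>ARDC-CN-000070</version><title>Placeholder: repair dialog</title></Rule></Group>
  <Group id="V-0003"><Rule id="SV-0003r1_rule" severity="low">
    <version>ARDC-CN-000115</version><title>Placeholder: welcome screen</title></Rule></Group>
  <Group id="V-0004"><Rule id="SV-0004r1_rule" severity="medium">
    <version>ARDC-CN-000340</version><title>Placeholder: procedural check</title></Rule></Group>
</Benchmark>
"""

# Constructed: STIG IDs the GPO under review is annotated as implementing.
# ARDC-CN-000999 is a made-up ID standing in for a setting carried over
# from a different STIG track or release.
GPO_COVERED_IDS = {"ARDC-CN-000010", "ARDC-CN-000999"}

# IDs with no technical setting behind them (per the thread, ARDC-CN-000340).
NOT_A_SETTING = {"ARDC-CN-000340"}


def parse_stig_rules(xccdf_text):
    """Return {stig_id: {"rule_id", "severity", "title"}} from XCCDF text."""
    root = ET.fromstring(xccdf_text)
    rules = {}
    for rule in root.iterfind(".//x:Rule", XCCDF_NS):
        version = rule.find("x:version", XCCDF_NS)
        if version is None or not version.text:
            continue  # no STIG ID, so nothing to map a GPO setting to
        title = rule.findtext("x:title", default="", namespaces=XCCDF_NS)
        rules[version.text.strip()] = {
            "rule_id": rule.get("id"),
            "severity": rule.get("severity", "unknown"),
            "title": title.strip(),
        }
    return rules


def coverage_report(rules, gpo_ids, not_a_setting=()):
    """Classify each benchmark STIG ID as covered, missing (by CAT), or
    procedural, and list GPO IDs the benchmark does not define."""
    gpo_ids, not_a_setting = set(gpo_ids), set(not_a_setting)
    missing = defaultdict(list)
    report = {"covered": [], "not_a_setting": []}
    for stig_id in sorted(rules):
        if stig_id in gpo_ids:
            report["covered"].append(stig_id)
        elif stig_id in not_a_setting:
            report["not_a_setting"].append(stig_id)
        else:
            missing[CAT.get(rules[stig_id]["severity"], "unknown")].append(stig_id)
    report["missing"] = dict(missing)
    # IDs the GPO claims but the benchmark never defines: typical of a GPO
    # built against a different STIG track (classic vs. continuous) or release.
    report["unknown_in_gpo"] = sorted(gpo_ids - set(rules))
    return report


if __name__ == "__main__":
    rules = parse_stig_rules(SAMPLE_XCCDF)
    report = coverage_report(rules, GPO_COVERED_IDS, NOT_A_SETTING)
    for cat, ids in sorted(report["missing"].items()):
        for stig_id in ids:
            print(f"MISSING {cat}: {stig_id} - {rules[stig_id]['title']}")
    for stig_id in report["not_a_setting"]:
        print(f"PROCEDURAL (no GPO setting): {stig_id}")
    for stig_id in report["unknown_in_gpo"]:
        print(f"IN GPO BUT NOT IN BENCHMARK: {stig_id}")
```

Point `parse_stig_rules` at the real `*_Manual-xccdf.xml` from the DISA STIG zip and replace `GPO_COVERED_IDS` with the IDs you pull from the GPO's policy comments or the DISA GPO spreadsheet; anything landing in `unknown_in_gpo` is worth checking against the classic-track benchmark before treating it as a coverage gap.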
Are the policies contained within the SHB a mirror of the DISA STIGs for those applications/operating system or is there additional development/tweaks that are done? Thank you in advance.