The Trust Providers Software Publishing State must be set to 0x23C00.

From Microsoft Dot Net Framework 4.0 STIG

Part of APPNET0046 Test Root certificates

SV-7444r3_rule The Trust Providers Software Publishing State must be set to 0x23C00.

Vulnerability discussion

Microsoft Windows operating systems provide a feature called Authenticode. Authenticode technology and its underlying code signing mechanisms serve to provide a structure to identify software publishers and ensure that software applications have not been tampered with. Authenticode technology relies on digital certificates and is based on Public Key Cryptography Standards (PKCS) #7 (encrypted key specification), PKCS #10 (certificate request formats), X.509 (certificate specification), and the Secure Hash Algorithm (SHA) and MD5 hash algorithms.

The manner in which Authenticode validates a certificate, and what it considers a valid certificate, can be modified to meet the mission of the Microsoft Windows system. Each facet of certificate validation is controlled through the bits that make up the hexadecimal value of the Authenticode setting. An improper setting will allow non-valid certificates to be accepted and can put the integrity of the system in jeopardy.

The hexadecimal value of 0x23C00 will implement the following certificate enforcement policy:

- Trust the Test Root = FALSE
- Use expiration date on certificates = TRUE
- Check the revocation list = TRUE
- Offline revocation server OK (Individual) = TRUE
- Offline revocation server OK (Commercial) = TRUE
- Java offline revocation server OK (Individual) = TRUE
- Java offline revocation server OK (Commercial) = TRUE
- Invalidate version 1 signed objects = FALSE
- Check the revocation list on Time Stamp Signer = FALSE
- Only trust items found in the Trust DB = FALSE

Check content

If the system or application being reviewed is SIPR-based, this finding is NA. This check must be performed for each user on the system. Use regedit to locate "HKEY_USERS\[UNIQUE USER SID VALUE]\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State". If the State value for any user is not set to the hexadecimal value of 0x23C00, this is a finding.

Fix text

This fix must be performed for each user on the system. Using regedit, change the hexadecimal value of the "HKEY_USERS\[UNIQUE USER SID VALUE]\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State" registry value to 0x23C00.
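The per-user check and fix above, scripted as an added example (not part of the STIG text): it walks every user hive loaded under HKEY_USERS, compares the State value with 0x23C00, reports findings, optionally remediates with -Fix, and decodes a State value into the policy bits listed in the discussion. Assumptions: only profiles currently loaded under HKEY_USERS are visible (other users' ntuser.dat hives are not), and the bit assignments follow the WTPF_* flags in wintrust.h (three of them are "ignore" bits, so they read inverted relative to the page's "Use expiration", "Check the revocation list" and "Check ... on Time Stamp Signer" lines).

```powershell
# Added example; run from an elevated PowerShell prompt.
$Required = 0x23C00
$SubKey   = 'Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing'

# Bit meanings taken from the WTPF_* flags in wintrust.h (assumption, not from the STIG text).
# 0x23C00 = 0x20000 + 0x2000 + 0x1000 + 0x800 + 0x400, which matches the policy listed above.
$Flags = [ordered]@{
    'Trust the Test Root'                        = 0x20
    'Ignore expiration date on certificates'     = 0x100    # inverse of "Use expiration date"
    'Ignore the revocation list'                 = 0x200    # inverse of "Check the revocation list"
    'Offline revocation server OK (Individual)'  = 0x400
    'Offline revocation server OK (Commercial)'  = 0x800
    'Java offline revocation OK (Individual)'    = 0x1000
    'Java offline revocation OK (Commercial)'    = 0x2000
    'Invalidate version 1 signed objects'        = 0x10000
    'Ignore revocation list on Time Stamp Signer'= 0x20000  # inverse of "Check ... on Time Stamp Signer"
    'Only trust items found in the Trust DB'     = 0x40000
}

function ConvertFrom-SoftwarePublishingState {
    param([int]$State)
    foreach ($name in $Flags.Keys) {
        [pscustomobject]@{ Setting = $name; Enabled = (($State -band $Flags[$name]) -ne 0) }
    }
}

function Test-SoftwarePublishingState {
    param([switch]$Fix)
    # Real user SIDs only: skip *_Classes subhives and the well-known service SIDs.
    Get-ChildItem Registry::HKEY_USERS |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
        ForEach-Object {
            $sid   = $_.PSChildName
            $path  = "Registry::HKEY_USERS\$sid\$SubKey"
            $item  = Get-ItemProperty -Path $path -Name State -ErrorAction SilentlyContinue
            $state = if ($null -ne $item) { [int]$item.State } else { $null }
            $ok    = ($state -eq $Required)
            if (-not $ok -and $Fix) {
                New-Item -Path $path -Force | Out-Null          # key may be absent for a new profile
                Set-ItemProperty -Path $path -Name State -Value $Required -Type DWord
            }
            [pscustomobject]@{
                SID     = $sid
                State   = if ($null -ne $state) { '0x{0:X}' -f $state } else { '(missing)' }
                Finding = -not $ok
                Fixed   = (-not $ok) -and $Fix
            }
        }
}

Test-SoftwarePublishingState | Format-Table -AutoSize
```

Run `ConvertFrom-SoftwarePublishingState 0x23C00` to see the decoded policy, and `Test-SoftwarePublishingState -Fix` to remediate loaded profiles; profiles not loaded at the time of the scan still need the per-user check the STIG describes.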
