Authentication and access control project
Security Technical Implementation Guides (STIGs)
The Defense Information Systems Agency (DISA) publishes and maintains Security Requirements Guides (SRGs) and Security Technical Implementation Guides (STIGs), both of which are intended to help individuals and IT systems administrators ensure that their systems, including operating systems and database management systems, are secure. As arms of the federal government, DISA, the National Security Agency, and the National Institute of Standards and Technology (NIST) provide STIGs as a tool to harden information technology resources such as routers, databases, networks, software development, and other related technologies. STIGs can be used to evaluate Access Control and Authentication on a local machine, and users can reference current guides found on the DISA website (https://public.cyber.mil/stigs/).

When searching this resource for applicable STIGs, select the “Document Library” on the left side of the page, and then use the STIG Topics on the right side of the page to narrow the scope to topics such as STIG Viewing, Operating Systems, or Application Security, as appropriate, to download the specific guides and details (see figure titled “STIG Document Library”).
[Figure: STIG Document Library. Source: DISA DoD Cyber Exchange]

The Document Library offers a list of STIGs:

[Figure: STIG Topics Listed in the DISA Document Library. Source: DISA STIG Document Library]
How to Use STIGs
Publicly releasable STIGs can be downloaded directly from the public.cyber.mil site in Extensible Markup Language (XML) format. XML is a markup language commonly used to set encoding rules for documents so that they are both machine-readable and understandable to the human eye.
When retrieving files directly from public.cyber.mil, they will download as a ZIP file containing documentation describing the specific STIG, as well as the XML file, a stylesheet, and image logos. The stylesheet defines the set of elements found within an XML document; it is essentially the primer defining how to read and interpret the XML document when it is displayed by browsers and other XML readers.
Most browsers will not properly read or display the XML file when it is opened from your desktop. The figure titled “Non–XML-Supported Browser” illustrates the display if you attempt to read the file directly in browsers such as Firefox or Chrome.
[Figure: Non–XML-Supported Browser. Source: Mozilla Firefox, UMGC]
However, Internet Explorer (IE) may properly display the contents, as shown in the figure titled “XML-Supported Browser.”
[Figure: XML-Supported Browser. Source: Microsoft Internet Explorer, UMGC]
To avoid these display inconsistencies, publicly available STIGs can also be downloaded from stigviewer.com. This site provides additional formats for download, including XML, Excel, and JSON. For example, users can navigate to the website and download the security guidelines for both an operating system platform (Windows or Linux) and the Database Security Requirements Guide.

If the STIG for Windows 10, for example, is downloaded or viewed, nearly 300 security requirements are listed, categorized by severity into high, medium, and low. The user can easily download the list to an Excel spreadsheet and use it as a tool to help harden their operating system (see figure titled “STIG Viewer for Windows 10”).
[Figure: STIG Viewer for Windows 10. Source: UCF STIG Viewer]
The stigviewer.com site is convenient, as no downloads or software installations are required. In addition, multiple formats are available for ingestion and use by other tools.
A government-provided STIG Viewer tool can be downloaded from public.cyber.mil. This tool requires installation on a desktop, but it offers additional functionality for prioritizing and documenting findings while allowing the analyst or user to go through a checklist verifying the security status and posture of any application or system.
The viewer is found in the STIG Document Library under the STIG Viewing Tools search. Select the tool that matches your desktop operating system to download the appropriate viewer. See the figure titled “STIG Viewer Tool.”
[Figure: STIG Viewer Tool. Source: DISA DoD Cyber Exchange SRG/STIG Tools]
After downloading the STIG Viewer, unzip the file and then run the batch file (e.g., STIGViewer.bat for a PC), and the STIG Viewer tool will load. There is a Help menu and a user’s guide available, but the tool is easy to navigate.
Use File, Import STIG to load one of the recently downloaded STIGs. Then you can create a checklist using Checklist, Create Checklist. Once a checklist is created, each vulnerability can be reviewed and labeled as Not Reviewed, Open, Not a Finding, or Not Applicable. Open vulnerabilities are color-coded red; green represents “Not a Finding,” indicating that this specific vulnerability was not present or not a concern. See the figure titled “STIG Viewer Checklist.”
[Figure: STIG Viewer Checklist]
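The following Python is an added example (not from this page, DISA, or the STIG Viewer) showing what a tool does with the downloaded XML: it reads the rules, tallies them by the high/medium/low severity described above, and keeps a checklist using the four statuses listed for the STIG Viewer. It assumes the DISA XML uses the XCCDF 1.1 schema (Benchmark/Group/Rule elements with a severity attribute); the embedded STIG fragment, its IDs, and its titles are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Assumption: DISA's public STIG XML is XCCDF 1.1, so elements sit in this namespace.
NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}

# Constructed sample fragment: placeholder IDs and titles, not a real STIG.
SAMPLE_STIG_XML = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="Sample_STIG">
<Group id="V-000001"><Rule id="SV-000001r1_rule" severity="high">
<title>Accounts must require a password before login.</title></Rule></Group>
<Group id="V-000002"><Rule id="SV-000002r1_rule" severity="medium">
<title>Audit logging must be enabled.</title></Rule></Group>
<Group id="V-000003"><Rule id="SV-000003r1_rule" severity="low">
<title>Login banner text must be configured.</title></Rule></Group>
</Benchmark>"""

# The four statuses the STIG Viewer checklist allows.
STATUSES = ("Not Reviewed", "Open", "Not a Finding", "Not Applicable")

def load_rules(xml_text):
    """Return one dict per Rule with its id, group, severity and title."""
    root = ET.fromstring(xml_text)
    rules = []
    for group in root.findall("x:Group", NS):
        for rule in group.findall("x:Rule", NS):
            title = rule.find("x:title", NS)
            rules.append({"id": rule.get("id"), "group": group.get("id"),
                          "severity": rule.get("severity", "unknown"),
                          "title": title.text if title is not None else ""})
    return rules

def count_by_severity(rules):
    """Tally rules by the high/medium/low severity shown on stigviewer.com."""
    return dict(Counter(r["severity"] for r in rules))

def new_checklist(rules):
    """Every rule starts as Not Reviewed, as in a freshly created checklist."""
    return {r["id"]: "Not Reviewed" for r in rules}

def set_status(checklist, rule_id, status):
    """Record a review result; reject unknown rule ids and invalid statuses."""
    if rule_id not in checklist or status not in STATUSES:
        raise ValueError(f"bad rule id or status: {rule_id!r}, {status!r}")
    checklist[rule_id] = status

def open_findings(checklist, rules):
    """Ids of rules marked Open, highest severity first, for remediation order."""
    order = {"high": 0, "medium": 1, "low": 2}
    sev = {r["id"]: r["severity"] for r in rules}
    opened = [rid for rid, s in checklist.items() if s == "Open"]
    return sorted(opened, key=lambda rid: order.get(sev[rid], 3))
```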
The STIG Viewer allows analysts to document their findings (and non-findings) as they proceed through each potential vulnerability. The time to complete a STIG depends upon the number of vulnerability checks to perform, and the priority and the risk associated with the system.
Automated scanning tools are available to reduce the time associated with manually checking each vulnerability. However, some items on the checklist—such as documentation checks related to backup plans and other configuration management components—cannot be automated.
References
DISA. (2020). Security Technical Implementation Guides. Retrieved from https://public.cyber.mil/stigs
DISA. (2020). STIGs Document Library. Retrieved from https://public.cyber.mil/stigs/downloads
UCF. (2020). STIG Viewer. Available at https://www.stigviewer.com/stigs
© 2021 University of Maryland Global Campus