=================================
Changes in CCE version 5.20110602
=================================

Total CCE Entries: 10316
Number of new entries: 16
Total Number of Platform Groups: 19
Number of new platform groups: 0
Number of platform groups with updates: 1

Platform groups with no changes
-------------------------------
aix5.3
hpux11.23
ie7
ie8
office2k7
office2010
rhel4
solaris8
solaris9
solaris10
weblogicserver11g
vista
win2k
win2k3
win2k8
win2k8r2
win7
winxp

Platform groups with changes
----------------------------
rhel5
  - Added 16 new entries, bringing the total to 429, up from 413 in version 5.20100926. New entries begin at row 417 in the spreadsheet.

=================================
Changes in CCE version 5.20100926
=================================

Total CCE Entries: 10300
Number of new entries: 4592
Total Number of Platform Groups: 19
Number of new platform groups: 4
Number of platform groups with updates: 2

NOTE: The count of CCEs in version 5.20100428 as reported in the ChangeLog was incorrect. As released, version 5.20100428 actually included 5708 entries and 5710 elements, rather than 5703 and 5705 as stated. (See the ChangeLog for version 5.20100428 for the reason for the discrepancy between the number of unique CCE IDs and the number of elements in the XML. That discrepancy still remains; there are 10302 elements in cce-COMBINED-5.20100926.xml.)

Platform groups with no changes
-------------------------------
aix5.3
hpux11.23
ie7
office2k7
rhel4
solaris8
solaris9
solaris10
vista
win2k
win2k3
win2k8
winxp

Platform groups with changes
----------------------------
rhel5
  - Added 83 new entries, bringing the total to 413, up from 330 in version 5.20100428. New entries begin at row 334 in the spreadsheet.
  - The CCE team wishes to acknowledge the assistance of contributors from NSA, NIST, and Red Hat in this update.
  - Added references to Revision 4 of the NSA "Guide to the Secure Configuration of Red Hat Enterprise Linux 5".
  - DEPRECATED CCE-3762-2 in favor of CCE-14113-5, CCE-14672-0, CCE-14712-4, and CCE-14122-6. CCE-3762-2 was created at too high a level of abstraction. Its description was: "The password strength should meet minimum requirements."

win7
  - Added 148 new entries, bringing the total to 600, up from 452 in version 5.20100428.
    NOTE: 18 of these new entries are DEPRECATED, resolving inadvertent duplicate CCEs created while processing win7 submissions from multiple parties.
  - Added references to the USGCB Beta release of 2010-08-31 (XCCDF and OVAL).
    NOTE: Additional references to USGCB version 1.0.x.0 will be added in a future CCE update.

New platform groups
-------------------
ie8
  - Initial release of the CCE list for Internet Explorer 8. There are 1437 entries, including full coverage of all settings included in the Microsoft Security Compliance Manager (SCM) IE8 baselines as well as the new setting pack beta released on 2010-09-24.
  - The CCE team wishes to acknowledge the assistance of the Microsoft Solution Accelerators Security Team in creating this list.
  - NOTE: Additional references to USGCB version 1.0.x.0 will be added in a future CCE update.

office2010
  - Initial release of the CCE list for Microsoft Office 2010. There are 2013 entries, including full coverage of all settings included in the Microsoft Security Compliance Manager (SCM) Office 2010 baselines and setting pack beta.
  - The CCE team wishes to acknowledge the assistance of the Microsoft Solution Accelerators Security Team in creating this list.

weblogicserver11g
  - Initial release of the CCE list for Oracle WebLogic Server 11g. There are 99 entries, submitted by a MITRE team developing a configuration guide and benchmark for WebLogic Server 11g.

win2k8r2
  - Initial release of the CCE list for Windows Server 2008 R2. There are 812 entries, including full coverage of all settings included in the Microsoft Security Compliance Manager (SCM) Windows Server 2008 R2 baselines and setting pack beta.
  - The CCE team wishes to acknowledge the assistance of the Microsoft Solution Accelerators Security Team in creating this list.
  - NOTE: Windows Server 2008 R2 (win2k8r2) is a new platform group for CCE, distinct from Windows Server 2008 (win2k8). The decision to create a new platform group, rather than expand the number of CCEs related to Windows Server 2008, was made after discussion with the Microsoft Solution Accelerators Security Team. Technically, Server 2008 R2 bears a similar relationship to Server 2008 as Windows 7 bears to Vista.

=================================
Changes in CCE version 5.20100428
=================================

Total CCE Entries: 5703
[Note that there are 5705 elements in the XML. Two CCEs, CCE-4909-8 and CCE-4923-9, appear as DEPRECATED in both the aix5.3 and solaris9 lists. This is due to a historical mistake where, twice, the same ID was assigned to issues for two different platform groups.]

Platform groups with no changes
-------------------------------
aix5.3
hpux11.23
rhel4
solaris8
solaris9

Platform groups with changes
----------------------------
ie7, rhel5, solaris10, vista, win2k, winxp, win2k8
  - Minor changes to normalize parameters, technical mechanisms, etc. to facilitate XML generation, plus incidental cleanup.

office2k7
  - Normalization & cleanup to facilitate XML generation.
  - Restored a number of updates which had inadvertently been dropped in interim (non-release) updates of the list since the 5.20090115 release, due to user error with CCE's revision control system. These changes should not be visible to anyone who has been working with the 5.20090115 release. However, CCE Working Group members who received the test XML version of the CCE list in June 2009 may notice changes. These include:
      - Restored the Microsoft Office 2007 Threats and Countermeasures guide references. Also updated the resource ID (column header) for this resource for clarity.
      - Restored improved descriptions, technical mechanisms, and certain references for a small number of CCEs.
      - Restored CCE-4277-0, CCE-4280-4, CCE-4283-8, CCE-5276-1, and CCE-4440-4, which had been dropped.

win2k3
  - Normalization & cleanup to facilitate XML generation.
  - Added references from the April 26, 2006 version of the Microsoft Windows Server 2003 Security Guide.
  - Added references to Microsoft TechNet articles and other Microsoft online documentation and resources.
  - Added specific GPO technical mechanisms to various CCEs.
  - CCE-3788-7, CCE-3806-7, CCE-3608-7, CCE-3740-8, CCE-3277-1, CCE-3661-6, CCE-3730-9: Description fixed; parameters and technical mechanisms added.
  - New CCEs: CCE-9994-5, CCE-10633-6, CCE-9710-5, CCE-10688-0, CCE-10710-2, CCE-10463-8

New platform group
------------------
win7
  - First publication of CCE entries for Windows 7. These CCEs were assigned in collaboration with Microsoft. The CCE team would like to express thanks to the developers of the Microsoft Security Compliance Management Toolkit for Windows 7 for their assistance in creating these CCEs. In reviewing the original CCE ID assignments made by Microsoft, and the Windows 7 setting documentation provided to the CCE team, certain additions and modifications were made as follows:
      - CCE-10814-2, CCE-10303-6: These two new CCEs are for settings (administrative shares, auto reboot) which were present in the data from Microsoft but for some reason had not been assigned CCE IDs.
      - CCE-9915-0, CCE-10417-4: New CCEs for the sub-options for Registry policy processing.
      - CCE-10700-3, CCE-9924-2: New CCEs for the scheduled install day and time sub-options for automatic updates.
      - CCE-9506-7: Recast slightly to clarify that it relates to whether user-initiated solicitations for remote assistance (aka 'Solicited Remote Assistance') are enabled or disabled.
      - CCE-10519-7, CCE-10753-2, CCE-10312-7, CCE-9929-1: New CCEs for the sub-options for the 'Solicited Remote Assistance' setting.
      - CCE-10887-8, CCE-10777-1, CCE-10904-1: These three CCEs (plus CCE-9534-9) represent a SPLIT of the original casting of CCE-9534-9 by Microsoft. CCE-9534-9 as originally cast related to the 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' policy. However, this policy is actually just a container for four sub-options (Require message integrity, Require message confidentiality, Require NTLMv2 session security, and Require 128-bit encryption). There is no directly configurable control at the level of abstraction of the "container" policy. These four CCEs (including the recast CCE-9534-9) now each relate to one of the sub-options. The state displayed in the Group Policy editor as a value of "No minimum" for this container policy corresponds to specifying a parameter value of "disabled" for all four of these CCEs.
        NOTE: This SPLIT will also be applied to the CCE entries for similar controls in other Windows platform groups in a future release of CCE.
      - CCE-9736-0, CCE-10916-5, CCE-10281-4, CCE-10924-9: As above, except for SSP-based servers rather than clients. CCE-9736-0 was the original CCE in this case. Again, this SPLIT will be applied to appropriate CCE entries for other Windows platform groups in a future release of CCE.
      - CCE-9764-2: Recast slightly to clarify that this CCE relates to whether server enforcement of the encryption level in Remote Desktop Services client connections is enabled or disabled. The specific encryption level enforced is a separately configurable control and hence has been assigned its own CCE (see below).
      - CCE-10779-7: New entry relating to the encryption level enforced by the server for Remote Desktop Services client connections.
      - CCE-9960-6: Recast slightly to clarify that it relates to whether unsolicited offers of remote assistance (aka 'Offer Remote Assistance') are automatically rejected or passed to the user for confirmation.
      - CCE-10690-6, CCE-9931-7: New CCEs for the sub-options of the 'Offer Remote Assistance' setting.
  - Added references to MS TechNet articles for several CCEs, mostly related to BitLocker settings.