================================= Changes in CCE version 5.20120314 ================================= Total CCE Entries: 10851 Number of new entries: 180 Total number of platform groups: 21 Number of new platform groups: 2 Number of platform groups with updates: 7 - Of those, number with content changes: 6 - With only formatting updates: 1 NOTE: The count of total CCE entries has been incorrect in recent releases. If you noticed that the 180 plus the total reported with the 5.20111130 release doesn't add up to 10851, that's why. Total entries and number of new entries reported above are now believed to be correct. Platform groups with no changes ------------------------------- aix5.3 hpux11.23 ie8 office2k7 office2010 rhel4 rhel5 solaris8 solaris9 solaris10 win2k win2k3 New platform groups ------------------- exchange2007 exchange2010 - Initial release of the CCE lists for Microsoft Exchange 2007 and 2010. There are 66 CCEs in the exchange2007 Platform Group, and 76 for exchange2010. - The CCE team wishes to acknowledge the assistance of the Microsoft Solution Accelerators Team in creating this list. Their extremely well-formed submissions of CCE candidates for the two new platform groups were invaluable in creating the final CCE entries and assigning CCE IDs. - NOTE: The Microsoft Security Compliance Manager Baselines for Exchange 2007 and 2010 are currently still in beta, and not yet in general release. Platform groups with content changes ------------------------------------ ie7 - Eight new CCEs: CCE-18394-7, CCE-18552-0, CCE-18467-1, CCE-18731-0, CCE-18230-3, CCE-18912-6, CCE-18738-5, CCE-18137-0, issued for use in USGCB. - Added reference columns for new Resources, USGCB XCCDF and OVAL. References for the eight new CCEs in this release are drawn from these Resources. - Changed representation of registry key technical mechanisms in 20 CCE entries: the delimiter before the EntryName at the end of the key was changed from ! to \ - Various cosmetic changes to normalize formatting winxp - Nine new CCEs: CCE-18099-2, CCE-18173-5, CCE-18559-5, CCE-18149-5, CCE-18962-1, CCE-18306-1, CCE-18692-4, CCE-18634-6, CCE-18782-3, issued for use in USGCB. - Note that CCE-18099-2 is DEPRECATED, because the control described does not itself affect the configuration of aspects of the Windows NTP Client. Rather, it only controls whether Group Policy is used to set those options. - CCE-18167-7, CCE-18870-6, CCE-18307-9, CCE-18959-7: Modified Description and Parameters to clarify that these CCEs relate to whether various Windows XP Components are installed. - DEPRECATED CCE-5407-2 & CCE-5441-1: The POSIX and OS/2 subsystems are not supported on Windows XP, per Microsoft. See KB308259. Also fixed data swap between parameter <-> technical mechanism columns. - Changed representation of registry key technical mechanisms in various CCE entries: the delimiter before the EntryName at the end of the key was changed from ! to \ - Deleted empty row 572 vista - 19 new CCEs: CCE-18320-2, CCE-18987-8, CCE-18388-9, CCE-18220-4, CCE-18356-6, CCE-18589-2, CCE-18626-2, CCE-18386-3, CCE-18324-4, CCE-18594-2, CCE-18115-6, CCE-18938-1, CCE-18358-2, CCE-18686-6, CCE-18303-8, CCE-18881-3, CCE-18715-3, CCE-18414-3, CCE-18913-4 - Note that CCE-18220-4 is DEPRECATED, because the control described does not itself affect the configuration of aspects of the Windows NTP Client. Rather, it only controls whether Group Policy is used to set those options. - CCE-5407-2, CCE-5441-1: Fixed data swap between parameter <-> technical mechanism columns. - CCE-3316-7, CCE-3082-5, CCE-4078-2: Added "automatic (delayed start)" to CCE Parameters. - CCE-18891-2, CCE-18279-0, CCE-18624-7, CCE-18129-7, CCE-18284-0, CCE-18700-5, CCE-18689-0: Modified Description and Parameters to clarify that these CCEs refer to whether various Windows Vista features are turned on or off. win2k8 - CCE-8504-3: Added "automatic (delayed start)" to CCE Parameters. - Changed representation of registry key technical mechanisms in various CCE entries: the delimiter before the EntryName at the end of the key was changed from ! to \ win7 - Two new CCEs: CCE-14986-4 & CCE-14854-4 - Fixed minor cosmetic spreadsheet formatting issues (cell boarders, row heights and column widths, fonts, etc.). win2k8r2 - CCE-10213-7, CCE-10707-8: Fixed issue where each of these CCE IDs appeared in two spreadsheet rows / CCE entries, with different Descriptions. This appears to have been the result of an inadvertent cut-and-paste error in a previous release. - Fixed some 62 CCEs, where groups of two or more CCE IDs had the same CCE Description. In the majority of cases, the duplicates were resolved by adding additional information to the Description to clarify which configuration concept the CCE identifies. E.g., qualifying to which log type, aspect of the Diagnostic Policy Service, packet type, etc. each CCE refers. In a minority of cases, apparent cut-and-paste errors in a previous release were corrected to restore original intent of the CCE entry. Affected CCEs: CCE-11074-2, CCE-11087-4, CCE-10677-3, CCE-11148-4, CCE-10454-7, CCE-11131-0, CCE-11306-8, CCE-12032-9, CCE-11290-4, CCE-11954-5, CCE-11138-5, CCE-11400-9, CCE-11890-1, CCE-12204-4, CCE-10975-1, CCE-11663-2, CCE-12036-0, CCE-10616-1, CCE-10626-0, CCE-11054-4, CCE-11210-2, CCE-11484-3, CCE-11966-9, CCE-12038-6, CCE-10315-0, CCE-10558-5, CCE-11393-6, CCE-11149-2, CCE-11697-0, CCE-11756-4, CCE-12295-2, CCE-10863-9, CCE-11269-8, CCE-11634-3, CCE-10679-9, CCE-11219-3, CCE-11690-5, CCE-11712-7, CCE-10421-6, CCE-11441-3, CCE-11883-6, CCE-12180-6, CCE-11033-8, CCE-11143-5, CCE-11174-0, CCE-11717-6, CCE-11573-3, CCE-11947-9, CCE-12248-1, CCE-11192-2, CCE-11479-3, CCE-11698-8, CCE-10309-3, CCE-10663-3, CCE-10918-1, CCE-11055-1, CCE-10722-7, CCE-11191-4, CCE-10781-3, CCE-11153-4, CCE-10057-8, CCE-10229-3 - Parameters improved for: CCE-11210-2, CCE-10616-1, CCE-10626-0, CCE-11054-4, CCE-11966-9, CCE-11494-2 - Fixed minor cosmetic spreadsheet formatting issues (cell boarders, row heights and column widths, fonts, etc.). Platform groups with non-content changes ---------------------------------------- This release also includes some changes made to the formatting of certain CCE spreadsheets. These did not affect CCE content in any way. exchange2007 exchange2010 ie7 weblogicserver11g [See Note below] vista win2k8 win7 winxp - Removed names from several named cells/ranges, which had been added inadvertently at some point. - Note: Since there were no content changes to any of the CCE entries in the weblogicserver11g platform group, the "Last modified" and "Version" attributes were not updated. (Those attributes may be found in hidden cells B1 and B2, respectively.) The only changes were to remove the named ranges. ================================= Changes in CCE version 5.20111130 ================================= Total CCE Entries: 10667 Number of new entries: 317 Total Number of Platform Groups: 19 Number of new platform groups: 0 Number of platform groups with updates: 1 Platform groups with no changes ------------------------------- aix5.3 hpux11.23 ie7 ie8 office2k7 office2010 rhel4 rhel5 solaris8 solaris9 solaris10 weblogicserver11g winxp win2k win2k3 win2k8 vista windows7 Platform groups with changes ---------------------------- win2k8r2 - Added 317 new entries. New entries begin at row 816 in the spreadsheet. ================================= Changes in CCE version 5.20111007 ================================= Total CCE Entries: 10350 Number of new entries: 34 Total Number of Platform Groups: 19 Number of new platform groups: 0 Number of platform groups with updates: 5 Platform groups with no changes ------------------------------- aix5.3 hpux11.23 ie7 ie8 office2k7 office2010 rhel4 solaris8 solaris9 solaris10 win2k win2k3 win2k8 win2k8r2 Platform groups with changes ---------------------------- rhel5 - Added 2 new entries. New entries begin at row 433 in the spreadsheet. weblogicserver11g - Added 13 new entries. New entries begin at row 103 in the spreadsheet. winxp - Added 4 new entries. New entries begin at row 592 in the spreadsheet. vista - Added 8 new entries. New entries begin at row 468 in the spreadsheet. win7 - Added 7 new entries. New entries begin at row 604 in the spreadsheet. ================================= Changes in CCE version 5.20110602 ================================= Total CCE Entries: 10316 Number of new entries: 16 Total Number of Platform Groups: 19 Number of new platform groups: 0 Number of platform groups with updates: 1 Platform groups with no changes ------------------------------- aix5.3 hpux11.23 ie7 ie8 office2k7 office2010 rhel4 solaris8 solaris9 solaris10 weblogicserver11g vista win2k win2k3 win2k8 win2k8r2 win7 winxp Platform groups with changes ---------------------------- rhel5 - Added 16 new entries, bringing the total to 429, up from 413 in version 5.20100926. New entries begin at row 417 in the spreadsheet. ================================= Changes in CCE version 5.20100926 ================================= Total CCE Entries: 10300 Number of new entries: 4592 Total Number of Platform Groups: 19 Number of new platform groups: 4 Number of platform groups with updates: 2 NOTE: The count of CCEs in version 5.20100428 as reported in the ChangeLog was incorrect. As released, version 5.20100428 actually included 5708 entries, and 5710 elements, rather than 5703 and 5705 as stated. (See the ChangeLog for version 5.20100428 for the reason for the discrepancy between the number of unique CCE IDs and the number of elements in the XML. That discrepancy still remains; there are 10302 elements in cce-COMBINED-5.20100926.xml.) Platform groups with no changes ------------------------------- aix5.3 hpux11.23 ie7 office2k7 rhel4 solaris8 solaris9 solaris10 vista win2k win2k3 win2k8 winxp Platform groups with changes ---------------------------- rhel5 - Added 83 new entries, bringing the total to 413, up from 330 in version 5.20100428. New entries begin at row 334 in the spreadsheet. - The CCE team wishes to acknowledge the assistance of contributors from NSA, NIST, Red Hat in this update. - Added references to Revision 4 of the NSA "Guide to the Secure Configuration of Red Hat Enterprise Linux 5". - DEPRECATED CCE-3762-2 in favor of CCE-14113-5, CCE-14672-0, CCE-14712-4, CCE-14122-6. CCE-3762-2 was created at too high a level of abstraction. Description was: The password strength should meet minimum requirements. win7 - Added 148 new entries, bringing the total to 600, up from 452 in version 5.20100428. NOTE: 18 of these new entries are DEPRECATED, resolving inadvertent duplicate CCEs created while processing win7 submissions from multiple parties. - Added references to USGCB Beta release of 2010-08-31 (XCCDF and OVAL). NOTE: Additional references to USGCB version 1.0.x.0 will be added in a future CCE update. New platform groups ------------------- ie8 - Initial release of the CCE list for Internet Explorer 8. There are 1437 entries, including full coverage of all settings included in the Microsoft Security Compliance Manager (SCM) IE8 baselines as well as the new setting pack beta released on 2010-09-24. - The CCE team wishes to acknowledge the assistance of the Microsoft Solution Accelerators Security Team in creating this list. - NOTE: Additional references to USGCB version 1.0.x.0 will be added in a future CCE update. office2010 - Initial release of the CCE list for Microsoft Office 2010. There are 2013 entries, including full coverage of all settings included in the Microsoft Security Compliance Manager (SCM) Office 2010 baselines and setting pack beta. - The CCE team wishes to acknowledge the assistance of the Microsoft Solution Accelerators Security Team in creating this list. weblogicserver11g - Initial release of the CCE list for Oracle WebLogic Server 11g. There are 99 entries, submitted by a MITRE team developing a configuration guide and benchmark for WebLogic Server 11g. win2k8r2 - Initial release of the CCE list for Windows Server 2008 R2. There are 812 entries, including full coverage of all settings included in the Microsoft Security Compliance Manager (SCM) Windows Server 2008 R2 baselines and setting pack beta. - The CCE team wishes to acknowledge the assistance of the Microsoft Solution Accelerators Security Team in creating this list. - NOTE: Windows Server 2008 R2 (win2k8r2) is a new platform group for CCE, distinct from Windows Server 2008 (win2k8). The decision to create a new platform group, rather than expand the number of CCEs related to the Windows Server 2008, was made after discussion with the Microsoft Solution Accelerators Security Team. Technically, Server 2008 R2 bears a similar relationship to Server 2008, as Windows 7 bears to Vista. ================================= Changes in CCE version 5.20100428 ================================= Total CCE Entries: 5703 [Note that there are 5705 elements in the XML. Two CCEs, CCE-4909-8 and CCE-4923-9, appear as DEPRECATED in both the aix5.3 and solaris9 lists. This is due to a historical mistake where, twice, the same ID was assigned to issues for two different platform groups.] Platform groups with no changes ------------------------------- aix5.3 hpux11.23 rhel4 solaris8 solaris9 Platform groups with changes ---------------------------- ie7 rhel5 solaris10 vista win2k winxp win2k8 - Minor changes to normalize parameters, technical mechanisms etc. to facilitate XML generation, plus incidental cleanup: office2k7 - Normalization & cleanup to facilitate XML generation - Restored a number of updates which had inadvertently been dropped in interim (non-release) updates of the list since the 5.20090115 release, due to user error with CCE's reversion control system. These changes should not be visible to anyone who has been working with the 5.20090115 release. However, CCE Working Group members who received the test XML version of the CCE list in June 2009 may notice changes. These include: - Restored the Microsoft Office 2007 Threats and Countermeasures guide references. Also, updated the resource ID (column header) for this resource for clarity. - Restored improved descriptions, technical mechanisms, and certain references for a small number of CCEs. - Restored CCE-4277-0, CCE-4280-4, CCE-4283-8, CCE-5276-1, and CCE-4440-4, which had been dropped. win2k3 - Normalization & cleanup to facilitate XML generation - Added references from the April 26, 2006 version of the Microsoft Windows Server 2003 Security Guide. - Added references to Microsoft TechNet articles and other Microsoft online documentation and resources. - Added specific GPO technical mechanisms to various CCEs. - CCE-3788-7, CCE-3806-7, CCE-3608-7, CCE-3740-8, CCE-3277-1, CCE-3661-6, CCE-3730-9: Description fixed, parameters & tech mechs added. - New CCEs: CCE-9994-5, CCE-10633-6, CCE-9710-5, CCE-10688-0, CCE-10710-2, CCE-10463-8 New platform group ------------------ win7 - First publication of CCE entries for Windows 7. These CCEs were assigned in collaboration with Microsoft. The CCE team would like to express thanks to the developers of the Microsoft Security Compliance Management Toolkit for Windows 7 for their assistance in creating these CCEs. In reviewing the original CCE ID assignments made by Microsoft, and the Windows 7 setting documentation provided to the CCE team, certain additions and modifications were made as follows: - CCE-10814-2, CCE-10303-6: These two new CCEs are for settings (administrative shares, auto reboot) which were present in the data from Microsoft but for some reason had not been assigned CCE IDs. - CCE-9915-0, CCE-10417-4: New CCEs for the sub-options for Registry policy processing. - CCE-10700-3, CCE-9924-2: New CCEs for the scheduled install day and time sub-options for automatic updates. - CCE-9506-7: Recast slightly to clarify that it relates to whether user-initiated solicitations for remote assistance (aka 'Solicited Remote Assistance') are enabled or disabled. - CCE-10519-7, CCE-10753-2, CCE-10312-7, CCE-9929-1: New CCEs for the sub-options for the 'Solicited Remote Assistance' setting. - CCE-10887-8, CCE-10777-1, CCE-10904-1: These three CCEs (plus CCE-9534-9) represent a SPLIT of the original casting of CCE-9534-9 by Microsoft. CCE-9534-9 as originally cast related to the 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' policy. However, this policy is actually just a container for four sub-options (Require message integrity, Require message confidentiality, Require NTLMv2 session security, and Require 128-bit encryption). There is no directly configurable control at the level of abstraction of the "container" policy. These four CCEs (including the recast CCE-9534-9) now each relate to one of the sub-options. The state displayed in the Group Policy editor as a value of "No minimum" for this container policy corresponds to specifying a parameter value of "disabled" for all four of these CCEs. NOTE: This SPLIT will also be applied to the CCE entries for similar controls in other Windows platform groups in a future release of CCE. - CCE-9736-0, CCE-10916-5, CCE-10281-4, CCE-10924-9: As above, except for SSP-based servers rather than clients. CCE-9736-0 was the original CCE in this case. Again, this SPLIT will be applied to appropriate CCE entries for other Windows platform groups in a future release of CCE. - CCE-9764-2: Recast slightly to clarify that this CCE relates to whether the server enforcement of the encryption level in Remote Desktop Services client connections is enabled or disabled. The specific encryption level enforced is a separately configurable control and hence has been assigned its own CCE (see below). - CCE-10779-7: New entry relating to what encryption level is enforced by the server for Remote Desktop Services client connections. - CCE-9960-6: Recast slightly to clarify that it relates to whether unsolicited offers of remote assistance (aka 'Offer Remote Assistance') are automatically rejected or passed to the user for confirmation. - CCE-10690-6, CCE-9931-7: New CCEs for the sub-options of the 'Offer Remote Assistance' setting. - Added references to MS TechNet articles for several CCEs, mostly related to BitLocker settings.