Saturday, August 27, 2016

SHB, or Secure Hardened Baseline

On November 20, 2015, the DoD put out a memo affecting all computers and computer-centric systems.  It mandates that all computing equipment that runs Windows must run Windows-10 ... and not just Windows-10, but the Windows-10 Secure Host Baseline, or SHB ... and security is provided by "Level 2" STIGs.

Security Technical Implementation Guides (STIGs):
STIGs are guidelines on how to set up the configuration of software, and they are available for most of the common software and applications we all use daily.  What is not generally known is that STIGs come in two (2) levels ... first, there are the STIGs you and I can get (PA, or Publicly Available), and second, there are the ones that require a CAC card ... they are FOUO, or For Official Use Only.

The Differences between the STIGs:
While I do not know (and could not talk about) the "exact" differences, people I have talked to say, basically, "If you implement the PA STIGs, the 'vast majority' of FOUO STIGs are addressed".

When is SHB required?
The memo I mentioned in the introduction says it best ... repeating it here:

This memo serves as notification that the DoD will direct Combatant Commands, Services, Agencies and Field Activities (CC/S/As) to rapidly deploy the Windows 10 operating system throughout their respective organizations starting in January 2016. This applies to all DoD information systems currently using Microsoft operating systems. The Department's objective is to complete the deployment by January 2017. The CC/S/A's are encouraged to begin planning for this upgrade to include developing cost estimates.

The Defense Information Systems Agency (DISA) and National Security Agency (NSA) are co-leading a joint Secure Host Baseline (SHB) working group to prepare a Windows 10 Standard Desktop framework. The WIN 10 SHB will bring consistency to DoD host security configuration management activities and will be available to CC/S/A's on DISA's Information Assurance Support Environment Portal site at, in January.

A Secretary of Defense Execution Order will be forthcoming with details on the release of the Windows 10 SHB. Once the order is published, it will be CC/S/A's responsibility to implement and promulgate the image across their respective organizations by January 2017.  CC/S/A Chief Information Officers will have limited waiver authority over their respective implementation plans on a case-by-case basis for up to 12 months. Any waivers over 12 months must be approved by the Department of Defense Chief Information Officer (DoD CIO).

What I have been told is that waivers will be almost impossible to get, and that anything that has Windows on it, WHETHER OR NOT IT IS CONNECTED ON A NETWORK, must have Windows-10 and the SHB.  

Another interesting part is the STIG validation. As you research this, you'll find XML files to help you validate.  But what I found interesting is this ... suppose you are implementing the STIGs and you get to the STIG that says something like "Support Floppies" and the STIG says "set to NO".  When you validate your software, if you have not changed it from YES to NO, the fact that it is set to YES is a "finding" ... a point against you.  Now the interesting part ... if you don't even find the setting in the registry, that is a "finding" as well, and a point against you.  Therefore, in this case, you MUST CREATE THE FIELD IN THE REGISTRY AND SET IT TO NO ... because not having it in there is like a YES ... and it is a finding.
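To make that scoring rule concrete, here is an added check-and-remediate example (my own illustration, not code from the memo or from DISA's validation tooling) that treats a missing registry value exactly like a wrong one and, on a finding, creates the key and value. The key path, value name and expected data are placeholders, not a real STIG setting; substitute the ones from the STIG check you are working.

```powershell
# Added example (not from the original post): STIG-style registry check where
# an absent value is scored as a finding, just like a value with the wrong data.
# PLACEHOLDER path/name/data below are hypothetical; use the STIG's actual values.

function Test-StigRegistryValue {
    param(
        [Parameter(Mandatory)][string]$Path,   # e.g. 'HKLM:\SOFTWARE\Policies\PLACEHOLDER'
        [Parameter(Mandatory)][string]$Name,   # value name from the STIG check text
        [Parameter(Mandatory)]$Expected        # required data, e.g. 0 for "NO"
    )
    if (-not (Test-Path -Path $Path)) {
        return [pscustomobject]@{ Path=$Path; Name=$Name; Status='Finding'; Reason='key does not exist' }
    }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value not present at all: scored as a finding, same as a wrong value.
        return [pscustomobject]@{ Path=$Path; Name=$Name; Status='Finding'; Reason='value does not exist' }
    }
    $actual = $item.$Name
    if ($actual -ne $Expected) {
        return [pscustomobject]@{ Path=$Path; Name=$Name; Status='Finding'; Reason="value is '$actual', expected '$Expected'" }
    }
    return [pscustomobject]@{ Path=$Path; Name=$Name; Status='Not a finding'; Reason='compliant' }
}

function Set-StigRegistryValue {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)]$Expected,
        [string]$Type = 'DWord'                # most STIG registry values are REG_DWORD
    )
    # Create the key path if it is absent, then create or overwrite the value.
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Expected -PropertyType $Type -Force | Out-Null
}

# Usage with the placeholder setting: check, remediate only on a finding, re-check.
$setting = @{ Path='HKLM:\SOFTWARE\Policies\PLACEHOLDER'; Name='PlaceholderSetting'; Expected=0 }
$result = Test-StigRegistryValue @setting
$result
if ($result.Status -eq 'Finding') {
    Set-StigRegistryValue @setting
    Test-StigRegistryValue @setting
}
```

Writing under HKLM requires an elevated session, and on a domain-joined host a Group Policy object that owns the same value will overwrite whatever you set locally, so the policy side must match as well.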

Hope this helps someone.

