
One more admin process and workflow is to ‘update SCAP tools’ on servers. This step is often overlooked, but keeping the newest version installed on servers can save many headaches.
Check DOD Cyber Exchange
Check the DOD Cyber Exchange website (linked under Documentation/Links below), search for Win in SCAP tools, then download and install.

Navigation steps:
Control Panel > Programs > Programs and Features
In the search bar (top right) enter scap (and hit enter)
SCAP Control panel output showing multiple versions installed. Need to install latest application, then remove the old versions (in this case, all three!)

Install SCAP application
Extract files from ZIP
Copy folder to repository (my path example below)
Save the SCAP zip and extracted files to the folder repository and to the server on which SCAP will be installed.

Run SCAP application
Take the defaults (unless you want the checker icon on desktop). Run SCAP application from PowerShell (as admin) window.
Open PowerShell as admin window
Example:
cd "D:\MonAdmin\STIGS\scc-5.7.2_Windows"; gci; .\SCC_5.7.2_Windows_Setup.exe
Hit enter to begin install

On the SCAP EULA install screen, select the ‘I accept’ radio button and click Next.

Select Destination location (preferably on non-system disk), and click Next
Change path to non-system disk (like d:)

From the ‘Select Components’ window, click Next

Click Next on the Setup Start Menu folder window

On the SCAP select additional tasks install window, click Next

Click Install on ‘Ready to install’ popup screen

With the new SCAP tool Install window, click Finish to complete.

Refresh Control Panel SCAP search
Remove old versions
Click Continue and go through removal prompts

With the Uninstall screen, click Yes to uninstall.

Click OK on uninstall

Check Control Panel for SCAP installs
Verify control panel only has latest version installed. Close out Programs and Features window
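The same check can be run from the admin PowerShell window by reading the registry uninstall keys that Programs and Features is built from. This is an added example, not part of the original post; it assumes the installed product's display name contains "SCAP" (the search term used above) and treats the highest readable version as the one to keep.

```powershell
# Added example, not from the original post.
# Assumption: the product's DisplayName contains "SCAP" (the Control Panel search term).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$entries = @(
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*SCAP*' } |
        ForEach-Object {
            # DisplayVersion may be absent or non-numeric; keep the entry, leave it unparsed.
            $parsed = $null
            $null = [version]::TryParse([string]$_.DisplayVersion, [ref]$parsed)
            [pscustomobject]@{
                DisplayName     = $_.DisplayName
                DisplayVersion  = $_.DisplayVersion
                ParsedVersion   = $parsed
                UninstallString = $_.UninstallString
            }
        }
)

if ($entries.Count -eq 0) {
    Write-Warning 'No installed program with "SCAP" in its name was found.'
    return
}

# The highest parseable version is treated as the one to keep.
$latest = $entries | Where-Object ParsedVersion |
    Sort-Object ParsedVersion -Descending | Select-Object -First 1

$report = foreach ($entry in $entries) {
    if (-not $entry.ParsedVersion) { $status = 'Review (version unreadable)' }
    elseif ($entry.ParsedVersion -lt $latest.ParsedVersion) { $status = 'Remove (older)' }
    else { $status = 'Keep (latest)' }
    [pscustomobject]@{
        Status          = $status
        DisplayName     = $entry.DisplayName
        DisplayVersion  = $entry.DisplayVersion
        UninstallString = $entry.UninstallString
    }
}
$report | Sort-Object Status, DisplayName | Format-Table -AutoSize -Wrap

$pending = @($report | Where-Object { $_.Status -ne 'Keep (latest)' })
if ($pending.Count -gt 0) {
    Write-Warning "$($pending.Count) SCAP entry(ies) still need removal or review."
}
```

The script only reports; removal is still done through the uninstall prompts described above.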

Review SCC (SCAP Compliance Checker) Release Notes

Verify SCAP application functionality
Click on Start > start typing SCAP > Click on SCAP Compliance Checker
From the SCAP checker UAC prompt, click Yes to continue

Click OK to end the install

Run Local Scan
Run local scan to prove functionality.
Select STIG(s) in the middle pane > Click Start Scan

Verify SCAP tool modified files after installation
Recheck Windows Explorer for OpenSSL; look at file properties for version details. Interesting, NONE of these files have versions (openssl, x509 searches show nothing file version wise)

Ask the Security Admin to re-scan!
Documentation/Links
DOD Cyber Exchange https://public.cyber.mil/stigs/scap/
Hello, I have a question: can I update the checklist so it will be able to differentiate between running on a domain controller and member servers? Thank you for your time.
I’m not following your question – if you run the SCAP tools, you will already be logged in as a domain user (or non-domain user). You can still run the checklist, update, install, remove, etc. based on that user’s permissions on the server.
Hope that helps!