III - Administrative Public
Rules and Groups employed by this XCCDF Profile
-
MFD/Printer Security Policy
Group -
Implementation of an MFD and printer security policy for the protection of classified information.
Department of Defense Manual 5200.01, "Protection of Classified Information" provides policy, assigns responsibilities, and provides procedures for the designation, marking, protection, and dissemi...Rule Low Severity -
MFD Level of Audit and Reviewing
Group -
The level of audit has not been established or the audit logs being collected for the devices and print spoolers are not being reviewed.
If inadequate information is captured in the audit, the identification and prosecution of malicious user will be very difficult. If the audits are not regularly reviewed suspicious activity may go ...Rule Low Severity -
MFD Classified Network
Group -
MFDs with print, copy, scan, or fax capabilities must be prohibited on classified networks without the approval of the DAA.
MFDs with print, copy, scan, or fax capabilities, if compromised, could lead to the compromise of classified data or the compromise of the network. The IAO will ensure MFDs with copy, scan, or fax...Rule High Severity -
MFD Clearing Disk Space Scan to Disk
Group -
A MFD device, with scan to hard disk functionality used, is not configured to clear the hard disk between jobs.
If the MFD is compromised the un-cleared, previously used, space on the hard disk drive can be read which can lead to a compromise of sensitive data. The SA will ensure the device is configured to ...Rule Medium Severity -
MFD Scan Discretionary Access Control
Group -
Scan to a file share is enabled but the file shares do not have the appropriate discretionary access control list in place.
Without appropriate discretionary access controls unauthorized individuals may read the scanned data. This can lead to a compromise of sensitive data. The SA will ensure file shares have the appro...Rule Low Severity -
MFD fax from network auditing
Group -
Auditing of user access and fax logs must be enabled when fax from the network is enabled.
Without auditing the originator and destination of a fax cannot be determined. Prosecuting of an individual who maliciously compromises sensitive data via a fax will be hindered without audits. Th...Rule Low Severity -
MFD scan to SMTP (email)
Group -
MFDs must not allow scan to SMTP (email).
The SMTP engines found on the MFDs reviewed when writing the MFD STIG did not have robust enough security features supporting scan to email. Because of the lack of robust security, scan to email wi...Rule Medium Severity -
MFD Hard Drive Lock
Group -
A MFD device does not have a mechanism to lock and prevent access to the hard drive.
If the hard disk drive of a MFD can be removed from the MFD the data on the drive can be recovered and read. This can lead to a compromise of sensitive data. The IAO will ensure the device has a ...Rule Medium Severity -
MFD/Printer Global Configuration Settings
Group -
The device is not configured to prevent non-printer administrators from altering the global configuration of the device.
If unauthorized users can alter the global configuration of the MFD they can remove all security. This can lead to the compromise of sensitive data or the compromise of the network the MFD is atta...Rule High Severity -
MFD03.002
Group -
The MFD must be configured to prohibit the use of all unnecessary and/or nonsecure functions, physical and logical ports, protocols, and/or services.
In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.