STIG V-253255 - TPM - Windows 11

KD Sec-n-Tech Secure Your Computer

Introduction:

Hello and Welcome!

We're thrilled to have you join us on this journey towards greater cybersecurity awareness and implementation. Our bi-weekly newsletter is designed to keep you up-to-date with the latest in Security Technical Implementation Guides (STIGs) and general security best practices.

Whether you're a seasoned professional in the cybersecurity field or someone who's simply interested in improving your security posture, our goal is to make this information accessible and valuable to you.

In each issue, we'll delve into specific STIGs, discuss why they're important, and explain how vulnerabilities could be exploited if left unaddressed. We'll also provide detailed implementation guidance, and even PowerShell scripts for those comfortable with a bit of scripting.

Remember, security is not a one-time task, but an ongoing endeavor. We're here to support you every step of the way. We encourage you to reach out with any questions, comments, or suggestions you may have – your feedback is what makes our community stronger.

So, sit back, grab your favorite beverage, and let's dive into this issue's STIGs!

Summary:

Security Technical Implementation Guide (STIG) V-253255 stipulates that Windows 11 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use.

Importance:

The TPM is essential for leveraging Credential Guard, a feature in Windows that uses virtualization-based security to protect information potentially used in credential theft attacks. TPM provides a hardware-based security layer, making the system more robust against software attacks. If TPM is not enabled, the Credential Guard keys are stored using a less secure software-based method, making them more susceptible to theft or compromise.

Exploitation:

If the TPM is not enabled, the keys that protect Credential Guard's isolated secrets are held in software rather than in hardware. An attacker who gains sufficient access to the system could then recover those keys and the cached credential material they protect, leading to unauthorized access to other systems or data and potentially to significant damage or data loss.

Checking for Compliance:

You can verify the TPM's status by running "tpm.msc" from the Windows Run dialog. The Status pane should indicate that the TPM is ready for use, with a message such as "The TPM is ready for use" or "The TPM is on and ownership has been taken". The TPM Manufacturer Information pane should also show a Specification Version of 2.0.
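The same check can be scripted so the result is recorded rather than read off a dialog. The following is an added example, not code from the newsletter: it reproduces the tpm.msc status pane with the built-in Get-Tpm cmdlet, reads the specification version from the Win32_Tpm WMI class, scopes the check to the STIG's applicability (domain-joined systems only, which the newsletter's own script does not do), and, as a supplementary check, reports whether Credential Guard is actually running via the Win32_DeviceGuard class. The function names Test-StigV253255 and Test-CredentialGuardRunning are assumptions chosen for this example; the cmdlets, classes and properties used are standard Windows ones. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the newsletter): reproduce the tpm.msc check in PowerShell
# and scope it to the STIG's applicability (domain-joined Windows 11 systems).
# Requires an elevated session; Get-Tpm comes from the built-in TrustedPlatformModule module.

function Test-StigV253255 {
    [CmdletBinding()]
    param()

    # Applicability: the STIG covers domain-joined systems only.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        return [pscustomobject]@{ VulnId = 'V-253255'; Status = 'Not_Applicable'; Reason = 'System is not domain-joined.' }
    }

    # Get-Tpm mirrors the tpm.msc status pane: present, ready, enabled, activated, owned.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    if (-not $tpm -or -not $tpm.TpmPresent) {
        return [pscustomobject]@{ VulnId = 'V-253255'; Status = 'Open'; Reason = 'No TPM detected.' }
    }

    # SpecVersion is a comma-separated string such as "2.0, 0, 1.59"; the first field is the spec level.
    $win32Tpm = Get-CimInstance -Namespace 'Root\CIMv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $specVersion = if ($win32Tpm) { ($win32Tpm.SpecVersion -split ',')[0].Trim() } else { 'unknown' }

    # "Ready for use" in tpm.msc corresponds to the TPM being ready, enabled and activated.
    $ready  = $tpm.TpmReady -and $tpm.TpmEnabled -and $tpm.TpmActivated
    $status = if ($ready -and $specVersion -eq '2.0') { 'NotAFinding' } else { 'Open' }

    [pscustomobject]@{
        VulnId       = 'V-253255'
        Status       = $status
        TpmPresent   = $tpm.TpmPresent
        TpmReady     = $tpm.TpmReady
        TpmEnabled   = $tpm.TpmEnabled
        TpmActivated = $tpm.TpmActivated
        TpmOwned     = $tpm.TpmOwned
        SpecVersion  = $specVersion
        Reason       = if ($status -eq 'Open') { 'TPM is not version 2.0 or is not ready for use.' } else { 'TPM 2.0 is enabled and ready for use.' }
    }
}

# Supplementary check: whether Credential Guard, the feature the STIG protects, is running.
# Win32_DeviceGuard.SecurityServicesRunning contains 1 when Credential Guard is running.
function Test-CredentialGuardRunning {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    return [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))
}

Test-StigV253255 | Format-List
"Credential Guard running: $(Test-CredentialGuardRunning)"
```

A TPM that is present but not ready (for example, enabled in firmware but never provisioned by Windows) shows up here with TpmPresent true and TpmReady false, which is the same condition the Remediation section below addresses; on a workgroup machine the function returns Not_Applicable instead of a finding, matching the STIG's scope.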

Remediation:

To remediate a finding where no TPM is found or the TPM is not ready for use, ensure that the TPM (version 2.0 supports Credential Guard) is enabled in the system firmware. Once it is enabled, the TPM's configuration options in Windows are available by running "tpm.msc".

PowerShell Script:

# Set the vulnerability number
$vulnNumber = "V-253255"

# Set the working directory (replace this with the directory where the status file should be stored)
$WorkingDirectory = "C:\Add\The\Directory\Here"

# Set the file path
$filePath = "$($WorkingDirectory)\$vulnNumber.txt"

# Create or clear the status file
if (-not (Test-Path $filePath)) {
    New-Item -Path $filePath -ItemType File -Force -Confirm:$false | Out-Null
} else {
    Clear-Content -Path $filePath
}

# Define the vulnerability details (the finding stays Open unless the check below passes)
$status = "Open"
$findingDetails = "Domain-joined systems do not have a Trusted Platform Module (TPM) enabled."
$comments = "Ensure domain-joined systems have a TPM that is configured for use. (Versions 2.0 support Credential Guard.) The TPM must be enabled in the firmware. Run ""tpm.msc"" for configuration options in Windows."

# Query the TPM class once; it returns nothing when no TPM is present, so guard against $null
$tpm = Get-CimInstance -Namespace "Root\CIMv2\Security\MicrosoftTpm" -ClassName Win32_Tpm -ErrorAction SilentlyContinue

# SpecVersion is a comma-separated string such as "2.0, 0, 1.59"; the first field is the
# TPM specification level, so compare that field rather than the whole string
$tpmSpecVersion = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { $null }
$tpmEnabled     = if ($tpm) { [bool]$tpm.IsEnabled_InitialValue } else { $false }

if ($tpmSpecVersion -eq "2.0" -and $tpmEnabled) {
    $status = "NotAFinding"
    $findingDetails = "Domain-joined systems have a Trusted Platform Module (TPM) enabled."
}

# Write the variables to the status file
$status         | Set-Content -Path $filePath
$findingDetails | Add-Content -Path $filePath
$comments       | Add-Content -Path $filePath

# Write the variables to the screen
Write-Host "The status is as follows: $status"
Write-Host "The finding details are as follows: $findingDetails"
Write-Host "The comments are as follows: $comments"

PowerShell Script Explanation:

The provided PowerShell script automates the process of checking the status of TPM and documenting the results. Here's a step-by-step breakdown of what the script does:

  1. It sets the vulnerability number and the working directory.

  2. It defines the file path for a text file, where it will store the status of the TPM check. The script creates this file if it doesn't already exist or clears the existing file's contents.

  3. The script defines initial values for the status of the vulnerability, details of the finding, and comments to provide remediation guidance.

  4. The script then checks whether a TPM is enabled and ready for use by querying the Win32_Tpm class through Windows Management Instrumentation (WMI) for the TPM's specification version and its enabled flag.

  5. If the TPM specification version is 2.0 and the TPM is enabled, the script updates the status and finding details to reflect that there is no finding.

  6. The script then writes the status, finding details, and comments to the text file and outputs them to the console.

  7. To run this script, you need to replace "C:\Add\The\Directory\Here" with the actual directory where you want to store the status file.

This script allows you to automate the process of checking TPM status and documenting the results, making compliance with this STIG more manageable.

Remember, you need to run this script with an account that has administrative privileges, because the WMI TPM namespace it queries requires those permissions. Also, make sure that your system's Execution Policy setting allows the script to run; if not, you may need to change it using the Set-ExecutionPolicy cmdlet in PowerShell.

Overall, this STIG is crucial in enhancing the security of domain-joined Windows 11 systems by leveraging TPM's hardware-based protections.

Note from the Author:

This is the first of many implementation guides for Defense Information Systems Agency (DISA) public Security Technical Implementation Guides (STIGs). My goal is to help everyone secure their systems if they want to put in a little effort. Eventually, I will provide software that automates the process. Thanks for subscribing. I will send the next email on Monday.

Links:

Kingdom Dominion Security & Technology: https://www.kdsecntech.com/
