
CCE List (draft)

This draft of the Common Configuration Enumeration (CCE) focuses on security-related configuration issues for Windows 2000, Windows XP, and Windows Server 2003. It is a proof-of-concept and will be modified based upon community input in future versions of the list.

Comments or concerns: cce@mitre.org.

Download CCE v3.0 - no longer available

MS Excel file (428KB)
January 02, 2007

Key

Entries in the CCE List contain the following five attributes:

CCE Identifier Number - Like CVE, CCE assigns identifier tags to each commonly recognized configuration issue. These identifiers are intended to be unique tags or keys, not descriptive names. By way of a loose analogy, CCE IDs are like scientific names for animals, providing a precise identifier for a species that is agreed upon by the technical community but which may have little or no meaning in common language usage.

Description - CCE entries contain a humanly understandable description of the configuration issue. This description is intended to describe the generic issue. In particular, it is not intended to make an assertion as to what particular configuration should or should not be made. For example, a valid CCE description might be "The minimum password length should be set appropriately". CCE makes no assertion whether the minimum password length should be 8, 10, or 14. It only describes the generic and non-qualified issue of minimum password length.

Logical Parameters - CCE entries contain a list of logical parameters that would need to be specified in order to implement a CCE on a system. For example, for the CCE associated with "The start up permissions on telnet should be set appropriately" (for Windows) the logical parameters would be Automatic, Manual, and Disabled. CCE entries distinguish between such humanly understandable logical parameters and machine understandable parameters such as the specific registry key values that might be associated with the logical notions of "Automatic", "Manual", and "Disabled".

Associated Technical Mechanisms - For any given configuration issue there may be more than one way to implement the desired result. For example, in Windows the issue of "The Autoplay feature should be set correctly for all drives" can be addressed either with a direct registry key edit or by way of a Group Policy Object if the system participates in an Active Directory domain. And in most forms of Unix and Linux, the issue of "The start up permissions for FTP should be set correctly" can be addressed in multiple ways.

One way to understand the distinction between the Description and its corresponding set of Technical Mechanisms is that the former describes a goal and the latter describes a set of ways to achieve that goal. It should be noted that this distinction has been and continues to be a topic of lively discussion among the CCE participants and may change significantly as CCE matures.

References - Each CCE entry has a set of references into published configuration guidance documents such as the NSA Security Guides, the Center for Internet Security Benchmarks, and DISA STIGs. These references point to the specific sections of the documents or tools in which the configuration issue is described in more detail. These references serve three purposes: first, they provide a logical linkage to more detailed information; second, the references validate the need for a CCE ID for any given configuration issue; and third, the references validate that the CCE ID is described at a level of abstraction that is used and accepted within the community.
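To make the five attributes and the logical-versus-machine distinction concrete, here is an added example (not MITRE's CCE data or tooling) that models the telnet start-up entry described above and uses it to turn an observed registry value into a compliance finding. The CCE ID is a placeholder, the GPO path string is assumed, and the registry numbers are the standard Windows service Start codes (2 = Automatic, 3 = Manual, 4 = Disabled).

```python
from dataclasses import dataclass

# Added example, not MITRE's data or tooling: a minimal model of the five CCE
# attributes, instantiated for the telnet start-up entry. The CCE ID is a
# placeholder; the registry numbers are the Windows service Start codes.

@dataclass
class CCEEntry:
    cce_id: str                 # unique tag, not a descriptive name
    description: str            # generic, non-qualified statement of the issue
    logical_parameters: tuple   # humanly understandable choices
    technical_mechanisms: dict  # mechanism -> {logical value: machine value}
    references: tuple           # pointers into published guidance

TELNET_START_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr\Start"
TELNET_START_GPO = "GPO: Computer Configuration/Windows Settings/Security Settings/System Services/Telnet"  # assumed path

TELNET_STARTUP = CCEEntry(
    cce_id="CCE-PLACEHOLDER-0001",  # hypothetical; real IDs come from the CCE list
    description="The start up permissions on telnet should be set appropriately",
    logical_parameters=("Automatic", "Manual", "Disabled"),
    technical_mechanisms={
        # Direct registry edit: Start DWORD under the TlntSvr service key
        TELNET_START_KEY: {"Automatic": 2, "Manual": 3, "Disabled": 4},
        # Group Policy: the same logical choices expressed as GPO startup-type settings
        TELNET_START_GPO: {"Automatic": "Automatic", "Manual": "Manual", "Disabled": "Disabled"},
    },
    references=("NSA Security Guides", "CIS Benchmark", "DISA STIG"),  # section pointers omitted
)

def machine_value(entry, mechanism, logical):
    """Translate a logical parameter into the machine value used by one mechanism."""
    if logical not in entry.logical_parameters:
        raise ValueError(f"{logical!r} is not a logical parameter of {entry.cce_id}")
    return entry.technical_mechanisms[mechanism][logical]

def logical_value(entry, mechanism, observed):
    """Map an observed machine value back to its logical parameter (None if unrecognised)."""
    for logical, machine in entry.technical_mechanisms[mechanism].items():
        if machine == observed:
            return logical
    return None

def check(entry, mechanism, observed, required):
    """Compliance finding: does the observed machine value express the required logical choice?"""
    found = logical_value(entry, mechanism, observed)
    return {"cce_id": entry.cce_id, "observed": found, "required": required,
            "compliant": found == required}
```

Calling `check(TELNET_STARTUP, TELNET_START_KEY, 3, "Disabled")` on a constructed host reading (Start = 3) reports the observed logical value "Manual" and a non-compliant finding, while the same entry can be assessed through the GPO mechanism without changing the description or the logical parameters.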


Page Last Updated: January 24, 2007


Department of Homeland Security