Misconfigurations

Windows misconfigurations

Task Manager

Category: OS security

OS: Windows

Description

Verifies the local group policy settings for User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options\Remove Task Manager.

When Remove Task Manager is enabled, the endpoint is more exposed to security threats. Task Manager can list and terminate running processes, so some malware disables it to prevent itself from being closed; a Task Manager that is removed by policy also takes that visibility away from the user.

Recommendation

Keep the Task Manager enabled on all endpoints.

Smart Card Service

Category: OS security

OS: Windows

Description

Verifies the settings for Smart Card local service.

The Smart Card service manages read access to smart cards and supports public key operations through a process running in the background (scardsvr.exe). Although the service itself is considered safe, some malware disguises itself under the scardsvr.exe name, so a process with that name should be checked against the genuine, signed image in the Windows system directory.

Recommendation

Disable this service if it is not used explicitly on endpoints.

Telnet Server Service

Category: Network and credentials

OS: Windows

Description

Verifies if the Telnet Server service is installed and enabled on endpoint.

Telnet is one of the earliest TCP/IP protocols for accessing remote endpoints through terminal sessions. Telnet provides no built-in security measures: it neither encrypts traffic nor authenticates the remote end, so credentials and session data cross the network in cleartext and using it exposes endpoints to credential theft and session hijacking.

Recommendation

Disable Telnet Server service on all endpoints and use SSH instead.

Auto Logon

Category: Network and credentials

OS: Windows

Description

Verifies if Windows requires account sign-in.

When automatic logon is enabled (account sign-in is not required), Windows stores the account password in the registry under the Winlogon key, which makes it possible to bypass the password screen at logon and exposes the stored password to any local user who can read that key.

Recommendation

Require account sign-in always.

Secure Logon

Category: OS security

OS: Windows

Description

Verifies the local security policy option Interactive logon: Do not require CTRL+ALT+DEL.

This option defines whether users must press CTRL+ALT+DEL before signing in to Windows. CTRL+ALT+DEL is the secure attention sequence: only the operating system can intercept it, so a fake logon dialog displayed by malware cannot capture the username and password typed after it.

  • If this option is set to Enabled (CTRL+ALT+DEL not required), the system is more vulnerable to credential-stealing malware.

Recommendation

Set this policy to Disabled.

UAC Off

Category: OS security

OS: Windows

Description

Verifies the local security policy option User Account Control: Run all administrators in Admin Approval Mode.

This setting controls the behavior of all UAC policy settings for the endpoint.

UAC (User Account Control) is a security feature that helps prevent unauthorized changes to the OS by potentially harmful programs. UAC requires administrator authorization for actions such as installing a program or modifying system settings.

  • When this policy is Disabled, Admin Approval Mode and all related UAC policy settings are turned off (the Never notify state), and the system is more vulnerable to malware.

Recommendation

Set this policy to Enabled.

UAC Insecure

Category: OS security

OS: Windows

Description

Verifies the configuration for User Account Control policy and registry settings, to check if these comply with the default recommended settings.

The policy settings are located in Security Settings\Local Policies\Security Options, in the Local Security Policy app.

Recommendation

Configure the UAC settings to at least the default level.

Automatic Updates

Category: OS security

OS: Windows

Description

Verifies the local group policy Configure Automatic Updates, located in Computer Configuration\Administrative Templates\Windows Components\Windows Update.

This policy specifies whether the endpoint will receive security updates and other important downloads through the Windows automatic updating service. When disabled, the endpoint is more vulnerable to security threats.

Recommendation

Set this policy to Enabled.

LAN Manager Hash

Category: OS security

OS: Windows

Description

Verifies the local security policy option Network security: Do not store LAN Manager hash value on next password change.

When a user sets a password of fewer than 15 characters, Windows can generate a LAN Manager hash (LM hash) of that password alongside the NT hash. The LM hash is weak by design: the password is converted to uppercase, padded or truncated to 14 characters and split into two 7-character halves that are hashed independently, so each half can be cracked on its own.

  • If the Windows security option is set to store the hash in the local Security Accounts Manager (SAM) database, the passwords can be recovered from it and the endpoint is exposed to brute force attack.

Recommendation

Set this policy to Enabled. The LM hash already stored is only removed at the next password change, so after applying the fix all affected users must change their domain password.

Making the new password at least 15 characters long additionally guarantees that, even where the policy is not in effect, Windows stores only a placeholder LM hash value that cannot be used to authenticate the user.
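
The following PowerShell script is an added example, not code from the original page or its vendor: it computes an LM hash the way Windows does, so the weaknesses described above (case folding, two independent 7-byte halves, the empty-half constant) can be seen directly. Everything in it is standard LM behaviour; the only assumption is an ASCII password (Windows uses the OEM code page), and the function and variable names are this example's own.

```powershell
# Added example: reproduce the LM hash construction to show why it must not be stored.
$LmMagic       = [System.Text.Encoding]::ASCII.GetBytes('KGS!@#$%')     # fixed DES plaintext
$EmptyHalfHash = [byte[]](0xAA,0xD3,0xB4,0x35,0xB5,0x14,0x04,0xEE)      # LM of an all-NUL half
$DummyLmHash   = 'AAD3B435B51404EEAAD3B435B51404EE'                      # stored when no LM hash exists

function ConvertTo-DesKey {
    # Spread 7 key bytes (56 bits) over 8 bytes, 7 bits each; DES ignores the low (parity) bit.
    param([byte[]]$K)
    $d = New-Object byte[] 8
    $d[0] =   $K[0] -band 0xFE
    $d[1] = (($K[0] -shl 7) -bor ($K[1] -shr 1)) -band 0xFE
    $d[2] = (($K[1] -shl 6) -bor ($K[2] -shr 2)) -band 0xFE
    $d[3] = (($K[2] -shl 5) -bor ($K[3] -shr 3)) -band 0xFE
    $d[4] = (($K[3] -shl 4) -bor ($K[4] -shr 4)) -band 0xFE
    $d[5] = (($K[4] -shl 3) -bor ($K[5] -shr 5)) -band 0xFE
    $d[6] = (($K[5] -shl 2) -bor ($K[6] -shr 6)) -band 0xFE
    $d[7] =  ($K[6] -shl 1) -band 0xFE
    return ,$d
}

function Get-LmHalf {
    # DES-ECB encrypt the magic constant under one 7-byte half of the password.
    param([byte[]]$Half)
    if (@($Half | Where-Object { $_ -ne 0 }).Count -eq 0) {
        # .NET refuses the all-zero DES key as a "known weak key"; the result is this well-known constant.
        return ,$EmptyHalfHash
    }
    $des = [System.Security.Cryptography.DES]::Create()
    $des.Mode    = [System.Security.Cryptography.CipherMode]::ECB
    $des.Padding = [System.Security.Cryptography.PaddingMode]::None
    $enc = $des.CreateEncryptor((ConvertTo-DesKey $Half), (New-Object byte[] 8))
    return ,$enc.TransformFinalBlock($LmMagic, 0, 8)
}

function Get-LmHash {
    param([string]$Password)
    # Windows creates no LM hash for passwords longer than 14 characters; it stores a placeholder instead.
    if ($Password.Length -gt 14) { return $DummyLmHash }
    # Upper-case, NUL-pad to 14 bytes, split into two halves that are hashed independently.
    $bytes  = [System.Text.Encoding]::ASCII.GetBytes($Password.ToUpperInvariant())
    $padded = New-Object byte[] 14
    [Array]::Copy($bytes, $padded, $bytes.Length)
    $h1 = Get-LmHalf $padded[0..6]
    $h2 = Get-LmHalf $padded[7..13]
    return (($h1 + $h2) | ForEach-Object { $_.ToString('X2') }) -join ''
}

# The weaknesses in action: case is lost, and each half is attacked on its own.
'Secret1', 'SECRET1' | ForEach-Object { '{0,-16} {1}' -f $_, (Get-LmHash $_) }   # identical hashes
(Get-LmHash 'Secret1').Substring(16)     # AAD3B435B51404EE: a 7-character password has an empty second half
Get-LmHash 'CorrectHorseBatteryStaple'   # 15+ characters: only the unusable placeholder value
```

The second half of any password of 7 characters or fewer is the constant AAD3B435B51404EE, which is why LM hashes of short passwords are effectively 7-character, uppercase-only hashes; a password of 8 to 14 characters simply yields two such problems side by side.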

Blank Password

Category: Network and credentials

OS: Windows

Description

Verifies the local security policy option Accounts: Limit local account use of blank passwords to console logon only.

This setting verifies if local accounts without password protection can be used to log on from other locations than the physical computer console.

  • When this option is Disabled, local accounts with blank passwords can be used for network logons, not just at the physical console, which exposes endpoints to a high security risk.

Recommendation

Set this policy to Enabled.

Anonymous User Permissions

Category: Network and credentials

OS: Windows

Description

Verifies the local security policy option Network access: Do not allow anonymous enumeration of SAM accounts.

This option determines whether anonymous connections are permitted to enumerate the names of the accounts in the local SAM database.

Endpoints with this option disabled let attackers obtain a list of local usernames without any credentials, which is the starting point for password guessing and other attacks against those accounts.

Recommendation

The recommended setting for this policy is Enabled: Do not allow enumeration of SAM accounts.

This option replaces Everyone with Authenticated Users in the security permissions for resources.

Kernel-Mode Printer Drivers

Category: OS security

OS: Windows

Description

Verifies the local group policy Disallow installation of printers using kernel-mode drivers, located in Computer Configuration\Administrative Templates\Printers.

This setting determines whether printers using kernel-mode drivers may be installed on the local endpoint. Kernel-mode drivers have access to system-wide memory, and therefore poorly written kernel-mode drivers can cause stop errors.

  • When this option is Disabled, the printer drivers will run in the kernel space of the operating system, exposing the endpoint to security risks.

Recommendation

Set this policy to Enabled.

Windows Backup Service

Category: OS security

OS: Windows

Description

Verifies the settings for Windows Backup and Restore service (SDRSVC).

  • When this service is stopped, the system does not have access to native Microsoft backup and restore tools.

Recommendation

Enable this service on all endpoints.

Telephony Service

Category: OS security

OS: Windows

Description

Verifies if the Telephony Service is active.

Recommendation

Set this service to Disabled.
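
The following PowerShell script is an added example, not code from the original page or its vendor. It checks the start type and state of the four services discussed above (Smart Card, Telnet Server, Windows Backup, Telephony) against the recommendations, and then verifies that the code behind the Smart Card service on disk is the signed Microsoft image, which is the practical check for the "malware disguised as scardsvr.exe" case. It assumes an elevated session on Windows 10 / Server 2016 or later; the baseline table, function names and result columns are this example's own.

```powershell
# Added example: service baseline plus a signature check on the Smart Card service binary.

# 'Disabled' = must be disabled and stopped; 'Available' = must not be disabled.
$Baseline = @{
    SCardSvr = 'Disabled'    # Smart Card (disable unless smart cards are used)
    TlntSvr  = 'Disabled'    # Telnet Server (optional feature; not installed is fine)
    TapiSrv  = 'Disabled'    # Telephony
    SDRSVC   = 'Available'   # Windows Backup
}

function Test-ServiceBaseline {
    param([hashtable]$Baseline)
    foreach ($name in $Baseline.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            [pscustomobject]@{ Service = $name; StartType = '(not installed)'; Status = '-'; Result = 'Pass' }
            continue
        }
        $ok = if ($Baseline[$name] -eq 'Disabled') { $svc.StartType -eq 'Disabled' -and $svc.Status -ne 'Running' }
              else { $svc.StartType -ne 'Disabled' }
        $result = if ($ok) { 'Pass' } else { 'Fail' }
        [pscustomobject]@{ Service = $name; StartType = $svc.StartType; Status = $svc.Status; Result = $result }
    }
}

function Test-ServiceBinary {
    # Report the service image (and the ServiceDll for svchost-hosted services) with its Authenticode status.
    param([string]$Name)
    $svc = Get-CimInstance Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { return }
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
    $dll = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$Name\Parameters" `
                -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    foreach ($f in @($exe, $dll) | Where-Object { $_ }) {
        $path = [Environment]::ExpandEnvironmentVariables($f)
        $sig  = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Service    = $Name
            File       = $path
            InSystem32 = $path -like "$env:SystemRoot\System32\*"
            Signature  = $sig.Status                      # Valid expected (Windows binaries are catalog-signed)
            Signer     = $sig.SignerCertificate.Subject
        }
    }
}

Test-ServiceBaseline $Baseline | Format-Table -AutoSize
Test-ServiceBinary SCardSvr     | Format-Table -AutoSize

# Anything using the service's name but running from outside System32 is the impersonation case.
Get-Process -Name scardsvr -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -notlike "$env:SystemRoot\System32\*" } |
    Select-Object Id, Path
```

A service that is disabled but still Running has only been reconfigured, not stopped; the baseline check treats that as a failure so that the state change is not forgotten.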

Lock Screen App Notifications

Category: OS security

OS: Windows

Description

Verifies the local group policy Turn off app notifications on the lock screen, located in Computer Configuration\Administrative Templates\System\Logon.

This policy setting allows preventing app notifications from appearing on the lock screen.

  • If you enable this policy setting, no app notifications are displayed on the lock screen.

  • If you disable or do not configure this policy setting, users can choose which apps display notifications on the lock screen.

Recommendation

Set this policy to Enabled.

Microphone Service

Category: OS security

OS: Windows

Description

Verifies if any microphone is enabled.

Recommendation

Disable microphones on endpoints.

Store Domain Credentials

Category: OS security

OS: Windows

Description

Checks if the passwords and credentials used for network authentication are stored on the local computer.

Recommendation

Do not allow storage of passwords and credentials used for network authentication on the local computer.

Digitally Encrypt / Sign Data

Category: Network and credentials

OS: Windows

Description

Verifies the local security policy option Domain member: Digitally encrypt or sign secure channel data (always).

This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted.

  • When this policy is disabled, then encryption and signing of all secure channel traffic will depend on the version of Domain Controller and on the settings of the other policies for encryption and signing secure channel data.

Recommendation

Set this policy to Enabled.

Digitally Encrypt Data

Category: Network and credentials

OS: Windows

Description

Verifies the local security policy option Domain member: Digitally encrypt secure channel data (when possible).

This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates.

Disabling this setting may unnecessarily reduce secure channel throughput, because concurrent API calls that use the secure channel are only possible when the secure channel is signed or encrypted.

Recommendation

Set this policy to Enabled.

Digitally Sign Data

Category: Network and credentials

OS: Windows

Description

Verifies the local security policy option Domain member: Digitally sign secure channel data (when possible).

This security setting determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates.

  • If enabled, the domain member will request signing of all secure channel traffic.

  • If the Domain Controller supports signing of all secure channel traffic, then all secure channel traffic will be signed which ensures that it cannot be tampered with in transit.

Recommendation

Set this policy to Enabled.

Change Account Password

Category: Network and credentials

OS: Windows

Description

Verifies the local security policy option Domain member: Disable machine account password changes.

Determines whether a domain member periodically changes its computer account password.

  • If this setting is enabled, the domain member does not attempt to change its computer account password, which exposes the endpoint to security risks.

Recommendation

Set this policy to Disabled.

Strong Session Key

Category: Network and credentials

OS: Windows

Description

Verifies the local security policy option Domain member: Require strong (Windows 2000 or later) session key.

This security setting determines whether 128-bit key strength is required for encrypted secure channel data.

  • If this setting is enabled, then the secure channel will not be established unless 128-bit encryption can be performed.

  • If this setting is disabled, then the key strength is negotiated with the domain controller.

Recommendation

Set this policy to Enabled.

Insecure Guest Logon

Category: Network and credentials

OS: Windows

Description

Verifies the local group policy Enable insecure guest logons, located in Computer Configuration\Administrative Templates\Network\Lanman Workstation.

This policy determines if the SMB client will allow insecure guest logons to an SMB server.

  • If you enable / do not configure this policy, the SMB client will allow insecure guest logons.

    Insecure guest logons are used by file servers to allow unauthenticated access to shared folders.

    Since insecure guest logons are unauthenticated, important security features such as SMB Signing and SMB Encryption are disabled.

    As a result, clients that allow insecure guest logons are vulnerable to a variety of man-in-the-middle attacks that can result in data loss, data corruption and exposure to malware.

Additionally, any data written to a file server using an insecure guest logon is potentially accessible to anyone on the network.

Recommendation

Disable insecure guest logons and configure file servers to require authenticated access.

Lock Screen Camera

Category: OS Security

OS: Windows

Description

Verifies the local group policy Prevent enabling lock screen camera, located in Computer Configuration\Administrative Templates\Control Panel\Personalization.

This policy disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen.

Recommendation

Set this policy to Enabled.

Lock Screen Slide Show

Category: OS Security

OS: Windows

Description

Verifies the local group policy Prevent enabling lock screen slide show, located in Computer Configuration\Administrative Templates\Control Panel\Personalization.

This policy disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen.

Recommendation

Set this policy to Enabled.

Client Digitally Sign Communications

Category: Network and credentials

OS: Windows

Description

Verifies the local security policy option Microsoft network client: Digitally sign communications (always).

This security setting determines whether packet signing is required by the Server Message Block (SMB) client component.

  • If this policy is enabled, the SMB client will not communicate with an SMB server unless that server agrees to sign SMB packets, which prevents man-in-the-middle attacks that modify SMB packets in transit.

  • If this policy is disabled, SMB packet signing is negotiated between the client and the server, and the client will still talk to servers that do not support signing.

Recommendation

Set this policy to Enabled.

Unencrypted passwords

Category: Network and credentials

OS: Windows

Description

Verifies the local security policy option Microsoft network client: Send unencrypted password to third-party SMB servers.

  • If this security setting is enabled, the Server Message Block (SMB) redirector is allowed to send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication.

    Sending unencrypted passwords is a security risk.

Recommendation

Set this policy to Disabled.

Server Digitally Sign Communications

Category: Network and credentials

OS: Windows

Description

Verifies the local security policy option Microsoft network server: Digitally sign communications (always).

This security setting determines whether packet signing is required by the Server Message Block (SMB) server component.

The SMB protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration.

To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets.

  • If this policy is disabled, SMB packet signing is negotiated between the Microsoft network client and server.

Note

All Windows operating systems include both a client-side SMB component and a server-side SMB component.

To take advantage of SMB packet signing, both the client-side SMB component and server-side SMB component that are involved in a communication must have SMB packet signing either enabled or required.

Recommendation

Set this policy to Enabled.
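
The following PowerShell function is an added example, not code from the original page or its vendor. It covers the secure channel and SMB checks above in one pass (Digitally Encrypt / Sign Data, Digitally Encrypt Data, Digitally Sign Data, Change Account Password, Strong Session Key, Insecure Guest Logon, Client Digitally Sign Communications, Unencrypted passwords, Server Digitally Sign Communications): it reads the Netlogon and LanmanWorkstation registry values and the SMB client and server configuration, compares each with the recommended value, and then confirms that the secure channel to a domain controller is actually healthy. It assumes Windows 10 / Server 2016 or later (for the Smb* cmdlets) and an elevated session; the row labels, the Explicit column and the built-in defaults it falls back on are this example's own.

```powershell
# Added example: secure channel and SMB signing audit.
function Get-SecureChannelAudit {
    $nl  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $ws  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    $cli = Get-SmbClientConfiguration
    $srv = Get-SmbServerConfiguration

    # Label, actual value ($null when not set), expected value, value Windows assumes when not set
    $rows = @(
        ,@('Domain member: encrypt or sign secure channel data (always)',   $nl.RequireSignOrSeal,               1, 1)
        ,@('Domain member: encrypt secure channel data (when possible)',    $nl.SealSecureChannel,               1, 1)
        ,@('Domain member: sign secure channel data (when possible)',       $nl.SignSecureChannel,               1, 1)
        ,@('Domain member: disable machine account password changes',      $nl.DisablePasswordChange,           0, 0)
        ,@('Domain member: require strong session key',                     $nl.RequireStrongKey,                1, 1)
        ,@('SMB client: digitally sign communications (always)',            [int]$cli.RequireSecuritySignature,  1, 0)
        ,@('SMB server: digitally sign communications (always)',            [int]$srv.RequireSecuritySignature,  1, 0)
        ,@('SMB client: allow insecure guest logons',                       [int]$cli.EnableInsecureGuestLogons, 0, 0)
        ,@('SMB client: send unencrypted password to third-party servers',  $ws.EnablePlainTextPassword,         0, 0)
    )
    foreach ($r in $rows) {
        $actual = if ($null -ne $r[1]) { $r[1] } else { $r[3] }
        [pscustomobject]@{
            Setting  = $r[0]
            Actual   = $actual
            Expected = $r[2]
            Explicit = ($null -ne $r[1])     # False = the host relies on the built-in default
            Pass     = ($actual -eq $r[2])
        }
    }
}

Get-SecureChannelAudit | Format-Table -AutoSize

# Live check on a domain-joined host: is the secure channel to a DC actually intact?
if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    Test-ComputerSecureChannel -Verbose     # $true when healthy; add -Repair to re-establish it
}
```

Signing is only effective when both ends take part, as the note above says: a client that passes its own row still talks unsigned to a server whose RequireSecuritySignature row fails, so run the audit on both sides of a file share.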

Download Print Drivers Over HTTP

Category: Network and credentials

OS: Windows

Description

Verifies the local group policy Turn off downloading of print drivers over HTTP, located in Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication Settings.

This policy specifies whether to allow this client to download print driver packages over HTTP.

  • When disabled or not configured, users can download print drivers over HTTP.

Recommendation

Set this policy to Enabled.

Print Over HTTP

Category: Network and credentials

OS: Windows

Description

Verifies the local group policy Turn off printing over HTTP, located in Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication Settings.

This policy specifies whether to allow printing over HTTP from this client. Printing over HTTP allows a client to print to printers on the intranet as well as the Internet.

  • When disabled or not configured, users can choose to print to printers on the Internet over HTTP.

Recommendation

Set this policy to Enabled.

Strengthen Permissions

Category: OS security

OS: Windows

Description

Verifies the local security policy option System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links).

This security setting determines the strength of the default Discretionary Access Control List (DACL) for objects.

Windows maintains a global list of shared system resources, such as MS-DOS device names, mutexes, and semaphores, so that objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted.

  • If this policy is enabled, the default DACL is stronger, allowing users who are not administrators to read shared objects but not allowing these users to modify shared objects that they did not create.

Recommendation

Set this policy to Enabled.

Enumerate Local Users

Category: OS security

OS: Windows

Description

Verifies the local group policy Enumerate local users on domain-joined computers, located in Computer Configuration\Administrative Templates\System\Logon.

This policy allows local users to be enumerated on domain-joined computers.

  • If you enable this policy, Logon UI will enumerate all local users on domain-joined computers.

Recommendation

Set this policy to Disabled.

PIN Sign-In

Category: OS Security

OS: Windows

Description

Verifies the local group policy Turn on convenience PIN sign-in, located in Computer Configuration\Administrative Templates\System\Logon.

This policy allows you to control whether a domain user can sign in using a convenience PIN.

  • If you enable this policy, a domain user can set up and use a convenience PIN; the user's domain password is then cached in the system vault, which is what makes the feature a risk.

  • If you disable or do not configure this policy, a domain user cannot set up and use a convenience PIN.

Recommendation

Set this policy to Disabled.

Restrict Unauthenticated RPC

Category: Network and credentials

OS: Windows

Description

Verifies the local group policy Restrict Unauthenticated RPC clients, located in Computer Configuration\Administrative Templates\System\Remote Procedure Call.

This policy controls how the Remote Procedure Call (RPC) server runtime handles unauthenticated RPC clients connecting to RPC servers.

In a domain environment, this policy should be used with caution as it can affect a wide range of functionality, including the group policy processing itself.

A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security.

Recommendation

Set this policy to Enabled > Authenticated.

Optional Microsoft Accounts

Category: OS security

OS: Windows

Description

Verifies the local group policy Allow Microsoft accounts to be optional, located in Computer Configuration\Administrative Templates\Windows Components\App runtime.

This policy lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in.

This policy only affects Windows Store apps that support it.

  • If you enable this policy, Windows Store apps that typically require a Microsoft account to sign in will allow users to sign in with an enterprise account instead.

  • If you disable or do not configure this policy, users will need to sign in with a Microsoft account.

Recommendation

Set this policy to Enabled.

Autoplay Non-Volume Devices

Category: OS security

OS: Windows

Description

Verifies the local group policy Disallow Autoplay for non-volume devices, located in Computer Configuration\Administrative Templates\Windows Components\Autoplay Policies.

This policy setting disallows AutoPlay for non-volume devices, such as MTP devices like cameras or phones; the Turn off Autoplay policy covers drives (volumes) only.

  • If you enable this policy setting, AutoPlay is not allowed for MTP devices like cameras or phones.

  • If you disable or do not configure this policy setting, AutoPlay is enabled for non-volume devices.

Recommendation

Set this policy to Enabled.

Turn off Autoplay

Category: OS security

OS: Windows

Description

Verifies the local group policy Turn off Autoplay, located in Computer Configuration\Administrative Templates\Windows Components\Autoplay Policies.

This policy setting allows you to turn off the Autoplay feature (reading from a drive as soon as inserting media in the drive).

  • When this policy is Disabled or not configured, setup programs on inserted media and music on audio media start as soon as the media is inserted in the drive.

Recommendation

Set this policy to Enabled: All Drives.

Disable DMA

Category: OS security

OS: Windows

Description

Verifies the local group policy Disable new DMA devices when this computer is locked, located in Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption.

This policy allows blocking direct memory access (DMA) for all Thunderbolt hot pluggable PCI downstream ports until a user logs into Windows. Devices already enumerated when the machine was unlocked will continue to function until unplugged or the system is rebooted or hibernated.

This policy is only enforced when BitLocker or device encryption is enabled.

Note

Some PCs may not be compatible with this policy if the system firmware enables DMA for newly attached Thunderbolt devices before exposing the new devices to Windows.

Recommendation

Set this policy to Enabled.

Enhanced PIN with BitLocker

Category: OS security

OS: Windows

Description

Verifies the local group policy Allow enhanced PINs for startup, located in Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives.

This policy configures whether enhanced startup PINs are used with BitLocker. Enhanced startup PINs allow the use of uppercase and lowercase letters, symbols, numbers, and spaces.

This policy is applied when BitLocker is turned on.

Note

Not all computers may support enhanced PINs in the pre-boot environment.

It is strongly recommended that users perform a system check during BitLocker setup.

  • If you disable or do not configure this policy, enhanced PINs will not be used.

Recommendation

Set this policy to Enabled.

Secure Boot for BitLocker

Category: OS security

OS: Windows

Description

Verifies the local group policy Allow Secure Boot for integrity validation, located in Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives.

This policy setting defines whether Secure Boot will be allowed as the platform integrity provider for BitLocker operating system drives.

Secure Boot ensures that the PC's pre-boot environment only loads firmware that is digitally signed by authorized software publishers.

Secure Boot also provides more flexibility for managing pre-boot configuration than legacy BitLocker integrity checks.

  • If you disable this policy, BitLocker will use legacy platform integrity validation even on systems capable of Secure Boot-based integrity validation.

    Warning

    Disabling this policy may result in BitLocker recovery when firmware is updated.

Recommendation

Set this policy to Enabled.

Write Removable Drives with BitLocker

Category: OS Security

OS: Windows

Description

Verifies the local group policy Deny write access to removable drives not protected by BitLocker, located in Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives.

This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.

  • When enabling this setting, all removable data drives that are not BitLocker-protected will be mounted as read-only.

  • When disabling or not configuring this setting, all removable data drives on the computer will be mounted with read and write access.

Recommendation

Set this policy to Enabled.

Microsoft Consumer Experiences

Category: OS security

OS: Windows

Description

Verifies the local group policy Turn off Microsoft consumer experiences, located in Computer Configuration\Administrative Templates\Windows Components\Cloud Content.

  • If you disable or do not configure this policy setting, users may see personalized recommendations from Microsoft and notifications about their Microsoft account.

Note

This setting only applies to Enterprise and Education SKUs.

Recommendation

Set this policy to Enabled.

Enumerate Admin Accounts on Elevation

Category: OS security

OS: Windows

Description

Verifies the local group policy Enumerate administrator accounts on elevation, located in Computer Configuration\Administrative Templates\Windows Components\Credential User Interface.

This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application.

By default, administrator accounts are not displayed when the user attempts to elevate a running application.

  • If you enable this setting, all the local administrator accounts will be displayed, so the user can choose one and enter the correct password.

  • If you disable this setting, users will always be required to type a user name and password to elevate.

Recommendation

Set this policy to Disabled.

Internet Connection Sharing

Category: Network and credentials

OS: Windows

Description

Verifies the local group policy Prohibit use of Internet Connection Sharing on your DNS domain network, located in Computer Configuration\Administrative Templates\Network\Network Connections.

Determines whether administrators can enable and configure the Internet Connection Sharing (ICS) feature of an Internet connection and if the ICS service can run on the computer.

ICS lets administrators configure their system as an Internet gateway for a small network and provides network services such as name resolution and addressing through DHCP to the local private network.

  • If you enable this setting, ICS cannot be enabled or configured by administrators and it cannot run on the computer.

Note

ICS is only available when two or more network connections are present.

Non-administrators are already prohibited from configuring Internet Connection Sharing regardless of this setting.

Disabling this setting does not prevent Wireless Hosted Networking from using the ICS service for DHCP services.

To prevent the ICS service from running, go to the Network Permissions tab and select the Don't use hosted networks check box.

Recommendation

Set this policy to Enabled.

Connect to Open Hotspots

Category: Network and credentials

OS: Windows

Description

Verifies the local group policy Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services, located in Computer Configuration\Administrative Templates\Network\WLAN Service\WLAN Settings.

This policy configures the access to the following WLAN settings:

  • Connect to suggested open hotspots

  • Connect to networks shared by my contacts

  • Enable paid services

Note

If this policy is disabled, the abovementioned WLAN settings will be turned off and users on this device will not have access to enable them.

If this policy is not configured or is enabled, users can choose to enable or disable either Connect to suggested open hotspots, or Connect to networks shared by my contacts.

Recommendation

Set this policy to Disabled.

Non Domain Network Connections

Category: Network and credentials

OS: Windows

Description

Verifies the local group policy Prohibit connection to non-domain networks when connected to domain authenticated network, located in Computer Configuration\Administrative Templates\Network\Windows Connection Manager.

This policy prevents computers from connecting to both a domain-based network and a non-domain based network at the same time.

If this policy is enabled, the computer responds to automatic and manual network connection attempts based on the following circumstances:

  • Automatic connection attempts:

    • When the computer is already connected to a domain based network, all automatic connection attempts to non-domain networks are blocked.

    • When the computer is already connected to a non-domain based network, automatic connection attempts to domain-based networks are blocked.

  • Manual connection attempts:

    • When the computer is already connected to either a non-domain based network or a domain based network over media other than Ethernet, and a user attempts to create a manual connection to an additional network in violation of this policy setting, the existing network connection is disconnected and the manual connection is allowed.

    • When the computer is already connected to either a non-domain based network or a domain based network over Ethernet, and a user attempts to create a manual connection to an additional network in violation of this policy setting, the existing Ethernet connection is maintained and the manual connection attempt is blocked.

If this policy is not configured or is disabled, computers are allowed to connect simultaneously to both domain and non-domain networks.

Recommendation

Set this policy to Enabled.

Credential Delegation

Category: Network and credentials

OS: Windows

Description

Verifies the local group policy Remote host allows delegation of non-exportable credentials, located in Computer Configuration\Administrative Templates\System\Credentials Delegation.

When using credential delegation, devices provide an exportable version of credentials to the remote host. This exposes users to the risk of credential theft by attackers on the remote host.

  • If you enable this policy setting, the host supports Restricted Admin or Remote Credential Guard mode.

  • If you disable or do not configure this policy setting, Restricted Administration and Remote Credential Guard modes are not supported. Users will always need to pass their credentials to the host.

Recommendation

Set this policy to Enabled.
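
Most of the checks above are backed by a single registry value: Task Manager, Auto Logon, Secure Logon, UAC Off, UAC Insecure, Automatic Updates, LAN Manager Hash, Blank Password, Anonymous User Permissions, Kernel-Mode Printer Drivers, Lock Screen App Notifications, Store Domain Credentials, Lock Screen Camera, Lock Screen Slide Show, Download Print Drivers Over HTTP, Print Over HTTP, Strengthen Permissions, Enumerate Local Users, PIN Sign-In, Restrict Unauthenticated RPC, Optional Microsoft Accounts, both Autoplay checks, Microsoft Consumer Experiences, Enumerate Admin Accounts on Elevation, Internet Connection Sharing, Connect to Open Hotspots, Non Domain Network Connections and Credential Delegation. The following PowerShell script is an added example, not code from the original page or its vendor: it reads each value and reports Pass, Fail or NotConfigured. The value names and locations are the standard ones Windows uses for these policies; the Default column (what Windows assumes when the value is absent), the check labels and the New-Check helper are this example's own conventions. Run it in an elevated PowerShell session on the endpoint.

```powershell
# Added example: registry-backed policy audit for the checks listed above.
function New-Check {
    param([string]$Name, [string]$Path, [string]$Value, $Default, [scriptblock]$Ok)
    [pscustomobject]@{ Name = $Name; Path = $Path; Value = $Value; Default = $Default; Ok = $Ok }
}
$Is0 = { $args[0] -eq 0 }    # compliant when the value is 0
$Is1 = { $args[0] -eq 1 }    # compliant when the value is 1

$Sys   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Pol   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows'
$PolNT = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT'

# Default = value Windows assumes when the entry is absent; $null = it varies, so an
# absent entry is reported as NotConfigured instead of being guessed.
$Checks = @(
    New-Check 'Task Manager'                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'DisableTaskMgr' 0 $Is0
    New-Check 'Auto Logon'                   'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'AutoAdminLogon' '0' $Is0
    New-Check 'Secure Logon (CTRL+ALT+DEL)'  $Sys 'DisableCAD'                 $null $Is0
    New-Check 'UAC Off'                      $Sys 'EnableLUA'                  1     $Is1
    New-Check 'UAC Insecure (admin prompt)'  $Sys 'ConsentPromptBehaviorAdmin' 5     { $args[0] -ne 0 }
    New-Check 'Optional Microsoft Accounts'  $Sys 'MSAOptional'                0     $Is1
    New-Check 'Automatic Updates'            "$Pol\WindowsUpdate\AU" 'NoAutoUpdate' 0 $Is0
    New-Check 'LAN Manager Hash'             $Lsa 'NoLMHash'                   1     $Is1
    New-Check 'Blank Password'               $Lsa 'LimitBlankPasswordUse'      1     $Is1
    New-Check 'Anonymous User Permissions'   $Lsa 'RestrictAnonymousSAM'       1     $Is1
    New-Check 'Store Domain Credentials'     $Lsa 'DisableDomainCreds'         0     $Is1
    New-Check 'Kernel-Mode Printer Drivers'  "$PolNT\Printers" 'KMPrintersAreBlocked'  $null $Is1
    New-Check 'Download Print Drivers/HTTP'  "$PolNT\Printers" 'DisableWebPnPDownload' 0     $Is1
    New-Check 'Print Over HTTP'              "$PolNT\Printers" 'DisableHTTPPrinting'   0     $Is1
    New-Check 'Restrict Unauthenticated RPC' "$PolNT\Rpc"      'RestrictRemoteClients' $null $Is1
    New-Check 'Lock Screen App Notifications' "$Pol\System" 'DisableLockScreenAppNotifications' 0 $Is1
    New-Check 'Enumerate Local Users'        "$Pol\System" 'EnumerateLocalUsers'  0 $Is0
    New-Check 'PIN Sign-In'                  "$Pol\System" 'AllowDomainPINLogon'  0 $Is0
    New-Check 'Lock Screen Camera'           "$Pol\Personalization" 'NoLockScreenCamera'    0 $Is1
    New-Check 'Lock Screen Slide Show'       "$Pol\Personalization" 'NoLockScreenSlideshow' 0 $Is1
    New-Check 'Strengthen Permissions'       'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' 'ProtectionMode' 1 $Is1
    New-Check 'Autoplay Non-Volume Devices'  "$Pol\Explorer" 'NoAutoplayfornonVolume' 0 $Is1
    New-Check 'Turn off Autoplay (all drives)' 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun' 145 { $args[0] -eq 255 }
    New-Check 'Microsoft Consumer Experiences' "$Pol\CloudContent" 'DisableWindowsConsumerFeatures' 0 $Is1
    New-Check 'Enumerate Admins on Elevation' 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI' 'EnumerateAdministrators' 0 $Is0
    New-Check 'Internet Connection Sharing'  "$Pol\Network Connections" 'NC_ShowSharedAccessUI' 1 $Is0
    New-Check 'Connect to Open Hotspots'     'HKLM:\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config' 'AutoConnectAllowedOEM' 1 $Is0
    New-Check 'Non Domain Network Connections' "$Pol\WcmSvc\GroupPolicy" 'fBlockNonDomain' 0 $Is1
    New-Check 'Credential Delegation'        "$Pol\CredentialsDelegation" 'AllowProtectedCreds' 0 $Is1
)

function Test-PolicyChecks {
    param([object[]]$Checks)
    foreach ($c in $Checks) {
        $item    = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
        $present = $null -ne $item
        $actual  = if ($present) { $item.($c.Value) } else { $c.Default }
        $status  = if (-not $present -and $null -eq $c.Default) { 'NotConfigured' }
                   elseif (& $c.Ok $actual) { 'Pass' } else { 'Fail' }
        $shown   = if ($present) { $actual } else { '(absent)' }
        [pscustomobject]@{ Check = $c.Name; Status = $status; Actual = $shown; Setting = "$($c.Path)\$($c.Value)" }
    }
}

Test-PolicyChecks $Checks | Sort-Object Status | Format-Table -AutoSize

# Auto Logon caveat: when AutoAdminLogon is on, the password itself usually sits next to it in cleartext.
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ($wl.DefaultPassword) { Write-Warning 'Winlogon\DefaultPassword is set: a cleartext logon password is stored in the registry.' }
```

A Pass that comes from an absent value means the endpoint is relying on the Windows default rather than on policy; for settings that must survive local tampering, set them explicitly through Group Policy so the value is present and enforced.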

Virtualization Based Security

Category: OS security

OS: Windows

Description

Verifies the local group policy Turn On Virtualization Based Security, located in Computer Configuration\Administrative Templates\System\Device Guard. Specifies whether Virtualization Based Security is enabled.

Virtualization Based Security uses the Windows Hypervisor to provide support for security services.

Virtualization Based Security requires Secure Boot, and can optionally be enabled together with DMA protection.

Recommendation

Set this policy to Enabled with the following options:

  • Select Platform Security Level: SecureBoot and DMA Protection

  • Virtualization Based Protection of Code Integrity: Enabled with lock

  • Credential Guard Configuration: Enabled with lock
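
The following PowerShell function is an added example, not code from the original page or its vendor. It puts the policy values behind the BitLocker checks above (Disable DMA, Enhanced PIN with BitLocker, Secure Boot for BitLocker, Write Removable Drives with BitLocker) and the Virtualization Based Security policy next to the state the platform actually reports, since a policy that is set but not in effect (no Secure Boot, no TPM+PIN protector, VBS not running) gives no protection. It assumes Windows 10 or later with the BitLocker module, UEFI firmware and an elevated session; the column names are this example's own, the value meanings in the comments are Microsoft's.

```powershell
# Added example: BitLocker / DMA / Secure Boot / VBS policy versus effective state.
function Get-PlatformSecurityReport {
    $fve = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'                 -ErrorAction SilentlyContinue
    $dg  = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' -ErrorAction SilentlyContinue
    $os  = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $vbs = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }   # the cmdlet throws on legacy BIOS

    [pscustomobject]@{
        # Policy values (empty = not configured)
        Policy_DisableDMAUnderLock  = $fve.DisableExternalDMAUnderLock       # expect 1
        Policy_EnhancedPin          = $fve.UseEnhancedPin                    # expect 1
        Policy_SecureBootIntegrity  = $fve.OSAllowSecureBootForIntegrity     # expect 1
        Policy_DenyWriteUnprotected = $fve.RDVDenyWriteAccess                # expect 1
        Policy_VBSEnabled           = $dg.EnableVirtualizationBasedSecurity  # expect 1
        Policy_PlatformLevel        = $dg.RequirePlatformSecurityFeatures    # 3 = Secure Boot and DMA protection
        Policy_HVCI                 = $dg.HypervisorEnforcedCodeIntegrity    # 1 = enabled with UEFI lock
        Policy_CredentialGuard      = $dg.LsaCfgFlags                        # 1 = enabled with UEFI lock
        # Effective state
        OSDrive_Protection          = $os.ProtectionStatus                   # On expected
        OSDrive_KeyProtectors       = ($os.KeyProtector.KeyProtectorType -join ',')   # TpmPin expected for a startup PIN
        SecureBoot                  = $secureBoot                            # True expected
        VBS_Status                  = $vbs.VirtualizationBasedSecurityStatus # 2 = running
        VBS_ServicesRunning         = ($vbs.SecurityServicesRunning -join ',')        # 1 = Credential Guard, 2 = HVCI
        VBS_RequiredProperties      = ($vbs.RequiredSecurityProperties -join ',')     # 2 = Secure Boot, 3 = DMA protection
    }
}

Get-PlatformSecurityReport | Format-List
```

The Disable DMA policy only takes effect when the OS drive shows Protection On, and an enhanced PIN only matters when TpmPin is among the key protectors, so read the two halves of the report together rather than the policy lines alone.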

Device Installation by ID

Category: OS security

OS: Windows

Description

Verifies the local group policy Prevent installation of devices that match any of these device IDs, located in Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions.

This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing.

This policy setting takes precedence over any other policy setting that allows Windows to install a device.

  • If you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in the list you create.

  • If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.

  • If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.

Recommendation

Set this policy to Enabled, and select the following options:

  • Prevent installation of devices that match any of these device IDs: PCI\CC_0C0A

  • Also apply to matching devices that are already installed.

Device Installation by Setup Class

Category: OS security

OS: Windows

Description

Verifies the local group policy Prevent installation of devices using drivers that match these device setup classes, located in Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions.

This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing.

This policy setting takes precedence over any other policy setting that allows Windows to install a device.

  • If you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create.

  • If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.

  • If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings.

Recommendation

Set this policy to Enabled, and select the following options:

  • Prevent installation of devices using drivers for these device setup classes: {d48179be-ec20-11d1-b6b8-00c04fa372a7}.

  • Also apply to matching devices that are already installed.

Boot-Start Driver

Category: OS security

OS: Windows

Description

Verifies the local group policy Boot-Start Driver Initialization Policy, located in Computer Configuration\Administrative Templates\System\Early Launch Antimalware.

This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver.

The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver:

  • Good: The driver has been signed and has not been tampered with.

  • Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized.

  • Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver.

  • Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver.

If you enable this policy, you can choose which boot-start drivers to initialize the next time the computer is started.

Note

If you disable or do not configure this policy setting, the boot start drivers determined to be Good, Unknown or Bad but Boot Critical are initialized and the initialization of drivers determined to be Bad is skipped.

If your malware detection application does not include an Early Launch Antimalware boot-start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized.

Recommendation

Set this policy to Enabled > Good, Unknown and bad but critical.

Anti-Spoofing

Category: OS security

OS: Windows

Description

Verifies the local group policy Configure enhanced anti-spoofing, located in Computer Configuration\Administrative Templates\Windows Components\Biometrics\Facial Features.

This policy setting determines whether enhanced anti-spoofing is required for Windows Hello face authentication.

  • If you enable this setting, Windows requires all users on managed devices to use enhanced anti-spoofing for Windows Hello face authentication.

    This disables Windows Hello face authentication on devices that do not support enhanced anti-spoofing.

  • If you disable or do not configure this setting, Windows does not require enhanced anti-spoofing for Windows Hello face authentication.

Recommendation

Set this policy to Enabled.

Minimum Startup PIN

Category: OS security

OS: Windows

Description

Verifies the local group policy Configure minimum PIN length for startup, located in Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives.

This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN.

This policy setting is applied when you turn on BitLocker.

The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits.

  • If you enable this policy setting, you can require a minimum number of digits to be used when setting the startup PIN.

  • If you disable or do not configure this policy setting, users can configure a startup PIN of any length between 6 and 20 digits.

Recommendation

Set this policy to Enabled > Minimum characters 7.

Explorer Data Execution Prevention

Category: OS security

OS: Windows

Description

Verifies the local group policy Turn off Data Execution Prevention for Explorer, located in Computer Configuration\Administrative Templates\Windows Components\File Explorer.

Disabling data execution prevention can allow certain legacy plug-in applications to function without terminating Explorer.

Recommendation

Set this policy to Disabled.

Heap Termination on Corruption

Category: OS security

OS: Windows

Description

Verifies the local group policy Turn off heap termination on corruption, located in Computer Configuration\Administrative Templates\Windows Components\File Explorer.

Disabling heap termination on corruption can allow certain legacy plug-in applications to function without terminating Explorer immediately, although Explorer may still terminate unexpectedly later.

Recommendation

Set this policy to Disabled.

Password Manager

Category: Network and credentials

OS: Windows

Description

Verifies the local group policy Configure Password Manager, located in Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge.

This policy setting lets you decide whether employees can save their passwords locally, using Password Manager.

By default, Password Manager is turned on.

  • If you enable this setting, employees can use Password Manager to save their passwords locally.

  • If you disable this setting, employees cannot use Password Manager to save their passwords locally.

  • If you don't configure this setting, employees can choose whether to use Password Manager to save their passwords locally.

Recommendation

Set this policy to Disabled.

Save Passwords from RDC

Category: Network and credentials

OS: Windows

Description

Verifies the local group policy Do not allow passwords to be saved, located in Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client.

This policy controls whether passwords can be saved on this computer from Remote Desktop Connection.

  • If you enable this setting, the password saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords.

When a user opens an RDP file using Remote Desktop Connection and saves their settings, any password that previously existed in the RDP file will be deleted.

Recommendation

Set this policy to Enabled.

Drive Redirection

Category: OS security

OS: Windows

Description

Verifies the local group policy Do not allow drive redirection, located in Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection.

This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection).

By default, an RD Session Host server maps client drives automatically upon connection.

Mapped drives appear in the session folder tree in File Explorer or Computer in the format <drive letter> on <computer name>. You can use this policy setting to override this behavior.

  • If you enable this policy setting, client drive redirection is not allowed in Remote Desktop Services sessions, and Clipboard file copy redirection is not allowed on computers running Windows Server 2003, Windows 8, and Windows XP.

Recommendation

Set this policy to Enabled.

RDS Password Prompt

Category: Network and credentials

OS: Windows

Description

Verifies the local group policy Always prompt for password upon connection, located in Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security.

This policy setting specifies whether Remote Desktop Services always prompts the client for a password upon connection.

You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client.

By default, Remote Desktop Services allows users to automatically log on by entering a password in the Remote Desktop Connection client.

  • If you enable this policy setting, users cannot automatically log on to Remote Desktop Services by supplying their passwords in the Remote Desktop Connection client. They are prompted for a password to log on.

Recommendation

Set this policy to Enabled.

Secure RPC Communication

Category: Network and credentials

OS: Windows

Description

Verifies the local group policy Require secure RPC communication, located in Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security.

Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication.

You can use this setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests.

  • If the status is set to Enabled, Remote Desktop Services accepts requests from RPC clients that support secure requests, and does not allow unsecured communication with untrusted clients.

Recommendation

Set this policy to Enabled.

Client Encryption Level

Category: Network and credentials

OS: Windows

Description

Verifies the local group policy Set client connection encryption level, located in Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security.

Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections.

This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended.

This policy does not apply to SSL encryption.

  • If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the encryption method specified in this setting.

By default, the encryption level is set to High Level (the recommended option). This setting encrypts data sent from the client to the server and from the server to the client by using strong 128-bit encryption.

Use this encryption level in environments that contain only 128-bit clients (for example, clients that run Remote Desktop Connection).

Clients that do not support this encryption level cannot connect to RD Session Host servers.

Recommendation

Set this policy to Enabled > High Level.

Download Enclosures

Category: OS security

OS: Windows

Description

Verifies the local group policy Prevent downloading of enclosures, located in Computer Configuration\Administrative Templates\Windows Components\RSS Feeds.

This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's computer.

  • If you enable this policy setting, the user cannot set the Feed Sync Engine to download an enclosure through the Feed property page. A developer cannot change the download setting through the Feed APIs.

Recommendation

Set this policy to Enabled.

Indexing Encrypted Files

Category: OS security

OS: Windows

Description

Verifies the local group policy Allow indexing of encrypted files, located in Computer Configuration\Administrative Templates\Windows Components\Search.

This policy setting allows encrypted items to be indexed.

  • If you enable this policy setting, indexing will attempt to decrypt and index the content (access restrictions will still apply).

  • If you disable this policy setting, the search service components (including non-Microsoft components) are expected not to index encrypted items or encrypted stores.

  • If you do not configure this policy setting, the local setting, configured through Control Panel, will be used.

This policy setting is not configured by default.

By default, the Control Panel setting is set to not index encrypted content. When this setting is enabled or disabled, the index is rebuilt completely.

Full volume encryption (such as BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of the index to maintain security for encrypted files.

Recommendation

Set this policy to Disabled.

Modify Exploit Protection Settings

Category: OS security

OS: Windows

Description

Verifies the local group policy Prevent users from modifying settings, located in Computer Configuration\Administrative Templates\Windows Components\Windows Defender Security Center\App and browser protection or in Computer Configuration\Administrative Templates\Windows Components\Windows Security\App and browser protection (according to the Windows version).

This policy setting allows preventing users from making changes to the Exploit protection settings area in the Windows Defender Security Center.

Recommendation

Set this policy to Enabled.

Game Recording and Broadcasting

Category: OS security

OS: Windows

Description

Verifies the local group policy Enables or disables Windows Game Recording and Broadcasting, located in Computer Configuration\Administrative Templates\Windows Components\Windows Game Recording and Broadcasting.

This setting enables or disables the Windows Game Recording and Broadcasting features.

Recommendation

Set this policy to Disabled.

Windows Ink Workspace

Category: OS security

OS: Windows

Description

Verifies the local group policy Allow Windows Ink Workspace, located in Computer Configuration\Administrative Templates\Windows Components\Windows Ink Workspace.

This setting is supported from Windows 10 Redstone.

Recommendation

Set this policy to Enabled > On, but disallow access above lock.

User Control Over Installs

Category: OS security

OS: Windows

Description

Verifies the local group policy Allow user control over installs, located in Computer Configuration\Administrative Templates\Windows Components\Windows Installer.

This policy permits users to change installation options that typically are available only to system administrators.

  • If you enable this policy setting, some of the security features of Windows Installer are bypassed. It permits installations to complete that otherwise would be halted due to a security violation.

    This policy setting is designed for less restrictive environments. It can be used to circumvent errors in an installation program that prevents software from being installed.

Recommendation

Set this policy to Disabled.

Install with Elevated Privileges

Category: OS security

OS: Windows

Description

Verifies the local group policy Always install with elevated privileges, located in Computer Configuration\Administrative Templates\Windows Components\Windows Installer.

This policy setting directs Windows Installer to use elevated permissions when it installs any program on the system.

  • If you enable this policy setting, privileges are extended to all programs. These privileges are usually reserved for programs that have been assigned to the user (offered on the desktop), assigned to the computer (installed automatically), or made available in Add or Remove Programs in Control Panel.

    This profile setting lets users install programs that require access to directories that the user might not have permission to view or change, including directories on highly restricted computers.

Note

This policy setting appears both in the Computer Configuration and User Configuration folders. To make this policy setting effective, you must enable it in both folders.

Warning

Skilled users can take advantage of the permissions this policy setting grants to change their privileges and gain permanent access to restricted files and folders.

The User Configuration version of this policy setting is not guaranteed to be secure.

Recommendation

Set this policy to Disabled.

Auto Sign-in After Restart

Category: OS security

OS: Windows

Description

Verifies the local group policy Sign-in last interactive user automatically after a system-initiated restart, located in Computer Configuration\Administrative Templates\Windows Components\Windows Logon Options.

This policy setting controls whether a device will automatically sign in the last interactive user after Windows Update restarts the system.

  • If you enable or do not configure this policy setting, the device securely saves the user's credentials (including the user name, domain and encrypted password) to configure automatic sign-in after a Windows Update restart.

    After the Windows Update restart, the user is automatically signed in and the session is automatically locked with all the lock screen apps configured for that user.

  • If you disable this policy setting, the device does not store the user's credentials for automatic sign-in after a Windows Update restart. The users' lock screen apps are not restarted after the system restarts.

Recommendation

Set this policy to Disabled.

PowerShell Script Block Logging

Category: OS security

OS: Windows

Description

Verifies the local group policy Turn on PowerShell Script Block Logging, located in Computer Configuration\Administrative Templates\Windows Components\Windows PowerShell.

This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log.

  • If you enable this policy setting, Windows PowerShell will log the processing of commands, script blocks, functions, and scripts - whether invoked interactively, or through automation.

  • If you disable this policy setting, logging of PowerShell script input is disabled.

Note

This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting.

Recommendation

Set this policy to Enabled.

WinRM Client Basic Authentication

Category: OS security

OS: Windows

Description

Verifies the local group policy Allow Basic authentication, located in Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Client.

This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication.

  • If you enable this policy setting, the WinRM client uses Basic authentication.

    If WinRM is configured to use HTTP transport, the user name and password are sent over the network as clear text.

Recommendation

Set this policy to Disabled.

WinRM Client Unencrypted Traffic

Category: OS security

OS: Windows

Description

Verifies the local group policy Allow unencrypted traffic, located in Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Client.

This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network.

  • If you disable or do not configure this policy setting, the WinRM client sends or receives only encrypted messages over the network.

Recommendation

Set this policy to Disabled.

WinRM Client Digest Authentication

Category: OS security

OS: Windows

Description

Verifies the local group policy Disallow Digest authentication, located in Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Client.

This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Digest authentication.

  • If you enable this policy setting, the WinRM client does not use Digest authentication.

Recommendation

Set this policy to Enabled.

WinRM Service Basic Authentication

Category: OS security

OS: Windows

Description

Verifies the local group policy Allow Basic authentication, located in Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service.

This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client.

  • If you disable or do not configure this policy setting, the WinRM service does not accept Basic authentication from a remote client.

Recommendation

Set this policy to Disabled.

WinRM Service Unencrypted Traffic

Category: OS security

OS: Windows

Description

Verifies the local group policy Allow unencrypted traffic, located in Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service.

This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network.

  • If you disable or do not configure this policy setting, the WinRM service sends or receives only encrypted messages over the network.

Recommendation

Set this policy to Disabled.

WinRM Service RunAs Credentials

Category: OS security

OS: Windows

Description

Verifies the local group policy Disallow WinRM from storing RunAs credentials, located in Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service.

This policy setting allows you to manage whether the Windows Remote Management (WinRM) service is prevented from storing RunAs credentials for any plug-ins.

  • If you enable this policy setting, the WinRM service will not allow the RunAsUser or RunAsPassword configuration values to be set for any plug-ins.

  • If a plug-in has already set the RunAsUser and RunAsPassword configuration values, the RunAsPassword configuration value will be erased from the credential store on this computer.

Recommendation

Set this policy to Enabled.
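The WinRM client and service policies above, the Remote Desktop Services policies and PowerShell Script Block Logging all resolve to DWORD values under HKLM\SOFTWARE\Policies once applied, so one table-driven audit covers them. This is an added example, not the page's or the vendor's own check; the registry paths, value names and expected encodings are assumed from the policy ADMX files and should be verified on your build.

```powershell
# Added example: audit the remote-management policies recommended in this
# section by reading the registry values Group Policy writes.
# Paths/values/encodings are assumed from the ADMX definitions.
$checks = @(
    # WinRM client
    @{ Policy = 'WinRM Client: Allow Basic authentication (Disabled)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
       Name = 'AllowBasic';               Expected = 0 }
    @{ Policy = 'WinRM Client: Allow unencrypted traffic (Disabled)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
       Name = 'AllowUnencryptedTraffic';  Expected = 0 }
    @{ Policy = 'WinRM Client: Disallow Digest authentication (Enabled)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
       Name = 'AllowDigest';              Expected = 0 }
    # WinRM service
    @{ Policy = 'WinRM Service: Allow Basic authentication (Disabled)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
       Name = 'AllowBasic';               Expected = 0 }
    @{ Policy = 'WinRM Service: Allow unencrypted traffic (Disabled)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
       Name = 'AllowUnencryptedTraffic';  Expected = 0 }
    @{ Policy = 'WinRM Service: Disallow storing RunAs credentials (Enabled)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
       Name = 'DisableRunAs';             Expected = 1 }
    # Windows PowerShell
    @{ Policy = 'Turn on PowerShell Script Block Logging (Enabled)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
       Name = 'EnableScriptBlockLogging'; Expected = 1 }
    # Remote Desktop Services
    @{ Policy = 'Do not allow passwords to be saved (Enabled)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
       Name = 'DisablePasswordSaving';    Expected = 1 }
    @{ Policy = 'Do not allow drive redirection (Enabled)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
       Name = 'fDisableCdm';              Expected = 1 }
    @{ Policy = 'Always prompt for password upon connection (Enabled)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
       Name = 'fPromptForPassword';       Expected = 1 }
    @{ Policy = 'Require secure RPC communication (Enabled)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
       Name = 'fEncryptRPCTraffic';       Expected = 1 }
    @{ Policy = 'Set client connection encryption level (High Level)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
       Name = 'MinEncryptionLevel';       Expected = 3 }
)

function Test-PolicyValue {
    param([hashtable]$Check)
    $actual = $null
    if (Test-Path $Check.Path) {
        $item = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
        if ($item) { $actual = $item.($Check.Name) }
    }
    # A missing value means Not Configured. The descriptions above state the
    # default each policy falls back to; report it for review, not as a pass.
    $status = if ($null -eq $actual) { 'NOT CONFIGURED' }
              elseif ([int]$actual -eq $Check.Expected) { 'PASS' }
              else { 'FAIL' }
    [pscustomobject]@{
        Policy   = $Check.Policy
        Expected = $Check.Expected
        Actual   = $actual
        Status   = $status
    }
}

$results = $checks | ForEach-Object { Test-PolicyValue -Check $_ }
$results | Format-Table -AutoSize

$nonCompliant = @($results | Where-Object Status -ne 'PASS').Count
"Policies needing attention: $nonCompliant of $($checks.Count)"
```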

Install ActiveX

Category: Browser security

OS: Windows

Description

Verifies the local group policy Prevent per-user installation of ActiveX controls, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer.

This policy setting allows you to prevent the installation of ActiveX controls on a per-user basis.

  • If you enable this policy setting, ActiveX controls cannot be installed on a per-user basis.

Recommendation

Set this policy to Enabled.

Security Zones Add / Delete Sites

Category: Browser security

OS: Windows

Description

Verifies the local group policy Security Zones: Do not allow users to add/delete sites, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer.

This policy prevents users from adding or removing sites from security zones. A security zone is a group of Web sites with the same security level.

  • If you enable this policy, the site management settings for security zones are disabled. (To see the site management settings for security zones, in the Internet Options dialog box, click the Security tab, and then click the Sites button.)

This policy prevents users from changing site management settings for security zones established by the administrator.

Note

The Disable the Security page policy (located in User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from the interface, takes precedence over this policy.

If it is enabled, this policy is ignored.

Also, see the Security zones: Use only machine settings policy.

Recommendation

Set this policy to Enabled.

Security Zones Change Policies

Category: Browser security

OS: Windows

Description

Verifies the local group policy Security Zones: Do not allow users to change policies, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer.

This policy prevents users from changing security zone settings. A security zone is a group of Web sites with the same security level.

  • If you enable this policy, the Custom Level button and security-level slider on the Security tab in the Internet Options dialog box are disabled.

Note

The Disable the Security page policy (located in User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from Internet Explorer in Control Panel, takes precedence over this policy.

If it is enabled, this policy is ignored.

Also, see the Security zones: Use only machine settings policy.

Recommendation

Set this policy to Enabled.

Security Zones Only Machine Settings

Category: Browser security

OS: Windows

Description

Verifies the local group policy Security Zones: Use only machine settings, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer.

Applies security zone information to all users of the same computer. A security zone is a group of Web sites with the same security level.

  • If you enable this policy, changes that the user makes to a security zone will apply to all users of that computer.

This policy is intended to ensure that security zone settings apply uniformly to the same computer and do not vary from user to user.

Also, see the Security zones: Do not allow users to change policies policy.

Recommendation

Set this policy to Enabled.

ActiveX Installer Service

Category: Browser security

OS: Windows

Description

Verifies the local group policy Specify use of ActiveX Installer Service for installation of ActiveX controls, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer.

This policy setting allows you to specify how ActiveX controls are installed.

  • If you enable this policy setting, ActiveX controls are installed only if the ActiveX Installer Service is present and has been configured to allow the installation of ActiveX controls.

Recommendation

Set this policy to Enabled.

Crash Detection

Category: Browser security

OS: Windows

Description

Verifies the local group policy Turn off Crash Detection, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer.

This policy setting allows you to manage the crash detection feature of add-on management.

  • If you enable this policy setting, a crash in Internet Explorer will exhibit behavior found in Windows XP Professional Service Pack 1 and earlier, namely to invoke Windows Error Reporting.

    All policy settings for Windows Error Reporting continue to apply.

  • If you disable or do not configure this policy setting, the crash detection feature for add-on management will be functional.

Recommendation

Set this policy to Enabled.

Security Settings Check

Category: Browser security

OS: Windows

Description

Verifies the local group policy Turn off the Security Settings Check feature, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer.

This policy setting turns off the Security Settings Check feature, which checks Internet Explorer security settings to determine when the settings put Internet Explorer at risk.

  • If you disable or do not configure this policy setting, the feature is turned on.

Recommendation

Set this policy to Disabled.

Certificate Errors

Category: Browser security

OS: Windows

Description

Verifies the local group policy Prevent ignoring certificate errors, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel.

This policy setting prevents the user from ignoring Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate errors that interrupt browsing (such as "expired", "revoked", or "name mismatch" errors) in Internet Explorer.

  • If you enable this policy setting, the user cannot continue browsing.

  • If you disable or do not configure this policy setting, the user can choose to ignore certificate errors and continue browsing.

Recommendation

Set this policy to Enabled.

Run Software if Signature Invalid

Category: Browser security

OS: Windows

Description

Verifies the local group policy Allow software to run or install even if the signature is invalid, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page.

This policy setting allows you to manage whether software, such as ActiveX controls and file downloads, can be installed or run by the user even though the signature is invalid. An invalid signature might indicate that someone has tampered with the file.

  • If you enable this policy setting, users will be prompted to install or run files with an invalid signature.

  • If you disable this policy setting, users cannot run or install files with an invalid signature.

  • If you do not configure this policy, users can choose to run or install files with an invalid signature.

Recommendation

Set this policy to Disabled.

Server Certificate Revocation

Category: Browser security

OS: Windows

Description

Verifies the local group policy Check for server certificate revocation, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page.

This policy setting allows you to manage whether Internet Explorer will check revocation status of servers' certificates.

Certificates are revoked when they have been compromised or are no longer valid, and this option protects users from submitting confidential data to a site that may be fraudulent or not secure.

  • If you enable this policy setting, Internet Explorer will check to see if server certificates have been revoked.

Recommendation

Set this policy to Enabled.

Downloaded Programs Signatures

Category: Browser security

OS: Windows

Description

Verifies the local group policy Check for signatures on downloaded programs, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page.

This policy setting allows you to manage whether Internet Explorer checks for digital signatures (which identifies the publisher of signed software and verifies it has not been modified or tampered with) on user computers before downloading executable programs.

  • If you enable this policy setting, Internet Explorer will check the digital signatures of executable programs and display their identities before downloading them to user computers.

Recommendation

Set this policy to Enabled.

ActiveX Protected Mode

Category: Browser security

OS: Windows

Description

Verifies the local group policy Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page.

This policy setting prevents ActiveX controls from running in Protected Mode when Enhanced Protected Mode is enabled.

When a user has an ActiveX control installed, which is not compatible with Enhanced Protected Mode and a website attempts to load the control, Internet Explorer notifies the user and gives the option to run the website in regular Protected Mode.

This policy setting disables this notification and forces all websites to run in Enhanced Protected Mode. Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows.

For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system.

When Enhanced Protected Mode is enabled, and a user encounters a website that attempts to load an ActiveX control that is not compatible with Enhanced Protected Mode, Internet Explorer notifies the user and gives the option to disable Enhanced Protected Mode for that particular website.

  • If you enable this policy setting, Internet Explorer will not give the user the option to disable Enhanced Protected Mode.

    All Protected Mode websites will run in Enhanced Protected Mode.

Recommendation

Set this policy to Enabled.

Encryption Support

Category: Browser security

OS: Windows

Description

Verifies the local group policy Turn off encryption support, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page.

This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the browser and the target server.

When the browser attempts to set up a protected communication with the target server, the browser and server negotiate which protocol and version to use.

The browser and server attempt to match each other’s list of supported protocols and versions, and they select the most preferred match.

  • If you enable this policy setting, the browser negotiates or does not negotiate an encryption tunnel by using the encryption methods that you select from the drop-down list.

Recommendation

Set this policy to Enabled > Use TLS 1.1; Use TLS 1.2.
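The negotiation described above only ever picks from the versions the client still offers, so the audit question is which bits of the backing value remain set. The following PowerShell is an added example, not part of this checklist or its product: it decodes the SecureProtocols DWORD under the machine policy hive (the value the "Turn off encryption support" policy writes), reports any version outside the recommended TLS 1.1/TLS 1.2 pair, and computes the value the recommendation produces. The registry path and the per-protocol bit assignments are the standard Internet Settings ones; the sample values fed to the functions at the end are constructed for the demonstration.

```powershell
# Added example (not part of the original checklist): decode and audit the
# SecureProtocols DWORD behind the "Turn off encryption support" policy.
# $PolicyKey is the machine policy hive written by a Computer Configuration GPO.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

# Bit assignments of the SecureProtocols value (one bit per protocol version).
$ProtocolBits = [ordered]@{
    'SSL 2.0' = 0x008
    'SSL 3.0' = 0x020
    'TLS 1.0' = 0x080
    'TLS 1.1' = 0x200
    'TLS 1.2' = 0x800
}

# Versions the recommendation above ("Use TLS 1.1; Use TLS 1.2") leaves enabled.
$Recommended = @('TLS 1.1', 'TLS 1.2')

function ConvertFrom-SecureProtocols {
    param([Parameter(Mandatory)][int]$Value)
    # Return the names of every protocol version whose bit is set in $Value.
    $ProtocolBits.Keys | Where-Object { ($Value -band $ProtocolBits[$_]) -ne 0 }
}

function ConvertTo-SecureProtocols {
    param([Parameter(Mandatory)][string[]]$Protocols)
    # Build the DWORD that enables exactly the named versions and nothing else.
    $acc = 0
    foreach ($p in $Protocols) {
        if (-not $ProtocolBits.Contains($p)) { throw "Unknown protocol '$p'" }
        $acc = $acc -bor $ProtocolBits[$p]
    }
    return $acc
}

function Test-SecureProtocolsPolicy {
    # A missing value means the policy is Not Configured: the browser default
    # applies, which this check treats as non-compliant.
    $item = Get-ItemProperty -Path $PolicyKey -Name SecureProtocols -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Configured = $false; Value = $null; Enabled = @(); Weak = @(); Compliant = $false }
    }
    $enabled = @(ConvertFrom-SecureProtocols -Value $item.SecureProtocols)
    $weak    = @($enabled | Where-Object { $_ -notin $Recommended })   # SSL 2.0/3.0 or TLS 1.0 still negotiable
    [pscustomobject]@{
        Configured = $true
        Value      = $item.SecureProtocols
        Enabled    = $enabled
        Weak       = $weak
        Compliant  = ($weak.Count -eq 0 -and $enabled.Count -gt 0)
    }
}

# Offline demonstration on a constructed value (no registry access needed):
# 0xA80 = TLS 1.0 + TLS 1.1 + TLS 1.2.
ConvertFrom-SecureProtocols -Value 0xA80           # TLS 1.0, TLS 1.1, TLS 1.2
ConvertTo-SecureProtocols -Protocols $Recommended  # 2560 (0xA00): the DWORD the recommendation writes
Test-SecureProtocolsPolicy                         # reads the live policy value on this endpoint
```

Run it in an elevated session when auditing the machine hive; the same value name under HKCU:\SOFTWARE\Policies\... carries the User Configuration variant of the policy, and a Not Configured result on both means the browser's own default is in force.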

IE 64-bit Processes

Category: Browser security

OS: Windows

Description

Verifies the local group policy Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page.

This policy setting determines whether Internet Explorer 11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows.

Important

Some ActiveX controls and toolbars may not be available when 64-bit processes are used.

  • If you enable this policy setting, Internet Explorer 11 will use 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.

  • If you do not configure this policy setting, users can turn this feature on or off using Internet Explorer settings. This feature is turned off by default.

Recommendation

Set this policy to Enabled.

Enhanced Protected Mode

Category: Browser security

OS: Windows

Description

Verifies the local group policy Turn on Enhanced Protected Mode, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page.

Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows.

For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system.

  • If you enable this policy setting, Enhanced Protected Mode will be turned on.

    Any zone that has Protected Mode enabled will use Enhanced Protected Mode. Users will not be able to disable Enhanced Protected Mode.

  • If you do not configure this policy, users will be able to turn on or turn off Enhanced Protected Mode on the Advanced tab of the Internet Options dialog.

Recommendation

Set this policy to Enabled.

Intranet UNCs

Category: Browser security

OS: Windows

Description

Verifies the local group policy Intranet Sites: Include all network paths (UNCs), located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page.

This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone.

  • If you enable this policy setting, all network paths are mapped into the Intranet Zone.

  • If you disable this policy setting, network paths are not necessarily mapped into the Intranet Zone (other rules might map one there).

Recommendation

Set this policy to Disabled.

Certificate Address Mismatch Warning

Category: Browser security

OS: Windows

Description

Verifies the local group policy Turn on certificate address mismatch warning, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page.

This policy setting allows you to turn on the certificate address mismatch security warning.

When this policy setting is turned on, the user is warned when visiting Secure HTTP (HTTPS) websites that present certificates issued for a different website address.

This warning helps prevent spoofing attacks.

  • If you enable this policy setting, the certificate address mismatch warning always appears.

Recommendation

Set this policy to Enabled.

Access Data Across Domains

Category: Browser security

OS: Windows

Description

Verifies the local group policy Access data sources across domains, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

  • If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

  • If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Allow cut, copy or paste operations from the clipboard via script (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Allow cut, copy or paste operations from the clipboard via script, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This setting allows managing whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region.

  • If you enable this policy setting, a script can perform a clipboard operation.

  • If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations.

  • If you disable or do not configure this policy setting, a script cannot perform a clipboard operation.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Allow drag and drop or copy and paste files (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Allow drag and drop or copy and paste files, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone.

  • If you enable this policy setting, users can drag files or copy and paste files from this zone automatically.

  • If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Allow loading of XAML files (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Allow loading of XAML files, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files.

XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take advantage of the Windows Presentation Foundation.

  • If you enable this policy setting and set the drop-down box to Enable, XAML files are automatically loaded inside Internet Explorer.

    The user cannot change this behavior.

  • If you set the drop-down box to Prompt, the user is prompted for loading XAML files.

  • If you disable this policy setting, XAML files are not loaded inside Internet Explorer.

    The user cannot change this behavior.

  • If you do not configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Allow only approved domains to use ActiveX controls without prompt (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Allow only approved domains to use ActiveX controls without prompt, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This policy setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control.

  • If you enable this policy setting, the user is prompted before ActiveX controls can run from websites in this zone.

    The user can choose to allow the control to run from the current site or from all sites.

  • If you disable this policy setting, the user does not see the per-site ActiveX prompt, and ActiveX controls can run from all sites in this zone.

Recommendation

Set this policy to Enabled > Enable.

Internet Explorer: Allow only approved domains to use the TDC ActiveX control (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Allow only approved domains to use the TDC ActiveX control, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This policy setting controls whether or not the user is allowed to run the TDC ActiveX control on websites.

  • If you enable this policy setting, the TDC ActiveX control will not run from websites in this zone.

Recommendation

Set this policy to Enabled > Enable.

Internet Explorer: Allow scripting of Internet Explorer WebBrowser controls (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Allow scripting of Internet Explorer WebBrowser controls, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This policy setting determines whether a page can control embedded WebBrowser controls via script.

  • If you enable this policy setting, script access to the WebBrowser control is allowed.

  • If you do not configure this policy setting, the user can enable or disable script access to the WebBrowser control.

By default, script access to the WebBrowser control is allowed only in the Local Machine and Intranet zones.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Allow script-initiated windows without size or position constraints (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Allow script-initiated windows without size or position constraints, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This policy setting allows managing restrictions on script-initiated pop-up windows and windows that include the title and status bars.

  • If you enable this policy setting, Windows Restrictions security will not apply in this zone.

    The security zone runs without the added layer of security provided by this feature.

  • If you disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run.

    This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.

  • If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run.

    This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Allow scriptlets (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Allow scriptlets, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This setting allows managing whether the user can run scriptlets.

  • If you enable this policy setting, the user can run scriptlets.

  • If you disable this policy setting, the user cannot run scriptlets.

  • If you do not configure this policy setting, the user can enable or disable scriptlets.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Allow updates to status bar via script (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Allow updates to status bar via script, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This setting allows managing whether script is allowed to update the status bar within the zone.

  • If you enable this policy setting, script is allowed to update the status bar.

  • If you disable or do not configure this policy setting, script is not allowed to update the status bar.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Allow VBScript to run in Internet Explorer (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Allow VBScript to run in Internet Explorer, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This policy setting allows you to manage whether VBScript can be run on pages from the specified zone in Internet Explorer.

  • If you select Enable in the drop-down box, VBScript can run without user intervention.

  • If you select Prompt in the drop-down box, users are asked to choose whether to allow VBScript to run.

  • If you select Disable in the drop-down box or do not configure this setting, VBScript is prevented from running.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Automatic prompting for file downloads (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Automatic prompting for file downloads, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This setting determines whether users will be prompted for non-user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

  • If you enable this setting, users will receive a file download dialog for automatic download attempts.

  • If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog.

    Users can then click the Notification bar to allow the file download prompt.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Don't run antimalware programs against ActiveX controls (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Don't run antimalware programs against ActiveX controls, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they are safe to load on pages.

  • If you disable this policy, Internet Explorer always checks with your antimalware program to see if it is safe to create an instance of the ActiveX control.

  • If you do not configure this policy, Internet Explorer always checks with your antimalware program to see if it is safe to create an instance of the ActiveX control. Users can turn this behavior on or off using Internet Explorer Security settings.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Download signed ActiveX controls (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Download signed ActiveX controls, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This policy allows managing whether users may download signed ActiveX controls from a page in the zone.

  • If you enable this policy, users can download signed controls without user intervention.

  • If you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who are not trusted. Code signed by trusted publishers is silently downloaded.

  • If you disable the policy setting, signed controls cannot be downloaded.

  • If you do not configure this policy, users are queried whether to download controls signed by publishers who are not trusted.

    Code signed by trusted publishers is silently downloaded.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Download unsigned ActiveX controls (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Download unsigned ActiveX controls, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This policy allows you to manage whether users may download unsigned ActiveX controls from the zone.

Such code is potentially harmful, especially when coming from an untrusted zone.

  • If you enable this policy, users can run unsigned controls without user intervention.

  • If you select Prompt in the drop-down box, users are queried to choose whether to allow the unsigned control to run.

  • If you disable or do not configure this policy, users cannot run unsigned controls.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Enable dragging of content from different domains across windows (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Enable dragging of content from different domains across windows, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This policy allows setting options for dragging content from one domain to a different domain when the source and destination are in different windows.

  • If you enable this policy and click Enable, users can drag content from one domain to a different domain when the source and destination are in different windows.

    Users cannot change this setting.

  • If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when both the source and destination are in different windows.

    Users cannot change this setting.

  • In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in different windows.

    Users can change this setting in the Internet Options dialog.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Enable dragging of content from different domains within a window (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Enable dragging of content from different domains within a window, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This policy setting allows setting options for dragging content from one domain to a different domain when the source and destination are in the same window.

  • If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in the same window.

    Users cannot change this setting.

  • If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when the source and destination are in the same window.

    Users cannot change this setting in the Internet Options dialog.

  • In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in the same window.

    Users can change this setting in the Internet Options dialog.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Include local path when user is uploading files to a server (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Include local path when user is uploading files to a server, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This policy controls if the local path information is sent when the user is uploading a file via an HTML form.

  • If the local path information is sent, some information may be unintentionally revealed to the server.

    For instance, files sent from the user's desktop may contain the user name as a part of the path.

  • If you enable this policy, path information is sent when the user is uploading a file via an HTML form.

  • If you disable this policy, path information is removed when the user is uploading a file via an HTML form.

  • If you do not configure this policy, the user can choose whether path information is sent when he or she is uploading a file via an HTML form.

By default, path information is sent.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Initialize and script ActiveX controls not marked as safe (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Initialize and script ActiveX controls not marked as safe, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This policy allows managing ActiveX controls not marked as safe.

  • If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts.

    This setting is not recommended, except for secure and administered zones.

    This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

  • If you enable this policy and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

  • If you disable or do not configure this policy, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Java permissions (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Java permissions, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This policy allows you to manage permissions for Java applets.

If you enable this setting, you can choose options from the drop-down box:

  • High Safety: enables applets to run in their sandbox.

  • Medium Safety: enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.

  • Low Safety: enables applets to perform all operations.

  • Custom: to control permissions settings individually.

  • Disable Java: Java applets cannot run; choose this to prevent any applets from running.

  • If you do not configure this policy, the permission is set to High Safety.

Recommendation

Set this policy to Enabled > Disable Java.

Internet Explorer: Launching applications and files in an IFRAME (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Launching applications and files in an IFRAME, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This policy allows managing whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone.

  • If you enable this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention.

  • If you select Prompt in the drop-down box or do not configure this policy, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone.

  • If you disable this policy, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Logon options (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Logon options, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This policy allows managing settings for logon options. If you enable this policy, you can choose from the following logon options:

  • Anonymous logon: to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol.

  • Prompt for user name and password: to query users for user IDs and passwords.

    After a user is queried, these values can be used silently for the remainder of the session.

  • Automatic logon only in Intranet zone: to query users for user IDs and passwords in other zones.

    After a user is queried, these values can be used silently for the remainder of the session.

  • Automatic logon with current user name and password: to attempt logon using Windows NT Challenge Response (also known as NTLM authentication).

    If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password; if it is not supported, the user is queried to provide the user name and password.

  • If you disable or do not configure this policy setting, logon is set to Automatic logon only in Intranet zone.

Recommendation

Set this policy to Enabled > Prompt for user name and password.

Internet Explorer: Navigate windows and frames across different domains (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Navigate windows and frames across different domains, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This policy allows managing the opening of windows and frames and access of applications across different domains.

  • If you enable or do not configure this policy, users can open windows and frames from other domains and access applications from other domains.

  • If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.

  • If you disable this policy, users cannot open windows and frames to access applications from different domains.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Run .NET Framework-reliant components not signed with Authenticode (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Run .NET Framework-reliant components not signed with Authenticode, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This setting allows managing whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer.

These components include managed controls referenced from an object tag and managed executables referenced from a link.

  • If you enable or do not configure this setting, Internet Explorer will execute unsigned managed components.

  • If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

  • If you disable this setting, Internet Explorer will not execute unsigned managed components.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Run .NET Framework-reliant components signed with Authenticode (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Run .NET Framework-reliant components signed with Authenticode, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This setting allows managing whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer.

These components include managed controls referenced from an object tag and managed executables referenced from a link.

  • If you enable this policy setting, Internet Explorer will execute signed managed components.

  • If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components.

  • If you disable this setting, Internet Explorer will not execute signed managed components.

  • If you do not configure this setting, Internet Explorer will not execute signed managed components.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Show security warning for potentially unsafe files (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Show security warning for potentially unsafe files, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example).

  • If you enable this setting and set the drop-down box to Enable, these files open without a security warning.

  • If you set the drop-down box to Prompt, a security warning appears before the files open.

  • If you disable this setting, these files do not open.

  • If you do not configure this setting, the user can configure how the computer handles these files.

By default, these files are blocked in the Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones.

Recommendation

Set this policy to Enabled > Prompt.

Internet Explorer: Turn on Cross-Site Scripting Filter (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Turn on Cross-Site Scripting Filter, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This setting controls whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone.

  • If you enable this policy setting, the XSS Filter is turned on for sites in this zone, and the XSS Filter attempts to block cross-site script injections.

  • If you disable this policy setting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections.

Recommendation

Set this policy to Enabled > Enable.

Internet Explorer: Turn on Protected Mode (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Turn on Protected Mode, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This setting allows you to turn on Protected Mode.

Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system. It relies on the integrity-level mechanism that comes with User Account Control (UAC): on a computer where UAC is turned off, Protected Mode is unavailable regardless of this policy.

  • If you enable this policy setting, Protected Mode is turned on.

    The user cannot turn off Protected Mode.

  • If you disable this policy setting, Protected Mode is turned off.

    The user cannot turn on Protected Mode.

  • If you do not configure this policy setting, the user can turn on or turn off Protected Mode.

Recommendation

Set this policy to Enabled > Enable.

Internet Explorer: Turn on SmartScreen Filter scan (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Turn on SmartScreen Filter scan, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

  • If you enable this setting, SmartScreen Filter scans pages in this zone for malicious content.

  • If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

  • If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

Note

In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

Recommendation

Set this policy to Enabled > Enable.

Internet Explorer: Use Pop-up Blocker (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Use Pop-up Blocker, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This setting allows managing whether unwanted pop-up windows appear.

Pop-up windows that are opened when the end user clicks a link are not blocked.

  • If you enable or do not configure this policy setting, most unwanted pop-up windows are prevented from appearing.

  • If you disable this policy setting, pop-up windows are not prevented from appearing.

Recommendation

Set this policy to Enabled > Enable.

Internet Explorer: Userdata persistence (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Userdata persistence, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This setting allows managing the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

  • If you enable or do not configure this setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

  • If you disable this setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Web sites in less privileged Web content zones can navigate into this zone (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Web sites in less privileged Web content zones can navigate into this zone, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This setting allows managing whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.

  • If you enable this setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature.

  • If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

  • If you disable this setting, the possibly harmful navigations are prevented.

    The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

  • If you do not configure this setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.

Recommendation

Set this policy to Enabled > Disable.
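As an added worked example (this script is not part of the page or of the product it describes), the following PowerShell reads the machine policy values behind the Internet Zone entries above and reports whether each one matches the recommendation. It assumes the standard mapping between these policies and the Internet Explorer URL-action value names under HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 (1409, 2500 and so on) and the encoding 0 = Enable, 1 = Prompt, 3 = Disable; verify the names against your ADMX before relying on them.

```powershell
# Added audit example, not the page's own tooling. Compares the machine Group Policy
# values for the Internet zone (zone 3) against the recommendations above.
# Assumed: URL-action value names and the encoding 0 = Enable, 1 = Prompt, 3 = Disable.
# Zone numbers: 0 Local Machine, 1 Intranet, 2 Trusted Sites, 3 Internet, 4 Restricted Sites.

$PolicyBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$UserBase   = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Recommended value per policy, taken from the Internet Zone entries in this section.
$InternetZoneBaseline = @(
    @{ Name = 'Run .NET Framework-reliant components signed with Authenticode'; Value = '2001'; Want = 3 },
    @{ Name = 'Show security warning for potentially unsafe files';             Value = '1806'; Want = 1 },
    @{ Name = 'Turn on Cross-Site Scripting Filter';                            Value = '1409'; Want = 0 },
    @{ Name = 'Turn on Protected Mode';                                         Value = '2500'; Want = 0 },
    @{ Name = 'Turn on SmartScreen Filter scan';                                Value = '2301'; Want = 0 },
    @{ Name = 'Use Pop-up Blocker';                                             Value = '1809'; Want = 0 },
    @{ Name = 'Userdata persistence';                                           Value = '1606'; Want = 3 },
    @{ Name = 'Web sites in less privileged zones can navigate into this zone'; Value = '2101'; Want = 3 }
)

$ActionLabel = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent (policy "Not configured").
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Format-Action {
    param($Value)
    if ($null -eq $Value) { return '-' }
    if ($ActionLabel.ContainsKey([int]$Value)) { return $ActionLabel[[int]$Value] }
    return "unknown ($Value)"
}

function Test-IEZoneBaseline {
    param([array]$Baseline = $InternetZoneBaseline)
    foreach ($entry in $Baseline) {
        $policy = Get-ZoneValue -Path $PolicyBase -Name $entry.Value
        $user   = Get-ZoneValue -Path $UserBase   -Name $entry.Value
        # A policy value overrides the user's Internet Options; without one, the HKCU value applies.
        $effective = if ($null -ne $policy) { $policy } else { $user }
        $state = if ($null -eq $policy) { 'NotConfigured' }
                 elseif ($policy -eq $entry.Want) { 'Compliant' }
                 else { 'NonCompliant' }
        [pscustomobject]@{
            Setting   = $entry.Name
            UrlAction = $entry.Value
            Policy    = Format-Action $policy
            Effective = Format-Action $effective
            Expected  = Format-Action $entry.Want
            State     = $state
        }
    }
}

Test-IEZoneBaseline | Format-Table -AutoSize
```

Reading these keys needs no elevation. A NotConfigured row means the policy is absent; the Effective column then shows what the current user's own Internet Options select, which is the value a user can change at will and the reason the recommendation is to configure the policy explicitly.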

Internet Explorer: Don't run antimalware programs against ActiveX controls (Intranet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Don't run antimalware programs against ActiveX controls, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone.

This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they are safe to load on pages.

  • If you enable or do not configure this policy setting, Internet Explorer will not check with your antimalware program to see if it is safe to create an instance of the ActiveX control.

  • If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it is safe to create an instance of the ActiveX control.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Initialize and script ActiveX controls not marked as safe (Intranet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Initialize and script ActiveX controls not marked as safe, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone.

This policy setting allows you to manage ActiveX controls not marked as safe.

  • If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts.

    This setting is not recommended, except for secure and administered zones.

    This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

  • If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

  • If you disable or do not configure this setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Java permissions (Intranet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Java permissions, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone.

This policy setting allows managing permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box:

  • Custom: to control permissions settings individually.

  • Low Safety: enables applets to perform all operations.

  • Medium Safety: enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.

  • High Safety: enables applets to run in their sandbox.

  • Disable Java: to prevent any applets from running.

  • If you disable this setting, Java applets cannot run.

  • If you do not configure this setting, the permission is set to Medium Safety.

Recommendation

Set this policy to Enabled > High Safety.

Internet Explorer: Don't run antimalware programs against ActiveX controls (Local Machine Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Don't run antimalware programs against ActiveX controls, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone.

This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they are safe to load on pages.

  • If you enable or do not configure this setting, Internet Explorer will not check with your antimalware program to see if it is safe to create an instance of the ActiveX control.

  • If you disable this setting, Internet Explorer always checks with your antimalware program to see if it is safe to create an instance of the ActiveX control.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Java permissions (Local Machine Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Java permissions, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone.

This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box:

  • Custom: to control permissions settings individually.

  • Low Safety: enables applets to perform all operations.

  • Medium Safety: enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.

  • High Safety: enables applets to run in their sandbox.

  • Disable Java: to prevent any applets from running.

  • If you disable this setting, Java applets cannot run.

  • If you do not configure this setting, the permission is set to Medium Safety.

Recommendation

Set this policy to Enabled > Disable Java.

Internet Explorer: Turn on SmartScreen Filter scan (Locked-Down Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Turn on SmartScreen Filter scan, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone.

This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

  • If you enable this setting, SmartScreen Filter scans pages in this zone for malicious content.

  • If you disable this setting, SmartScreen Filter does not scan pages in this zone for malicious content.

  • If you do not configure this setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

Note

In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

Recommendation

Set this policy to Enabled > Enable.

Internet Explorer: Java permissions (Locked-Down Intranet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Java permissions, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone.

This setting allows managing permissions for Java applets. If you enable this setting, you can choose options from the drop-down box:

  • Custom: to control permissions settings individually.

  • Low Safety: enables applets to perform all operations.

  • Medium Safety: enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.

  • High Safety: enables applets to run in their sandbox.

  • Disable Java: to prevent any applets from running.

Recommendation

Set this policy to Enabled > Disable Java.

Internet Explorer: Java permissions (Locked-Down Local Machine Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Java permissions, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone.

This policy setting allows you to manage permissions for Java applets.

If you enable this policy setting, you can choose options from the drop-down box:

  • Custom: to control permissions settings individually.

  • Low Safety: enables applets to perform all operations.

  • Medium Safety: enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.

  • High Safety: enables applets to run in their sandbox.

  • Disable Java: to prevent any applets from running.

  • If you disable this policy setting, Java applets cannot run.

  • If you do not configure this policy setting, Java applets are disabled.

Recommendation

Set this policy to Enabled > Disable Java.

Internet Explorer: Java permissions (Locked-Down Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Java permissions, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone.

This policy setting allows you to manage permissions for Java applets.

If you enable this policy setting, you can choose options from the drop-down box:

  • Custom: to control permissions settings individually.

  • Low Safety: enables applets to perform all operations.

  • Medium Safety: enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.

  • High Safety: enables applets to run in their sandbox.

  • Disable Java: to prevent any applets from running.

  • If you disable this policy setting, Java applets cannot run.

  • If you do not configure this policy setting, Java applets are disabled.

Recommendation

Set this policy to Enabled > Disable Java.

Internet Explorer: Turn on SmartScreen Filter scan (Locked-Down Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Turn on SmartScreen Filter scan, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone.

This setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

  • If you enable this setting, SmartScreen Filter scans pages in this zone for malicious content.

  • If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

  • If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

Note

In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

Recommendation

Set this policy to Enabled > Enable.

Internet Explorer: Java permissions (Locked-Down Trusted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Java permissions, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone.

This setting allows managing permissions for Java applets.

If you enable this policy setting, you can choose options from the drop-down box:

  • Custom: to control permissions settings individually.

  • Low Safety: enables applets to perform all operations.

  • Medium Safety: enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.

  • High Safety: enables applets to run in their sandbox.

  • Disable Java: to prevent any applets from running.

  • If you disable this setting, Java applets cannot run.

  • If you do not configure this setting, Java applets are disabled.

Recommendation

Set this policy to Enabled > Disable Java.
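The Java permissions entries above (Intranet, Local Machine and the four Locked-Down zones) differ from the other zone policies in two ways that matter when auditing them: the Locked-Down variants are stored under Lockdown_Zones rather than Zones, and the drop-down choice is not a 0/1/3 value but a level code. The following PowerShell, added here as a worked example and not taken from the page or its product, decodes the setting for every zone and compares it with the recommendations in this section. It assumes the value name 1C00 and the encoding 0x00000 Disable Java, 0x10000 High Safety, 0x20000 Medium Safety, 0x30000 Low Safety, 0x800000 Custom, which are the well-known Internet Explorer zone values; confirm them against your ADMX.

```powershell
# Added example, not the page's own tooling: decode "Java permissions" (URL action 1C00)
# for the normal and Locked-Down zones and check it against this section's recommendations.
# Assumed: the 1C00 value name, the level encoding below, and the Lockdown_Zones container.
# Zone numbers: 0 Local Machine, 1 Intranet, 2 Trusted Sites, 3 Internet, 4 Restricted Sites.

$JavaLevel = @{
    0x000000 = 'Disable Java'
    0x010000 = 'High Safety'
    0x020000 = 'Medium Safety'
    0x030000 = 'Low Safety'
    0x800000 = 'Custom'
}
$ZoneName = @{ 0 = 'Local Machine'; 1 = 'Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

# Recommended level per zone, from the entries in this section (zones not listed get no verdict).
$Recommended = @{
    'Zones\1'          = 'High Safety'
    'Zones\0'          = 'Disable Java'
    'Lockdown_Zones\1' = 'Disable Java'
    'Lockdown_Zones\0' = 'Disable Java'
    'Lockdown_Zones\4' = 'Disable Java'
    'Lockdown_Zones\2' = 'Disable Java'
}

function Get-IEJavaPermission {
    param([int]$Zone, [switch]$LockedDown)
    $container = if ($LockedDown) { 'Lockdown_Zones' } else { 'Zones' }
    $key  = "$container\$Zone"
    $path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\$key"
    $raw  = $null
    if (Test-Path $path) {
        $item = Get-ItemProperty -Path $path -Name '1C00' -ErrorAction SilentlyContinue
        if ($null -ne $item) { $raw = [int]$item.'1C00' }
    }
    $level = if ($null -eq $raw) { 'Not configured' }
             elseif ($JavaLevel.ContainsKey($raw)) { $JavaLevel[$raw] }
             else { 'Unknown (0x{0:X})' -f $raw }
    $want = $Recommended[$key]
    [pscustomobject]@{
        Zone        = $ZoneName[$Zone] + $(if ($LockedDown) { ' (Locked-Down)' } else { '' })
        Raw         = if ($null -ne $raw) { '0x{0:X6}' -f $raw } else { '-' }
        Level       = $level
        Recommended = if ($want) { $want } else { 'n/a' }
        Compliant   = if ($want) { $level -eq $want } else { $null }
    }
}

0..4 | ForEach-Object {
    Get-IEJavaPermission -Zone $_
    Get-IEJavaPermission -Zone $_ -LockedDown
} | Format-Table -AutoSize
```

Note that Medium Safety is the default the page gives for the normal zones and Disable Java for the Locked-Down ones, so a Not configured result is not equivalent across the two families: the same absent value is a finding in the Intranet and Local Machine zones but matches the recommendation's intent in the Locked-Down zones, which is why the script reports the decoded level rather than only presence.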

Internet Explorer: Access data sources across domains (Restricted Sites Zone)

Category: Network and credentials

OS: Windows

Description

Verifies the local group policy Access data sources across domains, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This policy setting allows managing whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

  • If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

  • If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

  • If you disable or do not configure this setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Allow active scripting (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Allow active scripting, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting allows you to manage whether script code on pages in the zone is run.

  • If you enable this setting, script code on pages in the zone can run automatically.

  • If you select Prompt in the drop-down box, users are queried to choose whether to allow script code on pages in the zone to run.

  • If you disable or do not configure this setting, script code on pages in the zone is prevented from running.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Allow binary and script behaviors (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Allow binary and script behaviors, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting allows managing dynamic binary and script behaviors: components that encapsulate specific functionality for HTML elements to which they were attached.

  • If you enable this setting, binary and script behaviors are available.

  • If you select Administrator approved in the drop-down box, only behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available.

  • If you disable or do not configure this setting, binary and script behaviors are not available unless applications have implemented a custom security manager.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Allow cut, copy or paste operations from the clipboard via script (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Allow cut, copy or paste operations from the clipboard via script, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting allows managing whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region.

  • If you enable this policy setting, a script can perform a clipboard operation.

  • If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations.

  • If you disable or do not configure this policy setting, a script cannot perform a clipboard operation.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Allow drag and drop or copy and paste files (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Allow drag and drop or copy and paste files, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting allows managing whether users can drag files or copy and paste files from a source within the zone.

  • If you enable this policy setting, users can drag files or copy and paste files from this zone automatically.

  • If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone.

  • If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this zone.

  • If you do not configure this policy setting, users are queried to choose whether to drag or copy files from this zone.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Allow file downloads (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Allow file downloads, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting allows managing whether file downloads are permitted from the zone.

This option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered.

  • If you enable this setting, files can be downloaded from the zone.

  • If you disable or do not configure this setting, files are prevented from being downloaded from the zone.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Allow loading of XAML files (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Allow loading of XAML files, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting allows managing the loading of Extensible Application Markup Language (XAML) files.

XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take advantage of the Windows Presentation Foundation.

  • If you enable this setting and set the drop-down box to Enable, XAML files are automatically loaded inside Internet Explorer. The user cannot change this behavior.

  • If you set the drop-down box to Prompt, the user is prompted for loading XAML files.

  • If you disable this setting, XAML files are not loaded inside Internet Explorer. The user cannot change this behavior.

  • If you do not configure this setting, the user can decide whether to load XAML files inside Internet Explorer.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Allow META REFRESH (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Allow META REFRESH, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting allows managing whether a user's browser can be redirected to another Web page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page.

  • If you enable this setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web page.

  • If you disable or do not configure this setting, a user's browser that loads a page containing an active Meta Refresh setting cannot be redirected to another Web page.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Allow only approved domains to use ActiveX controls without prompt (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Allow only approved domains to use ActiveX controls without prompt, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control.

  • If you enable this setting, the user is prompted before ActiveX controls can run from websites in this zone.

    The user can choose to allow the control to run from the current site or from all sites.

  • If you disable this setting, the user does not see the per-site ActiveX prompt, and ActiveX controls can run from all sites in this zone.

Recommendation

Set this policy to Enabled > Enable.

Internet Explorer: Allow only approved domains to use the TDC ActiveX control (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Allow only approved domains to use the TDC ActiveX control, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting controls whether or not the user is allowed to run the TDC (Tabular Data Control) ActiveX control, which loads delimited text data files into a page, on websites in this zone.

  • If you enable this setting, the TDC ActiveX control will not run from websites in this zone.

  • If you disable this setting, the TDC ActiveX control will run from all sites in this zone.

Recommendation

Set this policy to Enabled > Enable.

Internet Explorer: Allow scripting of Internet Explorer WebBrowser controls (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Allow scripting of Internet Explorer WebBrowser controls, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting determines whether a page can control embedded WebBrowser controls via script.

  • If you enable this setting, script access to the WebBrowser control is allowed.

  • If you disable this setting, script access to the WebBrowser control is not allowed.

  • If you do not configure this policy setting, the user can enable or disable script access to the WebBrowser control.

By default, script access to the WebBrowser control is allowed only in the Local Machine and Intranet zones.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Allow script-initiated windows without size or position constraints (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Allow script-initiated windows without size or position constraints, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting allows managing restrictions on script-initiated pop-up windows and windows that include the title and status bars.

  • If you enable this policy setting, Windows Restrictions security will not apply in this zone.

    The security zone runs without the added layer of security provided by this feature.

  • If you disable or do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run.

    This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Allow scriptlets (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Allow scriptlets, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting allows managing whether the user can run scriptlets.

  • If you enable this policy setting, the user can run scriptlets.

  • If you disable this policy setting, the user cannot run scriptlets.

  • If you do not configure this policy setting, the user can enable or disable scriptlets.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Allow updates to status bar via script (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Allow updates to status bar via script, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting allows managing whether script is allowed to update the status bar within the zone.

  • If you enable this policy setting, script is allowed to update the status bar.

  • If you disable or do not configure this policy setting, script is not allowed to update the status bar.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Allow VBScript to run in Internet Explorer (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Allow VBScript to run in Internet Explorer, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This policy setting allows you to manage whether VBScript can be run on pages from the specified zone in Internet Explorer.

  • If you select Enable in the drop-down box, VBScript can run without user intervention.

  • If you select Prompt in the drop-down box, users are asked to choose whether to allow VBScript to run.

  • If you select Disable in the drop-down box or do not configure this setting, VBScript is prevented from running.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Automatic prompting for file downloads (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Automatic prompting for file downloads, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting determines whether users will be prompted for non-user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

  • If you enable this setting, users will receive a file download dialog for automatic download attempts.

  • If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog.

    Users can then click the Notification bar to allow the file download prompt.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Don't run antimalware programs against ActiveX controls (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Don't run antimalware programs against ActiveX control, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they are safe to load on pages.

  • If you enable this policy setting, Internet Explorer will not check with your antimalware program to see if it is safe to create an instance of the ActiveX control.

  • If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it is safe to create an instance of the ActiveX control.

  • If you do not configure this policy setting, Internet Explorer always checks with your antimalware program to see if it is safe to create an instance of the ActiveX control.

    Users can turn this behavior on or off, using Internet Explorer Security settings.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Download signed ActiveX controls (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Download signed ActiveX controls, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting allows managing whether users may download signed ActiveX controls from a page in the zone.

  • If you enable this policy, users can download signed controls without user intervention.

  • If you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who are not trusted.

    Code signed by trusted publishers is silently downloaded.

  • If you disable or do not configure this setting, signed controls cannot be downloaded.

Recommendation

Set this policy to Disabled.

Internet Explorer: Download unsigned ActiveX controls (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Download unsigned ActiveX controls, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This policy setting allows managing whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone.

  • If you enable this policy setting, users can run unsigned controls without user intervention.

  • If you select Prompt in the drop-down box, users are queried to choose whether to allow the unsigned control to run.

  • If you disable or do not configure this setting, users cannot run unsigned controls.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Enable dragging of content from different domains across windows (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Enable dragging of content from different domains across windows, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting controls whether users can drag content from one domain to a different domain when the source and destination are in different windows.

  • If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in different windows.

    Users cannot change this setting.

  • If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when the source and destination are in different windows.

    Users cannot change this setting.

  • In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in different windows.

    Users can change this setting in the Internet Options dialog.

  • In Internet Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different domain when the source and destination are in different windows.

    Users cannot change this setting.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Enable dragging of content from different domains within a window (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Enable dragging of content from different domains within a window, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting controls whether users can drag content from one domain to a different domain when the source and destination are in the same window.

  • If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in the same window.

    Users cannot change this setting.

  • If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when the source and destination are in the same window.

    Users cannot change this setting in the Internet Options dialog.

  • In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in the same window.

    Users can change this setting in the Internet Options dialog.

  • In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from one domain to a different domain when the source and destination are in the same window.

    Users cannot change this setting in the Internet Options dialog.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Include local path when user is uploading files to a server (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Include local path when user is uploading files to a server, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting controls whether or not local path information is sent when the user is uploading a file via an HTML form.

If the local path information is sent, some information may be unintentionally revealed to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path.

  • If you enable this setting, path information is sent when the user is uploading a file via an HTML form.

  • If you disable this setting, path information is removed when the user is uploading a file via an HTML form.

  • If you do not configure this setting, the user can choose whether path information is sent when he or she is uploading a file via an HTML form.

    By default, path information is sent.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Initialize and script ActiveX controls not marked as safe (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Initialize and script ActiveX controls not marked as safe, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting allows managing ActiveX controls not marked as safe.

  • If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts.

    This setting is not recommended, except for secure and administered zones.

    This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

  • If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

  • If you disable or do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Java permissions (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Java permissions, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting allows managing permissions for Java applets.

  • If you enable this policy setting, you can choose options from the drop-down box:

    • Custom: control permissions settings individually.

    • Low Safety: enable applets to perform all operations.

    • Medium Safety: enable applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.

    • High Safety: enable applets to run in their sandbox.

    • Disable Java: prevent any applets from running.

  • If you disable this setting, Java applets cannot run.

  • If you do not configure this setting, Java applets are disabled.

Recommendation

Set this policy to Enabled > Disable Java.

Internet Explorer: Launching applications and files in an IFRAME (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Launching applications and files in an IFRAME, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting allows managing whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone.

  • If you enable this setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention.

  • If you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone.

  • If you disable or do not configure this setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Logon options (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Logon options, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting allows managing settings for logon options.

  • If you enable this setting, you can choose from the following logon options:

    • Anonymous logon: to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol.

    • Prompt for user name and password: to query users for user IDs and passwords.

      After a user is queried, these values can be used silently for the remainder of the session.

    • Automatic logon only in Intranet zone: to query users for user IDs and passwords in other zones.

      After a user is queried, these values can be used silently for the remainder of the session.

    • Automatic logon with current user name and password: to attempt logon using Windows NT Challenge Response (also known as NTLM authentication).

      • If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon.

      • If Windows NT Challenge Response is not supported by the server, the user is queried to provide the user name and password.

  • If you disable this setting, logon is set to Automatic logon only in Intranet zone.

  • If you do not configure this setting, logon is set to Prompt for username and password.

Recommendation

Set this policy to Enabled > Anonymous logon.

Internet Explorer: Navigate windows and frames across different domains (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Navigate windows and frames across different domains, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting allows managing the opening of windows and frames and access of applications across different domains.

  • If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains.

  • If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains.

  • If you disable or do not configure this setting, users cannot open other windows and frames from other domains or access applications from different domains.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Run .NET Framework-reliant components not signed with Authenticode (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Run .NET Framework-reliant components not signed with Authenticode, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting allows managing whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer.

These components include managed controls referenced from an object tag and managed executables referenced from a link.

  • If you enable this policy setting, Internet Explorer will execute unsigned managed components.

  • If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

  • If you disable or do not configure this setting, Internet Explorer will not execute unsigned managed components.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Run .NET Framework-reliant components signed with Authenticode (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Run .NET Framework-reliant components signed with Authenticode, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting allows managing whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer.

These components include managed controls referenced from an object tag and managed executables referenced from a link.

  • If you enable this policy setting, Internet Explorer will execute signed managed components.

  • If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components.

  • If you disable this setting, Internet Explorer will not execute signed managed components.

  • If you do not configure this setting, Internet Explorer will not execute signed managed components.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Run ActiveX controls and plugins (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Run ActiveX controls and plugins, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting allows managing whether ActiveX controls and plug-ins can be run on pages from the specified zone.

  • If you enable this setting, controls and plug-ins can run without user intervention.

  • If you select Prompt in the drop-down box, users are asked to choose whether to allow the control or plug-in to run.

  • If you disable or do not configure this setting, controls and plug-ins are prevented from running.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Script ActiveX controls marked safe for scripting (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Script ActiveX controls marked safe for scripting, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This policy setting allows managing whether an ActiveX control marked safe for scripting can interact with a script.

  • If you enable this setting, script interaction can occur automatically without user intervention.

  • If you select Prompt in the drop-down box, users are queried to choose whether to allow script interaction.

  • If you disable or do not configure this setting, script interaction is prevented from occurring.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Scripting of Java applets (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Scripting of Java applets, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting allows managing whether applets are exposed to scripts within the zone.

  • If you enable this setting, scripts can access applets automatically without user intervention.

  • If you select Prompt in the drop-down box, users are queried to choose whether to allow scripts to access applets.

  • If you disable or do not configure this setting, scripts are prevented from accessing applets.

Recommendation

Set this policy to Enabled > Disable.

Category: Browser security

OS: Windows

Description

This setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example).

  • If you enable this setting and set the drop-down box to Enable, these files open without a security warning.

  • If you set the drop-down box to Prompt, a security warning appears before the files open.

  • If you disable this setting, these files do not open.

  • If you do not configure this setting, the user can configure how the computer handles these files.

By default, these files are blocked in the Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones.

Recommendation

Internet Explorer: Turn on Cross-Site Scripting Filter (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Turn on Cross-Site Scripting Filter, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting controls whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone.

  • If you enable this setting, the XSS Filter is turned on for sites in this zone, and the XSS Filter attempts to block cross-site script injections.

  • If you disable this policy setting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections.

Recommendation

Set this policy to Enabled > Enable.

Internet Explorer: Turn on Protected Mode (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Turn on Protected Mode, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting allows turning on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system.

  • If you enable this setting, Protected Mode is turned on.

    The user cannot turn off Protected Mode.

  • If you disable this setting, Protected Mode is turned off.

    The user cannot turn on Protected Mode.

  • If you do not configure this setting, the user can turn on or turn off Protected Mode.

Recommendation

Set this policy to Enabled > Enable.

Internet Explorer: Turn on SmartScreen Filter scan (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Turn on SmartScreen Filter scan, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

  • If you enable this setting, SmartScreen Filter scans pages in this zone for malicious content.

  • If you disable this setting, SmartScreen Filter does not scan pages in this zone for malicious content.

  • If you do not configure this setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

Note

In Internet Explorer 7, this setting controls whether Phishing Filter scans pages in this zone for malicious content.

Recommendation

Set this policy to Enabled > Enable.

Internet Explorer: Use Pop-up Blocker (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Use Pop-up Blocker, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting allows managing whether unwanted pop-up windows appear.

Pop-up windows that are opened when the end user clicks a link are not blocked.

  • If you enable or do not configure this setting, most unwanted pop-up windows are prevented from appearing.

  • If you disable this setting, pop-up windows are not prevented from appearing.

Recommendation

Set this policy to Enabled > Enable.

Internet Explorer: Userdata persistence (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Userdata persistence, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting allows managing the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

  • If you enable this setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

  • If you disable or do not configure this setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Web sites in less privileged Web content zones can navigate into this zone (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Web sites in less privileged Web content zones can navigate into this zone, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting allows managing whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.

  • If you enable this setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.

    The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature.

  • If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

  • If you disable or do not configure this setting, the possibly harmful navigations are prevented.

    The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Don't run antimalware programs against ActiveX controls (Trusted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Don't run antimalware programs against ActiveX controls, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone.

This setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they are safe to load on pages.

  • If you enable this setting, Internet Explorer will not check with your antimalware program to see if it is safe to create an instance of the ActiveX control.

  • If you disable this setting, Internet Explorer always checks with your antimalware program to see if it is safe to create an instance of the ActiveX control.

  • If you do not configure this setting, Internet Explorer will not check with your antimalware program to see if it is safe to create an instance of the ActiveX control.

    Users can turn this behavior on or off, using Internet Explorer Security settings.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Initialize and script ActiveX controls not marked as safe (Trusted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Initialize and script ActiveX controls not marked as safe, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone.

This setting allows managing ActiveX controls not marked as safe.

  • If you enable this setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts.

    This setting is not recommended, except for secure and administered zones.

    This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

  • If you enable this setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

  • If you disable this setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

  • If you do not configure this setting, users are queried whether to allow the control to be loaded with parameters or scripted.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Java permissions (Trusted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Java permissions, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone.

This setting allows managing permissions for Java applets.

  • If you enable this setting, you can choose options from the drop-down box:

    • Custom: control permissions settings individually.

    • Low Safety: enable applets to perform all operations.

    • Medium Safety: enable applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.

    • High Safety: enable applets to run in their sandbox.

    • Disable Java: to prevent any applets from running.

  • If you disable this policy setting, Java applets cannot run.

  • If you do not configure this policy setting, the permission is set to Low Safety.

Recommendation

Set this policy to Enabled > High safety.
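The Restricted Sites Zone and Trusted Sites Zone entries above each verify one group policy value; the PowerShell function below, an added example that is not part of this page or of the product it describes, audits all of them in one pass by reading the policy registry hive that Computer Configuration group policy writes to. It assumes the standard Internet Explorer zone registry layout (zone 4 = Restricted Sites, zone 2 = Trusted Sites, numeric value names such as 1200 and 1C00, with 0 = Enable, 1 = Prompt, 3 = Disable); confirm those names against the ADMX file before treating a result as authoritative.

```powershell
# Added example (not the page's own tooling). ASSUMPTION: group policy stores the
# zone settings below under the HKLM Policies hive and uses the standard IE zone
# value names and numeric meanings (0 = Enable, 1 = Prompt, 3 = Disable).
$ZonesKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Expected value per zone, keyed by registry value name, following the page's
# recommendations: "Enabled > Disable" is 3, "Enabled > Enable" is 0.
$Expected = @{
    # Zone 4: Restricted Sites
    4 = @{
        '1209' = @{ Name = 'Allow scriptlets';                                   Value = 3 }
        '2103' = @{ Name = 'Allow updates to status bar via script';             Value = 3 }
        '140C' = @{ Name = 'Allow VBScript to run in Internet Explorer';         Value = 3 }
        '2200' = @{ Name = 'Automatic prompting for file downloads';             Value = 3 }
        '120B' = @{ Name = "Don't run antimalware programs against ActiveX controls"; Value = 3 }
        '1001' = @{ Name = 'Download signed ActiveX controls (Disable value)';   Value = 3 }
        '1004' = @{ Name = 'Download unsigned ActiveX controls';                 Value = 3 }
        '2709' = @{ Name = 'Enable dragging of content across windows';          Value = 3 }
        '2708' = @{ Name = 'Enable dragging of content within a window';         Value = 3 }
        '160A' = @{ Name = 'Include local path when uploading files';            Value = 3 }
        '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Value = 3 }
        '1C00' = @{ Name = 'Java permissions (0 = Disable Java)';                Value = 0 }
        '1407' = @{ Name = 'Launching applications and files in an IFRAME';      Value = 3 }
        '1A00' = @{ Name = 'Logon options (0x30000 = Anonymous logon)';          Value = 0x30000 }
        '1607' = @{ Name = 'Navigate windows and frames across different domains'; Value = 3 }
        '2004' = @{ Name = 'Run .NET components not signed with Authenticode';   Value = 3 }
        '2001' = @{ Name = 'Run .NET components signed with Authenticode';       Value = 3 }
        '1200' = @{ Name = 'Run ActiveX controls and plugins';                   Value = 3 }
        '1405' = @{ Name = 'Script ActiveX controls marked safe for scripting';  Value = 3 }
        '1402' = @{ Name = 'Scripting of Java applets';                          Value = 3 }
        '1409' = @{ Name = 'Turn on Cross-Site Scripting Filter';                Value = 0 }
        '2500' = @{ Name = 'Turn on Protected Mode';                             Value = 0 }
        '2301' = @{ Name = 'Turn on SmartScreen Filter scan';                    Value = 0 }
        '1809' = @{ Name = 'Use Pop-up Blocker';                                 Value = 0 }
        '1606' = @{ Name = 'Userdata persistence';                               Value = 3 }
        '2101' = @{ Name = 'Less privileged zones can navigate into this zone';  Value = 3 }
    }
    # Zone 2: Trusted Sites
    2 = @{
        '120B' = @{ Name = "Don't run antimalware programs against ActiveX controls"; Value = 3 }
        '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Value = 3 }
        '1C00' = @{ Name = 'Java permissions (0x10000 = High safety)';           Value = 0x10000 }
    }
}

function Test-IEZonePolicy {
    [CmdletBinding()]
    param(
        [hashtable]$Baseline = $Expected,
        [string]$Root = $ZonesKey
    )

    foreach ($zone in $Baseline.Keys) {
        $zoneKey = Join-Path $Root $zone
        # If the zone key is missing, nothing in this zone is enforced by policy.
        $props = if (Test-Path $zoneKey) { Get-ItemProperty -Path $zoneKey } else { $null }

        foreach ($valueName in $Baseline[$zone].Keys) {
            $want = $Baseline[$zone][$valueName]
            # A value absent from the Policies hive means "Not Configured": the
            # user can still change it, so the recommendation is not enforced.
            $actual = $null
            if ($null -ne $props) {
                $prop = $props.PSObject.Properties[$valueName]
                if ($null -ne $prop) { $actual = $prop.Value }
            }
            [pscustomobject]@{
                Zone      = $zone
                ValueName = $valueName
                Policy    = $want.Name
                Expected  = $want.Value
                Actual    = $actual
                Compliant = ($null -ne $actual) -and ([int]$actual -eq [int]$want.Value)
            }
        }
    }
}

# Usage: list only the policies that are not enforced as recommended.
Test-IEZonePolicy |
    Where-Object { -not $_.Compliant } |
    Format-Table Zone, ValueName, Policy, Expected, Actual -AutoSize
```

Values set through User Configuration land under HKCU:\SOFTWARE\Policies instead; pass that path as -Root to audit the per-user counterpart.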

Allow fallback to SSL 3.0 (Internet Explorer)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Allow fallback to SSL 3.0 (Internet Explorer), located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features.

This setting allows blocking an insecure fallback to SSL 3.0.

  • When this policy is enabled, Internet Explorer will attempt to connect to sites using SSL 3.0 or below when TLS 1.0 or greater fails.

    Do not allow insecure fallback in order to prevent a man-in-the-middle attack.

    This policy does not affect which security protocols are enabled.

  • If you disable this policy, system defaults will be used.

Recommendation

Set this policy to Enabled > No sites.

Remove Run this time button for outdated ActiveX controls in Internet Explorer

Category: Browser security

OS: Windows

Description

Verifies the local group policy Remove Run this time button for outdated ActiveX controls in Internet Explorer, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management.

This policy setting allows preventing users from seeing the Run this time button and from running specific outdated ActiveX controls in Internet Explorer.

  • If you enable this setting, users will not see the Run this time button on the warning message that appears when Internet Explorer blocks an outdated ActiveX control.

  • If you disable or don't configure this policy setting, users will see the Run this time button on the warning message that appears when Internet Explorer blocks an outdated ActiveX control.

    Clicking this button lets the user run the outdated ActiveX control once.

Recommendation

Set this policy to Enabled.

Turn off blocking of outdated ActiveX controls for Internet Explorer

Category: Browser security

OS: Windows

Description

Verifies the local group policy Turn off blocking of outdated ActiveX controls for Internet Explorer, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management.

This setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.

  • If you enable this setting, Internet Explorer stops blocking outdated ActiveX controls.

  • If you disable or do not configure this policy setting, Internet Explorer continues to block specific outdated ActiveX controls.

Recommendation

Set this policy to Disabled.

Internet Explorer Processes Handling

Category: Browser security

OS: Windows

Description

Verifies the local group policy Internet Explorer Processes, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Consistent Mime Handling.

Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling procedures for files received through a Web server.

This policy setting determines whether Internet Explorer requires that all file-type information provided by Web servers be consistent.

For example, if the MIME type of a file is text/plain but the MIME sniff indicates that the file is really an executable file, Internet Explorer renames the file by saving it in the Internet Explorer cache and changing its extension.

  • If you enable or do not configure this policy setting, Internet Explorer requires consistent MIME data for all received files.

  • If you disable this policy setting, Internet Explorer will not require consistent MIME data for all received files.

Recommendation

Set this policy to Enabled.

Internet Explorer Processes Sniffing

Category: Browser security

OS: Windows

Description

Verifies the local group policy Internet Explorer Processes, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Mime Sniffing Safety Feature.

This policy setting determines whether Internet Explorer MIME sniffing will prevent promotion of a file of one type to a more dangerous file type.

  • If you enable or do not configure this setting, MIME sniffing will never promote a file of one type to a more dangerous file type.

  • If you disable this setting, Internet Explorer processes will allow a MIME sniff promoting a file of one type to a more dangerous file type.

Recommendation

Set this policy to Enabled.

Internet Explorer Processes MK Protocol

Category: Browser security

OS: Windows

Description

Verifies the local group policy Internet Explorer Processes, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\MK Protocol Security Restriction.

The MK Protocol Security Restriction policy setting reduces the attack surface by blocking the legacy MK protocol (mk:@MSITStore:, used to reach content inside compiled help files). Resources hosted on the MK protocol will fail.

  • If you enable or do not configure this setting, the MK Protocol is prevented for File Explorer and Internet Explorer, and resources hosted on the MK protocol will fail.

  • If you disable this setting, applications can use the MK protocol API.

    Resources hosted on the MK protocol will work for the File Explorer and Internet Explorer processes.

Recommendation

Set this policy to Enabled.

Internet Explorer Processes Security background

Category: Browser security

OS: Windows

Description

Verifies the local group policy Internet Explorer Processes, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Notification bar.

This setting allows you to manage whether the Notification bar is displayed for Internet Explorer processes when file or code installs are restricted.

By default, the Notification bar is displayed for Internet Explorer processes.

  • If you enable or do not configure this setting, the Notification bar will be displayed for Internet Explorer Processes.

  • If you disable this policy setting, the Notification bar will not be displayed for Internet Explorer processes.

Recommendation

Set this policy to Enabled.

Internet Explorer Processes Zone Elevation

Category: Browser security

OS: Windows

Description

Verifies the local group policy Internet Explorer Processes, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Protection From Zone Elevation.

Internet Explorer places restrictions on each Web page it opens. The restrictions are dependent upon the location of the Web page (Internet, Intranet, Local Machine zone, etc.).

Web pages on the local computer have the fewest security restrictions and reside in the Local Machine zone, making the Local Machine security zone a prime target for malicious users.

Zone Elevation also disables JavaScript navigation if there is no security context.

  • If you enable or do not configure this setting, any zone can be protected from zone elevation by Internet Explorer processes.

  • If you disable this setting, no zone receives such protection for Internet Explorer processes.

Recommendation

Set this policy to Enabled.

Internet Explorer Processes Restrict ActiveX Install

Category: Browser security

OS: Windows

Description

Verifies the local group policy Internet Explorer Processes, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Restrict ActiveX Install.

This setting enables blocking of ActiveX control installation prompts for Internet Explorer processes.

  • If you enable this setting, prompting for ActiveX control installations will be blocked for Internet Explorer processes.

  • If you disable this setting, prompting for ActiveX control installations will not be blocked for Internet Explorer processes.

  • If you do not configure this setting, the user's preference will be used to determine whether to block ActiveX control installations for Internet Explorer processes.

Recommendation

Set this policy to Enabled.

Internet Explorer Processes Restrict Download

Category: Browser security

OS: Windows

Description

Verifies the local group policy Internet Explorer Processes, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Restrict File Download.

This setting enables blocking of file download prompts that are not user initiated.

  • If you enable this setting, file download prompts that are not user initiated will be blocked for Internet Explorer processes.

  • If you disable this policy setting, prompting will occur for file downloads that are not user initiated for Internet Explorer processes.

  • If you do not configure this setting, the user's preference determines whether to prompt for file downloads that are not user initiated for Internet Explorer processes.

Recommendation

Set this policy to Enabled.

Internet Explorer Processes Window Restrictions

Category: Browser security

OS: Windows

Description

Verifies the local group policy Internet Explorer Processes, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Scripted Window Security Restrictions.

Internet Explorer allows scripts to programmatically open, resize, and reposition windows of various types.

The Window Restrictions security feature restricts pop-up windows and prohibits scripts from displaying windows in which the title and status bars are not visible to the user, or which obscure the title and status bars of other windows.

  • If you enable or do not configure this setting, pop-up windows and other restrictions apply for File Explorer and Internet Explorer processes.

  • If you disable this setting, scripts can continue to create pop-up windows and windows that obfuscate other windows.

Recommendation

Set this policy to Enabled.
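The eleven Internet Explorer policies above (the SSL 3.0 fallback policy, the two outdated ActiveX control policies and the eight Internet Explorer Processes policies) are all written to the policy hive of the registry when Group Policy applies them, so they can be audited on an endpoint without opening the Group Policy editor. The PowerShell below is an added example written for this page, not code from the original page or from any product: it reads the values Group Policy writes for these policies and reports each one as OK, NotConfigured or Misconfigured. The FeatureControl key names, the three per-process value names and the EnableSSL3Fallback, VersionCheckEnabled and RunThisTimeEnabled values are taken from the Internet Explorer ADMX as the author understands it; confirm them against a GPO report from your own environment before relying on the script for compliance.

```powershell
# Added example written for this page; it is not code from the original page or
# from any product. Audits the Internet Explorer policies described above by
# reading the registry values Group Policy writes for them under the policy hive.
# Run in an elevated PowerShell session on the endpoint.
# Assumption: the key and value names below are taken from the Internet Explorer
# ADMX (inetres.admx) as the author understands it; verify against a GPO report.

$IEPolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer'

# Each "Internet Explorer Processes" policy is a FeatureControl key whose values
# are the processes it applies to; 1 means enforced. Setting the policy to
# Enabled writes all three values.
$FeatureKeys = [ordered]@{
    'Consistent Mime Handling'              = 'FEATURE_MIME_HANDLING'
    'Mime Sniffing Safety Feature'          = 'FEATURE_MIME_SNIFFING'
    'MK Protocol Security Restriction'      = 'FEATURE_DISABLE_MK_PROTOCOL'
    'Notification bar'                      = 'FEATURE_SECURITYBAND'
    'Protection From Zone Elevation'        = 'FEATURE_ZONE_ELEVATION'
    'Restrict ActiveX Install'              = 'FEATURE_RESTRICT_ACTIVEXINSTALL'
    'Restrict File Download'                = 'FEATURE_RESTRICT_FILEDOWNLOAD'
    'Scripted Window Security Restrictions' = 'FEATURE_WINDOW_RESTRICTIONS'
}
$ProcessValues = @('(Reserved)', 'explorer.exe', 'iexplore.exe')

# The other three policies are single DWORD values; Expected is the recommended state.
$SingleValues = @(
    @{ Policy = 'Allow fallback to SSL 3.0 (Enabled > No sites)';            Key = "$IEPolicyRoot\Main";              Name = 'EnableSSL3Fallback';  Expected = 0 }
    @{ Policy = 'Turn off blocking of outdated ActiveX controls (Disabled)'; Key = "$IEPolicyRoot\VersionManagement"; Name = 'VersionCheckEnabled'; Expected = 1 }
    @{ Policy = 'Remove Run this time button (Enabled)';                     Key = "$IEPolicyRoot\VersionManagement"; Name = 'RunThisTimeEnabled';  Expected = 0 }
)

function Get-PolicyValue([string]$Key, [string]$Name) {
    # $null when the key or value is absent, i.e. the policy is Not Configured.
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function New-Finding($Policy, $Value, $Expected, $Actual) {
    $status = 'Misconfigured'
    if ($null -eq $Actual) { $status = 'NotConfigured' }
    elseif ($Actual -eq $Expected) { $status = 'OK' }
    [pscustomobject]@{ Policy = $Policy; Value = $Value; Expected = $Expected; Actual = $Actual; Status = $status }
}

function Test-IEPolicies {
    foreach ($policy in $FeatureKeys.Keys) {
        $feature = $FeatureKeys[$policy]
        foreach ($proc in $ProcessValues) {
            $actual = Get-PolicyValue "$IEPolicyRoot\Main\FeatureControl\$feature" $proc
            New-Finding "Internet Explorer Processes ($policy)" "$feature\$proc" 1 $actual
        }
    }
    foreach ($v in $SingleValues) {
        New-Finding $v.Policy $v.Name $v.Expected (Get-PolicyValue $v.Key $v.Name)
    }
}

$report = Test-IEPolicies
$report | Format-Table -AutoSize
# NotConfigured is the secure default for most of the process policies but means
# nothing enforces it; Misconfigured means the setting was explicitly weakened.
$report | Where-Object { $_.Status -eq 'Misconfigured' } | ForEach-Object {
    Write-Warning "$($_.Policy): $($_.Value) is $($_.Actual), expected $($_.Expected)"
}
```

Values under HKLM\SOFTWARE\Policies are rewritten at every Group Policy refresh on a domain-joined machine, so a Misconfigured result there points at the GPO that set it, not at a local change that a local fix would cure.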

Enable local admin password management

Category: OS security

OS: Windows

Description

Verifies the policy Enable local admin password management located in Computer Configuration\Administrative Templates\LAPS.

This policy enables management of the local administrator account password.

  • If you enable this setting, the local administrator password is managed.

  • If you disable or do not configure this setting, the local administrator password is NOT managed.

Note

This policy belongs to the legacy LAPS client (AdmPwd) and appears in the Local Group Policy Editor only after Local Administrator Password Solution (LAPS) has been installed; Windows LAPS, built into current Windows releases, uses its own policies under Computer Configuration\Administrative Templates\System\LAPS.

Recommendation

Set this policy to Enabled.

Local Account Token Filter Policy

Category: OS security

OS: Windows

Description

MS Security Guide: Apply UAC restrictions to local accounts on network logon.

This setting controls whether local accounts can be used for remote administration via network logon (e.g., NET USE, connecting to C$, etc.).

Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems.

Enabling this policy significantly reduces that risk.

  • Enabled (recommended): Applies UAC token-filtering to local accounts on network logons.

    Membership in powerful groups such as Administrators is disabled and powerful privileges are removed from the resulting access token, so a stolen local account password cannot be used for remote administration of other machines that share it.

    This configures the LocalAccountTokenFilterPolicy registry value to 0. This is the default behavior for Windows. The built-in Administrator account (RID 500) is not subject to this filtering, so it still needs a unique password on every endpoint (see Enable local admin password management above).

  • Disabled: Allows local accounts to have full administrative rights when authenticating via network logon, by configuring the LocalAccountTokenFilterPolicy registry value to 1.

    For more information about LocalAccountTokenFilterPolicy, see http://support.microsoft.com/kb/951016.

Recommendation

Set this policy to Enabled.

Configure SMB v1 server

Category: OS security

OS: Windows

Description

MS Security Guide: Configure SMB v1 server.

Disabling this setting disables server-side processing of the SMBv1 protocol. (Recommended).

Enabling this setting enables server-side processing of the SMBv1 protocol. (Default).

Changes to this setting require a reboot to take effect.

For more information, see https://support.microsoft.com/kb/2696547.

Recommendation

Set this to Disabled.

Configure SMB v1 client

Category: OS security

OS: Windows

Description

MS Security Guide: Configure SMB v1 client driver.

This setting configures the start type of the SMB v1 client driver (mrxsmb10). Select Enabled and then Disable driver to stop client-side processing of the SMBv1 protocol (Recommended).

Do not select the Disabled radio button. To restore the default client behaviour, select Enabled and choose Manual start (Windows 7, Windows Server 2008, 2008 R2 and 2012) or Automatic start (Windows 8.1, Windows Server 2012 R2 and later).

On Windows 7, Windows Server 2008, 2008 R2 and 2012 the additional setting Configure SMB v1 client (extra setting needed for pre-Win8.1/2012R2) must also be configured so that the Workstation service no longer depends on the driver.

Changes to this setting require a reboot to take effect. For more information, see https://support.microsoft.com/kb/2696547.

Recommendation

Set this to Enabled > Disable driver.

Enable Structured Exception Handling Overwrite Protection (SEHOP)

Category: OS security

OS: Windows

Description

MS Security Guide: Enable Structured Exception Handling Overwrite Protection (SEHOP).

SEHOP is a system-wide mitigation against exploits that overwrite a thread's structured exception handler records on the stack: before an exception is dispatched, Windows verifies that the handler chain is intact and refuses to call handlers from a corrupted chain. It needs no application changes, but client editions before Windows 10 leave it off unless it is enabled here.

Recommendation

Set this to Enabled.

WDigest Authentication

Category: OS security

OS: Windows

Description

MS Security Guide: WDigest Authentication.

When WDigest authentication is enabled, Lsass.exe retains a copy of the user's plaintext password in memory, where it can be at risk of theft. Microsoft recommends disabling WDigest authentication unless it is needed.

  • If this setting is not configured, WDigest authentication is disabled in Windows 8.1 and in Windows Server 2012 R2; it is enabled by default in earlier versions of Windows and Windows Server.

    Update KB2871997 must first be installed to disable WDigest authentication using this setting in Windows 7, Windows 8, Windows Server 2008 R2 and Windows Server 2012.

  • Enabled: Enables WDigest authentication.

  • Disabled (recommended): Disables WDigest authentication.

    For this setting to work on Windows 7, Windows 8, Windows Server 2008 R2 or Windows Server 2012, KB2871997 must first be installed.

Recommendation

Set this to Disabled.

DisableIPSourceRouting IPv6

Category: Network and credentials

OS: Windows

Description

MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)

Source routing lets the sender of a packet dictate the path it takes through the network. An attacker can use it to spoof a trusted address and still receive the replies, so the highest level makes the endpoint drop all source-routed IPv6 packets.

Recommendation

Set this to Highest protection, source routing is completely disabled.

DisableIPSourceRouting

Category: Network and credentials

OS: Windows

Description

MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)

Source routing lets the sender of a packet dictate the path it takes through the network. An attacker can use it to spoof a trusted address and still receive the replies, so the highest level makes the endpoint drop all source-routed IPv4 packets.

Recommendation

Set this to Highest protection, source routing is completely disabled.

EnableICMPRedirect

Category: Network and credentials

OS: Windows

Description

MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes

ICMP redirect messages let any host on the local segment tell the endpoint to send traffic for a destination through a different gateway. Accepting them lets an attacker on the same segment route the endpoint's traffic through a machine they control, so they should be ignored.

Recommendation

Set this to Disabled.

NoNameReleaseOnDemand

Category: OS security

OS: Windows

Description

MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers

Any host can send a NetBIOS name-release request that makes the endpoint give up its registered name and stop answering to it, a simple denial of service. Enabling this setting makes the endpoint honour release requests only from WINS servers.

Recommendation

Set this to Enabled.
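The MS Security Guide and MSS settings above (Local Account Token Filter Policy, the two SMB v1 settings, SEHOP, WDigest Authentication, DisableIPSourceRouting for IPv4 and IPv6, EnableICMPRedirect and NoNameReleaseOnDemand, together with the LAPS policy) are each backed by a single registry value, so one script can audit all of them and, when asked, apply the recommended values. The PowerShell below is an added example written for this page, not code from the original page or from Microsoft. The registry locations are the ones these Group Policy settings write; the -Remediate switch, the backup file and the row layout are the author's own design, and the sc.exe dependency change is the pre-Windows 8.1 client step from KB2696547.

```powershell
# Added example for this page (not the page's or Microsoft's code). Audits the
# MS Security Guide / MSS settings above through the registry values they write
# and, with -Remediate, applies the recommended values after saving a backup.
# Run in an elevated PowerShell session.
param([switch]$Remediate, [string]$BackupPath = "$env:TEMP\hardening-backup.json")

# One row per setting: the value the recommendation corresponds to, whether an
# absent value already means the secure default, whether the script may write
# it, and whether the text above says a reboot is needed afterwards.
function New-Row($Setting, $Key, $Name, $Expected, $AbsentIsSecure, $Managed, $Reboot) {
    [pscustomobject]@{ Setting = $Setting; Key = $Key; Name = $Name; Expected = $Expected
                       AbsentIsSecure = $AbsentIsSecure; Managed = $Managed; Reboot = $Reboot }
}
$Baseline = @(
    # LAPS: the value only has effect once the LAPS client is installed, so it is reported but not written.
    New-Row 'Enable local admin password management' 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' 'AdmPwdEnabled' 1 $false $false $false
    # Absent = token filtering on (the Windows default); 1 exposes full admin tokens over the network.
    New-Row 'Local Account Token Filter Policy' 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'LocalAccountTokenFilterPolicy' 0 $true $true $false
    New-Row 'Configure SMB v1 server' 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' 'SMB1' 0 $false $true $true
    # Start = 4 is the "Disable driver" choice for the mrxsmb10 client driver.
    New-Row 'Configure SMB v1 client' 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' 'Start' 4 $false $true $true
    # DisableExceptionChainValidation = 0 turns SEHOP on.
    New-Row 'SEHOP' 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel' 'DisableExceptionChainValidation' 0 $false $true $true
    # Absent means off only on Windows 8.1 / 2012 R2 and later; an explicit 0 is safe on every version.
    New-Row 'WDigest Authentication' 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential' 0 $false $true $false
    New-Row 'DisableIPSourceRouting' 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' 'DisableIPSourceRouting' 2 $false $true $false
    New-Row 'DisableIPSourceRouting IPv6' 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' 'DisableIPSourceRouting' 2 $false $true $false
    New-Row 'EnableICMPRedirect' 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' 'EnableICMPRedirect' 0 $false $true $false
    New-Row 'NoNameReleaseOnDemand' 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters' 'NoNameReleaseOnDemand' 1 $false $true $false
)

function Get-RegValue($Key, $Name) {
    # $null when the key or value does not exist, i.e. nothing has configured it.
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-Status($Actual, $Expected, $AbsentIsSecure) {
    if ($null -eq $Actual) { if ($AbsentIsSecure) { return 'OK (default)' } else { return 'NotSet' } }
    if ($Actual -eq $Expected) { return 'OK' }
    return 'Misconfigured'
}

function Get-HardeningState {
    foreach ($b in $Baseline) {
        $actual = Get-RegValue $b.Key $b.Name
        [pscustomobject]@{ Setting = $b.Setting; Value = "$($b.Key)\$($b.Name)"; Expected = $b.Expected
                           Actual = $actual; Status = (Get-Status $actual $b.Expected $b.AbsentIsSecure) }
    }
    # Cross-check SMBv1 on the server side with what the SMB stack itself reports
    # (cmdlet available on Windows 8 / Server 2012 and later).
    $smb1 = $null
    try { $smb1 = (Get-SmbServerConfiguration -ErrorAction Stop).EnableSMB1Protocol } catch { }
    $live = 'Unknown'
    if ($null -ne $smb1) { if ($smb1) { $live = 'Misconfigured' } else { $live = 'OK' } }
    [pscustomobject]@{ Setting = 'Configure SMB v1 server (live)'; Value = 'Get-SmbServerConfiguration'
                       Expected = $false; Actual = $smb1; Status = $live }
}

function Invoke-HardeningRemediation {
    # Keep the pre-change state so the change can be rolled back.
    Get-HardeningState | ConvertTo-Json | Set-Content -Path $BackupPath
    $needReboot = $false
    foreach ($b in ($Baseline | Where-Object { $_.Managed })) {
        if (-not (Test-Path $b.Key)) { New-Item -Path $b.Key -Force | Out-Null }
        Set-ItemProperty -Path $b.Key -Name $b.Name -Value $b.Expected -Type DWord
        if ($b.Reboot) { $needReboot = $true }
    }
    # Pre-Windows 8.1 client step from KB2696547: the Workstation service must stop
    # depending on the SMBv1 driver; sc.exe is used because Set-Service cannot edit dependencies.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    if ($needReboot) { Write-Warning "SMBv1 and SEHOP changes take effect after a reboot. Backup written to $BackupPath" }
}

Get-HardeningState | Format-Table -AutoSize
if ($Remediate) { Invoke-HardeningRemediation }
```

Run it once without -Remediate to see the report; NotSet rows are the ones where nothing has pinned the value and the Windows version decides the behaviour, which is why the recommendations above ask for an explicit setting rather than the default. On a domain-joined machine the same values should be deployed through the MS Security Guide and MSS templates, and the script is then a way to verify that the policy actually landed.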

Office Word 11 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Word 11, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled and a security alert is shown when macros are present, except that macros digitally signed by a publisher the user has already trusted run without prompting.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. The separate option Trust access to the VBA project object model, which lets other programs read and modify macro code, should also stay unchecked.

Recommendation

Set this to Disable all macros without notification.

Office Word 12 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Word 12, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled and a security alert is shown when macros are present, except that macros digitally signed by a publisher the user has already trusted run without prompting.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. The separate option Trust access to the VBA project object model, which lets other programs read and modify macro code, should also stay unchecked.

Recommendation

Set this to Disable all macros without notification.

Office Word 14 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Word 14, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled and a security alert is shown when macros are present, except that macros digitally signed by a publisher the user has already trusted run without prompting.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. The separate option Trust access to the VBA project object model, which lets other programs read and modify macro code, should also stay unchecked.

Recommendation

Set this to Disable all macros without notification.

Office Word 15 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Word 15, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled and a security alert is shown when macros are present, except that macros digitally signed by a publisher the user has already trusted run without prompting.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. The separate option Trust access to the VBA project object model, which lets other programs read and modify macro code, should also stay unchecked.

Recommendation

Set this to Disable all macros without notification.

Office Word 16 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Word 16, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled and a security alert is shown when macros are present, except that macros digitally signed by a publisher the user has already trusted run without prompting.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. The separate option Trust access to the VBA project object model, which lets other programs read and modify macro code, should also stay unchecked.

Recommendation

Set this to Disable all macros without notification.

Office MSProject 11 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office MSProject 11, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled and a security alert is shown when macros are present, except that macros digitally signed by a publisher the user has already trusted run without prompting.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. The separate option Trust access to the VBA project object model, which lets other programs read and modify macro code, should also stay unchecked.

Recommendation

Set this to Disable all macros without notification.

Office MSProject 12 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office MSProject 12, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled and a security alert is shown when macros are present, except that macros digitally signed by a publisher the user has already trusted run without prompting.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. The separate option Trust access to the VBA project object model, which lets other programs read and modify macro code, should also stay unchecked.

Recommendation

Set this to Disable all macros without notification.

Office MSProject 14 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office MSProject 14, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled and a security alert is shown when macros are present, except that macros digitally signed by a publisher the user has already trusted run without prompting.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. The separate option Trust access to the VBA project object model, which lets other programs read and modify macro code, should also stay unchecked.

Recommendation

Set this to Disable all macros without notification.

Office MSProject 15 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office MSProject 15, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled and a security alert is shown when macros are present, except that macros digitally signed by a publisher the user has already trusted run without prompting.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. The separate option Trust access to the VBA project object model, which lets other programs read and modify macro code, should also stay unchecked.

Recommendation

Set this to Disable all macros without notification.

Office MSProject 16 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office MSProject 16, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled and a security alert is shown when macros are present, except that macros digitally signed by a publisher the user has already trusted run without prompting.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. The separate option Trust access to the VBA project object model, which lets other programs read and modify macro code, should also stay unchecked.

Recommendation

Set this to Disable all macros without notification.

Office Excel 11 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Excel 11, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled and a security alert is shown when macros are present, except that macros digitally signed by a publisher the user has already trusted run without prompting.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. The separate option Trust access to the VBA project object model, which lets other programs read and modify macro code, should also stay unchecked.

Recommendation

Set this to Disable all macros without notification.

Office Excel 12 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Excel 12, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled and a security alert is shown when macros are present, except that macros digitally signed by a publisher the user has already trusted run without prompting.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. The separate option Trust access to the VBA project object model, which lets other programs read and modify macro code, should also stay unchecked.

Recommendation

Set this to Disable all macros without notification.

Office Excel 14 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Excel 14, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled and a security alert is shown when macros are present, except that macros digitally signed by a publisher the user has already trusted run without prompting.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. The separate option Trust access to the VBA project object model, which lets other programs read and modify macro code, should also stay unchecked.

Recommendation

Set this to Disable all macros without notification.

Office Excel 15 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Excel 15, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled and a security alert is shown when macros are present, except that macros digitally signed by a publisher the user has already trusted run without prompting.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. The separate option Trust access to the VBA project object model, which lets other programs read and modify macro code, should also stay unchecked.

Recommendation

Set this to Disable all macros without notification.

Office Excel 16 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Excel 16, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled and a security alert is shown when macros are present, except that macros digitally signed by a publisher the user has already trusted run without prompting.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. The separate option Trust access to the VBA project object model, which lets other programs read and modify macro code, should also stay unchecked.

Recommendation

Set this to Disable all macros without notification.

Office Power Point 11 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Power Point 11, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled and a security alert is shown when macros are present, except that macros digitally signed by a publisher the user has already trusted run without prompting.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. The separate option Trust access to the VBA project object model, which lets other programs read and modify macro code, should also stay unchecked.

Recommendation

Set this to Disable all macros without notification.

Office Power Point 12 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Power Point 12, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled and a security alert is shown when macros are present, except that macros digitally signed by a publisher the user has already trusted run without prompting.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. The separate option Trust access to the VBA project object model, which lets other programs read and modify macro code, should also stay unchecked.

Recommendation

Set this to Disable all macros without notification.

Office Power Point 14 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Power Point 14, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled and a security alert is shown when macros are present, except that macros digitally signed by a publisher the user has already trusted run without prompting.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. The separate option Trust access to the VBA project object model, which lets other programs read and modify macro code, should also stay unchecked.

Recommendation

Set this to Disable all macros without notification.

Office Power Point 15 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Power Point 15, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled and a security alert is shown when macros are present, except that macros digitally signed by a publisher the user has already trusted run without prompting.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. The separate option Trust access to the VBA project object model, which lets other programs read and modify macro code, should also stay unchecked.

Recommendation

Set this to Disable all macros without notification.

Office Power Point 16 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Power Point 16, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.

    However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. The Macro Settings page also holds the separate Trust access to the VBA project object model option.

Recommendation

Set this to Disable all macros without notification.

Office Access 11 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Access 11, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.

    However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. The Macro Settings page also holds the separate Trust access to the VBA project object model option.

Recommendation

Set this to Disable all macros without notification.

Office Access 12 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Access 12, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.

    However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. The Macro Settings page also holds the separate Trust access to the VBA project object model option.

Recommendation

Set this to Disable all macros without notification.

Office Access 14 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Access 14, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.

    However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. The Macro Settings page also holds the separate Trust access to the VBA project object model option.

Recommendation

Set this to Disable all macros without notification.

Office Access 15 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Access 15, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.

    However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. The Macro Settings page also holds the separate Trust access to the VBA project object model option.

Recommendation

Set this to Disable all macros without notification.

Office Access 16 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Access 16, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.

    However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. The Macro Settings page also holds the separate Trust access to the VBA project object model option.

Recommendation

Set this to Disable all macros without notification.

Office Publisher 11 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Publisher 11, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.

    However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. The Macro Settings page also holds the separate Trust access to the VBA project object model option.

Recommendation

Set this to Disable all macros without notification.

Office Publisher 12 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Publisher 12, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.

    However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. The Macro Settings page also holds the separate Trust access to the VBA project object model option.

Recommendation

Set this to Disable all macros without notification.

Office Publisher 14 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Publisher 14, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.

    However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. The Macro Settings page also holds the separate Trust access to the VBA project object model option.

Recommendation

Set this to Disable all macros without notification.

Office Publisher 15 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Publisher 15, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.

    However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. The Macro Settings page also holds the separate Trust access to the VBA project object model option.

Recommendation

Set this to Disable all macros without notification.

Office Publisher 16 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Publisher 16, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.

    However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. The Macro Settings page also holds the separate Trust access to the VBA project object model option.

Recommendation

Set this to Disable all macros without notification.

Office Outlook 11 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Outlook 11, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.

    However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. The Macro Settings page also holds the separate Trust access to the VBA project object model option.

Recommendation

Set this to Disable all macros without notification.

Office Outlook 12 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Outlook 12, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.

    However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. The Macro Settings page also holds the separate Trust access to the VBA project object model option.

Recommendation

Set this to Disable all macros without notification.

Office Outlook 14 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Outlook 14, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.

    However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. The Macro Settings page also holds the separate Trust access to the VBA project object model option.

Recommendation

Set this to Disable all macros without notification.

Office Outlook 15 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Outlook 15, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.

    However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. The Macro Settings page also holds the separate Trust access to the VBA project object model option.

Recommendation

Set this to Disable all macros without notification.

Office Outlook 16 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Outlook 16, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.

    However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. The Macro Settings page also holds the separate Trust access to the VBA project object model option.

Recommendation

Set this to Disable all macros without notification.

Mozilla Passwords

Category: Browser security

OS: Windows

Description

Checks if Mozilla Firefox stores passwords on disk.

An attacker who gains ownership of your system may steal stored credentials.

Recommendation

Do not save credentials locally, especially if not protected by a security solution.

WinRM Service

Category: OS security

OS: Windows

Description

Windows Remote Management (WinRM) allows a user to interact with a remote system, to run an executable, modify the registry, or modify services. It may be called with the winrm command or by various programs, such as PowerShell.

Recommendation

Disable the WinRM Service unless necessary.

Network access: Do not allow anonymous enumeration of SAM accounts and shares

Category: Network and credentials

OS: Windows

Description

This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed.

Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares.

This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust.

  • If you do not want to allow anonymous enumeration of SAM accounts and shares, go to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options, and enable this policy.

    Default: Disabled.

Recommendation

Set this to Enabled.

Network access: Let Everyone permissions apply to anonymous users

Category: OS security

OS: Windows

Description

This security setting located in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options determines what additional permissions are granted for anonymous connections to the computer.

Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust.

By default, the Everyone security identifier (SID) is removed from the token created for anonymous connections. Therefore, permissions granted to the Everyone group do not apply to anonymous users.

  • With this default, anonymous users can only access those resources for which the anonymous user has been explicitly given permission.

  • If this policy is enabled, the Everyone SID is added to the token that is created for anonymous connections.

    In this case, anonymous users are able to access any resource for which the Everyone group has been given permissions.

    Default: Disabled.

Recommendation

Set this to Disabled.

PowerShell Script Execution

Category: OS security

OS: Windows

Description

Checks the local group policy Turn on Script Execution, located in Computer Configuration\Administrative Templates\Windows Components\Windows PowerShell.

This policy setting lets you configure the script execution policy, controlling which scripts are allowed to run.

  • If you enable this policy setting, the scripts selected in the drop-down list are allowed to run.

    • The Allow only signed scripts policy setting allows scripts to execute only if they are signed by a trusted publisher.

    • The Allow local scripts and remote signed scripts policy setting allows any local scripts to run.

      Scripts that originate from the internet must be signed by a trusted publisher.

    • The Allow all scripts policy setting allows all scripts to run.

  • If you disable this policy setting, no scripts are allowed to run.

Recommendation

Set this to Disabled.

Robomongo Passwords

Category: Network and credentials

OS: Windows

Description

Checks if Robomongo stores passwords on disk. An attacker who gains ownership of your system may steal stored credentials.

Recommendation

Do not save credentials locally, especially if not protected by a security solution.

Internet Explorer Passwords

Category: Network and credentials

OS: Windows

Description

Checks if Internet Explorer or Microsoft Edge store passwords on disk. An attacker who gains ownership of your system may steal stored credentials.

Recommendation

Do not save credentials locally, especially if not protected by a security solution.

Apache Directory Studio Passwords

Category: Network and credentials

OS: Windows

Description

Checks if Apache Directory Studio stores passwords on disk. An attacker who gains ownership of your system may steal stored credentials.

Recommendation

Do not save credentials locally, especially if not protected by a security solution.

Filezilla Passwords

Category: Network and credentials

OS: Windows

Description

Checks if Filezilla stores passwords on disk. An attacker who gains ownership of your system may steal stored credentials.

Recommendation

Do not save credentials locally, especially if not protected by a security solution.

FTP Navigator Passwords

Category: Network and credentials

OS: Windows

Description

Checks if FTP Navigator stores passwords on disk. An attacker who gains ownership of your system may steal stored credentials.

Recommendation

Do not save credentials locally, especially if not protected by a security solution.

DB Visualizer Passwords

Category: Network and credentials

OS: Windows

Description

Checks if DB Visualizer stores passwords on disk. An attacker who gains ownership of your system may steal stored credentials.

Recommendation

Do not save credentials locally, especially if not protected by a security solution.

Win SCP Passwords

Category: Network and credentials

OS: Windows

Description

Checks if Win SCP stores passwords on disk. An attacker who gains ownership of your system may steal stored credentials.

Recommendation

Do not save credentials locally, especially if not protected by a security solution.

RDP Manager Passwords

Category: Network and credentials

OS: Windows

Description

Checks if RDP Manager stores passwords on disk. An attacker who gains ownership of your system may steal stored credentials.

Recommendation

Do not save credentials locally, especially if not protected by a security solution.

Winlogon Passwords

Category: Network and credentials

OS: Windows

Description

Checks if Winlogon stores passwords on disk. An attacker who gains ownership of your system may steal stored credentials.

Recommendation

Do not save credentials locally, especially if not protected by a security solution.

Squirrel Passwords

Category: Network and credentials

OS: Linux

Description

In networking, source routing allows a sender to partially or fully specify the route packets take through a network. If source-routed packets are accepted, a sender can dictate a path into private address ranges, bypassing the routing decisions that would otherwise be made by the network's routing protocols.

Recommendation

Ensure the net.ipv4.conf.all.accept_source_route, net.ipv4.conf.default.accept_source_route, net.ipv6.conf.all.accept_source_route and net.ipv6.conf.default.accept_source_route flags are disabled.

Thunderbird Passwords

Category: Network and credentials

OS: Windows

Description

Checks if Thunderbird stores passwords on disk. An attacker who gains ownership of your system may steal stored credentials.

Recommendation

Do not save credentials locally, especially if not protected by a security solution.

PostgreSQL Passwords

Category: Network and credentials

OS: Windows

Description

Checks if PostgreSQL stores passwords on disk. An attacker who gains ownership of your system may steal stored credentials.

Recommendation

Do not save credentials locally, especially if not protected by a security solution.

PHP Auth Passwords

Category: Network and credentials

OS: Windows

Description

Checks if PHP Auth stores passwords on disk. An attacker who gains ownership of your system may steal stored credentials.

Recommendation

Do not save credentials locally, especially if not protected by a security solution.

Tortoise SVN Passwords

Category: Network and credentials

OS: Windows

Description

Checks if Tortoise SVN stores passwords on disk. An attacker who gains ownership of your system may steal stored credentials.

Recommendation

Do not save credentials locally, especially if not protected by a security solution.

Too many local administrators

Category: OS security

OS: Windows

Description

Checks the number of local administrators on the machine.

Recommendation

Do not allow more than one local administrator account.

SMB Shared Everyone Read

Category: Network and credentials

OS: Windows

Description

Checks the existence of shared folders with read access for the Everyone group.

The Everyone group includes all users who have logged in with a password (members of the Authenticated Users group) as well as built-in, non-password protected accounts such as Guest, and several other built-in security accounts like SERVICE, LOCAL_SERVICE, NETWORK_SERVICE, and others.

A Guest account is a built-in account on a Windows system that is disabled by default.

  • If enabled, it allows anyone to log in without a password.

Recommendation

Restrict access to shared folders for members of the Everyone group.

We also recommend you do not grant shared permissions to Shell Folders.

SMB Shared Everyone Write

Category: Network and credentials

OS: Windows

Description

Checks the existence of shared folders with write access for the Everyone group.

The Everyone group includes all users who have logged in with a password (members of the Authenticated Users group) as well as built-in, non-password protected accounts such as Guest, and several other built-in security accounts like SERVICE, LOCAL_SERVICE, NETWORK_SERVICE, and others.

A Guest account is a built-in account on a Windows system that is disabled by default.

  • If enabled, it allows anyone to log in without a password.

Recommendation

Restrict access to shared folders for members of the Everyone group.

We also recommend you do not grant shared permissions to Shell Folders.

SMB Shared Sensitive Read

Category: Network and credentials

OS: Windows

Description

Checks the existence of sensitive folders that are shared with read access on Server Message Block (SMB).

SMB is a network protocol used by Windows-based computers that allows systems within the same network to share files. It allows computers connected to the same network or domain to access files from other local computers as easily as if they were on the computer's local hard drive.

Not only does SMB allow computers to share files, but it also enables computers to share printers and even serial ports from other computers within the network.

Recommendation

Restrict access to shared folders for members of the Everyone group.

We also recommend you do not grant shared permissions to Shell Folders.

SMB Shared Sensitive Write

Category: Network and credentials

OS: Windows

Description

Checks the existence of sensitive folders that are shared with write access on Server Message Block (SMB).

SMB is a network protocol used by Windows-based computers that allows systems within the same network to share files. It allows computers connected to the same network or domain to access files from other local computers as easily as if they were on the computer's local hard drive.

Not only does SMB allow computers to share files, but it also enables computers to share printers and even serial ports from other computers within the network.

Recommendation

Restrict access to shared folders for members of the Everyone group.

SMBv3 Exploitable

Category: Network and credentials

OS: Windows

Description

Checks if the computer is vulnerable to CVE-2020-0796.

Recommendation

Always watch for and install security updates.

afmtd Exploitable

Category: OS security

OS: Windows

Description

Checks if the computer is vulnerable to CVE-2020-1020.

Recommendation

Always watch for and install security updates.

Full Secure Channel Protection

Category: Network and credentials

OS: Windows

Description

Verifies the policy Domain controller: Allow vulnerable Netlogon secure channel connections, located in Computer Configuration\Windows Settings\Security Settings\Security Options.

This security setting determines whether the domain controller bypasses secure RPC for Netlogon secure channel connections, for specified machine accounts.

When this policy is enabled with Allow, the domain controller will allow some specified groups/accounts to use a Netlogon secure channel without secure RPC.

Recommendation

Set this policy to Deny or Not configured.

Print Spooler Service Exploitable

Category: Network and credentials

OS: Windows

Description

Verifies if the endpoint is susceptible to the PrintNightmare attack (CVE-2021-34527).

This type of attack exploits a vulnerability within the Windows Print Spooler service, allowing an attacker to run arbitrary code with SYSTEM privileges. An attacker can then install programs; view, change or delete data, or create new accounts with full user rights.

Recommendation

Make sure your endpoint is always up-to-date with your operating system security patches.

  • If for some reason you are unable to patch the endpoint, apply one of the workarounds specified in the vulnerability blog post: disable the Print Spooler service, or disable inbound remote printing through Group Policy.

NTLM Incoming traffic not restricted

Category: Network and credentials

OS: Windows

Description

Verifies if the group policy Network Security: Restrict NTLM: Incoming NTLM traffic, located in Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options, is configured to deny incoming traffic from all accounts.

  • If this setting is not configured properly, an attacker can target a Domain Controller using an NTLM relay attack (dubbed PetitPotam).

Recommendation

To safeguard against this line of attack, Microsoft recommends disabling NTLM authentication on the domain controller. If NTLM cannot be turned off for compatibility reasons, take one of the two steps below:

  • Disable NTLM on any AD CS Servers in your domain using the group policy Network security: Restrict NTLM: Incoming NTLM traffic

  • Disable NTLM for Internet Information Services (IIS) on AD CS Servers in the domain running the Certificate Authority Web Enrollment or Certificate Enrollment Web Service services

Log4j with Remote Code Execution Present

Category: Network and credentials

OS: Windows

Description

Verifies if a vulnerable version of the log4j module is present on disk. Such a module may be affected by CVE-2021-44228 and CVE-2021-45046; a specially crafted request sent to it can cause it to download and then execute a malicious payload.

Recommendation

Avoid using Log4j versions 2.x to 2.15.0.

Log4j with Denial of Service Present

Category: Network and credentials

OS: Windows

Description

Verifies if a vulnerable version of the log4j module is present on disk. Such a module may be affected by CVE-2021-45105; a specially crafted string, when interpreted, can cause a denial of service.

Recommendation

Avoid using Log4j versions 2.x to 2.16.0, except version 2.12.3, which fixes the issue.

Linux misconfigurations

OpenSSH root login is enabled

Category: OS security

OS: Linux

Description

Verifies if SSH login is enabled for the "root" user.

Recommendation

Ensure remote access is disabled for user "root".

OpenSSH runs on the default port

Category: OS security

OS: Linux

Description

Verifies if the default ssh port is used for the ssh server.

Recommendation

Change the ssh port in order to reduce chances of being targeted.

OpenSSH PermitEmptyPasswords is enabled

Category: OS security

OS: Linux

Description

Verifies if the PermitEmptyPasswords parameter for the OpenSSH server is set to allow login to accounts with empty password strings.

Recommendation

Ensure OpenSSH server does not allow login to accounts with empty password strings.

OpenSSH HostbasedAuthentication is enabled

Category: OS security

OS: Linux

Description

Verifies if the HostbasedAuthentication parameter for the OpenSSH server is set to allow authentication through trusted hosts.

Recommendation

Ensure the OpenSSH server does not allow authentication through trusted hosts.

OpenSSH idle timeout interval is not configured

Category: OS security

OS: Linux

Description

Verifies if the ClientAliveInterval and ClientAliveCountMax parameters for the OpenSSH server are not configured.

When these parameters are configured, the server sends a client-alive message every ClientAliveInterval seconds while the session is idle and terminates the session once ClientAliveCountMax consecutive messages go unanswered.

Recommendation

Ensure the idle timeout interval options for the OpenSSH server are configured.

OpenSSH Password login

Category: OS security

OS: Linux

Description

Verifies if password login is enabled for OpenSSH server.

Recommendation

Ensure SSH access is made through public keys.

Automatic login enabled

Category: OS security

OS: Linux

Description

Verifies if automatic login is configured for a user on the endpoint.

Note

Automatic login automatically logs in a user after OS boot.

Recommendation

Ensure the automatic login option is not enabled.

Samba guest access enabled

Category: OS security

OS: Linux

Description

Verifies if the Samba Service is configured to allow guest access.

Recommendation

Ensure guest access is restricted if you do not explicitly need it.

VSftp server anonymous access allowed

Category: OS security

OS: Linux

Description

Verifies if the VSftp service is configured to allow anonymous access.

Recommendation

Ensure anonymous access to the VSftp service is not allowed.

Boot directory access not restricted

Category: OS security

OS: Linux

Description

Verifies if access to the boot directory is restricted for non-root accounts.

Recommendation

Ensure only the root account is allowed access to the boot directory.

Users do not own their home directory

Category: OS security

OS: Linux

Description

Verifies if there is at least one user that does not own their home directory.

Recommendation

Ensure every user present on the endpoint is the owner of their own home directory.

GPGCheck is globally activated

Category: OS security

OS: Linux

Description

Verifies if the gpg signature check is globally enabled, thus making sure that updates are obtained from a valid source.

Recommendation

Ensure the gpg signature check is globally enabled.

Ensure sudo commands use pty

Category: OS security

OS: Linux

Description

Verifies if sudo is configured to run only from a pseudo-pty.

Attackers can run malicious programs using sudo, causing it to fork a background process that persists even when the main program has finished executing.

Recommendation

Ensure sudo is configured to run other programs from a pseudo-pty.

Permissions on bootloader are not restricted

Category: OS security

OS: Linux

Description

Verifies the permissions on the bootloader configuration file.

If not properly configured, non-root users may read the boot parameters and could identify weaknesses in security upon boot.

Recommendation

Ensure only root can read / write the bootloader configuration file.

Permissions on the motd file are not restricted

Category: OS security

OS: Linux

Description

Verifies if permissions on the /etc/motd file are not restricted. The content of the /etc/motd file is displayed to users after login, and functions as a message of the day for authenticated users.

If the permissions and ownership of this file are not properly configured, it could allow other users to corrupt it with incorrect or misleading information.

Recommendation

Ensure the owner of the motd file is root and permissions to others are restricted to read only.

Permissions on the issue file are not restricted

Category: OS security

OS: Linux

Description

Verifies if permissions on the /etc/issue file are not restricted. The content of the /etc/issue file is displayed to users prior to login from local terminals.

If the permissions and ownership of this file are not properly configured, it could allow other users to corrupt it with incorrect or misleading information.

Recommendation

Ensure the owner of the issue file is root and permissions to others are restricted to read only.

Permissions on the issue.net file are not restricted

Category: OS security

OS: Linux

Description

Verifies if permissions on the /etc/issue.net file are not restricted. The content of the /etc/issue.net file is displayed to users prior to login from remote terminals.

If the permissions and ownership of this file are not properly configured, it could allow other users to corrupt it with incorrect or misleading information.

Recommendation

Ensure the owner of the issue.net file is root and permissions to others are restricted to read only.

Avahi Server is enabled

Category: OS security

OS: Linux

Description

Verifies if Avahi Server is enabled on the endpoint. Avahi Server allows programs to publish and discover services and hosts running on the local network.

Recommendation

Ensure Avahi Server is not enabled in order to reduce the endpoint's potential attack surface.

Rsync Server is enabled

Category: OS security

OS: Linux

Description

Verifies if Rsync Server is enabled on the endpoint. The Rsync service is used to synchronize files between systems over the network through unencrypted protocols.

Recommendation

Ensure the rsyncd service is disabled.

SNMP Server is enabled

Category: OS security

OS: Linux

Description

Verifies if the Simple Network Management Protocol (SNMP) server is enabled. This service listens for SNMP commands, executes them or collects the requested data, and sends the results back to the requester.

The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands.

Recommendation

Ensure SNMP Server is disabled unless absolutely necessary.

HTTP proxy is enabled

Category: OS security

OS: Linux

Description

Verifies if the squid http proxy server is enabled.

If there is no need for a proxy server, it is recommended to disable or delete it, to reduce the potential attack surface.

Recommendation

Ensure squid http proxy is disabled if not used.

Samba Service is enabled

Category: OS security

OS: Linux

Description

Verifies if Samba Service is enabled on the endpoint. If there is no need to mount directories and file systems, then this service can be disabled in order to reduce the potential attack surface.

Recommendation

Ensure SMB service is disabled if not used, to reduce the potential attack surface.

Authentication not required for rescue mode

Category: OS security

OS: Linux

Description

Verifies if authentication is required for rescue mode. Requiring authentication for rescue mode prevents unauthorized users from rebooting the system into rescue mode and gaining root privileges without credentials.

Recommendation

Ensure entering rescue mode requires authentication.

Authentication not required for single user mode

Category: OS security

OS: Linux

Description

Verifies if authentication is required for single user mode. Requiring authentication for single user mode prevents unauthorized users from rebooting the system into single user mode and gaining root privileges without credentials.

Recommendation

Ensure entering single user mode requires authentication.

Bootloader password is not set

Category: OS security

OS: Linux

Description

Verifies if there is a password set for the bootloader. Requiring a boot password will prevent unauthorized users from entering boot parameters or changing the boot partition.

Recommendation

Ensure bootloader password is set.

Duplicate group IDs

Category: OS security

OS: Linux

Description

Verifies if there are any duplicate group IDs (GIDs). User groups must be assigned unique GIDs to ensure appropriate access protection.

Recommendation

Ensure no duplicate group IDs are present in the /etc/group file.

Duplicate user IDs

Category: OS security

OS: Linux

Description

Verifies if there are any duplicate user IDs (UIDs). Users must be assigned unique UIDs to ensure appropriate access protection.

Recommendation

Ensure no duplicate user IDs are present in the /etc/passwd file.

Automatic updates disabled

Category: OS security

OS: Linux

Description

Verifies if the unattended-upgrades service is configured to install the latest security (and other) updates automatically.

Recommendation

If the unattended-upgrades service is installed, ensure it is configured to install updates automatically.

Sudo log file not configured

Category: OS security

OS: Linux

Description

Verifies if sudo has a custom log file configured. A sudo log file simplifies auditing of sudo commands.

Recommendation

Ensure custom log file is configured for sudo.

Address space layout randomization disabled

Category: OS security

OS: Linux

Description

Verifies if Address space layout randomization (ASLR) is configured. ASLR is an exploit mitigation technique that increases the difficulty of writing memory corruption exploits by placing virtual memory regions at random addresses.

Recommendation

Ensure Address space layout randomization (ASLR) is enabled.

Shadow group is not empty

Category: OS security

OS: Linux

Description

Verifies if the shadow group is empty. The shadow group grants the system programs that require it read access to the /etc/shadow file. No users should be assigned to the shadow group.

Recommendation

Ensure no users are granted read access to the /etc/shadow file.

Duplicate group names

Category: OS security

OS: Linux

Description

Verifies if there are any duplicated group names.

If a group is assigned a duplicate group name, any files it creates will be associated with the first occurrence of the GID for that group in /etc/group. The duplicate group name will also have access to any existing files associated with the first occurrence of that GID in /etc/group.

Recommendation

Ensure there are no duplicate group names present in /etc/group.

Duplicate user names

Category: OS security

OS: Linux

Description

Verifies if there are any duplicated user names.

If a user is assigned a duplicate user name, any files it creates will be associated with the first occurrence of the UID for that user in /etc/passwd. The duplicate user name will also have access to any existing files associated with the first occurrence of that UID in /etc/passwd.

Recommendation

Ensure there are no duplicate user names present in /etc/passwd.

User has a rhosts file

Category: OS security

OS: Linux

Description

Verifies if there are any users with a .rhosts file. Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, they may have been brought over from other systems and could contain information useful to an attacker for those other systems.

Recommendation

Ensure no .rhosts files are present in user home directories.

User has a netrc file

Category: OS security

OS: Linux

Description

Verifies if there are any users with a .netrc file. .netrc files may contain unencrypted passwords that can be used to attack other systems.

Recommendation

Ensure no .netrc files are present in user home directories.

User has a netrc file group / world accessible

Category: OS security

OS: Linux

Description

Verifies if there are group / world accessible .netrc files. .netrc files may contain unencrypted passwords that may be used to attack other systems.

Recommendation

Ensure there are no group / world accessible .netrc files in user home directories.

passwd group not present in group file

Category: OS security

OS: Linux

Description

Verifies if all groups mentioned in the /etc/passwd file are also present in the /etc/group file. Groups that are defined in the /etc/passwd file but not in the /etc/group file pose a threat to system security since group permissions are not properly managed.

Recommendation

Ensure all groups defined in /etc/passwd have a declaration in /etc/group as well.

User with empty password

Category: OS security

OS: Linux

Description

Verifies if all accounts have a non-empty password field. All accounts must have passwords or be locked to prevent unauthorized access to that account.

Recommendation

Ensure all accounts have a password.

Sensitive local login banner message

Category: OS security

OS: Linux

Description

Verifies if the contents of the /etc/issue file are displaying information about the OS release and patch level.

Recommendation

Ensure the content of the /etc/issue file does not include OS release and patch level.

Sensitive remote login banner message

Category: OS security

OS: Linux

Description

Verifies if the contents of the /etc/issue.net file are displaying information about OS release and patch level.

Recommendation

Ensure the content of the /etc/issue.net file does not include OS release and patch level.

Sensitive motd message

Category: OS security

OS: Linux

Description

Verifies if the contents of the /etc/motd file are displaying information about OS release and patch level.

Recommendation

Ensure the content of the /etc/motd file does not include OS release and patch level.

Sensitive gdm login banner message

Category: OS security

OS: Linux

Description

Verifies if the /etc/gdm3/greeter.dconf-defaults file specifies that the banner message is enabled and the banner contains information about the OS release and patch level.

Recommendation

Ensure the banner configured in /etc/gdm3/greeter.dconf-defaults does not include the OS release and patch level.

User with .forward file in home directory

Category: OS security

OS: Linux

Description

The purpose of a .forward file is to automatically forward mail as it is received to all included addresses, which may pose a risk as sensitive data can be transferred outside the organization.

Recommendation

Ensure no users have a .forward file in their home directory.

User does not own their home directory

Category: OS security

OS: Linux

Description

Verifies if there is any user who does not own his home directory. Since the user is accountable for files stored in his home directory, he must be the owner of the directory.

Recommendation

Ensure every user owns his home directory.

User dot files with wrong permissions

Category: OS security

OS: Linux

Description

Verifies if there is any user who has dot files with wrong permissions. If a user's dot files are group or world-writable, this may enable a malicious user to steal/modify his data or to gain system privileges.

Recommendation

Ensure every user's dot files are not group or world-writable.

User home directory exists

Category: OS security

OS: Linux

Description

Verifies if there is any user with a missing home directory. If a user's home directory doesn't exist, the user is placed in '/' at login and may not be able to write any files.

Recommendation

Ensure every user has a home directory.

Root PATH integrity

Category: OS security

OS: Linux

Description

Because the root user can execute any command on the system, including the current working directory (.) or a group/other-writable directory in root's PATH creates the possibility for an attacker to gain superuser access.

Recommendation

Ensure the root's executable path does not contain . or any files with group or other write permissions.

Non-root user with UID 0

Category: OS security

OS: Linux

Description

Verifies if any user except root has the UID set to 0. Any account with UID 0 has superuser privileges on the system.

Recommendation

Ensure root is the only user with UID set to 0.

Legacy '+' entries in /etc/passwd

Category: OS security

OS: Linux

Description

Verifies if any entries beginning with '+' exist in /etc/passwd. '+' entries were used as markers to insert data from NIS maps, but are no longer required. This may provide attackers a way to gain access.

Recommendation

Ensure no legacy '+' entries exist in /etc/passwd.

Legacy '+' entries in /etc/shadow

Category: OS security

OS: Linux

Description

Verifies if any entries beginning with '+' exist in /etc/shadow. '+' entries were used as markers to insert data from NIS maps, but are no longer required. This may provide attackers a way to gain access.

Recommendation

Ensure no legacy '+' entries exist in /etc/shadow.

Legacy '+' entries in /etc/group

Category: OS security

OS: Linux

Description

Verifies if any entries beginning with '+' exist in /etc/group. '+' entries were used as markers to insert data from NIS maps, but are no longer required. This may provide attackers a way to gain access.

Recommendation

Ensure no legacy '+' entries exist in /etc/group.
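The account-database checks above (Duplicate group IDs, Duplicate user IDs, Shadow group is not empty, Duplicate group names, Duplicate user names, passwd group not present in group file, User with empty password, Non-root user with UID 0 and the three Legacy '+' entries checks) all reduce to reading /etc/passwd, /etc/group and /etc/shadow. The following is an added example, not code from this documentation or its vendor, that implements those checks over constructed sample databases; the file formats are the standard colon-separated ones, and the sample contents are invented.

```python
from collections import Counter, defaultdict


def parse_colon_file(text):
    """Split /etc/passwd-, /etc/shadow- or /etc/group-style lines into their fields."""
    return [line.split(":") for line in text.splitlines() if line.strip()]


def audit_accounts(passwd_text, group_text, shadow_text):
    """Return {check title: offending names or ids} for the account database checks above."""
    passwd = parse_colon_file(passwd_text)
    group = parse_colon_file(group_text)
    shadow = parse_colon_file(shadow_text)
    findings = defaultdict(list)

    # Legacy NIS markers: any entry whose name field starts with '+'.
    for name, rows in (("passwd", passwd), ("shadow", shadow), ("group", group)):
        findings[f"Legacy '+' entries in /etc/{name}"] = [
            ":".join(r) for r in rows if r[0].startswith("+")]
    users = [r for r in passwd if len(r) >= 4 and not r[0].startswith(("+", "-"))]
    groups = [r for r in group if len(r) >= 3 and not r[0].startswith(("+", "-"))]

    def duplicates(values):
        return sorted(v for v, n in Counter(values).items() if n > 1)

    findings["Duplicate user IDs"] = duplicates(r[2] for r in users)
    findings["Duplicate user names"] = duplicates(r[0] for r in users)
    findings["Duplicate group IDs"] = duplicates(r[2] for r in groups)
    findings["Duplicate group names"] = duplicates(r[0] for r in groups)
    findings["Non-root user with UID 0"] = [r[0] for r in users if r[2] == "0" and r[0] != "root"]

    # Primary GIDs referenced by /etc/passwd must be declared in /etc/group.
    declared_gids = {r[2] for r in groups}
    findings["passwd group not present in group file"] = sorted(
        {r[3] for r in users} - declared_gids)

    # An empty hash field means no password is needed. "x" in passwd defers to /etc/shadow,
    # while "!" or "*" mark a locked account, which is acceptable.
    shadow_hash = {r[0]: r[1] for r in shadow if len(r) >= 2 and not r[0].startswith("+")}
    findings["User with empty password"] = [
        r[0] for r in users if shadow_hash.get(r[0], r[1]) == ""]

    # Members listed in the shadow group (fourth field of /etc/group) can read /etc/shadow.
    for r in groups:
        if r[0] == "shadow" and len(r) > 3 and r[3]:
            findings["Shadow group is not empty"] = r[3].split(",")

    return {title: items for title, items in findings.items() if items}


# Constructed sample databases (invented for this example, not taken from any system).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
alice:x:1002:1000:Alice again:/home/alice2:/bin/bash
toor:x:0:0:second superuser:/root:/bin/bash
svc:x:1003:4242:service:/var/lib/svc:/usr/sbin/nologin
+::::::
"""
GROUP = """\
root:x:0:
daemon:x:1:
shadow:x:42:bob
alice:x:1000:
bob:x:1001:
audio:x:1001:
"""
SHADOW = """\
root:$6$saltsalt$constructedhash:19000:0:99999:7:::
alice:$6$saltsalt$constructedhash:19000:0:99999:7:::
bob::19000:0:99999:7:::
toor:!:19000:0:99999:7:::
"""

if __name__ == "__main__":
    for title, items in audit_accounts(PASSWD, GROUP, SHADOW).items():
        print(f"FAIL: {title}: {', '.join(items)}")
```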

Incorrect permissions on /etc/ssh/sshd_config

Category: OS security

OS: Linux

Description

Verifies permissions on the /etc/ssh/sshd_config file. This file needs to be protected from unauthorized changes.

Recommendation

Ensure the /etc/ssh/sshd_config file has the UID and GID set to 0 (root), and does not grant any permissions to group or other users.

Incorrect permissions on SSH private host keys

Category: OS security

OS: Linux

Description

Verifies permissions on all SSH private keys. An SSH private key is a proof of identity.

  • If an unauthorized user obtains the private key, the owner could be impersonated.

Recommendation

Ensure all SSH private keys have UID and GID set to 0 (root) and do not give any permissions to group or other users.

Incorrect permissions on SSH public host keys

Category: OS security

OS: Linux

Description

Verifies permissions on all SSH public keys. A public key is a key that can be used to verify digital signatures generated using a corresponding private key.

  • If the public key is modified by an unauthorized user, the SSH service may be compromised.

Recommendation

Ensure all SSH public keys have UID and GID set to 0 (root) and do not give any permissions to group or other users.

SSH log level is appropriate

Category: OS security

OS: Linux

Description

Verifies that LogLevel is not set to debug in /etc/ssh/sshd_config, as it provides too much information that can be used by an attacker.

Recommendation

Ensure SSH log level is not set to debug.

SSH X11 forwarding is enabled

Category: OS security

OS: Linux

Description

Verifies that X11Forwarding in /etc/ssh/sshd_config is disabled. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server.

Recommendation

Ensure SSH X11 forwarding is disabled.

SSH IgnoreRhosts is disabled

Category: OS security

OS: Linux

Description

Verifies that IgnoreRhosts in /etc/ssh/sshd_config is set to yes. Setting this parameter forces users to enter a password when authenticating with SSH.

Recommendation

Ensure SSH IgnoreRhosts is enabled.

SSH PermitUserEnvironment is enabled

Category: OS security

OS: Linux

Description

Verifies that PermitUserEnvironment in /etc/ssh/sshd_config is disabled. This option allows users to present environment options to the SSH daemon and could potentially allow users to bypass security controls.

Recommendation

Ensure SSH PermitUserEnvironment is disabled.

SSH uses weak ciphers

Category: OS security

OS: Linux

Description

Verifies that Ciphers in /etc/ssh/sshd_config does not contain any weak ciphers.

Recommendation

Ensure only strong Ciphers are being used.

SSH uses weak MAC algorithms

Category: OS security

OS: Linux

Description

Verifies that MACs in /etc/ssh/sshd_config does not contain any weak MAC algorithms.

Recommendation

Ensure only strong MAC algorithms are being used.

SSH uses weak key exchange algorithms

Category: OS security

OS: Linux

Description

Verifies that KexAlgorithms in /etc/ssh/sshd_config does not contain any weak key exchange algorithms.

Recommendation

Ensure only strong key exchange algorithms are being used.

SSH access is not limited

Category: OS security

OS: Linux

Description

Verifies that at least one option limiting which users and groups can access the system (AllowUsers, AllowGroups, DenyUsers, DenyGroups) is being used. Restricting which users can access the system via SSH will help ensure that only authorized users access the system.

Recommendation

Ensure SSH access is limited.

SSH warning banner is not configured

Category: OS security

OS: Linux

Description

Verifies that Banner in /etc/ssh/sshd_config is set. Banners are used to warn connecting users of the site's particular policy regarding connection.

Recommendation

Ensure SSH warning banner is configured.

SSH UsePam is disabled

Category: OS security

OS: Linux

Description

Verifies that UsePam in /etc/ssh/sshd_config is enabled. When UsePam is enabled, the Pluggable Authentication Modules (PAM) service runs through account and session types properly.

This is important if you want to restrict access to services based on IP address.

Recommendation

Ensure SSH PAM is enabled.

SSH AllowTcpForwarding is enabled

Category: OS security

OS: Linux

Description

Verifies that AllowTcpForwarding in /etc/ssh/sshd_config is disabled. Leaving port forwarding enabled can expose the organization to security risks and back-doors.

Recommendation

Ensure SSH AllowTcpForwarding is disabled.

SSH MaxAuthTries is not properly configured

Category: OS security

OS: Linux

Description

Verifies that MaxAuthTries in /etc/ssh/sshd_config is set to 4 or less. Setting MaxAuthTries to a low number will minimize the risk of a successful brute force attack to the SSH server.

Recommendation

Ensure SSH MaxAuthTries option is configured to support up to 4 retries.

SSH LoginGraceTime is not properly configured

Category: OS security

OS: Linux

Description

Verifies that LoginGraceTime in /etc/ssh/sshd_config is set to 1 minute or less. Setting LoginGraceTime to a low number will minimize the risk of a successful brute force attack to the SSH server.

Recommendation

Ensure SSH LoginGraceTime option is configured to wait up to 1 minute.

SSH MaxSessions is not properly configured

Category: OS security

OS: Linux

Description

Verifies that MaxSessions in /etc/ssh/sshd_config is set to 4 or less. Setting MaxSessions to a low number will minimize the risk of overwhelming the SSH daemon.

Recommendation

Ensure the SSH MaxSessions option is configured to allow up to 4 sessions.

SSH MaxStartups is not configured

Category: OS security

OS: Linux

Description

Verifies that MaxStartups in /etc/ssh/sshd_config is set to 10:30:60. This parameter specifies the maximum number of concurrent unauthenticated connections to the SSH daemon.

Recommendation

Ensure SSH MaxStartups option is properly configured.

Mounting cramfs filesystems is enabled

Category: OS security

OS: Linux

Description

Verifies that the mounting of cramfs filesystems is disabled. Removing support for unneeded filesystem types reduces the local attack surface of the server.

Recommendation

Ensure mounting of cramfs filesystem is disabled if not used.

Mounting freevxfs filesystems is enabled

Category: OS security

OS: Linux

Description

Verifies that the mounting of freevxfs filesystems is disabled. Removing support for unneeded filesystem types reduces the local attack surface of the server.

Recommendation

Ensure mounting of freevxfs filesystem is disabled if not used.

Mounting jffs2 filesystems is enabled

Category: OS security

OS: Linux

Description

Verifies that the mounting of jffs2 filesystems is disabled. Removing support for unneeded filesystem types reduces the local attack surface of the server.

Recommendation

Ensure mounting of jffs2 filesystem is disabled if not used.

Mounting hfs filesystems is enabled

Category: OS security

OS: Linux

Description

Verifies that the mounting of hfs filesystems is disabled. Removing support for unneeded filesystem types reduces the local attack surface of the server.

Recommendation

Ensure mounting of hfs filesystem is disabled if not used.

Mounting hfsplus filesystems is enabled

Category: OS security

OS: Linux

Description

Verifies that the mounting of hfsplus filesystems is disabled. Removing support for unneeded filesystem types reduces the local attack surface of the server.

Recommendation

Ensure mounting of hfsplus filesystem is disabled if not used.

Mounting squashfs filesystems is enabled

Category: OS security

OS: Linux

Description

Verifies that the mounting of squashfs filesystems is disabled. Removing support for unneeded filesystem types reduces the local attack surface of the server.

Recommendation

Ensure mounting of squashfs filesystem is disabled if not used.

Mounting udf filesystems is enabled

Category: OS security

OS: Linux

Description

Verifies that the mounting of udf filesystems is disabled. Removing support for unneeded filesystem types reduces the local attack surface of the server.

Recommendation

Ensure mounting of udf filesystem is disabled if not used.

No separate partition for /tmp directory

Category: OS security

OS: Linux

Description

Verifies that /tmp is a filesystem by either mounting tmpfs or a separate partition to /tmp. Making /tmp its own file system allows an administrator to set the noexec option on the mount, rendering /tmp useless in case an attacker attempts to install executable code.

Recommendation

Ensure /tmp is a mountpoint.

nodev option is not set on /tmp partition

Category: OS security

OS: Linux

Description

Verifies that nodev option is set on the /tmp partition. This option ensures that users cannot attempt to create block or character-special devices in /tmp.

Recommendation

Ensure nodev option is set on the /tmp partition.

nosuid option is not set on /tmp partition

Category: OS security

OS: Linux

Description

Verifies that nosuid option is set on the /tmp partition. Since /tmp filesystem is only intended for temporary file storage, this option ensures that users cannot attempt to create setuid files.

Recommendation

Ensure nosuid option is set on the /tmp partition.

noexec option is not set on /tmp partition

Category: OS security

OS: Linux

Description

Verifies that noexec option is set on the /tmp partition. Since /tmp filesystem is only intended for temporary file storage, this option ensures that users cannot attempt to run executable binaries from /tmp.

Recommendation

Ensure noexec option is set on the /tmp partition.

No separate partition for /var folder

Category: OS security

OS: Linux

Description

Verifies the existence of a separate partition for /var. /var may contain world-writable files and directories, thus raising the risk of resource exhaustion if not bound to a separate partition.

Recommendation

Ensure a separate partition is in place for /var.

No separate partition for /var/tmp directory

Category: OS security

OS: Linux

Description

Verifies the existence of a separate partition for /var/tmp. /var/tmp may contain world-writable files and directories, thus raising the risk of resource exhaustion if not bound to a separate partition. A separate partition also allows the nodev, nosuid and noexec options to be set, preventing further vulnerabilities.

Recommendation

Ensure a separate partition is in place for /var/tmp.

nodev option is not set on /var/tmp partition

Category: OS security

OS: Linux

Description

Verifies that nodev option is set on the /var/tmp partition. This option ensures that users cannot attempt to create block or character special devices in /var/tmp.

Recommendation

Ensure the nodev option is set on the /var/tmp partition.

nosuid option is not set on /var/tmp partition

Category: OS security

OS: Linux

Description

Verifies that nosuid option is set on the /var/tmp partition. Since /var/tmp filesystem is only intended for temporary file storage, this option ensures that users cannot attempt to create setuid files.

Recommendation

Ensure the nosuid option is set on the /var/tmp partition.

noexec option is not set on /var/tmp partition

Category: OS security

OS: Linux

Description

Verifies that noexec option is set on the /var/tmp partition. Since /var/tmp filesystem is only intended for temporary file storage, this option ensures that users cannot attempt to run executable binaries from /var/tmp.

Recommendation

Ensure the noexec option is set on the /var/tmp partition.

No separate partition for /var/log directory

Category: OS security

OS: Linux

Description

Verifies the existence of a separate partition for the /var/log directory. /var/log should be on a separate partition to prevent resource exhaustion and protect audit data.

Recommendation

Ensure a separate partition is in place for /var/log.

No separate partition for /var/log/audit directory

Category: OS security

OS: Linux

Description

Verifies the existence of a separate partition for /var/log/audit. /var/log/audit should be on a separate partition to prevent resource exhaustion and protect audit data.

Recommendation

Ensure a separate partition is in place for /var/log/audit.

No separate partition for /home directory

Category: OS security

OS: Linux

Description

Verifies the existence of a separate partition for /home. This protects against resource exhaustion and can restrict the type of files that can be stored under /home.

Recommendation

Ensure a separate partition is in place for /home.

nodev option is not set on /home partition

Category: OS security

OS: Linux

Description

Verifies that the nodev option is set on the /home partition. This option ensures that users cannot attempt to create block or character special devices in /home.

Recommendation

Ensure the nodev option is set on /home partition.

nodev option is not set on /dev/shm partition

Category: OS security

OS: Linux

Description

Verifies that the nodev option is set on the /dev/shm partition. This option ensures that users cannot attempt to create block or character special devices in /dev/shm.

Recommendation

Ensure the nodev option is set on the /dev/shm partition.

nosuid option is not set on /dev/shm partition

Category: OS security

OS: Linux

Description

Verifies that the nosuid option is set on the /dev/shm partition. Since /dev/shm filesystem is only intended for temporary file storage, this option ensures that users cannot attempt to create setuid files.

Recommendation

Ensure the nosuid option is set on the /dev/shm partition.

noexec option is not set on /dev/shm partition

Category: OS security

OS: Linux

Description

Verifies that the noexec option is set on the /dev/shm partition. Since /dev/shm filesystem is only intended for temporary file storage, this option ensures that users cannot attempt to run executable binaries from /dev/shm.

Recommendation

Ensure the noexec option is set on the /dev/shm partition.
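The separate-partition and mount-option checks above (from "No separate partition for /tmp directory" through "noexec option is not set on /dev/shm partition") can be verified from /etc/fstab or /proc/mounts, which share the same field layout. Below is an added example, not code from this documentation or its vendor, that runs those checks over a constructed weak fstab and a constructed hardened one; the UUIDs and layout are invented.

```python
import re

# Mount options each temporary or user-writable file system must carry (from the checks above).
REQUIRED_OPTIONS = {
    "/tmp": ("nodev", "nosuid", "noexec"),
    "/var/tmp": ("nodev", "nosuid", "noexec"),
    "/dev/shm": ("nodev", "nosuid", "noexec"),
    "/home": ("nodev",),
}
# Directories that must be their own mount point, with the titles the checks above use.
SEPARATE_PARTITIONS = {
    "/tmp": "No separate partition for /tmp directory",
    "/var": "No separate partition for /var folder",
    "/var/tmp": "No separate partition for /var/tmp directory",
    "/var/log": "No separate partition for /var/log directory",
    "/var/log/audit": "No separate partition for /var/log/audit directory",
    "/home": "No separate partition for /home directory",
}


def parse_mounts(text):
    """Map mount point -> {fstype, options} from /etc/fstab or /proc/mounts formatted lines."""
    mounts = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4:
            continue
        _device, mountpoint, fstype, options = fields[:4]
        # /proc/mounts escapes whitespace in paths as octal (\040); decode it.
        mountpoint = re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), mountpoint)
        mounts[mountpoint] = {"fstype": fstype, "options": set(options.split(","))}
    return mounts


def audit_mounts(text):
    """Return the titles of the partition and mount option checks above that fail."""
    mounts = parse_mounts(text)
    findings = [title for path, title in SEPARATE_PARTITIONS.items() if path not in mounts]
    for path, required in REQUIRED_OPTIONS.items():
        if path not in mounts:  # a missing mount point is covered by the separate partition checks
            continue
        # "defaults" implies dev, suid and exec, so only an explicit option counts.
        findings += [f"{opt} option is not set on {path} partition"
                     for opt in required if opt not in mounts[path]["options"]]
    return findings


# Constructed fstab contents: the weak layout beside the corrected one.
WEAK_FSTAB = """\
UUID=0000-root  /         ext4   defaults                      0 1
tmpfs           /tmp      tmpfs  defaults,nosuid,nodev         0 0
UUID=0000-var   /var      ext4   defaults                      0 2
UUID=0000-vtmp  /var/tmp  ext4   defaults,nodev                0 2
UUID=0000-home  /home     ext4   defaults                      0 2
tmpfs           /dev/shm  tmpfs  defaults,nodev,nosuid,noexec  0 0
"""
HARDENED_FSTAB = """\
UUID=0000-root   /               ext4   defaults                      0 1
tmpfs            /tmp            tmpfs  defaults,nodev,nosuid,noexec  0 0
UUID=0000-var    /var            ext4   defaults                      0 2
UUID=0000-vtmp   /var/tmp        ext4   defaults,nodev,nosuid,noexec  0 2
UUID=0000-log    /var/log        ext4   defaults                      0 2
UUID=0000-audit  /var/log/audit  ext4   defaults                      0 2
UUID=0000-home   /home           ext4   defaults,nodev                0 2
tmpfs            /dev/shm        tmpfs  defaults,nodev,nosuid,noexec  0 0
"""

if __name__ == "__main__":
    for title in audit_mounts(WEAK_FSTAB):
        print("FAIL:", title)
    print("hardened layout findings:", audit_mounts(HARDENED_FSTAB))
```

Running the audit over /proc/mounts rather than /etc/fstab reports what is actually mounted, which also covers /tmp mounted by a systemd tmp.mount unit instead of an fstab line.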

USB Storage is enabled

Category: OS security

OS: Linux

Description

Verifies that usb-storage is disabled. Restricting USB access on the system will decrease the physical attack surface for a device.

Recommendation

Ensure USB Storage is disabled if not used.

Automounting is enabled

Category: OS security

OS: Linux

Description

Verifies that autofs is disabled. autofs allows automounting of devices.

With automounting enabled, anyone with physical access can attach a device and have its contents available in the system even if they lack permissions to mount it.

Recommendation

Ensure Automounting is disabled.

SSH protocol version should be set to 2

Category: OS security

OS: Linux

Description

Verifies that Protocol in /etc/ssh/sshd_config is set to 2. SSH v1 suffers from insecurities that do not affect SSH v2.

Recommendation

Ensure SSH Protocol is set to 2.
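The OpenSSH checks above (from "OpenSSH root login is enabled" through "SSH MaxStartups is not configured", plus "SSH protocol version should be set to 2") are all decided by keywords in /etc/ssh/sshd_config. The following is an added example, not code from this documentation or its vendor, that parses such a file and reports the checks it fails; the keyword defaults, the weak-algorithm substrings and the sample configuration are assumptions made for this example.

```python
import re

# Values sshd applies when a keyword is absent (recent OpenSSH defaults, assumed for this example).
DEFAULTS = {
    "port": "22", "permitrootlogin": "prohibit-password", "permitemptypasswords": "no",
    "hostbasedauthentication": "no", "clientaliveinterval": "0", "clientalivecountmax": "3",
    "passwordauthentication": "yes", "loglevel": "INFO", "x11forwarding": "no",
    "ignorerhosts": "yes", "permituserenvironment": "no", "banner": "none", "usepam": "no",
    "allowtcpforwarding": "yes", "maxauthtries": "6", "logingracetime": "120",
    "maxsessions": "10", "maxstartups": "10:30:100", "protocol": "2",
}
# Substrings that mark an algorithm as weak (assumed lists, modelled on common benchmarks).
WEAK_CIPHERS = ("-cbc", "arcfour", "3des")
WEAK_MACS = ("md5", "ripemd", "umac-64", "sha1-96")
WEAK_KEX = ("group1-sha1", "group14-sha1", "group-exchange-sha1")

def parse_sshd_config(text):
    """Return {keyword (lowercased): first value}. sshd honours the first occurrence of a
    keyword, and everything after the first Match line is conditional, so parsing stops there."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        cfg.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return cfg

def seconds(value):
    """Convert an sshd time value such as '60', '1m' or '2h30m' to seconds."""
    units = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
    return sum(int(n) * units[u] for n, u in re.findall(r"(\d+)([smhdw]?)", value.lower()))

def audit_sshd(text):
    """Return the titles of the checks above that the configuration fails."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []

    def flag(condition, title):
        if condition:
            findings.append(title)

    val = lambda key: cfg[key].lower()
    flag(val("port") == "22", "OpenSSH runs on the default port")
    flag(val("permitrootlogin") != "no", "OpenSSH root login is enabled")
    flag(val("permitemptypasswords") == "yes", "OpenSSH PermitEmptyPasswords is enabled")
    flag(val("hostbasedauthentication") == "yes", "OpenSSH HostbasedAuthentication is enabled")
    flag(int(val("clientaliveinterval")) == 0 or int(val("clientalivecountmax")) == 0,
         "OpenSSH idle timeout interval is not configured")
    flag(val("passwordauthentication") == "yes", "OpenSSH Password login")
    flag(val("loglevel").startswith("debug"), "SSH log level is appropriate")
    flag(val("x11forwarding") == "yes", "SSH X11 forwarding is enabled")
    flag(val("ignorerhosts") == "no", "SSH IgnoreRhosts is disabled")
    flag(val("permituserenvironment") == "yes", "SSH PermitUserEnvironment is enabled")
    flag(not any(k in cfg for k in ("allowusers", "allowgroups", "denyusers", "denygroups")),
         "SSH access is not limited")
    flag(val("banner") == "none", "SSH warning banner is not configured")
    flag(val("usepam") == "no", "SSH UsePam is disabled")
    flag(val("allowtcpforwarding") == "yes", "SSH AllowTcpForwarding is enabled")
    flag(int(val("maxauthtries")) > 4, "SSH MaxAuthTries is not properly configured")
    flag(seconds(val("logingracetime")) > 60, "SSH LoginGraceTime is not properly configured")
    flag(int(val("maxsessions")) > 4, "SSH MaxSessions is not properly configured")
    flag(val("maxstartups") != "10:30:60", "SSH MaxStartups is not configured")
    flag("1" in val("protocol").split(","), "SSH protocol version should be set to 2")
    for key, weak, title in (("ciphers", WEAK_CIPHERS, "SSH uses weak ciphers"),
                             ("macs", WEAK_MACS, "SSH uses weak MAC algorithms"),
                             ("kexalgorithms", WEAK_KEX, "SSH uses weak key exchange algorithms")):
        # A leading '+' appends to and '^' prepends to the default list; a leading '-' removes
        # the named algorithms, so a '-' list naming weak ones is not a finding.
        enabled = key in cfg and not cfg[key].startswith("-")
        algorithms = val(key).lstrip("+^").split(",") if enabled else []
        flag(any(w in a for a in algorithms for w in weak), title)
    return findings

# Constructed sample: a distribution-style default file with a few hardening lines added.
SAMPLE = """\
Port 22
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 3
LoginGraceTime 2m
ClientAliveInterval 300
ClientAliveCountMax 0
UsePAM yes
AllowGroups sshusers
Ciphers aes256-gcm@openssh.com,aes128-cbc
MaxStartups 10:30:60
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for title in audit_sshd(SAMPLE):
        print("FAIL:", title)
```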

MongoDB authentication is not configured

Category: OS security

OS: Linux

Description

Verifies that authorization in /etc/mongod.conf is enabled. This ensures that all clients, users and servers are required to authenticate before being granted access to the MongoDB database.

Recommendation

Ensure MongoDB authentication is configured.

MongoDB allows authentication bypass via localhost exception

Category: OS security

OS: Linux

Description

Verifies that setParameter.enableLocalhostAuthBypass in /etc/mongod.conf is set to false. The localhost exception lets an unauthenticated connection from the local host act as administrator while no users exist yet; disabling it prevents unauthorized local access to the MongoDB database and keeps every database action traceable to a specific user.

Recommendation

Ensure that MongoDB does not bypass authentication via the localhost exception.

MongoDB authentication is not enabled in the sharded cluster

Category: OS security

OS: Linux

Description

Verifies that net.tls.certificateKeyFile, net.tls.CAFile and net.tls.clusterFile in /etc/mongod.conf are configured and that security.clusterAuthMode is set to x509. Requiring every member to present a certificate prevents an unauthorized node from joining the sharded cluster and keeps database activity traceable to a specific user or component.

Recommendation

Ensure MongoDB authentication is enabled in the sharded cluster.

MongoDB listens on all interfaces

Category: OS security

OS: Linux

Description

Verifies that net.bindIp in /etc/mongod.conf is set to specific interface addresses rather than 0.0.0.0. mongod then accepts connections only on the listed addresses, so only systems that can reach those interfaces can attempt to connect. bindIp restricts where the service listens; it is not a substitute for a host firewall.

Recommendation

Ensure MongoDB only listens for network connections on authorized interfaces.

MongoDB does not use TLS

Category: OS security

OS: Linux

Description

Verifies that net.tls.mode in /etc/mongod.conf is set to 'requireTLS'. With TLS required, an attacker on the network path cannot read cleartext traffic between clients and MongoDB components or stage a man-in-the-middle attack against them.

Recommendation

Ensure MongoDB encrypts data in transit with TLS.
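
One script that audits all five MongoDB findings above (authorization, localhost exception, cluster authentication, bindIp, TLS), added here as an example and not part of the product. `flatten_yaml` is a minimal reader for the `key: value` nested-mapping layout of mongod.conf, not a YAML parser; the option paths it checks (security.authorization, setParameter.enableLocalhostAuthBypass, net.bindIp, net.tls.mode, security.clusterAuthMode) are the real mongod names, and the two sample configs, including their certificate paths, are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit /etc/mongod.conf for the five MongoDB findings above.

# Flatten the "key: value" / nested-mapping subset of YAML that mongod.conf uses into
# dotted paths, one "path=value" per line. Indentation must be spaces (YAML forbids tabs).
# Sequences ("- item") and multi-line scalars are not handled: this reads the config
# layout, it is not a YAML parser.
flatten_yaml() {
  awk '
    /^[[:space:]]*(#|$)/ { next }                        # comments and blank lines
    {
      match($0, /^ */); ind = RLENGTH
      line = substr($0, ind + 1)
      sub(/[[:space:]]+#.*$/, "", line)                  # trailing comment
      key = line; sub(/:.*$/, "", key)
      val = line; sub(/^[^:]*:[[:space:]]*/, "", val)
      gsub(/^"|"$/, "", val)                             # surrounding double quotes
      while (depth > 0 && stackind[depth] >= ind) depth--  # leave sibling/deeper keys
      depth++; stackkey[depth] = key; stackind[depth] = ind
      if (val != "") {
        path = stackkey[1]
        for (i = 2; i <= depth; i++) path = path "." stackkey[i]
        print path "=" val
      }
    }' "$1"
}

# Value of a dotted option path; the last occurrence wins if a key is repeated.
conf_get() { flatten_yaml "$1" | sed -n "s/^$2=//p" | tail -n 1; }

# One line per finding; prints nothing for a compliant file.
mongod_findings() {
  f=$1
  [ "$(conf_get "$f" security.authorization)" = enabled ] \
    || echo "security.authorization is not 'enabled': clients connect without authenticating"
  [ "$(conf_get "$f" setParameter.enableLocalhostAuthBypass)" = false ] \
    || echo "setParameter.enableLocalhostAuthBypass is not 'false': localhost exception still open"
  case ",$(conf_get "$f" net.bindIp)," in
    ",,") echo "net.bindIp not set: relies on the localhost-only default; set it explicitly" ;;
    *,0.0.0.0,*|*,::,*|*,\*,*) echo "net.bindIp is a wildcard: listening on every interface" ;;
  esac
  [ "$(conf_get "$f" net.bindIpAll)" != true ] \
    || echo "net.bindIpAll: true overrides bindIp and listens on every interface"
  [ "$(conf_get "$f" net.tls.mode)" = requireTLS ] \
    || echo "net.tls.mode is not 'requireTLS': cleartext connections accepted"
  [ "$(conf_get "$f" security.clusterAuthMode)" = x509 ] \
    || echo "security.clusterAuthMode is not 'x509' (needed for sharded clusters / replica sets)"
}

DEMO=$(mktemp -d); trap 'rm -rf "$DEMO"' EXIT
# Constructed sample: a mongod.conf carrying the weak settings (not from any real deployment).
cat > "$DEMO/weak.conf" <<'EOF'
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0   # reachable from every network
EOF
# Constructed sample: the same file with all five settings corrected; certificate paths are placeholders.
cat > "$DEMO/hardened.conf" <<'EOF'
storage:
  dbPath: /var/lib/mongodb
security:
  authorization: enabled
  clusterAuthMode: x509
setParameter:
  enableLocalhostAuthBypass: false
net:
  port: 27017
  bindIp: 127.0.0.1,10.10.0.5
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/mongodb-ca.pem
    clusterFile: /etc/ssl/mongodb-cluster.pem
EOF
for c in weak hardened; do
  echo "== $c.conf"
  mongod_findings "$DEMO/$c.conf"
done
# Against the real host:  mongod_findings /etc/mongod.conf
```

The file is only what mongod was told to read; to confirm what the running process actually uses, ask it with `mongosh --eval 'db.adminCommand({getCmdLineOpts: 1})'` and confirm the listening sockets with `ss -ltnp`.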

xinetd is enabled

Category: OS security

OS: Linux

Description

The eXtended InterNET Daemon (xinetd) is an open source super-server that replaced the original inetd daemon and starts other network services on demand. If no xinetd-managed services are required, we recommend you disable the daemon.

Recommendation

Ensure xinetd.service is not enabled in systemd.

chargen services are enabled

Category: OS security

OS: Linux

Description

chargen is a network service that answers any connection with a continuous stream of characters. This service is intended for debugging and testing purposes, and because it returns far more data than it receives it is also abused as a DDoS amplifier. We recommend you keep this service disabled.

Recommendation

Ensure chargen is disabled in /etc/inetd.* and /etc/xinetd.*.

daytime services are enabled

Category: OS security

OS: Linux

Description

daytime is a network service that responds with the server's current date and time. This service is intended for debugging and testing purposes. We recommend you keep this service disabled.

Recommendation

Ensure daytime is disabled in /etc/inetd.* and /etc/xinetd.*.

discard services are enabled

Category: OS security

OS: Linux

Description

discard is a network service that simply discards all data it receives. This service is intended for debugging and testing purposes. We recommend you keep this service disabled.

Recommendation

Ensure discard is disabled in /etc/inetd.* and /etc/xinetd.*.

echo services are enabled

Category: OS security

OS: Linux

Description

echo is a network service that responds to clients with the data sent to it by the client. This service is intended for debugging and testing purposes. We recommend you keep this service disabled.

Recommendation

Ensure echo is disabled in /etc/inetd.* and /etc/xinetd.*.

time services are enabled

Category: OS security

OS: Linux

Description

time is a network service that responds with the server's current date and time as a 32-bit integer. This service is intended for debugging and testing purposes. We recommend you keep this service disabled.

Recommendation

Ensure time is disabled in /etc/inetd.* and /etc/xinetd.*.

Berkeley rsh-server services are enabled

Category: Network and credentials

OS: Linux

Description

The Berkeley rsh-server (rsh, rlogin, rexec) package contains legacy services that exchange clear-text credentials. These legacy services contain numerous security exposures and have been replaced with the more secure SSH package.

Recommendation

Ensure the shell, login, exec services are disabled in /etc/inetd.* and /etc/xinetd.*.

talk server is enabled

Category: Network and credentials

OS: Linux

Description

The talk software lets users send and receive messages across systems through a terminal session. The talk client (which initiates talk sessions) is installed by default. The software presents a security risk because it uses unencrypted protocols for communication.

Recommendation

Ensure talk and ntalk are disabled in /etc/inetd.* and /etc/xinetd.*.

telnet server is enabled

Category: Network and credentials

OS: Linux

Description

The telnet protocol is insecure and unencrypted: anyone who can capture traffic on the network path can read the whole session, credentials included. The ssh package provides an encrypted session and stronger security.

Recommendation

Ensure telnet is disabled in /etc/inetd.* and /etc/xinetd.*.

TFTP server is enabled

Category: Network and credentials

OS: Linux

Description

The TFTP server does not support authentication nor does it ensure the confidentiality or integrity of data. We recommend you remove TFTP unless there is a specific need for it, in which case, extreme caution must be used when configuring the services.

Recommendation

Ensure tftp is disabled in /etc/inetd.* and /etc/xinetd.*.

CUPS is enabled

Category: Network and credentials

OS: Linux

Description

The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. If the system does not need to print jobs or accept print jobs from other systems, we recommend you remove CUPS to reduce the potential attack surface.

Recommendation

Ensure cups is disabled in systemd.

DHCP server is enabled

Category: Network and credentials

OS: Linux

Description

The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses. Unless a system is specifically set up to act as a DHCP server, we recommend you disable this service to reduce the potential attack surface.

Recommendation

Ensure dhcpd and isc-dhcp-server are disabled in systemd.

LDAP server is enabled

Category: Network and credentials

OS: Linux

Description

The Lightweight Directory Access Protocol (LDAP) is a service that provides a method for looking up information from a central database. If the system will not need to act as an LDAP server, we recommend you disable this service to reduce the potential attack surface.

Recommendation

Ensure slapd is disabled in systemd.

NFS is enabled

Category: Network and credentials

OS: Linux

Description

The Network File System (NFS) provides the ability for systems to mount file systems of other servers through the network. If the system does not export NFS shares or act as an NFS client, we recommend you disable this service to reduce the remote attack surface.

Recommendation

Ensure nfs-server is disabled in systemd.

RPC is enabled

Category: Network and credentials

OS: Linux

Description

Remote Procedure Call (RPC) is a method for creating low level client server applications across different system architectures. If RPC is not required, we recommend you disable this service to reduce the remote attack surface.

Recommendation

Ensure rpcbind is disabled in systemd.

DNS Server is enabled

Category: Network and credentials

OS: Linux

Description

The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network. Unless a system is specifically designated to act as a DNS server, we recommend you disable the service to reduce the potential attack surface.

Recommendation

Ensure named and bind9 are disabled in systemd.

HTTP Server is enabled

Category: Network and credentials

OS: Linux

Description

HTTP or web servers provide the ability to host web site content. Unless there is a need to run the system as a web server, we recommend you disable the service to reduce the potential attack surface.

Recommendation

Ensure httpd and apache2 are disabled in systemd.

IMAP and POP3 Servers are enabled

Category: Network and credentials

OS: Linux

Description

Unless POP3 and/or IMAP servers are to be provided by the operating system, we recommend you disable the service to reduce the potential attack surface.

Recommendation

Ensure dovecot is disabled in systemd.

NIS Server is enabled

Category: Network and credentials

OS: Linux

Description

The NIS server is a collection of programs that allow the distribution of configuration files. The NIS service is inherently insecure and has been vulnerable to DoS attacks. We recommend you remove this service and use other, more secure services.

Recommendation

Ensure nis, ypserv are disabled in systemd.
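
One audit script for the inetd/xinetd findings above (chargen, daytime, discard, echo, time, rsh, talk, telnet, TFTP) and the systemd-unit findings (xinetd, CUPS, DHCP, LDAP, NFS, RPC, DNS, HTTP, IMAP/POP3, NIS), added here as an example and not part of the product. The unit names are the ones the recommendations above list; the sample inetd.conf and xinetd.d stanzas are constructed for the demonstration, and the systemd part only runs where `systemctl` exists.

```shell
#!/bin/sh
# Added example: find enabled legacy inetd/xinetd services and enabled systemd units.

# Service names from the findings above, as they appear in inetd.conf / xinetd.d.
LEGACY_INETD="chargen daytime discard echo time shell login exec talk ntalk telnet tftp"
# systemd units from the findings above (distribution names vary, so both spellings are listed).
LEGACY_UNITS="xinetd cups dhcpd isc-dhcp-server slapd nfs-server rpcbind named bind9 httpd apache2 dovecot nis ypserv"

# inetd.conf: every non-comment line is an active service; the first field is the
# service name, optionally prefixed with a listen address ("10.0.0.1:telnet").
inetd_enabled() {
  [ -f "$1" ] || return 0
  awk '!/^[[:space:]]*(#|$)/ { n = $1; sub(/^.*:/, "", n); print n }' "$1"
}

# xinetd.d: a "service NAME { ... }" stanza is active unless it contains "disable = yes".
# (The rarely used "disabled = list" inside a defaults block is not parsed.)
xinetd_enabled() {
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    awk '
      /^[[:space:]]*#/ { next }
      /^[[:space:]]*service[[:space:]]+/ { name = $2; disabled = 0 }
      /^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes/ { disabled = 1 }
      /^[[:space:]]*}/ { if (name != "" && !disabled) print name; name = "" }
    ' "$f"
  done
}

# Report enabled services whose base name (chargen-dgram -> chargen) is on the legacy list.
legacy_inetd_findings() {
  { inetd_enabled "$1"; xinetd_enabled "$2"; } | sort -u | while read -r svc; do
    base=${svc%-dgram}; base=${base%-stream}; base=${base%-udp}; base=${base%-tcp}
    case " $LEGACY_INETD " in
      *" $base "*) echo "legacy inetd service enabled: $svc" ;;
    esac
  done
}

# systemd: flag units that start at boot or are running now (static units cannot be
# "enabled" yet can still be active, hence both questions are asked).
enabled_units() {
  command -v systemctl >/dev/null 2>&1 || { echo "systemctl not available; skipping unit check" >&2; return 0; }
  for u in $LEGACY_UNITS; do
    en=$(systemctl is-enabled "$u" 2>/dev/null) || true
    ac=$(systemctl is-active "$u" 2>/dev/null) || true
    case "$en:$ac" in
      enabled:*|*:active) echo "unit $u: is-enabled=${en:-?} is-active=${ac:-?}" ;;
    esac
  done
}

DEMO=$(mktemp -d); trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/xinetd.d"
# Constructed sample inetd.conf: telnet and ntalk active, ftp commented out.
cat > "$DEMO/inetd.conf" <<'EOF'
# <service> <type> <proto> <flags> <user> <server> <args>
telnet  stream  tcp  nowait  root        /usr/sbin/tcpd  in.telnetd
ntalk   dgram   udp  wait    nobody.tty  /usr/sbin/tcpd  in.ntalkd
#ftp    stream  tcp  nowait  root        /usr/sbin/tcpd  in.ftpd
EOF
# Constructed sample xinetd.d stanzas: chargen-dgram on, tftp off, rsync on (not a legacy service).
cat > "$DEMO/xinetd.d/chargen-dgram" <<'EOF'
service chargen-dgram
{
    type        = INTERNAL
    socket_type = dgram
    wait        = yes
    disable     = no
}
EOF
cat > "$DEMO/xinetd.d/tftp" <<'EOF'
service tftp
{
    socket_type = dgram
    server      = /usr/sbin/in.tftpd
    disable     = yes
}
EOF
cat > "$DEMO/xinetd.d/rsync" <<'EOF'
service rsync
{
    socket_type = stream
    server      = /usr/bin/rsync
    disable     = no
}
EOF
legacy_inetd_findings "$DEMO/inetd.conf" "$DEMO/xinetd.d"
# Against the real host:  legacy_inetd_findings /etc/inetd.conf /etc/xinetd.d; enabled_units
```

A disabled stanza is only half the story: if the service binary is still installed, a later package update or a careless edit can re-enable it, so removing the package (or masking the unit with `systemctl mask`) is the more durable fix.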

IP Forwarding is enabled

Category: Network and credentials

OS: Linux

Description

The net.ipv4.ip_forward and net.ipv6.conf.all.forwarding sysctl flags tell the kernel whether it may forward packets between interfaces. Setting both to 0 ensures that a system with multiple interfaces (for example, a hard proxy) never forwards packets and consequently never serves as a router.

Recommendation

Ensure the net.ipv4.ip_forward and net.ipv6.conf.all.forwarding flags are set to 0.
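
An added example for the IP forwarding finding above, not part of the product. The running value is one `sysctl -n` away; the harder question is what the host will boot with, because `sysctl --system` applies drop-ins from several directories, masks files by basename and lets the last assignment win. `sysctl_files` and `persistent_sysctl` reproduce that ordering so the persistent value can be audited; the directory list mirrors the search order documented for procps `sysctl --system`, and the sample drop-ins are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: determine the effective persistent value of the IP forwarding sysctls.

# List sysctl drop-in files the way `sysctl --system` applies them: directories are given
# in priority order (highest first); a file masks any later file with the same basename;
# the survivors are applied in lexical basename order, so the last assignment wins.
# /etc/sysctl.conf is read after all drop-ins; the caller appends it explicitly.
sysctl_files() {
  TAB=$(printf '\t')
  for d in "$@"; do
    for f in "$d"/*.conf; do
      [ -f "$f" ] && printf '%s\t%s\n' "$(basename "$f")" "$f"
    done
  done | awk -F"$TAB" '!seen[$1]++' | LC_ALL=C sort -t "$TAB" -k1,1 | cut -f2
}

# persistent_sysctl KEY FILE...  -> value after FILEs are applied in order, "" if none sets KEY
# (an unset key means the kernel default, which is 0 for both forwarding flags).
persistent_sysctl() {
  key=$1; shift
  for f in "$@"; do
    [ -f "$f" ] && sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$f"
  done | sed 's/[[:space:]]*$//' | tail -n 1
}

# The directories procps' sysctl --system consults, in precedence order.
SYSCTL_DIRS="/etc/sysctl.d /run/sysctl.d /usr/local/lib/sysctl.d /usr/lib/sysctl.d /lib/sysctl.d"

# Live report: running value versus what the configuration files will restore at boot.
# (Paths are word-split, so directories with spaces in their names are not supported.)
forwarding_report() {
  for key in net.ipv4.ip_forward net.ipv6.conf.all.forwarding; do
    now=$(sysctl -n "$key" 2>/dev/null || echo '?')
    boot=$(persistent_sysctl "$key" $(sysctl_files $SYSCTL_DIRS) /etc/sysctl.conf)
    printf '%-30s running=%s persistent=%s\n' "$key" "$now" "${boot:-unset}"
  done
}
# Remediation (as root): a 99- drop-in wins over vendor files, then re-apply everything.
#   printf 'net.ipv4.ip_forward = 0\nnet.ipv6.conf.all.forwarding = 0\n' > /etc/sysctl.d/99-no-forwarding.conf
#   sysctl --system

DEMO=$(mktemp -d); trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/usr" "$DEMO/etc"
# Constructed samples: a vendor drop-in enables both flags ...
printf 'net.ipv4.ip_forward = 1\nnet.ipv6.conf.all.forwarding = 1\n' > "$DEMO/usr/10-vendor.conf"
# ... a same-named file in the higher-priority directory masks it entirely ...
printf '# masks the vendor file of the same name\n' > "$DEMO/etc/10-vendor.conf"
# ... a local drop-in turns IPv4 forwarding back on ...
printf 'net.ipv4.ip_forward = 1\n' > "$DEMO/etc/50-router.conf"
# ... and a high-numbered hardening drop-in has the last word.
printf 'net.ipv4.ip_forward = 0\n' > "$DEMO/etc/99-hardening.conf"
: > "$DEMO/sysctl.conf"

echo "files in application order:"; sysctl_files "$DEMO/etc" "$DEMO/usr"
for key in net.ipv4.ip_forward net.ipv6.conf.all.forwarding; do
  v=$(persistent_sysctl "$key" $(sysctl_files "$DEMO/etc" "$DEMO/usr") "$DEMO/sysctl.conf")
  printf '%s -> %s\n' "$key" "${v:-unset (kernel default 0)}"
done
if [ "${1:-}" = live ]; then forwarding_report; fi
```

Run with `live` for the real host. Expect a mismatch between running and persistent values on hosts that run Docker, libvirt or a Kubernetes kubelet: those daemons switch net.ipv4.ip_forward on themselves at start-up, so on such hosts the finding has to be resolved by design (a dedicated forwarding host) rather than by a sysctl file.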

Log4j with Denial of Service Present

Category: Network and credentials

OS: Linux

Description

Verifies whether a vulnerable version of the log4j library is present on disk. Versions affected by CVE-2021-45105 evaluate lookups recursively without a depth limit, so when the logging configuration uses a pattern layout with a Context Lookup, an attacker who controls the looked-up value can supply a self-referential string that causes uncontrolled recursion and terminates the process (denial of service).

Recommendation

Avoid using Log4j versions 2.x up to and including 2.16.0, except 2.12.3 (Java 7) and 2.3.1 (Java 6), which fix the issue; upgrade to 2.17.0 or later.

Log4j with Remote Code Execution Present

Category: Network and credentials

OS: Linux

Description

Verifies whether a vulnerable version of the log4j library is present on disk. Versions affected by CVE-2021-44228 and CVE-2021-45046 resolve JNDI lookups embedded in logged data, so an attacker who can get a crafted ${jndi:...} reference into a log message can make the application fetch a malicious class from a server they control and execute it.

Recommendation

Avoid using Log4j versions 2.x up to and including 2.15.0, except 2.12.2 (Java 7) and 2.3.1 (Java 6), which fix these two issues; upgrade to 2.16.0 or later, preferably 2.17.0 or later, which also closes the denial of service above.
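
An added example that serves both Log4j findings above; it is not the product's detection logic. `log4j_verdict` maps a log4j-core version to RCE, DOS or OK according to the affected ranges stated in the two recommendations, and `scan_jars` finds jars on disk and reads the version Maven stamps into `META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties`. It assumes `unzip` and a `sort` that understands `-V` (GNU or BusyBox), handles numeric release versions only (pre-release tags such as 2.0-beta9 are out of scope), and the version strings in the demonstration loop are constructed, not read from any host.

```shell
#!/bin/sh
# Added example: locate log4j-core jars on disk and classify their version against the two
# findings above (CVE-2021-44228/CVE-2021-45046 -> RCE, CVE-2021-45105 -> DOS).

# a < b in version order (GNU/BusyBox `sort -V`). Numeric releases only.
ver_lt() { [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]; }

# Verdict for a log4j-core version, following the Apache advisories:
#   RCE     2.0 .. 2.15.0 (CVE-2021-44228, CVE-2021-45046), except the fixed 2.12.2 / 2.3.1
#   DOS     2.16.0 and 2.12.2 (CVE-2021-45105)
#   OK      2.17.0+, 2.12.3+, 2.3.1+
#   LOG4J1  1.x is a different code base and is not covered by these checks
log4j_verdict() {
  v=$1
  case "$v" in
    1.*) echo LOG4J1; return ;;
    2.3|2.3.*)                              # Java 6 branch
      if ver_lt "$v" 2.3.1; then echo RCE; else echo OK; fi; return ;;
    2.12.*)                                 # Java 7 branch
      if ver_lt "$v" 2.12.2; then echo RCE
      elif ver_lt "$v" 2.12.3; then echo DOS
      else echo OK; fi; return ;;
  esac
  if ver_lt "$v" 2.16.0; then echo RCE
  elif ver_lt "$v" 2.17.0; then echo DOS
  else echo OK; fi
}

# Walk ROOT for jars and read the Maven version stamped into log4j-core's pom.properties.
# Shaded/fat jars and WAR/EAR archives embed log4j-core without that file; for those,
# look for the class itself instead:  unzip -l "$jar" | grep -q 'JndiLookup.class'
scan_jars() {
  find "${1:-/}" -xdev -type f -name '*.jar' 2>/dev/null | while read -r jar; do
    v=$(unzip -p "$jar" 'META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties' 2>/dev/null \
        | sed -n 's/^version=//p' | tr -d '\r')
    [ -n "$v" ] || continue
    printf '%s\t%s\t%s\n' "$(log4j_verdict "$v")" "$v" "$jar"
  done
}

# Constructed sample versions showing each verdict (not read from any host).
for v in 2.14.1 2.15.0 2.16.0 2.17.0 2.12.2 2.12.3 2.3.1 1.2.17; do
  printf '%-8s %s\n' "$v" "$(log4j_verdict "$v")"
done
# Scan a tree when a root is given:  sh log4j-scan.sh /opt
if [ $# -gt 0 ]; then scan_jars "$1"; fi
```

A clean scan of the file system is necessary but not sufficient: applications that unpack jars into temporary directories at start-up, or that ship log4j-core inside a fat jar, only show up in the `JndiLookup.class` listing or in the class path of the running JVM (`jcmd <pid> VM.classloader_stats` / `lsof -p <pid> | grep log4j`).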