Findings
Windows findings
Task Manager
Category: OS security
OS: Windows
Description
Verifies the local group policy settings for User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options\Remove Task Manager.
When Remove Task Manager is enabled, the endpoint is vulnerable to security threats. Since Task Manager can list and terminate currently running processes, some malware may disable it to prevent themselves from being closed.
Recommendation
Keep the Task Manager enabled on all endpoints.
Smart Card Service
Category: OS security
OS: Windows
Description
Verifies the settings for Smart Card local service.
The Smart Card Service provides smart cards read access and public key services support through a process running in the background (scardsvr.exe
).Though this Windows service is rated to be quite safe, some malware programs may disguise themselves as scardsvr.exe
.
Recommendation
Disable this service if it is not used explicitly on endpoints.
Telnet Server Service
Category: Network and credentials
OS: Windows
Description
Verifies if the Telnet Server service is installed and enabled on endpoint.
Telnet is one of the earliest TCP/IP protocols allowing access to remote endpoints via terminal sessions. Telnet provides no built-in security measures (such as data encryption or authentication) and using it exposes endpoints to security risks.
Recommendation
Disable Telnet Server service on all endpoints and use SSH instead.
Auto Logon
Category: Network and credentials
OS: Windows
Description
Verifies if Windows requires account sign-in.
When the user accounts sign-in is disabled, Windows stores the user passwords in the registry database, making possible to bypass the password screen during logon.
Recommendation
Require account sign-in always.
Secure Logon
Category: OS security
OS: Windows
Description
Verifies the local security policy option Interactive logon: Do not require CTRL+ALT+DEL.
This option defines whether users must unlock their computer before logging in to Windows by pressing CTRL+ALT+DEL, as an additional security layer that prevents malware intercepting usernames and passwords.
If this option is set on Enabled, the system is more vulnerable to security threats.
Recommendation
Set this policy to Disabled.
UAC Off
Category: OS security
OS: Windows
Description
Verifies the local security policy option User Account Control: Run all administrators in Admin Approval Mode.
This setting controls the behavior of all UAC policy settings for the endpoint.
UAC (User Account Control) is a security feature that helps preventing unauthorized changes to the OS by potentially harmful programs. UAC requires administrator authorization for actions like installing a program or modifying system settings.
When UAC is set to Never notify, the system is more vulnerable to malware.
Recommendation
Set this policy to Enabled.
UAC Insecure
Category: OS security
OS: Windows
Description
Verifies the configuration for User Account Control policy and registry settings, to check if these comply with the default recommended settings.
The policy settings are located in Security Settings\Local Policies\Security Options
, in the Local Security Policy app.
Recommendation
Configure the UAC settings to at least the default level.
Automatic Updates
Category: OS security
OS: Windows
Description
Verifies the local group policy Configure Automatic Updates, located in Computer Configuration\Administrative Templates\Windows Components\Windows Update
.
This policy specifies whether the endpoint will receive security updates and other important downloads through the Windows automatic updating service. When disabled, the endpoint is more vulnerable to security threats.
Recommendation
Set this policy to Enabled.
LAN Manager Hash
Category: OS security
OS: Windows
Description
Verifies the local security policy option Network security: Do not store LAN Manager hash value on next password change.
When the user sets a password that contains less than 15 characters, Windows generates a LAN Manager hash (LM hash) of that password.
If the Windows security option is set to store the hash in the local Security Accounts Manager (SAM) database, the passwords can be compromised and the endpoint is prone to brute force attack.
Recommendation
After applying the fix, all affected users must change their domain password. The new password must be at least 15 characters long.
In this case, Windows stores a LM hash value that cannot be used to authenticate the user.
Blank Password
Category: Network and credentials
OS: Windows
Description
Verifies the local security policy option Accounts: Limit local account use of blank passwords to console logon only.
This setting verifies if local accounts without password protection can be used to log on from other locations than the physical computer console.
When this option is disabled, endpoints are exposed to a high security risk.
Recommendation
Set this policy to Enabled.
Anonymous User Permissions
Category: Network and credentials
OS: Windows
Description
Verifies the local security policy option Network access: Do not allow anonymous enumeration of SAM accounts.
This option determines if anonymous connections have the permission to enumerate the names of domain accounts.
Endpoints with this option disabled are vulnerable to attackers trying to obtain usernames or passwords stored locally.
Recommendation
The recommended setting for this policy is Enabled: Do not allow enumeration of SAM accounts.
This option replaces Everyone with Authenticated Users in the security permissions for resources.
Kernel-Mode Printer Drivers
Category: OS security
OS: Windows
Description
Verifies the local group policy Disallow installation of printers using kernel-mode drivers, located in Computer Configuration\Administrative Templates\Printers
.
This setting determines whether printers using kernel-mode drivers may be installed on the local endpoint. Kernel-mode drivers have access to system-wide memory, and therefore poorly written kernel-mode drivers can cause stop errors.
When this option is Disabled, the printer drivers will run in the kernel space of the operating system, exposing the endpoint to security risks.
Recommendation
Set this policy to Enabled.
Windows Backup Service
Category: OS security
OS: Windows
Description
Verifies the settings for Windows Backup and Restore service (SDRSVC).
When this service is stopped, the system does not have access to native Microsoft backup and restore tools.
Recommendation
Enable this service on all endpoints.
Telephony Service
Category: OS security
OS: Windows
Description
Verifies if the Telephony Service is active.
Recommendation
Set this service to Disabled.
Lock Screen App Notifications
Category: OS security
OS: Windows
Description
Verifies the local group policy Turn off app notifications on the lock screen, located in Computer Configuration\Administrative Templates\System\Logon
.
This policy setting allows preventing app notifications from appearing on the lock screen.
If you enable this policy setting, no app notifications are displayed on the lock screen.
If you disable or do not configure this policy setting, users can choose which apps display notifications on the lock screen.
Recommendation
Set this policy to Enabled.
Microphone Service
Category: OS security
OS: Windows
Description
Verifies if any microphone is enabled.
Recommendation
Disable microphones on endpoints.
Store Domain Credentials
Category: OS security
OS: Windows
Description
Checks if the passwords and credentials used for network authentication are stored on the local computer.
Recommendation
Do not allow storage of passwords and credentials used for network authentication on the local computer.
Digitally Encrypt / Sign Data
Category: Network and credentials
OS: Windows
Description
Verifies the local security policy option Domain member: Digitally encrypt or sign secure channel data (always).
This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted.
When this policy is disabled, then encryption and signing of all secure channel traffic will depend on the version of Domain Controller and on the settings of the other policies for encryption and signing secure channel data.
Recommendation
Set this policy to Enabled.
Digitally Encrypt Data
Category: Network and credentials
OS: Windows
Description
Verifies the local security policy option Domain member: Digitally encrypt secure channel data (when possible).
This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates.
Disabling this setting may unnecessarily reduce secure channel throughput, because concurrent API calls that use the secure channel are only possible when the secure channel is signed or encrypted.
Recommendation
Set this policy to Enabled.
Digitally Sign Data
Category: Network and credentials
OS: Windows
Description
Verifies the local security policy option Domain member: Digitally sign secure channel data (when possible).
This security setting determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates.
If enabled, the domain member will request signing of all secure channel traffic.
If the Domain Controller supports signing of all secure channel traffic, then all secure channel traffic will be signed which ensures that it cannot be tampered with in transit.
Recommendation
Set this policy to Enabled.
Change Account Password
Category: Network and credentials
OS: Windows
Description
Verifies the local security policy option Domain member: Disable machine account password changes.
Determines whether a domain member periodically changes its computer account password.
If this setting is enabled, the domain member does not attempt to change its computer account password, which exposes the endpoint to security risks.
Recommendation
Set this policy to Disabled.
Strong Session Key
Category: Network and credentials
OS: Windows
Description
Verifies the local security policy option Domain member: Require strong (Windows 2000 or later) session key.
This security setting determines whether 128-bit key strength is required for encrypted secure channel data.
If this setting is enabled, then the secure channel will not be established unless 128-bit encryption can be performed.
If this setting is disabled, then the key strength is negotiated with the domain controller.
Recommendation
Set this policy to Enabled.
Insecure Guest Logon
Category: Network and credentials
OS: Windows
Description
Verifies the local group policy Enable insecure guest logons, located in Computer Configuration\Administrative Templates\Network\Lanman Workstation
.
This policy determines if the SMB client will allow insecure guest logons to an SMB server.
If you enable / do not configure this policy, the SMB client will allow insecure guest logons.
Insecure guest logons are used by file servers to allow unauthenticated access to shared folders.
Since insecure guest logons are unauthenticated, important security features such as SMB Signing and SMB Encryption are disabled.
As a result, clients that allow insecure guest logons are vulnerable to a variety of man-in-the-middle attacks that can result in data loss, data corruption and exposure to malware.
As a result, clients that allow insecure guest logons are vulnerable to a variety of man-in-the-middle attacks that can result in data loss, data corruption and exposure to malware.
Additionally, any data written to a file server using an insecure guest logon is potentially accessible to anyone on the network.
Recommendation
Disable insecure Guest logons and configuring file servers to require authenticated access.
Lock Screen Camera
Category: OS Security
OS: Windows
Description
Verifies the local group policy Prevent enabling lock screen camera, located in Computer Configuration\Administrative Templates\Control Panel\Personalization
.
This policy disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen.
Recommendation
Set this policy to Enabled.
Lock Screen Slide Show
Category: OS Security
OS: Windows
Description
Verifies the local group policy Prevent enabling lock screen slide show, located in Computer Configuration\Administrative Templates\Control Panel\Personalization
.
This policy disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen.
Recommendation
Set this policy to Enabled.
Client Digitally Sign Communications
Category: OS Security
OS: Windows
Description
Verifies the local group policy Prevent enabling lock screen slide show, located in Computer Configuration\Administrative Templates\Control Panel\Personalization
.
This policy disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen.
Recommendation
Set this policy to Enabled.
Unencrypted passwords
Category: Network and credentials
OS: Windows
Description
Verifies the local security policy option Microsoft network client: Send unencrypted password to third-party SMB servers.
If this security setting is enabled, the Server Message Block (SMB) redirector is allowed to send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication.
Sending unencrypted passwords is a security risk.
Recommendation
Set this policy to Disabled.
Server Digitally Sign Communications
Category: Network and credentials
OS: Windows
Description
Verifies the local security policy option Microsoft network server: Digitally sign communications (always).
This security setting determines whether packet signing is required by the Server Message Block (SMB) server component.
The SMB protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration.
To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets.
If this policy is disabled, SMB packet signing is negotiated between the Microsoft network client and server.
Note
All Windows OS support both a client-side SMB component and a server-side SMB component.
To take advantage of SMB packet signing, both the client-side SMB component and server-side SMB component that are involved in a communication must have SMB packet signing either enabled or required.
Recommendation
Set this policy to Enabled.
Download Print Drivers Over HTTP
Category: Network and credentials
OS: Windows
Description
Verifies the local group policy Turn off downloading of print drivers over HTTP, located in Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication Settings
.
This policy specifies whether to allow this client to download print driver packages over HTTP.
When disabled or not configured, users can download print drivers over HTTP.
Recommendation
Set this policy to Enabled.
Print Over HTTP
Category: Network and credentials
OS: Windows
Description
Verifies the local group policy Turn off printing over HTTP, located in Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication Settings
.
This policy specifies whether to allow printing over HTTP from this client. Printing over HTTP allows a client to print to printers on the intranet as well as the Internet.
When disabled or not configured, users can choose to print to printers on the Internet over HTTP.
Recommendation
Set this policy to Enabled.
Strengthen Permissions
Category: OS security
OS: Windows
Description
Verifies the local security policy option System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links).
This security setting determines the strength of the default Discretionary Access Control List (DACL) for objects.
Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. This way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted.
If this policy is enabled, the default DACL is stronger, allowing users who are not administrators to read shared objects but not allowing these users to modify shared objects that they did not create.
Recommendation
Set this policy to Enabled.
Enumerate Local Users
Category: OS security
OS: Windows
Description
Verifies the local group policy Enumerate local users on domain-joined computers, located in Computer Configuration\Administrative Templates\System\Logon
.
This policy allows local users to be enumerated on domain-joined computers.
If you enable this policy, Logon UI will enumerate all local users on domain-joined computers.
Recommendation
Set this policy to Disabled.
PIN Sign-In
Category: OS Security
OS: Windows
Description
Verifies the local group policy Turn on convenience PIN sign-in, located in Computer Configuration\Administrative Templates\System\Logon
.
This policy allows you to control whether a domain user can sign in using a convenience PIN.
If you disable or do not configure this policy, a domain user cannot set up and use a convenience PIN. The user's domain password will be cached in the system vault when using this feature.
Recommendation
Set this policy to Disabled.
Restrict Unauthenticated RPC
Category: Network and credentials
OS: Windows
Description
Verifies the local group policy Restrict Unauthenticated RPC clients, located in Computer Configuration\Administrative Templates\System\Remote Procedure Call
.
This policy controls how the Remote Procedure Call (RPC) server runtime handles unauthenticated RPC clients connecting to RPC servers.
In a domain environment, this policy should be used with caution as it can affect a wide range of functionality, including the group policy processing itself.
A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security.
Recommendation
Set this policy to Enabled > Authenticated.
Optional Microsoft Accounts
Category: OS security
OS: Windows
Description
Verifies the local group policy Allow Microsoft accounts to be optional, located in Computer Configuration\Administrative Templates\Windows Components\App runtime
.
This policy lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in.
This policy only affects Windows Store apps that support it.
If you enable this policy, Windows Store apps that typically require a Microsoft account to sign in will allow users to sign in with an enterprise account instead.
If you disable or do not configure this policy, users will need to sign in with a Microsoft account.
Recommendation
Set this policy to Enabled.
Autoplay Non-Volume Devices
Category: OS security
OS: Windows
Description
Verifies the local group policy Turn off Autoplay, located in Computer Configuration\Administrative Templates\Windows Components\Autoplay Policies
.
This policy setting allows you to turn off the Autoplay feature (reading from a drive as soon as inserting media in the drive).
When disabled, the setup file of programs and the music on audio media start immediately as soon as inserted in the drive.
Recommendation
Set this policy to Enabled > All Drives.
Turn off Autoplay
Category: OS security
OS: Windows
Description
Verifies the local group policy Turn off Autoplay, located in Computer Configuration\Administrative Templates\Windows Components\Autoplay Policies
.
This policy setting allows you to turn off the Autoplay feature (reading from a drive as soon as inserting media in the drive).
When disabled, the setup file of programs and the music on audio media start immediately as soon as inserted in the drive.
Recommendation
Set this policy to Enabled: All Drives.
Disable DMA
Category: OS security
OS: Windows
Description
Verifies the local group policy Disable new DMA devices when this computer is locked, located in Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption
.
This policy allows blocking direct memory access (DMA) for all Thunderbolt hot pluggable PCI downstream ports until a user logs into Windows. Devices already enumerated when the machine was unlocked will continue to function until unplugged or the system is rebooted or hibernated.
This policy is only enforced when BitLocker or device encryption is enabled.
Note
Some PCs may not be compatible with this policy if the system firmware enables DMA for newly attached Thunderbolt devices before exposing the new devices to Windows.
Recommendation
Set this policy to Enabled.
Enhanced PIN with BitLocker
Category: OS security
OS: Windows
Description
Verifies the local group policy Allow enhanced PINs for startup, located in Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives
.
This policy configures whether enhanced startup PINs are used with BitLocker. Enhanced startup PINs allows using characters including uppercase and lowercase letters symbols numbers and spaces.
This policy is applied when BitLocker is turned on.
Note
Not all computers may support enhanced PINs in the pre-boot environment.
It is strongly recommended that users perform a system check during BitLocker setup.
If you disable or do not configure this policy, enhanced PINs will not be used.
Recommendation
Set this policy to Enabled.
Secure Boot for BitLocker
Category: OS security
OS: Windows
Description
Verifies the local group policy Allow Secure Boot for integrity validation, located in Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives
.
This policy setting defines whether Secure Boot will be allowed as the platform integrity provider for BitLocker operating system drives.
Secure Boot ensures that the PC's pre-boot environment only loads firmware that is digitally signed by authorized software publishers.
Secure Boot also provides more flexibility for managing pre-boot configuration than legacy BitLocker integrity checks.
If you disable this policy, BitLocker will use legacy platform integrity validation even on systems capable of Secure Boot-based integrity validation.
Warning
Disabling this policy may result in BitLocker recovery when firmware is updated.
Recommendation
Set this policy to Enabled.
Write Removable Drives with BitLocker
Category: OS Security
OS: Windows
Description
Verifies the local group policy Deny write access to removable drives not protected by BitLocker, located in Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives
.
This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.
When enabling this setting, all removable data drives that are not BitLocker-protected will be mounted as read-only.
When disabling or not configuring this setting, all removable data drives on the computer will be mounted with read and write access.
Recommendation
Set this policy to Enabled.
Microsoft Consumer Experiences
Category: OS security
OS: Windows
Description
Verifies the local group policy Turn off Microsoft consumer experiences, located in Computer Configuration\Administrative Templates\Windows Components\Cloud Content
.
If you disable or do not configure this policy setting users may see personalized recommendations from Microsoft and notifications about their Microsoft account.
Note
This setting only applies to Enterprise and Education SKUs.
Recommendation
Set this policy to Enabled.
Enumerate Admin Accounts on Elevation
Category: OS security
OS: Windows
Description
Verifies the local group policy Enumerate administrator accounts on elevation, located in Computer Configuration\Administrative Templates\Windows Components\Credential User Interface
.
This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application.
By default, administrator accounts are not displayed when the user attempts to elevate a running application.
If you enable this setting, all the local administrator accounts will be displayed, so the user can choose one and enter the correct password.
If you disable this setting, users will always be required to type a user name and password to elevate.
Recommendation
Set this policy to Disabled.
Internet Connection Sharing
Category: Network and credentials
OS: Windows
Description
Verifies the local group policy Prohibit use of Internet Connection Sharing on your DNS domain network, located in Computer Configuration\Administrative Templates\Network\Network Connections
.
Determines whether administrators can enable and configure the Internet Connection Sharing (ICS) feature of an Internet connection and if the ICS service can run on the computer.
ICS lets administrators configure their system as an Internet gateway for a small network and provides network services such as name resolution and addressing through DHCP to the local private network.
If you enable this setting, ICS cannot be enabled or configured by administrators and it cannot run on the computer.
Note
ICS is only available when two or more network connections are present.
Non-administrators are already prohibited from configuring Internet Connection Sharing regardless of this setting.
Disabling this setting does not prevent Wireless Hosted Networking from using the ICS service for DHCP services.
To prevent the ICS service from running, go to the Network Permissions tab and select the Don't use hosted networks check box.
Recommendation
Set this policy to Enabled.
Connect to Open Hotspots
Category: Network and credentials
OS: Windows
Description
Verifies the local group policy Allow Windows to automatically connect to suggested open hotspots to networks shared by contacts and to hotspots offering paid services, located in Computer Configuration\Administrative Templates\Network\WLAN Service\WLAN Settings
.
This policy configures the access to the following WLAN settings:
Connect to suggested open hotspots
Connect to networks shared by my contacts
Enable paid services
Note
If this policy is disabled, the abovementioned WLAN settings will be turned off and users on this device will not have access to enable them.
If this policy is not configured or is enabled, users can choose to enable or disable either Connect to suggested open hotspots, or Connect to networks shared by my contacts.
Recommendation
Set this policy to Disabled.
Non Domain Network Connections
Category: Network and credentials
OS: Windows
Description
Verifies the local group policy Prohibit connection to non-domain networks when connected to domain authenticated network, located in Computer Configuration\Administrative Templates\Network\Windows Connection Manager
.
This policy prevents computers from connecting to both a domain-based network and a non-domain based network at the same time.
If this policy is enabled, the computer responds to automatic and manual network connection attempts based on the following circumstances:
Automatic connection attempts:
When the computer is already connected to a domain based network, all automatic connection attempts to non-domain networks are blocked.
When the computer is already connected to a non-domain based network, automatic connection attempts to domain-based networks are blocked.
Manual connection attempts:
When the computer is already connected to either a non-domain based network or a domain based network over media other than Ethernet, and a user attempts to create a manual connection to an additional network in violation of this policy setting, the existing network connection is disconnected and the manual connection is allowed.
When the computer is already connected to either a non-domain based network or a domain based network over Ethernet, and a user attempts to create a manual connection to an additional network in violation of this policy setting, the existing Ethernet connection is maintained and the manual connection attempt is blocked.
If this policy is not configured or is disabled, computers are allowed to connect simultaneously to both domain and non-domain networks.
Recommendation
Set this policy to Enabled.
Credential Delegation
Category: Network and credentials
OS: Windows
Description
Verifies the local group policy Remote host allows delegation of non-exportable credentials, located in Computer Configuration\Administrative Templates\System\Credentials Delegation
.
When using credential delegation, devices provide an exportable version of credentials to the remote host.This exposes users to the risk of credential theft from attackers on the remote host.
If you enable this policy setting, the host supports Restricted Admin or Remote Credential Guard mode.
If you disable or do not configure this policy setting, Restricted Administration and Remote Credential Guard modes are not supported. Users will always need to pass their credentials to the host.
Recommendation
Set this policy to Enabled.
Virtualization Based Security
Category: OS security
OS: Windows
Description
Verifies the local group policy Turn On Virtualization Based Security, located in Computer Configuration\Administrative Templates\System\Device Guard
. Specifies whether Virtualization Based Security is enabled.
Virtualization Based Security uses the Windows Hypervisor to provide support for security services.
Virtualization Based Security requires Secure Boot, and, optionally, you can enabled it with the use of DMA Protections.
Recommendation
Set this policy to Enabled with the following options:
Select Platform Security Level: SecureBoot and DMA Protection
Virtualization Based Protection of Code Integrity: Enabled with lock
Credential Guard Configuration: Enabled with lock
Device Installation by ID
Category: OS security
OS: Windows
Description
Verifies the local group policy Prevent installation of devices that match any of these device IDs, located in Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions
.
This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing.
This policy setting takes precedence over any other policy setting that allows Windows to install a device.
If you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in the list you create.
If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.
Recommendation
Set this policy to Enabled, and select the following options:
Prevent installation of devices that match any of these device IDs:
PCI\CC_0C0A
Also apply to matching devices that are already installed.
Device Installation by Setup Class
Category: OS security
OS: Windows
Description
Verifies the local group policy Prevent installation of devices using drivers that match these device setup classes, located in Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions
.
This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing.
This policy setting takes precedence over any other policy setting that allows Windows to install a device.
If you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create.
If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings.
Recommendation
Set this policy to Enabled, and select the following options:
Prevent installation of devices using drivers for these device setup classes:
{d48179be-ec20-11d1-b6b8-00c04fa372a7}
.Also apply to matching devices that are already installed.
Boot-Start Driver
Category: OS security
OS: Windows
Description
Verifies the local group policy Boot-Start Driver Initialization Policy, located in Computer Configuration\Administrative Templates\System\Early Launch Antimalware
.
This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver.
The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver:
Good: The driver has been signed and has not been tampered with.
Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized.
Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver.
Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver.- If you enable this policy, you will be able to choose which boot-start drivers to initialize the next time the computer is started.
Note
If you disable or do not configure this policy setting, the boot start drivers determined to be Good, Unknown or Bad but Boot Critical are initialized and the initialization of drivers determined to be Bad is skipped.
If your malware detection application does not include an Early Launch Antimalware boot-start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized.
Recommendation
Set this policy to Enabled > Good, Unknown and bad but critical.
Anti-Spoofing
Category: OS security
OS: Windows
Description
Verifies the local group policy Configure enhanced anti-spoofing, located in Computer Configuration\Administrative Templates\Windows Components\Biometrics\Facial Features
.
This policy setting determines whether enhanced anti-spoofing is required for Windows Hello face authentication.
If you enable this setting, Windows requires all users on managed devices to use enhanced anti-spoofing for Windows Hello face authentication.
This disables Windows Hello face authentication on devices that do not support enhanced anti-spoofing.
If you disable or do not configure this setting, Windows does not require enhanced anti-spoofing for Windows Hello face authentication.
Recommendation
Set this policy to Enabled.
Minimum Startup PIN
Category: OS security
OS: Windows
Description
Verifies the local group policy Configure minimum PIN length for startup, located in Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives
.
This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN.
This policy setting is applied when you turn on BitLocker.
The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits.
If you enable this policy setting, you can require a minimum number of digits to be used when setting the startup PIN.
If you disable or do not configure this policy setting, users can configure a startup PIN of any length between 6 and 20 digits.
Recommendation
Set this policy to Enabled > Minimum characters 7.
Explorer Data Execution Prevention
Category: OS security
OS: Windows
Description
Verifies the local group policy Turn off Data Execution Prevention for Explorer, located in Computer Configuration\Administrative Templates\Windows Components\File Explorer
.
Disabling data execution prevention can allow certain legacy plug-in applications to function without terminating Explorer.
Recommendation
Set this policy to Disabled.
Heap Termination on Corruption
Category: OS security
OS: Windows
Description
Verifies the local group policy Turn off heap termination on corruption, located in Computer Configuration\Administrative Templates\Windows Components\File Explorer. Disabling heap termination on corruption can allow certain legacy plug-in applications to function without terminating Explorer immediately, although Explorer may still terminate unexpectedly later.
Recommendation
Set this policy to Disabled.
Password Manager
Category: Network and credentials
OS: Windows
Description
Verifies the local group policy Configure Password Manager, located in Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge.
This policy setting lets you decide whether employees can save their passwords locally, using Password Manager.
By default, Password Manager is turned on.
If you enable this setting, employees can use Password Manager to save their passwords locally.
If you disable this setting, employees cannot use Password Manager to save their passwords locally.
If you don't configure this setting, employees can choose whether to use Password Manager to save their passwords locally.
Recommendation
Set this policy to Disabled.
Save Passwords from RDC
Category: Network and credentials
OS: Windows
Description
Verifies the local group policy Do not allow passwords to be saved, located in Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client
.
This policy controls whether passwords can be saved on this computer from Remote Desktop Connection.
If you enable this setting, the password saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords
When a user opens an RDP file using Remote Desktop Connection and saves his settings, any password that previously existed in the RDP file will be deleted.
Recommendation
Set this policy to Enabled.
Drive Redirection
Category: OS security
OS: Windows
Description
Verifies the local group policy Do not allow drive redirection, located in Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection
.
This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection).
By default, an RD Session Host server maps client drives automatically upon connection.
Mapped drives appear in the session folder tree in File Explorer or Computer in the format on . You can use this policy setting to override this behavior.
If you enable this policy setting, client drive redirection is not allowed in Remote Desktop Services sessions, and Clipboard file copy redirection is not allowed on computers running Windows Server 2003, Windows 8, and Windows XP.
Recommendation
Set this policy to Enabled.
RDS Password Prompt
Category: Network and credentials
OS: Windows
Description
Verifies the local group policy Always prompt for password upon connection, located in Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security
.
This policy setting specifies whether Remote Desktop Services always prompts the client for a password upon connection.
You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client.
By default, Remote Desktop Services allows users to automatically log on by entering a password in the Remote Desktop Connection client.
If you enable this policy setting, users cannot automatically log on to Remote Desktop Services by supplying their passwords in the Remote Desktop Connection client. They are prompted for a password to log on.
Recommendation
Set this policy to Enabled.
Secure RPC Communication
Category: Network and credentials
OS: Windows
Description
Verifies the local group policy Require secure RPC communication, located in Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security
.
Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication.
You can use this setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests.
If the status is set to Enabled, Remote Desktop Services accepts requests from RPC clients that support secure requests, and does not allow unsecured communication with untrusted clients.
Recommendation
Set this policy to Enabled.
Client Encryption Level
Category: Network and credentials
OS: Windows
Description
Verifies the local group policy Set client connection encryption level, located in Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security
.
Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections.
This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended.
This policy does not apply to SSL encryption.
If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the encryption method specified in this setting.
By default, the encryption level is set to High Level (the recommended option). This setting encrypts data sent from the client to the server and from the server to the client by using strong 128-bit encryption.
Use this encryption level in environments that contain only 128-bit clients (for example, clients that run Remote Desktop Connection).
Clients that do not support this encryption level cannot connect to RD Session Host servers.
Recommendation
Set this policy to Enabled > High Level.
Download Enclosures
Category: OS security
OS: Windows
Description
Verifies the local group policy Prevent downloading of enclosures, located in Computer Configuration\Administrative Templates\Windows Components\RSS Feeds
.
This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's computer.
If you enable this policy setting, the user cannot set the Feed Sync Engine to download an enclosure through the Feed property page. A developer cannot change the download setting through the Feed APIs.
Recommendation
Set this policy to Enabled.
Indexing Encrypted Files
Category: OS security
OS: Windows
Description
Verifies the local group policy Allow indexing of encrypted files, located in Computer Configuration\Administrative Templates\Windows Components\Search
.
This policy setting allows encrypted items to be indexed.
If you enable this policy setting, indexing will attempt to decrypt and index the content (access restrictions will still apply).
If you disable this policy setting, the search service components (including non-Microsoft components) are expected not to index encrypted items or encrypted stores.
This policy setting is not configured by default.
If you do not configure this policy setting, the local setting, configured through Control Panel, will be used.
By default, the Control Panel setting is set to not index encrypted content. When this setting is enabled or disabled, the index is rebuilt completely.
Full volume encryption (such as BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of the index to maintain security for encrypted files.
Recommendation
Set this policy to Disabled.
Modify Exploit Protection Settings
Category: OS security
OS: Windows
Description
Verifies the local group policy Prevent users from modifying settings, located in Computer Configuration\Administrative Templates\Windows Components\Windows Defender Security Center\App and browser protection
or in Computer Configuration\Administrative Templates\Windows Components\Windows Security\App and browser protection
(according to the Windows version).
This policy setting allows preventing users from making changes to the Exploit protection settings area in the Windows Defender Security Center.
Recommendation
Set this policy to Enabled.
Game Recording and Broadcasting
Category: OS security
OS: Windows
Description
Verifies the local group policy Enables or disables Windows Game Recording and Broadcasting, located in Computer Configuration\Administrative Templates\Windows Components\Windows Game Recording and Broadcasting
.
This setting enables or disables the Windows Game Recording and Broadcasting features.
Recommendation
Set this policy to Disabled.
Windows Ink Workspace
Category: OS security
OS: Windows
Description
Verifies the local group policy Allow Windows Ink Workspace, located in Computer Configuration\Administrative Templates\Windows Components\Windows Ink Workspace
.
This setting is supported from Windows 10 Redstone.
Recommendation
Set this policy to Enabled > On, but disallow access above lock.
User Control Over Installs
Category: OS security
OS: Windows
Description
Verifies the local group policy Allow user control over installs, located in Computer Configuration\Administrative Templates\Windows Components\Windows Installer
.
This policy permits users to change installation options that typically are available only to system administrators.
If you enable this policy setting, some of the security features of Windows Installer are bypassed. It permits installations to complete that otherwise would be halted due to a security violation.
This policy setting is designed for less restrictive environments. It can be used to circumvent errors in an installation program that prevents software from being installed.
Recommendation
Set this policy to Disabled.
Install with Elevated Privileges
Category: OS security
OS: Windows
Description
Verifies the local group policy Always install with elevated privileges, located in Computer Configuration\Administrative Templates\Windows Components\Windows Installer
.
This policy setting directs Windows Installer to use elevated permissions when it installs any program on the system.
If you enable this policy setting, privileges are extended to all programs. These privileges are usually reserved for programs that have been assigned to the user (offered on the desktop), assigned to the computer (installed automatically), or made available in Add or Remove Programs in Control Panel.
This profile setting lets users install programs that require access to directories that the user might not have permission to view or change, including directories on highly restricted computers.
Note
This policy setting appears both in the Computer Configuration and User Configuration folders. To make this policy setting effective, you must enable it in both folders.
Warning
Warning: Skilled users can take advantage of the permissions this policy setting grants to change their privileges and gain permanent access to restricted files and folders.
The User Configuration version of this policy setting is not guaranteed to be secure.
Recommendation
Set this policy to Disabled.
Auto Sign-in After Restart
Category: OS security
OS: Windows
Description
Verifies the local group policy Sign-in last interactive user automatically after a system-initiated restart, located in Computer Configuration\Administrative Templates\Windows Components\Windows Logon Options
.
This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system.
If you enable or do not configure this policy setting, the device securely saves the user's credentials (including the user name, domain and encrypted password) to configure automatic sign-in after a Windows Update restart.
After the Windows Update restart, the user is automatically signed-in and the session is automatically locked with all the lock screen apps configured for that user.
If you disable this policy setting, the device does not store the user's credentials for automatic sign-in after a Windows Update restart. The users' lock screen apps are not restarted after the system restarts.
Recommendation
Set this policy to Disabled.
PowerShell Script Block Logging
Category: OS security
OS: Windows
Description
Verifies the local group policy Turn on PowerShell Script Block Logging, located in Computer Configuration\Administrative Templates\Windows Components\Windows PowerShell
.
This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log.
If you enable this policy setting, Windows PowerShell will log the processing of commands, script blocks, functions, and scripts - whether invoked interactively, or through automation.
If you disable this policy setting, logging of PowerShell script input is disabled.
Note
This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting.
Recommendation
Set this policy to Enabled.
WinRM Client Basic Authentication
Category: OS security
OS: Windows
Description
Verifies the local group policy Allow Basic authentication, located in Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Client
.
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication.
If you enable this policy setting, the WinRM client uses Basic authentication.
If WinRM is configured to use HTTP transport, the user name and password are sent over the network as clear text.
Recommendation
Set this policy to Disabled.
WinRM Client Unencrypted Traffic
Category: OS Security
OS: Windows
Description
Verifies the local group policy Allow unencrypted traffic, located in Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Client
.
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network.
If you disable or do not configure this policy setting, the WinRM client sends or receives only encrypted messages over the network.
Recommendation
Set this policy to Disabled.
WinRM Client Digest Authentication
Category: OS security
OS: Windows
Description
Verifies the local group policy Disallow Digest authentication, located in Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Client
.
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Digest authentication.
If you enable this policy setting, the WinRM client does not use Digest authentication.
Recommendation
Set this policy to Enabled.
WinRM Service Basic Authentication
Category: OS security
OS: Windows
Description
Verifies the local group policy Allow Basic authentication, located in Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service
.
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client.
If you disable or do not configure this policy setting, the WinRM service does not accept Basic authentication from a remote client.
Recommendation
Set this policy to Disabled.
WinRM Service Unencrypted Traffic
Category: OS security
OS: Windows
Description
Verifies the local group policy Allow unencrypted traffic, located in Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service
.
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network.
If you disable or do not configure this policy setting, the WinRM client sends or receives only encrypted messages over the network.
Recommendation
Set this policy to Disabled.
WinRM Service RunAs Credentials
Category: OS security
OS: Windows
Description
Verifies the local group policy Disallow WinRM from storing RunAs credentials, located in Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service
.
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will not allow RunAs
credentials to be stored for any plug-ins.
If you enable this policy setting, the WinRM service will not allow the
RunAsUser
orRunAsPassword
configuration values to be set for any plug-ins.If a plug-in has already set the
RunAsUser
andRunAsPassword
configuration values, theRunAsPassword
configuration value will be erased from the credential store on this computer.
Recommendation
Set this policy to Enabled.
Install ActiveX
Category: Browser security
OS: Windows
Description
Verifies the local group policy Prevent per-user installation of ActiveX controls, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
.
This policy setting allows you to prevent the installation of ActiveX controls on a per-user basis.
If you enable this policy setting, ActiveX controls cannot be installed on a per-user basis.
Recommendation
Set this policy to Enabled.
Security Zones Add / Delete Sites
Category: Browser security
OS: Windows
Description
Verifies the local group policy Security Zones: Do not allow users to add/delete sites, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
.
It prevents users from adding or removing sites from security zones. A security zone is a group of Web sites with the same security level.
If you enable this policy, the site management settings for security zones are disabled. (To see the site management settings for security zones, in the Internet Options dialog box, click the Security tab, and then click the Sites button.)
This policy prevents users from changing site management settings for security zones established by the administrator.
Note
The Disable the Security page policy (located in User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel
), which removes the Security tab from the interface, takes precedence over this policy.
If it is enabled, this policy is ignored.
Also, see the Security zones: Use only machine settings policy.
Recommendation
Set this policy to Enabled.
Security Zones Change Policies
Category: Browser security
OS: Windows
Description
Verifies the local group policy Security Zones: Do not allow users to change policies, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
.
It prevents users from changing security zone settings. A security zone is a group of Web sites with the same security level.
If you enable this policy, the Custom Level button and security-level slider on the Security tab in the Internet Options dialog box are disabled.
Note
The Disable the Security page policy (located in User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel
), which removes the Security tab from Internet Explorer in Control Panel, takes precedence over this policy.
If it is enabled, this policy is ignored.
Also, see the Security zones: Use only machine settings policy.
Recommendation
Set this policy to Enabled.
Security Zones Only Machine Settings
Category: Browser security
OS: Windows
Description
Verifies the local group policy Security Zones: Use only machine settings, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
.
Applies security zone information to all users of the same computer. A security zone is a group of Web sites with the same security level.
If you enable this policy, changes that the user makes to a security zone will apply to all users of that computer.
This policy is intended to ensure that security zone settings apply uniformly to the same computer and do not vary from user to user.
Also, see the Security zones: Do not allow users to change policies policy.
Recommendation
Set this policy to Enabled.
ActiveX Installer Service
Category: Browser security
OS: Windows
Description
Verifies the local group policy Specify use of ActiveX Installer Service for installation of ActiveX controls, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
.
This policy setting allows you to specify how ActiveX controls are installed.
If you enable this policy setting, ActiveX controls are installed only if the ActiveX Installer Service is present and has been configured to allow the installation of ActiveX controls.
Recommendation
Set this policy to Enabled.
Crash Detection
Category: Browser security
OS: Windows
Description
Verifies the local group policy Turn off Crash Detection, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
.
This policy setting allows you to manage the crash detection feature of add-on Management.
If you enable this policy setting, a crash in Internet Explorer will exhibit behavior found in Windows XP Professional Service Pack 1 and earlier, namely to invoke Windows Error Reporting.
All policy settings for Windows Error Reporting continue to apply.
If you disable or do not configure this policy setting, the crash detection feature for add-on management will be functional.
Recommendation
Set this policy to Enabled.
Security Settings Check
Category: Browser security
OS: Windows
Description
Verifies the local group policy Turn off the Security Settings Check feature, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
.
This policy setting turns off the Security Settings Check feature, which checks Internet Explorer security settings to determine when the settings put Internet Explorer at risk.
If you disable or do not configure this policy setting, the feature is turned on.
Recommendation
Set this policy to Disabled.
Certificate Errors
Category: Browser security
OS: Windows
Description
Verifies the local group policy Prevent ignoring certificate errors, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel
.
This policy setting prevents the user from ignoring Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate errors that interrupt browsing (such as "expired", "revoked", or "name mismatch" errors) in Internet Explorer.
If you enable this policy setting, the user cannot continue browsing.
If you disable or do not configure this policy setting, the user can choose to ignore certificate errors and continue browsing.
Recommendation
Set this policy to Enabled.
Run Software if Signature Invalid
Category: Browser security
OS: Windows
Description
Verifies the local group policy Allow software to run or install even if the signature is invalid, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
.
This policy setting allows you to manage whether software, such as ActiveX controls and file downloads, can be installed or run by the user even though the signature is invalid. An invalid signature might indicate that someone has tampered with the file.
If you enable this policy setting, users will be prompted to install or run files with an invalid signature.
If you disable this policy setting, users cannot run or install files with an invalid signature.
If you do not configure this policy, users can choose to run or install files with an invalid signature.
Recommendation
Set this policy to Disabled.
Server Certificate Revocation
Category: Browser security
OS: Windows
Description
Verifies the local group policy Check for server certificate revocation, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
.
This policy setting allows you to manage whether Internet Explorer will check revocation status of servers' certificates.
Certificates are revoked when they have been compromised or are no longer valid, and this option protects users from submitting confidential data to a site that may be fraudulent or not secure.
If you enable this policy setting, Internet Explorer will check to see if server certificates have been revoked.
Recommendation
Set this policy to Enabled.
Downloaded Programs Signatures
Category: Browser security
OS: Windows
Description
Verifies the local group policy Check for signatures on downloaded programs, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
.
This policy setting allows you to manage whether Internet Explorer checks for digital signatures (which identifies the publisher of signed software and verifies it has not been modified or tampered with) on user computers before downloading executable programs.
If you enable this policy setting, Internet Explorer will check the digital signatures of executable programs and display their identities before downloading them to user computers.
Recommendation
Set this policy to Enabled.
ActiveX Protected Mode
Category: Browser security
OS: Windows
Description
Verifies the local group policy Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
.
This policy setting prevents ActiveX controls from running in Protected Mode when Enhanced Protected Mode is enabled.
When a user has an ActiveX control installed, which is not compatible with Enhanced Protected Mode and a website attempts to load the control, Internet Explorer notifies the user and gives the option to run the website in regular Protected Mode.
This policy setting disables this notification and forces all websites to run in Enhanced Protected Mode. Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows.
For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system.
When Enhanced Protected Mode is enabled, and a user encounters a website that attempts to load an ActiveX control that is not compatible with Enhanced Protected Mode, Internet Explorer notifies the user and gives the option to disable Enhanced Protected Mode for that particular website.
If you enable this policy setting, Internet Explorer will not give the user the option to disable Enhanced Protected Mode. .
All Protected Mode websites will run in Enhanced Protected Mode.
Recommendation
Set this policy to Enabled.
Encryption Support
Category: Browser security
OS: Windows
Description
Verifies the local group policy Turn off encryption support, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
.
This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the browser and the target server.
When the browser attempts to set up a protected communication with the target server, the browser and server negotiate which protocol and version to use.
The browser and server attempt to match each other’s list of supported protocols and versions, and they select the most preferred match.
If you enable this policy setting, the browser negotiates or does not negotiate an encryption tunnel by using the encryption methods that you select from the drop-down list.
Recommendation
Set this policy to Enabled > Use TLS 1.1; Use TLS 1.2.
IE 64-bit Processes
Category: Browser security
OS: Windows
Description
Verifies the local group policy Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
.
This policy setting determines whether Internet Explorer 11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows.
Important
Some ActiveX controls and toolbars may not be available when 64-bit processes are used.
If you enable this policy setting, Internet Explorer 11 will use 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.
If you do not configure this policy setting, users can turn this feature on or off using Internet Explorer settings. This feature is turned off by default.
Recommendation
Set this policy to Enabled.
Enhanced Protected Mode
Category: Browser security
OS: Windows
Description
Verifies the local group policy Turn on Enhanced Protected Mode, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
.
Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows.
For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system.
If you enable this policy setting, Enhanced Protected Mode will be turned on.
Any zone that has Protected Mode enabled will use Enhanced Protected Mode. Users will not be able to disable Enhanced Protected Mode.
- If you do not configure this policy, users will be able to turn on or turn off Enhanced Protected Mode on the Advanced tab of the Internet Options dialog.
Recommendation
Set this policy to Enabled.
Intranet UNCs
Category: Browser security
OS: Windows
Description
Verifies the local group policy Intranet Sites: Include all network paths (UNCs), located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page
.
This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone.
If you enable this policy setting, all network paths are mapped into the Intranet Zone.
If you disable this policy setting, network paths are not necessarily mapped into the Intranet Zone (other rules might map one there).
Recommendation
Set this policy to Set this policy to Disabled.Disabled.
Certificate Address Mismatch Warning
Category: Browser security
OS: Windows
Description
Verifies the local group policy Turn on certificate address mismatch warning, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page
.
This policy setting allows you to turn on the certificate address mismatch security warning.
When this policy setting is turned on, the user is warned when visiting Secure HTTP (HTTPS) websites that present certificates issued for a different website address.
This warning helps prevent spoofing attacks.
If you enable this policy setting, the certificate address mismatch warning always appears.
Recommendation
Set this policy to Enabled.
Access Data Across Domains
Category: Browser security
OS: Windows
Description
Verifies the local group policy Access data sources across domains, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
.
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Allow cut, copy or paste operations from the clipboard via script (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Allow cut, copy or paste operations from the clipboard via script, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
.
This setting allows managing whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region.
If you enable this policy setting, a script can perform a clipboard operation.
If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations.
If you disable or do not configure this policy setting, a script cannot perform a clipboard operation.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Allow drag and drop or copy and paste files (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Allow drag and drop or copy and paste files, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
.
This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone.
If you enable this policy setting, users can drag files or copy and paste files from this zone automatically.
If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Allow loading of XAML files (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Allow loading of XAML files, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
.
This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files.
XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take advantage of the Windows Presentation Foundation.
If you enable this policy setting and set the drop-down box to Enable, XAML files are automatically loaded inside Internet Explorer.
The user cannot change this behavior.
If you set the drop-down box to Prompt, the user is prompted for loading XAML files.
If you disable this policy setting, XAML files are not loaded inside Internet Explorer.
The user cannot change this behavior.
If you do not configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Allow only approved domains to use ActiveX controls without prompt (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Allow only approved domains to use ActiveX controls without prompt, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
.
This policy setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control.
If you enable this policy setting, the user is prompted before ActiveX controls can run from websites in this zone.
The user can choose to allow the control to run from the current site or from all sites.
If you disable this policy setting, the user does not see the per-site ActiveX prompt, and ActiveX controls can run from all sites in this zone.
Recommendation
Set this policy to Enabled > Enable.
Internet Explorer: Allow only approved domains to use the TDC ActiveX control (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Allow only approved domains to use the TDC ActiveX control, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
.
This policy setting controls whether or not the user is allowed to run the TDC ActiveX control on websites.
If you enable this policy setting, the TDC ActiveX control will not run from websites in this zone.
Recommendation
Set this policy to Enabled > Enable.
Internet Explorer: Allow scripting of Internet Explorer WebBrowser controls (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Allow scripting of Internet Explorer WebBrowser controls, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
.
This policy setting determines whether a page can control embedded WebBrowser controls via script.
If you enable this policy setting, script access to the WebBrowser control is allowed.
If you do not configure this policy setting, the user can enable or disable script access to the WebBrowser control.
By default, script access to the WebBrowser control is allowed only in the Local Machine and Intranet zones.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Allow script-initiated windows without size or position constraints (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Allow script-initiated windows without size or position constraints, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
.
This policy setting allows managing restrictions on script-initiated pop-up windows and windows that include the title and status bars.
If you enable this policy setting, Windows Restrictions security will not apply in this zone.
The security zone runs without the added layer of security provided by this feature.
If you disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run.
This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.
If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run.
This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Allow scriptlets (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Allow scriptlets, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
.
This setting allows managing whether the user can run scriptlets.
If you enable this policy setting, the user can run scriptlets.
If you disable this policy setting, the user cannot run scriptlets.
If you do not configure this policy setting, the user can enable or disable scriptlets.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Allow updates to status bar via script (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Allow updates to status bar via script, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
.
This setting allows managing whether script is allowed to update the status bar within the zone.
If you enable this policy setting, script is allowed to update the status bar.
If you disable or do not configure this policy setting, script is not allowed to update the status bar.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Allow VBScript to run in Internet Explorer (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Allow VBScript to run in Internet Explorer, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
.
This policy setting allows you to manage whether VBScript can be run on pages from the specified zone in Internet Explorer.
If you select Enable in the drop-down box, VBScript can run without user intervention.
If you select Prompt in the drop-down box, users are asked to choose whether to allow VBScript to run.
If you select Disable in the drop-down box or do not configure this setting, VBScript is prevented from running.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Automatic prompting for file downloads (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Automatic prompting for file downloads, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
.
This setting determines whether users will be prompted for non-user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
If you enable this setting, users will receive a file download dialog for automatic download attempts.
If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog.
Users can then click the Notification bar to allow the file download prompt.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Don't run antimalware programs against ActiveX controls (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Don't run antimalware programs against ActiveX controls, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
.
This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they are safe to load on pages.
If you disable this policy, Internet Explorer always checks with your antimalware program to see if it is safe to create an instance of the ActiveX control.
If you do not configure this policy, Internet Explorer always checks with your antimalware program to see if it is safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Download signed ActiveX control (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Download signed ActiveX controls, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
.
This policy allows managing whether users may download signed ActiveX controls from a page in the zone.
If you enable this policy, users can download signed controls without user intervention.
If you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who are not trusted. Code signed by trusted publishers is silently downloaded.
If you disable the policy setting, signed controls cannot be downloaded.
If you do not configure this policy, users are queried whether to download controls signed by publishers who are not trusted.
Code signed by trusted publishers is silently downloaded.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Download unsigned ActiveX controls (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Download unsigned ActiveX controls, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
.
This policy allows you to manage whether users may download unsigned ActiveX controls from the zone.
Such code is potentially harmful, especially when coming from an untrusted zone.
If you enable this policy, users can run unsigned controls without user intervention.
If you select Prompt in the drop-down box, users are queried to choose whether to allow the unsigned control to run.
If you disable or do not configure this policy, users cannot run unsigned controls.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Enable dragging of content from different domains across windows (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Enable dragging of content from different domains across windows, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
.
This policy allows setting options for dragging content from one domain to a different domain when the source and destination are in different windows.
If you enable this policy and click Enable, users can drag content from one domain to a different domain when the source and destination are in different windows.
Users cannot change this setting.
If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when both the source and destination are in different windows.
Users cannot change this setting.
In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in different windows.
Users can change this setting in the Internet Options dialog.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Enable dragging of content from different domains within a window (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Enable dragging of content from different domains within a window, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
.
This policy setting allows setting options for dragging content from one domain to a different domain when the source and destination are in the same window.
If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in the same window.
Users cannot change this setting.
If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when the source and destination are in the same window.
Users cannot change this setting in the Internet Options dialog.
In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in the same window.
Users can change this setting in the Internet Options dialog.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Include local path when user is uploading files to a server (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Include local path when user is uploading files to a server, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
.
This policy controls if the local path information is sent when the user is uploading a file via an HTML form.
If the local path information is sent, some information may be unintentionally revealed to the server.
For instance, files sent from the user's desktop may contain the user name as a part of the path.
If you enable this policy, path information is sent when the user is uploading a file via an HTML form.
If you disable this policy, path information is removed when the user is uploading a file via an HTML form.
If you do not configure this policy, the user can choose whether path information is sent when he or she is uploading a file via an HTML form.
By default, path information is sent.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Initialize and script ActiveX controls not marked as safe (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Initialize and script ActiveX controls not marked as safe, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
.
This policy allows managing ActiveX controls not marked as safe.
If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts.
This setting is not recommended, except for secure and administered zones.
This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
If you enable this policy and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
If you disable or do not configure this policy, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Java permissions (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Java permissions, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
.
This policy allows you managing permissions for Java applets.
If you enable this setting, you can choose options from the drop-down box:
High Safety: enables applets to run in their sandbox.
Disable Java to prevent any applets from running.
Medium Safety: enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
Low Safety: enables applets to perform all operations.
Custom: to control permissions settings individually.
Disable Java: Java applets cannot run.
If you do not configure this policy, the permission is set to High Safety.
Recommendation
Set this policy to Enabled > Disable Java.
Internet Explorer: Launching applications and files in an IFRAME (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Launching applications and files in an IFRAME, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
.
This policy allows managing whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone.
If you enable this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention.
If you select Prompt in the drop-down box or do not configure this policy, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone.
If you disable this policy, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone.
Recommendation
Set this policy to Enabled > Disable
Internet Explorer: Logon options (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Logon options, located in \Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
.
This policy allows managing settings for logon options. If you enable this policy, you can choose from the following logon options:
Anonymous logon: to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol.
Prompt for user name and password: to query users for user IDs and passwords.
After a user is queried, these values can be used silently for the remainder of the session.
Automatic logon only in Intranet zone: to query users for user IDs and passwords in other zones.
After a user is queried, these values can be used silently for the remainder of the session.
Automatic logon with current user name and password: to attempt logon using Windows NT Challenge Response (also known as NTLM authentication).
If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon.
If Windows NT Challenge Response is not supported by the server, the user is queried to provide the user name and password.
If you disable or do not configure this policy setting, logon is set to Automatic logon only in Intranet zone.
Recommendation
Set this policy to Enabled > Prompt for user name and password.
Internet Explorer: Navigate windows and frames across different domains (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Navigate windows and frames across different domains, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
.
This policy allows managing the opening of windows and frames and access of applications across different domains.
If you enable or do not configure this policy, users can open windows and frames from other domains and access applications from other domains.
If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
If you disable this policy, users cannot open windows and frames to access applications from different domains.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Run .NET Framework-reliant components not signed with Authenticode (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Run .NET Framework-reliant components not signed with Authenticode, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
.
This setting allows managing whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer.
These components include managed controls referenced from an object tag and managed executables referenced from a link.
If you enable or do not configure this setting, Internet Explorer will execute unsigned managed components.
If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
If you disable this setting, Internet Explorer will not execute unsigned managed components.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Run .NET Framework-reliant components signed with Authenticode (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Run .NET Framework-reliant components signed with Authenticode, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
.
This setting allows managing whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer.
These components include managed controls referenced from an object tag and managed executables referenced from a link.
If you enable this policy setting, Internet Explorer will execute signed managed components.
If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components.
If you disable this setting, Internet Explorer will not execute signed managed components.
If you do not configure this setting, Internet Explorer will not execute signed managed components.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Show security warning for potentially unsafe files (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Show security warning for potentially unsafe files, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
.
This setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example).
If you enable this setting and set the drop-down box to Enable, these files open without a security warning.
If you set the drop-down box to Prompt, a security warning appears before the files open.
If you disable this setting, these files do not open.
If you do not configure this setting, the user can configure how the computer handles these files.
By default, these files are blocked in the Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones.
Recommendation
Set this policy to Enabled > Prompt.
Internet Explorer: Turn on Cross-Site Scripting Filter (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Turn on Cross-Site Scripting Filter, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
.
This setting controls whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone.
If you enable this policy setting, the XSS Filter is turned on for sites in this zone, and the XSS Filter attempts to block cross-site script injections.
If you disable this policy setting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections.
Recommendation
Set this policy to Enabled > Enable.
Internet Explorer: Turn on Protected Mode (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Turn on Protected Mode, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
.
This setting allows you to turn on Protected Mode.
Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system.
If you enable this policy setting, Protected Mode is turned on.
The user cannot turn off Protected Mode.
If you disable this policy setting, Protected Mode is turned off.
The user cannot turn on Protected Mode.
If you do not configure this policy setting, the user can turn on or turn off Protected Mode.
Recommendation
Set this policy to Enabled > Enable.
Internet Explorer: Turn on SmartScreen Filter scan (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Turn on SmartScreen Filter scan, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
.
This setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
If you enable this setting, SmartScreen Filter scans pages in this zone for malicious content.
If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
Note
In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
Recommendation
Set this policy to Enabled > Enable.
Internet Explorer: Use Pop-up Blocker (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Use Pop-up Blocker, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
.
This setting allows managing whether unwanted pop-up windows appear.
Pop-up windows that are opened when the end user clicks a link are not blocked.
If you enable or do not configure this policy setting, most unwanted pop-up windows are prevented from appearing.
If you disable this policy setting, pop-up windows are not prevented from appearing.
Recommendation
Set this policy to Enabled > Enable.
Internet Explorer: Userdata persistence (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Userdata persistence, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
.
This setting allows managing the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
If you enable or do not configure this setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
If you disable this setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Web sites in less privileged Web content zones can navigate into this zone (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Web sites in less privileged Web content zones can navigate into this zone, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
.
This setting allows managing whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.
If you enable this setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. the security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature.
If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
If you disable this setting, the possibly harmful navigations are prevented.
The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
If you do not configure this setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Don't run antimalware programs against ActiveX controls (Intranet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Don't run antimalware programs against ActiveX controls, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone
.
This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they are safe to load on pages.
If you enable or do not configure this policy setting, Internet Explorer will not check with your antimalware program to see if it is safe to create an instance of the ActiveX control.
If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it is safe to create an instance of the ActiveX control.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Initialize and script ActiveX controls not marked as safe (Intranet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Initialize and script ActiveX controls not marked as safe, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone
.
This policy setting allows you to manage ActiveX controls not marked as safe.
If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts.
This setting is not recommended, except for secure and administered zones.
This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
If you disable or do not configure this setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Java permissions (Intranet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Java permissions, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone
.
This policy setting allows managing permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box:
Custom: to control permissions settings individually.
Low Safety: enables applets to perform all operations.
Medium Safety: enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
High Safety: enables applets to run in their sandbox.
Disables Java: to prevent any applets from running.
If you disable this setting, Java applets cannot run.
If you do not configure this setting, the permission is set to Medium Safety.
Recommendation
Set this policy to Enabled > High Safety.
Internet Explorer: Don't run antimalware programs against ActiveX controls (Local Machine Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Don't run antimalware programs against ActiveX controls, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone
.
This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they are safe to load on pages.
If you enable or do not configure this setting, Internet Explorer will not check with your antimalware program to see if it is safe to create an instance of the ActiveX control.
If you disable this setting, Internet Explorer always checks with your antimalware program to see if it is safe to create an instance of the ActiveX control.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Java permissions (Local Machine Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Java Permissions, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone
.
This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box:
Custom: to control permissions settings individually.
Low Safety: enables applets to perform all operations.
Medium Safety: enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
High Safety: enables applets to run in their sandbox.
Disable Java: to prevent any applets from running.
If you disable this setting, Java applets cannot run.
If you do not configure this setting, the permission is set to Medium Safety.
Recommendation
Set this policy to Enabled > Disable Java.
Internet Explorer: Turn on SmartScreen Filter scan (Locked-Down Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Turn on SmartScreen Filter scan, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone
.
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
If you enable this setting, SmartScreen Filter scans pages in this zone for malicious content.
If you disable this setting, SmartScreen Filter does not scan pages in this zone for malicious content.
If you do not configure this setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
Note
In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
Recommendation
Set this policy to Enabled.
Internet Explorer: Java permissions (Locked-Down Intranet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Java permissions, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone
.
This setting allows managing permissions for Java applets. If you enable this setting, you can choose options from the drop-down box:
Custom: to control permissions settings individually.
Low Safety: enables applets to perform all operations.
Medium Safety: enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
High Safety: enables applets to run in their sandbox.
Disable Java: to prevent any applets from running.
Recommendation
Set this policy to Enabled > Disable Java.
Internet Explorer: Java permissions (Locked-Down Local Machine Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Java permissions, located in Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone
.
This policy setting allows you to manage permissions for Java applets.
If you enable this policy setting, you can choose options from the drop-down box:
Custom: to control permissions settings individually.
Low Safety: enables applets to perform all operations.
Medium Safety: enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
High Safety: enables applets to run in their sandbox.
Disable Java: to prevent any applets from running.
If you disable this policy setting, Java applets cannot run.
If you do not configure this policy setting, Java applets are disabled.
Recommendation
Set this policy to Enabled > Disable Java.
Internet Explorer: Java permissions (Locked-Down Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Java permissions, located in Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone
.
This policy setting allows you to manage permissions for Java applets.
If you enable this policy setting, you can choose options from the drop-down box:
Custom: to control permissions settings individually.
Low Safety: enables applets to perform all operations.
Medium Safety: enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
High Safety: enables applets to run in their sandbox.
Disable Java: to prevent any applets from running.
If you disable this policy setting, Java applets cannot run.
If you do not configure this policy setting, Java applets are disabled.
Recommendation
Set this policy to Enabled > Disable Java.
Internet Explorer: Turn on SmartScreen Filter scan (Locked-Down Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Turn on SmartScreen Filter scan, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone
.
This setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
If you enable this setting, SmartScreen Filter scans pages in this zone for malicious content.
If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
Note
In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
Recommendation
Set this policy to Enabled > Enable.
Internet Explorer: Java permissions (Locked-Down Trusted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Java permissions, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone
.
This setting allows managing permissions for Java applets.
If you enable this policy setting, you can choose options from the drop-down box:
Custom: to control permissions settings individually.
Low Safety: enables applets to perform all operations.
Medium Safety: enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
High Safety: enables applets to run in their sandbox.
Disable Java: to prevent any applets from running.
If you disable this setting, Java applets cannot run.
If you do not configure this setting, Java applets are disabled.
Recommendation
Set this policy to Enabled > Disable Java.
Internet Explorer: Access data sources across domains (Restricted Sites Zone)
Category: Network and credentials
OS: Windows
Description
Verifies the local group policy Access data sources across domains, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
.
This policy setting allows managing whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
If you disable or do not configure this setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Allow active scripting (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Allow active scripting, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
.
This setting allows you to manage whether script code on pages in the zone is run.
If you enable this setting, script code on pages in the zone can run automatically.
If you select Prompt in the drop-down box, users are queried to choose whether to allow script code on pages in the zone to run.
If you disable or do not configure this setting, script code on pages in the zone is prevented from running.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Allow binary and script behaviors (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Allow binary and script behaviors, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
.
This setting allows managing dynamic binary and script behaviors: components that encapsulate specific functionality for HTML elements to which they were attached.
If you enable this setting, binary and script behaviors are available.
If you select Administrator approved in the drop-down box, only behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available.
If you disable or do not configure this setting, binary and script behaviors are not available unless applications have implemented a custom security manager.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Allow cut, copy or paste operations from the clipboard via script (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Allow cut, copy or paste operations from the clipboard via script, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
.
This setting allows managing whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region.
If you enable this policy setting, a script can perform a clipboard operation.
If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations.
If you disable or do not configure this policy setting, a script cannot perform a clipboard operation.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Allow drag and drop or copy and paste files (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Allow drag and drop or copy and paste files, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
.
This setting allows managing whether users can drag files or copy and paste files from a source within the zone.
If you enable this policy setting, users can drag files or copy and paste files from this zone automatically.
If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone.
If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this zone.
If you do not configure this policy setting, users are queried to choose whether to drag or copy files from this zone.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Allow file downloads (Restricted Sites Zone)
Category: Browser category
OS: Windows
Description
Verifies the local group policy Allow file downloads, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
.
This setting allows managing whether file downloads are permitted from the zone.
This option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered.
If you enable this setting, files can be downloaded from the zone.
If you disable or do not configure this setting, files are prevented from being downloaded from the zone.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Allow loading of XAML files (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Allow loading of XAML files, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
.
This setting allows managing the loading of Extensible Application Markup Language (XAML) files.
XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take advantage of the Windows Presentation Foundation.
If you enable this setting and set the drop-down box to Enable, XAML files are automatically loaded inside Internet Explorer. The user cannot change this behavior.
If you set the drop-down box to Prompt, the user is prompted for loading XAML files.
If you disable this setting, XAML files are not loaded inside Internet Explorer. The user cannot change this behavior.
If you do not configure this setting, the user can decide whether to load XAML files inside Internet Explorer.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Allow META REFRESH (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Allow META REFRESH, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
.
This setting allows managing whether a user's browser can be redirected to another Web page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page.
If you enable this setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web page.
If you disable or do not configure this setting, a user's browser that loads a page containing an active Meta Refresh setting cannot be redirected to another Web page.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Allow only approved domains to use ActiveX controls without prompt (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Allow only approved domains to use ActiveX controls without prompt, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
.
This setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control.
If you enable this setting, the user is prompted before ActiveX controls can run from websites in this zone.
The user can choose to allow the control to run from the current site or from all sites.
If you disable this setting, the user does not see the per-site ActiveX prompt, and ActiveX controls can run from all sites in this zone.
Recommendation
Set this policy to Enabled > Enable.
Internet Explorer: Allow only approved domains to use the TDC ActiveX control (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Allow only approved domains to use the TDC ActiveX control, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
.
This setting controls whether or not the user is allowed to run the TDC ActiveX control on websites.
If you enable this setting, the TDC ActiveX control will not run from websites in this zone.
If you disable this setting, the TDC Active X control will run from all sites in this zone.
Recommendation
Set this policy to Enabled > Enable.
Internet Explorer: Allow scripting of Internet Explorer WebBrowser controls (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Allow scripting of Internet Explorer WebBrowser controls, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
.
This setting determines whether a page can control embedded WebBrowser controls via script.
If you enable this setting, script access to the WebBrowser control is allowed.
If you disable this setting, script access to the WebBrowser control is not allowed.
If you do not configure this policy setting, the user can enable or disable script access to the WebBrowser control.
By default, script access to the WebBrowser control is allowed only in the Local Machine and Intranet zones.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Allow script-initiated windows without size or position constraints (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Allow script-initiated windows without size or position constraints, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
.
This setting allows managing restrictions on script-initiated pop-up windows and windows that include the title and status bars.
If you enable this policy setting, Windows Restrictions security will not apply in this zone.
The security zone runs without the added layer of security provided by this feature.
If you disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run.
This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.
If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run.
This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Allow scriptlets (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Allow scriptlets, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
.
This setting allows managing whether the user can run scriptlets.
If you enable this policy setting, the user can run scriptlets.
If you disable this policy setting, the user cannot run scriptlets.
If you do not configure this policy setting, the user can enable or disable scriptlets.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Allow updates to status bar via script (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Allow updates to status bar via script, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
.
This setting allows managing whether script is allowed to update the status bar within the zone.
If you enable this policy setting, script is allowed to update the status bar.
If you disable or do not configure this policy setting, script is not allowed to update the status bar.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Allow VBScript to run in Internet Explorer (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Allow VBScript to run in Internet Explorer, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
.
This policy setting allows you to manage whether VBScript can be run on pages from the specified zone in Internet Explorer.
If you select Enable in the drop-down box, VBScript can run without user intervention.
If you select Prompt in the drop-down box, users are asked to choose whether to allow VBScript to run.
If you select Disable in the drop-down box or do not configure this setting, VBScript is prevented from running.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Automatic prompting for file downloads (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Automatic prompting for file downloads, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
.
This setting determines whether users will be prompted for non-user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
If you enable this setting, users will receive a file download dialog for automatic download attempts.
If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog.
Users can then click the Notification bar to allow the file download prompt.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Don't run antimalware programs against ActiveX controls (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Don't run antimalware programs against ActiveX control, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
.
This setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they are safe to load on pages.
If you enable this policy setting, Internet Explorer will not check with your antimalware program to see if it is safe to create an instance of the ActiveX control.
If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it is safe to create an instance of the ActiveX control.
If you do not configure this policy setting, Internet Explorer always checks with your antimalware program to see if it is safe to create an instance of the ActiveX control.
Users can turn this behavior on or off, using Internet Explorer Security settings.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Download signed ActiveX controls (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Download signed ActiveX controls, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
.
This setting allows managing whether users may download signed ActiveX controls from a page in the zone.
If you enable this policy, users can download signed controls without user intervention.
If you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who are not trusted.
Code signed by trusted publishers is silently downloaded.
If you disable or do not configure this setting, signed controls cannot be downloaded.
Recommendation
Set this policy to Disabled.
Internet Explorer: Download unsigned ActiveX controls (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Download unsigned ActiveX controls, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
.
This policy setting allows managing whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone.
If you enable this policy setting, users can run unsigned controls without user intervention.
If you select Prompt in the drop-down box, users are queried to choose whether to allow the unsigned control to run.
If you disable or do not configure this setting, users cannot run unsigned controls.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Enable dragging of content from different domains across windows (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Enable dragging of content from different domains across windows, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
.
This setting allows setting options for dragging content from one domain to a different domain when the source and destination are in different windows.
If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in different windows.
Users cannot change this setting.
If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when both the source and destination are in different windows.
Users cannot change this setting.
In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in different windows.
Users can change this setting in the Internet Options dialog.
In Internet Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different domain when the source and destination are in different windows.
Users cannot change this setting.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Enable dragging of content from different domains within a window (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Enable dragging of content from different domains within a window, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
.
This setting allows setting options for dragging content from one domain to a different domain when the source and destination are in the same window.
If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in the same window.
Users cannot change this setting.
If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when the source and destination are in the same window.
Users cannot change this setting in the Internet Options dialog.
In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in the same window.
Users can change this setting in the Internet Options dialog.
In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from one domain to a different domain when the source and destination are in the same window.
Users cannot change this setting in the Internet Options dialog.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Include local path when user is uploading files to a server (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Include local path when user is uploading files to a server, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
.
This setting controls whether or not local path information is sent when the user is uploading a file via an HTML form.
If the local path information is sent, some information may be unintentionally revealed to the server.
For instance, files sent from the user's desktop may contain the user name as a part of the path.
If you enable this setting, path information is sent when the user is uploading a file via an HTML form.
If you disable this setting, path information is removed when the user is uploading a file via an HTML form.
If you do not configure this setting, the user can choose whether path information is sent when he or she is uploading a file via an HTML form.
By default, path information is sent.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Initialize and script ActiveX controls not marked as safe (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Initialize and script ActiveX controls not marked as safe, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
.
This setting allows managing ActiveX controls not marked as safe.
If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts.
This setting is not recommended, except for secure and administered zones.
This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
If you disable or do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Java permissions (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Java permissions, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
.
This setting allows managing permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box:
Custom: to control permissions settings individually.
Low Safety: enables applets to perform all operations.
Medium Safety: enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
High Safety: enables applets to run in their sandbox.
Disable Java: to prevent any applets from running.
If you disable this setting, Java applets cannot run.
If you do not configure this setting, Java applets are disabled.
Recommendation
Set this policy to Enabled > Disable Java.
Internet Explorer: Launching applications and files in an IFRAME (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Launching applications and files in an IFRAME, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
.
This setting allows managing whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone.
If you enable this setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention.
If you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone.
If you disable or do not configure this setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Logon options (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Logon options, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
.
This setting allows managing settings for logon options.
If you enable this setting, you can choose from the following logon options:
Anonymous logon: to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol.
Prompt for user name and password: to query users for user IDs and passwords.
After a user is queried, these values can be used silently for the remainder of the session.
Automatic logon only in Intranet zone: to query users for user IDs and passwords in other zones.
After a user is queried, these values can be used silently for the remainder of the session.
Automatic logon with current user name and password: to attempt logon using Windows NT Challenge Response (also known as NTLM authentication).
If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon.
If Windows NT Challenge Response is not supported by the server, the user is queried to provide the user name and password.
If you disable this setting, logon is set to Automatic logon only in Intranet zone.
If you do not configure this setting, logon is set to Prompt for username and password.
Recommendation
Set this policy to Enabled > Anonymous logon.
Internet Explorer: Navigate windows and frames across different domains (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Navigate windows and frames across different domains, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
.
This setting allows managing the opening of windows and frames and access of applications across different domains.
If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains.
If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains.
If you disable or do not configure this setting, users cannot open other windows and frames from other domains or access applications from different domains.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Run .NET Framework-reliant components not signed with Authenticode (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Run .NET Framework-reliant components not signed with Authenticode, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
.
This setting allows managing whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer.
These components include managed controls referenced from an object tag and managed executables referenced from a link.
If you enable this policy setting, Internet Explorer will execute unsigned managed components.
If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
If you disable or do not configure this setting, Internet Explorer will not execute unsigned managed components.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Run .NET Framework-reliant components signed with Authenticode (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Run .NET Framework-reliant components signed with Authenticode, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
.
This setting allows managing whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer.
These components include managed controls referenced from an object tag and managed executables referenced from a link.
If you enable this policy setting, Internet Explorer will execute signed managed components.
If you select Prompt, in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components.
If you disable this setting, Internet Explorer will not execute signed managed components.
If you do not configure this setting, Internet Explorer will not execute signed managed components.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Run ActiveX controls and plugins (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Run ActiveX controls and plugins, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
.
This setting allows managing if ActiveX controls and plug-ins can be run on pages from the specified zone.
If you enable this setting, controls and plug-ins can run without user intervention.
If you selected Prompt in the drop-down box, users are asked to choose whether to allow the controls or plug-in to run.
If you disable or do not configure this setting, controls and plug-ins are prevented from running.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Script ActiveX controls marked safe for scripting (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Script ActiveX controls marked safe for scripting, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
.
This policy setting allows managing whether an ActiveX control marked safe for scripting can interact with a script.
If you enable this setting, script interaction can occur automatically without user intervention.
If you select Prompt in the drop-down box, users are queried to choose whether to allow script interaction.
If you disable or do not configure this setting, script interaction is prevented from occurring.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Scripting of Java applets (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Scripting of Java applets, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
.
This setting allows managing whether applets are exposed to scripts within the zone.
If you enable this setting, scripts can access applets automatically without user intervention.
If you select Prompt in the drop-down box, users are queried to choose whether to allow scripts to access applets.
If you disable or do not configure this setting, scripts are prevented from accessing applets.
Recommendation
Set this policy to Enabled > Disable.
Show security warning for potentially unsafe files
Category:
OS:
Description
This setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example).
If you enable this setting and set the drop-down box to Enable, these files open without a security warning.
If you set the drop-down box to Prompt, a security warning appears before the files open.
If you disable this setting, these files do not open.
If you do not configure this setting, the user can configure how the computer handles these files.
By default, these files are blocked in the Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones.
Recommendation
Internet Explorer: Turn on Cross-Site Scripting Filter (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Turn on Cross-Site Scripting Filter, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
.
This setting controls whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone.
If you enable this setting, the XSS Filter is turned on for sites in this zone, and the XSS Filter attempts to block cross-site script injections.
If you disable this policy setting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections.
Recommendation
Set this policy to Enabled > Enable.
Internet Explorer: Turn on Protected Mode (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Turn on Protected Mode, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
.
This setting allows turning on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system.
If you enable this setting, Protected Mode is turned on.
The user cannot turn off Protected Mode.
If you disable this setting, Protected Mode is turned off.
The user cannot turn on Protected Mode.
If you do not configure this setting, the user can turn on or turn off Protected Mode.
Recommendation
Set this policy to Enabled > Enable.
Internet Explorer: Turn on SmartScreen Filter scan (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Turn on SmartScreen Filter scan, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
.
This setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
If you enable this setting, SmartScreen Filter scans pages in this zone for malicious content.
If you disable this setting, SmartScreen Filter does not scan pages in this zone for malicious content.
If you do not configure this setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
Note
In Internet Explorer 7, this setting controls whether Phishing Filter scans pages in this zone for malicious content.
Recommendation
Set this policy to Enabled > Enable.
Internet Explorer: Use Pop-up Blocker (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Use Pop-up Blocker, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
.
This setting allows managing whether unwanted pop-up windows appear.
Pop-up windows that are opened when the end user clicks a link are not blocked.
If you enable or do not configure this setting, most unwanted pop-up windows are prevented from appearing.
If you disable this setting, pop-up windows are not prevented from appearing.
Recommendation
Set this policy to Enabled > Enable.
Internet Explorer: Userdata persistence (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Userdata persistence, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
.
This setting allows managing the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
If you enable this setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
If you disable or do not configure this setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Web sites in less privileged Web content zones can navigate into this zone (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Web sites in less privileged Web content zones can navigate into this zone, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
.
This setting allows managing whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
If you enable this setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.
The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature.
If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
If you disable or do not configure this setting, the possibly harmful navigations are prevented.
The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Don't run antimalware programs against ActiveX controls (Trusted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Don't run antimalware programs against ActiveX controls, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone
.
This setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they are safe to load on pages.
If you enable this setting, Internet Explorer will not check with your antimalware program to see if it is safe to create an instance of the ActiveX control.
If you disable this setting, Internet Explorer always checks with your antimalware program to see if it is safe to create an instance of the ActiveX control.
If you do not configure this setting, Internet Explorer will not check with your antimalware program to see if it is safe to create an instance of the ActiveX control.
Users can turn this behavior on or off, using Internet Explorer Security settings.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Initialize and script ActiveX controls not marked as safe (Trusted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Initialize and script ActiveX controls not marked as safe, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone
.
This setting allows managing ActiveX controls not marked as safe.
If you enable this setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts.
This setting is not recommended, except for secure and administered zones.
This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
If you enable this setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
If you disable this setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
If you do not configure this setting, users are queried whether to allow the control to be loaded with parameters or scripted.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Java permissions (Trusted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Java permissions, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone
.
This setting allows managing permissions for Java applets.
If you enable this setting, you can choose options from the drop-down box:
Custom: control permissions settings individually.
Low Safety: enable applets to perform all operations.
Medium Safety: enable applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
High Safety: enable applets to run in their sandbox.
Disable Java: to prevent any applets from running.
If you disable this policy setting, Java applets cannot run.
If you do not configure this policy setting, the permission is set to Low Safety.
Recommendation
Set this policy to Enabled > High safety.
Allow fallback to SSL 3.0 (Internet Explorer)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Allow fallback to SSL 3.0 (Internet Explorer), located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features
.
This setting allows blocking an insecure fallback to SSL 3.0.
When this policy is enabled, Internet Explorer will attempt to connect to sites using SSL 3.0 or below when TLS 1.0 or greater fails.
Do not allow insecure fallback in order to prevent a man-in-the-middle attack.
This policy does not affect which security protocols are enabled.
If you disable this policy, system defaults will be used.
Recommendation
Set this policy to Enabled > No sites.
Remove Run this time button for outdated ActiveX controls in Internet Explorer
Category: Browser security
OS: Windows
Description
Verifies the local group policy Remove Run this time button for outdated ActiveX controls in Internet Explorer, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management
.
This policy setting allows preventing users from seeing the Run this time button and from running specific outdated ActiveX controls in Internet Explorer.
If you enable this setting, users will not see the Run this time button on the warning message that appears when Internet Explorer blocks an outdated ActiveX control.
If you disable or don't configure this policy setting, users will see the Run this time button on the warning message that appears when Internet Explorer blocks an outdated ActiveX control.
Clicking this button lets the user run the outdated ActiveX control once.
Recommendation
Set this policy to Enabled.
Turn off blocking of outdated ActiveX controls for Internet Explorer
Category: Browser security
OS: Windows
Description
Verifies the local group policy Turn off blocking of outdated ActiveX controls for Internet Explorer, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management
.
This setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.
If you enable this setting, Internet Explorer stops blocking outdated ActiveX controls.
If you disable or do not configure this policy setting, Internet Explorer continues to block specific outdated ActiveX controls.
Recommendation
Set this policy to Disabled.
Internet Explorer Processes Handling
Category: Browser security
OS: Windows
Description
Verifies the local group policy Internet Explorer Processes, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Consistent Mime Handling
.
Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling procedures for files received through a Web server.
This policy setting determines whether Internet Explorer requires that all file-type information provided by Web servers be consistent.
For example, if the MIME type of a file is text/plain but the MIME sniff indicates that the file is really an executable file, Internet Explorer renames the file by saving it in the Internet Explorer cache and changing its extension.
If you enable or do not configure this policy setting, Internet Explorer requires consistent MIME data for all received files.
If you disable this policy setting, Internet Explorer will not require consistent MIME data for all received files.
Recommendation
Set this policy to Enabled.
Internet Explorer Processes Sniffing
Category: Browser security
OS: Windows
Description
Verifies the local group policy Internet Explorer Processes, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Mime Sniffing Safety Feature
.
This policy setting determines whether Internet Explorer MIME sniffing will prevent promotion of a file of one type to a more dangerous file type.
If you enable or do not configure this setting, MIME sniffing will never promote a file of one type to a more dangerous file type.
If you disable this setting, Internet Explorer processes will allow a MIME sniff promoting a file of one type to a more dangerous file type.
Recommendation
Set this policy to Enabled.
Internet Explorer Processes MK Protocol
Category: Browser security
OS: Windows
Description
Verifies the local group policy Internet Explorer Processes, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\MK Protocol Security Restriction
.
The MK Protocol Security Restriction policy setting reduces attack surface area by preventing the MK protocol. Resources hosted on the MK protocol will fail.
If you enable or do not configure this setting, the MK Protocol is prevented for File Explorer and Internet Explorer, and resources hosted on the MK protocol will fail.
If you disable this setting, applications can use the MK protocol API.
Resources hosted on the MK protocol will work for the File Explorer and Internet Explorer processes.
Recommendation
Set this policy to Enabled.
Internet Explorer Processes Security background
Category: Browser security
OS: Windows
Description
Verifies the local group policy Internet Explorer Processes, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Notification bar
.
This setting allows you to manage whether the Notification bar is displayed for Internet Explorer processes when file or code installs are restricted.
By default, the Notification bar is displayed for Internet Explorer processes.
If you enable or do not configure this setting, the Notification bar will be displayed for Internet Explorer Processes.
If you disable this policy setting, the Notification bar will not be displayed for Internet Explorer processes.
Recommendation
Set this policy to Enabled.
Internet Explorer Processes Zone Elevation
Category: Browser security
OS: Windows
Description
Verifies the local group policy Internet Explorer Processes, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Protection From Zone Elevation
.
Internet Explorer places restrictions on each Web page it opens. The restrictions are dependent upon the location of the Web page (Internet, Intranet, Local Machine zone, etc.).
Web pages on the local computer have the fewest security restrictions and reside in the Local Machine zone, making the Local Machine security zone a prime target for malicious users.
Zone Elevation also disables JavaScript navigation if there is no security context.
If you enable or do not configure this setting, any zone can be protected from zone elevation by Internet Explorer processes.
If you disable this setting, no zone receives such protection for Internet Explorer processes.
Recommendation
Set this policy to Enabled.
Internet Explorer Processes Restrict ActiveX Install
Category: Browser security
OS: Windows
Description
Verifies the local group policy Internet Explorer Processes, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Restrict ActiveX Install
.
This setting enables blocking of ActiveX control installation prompts for Internet Explorer processes.
If you enable this setting, prompting for ActiveX control installations will be blocked for Internet Explorer processes.
If you disable this setting, prompting for ActiveX control installations will not be blocked for Internet Explorer processes.
If you do not configure this setting, the user's preference will be used to determine whether to block ActiveX control installations for Internet Explorer processes
Recommendation
Set this policy to Enabled.
Internet Explorer Processes Restrict Download
Category: Browser security
OS: Windows
Description
Verifies the local group policy Internet Explorer Processes, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Restrict File Download
.
This setting enables blocking of file download prompts that are not user initiated.
If you enable this setting, file download prompts that are not user initiated will be blocked for Internet Explorer processes.
If you disable this policy setting, prompting will occur for file downloads that are not user initiated for Internet Explorer processes.
If you do not configure this setting, the user's preference determines whether to prompt for file downloads that are not user initiated for Internet Explorer processes.
Recommendation
Set this policy to Enabled.
Internet Explorer Processes Window Restrictions
Category: Browser security
OS: Windows
Description
Verifies the local group policy Internet Explorer Processes, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Scripted Window Security Restrictions
.
Internet Explorer allows scripts to programmatically open, resize, and reposition windows of various types.
The Window Restrictions security feature restricts pop-up windows and prohibits scripts from displaying windows in which the title and status bars are not visible to the user or obfuscate other Windows' title and status bars.
If you enable or do not configure this setting, pop-up windows and other restrictions apply for File Explorer and Internet Explorer processes.
If you disable this setting, scripts can continue to create pop-up windows and windows that obfuscate other windows.
Recommendation
Set this policy to Enabled.
Enable local admin password management
Category: OS security
OS: Windows
Description
Verifies the policy Enable local admin password management located in:
Computer Configuration\Administrative Templates\system\LAPS - for Windows server 2019-2022
Computer Configuration\Administrative Templates\LAPS - for prior versions
This policy enables management of password for local administrator account.
If you enable this setting, local administrator password is managed.
If you disable or not configure this setting, local administrator password is NOT managed.
Note
This policy is available in local group policy editor after installing Local Administrator Password Solution (LAPS).
Recommendation
Set this policy to Enabled.
Local Account Token Filter Policy
Category: OS security
OS: Windows
Description
MS Security Guide: Apply UAC restrictions to local accounts on network logon.
This setting controls whether local accounts can be used for remote administration via network logon (e.g., NET USE
, connecting to C$
, etc.).
Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems.
Enabling this policy significantly reduces that risk.
Enabled (recommended): Applies UAC token-filtering to local accounts on network logons.
Membership in powerful group such as Administrators is disabled and powerful privileges are removed from the resulting access token.
This configures the
LocalAccountTokenFilterPolicy
registry value to0
. This is the default behavior for Windows.Disabled: Allows local accounts to have full administrative rights when authenticating via network logon, by configuring the
LocalAccountTokenFilterPolicy
registry value to1
.For more information about
LocalAccountTokenFilterPolicy
, see http://support.microsoft.com/kb/951016.
Recommendation
Set this policy to Enabled.
Configure SMB v1 server
Category: OS security
OS: Windows
Description
MS Security Guide: Configure SMB v1 server.
Disabling this setting disables server-side processing of the SMBv1 protocol. (Recommended).
Enabling this setting enables server-side processing of the SMBv1 protocol. (Default).
Changes to this setting require a reboot to take effect.
For more information, see https://support.microsoft.com/kb/2696547.
Recommendation
Set this to Disabled.
Configure SMB v1 client
Category: OS security
OS: Windows
Description
MS Security Guide: Configure SMB v1 client driver.
Disabling this setting disables server-side processing of the SMBv1 protocol. (Recommended).
Enabling this setting enables server-side processing of the SMBv1 protocol. (Default).
Changes to this setting require a reboot to take effect. For more information, see https://support.microsoft.com/kb/2696547.
Recommendation
Set this to Enabled > Disable driver.
Enable Structured Exception Handling Overwrite Protection (SEHOP)
Category: OS security
OS: Windows
Description
MS Security Guide: Enable Structured Exception Handling Overwrite Protection (SEHOP).
If this setting is enabled, SEHOP is enforced.
For more information, see https://support.microsoft.com/en-us/help/956607/how-to-enable-structured-exception-handling-overwrite-protection-sehop-in-windows-operating-systems.
If this setting is disabled or not configured, SEHOP is not enforced for 32-bit processes.
Recommendation
Set this to Enabled.
WDigest Authentication
Category: OS security
OS: Windows
Description
MS Security Guide: WDigest Authentication.
When WDigest authentication is enabled, Lsass.exe
retains a copy of the user's plaintext password in memory, where it can be at risk of theft. Microsoft recommends disabling WDigest authentication unless it is needed.
If this setting is not configured, WDigest authentication is disabled in Windows 8.1 and in Windows Server 2012 R2; it is enabled by default in earlier versions of Windows and Windows Server.
Update KB2871997 must first be installed to disable WDigest authentication using this setting in Windows 7, Windows 8, Windows Server 2008 R2 and Windows Server 2012.
Enabled: Enables WDigest authentication.
Disabled (recommended): Disables WDigest authentication.
For this setting to work on Windows 7, Windows 8, Windows Server 2008 R2 or Windows Server 2012, KB2871997 must first be installed.
Note
For more information, see http://support.microsoft.com/kb/2871997 and http://blogs.technet.com/b/srd/archive/2014/06/05/an-overview-of-kb2871997.aspx
Recommendation
Set this to Disabled.
DisableIPSourceRouting IPv6
Category: Network and credentials
OS: Windows
Description
MSS: (DisableIPSourceRouting IPv6
) IP source routing protection level (protects against packet spoofing)
Recommendation
Set this to Highest protection, source routing is completely disabled.
DisableIPSourceRouting
Category: Network and credentials
OS: Windows
Description
MSS: (DisableIPSourceRouting
) IP source routing protection level (protects against packet spoofing)
Recommendation
Set this to Highest protection, source routing is completely disabled.
EnableICMPRedirect
Category: Network and credentials
OS: Windows
Description
MSS: (EnableICMPRedirect
) Allow ICMP redirects to override OSPF generated routes
Recommendation
Set this to Disabled.
NoNameReleaseOnDemand
Category: OS security
OS: Windows
Description
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers
Recommendation
Set this to Enabled.
Office Word 11 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Word 11, located in File\Options\Trust Center\Trust Center Settings\Macro Settings
.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.
However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run.
This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Word 12 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Word 12, located in File\Options\Trust Center\Trust Center Settings\Macro Settings
.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.
However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run.
This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Word 14 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Word 14, located in File\Options\Trust Center\Trust Center Settings\Macro Settings
.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.
However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run.
This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Word 15 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Word 15, located in File\Options\Trust Center\Trust Center Settings\Macro Settings
.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.
However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run.
This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Word 16 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Word 16, located in File\Options\Trust Center\Trust Center Settings\Macro Settings
.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.
However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run.
This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office MSProject 11 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office MSProject 11, located in File\Options\Trust Center\Trust Center Settings\Macro Settings
.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.
However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run.
This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office MSProject 12 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office MSProject 12, located in File\Options\Trust Center\Trust Center Settings\Macro Settings
.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.
However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run.
This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office MSProject 14 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office MSProject 14, located in File\Options\Trust Center\Trust Center Settings\Macro Settings
.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.
However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run.
This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office MSProject 15 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office MSProject 15, located in File\Options\Trust Center\Trust Center Settings\Macro Settings
.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.
However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run.
This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office MSProject 16 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office MSProject 16, located in File\Options\Trust Center\Trust Center Settings\Macro Settings
.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.
However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run.
This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Excel 11 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Excel 11, located in File\Options\Trust Center\Trust Center Settings\Macro Settings
.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.
However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run.
This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Excel 12 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Excel 12, located in File\Options\Trust Center\Trust Center Settings\Macro Settings
.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.
However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run.
This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Excel 14 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Excel 14, located in File\Options\Trust Center\Trust Center Settings\Macro Settings
.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.
However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run.
This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Excel 15 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Excel 15, located in File\Options\Trust Center\Trust Center Settings\Macro Settings
.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.
However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run.
This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Excel 16 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Excel 16, located in File\Options\Trust Center\Trust Center Settings\Macro Settings
.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.
However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run.
This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Power Point 11 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Power Point 11, located in File\Options\Trust Center\Trust Center Settings\Macro Settings
.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.
However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run.
This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Power Point 12 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Power Point 12, located in File\Options\Trust Center\Trust Center Settings\Macro Settings
.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.
However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run.
This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Power Point 14 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Power Point 14, located in File\Options\Trust Center\Trust Center Settings\Macro Settings
.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.
However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run.
This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Power Point 15 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Power Point 15, located in File\Options\Trust Center\Trust Center Settings\Macro Settings
.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.
However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run.
This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Power Point 16 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Power Point 16, located in File\Options\Trust Center\Trust Center Settings\Macro Settings
.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.
However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run.
This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Access 11 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Access 11, located in File\Options\Trust Center\Trust Center Settings\Macro Settings
.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.
However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run.
This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Access 12 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Access 12, located in File\Options\Trust Center\Trust Center Settings\Macro Settings
.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.
However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run.
This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Access 14 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Access 14, located in File\Options\Trust Center\Trust Center Settings\Macro Settings
.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.
However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run.
This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Access 15 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Access 15, located in File\Options\Trust Center\Trust Center Settings\Macro Settings
.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.
However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run.
This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Access 16 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Access 16, located in File\Options\Trust Center\Trust Center Settings\Macro Settings
.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.
However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run.
This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Publisher 11 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Publisher 11, located in File\Options\Trust Center\Trust Center Settings\Macro Settings
.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.
However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run.
This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Publisher 12 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Publisher 12, located in File\Options\Trust Center\Trust Center Settings\Macro Settings
.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.
However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run.
This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Publisher 14 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Publisher 14, located in File\Options\Trust Center\Trust Center Settings\Macro Settings
.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.
However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run.
This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Publisher 15 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Publisher 15, located in File\Options\Trust Center\Trust Center Settings\Macro Settings
.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.
However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run.
This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Publisher 16 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Publisher 16, located in File\Options\Trust Center\Trust Center Settings\Macro Settings
.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.
However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run.
This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Outlook 11 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Outlook 11, located in File\Options\Trust Center\Trust Center Settings\Macro Settings
.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.
However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run.
This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Outlook 12 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Outlook 12, located in File\Options\Trust Center\Trust Center Settings\Macro Settings
.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.
However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run.
This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Outlook 14 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Outlook 14, located in File\Options\Trust Center\Trust Center Settings\Macro Settings
.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.
However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run.
This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Outlook 15 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Outlook 15, located in File\Options\Trust Center\Trust Center Settings\Macro Settings
.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.
However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run.
This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Outlook 16 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Outlook 16, located in File\Options\Trust Center\Trust Center Settings\Macro Settings
.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.
However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run.
This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Mozilla Passwords
Category: Browser security
OS: Windows
Description
Checks if Mozilla Firefox stores passwords on disk.
An attacker who gains ownership of your system may steal stored credentials.
Recommendation
Do not save credentials locally, especially if not protected by a security solution.
WinRM Service
Category: OS security
OS: Windows
Description
Windows Remote Management (WinRM) allows a user to interact with a remote system, to run an executable, modify the registry, or modify services. It may be called with the winrm
command or by various programs, such as PowerShell.
Recommendation
Disable the WinRM Service unless necessary.
Network access: Do not allow anonymous enumeration of SAM accounts and shares
Category: Network and credentials
OS: Windows
Description
This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed.
Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares.
This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust.
If you do not want to allow anonymous enumeration of SAM accounts and shares, go to
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
, and enable this policy.Default: Disabled.
Recommendation
Set this to Enabled.
Network access: Let Everyone permissions apply to anonymous users
Category: OS security
OS: Windows
Description
This security setting located in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
determines what additional permissions are granted for anonymous connections to the computer.
Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust.
By default, the Everyone security identifier (SID) is removed from the token created for anonymous connections. Therefore, permissions granted to the Everyone group do not apply to anonymous users.
If this option is set, anonymous users can only access those resources for which the anonymous user has been explicitly given permission.
If this policy is enabled, the Everyone SID is added to the token that is created for anonymous connections.
In this case, anonymous users are able to access any resource for which the Everyone group has been given permissions.
Default: Disabled.
Recommendation
Set this to Disabled.
PowerShell Script Execution
Category: OS security
OS: Windows
Description
Checks the local group policy Turn on Script Execution, located in Computer Configuration\Administrative Templates\Windows Components\Windows PowerShell
.
This policy setting lets you configure the script execution policy, controlling which scripts are allowed to run.
If you enable this policy setting, the scripts selected in the drop-down list are allowed to run.
The Allow only signed scripts policy setting allows scripts to execute only if they are signed by a trusted publisher.
The Allow local scripts and remote signed scripts policy setting allows any local scrips to run.
Scripts that originate from the internet must be signed by a trusted publisher.
The Allow all scripts policy setting allows all scripts to run. The Allow all scripts policy setting allows all scripts to run.
If you disable this policy setting, no scripts are allowed to run.
Recommendation
Set this to Disabled.
Robomongo Passwords
Category: Network and credentials
OS: Windows
Description
Checks if Robomongo stores passwords on disk. An attacker who gains ownership of your system may steal stored credentials.
Recommendation
Do not save credentials locally, especially if not protected by a security solution.
Internet Explorer Passwords
Category: Network and credentials
OS: Windows
Description
Checks if Internet Explorer or Microsoft Edge store passwords on disk. An attacker who gains ownership of your system may steal stored credentials.
Recommendation
Do not save credentials locally, especially if not protected by a security solution.
Apache Directory Studio Passwords
Category: Network and credentials
OS: Windows
Description
Checks if Apache Directory Studio stores passwords on disk. An attacker who gains ownership of your system may steal stored credentials.
Recommendation
Do not save credentials locally, especially if not protected by a security solution.
Filezilla Passwords
Category: Network and credentials
OS: Windows
Description
Checks if Filezilla stores passwords on disk. An attacker who gains ownership of your system may steal stored credentials.
Recommendation
Do not save credentials locally, especially if not protected by a security solution.
FTP Navigator Passwords
Category: Network and credentials
OS: Windows
Description
Checks if FTP Navigator stores passwords on disk. An attacker who gains ownership of your system may steal stored credentials.
Recommendation
Do not save credentials locally, especially if not protected by a security solution.
DB Visualizer Passwords
Category: Network and credentials
OS: Windows
Description
Checks if DB Visualizer stores passwords on disk. An attacker who gains ownership of your system may steal stored credentials.
Recommendation
Do not save credentials locally, especially if not protected by a security solution.
Win SCP Passwords
Category: Network and credentials
OS: Windows
Description
Checks if Win SCP stores passwords on disk. An attacker who gains ownership of your system may steal stored credentials.
Recommendation
Do not save credentials locally, especially if not protected by a security solution.
RDP Manager Passwords
Category: Network and credentials
OS: Windows
Description
Checks if RDP Manager stores passwords on disk. An attacker who gains ownership of your system may steal stored credentials.
Recommendation
Do not save credentials locally, especially if not protected by a security solution.
Winlogon Passwords
Category: Network and credentials
OS: Windows
Description
Checks if Winlogon stores passwords on disk. An attacker who gains ownership of your system may steal stored credentials.
Recommendation
Do not save credentials locally, especially if not protected by a security solution.
Squirrel Passwords
Category: Network and credentials
OS: Linux
Description
In networking, source routing allows a sender to partially or fully specify the route packets take through a network. If source-routed packets were allowed, they can be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that do not allow this routing.
Recommendation
Ensure the net.ipv4.conf.all.accept_source_route, net.ipv4.conf.default.accept_source_route, net.ipv6.conf.all.accept_source_route and net.ipv6.conf.default.accept_source_route flags are disabled.
Thunderbird Passwords
Category: Network and credentials
OS: Windows
Description
Checks if Thunderbird stores passwords on disk. An attacker who gains ownership of your system may steal stored credentials.
Recommendation
Do not save credentials locally, especially if not protected by a security solution.
PostgreSQL Passwords
Category: Network and credentials
OS: Windows
Description
Checks if PostgreSQL stores passwords on disk. An attacker who gains ownership of your system may steal stored credentials.
Recommendation
Do not save credentials locally, especially if not protected by a security solution.
PHP Auth Passwords
Category: Network and credentials
OS: Windows
Description
Checks if PHP Auth stores passwords on disk. An attacker who gains ownership of your system may steal stored credentials.
Recommendation
Do not save credentials locally, especially if not protected by a security solution.
Tortoise SVN Passwords
Category: Network and credentials
OS: Windows
Description
Checks if Tortoise SVN stores passwords on disk. An attacker who gains ownership of your system may steal stored credentials.
Recommendation
Do not save credentials locally, especially if not protected by a security solution.
Too many local administrators
Category: OS security
OS: Windows
Description
Checks the number of local administrators on the machine.
Recommendation
Do not allow more than one local administrator account.
SMB Shared Everyone Read
Category: Network and credentials
OS: Windows
Description
Checks the existence of shared folders with read access for the Everyone group.
The Everyone group includes all users who have logged in with a password (members of the Authenticated Users group) as well as built-in, non-password protected accounts such as Guest, and several other built-in security accounts like SERVICE, LOCAL_SERVICE, NETWORK_SERVICE, and others.
A Guest account is a built-in account on a Windows system that is disabled by default.
If enabled, it allows anyone to login without a password.
Recommendation
Restrict access to shared folders for members of the Everyone group.
We also recommend you do not grant shared permissions to Shell Folders.
SMB Shared Everyone Write
Category: Network and credentials
OS: Windows
Description
Checks the existence of shared folders with write access for the Everyone group.
The Everyone group includes all users who have logged in with a password (members of the Authenticated Users group) as well as built-in, non-password protected accounts such as Guest, and several other built-in security accounts like SERVICE, LOCAL_SERVICE, NETWORK_SERVICE, and others.
A Guest account is a built-in account on a Windows system that is disabled by default.
If enabled, it allows anyone to login without a password.
Recommendation
Restrict access to shared folders for members of the Everyone group.
We also recommend you do not grant shared permissions to Shell Folders.
SMB Shared Sensitive Read
Category: Network and credentials
OS: Windows
Description
Checks the existence of sensitive folders that are shared with read access on Server Message Block (SMB).
SMB is a network protocol used by Windows-based computers that allows systems within the same network to share files. It allows computers connected to the same network or domain to access files from other local computers as easily as if they were on the computer's local hard drive.
Not only does SMB allow computers to share files, but it also enables computers to share printers and even serial ports from other computers within the network.
Recommendation
Restrict access to shared folders for members of the Everyone group.
We also recommend you do not grant shared permissions to Shell Folders.
SMB Shared Sensitive Write
Category: Network and credentials
OS: Windows
Description
Checks the existence of sensitive folders that are shared with write access on Server Message Block (SMB).
SMB is a network protocol used by Windows-based computers that allows systems within the same network to share files. It allows computers connected to the same network or domain to access files from other local computers as easily as if they were on the computer's local hard drive.
Not only does SMB allow computers to share files, but it also enables computers to share printers and even serial ports from other computers within the network.
Recommendation
Restrict access to shared folders for members of the Everyone group.
SMBv3 Exploitable
Category: Network and credentials
OS: Windows
Description
Checks if the computer is vulnerable to CVE-2020-0796.
Recommendation
Always watch for, and install security updates.
afmtd Exploitable
Category: OS security
OS: Windows
Description
Checks if the computer is vulnerable to CVE-2020-1020.
Recommendation
Always watch for, and install security updates.
Full Secure Channel Protection
Category: Network and credentials
OS: Windows
Description
Verifies the policy Domain controller: Allow vulnerable Netlogon secure channel connections, located in Computer Configuration\Windows Settings\Security Settings\Security Options
.
This security setting determines whether the domain controller bypasses secure RPC for Netlogon secure channel connections, for specified machine accounts.
When this policy is enabled with Allow, the domain controller will allow some specified groups/accounts to use a Netlogon secure channel without secure RPC.
Recommendation
Set this policy to Deny or Not configured.
Print Spooler Service Exploitable
Category: Network and credentials
OS: Windows
Description
Verifies if the endpoint is susceptible to the PrintNightmare attack CVE-2021-34527).
This type of attack exploits a vulnerability within the Windows Print Spooler service, allowing an attacker to run arbitrary code with SYSTEM privileges. An attacker can then install programs; view, change or delete data, or create new accounts with full user rights.
Recommendation
Make sure your endpoint is always up-to-date with your operating system security patches.
If for some reason you are unable to patch the endpoint, make sure you apply one of the workarounds specified in this vulnerability blog post
Disable the Print Spooler Service or Disable inbound remote printing through Group Policy.
NTLM Incoming traffic not restricted
Category: Network and credentials
OS: Windows
Description
Verifies if the group policy Network Security: Restrict NTLM: Incoming NTLM traffic, located in Computer Configurations\Policies\Windows Settings\Security Settings\Local Policies\Security Options
is configured to deny incoming traffic from all accounts.
If this setting is not configured properly, an attacker can target a Domain Controller using an NTLM relay attack (dubbed PetitPotam).
Recommendation
To safeguard against this line of attack, the Windows maker is recommending that customers disable NTLM authentication on the domain controller. In the event NTLM cannot be turned off for compatibility reasons, the company is urging users to take one of the two steps below:
Disable NTLM on any AD CS Servers in your domain using the group policy Network security: Restrict NTLM: Incoming NTLM traffic
Disable NTLM for Internet Information Services (IIS) on AD CS Servers in the domain running the Certificate Authority Web Enrollment or Certificate Enrollment Web Service services
Log4j with Remote Code Execution Present
Category: Network and credentials
OS: Windows
Description
Verifies if a vulnerable version of log4j module is present on the disk. The vulnerable module could be affected by CVE-2021-44228 and CVE-2021-45046, and submitting a specially crafted request to it might lead into download and subsequently execute a malicious payload.
Recommendation
Avoid using Log4j versions 2.x to 2.15.0.
Log4j with Denial of Service Present
Category: Network and credentials
OS: Windows
Description
Verifies if a vulnerable version of log4j module is present on the disk. The vulnerable module could be affected by CVE-2021-45105, and submitting a specially crafted request to it might cause a denial of service when a crafted string is interpreted.
Recommendation
Avoid using Log4j versions 2.x to 2.16.0, except version 2.12.3, which fixes the issue.
HTTP Protocol Stack Remote Code Execution Vulnerability
Category: Vulnerability
OS: Windows
Description
Verifies if http.sys, a kernel mode device driver in Microsoft Windows, is vulnerable of CVE-2022-21907 - a remote code execution vulnerability that requires no authentication.
Recommendation
Stay up-to-date with the security updates and as a mitigation, make sure that EnableTrailerSupport, located under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters
is either missing or set to 0
.
Win32k Privilege Escalation Vulnerability
Category: Vulnerability
OS: Windows
Description:
This vulnerability can allow an attacker to gain system-level
privileges. This flaw was originally identified as CVE-2021-1732 and was patched, but a technique to bypass the patch was identified and assigned CVE-2022-21882.
Recommendation:
Install the latest security updates.
Spring Cloud Functions vulnerability (Spring4Shell)
Category: Vulnerability
OS: Windows
Description:
Spring Cloud Functions versions 3.1.6, 3.2.2, and older are vulnerable to CVE-2022-22963. This vulnerability allows a user to provide a specially crafted SpEl payload as a routing-expression. This may result in a remote code execution and access to local resources.
Recommendation:
Upgrade Spring Cloud Functions to versions 3.1.7, 3.2.3, or higher.
Tarrask tasks detected
Category: Vulnerability
OS: Windows
Description
Verifies whether there are any scheduled tasks that have no security descriptor associated. These types of tasks are an indicator of Tarrask malware infection.
Recommendation
Navigate to the following registry HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree
, and check if there are any scheduled tasks where SD
(security descriptor) entry has no value.
Follina Vulnerability
Category: Vulnerability
OS: Windows
Description
Verifies if the system is vulnerable to CVE-2022-30190, also known as Follina Vulnerability. This vulnerability allows remote code execution when Microsoft Windows Support Diagnostic Tool (MSDT) is called using the URL protocol of a calling application, such as Microsoft Word.
Recommendation
Install the latest security updates, or apply the mitigation actions suggested by the vendor.
Microsoft search handler present
Category: OS security
OS: Windows
Description
Verifies if search-ms
handler is present. Adversaries can leverage search-ms
, as it is a URI protocol handler that allows applications and HTML links to launch customized searches on a device.
Recommendation
Create a backup of the registry, and remove search-ms
located at HKEY_CLASSES_ROOT\\search-ms
.
Linux findings
OpenSSH root login is enabled
Category: OS security
OS: Linux
Description
Verifies if login is enabled for user "root".
Recommendation
Ensure remote access is disabled for user "root".
OpenSSH runs on the default port
Category: OS security
OS: Linux
Description
Verifies if the default ssh port is used for the ssh server.
Recommendation
Change the ssh port in order to reduce chances of being targeted.
OpenSSH PermitEmptyPasswords is enabled
Category: OS security
OS: Linux
Description
Verifies if the PermitEmptyPasswords
parameter for the OpenSSH server is set to allow login to accounts with empty password strings.
Recommendation
Ensure OpenSSH server does not allow login to accounts with empty password strings.
OpenSSH HostbasedAuthentication is enabled
Category: OS security
OS: Linux
Description
Verifies if the HostbasedAuthentication
parameter for the OpenSSH server is set to allow authentication through trusted hosts.
Recommendation
Ensure the OpenSSH server does not allow authentication through trusted hosts.
OpenSSH idle timeout interval is not configured
Category: OS security
OS: Linux
Description
Verifies if the ClientAliveInterval
and ClientAliveCountMax
parameters for the OpenSSH server are not configured.
When those parameters are configured, the ssh session will end when the session is idle and ClientAliveCountMax
is reached after sending alive messages at a ClientAliveInterval
interval.
Recommendation
Ensure the idle timeout interval options for the OpenSSH server are configured.
OpenSSH Password login
Category: OS security
OS: Linux
Description
Verifies if password login is enabled for OpenSSH server.
Recommendation
Ensure SSH access is made through public keys.
Automatic login enabled
Category: OS security
OS: Linux
Description
Verifies if automatic login is configured for a user on the endpoint.
Note
Automatic login automatically logs in a user after OS boot.
Recommendation
Ensure the automatic login option is not enabled.
Samba guest access enabled
Category: OS security
OS: Linux
Description
Verifies if the Samba Service is configured to allow guest access.
Recommendation
Ensure guest access is restricted if you do not explicitly need it.
VSftp server anonymous access allowed
Category: OS security
OS: Linux
Description
Verifies if the VSftp service is configured to allow anonymous access.
Recommendation
Ensure anonymous access to the VSftp service is not allowed.
Boot directory access not restricted
Category: OS security
OS: Linux
Description
Verifies if access to the boot directory is restricted for non-root accounts.
Recommendation
Ensure only root account is allowed access to the boot directory.
Users do not own their home directory
Category: OS security
OS: Linux
Description
Verifies if there is at least one user that does not own their home directory.
Recommendation
Ensure every user present on the endpoint is owner of their own home directory.
GPGCheck is globally activated
Category: OS security
OS: Linux
Description
Verifies if the gpg signature check is globally enabled, thus making sure that updates are obtained from a valid source.
Recommendation
Ensure the gpg signature check is globally enabled.
Ensure sudo commands use pty
Category: OS security
OS: Linux
Description
Verifies if sudo is configured to run only from a pseudo-pty.
Attackers can run malicious programs using sudo, causing it to fork a background process that persists even when the main program has finished executing.
Recommendation
Ensure sudo is configured to run other programs from a pseudo-pty.
Permissions on bootloader are not restricted
Category: OS security
OS: Linux
Description
Verifies the permissions on the bootloader configuration file.
If not properly configured, non-root users may read the boot parameters and could identify weaknesses in security upon boot.
Recommendation
Ensure only root can read / write the bootloader configuration file.
Permissions on the motd file are not restricted
Category: OS security
OS: Linux
Description
Verifies if permissions on the /etc/motd file are not restricted. The content of the /etc/motd file is displayed to users after login, and functions as a message of the day for authenticated users.
If the permissions and ownership of this file are not properly configured, it could allow other users to corrupt it with incorrect or misleading information.
Recommendation
Ensure the owner of the motd file is root and permissions to others are restricted to read only.
Permissions on the issue file are not restricted
Category: OS security
OS: Linux
Description
Verifies if permissions on the /etc/issue file are not restricted. The content of the /etc/issue file is displayed to users prior to login from local terminals.
If the permissions and ownership of this file are not properly configured, it could allow other users to corrupt it with incorrect or misleading information.
Recommendation
Ensure the owner of the issue file is root and permissions to others are restricted to read only.
Permissions on the issue.net file are not restricted
Category: OS security
OS: Linux
Description
Verifies if permissions on the /etc/issue.net file are not restricted. The content of the /etc/issue.net file is displayed to users prior to login from remote terminals.
If the permissions and ownership of this file are not properly configured, it could allow other users to corrupt it with incorrect or misleading information.
Recommendation
Ensure the owner of issue.net file is root and permissions to others are restricted to read only.
Avahi Server is enabled
Category: OS security
OS: Linux
Description
Verifies if Avahi Server is enabled on the endpoint. Avahi Server allows programs to publish and discover services and hosts running on the local network.
Recommendation
Ensure Avahi Server is not enabled in order to reduce the endpoint's potential attack surface.
Rsync Server is enabled
Category: OS security
OS: Linux
Description
Verifies if Rsync Server is enabled on the endpoint. Rsync Service is used to synchronize files between systems over network through unencrypted protocols.
Recommendation
Ensure the rsyncd service is disabled.
SNMP Server is enabled
Category: OS security
OS: Linux
Description
Verifies the Simple Network Management Protocol (SNMP) server is enabled. This service listens for SNMP commands, which it executes, or collects their results and sends them back to the requester.
The SNMP server can communicate using SNMP v1, which transmits data in clear and does not require authentication to execute commands.
Recommendation
Ensure SNMP Server is disabled unless absolutely necessary.
HTTP proxy is enabled
Category: OS security
OS: Linux
Description
Verifies if the squid http proxy server is enabled.
If there is no need for a proxy server, it is recommended to disable or delete it, to reduce the potential attack surface.
Recommendation
Ensure squid http proxy is disabled if not used.
Samba Service is enabled
Category: OS security
OS: Linux
Description
Verifies if Samba Service is enabled on the endpoint. If there is no need to mount directories and file systems, then this service can be disabled in order to reduce the potential attack surface.
Recommendation
Ensure SMB service is disabled if not used, to reduce the potential attack surface.
Authentication not required for rescue mode
Category: OS security
OS: Linux
Description
Verifies if authentication is required for rescue mode. Requiring authentication for rescue mode prevents unauthorized users from rebooting the system while in rescue mode, and gaining root privileges without credentials.
Recommendation
Ensure entering rescue mode requires authentication.
Authentication not required for single user mode
Category: OS security
OS: Linux
Description
Verifies if authentication is required for single user mode. Requiring authentication for single user mode prevents unauthorized users from rebooting the system while in single user mode, and gaining root privileges without credentials.
Recommendation
Ensure entering single user mode requires authentication.
Bootloader password is not set
Category: OS security
OS: Linux
Description
Verifies if there is a password set for the bootloader. Requiring a boot password will prevent unauthorized users from entering boot parameters or changing the boot partition.
Recommendation
Ensure bootloader password is set.
Duplicate group IDs
Category: OS security
OS: Linux
Description
Verifies if there are any duplicate group IDs (GIDs). User groups must be assigned unique GIDs to ensure appropriate access protection.
Recommendation
Ensure no duplicate group IDs are present in the /etc/group file.
Duplicate user IDs
Category: OS security
OS: Linux
Description
Verifies if there are any duplicate user IDs (UIDs). Users must be assigned unique UIDs to ensure appropriate access protection.
Recommendation
Ensure no duplicate user IDs are present in the /etc/passwd file.
Automatic updates disabled
Category: OS security
OS: Linux
Description
Verifies if the unattended-upgrades service is configured to install the latest security (and other) updates automatically.
Recommendation
If the unattended-upgrades service is installed, ensure it is configured to install updates automatically.
Sudo log file not configured
Category: OS security
OS: Linux
Description
Verifies if sudo has a custom log file configured. A sudo log file simplifies auditing of sudo commands.
Recommendation
Ensure custom log file is configured for sudo.
Address space layout randomization disabled
Category: OS security
OS: Linux
Description
Verifies if Address space layout randomization (ASLR) is configured. ASLR is an exploit mitigation technique that increases the difficulty of writing memory page exploits by randomly placing virtual memory regions.
Recommendation
Ensure Address space layout randomization (ASLR) is enabled.
Shadow group is not empty
Category: OS security
OS: Linux
Description
Verifies if the shadow group is empty. Shadow group grants system programs that require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group.
Recommendation
Ensure no users are granted read access to the /etc/shadow file.
Duplicate group names
Category: OS security
OS: Linux
Description
Verifies if there are any duplicated group names.
If a group is assigned a duplicate group name, any files it creates will be associated with the first encounter of the GID for that group in /etc/group. The duplicate group name will also have access to any existing files associated with the first encounter GID in /etc/group.
Recommendation
Ensure there are no duplicate group names present in /etc/group.
Duplicate user names
Category: OS security
OS: Linux
Description
Verifies if there are any duplicated user names.
If a user is assigned a duplicate user name, any files it creates will be associated with the first encounter of the UID for that user in /etc/passwd. The duplicate user name will also have access to any existing files associated with the first encounter UID in /etc/passwd.
Recommendation
Ensure there are no duplicate user names present in /etc/passwd.
User has a rhosts file
Category: OS security
OS: Linux
Description
Verifies if there are any users with a .rhosts file. Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, they may have been brought over from other systems and could contain information useful to an attacker for those other systems.
Recommendation
Ensure no .rhosts files are present in user home directories.
User has a netrc file
Category: OS security
OS: Linux
Description
Verifies if there are any users with a .netrc file. .netrc files may contain unencrypted passwords that can be used to attack other systems.
Recommendation
Ensure no .netrc files are present in user home directories.
User has a netrc file group / world accessible
Category: OS security
OS: Linux
Description
Verifies if there are group / world accessible .netrc files. .netrc files may contain unencrypted passwords that may be used to attack other systems.
Recommendation
Ensure there are group / world accessible .netrc files in user home directories.
passwd group not present in group file
Category: OS security
OS: Linux
Description
Verifies if all groups mentioned in the /etc/passwd file are also present in the /etc/group file. Groups that are defined in the /etc/passwd file but not in the /etc/group file pose a thread to system security since group permissions are not properly managed.
Recommendation
Ensure all groups defined in /etc/passwd have a declaration in /etc/group as well.
User with empty password
Category: OS security
OS: Linux
Description
Verifies if all accounts have a non-empty password field. All accounts must have passwords or be locked to prevent unauthorized access to that account.
Recommendation
Ensure all accounts have a password.
Sensitive local login banner message
Category: OS security
OS: Linux
Description
Verifies if the contents of the /etc/issue file are displaying information about the OS release and patch level.
Recommendation
Ensure the content of the /etc/issue file does not include OS release and patch level.
Sensitive remote login banner message
Category: OS security
OS: Linux
Description
Verifies if the contents of the /etc/issue.net file are displaying information about OS release and patch level.
Recommendation
Ensure the content of the /etc/issue.net file does not include OS release and patch level.
Sensitive motd message
Category: OS security
OS: Linux
Description
Verifies if the contents of the /etc/motd file are displaying information about OS release and patch level.
Recommendation
Ensure the content of the /etc/motd file does not include OS release and patch level.
Sensitive gdm login banner message
Category: OS security
OS: Linux
Description
Verifies if the contents of the /etc/gdm3/greeter.dconf-defaults specify that the banner message is enabled and the banner contains information about OS release and patch level.
Recommendation
Ensure the content of the /etc/gdm3/greeter.dconf-defaults config banner does not include OS release and patch level.
User with .forward file in home directory
Category: OS security
OS: Linux
Description
The purpose of a .forward file is to automatically forward mail as it is received to all included addresses, which may pose a risk as sensitive data can be transferred outside the organization.
Recommendation
Ensure no users have a .forward file in their home directory.
User does not own their home directory
Category: OS security
OS: Linux
Description
Verifies if there is any user who does not own his home directory. Since the user is accountable for files stored in his home directory, he must be the owner of the directory.
Recommendation
Ensure every user owns his home directory.
User dot files with wrong permissions
Category: OS security
OS: Linux
Description
Verifies if there is any user who has dot files with wrong permissions. If a user's dot files are group or world-writable, this may enable a malicious user to steal/modify his data or to gain system privileges.
Recommendation
Ensure every user's dot files are not group or world-writable.
User home directory exists
Category: OS security
OS: Linux
Description
Verifies if there is any user with missing home directory. If a user's home directory doesn't exist, it will be placed in '/', and may not be able to write any files.
Recommendation
Ensure every user has a home directory.
Root PATH integrity
Category: OS security
OS: Linux
Description
Because the root user can execute any command on the system, including the current working directory (.) or a group/other writable directory in root's PATH, it creates the possibility for an attacker to gain superuser access.
Recommendation
Ensure the root's executable path does not contain . or any files with group or other write permissions.
Non-root user with UID 0
Category: OS security
OS: Linux
Description
Verifies if any user except root has the UID set to 0
. Any account with UID 0
has superuser privileges on the system.
Recommendation
Ensure root is the only user with UID set to 0
.
Legacy '+' entries in /etc/passwd
Category: OS security
OS: Linux
Description
Verifies if any entries beginning with '+' exist in /etc/passwd. '+' entries were used as markers to insert data from NIS maps, but are no longer required. This may provide attackers a way to gain access.
Recommendation
Ensure no legacy '+' entries exist in /etc/passwd.
Legacy '+' entries in /etc/shadow
Category: OS security
OS: Linux
Description
Verifies if any entries beginning with '+' exist in /etc/shadow. '+' entries were used as markers to insert data from NIS maps, but are no longer required. This may provide attackers a way to gain access.
Recommendation
Ensure no legacy '+' entries exist in /etc/shadow.
Legacy '+' entries in /etc/group
Category: OS security
OS: Linux
Description
Verifies if any entries beginning with '+' exist in /etc/group. '+' entries were used as markers to insert data from NIS maps, but are no longer required. This may provide attackers a way to gain access.
Recommendation
Ensure no legacy '+' entries exist in /etc/group.
Incorrect permissions on /etc/ssh/sshd_config
Category: OS security
OS: Linux
Description
Verifies permissions on the /etc/ssh/sshd_config file. This file needs to be protected from unauthorized changes.
Recommendation
Ensure the /etc/ssh/sshd_config file has the UID and GID set to 0
(root), and does not grant any permissions to group or other users.
Incorrect permissions on SSH private host keys
Category: OS security
OS: Linux
Description
Verifies permissions on all SSH private keys. A SSH private key is a proof of identity.
If an unauthorized user obtains the private key, the owner could be impersonated.
Recommendation
Ensure all SSH private keys have UID and GID set to 0
(root) and do not give any permissions to group or other users.
Incorrect permissions on SSH public host keys
Category: OS security
OS: Linux
Description
Verifies permissions on all SSH public keys. A public key is a key that can be used to verify digital signatures generated using a corresponding private key.
If the public key is modified by and unauthorized user, the SSH service may be compromised
Recommendation
Ensure all SSH public keys have UID and GID set to 0
(root) and do not give any permissions to group or other users.
SSH log level is appropriate
Category: OS security
OS: Linux
Description
Verifies that LogLevel is not set to debug in /etc/ssh/sshd_config, as it provides too much information that can be used by an attacker.
Recommendation
Ensure SSH log level is not set to debug.
SSH X11 forwarding is enabled
Category: OS security
OS: Linux
Description
Verifies that X11Forwarding in /etc/ssh/sshd_config is disabled. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server.
Recommendation
Ensure SSH X11 forwarding is disabled.
SSH IgnoreRhosts is disabled
Category: OS security
OS: Linux
Description
Verifies that IgnoreRhosts in /etc/ssh/sshd_config is set to yes. Setting this parameter forces users to enter a password when authenticating with SSH.
Recommendation
Ensure SSH IgnoreRhosts is enabled.
SSH PermitUserEnvironment is enabled
Category: OS security
OS: Linux
Description
Verifies that PermitUserEnvironment in /etc/ssh/sshd_config is disabled. This options allows users to present environment options to the SSH daemon and could potentially allow users to bypass security controls.
Recommendation
Ensure SSH PermitUserEnvironment is disabled.
SSH uses weak ciphers
Category: OS security
OS: Linux
Description
Verifies that Ciphers in /etc/ssh/sshd_config does not contain any weak ciphers.
Recommendation
Ensure only strong Ciphers are being used.
SSH uses weak MAC algorithms
Category: OS security
OS: Linux
Description
Verifies that MACs in /etc/ssh/sshd_config does not contain any weak MAC algorithms.
Recommendation
Ensure only strong MAC algorithms are being used.
SSH uses weak key exchange algorithms
Category: OS security
OS: Linux
Description
Verifies that KexAlgorithms in /etc/ssh/sshd_config does not contain any weak key exchange algorithms.
Recommendation
Ensure only strong key exchange algorithms are being used.
SSH access is not limited
Category: OS security
OS: Linux
Description
Verifies that at least one option limiting which users and groups can access the system (AllowUsers, AllowGroups, DenyUsers, DenyGroups) is being used. Restricting which users can access the system via SSH will help ensure that only authorized users access the system.
Recommendation
Ensure SSH access is limited.
SSH warning banner is not configured
Category: OS security
OS: Linux
Description
Verifies that Banner in /etc/ssh/sshd_config is set. Banners are used to warn connecting users of the site's particular policy regarding connection.
Recommendation
Ensure SSH warning banner is configured.
SSH UsePam is disabled
Category: OS security
OS: Linux
Description
Verifies that UsePam in /etc/ssh/sshd_config is enabled. When UsePam is enabled, the Pluggable Authentication Modules (PAM) service runs through account and session types properly.
This is important if you want to restrict access to services based off IP.
Recommendation
Ensure SSH PAM is enabled.
SSH AllowTcpForwarding is enabled
Category: OS security
OS: Linux
Description
Verifies that AllowTcpForwarding in /etc/ssh/sshd_config is disabled. Leaving port forwarding enabled can expose the organization to security risks and back-doors.
Recommendation
Ensure SSH AllowTcpForwarding is disabled.
SSH MaxAuthTries is not properly configured
Category: OS security
OS: Linux
Description
Verifies that MaxAuthTries in /etc/ssh/sshd_config is set to 4 or less. Setting MaxAuthTries to a low number will minimize the risk of a successful brute force attack to the SSH server.
Recommendation
Ensure SSH MaxAuthTries option is configured to support up to 4 retries.
SSH LoginGraceTime is not properly configured
Category: OS security
OS: Linux
Description
Verifies that LoginGraceTime in /etc/ssh/sshd_config is set to 1 minute or less. Setting LoginGraceTime to a low number will minimize the risk of a successful brute force attack to the SSH server.
Recommendation
Ensure SSH LoginGraceTime option is configured to wait up to 1 minute.
SSH MaxSessions is not properly configured
Category: OS security
OS: Linux
Description
Verifies that MaxSessions in /etc/ssh/sshd_config is set to 4 or less. Setting MaxSessions to a low number will minimize the risk of overwhelming the SSH daemon.
Recommendation
Ensure SSH MaxSessions option is configure to keep up to 4 sessions.
SSH MaxStartups is not configured
Category: OS security
OS: Linux
Description
Verifies that MaxStartups in /etc/ssh/sshd_config is set to 10:30:60. This parameter specifies the maximum number of concurrent unauthenticated connections to the SSH daemon.
Recommendation
Ensure SSH MaxStartups option is properly configured.
Mounting cramfs filesystems is enabled
Category: OS security
OS: Linux
Description
Verifies that the mounting of cramfs filesystems is disabled. Removing support for unneeded filesystem types reduces the local attack surface of the server.
Recommendation
Ensure mounting of cramfs filesystem is disabled if not used.
Mounting freevxfs filesystems is enabled
Category: OS security
OS: Linux
Description
Verifies that the mounting of freevxfs filesystems is disabled. Removing support for unneeded filesystem types reduces the local attack surface of the server.
Recommendation
Ensure mounting of freevxfs filesystem is disabled if not used.
Mounting jffs2 filesystems is enabled
Category: OS security
OS: Linux
Description
Verifies that the mounting of jffs2 filesystems is disabled. Removing support for unneeded filesystem types reduces the local attack surface of the server.
Recommendation
Ensure mounting of jffs2 filesystem is disabled if not used.
Mounting hfs filesystems is enabled
Category: OS security
OS: Linux
Description
Verifies that the mounting of hfs filesystems is disabled. Removing support for unneeded filesystem types reduces the local attack surface of the server.
Recommendation
Ensure mounting of hfs filesystem is disabled if not used.
Mounting hfsplus filesystems is enabled
Category: OS security
OS: Linux
Description
Verifies that the mounting of hfsplus filesystems is disabled. Removing support for unneeded filesystem types reduces the local attack surface of the server.
Recommendation
Ensure mounting of hfsplus filesystem is disabled if not used.
Mounting squashfs filesystems is enabled
Category: OS security
OS: Linux
Description
Verifies that the mounting of squashfs filesystems is disabled. Removing support for unneeded filesystem types reduces the local attack surface of the server.
Recommendation
Ensure mounting of squashfs filesystem is disabled if not used.
Mounting udf filesystems is enabled
Category: OS security
OS: Linux
Description
Verifies that the mounting of udf filesystems is disabled. Removing support for unneeded filesystem types reduces the local attack surface of the server.
Recommendation
Ensure mounting of udf filesystem is disabled if not used.
No separate partition for /tmp directory
Category: OS security
OS: Linux
Description
Verifies that /tmp is a filesystem by either mounting tmpfs or a separate partition to /tmp. Making /tmp its own file system allows an administrator to set the noexec option on the mount, rendering /tmp useless in case an attacker attempts to install executable code.
Recommendation
Ensure /tmp is a mountpoint.
nodev option is not set on /tmp partition
Category: OS security
OS: Linux
Description
Verifies that nodev option is set on the /tmp partition. This option ensures that users cannot attempt to create block or character-special devices in /tmp.
Recommendation
Ensure nodev option is set on the /tmp partition.
nosuid option is not set on /tmp partition
Category: OS security
OS: Linux
Description
Verifies that nosuid option is set on the /tmp partition. Since /tmp filesystem is only intended for temporary file storage, this option ensures that users cannot attempt to create setuid files.
Recommendation
Ensure nosuid option is set on the /tmp partition.
noexec option is not set on /tmp partition
Category: OS security
OS: Linux
Description
Verifies that noexec option is set on the /tmp partition. Since /tmp filesystem is only intended for temporary file storage, this option ensures that users cannot attempt to run executable binaries from /tmp.
Recommendation
Ensure noexec option is set on the /tmp partition.
No separate partition for /var folder
Category: OS security
OS: Linux
Description
Verifies the existence of a separate partition for /var. /var may contain word-writable files and directories, thus raising the risk of resource exhaustion if not bound to a separate partition.
Recommendation
Ensure a separate partition is in place for /var.
No separate partition for /var/tmp directory
Category: OS security
OS: Linux
Description
Verifies the existence of a separate partition for /var/tmp. /var/tmp may contain word-writable files and directories, thus raising the risk of resource exhaustion if not bound to a separate partition. This also allows to set the nodev, nosuid, noexec options to prevent more vulnerabilities.
Recommendation
Ensure a separate partition is in place for /var/tmp.
nodev option is not set on /var/tmp partition
Category: OS security
OS: Linux
Description
Verifies that nodev option is set on the /var/tmp partition. This option ensures that users cannot attempt to create block or character special devices in /var/tmp.
Recommendation
Ensure the nodev option is set on the /var/tmp partition.
nosuid option is not set on /var/tmp partition
Category: OS security
OS: Linux
Description
Verifies that nosuid option is set on the /var/tmp partition. Since /var/tmp filesystem is only intended for temporary file storage, this option ensures that users cannot attempt to create setuid files.
Recommendation
Ensure the nosuid option is set on the /var/tmp partition.
noexec option is not set on /var/tmp partition
Category: OS security
OS: Linux
Description
Verifies that noexec option is set on the /var/tmp partition. Since /var/tmp filesystem is only intended for temporary file storage, this option ensures that users cannot attempt to run executable binaries from /var/tmp.
Recommendation
Ensure the noexec option is set on the /var/tmp partition.
No separate partition for /var/log directory
Category: OS security
OS: Linux
Description
Verifies the existence of a separate partition for the /var/log directory. /var/log should be on a separate partition to prevent resource exhaustion and protect audit data.
Recommendation
Ensure a separate partition is in place for /var/log.
No separate partition for /var/log/audit directory
Category: OS security
OS: Linux
Description
Verifies the existence of a separate partition for /var/log/audit. /var/log/audit should be on a separate partition to prevent resource exhaustion and protect audit data.
Recommendation
Ensure a separate partition is in place for /var/log/audit.
No separate partition for /home directory
Category: OS security
OS: Linux
Description
Verifies the existence of a separate partition for /home. This protects against resource exhaustion and can restrict the type of files that can be stored under /home.
Recommendation
Ensure a separate partition is in place for /home.
nodev option is not set on /home partition
Category: OS security
OS: Linux
Description
Verifies that the nodev option is set on the /home partition. This option ensures that users cannot attempt to create block or character special devices in /home.
Recommendation
Ensure the nodev option is set on /home partition.
nodev option is not set on /dev/shm partition
Category: OS security
OS: Linux
Description
Verifies that the nodev option is set on the /dev/shm partition. This option ensures that users cannot attempt to create block or character special devices in /dev/shm.
Recommendation
Ensure the nodev option is set on the /dev/shm partition.
nosuid option is not set on /dev/shm partition
Category: OS security
OS: Linux
Description
Verifies that the nosuid option is set on the /dev/shm partition. Since /dev/shm filesystem is only intended for temporary file storage, this option ensures that users cannot attempt to create setuid files.
Recommendation
Ensure the nosuid option is set on the /dev/shm partition.
noexec option is not set on /dev/shm partition
Category: OS security
OS: Linux
Description
Verifies that the noexec option is set on the /dev/shm partition. Since /dev/shm filesystem is only intended for temporary file storage, this option ensures that users cannot attempt to run executable binaries from /dev/shm.
Recommendation
Ensure the noexec option is set on the /dev/shm partition.
USB Storage is enabled
Category: OS security
OS: Linux
Description
Verifies that usb-storage is disabled. Restricting USB access on the system will decrease the physical attack surface for a device.
Recommendation
Ensure USB Storage is disabled if not used.
Automounting is enabled
Category: OS security
OS: Linux
Description
Verifies that autofs is disabled. autofs allows automounting of devices.
With automounting enabled, anyone with physical access can attach a device and have its contents available in the system even if they lack permissions to mount it.
Recommendation
Ensure Automounting is disabled.
SSH protocol version should be set to 2
Category: OS security
OS: Linux
Description
Verifies that Protocol in /etc/ssh/sshd_config is set to 2. SSH v1 suffers from insecurities that do not affect SSH v2.
Recommendation
Ensure SSH Protocol is set to 2.
MongoDB authentication is not configured
Category: OS security
OS: Linux
Description
Verifies that authorization in /etc/mongod.conf is enabled. This ensures that all clients, users, servers are required to authenticate before being granted access to the MongoDB database.
Recommendation
Ensure MongoDB authentication is configured.
MongoDB allows authentication bypass via localhost exception
Category: OS security
OS: Linux
Description
Verifies that enableLocalhostAuthBypass in /etc/mongod.conf is set to false. This will prevent unauthorized local access to the MongoDB database and ensure traceability of each database activity to a specific user.
Recommendation
Ensure that MongoDB does not bypass authentication via the localhost exception.
MongoDB authentication is not enabled in the sharded cluster
Category: OS security
OS: Linux
Description
Verifies that certificateKeyFile, CAFile and clusterFile in /etc/mongod.conf are configured, and that clusterAuthMode is set to x509
. Enforcing a key or certificate on a sharded cluster prevents unauthorized access to the MongoDB database and provides traceability of database activities to a specific user or component.
Recommendation
Ensure MongoDB authentication is enabled in the sharded cluster.
MongoDB listens on all interfaces
Category: OS security
OS: Linux
Description
Verifies that bindIp in /etc/mongod.conf is configured. This configuration blocks connections from untrusted networks (not included in bindIp values), leaving only systems on authorized and trusted networks able to attempt to connect to the MongoDB.
Recommendation
Ensure MongoDB only listens for network connections on authorized interfaces.
MongoDB does not use TLS
Category: OS security
OS: Linux
Description
Verifies that mode (under tls) in /etc/mongod.conf is set to 'requireTLS'. This prevents sniffing of cleartext traffic between MongoDB components or performing a man-in-the-middle attack for MongoDB.
Recommendation
Ensure Encryption of Data in Transit TLS.
xinetd is enabled
Category: OS security
OS: Linux
Description
The eXtended InterNET Daemon (xinetd) is an open source super daemon that replaced the original inetd daemon. If there are no xinetd services required, we recommend you disable the daemon.
Recommendation
Ensure xinetd.service is not enabled in systemd.
chargen services are enabled
Category: OS security
OS: Linux
Description
daytime is a network service that responds with the server's current date and time. This service is intended for debugging and testing purposes. We recommend you keep this service disabled.
Recommendation
Ensure daytime is disabled in /etc/inetd.* and /etc/xinetd.*.
daytime services are enabled
Category: OS security
OS: Linux
Description
daytime is a network service that responds with the server's current date and time. This service is intended for debugging and testing purposes. We recommend you keep this service disabled.
Recommendation
Ensure daytime is disabled in /etc/inetd.* and /etc/xinetd.*.
discard services are enabled
Category: OS security
OS: Linux
Description
discard is a network service that simply discards all data it receives. This service is intended for debugging and testing purposes. We recommend you keep this service disabled.
Recommendation
Ensure discard is disabled in /etc/inetd.* and /etc/xinetd.*.
echo services are enabled
Category: OS security
OS: Linux
Description
echo is a network service that responds to clients with the data sent to it by the client. This service is intended for debugging and testing purposes. We recommend you keep this service disabled.
Recommendation
Ensure echo is disabled in /etc/inetd.* and /etc/xinetd.*.
time services are enabled
Category: OS security
OS: Linux
Description
time is a network service that responds with the server's current date and time as a 32-bit integer. This service is intended for debugging and testing purposes. We recommend you keep this service disabled.
Recommendation
Ensure time is disabled in /etc/inetd.* and /etc/xinetd.*.
Berkley rsh-server services are enabled
Category: Network and credentials
OS: Linux
Description
The Berkeley rsh-server (rsh , rlogin, rexec) package contains legacy services that exchange clear-text credentials. These legacy services contain numerous security exposures and have been replaced with the more secure SSH package.
Recommendation
Ensure the shell, login, exec services are disabled in /etc/inetd.* and /etc/xinetd.*.
talk server is enabled
Category: Network and credentials
OS: Linux
Description
The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initiate of talk sessions) is installed by default. The software presents a security risk as it uses unencrypted protocols for communication.
Recommendation
Ensure talk and ntalk are disabled in /etc/inetd.* and /etc/xinetd.*.
telnet server is enabled
Category: Network and credentials
OS: Linux
Description
The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security.
Recommendation
Ensure telnetis disabled in /etc/inetd.* and /etc/xinetd.*.
TFTP server is enabled
Category: Network and credentials
OS: Linux
Description
The TFTP server does not support authentication nor does it ensure the confidentiality or integrity of data. We recommend you remove TFTP unless there is a specific need for it, in which case, extreme caution must be used when configuring the services.
Recommendation
Ensure tftp is disabled in /etc/inetd.* and /etc/xinetd.*.
CUPS is disabled
Category: Network and credentials
OS: Linux
Description
The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. If the system does not need to print jobs or accept print jobs from other systems, we recommend you remove CUPS to reduce the potential attack surface.
Recommendation
Ensure cups is disabled in systemd.
DHCP server is enabled
Category: Network and credentials
OS: Linux
Description
The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses. Unless a system is specifically set up to act as a DHCP server, we recommend you disable this service to reduce the potential attack surface.
Recommendation
Ensure dhcpd and isc-dhcp-server are disabled in systemd.
LDAP server is enabled
Category: Network and credentials
OS: Linux
Description
The Lightweight Directory Access Protocol (LDAP) is a service that provides a method for looking up information from a central database. If the system will not need to act as an LDAP server, we recommend you disable this service to reduce the potential attack surface.
Recommendation
Ensure slapd is disabled in systemd.
NFS is enabled
Category: Network and credentials
OS: Linux
Description
The Network File System (NFS) provides the ability for systems to mount file systems of other servers through the network. If the system does not export NFS shares or act as an NFS client, we recommend you disable this service to reduce the remote attack surface.
Recommendation
Ensure nfs-server is disabled in systemd.
RPC is enabled
Category: Network and credentials
OS: Linux
Description
Remote Procedure Call (RPC) is a method for creating low level client server applications across different system architectures. If RPC is not required, we recommend you disable this service to reduce the remote attack surface.
Recommendation
Ensure rpcbind is disabled in systemd.
DNS Server is enabled
Category: Network and credentials
OS: Linux
Description
The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network. Unless a system is specifically designated to act as a DNS server, we recommend you disable the service to reduce the potential attack surface.
Recommendation
Ensure named and bind9 are disabled in systemd.
HTTP Server is enabled
Category: Network and credentials
OS: Linux
Description
HTTP or web servers provide the ability to host web site content. Unless there is a need to run the system as a web server, we recommend you disable the service to reduce the potential attack surface.
Recommendation
Ensure httpd and apache2 are disabled in systemd.
IMAP and POP3 Servers are enabled
Category: Network and credentials
OS: Linux
Description
Unless POP3 and/or IMAP servers are to be provided by the operating system, we recommend you disable the service to reduce the potential attack surface.
Recommendation
Ensure dovecot is disabled in systemd.
NIS Server is enabled
Category: Network and credentials
OS: Linux
Description
The NIS server is a collection of programs that allow the distribution of configuration files. The NIS service is inherently an insecure system that has been vulnerable to DOS attacks. We recommend you remove this service and use other, more secure services.
Recommendation
Ensure nis, ypserv are disabled in systemd.
IP Forwarding is enabled
Category: Network and credentials
OS: Linux
Description
Thenet.ipv4.ip_forward and net.ipv6.conf.all.forwarding flags are used to tell the system whether it can forward packets or not. Setting the flags to 0
ensures that a system with multiple interfaces (for example, a hard proxy) will never be able to forward packets, and consequently, never serve as a router.
Recommendation
Ensure the net.ipv4.ip and net.ipv6.conf.all.forwarding flags are set to false
.
Packet redirect sending is enabled
Category: Network and credentials
OS: Linux
Description
An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker, as opposed to a valid system.
Recommendation
Ensure the net.ipv4.conf.all.send_redirects and net.ipv4.conf.default.send_redirects flags are set to false
.
Source-routed packets are accepted
Category: Network and credentials
OS: Linux
Description
In networking, source routing allows a sender to partially or fully specify the route packets take through a network. If source-routed packets were allowed, they can be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that do not allow this routing.
Recommendation
Ensure the net.ipv4.conf.all.accept_source_route, net.ipv4.conf.default.accept_source_route, net.ipv6.conf.all.accept_source_route and net.ipv6.conf.default.accept_source_route flags are disabled.
ICMP redirects are accepted
Category: Network and credentials
OS: Linux
Description
Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured.
Recommendation
Ensure the net.ipv4.conf.all.accept_redirects and net.ipv6.conf.all.accept_redirects flags are disabled.
Secure ICMP redirects are accepted
Category: Network and credentials
OS: Linux
Description
Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure. Nevertheless, it is still possible even for known gateways to be compromised.
Recommendation
Ensure the net.ipv4.conf.all.secure_redirects flag is disabled.
Make sure suspicious martians packets are logged
Category: Network and credentials
OS: Linux
Description
Enabling the logging of suspicious martian packets allows an administrator to investigate if an attacker is sending spoofed packets to their system.
Recommendation
Ensure the net.ipv4.conf.all.log_martians and net.ipv4.conf.default.log_martians flags are set to true
.
Broadcast ICMP requests are not ignored
Category: Network and credentials
OS: Linux
Description
Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack.
Recommendation
Ensure the net.ipv4.icmp_echo_ignore_broadcasts flag is set to true
.
Bogus ICMP responses are not ignored
Category: Network and credentials
OS: Linux
Description
Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages.
Recommendation
Ensure the icmp_ignore_bogus_error_responses flag is enabled.
Reverse Path Filtering is disabled
Category: Network and credentials
OS: Linux
Description
Reverse Path Filtering is a method used by the Linux Kernel to help prevent attacks used by Spoofing IP Addresses. Enabling Reverse Path Filtering is a good way to deter attackers from sending your system bogus packets that cannot be responded to.
Recommendation
Ensure net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter are set to 1
.
TCP SYN Cookies is disabled
Category: Network and credentials
OS: Linux
Description
Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending multiple SYN packets without completing the three-way handshake.
Recommendation
Ensure net.ipv4.tcp_syncookies is set to 1
.
IPv6 router advertisements are accepted
Category: Network and credentials
OS: Linux
Description
We recommend you set up systems to not accept router advertisements, as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes.
Recommendation
Ensure the net.ipv6.conf.all.accept_ra and net.ipv6.conf.default.accept_ra flags are disabled.
Permissions on /etc/hosts.allow are not configured
Category: OS security
OS: Linux
Description
It is critical to ensure that the /etc/hosts.allow file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions.
Recommendation
Ensure /etc/hosts.allow is owned by root and has permission 644.
Permissions on /etc/hosts.deny are not configured
Category: OS security
OS: Linux
Description
It is critical to ensure that the /etc/hosts.deny file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions.
Recommendation
Ensure /etc/hosts.deny is owned by root and has permission 644.
DCCP is enabled
Category: Network and credentials
OS: Linux
Description
The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. If the protocol is not required, we recommend you to not install these drivers, to reduce the potential attack surface.
Recommendation
Ensure the dccp module is not loaded.
SCTP is enabled
Category: Network and credentials
OS: Linux
Description
The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. If the protocol is not being used, it is recommended that kernel module not be loaded, thus disabling the service to reduce the potential attack surface.
Recommendation
Ensure the sctp module is not loaded.
RDS is enabled
Category: Network and credentials
OS: Linux
Description
The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. If the protocol is not being used, it is recommended that kernel module not be loaded, thus disabling the service to reduce the potential attack surface.
Recommendation
Ensure the rds module is not loaded.
TIPC is enabled
Category: OS security
OS: Linux
Description
The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes. If the protocol is not being used, it is recommended that kernel module not be loaded, thus disabling the service to reduce the potential attack surface.
Recommendation
Ensure the tipc module is not loaded.
iptables is not installed
Category: OS security
OS: Linux
Description
iptables allows configuration of the IPv4 and IPv6 tables in the Linux kernel and the rules stored within them. Most firewall configuration utilities operate as a front end to iptables.
Recommendation
Ensure the iptables package is installed.
IPv6 default deny firewall policy is not enforced
Category: OS security
OS: Linux
Description
A default deny all policy on connections ensures that any unconfigured network usage will be rejected. With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to whitelist acceptable usage than to black list unacceptable usage.
Recommendation
In case IPv6 is enabled, verify that the policy for the INPUT, OUTPUT, and FORWARD chains is set to DROP
or REJECT
in ip6tables.
IPv6 loopback traffic is not configured
Category: OS security
OS: Linux
Description
Loopback traffic is generated between processes on machine and is typically critical to system operation. The loopback interface is the only place that loopback network (::1) traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure.
Recommendation
In case IPv6 is enabled, make sure the loopback interface accepts traffic. Ensure all other interfaces deny traffic to the loopback network (::1).
Default deny firewall policy is not enforced
Category: OS security
OS: Linux
Description
A default deny all policy on connections ensures that any unconfigured network usage will be rejected. With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage.
Recommendation
Verify that the policy for the INPUT, OUTPUT, and FORWARD chains is set to DROP
or REJECT
in ip6tables.
Loopback traffic is not configured
Category: OS security
OS: Linux
Description
Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (127.0.0.0/8) traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure.
Recommendation
Make sure the loopback interface accepts traffic. Ensure all other interfaces deny traffic to the loopback network (127.0.0.0/8).
AIDE is not installed
Category: OS security
OS: Linux
Description
AIDE takes a snapshot of filesystem state including modification times, permissions, and file hashes which can then be used to compare against the current state of the filesystem to detect modifications to the system. By monitoring the filesystem state compromised files can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries.
Recommendation
Ensure the AIDE package is installed.
Filesystem integrity is not checked regularly
Category: OS security
OS: Linux
Description
Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion.
Recommendation
Ensure aidcheck.service and aidcheck.timer are enabled in systemctl, or that a cron job is scheduled to run aide check.
prelink is enabled
Category: OS security
OS: Linux
Description
prelink is a program that modifies ELF shared libraries and ELF dynamically linked binaries in such a way that the time needed for the dynamic linker to perform relocations at startup significantly decreases. Prelinking can increase the vulnerability of the system if a malicious user is able to compromise a common library such as libc.
Recommendation
Ensure the prelink package is not installed.
Core dumps are allowed
Category: OS security
OS: Linux
Description
A core dump is the memory of an executable program. It is generally used to determine why a program was aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user.
Recommendation
Ensure that /etc/security/limits.* has the core limit set to 0
, the fs.suid_dumpable flag is set to false
in /etc/sysctl.*, Storage is none
and ProcessSizeMax is 0
in /etc/systemd/coredump.conf.
SELinux or AppArmor are not installed
Category: OS security
OS: Linux
Description
SELinux and AppArmor provide Mandatory Access Controls. Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available.
Recommendation
Ensure that at least one of the apparmor, libselinux, or libselinux1 packages is installed.
All AppArmor Profiles are not enforced
Category: OS security
OS: Linux
Description
AppArmor profiles define what resources applications are able to access.
Recommendation
Verifies all profiles are set to enforce mode.
AppArmor is disabled in bootloader configuration
Category: OS security
OS: Linux
Description
AppArmor must be enabled at boot time in your bootloader configuration to ensure that the controls it provides are not overridden.
Recommendation
Ensure that /boot/grub/grub.cfg has the flags linux.apparmor set to 1
and linux.security set to apparmor
. Check if /etc/default/grub has apparmor = 1
and security = apparmor
.
rsh client is installed
Category: OS security
OS: Linux
Description
The rsh package contains the client commands for the rsh services. These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package.
Recommendation
Ensure the rsh and rsh-client packages are not installed.
NIS client is installed
Category: OS security
OS: Linux
Description
The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed.
Recommendation
Ensure the nis and ypbind packages are not installed.
talk client is installed
Category: OS security
OS: Linux
Description
The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client, which allows initialization of talk sessions, is installed by default. The software presents a security risk as it uses unencrypted protocols for communication.
Recommendation
Ensure the talk package is not installed.
telnet client is installed
Category: OS security
OS: Linux
Description
The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions
Recommendation
Ensure the telnet package is not installed.
LDAP client is installed
Category: OS security
OS: Linux
Description
The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database. If the system will not need to act as an LDAP client, we recommend you remove the software to reduce the potential attack surface.
Recommendation
Ensure the ldap, ldap-utils, openldap-clients, openldap2-client, libpam-ldap, and libnss-ldap packages are not installed.
auditd is not installed
Category: OS security
OS: Linux
Description
The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring.
Recommendation
Ensure the auditd and auditd-plugins packages are installed.
auditd service is disabled
Category: OS security
OS: Linux
Description
The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring.
Recommendation
Ensure auditd is enabled in systemctl.
Auditing for processes that start before auditd is disabled
Category: OS security
OS: Linux
Description
Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected.
Recommendation
Verify grub is configured so that processes that are capable of being audited can be audited even if they start up prior to auditd startup by the audit = 1
flag in /boot/grub/grub.cfg.
audit_backlog_limit is not sufficient
Category: OS security
OS: Linux
Description
During boot, if audit = 1
, the backlog will hold 64 records. If more than 64 records are created during boot, auditd records will be lost and potential malicious activity could go undetected.
Recommendation
Ensure the audit_backlog_limit is set higher than 8192
in /boot/grub/grub.cfg.
Audit log storage size is not configured
Category: OS security
OS: Linux
Description
It is important that an appropriate size is determined for log files so that they do not impact the system, and audit data is not lost.
Recommendation
Configure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started.
Audit logs are automatically deleted
Category: OS security
OS: Linux
Description
In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history.
Recommendation
Ensure that max_log_file_action = keep_logs
in /etc/audit/auditd.conf.
System is not disabled when audit logs are full
Category: OS security
OS: Linux
Description
In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability.
Recommendation
Ensure the auditd daemon is configured to halt the system when the audit logs are full.
Date and time altering events are not collected
Category: OS security
OS: Linux
Description
Unexpected changes in system date and/or time could be a sign of malicious activity on the system.
Recommendation
Ensure that adjtimex, settimeofday, clock_settime, and stime syscalls write an audit record to /var/log/audit.log, tagged with time-change
.
User/group altering events are not collected
Category: OS security
OS: Linux
Description
Unexpected changes to group, passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd can be an indicator that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.
Recommendation
Ensure that /etc/audit/rules.d/ is configured to record changes to group, passwd, shadow, gshadow and /etc/security/password.
System network environment altering events are not collected
Category: OS security
OS: Linux
Description
Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domain name of a system. Changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder.
Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised.
All audit records will be tagged with the identifier system-locale
.
Recommendation
Ensure that /etc/audit/rules.d/ is configured to record changes to sethostname, setdomainname, /etc/issue, /etc/issue.net, /etc/hosts and /etc/network.
System Mandatory Access Controls altering events are collected
Category: OS security
OS: Linux
Description
Changes to /etc/apparmor and /etc/apparmor.d directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system.
Recommendation
Ensure that /etc/audit/rules.d/ is configured to record changes to /etc/apparmor and /etc/apparmor.d.
Login and logout events are not collected
Category: OS security
OS: Linux
Description
Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.
Recommendation
Ensure that /etc/audit/rules.d/ is configured to record changes to /var/log/faillog, /var/log/lastlog, and /var/log/tallylog.
Session initiation information is not collected
Category: OS security
OS: Linux
Description
Monitoring /var/run/utmp, /var/log/wtmp, /var/log/btmp files for changes could alert a system administrator of logins occurring at unusual hours, which can indicate intruder activity (i.e. a user logging in at a time when they do not normally log in).
Recommendation
Ensure that /etc/audit/rules.d/ is configured to record changes to /var/run/utmp, /var/log/wtmp, and /var/log/btmp.
Discretionary access control permission altering events are not collected
Category: OS security
OS: Linux
Description
Monitoring for changes in file attributes could alert a system administrator to activity that can indicate intruder activity or policy violation.
Recommendation
Ensures all system calls that modify file owners, permissions or extended attributes are recorded by rules in /etc/audit/rules.d.
Unsuccessful unauthorized file access attempts are not collected
Category: OS security
OS: Linux
Description
Failed attempts to open, create or truncate files could be an indicator that an individual or process is trying to gain unauthorized access to the system.
Recommendation
Verify that all creat, open, openat, truncate, and ftruncate syscalls are recorded by correctly configuring /etc/audit/rules.d.
Successful file system mounts are not collected
Category: OS security
OS: Linux
Description
Tracking mount commands can help track potentially malicious data export to external media.
Recommendation
Verify that all mount and umount syscalls are recorded by correctly configuring /etc/audit/rules.d.
File deletion events by users are not collected
Category: OS security
OS: Linux
Description
Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators may want to look for specific privileged files that are being deleted or altered.
Recommendation
Verify that all unlink, unlinkat, rename, renameat syscalls are recorded by correctly configuring /etc/audit/rules.d.
Changes to system administration scope (sudoers) are not collected
Category: OS security
OS: Linux
Description
Audit rules should be in place to monitor scope changes, when an administrator logs in to use sudo.
Recommendation
Ensure that audit rules include collecting scope changes.
Changes to system administrator command executions (sudo) are not collected
Category: OS security
OS: Linux
Description
Audit rules should be in place to monitor an administrator with temporary elevated privileges, while using sudo, and the operation(s) they are performing.
Recommendation
Ensure that audit rules include collecting sudo activity.
Ensure kernel module loading and unloading is collected
Category: OS security
OS: Linux
Description
Verifies that Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of modules.
Recommendation
Ensure audit rules include collecting kernel module loading and unloading activity.
Audit configuration is not immutable
Category: OS security
OS: Linux
Description
Audit rules would be in immutable mode, so they cannot be modified using auditctl. While in immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity, and then set the audit rules back.
Recommendation
Ensure that audit rules cannot be changed without performing a system reboot.
rsyslog is not installed
Category: OS security
OS: Linux
Description
The rsyslog software should be installed. rsyslog is a recommended replacement to the original syslogd daemon, providing overall improvements over syslogd.
Recommendation
Ensure that rsyslog is installed.
The rsyslog service is disabled
Category: OS security
OS: Linux
Description
The rsyslog service would be activated. If the rsyslog service is not activated the system may instead default to the syslogd service, or lack logging.
Recommendation
Ensure the rsyslog service is enabled.
The rsyslog default file permission is configured
Category: OS security
OS: Linux
Description
Logfiles created by rsyslog must have correct file permissions. It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected.
Recommendation
Ensure the rsyslog default file permissions are set to 0640
or more restrictive.
journald is not configured to send logs to rsyslog
Category: OS security
OS: Linux
Description
journald should be set to send logs to a remote host through rsyslog, thus being protected from tampering. It requires that rsyslog be set to send logs to a remote host.
Recommendation
Ensure journald is configured to forward logs to rsyslog.
journald is not configured to compress large log files
Category: OS security
OS: Linux
Description
journald should be set to compress large log files, to avoid sudden, unexpected filesystem impacts.
Recommendation
Ensure journald is configured to compress large files.
journald is not configured to write logfiles to persistent disk
Category: OS security
OS: Linux
Description
journald should not store data in volatile memory, but save it locally on the server. Writing log data to disk will provide the ability to forensically reconstruct events which may have impacted the operations or security of a system even after a system crash or reboot.
Recommendation
Ensure that storage is set to persistent
for journald.
Permissions on all logfiles are not configured
Category: OS security
OS: Linux
Description
Permissions on logfiles should be set so that sensitive data is archived and protected.
Recommendation
Ensure all logs have permissions set to none
for other and read-only
for group.
logrotate does not assign appropriate permissions
Category: OS security
OS: Linux
Description
logrotate should be set to assign permissions correctly, so that sensitive data is archived and protected.
Recommendation
Ensure that logrotate is configured to set permissions to 0640
or more restrictive.
cron daemon is not enabled and running
Category: OS security
OS: Linux
Description
The cron daemon should be enabled and running, to be used for both user jobs, as well as system maintenance jobs that may include security monitoring.
Recommendation
Ensure that cron is enabled using systemctl.
Permissions on /etc/crontab are not configured
Category: OS security
OS: Linux
Description
Cron's job file permissions should be set correctly, so that users cannot have insight on system jobs, or access to the ability to elevate their privileges.
Recommendation
Ensure that permissions on /etc/crontab/ are set to 0600
.
Permissions on /etc/cron.hourly are not configured
Category: OS security
OS: Linux
Description
Cron's hourly job directory permissions should set correctly, so that users cannot have insight on system jobs, or access to the ability to elevate their privileges.
Recommendation
Ensure that permissions on /etc/cron.hourly are set to 0700
.
Permissions on /etc/cron.daily are not configured
Category: OS security
OS: Linux
Description
Cron's daily job directory permissions should be set correctly, so that users cannot have insight on system jobs, or access to the ability to elevate their privileges.
Recommendation
Ensure that permissions on /etc/cron.hourly are set to 0700
.
Permissions on /etc/cron.weekly are not configured
Category: OS security
OS: Linux
Description
Cron's weekly job directory permissions should be set correctly, so that users cannot have insight on system jobs, or access to the ability to elevate their privileges.
Recommendation
Ensure that permissions on /etc/cron.weekly are set to 0700
.
Permissions on /etc/cron.monthly are not configured
Category: OS security
OS: Linux
Description
Cron's monthly job directory permissions should be set correctly, so that users cannot have insight on system jobs, or access to the ability to elevate their privileges.
Recommendation
Ensure that permissions on /etc/cron.monthly are set to 0700
.
Permissions on /etc/cron.d are not configured
Category: OS security
OS: Linux
Description
Cron's manual job directory permissions should be set correctly, so that users cannot have insight on system jobs, or access to the ability to elevate their privileges.
Recommendation
Ensure that permissions on /etc/cron.d are set to 0700
.
cron is not restricted to authorized users
Category: OS security
OS: Linux
Description
Access to cron should be restricted via an allow list by using /etc/cron.allow. Additionally, /etc/cron.allow must be owned by root and have permissions set to 0640
or more restrictive.
Recommendation
Ensure /etc/cron.deny does not exist, and that /etc/cron.allow is properly configured.
Ensure at is restricted to authorized users
Category: OS security
OS: Linux
Description
Verifies that access to at is restricted by using an allow list, using /etc/at.allow. Additionally, /etc/at.allow must be owned by root and have permissions set to 0640
or more restrictive.
Recommendation
Ensure /etc/at.deny does not exist, and that /etc/at.allow is properly configured.
Password creation requirements are not configured
Category: OS security
OS: Linux
Description
Password creation requirements must be configured to require strong passwords, as well as a maximum of 3 retries.
Recommendation
Ensure that strong password requirements and a maximum of 3 retries are set.
Password expiration interval is short enough
Category: OS security
OS: Linux
Description
Password expiration must be set to 365 days or less, to make sure that the timeframe for a brute force attack is limited.
Recommendation
Ensure that password expiration is properly configured.
Minimum days between password changes is not configured
Category: OS security
OS: Linux
Description
The minimum number of days between password changes must be configured, so that users are prevented from repeatedly changing their password in an attempt to circumvent password reuse controls.
Recommendation
Ensure that a minimum of 1 day between password changes is enforced.
Password expiration warning days interval is long enough
Category: OS security
OS: Linux
Description
Password expiration warnings must be sent in an interval that leaves the user sufficient time to think of a secure password.
Recommendation
Ensure that password expiration warnings are sent at least 7 days in advance.
Inactive password lock interval is short enough
Category: OS security
OS: Linux
Description
User accounts that have been inactive for over 30 days must automatically be disabled.
Recommendation
Ensure that inactive accounts are automatically disabled after 30 days.
Default group for the root account is not 0
Category: OS security
OS: Linux
Description
The root user has must have the default group set to 0
. Using GID 0
for the root account helps prevent root-owned files from accidentally becoming accessible to non-privileged users.
Recommendation
Ensure that the default group for the root account is set to 0
.
Default file creation mask is not restrictive enough
Category: OS security
OS: Linux
Description
Permissions mask for newly created files must be restrictive enough.
Recommendation
Ensure that user file-creation mode mask is set to 027
or more restrictive.
Default user shell timeout is not short enough
Category: OS security
OS: Linux
Description
An inactive user shell session must be ended with a reasonable timeout, to prevent unauthorized access by using unattended shell sessions.
Recommendation
Ensure default user shell timeout is set to 900
or less.
Access to su command is not restricted
Category: OS security
OS: Linux
Description
Access to the su command must be restricted, forcing the use of sudo, which allows for better control of escalation, and better logging and audit.
Recommendation
Ensure the group that is allowed to use the su command is empty.
Permissions on /etc/passwd are not configured
Category: OS security
OS: Linux
Description
Permissions on the user accounts file must be set to allow reading for various system utilities, while being protected from unauthorized write access.
Recommendation
Ensure that permissions on /etc/passwd are set to 644
.
Permissions on /etc/passwd- are not configured
Category: OS security
OS: Linux
Description
Permissions on the user accounts backup file must be set to allow reading for various system utilities, while being protected from unauthorized write access.
Recommendation
Ensure that permissions on /etc/passwd- are set to 644
or more restrictive.
Permissions on /etc/group are not configured
Category: OS security
OS: Linux
Description
Permissions on the groups file must be set to allow reading for various system utilities, while being protected from unauthorized write access.
Recommendation
Ensure that permissions on /etc/group are set to 644
.
Permissions on /etc/group- are not configured
Category: OS security
OS: Linux
Description
Permissions on the groups backup file must be set to allow reading for various system utilities, while being protected from unauthorized write access.
Recommendation
Ensure that permissions on /etc/group- are set to 644
or more restrictive.
Permissions on /etc/shadow are not configured
Category: OS security
OS: Linux
Description
Permissions on the users credentials file must be set to allow reading for various system utilities, while being protected from unauthorized write access.
Recommendation
Ensure that permissions on /etc/shadow are set to 640
.
Permissions on /etc/shadow- are not configured
Category: OS security
OS: Linux
Description
Permissions on the users credentials backup file must be set to allow reading for various system utilities, while being protected from unauthorized write access.
Recommendation
Ensure that permissions on /etc/shadow- are set to 640
.
Permissions on /etc/gshadow are not configured
Category: OS security
OS: Linux
Description
Permissions on the groups credentials file must be set to allow reading for various system utilities, while being protected from unauthorized write access.
Recommendation
Ensure that permissions on /etc/gshadow are set to 640
.
Permissions on /etc/gshadow- are not configured
Category: OS security
OS: Linux
Description
Permissions on the groups credentials backup file must be set to allow reading for various system utilities, while being protected from unauthorized write access.
Recommendation
Ensure that permissions on /etc/gshadow- are set to 640
.
World writable files do exist
Category: OS security
OS: Linux
Description
No world writable files must be present on the machine, as they may indicate a potential security risk.
Recommendation
Ensure there are no world writable files, or that those that are world-writable are necessarily so.
Unowned files or directories do exist
Category: OS security
OS: Linux
Description
Files that used to be owned by deleted users should not remain on the system, as this might lead to a new user with the deleted user's ID to end up owning these files, leading to more access on the system than was intended.
Recommendation
Ensure that no files owned by an inactive user exist on the system.
Ungrouped files or directories do exist
Category: OS security
OS: Linux
Description
Files that used to be owned by deleted groups should not remain on the system, as this might lead to a new user with the deleted group's GID to end up owning these files, leading to more access on the system than was intended.
Recommendation
Ensure that no files owned by an inactive group exist on the system.
Accounts in etc/passwd do not use shadowed passwords
Category: OS security
OS: Linux
Description
All accounts must use shadowed passwords, to avoid allowing access to sensitive information (like password hashes) to an attacker.
Recommendation
Ensure all accounts are set to use shadowed passwords.
sudo is not installed
Category: OS security
OS: Linux
Description
The sudo package must be installed on the system. Sudo allows configuring which users and under what conditions they can run a command as superuser or another user.
Recommendation
Ensure the sudo or sudo-ldap (if sudo support for LDAP users is required) package is installed.
/dev/shm is not configured
Category: OS security
OS: Linux
Description
/dev/shm must be mounted properly at boot, with the noexec option.
Recommendation
Ensure that /dev/shm is mounted with the noexec option.
Permissions on bootloader config are overridden
Category: OS security
OS: Linux
Description
Permissions on /boot/grub/grub.cfg must be changed to root-only
when gub.cfg is updated by the update-grub command.
Recommendation
Ensure the update-grub command changes the permissions of /boot/grub/grub.cfg to 400
.
Prelink is installed
Category: OS security
OS: Linux
Description
Prelink should not be installed on the endpoint. Prelink is a program that modifies ELF shared libraries and ELF dynamically linked binaries in such a way that the time needed for the dynamic linker to perform relocations at startup significantly decreases.
Recommendation
Ensure that the prelink package is not installed, as to not interfere with AIDE and also decrease the vulnerability of the system.
Disable-user-list is not enabled
Category: OS security
OS: Linux
Description
Displaying the user list eliminates half of the Userid/Password equation that an unauthorized person would need to log on.
Recommendation
Ensure the GDM paramater disable-user-list is set to true
.
XDCMP is enabled
Category: OS security
OS: Linux
Description
X Display Manager Control Protocol (XDMCP) is designed to provide authenticated access to display management services for remote displays. XDMCP is vulnerable to man-in-the-middle attacks.
This may allow an attacker to steal the credentials of legitimate users by impersonating the XDMCP server.
Recommendation
Ensure the Enable flag is set to false
in /etc/gdm3/custom.conf.
X Window System is installed
Category: OS security
OS: Linux
Description
The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add-ons. Unless your organization specifically requires graphical login access via X Window, remove it to reduce the potential attack surface.
Recommendation
Ensure the xserver-xorg package is not installed.
Avahi Server is installed
Category: OS security
OS: Linux
Description
Avahi Server should not installed on the endpoint. Avahi Server allows programs to publish and discover services and hosts running on the local network.
Recommendation
Ensure the avahi-daemon package is not installed, to reduce the endpoint's potential attack surface.
CUPS is installed
Category: OS security
OS: Linux
Description
The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. If the system does not need to print jobs or accept print jobs from other systems, we recommend you remove CUPS to reduce the potential attack surface.
Recommendation
Ensure the cups package is not installed.
DHCP Server is installed
Category: OS security
OS: Linux
Description
The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses. Unless a system is specifically set up to act as a DHCP server, we recommend you remove this package to reduce the potential attack surface.
Recommendation
Ensure the isc-dhcp-server package is not installed.
LDAP server is installed
Category: OS security
OS: Linux
Description
The Lightweight Directory Access Protocol (LDAP) is a service that provides a method for looking up information from a central database. If the system will not need to act as an LDAP server, we recommend you remove this software to reduce the potential attack surface.
Recommendation
Ensure the slapd package is not installed.
NFS is installed
Category: OS security
OS: Linux
Description
The Network File System (NFS) provides the ability for systems to mount file systems of other servers through the network. If the system does not export NFS shares or act as an NFS client, we recommend you remove these services to reduce the remote attack surface.
Recommendation
Ensure the nfs-kernel-server package is not installed.
DNS Server is installed
Category: OS security
OS: Linux
Description
The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network. Unless a system is specifically designated to act as a DNS server, we recommend you delete this package to reduce the potential attack surface.
Recommendation
Ensure the bind9 package is not installed.
FTP Server is installed
Category: OS security
OS: Linux
Description
The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files. FTP does not protect the confidentiality of data or authentication credentials.
Recommendation
Ensure the vsftpd package is not installed.
HTTP server is installed
Category: OS security
OS: Linux
Description
HTTP or web servers provide the ability to host web site content. Unless there is a need to run the system as a web server, we recommend you delete this package to reduce the potential attack surface.
Recommendation
Ensure the apache2 package is not installed.
IMAP and POP3 servers are installed
Category: OS security
OS: Linux
Description
Unless POP3 and/or IMAP servers are to be provided by this system, we recommend you remove these packages to reduce the potential attack surface.
Recommendation
Ensure the dovecot-imapd and dovecot-pop3d packages are not installed.
Samba is installed
Category: OS security
OS: Linux
Description
The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. If there is no need to mount directories and file systems to Windows systems, then this service should be deleted to reduce the potential attack surface.
Recommendation
Ensure the samba package is not installed.
HTTP Proxy Server is installed
Category: OS security
OS: Linux
Description
Squid is a standard proxy server used in many distributions and environments. If there is no need for a proxy server, we recommend you delete the squid proxy to reduce the potential attack surface.
Recommendation
Ensure the squid package is not installed.
SNMP Server is installed
Category: OS security
OS: Linux
Description
Simple Network Management Protocol (SNMP) is a widely used protocol for monitoring the health and welfare of network equipment, computer equipment and devices like UPSs. If the SNMP service is not required, it should be removed to reduce the attack surface of the system. If SNMP is required, the server should be configured for SNMP v3 only. User Authentication and Message Encryption should be configured.
Recommendation
Ensure the snmpd package is not installed.
The rsync service is installed
Category: OS security
OS: Linux
Description
The rsync service can be used to synchronize files between systems over network links. The rsync service presents a security risk as it uses unencrypted protocols for communication. The rsync package should be removed to reduce the attack area of the system.
Recommendation
Ensure the rsync package is not installed.
NIS Server is installed
Category: OS security
OS: Linux
Description
The NIS server is a collection of programs that allow for the distribution of configuration files. The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, we recommend you remove this service, and use other, more secure services.
Recommendation
Ensure the nis package is not installed.
RPC is installed
Category: OS security
OS: Linux
Description
Remote Procedure Call (RPC) is a method for creating low level client server applications across different system architectures. If RPC is not required, we recommend you remove these services to reduce the remote attack surface.
Recommendation
Ensure the rpcbind package is not installed.
Mail transfer agent is not configured for local-only mode
Category: OS security
OS: Linux
Description
If the system is not intended to be a mail server, we recommend you configure the MTA to only process local mail.
Recommendation
Ensure that the MTA is not listening on any non-loopback address (127.0.0.1 or::1), port 25.
Time synchronization is not in use
Category: OS security
OS: Linux
Description
System time should be synchronized between all systems in an environment. Time synchronization is important to support time sensitive security mechanisms like Kerberos.
Recommendation
Ensure one of the systemd-timesyncd, chrony, ntp packages are installed and configured correctly.
Wireless interfaces are not disabled
Category: OS security
OS: Linux
Description
If wireless is not to be used, wireless devices can be disabled to reduce the potential attack surface.
Recommendation
Ensure no wireless drivers are loaded into the kernel.
Log4j with Denial of Service Present
Category: Network and credentials
OS: Linux
Description
Verifies if a vulnerable version of log4j module is present on the disk. The vulnerable module could be affected by CVE-2021-45105, and submitting a specially crafted request to it might cause a denial of service when a crafted string is interpreted.
Recommendation
Avoid using Log4j versions 2.x to 2.16.0, except version 2.12.3, which fixes the issue.
Pkexec with Local Privilege Escalation Present
Category: Vulnerability
OS: Linux
Description
Verifies if a vulnerable version of the Polkit package is installed on the endpoint. The vulnerable module could be affected by CVE-2021-4034, which allows any unprivileged user to gain full root privileges by exploiting this vulnerability in its default configuration.
Recommendation
Apply the latest available patches for this vulnerability.
systemd-timesyncd is configured
Category: OS security
OS: Linux
Description
systemd-timesyncd is a daemon that has been added for synchronizing the system clock across the network. This recommendation only applies if timesyncd is in use on the system.
Recommendation
Ensure that timesyncd is enabled and started. Review /etc/systemd/timesyncd.conf and ensure that NTP, FallbackNTP and RootDistanceMax are listed in accordance with local policy.
chrony is configured
Category: OS security
OS: Linux
Description
chrony is a daemon which implements the Network Time Protocol (NTP), which is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. This recommendation only applies if chrony is used on the system.
Recommendation
Review /etc/chrony.conf and ensure that the remote server is configured properly.
ntp is configured
Category: OS security
OS: Linux
Description
ntp is a daemon that implements the Network Time Protocol (NTP), which is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. This recommendation only applies if ntp is used on the system.
Recommendation
Review /etc/ntp.conf and ensure that the remote server is configured properly and the restrict
option is set. Verify that ntp is configured to run as the ntp user
.
telnet server is not installed
Category: OS security
OS: Linux
Description
The telnet-server package contains the telnet daemon. The telnet protocol is insecure and unencrypted.
Recommendation
Check if telnet-server is installed.
XD NX support is enabled
Category: OS security
OS: Linux
Description
Recent processors in the x86 family support the ability to prevent code execution on a per-memory-page basis. Generically and on AMD processors, this ability is called No Execute (NX), while on Intel processors it is called Execute Disable (XD).
Recommendation
Check if XD/NX support is enabled.
IPv4 firewall rules exist for all open ports
Category: OS security
OS: Linux
Description
Any ports that have been opened on non-loopback addresses need firewall rules to govern traffic. This recommendation only applies if iptables is used on the system.
Recommendation
For each open port, check if an iptables firewall rule exists.
All users last password change is in the past
Category: OS security
OS: Linux
Description
All users should have a password change date in the past. If a user recorded password change date is in the future then they could bypass any set password expiration.
Recommendation
Verify that no user has a password change date in the future.
System accounts are secured
Category: OS security
OS: Linux
Description
There are a number of accounts provided with most distributions that are used to manage applications and are not intended to provide an interactive shell.
Recommendation
Verify that every system account shell is set to either nologin or /bin/false.
System administrator actions are collected
Category: OS security
OS: Linux
Description
Monitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first, then all administrator commands will be logged to /var/log/sudo.log.
Recommendation
Check if a audit rule exists for /var/log/sudo.log.
SELinux is not disabled in bootloader configuration
Category: OS security
OS: Linux
Description
Configure SELinux to be enabled at boot time and verify that it has not been overwritten by the grub boot parameters.
Recommendation
SELinux must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden.
SELinux state is enforcing
Category:
OS:
Description
When SELinux is running in enforcing mode, it enforces the SELinux policy and denies access based on SELinux policy rules.
Recommendation
Verify that SELINUX=enforcing is set in /etc/selinux/config.
SELinux policy is configured
Category: OS security
OS: Linux
Description
Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy. This item is intended to ensure that at least the default recommendations are met.
Recommendation
Configure SELinux to meet or exceed the default targeted policy, which constrains daemons and system software only.
SETroubleshoot is not installed
Category: OS security
OS: Linux
Description
The SETroubleshoot service notifies desktop users of SELinux denials through a user-friendly interface. The service provides important information around configuration errors, unauthorized intrusions and other potential errors.
Recommendation
The SETroubleshoot service is an unnecessary daemon to have running on a server. Verify setroubleshoot is not installed.
MCS Translation Service is not installed
Category: OS security
OS: Linux
Description
The mcstransd daemon provides category label information to client processes requesting information. Since the service is not used very often, remove it to reduce the amount of potentially vulnerable code running on the system.
Recommendation
Verify mcstrans is not installed.
System-wide crypto policy is not legacy
Category: OS security
OS: Linux
Description
The system-wide cypto-policies followed by the crypto core components allow consistently deprecating and disabling algorithms system-wide.
Recommendation
Verify in /etc/crypto-policies/config that the system-wide crypto policy is not LEGACY.
System-wide crypto policy is FUTURE or FIPS
Category: OS security
OS: Linux
Description
The system-wide crypto-policies followed by the crypto core components allow consistently deprecating and disabling algorithms system-wide.
Recommendation
Verify in /etc/crypto-policies/config that the system-wide crypto policy is Future or FIPS.
Only one firewall service enabled
Category: OS security
OS: Linux
Description
A firewall provides defense against external and internal threats by refusing unauthorized connections, to stop intrusion and provide a strong method of access control policy.
Recommendation
Verifies that only one of firewalld, iptables or nftables is installed.
System-wide crypto policy is not overridden
Category: OS security
OS: Linux
Description
The system-wide crypto policy can be overridden or opted out of for openSSH. Overriding or opting out of the system-wide crypto policy could allow for the use of less.
Recommendation
Verify in /etc/sysconfig/sshd that CRYPTO_POLICY is not set.
Last logged in user display is disabled
Category: OS security
OS: Linux
Description
Displaying the last logged in user eliminates half of the Userid/Password equation that an unauthorized person would need to log on.
Recommendation
Verify that the gdm configuration has disabled-user-list=true.
Net Snmp is not installed
Category: OS security
OS: Linux
Description
Simple Network Management Protocol (SNMP) is a widely used protocol for monitoring the health and welfare of network equipment. If SNMP is required the server should use only SNMP v3.
Recommendation
Verify that net-snmp is not installed.
Dirty Pipe Vulnerability
Category: OS security
OS: Linux
Description
Dirty Pipe is a vulnerability in the Linux kernel since version 5.8, allowing an attacker to overwrite data in arbitrary read-only files. This leads to Privilege escalation, as unprivileged processes can inject code into root processes. The vulnerability has been fixed in Linux 5.16.11, 5.15.25 and 5.10.102.
Recommendation
Make sure the kernel version is always up to date.
Log4j with Remote Code Execution Present
Category: Network and credentials
OS: Linux
Description
Verifies if a vulnerable version of log4j module is present on the disk. The vulnerable module could be affected by CVE-2021-44228 and CVE-2021-45046, and submitting a specially crafted request to it might lead into download and subsequently execute a malicious payload.
Recommendation
Avoid using Log4j versions 2.x to 2.15.0.
Cr8escape Vulnerability
Category: Vulnerability
OS: Linux
Description:
Cr8escape is a vulnerability in the CRI-O module caused by the way it sets kernel options for a pod. Users with rights to deploy pods on vulnerable kubernets clusters can escape the container, gain access to the host, and be able to execute arbitrary code as root in the cluster node.
Recommendation:
Update to a patched version of CRI-O. Versions that address the issue: 1.23.2, 1.22.3, v1.21.6, 1.20.7, and 1.19.6.
Spring Cloud Functions vulnerability (Spring4Shell)
Category: Vulnerability
OS: Linux
Description:
Spring Cloud Functions versions 3.1.6, 3.2.2, and older are vulnerable to CVE-2022-22963. This vulnerability allows a user to provide a specially crafted SpEl payload as a routing-expression. This may result in a remote code execution and access to local resources.
Recommendation:
Upgrade Spring Cloud Functions to versions 3.1.7, 3.2.3, or higher.