Misconfigurations
Windows misconfigurations
Task Manager
Category: OS security
OS: Windows
Description
Verifies the local group policy settings for User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options\Remove Task Manager.
When Remove Task Manager is enabled, the endpoint is more exposed to security threats. Since Task Manager can list and terminate running processes, some malware disables it to prevent itself from being terminated.
Recommendation
Keep the Task Manager enabled on all endpoints.
Smart Card Service
Category: OS security
OS: Windows
Description
Verifies the settings for Smart Card local service.
The Smart Card Service provides read access to smart cards and public key services support through a background process (scardsvr.exe). Although this Windows service is considered quite safe, some malware programs disguise themselves as scardsvr.exe.
Recommendation
Disable this service if it is not used explicitly on endpoints.
Telnet Server Service
Category: Network and credentials
OS: Windows
Description
Verifies whether the Telnet Server service is installed and enabled on the endpoint.
Telnet is one of the earliest TCP/IP protocols allowing access to remote endpoints via terminal sessions. Telnet provides no built-in security measures (such as data encryption or authentication) and using it exposes endpoints to security risks.
Recommendation
Disable Telnet Server service on all endpoints and use SSH instead.
Auto Logon
Category: Network and credentials
OS: Windows
Description
Verifies if Windows requires account sign-in.
When account sign-in is not required, Windows stores the user's password in the registry, making it possible to bypass the password screen during logon.
Recommendation
Always require account sign-in.
Secure Logon
Category: OS security
OS: Windows
Description
Verifies the local security policy option Interactive logon: Do not require CTRL+ALT+DEL.
This option defines whether users must press CTRL+ALT+DEL before logging in to Windows, an additional security layer that prevents malware from intercepting usernames and passwords.
If this option is set to Enabled, the system is more vulnerable to security threats.
Recommendation
Set this policy to Disabled.
UAC Off
Category: OS security
OS: Windows
Description
Verifies the local security policy option User Account Control: Run all administrators in Admin Approval Mode.
This setting controls the behavior of all UAC policy settings for the endpoint.
UAC (User Account Control) is a security feature that helps prevent unauthorized changes to the OS by potentially harmful programs. UAC requires administrator authorization for actions like installing a program or modifying system settings.
When UAC is set to Never notify, the system is more vulnerable to malware.
Recommendation
Set this policy to Enabled.
UAC Insecure
Category: OS security
OS: Windows
Description
Verifies the configuration for User Account Control policy and registry settings, to check if these comply with the default recommended settings.
The policy settings are located in Security Settings\Local Policies\Security Options, in the Local Security Policy app.
Recommendation
Configure the UAC settings to at least the default level.
Automatic Updates
Category: OS security
OS: Windows
Description
Verifies the local group policy Configure Automatic Updates, located in Computer Configuration\Administrative Templates\Windows Components\Windows Update.
This policy specifies whether the endpoint will receive security updates and other important downloads through the Windows automatic updating service. When disabled, the endpoint is more vulnerable to security threats.
Recommendation
Set this policy to Enabled.
LAN Manager Hash
Category: OS security
OS: Windows
Description
Verifies the local security policy option Network security: Do not store LAN Manager hash value on next password change.
When the user sets a password that contains fewer than 15 characters, Windows generates a LAN Manager hash (LM hash) of that password.
If the Windows security option is set to store the hash in the local Security Accounts Manager (SAM) database, the passwords can be compromised and the endpoint is prone to brute-force attacks.
Recommendation
After applying the fix, all affected users must change their domain password. The new password must be at least 15 characters long.
In this case, Windows stores an LM hash value that cannot be used to authenticate the user.
Blank Password
Category: Network and credentials
OS: Windows
Description
Verifies the local security policy option Accounts: Limit local account use of blank passwords to console logon only.
This setting determines whether local accounts that have no password can be used to log on from locations other than the physical computer console.
When this option is disabled, endpoints are exposed to a high security risk.
Recommendation
Set this policy to Enabled.
Anonymous User Permissions
Category: Network and credentials
OS: Windows
Description
Verifies the local security policy option Network access: Do not allow anonymous enumeration of SAM accounts.
This option determines if anonymous connections have the permission to enumerate the names of domain accounts.
Endpoints with this option disabled are vulnerable to attackers trying to obtain usernames or passwords stored locally.
Recommendation
The recommended setting for this policy is Enabled: Do not allow enumeration of SAM accounts.
This option replaces Everyone with Authenticated Users in the security permissions for resources.
Kernel-Mode Printer Drivers
Category: OS security
OS: Windows
Description
Verifies the local group policy Disallow installation of printers using kernel-mode drivers, located in Computer Configuration\Administrative Templates\Printers.
This setting determines whether printers using kernel-mode drivers may be installed on the local endpoint. Kernel-mode drivers have access to system-wide memory, and therefore poorly written kernel-mode drivers can cause stop errors.
When this option is Disabled, the printer drivers will run in the kernel space of the operating system, exposing the endpoint to security risks.
Recommendation
Set this policy to Enabled.
Windows Backup Service
Category: OS security
OS: Windows
Description
Verifies the settings for Windows Backup and Restore service (SDRSVC).
When this service is stopped, the system does not have access to native Microsoft backup and restore tools.
Recommendation
Enable this service on all endpoints.
Telephony Service
Category: OS security
OS: Windows
Description
Verifies if the Telephony Service is active.
Recommendation
Set this service to Disabled.
Lock Screen App Notifications
Category: OS security
OS: Windows
Description
Verifies the local group policy Turn off app notifications on the lock screen, located in Computer Configuration\Administrative Templates\System\Logon.
This policy setting lets you prevent app notifications from appearing on the lock screen.
If you enable this policy setting, no app notifications are displayed on the lock screen.
If you disable or do not configure this policy setting, users can choose which apps display notifications on the lock screen.
Recommendation
Set this policy to Enabled.
Microphone Service
Category: OS security
OS: Windows
Description
Verifies if any microphone is enabled.
Recommendation
Disable microphones on endpoints.
Store Domain Credentials
Category: OS security
OS: Windows
Description
Checks if the passwords and credentials used for network authentication are stored on the local computer.
Recommendation
Do not allow storage of passwords and credentials used for network authentication on the local computer.
Digitally Encrypt / Sign Data
Category: Network and credentials
OS: Windows
Description
Verifies the local security policy option Domain member: Digitally encrypt or sign secure channel data (always).
This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted.
When this policy is disabled, whether secure channel traffic is encrypted and signed depends on the version of the Domain Controller and on the other policies for encrypting and signing secure channel data.
Recommendation
Set this policy to Enabled.
Digitally Encrypt Data
Category: Network and credentials
OS: Windows
Description
Verifies the local security policy option Domain member: Digitally encrypt secure channel data (when possible).
This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates.
Disabling this setting may unnecessarily reduce secure channel throughput, because concurrent API calls that use the secure channel are only possible when the secure channel is signed or encrypted.
Recommendation
Set this policy to Enabled.
Digitally Sign Data
Category: Network and credentials
OS: Windows
Description
Verifies the local security policy option Domain member: Digitally sign secure channel data (when possible).
This security setting determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates.
If enabled, the domain member will request signing of all secure channel traffic.
If the Domain Controller supports signing of all secure channel traffic, then all secure channel traffic will be signed which ensures that it cannot be tampered with in transit.
Recommendation
Set this policy to Enabled.
Change Account Password
Category: Network and credentials
OS: Windows
Description
Verifies the local security policy option Domain member: Disable machine account password changes.
This setting determines whether a domain member periodically changes its computer account password.
If this setting is enabled, the domain member does not attempt to change its computer account password, which exposes the endpoint to security risks.
Recommendation
Set this policy to Disabled.
Strong Session Key
Category: Network and credentials
OS: Windows
Description
Verifies the local security policy option Domain member: Require strong (Windows 2000 or later) session key.
This security setting determines whether 128-bit key strength is required for encrypted secure channel data.
If this setting is enabled, then the secure channel will not be established unless 128-bit encryption can be performed.
If this setting is disabled, then the key strength is negotiated with the domain controller.
Recommendation
Set this policy to Enabled.
Insecure Guest Logon
Category: Network and credentials
OS: Windows
Description
Verifies the local group policy Enable insecure guest logons, located in Computer Configuration\Administrative Templates\Network\Lanman Workstation.
This policy determines if the SMB client will allow insecure guest logons to an SMB server.
If you enable or do not configure this policy, the SMB client will allow insecure guest logons.
Insecure guest logons are used by file servers to allow unauthenticated access to shared folders.
Since insecure guest logons are unauthenticated, important security features such as SMB Signing and SMB Encryption are disabled.
As a result, clients that allow insecure guest logons are vulnerable to a variety of man-in-the-middle attacks that can result in data loss, data corruption and exposure to malware.
Additionally, any data written to a file server using an insecure guest logon is potentially accessible to anyone on the network.
Recommendation
Disable insecure guest logons and configure file servers to require authenticated access.
Lock Screen Camera
Category: OS Security
OS: Windows
Description
Verifies the local group policy Prevent enabling lock screen camera, located in Computer Configuration\Administrative Templates\Control Panel\Personalization.
This policy disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen.
Recommendation
Set this policy to Enabled.
Lock Screen Slide Show
Category: OS Security
OS: Windows
Description
Verifies the local group policy Prevent enabling lock screen slide show, located in Computer Configuration\Administrative Templates\Control Panel\Personalization.
This policy disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen.
Recommendation
Set this policy to Enabled.
Client Digitally Sign Communications
Category: OS Security
OS: Windows
Description
Verifies the local security policy option Microsoft network client: Digitally sign communications (always).
This security setting determines whether packet signing is required by the Server Message Block (SMB) client component.
For SMB packet signing to take effect, both the client-side and the server-side SMB components involved in a communication must have signing enabled or required.
Recommendation
Set this policy to Enabled.
Unencrypted passwords
Category: Network and credentials
OS: Windows
Description
Verifies the local security policy option Microsoft network client: Send unencrypted password to third-party SMB servers.
If this security setting is enabled, the Server Message Block (SMB) redirector is allowed to send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication.
Sending unencrypted passwords is a security risk.
Recommendation
Set this policy to Disabled.
Server Digitally Sign Communications
Category: Network and credentials
OS: Windows
Description
Verifies the local security policy option Microsoft network server: Digitally sign communications (always).
This security setting determines whether packet signing is required by the Server Message Block (SMB) server component.
The SMB protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration.
To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets.
If this policy is disabled, SMB packet signing is negotiated between the Microsoft network client and server.
Note
All Windows operating systems support both a client-side SMB component and a server-side SMB component.
To take advantage of SMB packet signing, both the client-side SMB component and server-side SMB component that are involved in a communication must have SMB packet signing either enabled or required.
Recommendation
Set this policy to Enabled.
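A read-only PowerShell audit of the settings covered by the entries above (Task Manager through Server Digitally Sign Communications), added here as an example; it is not part of the original page or the product it documents. The registry key paths, value names, expected values and service names are assumptions about the standard Windows locations behind these policies and are not stated on the page; on domain-joined endpoints the effective setting may also come from domain Group Policy.

```powershell
# Added example (not part of the original page or its product): a read-only
# audit of settings from the entries above, read from the standard registry
# locations and service names behind those policies. The key paths, value
# names and expected values below are assumptions about Windows, not values
# the page states. Run elevated so HKLM keys are readable.

function Get-RegistryValueOrNull {
    param([string]$Key, [string]$Name)
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent -> treated as "not configured"
}

# DefaultSecure = $true means an absent value is the secure default (e.g. no
# DisableTaskMgr value means Task Manager is not removed). Remove Task Manager
# is a User Configuration policy, so the HKCU check covers only the current user.
$RegistryChecks = @(
    @{ Entry='Task Manager';                 Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name='DisableTaskMgr';        Expected=0;   DefaultSecure=$true  }
    @{ Entry='Auto Logon';                   Key='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';     Name='AutoAdminLogon';        Expected='0'; DefaultSecure=$true  }
    @{ Entry='Secure Logon';                 Key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name='DisableCAD';            Expected=0;   DefaultSecure=$false }
    @{ Entry='UAC Off';                      Key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name='EnableLUA';             Expected=1;   DefaultSecure=$false }
    @{ Entry='LAN Manager Hash';             Key='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                      Name='NoLMHash';              Expected=1;   DefaultSecure=$false }
    @{ Entry='Blank Password';               Key='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                      Name='LimitBlankPasswordUse'; Expected=1;   DefaultSecure=$false }
    @{ Entry='Anonymous User Permissions';   Key='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                      Name='RestrictAnonymousSAM';  Expected=1;   DefaultSecure=$false }
    @{ Entry='Digitally Encrypt / Sign Data'; Key='HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters';    Name='RequireSignOrSeal';     Expected=1;   DefaultSecure=$false }
    @{ Entry='Change Account Password';      Key='HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters';     Name='DisablePasswordChange'; Expected=0;   DefaultSecure=$true  }
    @{ Entry='Strong Session Key';           Key='HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters';     Name='RequireStrongKey';      Expected=1;   DefaultSecure=$false }
    @{ Entry='Insecure Guest Logon';         Key='HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation';     Name='AllowInsecureGuestAuth'; Expected=0;  DefaultSecure=$false }
    @{ Entry='Unencrypted passwords';        Key='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name='EnablePlainTextPassword'; Expected=0; DefaultSecure=$true }
    @{ Entry='Server Digitally Sign Communications'; Key='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name='RequireSecuritySignature'; Expected=1; DefaultSecure=$false }
)

function Test-RegistryChecks {
    foreach ($c in $RegistryChecks) {
        $actual = Get-RegistryValueOrNull -Key $c.Key -Name $c.Name
        # String comparison so REG_SZ values such as AutoAdminLogon ('0'/'1') compare cleanly.
        $status = if ($null -eq $actual) {
                      if ($c.DefaultSecure) { 'Compliant (default)' } else { 'NotConfigured' }
                  } elseif ("$actual" -eq "$($c.Expected)") { 'Compliant' } else { 'NonCompliant' }
        [pscustomobject]@{ Entry=$c.Entry; Setting=$c.Name; Actual=$actual; Expected=$c.Expected; Status=$status }
    }
}

# Services from the entries above. The page recommends disabling Smart Card,
# Telnet Server and Telephony and keeping Windows Backup enabled; TlntSvr and
# TapiSrv are the assumed service names for Telnet Server and Telephony.
$ServiceChecks = @(
    @{ Entry='Smart Card Service';     Name='SCardSvr'; WantDisabled=$true  }
    @{ Entry='Telnet Server Service';  Name='TlntSvr';  WantDisabled=$true  }
    @{ Entry='Windows Backup Service'; Name='SDRSVC';   WantDisabled=$false }
    @{ Entry='Telephony Service';      Name='TapiSrv';  WantDisabled=$true  }
)

function Test-ServiceChecks {
    foreach ($s in $ServiceChecks) {
        $svc = Get-Service -Name $s.Name -ErrorAction SilentlyContinue
        $status = if ($null -eq $svc) { 'NotInstalled' }   # e.g. Telnet Server was never installed
                  elseif (($svc.StartType -eq 'Disabled') -eq $s.WantDisabled) { 'Compliant' }
                  else { 'NonCompliant' }
        $actual = if ($svc) { "$($svc.Status)/$($svc.StartType)" } else { $null }
        $expected = if ($s.WantDisabled) { 'Disabled' } else { 'Not disabled' }
        [pscustomobject]@{ Entry=$s.Entry; Setting=$s.Name; Actual=$actual; Expected=$expected; Status=$status }
    }
}

@(Test-RegistryChecks) + @(Test-ServiceChecks) | Format-Table -AutoSize

# Auto Logon entry: a DefaultPassword value under Winlogon is the stored
# plaintext password the page warns about. Report its presence, never its content.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ($null -ne (Get-RegistryValueOrNull -Key $winlogon -Name 'DefaultPassword')) {
    Write-Warning 'Auto Logon: DefaultPassword is stored in the Winlogon key; remove it after requiring sign-in.'
}
```

A NotConfigured result means the policy is not set locally; confirm the effective value with the Local Security Policy app or gpresult before treating it as a finding.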
Download Print Drivers Over HTTP
Category: Network and credentials
OS: Windows
Description
Verifies the local group policy Turn off downloading of print drivers over HTTP, located in Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication Settings.
This policy specifies whether to allow this client to download print driver packages over HTTP.
When disabled or not configured, users can download print drivers over HTTP.
Recommendation
Set this policy to Enabled.
Print Over HTTP
Category: Network and credentials
OS: Windows
Description
Verifies the local group policy Turn off printing over HTTP, located in Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication Settings.
This policy specifies whether to allow printing over HTTP from this client. Printing over HTTP allows a client to print to printers on the intranet as well as the Internet.
When disabled or not configured, users can choose to print to printers on the Internet over HTTP.
Recommendation
Set this policy to Enabled.
Strengthen Permissions
Category: OS security
OS: Windows
Description
Verifies the local security policy option System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links).
This security setting determines the strength of the default Discretionary Access Control List (DACL) for objects.
Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. This way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted.
If this policy is enabled, the default DACL is stronger, allowing users who are not administrators to read shared objects but not allowing these users to modify shared objects that they did not create.
Recommendation
Set this policy to Enabled.
Enumerate Local Users
Category: OS security
OS: Windows
Description
Verifies the local group policy Enumerate local users on domain-joined computers, located in Computer Configuration\Administrative Templates\System\Logon.
This policy allows local users to be enumerated on domain-joined computers.
If you enable this policy, Logon UI will enumerate all local users on domain-joined computers.
Recommendation
Set this policy to Disabled.
PIN Sign-In
Category: OS Security
OS: Windows
Description
Verifies the local group policy Turn on convenience PIN sign-in, located in Computer Configuration\Administrative Templates\System\Logon.
This policy allows you to control whether a domain user can sign in using a convenience PIN.
If you disable or do not configure this policy, a domain user cannot set up and use a convenience PIN. The user's domain password will be cached in the system vault when using this feature.
Recommendation
Set this policy to Disabled.
Restrict Unauthenticated RPC
Category: Network and credentials
OS: Windows
Description
Verifies the local group policy Restrict Unauthenticated RPC clients, located in Computer Configuration\Administrative Templates\System\Remote Procedure Call.
This policy controls how the Remote Procedure Call (RPC) server runtime handles unauthenticated RPC clients connecting to RPC servers.
In a domain environment, this policy should be used with caution as it can affect a wide range of functionality, including the group policy processing itself.
A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security.
Recommendation
Set this policy to Enabled > Authenticated.
Optional Microsoft Accounts
Category: OS security
OS: Windows
Description
Verifies the local group policy Allow Microsoft accounts to be optional, located in Computer Configuration\Administrative Templates\Windows Components\App runtime.
This policy lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in.
This policy only affects Windows Store apps that support it.
If you enable this policy, Windows Store apps that typically require a Microsoft account to sign in will allow users to sign in with an enterprise account instead.
If you disable or do not configure this policy, users will need to sign in with a Microsoft account.
Recommendation
Set this policy to Enabled.
Autoplay Non-Volume Devices
Category: OS security
OS: Windows
Description
Verifies the local group policy Turn off Autoplay, located in Computer Configuration\Administrative Templates\Windows Components\Autoplay Policies.
This policy setting allows you to turn off the Autoplay feature (reading from a drive as soon as media is inserted in the drive).
When disabled, program setup files and music on audio media start immediately as soon as the media is inserted in the drive.
Recommendation
Set this policy to Enabled > All Drives.
Turn off Autoplay
Category: OS security
OS: Windows
Description
Verifies the local group policy Turn off Autoplay, located in Computer Configuration\Administrative Templates\Windows Components\Autoplay Policies.
This policy setting allows you to turn off the Autoplay feature (reading from a drive as soon as media is inserted in the drive).
When disabled, program setup files and music on audio media start immediately as soon as the media is inserted in the drive.
Recommendation
Set this policy to Enabled: All Drives.
Disable DMA
Category: OS security
OS: Windows
Description
Verifies the local group policy Disable new DMA devices when this computer is locked, located in Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption.
This policy allows blocking direct memory access (DMA) for all Thunderbolt hot pluggable PCI downstream ports until a user logs into Windows. Devices already enumerated when the machine was unlocked will continue to function until unplugged or the system is rebooted or hibernated.
This policy is only enforced when BitLocker or device encryption is enabled.
Note
Some PCs may not be compatible with this policy if the system firmware enables DMA for newly attached Thunderbolt devices before exposing the new devices to Windows.
Recommendation
Set this policy to Enabled.
Enhanced PIN with BitLocker
Category: OS security
OS: Windows
Description
Verifies the local group policy Allow enhanced PINs for startup, located in Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives.
This policy configures whether enhanced startup PINs are used with BitLocker. Enhanced startup PINs allow the use of characters including uppercase and lowercase letters, symbols, numbers, and spaces.
This policy is applied when BitLocker is turned on.
Note
Not all computers may support enhanced PINs in the pre-boot environment.
It is strongly recommended that users perform a system check during BitLocker setup.
If you disable or do not configure this policy, enhanced PINs will not be used.
Recommendation
Set this policy to Enabled.
Secure Boot for BitLocker
Category: OS security
OS: Windows
Description
Verifies the local group policy Allow Secure Boot for integrity validation, located in Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives.
This policy setting defines whether Secure Boot will be allowed as the platform integrity provider for BitLocker operating system drives.
Secure Boot ensures that the PC's pre-boot environment only loads firmware that is digitally signed by authorized software publishers.
Secure Boot also provides more flexibility for managing pre-boot configuration than legacy BitLocker integrity checks.
If you disable this policy, BitLocker will use legacy platform integrity validation even on systems capable of Secure Boot-based integrity validation.
Warning
Disabling this policy may result in BitLocker recovery when firmware is updated.
Recommendation
Set this policy to Enabled.
Write Removable Drives with BitLocker
Category: OS Security
OS: Windows
Description
Verifies the local group policy Deny write access to removable drives not protected by BitLocker, located in Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives.
This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.
When this setting is enabled, all removable data drives that are not BitLocker-protected are mounted as read-only.
When this setting is disabled or not configured, all removable data drives on the computer are mounted with read and write access.
Recommendation
Set this policy to Enabled.
Microsoft Consumer Experiences
Category: OS security
OS: Windows
Description
Verifies the local group policy Turn off Microsoft consumer experiences, located in Computer Configuration\Administrative Templates\Windows Components\Cloud Content.
If you disable or do not configure this policy setting, users may see personalized recommendations from Microsoft and notifications about their Microsoft account.
Note
This setting only applies to Enterprise and Education SKUs.
Recommendation
Set this policy to Enabled.
Enumerate Admin Accounts on Elevation
Category: OS security
OS: Windows
Description
Verifies the local group policy Enumerate administrator accounts on elevation, located in Computer Configuration\Administrative Templates\Windows Components\Credential User Interface.
This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application.
By default, administrator accounts are not displayed when the user attempts to elevate a running application.
If you enable this setting, all the local administrator accounts will be displayed, so the user can choose one and enter the correct password.
If you disable this setting, users will always be required to type a user name and password to elevate.
Recommendation
Set this policy to Disabled.
Internet Connection Sharing
Category: Network and credentials
OS: Windows
Description
Verifies the local group policy Prohibit use of Internet Connection Sharing on your DNS domain network, located in Computer Configuration\Administrative Templates\Network\Network Connections.
This setting determines whether administrators can enable and configure the Internet Connection Sharing (ICS) feature of an Internet connection and whether the ICS service can run on the computer.
ICS lets administrators configure their system as an Internet gateway for a small network and provides network services such as name resolution and addressing through DHCP to the local private network.
If you enable this setting, ICS cannot be enabled or configured by administrators and it cannot run on the computer.
Note
ICS is only available when two or more network connections are present.
Non-administrators are already prohibited from configuring Internet Connection Sharing regardless of this setting.
Disabling this setting does not prevent Wireless Hosted Networking from using the ICS service for DHCP services.
To prevent the ICS service from running, go to the Network Permissions tab and select the Don't use hosted networks check box.
Recommendation
Set this policy to Enabled.
Connect to Open Hotspots
Category: Network and credentials
OS: Windows
Description
Verifies the local group policy Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services, located in Computer Configuration\Administrative Templates\Network\WLAN Service\WLAN Settings.
This policy configures the access to the following WLAN settings:
Connect to suggested open hotspots
Connect to networks shared by my contacts
Enable paid services
Note
If this policy is disabled, the abovementioned WLAN settings will be turned off and users on this device will not have access to enable them.
If this policy is not configured or is enabled, users can choose to enable or disable either Connect to suggested open hotspots, or Connect to networks shared by my contacts.
Recommendation
Set this policy to Disabled.
Non Domain Network Connections
Category: Network and credentials
OS: Windows
Description
Verifies the local group policy Prohibit connection to non-domain networks when connected to domain authenticated network, located in Computer Configuration\Administrative Templates\Network\Windows Connection Manager.
This policy prevents computers from connecting to both a domain-based network and a non-domain based network at the same time.
If this policy is enabled, the computer responds to automatic and manual network connection attempts based on the following circumstances:
Automatic connection attempts:
When the computer is already connected to a domain based network, all automatic connection attempts to non-domain networks are blocked.
When the computer is already connected to a non-domain based network, automatic connection attempts to domain-based networks are blocked.
Manual connection attempts:
When the computer is already connected to either a non-domain based network or a domain based network over media other than Ethernet, and a user attempts to create a manual connection to an additional network in violation of this policy setting, the existing network connection is disconnected and the manual connection is allowed.
When the computer is already connected to either a non-domain based network or a domain based network over Ethernet, and a user attempts to create a manual connection to an additional network in violation of this policy setting, the existing Ethernet connection is maintained and the manual connection attempt is blocked.
If this policy is not configured or is disabled, computers are allowed to connect simultaneously to both domain and non-domain networks.
Recommendation
Set this policy to Enabled.
Credential Delegation
Category: Network and credentials
OS: Windows
Description
Verifies the local group policy Remote host allows delegation of non-exportable credentials, located in Computer Configuration\Administrative Templates\System\Credentials Delegation.
When using credential delegation, devices provide an exportable version of credentials to the remote host. This exposes users to the risk of credential theft by attackers on the remote host.
If you enable this policy setting, the host supports Restricted Admin or Remote Credential Guard mode.
If you disable or do not configure this policy setting, Restricted Administration and Remote Credential Guard modes are not supported. Users will always need to pass their credentials to the host.
Recommendation
Set this policy to Enabled.
Virtualization Based Security
Category: OS security
OS: Windows
Description
Verifies the local group policy Turn On Virtualization Based Security, located in Computer Configuration\Administrative Templates\System\Device Guard. Specifies whether Virtualization Based Security is enabled.
Virtualization Based Security uses the Windows Hypervisor to provide support for security services.
Virtualization Based Security requires Secure Boot and, optionally, can be enabled together with DMA Protection.
Recommendation
Set this policy to Enabled with the following options:
Select Platform Security Level: SecureBoot and DMA Protection
Virtualization Based Protection of Code Integrity: Enabled with lock
Credential Guard Configuration: Enabled with lock
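An added PowerShell example, not from the original page, that compares the Virtualization Based Security policy values recommended above with what the running system reports, since a policy set to Enabled does not guarantee the services are actually running on hardware that lacks Secure Boot or DMA protection. The Device Guard policy registry value names and encodings, and the Win32_DeviceGuard CIM class and its property meanings, are assumptions about standard Windows and are not stated on the page.

```powershell
# Added example (not from the page): compare the configured VBS policy with the
# runtime state. Registry value names under the Device Guard policy key and the
# Win32_DeviceGuard CIM property meanings are assumptions about Windows, not
# values stated on the page.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'

# The recommended options from the entry above, as assumed registry encodings:
#   EnableVirtualizationBasedSecurity = 1 -> policy Enabled
#   RequirePlatformSecurityFeatures   = 3 -> Secure Boot and DMA Protection (1 = Secure Boot only)
#   HypervisorEnforcedCodeIntegrity   = 1 -> code integrity Enabled with UEFI lock (2 = without lock)
#   LsaCfgFlags                       = 1 -> Credential Guard Enabled with UEFI lock (2 = without lock)
$Expected = @{
    EnableVirtualizationBasedSecurity = 1
    RequirePlatformSecurityFeatures   = 3
    HypervisorEnforcedCodeIntegrity   = 1
    LsaCfgFlags                       = 1
}

function Get-VbsPolicyReport {
    $policy = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    foreach ($name in $Expected.Keys) {
        $actual = if ($policy) { $policy.$name } else { $null }
        $status = if ($null -eq $actual) { 'NotConfigured' }
                  elseif ($actual -eq $Expected[$name]) { 'Compliant' }
                  else { 'NonCompliant' }
        [pscustomobject]@{ Setting = $name; Expected = $Expected[$name]; Actual = $actual; Status = $status }
    }
}

function Get-VbsRuntimeReport {
    # Win32_DeviceGuard reports what is actually running, independent of policy.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
    if (-not $dg) { Write-Warning 'Win32_DeviceGuard is not available on this system.'; return }
    $vbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
    $running   = @($dg.SecurityServicesRunning)      # 1 = Credential Guard, 2 = HVCI
    $available = @($dg.AvailableSecurityProperties)  # 2 = Secure Boot, 3 = DMA protection
    [pscustomobject]@{
        VirtualizationBasedSecurity = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
        CredentialGuardRunning      = $running -contains 1
        HvciRunning                 = $running -contains 2
        SecureBootAvailable         = $available -contains 2
        DmaProtectionAvailable      = $available -contains 3
    }
}

Get-VbsPolicyReport  | Format-Table -AutoSize
Get-VbsRuntimeReport | Format-List
```

If the policy report is Compliant but the runtime report shows Credential Guard or HVCI not running, check the two Available fields first: without Secure Boot and DMA protection the platform cannot satisfy the required security level.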
Device Installation by ID
Category: OS security
OS: Windows
Description
Verifies the local group policy Prevent installation of devices that match any of these device IDs, located in Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions.
This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing.
This policy setting takes precedence over any other policy setting that allows Windows to install a device.
If you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in the list you create.
If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.
Recommendation
Set this policy to Enabled, and select the following options:
Prevent installation of devices that match any of these device IDs:
PCI\CC_0C0A
Also apply to matching devices that are already installed.
Device Installation by Setup Class
Category: OS security
OS: Windows
Description
Verifies the local group policy Prevent installation of devices using drivers that match these device setup classes, located in Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions.
This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing.
This policy setting takes precedence over any other policy setting that allows Windows to install a device.
If you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create.
If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings.
Recommendation
Set this policy to Enabled, and select the following options:
Prevent installation of devices using drivers for these device setup classes:
{d48179be-ec20-11d1-b6b8-00c04fa372a7}
Also apply to matching devices that are already installed.
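The two Device Installation Restrictions checks above can be verified together. The following script is an added example, not code from the page or the product it documents: it reads the policy registry values these settings write, confirms the recommended identifiers are present, and then lists present devices whose IDs or setup class match the deny lists, which is the set the "already installed" option is meant to act on. Registry value names follow the Device Installation ADMX to the best of the author's knowledge; confirm them in your environment.

```powershell
# Added audit example (not part of the original page). Registry value names below are
# stated to the best of the author's knowledge of the Device Installation ADMX.
$Restrictions  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$DeniedIds     = @('PCI\CC_0C0A')                              # identifier from the page
$DeniedClasses = @('{d48179be-ec20-11d1-b6b8-00c04fa372a7}')   # setup class GUID from the page

function Get-PolicyList {
    # The list policies store their entries as string values named "1", "2", ...
    # under a subkey of the Restrictions key.
    param([string]$SubKey)
    $key = Get-Item (Join-Path $Restrictions $SubKey) -ErrorAction SilentlyContinue
    if (-not $key) { return @() }
    $key.GetValueNames() | ForEach-Object { $key.GetValue($_) }
}

function Test-DeviceRestrictionPolicy {
    # Reports whether both policies are Enabled, whether "Also apply to matching
    # devices that are already installed" is ticked, and which recommended
    # identifiers are missing from the configured lists.
    $top = Get-ItemProperty $Restrictions -ErrorAction SilentlyContinue
    $configuredIds     = @(Get-PolicyList 'DenyDeviceIDs')
    $configuredClasses = @(Get-PolicyList 'DenyDeviceClasses')
    [pscustomobject]@{
        DenyDeviceIDsEnabled         = ($top.DenyDeviceIDs -eq 1)
        DenyDeviceIDsRetroactive     = ($top.DenyDeviceIDsRetroactive -eq 1)
        DenyDeviceClassesEnabled     = ($top.DenyDeviceClasses -eq 1)
        DenyDeviceClassesRetroactive = ($top.DenyDeviceClassesRetroactive -eq 1)
        MissingIds     = @($DeniedIds     | Where-Object { $_ -notin $configuredIds })
        MissingClasses = @($DeniedClasses | Where-Object { $_ -notin $configuredClasses })
    }
}

function Find-MatchingDevices {
    # A device is affected if any of its hardware IDs or compatible IDs is on the
    # denied-ID list (string comparison with -in is case-insensitive) or its setup
    # class GUID is on the denied-class list.
    Get-CimInstance Win32_PnPEntity | Where-Object {
        $dev = $_
        $ids = @($dev.HardwareID) + @($dev.CompatibleID) | Where-Object { $_ }
        ($ids | Where-Object { $_ -in $DeniedIds }) -or ($dev.ClassGuid -in $DeniedClasses)
    } | Select-Object Name, DeviceID, ClassGuid, Status
}

Test-DeviceRestrictionPolicy | Format-List

$hits = @(Find-MatchingDevices)
if ($hits) {
    Write-Warning "$($hits.Count) present device(s) match the deny lists:"
    $hits | Format-Table -AutoSize
} else {
    'No present device matches the denied IDs or classes.'
}
```

A device that matches the lists and still shows Status OK after the policy has been applied indicates the retroactive option is not in effect on that endpoint.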
Boot-Start Driver
Category: OS security
OS: Windows
Description
Verifies the local group policy Boot-Start Driver Initialization Policy, located in Computer Configuration\Administrative Templates\System\Early Launch Antimalware.
This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver.
The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver:
Good: The driver has been signed and has not been tampered with.
Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized.
Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver.
Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver.
If you enable this policy, you will be able to choose which boot-start drivers to initialize the next time the computer is started.
Note
If you disable or do not configure this policy setting, the boot start drivers determined to be Good, Unknown or Bad but Boot Critical are initialized and the initialization of drivers determined to be Bad is skipped.
If your malware detection application does not include an Early Launch Antimalware boot-start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized.
Recommendation
Set this policy to Enabled > Good, Unknown and bad but critical.
Anti-Spoofing
Category: OS security
OS: Windows
Description
Verifies the local group policy Configure enhanced anti-spoofing, located in Computer Configuration\Administrative Templates\Windows Components\Biometrics\Facial Features.
This policy setting determines whether enhanced anti-spoofing is required for Windows Hello face authentication.
If you enable this setting, Windows requires all users on managed devices to use enhanced anti-spoofing for Windows Hello face authentication.
This disables Windows Hello face authentication on devices that do not support enhanced anti-spoofing.
If you disable or do not configure this setting, Windows does not require enhanced anti-spoofing for Windows Hello face authentication.
Recommendation
Set this policy to Enabled.
Minimum Startup PIN
Category: OS security
OS: Windows
Description
Verifies the local group policy Configure minimum PIN length for startup, located in Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives.
This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN.
This policy setting is applied when you turn on BitLocker.
The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits.
If you enable this policy setting, you can require a minimum number of digits to be used when setting the startup PIN.
If you disable or do not configure this policy setting, users can configure a startup PIN of any length between 6 and 20 digits.
Recommendation
Set this policy to Enabled > Minimum characters 7.
Explorer Data Execution Prevention
Category: OS security
OS: Windows
Description
Verifies the local group policy Turn off Data Execution Prevention for Explorer, located in Computer Configuration\Administrative Templates\Windows Components\File Explorer.
Disabling data execution prevention can allow certain legacy plug-in applications to function without terminating Explorer.
Recommendation
Set this policy to Disabled.
Heap Termination on Corruption
Category: OS security
OS: Windows
Description
Verifies the local group policy Turn off heap termination on corruption, located in Computer Configuration\Administrative Templates\Windows Components\File Explorer. Disabling heap termination on corruption can allow certain legacy plug-in applications to function without terminating Explorer immediately, although Explorer may still terminate unexpectedly later.
Recommendation
Set this policy to Disabled.
Password Manager
Category: Network and credentials
OS: Windows
Description
Verifies the local group policy Configure Password Manager, located in Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge.
This policy setting lets you decide whether employees can save their passwords locally, using Password Manager.
By default, Password Manager is turned on.
If you enable this setting, employees can use Password Manager to save their passwords locally.
If you disable this setting, employees cannot use Password Manager to save their passwords locally.
If you don't configure this setting, employees can choose whether to use Password Manager to save their passwords locally.
Recommendation
Set this policy to Disabled.
Save Passwords from RDC
Category: Network and credentials
OS: Windows
Description
Verifies the local group policy Do not allow passwords to be saved, located in Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client.
This policy controls whether passwords can be saved on this computer from Remote Desktop Connection.
If you enable this setting, the password saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords.
When a user opens an RDP file using Remote Desktop Connection and saves their settings, any password that previously existed in the RDP file will be deleted.
Recommendation
Set this policy to Enabled.
Drive Redirection
Category: OS security
OS: Windows
Description
Verifies the local group policy Do not allow drive redirection, located in Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection.
This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection).
By default, an RD Session Host server maps client drives automatically upon connection.
Mapped drives appear in the session folder tree in File Explorer or Computer in the format <driveletter> on <computername>. You can use this policy setting to override this behavior.
If you enable this policy setting, client drive redirection is not allowed in Remote Desktop Services sessions, and Clipboard file copy redirection is not allowed on computers running Windows Server 2003, Windows 8, and Windows XP.
Recommendation
Set this policy to Enabled.
RDS Password Prompt
Category: Network and credentials
OS: Windows
Description
Verifies the local group policy Always prompt for password upon connection, located in Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security.
This policy setting specifies whether Remote Desktop Services always prompts the client for a password upon connection.
You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client.
By default, Remote Desktop Services allows users to automatically log on by entering a password in the Remote Desktop Connection client.
If you enable this policy setting, users cannot automatically log on to Remote Desktop Services by supplying their passwords in the Remote Desktop Connection client. They are prompted for a password to log on.
Recommendation
Set this policy to Enabled.
Secure RPC Communication
Category: Network and credentials
OS: Windows
Description
Verifies the local group policy Require secure RPC communication, located in Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security.
Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication.
You can use this setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests.
If the status is set to Enabled, Remote Desktop Services accepts requests from RPC clients that support secure requests, and does not allow unsecured communication with untrusted clients.
Recommendation
Set this policy to Enabled.
Client Encryption Level
Category: Network and credentials
OS: Windows
Description
Verifies the local group policy Set client connection encryption level, located in Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security.
Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections.
This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended.
This policy does not apply to SSL encryption.
If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the encryption method specified in this setting.
By default, the encryption level is set to High Level (the recommended option). This setting encrypts data sent from the client to the server and from the server to the client by using strong 128-bit encryption.
Use this encryption level in environments that contain only 128-bit clients (for example, clients that run Remote Desktop Connection).
Clients that do not support this encryption level cannot connect to RD Session Host servers.
Recommendation
Set this policy to Enabled > High Level.
Download Enclosures
Category: OS security
OS: Windows
Description
Verifies the local group policy Prevent downloading of enclosures, located in Computer Configuration\Administrative Templates\Windows Components\RSS Feeds.
This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's computer.
If you enable this policy setting, the user cannot set the Feed Sync Engine to download an enclosure through the Feed property page. A developer cannot change the download setting through the Feed APIs.
Recommendation
Set this policy to Enabled.
Indexing Encrypted Files
Category: OS security
OS: Windows
Description
Verifies the local group policy Allow indexing of encrypted files, located in Computer Configuration\Administrative Templates\Windows Components\Search.
This policy setting allows encrypted items to be indexed.
If you enable this policy setting, indexing will attempt to decrypt and index the content (access restrictions will still apply).
If you disable this policy setting, the search service components (including non-Microsoft components) are expected not to index encrypted items or encrypted stores.
This policy setting is not configured by default.
If you do not configure this policy setting, the local setting, configured through Control Panel, will be used.
By default, the Control Panel setting is set to not index encrypted content. When this setting is enabled or disabled, the index is rebuilt completely.
Full volume encryption (such as BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of the index to maintain security for encrypted files.
Recommendation
Set this policy to Disabled.
Modify Exploit Protection Settings
Category: OS security
OS: Windows
Description
Verifies the local group policy Prevent users from modifying settings, located in Computer Configuration\Administrative Templates\Windows Components\Windows Defender Security Center\App and browser protection or in Computer Configuration\Administrative Templates\Windows Components\Windows Security\App and browser protection (according to the Windows version).
This policy setting allows preventing users from making changes to the Exploit protection settings area in the Windows Defender Security Center.
Recommendation
Set this policy to Enabled.
Game Recording and Broadcasting
Category: OS security
OS: Windows
Description
Verifies the local group policy Enables or disables Windows Game Recording and Broadcasting, located in Computer Configuration\Administrative Templates\Windows Components\Windows Game Recording and Broadcasting.
This setting enables or disables the Windows Game Recording and Broadcasting features.
Recommendation
Set this policy to Disabled.
Windows Ink Workspace
Category: OS security
OS: Windows
Description
Verifies the local group policy Allow Windows Ink Workspace, located in Computer Configuration\Administrative Templates\Windows Components\Windows Ink Workspace.
This setting is supported from Windows 10 Redstone.
Recommendation
Set this policy to Enabled > On, but disallow access above lock.
User Control Over Installs
Category: OS security
OS: Windows
Description
Verifies the local group policy Allow user control over installs, located in Computer Configuration\Administrative Templates\Windows Components\Windows Installer.
This policy permits users to change installation options that typically are available only to system administrators.
If you enable this policy setting, some of the security features of Windows Installer are bypassed. It permits installations to complete that otherwise would be halted due to a security violation.
This policy setting is designed for less restrictive environments. It can be used to circumvent errors in an installation program that prevents software from being installed.
Recommendation
Set this policy to Disabled.
Install with Elevated Privileges
Category: OS security
OS: Windows
Description
Verifies the local group policy Always install with elevated privileges, located in Computer Configuration\Administrative Templates\Windows Components\Windows Installer.
This policy setting directs Windows Installer to use elevated permissions when it installs any program on the system.
If you enable this policy setting, privileges are extended to all programs. These privileges are usually reserved for programs that have been assigned to the user (offered on the desktop), assigned to the computer (installed automatically), or made available in Add or Remove Programs in Control Panel.
This profile setting lets users install programs that require access to directories that the user might not have permission to view or change, including directories on highly restricted computers.
Note
This policy setting appears both in the Computer Configuration and User Configuration folders. To make this policy setting effective, you must enable it in both folders.
Warning
Skilled users can take advantage of the permissions this policy setting grants to change their privileges and gain permanent access to restricted files and folders.
The User Configuration version of this policy setting is not guaranteed to be secure.
Recommendation
Set this policy to Disabled.
Auto Sign-in After Restart
Category: OS security
OS: Windows
Description
Verifies the local group policy Sign-in last interactive user automatically after a system-initiated restart, located in Computer Configuration\Administrative Templates\Windows Components\Windows Logon Options.
This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system.
If you enable or do not configure this policy setting, the device securely saves the user's credentials (including the user name, domain and encrypted password) to configure automatic sign-in after a Windows Update restart.
After the Windows Update restart, the user is automatically signed-in and the session is automatically locked with all the lock screen apps configured for that user.
If you disable this policy setting, the device does not store the user's credentials for automatic sign-in after a Windows Update restart. The users' lock screen apps are not restarted after the system restarts.
Recommendation
Set this policy to Disabled.
PowerShell Script Block Logging
Category: OS security
OS: Windows
Description
Verifies the local group policy Turn on PowerShell Script Block Logging, located in Computer Configuration\Administrative Templates\Windows Components\Windows PowerShell.
This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log.
If you enable this policy setting, Windows PowerShell will log the processing of commands, script blocks, functions, and scripts - whether invoked interactively, or through automation.
If you disable this policy setting, logging of PowerShell script input is disabled.
Note
This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting.
Recommendation
Set this policy to Enabled.
WinRM Client Basic Authentication
Category: OS security
OS: Windows
Description
Verifies the local group policy Allow Basic authentication, located in Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Client.
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication.
If you enable this policy setting, the WinRM client uses Basic authentication.
If WinRM is configured to use HTTP transport, the user name and password are sent over the network as clear text.
Recommendation
Set this policy to Disabled.
WinRM Client Unencrypted Traffic
Category: OS security
OS: Windows
Description
Verifies the local group policy Allow unencrypted traffic, located in Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Client.
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network.
If you disable or do not configure this policy setting, the WinRM client sends or receives only encrypted messages over the network.
Recommendation
Set this policy to Disabled.
WinRM Client Digest Authentication
Category: OS security
OS: Windows
Description
Verifies the local group policy Disallow Digest authentication, located in Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Client.
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Digest authentication.
If you enable this policy setting, the WinRM client does not use Digest authentication.
Recommendation
Set this policy to Enabled.
WinRM Service Basic Authentication
Category: OS security
OS: Windows
Description
Verifies the local group policy Allow Basic authentication, located in Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service.
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client.
If you disable or do not configure this policy setting, the WinRM service does not accept Basic authentication from a remote client.
Recommendation
Set this policy to Disabled.
WinRM Service Unencrypted Traffic
Category: OS security
OS: Windows
Description
Verifies the local group policy Allow unencrypted traffic, located in Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service.
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network.
If you disable or do not configure this policy setting, the WinRM client sends or receives only encrypted messages over the network.
Recommendation
Set this policy to Disabled.
WinRM Service RunAs Credentials
Category: OS security
OS: Windows
Description
Verifies the local group policy Disallow WinRM from storing RunAs credentials, located in Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service.
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will not allow RunAs credentials to be stored for any plug-ins.
If you enable this policy setting, the WinRM service will not allow the RunAsUser or RunAsPassword configuration values to be set for any plug-ins. If a plug-in has already set the RunAsUser and RunAsPassword configuration values, the RunAsPassword configuration value will be erased from the credential store on this computer.
Recommendation
Set this policy to Enabled.
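The six WinRM client and service policies above, together with PowerShell Script Block Logging, can be audited in one pass. The following script is an added example, not code from the page or the product it documents: it reads the policy registry values these settings write, compares each with the page's recommendation, and cross-checks the effective WinRM configuration through the WSMan: provider. The registry paths and value names are stated to the best of the author's knowledge; confirm them against the ADMX files in your environment.

```powershell
# Added audit example (not part of the original page). Registry paths and value
# names are stated to the best of the author's knowledge; verify against the ADMX.
$PolicyBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows'

# One row per check: the policy as shown in the Group Policy editor, where it is
# stored, and the DWORD value that corresponds to the recommended state.
$Checks = @(
    @{ Name = 'WinRM Client: Allow Basic authentication (Disabled)'
       Path = "$PolicyBase\WinRM\Client";  Value = 'AllowBasic';              Expected = 0 }
    @{ Name = 'WinRM Client: Allow unencrypted traffic (Disabled)'
       Path = "$PolicyBase\WinRM\Client";  Value = 'AllowUnencryptedTraffic'; Expected = 0 }
    @{ Name = 'WinRM Client: Disallow Digest authentication (Enabled)'
       Path = "$PolicyBase\WinRM\Client";  Value = 'AllowDigest';             Expected = 0 }
    @{ Name = 'WinRM Service: Allow Basic authentication (Disabled)'
       Path = "$PolicyBase\WinRM\Service"; Value = 'AllowBasic';              Expected = 0 }
    @{ Name = 'WinRM Service: Allow unencrypted traffic (Disabled)'
       Path = "$PolicyBase\WinRM\Service"; Value = 'AllowUnencryptedTraffic'; Expected = 0 }
    @{ Name = 'WinRM Service: Disallow storing RunAs credentials (Enabled)'
       Path = "$PolicyBase\WinRM\Service"; Value = 'DisableRunAs';            Expected = 1 }
    @{ Name = 'PowerShell: Turn on Script Block Logging (Enabled)'
       Path = "$PolicyBase\PowerShell\ScriptBlockLogging"; Value = 'EnableScriptBlockLogging'; Expected = 1 }
)

function Test-PolicyValue {
    param([hashtable]$Check)
    $actual = $null
    $item = Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction SilentlyContinue
    if ($null -ne $item) { $actual = $item.($Check.Value) }

    # Absence is reported as NotConfigured rather than NonCompliant: for the two
    # "Allow unencrypted traffic" policies and the service's "Allow Basic" the page
    # says the not-configured default is already the safe one; for Digest, RunAs
    # and Script Block Logging it is not, so NotConfigured still needs attention.
    $status = if ($null -eq $actual) { 'NotConfigured' }
              elseif ([int]$actual -eq $Check.Expected) { 'Compliant' }
              else { 'NonCompliant' }

    [pscustomobject]@{
        Policy   = $Check.Name
        Key      = "$($Check.Path)\$($Check.Value)"
        Expected = $Check.Expected
        Actual   = $actual
        Status   = $status
    }
}

$results = $Checks | ForEach-Object { Test-PolicyValue -Check $_ }
$results | Format-Table -AutoSize

# Cross-check the effective WinRM settings through the WSMan: provider, which
# reflects policy and local winrm configuration together (needs the WinRM service).
if (Get-Service WinRM -ErrorAction SilentlyContinue) {
    foreach ($p in 'Client\Auth\Basic', 'Client\Auth\Digest', 'Client\AllowUnencrypted',
                   'Service\Auth\Basic', 'Service\AllowUnencrypted') {
        $i = Get-Item "WSMan:\localhost\$p" -ErrorAction SilentlyContinue
        if ($i) { '{0,-26} effective = {1}' -f $p, $i.Value }
    }
}

# Non-zero exit lets a scheduler or configuration tool treat findings as a failure.
if ($results | Where-Object Status -ne 'Compliant') { exit 1 }
```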
Install ActiveX
Category: Browser security
OS: Windows
Description
Verifies the local group policy Prevent per-user installation of ActiveX controls, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer.
This policy setting allows you to prevent the installation of ActiveX controls on a per-user basis.
If you enable this policy setting, ActiveX controls cannot be installed on a per-user basis.
Recommendation
Set this policy to Enabled.
Security Zones Add / Delete Sites
Category: Browser security
OS: Windows
Description
Verifies the local group policy Security Zones: Do not allow users to add/delete sites, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer.
This policy prevents users from adding or removing sites from security zones. A security zone is a group of Web sites with the same security level.
If you enable this policy, the site management settings for security zones are disabled. (To see the site management settings for security zones, in the Internet Options dialog box, click the Security tab, and then click the Sites button.)
This policy prevents users from changing site management settings for security zones established by the administrator.
Note
The Disable the Security page policy (located in User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from the interface, takes precedence over this policy.
If it is enabled, this policy is ignored.
Also, see the Security zones: Use only machine settings policy.
Recommendation
Set this policy to Enabled.
Security Zones Change Policies
Category: Browser security
OS: Windows
Description
Verifies the local group policy Security Zones: Do not allow users to change policies, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer.
This policy prevents users from changing security zone settings. A security zone is a group of Web sites with the same security level.
If you enable this policy, the Custom Level button and security-level slider on the Security tab in the Internet Options dialog box are disabled.
Note
The Disable the Security page policy (located in User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from Internet Explorer in Control Panel, takes precedence over this policy.
If it is enabled, this policy is ignored.
Also, see the Security zones: Use only machine settings policy.
Recommendation
Set this policy to Enabled.
Security Zones Only Machine Settings
Category: Browser security
OS: Windows
Description
Verifies the local group policy Security Zones: Use only machine settings, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer.
This policy applies security zone information to all users of the same computer. A security zone is a group of Web sites with the same security level.
If you enable this policy, changes that the user makes to a security zone will apply to all users of that computer.
This policy is intended to ensure that security zone settings apply uniformly to the same computer and do not vary from user to user.
Also, see the Security zones: Do not allow users to change policies policy.
Recommendation
Set this policy to Enabled.
ActiveX Installer Service
Category: Browser security
OS: Windows
Description
Verifies the local group policy Specify use of ActiveX Installer Service for installation of ActiveX controls, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer.
This policy setting allows you to specify how ActiveX controls are installed.
If you enable this policy setting, ActiveX controls are installed only if the ActiveX Installer Service is present and has been configured to allow the installation of ActiveX controls.
Recommendation
Set this policy to Enabled.
Crash Detection
Category: Browser security
OS: Windows
Description
Verifies the local group policy Turn off Crash Detection, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer.
This policy setting allows you to manage the crash detection feature of add-on Management.
If you enable this policy setting, a crash in Internet Explorer will exhibit behavior found in Windows XP Professional Service Pack 1 and earlier, namely to invoke Windows Error Reporting.
All policy settings for Windows Error Reporting continue to apply.
If you disable or do not configure this policy setting, the crash detection feature for add-on management will be functional.
Recommendation
Set this policy to Enabled.
Security Settings Check
Category: Browser security
OS: Windows
Description
Verifies the local group policy Turn off the Security Settings Check feature, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer.
This policy setting turns off the Security Settings Check feature, which checks Internet Explorer security settings to determine when the settings put Internet Explorer at risk.
If you disable or do not configure this policy setting, the feature is turned on.
Recommendation
Set this policy to Disabled.
Certificate Errors
Category: Browser security
OS: Windows
Description
Verifies the local group policy Prevent ignoring certificate errors, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel.
This policy setting prevents the user from ignoring Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate errors that interrupt browsing (such as "expired", "revoked", or "name mismatch" errors) in Internet Explorer.
If you enable this policy setting, the user cannot continue browsing.
If you disable or do not configure this policy setting, the user can choose to ignore certificate errors and continue browsing.
Recommendation
Set this policy to Enabled.
Run Software if Signature Invalid
Category: Browser security
OS: Windows
Description
Verifies the local group policy Allow software to run or install even if the signature is invalid, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page.
This policy setting allows you to manage whether software, such as ActiveX controls and file downloads, can be installed or run by the user even though the signature is invalid. An invalid signature might indicate that someone has tampered with the file.
If you enable this policy setting, users will be prompted to install or run files with an invalid signature.
If you disable this policy setting, users cannot run or install files with an invalid signature.
If you do not configure this policy, users can choose to run or install files with an invalid signature.
Recommendation
Set this policy to Disabled.
Server Certificate Revocation
Category: Browser security
OS: Windows
Description
Verifies the local group policy Check for server certificate revocation, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page.
This policy setting allows you to manage whether Internet Explorer will check revocation status of servers' certificates.
Certificates are revoked when they have been compromised or are no longer valid, and this option protects users from submitting confidential data to a site that may be fraudulent or not secure.
If you enable this policy setting, Internet Explorer will check to see if server certificates have been revoked.
Recommendation
Set this policy to Enabled.
Downloaded Programs Signatures
Category: Browser security
OS: Windows
Description
Verifies the local group policy Check for signatures on downloaded programs, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page.
This policy setting allows you to manage whether Internet Explorer checks for digital signatures (which identifies the publisher of signed software and verifies it has not been modified or tampered with) on user computers before downloading executable programs.
If you enable this policy setting, Internet Explorer will check the digital signatures of executable programs and display their identities before downloading them to user computers.
Recommendation
Set this policy to Enabled.
ActiveX Protected Mode
Category: Browser security
OS: Windows
Description
Verifies the local group policy Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page.
This policy setting prevents ActiveX controls from running in Protected Mode when Enhanced Protected Mode is enabled.
When a user has an ActiveX control installed that is not compatible with Enhanced Protected Mode and a website attempts to load the control, Internet Explorer notifies the user and gives the option to run the website in regular Protected Mode.
This policy setting disables this notification and forces all websites to run in Enhanced Protected Mode. Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows.
For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system.
When Enhanced Protected Mode is enabled, and a user encounters a website that attempts to load an ActiveX control that is not compatible with Enhanced Protected Mode, Internet Explorer notifies the user and gives the option to disable Enhanced Protected Mode for that particular website.
If you enable this policy setting, Internet Explorer will not give the user the option to disable Enhanced Protected Mode.
All Protected Mode websites will run in Enhanced Protected Mode.
Recommendation
Set this policy to Enabled.
Encryption Support
Category: Browser security
OS: Windows
Description
Verifies the local group policy Turn off encryption support, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page.
This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the browser and the target server.
When the browser attempts to set up a protected communication with the target server, the browser and server negotiate which protocol and version to use.
The browser and server attempt to match each other’s list of supported protocols and versions, and they select the most preferred match.
If you enable this policy setting, the browser will only negotiate an encrypted connection using the protocol versions you select from the drop-down list; any version you leave unselected is never offered.
Recommendation
Set this policy to Enabled > Use TLS 1.1; Use TLS 1.2.
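The following audit script is an added example, not code from the original page or from the product it describes. It assumes that the Turn off encryption support policy writes the SecureProtocols DWORD under HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings, and that the value is a bitmask with one bit per protocol version (SSL 2.0 = 8, SSL 3.0 = 32, TLS 1.0 = 128, TLS 1.1 = 512, TLS 1.2 = 2048). Under those assumptions the recommendation above (Use TLS 1.1; Use TLS 1.2) corresponds to the mask 2560, and the script reports which versions an endpoint actually allows.

```powershell
# Added audit example; not code from the original page.
# Assumption: the "Turn off encryption support" Group Policy stores its
# selection as the SecureProtocols DWORD bitmask under this policy key.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

# Bit values of the SecureProtocols mask (assumed documented values).
$protocolBits = [ordered]@{
    'SSL 2.0' = 8
    'SSL 3.0' = 32
    'TLS 1.0' = 128
    'TLS 1.1' = 512
    'TLS 1.2' = 2048
}

# Recommended configuration: only TLS 1.1 and TLS 1.2 (512 + 2048 = 2560).
$recommendedMask = $protocolBits['TLS 1.1'] + $protocolBits['TLS 1.2']

function Get-EnabledProtocols {
    param([int]$Mask)
    # Translate the bitmask into the names of the protocol versions it enables.
    $protocolBits.GetEnumerator() |
        Where-Object { ($Mask -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

function Test-EncryptionSupportPolicy {
    $item = Get-ItemProperty -Path $policyKey -Name 'SecureProtocols' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Policy not configured: the browser default and the user decide, so flag it.
        return [pscustomobject]@{ Status = 'NotConfigured'; Mask = $null; Enabled = @() }
    }
    $mask    = [int]$item.SecureProtocols
    $enabled = @(Get-EnabledProtocols -Mask $mask)
    # Any version weaker than TLS 1.1 still enabled is the finding that matters most.
    $weak = $enabled | Where-Object { $_ -in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0' }
    $status = if ($mask -eq $recommendedMask) { 'Compliant' }
              elseif ($weak) { 'WeakProtocolEnabled' }
              else { 'Deviates' }
    [pscustomobject]@{ Status = $status; Mask = $mask; Enabled = $enabled }
}

Test-EncryptionSupportPolicy | Format-List
```

Run it in an elevated PowerShell session on the endpoint; a Status of WeakProtocolEnabled means a deprecated SSL/TLS version is still negotiable and the policy should be corrected to the recommended selection.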
IE 64-bit Processes
Category: Browser security
OS: Windows
Description
Verifies the local group policy Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page.
This policy setting determines whether Internet Explorer 11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows.
Important
Some ActiveX controls and toolbars may not be available when 64-bit processes are used.
If you enable this policy setting, Internet Explorer 11 will use 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.
If you do not configure this policy setting, users can turn this feature on or off using Internet Explorer settings. This feature is turned off by default.
Recommendation
Set this policy to Enabled.
Enhanced Protected Mode
Category: Browser security
OS: Windows
Description
Verifies the local group policy Turn on Enhanced Protected Mode, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page.
Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows.
For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system.
If you enable this policy setting, Enhanced Protected Mode will be turned on.
Any zone that has Protected Mode enabled will use Enhanced Protected Mode. Users will not be able to disable Enhanced Protected Mode.
If you do not configure this policy, users will be able to turn on or turn off Enhanced Protected Mode on the Advanced tab of the Internet Options dialog.
Recommendation
Set this policy to Enabled.
Intranet UNCs
Category: Browser security
OS: Windows
Description
Verifies the local group policy Intranet Sites: Include all network paths (UNCs), located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page.
This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone.
If you enable this policy setting, all network paths are mapped into the Intranet Zone.
If you disable this policy setting, network paths are not necessarily mapped into the Intranet Zone (other rules might map one there).
Recommendation
Set this policy to Disabled.
Certificate Address Mismatch Warning
Category: Browser security
OS: Windows
Description
Verifies the local group policy Turn on certificate address mismatch warning, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page.
This policy setting allows you to turn on the certificate address mismatch security warning.
When this policy setting is turned on, the user is warned when visiting Secure HTTP (HTTPS) websites that present certificates issued for a different website address.
This warning helps prevent spoofing attacks.
If you enable this policy setting, the certificate address mismatch warning always appears.
Recommendation
Set this policy to Enabled.
Access Data Across Domains
Category: Browser security
OS: Windows
Description
Verifies the local group policy Access data sources across domains, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Allow cut, copy or paste operations from the clipboard via script (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Allow cut, copy or paste operations from the clipboard via script, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.
This setting allows managing whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region.
If you enable this policy setting, a script can perform a clipboard operation.
If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations.
If you disable or do not configure this policy setting, a script cannot perform a clipboard operation.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Allow drag and drop or copy and paste files (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Allow drag and drop or copy and paste files, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.
This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone.
If you enable this policy setting, users can drag files or copy and paste files from this zone automatically.
If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Allow loading of XAML files (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Allow loading of XAML files, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.
This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files.
XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take advantage of the Windows Presentation Foundation.
If you enable this policy setting and set the drop-down box to Enable, XAML files are automatically loaded inside Internet Explorer.
The user cannot change this behavior.
If you set the drop-down box to Prompt, the user is prompted for loading XAML files.
If you disable this policy setting, XAML files are not loaded inside Internet Explorer.
The user cannot change this behavior.
If you do not configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Allow only approved domains to use ActiveX controls without prompt (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Allow only approved domains to use ActiveX controls without prompt, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.
This policy setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control.
If you enable this policy setting, the user is prompted before ActiveX controls can run from websites in this zone.
The user can choose to allow the control to run from the current site or from all sites.
If you disable this policy setting, the user does not see the per-site ActiveX prompt, and ActiveX controls can run from all sites in this zone.
Recommendation
Set this policy to Enabled > Enable.
Internet Explorer: Allow only approved domains to use the TDC ActiveX control (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Allow only approved domains to use the TDC ActiveX control, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.
This policy setting controls whether or not the user is allowed to run the TDC ActiveX control on websites.
If you enable this policy setting, the TDC ActiveX control will not run from websites in this zone.
Recommendation
Set this policy to Enabled > Enable.
Internet Explorer: Allow scripting of Internet Explorer WebBrowser controls (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Allow scripting of Internet Explorer WebBrowser controls, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.
This policy setting determines whether a page can control embedded WebBrowser controls via script.
If you enable this policy setting, script access to the WebBrowser control is allowed.
If you do not configure this policy setting, the user can enable or disable script access to the WebBrowser control.
By default, script access to the WebBrowser control is allowed only in the Local Machine and Intranet zones.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Allow script-initiated windows without size or position constraints (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Allow script-initiated windows without size or position constraints, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.
This policy setting allows managing restrictions on script-initiated pop-up windows and windows that include the title and status bars.
If you enable this policy setting, Windows Restrictions security will not apply in this zone.
The security zone runs without the added layer of security provided by this feature.
If you disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run.
This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.
If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run.
This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Allow scriptlets (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Allow scriptlets, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.
This setting allows managing whether the user can run scriptlets.
If you enable this policy setting, the user can run scriptlets.
If you disable this policy setting, the user cannot run scriptlets.
If you do not configure this policy setting, the user can enable or disable scriptlets.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Allow updates to status bar via script (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Allow updates to status bar via script, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.
This setting allows managing whether script is allowed to update the status bar within the zone.
If you enable this policy setting, script is allowed to update the status bar.
If you disable or do not configure this policy setting, script is not allowed to update the status bar.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Allow VBScript to run in Internet Explorer (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Allow VBScript to run in Internet Explorer, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.
This policy setting allows you to manage whether VBScript can be run on pages from the specified zone in Internet Explorer.
If you select Enable in the drop-down box, VBScript can run without user intervention.
If you select Prompt in the drop-down box, users are asked to choose whether to allow VBScript to run.
If you select Disable in the drop-down box or do not configure this setting, VBScript is prevented from running.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Automatic prompting for file downloads (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Automatic prompting for file downloads, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.
This setting determines whether users will be prompted for non-user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
If you enable this setting, users will receive a file download dialog for automatic download attempts.
If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog.
Users can then click the Notification bar to allow the file download prompt.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Don't run antimalware programs against ActiveX controls (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Don't run antimalware programs against ActiveX controls, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.
This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they are safe to load on pages.
If you disable this policy, Internet Explorer always checks with your antimalware program to see if it is safe to create an instance of the ActiveX control.
If you do not configure this policy, Internet Explorer always checks with your antimalware program to see if it is safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Download signed ActiveX controls (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Download signed ActiveX controls, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.
This policy allows managing whether users may download signed ActiveX controls from a page in the zone.
If you enable this policy, users can download signed controls without user intervention.
If you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who are not trusted. Code signed by trusted publishers is silently downloaded.
If you disable the policy setting, signed controls cannot be downloaded.
If you do not configure this policy, users are queried whether to download controls signed by publishers who are not trusted.
Code signed by trusted publishers is silently downloaded.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Download unsigned ActiveX controls (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Download unsigned ActiveX controls, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.
This policy allows you to manage whether users may download unsigned ActiveX controls from the zone.
Such code is potentially harmful, especially when coming from an untrusted zone.
If you enable this policy, users can run unsigned controls without user intervention.
If you select Prompt in the drop-down box, users are queried to choose whether to allow the unsigned control to run.
If you disable or do not configure this policy, users cannot run unsigned controls.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Enable dragging of content from different domains across windows (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Enable dragging of content from different domains across windows, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.
This policy allows setting options for dragging content from one domain to a different domain when the source and destination are in different windows.
If you enable this policy and click Enable, users can drag content from one domain to a different domain when the source and destination are in different windows.
Users cannot change this setting.
If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when the source and destination are in different windows.
Users cannot change this setting.
In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in different windows.
Users can change this setting in the Internet Options dialog.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Enable dragging of content from different domains within a window (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Enable dragging of content from different domains within a window, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.
This policy setting allows setting options for dragging content from one domain to a different domain when the source and destination are in the same window.
If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in the same window.
Users cannot change this setting.
If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when the source and destination are in the same window.
Users cannot change this setting in the Internet Options dialog.
In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in the same window.
Users can change this setting in the Internet Options dialog.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Include local path when user is uploading files to a server (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Include local path when user is uploading files to a server, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.
This policy controls if the local path information is sent when the user is uploading a file via an HTML form.
If the local path information is sent, some information may be unintentionally revealed to the server.
For instance, files sent from the user's desktop may contain the user name as a part of the path.
If you enable this policy, path information is sent when the user is uploading a file via an HTML form.
If you disable this policy, path information is removed when the user is uploading a file via an HTML form.
If you do not configure this policy, the user can choose whether path information is sent when uploading a file via an HTML form.
By default, path information is sent.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Initialize and script ActiveX controls not marked as safe (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Initialize and script ActiveX controls not marked as safe, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.
This policy allows managing ActiveX controls not marked as safe.
If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts.
This setting is not recommended, except for secure and administered zones.
This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
If you enable this policy and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
If you disable or do not configure this policy, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Java permissions (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Java permissions, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.
This policy allows you to manage permissions for Java applets.
If you enable this setting, you can choose one of the following options from the drop-down box:
High Safety: enables applets to run in their sandbox.
Medium Safety: enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
Low Safety: enables applets to perform all operations.
Custom: controls permission settings individually.
Disable Java: prevents any applets from running.
If you do not configure this policy, the permission is set to High Safety.
Recommendation
Set this policy to Enabled > Disable Java.
Internet Explorer: Launching applications and files in an IFRAME (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Launching applications and files in an IFRAME, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.
This policy allows managing whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone.
If you enable this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention.
If you select Prompt in the drop-down box or do not configure this policy, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone.
If you disable this policy, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Logon options (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Logon options, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.
This policy allows managing settings for logon options. If you enable this policy, you can choose from the following logon options:
Anonymous logon: to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol.
Prompt for user name and password: to query users for user IDs and passwords.
After a user is queried, these values can be used silently for the remainder of the session.
Automatic logon only in Intranet zone: to query users for user IDs and passwords in other zones.
After a user is queried, these values can be used silently for the remainder of the session.
Automatic logon with current user name and password: to attempt logon using Windows NT Challenge Response (also known as NTLM authentication).
If Windows NT Challenge Response is supported by the server, the user's network user name and password are used for the logon.
If Windows NT Challenge Response is not supported by the server, the user is queried to provide the user name and password.
If you disable or do not configure this policy setting, logon is set to Automatic logon only in Intranet zone.
Recommendation
Set this policy to Enabled > Prompt for user name and password.
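The following audit script is an added example that serves both the Java permissions and the Logon options entries above; it is not code from the original page or from the product it describes. It assumes that Internet Zone policies are stored under zone id 3 of HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones, that Java permissions is value name 1C00 and Logon options is value name 1A00, and that the numeric encodings listed in the script map to the drop-down choices described in the two entries. Under those assumptions it reports the effective choice on an endpoint and whether it matches the recommendation.

```powershell
# Added audit example; not code from the original page.
# Assumptions: Internet Zone policies live under zone id 3 of the machine
# policy key; "Java permissions" is value 1C00 and "Logon options" is value
# 1A00, with the numeric encodings below (assumed URL action values).
$zoneKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Encodings of the Java permissions drop-down choices (assumed).
$javaPermissions = @{
    0x000000 = 'Disable Java'
    0x010000 = 'High Safety'
    0x020000 = 'Medium Safety'
    0x030000 = 'Low Safety'
    0x800000 = 'Custom'
}
# Encodings of the Logon options drop-down choices (assumed).
$logonOptions = @{
    0x000000 = 'Automatic logon with current user name and password'
    0x010000 = 'Prompt for user name and password'
    0x020000 = 'Automatic logon only in Intranet zone'
    0x030000 = 'Anonymous logon'
}

function Get-ZonePolicyValue {
    param([string]$Name)
    # Returns $null when the policy is not configured at machine level.
    $item = Get-ItemProperty -Path $zoneKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    [int]$item.$Name
}

function Test-ZoneOption {
    param(
        [string]$Setting,
        [string]$ValueName,
        [hashtable]$Meanings,
        [string]$Recommended
    )
    $raw = Get-ZonePolicyValue -Name $ValueName
    # Map the raw DWORD to the drop-down wording used in the policy editor.
    $meaning = if ($null -eq $raw) { 'Not configured' }
               elseif ($Meanings.ContainsKey($raw)) { $Meanings[$raw] }
               else { 'Unknown value 0x{0:X}' -f $raw }
    [pscustomobject]@{
        Setting     = $Setting
        Value       = $meaning
        Recommended = $Recommended
        Compliant   = ($meaning -eq $Recommended)
    }
}

Test-ZoneOption -Setting 'Java permissions' -ValueName '1C00' -Meanings $javaPermissions -Recommended 'Disable Java'
Test-ZoneOption -Setting 'Logon options'    -ValueName '1A00' -Meanings $logonOptions    -Recommended 'Prompt for user name and password'
```

A Not configured result for Logon options means the browser falls back to Automatic logon only in Intranet zone, as the entry above states, so a site that is wrongly mapped into the Intranet zone would receive the user's Windows credentials silently; the same check pattern extends to the other Internet Zone values once their names and encodings are confirmed for the Internet Explorer version in use.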
Internet Explorer: Navigate windows and frames across different domains (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Navigate windows and frames across different domains, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.
This policy allows managing the opening of windows and frames and access of applications across different domains.
If you enable or do not configure this policy, users can open windows and frames from other domains and access applications from other domains.
If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
If you disable this policy, users cannot open windows and frames to access applications from different domains.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Run .NET Framework-reliant components not signed with Authenticode (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Run .NET Framework-reliant components not signed with Authenticode, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.
This setting allows managing whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer.
These components include managed controls referenced from an object tag and managed executables referenced from a link.
If you enable or do not configure this setting, Internet Explorer will execute unsigned managed components.
If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
If you disable this setting, Internet Explorer will not execute unsigned managed components.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Run .NET Framework-reliant components signed with Authenticode (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Run .NET Framework-reliant components signed with Authenticode, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.
This setting allows managing whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer.
These components include managed controls referenced from an object tag and managed executables referenced from a link.
If you enable this policy setting, Internet Explorer will execute signed managed components.
If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components.
If you disable this setting, Internet Explorer will not execute signed managed components.
If you do not configure this setting, Internet Explorer will not execute signed managed components.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Show security warning for potentially unsafe files (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Show security warning for potentially unsafe files, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.
This setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example).
If you enable this setting and set the drop-down box to Enable, these files open without a security warning.
If you set the drop-down box to Prompt, a security warning appears before the files open.
If you disable this setting, these files do not open.
If you do not configure this setting, the user can configure how the computer handles these files.
By default, these files are blocked in the Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones.
Recommendation
Set this policy to Enabled > Prompt.
Internet Explorer: Turn on Cross-Site Scripting Filter (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Turn on Cross-Site Scripting Filter, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.
This setting controls whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone.
If you enable this policy setting, the XSS Filter is turned on for sites in this zone, and the XSS Filter attempts to block cross-site script injections.
If you disable this policy setting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections.
Recommendation
Set this policy to Enabled > Enable.
Internet Explorer: Turn on Protected Mode (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Turn on Protected Mode, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.
This setting allows you to turn on Protected Mode.
Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system.
If you enable this policy setting, Protected Mode is turned on.
The user cannot turn off Protected Mode.
If you disable this policy setting, Protected Mode is turned off.
The user cannot turn on Protected Mode.
If you do not configure this policy setting, the user can turn on or turn off Protected Mode.
Recommendation
Set this policy to Enabled > Enable.
Internet Explorer: Turn on SmartScreen Filter scan (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Turn on SmartScreen Filter scan, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.
This setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
If you enable this setting, SmartScreen Filter scans pages in this zone for malicious content.
If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
Note
In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
Recommendation
Set this policy to Enabled > Enable.
Internet Explorer: Use Pop-up Blocker (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Use Pop-up Blocker, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.
This setting allows managing whether unwanted pop-up windows appear.
Pop-up windows that are opened when the end user clicks a link are not blocked.
If you enable or do not configure this policy setting, most unwanted pop-up windows are prevented from appearing.
If you disable this policy setting, pop-up windows are not prevented from appearing.
Recommendation
Set this policy to Enabled > Enable.
Internet Explorer: Userdata persistence (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Userdata persistence, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.
This setting allows managing the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
If you enable or do not configure this setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
If you disable this setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Web sites in less privileged Web content zones can navigate into this zone (Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Web sites in less privileged Web content zones can navigate into this zone, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.
This setting allows managing whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.
If you enable this setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature.
If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
If you disable this setting, the possibly harmful navigations are prevented.
The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
If you do not configure this setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Don't run antimalware programs against ActiveX controls (Intranet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Don't run antimalware programs against ActiveX controls, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone.
This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they are safe to load on pages.
If you enable or do not configure this policy setting, Internet Explorer will not check with your antimalware program to see if it is safe to create an instance of the ActiveX control.
If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it is safe to create an instance of the ActiveX control.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Initialize and script ActiveX controls not marked as safe (Intranet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Initialize and script ActiveX controls not marked as safe, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone.
This policy setting allows you to manage ActiveX controls not marked as safe.
If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts.
This setting is not recommended, except for secure and administered zones.
This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
If you disable or do not configure this setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Java permissions (Intranet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Java permissions, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone.
This policy setting allows managing permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box:
Custom: to control permissions settings individually.
Low Safety: enables applets to perform all operations.
Medium Safety: enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
High Safety: enables applets to run in their sandbox.
Disable Java: to prevent any applets from running.
If you disable this setting, Java applets cannot run.
If you do not configure this setting, the permission is set to Medium Safety.
Recommendation
Set this policy to Enabled > High Safety.
Internet Explorer: Don't run antimalware programs against ActiveX controls (Local Machine Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Don't run antimalware programs against ActiveX controls, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone.
This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they are safe to load on pages.
If you enable or do not configure this setting, Internet Explorer will not check with your antimalware program to see if it is safe to create an instance of the ActiveX control.
If you disable this setting, Internet Explorer always checks with your antimalware program to see if it is safe to create an instance of the ActiveX control.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Java permissions (Local Machine Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Java permissions, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone.
This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box:
Custom: to control permissions settings individually.
Low Safety: enables applets to perform all operations.
Medium Safety: enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
High Safety: enables applets to run in their sandbox.
Disable Java: to prevent any applets from running.
If you disable this setting, Java applets cannot run.
If you do not configure this setting, the permission is set to Medium Safety.
Recommendation
Set this policy to Enabled > Disable Java.
Internet Explorer: Turn on SmartScreen Filter scan (Locked-Down Internet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Turn on SmartScreen Filter scan, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone.
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
If you enable this setting, SmartScreen Filter scans pages in this zone for malicious content.
If you disable this setting, SmartScreen Filter does not scan pages in this zone for malicious content.
If you do not configure this setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
Note
In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
Recommendation
Set this policy to Enabled.
Internet Explorer: Java permissions (Locked-Down Intranet Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Java permissions, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone.
This setting allows managing permissions for Java applets. If you enable this setting, you can choose options from the drop-down box:
Custom: to control permissions settings individually.
Low Safety: enables applets to perform all operations.
Medium Safety: enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
High Safety: enables applets to run in their sandbox.
Disable Java: to prevent any applets from running.
Recommendation
Set this policy to Enabled > Disable Java.
Internet Explorer: Java permissions (Locked-Down Local Machine Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Java permissions, located in Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone.
This policy setting allows you to manage permissions for Java applets.
If you enable this policy setting, you can choose options from the drop-down box:
Custom: to control permissions settings individually.
Low Safety: enables applets to perform all operations.
Medium Safety: enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
High Safety: enables applets to run in their sandbox.
Disable Java: to prevent any applets from running.
If you disable this policy setting, Java applets cannot run.
If you do not configure this policy setting, Java applets are disabled.
Recommendation
Set this policy to Enabled > Disable Java.
Internet Explorer: Java permissions (Locked-Down Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Java permissions, located in Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone.
This policy setting allows you to manage permissions for Java applets.
If you enable this policy setting, you can choose options from the drop-down box:
Custom: to control permissions settings individually.
Low Safety: enables applets to perform all operations.
Medium Safety: enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
High Safety: enables applets to run in their sandbox.
Disable Java: to prevent any applets from running.
If you disable this policy setting, Java applets cannot run.
If you do not configure this policy setting, Java applets are disabled.
Recommendation
Set this policy to Enabled > Disable Java.
Internet Explorer: Turn on SmartScreen Filter scan (Locked-Down Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Turn on SmartScreen Filter scan, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone.
This setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
If you enable this setting, SmartScreen Filter scans pages in this zone for malicious content.
If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
Note
In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
Recommendation
Set this policy to Enabled > Enable.
Internet Explorer: Java permissions (Locked-Down Trusted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Java permissions, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone.
This setting allows managing permissions for Java applets.
If you enable this policy setting, you can choose options from the drop-down box:
Custom: to control permissions settings individually.
Low Safety: enables applets to perform all operations.
Medium Safety: enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
High Safety: enables applets to run in their sandbox.
Disable Java: to prevent any applets from running.
If you disable this setting, Java applets cannot run.
If you do not configure this setting, Java applets are disabled.
Recommendation
Set this policy to Enabled > Disable Java.
Internet Explorer: Access data sources across domains (Restricted Sites Zone)
Category: Network and credentials
OS: Windows
Description
Verifies the local group policy Access data sources across domains, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.
This policy setting allows managing whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
If you disable or do not configure this setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Allow active scripting (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Allow active scripting, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.
This setting allows you to manage whether script code on pages in the zone is run.
If you enable this setting, script code on pages in the zone can run automatically.
If you select Prompt in the drop-down box, users are queried to choose whether to allow script code on pages in the zone to run.
If you disable or do not configure this setting, script code on pages in the zone is prevented from running.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Allow binary and script behaviors (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Allow binary and script behaviors, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.
This setting allows managing dynamic binary and script behaviors: components that encapsulate specific functionality for HTML elements to which they were attached.
If you enable this setting, binary and script behaviors are available.
If you select Administrator approved in the drop-down box, only behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available.
If you disable or do not configure this setting, binary and script behaviors are not available unless applications have implemented a custom security manager.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Allow cut, copy or paste operations from the clipboard via script (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Allow cut, copy or paste operations from the clipboard via script, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.
This setting allows managing whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region.
If you enable this policy setting, a script can perform a clipboard operation.
If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations.
If you disable or do not configure this policy setting, a script cannot perform a clipboard operation.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Allow drag and drop or copy and paste files (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Allow drag and drop or copy and paste files, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.
This setting allows managing whether users can drag files or copy and paste files from a source within the zone.
If you enable this policy setting, users can drag files or copy and paste files from this zone automatically.
If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone.
If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this zone.
If you do not configure this policy setting, users are queried to choose whether to drag or copy files from this zone.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Allow file downloads (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Allow file downloads, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.
This setting allows managing whether file downloads are permitted from the zone.
This option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered.
If you enable this setting, files can be downloaded from the zone.
If you disable or do not configure this setting, files are prevented from being downloaded from the zone.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Allow loading of XAML files (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Allow loading of XAML files, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.
This setting allows managing the loading of Extensible Application Markup Language (XAML) files.
XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take advantage of the Windows Presentation Foundation.
If you enable this setting and set the drop-down box to Enable, XAML files are automatically loaded inside Internet Explorer. The user cannot change this behavior.
If you set the drop-down box to Prompt, the user is prompted for loading XAML files.
If you disable this setting, XAML files are not loaded inside Internet Explorer. The user cannot change this behavior.
If you do not configure this setting, the user can decide whether to load XAML files inside Internet Explorer.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Allow META REFRESH (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Allow META REFRESH, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.
This setting allows managing whether a user's browser can be redirected to another Web page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page.
If you enable this setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web page.
If you disable or do not configure this setting, a user's browser that loads a page containing an active Meta Refresh setting cannot be redirected to another Web page.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Allow only approved domains to use ActiveX controls without prompt (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Allow only approved domains to use ActiveX controls without prompt, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.
This setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control.
If you enable this setting, the user is prompted before ActiveX controls can run from websites in this zone.
The user can choose to allow the control to run from the current site or from all sites.
If you disable this setting, the user does not see the per-site ActiveX prompt, and ActiveX controls can run from all sites in this zone.
Recommendation
Set this policy to Enabled > Enable.
Internet Explorer: Allow only approved domains to use the TDC ActiveX control (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Allow only approved domains to use the TDC ActiveX control, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.
This setting controls whether or not the user is allowed to run the TDC ActiveX control on websites.
If you enable this setting, the TDC ActiveX control will not run from websites in this zone.
If you disable this setting, the TDC ActiveX control will run from all sites in this zone.
Recommendation
Set this policy to Enabled > Enable.
Internet Explorer: Allow scripting of Internet Explorer WebBrowser controls (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Allow scripting of Internet Explorer WebBrowser controls, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.
This setting determines whether a page can control embedded WebBrowser controls via script.
If you enable this setting, script access to the WebBrowser control is allowed.
If you disable this setting, script access to the WebBrowser control is not allowed.
If you do not configure this policy setting, the user can enable or disable script access to the WebBrowser control.
By default, script access to the WebBrowser control is allowed only in the Local Machine and Intranet zones.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Allow script-initiated windows without size or position constraints (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Allow script-initiated windows without size or position constraints, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.
This setting allows managing restrictions on script-initiated pop-up windows and windows that include the title and status bars.
If you enable this policy setting, Windows Restrictions security will not apply in this zone.
The security zone runs without the added layer of security provided by this feature.
If you disable this policy setting, the possibly harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run.
This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.
If you do not configure this policy setting, the possibly harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run.
This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Allow scriptlets (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Allow scriptlets, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.
This setting allows managing whether the user can run scriptlets.
If you enable this policy setting, the user can run scriptlets.
If you disable this policy setting, the user cannot run scriptlets.
If you do not configure this policy setting, the user can enable or disable scriptlets.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Allow updates to status bar via script (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Allow updates to status bar via script, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.
This setting allows managing whether script is allowed to update the status bar within the zone.
If you enable this policy setting, script is allowed to update the status bar.
If you disable or do not configure this policy setting, script is not allowed to update the status bar.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Allow VBScript to run in Internet Explorer (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Allow VBScript to run in Internet Explorer, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.
This policy setting allows you to manage whether VBScript can be run on pages from the specified zone in Internet Explorer.
If you select Enable in the drop-down box, VBScript can run without user intervention.
If you select Prompt in the drop-down box, users are asked to choose whether to allow VBScript to run.
If you select Disable in the drop-down box or do not configure this setting, VBScript is prevented from running.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Automatic prompting for file downloads (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Automatic prompting for file downloads, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.
This setting determines whether users will be prompted for non-user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
If you enable this setting, users will receive a file download dialog for automatic download attempts.
If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog.
Users can then click the Notification bar to allow the file download prompt.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Don't run antimalware programs against ActiveX controls (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Don't run antimalware programs against ActiveX controls, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.
This setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they are safe to load on pages.
If you enable this policy setting, Internet Explorer will not check with your antimalware program to see if it is safe to create an instance of the ActiveX control.
If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it is safe to create an instance of the ActiveX control.
If you do not configure this policy setting, Internet Explorer always checks with your antimalware program to see if it is safe to create an instance of the ActiveX control.
Users can turn this behavior on or off, using Internet Explorer Security settings.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Download signed ActiveX controls (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Download signed ActiveX controls, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.
This setting allows managing whether users may download signed ActiveX controls from a page in the zone.
If you enable this policy, users can download signed controls without user intervention.
If you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who are not trusted.
Code signed by trusted publishers is silently downloaded.
If you disable or do not configure this setting, signed controls cannot be downloaded.
Recommendation
Set this policy to Disabled.
Internet Explorer: Download unsigned ActiveX controls (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Download unsigned ActiveX controls, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.
This policy setting allows managing whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone.
If you enable this policy setting, users can run unsigned controls without user intervention.
If you select Prompt in the drop-down box, users are queried to choose whether to allow the unsigned control to run.
If you disable or do not configure this setting, users cannot run unsigned controls.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Enable dragging of content from different domains across windows (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Enable dragging of content from different domains across windows, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.
This setting allows setting options for dragging content from one domain to a different domain when the source and destination are in different windows.
If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in different windows.
Users cannot change this setting.
If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when the source and destination are in different windows.
Users cannot change this setting.
In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in different windows.
Users can change this setting in the Internet Options dialog.
In Internet Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different domain when the source and destination are in different windows.
Users cannot change this setting.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Enable dragging of content from different domains within a window (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Enable dragging of content from different domains within a window, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.
This setting allows setting options for dragging content from one domain to a different domain when the source and destination are in the same window.
If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in the same window.
Users cannot change this setting.
If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when the source and destination are in the same window.
Users cannot change this setting in the Internet Options dialog.
In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in the same window.
Users can change this setting in the Internet Options dialog.
In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from one domain to a different domain when the source and destination are in the same window.
Users cannot change this setting in the Internet Options dialog.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Include local path when user is uploading files to a server (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Include local path when user is uploading files to a server, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.
This setting controls whether or not local path information is sent when the user is uploading a file via an HTML form.
If the local path information is sent, some information may be unintentionally revealed to the server.
For instance, files sent from the user's desktop may contain the user name as a part of the path.
If you enable this setting, path information is sent when the user is uploading a file via an HTML form.
If you disable this setting, path information is removed when the user is uploading a file via an HTML form.
If you do not configure this setting, the user can choose whether path information is sent when he or she is uploading a file via an HTML form.
By default, path information is sent.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Initialize and script ActiveX controls not marked as safe (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Initialize and script ActiveX controls not marked as safe, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.
This setting allows managing ActiveX controls not marked as safe.
If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts.
This setting is not recommended, except for secure and administered zones.
This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
If you disable or do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Java permissions (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Java permissions, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.
This setting allows managing permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box:
Custom: to control permissions settings individually.
Low Safety: enables applets to perform all operations.
Medium Safety: enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
High Safety: enables applets to run in their sandbox.
Disable Java: to prevent any applets from running.
If you disable this setting, Java applets cannot run.
If you do not configure this setting, Java applets are disabled.
Recommendation
Set this policy to Enabled > Disable Java.
Internet Explorer: Launching applications and files in an IFRAME (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Launching applications and files in an IFRAME, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.
This setting allows managing whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone.
If you enable this setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention.
If you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone.
If you disable or do not configure this setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Logon options (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Logon options, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.
This setting allows managing settings for logon options.
If you enable this setting, you can choose from the following logon options:
Anonymous logon: to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol.
Prompt for user name and password: to query users for user IDs and passwords.
After a user is queried, these values can be used silently for the remainder of the session.
Automatic logon only in Intranet zone: to query users for user IDs and passwords in other zones.
After a user is queried, these values can be used silently for the remainder of the session.
Automatic logon with current user name and password: to attempt logon using Windows NT Challenge Response (also known as NTLM authentication).
If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon.
If Windows NT Challenge Response is not supported by the server, the user is queried to provide the user name and password.
If you disable this setting, logon is set to Automatic logon only in Intranet zone.
If you do not configure this setting, logon is set to Prompt for username and password.
Recommendation
Set this policy to Enabled > Anonymous logon.
Internet Explorer: Navigate windows and frames across different domains (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Navigate windows and frames across different domains, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.
This setting allows managing the opening of windows and frames and access of applications across different domains.
If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains.
If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains.
If you disable or do not configure this setting, users cannot open other windows and frames from other domains or access applications from different domains.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Run .NET Framework-reliant components not signed with Authenticode (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Run .NET Framework-reliant components not signed with Authenticode, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.
This setting allows managing whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer.
These components include managed controls referenced from an object tag and managed executables referenced from a link.
If you enable this policy setting, Internet Explorer will execute unsigned managed components.
If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
If you disable or do not configure this setting, Internet Explorer will not execute unsigned managed components.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Run .NET Framework-reliant components signed with Authenticode (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Run .NET Framework-reliant components signed with Authenticode, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.
This setting allows managing whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer.
These components include managed controls referenced from an object tag and managed executables referenced from a link.
If you enable this policy setting, Internet Explorer will execute signed managed components.
If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components.
If you disable this setting, Internet Explorer will not execute signed managed components.
If you do not configure this setting, Internet Explorer will not execute signed managed components.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Run ActiveX controls and plugins (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Run ActiveX controls and plugins, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.
This setting allows managing whether ActiveX controls and plug-ins can be run on pages from the specified zone.
If you enable this setting, controls and plug-ins can run without user intervention.
If you select Prompt in the drop-down box, users are asked to choose whether to allow the controls or plug-ins to run.
If you disable or do not configure this setting, controls and plug-ins are prevented from running.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Script ActiveX controls marked safe for scripting (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Script ActiveX controls marked safe for scripting, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.
This policy setting allows managing whether an ActiveX control marked safe for scripting can interact with a script.
If you enable this setting, script interaction can occur automatically without user intervention.
If you select Prompt in the drop-down box, users are queried to choose whether to allow script interaction.
If you disable or do not configure this setting, script interaction is prevented from occurring.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Scripting of Java applets (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Scripting of Java applets, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.
This setting allows managing whether applets are exposed to scripts within the zone.
If you enable this setting, scripts can access applets automatically without user intervention.
If you select Prompt in the drop-down box, users are queried to choose whether to allow scripts to access applets.
If you disable or do not configure this setting, scripts are prevented from accessing applets.
Recommendation
Set this policy to Enabled > Disable.
Show security warning for potentially unsafe files
Category: Browser security
OS: Windows
Description
This setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example).
If you enable this setting and set the drop-down box to Enable, these files open without a security warning.
If you set the drop-down box to Prompt, a security warning appears before the files open.
If you disable this setting, these files do not open.
If you do not configure this setting, the user can configure how the computer handles these files.
By default, these files are blocked in the Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones.
Recommendation
Internet Explorer: Turn on Cross-Site Scripting Filter (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Turn on Cross-Site Scripting Filter, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.
This setting controls whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone.
If you enable this setting, the XSS Filter is turned on for sites in this zone, and the XSS Filter attempts to block cross-site script injections.
If you disable this policy setting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections.
Recommendation
Set this policy to Enabled > Enable.
Internet Explorer: Turn on Protected Mode (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Turn on Protected Mode, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.
This setting allows turning on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system.
If you enable this setting, Protected Mode is turned on.
The user cannot turn off Protected Mode.
If you disable this setting, Protected Mode is turned off.
The user cannot turn on Protected Mode.
If you do not configure this setting, the user can turn on or turn off Protected Mode.
Recommendation
Set this policy to Enabled > Enable.
Internet Explorer: Turn on SmartScreen Filter scan (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Turn on SmartScreen Filter scan, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.
This setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
If you enable this setting, SmartScreen Filter scans pages in this zone for malicious content.
If you disable this setting, SmartScreen Filter does not scan pages in this zone for malicious content.
If you do not configure this setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
Note
In Internet Explorer 7, this setting controls whether Phishing Filter scans pages in this zone for malicious content.
Recommendation
Set this policy to Enabled > Enable.
Internet Explorer: Use Pop-up Blocker (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Use Pop-up Blocker, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.
This setting allows managing whether unwanted pop-up windows appear.
Pop-up windows that are opened when the end user clicks a link are not blocked.
If you enable or do not configure this setting, most unwanted pop-up windows are prevented from appearing.
If you disable this setting, pop-up windows are not prevented from appearing.
Recommendation
Set this policy to Enabled > Enable.
Internet Explorer: Userdata persistence (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Userdata persistence, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.
This setting allows managing the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
If you enable this setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
If you disable or do not configure this setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Web sites in less privileged Web content zones can navigate into this zone (Restricted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Web sites in less privileged Web content zones can navigate into this zone, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.
This setting allows managing whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
If you enable this setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.
The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature.
If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
If you disable or do not configure this setting, the possibly harmful navigations are prevented.
The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Don't run antimalware programs against ActiveX controls (Trusted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Don't run antimalware programs against ActiveX controls, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone.
This setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they are safe to load on pages.
If you enable this setting, Internet Explorer will not check with your antimalware program to see if it is safe to create an instance of the ActiveX control.
If you disable this setting, Internet Explorer always checks with your antimalware program to see if it is safe to create an instance of the ActiveX control.
If you do not configure this setting, Internet Explorer will not check with your antimalware program to see if it is safe to create an instance of the ActiveX control.
Users can turn this behavior on or off, using Internet Explorer Security settings.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Initialize and script ActiveX controls not marked as safe (Trusted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Initialize and script ActiveX controls not marked as safe, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone.
This setting allows managing ActiveX controls not marked as safe.
If you enable this setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts.
This setting is not recommended, except for secure and administered zones.
This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
If you enable this setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
If you disable this setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
If you do not configure this setting, users are queried whether to allow the control to be loaded with parameters or scripted.
Recommendation
Set this policy to Enabled > Disable.
Internet Explorer: Java permissions (Trusted Sites Zone)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Java permissions, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone.
This setting allows managing permissions for Java applets.
If you enable this setting, you can choose options from the drop-down box:
Custom: control permissions settings individually.
Low Safety: enable applets to perform all operations.
Medium Safety: enable applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
High Safety: enable applets to run in their sandbox.
Disable Java: to prevent any applets from running.
If you disable this policy setting, Java applets cannot run.
If you do not configure this policy setting, the permission is set to Low Safety.
Recommendation
Set this policy to Enabled > High safety.
Allow fallback to SSL 3.0 (Internet Explorer)
Category: Browser security
OS: Windows
Description
Verifies the local group policy Allow fallback to SSL 3.0 (Internet Explorer), located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features.
This setting allows blocking an insecure fallback to SSL 3.0.
When this policy is enabled, Internet Explorer will attempt to connect to sites using SSL 3.0 or below when TLS 1.0 or greater fails.
Do not allow insecure fallback in order to prevent a man-in-the-middle attack.
This policy does not affect which security protocols are enabled.
If you disable this policy, system defaults will be used.
Recommendation
Set this policy to Enabled > No sites.
Remove Run this time button for outdated ActiveX controls in Internet Explorer
Category: Browser security
OS: Windows
Description
Verifies the local group policy Remove Run this time button for outdated ActiveX controls in Internet Explorer, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management.
This policy setting allows preventing users from seeing the Run this time button and from running specific outdated ActiveX controls in Internet Explorer.
If you enable this setting, users will not see the Run this time button on the warning message that appears when Internet Explorer blocks an outdated ActiveX control.
If you disable or don't configure this policy setting, users will see the Run this time button on the warning message that appears when Internet Explorer blocks an outdated ActiveX control.
Clicking this button lets the user run the outdated ActiveX control once.
Recommendation
Set this policy to Enabled.
Turn off blocking of outdated ActiveX controls for Internet Explorer
Category: Browser security
OS: Windows
Description
Verifies the local group policy Turn off blocking of outdated ActiveX controls for Internet Explorer, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management.
This setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.
If you enable this setting, Internet Explorer stops blocking outdated ActiveX controls.
If you disable or do not configure this policy setting, Internet Explorer continues to block specific outdated ActiveX controls.
Recommendation
Set this policy to Disabled.
Internet Explorer Processes Handling
Category: Browser security
OS: Windows
Description
Verifies the local group policy Internet Explorer Processes, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Consistent Mime Handling.
Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling procedures for files received through a Web server.
This policy setting determines whether Internet Explorer requires that all file-type information provided by Web servers be consistent.
For example, if the MIME type of a file is text/plain but the MIME sniff indicates that the file is really an executable file, Internet Explorer renames the file by saving it in the Internet Explorer cache and changing its extension.
If you enable or do not configure this policy setting, Internet Explorer requires consistent MIME data for all received files.
If you disable this policy setting, Internet Explorer will not require consistent MIME data for all received files.
Recommendation
Set this policy to Enabled.
Internet Explorer Processes Sniffing
Category: Browser security
OS: Windows
Description
Verifies the local group policy Internet Explorer Processes, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Mime Sniffing Safety Feature.
This policy setting determines whether Internet Explorer MIME sniffing will prevent promotion of a file of one type to a more dangerous file type.
If you enable or do not configure this setting, MIME sniffing will never promote a file of one type to a more dangerous file type.
If you disable this setting, Internet Explorer processes will allow a MIME sniff promoting a file of one type to a more dangerous file type.
Recommendation
Set this policy to Enabled.
Internet Explorer Processes MK Protocol
Category: Browser security
OS: Windows
Description
Verifies the local group policy Internet Explorer Processes, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\MK Protocol Security Restriction.
The MK Protocol Security Restriction policy setting reduces attack surface area by preventing the MK protocol. Resources hosted on the MK protocol will fail.
If you enable or do not configure this setting, the MK Protocol is prevented for File Explorer and Internet Explorer, and resources hosted on the MK protocol will fail.
If you disable this setting, applications can use the MK protocol API.
Resources hosted on the MK protocol will work for the File Explorer and Internet Explorer processes.
Recommendation
Set this policy to Enabled.
Internet Explorer Processes Security background
Category: Browser security
OS: Windows
Description
Verifies the local group policy Internet Explorer Processes, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Notification bar.
This setting allows you to manage whether the Notification bar is displayed for Internet Explorer processes when file or code installs are restricted.
By default, the Notification bar is displayed for Internet Explorer processes.
If you enable or do not configure this setting, the Notification bar will be displayed for Internet Explorer Processes.
If you disable this policy setting, the Notification bar will not be displayed for Internet Explorer processes.
Recommendation
Set this policy to Enabled.
Internet Explorer Processes Zone Elevation
Category: Browser security
OS: Windows
Description
Verifies the local group policy Internet Explorer Processes, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Protection From Zone Elevation.
Internet Explorer places restrictions on each Web page it opens. The restrictions are dependent upon the location of the Web page (Internet, Intranet, Local Machine zone, etc.).
Web pages on the local computer have the fewest security restrictions and reside in the Local Machine zone, making the Local Machine security zone a prime target for malicious users.
Zone Elevation also disables JavaScript navigation if there is no security context.
If you enable or do not configure this setting, any zone can be protected from zone elevation by Internet Explorer processes.
If you disable this setting, no zone receives such protection for Internet Explorer processes.
Recommendation
Set this policy to Enabled.
Internet Explorer Processes Restrict ActiveX Install
Category: Browser security
OS: Windows
Description
Verifies the local group policy Internet Explorer Processes, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Restrict ActiveX Install.
This setting enables blocking of ActiveX control installation prompts for Internet Explorer processes.
If you enable this setting, prompting for ActiveX control installations will be blocked for Internet Explorer processes.
If you disable this setting, prompting for ActiveX control installations will not be blocked for Internet Explorer processes.
If you do not configure this setting, the user's preference will be used to determine whether to block ActiveX control installations for Internet Explorer processes.
Recommendation
Set this policy to Enabled.
Internet Explorer Processes Restrict Download
Category: Browser security
OS: Windows
Description
Verifies the local group policy Internet Explorer Processes, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Restrict File Download.
This setting enables blocking of file download prompts that are not user initiated.
If you enable this setting, file download prompts that are not user initiated will be blocked for Internet Explorer processes.
If you disable this policy setting, prompting will occur for file downloads that are not user initiated for Internet Explorer processes.
If you do not configure this setting, the user's preference determines whether to prompt for file downloads that are not user initiated for Internet Explorer processes.
Recommendation
Set this policy to Enabled.
Internet Explorer Processes Window Restrictions
Category: Browser security
OS: Windows
Description
Verifies the local group policy Internet Explorer Processes, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Scripted Window Security Restrictions.
Internet Explorer allows scripts to programmatically open, resize, and reposition windows of various types.
The Window Restrictions security feature restricts pop-up windows and prohibits scripts from displaying windows in which the title and status bars are not visible to the user, or which obscure other windows' title and status bars.
If you enable or do not configure this setting, pop-up windows and other restrictions apply for File Explorer and Internet Explorer processes.
If you disable this setting, scripts can continue to create pop-up windows and windows that obfuscate other windows.
Recommendation
Set this policy to Enabled.
Enable local admin password management
Category: OS security
OS: Windows
Description
Verifies the policy Enable local admin password management, located in:
Computer Configuration\Administrative Templates\System\LAPS - for Windows Server 2019-2022
Computer Configuration\Administrative Templates\LAPS - for prior versions
This policy enables management of the password for the local administrator account.
If you enable this setting, the local administrator password is managed.
If you disable or do not configure this setting, the local administrator password is NOT managed.
Note
This policy is available in local group policy editor after installing Local Administrator Password Solution (LAPS).
Recommendation
Set this policy to Enabled.
Local Account Token Filter Policy
Category: OS security
OS: Windows
Description
MS Security Guide: Apply UAC restrictions to local accounts on network logon.
This setting controls whether local accounts can be used for remote administration via network logon (e.g., NET USE, connecting to C$, etc.).
Local accounts are at high risk for credential theft when the same account and password are configured on multiple systems.
Enabling this policy significantly reduces that risk.
Enabled (recommended): Applies UAC token-filtering to local accounts on network logons.
Membership in powerful group such as Administrators is disabled and powerful privileges are removed from the resulting access token.
This configures the LocalAccountTokenFilterPolicy registry value to 0. This is the default behavior for Windows.
Disabled: Allows local accounts to have full administrative rights when authenticating via network logon, by configuring the LocalAccountTokenFilterPolicy registry value to 1.
For more information about LocalAccountTokenFilterPolicy, see http://support.microsoft.com/kb/951016.
Recommendation
Set this policy to Enabled.
Configure SMB v1 server
Category: OS security
OS: Windows
Description
MS Security Guide: Configure SMB v1 server.
Disabling this setting disables server-side processing of the SMBv1 protocol. (Recommended).
Enabling this setting enables server-side processing of the SMBv1 protocol. (Default).
Changes to this setting require a reboot to take effect.
For more information, see https://support.microsoft.com/kb/2696547.
Recommendation
Set this to Disabled.
Configure SMB v1 client
Category: OS security
OS: Windows
Description
MS Security Guide: Configure SMB v1 client driver.
Disabling this setting disables server-side processing of the SMBv1 protocol. (Recommended).
Enabling this setting enables server-side processing of the SMBv1 protocol. (Default).
Changes to this setting require a reboot to take effect. For more information, see https://support.microsoft.com/kb/2696547.
Recommendation
Set this to Enabled > Disable driver.
Enable Structured Exception Handling Overwrite Protection (SEHOP)
Category: OS security
OS: Windows
Description
MS Security Guide: Enable Structured Exception Handling Overwrite Protection (SEHOP).
If this setting is enabled, SEHOP is enforced.
For more information, see https://support.microsoft.com/en-us/help/956607/how-to-enable-structured-exception-handling-overwrite-protection-sehop-in-windows-operating-systems.
If this setting is disabled or not configured, SEHOP is not enforced for 32-bit processes.
Recommendation
Set this to Enabled.
WDigest Authentication
Category: OS security
OS: Windows
Description
MS Security Guide: WDigest Authentication.
When WDigest authentication is enabled, Lsass.exe retains a copy of the user's plaintext password in memory, where it can be at risk of theft. Microsoft recommends disabling WDigest authentication unless it is needed.
If this setting is not configured, WDigest authentication is disabled in Windows 8.1 and in Windows Server 2012 R2; it is enabled by default in earlier versions of Windows and Windows Server.
Update KB2871997 must first be installed to disable WDigest authentication using this setting in Windows 7, Windows 8, Windows Server 2008 R2 and Windows Server 2012.
Enabled: Enables WDigest authentication.
Disabled (recommended): Disables WDigest authentication.
For this setting to work on Windows 7, Windows 8, Windows Server 2008 R2 or Windows Server 2012, KB2871997 must first be installed.
Note
For more information, see http://support.microsoft.com/kb/2871997 and http://blogs.technet.com/b/srd/archive/2014/06/05/an-overview-of-kb2871997.aspx
Recommendation
Set this to Disabled.
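Added here as a defender's audit example, not part of this reference and not the product's own check logic: the PowerShell below reads the registry values behind the Local Account Token Filter Policy, SMB v1 server, SMB v1 client, SEHOP and WDigest entries above and reports deviations from the recommendations. The registry paths are the standard locations documented in the Microsoft articles linked in those entries; the pass/fail interpretation follows the descriptions on this page. Where a value is absent and the operating-system default applies (which differs by Windows version, as the WDigest entry notes), the script reports Review instead of guessing.

```powershell
# Added audit example (not the product's own check): compare the registry values
# that back several MS Security Guide settings against the recommended values.
# Run in an elevated PowerShell session so HKLM can be read reliably.

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns the DWORD value, or $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

# One entry per setting: where to read, which value is compliant, and how to
# report an absent value (Pass = default is the recommended state, Review =
# the default depends on the Windows version and needs a human look).
$checks = @(
    @{ Setting = 'Local Account Token Filter Policy'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'LocalAccountTokenFilterPolicy'; Compliant = 0; AbsentStatus = 'Pass' },
    @{ Setting = 'Configure SMB v1 server'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'SMB1'; Compliant = 0; AbsentStatus = 'Review' },
    @{ Setting = 'Configure SMB v1 client (MrxSmb10 driver start type)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10'
       Name = 'Start'; Compliant = 4; AbsentStatus = 'Pass' },   # absent = driver not present
    @{ Setting = 'Enable SEHOP'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
       Name = 'DisableExceptionChainValidation'; Compliant = 0; AbsentStatus = 'Review' },
    @{ Setting = 'WDigest Authentication'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
       Name = 'UseLogonCredential'; Compliant = 0; AbsentStatus = 'Review' }
)

function Test-SecurityGuideSettings {
    # Emits one object per check so the result can be filtered or exported.
    foreach ($c in $checks) {
        $actual = Get-RegDword -Path $c.Path -Name $c.Name
        if ($null -eq $actual) {
            $status = $c.AbsentStatus
            $shown  = '(not set)'
        } elseif ($actual -eq $c.Compliant) {
            $status = 'Pass'
            $shown  = $actual
        } else {
            $status = 'Fail'
            $shown  = $actual
        }
        [pscustomobject]@{
            Setting  = $c.Setting
            Value    = "$($c.Name) = $shown"
            Expected = $c.Compliant
            Status   = $status
        }
    }
}

Test-SecurityGuideSettings | Format-Table -AutoSize
```

A Review result for SMB v1 server is worth resolving with `Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol` on Windows 8 / Server 2012 and later, where the effective state is reported directly; on older systems the SMB1 value shown above and the linked KB are the reference.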
DisableIPSourceRouting IPv6
Category: Network and credentials
OS: Windows
Description
MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing).
Recommendation
Set this to Highest protection, source routing is completely disabled.
DisableIPSourceRouting
Category: Network and credentials
OS: Windows
Description
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing).
Recommendation
Set this to Highest protection, source routing is completely disabled.
EnableICMPRedirect
Category: Network and credentials
OS: Windows
Description
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes.
Recommendation
Set this to Disabled.
NoNameReleaseOnDemand
Category: OS security
OS: Windows
Description
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers.
Recommendation
Set this to Enabled.
Office Word 11 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Word 11, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present. However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run. This setting makes your computer vulnerable to potentially malicious code.
Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Word 12 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Word 12, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present. However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run. This setting makes your computer vulnerable to potentially malicious code.
Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Word 14 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Word 14, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present. However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run. This setting makes your computer vulnerable to potentially malicious code.
Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Word 15 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Word 15, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present. However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run. This setting makes your computer vulnerable to potentially malicious code.
Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Word 16 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Word 16, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present. However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run. This setting makes your computer vulnerable to potentially malicious code.
Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office MSProject 11 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office MSProject 11, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present. However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run. This setting makes your computer vulnerable to potentially malicious code.
Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office MSProject 12 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office MSProject 12, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present. However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run. This setting makes your computer vulnerable to potentially malicious code.
Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office MSProject 14 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office MSProject 14, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present. However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run. This setting makes your computer vulnerable to potentially malicious code.
Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office MSProject 15 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office MSProject 15, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present. However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run. This setting makes your computer vulnerable to potentially malicious code.
Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office MSProject 16 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office MSProject 16, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present. However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run. This setting makes your computer vulnerable to potentially malicious code.
Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Excel 11 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Excel 11, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present. However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run. This setting makes your computer vulnerable to potentially malicious code.
Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Excel 12 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Excel 12, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present. However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run. This setting makes your computer vulnerable to potentially malicious code.
Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Excel 14 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Excel 14, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present. However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run. This setting makes your computer vulnerable to potentially malicious code.
Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Excel 15 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Excel 15, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present. However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run. This setting makes your computer vulnerable to potentially malicious code.
Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Excel 16 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Excel 16, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present. However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run. This setting makes your computer vulnerable to potentially malicious code.
Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Power Point 11 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Power Point 11, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present. However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run. This setting makes your computer vulnerable to potentially malicious code.
Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Power Point 12 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Power Point 12, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present. However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run. This setting makes your computer vulnerable to potentially malicious code.
Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Power Point 14 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Power Point 14, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present. However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run. This setting makes your computer vulnerable to potentially malicious code.
Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Power Point 15 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Power Point 15, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present. However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run. This setting makes your computer vulnerable to potentially malicious code.
Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Power Point 16 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Power Point 16, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present. However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run. This setting makes your computer vulnerable to potentially malicious code.
Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Access 11 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Access 11, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present. However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run. This setting makes your computer vulnerable to potentially malicious code.
Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Access 12 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Access 12, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present. However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run. This setting makes your computer vulnerable to potentially malicious code.
Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Access 14 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Access 14, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present. However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run. This setting makes your computer vulnerable to potentially malicious code.
Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Access 15 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Access 15, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present. However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run. This setting makes your computer vulnerable to potentially malicious code.
Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Access 16 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Access 16, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.
However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run.
This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Publisher 11 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Publisher 11, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.
However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run.
This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Publisher 12 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Publisher 12, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.
However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run.
This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Publisher 14 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Publisher 14, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.
However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run.
This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Publisher 15 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Publisher 15, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.
However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run.
This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Publisher 16 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Publisher 16, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.
However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run.
This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Outlook 11 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Outlook 11, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.
However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run.
This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Outlook 12 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Outlook 12, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.
However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run.
This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Outlook 14 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Outlook 14, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.
However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run.
This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Outlook 15 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Outlook 15, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.
However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run.
This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Office Outlook 16 Macro
Category: OS security
OS: Windows
Description
Checks the Macro settings for Office Outlook 16, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.
Disable all macros without notification - Macros and security alerts about macros are disabled.
Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.
Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.
However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.
Enable all macros (not recommended, potentially dangerous code can run) - All macros run.
This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.
Recommendation
Set this to Disable all macros without notification.
Mozilla Passwords
Category: Browser security
OS: Windows
Description
Checks if Mozilla Firefox stores passwords on disk.
An attacker who gains ownership of your system may steal stored credentials.
Recommendation
Do not save credentials locally, especially if not protected by a security solution.
WinRM Service
Category: OS security
OS: Windows
Description
Windows Remote Management (WinRM) allows a user to interact with a remote system, to run an executable, modify the registry, or modify services. It may be called with the winrm command or by various programs, such as PowerShell.
Recommendation
Disable the WinRM Service unless necessary.
Network access: Do not allow anonymous enumeration of SAM accounts and shares
Category: Network and credentials
OS: Windows
Description
This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed.
Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares.
This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust.
If you do not want to allow anonymous enumeration of SAM accounts and shares, go to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options and enable this policy.
Default: Disabled.
Recommendation
Set this to Enabled.
Network access: Let Everyone permissions apply to anonymous users
Category: OS security
OS: Windows
Description
This security setting, located in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options, determines what additional permissions are granted for anonymous connections to the computer.
Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust.
By default, the Everyone security identifier (SID) is removed from the token created for anonymous connections. Therefore, permissions granted to the Everyone group do not apply to anonymous users.
When this policy is disabled (the default), anonymous users can only access those resources for which the anonymous user has been explicitly given permission.
If this policy is enabled, the Everyone SID is added to the token that is created for anonymous connections.
In this case, anonymous users are able to access any resource for which the Everyone group has been given permissions.
Default: Disabled.
Recommendation
Set this to Disabled.
PowerShell Script Execution
Category: OS security
OS: Windows
Description
Checks the local group policy Turn on Script Execution, located in Computer Configuration\Administrative Templates\Windows Components\Windows PowerShell.
This policy setting lets you configure the script execution policy, controlling which scripts are allowed to run.
If you enable this policy setting, the scripts selected in the drop-down list are allowed to run.
The Allow only signed scripts policy setting allows scripts to execute only if they are signed by a trusted publisher.
The Allow local scripts and remote signed scripts policy setting allows any local scripts to run; scripts that originate from the internet must be signed by a trusted publisher.
The Allow all scripts policy setting allows all scripts to run.
If you disable this policy setting, no scripts are allowed to run.
Recommendation
Set this to Disabled.
Robomongo Passwords
Category: Network and credentials
OS: Windows
Description
Checks if Robomongo stores passwords on disk. An attacker who gains ownership of your system may steal stored credentials.
Recommendation
Do not save credentials locally, especially if not protected by a security solution.
Internet Explorer Passwords
Category: Network and credentials
OS: Windows
Description
Checks if Internet Explorer or Microsoft Edge store passwords on disk. An attacker who gains ownership of your system may steal stored credentials.
Recommendation
Do not save credentials locally, especially if not protected by a security solution.
Apache Directory Studio Passwords
Category: Network and credentials
OS: Windows
Description
Checks if Apache Directory Studio stores passwords on disk. An attacker who gains ownership of your system may steal stored credentials.
Recommendation
Do not save credentials locally, especially if not protected by a security solution.
Filezilla Passwords
Category: Network and credentials
OS: Windows
Description
Checks if Filezilla stores passwords on disk. An attacker who gains ownership of your system may steal stored credentials.
Recommendation
Do not save credentials locally, especially if not protected by a security solution.
FTP Navigator Passwords
Category: Network and credentials
OS: Windows
Description
Checks if FTP Navigator stores passwords on disk. An attacker who gains ownership of your system may steal stored credentials.
Recommendation
Do not save credentials locally, especially if not protected by a security solution.
DB Visualizer Passwords
Category: Network and credentials
OS: Windows
Description
Checks if DB Visualizer stores passwords on disk. An attacker who gains ownership of your system may steal stored credentials.
Recommendation
Do not save credentials locally, especially if not protected by a security solution.
Win SCP Passwords
Category: Network and credentials
OS: Windows
Description
Checks if Win SCP stores passwords on disk. An attacker who gains ownership of your system may steal stored credentials.
Recommendation
Do not save credentials locally, especially if not protected by a security solution.
RDP Manager Passwords
Category: Network and credentials
OS: Windows
Description
Checks if RDP Manager stores passwords on disk. An attacker who gains ownership of your system may steal stored credentials.
Recommendation
Do not save credentials locally, especially if not protected by a security solution.
Winlogon Passwords
Category: Network and credentials
OS: Windows
Description
Checks if Winlogon stores passwords on disk. An attacker who gains ownership of your system may steal stored credentials.
Recommendation
Do not save credentials locally, especially if not protected by a security solution.
Squirrel Passwords
Category: Network and credentials
OS: Linux
Description
In networking, source routing allows a sender to partially or fully specify the route packets take through a network. If source-routed packets were allowed, they can be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that do not allow this routing.
Recommendation
Ensure the net.ipv4.conf.all.accept_source_route, net.ipv4.conf.default.accept_source_route, net.ipv6.conf.all.accept_source_route and net.ipv6.conf.default.accept_source_route flags are disabled.
Thunderbird Passwords
Category: Network and credentials
OS: Windows
Description
Checks if Thunderbird stores passwords on disk. An attacker who gains ownership of your system may steal stored credentials.
Recommendation
Do not save credentials locally, especially if not protected by a security solution.
PostgreSQL Passwords
Category: Network and credentials
OS: Windows
Description
Checks if PostgreSQL stores passwords on disk. An attacker who gains ownership of your system may steal stored credentials.
Recommendation
Do not save credentials locally, especially if not protected by a security solution.
PHP Auth Passwords
Category: Network and credentials
OS: Windows
Description
Checks if PHP Auth stores passwords on disk. An attacker who gains ownership of your system may steal stored credentials.
Recommendation
Do not save credentials locally, especially if not protected by a security solution.
Tortoise SVN Passwords
Category: Network and credentials
OS: Windows
Description
Checks if Tortoise SVN stores passwords on disk. An attacker who gains ownership of your system may steal stored credentials.
Recommendation
Do not save credentials locally, especially if not protected by a security solution.
Too many local administrators
Category: OS security
OS: Windows
Description
Checks the number of local administrators on the machine.
Recommendation
Do not allow more than one local administrator account.
SMB Shared Everyone Read
Category: Network and credentials
OS: Windows
Description
Checks the existence of shared folders with read access for the Everyone group.
The Everyone group includes all users who have logged in with a password (members of the Authenticated Users group) as well as built-in, non-password protected accounts such as Guest, and several other built-in security accounts like SERVICE, LOCAL_SERVICE, NETWORK_SERVICE, and others.
A Guest account is a built-in account on a Windows system that is disabled by default.
If enabled, it allows anyone to log in without a password.
Recommendation
Restrict access to shared folders for members of the Everyone group.
We also recommend you do not grant shared permissions to Shell Folders.
SMB Shared Everyone Write
Category: Network and credentials
OS: Windows
Description
Checks the existence of shared folders with write access for the Everyone group.
The Everyone group includes all users who have logged in with a password (members of the Authenticated Users group) as well as built-in, non-password protected accounts such as Guest, and several other built-in security accounts like SERVICE, LOCAL_SERVICE, NETWORK_SERVICE, and others.
A Guest account is a built-in account on a Windows system that is disabled by default.
If enabled, it allows anyone to log in without a password.
Recommendation
Restrict access to shared folders for members of the Everyone group.
We also recommend you do not grant shared permissions to Shell Folders.
SMB Shared Sensitive Read
Category: Network and credentials
OS: Windows
Description
Checks the existence of sensitive folders that are shared with read access on Server Message Block (SMB).
SMB is a network protocol used by Windows-based computers that allows systems within the same network to share files. It allows computers connected to the same network or domain to access files from other local computers as easily as if they were on the computer's local hard drive.
Not only does SMB allow computers to share files, but it also enables computers to share printers and even serial ports from other computers within the network.
Recommendation
Restrict access to shared folders for members of the Everyone group.
We also recommend you do not grant shared permissions to Shell Folders.
SMB Shared Sensitive Write
Category: Network and credentials
OS: Windows
Description
Checks the existence of sensitive folders that are shared with write access on Server Message Block (SMB).
SMB is a network protocol used by Windows-based computers that allows systems within the same network to share files. It allows computers connected to the same network or domain to access files from other local computers as easily as if they were on the computer's local hard drive.
Not only does SMB allow computers to share files, but it also enables computers to share printers and even serial ports from other computers within the network.
Recommendation
Restrict access to shared folders for members of the Everyone group.
SMBv3 Exploitable
Category: Network and credentials
OS: Windows
Description
Checks if the computer is vulnerable to CVE-2020-0796.
Recommendation
Always watch for and install security updates.
afmtd Exploitable
Category: OS security
OS: Windows
Description
Checks if the computer is vulnerable to CVE-2020-1020.
Recommendation
Always watch for and install security updates.
Full Secure Channel Protection
Category: Network and credentials
OS: Windows
Description
Verifies the policy Domain controller: Allow vulnerable Netlogon secure channel connections, located in Computer Configuration\Windows Settings\Security Settings\Security Options.
This security setting determines whether the domain controller bypasses secure RPC for Netlogon secure channel connections, for specified machine accounts.
When this policy is enabled with Allow, the domain controller will allow some specified groups/accounts to use a Netlogon secure channel without secure RPC.
Recommendation
Set this policy to Deny or Not configured.
Print Spooler Service Exploitable
Category: Network and credentials
OS: Windows
Description
Verifies if the endpoint is susceptible to the PrintNightmare attack (CVE-2021-34527).
This type of attack exploits a vulnerability within the Windows Print Spooler service, allowing an attacker to run arbitrary code with SYSTEM privileges. An attacker can then install programs; view, change or delete data, or create new accounts with full user rights.
Recommendation
Make sure your endpoint is always up-to-date with your operating system security patches.
If for some reason you are unable to patch the endpoint, make sure you apply one of the workarounds specified in the vulnerability blog post: disable the Print Spooler Service, or disable inbound remote printing through Group Policy.
NTLM Incoming traffic not restricted
Category: Network and credentials
OS: Windows
Description
Verifies if the group policy Network Security: Restrict NTLM: Incoming NTLM traffic, located in Computer Configurations\Policies\Windows Settings\Security Settings\Local Policies\Security Options, is configured to deny incoming traffic from all accounts.
If this setting is not configured properly, an attacker can target a Domain Controller using an NTLM relay attack (dubbed PetitPotam).
Recommendation
To safeguard against this line of attack, Microsoft recommends disabling NTLM authentication on the domain controller. If NTLM cannot be turned off for compatibility reasons, take one of the two steps below:
Disable NTLM on any AD CS Servers in your domain using the group policy Network security: Restrict NTLM: Incoming NTLM traffic
Disable NTLM for Internet Information Services (IIS) on AD CS Servers in the domain running the Certificate Authority Web Enrollment or Certificate Enrollment Web Service services
Log4j with Remote Code Execution Present
Category: Network and credentials
OS: Windows
Description
Verifies if a vulnerable version of the log4j module is present on the disk. The vulnerable module could be affected by CVE-2021-44228 and CVE-2021-45046; submitting a specially crafted request to it might lead to downloading and subsequently executing a malicious payload.
Recommendation
Avoid using Log4j versions 2.x to 2.15.0.
Log4j with Denial of Service Present
Category: Network and credentials
OS: Windows
Description
Verifies if a vulnerable version of the log4j module is present on the disk. The vulnerable module could be affected by CVE-2021-45105; submitting a specially crafted request to it might cause a denial of service when the crafted string is interpreted.
Recommendation
Avoid using Log4j versions 2.x to 2.16.0, except version 2.12.3, which fixes the issue.
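An added example (written for this page, not the scanner's own code) that turns the two Log4j checks above into a version classifier for log4j-core jar names. It applies the page's ranges and generalizes the page's 2.12.3 exception to the whole 2.12.x maintenance line: 2.12.2 and later are treated as fixed for the RCE CVEs and 2.12.3 and later as fixed for the DoS CVE, following Apache's Log4j security advisory.

```python
"""Classify log4j-core jar versions against CVE-2021-44228/45046 (RCE) and
CVE-2021-45105 (DoS).  Illustrative code for this page; the version ranges
follow the page text plus the 2.12.x Java 7 fix line from Apache's advisory."""
from __future__ import annotations

import re
from typing import NamedTuple, Optional

# Matches the vulnerable artifact's file name, e.g. log4j-core-2.14.1.jar,
# including pre-release builds of the 2.0 line such as log4j-core-2.0-beta9.jar.
_JAR_RE = re.compile(
    r"log4j-core-(?P<major>\d+)\.(?P<minor>\d+)(?:\.(?P<patch>\d+))?"
    r"(?:-(?P<pre>alpha|beta|rc)(?P<prenum>\d+))?\.jar$",
    re.IGNORECASE,
)


class Log4jVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    prerelease: bool  # True for 2.0-beta9 / 2.0-rc1 builds

    def key(self) -> tuple[int, int, int, int]:
        # Pre-release builds sort before the final release of the same number.
        return (self.major, self.minor, self.patch, 0 if self.prerelease else 1)


def parse_jar_version(path: str) -> Optional[Log4jVersion]:
    """Extract the version from a log4j-core jar path (Windows or POSIX),
    or return None when the file is not a log4j-core jar."""
    name = path.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    m = _JAR_RE.search(name)
    if not m:
        return None
    return Log4jVersion(
        int(m["major"]), int(m["minor"]), int(m["patch"] or 0), m["pre"] is not None
    )


def has_rce_cves(v: Log4jVersion) -> bool:
    """CVE-2021-44228 / CVE-2021-45046: every 2.x build up to and including
    2.15.0 (page range), except the 2.12.x line from 2.12.2 on (Apache's
    Java 7 fix, added here)."""
    if v.major != 2:
        return False
    if v.minor == 12 and v.patch >= 2:
        return False
    return v.key() <= Log4jVersion(2, 15, 0, False).key()


def has_dos_cve(v: Log4jVersion) -> bool:
    """CVE-2021-45105: every 2.x build up to and including 2.16.0, except the
    2.12.x line from 2.12.3 on (the page names 2.12.3 as the fix)."""
    if v.major != 2:
        return False
    if v.minor == 12 and v.patch >= 3:
        return False
    return v.key() <= Log4jVersion(2, 16, 0, False).key()


def classify_jar(path: str) -> list[str]:
    """Return the page's finding names that apply to one jar path."""
    v = parse_jar_version(path)
    if v is None:
        return []
    findings: list[str] = []
    if has_rce_cves(v):
        findings.append("Log4j with Remote Code Execution Present")
    if has_dos_cve(v):
        findings.append("Log4j with Denial of Service Present")
    return findings


if __name__ == "__main__":
    # Constructed sample paths, not from a real scan.
    for jar in ("/opt/app/lib/log4j-core-2.14.1.jar", "log4j-core-2.16.0.jar",
                "log4j-core-2.12.3.jar", "log4j-api-2.14.1.jar"):
        print(jar, classify_jar(jar) or ["no findings"])
```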
HTTP Protocol Stack Remote Code Execution Vulnerability
Category: Vulnerability
OS: Windows
Description
Verifies if http.sys, a kernel mode device driver in Microsoft Windows, is vulnerable to CVE-2022-21907, a remote code execution vulnerability that requires no authentication.
Recommendation
Stay up-to-date with the security updates and, as a mitigation, make sure that EnableTrailerSupport, located under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters, is either missing or set to 0.
Win32k Privilege Escalation Vulnerability
Category: Vulnerability
OS: Windows
Description
This vulnerability can allow an attacker to gain system-level privileges. This flaw was originally identified as CVE-2021-1732 and was patched, but a technique to bypass the patch was identified and assigned CVE-2022-21882.
Recommendation
Install the latest security updates.
Spring Cloud Functions vulnerability (Spring4Shell)
Category: Vulnerability
OS: Windows
Description
Spring Cloud Functions versions 3.1.6, 3.2.2, and older are vulnerable to CVE-2022-22963. This vulnerability allows a user to provide a specially crafted SpEL payload as a routing-expression. This may result in remote code execution and access to local resources.
Recommendation
Upgrade Spring Cloud Functions to versions 3.1.7, 3.2.3, or higher.
Tarrask tasks detected
Category: Vulnerability
OS: Windows
Description
Verifies whether there are any scheduled tasks that have no security descriptor associated. These types of tasks are an indicator of Tarrask malware infection.
Recommendation
Navigate to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree and check if there are any scheduled tasks whose SD (security descriptor) entry has no value.
Follina Vulnerability
Category: Vulnerability
OS: Windows
Description
Verifies if the system is vulnerable to CVE-2022-30190, also known as Follina Vulnerability. This vulnerability allows remote code execution when Microsoft Windows Support Diagnostic Tool (MSDT) is called using the URL protocol of a calling application, such as Microsoft Word.
Recommendation
Install the latest security updates, or apply the mitigation actions suggested by the vendor.
Microsoft search handler present
Category: OS security
OS: Windows
Description
Verifies if the search-ms handler is present. Adversaries can leverage search-ms, as it is a URI protocol handler that allows applications and HTML links to launch customized searches on a device.
Recommendation
Create a backup of the registry, and remove search-ms located at HKEY_CLASSES_ROOT\search-ms.
Linux misconfigurations
OpenSSH root login is enabled
Category: OS security
OS: Linux
Description
Verifies if login is enabled for user "root".
Recommendation
Ensure remote access is disabled for user "root".
OpenSSH runs on the default port
Category: OS security
OS: Linux
Description
Verifies if the default ssh port is used for the ssh server.
Recommendation
Change the ssh port in order to reduce chances of being targeted.
OpenSSH PermitEmptyPasswords is enabled
Category: OS security
OS: Linux
Description
Verifies if the PermitEmptyPasswords parameter for the OpenSSH server is set to allow login to accounts with empty password strings.
Recommendation
Ensure OpenSSH server does not allow login to accounts with empty password strings.
OpenSSH HostbasedAuthentication is enabled
Category: OS security
OS: Linux
Description
Verifies if the HostbasedAuthentication parameter for the OpenSSH server is set to allow authentication through trusted hosts.
Recommendation
Ensure the OpenSSH server does not allow authentication through trusted hosts.
OpenSSH idle timeout interval is not configured
Category: OS security
OS: Linux
Description
Verifies if the ClientAliveInterval and ClientAliveCountMax parameters for the OpenSSH server are not configured.
When those parameters are configured, the server sends a keep-alive message every ClientAliveInterval seconds to an idle session, and ends the session once ClientAliveCountMax consecutive messages have gone unanswered.
Recommendation
Ensure the idle timeout interval options for the OpenSSH server are configured.
OpenSSH Password login
Category: OS security
OS: Linux
Description
Verifies if password login is enabled for OpenSSH server.
Recommendation
Ensure SSH access is made through public keys.
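An added example (written for this page, not the scanner's own code) that audits an sshd_config text for all six OpenSSH findings above: root login, default port, PermitEmptyPasswords, HostbasedAuthentication, idle timeout and password login. It applies sshd's own parsing rules (first occurrence of a keyword wins, keywords are case-insensitive) and the OpenSSH defaults for absent keywords; conditional Match blocks are ignored as a simplification.

```python
"""Offline auditor for the OpenSSH server settings the checks above describe.
Illustrative code for this page, not the scanner's own implementation."""
from __future__ import annotations

# Values sshd uses when a keyword is absent (OpenSSH 7.x and later defaults).
SSHD_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "port": "22",
    "permitemptypasswords": "no",
    "hostbasedauthentication": "no",
    "clientaliveinterval": "0",
    "clientalivecountmax": "3",
    "passwordauthentication": "yes",
}


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return the global keyword/value pairs of an sshd_config.

    Follows sshd's rules: keywords are case-insensitive, the first occurrence
    of a keyword wins, '#' starts a comment, and both 'Keyword value' and
    'Keyword=value' are accepted.  Everything from the first Match block on is
    conditional and is ignored here (a simplification of this example).
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def _effective(settings: dict[str, str], key: str) -> str:
    return settings.get(key, SSHD_DEFAULTS[key]).lower()


def _as_int(value: str) -> int:
    # A non-numeric value would stop sshd from starting; treat it as unset.
    try:
        return int(value)
    except ValueError:
        return 0


def audit_sshd(text: str) -> list[str]:
    """Return the names of the page's OpenSSH misconfigurations that apply."""
    s = parse_sshd_config(text)
    findings: list[str] = []
    # Only an explicit 'no' disables root login; the default value still
    # lets root authenticate with a key.
    if _effective(s, "permitrootlogin") != "no":
        findings.append("OpenSSH root login is enabled")
    if _effective(s, "port") == "22":
        findings.append("OpenSSH runs on the default port")
    if _effective(s, "permitemptypasswords") == "yes":
        findings.append("OpenSSH PermitEmptyPasswords is enabled")
    if _effective(s, "hostbasedauthentication") == "yes":
        findings.append("OpenSSH HostbasedAuthentication is enabled")
    # Idle sessions are only dropped when both values are positive: an
    # interval of 0 disables the probes and a count of 0 disables the kill.
    interval = _as_int(_effective(s, "clientaliveinterval"))
    count = _as_int(_effective(s, "clientalivecountmax"))
    if interval <= 0 or count <= 0:
        findings.append("OpenSSH idle timeout interval is not configured")
    if _effective(s, "passwordauthentication") != "no":
        findings.append("OpenSSH Password login")
    return findings


# Constructed sample configurations (not taken from a real host).
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PermitEmptyPasswords yes
HostbasedAuthentication yes
PasswordAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
Port 2222
PermitRootLogin no
PermitEmptyPasswords no
HostbasedAuthentication no
ClientAliveInterval 300
ClientAliveCountMax 2
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd(cfg) or ["no findings"])
```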
Automatic login enabled
Category: OS security
OS: Linux
Description
Verifies if automatic login is configured for a user on the endpoint.
Note
Automatic login automatically logs in a user after OS boot.
Recommendation
Ensure the automatic login option is not enabled.
Samba guest access enabled
Category: OS security
OS: Linux
Description
Verifies if the Samba Service is configured to allow guest access.
Recommendation
Ensure guest access is restricted if you do not explicitly need it.
VSftp server anonymous access allowed
Category: OS security
OS: Linux
Description
Verifies if the VSftp service is configured to allow anonymous access.
Recommendation
Ensure anonymous access to the VSftp service is not allowed.
Boot directory access not restricted
Category: OS security
OS: Linux
Description
Verifies if access to the boot directory is restricted for non-root accounts.
Recommendation
Ensure only root account is allowed access to the boot directory.
Users do not own their home directory
Category: OS security
OS: Linux
Description
Verifies if there is at least one user that does not own their home directory.
Recommendation
Ensure every user present on the endpoint owns their own home directory.
GPGCheck is globally activated
Category: OS security
OS: Linux
Description
Verifies if the gpg signature check is globally enabled, thus making sure that updates are obtained from a valid source.
Recommendation
Ensure the gpg signature check is globally enabled.
Ensure sudo commands use pty
Category: OS security
OS: Linux
Description
Verifies if sudo is configured to run only from a pseudo-pty.
Attackers can run malicious programs using sudo, causing it to fork a background process that persists even when the main program has finished executing.
Recommendation
Ensure sudo is configured to run other programs from a pseudo-pty.
Permissions on bootloader are not restricted
Category: OS security
OS: Linux
Description
Verifies the permissions on the bootloader configuration file.
If not properly configured, non-root users may read the boot parameters and could identify weaknesses in security upon boot.
Recommendation
Ensure only root can read / write the bootloader configuration file.
Permissions on the motd file are not restricted
Category: OS security
OS: Linux
Description
Verifies if permissions on the /etc/motd file are not restricted. The content of the /etc/motd file is displayed to users after login, and functions as a message of the day for authenticated users.
If the permissions and ownership of this file are not properly configured, it could allow other users to corrupt it with incorrect or misleading information.
Recommendation
Ensure the owner of the motd file is root and permissions to others are restricted to read only.
Permissions on the issue file are not restricted
Category: OS security
OS: Linux
Description
Verifies if permissions on the /etc/issue file are not restricted. The content of the /etc/issue file is displayed to users prior to login from local terminals.
If the permissions and ownership of this file are not properly configured, it could allow other users to corrupt it with incorrect or misleading information.
Recommendation
Ensure the owner of the issue file is root and permissions to others are restricted to read only.
Permissions on the issue.net file are not restricted
Category: OS security
OS: Linux
Description
Verifies if permissions on the /etc/issue.net file are not restricted. The content of the /etc/issue.net file is displayed to users prior to login from remote terminals.
If the permissions and ownership of this file are not properly configured, it could allow other users to corrupt it with incorrect or misleading information.
Recommendation
Ensure the owner of the issue.net file is root and permissions to others are restricted to read only.
Avahi Server is enabled
Category: OS security
OS: Linux
Description
Verifies if Avahi Server is enabled on the endpoint. Avahi Server allows programs to publish and discover services and hosts running on the local network.
Recommendation
Ensure Avahi Server is not enabled in order to reduce the endpoint's potential attack surface.
Rsync Server is enabled
Category: OS security
OS: Linux
Description
Verifies if Rsync Server is enabled on the endpoint. The Rsync service is used to synchronize files between systems over the network through unencrypted protocols.
Recommendation
Ensure the rsyncd service is disabled.
SNMP Server is enabled
Category: OS security
OS: Linux
Description
Verifies if the Simple Network Management Protocol (SNMP) server is enabled. This service listens for SNMP commands, which it executes, or collects their results and sends them back to the requester.
The SNMP server can communicate using SNMP v1, which transmits data in clear text and does not require authentication to execute commands.
Recommendation
Ensure SNMP Server is disabled unless absolutely necessary.
HTTP proxy is enabled
Category: OS security
OS: Linux
Description
Verifies if the squid http proxy server is enabled.
If there is no need for a proxy server, it is recommended to disable or delete it, to reduce the potential attack surface.
Recommendation
Ensure squid http proxy is disabled if not used.
Samba Service is enabled
Category: OS security
OS: Linux
Description
Verifies if Samba Service is enabled on the endpoint. If there is no need to mount directories and file systems, then this service can be disabled in order to reduce the potential attack surface.
Recommendation
Ensure SMB service is disabled if not used, to reduce the potential attack surface.
Authentication not required for rescue mode
Category: OS security
OS: Linux
Description
Verifies if authentication is required for rescue mode. Requiring authentication for rescue mode prevents unauthorized users from rebooting the system while in rescue mode, and gaining root privileges without credentials.
Recommendation
Ensure entering rescue mode requires authentication.
Authentication not required for single user mode
Category: OS security
OS: Linux
Description
Verifies if authentication is required for single user mode. Requiring authentication for single user mode prevents unauthorized users from rebooting the system while in single user mode, and gaining root privileges without credentials.
Recommendation
Ensure entering single user mode requires authentication.
Bootloader password is not set
Category: OS security
OS: Linux
Description
Verifies if there is a password set for the bootloader. Requiring a boot password will prevent unauthorized users from entering boot parameters or changing the boot partition.
Recommendation
Ensure bootloader password is set.
Duplicate group IDs
Category: OS security
OS: Linux
Description
Verifies if there are any duplicate group IDs (GIDs). User groups must be assigned unique GIDs to ensure appropriate access protection.
Recommendation
Ensure no duplicate group IDs are present in the /etc/group file.
Duplicate user IDs
Category: OS security
OS: Linux
Description
Verifies if there are any duplicate user IDs (UIDs). Users must be assigned unique UIDs to ensure appropriate access protection.
Recommendation
Ensure no duplicate user IDs are present in the /etc/passwd file.
Automatic updates disabled
Category: OS security
OS: Linux
Description
Verifies if the unattended-upgrades service is configured to install the latest security (and other) updates automatically.
Recommendation
If the unattended-upgrades service is installed, ensure it is configured to install updates automatically.
Sudo log file not configured
Category: OS security
OS: Linux
Description
Verifies if sudo has a custom log file configured. A sudo log file simplifies auditing of sudo commands.
Recommendation
Ensure a custom log file is configured for sudo.
Address space layout randomization disabled
Category: OS security
OS: Linux
Description
Verifies if Address space layout randomization (ASLR) is configured. ASLR is an exploit mitigation technique that increases the difficulty of writing memory page exploits by randomly placing virtual memory regions.
Recommendation
Ensure Address space layout randomization (ASLR) is enabled.
Shadow group is not empty
Category: OS security
OS: Linux
Description
Verifies if the shadow group is empty. The shadow group grants system programs that require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group.
Recommendation
Ensure no users are granted read access to the /etc/shadow file.
Duplicate group names
Category: OS security
OS: Linux
Description
Verifies if there are any duplicated group names.
If a group is assigned a duplicate group name, any files it creates will be associated with the first encounter of the GID for that group in /etc/group. The duplicate group name will also have access to any existing files associated with the first encounter GID in /etc/group.
Recommendation
Ensure there are no duplicate group names present in /etc/group.
Duplicate user names
Category: OS security
OS: Linux
Description
Verifies if there are any duplicated user names.
If a user is assigned a duplicate user name, any files it creates will be associated with the first encounter of the UID for that user in /etc/passwd. The duplicate user name will also have access to any existing files associated with the first encounter UID in /etc/passwd.
Recommendation
Ensure there are no duplicate user names present in /etc/passwd.
User has a rhosts file
Category: OS security
OS: Linux
Description
Verifies if there are any users with a .rhosts file. Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, they may have been brought over from other systems and could contain information useful to an attacker for those other systems.
Recommendation
Ensure no .rhosts files are present in user home directories.
User has a netrc file
Category: OS security
OS: Linux
Description
Verifies if there are any users with a .netrc file. .netrc files may contain unencrypted passwords that can be used to attack other systems.
Recommendation
Ensure no .netrc files are present in user home directories.
User has a netrc file group / world accessible
Category: OS security
OS: Linux
Description
Verifies if there are group / world accessible .netrc files. .netrc files may contain unencrypted passwords that may be used to attack other systems.
Recommendation
Ensure there are no group / world accessible .netrc files in user home directories.
passwd group not present in group file
Category: OS security
OS: Linux
Description
Verifies if all groups mentioned in the /etc/passwd file are also present in the /etc/group file. Groups that are defined in the /etc/passwd file but not in the /etc/group file pose a threat to system security since group permissions are not properly managed.
Recommendation
Ensure all groups defined in /etc/passwd have a declaration in /etc/group as well.
User with empty password
Category: OS security
OS: Linux
Description
Verifies if all accounts have a non-empty password field. All accounts must have passwords or be locked to prevent unauthorized access to that account.
Recommendation
Ensure all accounts have a password.
Sensitive local login banner message
Category: OS security
OS: Linux
Description
Verifies if the contents of the /etc/issue file are displaying information about the OS release and patch level.
Recommendation
Ensure the content of the /etc/issue file does not include OS release and patch level.
Sensitive remote login banner message
Category: OS security
OS: Linux
Description
Verifies if the contents of the /etc/issue.net file are displaying information about OS release and patch level.
Recommendation
Ensure the content of the /etc/issue.net file does not include OS release and patch level.
Sensitive motd message
Category: OS security
OS: Linux
Description
Verifies if the contents of the /etc/motd file are displaying information about OS release and patch level.
Recommendation
Ensure the content of the /etc/motd file does not include OS release and patch level.
Sensitive gdm login banner message
Category: OS security
OS: Linux
Description
Verifies if the contents of the /etc/gdm3/greeter.dconf-defaults specify that the banner message is enabled and the banner contains information about OS release and patch level.
Recommendation
Ensure the content of the /etc/gdm3/greeter.dconf-defaults config banner does not include OS release and patch level.
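The following is an added example, not code from the page or the product it documents, that scans the three banner files discussed above for the disclosures these checks look for. It relies on two facts: agetty expands \m, \r, \s and \v in /etc/issue and /etc/issue.net to the machine architecture, kernel release, OS name and OS version, and banners are often filled with literal strings taken from /etc/os-release. The banner and os-release contents are constructed samples; the same function can be applied to the banner-message-text value from the gdm greeter settings.

```python
"""Added example: find OS release / patch-level disclosures in login banners."""

# agetty(8) escape sequences that reveal OS or kernel details.
DISCLOSING_ESCAPES = {r"\m": "machine architecture", r"\r": "kernel release",
                      r"\s": "OS name", r"\v": "OS version"}

# Constructed /etc/os-release excerpt (a real host reads the actual file).
SAMPLE_OS_RELEASE = 'NAME="Ubuntu"\nID=ubuntu\nVERSION_ID="22.04"\nPRETTY_NAME="Ubuntu 22.04.3 LTS"\n'

# Constructed banner files: issue leaks a literal release string, issue.net leaks via escapes,
# motd is clean.  \n and \l (hostname, tty) are not considered sensitive here.
SAMPLE_BANNERS = {
    "/etc/issue": "Ubuntu 22.04.3 LTS \\n \\l\n",
    "/etc/issue.net": "Welcome to \\s \\r\n",
    "/etc/motd": "Authorized use only. Activity may be monitored.\n",
}


def os_release_identifiers(text):
    """Return the lower-cased distro identifiers (ID, NAME, VERSION, VERSION_ID, PRETTY_NAME)."""
    idents = set()
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key in ("ID", "NAME", "VERSION", "VERSION_ID", "PRETTY_NAME"):
            value = value.strip().strip('"').lower()
            if value:
                idents.add(value)
    return idents


def banner_disclosures(banner, identifiers):
    """List disclosing escapes and distro strings found in one banner text."""
    hits = [f"{esc} ({meaning})" for esc, meaning in DISCLOSING_ESCAPES.items() if esc in banner]
    lowered, matched = banner.lower(), []
    # Longest identifier first, so 'ubuntu 22.04.3 lts' is reported once instead of
    # also as 'ubuntu' and '22.04'.
    for ident in sorted(identifiers, key=len, reverse=True):
        if ident in lowered and not any(ident in m for m in matched):
            matched.append(ident)
    hits.extend(f"literal '{m}'" for m in matched)
    return hits


def audit_banners(banners, os_release_text):
    """Return {path: findings} for every banner that discloses release information."""
    idents = os_release_identifiers(os_release_text)
    report = {}
    for path, text in banners.items():
        hits = banner_disclosures(text, idents)
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    for path, hits in audit_banners(SAMPLE_BANNERS, SAMPLE_OS_RELEASE).items():
        print(f"{path}: {'; '.join(hits)}")
```

On a real host, read /etc/os-release and the three banner files in place of the constructed samples; a banner that passes carries a usage warning only, with no distro name, version or agetty release escapes.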
User with .forward file in home directory
Category: OS security
OS: Linux
Description
The purpose of a .forward file is to automatically forward mail as it is received to all included addresses, which may pose a risk as sensitive data can be transferred outside the organization.
Recommendation
Ensure no users have a .forward file in their home directory.
User does not own their home directory
Category: OS security
OS: Linux
Description
Verifies if there is any user who does not own their home directory. Since the user is accountable for files stored in their home directory, they must be the owner of the directory.
Recommendation
Ensure every user owns their home directory.
User dot files with wrong permissions
Category: OS security
OS: Linux
Description
Verifies if there is any user who has dot files with wrong permissions. If a user's dot files are group or world-writable, this may enable a malicious user to steal or modify their data or to gain system privileges.
Recommendation
Ensure every user's dot files are not group or world-writable.
User home directory exists
Category: OS security
OS: Linux
Description
Verifies if there is any user with a missing home directory. If a user's home directory does not exist, the user is placed in '/' after login and may not be able to write any files.
Recommendation
Ensure every user has a home directory.
Root PATH integrity
Category: OS security
OS: Linux
Description
Because the root user can execute any command on the system, a current working directory (.) entry or a group/other-writable directory in root's PATH creates the possibility for an attacker to gain superuser access.
Recommendation
Ensure the root's executable path does not contain . or any files with group or other write permissions.
Non-root user with UID 0
Category: OS security
OS: Linux
Description
Verifies if any user except root has the UID set to 0. Any account with UID 0 has superuser privileges on the system.
Recommendation
Ensure root is the only user with UID set to 0.
Legacy '+' entries in /etc/passwd
Category: OS security
OS: Linux
Description
Verifies if any entries beginning with '+' exist in /etc/passwd. '+' entries were used as markers to insert data from NIS maps, but are no longer required. This may provide attackers a way to gain access.
Recommendation
Ensure no legacy '+' entries exist in /etc/passwd.
Legacy '+' entries in /etc/shadow
Category: OS security
OS: Linux
Description
Verifies if any entries beginning with '+' exist in /etc/shadow. '+' entries were used as markers to insert data from NIS maps, but are no longer required. This may provide attackers a way to gain access.
Recommendation
Ensure no legacy '+' entries exist in /etc/shadow.
Legacy '+' entries in /etc/group
Category: OS security
OS: Linux
Description
Verifies if any entries beginning with '+' exist in /etc/group. '+' entries were used as markers to insert data from NIS maps, but are no longer required. This may provide attackers a way to gain access.
Recommendation
Ensure no legacy '+' entries exist in /etc/group.
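The account-database checks above (duplicate UIDs, GIDs, user and group names; non-root UID 0; empty password fields; shadow group members; groups referenced in /etc/passwd but missing from /etc/group; legacy '+' entries) all reduce to parsing three colon-separated files. The following is an added example, not the page's or the product's code, that runs every one of those checks over constructed /etc/passwd, /etc/group and /etc/shadow contents; a real audit reads the files themselves (reading /etc/shadow requires root).

```python
"""Added example: audit /etc/passwd, /etc/group and /etc/shadow contents."""
from collections import Counter

# Constructed sample files, each seeded with one defect the checks should catch.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
alice:x:1002:1001:Alice again:/home/alice2:/bin/bash
backup:x:0:0:backup:/root:/bin/bash
svc:x:1003:4242:service:/var/svc:/usr/sbin/nologin
+::::::
"""
GROUP = """\
root:x:0:
daemon:x:1:
alice:x:1000:
bob:x:1001:
bob:x:1005:
staff:x:1001:
shadow:x:42:alice
"""
SHADOW = """\
root:$6$salt$hash:19000:0:99999:7:::
alice:$6$salt$hash:19000:0:99999:7:::
bob::19000:0:99999:7:::
svc:!:19000:0:99999:7:::
"""


def parse(text):
    """Split each non-empty line into its colon-separated fields."""
    return [line.split(":") for line in text.splitlines() if line.strip()]


def dups(values):
    """Sorted list of values that occur more than once."""
    return sorted(v for v, n in Counter(values).items() if n > 1)


def audit(passwd_text, group_text, shadow_text):
    """Return {check: sorted offending entries}; an empty list means the check passed."""
    passwd, group, shadow = parse(passwd_text), parse(group_text), parse(shadow_text)
    f = {}
    # Legacy NIS '+' markers: the whole line starts with '+', so the name field does.
    f["legacy_plus_passwd"] = [e[0] for e in passwd if e[0].startswith("+")]
    f["legacy_plus_group"] = [e[0] for e in group if e[0].startswith("+")]
    f["legacy_plus_shadow"] = [e[0] for e in shadow if e[0].startswith("+")]
    # The markers are not real accounts, so the remaining checks skip them.
    users = [e for e in passwd if not e[0].startswith("+")]
    groups = [e for e in group if not e[0].startswith("+")]
    f["duplicate_uid"] = dups(e[2] for e in users)
    f["duplicate_gid"] = dups(e[2] for e in groups)
    f["duplicate_user_name"] = dups(e[0] for e in users)
    f["duplicate_group_name"] = dups(e[0] for e in groups)
    # Any account other than root with UID 0 has full superuser rights.
    f["non_root_uid0"] = sorted(e[0] for e in users if e[2] == "0" and e[0] != "root")
    # Every primary GID in /etc/passwd must be declared in /etc/group.
    known_gids = {e[2] for e in groups}
    f["gid_missing_from_group"] = sorted(e[0] for e in users if e[3] not in known_gids)
    # Field 2 of /etc/shadow is the hash; empty means the account has no password at all
    # (a locked account shows '!' or '*' instead and passes this check).
    f["empty_password"] = sorted(e[0] for e in shadow if not e[0].startswith("+") and e[1] == "")
    # Members of the shadow group can read /etc/shadow; the list should be empty.
    f["shadow_group_members"] = sorted(m for e in groups if e[0] == "shadow"
                                       for m in e[3].split(",") if m)
    return f


if __name__ == "__main__":
    for check, hits in audit(PASSWD, GROUP, SHADOW).items():
        print(f"{check:24s} {'FAIL: ' + ', '.join(hits) if hits else 'ok'}")
```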
Incorrect permissions on /etc/ssh/sshd_config
Category: OS security
OS: Linux
Description
Verifies permissions on the /etc/ssh/sshd_config file. This file needs to be protected from unauthorized changes.
Recommendation
Ensure the /etc/ssh/sshd_config file has the UID and GID set to 0 (root), and does not grant any permissions to group or other users.
Incorrect permissions on SSH private host keys
Category: OS security
OS: Linux
Description
Verifies permissions on all SSH private keys. An SSH private key is a proof of identity.
If an unauthorized user obtains the private key, the owner could be impersonated.
Recommendation
Ensure all SSH private keys have UID and GID set to 0 (root) and do not give any permissions to group or other users.
Incorrect permissions on SSH public host keys
Category: OS security
OS: Linux
Description
Verifies permissions on all SSH public keys. A public key is a key that can be used to verify digital signatures generated using a corresponding private key.
If the public key is modified by an unauthorized user, the SSH service may be compromised.
Recommendation
Ensure all SSH public keys have UID and GID set to 0 (root) and do not give any permissions to group or other users.
SSH log level is appropriate
Category: OS security
OS: Linux
Description
Verifies that LogLevel is not set to debug in /etc/ssh/sshd_config, as it provides too much information that can be used by an attacker.
Recommendation
Ensure SSH log level is not set to debug.
SSH X11 forwarding is enabled
Category: OS security
OS: Linux
Description
Verifies that X11Forwarding in /etc/ssh/sshd_config is disabled. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server.
Recommendation
Ensure SSH X11 forwarding is disabled.
SSH IgnoreRhosts is disabled
Category: OS security
OS: Linux
Description
Verifies that IgnoreRhosts in /etc/ssh/sshd_config is set to yes. Setting this parameter forces users to enter a password when authenticating with SSH.
Recommendation
Ensure SSH IgnoreRhosts is enabled.
SSH PermitUserEnvironment is enabled
Category: OS security
OS: Linux
Description
Verifies that PermitUserEnvironment in /etc/ssh/sshd_config is disabled. This option allows users to present environment options to the SSH daemon and could potentially allow users to bypass security controls.
Recommendation
Ensure SSH PermitUserEnvironment is disabled.
SSH uses weak ciphers
Category: OS security
OS: Linux
Description
Verifies that Ciphers in /etc/ssh/sshd_config does not contain any weak ciphers.
Recommendation
Ensure only strong Ciphers are being used.
SSH uses weak MAC algorithms
Category: OS security
OS: Linux
Description
Verifies that MACs in /etc/ssh/sshd_config does not contain any weak MAC algorithms.
Recommendation
Ensure only strong MAC algorithms are being used.
SSH uses weak key exchange algorithms
Category: OS security
OS: Linux
Description
Verifies that KexAlgorithms in /etc/ssh/sshd_config does not contain any weak key exchange algorithms.
Recommendation
Ensure only strong key exchange algorithms are being used.
SSH access is not limited
Category: OS security
OS: Linux
Description
Verifies that at least one option limiting which users and groups can access the system (AllowUsers, AllowGroups, DenyUsers, DenyGroups) is being used. Restricting which users can access the system via SSH will help ensure that only authorized users access the system.
Recommendation
Ensure SSH access is limited.
SSH warning banner is not configured
Category: OS security
OS: Linux
Description
Verifies that Banner in /etc/ssh/sshd_config is set. Banners are used to warn connecting users of the site's particular policy regarding connection.
Recommendation
Ensure SSH warning banner is configured.
SSH UsePAM is disabled
Category: OS security
OS: Linux
Description
Verifies that UsePAM in /etc/ssh/sshd_config is enabled. When UsePAM is enabled, the Pluggable Authentication Modules (PAM) service runs through the account and session types properly.
This is important if you want to restrict access to services based on IP.
Recommendation
Ensure SSH PAM is enabled.
SSH AllowTcpForwarding is enabled
Category: OS security
OS: Linux
Description
Verifies that AllowTcpForwarding in /etc/ssh/sshd_config is disabled. Leaving port forwarding enabled can expose the organization to security risks and back-doors.
Recommendation
Ensure SSH AllowTcpForwarding is disabled.
SSH MaxAuthTries is not properly configured
Category: OS security
OS: Linux
Description
Verifies that MaxAuthTries in /etc/ssh/sshd_config is set to 4 or less. Setting MaxAuthTries to a low number will minimize the risk of a successful brute force attack to the SSH server.
Recommendation
Ensure SSH MaxAuthTries option is configured to support up to 4 retries.
SSH LoginGraceTime is not properly configured
Category: OS security
OS: Linux
Description
Verifies that LoginGraceTime in /etc/ssh/sshd_config is set to 1 minute or less. Setting LoginGraceTime to a low number will minimize the risk of a successful brute force attack to the SSH server.
Recommendation
Ensure SSH LoginGraceTime option is configured to wait up to 1 minute.
SSH MaxSessions is not properly configured
Category: OS security
OS: Linux
Description
Verifies that MaxSessions in /etc/ssh/sshd_config is set to 4 or less. Setting MaxSessions to a low number will minimize the risk of overwhelming the SSH daemon.
Recommendation
Ensure the SSH MaxSessions option is configured to allow up to 4 sessions.
SSH MaxStartups is not configured
Category: OS security
OS: Linux
Description
Verifies that MaxStartups in /etc/ssh/sshd_config is set to 10:30:60. This parameter specifies the maximum number of concurrent unauthenticated connections to the SSH daemon.
Recommendation
Ensure SSH MaxStartups option is properly configured.
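The sshd_config checks above (LogLevel, X11Forwarding, IgnoreRhosts, PermitUserEnvironment, weak Ciphers/MACs/KexAlgorithms, access limits, Banner, UsePAM, AllowTcpForwarding, MaxAuthTries, LoginGraceTime, MaxSessions, MaxStartups), together with the idle-timeout and password-login checks at the top of the Linux section, can be evaluated from one parse of the file. The following is an added example, not code from the page or the product, that does so. It mirrors two sshd behaviours a checker must respect: keywords are case-insensitive and the first value given for a keyword wins, and settings under a Match block apply only conditionally, so the parser stops at the first Match line. Defaults assumed for absent keywords are those documented in sshd_config(5); the weak-algorithm sets are partial lists drawn from common hardening guides; both configuration texts are constructed.

```python
"""Added example: audit the global section of an sshd_config."""
import re

# Constructed sshd_config with weak settings; MaxAuthTries, MaxSessions, MaxStartups,
# PasswordAuthentication, AllowTcpForwarding and ClientAlive* are left at sshd defaults.
WEAK_CONFIG = """\
LogLevel DEBUG
X11Forwarding yes
IgnoreRhosts no
PermitUserEnvironment yes
LoginGraceTime 2m
Ciphers aes256-gcm@openssh.com,3des-cbc
MACs hmac-sha2-512,hmac-md5
KexAlgorithms curve25519-sha256,diffie-hellman-group1-sha1
UsePAM yes
# Banner and AllowUsers/AllowGroups/DenyUsers/DenyGroups are absent
Match User deploy
    PasswordAuthentication no
"""
# Constructed sshd_config that passes every check below.
HARDENED_CONFIG = """\
LogLevel VERBOSE
X11Forwarding no
IgnoreRhosts yes
PermitUserEnvironment no
PasswordAuthentication no
UsePAM yes
AllowTcpForwarding no
Banner /etc/issue.net
AllowGroups sshusers
MaxAuthTries 4
LoginGraceTime 60
MaxSessions 4
MaxStartups 10:30:60
ClientAliveInterval 300
ClientAliveCountMax 3
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
"""
# Partial lists of algorithms that hardening guides treat as weak.
WEAK_ALGOS = {
    "Ciphers": {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc", "arcfour", "arcfour128", "arcfour256", "blowfish-cbc", "cast128-cbc"},
    "MACs": {"hmac-md5", "hmac-md5-96", "hmac-sha1-96", "umac-64@openssh.com", "hmac-md5-etm@openssh.com", "hmac-sha1-96-etm@openssh.com"},
    "KexAlgorithms": {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1", "diffie-hellman-group-exchange-sha1"},
}
# yes/no keywords: (wanted value, sshd_config(5) default used when the keyword is absent).
EXPECT_BOOL = {"X11Forwarding": ("no", "no"), "IgnoreRhosts": ("yes", "yes"),
               "PermitUserEnvironment": ("no", "no"), "PasswordAuthentication": ("no", "yes"),
               "UsePAM": ("yes", "no"), "AllowTcpForwarding": ("no", "yes")}


def parse_sshd_config(text):
    """Map keyword.lower() -> first value, for the global (pre-Match) section only."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":
            break
        settings.setdefault(key, value)              # first occurrence wins, as in sshd
    return settings


def to_seconds(value):
    """sshd time format (60, 1m, 1h30m) -> seconds."""
    units = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
    return sum(int(n) * units[u] for n, u in re.findall(r"(\d+)([smhdw]?)", value.lower()))


def audit_sshd(s):
    """Return [(Keyword, problem)] for every failed check on parsed settings s."""
    findings = []
    if s.get("loglevel", "INFO").upper().startswith("DEBUG"):
        findings.append(("LogLevel", "must not be DEBUG"))
    for name, (wanted, default) in EXPECT_BOOL.items():
        if s.get(name.lower(), default).lower() != wanted:
            findings.append((name, f"should be {wanted}"))
    if s.get("banner", "none").lower() in ("", "none"):
        findings.append(("Banner", "should name a warning banner file"))
    if not any(k in s for k in ("allowusers", "allowgroups", "denyusers", "denygroups")):
        findings.append(("AllowUsers/AllowGroups/DenyUsers/DenyGroups", "none set"))
    for name, default, ceiling, conv in (("MaxAuthTries", "6", 4, int), ("MaxSessions", "10", 4, int),
                                         ("LoginGraceTime", "120", 60, to_seconds)):
        if conv(s.get(name.lower(), default)) > ceiling:
            findings.append((name, f"should be {ceiling} or less"))
    if s.get("maxstartups", "10:30:100") != "10:30:60":
        findings.append(("MaxStartups", "should be 10:30:60"))
    if "clientaliveinterval" not in s or "clientalivecountmax" not in s:
        findings.append(("ClientAliveInterval/ClientAliveCountMax", "idle timeout not configured"))
    for name, weak in WEAK_ALGOS.items():
        if name.lower() in s:  # a leading +, - or ^ edits the default list; strip it first
            bad = sorted(set(s[name.lower()].lstrip("+-^").lower().split(",")) & weak)
            if bad:
                findings.append((name, "weak algorithms: " + ", ".join(bad)))
    return findings
```

Running `audit_sshd(parse_sshd_config(WEAK_CONFIG))` reports sixteen findings, including the ones that come purely from defaults, while the hardened text reports none; the `PasswordAuthentication no` inside the Match block correctly does not rescue the weak file, because it applies to one user only.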
Mounting cramfs filesystems is enabled
Category: OS security
OS: Linux
Description
Verifies that the mounting of cramfs filesystems is disabled. Removing support for unneeded filesystem types reduces the local attack surface of the server.
Recommendation
Ensure mounting of cramfs filesystem is disabled if not used.
Mounting freevxfs filesystems is enabled
Category: OS security
OS: Linux
Description
Verifies that the mounting of freevxfs filesystems is disabled. Removing support for unneeded filesystem types reduces the local attack surface of the server.
Recommendation
Ensure mounting of freevxfs filesystem is disabled if not used.
Mounting jffs2 filesystems is enabled
Category: OS security
OS: Linux
Description
Verifies that the mounting of jffs2 filesystems is disabled. Removing support for unneeded filesystem types reduces the local attack surface of the server.
Recommendation
Ensure mounting of jffs2 filesystem is disabled if not used.
Mounting hfs filesystems is enabled
Category: OS security
OS: Linux
Description
Verifies that the mounting of hfs filesystems is disabled. Removing support for unneeded filesystem types reduces the local attack surface of the server.
Recommendation
Ensure mounting of hfs filesystem is disabled if not used.
Mounting hfsplus filesystems is enabled
Category: OS security
OS: Linux
Description
Verifies that the mounting of hfsplus filesystems is disabled. Removing support for unneeded filesystem types reduces the local attack surface of the server.
Recommendation
Ensure mounting of hfsplus filesystem is disabled if not used.
Mounting squashfs filesystems is enabled
Category: OS security
OS: Linux
Description
Verifies that the mounting of squashfs filesystems is disabled. Removing support for unneeded filesystem types reduces the local attack surface of the server.
Recommendation
Ensure mounting of squashfs filesystem is disabled if not used.
Mounting udf filesystems is enabled
Category: OS security
OS: Linux
Description
Verifies that the mounting of udf filesystems is disabled. Removing support for unneeded filesystem types reduces the local attack surface of the server.
Recommendation
Ensure mounting of udf filesystem is disabled if not used.
No separate partition for /tmp directory
Category: OS security
OS: Linux
Description
Verifies that /tmp is a separate filesystem, either tmpfs or a dedicated partition mounted on /tmp. Making /tmp its own file system allows an administrator to set the noexec option on the mount, rendering /tmp useless in case an attacker attempts to install executable code.
Recommendation
Ensure /tmp is a mountpoint.
nodev option is not set on /tmp partition
Category: OS security
OS: Linux
Description
Verifies that nodev option is set on the /tmp partition. This option ensures that users cannot attempt to create block or character-special devices in /tmp.
Recommendation
Ensure nodev option is set on the /tmp partition.
nosuid option is not set on /tmp partition
Category: OS security
OS: Linux
Description
Verifies that nosuid option is set on the /tmp partition. Since /tmp filesystem is only intended for temporary file storage, this option ensures that users cannot attempt to create setuid files.
Recommendation
Ensure nosuid option is set on the /tmp partition.
noexec option is not set on /tmp partition
Category: OS security
OS: Linux
Description
Verifies that noexec option is set on the /tmp partition. Since /tmp filesystem is only intended for temporary file storage, this option ensures that users cannot attempt to run executable binaries from /tmp.
Recommendation
Ensure noexec option is set on the /tmp partition.
No separate partition for /var folder
Category: OS security
OS: Linux
Description
Verifies the existence of a separate partition for /var. /var may contain world-writable files and directories, thus raising the risk of resource exhaustion if not bound to a separate partition.
Recommendation
Ensure a separate partition is in place for /var.
No separate partition for /var/tmp directory
Category: OS security
OS: Linux
Description
Verifies the existence of a separate partition for /var/tmp. /var/tmp may contain world-writable files and directories, thus raising the risk of resource exhaustion if not bound to a separate partition. A separate partition also allows setting the nodev, nosuid and noexec options to prevent further vulnerabilities.
Recommendation
Ensure a separate partition is in place for /var/tmp.
nodev option is not set on /var/tmp partition
Category: OS security
OS: Linux
Description
Verifies that nodev option is set on the /var/tmp partition. This option ensures that users cannot attempt to create block or character special devices in /var/tmp.
Recommendation
Ensure the nodev option is set on the /var/tmp partition.
nosuid option is not set on /var/tmp partition
Category: OS security
OS: Linux
Description
Verifies that nosuid option is set on the /var/tmp partition. Since /var/tmp filesystem is only intended for temporary file storage, this option ensures that users cannot attempt to create setuid files.
Recommendation
Ensure the nosuid option is set on the /var/tmp partition.
noexec option is not set on /var/tmp partition
Category: OS security
OS: Linux
Description
Verifies that noexec option is set on the /var/tmp partition. Since /var/tmp filesystem is only intended for temporary file storage, this option ensures that users cannot attempt to run executable binaries from /var/tmp.
Recommendation
Ensure the noexec option is set on the /var/tmp partition.
No separate partition for /var/log directory
Category: OS security
OS: Linux
Description
Verifies the existence of a separate partition for the /var/log directory. /var/log should be on a separate partition to prevent resource exhaustion and protect audit data.
Recommendation
Ensure a separate partition is in place for /var/log.
No separate partition for /var/log/audit directory
Category: OS security
OS: Linux
Description
Verifies the existence of a separate partition for /var/log/audit. /var/log/audit should be on a separate partition to prevent resource exhaustion and protect audit data.
Recommendation
Ensure a separate partition is in place for /var/log/audit.
No separate partition for /home directory
Category: OS security
OS: Linux
Description
Verifies the existence of a separate partition for /home. This protects against resource exhaustion and can restrict the type of files that can be stored under /home.
Recommendation
Ensure a separate partition is in place for /home.
nodev option is not set on /home partition
Category: OS security
OS: Linux
Description
Verifies that the nodev option is set on the /home partition. This option ensures that users cannot attempt to create block or character special devices in /home.
Recommendation
Ensure the nodev option is set on /home partition.
nodev option is not set on /dev/shm partition
Category: OS security
OS: Linux
Description
Verifies that the nodev option is set on the /dev/shm partition. This option ensures that users cannot attempt to create block or character special devices in /dev/shm.
Recommendation
Ensure the nodev option is set on the /dev/shm partition.
nosuid option is not set on /dev/shm partition
Category: OS security
OS: Linux
Description
Verifies that the nosuid option is set on the /dev/shm partition. Since /dev/shm filesystem is only intended for temporary file storage, this option ensures that users cannot attempt to create setuid files.
Recommendation
Ensure the nosuid option is set on the /dev/shm partition.
noexec option is not set on /dev/shm partition
Category: OS security
OS: Linux
Description
Verifies that the noexec option is set on the /dev/shm partition. Since /dev/shm filesystem is only intended for temporary file storage, this option ensures that users cannot attempt to run executable binaries from /dev/shm.
Recommendation
Ensure the noexec option is set on the /dev/shm partition.
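The partition and mount-option checks above all come down to two questions per path: is it a mount point of its own, and does that mount carry the required options. The following is an added example, not the page's or the product's code, that answers both from /proc/mounts-style lines; the mount table is constructed, and the policy table is an assumption that encodes the recommendations above (it can be extended with further paths).

```python
"""Added example: verify separate mounts and nodev/nosuid/noexec options."""

# Constructed /proc/mounts excerpt: device, mount point, fstype, options, dump, pass.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
/dev/sda2 /home ext4 rw,relatime 0 0
/dev/sda3 /var ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdb1 /mnt/backup\\040disk ext4 rw,relatime 0 0
"""

# Assumed policy mirroring the recommendations above: each path must be its own
# mount point and carry the listed options (an empty tuple means "separate mount only").
POLICY = {
    "/tmp": ("nodev", "nosuid", "noexec"),
    "/var": (),
    "/var/tmp": ("nodev", "nosuid", "noexec"),
    "/var/log": (),
    "/var/log/audit": (),
    "/home": ("nodev",),
    "/dev/shm": ("nodev", "nosuid", "noexec"),
}


def parse_mounts(text):
    """Return {mount point: set(options)} from /proc/mounts-style lines.

    The kernel escapes spaces in paths as \\040 (octal), so decode that before comparing.
    """
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mountpoint = fields[1].replace("\\040", " ")
        mounts[mountpoint] = set(fields[3].split(","))
    return mounts


def audit_mounts(mounts, policy=POLICY):
    """Return [(path, problem)] in policy order; an empty list means everything passed."""
    findings = []
    for path, required in policy.items():
        if path not in mounts:
            findings.append((path, "not a separate mount point"))
            continue
        missing = [opt for opt in required if opt not in mounts[path]]
        if missing:
            findings.append((path, "missing options: " + ",".join(missing)))
    return findings


if __name__ == "__main__":
    for path, problem in audit_mounts(parse_mounts(SAMPLE_MOUNTS)):
        print(f"{path}: {problem}")
```

On a live host, read /proc/mounts rather than /etc/fstab: fstab records intent, while /proc/mounts records the options actually in effect, which is what these checks are about. Fixing a finding means adding the option to the fstab entry (for example `tmpfs /tmp tmpfs defaults,nodev,nosuid,noexec 0 0`) and remounting.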
USB Storage is enabled
Category: OS security
OS: Linux
Description
Verifies that usb-storage is disabled. Restricting USB access on the system will decrease the physical attack surface for a device.
Recommendation
Ensure USB Storage is disabled if not used.
Automounting is enabled
Category: OS security
OS: Linux
Description
Verifies that autofs is disabled. autofs allows automounting of devices.
With automounting enabled, anyone with physical access can attach a device and have its contents available in the system even if they lack permissions to mount it.
Recommendation
Ensure Automounting is disabled.
SSH protocol version should be set to 2
Category: OS security
OS: Linux
Description
Verifies that Protocol in /etc/ssh/sshd_config is set to 2. SSH v1 suffers from insecurities that do not affect SSH v2.
Recommendation
Ensure SSH Protocol is set to 2.
MongoDB authentication is not configured
Category: OS security
OS: Linux
Description
Verifies that authorization in /etc/mongod.conf is enabled. This ensures that all clients, users, servers are required to authenticate before being granted access to the MongoDB database.
Recommendation
Ensure MongoDB authentication is configured.
MongoDB allows authentication bypass via localhost exception
Category: OS security
OS: Linux
Description
Verifies that enableLocalhostAuthBypass in /etc/mongod.conf is set to false. This will prevent unauthorized local access to the MongoDB database and ensure traceability of each database activity to a specific user.
Recommendation
Ensure that MongoDB does not bypass authentication via the localhost exception.
MongoDB authentication is not enabled in the sharded cluster
Category: OS security
OS: Linux
Description
Verifies that certificateKeyFile, CAFile and clusterFile in /etc/mongod.conf are configured, and that clusterAuthMode is set to x509. Enforcing a key or certificate on a sharded cluster prevents unauthorized access to the MongoDB database and provides traceability of database activities to a specific user or component.
Recommendation
Ensure MongoDB authentication is enabled in the sharded cluster.
MongoDB listens on all interfaces
Category: OS security
OS: Linux
Description
Verifies that bindIp in /etc/mongod.conf is configured. This configuration blocks connections from untrusted networks (not included in bindIp values), leaving only systems on authorized and trusted networks able to attempt to connect to the MongoDB.
Recommendation
Ensure MongoDB only listens for network connections on authorized interfaces.
MongoDB does not use TLS
Category: OS security
OS: Linux
Description
Verifies that mode (under tls) in /etc/mongod.conf is set to 'requireTLS'. This prevents sniffing of cleartext traffic between MongoDB components or performing a man-in-the-middle attack for MongoDB.
Recommendation
Ensure data in transit is encrypted with TLS.
xinetd is enabled
Category: OS security
OS: Linux
Description
The eXtended InterNET Daemon (xinetd) is an open source super daemon that replaced the original inetd daemon. If there are no xinetd services required, we recommend you disable the daemon.
Recommendation
Ensure xinetd.service is not enabled in systemd.
chargen services are enabled
Category: OS security
OS: Linux
Description
chargen is a network service that responds with 0 to 512 ASCII characters. This service is intended for debugging and testing purposes. We recommend you keep this service disabled.
Recommendation
Ensure chargen is disabled in /etc/inetd.* and /etc/xinetd.*.
daytime services are enabled
Category: OS security
OS: Linux
Description
daytime is a network service that responds with the server's current date and time. This service is intended for debugging and testing purposes. We recommend you keep this service disabled.
Recommendation
Ensure daytime is disabled in /etc/inetd.* and /etc/xinetd.*.
discard services are enabled
Category: OS security
OS: Linux
Description
discard is a network service that simply discards all data it receives. This service is intended for debugging and testing purposes. We recommend you keep this service disabled.
Recommendation
Ensure discard is disabled in /etc/inetd.* and /etc/xinetd.*.
echo services are enabled
Category: OS security
OS: Linux
Description
echo is a network service that responds to clients with the data sent to it by the client. This service is intended for debugging and testing purposes. We recommend you keep this service disabled.
Recommendation
Ensure echo is disabled in /etc/inetd.* and /etc/xinetd.*.
time services are enabled
Category: OS security
OS: Linux
Description
time is a network service that responds with the server's current date and time as a 32-bit integer. This service is intended for debugging and testing purposes. We recommend you keep this service disabled.
Recommendation
Ensure time is disabled in /etc/inetd.* and /etc/xinetd.*.
Berkeley rsh-server services are enabled
Category: Network and credentials
OS: Linux
Description
The Berkeley rsh-server (rsh, rlogin, rexec) package contains legacy services that exchange clear-text credentials. These legacy services contain numerous security exposures and have been replaced with the more secure SSH package.
Recommendation
Ensure the shell, login, exec services are disabled in /etc/inetd.* and /etc/xinetd.*.
talk server is enabled
Category: Network and credentials
OS: Linux
Description
The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (which allows initiating talk sessions) is installed by default. The software presents a security risk as it uses unencrypted protocols for communication.
Recommendation
Ensure talk and ntalk are disabled in /etc/inetd.* and /etc/xinetd.*.
telnet server is enabled
Category: Network and credentials
OS: Linux
Description
The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user who is able to sniff network traffic to steal credentials. The ssh package provides an encrypted session and stronger security.
Recommendation
Ensure telnet is disabled in /etc/inetd.* and /etc/xinetd.*.
TFTP server is enabled
Category: Network and credentials
OS: Linux
Description
The TFTP server does not support authentication nor does it ensure the confidentiality or integrity of data. We recommend you remove TFTP unless there is a specific need for it, in which case, extreme caution must be used when configuring the services.
Recommendation
Ensure tftp is disabled in /etc/inetd.* and /etc/xinetd.*.
CUPS is disabled
Category: Network and credentials
OS: Linux
Description
The Common Unix Printing System (CUPS) provides the ability to print to both local and network printers. If the system does not need to print jobs or accept print jobs from other systems, we recommend you remove CUPS to reduce the potential attack surface.
Recommendation
Ensure cups is disabled in systemd.
DHCP server is enabled
Category: Network and credentials
OS: Linux
Description
The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses. Unless a system is specifically set up to act as a DHCP server, we recommend you disable this service to reduce the potential attack surface.
Recommendation
Ensure dhcpd and isc-dhcp-server are disabled in systemd.
LDAP server is enabled
Category: Network and credentials
OS: Linux
Description
The Lightweight Directory Access Protocol (LDAP) is a service that provides a method for looking up information from a central database. If the system will not need to act as an LDAP server, we recommend you disable this service to reduce the potential attack surface.
Recommendation
Ensure slapd is disabled in systemd.
NFS is enabled
Category: Network and credentials
OS: Linux
Description
The Network File System (NFS) provides the ability for systems to mount file systems of other servers through the network. If the system does not export NFS shares or act as an NFS client, we recommend you disable this service to reduce the remote attack surface.
Recommendation
Ensure nfs-server is disabled in systemd.
RPC is enabled
Category: Network and credentials
OS: Linux
Description
Remote Procedure Call (RPC) is a method for creating low level client server applications across different system architectures. If RPC is not required, we recommend you disable this service to reduce the remote attack surface.
Recommendation
Ensure rpcbind is disabled in systemd.
DNS Server is enabled
Category: Network and credentials
OS: Linux
Description
The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network. Unless a system is specifically designated to act as a DNS server, we recommend you disable the service to reduce the potential attack surface.
Recommendation
Ensure named and bind9 are disabled in systemd.
HTTP Server is enabled
Category: Network and credentials
OS: Linux
Description
HTTP or web servers provide the ability to host web site content. Unless there is a need to run the system as a web server, we recommend you disable the service to reduce the potential attack surface.
Recommendation
Ensure httpd and apache2 are disabled in systemd.
IMAP and POP3 Servers are enabled
Category: Network and credentials
OS: Linux
Description
Unless POP3 and/or IMAP servers are to be provided by the operating system, we recommend you disable the service to reduce the potential attack surface.
Recommendation
Ensure dovecot is disabled in systemd.
NIS Server is enabled
Category: Network and credentials
OS: Linux
Description
The NIS server is a collection of programs that allow the distribution of configuration files. The NIS service is inherently an insecure system that has been vulnerable to DoS attacks. We recommend you remove this service and use other, more secure services.
Recommendation
Ensure nis, ypserv are disabled in systemd.
IP Forwarding is enabled
Category: Network and credentials
OS: Linux
Description
The net.ipv4.ip_forward and net.ipv6.conf.all.forwarding flags tell the system whether it may forward packets. Setting the flags to 0 ensures that a system with multiple interfaces (for example, a hard proxy) will never be able to forward packets, and consequently will never serve as a router.
Recommendation
Ensure the net.ipv4.ip_forward and net.ipv6.conf.all.forwarding flags are set to 0 (false).
Packet redirect sending is enabled
Category: Network and credentials
OS: Linux
Description
An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker, as opposed to a valid system.
Recommendation
Ensure the net.ipv4.conf.all.send_redirects and net.ipv4.conf.default.send_redirects flags are set to 0 (false).
Source-routed packets are accepted
Category: Network and credentials
OS: Linux
Description
In networking, source routing allows a sender to partially or fully specify the route packets take through a network. If source-routed packets are accepted, they can be used to reach systems on private address ranges, because the sender dictates the route instead of relying on routing protocols that would not permit it.
Recommendation
Ensure the net.ipv4.conf.all.accept_source_route, net.ipv4.conf.default.accept_source_route, net.ipv6.conf.all.accept_source_route and net.ipv6.conf.default.accept_source_route flags are disabled.
ICMP redirects are accepted
Category: Network and credentials
OS: Linux
Description
Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables, causing the system to send packets to incorrect networks and allowing its traffic to be captured.
Recommendation
Ensure the net.ipv4.conf.all.accept_redirects and net.ipv6.conf.all.accept_redirects flags are disabled.
Secure ICMP redirects are accepted
Category: Network and credentials
OS: Linux
Description
Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure. Nevertheless, it is still possible even for known gateways to be compromised.
Recommendation
Ensure the net.ipv4.conf.all.secure_redirects flag is disabled.
Make sure suspicious martian packets are logged
Category: Network and credentials
OS: Linux
Description
Enabling the logging of suspicious martian packets allows an administrator to investigate if an attacker is sending spoofed packets to their system.
Recommendation
Ensure the net.ipv4.conf.all.log_martians and net.ipv4.conf.default.log_martians flags are set to 1 (true).
Broadcast ICMP requests are not ignored
Category: Network and credentials
OS: Linux
Description
Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack.
Recommendation
Ensure the net.ipv4.icmp_echo_ignore_broadcasts flag is set to 1 (true).
Bogus ICMP responses are not ignored
Category: Network and credentials
OS: Linux
Description
Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages.
Recommendation
Ensure the net.ipv4.icmp_ignore_bogus_error_responses flag is enabled.
Reverse Path Filtering is disabled
Category: Network and credentials
OS: Linux
Description
Reverse Path Filtering is a method used by the Linux kernel to help prevent attacks that rely on spoofed IP addresses. Enabling Reverse Path Filtering is a good way to deter attackers from sending your system bogus packets that cannot be responded to.
Recommendation
Ensure net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter are set to 1.
TCP SYN Cookies is disabled
Category: Network and credentials
OS: Linux
Description
Attackers use SYN flood attacks to perform a denial of service attack on a system by sending multiple SYN packets without completing the three-way handshake.
Recommendation
Ensure net.ipv4.tcp_syncookies is set to 1.
IPv6 router advertisements are accepted
Category: Network and credentials
OS: Linux
Description
We recommend you set up systems to not accept router advertisements, as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes.
Recommendation
Ensure the net.ipv6.conf.all.accept_ra and net.ipv6.conf.default.accept_ra flags are disabled.
Permissions on /etc/hosts.allow are not configured
Category: OS security
OS: Linux
Description
It is critical to ensure that the /etc/hosts.allow file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions.
Recommendation
Ensure /etc/hosts.allow is owned by root and has permission 644.
Permissions on /etc/hosts.deny are not configured
Category: OS security
OS: Linux
Description
It is critical to ensure that the /etc/hosts.deny file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions.
Recommendation
Ensure /etc/hosts.deny is owned by root and has permission 644.
DCCP is enabled
Category: Network and credentials
OS: Linux
Description
The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. If the protocol is not required, we recommend you do not load its kernel module, to reduce the potential attack surface.
Recommendation
Ensure the dccp module is not loaded.
SCTP is enabled
Category: Network and credentials
OS: Linux
Description
The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. If the protocol is not being used, it is recommended that the kernel module not be loaded, thus disabling the service to reduce the potential attack surface.
Recommendation
Ensure the sctp module is not loaded.
RDS is enabled
Category: Network and credentials
OS: Linux
Description
The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. If the protocol is not being used, it is recommended that the kernel module not be loaded, thus disabling the service to reduce the potential attack surface.
Recommendation
Ensure the rds module is not loaded.
TIPC is enabled
Category: OS security
OS: Linux
Description
The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes. If the protocol is not being used, it is recommended that the kernel module not be loaded, thus disabling the service to reduce the potential attack surface.
Recommendation
Ensure the tipc module is not loaded.
iptables is not installed
Category: OS security
OS: Linux
Description
iptables allows configuration of the IPv4 and IPv6 tables in the Linux kernel and the rules stored within them. Most firewall configuration utilities operate as a front end to iptables.
Recommendation
Ensure the iptables package is installed.
IPv6 default deny firewall policy is not enforced
Category: OS security
OS: Linux
Description
A default deny all policy on connections ensures that any unconfigured network usage will be rejected. With a default accept policy the firewall will accept any packet that is not explicitly configured to be denied. It is easier to whitelist acceptable usage than to blacklist unacceptable usage.
Recommendation
In case IPv6 is enabled, verify that the policy for the INPUT, OUTPUT, and FORWARD chains is set to DROP or REJECT in ip6tables.
IPv6 loopback traffic is not configured
Category: OS security
OS: Linux
Description
Loopback traffic is generated between processes on the machine and is typically critical to system operation. The loopback interface is the only place that loopback network (::1) traffic should be seen; all other interfaces should ignore traffic on this network as an anti-spoofing measure.
Recommendation
In case IPv6 is enabled, make sure the loopback interface accepts traffic. Ensure all other interfaces deny traffic to the loopback network (::1).
Default deny firewall policy is not enforced
Category: OS security
OS: Linux
Description
A default deny all policy on connections ensures that any unconfigured network usage will be rejected. With a default accept policy the firewall will accept any packet that is not explicitly configured to be denied. It is easier to whitelist acceptable usage than to blacklist unacceptable usage.
Recommendation
Verify that the policy for the INPUT, OUTPUT, and FORWARD chains is set to DROP or REJECT in iptables.
Loopback traffic is not configured
Category: OS security
OS: Linux
Description
Loopback traffic is generated between processes on the machine and is typically critical to the operation of the system. The loopback interface is the only place that loopback network (127.0.0.0/8) traffic should be seen; all other interfaces should ignore traffic on this network as an anti-spoofing measure.
Recommendation
Make sure the loopback interface accepts traffic. Ensure all other interfaces deny traffic to the loopback network (127.0.0.0/8).
AIDE is not installed
Category: OS security
OS: Linux
Description
AIDE takes a snapshot of filesystem state including modification times, permissions, and file hashes which can then be used to compare against the current state of the filesystem to detect modifications to the system. By monitoring the filesystem state compromised files can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries.
Recommendation
Ensure the AIDE package is installed.
Filesystem integrity is not checked regularly
Category: OS security
OS: Linux
Description
Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion.
Recommendation
Ensure aidecheck.service and aidecheck.timer are enabled in systemctl, or that a cron job is scheduled to run an aide check.
prelink is enabled
Category: OS security
OS: Linux
Description
prelink is a program that modifies ELF shared libraries and ELF dynamically linked binaries in such a way that the time needed for the dynamic linker to perform relocations at startup significantly decreases. Prelinking can increase the vulnerability of the system if a malicious user is able to compromise a common library such as libc.
Recommendation
Ensure the prelink package is not installed.
Core dumps are allowed
Category: OS security
OS: Linux
Description
A core dump is the memory of an executable program. It is generally used to determine why a program was aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user.
Recommendation
Ensure that /etc/security/limits.* has the core limit set to 0, the fs.suid_dumpable flag is set to 0 (false) in /etc/sysctl.*, and Storage is none and ProcessSizeMax is 0 in /etc/systemd/coredump.conf.
SELinux or AppArmor are not installed
Category: OS security
OS: Linux
Description
SELinux and AppArmor provide Mandatory Access Controls. Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available.
Recommendation
Ensure that at least one of the apparmor, libselinux, or libselinux1 packages is installed.
All AppArmor Profiles are not enforced
Category: OS security
OS: Linux
Description
AppArmor profiles define what resources applications are able to access.
Recommendation
Ensure all profiles are set to enforce mode.
AppArmor is disabled in bootloader configuration
Category: OS security
OS: Linux
Description
AppArmor must be enabled at boot time in your bootloader configuration to ensure that the controls it provides are not overridden.
Recommendation
Ensure that the linux entries in /boot/grub/grub.cfg carry the kernel parameters apparmor=1 and security=apparmor. Check that /etc/default/grub also sets apparmor=1 and security=apparmor.
rsh client is installed
Category: OS security
OS: Linux
Description
The rsh package contains the client commands for the rsh services. These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package.
Recommendation
Ensure the rsh and rsh-client packages are not installed.
NIS client is installed
Category: OS security
OS: Linux
Description
The NIS service is inherently an insecure system that has been vulnerable to DoS attacks and buffer overflows, and has poor authentication for querying NIS maps. NIS has generally been replaced by protocols such as the Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed.
Recommendation
Ensure the nis and ypbind packages are not installed.
talk client is installed
Category: OS security
OS: Linux
Description
The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client, which allows initialization of talk sessions, is installed by default. The software presents a security risk as it uses unencrypted protocols for communication.
Recommendation
Ensure the talk package is not installed.
telnet client is installed
Category: OS security
OS: Linux
Description
The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security, and is included in most Linux distributions.
Recommendation
Ensure the telnet package is not installed.
LDAP client is installed
Category: OS security
OS: Linux
Description
The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database. If the system will not need to act as an LDAP client, we recommend you remove the software to reduce the potential attack surface.
Recommendation
Ensure the ldap, ldap-utils, openldap-clients, openldap2-client, libpam-ldap, and libnss-ldap packages are not installed.
auditd is not installed
Category: OS security
OS: Linux
Description
The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring.
Recommendation
Ensure the auditd and auditd-plugins packages are installed.
auditd service is disabled
Category: OS security
OS: Linux
Description
The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring.
Recommendation
Ensure auditd is enabled in systemctl.
Auditing for processes that start before auditd is disabled
Category: OS security
OS: Linux
Description
Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected.
Recommendation
Verify grub is configured with the audit=1 kernel parameter in /boot/grub/grub.cfg, so that processes capable of being audited are audited even if they start before auditd.
audit_backlog_limit is not sufficient
Category: OS security
OS: Linux
Description
During boot, if audit=1 is set, the backlog holds 64 records by default. If more than 64 records are created during boot, auditd records will be lost and potential malicious activity could go undetected.
Recommendation
Ensure the audit_backlog_limit kernel parameter is set higher than 8192 in /boot/grub/grub.cfg.
Audit log storage size is not configured
Category: OS security
OS: Linux
Description
It is important that an appropriate size is determined for log files so that they do not impact the system, and audit data is not lost.
Recommendation
Configure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started.
Audit logs are automatically deleted
Category: OS security
OS: Linux
Description
In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history.
Recommendation
Ensure that max_log_file_action = keep_logs in /etc/audit/auditd.conf.
System is not disabled when audit logs are full
Category: OS security
OS: Linux
Description
In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability.
Recommendation
Ensure the auditd daemon is configured to halt the system when the audit logs are full.
Date and time altering events are not collected
Category: OS security
OS: Linux
Description
Unexpected changes in system date and/or time could be a sign of malicious activity on the system.
Recommendation
Ensure that adjtimex, settimeofday, clock_settime, and stime syscalls write an audit record to /var/log/audit.log, tagged with time-change.
User/group altering events are not collected
Category: OS security
OS: Linux
Description
Unexpected changes to group, passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd can be an indicator that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.
Recommendation
Ensure that /etc/audit/rules.d/ is configured to record changes to group, passwd, shadow, gshadow and /etc/security/opasswd.
System network environment altering events are not collected
Category: OS security
OS: Linux
Description
Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domain name of a system. Changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder.
Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised.
All audit records will be tagged with the identifier system-locale.
Recommendation
Ensure that /etc/audit/rules.d/ is configured to record changes to sethostname, setdomainname, /etc/issue, /etc/issue.net, /etc/hosts and /etc/network.
System Mandatory Access Controls altering events are collected
Category: OS security
OS: Linux
Description
Changes to /etc/apparmor and /etc/apparmor.d directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system.
Recommendation
Ensure that /etc/audit/rules.d/ is configured to record changes to /etc/apparmor and /etc/apparmor.d.
Login and logout events are not collected
Category: OS security
OS: Linux
Description
Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.
Recommendation
Ensure that /etc/audit/rules.d/ is configured to record changes to /var/log/faillog, /var/log/lastlog, and /var/log/tallylog.
Session initiation information is not collected
Category: OS security
OS: Linux
Description
Monitoring /var/run/utmp, /var/log/wtmp, /var/log/btmp files for changes could alert a system administrator of logins occurring at unusual hours, which can indicate intruder activity (i.e. a user logging in at a time when they do not normally log in).
Recommendation
Ensure that /etc/audit/rules.d/ is configured to record changes to /var/run/utmp, /var/log/wtmp, and /var/log/btmp.
Discretionary access control permission altering events are not collected
Category: OS security
OS: Linux
Description
Monitoring for changes in file attributes could alert a system administrator to activity that can indicate intruder activity or policy violation.
Recommendation
Ensure all system calls that modify file owners, permissions or extended attributes are recorded by rules in /etc/audit/rules.d.
Unsuccessful unauthorized file access attempts are not collected
Category: OS security
OS: Linux
Description
Failed attempts to open, create or truncate files could be an indicator that an individual or process is trying to gain unauthorized access to the system.
Recommendation
Verify that all creat, open, openat, truncate, and ftruncate syscalls are recorded by correctly configuring /etc/audit/rules.d.
Successful file system mounts are not collected
Category: OS security
OS: Linux
Description
Tracking mount commands can help detect potentially malicious data export to external media.
Recommendation
Verify that all mount and umount syscalls are recorded by correctly configuring /etc/audit/rules.d.
File deletion events by users are not collected
Category: OS security
OS: Linux
Description
Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators may want to look for specific privileged files that are being deleted or altered.
Recommendation
Verify that all unlink, unlinkat, rename, renameat syscalls are recorded by correctly configuring /etc/audit/rules.d.
Changes to system administration scope (sudoers) are not collected
Category: OS security
OS: Linux
Description
Audit rules should be in place to monitor scope changes, when an administrator logs in to use sudo.
Recommendation
Ensure that audit rules include collecting scope changes.
Changes to system administrator command executions (sudo) are not collected
Category: OS security
OS: Linux
Description
Audit rules should be in place to monitor an administrator with temporary elevated privileges, while using sudo, and the operation(s) they are performing.
Recommendation
Ensure that audit rules include collecting sudo activity.
Ensure kernel module loading and unloading is collected
Category: OS security
OS: Linux
Description
Verifies that any execution of the kernel module loading and unloading programs and system calls triggers an audit record tagged with the identifier modules.
Recommendation
Ensure audit rules include collecting kernel module loading and unloading activity.
Audit configuration is not immutable
Category: OS security
OS: Linux
Description
Audit rules should be in immutable mode, so they cannot be modified using auditctl. While in immutable mode, unauthorized users cannot change the audit system to hide malicious activity and then set the audit rules back.
Recommendation
Ensure that audit rules cannot be changed without performing a system reboot.
rsyslog is not installed
Category: OS security
OS: Linux
Description
The rsyslog software should be installed. rsyslog is a recommended replacement to the original syslogd daemon, providing overall improvements over syslogd.
Recommendation
Ensure that rsyslog is installed.
The rsyslog service is disabled
Category: OS security
OS: Linux
Description
The rsyslog service should be activated. If the rsyslog service is not activated, the system may instead default to the syslogd service, or lack logging altogether.
Recommendation
Ensure the rsyslog service is enabled.
The rsyslog default file permission is configured
Category: OS security
OS: Linux
Description
Logfiles created by rsyslog must have correct file permissions. It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected.
Recommendation
Ensure the rsyslog default file permissions are set to 0640 or more restrictive.
journald is not configured to send logs to rsyslog
Category: OS security
OS: Linux
Description
journald should be set to send logs to a remote host through rsyslog, thus being protected from tampering. It requires that rsyslog be set to send logs to a remote host.
Recommendation
Ensure journald is configured to forward logs to rsyslog.
journald is not configured to compress large log files
Category: OS security
OS: Linux
Description
journald should be set to compress large log files, to avoid sudden, unexpected filesystem impacts.
Recommendation
Ensure journald is configured to compress large files.
journald is not configured to write logfiles to persistent disk
Category: OS security
OS: Linux
Description
journald should not store data in volatile memory, but save it locally on the server. Writing log data to disk will provide the ability to forensically reconstruct events which may have impacted the operations or security of a system even after a system crash or reboot.
Recommendation
Ensure that Storage is set to persistent for journald.
Permissions on all logfiles are not configured
Category: OS security
OS: Linux
Description
Permissions on logfiles should be set so that sensitive data is archived and protected.
Recommendation
Ensure all logs have permissions set to none for other and read-only for group.
logrotate does not assign appropriate permissions
Category: OS security
OS: Linux
Description
logrotate should be set to assign permissions correctly, so that sensitive data is archived and protected.
Recommendation
Ensure that logrotate is configured to set permissions to 0640 or more restrictive.
cron daemon is not enabled and running
Category: OS security
OS: Linux
Description
The cron daemon should be enabled and running, to be used for both user jobs, as well as system maintenance jobs that may include security monitoring.
Recommendation
Ensure that cron is enabled using systemctl.
Permissions on /etc/crontab are not configured
Category: OS security
OS: Linux
Description
Cron's job file permissions should be set correctly, so that users cannot have insight on system jobs, or access to the ability to elevate their privileges.
Recommendation
Ensure that permissions on /etc/crontab are set to 0600.
Permissions on /etc/cron.hourly are not configured
Category: OS security
OS: Linux
Description
Cron's hourly job directory permissions should be set correctly, so that users cannot have insight into system jobs, or the ability to elevate their privileges.
Recommendation
Ensure that permissions on /etc/cron.hourly are set to 0700.
Permissions on /etc/cron.daily are not configured
Category: OS security
OS: Linux
Description
Cron's daily job directory permissions should be set correctly, so that users cannot have insight on system jobs, or access to the ability to elevate their privileges.
Recommendation
Ensure that permissions on /etc/cron.daily are set to 0700.
Permissions on /etc/cron.weekly are not configured
Category: OS security
OS: Linux
Description
Cron's weekly job directory permissions should be set correctly, so that users cannot have insight on system jobs, or access to the ability to elevate their privileges.
Recommendation
Ensure that permissions on /etc/cron.weekly are set to 0700.
Permissions on /etc/cron.monthly are not configured
Category: OS security
OS: Linux
Description
Cron's monthly job directory permissions should be set correctly, so that users cannot have insight on system jobs, or access to the ability to elevate their privileges.
Recommendation
Ensure that permissions on /etc/cron.monthly are set to 0700.
Permissions on /etc/cron.d are not configured
Category: OS security
OS: Linux
Description
Cron's manual job directory permissions should be set correctly, so that users cannot have insight on system jobs, or access to the ability to elevate their privileges.
Recommendation
Ensure that permissions on /etc/cron.d are set to 0700.
cron is not restricted to authorized users
Category: OS security
OS: Linux
Description
Access to cron should be restricted via an allow list by using /etc/cron.allow. Additionally, /etc/cron.allow must be owned by root and have permissions set to 0640 or more restrictive.
Recommendation
Ensure /etc/cron.deny does not exist, and that /etc/cron.allow is properly configured.
at is not restricted to authorized users
Category: OS security
OS: Linux
Description
Verifies that access to at is restricted by an allow list, /etc/at.allow. Additionally, /etc/at.allow must be owned by root and have permissions set to 0640 or more restrictive.
Recommendation
Ensure /etc/at.deny does not exist, and that /etc/at.allow is properly configured.
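Every permission entry from the logfile check down to the at allow-list reduces to two tests, ownership and "no permission bits beyond a maximum mode", plus the presence or absence of the allow and deny files. The script below is an added example, not the product's own check. It assumes bash and GNU coreutils (stat -c); the owner argument exists only so the demo can run unprivileged on constructed scratch files, and defaults to root:root on a real host.

```bash
#!/usr/bin/env bash
# Added example, not the page's own check: verify ownership and "mode X or
# more restrictive" for cron and log paths, and the cron/at allow-list rule.
# Assumes bash and GNU coreutils (stat -c). The optional owner argument
# defaults to root:root; the tests pass the current user so the demo can run
# unprivileged on scratch files.

# 0 if PATH's mode sets no bit outside MAXMODE (octal). "0640 or more
# restrictive" means exactly this: clearing bits is fine, adding group-write,
# any world bit, or setuid/setgid is not. Leading 0 makes the arithmetic octal.
mode_at_most() {
    local path="$1" max="$2" mode
    mode=$(stat -c '%a' "$path") || return 2
    [ $(( 0$mode & ~0$max )) -eq 0 ]
}

# 0 if PATH is owned by the numeric UID:GID given (default 0:0, i.e. root).
owned_by() {
    [ "$(stat -c '%u:%g' "$1")" = "${2:-0:0}" ]
}

# Report on one path. Missing paths are skipped, not failed: an absent
# /etc/cron.monthly is not a permission problem.
audit_path() {   # PATH MAXMODE [UID:GID]
    local path="$1" max="$2" owner="${3:-0:0}"
    if [ ! -e "$path" ]; then
        echo "SKIP $path: not present"; return 0
    fi
    if ! owned_by "$path" "$owner"; then
        echo "FAIL $path: owner $(stat -c '%U:%G' "$path"), expected uid:gid $owner"; return 1
    fi
    if ! mode_at_most "$path" "$max"; then
        echo "FAIL $path: mode $(stat -c '%a' "$path") exceeds $max"; return 1
    fi
    echo "PASS $path: $(stat -c '%U:%G %a' "$path")"
}

# Allow-list rule for cron and at: NAME.deny must not exist, NAME.allow must
# exist, be root-owned and be 0640 or tighter. DIR is /etc on a real host.
audit_allowlist() {   # DIR NAME [UID:GID]
    local dir="$1" name="$2" owner="${3:-0:0}" rc=0
    if [ -e "$dir/$name.deny" ]; then
        echo "FAIL $dir/$name.deny exists: remove it, an allow-list must be used"; rc=1
    fi
    if [ ! -e "$dir/$name.allow" ]; then
        echo "FAIL $dir/$name.allow missing: create it (root:root, 0640) listing authorised users"; rc=1
    else
        audit_path "$dir/$name.allow" 0640 "$owner" || rc=1
    fi
    return "$rc"
}

# Whole-host run with the maxima the entries above give (run as root).
audit_cron_and_logs() {
    local rc=0 d bad
    audit_path /etc/crontab 0600 || rc=1
    for d in hourly daily weekly monthly; do
        audit_path "/etc/cron.$d" 0700 || rc=1
    done
    audit_path /etc/cron.d 0700 || rc=1
    audit_allowlist /etc cron || rc=1
    audit_allowlist /etc at || rc=1
    # Log files: group read-only, nothing for other. Ownership is not checked
    # here because logs are legitimately owned by syslog, adm and services;
    # GNU find's -perm /bits matches any file with one of the forbidden bits.
    bad=$(find /var/log -type f -perm /g+w,o+rwx 2>/dev/null)
    [ -z "$bad" ] || { echo "$bad" | sed 's/^/FAIL mode exceeds 0640: /'; rc=1; }
    return "$rc"
}
```

audit_cron_and_logs prints SKIP for directories a distribution does not ship, FAIL with the offending mode or owner for the rest, and exits non-zero if anything failed, which is what a compliance job wants to key on.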
Password creation requirements are not configured
Category: OS security
OS: Linux
Description
Password creation requirements (typically enforced with pam_pwquality) must require strong passwords and allow a user at most 3 retries before the password change is rejected.
Recommendation
Ensure that strong password requirements and a maximum of 3 retries are set.
Password expiration interval is short enough
Category: OS security
OS: Linux
Description
Password expiration must be set to 365 days or less, so that a password that has been stolen or cracked remains useful to an attacker for a limited time.
Recommendation
Ensure that password expiration is properly configured.
Minimum days between password changes is not configured
Category: OS security
OS: Linux
Description
The minimum number of days between password changes must be configured, so that users are prevented from repeatedly changing their password in an attempt to circumvent password reuse controls.
Recommendation
Ensure that a minimum of 1 day between password changes is enforced.
Password expiration warning days interval is long enough
Category: OS security
OS: Linux
Description
Password expiration warnings must be sent in an interval that leaves the user sufficient time to think of a secure password.
Recommendation
Ensure that password expiration warnings are sent at least 7 days in advance.
Inactive password lock interval is short enough
Category: OS security
OS: Linux
Description
User accounts that have been inactive for over 30 days must automatically be disabled.
Recommendation
Ensure that inactive accounts are automatically disabled after 30 days.
Default group for the root account is not 0
Category: OS security
OS: Linux
Description
The root user must have its default group set to 0. Using GID 0 for the root account helps prevent root-owned files from accidentally becoming accessible to non-privileged users.
Recommendation
Ensure that the default group for the root account is set to 0.
Default file creation mask is not restrictive enough
Category: OS security
OS: Linux
Description
The umask determines which permission bits are removed from newly created files and directories. A mask of 027 removes group write and all access for other, so new files are not readable by unrelated users by default.
Recommendation
Ensure that the user file-creation mode mask (umask) is set to 027 or more restrictive.
Default user shell timeout is not short enough
Category: OS security
OS: Linux
Description
An inactive user shell session must be ended with a reasonable timeout, to prevent unauthorized access by using unattended shell sessions.
Recommendation
Ensure the default user shell timeout (TMOUT) is set to 900 seconds or less.
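The entries from password creation requirements down to the shell timeout are, on the host, values in /etc/login.defs, /etc/default/useradd and whichever profile script sets TMOUT and umask. The script below is an added example and not the product's check; it assumes bash and awk, takes the three file paths as parameters so it can run on constructed copies, and the thresholds are the ones the entries above give.

```bash
#!/usr/bin/env bash
# Added example, not the page's own check: read the password-ageing and
# session-hardening values the entries above describe and compare them with
# the thresholds given. Paths are parameters so the demo can run on constructed
# copies; on a real host they are /etc/login.defs, /etc/default/useradd and
# the profile script (/etc/profile or a file in /etc/profile.d) that sets
# TMOUT and umask. Assumes bash and awk.

# Value of KEY in a whitespace-separated file ("PASS_MAX_DAYS 365",
# "umask 027"); comment lines are ignored, the last setting wins.
defs_value() {   # FILE KEY
    awk -v k="$2" '/^[[:space:]]*#/ { next } $1 == k { v = $2 } END { print v }' "$1"
}

# Value of KEY in a KEY=VALUE file ("INACTIVE=30", "readonly TMOUT=900 ;
# export TMOUT"); strips export/readonly prefixes, quotes and trailing text.
kv_value() {     # FILE KEY
    awk -v k="$2" -v q="'" '
        /^[[:space:]]*#/ { next }
        { line = $0; sub(/^[[:space:]]*((export|readonly)[[:space:]]+)+/, "", line) }
        index(line, k "=") == 1 {
            v = substr(line, length(k) + 2)
            gsub("[\"" q "]", "", v); sub(/[[:space:];].*/, "", v)
            val = v
        }
        END { print val }' "$1"
}

# 0 if $1 is a (possibly negative) integer; keeps the -gt/-lt tests honest.
is_int() { case "$1" in ''|*[!0-9-]*) return 1 ;; *) return 0 ;; esac; }

# Audit LOGIN_DEFS USERADD_DEFAULTS PROFILE. One line per finding; 0 if clean.
audit_password_policy() {
    local defs="$1" useradd="$2" profile="$3" rc=0 v
    fail() { echo "FAIL $*"; rc=1; }

    v=$(defs_value "$defs" PASS_MAX_DAYS)
    { is_int "$v" && [ "$v" -ge 1 ] && [ "$v" -le 365 ]; } \
        || fail "PASS_MAX_DAYS=${v:-unset}: expected 1..365"
    v=$(defs_value "$defs" PASS_MIN_DAYS)
    { is_int "$v" && [ "$v" -ge 1 ]; } \
        || fail "PASS_MIN_DAYS=${v:-unset}: expected 1 or more"
    v=$(defs_value "$defs" PASS_WARN_AGE)
    { is_int "$v" && [ "$v" -ge 7 ]; } \
        || fail "PASS_WARN_AGE=${v:-unset}: expected 7 or more"

    # INACTIVE=-1 means "never lock"; 0..30 days is acceptable.
    v=$(kv_value "$useradd" INACTIVE)
    { is_int "$v" && [ "$v" -ge 0 ] && [ "$v" -le 30 ]; } \
        || fail "useradd INACTIVE=${v:-unset}: expected 0..30"

    # TMOUT is in seconds; 0 or unset disables the timeout entirely.
    v=$(kv_value "$profile" TMOUT)
    { is_int "$v" && [ "$v" -ge 1 ] && [ "$v" -le 900 ]; } \
        || fail "TMOUT=${v:-unset}: expected 1..900"

    # umask is a mask of bits to clear, so "027 or more restrictive" means
    # every bit of 027 must be present in the configured value.
    v=$(defs_value "$profile" umask); [ -n "$v" ] || v=$(defs_value "$defs" UMASK)
    case "$v" in
        [0-7][0-7][0-7]|[0-7][0-7][0-7][0-7])
            [ $(( 0$v & 0027 )) -eq $(( 0027 )) ] \
                || fail "umask=$v: does not clear all of 027" ;;
        *)  fail "umask=${v:-unset}: expected an octal mask" ;;
    esac
    return "$rc"
}

# Real host:
#   audit_password_policy /etc/login.defs /etc/default/useradd /etc/profile
```

login.defs only sets the defaults applied when an account is created; the ageing values that actually apply to an existing account live in its /etc/shadow record, so a full check also runs chage -l (or reads fields 4 to 7 of /etc/shadow) for every account with a password, and TMOUT must be exported as readonly or users can simply unset it in their session.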
Access to su command is not restricted
Category: OS security
OS: Linux
Description
Access to the su command must be restricted, forcing the use of sudo, which allows for better control of escalation, and better logging and audit.
Recommendation
Ensure the group that is allowed to use the su command (enforced with pam_wheel in /etc/pam.d/su) is empty.
Permissions on /etc/passwd are not configured
Category: OS security
OS: Linux
Description
Permissions on the user accounts file must be set to allow reading for various system utilities, while being protected from unauthorized write access.
Recommendation
Ensure that permissions on /etc/passwd are set to 644.
Permissions on /etc/passwd- are not configured
Category: OS security
OS: Linux
Description
Permissions on the user accounts backup file must be set to allow reading for various system utilities, while being protected from unauthorized write access.
Recommendation
Ensure that permissions on /etc/passwd- are set to 644 or more restrictive.
Permissions on /etc/group are not configured
Category: OS security
OS: Linux
Description
Permissions on the groups file must be set to allow reading for various system utilities, while being protected from unauthorized write access.
Recommendation
Ensure that permissions on /etc/group are set to 644.
Permissions on /etc/group- are not configured
Category: OS security
OS: Linux
Description
Permissions on the groups backup file must be set to allow reading for various system utilities, while being protected from unauthorized write access.
Recommendation
Ensure that permissions on /etc/group- are set to 644 or more restrictive.
Permissions on /etc/shadow are not configured
Category: OS security
OS: Linux
Description
Permissions on the user credentials file must prevent any read access by unprivileged users, since it holds the password hashes that an attacker would crack offline; only root (and, on Debian-based systems, the shadow group) should be able to read it.
Recommendation
Ensure that permissions on /etc/shadow are set to 640 or more restrictive.
Permissions on /etc/shadow- are not configured
Category: OS security
OS: Linux
Description
Permissions on the user credentials backup file must prevent any read access by unprivileged users, since it holds the same password hashes as /etc/shadow.
Recommendation
Ensure that permissions on /etc/shadow- are set to 640 or more restrictive.
Permissions on /etc/gshadow are not configured
Category: OS security
OS: Linux
Description
Permissions on the group credentials file (group passwords and group administrator lists) must prevent any read access by unprivileged users.
Recommendation
Ensure that permissions on /etc/gshadow are set to 640 or more restrictive.
Permissions on /etc/gshadow- are not configured
Category: OS security
OS: Linux
Description
Permissions on the group credentials backup file must prevent any read access by unprivileged users, since it holds the same data as /etc/gshadow.
Recommendation
Ensure that permissions on /etc/gshadow- are set to 640 or more restrictive.
World writable files do exist
Category: OS security
OS: Linux
Description
No world writable files must be present on the machine, as they may indicate a potential security risk.
Recommendation
Ensure there are no world writable files, or that those that are world-writable are necessarily so.
Unowned files or directories do exist
Category: OS security
OS: Linux
Description
Files that belonged to deleted users should not remain on the system: if a new account is later created with the same UID, it silently becomes the owner of those files and gains more access than was intended.
Recommendation
Ensure that no files or directories are owned by a UID without a matching account (find / -xdev -nouser).
Ungrouped files or directories do exist
Category: OS security
OS: Linux
Description
Files that belonged to deleted groups should not remain on the system: if a new group is later created with the same GID, its members silently gain the group permissions on those files, which may be more access than was intended.
Recommendation
Ensure that no files or directories belong to a GID without a matching group (find / -xdev -nogroup).
Accounts in /etc/passwd do not use shadowed passwords
Category: OS security
OS: Linux
Description
All accounts must use shadowed passwords, to avoid allowing access to sensitive information (like password hashes) to an attacker.
Recommendation
Ensure all accounts are set to use shadowed passwords.
sudo is not installed
Category: OS security
OS: Linux
Description
The sudo package must be installed on the system. Sudo allows configuring which users and under what conditions they can run a command as superuser or another user.
Recommendation
Ensure the sudo or sudo-ldap (if sudo support for LDAP users is required) package is installed.
/dev/shm is not configured
Category: OS security
OS: Linux
Description
/dev/shm (shared memory, world-writable) must be mounted at boot with the noexec option, so that an attacker cannot drop and run binaries from it; nodev and nosuid are commonly set alongside.
Recommendation
Ensure that /dev/shm is mounted with the noexec option (and preferably nodev and nosuid), via /etc/fstab or a systemd mount unit.
Permissions on bootloader config are overridden
Category: OS security
OS: Linux
Description
Permissions on /boot/grub/grub.cfg must be restricted to root only. The update-grub command regenerates this file, so the permissions must be preserved or reapplied whenever it is updated.
Recommendation
Ensure that after update-grub runs, /boot/grub/grub.cfg is owned by root and has permissions 400.
Prelink is installed
Category: OS security
OS: Linux
Description
Prelink should not be installed on the endpoint. Prelink modifies ELF shared libraries and dynamically linked binaries so that the dynamic linker spends less time performing relocations at startup. Because it rewrites binaries on disk it interferes with file-integrity tools such as AIDE, and because the prelinked addresses are fixed it weakens address space layout randomization.
Recommendation
Ensure that the prelink package is not installed; if it was previously used, run prelink -ua first to restore the original binaries.
Disable-user-list is not enabled
Category: OS security
OS: Linux
Description
Displaying the user list eliminates half of the Userid/Password equation that an unauthorized person would need to log on.
Recommendation
Ensure the GDM parameter disable-user-list is set to true.
XDMCP is enabled
Category: OS security
OS: Linux
Description
The X Display Manager Control Protocol (XDMCP) is designed to provide authenticated access to display management services for remote displays. XDMCP traffic is unencrypted and vulnerable to man-in-the-middle attacks, which may allow an attacker to steal the credentials of legitimate users by impersonating the XDMCP server.
Recommendation
Ensure Enable=false is set in the [xdmcp] section of /etc/gdm3/custom.conf.
X Window System is installed
Category: OS security
OS: Linux
Description
The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add-ons. Unless your organization specifically requires graphical login access via X Window, remove it to reduce the potential attack surface.
Recommendation
Ensure the xserver-xorg package is not installed.
Avahi Server is installed
Category: OS security
OS: Linux
Description
Avahi Server should not be installed on the endpoint. Avahi allows programs to publish and discover services and hosts on the local network (mDNS/DNS-SD).
Recommendation
Ensure the avahi-daemon package is not installed, to reduce the endpoint's potential attack surface.
CUPS is installed
Category: OS security
OS: Linux
Description
The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. If the system does not need to print jobs or accept print jobs from other systems, we recommend you remove CUPS to reduce the potential attack surface.
Recommendation
Ensure the cups package is not installed.
DHCP Server is installed
Category: OS security
OS: Linux
Description
The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses. Unless a system is specifically set up to act as a DHCP server, we recommend you remove this package to reduce the potential attack surface.
Recommendation
Ensure the isc-dhcp-server package is not installed.
LDAP server is installed
Category: OS security
OS: Linux
Description
The Lightweight Directory Access Protocol (LDAP) is a service that provides a method for looking up information from a central database. If the system will not need to act as an LDAP server, we recommend you remove this software to reduce the potential attack surface.
Recommendation
Ensure the slapd package is not installed.
NFS is installed
Category: OS security
OS: Linux
Description
The Network File System (NFS) provides the ability for systems to mount file systems of other servers through the network. If the system does not export NFS shares or act as an NFS client, we recommend you remove these services to reduce the remote attack surface.
Recommendation
Ensure the nfs-kernel-server package is not installed.
DNS Server is installed
Category: OS security
OS: Linux
Description
The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network. Unless a system is specifically designated to act as a DNS server, we recommend you delete this package to reduce the potential attack surface.
Recommendation
Ensure the bind9 package is not installed.
FTP Server is installed
Category: OS security
OS: Linux
Description
The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files. FTP does not protect the confidentiality of data or authentication credentials.
Recommendation
Ensure the vsftpd package is not installed.
HTTP server is installed
Category: OS security
OS: Linux
Description
HTTP or web servers provide the ability to host web site content. Unless there is a need to run the system as a web server, we recommend you delete this package to reduce the potential attack surface.
Recommendation
Ensure the apache2 package is not installed.
IMAP and POP3 servers are installed
Category: OS security
OS: Linux
Description
Unless POP3 and/or IMAP servers are to be provided by this system, we recommend you remove these packages to reduce the potential attack surface.
Recommendation
Ensure the dovecot-imapd and dovecot-pop3d packages are not installed.
Samba is installed
Category: OS security
OS: Linux
Description
The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. If there is no need to mount directories and file systems to Windows systems, then this service should be deleted to reduce the potential attack surface.
Recommendation
Ensure the samba package is not installed.
HTTP Proxy Server is installed
Category: OS security
OS: Linux
Description
Squid is a standard proxy server used in many distributions and environments. If there is no need for a proxy server, we recommend you delete the squid proxy to reduce the potential attack surface.
Recommendation
Ensure the squid package is not installed.
SNMP Server is installed
Category: OS security
OS: Linux
Description
Simple Network Management Protocol (SNMP) is a widely used protocol for monitoring the health and welfare of network equipment, computer equipment and devices like UPSs. If the SNMP service is not required, it should be removed to reduce the attack surface of the system. If SNMP is required, the server should be configured for SNMP v3 only. User Authentication and Message Encryption should be configured.
Recommendation
Ensure the snmpd package is not installed.
The rsync service is installed
Category: OS security
OS: Linux
Description
The rsync service can be used to synchronize files between systems over network links. The rsync daemon (rsyncd, TCP port 873) presents a security risk because it communicates without encryption or strong authentication; rsync over SSH does not need the daemon. The rsync package should be removed to reduce the attack surface of the system.
Recommendation
Ensure the rsync package is not installed.
NIS Server is installed
Category: OS security
OS: Linux
Description
The NIS server is a collection of programs that distribute configuration files (such as passwd and group maps) across hosts. NIS is inherently insecure and has been vulnerable to denial-of-service attacks; we recommend you remove this service and use a more secure alternative such as LDAP.
Recommendation
Ensure the nis package is not installed.
RPC is installed
Category: OS security
OS: Linux
Description
Remote Procedure Call (RPC) is a method for creating low level client server applications across different system architectures. If RPC is not required, we recommend you remove these services to reduce the remote attack surface.
Recommendation
Ensure the rpcbind package is not installed.
Mail transfer agent is not configured for local-only mode
Category: OS security
OS: Linux
Description
If the system is not intended to be a mail server, we recommend you configure the MTA to only process local mail.
Recommendation
Ensure that the MTA is not listening on port 25 on any non-loopback address, i.e. only on 127.0.0.1 or ::1 (for Postfix, inet_interfaces = loopback-only in /etc/postfix/main.cf).
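The loopback-only condition is easiest to verify from the socket table rather than from each MTA's configuration syntax. The function below is an added example, not the product's check; it assumes bash, awk and the column layout of "ss -lnt", reads that output on stdin so the demo can feed a constructed sample, and treats 127.0.0.0/8, ::1 and the IPv4-mapped ::ffff:127.x form as loopback.

```bash
#!/usr/bin/env bash
# Added example, not the page's own check: list TCP listeners on PORT that
# are bound to something other than a loopback address, from "ss -lnt"
# output read on stdin. On a real host: ss -lnt | non_loopback_listeners 25.
# Assumes bash and awk; the sample in demo_mta is constructed.

# Print the local "address:port" of each LISTEN socket on PORT whose address
# is not loopback. Handles 0.0.0.0, *, [::], and the IPv4-mapped
# [::ffff:a.b.c.d] form; 127.0.0.0/8 and ::1 are loopback.
non_loopback_listeners() {  # PORT  (ss -lnt output on stdin)
    awk -v port="$1" '
        $1 != "LISTEN" { next }                   # skips the header line too
        {
            n = split($4, a, ":"); p = a[n]       # port is after the last colon
            host = substr($4, 1, length($4) - length(p) - 1)
            gsub(/\[|\]/, "", host); sub(/^::ffff:/, "", host)
            if (p != port) next
            if (host ~ /^127\./ || host == "::1") next
            print $4
        }'
}

# 0 if the MTA is reachable only on loopback (no non-loopback listener on 25).
audit_mta_local_only() {    # ss -lnt output on stdin
    local hits
    hits=$(non_loopback_listeners 25)
    if [ -n "$hits" ]; then
        echo "FAIL MTA listening on non-loopback address(es): $(echo "$hits" | tr '\n' ' ')"
        return 1
    fi
    echo "PASS MTA bound to loopback only (or not listening)"
}

# Demo on a constructed ss -lnt sample: Postfix on 127.0.0.1 and ::1 is fine,
# the 10.0.0.5:25 line is the finding; 587 and 22 are not the MTA's port 25.
demo_mta() {
    audit_mta_local_only <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      100    127.0.0.1:25        0.0.0.0:*
LISTEN 0      100    [::1]:25            [::]:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      100    [::]:587            [::]:*
LISTEN 0      100    10.0.0.5:25         0.0.0.0:*
EOF
}
```

A submission listener on 587 or a TLS-wrapped 465 is not caught by the port-25 rule on this page, so a host that runs a real mail service needs the same function run for those ports as well.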
Time synchronization is not in use
Category: OS security
OS: Linux
Description
System time should be synchronized between all systems in an environment. Time synchronization is important to support time sensitive security mechanisms like Kerberos.
Recommendation
Ensure one of the systemd-timesyncd, chrony or ntp packages is installed and configured correctly.
Wireless interfaces are not disabled
Category: OS security
OS: Linux
Description
If wireless is not to be used, wireless devices can be disabled to reduce the potential attack surface.
Recommendation
Ensure no wireless drivers are loaded into the kernel.
Log4j with Denial of Service Present
Category: Network and credentials
OS: Linux
Description
Verifies if a vulnerable version of the log4j module is present on disk. The module could be affected by CVE-2021-45105: a specially crafted string that is interpreted by a lookup in the logging pattern can trigger uncontrolled recursion and cause a denial of service.
Recommendation
Avoid Log4j versions 2.0 through 2.16.0; upgrade to 2.17.0 or later (2.12.3 on the Java 7 line), which fixes the issue.
Pkexec with Local Privilege Escalation Present
Category: Vulnerability
OS: Linux
Description
Verifies if a vulnerable version of the Polkit package is installed on the endp­oint. Its setuid pkexec binary could be affected by CVE-2021-4034 (PwnKit), a memory-corruption bug that allows any unprivileged local user to gain full root privileges in the default configuration.
Recommendation
Apply the vendor's patched polkit package (policykit-1 on Debian/Ubuntu, polkit on RHEL-based systems); as a temporary mitigation, remove the setuid bit from pkexec (chmod 0755 /usr/bin/pkexec).
systemd-timesyncd is configured
Category: OS security
OS: Linux
Description
systemd-timesyncd is a daemon that has been added for synchronizing the system clock across the network. This recommendation only applies if timesyncd is in use on the system.
Recommendation
Ensure that timesyncd is enabled and started. Review /etc/systemd/timesyncd.conf and ensure that NTP, FallbackNTP and RootDistanceMax are listed in accordance with local policy.
chrony is configured
Category: OS security
OS: Linux
Description
chrony is a daemon which implements the Network Time Protocol (NTP), which is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. This recommendation only applies if chrony is used on the system.
Recommendation
Review /etc/chrony.conf and ensure that the remote server is configured properly.
ntp is configured
Category: OS security
OS: Linux
Description
ntp is a daemon that implements the Network Time Protocol (NTP), which is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. This recommendation only applies if ntp is used on the system.
Recommendation
Review /etc/ntp.conf and ensure that the remote server is configured properly and the restrict option is set. Verify that ntp is configured to run as the ntp user.
telnet server is not installed
Category: OS security
OS: Linux
Description
The telnet-server package contains the telnet daemon. The telnet protocol is unencrypted, so credentials and session contents cross the network in clear text.
Recommendation
Ensure the telnet-server package is not installed; use SSH instead.
XD/NX support is enabled
Category: OS security
OS: Linux
Description
Recent processors in the x86 family support the ability to prevent code execution on a per-memory-page basis. Generically and on AMD processors, this ability is called No Execute (NX), while on Intel processors it is called Execute Disable (XD).
Recommendation
Ensure XD/NX support is enabled: on x86 the kernel log reports "NX (Execute Disable) protection: active" (dmesg | grep NX).
IPv4 firewall rules exist for all open ports
Category: OS security
OS: Linux
Description
Any ports that have been opened on non-loopback addresses need firewall rules to govern traffic. This recommendation only applies if iptables is used on the system.
Recommendation
For each open port, check if an iptables firewall rule exists.
All users last password change is in the past
Category: OS security
OS: Linux
Description
All users should have a password change date in the past. If a user recorded password change date is in the future then they could bypass any set password expiration.
Recommendation
Verify that no user has a password change date in the future.
System accounts are secured
Category: OS security
OS: Linux
Description
There are a number of accounts provided with most distributions that are used to manage applications and are not intended to provide an interactive shell.
Recommendation
Verify that every system account shell is set to either nologin or /bin/false.
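The passwd and shadow checks on this page (root's primary GID, shadowed password fields, password-change dates in the future and system accounts with a login shell) are all single-pass reads of the two files. The script below is an added example, not the product's check; it assumes bash and awk, takes the file paths and "today" as parameters so it can run on constructed copies (reading the real /etc/shadow needs root), and uses 1000 as UID_MIN, the value most login.defs files ship with.

```bash
#!/usr/bin/env bash
# Added example, not the page's own check: the /etc/passwd and /etc/shadow
# checks above as awk passes over the files, plus a summary function. File
# paths and "today" are parameters so the demo runs on constructed copies
# (reading the real /etc/shadow needs root). Assumes bash and awk; UID_MIN
# defaults to 1000 as in most login.defs files.

# Accounts whose passwd password field is not "x": a real hash (or nothing)
# sits in the world-readable file instead of /etc/shadow.
unshadowed_accounts() {   # PASSWD
    awk -F: '$2 != "x" { print $1 }' "$1"
}

# root must have primary GID 0.
root_gid_ok() {           # PASSWD
    [ "$(awk -F: '$1 == "root" { print $4 }' "$1")" = "0" ]
}

# Accounts whose last-change day (shadow field 3, days since 1970-01-01) is
# later than TODAY; such an account never ages out under PASS_MAX_DAYS.
future_password_change() {  # SHADOW [TODAY_DAYS]
    local today="${2:-$(( $(date +%s) / 86400 ))}"
    awk -F: -v today="$today" '$3 != "" && $3 + 0 > today { print $1 }' "$1"
}

# System accounts (UID below UID_MIN, other than root) whose shell is not
# nologin or /bin/false. sync, shutdown and halt are the usual exceptions:
# their "shell" is the command they exist to run.
system_accounts_with_shell() {  # PASSWD [UID_MIN]
    awk -F: -v min="${2:-1000}" '
        $1 != "root" && $1 !~ /^(sync|shutdown|halt)$/ && $3 + 0 < min &&
            $7 !~ /(^|\/)nologin$/ && $7 != "/bin/false" { print $1 ":" $7 }' "$1"
}

# Run everything and report; returns 0 only if all four checks pass.
audit_accounts() {        # PASSWD SHADOW [TODAY_DAYS]
    local passwd="$1" shadow="$2" today="$3" rc=0 hits
    hits=$(unshadowed_accounts "$passwd")
    [ -z "$hits" ] || { echo "FAIL unshadowed password field: $hits"; rc=1; }
    root_gid_ok "$passwd" || { echo "FAIL root primary GID is not 0"; rc=1; }
    hits=$(future_password_change "$shadow" "$today")
    [ -z "$hits" ] || { echo "FAIL password change date in the future: $hits"; rc=1; }
    hits=$(system_accounts_with_shell "$passwd")
    [ -z "$hits" ] || { echo "FAIL system accounts with a login shell: $hits"; rc=1; }
    [ "$rc" -eq 0 ] && echo "PASS account files"
    return "$rc"
}

# Demo on constructed files; "today" is pinned to day 19000 (2022-01-08).
demo_accounts() {
    local d
    d=$(mktemp -d)
    cat >"$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/bin/false
sync:x:4:65534:sync:/bin:/bin/sync
backup:x:34:34:backup:/var/backups:/bin/sh
legacy:$6$constructed$notarealhash:900:900::/home/legacy:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
EOF
    cat >"$d/shadow" <<'EOF'
root:*:18800:0:99999:7:::
alice:$6$constructed$notarealhash:19500:1:365:7:::
bob:!:19000:0:99999:7:::
EOF
    audit_accounts "$d/passwd" "$d/shadow" 19000
    rm -rf "$d"
}

# Real host (as root): audit_accounts /etc/passwd /etc/shadow
```

An empty shell field in passwd means /bin/sh, so the shell test deliberately flags it; and a UID_MIN read from the host's own login.defs is preferable to the 1000 default on systems that were configured with a different boundary.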
System administrator actions are collected
Category: OS security
OS: Linux
Description
Monitor the sudo log file. If su has been disabled and administrators must use sudo, every administrative command is recorded in /var/log/sudo.log (the logfile set in /etc/sudoers); an audit rule on that file records who reads or alters it.
Recommendation
Check that an audit rule exists for /var/log/sudo.log.
SELinux is not disabled in bootloader configuration
Category: OS security
OS: Linux
Description
Configure SELinux to be enabled at boot time and verify that it has not been overwritten by the grub boot parameters.
Recommendation
SELinux must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden.
SELinux state is enforcing
Category: OS security
OS: Linux
Description
When SELinux is running in enforcing mode, it enforces the SELinux policy and denies access based on SELinux policy rules.
Recommendation
Verify that SELINUX=enforcing is set in /etc/selinux/config.
SELinux policy is configured
Category: OS security
OS: Linux
Description
Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy. This item is intended to ensure that at least the default recommendations are met.
Recommendation
Configure SELinux to meet or exceed the default targeted policy, which constrains daemons and system software only.
SETroubleshoot is not installed
Category: OS security
OS: Linux
Description
The SETroubleshoot service notifies desktop users of SELinux denials through a user-friendly interface. The service provides important information around configuration errors, unauthorized intrusions and other potential errors.
Recommendation
The SETroubleshoot service is an unnecessary daemon to have running on a server. Verify setroubleshoot is not installed.
MCS Translation Service is not installed
Category: OS security
OS: Linux
Description
The mcstransd daemon provides category label information to client processes requesting information. Since the service is not used very often, remove it to reduce the amount of potentially vulnerable code running on the system.
Recommendation
Verify mcstrans is not installed.
System-wide crypto policy is not legacy
Category: OS security
OS: Linux
Description
The system-wide crypto-policies followed by the core crypto components allow algorithms to be consistently deprecated and disabled system-wide; the LEGACY policy re-enables weak algorithms for compatibility with old systems.
Recommendation
Verify in /etc/crypto-policies/config that the system-wide crypto policy is not LEGACY.
System-wide crypto policy is FUTURE or FIPS
Category: OS security
OS: Linux
Description
The system-wide crypto-policies followed by the crypto core components allow consistently deprecating and disabling algorithms system-wide.
Recommendation
Verify in /etc/crypto-policies/config that the system-wide crypto policy is FUTURE or FIPS.
Only one firewall service enabled
Category: OS security
OS: Linux
Description
A firewall provides defense against external and internal threats by refusing unauthorized connections, to stop intrusion and provide a strong method of access control policy.
Recommendation
Ensure that only one of firewalld, iptables or nftables is installed and enabled; running more than one leads to conflicting rule sets.
System-wide crypto policy is not overridden
Category: OS security
OS: Linux
Description
The system-wide crypto policy can be overridden or opted out of for OpenSSH. Overriding or opting out of the system-wide crypto policy could allow the use of less secure ciphers, MACs and key-exchange algorithms.
Recommendation
Verify in /etc/sysconfig/sshd that CRYPTO_POLICY is not set.
Last logged in user display is disabled
Category: OS security
OS: Linux
Description
Displaying the last logged in user eliminates half of the Userid/Password equation that an unauthorized person would need to log on.
Recommendation
Verify that the GDM configuration has disable-user-list=true.
Net Snmp is not installed
Category: OS security
OS: Linux
Description
Simple Network Management Protocol (SNMP) is a widely used protocol for monitoring the health and welfare of network equipment. If SNMP is required the server should use only SNMP v3.
Recommendation
Verify that net-snmp is not installed.
Dirty Pipe Vulnerability
Category: OS security
OS: Linux
Description
Dirty Pipe (CVE-2022-0847) is a vulnerability in Linux kernels from version 5.8 onwards that allows an unprivileged local user to overwrite data in arbitrary read-only files. This leads to privilege escalation, as unprivileged processes can inject code into root processes. The vulnerability was fixed in Linux 5.16.11, 5.15.25 and 5.10.102.
Recommendation
Keep the kernel up to date. On distributions that backport fixes, compare the package version with the vendor advisory rather than relying on the upstream version number alone.
Log4j with Remote Code Execution Present
Category: Network and credentials
OS: Linux
Description
Verifies if a vulnerable version of the log4j module is present on disk. The module could be affected by CVE-2021-44228 (Log4Shell) and CVE-2021-45046: a specially crafted request containing a JNDI lookup string can make the application fetch and execute a malicious payload.
Recommendation
Avoid Log4j versions 2.0 through 2.15.0 (2.15.0 only partially fixed the issue); upgrade to 2.16.0 or later (2.12.2 on the Java 7 line).
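The two Log4j entries and the Dirty Pipe entry are all "is this version inside an affected range" questions, and share one version-comparison helper. The script below is an added example, not the product's check; it assumes bash and GNU find, encodes the ranges those entries give (plus the 2.17.0 and 2.12.2 fix releases, which are facts about the Log4j project and not something the page states), and reads the Log4j version from the jar file name, which is only reliable for the usual Maven naming.

```bash
#!/usr/bin/env bash
# Added example, not the page's own check: classify version strings against
# the affected ranges the Log4j entries (CVE-2021-44228/45046 and
# CVE-2021-45105) and the Dirty Pipe entry (CVE-2022-0847) give, plus a jar
# scan. Assumes bash and GNU find. Version-string checks are a first pass
# only: distribution kernels and vendor-patched jars carry backported fixes
# without a version bump, so confirm hits against the vendor advisory.

# Compare dotted numeric versions: prints -1, 0 or 1. Any "-suffix"
# (5.10.0-21-amd64, 2.0-beta9) is dropped; missing components count as 0.
vercmp() {
    local a="${1%%-*}" b="${2%%-*}" x y
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ $(( 10#${x:-0} )) -lt $(( 10#${y:-0} )) ]; then echo -1; return; fi
        if [ $(( 10#${x:-0} )) -gt $(( 10#${y:-0} )) ]; then echo 1; return; fi
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
    done
    echo 0
}

# 0 if VERSION lies in the half-open range [LOW, HIGH).
in_range() {   # VERSION LOW HIGH
    [ "$(vercmp "$1" "$2")" -ge 0 ] && [ "$(vercmp "$1" "$3")" -lt 0 ]
}

# CVEs a log4j-core 2.x version is exposed to. 2.16.0 closed 44228/45046 and
# 2.17.0 closed 45105; on the Java 7 line the same fixes are 2.12.2 and 2.12.3.
# (The 2.3.x Java 6 line and log4j 1.x, which is end-of-life with its own
# issues, are not modelled.) Prints a comma-separated list or "none".
log4j_status() {
    local v="${1%%-*}" out=""
    if in_range "$v" 2.0 2.16.0 && ! in_range "$v" 2.12.2 2.13.0; then
        out="CVE-2021-44228/CVE-2021-45046"
    fi
    if in_range "$v" 2.0 2.17.0 && ! in_range "$v" 2.12.3 2.13.0; then
        out="${out:+$out,}CVE-2021-45105"
    fi
    echo "${out:-none}"
}

# Dirty Pipe by upstream version: affected from 5.8; fixed in 5.10.102,
# 5.15.25, 5.16.11 and 5.17. The 5.8, 5.9 and 5.11-5.14 series were already
# end-of-life upstream and never received the fix.
dirty_pipe_status() {
    local v="${1%%-*}" major minor rest
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}
    if [ "$(vercmp "$v" 5.8)" -lt 0 ]; then echo "not affected"; return; fi
    case "$major.$minor" in
        5.10) in_range "$v" 5.10 5.10.102 && echo vulnerable || echo fixed ;;
        5.15) in_range "$v" 5.15 5.15.25  && echo vulnerable || echo fixed ;;
        5.16) in_range "$v" 5.16 5.16.11  && echo vulnerable || echo fixed ;;
        *)    [ "$(vercmp "$v" 5.17)" -ge 0 ] && echo fixed || echo vulnerable ;;
    esac
}

# Scan a filesystem tree for log4j-core jars named by version (the usual
# Maven layout) and print the status of each. Shaded or renamed jars need the
# version read from META-INF/MANIFEST.MF (Implementation-Version) instead.
scan_log4j_jars() {   # [ROOT]
    local jar v
    find "${1:-/}" -xdev -type f -name 'log4j-core-*.jar' 2>/dev/null |
    while IFS= read -r jar; do
        v=${jar##*log4j-core-}; v=${v%.jar}
        echo "$jar: $(log4j_status "$v")"
    done
}

# Usage on a live host:
#   dirty_pipe_status "$(uname -r)"
#   scan_log4j_jars /opt
```

A jar bundled inside a WAR or fat JAR is not found by the file-name scan; for those, unzip the archive and look for org/apache/logging/log4j/core/lookup/JndiLookup.class, which is exactly the class a manual mitigation removes.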
Cr8escape Vulnerability
Category: Vulnerability
OS: Linux
Description
Cr8escape (CVE-2022-0811) is a vulnerability in the CRI-O container runtime caused by the way it applies kernel parameters (sysctls) for a pod. Users with rights to deploy pods on vulnerable Kubernetes clusters can escape the container, gain access to the host and execute arbitrary code as root on the cluster node.
Recommendation
Update to a patched version of CRI-O. Versions that address the issue: 1.23.2, 1.22.3, 1.21.6, 1.20.7 and 1.19.6.
Spring Cloud Functions vulnerability (Spring4Shell)
Category: Vulnerability
OS: Linux
Description
Spring Cloud Function versions 3.1.6, 3.2.2 and older are vulnerable to CVE-2022-22963. The vulnerability allows a user to supply a specially crafted SpEL payload in the spring.cloud.function.routing-expression HTTP header, which may result in remote code execution and access to local resources. Note that CVE-2022-22963 is distinct from the Spring Framework vulnerability commonly called Spring4Shell (CVE-2022-22965); the two need separate checks and patches.
Recommendation
Upgrade Spring Cloud Function to version 3.1.7, 3.2.3 or higher.