Windows misconfigurations

Task Manager

Category: OS security

OS: Windows

Description

Verifies the local group policy settings for User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options\Remove Task Manager.

When Remove Task Manager is enabled, the endpoint is vulnerable to security threats. Because Task Manager can list and terminate running processes, some malware disables it to avoid being terminated.

Recommendation

Keep the Task Manager enabled on all endpoints.

Smart Card Service

Category: OS security

OS: Windows

Description

Verifies the settings for Smart Card local service.

The Smart Card Service provides read access to smart cards and public key services support through a background process (scardsvr.exe). Although this Windows service is considered quite safe, some malware programs disguise themselves as scardsvr.exe.

Recommendation

Disable this service if it is not used explicitly on endpoints.

Telnet Server Service

Category: Network and credentials

OS: Windows

Description

Verifies whether the Telnet Server service is installed and enabled on the endpoint.

Telnet is one of the earliest TCP/IP protocols for accessing remote endpoints through terminal sessions. Telnet provides no built-in security measures (such as data encryption or authentication), and using it exposes endpoints to security risks.

Recommendation

Disable Telnet Server service on all endpoints and use SSH instead.
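The two service entries above can be audited from PowerShell. The following is an added example, not code from this page or from the product it documents: it reports each service's state and start mode, checks that the service image and any svchost-hosted ServiceDll live under %SystemRoot%\System32 (where the genuine binaries belong, which addresses the scardsvr.exe disguise mentioned above), and lists any running scardsvr.exe whose image is elsewhere. The service names SCardSvr and TlntSvr are the standard Windows names; the checks themselves are this example's own.

```powershell
# Added example (not from the original page). Audits the Smart Card (SCardSvr) and
# Telnet Server (TlntSvr) services: installation, state, start mode, and whether the
# service image and any svchost-hosted ServiceDll live under %SystemRoot%\System32.

function Get-ServiceImagePath {
    param([Parameter(Mandatory)] [string] $PathName)
    # PathName may be quoted and may carry arguments, e.g.
    #   C:\WINDOWS\system32\svchost.exe -k LocalServiceAndNoImpersonation
    if ($PathName -match '^"?(.+?\.exe)') { return $Matches[1] }
    return $PathName
}

function Test-ServiceHardening {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [ValidateSet('Running', 'Stopped')] [string] $ExpectedState
    )
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if (-not $svc) {
        return [pscustomobject]@{
            Service = $Name; Installed = $false; State = $null; StartMode = $null
            ImageInSystem32 = $null; Finding = 'not installed'
        }
    }
    $system32 = Join-Path $env:SystemRoot 'System32'
    $image    = Get-ServiceImagePath -PathName $svc.PathName
    # svchost-hosted services load their code from the Parameters\ServiceDll value
    $dll = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$Name\Parameters" `
                             -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    $paths   = @($image) + @($dll | Where-Object { $_ })
    $outside = $paths | Where-Object {
        [Environment]::ExpandEnvironmentVariables($_) -notlike "$system32\*"
    }
    $findings = @()
    if ($svc.State -ne $ExpectedState) { $findings += "state is $($svc.State), expected $ExpectedState" }
    if ($outside)                      { $findings += "binary outside System32: $($outside -join '; ')" }

    [pscustomobject]@{
        Service         = $Name
        Installed       = $true
        State           = $svc.State
        StartMode       = $svc.StartMode
        ImageInSystem32 = (-not $outside)
        Finding         = if ($findings) { $findings -join '; ' } else { 'OK' }
    }
}

function Get-SuspiciousScardsvrProcess {
    # The disguise described above: a process named scardsvr.exe whose image is not the
    # one under System32. Path is $null for processes we cannot open; those are skipped.
    $system32 = Join-Path $env:SystemRoot 'System32'
    Get-Process -Name scardsvr -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and $_.Path -notlike "$system32\*" } |
        Select-Object Id, ProcessName, Path
}

# Smart Card: stopped unless explicitly used; Telnet Server: never running.
Test-ServiceHardening -Name SCardSvr -ExpectedState Stopped
Test-ServiceHardening -Name TlntSvr  -ExpectedState Stopped
Get-SuspiciousScardsvrProcess
```

On current Windows versions the Smart Card service is hosted in svchost.exe, so the image path alone says little; the ServiceDll check is what ties the service to its real code. Run the script elevated so that Get-Process can read image paths for processes running under other accounts.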

Auto Logon

Category: Network and credentials

OS: Windows

Description

Verifies whether Windows requires account sign-in.

When account sign-in is disabled, Windows stores the user's password in the registry, making it possible to bypass the password screen during logon.

Recommendation

Require account sign-in always.
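The setting above is implemented by values under the Winlogon registry key. The following added example (not code from this page or the product it documents) reports whether automatic sign-in is on and whether a plaintext DefaultPassword is stored, without ever returning the password itself, and offers an opt-in remediation. The value names are the standard Winlogon ones; the function names are this example's own.

```powershell
# Added example (not from the original page). Audits and, on request, removes the
# Winlogon automatic sign-in configuration. The stored password is never emitted.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Test-AutoLogon {
    $p = Get-ItemProperty -Path $WinlogonKey -ErrorAction Stop
    $autoLogon = ($p.AutoAdminLogon -eq '1')                  # REG_SZ "1" turns automatic sign-in on
    $plaintext = -not [string]::IsNullOrEmpty($p.DefaultPassword)
    [pscustomobject]@{
        AutoAdminLogon       = $autoLogon
        ForceAutoLogon       = ($p.ForceAutoLogon -eq '1')   # signs the account back in after every sign-out
        DefaultUserName      = $p.DefaultUserName
        DefaultDomainName    = $p.DefaultDomainName
        PlaintextPasswordSet = $plaintext                    # presence only; the value is never returned
        Compliant            = (-not $autoLogon) -and (-not $plaintext)
    }
}

function Disable-AutoLogon {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($WinlogonKey, 'Require sign-in and remove the stored password')) {
        Set-ItemProperty    -Path $WinlogonKey -Name AutoAdminLogon  -Value '0' -Type String
        Remove-ItemProperty -Path $WinlogonKey -Name DefaultPassword -ErrorAction SilentlyContinue
        Remove-ItemProperty -Path $WinlogonKey -Name ForceAutoLogon  -ErrorAction SilentlyContinue
    }
}

$state = Test-AutoLogon
$state
if (-not $state.Compliant) { Disable-AutoLogon -WhatIf }   # drop -WhatIf to apply the change
```

Some tools that configure automatic sign-in keep the password as an LSA secret named DefaultPassword rather than as a registry string, so an absent DefaultPassword value only proves that no plaintext copy sits in the registry; AutoAdminLogon being "1" is the reliable indicator that sign-in is bypassed.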

Secure Logon

Category: OS security

OS: Windows

Description

Verifies the local security policy option Interactive logon: Do not require CTRL+ALT+DEL.

This option defines whether users must press CTRL+ALT+DEL before signing in to Windows, an additional security layer that prevents malware from intercepting usernames and passwords.

  • If this option is set to Enabled, the system is more vulnerable to security threats.

Recommendation

Set this policy to Disabled.

UAC Off

Category: OS security

OS: Windows

Description

Verifies the local security policy option User Account Control: Run all administrators in Admin Approval Mode.

This setting controls the behavior of all UAC policy settings for the endpoint.

UAC (User Account Control) is a security feature that helps prevent unauthorized changes to the OS by potentially harmful programs. UAC requires administrator authorization for actions such as installing a program or modifying system settings.

  • When UAC is set to Never notify, the system is more vulnerable to malware.

Recommendation

Set this policy to Enabled.

UAC Insecure

Category: OS security

OS: Windows

Description

Verifies the configuration for User Account Control policy and registry settings, to check if these comply with the default recommended settings.

The policy settings are located in Security Settings\Local Policies\Security Options, in the Local Security Policy app.

Recommendation

Configure the UAC settings to at least the default level.

Automatic Updates

Category: OS security

OS: Windows

Description

Verifies the local group policy Configure Automatic Updates, located in Computer Configuration\Administrative Templates\Windows Components\Windows Update.

This policy specifies whether the endpoint will receive security updates and other important downloads through the Windows automatic updating service. When disabled, the endpoint is more vulnerable to security threats.

Recommendation

Set this policy to Enabled.

LAN Manager Hash

Category: OS security

OS: Windows

Description

Verifies the local security policy option Network security: Do not store LAN Manager hash value on next password change.

When a user sets a password of fewer than 15 characters, Windows generates a LAN Manager hash (LM hash) of that password.

  • If the Windows security option is set to store the hash in the local Security Accounts Manager (SAM) database, the passwords can be compromised and the endpoint is prone to brute-force attacks.

Recommendation

After applying the fix, all affected users must change their domain password. The new password must be at least 15 characters long.

In this case, Windows stores an LM hash value that cannot be used to authenticate the user.

Blank Password

Category: Network and credentials

OS: Windows

Description

Verifies the local security policy option Accounts: Limit local account use of blank passwords to console logon only.

This setting determines whether local accounts without password protection can be used to log on from locations other than the physical computer console.

  • When this option is disabled, endpoints are exposed to a high security risk.

Recommendation

Set this policy to Enabled.

Anonymous User Permissions

Category: Network and credentials

OS: Windows

Description

Verifies the local security policy option Network access: Do not allow anonymous enumeration of SAM accounts.

This option determines if anonymous connections have the permission to enumerate the names of domain accounts.

Endpoints with this option disabled are vulnerable to attackers trying to obtain usernames or passwords stored locally.

Recommendation

The recommended setting for this policy is Enabled: Do not allow enumeration of SAM accounts.

This option replaces Everyone with Authenticated Users in the security permissions for resources.
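The Task Manager, Secure Logon, UAC Off, UAC Insecure, LAN Manager Hash, Blank Password and Anonymous User Permissions entries above all resolve to registry values. The following added example (not code from this page or the product it documents) checks them from one data-driven table and generalizes to any further value you add to it. The paths and value names are the standard Windows locations for these policies; the expected values are this page's recommendations, with the UAC values set to the Windows defaults. A value that is absent is reported as "Review" unless the entry's AbsentOk flag says absence is the compliant state.

```powershell
# Added example (not from the original page). One data-driven registry baseline for the
# local policy options above. Extend $Baseline with further entries as needed.

$PolSys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

$Baseline = @(
    @{ Setting = 'Remove Task Manager (current user)'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DisableTaskMgr';             Expected = @(0);         AbsentOk = $true }
    @{ Setting = 'Interactive logon: Do not require CTRL+ALT+DEL';       Path = $PolSys
       Name = 'DisableCAD';                 Expected = @(0);         AbsentOk = $false }
    @{ Setting = 'UAC: Run all administrators in Admin Approval Mode';   Path = $PolSys
       Name = 'EnableLUA';                  Expected = @(1);         AbsentOk = $false }
    @{ Setting = 'UAC: elevation prompt for administrators (0 = Never notify)'; Path = $PolSys
       Name = 'ConsentPromptBehaviorAdmin'; Expected = @(1,2,3,4,5); AbsentOk = $false }
    @{ Setting = 'UAC: switch to the secure desktop when prompting';     Path = $PolSys
       Name = 'PromptOnSecureDesktop';      Expected = @(1);         AbsentOk = $false }
    @{ Setting = 'UAC: detect application installations';               Path = $PolSys
       Name = 'EnableInstallerDetection';   Expected = @(1);         AbsentOk = $false }
    @{ Setting = 'UAC: virtualize file and registry write failures';    Path = $PolSys
       Name = 'EnableVirtualization';       Expected = @(1);         AbsentOk = $false }
    @{ Setting = 'Do not store LAN Manager hash value';                  Path = $Lsa
       Name = 'NoLMHash';                   Expected = @(1);         AbsentOk = $false }
    @{ Setting = 'Limit blank passwords to console logon only';         Path = $Lsa
       Name = 'LimitBlankPasswordUse';      Expected = @(1);         AbsentOk = $false }
    @{ Setting = 'Do not allow anonymous enumeration of SAM accounts';  Path = $Lsa
       Name = 'RestrictAnonymousSAM';       Expected = @(1);         AbsentOk = $false }
)

function Test-RegistryBaseline {
    param([Parameter(Mandatory)] [hashtable[]] $Checks)
    foreach ($c in $Checks) {
        $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($c.Name) } else { $null }
        if ($null -eq $actual) {
            $status = if ($c.AbsentOk) { 'Pass' } else { 'Review' }   # Windows default applies
        }
        elseif ($c.Expected -contains [int]$actual) { $status = 'Pass' }
        else                                        { $status = 'Fail' }
        [pscustomobject]@{
            Setting  = $c.Setting
            Value    = $c.Name
            Actual   = if ($null -eq $actual) { 'absent' } else { $actual }
            Expected = ($c.Expected -join '/')
            Status   = $status
        }
    }
}

Test-RegistryBaseline -Checks $Baseline | Format-Table -AutoSize
```

The HKCU entry is evaluated for the account running the script; to audit Remove Task Manager for other users, load their hives or query the policy through Group Policy reporting instead. Values written by Group Policy land in these same keys, so the table reports the effective state rather than the intended one.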

Kernel-Mode Printer Drivers

Category: OS security

OS: Windows

Description

Verifies the local group policy Disallow installation of printers using kernel-mode drivers, located in Computer Configuration\Administrative Templates\Printers.

This setting determines whether printers using kernel-mode drivers may be installed on the local endpoint. Kernel-mode drivers have access to system-wide memory, and therefore poorly written kernel-mode drivers can cause stop errors.

  • When this option is Disabled, the printer drivers will run in the kernel space of the operating system, exposing the endpoint to security risks.

Recommendation

Set this policy to Enabled.

Windows Backup Service

Category: OS security

OS: Windows

Description

Verifies the settings for Windows Backup and Restore service (SDRSVC).

  • When this service is stopped, the system does not have access to native Microsoft backup and restore tools.

Recommendation

Enable this service on all endpoints.

Telephony Service

Category: OS security

OS: Windows

Description

Verifies if the Telephony Service is active.

Recommendation

Set this service to Disabled.

Lock Screen App Notifications

Category: OS security

OS: Windows

Description

Verifies the local group policy Turn off app notifications on the lock screen, located in Computer Configuration\Administrative Templates\System\Logon.

This policy setting lets you prevent app notifications from appearing on the lock screen.

  • If you enable this policy setting, no app notifications are displayed on the lock screen.

  • If you disable or do not configure this policy setting, users can choose which apps display notifications on the lock screen.

Recommendation

Set this policy to Enabled.

Microphone Service

Category: OS security

OS: Windows

Description

Verifies if any microphone is enabled.

Recommendation

Disable microphones on endpoints.

Store Domain Credentials

Category: OS security

OS: Windows

Description

Checks if the passwords and credentials used for network authentication are stored on the local computer.

Recommendation

Do not allow storage of passwords and credentials used for network authentication on the local computer.

Digitally Encrypt / Sign Data

Category: Network and credentials

OS: Windows

Description

Verifies the local security policy option Domain member: Digitally encrypt or sign secure channel data (always).

This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted.

  • When this policy is disabled, encryption and signing of all secure channel traffic depend on the version of the domain controller and on the settings of the other policies for encrypting and signing secure channel data.

Recommendation

Set this policy to Enabled.

Digitally Encrypt Data

Category: Network and credentials

OS: Windows

Description

Verifies the local security policy option Domain member: Digitally encrypt secure channel data (when possible).

This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates.

Disabling this setting may unnecessarily reduce secure channel throughput, because concurrent API calls that use the secure channel are only possible when the secure channel is signed or encrypted.

Recommendation

Set this policy to Enabled.

Digitally Sign Data

Category: Network and credentials

OS: Windows

Description

Verifies the local security policy option Domain member: Digitally sign secure channel data (when possible).

This security setting determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates.

  • If enabled, the domain member will request signing of all secure channel traffic.

  • If the Domain Controller supports signing of all secure channel traffic, then all secure channel traffic will be signed which ensures that it cannot be tampered with in transit.

Recommendation

Set this policy to Enabled.

Change Account Password

Category: Network and credentials

OS: Windows

Description

Verifies the local security policy option Domain member: Disable machine account password changes.

Determines whether a domain member periodically changes its computer account password.

  • If this setting is enabled, the domain member does not attempt to change its computer account password, which exposes the endpoint to security risks.

Recommendation

Set this policy to Disabled.

Strong Session Key

Category: Network and credentials

OS: Windows

Description

Verifies the local security policy option Domain member: Require strong (Windows 2000 or later) session key.

This security setting determines whether 128-bit key strength is required for encrypted secure channel data.

  • If this setting is enabled, then the secure channel will not be established unless 128-bit encryption can be performed.

  • If this setting is disabled, then the key strength is negotiated with the domain controller.

Recommendation

Set this policy to Enabled.

Insecure Guest Logon

Category: Network and credentials

OS: Windows

Description

Verifies the local group policy Enable insecure guest logons, located in Computer Configuration\Administrative Templates\Network\Lanman Workstation.

This policy determines if the SMB client will allow insecure guest logons to an SMB server.

  • If you enable or do not configure this policy, the SMB client will allow insecure guest logons.

    Insecure guest logons are used by file servers to allow unauthenticated access to shared folders.

    Since insecure guest logons are unauthenticated, important security features such as SMB Signing and SMB Encryption are disabled.

    As a result, clients that allow insecure guest logons are vulnerable to a variety of man-in-the-middle attacks that can result in data loss, data corruption and exposure to malware.

Additionally, any data written to a file server using an insecure guest logon is potentially accessible to anyone on the network.

Recommendation

Disable insecure guest logons and configure file servers to require authenticated access.
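The following added example (not code from this page or the product it documents) checks the insecure guest logon setting in two places: the policy registry value named above and Get-SmbClientConfiguration, which reports the value the SMB client is actually using. It also reads the client's own rejection events, which after the fix point at file servers that still serve unauthenticated shares. The cmdlets, value names and event log are standard Windows (Windows 8 / Server 2012 or later); the wrapper functions are this example's own.

```powershell
# Added example (not from the original page). Audit, opt-in remediation and follow-up
# detection for "Enable insecure guest logons" on the SMB client.

function Test-InsecureGuestLogons {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation'
    $policy = (Get-ItemProperty -Path $policyKey -Name AllowInsecureGuestAuth `
                                -ErrorAction SilentlyContinue).AllowInsecureGuestAuth
    $client = Get-SmbClientConfiguration
    [pscustomobject]@{
        PolicyAllowInsecureGuestAuth = if ($null -eq $policy) { 'not configured' } else { $policy }  # 0 = disabled
        EffectiveInsecureGuestLogons = $client.EnableInsecureGuestLogons
        ClientRequiresSigning        = $client.RequireSecuritySignature
        Compliant                    = (-not $client.EnableInsecureGuestLogons)
    }
}

function Disable-InsecureGuestLogons {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('SMB client', 'Disable insecure guest logons')) {
        Set-SmbClientConfiguration -EnableInsecureGuestLogons $false -Force
    }
}

function Get-RejectedGuestLogonEvents {
    # Once guest logons are disabled, the SMB client logs event 31017 ("Rejected an insecure
    # guest logon") in Microsoft-Windows-SmbClient/Security. Each event names a server that
    # still offers unauthenticated shares and needs to be fixed on the server side.
    param([int] $Newest = 20)
    Get-WinEvent -LogName 'Microsoft-Windows-SmbClient/Security' `
                 -FilterXPath '*[System[EventID=31017]]' -MaxEvents $Newest -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

Test-InsecureGuestLogons
Get-RejectedGuestLogonEvents -Newest 5
```

Because an insecure guest session cannot be signed or encrypted, the effective value reported by Get-SmbClientConfiguration is the one that matters; the policy value only shows whether Group Policy is enforcing it.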

Lock Screen Camera

Category: OS security

OS: Windows

Description

Verifies the local group policy Prevent enabling lock screen camera, located in Computer Configuration\Administrative Templates\Control Panel\Personalization.

This policy disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen.

Recommendation

Set this policy to Enabled.

Lock Screen Slide Show

Category: OS security

OS: Windows

Description

Verifies the local group policy Prevent enabling lock screen slide show, located in Computer Configuration\Administrative Templates\Control Panel\Personalization.

This policy disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen.

Recommendation

Set this policy to Enabled.

Client Digitally Sign Communications

Category: OS security

OS: Windows

Description

Verifies the local security policy option Microsoft network client: Digitally sign communications (always).

This security setting determines whether packet signing is required by the Server Message Block (SMB) client component.

Recommendation

Set this policy to Enabled.

Unencrypted passwords

Category: Network and credentials

OS: Windows

Description

Verifies the local security policy option Microsoft network client: Send unencrypted password to third-party SMB servers.

  • If this security setting is enabled, the Server Message Block (SMB) redirector is allowed to send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication.

    Sending unencrypted passwords is a security risk.

Recommendation

Set this policy to Disabled.

Server Digitally Sign Communications

Category: Network and credentials

OS: Windows

Description

Verifies the local security policy option Microsoft network server: Digitally sign communications (always).

This security setting determines whether packet signing is required by the Server Message Block (SMB) server component.

The SMB protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration.

To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets.

  • If this policy is disabled, SMB packet signing is negotiated between the Microsoft network client and server.

Note

All Windows OS support both a client-side SMB component and a server-side SMB component.

To take advantage of SMB packet signing, both the client-side SMB component and server-side SMB component that are involved in a communication must have SMB packet signing either enabled or required.

Recommendation

Set this policy to Enabled.
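The secure channel entries above (Digitally Encrypt / Sign Data, Digitally Encrypt Data, Digitally Sign Data, Change Account Password, Strong Session Key) and the SMB entries (Client Digitally Sign Communications, Unencrypted passwords, Server Digitally Sign Communications) are all local security policy options. The following added example (not code from this page or the product it documents) exports the effective local policy with secedit, parses the [Registry Values] section of the resulting INF, and compares each option with this page's recommendation. The INF line format (Path=Type,Value, with type 4 meaning REG_DWORD) is secedit's own; the registry paths are the standard ones; the sample export text is constructed so the parser can be exercised offline.

```powershell
# Added example (not from the original page). Export the local security policy with
# secedit, parse it, and compare the secure channel and SMB options with the recommendations.

$Expected = @{
    'MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal'               = 1  # encrypt or sign (always)
    'MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel'               = 1  # encrypt (when possible)
    'MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel'               = 1  # sign (when possible)
    'MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange'           = 0  # machine password changes stay on
    'MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey'                = 1  # 128-bit session key
    'MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature' = 1  # client: sign (always)
    'MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword'  = 0  # no plaintext passwords
    'MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature'      = 1  # server: sign (always)
}

function ConvertFrom-SeceditInf {
    param([Parameter(Mandatory)] [string[]] $Lines)
    $values = @{}
    $inSection = $false
    foreach ($line in $Lines) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Registry Values'); continue }
        if ($inSection -and $line -match '^(?<path>[^=]+)=(?<type>\d+),(?<data>.*)$') {
            # type 4 = REG_DWORD; other types (1 = REG_SZ, 7 = REG_MULTI_SZ) are kept as strings
            $values[$Matches.path] = if ($Matches.type -eq '4') { [int]$Matches.data } else { $Matches.data.Trim('"') }
        }
    }
    return $values
}

function Export-LocalSecurityPolicy {
    # Requires an elevated prompt. secedit writes UTF-16 with a BOM, which Get-Content honours.
    $tmp = Join-Path $env:TEMP 'secpol-export.inf'
    & secedit.exe /export /cfg $tmp /areas SECURITYPOLICY /quiet | Out-Null
    $lines = Get-Content -Path $tmp
    Remove-Item -Path $tmp -ErrorAction SilentlyContinue
    return $lines
}

function Compare-SecureChannelPolicy {
    param([Parameter(Mandatory)] [hashtable] $Actual)
    foreach ($path in ($Expected.Keys | Sort-Object)) {
        $have = $Actual[$path]
        [pscustomobject]@{
            Setting  = ($path -split '\\')[-1]
            Actual   = if ($null -eq $have) { 'not defined' } else { $have }
            Expected = $Expected[$path]
            Status   = if ($have -eq $Expected[$path]) { 'Pass' } else { 'Fail' }
        }
    }
}

# Constructed sample export (not from a real machine) so the parser and comparison run offline.
$Sample = @'
[Unicode]
Unicode=yes
[Registry Values]
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange=4,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,1
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

Compare-SecureChannelPolicy -Actual (ConvertFrom-SeceditInf -Lines $Sample) | Format-Table -AutoSize
# Live system: Compare-SecureChannelPolicy -Actual (ConvertFrom-SeceditInf -Lines (Export-LocalSecurityPolicy))
```

In the constructed sample the server signing value is 0, the plaintext password value is 1 and the client signing value is missing, so those three rows report Fail; the rest pass. A value absent from the export means the option is "Not Defined" in the local policy and the Windows default applies, which the comparison treats as non-compliant so that it is reviewed explicitly.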

Download Print Drivers Over HTTP

Category: Network and credentials

OS: Windows

Description

Verifies the local group policy Turn off downloading of print drivers over HTTP, located in Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication Settings.

This policy specifies whether to allow this client to download print driver packages over HTTP.

  • When disabled or not configured, users can download print drivers over HTTP.

Recommendation

Set this policy to Enabled.

Print Over HTTP

Category: Network and credentials

OS: Windows

Description

Verifies the local group policy Turn off printing over HTTP, located in Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication Settings.

This policy specifies whether to allow printing over HTTP from this client. Printing over HTTP allows a client to print to printers on the intranet as well as the Internet.

  • When disabled or not configured, users can choose to print to printers on the Internet over HTTP.

Recommendation

Set this policy to Enabled.

Strengthen Permissions

Category: OS security

OS: Windows

Description

Verifies the local security policy option System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links).

This security setting determines the strength of the default Discretionary Access Control List (DACL) for objects.

Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. This way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted.

  • If this policy is enabled, the default DACL is stronger, allowing users who are not administrators to read shared objects but not allowing these users to modify shared objects that they did not create.

Recommendation

Set this policy to Enabled.

Enumerate Local Users

Category: OS security

OS: Windows

Description

Verifies the local group policy Enumerate local users on domain-joined computers, located in Computer Configuration\Administrative Templates\System\Logon.

This policy allows local users to be enumerated on domain-joined computers.

  • If you enable this policy, Logon UI will enumerate all local users on domain-joined computers.

Recommendation

Set this policy to Disabled.

PIN Sign-In

Category: OS security

OS: Windows

Description

Verifies the local group policy Turn on convenience PIN sign-in, located in Computer Configuration\Administrative Templates\System\Logon.

This policy allows you to control whether a domain user can sign in using a convenience PIN.

  • If you disable or do not configure this policy, a domain user cannot set up and use a convenience PIN. When the feature is enabled and used, the user's domain password is cached in the system vault.

Recommendation

Set this policy to Disabled.

Restrict Unauthenticated RPC

Category: Network and credentials

OS: Windows

Description

Verifies the local group policy Restrict Unauthenticated RPC clients, located in Computer Configuration\Administrative Templates\System\Remote Procedure Call.

This policy controls how the Remote Procedure Call (RPC) server runtime handles unauthenticated RPC clients connecting to RPC servers.

In a domain environment, this policy should be used with caution as it can affect a wide range of functionality, including the group policy processing itself.

A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security.

Recommendation

Set this policy to Enabled > Authenticated.

Optional Microsoft Accounts

Category: OS security

OS: Windows

Description

Verifies the local group policy Allow Microsoft accounts to be optional, located in Computer Configuration\Administrative Templates\Windows Components\App runtime.

This policy lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in.

This policy only affects Windows Store apps that support it.

  • If you enable this policy, Windows Store apps that typically require a Microsoft account to sign in will allow users to sign in with an enterprise account instead.

  • If you disable or do not configure this policy, users will need to sign in with a Microsoft account.

Recommendation

Set this policy to Enabled.

Autoplay Non-Volume Devices

Category: OS security

OS: Windows

Description

Verifies the local group policy Turn off Autoplay, located in Computer Configuration\Administrative Templates\Windows Components\Autoplay Policies.

This policy setting allows you to turn off the Autoplay feature (reading from a drive as soon as media is inserted).

  • When disabled, program setup files and the music on audio media start as soon as the media is inserted in the drive.

Recommendation

Set this policy to Enabled > All Drives.

Turn off Autoplay

Category: OS security

OS: Windows

Description

Verifies the local group policy Turn off Autoplay, located in Computer Configuration\Administrative Templates\Windows Components\Autoplay Policies.

This policy setting allows you to turn off the Autoplay feature (reading from a drive as soon as media is inserted).

  • When disabled, program setup files and the music on audio media start as soon as the media is inserted in the drive.

Recommendation

Set this policy to Enabled: All Drives.
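Turn off Autoplay is stored as a bitmask, NoDriveTypeAutoRun, under the Explorer policies key; "Enabled: All Drives" writes 0xFF, and when the policy is not configured Windows applies its default of 0x91. The following added example (not code from this page or the product it documents) decodes that mask into the drive types for which Autoplay is off, for both the machine and current-user policy hives. The bit-to-drive-type mapping follows the Windows drive type constants; the functions are this example's own.

```powershell
# Added example (not from the original page). Decode NoDriveTypeAutoRun into drive types.

$DriveTypeBits = @(
    @{ Bit = 0x01; Type = 'Unknown' }
    @{ Bit = 0x02; Type = 'No root directory' }
    @{ Bit = 0x04; Type = 'Removable (USB, floppy)' }
    @{ Bit = 0x08; Type = 'Fixed' }
    @{ Bit = 0x10; Type = 'Network' }
    @{ Bit = 0x20; Type = 'CD/DVD' }
    @{ Bit = 0x40; Type = 'RAM disk' }
    @{ Bit = 0x80; Type = 'Reserved / unspecified' }
)

function ConvertFrom-AutorunMask {
    param([Parameter(Mandatory)] [int] $Mask)
    foreach ($d in $DriveTypeBits) { if ($Mask -band $d.Bit) { $d.Type } }
}

function Get-AutoplayPolicy {
    param([string[]] $Hives = @('HKLM', 'HKCU'))
    foreach ($hive in $Hives) {
        $key   = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $value = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        $mask  = if ($null -eq $value) { 0x91 } else { [int]$value }   # 0x91 is the Windows default when unset
        [pscustomobject]@{
            Hive        = $hive
            Configured  = ($null -ne $value)
            Mask        = ('0x{0:X2}' -f $mask)
            AutoplayOff = ((ConvertFrom-AutorunMask -Mask $mask) -join ', ')
            AllDrives   = (($mask -band 0xFF) -eq 0xFF)                  # the page's recommended state
        }
    }
}

Get-AutoplayPolicy | Format-Table -AutoSize
```

With the default 0x91 only unknown, network and reserved drive types are covered, which leaves removable media and CD/DVD, the cases the entry above is concerned with, still autoplaying; AllDrives is true only when the policy has been set as recommended.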

Disable DMA

Category: OS security

OS: Windows

Description

Verifies the local group policy Disable new DMA devices when this computer is locked, located in Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption.

This policy allows blocking direct memory access (DMA) for all Thunderbolt hot pluggable PCI downstream ports until a user logs into Windows. Devices already enumerated when the machine was unlocked will continue to function until unplugged or the system is rebooted or hibernated.

This policy is only enforced when BitLocker or device encryption is enabled.

Note

Some PCs may not be compatible with this policy if the system firmware enables DMA for newly attached Thunderbolt devices before exposing the new devices to Windows.

Recommendation

Set this policy to Enabled.

Enhanced PIN with BitLocker

Category: OS security

OS: Windows

Description

Verifies the local group policy Allow enhanced PINs for startup, located in Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives.

This policy configures whether enhanced startup PINs are used with BitLocker. Enhanced startup PINs allow uppercase and lowercase letters, symbols, numbers, and spaces.

This policy is applied when BitLocker is turned on.

Note

Not all computers may support enhanced PINs in the pre-boot environment.

It is strongly recommended that users perform a system check during BitLocker setup.

  • If you disable or do not configure this policy, enhanced PINs will not be used.

Recommendation

Set this policy to Enabled.

Secure Boot for BitLocker

Category: OS security

OS: Windows

Description

Verifies the local group policy Allow Secure Boot for integrity validation, located in Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives.

This policy setting defines whether Secure Boot will be allowed as the platform integrity provider for BitLocker operating system drives.

Secure Boot ensures that the PC's pre-boot environment only loads firmware that is digitally signed by authorized software publishers.

Secure Boot also provides more flexibility for managing pre-boot configuration than legacy BitLocker integrity checks.

  • If you disable this policy, BitLocker will use legacy platform integrity validation even on systems capable of Secure Boot-based integrity validation.

    Warning

    Disabling this policy may result in BitLocker recovery when firmware is updated.

Recommendation

Set this policy to Enabled.

Write Removable Drives with BitLocker

Category: OS security

OS: Windows

Description

Verifies the local group policy Deny write access to removable drives not protected by BitLocker, located in Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives.

This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.

  • When enabling this setting, all removable data drives that are not BitLocker-protected will be mounted as read-only.

  • When disabling or not configuring this setting, all removable data drives on the computer will be mounted with read and write access.

Recommendation

Set this policy to Enabled.

Microsoft Consumer Experiences

Category: OS security

OS: Windows

Description

Verifies the local group policy Turn off Microsoft consumer experiences, located in Computer Configuration\Administrative Templates\Windows Components\Cloud Content.

  • If you disable or do not configure this policy setting, users may see personalized recommendations from Microsoft and notifications about their Microsoft account.

Note

This setting only applies to Enterprise and Education SKUs.

Recommendation

Set this policy to Enabled.

Enumerate Admin Accounts on Elevation

Category: OS security

OS: Windows

Description

Verifies the local group policy Enumerate administrator accounts on elevation, located in Computer Configuration\Administrative Templates\Windows Components\Credential User Interface.

This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application.

By default, administrator accounts are not displayed when the user attempts to elevate a running application.

  • If you enable this setting, all the local administrator accounts will be displayed, so the user can choose one and enter the correct password.

  • If you disable this setting, users will always be required to type a user name and password to elevate.

Recommendation

Set this policy to Disabled.

Internet Connection Sharing

Category: Network and credentials

OS: Windows

Description

Verifies the local group policy Prohibit use of Internet Connection Sharing on your DNS domain network, located in Computer Configuration\Administrative Templates\Network\Network Connections.

Determines whether administrators can enable and configure the Internet Connection Sharing (ICS) feature of an Internet connection and if the ICS service can run on the computer.

ICS lets administrators configure their system as an Internet gateway for a small network and provides network services such as name resolution and addressing through DHCP to the local private network.

  • If you enable this setting, ICS cannot be enabled or configured by administrators and it cannot run on the computer.

Note

ICS is only available when two or more network connections are present.

Non-administrators are already prohibited from configuring Internet Connection Sharing regardless of this setting.

Disabling this setting does not prevent Wireless Hosted Networking from using the ICS service for DHCP services.

To prevent the ICS service from running, go to the Network Permissions tab and select the Don't use hosted networks check box.

Recommendation

Set this policy to Enabled.

Connect to Open Hotspots

Category: Network and credentials

OS: Windows

Description

Verifies the local group policy Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services, located in Computer Configuration\Administrative Templates\Network\WLAN Service\WLAN Settings.

This policy configures the access to the following WLAN settings:

  • Connect to suggested open hotspots

  • Connect to networks shared by my contacts

  • Enable paid services

Note

If this policy is disabled, the abovementioned WLAN settings will be turned off and users on this device will not have access to enable them.

If this policy is not configured or is enabled, users can choose to enable or disable either Connect to suggested open hotspots, or Connect to networks shared by my contacts.

Recommendation

Set this policy to Disabled.

Non Domain Network Connections

Category: Network and credentials

OS: Windows

Description

Verifies the local group policy Prohibit connection to non-domain networks when connected to domain authenticated network, located in Computer Configuration\Administrative Templates\Network\Windows Connection Manager.

This policy prevents computers from connecting to both a domain-based network and a non-domain based network at the same time.

If this policy is enabled, the computer responds to automatic and manual network connection attempts based on the following circumstances:

  • Automatic connection attempts:

    • When the computer is already connected to a domain based network, all automatic connection attempts to non-domain networks are blocked.

    • When the computer is already connected to a non-domain based network, automatic connection attempts to domain-based networks are blocked.

  • Manual connection attempts:

    • When the computer is already connected to either a non-domain based network or a domain based network over media other than Ethernet, and a user attempts to create a manual connection to an additional network in violation of this policy setting, the existing network connection is disconnected and the manual connection is allowed.

    • When the computer is already connected to either a non-domain based network or a domain based network over Ethernet, and a user attempts to create a manual connection to an additional network in violation of this policy setting, the existing Ethernet connection is maintained and the manual connection attempt is blocked.

If this policy is not configured or is disabled, computers are allowed to connect simultaneously to both domain and non-domain networks.

Recommendation

Set this policy to Enabled.

Credential Delegation

Category: Network and credentials

OS: Windows

Description

Verifies the local group policy Remote host allows delegation of non-exportable credentials, located in Computer Configuration\Administrative Templates\System\Credentials Delegation.

When using credential delegation, devices provide an exportable version of credentials to the remote host. This exposes users to the risk of credential theft from attackers on the remote host.

  • If you enable this policy setting, the host supports Restricted Admin or Remote Credential Guard mode.

  • If you disable or do not configure this policy setting, Restricted Administration and Remote Credential Guard modes are not supported. Users will always need to pass their credentials to the host.

Recommendation

Set this policy to Enabled.

Virtualization Based Security

Category: OS security

OS: Windows

Description

Verifies the local group policy Turn On Virtualization Based Security, located in Computer Configuration\Administrative Templates\System\Device Guard. Specifies whether Virtualization Based Security is enabled.

Virtualization Based Security uses the Windows Hypervisor to provide support for security services.

Virtualization Based Security requires Secure Boot and can optionally be enabled together with DMA protection.

Recommendation

Set this policy to Enabled with the following options:

  • Select Platform Security Level: SecureBoot and DMA Protection

  • Virtualization Based Protection of Code Integrity: Enabled with lock

  • Credential Guard Configuration: Enabled with lock
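A configured policy is not the same as an active protection, so the VBS entry above deserves two checks. The following added example (not code from this page or the product it documents) compares the Device Guard policy values with the three recommended options and then asks the Win32_DeviceGuard CIM class what is actually running. The registry value names, their option encodings and the CIM class are standard Windows; the wrapper functions are this example's own.

```powershell
# Added example (not from the original page). Policy values versus runtime state for
# Virtualization Based Security, HVCI (code integrity) and Credential Guard.

function Get-VbsPolicyState {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
    $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $checks = @(
        # value name, expected value, what the expected value means in the policy editor
        @('EnableVirtualizationBasedSecurity', 1, 'Turn On Virtualization Based Security: Enabled')
        @('RequirePlatformSecurityFeatures',   3, 'Platform Security Level: Secure Boot and DMA Protection')
        @('HypervisorEnforcedCodeIntegrity',   1, 'Protection of Code Integrity: Enabled with UEFI lock')
        @('LsaCfgFlags',                       1, 'Credential Guard: Enabled with UEFI lock')
    )
    foreach ($c in $checks) {
        $actual = if ($p) { $p.($c[0]) } else { $null }
        [pscustomobject]@{
            Value    = $c[0]
            Actual   = if ($null -eq $actual) { 'absent' } else { $actual }
            Expected = $c[1]
            Meaning  = $c[2]
            Status   = if ($actual -eq $c[1]) { 'Pass' } else { 'Fail' }
        }
    }
}

function Get-VbsRuntimeState {
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity)
    # RequiredSecurityProperties: 1 = base VBS, 2 = Secure Boot, 3 = DMA protection
    [pscustomobject]@{
        VbsStatus              = @('Off', 'Enabled, not running', 'Running')[$dg.VirtualizationBasedSecurityStatus]
        CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)
        HvciRunning            = ($dg.SecurityServicesRunning -contains 2)
        RequiredProperties     = ($dg.RequiredSecurityProperties -join ',')
    }
}

Get-VbsPolicyState | Format-Table -AutoSize
Get-VbsRuntimeState
```

A machine can show all four policy values as Pass while VbsStatus reads "Enabled, not running", typically because Secure Boot is off or the hardware lacks the required virtualization features; the runtime object is what confirms the protection is in force.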

Device Installation by ID

Category: OS security

OS: Windows

Description

Verifies the local group policy Prevent installation of devices that match any of these device IDs, located in Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions.

This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing.

This policy setting takes precedence over any other policy setting that allows Windows to install a device.

  • If you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in the list you create.

  • If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.

  • If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.

Recommendation

Set this policy to Enabled, and select the following options:

  • Prevent installation of devices that match any of these device IDs: PCI\CC_0C0A

  • Also apply to matching devices that are already installed.

Device Installation by Setup Class

Category: OS security

OS: Windows

Description

Verifies the local group policy Prevent installation of devices using drivers that match these device setup classes, located in Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions.

This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing.

This policy setting takes precedence over any other policy setting that allows Windows to install a device.

  • If you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create.

  • If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.

  • If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings.

Recommendation

Set this policy to Enabled, and select the following options:

  • Prevent installation of devices using drivers for these device setup classes: {d48179be-ec20-11d1-b6b8-00c04fa372a7}. This is the setup class for SBP-2 (IEEE 1394/FireWire storage) devices, whose DMA access is a long-known way of reading memory from a running, locked system.

  • Also apply to matching devices that are already installed.
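The script below is an added example, not the page's or the vendor's own code; it serves both the Device Installation by ID and the Device Installation by Setup Class checks. It verifies the two deny-list policies and then enumerates devices present right now that the recommended lists would affect, which is what you want to know before switching on "Also apply to matching devices that are already installed". It assumes the registry layout written by the DeviceInstallation.admx template, where each deny list is stored as values named "1", "2", ... under a subkey named after the enabling value.

```powershell
# Added example (not the page's or vendor's code): verify both Device Installation
# Restrictions policies and list present devices that the recommended lists match.
# Assumption: registry layout as written by DeviceInstallation.admx.

$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-DenyList {
    param([string]$SubKey)   # 'DenyDeviceIDs' or 'DenyDeviceClasses'
    $key = Get-ItemProperty -Path "$Base\$SubKey" -ErrorAction SilentlyContinue
    if (-not $key) { return @() }
    @($key.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value })
}

function Test-DeviceInstallRestrictions {
    $r = Get-ItemProperty -Path $Base -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DenyDeviceIDsEnabled         = ($r.DenyDeviceIDs -eq 1)
        DenyDeviceIDsRetroactive     = ($r.DenyDeviceIDsRetroactive -eq 1)      # "already installed" option
        DeniedIDs                    = (Get-DenyList 'DenyDeviceIDs') -join ', '
        DenyDeviceClassesEnabled     = ($r.DenyDeviceClasses -eq 1)
        DenyDeviceClassesRetroactive = ($r.DenyDeviceClassesRetroactive -eq 1)
        DeniedClasses                = (Get-DenyList 'DenyDeviceClasses') -join ', '
    }
}

function Get-AffectedDevices {
    # Devices whose hardware or compatible IDs start with a denied ID, or whose
    # setup class GUID is denied (e.g. a docking station's Thunderbolt controller).
    param(
        [string[]]$Ids        = @('PCI\CC_0C0A'),                              # page's recommended ID
        [string[]]$ClassGuids = @('{d48179be-ec20-11d1-b6b8-00c04fa372a7}')   # page's recommended class
    )
    Get-PnpDevice -PresentOnly | Where-Object {
        $dev    = $_
        $allIds = @(@($dev.HardwareID) + @($dev.CompatibleID) | Where-Object { $_ })
        $idHit  = $false
        foreach ($pattern in $Ids) {
            foreach ($id in $allIds) {
                if ($id -like "$pattern*") { $idHit = $true }
            }
        }
        $idHit -or ($ClassGuids -contains $dev.ClassGuid)
    } | Select-Object FriendlyName, Class, ClassGuid, InstanceId, Status
}

Test-DeviceInstallRestrictions | Format-List
Get-AffectedDevices | Format-Table -AutoSize
```

Matching on the compatible ID prefix is what makes a bare class code such as PCI\CC_0C0A work: a controller's compatible IDs include entries like PCI\CC_0C0A00 and PCI\CC_0C0A, so the prefix test catches every vendor's implementation of that class.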

Boot-Start Driver

Category: OS security

OS: Windows

Description

Verifies the local group policy Boot-Start Driver Initialization Policy, located in Computer Configuration\Administrative Templates\System\Early Launch Antimalware.

This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver.

The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver:

  • Good: The driver has been signed and has not been tampered with.

  • Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized.

  • Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver.

  • Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver.

If you enable this policy, you will be able to choose which boot-start drivers to initialize the next time the computer is started.

Note

If you disable or do not configure this policy setting, the boot-start drivers determined to be Good, Unknown or Bad but boot critical are initialized, and the initialization of drivers determined to be Bad is skipped.

If your malware detection application does not include an Early Launch Antimalware boot-start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized.

Recommendation

Set this policy to Enabled > Good, unknown and bad but critical. This matches the behaviour when the policy is not configured; setting it explicitly prevents the selection from being changed to All, which would initialize drivers the ELAM driver has classified as malware.

Anti-Spoofing

Category: OS security

OS: Windows

Description

Verifies the local group policy Configure enhanced anti-spoofing, located in Computer Configuration\Administrative Templates\Windows Components\Biometrics\Facial Features.

This policy setting determines whether enhanced anti-spoofing is required for Windows Hello face authentication.

  • If you enable this setting, Windows requires all users on managed devices to use enhanced anti-spoofing for Windows Hello face authentication.

    This disables Windows Hello face authentication on devices that do not support enhanced anti-spoofing.

  • If you disable or do not configure this setting, Windows does not require enhanced anti-spoofing for Windows Hello face authentication.

Recommendation

Set this policy to Enabled.

Minimum Startup PIN

Category: OS security

OS: Windows

Description

Verifies the local group policy Configure minimum PIN length for startup, located in Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives.

This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN.

This policy setting is applied when you turn on BitLocker.

The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits; the policy sets the lower bound within that range.

  • If you enable this policy setting, you can require a minimum number of digits to be used when setting the startup PIN.

  • If you disable or do not configure this policy setting, users can configure a startup PIN of any length between 6 and 20 digits (6 is the default minimum; the policy can lower it to 4 or raise it).

Recommendation

Set this policy to Enabled > Minimum characters: 7. The policy only sets a floor for PINs created after it applies, and it does not by itself make BitLocker use a TPM+PIN protector; that is governed by Require additional authentication at startup in the same folder.
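The check below is an added example, not the page's or the vendor's own code. It reads the configured minimum and, separately, whether the operating system drive actually has a TPM+PIN protector, since a compliant policy value on a drive protected by TPM only gives no pre-boot authentication at all. It assumes the policy writes MinimumPIN under HKLM\SOFTWARE\Policies\Microsoft\FVE, as the VolumeEncryption.admx template does, and that the BitLocker module's KeyProtectorType names are TpmPin and TpmPinStartupKey.

```powershell
# Added example (not the page's or vendor's code): minimum startup PIN policy vs.
# the protector actually in use on the OS drive. Assumption: MinimumPIN lives under
# HKLM\SOFTWARE\Policies\Microsoft\FVE (VolumeEncryption.admx).

function Test-BitLockerStartupPin {
    param([int]$RequiredMinimum = 7)   # the page's recommended value

    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -Name MinimumPIN -ErrorAction SilentlyContinue
    $configuredMinimum = if ($policy) { [int]$policy.MinimumPIN } else { $null }

    # Get-BitLockerVolume needs an elevated session.
    $osVolume       = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $protectorTypes = @($osVolume.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    $usesPin        = ($protectorTypes -contains 'TpmPin') -or ($protectorTypes -contains 'TpmPinStartupKey')

    [pscustomobject]@{
        Volume           = $osVolume.MountPoint
        ProtectionStatus = [string]$osVolume.ProtectionStatus   # On / Off
        KeyProtectors    = $protectorTypes -join ', '
        UsesTpmPin       = $usesPin
        PolicyMinimumPin = $configuredMinimum
        PolicyCompliant  = ($null -ne $configuredMinimum -and $configuredMinimum -ge $RequiredMinimum)
        # Only meaningful when both hold: a long minimum protects nothing if no PIN is required.
        Effective        = ($usesPin -and $null -ne $configuredMinimum -and $configuredMinimum -ge $RequiredMinimum)
    }
}

Test-BitLockerStartupPin | Format-List
```

The Effective column is the one to report on: PolicyCompliant alone is satisfied by a drive that boots with TPM-only protection, which is exactly the configuration that cold-boot and DMA attacks target.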

Explorer Data Execution Prevention

Category: OS security

OS: Windows

Description

Verifies the local group policy Turn off Data Execution Prevention for Explorer, located in Computer Configuration\Administrative Templates\Windows Components\File Explorer.

Disabling data execution prevention can allow certain legacy plug-in applications to function without terminating Explorer, but it also removes a memory-safety mitigation from the process: with DEP on, the processor refuses to execute code from pages marked as data, which stops a memory-corruption bug in a shell extension or plug-in from turning directly into code execution inside Explorer. Fix or replace plug-ins that need DEP off rather than turning it off for the whole shell.

Recommendation

Set this policy to Disabled (this is a "Turn off" setting, so Disabled keeps DEP on for Explorer).

Heap Termination on Corruption

Category: OS security

OS: Windows

Description

Verifies the local group policy Turn off heap termination on corruption, located in Computer Configuration\Administrative Templates\Windows Components\File Explorer. Heap termination on corruption ends the process as soon as the heap manager detects corrupted heap metadata, instead of continuing in a corrupted state that an attacker could steer toward code execution. Disabling it can allow certain legacy plug-in applications to function without terminating Explorer immediately, although Explorer may still terminate unexpectedly later.

Recommendation

Set this policy to Disabled (this is a "Turn off" setting, so Disabled keeps heap termination on).
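The script below is an added example, not the page's or the vendor's own code; it covers both the Explorer Data Execution Prevention and the Heap Termination on Corruption checks. It reads the two "Turn off" policy values and then asks the running explorer.exe which mitigations it actually has, since the policy only states what Explorer requests. It assumes the value names written by the WindowsExplorer.admx template (NoDataExecutionPrevention and NoHeapTerminationOnCorruption) and that Get-ProcessMitigation (Windows 10 version 1709 or later) exposes the DEP and ASLR state as Dep.Enable and Aslr.BottomUp.

```powershell
# Added example (not the page's or vendor's code): File Explorer mitigation policies
# and the live state of explorer.exe. Assumptions: WindowsExplorer.admx value names;
# Get-ProcessMitigation property names Dep.Enable and Aslr.BottomUp.

$ExplorerPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer'

function Test-ExplorerMitigationPolicy {
    $p = Get-ItemProperty -Path $ExplorerPolicy -ErrorAction SilentlyContinue
    # Both are "Turn off ..." policies: a value of 1 means the mitigation is disabled.
    $depOff  = ($p.NoDataExecutionPrevention -eq 1)
    $heapOff = ($p.NoHeapTerminationOnCorruption -eq 1)
    [pscustomobject]@{
        DepDisabledByPolicy             = $depOff
        HeapTerminationDisabledByPolicy = $heapOff
        Compliant                       = (-not $depOff -and -not $heapOff)
    }
}

function Get-ExplorerRuntimeMitigations {
    # The policy decides what Explorer asks for; the process tells you what it got.
    $proc = Get-Process -Name explorer -ErrorAction Stop | Select-Object -First 1
    $m = Get-ProcessMitigation -Id $proc.Id
    [pscustomobject]@{
        ProcessId    = $proc.Id
        DepEnabled   = [string]$m.Dep.Enable
        AslrBottomUp = [string]$m.Aslr.BottomUp
    }
}

Test-ExplorerMitigationPolicy | Format-List
Get-ExplorerRuntimeMitigations | Format-List
```

A policy-compliant host whose explorer.exe still reports DEP off points at a local override (for example a per-program exclusion set in Exploit protection), which is the reason the page also recommends preventing users from modifying those settings.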

Password Manager

Category: Network and credentials

OS: Windows

Description

Verifies the local group policy Configure Password Manager, located in Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge.

This policy setting lets you decide whether employees can save their passwords locally, using Password Manager.

By default, Password Manager is turned on.

  • If you enable this setting, employees can use Password Manager to save their passwords locally.

  • If you disable this setting, employees cannot use Password Manager to save their passwords locally.

  • If you don't configure this setting, employees can choose whether to use Password Manager to save their passwords locally.

Recommendation

Set this policy to Disabled.

Save Passwords from RDC

Category: Network and credentials

OS: Windows

Description

Verifies the local group policy Do not allow passwords to be saved, located in Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client.

This policy controls whether passwords can be saved on this computer from Remote Desktop Connection.

  • If you enable this setting, the password saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords.

When a user opens an RDP file using Remote Desktop Connection and saves their settings, any password that previously existed in the RDP file will be deleted.

Recommendation

Set this policy to Enabled.

Drive Redirection

Category: OS security

OS: Windows

Description

Verifies the local group policy Do not allow drive redirection, located in Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection.

This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection).

By default, an RD Session Host server maps client drives automatically upon connection.

Mapped drives appear in the session folder tree in File Explorer or Computer in the format <driveletter> on <computername>. You can use this policy setting to override this behavior.

  • If you enable this policy setting, client drive redirection is not allowed in Remote Desktop Services sessions, and Clipboard file copy redirection is not allowed on computers running Windows Server 2003, Windows 8, and Windows XP.

Recommendation

Set this policy to Enabled.

RDS Password Prompt

Category: Network and credentials

OS: Windows

Description

Verifies the local group policy Always prompt for password upon connection, located in Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security.

This policy setting specifies whether Remote Desktop Services always prompts the client for a password upon connection.

You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client.

By default, Remote Desktop Services allows users to automatically log on by entering a password in the Remote Desktop Connection client.

  • If you enable this policy setting, users cannot automatically log on to Remote Desktop Services by supplying their passwords in the Remote Desktop Connection client. They are prompted for a password to log on.

Recommendation

Set this policy to Enabled.

Secure RPC Communication

Category: Network and credentials

OS: Windows

Description

Verifies the local group policy Require secure RPC communication, located in Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security.

Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication.

You can use this setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests.

  • If the status is set to Enabled, Remote Desktop Services accepts requests from RPC clients that support secure requests, and does not allow unsecured communication with untrusted clients.

Recommendation

Set this policy to Enabled.

Client Encryption Level

Category: Network and credentials

OS: Windows

Description

Verifies the local group policy Set client connection encryption level, located in Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security.

Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections.

This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended.

This policy does not apply to SSL encryption.

  • If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the encryption method specified in this setting.

By default, the encryption level is set to High Level (the recommended option). This setting encrypts data sent from the client to the server and from the server to the client by using strong 128-bit encryption.

Use this encryption level in environments that contain only 128-bit clients (for example, clients that run Remote Desktop Connection).

Clients that do not support this encryption level cannot connect to RD Session Host servers.

Recommendation

Set this policy to Enabled > High Level. This only constrains the legacy RDP security layer, which uses RC4 even at High Level; also set Require use of specific security layer for remote (RDP) connections to SSL and require Network Level Authentication (both in the same Security folder), so that sessions are protected by TLS and this setting stops being what keeps them safe.
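The script below is an added example, not the page's or the vendor's own code; it serves the Save Passwords from RDC, Drive Redirection, RDS Password Prompt, Secure RPC Communication and Client Encryption Level checks together. It audits the five policy values and then reads the security layer the RDP-Tcp listener actually uses, which decides whether the encryption level setting is in effect at all. It assumes the value names written by the TerminalServer.admx template and the documented encodings of the Win32_TSGeneralSetting class (SecurityLayer 0 = RDP, 1 = Negotiate, 2 = SSL/TLS; MinEncryptionLevel 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS Compliant).

```powershell
# Added example (not the page's or vendor's code): Remote Desktop policy audit plus
# the listener's effective transport. Assumptions: TerminalServer.admx value names;
# Win32_TSGeneralSetting encodings as listed in the comments.

$TsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

$Checks = @(
    @{ Policy = 'Do not allow passwords to be saved';         Value = 'DisablePasswordSaving'; Expected = 1 }
    @{ Policy = 'Do not allow drive redirection';             Value = 'fDisableCdm';           Expected = 1 }
    @{ Policy = 'Always prompt for password upon connection'; Value = 'fPromptForPassword';    Expected = 1 }
    @{ Policy = 'Require secure RPC communication';           Value = 'fEncryptRPCTraffic';    Expected = 1 }
    @{ Policy = 'Set client connection encryption level';     Value = 'MinEncryptionLevel';    Expected = 3 }  # 3 = High Level
)

function Test-RdsPolicy {
    $p = Get-ItemProperty -Path $TsPolicy -ErrorAction SilentlyContinue
    foreach ($c in $Checks) {
        $actual = if ($p) { $p.($c.Value) } else { $null }
        [pscustomobject]@{
            Policy    = $c.Policy
            Value     = $c.Value
            Expected  = $c.Expected
            Actual    = $actual
            Compliant = ($actual -eq $c.Expected)
        }
    }
}

function Get-RdpListenerTransport {
    # Requires an elevated session; reads the live RDP-Tcp listener configuration.
    $ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $layer = switch ([int]$ts.SecurityLayer) {
        0 { 'RDP (legacy, RC4)' } 1 { 'Negotiate' } 2 { 'SSL/TLS' } default { "Unknown ($_)" }
    }
    $level = switch ([int]$ts.MinEncryptionLevel) {
        1 { 'Low' } 2 { 'Client Compatible' } 3 { 'High' } 4 { 'FIPS Compliant' } default { "Unknown ($_)" }
    }
    [pscustomobject]@{
        SecurityLayer              = $layer
        MinEncryptionLevel         = $level
        NetworkLevelAuthentication = ([int]$ts.UserAuthenticationRequired -eq 1)
        # High Level only matters on the legacy layer; Negotiate can still fall back to it.
        EncryptionLevelApplies     = ([int]$ts.SecurityLayer -ne 2)
    }
}

Test-RdsPolicy | Format-Table -AutoSize
Get-RdpListenerTransport | Format-List
```

The target state is all five rows compliant, SecurityLayer of SSL/TLS and NetworkLevelAuthentication true; in that state EncryptionLevelApplies is false, which is the point made in the description: the TLS cipher suite, not the RDP encryption level, protects the session.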

Download Enclosures

Category: OS security

OS: Windows

Description

Verifies the local group policy Prevent downloading of enclosures, located in Computer Configuration\Administrative Templates\Windows Components\RSS Feeds.

This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's computer.

  • If you enable this policy setting, the user cannot set the Feed Sync Engine to download an enclosure through the Feed property page. A developer cannot change the download setting through the Feed APIs.

Recommendation

Set this policy to Enabled.

Indexing Encrypted Files

Category: OS security

OS: Windows

Description

Verifies the local group policy Allow indexing of encrypted files, located in Computer Configuration\Administrative Templates\Windows Components\Search.

This policy setting allows encrypted items to be indexed.

  • If you enable this policy setting, indexing will attempt to decrypt and index the content (access restrictions will still apply).

  • If you disable this policy setting, the search service components (including non-Microsoft components) are expected not to index encrypted items or encrypted stores.

  • If you do not configure this policy setting, the local setting, configured through Control Panel, will be used. This policy setting is not configured by default.

By default, the Control Panel setting is set to not index encrypted content. When this setting is enabled or disabled, the index is rebuilt completely.

Full volume encryption (such as BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of the index to maintain security for encrypted files.

Recommendation

Set this policy to Disabled.

Modify Exploit Protection Settings

Category: OS security

OS: Windows

Description

Verifies the local group policy Prevent users from modifying settings, located in Computer Configuration\Administrative Templates\Windows Components\Windows Defender Security Center\App and browser protection or in Computer Configuration\Administrative Templates\Windows Components\Windows Security\App and browser protection (according to the Windows version).

This policy setting allows preventing users from making changes to the Exploit protection settings area in the Windows Defender Security Center.

Recommendation

Set this policy to Enabled.

Game Recording and Broadcasting

Category: OS security

OS: Windows

Description

Verifies the local group policy Enables or disables Windows Game Recording and Broadcasting, located in Computer Configuration\Administrative Templates\Windows Components\Windows Game Recording and Broadcasting.

This setting enables or disables the Windows Game Recording and Broadcasting features.

Recommendation

Set this policy to Disabled.

Windows Ink Workspace

Category: OS security

OS: Windows

Description

Verifies the local group policy Allow Windows Ink Workspace, located in Computer Configuration\Administrative Templates\Windows Components\Windows Ink Workspace.

This setting is supported from Windows 10 version 1607 (Redstone 1). It controls whether Windows Ink Workspace is available and whether it can be opened from the lock screen. The option On, but disallow access above lock keeps the workspace available after sign-in but removes it from the lock screen, so that its apps cannot be launched from a locked session.

Recommendation

Set this policy to Enabled > On, but disallow access above lock.

User Control Over Installs

Category: OS security

OS: Windows

Description

Verifies the local group policy Allow user control over installs, located in Computer Configuration\Administrative Templates\Windows Components\Windows Installer.

This policy permits users to change installation options that typically are available only to system administrators.

  • If you enable this policy setting, some of the security features of Windows Installer are bypassed. It permits installations to complete that otherwise would be halted due to a security violation.

    This policy setting is designed for less restrictive environments. It can be used to circumvent errors in an installation program that prevents software from being installed.

Recommendation

Set this policy to Disabled.

Install with Elevated Privileges

Category: OS security

OS: Windows

Description

Verifies the local group policy Always install with elevated privileges, located in Computer Configuration\Administrative Templates\Windows Components\Windows Installer.

This policy setting directs Windows Installer to use elevated permissions when it installs any program on the system.

  • If you enable this policy setting, privileges are extended to all programs. These privileges are usually reserved for programs that have been assigned to the user (offered on the desktop), assigned to the computer (installed automatically), or made available in Add or Remove Programs in Control Panel.

    This profile setting lets users install programs that require access to directories that the user might not have permission to view or change, including directories on highly restricted computers.

Note

This policy setting appears both in the Computer Configuration and User Configuration folders. To make this policy setting effective, you must enable it in both folders.

Warning

Skilled users can take advantage of the permissions this policy setting grants to change their privileges and gain permanent access to restricted files and folders. In practice, any user who can run an MSI gets SYSTEM-level installation actions, which is a well-known local privilege-escalation path.

The User Configuration version of this policy setting is not guaranteed to be secure.

Recommendation

Set this policy to Disabled.

Auto Sign-in After Restart

Category: OS security

OS: Windows

Description

Verifies the local group policy Sign-in last interactive user automatically after a system-initiated restart, located in Computer Configuration\Administrative Templates\Windows Components\Windows Logon Options.

This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system.

  • If you enable or do not configure this policy setting, the device securely saves the user's credentials (including the user name, domain and encrypted password) to configure automatic sign-in after a Windows Update restart.

    After the Windows Update restart, the user is automatically signed-in and the session is automatically locked with all the lock screen apps configured for that user.

  • If you disable this policy setting, the device does not store the user's credentials for automatic sign-in after a Windows Update restart. The users' lock screen apps are not restarted after the system restarts.

Recommendation

Set this policy to Disabled.

PowerShell Script Block Logging

Category: OS security

OS: Windows

Description

Verifies the local group policy Turn on PowerShell Script Block Logging, located in Computer Configuration\Administrative Templates\Windows Components\Windows PowerShell.

This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log (event ID 4104).

  • If you enable this policy setting, Windows PowerShell will log the processing of commands, script blocks, functions, and scripts - whether invoked interactively, or through automation.

  • If you disable this policy setting, logging of PowerShell script input is disabled.

Note

This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting.

Recommendation

Set this policy to Enabled. Leave Log script block invocation start / stop events unchecked (events 4105 and 4106 add volume without much detection value), and raise the maximum size of the Microsoft-Windows-PowerShell/Operational log from its 15 MB default, or forward it to a collector, otherwise script blocks on a busy host roll over before anyone looks at them.
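The script below is an added example, not the page's or the vendor's own code. It confirms the policy is in force and then does what detection logic on this log has to do: a large script block is split across several 4104 events sharing a ScriptBlockId, so the fragments are joined back together before matching. It assumes the value name EnableScriptBlockLogging under the ScriptBlockLogging policy key (PowerShellExecutionPolicy.admx), the 4104 property order MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path, and a pattern list that is this example's own choice, not anything from the page.

```powershell
# Added example (not the page's or vendor's code): policy check, 4104 reassembly and a
# first-pass triage of suspicious script blocks. Assumptions: PowerShellExecutionPolicy.admx
# value name; 4104 property order MessageNumber, MessageTotal, ScriptBlockText,
# ScriptBlockId, Path; pattern list is illustrative.

$LogName   = 'Microsoft-Windows-PowerShell/Operational'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'

function Test-ScriptBlockLoggingPolicy {
    $p   = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $log = Get-WinEvent -ListLog $LogName
    [pscustomobject]@{
        Enabled         = ($p.EnableScriptBlockLogging -eq 1)
        LogMaxSizeMB    = [math]::Round($log.MaximumSizeInBytes / 1MB)
        LogSizeAdequate = ($log.MaximumSizeInBytes -ge 256MB)   # 15 MB default is far too small
    }
}

function Get-ReassembledScriptBlocks {
    param([int]$MaxEvents = 5000)
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 4104 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue)
    $events | Group-Object { $_.Properties[3].Value } | ForEach-Object {
        $parts = @($_.Group | Sort-Object { [int]$_.Properties[0].Value })
        $total = [int]$parts[0].Properties[1].Value
        [pscustomobject]@{
            ScriptBlockId = $_.Name
            FirstSeen     = $parts[0].TimeCreated
            Path          = $parts[0].Properties[4].Value    # empty for interactive or in-memory code
            Fragments     = "$($parts.Count)/$total"
            Complete      = ($parts.Count -eq $total)        # false if some fragments already rolled over
            Text          = -join ($parts | ForEach-Object { $_.Properties[2].Value })
        }
    }
}

# Strings that commonly appear in download cradles, in-memory loaders and AMSI bypasses.
$SuspiciousPatterns = @(
    'FromBase64String', '-EncodedCommand', '-enc ', 'DownloadString', 'DownloadFile',
    'Invoke-Expression', 'IEX', 'Net.WebClient', 'Reflection.Assembly', 'VirtualAlloc',
    'AmsiUtils', 'amsiInitFailed', 'Invoke-Mimikatz'
)

function Find-SuspiciousScriptBlocks {
    Get-ReassembledScriptBlocks | ForEach-Object {
        $block = $_
        $hits  = @($SuspiciousPatterns | Where-Object { $block.Text -like "*$_*" })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                FirstSeen = $block.FirstSeen
                Path      = $block.Path
                Complete  = $block.Complete
                Matches   = $hits -join ', '
                Preview   = $block.Text.Substring(0, [math]::Min(120, $block.Text.Length))
            }
        }
    }
}

Test-ScriptBlockLoggingPolicy | Format-List
Find-SuspiciousScriptBlocks | Sort-Object FirstSeen -Descending | Format-Table -AutoSize
```

Two things to expect when you run it. First, the script flags itself, because its own pattern list is now in the log; that is a convenient proof that logging is working. Second, each layer of obfuscation becomes its own script block when it executes, so the decoded payload of a base64 cradle appears as a separate 4104 event in plain text, which is what makes this log worth the disk space.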

WinRM Client Basic Authentication

Category: OS security

OS: Windows

Description

Verifies the local group policy Allow Basic authentication, located in Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Client.

This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication.

  • If you enable this policy setting, the WinRM client uses Basic authentication. If you disable or do not configure it, the WinRM client does not use Basic authentication.

  • With Basic authentication the user name and password travel inside the request itself; if WinRM is configured to use HTTP transport they cross the network as clear text, and even over HTTPS the remote endpoint receives the plaintext password.

Recommendation

Set this policy to Disabled.

WinRM Client Unencrypted Traffic

Category: OS security

OS: Windows

Description

Verifies the local group policy Allow unencrypted traffic, located in Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Client.

This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network.

  • If you disable or do not configure this policy setting, the WinRM client sends or receives only encrypted messages over the network.

Recommendation

Set this policy to Disabled.

WinRM Client Digest Authentication

Category: OS security

OS: Windows

Description

Verifies the local group policy Disallow Digest authentication, located in Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Client.

This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Digest authentication.

  • If you enable this policy setting, the WinRM client does not use Digest authentication.

Recommendation

Set this policy to Enabled.

WinRM Service Basic Authentication

Category: OS security

OS: Windows

Description

Verifies the local group policy Allow Basic authentication, located in Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service.

This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client.

  • If you disable or do not configure this policy setting, the WinRM service does not accept Basic authentication from a remote client.

Recommendation

Set this policy to Disabled.

WinRM Service Unencrypted Traffic

Category: OS security

OS: Windows

Description

Verifies the local group policy Allow unencrypted traffic, located in Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service.

This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network.

  • If you disable or do not configure this policy setting, the WinRM service sends or receives only encrypted messages over the network.

Recommendation

Set this policy to Disabled.

WinRM Service RunAs Credentials

Category: OS security

OS: Windows

Description

Verifies the local group policy Disallow WinRM from storing RunAs credentials, located in Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service.

This policy setting allows you to manage whether the Windows Remote Management (WinRM) service allows RunAs credentials to be stored for plug-ins. A stored RunAs password sits in the local credential store, and every caller permitted to use the plug-in runs as that account rather than as themselves.

  • If you enable this policy setting, the WinRM service will not allow the RunAsUser or RunAsPassword configuration values to be set for any plug-ins.

  • If a plug-in has already set the RunAsUser and RunAsPassword configuration values, the RunAsPassword configuration value will be erased from the credential store on this computer.

Recommendation

Set this policy to Enabled.
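The script below is an added example, not the page's or the vendor's own code; it serves all six WinRM checks above. Rather than reading only the policy keys, it reads the effective client and service settings from the WSMan: drive, whose SourceOfValue column shows whether Group Policy is enforcing each value, and it lists plug-ins (session configurations) that have a RunAs account configured. It assumes the WSMan provider's item paths, the DisableRunAs value under HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service (WindowsRemoteManagement.admx), and that the WinRM service is running, since the WSMan: drive talks to it.

```powershell
# Added example (not the page's or vendor's code): effective WinRM client/service
# settings with their source, plus RunAs plug-in detection. Assumptions: WSMan
# provider paths; WindowsRemoteManagement.admx value name DisableRunAs.

$Checks = @(
    @{ Policy = 'WinRM Client: Allow Basic authentication';     Path = 'WSMan:\localhost\Client\Auth\Basic';        Expected = 'false' }
    @{ Policy = 'WinRM Client: Allow unencrypted traffic';      Path = 'WSMan:\localhost\Client\AllowUnencrypted';  Expected = 'false' }
    @{ Policy = 'WinRM Client: Disallow Digest authentication'; Path = 'WSMan:\localhost\Client\Auth\Digest';       Expected = 'false' }
    @{ Policy = 'WinRM Service: Allow Basic authentication';    Path = 'WSMan:\localhost\Service\Auth\Basic';       Expected = 'false' }
    @{ Policy = 'WinRM Service: Allow unencrypted traffic';     Path = 'WSMan:\localhost\Service\AllowUnencrypted'; Expected = 'false' }
)

function Test-WinRmEffectiveSettings {
    foreach ($c in $Checks) {
        $item = Get-Item -Path $c.Path -ErrorAction Stop
        [pscustomobject]@{
            Policy    = $c.Policy
            Value     = $item.Value
            Source    = $item.SourceOfValue     # 'GPO' when Group Policy enforces it, otherwise blank
            Compliant = ($item.Value -eq $c.Expected)
        }
    }
}

function Get-WinRmRunAsPlugins {
    # "Disallow WinRM from storing RunAs credentials" should leave this list empty.
    Get-ChildItem -Path 'WSMan:\localhost\Plugin' | ForEach-Object {
        $user = (Get-Item -Path "WSMan:\localhost\Plugin\$($_.Name)\RunAsUser" -ErrorAction SilentlyContinue).Value
        if ($user) { [pscustomobject]@{ Plugin = $_.Name; RunAsUser = $user } }
    }
}

function Test-WinRmRunAsPolicy {
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DisableRunAsEnforced = ($p.DisableRunAs -eq 1)
        PluginsWithRunAs     = @(Get-WinRmRunAsPlugins).Count
    }
}

Test-WinRmEffectiveSettings | Format-Table -AutoSize
Test-WinRmRunAsPolicy | Format-List
Get-WinRmRunAsPlugins | Format-Table -AutoSize
```

A row that is compliant but whose Source is blank was set locally and can be flipped back by any administrator with `winrm set`; the recommendation is to see GPO in every row. Treat any entry from Get-WinRmRunAsPlugins as a finding to explain, since that account's password is held on the host for the plug-in to use.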

Install ActiveX

Category: Browser security

OS: Windows

Description

Verifies the local group policy Prevent per-user installation of ActiveX controls, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer.

This policy setting allows you to prevent the installation of ActiveX controls on a per-user basis.

  • If you enable this policy setting, ActiveX controls cannot be installed on a per-user basis.

Recommendation

Set this policy to Enabled.

Security Zones Add / Delete Sites

Category: Browser security

OS: Windows

Description

Verifies the local group policy Security Zones: Do not allow users to add/delete sites, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer.

It prevents users from adding or removing sites from security zones. A security zone is a group of Web sites with the same security level.

  • If you enable this policy, the site management settings for security zones are disabled. (To see the site management settings for security zones, in the Internet Options dialog box, click the Security tab, and then click the Sites button.)

This policy prevents users from changing site management settings for security zones established by the administrator.

Note

The Disable the Security page policy (located in User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from the interface, takes precedence over this policy.

If it is enabled, this policy is ignored.

Also, see the Security zones: Use only machine settings policy.

Recommendation

Set this policy to Enabled.

Security Zones Change Policies

Category: Browser security

OS: Windows

Description

Verifies the local group policy Security Zones: Do not allow users to change policies, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer.

It prevents users from changing security zone settings. A security zone is a group of Web sites with the same security level.

  • If you enable this policy, the Custom Level button and security-level slider on the Security tab in the Internet Options dialog box are disabled.

Note

The Disable the Security page policy (located in User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from Internet Explorer in Control Panel, takes precedence over this policy.

If it is enabled, this policy is ignored.

Also, see the Security zones: Use only machine settings policy.

Recommendation

Set this policy to Enabled.

Security Zones Only Machine Settings

Category: Browser security

OS: Windows

Description

Verifies the local group policy Security Zones: Use only machine settings, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer.

Applies security zone information to all users of the same computer. A security zone is a group of Web sites with the same security level.

  • If you enable this policy, changes that the user makes to a security zone will apply to all users of that computer.

This policy is intended to ensure that security zone settings apply uniformly to the same computer and do not vary from user to user.

Also, see the Security zones: Do not allow users to change policies policy.

Recommendation

Set this policy to Enabled.

ActiveX Installer Service

Category: Browser security

OS: Windows

Description

Verifies the local group policy Specify use of ActiveX Installer Service for installation of ActiveX controls, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer.

This policy setting allows you to specify how ActiveX controls are installed.

  • If you enable this policy setting, ActiveX controls are installed only if the ActiveX Installer Service is present and has been configured to allow the installation of ActiveX controls.

Recommendation

Set this policy to Enabled.

Crash Detection

Category: Browser security

OS: Windows

Description

Verifies the local group policy Turn off Crash Detection, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer.

This policy setting allows you to manage the crash detection feature of add-on Management.

  • If you enable this policy setting, a crash in Internet Explorer will exhibit behavior found in Windows XP Professional Service Pack 1 and earlier, namely to invoke Windows Error Reporting.

    All policy settings for Windows Error Reporting continue to apply.

  • If you disable or do not configure this policy setting, the crash detection feature for add-on management will be functional.

Recommendation

Set this policy to Enabled.

Security Settings Check

Category: Browser security

OS: Windows

Description

Verifies the local group policy Turn off the Security Settings Check feature, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer.

This policy setting turns off the Security Settings Check feature, which checks Internet Explorer security settings to determine when the settings put Internet Explorer at risk.

  • If you disable or do not configure this policy setting, the feature is turned on.

Recommendation

Set this policy to Disabled.

Certificate Errors

Category: Browser security

OS: Windows

Description

Verifies the local group policy Prevent ignoring certificate errors, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel.

This policy setting prevents the user from ignoring Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate errors that interrupt browsing (such as "expired", "revoked", or "name mismatch" errors) in Internet Explorer.

  • If you enable this policy setting, the user cannot continue browsing.

  • If you disable or do not configure this policy setting, the user can choose to ignore certificate errors and continue browsing.

Recommendation

Set this policy to Enabled.

Run Software if Signature Invalid

Category: Browser security

OS: Windows

Description

Verifies the local group policy Allow software to run or install even if the signature is invalid, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page.

This policy setting allows you to manage whether software, such as ActiveX controls and file downloads, can be installed or run by the user even though the signature is invalid. An invalid signature might indicate that someone has tampered with the file.

  • If you enable this policy setting, users will be prompted to install or run files with an invalid signature.

  • If you disable this policy setting, users cannot run or install files with an invalid signature.

  • If you do not configure this policy, users can choose to run or install files with an invalid signature.

Recommendation

Set this policy to Disabled.

Server Certificate Revocation

Category: Browser security

OS: Windows

Description

Verifies the local group policy Check for server certificate revocation, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page.

This policy setting allows you to manage whether Internet Explorer will check revocation status of servers' certificates.

Certificates are revoked when they have been compromised or are no longer valid, and this option protects users from submitting confidential data to a site that may be fraudulent or not secure.

  • If you enable this policy setting, Internet Explorer will check to see if server certificates have been revoked.

Recommendation

Set this policy to Enabled.

Downloaded Programs Signatures

Category: Browser security

OS: Windows

Description

Verifies the local group policy Check for signatures on downloaded programs, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page.

This policy setting allows you to manage whether Internet Explorer checks for digital signatures (which identifies the publisher of signed software and verifies it has not been modified or tampered with) on user computers before downloading executable programs.

  • If you enable this policy setting, Internet Explorer will check the digital signatures of executable programs and display their identities before downloading them to user computers.

Recommendation

Set this policy to Enabled.

ActiveX Protected Mode

Category: Browser security

OS: Windows

Description

Verifies the local group policy Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page.

This policy setting prevents ActiveX controls from running in Protected Mode when Enhanced Protected Mode is enabled.

When a user has an ActiveX control installed that is not compatible with Enhanced Protected Mode and a website attempts to load the control, Internet Explorer notifies the user and offers to disable Enhanced Protected Mode for that particular website (running it in regular Protected Mode instead).

Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system.

  • If you enable this policy setting, Internet Explorer does not give the user the option to disable Enhanced Protected Mode: the notification is suppressed and all Protected Mode websites run in Enhanced Protected Mode.

Recommendation

Set this policy to Enabled.

Encryption Support

Category: Browser security

OS: Windows

Description

Verifies the local group policy Turn off encryption support, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page.

This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the browser and the target server.

When the browser attempts to set up a protected communication with the target server, the browser and server negotiate which protocol and version to use.

The browser and server attempt to match each other’s list of supported protocols and versions, and they select the most preferred match.

  • If you enable this policy setting, the browser negotiates or does not negotiate an encryption tunnel by using the encryption methods that you select from the drop-down list.

Recommendation

Set this policy to Enabled > Use TLS 1.1; Use TLS 1.2. Note that TLS 1.0 and TLS 1.1 were formally deprecated by RFC 8996 (2021); where every server the endpoint must reach supports TLS 1.2, select Use TLS 1.2 only, and never select SSL 2.0 or SSL 3.0.
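The policy above stores the selected protocols as a single bitmask, so an audit has to decode it rather than compare a string. The PowerShell below is an added example and is not code from the original page or from the product it documents; it assumes that the policy writes the DWORD value SecureProtocols under HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings and that the bit values listed are the ones WinINet uses (verify both against the inetres.admx template on your build).

```powershell
# Added example (not from the original page): decode the SecureProtocols bitmask written by
# "Turn off encryption support" and flag protocol versions that should not be offered.
# Assumption: value location and bit values as documented in inetres.admx / WinINet; verify
# against the ADMX shipped with your Windows build.

$ProtocolBits = [ordered]@{
    'SSL 2.0' = 0x8
    'SSL 3.0' = 0x20
    'TLS 1.0' = 0x80
    'TLS 1.1' = 0x200
    'TLS 1.2' = 0x800
    'TLS 1.3' = 0x2000
}
# Versions a practitioner does not want an Internet-facing endpoint to negotiate.
$WeakProtocols = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1')

function Get-SecureProtocolsPolicy {
    # Returns $null when the policy is Not Configured (the value is then user-controlled).
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    $item = Get-ItemProperty -Path $key -Name SecureProtocols -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.SecureProtocols
}

function Test-SecureProtocols {
    param([Nullable[int]]$Mask = (Get-SecureProtocolsPolicy))

    if ($null -eq $Mask) {
        return [pscustomobject]@{
            Configured = $false
            Enabled    = @()
            Findings   = @('SecureProtocols is not set by policy; users can re-enable SSL 3.0 / TLS 1.0 themselves')
        }
    }

    $m        = [int]$Mask
    $enabled  = @($ProtocolBits.Keys | Where-Object { ($m -band $ProtocolBits[$_]) -ne 0 })
    $findings = @()

    foreach ($p in $enabled) {
        if ($WeakProtocols -contains $p) {
            $findings += ('{0} is enabled (bit 0x{1:X})' -f $p, $ProtocolBits[$p])
        }
    }
    if ($enabled -notcontains 'TLS 1.2') { $findings += 'TLS 1.2 is not enabled' }

    # Bits outside the known set usually mean a hand-edited registry value; report them too.
    $known = ($ProtocolBits.Values | Measure-Object -Sum).Sum
    $extra = $m -band (-bnot $known)
    if ($extra -ne 0) { $findings += ('Unknown bits set: 0x{0:X}' -f $extra) }

    return [pscustomobject]@{ Configured = $true; Enabled = $enabled; Findings = $findings }
}

# Usage on the local machine:
Test-SecureProtocols | Format-List

# Usage on a value taken from a GPO backup or another host, e.g. the page's recommendation
# "Use TLS 1.1; Use TLS 1.2" (0x200 + 0x800 = 2560) and the stricter TLS 1.2-only value 2048:
Test-SecureProtocols -Mask 2560
Test-SecureProtocols -Mask 2048
```

A Not Configured result is reported separately from a weak mask on purpose: the first means the browser falls back to the user's own Internet Options choices, the second means an administrator deliberately enforced a weak set, and the remediation differs.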

IE 64-bit Processes

Category: Browser security

OS: Windows

Description

Verifies the local group policy Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page.

This policy setting determines whether Internet Explorer 11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows.

Important

Some ActiveX controls and toolbars may not be available when 64-bit processes are used.

  • If you enable this policy setting, Internet Explorer 11 will use 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.

  • If you do not configure this policy setting, users can turn this feature on or off using Internet Explorer settings. This feature is turned off by default.

Recommendation

Set this policy to Enabled.

Enhanced Protected Mode

Category: Browser security

OS: Windows

Description

Verifies the local group policy Turn on Enhanced Protected Mode, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page.

Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows.

For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system.

  • If you enable this policy setting, Enhanced Protected Mode will be turned on.

    Any zone that has Protected Mode enabled will use Enhanced Protected Mode. Users will not be able to disable Enhanced Protected Mode.

  • If you do not configure this policy, users will be able to turn on or turn off Enhanced Protected Mode on the Advanced tab of the Internet Options dialog.

Recommendation

Set this policy to Enabled.

Intranet UNCs

Category: Browser security

OS: Windows

Description

Verifies the local group policy Intranet Sites: Include all network paths (UNCs), located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page.

This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone.

  • If you enable this policy setting, all network paths are mapped into the Intranet Zone.

  • If you disable this policy setting, network paths are not necessarily mapped into the Intranet Zone (other rules might map one there).

Recommendation

Set this policy to Disabled.

Certificate Address Mismatch Warning

Category: Browser security

OS: Windows

Description

Verifies the local group policy Turn on certificate address mismatch warning, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page.

This policy setting allows you to turn on the certificate address mismatch security warning.

When this policy setting is turned on, the user is warned when visiting Secure HTTP (HTTPS) websites that present certificates issued for a different website address.

This warning helps prevent spoofing attacks.

  • If you enable this policy setting, the certificate address mismatch warning always appears.

Recommendation

Set this policy to Enabled.
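The Advanced Page and Security Page policies described above (certificate revocation checking, signature checking on downloads, the three Enhanced Protected Mode policies, UNC-to-Intranet mapping and the certificate address mismatch warning) each write one machine-level registry value when configured through Group Policy, so they can be audited together. The PowerShell below is an added example and is not code from the original page or from the product it documents; the policy-to-value mapping in the table is the author's reading of the inetres.admx template and is an assumption to verify against the ADMX on your build before a mismatch is treated as a finding.

```powershell
# Added example (not from the original page): audit the machine-level registry values behind
# the Advanced Page / Security Page policies recommended above.
# Assumption: policy -> (key, value name, expected value) mapping taken from inetres.admx as the
# author understands it; verify against the ADMX shipped with your Windows build.

$IEPolicyChecks = @(
    @{ Policy   = 'Check for server certificate revocation'
       Key      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
       Name     = 'CertificateRevocation'; Expected = 1 }
    @{ Policy   = 'Check for signatures on downloaded programs'
       Key      = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Download'
       Name     = 'CheckExeSignatures'; Expected = 'yes' }
    @{ Policy   = 'Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled'
       Key      = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main'
       Name     = 'DisableEPMCompat'; Expected = 1 }
    @{ Policy   = 'Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows'
       Key      = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main'
       Name     = 'Isolation64Bit'; Expected = 1 }
    @{ Policy   = 'Turn on Enhanced Protected Mode'
       Key      = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main'
       Name     = 'Isolation'; Expected = 'PMEM' }
    @{ Policy   = 'Intranet Sites: Include all network paths (UNCs)'
       Key      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
       Name     = 'UNCAsIntranet'; Expected = 0 }
    @{ Policy   = 'Turn on certificate address mismatch warning'
       Key      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
       Name     = 'WarnOnBadCertRecving'; Expected = 1 }
)

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    # $null when the key or value is absent (policy Not Configured), so the caller can tell
    # "left to the user" apart from "configured to the wrong value".
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-IEPolicies {
    param($Checks = $IEPolicyChecks)
    foreach ($c in $Checks) {
        $actual = Get-PolicyValue -Key $c.Key -Name $c.Name
        # String comparison (case-insensitive) so DWORD and REG_SZ expectations share one path.
        $status = if ($null -eq $actual)                       { 'NotConfigured' }
                  elseif ("$actual" -eq "$($c.Expected)")      { 'Compliant' }
                  else                                         { 'NonCompliant' }
        [pscustomobject]@{
            Policy   = $c.Policy
            Value    = "$($c.Key)\$($c.Name)"
            Expected = $c.Expected
            Actual   = $actual
            Status   = $status
        }
    }
}

# Usage: list everything that is not enforced the way the recommendations above require.
Test-IEPolicies | Where-Object Status -ne 'Compliant' |
    Format-Table Policy, Expected, Actual, Status -AutoSize
```

Only the Policies hive is read, because that is where Group Policy enforcement lives; a matching value under HKCU or the non-policy Internet Settings key is a user preference the user can change back, not a control.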

Access Data Across Domains

Category: Browser security

OS: Windows

Description

Verifies the local group policy Access data sources across domains, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

  • If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

  • If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Allow cut, copy or paste operations from the clipboard via script (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Allow cut, copy or paste operations from the clipboard via script, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This setting allows managing whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region.

  • If you enable this policy setting, a script can perform a clipboard operation.

  • If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations.

  • If you disable or do not configure this policy setting, a script cannot perform a clipboard operation.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Allow drag and drop or copy and paste files (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Allow drag and drop or copy and paste files, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone.

  • If you enable this policy setting, users can drag files or copy and paste files from this zone automatically.

  • If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Allow loading of XAML files (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Allow loading of XAML files, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files.

XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take advantage of the Windows Presentation Foundation.

  • If you enable this policy setting and set the drop-down box to Enable, XAML files are automatically loaded inside Internet Explorer.

    The user cannot change this behavior.

  • If you set the drop-down box to Prompt, the user is prompted for loading XAML files.

  • If you disable this policy setting, XAML files are not loaded inside Internet Explorer.

    The user cannot change this behavior.

  • If you do not configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Allow only approved domains to use ActiveX controls without prompt (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Allow only approved domains to use ActiveX controls without prompt, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This policy setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control.

  • If you enable this policy setting, the user is prompted before ActiveX controls can run from websites in this zone.

    The user can choose to allow the control to run from the current site or from all sites.

  • If you disable this policy setting, the user does not see the per-site ActiveX prompt, and ActiveX controls can run from all sites in this zone.

Recommendation

Set this policy to Enabled > Enable.

Internet Explorer: Allow only approved domains to use the TDC ActiveX control (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Allow only approved domains to use the TDC ActiveX control, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This policy setting controls whether or not the user is allowed to run the TDC ActiveX control on websites.

  • If you enable this policy setting, the TDC ActiveX control will not run from websites in this zone.

Recommendation

Set this policy to Enabled > Enable.

Internet Explorer: Allow scripting of Internet Explorer WebBrowser controls (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Allow scripting of Internet Explorer WebBrowser controls, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This policy setting determines whether a page can control embedded WebBrowser controls via script.

  • If you enable this policy setting, script access to the WebBrowser control is allowed.

  • If you do not configure this policy setting, the user can enable or disable script access to the WebBrowser control.

By default, script access to the WebBrowser control is allowed only in the Local Machine and Intranet zones.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Allow script-initiated windows without size or position constraints (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Allow script-initiated windows without size or position constraints, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This policy setting allows managing restrictions on script-initiated pop-up windows and windows that include the title and status bars.

  • If you enable this policy setting, Windows Restrictions security will not apply in this zone.

    The security zone runs without the added layer of security provided by this feature.

  • If you disable or do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run.

    This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Allow scriptlets (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Allow scriptlets, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This setting allows managing whether the user can run scriptlets.

  • If you enable this policy setting, the user can run scriptlets.

  • If you disable this policy setting, the user cannot run scriptlets.

  • If you do not configure this policy setting, the user can enable or disable scriptlets.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Allow updates to status bar via script (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Allow updates to status bar via script, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This setting allows managing whether script is allowed to update the status bar within the zone.

  • If you enable this policy setting, script is allowed to update the status bar.

  • If you disable or do not configure this policy setting, script is not allowed to update the status bar.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Allow VBScript to run in Internet Explorer (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Allow VBScript to run in Internet Explorer, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This policy setting allows you to manage whether VBScript can be run on pages from the specified zone in Internet Explorer.

  • If you select Enable in the drop-down box, VBScript can run without user intervention.

  • If you select Prompt in the drop-down box, users are asked to choose whether to allow VBScript to run.

  • If you select Disable in the drop-down box or do not configure this setting, VBScript is prevented from running.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Automatic prompting for file downloads (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Automatic prompting for file downloads, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This setting determines whether users will be prompted for non-user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

  • If you enable this setting, users will receive a file download dialog for automatic download attempts.

  • If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog.

    Users can then click the Notification bar to allow the file download prompt.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Don't run antimalware programs against ActiveX controls (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Don't run antimalware programs against ActiveX controls, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they are safe to load on pages.

  • If you enable this policy, Internet Explorer does not check with your antimalware program to see if it is safe to create an instance of the ActiveX control.

  • If you disable this policy, Internet Explorer always checks with your antimalware program to see if it is safe to create an instance of the ActiveX control.

  • If you do not configure this policy, Internet Explorer always checks with your antimalware program to see if it is safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings.

Recommendation

Set this policy to Disabled (this policy has no drop-down; Disabled is the setting that keeps the antimalware check enforced and removes the user's ability to turn it off).

Internet Explorer: Download signed ActiveX control (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Download signed ActiveX controls, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This policy allows managing whether users may download signed ActiveX controls from a page in the zone.

  • If you enable this policy, users can download signed controls without user intervention.

  • If you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who are not trusted. Code signed by trusted publishers is silently downloaded.

  • If you disable the policy setting, signed controls cannot be downloaded.

  • If you do not configure this policy, users are queried whether to download controls signed by publishers who are not trusted. Code signed by trusted publishers is silently downloaded.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Download unsigned ActiveX controls (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Download unsigned ActiveX controls, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This policy allows you to manage whether users may download unsigned ActiveX controls from the zone.

Such code is potentially harmful, especially when coming from an untrusted zone.

  • If you enable this policy, users can run unsigned controls without user intervention.

  • If you select Prompt in the drop-down box, users are queried to choose whether to allow the unsigned control to run.

  • If you disable or do not configure this policy, users cannot run unsigned controls.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Enable dragging of content from different domains across windows (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Enable dragging of content from different domains across windows, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This policy allows setting options for dragging content from one domain to a different domain when the source and destination are in different windows.

  • If you enable this policy and click Enable, users can drag content from one domain to a different domain when the source and destination are in different windows.

    Users cannot change this setting.

  • If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when both the source and destination are in different windows.

    Users cannot change this setting.

  • In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in different windows.

    Users can change this setting in the Internet Options dialog.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Enable dragging of content from different domains within a window (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Enable dragging of content from different domains within a window, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This policy setting allows setting options for dragging content from one domain to a different domain when the source and destination are in the same window.

  • If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in the same window.

    Users cannot change this setting.

  • If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when the source and destination are in the same window.

    Users cannot change this setting in the Internet Options dialog.

  • In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in the same window.

    Users can change this setting in the Internet Options dialog.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Include local path when user is uploading files to a server (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Include local path when user is uploading files to a server, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This policy controls if the local path information is sent when the user is uploading a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server: for instance, files sent from the user's desktop may contain the user name as a part of the path.

  • If you enable this policy, path information is sent when the user is uploading a file via an HTML form.

  • If you disable this policy, path information is removed when the user is uploading a file via an HTML form.

  • If you do not configure this policy, the user can choose whether path information is sent when he or she is uploading a file via an HTML form.

By default, path information is sent.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Initialize and script ActiveX controls not marked as safe (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Initialize and script ActiveX controls not marked as safe, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This policy allows managing ActiveX controls not marked as safe.

  • If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts.

    This setting is not recommended, except for secure and administered zones.

    This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

  • If you enable this policy and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

  • If you disable or do not configure this policy, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Java permissions (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Java permissions, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This policy allows you to manage permissions for Java applets.

If you enable this setting, you can choose options from the drop-down box:

  • High Safety: enables applets to run in their sandbox.

  • Medium Safety: enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.

  • Low Safety: enables applets to perform all operations.

  • Custom: to control permissions settings individually.

  • Disable Java: prevents any applets from running.

If you do not configure this policy, the permission is set to High Safety.

Recommendation

Set this policy to Enabled > Disable Java.

Internet Explorer: Launching applications and files in an IFRAME (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Launching applications and files in an IFRAME, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This policy allows managing whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone.

  • If you enable this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention.

  • If you select Prompt in the drop-down box or do not configure this policy, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone.

  • If you disable this policy, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Logon options (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Logon options, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This policy allows managing settings for logon options. If you enable this policy, you can choose from the following logon options:

  • Anonymous logon: to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol.

  • Prompt for user name and password: to query users for user IDs and passwords.

    After a user is queried, these values can be used silently for the remainder of the session.

  • Automatic logon only in Intranet zone: to query users for user IDs and passwords in other zones.

    After a user is queried, these values can be used silently for the remainder of the session.

  • Automatic logon with current user name and password: to attempt logon using Windows NT Challenge Response (also known as NTLM authentication).

    • If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon.

    • If Windows NT Challenge Response is not supported by the server, the user is queried to provide the user name and password.

  • If you disable or do not configure this policy setting, logon is set to Automatic logon only in Intranet zone.

In the Internet zone, automatic logon sends the user's NTLM challenge-response to any Internet host that requests authentication, so a server under an attacker's control can collect it for offline cracking or relay; prompting keeps that decision with the user.

Recommendation

Set this policy to Enabled > Prompt for user name and password.

Internet Explorer: Navigate windows and frames across different domains (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Navigate windows and frames across different domains, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This policy allows managing the opening of windows and frames and access of applications across different domains.

  • If you enable or do not configure this policy, users can open windows and frames from other domains and access applications from other domains.

  • If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.

  • If you disable this policy, users cannot open windows and frames to access applications from different domains.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Run .NET Framework-reliant components not signed with Authenticode (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Run .NET Framework-reliant components not signed with Authenticode, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This setting allows managing whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer.

These components include managed controls referenced from an object tag and managed executables referenced from a link.

  • If you enable or do not configure this setting, Internet Explorer will execute unsigned managed components.

  • If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

  • If you disable this setting, Internet Explorer will not execute unsigned managed components.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Run .NET Framework-reliant components signed with Authenticode (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Run .NET Framework-reliant components signed with Authenticode, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This setting allows managing whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer.

These components include managed controls referenced from an object tag and managed executables referenced from a link.

  • If you enable this policy setting, Internet Explorer will execute signed managed components.

  • If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components.

  • If you disable this setting, Internet Explorer will not execute signed managed components.

  • If you do not configure this setting, Internet Explorer will not execute signed managed components.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Show security warning for potentially unsafe files (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Show security warning for potentially unsafe files, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example).

  • If you enable this setting and set the drop-down box to Enable, these files open without a security warning.

  • If you set the drop-down box to Prompt, a security warning appears before the files open.

  • If you disable this setting, these files do not open.

  • If you do not configure this setting, the user can configure how the computer handles these files.

By default, these files are blocked in the Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones.

Recommendation

Set this policy to Enabled > Prompt.

Internet Explorer: Turn on Cross-Site Scripting Filter (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Turn on Cross-Site Scripting Filter, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This setting controls whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone.

  • If you enable this policy setting, the XSS Filter is turned on for sites in this zone, and the XSS Filter attempts to block cross-site script injections.

  • If you disable this policy setting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections.

Recommendation

Set this policy to Enabled > Enable.

Internet Explorer: Turn on Protected Mode (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Turn on Protected Mode, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This setting allows you to turn on Protected Mode.

Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system.

  • If you enable this policy setting, Protected Mode is turned on.

    The user cannot turn off Protected Mode.

  • If you disable this policy setting, Protected Mode is turned off.

    The user cannot turn on Protected Mode.

  • If you do not configure this policy setting, the user can turn on or turn off Protected Mode.

Recommendation

Set this policy to Enabled > Enable.

Internet Explorer: Turn on SmartScreen Filter scan (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Turn on SmartScreen Filter scan, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

  • If you enable this setting, SmartScreen Filter scans pages in this zone for malicious content.

  • If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

  • If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

Note

In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

Recommendation

Set this policy to Enabled > Enable.

Internet Explorer: Use Pop-up Blocker (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Use Pop-up Blocker, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This setting allows managing whether unwanted pop-up windows appear.

Pop-up windows that are opened when the end user clicks a link are not blocked.

  • If you enable or do not configure this policy setting, most unwanted pop-up windows are prevented from appearing.

  • If you disable this policy setting, pop-up windows are not prevented from appearing.

Recommendation

Set this policy to Enabled > Enable.

Internet Explorer: Userdata persistence (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Userdata persistence, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This setting allows managing the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

  • If you enable or do not configure this setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

  • If you disable this setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Web sites in less privileged Web content zones can navigate into this zone (Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Web sites in less privileged Web content zones can navigate into this zone, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone.

This setting allows managing whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.

  • If you enable this setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature.

  • If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

  • If you disable this setting, the possibly harmful navigations are prevented.

    The Internet Explorer security feature will be on in this zone as set by the Protection from Zone Elevation feature control.

  • If you do not configure this setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Don't run antimalware programs against ActiveX controls (Intranet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Don't run antimalware programs against ActiveX controls, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone.

This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they are safe to load on pages.

  • If you enable or do not configure this policy setting, Internet Explorer will not check with your antimalware program to see if it is safe to create an instance of the ActiveX control.

  • If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it is safe to create an instance of the ActiveX control.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Initialize and script ActiveX controls not marked as safe (Intranet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Initialize and script ActiveX controls not marked as safe, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone.

This policy setting allows you to manage ActiveX controls not marked as safe.

  • If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts.

    This setting is not recommended, except for secure and administered zones.

    This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

  • If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

  • If you disable or do not configure this setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Java permissions (Intranet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Java permissions, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone.

This policy setting allows managing permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box:

  • Custom: to control permissions settings individually.

  • Low Safety: enables applets to perform all operations.

  • Medium Safety: enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.

  • High Safety: enables applets to run in their sandbox.

  • Disable Java: to prevent any applets from running.

  • If you disable this setting, Java applets cannot run.

  • If you do not configure this setting, the permission is set to Medium Safety.

Recommendation

Set this policy to Enabled > High Safety.

Internet Explorer: Don't run antimalware programs against ActiveX controls (Local Machine Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Don't run antimalware programs against ActiveX controls, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone.

This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they are safe to load on pages.

  • If you enable or do not configure this setting, Internet Explorer will not check with your antimalware program to see if it is safe to create an instance of the ActiveX control.

  • If you disable this setting, Internet Explorer always checks with your antimalware program to see if it is safe to create an instance of the ActiveX control.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Java permissions (Local Machine Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Java permissions, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone.

This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box:

  • Custom: to control permissions settings individually.

  • Low Safety: enables applets to perform all operations.

  • Medium Safety: enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.

  • High Safety: enables applets to run in their sandbox.

  • Disable Java: to prevent any applets from running.

  • If you disable this setting, Java applets cannot run.

  • If you do not configure this setting, the permission is set to Medium Safety.

Recommendation

Set this policy to Enabled > Disable Java.

Internet Explorer: Turn on SmartScreen Filter scan (Locked-Down Internet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Turn on SmartScreen Filter scan, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone.

This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

  • If you enable this setting, SmartScreen Filter scans pages in this zone for malicious content.

  • If you disable this setting, SmartScreen Filter does not scan pages in this zone for malicious content.

  • If you do not configure this setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

Note

In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

Recommendation

Set this policy to Enabled.

Internet Explorer: Java permissions (Locked-Down Intranet Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Java permissions, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone.

This setting allows managing permissions for Java applets. If you enable this setting, you can choose options from the drop-down box:

  • Custom: to control permissions settings individually.

  • Low Safety: enables applets to perform all operations.

  • Medium Safety: enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.

  • High Safety: enables applets to run in their sandbox.

  • Disable Java: to prevent any applets from running.

Recommendation

Set this policy to Enabled > Disable Java.

Internet Explorer: Java permissions (Locked-Down Local Machine Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Java permissions, located in Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone.

This policy setting allows you to manage permissions for Java applets.

If you enable this policy setting, you can choose options from the drop-down box:

  • Custom: to control permissions settings individually.

  • Low Safety: enables applets to perform all operations.

  • Medium Safety: enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.

  • High Safety: enables applets to run in their sandbox.

  • Disable Java: to prevent any applets from running.

  • If you disable this policy setting, Java applets cannot run.

  • If you do not configure this policy setting, Java applets are disabled.

Recommendation

Set this policy to Enabled > Disable Java.

Internet Explorer: Java permissions (Locked-Down Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Java permissions, located in Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone.

This policy setting allows you to manage permissions for Java applets.

If you enable this policy setting, you can choose options from the drop-down box:

  • Custom: to control permissions settings individually.

  • Low Safety: enables applets to perform all operations.

  • Medium Safety: enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.

  • High Safety: enables applets to run in their sandbox.

  • Disable Java: to prevent any applets from running.

  • If you disable this policy setting, Java applets cannot run.

  • If you do not configure this policy setting, Java applets are disabled.

Recommendation

Set this policy to Enabled > Disable Java.

Internet Explorer: Turn on SmartScreen Filter scan (Locked-Down Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Turn on SmartScreen Filter scan, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone.

This setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

  • If you enable this setting, SmartScreen Filter scans pages in this zone for malicious content.

  • If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

  • If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

Note

In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

Recommendation

Set this policy to Enabled > Enable.

Internet Explorer: Java permissions (Locked-Down Trusted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Java permissions, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone.

This setting allows managing permissions for Java applets.

If you enable this policy setting, you can choose options from the drop-down box:

  • Custom: to control permissions settings individually.

  • Low Safety: enables applets to perform all operations.

  • Medium Safety: enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.

  • High Safety: enables applets to run in their sandbox.

  • Disable Java: to prevent any applets from running.

  • If you disable this setting, Java applets cannot run.

  • If you do not configure this setting, Java applets are disabled.

Recommendation

Set this policy to Enabled > Disable Java.
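The zone policies above (Protected Mode, the XSS Filter, SmartScreen Filter scan and .NET Authenticode components in the Internet Zone, and Java permissions in the regular and locked-down zones) can be verified on an endpoint by reading back what group policy actually wrote. The following is an added example, not code from this page or from the product it documents: it parses a constructed `reg export` of the Internet Explorer policy subtree and compares a handful of these policies against the recommendations given here. The registry location (HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones and \Lockdown_Zones), the zone numbers, and the URL action value names and encodings (2500, 1409, 2301, 2001, 1C00) are my assumptions about what the policy editor writes, not something this page states; confirm them against the ADMX files in your environment before relying on the results.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Policy subtree that the IE zone settings are written to (assumption, see lead-in).
POLICY_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"

# Zone numbers used under Zones\ and Lockdown_Zones\ (assumption).
ZONE_NAMES = {0: "Local Machine", 1: "Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}

# (subtree, zone id, URL action value name, expected DWORD, policy label).
# Value names and encodings are assumptions: 2500 Protected Mode, 1409 XSS Filter,
# 2301 SmartScreen Filter scan, 2001 .NET Authenticode components
# (0 = Enable, 1 = Prompt, 3 = Disable) and 1C00 Java permissions
# (0 = Disable Java, 0x10000 = High Safety, 0x20000 = Medium Safety, 0x30000 = Low Safety).
CHECKS = [
    ("Zones", 3, "2500", 0x0,     "Turn on Protected Mode (Internet Zone) = Enable"),
    ("Zones", 3, "1409", 0x0,     "Turn on Cross-Site Scripting Filter (Internet Zone) = Enable"),
    ("Zones", 3, "2301", 0x0,     "Turn on SmartScreen Filter scan (Internet Zone) = Enable"),
    ("Zones", 3, "2001", 0x3,     "Run .NET Framework-reliant components signed with Authenticode (Internet Zone) = Disable"),
    ("Zones", 1, "1C00", 0x10000, "Java permissions (Intranet Zone) = High Safety"),
    ("Zones", 0, "1C00", 0x0,     "Java permissions (Local Machine Zone) = Disable Java"),
    ("Lockdown_Zones", 3, "2301", 0x0, "Turn on SmartScreen Filter scan (Locked-Down Internet Zone) = Enable"),
    ("Lockdown_Zones", 1, "1C00", 0x0, "Java permissions (Locked-Down Intranet Zone) = Disable Java"),
]

# Constructed sample of a `reg export` of the policy subtree for a partly compliant endpoint.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1C00"=dword:00020000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"2500"=dword:00000000
"1409"=dword:00000000
"2301"=dword:00000003
"2001"=dword:00000003
"1C00"=dword:00010000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3]
"2301"=dword:00000000
"""

_DWORD_LINE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg(text: str) -> Dict[str, Dict[str, int]]:
    """Parse the [key] / "name"=dword:xxxxxxxx lines of a .reg export.

    Only DWORD values are kept, which is all the zone URL actions use; other
    value types and comment lines are skipped. Value names are upper-cased
    because the registry compares names case-insensitively.
    """
    keys: Dict[str, Dict[str, int]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _DWORD_LINE.match(line)
        if m and current is not None:
            keys[current][m.group(1).upper()] = int(m.group(2), 16)
    return keys


@dataclass
class Finding:
    policy: str
    state: str            # "pass", "noncompliant" or "not configured"
    actual: Optional[int] # DWORD found, or None when the value is absent


def audit(keys: Dict[str, Dict[str, int]]) -> List[Finding]:
    """Compare each policy in CHECKS with the value present in the export.

    An absent value means the policy is Not Configured, which for most of
    these settings leaves the decision to the user and is reported separately
    from an explicitly wrong value.
    """
    findings = []
    for subtree, zone, action, expected, label in CHECKS:
        path = f"{POLICY_ROOT}\\{subtree}\\{zone}"
        actual = keys.get(path, {}).get(action)
        if actual is None:
            state = "not configured"
        elif actual == expected:
            state = "pass"
        else:
            state = "noncompliant"
        findings.append(Finding(label, state, actual))
    return findings


def failing(findings: List[Finding]) -> List[Finding]:
    return [f for f in findings if f.state != "pass"]


if __name__ == "__main__":
    for f in failing(audit(parse_reg(SAMPLE_REG))):
        shown = "absent" if f.actual is None else f"0x{f.actual:X}"
        print(f"[{f.state}] {f.policy} (value: {shown})")
```

On a real endpoint, produce the input with `reg export "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ie_policy.reg` and read the file with `encoding="utf-16"` (reg export writes UTF-16 with a byte-order mark) before passing it to `parse_reg`. Because the script only reads the Policies subtree, a "not configured" result means group policy has not pinned the setting at all, regardless of what the user has selected in the Internet Options dialog.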

Internet Explorer: Access data sources across domains (Restricted Sites Zone)

Category: Network and credentials

OS: Windows

Description

Verifies the local group policy Access data sources across domains, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This policy setting allows managing whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

  • If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

  • If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

  • If you disable or do not configure this setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Allow active scripting (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Allow active scripting, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting allows you to manage whether script code on pages in the zone is run.

  • If you enable this setting, script code on pages in the zone can run automatically.

  • If you select Prompt in the drop-down box, users are queried to choose whether to allow script code on pages in the zone to run.

  • If you disable or do not configure this setting, script code on pages in the zone is prevented from running.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Allow binary and script behaviors (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Allow binary and script behaviors, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting allows managing dynamic binary and script behaviors: components that encapsulate specific functionality for HTML elements to which they were attached.

  • If you enable this setting, binary and script behaviors are available.

  • If you select Administrator approved in the drop-down box, only behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available.

  • If you disable or do not configure this setting, binary and script behaviors are not available unless applications have implemented a custom security manager.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Allow cut, copy or paste operations from the clipboard via script (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Allow cut, copy or paste operations from the clipboard via script, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting allows managing whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region.

  • If you enable this policy setting, a script can perform a clipboard operation.

  • If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations.

  • If you disable or do not configure this policy setting, a script cannot perform a clipboard operation.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Allow drag and drop or copy and paste files (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Allow drag and drop or copy and paste files, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting allows managing whether users can drag files or copy and paste files from a source within the zone.

  • If you enable this policy setting, users can drag files or copy and paste files from this zone automatically.

  • If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone.

  • If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this zone.

  • If you do not configure this policy setting, users are queried to choose whether to drag or copy files from this zone.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Allow file downloads (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Allow file downloads, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting allows managing whether file downloads are permitted from the zone.

This option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered.

  • If you enable this setting, files can be downloaded from the zone.

  • If you disable or do not configure this setting, files are prevented from being downloaded from the zone.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Allow loading of XAML files (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Allow loading of XAML files, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting allows managing the loading of Extensible Application Markup Language (XAML) files.

XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take advantage of the Windows Presentation Foundation.

  • If you enable this setting and set the drop-down box to Enable, XAML files are automatically loaded inside Internet Explorer. The user cannot change this behavior.

  • If you set the drop-down box to Prompt, the user is prompted for loading XAML files.

  • If you disable this setting, XAML files are not loaded inside Internet Explorer. The user cannot change this behavior.

  • If you do not configure this setting, the user can decide whether to load XAML files inside Internet Explorer.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Allow META REFRESH (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Allow META REFRESH, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting allows managing whether a user's browser can be redirected to another Web page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page.

  • If you enable this setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web page.

  • If you disable or do not configure this setting, a user's browser that loads a page containing an active Meta Refresh setting cannot be redirected to another Web page.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Allow only approved domains to use ActiveX controls without prompt (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Allow only approved domains to use ActiveX controls without prompt, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control.

  • If you enable this setting, the user is prompted before ActiveX controls can run from websites in this zone.

    The user can choose to allow the control to run from the current site or from all sites.

  • If you disable this setting, the user does not see the per-site ActiveX prompt, and ActiveX controls can run from all sites in this zone.

Recommendation

Set this policy to Enabled > Enable.

Internet Explorer: Allow only approved domains to use the TDC ActiveX control (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Allow only approved domains to use the TDC ActiveX control, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting controls whether or not the user is allowed to run the TDC ActiveX control on websites.

  • If you enable this setting, the TDC ActiveX control will not run from websites in this zone.

  • If you disable this setting, the TDC ActiveX control will run from all sites in this zone.

Recommendation

Set this policy to Enabled > Enable.

Internet Explorer: Allow scripting of Internet Explorer WebBrowser controls (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Allow scripting of Internet Explorer WebBrowser controls, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting determines whether a page can control embedded WebBrowser controls via script.

  • If you enable this setting, script access to the WebBrowser control is allowed.

  • If you disable this setting, script access to the WebBrowser control is not allowed.

  • If you do not configure this policy setting, the user can enable or disable script access to the WebBrowser control.

By default, script access to the WebBrowser control is allowed only in the Local Machine and Intranet zones.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Allow script-initiated windows without size or position constraints (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Allow script-initiated windows without size or position constraints, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting allows managing restrictions on script-initiated pop-up windows and windows that include the title and status bars.

  • If you enable this policy setting, Windows Restrictions security will not apply in this zone.

    The security zone runs without the added layer of security provided by this feature.

  • If you disable this policy setting, the potentially harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run.

    This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.

  • If you do not configure this policy setting, the potentially harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run.

    This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Allow scriptlets (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Allow scriptlets, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting allows managing whether the user can run scriptlets.

  • If you enable this policy setting, the user can run scriptlets.

  • If you disable this policy setting, the user cannot run scriptlets.

  • If you do not configure this policy setting, the user can enable or disable scriptlets.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Allow updates to status bar via script (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Allow updates to status bar via script, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting allows managing whether script is allowed to update the status bar within the zone.

  • If you enable this policy setting, script is allowed to update the status bar.

  • If you disable or do not configure this policy setting, script is not allowed to update the status bar.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Allow VBScript to run in Internet Explorer (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Allow VBScript to run in Internet Explorer, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This policy setting allows you to manage whether VBScript can be run on pages from the specified zone in Internet Explorer.

  • If you select Enable in the drop-down box, VBScript can run without user intervention.

  • If you select Prompt in the drop-down box, users are asked to choose whether to allow VBScript to run.

  • If you select Disable in the drop-down box or do not configure this setting, VBScript is prevented from running.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Automatic prompting for file downloads (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Automatic prompting for file downloads, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting determines whether users will be prompted for non-user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

  • If you enable this setting, users will receive a file download dialog for automatic download attempts.

  • If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog.

    Users can then click the Notification bar to allow the file download prompt.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Don't run antimalware programs against ActiveX controls (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Don't run antimalware programs against ActiveX controls, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they are safe to load on pages.

  • If you enable this policy setting, Internet Explorer will not check with your antimalware program to see if it is safe to create an instance of the ActiveX control.

  • If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it is safe to create an instance of the ActiveX control.

  • If you do not configure this policy setting, Internet Explorer always checks with your antimalware program to see if it is safe to create an instance of the ActiveX control.

    Users can turn this behavior on or off, using Internet Explorer Security settings.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Download signed ActiveX controls (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Download signed ActiveX controls, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting allows managing whether users may download signed ActiveX controls from a page in the zone.

  • If you enable this policy, users can download signed controls without user intervention.

  • If you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who are not trusted.

    Code signed by trusted publishers is silently downloaded.

  • If you disable or do not configure this setting, signed controls cannot be downloaded.

Recommendation

Set this policy to Disabled.

Internet Explorer: Download unsigned ActiveX controls (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Download unsigned ActiveX controls, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This policy setting allows managing whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone.

  • If you enable this policy setting, users can run unsigned controls without user intervention.

  • If you select Prompt in the drop-down box, users are queried to choose whether to allow the unsigned control to run.

  • If you disable or do not configure this setting, users cannot run unsigned controls.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Enable dragging of content from different domains across windows (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Enable dragging of content from different domains across windows, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting allows setting options for dragging content from one domain to a different domain when the source and destination are in different windows.

  • If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in different windows.

    Users cannot change this setting.

  • If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when the source and destination are in different windows.

    Users cannot change this setting.

  • In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in different windows.

    Users can change this setting in the Internet Options dialog.

  • In Internet Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different domain when the source and destination are in different windows.

    Users cannot change this setting.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Enable dragging of content from different domains within a window (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Enable dragging of content from different domains within a window, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting allows setting options for dragging content from one domain to a different domain when the source and destination are in the same window.

  • If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in the same window.

    Users cannot change this setting.

  • If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when the source and destination are in the same window.

    Users cannot change this setting in the Internet Options dialog.

  • In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in the same window.

    Users can change this setting in the Internet Options dialog.

  • In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from one domain to a different domain when the source and destination are in the same window.

    Users cannot change this setting in the Internet Options dialog.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Include local path when user is uploading files to a server (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Include local path when user is uploading files to a server, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting controls whether or not local path information is sent when the user is uploading a file via an HTML form.

  • If the local path information is sent, some information may be unintentionally revealed to the server.

    For instance, files sent from the user's desktop may contain the user name as a part of the path.

  • If you enable this setting, path information is sent when the user is uploading a file via an HTML form.

  • If you disable this setting, path information is removed when the user is uploading a file via an HTML form.

  • If you do not configure this setting, the user can choose whether path information is sent when uploading a file via an HTML form.

    By default, path information is sent.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Initialize and script ActiveX controls not marked as safe (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Initialize and script ActiveX controls not marked as safe, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting allows managing ActiveX controls not marked as safe.

  • If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts.

    This setting is not recommended, except for secure and administered zones.

    This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

  • If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

  • If you disable or do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Java permissions (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Java permissions, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting allows managing permissions for Java applets.

  • If you enable this setting, you can choose options from the drop-down box:

    • Custom: control permissions settings individually.

    • Low Safety: enable applets to perform all operations.

    • Medium Safety: enable applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.

    • High Safety: enable applets to run in their sandbox.

    • Disable Java: prevent any applets from running.

  • If you disable this setting, Java applets cannot run.

  • If you do not configure this setting, Java applets are disabled.

Recommendation

Set this policy to Enabled > Disable Java.

Internet Explorer: Launching applications and files in an IFRAME (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Launching applications and files in an IFRAME, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting allows managing whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone.

  • If you enable this setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention.

  • If you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone.

  • If you disable or do not configure this setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Logon options (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Logon options, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting allows managing settings for logon options.

  • If you enable this setting, you can choose from the following logon options:

    • Anonymous logon: to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol.

    • Prompt for user name and password: to query users for user IDs and passwords.

      After a user is queried, these values can be used silently for the remainder of the session.

    • Automatic logon only in Intranet zone: to query users for user IDs and passwords in other zones.

      After a user is queried, these values can be used silently for the remainder of the session.

    • Automatic logon with current user name and password: to attempt logon using Windows NT Challenge Response (also known as NTLM authentication).

      • If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon.

      • If Windows NT Challenge Response is not supported by the server, the user is queried to provide the user name and password.

  • If you disable this setting, logon is set to Automatic logon only in Intranet zone.

  • If you do not configure this setting, logon is set to Prompt for username and password.

Recommendation

Set this policy to Enabled > Anonymous logon.

Automatic logon with current user name and password lets a page in this zone trigger Windows NT Challenge Response (NTLM) authentication with the signed-in user's network credentials without any prompt, and the prompting options still let a page ask the user for a password; a zone reserved for untrusted sites should be offered no credentials at all.

Internet Explorer: Navigate windows and frames across different domains (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Navigate windows and frames across different domains, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting allows managing the opening of windows and frames and access of applications across different domains.

  • If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains.

  • If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains.

  • If you disable or do not configure this setting, users cannot open other windows and frames from other domains or access applications from different domains.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Run .NET Framework-reliant components not signed with Authenticode (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Run .NET Framework-reliant components not signed with Authenticode, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting allows managing whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer.

These components include managed controls referenced from an object tag and managed executables referenced from a link.

  • If you enable this policy setting, Internet Explorer will execute unsigned managed components.

  • If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

  • If you disable or do not configure this setting, Internet Explorer will not execute unsigned managed components.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Run .NET Framework-reliant components signed with Authenticode (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Run .NET Framework-reliant components signed with Authenticode, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting allows managing whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer.

These components include managed controls referenced from an object tag and managed executables referenced from a link.

  • If you enable this policy setting, Internet Explorer will execute signed managed components.

  • If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components.

  • If you disable this setting, Internet Explorer will not execute signed managed components.

  • If you do not configure this setting, Internet Explorer will not execute signed managed components.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Run ActiveX controls and plugins (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Run ActiveX controls and plugins, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting allows managing if ActiveX controls and plug-ins can be run on pages from the specified zone.

  • If you enable this setting, controls and plug-ins can run without user intervention.

  • If you select Prompt in the drop-down box, users are asked to choose whether to allow the controls or plug-ins to run.

  • If you disable or do not configure this setting, controls and plug-ins are prevented from running.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Script ActiveX controls marked safe for scripting (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Script ActiveX controls marked safe for scripting, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This policy setting allows managing whether an ActiveX control marked safe for scripting can interact with a script.

  • If you enable this setting, script interaction can occur automatically without user intervention.

  • If you select Prompt in the drop-down box, users are queried to choose whether to allow script interaction.

  • If you disable or do not configure this setting, script interaction is prevented from occurring.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Scripting of Java applets (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Scripting of Java applets, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting allows managing whether applets are exposed to scripts within the zone.

  • If you enable this setting, scripts can access applets automatically without user intervention.

  • If you select Prompt in the drop-down box, users are queried to choose whether to allow scripts to access applets.

  • If you disable or do not configure this setting, scripts are prevented from accessing applets.

Recommendation

Set this policy to Enabled > Disable.

Show security warning for potentially unsafe files

Category: Browser security

OS: Windows

Description

This setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example).

  • If you enable this setting and set the drop-down box to Enable, these files open without a security warning.

  • If you set the drop-down box to Prompt, a security warning appears before the files open.

  • If you disable this setting, these files do not open.

  • If you do not configure this setting, the user can configure how the computer handles these files.

By default, these files are blocked in the Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones.

Recommendation

Internet Explorer: Turn on Cross-Site Scripting Filter (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Turn on Cross-Site Scripting Filter, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting controls whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone.

  • If you enable this setting, the XSS Filter is turned on for sites in this zone, and the XSS Filter attempts to block cross-site script injections.

  • If you disable this policy setting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections.

Recommendation

Set this policy to Enabled > Enable.

Internet Explorer: Turn on Protected Mode (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Turn on Protected Mode, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting allows turning on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system.

  • If you enable this setting, Protected Mode is turned on.

    The user cannot turn off Protected Mode.

  • If you disable this setting, Protected Mode is turned off.

    The user cannot turn on Protected Mode.

  • If you do not configure this setting, the user can turn on or turn off Protected Mode.

Recommendation

Set this policy to Enabled > Enable.

Internet Explorer: Turn on SmartScreen Filter scan (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Turn on SmartScreen Filter scan, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

  • If you enable this setting, SmartScreen Filter scans pages in this zone for malicious content.

  • If you disable this setting, SmartScreen Filter does not scan pages in this zone for malicious content.

  • If you do not configure this setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

Note

In Internet Explorer 7, this setting controls whether Phishing Filter scans pages in this zone for malicious content.

Recommendation

Set this policy to Enabled > Enable.

Internet Explorer: Use Pop-up Blocker (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Use Pop-up Blocker, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting allows managing whether unwanted pop-up windows appear.

Pop-up windows that are opened when the end user clicks a link are not blocked.

  • If you enable or do not configure this setting, most unwanted pop-up windows are prevented from appearing.

  • If you disable this setting, pop-up windows are not prevented from appearing.

Recommendation

Set this policy to Enabled > Enable.

Internet Explorer: Userdata persistence (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Userdata persistence, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting allows managing the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

  • If you enable this setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

  • If you disable or do not configure this setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Web sites in less privileged Web content zones can navigate into this zone (Restricted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Web sites in less privileged Web content zones can navigate into this zone, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.

This setting allows managing whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.

  • If you enable this setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.

    The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature.

  • If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

  • If you disable or do not configure this setting, the possibly harmful navigations are prevented.

    The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Don't run antimalware programs against ActiveX controls (Trusted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Don't run antimalware programs against ActiveX controls, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone.

This setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they are safe to load on pages.

  • If you enable this setting, Internet Explorer will not check with your antimalware program to see if it is safe to create an instance of the ActiveX control.

  • If you disable this setting, Internet Explorer always checks with your antimalware program to see if it is safe to create an instance of the ActiveX control.

  • If you do not configure this setting, Internet Explorer will not check with your antimalware program to see if it is safe to create an instance of the ActiveX control.

    Users can turn this behavior on or off, using Internet Explorer Security settings.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Initialize and script ActiveX controls not marked as safe (Trusted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Initialize and script ActiveX controls not marked as safe, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone.

This setting allows managing ActiveX controls not marked as safe.

  • If you enable this setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts.

    This setting is not recommended, except for secure and administered zones.

    This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

  • If you enable this setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

  • If you disable this setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

  • If you do not configure this setting, users are queried whether to allow the control to be loaded with parameters or scripted.

Recommendation

Set this policy to Enabled > Disable.

Internet Explorer: Java permissions (Trusted Sites Zone)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Java permissions, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone.

This setting allows managing permissions for Java applets.

  • If you enable this setting, you can choose options from the drop-down box:

    • Custom: control permissions settings individually.

    • Low Safety: enable applets to perform all operations.

    • Medium Safety: enable applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.

    • High Safety: enable applets to run in their sandbox.

    • Disable Java: to prevent any applets from running.

  • If you disable this policy setting, Java applets cannot run.

  • If you do not configure this policy setting, the permission is set to Low Safety.

Recommendation

Set this policy to Enabled > High Safety.
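All of the Restricted Sites Zone and Trusted Sites Zone settings above land in one registry location when they are delivered by Group Policy, so they can be audited in one pass. The following PowerShell script is an added example, not part of this page and not the product's own check: it reads the computer-level policy values for both zones and compares them with the recommendations above. The zone numbers (2 = Trusted Sites, 4 = Restricted Sites), the hexadecimal action IDs and the value encodings (0 = Enable, 1 = Prompt, 3 = Disable; Logon options and Java permissions are bit fields) are Microsoft's documented mappings and are not stated on this page, so confirm them against inetres.admx in your central store before relying on the script.

```powershell
# Added example, not the page's or product's own code. Audits the Internet
# Explorer zone policies against the recommendations in this section.
# Group Policy writes zone settings as DWORDs named by hexadecimal action ID under
#   HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<zone>
# Action IDs and encodings below are Microsoft's documented values (inetres.admx),
# not taken from this page; verify them against your own ADMX.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Expected value per zone and action ID, following the Recommendation blocks above.
$Expected = @{
    4 = @{   # Restricted Sites Zone
        '1209' = 3        # Allow scriptlets: Disable
        '2103' = 3        # Allow updates to status bar via script: Disable
        '140C' = 3        # Allow VBScript to run in Internet Explorer: Disable
        '2200' = 3        # Automatic prompting for file downloads: Disable
        '270C' = 3        # Don't run antimalware programs against ActiveX controls: Disable
        '1001' = 3        # Download signed ActiveX controls: Disable
        '1004' = 3        # Download unsigned ActiveX controls: Disable
        '2709' = 3        # Enable dragging of content across windows: Disable
        '2708' = 3        # Enable dragging of content within a window: Disable
        '160A' = 3        # Include local path when uploading files: Disable
        '1201' = 3        # Initialize and script ActiveX controls not marked as safe: Disable
        '1C00' = 0        # Java permissions: Disable Java
        '1804' = 3        # Launching applications and files in an IFRAME: Disable
        '1A00' = 0x30000  # Logon options: Anonymous logon
        '1607' = 3        # Navigate windows and frames across different domains: Disable
        '2004' = 3        # .NET components not signed with Authenticode: Disable
        '2001' = 3        # .NET components signed with Authenticode: Disable
        '1200' = 3        # Run ActiveX controls and plugins: Disable
        '1405' = 3        # Script ActiveX controls marked safe for scripting: Disable
        '1402' = 3        # Scripting of Java applets: Disable
        '1409' = 0        # Turn on Cross-Site Scripting Filter: Enable
        '2500' = 0        # Turn on Protected Mode: Enable
        '2301' = 0        # Turn on SmartScreen Filter scan: Enable
        '1809' = 0        # Use Pop-up Blocker: Enable
        '1606' = 3        # Userdata persistence: Disable
        '2101' = 3        # Less privileged zones can navigate into this zone: Disable
    }
    2 = @{   # Trusted Sites Zone
        '270C' = 3        # Don't run antimalware programs against ActiveX controls: Disable
        '1201' = 3        # Initialize and script ActiveX controls not marked as safe: Disable
        '1C00' = 0x10000  # Java permissions: High Safety
    }
}

function Test-IeZonePolicy {
    param(
        [string]$Root = $PolicyRoot,      # switch to HKCU:\... to audit User Configuration policies
        [hashtable]$Baseline = $Expected
    )
    foreach ($zone in $Baseline.Keys) {
        $key   = Join-Path $Root $zone
        # A missing key means no policy is applied to this zone at all.
        $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        foreach ($id in $Baseline[$zone].Keys) {
            $want = $Baseline[$zone][$id]
            $have = if ($props -and $props.PSObject.Properties[$id]) { $props.$id } else { $null }
            [pscustomobject]@{
                Zone   = $zone
                Action = $id
                Want   = '0x{0:X}' -f $want
                Have   = if ($null -eq $have) { 'not configured' } else { '0x{0:X}' -f $have }
                # "not configured" is reported as FAIL: the recommendation is to set the policy.
                Status = if ($have -eq $want) { 'OK' } else { 'FAIL' }
            }
        }
    }
}

Test-IeZonePolicy | Sort-Object Zone, Status, Action | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt. A result of not configured means no policy is applied and the effective behaviour comes from the user's own zone settings under the non-policy Internet Settings\Zones keys in HKCU and HKLM, so it is a finding even though no wrong value is present; gpresult or the Group Policy Results wizard remains the authoritative view of which policy object set a value.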

Allow fallback to SSL 3.0 (Internet Explorer)

Category: Browser security

OS: Windows

Description

Verifies the local group policy Allow fallback to SSL 3.0 (Internet Explorer), located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features.

This setting allows blocking an insecure fallback to SSL 3.0.

  • If you enable this policy, Internet Explorer will attempt to connect to sites using SSL 3.0 or below when TLS 1.0 or greater fails, for the sites selected in the drop-down box; No sites blocks the fallback everywhere.

    Do not allow insecure fallback: an attacker positioned between the client and the server can make the TLS handshake fail and so downgrade the session to SSL 3.0, which is what the POODLE attack against SSL 3.0 exploits.

    This policy does not affect which security protocols are enabled.

  • If you disable this policy, system defaults will be used.

Recommendation

Set this policy to Enabled > No sites.

Remove Run this time button for outdated ActiveX controls in Internet Explorer

Category: Browser security

OS: Windows

Description

Verifies the local group policy Remove Run this time button for outdated ActiveX controls in Internet Explorer, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management.

This policy setting allows preventing users from seeing the Run this time button and from running specific outdated ActiveX controls in Internet Explorer.

  • If you enable this setting, users will not see the Run this time button on the warning message that appears when Internet Explorer blocks an outdated ActiveX control.

  • If you disable or don't configure this policy setting, users will see the Run this time button on the warning message that appears when Internet Explorer blocks an outdated ActiveX control.

    Clicking this button lets the user run the outdated ActiveX control once.

Recommendation

Set this policy to Enabled.

Turn off blocking of outdated ActiveX controls for Internet Explorer

Category: Browser security

OS: Windows

Description

Verifies the local group policy Turn off blocking of outdated ActiveX controls for Internet Explorer, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management.

This setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.

  • If you enable this setting, Internet Explorer stops blocking outdated ActiveX controls.

  • If you disable or do not configure this policy setting, Internet Explorer continues to block specific outdated ActiveX controls.

Recommendation

Set this policy to Disabled.

Internet Explorer Processes Handling

Category: Browser security

OS: Windows

Description

Verifies the local group policy Internet Explorer Processes, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Consistent Mime Handling.

Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling procedures for files received through a Web server.

This policy setting determines whether Internet Explorer requires that all file-type information provided by Web servers be consistent.

For example, if the MIME type of a file is text/plain but the MIME sniff indicates that the file is really an executable file, Internet Explorer renames the file by saving it in the Internet Explorer cache and changing its extension.

  • If you enable or do not configure this policy setting, Internet Explorer requires consistent MIME data for all received files.

  • If you disable this policy setting, Internet Explorer will not require consistent MIME data for all received files.

Recommendation

Set this policy to Enabled.

Internet Explorer Processes Sniffing

Category: Browser security

OS: Windows

Description

Verifies the local group policy Internet Explorer Processes, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Mime Sniffing Safety Feature.

This policy setting determines whether Internet Explorer MIME sniffing will prevent promotion of a file of one type to a more dangerous file type.

  • If you enable or do not configure this setting, MIME sniffing will never promote a file of one type to a more dangerous file type.

  • If you disable this setting, Internet Explorer processes will allow a MIME sniff promoting a file of one type to a more dangerous file type.

Recommendation

Set this policy to Enabled.

Internet Explorer Processes MK Protocol

Category: Browser security

OS: Windows

Description

Verifies the local group policy Internet Explorer Processes, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\MK Protocol Security Restriction.

The MK Protocol Security Restriction policy setting reduces attack surface area by preventing the MK protocol. Resources hosted on the MK protocol will fail.

  • If you enable or do not configure this setting, the MK Protocol is prevented for File Explorer and Internet Explorer, and resources hosted on the MK protocol will fail.

  • If you disable this setting, applications can use the MK protocol API.

    Resources hosted on the MK protocol will work for the File Explorer and Internet Explorer processes.

Recommendation

Set this policy to Enabled.

Internet Explorer Processes Security background

Category: Browser security

OS: Windows

Description

Verifies the local group policy Internet Explorer Processes, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Notification bar.

This setting allows you to manage whether the Notification bar is displayed for Internet Explorer processes when file or code installs are restricted.

By default, the Notification bar is displayed for Internet Explorer processes.

  • If you enable or do not configure this setting, the Notification bar will be displayed for Internet Explorer Processes.

  • If you disable this policy setting, the Notification bar will not be displayed for Internet Explorer processes.

Recommendation

Set this policy to Enabled.

Internet Explorer Processes Zone Elevation

Category: Browser security

OS: Windows

Description

Verifies the local group policy Internet Explorer Processes, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Protection From Zone Elevation.

Internet Explorer places restrictions on each Web page it opens. The restrictions are dependent upon the location of the Web page (Internet, Intranet, Local Machine zone, etc.).

Web pages on the local computer have the fewest security restrictions and reside in the Local Machine zone, making the Local Machine security zone a prime target for malicious users.

Zone Elevation also disables JavaScript navigation if there is no security context.

  • If you enable or do not configure this setting, any zone can be protected from zone elevation by Internet Explorer processes.

  • If you disable this setting, no zone receives such protection for Internet Explorer processes.

Recommendation

Set this policy to Enabled.

Internet Explorer Processes Restrict ActiveX Install

Category: Browser security

OS: Windows

Description

Verifies the local group policy Internet Explorer Processes, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Restrict ActiveX Install.

This setting enables blocking of ActiveX control installation prompts for Internet Explorer processes.

  • If you enable this setting, prompting for ActiveX control installations will be blocked for Internet Explorer processes.

  • If you disable this setting, prompting for ActiveX control installations will not be blocked for Internet Explorer processes.

  • If you do not configure this setting, the user's preference will be used to determine whether to block ActiveX control installations for Internet Explorer processes.

Recommendation

Set this policy to Enabled.

Internet Explorer Processes Restrict Download

Category: Browser security

OS: Windows

Description

Verifies the local group policy Internet Explorer Processes, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Restrict File Download.

This setting enables blocking of file download prompts that are not user initiated.

  • If you enable this setting, file download prompts that are not user initiated will be blocked for Internet Explorer processes.

  • If you disable this policy setting, prompting will occur for file downloads that are not user initiated for Internet Explorer processes.

  • If you do not configure this setting, the user's preference determines whether to prompt for file downloads that are not user initiated for Internet Explorer processes.

Recommendation

Set this policy to Enabled.

Internet Explorer Processes Window Restrictions

Category: Browser security

OS: Windows

Description

Verifies the local group policy Internet Explorer Processes, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Scripted Window Security Restrictions.

Internet Explorer allows scripts to programmatically open, resize, and reposition windows of various types.

The Window Restrictions security feature restricts pop-up windows and prohibits scripts from displaying windows in which the title and status bars are not visible to the user or which obscure other windows' title and status bars.

  • If you enable or do not configure this setting, pop-up windows and other restrictions apply for File Explorer and Internet Explorer processes.

  • If you disable this setting, scripts can continue to create pop-up windows and windows that obfuscate other windows.

Recommendation

Set this policy to Enabled.

Enable local admin password management

Category: OS security

OS: Windows

Description

Verifies the policy Enable local admin password management located in Computer Configuration\Administrative Templates\LAPS.

This policy enables management of the password for the local administrator account.

  • If you enable this setting, the local administrator password is managed.

  • If you disable or do not configure this setting, the local administrator password is NOT managed.

Note

This policy is available in local group policy editor after installing Local Administrator Password Solution (LAPS).

Recommendation

Set this policy to Enabled.

Local Account Token Filter Policy

Category: OS security

OS: Windows

Description

MS Security Guide: Apply UAC restrictions to local accounts on network logon.

This setting controls whether local accounts can be used for remote administration via network logon (e.g., NET USE, connecting to C$, etc.).

Local accounts are at high risk for credential theft when the same account and password are configured on multiple systems.

Enabling this policy significantly reduces that risk.

  • Enabled (recommended): Applies UAC token-filtering to local accounts on network logons.

    Membership in powerful groups such as Administrators is disabled and powerful privileges are removed from the resulting access token.

    This configures the LocalAccountTokenFilterPolicy registry value to 0. This is the default behavior for Windows.

  • Disabled: Allows local accounts to have full administrative rights when authenticating via network logon, by configuring the LocalAccountTokenFilterPolicy registry value to 1.

    For more information about LocalAccountTokenFilterPolicy, see http://support.microsoft.com/kb/951016.

Recommendation

Set this policy to Enabled.

Configure SMB v1 server

Category: OS security

OS: Windows

Description

MS Security Guide: Configure SMB v1 server.

Disabling this setting disables server-side processing of the SMBv1 protocol. (Recommended).

Enabling this setting enables server-side processing of the SMBv1 protocol. (Default).

Changes to this setting require a reboot to take effect.

For more information, see https://support.microsoft.com/kb/2696547.

Recommendation

Set this to Disabled.

Configure SMB v1 client

Category: OS security

OS: Windows

Description

MS Security Guide: Configure SMB v1 client driver.

Disabling this setting disables server-side processing of the SMBv1 protocol. (Recommended).

Enabling this setting enables server-side processing of the SMBv1 protocol. (Default).

Changes to this setting require a reboot to take effect. For more information, see https://support.microsoft.com/kb/2696547.

Recommendation

Set this to Enabled > Disable driver.

Enable Structured Exception Handling Overwrite Protection (SEHOP)

Category: OS security

OS: Windows

Description

MS Security Guide: Enable Structured Exception Handling Overwrite Protection (SEHOP).

Recommendation

Set this to Enabled.

WDigest Authentication

Category: OS security

OS: Windows

Description

MS Security Guide: WDigest Authentication.

When WDigest authentication is enabled, Lsass.exe retains a copy of the user's plaintext password in memory, where it can be at risk of theft. Microsoft recommends disabling WDigest authentication unless it is needed.

  • If this setting is not configured, WDigest authentication is disabled in Windows 8.1 and in Windows Server 2012 R2; it is enabled by default in earlier versions of Windows and Windows Server.

    Update KB2871997 must first be installed to disable WDigest authentication using this setting in Windows 7, Windows 8, Windows Server 2008 R2 and Windows Server 2012.

  • Enabled: Enables WDigest authentication.

  • Disabled (recommended): Disables WDigest authentication.

    For this setting to work on Windows 7, Windows 8, Windows Server 2008 R2 or Windows Server 2012, KB2871997 must first be installed.

Recommendation

Set this to Disabled.

DisableIPSourceRouting IPv6

Category: Network and credentials

OS: Windows

Description

MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)

Recommendation

Set this to Highest protection, source routing is completely disabled.

DisableIPSourceRouting

Category: Network and credentials

OS: Windows

Description

MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)

Recommendation

Set this to Highest protection, source routing is completely disabled.

EnableICMPRedirect

Category: Network and credentials

OS: Windows

Description

MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes

Recommendation

Set this to Disabled.

NoNameReleaseOnDemand

Category: OS security

OS: Windows

Description

MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers

Recommendation

Set this to Enabled.
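The MS Security Guide and MSS checks above (Local Account Token Filter Policy through NoNameReleaseOnDemand) are all backed by registry values, so they can be audited in one pass. The following PowerShell script is an added example, not the product's own check logic; the registry paths and value names are the ones Microsoft's SecGuide and MSS administrative templates write, and the expected values follow the recommendations above.

```powershell
# Added example (not this page's or the product's code): audit the registry values
# behind the MS Security Guide / MSS settings and report deviations from the
# recommended state. An absent value means the OS default applies; that is only
# treated as compliant where the page itself says the default is the secure value
# (LocalAccountTokenFilterPolicy), otherwise it is flagged for review.
$Checks = @(
    @{ Name  = 'LocalAccountTokenFilterPolicy (UAC filtering on network logon)'
       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'LocalAccountTokenFilterPolicy'; Want = 0; DefaultOk = $true },
    @{ Name  = 'SMBv1 server (LanmanServer SMB1)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value = 'SMB1'; Want = 0; DefaultOk = $false },
    @{ Name  = 'SMBv1 client driver (mrxsmb10 Start=4 means disabled)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'
       Value = 'Start'; Want = 4; DefaultOk = $false },
    @{ Name  = 'SEHOP (DisableExceptionChainValidation=0 means enabled)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
       Value = 'DisableExceptionChainValidation'; Want = 0; DefaultOk = $false },
    @{ Name  = 'WDigest (UseLogonCredential=0 means disabled)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
       Value = 'UseLogonCredential'; Want = 0; DefaultOk = $false },
    @{ Name  = 'MSS DisableIPSourceRouting (IPv4, 2 = highest protection)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
       Value = 'DisableIPSourceRouting'; Want = 2; DefaultOk = $false },
    @{ Name  = 'MSS DisableIPSourceRouting (IPv6, 2 = highest protection)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
       Value = 'DisableIPSourceRouting'; Want = 2; DefaultOk = $false },
    @{ Name  = 'MSS EnableICMPRedirect (0 = disabled)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
       Value = 'EnableICMPRedirect'; Want = 0; DefaultOk = $false },
    @{ Name  = 'MSS NoNameReleaseOnDemand (1 = enabled)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netbt\Parameters'
       Value = 'NoNameReleaseOnDemand'; Want = 1; DefaultOk = $false }
)

function Get-RegistryDword([string]$Path, [string]$Name) {
    # Returns $null when the key or value does not exist, so the caller can tell
    # "explicitly configured" apart from "OS default applies".
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-SecGuideSettings {
    foreach ($c in $Checks) {
        $actual = Get-RegistryDword -Path $c.Path -Name $c.Value
        $status = if ($null -eq $actual) {
            if ($c.DefaultOk) { 'Compliant (OS default)' } else { 'NotSet (OS default applies, review)' }
        } elseif ($actual -eq $c.Want) { 'Compliant' } else { 'NonCompliant' }

        [pscustomobject]@{
            Setting  = $c.Name
            Actual   = if ($null -eq $actual) { '<absent>' } else { $actual }
            Expected = $c.Want
            Status   = $status
        }
    }
}

Test-SecGuideSettings | Format-Table -AutoSize

# The SMBv1 policy value only says what was configured; on Windows 8 / Server 2012
# and later the live server state can be read directly ($false is the recommended state).
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    (Get-SmbServerConfiguration).EnableSMB1Protocol
}
```

Run it from an elevated prompt; the SMBv1 and SEHOP changes noted above require a reboot, so a value that already reads as compliant may not yet be in effect.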

Office Word 11 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Word 11, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.

    However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.

Recommendation

Set this to Disable all macros without notification.

Office Word 12 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Word 12, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.

    However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.

Recommendation

Set this to Disable all macros without notification.

Office Word 14 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Word 14, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.

    However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.

Recommendation

Set this to Disable all macros without notification.

Office Word 15 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Word 15, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.

    However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.

Recommendation

Set this to Disable all macros without notification.

Office Word 16 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Word 16, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.

    However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.

Recommendation

Set this to Disable all macros without notification.

Office MSProject 11 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office MSProject 11, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.

    However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.

Recommendation

Set this to Disable all macros without notification.

Office MSProject 12 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office MSProject 12, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.

    However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.

Recommendation

Set this to Disable all macros without notification.

Office MSProject 14 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office MSProject 14, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.

    However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.

Recommendation

Set this to Disable all macros without notification.

Office MSProject 15 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office MSProject 15, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.

    However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.

Recommendation

Set this to Disable all macros without notification.

Office MSProject 16 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office MSProject 16, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.

    However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.

Recommendation

Set this to Disable all macros without notification.

Office Excel 11 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Excel 11, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.

    However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.

Recommendation

Set this to Disable all macros without notification.

Office Excel 12 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Excel 12, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.

    However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.

Recommendation

Set this to Disable all macros without notification.

Office Excel 14 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Excel 14, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.

    However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.

Recommendation

Set this to Disable all macros without notification.

Office Excel 15 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Excel 15, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.

    However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.

Recommendation

Set this to Disable all macros without notification.

Office Excel 16 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Excel 16, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.

    However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.

Recommendation

Set this to Disable all macros without notification.

Office Power Point 11 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Power Point 11, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.

    However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.

Recommendation

Set this to Disable all macros without notification.

Office Power Point 12 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Power Point 12, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.

    However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.

Recommendation

Set this to Disable all macros without notification.

Office Power Point 14 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Power Point 14, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.

    However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.

Recommendation

Set this to Disable all macros without notification.

Office Power Point 15 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Power Point 15, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.

    However, for macros digitally signed by a trusted publisher, these will run if the trust access for that publisher has been enabled.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. Trust access to the VBA project object model.

Recommendation

Set this to Disable all macros without notification.

Office Power Point 16 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Power Point 16, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.

    However, macros digitally signed by a trusted publisher will run if that publisher has been trusted.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. The same Macro Settings page also contains the separate Trust access to the VBA project object model option.

Recommendation

Set this to Disable all macros without notification.

Office Access 11 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Access 11, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.

    However, macros digitally signed by a trusted publisher will run if that publisher has been trusted.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. The same Macro Settings page also contains the separate Trust access to the VBA project object model option.

Recommendation

Set this to Disable all macros without notification.

Office Access 12 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Access 12, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.

    However, macros digitally signed by a trusted publisher will run if that publisher has been trusted.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. The same Macro Settings page also contains the separate Trust access to the VBA project object model option.

Recommendation

Set this to Disable all macros without notification.

Office Access 14 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Access 14, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.

    However, macros digitally signed by a trusted publisher will run if that publisher has been trusted.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. The same Macro Settings page also contains the separate Trust access to the VBA project object model option.

Recommendation

Set this to Disable all macros without notification.

Office Access 15 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Access 15, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.

    However, macros digitally signed by a trusted publisher will run if that publisher has been trusted.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. The same Macro Settings page also contains the separate Trust access to the VBA project object model option.

Recommendation

Set this to Disable all macros without notification.

Office Access 16 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Access 16, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.

    However, macros digitally signed by a trusted publisher will run if that publisher has been trusted.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. The same Macro Settings page also contains the separate Trust access to the VBA project object model option.

Recommendation

Set this to Disable all macros without notification.

Office Publisher 11 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Publisher 11, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.

    However, macros digitally signed by a trusted publisher will run if that publisher has been trusted.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. The same Macro Settings page also contains the separate Trust access to the VBA project object model option.

Recommendation

Set this to Disable all macros without notification.

Office Publisher 12 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Publisher 12, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.

    However, macros digitally signed by a trusted publisher will run if that publisher has been trusted.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. The same Macro Settings page also contains the separate Trust access to the VBA project object model option.

Recommendation

Set this to Disable all macros without notification.

Office Publisher 14 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Publisher 14, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.

    However, macros digitally signed by a trusted publisher will run if that publisher has been trusted.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. The same Macro Settings page also contains the separate Trust access to the VBA project object model option.

Recommendation

Set this to Disable all macros without notification.

Office Publisher 15 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Publisher 15, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.

    However, macros digitally signed by a trusted publisher will run if that publisher has been trusted.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. The same Macro Settings page also contains the separate Trust access to the VBA project object model option.

Recommendation

Set this to Disable all macros without notification.

Office Publisher 16 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Publisher 16, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.

    However, macros digitally signed by a trusted publisher will run if that publisher has been trusted.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. The same Macro Settings page also contains the separate Trust access to the VBA project object model option.

Recommendation

Set this to Disable all macros without notification.

Office Outlook 11 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Outlook 11, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.

    However, macros digitally signed by a trusted publisher will run if that publisher has been trusted.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. The same Macro Settings page also contains the separate Trust access to the VBA project object model option.

Recommendation

Set this to Disable all macros without notification.

Office Outlook 12 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Outlook 12, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.

    However, macros digitally signed by a trusted publisher will run if that publisher has been trusted.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. The same Macro Settings page also contains the separate Trust access to the VBA project object model option.

Recommendation

Set this to Disable all macros without notification.

Office Outlook 14 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Outlook 14, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.

    However, macros digitally signed by a trusted publisher will run if that publisher has been trusted.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. The same Macro Settings page also contains the separate Trust access to the VBA project object model option.

Recommendation

Set this to Disable all macros without notification.

Office Outlook 15 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Outlook 15, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.

    However, macros digitally signed by a trusted publisher will run if that publisher has been trusted.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. The same Macro Settings page also contains the separate Trust access to the VBA project object model option.

Recommendation

Set this to Disable all macros without notification.

Office Outlook 16 Macro

Category: OS security

OS: Windows

Description

Checks the Macro settings for Office Outlook 16, located in File\Options\Trust Center\Trust Center Settings\Macro Settings.

  • Disable all macros without notification - Macros and security alerts about macros are disabled.

  • Disable all macros with notification - Macros are disabled, but security alerts will be triggered if macros are present.

  • Disable all macros except digitally signed macros - Macros are disabled, but security alerts will be triggered if macros are present.

    However, macros digitally signed by a trusted publisher will run if that publisher has been trusted.

  • Enable all macros (not recommended, potentially dangerous code can run) - All macros run.

    This setting makes your computer vulnerable to potentially malicious code. The same Macro Settings page also contains the separate Trust access to the VBA project object model option.

Recommendation

Set this to Disable all macros without notification.
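The Office macro checks above all read the same Trust Center choice. The following PowerShell script is an added example, not part of this checklist or of the product that implements it; it audits that choice for each Office version and application by reading the VBAWarnings registry value (1 = Enable all macros, 2 = Disable all macros with notification, 3 = Disable all macros except digitally signed macros, 4 = Disable all macros without notification) and flags anything other than 4 for review. It assumes that a Group Policy value under HKCU:\Software\Policies takes precedence over the user's own setting, that an absent value means the Office default of 2, and that Outlook, which stores its macro level differently, is left out of the audit.

```powershell
# Added example: audit Office Trust Center macro settings via the VBAWarnings value.
# Assumptions: the 1-4 mapping below, the policy key overriding the user key,
# and an absent value meaning the Office default (2). Run in the user's own session
# because the settings live under HKCU.
$versions = '11.0', '12.0', '14.0', '15.0', '16.0'
$apps     = 'Word', 'Excel', 'PowerPoint', 'Access', 'Publisher'   # Outlook excluded: uses a different value

$meaning = @{
    1 = 'Enable all macros (not recommended)'
    2 = 'Disable all macros with notification'
    3 = 'Disable all macros except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Get-MacroSetting {
    param([string]$Version, [string]$App)

    # A Group Policy value (Policies hive) wins over the user's Trust Center choice.
    $paths = @(
        "HKCU:\Software\Policies\Microsoft\Office\$Version\$App\Security",
        "HKCU:\Software\Microsoft\Office\$Version\$App\Security"
    )
    foreach ($p in $paths) {
        $v = Get-ItemProperty -Path $p -Name VBAWarnings -ErrorAction SilentlyContinue
        if ($null -ne $v) {
            return [pscustomobject]@{ Version = $Version; App = $App; Value = [int]$v.VBAWarnings; Source = $p }
        }
    }
    return $null
}

foreach ($ver in $versions) {
    foreach ($app in $apps) {
        # Skip version/application pairs that are not installed for this user.
        if (-not (Test-Path "HKCU:\Software\Microsoft\Office\$ver\$app")) { continue }

        $s = Get-MacroSetting -Version $ver -App $app
        if ($null -eq $s) {
            $val = 2                       # value absent: Office default "with notification"
            $src = '(default, value absent)'
        } else {
            $val = $s.Value
            $src = $s.Source
        }

        # Only "Disable all macros without notification" (4) matches the recommendation.
        $status = if ($val -eq 4) { 'OK' } else { 'REVIEW' }
        '{0,-6} {1,4} {2,-10} {3} {4} <- {5}' -f $status, $ver, $app, $val, $meaning[$val], $src
    }
}
```

Running this on a fleet through your management tooling gives one line per installed Office application, so a REVIEW line with the Policies path as source shows a Group Policy that sets a weaker level than the one recommended here, while a REVIEW line with the non-policy path shows a user-chosen setting that no policy currently overrides.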

Mozilla Passwords

Category: Browser security

OS: Windows

Description

Checks if Mozilla Firefox stores passwords on disk.

An attacker who gains ownership of your system may steal stored credentials.

Recommendation

Do not save credentials locally, especially if not protected by a security solution.

WinRM Service

Category: OS security

OS: Windows

Description

Windows Remote Management (WinRM) allows a user to interact with a remote system, to run an executable, modify the registry, or modify services. It may be called with the winrm command or by various programs, such as PowerShell.

Recommendation

Disable the WinRM Service unless necessary.

Network access: Do not allow anonymous enumeration of SAM accounts and shares

Category: Network and credentials

OS: Windows

Description

This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed.

Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares.

This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust.

  • If you do not want to allow anonymous enumeration of SAM accounts and shares, go to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options, and enable this policy.

    Default: Disabled.

Recommendation

Set this to Enabled.

Network access: Let Everyone permissions apply to anonymous users

Category: OS security

OS: Windows

Description

This security setting located in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options determines what additional permissions are granted for anonymous connections to the computer.

Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust.

By default, the Everyone security identifier (SID) is removed from the token created for anonymous connections. Therefore, permissions granted to the Everyone group do not apply to anonymous users.

  • When this policy is disabled (the default), anonymous users can only access those resources for which the anonymous user has been explicitly given permission.

  • If this policy is enabled, the Everyone SID is added to the token that is created for anonymous connections.

    In this case, anonymous users are able to access any resource for which the Everyone group has been given permissions.

    Default: Disabled.

Recommendation

Set this to Disabled.

PowerShell Script Execution

Category: OS security

OS: Windows

Description

Checks the local group policy Turn on Script Execution, located in Computer Configuration\Administrative Templates\Windows Components\Windows PowerShell.

This policy setting lets you configure the script execution policy, controlling which scripts are allowed to run.

  • If you enable this policy setting, the scripts selected in the drop-down list are allowed to run.

    • The Allow only signed scripts policy setting allows scripts to execute only if they are signed by a trusted publisher.

    • The Allow local scripts and remote signed scripts policy setting allows any local scripts to run.

      Scripts that originate from the internet must be signed by a trusted publisher.

    • The Allow all scripts policy setting allows all scripts to run.

  • If you disable this policy setting, no scripts are allowed to run.

Recommendation

Set this to Disabled.

Robomongo Passwords

Category: Network and credentials

OS: Windows

Description

Checks if Robomongo stores passwords on disk. An attacker who gains ownership of your system may steal stored credentials.

Recommendation

Do not save credentials locally, especially if not protected by a security solution.

Internet Explorer Passwords

Category: Network and credentials

OS: Windows

Description

Checks if Internet Explorer or Microsoft Edge store passwords on disk. An attacker who gains ownership of your system may steal stored credentials.

Recommendation

Do not save credentials locally, especially if not protected by a security solution.

Apache Directory Studio Passwords

Category: Network and credentials

OS: Windows

Description

Checks if Apache Directory Studio stores passwords on disk. An attacker who gains ownership of your system may steal stored credentials.

Recommendation

Do not save credentials locally, especially if not protected by a security solution.

Filezilla Passwords

Category: Network and credentials

OS: Windows

Description

Checks if Filezilla stores passwords on disk. An attacker who gains ownership of your system may steal stored credentials.

Recommendation

Do not save credentials locally, especially if not protected by a security solution.

FTP Navigator Passwords

Category: Network and credentials

OS: Windows

Description

Checks if FTP Navigator stores passwords on disk. An attacker who gains ownership of your system may steal stored credentials.

Recommendation

Do not save credentials locally, especially if not protected by a security solution.

DB Visualizer Passwords

Category: Network and credentials

OS: Windows

Description

Checks if DB Visualizer stores passwords on disk. An attacker who gains ownership of your system may steal stored credentials.

Recommendation

Do not save credentials locally, especially if not protected by a security solution.

Win SCP Passwords

Category: Network and credentials

OS: Windows

Description

Checks if Win SCP stores passwords on disk. An attacker who gains ownership of your system may steal stored credentials.

Recommendation

Do not save credentials locally, especially if not protected by a security solution.

RDP Manager Passwords

Category: Network and credentials

OS: Windows

Description

Checks if RDP Manager stores passwords on disk. An attacker who gains ownership of your system may steal stored credentials.

Recommendation

Do not save credentials locally, especially if not protected by a security solution.

Winlogon Passwords

Category: Network and credentials

OS: Windows

Description

Checks if Winlogon stores passwords on disk. An attacker who gains ownership of your system may steal stored credentials.

Recommendation

Do not save credentials locally, especially if not protected by a security solution.

Squirrel Passwords

Category: Network and credentials

OS: Linux

Description

In networking, source routing allows a sender to partially or fully specify the route packets take through a network. If source-routed packets are accepted, they can be used to reach systems on private address ranges, because the sender specifies the route itself instead of relying on routing protocols that would not forward such traffic.

Recommendation

Ensure the net.ipv4.conf.all.accept_source_route, net.ipv4.conf.default.accept_source_route, net.ipv6.conf.all.accept_source_route and net.ipv6.conf.default.accept_source_route flags are disabled.

Thunderbird Passwords

Category: Network and credentials

OS: Windows

Description

Checks if Thunderbird stores passwords on disk. An attacker who gains ownership of your system may steal stored credentials.

Recommendation

Do not save credentials locally, especially if not protected by a security solution.

PostgreSQL Passwords

Category: Network and credentials

OS: Windows

Description

Checks if PostgreSQL stores passwords on disk. An attacker who gains ownership of your system may steal stored credentials.

Recommendation

Do not save credentials locally, especially if not protected by a security solution.

PHP Auth Passwords

Category: Network and credentials

OS: Windows

Description

Checks if PHP Auth stores passwords on disk. An attacker who gains ownership of your system may steal stored credentials.

Recommendation

Do not save credentials locally, especially if not protected by a security solution.

Tortoise SVN Passwords

Category: Network and credentials

OS: Windows

Description

Checks if Tortoise SVN stores passwords on disk. An attacker who gains ownership of your system may steal stored credentials.

Recommendation

Do not save credentials locally, especially if not protected by a security solution.

Too many local administrators

Category: OS security

OS: Windows

Description

Checks the number of local administrators on the machine.

Recommendation

Do not allow more than one local administrator account.

SMB Shared Everyone Read

Category: Network and credentials

OS: Windows

Description

Checks the existence of shared folders with read access for the Everyone group.

The Everyone group includes all users who have logged in with a password (members of the Authenticated Users group) as well as built-in, non-password protected accounts such as Guest, and several other built-in security accounts like SERVICE, LOCAL_SERVICE, NETWORK_SERVICE, and others.

A Guest account is a built-in account on a Windows system that is disabled by default.

  • If enabled, it allows anyone to log in without a password.

Recommendation

Restrict access to shared folders for members of the Everyone group.

We also recommend you do not grant shared permissions to Shell Folders.

SMB Shared Everyone Write

Category: Network and credentials

OS: Windows

Description

Checks the existence of shared folders with write access for the Everyone group.

The Everyone group includes all users who have logged in with a password (members of the Authenticated Users group) as well as built-in, non-password protected accounts such as Guest, and several other built-in security accounts like SERVICE, LOCAL_SERVICE, NETWORK_SERVICE, and others.

A Guest account is a built-in account on a Windows system that is disabled by default.

  • If enabled, it allows anyone to log in without a password.

Recommendation

Restrict access to shared folders for members of the Everyone group.

We also recommend you do not grant shared permissions to Shell Folders.

SMB Shared Sensitive Read

Category: Network and credentials

OS: Windows

Description

Checks the existence of sensitive folders that are shared with read access on Server Message Block (SMB).

SMB is a network protocol used by Windows-based computers that allows systems within the same network to share files. It allows computers connected to the same network or domain to access files from other local computers as easily as if they were on the computer's local hard drive.

Not only does SMB allow computers to share files, but it also enables computers to share printers and even serial ports from other computers within the network.

Recommendation

Restrict access to shared folders for members of the Everyone group.

We also recommend you do not grant shared permissions to Shell Folders.

SMB Shared Sensitive Write

Category: Network and credentials

OS: Windows

Description

Checks the existence of sensitive folders that are shared with write access on Server Message Block (SMB).

SMB is a network protocol used by Windows-based computers that allows systems within the same network to share files. It allows computers connected to the same network or domain to access files from other local computers as easily as if they were on the computer's local hard drive.

Not only does SMB allow computers to share files, but it also enables computers to share printers and even serial ports from other computers within the network.

Recommendation

Restrict access to shared folders for members of the Everyone group.

SMBv3 Exploitable

Category: Network and credentials

OS: Windows

Description

Checks if the computer is vulnerable to CVE-2020-0796.

Recommendation

Always watch for and install security updates.

afmtd Exploitable

Category: OS security

OS: Windows

Description

Checks if the computer is vulnerable to CVE-2020-1020.

Recommendation

Always watch for and install security updates.

Full Secure Channel Protection

Category: Network and credentials

OS: Windows

Description

Verifies the policy Domain controller: Allow vulnerable Netlogon secure channel connections, located in Computer Configuration\Windows Settings\Security Settings\Security Options.

This security setting determines whether the domain controller bypasses secure RPC for Netlogon secure channel connections, for specified machine accounts.

When this policy is enabled with Allow, the domain controller will allow some specified groups/accounts to use a Netlogon secure channel without secure RPC.

Recommendation

Set this policy to Deny or Not configured.

Print Spooler Service Exploitable

Category: Network and credentials

OS: Windows

Description

Verifies if the endpoint is susceptible to the PrintNightmare attack (CVE-2021-34527).

This type of attack exploits a vulnerability within the Windows Print Spooler service, allowing an attacker to run arbitrary code with SYSTEM privileges. An attacker can then install programs; view, change or delete data, or create new accounts with full user rights.

Recommendation

Make sure your endpoint is always up-to-date with your operating system security patches.

  • If for some reason you are unable to patch the endpoint, make sure you apply one of the workarounds specified in this vulnerability blog post:

    • Disable the Print Spooler Service.

    • Disable inbound remote printing through Group Policy.

NTLM Incoming traffic not restricted

Category: Network and credentials

OS: Windows

Description

Verifies if the group policy Network Security: Restrict NTLM: Incoming NTLM traffic, located in Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options, is configured to deny incoming traffic from all accounts.

  • If this setting is not configured properly, an attacker can target a Domain Controller using an NTLM relay attack (dubbed PetitPotam).

Recommendation

To safeguard against this line of attack, Microsoft recommends disabling NTLM authentication on the domain controller. If NTLM cannot be turned off for compatibility reasons, take one of the two steps below:

  • Disable NTLM on any AD CS Servers in your domain using the group policy Network security: Restrict NTLM: Incoming NTLM traffic

  • Disable NTLM for Internet Information Services (IIS) on AD CS Servers in the domain running the Certificate Authority Web Enrollment or Certificate Enrollment Web Service services

Log4j with Remote Code Execution Present

Category: Network and credentials

OS: Windows

Description

Verifies if a vulnerable version of the log4j module is present on the disk. The vulnerable module could be affected by CVE-2021-44228 and CVE-2021-45046; submitting a specially crafted request to it can make it download and subsequently execute a malicious payload.

Recommendation

Avoid using Log4j versions 2.x to 2.15.0.

Log4j with Denial of Service Present

Category: Network and credentials

OS: Windows

Description

Verifies if a vulnerable version of the log4j module is present on the disk. The vulnerable module could be affected by CVE-2021-45105; submitting a specially crafted request to it can cause a denial of service when the crafted string is interpreted.

Recommendation

Avoid using Log4j versions 2.x to 2.16.0, except version 2.12.3, which fixes the issue.

HTTP Protocol Stack Remote Code Execution Vulnerability

Category: Vulnerability

OS: Windows

Description

Verifies if http.sys, a kernel mode device driver in Microsoft Windows, is vulnerable to CVE-2022-21907, a remote code execution vulnerability that requires no authentication.

Recommendation

Stay up-to-date with the security updates and, as a mitigation, make sure that the EnableTrailerSupport value, located under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters, is either missing or set to 0.

Win32k Privilege Escalation Vulnerability

Category: Vulnerability

OS: Windows

Description

This vulnerability can allow an attacker to gain system-level privileges. This flaw was originally identified as CVE-2021-1732 and was patched, but a technique to bypass the patch was identified and assigned CVE-2022-21882.

Recommendation

Install the latest security updates.

Spring Cloud Functions vulnerability (Spring4Shell)

Category: Vulnerability

OS: Windows

Description

Spring Cloud Functions versions 3.1.6, 3.2.2, and older are vulnerable to CVE-2022-22963. This vulnerability allows a user to provide a specially crafted SpEL payload as a routing expression, which may result in remote code execution and access to local resources.

Recommendation

Upgrade Spring Cloud Functions to versions 3.1.7, 3.2.3, or higher.

Tarrask tasks detected

Category: Vulnerability

OS: Windows

Description

Verifies whether there are any scheduled tasks that have no security descriptor associated. These types of tasks are an indicator of Tarrask malware infection.

Recommendation

Navigate to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree and check whether any scheduled task has an SD (security descriptor) entry with no value.

Follina Vulnerability

Category: Vulnerability

OS: Windows

Description

Verifies if the system is vulnerable to CVE-2022-30190, also known as Follina Vulnerability. This vulnerability allows remote code execution when Microsoft Windows Support Diagnostic Tool (MSDT) is called using the URL protocol of a calling application, such as Microsoft Word.

Recommendation

Install the latest security updates, or apply the mitigation actions suggested by the vendor.

Microsoft search handler present

Category: OS security

OS: Windows

Description

Verifies if search-ms handler is present. Adversaries can leverage search-ms, as it is a URI protocol handler that allows applications and HTML links to launch customized searches on a device.

Recommendation

Create a backup of the registry, and remove the search-ms key located at HKEY_CLASSES_ROOT\search-ms.

Linux misconfigurations

OpenSSH root login is enabled

Category: OS security

OS: Linux

Description

Verifies if OpenSSH login is enabled for the user "root".

Recommendation

Ensure remote access is disabled for user "root".

OpenSSH runs on the default port

Category: OS security

OS: Linux

Description

Verifies if the default ssh port is used for the ssh server.

Recommendation

Change the ssh port in order to reduce chances of being targeted.

OpenSSH PermitEmptyPasswords is enabled

Category: OS security

OS: Linux

Description

Verifies if the PermitEmptyPasswords parameter for the OpenSSH server is set to allow login to accounts with empty password strings.

Recommendation

Ensure OpenSSH server does not allow login to accounts with empty password strings.

OpenSSH HostbasedAuthentication is enabled

Category: OS security

OS: Linux

Description

Verifies if the HostbasedAuthentication parameter for the OpenSSH server is set to allow authentication through trusted hosts.

Recommendation

Ensure the OpenSSH server does not allow authentication through trusted hosts.

OpenSSH idle timeout interval is not configured

Category: OS security

OS: Linux

Description

Verifies if the ClientAliveInterval and ClientAliveCountMax parameters for the OpenSSH server are not configured.

When both parameters are configured, the server sends a keep-alive message every ClientAliveInterval seconds while the session is idle and ends the session once ClientAliveCountMax consecutive messages go unanswered.

Recommendation

Ensure the idle timeout interval options for the OpenSSH server are configured.

OpenSSH Password login

Category: OS security

OS: Linux

Description

Verifies if password login is enabled for OpenSSH server.

Recommendation

Ensure SSH access is made through public keys.

Automatic login enabled

Category: OS security

OS: Linux

Description

Verifies if automatic login is configured for a user on the endpoint.

Note

Automatic login automatically logs in a user after OS boot.

Recommendation

Ensure the automatic login option is not enabled.

Samba guest access enabled

Category: OS security

OS: Linux

Description

Verifies if the Samba Service is configured to allow guest access.

Recommendation

Ensure guest access is restricted if you do not explicitly need it.

VSftp server anonymous access allowed

Category: OS security

OS: Linux

Description

Verifies if the VSftp service is configured to allow anonymous access.

Recommendation

Ensure anonymous access to the VSftp service is not allowed.

Boot directory access not restricted

Category: OS security

OS: Linux

Description

Verifies if access to the boot directory is restricted for non-root accounts.

Recommendation

Ensure only the root account is allowed access to the boot directory.

Users do not own their home directory

Category: OS security

OS: Linux

Description

Verifies if there is at least one user that does not own their home directory.

Recommendation

Ensure every user present on the endpoint owns their own home directory.

GPGCheck is globally activated

Category: OS security

OS: Linux

Description

Verifies if the gpg signature check is globally enabled, thus making sure that updates are obtained from a valid source.

Recommendation

Ensure the gpg signature check is globally enabled.

Ensure sudo commands use pty

Category: OS security

OS: Linux

Description

Verifies if sudo is configured to run only from a pseudo-pty.

Attackers can run malicious programs using sudo, causing it to fork a background process that persists even when the main program has finished executing.

Recommendation

Ensure sudo is configured to run other programs from a pseudo-pty.

Permissions on bootloader are not restricted

Category: OS security

OS: Linux

Description

Verifies the permissions on the bootloader configuration file.

If not properly configured, non-root users may read the boot parameters and could identify weaknesses in security upon boot.

Recommendation

Ensure only root can read and write the bootloader configuration file.

Permissions on the motd file are not restricted

Category: OS security

OS: Linux

Description

Verifies if permissions on the /etc/motd file are not restricted. The content of the /etc/motd file is displayed to users after login, and functions as a message of the day for authenticated users.

If the permissions and ownership of this file are not properly configured, it could allow other users to corrupt it with incorrect or misleading information.

Recommendation

Ensure the owner of the motd file is root and permissions to others are restricted to read only.

Permissions on the issue file are not restricted

Category: OS security

OS: Linux

Description

Verifies if permissions on the /etc/issue file are not restricted. The content of the /etc/issue file is displayed to users prior to login from local terminals.

If the permissions and ownership of this file are not properly configured, it could allow other users to corrupt it with incorrect or misleading information.

Recommendation

Ensure the owner of the issue file is root and permissions to others are restricted to read only.

Permissions on the issue.net file are not restricted

Category: OS security

OS: Linux

Description

Verifies if permissions on the /etc/issue.net file are not restricted. The content of the /etc/issue.net file is displayed to users prior to login from remote terminals.

If the permissions and ownership of this file are not properly configured, it could allow other users to corrupt it with incorrect or misleading information.

Recommendation

Ensure the owner of the issue.net file is root and permissions to others are restricted to read only.

Avahi Server is enabled

Category: OS security

OS: Linux

Description

Verifies if Avahi Server is enabled on the endpoint. Avahi Server allows programs to publish and discover services and hosts running on the local network.

Recommendation

Ensure Avahi Server is not enabled in order to reduce the endpoint's potential attack surface.

Rsync Server is enabled

Category: OS security

OS: Linux

Description

Verifies if Rsync Server is enabled on the endpoint. The Rsync service is used to synchronize files between systems over the network through an unencrypted protocol.

Recommendation

Ensure the rsyncd service is disabled.

SNMP Server is enabled

Category: OS security

OS: Linux

Description

Verifies if the Simple Network Management Protocol (SNMP) server is enabled. This service listens for SNMP commands, executes them or collects their results, and sends the results back to the requester.

The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands.

Recommendation

Ensure SNMP Server is disabled unless absolutely necessary.

HTTP proxy is enabled

Category: OS security

OS: Linux

Description

Verifies if the squid http proxy server is enabled.

If there is no need for a proxy server, it is recommended to disable or delete it, to reduce the potential attack surface.

Recommendation

Ensure squid http proxy is disabled if not used.

Samba Service is enabled

Category: OS security

OS: Linux

Description

Verifies if Samba Service is enabled on the endpoint. If there is no need to mount directories and file systems, then this service can be disabled in order to reduce the potential attack surface.

Recommendation

Ensure SMB service is disabled if not used, to reduce the potential attack surface.

Authentication not required for rescue mode

Category: OS security

OS: Linux

Description

Verifies if authentication is required for rescue mode. Requiring authentication for rescue mode prevents unauthorized users from rebooting the system while in rescue mode, and gaining root privileges without credentials.

Recommendation

Ensure entering rescue mode requires authentication.

Authentication not required for single user mode

Category: OS security

OS: Linux

Description

Verifies if authentication is required for single user mode. Requiring authentication for single user mode prevents unauthorized users from rebooting the system while in single user mode, and gaining root privileges without credentials.

Recommendation

Ensure entering single user mode requires authentication.

Bootloader password is not set

Category: OS security

OS: Linux

Description

Verifies if there is a password set for the bootloader. Requiring a boot password will prevent unauthorized users from entering boot parameters or changing the boot partition.

Recommendation

Ensure bootloader password is set.

Duplicate group IDs

Category: OS security

OS: Linux

Description

Verifies if there are any duplicate group IDs (GIDs). User groups must be assigned unique GIDs to ensure appropriate access protection.

Recommendation

Ensure no duplicate group IDs are present in the /etc/group file.

Duplicate user IDs

Category: OS security

OS: Linux

Description

Verifies if there are any duplicate user IDs (UIDs). Users must be assigned unique UIDs to ensure appropriate access protection.

Recommendation

Ensure no duplicate user IDs are present in the /etc/passwd file.

Automatic updates disabled

Category: OS security

OS: Linux

Description

Verifies if the unattended-upgrades service is configured to install the latest security (and other) updates automatically.

Recommendation

If the unattended-upgrades service is installed, ensure it is configured to install updates automatically.

Sudo log file not configured

Category: OS security

OS: Linux

Description

Verifies if sudo has a custom log file configured. A sudo log file simplifies auditing of sudo commands.

Recommendation

Ensure custom log file is configured for sudo.

Address space layout randomization disabled

Category: OS security

OS: Linux

Description

Verifies if Address Space Layout Randomization (ASLR) is configured. ASLR is an exploit mitigation technique that increases the difficulty of writing memory corruption exploits by randomly placing virtual memory regions.

Recommendation

Ensure Address space layout randomization (ASLR) is enabled.

Shadow group is not empty

Category: OS security

OS: Linux

Description

Verifies if the shadow group is empty. The shadow group grants system programs that need it the ability to read the /etc/shadow file. No users should be assigned to the shadow group.

Recommendation

Ensure no users are granted read access to the /etc/shadow file.

Duplicate group names

Category: OS security

OS: Linux

Description

Verifies if there are any duplicated group names.

If a group is assigned a duplicate group name, any files it creates will be associated with the first occurrence of that group name's GID in /etc/group. The duplicate group name will also have access to any existing files associated with that first-occurring GID.

Recommendation

Ensure there are no duplicate group names present in /etc/group.

Duplicate user names

Category: OS security

OS: Linux

Description

Verifies if there are any duplicated user names.

If a user is assigned a duplicate user name, any files it creates will be associated with the first occurrence of that user name's UID in /etc/passwd. The duplicate user name will also have access to any existing files associated with that first-occurring UID.

Recommendation

Ensure there are no duplicate user names present in /etc/passwd.

User has a rhosts file

Category: OS security

OS: Linux

Description

Verifies if there are any users with a .rhosts file. Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, they may have been brought over from other systems and could contain information useful to an attacker for those other systems.

Recommendation

Ensure no .rhosts files are present in user home directories.

User has a netrc file

Category: OS security

OS: Linux

Description

Verifies if there are any users with a .netrc file. .netrc files may contain unencrypted passwords that can be used to attack other systems.

Recommendation

Ensure no .netrc files are present in user home directories.

User has a netrc file group / world accessible

Category: OS security

OS: Linux

Description

Verifies if there are group / world accessible .netrc files. .netrc files may contain unencrypted passwords that may be used to attack other systems.

Recommendation

Ensure there are no group- or world-accessible .netrc files in user home directories.

passwd group not present in group file

Category: OS security

OS: Linux

Description

Verifies if all groups mentioned in the /etc/passwd file are also present in the /etc/group file. Groups that are defined in the /etc/passwd file but not in the /etc/group file pose a threat to system security, since their group permissions are not properly managed.

Recommendation

Ensure all groups defined in /etc/passwd have a declaration in /etc/group as well.

User with empty password

Category: OS security

OS: Linux

Description

Verifies if all accounts have a non-empty password field. All accounts must have passwords or be locked to prevent unauthorized access to that account.

Recommendation

Ensure all accounts have a password.

Sensitive local login banner message

Category: OS security

OS: Linux

Description

Verifies if the contents of the /etc/issue file are displaying information about the OS release and patch level.

Recommendation

Ensure the content of the /etc/issue file does not include OS release and patch level.

Sensitive remote login banner message

Category: OS security

OS: Linux

Description

Verifies if the contents of the /etc/issue.net file are displaying information about OS release and patch level.

Recommendation

Ensure the content of the /etc/issue.net file does not include OS release and patch level.

Sensitive motd message

Category: OS security

OS: Linux

Description

Verifies if the contents of the /etc/motd file are displaying information about OS release and patch level.

Recommendation

Ensure the content of the /etc/motd file does not include OS release and patch level.

Sensitive gdm login banner message

Category: OS security

OS: Linux

Description

Verifies if the /etc/gdm3/greeter.dconf-defaults file specifies that the banner message is enabled and the banner contains information about OS release and patch level.

Recommendation

Ensure the content of the /etc/gdm3/greeter.dconf-defaults config banner does not include OS release and patch level.

User with .forward file in home directory

Category: OS security

OS: Linux

Description

The purpose of a .forward file is to automatically forward mail as it is received to all included addresses, which may pose a risk as sensitive data can be transferred outside the organization.

Recommendation

Ensure no users have a .forward file in their home directory.

User does not own their home directory

Category: OS security

OS: Linux

Description

Verifies if there is any user who does not own their home directory. Since the user is accountable for files stored in their home directory, they must be the owner of the directory.

Recommendation

Ensure every user owns their home directory.

User dot files with wrong permissions

Category: OS security

OS: Linux

Description

Verifies if there is any user who has dot files with wrong permissions. If a user's dot files are group- or world-writable, this may enable a malicious user to steal or modify their data or to gain system privileges.

Recommendation

Ensure every user's dot files are not group or world-writable.

User home directory exists

Category: OS security

OS: Linux

Description

Verifies if there is any user with a missing home directory. If a user's home directory does not exist, the user is placed in '/' at login and may not be able to write any files.

Recommendation

Ensure every user has a home directory.

Root PATH integrity

Category: OS security

OS: Linux

Description

Because the root user can execute any command on the system, having the current working directory (.) or a group- or other-writable directory in root's PATH creates the possibility for an attacker to gain superuser access.

Recommendation

Ensure root's executable path does not contain . or any directories with group or other write permissions.
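The home-directory checks above (missing or foreign-owned home directories, group- or world-writable dot files, .rhosts, .netrc and .forward files) and the root PATH integrity check share the same building block: reading a file's mode and owner. The script below is an added example, not the product's own check logic. It builds a constructed fixture (a passwd-style list plus a small directory tree under a temporary directory) so that it runs without root; a live audit would pass /etc/passwd and root's real PATH instead. It relies only on POSIX ls -n, so it is portable, and the hypothetical PATH_UNDER_TEST variable stands in for root's PATH.

```shell
#!/bin/sh
# Added example (not the product's own check logic): home-directory hygiene and root PATH
# integrity on a constructed fixture. Uses POSIX ls -ldn, so no GNU stat/find is needed.

FIX="$(mktemp -d)"; trap 'rm -rf "$FIX"' EXIT
MYUID="$(id -u)"
# Constructed passwd-style fixture: alice's home is owned by the running user (her UID matches),
# bob's UID deliberately differs so his home is "not owned", carol's home does not exist.
cat > "$FIX/passwd" <<EOF
alice:x:$MYUID:$MYUID::$FIX/home/alice:/bin/sh
bob:x:$((MYUID + 1)):$((MYUID + 1))::$FIX/home/bob:/bin/sh
carol:x:$((MYUID + 2)):$((MYUID + 2))::$FIX/home/carol:/bin/sh
EOF
mkdir -p "$FIX/home/alice" "$FIX/home/bob" "$FIX/bin" "$FIX/sbin"
touch "$FIX/home/alice/.profile" "$FIX/home/bob/.bashrc" "$FIX/home/bob/.netrc" "$FIX/home/bob/.forward"
chmod 600 "$FIX/home/alice/.profile" "$FIX/home/bob/.netrc"
chmod 666 "$FIX/home/bob/.bashrc"; chmod 644 "$FIX/home/bob/.forward"
chmod 777 "$FIX/bin"; chmod 755 "$FIX/sbin"
# Hypothetical PATH standing in for root's: has an empty entry (::), "." and a 777 directory.
PATH_UNDER_TEST="$FIX/sbin:$FIX/bin::."

# Mode string (e.g. drwxrwxr-x) and numeric owner UID of a path, via POSIX ls -ldn.
perm_of()  { ls -ldn "$1" | awk '{ print $1 }'; }
owner_of() { ls -ldn "$1" | awk '{ print $3 }'; }
# Succeed when the group (position 6) or other (position 9) write bit is set.
gw_or_ow() { case "$(perm_of "$1")" in ?????w*|????????w*) return 0 ;; esac; return 1; }

# One "FAIL <check>: <detail>" line per finding; nothing for users that pass.
audit_homes() {  # audit_homes <passwd-file>
    while IFS=: read -r user pw uid gid gecos home shell; do
        if [ ! -d "$home" ]; then echo "FAIL MissingHome: $user $home"; continue; fi
        [ "$(owner_of "$home")" = "$uid" ] || echo "FAIL NotOwner: $user does not own $home"
        for f in "$home"/.[!.]* "$home"/..?*; do
            [ -f "$f" ] || continue
            if gw_or_ow "$f"; then echo "FAIL WritableDotfile: $f"; fi
            case "${f##*/}" in .rhosts|.netrc|.forward) echo "FAIL RiskyDotfile: $f" ;; esac
        done
    done < "$1"
    return 0
}

# Root PATH integrity: no empty entries or ".", and every entry an existing directory that is
# owned by UID 0 and not writable by group or other.
audit_path() {  # audit_path <path-string>
    case "$1" in :*|*::*|*:) echo "FAIL EmptyPathEntry: $1" ;; esac
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r d; do
        if [ -z "$d" ]; then continue; fi
        if [ "$d" = . ]; then echo "FAIL DotInPath: current directory in PATH"; continue; fi
        if [ ! -d "$d" ]; then echo "FAIL NotADirectory: $d"; continue; fi
        [ "$(owner_of "$d")" = 0 ] || echo "FAIL NotRootOwned: $d"
        if gw_or_ow "$d"; then echo "FAIL WritablePathDir: $d"; fi
    done
    return 0
}

audit_homes "$FIX/passwd"
audit_path "$PATH_UNDER_TEST"
```

On the fixture, audit_homes reports nothing for alice and five findings otherwise: bob's foreign ownership, his world-writable .bashrc, his .netrc and .forward, and carol's missing home. audit_path flags the empty entry, the "." entry and the 777 directory; the NotRootOwned line appears only when the script is not run as root, since the fixture directories belong to whoever runs it.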

Non-root user with UID 0

Category: OS security

OS: Linux

Description

Verifies if any user except root has the UID set to 0. Any account with UID 0 has superuser privileges on the system.

Recommendation

Ensure root is the only user with UID set to 0.

Legacy '+' entries in /etc/passwd

Category: OS security

OS: Linux

Description

Verifies if any entries beginning with '+' exist in /etc/passwd. '+' entries were used as markers to insert data from NIS maps, but are no longer required. This may provide attackers a way to gain access.

Recommendation

Ensure no legacy '+' entries exist in /etc/passwd.

Legacy '+' entries in /etc/shadow

Category: OS security

OS: Linux

Description

Verifies if any entries beginning with '+' exist in /etc/shadow. '+' entries were used as markers to insert data from NIS maps, but are no longer required. This may provide attackers a way to gain access.

Recommendation

Ensure no legacy '+' entries exist in /etc/shadow.

Legacy '+' entries in /etc/group

Category: OS security

OS: Linux

Description

Verifies if any entries beginning with '+' exist in /etc/group. '+' entries were used as markers to insert data from NIS maps, but are no longer required. This may provide attackers a way to gain access.

Recommendation

Ensure no legacy '+' entries exist in /etc/group.
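The account-database checks above (duplicate UIDs and GIDs, duplicate user and group names, a non-empty shadow group, primary groups missing from /etc/group, empty password fields, non-root UID 0 accounts and legacy '+' entries) all reduce to field-level queries over the colon-separated passwd, group and shadow files. The following script is an added example, not the product's own check logic; it runs against constructed copies of the three files written to a temporary directory, each seeded with one instance of every problem, and would be pointed at the real files (as root, for /etc/shadow) in a live audit.

```shell
#!/bin/sh
# Added example (not the product's own check logic): audit passwd/group/shadow copies
# for the account-database misconfigurations described above.

TMPD="$(mktemp -d)"; trap 'rm -rf "$TMPD"' EXIT
# Constructed fixtures, deliberately containing: duplicate UIDs (0 and 1001), a duplicate user
# name (alice), a second UID-0 account (toor), a primary group never declared (dave, GID 4242),
# a legacy NIS '+' entry, a duplicate GID (1000), a duplicate group name (staff), a member in the
# shadow group and an empty password field (bob). Hashes are placeholders.
cat > "$TMPD/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1001:1002:Carol:/home/carol:/bin/bash
alice:x:1003:1003:Alice again:/home/alice2:/bin/bash
toor:x:0:0:second UID 0 account:/root:/bin/bash
dave:x:1004:4242:Dave:/home/dave:/bin/bash
+::::::
EOF
cat > "$TMPD/group" <<'EOF'
root:x:0:
daemon:x:1:
shadow:x:42:bob
alice:x:1000:
bob:x:1001:
carol:x:1002:
alice2:x:1003:
staff:x:50:
staff:x:1005:
admins:x:1000:
EOF
cat > "$TMPD/shadow" <<'EOF'
root:$6$PLACEHOLDERHASH:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$PLACEHOLDERHASH:19000:0:99999:7:::
bob::19000:0:99999:7:::
EOF

# Values of colon-separated field <n> that occur more than once (legacy +/- NIS lines skipped).
dup_field() {  # dup_field <file> <field-no>
    awk -F: -v n="$2" '$1 !~ /^[+-]/ { c[$n]++ } END { for (v in c) if (c[v] > 1) print v }' "$1" | sort
}

# One "FAIL <check>: <detail>" line per finding; nothing for checks that pass.
audit_accounts() {  # audit_accounts <passwd> <group> <shadow>
    p="$1"; g="$2"; s="$3"
    for v in $(dup_field "$p" 3); do echo "FAIL DuplicateUID: $v"; done
    for v in $(dup_field "$p" 1); do echo "FAIL DuplicateUserName: $v"; done
    for v in $(dup_field "$g" 3); do echo "FAIL DuplicateGID: $v"; done
    for v in $(dup_field "$g" 1); do echo "FAIL DuplicateGroupName: $v"; done
    # Any account other than root with UID 0 has superuser privileges.
    awk -F: '$1 !~ /^[+-]/ && $3 == 0 && $1 != "root" { print "FAIL NonRootUID0: " $1 }' "$p"
    # Legacy NIS '+' markers in any of the three databases.
    for f in "$p" "$g" "$s"; do
        if grep -q '^+' "$f"; then echo "FAIL LegacyPlusEntry: $f"; fi
    done
    # Every primary GID in passwd must be declared in group (group is read first, NR == FNR).
    awk -F: 'NR == FNR { gid[$3] = 1; next }
             $1 !~ /^[+-]/ && !($4 in gid) { print "FAIL UndeclaredGroup: " $1 " gid=" $4 }' "$g" "$p"
    # An empty second field in shadow means the account can log in without a password.
    awk -F: '$1 !~ /^[+-]/ && $2 == "" { print "FAIL EmptyPassword: " $1 }' "$s"
    # The shadow group (field 4 is the member list) must have no members.
    awk -F: '$1 == "shadow" && $4 != "" { print "FAIL ShadowGroupMembers: " $4 }' "$g"
    return 0
}

audit_accounts "$TMPD/passwd" "$TMPD/group" "$TMPD/shadow"
```

Against the fixture this prints ten FAIL lines. The two-file awk idiom for UndeclaredGroup reads /etc/group first so that the passwd pass can test each primary GID against the declared set in one sweep, which is also how the check stays linear on large user databases.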

Incorrect permissions on /etc/ssh/sshd_config

Category: OS security

OS: Linux

Description

Verifies permissions on the /etc/ssh/sshd_config file. This file needs to be protected from unauthorized changes.

Recommendation

Ensure the /etc/ssh/sshd_config file has the UID and GID set to 0 (root), and does not grant any permissions to group or other users.

Incorrect permissions on SSH private host keys

Category: OS security

OS: Linux

Description

Verifies permissions on all SSH private host keys. An SSH private key is a proof of identity.

  • If an unauthorized user obtains the private key, the owner could be impersonated.

Recommendation

Ensure all SSH private keys have UID and GID set to 0 (root) and do not give any permissions to group or other users.

Incorrect permissions on SSH public host keys

Category: OS security

OS: Linux

Description

Verifies permissions on all SSH public keys. A public key is a key that can be used to verify digital signatures generated using a corresponding private key.

  • If the public key is modified by an unauthorized user, the SSH service may be compromised.

Recommendation

Ensure all SSH public keys have UID and GID set to 0 (root) and do not give any permissions to group or other users.

SSH log level is appropriate

Category: OS security

OS: Linux

Description

Verifies that LogLevel is not set to debug in /etc/ssh/sshd_config, as it provides too much information that can be used by an attacker.

Recommendation

Ensure SSH log level is not set to debug.

SSH X11 forwarding is enabled

Category: OS security

OS: Linux

Description

Verifies that X11Forwarding in /etc/ssh/sshd_config is disabled. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server.

Recommendation

Ensure SSH X11 forwarding is disabled.

SSH IgnoreRhosts is disabled

Category: OS security

OS: Linux

Description

Verifies that IgnoreRhosts in /etc/ssh/sshd_config is set to yes. Setting this parameter forces users to enter a password when authenticating with SSH.

Recommendation

Ensure SSH IgnoreRhosts is enabled.

SSH PermitUserEnvironment is enabled

Category: OS security

OS: Linux

Description

Verifies that PermitUserEnvironment in /etc/ssh/sshd_config is disabled. This option allows users to present environment options to the SSH daemon and could potentially allow users to bypass security controls.

Recommendation

Ensure SSH PermitUserEnvironment is disabled.

SSH uses weak ciphers

Category: OS security

OS: Linux

Description

Verifies that Ciphers in /etc/ssh/sshd_config does not contain any weak ciphers.

Recommendation

Ensure only strong Ciphers are being used.

SSH uses weak MAC algorithms

Category: OS security

OS: Linux

Description

Verifies that MACs in /etc/ssh/sshd_config does not contain any weak MAC algorithms.

Recommendation

Ensure only strong MAC algorithms are being used.

SSH uses weak key exchange algorithms

Category: OS security

OS: Linux

Description

Verifies that KexAlgorithms in /etc/ssh/sshd_config does not contain any weak key exchange algorithms.

Recommendation

Ensure only strong key exchange algorithms are being used.

SSH access is not limited

Category: OS security

OS: Linux

Description

Verifies that at least one option limiting which users and groups can access the system (AllowUsers, AllowGroups, DenyUsers, DenyGroups) is being used. Restricting which users can access the system via SSH will help ensure that only authorized users access the system.

Recommendation

Ensure SSH access is limited.

SSH warning banner is not configured

Category: OS security

OS: Linux

Description

Verifies that Banner in /etc/ssh/sshd_config is set. Banners are used to warn connecting users of the site's particular policy regarding connection.

Recommendation

Ensure SSH warning banner is configured.

SSH UsePam is disabled

Category: OS security

OS: Linux

Description

Verifies that UsePAM in /etc/ssh/sshd_config is enabled. When UsePAM is enabled, the Pluggable Authentication Modules (PAM) service runs through the account and session module types properly.

This is important if you want to restrict access to services based on IP address.

Recommendation

Ensure SSH PAM is enabled.

SSH AllowTcpForwarding is enabled

Category: OS security

OS: Linux

Description

Verifies that AllowTcpForwarding in /etc/ssh/sshd_config is disabled. Leaving port forwarding enabled can expose the organization to security risks and backdoors.

Recommendation

Ensure SSH AllowTcpForwarding is disabled.

SSH MaxAuthTries is not properly configured

Category: OS security

OS: Linux

Description

Verifies that MaxAuthTries in /etc/ssh/sshd_config is set to 4 or less. Setting MaxAuthTries to a low number will minimize the risk of a successful brute force attack to the SSH server.

Recommendation

Ensure SSH MaxAuthTries option is configured to support up to 4 retries.

SSH LoginGraceTime is not properly configured

Category: OS security

OS: Linux

Description

Verifies that LoginGraceTime in /etc/ssh/sshd_config is set to 1 minute or less. Setting LoginGraceTime to a low number will minimize the risk of a successful brute force attack to the SSH server.

Recommendation

Ensure SSH LoginGraceTime option is configured to wait up to 1 minute.

SSH MaxSessions is not properly configured

Category: OS security

OS: Linux

Description

Verifies that MaxSessions in /etc/ssh/sshd_config is set to 4 or less. Setting MaxSessions to a low number will minimize the risk of overwhelming the SSH daemon.

Recommendation

Ensure SSH MaxSessions option is configured to allow up to 4 sessions.

SSH MaxStartups is not configured

Category: OS security

OS: Linux

Description

Verifies that MaxStartups in /etc/ssh/sshd_config is set to 10:30:60. This parameter specifies the maximum number of concurrent unauthenticated connections to the SSH daemon.

Recommendation

Ensure SSH MaxStartups option is properly configured.
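The OpenSSH entries on this page (from root login, empty passwords and host-based authentication through the idle-timeout, logging, forwarding, algorithm, access-limit, banner, PAM and rate-limit settings above) are all questions about the effective value of a directive in sshd_config. The script below is an added example, not the product's own check logic. It implements the two details that trip up naive grep-based checks: sshd honours the first occurrence of a directive and ignores anything after the first Match block, and an absent directive means the compiled-in default applies, so the check must compare against that default rather than treat "not set" as a pass. The weak cipher, MAC and key exchange lists are illustrative CIS-style samples, not an exhaustive catalogue, and yes/no values are compared as written in lower case; the sample sshd_config is constructed for the example.

```shell
#!/bin/sh
# Added example (not the product's own check logic): audit an sshd_config against the
# OpenSSH settings described on this page. Weak-algorithm lists are illustrative samples.

# Constructed sample config (not from a real host) that violates most of the checks.
SAMPLE_SSHD_CONFIG="$(mktemp)"; trap 'rm -f "$SAMPLE_SSHD_CONFIG"' EXIT
cat > "$SAMPLE_SSHD_CONFIG" <<'EOF'
# constructed sample sshd_config
Port 22
LogLevel DEBUG
PermitRootLogin yes
MaxAuthTries 6
MaxSessions=3
X11Forwarding yes
IgnoreRhosts no
PermitEmptyPasswords yes
PasswordAuthentication yes
UsePAM yes
AllowTcpForwarding yes
ClientAliveInterval 300
LoginGraceTime 2m
Ciphers aes128-ctr,aes256-gcm@openssh.com,3des-cbc,arcfour
MACs hmac-sha2-256,hmac-md5
KexAlgorithms curve25519-sha256,diffie-hellman-group14-sha1
AllowGroups sshusers
Match User backup
    PermitRootLogin no
EOF

# Effective global value of a directive: sshd keeps the FIRST occurrence it reads, the global
# section ends at the first Match block, keywords are case-insensitive and may be written
# "Key value" or "Key=value" (values containing '=' are not expected).
sshd_get() {  # sshd_get <directive> <file>
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { sub(/=/, " "); k = tolower($1) }
        k == "match" { exit }
        k == key { sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); sub(/[[:space:]]+$/, ""); print; exit }
    ' "$2"
}

# Same, falling back to sshd's compiled-in default when the directive is absent.
sshd_eff() {  # sshd_eff <directive> <default> <file>
    v="$(sshd_get "$1" "$3")"
    [ -n "$v" ] && printf '%s\n' "$v" || printf '%s\n' "$2"
}

# Convert an sshd time value (bare seconds, or a number with an s/m/h suffix) to seconds.
to_seconds() {
    case "$1" in
        *s) echo "${1%s}" ;;
        *m) echo $(( ${1%m} * 60 )) ;;
        *h) echo $(( ${1%h} * 3600 )) ;;
        *)  echo "$1" ;;
    esac
}

# Print the configured algorithms (comma-separated, optional leading +/-/^) found in the weak list.
weak_in_list() {  # weak_in_list <configured-csv> <space-separated-weak-names>
    list="${1#[-+^]}"
    printf '%s\n' "$list" | tr ',' '\n' | while IFS= read -r alg; do
        for w in $2; do if [ "$alg" = "$w" ]; then printf '%s ' "$alg"; fi; done
    done
    return 0
}

# One "FAIL <check>: <detail>" line per violated setting; nothing is printed for passing checks.
sshd_audit() {  # sshd_audit <sshd_config>
    f="$1"
    [ "$(sshd_eff PermitRootLogin prohibit-password "$f")" = no ] || echo "FAIL PermitRootLogin: root login is not disabled"
    [ "$(sshd_eff PermitEmptyPasswords no "$f")" = no ] || echo "FAIL PermitEmptyPasswords: empty passwords accepted"
    [ "$(sshd_eff HostbasedAuthentication no "$f")" = no ] || echo "FAIL HostbasedAuthentication: trusted-host authentication allowed"
    [ "$(sshd_eff PasswordAuthentication yes "$f")" = no ] || echo "FAIL PasswordAuthentication: password login enabled"
    [ "$(sshd_eff ClientAliveInterval 0 "$f")" -gt 0 ] && [ -n "$(sshd_get ClientAliveCountMax "$f")" ] \
        || echo "FAIL IdleTimeout: ClientAliveInterval and ClientAliveCountMax are not both configured"
    case "$(sshd_eff LogLevel INFO "$f" | tr 'A-Z' 'a-z')" in debug*) echo "FAIL LogLevel: debug logging enabled" ;; esac
    [ "$(sshd_eff X11Forwarding no "$f")" = no ] || echo "FAIL X11Forwarding: enabled"
    [ "$(sshd_eff IgnoreRhosts yes "$f")" = yes ] || echo "FAIL IgnoreRhosts: .rhosts files are honoured"
    [ "$(sshd_eff PermitUserEnvironment no "$f")" = no ] || echo "FAIL PermitUserEnvironment: enabled"
    [ "$(sshd_eff AllowTcpForwarding yes "$f")" = no ] || echo "FAIL AllowTcpForwarding: port forwarding enabled"
    [ "$(sshd_eff MaxAuthTries 6 "$f")" -le 4 ] || echo "FAIL MaxAuthTries: more than 4 attempts allowed"
    [ "$(to_seconds "$(sshd_eff LoginGraceTime 120 "$f")")" -le 60 ] || echo "FAIL LoginGraceTime: longer than 60 seconds"
    [ "$(sshd_eff MaxSessions 10 "$f")" -le 4 ] || echo "FAIL MaxSessions: more than 4 sessions allowed"
    [ "$(sshd_eff MaxStartups 10:30:100 "$f")" = 10:30:60 ] || echo "FAIL MaxStartups: not set to 10:30:60"
    [ -n "$(sshd_get Banner "$f")" ] || echo "FAIL Banner: no warning banner configured"
    [ "$(sshd_eff UsePAM no "$f")" = yes ] || echo "FAIL UsePAM: PAM not enabled"
    [ -n "$(sshd_get AllowUsers "$f")$(sshd_get AllowGroups "$f")$(sshd_get DenyUsers "$f")$(sshd_get DenyGroups "$f")" ] \
        || echo "FAIL AccessLimit: no AllowUsers/AllowGroups/DenyUsers/DenyGroups directive"
    w="$(weak_in_list "$(sshd_get Ciphers "$f")" "3des-cbc arcfour arcfour128 arcfour256 blowfish-cbc cast128-cbc")"
    [ -z "$w" ] || echo "FAIL Ciphers: weak ciphers configured: $w"
    w="$(weak_in_list "$(sshd_get MACs "$f")" "hmac-md5 hmac-md5-96 hmac-sha1-96 umac-64@openssh.com")"
    [ -z "$w" ] || echo "FAIL MACs: weak MACs configured: $w"
    w="$(weak_in_list "$(sshd_get KexAlgorithms "$f")" "diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1")"
    [ -z "$w" ] || echo "FAIL KexAlgorithms: weak key exchange configured: $w"
}

sshd_audit "$SAMPLE_SSHD_CONFIG"
```

On the sample, fifteen of the twenty checks fail. Note that PermitRootLogin is reported as "yes" even though the Match block later says "no": the Match value applies only to that user, and the first global occurrence is what governs everyone else. Running `sshd -T` on a live host gives the fully resolved configuration and is the most reliable input for such a check when it is available.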

Mounting cramfs filesystems is enabled

Category: OS security

OS: Linux

Description

Verifies that the mounting of cramfs filesystems is disabled. Removing support for unneeded filesystem types reduces the local attack surface of the server.

Recommendation

Ensure mounting of cramfs filesystem is disabled if not used.

Mounting freevxfs filesystems is enabled

Category: OS security

OS: Linux

Description

Verifies that the mounting of freevxfs filesystems is disabled. Removing support for unneeded filesystem types reduces the local attack surface of the server.

Recommendation

Ensure mounting of freevxfs filesystem is disabled if not used.

Mounting jffs2 filesystems is enabled

Category: OS security

OS: Linux

Description

Verifies that the mounting of jffs2 filesystems is disabled. Removing support for unneeded filesystem types reduces the local attack surface of the server.

Recommendation

Ensure mounting of jffs2 filesystem is disabled if not used.

Mounting hfs filesystems is enabled

Category: OS security

OS: Linux

Description

Verifies that the mounting of hfs filesystems is disabled. Removing support for unneeded filesystem types reduces the local attack surface of the server.

Recommendation

Ensure mounting of hfs filesystem is disabled if not used.

Mounting hfsplus filesystems is enabled

Category: OS security

OS: Linux

Description

Verifies that the mounting of hfsplus filesystems is disabled. Removing support for unneeded filesystem types reduces the local attack surface of the server.

Recommendation

Ensure mounting of hfsplus filesystem is disabled if not used.

Mounting squashfs filesystems is enabled

Category: OS security

OS: Linux

Description

Verifies that the mounting of squashfs filesystems is disabled. Removing support for unneeded filesystem types reduces the local attack surface of the server.

Recommendation

Ensure mounting of squashfs filesystem is disabled if not used.

Mounting udf filesystems is enabled

Category: OS security

OS: Linux

Description

Verifies that the mounting of udf filesystems is disabled. Removing support for unneeded filesystem types reduces the local attack surface of the server.

Recommendation

Ensure mounting of udf filesystem is disabled if not used.

No separate partition for /tmp directory

Category: OS security

OS: Linux

Description

Verifies that /tmp is a separate filesystem, either a tmpfs mount or a separate partition mounted on /tmp. Making /tmp its own file system allows an administrator to set the noexec option on the mount, rendering /tmp useless in case an attacker attempts to install executable code.

Recommendation

Ensure /tmp is a mountpoint.

nodev option is not set on /tmp partition

Category: OS security

OS: Linux

Description

Verifies that nodev option is set on the /tmp partition. This option ensures that users cannot attempt to create block or character-special devices in /tmp.

Recommendation

Ensure nodev option is set on the /tmp partition.

nosuid option is not set on /tmp partition

Category: OS security

OS: Linux

Description

Verifies that nosuid option is set on the /tmp partition. Since /tmp filesystem is only intended for temporary file storage, this option ensures that users cannot attempt to create setuid files.

Recommendation

Ensure nosuid option is set on the /tmp partition.

noexec option is not set on /tmp partition

Category: OS security

OS: Linux

Description

Verifies that noexec option is set on the /tmp partition. Since /tmp filesystem is only intended for temporary file storage, this option ensures that users cannot attempt to run executable binaries from /tmp.

Recommendation

Ensure noexec option is set on the /tmp partition.

No separate partition for /var folder

Category: OS security

OS: Linux

Description

Verifies the existence of a separate partition for /var. /var may contain world-writable files and directories, thus raising the risk of resource exhaustion if not bound to a separate partition.

Recommendation

Ensure a separate partition is in place for /var.

No separate partition for /var/tmp directory

Category: OS security

OS: Linux

Description

Verifies the existence of a separate partition for /var/tmp. /var/tmp may contain world-writable files and directories, thus raising the risk of resource exhaustion if not bound to a separate partition. This also allows the nodev, nosuid and noexec mount options to be set, preventing further vulnerabilities.

Recommendation

Ensure a separate partition is in place for /var/tmp.

nodev option is not set on /var/tmp partition

Category: OS security

OS: Linux

Description

Verifies that nodev option is set on the /var/tmp partition. This option ensures that users cannot attempt to create block or character special devices in /var/tmp.

Recommendation

Ensure the nodev option is set on the /var/tmp partition.

nosuid option is not set on /var/tmp partition

Category: OS security

OS: Linux

Description

Verifies that nosuid option is set on the /var/tmp partition. Since /var/tmp filesystem is only intended for temporary file storage, this option ensures that users cannot attempt to create setuid files.

Recommendation

Ensure the nosuid option is set on the /var/tmp partition.

noexec option is not set on /var/tmp partition

Category: OS security

OS: Linux

Description

Verifies that noexec option is set on the /var/tmp partition. Since /var/tmp filesystem is only intended for temporary file storage, this option ensures that users cannot attempt to run executable binaries from /var/tmp.

Recommendation

Ensure the noexec option is set on the /var/tmp partition.

No separate partition for /var/log directory

Category: OS security

OS: Linux

Description

Verifies the existence of a separate partition for the /var/log directory. /var/log should be on a separate partition to prevent resource exhaustion and protect audit data.

Recommendation

Ensure a separate partition is in place for /var/log.

No separate partition for /var/log/audit directory

Category: OS security

OS: Linux

Description

Verifies the existence of a separate partition for /var/log/audit. /var/log/audit should be on a separate partition to prevent resource exhaustion and protect audit data.

Recommendation

Ensure a separate partition is in place for /var/log/audit.

No separate partition for /home directory

Category: OS security

OS: Linux

Description

Verifies the existence of a separate partition for /home. This protects against resource exhaustion and can restrict the type of files that can be stored under /home.

Recommendation

Ensure a separate partition is in place for /home.

nodev option is not set on /home partition

Category: OS security

OS: Linux

Description

Verifies that the nodev option is set on the /home partition. This option ensures that users cannot attempt to create block or character special devices in /home.

Recommendation

Ensure the nodev option is set on /home partition.

nodev option is not set on /dev/shm partition

Category: OS security

OS: Linux

Description

Verifies that the nodev option is set on the /dev/shm partition. This option ensures that users cannot attempt to create block or character special devices in /dev/shm.

Recommendation

Ensure the nodev option is set on the /dev/shm partition.

nosuid option is not set on /dev/shm partition

Category: OS security

OS: Linux

Description

Verifies that the nosuid option is set on the /dev/shm partition. Since the /dev/shm filesystem is only intended for temporary file storage, this option ensures that users cannot attempt to create setuid files there.

Recommendation

Ensure the nosuid option is set on the /dev/shm partition.

noexec option is not set on /dev/shm partition

Category: OS security

OS: Linux

Description

Verifies that the noexec option is set on the /dev/shm partition. Since the /dev/shm filesystem is only intended for temporary file storage, this option ensures that users cannot attempt to run executable binaries from /dev/shm.

Recommendation

Ensure the noexec option is set on the /dev/shm partition.
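The mount-option and separate-partition checks above (/var/tmp, /home, /dev/shm, /var/log, /var/log/audit) can be verified from /proc/mounts. The script below is an added example, not the product's own check logic; the expected-option table and the sample mount lines are constructed here.

```python
"""Check mount options and separate partitions against the expectations above.

Reads /proc/mounts-style lines (device, mountpoint, fstype, options, dump, pass)
and reports each unmet expectation. Added example, not the product's own code.
"""

# Options required per mount point (table constructed from the entries above).
EXPECTED_OPTIONS = {
    "/var/tmp": {"nodev", "nosuid", "noexec"},
    "/home": {"nodev"},
    "/dev/shm": {"nodev", "nosuid", "noexec"},
}
# Directories that should live on their own partition.
SEPARATE_PARTITIONS = ["/var/log", "/var/log/audit", "/home"]


def parse_mounts(text):
    """Parse /proc/mounts content into {mountpoint: set(options)}."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or truncated line
        mounts[fields[1]] = set(fields[3].split(","))
    return mounts


def check_mounts(text):
    """Return the list of findings, worded like the entries above."""
    mounts = parse_mounts(text)
    findings = []
    for path in SEPARATE_PARTITIONS:
        if path not in mounts:
            findings.append(f"No separate partition for {path}")
    for path, wanted in EXPECTED_OPTIONS.items():
        if path not in mounts:
            if path not in SEPARATE_PARTITIONS:
                # Options can only be checked on a real mount point.
                findings.append(f"{path} is not a separate mount point")
            continue
        for opt in sorted(wanted - mounts[path]):
            findings.append(f"{opt} option is not set on {path} partition")
    return findings


# Constructed sample: /home lacks nodev, /var/tmp and /dev/shm lack noexec,
# and /var/log/audit shares the /var/log partition.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda2 /home ext4 rw,relatime 0 0
/dev/sda3 /var/tmp ext4 rw,nosuid,nodev,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sda4 /var/log ext4 rw,relatime 0 0
"""

if __name__ == "__main__":
    try:
        with open("/proc/mounts") as fh:  # live data on a Linux host
            text = fh.read()
    except OSError:
        text = SAMPLE_MOUNTS
    for finding in check_mounts(text):
        print(finding)
```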

USB Storage is enabled

Category: OS security

OS: Linux

Description

Verifies that usb-storage is disabled. Restricting USB access on the system will decrease the physical attack surface for a device.

Recommendation

Ensure USB Storage is disabled if not used.

Automounting is enabled

Category: OS security

OS: Linux

Description

Verifies that autofs is disabled. autofs allows automounting of devices.

With automounting enabled, anyone with physical access can attach a device and have its contents available in the system even if they lack permissions to mount it.

Recommendation

Ensure Automounting is disabled.

SSH protocol version should be set to 2

Category: OS security

OS: Linux

Description

Verifies that Protocol in /etc/ssh/sshd_config is set to 2. SSH v1 suffers from insecurities that do not affect SSH v2.

Recommendation

Ensure SSH Protocol is set to 2.

MongoDB authentication is not configured

Category: OS security

OS: Linux

Description

Verifies that authorization in /etc/mongod.conf is enabled. This ensures that all clients, users and servers are required to authenticate before being granted access to the MongoDB database.

Recommendation

Ensure MongoDB authentication is configured.

MongoDB allows authentication bypass via localhost exception

Category: OS security

OS: Linux

Description

Verifies that enableLocalhostAuthBypass in /etc/mongod.conf is set to false. This will prevent unauthorized local access to the MongoDB database and ensure traceability of each database activity to a specific user.

Recommendation

Ensure that MongoDB does not bypass authentication via the localhost exception.

MongoDB authentication is not enabled in the sharded cluster

Category: OS security

OS: Linux

Description

Verifies that certificateKeyFile, CAFile and clusterFile in /etc/mongod.conf are configured, and that clusterAuthMode is set to x509. Enforcing a key or certificate on a sharded cluster prevents unauthorized access to the MongoDB database and provides traceability of database activities to a specific user or component.

Recommendation

Ensure MongoDB authentication is enabled in the sharded cluster.

MongoDB listens on all interfaces

Category: OS security

OS: Linux

Description

Verifies that bindIp in /etc/mongod.conf is configured. This configuration blocks connections from untrusted networks (those not included in the bindIp values), leaving only systems on authorized and trusted networks able to attempt to connect to MongoDB.

Recommendation

Ensure MongoDB only listens for network connections on authorized interfaces.

MongoDB does not use TLS

Category: OS security

OS: Linux

Description

Verifies that mode (under tls) in /etc/mongod.conf is set to 'requireTLS'. This prevents sniffing of cleartext traffic between MongoDB components and man-in-the-middle attacks against MongoDB.

Recommendation

Ensure encryption of data in transit with TLS.
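The five MongoDB entries above all inspect keys in /etc/mongod.conf. The checker below is an added example, not the product's own code: it parses the mapping-only YAML subset that mongod.conf uses (no lists or anchors), evaluates each entry, and runs against a constructed weak and hardened configuration.

```python
"""Evaluate /etc/mongod.conf against the MongoDB entries above.

Added example, not the product's own logic. The tiny YAML parser only handles
nested "key: value" mappings, which is all mongod.conf needs for these keys.
"""


def parse_simple_yaml(text):
    """Parse indented key/value mappings into nested dicts."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) pairs
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("'\"")
        while indent <= stack[-1][0]:
            stack.pop()  # back out to the enclosing mapping
        parent = stack[-1][1]
        if value == "":
            parent[key] = child = {}
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def get(conf, dotted, default=None):
    """Look up a dotted path such as 'net.tls.mode'."""
    node = conf
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def check_mongod_conf(text):
    """Return the findings (titles from the entries above) for a config text."""
    conf = parse_simple_yaml(text)
    findings = []
    if get(conf, "security.authorization") != "enabled":
        findings.append("MongoDB authentication is not configured")
    if get(conf, "setParameter.enableLocalhostAuthBypass") != "false":
        findings.append("MongoDB allows authentication bypass via localhost exception")
    tls = get(conf, "net.tls")
    tls = tls if isinstance(tls, dict) else {}
    if (not all(k in tls for k in ("certificateKeyFile", "CAFile", "clusterFile"))
            or get(conf, "security.clusterAuthMode") != "x509"):
        findings.append("MongoDB authentication is not enabled in the sharded cluster")
    bind = get(conf, "net.bindIp", "")
    if not bind or "0.0.0.0" in bind.split(",") or get(conf, "net.bindIpAll") == "true":
        findings.append("MongoDB listens on all interfaces")
    if tls.get("mode") != "requireTLS":
        findings.append("MongoDB does not use TLS")
    return findings


# Constructed sample configurations (addresses and paths are placeholders).
SAMPLE_WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  authorization: disabled
"""

SAMPLE_HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # constructed addresses
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/ca.pem
    clusterFile: /etc/ssl/cluster.pem
security:
  authorization: enabled
  clusterAuthMode: x509
setParameter:
  enableLocalhostAuthBypass: false
"""

if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_WEAK_CONF), ("hardened", SAMPLE_HARDENED_CONF)):
        print(name, check_mongod_conf(text))
```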

xinetd is enabled

Category: OS security

OS: Linux

Description

The eXtended InterNET Daemon (xinetd) is an open source super daemon that replaced the original inetd daemon. If there are no xinetd services required, we recommend you disable the daemon.

Recommendation

Ensure xinetd.service is not enabled in systemd.

chargen services are enabled

Category: OS security

OS: Linux

Description

chargen is a network service that generates a continuous stream of characters for whoever connects to it. This service is intended for debugging and testing purposes. We recommend you keep this service disabled.

Recommendation

Ensure chargen is disabled in /etc/inetd.* and /etc/xinetd.*.

daytime services are enabled

Category: OS security

OS: Linux

Description

daytime is a network service that responds with the server's current date and time. This service is intended for debugging and testing purposes. We recommend you keep this service disabled.

Recommendation

Ensure daytime is disabled in /etc/inetd.* and /etc/xinetd.*.

discard services are enabled

Category: OS security

OS: Linux

Description

discard is a network service that simply discards all data it receives. This service is intended for debugging and testing purposes. We recommend you keep this service disabled.

Recommendation

Ensure discard is disabled in /etc/inetd.* and /etc/xinetd.*.

echo services are enabled

Category: OS security

OS: Linux

Description

echo is a network service that responds to clients with the data sent to it by the client. This service is intended for debugging and testing purposes. We recommend you keep this service disabled.

Recommendation

Ensure echo is disabled in /etc/inetd.* and /etc/xinetd.*.

time services are enabled

Category: OS security

OS: Linux

Description

time is a network service that responds with the server's current date and time as a 32-bit integer. This service is intended for debugging and testing purposes. We recommend you keep this service disabled.

Recommendation

Ensure time is disabled in /etc/inetd.* and /etc/xinetd.*.

Berkeley rsh-server services are enabled

Category: Network and credentials

OS: Linux

Description

The Berkeley rsh-server (rsh, rlogin, rexec) package contains legacy services that exchange clear-text credentials. These legacy services contain numerous security exposures and have been replaced with the more secure SSH package.

Recommendation

Ensure the shell, login, exec services are disabled in /etc/inetd.* and /etc/xinetd.*.

talk server is enabled

Category: Network and credentials

OS: Linux

Description

The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client, which allows initiation of talk sessions, is installed by default. The software presents a security risk as it uses unencrypted protocols for communication.

Recommendation

Ensure talk and ntalk are disabled in /etc/inetd.* and /etc/xinetd.*.

telnet server is enabled

Category: Network and credentials

OS: Linux

Description

The telnet protocol is insecure and unencrypted. Using an unencrypted transmission medium allows anyone able to sniff network traffic to steal credentials. The ssh package provides an encrypted session and stronger security.

Recommendation

Ensure telnet is disabled in /etc/inetd.* and /etc/xinetd.*.

TFTP server is enabled

Category: Network and credentials

OS: Linux

Description

The TFTP server does not support authentication nor does it ensure the confidentiality or integrity of data. We recommend you remove TFTP unless there is a specific need for it, in which case, extreme caution must be used when configuring the services.

Recommendation

Ensure tftp is disabled in /etc/inetd.* and /etc/xinetd.*.

CUPS is enabled

Category: Network and credentials

OS: Linux

Description

The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. If the system does not need to print jobs or accept print jobs from other systems, we recommend you remove CUPS to reduce the potential attack surface.

Recommendation

Ensure cups is disabled in systemd.

DHCP server is enabled

Category: Network and credentials

OS: Linux

Description

The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses. Unless a system is specifically set up to act as a DHCP server, we recommend you disable this service to reduce the potential attack surface.

Recommendation

Ensure dhcpd and isc-dhcp-server are disabled in systemd.

LDAP server is enabled

Category: Network and credentials

OS: Linux

Description

The Lightweight Directory Access Protocol (LDAP) is a service that provides a method for looking up information from a central database. If the system will not need to act as an LDAP server, we recommend you disable this service to reduce the potential attack surface.

Recommendation

Ensure slapd is disabled in systemd.

NFS is enabled

Category: Network and credentials

OS: Linux

Description

The Network File System (NFS) provides the ability for systems to mount file systems of other servers through the network. If the system does not export NFS shares or act as an NFS client, we recommend you disable this service to reduce the remote attack surface.

Recommendation

Ensure nfs-server is disabled in systemd.

RPC is enabled

Category: Network and credentials

OS: Linux

Description

Remote Procedure Call (RPC) is a method for creating low-level client-server applications across different system architectures. If RPC is not required, we recommend you disable this service to reduce the remote attack surface.

Recommendation

Ensure rpcbind is disabled in systemd.

DNS Server is enabled

Category: Network and credentials

OS: Linux

Description

The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network. Unless a system is specifically designated to act as a DNS server, we recommend you disable the service to reduce the potential attack surface.

Recommendation

Ensure named and bind9 are disabled in systemd.

HTTP Server is enabled

Category: Network and credentials

OS: Linux

Description

HTTP or web servers provide the ability to host web site content. Unless there is a need to run the system as a web server, we recommend you disable the service to reduce the potential attack surface.

Recommendation

Ensure httpd and apache2 are disabled in systemd.

IMAP and POP3 Servers are enabled

Category: Network and credentials

OS: Linux

Description

Unless POP3 and/or IMAP servers are to be provided by the operating system, we recommend you disable the service to reduce the potential attack surface.

Recommendation

Ensure dovecot is disabled in systemd.

NIS Server is enabled

Category: Network and credentials

OS: Linux

Description

The NIS server is a collection of programs that allow the distribution of configuration files. The NIS service is inherently an insecure system that has been vulnerable to DoS attacks. We recommend you remove this service and use other, more secure services.

Recommendation

Ensure nis, ypserv are disabled in systemd.

IP Forwarding is enabled

Category: Network and credentials

OS: Linux

Description

The net.ipv4.ip_forward and net.ipv6.conf.all.forwarding flags are used to tell the system whether it can forward packets or not. Setting the flags to 0 ensures that a system with multiple interfaces (for example, a hard proxy) will never be able to forward packets, and consequently, never serve as a router.

Recommendation

Ensure the net.ipv4.ip_forward and net.ipv6.conf.all.forwarding flags are set to 0.

Packet redirect sending is enabled

Category: Network and credentials

OS: Linux

Description

An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker, as opposed to a valid system.

Recommendation

Ensure the net.ipv4.conf.all.send_redirects and net.ipv4.conf.default.send_redirects flags are set to false.

Source-routed packets are accepted

Category: Network and credentials

OS: Linux

Description

In networking, source routing allows a sender to partially or fully specify the route packets take through a network. If source-routed packets are accepted, they could be used to reach systems on private address ranges, since the route is specified by the sender rather than by routing protocols that do not permit such routing.

Recommendation

Ensure the net.ipv4.conf.all.accept_source_route, net.ipv4.conf.default.accept_source_route, net.ipv6.conf.all.accept_source_route and net.ipv6.conf.default.accept_source_route flags are disabled.

ICMP redirects are accepted

Category: Network and credentials

OS: Linux

Description

Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables, causing the system to send packets to incorrect networks and allowing its traffic to be captured.

Recommendation

Ensure the net.ipv4.conf.all.accept_redirects and net.ipv6.conf.all.accept_redirects flags are disabled.

Secure ICMP redirects are accepted

Category: Network and credentials

OS: Linux

Description

Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure. Nevertheless, it is still possible even for known gateways to be compromised.

Recommendation

Ensure the net.ipv4.conf.all.secure_redirects flag is disabled.

Suspicious martian packets are not logged

Category: Network and credentials

OS: Linux

Description

Enabling the logging of suspicious martian packets allows an administrator to investigate if an attacker is sending spoofed packets to their system.

Recommendation

Ensure the net.ipv4.conf.all.log_martians and net.ipv4.conf.default.log_martians flags are set to true.

Broadcast ICMP requests are not ignored

Category: Network and credentials

OS: Linux

Description

Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating in) a Smurf attack.

Recommendation

Ensure the net.ipv4.icmp_echo_ignore_broadcasts flag is set to true.

Bogus ICMP responses are not ignored

Category: Network and credentials

OS: Linux

Description

Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages.

Recommendation

Ensure the net.ipv4.icmp_ignore_bogus_error_responses flag is enabled.

Reverse Path Filtering is disabled

Category: Network and credentials

OS: Linux

Description

Reverse Path Filtering is a method used by the Linux kernel to help prevent attacks that rely on spoofed IP addresses. Enabling Reverse Path Filtering is a good way to deter attackers from sending your system bogus packets that cannot be responded to.

Recommendation

Ensure net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter are set to 1.

TCP SYN cookies are disabled

Category: Network and credentials

OS: Linux

Description

Attackers use SYN flood attacks to perform a denial of service attack on a system by sending multiple SYN packets without completing the three-way handshake.

Recommendation

Ensure net.ipv4.tcp_syncookies is set to 1.

IPv6 router advertisements are accepted

Category: Network and credentials

OS: Linux

Description

We recommend you set up systems to not accept router advertisements, as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes.

Recommendation

Ensure the net.ipv6.conf.all.accept_ra and net.ipv6.conf.default.accept_ra flags are disabled.
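The kernel-parameter entries from IP forwarding through IPv6 router advertisements can be audited together from `sysctl -a` output or directly from /proc/sys. The script below is an added example, not the product's own code; the expected-value table is built from those entries and the sample output is constructed.

```python
"""Compare kernel network parameters with the values recommended above.

Added example, not the product's own logic. Works on captured `sysctl -a`
output (offline) or on the live /proc/sys tree, and renders the sysctl.d
fragment that would correct the findings.
"""
import os

# Table constructed from the entries above: sysctl key -> recommended value.
EXPECTED_SYSCTL = {
    "net.ipv4.ip_forward": "0",
    "net.ipv6.conf.all.forwarding": "0",
    "net.ipv4.conf.all.send_redirects": "0",
    "net.ipv4.conf.default.send_redirects": "0",
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.conf.default.accept_source_route": "0",
    "net.ipv6.conf.all.accept_source_route": "0",
    "net.ipv6.conf.default.accept_source_route": "0",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv6.conf.all.accept_redirects": "0",
    "net.ipv4.conf.all.secure_redirects": "0",
    "net.ipv4.conf.all.log_martians": "1",
    "net.ipv4.conf.default.log_martians": "1",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    "net.ipv4.icmp_ignore_bogus_error_responses": "1",
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.conf.default.rp_filter": "1",
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv6.conf.all.accept_ra": "0",
    "net.ipv6.conf.default.accept_ra": "0",
}


def parse_sysctl_output(text):
    """Parse `sysctl -a` output ("key = value" per line) into a dict."""
    values = {}
    for line in text.splitlines():
        if " = " not in line:
            continue  # skip warnings such as "sysctl: permission denied on key ..."
        key, _, value = line.partition(" = ")
        values[key.strip()] = value.strip()
    return values


def read_live_sysctl(keys):
    """Read current values from /proc/sys (Linux only); absent keys are skipped."""
    values = {}
    for key in keys:
        try:
            with open(os.path.join("/proc/sys", key.replace(".", "/"))) as fh:
                values[key] = fh.read().split()[0]
        except OSError:
            pass  # e.g. IPv6 keys when IPv6 is disabled
    return values


def check_sysctl(values):
    """Return (key, current, expected) for every key not at its recommended value."""
    ipv6_present = any(k.startswith("net.ipv6.") for k in values)
    findings = []
    for key, expected in EXPECTED_SYSCTL.items():
        current = values.get(key)
        if current is None:
            if key.startswith("net.ipv6.") and not ipv6_present:
                continue  # IPv6 entries do not apply when the stack is absent
            findings.append((key, "missing", expected))
        elif current != expected:
            findings.append((key, current, expected))
    return findings


def render_sysctl_d(findings):
    """Build the /etc/sysctl.d fragment that corrects the reported findings."""
    return "\n".join(f"{key} = {expected}" for key, _, expected in findings)


# Constructed sample of `sysctl -a` output with several weak settings.
SAMPLE_SYSCTL_OUTPUT = """\
net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_syncookies = 1
sysctl: permission denied on key 'net.ipv4.route.flush'
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_ra = 1
net.ipv6.conf.default.accept_ra = 0
"""

if __name__ == "__main__":
    live = read_live_sysctl(EXPECTED_SYSCTL) if os.path.isdir("/proc/sys/net") else {}
    findings = check_sysctl(live or parse_sysctl_output(SAMPLE_SYSCTL_OUTPUT))
    for key, current, expected in findings:
        print(f"{key}: is {current}, should be {expected}")
    print(render_sysctl_d(findings))
```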

Permissions on /etc/hosts.allow are not configured

Category: OS security

OS: Linux

Description

It is critical to ensure that the /etc/hosts.allow file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions.

Recommendation

Ensure /etc/hosts.allow is owned by root and has permission 644.

Permissions on /etc/hosts.deny are not configured

Category: OS security

OS: Linux

Description

It is critical to ensure that the /etc/hosts.deny file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions.

Recommendation

Ensure /etc/hosts.deny is owned by root and has permission 644.

DCCP is enabled

Category: Network and credentials

OS: Linux

Description

The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. If the protocol is not required, we recommend that these drivers not be installed, to reduce the potential attack surface.

Recommendation

Ensure the dccp module is not loaded.

SCTP is enabled

Category: Network and credentials

OS: Linux

Description

The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message-oriented communication, with several streams of messages in one connection. If the protocol is not being used, it is recommended that the kernel module not be loaded, thus disabling the service to reduce the potential attack surface.

Recommendation

Ensure the sctp module is not loaded.

RDS is enabled

Category: Network and credentials

OS: Linux

Description

The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. If the protocol is not being used, it is recommended that the kernel module not be loaded, thus disabling the service to reduce the potential attack surface.

Recommendation

Ensure the rds module is not loaded.

TIPC is enabled

Category: OS security

OS: Linux

Description

The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes. If the protocol is not being used, it is recommended that the kernel module not be loaded, thus disabling the service to reduce the potential attack surface.

Recommendation

Ensure the tipc module is not loaded.

iptables is not installed

Category: OS security

OS: Linux

Description

iptables allows configuration of the IPv4 and IPv6 tables in the Linux kernel and the rules stored within them. Most firewall configuration utilities operate as a front end to iptables.

Recommendation

Ensure the iptables package is installed.

IPv6 default deny firewall policy is not enforced

Category: OS security

OS: Linux

Description

A default deny all policy on connections ensures that any unconfigured network usage will be rejected. With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to whitelist acceptable usage than to black list unacceptable usage.

Recommendation

In case IPv6 is enabled, verify that the policy for the INPUT, OUTPUT, and FORWARD chains is set to DROP or REJECT in ip6tables.

IPv6 loopback traffic is not configured

Category: OS security

OS: Linux

Description

Loopback traffic is generated between processes on the machine and is typically critical to system operation. The loopback interface is the only place that loopback network (::1) traffic should be seen; all other interfaces should ignore traffic on this network as an anti-spoofing measure.

Recommendation

In case IPv6 is enabled, make sure the loopback interface accepts traffic. Ensure all other interfaces deny traffic to the loopback network (::1).

Default deny firewall policy is not enforced

Category: OS security

OS: Linux

Description

A default deny all policy on connections ensures that any unconfigured network usage will be rejected. With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to whitelist acceptable usage than to blacklist unacceptable usage.

Recommendation

Verify that the policy for the INPUT, OUTPUT, and FORWARD chains is set to DROP or REJECT in iptables.

Loopback traffic is not configured

Category: OS security

OS: Linux

Description

Loopback traffic is generated between processes on the machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (127.0.0.0/8) traffic should be seen; all other interfaces should ignore traffic on this network as an anti-spoofing measure.

Recommendation

Make sure the loopback interface accepts traffic. Ensure all other interfaces deny traffic to the loopback network (127.0.0.0/8).

AIDE is not installed

Category: OS security

OS: Linux

Description

AIDE takes a snapshot of filesystem state including modification times, permissions, and file hashes which can then be used to compare against the current state of the filesystem to detect modifications to the system. By monitoring the filesystem state compromised files can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries.

Recommendation

Ensure the AIDE package is installed.

Filesystem integrity is not checked regularly

Category: OS security

OS: Linux

Description

Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion.

Recommendation

Ensure aidecheck.service and aidecheck.timer are enabled in systemctl, or that a cron job is scheduled to run aide --check.

prelink is enabled

Category: OS security

OS: Linux

Description

prelink is a program that modifies ELF shared libraries and ELF dynamically linked binaries in such a way that the time needed for the dynamic linker to perform relocations at startup significantly decreases. Prelinking can increase the vulnerability of the system if a malicious user is able to compromise a common library such as libc.

Recommendation

Ensure the prelink package is not installed.

Core dumps are allowed

Category: OS security

OS: Linux

Description

A core dump is the memory of an executable program. It is generally used to determine why a program was aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user.

Recommendation

Ensure that /etc/security/limits.* has the core limit set to 0, that the fs.suid_dumpable flag is set to 0 in /etc/sysctl.*, and that Storage=none and ProcessSizeMax=0 are set in /etc/systemd/coredump.conf.

SELinux or AppArmor are not installed

Category: OS security

OS: Linux

Description

SELinux and AppArmor provide Mandatory Access Controls. Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available.

Recommendation

Ensure that at least one of the apparmor, libselinux, or libselinux1 packages is installed.

All AppArmor Profiles are not enforced

Category: OS security

OS: Linux

Description

AppArmor profiles define what resources applications are able to access.

Recommendation

Ensure all profiles are set to enforce mode.

AppArmor is disabled in bootloader configuration

Category: OS security

OS: Linux

Description

AppArmor must be enabled at boot time in your bootloader configuration to ensure that the controls it provides are not overridden.

Recommendation

Ensure that the kernel command line in /boot/grub/grub.cfg has apparmor=1 and security=apparmor set. Check that /etc/default/grub also contains apparmor=1 and security=apparmor.

rsh client is installed

Category: OS security

OS: Linux

Description

The rsh package contains the client commands for the rsh services. These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package.

Recommendation

Ensure the rsh and rsh-client packages are not installed.

NIS client is installed

Category: OS security

OS: Linux

Description

The NIS service is inherently an insecure system that has been vulnerable to DoS attacks and buffer overflows, and has poor authentication for querying NIS maps. NIS has generally been replaced by protocols such as the Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed.

Recommendation

Ensure the nis and ypbind packages are not installed.

talk client is installed

Category: OS security

OS: Linux

Description

The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client, which allows initialization of talk sessions, is installed by default. The software presents a security risk as it uses unencrypted protocols for communication.

Recommendation

Ensure the talk package is not installed.

telnet client is installed

Category: OS security

OS: Linux

Description

The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions.

Recommendation

Ensure the telnet package is not installed.

LDAP client is installed

Category: OS security

OS: Linux

Description

The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database. If the system will not need to act as an LDAP client, we recommend you remove the software to reduce the potential attack surface.

Recommendation

Ensure the ldap, ldap-utils, openldap-clients, openldap2-client, libpam-ldap, and libnss-ldap packages are not installed.

auditd is not installed

Category: OS security

OS: Linux

Description

The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring.

Recommendation

Ensure the auditd and auditd-plugins packages are installed.

auditd service is disabled

Category: OS security

OS: Linux

Description

The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring.

Recommendation

Ensure auditd is enabled in systemctl.

Auditing for processes that start before auditd is disabled

Category: OS security

OS: Linux

Description

Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected.

Recommendation

Verify that grub is configured with the audit=1 kernel parameter in /boot/grub/grub.cfg, so that processes capable of being audited are audited even if they start up prior to auditd startup.

audit_backlog_limit is not sufficient

Category: OS security

OS: Linux

Description

During boot, if audit=1 is set, the backlog will hold 64 records. If more than 64 records are created during boot, audit records will be lost and potential malicious activity could go undetected.

Recommendation

Ensure the audit_backlog_limit is set higher than 8192 in /boot/grub/grub.cfg.

Audit log storage size is not configured

Category: OS security

OS: Linux

Description

It is important that an appropriate size is determined for log files so that they do not impact the system, and audit data is not lost.

Recommendation

Configure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started.

Audit logs are automatically deleted

Category: OS security

OS: Linux

Description

In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history.

Recommendation

Ensure that max_log_file_action = keep_logs in /etc/audit/auditd.conf.

System is not disabled when audit logs are full

Category: OS security

OS: Linux

Description

In high security contexts, the value of detecting unauthorized access (and of nonrepudiation) exceeds the benefit of the system's availability.

Recommendation

Ensure the auditd daemon is configured to halt the system when the audit logs are full.

Date and time altering events are not collected

Category: OS security

OS: Linux

Description

Unexpected changes in system date and/or time could be a sign of malicious activity on the system.

Recommendation

Ensure that adjtimex, settimeofday, clock_settime, and stime syscalls write an audit record to /var/log/audit.log, tagged with time-change.

User/group altering events are not collected

Category: OS security

OS: Linux

Description

Unexpected changes to group, passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd can be an indicator that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.

Recommendation

Ensure that /etc/audit/rules.d/ is configured to record changes to group, passwd, shadow, gshadow and /etc/security/opasswd.

System network environment altering events are not collected

Category: OS security

OS: Linux

Description

Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domain name of a system. Changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder.

Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised.

All audit records will be tagged with the identifier system-locale.

Recommendation

Ensure that /etc/audit/rules.d/ is configured to record changes to sethostname, setdomainname, /etc/issue, /etc/issue.net, /etc/hosts and /etc/network.

System Mandatory Access Controls altering events are not collected

Category: OS security

OS: Linux

Description

Changes to /etc/apparmor and /etc/apparmor.d directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system.

Recommendation

Ensure that /etc/audit/rules.d/ is configured to record changes to /etc/apparmor and /etc/apparmor.d.

Login and logout events are not collected

Category: OS security

OS: Linux

Description

Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.

Recommendation

Ensure that /etc/audit/rules.d/ is configured to record changes to /var/log/faillog, /var/log/lastlog, and /var/log/tallylog.

Session initiation information is not collected

Category: OS security

OS: Linux

Description

Monitoring /var/run/utmp, /var/log/wtmp, /var/log/btmp files for changes could alert a system administrator of logins occurring at unusual hours, which can indicate intruder activity (i.e. a user logging in at a time when they do not normally log in).

Recommendation

Ensure that /etc/audit/rules.d/ is configured to record changes to /var/run/utmp, /var/log/wtmp, and /var/log/btmp.

Discretionary access control permission altering events are not collected

Category: OS security

OS: Linux

Description

Monitoring for changes in file attributes could alert a system administrator to activity that can indicate intruder activity or policy violation.

Recommendation

Ensure that all system calls that modify file owners, permissions or extended attributes are recorded by rules in /etc/audit/rules.d.

Unsuccessful unauthorized file access attempts are not collected

Category: OS security

OS: Linux

Description

Failed attempts to open, create or truncate files could be an indicator that an individual or process is trying to gain unauthorized access to the system.

Recommendation

Verify that all creat, open, openat, truncate, and ftruncate syscalls are recorded by correctly configuring /etc/audit/rules.d.

Successful file system mounts are not collected

Category: OS security

OS: Linux

Description

Tracking mount commands can help detect potentially malicious data export to external media.

Recommendation

Verify that all mount and umount syscalls are recorded by correctly configuring /etc/audit/rules.d.

File deletion events by users are not collected

Category: OS security

OS: Linux

Description

Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators may want to look for specific privileged files that are being deleted or altered.

Recommendation

Verify that all unlink, unlinkat, rename, renameat syscalls are recorded by correctly configuring /etc/audit/rules.d.

Changes to system administration scope (sudoers) are not collected

Category: OS security

OS: Linux

Description

Audit rules should be in place to monitor scope changes (changes to the sudoers configuration) that apply when an administrator logs in to use sudo.

Recommendation

Ensure that audit rules include collecting scope changes.

Changes to system administrator command executions (sudo) are not collected

Category: OS security

OS: Linux

Description

Audit rules should be in place to monitor an administrator with temporary elevated privileges, while using sudo, and the operation(s) they are performing.

Recommendation

Ensure that audit rules include collecting sudo activity.

Ensure kernel module loading and unloading is collected

Category: OS security

OS: Linux

Description

Verifies that any execution of the module loading and unloading programs and system calls triggers an audit record with the identifier modules.

Recommendation

Ensure audit rules include collecting kernel module loading and unloading activity.

Audit configuration is not immutable

Category: OS security

OS: Linux

Description

Audit rules should be in immutable mode, so they cannot be modified using auditctl. While in immutable mode, unauthorized users cannot change the audit system to hide malicious activity and then set the audit rules back.

Recommendation

Ensure that audit rules cannot be changed without performing a system reboot.
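The auditd recommendations above (system-locale, MAC policy, login, session, permission, file access, mount, deletion and module events, plus the immutable flag) can be checked with one script that parses rules in the /etc/audit/rules.d format. This is an added example, not the product's own check; the rule text and the chmod/chown/xattr and init_module/delete_module syscall lists are assumptions, and umount is listed under its 64-bit name umount2.

```python
"""Check auditd rules (the /etc/audit/rules.d/*.rules format) against the
collection recommendations above.  Added example, not the product's own
checker: the sample rule text below is constructed for illustration."""
import shlex

# File watches (-w) and syscalls (-S) the recommendations above call for.
REQUIRED_WATCHES = {
    "system-locale": ["/etc/issue", "/etc/issue.net", "/etc/hosts", "/etc/network"],
    "MAC-policy": ["/etc/apparmor", "/etc/apparmor.d"],
    "logins": ["/var/log/faillog", "/var/log/lastlog", "/var/log/tallylog"],
    "session": ["/var/run/utmp", "/var/log/wtmp", "/var/log/btmp"],
}
REQUIRED_SYSCALLS = {
    "system-locale": ["sethostname", "setdomainname"],
    # assumed expansion of "owner, permission or extended attribute" syscalls
    "perm_mod": ["chmod", "fchmod", "fchmodat", "chown", "fchown", "fchownat", "lchown",
                 "setxattr", "lsetxattr", "fsetxattr",
                 "removexattr", "lremovexattr", "fremovexattr"],
    "access": ["creat", "open", "openat", "truncate", "ftruncate"],
    "mounts": ["mount", "umount2"],          # umount is umount2 on 64-bit x86
    "delete": ["unlink", "unlinkat", "rename", "renameat"],
    "modules": ["init_module", "delete_module"],  # assumed module syscalls
}


def parse_rules(text):
    """Return (watched paths, audited syscall names, value of the last -e flag)."""
    watches, syscalls, enabled = set(), set(), None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        tokens = shlex.split(line)
        if tokens[0] == "-w" and len(tokens) > 1:
            watches.add(tokens[1])
        elif tokens[0] == "-a":
            # every -S may carry a comma-separated list of syscall names
            for i, tok in enumerate(tokens):
                if tok == "-S" and i + 1 < len(tokens):
                    syscalls.update(tokens[i + 1].split(","))
        elif tokens[0] == "-e" and len(tokens) > 1:
            enabled = int(tokens[1])           # -e 2 makes the rules immutable
    return watches, syscalls, enabled


def check_rules(text):
    """Return a list of findings; an empty list means every recommendation is met."""
    watches, syscalls, enabled = parse_rules(text)
    findings = []
    for key, paths in REQUIRED_WATCHES.items():
        findings += [f"missing watch on {p} ({key})" for p in paths if p not in watches]
    for key, names in REQUIRED_SYSCALLS.items():
        findings += [f"syscall {n} not audited ({key})" for n in names
                     if n not in syscalls and "all" not in syscalls]
    if enabled != 2:
        findings.append("audit configuration is not immutable (-e 2 missing)")
    return findings


# Constructed sample: deliberately lacks the tallylog watch, the xattr
# syscalls and the immutable flag, so the checker has something to report.
SAMPLE_RULES = """\
# constructed sample of /etc/audit/rules.d/50-cis.rules
-a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/network -p wa -k system-locale
-w /etc/apparmor -p wa -k MAC-policy
-w /etc/apparmor.d -p wa -k MAC-policy
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S mount,umount2 -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -k delete
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module,delete_module -k modules
-e 1
"""

if __name__ == "__main__":
    for finding in check_rules(SAMPLE_RULES):
        print(finding)
```

On a real host, concatenate the files in /etc/audit/rules.d/ and pass the text to check_rules; the checker only inspects rule text and does not need root or auditctl.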

rsyslog is not installed

Category: OS security

OS: Linux

Description

The rsyslog software should be installed. rsyslog is the recommended replacement for the original syslogd daemon, providing overall improvements over syslogd.

Recommendation

Ensure that rsyslog is installed.

The rsyslog service is disabled

Category: OS security

OS: Linux

Description

The rsyslog service should be enabled. If the rsyslog service is not enabled, the system may instead default to the syslogd service, or lack logging altogether.

Recommendation

Ensure the rsyslog service is enabled.

The rsyslog default file permission is configured

Category: OS security

OS: Linux

Description

Logfiles created by rsyslog must have correct file permissions. It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected.

Recommendation

Ensure the rsyslog default file permissions are set to 0640 or more restrictive.

journald is not configured to send logs to rsyslog

Category: OS security

OS: Linux

Description

journald should be configured to forward logs to rsyslog, so that they can be sent to a remote host and protected from local tampering. This requires that rsyslog be configured to send logs to a remote host.

Recommendation

Ensure journald is configured to forward logs to rsyslog.

journald is not configured to compress large log files

Category: OS security

OS: Linux

Description

journald should be set to compress large log files, to avoid sudden, unexpected filesystem impacts.

Recommendation

Ensure journald is configured to compress large files.

journald is not configured to write logfiles to persistent disk

Category: OS security

OS: Linux

Description

journald should not store data in volatile memory, but save it locally on the server. Writing log data to disk will provide the ability to forensically reconstruct events which may have impacted the operations or security of a system even after a system crash or reboot.

Recommendation

Ensure that storage is set to persistent for journald.

Permissions on all logfiles are not configured

Category: OS security

OS: Linux

Description

Permissions on logfiles should be set so that sensitive data is archived and protected.

Recommendation

Ensure all logs have permissions set to none for other and read-only for group.

logrotate does not assign appropriate permissions

Category: OS security

OS: Linux

Description

logrotate should be set to assign permissions correctly, so that sensitive data is archived and protected.

Recommendation

Ensure that logrotate is configured to set permissions to 0640 or more restrictive.

cron daemon is not enabled and running

Category: OS security

OS: Linux

Description

The cron daemon should be enabled and running, to be used for both user jobs, as well as system maintenance jobs that may include security monitoring.

Recommendation

Ensure that cron is enabled using systemctl.

Permissions on /etc/crontab are not configured

Category: OS security

OS: Linux

Description

Cron's job file permissions should be set correctly, so that unprivileged users cannot inspect system jobs or gain a path to elevate their privileges.

Recommendation

Ensure that permissions on /etc/crontab are set to 0600.

Permissions on /etc/cron.hourly are not configured

Category: OS security

OS: Linux

Description

Cron's hourly job directory permissions should be set correctly, so that unprivileged users cannot inspect system jobs or gain a path to elevate their privileges.

Recommendation

Ensure that permissions on /etc/cron.hourly are set to 0700.

Permissions on /etc/cron.daily are not configured

Category: OS security

OS: Linux

Description

Cron's daily job directory permissions should be set correctly, so that unprivileged users cannot inspect system jobs or gain a path to elevate their privileges.

Recommendation

Ensure that permissions on /etc/cron.daily are set to 0700.

Permissions on /etc/cron.weekly are not configured

Category: OS security

OS: Linux

Description

Cron's weekly job directory permissions should be set correctly, so that unprivileged users cannot inspect system jobs or gain a path to elevate their privileges.

Recommendation

Ensure that permissions on /etc/cron.weekly are set to 0700.

Permissions on /etc/cron.monthly are not configured

Category: OS security

OS: Linux

Description

Cron's monthly job directory permissions should be set correctly, so that unprivileged users cannot inspect system jobs or gain a path to elevate their privileges.

Recommendation

Ensure that permissions on /etc/cron.monthly are set to 0700.

Permissions on /etc/cron.d are not configured

Category: OS security

OS: Linux

Description

Cron's manual job directory permissions should be set correctly, so that unprivileged users cannot inspect system jobs or gain a path to elevate their privileges.

Recommendation

Ensure that permissions on /etc/cron.d are set to 0700.

cron is not restricted to authorized users

Category: OS security

OS: Linux

Description

Access to cron should be restricted via an allow list by using /etc/cron.allow. Additionally, /etc/cron.allow must be owned by root and have permissions set to 0640 or more restrictive.

Recommendation

Ensure /etc/cron.deny does not exist, and that /etc/cron.allow is properly configured.

Ensure at is restricted to authorized users

Category: OS security

OS: Linux

Description

Verifies that access to at is restricted via an allow list, /etc/at.allow. Additionally, /etc/at.allow must be owned by root and have permissions set to 0640 or more restrictive.

Recommendation

Ensure /etc/at.deny does not exist, and that /etc/at.allow is properly configured.

Password creation requirements are not configured

Category: OS security

OS: Linux

Description

Password creation requirements must be configured to require strong passwords, as well as a maximum of 3 retries.

Recommendation

Ensure that strong password requirements and a maximum of 3 retries are set.

Password expiration interval is short enough

Category: OS security

OS: Linux

Description

Password expiration must be set to 365 days or less, to make sure that the timeframe for a brute force attack is limited.

Recommendation

Ensure that password expiration is properly configured.

Minimum days between password changes is not configured

Category: OS security

OS: Linux

Description

The minimum number of days between password changes must be configured, so that users are prevented from repeatedly changing their password in an attempt to circumvent password reuse controls.

Recommendation

Ensure that a minimum of 1 day between password changes is enforced.

Password expiration warning days interval is long enough

Category: OS security

OS: Linux

Description

Password expiration warnings must be sent in an interval that leaves the user sufficient time to think of a secure password.

Recommendation

Ensure that password expiration warnings are sent at least 7 days in advance.

Inactive password lock interval is short enough

Category: OS security

OS: Linux

Description

User accounts that have been inactive for over 30 days must automatically be disabled.

Recommendation

Ensure that inactive accounts are automatically disabled after 30 days.

Default group for the root account is not 0

Category: OS security

OS: Linux

Description

The root user must have the default group set to 0. Using GID 0 for the root account helps prevent root-owned files from accidentally becoming accessible to non-privileged users.

Recommendation

Ensure that the default group for the root account is set to 0.

Default file creation mask is not restrictive enough

Category: OS security

OS: Linux

Description

Permissions mask for newly created files must be restrictive enough.

Recommendation

Ensure that user file-creation mode mask is set to 027 or more restrictive.

Default user shell timeout is not short enough

Category: OS security

OS: Linux

Description

An inactive user shell session must be ended with a reasonable timeout, to prevent unauthorized access by using unattended shell sessions.

Recommendation

Ensure default user shell timeout is set to 900 or less.

Access to su command is not restricted

Category: OS security

OS: Linux

Description

Access to the su command must be restricted, forcing the use of sudo, which allows for better control of escalation, and better logging and audit.

Recommendation

Ensure the group that is allowed to use the su command is empty.

Permissions on /etc/passwd are not configured

Category: OS security

OS: Linux

Description

Permissions on the user accounts file must be set to allow reading for various system utilities, while being protected from unauthorized write access.

Recommendation

Ensure that permissions on /etc/passwd are set to 644.

Permissions on /etc/passwd- are not configured

Category: OS security

OS: Linux

Description

Permissions on the user accounts backup file must be set to allow reading for various system utilities, while being protected from unauthorized write access.

Recommendation

Ensure that permissions on /etc/passwd- are set to 644 or more restrictive.

Permissions on /etc/group are not configured

Category: OS security

OS: Linux

Description

Permissions on the groups file must be set to allow reading for various system utilities, while being protected from unauthorized write access.

Recommendation

Ensure that permissions on /etc/group are set to 644.

Permissions on /etc/group- are not configured

Category: OS security

OS: Linux

Description

Permissions on the groups backup file must be set to allow reading for various system utilities, while being protected from unauthorized write access.

Recommendation

Ensure that permissions on /etc/group- are set to 644 or more restrictive.

Permissions on /etc/shadow are not configured

Category: OS security

OS: Linux

Description

Permissions on the user credentials file must be set to allow reading for various system utilities, while being protected from unauthorized write access.

Recommendation

Ensure that permissions on /etc/shadow are set to 640.

Permissions on /etc/shadow- are not configured

Category: OS security

OS: Linux

Description

Permissions on the user credentials backup file must be set to allow reading for various system utilities, while being protected from unauthorized write access.

Recommendation

Ensure that permissions on /etc/shadow- are set to 640.

Permissions on /etc/gshadow are not configured

Category: OS security

OS: Linux

Description

Permissions on the group credentials file must be set to allow reading for various system utilities, while being protected from unauthorized write access.

Recommendation

Ensure that permissions on /etc/gshadow are set to 640.

Permissions on /etc/gshadow- are not configured

Category: OS security

OS: Linux

Description

Permissions on the group credentials backup file must be set to allow reading for various system utilities, while being protected from unauthorized write access.

Recommendation

Ensure that permissions on /etc/gshadow- are set to 640.

World writable files do exist

Category: OS security

OS: Linux

Description

No world writable files must be present on the machine, as they may indicate a potential security risk.

Recommendation

Ensure there are no world writable files, or that those that are world-writable are necessarily so.

Unowned files or directories do exist

Category: OS security

OS: Linux

Description

Files that used to be owned by deleted users should not remain on the system, as a new user assigned the deleted user's UID would end up owning these files, gaining more access on the system than was intended.

Recommendation

Ensure that no files owned by an inactive user exist on the system.

Ungrouped files or directories do exist

Category: OS security

OS: Linux

Description

Files that used to be owned by deleted groups should not remain on the system, as a new group created with the deleted group's GID would end up owning these files, granting more access on the system than was intended.

Recommendation

Ensure that no files owned by an inactive group exist on the system.

Accounts in /etc/passwd do not use shadowed passwords

Category: OS security

OS: Linux

Description

All accounts must use shadowed passwords, to avoid allowing access to sensitive information (like password hashes) to an attacker.

Recommendation

Ensure all accounts are set to use shadowed passwords.

sudo is not installed

Category: OS security

OS: Linux

Description

The sudo package must be installed on the system. Sudo allows configuring which users and under what conditions they can run a command as superuser or another user.

Recommendation

Ensure the sudo or sudo-ldap (if sudo support for LDAP users is required) package is installed.

/dev/shm is not configured

Category: OS security

OS: Linux

Description

/dev/shm must be mounted properly at boot, with the noexec option.

Recommendation

Ensure that /dev/shm is mounted with the noexec option.

Permissions on bootloader config are overridden

Category: OS security

OS: Linux

Description

Permissions on /boot/grub/grub.cfg must be changed to root-only when grub.cfg is updated by the update-grub command.

Recommendation

Ensure the update-grub command changes the permissions of /boot/grub/grub.cfg to 400.

Prelink is installed

Category: OS security

OS: Linux

Description

Prelink should not be installed on the endpoint. Prelink is a program that modifies ELF shared libraries and ELF dynamically linked binaries in such a way that the time needed for the dynamic linker to perform relocations at startup significantly decreases.

Recommendation

Ensure that the prelink package is not installed, so as not to interfere with AIDE and to reduce the attack surface of the system.

Disable-user-list is not enabled

Category: OS security

OS: Linux

Description

Displaying the user list eliminates half of the Userid/Password equation that an unauthorized person would need to log on.

Recommendation

Ensure the GDM parameter disable-user-list is set to true.

XDMCP is enabled

Category: OS security

OS: Linux

Description

X Display Manager Control Protocol (XDMCP) is designed to provide authenticated access to display management services for remote displays. XDMCP is vulnerable to man-in-the-middle attacks.

This may allow an attacker to steal the credentials of legitimate users by impersonating the XDMCP server.

Recommendation

Ensure the Enable flag is set to false in /etc/gdm3/custom.conf.

X Window System is installed

Category: OS security

OS: Linux

Description

The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add-ons. Unless your organization specifically requires graphical login access via X Window, remove it to reduce the potential attack surface.

Recommendation

Ensure the xserver-xorg package is not installed.

Avahi Server is installed

Category: OS security

OS: Linux

Description

Avahi Server should not be installed on the endpoint. Avahi Server allows programs to publish and discover services and hosts running on the local network.

Recommendation

Ensure the avahi-daemon package is not installed, to reduce the endpoint's potential attack surface.

CUPS is installed

Category: OS security

OS: Linux

Description

The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. If the system does not need to print jobs or accept print jobs from other systems, we recommend you remove CUPS to reduce the potential attack surface.

Recommendation

Ensure the cups package is not installed.

DHCP Server is installed

Category: OS security

OS: Linux

Description

The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses. Unless a system is specifically set up to act as a DHCP server, we recommend you remove this package to reduce the potential attack surface.

Recommendation

Ensure the isc-dhcp-server package is not installed.

LDAP server is installed

Category: OS security

OS: Linux

Description

The Lightweight Directory Access Protocol (LDAP) is a service that provides a method for looking up information from a central database. If the system will not need to act as an LDAP server, we recommend you remove this software to reduce the potential attack surface.

Recommendation

Ensure the slapd package is not installed.

NFS is installed

Category: OS security

OS: Linux

Description

The Network File System (NFS) provides the ability for systems to mount file systems of other servers through the network. If the system does not export NFS shares or act as an NFS client, we recommend you remove these services to reduce the remote attack surface.

Recommendation

Ensure the nfs-kernel-server package is not installed.

DNS Server is installed

Category: OS security

OS: Linux

Description

The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network. Unless a system is specifically designated to act as a DNS server, we recommend you delete this package to reduce the potential attack surface.

Recommendation

Ensure the bind9 package is not installed.

FTP Server is installed

Category: OS security

OS: Linux

Description

The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files. FTP does not protect the confidentiality of data or authentication credentials.

Recommendation

Ensure the vsftpd package is not installed.

HTTP server is installed

Category: OS security

OS: Linux

Description

HTTP or web servers provide the ability to host web site content. Unless there is a need to run the system as a web server, we recommend you delete this package to reduce the potential attack surface.

Recommendation

Ensure the apache2 package is not installed.

IMAP and POP3 servers are installed

Category: OS security

OS: Linux

Description

Unless POP3 and/or IMAP servers are to be provided by this system, we recommend you remove these packages to reduce the potential attack surface.

Recommendation

Ensure the dovecot-imapd and dovecot-pop3d packages are not installed.

Samba is installed

Category: OS security

OS: Linux

Description

The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. If there is no need to mount directories and file systems to Windows systems, then this service should be deleted to reduce the potential attack surface.

Recommendation

Ensure the samba package is not installed.

HTTP Proxy Server is installed

Category: OS security

OS: Linux

Description

Squid is a standard proxy server used in many distributions and environments. If there is no need for a proxy server, we recommend you delete the squid proxy to reduce the potential attack surface.

Recommendation

Ensure the squid package is not installed.

SNMP Server is installed

Category: OS security

OS: Linux

Description

Simple Network Management Protocol (SNMP) is a widely used protocol for monitoring the health and welfare of network equipment, computer equipment and devices like UPSs. If the SNMP service is not required, it should be removed to reduce the attack surface of the system. If SNMP is required, the server should be configured for SNMP v3 only. User Authentication and Message Encryption should be configured.

Recommendation

Ensure the snmpd package is not installed.

The rsync service is installed

Category: OS security

OS: Linux

Description

The rsync service can be used to synchronize files between systems over network links. The rsync service presents a security risk as it uses unencrypted protocols for communication. The rsync package should be removed to reduce the attack area of the system.

Recommendation

Ensure the rsync package is not installed.

NIS Server is installed

Category: OS security

OS: Linux

Description

The NIS server is a collection of programs that allow for the distribution of configuration files. The NIS service is inherently insecure and has been vulnerable to DoS attacks. We recommend you remove this service and use other, more secure services.

Recommendation

Ensure the nis package is not installed.

RPC is installed

Category: OS security

OS: Linux

Description

Remote Procedure Call (RPC) is a method for creating low level client server applications across different system architectures. If RPC is not required, we recommend you remove these services to reduce the remote attack surface.

Recommendation

Ensure the rpcbind package is not installed.

Mail transfer agent is not configured for local-only mode

Category: OS security

OS: Linux

Description

If the system is not intended to be a mail server, we recommend you configure the MTA to only process local mail.

Recommendation

Ensure that the MTA is not listening on any non-loopback address (127.0.0.1 or ::1), port 25.

Time synchronization is not in use

Category: OS security

OS: Linux

Description

System time should be synchronized between all systems in an environment. Time synchronization is important to support time sensitive security mechanisms like Kerberos.

Recommendation

Ensure that one of the systemd-timesyncd, chrony or ntp packages is installed and configured correctly.

Wireless interfaces are not disabled

Category: OS security

OS: Linux

Description

If wireless is not to be used, wireless devices can be disabled to reduce the potential attack surface.

Recommendation

Ensure no wireless drivers are loaded into the kernel.

Log4j with Denial of Service Present

Category: Network and credentials

OS: Linux

Description

Verifies if a vulnerable version of the log4j module is present on the disk. The vulnerable module could be affected by CVE-2021-45105, and submitting a specially crafted request to it might cause a denial of service when a crafted string is interpreted.

Recommendation

Avoid using Log4j versions 2.x to 2.16.0, except version 2.12.3, which fixes the issue.

Pkexec with Local Privilege Escalation Present

Category: Vulnerability

OS: Linux

Description

Verifies if a vulnerable version of the Polkit package is installed on the endpoint. The vulnerable module could be affected by CVE-2021-4034, which allows any unprivileged user to gain full root privileges by exploiting this vulnerability in its default configuration.

Recommendation

Apply the latest available patches for this vulnerability.

systemd-timesyncd is configured

Category: OS security

OS: Linux

Description

systemd-timesyncd is a daemon that has been added for synchronizing the system clock across the network. This recommendation only applies if timesyncd is in use on the system.

Recommendation

Ensure that timesyncd is enabled and started. Review /etc/systemd/timesyncd.conf and ensure that NTP, FallbackNTP and RootDistanceMax are listed in accordance with local policy.

chrony is configured

Category: OS security

OS: Linux

Description

chrony is a daemon which implements the Network Time Protocol (NTP), which is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. This recommendation only applies if chrony is used on the system.

Recommendation

Review /etc/chrony.conf and ensure that the remote server is configured properly.

ntp is configured

Category: OS security

OS: Linux

Description

ntp is a daemon that implements the Network Time Protocol (NTP), which is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. This recommendation only applies if ntp is used on the system.

Recommendation

Review /etc/ntp.conf and ensure that the remote server is configured properly and the restrict option is set. Verify that ntp is configured to run as the ntp user.

telnet server is not installed

Category: OS security

OS: Linux

Description

The telnet-server package contains the telnet daemon. The telnet protocol is insecure and unencrypted.

Recommendation

Check if telnet-server is installed.

XD NX support is enabled

Category: OS security

OS: Linux

Description

Recent processors in the x86 family support the ability to prevent code execution on a per-memory-page basis. Generically and on AMD processors, this ability is called No Execute (NX), while on Intel processors it is called Execute Disable (XD).

Recommendation

Check if XD/NX support is enabled.

IPv4 firewall rules exist for all open ports

Category: OS security

OS: Linux

Description

Any ports that have been opened on non-loopback addresses need firewall rules to govern traffic. This recommendation only applies if iptables is used on the system.

Recommendation

For each open port, check if an iptables firewall rule exists.

All users last password change is in the past

Category: OS security

OS: Linux

Description

All users should have a password change date in the past. If a user's recorded password change date is in the future, they could bypass any configured password expiration.

Recommendation

Verify that no user has a password change date in the future.
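The password ageing recommendations above (365-day maximum, 1-day minimum, 7-day warning, 30-day inactivity lock) and this future-change-date check can be verified together from /etc/login.defs, /etc/default/useradd and /etc/shadow. This is an added example, not the product's own check; the three configuration samples are constructed, with placeholder hashes.

```python
"""Check password ageing defaults and per-account shadow entries against the
thresholds listed above.  Added example, not the product's own check; the
login.defs, useradd-defaults and shadow text below is constructed."""
import datetime as dt

# Thresholds from the recommendations above.
MAX_DAYS, MIN_DAYS, WARN_AGE, INACTIVE = 365, 1, 7, 30


def parse_key_values(text, sep=None):
    """Parse 'KEY VALUE' (login.defs) or 'KEY=VALUE' (useradd defaults) lines."""
    values = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(sep, 1)
        if len(parts) == 2:
            values[parts[0].strip()] = parts[1].strip()
    return values


def check_defaults(login_defs, useradd_defaults):
    """Findings for the system-wide defaults applied to newly created accounts."""
    defs = parse_key_values(login_defs)
    useradd = parse_key_values(useradd_defaults, "=")
    checks = [
        ("PASS_MAX_DAYS", defs, lambda v: v <= MAX_DAYS, f"{MAX_DAYS} or less"),
        ("PASS_MIN_DAYS", defs, lambda v: v >= MIN_DAYS, f"{MIN_DAYS} or more"),
        ("PASS_WARN_AGE", defs, lambda v: v >= WARN_AGE, f"{WARN_AGE} or more"),
        # INACTIVE=-1 disables the lock entirely, so it must lie in 0..30
        ("INACTIVE", useradd, lambda v: 0 <= v <= INACTIVE, f"0 to {INACTIVE}"),
    ]
    findings = []
    for key, source, ok, expected in checks:
        raw = source.get(key)
        if raw is None or not ok(int(raw)):
            findings.append(f"{key} is {raw!r}, expected {expected}")
    return findings


def check_shadow(shadow_text, today):
    """Per-account findings from /etc/shadow for accounts that have a password."""
    today_days = (today - dt.date(1970, 1, 1)).days   # shadow dates are days since epoch
    findings = []
    for raw in shadow_text.splitlines():
        f = raw.split(":")
        if len(f) < 8 or not f[1] or f[1].startswith(("!", "*")):
            continue   # locked or passwordless accounts are out of scope here
        user = f[0]
        last, mn, mx, warn, inact = (int(x) if x else None for x in f[2:7])
        if last is not None and last > today_days:
            findings.append(f"{user}: last password change is in the future")
        if mx is None or mx > MAX_DAYS:
            findings.append(f"{user}: max days is {mx}, expected {MAX_DAYS} or less")
        if mn is None or mn < MIN_DAYS:
            findings.append(f"{user}: min days is {mn}, expected {MIN_DAYS} or more")
        if warn is None or warn < WARN_AGE:
            findings.append(f"{user}: warn age is {warn}, expected {WARN_AGE} or more")
        if inact is None or inact > INACTIVE:
            findings.append(f"{user}: inactive is {inact}, expected {INACTIVE} or less")
    return findings


# Constructed samples: weak defaults, one compliant user and one with a
# future change date, no maximum, no minimum and no inactivity lock.
SAMPLE_LOGIN_DEFS = "UMASK 027\nPASS_MAX_DAYS 99999\nPASS_MIN_DAYS 0\nPASS_WARN_AGE 7\n"
SAMPLE_USERADD = "# constructed /etc/default/useradd\nSHELL=/bin/sh\nINACTIVE=-1\n"
SAMPLE_SHADOW = """\
root:!:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$constructed-placeholder:19700:1:365:7:30:::
bob:$6$constructed-placeholder:19800:0:99999:7:::
"""

if __name__ == "__main__":
    for finding in check_defaults(SAMPLE_LOGIN_DEFS, SAMPLE_USERADD):
        print(finding)
    for finding in check_shadow(SAMPLE_SHADOW, dt.date(2024, 1, 1)):
        print(finding)
```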

System accounts are secured

Category: OS security

OS: Linux

Description

There are a number of accounts provided with most distributions that are used to manage applications and are not intended to provide an interactive shell.

Recommendation

Verify that every system account shell is set to either nologin or /bin/false.

System administrator actions are collected

Category: OS security

OS: Linux

Description

Monitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first, then all administrator commands will be logged to /var/log/sudo.log.

Recommendation

Check if an audit rule exists for /var/log/sudo.log.

SELinux is not disabled in bootloader configuration

Category: OS security

OS: Linux

Description

Configure SELinux to be enabled at boot time and verify that it has not been overwritten by the grub boot parameters.

Recommendation

SELinux must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden.

SELinux state is enforcing

Category: OS security

OS: Linux

Description

When SELinux is running in enforcing mode, it enforces the SELinux policy and denies access based on SELinux policy rules.

Recommendation

Verify that SELINUX=enforcing is set in /etc/selinux/config.

SELinux policy is configured

Category: OS security

OS: Linux

Description

Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy. This item is intended to ensure that at least the default recommendations are met.

Recommendation

Configure SELinux to meet or exceed the default targeted policy, which constrains daemons and system software only.

SETroubleshoot is not installed

Category: OS security

OS: Linux

Description

The SETroubleshoot service notifies desktop users of SELinux denials through a user-friendly interface. The service provides important information around configuration errors, unauthorized intrusions and other potential errors.

Recommendation

The SETroubleshoot service is an unnecessary daemon to have running on a server. Verify setroubleshoot is not installed.

MCS Translation Service is not installed

Category: OS security

OS: Linux

Description

The mcstransd daemon provides category label information to client processes requesting information. Since the service is not used very often, remove it to reduce the amount of potentially vulnerable code running on the system.

Recommendation

Verify mcstrans is not installed.

System-wide crypto policy is not legacy

Category: OS security

OS: Linux

Description

The system-wide crypto-policies followed by the crypto core components allow consistently deprecating and disabling algorithms system-wide.

Recommendation

Verify in /etc/crypto-policies/config that the system-wide crypto policy is not LEGACY.

System-wide crypto policy is FUTURE or FIPS

Category: OS security

OS: Linux

Description

The system-wide crypto-policies followed by the crypto core components allow consistently deprecating and disabling algorithms system-wide.

Recommendation

Verify in /etc/crypto-policies/config that the system-wide crypto policy is Future or FIPS.

Only one firewall service enabled

Category: OS security

OS: Linux

Description

A firewall provides defense against external and internal threats by refusing unauthorized connections, to stop intrusion and provide a strong method of access control policy.

Recommendation

Keep only one of firewalld, nftables or iptables installed and enabled; two services managing the rule set at the same time produce conflicting or silently overwritten rules. Note that firewalld on current distributions uses nftables as its backend, so the nftables package being present as a dependency is expected; what must not happen is two firewall services being enabled at once.

System-wide crypto policy is not overridden

Category: OS security

OS: Linux

Description

The system-wide crypto policy can be overridden or opted out of for OpenSSH. Overriding or opting out of it lets sshd negotiate weaker algorithms than the policy allows, silently undoing the system-wide setting for one of the most exposed services on the host.

Recommendation

Verify in /etc/sysconfig/sshd that no active (uncommented) CRYPTO_POLICY line is present; an empty CRYPTO_POLICY= is still an opt-out.
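
The three crypto-policy items above (not LEGACY, FUTURE or FIPS, not overridden for sshd) can be evaluated from two files. The following Python helper, added here as an example and not the product's own check logic, parses the text of /etc/crypto-policies/config (one effective line, a base policy optionally followed by ':'-separated subpolicy modifiers such as DEFAULT:NO-SHA1) and of /etc/sysconfig/sshd, and reports all three results. The sample file contents are constructed for the demonstration.

```python
import re

STRONG_POLICIES = ("FUTURE", "FIPS")


def active_crypto_policy(config_text):
    """Return (base_policy, subpolicies) from the text of /etc/crypto-policies/config.
    The first non-comment line is the effective setting, e.g. 'DEFAULT' or
    'DEFAULT:NO-SHA1'. Returns (None, []) if the file carries no setting."""
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        base, _, rest = line.partition(":")
        return base.upper(), [s.upper() for s in rest.split(":") if s]
    return None, []


def sshd_opted_out(sysconfig_text):
    """True if /etc/sysconfig/sshd carries an active (uncommented) CRYPTO_POLICY=
    line. Any such line, even 'CRYPTO_POLICY=' with an empty value, makes sshd
    ignore the system-wide policy and fall back to its own sshd_config settings."""
    return any(re.match(r"\s*CRYPTO_POLICY\s*=", line)
               for line in sysconfig_text.splitlines())


def audit_crypto_policy(config_text, sysconfig_text):
    """Evaluate the three crypto-policy items; returns a dict of results."""
    base, subs = active_crypto_policy(config_text)
    return {
        "policy": base,
        "subpolicies": subs,
        "not_legacy": base is not None and base != "LEGACY",
        "future_or_fips": base in STRONG_POLICIES,
        "not_overridden_for_sshd": not sshd_opted_out(sysconfig_text),
    }


# Constructed sample file contents (not taken from a real host).
SAMPLE_CONFIG_OK = "# system-wide crypto policy\nFUTURE\n"
SAMPLE_CONFIG_LEGACY = "LEGACY\n"
SAMPLE_CONFIG_SUBPOLICY = "DEFAULT:NO-SHA1\n"
SAMPLE_SSHD_OK = "# To opt out of the system crypto policy, uncomment the line below.\n# CRYPTO_POLICY=\n"
SAMPLE_SSHD_OVERRIDDEN = "CRYPTO_POLICY=\n"

if __name__ == "__main__":
    cases = [("hardened", SAMPLE_CONFIG_OK, SAMPLE_SSHD_OK),
             ("legacy + sshd override", SAMPLE_CONFIG_LEGACY, SAMPLE_SSHD_OVERRIDDEN),
             ("default with subpolicy", SAMPLE_CONFIG_SUBPOLICY, SAMPLE_SSHD_OK)]
    for label, cfg, sshd in cases:
        print(f"{label:24} {audit_crypto_policy(cfg, sshd)}")
```

On a live system, update-crypto-policies --show is the authoritative way to read the active policy, and the helper can be run on the output of cat /etc/crypto-policies/config and cat /etc/sysconfig/sshd collected from each host.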

Last logged in user display is disabled

Category: OS security

OS: Linux

Description

Displaying the last logged-in user reveals half of the username/password pair that an unauthorized person would need to log on.

Recommendation

Verify that the GDM dconf configuration sets disable-user-list=true under [org/gnome/login-screen] (for example in a keyfile under /etc/dconf/db/gdm.d/, applied with dconf update).

Net Snmp is not installed

Category: OS security

OS: Linux

Description

Simple Network Management Protocol (SNMP) is a widely used protocol for monitoring the health of network equipment. SNMP v1 and v2c authenticate with community strings sent in clear text and offer no encryption; if SNMP is required, the server should use only SNMP v3 with authentication and privacy enabled.

Recommendation

Verify that net-snmp is not installed.

Dirty Pipe Vulnerability

Category: OS security

OS: Linux

Description

Dirty Pipe (CVE-2022-0847) is a vulnerability in the Linux kernel introduced in version 5.8 that lets an unprivileged local user overwrite data in arbitrary read-only files, including files owned by root. This leads to privilege escalation, as unprivileged processes can inject code into root processes. The vulnerability has been fixed upstream in Linux 5.16.11, 5.15.25 and 5.10.102; distributions ship the fix in their own kernel packages under vendor-specific version numbers.

Recommendation

Keep the kernel up to date. On distributions that backport fixes, confirm the patched package version in the vendor advisory rather than relying on the upstream version number alone, and reboot so that the patched kernel is actually the one running.
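
As an added example (not the product's own check), the Python helper below classifies a uname -r string against the upstream fixed releases named above. It is deliberately a version-string heuristic: the fix ranges (5.8 introduces the bug; 5.10.102, 5.15.25 and 5.16.11 fix their series; 5.17 was released with the fix; the series in between that were already end-of-life never received it upstream) are taken from the upstream stable releases, while the sample host inventory is constructed for the demonstration and the treatment of distribution kernels as "verify with the vendor" is the caveat a practitioner needs.

```python
import re

# Upstream stable releases that carry the Dirty Pipe fix.
FIXED_IN = {
    (5, 10): (5, 10, 102),
    (5, 15): (5, 15, 25),
    (5, 16): (5, 16, 11),
}
INTRODUCED = (5, 8, 0)            # first release with the faulty pipe-buffer flag handling
FIRST_CLEAN_SERIES = (5, 17, 0)   # 5.17 shipped with the fix already merged


def parse_kernel_version(uname_r):
    """Turn a `uname -r` string such as '5.15.24-generic' or '5.10.0-10-amd64'
    into a (major, minor, patch) tuple; the distribution suffix is ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", uname_r)
    if not m:
        raise ValueError(f"unrecognised kernel version: {uname_r!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def dirty_pipe_vulnerable(uname_r):
    """True if the *upstream* version number falls inside the vulnerable range.
    Distributions backport fixes without bumping the upstream number, so a True
    result must be confirmed against the vendor advisory or package changelog
    before it is treated as a finding."""
    v = parse_kernel_version(uname_r)
    if v < INTRODUCED or v >= FIRST_CLEAN_SERIES:
        return False
    fixed = FIXED_IN.get(v[:2])
    if fixed is not None:
        return v < fixed
    return True  # 5.8, 5.9 and 5.11-5.14: end-of-life inside the affected window, never fixed upstream


def assess_hosts(inventory):
    """Map host name -> vulnerable flag for a {host: uname_r} dict."""
    return {host: dirty_pipe_vulnerable(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (not real hosts) covering the interesting cases.
    sample = {
        "web01": "5.15.24-generic",        # one release short of the 5.15 fix
        "web02": "5.15.25-generic",        # fixed
        "db01": "5.10.101",                # vulnerable upstream
        "db02": "5.10.102",                # fixed
        "k8s01": "5.13.0-30-generic",      # EOL series: upstream never fixed it, vendor may have
        "legacy": "4.18.0-348.el8.x86_64", # predates the bug entirely
        "new01": "6.1.0",
    }
    for host, flag in assess_hosts(sample).items():
        verdict = "VULNERABLE by version (verify with vendor advisory)" if flag else "not affected by version"
        print(f"{host:7} {sample[host]:24} {verdict}")
```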

Log4j with Remote Code Execution Present

Category: Network and credentials

OS: Linux

Description

Verifies if a vulnerable version of the log4j library is present on disk. The vulnerable versions are affected by CVE-2021-44228 (Log4Shell) and CVE-2021-45046: a specially crafted string that ends up in a log message triggers a JNDI lookup, which can download and then execute a malicious payload.

Recommendation

Do not use Log4j 2 versions 2.0-beta9 through 2.15.0; upgrade to 2.16.0 or later (2.12.2 on Java 7, 2.3.1 on Java 6). Where an upgrade is not immediately possible, remove the JndiLookup class from the jar (zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class) as an interim mitigation.
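
As an added example of the on-disk check this item describes (it is not the product's own scanner), the Python script below walks a directory tree, reads the version of every log4j-core jar from the Maven pom.properties embedded in the archive (falling back to the file name), applies the affected-version range from the Apache advisory, and only reports a jar as vulnerable when the JndiLookup class is still inside it, so jars mitigated by stripping that class are not flagged. The jars it scans are constructed stand-ins built in a temporary directory with placeholder class bytes; they are not real Log4j artifacts.

```python
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def version_tuple(ver):
    """'2.14.1' -> (2, 14, 1); pre-release suffixes such as '2.0-beta9' are dropped."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", ver)
    if not m:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def version_is_vulnerable(ver):
    """True for log4j-core 2.0-beta9 .. 2.15.0, except the Java 6/7 fix releases
    (2.3.1+ and 2.12.2+). Log4j 1.x is a different code base, not covered here."""
    v = version_tuple(ver)
    if v is None or v[0] != 2 or v > (2, 15, 0):
        return False
    if v[:2] == (2, 12) and v[2] >= 2:
        return False
    if v[:2] == (2, 3) and v[2] >= 1:
        return False
    return True


def assess_jar(jar_path):
    """Return (version, jndi_class_present, vulnerable) for one jar."""
    version = None
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    if version is None:  # no Maven metadata: fall back to the file name
        m = re.search(r"log4j-core-(\d[\w.-]*)\.jar$", os.path.basename(jar_path))
        version = m.group(1) if m else None
    jndi = JNDI_CLASS in names
    vulnerable = version is not None and version_is_vulnerable(version) and jndi
    return version, jndi, vulnerable


def scan_tree(root):
    """Walk a directory tree and assess every *.jar found, keyed by relative path."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                findings[os.path.relpath(path, root)] = assess_jar(path)
            except zipfile.BadZipFile:
                continue  # not a real archive; skip it
    return findings


def make_sample_jar(path, version, with_jndi):
    """Write a constructed stand-in jar: real Maven metadata layout, placeholder
    class bytes (these are not real Log4j classes)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")


def demo():
    """Build a constructed tree of sample jars and return {relative path: vulnerable flag}."""
    root = tempfile.mkdtemp(prefix="log4j-demo-")
    os.makedirs(os.path.join(root, "app", "lib"))
    make_sample_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1", True)
    make_sample_jar(os.path.join(root, "log4j-core-2.15.0.jar"), "2.15.0", True)
    make_sample_jar(os.path.join(root, "log4j-core-2.16.0.jar"), "2.16.0", True)
    # Same vulnerable version, but with JndiLookup.class removed as the interim mitigation.
    make_sample_jar(os.path.join(root, "app", "lib", "log4j-core-2.14.1.jar"), "2.14.1", False)
    return {p: vuln for p, (_, _, vuln) in scan_tree(root).items()}


if __name__ == "__main__":
    for path, vuln in sorted(demo().items()):
        print(f"{'VULNERABLE' if vuln else 'ok        '}  {path}")
```

To run the scanner against a real host, call scan_tree on the application or container root instead of the constructed tree. Jars embedded inside other archives (WAR, EAR, fat jars) are not opened recursively by this example, so a clean result from it does not prove that no vulnerable copy exists.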

Cr8escape Vulnerability

Category: Vulnerability

OS: Linux

Description

Cr8escape (CVE-2022-0811) is a vulnerability in the CRI-O container runtime, caused by the way it applies kernel parameters (sysctls) to a pod. Users with rights to deploy pods on Kubernetes clusters running a vulnerable CRI-O version can escape the container, gain access to the host, and execute arbitrary code as root on the cluster node.

Recommendation

Update to a patched version of CRI-O. Versions that address the issue: 1.23.2, 1.22.3, 1.21.6, 1.20.7 and 1.19.6 (or later in each series).

Spring Cloud Functions vulnerability (Spring4Shell)

Category: Vulnerability

OS: Linux

Description

Spring Cloud Function versions 3.1.6, 3.2.2 and older are vulnerable to CVE-2022-22963. The vulnerability allows a user to supply a specially crafted SpEL payload in the spring.cloud.function.routing-expression request header, which is evaluated server-side; this may result in remote code execution and access to local resources. Note that this is distinct from the Spring Framework vulnerability usually called Spring4Shell (CVE-2022-22965), which affects a different component.

Recommendation

Upgrade Spring Cloud Function to version 3.1.7, 3.2.3 or higher.