
GravityZone Indicators of Risk

The Endpoint Risk Analytics (ERA) module integrated in GravityZone helps you identify and remediate a large number of network and operating system risks at the endpoint level.

You can send scan tasks based on indicators of risk across your network (on demand, from the Tasks menu, or recurrently, via policy) to identify endpoints with security setting misconfigurations. Afterwards, you can assess the security risk status of your network from the Risk Management dashboard.

Important: The Endpoint Risk Analytics (ERA) module is available only for supported Windows desktop and server operating systems.

Below is the list of risk indicators available with the GravityZone Endpoint Risk Analytics module, with a detailed description of each.

The indicators of risk are grouped into two categories:

GravityZone indicators of risk for operating system settings

Each indicator below is listed with four fields: Name, Level, Description, Action.
Task Manager
Misconfiguration
Verifies the local group policy setting "User Configuration > Administrative Templates > System > Ctrl+Alt+Del Options > Remove Task Manager". When "Remove Task Manager" is enabled, the endpoint is vulnerable to security threats. Since Task Manager can list and terminate currently running processes, some malware disables it to prevent itself from being closed.
We recommend keeping Task Manager enabled on all endpoints.
Smart Card Service
Misconfiguration
Verifies the settings for Smart Card local service.
The Smart Card Service provides read access to smart cards and public key services support through a process running in the background (scardsvr.exe). Though this Windows service is considered quite safe, some malware programs disguise themselves as scardsvr.exe.
If this service is not used explicitly on endpoints, we recommend disabling it.
Telnet Server Service
Misconfiguration
Verifies whether the Telnet Server service is installed and enabled on the endpoint.
Telnet is one of the earliest TCP/IP protocols allowing access to remote endpoints via terminal sessions. Telnet provides no built-in security measures (such as data encryption or authentication) and using it exposes endpoints to security risks.
We recommend disabling the Telnet Server service on all endpoints and using SSH instead.
Auto Logon
Misconfiguration
Verifies whether Windows requires account sign-in. When account sign-in is disabled, Windows stores the user password in the registry, making it possible to bypass the password screen during logon.
We recommend always requiring account sign-in.
Secure Logon
Misconfiguration
Verifies the local security policy option "Interactive logon: Do not require CTRL+ALT+DEL".
This option defines whether users must unlock their computer before logging into Windows by pressing CTRL+ALT+DEL, as an additional security layer that prevents malware intercepting usernames and passwords. If this option is set on "Enabled", the system is more vulnerable to security threats.
We recommend setting this policy on "Disabled".
UAC Off
Microsoft Security Baseline
Verifies the local security policy option "User Account Control: Run all administrators in Admin Approval Mode".
This setting controls the behavior of all UAC policy settings for the endpoint.
UAC (User Account Control) is a security feature that helps prevent unauthorized changes to the OS by potentially harmful programs. UAC requires administrator authorization for actions like installing a program or modifying system settings. When UAC is set on "Never notify", the system is more vulnerable to malware.
We recommend setting this policy on "Enabled".
UAC Insecure
Microsoft Security Baseline
Verifies the User Account Control policy and registry settings, to check whether they comply with the default recommended settings. The policy settings are located in "Security Settings > Local Policies > Security Options" in the Local Security Policy.
Configure the UAC settings to at least the default level.
Automatic Updates
Misconfiguration
Verifies the local group policy "Configure Automatic Updates", located in "Computer Configuration > Administrative Templates > Windows Components > Windows Update". This policy specifies whether the endpoint will receive security updates and other important downloads through the Windows automatic updating service. When disabled, the endpoint is more vulnerable to security threats.
We recommend setting this policy on "Enabled".
Lan Manager Hash
Microsoft Security Baseline
Verifies the local security policy option "Network security: Do not store LAN Manager hash value on next password change".
When the user sets a password of fewer than 15 characters, Windows generates a LAN Manager hash (LM hash) of that password. If the Windows security option is set to store the hash in the local Security Accounts Manager (SAM) database, the passwords can be compromised and the endpoint is prone to brute force attacks.
After applying the fix, all affected users must change their domain password. The new password must be at least 15 characters long. In this case, Windows stores an LM hash value that cannot be used to authenticate the user.
Kernel-Mode Printer Drivers
Misconfiguration
Verifies the local group policy "Disallow installation of printers using kernel-mode drivers", located in "Computer Configuration > Administrative Templates > Printers".
This setting determines whether printers using kernel-mode drivers may be installed on the local endpoint. Kernel-mode drivers have access to system-wide memory, and therefore poorly written kernel-mode drivers can cause stop errors.
When this option is "Disabled", the printer drivers will run in the kernel space of the operating system, exposing the endpoint to security risks.
We recommend setting this policy on "Enabled".
Windows Backup Service
Misconfiguration
Verifies the settings for Windows Backup and Restore service (SDRSVC).
When this service is stopped, the system does not have access to native Microsoft backup and restore tools.
We recommend enabling this service on all endpoints.
Telephony
Misconfiguration
Verifies the status of Telephony service.
We recommend setting this service startup type on "Disabled".
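The service-based indicators above (Smart Card Service, Telnet Server Service, Windows Backup Service, Telephony) and the Auto Logon indicator can be checked locally before a GravityZone scan runs. The script below is an added example, not code from the GravityZone page or from Bitdefender's ERA module, and it does not claim to reproduce how ERA performs its checks. It assumes the standard Windows service names (SCardSvr, TlntSvr, SDRSVC, TapiSrv) and the standard Winlogon registry values (AutoAdminLogon, DefaultPassword), none of which the page states, and it expects to run in an elevated PowerShell session.

```powershell
# Added example: local audit of the service and Auto Logon indicators listed above.
# Not Bitdefender's code. Service names and Winlogon value names are standard
# Windows names assumed here, not taken from the page.

$serviceExpectations = @(
    # Indicator name from the page, service name, recommended state from the page
    @{ Indicator = 'Smart Card Service';     Service = 'SCardSvr'; Want = 'Disabled' }
    @{ Indicator = 'Telnet Server Service';  Service = 'TlntSvr';  Want = 'Disabled' }
    @{ Indicator = 'Windows Backup Service'; Service = 'SDRSVC';   Want = 'Enabled'  }
    @{ Indicator = 'Telephony';              Service = 'TapiSrv';  Want = 'Disabled' }
)

function Test-ServiceIndicator {
    param([hashtable]$Expectation)
    $svc = Get-Service -Name $Expectation.Service -ErrorAction SilentlyContinue
    if (-not $svc) {
        # A service that is not installed (typical for Telnet Server) cannot be abused,
        # but a missing service that should be enabled (Backup) is still a finding.
        $observed = 'NotInstalled'
        $atRisk   = ($Expectation.Want -eq 'Enabled')
    } else {
        # StartType covers Automatic/Manual/Disabled; Status is the live state.
        $observed = "$($svc.StartType)/$($svc.Status)"
        $enabled  = ($svc.StartType -ne 'Disabled')
        $atRisk   = if ($Expectation.Want -eq 'Disabled') { $enabled } else { -not $enabled }
    }
    [pscustomobject]@{
        Indicator = $Expectation.Indicator
        Observed  = $observed
        Expected  = $Expectation.Want
        AtRisk    = $atRisk
    }
}

function Test-AutoLogon {
    # Auto Logon is driven by the Winlogon key; a DefaultPassword value is the
    # stored-password case the page describes.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $autoLogon      = ($p.AutoAdminLogon -eq '1')
    $passwordStored = -not [string]::IsNullOrEmpty($p.DefaultPassword)
    [pscustomobject]@{
        Indicator = 'Auto Logon'
        Observed  = "AutoAdminLogon=$($p.AutoAdminLogon); DefaultPassword=$(if ($passwordStored) { 'present' } else { 'absent' })"
        Expected  = 'sign-in required'
        AtRisk    = ($autoLogon -or $passwordStored)
    }
}

$results  = @($serviceExpectations | ForEach-Object { Test-ServiceIndicator -Expectation $_ })
$results += Test-AutoLogon
$results | Format-Table -AutoSize
# Non-zero exit code when any indicator is at risk, so the script can gate a build or a scheduled job.
exit ([int]([bool]($results | Where-Object AtRisk)))
```

The script only reports; remediation (setting the startup type, removing AutoAdminLogon and DefaultPassword) is a separate, deliberate step, which matches the page's split between the scan task and the Risk Management dashboard.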
Lock Screen App Notifications
Misconfiguration
Verifies the local group policy "Turn off app notifications on the lock screen", located in "Computer Configuration > Administrative Templates > System > Logon".
This policy setting lets you prevent app notifications from appearing on the lock screen.
If you enable this policy setting, no app notifications are displayed on the lock screen.
If you disable or do not configure this policy setting, users can choose which apps display notifications on the lock screen.
We recommend setting this policy on "Enabled".
Microphones
Misconfiguration
Verifies if there are any enabled microphones on the endpoint.
We recommend disabling microphones on endpoints.
Store Passwords for Network Authentication
Misconfiguration
Verifies the local security policy option "Network access: Do not allow storage of passwords and credentials for network authentication".
This security setting determines whether Credential Manager saves passwords and credentials for later use when it gains domain authentication.
If you enable this setting, Credential Manager does not store passwords and credentials on the computer.
If you disable or do not configure this policy setting, Credential Manager will store passwords and credentials on this computer for later use for domain authentication.
Note: When configuring this security setting, changes will not take effect until you restart Windows.
We recommend setting this policy on "Enabled".
Lock Screen Camera
Microsoft Security Baseline
Verifies the local group policy "Prevent enabling lock screen camera", located in "Computer Configuration > Administrative Templates > Control Panel > Personalization".
This policy disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen.
We recommend setting this policy on "Enabled".
Lock Screen Slide Show
Microsoft Security Baseline
Verifies the local group policy "Prevent enabling lock screen slide show", located in "Computer Configuration > Administrative Templates > Control Panel > Personalization".
This policy disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen.
We recommend setting this policy on "Enabled".
Strengthen Permissions
Microsoft Security Baseline
Verifies the local security policy option "System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)".
This security setting determines the strength of the default Discretionary Access Control List (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted. If this policy is enabled, the default DACL is stronger, allowing users who are not administrators to read shared objects but not allowing these users to modify shared objects that they did not create.
We recommend setting this policy on "Enabled".
Enumerate Local Users
Microsoft Security Baseline
Verifies the local group policy "Enumerate local users on domain-joined computers", located in "Computer Configuration > Administrative Templates > System > Logon".
This policy allows local users to be enumerated on domain-joined computers.
If you enable this policy, Logon UI will enumerate all local users on domain-joined computers.
We recommend setting this policy on "Disabled".
PIN Sign-In
Microsoft Security Baseline
Verifies the local group policy "Turn on convenience PIN sign-in", located in "Computer Configuration > Administrative Templates > System > Logon".
This policy allows you to control whether a domain user can sign in using a convenience PIN.
If you disable or do not configure this policy, a domain user cannot set up and use a convenience PIN. The user's domain password will be cached in the system vault when using this feature.
We recommend setting this policy on "Disabled".
Optional Microsoft Accounts
Misconfiguration
Verifies the local group policy "Allow Microsoft accounts to be optional", located in "Computer Configuration > Administrative Templates > Windows Components > App runtime".
This policy lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it.
If you enable this policy, Windows Store apps that typically require a Microsoft account to sign in will allow users to sign in with an enterprise account instead. If you disable or do not configure this policy, users will need to sign in with a Microsoft account.
We recommend setting this policy on "Enabled".
Autoplay Non-Volume Devices
Microsoft Security Baseline
Verifies the local group policy "Disallow Autoplay for non-volume devices", located in "Computer Configuration > Administrative Templates > Windows Components > Autoplay Policies".
This policy disallows AutoPlay for MTP devices like cameras or phones. If you disable or do not configure this policy, AutoPlay is enabled for non-volume devices.
We recommend setting this policy on "Enabled".
Turn off Autoplay
Microsoft Security Baseline
Verifies the local group policy "Turn off Autoplay", located in "Computer Configuration > Administrative Templates > Windows Components > Autoplay Policies".
This policy setting allows you to turn off the Autoplay feature (reading from a drive as soon as media is inserted in it). If Autoplay is left on, a program's setup file or the music on audio media starts immediately when the media is inserted in the drive.
We recommend setting this policy on "Enabled: All Drives".
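"Enabled: All Drives" is stored as a bitmask in which each bit corresponds to a drive type, so reading the raw value tells you exactly which drive types still autoplay. The decoder below is an added example, not code from the GravityZone page or from Bitdefender's ERA module. It assumes the standard Windows backing value, NoDriveTypeAutoRun under the Policies\Explorer key (machine-wide under HKLM, per-user under HKCU), and the standard bit assignments, which the page does not state.

```powershell
# Added example: decode the NoDriveTypeAutoRun bitmask behind "Turn off Autoplay".
# Not Bitdefender's code. Key path and bit meanings are standard Windows values
# assumed here, not taken from the page.

# Bit value -> drive type whose Autoplay is suppressed when the bit is set.
$driveTypeBits = [ordered]@{
    1   = 'DRIVE_UNKNOWN'        # 0x01
    2   = 'DRIVE_NO_ROOT_DIR'    # 0x02
    4   = 'DRIVE_REMOVABLE'      # 0x04 (USB sticks, floppies)
    8   = 'DRIVE_FIXED'          # 0x08
    16  = 'DRIVE_REMOTE'         # 0x10 (network shares)
    32  = 'DRIVE_CDROM'          # 0x20
    64  = 'DRIVE_RAMDISK'        # 0x40
    128 = 'reserved/unspecified' # 0x80
}

function ConvertFrom-AutoRunMask {
    param([int]$Mask)
    $blocked = foreach ($entry in $driveTypeBits.GetEnumerator()) {
        if ($Mask -band $entry.Key) { $entry.Value }
    }
    [pscustomobject]@{
        Mask      = ('0x{0:X2}' -f $Mask)
        Blocked   = (@($blocked) -join ', ')
        # The page's recommended state, "All Drives", is every bit set (0xFF).
        AllDrives = (($Mask -band 0xFF) -eq 0xFF)
    }
}

function Get-AutoRunPolicy {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($path in $paths) {
        $v = (Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($null -ne $v) {
            [pscustomobject]@{ Scope = $path; Value = ('0x{0:X2}' -f $v); Decoded = (ConvertFrom-AutoRunMask -Mask $v) }
        }
    }
}

# 0x91 is what Windows uses when no policy is set: unknown, network and reserved
# drive types are blocked, but removable media and CD-ROMs still autoplay.
ConvertFrom-AutoRunMask -Mask 0x91
ConvertFrom-AutoRunMask -Mask 0xFF
Get-AutoRunPolicy
```

If Get-AutoRunPolicy returns nothing, no policy is in effect and the 0x91 default applies; a value other than 0xFF means at least one drive type remains open to Autoplay and the indicator would be reported.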
Disable DMA
Microsoft Security Baseline
Verifies the local group policy "Disable new DMA devices when this computer is locked", located in "Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption".
This policy allows blocking direct memory access (DMA) for all Thunderbolt hot pluggable PCI downstream ports until a user logs into Windows. Devices already enumerated when the machine was unlocked will continue to function until unplugged or the system is rebooted or hibernated. This policy is only enforced when BitLocker or device encryption is enabled. Note: Some PCs may not be compatible with this policy if the system firmware enables DMA for newly attached Thunderbolt devices before exposing the new devices to Windows.
We recommend setting this policy on "Enabled".
Enhanced PIN with BitLocker
Microsoft Security Baseline
Verifies the local group policy "Allow enhanced PINs for startup", located in "Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives".
This policy configures whether enhanced startup PINs are used with BitLocker. Enhanced startup PINs allow the use of characters including uppercase and lowercase letters, symbols, numbers and spaces. This policy is applied when BitLocker is turned on.
Note: Not all computers may support enhanced PINs in the pre-boot environment. It is strongly recommended that users perform a system check during BitLocker setup. If you disable or do not configure this policy, enhanced PINs will not be used.
We recommend setting this policy on "Enabled".
Secure Boot for BitLocker
Microsoft Security Baseline
Verifies the local group policy "Allow Secure Boot for integrity validation", located in "Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives".
This policy setting defines whether Secure Boot will be allowed as the platform integrity provider for BitLocker operating system drives. Secure Boot ensures that the PC's pre-boot environment only loads firmware that is digitally signed by authorized software publishers. Secure Boot also provides more flexibility for managing pre-boot configuration than legacy BitLocker integrity checks. If you disable this policy, BitLocker will use legacy platform integrity validation even on systems capable of Secure Boot-based integrity validation. Warning: Disabling this policy may result in BitLocker recovery when firmware is updated.
We recommend setting this policy on "Enabled".
Write Removable Drives with BitLocker
Microsoft Security Baseline
Verifies the local group policy "Deny write access to removable drives not protected by BitLocker", located in "Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives".
This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive. When enabling this setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. When disabling or not configuring this setting, all removable data drives on the computer will be mounted with read and write access.
We recommend setting this policy on "Enabled".
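The four BitLocker indicators above (Disable DMA, Enhanced PIN, Secure Boot for BitLocker, Write Removable Drives) are policy checks, but two of them only have an effect once BitLocker is actually on, and the PIN policies only matter when the OS drive uses a TPM+PIN protector. The script below is an added example, not code from the GravityZone page or from Bitdefender's ERA module; it reads the policy and compares it with the live BitLocker state. It assumes the standard Windows policy values DisableExternalDMAUnderLock, UseEnhancedPin, MinimumPIN and OSAllowSecureBootForIntegrity under HKLM\SOFTWARE\Policies\Microsoft\FVE and RDVDenyWriteAccess under HKLM\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE, which the page does not state, and it needs the BitLocker module in an elevated session.

```powershell
# Added example: cross-check the BitLocker policies above against live BitLocker state.
# Not Bitdefender's code. Registry value names are standard Windows values assumed
# here, not taken from the page. Requires the BitLocker module and admin rights.

$fve = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
$rdv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue

function Get-BitLockerFindings {
    $findings = [System.Collections.Generic.List[object]]::new()
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $protectors = @($os.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    $hasPin = ($protectors -contains 'TpmPin') -or ($protectors -contains 'TpmPinStartupKey')
    $osOn   = ($os.ProtectionStatus -eq 'On')

    $findings.Add([pscustomobject]@{ Check = 'OS drive protected';            Observed = "$($os.ProtectionStatus)";   AtRisk = -not $osOn })
    # Enhanced PIN and Minimum Startup PIN only apply when a TPM+PIN protector exists.
    $findings.Add([pscustomobject]@{ Check = 'TPM+PIN protector on OS drive';  Observed = ($protectors -join ',');     AtRisk = -not $hasPin })
    $findings.Add([pscustomobject]@{ Check = 'Allow enhanced PINs for startup'; Observed = $fve.UseEnhancedPin;         AtRisk = ($fve.UseEnhancedPin -ne 1) })
    $findings.Add([pscustomobject]@{ Check = 'Minimum startup PIN length >= 7'; Observed = $fve.MinimumPIN;             AtRisk = ((-not $fve.MinimumPIN) -or ($fve.MinimumPIN -lt 7)) })
    $findings.Add([pscustomobject]@{ Check = 'Secure Boot integrity validation'; Observed = $fve.OSAllowSecureBootForIntegrity; AtRisk = ($fve.OSAllowSecureBootForIntegrity -ne 1) })
    # The page notes the DMA policy is only enforced when BitLocker is enabled,
    # so an unprotected OS drive is a finding for this check too.
    $findings.Add([pscustomobject]@{ Check = 'Disable new DMA devices when locked'; Observed = $fve.DisableExternalDMAUnderLock; AtRisk = (($fve.DisableExternalDMAUnderLock -ne 1) -or -not $osOn) })

    # Removable data drives: without RDVDenyWriteAccess an unprotected drive mounts read/write.
    $denyWrite = ($rdv.RDVDenyWriteAccess -eq 1)
    foreach ($vol in Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter }) {
        $blv = Get-BitLockerVolume -MountPoint "$($vol.DriveLetter):" -ErrorAction SilentlyContinue
        $protected = ($null -ne $blv) -and ($blv.ProtectionStatus -eq 'On')
        $findings.Add([pscustomobject]@{
            Check    = "Removable drive $($vol.DriveLetter): writable without BitLocker"
            Observed = "protected=$protected; denyWritePolicy=$denyWrite"
            AtRisk   = ((-not $protected) -and (-not $denyWrite))
        })
    }
    $findings
}

Get-BitLockerFindings | Format-Table -AutoSize
```

Reporting the policy and the live state side by side avoids a common false sense of security: the policy can be "Enabled" on an endpoint whose OS drive has never been encrypted, in which case the DMA and PIN settings protect nothing.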
Microsoft Consumer Experiences
Misconfiguration
Verifies the local group policy "Turn off Microsoft consumer experiences", located in "Computer Configuration > Administrative Templates > Windows Components > Cloud Content".
If you disable or do not configure this policy setting, users may see personalized recommendations from Microsoft and notifications about their Microsoft account. Note: This setting only applies to Enterprise and Education SKUs.
We recommend setting this policy on "Enabled".
Enumerate Admin Accounts on Elevation
Microsoft Security Baseline
Verifies the local group policy "Enumerate administrator accounts on elevation", located in "Computer Configuration > Administrative Templates > Windows Components > Credential User Interface".
This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts are not displayed when the user attempts to elevate a running application. If you enable this setting, all the local administrator accounts will be displayed, so the user can choose one and enter the correct password. If you disable this setting, users will always be required to type a user name and password to elevate.
We recommend setting this policy on "Disabled".
File Explorer: Windows Defender SmartScreen
Microsoft Security Baseline
Verifies the local group policy "Configure Windows Defender SmartScreen", located in "Computer Configuration > Administrative Templates > Windows Components > File Explorer".
This policy allows turning Windows Defender SmartScreen on or off. SmartScreen helps protect PCs by warning users before running potentially malicious programs downloaded from the Internet. No dialog is shown for apps that do not appear to be suspicious. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled.
If you enable this policy, SmartScreen will be turned on for all users. You can configure this feature by the following options:
- "Warn and prevent bypass": removes the user option to disregard the warning and run the app. SmartScreen will continue to show the warning on subsequent attempts to run the app.
- "Warn": SmartScreen's dialogs will warn the user that the app appears suspicious but will permit the user to disregard the warning and run the app anyway. SmartScreen will not warn the user again for that app if the user tells SmartScreen to run the app.
If you disable this policy, SmartScreen will be turned off for all users. Users will not be warned if they try to run suspicious apps from the Internet. If you do not configure this policy, SmartScreen will be enabled by default but users may change their settings.
We recommend setting this policy on "Enabled: Warn and prevent bypass".
Virtualization Based Security
Microsoft Security Baseline
Verifies the local group policy "Turn On Virtualization Based Security", located in "Computer Configuration > Administrative Templates > System > Device Guard".
Specifies whether Virtualization Based Security is enabled.
Virtualization Based Security uses the Windows Hypervisor to provide support for security services. Virtualization Based Security requires Secure Boot and can optionally be enabled together with DMA protection.
We recommend setting this policy on "Enabled" with the following options:
- Select Platform Security Level: Secure Boot and DMA Protection
- Virtualization Based Protection of Code Integrity: Enabled with lock
- Credential Guard Configuration: Enabled with lock
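Whether VBS, HVCI and Credential Guard are actually running is exposed by Windows separately from the policy that requests them, and the two can disagree (for example when the firmware does not offer DMA protection). The script below is an added example, not code from the GravityZone page or from Bitdefender's ERA module. It assumes the standard Win32_DeviceGuard CIM class in the root\Microsoft\Windows\DeviceGuard namespace and the standard policy values EnableVirtualizationBasedSecurity, RequirePlatformSecurityFeatures, HypervisorEnforcedCodeIntegrity and LsaCfgFlags under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard, none of which the page states.

```powershell
# Added example: live VBS state next to the three options recommended above.
# Not Bitdefender's code. CIM class, property codes and policy value names are
# standard Windows values assumed here, not taken from the page.

# Code tables for the Win32_DeviceGuard properties.
$vbsStatus     = @{ 0 = 'Off'; 1 = 'Configured, not running'; 2 = 'Running' }
$platformProps = @{ 1 = 'Base VBS'; 2 = 'Secure Boot'; 3 = 'DMA protection'; 4 = 'Secure memory overwrite'
                    5 = 'UEFI code read-only'; 6 = 'SMM mitigations'; 7 = 'Mode-based execution control' }
$services      = @{ 1 = 'Credential Guard'; 2 = 'HVCI (code integrity)'; 3 = 'System Guard Secure Launch'; 4 = 'SMM firmware measurement' }

function Get-VbsReport {
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' -ErrorAction SilentlyContinue
    $required = @($dg.RequiredSecurityProperties)
    $running  = @($dg.SecurityServicesRunning)
    [pscustomobject]@{
        PolicyEnabled         = ($pol.EnableVirtualizationBasedSecurity -eq 1)
        VbsStatus             = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
        RequiredPlatformProps = (($required | ForEach-Object { $platformProps[[int]$_] }) -join ', ')
        RunningServices       = (($running  | ForEach-Object { $services[[int]$_] })      -join ', ')
        # Option 1 on the page: Secure Boot and DMA Protection. Policy value 3 requests
        # both; the CIM side must list properties 2 and 3 as required.
        PlatformLevelOk       = (($pol.RequirePlatformSecurityFeatures -eq 3) -and ($required -contains 2) -and ($required -contains 3))
        # Option 2: HVCI enabled with lock (policy value 1) and service 2 running.
        HvciOk                = (($pol.HypervisorEnforcedCodeIntegrity -eq 1) -and ($running -contains 2))
        # Option 3: Credential Guard enabled with lock (LsaCfgFlags 1) and service 1 running.
        CredentialGuardOk     = (($pol.LsaCfgFlags -eq 1) -and ($running -contains 1))
    }
}

Get-VbsReport | Format-List
```

A report with PolicyEnabled true but VbsStatus "Configured, not running" is the case worth chasing: the policy is applied, and the endpoint still has no hypervisor-backed protection until the platform prerequisites are met and the machine is rebooted.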
Device Installation by ID
Microsoft Security Baseline
Verifies the local group policy "Prevent installation of devices that match any of these device IDs", located in "Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions".
This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.
If you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.
We recommend setting this policy on "Enabled", also selecting the following options:
- Prevent installation of devices that match any of these device IDs: PCI\CC_0C0A
- Also apply to matching devices that are already installed.
Device Installation by Setup Class
Microsoft Security Baseline
Verifies the local group policy "Prevent installation of devices using drivers that match these device setup classes", located in "Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions".
This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.
If you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings.
We recommend setting this policy on "Enabled", also selecting the following options:
- Prevent installation of devices using drivers for these device setup classes: {d48179be-ec20-11d1-b6b8-00c04fa372a7}
- Also apply to matching devices that are already installed.
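The two Device Installation Restrictions indicators above list IDs and setup class GUIDs, and both carry the "Also apply to matching devices that are already installed" option; without it a device that was present before the policy stays functional. The script below is an added example, not code from the GravityZone page or from Bitdefender's ERA module. It reads the deny lists from the policy registry location and reports any present device that matches them, which is what you would expect to be empty on a compliant endpoint. It assumes the standard Windows policy location HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions with the DenyDeviceIDs and DenyDeviceClasses flags, their Retroactive counterparts and their list subkeys, none of which the page states.

```powershell
# Added example: compare the device-installation deny lists with present devices.
# Not Bitdefender's code. The registry layout is the standard Windows policy
# location assumed here, not taken from the page.

$restrictionsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-DenyList {
    param([ValidateSet('DenyDeviceIDs', 'DenyDeviceClasses')][string]$List)
    $flags   = Get-ItemProperty -Path $restrictionsKey -ErrorAction SilentlyContinue
    $entries = @()
    # The list itself lives in a subkey, one string value per entry (named "1", "2", ...).
    $sub = Get-Item -Path (Join-Path $restrictionsKey $List) -ErrorAction SilentlyContinue
    if ($sub) { $entries = @($sub.GetValueNames() | ForEach-Object { [string]$sub.GetValue($_) }) }
    [pscustomobject]@{
        List        = $List
        Enabled     = ($flags.$List -eq 1)                    # policy set to "Enabled"
        Retroactive = ($flags."${List}Retroactive" -eq 1)    # "Also apply to matching devices that are already installed"
        Entries     = $entries
    }
}

function Find-DeniedDevicesPresent {
    $ids       = Get-DenyList -List DenyDeviceIDs
    $classes   = Get-DenyList -List DenyDeviceClasses
    $denyGuids = @($classes.Entries | ForEach-Object { $_.ToLowerInvariant() })
    foreach ($dev in Get-PnpDevice -PresentOnly) {
        # Hardware IDs and compatible IDs are both matched by the policy; -contains is case-insensitive.
        $devIds   = @($dev.HardwareID) + @($dev.CompatibleID) | Where-Object { $_ }
        $idHits   = @($ids.Entries | Where-Object { $devIds -contains $_ })
        $classHit = $denyGuids -contains ("$($dev.ClassGuid)".ToLowerInvariant())
        if ($idHits.Count -gt 0 -or $classHit) {
            [pscustomobject]@{
                InstanceId   = $dev.InstanceId
                FriendlyName = $dev.FriendlyName
                Status       = $dev.Status
                MatchedIds   = ($idHits -join ', ')
                MatchedClass = $classHit
                # A present match usually means the retroactive option is off or the policy is not applied.
                Note = if ($classHit -and -not $classes.Retroactive) { 'class deny list is not retroactive' }
                       elseif ($idHits.Count -gt 0 -and -not $ids.Retroactive) { 'ID deny list is not retroactive' }
                       else { 'policy present but device still active: check policy application' }
            }
        }
    }
}

Get-DenyList -List DenyDeviceIDs
Get-DenyList -List DenyDeviceClasses
Find-DeniedDevicesPresent | Format-Table -AutoSize
```

Running this after the policy is applied gives a direct answer to the question the indicator raises: not just "is the list configured" but "is anything on the list still plugged in and working".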
Boot-Start Driver
Microsoft Security Baseline
Verifies the local group policy "Boot-Start Driver Initialization Policy", located in "Computer Configuration > Administrative Templates > System > Early Launch Antimalware".
This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver:
- "Good": The driver has been signed and has not been tampered with.
- "Bad": The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized.
- "Bad, but required for boot": The driver has been identified as malware, but the computer cannot successfully boot without loading this driver.
- "Unknown": This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver.
If you enable this policy, you will be able to choose which boot-start drivers to initialize the next time the computer is started.
If you disable or do not configure this policy setting, the boot start drivers determined to be Good, Unknown or Bad but Boot Critical are initialized and the initialization of drivers determined to be Bad is skipped.
If your malware detection application does not include an Early Launch Antimalware boot-start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized.
We recommend setting this policy on "Enabled: Good, Unknown and bad but critical".
Anti-Spoofing
Microsoft Security Baseline
Verifies the local group policy "Configure enhanced anti-spoofing", located in "Computer Configuration > Administrative Templates > Windows Components > Biometrics > Facial Features".
This policy setting determines whether enhanced anti-spoofing is required for Windows Hello face authentication.
If you enable this setting, Windows requires all users on managed devices to use enhanced anti-spoofing for Windows Hello face authentication. This disables Windows Hello face authentication on devices that do not support enhanced anti-spoofing.
If you disable or do not configure this setting, Windows does not require enhanced anti-spoofing for Windows Hello face authentication.
We recommend setting this policy on "Enabled".
Minimum Startup PIN
Microsoft Security Baseline
Verifies the local group policy "Configure minimum PIN length for startup", located in "Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives".
This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits.
If you enable this policy setting, you can require a minimum number of digits to be used when setting the startup PIN.
If you disable or do not configure this policy setting, users can configure a startup PIN of any length between 6 and 20 digits.
We recommend setting this policy on "Enabled: Minimum characters 7".
Explorer Data Execution Prevention
Microsoft Security Baseline
Verifies the local group policy "Turn off Data Execution Prevention for Explorer", located in "Computer Configuration > Administrative Templates > Windows Components > File Explorer".
Disabling data execution prevention can allow certain legacy plug-in applications to function without terminating Explorer.
We recommend setting this policy on "Disabled".
Heap Termination on Corruption
Microsoft Security Baseline
Verifies the local group policy "Turn off heap termination on corruption", located in "Computer Configuration > Administrative Templates > Windows Components > File Explorer".
Disabling heap termination on corruption can allow certain legacy plug-in applications to function without terminating Explorer immediately, although Explorer may still terminate unexpectedly later.
We recommend setting this policy on "Disabled".
Password Manager
Microsoft Security Baseline
Verifies the local group policy "Configure Password Manager", located in "Computer Configuration > Administrative Templates > Windows Components > Microsoft Edge".
This policy setting lets you decide whether employees can save their passwords locally, using Password Manager. By default, Password Manager is turned on.
We recommend setting this policy on "Disabled".
Edge: Windows Defender SmartScreen
Microsoft Security Baseline
Verifies the local group policy "Configure Windows Defender SmartScreen", located in "Computer Configuration > Administrative Templates > Windows Components > Microsoft Edge".
This policy setting lets you configure whether to turn on Windows Defender SmartScreen. Windows Defender SmartScreen provides warning messages to help protect your employees from potential phishing scams and malicious software. By default, Windows Defender SmartScreen is turned on.
If you enable this setting, Windows Defender SmartScreen is turned on and employees cannot turn it off.
We recommend setting this policy on "Enabled".
Windows Defender SmartScreen Sites
Microsoft Security Baseline
Verifies the local group policy "Prevent bypassing Windows Defender SmartScreen prompts for sites", located in "Computer Configuration > Administrative Templates > Windows Components > Microsoft Edge".
This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about potentially malicious websites.
If you enable this setting, employees cannot ignore Windows Defender SmartScreen warnings and they are blocked from continuing to the site.
We recommend setting this policy on "Enabled".
Windows Defender SmartScreen Files
Microsoft Security Baseline
Verifies the local group policy "Prevent bypassing Windows Defender SmartScreen prompts for files", located in "Computer Configuration > Administrative Templates > Windows Components > Microsoft Edge".
This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about downloading unverified files.
If you enable this setting, employees cannot ignore Windows Defender SmartScreen warnings and they are blocked from downloading the unverified files.
We recommend setting this policy on "Enabled".
Save Passwords from RDC
Microsoft Security Baseline
Verifies the local group policy "Do not allow passwords to be saved", located in "Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Connection Client".
This policy controls whether passwords can be saved on this computer from Remote Desktop Connection.
If you enable this setting, the password saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves his settings, any password that previously existed in the RDP file will be deleted.
We recommend setting this policy on "Enabled".
Drive Redirection
Microsoft Security Baseline
Verifies the local group policy "Do not allow drive redirection", located in "Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection".
This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection).
By default, an RD Session Host server maps client drives automatically upon connection. Mapped drives appear in the session folder tree in File Explorer or Computer in the format <driveletter> on <computername>. You can use this policy setting to override this behavior.
If you enable this policy setting, client drive redirection is not allowed in Remote Desktop Services sessions, and Clipboard file copy redirection is not allowed on computers running Windows Server 2003, Windows 8, and Windows XP.
We recommend setting this policy on "Enabled".
RDS Password Prompt
Microsoft Security Baseline
Verifies the local group policy "Always prompt for password upon connection", located in "Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security".
This policy setting specifies whether Remote Desktop Services always prompts the client for a password upon connection.
You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client.
By default, Remote Desktop Services allows users to automatically log on by entering a password in the Remote Desktop Connection client.
If you enable this policy setting, users cannot automatically log on to Remote Desktop Services by supplying their passwords in the Remote Desktop Connection client. They are prompted for a password to log on.
We recommend setting this policy on "Enabled".
Download Enclosures
Microsoft Security Baseline
Verifies the local group policy "Prevent downloading of enclosures", located in "Computer Configuration > Administrative Templates > Windows Components > RSS Feeds".
This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's computer.
If you enable this policy setting, the user cannot set the Feed Sync Engine to download an enclosure through the Feed property page. A developer cannot change the download setting through the Feed APIs.
We recommend setting this policy on "Enabled".
Indexing Encrypted Files
Microsoft Security Baseline
Verifies the local group policy "Allow indexing of encrypted files", located in "Computer Configuration > Administrative Templates > Windows Components > Search".
This policy setting allows encrypted items to be indexed. If you enable this policy setting, indexing will attempt to decrypt and index the content (access restrictions will still apply). If you disable this policy setting, the search service components (including non-Microsoft components) are expected not to index encrypted items or encrypted stores. This policy setting is not configured by default. If you do not configure this policy setting, the local setting, configured through Control Panel, will be used. By default, the Control Panel setting is set to not index encrypted content.
When this setting is enabled or disabled, the index is rebuilt completely.
Full volume encryption (such as BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of the index to maintain security for encrypted files.
We recommend setting this policy on "Disabled".
Modify Exploit Protection Settings
Microsoft Security Baseline
Verifies the local group policy "Prevent users from modifying settings", located in "Computer Configuration > Administrative Templates > Windows Components > Windows Defender Security Center > App and browser protection" or in "Computer Configuration > Administrative Templates > Windows Components > Windows Security > App and browser protection" (according to the Windows version).
This policy setting allows preventing users from making changes to the Exploit protection settings area in the Windows Defender Security Center.
We recommend setting this policy on "Enabled".
Game Recording and Broadcasting
Microsoft Security Baseline
Verifies the local group policy "Enables or disables Windows Game Recording and Broadcasting", located in "Computer Configuration > Administrative Templates > Windows Components > Windows Game Recording and Broadcasting".
This setting enables or disables the Windows Game Recording and Broadcasting features.
We recommend setting this policy on "Disabled".
Windows Ink Workspace
Microsoft Security Baseline
Verifies the local group policy "Allow Windows Ink Workspace", located in "Computer Configuration > Administrative Templates > Windows Components > Windows Ink Workspace".
This setting is supported from Windows 10 version 1607 (Redstone 1). With the recommended value, the Ink Workspace stays available to signed-in users but cannot be opened from the lock screen, so none of its apps can be launched without authentication.
We recommend setting this policy on "Enabled: On, but disallow access above lock".
User Control Over Installs
Microsoft Security Baseline
Verifies the local group policy "Allow user control over installs", located in "Computer Configuration > Administrative Templates > Windows Components > Windows Installer".
This policy permits users to change installation options that typically are available only to system administrators.
If you enable this policy setting, some of the security features of Windows Installer are bypassed. It permits installations to complete that otherwise would be halted due to a security violation.
This policy setting is designed for less restrictive environments. It can be used to circumvent errors in an installation program that prevents software from being installed.
We recommend setting this policy on "Disabled".
Install with Elevated Privileges
Microsoft Security Baseline
Verifies the local group policy "Always install with elevated privileges", located in "Computer Configuration > Administrative Templates > Windows Components > Windows Installer".
This policy setting directs Windows Installer to use elevated permissions when it installs any program on the system.
If you enable this policy setting, privileges are extended to all programs. These privileges are usually reserved for programs that have been assigned to the user (offered on the desktop), assigned to the computer (installed automatically), or made available in Add or Remove Programs in Control Panel. This profile setting lets users install programs that require access to directories that the user might not have permission to view or change, including directories on highly restricted computers.
Note: This policy setting appears both in the Computer Configuration and User Configuration folders. To make this policy setting effective, you must enable it in both folders.
Caution: Skilled users can take advantage of the permissions this policy setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this policy setting is not guaranteed to be secure.
We recommend setting this policy on "Disabled".
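The two Windows Installer settings above are the ones worth checking by hand, because "Always install with elevated privileges" is only effective (and only abusable) when it is enabled in both the Computer and the User configuration. The following PowerShell audit is an added example written for this page, not code from GravityZone or from Microsoft; it reads the documented policy keys for both settings in HKLM and HKCU and reports whether the dangerous combination is in force.

```powershell
# Added example: audit "Always install with elevated privileges" in BOTH hives
# (the policy is effective only when enabled under Computer AND User Configuration)
# and "Allow user control over installs" (EnableUserControl) in the same key.
# Paths are the documented registry locations behind the two group policy settings.

$paths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
)

function Get-PolicyDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value does not exist, i.e. "Not configured".
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$result = foreach ($p in $paths) {
    [pscustomobject]@{
        Hive                  = $p.Split(':')[0]
        AlwaysInstallElevated = Get-PolicyDword $p 'AlwaysInstallElevated'
        EnableUserControl     = Get-PolicyDword $p 'EnableUserControl'
    }
}
$result | Format-Table -AutoSize

# The setting takes effect only when both hives carry a value of 1. That is the
# condition under which any MSI package a standard user runs is installed with
# elevated (SYSTEM) privileges.
$effective = @($result | Where-Object { $_.AlwaysInstallElevated -eq 1 }).Count -eq 2
if ($effective) {
    Write-Warning 'AlwaysInstallElevated is effective in both hives: any user can install an MSI with elevated privileges.'
} else {
    Write-Host 'AlwaysInstallElevated is not effective (baseline: Disabled, or not configured, in both hives).'
}

if ($result | Where-Object { $_.EnableUserControl -eq 1 }) {
    Write-Warning 'Allow user control over installs is enabled: Windows Installer security checks can be bypassed.'
}
```

Run it in the context of the user you are assessing, since the HKCU half of the check is per user; a value of 1 in HKLM alone is not yet exploitable but still deserves review.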
Windows Logon: Auto Sign-in After Restart
Microsoft Security Baseline
Verifies the local group policy "Sign-in last interactive user automatically after a system-initiated restart", located in "Computer Configuration > Administrative Templates > Windows Components > Windows Logon Options".
This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system.
If you enable or do not configure this policy setting, the device securely saves the user's credentials (including the user name, domain and encrypted password) to configure automatic sign-in after a Windows Update restart. After the Windows Update restart, the user is automatically signed-in and the session is automatically locked with all the lock screen apps configured for that user.
If you disable this policy setting, the device does not store the user's credentials for automatic sign-in after a Windows Update restart. The users' lock screen apps are not restarted after the system restarts.
We recommend setting this policy on "Disabled".
PowerShell Script Block Logging
Microsoft Security Baseline
Verifies the local group policy "Turn on PowerShell Script Block Logging", located in "Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell".
This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log. If you enable this policy setting, Windows PowerShell will log the processing of commands, script blocks, functions, and scripts - whether invoked interactively, or through automation.
If you disable this policy setting, logging of PowerShell script input is disabled.
Note: This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting.
We recommend setting this policy on "Enabled".
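Because the Computer Configuration value takes precedence, a correct check reads the machine-wide key first and falls back to the per-user key only when the machine value is absent. The script below is an added example for this page (not GravityZone or Microsoft code): it resolves the effective policy that way and then proves logging works end to end by executing a script block carrying a constructed marker string and looking for the matching event 4104 in Microsoft-Windows-PowerShell/Operational.

```powershell
# Added example: verify that PowerShell Script Block Logging is in force and
# that 4104 events are actually being written. The HKLM key wins over HKCU,
# mirroring the precedence described in the policy text.

$valueName = 'EnableScriptBlockLogging'
$machine = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$user    = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'

function Get-ScriptBlockLoggingState {
    foreach ($key in $machine, $user) {
        $v = (Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue).$valueName
        if ($null -ne $v) {
            return [pscustomobject]@{ Source = $key; Enabled = ($v -eq 1) }
        }
    }
    [pscustomobject]@{ Source = 'not configured'; Enabled = $false }
}

$state = Get-ScriptBlockLoggingState
$state | Format-List

# Functional check: compile and run a script block with a recognisable marker,
# then look for the 4104 event that contains it. The marker is a constructed
# test string, not anything an attacker would use.
$marker = "ERA-check-$([guid]::NewGuid())"
& ([scriptblock]::Create("Write-Output '$marker'")) | Out-Null
Start-Sleep -Seconds 2

$hit = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddMinutes(-1)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$marker*" } |
    Select-Object -First 1

if ($hit) {
    Write-Host "Script block logging is working (event 4104 at $($hit.TimeCreated))."
} else {
    Write-Warning 'No 4104 event found for the test script block: logging is off, or the policy has not been applied yet (try gpupdate /force).'
}
```

The registry read tells you what policy says; the event lookup tells you whether the log is actually receiving script blocks, which is what a detection pipeline depends on.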
WinRM Client Basic Authentication
Microsoft Security Baseline
Verifies the local group policy "Allow Basic authentication", located in "Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Client".
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication.
If you enable this policy setting, the WinRM client uses Basic authentication. If WinRM is configured to use HTTP transport, the user name and password are sent over the network as clear text.
We recommend setting this policy on "Disabled".
WinRM Client Unencrypted Traffic
Microsoft Security Baseline
Verifies the local group policy "Allow unencrypted traffic", located in "Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Client".
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network.
If you disable or do not configure this policy setting, the WinRM client sends or receives only encrypted messages over the network.
We recommend setting this policy on "Disabled".
WinRM Client Digest Authentication
Microsoft Security Baseline
Verifies the local group policy "Disallow Digest authentication", located in "Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Client".
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Digest authentication.
If you enable this policy setting, the WinRM client does not use Digest authentication.
We recommend setting this policy on "Enabled".
WinRM Service Basic Authentication
Microsoft Security Baseline
Verifies the local group policy "Allow Basic authentication", located in "Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service".
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client.
If you disable or do not configure this policy setting, the WinRM service does not accept Basic authentication from a remote client.
We recommend setting this policy on "Disabled".
WinRM Service Unencrypted Traffic
Microsoft Security Baseline
Verifies the local group policy "Allow unencrypted traffic", located in "Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service".
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network.
If you disable or do not configure this policy setting, the WinRM service sends or receives only encrypted messages over the network.
We recommend setting this policy on "Disabled".
WinRM Service RunAs Credentials
Microsoft Security Baseline
Verifies the local group policy "Disallow WinRM from storing RunAs credentials", located in "Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service".
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will not allow RunAs credentials to be stored for any plug-ins.
If you enable this policy setting, the WinRM service will not allow the RunAsUser or RunAsPassword configuration values to be set for any plug-ins. If a plug-in has already set the RunAsUser and RunAsPassword configuration values, the RunAsPassword configuration value will be erased from the credential store on this computer.
We recommend setting this policy on "Enabled".
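The six WinRM indicators above map to six DWORD values under the WinRM policy key. The audit below is an added example for this page, not GravityZone or Microsoft code: it compares each value with the recommended setting, then reads the effective configuration from the WSMan: drive, which matters when no policy is configured and a local administrator has changed the service defaults (WinRM ships with unencrypted traffic off, client Basic on and service Basic off). The registry paths are the documented locations behind these policies.

```powershell
# Added example: audit the WinRM client/service policies against the baseline
# and confirm the effective WSMan configuration agrees with them.

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM'
$baseline = @(
    @{ Key = 'Client';  Name = 'AllowBasic';              Expected = 0; Policy = 'Allow Basic authentication (client)' }
    @{ Key = 'Client';  Name = 'AllowUnencryptedTraffic'; Expected = 0; Policy = 'Allow unencrypted traffic (client)' }
    @{ Key = 'Client';  Name = 'AllowDigest';             Expected = 0; Policy = 'Disallow Digest authentication' }
    @{ Key = 'Service'; Name = 'AllowBasic';              Expected = 0; Policy = 'Allow Basic authentication (service)' }
    @{ Key = 'Service'; Name = 'AllowUnencryptedTraffic'; Expected = 0; Policy = 'Allow unencrypted traffic (service)' }
    @{ Key = 'Service'; Name = 'DisableRunAs';            Expected = 1; Policy = 'Disallow WinRM from storing RunAs credentials' }
)

$report = foreach ($b in $baseline) {
    $path   = Join-Path $base $b.Key
    $actual = (Get-ItemProperty -Path $path -Name $b.Name -ErrorAction SilentlyContinue).($b.Name)
    [pscustomobject]@{
        Policy   = $b.Policy
        Value    = "$($b.Key)\$($b.Name)"
        Expected = $b.Expected
        Actual   = if ($null -eq $actual) { 'not configured' } else { $actual }
        Status   = if ($actual -eq $b.Expected) { 'OK' } else { 'REVIEW' }
    }
}
$report | Format-Table -AutoSize

# Effective settings as the service applies them. Reading the WSMan: drive
# needs an elevated prompt and a running WinRM service.
$svc = Get-Service WinRM -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -eq 'Running') {
    $effective = [ordered]@{
        'Client  Basic'       = (Get-Item WSMan:\localhost\Client\Auth\Basic).Value
        'Client  Unencrypted' = (Get-Item WSMan:\localhost\Client\AllowUnencrypted).Value
        'Service Basic'       = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
        'Service Unencrypted' = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
    }
    $effective
    if ($effective['Service Basic'] -eq 'true' -and $effective['Service Unencrypted'] -eq 'true') {
        Write-Warning 'WinRM service accepts Basic authentication over unencrypted HTTP: credentials cross the network in clear text.'
    }
} else {
    Write-Host 'WinRM service is not running; effective WSMan configuration not checked.'
}
```

"Not configured" is acceptable for the four "Allow ..." policies because their default is the secure value, but it is not acceptable for "Disallow WinRM from storing RunAs credentials", where only an explicit 1 protects plug-in credentials.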
Install ActiveX
Microsoft Security Baseline
Verifies the local group policy "Prevent per-user installation of ActiveX controls", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer".
This policy setting allows you to prevent the installation of ActiveX controls on a per-user basis.
If you enable this policy setting, ActiveX controls cannot be installed on a per-user basis.
We recommend setting this policy on "Enabled".
Security Zones Add / Delete Sites
Microsoft Security Baseline
Verifies the local group policy "Security Zones: Do not allow users to add/delete sites", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer".
Prevents users from adding or removing sites from security zones. A security zone is a group of Web sites with the same security level.
If you enable this policy, the site management settings for security zones are disabled. (To see the site management settings for security zones, in the Internet Options dialog box, click the Security tab, and then click the Sites button.)
This policy prevents users from changing site management settings for security zones established by the administrator.
Note: The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from the interface, takes precedence over this policy. If it is enabled, this policy is ignored.
Also, see the "Security zones: Use only machine settings" policy.
We recommend setting this policy on "Enabled".
Security Zones Change Policies
Microsoft Security Baseline
Verifies the local group policy "Security Zones: Do not allow users to change policies", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer".
Prevents users from changing security zone settings. A security zone is a group of Web sites with the same security level.
If you enable this policy, the Custom Level button and security-level slider on the Security tab in the Internet Options dialog box are disabled.
Note: The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from Internet Explorer in Control Panel, takes precedence over this policy. If it is enabled, this policy is ignored.
Also, see the "Security zones: Use only machine settings" policy.
We recommend setting this policy on "Enabled".
Security Zones Only Machine Settings
Microsoft Security Baseline
Verifies the local group policy "Security Zones: Use only machine settings", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer".
Applies security zone information to all users of the same computer. A security zone is a group of Web sites with the same security level.
If you enable this policy, changes that the user makes to a security zone will apply to all users of that computer.
This policy is intended to ensure that security zone settings apply uniformly to the same computer and do not vary from user to user.
Also, see the "Security zones: Do not allow users to change policies" policy.
We recommend setting this policy on "Enabled".
ActiveX Installer Service
Microsoft Security Baseline
Verifies the local group policy "Specify use of ActiveX Installer Service for installation of ActiveX controls", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer".
This policy setting allows you to specify how ActiveX controls are installed.
If you enable this policy setting, ActiveX controls are installed only if the ActiveX Installer Service is present and has been configured to allow the installation of ActiveX controls.
We recommend setting this policy on "Enabled".
Crash Detection
Microsoft Security Baseline
Verifies the local group policy "Turn off Crash Detection", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer".
This policy setting allows you to manage the crash detection feature of add-on Management.
If you enable this policy setting, a crash in Internet Explorer will exhibit behavior found in Windows XP Professional Service Pack 1 and earlier, namely to invoke Windows Error Reporting. All policy settings for Windows Error Reporting continue to apply.
If you disable or do not configure this policy setting, the crash detection feature for add-on management will be functional.
We recommend setting this policy on "Enabled".
Security Settings Check
Microsoft Security Baseline
Verifies the local group policy "Turn off the Security Settings Check feature", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer".
This policy setting turns off the Security Settings Check feature, which checks Internet Explorer security settings to determine when the settings put Internet Explorer at risk.
If you disable or do not configure this policy setting, the feature is turned on.
We recommend setting this policy on "Disabled".
Certificate Errors
Microsoft Security Baseline
Verifies the local group policy "Prevent ignoring certificate errors", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel".
This policy setting prevents the user from ignoring Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate errors that interrupt browsing (such as "expired", "revoked", or "name mismatch" errors) in Internet Explorer.
If you enable this policy setting, the user cannot continue browsing.
If you disable or do not configure this policy setting, the user can choose to ignore certificate errors and continue browsing.
We recommend setting this policy on "Enabled".
Run Software if Signature Invalid
Microsoft Security Baseline
Verifies the local group policy "Allow software to run or install even if the signature is invalid", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Advanced Page".
This policy setting allows you to manage whether software, such as ActiveX controls and file downloads, can be installed or run by the user even though the signature is invalid. An invalid signature might indicate that someone has tampered with the file.
If you enable this policy setting, users will be prompted to install or run files with an invalid signature.
If you disable this policy setting, users cannot run or install files with an invalid signature.
If you do not configure this policy, users can choose to run or install files with an invalid signature.
We recommend setting this policy on "Disabled".
Server Certificate Revocation
Microsoft Security Baseline
Verifies the local group policy "Check for server certificate revocation", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Advanced Page".
This policy setting allows you to manage whether Internet Explorer will check revocation status of servers' certificates. Certificates are revoked when they have been compromised or are no longer valid, and this option protects users from submitting confidential data to a site that may be fraudulent or not secure.
If you enable this policy setting, Internet Explorer will check to see if server certificates have been revoked.
We recommend setting this policy on "Enabled".
Downloaded Programs Signatures
Microsoft Security Baseline
Verifies the local group policy "Check for signatures on downloaded programs", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Advanced Page".
This policy setting allows you to manage whether Internet Explorer checks for digital signatures (which identifies the publisher of signed software and verifies it has not been modified or tampered with) on user computers before downloading executable programs.
If you enable this policy setting, Internet Explorer will check the digital signatures of executable programs and display their identities before downloading them to user computers.
We recommend setting this policy on "Enabled".
ActiveX Protected Mode
Microsoft Security Baseline
Verifies the local group policy "Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Advanced Page".
This policy setting prevents ActiveX controls from running in Protected Mode when Enhanced Protected Mode is enabled. When a user has an ActiveX control installed, that is not compatible with Enhanced Protected Mode and a website attempts to load the control, Internet Explorer notifies the user and gives the option to run the website in regular Protected Mode. This policy setting disables this notification and forces all websites to run in Enhanced Protected Mode.
Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system.
When Enhanced Protected Mode is enabled, and a user encounters a website that attempts to load an ActiveX control that is not compatible with Enhanced Protected Mode, Internet Explorer notifies the user and gives the option to disable Enhanced Protected Mode for that particular website.
If you enable this policy setting, Internet Explorer will not give the user the option to disable Enhanced Protected Mode. All Protected Mode websites will run in Enhanced Protected Mode.
We recommend setting this policy on "Enabled".
Encryption Support
Microsoft Security Baseline
Verifies the local group policy "Turn off encryption support", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Advanced Page".
This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the browser and the target server. When the browser attempts to set up a protected communication with the target server, the browser and server negotiate which protocol and version to use. The browser and server attempt to match each other’s list of supported protocols and versions, and they select the most preferred match.
If you enable this policy setting, the browser negotiates or does not negotiate an encryption tunnel by using the encryption methods that you select from the drop-down list.
We recommend setting this policy on "Enabled: Use TLS 1.1; Use TLS 1.2". TLS 1.0 and TLS 1.1 are formally deprecated (RFC 8996), so treat "Use TLS 1.1" as a compatibility allowance and drop it where every server the browser reaches supports TLS 1.2.
IE 64-bit Processes
Microsoft Security Baseline
Verifies the local group policy "Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Advanced Page".
This policy setting determines whether Internet Explorer 11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows.
Important: Some ActiveX controls and toolbars may not be available when 64-bit processes are used.
If you enable this policy setting, Internet Explorer 11 will use 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.
If you do not configure this policy setting, users can turn this feature on or off using Internet Explorer settings. This feature is turned off by default.
We recommend setting this policy on "Enabled".
Enhanced Protected Mode
Microsoft Security Baseline
Verifies the local group policy "Turn on Enhanced Protected Mode", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Advanced Page".
Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system.
If you enable this policy setting, Enhanced Protected Mode will be turned on. Any zone that has Protected Mode enabled will use Enhanced Protected Mode. Users will not be able to disable Enhanced Protected Mode.
If you do not configure this policy, users will be able to turn on or turn off Enhanced Protected Mode on the Advanced tab of the Internet Options dialog.
We recommend setting this policy on "Enabled".
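The Advanced Page indicators above all live in a handful of policy keys, and one of them, "Turn off encryption support", is stored as a bitmask that is easy to misread: SSL 2.0 = 8, SSL 3.0 = 32, TLS 1.0 = 128, TLS 1.1 = 512, TLS 1.2 = 2048, so the recommended "Use TLS 1.1; Use TLS 1.2" is 512 + 2048 = 2560. The script below is an added example for this page, not GravityZone or Microsoft code. The registry locations are the ones the inetres.admx template writes as far as I know them; verify them against the ADMX shipped with your build before relying on the report.

```powershell
# Added example: audit the Internet Explorer "Advanced Page" policies and decode
# the SecureProtocols bitmask behind "Turn off encryption support".

$inet       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$ieMain     = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main'
$ieDownload = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Download'

function Get-Pol {
    param([string]$Path, [string]$Name)
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# Bit values of the SecureProtocols DWORD (assumed from the ADMX; see lead-in).
$protocolBits = [ordered]@{ 'SSL 2.0' = 8; 'SSL 3.0' = 32; 'TLS 1.0' = 128; 'TLS 1.1' = 512; 'TLS 1.2' = 2048 }

function ConvertFrom-SecureProtocols {
    param([int]$Mask)
    # Returns the names of the protocols whose bit is set in the mask.
    $protocolBits.GetEnumerator() | Where-Object { ($Mask -band $_.Value) -ne 0 } | ForEach-Object { $_.Key }
}

$checks = @(
    @{ Policy = 'Check for server certificate revocation';                                  Path = $inet;       Name = 'CertificateRevocation'; Expected = 1 }
    @{ Policy = 'Check for signatures on downloaded programs';                              Path = $ieDownload; Name = 'CheckExeSignatures';    Expected = 'yes' }
    @{ Policy = 'Allow software to run or install even if the signature is invalid';        Path = $ieDownload; Name = 'RunInvalidSignatures';  Expected = 0 }
    @{ Policy = 'Do not allow ActiveX controls to run in Protected Mode when EPM is enabled'; Path = $ieMain;   Name = 'DisableEPMCompat';      Expected = 1 }
    @{ Policy = 'Turn on 64-bit tab processes in Enhanced Protected Mode';                  Path = $ieMain;     Name = 'Isolation64Bit';        Expected = 1 }
    @{ Policy = 'Turn on Enhanced Protected Mode';                                          Path = $ieMain;     Name = 'Isolation';             Expected = 'PMEM' }
)

$report = foreach ($c in $checks) {
    $actual = Get-Pol $c.Path $c.Name
    [pscustomobject]@{
        Policy   = $c.Policy
        Expected = $c.Expected
        Actual   = if ($null -eq $actual) { 'not configured' } else { $actual }
        Status   = if ("$actual" -eq "$($c.Expected)") { 'OK' } else { 'REVIEW' }
    }
}
$report | Format-Table -AutoSize

$mask = Get-Pol $inet 'SecureProtocols'
if ($null -eq $mask) {
    Write-Warning '"Turn off encryption support" is not configured; the per-user Internet Options selection applies.'
} else {
    $enabled = @(ConvertFrom-SecureProtocols $mask)
    "SecureProtocols = $mask -> $($enabled -join ', ')"
    $weak = $enabled | Where-Object { $_ -in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0' }
    if ($weak) { Write-Warning "Deprecated protocols still negotiable: $($weak -join ', ')" }
    if ($mask -eq 2560) { 'Matches the recommended "Use TLS 1.1; Use TLS 1.2" (2560).' }
}
```

Decoding the mask rather than comparing it to a single magic number is what lets the report say which weak protocol is still enabled, which is the finding you actually need to remediate.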
Intranet UNCs
Microsoft Security Baseline
Verifies the local group policy "Intranet Sites: Include all network paths (UNCs)", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page".
This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone.
If you enable this policy setting, all network paths are mapped into the Intranet Zone.
If you disable this policy setting, network paths are not necessarily mapped into the Intranet Zone (other rules might map one there).
We recommend setting this policy on "Disabled".
Certificate Address Mismatch Warning
Microsoft Security Baseline
Verifies the local group policy "Turn on certificate address mismatch warning", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page".
This policy setting allows you to turn on the certificate address mismatch security warning. When this policy setting is turned on, the user is warned when visiting Secure HTTP (HTTPS) websites that present certificates issued for a different website address. This warning helps prevent spoofing attacks.
If you enable this policy setting, the certificate address mismatch warning always appears.
We recommend setting this policy on "Enabled".
Internet: Access Data Across Domains
Microsoft Security Baseline
Verifies the local group policy "Access data sources across domains", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone".
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
We recommend setting this policy on "Enabled: Disabled".
Clipboard Script Operations
Microsoft Security Baseline
Verifies the local group policy "Allow cut, copy or paste operations from the clipboard via script", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone".
This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region.
If you enable this policy setting, a script can perform a clipboard operation.
If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations.
We recommend setting this policy on "Disabled".
Internet: Drag/Drop/Copy/Paste Files
Microsoft Security Baseline
Verifies the local group policy "Allow drag and drop or copy and paste files", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone".
This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone.
If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone.
We recommend setting this policy on "Disabled".
Internet: XAML Files
Microsoft Security Baseline
Verifies the local group policy "Allow loading of XAML files", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone".
This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take advantage of the Windows Presentation Foundation.
If you enable this policy setting and set the drop-down box to Enable, XAML files are automatically loaded inside Internet Explorer. The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XAML files.
If you disable this policy setting, XAML files are not loaded inside Internet Explorer. The user cannot change this behavior.
If you do not configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer.
We recommend setting this policy on "Enabled: Disable".
Internet: Prompt for ActiveX Controls
Microsoft Security Baseline
Verifies the local group policy "Allow only approved domains to use ActiveX controls without prompt", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone".
This policy setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control.
If you enable this policy setting, the user is prompted before ActiveX controls can run from websites in this zone. The user can choose to allow the control to run from the current site or from all sites.
If you disable this policy setting, the user does not see the per-site ActiveX prompt, and ActiveX controls can run from all sites in this zone.
We recommend setting this policy on "Enabled: Enable".
Internet: Use TDC ActiveX Control
Microsoft Security Baseline
Verifies the local group policy "Allow only approved domains to use the TDC ActiveX control", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone".
This policy setting controls whether or not the user is allowed to run the TDC ActiveX control on websites.
If you enable this policy setting, the TDC ActiveX control will not run from websites in this zone.
We recommend setting this policy on "Enabled: Enable".
Internet: Scripting WebBrowser Controls
Microsoft Security Baseline
Verifies the local group policy "Allow scripting of Internet Explorer WebBrowser controls", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone".
This policy setting determines whether a page can control embedded WebBrowser controls via script.
If you enable this policy setting, script access to the WebBrowser control is allowed.
If you do not configure this policy setting, the user can enable or disable script access to the WebBrowser control. By default, script access to the WebBrowser control is allowed only in the Local Machine and Intranet zones.
We recommend setting this policy on "Enabled: Disable".
Internet: Script-Initiated Windows
Microsoft Security Baseline
Verifies the local group policy "Allow script-initiated windows without size or position constraints", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone".
This policy setting allows managing restrictions on script-initiated pop-up windows and windows that include the title and status bars.
If you enable this policy setting, Windows Restrictions security will not apply in this zone. The security zone runs without the added layer of security provided by this feature.
If you disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.
If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.
We recommend setting this policy on "Enabled: Disable".
Internet: Use Scriptlets
Microsoft Security Baseline
Verifies the local group policy "Allow scriptlets", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone".
This policy setting allows you to manage whether the user can run scriptlets.
To disallow running scriptlets, set the policy on "Enabled" and select the option "Disable" in the drop-down box.
We recommend setting this policy on "Enabled: Disable".
Internet: Update Status Bar Via Script
Microsoft Security Baseline
Verifies the local group policy "Allow updates to status bar via script", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone".
This policy setting allows configuring whether script is allowed to update the status bar within the zone.
We recommend setting this policy on "Enabled: Disable".
Internet: Run VBScript in Internet Explorer
Microsoft Security Baseline
Verifies the local group policy "Allow VBScript to run in Internet Explorer", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone".
This policy setting allows managing whether VBScript can be run on pages from the specified zone in Internet Explorer.
If you selected Enable in the drop-down box, VBScript can run without user intervention.
If you selected "Prompt" in the drop-down box, users are asked to choose whether to allow VBScript to run.
If you selected "Disable" in the drop-down box, VBScript is prevented from running.
If you do not configure or disable this setting, VBScript is prevented from running.
We recommend setting this policy on "Enabled: Disable".
Internet: Automatic Prompt File Download
Microsoft Security Baseline
Verifies the local group policy "Automatic prompting for file downloads", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone".
This policy setting determines whether users will be prompted for non-user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
If you enable this policy, users will receive a file download dialog for automatic download attempts.
If you disable or do not configure this policy, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
We recommend setting this policy on "Enabled: Disable".
Internet: Antimalware Against ActiveX Controls
Microsoft Security Baseline
Verifies the local group policy "Don't run antimalware programs against ActiveX controls", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone".
This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they are safe to load on pages.
If you disable this policy, Internet Explorer always checks with your antimalware program to see if it is safe to create an instance of the ActiveX control.
If you do not configure this policy, Internet Explorer always checks with your antimalware program to see if it is safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings.
We recommend setting this policy on "Enabled: Disable".
Internet: Download Signed ActiveX Controls
Microsoft Security Baseline
Verifies the local group policy "Download signed ActiveX controls", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone".
This policy allows managing whether users may download signed ActiveX controls from a page in the zone.
If you enable this policy, users can download signed controls without user intervention. If you select "Prompt" in the drop-down box, users are queried whether to download controls signed by publishers who are not trusted. Code signed by trusted publishers is silently downloaded.
If you disable the policy setting, signed controls cannot be downloaded.
If you do not configure this policy, users are queried whether to download controls signed by publishers who are not trusted. Code signed by trusted publishers is silently downloaded.
We recommend setting this policy on "Enabled: Disable".
Internet: Download Unsigned ActiveX Controls
Microsoft Security Baseline
Verifies the local group policy "Download unsigned ActiveX controls", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone".
This policy allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone.
If you enable this policy, users can run unsigned controls without user intervention. If you select "Prompt" in the drop-down box, users are queried to choose whether to allow the unsigned control to run.
If you disable or do not configure this policy, users cannot run unsigned controls.
We recommend setting this policy on "Enabled: Disable".
Internet: Drag Content Across Windows
Microsoft Security Baseline
Verifies the local group policy "Enable dragging of content from different domains across windows", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone".
This policy allows setting options for dragging content from one domain to a different domain when the source and destination are in different windows.
If you enable this policy and click "Enable", users can drag content from one domain to a different domain when the source and destination are in different windows. Users cannot change this setting.
If you enable this policy setting and click "Disable", users cannot drag content from one domain to a different domain when both the source and destination are in different windows. Users cannot change this setting.
In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in different windows. Users can change this setting in the Internet Options dialog.
We recommend setting this policy on "Enabled: Disable".
Internet: Drag Content Within A Window
Microsoft Security Baseline
Verifies the local group policy "Enable dragging of content from different domains within a window", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone".
This policy setting allows setting options for dragging content from one domain to a different domain when the source and destination are in the same window.
If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting.
If you enable this policy setting and click "Disable", users cannot drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog.
In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in the same window. Users can change this setting in the Internet Options dialog.
We recommend setting this policy on "Enabled: Disable".
Internet: Upload Files Includes Local Path
Microsoft Security Baseline
Verifies the local group policy "Include local path when user is uploading files to a server", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone".
This policy controls if the local path information is sent when the user is uploading a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path.
If you enable this policy, path information is sent when the user is uploading a file via an HTML form.
If you disable this policy, path information is removed when the user is uploading a file via an HTML form.
If you do not configure this policy, the user can choose whether path information is sent when he or she is uploading a file via an HTML form. By default, path information is sent.
We recommend setting this policy on "Enabled: Disable".
Internet: ActiveX Control Not Marked Safe
Microsoft Security Baseline
Verifies the local group policy "Initialize and script ActiveX controls not marked as safe", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone".
This policy allows managing ActiveX controls not marked as safe.
If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
If you enable this policy and select "Prompt" in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
If you disable or do not configure this policy, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
We recommend setting this policy on "Enabled: Disable".
Internet: Java Permissions
Microsoft Security Baseline
Verifies the local group policy "Java permissions", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone".
This policy allows you to manage permissions for Java applets.
If you enable this setting, you can choose options from the drop-down box:
- "High Safety" enables applets to run in their sandbox. Disable Java to prevent any applets from running.
- "Medium Safety" enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
- "Low Safety" enables applets to perform all operations.
- "Custom", to control permissions settings individually.
- "Disable Java": Java applets cannot run.
If you do not configure this policy, the permission is set to High Safety.
We recommend setting this policy on "Enabled: Disable Java".
Internet: Launch in IFRAME
Microsoft Security Baseline
Verifies the local group policy "Launching applications and files in an IFRAME", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone".
This policy allows managing whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone.
If you enable this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention.
If you select "Prompt" in the drop-down box or do not configure this policy, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone.
If you disable this policy, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone.
We recommend setting this policy on "Enabled: Disable".
Internet: Logon Options
Microsoft Security Baseline
Verifies the local group policy "Logon options", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone".
This policy allows managing settings for logon options.
If you enable this policy, you can choose from the following logon options:
- "Anonymous logon": to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol.
- "Prompt for user name and password" to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session.
- "Automatic logon only in Intranet zone" to query users for user IDs and passwords in other zones. After a user is queried, these values can be used silently for the remainder of the session.
- "Automatic logon with current user name and password" to attempt logon using Windows NT Challenge Response (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon. If Windows NT Challenge Response is not supported by the server, the user is queried to provide the user name and password.
If you disable or do not configure this policy setting, logon is set to Automatic logon only in Intranet zone.
We recommend setting this policy on "Enabled: Prompt for user name and password".
Internet: Navigate Across Domains
Microsoft Security Baseline
Verifies the local group policy "Navigate windows and frames across different domains", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone".
This policy allows managing the opening of windows and frames and access of applications across different domains.
If you enable or do not configure this policy, users can open windows and frames from other domains and access applications from other domains. If you select "Prompt" in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
If you disable this policy, users cannot open windows and frames to access applications from different domains.
We recommend setting this policy on "Enabled: Disable".
Internet: Run Not Signed .NET Components
Microsoft Security Baseline
Verifies the local group policy "Run .NET Framework-reliant components not signed with Authenticode", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone".
This setting allows managing whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
If you enable or do not configure this setting, Internet Explorer will execute unsigned managed components.
If you select "Prompt" in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
If you disable this setting, Internet Explorer will not execute unsigned managed components.
We recommend setting this policy on "Enabled: Disable".
Run Signed .NET Components
Microsoft Security Baseline
Verifies the local group policy "Run .NET Framework-reliant components signed with Authenticode", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone".
This setting allows managing whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
If you enable or do not configure this setting, Internet Explorer will execute signed managed components. If you select "Prompt" in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components.
If you disable this setting, Internet Explorer will not execute signed managed components.
We recommend setting this policy on "Enabled: Disable".
Internet: Show Warning For Unsafe Files
Microsoft Security Baseline
Verifies the local group policy "Show security warning for potentially unsafe files", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone".
This setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example).
If you enable this policy setting and set the drop-down box to "Enable", these files open without a security warning. If you set the drop-down box to "Prompt", a security warning appears before the files open.
If you disable this policy setting, these files do not open.
If you do not configure this policy setting, the user can configure how the computer handles these files. By default, these files are blocked in the Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones.
We recommend setting this policy on "Enabled: Prompt".
Internet: Cross-Site Scripting Filter
Microsoft Security Baseline
Verifies the local group policy "Turn on Cross-Site Scripting Filter", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone".
This setting controls whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone.
If you enable this policy setting, the XSS Filter is turned on for sites in this zone, and the XSS Filter attempts to block cross-site script injections.
If you disable this policy setting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections.
We recommend setting this policy on "Enabled: Enable".
Internet: Protected Mode
Microsoft Security Baseline
Verifies the local group policy "Turn on Protected Mode", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone".
This setting allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system.
If you enable this policy setting, Protected Mode is turned on. The user cannot turn off Protected Mode.
If you disable this policy setting, Protected Mode is turned off. The user cannot turn on Protected Mode.
If you do not configure this policy setting, the user can turn on or turn off Protected Mode.
We recommend setting this policy on "Enabled: Enable".
Internet: SmartScreen Filter
Microsoft Security Baseline
Verifies the local group policy "Turn on SmartScreen Filter scan", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone".
This setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
If you enable this setting, SmartScreen Filter scans pages in this zone for malicious content.
If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
We recommend setting this policy on "Enabled: Enable".
Internet: Pop-up Blocker
Microsoft Security Baseline
Verifies the local group policy "Use Pop-up Blocker", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone".
This setting allows managing whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked.
If you enable or do not configure this policy setting, most unwanted pop-up windows are prevented from appearing.
If you disable this policy setting, pop-up windows are not prevented from appearing.
We recommend setting this policy on "Enabled: Enable".
Internet: Userdata Persistence
Microsoft Security Baseline
Verifies the local group policy "Userdata persistence", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone".
This setting allows managing the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
If you enable or do not configure this setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
If you disable this setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
We recommend setting this policy on "Enabled: Disable".
Internet: Less Privileged Content Zones
Microsoft Security Baseline
Verifies the local group policy "Web sites in less privileged Web content zones can navigate into this zone", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone".
This setting allows managing whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.
If you enable this setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature.
If you select "Prompt" in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
If you disable this setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
If you do not configure this setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.
We recommend setting this policy on "Enabled: Disable".
Intranet: Antimalware Against ActiveX Controls
Microsoft Security Baseline
Verifies the local group policy "Don't run antimalware programs against ActiveX controls", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone".
This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they are safe to load on pages.
If you enable or do not configure this policy setting, Internet Explorer will not check with your antimalware program to see if it is safe to create an instance of the ActiveX control.
If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it is safe to create an instance of the ActiveX control.
We recommend setting this policy on "Disabled".
Intranet: ActiveX Control Not Marked As Safe
Microsoft Security Baseline
Verifies the local group policy "Initialize and script ActiveX controls not marked as safe", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone".
This policy setting allows you to manage ActiveX controls not marked as safe.
If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
If you enable this policy setting and select "Prompt" in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
If you disable or do not configure this setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
We recommend setting this policy on "Disabled".
Intranet: Java Permissions
Microsoft Security Baseline
Verifies the local group policy "Java permissions", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone".
This policy setting allows managing permissions for Java applets.
If you enable this policy setting, you can choose options from the drop-down box:
- "Custom", to control permissions settings individually.
- "Low Safety" enables applets to perform all operations.
- "Medium Safety" enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
- "High Safety" enables applets to run in their sandbox. "Disable Java" to prevent any applets from running.
If you disable this setting, Java applets cannot run.
If you do not configure this setting, the permission is set to Medium Safety.
We recommend setting this policy on "Enabled: High Safety".
Local Machine: Antimalware Against ActiveX Controls
Microsoft Security Baseline
Verifies the local group policy "Don't run antimalware programs against ActiveX controls", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone".
This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they are safe to load on pages.
If you enable or do not configure this setting, Internet Explorer will not check with your antimalware program to see if it is safe to create an instance of the ActiveX control.
If you disable this setting, Internet Explorer always checks with your antimalware program to see if it is safe to create an instance of the ActiveX control.
We recommend setting this policy on "Disabled".
Local Machine: Java Permissions
Microsoft Security Baseline
Verifies the local group policy "Java Permissions", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone".
This policy setting allows you to manage permissions for Java applets.
If you enable this policy setting, you can choose options from the drop-down box:
- "Custom", to control permissions settings individually.
- "Low Safety" enables applets to perform all operations.
- "Medium Safety" enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
- "High Safety" enables applets to run in their sandbox. "Disable Java" to prevent any applets from running.
If you disable this setting, Java applets cannot run.
If you do not configure this setting, the permission is set to "Medium Safety".
We recommend setting this policy on "Enabled: Disable Java".
Locked-Down Internet: SmartScreen Filter
Microsoft Security Baseline
Verifies the local group policy "Turn on SmartScreen Filter scan", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone".
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
If you enable this setting, SmartScreen Filter scans pages in this zone for malicious content.
If you disable this setting, SmartScreen Filter does not scan pages in this zone for malicious content.
If you do not configure this setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
We recommend setting this policy on "Enabled".
Locked-Down Intranet: Java Permissions
Microsoft Security Baseline
Verifies the local group policy "Java permissions", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone".
This setting allows managing permissions for Java applets.
If you enable this setting, you can choose options from the drop-down box:
- "Custom", to control permissions settings individually.
- "Low Safety" enables applets to perform all operations.
- "Medium Safety" enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
- "High Safety" enables applets to run in their sandbox. "Disable Java" to prevent any applets from running.
If you disable this setting, Java applets cannot run.
If you do not configure this setting, Java applets are disabled.
We recommend setting this policy on "Enabled: Disable Java".
Locked-Down Local Machine: Java Permissions
Microsoft Security Baseline
Verifies the local group policy "Java permissions", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone".
This policy setting allows managing permissions for Java applets.
If you enable this setting, you can choose options from the drop-down box:
- "Custom", to control permissions settings individually.
- "Low Safety" enables applets to perform all operations.
- "Medium Safety" enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
- "High Safety" enables applets to run in their sandbox. "Disable Java" to prevent any applets from running.
If you disable this setting, Java applets cannot run.
If you do not configure this setting, Java applets are disabled.
We recommend setting this policy on "Enabled: Disable Java".
Locked-Down Restricted Sites: Java Permissions
Microsoft Security Baseline
Verifies the local group policy "Java permissions", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone".
This policy setting allows you to manage permissions for Java applets.
If you enable this policy setting, you can choose options from the drop-down box:
- "Custom", to control permissions settings individually.
- "Low Safety" enables applets to perform all operations.
- "Medium Safety" enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
- "High Safety" enables applets to run in their sandbox. "Disable Java" to prevent any applets from running.
If you disable this setting, Java applets cannot run.
If you do not configure this setting, Java applets are disabled.
We recommend setting this policy on "Enabled: Disable Java".
Locked-Down Restricted Sites: SmartScreen Filter
Microsoft Security Baseline
Verifies the local group policy "Turn on SmartScreen Filter scan", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone".
This setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
If you enable this setting, SmartScreen Filter scans pages in this zone for malicious content.
If you disable this setting, SmartScreen Filter does not scan pages in this zone for malicious content.
If you do not configure this setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
We recommend setting this policy on "Enabled".
Locked-Down Trusted Sites: Java Permissions
Microsoft Security Baseline
Verifies the local group policy "Java permissions", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone".
This setting allows managing permissions for Java applets.
If you enable this policy setting, you can choose options from the drop-down box.
- "Custom", to control permissions settings individually.
- "Low Safety" enables applets to perform all operations.
- "Medium Safety" enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
- "High Safety" enables applets to run in their sandbox. "Disable Java" to prevent any applets from running.
If you disable this setting, Java applets cannot run.
If you do not configure this setting, Java applets are disabled.
We recommend setting this policy on "Enabled: Disable Java".
Locked-Down Restricted Sites: Access Data Sources
Microsoft Security Baseline
Verifies the local group policy "Access data sources across domains", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone".
This policy setting allows managing whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select "Prompt" in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
If you disable or do not configure this setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
We recommend setting this policy on "Disabled".
Active Scripting
Microsoft Security Baseline
Verifies the local group policy "Allow active scripting", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone".
This setting allows you to manage whether script code on pages in the zone is run.
If you enable this setting, script code on pages in the zone can run automatically.
If you select "Prompt" in the drop-down box, users are queried to choose whether to allow script code on pages in the zone to run.
If you disable or do not configure this setting, script code on pages in the zone is prevented from running.
We recommend setting this policy on "Enabled: Disable".
Binary And Script Behaviors
Microsoft Security Baseline
Verifies the local group policy "Allow binary and script behaviors", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone".
This setting allows managing dynamic binary and script behaviors: components that encapsulate specific functionality for HTML elements to which they were attached.
If you enable this setting, binary and script behaviors are available. If you select "Administrator approved" in the drop-down box, only behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available.
If you disable or do not configure this setting, binary and script behaviors are not available unless applications have implemented a custom security manager.
We recommend setting this policy on "Enabled: Disable".
Cut/Copy/Paste Via Script
Microsoft Security Baseline
Verifies the local group policy "Allow cut, copy or paste operations from the clipboard via script", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone".
This setting allows managing whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region.
If you enable this policy setting, a script can perform a clipboard operation.
If you select "Prompt" in the drop-down box, users are queried as to whether to perform clipboard operations.
If you disable or do not configure this policy setting, a script cannot perform a clipboard operation.
We recommend setting this policy on "Disabled".
Restricted Sites: Drag/Drop/Copy/Paste Files
Microsoft Security Baseline
Verifies the local group policy "Allow drag and drop or copy and paste files", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone".
This setting allows managing whether users can drag files or copy and paste files from a source within the zone.
If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you select "Prompt" in the drop-down box, users are queried to choose whether to drag or copy files from this zone.
If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this zone.
If you do not configure this policy setting, users are queried to choose whether to drag or copy files from this zone.
We recommend setting this policy on "Disabled".
File Downloads
Microsoft Security Baseline
Verifies the local group policy "Allow file downloads", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone".
This setting allows managing whether file downloads are permitted from the zone. This option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered.
If you enable this setting, files can be downloaded from the zone.
If you disable or do not configure this setting, files are prevented from being downloaded from the zone.
We recommend setting this policy on "Enabled: Disable".
Restricted Sites: XAML Files
Microsoft Security Baseline
Verifies the local group policy "Allow loading of XAML files", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone".
This setting allows managing the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take advantage of the Windows Presentation Foundation.
If you enable this setting and set the drop-down box to "Enable", XAML files are automatically loaded inside Internet Explorer. The user cannot change this behavior. If you set the drop-down box to "Prompt", the user is prompted for loading XAML files.
If you disable this setting, XAML files are not loaded inside Internet Explorer. The user cannot change this behavior.
If you do not configure this setting, the user can decide whether to load XAML files inside Internet Explorer.
We recommend setting this policy on "Enabled: Disable".
Meta Refresh
Microsoft Security Baseline
Verifies the local group policy "Allow META REFRESH", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone".
This setting allows managing whether a user's browser can be redirected to another Web page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page.
If you enable this setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web page.
If you disable or do not configure this setting, a user's browser that loads a page containing an active Meta Refresh setting cannot be redirected to another Web page.
We recommend setting this policy on "Enabled: Disable".
Restricted Sites: Prompt for ActiveX Controls
Microsoft Security Baseline
Verifies the local group policy "Allow only approved domains to use ActiveX controls without prompt", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone".
This setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control.
If you enable this setting, the user is prompted before ActiveX controls can run from websites in this zone. The user can choose to allow the control to run from the current site or from all sites.
If you disable this setting, the user does not see the per-site ActiveX prompt, and ActiveX controls can run from all sites in this zone.
We recommend setting this policy on "Enabled".
Restricted Sites: Use TDC ActiveX Control
Microsoft Security Baseline
Verifies the local group policy "Allow only approved domains to use the TDC ActiveX control", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone".
This setting controls whether or not the user is allowed to run the TDC ActiveX control on websites.
If you enable this setting, the TDC ActiveX control will not run from websites in this zone.
If you disable this setting, the TDC ActiveX control will run from all sites in this zone.
We recommend setting this policy on "Enabled".
Restricted Sites: Scripting WebBrowser Controls
Microsoft Security Baseline
Verifies the local group policy "Allow scripting of Internet Explorer WebBrowser controls", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone".
This setting determines whether a page can control embedded WebBrowser controls via script.
If you enable this setting, script access to the WebBrowser control is allowed.
If you disable this setting, script access to the WebBrowser control is not allowed.
If you do not configure this policy setting, the user can enable or disable script access to the WebBrowser control. By default, script access to the WebBrowser control is allowed only in the Local Machine and Intranet zones.
We recommend setting this policy on "Disabled".
Restricted Sites: Script-Initiated Windows
Microsoft Security Baseline
Verifies the local group policy "Allow script-initiated windows without size or position constraints", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone".
This setting allows managing restrictions on script-initiated pop-up windows and windows that include the title and status bars.
If you enable this policy setting, Windows Restrictions security will not apply in this zone. The security zone runs without the added layer of security provided by this feature.
If you disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.
If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.
We recommend setting this policy on "Disabled".
Restricted Sites: Use Scriptlets
Microsoft Security Baseline
Verifies the local group policy "Allow scriptlets", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone".
This setting allows managing whether the user can run scriptlets.
If you enable this policy setting, the user can run scriptlets.
If you disable this policy setting, the user cannot run scriptlets.
If you do not configure this policy setting, the user can enable or disable scriptlets.
We recommend setting this policy on "Disabled".
Restricted Sites: Update Status Bar Via Script
Microsoft Security Baseline
Verifies the local group policy "Allow updates to status bar via script", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone".
This setting allows managing whether script is allowed to update the status bar within the zone.
If you enable this policy setting, script is allowed to update the status bar.
If you disable or do not configure this policy setting, script is not allowed to update the status bar.
We recommend setting this policy on "Disabled".
Restricted Sites: Run VBScript in Internet Explorer
Microsoft Security Baseline
Verifies the local group policy "Allow VBScript to run in Internet Explorer", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone".
This policy setting allows you to manage whether VBScript can be run on pages from the specified zone in Internet Explorer.
If you select "Enable" in the drop-down box, VBScript can run without user intervention.
If you select "Prompt" in the drop-down box, users are asked to choose whether to allow VBScript to run.
If you select "Disable" in the drop-down box or do not configure this setting, VBScript is prevented from running.
We recommend setting this policy on "Disabled".
Restricted Sites: Automatic Prompt File Download
Microsoft Security Baseline
Verifies the local group policy "Automatic prompting for file downloads", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone".
This setting determines whether users will be prompted for non-user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
If you enable this setting, users will receive a file download dialog for automatic download attempts.
If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
We recommend setting this policy on "Disabled".
Restricted Sites: Antimalware Against ActiveX Controls
Microsoft Security Baseline
Verifies the local group policy "Don't run antimalware programs against ActiveX control", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone".
This setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they are safe to load on pages.
If you enable this policy setting, Internet Explorer will not check with your antimalware program to see if it is safe to create an instance of the ActiveX control.
If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it is safe to create an instance of the ActiveX control.
If you do not configure this policy setting, Internet Explorer always checks with your antimalware program to see if it is safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings.
We recommend setting this policy on "Disabled".
Restricted Sites: Download Signed ActiveX Controls
Microsoft Security Baseline
Verifies the local group policy "Download signed ActiveX controls", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone".
This setting allows managing whether users may download signed ActiveX controls from a page in the zone.
If you enable this policy setting, users can download signed controls without user intervention. If you select "Prompt" in the drop-down box, users are queried whether to download controls signed by publishers who are not trusted. Code signed by trusted publishers is silently downloaded.
If you disable or do not configure this setting, signed controls cannot be downloaded.
We recommend setting this policy on "Disabled".
Restricted Sites: Download Unsigned ActiveX Controls
Microsoft Security Baseline
Verifies the local group policy "Download unsigned ActiveX controls", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone".
This policy setting allows managing whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone.
If you enable this policy setting, users can run unsigned controls without user intervention. If you select "Prompt" in the drop-down box, users are queried to choose whether to allow the unsigned control to run.
If you disable or do not configure this setting, users cannot run unsigned controls.
We recommend setting this policy on "Disabled".
Restricted Sites: Drag Content Across Windows
Microsoft Security Baseline
Verifies the local group policy "Enable dragging of content from different domains across windows", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone".
This setting allows setting options for dragging content from one domain to a different domain when the source and destination are in different windows.
If you enable this policy setting and click "Enable", users can drag content from one domain to a different domain when the source and destination are in different windows. Users cannot change this setting.
If you enable this policy setting and click "Disable", users cannot drag content from one domain to a different domain when the source and destination are in different windows. Users cannot change this setting.
In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in different windows. Users can change this setting in the Internet Options dialog.
In Internet Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different domain when the source and destination are in different windows. Users cannot change this setting.
We recommend setting this policy on "Disabled".
Restricted Sites: Drag Content Within A Window
Microsoft Security Baseline
Verifies the local group policy "Enable dragging of content from different domains within a window", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone".
This setting allows setting options for dragging content from one domain to a different domain when the source and destination are in the same window.
If you enable this policy setting and click "Enable", users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting.
If you enable this policy setting and click "Disable", users cannot drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog.
In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in the same window. Users can change this setting in the Internet Options dialog.
In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog.
We recommend setting this policy on "Disabled".
Restricted Sites: Upload Files Includes Local Path
Microsoft Security Baseline
Verifies the local group policy "Include local path when user is uploading files to a server", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone".
This setting controls whether or not local path information is sent when the user is uploading a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path.
If you enable this setting, path information is sent when the user is uploading a file via an HTML form.
If you disable this setting, path information is removed when the user is uploading a file via an HTML form.
If you do not configure this setting, the user can choose whether path information is sent when he or she is uploading a file via an HTML form. By default, path information is sent.
We recommend setting this policy on "Disabled".
Restricted Sites: ActiveX Control Not Marked Safe
Microsoft Security Baseline
Verifies the local group policy "Initialize and script ActiveX controls not marked as safe", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone".
This setting allows managing ActiveX controls not marked as safe.
If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
If you enable this policy setting and select "Prompt" in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
If you disable or do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
We recommend setting this policy on "Disabled".
Restricted Sites: Java Permissions
Microsoft Security Baseline
Verifies the local group policy "Java permissions", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone".
This setting allows managing permissions for Java applets.
If you enable this policy setting, you can choose options from the drop-down box.
- "Custom", to control permissions settings individually.
- "Low Safety" enables applets to perform all operations.
- "Medium Safety" enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
- "High Safety" enables applets to run in their sandbox. "Disable Java" to prevent any applets from running.
If you disable this setting, Java applets cannot run.
If you do not configure this setting, Java applets are disabled.
We recommend setting this policy on "Enabled: Disable Java".
Restricted Sites: Launch in IFRAME
Microsoft Security Baseline
Verifies the local group policy "Launching applications and files in an IFRAME", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone".
This setting allows managing whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone.
If you enable this setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select "Prompt" in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone.
If you disable or do not configure this setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone.
We recommend setting this policy on "Disabled".
Restricted Sites: Logon Options
Microsoft Security Baseline
Verifies the local group policy "Logon options", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone".
This setting allows managing settings for logon options.
If you enable this setting, you can choose from the following logon options:
- "Anonymous logon" to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol.
- "Prompt for user name and password" to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session.
- "Automatic logon only in Intranet zone" to query users for user IDs and passwords in other zones. After a user is queried, these values can be used silently for the remainder of the session.
- "Automatic logon with current user name and password" to attempt logon using Windows NT Challenge Response (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon. If Windows NT Challenge Response is not supported by the server, the user is queried to provide the user name and password.
If you disable this setting, logon is set to "Automatic logon only in Intranet zone".
If you do not configure this setting, logon is set to "Prompt for user name and password".
We recommend setting this policy on "Enabled: Anonymous logon".
Restricted Sites: Navigate Across Domains
Microsoft Security Baseline
Verifies the local group policy "Navigate windows and frames across different domains", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone".
This setting allows managing the opening of windows and frames and access of applications across different domains.
If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select "Prompt" in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains.
If you disable or do not configure this setting, users cannot open other windows and frames from other domains or access applications from different domains.
We recommend setting this policy on "Disabled".
Restricted Sites: Run Not Signed .NET Components
Microsoft Security Baseline
Verifies the local group policy "Run .NET Framework-reliant components not signed with Authenticode", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone".
This setting allows managing whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select "Prompt" in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
If you disable or do not configure this setting, Internet Explorer will not execute unsigned managed components.
We recommend setting this policy on "Disabled".
Restricted Sites: Run Signed .NET Components
Microsoft Security Baseline
Verifies the local group policy "Run .NET Framework-reliant components signed with Authenticode", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone".
This setting allows managing whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
If you enable this policy setting, Internet Explorer will execute signed managed components. If you select "Prompt" in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components.
If you disable this setting, Internet Explorer will not execute signed managed components.
If you do not configure this setting, Internet Explorer will not execute signed managed components.
We recommend setting this policy on "Disabled".
ActiveX Controls And Plugins
Microsoft Security Baseline
Verifies the local group policy "Run ActiveX controls and plugins", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone".
This setting allows managing if ActiveX controls and plug-ins can be run on pages from the specified zone.
If you enable this setting, controls and plug-ins can run without user intervention.
If you select "Prompt" in the drop-down box, users are asked to choose whether to allow the controls or plug-ins to run.
If you disable or do not configure this setting, controls and plug-ins are prevented from running.
We recommend setting this policy on "Enabled: Disable".
ActiveX Control Marked Safe
Microsoft Security Baseline
Verifies the local group policy "Script ActiveX controls marked safe for scripting", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone".
This policy setting allows managing whether an ActiveX control marked safe for scripting can interact with a script.
If you enable this setting, script interaction can occur automatically without user intervention.
If you select "Prompt" in the drop-down box, users are queried to choose whether to allow script interaction.
If you disable or do not configure this setting, script interaction is prevented from occurring.
We recommend setting this policy on "Enabled: Disable".
Scripting Of Java Applets
Microsoft Security Baseline
Verifies the local group policy "Scripting of Java applets", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone".
This setting allows managing whether applets are exposed to scripts within the zone.
If you enable this setting, scripts can access applets automatically without user intervention.
If you select "Prompt" in the drop-down box, users are queried to choose whether to allow scripts to access applets.
If you disable or do not configure this setting, scripts are prevented from accessing applets.
We recommend setting this policy to "Enabled: Disable".
Restricted Sites: Show Warning For Unsafe Files
Microsoft Security Baseline
Verifies the local group policy "Show security warning for potentially unsafe files", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone".
This setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example).
If you enable this setting and set the drop-down box to "Enable", these files open without a security warning. If you set the drop-down box to "Prompt", a security warning appears before the files open.
If you disable this setting, these files do not open.
If you do not configure this setting, the user can configure how the computer handles these files. By default, these files are blocked in the Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones.
We recommend setting this policy to "Enabled: Disable".
Restricted Sites: Cross-Site Scripting Filter
Microsoft Security Baseline
Verifies the local group policy "Turn on Cross-Site Scripting Filter", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone".
This setting controls whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone.
If you enable this setting, the XSS Filter is turned on for sites in this zone, and the XSS Filter attempts to block cross-site script injections.
If you disable this policy setting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections.
We recommend setting this policy to "Enable".
Restricted Sites: Protected Mode
Microsoft Security Baseline
Verifies the local group policy "Turn on Protected Mode", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone".
This setting allows turning on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system.
If you enable this setting, Protected Mode is turned on. The user cannot turn off Protected Mode.
If you disable this setting, Protected Mode is turned off. The user cannot turn on Protected Mode.
If you do not configure this setting, the user can turn on or turn off Protected Mode.
We recommend setting this policy to "Enable".
Restricted Sites: SmartScreen Filter
Microsoft Security Baseline
Verifies the local group policy "Turn on SmartScreen Filter scan", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone".
This setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
If you enable this setting, SmartScreen Filter scans pages in this zone for malicious content.
If you disable this setting, SmartScreen Filter does not scan pages in this zone for malicious content.
If you do not configure this setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
Note: In Internet Explorer 7, this setting controls whether Phishing Filter scans pages in this zone for malicious content.
We recommend setting this policy to "Enable".
Restricted Sites: Pop-up Blocker
Microsoft Security Baseline
Verifies the local group policy "Use Pop-up Blocker", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone".
This setting allows managing whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked.
If you enable or do not configure this setting, most unwanted pop-up windows are prevented from appearing.
If you disable this setting, pop-up windows are not prevented from appearing.
We recommend setting this policy to "Enable".
Restricted Sites: Userdata Persistence
Microsoft Security Baseline
Verifies the local group policy "Userdata persistence", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone".
This setting allows managing the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
If you enable this setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
If you disable or do not configure this setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
We recommend setting this policy to "Disable".
Restricted Sites: Less Privileged Content Zones
Microsoft Security Baseline
Verifies the local group policy "Web sites in less privileged Web content zones can navigate into this zone", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone".
This setting allows managing whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
If you enable this setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security provided by the Protection from Zone Elevation security feature. If you select "Prompt" in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
If you disable or do not configure this setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by the Protection from Zone Elevation feature control.
We recommend setting this policy to "Disable".
Trusted Sites: Antimalware Against ActiveX Controls
Microsoft Security Baseline
Verifies the local group policy "Don't run antimalware programs against ActiveX controls", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone".
This setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they are safe to load on pages.
If you enable this setting, Internet Explorer will not check with your antimalware program to see if it is safe to create an instance of the ActiveX control.
If you disable this setting, Internet Explorer always checks with your antimalware program to see if it is safe to create an instance of the ActiveX control.
If you do not configure this setting, Internet Explorer will not check with your antimalware program to see if it is safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings.
We recommend setting this policy to "Disable".
Trusted Sites: ActiveX Control Not Marked Safe
Microsoft Security Baseline
Verifies the local group policy "Initialize and script ActiveX controls not marked as safe", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone".
This setting allows managing ActiveX controls not marked as safe.
If you enable this setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
If you enable this setting and select "Prompt" in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
If you disable this setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
If you do not configure this setting, users are queried whether to allow the control to be loaded with parameters or scripted.
We recommend setting this policy to "Disable".
Trusted Sites: Java Permissions
Microsoft Security Baseline
Verifies the local group policy "Java permissions", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone".
This setting allows managing permissions for Java applets.
If you enable this setting, you can choose one of the following options from the drop-down box:
- "Custom" lets you control permission settings individually.
- "Low Safety" enables applets to perform all operations.
- "Medium Safety" enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
- "High Safety" enables applets to run in their sandbox.
- "Disable Java" prevents any applets from running.
If you disable this policy setting, Java applets cannot run.
If you do not configure this policy setting, the permission is set to "Low Safety".
We recommend setting this policy to "Enabled: High Safety".
Fallback to SSL 3.0
Microsoft Security Baseline
Verifies the local group policy "Allow fallback to SSL 3.0 (Internet Explorer)", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Security Features".
This setting allows blocking an insecure fallback to SSL 3.0. When this policy is enabled, Internet Explorer will attempt to connect to sites using SSL 3.0 or below when TLS 1.0 or greater fails.
We recommend that you do not allow insecure fallback in order to prevent a man-in-the-middle attack.
This policy does not affect which security protocols are enabled.
If you disable this policy, system defaults will be used.
We recommend setting this policy to "Enabled: No sites".
"Run this time" Button
Microsoft Security Baseline
Verifies the local group policy "Remove Run this time button for outdated ActiveX controls in Internet Explorer", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Security Features > Add-on Management".
This policy setting allows preventing users from seeing the "Run this time" button and from running specific outdated ActiveX controls in Internet Explorer.
If you enable this setting, users will not see the "Run this time" button on the warning message that appears when Internet Explorer blocks an outdated ActiveX control.
If you disable or don't configure this policy setting, users will see the "Run this time" button on the warning message that appears when Internet Explorer blocks an outdated ActiveX control. Clicking this button lets the user run the outdated ActiveX control once.
We recommend setting this policy to "Enabled".
Blocking Outdated ActiveX Controls
Microsoft Security Baseline
Verifies the local group policy "Turn off blocking of outdated ActiveX controls for Internet Explorer", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Security Features > Add-on Management".
This setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.
If you enable this setting, Internet Explorer stops blocking outdated ActiveX controls.
If you disable or do not configure this policy setting, Internet Explorer continues to block specific outdated ActiveX controls.
We recommend setting this policy to "Disabled".
Internet Explorer Processes
Microsoft Security Baseline
Verifies the local group policy "Internet Explorer Processes", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Security Features > Consistent Mime Handling".
Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling procedures for files received through a Web server.
This policy setting determines whether Internet Explorer requires that all file-type information provided by Web servers be consistent. For example, if the MIME type of a file is text/plain but the MIME sniff indicates that the file is really an executable file, Internet Explorer renames the file by saving it in the Internet Explorer cache and changing its extension.
If you enable or do not configure this policy setting, Internet Explorer requires consistent MIME data for all received files.
If you disable this policy setting, Internet Explorer will not require consistent MIME data for all received files.
We recommend setting this policy to "Enabled".
MIME Sniffing: Internet Explorer Processes
Microsoft Security Baseline
Verifies the local group policy "Internet Explorer Processes", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Security Features > Mime Sniffing Safety Feature".
This policy setting determines whether Internet Explorer MIME sniffing will prevent promotion of a file of one type to a more dangerous file type.
If you enable or do not configure this setting, MIME sniffing will never promote a file of one type to a more dangerous file type.
If you disable this setting, Internet Explorer processes will allow a MIME sniff promoting a file of one type to a more dangerous file type.
We recommend setting this policy to "Enabled".
MK Protocol: Internet Explorer Processes
Microsoft Security Baseline
Verifies the local group policy "Internet Explorer Processes", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Security Features > MK Protocol Security Restriction".
The MK Protocol Security Restriction policy setting reduces attack surface area by preventing the MK protocol. Resources hosted on the MK protocol will fail.
If you enable or do not configure this setting, the MK Protocol is prevented for File Explorer and Internet Explorer, and resources hosted on the MK protocol will fail.
If you disable this setting, applications can use the MK protocol API. Resources hosted on the MK protocol will work for the File Explorer and Internet Explorer processes.
We recommend setting this policy to "Enabled".
Notification bar: Internet Explorer Processes
Microsoft Security Baseline
Verifies the local group policy "Internet Explorer Processes", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Security Features > Notification bar".
This setting allows you to manage whether the Notification bar is displayed for Internet Explorer processes when file or code installs are restricted. By default, the Notification bar is displayed for Internet Explorer processes.
If you enable or do not configure this setting, the Notification bar will be displayed for Internet Explorer Processes.
If you disable this policy setting, the Notification bar will not be displayed for Internet Explorer processes.
We recommend setting this policy to "Enabled".
Protection From Zone Elevation: Internet Explorer Processes
Microsoft Security Baseline
Verifies the local group policy "Internet Explorer Processes", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Security Features > Protection From Zone Elevation".
Internet Explorer places restrictions on each Web page it opens. The restrictions are dependent upon the location of the Web page (Internet, Intranet, Local Machine zone, etc.). Web pages on the local computer have the fewest security restrictions and reside in the Local Machine zone, making the Local Machine security zone a prime target for malicious users. Zone Elevation also disables JavaScript navigation if there is no security context.
If you enable or do not configure this setting, any zone can be protected from zone elevation by Internet Explorer processes.
If you disable this setting, no zone receives such protection for Internet Explorer processes.
We recommend setting this policy to "Enabled".
Restrict ActiveX Install: Internet Explorer Processes
Microsoft Security Baseline
Verifies the local group policy "Internet Explorer Processes", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Security Features > Restrict ActiveX Install".
This setting enables blocking of ActiveX control installation prompts for Internet Explorer processes.
If you enable this setting, prompting for ActiveX control installations will be blocked for Internet Explorer processes.
If you disable this setting, prompting for ActiveX control installations will not be blocked for Internet Explorer processes.
If you do not configure this setting, the user's preference will be used to determine whether to block ActiveX control installations for Internet Explorer processes.
We recommend setting this policy to "Enabled".
Restrict File Download: Internet Explorer Processes
Microsoft Security Baseline
Verifies the local group policy "Internet Explorer Processes", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Security Features > Restrict File Download".
This setting enables blocking of file download prompts that are not user initiated.
If you enable this setting, file download prompts that are not user initiated will be blocked for Internet Explorer processes.
If you disable this policy setting, prompting will occur for file downloads that are not user initiated for Internet Explorer processes.
If you do not configure this setting, the user's preference determines whether to prompt for file downloads that are not user initiated for Internet Explorer processes.
We recommend setting this policy to "Enabled".
Scripted Window Security Restrictions: Internet Explorer Processes
Microsoft Security Baseline
Verifies the local group policy "Internet Explorer Processes", located in "Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Security Features > Scripted Window Security Restrictions".
Internet Explorer allows scripts to programmatically open, resize, and reposition windows of various types. The Window Restrictions security feature restricts popup windows and prohibits scripts from displaying windows in which the title and status bars are not visible to the user, or which obfuscate other windows' title and status bars.
If you enable or do not configure this setting, popup windows and other restrictions apply for File Explorer and Internet Explorer processes.
If you disable this setting, scripts can continue to create popup windows and windows that obfuscate other windows.
We recommend setting this policy to "Enabled".
LAPS: Local Admin Password
Microsoft Security Baseline
Verifies the Microsoft LAPS policy for "Enable local admin password management".
We recommend setting this policy to "Enabled".
Local Accounts UAC Restrictions
Microsoft Security Baseline
MS Security Guide: Apply UAC restrictions to local accounts on network logon. This setting controls whether local accounts can be used for remote administration via network logon (e.g., NET USE, connecting to C$, etc.). Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Enabling this policy significantly reduces that risk.
Enabled (recommended): Applies UAC token-filtering to local accounts on network logons. Membership in a powerful group such as Administrators is disabled and powerful privileges are removed from the resulting access token. This configures the LocalAccountTokenFilterPolicy registry value to 0. This is the default behavior for Windows.
Disabled: Allows local accounts to have full administrative rights when authenticating via network logon, by configuring the LocalAccountTokenFilterPolicy registry value to 1.
For more information about LocalAccountTokenFilterPolicy, see http://support.microsoft.com/kb/951016.
We recommend setting this policy to "Enabled".
SMB V1 Server Driver
Microsoft Security Baseline
MS Security Guide: Configure SMB v1 server. Disabling this setting disables server-side processing of the SMBv1 protocol. (Recommended.)
Enabling this setting enables server-side processing of the SMBv1 protocol. (Default.)
Changes to this setting require a reboot to take effect.
For more information, see https://support.microsoft.com/kb/2696547.
We recommend setting this policy to "Disabled".
SMB V1 Client Driver
Microsoft Security Baseline
MS Security Guide: Configure SMB v1 client driver. Disabling this driver disables client-side processing of the SMBv1 protocol. (Recommended.)
Enabling this driver enables client-side processing of the SMBv1 protocol. (Default.)
Changes to this setting require a reboot to take effect.
For more information, see https://support.microsoft.com/kb/2696547.
We recommend setting this policy to "Enabled: Disable driver".
SEHOP
Microsoft Security Baseline
MS Security Guide: Enable Structured Exception Handling Overwrite Protection (SEHOP). If this setting is enabled, SEHOP is enforced.
For more information, see https://support.microsoft.com/en-us/help/956607/how-to-enable-structured-exception-handling-overwrite-protection-sehop-in-windows-operating-systems.
If this setting is disabled or not configured, SEHOP is not enforced for 32-bit processes.
We recommend setting this policy to "Enabled".
Windows Defender Against PUA
Microsoft Security Baseline
MS Security Guide: Turn on Windows Defender protection against Potentially Unwanted Applications. If this setting is enabled, Windows Defender protects against Potentially Unwanted Applications.
For more information, see https://blogs.technet.microsoft.com/mmpc/2015/11/25/shields-up-on-potentially-unwanted-applications-in-your-enterprise/. If this setting is disabled or not configured, Potentially Unwanted Application protection is disabled.
We recommend setting this policy to "Enabled".
WDigest Authentication
Microsoft Security Baseline
MS Security Guide: WDigest Authentication. When WDigest authentication is enabled, Lsass.exe retains a copy of the user's plaintext password in memory, where it can be at risk of theft. Microsoft recommends disabling WDigest authentication unless it is needed. If this setting is not configured, WDigest authentication is disabled in Windows 8.1 and in Windows Server 2012 R2; it is enabled by default in earlier versions of Windows and Windows Server.
Update KB2871997 must first be installed to disable WDigest authentication using this setting in Windows 7, Windows 8, Windows Server 2008 R2 and Windows Server 2012.
- Enabled: Enables WDigest authentication.
- Disabled (recommended): Disables WDigest authentication. For this setting to work on Windows 7, Windows 8, Windows Server 2008 R2 or Windows Server 2012, KB2871997 must first be installed. For more information, see http://support.microsoft.com/kb/2871997 and http://blogs.technet.com/b/srd/archive/2014/06/05/an-overview-of-kb2871997.aspx
We recommend setting this policy to "Disabled".
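An added PowerShell audit, not code from the GravityZone product or from Microsoft, that reads the machine-level policy values behind the Restricted Sites Zone indicators above and the Local Accounts UAC Restrictions, SEHOP, Windows Defender Against PUA and WDigest Authentication indicators, and reports each against the recommended setting. The registry locations and Internet Explorer zone action codes are assumptions from general Windows knowledge rather than values given on this page; the WDigest handling follows the page's note that the unconfigured default depends on the Windows version.

```powershell
# Added audit example (not Bitdefender's or Microsoft's code). Reads the
# machine-level policy values behind the Restricted Sites Zone indicators and
# four of the MS Security Guide indicators, and reports each against the
# recommended setting.
#
# Assumptions from general Windows knowledge, not stated on the page:
#  - configured IE zone policies live under ...\Internet Settings\Zones\4
#    (4 = Restricted Sites) as DWORDs named by a hex action code, where
#    0 = Enable, 1 = Prompt and 3 = Disable;
#  - the MS Security Guide settings map to the registry values listed below.
# Only the LocalAccountTokenFilterPolicy values (0 / 1) come from the page.

$IeRestrictedZone = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4'

function New-PolicyCheck {
    param(
        [string]$Name,
        [string]$Key,
        [string]$Value,
        [int]$Expected,
        # Value Windows applies when the policy is not configured;
        # -1 means "treat Not Configured as a finding".
        [int]$DefaultWhenMissing = -1
    )
    [pscustomobject]@{
        Name = $Name; Key = $Key; Value = $Value
        Expected = $Expected; DefaultWhenMissing = $DefaultWhenMissing
    }
}

# WDigest: the page states that "not configured" means disabled from
# Windows 8.1 / Server 2012 R2 (NT 6.3) onward and enabled on earlier versions.
$osVersion = [version](Get-CimInstance Win32_OperatingSystem).Version
$wdigestDefault = if ($osVersion -ge [version]'6.3') { 0 } else { 1 }

$PolicyChecks = @(
    (New-PolicyCheck 'Run ActiveX controls and plugins'                  $IeRestrictedZone '1200' 3)
    (New-PolicyCheck 'Script ActiveX controls marked safe for scripting'  $IeRestrictedZone '1405' 3)
    (New-PolicyCheck 'Scripting of Java applets'                         $IeRestrictedZone '1402' 3)
    (New-PolicyCheck 'Turn on Cross-Site Scripting Filter'               $IeRestrictedZone '1409' 0)
    (New-PolicyCheck 'Turn on Protected Mode'                            $IeRestrictedZone '2500' 0)
    (New-PolicyCheck 'Turn on SmartScreen Filter scan'                   $IeRestrictedZone '2301' 0)
    (New-PolicyCheck 'Use Pop-up Blocker'                                $IeRestrictedZone '1809' 0)
    (New-PolicyCheck 'Userdata persistence'                              $IeRestrictedZone '1606' 3)
    (New-PolicyCheck 'Less privileged zones can navigate into this zone' $IeRestrictedZone '2101' 3)
    # Page: 0 (token filtering applied) is the Windows default, so a missing value is compliant.
    (New-PolicyCheck 'Local Accounts UAC Restrictions' `
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'LocalAccountTokenFilterPolicy' 0 0)
    (New-PolicyCheck 'SEHOP' `
        'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel' 'DisableExceptionChainValidation' 0)
    (New-PolicyCheck 'Windows Defender Against PUA' `
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine' 'MpEnablePus' 1)
    (New-PolicyCheck 'WDigest Authentication' `
        'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential' 0 $wdigestDefault)
)

function Get-PolicyComplianceReport {
    param([object[]]$Checks = $PolicyChecks)

    foreach ($c in $Checks) {
        $configured = $null
        if (Test-Path -LiteralPath $c.Key) {
            $props = Get-ItemProperty -LiteralPath $c.Key -ErrorAction SilentlyContinue
            $p = if ($null -ne $props) { $props.PSObject.Properties[$c.Value] } else { $null }
            if ($null -ne $p) { $configured = [int]$p.Value }
        }
        # Effective value: the configured one, or the Windows default when the
        # page tells us what that default is.
        $effective = $configured
        if ($null -eq $effective -and $c.DefaultWhenMissing -ge 0) { $effective = $c.DefaultWhenMissing }

        [pscustomobject]@{
            Indicator  = $c.Name
            ValueName  = $c.Value
            Configured = if ($null -eq $configured) { 'Not Configured' } else { $configured }
            Effective  = if ($null -eq $effective)  { 'Unknown' }        else { $effective }
            Expected   = $c.Expected
            Compliant  = ($null -ne $effective -and $effective -eq $c.Expected)
        }
    }
}

Get-PolicyComplianceReport | Format-Table -AutoSize
```

A row whose Effective column reads "Unknown" is a policy that is neither configured nor covered by a default the page states, and should be set explicitly rather than assumed safe.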
IP Source Routing IPv6
MSS (Legacy)
MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing).
We recommend setting this policy to "Highest protection, source routing is completely disabled".
IP Source Routing
MSS (Legacy)
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing).
We recommend setting this policy to "Highest protection, source routing is completely disabled".
ICMP Redirects
MSS (Legacy)
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes.
We recommend setting this policy to "Disabled".
NetBIOS Name Release
MSS (Legacy)
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers.
We recommend setting this policy to "Enabled".

GravityZone indicators of risk for network settings

Name Level Description Action
Anonymous Users Permissions
Microsoft Security Baseline
Verifies the local security policy option "Network access: Do not allow anonymous enumeration of SAM accounts". This option determines if anonymous connections have the permission to enumerate the names of domain accounts. Endpoints with this option disabled are vulnerable to attackers trying to obtain usernames or passwords stored locally.
The recommended setting for this policy is "Enabled: Do not allow enumeration of SAM accounts". This option replaces "Everyone" with "Authenticated Users" in the security permissions for resources.
Digitally Encrypt / Sign Data
Microsoft Security Baseline
Verifies the local security policy option "Domain member: Digitally encrypt or sign secure channel data (always)".
This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted.
When this policy is disabled, encryption and signing of all secure channel traffic depend on the version of the Domain Controller and on the settings of the other policies for encrypting and signing secure channel data.
We recommend setting this policy to "Enabled".
Digitally Encrypt Data
Microsoft Security Baseline
Verifies the local security policy option "Domain member: Digitally encrypt secure channel data (when possible)".
This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates.
Disabling this setting may unnecessarily reduce secure channel throughput, because concurrent API calls that use the secure channel are only possible when the secure channel is signed or encrypted.
We recommend setting this policy to "Enabled".
Digitally Sign Data
Microsoft Security Baseline
Verifies the local security policy option "Domain member: Digitally sign secure channel data (when possible)".
This security setting determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates.
If enabled, the domain member will request signing of all secure channel traffic. If the Domain Controller supports signing of all secure channel traffic, then all secure channel traffic will be signed which ensures that it cannot be tampered with in transit.
We recommend setting this policy to "Enabled".
Change Account Password
Microsoft Security Baseline
Verifies the local security policy option "Domain member: Disable machine account password changes".
Determines whether a domain member periodically changes its computer account password. If this setting is enabled, the domain member does not attempt to change its computer account password, which exposes the endpoint to security risks.
We recommend setting this policy to "Disabled".
Strong Session Key
Microsoft Security Baseline
Verifies the local security policy option "Domain member: Require strong (Windows 2000 or later) session key".
This security setting determines whether 128-bit key strength is required for encrypted secure channel data.
If this setting is enabled, then the secure channel will not be established unless 128-bit encryption can be performed. If this setting is disabled, then the key strength is negotiated with the domain controller.
We recommend setting this policy to "Enabled".
Insecure Guest Logon
Microsoft Security Baseline
Verifies the local group policy "Enable insecure guest logons", located in "Computer Configuration > Administrative Templates > Network > Lanman Workstation".
This policy determines if the SMB client will allow insecure guest logons to an SMB server. If you enable / do not configure this policy, the SMB client will allow insecure guest logons. Insecure guest logons are used by file servers to allow unauthenticated access to shared folders. Since insecure guest logons are unauthenticated, important security features such as SMB Signing and SMB Encryption are disabled. As a result, clients that allow insecure guest logons are vulnerable to a variety of man-in-the-middle attacks that can result in data loss, data corruption and exposure to malware. Additionally, any data written to a file server using an insecure guest logon is potentially accessible to anyone on the network.
We recommend disabling insecure guest logons and configuring file servers to require authenticated access.
Client Digitally Sign Communications
Microsoft Security Baseline
Verifies the local security policy option "Microsoft network client: Digitally sign communications (always)".
This security setting determines whether packet signing is required by the Server Message Block (SMB) client component.
The SMB protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets.
If this policy is disabled, SMB packet signing is negotiated between the Microsoft network client and server.
Note: all Windows operating systems support both a client-side SMB component and a server-side SMB component. To take advantage of SMB packet signing, both the client-side and server-side SMB components involved in a communication must have SMB packet signing either enabled or required.
We recommend setting this policy to "Enabled".
Unencrypted passwords
Microsoft Security Baseline
Verifies the local security policy option "Microsoft network client: Send unencrypted password to third-party SMB servers".
If this security setting is enabled, the Server Message Block (SMB) redirector is allowed to send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication. Sending unencrypted passwords is a security risk.
We recommend setting this policy to "Disabled".
Server Digitally Sign Communications
Microsoft Security Baseline
Verifies the local security policy option "Microsoft network server: Digitally sign communications (always)".
This security setting determines whether packet signing is required by the Server Message Block (SMB) server component.
The SMB protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets.
If this policy is disabled, SMB packet signing is negotiated between the Microsoft network client and server.
Note: all Windows operating systems support both a client-side SMB component and a server-side SMB component. To take advantage of SMB packet signing, both the client-side and server-side SMB components involved in a communication must have SMB packet signing either enabled or required.
We recommend setting this policy to "Enabled".
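As an added example, not from the GravityZone documentation or from Microsoft, the following PowerShell reports the effective SMB client and server state behind the SMB V1 Server Driver, Insecure Guest Logon and the two Digitally Sign Communications indicators, using the built-in Get-SmbClientConfiguration and Get-SmbServerConfiguration cmdlets; it assumes Windows 8 / Server 2012 or later and an elevated session.

```powershell
# Added example (not Bitdefender's or Microsoft's code): reports the effective
# SMB client and server state behind the "SMB V1 Server Driver", "Insecure
# Guest Logon", "Client Digitally Sign Communications" and "Server Digitally
# Sign Communications" indicators, using the SmbShare cmdlets that ship with
# Windows 8 / Windows Server 2012 and later. Run from an elevated shell.

function Get-SmbHardeningStatus {
    [CmdletBinding()]
    param()

    $client = Get-SmbClientConfiguration
    $server = Get-SmbServerConfiguration

    # Each row: the indicator, the object/property that reflects it, and the
    # value the recommendation corresponds to.
    $rows = @(
        @{ Indicator = 'Client Digitally Sign Communications (always)'; Object = $client; Property = 'RequireSecuritySignature';  Expected = $true  }
        @{ Indicator = 'Server Digitally Sign Communications (always)'; Object = $server; Property = 'RequireSecuritySignature';  Expected = $true  }
        @{ Indicator = 'Insecure Guest Logon';                          Object = $client; Property = 'EnableInsecureGuestLogons'; Expected = $false }
        @{ Indicator = 'SMB V1 Server Driver';                          Object = $server; Property = 'EnableSMB1Protocol';        Expected = $false }
    )

    foreach ($r in $rows) {
        $prop = $r.Object.PSObject.Properties[$r.Property]
        if ($null -eq $prop) {
            # EnableInsecureGuestLogons only exists on Windows 10 / Server 2016
            # and later; on older builds report that rather than guessing.
            [pscustomobject]@{
                Indicator = $r.Indicator; Property = $r.Property
                Actual = 'Not available on this OS'; Expected = $r.Expected; Compliant = 'Unknown'
            }
            continue
        }
        [pscustomobject]@{
            Indicator = $r.Indicator
            Property  = $r.Property
            Actual    = $prop.Value
            Expected  = $r.Expected
            Compliant = ([bool]$prop.Value -eq $r.Expected)
        }
    }
}

# Signing is only enforced when both sides have it enabled or required (see
# the note under the signing indicators), so also show the negotiated
# "enabled" flags alongside the "required" ones for context.
function Get-SmbSigningNegotiationState {
    $client = Get-SmbClientConfiguration
    $server = Get-SmbServerConfiguration
    [pscustomobject]@{
        ClientEnableSigning  = $client.EnableSecuritySignature
        ClientRequireSigning = $client.RequireSecuritySignature
        ServerEnableSigning  = $server.EnableSecuritySignature
        ServerRequireSigning = $server.RequireSecuritySignature
    }
}

Get-SmbHardeningStatus | Format-Table -AutoSize
Get-SmbSigningNegotiationState
```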
Download Print Drivers Over HTTP
Microsoft Security Baseline
Verifies the local group policy "Turn off downloading of print drivers over HTTP", located in "Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet Communication Settings".
This policy specifies whether to allow this client to download print driver packages over HTTP.
When disabled or not configured, users can download print drivers over HTTP.
We recommend setting this policy on "Enabled".
Print Over HTTP
Microsoft Security Baseline
Verifies the local group policy "Turn off printing over HTTP", located in "Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet Communication Settings".
This policy specifies whether to allow printing over HTTP from this client. Printing over HTTP allows a client to print to printers on the intranet as well as the Internet.
When disabled or not configured, users can choose to print to printers on the Internet over HTTP.
We recommend setting this policy on "Enabled".
Internet Connection Sharing
Microsoft Security Baseline
Verifies the local group policy "Prohibit use of Internet Connection Sharing on your DNS domain network", located in "Computer Configuration > Administrative Templates > Network > Network Connections".
Determines whether administrators can enable and configure the Internet Connection Sharing (ICS) feature of an Internet connection and whether the ICS service can run on the computer. ICS lets administrators configure their system as an Internet gateway for a small network and provides network services such as name resolution and addressing through DHCP to the local private network. If you enable this setting, ICS cannot be enabled or configured by administrators and it cannot run on the computer.
Notes:
- ICS is only available when two or more network connections are present.
- Non-administrators are already prohibited from configuring Internet Connection Sharing regardless of this setting.
- Disabling this setting does not prevent Wireless Hosted Networking from using the ICS service for DHCP services.
To prevent the ICS service from running, go to the Network Permissions tab and select the "Don't use hosted networks" check box.
We recommend setting this policy on "Enabled".
Connect to Open Hotspots
Microsoft Security Baseline
Verifies the local group policy "Allow Windows to automatically connect to suggested open hotspots to networks shared by contacts and to hotspots offering paid services", located in "Computer Configuration > Administrative Templates > Network > WLAN Service > WLAN Settings".
This policy configures access to the following WLAN settings: "Connect to suggested open hotspots", "Connect to networks shared by my contacts" and "Enable paid services".
If this policy is disabled, the abovementioned WLAN settings will be turned off and users on this device will not have access to enable them.
If this policy is not configured or is enabled, users can choose to enable or disable either "Connect to suggested open hotspots", or "Connect to networks shared by my contacts".
We recommend setting this policy on "Disabled".
Non Domain Network Connections
Microsoft Security Baseline
Verifies the local group policy "Prohibit connection to non-domain networks when connected to domain authenticated network", located in "Computer Configuration > Administrative Templates > Network > Windows Connection Manager".
This policy prevents computers from connecting to both a domain-based network and a non-domain based network at the same time.
If this policy is enabled, the computer responds to automatic and manual network connection attempts based on the following circumstances:
Automatic connection attempts:
- When the computer is already connected to a domain based network, all automatic connection attempts to non-domain networks are blocked.
- When the computer is already connected to a non-domain based network, automatic connection attempts to domain-based networks are blocked.
Manual connection attempts:
- When the computer is already connected to either a non-domain based network or a domain based network over media other than Ethernet, and a user attempts to create a manual connection to an additional network in violation of this policy setting, the existing network connection is disconnected and the manual connection is allowed.
- When the computer is already connected to either a non-domain based network or a domain based network over Ethernet, and a user attempts to create a manual connection to an additional network in violation of this policy setting, the existing Ethernet connection is maintained and the manual connection attempt is blocked.
If this policy is not configured or is disabled, computers are allowed to connect simultaneously to both domain and non-domain networks.
We recommend setting this policy on "Enabled".
Credential Delegation
Microsoft Security Baseline
Verifies the local group policy "Remote host allows delegation of non-exportable credentials", located in "Computer Configuration > Administrative Templates > System > Credentials Delegation".
When using credential delegation, devices provide an exportable version of credentials to the remote host. This exposes users to the risk of credential theft from attackers on the remote host.
If you enable this policy setting, the host supports Restricted Admin or Remote Credential Guard mode.
If you disable or do not configure this policy setting, Restricted Administration and Remote Credential Guard mode are not supported. Users will always need to pass their credentials to the host.
We recommend setting this policy on "Enabled".
Secure RPC Communication
Microsoft Security Baseline
Verifies the local group policy "Require secure RPC communication", located in "Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security".
Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication.
You can use this setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests.
If the status is set to Enabled, Remote Desktop Services accepts requests from RPC clients that support secure requests, and does not allow unsecured communication with untrusted clients.
We recommend setting this policy on "Enabled".
Client Encryption Level
Microsoft Security Baseline
Verifies the local group policy "Set client connection encryption level", located in "Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security".
Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption.
If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the encryption method specified in this setting.
By default, the encryption level is set to "High Level" (the recommended option). This setting encrypts data sent from the client to the server and from the server to the client by using strong 128-bit encryption. Use this encryption level in environments that contain only 128-bit clients (for example, clients that run Remote Desktop Connection). Clients that do not support this encryption level cannot connect to RD Session Host servers.
We recommend setting this policy on "Enabled: High Level".
Blank Password
Microsoft Security Baseline
Verifies the local security policy option "Accounts: Limit local account use of blank passwords to console logon only".
This setting verifies whether local accounts without password protection can be used to log on from locations other than the physical computer console.
When this option is disabled, endpoints are exposed to a high security risk.
We recommend setting this policy on "Enabled".
Restrict Unauthenticated RPC
Microsoft Security Baseline
Verifies the local group policy "Restrict Unauthenticated RPC clients", located in "Computer Configuration > Administrative Templates > System > Remote Procedure Call".
This policy controls how the Remote Procedure Call (RPC) server runtime handles unauthenticated RPC clients connecting to RPC servers.
In a domain environment, this policy should be used with caution as it can affect a wide range of functionality, including the group policy processing itself.
A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security.
We recommend setting this policy on "Enabled: Authenticated".
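The following PowerShell script is an added example, not part of GravityZone or the ERA scanner: it audits the policy-backed registry values behind the Microsoft Security Baseline indicators listed above (from "Unencrypted passwords" through "Restrict Unauthenticated RPC") and can optionally set them to the recommended state. The registry paths and value names are the standard policy locations for these settings and are an assumption of this example, not taken from the page.

```powershell
# Added example (not GravityZone's own code): audit, and optionally remediate, the
# registry values behind the Microsoft Security Baseline indicators described above.
# Registry paths/value names are the standard policy-backed locations for these
# settings (assumed; not from the page). Run in an elevated PowerShell session.
param([switch]$Remediate)

$Checks = @(
    @{ Name = 'Unencrypted passwords';               Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Value = 'EnablePlainTextPassword';  Expected = 0 }
    @{ Name = 'Server Digitally Sign Communications';Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';      Value = 'RequireSecuritySignature'; Expected = 1 }
    @{ Name = 'Download Print Drivers Over HTTP';    Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers';                Value = 'DisableWebPnPDownload';    Expected = 1 }
    @{ Name = 'Print Over HTTP';                     Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers';                Value = 'DisableHTTPPrinting';      Expected = 1 }
    @{ Name = 'Internet Connection Sharing';         Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections';        Value = 'NC_ShowSharedAccessUI';    Expected = 0 }
    @{ Name = 'Connect to Open Hotspots';            Path = 'HKLM:\SOFTWARE\Microsoft\wcmsvc\wifinetworkmanager\config';            Value = 'AutoConnectAllowedOEM';    Expected = 0 }
    @{ Name = 'Non Domain Network Connections';      Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy';         Value = 'fBlockNonDomain';          Expected = 1 }
    @{ Name = 'Credential Delegation';               Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation';      Value = 'AllowProtectedCreds';      Expected = 1 }
    @{ Name = 'Secure RPC Communication';            Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services';       Value = 'fEncryptRPCTraffic';       Expected = 1 }
    @{ Name = 'Client Encryption Level';             Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services';       Value = 'MinEncryptionLevel';       Expected = 3 }  # 3 = High Level
    @{ Name = 'Blank Password';                      Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                           Value = 'LimitBlankPasswordUse';    Expected = 1 }
    @{ Name = 'Restrict Unauthenticated RPC';        Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc';                     Value = 'RestrictRemoteClients';    Expected = 1 }  # 1 = Authenticated
)

function Test-BaselineSetting {
    param([hashtable]$Check, [switch]$Fix)
    # An absent value means the policy is "not configured", which every indicator above
    # documents as the risky state, so it is reported the same way as a wrong value.
    $item   = Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($Check.Value) } else { $null }
    $ok     = ($null -ne $actual) -and ([int]$actual -eq $Check.Expected)
    if (-not $ok -and $Fix) {
        New-Item -Path $Check.Path -Force | Out-Null   # creates the policy key when it does not exist yet
        Set-ItemProperty -Path $Check.Path -Name $Check.Value -Value $Check.Expected -Type DWord
        $status = 'REMEDIATED'
    } elseif ($ok) { $status = 'OK' } else { $status = 'AT RISK' }
    $shown = if ($null -eq $actual) { 'not configured' } else { $actual }
    [pscustomobject]@{ Indicator = $Check.Name; Expected = $Check.Expected; Actual = $shown; Status = $status }
}

$Checks | ForEach-Object { Test-BaselineSetting -Check $_ -Fix:$Remediate } | Format-Table -AutoSize
```

On domain-joined endpoints, apply the corrected values through Group Policy rather than with -Remediate, because the next policy refresh overwrites local registry edits under the Policies keys.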