deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-14 14:27:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

added seccon 4

Browse Source
This commit is contained in:
Justin Hall 2019-04-08 11:46:32 -07:00
parent b81534b16a
commit cc6223daec
1 changed files with 186 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

186
windows/security/threat-protection/windows-seccon-framework/seccon-4-enterprise-high-security.md
View File

@ -22,3 +22,189 @@ ms.date: 04/05/2018
- Windows Server 2016
- Office 2016
SECCON 4 is the security configuration recommended as a standard for devices where users access more sensitive information. These devices are a natural target in enterprises today. While targeting high levels of security, these recommendations do not assume a large staff of highly skilled security practitioners, and therefore should be accessible to most Enterprise organizations.
A SECCON 4 configuration should include all the configurations from SECCON 5 and add the following security controls.
## Behaviors
The behaviors recommended in SECCON 4 implement a more sophisticated security
process. While they may require a more sophisticated organization, they enforce
a level of security more commensurate with the risks facing users with access to
sensitive information.
| Feature Set| Feature | Description |
|------------|----------|--------------|
| Antivirus | Configure Protection Updates to failover to retrieval from Microsoft | Sources for Windows Defender Antivirus Protection Updates can be provided in an ordered list. If you are using internal distribution, such as SCCM or WSUS, configure Microsoft Update lower in the list as a failover. |
| OS Security Updates | Deploy Windows Quality Updates within 4 days | As the time between release of a patch and an exploit based on the reverse engineering of that patch continues to shrink, engineering a process that provides the ability to validate and deploy quality updates addressing known security vulnerabilities is a critical aspect of security hygiene.|
| Helpdesk| 1:1 Administration| A simple and common model for helpdesk support is to add the Helpdesk group as a permanent member of the Local Administrators group of every device. If any device is compromised and helpdesk can connect to it, then these credentials can be used to obtain privilege on any / all other devices. Design and implement a strategy to provide helpdesk support without providing 1:all admin access constraining the value of these Helpdesk credentials |
## Controls
The controls enforced in SECCON 4 implement more controls and a more sophisticated security
configuration than SECCON 5. While they may have a slightly higher impact to
users or to applications, they enforce a level of security more commensurate
with the risks facing users with access to sensitive information. Microsoft
recommends using the Audit/Enforce methodology for controls with an Audit mode,
and the rings methodology for those that do not, with a moderate timeline that
is anticipated to be slightly longer than the process in SECCON 5.
| Feature Set | Feature | Description |
|-------------------------------------------------------------|-------------------------------------------------------|----------------|
| [Exploit protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard) | Enforce memory protection for OS-level controls: <br>- Control flow guard (CFG)<br>- Data Execution Protection (DEP)<br>- Mandatory ASLR<br>- Bottom-Up ASLR<br>- High-entropy ASLR<br>- Validate Exception Chains (SEHOP)<br>- Validate heap integrity | Exploit protection helps protect devices from malware that use exploits to spread and infect to other devices. It consists of several mitigations that can be applied at either the operating system level, or at the individual app level. There is a risk to application compatibility, as some applications may rely on blocked behavior (e.g. dynamically generating code without marking memory as executable). Microsoft recommends gradually deploying this configuration using the Rings methodology. |
| [Attack Surface Reduction (ASR)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)| Configure and Enforce Attack Surface Reduction Rules:<br>- Block executable content from email client and webmail<br>- Block all Office applications from creating child processes<br>- Block Office applications from creating executable content<br>- Block Office applications from injecting code into other processes<br>- Block JavaScript or VBScript from launching downloaded executable content<br>- Block execution of potentially obfuscated scripts<br>- Block Win32 API calls from Office macro<br>- Block executable files from running unless they meet a prevalence, age, or trusted list criterion<br>- Use advanced protection against ransomware<br>- Block credential stealing from the Windows local security authority subsystem (lsass.exe)<br>- Block process creations originating from PSExec and WMI commands<br>- Block untrusted and unsigned processes that run from USB<br>- Block Office communication applications from creating child processes<br>- Block Adobe Reader from creating child processes<br>| Attack surface reduction controls help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. There is a risk to application compatibility, as some applications may rely on blocked behavior (e.g. an Office application spawning a child process). Each control has an Audit mode, and as such, Microsoft recommends the Audit / Enforce Methodology (repeated here):<br>1) Audit enable the controls in audit mode, and gather audit data in a centralized location<br>2) Review review the audit data to assess potential impact (both positive and negative) and configure any exemptions from the security control you need to configure<br>3) Enforce Deploy the configuration of any exemptions and convert the control to enforce mode |
| [Network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard) | Configure and enforce Network Protection | Network protection helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. It expands the scope of Windows Defender SmartScreen to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname). There is a risk to application compatibility, as a result of false positives in flagged sites. Microsoft recommends deploying using the Audit / Enforce Methodology. |
## Policies
The policies enforced in SECCON 4 implement more controls and a more sophisticated security
configuration than SECCON 5. While they may have a slightly higher impact to
users or to applications, they enforce a level of security more commensurate
with the risks facing users with access to sensitive information. Microsoft
recommends using the rings methodology for these security configurations and
controls, with a moderate timeline that is anticipated to be slightly longer
than the process in SECCON 5.
### Security Template Policies
| Feature | Policy Setting | Policy Value | Description |
|------------------------|-------------------------------------------------------------------------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Security Options | Microsoft network client: Send unencrypted password to third party | Disabled | If this security setting is enabled, the Server Message Block (SMB) redirector can send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication. Sending unencrypted passwords is a security risk. |
| Security Options | Network access: Allow anonymous SID/Name translation | Disabled | This security setting determines if an anonymous user can request security identifier (SID) attributes for another user. If this policy is enabled, a user with knowledge of an administrator's SID could contact a computer that has this policy enabled and use the SID to get the administrator's name. |
| Security Options | Network access: Restrict clients allowed to make remote calls to SAM | Enabled: Administrators (allowed) | This policy setting allows you to restrict remote RPC connections to SAM. If not selected, the default security descriptor will be used. |
| Security Options | Network security: Allow LocalSystem NULL session fallback | Disabled | Allow NTLM to fall back to NULL session when used with LocalSystem |
| Security Options | Network security: Do not store LAN Manager hash value on next password change | Enabled | This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database the passwords can be compromised if the security database is attacked. |
| Security Options | Network security: LAN Manager authentication level | Send NTLMv2 response only. Refuse LM & NTLM | This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows: Send NTLMv2 response only\\refuse LM & NTLM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication). |
| Security Options | Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Require NTLMv2 session security and Require 128-bit encryption | This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. |
| Security Options | Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Require NTLMv2 session security and Require 128-bit encryption | This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. |
| Security Options | User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled | This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - …\\Program Files\\, including subfolders - …\\Windows\\system32\\ - …\\Program Files (x86)\\, including subfolders for 64-bit versions of Windows |
| User Rights Assignment | Access this computer from the network | Administrators; Remote Desktop Users | This user right determines which users and groups can connect to the computer over the network. Remote Desktop Services are not affected by this user right. |
| User Rights Assignment | Enable computer and user accounts to be trusted for delegation | No One (blank) | This security setting determines which users can set the Trusted for Delegation setting on a user or computer object. |
| User Rights Assignment | Impersonate a client after authentication | Administrators, SERVICE, Local Service, Network Service | Assigning this privilege to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels. |
| User Rights Assignment | Lock pages in memory | No One (blank) | This security setting determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random-access memory (RAM). |
| User Rights Assignment | Perform volume maintenance tasks | Administrators | This security setting determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation. |
| User Rights Assignment | Profile single process | Administrators | This security setting determines which users can use performance monitoring tools to monitor the performance of non-system processes. |
### Computer Policies
| Feature | Policy Setting | Policy Value | Description |
|---------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Network / Network Connections | Prohibit use of Internet Connection Sharing on your DNS domain network | Enabled | Determines whether administrators can enable and configure the Internet Connection Sharing (ICS) feature of an Internet connection and if the ICS service can run on the computer. |
| Network / Network Provider | Hardened UNC Paths | Enabled: \\\\\*\\SYSVOL and \\\\\*\\NETLOGON RequireMutualAuthentication = 1, RequireIntegrity = 1 | This policy setting configures secure access to UNC paths. If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling additional security requirements. |
| Network / Windows Connection Manager | Prohibit connection to non-domain networks when connected to domain authenticated network | Enabled | This policy setting prevents computers from connecting to both a domain-based network and a non-domain-based network at the same time. |
| Network / WLAN Service / WLAN Settings | Allow Windows to automatically connect to suggested open hotspots to networks shared by contacts and to hotspots offering paid services | Disabled | This policy setting determines whether users can enable the following WLAN settings: "Connect to suggested open hotspots," "Connect to networks shared by my contacts," and "Enable paid services". |
| System / Credentials Delegation | Remote host allows delegation of non-exportable credentials | Enabled | When using credential delegation, devices provide an exportable version of credentials to the remote host. This exposes users to the risk of credential theft from attackers on the remote host. If you enable this policy setting, the host supports Restricted Admin or Remote Credential Guard mode. |
| System / Device Guard | Turn on Virtualization Based Security | Enabled: Virtualization-Based Protection of Code Integrity Enabled with UEFI Lock | This setting enables virtualization-based protection of Kernel Mode Code Integrity. When this is enabled, kernel mode memory protections are enforced, and the Code Integrity validation path is protected by the Virtualization Based Security feature. |
| System / Internet Communication Management / Internet Communication | Turn off Internet download for Web publishing and online ordering wizards | Enabled | This policy setting specifies whether Windows should download a list of providers for the web publishing and online ordering wizards. These wizards allow users to select from a list of companies that provide services such as online storage and photographic printing. By default, Windows displays providers downloaded from a Windows website in addition to providers specified in the registry. |
| System / Logon | Turn on convenience PIN sign-in | Disabled | This policy setting allows you to control whether a domain user can sign in using a convenience PIN. |
| System / Remote Assistance | Configure Solicited Remote Assistance | Disabled | This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. |
| Windows Components / File Explorer | Turn off Data Execution Prevention for Explorer | Disabled | Disabling data execution prevention can allow certain legacy plug-in applications to function without terminating Explorer. |
| Windows Components / File Explorer | Turn off heap termination on corruption | Disabled | Disabling heap termination on corruption can allow certain legacy plug-in applications to function without terminating Explorer immediately, although Explorer may still terminate unexpectedly later. |
| Windows Components / Remote Desktop Services / Remote Desktop Connection Client | Do not allow passwords to be saved | Enabled | Controls whether passwords can be saved on this computer from Remote Desktop Connection. |
| Windows Components / Remote Desktop Services / Remote Desktop Session Host / Security | Always prompt for password upon connection | Enabled | This policy setting specifies whether Remote Desktop Services always prompts the client for a password upon connection. You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client. |
| Windows Components / Remote Desktop Services / Remote Desktop Session Host / Security | Require secure RPC communication | Enabled | Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication. |
| Windows Components / Remote Desktop Services / Remote Desktop Session Host / Security | Set client connection encryption level | Enabled: High Level | Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption. |
| Windows Components / Windows Security / App and browser protection | Prevent users from modifying settings | Enabled | Prevent users from making changes to the Exploit protection settings area in Windows Security. |
| Windows Components / Windows Game Recording and Broadcasting | Enables or disables Windows Game Recording and Broadcasting | Disabled | This setting enables or disables the Windows Game Recording and Broadcasting features. If you disable this setting, Windows Game Recording will not be allowed. |
| Windows Components / Windows PowerShell | Turn on PowerShell Script Block Logging | Enabled | This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log. |
| Windows Components / Windows Remote Management (WinRM) / WinRM Client | Allow Basic authentication | Disabled | This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. |
| Windows Components / Windows Remote Management (WinRM) / WinRM Client | Disallow Digest authentication | Enabled | This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Digest authentication. |
| Windows Components / Windows Remote Management (WinRM) / WinRM Service | Allow Basic authentication | Disabled | This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client. |
| Windows Components / Windows Remote Management (WinRM) / WinRM Service | Disallow WinRM from storing RunAs credentials | Enabled | This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will not allow RunAs credentials to be stored for any plug-ins. |
### Windows Defender Antivirus Policies
| Feature | Policy Setting | Policy Value | Description |
|-------------------------------------------------|-----------------------------------------------------------|----------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Windows Components / Windows Defender Antivirus | Configure Detection for Potentially Unwanted Applications | Enabled: Block | Enable or disable detection for potentially unwanted applications. You can choose to block, audit, or allow when potentially unwanted software is being downloaded or attempts to install itself on your computer. |
### IE Computer Policies
| Feature | Policy Setting | Policy Value | Description |
|---------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------|--------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Windows Components / Internet Explorer | Prevent bypassing SmartScreen Filter warnings | Enabled | This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter prevents the user from browsing to or downloading from sites that are known to host malicious content. SmartScreen Filter also prevents the execution of files that are known to be malicious. |
| Windows Components / Internet Explorer | Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet | Enabled | This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter warns the user about executable files that Internet Explorer users do not commonly download from the Internet. |
| Windows Components / Internet Explorer | Specify use of ActiveX Installer Service for installation of ActiveX controls | Enabled | This policy setting allows you to specify how ActiveX controls are installed. If you enable this policy setting, ActiveX controls are installed only if the ActiveX Installer Service is present and has been configured to allow the installation of ActiveX controls. |
| Windows Components / Internet Explorer / Internet Control Panel | Prevent ignoring certificate errors | Enabled | This policy setting prevents the user from ignoring Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate errors that interrupt browsing (such as "expired", "revoked", or "name mismatch" errors) in Internet Explorer. |
| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Allow software to run or install even if the signature is invalid | Disabled | This policy setting allows you to manage whether software, such as ActiveX controls and file downloads, can be installed or run by the user even though the signature is invalid. An invalid signature might indicate that someone has tampered with the file. |
| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Check for signatures on downloaded programs | Enabled | This policy setting allows you to manage whether Internet Explorer checks for digital signatures (which identifies the publisher of signed software and verifies it hasn't been modified or tampered with) on user computers before downloading executable programs. |
| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Turn off encryption support | Enabled: Use | This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the browser and the target server. When the browser attempts to set up a protected communication with the target server, the browser and server negotiate which protocol and version to use. The browser and server attempt to match each others list of supported protocols and versions, and they select the most preferred match. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page | Turn on certificate address mismatch warning | Enabled | This policy setting allows you to turn on the certificate address mismatch security warning. When this policy setting is turned on, the user is warned when visiting Secure HTTP (HTTPS) websites that present certificates issued for a different website address. This warning helps prevent spoofing attacks. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Access data sources across domains | Enabled: Disable | This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow cut copy or paste operations from the clipboard via script | Enabled: Disable | This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Automatic prompting for file downloads | Enabled: Disable | This policy setting determines whether users will be prompted for non-user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Download unsigned ActiveX controls | Enabled: Disable | This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Enable dragging of content from different domains across windows | Enabled: Disable | This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in different windows. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Enable dragging of content from different domains within a window | Enabled: Disable | This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in the same window. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Initialize and script ActiveX controls not marked as safe | Enabled: Disable | This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Java permissions | Enabled: Disable Java | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Launching applications and files in an IFRAME | Enabled: Disable | This policy setting allows you to manage whether applications may be run, and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Logon options | Enabled: Prompt for user name and password | This policy setting allows you to manage settings for logon options. Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Run .NET Framework-reliant components not signed with Authenticode | Enabled: Disable | This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Run .NET Framework-reliant components signed with Authenticode | Enabled: Disable | This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Show security warning for potentially unsafe files | Enabled: Prompt | This policy setting controls whether the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example). |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Userdata persistence | Enabled: Disable | This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Intranet Zone | Initialize and script ActiveX controls not marked as safe | Enabled: Disable | This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Local Machine Zone | Java permissions | Enabled: Disable Java | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Intranet Zone | Java permissions | Enabled: Disable Java | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Local Machine Zone | Java permissions | Enabled: Disable Java | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Restricted Sites Zone | Java permissions | Enabled: Disable Java | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Access data sources across domains | Enabled: Disable | This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow active scripting | Enabled: Disable | This policy setting allows you to manage whether script code on pages in the zone is run. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow binary and script behaviors | Enabled: Disable | This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functionality for HTML elements to which they were attached. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow cut copy or paste operations from the clipboard via script | Enabled: Disable | This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow drag and drop or copy and paste files | Enabled: Disable | This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow file downloads | Enabled: Disable | This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow loading of XAML files | Enabled: Disable | This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take advantage of the Windows Presentation Foundation. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow META REFRESH | Enabled: Disable | This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Download signed ActiveX controls | Enabled: Disable | This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow only approved domains to use ActiveX controls without prompt | Enabled: Enable | This policy setting controls whether the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow only approved domains to use the TDC ActiveX control | Enabled: Enable | This policy setting controls whether the user can run the TDC ActiveX control on websites. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow scripting of Internet Explorer WebBrowser controls | Enabled: Disable | This policy setting determines whether a page can control embedded WebBrowser controls via script. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow script-initiated windows without size or position constraints | Enabled: Disable | This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow scriptlets | Enabled: Disable | This policy setting allows you to manage whether the user can run scriptlets. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow updates to status bar via script | Enabled: Disable | This policy setting allows you to manage whether script can update the status bar within the zone. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow VBScript to run in Internet Explorer | Enabled: Disable | This policy setting allows you to manage whether VBScript can be run on pages from the specified zone in Internet Explorer. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Automatic prompting for file downloads | Enabled: Disable | This policy setting determines whether users will be prompted for non-user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Download unsigned ActiveX controls | Enabled: Disable | This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Enable dragging of content from different domains across windows | Enabled: Disable | This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in different windows. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Enable dragging of content from different domains within a window | Enabled: Disable | This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in the same window. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Include local path when user is uploading files to a server | Enabled: Disable | This policy setting controls whether local path information is sent when the user is uploading a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Initialize and script ActiveX controls not marked as safe | Enabled: Disable | This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Java permissions | Enabled: Disable Java | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Launching applications and files in an IFRAME | Enabled: Disable | This policy setting allows you to manage whether applications may be run, and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Logon options | Enabled: Anonymous logon | This policy setting allows you to manage settings for logon options. Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Navigate windows and frames across different domains | Enabled: Disable | This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Run .NET Framework-reliant components not signed with Authenticode | Enabled: Disable | This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Run .NET Framework-reliant components signed with Authenticode | Enabled: Disable | This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Run ActiveX controls and plugins | Enabled: Disable | This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Script ActiveX controls marked safe for scripting | Enabled: Disable | This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Scripting of Java applets | Enabled: Disable | This policy setting allows you to manage whether applets are exposed to scripts within the zone. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Show security warning for potentially unsafe files | Enabled: Disable | This policy setting controls whether the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example). If you disable this policy setting, these files do not open. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Userdata persistence | Enabled: Disable | This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Web sites in less privileged Web content zones can navigate into this zone | Enabled: Disable | This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Trusted Sites Zone | Initialize and script ActiveX controls not marked as safe | Enabled: Disable | This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Trusted Sites Zone | Java permissions | Enabled: High Safety | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. High Safety enables applets to run in their sandbox. |
| Windows Components / Internet Explorer / Security Features / Add-on Management | Remove "Run this time" button for outdated ActiveX controls in Internet Explorer | Enabled | This policy setting allows you to stop users from seeing the "Run this time" button and from running specific outdated ActiveX controls in Internet Explorer. |
| Windows Components / Internet Explorer / Security Features / Add-on Management | Turn off blocking of outdated ActiveX controls for Internet Explorer | Disabled | This policy setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone. |
| Windows Components / Internet Explorer / Security Features / Consistent Mime Handling | Internet Explorer Processes | Enabled | Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling procedures for files received through a Web server. This policy setting determines whether Internet Explorer requires that all file-type information provided by Web servers be consistent. For example, if the MIME type of a file is text/plain but the MIME sniff indicates that the file is really an executable file, Internet Explorer renames the file by saving it in the Internet Explorer cache and changing its extension. If you enable this policy setting, Internet Explorer requires consistent MIME data for all received files. |
| Windows Components / Internet Explorer / Security Features / Mime Sniffing Safety Feature | Internet Explorer Processes | Enabled | This policy setting determines whether Internet Explorer MIME sniffing will prevent promotion of a file of one type to a more dangerous file type. If you enable this policy setting, MIME sniffing will never promote a file of one type to a more dangerous file type. |
| Windows Components / Internet Explorer / Security Features / MK Protocol Security Restriction | Internet Explorer Processes | Enabled | The MK Protocol Security Restriction policy setting reduces attack surface area by preventing the MK protocol. Resources hosted on the MK protocol will fail. If you enable this policy setting, the MK Protocol is prevented for File Explorer and Internet Explorer, and resources hosted on the MK protocol will fail. |
| Windows Components / Internet Explorer / Security Features / Notification Bar | Internet Explorer Processes | Enabled | This policy setting allows you to manage whether the Notification bar is displayed for Internet Explorer processes when file or code installs are restricted. By default, the Notification bar is displayed for Internet Explorer processes. If you enable this policy setting, the Notification bar will be displayed for Internet Explorer Processes. |
| Windows Components / Internet Explorer / Security Features / Protection from Zone Elevation | Internet Explorer Processes | Enabled | Internet Explorer places restrictions on each Web page it opens. The restrictions are dependent upon the location of the Web page (Internet, Intranet, Local Machine zone, etc.). Web pages on the local computer have the fewest security restrictions and reside in the Local Machine zone, making the Local Machine security zone a prime target for malicious users. Zone Elevation also disables JavaScript navigation if there is no security context. If you enable this policy setting, any zone can be protected from zone elevation by Internet Explorer processes. |
| Windows Components / Internet Explorer / Security Features / Restrict ActiveX Install | Internet Explorer Processes | Enabled | This policy setting enables blocking of ActiveX control installation prompts for Internet Explorer processes. If you enable this policy setting, prompting for ActiveX control installations will be blocked for Internet Explorer processes. |
| Windows Components / Internet Explorer / Security Features / Restrict File Download | Internet Explorer Processes | Enabled | This policy setting enables blocking of file download prompts that are not user initiated. If you enable this policy setting, file download prompts that are not user initiated will be blocked for Internet Explorer processes. |
| Windows Components / Internet Explorer / Security Features / Scripted Window Security Restrictions | Internet Explorer Processes | Enabled | Internet Explorer allows scripts to programmatically open, resize, and reposition windows of various types. The Window Restrictions security feature restricts popup windows and prohibits scripts from displaying windows in which the title and status bars are not visible to the user or obfuscate other Windows' title and status bars. If you enable this policy setting, popup windows and other restrictions apply for File Explorer and Internet Explorer processes. |
### Custom Policies
| Feature | Policy Setting | Policy Value | Description |
|-------------------|---------------------------------|-------------------------|------------------------|
| MS Security Guide | Configure SMB v1 server | Disabled | Disable or enable server-side processing of the SMBv1 protocol |
| MS Security Guide | Configure SMB v1 client driver | Enabled: Disable driver | Configure the startup mode for the kernel mode driver that implements client-side SMBv1 processing (MrxSmb10). This setting includes a dropdown that is activated when the Enabled radio button is selected and that controls the “Start” registry value in HKLM\\SYSTEM\\CurrentControlSet\\Services\\MrxSmb10. |
| MS Security Guide | Enabled Structured Exception Handling Overwrite Protection (SEHOP)| Enabled | This feature is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. This protection mechanism is provided at run-time. Therefore, it helps protect applications regardless of whether they have been compiled with the latest improvements, such as the /SAFESEH option. We recommend that Windows users who are running any of the above operating systems enable this feature to improve the security profile of their systems. |
| MS Security Guide | WDigest Authentication | Disabled | When the WDigest Authentication protocol is enabled, plain text passwords are stored in the Local Security Authority Subsystem Service (LSASS) exposing them to theft. WDigest is disabled by default in Windows 10. This setting ensures this is enforced. |
| MS Security Guide | Block Flash activation in Office documents | Enabled | Prevents the Adobe Flash ActiveX control from being loaded by Office applications. |
| MSS (Legacy) | MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (Protects against packet spoofing) | Highest Protection, source routing is completely disabled | Allowing source routed network traffic allows attackers to obscure their identity and location. |
| MSS (Legacy) | MSS: (DisableIPSourceRouting) IP source routing protection level (Protects against packet spoofing) | Highest Protection, source routing is completely disabled | Allowing source routed network traffic allows attackers to obscure their identity and location. |
| MSS (Legacy) | MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes | Disabled | Allowing ICMP redirect of routes can lead to traffic not being routed properly. When disabled, this forces ICMP to be routed via shortest path first. |
| MSS (Legacy) | MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Enabled | Prevents a denial-of-service (DoS) attack against a WINS server. The DoS consists of sending a NetBIOS Name Release Request to the server for each entry in the server's cache, causing a response delay in the normal operation of the server's WINS resolution capability. |