Cyber Trackr - Free Compliance Library
Cyber Trackr
The Free Compliance Library

Microsoft IE Version 6

  • Version/Release: V4R11
  • Published: 2014-12-17
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

b
Internet Explorer is not configured to require consistent security zone settings to all users.
Medium - V-3427 - SV-3427r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI320
Vuln IDs
  • V-3427
Rule IDs
  • SV-3427r1_rule
This setting enforces consistent security zone settings to all users of the computer. Security Zones control browser behavior at various web sites and it is desirable to maintain a consistent policy for all users of a machine.HKSystem AdministratorECSC-1
Checks: C-1745r1_chk

If the following registry value doesn’t exist or is not configured as specified this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Subkey: \Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ Value Name: Security_HKLM_only Type: REG_DWORD Value: 1

Fix: F-5909r1_fix

Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer “Security Zones: Use only machine settings” to “Enabled”.

b
Internet Explorer is configured to Allow Users to Change Policies.
Medium - V-3428 - SV-3428r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI319
Vuln IDs
  • V-3428
Rule IDs
  • SV-3428r1_rule
This setting prevents users from changing the Internet Explorer policies on the machine. Policy changes should be made by Administrators only, so this setting should be Enabled.HKSystem AdministratorECSC-1
Checks: C-1746r1_chk

If the following registry value doesn’t exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Subkey: \Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ Value Name: Security_Options_Edit Type: REG_DWORD Value: 1

Fix: F-5910r1_fix

Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer “Security Zones: Do Not Allow Users to Change Policies” to “Enabled”.

b
Internet Explorer is configured to Allow Users to Add/Delete Sites.
Medium - V-3429 - SV-3429r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI318
Vuln IDs
  • V-3429
Rule IDs
  • SV-3429r1_rule
This setting prevents users from adding sites to various security zones. Users should not be able to add sites to different zones, as this could allow them to bypass security controls of the system.HKSystem AdministratorECSC-1
Checks: C-1748r1_chk

If the following registry value doesn’t exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Subkey: \Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ Value Name: Security_Zones_Map_Edit Type: REG_DWORD Value: 1

Fix: F-5911r1_fix

Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer “Security Zones: Do Not Allow Users to Add/Delete Sites” to “Enabled”.

a
Internet Explorer is not configured to disable making Proxy Settings Per Machine.
Low - V-3430 - SV-3430r1_rule
RMF Control
Severity
Low
CCI
Version
DTBI367
Vuln IDs
  • V-3430
Rule IDs
  • SV-3430r1_rule
This setting controls whether or not the Internet Explorer proxy settings are configured on a per-user or per-machine basis.System AdministratorECSC-1
Checks: C-1749r1_chk

Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer “Make proxy settings per-machine (rather than per user)” to “Disabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ Criteria: If the value ProxySettingsPerUser is REG_DWORD = 1, this is not a finding.

Fix: F-5912r1_fix

Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer “Make proxy settings per-machine (rather than per user)” to “Disabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ Criteria: Set the value ProxySettingsPerUser to REG_DWORD = 1.

b
Internet Explorer is configured to allow Automatic Install of components.
Medium - V-3431 - SV-3431r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI316
Vuln IDs
  • V-3431
Rule IDs
  • SV-3431r1_rule
This setting controls the ability of Internet Explorer to automatically install components if it goes to a site that requires components that are not currently installed. The System Administrator should install all components on the system. If additional components are necessary, the user should inform the SA and have the SA install the components.HKSystem AdministratorDCSL-1
Checks: C-1753r1_chk

If the following registry value doesn’t exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Subkey: \Software\Policies\Microsoft\Internet Explorer\InfoDelivery\Restrictions\ Value Name: NoJITSetup Type: REG_DWORD Value: 1

Fix: F-5913r1_fix

Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer “Disable Automatic Install of Internet Explorer components” to “Enabled”.

b
Internet Explorer is configured to automatically check for updates.
Medium - V-3432 - SV-3432r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI317
Vuln IDs
  • V-3432
Rule IDs
  • SV-3432r1_rule
This setting determines whether or not Internet Explorer will periodically check the Microsoft web sites to determine if there are updates to Internet Explorer available. The SA should manually install all updates on a system so that configuration control is maintained.HKSystem AdministratorDCSL-1
Checks: C-1767r1_chk

If the following registry value doesn’t exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Subkey: \Software\Policies\Microsoft\Internet Explorer\InfoDelivery\Restrictions\ Value Name: NoUpdateCheck Type: REG_DWORD Value: 1

Fix: F-5914r1_fix

Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer “Disable Periodic Check for Internet Explorer Software Updates” to “Enabled”.

a
Internet Explorer is configured to notify users when programs are modified through the software distribution channel.
Low - V-3433 - SV-3433r1_rule
RMF Control
Severity
Low
CCI
Version
DTBI137
Vuln IDs
  • V-3433
Rule IDs
  • SV-3433r1_rule
Microsoft Internet Explorer now supports a software distribution channel that may be used to update software installed on a machine. If this setting is enabled, users will not be notified when programs are modified through the software distribution channel. This allows administrators to update workstations without user intervention.System AdministratorECSC-1
Checks: C-1771r1_chk

If the following registry value exists and its value is not set to 1, then this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Subkey: \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ Value Name: NoMSAppLogo5ChannelNotify Type: REG_DWORD Value: 1

Fix: F-5915r1_fix

Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer “Disable Software Update Shell Notifications on Program Launch” to “Enabled”.

c
The installed version of IE must be a supported version.
High - V-6227 - SV-6277r3_rule
RMF Control
Severity
High
CCI
Version
DTBG003
Vuln IDs
  • V-6227
Rule IDs
  • SV-6277r3_rule
Unsupported versions are no longer being evaluated or updated for security related issues.System AdministratorECSC-1
Checks: C-163r3_chk

Procedure: Open Internet Explorer, Select Help, Select About. Criteria: If the version number of Internet Explorer is any version of Internet Explorer 6, this is a Finding. Note: The end of life for Internet Explorer 6 running on a Windows 2003r2 server is July 14, 2015.

Fix: F-128r1_fix

Upgrade to the supported software version.

b
The IE home page is not set to blank or a trusted site.
Medium - V-6228 - SV-6278r3_rule
RMF Control
Severity
Medium
CCI
Version
DTBI001
Vuln IDs
  • V-6228
Rule IDs
  • SV-6278r3_rule
By setting this parameter appropriately, a malicious web site will not be automatically loaded into a browser which may contain mobile code.System AdministratorDCMC-1
Checks: C-170r2_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Microsoft\Internet Explorer\Main Criteria: If the value Start Page is about:blank or a trusted site this is not a finding.

Fix: F-131r2_fix

Change Start Page value to about:blank or a trusted site.

b
IE Local zone security parameter is set incorrectly.
Medium - V-6229 - SV-6279r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI002
Vuln IDs
  • V-6229
Rule IDs
  • SV-6279r1_rule
The Local zone must be set to custom level so the other required settings for the zone can take effect.System AdministratorDCMC-1
Checks: C-175r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Criteria: If the value Currrentlevel is 0, this is not a finding.

Fix: F-135r1_fix

Change the value of registry HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 to Currentlevel is 0

b
The IE Trusted sites zone security parameter is set incorrectly.
Medium - V-6230 - SV-6280r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI003
Vuln IDs
  • V-6230
Rule IDs
  • SV-6280r1_rule
The Trusted sites zone must be set to custom level so the other required settings for the zone can take effect.System AdministratorDCMC-1
Checks: C-176r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 Criteria: If the value Currrentlevel is 0, this is not a finding.

Fix: F-136r1_fix

Change value of registry HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 to Currentlevel is 0

b
The IE Internet zone security parameter is set incorrectly.
Medium - V-6231 - SV-6281r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI004
Vuln IDs
  • V-6231
Rule IDs
  • SV-6281r1_rule
The Internet zone must be set to custom level so the other required settings for the zone can take effect.System Administrator
Checks: C-177r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value Currrentlevel is 0, this is not a finding.

Fix: F-137r1_fix

Change the value of registry HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 to Currentlevel is 0.

b
The IE Restricted sites zone security parameter is set incorrectly.
Medium - V-6232 - SV-6282r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI005
Vuln IDs
  • V-6232
Rule IDs
  • SV-6282r1_rule
The Restricted sites zone must be set to custom level so the other required settings for the zone can take effect.System AdministratorDCMC-1
Checks: C-178r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value Currrentlevel is 0, this is not a finding.

Fix: F-138r1_fix

Change the value of registry HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 to Currentlevel is 0.

b
The IE Local zone includes parameter is not set correctly.
Medium - V-6233 - SV-6283r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI006
Vuln IDs
  • V-6233
Rule IDs
  • SV-6283r1_rule
This parameter controls which sites are by default in the local zone. Since this is the least restrictive zone these settings ensure that sites are not included in this zone by default.System AdministratorECSC-1
Checks: C-179r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Criteria: If the value Flags is less than or equal to 0x43 (hex) or 67 (Dec), this is not a finding.

Fix: F-139r1_fix

Change the value of registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 to Flags is 0x43.

b
The IE third party cookies parameter is not set correctly.
Medium - V-6234 - SV-6284r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI007
Vuln IDs
  • V-6234
Rule IDs
  • SV-6284r1_rule
This parameter ensures that third party cookies are blocked. Third party cookies come from a site other than the site being browsed. Since these cross sites, the storing unwanted data or allowing data to be retrieved later via the cookie is of greater concern for malicious activity.System AdministratorECSC-1
Checks: C-180r1_chk

Procedure: From the Tools/Internet Options dialog, Select the Privacy tab and click the Advanced button. Criteria: If the Third-party Cookies are not configured to Block, this is a finding.

Fix: F-140r1_fix

Under Tools/Internet Options, select the Privacy Tab and click the Advanced button. Change third party cookies to blocked.

b
The IE signature checking parameter is not set correctly.
Medium - V-6236 - SV-6286r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI012
Vuln IDs
  • V-6236
Rule IDs
  • SV-6286r1_rule
This parameter will ensure digital signatures are checked on downloaded programs.System AdministratorDCMC-1
Checks: C-192r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Microsoft\Internet Explorer\Download Criteria: If the value CheckExeSignatures is yes, this is not a finding.

Fix: F-151r1_fix

Change the value of registry key HKCU\Software\Microsoft\Internet Explorer\Download to CheckExeSignatures is yes.

b
The IE save encrypted pages to disk parameter is not set correctly.
Medium - V-6237 - SV-6287r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI013
Vuln IDs
  • V-6237
Rule IDs
  • SV-6287r1_rule
This parameter ensures pages using SSL or TLS are not cached to the local drive. This ensures sensitive data from a web site does not remain on the machine that is not properly protected.This will cause the browser's back button to not work for pages that use SSL or TLS.System AdministratorECSC-1
Checks: C-197r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings Criteria: If the value DisableCachingOfSSLPages is 1, this is not a finding. If the Do not save encrypted pages to disk is 0 enabled and the permissions of the Temporary Internet files folder are not the same as, or more restrictive than, those in the following table, this is a Finding. variable\Temporary Internet Files(The variable portion of the path name depends on the configuration setting in Internet Explorer.) Administrators ALL CREATOR OWNER ALL SYSTEM ALL [user] ALL

Fix: F-153r1_fix

Change the value of registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings to DisableCachingOfSSLPages is 1

b
The Internet Explorer SSL/TLS parameter must be set correctly.
Medium - V-6238 - SV-6288r3_rule
RMF Control
Severity
Medium
CCI
Version
DTBI014
Vuln IDs
  • V-6238
Rule IDs
  • SV-6288r3_rule
This parameter ensures SSL and TLS are able to be used from the browser.System AdministratorECSC-1
Checks: C-198r6_chk

Open Internet Explorer. From the menu bar, select Tools. From the Tools drop-down menu, select Internet Options. From the Internet Options window, select the Advanced tab, from the Advanced tab window scroll down to the Security category. Verify a check mark is placed in 'Use SSL 3.0' and 'Use TLS 1.0' check boxes. Check marks can also be placed in 'Use TLS 1.1' and/or 'Use TLS 1.2'. If so, this is acceptable and not a finding. Verify there is not a check placed in the check box for 'Use SSL 2.0'. If 'Use SSL 2.0' is checked, then this is a finding.

Fix: F-154r5_fix

Fix Text: Open Internet Explorer. From the menu bar, select Tools. From the Tools drop-down menu, select Internet Options. From the Internet Options window, select the Advanced tab, from the Advanced tab window scroll down to the Security category. Place a check mark in 'Use SSL 3.0' and 'Use TLS 1.0' check boxes. Check marks can also be placed in 'Use TLS 1.1' and/or 'Use TLS 1.2'. Uncheck 'Use SSL 2.0' option.

b
The IE warning of invalid certificates parameter is not set correctly
Medium - V-6239 - SV-6289r2_rule
RMF Control
Severity
Medium
CCI
Version
DTBI015
Vuln IDs
  • V-6239
Rule IDs
  • SV-6289r2_rule
This parameter warns users if the certifcate being presented by the web site is invalid. Since server certificates are used to validate the identity of the web server it is critical to warn the user of a potential issue with the certificate being presented by the web server.System AdministratorECSC-1
Checks: C-207r3_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings Criteria: If the value WarnonBadCertRecving value is 1, this is not a finding.

Fix: F-5686r3_fix

Change the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings to the value WarnonBadCertRecving to 1

b
The IE changing zones parameter is not set correctly.
Medium - V-6240 - SV-6290r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI016
Vuln IDs
  • V-6240
Rule IDs
  • SV-6290r1_rule
This parameter warns the user when changing between zones. This conveys important information to the user so the user is reminded that the zone has changed and the possiblity the type of data to be entered in the site has changed. Also the user expected actions have also changed based upon what happens when a mobile code technology is encountered.System AdministratorDCMC-1
Checks: C-209r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings Criteria: If the value WarnonZoneCrossing value is 1, this is not a finding.

Fix: F-5687r1_fix

Change the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings to the value WarnonZoneCrossing is 1.

b
The IE form redirect parameter is not set correctly.
Medium - V-6241 - SV-6291r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI017
Vuln IDs
  • V-6241
Rule IDs
  • SV-6291r1_rule
This parameter warns the user that input from the form is being redirected to another web site. Since the form may contain sensitive data the user must be warned that the data is not being directed to the site the user was using. This enables the user to make a decision if the data on the form is appropriate for inclusion into the new web site.System AdministratorECSC-1
Checks: C-210r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings Criteria: If the value WarnOnPostRedirect value is 1, this is not a finding.

Fix: F-5689r1_fix

Change the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings to the value WarnOnPostRedirect is 1.

b
Users can change the advanced settings in IE.
Medium - V-6242 - SV-6292r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI021
Vuln IDs
  • V-6242
Rule IDs
  • SV-6292r1_rule
Since most of the IE settings can be changed through the GUI, it is important to ensure that user's cannot change these settings. Some settings will restrict users from visiting certain sites or will restrict the functionality of sites. It is important that access to changing the settings is removed.System AdministratorDCMC-1
Checks: C-211r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel Criteria: If the value AdvancedTab is 1, this is not a finding. If the value is not 1 or the key is not present, this is a finding.

Fix: F-5690r1_fix

Change the registry key HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel to the value AdvancedTab is 1.

b
The Download signed ActiveX controls property is not set properly for the Internet Zone.
Medium - V-6243 - SV-6293r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI022
Vuln IDs
  • V-6243
Rule IDs
  • SV-6293r1_rule
Active X controls can contain potentially malicious code and must only be allowed to be downloaded from trusted sites.System AdministratorDCMC-1
Checks: C-212r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value 1001 is REG_DWORD = 3 (Disabled = 3), this is not a finding.

Fix: F-5691r1_fix

Change the registry key HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria:Set the value 1001 to REG_DWORD = 3 (Disabled = 3).

b
The Download unsigned ActiveX controls property is not set properly for the Internet Zone.
Medium - V-6244 - SV-6294r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI023
Vuln IDs
  • V-6244
Rule IDs
  • SV-6294r1_rule
Active X controls can contain potentially malicious code and must only be allowed to be downloaded from trusted sites and they must be digitally signed. System AdministratorDCMC-1
Checks: C-213r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value 1004 is REG_DWORD = 3 (Disabled = 3), this is not a finding.

Fix: F-5692r1_fix

Change the registry key HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: Set the value 1004 to REG_DWORD = 3 (Disabled = 3).

b
The Initialize and script ActiveX controls not marked as safe property is not set properly for the Internet Zone.
Medium - V-6245 - SV-6295r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI024
Vuln IDs
  • V-6245
Rule IDs
  • SV-6295r1_rule
ActiveX controls that are not marked safe scripting should not be executed. Although this is not a complete security measure for a control to be marked safe for scripting, if a control is not marked safe, it should not be initialized and executed.System AdministratorDCMC-1
Checks: C-214r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value 1201 is REG_DWORD = 3 (Disabled = 3), this is not a finding.

Fix: F-5693r1_fix

Change the registry key HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value 1201 is REG_DWORD = 3 (Disabled = 3).

b
The Script ActiveX controls marked safe for scripting property is not set properly for the Internet Zone.
Medium - V-6246 - SV-6296r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI026
Vuln IDs
  • V-6246
Rule IDs
  • SV-6296r1_rule
ActiveX controls that are not marked safe for scripting should not be executed. Although this is not a complete security measure for a control to be marked safe for scripting, if a control is not marked safe, it should not be initialized and executed.System AdministratorDCMC-1
Checks: C-215r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value 1405 is REG_DWORD = 1 (Prompt = 1), this is not a finding.

Fix: F-5695r1_fix

Change the registry key HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value 1405 is REG_DWORD = 1 (Prompt = 1).

b
The Font download control is not set properly for the Internet Zone.
Medium - V-6248 - SV-6300r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI030
Vuln IDs
  • V-6248
Rule IDs
  • SV-6300r1_rule
Download of fonts can sometimes contain malicious code. System AdministratorDCMC-1
Checks: C-243r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value 1604 is REG_DWORD = 1 (Prompt = 1), this is not a finding.

Fix: F-5703r1_fix

Change the registry key HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: Set the value 1604 to REG_DWORD = 1 (Prompt = 1).

b
The Java Permissions is not set properly for the Internet Zone.
Medium - V-6249 - SV-6301r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI031
Vuln IDs
  • V-6249
Rule IDs
  • SV-6301r1_rule
Java must have level of protections based upon the site being browsed.System AdministratorDCMC-1
Checks: C-244r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value 1C00 is REG_DWORD = 0 (Disabled = 0), this is not a finding.

Fix: F-5704r1_fix

Change the registry key HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: Set the value 1C00 to REG_DWORD = 0 (Disabled = 0).

b
The Access data sources across domains is not set properly for the Internet Zone.
Medium - V-6250 - SV-6302r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI032
Vuln IDs
  • V-6250
Rule IDs
  • SV-6302r1_rule
Access to data sources across multiple domains must be controlled based upon the site being browsed.System AdministratorDCMC-1
Checks: C-245r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value 1406 is REG_DWORD = 3 (Disabled = 3), this is not a finding.

Fix: F-5705r1_fix

Change the registry key HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: Set the value 1406 to REG_DWORD = 3 (Disabled = 3).

b
The Display mixed content is not set properly for the Internet Zone.
Medium - V-6251 - SV-6303r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI034
Vuln IDs
  • V-6251
Rule IDs
  • SV-6303r1_rule
Display mixed content must have level of protection based upon the site being browsed.System AdministratorDCMC-1
Checks: C-247r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value 1609 is REG_DWORD = 1 (Prompt = 1), this is not a finding.

Fix: F-5706r1_fix

Change the registry key HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: Set the value 1609 to REG_DWORD = 1 (Prompt = 1).

b
The Don't prompt for client certificate selection when no certificate or only one certificate exists is not set properly for the Internet Zone.
Medium - V-6252 - SV-6304r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI035
Vuln IDs
  • V-6252
Rule IDs
  • SV-6304r1_rule
Client certificates should not be presented to web sites without the user's acknowledgement.System AdministratorECSC-1
Checks: C-248r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value 1A04 is REG_DWORD=3 (Disabled), this is not a finding.

Fix: F-5707r1_fix

Change the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: Set the value 1A04 to REG_DWORD=3 (Disabled).

b
The Allow Drag and drop or copy and paste files is not set properly for the Internet Zone.
Medium - V-6253 - SV-6305r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI036
Vuln IDs
  • V-6253
Rule IDs
  • SV-6305r1_rule
Drag and Drop or copy and paste files must have level of protection based upon the site being accessed.System AdministratorECSC-1
Checks: C-249r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value for 1802 is REG_DWORD = 3 (Disable= 3) or the value does not exist, this is not a finding.

Fix: F-5708r1_fix

If a value for this zone is present and not set to 3 change the registry key HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: Set the value 1802 to REG_DWORD = 3 (Disable= 3).

b
The Installation of desktop items is not set properly for the Internet Zone.
Medium - V-6254 - SV-6306r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI037
Vuln IDs
  • V-6254
Rule IDs
  • SV-6306r1_rule
Installation of items must have level of protection based upon the site being accessed.System AdministratorDCMC-1
Checks: C-250r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value 1800 is REG_DWORD = 3 (Disabled = 3), this is not a finding.

Fix: F-5709r1_fix

Change the registry key HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: Set the value 1800 to REG_DWORD = 3 (Disabled = 3).

b
The Launching programs and files in IFRAME is not set properly for the Internet Zone.
Medium - V-6255 - SV-6307r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI038
Vuln IDs
  • V-6255
Rule IDs
  • SV-6307r1_rule
Launching of programs in IFRAME must have level of protection based upon the site being accessed.System AdministratorDCMC-1
Checks: C-255r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value 1804 is REG_DWORD = 3 (Disabled = 3), this is not a finding.

Fix: F-5710r1_fix

Change the registry key HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: Set the value 1804 to REG_DWORD = 3 (Disabled = 3).

b
The Navigate sub-frames across different domains is not set properly for the Internet Zone.
Medium - V-6256 - SV-6311r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI039
Vuln IDs
  • V-6256
Rule IDs
  • SV-6311r1_rule
Frames that navigate across different domains are a security concern because the user may think they are accessing pages on one site while they are actually accessing pages on another site.System AdministratorECSC-1
Checks: C-284r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value 1607 is REG_DWORD = 1 (Prompt = 1), this is not a finding.

Fix: F-5714r1_fix

Change the registry key HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: Set the value 1607 to REG_DWORD = 1 (Prompt = 1).

b
The Software channel permissions is not set properly for the Internet Zone.
Medium - V-6257 - SV-6313r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI040
Vuln IDs
  • V-6257
Rule IDs
  • SV-6313r1_rule
Software Channel permissions must have level of protection based upon the site being accessed.System AdministratorDCMC-1
Checks: C-297r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value 1E05 is REG_DWORD = 65536 (High Safety), this is not a finding.

Fix: F-15395r1_fix

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: Set the value 1E05 to REG_DWORD = 65536 (High Safety).

b
The Submit non-encrypted form data is not set properly for the Internet Zone.
Medium - V-6258 - SV-6315r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI041
Vuln IDs
  • V-6258
Rule IDs
  • SV-6315r1_rule
The user needs to be prompted before sending information from a browser that is not encrypted.System AdministratorECSC-1
Checks: C-306r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value 1601 is REG_DWORD = 1 (Prompt), this is not a finding.

Fix: F-5720r1_fix

Change the registry key HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: Set the value 1601 to REG_DWORD = 1 (Prompt).

b
The Userdata persistence is not set properly for the Internet Zone.
Medium - V-6259 - SV-6316r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI042
Vuln IDs
  • V-6259
Rule IDs
  • SV-6316r1_rule
Userdata persistence must have level of protection based upon the site being accessed.System AdministratorECSC-1
Checks: C-310r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value 1606 is REG_DWORD = 3 (Disabled = 3), this is not a finding.

Fix: F-5722r1_fix

Change the registry key HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: Set the value 1606 to REG_DWORD = 3 (Disabled = 3).

b
The Allow paste operations via script is not set properly for the Internet Zone.
Medium - V-6260 - SV-6318r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI044
Vuln IDs
  • V-6260
Rule IDs
  • SV-6318r1_rule
Allow paste operations via script must have level of protection based upon the site being accessed.System AdministratorECSC-1
Checks: C-313r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value 1407 is REG_DWORD = 3 (Disabled = 3), this is not a finding.

Fix: F-5724r1_fix

Change the registry key HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: Set the value 1407 to REG_DWORD = 3 (Disabled = 3).

b
The Scripting of Java applets is not set properly for the Internet Zone.
Medium - V-6261 - SV-6319r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI045
Vuln IDs
  • V-6261
Rule IDs
  • SV-6319r1_rule
Java Applets must have level of protection based upon the site being accessed.System AdministratorDCMC-1
Checks: C-315r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value 1402 is REG_DWORD = 1 (Prompt), this is not a finding.

Fix: F-5726r1_fix

Change the registry key HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: Set the value 1402 to REG_DWORD = 1 (Prompt).

b
The user Authentication - Logon is not set properly for the Internet Zone.
Medium - V-6262 - SV-6321r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI046
Vuln IDs
  • V-6262
Rule IDs
  • SV-6321r1_rule
Care must be taken with user credentials and how automatic logons are performed and how default Windows credentials are passed to web sites.System AdministratorECSC-1
Checks: C-318r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value 1A00 is REG_DWORD = 65536 (decimal), this is not a finding.

Fix: F-5728r1_fix

Change the registry key HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: Set the value 1A00 to REG_DWORD = 65536 (decimal).

b
The Download signed ActiveX controls property is not set properly for the Local Zone.
Medium - V-6263 - SV-6322r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI052
Vuln IDs
  • V-6263
Rule IDs
  • SV-6322r1_rule
Active X controls can contain potentially malicious code and must only be allowed to be downloaded from trusted sites.System AdministratorDCMC-1
Checks: C-320r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Criteria: If the value 1001 is REG_DWORD 1 (Prompt), this is not a finding.

Fix: F-5729r1_fix

Change the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Criteria: Set the value 1001 to REG_DWORD 1 (Prompt).

b
The Download unsigned ActiveX controls property is not set properly for the Local Zone.
Medium - V-6264 - SV-6324r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI053
Vuln IDs
  • V-6264
Rule IDs
  • SV-6324r1_rule
ActiveX controls can contain potentially malicious code and must only be allowed to be downloaded from trusted sites and they must be digitally signed.System AdministratorDCMC-1
Checks: C-323r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Criteria: If the value 1004 is REG_DWORD = 3, this is not a finding.

Fix: F-5731r1_fix

Change the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Criteria: Set the value 1004 to REG_DWORD = 3.

b
The Initialize and script ActiveX controls not marked as safe property is not set properly for the Local Zone.
Medium - V-6265 - SV-6325r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI054
Vuln IDs
  • V-6265
Rule IDs
  • SV-6325r1_rule
ActiveX controls that are not marked safe for scripting should not be executed. Although this is not a complete security measure for a control to be marked safe for scripting, if a control is not marked safe, it should not be initialized and executed. System AdministratorDCMC-1
Checks: C-324r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Criteria: If the value 1201 is REG_DWORD 3, this is not a finding.

Fix: F-5732r1_fix

Change the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Criteria: Set the value 1201 to REG_DWORD 3.

b
The Script ActiveX controls marked safe for scripting property is not set properly for the Local Zone.
Medium - V-6266 - SV-6326r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI056
Vuln IDs
  • V-6266
Rule IDs
  • SV-6326r1_rule
ActiveX controls that are not marked safe for scripting should not be executed. Although this is not a complete security measure for a control to be marked safe for scripting, if a control is not marked safe, it should not be initialized and executed. System AdministratorDCMC-1
Checks: C-326r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Criteria: If the value 1405 is REG_DWORD 1 (Prompt), this is not a finding.

Fix: F-5733r1_fix

Change the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Criteria: Set the value 1405 to REG_DWORD 1 (Prompt).

b
The Java Permissions is not set properly for the Local Zone.
Medium - V-6267 - SV-6327r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI061
Vuln IDs
  • V-6267
Rule IDs
  • SV-6327r1_rule
Java must have level of protection based upon the site being browsed. System AdministratorDCMC-1
Checks: C-327r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Criteria: If the value 1C00 is REG_DWORD = 65536, (High Safety), this is not a finding.

Fix: F-5734r1_fix

Change the registry key HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Criteria: Set the value 1C00 to REG_DWORD = 65536, (High Safety).

b
The Access data sources across domains is not set properly for the Local Zone.
Medium - V-6268 - SV-6328r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI062
Vuln IDs
  • V-6268
Rule IDs
  • SV-6328r1_rule
The user must know when data access crosses sources to ensure the data is being received from a source that is known.ECSC-1
Checks: C-328r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Criteria: If the value 1406 is REG_DWORD 1 (Prompt) or 3 (Disabled), this is not a finding.

Fix: F-5735r1_fix

Change the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Criteria: If the value 1406 is REG_DWORD 1 (Prompt) or 3 (Disabled).

b
The Don't prompt for client certificate selection when no certificate or only one certificate exists is not set properly for the Local Zone.
Medium - V-6271 - SV-6331r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI065
Vuln IDs
  • V-6271
Rule IDs
  • SV-6331r1_rule
Client certificates should not be presented to web sites without the user's acknowledgement.System AdministratorECSC-1
Checks: C-331r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Criteria: If the value 1A04 is REG_DWORD = 3 (Disabled), this is not a finding.

Fix: F-5736r1_fix

Change the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Criteria: If the value 1A04 is REG_DWORD = 3 (Disabled).

b
The Installation of desktop items is not set properly for the Local Zone.
Medium - V-6272 - SV-6333r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI067
Vuln IDs
  • V-6272
Rule IDs
  • SV-6333r1_rule
Installation of items must have level of protection based upon the site being accessed.System AdministratorDCMC-1
Checks: C-380r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Criteria: If the value 1800 is REG_DWORD 1 (Prompt) or 3 (Disabled), this is not a finding.

Fix: F-5746r1_fix

Change the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Criteria: If the value 1800 is REG_DWORD 1 (Prompt) or 3 (Disabled).

b
The Launching programs and files in IFRAME is not set properly for the Local Zone.
Medium - V-6273 - SV-6334r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI068
Vuln IDs
  • V-6273
Rule IDs
  • SV-6334r1_rule
Launching of programs in IFRAME must have level of protection based upon the site being accessed.System AdministratorDCMC-1
Checks: C-382r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Criteria: If the value 1804 is REG_DWORD 1 (Prompt) or 3 (Disabled), this is not a finding.

Fix: F-5748r1_fix

Change the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Criteria: If the value 1804 is REG_DWORD 1 (Prompt) or 3 (Disabled).

b
The Software channel permissions is not set properly for the Local Zone.
Medium - V-6274 - SV-6336r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI070
Vuln IDs
  • V-6274
Rule IDs
  • SV-6336r1_rule
Software channel permissions must have level of protection based upon the site being accessed.System AdministratorDCMC-1
Checks: C-384r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Criteria: If the value 1E05 is REG_DWORD = 65536 (High Safety), this is not a finding.

Fix: F-5749r1_fix

Change the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Criteria: If the value 1E05 is REG_DWORD = 65536 (High Safety).

b
The Allow paste operations via script is not set properly for the Local Zone.
Medium - V-6275 - SV-6337r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI074
Vuln IDs
  • V-6275
Rule IDs
  • SV-6337r1_rule
The Allow paste operations via script must have level of protection based upon the site being accessed.System AdministratorECSC-1
Checks: C-385r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Criteria: If the value 1407 is REG_DWORD 1 (Prompt) or 3 (Disabled), this is not a finding.

Fix: F-5750r1_fix

Change the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Criteria: If the value 1407 is REG_DWORD 1 (Prompt) or 3 (Disabled).

b
The User Authentication - Logon is not set properly for the Local Zone.
Medium - V-6276 - SV-6338r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI076
Vuln IDs
  • V-6276
Rule IDs
  • SV-6338r1_rule
Care must be taken with user credentials and how automatic logons are performed and how default Windows credentials are passed to web sites.System AdministratorECSC-1
Checks: C-387r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Criteria: If the value 1A00 is REG_DWORD = 0 (Automatically logon with current username and password), this is not a finding.

Fix: F-5752r1_fix

Change the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Criteria: If the value 1A00 is REG_DWORD = 0 (Automatically logon with current username and password).

b
The Download signed ActiveX controls property is not set properly for the Trusted Sites Zone.
Medium - V-6277 - SV-6339r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI082
Vuln IDs
  • V-6277
Rule IDs
  • SV-6339r1_rule
ActiveX controls can contain potentially malicious code and must only be allowed to be downloaded from trusted sites and they must be digitally signed.System AdministratorDCMC-1
Checks: C-388r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 Criteria: If the value 1001 is REG_DWORD 1 (Prompt) or 3 (Disabled), this is not a finding.

Fix: F-5753r1_fix

Change the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 Criteria: If the value 1001 is REG_DWORD 1 (Prompt) or 3 (Disabled).

b
The Download unsigned ActiveX controls property is not set properly for the Trusted Sites Zone.
Medium - V-6278 - SV-6340r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI083
Vuln IDs
  • V-6278
Rule IDs
  • SV-6340r1_rule
ActiveX controls can contain potentially malicious code and must only be allowed to be downloaded from trusted sites and they must be digitally signed.System AdministratorDCMC-1
Checks: C-389r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 Criteria: If the value 1004 is REG_DWORD=3 (Disabled), this is not a finding.

Fix: F-5754r1_fix

Change the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 Criteria: If the value 1004 is REG_DWORD=3 (Disabled).

b
The Initialize and script ActiveX controls not marked as safe property is not set properly for the Trusted Sites Zone.
Medium - V-6279 - SV-6341r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI084
Vuln IDs
  • V-6279
Rule IDs
  • SV-6341r1_rule
ActiveX controls that are not marked safe for scripting should not be executed. Although this is not a complete security measure for a control to be marked safe for scripting, if a control is not marked safe, it should not be initialized and executed.System AdministratorDCMC-1
Checks: C-390r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 Criteria: If the value 1201 is REG_DWORD=3 (Disabled), this is not a finding.

Fix: F-5755r1_fix

Change the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 Criteria: If the value 1201 is REG_DWORD=3 (Disabled).

b
The ActiveX controls marked safe for scripting property is not set properly for the Trusted Sites Zone.
Medium - V-6280 - SV-6342r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI086
Vuln IDs
  • V-6280
Rule IDs
  • SV-6342r1_rule
ActiveX controls that are not marked safe for scripting should not be executed. Although this is not a complete security measure for a control to be marked safe for scripting, if a control is not marked safe, it should not be initialized and executed.System AdministratorDCMC-1
Checks: C-392r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 Criteria: If the value 1405 is REG_DWORD=1 (Prompt), this is not a finding.

Fix: F-5757r1_fix

Change the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 Criteria: If the value 1405 is REG_DWORD=1.

b
The Java Permissions is not set properly for the Trusted Sites Zone.
Medium - V-6281 - SV-6348r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI091
Vuln IDs
  • V-6281
Rule IDs
  • SV-6348r1_rule
Java must have level of protection based upon the site being browsed.System AdministratorDCMC-1
Checks: C-417r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 Criteria: If the value 1C00 is REG_DWORD = 65536, (High Safety), this is not a finding.

Fix: F-5765r1_fix

Change the registry key HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 Criteria: If the value 1C00 is REG_DWORD = 65536, (High Safety).

b
The Access data sources across domains is not set properly for the Trusted Sites Zone.
Medium - V-6282 - SV-6349r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI092
Vuln IDs
  • V-6282
Rule IDs
  • SV-6349r1_rule
Access data sources across domains must have level of protection based upon the site being accessed.System AdministratorDCMC-1
Checks: C-418r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 Criteria: If the value 1406 is REG_DWORD=1 (Prompt) or 3 (Disabled), this is not a finding.

Fix: F-5766r1_fix

Change the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 Criteria: If the value 1406 is REG_DWORD=1 (Prompt) or 3 (Disabled),.

b
The Don't prompt for client certificate selection when no certificate or only one certificate exists is not set properly for the Trusted Sites Zone.
Medium - V-6283 - SV-6350r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI095
Vuln IDs
  • V-6283
Rule IDs
  • SV-6350r1_rule
Client certificates should not be presented to web sites without the user's acknowledgement.System AdministratorECSC-1
Checks: C-419r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 Criteria: If the value 1A04 is REG_DWORD=3 (Disabled), this is not a finding.

Fix: F-5767r1_fix

Change the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 to the value 1A04 is 3.

b
The Installation of desktop items is not set properly for the Trusted Sites Zone.
Medium - V-6284 - SV-6351r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI097
Vuln IDs
  • V-6284
Rule IDs
  • SV-6351r1_rule
Installation of items must have level of protection based upon the site being accessed.System AdministratorDCMC-1
Checks: C-420r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 Criteria: If the value 1800 is REG_DWORD=1 (Prompt) or 3 (Disabled), this is not a finding.

Fix: F-5768r1_fix

Change the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 Criteria: If the value 1800 is REG_DWORD=1 (Prompt) or 3 (Disabled).

b
The Launching programs and files in IFRAME is not set properly for the Trusted Sites Zone.
Medium - V-6285 - SV-6352r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI098
Vuln IDs
  • V-6285
Rule IDs
  • SV-6352r1_rule
Launching of programs in IFRAME must have level of protection based upon the site being accessed.System AdministratorDCMC-1
Checks: C-422r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 Criteria: If the value 1804 is REG_DWORD=1 (Prompt) or 3 (Disabled), this is not a finding.

Fix: F-5769r1_fix

Change the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 Criteria: If the value 1804 is REG_DWORD=1 (Prompt) or 3 (Disabled).

b
The Software channel permissions is not set properly for the Trusted Sites Zone.
Medium - V-6286 - SV-6353r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI100
Vuln IDs
  • V-6286
Rule IDs
  • SV-6353r1_rule
The Software channel permissions must have level of protection based upon the site being accessed.System AdministratorDCMC-1
Checks: C-423r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 Criteria: If the value 1E05 is REG_DWORD=65536 (High Safety), this is not a finding.

Fix: F-5771r1_fix

Change the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 Criteria: If the value 1E05 is REG_DWORD=65536 (High Safety).

b
The Allow paste operations via script is not set properly for the Trusted Sites Zone.
Medium - V-6287 - SV-6355r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI104
Vuln IDs
  • V-6287
Rule IDs
  • SV-6355r1_rule
Allow paste operations via script must have level of protection based upon the site being accessed.System AdministratorECSC-1
Checks: C-429r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 Criteria: If the value 1407 is REG_DWORD=1 (Prompt) or 3 (Disabled), this is not a finding.

Fix: F-5775r1_fix

Change the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 Criteria: If the value 1407 is REG_DWORD=1 (Prompt) or 3 (Disabled).

b
The User Authentication - Logon is not set properly for the Trusted Sites Zone.
Medium - V-6288 - SV-6356r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI106
Vuln IDs
  • V-6288
Rule IDs
  • SV-6356r1_rule
Care must be taken with user credentials and how automatic logons are performed and how default Windows credentials are passed to web sites. System AdministratorECSC-1
Checks: C-430r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 Criteria: If the value 1A00 is REG_DWORD=65536 (Prompt), this is not a finding.

Fix: F-5776r1_fix

Change the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 Criteria: If the value 1A00 is REG_DWORD=65536 (Prompt).

b
The Download signed ActiveX controls property is not set properly for the Restricted Sites Zone.
Medium - V-6289 - SV-6357r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI112
Vuln IDs
  • V-6289
Rule IDs
  • SV-6357r1_rule
ActiveX controls can contain potentially malicious code and must only be allowed to be downloaded from trusted sites.System AdministratorDCMC-1
Checks: C-440r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value 1001 is REG_DWORD = 3 (Disabled = 3), this is not a finding.

Fix: F-5777r1_fix

Change the registry key HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value 1001 is REG_DWORD = 3 (Disabled = 3).

b
The Download unsigned ActiveX controls property is not set properly for the Restricted Sites Zone.
Medium - V-6290 - SV-6358r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI113
Vuln IDs
  • V-6290
Rule IDs
  • SV-6358r1_rule
ActiveX controls can contain potentially malicious code and must only be allowed to be downloaded from trusted sites and they must be digitally signed.System AdministratorDCMC-1
Checks: C-443r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value 1004 is REG_DWORD = 3 (Disabled = 3), this is not a finding.

Fix: F-5778r1_fix

Change the registry key HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value 1004 is REG_DWORD = 3 (Disabled = 3).

b
The Initialize and script ActiveX controls not marked as safe property is not set properly for the Restricted Sites Zone.
Medium - V-6291 - SV-6359r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI114
Vuln IDs
  • V-6291
Rule IDs
  • SV-6359r1_rule
ActiveX controls that are not marked safe for scripting should not be executed. Although this is not a complete security measure for a control to be marked safe for scripting, if a control is not marked safe, it should not be initialized and executed.System AdministratorDCMC-1
Checks: C-446r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value 1201 is REG_DWORD = 3 (Disabled = 3), this is not a finding.

Fix: F-5779r1_fix

Change the registry key HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value 1201 is REG_DWORD = 3 (Disabled = 3).

b
Run ActiveX controls and plug-ins property is not set properly for the Restricted Sites Zone.
Medium - V-6292 - SV-6360r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI115
Vuln IDs
  • V-6292
Rule IDs
  • SV-6360r1_rule
ActiveX controls that are not marked safe for scripting should not be executed. Although this is not a complete security measure for a control to be marked safe for scripting, if a control is not marked safe, it should not be initialized and executed.System AdministratorDCMC-1
Checks: C-447r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value 1200 is REG_DWORD = 3 (Disabled = 3), this is not a finding.

Fix: F-5780r1_fix

Change the registry key HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value 1200 is REG_DWORD = 3 (Disabled = 3).

b
The Script ActiveX controls marked safe for scripting property is not set properly for the Restricted Sites Zone.
Medium - V-6293 - SV-6361r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI116
Vuln IDs
  • V-6293
Rule IDs
  • SV-6361r1_rule
ActiveX controls that are not marked safe for scripting should not be executed. Although this is not a complete security measure for a control to be marked safe for scripting, if a control is not marked safe, it should not be initialized and executed.System AdministratorDCMC-1
Checks: C-477r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value 1405 is REG_DWORD = 3 (Disabled = 3), this is not a finding.

Fix: F-5791r1_fix

Change the registry key HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value 1405 is REG_DWORD = 3 (Disabled = 3).

b
The File download control is not set properly for the Restricted Sites Zone.
Medium - V-6294 - SV-6362r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI119
Vuln IDs
  • V-6294
Rule IDs
  • SV-6362r1_rule
Files should not be able to be downloaded from sites that are considered restricted.System AdministratorDCMC-1
Checks: C-478r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value 1803 is REG_DWORD = 3 (Disabled = 3), this is not a finding.

Fix: F-5792r1_fix

Change the registry key HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value 1803 is REG_DWORD = 3 (Disabled = 3).

b
The Font download control is not set properly for the Restricted Sites Zone.
Medium - V-6295 - SV-6363r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI120
Vuln IDs
  • V-6295
Rule IDs
  • SV-6363r1_rule
Download of fonts can sometimes contain malicious code. Files should not be downloaded from restricted sites.System AdministratorDCMC-1
Checks: C-480r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value 1604 is REG_DWORD = 3 (Disabled = 3), this is not a finding.

Fix: F-5794r1_fix

Change the registry key HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value 1604 is REG_DWORD = 3 (Disabled = 3).

b
The Access data sources across domains is not set properly for the Restricted Sites Zone.
Medium - V-6297 - SV-6365r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI122
Vuln IDs
  • V-6297
Rule IDs
  • SV-6365r1_rule
The restricted zones is used for MS Outlook. This zone must be set properly to ensure Outlook is secured.System AdministratorDCMC-1
Checks: C-483r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value 1406 is REG_DWORD = 3 (Disabled = 3), this is not a finding.

Fix: F-5797r1_fix

Change the registry key HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value 1406 is REG_DWORD = 3 (Disabled = 3).

b
The Allow META REFRESH is not set properly for the Restricted Site Zone.
Medium - V-6298 - SV-6366r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI123
Vuln IDs
  • V-6298
Rule IDs
  • SV-6366r1_rule
Allow META REFRESH must have level of protection based upon the site being browsed.System AdministratorDCMC-1
Checks: C-484r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value 1608 is REG_DWORD = 3 (Disabled = 3), this is not a finding.

Fix: F-5798r1_fix

Change the registry key HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value 1608 is REG_DWORD = 3 (Disabled = 3).

b
The Display mixed content is not set properly for the Restricted Sites Zone.
Medium - V-6299 - SV-6367r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI124
Vuln IDs
  • V-6299
Rule IDs
  • SV-6367r1_rule
Mixed content poses a risk when coming from a restricted site. System AdministratorDCMC-1
Checks: C-485r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value 1609 is REG_DWORD = 3 (Disabled = 3), this is not a finding.

Fix: F-5799r1_fix

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value 1609 is REG_DWORD = 3 (Disabled = 3).

b
The Don’t prompt for client certificate selection when no certificate or only one certificate exists is not set properly for the Restricted Sites Zone.
Medium - V-6300 - SV-6369r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI125
Vuln IDs
  • V-6300
Rule IDs
  • SV-6369r1_rule
Client certificates should not be presented to web sites without the user's acknowledgement.System AdministratorECSC-1
Checks: C-507r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value 1A04 is REG_DWORD=3 (Disabled), this is not a finding.

Fix: F-5806r1_fix

Change the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value 1A04 is REG_DWORD=3 (Disabled).

b
The Drag and drop or copy and paste files is not set properly for the Restricted Sites Zone.
Medium - V-6301 - SV-6370r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI126
Vuln IDs
  • V-6301
Rule IDs
  • SV-6370r1_rule
Drag and Drop of files must have level of protection based upon the site being accessed.System AdministratorECSC-1
Checks: C-508r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value 1802 is REG_DWORD=3 (Disabled), this is not a finding.

Fix: F-5807r1_fix

Change the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value 1802 is REG_DWORD=3 (Disabled).

b
The Installation of desktop items is not set properly for the Restricted Sites Zone.
Medium - V-6302 - SV-6372r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI127
Vuln IDs
  • V-6302
Rule IDs
  • SV-6372r1_rule
Installation of items must have level of protection based upon the site being accessed. System AdministratorDCMC-1
Checks: C-511r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value 1800 is REG_DWORD = 3 (Disabled = 3), this is not a finding.

Fix: F-5809r1_fix

Change the registry key HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value 1800 is REG_DWORD = 3 (Disabled = 3).

b
The Launching programs and files in IFRAME is not set properly for the Restricted Sites Zone.
Medium - V-6303 - SV-6373r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI128
Vuln IDs
  • V-6303
Rule IDs
  • SV-6373r1_rule
Launching of programs in IFRAME must have level of protection based upon the site being accessed.System AdministratorDCMC-1
Checks: C-512r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value 1804 is REG_DWORD = 3 (Disabled = 3), this is not a finding.

Fix: F-5810r1_fix

Change the registry key HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value 1804 is REG_DWORD = 3 (Disabled = 3).

b
The Navigate sub-frames across different domains is not set properly for the Restricted Sites Zone.
Medium - V-6304 - SV-6374r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI129
Vuln IDs
  • V-6304
Rule IDs
  • SV-6374r1_rule
Frames that navigate across different domains are a security concern because the user may think they are accessing pages on one site while they are actually accessing pages on another site. System AdministratorECSC-1
Checks: C-514r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value 1607 is REG_DWORD = 3 (Disabled = 3), this is not a finding.

Fix: F-5812r1_fix

Change the registry key HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value 1607 is REG_DWORD = 3 (Disabled = 3).

b
The Software channel permissions is not set properly for the Restricted Sites Zone.
Medium - V-6305 - SV-6375r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI130
Vuln IDs
  • V-6305
Rule IDs
  • SV-6375r1_rule
Software channel permissions must have level of protection based upon the site being accessed.System AdministratorDCMC-1
Checks: C-517r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value 1E05 is REG_DWORD = 65536 (decimal), this is not a finding.

Fix: F-5815r1_fix

Change the registry key HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value 1E05 is REG_DWORD = 65536 (decimal).

b
The Submit non-encrypted form data is not set properly for the Restricted Sites Zone.
Medium - V-6306 - SV-6376r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI131
Vuln IDs
  • V-6306
Rule IDs
  • SV-6376r1_rule
Submit non-encrypted form data must have level of protection based upon the site being accessed.System AdministratorECSC-1
Checks: C-541r1_chk

The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security page -> Restricted Sites Zone -> "Submit non-encrypted form data" will be enabled and set to “Disabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value 1601 is REG_DWORD = 3 (Disabled = 3), this is not a finding.

Fix: F-5822r1_fix

The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security page -> Restricted Sites Zone -> "Submit non-encrypted form data" will be enabled and set to “Disabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: Set the value 1601 to REG_DWORD = 3 (Disabled = 3).

b
The Userdata persistence is not set properly for the Restricted Sites Zone.
Medium - V-6307 - SV-6377r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI132
Vuln IDs
  • V-6307
Rule IDs
  • SV-6377r1_rule
No perseistant data should exist and be used in the Restricted sites zone. System AdministratorECSC-1
Checks: C-542r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value 1606 is REG_DWORD = 3 (Disabled = 3), this is not a finding.

Fix: F-5823r1_fix

Change the registry key HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value 1606 is REG_DWORD = 3 (Disabled = 3).

b
The Active scripting is not set properly for the Restricted Sites Zone.
Medium - V-6308 - SV-6378r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI133
Vuln IDs
  • V-6308
Rule IDs
  • SV-6378r1_rule
Active Scripting must have level of protection based upon the site being accessed.System AdministratorDCMC-1
Checks: C-545r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value 1400 is REG_DWORD = 3 (Disabled = 3), this is not a finding.

Fix: F-5825r1_fix

Change the registry key HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value 1400 is REG_DWORD = 3 (Disabled = 3).

b
The Allow paste operations via script is not set properly for the Restricted Sites Zone.
Medium - V-6309 - SV-6379r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI134
Vuln IDs
  • V-6309
Rule IDs
  • SV-6379r1_rule
The Allow paste operations via script must have level of protection based upon the site being browsed.System AdministratorECSC-1
Checks: C-565r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value 1407 is REG_DWORD = 3 (Disabled = 3), this is not a finding.

Fix: F-5832r1_fix

Change the registry key HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value 1407 is REG_DWORD = 3 (Disabled = 3).

b
The Scripting of Java applets is not set properly for the Restricted Sites Zone.
Medium - V-6310 - SV-6380r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI135
Vuln IDs
  • V-6310
Rule IDs
  • SV-6380r1_rule
The Scripting of Java applets must have level of protection based upon the site being accessed.System AdministratorDCMC-1
Checks: C-566r1_chk

The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security page -> Restricted Sites Zone -> "Scripting of Java Applets" will be enabled and set to “Disabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value 1402 is REG_DWORD = 3 (Disabled = 3), this is not a finding.

Fix: F-5833r1_fix

The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security page -> Restricted Sites Zone -> "Scripting of Java Applets" will be enabled and set to “Disabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: Set the value 1402 to REG_DWORD = 3 (Disabled = 3).

b
The User Authentication – Logon is not set properly for the Restricted Sites Zone.
Medium - V-6311 - SV-6381r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI136
Vuln IDs
  • V-6311
Rule IDs
  • SV-6381r1_rule
Care must be taken with user credentials and how automatic logons are performed and how default Windows credentials are passed to web sites. System AdministratorECSC-1
Checks: C-570r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value 1A00 is REG_DWORD = 196608 (decimal), this is not a finding.

Fix: F-5834r1_fix

Change the registry key HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value 1A00 is REG_DWORD = 196608 (decimal).

b
The Microsoft Java VM is installed.
Medium - V-6312 - SV-6382r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI150
Vuln IDs
  • V-6312
Rule IDs
  • SV-6382r1_rule
This software is no longer being support and should be removed.System AdministratorECSC-1
Checks: C-588r1_chk

Procedure: Search for the msjava.dll file in the %System root%\System32 by using the Start menu “Search | For Files or Folders…” facility. Criteria: If the file exists, this is a finding.

Fix: F-5835r1_fix

Delete the file msjava.dll in the %System root%\System32 by going to the Start menu, Search | For Files or Folders.

b
The Cipher setting for DES 56/56 is not set properly.
Medium - V-6313 - SV-6383r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI151
Vuln IDs
  • V-6313
Rule IDs
  • SV-6383r1_rule
This cipher setting controls the behavior of the DES 56/56 encryption algorthm.System AdministratorECSC-1
Checks: C-589r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56 Criteria: If the value Enabled is 0xffffffff, this is not a finding. The absence of the key also indicates Not a Finding.

Fix: F-5836r1_fix

Navigate to registry key HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56 and change the value to Enabled is 0xffffffff.

b
The Cipher setting for Null is not set properly.
Medium - V-6314 - SV-6384r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI152
Vuln IDs
  • V-6314
Rule IDs
  • SV-6384r1_rule
This controls the behavior of the Null cipher. System AdministratorECSC-1
Checks: C-590r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL Criteria: If the value Enabled is 0x0, this is not a finding. The absence of the key also indicates Not a Finding.

Fix: F-5837r1_fix

Navigate to registry key HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL and change the value to Enabled is 0x0.

b
The Cipher setting for Triple DES is not set properly.
Medium - V-6315 - SV-6385r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI153
Vuln IDs
  • V-6315
Rule IDs
  • SV-6385r1_rule
This enables the Triple Des cipher.System AdministratorECSC-1
Checks: C-591r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168 Criteria: If the value Enabled is 0xffffffff, this is not a finding. The absence of the key also indicates Not a Finding.

Fix: F-5838r1_fix

Navigate to the registry key HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168 and change the value to Enabled is 0xffffffff.

b
The Hash setting for SHA is not set properly.
Medium - V-6316 - SV-6386r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI160
Vuln IDs
  • V-6316
Rule IDs
  • SV-6386r1_rule
This ensures that the Hash value for SHA is enabled.System AdministratorECSC-1
Checks: C-592r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA Criteria: If the value Enabled is 0xffffffff, this is not a finding.

Fix: F-5839r1_fix

Navigate to the registry key HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA and change the value to Enabled is 0xffffffff.

b
IE is not capable to use 128-bit encryption.
Medium - V-6317 - SV-6387r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBG007
Vuln IDs
  • V-6317
Rule IDs
  • SV-6387r1_rule
IE must be enabled to use 128 bit encryption. This will lead to stronger encryption when supported by the web server for SSL connections.System AdministratorECSC-1
Checks: C-593r1_chk

Procedure: From IE go to the Help | About Internet Explorer dialog. The capability for 128 bit encryption is indicated by the phrase “Cipher Strength: 128 bit.” Criteria: If the phrase “Cipher Strength: 128 bit” is displayed, this is not a finding.

Fix: F-5840r1_fix

Install a 128 bit version of IE.

b
The Error Reporting tool for IE is installed or enabled.
Medium - V-6319 - SV-6389r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI140
Vuln IDs
  • V-6319
Rule IDs
  • SV-6389r1_rule
An error reporting tool may send sensitive data to a vendor.System AdministratorECSC-1
Checks: C-595r1_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\ Software\Microsoft\Internet Explorer\Main and determine the value data for the IEWatsonEnabled value. Criteria: If the system being reviewed is running Windows XP or 2003, this is not a Finding. [This potential vulnerability is covered in the Windows Checklist.] If the value data for the IEWatsonEnabled value is not 0 (the number zero) or the key is not found, then this is a Finding.

Fix: F-5842r1_fix

Navigate to the registry key HKLM\Software\Microsoft\Internet Explorer\Main. Make sure that the key exists and the value data for the IEWatsonEnabled value is 0 (the number zero).

b
The IE search parameter is not set correctly.
Medium - V-7006 - SV-7341r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI011
Vuln IDs
  • V-7006
Rule IDs
  • SV-7341r1_rule
This parameter ensures automatic searches are not performed from the address bar. When a web site is not found and searching is performed, potentially malicious or unsuited sites may be displayed.System AdministratorECSC-1
Checks: C-3342r1_chk

Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Microsoft\Internet Explorer\Main Criteria: If the value AutoSearch is 0 or 4, this is not a finding.

Fix: F-6585r1_fix

Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Microsoft\Internet Explorer\Main Ensure the value AutoSearch is 0 or 4

b
The Java Permissions is not set properly for the Restricted Sites Zone.
Medium - V-7007 - SV-7354r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI121
Vuln IDs
  • V-7007
Rule IDs
  • SV-7354r1_rule
Java must have level of protection based upon the site being browsed.System AdministratorDCMC-1
Checks: C-3411r1_chk

Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value 1C00 is REG_DWORD = 0 (Disabled = 0), this is not a finding.

Fix: F-6587r1_fix

Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value 1C00 is REG_DWORD = 0 (Disabled = 0).

b
The Download signed ActiveX controls property is not set properly for the Lockdown Zone.
Medium - V-16879 - SV-17879r1_rule
RMF Control
Severity
Medium
CCI
Version
DTBI025
Vuln IDs
  • V-16879
Rule IDs
  • SV-17879r1_rule
This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone. If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded. If you disable the policy setting, signed controls cannot be downloaded. If you do not configure this policy setting, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded.System AdministratorInformation Assurance OfficerDCMC-1
Checks: C-17467r1_chk

The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Locked-Down Internet Zone -> "Download signed ActiveX controls" will be set to “Enabled” and "Disable" selected from down drop box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 Criteria: If the value 1001 is REG_DWORD = 3, this is not a finding.

Fix: F-16726r1_fix

The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Locked-Down Internet Zone -> "Download signed ActiveX controls" will be set to “Enabled” and "Disable" selected from down drop box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 Criteria: Set the value 1001 to REG_DWORD = 3.

b
Check for publishers certificate revocation is enforced.
Medium - V-32808 - SV-43160r2_rule
RMF Control
Severity
Medium
CCI
Version
DTBI018
Vuln IDs
  • V-32808
Rule IDs
  • SV-43160r2_rule
Check for publisher's certificate revocation options should be enforced to ensure all PKI signed objects are validated.System AdministratorECSC-1
Checks: C-41148r3_chk

Procedure: Use the Windows Registry Editor to navigate to the following key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing Criteria: If the value State is REG_DWORD = 65536 (decimal), this is not a finding.

Fix: F-36696r7_fix

Change the registry key HKEY_CURRENT_USER\Software\Microsoft\CurrentVersion\WinTrust\Trust Providers\Software Publishing to 65536.