|
Title: CIS - Baseline\hardening doc Post by: SJF1978 on September 11, 2012, 05:23:04 AM Hi all,
I've been following the latest CIS hardening document for windows 7 and using Nessus to monitor my GPO progress. However I've come accross one setting which I don't seem to understand the logic of and wanted others opinion. If I have no legacy in my domain why would I do this? I can see you may want to add exceptions but this seems to be lowering security and seems to be saying just fall back on other security at the OS level??? Check Name: 1.12.4 Turn off Data Execution Prevention for Explorer Information This control defines whether Data Execute Prevention (DEP) is enabled or disabled for the explorer process. CCE-9918-4 ref: https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Benchmark_v1.2.0.pdf pg. 160 Description: This control determines if Data Execute Prevention (DEP) is enabled or disabled for the explorer process. For all profiles, the recommended state for this setting is Disabled. Rationale: DEP, when deployed in concert with the other native Windows exploit mitigation such a ASLR, Guard Stack, and SafeSEH, provides an effective means for preventing the exploitation of certain software defects that may affect explorer. Title: Re: CIS - Baseline\hardening doc Post by: ajohnson on September 11, 2012, 10:25:22 AM I think you're confused over the double-negative. Disabling "Turn off Data Execution Prevention for Explorer" actually enables it.
Title: Re: CIS - Baseline\hardening doc Post by: SJF1978 on September 13, 2012, 06:28:21 AM ARHHHH I SEE SAID THE BLIND MAN :D
all seems clear(ish) thanks again!
Powered by SMF 1.1.18 |
SMF © 2013, Simple Machines
Joomla Bridge by JoomlaHacks.com |