CIS – Baselinehardening doc

Viewing 2 reply threads
  • Author
    Posts
    • #7889
      SJF1978
      Participant

      Hi all,

      I’ve been following the latest CIS hardening document for windows 7 and using Nessus to monitor my GPO progress. However I’ve come accross one setting which I don’t seem to understand the logic of and wanted others opinion. If I have no legacy in my domain why would I do this? I can see you may want to add exceptions but this seems to be lowering security and seems to be saying just fall back on other security at the OS level???

      Check Name: 1.12.4 Turn off Data Execution Prevention for Explorer

      Information
This control defines whether Data Execute Prevention (DEP) is enabled or disabled for the explorer process.
CCE-9918-4

      ref: https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Benchmark_v1.2.0.pdf pg. 160

      Description:

      This control determines if Data Execute Prevention (DEP) is enabled or disabled for the explorer process. For all profiles, the recommended state for this setting is Disabled.

      Rationale:

      DEP, when deployed in concert with the other native Windows exploit mitigation such a ASLR, Guard Stack, and SafeSEH, provides an effective means for preventing the exploitation of certain software defects that may affect explorer.

    • #49804
      dynamik
      Participant

      I think you’re confused over the double-negative. Disabling “Turn off Data Execution Prevention for Explorer” actually enables it.

    • #49805
      SJF1978
      Participant

      ARHHHH I SEE SAID THE BLIND MAN  😀

      all seems clear(ish)

      thanks again!

Viewing 2 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2020 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?