CIS – Baselinehardening doc

This topic contains 2 replies, has 2 voices, and was last updated by SJF1978 6 years, 11 months ago.

  • #7889
     SJF1978 
    Participant

    Hi all,

    I’ve been following the latest CIS hardening document for Windows 7 and using Nessus to monitor my GPO progress. However, I’ve come across one setting which I don’t seem to understand the logic of and wanted others’ opinions. If I have no legacy in my domain, why would I do this? I can see you may want to add exceptions, but this seems to be lowering security and seems to be saying just fall back on other security at the OS level???

    Check Name: 1.12.4 Turn off Data Execution Prevention for Explorer

    Information:

    This control defines whether Data Execute Prevention (DEP) is enabled or disabled for the explorer process.
    CCE-9918-4

    ref: https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Benchmark_v1.2.0.pdf pg. 160

    Description:

    This control determines if Data Execute Prevention (DEP) is enabled or disabled for the explorer process. For all profiles, the recommended state for this setting is Disabled.

    Rationale:

    DEP, when deployed in concert with the other native Windows exploit mitigations such as ASLR, Guard Stack, and SafeSEH, provides an effective means for preventing the exploitation of certain software defects that may affect explorer.

  • #49804
     dynamik 
    Participant

    I think you’re confused over the double-negative. Disabling “Turn off Data Execution Prevention for Explorer” actually enables it.
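
As an added example (not part of dynamik's reply or the CIS benchmark), the PowerShell below spells out the double negative in code: it maps the raw policy value to the policy state ("Turn off DEP for Explorer" Enabled/Disabled/Not Configured), to whether DEP is actually active for explorer.exe, and to whether the host matches the recommended state. It assumes the policy is backed by the registry value `NoDataExecutionPrevention` under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer`; that mapping is taken from the Windows Explorer ADMX as I know it, not from the thread, so verify it against your own ADMX or benchmark copy before relying on it.

```powershell
# Added example, not from the original thread.
# ASSUMPTION (verify against your ADMX / benchmark): the GPO
# "Turn off Data Execution Prevention for Explorer" is stored here.
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer'
$PolicyValue = 'NoDataExecutionPrevention'   # 1 = policy Enabled, 0 = policy Disabled

function Resolve-ExplorerDepPolicy {
    # Translates the raw DWORD into what it means for DEP on explorer.exe.
    # $null models "Not Configured" so the logic can be exercised offline.
    param($RawValue)

    if ($null -eq $RawValue) {
        $state = 'Not Configured'; $depEnabled = $true    # no policy: Windows leaves DEP on
    } elseif ([int]$RawValue -eq 1) {
        $state = 'Enabled';        $depEnabled = $false   # "Turn off DEP" is ON  -> DEP off
    } else {
        $state = 'Disabled';       $depEnabled = $true    # "Turn off DEP" is OFF -> DEP on
    }

    [pscustomobject]@{
        RawValue         = $RawValue
        PolicyState      = $state
        DepEnabledForExp = $depEnabled
        # CIS 1.12.4 asks for the explicit state "Disabled". Not Configured keeps
        # DEP on in practice but is not the recommended state, so a compliance
        # scanner may still report it as a gap.
        MatchesCis_1_12_4 = ($state -eq 'Disabled')
    }
}

function Get-ExplorerDepPolicy {
    # Reads the live value from the local machine and resolves it.
    $raw = $null
    if (Test-Path $PolicyKey) {
        $raw = (Get-ItemProperty -Path $PolicyKey -Name $PolicyValue `
                -ErrorAction SilentlyContinue).$PolicyValue
    }
    Resolve-ExplorerDepPolicy -RawValue $raw
}

# Worked table of the three possible states (constructed inputs, no registry access).
@($null, 0, 1) | ForEach-Object { Resolve-ExplorerDepPolicy -RawValue $_ } |
    Format-Table -AutoSize

# Live check of this host (requires read access to HKLM policies).
Get-ExplorerDepPolicy
```

Reading the table top to bottom gives the answer to the original question: only the row where the policy is Enabled turns DEP off for Explorer; the recommended "Disabled" row is the one where DEP stays on, which is what the benchmark's rationale is protecting.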

  • #49805
     SJF1978 
    Participant

    ARHHHH I SEE SAID THE BLIND MAN 😀

    all seems clear(ish)

    thanks again!

Copyright ©2019 Caendra, Inc.