.

CIS - Baseline\hardening doc

<<

SJF1978

Newbie
Newbie

Posts: 19

Joined: Mon Jul 20, 2009 6:13 am

Location: London

Post Tue Sep 11, 2012 5:23 am

CIS - Baseline\hardening doc

Hi all,

I've been following the latest CIS hardening document for windows 7 and using Nessus to monitor my GPO progress. However I've come accross one setting which I don't seem to understand the logic of and wanted others opinion. If I have no legacy in my domain why would I do this? I can see you may want to add exceptions but this seems to be lowering security and seems to be saying just fall back on other security at the OS level???

Check Name: 1.12.4 Turn off Data Execution Prevention for Explorer

Information
This control defines whether Data Execute Prevention (DEP) is enabled or disabled for the explorer process.
CCE-9918-4

ref: https://benchmarks.cisecurity.org/tools ... v1.2.0.pdf pg. 160

Description:

This control determines if Data Execute Prevention (DEP) is enabled or disabled for the explorer process. For all profiles, the recommended state for this setting is Disabled.

Rationale:

DEP, when deployed in concert with the other native Windows exploit mitigation such a ASLR, Guard Stack, and SafeSEH, provides an effective means for preventing the exploitation of certain software defects that may affect explorer.
CISSP, CISM, CEH, ISO27001, MCSE, CCNA and Security +
<<

dynamik

Recruiters
Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Tue Sep 11, 2012 10:25 am

Re: CIS - Baseline\hardening doc

I think you're confused over the double-negative. Disabling "Turn off Data Execution Prevention for Explorer" actually enables it.
The day you stop learning is the day you start becoming obsolete.
<<

SJF1978

Newbie
Newbie

Posts: 19

Joined: Mon Jul 20, 2009 6:13 am

Location: London

Post Thu Sep 13, 2012 6:28 am

Re: CIS - Baseline\hardening doc

ARHHHH I SEE SAID THE BLIND MAN  :D

all seems clear(ish)

thanks again!
CISSP, CISM, CEH, ISO27001, MCSE, CCNA and Security +

Return to OS

Who is online

Users browsing this forum: No registered users and 1 guest

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software