Skip to content

III - Administrative Sensitive

Rules and Groups employed by this XCCDF Profile

  • SRG-APP-000231

    <GroupDescription></GroupDescription>
    Group
  • Userdata persistence must be disallowed (Restricted Sites zone).

    &lt;VulnDiscussion&gt;Userdata persistence must have a level of protection based upon the site being accessed. This policy setting allows you to ma...
    Rule Medium Severity
  • SRG-APP-000141

    <GroupDescription></GroupDescription>
    Group
  • Active scripting must be disallowed (Restricted Sites Zone).

    &lt;VulnDiscussion&gt;Active scripts hosted on sites located in this zone are more likely to contain malicious code. Active scripting must have a l...
    Rule Medium Severity
  • SRG-APP-000141

    <GroupDescription></GroupDescription>
    Group
  • Clipboard operations via script must be disallowed (Restricted Sites zone).

    &lt;VulnDiscussion&gt;A malicious script could use the clipboard in an undesirable manner, for example, if the user had recently copied confidentia...
    Rule Medium Severity
  • SRG-APP-000219

    <GroupDescription></GroupDescription>
    Group
  • Logon options must be configured and enforced (Restricted Sites zone).

    &lt;VulnDiscussion&gt;Users could submit credentials to servers operated by malicious individuals who could then attempt to connect to legitimate s...
    Rule Medium Severity
  • SRG-APP-000089

    <GroupDescription></GroupDescription>
    Group
  • Configuring History setting must be set to 40 days.

    &lt;VulnDiscussion&gt;This setting specifies the number of days that Internet Explorer keeps track of the pages viewed in the History List. The del...
    Rule Medium Severity
  • SRG-APP-000141

    <GroupDescription></GroupDescription>
    Group
  • Internet Explorer must be set to disallow users to add/delete sites.

    &lt;VulnDiscussion&gt;This setting prevents users from adding sites to various security zones. Users should not be able to add sites to different z...
    Rule Medium Severity
  • SRG-APP-000516

    <GroupDescription></GroupDescription>
    Group
  • Internet Explorer must be configured to disallow users to change policies.

    &lt;VulnDiscussion&gt;Users who change their Internet Explorer security settings could enable the execution of dangerous types of code from the Int...
    Rule Medium Severity
  • SRG-APP-000516

    <GroupDescription></GroupDescription>
    Group
  • Internet Explorer must be configured to use machine settings.

    &lt;VulnDiscussion&gt;Users who change their Internet Explorer security settings could enable the execution of dangerous types of code from the Int...
    Rule Medium Severity
  • SRG-APP-000516

    <GroupDescription></GroupDescription>
    Group
  • Security checking features must be enforced.

    &lt;VulnDiscussion&gt;This policy setting turns off the Security Settings Check feature, which checks Internet Explorer security settings to determ...
    Rule Medium Severity
  • SRG-APP-000210

    <GroupDescription></GroupDescription>
    Group
  • Software must be disallowed to run or install with invalid signatures.

    &lt;VulnDiscussion&gt;Microsoft ActiveX controls and file downloads often have digital signatures attached that certify the file's integrity and th...
    Rule Medium Severity
  • SRG-APP-000233

    <GroupDescription></GroupDescription>
    Group
  • The 64-bit tab processes, when running in Enhanced Protected Mode on 64-bit versions of Windows, must be turned on.

    &lt;VulnDiscussion&gt;This policy setting determines whether Internet Explorer 11 uses 64-bit processes (for greater security) or 32-bit processes ...
    Rule Medium Severity
  • SRG-APP-000175

    <GroupDescription></GroupDescription>
    Group
  • Checking for server certificate revocation must be enforced.

    &lt;VulnDiscussion&gt;This policy setting allows you to manage whether Internet Explorer will check revocation status of servers' certificates. Cer...
    Rule Low Severity
  • SRG-APP-000131

    <GroupDescription></GroupDescription>
    Group
  • Checking for signatures on downloaded programs must be enforced.

    &lt;VulnDiscussion&gt;This policy setting allows you to manage whether Internet Explorer checks for digital signatures (which identifies the publis...
    Rule Medium Severity
  • SRG-APP-000516

    <GroupDescription></GroupDescription>
    Group
  • All network paths (UNCs) for Intranet sites must be disallowed.

    &lt;VulnDiscussion&gt;Some UNC paths could refer to servers not managed by the organization, which means they could host malicious content; and the...
    Rule Medium Severity
  • SRG-APP-000141

    <GroupDescription></GroupDescription>
    Group
  • Script-initiated windows without size or position constraints must be disallowed (Internet zone).

    &lt;VulnDiscussion&gt;This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows including the title and ...
    Rule Medium Severity
  • SRG-APP-000141

    <GroupDescription></GroupDescription>
    Group
  • Script-initiated windows without size or position constraints must be disallowed (Restricted Sites zone).

    &lt;VulnDiscussion&gt;This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows including the title and ...
    Rule Medium Severity
  • SRG-APP-000141

    <GroupDescription></GroupDescription>
    Group
  • Scriptlets must be disallowed (Internet zone).

    &lt;VulnDiscussion&gt;This policy setting allows you to manage whether scriptlets can be allowed. Scriptlets hosted on sites located in this zone a...
    Rule Medium Severity
  • SRG-APP-000141

    <GroupDescription></GroupDescription>
    Group
  • Automatic prompting for file downloads must be disallowed (Internet zone).

    &lt;VulnDiscussion&gt;This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setti...
    Rule Medium Severity
  • SRG-APP-000141

    <GroupDescription></GroupDescription>
    Group
  • Java permissions must be disallowed (Local Machine zone).

    &lt;VulnDiscussion&gt;Java applications could contain malicious code. This policy setting allows you to manage permissions for Java applets. If you...
    Rule Medium Severity
  • SRG-APP-000207

    <GroupDescription></GroupDescription>
    Group
  • Anti-Malware programs against ActiveX controls must be run for the Local Machine zone.

    &lt;VulnDiscussion&gt;This policy setting determines whether Internet Explorer runs Anti-Malware programs against ActiveX controls, to check if the...
    Rule Medium Severity
  • SRG-APP-000141

    <GroupDescription></GroupDescription>
    Group
  • Java permissions must be disallowed (Locked Down Local Machine zone).

    &lt;VulnDiscussion&gt;Java applications could contain malicious code. This policy setting allows you to manage permissions for Java applets. If you...
    Rule Medium Severity
  • SRG-APP-000141

    <GroupDescription></GroupDescription>
    Group
  • Java permissions must be disallowed (Locked Down Intranet zone).

    &lt;VulnDiscussion&gt;Java applications could contain malicious code. This policy setting allows you to manage permissions for Java applets. If you...
    Rule Medium Severity
  • SRG-APP-000141

    <GroupDescription></GroupDescription>
    Group
  • Java permissions must be disallowed (Locked Down Trusted Sites zone).

    &lt;VulnDiscussion&gt;Java applications could contain malicious code; sites located in this security zone are more likely to be hosted by malicious...
    Rule Medium Severity
  • SRG-APP-000141

    <GroupDescription></GroupDescription>
    Group
  • Java permissions must be disallowed (Locked Down Restricted Sites zone).

    &lt;VulnDiscussion&gt;Java applications could contain malicious code. This policy setting allows you to manage permissions for Java applets. If you...
    Rule Medium Severity
  • SRG-APP-000516

    <GroupDescription></GroupDescription>
    Group
  • XAML files must be disallowed (Internet zone).

    &lt;VulnDiscussion&gt;These are eXtensible Application Markup Language (XAML) files. XAML is an XML-based declarative markup language commonly used...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules