19.7.25.1 (L1) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'

Information

This policy setting determines whether users can share files within their profile. By default, users are allowed to share files within their profile with other users on their network after an administrator opts in the computer. An administrator can opt in the computer by using the sharing wizard to share a file within their profile.

The recommended state for this setting is: Enabled

If not properly configured, a user could accidentally share sensitive data with unauthorized users. In an enterprise managed environment, the company should provide a managed location for file sharing, such as a file server or SharePoint, instead of the user sharing files directly from their own user profile.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled:

User Configuration\Policies\Administrative Templates\Windows Components\Network Sharing\Prevent users from sharing files within their profile.

Note: This Group Policy path is provided by the Group Policy template Sharing.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.

Impact:

Users cannot share files within their profile using the sharing wizard. Also, the sharing wizard cannot create a share at %root%\Users and can only be used to create SMB shares on folders.
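One way to audit the effective per-user state after the GPO has applied, as an added example that is not part of the benchmark text. It assumes the policy is stored as the DWORD `NoInplaceSharing` (the value name defined in Sharing.admx, not stated on this page) under each user's `Policies\Explorer` key, with `1` meaning Enabled.

```powershell
# Added audit example; not taken from the benchmark or from the audit plugin.
# Assumption: "Prevent users from sharing files within their profile" is backed by
# DWORD NoInplaceSharing = 1 under the per-user Policies\Explorer key (Sharing.admx).
$subKey    = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$valueName = 'NoInplaceSharing'

# Only hives that are currently loaded appear under HKEY_USERS, so this covers
# logged-on users (and hives loaded manually), not every profile on disk.
# The pattern keeps real account SIDs and skips the *_Classes hives and
# built-in service SIDs such as S-1-5-18.
$results = Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object {
        $sid   = $_.PSChildName
        $path  = "Registry::HKEY_USERS\$sid\$subKey"
        $value = $null

        # A missing key or missing value means the policy is not configured for this user.
        if (Test-Path -Path $path) {
            $prop  = Get-ItemProperty -Path $path -Name $valueName -ErrorAction SilentlyContinue
            $value = $prop.$valueName
        }

        # Resolve the SID to an account name for readability; keep going if it fails
        # (for example, a deleted domain account whose hive is still loaded).
        try {
            $sidObj  = [System.Security.Principal.SecurityIdentifier]$sid
            $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = '<unresolved>'
        }

        [pscustomobject]@{
            Account   = $account
            SID       = $sid
            Value     = $value          # $null = not configured
            Compliant = ($value -eq 1)  # 1 = policy Enabled
        }
    }

# Emit one row per loaded user hive; filter on Compliant -eq $false to list gaps.
$results
```

Run it from an elevated session so other users' loaded hives are readable. A `$null` value means the GPO has not reached that user, which is a finding in the same way an explicit `0` is.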

See Also

https://workbench.cisecurity.org/benchmarks/15273

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Windows

Control ID: 408e275c79810d83e4e6a2abd6a496a63a6fb62795a41c9dd58512080443f071