8.1.21 Set 'Logon options' to 'Enabled:Prompt for user name and password'

Information



This policy setting allows you to manage settings for logon options. If you enable this policy
setting, you can choose from the following logon options- Anonymous logon disables HTTP
authentication and uses the guest account only for the Common Internet File System (CIFS)
protocol. Prompt for user name and password queries users for user IDs and passwords.
After a user is queried, these values can be used silently for the remainder of the session.
Automatic logon only in Intranet zone queries users for user IDs and passwords in other
zones. After a user is queried, these values can be used silently for the remainder of the
session. Automatic logon with current user name and password attempts logon using
Windows NT Challenge Response (also known as NTLM authentication). If Windows NT
Challenge Response is supported by the server, the logon uses the user's network user
name and password for logon. If Windows NT Challenge Response is not supported by the
server, the user is queried to provide the user name and password. If you disable this
policy setting, logon is set to Automatic logon only in Intranet zone. If you do not configure
this policy setting, logon is set to Automatic logon only in Intranet zone. The recommended
state for this setting is- Enabled-Prompt for user name and password.

*Rationale*

Users could submit credentials to servers operated by malicious people who could then
attempt to connect to legitimate servers with those captured credentials.

Solution

To establish the recommended configuration via Group Policy, set the following UI path to
Enabled.

Computer Configuration\Administrative Templates\Windows Components\Internet
Explorer\Internet Control Panel\Security Page\Internet Zone\Logon optionsThen set the Logon options option to Prompt for user name and password.

Impact-Prompt for user name and password queries users for user IDs and passwords. After a user
is queried, these values can be used silently for the remainder of the session.

Default Value-Automatic logon only in Intranet zone

See Also

https://workbench.cisecurity.org/files/1518

Item Details

Audit Name: CIS IE 11 v1.0.0

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-23

Plugin: Windows

Control ID: a0d7477d0a08383549bce5cc3100095b6d9004cb5495b86db045ff269e9407f9