1.2 Set 'Allow software to run or install even if the signature is invalid' to 'Disabled'

Information



Microsoft ActiveX controls and file downloads often have digital signatures attached that
help certify the file's integrity and the identity of the signer (creator) of the software. Such
signatures help ensure that unmodified software is downloaded and that you can identify
active signers to determine whether you trust them enough to run their software.

The 'Allow software to run or install even if the signature is invalid' setting allows you to
manage whether downloaded software can be installed or run by users even though the
signature is invalid. An invalid signature might indicate that someone has tampered with
the file. If you enable this policy setting, users will be prompted to install or run files with
an invalid signature. If you disable this policy setting, users cannot run or install files with
an invalid signature.


Note: Some legitimate software and controls may have an invalid signature and still be OK.
You should carefully test such software in isolation before you allow it to be used on your
organization's network. The recommended state for this setting is: Disabled.

Rationale

Microsoft ActiveX controls and file downloads often have digital signatures attached that
certify the file's integrity and the identity of the signer (creator) of the software. Such
signatures help ensure that unmodified software is downloaded and that you can positively
identify the signer to determine whether you trust them enough to run their software. The
validity of unsigned code cannot be ascertained.

Solution

To establish the recommended configuration via Group Policy, set the following UI path to
Disabled.

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page\Allow software to run or install even if the signature is invalid

Impact: Some legitimate software and controls may have an invalid signature. You should carefully
test such software in isolation before it is allowed to be used on your organization's
network.

Default Value: Disabled
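
One way to audit this setting on a host, as an added example that is not part of the benchmark text. It assumes the Group Policy setting is stored as the REG_DWORD value RunInvalidSignatures under the Internet Explorer policy key shown in the script (the page does not give the registry location), and it treats a missing value as a finding because the recommended state is then not enforced by policy; the function name is hypothetical.

```powershell
# Added example: audit the machine policy behind this recommendation.
# Assumption (not stated on the page): the GPO setting is stored as the
# REG_DWORD value RunInvalidSignatures under this key; 0 means Disabled.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Download'
$PolicyName = 'RunInvalidSignatures'

function Get-InvalidSignaturePolicyState {
    param(
        [string]$Key  = $PolicyKey,
        [string]$Name = $PolicyName
    )

    # Key absent: the policy is Not Configured, so nothing enforces Disabled.
    if (-not (Test-Path -LiteralPath $Key)) {
        return [pscustomobject]@{ Compliant = $false; State = 'NotConfigured'; Value = $null }
    }

    $regKey = Get-Item -LiteralPath $Key
    $value  = $regKey.GetValue($Name, $null)
    if ($null -eq $value) {
        return [pscustomobject]@{ Compliant = $false; State = 'NotConfigured'; Value = $null }
    }

    # Group Policy writes a DWORD; any other type was written by something else.
    $kind = $regKey.GetValueKind($Name)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        return [pscustomobject]@{ Compliant = $false; State = "UnexpectedType:$kind"; Value = $value }
    }

    if ($value -eq 0) {
        # Disabled: files with an invalid signature cannot be run or installed.
        return [pscustomobject]@{ Compliant = $true; State = 'Disabled'; Value = 0 }
    }

    # Any non-zero value: users are prompted and can still run such files.
    return [pscustomobject]@{ Compliant = $false; State = 'Enabled'; Value = $value }
}

# Report the state of the local machine policy.
Get-InvalidSignaturePolicyState | Format-List
```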

See Also

https://workbench.cisecurity.org/files/1518

Item Details

Audit Name: CIS IE 11 v1.0.0

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-18(4)

Plugin: Windows

Control ID: b6cb3bb2d1b9531b10a5fc50073a8decbb594793ca3ac69bd85661ccb381a556