5.5 Set 'Prevent ignoring certificate errors' to 'Enabled'

Information



When a user encounters Secure Sockets Layer/Transport Layer Security (SSL/TLS)
certificate errors such as 'expired,' 'revoked,' or 'name mismatch,' Internet Explorer
blocks the user's ability to continue browsing the Web site. The recommended state for this
setting is: Enabled.

Rationale

Users who ignore certificate errors are more likely to visit unauthorized sites or sites that
host malicious content.

Solution

To establish the recommended configuration via Group Policy, set the following UI path to
Enabled.

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Prevent ignoring certificate errors

Impact:
If you enable this policy setting, the user is not permitted to continue browsing the Web
site. If you disable this policy setting or do not configure it, the user may elect to ignore
certificate errors and continue browsing the Web site.

Default Value: Disabled
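
One way to audit this setting on a host, as an added example that is not part of this page or the CIS benchmark text. It assumes the policy is stored as the REG_DWORD value PreventIgnoreCertErrors under HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings (a location not stated on this page); the function name Test-PreventIgnoreCertErrors is hypothetical.

```powershell
# Added example: audit 'Prevent ignoring certificate errors'.
# Assumption (not stated on the page): the policy is backed by the DWORD
# PreventIgnoreCertErrors under the machine policy key below.
$PolicyPath = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$ValueName  = 'PreventIgnoreCertErrors'

function Test-PreventIgnoreCertErrors {
    [CmdletBinding()]
    param(
        [string]$Path = $PolicyPath,
        [string]$Name = $ValueName
    )

    # Start from the unconfigured case: the page gives the default as Disabled,
    # so a missing key or value is reported as non-compliant.
    $result = [ordered]@{
        Path      = $Path
        Name      = $Name
        Value     = $null
        State     = 'Not Configured'
        Compliant = $false
    }

    if (Test-Path -LiteralPath $Path) {
        $key = Get-Item -LiteralPath $Path
        $raw = $key.GetValue($Name, $null)   # $null when the value is absent
        if ($null -ne $raw) {
            $result.Value = $raw
            $kind = $key.GetValueKind($Name)
            if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
                # A string "1" would not be honoured as a policy DWORD; flag it.
                $result.State = "Unexpected type: $kind"
            } elseif ($raw -eq 1) {
                $result.State     = 'Enabled'
                $result.Compliant = $true
            } else {
                $result.State = 'Disabled'
            }
        }
    }
    [pscustomobject]$result
}

$audit = Test-PreventIgnoreCertErrors
$audit | Format-List
if (-not $audit.Compliant) {
    Write-Warning "Recommended state is Enabled; found: $($audit.State)"
}
```

Run `gpupdate /force` before auditing a host whose Group Policy was just changed, so the registry reflects the applied policy.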

See Also

https://workbench.cisecurity.org/files/1518

Item Details

Audit Name: CIS IE 11 v1.0.0

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-23(5)

Plugin: Windows

Control ID: 550e3f5891d8958935bb68749b726a2081c29f62d9dd07f753ba4ba08b8c3191