8.3.14 Set 'Enable MIME Sniffing' to 'Enabled:Enable'

Information

*Description*

This policy setting allows you to manage MIME sniffing for file promotion from one type to
another based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the
file type based on a bit signature. If you enable this policy setting, the MIME Sniffing Safety
Feature will not apply in this zone. The security zone will run without the added layer of
security provided by this feature. If you disable this policy setting, the actions that may be
harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as
dictated by the feature control setting for the process. If you do not configure this policy
setting, the actions that may be harmful cannot run; this Internet Explorer security feature
will be turned on in this zone, as dictated by the feature control setting for the process. The
recommended state for this setting is: Enabled:Enable.


*Rationale*

The MIME Sniffing Safety Feature improves security in some scenarios by providing an
added layer of defense against potentially malicious files. The feature also helps with
compatibility issues caused by web servers that specify incorrect MIME types. Under
certain circumstances it can actually increase the risk of compromise because Internet
Explorer may detect a script embedded within content that has a non-script MIME type
declared and execute the script.

Solution

To implement the recommended configuration state, set the following Group Policy setting
to Enabled.

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone\Enable MIME Sniffing\Enable MIME Sniffing

Then set the Enable MIME Sniffing option to Enable.

Impact: If you enable this policy setting, the MIME Sniffing Safety Feature will not apply in this
zone; the security zone will run without the added layer of security provided by this
feature. If you disable this policy setting, the actions that may be harmful cannot run; this
Internet Explorer security feature will be turned on in this zone, as dictated by the feature
control setting for the process. If you do not configure this policy setting, the actions that
may be harmful cannot run; this Internet Explorer security feature will be turned on in this
zone, as dictated by the feature control setting for the process.

See Also

https://workbench.cisecurity.org/files/1516

Item Details

Audit Name: CIS IE 9 v1.0.0

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-3

Plugin: Windows

Control ID: eca038160d0e1426f953c9adac06e8806f89b226b332674b8f2c50073de187a5