1.2.1.5 Ensure 'Restrict File Download' is set to Enabled - groove.exe

Information

Restrict File Download.T he recommended state for this setting is: Enabled. (Check: groove.exe, excel.exe, mspub.exe, powerpnt.exe, pptview.exe, visio.exe, winproj.exe, outlook.exe, spDesign.exe, exprwd.exe, msaccess.exe, onent.exe, mse7.exe) Disabling this setting allows websites to present file download prompts via code without the user specifically initiating the download. User preferences may also allow the download to occur without prompting or interacting with the user. Even if Internet Explorer prompts the user to accept the download, some websites abuse this functionality. Malicious websites may continually prompt users to download a file or present confusing dialog boxes to trick users into downloading or running a file. If the download occurs and it contains malicious code, the code could become active on user computers or the network.

Solution

To implement the recommended configuration state, set the following Group Policy setting to Enabled. Computer Configuration\Administrative Templates\Microsoft Office 2016 (Machine)\Security Settings\IE Security\Restrict File Download Impact: User initiated downloads can still occur so the majority of legitimate user download interactions remain unaffected. Hiding website-initiated prompt messages makes it impossible for a malicious website to initiate a download by itself. Such a site can no longer confuse a user into downloading a file that could then open on the user's computer to execute an attack. However, some valid websites may initiate file downloads. If this setting is enabled, users cannot view download prompts, and remain unaware when a download is available. If such sites reside in an organization's intranet, they should display a link to prompt users to initiate valid downloads if the automatic download process does not occur. This type of functionality is already in common use on many major internet sites and should not confuse users. It is possible that some advanced users may expect their user preferences to control this behavior, and for this reason, they may be confused when this preference is overridden by this setting.

See Also

https://workbench.cisecurity.org/files/571

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CSCv6|3.1

Plugin: Windows

Control ID: a13fbb86a77644ab0cd26f6c48c74f11584bb9ee4fcdcf226cdafd4b3097c0d3