18.9.24.6 Ensure 'System ASLR' is set to 'Enabled: Application Opt-In'

Information

This setting determines how applications become enrolled in Address Space Layout Randomization (ASLR).

The recommended state for this setting is: Enabled: Application Opt-In.

Rationale:

ASLR reduces the predictability of process memory, which in turn helps reduce the reliability of exploits targeting memory corruption vulnerabilities.

Solution

To establish the recommended configuration via Group Policy (GP), set the following UI path to Enabled: Application Opt-In:

Computer Configuration\Policies\Administrative Templates\Windows Components\EMET\System ASLR

Note: This Group Policy path does not exist by default. An additional Group Policy template (EMET.admx/adml) is required - it is included with Microsoft Enhanced Mitigation Experience Toolkit (EMET).

Impact:

ASLR protections will be enabled on applications that have been configured for it in EMET.

Default Value:

User configured.

See Also

https://workbench.cisecurity.org/files/2700

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7(2), CSCv6|8.4

Plugin: Windows

Control ID: 91030b3cb53cc3fb133d2e017e35af7c45e6708a83ff5e882eb7794f096d4acd