18.9.30.2 Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'

Information

Disabling Data Execution Prevention can allow certain legacy plug-in applications to function without terminating Explorer.

The recommended state for this setting is: Disabled.

Note: Some legacy plug-in applications and other software may not function with Data Execution Prevention and will require an exception to be defined for that specific plug-in/software.

Rationale:

Data Execution Prevention is an important security feature supported by Explorer that helps to limit the impact of certain types of malware.

Solution

To establish the recommended configuration via GP, set the following UI path to Disabled:

Computer Configuration\Policies\Administrative Templates\Windows Components\File Explorer\Turn off Data Execution Prevention for Explorer

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Explorer.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
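A local compliance check and remediation for this item, added here as an example (not part of the CIS benchmark or Tenable audit text). It assumes the policy is backed by the DWORD value NoDataExecutionPrevention under HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer, as Explorer.admx defines it; that mapping is not stated on this page.

```powershell
# Assumed mapping (from Explorer.admx, not from the audit text above):
#   HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer\NoDataExecutionPrevention (DWORD)
#   1 = policy Enabled (DEP for Explorer turned off)  -> non-compliant
#   0 = policy Disabled (DEP stays on)                -> compliant
#   absent = Not Configured (default behaviour, DEP on, but not explicitly set)

$script:DepPolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer'
$script:DepPolicyName = 'NoDataExecutionPrevention'

function Test-ExplorerDepPolicy {
    [CmdletBinding()]
    param()

    $value = $null
    if (Test-Path -Path $script:DepPolicyKey) {
        $item = Get-ItemProperty -Path $script:DepPolicyKey -Name $script:DepPolicyName -ErrorAction SilentlyContinue
        if ($null -ne $item) { $value = [int]$item.$script:DepPolicyName }
    }

    if ($null -eq $value)  { $state = 'Not Configured' }
    elseif ($value -eq 0)  { $state = 'Disabled' }
    elseif ($value -eq 1)  { $state = 'Enabled' }
    else                   { $state = "Unexpected ($value)" }

    # The benchmark asks for an explicit Disabled. Not Configured yields the same
    # runtime behaviour (DEP on) but is reported separately so it can be reviewed.
    [pscustomobject]@{
        Value     = $value
        State     = $state
        Compliant = ($value -eq 0)
    }
}

function Set-ExplorerDepPolicyDisabled {
    # Writes the explicit Disabled value. On a domain-joined host, Group Policy
    # will overwrite this on the next refresh, so set it via GP instead.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if ($PSCmdlet.ShouldProcess($script:DepPolicyKey, "Set $($script:DepPolicyName) = 0")) {
        if (-not (Test-Path -Path $script:DepPolicyKey)) {
            New-Item -Path $script:DepPolicyKey -Force | Out-Null
        }
        New-ItemProperty -Path $script:DepPolicyKey -Name $script:DepPolicyName `
            -PropertyType DWord -Value 0 -Force | Out-Null
    }
    Test-ExplorerDepPolicy
}

Test-ExplorerDepPolicy
```

Run `Set-ExplorerDepPolicyDisabled -WhatIf` first to see what would be written; the check needs only read access to HKLM, the remediation needs local administrator rights.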

Impact:

None - this is the default behavior.

Default Value:

Disabled. (Data Execution Prevention will block certain types of malware from exploiting Explorer.)

See Also

https://workbench.cisecurity.org/files/2700

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7(2), CSCv6|8.4

Plugin: Windows

Control ID: 5932c59030518584ce54f603a785e3dce5a0f95779128cf68653e45b49694fa7