18.9.24.6 (L1) Ensure 'System ASLR' is set to 'Enabled: Application Opt-In'

Information

This setting determines how applications become enrolled in Address Space Layout Randomization (ASLR).
The recommended state for this setting is: Enabled: Application Opt-In.

Rationale:
ASLR reduces the predictability of process memory, which in-turn helps reduce the reliability of exploits targeting memory corruption vulnerabilities.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled: Application Opt-In:
Computer Configuration\Policies\Administrative Templates\Windows Components\EMET\System ASLR
Note: This Group Policy path does not exist by default. An additional Group Policy template (EMET.admx/adml) is required - it is included with Microsoft Enhanced Mitigation Experience Toolkit (EMET).

Impact:
ASLR protections will be enabled on applications that have been configured for it in EMET.

Default Value:
User configured.

References:
1. CCE-35483-7

See Also

https://workbench.cisecurity.org/benchmarks/14249

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SC-39, 800-53|SI-16, CSCv6|8.4, CSCv7|8.3

Plugin: Windows

Control ID: f595200ec8c8bf1d34924371d4e74271d55c26acc7853299e77702555fb2704b