5.34 (L1) Ensure 'WinHTTP Web Proxy Auto-Discovery Service (WinHttpAutoProxySvc)' is set to 'Disabled'

Information

WinHTTP implements the client HTTP stack and provides developers with a Win32 API and COM Automation component for sending HTTP requests and receiving responses. In addition, WinHTTP provides support for auto-discovering a proxy configuration via its implementation of the Web Proxy Auto-Discovery (WPAD) protocol.
The recommended state for this setting is: Disabled.
Note: Microsoft changed the behavior of this service starting with Windows 10 Release 1709. As of that version, this service is also required for setting a manual proxy on a workstation. If this service is forcibly disabled via GPO, then users cannot even click OK in the Local Area Network (LAN) Settings dialog box in Internet Explorer. For this reason, organizations may need to selectively grant exceptions for workstations that require setting a proxy configuration (or globally if all workstations require setting a proxy manually).

Rationale:
This service is primarily needed to support Web Proxy Auto-Discovery (WPAD), which is an auto-proxy discovery mechanism that is poorly designed, as it causes an excessive amount of unnecessary DNS traffic on the network, and exposes the computer to Man-In-The-Middle (MITM) risks. If an organization depends on HTTP proxy configuration, it is recommended that other client configuration mechanisms be used instead, such as Group Policy.

Solution

To establish the recommended configuration via GP, set the following UI path to: Disabled.
Computer Configuration\Policies\Windows Settings\Security Settings\System Services\WinHTTP Web Proxy Auto-Discovery Service

Impact:
WPAD will cease to function for automatic HTTP proxy routing, which may prevent Internet connectivity for workstations in organizations that currently use WPAD. In addition, on Windows 10 Release 1709 or higher, users will not be able to click OK in the Local Area Network (LAN) Settings dialog box of Internet Explorer. Microsoft also cautions that some software that uses the network stack may have a functional dependency on this service, so it is advised that you test disabling this service on a representation of user workstations and applications before disabling it across the entire organization.

Default Value:
Manual

See Also

https://workbench.cisecurity.org/benchmarks/14249

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-4, CSCv6|9.1, CSCv7|9.2

Plugin: Windows

Control ID: f3f25c3aba38b5e682a297e00419c0c53365d007c0f154a279e2b7f8e8f0af2b