2.3.16.1 (L1) Ensure 'System settings: Optional subsystems' is set to 'Defined: (blank)'

Information

This security setting determines which subsystems can optionally be started up to support your applications. With this security setting, you can specify as many subsystems to support your applications as your environment demands.

The recommended state for this setting is: Defined:(blank)

POSIX is included with Windows and enabled by default. If you don't need it, leaving it enabled could introduce an additional attack surface to your environment.

Solution

To establish the recommended configuration via GP, set the following UI path to Defined: (blank) :

Computer Configuration\Security Settings\Local Policies\Security Options\System settings: Optional subsystems

Impact:

Removes POSIX compatibility.

See Also

https://workbench.cisecurity.org/benchmarks/14291

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b.

Plugin: Windows

Control ID: 4bd7343434d5b8dd512b20dfa39e32139dde6f99ebe0c0efb9d9af8c78c71f3d