3.10.9.2 (L1) Ensure 'Prevent device metadata retrieval from the Internet' is set to 'Enabled'

Information

This policy setting allows you to prevent Windows from retrieving device metadata from the Internet.

The recommended state for this setting is: Enabled

Note: This will not prevent the installation of basic hardware drivers, but does prevent associated third-party utility software from automatically being installed under the context of the SYSTEM account.

Installation of software should be conducted by an authorized system administrator and not a standard user. Allowing automatic third-party software installations under the context of the SYSTEM account has potential for allowing unauthorized access via backdoors or installation software bugs.

Solution

To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled

Administrative Templates\System\Device Installation\Prevent device metadata retrieval from the Internet

Impact:

Standard users without administrator privileges will not be able to install associated third-party utility software for peripheral devices. This may limit the use of advanced features of those devices unless/until an administrator installs the associated utility software for the device.

See Also

https://workbench.cisecurity.org/benchmarks/16852

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|CM-7(5), 800-53|CM-10, 800-53|SI-16

Plugin: Windows

Control ID: 642925fa0677e39464dca47689746db05110467e2166fa8c45da1c3d96c01dea