1.1.4.1.14 Ensure 'Scripted Window Security Restrictions' is set to 'Enabled'

Information

This policy setting controls the Scripted Window Security Restrictions security feature, which restricts pop-up windows and prohibits scripts from displaying windows whose title and status bars are not visible to the user or that hide other windows' title and status bars.

The recommended state for this setting is: Enabled: groove.exe, excel.exe, mspub.exe, powerpnt.exe, pptview.exe, visio.exe, winproj.exe, winword.exe, outlook.exe, spDesign.exe, exprwd.exe, msaccess.exe, onent.exe, mse7.exe.

Rationale:

Malicious websites often try to confuse or trick users into giving a site permission to perform an action that allows the site to take control of the users' computers in some manner. Disabling or not configuring this setting allows unknown websites to:

- Create browser windows that appear to be from the local operating system.

- Draw active windows that display outside of the viewable areas of the screen that can capture keyboard input.

- Overlay parent windows with their own browser windows to hide important system information, choices, or prompts.

Impact:

It is unlikely that any valid applications would use such deceptive methods to accomplish a task. For this reason, organizations are unlikely to encounter any major limitations from using this setting.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled: Check all applications:

Computer Configuration\Administrative Templates\Microsoft Office 2016 (Machine)\Security Settings\IE Security\Scripted Window Security Restrictions

Default Value:

Not Configured
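
An added example, not part of the benchmark: a PowerShell check that the setting covers every executable named in the recommended state, reporting any that are missing or not enabled. It assumes the policy is stored as one registry value per executable with data 1 for a checked application; the function names and sample data are constructed for illustration, and the key path is left as a parameter because this page does not give it.

```powershell
# Executables named in the recommended state on this page.
$RequiredExecutables = @(
    'groove.exe', 'excel.exe', 'mspub.exe', 'powerpnt.exe', 'pptview.exe',
    'visio.exe', 'winproj.exe', 'winword.exe', 'outlook.exe', 'spDesign.exe',
    'exprwd.exe', 'msaccess.exe', 'onent.exe', 'mse7.exe'
)

function Get-PolicyValue {
    # Reads every value under a registry key into a hashtable (name -> data).
    # $KeyPath is supplied by the caller; the page does not state the key.
    param([Parameter(Mandatory)] [string] $KeyPath)
    $values = @{}
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction Stop
    foreach ($name in $key.GetValueNames()) { $values[$name] = $key.GetValue($name) }
    return $values
}

function Test-ScriptedWindowRestriction {
    # Assumption: one value per executable, data 1 = application is checked.
    param(
        [Parameter(Mandatory)] [hashtable] $Values,
        [string[]] $Required = $RequiredExecutables
    )
    # Registry value names are case-insensitive, so compare the same way.
    $lookup = [hashtable]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($name in $Values.Keys) { $lookup[$name] = $Values[$name] }

    foreach ($exe in $Required) {
        $state = if (-not $lookup.ContainsKey($exe)) { 'Missing' }
                 elseif ($lookup[$exe] -eq 1) { 'Enabled' }
                 else { 'NotEnabled' }
        [pscustomobject]@{ Executable = $exe; State = $state }
    }
}

# Constructed sample: pptview.exe unchecked, mse7.exe absent, one name upper-cased.
$sample = @{}
foreach ($exe in $RequiredExecutables) { $sample[$exe] = 1 }
$sample['pptview.exe'] = 0
$sample.Remove('mse7.exe')
$sample.Remove('winword.exe'); $sample['WINWORD.EXE'] = 1

$report = @(Test-ScriptedWindowRestriction -Values $sample)
$failed = @($report | Where-Object State -ne 'Enabled')
$report | Format-Table -AutoSize
"Compliant: $($failed.Count -eq 0); not enabled: $($failed.Executable -join ', ')"

# On a live system (placeholder path, replace with the key this policy writes):
# Test-ScriptedWindowRestriction -Values (Get-PolicyValue -KeyPath '<policy key for this setting>')
```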

See Also

https://workbench.cisecurity.org/benchmarks/12129

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CM-10, 800-53|CM-11, 800-53|SC-18

Plugin: Windows

Control ID: e9972700b8eaa3f3783759827350a28bfdc08d937e721dbe000d13a044212c8c