18.4.5 (L1) Ensure 'Enable Certificate Padding' is set to 'Enabled'

Information

This policy setting configures whether the WinVerifyTrust function performs strict Windows Authenticode signature verification for Portable Executable (PE) files. If enabled, a PE file is treated as unsigned when Windows finds content in it that does not conform to the Authenticode specification; in particular, data appended to the unauthenticated portion of the signature block, which the original verification did not cover and which therefore left the signature valid, now causes the file to be reported as unsigned.

The recommended state for this setting is: Enabled

A remote code execution vulnerability exists in the way the WinVerifyTrust function handles Windows Authenticode signature verification for PE files. Note that the fix is opt-in: installing the security update alone does not turn on the stricter check, only the registry values written by this policy do. For more information on this vulnerability, see CVE-2013-3900 - Security Update Guide - Microsoft - WinVerifyTrust Signature Validation Vulnerability.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled:

Computer Configuration\Policies\Administrative Templates\MS Security Guide\Enable Certificate Padding

Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required; it is available from Microsoft as part of the Security Compliance Toolkit.
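The policy above writes a registry value that WinVerifyTrust reads at verification time, so a local audit can confirm the setting took effect independently of Group Policy reporting. The script below is an added example, not CIS or Tenable audit code: it checks (and, with the hypothetical -Remediate switch, sets) the EnableCertPaddingCheck value. The key paths and value name are taken from Microsoft's CVE-2013-3900 guidance rather than from this page; the REG_DWORD 1 is what the SecGuide.admx policy writes when Enabled, while Microsoft's published .reg file writes the string "1", and the script accepts either.

```powershell
# Added example (not from the CIS/Tenable text): audit and optionally enforce the
# EnableCertPaddingCheck value behind 'Enable Certificate Padding'.
# Assumptions: registry paths and value name per Microsoft's CVE-2013-3900 guidance;
# -Remediate is a hypothetical switch for this script only. Run elevated.
[CmdletBinding()]
param(
    [switch]$Remediate   # set the value instead of only reporting
)

$ValueName = 'EnableCertPaddingCheck'
$Paths = @('HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config')
# 64-bit Windows also keeps a Wow6432Node copy of the key for 32-bit callers.
if ([Environment]::Is64BitOperatingSystem) {
    $Paths += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
}

function Test-CertPaddingCheck {
    param([string]$Path)
    # $true only if the value exists and equals 1 (REG_DWORD 1 or REG_SZ "1").
    if (-not (Test-Path -Path $Path)) { return $false }
    $item = Get-ItemProperty -Path $Path -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ([int]$item.$ValueName -eq 1)
}

function Set-CertPaddingCheck {
    param([string]$Path)
    # The Config key does not exist by default; create it, then write REG_DWORD 1.
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

$failed = $false
foreach ($p in $Paths) {
    $ok = Test-CertPaddingCheck -Path $p
    $state = if ($ok) { 'PASS' } else { 'FAIL' }
    Write-Output ('{0}  {1}\{2}' -f $state, $p, $ValueName)
    if (-not $ok) {
        $failed = $true
        if ($Remediate) {
            Set-CertPaddingCheck -Path $p
            Write-Output ('      set {0}\{1} = 1 (REG_DWORD)' -f $p, $ValueName)
        }
    }
}

# Non-zero exit lets a compliance pipeline treat a FAIL the way the audit does.
if ($failed -and -not $Remediate) { exit 1 } else { exit 0 }
```

Save as a .ps1 and run from an elevated prompt; without -Remediate it only reports. Prefer the Group Policy route in production: a GPO reapplies the value on refresh and shows up in policy reporting, whereas a direct registry write does neither and can be reverted by a later policy that sets the value to 0.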

Impact:

Microsoft recommends that installers be built to extract content only from the validated portions of signed files. Some installers instead store payload data in the unauthenticated part of the signature block; once this setting is enabled they are treated as unsigned and may fail to install or to pass application control and signature checks. Test the installers in use before deploying the setting broadly.

See Also

https://workbench.cisecurity.org/benchmarks/16515

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-8

Plugin: Windows

Control ID: 082ab2fd476cdfd5d5eed49bc7fabb87d4535f4b26ca4645a5972b3ffd228652