18.10.28.5 (L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'

Information

This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows.

The recommended state for this setting is: Disabled

Limiting the opening of files and folders to a limited set reduces the attack surface of the system.

Solution

To establish the recommended configuration via GP, set the following UI path to Disabled :

Computer Configuration\Policies\Administrative Templates\Windows Components\File Explorer\Turn off shell protocol protected mode

Note: This Group Policy path is provided by the Group Policy template WindowsExplorer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.

Impact:

None - this is the default behavior.

See Also

https://workbench.cisecurity.org/benchmarks/16515

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|8.3

Plugin: Windows

Control ID: 9563ef7a77f1f655c5db96cb2e3572ac5cb507633117111ee364c80edd0d3ba7