18.10.91.2.1 (L1) Ensure 'Prevent users from modifying settings' is set to 'Enabled'

Information

This policy setting prevent users from making changes to the Exploit protection settings area in the Windows Security settings.

The recommended state for this setting is: Enabled

Only authorized IT staff should be able to make changes to the exploit protection settings in order to ensure the organizations specific configuration is not modified.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled :

Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Security\App and browser protection\Prevent users from modifying settings

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefenderSecurityCenter.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).

Impact:

Local users cannot make changes in the Exploit protection settings area.

See Also

https://workbench.cisecurity.org/benchmarks/17689

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-16, CSCv7|8.3

Plugin: Windows

Control ID: b94f9b43c08b77fce8786955ac4f2c3f05c1bca4adeb1bd1ed7b74a9b861a18d