Microsoft Windows Server 2019

Windows Server 2019 File Explorer shell protocol must run in protected mode

STIG ID: WN19-CC-000330 | SRG: SRG-OS-000480-GPOS-00227 | Severity: Medium | CCI: CCI-000366 | Vulnerability ID: V-205872

Description

The shell protocol will limit the set of folders that applications can open when run in protected mode. Restricting files an application can open to a limited set of folders increases the security of Windows.

Check

C-6137r355978_chk

The default behavior is for shell protected mode to be turned on for File Explorer.If the registry value name below does not exist, this is not a finding.If it exists and is configured with a value of "0", this is not a finding.If it exists and is configured with a value of "1", this is a finding.Registry Hive: HKEY_LOCAL_MACHINERegistry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Value Name: PreXPSP2ShellProtocolBehaviorValue Type: REG_DWORDValue: 0x00000000 (0) (or if the Value Name does not exist)

Fix

F-6137r355979_fix

The default behavior is for shell protected mode to be turned on for File Explorer.If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> "Turn off shell protocol protected mode" to "Not Configured" or "Disabled".