Microsoft Windows 10

File Explorer shell protocol must run in protected mode

STIG ID: WN10-CC-000225 | SRG: SRG-OS-000480-GPOS-00227 | Severity: Medium | CCI: CCI-000366 | Vulnerability ID: V-220839

Description

The shell protocol will limit the set of folders applications can open when run in protected mode. Restricting files an application can open, to a limited set of folders, increases the security of Windows.

Check

C-22554r555002_chk

The default behavior is for shell protected mode to be turned on for file explorer.If the registry value name below does not exist, this is not a finding.If it exists and is configured with a value of "0", this is not a finding.If it exists and is configured with a value of "1", this is a finding.Registry Hive: HKEY_LOCAL_MACHINERegistry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Value Name: PreXPSP2ShellProtocolBehaviorValue Type: REG_DWORDValue: 0 (or if the Value Name does not exist)

Fix

F-22543r555003_fix

The default behavior is for shell protected mode to be turned on for file explorer.If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> "Turn off shell protocol protected mode" to "Not Configured" or "Disabled".