Microsoft Windows 11

File Explorer shell protocol must run in protected mode

STIG ID: WN11-CC-000225 | SRG: SRG-OS-000480-GPOS-00227 | Severity: Medium | CCI: CCI-000366 | Vulnerability ID: V-253398

Description

The shell protocol will limit the set of folders applications can open when run in protected mode. Restricting files an application can open, to a limited set of folders, increases the security of Windows.

Check

C-56851r829276_chk

The default behavior is for shell protected mode to be turned on for file explorer.If it exists and is configured with a value of "1", this is a finding.Registry Hive: HKEY_LOCAL_MACHINERegistry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Value Name: PreXPSP2ShellProtocolBehaviorValue Type: REG_DWORDValue: 0 (or if the Value Name does not exist)

Fix

F-56801r829277_fix

The default behavior is for shell protected mode to be turned on for file explorer.To correct this, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> "Turn off shell protocol protected mode" to "Not Configured" or "Disabled".