ayohrling / local_security_policy

Apache License 2.0
6 stars, 28 forks

18.4.8 Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled' #53

Status: Open. pillarsdotnet opened this issue 5 years ago.

pillarsdotnet commented 5 years ago

18.4.8 Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'

Info

The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways:

  • Search the folders specified in the system path first, and then search the current working folder.
  • Search the current working folder first, and then search the folders specified in the system path.

When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. When disabled, the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path. Applications will be forced to search for DLLs in the system path first. For applications that require unique versions of these DLLs that are included with the application, this entry could cause performance or stability problems.

The recommended state for this setting is: 'Enabled'.

Rationale

If a user unknowingly executes hostile code that was packaged with additional files that include modified versions of system DLLs, the hostile code could load its own versions of those DLLs and potentially increase the type and degree of damage the code can render.

Solution

To establish the recommended configuration via GP, set the following UI path to 'Enabled':

Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)

Note: This Group Policy path does not exist by default. An additional Group Policy template ('MSS-legacy.admx/adml') is required - it is available from this TechNet blog post: The MSS settings -- Microsoft Security Guidance blog

Impact

None - this is the default behavior.
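An added audit/remediation script for the setting the issue describes (example code, not part of the local_security_policy module or the issue text). It assumes the Group Policy setting above writes the `SafeDllSearchMode` REG_DWORD under `HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager`, the documented location of that value; the value 1/0 semantics are those stated in the benchmark text.

```powershell
# Added example: audit, and optionally remediate, the SafeDllSearchMode registry
# value that the MSS (Legacy) policy "Enable Safe DLL search mode" controls.
# Assumption: the value lives under the Session Manager key named below.
$SafeDllKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$SafeDllName = 'SafeDllSearchMode'

function Test-SafeDllSearchMode {
    # Returns the current value and whether it meets the CIS 18.4.8 recommendation.
    $item = Get-ItemProperty -Path $SafeDllKey -Name $SafeDllName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: the OS default is the safe order (system path before the
        # current working folder), but nothing explicit enforces it, so report it.
        return [pscustomobject]@{
            Value     = $null
            Compliant = $false
            State     = 'Absent (OS default: enabled, not explicitly set)'
        }
    }
    $value = [int]$item.$SafeDllName
    if ($value -eq 1) {
        $stateText = 'Enabled: system path is searched before the current working folder'
    } else {
        $stateText = 'Disabled: current working folder is searched before the system path'
    }
    [pscustomobject]@{ Value = $value; Compliant = ($value -eq 1); State = $stateText }
}

function Set-SafeDllSearchMode {
    # Writes the recommended state (1) as a REG_DWORD; requires an elevated shell.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess("$SafeDllKey\$SafeDllName", 'Set to 1 (Enabled)')) {
        New-ItemProperty -Path $SafeDllKey -Name $SafeDllName -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Usage: audit first, then remediate only when the value is not 1.
$state = Test-SafeDllSearchMode
Write-Output ("{0}: {1}" -f $SafeDllName, $state.State)
if (-not $state.Compliant) {
    Set-SafeDllSearchMode -WhatIf   # drop -WhatIf to apply the change
}
```

On a domain-joined host prefer the Group Policy path from the benchmark, since a value written directly to the registry will be overwritten at the next policy refresh if the GPO sets it differently.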