ayohrling / local_security_policy

Apache License 2.0

18.8.28.1 Ensure 'Untrusted Font Blocking' is set to 'Enabled: Block untrusted fonts and log events' #80

Open pillarsdotnet opened 5 years ago

pillarsdotnet commented 5 years ago

18.8.28.1 Ensure 'Untrusted Font Blocking' is set to 'Enabled: Block untrusted fonts and log events'

Info

This security feature provides a global setting to prevent programs from loading untrusted fonts. Untrusted fonts are any font installed outside of the '%windir%\Fonts' directory. This feature can be configured to be in 3 modes: On, Off, and Audit. The recommended state for this setting is: 'Enabled: Block untrusted fonts and log events'.

Rationale: Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local EOP attacks that can happen during the font file-parsing process.

Solution

To establish the recommended configuration via GP, set the following UI path to 'Enabled: Block untrusted fonts and log events':

Computer Configuration\Policies\Administrative Templates\System\Mitigation Options\Untrusted Font Blocking

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template 'GroupPolicy.admx/adml' that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).

Impact: Fonts not located in the '%windir%\Fonts' directory will not be loaded. This setting can temporarily be run in Audit mode ('Log events without blocking untrusted fonts') first to observe if blocking untrusted fonts would cause any usability or compatibility issues.
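As an added example (not part of this issue or of the local_security_policy module), the following PowerShell audits the current 'Untrusted Font Blocking' mode, applies the recommended or the Audit-mode value, and pulls the events produced during an Audit-mode trial. It assumes the registry location and value data that GroupPolicy.admx writes for this policy (HKLM\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions, REG_SZ value 'MitigationOptions_FontBocking') and that font-blocking events appear as ID 260 in the Microsoft-Windows-Win32k/Operational log; verify both against your ADMX and a test machine.

```powershell
# Added example, not code from the issue or the local_security_policy module.
# Assumption: registry location and data used by the 'Untrusted Font Blocking' policy in
# GroupPolicy.admx. The value name really is spelled 'FontBocking' in the template.
$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions'
$ValueName = 'MitigationOptions_FontBocking'
$Modes = @{
    '1000000000000' = 'Enabled: Block untrusted fonts and log events'          # CIS 18.8.28.1 target
    '3000000000000' = 'Enabled: Log events without blocking untrusted fonts'   # Audit mode
    '2000000000000' = 'Enabled: Do not block untrusted fonts'                  # Off
}

function Get-UntrustedFontBlockingState {
    # Reports the configured mode and whether it matches the recommended state.
    $data = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    $mode = if ($null -eq $data) { 'Not Configured' }
            elseif ($Modes.ContainsKey([string]$data)) { $Modes[[string]$data] }
            else { "Unexpected value '$data'" }
    [pscustomobject]@{ Mode = $mode; Compliant = ([string]$data -eq '1000000000000') }
}

function Set-UntrustedFontBlocking {
    # Writes the policy value. Run with -Audit first so untrusted font loads are logged but not
    # blocked; switch to blocking once the audit period shows no compatibility problems.
    param([switch]$Audit)
    $data = if ($Audit) { '3000000000000' } else { '1000000000000' }
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType String -Value $data -Force | Out-Null
    Get-UntrustedFontBlockingState
}

function Get-UntrustedFontEvents {
    # Assumption: blocked or audited font loads are logged as event ID 260 in
    # Microsoft-Windows-Win32k/Operational. Review these before moving from Audit to Block.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Win32k/Operational'
        Id        = 260
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
}

Get-UntrustedFontBlockingState
```

On a domain-joined machine a GPO that configures this policy will overwrite a locally written value at the next policy refresh, so use the registry write only for stand-alone hosts or lab testing and deploy the setting through the GP path above otherwise.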