5.3 Set 'Check for signatures on downloaded programs' to 'Enabled'

Information



This policy setting allows you to manage whether Internet Explorer checks for digital signatures (which identify the publisher of signed software and verify that it hasn't been modified or tampered with) on user computers before downloading executable programs.

If you enable this policy setting, Internet Explorer will check the digital signatures of executable programs and display their identities before downloading them to user computers.

If you disable this policy setting, Internet Explorer will not check the digital signatures of executable programs or display their identities before downloading them to user computers.

If you do not configure this policy, Internet Explorer will not check the digital signatures of executable programs or display their identities before downloading them to user computers.

The recommended state for this setting is: Enabled.

Rationale

Although digitally signing software does not guarantee that it includes no malware, it does reduce the risk, and it provides another potential path of investigation should the software include a dangerous payload.

Solution

To establish the recommended configuration via Group Policy, set the following UI path to
Enabled.

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page\Check for signatures on downloaded programs

See Also

https://workbench.cisecurity.org/files/1518

Item Details

Audit Name: CIS IE 11 v1.0.0

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-5(3)

Plugin: Windows

Control ID: 7128068d2e0c5d6157fa4502816dc725eb2ef915ba8d1bd2492d0ed29a15b97d