8.3.22 Set 'Scriptlets' to 'Enabled:Disable'


This policy setting allows you to manage whether scriptlets can be allowed. If you enable
this policy setting, users will be able to run scriptlets. If you disable this policy setting,
users will not be able to run scriptlets. If you do not configure this policy setting, a scriptlet
can be enabled or disabled by the user. The recommended state for this setting is-


Scriptlets have been exploited by malicious users in the past, one example is the malware
Exploit-MSWord.k which embedded the class ID of the Microsoft Scriptlet Component
within a Word document and the URL of a website that hosted additional malicious
software. When opened Microsoft Word would process the embedded object then
download and activate the malicious payload. This particular vulnerability was patched
several years ago but disabling this setting in untrusted zones helps mitigate against the
entire class of attacks.


To establish the recommended configuration via Group Policy, set the following UI path to

Computer Configuration\Administrative Templates\Windows Components\Internet
Explorer\Internet Control Panel\Security Page\Restricted Sites Zone\Allow ScriptletsThen set the Scriptlets option to Disable.

See Also


Item Details

Audit Name: CIS IE 11 v1.0.0


References: 800-53|CM-7a.

Plugin: Windows

Control ID: 9325ec32b0a034674e68c3878e53a5c04eb9c307381e7c5035ce87d4e01e6b91