5.4 Set 'Disable changing certificate settings' to 'Enabled'

Information

*Description*

This policy setting removes a user's ability to change certificate settings in Internet
Explorer. Certificates are used to verify the identity of software publishers. If you enable
this policy setting, the certificate settings in the Certificates area of the Content tab in the
Internet Options dialog box are dimmed. This policy setting also removes a user's ability to
change settings that are configured through Group Policy.

Note: When this policy setting is enabled, users can still double-click the software
publishing certificate (.spc) file to run the Certificate Manager Import Wizard. This wizard
enables users to import and configure settings for certificates from software publishers
that are not already configured in Internet Explorer.

Note: The 'Disable the Content page' setting removes the Content tab from Internet Explorer
in Control Panel and takes precedence over this 'Disable changing certificate settings'
configuration option. If the former setting is enabled, the latter setting is ignored. The
'Disable the Content page' setting is located in \User Configuration\Administrative
Templates\Windows Components\Internet Explorer\Internet Control Panel in the Group
Policy Object Editor.

The recommended state for this setting is: Enabled.

*Rationale*

Users could import new certificates, remove approved certificates, or change settings for
previously configured ones. Such occurrences could cause approved applications to fail, or
unapproved software to be executed.

Solution

To implement the recommended configuration state, set the following Group Policy setting
to Enabled.

User Configuration\Administrative Templates\Windows Components\Internet Explorer\Disable changing certificate settings

Impact: Users will be unable to change the certificate settings.

See Also

https://workbench.cisecurity.org/files/1516

Item Details

Audit Name: CIS IE 9 v1.0.0

Category: ACCESS CONTROL

References: 800-53|AC-6

Plugin: Windows

Control ID: aee1edad8e803ad147bfef9cd166b73ce69b03240018716f6ca8a9b7aaa959c6