Detections
Analytics

19.7.4.1 (L1) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

This policy setting allows you to manage whether Windows marks file attachments with information about their zone of origin (such as restricted, Internet, intranet, local). This requires NTFS in order to function correctly, and will fail without notice on FAT32. By not preserving the zone information, Windows cannot make proper risk assessments.
The recommended state for this setting is: Disabled.
Note: The Attachment Manager feature warns users when opening or executing files which are marked as being from an untrusted source, unless/until the file's zone information has been removed via the 'Unblock' button on the file's properties or via a separate tool such as Microsoft Sysinternals Streams.

Rationale:
A file that is downloaded from a computer in the Internet or Restricted Sites zone may be moved to a location that makes it appear safe, like an intranet file share, and executed by an unsuspecting user. The Attachment Manager feature will warn users when opening or executing files which are marked as being from an untrusted source, unless/until the file's zone information has been removed.

Solution

To establish the recommended configuration via GP, set the following UI path to Disabled:
User Configuration\Policies\Administrative Templates\Windows Components\Attachment Manager\Do not preserve zone information in file attachments
Note: This Group Policy path is provided by the Group Policy template AttachmentManager.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.

Impact:
None - this is the default behavior.

Default Value:
Disabled. (Windows marks file attachments with their zone information.)

References:
1. CCE-34810-2

See Also

https://workbench.cisecurity.org/files/2754

Item Details

References: CSCv6|7, CSCv7|7.1

Plugin: Windows

Control ID: 6f099e76d9e561351d6e54d33d4e76373764ea6b57f607bc7dc8537cc444901f