1.1.1.2 (L1) Ensure 'Restrict legacy JScript execution for Office' is set to 'Enabled'

Information

This policy setting controls JScript execution per Security Zone within Internet Explorer and WebBrowser Control (WebOC) for Office applications. JScript is Microsoft's legacy dialect of the ECMAScript standard that is used in Microsoft's Internet Explorer 11 and older.

If Enabled, Office applications will not execute legacy JScript for the Internet or Restricted Sites zones and users aren't notified by the application that legacy JScript execution is restricted. Modern JScript9 will continue to function for all zones.

The recommended state for this setting is: Enabled, with the following value for each application:

Access: 69632
Excel: 69632
OneNote: 69632
Outlook: 69632
PowerPoint: 69632
Project: 69632
Publisher: 69632
Visio: 69632
Word: 69632

Development on the JScript engine ended and the component was deprecated with the release of Internet Explorer 8.0 in 2009, but the engine remained in all Windows OS versions as a legacy component inside IE. Due to this, it has been exploited by a number of bad actors over the years, including nation-states.

The following CVEs are associated with JScript vulnerabilities: CVE-2018-8653, CVE-2019-1367, CVE-2019-1429, and CVE-2020-0674.

Solution

To establish the recommended state via configuration profiles, set the following Settings Catalog path to Enabled: 69632 for each application listed.

Administrative Templates\MS Security Guide\Restrict legacy JScript execution for Office
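The following audit helper is an added example, not part of the CIS benchmark or Tenable audit content. It assumes (the page does not state this) that the policy writes one DWORD per Office executable under the FEATURE_RESTRICT_LEGACY_JSCRIPT_PER_SECURITY_ZONE feature-control key, and that the value is a bitmask of URL security zones in which 69632 (0x11000) covers Internet (0x1000) plus Restricted Sites (0x10000); the executable names and zone bit layout are assumptions.

```powershell
# Added audit helper; not from the CIS/Tenable page.
# Assumed registry location and per-application value names (not stated on the page).
$KeyPath  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_LEGACY_JSCRIPT_PER_SECURITY_ZONE'
$Expected = 69632   # 0x11000 = Internet (0x1000) + Restricted Sites (0x10000), per the assumed bitmask layout

# Assumed executable value names, mapped to the application names used in the benchmark
$Apps = [ordered]@{
    'msaccess.exe' = 'Access';    'excel.exe' = 'Excel';     'onenote.exe' = 'OneNote'
    'outlook.exe'  = 'Outlook';   'powerpnt.exe' = 'PowerPoint'; 'winproj.exe' = 'Project'
    'mspub.exe'    = 'Publisher'; 'visio.exe' = 'Visio';     'winword.exe' = 'Word'
}

# Assumed zone bit layout; used only to explain what a non-compliant value actually restricts
$ZoneBits = [ordered]@{
    0x1 = 'Local Machine'; 0x10 = 'Local Intranet'; 0x100 = 'Trusted Sites'
    0x1000 = 'Internet';   0x10000 = 'Restricted Sites'
}

function ConvertTo-ZoneList {
    param([int]$Mask)
    $zones = foreach ($bit in $ZoneBits.Keys) { if ($Mask -band $bit) { $ZoneBits[$bit] } }
    if ($zones) { $zones -join ', ' } else { '(none)' }
}

function Test-LegacyJScriptRestriction {
    foreach ($exe in $Apps.Keys) {
        # Missing key or missing value both read as $null, i.e. legacy JScript is not restricted
        $actual = (Get-ItemProperty -Path $KeyPath -Name $exe -ErrorAction SilentlyContinue).$exe
        [pscustomobject]@{
            Application = $Apps[$exe]
            Value       = if ($null -eq $actual) { 'not set' } else { $actual }
            BlockedIn   = if ($null -eq $actual) { '(none)' } else { ConvertTo-ZoneList $actual }
            Compliant   = ($actual -eq $Expected)
        }
    }
}

$report = Test-LegacyJScriptRestriction
$report | Format-Table -AutoSize
if ($report.Compliant -contains $false) {
    Write-Warning 'One or more Office applications do not restrict legacy JScript in the Internet and Restricted Sites zones.'
}
```

Run in an elevated session on the endpoint after the configuration profile has applied; a value that is set but differs from 69632 is shown with the zones it actually covers so the deviation can be triaged rather than just flagged.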

Impact:

It's important to determine whether legacy JScript is being used to provide business-critical functionality before enabling this setting.

See Also

https://workbench.cisecurity.org/benchmarks/15808

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|CM-7, 800-53|CM-7(1), 800-53|SI-7, 800-53|SI-7(1)

Plugin: Windows

Control ID: 292264bec9687c46e9f776fa0683087cf4bdd7047b0d74aee53a71f4e102beef