18.10.82.1 (L1) Ensure 'Configure the transmission of the user's password in the content of MPR notifications sent by winlogon.' is set to 'Disabled'

Information

This policy setting controls whether winlogon includes a user's password in the content of Multiple Provider Router (MPR) notifications. MPR handles communication between the Windows operating system and the installed network providers. MPR checks the registry to determine which providers are installed on the system and the order they are cycled through.

The recommended state for this setting is: Disabled

MPR is a legacy utility that provides notifications to registered credential managers or network providers when there is a logon event, or a password change event. Although MPR can be used by legitimate applications, the user's password field of these notifications should be empty to prevent abuse by attackers.

Solution

To establish the recommended configuration via GP, set the following UI path to Disabled :

Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Logon Options\Configure the transmission of the user's password in the content of MPR notifications sent by winlogon.

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WinLogon.admx/adml that is included with the Microsoft Windows 11 Release 22H2 Administrative Templates v1.0 (or newer).

Note #2: This setting was initially released with the Windows 11 Release 22H2 Administrative Templates, named

Enable MPR notifications for the system

. It was renamed starting with the Windows 11 Release 24H2 Administrative Templates.

Impact:

None - this is the default behavior.

See Also

https://workbench.cisecurity.org/benchmarks/21994

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|9.2

Plugin: Windows

Control ID: 29a42e2a092eed88046b69be513a659d49a8a08901a900fe6b80705deb4c4c7f