18.9.17.1 Ensure 'Download Mode' is set to 'Enabled'

Information

This policy setting specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates.

The following list shows the supported values:

0 = HTTP only, no peering.

1 = HTTP blended with peering behind the same NAT.

2 = HTTP blended with peering across a private group. By default, peering occurs on devices in the same Active Directory Site (if one exists) or the same domain. When this option is selected, peering will cross NATs. To create a custom group, use Group ID in combination with Mode 2.

3 = HTTP blended with Internet Peering.

99 = Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services.

100 = Bypass mode. Do not use Delivery Optimization and use BITS instead.

The STIG recommended state for this setting is: Enabled with any option except 3 = Internet.




Rationale:

Windows Update can obtain updates from additional sources instead of Microsoft. In addition to Microsoft, updates can be obtained from and sent to PCs on the local network as well as on the Internet. This is part of the Windows Update trusted process; however, to minimize outside exposure, obtaining updates from or sending updates to systems on the Internet must be prevented.

Impact:

Microsoft updates will not be obtained via Internet peering.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled with any option except 3 = Internet:

Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization\Download Mode

Note: This Group Policy path may not exist by default. This Group Policy section is provided by the Group Policy template DeliveryOptimization.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).

Default Value:

Not configured.
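
A read-only audit of this setting on a single host, added here as an example; it is not part of the benchmark or the STIG. It assumes the policy is stored as the DWORD DODownloadMode under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization, a location this page does not state, and Test-DownloadMode is a hypothetical helper name.

```powershell
# Added example: audit the Delivery Optimization 'Download Mode' policy value.
# Assumption (not stated on this page): the policy is stored as the DWORD
# DODownloadMode under the key below.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
$ValueName = 'DODownloadMode'

# Supported values as listed in the Information section of this page.
$Modes = @{
    0   = 'HTTP only, no peering'
    1   = 'Peering behind the same NAT'
    2   = 'Peering across a private group'
    3   = 'Internet peering'
    99  = 'Simple download mode, no peering'
    100 = 'Bypass mode (BITS)'
}

function Test-DownloadMode {
    param(
        [string]$Path = $PolicyKey,
        [string]$Name = $ValueName
    )
    # Returns $null when either the key or the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Default state per this page: policy not configured, so not 'Enabled'.
        return [pscustomobject]@{
            Configured = $false
            Value      = $null
            Meaning    = 'Not configured'
            Compliant  = $false
        }
    }
    $value = [int]$item.$Name
    $known = $Modes.ContainsKey($value)
    [pscustomobject]@{
        Configured = $true
        Value      = $value
        Meaning    = if ($known) { $Modes[$value] } else { 'Unrecognized value' }
        # Compliant: a supported mode other than 3 (Internet peering).
        Compliant  = ($known -and $value -ne 3)
    }
}

Test-DownloadMode | Format-List
```

An unconfigured host and a host set to 3 both report Compliant as False, but for different reasons, so check the Meaning field before remediating.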




Additional Information:

Microsoft Windows Server 2019 Security Technical Implementation Guide:
Version 2, Release 1, Benchmark Date: November 13, 2020

Vul ID: V-205870
Rule ID: SV-205870r569188_rule
STIG ID: WN19-CC-000260
Severity: CAT III

See Also

https://workbench.cisecurity.org/files/3345

Item Details

Category: RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|RA-5, 800-53|SI-2, 800-53|SI-2(2), CSCv7|3.4

Plugin: Windows

Control ID: 0061356ae07e168cf668f14793a220c3b81b7e71c8fbfc96c3a9a44866a2d4f4