Details

Users could submit credentials to servers operated by malicious people who could then attempt to connect to legitimate servers with those captured credentials. Care must be taken with user credentials, automatic logon performance, and how default Windows credentials are passed to web sites.

Solution

Set the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> ‘Logon options’ to ‘Enabled’ and select ‘Anonymous logon’ from the drop-down box.

Supportive Information

The following resource is also helpful.

• https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Microsoft_IE9_V1R15_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection.This control applies to the following type of system Windows.

References

• 800-53|SC-23
• CAT|II
• Rule-ID|SV-40619r1_rule
• STIG-ID|DTBI136
• Vuln-ID|V-6311

Source

• Tenable.com/audits