CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark

Rationale:

The primary purpose of Windows Defender Application Guard (WDAG) is to present a "sandboxed container" for visiting untrusted websites. If the host clipboard is made available to WDAG, a compromised WDAG session will have access to its content, potentially exposing sensitive information to a malicious website or application. However, the risk is reduced if the WDAG clipboard is made accessible to the host, and indeed that functionality may often be necessary from an operational standpoint.

Audit:

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppHVSI:AppHVSIClipboardSettin gs

Remediation:

To establish the recommended configuration via GP, set the following UI path to Enabled: Enable clipboard operation from an isolated session to the host

Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard clipboard settings: Clipboard behavior setting

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AppHVSI.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).

Impact:

Windows Defender Application Guard (WDAG) sessions will not be able to access the host device's clipboard, however the host device will be able to access the WDAG session clipboard.

Default Value:

Disabled. (All clipboard functionality is turned off in Windows Defender Application Guard (WDAG).)

1116 | P a g e