CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark

5.10 (L1) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed' (Scored)

ProfileApplicability:

 Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:

The LXSS Manager service supports running native ELF binaries. The service provides the infrastructure necessary for ELF binaries to run on Windows.

The recommended state for this setting is: Disabled or Not Installed .

Note: This service is not installed by default. It is supplied withWindows, but is installed by enabling an optional Windows feature ( Windows Subsystem for Linux ).

Rationale:

The Linux SubSystem (LXSS) Manager allows full system access to Linux applications on Windows, including the file system. While this can certainly have some functionality and performance benefits for running those applications, it also creates new security risks in the event that a hacker injects malicious code into a Linux application. For best security, it is preferred to run Linux applications on Linux, and Windows applications on Windows.

Audit:

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LxssManager:Start

Remediation:

To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed.

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\LxssManager

Impact:

The Linux SubSystem will not be available, and native ELF binaries will no longer run.

314 | P a g e