CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark

18.4.4 (L2) Ensure 'MSS: (DisableSavePassword) Prevent the dial -up password from being saved' is set to 'Enabled' (Scored)

ProfileApplicability:

 Level 2 (L2) - High Security/Sensitive Data Environment (limited functionality)

Description:

When you dial a phonebook or VPN entry in Dial-Up Networking, you can use the "Save Password" option so that your Dial-Up Networking password is cached and you will not need to enter it on successive dial attempts. For security, administrators may want to prevent users from caching passwords.

The recommended state for this setting is: Enabled .

Rationale:

An attacker who steals a mobile user's computer could automatically connect to the organization's network if the Save This Password check box is selected for the dial-up or VPN networking entry used to connect to your organization's network.

Audit:

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters:Disabl eSavePassword

Remediation:

To establish the recommended configuration via GP, set the following UI path to Enabled:

Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS:(DisableSavePassword) Prevent the dial-up password from being saved

Note: This Group Policy path does not exist by default. An additional Group Policy template ( MSS-legacy.admx/adml ) isrequired - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog

546 | P a g e