CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark

The recommended state for this setting is: {d48179be-ec20-11d1-b6b8-00c04fa372a7} , {7ebefbc0-3200-11d2-b4c2-00a0C9697d07} , {c06ff265-ae09-48f0-812c-16753d7cba83} , and {6bdd1fc1-810f-11d0-bec7-08002be2092f}

Note: IEEE 1394 has also been known/branded as FireWire (by Apple), i.LINK (by Sony) and Lynx (by Texas Instruments).

Rationale:

A BitLocker-protected computer may be vulnerable to Direct Memory Access (DMA) attacks when the computer is turned on or is in the Standby power state - this includes when the workstation is locked.

BitLocker with TPM-only authentication lets a computer enter the power-on state without any pre-boot authentication. Therefore, an attacker may be able to perform DMA attacks.

This issue is documented in Microsoft Knowledge Base article 2516445: Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker.

Audit:

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrict ions\DenyDeviceClasses:

Remediation:

To establish the recommended configuration via GP, set the following UI path to Enabled , and add {d48179be-ec20-11d1-b6b8-00c04fa372a7} , {7ebefbc0-3200-11d2-b4c2- 00a0C9697d07} , {c06ff265-ae09-48f0-812c-16753d7cba83} , and {6bdd1fc1-810f-11d0- bec7-08002be2092f} to the device setup classes list:

Computer Configuration\Policies\Administrative Templates\System\Device Installation\Device Installation Restrictions\Prevent installation of devices using drivers that match these device setup classes

Note: This Group Policy path is provided by the Group Policy template DeviceInstallation.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.

648 | P a g e