Windows Server 2019 File Explorer shell protocol must run in protected mode.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-205872	WN19-CC-000330	SV-205872r569188_rule		Medium

Description
The shell protocol will limit the set of folders that applications can open when run in protected mode. Restricting files an application can open to a limited set of folders increases the security of Windows.

STIG	Date
Microsoft Windows Server 2019 Security Technical Implementation Guide	2021-08-18

Details

Check Text ( C-6137r355978_chk )
The default behavior is for shell protected mode to be turned on for File Explorer. If the registry value name below does not exist, this is not a finding. If it exists and is configured with a value of "0", this is not a finding. If it exists and is configured with a value of "1", this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ Value Name: PreXPSP2ShellProtocolBehavior Value Type: REG_DWORD Value: 0x00000000 (0) (or if the Value Name does not exist)

Check Text ( C-6137r355978_chk )

The default behavior is for shell protected mode to be turned on for File Explorer.

If the registry value name below does not exist, this is not a finding.

If it exists and is configured with a value of "0", this is not a finding.

If it exists and is configured with a value of "1", this is a finding.

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

Value Name: PreXPSP2ShellProtocolBehavior

Value Type: REG_DWORD
Value: 0x00000000 (0) (or if the Value Name does not exist)

Fix Text (F-6137r355979_fix)
The default behavior is for shell protected mode to be turned on for File Explorer. If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> "Turn off shell protocol protected mode" to "Not Configured" or "Disabled".