Windows Server 2019 File Explorer shell protocol must run in protected mode.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-205872	WN19-CC-000330	SV-205872r991589_rule	CCI-000366	medium
Description
The shell protocol will limit the set of folders that applications can open when run in protected mode. Restricting files an application can open to a limited set of folders increases the security of Windows.
STIG			Date
Microsoft Windows Server 2019 Security Technical Implementation Guide			2025-05-23

Related Frameworks

4 paths across 3 frameworks

NIST 800-531 mapping

CM-6

1.00

DISA · 3 · disa_xccdf · related
DISA · 2025-01-23 · disa_cci_list · equivalent

NIST 800-1712 mappings

3.4.1

1.00

DISA · 3 · disa_xccdf · related
DISA · 2025-01-23 · disa_cci_list · equivalent
NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

3.4.2

1.00

DISA · 3 · disa_xccdf · related
DISA · 2025-01-23 · disa_cci_list · equivalent
NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

CCI1 mapping

CCI-000366

1.00

DISA · 3 · disa_xccdf · related

Details

Check Text (C-205872r991589_chk)

The default behavior is for shell protected mode to be turned on for File Explorer. If the registry value name below does not exist, this is not a finding. If it exists and is configured with a value of "0", this is not a finding. If it exists and is configured with a value of "1", this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ Value Name: PreXPSP2ShellProtocolBehavior Value Type: REG_DWORD Value: 0x00000000 (0) (or if the Value Name does not exist)

Fix Text (F-6137r355979_fix)

The default behavior is for shell protected mode to be turned on for File Explorer. If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> "Turn off shell protocol protected mode" to "Not Configured" or "Disabled".