2.8.6.8 DLL Search Settings

Enable Safe DLL Search Order: Enable Safe DLL search mode (recommended)
This entry appears as MSS: Enable Safe DLL search mode (recommended) in the SCE. The dynamic-link library (DLL) search order can be configured to search for DLLs requested by running processes in one of two ways:
• Search folders specified in the system path first, and then search the current working folder.
• Search current working folder first, and then search the folders specified in the system path.
The registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path, and then searches the current working folder. With a setting of 0, the system first searches the current working folder, and then searches the folders that are specified in the system path. The following registry value entries have been added to the template file at the following registry key.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\

Subkey Registry Value Entry    Format    Recommended Value (Decimal)
SafeDllSearchMode              DWORD     1
Vulnerability: If a user unknowingly executes hostile code, and that hostile code has been packaged with additional files including modified versions of system DLLs, the hostile code could load its own versions of those DLLs, potentially increasing the type and degree of damage the code can render.
Countermeasure: Configure MSS: Enable Safe DLL search mode (recommended) to a value of Enabled. The possible values for this Registry value are:
• 1 or 0; default is 0
In the SCE UI, these options appear as:
• Enabled
• Disabled
• Not Defined
Potential Impact: Applications will be forced to search for DLLs in the system path first. For applications that require unique versions of these DLLs that have been included with the application, this could cause performance or stability problems.
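The following PowerShell script is an added audit example, not part of the guide or its templates: it reads SafeDllSearchMode from the registry key named above, treats an absent value as the default of 0 that this section documents, and lists the resulting search order as the section describes it. It assumes the machine-level PATH variable stands for the "folders specified in the system path".

```powershell
# Added audit script (not from the guide). Reads the SafeDllSearchMode value
# documented in section 2.8.6.8 and reports whether it matches the
# recommended value of 1.

function Get-SafeDllSearchMode {
    $keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $item = Get-ItemProperty -Path $keyPath -Name 'SafeDllSearchMode' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: the guide states the default is 0 (current folder searched first).
        return [pscustomobject]@{ Present = $false; Value = 0; Source = 'default per guide' }
    }
    return [pscustomobject]@{ Present = $true; Value = [int]$item.SafeDllSearchMode; Source = 'registry' }
}

function Get-EffectiveDllSearchOrder {
    param([int]$Mode, [string]$WorkingDirectory = (Get-Location).Path)
    # Assumption: the machine PATH approximates the "system path" folders the
    # section refers to; the section defines the order only in terms of
    # "system path" and "current working folder".
    $systemPath = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
        Where-Object { $_ -ne '' }
    if ($Mode -eq 1) { return @($systemPath) + @($WorkingDirectory) }   # safe order
    return @($WorkingDirectory) + @($systemPath)                        # unsafe order
}

function Test-SafeDllSearchMode {
    $state = Get-SafeDllSearchMode
    [pscustomobject]@{
        Present   = $state.Present
        Value     = $state.Value
        Source    = $state.Source
        Compliant = ($state.Value -eq 1)
        Order     = Get-EffectiveDllSearchOrder -Mode $state.Value
    }
}

$result = Test-SafeDllSearchMode
$result | Select-Object Present, Value, Source, Compliant | Format-List
Write-Host 'Effective DLL search order (first match wins):'
$result.Order | ForEach-Object { Write-Host "  $_" }
if (-not $result.Compliant) {
    Write-Warning "SafeDllSearchMode is $($result.Value) ($($result.Source)); the guide recommends 1."
}
```

Run it in an elevated PowerShell session only if the key's ACL restricts reads; a warning means the current working folder is searched before the system path.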
2.8.7 Additional Security Settings (Manual Hardening Procedures)
Although most of the countermeasures used to harden the baseline servers in the three environments
defined in this guide were applied through Group Policy, there are additional settings that are difficult
or impossible to apply with Group Policy. This section describes how some additional
countermeasures were implemented manually, such as securing accounts, and how others were put in