;Custom Administrative Template for the issue described in the Microsoft Security Advisory 2501696: http://www.microsoft.com/technet/security/advisory/2501696.mspx
;This policy requires that you disable filtering in the Group Policy Object Editor
;To disable the Group Policy filter in the Group Policy Object Editor go to View->Filtering... and deselect "Only show policy settings that can be fully managed"
;The registry values below live outside the Policies registry hives, so they are unmanaged settings that persist until the policy is explicitly disabled

;####################### Begin setting ###########################

CLASS MACHINE

CATEGORY "KB2501696 Workaround - Vulnerability in MHTML could allow information disclosure"

    POLICY "Enable MHTML Protocol Lockdown for 32-bit editions of Microsoft Windows"
        EXPLAIN !!explain32bit
        KEYNAME "SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN"

        ACTIONLISTON
            KEYNAME "SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN"
            VALUENAME "explorer.exe" VALUE NUMERIC 1
            VALUENAME "iexplore.exe" VALUE NUMERIC 1
            VALUENAME "*" VALUE NUMERIC 1
            KEYNAME "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\1"
            VALUENAME "mhtml" VALUE "mhtml"
            KEYNAME "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\2"
            VALUENAME "mhtml" VALUE "mhtml"
            KEYNAME "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\3"
            VALUENAME "mhtml" VALUE "mhtml"
            KEYNAME "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\4"
            VALUENAME "mhtml" VALUE "mhtml"
        END ACTIONLISTON

        ACTIONLISTOFF
            KEYNAME "SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN"
            VALUENAME "explorer.exe" VALUE NUMERIC 0
            VALUENAME "iexplore.exe" VALUE NUMERIC 0
            VALUENAME "*" VALUE DELETE
            KEYNAME "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\1"
            VALUENAME "mhtml" VALUE DELETE
            KEYNAME "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\2"
            VALUENAME "mhtml" VALUE DELETE
            KEYNAME "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\3"
            VALUENAME "mhtml" VALUE DELETE
            KEYNAME "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\4"
            VALUENAME "mhtml" VALUE DELETE
        END ACTIONLISTOFF
    END POLICY

    POLICY "Enable MHTML Protocol Lockdown for 64-bit editions of Microsoft Windows"
        EXPLAIN !!explain64bit
        KEYNAME "SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN"

        ACTIONLISTON
            ;Native (64-bit) registry view
            KEYNAME "SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN"
            VALUENAME "explorer.exe" VALUE NUMERIC 1
            VALUENAME "iexplore.exe" VALUE NUMERIC 1
            VALUENAME "*" VALUE NUMERIC 1
            KEYNAME "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\1"
            VALUENAME "mhtml" VALUE "mhtml"
            KEYNAME "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\2"
            VALUENAME "mhtml" VALUE "mhtml"
            KEYNAME "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\3"
            VALUENAME "mhtml" VALUE "mhtml"
            KEYNAME "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\4"
            VALUENAME "mhtml" VALUE "mhtml"
            ;Wow6432Node: registry view used by 32-bit processes on 64-bit Windows
            KEYNAME "SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN"
            VALUENAME "explorer.exe" VALUE NUMERIC 1
            VALUENAME "iexplore.exe" VALUE NUMERIC 1
            VALUENAME "*" VALUE NUMERIC 1
            KEYNAME "SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\1"
            VALUENAME "mhtml" VALUE "mhtml"
            KEYNAME "SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\2"
            VALUENAME "mhtml" VALUE "mhtml"
            KEYNAME "SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\3"
            VALUENAME "mhtml" VALUE "mhtml"
            KEYNAME "SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\4"
            VALUENAME "mhtml" VALUE "mhtml"
        END ACTIONLISTON

        ACTIONLISTOFF
            ;Native (64-bit) registry view
            KEYNAME "SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN"
            VALUENAME "explorer.exe" VALUE NUMERIC 0
            VALUENAME "iexplore.exe" VALUE NUMERIC 0
            VALUENAME "*" VALUE DELETE
            KEYNAME "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\1"
            VALUENAME "mhtml" VALUE DELETE
            KEYNAME "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\2"
            VALUENAME "mhtml" VALUE DELETE
            KEYNAME "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\3"
            VALUENAME "mhtml" VALUE DELETE
            KEYNAME "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\4"
            VALUENAME "mhtml" VALUE DELETE
            ;Wow6432Node: registry view used by 32-bit processes on 64-bit Windows
            KEYNAME "SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN"
            VALUENAME "explorer.exe" VALUE NUMERIC 0
            VALUENAME "iexplore.exe" VALUE NUMERIC 0
            VALUENAME "*" VALUE DELETE
            KEYNAME "SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\1"
            VALUENAME "mhtml" VALUE DELETE
            KEYNAME "SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\2"
            VALUENAME "mhtml" VALUE DELETE
            KEYNAME "SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\3"
            VALUENAME "mhtml" VALUE DELETE
            KEYNAME "SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\4"
            VALUENAME "mhtml" VALUE DELETE
        END ACTIONLISTOFF
    END POLICY

END CATEGORY

[STRINGS]
explain32bit="Important: apply this policy only on 32-bit editions of Microsoft Windows.\n\nImplements the first suggested action in the Microsoft Security Advisory 2501696: http://www.microsoft.com/technet/security/advisory/2501696.mspx\n\nIf you enable this setting the MHTML Protocol Lockdown will be enabled.\n\nIf you disable this setting the MHTML Protocol Lockdown will be disabled."
explain64bit="Important: apply this policy only on 64-bit editions of Microsoft Windows.\n\nImplements the first suggested action in the Microsoft Security Advisory 2501696: http://www.microsoft.com/technet/security/advisory/2501696.mspx\n\nIf you enable this setting the MHTML Protocol Lockdown will be enabled.\nPlease note that in this case the "Enable MHTML Protocol Lockdown for 32-bit editions of Microsoft Windows" policy will be enabled too.\n\nIf you disable this setting the MHTML Protocol Lockdown will be disabled.\nPlease note that in this case the "Enable MHTML Protocol Lockdown for 32-bit editions of Microsoft Windows" policy will be disabled too."