CCE-97211-7 | Platform: cpe:/o:microsoft:windows_11 | Date: (C)2023-11-22 (M)2023-11-22
Description: Enhanced Sign-in Security (ESS) isolates Windows Hello biometric (face and fingerprint) template data and the matching operations on that data in trusted hardware or in designated protected memory regions.
Because the channel between the sensors and the matching algorithm is secured, malware cannot inject or replay sensor data in order to simulate a user signing in or to lock a user out of the machine. This protection applies only to ESS-capable sensors.
The recommended state for this setting is: Enabled: 1 (Enhanced Sign-in Security Enabled).
Default Value: Enabled: 1. Note that with ESS enabled, biometric devices that are not supported by Enhanced Sign-in Security (including peripheral devices) will not work with Windows Hello for Business, so inventory the sensors in use before enforcing this value.
Fix:
To establish the recommended configuration via GP, set the following UI path to Enabled: 1 (Enhanced Sign-in Security Enabled):
(1) GPO: Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Hello for Business\Enable ESS with Supported Peripherals
(2) REG: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\Biometrics!EnableESSwithSupportedPeripherals (REG_DWORD)
Parameter:
[Enabled: 0 (Enhanced Sign-in Security Disabled, non-ESS peripherals permitted) / Enabled: 1 (Enhanced Sign-in Security Enabled) / Disabled]
Technical Mechanism:
(1) GPO: Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Hello for Business\Enable ESS with Supported Peripherals
(2) REG: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\Biometrics!EnableESSwithSupportedPeripherals
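The following audit-and-remediation script is an added example for this entry; it is not part of the benchmark text or of any Microsoft tooling. It assumes an elevated PowerShell session on Windows 11, reads the policy value named above, and only writes it when the script's own -Remediate switch is given. The function name Get-EssPolicyState and the -Remediate switch are this script's own names. It also lists the biometric devices present so that non-ESS peripherals that will stop working with Windows Hello for Business can be identified before the value is enforced.

```powershell
# Added example for CCE-97211-7 (not from the benchmark). Run elevated on Windows 11.
# The -Remediate switch and Get-EssPolicyState are this script's own names (assumptions).
[CmdletBinding()]
param(
    [switch]$Remediate
)

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork\Biometrics'
$ValueName = 'EnableESSwithSupportedPeripherals'
$Expected  = 1   # Recommended state: Enhanced Sign-in Security Enabled

function Get-EssPolicyState {
    # Returns the current REG_DWORD, or $null when the policy key or value is absent
    # (i.e. the GPO is Not Configured and nothing has written the value locally).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

$current = Get-EssPolicyState
if ($null -eq $current) {
    $status = 'NOT CONFIGURED (policy value absent)'
} elseif ($current -eq $Expected) {
    $status = 'PASS (value 1, ESS enabled)'
} else {
    $status = "FAIL (value $current)"
}
Write-Output "$ValueName : $status"

if ($Remediate -and $current -ne $Expected) {
    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $Expected -Type DWord
    Write-Output "Set $ValueName = $Expected."
    # On a domain-joined host the GPO rewrites this key at refresh, so the GPO
    # in (1) above must carry the same value or the local change will be reverted.
    Write-Output 'Confirm the GPO matches, then run: gpupdate /force'
}

# Caveat check: enumerate present biometric sensors. Any sensor here that is not
# ESS-capable will no longer work with Windows Hello for Business once value 1 applies.
Get-PnpDevice -Class Biometric -PresentOnly -ErrorAction SilentlyContinue |
    Select-Object FriendlyName, Status, InstanceId
```

Run it once without -Remediate on a representative set of machines to see both the current policy state and the sensor inventory; pilot the change on hosts whose listed sensors are known to be ESS-capable before rolling the GPO out broadly.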
CCSS Severity: MEDIUM | CCSS Score: 5.6 | Exploit Score: 2.2 | Impact Score: 3.4
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
CCSS Metrics:
  Attack Vector: NETWORK
  Attack Complexity: HIGH
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality: LOW
  Integrity: LOW
  Availability: LOW
References: