CCE-97212-5Platform: cpe:/o:microsoft:windows_11 | Date: (C)2023-11-22 (M)2023-11-22 |
Description:This policy setting controls whether winlogon sends Multiple Provider Router (MPR) notifications. MPR handles communication between the Windows operating system and the installed network providers. MPR checks the registry to determine which providers are installed on the system and the order they are cycled through.
MPR is a legacy utility that provides notifications to registered credential managers or network providers when there is a logon event or a password change event. Although this functionality can be used by legitimate applications, it can also be abused by attackers to harvest logon information.
The recommended state for this setting is: Disabled.
Default Value: Enabled. (Winlogon sends MPR notifications if a credential manager is configured.)
Fix:
To establish the recommended configuration via GP, set the following UI path to Disabled:
(1) GPO: Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Logon Options\Enable MPR notifications for the system
(2) REG: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System!EnableMPR
Parameter:
[Enabled/Disabled]
Technical Mechanism:
(1) GPO: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Logon Options\\Enable MPR notifications for the system
(2) REG: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System!EnableMPR
CCSS Severity: | CCSS Metrics: |
CCSS Score : 7.4 | Attack Vector: LOCAL |
Exploit Score: 1.4 | Attack Complexity: HIGH |
Impact Score: 5.9 | Privileges Required: NONE |
Severity: HIGH | User Interaction: NONE |
Vector: AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | Scope: UNCHANGED |
| Confidentiality: HIGH |
| Integrity: HIGH |
| Availability: HIGH |
| |
References: