CCE-37926-3Platform: cpe:/o:microsoft:windows_server_2012::r2 | Date: (C)2015-10-08 (M)2023-07-04 |
Allow signed updates from an intranet Microsoft update service location
This policy setting allows you to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location.
If you enable this policy setting, Automatic Updates accepts updates received through an intranet Microsoft update service location, if they are signed by a certificate found in the 'Trusted Publishers' certificate store of the local computer.
If you disable or do not configure this policy setting, updates from an intranet Microsoft update service location must be signed by Microsoft.
Note: Updates from a service other than an intranet Microsoft update service must always be signed by Microsoft and are not affected by this policy setting.
Parameter:
[enable/disable]
Technical Mechanism:
(1) GPO: Computer ConfigurationAdministrative TemplatesWindows ComponentsWindows Update!Allow signed updates from an intranet Microsoft update service location
(2) REG: HKEY_LOCAL_MACHINESoftwarePoliciesMicrosoftWindowsWindowsUpdate!AcceptTrustedPublisherCerts
CCSS Severity: | CCSS Metrics: |
CCSS Score : 9.0 | Attack Vector: ADJACENT_NETWORK |
Exploit Score: 2.3 | Attack Complexity: LOW |
Impact Score: 6.0 | Privileges Required: LOW |
Severity: CRITICAL | User Interaction: NONE |
Vector: AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | Scope: CHANGED |
| Confidentiality: HIGH |
| Integrity: HIGH |
| Availability: HIGH |
| |
References: Resource Id | Reference |
---|
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:28307 |