Security: Kernel (Direct Memory Access) DMA Protection must be enabled

7464d97c-90d5-49f3-8f02-e3c5e854744d

Kernel DMA Protection protects PCs against drive-by Direct Memory Access (DMA) attacks by PCI hot-plug devices connected to externally accessible PCIe ports such as Thunderbolt 3. A drive-by DMA attack can read sensitive data straight out of system memory (disclosure of keys, credentials or documents) or inject malware that bypasses the lock screen or gives the attacker remote control of the PC. This finding covers the enumeration policy for external devices that are not compatible with Kernel DMA Protection (their drivers do not support DMA remapping): with the policy set to "Block All" such devices are not started at all, otherwise they may be allowed to start with unremapped DMA access to memory.

Remediation

To fix this, configure the policy value for
Computer Configuration
|_ Administrative Templates
|_ System
|_ Kernel DMA Protection
|_ "Enumeration policy for external devices incompatible with Kernel DMA Protection" to "Enabled", with "Enumeration Policy" set to "Block All".

More information: https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/configure?tabs=common#disable-new-dma-devices-when-this-computer-is-locked
Note that the linked section describes the related BitLocker policy "Disable new DMA devices when this computer is locked", which is a separate setting; it does not replace the Kernel DMA Protection enumeration policy above.
Expected registry value (what the STIG check inspects): HKLM\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection\DeviceEnumerationPolicy, REG_DWORD, 0 (0 = Block All). A missing value means the policy is Not Configured and is also a finding.
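The following PowerShell script is an added example, not part of the STIG finding text or any Microsoft or DISA tool. It audits the registry value behind the policy above, optionally enforces "Block All" with -Remediate, and reports the Kernel DMA Protection line from an msinfo32 export so you can tell whether the platform supports the feature at all (on hardware that reports "Not supported" the enumeration policy still has to be set to clear the finding, but it does not buy you DMA protection). The mapping of values 1 and 2 to the other drop-down choices is assumed from the policy's ADMX; value 0 = "Block All" is the one the STIG check confirms. Run it from an elevated prompt.

```powershell
<#
  Added example; not from the STIG page or any Microsoft tool.
  Audits, and with -Remediate enforces, the registry value behind
  "Enumeration policy for external devices incompatible with Kernel DMA
  Protection" = Enabled / Block All (WN11-EP-000310). Run elevated.
#>
[CmdletBinding()]
param(
    [switch]$Remediate
)

# Registry location and value the STIG check inspects. 0 = "Block All".
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection'
$ValueName  = 'DeviceEnumerationPolicy'
$Expected   = 0

# Meaning of each drop-down value. 0 is confirmed by the STIG check;
# 1 and 2 are assumed from the policy's ADMX definition.
$Meaning = @{ 0 = 'Block All'; 1 = 'Only after log in/screen unlock'; 2 = 'Allow All' }

function Get-DmaEnumerationPolicyState {
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent = policy Not Configured, which the STIG treats as a finding.
        return [pscustomobject]@{ Compliant = $false; Value = $null; Meaning = 'Not Configured' }
    }
    $v = [int]$item.$ValueName
    [pscustomobject]@{
        Compliant = ($v -eq $Expected)
        Value     = $v
        Meaning   = if ($Meaning.ContainsKey($v)) { $Meaning[$v] } else { 'Unknown' }
    }
}

function Set-DmaEnumerationPolicyBlockAll {
    # Writes exactly what the GPO writes; a conflicting domain GPO will reset it on refresh.
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    New-ItemProperty -Path $PolicyPath -Name $ValueName -PropertyType DWord `
        -Value $Expected -Force | Out-Null
}

function Get-KernelDmaProtectionStatus {
    # msinfo32 has no scripting API; export a report and read its
    # "Kernel DMA Protection" line (On / Off / Not supported).
    $report = Join-Path $env:TEMP 'msinfo32-dma.txt'
    Start-Process -FilePath msinfo32.exe -ArgumentList "/report `"$report`"" -Wait
    $line = Get-Content -Path $report -Encoding Unicode |
        Where-Object { $_ -match 'Kernel DMA Protection' } |
        Select-Object -First 1
    Remove-Item $report -ErrorAction SilentlyContinue
    if ($line) { ($line -split "`t|\s{2,}")[-1].Trim() } else { 'Unknown' }
}

$state = Get-DmaEnumerationPolicyState
Write-Host ("Kernel DMA Protection (platform): {0}" -f (Get-KernelDmaProtectionStatus))
Write-Host ("{0}\{1} = {2} ({3}) -> {4}" -f $PolicyPath, $ValueName, $state.Value,
    $state.Meaning, $(if ($state.Compliant) { 'COMPLIANT' } else { 'FINDING' }))

if ($Remediate -and -not $state.Compliant) {
    Set-DmaEnumerationPolicyBlockAll
    $after = Get-DmaEnumerationPolicyState
    Write-Host ("Remediated: {0} = {1} ({2})" -f $ValueName, $after.Value, $after.Meaning)
}
```

In a domain, deliver the setting through the GPO path in the remediation steps rather than this direct registry write, otherwise the next policy refresh may overwrite it. Expect "Block All" to stop some legitimate external PCIe or Thunderbolt devices whose drivers lack DMA remapping support; "Only after log in/screen unlock" lets those devices work but is still a finding under this rule.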

STIG: Desktop:
W11: https://www.stigviewer.com/stig/microsoft_windows_11/2023-09-29/finding/V-253426
W10: https://www.stigviewer.com/stig/windows_10/2021-08-18/finding/V-220902
W10: https://www.stigviewer.com/stig/microsoft_windows_10/2023-09-29/finding/V-220902

NIST 800-53: AU-12c.
CAT: II
CCI: CCI-000172
STIG Rule-ID: SV-253426r829362_rule
STIG-ID: WN11-EP-000310
Vuln-ID: V-253426