
Microsoft Edge Security Technical Implementation Guide

V1R0.1 · Released 07 Oct 2020 · 43 rules

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
User control of proxy settings must be disabled.
AC-4 - Medium - CCI-001414 - EDGE-00-000001 - EDGE-00-000001_rule
RMF Control
AC-4
Severity
M
CCI
CCI-001414
Version
EDGE-00-000001
Vuln IDs
  • EDGE-00-000001
Rule IDs
  • EDGE-00-000001_rule
Specify the proxy server settings used by Microsoft Edge. If this policy is enabled, users cannot change the proxy settings. If a proxy server is never used (a connection is always made directly), all other options are ignored. If system proxy settings are used, all other options are ignored. If auto detection of the proxy server is chosen, all other options are ignored. If fixed server proxy mode is chosen, further options can be specified in ProxyServer and 'Comma-separated list of proxy bypass rules'. If a .pac proxy script is used, specify the URL to the script in 'URL to a proxy .pac file'. For detailed examples, go to https://go.microsoft.com/fwlink/?linkid=2094936. If this policy is enabled, Microsoft Edge will ignore all proxy-related options specified from the command line. If this policy is not configured, users can choose their own proxy settings. Policy options mapping:
  • ProxyDisabled (direct) = Never use a proxy
  • ProxyAutoDetect (auto_detect) = Auto detect proxy settings
  • ProxyPacScript (pac_script) = Use a .pac proxy script
  • ProxyFixedServers (fixed_servers) = Use fixed proxy servers
  • ProxyUseSystem (system) = Use system proxy settings
Checks: C-EDGE-00-000001_chk

The policy value for Computer Configuration/Administrative Templates/Microsoft Edge/Proxy server/ProxyMode must be set to one of the following options: "direct", "auto_detect", "pac_script", "fixed_servers", "system". Procedure: Use the Windows Registry Editor to navigate to the following key: SOFTWARE\Policies\Microsoft\Edge. Criteria: If the value for ProxyMode is not set to one of the above selections, this is a finding.

Fix: F-EDGE-00-000001_fix

Set the policy value for Computer Configuration/Administrative Templates/Microsoft Edge/Proxy server/ProxyMode to one of "direct", "auto_detect", "pac_script", "fixed_servers", or "system".

Bypassing Microsoft Defender SmartScreen prompts for sites must be disabled.
MA-3 - Medium - CCI-000870 - EDGE-00-000002 - EDGE-00-000002_rule
RMF Control
MA-3
Severity
M
CCI
CCI-000870
Version
EDGE-00-000002
Vuln IDs
  • EDGE-00-000002
Rule IDs
  • EDGE-00-000002_rule
This policy setting allows a decision to be made on whether users can override the Microsoft Defender SmartScreen warnings about potentially malicious websites. If this setting is enabled, users cannot ignore Microsoft Defender SmartScreen warnings, and are blocked from continuing to the site. If this setting is disabled or not configured, users can ignore Microsoft Defender SmartScreen warnings and continue to the site.
Checks: C-EDGE-00-000002_chk

The policy value for Computer Configuration/Administrative Templates/Microsoft Edge/SmartScreen settings/PreventSmartScreenPromptOverride must be set to "enabled". Procedure: Use the Windows Registry Editor to navigate to the following key: SOFTWARE\Policies\Microsoft\Edge. Criteria: If the value for PreventSmartScreenPromptOverride is not set to "enabled", this is a finding.

Fix: F-EDGE-00-000002_fix

Set the policy value for Computer Configuration/Administrative Templates/Microsoft Edge/SmartScreen settings/PreventSmartScreenPromptOverride to "enabled".

Bypassing of Microsoft Defender SmartScreen warnings about downloads must be disabled.
MA-3 - Medium - CCI-000870 - EDGE-00-000003 - EDGE-00-000003_rule
RMF Control
MA-3
Severity
M
CCI
CCI-000870
Version
EDGE-00-000003
Vuln IDs
  • EDGE-00-000003
Rule IDs
  • EDGE-00-000003_rule
This policy setting allows a decision to be made on whether users can override Microsoft Defender SmartScreen warnings about unverified downloads. If this setting is enabled, users cannot ignore Microsoft Defender SmartScreen warnings, and are prevented from completing the unverified downloads. If this policy is disabled or not configured, users can ignore Microsoft Defender SmartScreen warnings and complete unverified downloads.
Checks: C-EDGE-00-000003_chk

The policy value for Computer Configuration/Administrative Templates/Microsoft Edge/SmartScreen settings/PreventSmartScreenPromptOverrideForFiles must be set to "enabled". Procedure: Use the Windows Registry Editor to navigate to the following key: SOFTWARE\Policies\Microsoft\Edge. Criteria: If the value for PreventSmartScreenPromptOverrideForFiles is not set to "enabled", this is a finding.

Fix: F-EDGE-00-000003_fix

Set the policy value for Computer Configuration/Administrative Templates/Microsoft Edge/SmartScreen settings/PreventSmartScreenPromptOverrideForFiles to "enabled".

The list of domains for which Microsoft Defender SmartScreen will not trigger warnings must be whitelisted if utilized.
MA-3 - Low - CCI-000870 - EDGE-00-000004 - EDGE-00-000004_rule
RMF Control
MA-3
Severity
L
CCI
CCI-000870
Version
EDGE-00-000004
Vuln IDs
  • EDGE-00-000004
Rule IDs
  • EDGE-00-000004_rule
Configure the list of Microsoft Defender SmartScreen trusted domains. This means: Microsoft Defender SmartScreen will not check for potentially malicious resources like phishing software and other malware if the source URLs match these domains. The Microsoft Defender SmartScreen download protection service will not check downloads hosted on these domains. If this policy is enabled, Microsoft Defender SmartScreen trusts these domains. If the policy is disabled or not set, default Microsoft Defender SmartScreen protection is applied to all resources.
Checks: C-EDGE-00-000004_chk

The policy value for Computer Configuration/Administrative Templates/Microsoft Edge/SmartScreen settings/SmartScreenAllowListDomains may be set to "allow" for whitelisted domains. Procedure: Use the Windows Registry Editor to navigate to the following key: SOFTWARE\Policies\Microsoft\Edge. SmartScreenAllowListDomains may be set as follows:
  • SOFTWARE\Policies\Microsoft\Edge\SmartScreenAllowListDomains\1 = mydomain.com
  • SOFTWARE\Policies\Microsoft\Edge\SmartScreenAllowListDomains\2 = myagency.mil
Criteria: The value for SmartScreenAllowListDomains is not required; this is optional.

Fix: F-EDGE-00-000004_fix

The policy value for Computer Configuration/Administrative Templates/Microsoft Edge/SmartScreen settings/SmartScreenAllowListDomains may be set to "allow" for whitelisted domains.

InPrivate mode must be disabled.
AU-10 - Medium - CCI-000166 - EDGE-00-000005 - EDGE-00-000005_rule
RMF Control
AU-10
Severity
M
CCI
CCI-000166
Version
EDGE-00-000005
Vuln IDs
  • EDGE-00-000005
Rule IDs
  • EDGE-00-000005_rule
Specifies whether the user can open pages in InPrivate mode in Microsoft Edge. If this policy is not configured or is set to "Enabled", users can open pages in InPrivate mode. Set this policy to "Disabled" to stop users from using InPrivate mode. Set this policy to "Forced" to always use InPrivate mode. Policy options mapping:
  • Enabled (0) = InPrivate mode available
  • Disabled (1) = InPrivate mode disabled
  • Forced (2) = InPrivate mode forced
Checks: C-EDGE-00-000005_chk

The policy value for Computer Configuration/Administrative Templates/Microsoft Edge/InPrivateModeAvailability must be set to "disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: SOFTWARE\Policies\Microsoft\Edge. Criteria: If the value for InPrivateModeAvailability is not set to "REG_DWORD = 1", this is a finding.

Fix: F-EDGE-00-000005_fix

Set the policy value for Computer Configuration/Administrative Templates/Microsoft Edge/InPrivateModeAvailability to "1".

Browser history must be saved.
AU-10 - Medium - CCI-000166 - EDGE-00-000033 - EDGE-00-000033_rule
RMF Control
AU-10
Severity
M
CCI
CCI-000166
Version
EDGE-00-000033
Vuln IDs
  • EDGE-00-000033
Rule IDs
  • EDGE-00-000033_rule
Enables deleting browser history and download history, and prevents users from changing this setting.
Checks: C-EDGE-00-000033_chk

The policy value for Computer Configuration/Administrative Templates/Microsoft Edge/AllowDeletingBrowserHistory must be set to "disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: SOFTWARE\Policies\Microsoft\Edge. Criteria: If the value for AllowDeletingBrowserHistory is not set to "REG_DWORD = 0", this is a finding.

Fix: F-EDGE-00-000033_fix

Set the policy value for Computer Configuration/Administrative Templates/Microsoft Edge/AllowDeletingBrowserHistory to "0".

Background processing must be disabled.
CM-7 - Medium - CCI-000381 - EDGE-00-000006 - EDGE-00-000006_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
EDGE-00-000006
Vuln IDs
  • EDGE-00-000006
Rule IDs
  • EDGE-00-000006_rule
Background processing allows Microsoft Edge processes to start at OS sign-in and keep running after the last browser window is closed. In this scenario, background apps and the current browsing session remain active, including any session cookies. An open background process displays an icon in the system tray, and can be closed from there. If this policy is enabled, background mode is turned on. If this policy is disabled, background mode is turned off. If this policy is not configured, background mode is initially turned off, and the user can configure its behavior in edge://settings/system.
Checks: C-EDGE-00-000006_chk

The policy value for Computer Configuration/Administrative Templates/Microsoft Edge/BackgroundModeEnabled must be set to "disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: SOFTWARE\Policies\Microsoft\Edge\Recommended. Criteria: If the value for BackgroundModeEnabled is not set to "REG_DWORD = 0", this is a finding.

Fix: F-EDGE-00-000006_fix

Set the policy value for Computer Configuration/Administrative Templates/Microsoft Edge/BackgroundModeEnabled to "0".

The ability of sites to show desktop notifications must be disabled.
CM-7 - Medium - CCI-000381 - EDGE-00-000007 - EDGE-00-000007_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
EDGE-00-000007
Vuln IDs
  • EDGE-00-000007
Rule IDs
  • EDGE-00-000007_rule
Set whether websites can display desktop notifications. Notifications can be allowed by default ('AllowNotifications'), denied by default ('BlockNotifications'), or set to ask the user each time a website wants to show a notification ('AskNotifications'). If this policy is not configured, notifications are allowed by default, and the user can change this setting. Policy options mapping:
  • AllowNotifications (1) = Allow sites to show desktop notifications
  • BlockNotifications (2) = Don't allow any site to show desktop notifications
  • AskNotifications (3) = Ask every time a site wants to show desktop notifications
Checks: C-EDGE-00-000007_chk

The policy value for Computer Configuration/Administrative Templates/Microsoft Edge/Content settings/DefaultNotificationsSetting must be set to "disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: SOFTWARE\Policies\Microsoft\Edge. Criteria: If the value for DefaultNotificationsSetting is not set to "REG_DWORD = 2", this is a finding.

Fix: F-EDGE-00-000007_fix

Set the policy value for Computer Configuration/Administrative Templates/Microsoft Edge/Content settings/DefaultNotificationsSetting to "2".

The ability of sites to show pop-ups must be disabled.
CM-7 - Medium - CCI-000381 - EDGE-00-000008 - EDGE-00-000008_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
EDGE-00-000008
Vuln IDs
  • EDGE-00-000008
Rule IDs
  • EDGE-00-000008_rule
Set whether websites can show pop-up windows. Pop-ups can be allowed on all websites ('AllowPopups') or blocked on all sites ('BlockPopups'). If this policy is configured, pop-up windows are blocked by default, and users can change this setting. Policy options mapping:
  • AllowPopups (1) = Allow all sites to show pop-ups
  • BlockPopups (2) = Do not allow any site to show pop-ups
Checks: C-EDGE-00-000008_chk

The policy value for Computer Configuration/Administrative Templates/Microsoft Edge/Content settings/DefaultPopupsSetting must be set to "disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: SOFTWARE\Policies\Microsoft\Edge. Criteria: If the value for DefaultPopupsSetting is not set to "REG_DWORD = 2", this is a finding.

Fix: F-EDGE-00-000008_fix

Set the policy value for Computer Configuration/Administrative Templates/Microsoft Edge/Content settings/DefaultPopupsSetting to "2".

The default search provider must be set to use an encrypted connection.
CM-7 - Medium - CCI-000381 - EDGE-00-000009 - EDGE-00-000009_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
EDGE-00-000009
Vuln IDs
  • EDGE-00-000009
Rule IDs
  • EDGE-00-000009_rule
Allows a list of up to 10 search engines to be configured, one of which must be marked as the default search engine. The encoding does not need to be specified. Starting in Microsoft Edge 80, the suggest_url and image_search_url parameters are optional. The optional parameter image_search_post_params (a list of comma-separated name/value pairs) is available starting in Microsoft Edge 80. Starting in Microsoft Edge 83, search engine discovery can be enabled with the allow_search_engine_discovery optional parameter. This parameter must be the first item in the list. If allow_search_engine_discovery is not specified, search engine discovery will be disabled by default. Starting in Microsoft Edge 84, this policy can be set as a recommended policy to allow search provider discovery; in that case the allow_search_engine_discovery optional parameter does not need to be added. If this policy is enabled, users cannot add, remove, or change any search engine in the list. Users can set their default search engine to any search engine in the list. If this policy is disabled or not configured, users can modify the search engines list as desired.
Checks: C-EDGE-00-000009_chk

The policy value for Computer Configuration/Administrative Templates/Microsoft Edge/ManagedSearchEngines must be configured. Procedure: Use the Windows Registry Editor to navigate to the following key: SOFTWARE\Policies\Microsoft\Edge\Recommended. Example REG_SZ value text for SOFTWARE\Policies\Microsoft\Edge\ManagedSearchEngines:
  [
    { "allow_search_engine_discovery": true },
    { "is_default": true,
      "keyword": "example1.com",
      "name": "Example1",
      "search_url": "https://www.example1.com/search?q={searchTerms}",
      "suggest_url": "https://www.example1.com/qbox?query={searchTerms}" },
Criteria: If any of the search URLs in the list do not begin with "https", this is a finding.

Fix: F-EDGE-00-000009_fix

Configure the policy value for Computer Configuration/Administrative Templates/Microsoft Edge/ManagedSearchEngines.
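The ManagedSearchEngines check above is the one rule on this page whose criterion lives inside a JSON string rather than a single DWORD, so it needs a parser rather than a value comparison. The PowerShell function below is an added example, not part of the STIG or any DISA tooling: it reads the REG_SZ value from the key the check procedure names (or takes a constructed JSON string for offline use), parses it, and reports every search_url, suggest_url or image_search_url that does not begin with https. The function name, the -SampleJson parameter and the sample data are this example's own assumptions.

```powershell
# Added example (not DISA's): evaluate EDGE-00-000009 (ManagedSearchEngines).
function Test-EdgeManagedSearchEngines {
    param(
        # Key named in the check procedure; HKLM: prefix added for PowerShell's registry provider.
        [string]$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge\Recommended',
        # Optional constructed JSON so the logic can run without touching the registry.
        [string]$SampleJson
    )

    if ($SampleJson) {
        $raw = $SampleJson
    } else {
        $item = Get-ItemProperty -Path $KeyPath -Name ManagedSearchEngines -ErrorAction SilentlyContinue
        $raw  = if ($null -ne $item) { $item.ManagedSearchEngines } else { $null }
    }

    # Unconfigured policy: the check says the value "must be configured".
    if (-not $raw) {
        return [pscustomobject]@{ Status = 'Open'; Reason = 'ManagedSearchEngines is not configured'; BadUrls = @() }
    }

    try {
        $engines = $raw | ConvertFrom-Json
    } catch {
        return [pscustomobject]@{ Status = 'Open'; Reason = "value is not valid JSON: $($_.Exception.Message)"; BadUrls = @() }
    }

    # Every URL-bearing field the policy description mentions is held to the https criterion.
    $urlFields = 'search_url', 'suggest_url', 'image_search_url'
    $bad = @(foreach ($engine in $engines) {
        foreach ($field in $urlFields) {
            $url = $engine.$field
            if ($url -and ($url -notmatch '^https://')) { "$($engine.name): $field = $url" }
        }
    })

    # Informational: the description requires exactly one entry marked is_default.
    $defaults = @($engines | Where-Object { $_.is_default -eq $true }).Count

    [pscustomobject]@{
        Status  = if ($bad.Count -eq 0) { 'NotAFinding' } else { 'Open' }
        Reason  = if ($bad.Count -eq 0) { "all search URLs use https ($defaults default engine(s))" }
                  else { "$($bad.Count) non-https URL(s); $defaults default engine(s)" }
        BadUrls = $bad
    }
}

# Constructed sample (not from any real host): Example2 uses plain http and should be reported.
$sample = @'
[ { "allow_search_engine_discovery": false },
  { "is_default": true, "keyword": "example1.com", "name": "Example1",
    "search_url": "https://www.example1.com/search?q={searchTerms}" },
  { "keyword": "example2.com", "name": "Example2",
    "search_url": "http://www.example2.com/search?q={searchTerms}" } ]
'@

Test-EdgeManagedSearchEngines -SampleJson $sample | Format-List
# Drop -SampleJson to evaluate the live registry value on the host being reviewed.
```

Run without -SampleJson on the reviewed host; a non-empty BadUrls list is the finding the criterion describes.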

Data Synchronization must be disabled.
CM-7 - Medium - CCI-000381 - EDGE-00-000010 - EDGE-00-000010_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
EDGE-00-000010
Vuln IDs
  • EDGE-00-000010
Rule IDs
  • EDGE-00-000010_rule
Disables data synchronization in Microsoft Edge. This policy also prevents the sync consent prompt from appearing. If this policy is not set or applied as recommended, users will be able to turn sync on or off. If this policy is applied as mandatory, users will not be able to turn on sync.
Checks: C-EDGE-00-000010_chk

The policy value for Computer Configuration/Administrative Templates/Microsoft Edge/SyncDisabled must be set to "enabled". Procedure: Use the Windows Registry Editor to navigate to the following key: SOFTWARE\Policies\Microsoft\Edge\Recommended. Criteria: If the value for SyncDisabled is not set to "REG_DWORD = 1", this is a finding.

Fix: F-EDGE-00-000010_fix

Set the policy value for Computer Configuration/Administrative Templates/Microsoft Edge/SyncDisabled to "1".

Network prediction must be disabled.
CM-7 - Medium - CCI-000381 - EDGE-00-000011 - EDGE-00-000011_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
EDGE-00-000011
Vuln IDs
  • EDGE-00-000011
Rule IDs
  • EDGE-00-000011_rule
Enables network prediction and prevents users from changing this setting. This controls DNS prefetching, TCP and SSL pre-connection, and pre-rendering of web pages. If this policy is not configured, network prediction is enabled but the user can change it. Policy options mapping:
  • NetworkPredictionAlways (0) = Predict network actions on any network connection
  • NetworkPredictionWifiOnly (1) = Not supported; if this value is used it will be treated as if 'Predict network actions on any network connection' (0) was set
  • NetworkPredictionNever (2) = Don't predict network actions on any network connection
Checks: C-EDGE-00-000011_chk

The policy value for Computer Configuration/Administrative Templates/Microsoft Edge/NetworkPredictionOptions must be set to "disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: SOFTWARE\Policies\Microsoft\Edge\Recommended. Criteria: If the value for NetworkPredictionOptions is not set to "REG_DWORD = 2", this is a finding.

Fix: F-EDGE-00-000011_fix

Set the policy value for Computer Configuration/Administrative Templates/Microsoft Edge/NetworkPredictionOptions to "2".

Search suggestions must be disabled.
CM-7 - Medium - CCI-000381 - EDGE-00-000012 - EDGE-00-000012_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
EDGE-00-000012
Vuln IDs
  • EDGE-00-000012
Rule IDs
  • EDGE-00-000012_rule
Enables web search suggestions in the Microsoft Edge Address Bar and Auto-Suggest List, and prevents users from changing this policy. If this policy is enabled, web search suggestions are used. If this policy is disabled, web search suggestions are never used; however local history and local favorites suggestions still appear. If this policy is disabled, neither the typed characters, nor the URLs visited, will be included in telemetry to Microsoft. If this policy is not set, search suggestions are enabled but the user can change that.
Checks: C-EDGE-00-000012_chk

The policy value for Computer Configuration/Administrative Templates/Microsoft Edge/SearchSuggestEnabled must be set to "disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: SOFTWARE\Policies\Microsoft\Edge\Recommended. Criteria: If the value for SearchSuggestEnabled is not set to "REG_DWORD = 0", this is a finding.

Fix: F-EDGE-00-000012_fix

Set the policy value for Computer Configuration/Administrative Templates/Microsoft Edge/SearchSuggestEnabled to "0".

Importing of autofill form data must be disabled.
CM-7 - Medium - CCI-000381 - EDGE-00-000013 - EDGE-00-000013_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
EDGE-00-000013
Vuln IDs
  • EDGE-00-000013
Rule IDs
  • EDGE-00-000013_rule
Allows users to import autofill form data from another browser into Microsoft Edge. If this policy is enabled, the option to manually import autofill data is automatically selected. If this policy is disabled, autofill form data is not imported at first run, and users cannot import it manually. If this policy is not configured, autofill data is imported at first run, and users can choose whether to import this data manually during later browsing sessions. This policy cannot be set as a recommendation. This means that Microsoft Edge will import autofill data on first run, but users can select or clear the autofill data option during manual import.
Checks: C-EDGE-00-000013_chk

The policy value for Computer Configuration/Administrative Templates/Microsoft Edge/ImportAutofillFormData must be set to "disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: SOFTWARE\Policies\Microsoft\Edge\Recommended. Criteria: If the value for ImportAutofillFormData is not set to "REG_DWORD = 0", this is a finding.

Fix: F-EDGE-00-000013_fix

Set the policy value for Computer Configuration/Administrative Templates/Microsoft Edge/ImportAutofillFormData to "0".

Importing of browser settings must be disabled.
CM-7 - Medium - CCI-000381 - EDGE-00-000014 - EDGE-00-000014_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
EDGE-00-000014
Vuln IDs
  • EDGE-00-000014
Rule IDs
  • EDGE-00-000014_rule
Allows users to import browser settings from another browser into Microsoft Edge. If this policy is enabled, the Browser settings check box is automatically selected in the Import browser data dialog box. If this policy is disabled, browser settings are not imported at first run, and users cannot import them manually. If this policy is not configured, browser settings are imported at first run, and users can choose whether to import them manually during later browsing sessions.
Checks: C-EDGE-00-000014_chk

The policy value for Computer Configuration/Administrative Templates/Microsoft Edge/ImportBrowserSettings must be set to "disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: SOFTWARE\Policies\Microsoft\Edge\Recommended. Criteria: If the value for ImportBrowserSettings is not set to "REG_DWORD = 0", this is a finding.

Fix: F-EDGE-00-000014_fix

Set the policy value for Computer Configuration/Administrative Templates/Microsoft Edge/ImportBrowserSettings to "0".

Importing of Cookies must be disabled.
CM-7 - Medium - CCI-000381 - EDGE-00-000015 - EDGE-00-000015_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
EDGE-00-000015
Vuln IDs
  • EDGE-00-000015
Rule IDs
  • EDGE-00-000015_rule
Allows users to import Cookies from another browser into Microsoft Edge. If this policy is disabled, Cookies are not imported on first run. If this policy is not configured, Cookies are imported on first run.
Checks: C-EDGE-00-000015_chk

The policy value for Computer Configuration/Administrative Templates/Microsoft Edge/ImportCookies must be set to "disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: SOFTWARE\Policies\Microsoft\Edge\Recommended. Criteria: If the value for ImportCookies is not set to "REG_DWORD = 0", this is a finding.

Fix: F-EDGE-00-000015_fix

Set the policy value for Computer Configuration/Administrative Templates/Microsoft Edge/ImportCookies to "0".

Importing of extensions must be disabled.
CM-7 - Medium - CCI-000381 - EDGE-00-000016 - EDGE-00-000016_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
EDGE-00-000016
Vuln IDs
  • EDGE-00-000016
Rule IDs
  • EDGE-00-000016_rule
Allows users to import extensions from another browser into Microsoft Edge. If this policy is enabled, the Extensions check box is automatically selected in the Import browser data dialog box. If this policy is disabled, extensions are not imported at first run, and users cannot import them manually.
Checks: C-EDGE-00-000016_chk

The policy value for Computer Configuration/Administrative Templates/Microsoft Edge/ImportExtensions must be set to "disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: SOFTWARE\Policies\Microsoft\Edge\Recommended. Criteria: If the value for ImportExtensions is not set to "REG_DWORD = 0", this is a finding.

Fix: F-EDGE-00-000016_fix

Set the policy value for Computer Configuration/Administrative Templates/Microsoft Edge/ImportExtensions to "0".

Importing of browsing history must be disabled.
CM-7 - Medium - CCI-000381 - EDGE-00-000017 - EDGE-00-000017_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
EDGE-00-000017
Vuln IDs
  • EDGE-00-000017
Rule IDs
  • EDGE-00-000017_rule
Allows users to import their browsing history from another browser into Microsoft Edge. If this policy is enabled, the Browsing history check box is automatically selected in the Import browser data dialog box. If this policy is disabled, browsing history data is not imported at first run, and users cannot import this data manually.
Checks: C-EDGE-00-000017_chk

The policy value for Computer Configuration/Administrative Templates/Microsoft Edge/ImportHistory must be set to "disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: SOFTWARE\Policies\Microsoft\Edge\Recommended. Criteria: If the value for ImportHistory is not set to "REG_DWORD = 0", this is a finding.

Fix: F-EDGE-00-000017_fix

Set the policy value for Computer Configuration/Administrative Templates/Microsoft Edge/ImportHistory to "0".

Importing of home page settings must be disabled.
CM-7 - Medium - CCI-000381 - EDGE-00-000018 - EDGE-00-000018_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
EDGE-00-000018
Vuln IDs
  • EDGE-00-000018
Rule IDs
  • EDGE-00-000018_rule
Allows users to import their home page setting from another browser into Microsoft Edge. If this policy is enabled, the option to manually import the home page setting is automatically selected. If this policy is disabled, the home page setting is not imported at first run, and users cannot import it manually.
Checks: C-EDGE-00-000018_chk

The policy value for Computer Configuration/Administrative Templates/Microsoft Edge/ImportHomepage must be set to "disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: SOFTWARE\Policies\Microsoft\Edge\Recommended. Criteria: If the value for ImportHomepage is not set to "REG_DWORD = 0", this is a finding.

Fix: F-EDGE-00-000018_fix

Set the policy value for Computer Configuration/Administrative Templates/Microsoft Edge/ImportHomepage to "0".

Importing of open tabs must be disabled.
CM-7 - Medium - CCI-000381 - EDGE-00-000019 - EDGE-00-000019_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
EDGE-00-000019
Vuln IDs
  • EDGE-00-000019
Rule IDs
  • EDGE-00-000019_rule
Allows users to import open and pinned tabs from another browser into Microsoft Edge. If this policy is enabled, the Open tabs check box is automatically selected in the Import browser data dialog box. If this policy is disabled, open tabs are not imported at first run, and users cannot import them manually. If this policy is not configured, open tabs are imported at first run, and users can choose whether to import them manually during later browsing sessions.
Checks: C-EDGE-00-000019_chk

The policy value for Computer Configuration/Administrative Templates/Microsoft Edge/ImportOpenTabs must be set to "disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: SOFTWARE\Policies\Microsoft\Edge\Recommended. Criteria: If the value for ImportOpenTabs is not set to "REG_DWORD = 0", this is a finding.

Fix: F-EDGE-00-000019_fix

Set the policy value for Computer Configuration/Administrative Templates/Microsoft Edge/ImportOpenTabs to "0".

Importing of payment info must be disabled.
CM-7 - Medium - CCI-000381 - EDGE-00-000020 - EDGE-00-000020_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
EDGE-00-000020
Vuln IDs
  • EDGE-00-000020
Rule IDs
  • EDGE-00-000020_rule
Allows users to import payment info from another browser into Microsoft Edge. If this policy is enabled, the payment info check box is automatically selected in the Import browser data dialog box. If this policy is disabled, payment info is not imported at first run, and users cannot import it manually.
Checks: C-EDGE-00-000020_chk

The policy value for Computer Configuration/Administrative Templates/Microsoft Edge/ImportPaymentInfo must be set to "disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: SOFTWARE\Policies\Microsoft\Edge\Recommended. Criteria: If the value for ImportPaymentInfo is not set to "REG_DWORD = 0", this is a finding.

Fix: F-EDGE-00-000020_fix

Set the policy value for Computer Configuration/Administrative Templates/Microsoft Edge/ImportPaymentInfo to "0".

Importing of saved passwords must be disabled.
CM-7 - Medium - CCI-000381 - EDGE-00-000021 - EDGE-00-000021_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
EDGE-00-000021
Vuln IDs
  • EDGE-00-000021
Rule IDs
  • EDGE-00-000021_rule
Allows users to import saved passwords from another browser into Microsoft Edge. If this policy is enabled, the option to manually import saved passwords is automatically selected. If this policy is disabled, saved passwords are not imported on first run, and users cannot import them manually.
Checks: C-EDGE-00-000021_chk

The policy value for Computer Configuration/Administrative Templates/Microsoft Edge/ImportSavedPasswords must be set to "disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: SOFTWARE\Policies\Microsoft\Edge\Recommended. Criteria: If the value for ImportSavedPasswords is not set to "REG_DWORD = 0", this is a finding.

Fix: F-EDGE-00-000021_fix

Set the policy value for Computer Configuration/Administrative Templates/Microsoft Edge/ImportSavedPasswords to "0".

Importing of search engine settings must be disabled.
CM-7 - Medium - CCI-000381 - EDGE-00-000022 - EDGE-00-000022_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
EDGE-00-000022
Vuln IDs
  • EDGE-00-000022
Rule IDs
  • EDGE-00-000022_rule
Allows users to import search engine settings from another browser into Microsoft Edge. If this policy is enabled, the option to import search engine settings is automatically selected. If this policy is disabled, search engine settings are not imported at first run, and users cannot import them manually.
Checks: C-EDGE-00-000022_chk

The policy value for Computer Configuration/Administrative Templates/Microsoft Edge/ImportSearchEngine must be set to "disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: SOFTWARE\Policies\Microsoft\Edge\Recommended. Criteria: If the value for ImportSearchEngine is not set to "REG_DWORD = 0", this is a finding.

Fix: F-EDGE-00-000022_fix

Set the policy value for Computer Configuration/Administrative Templates/Microsoft Edge/ImportSearchEngine to "0".

Importing of shortcuts must be disabled.
CM-7 - Medium - CCI-000381 - EDGE-00-000023 - EDGE-00-000023_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
EDGE-00-000023
Vuln IDs
  • EDGE-00-000023
Rule IDs
  • EDGE-00-000023_rule
Allows users to import Shortcuts from another browser into Microsoft Edge. If this policy is disabled, Shortcuts are not imported on first run. If this policy is not configured, Shortcuts are imported on first run.
Checks: C-EDGE-00-000023_chk

The policy value for Computer Configuration/Administrative Templates/Microsoft Edge/ImportShortcuts must be set to "disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: SOFTWARE\Policies\Microsoft\Edge\Recommended. Criteria: If the value for ImportShortcuts is not set to "REG_DWORD = 0", this is a finding.

Fix: F-EDGE-00-000023_fix

Set the policy value for Computer Configuration/Administrative Templates/Microsoft Edge/ImportShortcuts to "0".

Autoplay must be disabled.
CM-7 - Medium - CCI-000381 - EDGE-00-000024 - EDGE-00-000024_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
EDGE-00-000024
Vuln IDs
  • EDGE-00-000024
Rule IDs
  • EDGE-00-000024_rule
This policy sets the media autoplay policy for websites. The default setting, "Not configured", respects the current media autoplay settings and lets users configure their autoplay settings. Setting it to "Enabled" sets media autoplay to "Allow": all websites are allowed to autoplay media, and users cannot override this policy. Setting it to "Disabled" sets media autoplay to "Block": no websites are allowed to autoplay media, and users cannot override this policy.
Checks: C-EDGE-00-000024_chk

The policy value for Computer Configuration/Administrative Templates/Microsoft Edge/AutoplayAllowed must be set to "disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: SOFTWARE\Policies\Microsoft\Edge. Criteria: If the value for AutoplayAllowed is not set to "REG_DWORD = 0", this is a finding.

Fix: F-EDGE-00-000024_fix

Set the policy value for Computer Configuration/Administrative Templates/Microsoft Edge/AutoplayAllowed to "0".

b
WebUSB must be disabled.
CM-7 - Medium - CCI-000381 - EDGE-00-000025 - EDGE-00-000025_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
EDGE-00-000025
Vuln IDs
  • EDGE-00-000025
Rule IDs
  • EDGE-00-000025_rule
Set whether websites can access connected USB devices. Access can be blocked completely, or the user can be asked each time a website wants access to connected USB devices. Override this policy for specific URL patterns by using the WebUsbAskForUrls and WebUsbBlockedForUrls policies. If this policy is not configured, sites can ask users whether they can access the connected USB devices ('AskWebUsb') by default, and users can change this setting. Policy options mapping: *BlockWebUsb (2) = Do not allow any site to request access to USB devices via the WebUSB API *AskWebUsb (3) = Allow sites to ask the user to grant access to a connected USB device.
Checks: C-EDGE-00-000025_chk

The policy value for Computer Configuration/Administrative Templates/Microsoft Edge/Content settings/DefaultWebUsbGuardSetting must be set to "enabled" with the option "Do not allow any site to request access to USB devices via the WebUSB API" (BlockWebUsb). Procedure: Use the Windows Registry Editor to navigate to the following key: SOFTWARE\Policies\Microsoft\Edge. Criteria: If the value for DefaultWebUsbGuardSetting is not set to "REG_DWORD = 2", this is a finding.

Fix: F-EDGE-00-000025_fix

Set the policy value for Computer Configuration/Administrative Templates/Microsoft Edge/Content settings/DefaultWebUsbGuardSetting to "2".

b
Google Cast must be disabled.
CM-7 - Medium - CCI-000381 - EDGE-00-000026 - EDGE-00-000026_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
EDGE-00-000026
Vuln IDs
  • EDGE-00-000026
Rule IDs
  • EDGE-00-000026_rule
Enable this policy to enable Google Cast. Users will be able to launch it from the app menu, page context menus, media controls on Cast-enabled websites, and (if shown) the Cast toolbar icon. Disable this policy to disable Google Cast. By default, Google Cast is enabled.
Checks: C-EDGE-00-000026_chk

The policy value for Computer Configuration/Administrative Templates/Microsoft Edge/Cast/EnableMediaRouter must be set to "disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: SOFTWARE\Policies\Microsoft\Edge. Criteria: If the value for EnableMediaRouter is not set to "REG_DWORD = 0", this is a finding.

Fix: F-EDGE-00-000026_fix

Set the policy value for Computer Configuration/Administrative Templates/Microsoft Edge/Cast/EnableMediaRouter to "0".

b
Web Bluetooth API must be disabled.
CM-7 - Medium - CCI-000381 - EDGE-00-000027 - EDGE-00-000027_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
EDGE-00-000027
Vuln IDs
  • EDGE-00-000027
Rule IDs
  • EDGE-00-000027_rule
Control whether websites can access nearby Bluetooth devices. Access can be blocked completely, or the site can be required to ask the user each time it wants to access a Bluetooth device. If this policy is not configured, the default value ('AskWebBluetooth', meaning users are asked each time) is used and users can change it. Policy options mapping: *BlockWebBluetooth (2) = Do not allow any site to request access to Bluetooth devices via the Web Bluetooth API *AskWebBluetooth (3) = Allow sites to ask the user to grant access to a nearby Bluetooth device.
Checks: C-EDGE-00-000027_chk

The policy value for Computer Configuration/Administrative Templates/Microsoft Edge/Content settings/DefaultWebBluetoothGuardSetting must be set to "enabled" with the option "Do not allow any site to request access to Bluetooth devices via the Web Bluetooth API" (BlockWebBluetooth). Procedure: Use the Windows Registry Editor to navigate to the following key: SOFTWARE\Policies\Microsoft\Edge. Criteria: If the value for DefaultWebBluetoothGuardSetting is not set to "REG_DWORD = 2", this is a finding.

Fix: F-EDGE-00-000027_fix

Set the policy value for Computer Configuration/Administrative Templates/Microsoft Edge/Content settings/DefaultWebBluetoothGuardSetting to "2".

b
Autofill for Credit Cards must be disabled.
CM-7 - Medium - CCI-000381 - EDGE-00-000028 - EDGE-00-000028_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
EDGE-00-000028
Vuln IDs
  • EDGE-00-000028
Rule IDs
  • EDGE-00-000028_rule
Enables the Microsoft Edge AutoFill feature and lets users auto complete credit card information in web forms using previously stored information. If this policy is disabled, AutoFill never suggests or fills credit card information, nor will it save additional credit card information that users might submit while browsing the web. If this policy is enabled or not configured, users can control AutoFill for credit cards.
Checks: C-EDGE-00-000028_chk

The policy value for Computer Configuration/Administrative Templates/Microsoft Edge/AutofillCreditCardEnabled must be set to "disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: SOFTWARE\Policies\Microsoft\Edge. Criteria: If the value for AutofillCreditCardEnabled is not set to "REG_DWORD = 0", this is a finding.

Fix: F-EDGE-00-000028_fix

Set the policy value for Computer Configuration/Administrative Templates/Microsoft Edge/AutofillCreditCardEnabled to "0".

b
Autofill for addresses must be disabled.
CM-7 - Medium - CCI-000381 - EDGE-00-000029 - EDGE-00-000029_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
EDGE-00-000029
Vuln IDs
  • EDGE-00-000029
Rule IDs
  • EDGE-00-000029_rule
Enables the AutoFill feature and allows users to auto-complete address information in web forms using previously stored information. If this policy is disabled, AutoFill never suggests or fills address information, nor will it save additional address information that users might submit while browsing the web. If this policy is enabled or not configured, users can control AutoFill for addresses in the user interface.
Checks: C-EDGE-00-000029_chk

The policy value for Computer Configuration/Administrative Templates/Microsoft Edge/AutofillAddressEnabled must be set to "disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: SOFTWARE\Policies\Microsoft\Edge. Criteria: If the value for AutofillAddressEnabled is not set to "REG_DWORD = 0", this is a finding.

Fix: F-EDGE-00-000029_fix

Set the policy value for Computer Configuration/Administrative Templates/Microsoft Edge/AutofillAddressEnabled to "0".

b
Personalization of ads, search, and news by sending browsing history to Microsoft must be disabled.
CM-7 - Medium - CCI-000381 - EDGE-00-000031 - EDGE-00-000031_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
EDGE-00-000031
Vuln IDs
  • EDGE-00-000031
Rule IDs
  • EDGE-00-000031_rule
This policy prevents Microsoft from collecting a user's Microsoft Edge browsing history to be used for personalizing advertising, search, news and other Microsoft services. This setting is only available for users with a Microsoft account. This setting is not available for child accounts or enterprise accounts. If this policy is disabled, users cannot change or override the setting. If this policy is enabled or not configured, Microsoft Edge will default to the user's preference.
Checks: C-EDGE-00-000031_chk

The policy value for Computer Configuration/Administrative Templates/Microsoft Edge/PersonalizationReportingEnabled must be set to "disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: SOFTWARE\Policies\Microsoft\Edge. Criteria: If the value for PersonalizationReportingEnabled is not set to "REG_DWORD = 0", this is a finding.

Fix: F-EDGE-00-000031_fix

Set the policy value for Computer Configuration/Administrative Templates/Microsoft Edge/PersonalizationReportingEnabled to "0".

b
Site tracking of a user’s location must be disabled.
CM-7 - Medium - CCI-000381 - EDGE-00-000032 - EDGE-00-000032_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
EDGE-00-000032
Vuln IDs
  • EDGE-00-000032
Rule IDs
  • EDGE-00-000032_rule
Set whether websites can track users' physical locations. Tracking can be allowed by default ('AllowGeolocation'), denied by default ('BlockGeolocation'), or the user asked each time a website requests their location ('AskGeolocation'). If this policy is not configured, 'AskGeolocation' is used and the user can change it. Policy options mapping: AllowGeolocation (1) = Allow sites to track users' physical location BlockGeolocation (2) = Don't allow any site to track users' physical location AskGeolocation (3) = Ask whenever a site wants to track users' physical location.
Checks: C-EDGE-00-000032_chk

The policy value for Computer Configuration/Administrative Templates/Microsoft Edge/Content settings/DefaultGeolocationSetting must be set to "enabled". Procedure: Use the Windows Registry Editor to navigate to the following key: SOFTWARE\Policies\Microsoft\Edge. Criteria: If the value for DefaultGeolocationSetting is not set to "REG_DWORD = 2", this is a finding.

Fix: F-EDGE-00-000032_fix

Set the policy value for Computer Configuration/Administrative Templates/Microsoft Edge/Content settings/DefaultGeolocationSetting to "2".

a
Edge development tools must be disabled.
CM-7 - Low - CCI-000381 - EDGE-00-000034 - EDGE-00-000034_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
EDGE-00-000034
Vuln IDs
  • EDGE-00-000034
Rule IDs
  • EDGE-00-000034_rule
While the risk associated with browser development tools is more related to the proper design of a web application, a risk vector remains within the browser. The developer tools allow end users and application developers to view and edit all types of web application-related data via the browser. Page elements, source code, javascript, API calls, application data, etc., may all be viewed and potentially manipulated. Manipulation could be useful for troubleshooting legitimate issues, and this may be performed in a development environment. Manipulation could also be malicious and must be addressed.
Checks: C-EDGE-00-000034_chk

The policy value for Computer Configuration/Administrative Templates/Microsoft Edge/DeveloperToolsAvailability must be set to "DeveloperToolsDisallowed". Procedure: Use the Windows Registry Editor to navigate to the following key: SOFTWARE\Policies\Microsoft\Edge. Criteria: If the value for DeveloperToolsAvailability is not set to "REG_DWORD = 2", this is a finding.

Fix: F-EDGE-00-000034_fix

Set the policy value for Computer Configuration/Administrative Templates/Microsoft Edge/DeveloperToolsAvailability to "2".

b
Flash plugin must be disabled by default.
CM-7 - Medium - CCI-000381 - EDGE-00-000035 - EDGE-00-000035_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
EDGE-00-000035
Vuln IDs
  • EDGE-00-000035
Rule IDs
  • EDGE-00-000035_rule
PluginsAllowedForUrls and PluginsBlockedForUrls are checked first, then this policy. The options are 'ClickToPlay' and 'BlockPlugins'. If this policy is set to 'BlockPlugins', this plugin is denied for all websites. 'ClickToPlay' lets the Flash plugin run, but users click the placeholder to start it. If this policy is not set, it uses BlockPlugins and users can change this setting. Note: Automatic playback is only for domains explicitly listed in the PluginsAllowedForUrls policy. To turn automatic playback on for all sites, add http://* and https://* to the allowed list of URLs. Policy options mapping: *BlockPlugins (2) = Block the Adobe Flash plugin *ClickToPlay (3) = Click to play.
Checks: C-EDGE-00-000035_chk

The policy value for Computer Configuration/Administrative Templates/Microsoft Edge/Content settings/DefaultPluginsSetting must be set to "BlockPlugins". Procedure: Use the Windows Registry Editor to navigate to the following key: SOFTWARE\Policies\Microsoft\Edge. Criteria: If the value for DefaultPluginsSetting is not set to "REG_DWORD = 2", this is a finding.

Fix: F-EDGE-00-000035_fix

Set the policy value for Computer Configuration/Administrative Templates/Microsoft Edge/Content settings/DefaultPluginsSetting to "2".

a
Download restrictions must be configured.
CM-7 - Low - CCI-000381 - EDGE-00-000036 - EDGE-00-000036_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
EDGE-00-000036
Vuln IDs
  • EDGE-00-000036
Rule IDs
  • EDGE-00-000036_rule
Configures the type of downloads that Microsoft Edge completely blocks, without letting users override the security decision. Set "BlockDangerousDownloads" to allow all downloads except for those that carry Microsoft Defender SmartScreen warnings. Set "BlockPotentiallyDangerousDownloads" to allow all downloads except for those that carry Microsoft Defender SmartScreen warnings of potentially dangerous or unwanted downloads. Set "BlockAllDownloads" to block all downloads. If this policy is not configured or the 'DefaultDownloadSecurity' option is set, downloads go through the usual security restrictions based on Microsoft Defender SmartScreen analysis results. Note that these restrictions apply to downloads from web page content, as well as the "download link... " context menu option. These restrictions do not apply to saving or downloading the currently displayed page, nor do they apply to the "Save as PDF" option from the printing options. See https://go.microsoft.com/fwlink/?linkid=2094934 for more info on Microsoft Defender SmartScreen. Policy options mapping: DefaultDownloadSecurity (0) = No special restrictions *BlockDangerousDownloads (1) = Block dangerous downloads *BlockPotentiallyDangerousDownloads (2) = Block potentially dangerous or unwanted downloads *BlockAllDownloads (3) = Block all downloads.
Checks: C-EDGE-00-000036_chk

The policy value for Computer Configuration/Administrative Templates/Microsoft Edge/DownloadRestrictions must be set to "BlockPotentiallyDangerousDownloads". Procedure: Use the Windows Registry Editor to navigate to the following key: SOFTWARE\Policies\Microsoft\Edge. Criteria: If the value for DownloadRestrictions is not set to "REG_DWORD = 2", this is a finding.

Fix: F-EDGE-00-000036_fix

Set the policy value for Computer Configuration/Administrative Templates/Microsoft Edge/DownloadRestrictions to "2".

b
Online revocation checks must be performed.
IA-5 - Medium - CCI-000185 - EDGE-00-000030 - EDGE-00-000030_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000185
Version
EDGE-00-000030
Vuln IDs
  • EDGE-00-000030
Rule IDs
  • EDGE-00-000030_rule
Control whether online revocation checks (OCSP/CRL checks) are required. If Microsoft Edge cannot get revocation status information, these certificates are treated as revoked ("hard-fail"). If this policy is enabled, Microsoft Edge always performs revocation checking for server certificates that successfully validate and are signed by locally installed CA certificates.
Checks: C-EDGE-00-000030_chk

The policy value for Computer Configuration/Administrative Templates/Microsoft Edge/RequireOnlineRevocationChecksForLocalAnchors must be set to "enabled". Procedure: Use the Windows Registry Editor to navigate to the following key: SOFTWARE\Policies\Microsoft\Edge. Criteria: If the value for RequireOnlineRevocationChecksForLocalAnchors is not set to "REG_DWORD = 1", this is a finding.

Fix: F-EDGE-00-000030_fix

Set the policy value for Computer Configuration/Administrative Templates/Microsoft Edge/RequireOnlineRevocationChecksForLocalAnchors to "1".

b
URLs must be whitelisted for plugin use.
CM-11 - Medium - CCI-001812 - EDGE-00-000039 - EDGE-00-000039_rule
RMF Control
CM-11
Severity
M
CCI
CCI-001812
Version
EDGE-00-000039
Vuln IDs
  • EDGE-00-000039
Rule IDs
  • EDGE-00-000039_rule
Define a list of sites, based on URL patterns, that can open pop-up windows. This rule governs the PopupsAllowedForUrls content setting; despite the rule title, it does not control plugin behavior (see DefaultPluginsSetting, EDGE-00-000035, for that).
Checks: C-EDGE-00-000039_chk

The policy value for Computer Configuration/Administrative Templates/Microsoft Edge/Content settings/PopupsAllowedForUrls must list the URL patterns that are permitted to open pop-up windows. Procedure: Use the Windows Registry Editor to navigate to the following key: SOFTWARE\Policies\Microsoft\Edge. PopupsAllowedForUrls must be set as follows (one REG_SZ value per entry, named 1, 2, 3, ...): SOFTWARE\Policies\Microsoft\Edge\PopupsAllowedForUrls\1 = mydomain.com SOFTWARE\Policies\Microsoft\Edge\PopupsAllowedForUrls\2 = myagency.mil Criteria: If the value for PopupsAllowedForUrls is not set, this is a finding. If no URLs in the agency require whitelisting for pop-up windows, this is not applicable.

Fix: F-EDGE-00-000039_fix

Set the policy value for Computer Configuration/Administrative Templates/Microsoft Edge/Content settings/PopupsAllowedForUrls to the list of whitelisted URL patterns that may open pop-up windows.

b
Extensions installation must be blocklisted by default.
CM-7 - Medium - CCI-001767 - EDGE-00-000041 - EDGE-00-000041_rule
RMF Control
CM-7
Severity
M
CCI
CCI-001767
Version
EDGE-00-000041
Vuln IDs
  • EDGE-00-000041
Rule IDs
  • EDGE-00-000041_rule
List specific extensions that users cannot install in Microsoft Edge. When this policy is deployed, any extensions on this list that were previously installed will be disabled, and the user will not be able to enable them. If an item is removed from the list of blocked extensions, the extension is automatically re-enabled anywhere it was previously installed. Use "*" to block all extensions that are not explicitly listed in the allow list. If this policy is not configured, users can install any extension in Microsoft Edge.
Checks: C-EDGE-00-000041_chk

The policy value for Computer Configuration/Administrative Templates/Microsoft Edge/Extensions/ExtensionInstallBlocklist must be set to block all extensions that are not explicitly listed in the allow list. Procedure: Use the Windows Registry Editor to navigate to the following key: SOFTWARE\Policies\Microsoft\Edge. ExtensionInstallBlocklist is a list policy and must be set as follows: SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallBlocklist\1 = "*" Criteria: If the ExtensionInstallBlocklist list does not contain an entry with the value "REG_SZ = *", this is a finding.

Fix: F-EDGE-00-000041_fix

Set the policy value for Computer Configuration/Administrative Templates/Microsoft Edge/Extensions/ExtensionInstallBlocklist to "*".

b
Extensions that are approved for use must be allowlisted.
CM-7 - Medium - CCI-001774 - EDGE-00-000042 - EDGE-00-000042_rule
RMF Control
CM-7
Severity
M
CCI
CCI-001774
Version
EDGE-00-000042
Vuln IDs
  • EDGE-00-000042
Rule IDs
  • EDGE-00-000042_rule
By default, all extensions are allowed. However, if all extensions are blocked by setting the "ExtensionInstallBlocklist" policy to "*", users can only install the extensions defined in this policy. Entries are extension IDs, not URLs.
Checks: C-EDGE-00-000042_chk

The policy value for Computer Configuration/Administrative Templates/Microsoft Edge/Extensions/ExtensionInstallAllowlist must list the IDs of the extensions approved for use. Procedure: Use the Windows Registry Editor to navigate to the following key: SOFTWARE\Policies\Microsoft\Edge. ExtensionInstallAllowlist must be set as follows (one REG_SZ value per extension ID, named 1, 2, 3, ...): SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallAllowlist\1 = "extension_id1" SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallAllowlist\2 = "extension_id2" Criteria: If the value for ExtensionInstallAllowlist is not set, this is a finding. If no extensions in the agency require whitelisting for use, this is not applicable.

Fix: F-EDGE-00-000042_fix

Set the policy value for Computer Configuration/Administrative Templates/Microsoft Edge/Extensions/ExtensionInstallAllowlist to the list of approved extension IDs.
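The three list-valued policies in this section (PopupsAllowedForUrls, ExtensionInstallBlocklist, ExtensionInstallAllowlist) are stored differently from the single-value policies: each entry is a REG_SZ value named 1, 2, 3, ... under a subkey of the same name as the policy. The PowerShell below is an added example, not part of the STIG or of Microsoft's tooling. It reads those subkeys, applies the criteria from the three checks above, and (only when -Remediate is given) rebuilds the lists. The sample extension ID and the URL patterns in the remediation section are placeholders to be replaced with agency-approved values; the 32-letter a-p format it validates against is the Chromium/Edge extension ID format.

```powershell
# Added example (not from the STIG): audit and set Edge list policies
# for EDGE-00-000039, EDGE-00-000041 and EDGE-00-000042.
# Assumes: run elevated (HKLM write needed for -Remediate); the entries
# passed to Set-EdgeListPolicy below are placeholders, not approved values.
[CmdletBinding()]
param([switch]$Remediate)

$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

function Get-EdgeListPolicy {
    param([string]$Name)
    $key = Get-Item -Path (Join-Path $Base $Name) -ErrorAction SilentlyContinue
    if ($null -eq $key) { return @() }            # subkey absent => policy not configured
    # Entries are REG_SZ values named 1, 2, 3 ... ; return them in numeric order.
    @($key.GetValueNames() | Sort-Object { $_ -as [int] } | ForEach-Object { $key.GetValue($_) })
}

function Set-EdgeListPolicy {
    param([string]$Name, [string[]]$Entries)
    $path = Join-Path $Base $Name
    # Rebuild the subkey so stale entries from an earlier list do not linger.
    if (Test-Path $path) { Remove-Item -Path $path -Recurse }
    $null = New-Item -Path $path -Force
    $i = 1
    foreach ($entry in $Entries) {
        $null = New-ItemProperty -Path $path -Name ([string]$i) -Value $entry -PropertyType String
        $i++
    }
}

function Test-EdgeListPolicies {
    $findings = @()

    # EDGE-00-000039: pop-up allow list must exist (N/A if the agency needs none).
    $popups = Get-EdgeListPolicy 'PopupsAllowedForUrls'
    if ($popups.Count -eq 0) {
        $findings += 'EDGE-00-000039: PopupsAllowedForUrls is not set (N/A only if no site needs pop-ups)'
    }

    # EDGE-00-000041: block list must contain "*" so unlisted extensions are blocked.
    $block = Get-EdgeListPolicy 'ExtensionInstallBlocklist'
    if ($block -notcontains '*') {
        $findings += 'EDGE-00-000041: ExtensionInstallBlocklist does not contain "*"'
    }

    # EDGE-00-000042: allow list entries must be extension IDs (32 letters, a-p),
    # not URLs; a URL here silently allows nothing.
    $allow = Get-EdgeListPolicy 'ExtensionInstallAllowlist'
    if ($allow.Count -eq 0) {
        $findings += 'EDGE-00-000042: ExtensionInstallAllowlist is not set (N/A only if no extension is approved)'
    }
    foreach ($id in $allow) {
        if ($id -notmatch '^[a-p]{32}$') {
            $findings += "EDGE-00-000042: '$id' is not a valid extension ID"
        }
    }
    return $findings
}

if ($Remediate) {
    # PLACEHOLDER values: replace with the agency's approved patterns and IDs.
    Set-EdgeListPolicy 'PopupsAllowedForUrls'     @('mydomain.com', 'myagency.mil')
    Set-EdgeListPolicy 'ExtensionInstallBlocklist' @('*')
    Set-EdgeListPolicy 'ExtensionInstallAllowlist' @('abcdefghijklmnopabcdefghijklmnop')  # placeholder ID
}

$open = @(Test-EdgeListPolicies)
if ($open.Count -eq 0) { Write-Host 'List policies: NotAFinding' } else { $open | Write-Warning }
exit $open.Count
```

Run it without arguments to audit; the exit code is the number of open items, which makes it easy to call from a configuration-management job. The blocklist check is deliberately "contains" rather than "equals": additional explicit IDs next to "*" are harmless, but a list that lacks "*" leaves every unlisted extension installable.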

b
The Password Manager must be disabled.
IA-5 - Medium - CCI-002007 - EDGE-00-000043 - EDGE-00-000043_rule
RMF Control
IA-5
Severity
M
CCI
CCI-002007
Version
EDGE-00-000043
Vuln IDs
  • EDGE-00-000043
Rule IDs
  • EDGE-00-000043_rule
Enable Microsoft Edge to save user passwords. If this policy is enabled, users can save their passwords in Microsoft Edge. The next time the user visits the site, Microsoft Edge will enter the password automatically.
Checks: C-EDGE-00-000043_chk

The policy value for Computer Configuration/Administrative Templates/Microsoft Edge/Password manager and protection/PasswordManagerEnabled must be set to "disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: SOFTWARE\Policies\Microsoft\Edge. Criteria: If the value for PasswordManagerEnabled is not set to "REG_DWORD = 0", this is a finding.

Fix: F-EDGE-00-000043_fix

Set the policy value for Computer Configuration/Administrative Templates/Microsoft Edge/Password manager and protection/PasswordManagerEnabled to "0".

b
The HTTPS warning page must not be able to be bypassed.
SC-23 - Medium - CCI-002470 - EDGE-00-000044 - EDGE-00-000044_rule
RMF Control
SC-23
Severity
M
CCI
CCI-002470
Version
EDGE-00-000044
Vuln IDs
  • EDGE-00-000044
Rule IDs
  • EDGE-00-000044_rule
Microsoft Edge shows a warning page when users visit sites that have SSL errors. If this policy is enabled or not configured (default), users can click through these warning pages. If this policy is disabled, users are blocked from clicking through any warning page.
Checks: C-EDGE-00-000044_chk

The policy value for Computer Configuration/Administrative Templates/Microsoft Edge/SSLErrorOverrideAllowed must be set to "disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: SOFTWARE\Policies\Microsoft\Edge. Criteria: If the value for SSLErrorOverrideAllowed is not set to "REG_DWORD = 0", this is a finding.

Fix: F-EDGE-00-000044_fix

Set the policy value for Computer Configuration/Administrative Templates/Microsoft Edge/SSLErrorOverrideAllowed to "0".

c
The version of Microsoft Edge running on the system must be a supported version.
SI-2 - High - CCI-002605 - EDGE-00-000045 - EDGE-00-000045_rule
RMF Control
SI-2
Severity
H
CCI
CCI-002605
Version
EDGE-00-000045
Vuln IDs
  • EDGE-00-000045
Rule IDs
  • EDGE-00-000045_rule
Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously. Organization-defined time periods for updating security-relevant software may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). This requirement will apply to software patch management solutions that are used to install patches across the enclave and also to applications themselves that are not part of that patch management solution. For example, many browsers today provide the capability to install their own patch software. Patch criticality, as well as system criticality will vary. Therefore, the tactical situations regarding the patch management process will also vary. This means that the time period utilized must be a configurable parameter. Time frames for application of security-relevant software updates may be dependent upon the Information Assurance Vulnerability Management (IAVM) process. The application will be configured to check for and install security-relevant software updates within an identified time period from the availability of the update. The specific time period will be defined by an authoritative source (e.g. IAVM, CTOs, DTMs, and STIGs).
Checks: C-EDGE-00-000045_chk

Open edge://settings/help (or edge://version) to display the installed Edge version and build. Cross-reference the build information displayed with the Microsoft Edge site to identify, at minimum, the oldest supported build available. If the installed version of Edge is not supported by Microsoft, this is a finding.

Fix: F-EDGE-00-000045_fix

Install a supported version of Edge.
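The check above is a manual comparison. For fleet-wide auditing, the PowerShell below (an added example, not part of the STIG) reads the product version from the installed msedge.exe and compares it with a minimum version the auditor supplies. The minimum itself is not on this page and changes with every Edge release, so it is a mandatory parameter rather than a baked-in number; take it from Microsoft's current release notes at audit time.

```powershell
# Added example (not from the STIG): EDGE-00-000045, supported-version check.
# Assumes: Edge is installed per-machine under Program Files; the minimum
# version is supplied by the caller from Microsoft's current release notes.
function Get-EdgeInstalledVersion {
    # Per-machine Edge installs under one of these paths depending on bitness.
    $candidates = @(
        "$env:ProgramFiles\Microsoft\Edge\Application\msedge.exe",
        "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe"
    )
    foreach ($exe in $candidates) {
        if (Test-Path -Path $exe) {
            # ProductVersion is a dotted string such as "86.0.622.38"; [version]
            # gives numeric comparison instead of a string compare ("9" > "86").
            return [version](Get-Item -Path $exe).VersionInfo.ProductVersion
        }
    }
    return $null
}

function Test-EdgeSupportedVersion {
    param([Parameter(Mandatory)][version]$MinimumVersion)
    $installed = Get-EdgeInstalledVersion
    if ($null -eq $installed) {
        # Nothing to assess; report it rather than silently passing.
        return [pscustomobject]@{ Id='EDGE-00-000045'; Installed='<not found>'; Minimum=$MinimumVersion; Status='NotApplicable' }
    }
    $status = if ($installed -ge $MinimumVersion) { 'NotAFinding' } else { 'Open' }
    [pscustomobject]@{ Id='EDGE-00-000045'; Installed=$installed; Minimum=$MinimumVersion; Status=$status }
}

# Usage (the version here is a placeholder; use the current supported minimum):
# Test-EdgeSupportedVersion -MinimumVersion '0.0.0.0'
```

Comparing [version] objects matters: a string comparison would rank "9.x" above "86.x". A "NotApplicable" result means msedge.exe was not found in the standard per-machine locations; per-user installs under %LOCALAPPDATA% are not covered by this example and would need a second lookup.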

c
Edge must be configured to allow only TLS.
AC-17 - High - CCI-001453 - EDGE-00-000046 - EDGE-00-000046_rule
RMF Control
AC-17
Severity
H
CCI
CCI-001453
Version
EDGE-00-000046
Vuln IDs
  • EDGE-00-000046
Rule IDs
  • EDGE-00-000046_rule
Sets the minimum supported version of SSL. If this policy is not configured, Microsoft Edge uses a default minimum version, TLS 1.0. If this policy is enabled, the minimum version can be set to one of the following values: "TLSv1", "TLSv1.1" or "TLSv1.2". When set, Microsoft Edge will not use any version of SSL/TLS lower than the specified version. Any unrecognized value is ignored. Policy options mapping: *TLSv1 (tls1) = TLS 1.0 *TLSv1.1 (tls1.1) = TLS 1.1 *TLSv1.2 (tls1.2) = TLS 1.2 NIST SP 800-52 specifies the preferred configurations for government systems.
Checks: C-EDGE-00-000046_chk

The policy value for Computer Configuration/Administrative Templates/Microsoft Edge/SSLVersionMin must be set to "TLS 1.2". Procedure: Use the Windows Registry Editor to navigate to the following key: SOFTWARE\Policies\Microsoft\Edge. Criteria: If the value for SSLVersionMin is not set to "REG_SZ = tls1.2", this is a finding.

Fix: F-EDGE-00-000046_fix

Set the policy value for Computer Configuration/Administrative Templates/Microsoft Edge/SSLVersionMin to "tls1.2".
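Most checks in this section have the same shape: a single named value under SOFTWARE\Policies\Microsoft\Edge (or its Recommended subkey) must exist with a specific type and data. The PowerShell below is an added example, not part of the STIG or of any DISA tool; it turns the Criteria lines of those checks (EDGE-00-000022 through EDGE-00-000036, 000043, 000044, 000046 and 000030) into a table and evaluates each one, reporting a missing value, a wrong type (a REG_SZ "0" is not the REG_DWORD 0 the checks require) and wrong data as separate reasons. The two Import* rules are read from the Recommended subkey because that is where their checks point; Edge treats values under that subkey as recommended, user-changeable policy, which is worth knowing when the intent is an enforced setting.

```powershell
# Added example (not from the STIG): evaluate the single-value registry
# checks in this section. Assumes read access to HKLM; expected values are
# copied from each check's Criteria line above.
$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

$Rules = @(
    @{ Id='EDGE-00-000022'; SubKey='Recommended'; Name='ImportSearchEngine';               Type='DWord';  Expected=0 }
    @{ Id='EDGE-00-000023'; SubKey='Recommended'; Name='ImportShortcuts';                  Type='DWord';  Expected=0 }
    @{ Id='EDGE-00-000024'; SubKey='';            Name='AutoplayAllowed';                  Type='DWord';  Expected=0 }
    @{ Id='EDGE-00-000025'; SubKey='';            Name='DefaultWebUsbGuardSetting';        Type='DWord';  Expected=2 }
    @{ Id='EDGE-00-000026'; SubKey='';            Name='EnableMediaRouter';                Type='DWord';  Expected=0 }
    @{ Id='EDGE-00-000027'; SubKey='';            Name='DefaultWebBluetoothGuardSetting';  Type='DWord';  Expected=2 }
    @{ Id='EDGE-00-000028'; SubKey='';            Name='AutofillCreditCardEnabled';        Type='DWord';  Expected=0 }
    @{ Id='EDGE-00-000029'; SubKey='';            Name='AutofillAddressEnabled';           Type='DWord';  Expected=0 }
    @{ Id='EDGE-00-000030'; SubKey='';            Name='RequireOnlineRevocationChecksForLocalAnchors'; Type='DWord'; Expected=1 }
    @{ Id='EDGE-00-000031'; SubKey='';            Name='PersonalizationReportingEnabled';  Type='DWord';  Expected=0 }
    @{ Id='EDGE-00-000032'; SubKey='';            Name='DefaultGeolocationSetting';        Type='DWord';  Expected=2 }
    @{ Id='EDGE-00-000034'; SubKey='';            Name='DeveloperToolsAvailability';       Type='DWord';  Expected=2 }
    @{ Id='EDGE-00-000035'; SubKey='';            Name='DefaultPluginsSetting';            Type='DWord';  Expected=2 }
    @{ Id='EDGE-00-000036'; SubKey='';            Name='DownloadRestrictions';             Type='DWord';  Expected=2 }
    @{ Id='EDGE-00-000043'; SubKey='';            Name='PasswordManagerEnabled';           Type='DWord';  Expected=0 }
    @{ Id='EDGE-00-000044'; SubKey='';            Name='SSLErrorOverrideAllowed';          Type='DWord';  Expected=0 }
    @{ Id='EDGE-00-000046'; SubKey='';            Name='SSLVersionMin';                    Type='String'; Expected='tls1.2' }
)

function Test-EdgeStigValue {
    param([hashtable]$Rule)
    $path = if ($Rule.SubKey) { Join-Path $Base $Rule.SubKey } else { $Base }
    $key  = Get-Item -Path $path -ErrorAction SilentlyContinue
    # Missing key or missing value both mean "not configured", a finding for every rule here.
    if ($null -eq $key -or ($key.GetValueNames() -notcontains $Rule.Name)) {
        return [pscustomobject]@{ Id=$Rule.Id; Name=$Rule.Name; Status='Open'; Reason='not set'; Actual='' }
    }
    $kind   = $key.GetValueKind($Rule.Name).ToString()   # e.g. DWord, String, ExpandString
    $actual = $key.GetValue($Rule.Name)
    $reason = if ($kind -ne $Rule.Type)        { "wrong type ($kind, want $($Rule.Type))" }
              elseif ($actual -ne $Rule.Expected) { "wrong value (want $($Rule.Expected))" }   # -eq is case-insensitive for strings
              else                             { '' }
    $status = if ($reason) { 'Open' } else { 'NotAFinding' }
    [pscustomobject]@{ Id=$Rule.Id; Name=$Rule.Name; Status=$status; Reason=$reason; Actual=$actual }
}

$results = foreach ($r in $Rules) { Test-EdgeStigValue -Rule $r }
$results | Format-Table -AutoSize
$open = @($results | Where-Object Status -eq 'Open')
Write-Host ("{0} of {1} single-value checks open" -f $open.Count, $results.Count)
exit $open.Count
```

The type check is the part a registry-only eyeball usually misses: a value created with the wrong type (for example REG_SZ "2" for DefaultGeolocationSetting) shows the right digits in the Registry Editor but is ignored by Edge, so the script reports it as a finding with the reason spelled out.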