Google Chrome Current Windows STIG

Details

Version / Release: V1R3

Published: 2015-10-01

Updated At: 2018-09-23 02:43:35

Compare/View Releases

Select any two versions of this STIG to compare the individual requirements

Select any old version/release of this STIG to view the previous requirements

Actions

Download

Filter


Findings
Severity Open Not Reviewed Not Applicable Not a Finding
Overall 0 0 0 0
Low 0 0 0 0
Medium 0 0 0 0
High 0 0 0 0
Drop CKL or SCAP (XCCDF) results here.

    Vuln Rule Version CCI Severity Title Description Status Finding Details Comments
    SV-57545r2_rule DTBC-0001 MEDIUM Firewall traversal from remote host must be disabled. Remote connections should never be allowed that bypass the firewall, as there is no way to verify if they can be trusted. Enables usage of STUN and relay servers when remote clients are trying to establish a connection to this machine. If this setting is
    SV-57547r1_rule DTBC-0003 LOW Sites ability for showing desktop notifications must be disabled. Chrome by default allows websites to display notifications on the desktop. This check allows you to set whether or not this is permitted. Displaying desktop notifications can be allowed by default, denied by default or the user can be asked every time a
    SV-57553r1_rule DTBC-0004 MEDIUM Sites ability to show pop-ups must be disabled. Chrome allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. If you enable this policy setting, most unwanted pop-up windows are prevented from appearing. If you disabl
    SV-57557r1_rule DTBC-0002 MEDIUM Site tracking users location must be disabled. Website tracking is the practice of gathering information as to which websites were accesses by a browser. The common method of doing this is to have a website create a tracking cookie on the browser. If the information of what sites are being accessed
    SV-57561r1_rule DTBC-0005 MEDIUM Extensions installation must be blacklisted by default. Extensions are developed by third party sources and are designed to extend Google Chrome's functionality. An extension can be made by anyone, to do and access almost anything on a system; this means they pose a high risk to any system that would allow all
    SV-57563r1_rule DTBC-0006 MEDIUM Extensions that are approved for use must be whitelisted. The whitelist should only contain organizationally approved extensions. This is to prevent a user from accidently whitelisitng a malicious extension. This policy allows you to specify which extensions are not subject to the blacklist. A blacklist value of
    SV-57567r1_rule DTBC-0007 MEDIUM The default search providers name must be set. Specifies the name of the default search provider that is to be used, if left empty or not set, the host name specified by the search URL will be used. This policy is only considered if the 'DefaultSearchProviderEnabled' policy is enabled. When doing inte
    SV-57569r1_rule DTBC-0008 MEDIUM The default search provider URL must be set to perform encrypted searches. Specifies the URL of the search engine used when doing a default search. The URL should contain the string '{searchTerms}', which will be replaced at query time by the terms the user is searching for. This option must be set when the 'DefaultSearchProvide
    SV-57571r1_rule DTBC-0009 MEDIUM Default search provider must be enabled. Policy enables the use of a default search provider. If you enable this setting, a default search is performed when the user types text in the omnibox that is not a URL. You can specify the default search provider to be used by setting the rest of the def
    SV-57573r1_rule DTBC-0010 MEDIUM Use of cleartext passwords in the Password Manager must be disabled. Cleartext passwords would allow another individual to see password via shoulder surfing. This policy controls whether the user may show passwords in clear text in the password manager. If you disable this setting, the password manager does not allow show
    SV-57575r1_rule DTBC-0011 MEDIUM The Password Manager must be disabled. Enables saving passwords and using saved passwords in Google Chrome. Malicious sites may take advantage of this feature by using hidden fields gain access to the stored information. If you enable this setting, users can have Google Chrome memorize passwor
    SV-57577r1_rule DTBC-0012 MEDIUM The HTTP Authentication must be set to negotiate. Specifies which HTTP Authentication schemes are supported by Google Chrome. Possible values are 'basic', 'digest', 'ntlm' and 'negotiate'. Separate multiple values with commas. If this policy is left not set, all four schemes will be used.
    SV-57579r1_rule DTBC-0013 HIGH The running of outdated plugins must be disabled. Running outdated plugins could lead to system compromise through the use of known exploits. Having plugins that updated to the most current version ensures the smallest attack surfuce possible. If you enable this setting, outdated plugins are used as norm
    SV-57583r1_rule DTBC-0014 HIGH Plugins requiring authorization must ask for user permission. Policy allows Google Chrome to run plugins that require authorization. If you enable this setting, plugins that are not outdated will always run. If this setting is disabled or not set, users will be not be asked for permission to run plugins that require
    SV-57585r1_rule DTBC-0015 LOW Third party cookies must be blocked. Third party cookies are cookies which can be set by web page elements that are not from the domain that is in the browser's address bar. Enabling this setting prevents cookies from being set by web page elements that are not from the domain that is in the
    SV-57587r1_rule DTBC-0017 MEDIUM Background processing must be disabled. Determines whether a Google Chrome process is started on OS login that keeps running when the last browser window is closed, allowing background apps to remain active. The background process displays an icon in the system tray and can always be closed fro
    SV-57591r1_rule DTBC-0019 MEDIUM 3D Graphics APIs must be disabled. Disable support for 3D graphics APIs. Enabling this setting prevents web pages from accessing the graphics processing unit (GPU). Specifically, web pages cannot access the WebGL API and plugins cannot use the Pepper 3D API. Disabling this setting or leavi
    SV-57593r1_rule DTBC-0020 MEDIUM Google Data Synchronization must be disabled. Disables data synchronization in Google Chrome using Google-hosted synchronization services and prevents users from changing this setting. If you enable this setting, users cannot change or override this setting in Google Chrome. If this policy is left no
    SV-57595r2_rule DTBC-0021 MEDIUM The URL protocol schema javascript must be disabled. Each access to a URL is handled by the browser according to the URL's "scheme". The "scheme" of a URL is the section before the ":". The term "protocol" is often mistakenly used for a "scheme". The difference is that the scheme is how the browser handles
    SV-57597r1_rule DTBC-0022 MEDIUM AutoFill must be disabled. This AutoComplete feature suggests possible matches when users are filling in forms. It is possible that this feature will cache sensitive data and store it in the user's profile, where it might not be protected as rigorously as required by organizational
    SV-57599r1_rule DTBC-0023 MEDIUM Cloud print sharing must be disabled. Policy enables Google Chrome to act as a proxy between Google Cloud Print and legacy printers connected to the machine. If this setting is enabled or not configured, users can enable the cloud print proxy by authentication with their Google account. If th
    SV-57603r1_rule DTBC-0025 MEDIUM Network prediction must be disabled. Enables network prediction in Google Chrome and prevents users from changing this setting. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, this will be enabled but the u
    SV-57605r1_rule DTBC-0026 MEDIUM Metrics reporting to Google must be disabled. Enables anonymous reporting of usage and crash-related data about Google Chrome to Google and prevents users from changing this setting. If you enable this setting, anonymous reporting of usage and crash-related data is sent to Google. A crash report coul
    SV-57607r1_rule DTBC-0027 MEDIUM Search suggestions must be disabled. Search suggestion should be disabled as it could lead to searches being conducted that were never intended to be made. Enables search suggestions in Google Chrome's omnibox and prevents users from changing this setting. If you enable this setting, search
    SV-57609r2_rule DTBC-0029 MEDIUM Importing of saved passwords must be disabled. Importing of saved passwords should be disabled as it could lead to unencrypted account passwords stored on the system from another browser to be viewed. This policy forces the saved passwords to be imported from the previous default browser if enabled. I
    SV-57611r1_rule DTBC-0030 MEDIUM Incognito mode must be disabled. Incognito mode allows the user to browse the Internet without recording their browsing history/activity. From a forensics perspective, this is unacceptable. Best practice requires that browser history is retained. The "IncognitoModeAvailability" settin
    SV-57615r1_rule DTBC-0034 MEDIUM Plugins must be disabled by default. Specifies a list of plugins that are disabled in Google Chrome and prevents users from changing this setting. The wildcard characters * and ? can be used to match sequences of arbitrary characters. * matches an arbitrary number of characters while ? speci
    SV-57617r2_rule DTBC-0035 MEDIUM Plugins approved for use must be enabled. Policy specifies a list of plugins that are enabled in Google Chrome and prevents users from changing this setting. The wildcard characters '*' and '?' can be used to match sequences of arbitrary characters. '*' matches an arbitrary number of characters w
    SV-57621r1_rule DTBC-0036 MEDIUM Automated installation of missing plugins must be disabled. The automatic search and installation of missing or not installed plugins should be disabled as this can cause significant risk if a unapproved or vulnerable plugin were to be installed without proper permissions or authorization. If you set this setting
    SV-57623r1_rule DTBC-0037 MEDIUM Online revocation checks must be done. By setting this policy to true, the previous behavior is restored and online OCSP/CRL checks will be performed. If the policy is not set, or is set to false, then Chrome will not perform online revocation checks. Certificates are revoked when they have be
    SV-57625r1_rule DTBC-0038 MEDIUM Safe Browsing must be enabled, Enables Google Chrome's Safe Browsing feature and prevents users from changing this setting. If you enable this setting, Safe Browsing is always active. If you disable this setting, Safe Browsing is never active. If you enable or disable this setting, use
    SV-57627r1_rule DTBC-0039 MEDIUM Browser history must be saved. This policy disables saving browser history in Google Chrome and prevents users from changing this setting. If this setting is enabled, browsing history is not saved. If this setting is disabled or not set, browsing history is saved.
    SV-57629r2_rule DTBC-0040 MEDIUM Default behavior must block webpages from automatically running plugins. This policy allows you to set whether websites are allowed to automatically run plugins. Automatically running plugins can be either allowed for all websites or denied for all websites. If this policy is left not set, 'AllowPlugins' will be used and the u
    SV-57633r2_rule DTBC-0045 MEDIUM Session only based cookies must be disabled. Policy allows you to set a list of URL patterns that specify sites which are allowed to set session only cookies. If this policy is left not set the global default value will be used for all sites either from the 'DefaultCookiesSetting' policy if it is se
    SV-57635r2_rule DTBC-0048 MEDIUM The home page must be set to a trusted site. When a browser is started the first web page displayed is the "home page". While the home page can be selected by the user, the default home page needs to be defined to display an approved page. If no home page is defined then there is a possibility that
    SV-57639r1_rule DTBC-0050 MEDIUM Browser must support auto-updates. One of the most effective defenses against exploitation of browser vulnerabilities is to ensure the version of the browser is current. Frequent updates provide corrections to discovered vulnerabilities and the timely update reduces the window for zero d
    SV-67011r1_rule DTBC-0051 MEDIUM URLs must be whitelisted for plugin use