DoD Compliance · STIG

Google Chrome Current Windows STIG

V1R5 · Released 22 Jul 2016 · 37 rules

Digest of Updates vs. V1R3 · 23 Oct 2015

Comparison against the immediately-prior release (V1R3). Rule matching uses the Group Vuln ID. Content-change detection compares the rule’s description, check, and fix text after stripping inline markup — cosmetic-only edits aren’t flagged.

Content changes 3

  • V-44711 · Medium · fix · Firewall traversal from remote host must be disabled.
  • V-44775 · Medium · fix · Importing of saved passwords must be disabled.
  • V-44805 · Medium · check, fix · Browser must support auto-updates.

Firewall traversal from remote host must be disabled.
Medium - V-44711 - SV-57545r3_rule
Severity: M · Version: DTBC-0001 · Vuln IDs: V-44711 · Rule IDs: SV-57545r3_rule
Remote connections should never be allowed that bypass the firewall, as there is no way to verify if they can be trusted. Enables usage of STUN and relay servers when remote clients are trying to establish a connection to this machine. If this setting is enabled, then remote clients can discover and connect to this machine even if they are separated by a firewall. If this setting is disabled and outgoing UDP connections are filtered by the firewall, then this machine will only allow connections from client machines within the local network. If this policy is left not set the setting will be enabled.
Checks: C-49503r4_chk

Universal method:
1. In the omnibox (address bar) type chrome://policy
2. If RemoteAccessHostFirewallTraversal is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding.

Windows registry:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the RemoteAccessHostFirewallTraversal value name does not exist or its value data is not set to 0, then this is a finding.

Fix: F-49801r5_fix

Windows group policy:
1. Open the group policy editor tool with gpedit.msc
2. Navigate to Policy Path: Computer Configuration\Administrative\Templates\Google\Google Chrome\Configure remote access options
   Policy Name: Enable firewall traversal from remote access host
   Policy State: Disabled
   Policy Value: N/A

Sites ability for showing desktop notifications must be disabled.
Low - V-44713 - SV-57547r1_rule
Severity: L · Version: DTBC-0003 · Vuln IDs: V-44713 · Rule IDs: SV-57547r1_rule
Chrome by default allows websites to display notifications on the desktop. This check allows you to set whether or not this is permitted. Displaying desktop notifications can be allowed by default, denied by default or the user can be asked every time a website wants to show desktop notifications. If this policy is left not set, 'AskNotifications' will be used and the user will be able to change it.
  • 1 = Allow sites to show desktop notifications
  • 2 = Do not allow any site to show desktop notifications
  • 3 = Ask every time a site wants to show desktop notifications
Checks: C-49507r4_chk

Universal method:
1. In the omnibox (address bar) type chrome://policy
2. If DefaultNotificationsSetting is not displayed under the Policy Name column or it is not set to 2, then this is a finding.

Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the DefaultNotificationsSetting value name does not exist or its value data is not set to 2, then this is a finding.

Fix: F-49807r3_fix

Windows group policy:
1. Open the group policy editor tool with gpedit.msc
2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings\
   Policy Name: Default notification setting
   Policy State: Enabled
   Policy Value: Do not allow any site to show desktop notifications

Sites ability to show pop-ups must be disabled.
Medium - V-44719 - SV-57553r1_rule
Severity: M · Version: DTBC-0004 · Vuln IDs: V-44719 · Rule IDs: SV-57553r1_rule
Chrome allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. If you enable this policy setting, most unwanted pop-up windows are prevented from appearing. If you disable this policy setting, pop-up windows are not prevented from appearing. If you disable this policy setting, scripts can continue to create pop-up windows, and pop-ups that hide other windows. Recommend configuring this setting to ‘2’ to help prevent malicious websites from controlling the pop-up windows or fooling users into clicking on the wrong window. If you do not configure this policy setting, most unwanted pop-up windows are prevented from appearing. If this policy is left not set, 'BlockPopups' will be used and the user will be able to change it.
  • 1 = Allow all sites to show pop-ups
  • 2 = Do not allow any site to show pop-ups
Checks: C-49509r3_chk

Universal method:
1. In the omnibox (address bar) type chrome://policy
2. If DefaultPopupsSetting is not displayed under the Policy Name column or it is not set to 2, then this is a finding.

Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the value name DefaultPopupsSetting does not exist or its value data is not set to 2, then this is a finding.

Fix: F-49809r3_fix

Windows group policy:
1. Open the group policy editor tool with gpedit.msc
2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings\
   Policy Name: Default popups setting
   Policy State: Enabled
   Policy Value: Do not allow any site to show popups

Site tracking users location must be disabled.
Medium - V-44723 - SV-57557r1_rule
Severity: M · Version: DTBC-0002 · Vuln IDs: V-44723 · Rule IDs: SV-57557r1_rule
Website tracking is the practice of gathering information as to which websites were accessed by a browser. The common method of doing this is to have a website create a tracking cookie on the browser. If the information of what sites are being accessed is made available to unauthorized persons, this violates confidentiality requirements, and over time poses a significant OPSEC issue. This policy setting allows you to set whether websites are allowed to track the user’s physical location. Tracking the user’s physical location can be allowed by default, denied by default or the user can be asked every time a website requests the physical location.
  • 1 = Allow sites to track the user’s physical location
  • 2 = Do not allow any site to track the user’s physical location
  • 3 = Ask whenever a site wants to track the user’s physical location
Checks: C-49511r3_chk

Universal method:
1. In the omnibox (address bar) type chrome://policy
2. If DefaultGeolocationSetting is not displayed under the Policy Name column or it is not set to 2, then this is a finding.

Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the DefaultGeolocationSetting value name does not exist or its value data is not set to 2, then this is a finding.

Fix: F-49813r3_fix

Windows group policy:
1. Open the group policy editor tool with gpedit.msc
2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings\
   Policy Name: Default geolocation setting
   Policy State: Enabled
   Policy Value: Do not allow any site to track the users' physical location

Extensions installation must be blacklisted by default.
Medium - V-44727 - SV-57561r1_rule
Severity: M · Version: DTBC-0005 · Vuln IDs: V-44727 · Rule IDs: SV-57561r1_rule
Extensions are developed by third party sources and are designed to extend Google Chrome's functionality. An extension can be made by anyone, to do and access almost anything on a system; this means they pose a high risk to any system that would allow all extensions to be installed by default. Allows you to specify which extensions the users can NOT install. Extensions already installed will be removed if blacklisted. A blacklist value of '*' means all extensions are blacklisted unless they are explicitly listed in the whitelist. If this policy is left not set the user can install any extension in Google Chrome.
Checks: C-49513r3_chk

Universal method:
1. In the omnibox (address bar) type chrome://policy
2. If ExtensionInstallBlacklist is not displayed under the Policy Name column or it is not set to * under the Policy Value column, then this is a finding.

Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\ExtensionInstallBlacklist
3. If a registry value name of 1 does not exist under that key or its value is not set to *, then this is a finding.

Fix: F-49817r3_fix

Windows group policy:
1. Open the group policy editor tool with gpedit.msc
2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Extensions\
   Policy Name: Configure extension installation blacklist
   Policy State: Enabled
   Policy Value: *

Extensions that are approved for use must be whitelisted.
Medium - V-44729 - SV-57563r1_rule
Severity: M · Version: DTBC-0006 · Vuln IDs: V-44729 · Rule IDs: SV-57563r1_rule
The whitelist should only contain organizationally approved extensions. This is to prevent a user from accidentally whitelisting a malicious extension. This policy allows you to specify which extensions are not subject to the blacklist. A blacklist value of ‘*’ means all extensions are blacklisted and users can only install extensions listed in the whitelist. By default, no extensions are whitelisted. If all extensions have been blacklisted by policy, then the whitelist policy can be used to allow specific extensions to be installed. Administrators should determine which extensions should be allowed to be installed by their users. If no extensions are whitelisted, then no extensions can be installed when combined with blacklisting all extensions.
Checks: C-49515r2_chk

Universal method:
1. In the omnibox (address bar) type chrome://policy
2. If ExtensionInstallWhitelist is not displayed under the Policy Name column or it is not set to oiigbmnaadbkfbmpbfijlflahbdbdgdf or a list of administrator approved extension IDs, then this is a finding.

Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\ExtensionInstallWhitelist
3. If the ExtensionInstallWhitelist key does not exist or is not set to oiigbmnaadbkfbmpbfijlflahbdbdgdf or a list of administrator approved extension IDs, then this is a finding.

Fix: F-49821r3_fix

Windows group policy:
1. Open the group policy editor tool with gpedit.msc
2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Extensions\
   Policy Name: Configure extension installation whitelist
   Policy State: Enabled
   Policy Value: oiigbmnaadbkfbmpbfijlflahbdbdgdf

Note: oiigbmnaadbkfbmpbfijlflahbdbdgdf is the extension ID for scriptno (a commonly used Chrome extension)

The default search providers name must be set.
Medium - V-44733 - SV-57567r1_rule
Severity: M · Version: DTBC-0007 · Vuln IDs: V-44733 · Rule IDs: SV-57567r1_rule
Specifies the name of the default search provider that is to be used. If left empty or not set, the host name specified by the search URL will be used. This policy is only considered if the 'DefaultSearchProviderEnabled' policy is enabled. When doing internet searches it is important to use an encrypted connection via https.
Checks: C-49517r4_chk

Universal method:
1. In the omnibox (address bar) type chrome://policy
2. If DefaultSearchProviderName is displayed under the Policy Name column or it is not set to an organization approved encrypted search provider that corresponds to the encrypted search provider set in DTBC-0008 (ex. Google Encrypted, Bing Encrypted) under the Policy Value column, then this is a finding.

Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the DefaultSearchProviderName value name does not exist or it is not set to an organization approved encrypted search provider that corresponds to the encrypted search provider set in DTBC-0008 (ex. Google Encrypted, Bing Encrypted), then this is a finding.

Fix: F-49825r5_fix

Windows group policy:
1. Open the group policy editor tool with gpedit.msc
2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Default search provider\
   Policy Name: Default search provider name
   Policy State: Enabled
   Policy Value: set to an organization approved encrypted search provider that corresponds to the encrypted search provider set in DTBC-0008 (ex. Google Encrypted, Bing Encrypted)

The default search provider URL must be set to perform encrypted searches.
Medium - V-44735 - SV-57569r1_rule
Severity: M · Version: DTBC-0008 · Vuln IDs: V-44735 · Rule IDs: SV-57569r1_rule
Specifies the URL of the search engine used when doing a default search. The URL should contain the string '{searchTerms}', which will be replaced at query time by the terms the user is searching for. This option must be set when the 'DefaultSearchProviderEnabled' policy is enabled and will only be respected if this is the case. When doing internet searches it is important to use an encrypted connection via https.
Checks: C-49519r7_chk

Universal method:
1. In the omnibox (address bar) type chrome://policy
2. If DefaultSearchProviderSearchURL is not displayed under the Policy Name column or it is not set to an organization approved encrypted search string (ex. https://www.google.com/#q={searchTerms} or https://www.bing.com/search?q={searchTerms}) under the Policy Value column, then this is a finding.

Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the DefaultSearchProviderSearchURL value name does not exist or its value data is not set to an organization approved encrypted search string (ex. https://www.google.com/#q={searchTerms} or https://www.bing.com/search?q={searchTerms}) then this is a finding.

Fix: F-49827r5_fix

Windows group policy:
1. Open the group policy editor tool with gpedit.msc
2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Default search provider\
   Policy Name: Default search provider search URL
   Policy State: Enabled
   Policy Value: must be set to an organization approved encrypted search string (ex. https://www.google.com/#q={searchTerms} or https://www.bing.com/search?q={searchTerms})

Default search provider must be enabled.
Medium - V-44737 - SV-57571r1_rule
Severity: M · Version: DTBC-0009 · Vuln IDs: V-44737 · Rule IDs: SV-57571r1_rule
Policy enables the use of a default search provider. If you enable this setting, a default search is performed when the user types text in the omnibox that is not a URL. You can specify the default search provider to be used by setting the rest of the default search policies. If these are left empty, the user can choose the default provider. If you disable this setting, no search is performed when the user enters non-URL text in the omnibox. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, the default search provider is enabled, and the user will be able to set the search provider list.
Checks: C-49521r3_chk

Universal method:
1. In the omnibox (address bar) type chrome://policy
2. If DefaultSearchProviderEnabled is not displayed under the Policy Name column or it is not set to true under the Policy Value column, then this is a finding.

Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the DefaultSearchProviderEnabled value name does not exist or its value data is not set to 1, then this is a finding.

Fix: F-49829r3_fix

Windows group policy:
1. Open the group policy editor tool with gpedit.msc
2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Default search provider\
   Policy Name: Enable the default search provider
   Policy State: Enabled
   Policy Value: N/A

Use of cleartext passwords in the Password Manager must be disabled.
Medium - V-44739 - SV-57573r1_rule
Severity: M · Version: DTBC-0010 · Vuln IDs: V-44739 · Rule IDs: SV-57573r1_rule
Cleartext passwords would allow another individual to see the password via shoulder surfing. This policy controls whether the user may show passwords in clear text in the password manager. If you disable this setting, the password manager does not allow showing stored passwords in clear text in the password manager window. By not configuring this policy, users can view their stored passwords in clear text in the password manager.
Checks: C-49523r2_chk

Universal method:
1. In the omnibox (address bar) type chrome://policy
2. If PasswordManagerAllowShowPasswords is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding.

Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the PasswordManagerAllowShowPasswords value name does not exist or its value data is not set to 0, then this is a finding.

Fix: F-49831r3_fix

Windows group policy:
1. Open the group policy editor tool with gpedit.msc
2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Password manager\
   Policy Name: Allow users to show passwords in Password Manager
   Policy State: Disabled
   Policy Value: N/A

The Password Manager must be disabled.
Medium - V-44741 - SV-57575r1_rule
Severity: M · Version: DTBC-0011 · Vuln IDs: V-44741 · Rule IDs: SV-57575r1_rule
Enables saving passwords and using saved passwords in Google Chrome. Malicious sites may take advantage of this feature by using hidden fields to gain access to the stored information. If you enable this setting, users can have Google Chrome memorize passwords and provide them automatically the next time they log in to a site. If you disable this setting, users are not able to save passwords or use already saved passwords. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, this will be enabled but the user will be able to change it. Password manager should not be used as it stores passwords locally.
Checks: C-49525r2_chk

Universal method:
1. In the omnibox (address bar) type chrome://policy
2. If PasswordManagerEnabled is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding.

Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the PasswordManagerEnabled value name does not exist or its value data is not set to 0, then this is a finding.

Fix: F-49833r3_fix

Windows group policy:
1. Open the group policy editor tool with gpedit.msc
2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Password Manager\
   Policy Name: Enable the password manager
   Policy State: Disabled
   Policy Value: N/A

The HTTP Authentication must be set to negotiate.
Medium - V-44743 - SV-57577r1_rule
Severity: M · Version: DTBC-0012 · Vuln IDs: V-44743 · Rule IDs: SV-57577r1_rule
Specifies which HTTP Authentication schemes are supported by Google Chrome. Possible values are 'basic', 'digest', 'ntlm' and 'negotiate'. Separate multiple values with commas. If this policy is left not set, all four schemes will be used.
Checks: C-49527r2_chk

Universal method:
1. In the omnibox (address bar) type chrome://policy
2. If AuthSchemes is not displayed under the Policy Name column or it is not set to negotiate under the Policy Value column, then this is a finding.

Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome
3. If the AuthSchemes value name does not exist or its value data is not set to negotiate, then this is a finding.

Fix: F-49835r3_fix

Windows group policy:
1. Open the group policy editor tool with gpedit.msc
2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Policies for HTTP Authentication\
   Policy Name: Supported authentication schemes
   Policy State: Enabled
   Policy Value: negotiate

The running of outdated plugins must be disabled.
High - V-44745 - SV-57579r1_rule
Severity: H · Version: DTBC-0013 · Vuln IDs: V-44745 · Rule IDs: SV-57579r1_rule
Running outdated plugins could lead to system compromise through the use of known exploits. Having plugins that are updated to the most current version ensures the smallest attack surface possible. If you enable this setting, outdated plugins are used as normal plugins. If you disable this setting, outdated plugins will not be used and users will not be asked for permission to run them. If this setting is not set, users will be asked for permission to run outdated plugins.
Checks: C-49529r2_chk

Universal method:
1. In the omnibox (address bar) type chrome://policy
2. If AllowOutdatedPlugins is not displayed under the Policy Name column or it is not set to false under the Policy Name column, then this is a finding.

Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome
3. If the AllowOutdatedPlugins value name does not exist or its value data is not set to 0, then this is a finding.

Fix: F-49837r3_fix

Windows group policy:
1. Open the group policy editor tool with gpedit.msc
2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
   Policy Name: Allow running plugins that are outdated
   Policy State: Disabled
   Policy Value: N/A

Plugins requiring authorization must ask for user permission.
High - V-44749 - SV-57583r1_rule
Severity: H · Version: DTBC-0014 · Vuln IDs: V-44749 · Rule IDs: SV-57583r1_rule
Policy allows Google Chrome to run plugins that require authorization. If you enable this setting, plugins that are not outdated will always run. If this setting is disabled or not set, users will be not be asked for permission to run plugins that require authorization. These are plugins that can compromise security.
Checks: C-49531r2_chk

Universal method:
1. In the omnibox (address bar) type chrome://policy
2. If AlwaysAuthorizePlugins is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding.

Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the AlwaysAuthorizePlugins value name does not exist or its value data is not set to 0, then this is a finding.

Fix: F-49839r3_fix

Windows group policy:
1. Open the group policy editor tool with gpedit.msc
2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
   Policy Name: Always runs plugins that require authorization
   Policy State: Disabled
   Policy Value: N/A

Third party cookies must be blocked.
Low - V-44751 - SV-57585r1_rule
Severity: L · Version: DTBC-0015 · Vuln IDs: V-44751 · Rule IDs: SV-57585r1_rule
Third party cookies are cookies which can be set by web page elements that are not from the domain that is in the browser's address bar. Enabling this setting prevents cookies from being set by web page elements that are not from the domain that is in the browser's address bar. Disabling this setting allows cookies to be set by web page elements that are not from the domain that is in the browser's address bar and prevents users from changing this setting. If this policy is left not set, third party cookies will be enabled but the user will be able to change that.
Checks: C-49533r3_chk

Universal method:
1. In the omnibox (address bar) type chrome://policy
2. If BlockThirdPartyCookies is not displayed under the Policy Name column or it is not set to true under the Policy Value column, then this is a finding.

Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the BlockThirdPartyCookies value name does not exist or its value data is not set to 1, then this is a finding.

Fix: F-49841r3_fix

Windows group policy:
1. Open the group policy editor tool with gpedit.msc
2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
   Policy Name: Block third party cookies
   Policy State: Enabled
   Policy Value: N/A

Background processing must be disabled.
Medium - V-44753 - SV-57587r1_rule
Severity: M · Version: DTBC-0017 · Vuln IDs: V-44753 · Rule IDs: SV-57587r1_rule
'Determines whether a Google Chrome process is started on OS login that keeps running when the last browser window is closed, allowing background apps to remain active. The background process displays an icon in the system tray and can always be closed from there. If this policy is set to True, background mode is enabled and cannot be controlled by the user in the browser settings. If this policy is set to False, background mode is disabled and cannot be controlled by the user in the browser settings. If this policy is left unset, background mode is initially disabled and can be controlled by the user in the browser settings.' - Google Chrome Administrators Policy List. This setting, if enabled, allows Google Chrome to run at all times. There are two reasons that this is not wanted. First, it can tie up system resources that might otherwise be needed. Second, it does not make it obvious to the user that it is running and poorly written extensions could cause instability on the system.
Checks: C-49535r2_chk

Universal method:
1. In the omnibox (address bar) type chrome://policy
2. If BackgroundModeEnabled is not displayed under the Policy Name column and it is not set to false under the Policy Value column, then this is a finding.

Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the BackgroundModeEnabled value name does not exist or its value data is not set to 0, then this is a finding.

Fix: F-49845r3_fix

Windows group policy:
1. Open the group policy editor tool with gpedit.msc
2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
   Policy Name: Continue running background apps when Google Chrome is closed
   Policy State: Disabled
   Policy Value: N/A

3D Graphics APIs must be disabled.
Medium - V-44757 - SV-57591r1_rule
Severity: M · Version: DTBC-0019 · Vuln IDs: V-44757 · Rule IDs: SV-57591r1_rule
Disable support for 3D graphics APIs. Enabling this setting prevents web pages from accessing the graphics processing unit (GPU). Specifically, web pages cannot access the WebGL API and plugins cannot use the Pepper 3D API. Disabling this setting or leaving it not set potentially allows web pages to use the WebGL API and plugins to use the Pepper 3D API. The default settings of the browser may still require command line arguments to be passed in order to use these APIs. Chrome uses WebGL to render graphics using the GPU. There are few sites that currently take advantage of this feature. Since there is unlikely to be an operational impact, it is recommended that this feature is turned off in order to reduce the attack surface.
Checks: C-49539r2_chk

Universal method:
1. In the omnibox (address bar) type chrome://policy
2. If Disable3DAPIs is not displayed under the Policy Name column or it is not set to true under the Policy Value column, then this is a finding.

Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the Disable3DAPIs value name does not exist or its value data is not set to 1, then this is a finding.

Fix: F-49849r3_fix

Windows group policy:
1. Open the group policy editor tool with gpedit.msc
2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
   Policy Name: Disable support for 3D graphics APIs
   Policy State: Enabled
   Policy Value: N/A

Google Data Synchronization must be disabled.
Medium - V-44759 - SV-57593r1_rule
Severity: M · Version: DTBC-0020 · Vuln IDs: V-44759 · Rule IDs: SV-57593r1_rule
Disables data synchronization in Google Chrome using Google-hosted synchronization services and prevents users from changing this setting. If you enable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set the user will be able to enable Google Sync. Google Sync is used to sync information between different user devices, this data is then stored on Google owned servers. The synced data may consist of information such as email, calendars, viewing history, etc. This feature must be disabled because the organization does not have control over the servers the data is stored on.
Checks: C-49541r2_chk

Universal method:
1. In the omnibox (address bar) type chrome://policy
2. If SyncDisabled is not displayed under the Policy Name column or it is not set to true under the Policy Value column, then this is a finding.

Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the SyncDisabled value name does not exist or its value data is not set to 1, then this is a finding.

Fix: F-49851r3_fix

Windows group policy:
1. Open the group policy editor tool with gpedit.msc
2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
   Policy Name: Disable synchronization of data with Google
   Policy State: Enabled
   Policy Value: N/A

The URL protocol schema javascript must be disabled.
Medium - V-44761 - SV-57595r2_rule
Severity: M · Version: DTBC-0021 · Vuln IDs: V-44761 · Rule IDs: SV-57595r2_rule
Each access to a URL is handled by the browser according to the URL's "scheme". The "scheme" of a URL is the section before the ":". The term "protocol" is often mistakenly used for a "scheme". The difference is that the scheme is how the browser handles a URL and the protocol is how the browser communicates with a service. If a scheme or its associated protocol used by a browser is insecure or obsolete, vulnerabilities can be exploited resulting in exposed data or unrestricted access to the browser's system. The browser must be configured to disable the use of insecure and obsolete schemas (protocols). This policy disables the listed protocol schemes in Google Chrome, URLs using a scheme from this list will not load and cannot be navigated to. If this policy is left not set or the list is empty all schemes will be accessible in Google Chrome.
Checks: C-49543r4_chk

Universal method:
1. In the omnibox (address bar) type chrome://policy
2. If URLBlacklist is not displayed under the Policy Name column or it is not set to javascript://* under the Policy Value column, then this is a finding.

Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\URLBlacklist
3. If the URLBlacklist key does not exist, or does not contain an entry 1 set to javascript://*, then this is a finding.

Fix: F-49853r5_fix

Windows group policy:
1. Open the group policy editor tool with gpedit.msc
2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
   Policy Name: Block access to a list of URLs
   Policy State: Enabled
   Policy Value 1: javascript://*

AutoFill must be disabled.
Medium - V-44763 - SV-57597r1_rule
Severity: M · Version: DTBC-0022 · Vuln IDs: V-44763 · Rule IDs: SV-57597r1_rule
This AutoComplete feature suggests possible matches when users are filling in forms. It is possible that this feature will cache sensitive data and store it in the user's profile, where it might not be protected as rigorously as required by organizational policy. If you enable this setting or do not set a value, AutoFill will remain under the control of the user. This will allow them to configure AutoFill profiles and to switch AutoFill on or off at their own discretion.
Checks: C-49545r2_chk

Universal method: 1. In the omnibox (address bar) type chrome://policy 2. If AutoFillEnabled is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding. Windows method: 1. Start regedit 2. Navigate to HKLM\Software\Policies\Google\Chrome\ 3. If the AutoFillEnabled value name does not exist or its value data is not set to 0, then this is a finding.

Fix: F-49855r3_fix

Windows group policy: 1. Open the group policy editor tool with gpedit.msc 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ Policy Name: Enable AutoFill Policy State: Disabled Policy Value: N/A

b
Cloud print sharing must be disabled.
Medium - V-44765 - SV-57599r1_rule
RMF Control
Severity
M
CCI
Version
DTBC-0023
Vuln IDs
  • V-44765
Rule IDs
  • SV-57599r1_rule
Policy enables Google Chrome to act as a proxy between Google Cloud Print and legacy printers connected to the machine. If this setting is enabled or not configured, users can enable the cloud print proxy by authentication with their Google account. If this setting is disabled, users cannot enable the proxy, and the machine will not be allowed to share its printers with Google Cloud Print. If this policy is not set, this will be enabled but the user will be able to change it.
Checks: C-49547r2_chk

Universal method: 1. In the omnibox (address bar) type chrome://policy 2. If CloudPrintProxyEnabled is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding. Windows method: 1. Start regedit 2. Navigate to HKLM\Software\Policies\Google\Chrome\ 3. If the CloudPrintProxyEnabled value name does not exist or its value data is not set to 0, then this is a finding.

Fix: F-49857r4_fix

Windows group policy: 1. Open the group policy editor tool with gpedit.msc 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ Policy Name: Enable Google Cloud Print proxy Policy State: Disabled Policy Value: N/A

b
Network prediction must be disabled.
Medium - V-44769 - SV-57603r1_rule
RMF Control
Severity
M
CCI
Version
DTBC-0025
Vuln IDs
  • V-44769
Rule IDs
  • SV-57603r1_rule
Enables network prediction in Google Chrome and prevents users from changing this setting. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, this will be enabled but the user will be able to change it.
Checks: C-49549r2_chk

Universal method: 1. In the omnibox (address bar) type chrome://policy 2. If DnsPrefetchingEnabled is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding. Windows method: 1. Start regedit 2. Navigate to HKLM\Software\Policies\Google\Chrome\ 3. If the DnsPrefetchingEnabled value name does not exist or its value data is not set to 0, then this is a finding.

Fix: F-49859r3_fix

Windows group policy: 1. Open the group policy editor tool with gpedit.msc 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ Policy Name: Enable network prediction Policy State: Disabled Policy Value: N/A

b
Metrics reporting to Google must be disabled.
Medium - V-44771 - SV-57605r1_rule
RMF Control
Severity
M
CCI
Version
DTBC-0026
Vuln IDs
  • V-44771
Rule IDs
  • SV-57605r1_rule
Enables anonymous reporting of usage and crash-related data about Google Chrome to Google and prevents users from changing this setting. If you enable this setting, anonymous reporting of usage and crash-related data is sent to Google. A crash report could contain sensitive information from the computer's memory. If you disable this setting, anonymous reporting of usage and crash-related data is never sent to Google. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set the setting will be what the user chose upon installation / first run.
Checks: C-49551r2_chk

Universal method: 1. In the omnibox (address bar) type chrome://policy 2. If MetricsReportingEnabled is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding. Windows method: 1. Start regedit 2. Navigate to HKLM\Software\Policies\Google\Chrome\ 3. If the MetricsReportingEnabled value name does not exist or its value data is not set to 0, then this is a finding.

Fix: F-49861r2_fix

Windows group policy: 1. Open the group policy editor tool with gpedit.msc 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ Policy Name: Enable reporting of usage and crash-related data Policy State: Disabled Policy Value: N/A

b
Search suggestions must be disabled.
Medium - V-44773 - SV-57607r1_rule
RMF Control
Severity
M
CCI
Version
DTBC-0027
Vuln IDs
  • V-44773
Rule IDs
  • SV-57607r1_rule
Search suggestion should be disabled as it could lead to searches being conducted that were never intended to be made. Enables search suggestions in Google Chrome's omnibox and prevents users from changing this setting. If you enable this setting, search suggestions are used. If you disable this setting, search suggestions are never used. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, this will be enabled but the user will be able to change it.
Checks: C-49553r2_chk

Universal method: 1. In the omnibox (address bar) type chrome://policy 2. If SearchSuggestEnabled is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding. Windows method: 1. Start regedit 2. Navigate to HKLM\Software\Policies\Google\Chrome\ 3. If the SearchSuggestEnabled value name does not exist or its value data is not set to 0, then this is a finding.

Fix: F-49863r2_fix

Windows group policy: 1. Open the group policy editor tool with gpedit.msc 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ Policy Name: Enable search suggestions Policy State: Disabled Policy Value: N/A

b
Importing of saved passwords must be disabled.
Medium - V-44775 - SV-57609r3_rule
RMF Control
Severity
M
CCI
Version
DTBC-0029
Vuln IDs
  • V-44775
Rule IDs
  • SV-57609r3_rule
Importing of saved passwords should be disabled, as it could allow unencrypted account passwords stored on the system by another browser to be viewed. This policy forces the saved passwords to be imported from the previous default browser if enabled. If enabled, this policy also affects the import dialog. If disabled, the saved passwords are not imported. If it is not set, the user may be asked whether to import, or importing may happen automatically.
Checks: C-49555r2_chk

Universal method: 1. In the omnibox (address bar) type chrome://policy 2. If ImportSavedPasswords is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding. Windows method: 1. Start regedit 2. Navigate to HKLM\Software\Policies\Google\Chrome\ 3. If the ImportSavedPasswords value name does not exist or its value data is not set to 0, then this is a finding.

Fix: F-49865r4_fix

Windows group policy: 1. Open the group policy editor tool with gpedit.msc 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ Policy Name: Import saved passwords from default browser on first run Policy State: Disabled Policy Value: N/A

b
Incognito mode must be disabled.
Medium - V-44777 - SV-57611r1_rule
RMF Control
Severity
M
CCI
Version
DTBC-0030
Vuln IDs
  • V-44777
Rule IDs
  • SV-57611r1_rule
Incognito mode allows the user to browse the Internet without recording their browsing history/activity. From a forensics perspective, this is unacceptable. Best practice requires that browser history is retained. The "IncognitoModeAvailability" setting controls whether the user may utilize Incognito mode in Google Chrome. If 'Enabled' is selected or the policy is left unset, pages may be opened in Incognito mode. If 'Disabled' is selected, pages may not be opened in Incognito mode. If 'Forced' is selected, pages may be opened ONLY in Incognito mode. 0 = Incognito mode available. 1 = Incognito mode disabled. 2 = Incognito mode forced.
Checks: C-49557r2_chk

Universal method: 1. In the omnibox (address bar) type chrome://policy 2. If IncognitoModeAvailability is not displayed under the Policy Name column or it is not set to 1 under the Policy Value column, then this is a finding. Windows method: 1. Start regedit 2. Navigate to HKLM\Software\Policies\Google\Chrome\ 3. If the IncognitoModeAvailability value name does not exist or its value data is not set to 1, then this is a finding.

Fix: F-49867r2_fix

Windows group policy: 1. Open the group policy editor tool with gpedit.msc 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ Policy Name: Incognito mode availability Policy State: Enabled Policy Value: Incognito mode disabled

b
Plugins must be disabled by default.
Medium - V-44781 - SV-57615r1_rule
RMF Control
Severity
M
CCI
Version
DTBC-0034
Vuln IDs
  • V-44781
Rule IDs
  • SV-57615r1_rule
Specifies a list of plugins that are disabled in Google Chrome and prevents users from changing this setting. The wildcard characters * and ? can be used to match sequences of arbitrary characters. * matches an arbitrary number of characters while ? specifies an optional single character, i.e. matches zero or one characters. The escape character is \, so to match actual *, ?, or \ characters, you can put a \ in front of them. If you enable this setting, the specified list of plugins is never used in Google Chrome. The plugins are marked as disabled in about:plugins and users cannot enable them. Note that this policy can be overridden by ‘EnabledPlugins’ and ‘DisabledPluginsExceptions’. If this policy is left not set the user can use any plugin installed on the system except for hard-coded incompatible, outdated or dangerous plugins.
Checks: C-49561r2_chk

Universal method: 1. In the omnibox (address bar) type chrome://policy 2. If DisabledPlugins is not displayed under the Policy Name column or it is not set to * under the Policy Value column, then this is a finding. Windows method: 1. Start regedit 2. Navigate to HKLM\Software\Policies\Google\Chrome\DisabledPlugins 3. If the DisabledPlugins key does not exist, or the 1 value name does not exist under that key and the value data is not set to * then this is a finding.

Fix: F-49873r2_fix

Windows group policy: 1. Open the group policy editor tool with gpedit.msc 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ Policy Name: Specify a list of disabled plugins Policy State: Enabled Policy Value: *

b
Plugins approved for use must be enabled.
Medium - V-44783 - SV-57617r2_rule
RMF Control
Severity
M
CCI
Version
DTBC-0035
Vuln IDs
  • V-44783
Rule IDs
  • SV-57617r2_rule
Policy specifies a list of plugins that are enabled in Google Chrome and prevents users from changing this setting. The wildcard characters '*' and '?' can be used to match sequences of arbitrary characters. '*' matches an arbitrary number of characters while '?' specifies an optional single character, i.e. matches zero or one characters. The escape character is '\', so to match actual '*', '?', or '\' characters, you can put a '\' in front of them. The specified list of plugins is always used in Google Chrome if they are installed. The plugins are marked as enabled in 'about:plugins' and users cannot disable them. Note that this policy overrides both ‘DisabledPlugins’ and ‘DisabledPluginsExceptions’. If this policy is left not set the user can disable any plugin installed on the system.
Checks: C-49563r6_chk

Universal method: 1. In the omnibox (address bar) type chrome://policy 2. If EnabledPlugins is not displayed under the Policy Name column or does not contain a list of administrator approved Plugins under the Policy Value column, then this is a finding. Windows method: 1. Start regedit 2. Navigate to HKLM\Software\Policies\Google\Chrome\EnabledPlugins 3. If the EnabledPlugins key does not exist and does not contain a set of administrator approved Plugins then this is a finding. Suggested: the set or subset of Shockwave Flash, Chrome PDF Viewer, Silverlight, Java*

Fix: F-49875r5_fix

Windows group policy: 1. Open the group policy editor tool with gpedit.msc 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ Policy Name: Specify a list of enabled plugins Policy State: Enabled Policy Value 1: Shockwave Flash Policy Value 2: Chrome PDF Viewer Policy Value 3: Silverlight Policy Value 4: Java*

b
Automated installation of missing plugins must be disabled.
Medium - V-44787 - SV-57621r1_rule
RMF Control
Severity
M
CCI
Version
DTBC-0036
Vuln IDs
  • V-44787
Rule IDs
  • SV-57621r1_rule
The automatic search and installation of missing or not installed plugins should be disabled, as this can cause significant risk if an unapproved or vulnerable plugin were to be installed without proper permissions or authorization. If you set this setting to enabled, the automatic search and installation of missing plugins will be disabled in Google Chrome.
Checks: C-49565r2_chk

Universal method: 1. In the omnibox (address bar) type chrome://policy 2. If DisablePluginFinder is not displayed under the Policy Name column or it is not set to true under the Policy Value column, then this is a finding. Windows method: 1. Start regedit 2. Navigate to HKLM\Software\Policies\Google\Chrome\ 3. If the DisablePluginFinder value name does not exist or its value data is not set to 1, then this is a finding.

Fix: F-49877r2_fix

Windows group policy: 1. Open the group policy editor tool with gpedit.msc 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ Policy Name: Specify whether the plugin finder should be disabled Policy State: Enabled Policy Value: N/A

b
Online revocation checks must be done.
Medium - V-44789 - SV-57623r1_rule
RMF Control
Severity
M
CCI
Version
DTBC-0037
Vuln IDs
  • V-44789
Rule IDs
  • SV-57623r1_rule
By setting this policy to true, the previous behavior is restored and online OCSP/CRL checks will be performed. If the policy is not set, or is set to false, then Chrome will not perform online revocation checks. Certificates are revoked when they have been compromised or are no longer valid, and this option protects users from submitting confidential data to a site that may be fraudulent or not secure.
Checks: C-49567r2_chk

Universal method: 1. In the omnibox (address bar) type chrome://policy 2. If EnableOnlineRevocationChecks is not displayed under the Policy Name column or it is not set to true under the Policy Value column, then this is a finding. Windows method: 1. Start regedit 2. Navigate to HKLM\Software\Policies\Google\Chrome\ 3. If the EnableOnlineRevocationChecks value name does not exist or its value data is not set to 1, then this is a finding.

Fix: F-49879r2_fix

Windows group policy: 1. Open the group policy editor tool with gpedit.msc 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ Policy Name: Whether online OCSP/CRL checks are performed Policy State: Enabled Policy Value: N/A

b
Safe Browsing must be enabled.
Medium - V-44791 - SV-57625r1_rule
RMF Control
Severity
M
CCI
Version
DTBC-0038
Vuln IDs
  • V-44791
Rule IDs
  • SV-57625r1_rule
Enables Google Chrome's Safe Browsing feature and prevents users from changing this setting. If you enable this setting, Safe Browsing is always active. If you disable this setting, Safe Browsing is never active. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, this will be enabled but the user will be able to change it. Safe browsing uses a signature database to test sites when they are loaded to ensure they don't contain any known malware.
Checks: C-49569r2_chk

Universal method: 1. In the omnibox (address bar) type chrome://policy 2. If SafeBrowsingEnabled is not displayed under the Policy Name column or it is not set to true under the Policy Value column, then this is a finding. Windows method: 1. Start regedit 2. Navigate to HKLM\Software\Policies\Google\Chrome\ 3. If the SafeBrowsingEnabled value name does not exist or its value data is not set to 1, then this is a finding.

Fix: F-49881r2_fix

Windows group policy: 1. Open the group policy editor tool with gpedit.msc 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ Policy Name: Enable Safe Browsing Policy State: Enabled Policy Value: N/A

b
Browser history must be saved.
Medium - V-44793 - SV-57627r1_rule
RMF Control
Severity
M
CCI
Version
DTBC-0039
Vuln IDs
  • V-44793
Rule IDs
  • SV-57627r1_rule
This policy disables saving browser history in Google Chrome and prevents users from changing this setting. If this setting is enabled, browsing history is not saved. If this setting is disabled or not set, browsing history is saved.
Checks: C-49571r2_chk

Universal method: 1. In the omnibox (address bar) type chrome://policy 2. If the policy 'SavingBrowserHistoryDisabled' is not shown or is not set to false, then this is a finding. Windows method: 1. Start regedit 2. Navigate to HKLM\Software\Policies\Google\Chrome\ 3. If the SavingBrowserHistoryDisabled value name does not exist or its value data is not set to 0, then this is a finding.

Fix: F-49883r2_fix

Windows group policy: 1. Open the group policy editor tool with gpedit.msc 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ Policy Name: Disable saving browser history Policy State: Disabled Policy Value: N/A

b
Default behavior must block webpages from automatically running plugins.
Medium - V-44795 - SV-57629r2_rule
RMF Control
Severity
M
CCI
Version
DTBC-0040
Vuln IDs
  • V-44795
Rule IDs
  • SV-57629r2_rule
This policy allows you to set whether websites are allowed to automatically run plugins. Automatically running plugins can be either allowed for all websites or denied for all websites. If this policy is left not set, 'AllowPlugins' will be used and the user will be able to change it. 1 = Allow all sites to automatically run plugins 2 = Block all plugins 3 = Click to play.
Checks: C-49573r2_chk

Universal method: 1. In the omnibox (address bar) type chrome://policy 2. If the policy 'DefaultPluginsSetting' is not shown or is not set to 'Click to play', this is a finding. Windows method: 1. Start regedit 2. Navigate to HKLM\Software\Policies\Google\Chrome\DefaultPluginsSetting 3. If this key does not exist or is not set to 3, this is a finding.

Fix: F-49885r4_fix

Windows group policy: 1. Open the group policy editor tool with gpedit.msc 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings\ Policy Name: Default plugins setting Policy State: Enabled Policy Value: Click to play

b
Session only based cookies must be disabled.
Medium - V-44799 - SV-57633r2_rule
RMF Control
Severity
M
CCI
Version
DTBC-0045
Vuln IDs
  • V-44799
Rule IDs
  • SV-57633r2_rule
Policy allows you to set a list of URL patterns that specify sites which are allowed to set session only cookies. If this policy is left not set the global default value will be used for all sites either from the 'DefaultCookiesSetting' policy if it is set, or the user's personal configuration otherwise. If the 'RestoreOnStartup' policy is set to restore URLs from previous sessions this policy will not be respected and cookies will be stored permanently for those sites.
Checks: C-49577r3_chk

Universal method: 1. In the omnibox (address bar) type chrome://policy 2. If the policy 'CookiesSessionOnlyForUrls' has any defined values, this is a finding. Windows method: 1. Start regedit 2. Navigate to HKLM\Software\Policies\Google\Google Chrome\Content Settings\CookiesSessionOnlyForUrls 3. If this key does not exist or has any defined values, this is a finding.

Fix: F-49889r3_fix

Windows group policy: 1. Open the group policy editor tool with gpedit.msc 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings Policy Name: Allow session only cookies on these sites Policy State: Disabled Policy Value: N/A

b
The home page must be set to a trusted site.
Medium - V-44801 - SV-57635r2_rule
RMF Control
Severity
M
CCI
Version
DTBC-0048
Vuln IDs
  • V-44801
Rule IDs
  • SV-57635r2_rule
When a browser is started the first web page displayed is the "home page". While the home page can be selected by the user, the default home page needs to be defined to display an approved page. If no home page is defined then there is a possibility that a URL to a malicious site may be used as a home page which could effectively cause a denial of service to the browser. The browser must have an organizationally approved default home page.
Checks: C-49579r3_chk

Universal method: 1. In the omnibox (address bar) type chrome://policy 2. If HomepageLocation is not displayed under the Policy Name column or it is not set to an organizationally approved default home page. Windows method: 1. Start regedit 2. Navigate to HKLM\Software\Policies\Google\Chrome\ 3. If the HomepageLocation value name does not exist or its value data is not set to an organizationally approved default home page.

Fix: F-49891r4_fix

Windows group policy: 1. Open the group policy editor tool with gpedit.msc 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Home page Policy Name: Configure the home page URL Policy State: Enabled Policy Value: An organizationally approved default home page.

b
Browser must support auto-updates.
Medium - V-44805 - SV-57639r2_rule
RMF Control
Severity
M
CCI
Version
DTBC-0050
Vuln IDs
  • V-44805
Rule IDs
  • SV-57639r2_rule
One of the most effective defenses against exploitation of browser vulnerabilities is to ensure the version of the browser is current. Frequent updates provide corrections to discovered vulnerabilities and the timely update reduces the window for zero day attacks. Automatic installation of updates and patches is the most effective method for keeping the browser software current. The browser must have the capability to install software updates and patches automatically.
Checks: C-49583r2_chk

Windows method: 1. Start regedit 2. Navigate to HKLM\Software\Policies\Google\Update\ 3. If the AutoUpdateCheckPeriodMinutes value name does not exist or its value is set to 0 or greater than 10080, this is a finding.

Fix: F-49895r4_fix

1. Start regedit 2. Navigate to Key Path: HKLM\Software\Policies\Google\Update Value Name: AutoUpdateCheckPeriodMinutes Value Type: Boolean (REG_DWORD) Value Data: 10080 or less, but not 0.

b
URLs must be whitelisted for plugin use
Medium - V-52795 - SV-67011r1_rule
RMF Control
Severity
M
CCI
Version
DTBC-0051
Vuln IDs
  • V-52795
Rule IDs
  • SV-67011r1_rule
Checks: C-54515r1_chk

Universal method: 1. In the omnibox (address bar) type chrome://policy 2. If PluginsAllowedForUrls is not displayed under the Policy Name column or it is not set to a list of administrator approved URLs under the Policy Value column, then this is a finding. Windows method: 1. Start regedit 2. Navigate to HKLM\Software\Policies\Google\Chrome\ 3. If the PluginsAllowedForUrls key does not exist and it does not contain a list of administrator approved URLs then this is a finding. Suggested: the set or subset of *.mil and *.gov

Fix: F-57613r1_fix

Windows group policy: 1. Open the group policy editor tool with gpedit.msc 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings Policy Name: Allow plugins on these sites Policy State: Enabled Policy Value 1: *.mil Policy Value 2: *.gov
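
The "Windows method" registry checks in the rules above share one pattern, so they can be audited in a single pass. The PowerShell below is an added example, not part of the STIG or of any DISA tooling: the value names, registry paths and required data come from the check text above, while the helper names Get-PolicyValue and New-Result and the report layout are assumptions.

```powershell
# Added example: audit the Chrome policy values named in the check text above.
$chromeKey = 'HKLM:\Software\Policies\Google\Chrome'
$updateKey = 'HKLM:\Software\Policies\Google\Update'

# Value name -> value data required by the corresponding check (REG_DWORD).
$expected = [ordered]@{
    AutoFillEnabled              = 0  # V-44763
    CloudPrintProxyEnabled       = 0  # V-44765
    DnsPrefetchingEnabled        = 0  # V-44769
    MetricsReportingEnabled      = 0  # V-44771
    SearchSuggestEnabled         = 0  # V-44773
    ImportSavedPasswords         = 0  # V-44775
    IncognitoModeAvailability    = 1  # V-44777
    DisablePluginFinder          = 1  # V-44787
    EnableOnlineRevocationChecks = 1  # V-44789
    SafeBrowsingEnabled          = 1  # V-44791
    SavingBrowserHistoryDisabled = 0  # V-44793
}

# List policies: the check text looks for value name "1" under a subkey.
$expectedList = [ordered]@{
    URLBlacklist    = 'javascript://*'  # check C-49543r4_chk
    DisabledPlugins = '*'               # V-44781
}

# Hypothetical helper: returns $null when the key or value name is absent,
# which every check above treats as a finding.
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Hypothetical helper: one report row per policy.
function New-Result {
    param([string]$Policy, $Expected, $Actual, [bool]$Finding)
    [pscustomobject]@{
        Policy   = $Policy
        Expected = $Expected
        Actual   = if ($null -eq $Actual) { '<not set>' } else { $Actual }
        Finding  = $Finding
    }
}

$results = @()

foreach ($name in $expected.Keys) {
    $actual  = Get-PolicyValue -Path $chromeKey -Name $name
    $finding = ($null -eq $actual) -or ($actual -ne $expected[$name])
    $results += New-Result $name $expected[$name] $actual $finding
}

foreach ($name in $expectedList.Keys) {
    # -ne is a literal string comparison here; '*' is not treated as a wildcard.
    $actual  = Get-PolicyValue -Path "$chromeKey\$name" -Name '1'
    $finding = ($null -eq $actual) -or ($actual -ne $expectedList[$name])
    $results += New-Result "$name\1" $expectedList[$name] $actual $finding
}

# V-44805: a finding if the value is missing, 0, or greater than 10080 minutes.
$period  = Get-PolicyValue -Path $updateKey -Name 'AutoUpdateCheckPeriodMinutes'
$finding = ($null -eq $period) -or ($period -eq 0) -or ($period -gt 10080)
$results += New-Result 'AutoUpdateCheckPeriodMinutes' '1..10080' $period $finding

$results | Format-Table -AutoSize

# Non-zero exit code lets a scheduled task or CI job flag the host.
if ($results.Finding -contains $true) { exit 1 }
```

Rules whose expected value is organization-specific (HomepageLocation, EnabledPlugins, PluginsAllowedForUrls) are left out because the approved list has to come from local policy.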