From 0892a46f744c470aad02710ee8a2f473b947926c Mon Sep 17 00:00:00 2001 From: Eric Jenkins Date: Wed, 16 Dec 2020 12:15:09 -0500 Subject: [PATCH] Update PowerSTIG to Parse/Apply Google Chrome V2R1 (#803) * initial commit for Chrome * fixed parse error * fixed rule * added support for chrome * updated changelog * updated key, removed trailing " * removed tabs * updated resource * updated export function * updated * updated based on testing * Updated based on testing * updated tests * updated based on test failure * updated based on testing * updated based on testing * added registry policy file to schema * update based on feedback * updated based on feedback --- CHANGELOG.md | 2 + .../DSCResources/Chrome.config.ps1 | 57 + .../DSCResources/Chrome.integration.tests.ps1 | 47 + source/DSCResources/Chrome/Chrome.psd1 | 48 + source/DSCResources/Chrome/Chrome.schema.psm1 | 77 ++ source/Module/Common/Functions.XccdfXml.ps1 | 5 + .../Convert/Functions.SingleLine.ps1 | 17 +- .../Convert/RegistryRule.Convert.psm1 | 6 +- source/Module/Rule/Convert/Data.Chrome.ps1 | 24 + .../STIG/Convert/Functions.PowerStigXml.ps1 | 1 - source/PowerStig.psd1 | 1 + ...U_Google_Chrome_STIG_V2R1_Manual-xccdf.log | 14 + ...U_Google_Chrome_STIG_V2R1_Manual-xccdf.xml | 611 +++++++++++ .../Google-Chrome-2.1.org.default.xml | 21 + .../StigData/Processed/Google-Chrome-2.1.xml | 992 ++++++++++++++++++ 15 files changed, 1919 insertions(+), 4 deletions(-) create mode 100644 Tests/Integration/DSCResources/Chrome.config.ps1 create mode 100644 Tests/Integration/DSCResources/Chrome.integration.tests.ps1 create mode 100644 source/DSCResources/Chrome/Chrome.psd1 create mode 100644 source/DSCResources/Chrome/Chrome.schema.psm1 create mode 100644 source/Module/Rule/Convert/Data.Chrome.ps1 create mode 100644 source/StigData/Archive/Chrome/U_Google_Chrome_STIG_V2R1_Manual-xccdf.log create mode 100644 source/StigData/Archive/Chrome/U_Google_Chrome_STIG_V2R1_Manual-xccdf.xml create mode 100644 source/StigData/Processed/Google-Chrome-2.1.org.default.xml create mode 100644 source/StigData/Processed/Google-Chrome-2.1.xml diff --git a/CHANGELOG.md b/CHANGELOG.md index dbff9e85f..3d9792fd4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,9 +8,11 @@ * Update PowerSTIG to successfully parse/apply Microsoft Windows Defender Antivirus STIG - Ver 2, Rel 1: [#786](https://github.com/microsoft/PowerStig/issues/786) * Update PowerSTIG to successfully parse/apply Microsoft Windows Server 2016 STIG - Ver 2, Rel 1: [#782](https://github.com/microsoft/PowerStig/issues/782) * Update PowerSTIG to successfully parse/apply Microsoft Windows Server 2019 STIG - Ver 2, Rel 1 [#787](https://github.com/microsoft/PowerStig/issues/787) +* Update PowerSTIG to successfully parse/apply Microsoft Windows 2012 and 2012 R2 DC STIG - Ver 3, Rel 1: [#784](https://github.com/microsoft/PowerStig/issues/784) * Update PowerSTIG to include LegacyId to assist in determining Legacy Vuln Ids with the new DISA standard: [#788](https://github.com/microsoft/PowerStig/issues/788) * Update PowerSTIG to include LegacyId query via Get-StigRule function: [#800](https://github.com/microsoft/PowerStig/issues/800) * Update PowerSTIG to fix LegacyId logic: [#791](https://github.com/microsoft/PowerStig/issues/791) +* Update PowerSTIG to successfully parse/apply Google Chrome V1R19: [#709](https://github.com/microsoft/PowerStig/issues/709) ## [4.6.0] - 2020-12-01 diff --git a/Tests/Integration/DSCResources/Chrome.config.ps1 b/Tests/Integration/DSCResources/Chrome.config.ps1 new file mode 100644 index 000000000..d4303b9f7 --- /dev/null +++ b/Tests/Integration/DSCResources/Chrome.config.ps1 @@ -0,0 +1,57 @@ +configuration Chrome_config +{ + param + ( + [Parameter()] + [AllowNull()] + [string] + $TechnologyVersion, + + [Parameter()] + [AllowNull()] + [string] + $TechnologyRole, + + [Parameter(Mandatory = $true)] + [version] + $StigVersion, + + [Parameter()] + [string[]] + $SkipRule, + + [Parameter()] + [string[]] + $SkipRuleType, + + [Parameter()] + [string[]] + $SkipRuleSeverity, + + [Parameter()] + [hashtable] + $Exception, + + [Parameter()] + [object] + $OrgSettings, + + [Parameter()] + [string[]] + $ResourceParameters + ) + + Import-DscResource -ModuleName PowerStig + + Node localhost + { + $psboundParams = $PSBoundParameters + $psboundParams.Remove('TechnologyRole') + $psboundParams.Remove('ConfigurationData') + $psboundParams.Remove('TechnologyVersion') + + $resourceParamString = New-ResourceParameterString -ResourceParameters $ResourceParameters -PSBoundParams $psboundParams + $resourceScriptBlockString = New-ResourceString -ResourceParameterString $resourceParamString -ResourceName Chrome + & ([scriptblock]::Create($resourceScriptBlockString)) + } +} diff --git a/Tests/Integration/DSCResources/Chrome.integration.tests.ps1 b/Tests/Integration/DSCResources/Chrome.integration.tests.ps1 new file mode 100644 index 000000000..11f453ef1 --- /dev/null +++ b/Tests/Integration/DSCResources/Chrome.integration.tests.ps1 @@ -0,0 +1,47 @@ +using module .\helper.psm1 + +$script:DSCCompositeResourceName = ($MyInvocation.MyCommand.Name -split '\.')[0] +. $PSScriptRoot\.tests.header.ps1 + +$configFile = Join-Path -Path $PSScriptRoot -ChildPath "$($script:DSCCompositeResourceName).config.ps1" +. $configFile + +$script:DSCCompositeResourceNameUpdate = "Google-{0}" -f ($MyInvocation.MyCommand.Name -split '\.')[0] +$stigList = Get-StigVersionTable -CompositeResourceName $script:DSCCompositeResourceNameUpdate +$resourceInformation = $global:getDscResource | Where-Object -FilterScript {$PSItem.Name -eq $script:DSCCompositeResourceName} +$resourceParameters = $resourceInformation.Properties.Name + +foreach ($stig in $stigList) +{ + $orgSettingsPath = $stig.Path.Replace('.xml', '.org.default.xml') + $blankSkipRuleId = Get-BlankOrgSettingRuleId -OrgSettingPath $orgSettingsPath + $powerstigXml = [xml](Get-Content -Path $stig.Path) | + Remove-DscResourceEqualsNone | Remove-SkipRuleBlankOrgSetting -OrgSettingPath $orgSettingsPath + + $skipRule = Get-Random -InputObject $powerstigXml.RegistryRule.Rule.id + $skipRuleType = $null + $expectedSkipRuleTypeCount = 0 + $blankSkipRuleId.Count + + $skipRuleMultiple = Get-Random -InputObject $powerstigXml.RegistryRule.Rule.id -Count 2 + $skipRuleTypeMultiple = $null + $expectedSkipRuleTypeMultipleCount = 0 + $blankSkipRuleId.Count + + $singleSkipRuleSeverity = 'CAT_I' + $multipleSkipRuleSeverity = 'CAT_I', 'CAT_II' + $expectedSingleSkipRuleSeverity = Get-CategoryRule -PowerStigXml $powerstigXml -RuleCategory $singleSkipRuleSeverity + $expectedSingleSkipRuleSeverityCount = ($expectedSingleSkipRuleSeverity | Measure-Object).Count + $blankSkipRuleId.Count + $expectedMultipleSkipRuleSeverity = Get-CategoryRule -PowerStigXml $powerstigXml -RuleCategory $multipleSkipRuleSeverity + $expectedMultipleSkipRuleSeverityCount = ($expectedMultipleSkipRuleSeverity | Measure-Object).Count + $blankSkipRuleId.Count + + $getRandomExceptionRuleParams = @{ + RuleType = 'RegistryRule' + PowerStigXml = $powerstigXml + ParameterValue = 1234567 + } + $exception = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 + $exceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 + $backCompatException = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 -BackwardCompatibility + $backCompatExceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 -BackwardCompatibility + + . "$PSScriptRoot\Common.integration.ps1" +} diff --git a/source/DSCResources/Chrome/Chrome.psd1 b/source/DSCResources/Chrome/Chrome.psd1 new file mode 100644 index 000000000..442371e5a --- /dev/null +++ b/source/DSCResources/Chrome/Chrome.psd1 @@ -0,0 +1,48 @@ +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. + +@{ + + # Script module or binary module file associated with this manifest. + RootModule = 'Chrome.schema.psm1' + + # Version number of this module. + ModuleVersion = '1.0.0.0' + + # ID used to uniquely identify this module + GUID = '30cee7e3-aa8b-4f11-bcfa-01b851eecae5' + + # Author of this module + Author = 'Microsoft Corporation' + + # Company or vendor of this module + CompanyName = 'Microsoft Corporation' + + # Copyright statement for this module + Copyright = '(c) 2020 Microsoft Corporation. All rights reserved.' + + # Description of the functionality provided by this module + Description = 'Composite DSC Resource for managing Google Chrome related DISA STIGs' + + # Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export. + FunctionsToExport = @('Chrome') + + # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export. + CmdletsToExport = @() + + # Variables to export from this module + VariablesToExport = '*' + + # Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export. + AliasesToExport = @() + + # Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell. + PrivateData = @{ + + PSData = @{ + + } # End of PSData hashtable + + } # End of PrivateData hashtable + +} diff --git a/source/DSCResources/Chrome/Chrome.schema.psm1 b/source/DSCResources/Chrome/Chrome.schema.psm1 new file mode 100644 index 000000000..8da11681a --- /dev/null +++ b/source/DSCResources/Chrome/Chrome.schema.psm1 @@ -0,0 +1,77 @@ +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. + +using module ..\helper.psm1 +using module ..\..\PowerStig.psm1 + +<# + .SYNOPSIS + A composite DSC resource to manage the Chrome STIG settings + .PARAMETER BrowserVersion + The version of the Browser the STIG applies to + .PARAMETER StigVersion + The version of the STIG to apply and monitor + .PARAMETER Exception + A hash table of key value pairs that are injected into the STIG data and applied to + the target node. The title of STIG setting is tagged with the text 'Exception' to identify + the exceptions to policy across the data center when you centralize DSC log collection. + .PARAMETER OrgSettings + The path to the xml file that contains the local organizations preferred settings for STIG + items that have allowable ranges. The OrgSettings parameter also accepts a hashtable for + values that need to be modified. When a hashtable is used, the specified values take + presidence over the values defined in the org.default.xml file. + .PARAMETER SkipRule + The SkipRule Node is injected into the STIG data and applied to the target node. The title + of STIG settings are tagged with the text 'Skip' to identify the skips to policy across the + data center when you centralize DSC log collection. + .PARAMETER SkipRuleType + All STIG rule IDs of the specified type are collected in an array and passed to the Skip-Rule + function. Each rule follows the same process as the SkipRule parameter. +#> +configuration Chrome +{ + [CmdletBinding()] + param + ( + [Parameter()] + [ValidateNotNullOrEmpty()] + [version] + $StigVersion, + + [Parameter()] + [ValidateNotNullOrEmpty()] + [hashtable] + $Exception, + + [Parameter()] + [ValidateNotNullOrEmpty()] + [object] + $OrgSettings, + + [Parameter()] + [ValidateNotNullOrEmpty()] + [string[]] + $SkipRule, + + [Parameter()] + [ValidateNotNullOrEmpty()] + [string[]] + $SkipRuleType, + + [Parameter()] + [ValidateSet('CAT_I', 'CAT_II', 'CAT_III')] + [string[]] + $SkipRuleSeverity + ) + + ##### BEGIN DO NOT MODIFY ##### + $stig = [STIG]::New('Google','Chrome', $StigVersion) + $stig.LoadRules($OrgSettings, $Exception, $SkipRule, $SkipRuleType, $SkipRuleSeverity) + ##### END DO NOT MODIFY ##### + + Import-DscResource -ModuleName GPRegistryPolicyDsc -ModuleVersion 1.2.0 + Import-DscResource -ModuleName PSDSCresources -ModuleVersion 2.12.0.0 + . "$resourcePath\windows.Registry.ps1" + . "$resourcePath\windows.Script.skip.ps1" + . "$resourcePath\windows.RefreshRegistryPolicy.ps1" +} diff --git a/source/Module/Common/Functions.XccdfXml.ps1 b/source/Module/Common/Functions.XccdfXml.ps1 index 2465eddd5..dfe4cd0e3 100644 --- a/source/Module/Common/Functions.XccdfXml.ps1 +++ b/source/Module/Common/Functions.XccdfXml.ps1 @@ -429,6 +429,11 @@ function Split-BenchmarkId $returnId = 'OracleJRE_8' continue } + {$PSItem -match 'Google_Chrome_Current_Windows'} + { + $returnId = 'Google_Chrome' + continue + } {$PSItem -match "Windows"} { # The Windows Server 2012 and 2012 R2 STIGs are combined, so return the 2012R2 diff --git a/source/Module/Rule.Registry/Convert/Functions.SingleLine.ps1 b/source/Module/Rule.Registry/Convert/Functions.SingleLine.ps1 index 8fc2bd319..6cbe57b09 100644 --- a/source/Module/Rule.Registry/Convert/Functions.SingleLine.ps1 +++ b/source/Module/Rule.Registry/Convert/Functions.SingleLine.ps1 @@ -53,6 +53,12 @@ function Get-SingleLineRegistryPath foreach ($item in $global:SingleLineRegistryPath.Values) { $value = Get-SLRegistryPath -CheckContent $CheckContent -Hashtable $item + + if ($value -match "HKEY_LOCAL_MACHINE.*Chrome\\") + { + $value = $value.TrimEnd("\") + } + if ([String]::IsNullOrEmpty($value) -eq $false) { return $value | where-object {[string]::IsNullOrEmpty($_) -eq $false} @@ -259,9 +265,16 @@ function Get-RegistryValueTypeFromSLStig $valueName = Get-RegistryValueNameFromSingleLineStig -CheckContent $CheckContent # McAfee STIG isn't written in a way that ValueType can be detected via CheckContent and/or FixText - if ($CheckContent -match 'Wow6432Node\\McAfee') + if ($CheckContent -match 'Wow6432Node\\McAfee|Google\\Chrome') { - $valueType = 'DWORD' + if ($valueName -match "1|URLBlacklist") + { + $valueType = 'REG_MULTI_SZ' + } + else + { + $valueType = 'DWORD' + } } else { diff --git a/source/Module/Rule.Registry/Convert/RegistryRule.Convert.psm1 b/source/Module/Rule.Registry/Convert/RegistryRule.Convert.psm1 index ae3ea7b54..8a4067317 100644 --- a/source/Module/Rule.Registry/Convert/RegistryRule.Convert.psm1 +++ b/source/Module/Rule.Registry/Convert/RegistryRule.Convert.psm1 @@ -369,7 +369,7 @@ class RegistryRuleConvert : RegistryRule { if ($null -eq $this.DuplicateOf) { - if ($FixText -match 'Administrative Templates' -or $this.key -match "(^hkcu|^HKEY_CURRENT_USER)") + if ($FixText -match 'Administrative Templates' -or $this.key -match "(^hkcu|^HKEY_CURRENT_USER)" -or $this.ValueName -match "RemoteAccessHostFirewallTraversal") { $this.DscResource = 'RegistryPolicyFile' } @@ -405,6 +405,10 @@ class RegistryRuleConvert : RegistryRule ( $CheckContent -Match "HKLM|HKCU" -and $CheckContent -Match "REG_DWORD" + ) -or + ( + $CheckContent -Match "regedit" -and + $CheckContent -Match "omnibox" ) ) { diff --git a/source/Module/Rule/Convert/Data.Chrome.ps1 b/source/Module/Rule/Convert/Data.Chrome.ps1 new file mode 100644 index 000000000..38fe7f5a0 --- /dev/null +++ b/source/Module/Rule/Convert/Data.Chrome.ps1 @@ -0,0 +1,24 @@ +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. + +<# + Instructions: Use this file to add/update/delete regsitry expressions that are used accross + multiple technologies files that are considered commonly used. Ensure expressions are listed + from MOST Restrive to LEAST Restrictive, similar to exception handling. Also, ensure only + UNIQUE Keys are used in each hashtable to prevent errors and conflicts. +#> + +$global:SingleLineRegistryValueName += [ordered]@{ + Chrome1 = @{ + Select = '(?<=3. If the\s|\s")\w+(?=("\s|\s)value name|\skey)' + } +} + +$global:SingleLineRegistryValueData += [ordered]@{ + Chrome1 = @{ + Select = "(?<=entries 1 set to )\w+\:\/\/\*" + } + Chrome2 = @{ + Select = '(?<=its value data is not set to\s|\s\")\d+|\*' + } +} diff --git a/source/Module/STIG/Convert/Functions.PowerStigXml.ps1 b/source/Module/STIG/Convert/Functions.PowerStigXml.ps1 index 7e8b4a8a4..0ca592429 100644 --- a/source/Module/STIG/Convert/Functions.PowerStigXml.ps1 +++ b/source/Module/STIG/Convert/Functions.PowerStigXml.ps1 @@ -156,7 +156,6 @@ function Get-RegistryRuleExpressions { $spInclude += "Data.Mcafee.ps1" } - } } else diff --git a/source/PowerStig.psd1 b/source/PowerStig.psd1 index e1bd9c22a..66c30b33c 100644 --- a/source/PowerStig.psd1 +++ b/source/PowerStig.psd1 @@ -59,6 +59,7 @@ DscResourcesToExport = @( 'IisServer', 'IisSite', 'InternetExplorer', + 'Chrome', 'McAfee', 'Office', 'OracleJRE', diff --git a/source/StigData/Archive/Chrome/U_Google_Chrome_STIG_V2R1_Manual-xccdf.log b/source/StigData/Archive/Chrome/U_Google_Chrome_STIG_V2R1_Manual-xccdf.log new file mode 100644 index 000000000..3cdf176e1 --- /dev/null +++ b/source/StigData/Archive/Chrome/U_Google_Chrome_STIG_V2R1_Manual-xccdf.log @@ -0,0 +1,14 @@ +V-221561::3. If the value name DefaultPopupsSetting::3. If the DefaultPopupsSetting value name +V-221562::3. If the a registry value name of 1 does not exist under that key or its value is not set to *::3. If the 1 value name does not exist under that key or its value data is not set to * +V-221582::3. If this key "DefaultPluginsSetting"::3. If the "DefaultPluginsSetting" value name +V-221597::3. If the “::3. If the " +V-221599::3. If the key "DeveloperToolsAvailability"::3. If the "DeveloperToolsAvailability" value name +V-221596::3. If the “AutoplayWhitelist” key::If the "AutoplayWhitelist" value name +V-221563::*::HardCodedRule(RegistryRule)@{DscResource = 'RegistryPolicyFile'; Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\ExtensionInstallWhitelist'; ValueName = 'ExtensionInstallWhitelist'; ValueType = 'MultiString'; ValueData = $null; OrganizationValueTestString = "{0} -eq '1 | oiigbmnaadbkfbmpbfijlflahbdbdgdf | a list of administrator-approved extension IDs'"} +V-221564::*::HardCodedRule(RegistryRule)@{DscResource = 'RegistryPolicyFile'; Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome'; ValueName = 'DefaultSearchProviderName'; ValueType = 'String'; ValueData = $null; OrganizationValueTestString = "{0} -eq 'an organization approved encrypted search provider'"} +V-221565::*::HardCodedRule(RegistryRule)@{DscResource = 'RegistryPolicyFile'; Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome'; ValueName = 'DefaultSearchProviderSearchURL'; ValueType = 'String'; ValueData = $null; OrganizationValueTestString = "{0} -eq 'an organization-approved encrypted search string'"} +V-221585::*::HardCodedRule(RegistryRule)@{DscResource = 'RegistryPolicyFile'; Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome'; ValueName = 'PluginsAllowedForUrls'; ValueType = 'MultiString'; ValueData = $null; OrganizationValueTestString = "{0} -eq 'a list of administrator approved URLs'"} +V-221588::*::HardCodedRule(RegistryRule)@{DscResource = 'RegistryPolicyFile'; Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome'; ValueName = 'DownloadRestrictions'; ValueType = 'Dword'; ValueData = $null; OrganizationValueTestString = "{0} -eq '1|2'"} +V-221596::*::HardCodedRule(RegistryRule)@{DscResource = 'RegistryPolicyFile'; Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome'; ValueName = 'AutoplayWhitelist'; ValueType = 'MultiString'; ValueData = $null; OrganizationValueTestString = "{0} -eq 'a list of administrator-approved URLs"} +V-221589::*::HardCodedRule(RegistryRule)@{DscResource = 'RegistryPolicyFile'; Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome'; ValueName = 'SSLVersionMin'; ValueType = 'String'; ValueData = 'tls1.1'} +V-221583::*::HardCodedRule(RegistryRule)@{DscResource = 'Registry'; Ensure = 'Absent'; Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CookiesSessionOnlyForUrls'} diff --git a/source/StigData/Archive/Chrome/U_Google_Chrome_STIG_V2R1_Manual-xccdf.xml b/source/StigData/Archive/Chrome/U_Google_Chrome_STIG_V2R1_Manual-xccdf.xml new file mode 100644 index 000000000..fdae97e93 --- /dev/null +++ b/source/StigData/Archive/Chrome/U_Google_Chrome_STIG_V2R1_Manual-xccdf.xml @@ -0,0 +1,611 @@ +acceptedGoogle Chrome Current Windows Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 1 Benchmark Date: 23 Oct 20203.1.1.362251.10.02I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-APP-000039<GroupDescription></GroupDescription>DTBC-0001Firewall traversal from remote host must be disabled.<VulnDiscussion>Remote connections should never be allowed that bypass the firewall, as there is no way to verify if they can be trusted. Enables usage of STUN and relay servers when remote clients are trying to establish a connection to this machine. If this setting is enabled, then remote clients can discover and connect to this machine even if they are separated by a firewall. If this setting is disabled and outgoing UDP connections are filtered by the firewall, then this machine will only allow connections from client machines within the local network. If this policy is left not set the setting will be enabled. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081V-44711SV-57545CCI-001414Windows group policy: + 1. Open the group policy editor tool with gpedit.msc + 2. Navigate to Policy Path: Computer Configuration\Administrative\Templates\Google\Google Chrome\Configure remote access options + Policy Name: Enable firewall traversal from remote access host + Policy State: Disabled + Policy Value: N/A + +Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If RemoteAccessHostFirewallTraversal is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding. + +Windows registry: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the RemoteAccessHostFirewallTraversal value name does not exist or its value data is not set to 0, then this is a finding. +SRG-APP-000206<GroupDescription></GroupDescription>DTBC-0002Site tracking users location must be disabled.<VulnDiscussion>Website tracking is the practice of gathering information as to which websites were accesses by a browser. The common method of doing this is to have a website create a tracking cookie on the browser. If the information of what sites are being accessed is made available to unauthorized persons, this violates confidentiality requirements, and over time poses a significant OPSEC issue. This policy setting allows you to set whether websites are allowed to track the user’s physical location. Tracking the user’s physical location can be allowed by default, denied by default or the user can be asked every time a website requests the physical location. + 1 = Allow sites to track the user’s physical location + 2 = Do not allow any site to track the user’s physical location + 3 = Ask whenever a site wants to track the user’s physical location</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081V-44723SV-57557CCI-001166Windows group policy: + 1. Open the group policy editor tool with gpedit.msc + 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings\ + Policy Name: Default geolocation setting + Policy State: Enabled + Policy Value: Do not allow any site to track the users' physical location + +Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If DefaultGeolocationSetting is not displayed under the Policy Name column or it is not set to 2, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the DefaultGeolocationSetting value name does not exist or its value data is not set to 2, then this is a finding. +SRG-APP-000141<GroupDescription></GroupDescription>DTBC-0004Sites ability to show pop-ups must be disabled.<VulnDiscussion>Chrome allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. If you enable this policy setting, most unwanted pop-up windows are prevented from appearing. If you disable this policy setting, pop-up windows are not prevented from appearing. If you disable this policy setting, scripts can continue to create pop-up windows, and pop-ups that hide other windows. Recommend configuring this setting to ‘2’ to help prevent malicious websites from controlling the pop-up windows or fooling users into clicking on the wrong window. If you do not configure this policy setting, most unwanted pop-up windows are prevented from appearing. If this policy is left not set, 'BlockPopups' will be used and the user will be able to change it. + 1 = Allow all sites to show pop-ups + 2 = Do not allow any site to show pop-ups</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081V-44719SV-57553CCI-000381Windows group policy: + 1. Open the group policy editor tool with gpedit.msc + 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings\ + Policy Name: Default popups setting + Policy State: Enabled + Policy Value: Do not allow any site to show popups + +Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If DefaultPopupsSetting is not displayed under the Policy Name column or it is not set to 2, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the value name DefaultPopupsSetting does not exist or its value data is not set to 2, then this is a finding. + +Note: If AO Approved exceptions to this rule have been enabled, this is not a finding.SRG-APP-000089<GroupDescription></GroupDescription>DTBC-0005Extensions installation must be blacklisted by default.<VulnDiscussion>Extensions are developed by third party sources and are designed to extend Google Chrome's functionality. An extension can be made by anyone, to do and access almost anything on a system; this means they pose a high risk to any system that would allow all extensions to be installed by default. Allows you to specify which extensions the users can NOT install. Extensions already installed will be removed if blacklisted. A blacklist value of '*' means all extensions are blacklisted unless they are explicitly listed in the whitelist. If this policy is left not set the user can install any extension in Google Chrome.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081V-44727SV-57561CCI-000169Windows group policy: + 1. Open the group policy editor tool with gpedit.msc + 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Extensions\ + Policy Name: Configure extension installation blacklist + Policy State: Enabled + Policy Value: * + +Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If ExtensionInstallBlacklist is not displayed under the Policy Name column or it is not set to * under the Policy Value column, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ExtensionInstallBlacklist + 3. If the a registry value name of 1 does not exist under that key or its value is not set to *, then this is a finding. +SRG-APP-000210<GroupDescription></GroupDescription>DTBC-0006Extensions that are approved for use must be whitelisted. +<VulnDiscussion>The whitelist should only contain organizationally approved extensions. This is to prevent a user from accidently whitelisitng a malicious extension. This policy allows you to specify which extensions are not subject to the blacklist. A blacklist value of ‘*’ means all extensions are blacklisted and users can only install extensions listed in the whitelist. By default, no extensions are whitelisted. If all extensions have been blacklisted by policy, then the whitelist policy can be used to allow specific extensions to be installed. Administrators should determine which extensions should be allowed to be installed by their users. If no extensions are whitelisted, then no extensions can be installed when combined with blacklisting all extensions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081V-44729SV-57563CCI-001170Windows group policy: + 1. Open the group policy editor tool with gpedit.msc + 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Extensions\ + Policy Name: Configure extension installation whitelist + Policy State: Enabled + Policy Value: oiigbmnaadbkfbmpbfijlflahbdbdgdf (or 1) + +Note: oiigbmnaadbkfbmpbfijlflahbdbdgdf is the extension ID for scriptno(a commonly used Chrome extension)Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If ExtensionInstallWhitelist is not displayed under the Policy Name column or it is not set to oiigbmnaadbkfbmpbfijlflahbdbdgdf or a list of administrator approved extension IDs, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to the key HKLM\Software\Policies\Google\Chrome\ExtensionInstallWhitelist + 3. If the ExtensionInstallWhitelist key is not set to 1 or oiigbmnaadbkfbmpbfijlflahbdbdgdf or a list of administrator-approved extension IDs, then this is a finding.SRG-APP-000141<GroupDescription></GroupDescription>DTBC-0007The default search providers name must be set.<VulnDiscussion>Specifies the name of the default search provider that is to be used, if left empty or not set, the host name specified by the search URL will be used. This policy is only considered if the 'DefaultSearchProviderEnabled' policy is enabled. When doing internet searches it is important to use an encrypted connection via https.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081V-44733SV-57567CCI-000381Windows group policy: + 1. Open the group policy editor tool with gpedit.msc + 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Default search provider\ + Policy Name: Default search provider name + Policy State: Enabled + Policy Value: set to an organization approved encrypted search provider that corresponds to the encrypted search provider set in DTBC-0008(ex. Google Encrypted, Bing Encrypted) + +Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If DefaultSearchProviderName is displayed under the Policy Name column or it is not set to an organization approved encrypted search provider that corresponds to the encrypted search provider set in DTBC-0008(ex. Google Encrypted, Bing Encrypted) under the Policy Value column, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the DefaultSearchProviderName value name does not exist or it is not set to an organization approved encrypted search provider that corresponds to the encrypted search provider set in DTBC-0008(ex. Google Encrypted, Bing Encrypted), then this is a finding. +SRG-APP-000141<GroupDescription></GroupDescription>DTBC-0008The default search provider URL must be set to perform encrypted searches.<VulnDiscussion>Specifies the URL of the search engine used when doing a default search. The URL should contain the string '{searchTerms}', which will be replaced at query time by the terms the user is searching for. This option must be set when the 'DefaultSearchProviderEnabled' policy is enabled and will only be respected if this is the case. When doing internet searches it is important to use an encrypted connection via https.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081V-44735SV-57569CCI-000381If the system is on the SIPRNet, this requirement is NA. + +Windows group policy: + 1. Open the group policy editor tool with gpedit.msc + 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Default search provider\ + Policy Name: Default search provider search URL + Policy State: Enabled + Policy Value: Must be set to an organization-approved encrypted search string + (ex. https://www.google.com/search?q={searchTerms} or https://www.bing.com/search?q={searchTerms} )If the system is on the SIPRNet, this requirement is NA. + +Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If DefaultSearchProviderSearchURL is not displayed under the Policy Name column or it is not set to an organization-approved encrypted search string (ex. https://www.google.com/#q={searchTerms} or https://www.bing.com/search?q={searchTerms} ) under the Policy Value column, this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the DefaultSearchProviderSearchURL value name does not exist or its value data is not set to an organization-approved encrypted search string (ex. https://www.google.com/search?q={searchTerms} or https://www.bing.com/search?q={searchTerms} ) this is a finding.SRG-APP-000141<GroupDescription></GroupDescription>DTBC-0009Default search provider must be enabled.<VulnDiscussion>Policy enables the use of a default search provider. If you enable this setting, a default search is performed when the user types text in the omnibox that is not a URL. You can specify the default search provider to be used by setting the rest of the default search policies. If these are left empty, the user can choose the default provider. If you disable this setting, no search is performed when the user enters non-URL text in the omnibox. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, the default search provider is enabled, and the user will be able to set the search provider list.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-57571V-44737CCI-000381Windows group policy: + 1. Open the group policy editor tool with gpedit.msc + 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Default search provider\ + Policy Name: Enable the default search provider + Policy State: Enabled + Policy Value: N/A + +Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If DefaultSearchProviderEnabled is not displayed under the Policy Name column or it is not set to true under the Policy Value column, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the DefaultSearchProviderEnabled value name does not exist or its value data is not set to 1, then this is a finding. + +Note: This policy will only display in the chrome://policy tab on domain joined systems. On standalone systems, the policy will not display.SRG-APP-000141<GroupDescription></GroupDescription>DTBC-0011The Password Manager must be disabled.<VulnDiscussion>Enables saving passwords and using saved passwords in Google Chrome. Malicious sites may take advantage of this feature by using hidden fields gain access to the stored information. If you enable this setting, users can have Google Chrome memorize passwords and provide them automatically the next time they log in to a site. If you disable this setting, users are not able to save passwords or use already saved passwords. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, this will be enabled but the user will be able to change it. ListPassword manager should not be used as it stores passwords locally.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-57575V-44741CCI-000381Windows group policy: +1. Open the group policy editor tool with gpedit.msc +2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Password Manager\ +Policy Name: Enable Saving Passwords to the Password Manager +Policy State: Disabled +Policy Value: N/AUniversal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If PasswordManagerEnabled is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the PasswordManagerEnabled value name does not exist or its value data is not set to 0, then this is a finding. +SRG-APP-000276<GroupDescription></GroupDescription>DTBC-0013The running of outdated plugins must be disabled.<VulnDiscussion>Running outdated plugins could lead to system compromise through the use of known exploits. Having plugins that updated to the most current version ensures the smallest attack surfuce possible. If you enable this setting, outdated plugins are used as normal plugins. If you disable this setting, outdated plugins will not be used and users will not be asked for permission to run them. If this setting is not set, users will be asked for permission to run outdated plugins.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-57579V-44745CCI-001240Windows group policy: + 1. Open the group policy editor tool with gpedit.msc + 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ + Policy Name: Allow running plugins that are outdated + Policy State: Disabled + Policy Value: N/A +Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If AllowOutdatedPlugins is not displayed under the Policy Name column or it is not set to false under the Policy Name column, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome + 3. If the AllowOutdatedPlugins value name does not exist or its value data is not set to 0, then this is a finding. +SRG-APP-000112<GroupDescription></GroupDescription>DTBC-0017Background processing must be disabled.<VulnDiscussion>Determines whether a Google Chrome process is started on OS login that keeps running when the last browser window is closed, allowing background apps to remain active. The background process displays an icon in the system tray and can always be closed from there. If this policy is set to True, background mode is enabled and cannot be controlled by the user in the browser settings. If this policy is set to False, background mode is disabled and cannot be controlled by the user in the browser settings. If this policy is left unset, background mode is initially disabled and can be controlled by the user in the browser settings.' - Google Chrome Administrators Policy ListThis setting, if enabled, allows Google Chrome to run at all times. There is two reasons that this is not wanted. First, it can tie up system resources that might otherwise be needed. Second, it does not make it obvious to the user that it is running and poorly written extensions could cause instability on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-57587V-44753CCI-001695Windows group policy: + 1. Open the group policy editor tool with gpedit.msc + 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ + Policy Name: Continue running background apps when Google Chrome is closed + Policy State: Disabled + Policy Value: N/AUniversal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If BackgroundModeEnabled is not displayed under the Policy Name column and it is not set to false under the Policy Value column, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the BackgroundModeEnabled value name does not exist or its value data is not set to 0, then this is a finding. +SRG-APP-000047<GroupDescription></GroupDescription>DTBC-0020Google Data Synchronization must be disabled.<VulnDiscussion>Disables data synchronization in Google Chrome using Google-hosted synchronization services and prevents users from changing this setting. If you enable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set the user will be able to enable Google Sync. Google Sync is used to sync information between different user devices, this data is then stored on Google owned servers. The synced data may consist of information such as email, calendars, viewing history, etc. This feature must be disabled because the organization does not have control over the servers the data is stored on.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-57593V-44759CCI-001374Windows group policy: + 1. Open the group policy editor tool with gpedit.msc + 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ + Policy Name: Disable synchronization of data with Google + Policy State: Enabled + Policy Value: N/AUniversal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If SyncDisabled is not displayed under the Policy Name column or it is not set to true under the Policy Value column, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the SyncDisabled value name does not exist or its value data is not set to 1, then this is a finding. +SRG-APP-000141<GroupDescription></GroupDescription>DTBC-0021The URL protocol schema javascript must be disabled.<VulnDiscussion>Each access to a URL is handled by the browser according to the URL's "scheme". The "scheme" of a URL is the section before the ":". The term "protocol" is often mistakenly used for a "scheme". The difference is that the scheme is how the browser handles a URL and the protocol is how the browser communicates with a service. If a scheme or its associated protocol used by a browser is insecure or obsolete, vulnerabilities can be exploited resulting in exposed data or unrestricted access to the browser's system. The browser must be configured to disable the use of insecure and obsolete schemas (protocols). +This policy disables the listed protocol schemes in Google Chrome, URLs using a scheme from this list will not load and cannot be navigated to. If this policy is left not set or the list is empty all schemes will be accessible in Google Chrome.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-57595V-44761CCI-000381Windows group policy: + 1. Open the group policy editor tool with gpedit.msc + 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ + Policy Name: Block access to a list of URLs + Policy State: Enabled + Policy Value 1: javascript://*Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If URLBlacklist is not displayed under the Policy Name column or it is not set to javascript://* under the Policy Value column, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\URLBlacklist + 3. If the URLBlacklist key does not exist, or the does not contain entries 1 set to javascript://*, then this is a finding. + +SRG-APP-000047<GroupDescription></GroupDescription>DTBC-0023Cloud print sharing must be disabled.<VulnDiscussion>Policy enables Google Chrome to act as a proxy between Google Cloud Print and legacy printers connected to the machine. If this setting is enabled or not configured, users can enable the cloud print proxy by authentication with their Google account. If this setting is disabled, users cannot enable the proxy, and the machine will not be allowed to share it’s printers with Google Cloud Print. If this policy is not set, this will be enabled but the user will be able to change it.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-57599V-44765CCI-001374Windows group policy: + 1. Open the group policy editor tool with gpedit.msc + 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ + Policy Name: Enable Google Cloud Print proxy + Policy State: Disabled + Policy Value: N/AUniversal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If CloudPrintProxyEnabled is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the CloudPrintProxyEnabled value name does not exist or its value data is not set to 0, then this is a finding.SRG-APP-000516<GroupDescription></GroupDescription>DTBC-0025Network prediction must be disabled.<VulnDiscussion>Enables network prediction in Google Chrome and prevents users from changing this setting. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, this will be disabled but the user will be able to change it.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-57603V-44769CCI-000366Windows group policy: +1. Open the group policy editor tool with gpedit.msc +2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ +Policy Name: Enable network prediction +Policy State: Enabled +Policy Value: Do not predict network actions on any network connectionUniversal method: +1. In the omnibox (address bar) type chrome://policy +2. If "NetworkPredictionOptions" is not displayed under the “Policy Name” column or it is not set to "2" under the “Policy Value” column, this is a finding. +Windows method: +1. Start regedit +2. Navigate to HKLM\Software\Policies\Google\Chrome\ +3. If the "NetworkPredictionOptions" value name does not exist or its value data is not set to "2," this is a finding.SRG-APP-000141<GroupDescription></GroupDescription>DTBC-0026Metrics reporting to Google must be disabled.<VulnDiscussion>Enables anonymous reporting of usage and crash-related data about Google Chrome to Google and prevents users from changing this setting. If you enable this setting, anonymous reporting of usage and crash-related data is sent to Google. A crash report could contain sensitive information from the computer's memory. If you disable this setting, anonymous reporting of usage and crash-related data is never sent to Google. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set the setting will be what the user chose upon installation / first run.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-57605V-44771CCI-000381Windows group policy: + 1. Open the group policy editor tool with gpedit.msc + 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ + Policy Name: Enable reporting of usage and crash-related data + Policy State: Disabled + Policy Value: N/AUniversal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If MetricsReportingEnabled is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the MetricsReportingEnabled value name does not exist or its value data is not set to 0, then this is a finding. + +Note: This policy will only display in the chrome://policy tab on domain joined systems. On standalone systems, the policy will not display.SRG-APP-000141<GroupDescription></GroupDescription>DTBC-0027Search suggestions must be disabled.<VulnDiscussion>Search suggestion should be disabled as it could lead to searches being conducted that were never intended to be made. Enables search suggestions in Google Chrome's omnibox and prevents users from changing this setting. If you enable this setting, search suggestions are used. If you disable this setting, search suggestions are never used. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, this will be enabled but the user will be able to change it.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081V-44773SV-57607CCI-000381Windows group policy: + 1. Open the group policy editor tool with gpedit.msc + 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ + Policy Name: Enable search suggestions + Policy State: Disabled + Policy Value: N/AUniversal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If SearchSuggestEnabled is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the SearchSuggestEnabled value name does not exist or its value data is not set to 0, then this is a finding. +SRG-APP-000141<GroupDescription></GroupDescription>DTBC-0029Importing of saved passwords must be disabled.<VulnDiscussion>Importing of saved passwords should be disabled as it could lead to unencrypted account passwords stored on the system from another browser to be viewed. This policy forces the saved passwords to be imported from the previous default browser if enabled. If enabled, this policy also affects the import dialog. If disabled, the saved passwords are not imported. If it is not set, the user may be asked whether to import, or importing may happen automatically.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081V-44775SV-57609CCI-000381Windows group policy: + 1. Open the group policy editor tool with gpedit.msc + 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ + Policy Name: Import saved passwords from default browser on first run + Policy State: Disabled + Policy Value: N/AUniversal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If ImportSavedPasswords is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the ImportSavedPasswords value name does not exist or its value data is not set to 0, then this is a finding.SRG-APP-000080<GroupDescription></GroupDescription>DTBC-0030Incognito mode must be disabled.<VulnDiscussion>Incognito mode allows the user to browse the Internet without recording their browsing history/activity. From a forensics perspective, this is unacceptable. Best practice requires that browser history is retained. The "IncognitoModeAvailability" setting controls whether the user may utilize Incognito mode in Google Chrome. If 'Enabled' is selected or the policy is left unset, pages may be opened in Incognito mode. If 'Disabled' is selected, pages may not be opened in Incognito mode. If 'Forced' is selected, pages may be opened ONLY in Incognito mode. + 0 = Incognito mode available. + 1 = Incognito mode disabled. + 2 = Incognito mode forced.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081V-44777SV-57611CCI-000166Windows group policy: + 1. Open the group policy editor tool with gpedit.msc + 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ + Policy Name: Incognito mode availability + Policy State: Enabled + Policy Value: Incognito mode disabledUniversal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If IncognitoModeAvailability is not displayed under the Policy Name column or it is not set to 1 under the Policy Value column, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the IncognitoModeAvailability value name does not exist or its value data is not set to 1, then this is a finding. +SRG-APP-000605<GroupDescription></GroupDescription>DTBC-0037Online revocation checks must be done.<VulnDiscussion>By setting this policy to true, the previous behavior is restored and online OCSP/CRL checks will be performed. If the policy is not set, or is set to false, then Chrome will not perform online revocation checks. Certificates are revoked when they have been compromised or are no longer valid, and this option protects users from submitting confidential data to a site that may be fraudulent or not secure.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081V-44789SV-57623CCI-000185Windows group policy: + 1. Open the group policy editor tool with gpedit.msc + 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ + Policy Name: Whether online OCSP/CRL checks are performed + Policy State: Enabled + Policy Value: N/A +Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If EnableOnlineRevocationChecks is not displayed under the Policy Name column or it is not set to true under the Policy Value column, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the EnableOnlineRevocationChecks value name does not exist or its value data is not set to 1, then this is a finding. +SRG-APP-000206<GroupDescription></GroupDescription>DTBC-0038Safe Browsing must be enabled,<VulnDiscussion>Enables Google Chrome's Safe Browsing feature and prevents users from changing this setting. If you enable this setting, Safe Browsing is always active. If you disable this setting, Safe Browsing is never active. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, this will be enabled but the user will be able to change it. Safe browsing uses a signature database to test sites when they are be loaded to ensure they don't contain any known malware.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081V-44791SV-57625CCI-001166Windows group policy: + 1. Open the “group policy editor” tool with gpedit.msc + 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Safe Browsing Settings + Policy Name: Enable Safe Browsing + Policy State: Enabled + Policy Value: N/AUniversal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If SafeBrowsingEnabled is not displayed under the Policy Name column or it is not set to true under the Policy Value column, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the SafeBrowsingEnabled value name does not exist or its value data is not set to 1, then this is a finding. +SRG-APP-000231<GroupDescription></GroupDescription>DTBC-0039Browser history must be saved.<VulnDiscussion>This policy disables saving browser history in Google Chrome and prevents users from changing this setting. If this setting is enabled, browsing history is not saved. If this setting is disabled or not set, browsing history is saved.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081V-44793SV-57627CCI-001199Windows group policy: + 1. Open the group policy editor tool with gpedit.msc + 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ + Policy Name: Disable saving browser history + Policy State: Disabled + Policy Value: N/AUniversal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If the policy 'SavingBrowserHistoryDisabled' is not shown or is not set to false, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the SavingBrowserHistoryDisabled value name does not exist or its value data is not set to 0, then this is a finding. +SRG-APP-000089<GroupDescription></GroupDescription>DTBC-0040Default behavior must block webpages from automatically running plugins.<VulnDiscussion>This policy allows you to set whether websites are allowed to automatically run the Flash plugin. Automatically running the Flash plugin can be either allowed for all websites or denied for all websites. If this policy is left not set, the user will be able to change this setting manually. + 1 = Allow all sites to automatically run Flash plugin + 2 = Block the Flash plugin + 3 = Click to play</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081V-44795SV-57629CCI-000169Windows group policy: + 1. Open the group policy editor tool with gpedit.msc + 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings\ + Policy Name: Default Flash setting + Policy State: Enabled + Policy Value: Click to playUniversal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If the policy "DefaultPluginsSetting" is not shown or is not set to "3", this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\DefaultPluginsSetting + 3. If this key "DefaultPluginsSetting" does not exist or is not set to "3", this is a finding.SRG-APP-000080<GroupDescription></GroupDescription>DTBC-0045Session only based cookies must be disabled.<VulnDiscussion>Policy allows you to set a list of URL patterns that specify sites which are allowed to set session only cookies. If this policy is left not set the global default value will be used for all sites either from the 'DefaultCookiesSetting' policy if it is set, or the user's personal configuration otherwise. If the 'RestoreOnStartup' policy is set to restore URLs from previous sessions this policy will not be respected and cookies will be stored permanently for those sites.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081V-44799SV-57633CCI-000166Windows group policy: + 1. Open the group policy editor tool with gpedit.msc + 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings + Policy Name: Allow session only cookies on these sites + Policy State: Disabled + Policy Value: N/AUniversal method: +1. In the omnibox (address bar) type chrome://policy +2. If the policy ”CookiesSessionOnlyForUrls” exists, and has any defined values, this is a finding. +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\CookiesSessionOnlyForUrls + 3. If this key exists and has any defined values, this is a finding.SRG-APP-000456<GroupDescription></GroupDescription>DTBC-0050The version of Google Chrome running on the system must be a supported version.<VulnDiscussion>Google Chrome is being continually updated by the vendor in order to address identified security vulnerabilities. Running an older version of the browser can introduce security vulnerabilities to the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081V-44805SV-57639CCI-002605Install a supported version of Google Chrome.Universal method: +1. In the omnibox (address bar) type chrome://settings/help +2. Cross-reference the build information displayed with the Google Chrome site to identify, at minimum, the oldest supported build available. As of July 2019, this is 74.x.x. +3. If the installed version of Chrome is not supported by Google, this is a finding.SRG-APP-000141<GroupDescription></GroupDescription>DTBC-0051URLs must be whitelisted for plugin use<VulnDiscussion>This policy allows you to set a list of URL patterns that specify sites which are allowed to run the Flash plugin. If this policy is left not set, the global default value will be used for all sites either from the "DefaultPluginsSetting" policy if it is set, or the user’s personal configuration otherwise. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081V-52795SV-67011CCI-000381Windows group policy: + 1. Open the group policy editor tool with gpedit.msc + 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings + Policy Name: Allow the Flash plugin on these sites + Policy State: Enabled + Policy Value 1: [*.]mil + Policy Value 2: [*.]govUniversal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If PluginsAllowedForUrls is not displayed under the Policy Name column or it is not set to a list of administrator approved URLs under the Policy Value column, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the PluginsAllowedForUrls key does not exist and it does not contain a list of administrator approved URLs then this is a finding. + +Suggested: the set or subset of [*.]mil and [*.]govSRG-APP-000089<GroupDescription></GroupDescription>DTBC-0052Deletion of browser history must be disabled.<VulnDiscussion>Disabling this function will prevent users from deleting their browsing history, which could be used to identify malicious websites and files that could later be used for anti-virus and Intrusion Detection System (IDS) signatures. Furthermore, preventing users from deleting browsing history could be used to identify abusive web surfing on government systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081V-75165SV-89845CCI-000169Windows group policy: + 1. Open the group policy editor tool with gpedit.msc + 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ + Policy Name: Enable deleting browser and download history + Policy State: Disabled + Policy Value: N/AUniversal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If the policy "AllowDeletingBrowserHistory" is not shown or is not set to false, this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the "AllowDeletingBrowserHistory" value name does not exist or its value data is not set to "0", this is a finding.SRG-APP-000089<GroupDescription></GroupDescription>DTBC-0053Prompt for download location must be enabled.<VulnDiscussion>If the policy is enabled, the user will be asked where to save each file before downloading. If the policy is disabled, downloads will start immediately, and the user will not be asked where to save the file. If the policy is not configured, the user will be able to change this setting.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-94633V-79929CCI-000169Windows group policy: +1. Open the group policy editor tool with gpedit.msc +2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ + Policy Name: Ask where to save each file before downloading + Policy State: Enabled + Policy Value: N/AUniversal method: +1. In the omnibox (address bar) type chrome:// policy +2. If "PromptForDownloadLocation" is not displayed under the "Policy Name" column or it is not set to "true" under the "Policy Value" column, then this is a finding. +Windows method: +1. Start regedit +2. Navigate to HKLM\Software\Policies\Google\Chrome\ +3. If the "PromptForDownloadLocation" value name does not exist or its value data is not set to "1", this is a finding.SRG-APP-000089<GroupDescription></GroupDescription>DTBC-0055Download restrictions must be configured.<VulnDiscussion>Configure the type of downloads that Google Chrome will completely block, without letting users override the security decision. If you set this policy, Google Chrome will prevent certain types of downloads, and will not let user bypass the security warnings. When the "Block dangerous downloads" option is chosen, all downloads are allowed, except for those that carry SafeBrowsing warnings. When the "Block potentially dangerous downloads" option is chosen, all downloads allowed, except for those that carry SafeBrowsing warnings of potentially dangerous downloads. When the "Block all downloads" option is chosen, all downloads are blocked. When this policy is not set, (or the "No special restrictions" option is chosen), the downloads will go through the usual security restrictions based on SafeBrowsing analysis results. + +Note that these restrictions apply to downloads triggered from web page content, as well as the 'download link...' context menu option. These restrictions do not apply to the save / download of the currently displayed page, nor does it apply to saving as PDF from the printing options. See https://developers.google.com/safe-browsing for more info on SafeBrowsing. +0 = No special restrictions +1 = Block dangerous downloads +2 = Block potentially dangerous downloads +3 = Block all downloads</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-94635V-79931CCI-000169If the system is on the SIPRNet, this requirement is NA. +Windows group policy: +1. Open the group policy editor tool with gpedit.msc +2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ +Policy Name: Allow download restrictions +Policy State: 1 or 2 +Policy Value: N/AIf the system is on the SIPRNet, this requirement is NA. +Universal method: +1. In the omnibox (address bar) type chrome:// policy +2. If "DownloadRestrictions" is not displayed under the "Policy Name" column or it is not set to "1" or "2" under the "Policy Value" column, then this is a finding. + +Windows method: +1. Start regedit +2. Navigate to HKLM\Software\Policies\Google\Chrome\ +3. If the "DownloadRestrictions" value name does not exist or its value data is not set to "1" or "2", then this is a finding.SRG-APP-000416<GroupDescription></GroupDescription>DTBC-0056Chrome must be configured to allow only TLS.<VulnDiscussion>If this policy is not configured then Google Chrome uses a default minimum version, which is TLS 1.0. Otherwise, it may be set to one of the following values: "tls1", "tls1.1" or "tls1.2". +When set, Google Chrome will not use SSL/TLS versions less than the specified version. An unrecognized value will be ignored. +"tls1" = TLS 1.0 +"tls1.1" = TLS 1.1 +"tls1.2" = TLS 1.2</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-96297V-81583CCI-002450Windows group policy: + 1. Open the “group policy editor” tool with gpedit.msc. + 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ + Policy Name: Minimum SSL version enabled + Policy State: Enabled + Policy Value: TLS 1.1Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If "SSLVersionMin" is not displayed under the "Policy Name" column or it is not set to "tls1.1", this is a finding. +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the "SSLVersionMin" value name does not exist or its value data is not set to "tls1.1", this is a finding.SRG-APP-000206<GroupDescription></GroupDescription>DTBC-0057Safe Browsing Extended Reporting must be disabled.<VulnDiscussion>Enables Google Chrome's Safe Browsing Extended Reporting and prevents users from changing this setting. Extended Reporting sends some system information and page content to Google servers to help detect dangerous apps and sites. +If the setting is set to "True", then reports will be created and sent whenever necessary (such as when a security interstitial is shown). +If the setting is set to "False", reports will never be sent. +If this policy is set to "True" or "False", the user will not be able to modify the setting. +If this policy is left unset, the user will be able to change the setting and decide whether to send reports or not.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-96299V-81585CCI-001166Windows group policy: +1. Open the “group policy editor” tool with gpedit.msc +2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Safe Browsing settings\ +Policy Name: Enable Safe Browsing Extended Reporting +Policy State: Disabled +Policy Value: N/AUniversal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If "SafeBrowsingExtendedReportingEnabled" is not displayed under the "Policy Name" column or it is not set to "False", this is a finding. +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the "SafeBrowsingExtendedReportingEnabled" value name does not exist or its value data is not set to "0", this is a finding.SRG-APP-000141<GroupDescription></GroupDescription>DTBC-0058WebUSB must be disabled.<VulnDiscussion>Allows you to set whether websites are allowed to get access to connected USB devices. Access can be completely blocked, or the user can be asked every time a website wants to get access to connected USB devices. +If this policy is left not set, ”3” will be used, and the user will be able to change it. +2 = Do not allow any site to request access to USB devices via the WebUSB API +3 = Allow sites to ask the user to grant access to a connected USB device</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-96301V-81587CCI-000381Windows group policy: + 1. Open the “group policy editor” tool with gpedit.msc + 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings + Policy Name: Control use of the WebUSB API + Policy State: Enabled + Policy Value: 2 +Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If "DefaultWebUsbGuardSetting" is not displayed under the "Policy Name" column or it is not set to "2", this is a finding. +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the "DefaultWebUsbGuardSetting" value name does not exist or its value data is not set to "2", this is a finding.SRG-APP-000089<GroupDescription></GroupDescription>DTBC-0060Chrome Cleanup must be disabled.<VulnDiscussion>If set to “False”, prevents Chrome Cleanup from scanning the system for unwanted software and performing cleanups. Manually triggering Chrome Cleanup from chrome://settings/cleanup is disabled. +If set to “True” or unset, Chrome Cleanup periodically scans the system for unwanted software and should any be found, will ask the user if they wish to remove it. Manually triggering Chrome Cleanup from chrome://settings is enabled. +This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-96305V-81591CCI-000169Windows group policy: +1. Open the “group policy editor” tool with gpedit.msc +2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome +Policy Name: Enables Chrome Cleanup on Windows +Policy State: Disabled +Policy Value: N/AUniversal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If "ChromeCleanupEnabled" is not displayed under the "Policy Name" column or it is not set to "False", this is a finding. +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the "ChromeCleanupEnabled" value name does not exist or its value data is not set to "0", this is a finding.SRG-APP-000089<GroupDescription></GroupDescription>DTBC-0061Chrome Cleanup reporting must be disabled.<VulnDiscussion>If unset, should Chrome Cleanup detect unwanted software, it may report metadata about the scan to Google in accordance with policy set by “SafeBrowsingExtendedReportingEnabled”. Chrome Cleanup will then ask the user if they wish to clean up the unwanted software. The user can choose to share results of the cleanup with Google to assist with future unwanted software detection. These results contain file metadata and registry keys as described by the Chrome Privacy Whitepaper. +If set to “false”, should Chrome Cleanup detect unwanted software, it will not report metadata about the scan to Google, overriding any policy set by “SafeBrowsingExtendedReportingEnabled”. Chrome Cleanup will ask the user if they wish to clean up the unwanted software. Results of the cleanup will not be reported to Google and the user will not have the option to do so. +If set to “true”, should Chrome Cleanup detect unwanted software, it may report metadata about the scan to Google in accordance with policy set by “SafeBrowsingExtendedReportingEnabled”. Chrome Cleanup will ask the user if they wish to clean up the unwanted software. Results of the cleanup will be reported to Google and the user will not have the option to prevent it. +This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-96307V-81593CCI-000169Windows group policy: +1. Open the “group policy editor” tool with gpedit.msc +2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome +Policy Name: Control how Chrome Cleanup reports data to Google +Policy State: Disabled +Policy Value: N/AUniversal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If "ChromeCleanupReportingEnabled" is not displayed under the "Policy Name" column or it is not set to "False", this is a finding. +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the "ChromeCleanupReportingEnabled" value name does not exist or its value data is not set to "0", this is a finding.SRG-APP-000141<GroupDescription></GroupDescription>DTBC-0063Google Cast must be disabled.<VulnDiscussion>If this policy is set to ”True” or is not set, Google Cast will be enabled, and users will be able to launch it from the app menu, page context menus, media controls on Cast-enabled websites, and (if shown) the “Cast toolbar” icon. +If this policy set to ”False”, Google Cast will be disabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-96311V-81597CCI-000381Windows group policy: +1. Open the “group policy editor” tool with gpedit.msc +2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Google Cast +Policy Name: Enable Google Cast +Policy State: Disabled +Policy Value: N/AUniversal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If "EnableMediaRouter" is not displayed under the "Policy Name" column or it is not set to "False", this is a finding. +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the "EnableMediaRouter" value name does not exist or its value data is not set to "0", this is a finding.SRG-APP-000141<GroupDescription></GroupDescription>DTBC-0064Autoplay must be disabled.<VulnDiscussion>Allows you to control if videos can play automatically (without user consent) with audio content in Google Chrome. +If the policy is set to “True”, Google Chrome is allowed to autoplay media. If the policy is set to “False”, Google Chrome is not allowed to autoplay media. The “AutoplayWhitelist” policy can be used to override this for certain URL patterns. By default, Google Chrome is not allowed to autoplay media. The “AutoplayWhitelist” policy can be used to override this for certain URL patterns.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-96295V-81581CCI-000381Windows group policy: +1. Open the “group policy editor” tool with gpedit.msc +2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ +Policy Name: Allow media autoplay +Policy State: Disabled +Policy Value: N/AUniversal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If "AutoplayAllowed" is not displayed under the "Policy Name" column or it is not set to "False", this is a finding. +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the "AutoplayAllowed" value name does not exist or its value data is not set to "0", this is a finding.SRG-APP-000210<GroupDescription></GroupDescription>DTBC-0065URLs must be whitelisted for Autoplay use.<VulnDiscussion>Controls the whitelist of URL patterns that autoplay will always be enabled on. +If the “AutoplayAllowed” policy is set to “True” then this policy will have no effect. +If the “AutoplayAllowed” policy is set to “False” then any URL patterns set in this policy will still be allowed to play.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-96303V-81589CCI-001170Windows group policy: +1. Open the “group policy editor” tool with gpedit.msc +2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome +Policy Name: Allow media autoplay on a whitelist of URL patterns +Policy State: Enabled +Policy Value 1: [*.]mil +Policy Value 2: [*.]govUniversal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If “AutoplayWhitelist” is not displayed under the “Policy Name” column or it is not set to a list of administrator-approved URLs under the “Policy Value” column, this is a finding. +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the “AutoplayWhitelist” key does not exist and it does not contain a list of administrator-approved URLs, this is a finding. +Suggested: the set or subset of [*.]mil and [*.]govSRG-APP-000206<GroupDescription></GroupDescription>DTBC-0066Anonymized data collection must be disabled.<VulnDiscussion>Enable URL-keyed anonymized data collection in Google Chrome and prevent users from changing this setting. +URL-keyed anonymized data collection sends URLs of pages the user visits to Google to make searches and browsing better. +If you enable this policy, URL-keyed anonymized data collection is always active. +If you disable this policy, URL-keyed anonymized data collection is never active. +If this policy is left not set, URL-keyed anonymized data collection will be enabled but the user will be able to change it.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081V-91203SV-101303CCI-001166Windows group policy: +1. Open the group policy editor tool with gpedit.msc +2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ +Policy Name: Enable URL-keyed anonymized data collection +Policy State: Disabled +Policy Value: NAUniversal method: +1. In the omnibox (address bar) type chrome://policy +2. If "UrlKeyedAnonymizedDataCollectionEnabled" is not displayed under the “Policy Name” column or it is not set to "0" under the “Policy Value” column, this is a finding. +Windows method: +1. Start regedit +2. Navigate to HKLM\Software\Policies\Google\Chrome\ +3. If the “UrlKeyedAnonymizedDataCollectionEnabled" value name does not exist or its value data is not set to "0," this is a finding.SRG-APP-000206<GroupDescription></GroupDescription>DTBC-0067Collection of WebRTC event logs must be disabled.<VulnDiscussion>If the policy is set to “true”, Google Chrome is allowed to collect WebRTC event logs from Google services (e.g., Google Meet), and upload those logs to Google. +If the policy is set to “false”, or is unset, Google Chrome may not collect nor upload such logs. +These logs contain diagnostic information helpful when debugging issues with audio or video calls in Chrome, such as the time and size of sent and received RTP packets, feedback about congestion on the network, and metadata about time and quality of audio and video frames. These logs do not contain audio or video contents from the call. +This data collection by Chrome can only be triggered by Google's web services, such as Google Hangouts or Google Meet.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081V-91205SV-101305CCI-001166Windows group policy: +1. Open the group policy editor tool with gpedit.msc +2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ +Policy Name: Allow collection of WebRTC event logs from Google services +Policy State: Disabled +Policy Value: NAUniversal method: +1. In the omnibox (address bar) type chrome://policy +2. If "WebRtcEventLogCollectionAllowed" is not displayed under the “Policy Name” column or it is not set to "0" under the “Policy Value” column, this is a finding. +Windows method: +1. Start regedit +2. Navigate to HKLM\Software\Policies\Google\Chrome\ +3. If the "WebRtcEventLogCollectionAllowed" value name does not exist or its value data is not set to "0," this is a finding.SRG-APP-000266<GroupDescription></GroupDescription>DTBC-0068Chrome development tools must be disabled.<VulnDiscussion>While the risk associated with browser development tools is more related to the proper design of a web application, a risk vector remains within the browser. The developer tools allow end users and application developers to view and edit all types of web application related data via the browser. Page elements, source code, javascript, API calls, application data, etc. may all be viewed and potentially manipulated. Manipulation could be useful for troubleshooting legitimate issues, and this may be performed in a development environment. Manipulation could also be malicious and must be addressed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081V-97525SV-106629CCI-001312Windows group policy: +1. Open the "group policy editor" tool with gpedit.msc +2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome +Policy Name: Control where Developer Tools can be used +Policy State: Enabled +Policy Value: Disallow usage of the Developer ToolsUniversal method: +1. In the omnibox (address bar) type chrome://policy +2. If the policy "DeveloperToolsAvailability" is not shown or is not set to "2", this is a finding. + +Windows method: +1. Start regedit +2. Navigate to HKLM\Software\Policies\Google\Chrome\ +3. If the key "DeveloperToolsAvailability" does not exist or is not set to "2", this is a finding.SRG-APP-000206<GroupDescription></GroupDescription>DTBC-0069Guest Mode must be disabled.<VulnDiscussion>If this policy is set to true or not configured, Google Chrome will enable guest logins. Guest logins are Google Chrome profiles where all windows are in incognito mode. + +If this policy is set to false, Google Chrome will not allow guest profiles to be started.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081V-102867SV-111829CCI-001166Windows group policy: +1. Open the "group policy editor" tool with gpedit.msc +2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ +Policy Name: Enable guest mode in browser +Policy State: DisabledUniversal method: +1. In the omnibox (address bar) type chrome://policy +2. If BrowserGuestModeEnabled is not displayed under the Policy Name column or it is not set to 0 under the Policy Value column, this is a finding. + +Windows method: +1. Start regedit +2. Navigate to HKLM\Software\Policies\Google\Chrome\ +3. If the BrowserGuestModeEnabled value name does not exist or its value data is not set to 0, this is a finding.SRG-APP-000206<GroupDescription></GroupDescription>DTBC-0070AutoFill for credit cards must be disabled.<VulnDiscussion>Enabling Google Chrome's AutoFill feature allows users to auto complete credit card information in web forms using previously stored information. +If this setting is disabled, Autofill will never suggest or fill credit card information, nor will it save additional credit card information that the user might submit while browsing the web. + +If this setting is enabled or has no value, the user will be able to control Autofill for credit cards in the UI.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081V-102869SV-111831CCI-001166Windows group policy: +1. Open the "group policy editor" tool with gpedit.msc +2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ +Policy Name: Enable AutoFill for credit cards +Policy State: DisabledUniversal method: +1. In the omnibox (address bar) type chrome://policy +2. If AutofillCreditCardEnabled is not displayed under the Policy Name column or it is not set to 0 under the Policy Value column, this is a finding. + +Windows method: +1. Start regedit +2. Navigate to HKLM\Software\Policies\Google\Chrome\ +3. If the AutofillCreditCardEnabled value name does not exist or its value data is not set to 0, this is a finding.SRG-APP-000206<GroupDescription></GroupDescription>DTBC-0071AutoFill for addresses must be disabled.<VulnDiscussion>Enabling Google Chrome's AutoFill feature allows users to auto complete address information in web forms using previously stored information. +If this setting is disabled, Autofill will never suggest or fill address information, nor will it save additional address information that the user might submit while browsing the web. + +If this setting is enabled or has no value, the user will be able to control Autofill for addresses in the UI.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-111833V-102871CCI-001166Windows group policy: +1. Open the "group policy editor" tool with gpedit.msc +2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ +Policy Name: Enable AutoFill for addresses +Policy State: DisabledUniversal method: +1. In the omnibox (address bar) type chrome://policy +2. If AutofillAddressEnabled is not displayed under the Policy Name column or it is not set to 0 under the Policy Value column, this is a finding. + +Windows method: +1. Start regedit +2. Navigate to HKLM\Software\Policies\Google\Chrome\ +3. If the AutofillAddressEnabled value name does not exist or its value data is not set to 0, this is a finding.SRG-APP-000206<GroupDescription></GroupDescription>DTBC-0072Import AutoFill form data must be disabled.<VulnDiscussion>This policy forces the autofill form data to be imported from the previous default browser if enabled. If enabled, this policy also affects the import dialog. +If disabled, the autofill form data is not imported. + +If it is not set, the user may be asked whether to import, or importing may happen automatically.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-111835V-102873CCI-001166Windows group policy: +1. Open the "group policy editor" tool with gpedit.msc +2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ +Policy Name: Import autofill form data from default browser on first run +Policy State: DisabledUniversal method: +1. In the omnibox (address bar) type chrome://policy +2. If ImportAutofillFormData is not displayed under the Policy Name column or it is not set to 0 under the Policy Value column, this is a finding. + +Windows method: +1. Start regedit +2. Navigate to HKLM\Software\Policies\Google\Chrome\ +3. If the ImportAutofillFormData value name does not exist or its value data is not set to 0, this is a finding. + diff --git a/source/StigData/Processed/Google-Chrome-2.1.org.default.xml b/source/StigData/Processed/Google-Chrome-2.1.org.default.xml new file mode 100644 index 000000000..42cfa9b80 --- /dev/null +++ b/source/StigData/Processed/Google-Chrome-2.1.org.default.xml @@ -0,0 +1,21 @@ + + + + + + + + + + + + + + + diff --git a/source/StigData/Processed/Google-Chrome-2.1.xml b/source/StigData/Processed/Google-Chrome-2.1.xml new file mode 100644 index 000000000..e51923864 --- /dev/null +++ b/source/StigData/Processed/Google-Chrome-2.1.xml @@ -0,0 +1,992 @@ + + + + <VulnDiscussion>Google Chrome is being continually updated by the vendor in order to address identified security vulnerabilities. Running an older version of the browser can introduce security vulnerabilities to the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + False + V-44805 + False + + Universal method: +1. In the omnibox (address bar) type chrome://settings/help +2. Cross-reference the build information displayed with the Google Chrome site to identify, at minimum, the oldest supported build available. As of July 2019, this is 74.x.x. +3. If the installed version of Chrome is not supported by Google, this is a finding. + + + + + <VulnDiscussion>Remote connections should never be allowed that bypass the firewall, as there is no way to verify if they can be trusted. Enables usage of STUN and relay servers when remote clients are trying to establish a connection to this machine. If this setting is enabled, then remote clients can discover and connect to this machine even if they are separated by a firewall. If this setting is disabled and outgoing UDP connections are filtered by the firewall, then this machine will only allow connections from client machines within the local network. If this policy is left not set the setting will be enabled. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome + V-44711 + False + + Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If RemoteAccessHostFirewallTraversal is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding. + +Windows registry: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the RemoteAccessHostFirewallTraversal value name does not exist or its value data is not set to 0, then this is a finding. + + 0 + RemoteAccessHostFirewallTraversal + Dword + + + <VulnDiscussion>Website tracking is the practice of gathering information as to which websites were accesses by a browser. The common method of doing this is to have a website create a tracking cookie on the browser. If the information of what sites are being accessed is made available to unauthorized persons, this violates confidentiality requirements, and over time poses a significant OPSEC issue. This policy setting allows you to set whether websites are allowed to track the user’s physical location. Tracking the user’s physical location can be allowed by default, denied by default or the user can be asked every time a website requests the physical location. + 1 = Allow sites to track the user’s physical location + 2 = Do not allow any site to track the user’s physical location + 3 = Ask whenever a site wants to track the user’s physical location</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome + V-44723 + False + + Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If DefaultGeolocationSetting is not displayed under the Policy Name column or it is not set to 2, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the DefaultGeolocationSetting value name does not exist or its value data is not set to 2, then this is a finding. + + 2 + DefaultGeolocationSetting + Dword + + + <VulnDiscussion>Chrome allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. If you enable this policy setting, most unwanted pop-up windows are prevented from appearing. If you disable this policy setting, pop-up windows are not prevented from appearing. If you disable this policy setting, scripts can continue to create pop-up windows, and pop-ups that hide other windows. Recommend configuring this setting to ‘2’ to help prevent malicious websites from controlling the pop-up windows or fooling users into clicking on the wrong window. If you do not configure this policy setting, most unwanted pop-up windows are prevented from appearing. If this policy is left not set, 'BlockPopups' will be used and the user will be able to change it. + 1 = Allow all sites to show pop-ups + 2 = Do not allow any site to show pop-ups</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome + V-44719 + False + + Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If DefaultPopupsSetting is not displayed under the Policy Name column or it is not set to 2, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the value name DefaultPopupsSetting does not exist or its value data is not set to 2, then this is a finding. + +Note: If AO Approved exceptions to this rule have been enabled, this is not a finding. + 2 + DefaultPopupsSetting + Dword + + + <VulnDiscussion>Extensions are developed by third party sources and are designed to extend Google Chrome's functionality. An extension can be made by anyone, to do and access almost anything on a system; this means they pose a high risk to any system that would allow all extensions to be installed by default. Allows you to specify which extensions the users can NOT install. Extensions already installed will be removed if blacklisted. A blacklist value of '*' means all extensions are blacklisted unless they are explicitly listed in the whitelist. If this policy is left not set the user can install any extension in Google Chrome.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\ExtensionInstallBlacklist + V-44727 + False + + Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If ExtensionInstallBlacklist is not displayed under the Policy Name column or it is not set to * under the Policy Value column, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ExtensionInstallBlacklist + 3. If the a registry value name of 1 does not exist under that key or its value is not set to *, then this is a finding. + + * + 1 + MultiString + + + <VulnDiscussion>The whitelist should only contain organizationally approved extensions. This is to prevent a user from accidently whitelisitng a malicious extension. This policy allows you to specify which extensions are not subject to the blacklist. A blacklist value of ‘*’ means all extensions are blacklisted and users can only install extensions listed in the whitelist. By default, no extensions are whitelisted. If all extensions have been blacklisted by policy, then the whitelist policy can be used to allow specific extensions to be installed. Administrators should determine which extensions should be allowed to be installed by their users. If no extensions are whitelisted, then no extensions can be installed when combined with blacklisting all extensions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\ExtensionInstallWhitelist + V-44729 + True + {0} -eq '1 | oiigbmnaadbkfbmpbfijlflahbdbdgdf | a list of administrator-approved extension IDs' + Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If ExtensionInstallWhitelist is not displayed under the Policy Name column or it is not set to oiigbmnaadbkfbmpbfijlflahbdbdgdf or a list of administrator approved extension IDs, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to the key HKLM\Software\Policies\Google\Chrome\ExtensionInstallWhitelist + 3. If the ExtensionInstallWhitelist key is not set to 1 or oiigbmnaadbkfbmpbfijlflahbdbdgdf or a list of administrator-approved extension IDs, then this is a finding. + + ExtensionInstallWhitelist + MultiString + + + <VulnDiscussion>Specifies the name of the default search provider that is to be used, if left empty or not set, the host name specified by the search URL will be used. This policy is only considered if the 'DefaultSearchProviderEnabled' policy is enabled. When doing internet searches it is important to use an encrypted connection via https.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome + V-44733 + True + {0} -eq 'an organization approved encrypted search provider' + Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If DefaultSearchProviderName is displayed under the Policy Name column or it is not set to an organization approved encrypted search provider that corresponds to the encrypted search provider set in DTBC-0008(ex. Google Encrypted, Bing Encrypted) under the Policy Value column, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the DefaultSearchProviderName value name does not exist or it is not set to an organization approved encrypted search provider that corresponds to the encrypted search provider set in DTBC-0008(ex. Google Encrypted, Bing Encrypted), then this is a finding. + + + DefaultSearchProviderName + String + + + <VulnDiscussion>Specifies the URL of the search engine used when doing a default search. The URL should contain the string '{searchTerms}', which will be replaced at query time by the terms the user is searching for. This option must be set when the 'DefaultSearchProviderEnabled' policy is enabled and will only be respected if this is the case. When doing internet searches it is important to use an encrypted connection via https.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome + V-44735 + True + {0} -eq 'an organization-approved encrypted search string' + If the system is on the SIPRNet, this requirement is NA. + +Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If DefaultSearchProviderSearchURL is not displayed under the Policy Name column or it is not set to an organization-approved encrypted search string (ex. https://www.google.com/#q={searchTerms} or https://www.bing.com/search?q={searchTerms} ) under the Policy Value column, this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the DefaultSearchProviderSearchURL value name does not exist or its value data is not set to an organization-approved encrypted search string (ex. https://www.google.com/search?q={searchTerms} or https://www.bing.com/search?q={searchTerms} ) this is a finding. + + DefaultSearchProviderSearchURL + String + + + <VulnDiscussion>Policy enables the use of a default search provider. If you enable this setting, a default search is performed when the user types text in the omnibox that is not a URL. You can specify the default search provider to be used by setting the rest of the default search policies. If these are left empty, the user can choose the default provider. If you disable this setting, no search is performed when the user enters non-URL text in the omnibox. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, the default search provider is enabled, and the user will be able to set the search provider list.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome + V-44737 + False + + Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If DefaultSearchProviderEnabled is not displayed under the Policy Name column or it is not set to true under the Policy Value column, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the DefaultSearchProviderEnabled value name does not exist or its value data is not set to 1, then this is a finding. + +Note: This policy will only display in the chrome://policy tab on domain joined systems. On standalone systems, the policy will not display. + 1 + DefaultSearchProviderEnabled + Dword + + + <VulnDiscussion>Enables saving passwords and using saved passwords in Google Chrome. Malicious sites may take advantage of this feature by using hidden fields gain access to the stored information. If you enable this setting, users can have Google Chrome memorize passwords and provide them automatically the next time they log in to a site. If you disable this setting, users are not able to save passwords or use already saved passwords. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, this will be enabled but the user will be able to change it. ListPassword manager should not be used as it stores passwords locally.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome + V-44741 + False + + Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If PasswordManagerEnabled is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the PasswordManagerEnabled value name does not exist or its value data is not set to 0, then this is a finding. + + 0 + PasswordManagerEnabled + Dword + + + <VulnDiscussion>Running outdated plugins could lead to system compromise through the use of known exploits. Having plugins that updated to the most current version ensures the smallest attack surfuce possible. If you enable this setting, outdated plugins are used as normal plugins. If you disable this setting, outdated plugins will not be used and users will not be asked for permission to run them. If this setting is not set, users will be asked for permission to run outdated plugins.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome + V-44745 + False + + Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If AllowOutdatedPlugins is not displayed under the Policy Name column or it is not set to false under the Policy Name column, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome + 3. If the AllowOutdatedPlugins value name does not exist or its value data is not set to 0, then this is a finding. + + 0 + AllowOutdatedPlugins + Dword + + + <VulnDiscussion>Determines whether a Google Chrome process is started on OS login that keeps running when the last browser window is closed, allowing background apps to remain active. The background process displays an icon in the system tray and can always be closed from there. If this policy is set to True, background mode is enabled and cannot be controlled by the user in the browser settings. If this policy is set to False, background mode is disabled and cannot be controlled by the user in the browser settings. If this policy is left unset, background mode is initially disabled and can be controlled by the user in the browser settings.' - Google Chrome Administrators Policy ListThis setting, if enabled, allows Google Chrome to run at all times. There is two reasons that this is not wanted. First, it can tie up system resources that might otherwise be needed. Second, it does not make it obvious to the user that it is running and poorly written extensions could cause instability on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome + V-44753 + False + + Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If BackgroundModeEnabled is not displayed under the Policy Name column and it is not set to false under the Policy Value column, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the BackgroundModeEnabled value name does not exist or its value data is not set to 0, then this is a finding. + + 0 + BackgroundModeEnabled + Dword + + + <VulnDiscussion>Disables data synchronization in Google Chrome using Google-hosted synchronization services and prevents users from changing this setting. If you enable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set the user will be able to enable Google Sync. Google Sync is used to sync information between different user devices, this data is then stored on Google owned servers. The synced data may consist of information such as email, calendars, viewing history, etc. This feature must be disabled because the organization does not have control over the servers the data is stored on.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome + V-44759 + False + + Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If SyncDisabled is not displayed under the Policy Name column or it is not set to true under the Policy Value column, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the SyncDisabled value name does not exist or its value data is not set to 1, then this is a finding. + + 1 + SyncDisabled + Dword + + + <VulnDiscussion>Each access to a URL is handled by the browser according to the URL's "scheme". The "scheme" of a URL is the section before the ":". The term "protocol" is often mistakenly used for a "scheme". The difference is that the scheme is how the browser handles a URL and the protocol is how the browser communicates with a service. If a scheme or its associated protocol used by a browser is insecure or obsolete, vulnerabilities can be exploited resulting in exposed data or unrestricted access to the browser's system. The browser must be configured to disable the use of insecure and obsolete schemas (protocols). +This policy disables the listed protocol schemes in Google Chrome, URLs using a scheme from this list will not load and cannot be navigated to. If this policy is left not set or the list is empty all schemes will be accessible in Google Chrome.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\URLBlacklist + V-44761 + False + + Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If URLBlacklist is not displayed under the Policy Name column or it is not set to javascript://* under the Policy Value column, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\URLBlacklist + 3. If the URLBlacklist key does not exist, or the does not contain entries 1 set to javascript://*, then this is a finding. + + + javascript://* + URLBlacklist + MultiString + + + <VulnDiscussion>Policy enables Google Chrome to act as a proxy between Google Cloud Print and legacy printers connected to the machine. If this setting is enabled or not configured, users can enable the cloud print proxy by authentication with their Google account. If this setting is disabled, users cannot enable the proxy, and the machine will not be allowed to share it’s printers with Google Cloud Print. If this policy is not set, this will be enabled but the user will be able to change it.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome + V-44765 + False + + Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If CloudPrintProxyEnabled is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the CloudPrintProxyEnabled value name does not exist or its value data is not set to 0, then this is a finding. + 0 + CloudPrintProxyEnabled + Dword + + + <VulnDiscussion>Enables network prediction in Google Chrome and prevents users from changing this setting. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, this will be disabled but the user will be able to change it.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome + V-44769 + False + + Universal method: +1. In the omnibox (address bar) type chrome://policy +2. If "NetworkPredictionOptions" is not displayed under the “Policy Name” column or it is not set to "2" under the “Policy Value” column, this is a finding. +Windows method: +1. Start regedit +2. Navigate to HKLM\Software\Policies\Google\Chrome\ +3. If the "NetworkPredictionOptions" value name does not exist or its value data is not set to "2," this is a finding. + 2 + NetworkPredictionOptions + Dword + + + <VulnDiscussion>Enables anonymous reporting of usage and crash-related data about Google Chrome to Google and prevents users from changing this setting. If you enable this setting, anonymous reporting of usage and crash-related data is sent to Google. A crash report could contain sensitive information from the computer's memory. If you disable this setting, anonymous reporting of usage and crash-related data is never sent to Google. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set the setting will be what the user chose upon installation / first run.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome + V-44771 + False + + Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If MetricsReportingEnabled is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the MetricsReportingEnabled value name does not exist or its value data is not set to 0, then this is a finding. + +Note: This policy will only display in the chrome://policy tab on domain joined systems. On standalone systems, the policy will not display. + 0 + MetricsReportingEnabled + Dword + + + <VulnDiscussion>Search suggestion should be disabled as it could lead to searches being conducted that were never intended to be made. Enables search suggestions in Google Chrome's omnibox and prevents users from changing this setting. If you enable this setting, search suggestions are used. If you disable this setting, search suggestions are never used. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, this will be enabled but the user will be able to change it.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome + V-44773 + False + + Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If SearchSuggestEnabled is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the SearchSuggestEnabled value name does not exist or its value data is not set to 0, then this is a finding. + + 0 + SearchSuggestEnabled + Dword + + + <VulnDiscussion>Importing of saved passwords should be disabled as it could lead to unencrypted account passwords stored on the system from another browser to be viewed. This policy forces the saved passwords to be imported from the previous default browser if enabled. If enabled, this policy also affects the import dialog. If disabled, the saved passwords are not imported. If it is not set, the user may be asked whether to import, or importing may happen automatically.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome + V-44775 + False + + Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If ImportSavedPasswords is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the ImportSavedPasswords value name does not exist or its value data is not set to 0, then this is a finding. + 0 + ImportSavedPasswords + Dword + + + <VulnDiscussion>Incognito mode allows the user to browse the Internet without recording their browsing history/activity. From a forensics perspective, this is unacceptable. Best practice requires that browser history is retained. The "IncognitoModeAvailability" setting controls whether the user may utilize Incognito mode in Google Chrome. If 'Enabled' is selected or the policy is left unset, pages may be opened in Incognito mode. If 'Disabled' is selected, pages may not be opened in Incognito mode. If 'Forced' is selected, pages may be opened ONLY in Incognito mode. + 0 = Incognito mode available. + 1 = Incognito mode disabled. + 2 = Incognito mode forced.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome + V-44777 + False + + Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If IncognitoModeAvailability is not displayed under the Policy Name column or it is not set to 1 under the Policy Value column, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the IncognitoModeAvailability value name does not exist or its value data is not set to 1, then this is a finding. + + 1 + IncognitoModeAvailability + Dword + + + <VulnDiscussion>By setting this policy to true, the previous behavior is restored and online OCSP/CRL checks will be performed. If the policy is not set, or is set to false, then Chrome will not perform online revocation checks. Certificates are revoked when they have been compromised or are no longer valid, and this option protects users from submitting confidential data to a site that may be fraudulent or not secure.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome + V-44789 + False + + Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If EnableOnlineRevocationChecks is not displayed under the Policy Name column or it is not set to true under the Policy Value column, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the EnableOnlineRevocationChecks value name does not exist or its value data is not set to 1, then this is a finding. + + 1 + EnableOnlineRevocationChecks + Dword + + + <VulnDiscussion>Enables Google Chrome's Safe Browsing feature and prevents users from changing this setting. If you enable this setting, Safe Browsing is always active. If you disable this setting, Safe Browsing is never active. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, this will be enabled but the user will be able to change it. Safe browsing uses a signature database to test sites when they are be loaded to ensure they don't contain any known malware.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome + V-44791 + False + + Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If SafeBrowsingEnabled is not displayed under the Policy Name column or it is not set to true under the Policy Value column, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the SafeBrowsingEnabled value name does not exist or its value data is not set to 1, then this is a finding. + + 1 + SafeBrowsingEnabled + Dword + + + <VulnDiscussion>This policy disables saving browser history in Google Chrome and prevents users from changing this setting. If this setting is enabled, browsing history is not saved. If this setting is disabled or not set, browsing history is saved.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome + V-44793 + False + + Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If the policy 'SavingBrowserHistoryDisabled' is not shown or is not set to false, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the SavingBrowserHistoryDisabled value name does not exist or its value data is not set to 0, then this is a finding. + + 0 + SavingBrowserHistoryDisabled + Dword + + + <VulnDiscussion>This policy allows you to set whether websites are allowed to automatically run the Flash plugin. Automatically running the Flash plugin can be either allowed for all websites or denied for all websites. If this policy is left not set, the user will be able to change this setting manually. + 1 = Allow all sites to automatically run Flash plugin + 2 = Block the Flash plugin + 3 = Click to play</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\DefaultPluginsSetting + V-44795 + False + + Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If the policy "DefaultPluginsSetting" is not shown or is not set to "3", this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\DefaultPluginsSetting + 3. If this key "DefaultPluginsSetting" does not exist or is not set to "3", this is a finding. + 3 + DefaultPluginsSetting + Dword + + + <VulnDiscussion>Policy allows you to set a list of URL patterns that specify sites which are allowed to set session only cookies. If this policy is left not set the global default value will be used for all sites either from the 'DefaultCookiesSetting' policy if it is set, or the user's personal configuration otherwise. If the 'RestoreOnStartup' policy is set to restore URLs from previous sessions this policy will not be respected and cookies will be stored permanently for those sites.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + Absent + False + HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CookiesSessionOnlyForUrls + V-44799 + False + + Universal method: +1. In the omnibox (address bar) type chrome://policy +2. If the policy ”CookiesSessionOnlyForUrls” exists, and has any defined values, this is a finding. +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\CookiesSessionOnlyForUrls + 3. If this key exists and has any defined values, this is a finding. + + + + + + <VulnDiscussion>This policy allows you to set a list of URL patterns that specify sites which are allowed to run the Flash plugin. If this policy is left not set, the global default value will be used for all sites either from the "DefaultPluginsSetting" policy if it is set, or the user’s personal configuration otherwise. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome + V-52795 + True + {0} -eq 'a list of administrator approved URLs' + Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If PluginsAllowedForUrls is not displayed under the Policy Name column or it is not set to a list of administrator approved URLs under the Policy Value column, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the PluginsAllowedForUrls key does not exist and it does not contain a list of administrator approved URLs then this is a finding. + +Suggested: the set or subset of [*.]mil and [*.]gov + + PluginsAllowedForUrls + MultiString + + + <VulnDiscussion>Disabling this function will prevent users from deleting their browsing history, which could be used to identify malicious websites and files that could later be used for anti-virus and Intrusion Detection System (IDS) signatures. Furthermore, preventing users from deleting browsing history could be used to identify abusive web surfing on government systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome + V-75165 + False + + Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If the policy "AllowDeletingBrowserHistory" is not shown or is not set to false, this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the "AllowDeletingBrowserHistory" value name does not exist or its value data is not set to "0", this is a finding. + 0 + AllowDeletingBrowserHistory + Dword + + + <VulnDiscussion>If the policy is enabled, the user will be asked where to save each file before downloading. If the policy is disabled, downloads will start immediately, and the user will not be asked where to save the file. If the policy is not configured, the user will be able to change this setting.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome + V-79929 + False + + Universal method: +1. In the omnibox (address bar) type chrome:// policy +2. If "PromptForDownloadLocation" is not displayed under the "Policy Name" column or it is not set to "true" under the "Policy Value" column, then this is a finding. +Windows method: +1. Start regedit +2. Navigate to HKLM\Software\Policies\Google\Chrome\ +3. If the "PromptForDownloadLocation" value name does not exist or its value data is not set to "1", this is a finding. + 1 + PromptForDownloadLocation + Dword + + + <VulnDiscussion>Configure the type of downloads that Google Chrome will completely block, without letting users override the security decision. If you set this policy, Google Chrome will prevent certain types of downloads, and will not let user bypass the security warnings. When the "Block dangerous downloads" option is chosen, all downloads are allowed, except for those that carry SafeBrowsing warnings. When the "Block potentially dangerous downloads" option is chosen, all downloads allowed, except for those that carry SafeBrowsing warnings of potentially dangerous downloads. When the "Block all downloads" option is chosen, all downloads are blocked. When this policy is not set, (or the "No special restrictions" option is chosen), the downloads will go through the usual security restrictions based on SafeBrowsing analysis results. + +Note that these restrictions apply to downloads triggered from web page content, as well as the 'download link...' context menu option. These restrictions do not apply to the save / download of the currently displayed page, nor does it apply to saving as PDF from the printing options. See https://developers.google.com/safe-browsing for more info on SafeBrowsing. +0 = No special restrictions +1 = Block dangerous downloads +2 = Block potentially dangerous downloads +3 = Block all downloads</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome + V-79931 + True + {0} -eq '1|2' + If the system is on the SIPRNet, this requirement is NA. +Universal method: +1. In the omnibox (address bar) type chrome:// policy +2. If "DownloadRestrictions" is not displayed under the "Policy Name" column or it is not set to "1" or "2" under the "Policy Value" column, then this is a finding. + +Windows method: +1. Start regedit +2. Navigate to HKLM\Software\Policies\Google\Chrome\ +3. If the "DownloadRestrictions" value name does not exist or its value data is not set to "1" or "2", then this is a finding. + + DownloadRestrictions + Dword + + + <VulnDiscussion>If this policy is not configured then Google Chrome uses a default minimum version, which is TLS 1.0. Otherwise, it may be set to one of the following values: "tls1", "tls1.1" or "tls1.2". +When set, Google Chrome will not use SSL/TLS versions less than the specified version. An unrecognized value will be ignored. +"tls1" = TLS 1.0 +"tls1.1" = TLS 1.1 +"tls1.2" = TLS 1.2</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome + V-81583 + False + + Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If "SSLVersionMin" is not displayed under the "Policy Name" column or it is not set to "tls1.1", this is a finding. +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the "SSLVersionMin" value name does not exist or its value data is not set to "tls1.1", this is a finding. + tls1.1 + SSLVersionMin + String + + + <VulnDiscussion>Enables Google Chrome's Safe Browsing Extended Reporting and prevents users from changing this setting. Extended Reporting sends some system information and page content to Google servers to help detect dangerous apps and sites. +If the setting is set to "True", then reports will be created and sent whenever necessary (such as when a security interstitial is shown). +If the setting is set to "False", reports will never be sent. +If this policy is set to "True" or "False", the user will not be able to modify the setting. +If this policy is left unset, the user will be able to change the setting and decide whether to send reports or not.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome + V-81585 + False + + Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If "SafeBrowsingExtendedReportingEnabled" is not displayed under the "Policy Name" column or it is not set to "False", this is a finding. +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the "SafeBrowsingExtendedReportingEnabled" value name does not exist or its value data is not set to "0", this is a finding. + 0 + SafeBrowsingExtendedReportingEnabled + Dword + + + <VulnDiscussion>Allows you to set whether websites are allowed to get access to connected USB devices. Access can be completely blocked, or the user can be asked every time a website wants to get access to connected USB devices. +If this policy is left not set, ”3” will be used, and the user will be able to change it. +2 = Do not allow any site to request access to USB devices via the WebUSB API +3 = Allow sites to ask the user to grant access to a connected USB device</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome + V-81587 + False + + Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If "DefaultWebUsbGuardSetting" is not displayed under the "Policy Name" column or it is not set to "2", this is a finding. +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the "DefaultWebUsbGuardSetting" value name does not exist or its value data is not set to "2", this is a finding. + 2 + DefaultWebUsbGuardSetting + Dword + + + <VulnDiscussion>If set to “False”, prevents Chrome Cleanup from scanning the system for unwanted software and performing cleanups. Manually triggering Chrome Cleanup from chrome://settings/cleanup is disabled. +If set to “True” or unset, Chrome Cleanup periodically scans the system for unwanted software and should any be found, will ask the user if they wish to remove it. Manually triggering Chrome Cleanup from chrome://settings is enabled. +This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome + V-81591 + False + + Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If "ChromeCleanupEnabled" is not displayed under the "Policy Name" column or it is not set to "False", this is a finding. +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the "ChromeCleanupEnabled" value name does not exist or its value data is not set to "0", this is a finding. + 0 + ChromeCleanupEnabled + Dword + + + <VulnDiscussion>If unset, should Chrome Cleanup detect unwanted software, it may report metadata about the scan to Google in accordance with policy set by “SafeBrowsingExtendedReportingEnabled”. Chrome Cleanup will then ask the user if they wish to clean up the unwanted software. The user can choose to share results of the cleanup with Google to assist with future unwanted software detection. These results contain file metadata and registry keys as described by the Chrome Privacy Whitepaper. +If set to “false”, should Chrome Cleanup detect unwanted software, it will not report metadata about the scan to Google, overriding any policy set by “SafeBrowsingExtendedReportingEnabled”. Chrome Cleanup will ask the user if they wish to clean up the unwanted software. Results of the cleanup will not be reported to Google and the user will not have the option to do so. +If set to “true”, should Chrome Cleanup detect unwanted software, it may report metadata about the scan to Google in accordance with policy set by “SafeBrowsingExtendedReportingEnabled”. Chrome Cleanup will ask the user if they wish to clean up the unwanted software. Results of the cleanup will be reported to Google and the user will not have the option to prevent it. +This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome + V-81593 + False + + Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If "ChromeCleanupReportingEnabled" is not displayed under the "Policy Name" column or it is not set to "False", this is a finding. +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the "ChromeCleanupReportingEnabled" value name does not exist or its value data is not set to "0", this is a finding. + 0 + ChromeCleanupReportingEnabled + Dword + + + <VulnDiscussion>If this policy is set to ”True” or is not set, Google Cast will be enabled, and users will be able to launch it from the app menu, page context menus, media controls on Cast-enabled websites, and (if shown) the “Cast toolbar” icon. +If this policy set to ”False”, Google Cast will be disabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome + V-81597 + False + + Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If "EnableMediaRouter" is not displayed under the "Policy Name" column or it is not set to "False", this is a finding. +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the "EnableMediaRouter" value name does not exist or its value data is not set to "0", this is a finding. + 0 + EnableMediaRouter + Dword + + + <VulnDiscussion>Allows you to control if videos can play automatically (without user consent) with audio content in Google Chrome. +If the policy is set to “True”, Google Chrome is allowed to autoplay media. If the policy is set to “False”, Google Chrome is not allowed to autoplay media. The “AutoplayWhitelist” policy can be used to override this for certain URL patterns. By default, Google Chrome is not allowed to autoplay media. The “AutoplayWhitelist” policy can be used to override this for certain URL patterns.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome + V-81581 + False + + Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If "AutoplayAllowed" is not displayed under the "Policy Name" column or it is not set to "False", this is a finding. +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the "AutoplayAllowed" value name does not exist or its value data is not set to "0", this is a finding. + 0 + AutoplayAllowed + Dword + + + <VulnDiscussion>Controls the whitelist of URL patterns that autoplay will always be enabled on. +If the “AutoplayAllowed” policy is set to “True” then this policy will have no effect. +If the “AutoplayAllowed” policy is set to “False” then any URL patterns set in this policy will still be allowed to play.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome + V-81589 + True + {0} -eq 'a list of administrator-approved URLs + Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If “AutoplayWhitelist” is not displayed under the “Policy Name” column or it is not set to a list of administrator-approved URLs under the “Policy Value” column, this is a finding. +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + If the "AutoplayWhitelist" value name does not exist and it does not contain a list of administrator-approved URLs, this is a finding. +Suggested: the set or subset of [*.]mil and [*.]gov + + AutoplayWhitelist + MultiString + + + <VulnDiscussion>Enable URL-keyed anonymized data collection in Google Chrome and prevent users from changing this setting. +URL-keyed anonymized data collection sends URLs of pages the user visits to Google to make searches and browsing better. +If you enable this policy, URL-keyed anonymized data collection is always active. +If you disable this policy, URL-keyed anonymized data collection is never active. +If this policy is left not set, URL-keyed anonymized data collection will be enabled but the user will be able to change it.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome + V-91203 + False + + Universal method: +1. In the omnibox (address bar) type chrome://policy +2. If "UrlKeyedAnonymizedDataCollectionEnabled" is not displayed under the “Policy Name” column or it is not set to "0" under the “Policy Value” column, this is a finding. +Windows method: +1. Start regedit +2. Navigate to HKLM\Software\Policies\Google\Chrome\ +3. If the “UrlKeyedAnonymizedDataCollectionEnabled" value name does not exist or its value data is not set to "0," this is a finding. + 0 + UrlKeyedAnonymizedDataCollectionEnabled + Dword + + + <VulnDiscussion>If the policy is set to “true”, Google Chrome is allowed to collect WebRTC event logs from Google services (e.g., Google Meet), and upload those logs to Google. +If the policy is set to “false”, or is unset, Google Chrome may not collect nor upload such logs. +These logs contain diagnostic information helpful when debugging issues with audio or video calls in Chrome, such as the time and size of sent and received RTP packets, feedback about congestion on the network, and metadata about time and quality of audio and video frames. These logs do not contain audio or video contents from the call. +This data collection by Chrome can only be triggered by Google's web services, such as Google Hangouts or Google Meet.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome + V-91205 + False + + Universal method: +1. In the omnibox (address bar) type chrome://policy +2. If "WebRtcEventLogCollectionAllowed" is not displayed under the “Policy Name” column or it is not set to "0" under the “Policy Value” column, this is a finding. +Windows method: +1. Start regedit +2. Navigate to HKLM\Software\Policies\Google\Chrome\ +3. If the "WebRtcEventLogCollectionAllowed" value name does not exist or its value data is not set to "0," this is a finding. + 0 + WebRtcEventLogCollectionAllowed + Dword + + + <VulnDiscussion>While the risk associated with browser development tools is more related to the proper design of a web application, a risk vector remains within the browser. The developer tools allow end users and application developers to view and edit all types of web application related data via the browser. Page elements, source code, javascript, API calls, application data, etc. may all be viewed and potentially manipulated. Manipulation could be useful for troubleshooting legitimate issues, and this may be performed in a development environment. Manipulation could also be malicious and must be addressed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome + V-97525 + False + + Universal method: +1. In the omnibox (address bar) type chrome://policy +2. If the policy "DeveloperToolsAvailability" is not shown or is not set to "2", this is a finding. + +Windows method: +1. Start regedit +2. Navigate to HKLM\Software\Policies\Google\Chrome\ +3. If the key "DeveloperToolsAvailability" does not exist or is not set to "2", this is a finding. + 2 + DeveloperToolsAvailability + Dword + + + <VulnDiscussion>If this policy is set to true or not configured, Google Chrome will enable guest logins. Guest logins are Google Chrome profiles where all windows are in incognito mode. + +If this policy is set to false, Google Chrome will not allow guest profiles to be started.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome + V-102867 + False + + Universal method: +1. In the omnibox (address bar) type chrome://policy +2. If BrowserGuestModeEnabled is not displayed under the Policy Name column or it is not set to 0 under the Policy Value column, this is a finding. + +Windows method: +1. Start regedit +2. Navigate to HKLM\Software\Policies\Google\Chrome\ +3. If the BrowserGuestModeEnabled value name does not exist or its value data is not set to 0, this is a finding. + 0 + BrowserGuestModeEnabled + Dword + + + <VulnDiscussion>Enabling Google Chrome's AutoFill feature allows users to auto complete credit card information in web forms using previously stored information. +If this setting is disabled, Autofill will never suggest or fill credit card information, nor will it save additional credit card information that the user might submit while browsing the web. + +If this setting is enabled or has no value, the user will be able to control Autofill for credit cards in the UI.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome + V-102869 + False + + Universal method: +1. In the omnibox (address bar) type chrome://policy +2. If AutofillCreditCardEnabled is not displayed under the Policy Name column or it is not set to 0 under the Policy Value column, this is a finding. + +Windows method: +1. Start regedit +2. Navigate to HKLM\Software\Policies\Google\Chrome\ +3. If the AutofillCreditCardEnabled value name does not exist or its value data is not set to 0, this is a finding. + 0 + AutofillCreditCardEnabled + Dword + + + <VulnDiscussion>Enabling Google Chrome's AutoFill feature allows users to auto complete address information in web forms using previously stored information. +If this setting is disabled, Autofill will never suggest or fill address information, nor will it save additional address information that the user might submit while browsing the web. + +If this setting is enabled or has no value, the user will be able to control Autofill for addresses in the UI.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome + V-102871 + False + + Universal method: +1. In the omnibox (address bar) type chrome://policy +2. If AutofillAddressEnabled is not displayed under the Policy Name column or it is not set to 0 under the Policy Value column, this is a finding. + +Windows method: +1. Start regedit +2. Navigate to HKLM\Software\Policies\Google\Chrome\ +3. If the AutofillAddressEnabled value name does not exist or its value data is not set to 0, this is a finding. + 0 + AutofillAddressEnabled + Dword + + + <VulnDiscussion>This policy forces the autofill form data to be imported from the previous default browser if enabled. If enabled, this policy also affects the import dialog. +If disabled, the autofill form data is not imported. + +If it is not set, the user may be asked whether to import, or importing may happen automatically.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome + V-102873 + False + + Universal method: +1. In the omnibox (address bar) type chrome://policy +2. If ImportAutofillFormData is not displayed under the Policy Name column or it is not set to 0 under the Policy Value column, this is a finding. + +Windows method: +1. Start regedit +2. Navigate to HKLM\Software\Policies\Google\Chrome\ +3. If the ImportAutofillFormData value name does not exist or its value data is not set to 0, this is a finding. + + 0 + ImportAutofillFormData + Dword + + +