Free DISA STIG and SRG Library | Vaulted

Google Chrome v24 Windows Benchmark

Version 1 Release 1
2013-03-07
U_GoogleChrome24Windows_V1R1_STIG_Benchmark-xccdf.xml

Vulnerabilities (36)

Firewall traversal from remote host must be disabled

Finding ID
DTBC-0001
Rule ID
SV-46751r1_rule
Severity
Cat II
CCE
(None)
Group Title
DTBC0001 - Disable firewall traversal from remote host
CCI
CCI-001588
Target Key
(None)
Documentable
No
Discussion

Remote connections should never be allowed that bypass the firewall, as there is no way to verify if they can be trusted. "Enables usage of STUN and relay servers when remote clients are trying to establish a connection to this machine. If this setting is enabled, then remote clients can discover and connect to this machine even if they are separated by a firewall. If this setting is disabled and outgoing UDP connections are filtered by the firewall, then this machine will only allow connections from client machines within the local network. If this policy is left not set the setting will be enabled." - Google Chrome Administrators Policy List

Fix Text

Valid for Chrome Browser version 14 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\
Value Name: RemoteAccessHostFirewallTraversal
Value Type: Boolean (REG_DWORD)
Value Data: 0
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Configure remote access options\
Policy Name: Enable firewall traversal from remote access host
Policy State: Disabled
Policy Value: N/A

Check Content

Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If RemoteAccessHostFirewallTraversal is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding.
Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the RemoteAccessHostFirewallTraversal value name does not exist or its value data is not set to 0, then this is a finding.

Responsibility

System Administrator

IA Controls

ECSC-1

Site tracking users location must be disabled

Finding ID
DTBC-0002
Rule ID
SV-46906r2_rule
Severity
Cat II
CCE
(None)
Group Title
DTBC0002 - Disable all sites from tracking a users location
CCI
CCI-001588
Target Key
(None)
Documentable
No
Discussion

Tracking of user location data over time poses a significant OPSEC issue. "allows you to set whether websites are allowed to track the users' physical location. Tracking the users' physical location can be allowed by default, denied by default or the user can be asked every time a website requests the physical location. If this policy is left not set, 'AskGeolocation' will be used and the user will be able to change it.
1 = Allow sites to track the users' physical location
2 = Do not allow any site to track the users' physical location
3 = Ask whenever a site wants to track the users' physical location" - Google Chrome Administrators Policy List

Fix Text

Valid for Chrome Browser version 10 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\
Value Name: DefaultGeolocationSetting
Value Type: REG_DWORD
Value Data: 2
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings\
Policy Name: Default geolocation setting
Policy State: Enabled
Policy Value: Do not allow any site to track the users' physical location

Check Content

Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If DefaultGeolocationSetting is not displayed under the Policy Name column or it is not set to Do not allow any site to track the users' physical location under the Policy Value column, then this is a finding.
Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the DefaultGeolocationSetting value name does not exist or its value data is not set to 2, then this is a finding.

Responsibility

System Administrator

IA Controls

ECSC-1

Sites ability for showing desktop notifications must be disabled

Finding ID
DTBC-0003
Rule ID
SV-46907r2_rule
Severity
Cat II
CCE
(None)
Group Title
DTBC0003 - Do not allow sites to show desktop notifications
CCI
CCI-001588
Target Key
(None)
Documentable
No
Discussion

"Allows you to set whether websites are allowed to display desktop notifications. Displaying desktop notifications can be allowed by default, denied by default or the user can be asked every time a website wants to show desktop notifications. If this policy is left not set, 'AskNotifications' will be used and the user will be able to change it.
1 = Allow sites to show desktop notifications
2 = Do not allow any site to show desktop notifications
3 = Ask every time a site wants to show desktop notifications" - Google Chrome Administrators Policy List

Fix Text

Valid for Chrome Browser version 10 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\
Value Name: DefaultNotificationsSetting
Value Type: REG_DWORD
Value Data: 2
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings\
Policy Name: Default notification setting
Policy State: Enabled
Policy Value: Do not allow any site to show desktop notifications

Check Content

Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If Default notification setting is not displayed under the Policy Name column or it is not set to Do not allow any site to show desktop notifications under the Policy Value column, then this is a finding.
Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the DefaultNotificationsSetting value name does not exist or its value data is not set to 2, then this is a finding.

Responsibility

System Administrator

IA Controls

ECSC-1

Sites ability to show pop-ups must be disabled

Finding ID
DTBC-0004
Rule ID
SV-46908r2_rule
Severity
Cat II
CCE
(None)
Group Title
DTBC0004 - Disable sites from showing pop-ups
CCI
CCI-001588
Target Key
(None)
Documentable
No
Discussion

"Allows you to set whether websites are allowed to show pop-ups. Showing popups can be either allowed for all websites or denied for all websites. If this policy is left not set, 'BlockPopups' will be used and the user will be able to change it.
1 = Allow all sites to show pop-ups
2 = Do not allow any site to show popups" - Google Chrome Administrators Policy List

Fix Text

Valid for Chrome Browser version 10 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\
Value Name: DefaultPopupsSetting
Value Type: REG_DWORD
Value Data: 2
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings\
Policy Name: Default popups setting
Policy State: Enabled
Policy Value: Do not allow any site to show popups

Check Content

Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If DefaultPopupsSetting is not displayed under the Policy Name column or it is not set to Do not allow any site to show popups under the Policy Value column, then this is a finding.
Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the value name DefaultPopupsSetting does not exist or its value data is not set to 2, then this is a finding.

Responsibility

System Administrator

IA Controls

ECSC-1

Extensions must be blacklisted by default

Finding ID
DTBC-0005
Rule ID
SV-46909r2_rule
Severity
Cat I
CCE
(None)
Group Title
DTBC0005 - Blacklist extensions by default
CCI
CCI-001588
Target Key
(None)
Documentable
No
Discussion

Extensions are developed by third party sources. They are designed to extend Google Chrome's functionality. An extension can be made by anyone, to do and access almost anything on a system; this means they pose a high risk to any system that would allow all extensions to be installed by default. "Allows you to specify which extensions the users can NOT install. Extensions already installed will be removed if blacklisted. A blacklist value of '*' means all extensions are blacklisted unless they are explicitly listed in the whitelist. If this policy is left not set the user can install any extension in Google Chrome." - Google Chrome Administrators Policy List

Fix Text

Valid for Chrome Browser version 8 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\ExtensionInstallBlacklist
Value Name: 1
Value Type: String (REG_SZ)
Value Data: *
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Extensions\
Policy Name: Configure extension installation blacklist
Policy State: Enabled
Policy Value: *

Check Content

Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If ExtensionInstallBlacklist is not displayed under the Policy Name column or it is not set to * under the Policy Value column, then this is a finding.
Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\ExtensionInstallBlacklist
3. If the ExtensionInstallBlacklist key does not exist, or a registry value name of 1 does not exist under that key, or the registry value name of 1 does not have its value data set to *, then this is a finding.

Responsibility

System Administrator

IA Controls

ECSC-1

Extensions that are approved for use must be whitelisted

Finding ID
DTBC-0006
Rule ID
SV-46910r2_rule
Severity
Cat II
CCE
(None)
Group Title
DTBC0006 - Whitelist approved extensions
CCI
CCI-001588
Target Key
(None)
Documentable
No
Discussion

The whitelist should only contain organizationally approved extensions. This is to prevent a user from accidentally whitelisting a malicious extension. "Allows you to specify which extensions are not subject to the blacklist. A blacklist value of * means all extensions are blacklisted and users can only install extensions listed in the whitelist. By default, no extensions are whitelisted. If all extensions have been blacklisted by policy, then the whitelist policy can be used to allow specific extensions to be installed. Administrators should determine which extensions should be allowed to be installed by their users. If no extensions are whitelisted, then no extensions can be installed when combined with blacklisting all extensions." - Google Chrome Administrators Policy List

Fix Text

Valid for Chrome Browser version 8 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\ExtensionInstallWhitelist
For each extension that is to be whitelisted, sequential keys must be created. The names of the keys are numeric, going 1, 2, 3, etc.
Value Name: 1
Value Type: String (REG_SZ)
Value Data: oiigbmnaadbkfbmpbfijlflahbdbdgdf
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Extensions\
Policy Name: Configure extension installation whitelist
Policy State: Enabled
Policy Value: oiigbmnaadbkfbmpbfijlflahbdbdgdf
Note: oiigbmnaadbkfbmpbfijlflahbdbdgdf is the extension ID for ScriptNo (a commonly used Chrome extension).

Check Content

Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If ExtensionInstallWhitelist is not displayed under the Policy Name column or it is not set to oiigbmnaadbkfbmpbfijlflahbdbdgdf or a list of administrator approved extension IDs, then this is a finding.
Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\ExtensionInstallWhitelist
3. If the ExtensionInstallWhitelist key does not exist or is not set to oiigbmnaadbkfbmpbfijlflahbdbdgdf or a list of administrator approved extension IDs, then this is a finding.

Responsibility

System Administrator

IA Controls

ECSC-1

The default search providers name must be set

Finding ID
DTBC-0007
Rule ID
SV-46911r2_rule
Severity
Cat II
CCE
(None)
Group Title
DTBC0007 - Specify the default search provider name
CCI
CCI-001588
Target Key
(None)
Documentable
No
Discussion

"Specifies the name of the default search provider. If left empty or not set, the host name specified by the search URL will be used. This policy is only considered if the 'DefaultSearchProviderEnabled' policy is enabled. When doing internet searches it is important to use an encrypted connection via https." - Google Chrome Administrators Policy List

Fix Text

Valid for Chrome Browser version 8 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\
Value Name: DefaultSearchProviderName
Value Type: String (REG_SZ)
Value Data: organization approved encrypted search provider (ex. Google Encrypted Search)
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Default search provider\
Policy Name: Default search provider name
Policy State: Enabled
Policy Value: set to an organization approved encrypted search provider (ex. Google Encrypted Search)

Check Content

Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If DefaultSearchProviderName is not displayed under the Policy Name column or it is not set to an organization approved encrypted search provider (ex. Google Encrypted Search) under the Policy Value column, then this is a finding.
Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the DefaultSearchProviderName value name does not exist or it is not set to an organization approved encrypted search provider (ex. Google Encrypted Search), then this is a finding.

Responsibility

System Administrator

IA Controls

ECSC-1

The default search provider URL must be set

Finding ID
DTBC-0008
Rule ID
SV-46912r2_rule
Severity
Cat II
CCE
(None)
Group Title
DTBC0008 - Set default search provider URL to perform encrypted search
CCI
CCI-001588
Target Key
(None)
Documentable
No
Discussion

"Specifies the URL of the search engine used when doing a default search. The URL should contain the string '{searchTerms}', which will be replaced at query time by the terms the user is searching for. This option must be set when the 'DefaultSearchProviderEnabled' policy is enabled and will only be respected if this is the case." - Google Chrome Administrators Policy List
When doing internet searches it is important to use an encrypted connection via https.

Fix Text

Valid for Chrome Browser version 8 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\
Value Name: DefaultSearchProviderSearchURL
Value Type: String (REG_SZ)
Value Data: must be set to an organization approved encrypted search string (ex. https://encrypted.google.com/search?{google:acceptedSuggestion}{google:originalQueryForSuggestion}sourceid=chrome&ie={inputEncoding}&q=%{searchTerms})
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Default search provider\
Policy Name: Default search provider search URL
Policy State: Enabled
Policy Value: must be set to an organization approved encrypted search string (ex. https://encrypted.google.com/search?{google:acceptedSuggestion}{google:originalQueryForSuggestion}sourceid=chrome&ie={inputEncoding}&q=%{searchTerms})

Check Content

Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If DefaultSearchProviderSearchURL is not displayed under the Policy Name column or it is not set to an organization approved encrypted search string (ex. https://encrypted.google.com/search?{google:acceptedSuggestion}{google:originalQueryForSuggestion}sourceid=chrome&ie={inputEncoding}&q=%{searchTerms}) under the Policy Value column, then this is a finding.
Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the DefaultSearchProviderSearchURL value name does not exist or its value data is not set to an organization approved encrypted search string (ex. https://encrypted.google.com/search?{google:acceptedSuggestion}{google:originalQueryForSuggestion}sourceid=chrome&ie={inputEncoding}&q=%{searchTerms}), then this is a finding.

Responsibility

System Administrator

IA Controls

ECSC-1

Default search provider must be enabled

Finding ID
DTBC-0009
Rule ID
SV-46913r2_rule
Severity
Cat II
CCE
(None)
Group Title
DTBC0009 - Enable default search provider
CCI
CCI-001588
Target Key
(None)
Documentable
No
Discussion

"Enables the use of a default search provider. If you enable this setting, a default search is performed when the user types text in the omnibox that is not a URL. You can specify the default search provider to be used by setting the rest of the default search policies. If these are left empty, the user can choose the default provider. If you disable this setting, no search is performed when the user enters non-URL text in the omnibox. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, the default search provider is enabled, and the user will be able to set the search provider list." - Google Chrome Administrators Policy List

Fix Text

Valid for Chrome Browser version 8 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\
Value Name: DefaultSearchProviderEnabled
Value Type: Boolean (REG_DWORD)
Value Data: 1
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Default search provider\
Policy Name: Enable the default search provider
Policy State: Enabled
Policy Value: N/A

Check Content

Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If DefaultSearchProviderEnabled is not displayed under the Policy Name column or it is not set to true under the Policy Value column, then this is a finding.
Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the DefaultSearchProviderEnabled value name does not exist or its value data is not set to 1, then this is a finding.

Responsibility

System Administrator

IA Controls

ECSC-1

Use of cleartext passwords in the Password Manager must be disabled

Finding ID
DTBC-0010
Rule ID
SV-47044r2_rule
Severity
Cat I
CCE
(None)
Group Title
DTBC0010 - Disable cleartext passwords in Password Manager
CCI
CCI-001588
Target Key
(None)
Documentable
No
Discussion

Cleartext passwords would allow another individual to see a password via shoulder surfing. "Controls whether the user may show passwords in clear text in the password manager. If you disable this setting, the password manager does not allow showing stored passwords in clear text in the password manager window. If you enable or do not set this policy, users can view their passwords in clear text in the password manager." - Google Chrome Administrators Policy List

Fix Text

Valid for Chrome Browser version 8 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\
Value Name: PasswordManagerAllowShowPasswords
Value Type: Boolean (REG_DWORD)
Value Data: 0
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Password manager\
Policy Name: Allow users to show passwords in Password Manager
Policy State: Disabled
Policy Value: N/A

Check Content

Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If PasswordManagerAllowShowPasswords is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding.
Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the PasswordManagerAllowShowPasswords value name does not exist or its value data is not set to 0, then this is a finding.

Responsibility

System Administrator

IA Controls

ECSC-1

The Password Manager must be disabled

Finding ID
DTBC-0011
Rule ID
SV-47045r2_rule
Severity
Cat II
CCE
(None)
Group Title
DTBC0011 - Disable the Password Manager
CCI
CCI-001588
Target Key
(None)
Documentable
No
Discussion

"Enables saving passwords and using saved passwords in Google Chrome. If you enable this setting, users can have Google Chrome memorize passwords and provide them automatically the next time they log in to a site. If you disable this setting, users are not able to save passwords or use already saved passwords. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, this will be enabled but the user will be able to change it." - Google Chrome Administrators Policy List
The password manager should not be used, as it stores passwords locally.

Fix Text

Valid for Chrome Browser version 8 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\
Value Name: PasswordManagerEnabled
Value Type: Boolean (REG_DWORD)
Value Data: 0
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Password Manager\
Policy Name: Enable the password manager
Policy State: Disabled
Policy Value: N/A

Check Content

Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If PasswordManagerEnabled is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding.
Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the PasswordManagerEnabled value name does not exist or its value data is not set to 0, then this is a finding.

Responsibility

System Administrator

IA Controls

ECSC-1

The HTTP Authentication must be set to negotiate

Finding ID
DTBC-0012
Rule ID
SV-47046r2_rule
Severity
Cat II
CCE
(None)
Group Title
DTBC0012 - Set HTTP Authentication to negotiate
CCI
CCI-001588
Target Key
(None)
Documentable
No
Discussion

"Specifies which HTTP Authentication schemes are supported by Google Chrome. Possible values are 'basic', 'digest', 'ntlm' and 'negotiate'. Separate multiple values with commas. If this policy is left not set, all four schemes will be used." - Google Chrome Administrators Policy List

Fix Text

Valid for Chrome Browser version 9 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\
Value Name: AuthSchemes
Value Type: String (REG_SZ)
Value Data: negotiate
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Policies for HTTP Authentication\
Policy Name: Supported authentication schemes
Policy State: Enabled
Policy Value: negotiate

Check Content

Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If AuthSchemes is not displayed under the Policy Name column or it is not set to negotiate under the Policy Value column, then this is a finding.
Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome
3. If the AuthSchemes value name does not exist or its value data is not set to negotiate, then this is a finding.

Responsibility

System Administrator

IA Controls

ECSC-1

The running of outdated plugins must be disabled

Finding ID
DTBC-0013
Rule ID
SV-47047r2_rule
Severity
Cat I
CCE
(None)
Group Title
DTBC0013 - Disable running outdated plugins
CCI
CCI-001588
Target Key
(None)
Documentable
No
Discussion

Running outdated plugins could lead to system compromise through the use of known exploits. Having plugins that are updated to the most current version ensures the smallest attack surface possible. "Allows Google Chrome to run plugins that are outdated. If you enable this setting, outdated plugins are used as normal plugins. If you disable this setting, outdated plugins will not be used and users will not be asked for permission to run them. If this setting is not set, users will be asked for permission to run outdated plugins." - Google Chrome Administrators Policy List

Fix Text

Valid for Chrome Browser version 12 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\
Value Name: AllowOutdatedPlugins
Value Type: Boolean (REG_DWORD)
Value Data: 0
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
Policy Name: Allow running plugins that are outdated
Policy State: Disabled
Policy Value: N/A

Check Content

Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If AllowOutdatedPlugins is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding.
Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome
3. If the AllowOutdatedPlugins value name does not exist or its value data is not set to 0, then this is a finding.

Responsibility

System Administrator

IA Controls

ECSC-1

Plugins requiring authorization must ask for user permission

Finding ID
DTBC-0014
Rule ID
SV-47048r2_rule
Severity
Cat I
CCE
(None)
Group Title
DTBC0014 - Ask for user permission to run plugins requiring authorization
CCI
CCI-001588
Target Key
(None)
Documentable
No
Discussion

"Allows Google Chrome to run plugins that require authorization. If you enable this setting, plugins that are not outdated always run. If this setting is disabled or not set, users will be asked for permission to run plugins that require authorization. These are plugins that can compromise security." - Google Chrome Administrators Policy List

Fix Text

Valid for Chrome Browser version 13 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\
Value Name: AlwaysAuthorizePlugins
Value Type: Boolean (REG_DWORD)
Value Data: 0
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
Policy Name: Always runs plugins that require authorization
Policy State: Disabled
Policy Value: N/A

Check Content

Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If AlwaysAuthorizePlugins is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding.
Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the AlwaysAuthorizePlugins value name does not exist or its value data is not set to 0, then this is a finding.

Responsibility

System Administrator

IA Controls

ECSC-1

Third party cookies must be blocked

Finding ID
DTBC-0015
Rule ID
SV-47049r2_rule
Severity
Cat III
CCE
(None)
Group Title
DTBC0015 - Block third party cookies
CCI
CCI-001588
Target Key
(None)
Documentable
No
Discussion

"Blocks third party cookies. Enabling this setting prevents cookies from being set by web page elements that are not from the domain that is in the browser's address bar. Disabling this setting allows cookies to be set by web page elements that are not from the domain that is in the browser's address bar and prevents users from changing this setting. If this policy is left not set, third party cookies will be enabled but the user will be able to change that." - Google Chrome Administrators Policy List

Fix Text

Valid for Chrome Browser version 10 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\
Value Name: BlockThirdPartyCookies
Value Type: Boolean (REG_DWORD)
Value Data: 1
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
Policy Name: Block third party cookies
Policy State: Enabled
Policy Value: N/A

Check Content

Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If BlockThirdPartyCookies is not displayed under the Policy Name column or it is not set to true under the Policy Value column, then this is a finding.
Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the BlockThirdPartyCookies value name does not exist or its value data is not set to 1, then this is a finding.

Responsibility

System Administrator

IA Controls

ECSC-1

Site data must not be wiped on closing the browser

Finding ID
DTBC-0016
Rule ID
SV-47050r2_rule
Severity
Cat II
CCE
(None)
Group Title
DTBC0016 - prevent wiping site data on closing browser
CCI
CCI-001588
Target Key
(None)
Documentable
No
Discussion

"This policy is an override for the "Clear cookies and other site data when I close my browser" content settings option. When set to enabled Google Chrome will delete all locally stored data from the browser when it is shut down. If set to disabled site data will not be cleared on exit. If this policy is left not set Google Chrome will use the default which is to preserve site data on shut down and the user will be able to change this. If the "RestoreOnStartup" policy is set to restore URLs from previous sessions this policy will not clear cookies or other data relevant to restoring the previous browsing session completely." - Google Chrome Administrators Policy List The site data must be retained for forensics purposes. If a system is compromised, it is important to have as much information available as possible to ensure that it can be determined how the system was compromised.

Fix Text

Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If the policy "ClearSiteDataOnExit" is not shown or it is not set to false, this is a finding.
Windows:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\ClearSiteDataOnExit
3. If this key does not exist or is not set to 0, this is a finding.

Check Content

Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If the policy "ClearSiteDataOnExit" is not shown or it is not set to false, this is a finding.
Windows:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\ClearSiteDataOnExit
3. If this key does not exist or is not set to 0, this is a finding.

Responsibility

System Administrator

IA Controls

ECSC-1

Background processing must be disabled

Finding ID
DTBC-0017
Rule ID
SV-47051r2_rule
Severity
Cat II
CCE
(None)
Group Title
DTBC0017 - Disable background processing
CCI
CCI-001588
Target Key
(None)
Documentable
No
Discussion

"Determines whether a Google Chrome process is started on OS login and keeps running when the last browser window is closed, allowing background apps to remain active. The background process displays an icon in the system tray and can always be closed from there. If this policy is set to True, background mode is enabled and cannot be controlled by the user in the browser settings. If this policy is set to False, background mode is disabled and cannot be controlled by the user in the browser settings. If this policy is left unset, background mode is initially disabled and can be controlled by the user in the browser settings." - Google Chrome Administrators Policy List
This setting, if enabled, allows Google Chrome to run at all times. There are two reasons this is not wanted. First, it can tie up system resources that might otherwise be needed. Second, it does not make it obvious to the user that it is running, and poorly written extensions could cause instability on the system.

Fix Text

Valid for Chrome Browser version 19 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\
Value Name: BackgroundModeEnabled
Value Type: Boolean (REG_DWORD)
Value Data: 0
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
Policy Name: Continue running background apps when Google Chrome is closed
Policy State: Disabled
Policy Value: N/A

Check Content

Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If BackgroundModeEnabled is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding.
Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the BackgroundModeEnabled value name does not exist or its value data is not set to 0, then this is a finding.

Responsibility

System Administrator

IA Controls

ECSC-1

The SPDY protocol must be disabled

Finding ID
DTBC-0018
Rule ID
SV-47052r2_rule
Severity
Cat II
CCE
(None)
Group Title
DTBC0018 - Disable SPDY Protocol
CCI
CCI-001588
Target Key
(None)
Documentable
No
Discussion

"Disables use of the SPDY protocol in Google Chrome. If this policy is enabled the SPDY protocol will not be available in Google Chrome. Setting this policy to disabled will allow the usage of SPDY. If this policy is left not set, SPDY will be available." - Google Chrome Administrators Policy List

Fix Text

Valid for Chrome Browser version 8 or later. Windows registry: Key Path: HKLM\Software\Policies\Google\Chrome\ Value Name: DisableSpdy Value Type: Boolean (REG_DWORD) Value Data: 1 Windows group policy: Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ Policy Name: Disable SPDY protocol Policy State: Enabled Policy Value: N/A

Check Content

Universal method (Requires Chrome Browser v15 or later): 1. In the omnibox (address bar) type chrome://policy 2. If DisableSpdy is not displayed under the Policy Name column or it is not set to true under the Policy Value column, then this is a finding. Windows method: 1. Start regedit 2. Navigate to HKLM\Software\Policies\Google\Chrome\ 3. If the DisableSpdy value name does not exist or its value data is not set to 1, then this is a finding.

Responsibility

System Administrator

IA Controls

ECSC-1

3D Graphics APIs must be disabled

Finding ID
DTBC-0019
Rule ID
SV-47054r2_rule
Severity
Cat II
CCE
(None)
Group Title
DTBC0019 - Disable 3D Graphics APIs
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

"Disable support for 3D graphics APIs. Enabling this setting prevents web pages from accessing the graphics processing unit (GPU). Specifically, web pages can not access the WebGL API and plugins can not use the Pepper 3D API. Disabling this setting or leaving it not set potentially allows web pages to use the WebGL API and plugins to use the Pepper 3D API. The default settings of the browser may still require command line arguments to be passed in order to use these APIs." - Google Chrome Administrators Policy List Chrome uses WebGL to render graphics using the GPU. Few sites currently take advantage of this feature. Since there is unlikely to be an operational impact, it is recommended that this feature be turned off in order to reduce the attack surface exposed to web content.

Fix Text

Valid for Chrome Browser version 9 or later. Windows registry: Key Path: HKLM\Software\Policies\Google\Chrome\ Value Name: Disable3DAPIs Value Type: Boolean (REG_DWORD) Value Data: 1 Windows group policy: Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ Policy Name: Disable support for 3D graphics APIs Policy State: Enabled Policy Value: N/A

Check Content

Universal method (Requires Chrome Browser v15 or later): 1. In the omnibox (address bar) type chrome://policy 2. If Disable3DAPIs is not displayed under the Policy Name column or it is not set to true under the Policy Value column, then this is a finding. Windows method: 1. Start regedit 2. Navigate to HKLM\Software\Policies\Google\Chrome\ 3. If the Disable3DAPIs value name does not exist or its value data is not set to 1, then this is a finding.

Responsibility

System Administrator

Google Data Synchronization must be disabled

Finding ID
DTBC-0020
Rule ID
SV-47056r2_rule
Severity
Cat II
CCE
(None)
Group Title
DTBC0020 - Disable Google Data Synchronization
CCI
CCI-001588
Target Key
(None)
Documentable
No
Discussion

"Disables data synchronization in Google Chrome using Google-hosted synchronization services and prevents users from changing this setting. If you enable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set Google Sync will be available for the user to choose whether to use it or not. This feature is used to sync information between different user devices. This data is stored on Google owned servers. The data consists of information such as email, calendars, viewing history, etc. This feature must be disabled because the organization has no control over the servers the data is stored on." - Google Chrome Administrators Policy List

Fix Text

Valid for Chrome Browser version 8 or later. Windows registry: Key Path: HKLM\Software\Policies\Google\Chrome\ Value Name: SyncDisabled Value Type: Boolean (REG_DWORD) Value Data: 1 Windows group policy: Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ Policy Name: Disable synchronization of data with Google Policy State: Enabled Policy Value: N/A

Check Content

Universal method (Requires Chrome Browser v15 or later): 1. In the omnibox (address bar) type chrome://policy 2. If SyncDisabled is not displayed under the Policy Name column or it is not set to true under the Policy Value column, then this is a finding. Windows method: 1. Start regedit 2. Navigate to HKLM\Software\Policies\Google\Chrome\ 3. If the SyncDisabled value name does not exist or its value data is not set to 1, then this is a finding.

Responsibility

System Administrator

IA Controls

ECSC-1

The URL protocol schemas file and javascript must be disabled

Finding ID
DTBC-0021
Rule ID
SV-47058r2_rule
Severity
Cat I
CCE
(None)
Group Title
DTBC0021 - Disable URL protocol schemas
CCI
CCI-001588
Target Key
(None)
Documentable
No
Discussion

"Disables the listed protocol schemes in Google Chrome. URLs using a scheme from this list will not load and can not be navigated to. If this policy is left not set or the list is empty all schemes will be accessible in Google Chrome." - Google Chrome Administrators Policy List

Fix Text

Valid for Chrome Browser version 12 or later. Windows registry: Key Path: HKLM\Software\Policies\Google\Chrome\DisabledSchemes\ Value Name: 1 Value Type: String (REG_SZ) Value Data: file Key Path: HKLM\Software\Policies\Google\Chrome\DisabledSchemes\ Value Name: 2 Value Type: String (REG_SZ) Value Data: javascript Windows group policy: Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ Policy Name: Disable URL protocol schemes Policy State: Enabled Policy Value 1: file Policy Value 2: javascript

Check Content

Universal method (Requires Chrome Browser v15 or later): 1. In the omnibox (address bar) type chrome://policy 2. If DisabledSchemes is not displayed under the Policy Name column or it is not set to file,javascript under the Policy Value column, then this is a finding. Windows method: 1. Start regedit 2. Navigate to HKLM\Software\Policies\Google\Chrome\DisabledSchemes 3. If the DisabledSchemes key does not exist, or it does not contain the value names 1 and 2 with value data file and javascript respectively, then this is a finding.

Responsibility

System Administrator

IA Controls

ECSC-1

AutoFill must be disabled

Finding ID
DTBC-0022
Rule ID
SV-47060r2_rule
Severity
Cat II
CCE
(None)
Group Title
DTBC0022 - Disable AutoFill
CCI
CCI-001588
Target Key
(None)
Documentable
No
Discussion

"Enables Google Chrome's AutoFill feature and allows users to auto complete web forms using previously stored information such as address or credit card information. If you disable this setting, AutoFill will be inaccessible to users. If you enable this setting or do not set a value, AutoFill will remain under the control of the user. This will allow them to configure AutoFill profiles and to switch AutoFill on or off at their own discretion." - Google Chrome Administrators Policy List

Fix Text

Valid for Chrome Browser version 8 or later. Windows registry: Key Path: HKLM\Software\Policies\Google\Chrome\ Value Name: AutoFillEnabled Value Type: Boolean (REG_DWORD) Value Data: 0 Windows group policy: Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ Policy Name: Enable AutoFill Policy State: Disabled Policy Value: N/A

Check Content

Universal method (Requires Chrome Browser v15 or later): 1. In the omnibox (address bar) type chrome://policy 2. If AutoFillEnabled is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding. Windows method: 1. Start regedit 2. Navigate to HKLM\Software\Policies\Google\Chrome\ 3. If the AutoFillEnabled value name does not exist or its value data is not set to 0, then this is a finding.

Responsibility

System Administrator

IA Controls

ECSC-1

Cloud print sharing must be disabled

Finding ID
DTBC-0023
Rule ID
SV-47063r2_rule
Severity
Cat II
CCE
(None)
Group Title
DTBC0023 - Disable Cloud print sharing
CCI
CCI-001588
Target Key
(None)
Documentable
No
Discussion

"Enables Google Chrome to act as a proxy between Google Cloud Print and legacy printers connected to the machine. If this setting is enabled or not configured, users can enable the cloud print proxy by authentication with their Google account. If this setting is disabled, users cannot enable the proxy, and the machine will not be allowed to share its printers with Google Cloud Print. If this policy is left not set, this will be enabled but the user will be able to change it." - Google Chrome Administrators Policy List

Fix Text

Valid for Chrome Browser version 17 or later. Windows registry: Key Path: HKLM\Software\Policies\Google\Chrome\ Value Name: CloudPrintProxyEnabled Value Type: Boolean (REG_DWORD) Value Data: 0 Windows group policy: Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ Policy Name: Enable Google Cloud Print proxy Policy State: Disabled Policy Value: N/A

Check Content

Universal method (Requires Chrome Browser v15 or later): 1. In the omnibox (address bar) type chrome://policy 2. If CloudPrintProxyEnabled is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding. Windows method: 1. Start regedit 2. Navigate to HKLM\Software\Policies\Google\Chrome\ 3. If the CloudPrintProxyEnabled value name does not exist or its value data is not set to 0, then this is a finding.

Responsibility

System Administrator

IA Controls

ECSC-1

Google Chrome Instant must be disabled

Finding ID
DTBC-0024
Rule ID
SV-47064r2_rule
Severity
Cat II
CCE
(None)
Group Title
DTBC0024 - Disable Google Chrome Instant
CCI
CCI-001588
Target Key
(None)
Documentable
No
Discussion

"Enables Google Chrome's Instant feature and prevents users from changing this setting. If you enable this setting, Google Chrome Instant is enabled. If you disable this setting, Google Chrome Instant is disabled. If you enable or disable this setting, users cannot change or override this setting. If this setting is left not set the user can decide to use this function or not." - Google Chrome Administrators Policy List

Fix Text

Valid for Chrome Browser version 8 or later. Windows registry: Key Path: HKLM\Software\Policies\Google\Chrome\ Value Name: InstantEnabled Value Type: Boolean (REG_DWORD) Value Data: 0 Windows group policy: Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ Policy Name: Enable Instant Policy State: Disabled Policy Value: N/A

Check Content

Universal method (Requires Chrome Browser v15 or later): 1. In the omnibox (address bar) type chrome://policy 2. If InstantEnabled is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding. Windows method: 1. Start regedit 2. Navigate to HKLM\Software\Policies\Google\Chrome\ 3. If the InstantEnabled value name does not exist or its value data is not set to 0, then this is a finding.

Responsibility

System Administrator

IA Controls

ECSC-1

Network prediction must be disabled

Finding ID
DTBC-0025
Rule ID
SV-47066r2_rule
Severity
Cat II
CCE
(None)
Group Title
DTBC0025 - Disable network prediction
CCI
CCI-001588
Target Key
(None)
Documentable
No
Discussion

"Enables network prediction in Google Chrome and prevents users from changing this setting. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, this will be enabled but the user will be able to change it." - Google Chrome Administrators Policy List

Fix Text

Valid for Chrome Browser version 8 or later. Windows registry: Key Path: HKLM\Software\Policies\Google\Chrome\ Value Name: DnsPrefetchingEnabled Value Type: Boolean (REG_DWORD) Value Data: 0 Windows group policy: Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ Policy Name: Enable network prediction Policy State: Disabled Policy Value: N/A

Check Content

Universal method (Requires Chrome Browser v15 or later): 1. In the omnibox (address bar) type chrome://policy 2. If DnsPrefetchingEnabled is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding. Windows method: 1. Start regedit 2. Navigate to HKLM\Software\Policies\Google\Chrome\ 3. If the DnsPrefetchingEnabled value name does not exist or its value data is not set to 0, then this is a finding.

Responsibility

System Administrator

IA Controls

ECSC-1

Metrics reporting to Google must be disabled

Finding ID
DTBC-0026
Rule ID
SV-47067r2_rule
Severity
Cat II
CCE
(None)
Group Title
DTBC0026 - Disable metrics reporting to Google
CCI
CCI-001588
Target Key
(None)
Documentable
No
Discussion

"Enables anonymous reporting of usage and crash-related data about Google Chrome to Google and prevents users from changing this setting. If you enable this setting, anonymous reporting of usage and crash-related data is sent to Google. If you disable this setting, anonymous reporting of usage and crash-related data is never sent to Google. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set the setting will be what the user chose upon installation / first run." - Google Chrome Administrators Policy List

Fix Text

Valid for Chrome Browser version 8 or later. Windows registry: Key Path: HKLM\Software\Policies\Google\Chrome\ Value Name: MetricsReportingEnabled Value Type: Boolean (REG_DWORD) Value Data: 0 Windows group policy: Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ Policy Name: Enable reporting of usage and crash-related data Policy State: Disabled Policy Value: N/A

Check Content

Universal method (Requires Chrome Browser v15 or later): 1. In the omnibox (address bar) type chrome://policy 2. If MetricsReportingEnabled is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding. Windows method: 1. Start regedit 2. Navigate to HKLM\Software\Policies\Google\Chrome\ 3. If the MetricsReportingEnabled value name does not exist or its value data is not set to 0, then this is a finding.

Responsibility

System Administrator

IA Controls

ECSC-1

Search suggestions must be disabled

Finding ID
DTBC-0027
Rule ID
SV-47068r2_rule
Severity
Cat II
CCE
(None)
Group Title
DTBC0027 - Disable search suggestion
CCI
CCI-001588
Target Key
(None)
Documentable
No
Discussion

"Search suggestion should be disabled as it could lead to searches being conducted that were never intended to be made." - Google Chrome Administrators Policy List

Fix Text

Valid for Chrome Browser version 8 or later. Windows registry: Key Path: HKLM\Software\Policies\Google\Chrome\ Value Name: SearchSuggestEnabled Value Type: Boolean (REG_DWORD) Value Data: 0 Windows group policy: Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ Policy Name: Enable search suggestions Policy State: Disabled Policy Value: N/A

Check Content

Universal method (Requires Chrome Browser v15 or later): 1. In the omnibox (address bar) type chrome://policy 2. If SearchSuggestEnabled is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding. Windows method: 1. Start regedit 2. Navigate to HKLM\Software\Policies\Google\Chrome\ 3. If the SearchSuggestEnabled value name does not exist or its value data is not set to 0, then this is a finding.

Responsibility

System Administrator

IA Controls

ECSC-1

Importing of saved passwords must be disabled

Finding ID
DTBC-0029
Rule ID
SV-47071r2_rule
Severity
Cat II
CCE
(None)
Group Title
DTBC0029 - Disable import of saved passwords
CCI
CCI-001588
Target Key
(None)
Documentable
No
Discussion

"This policy forces the saved passwords to be imported from the previous default browser if enabled. If enabled, this policy also affects the import dialog. If disabled, the saved passwords are not imported. If it is not set, the user may be asked whether to import, or importing may happen automatically." - Google Chrome Administrators Policy List

Fix Text

Windows registry: Key Path: HKLM\Software\Policies\Google\Chrome\ Value Name: ImportSavedPasswords Value Type: Boolean (REG_DWORD) Value Data: 0 Windows group policy: Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ Policy Name: Import saved passwords from default browser on first run Policy State: Disabled Policy Value: N/A

Check Content

Universal method (Requires Chrome Browser v15 or later): 1. In the omnibox (address bar) type chrome://policy 2. If ImportSavedPasswords is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding. Windows method: 1. Start regedit 2. Navigate to HKLM\Software\Policies\Google\Chrome\ 3. If the ImportSavedPasswords value name does not exist or its value data is not set to 0, then this is a finding.

Responsibility

System Administrator

IA Controls

ECSC-1

Incognito mode must be disabled

Finding ID
DTBC-0030
Rule ID
SV-47072r2_rule
Severity
Cat II
CCE
(None)
Group Title
DTBC0030 - Disable incognito mode
CCI
CCI-001588
Target Key
(None)
Documentable
No
Discussion

Incognito mode prevents the browser from saving anything from the current session. This is undesirable from a forensics standpoint: browsing history and related session data need to be retained in case a compromise occurs. "Specifies whether the user may open pages in Incognito mode in Google Chrome. If 'Enabled' is selected or the policy is left unset, pages may be opened in Incognito mode. If 'Disabled' is selected, pages may not be opened in Incognito mode. If 'Forced' is selected, pages may be opened ONLY in Incognito mode. 0 = Incognito mode available. 1 = Incognito mode disabled. 2 = Incognito mode forced." - Google Chrome Administrators Policy List

Fix Text

Valid for Chrome Browser version 14 or later. Windows registry: Key Path: HKLM\Software\Policies\Google\Chrome\ Value Name: IncognitoModeAvailability Value Type: REG_DWORD Value Data: 1 Windows group policy: Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ Policy Name: Incognito mode availability Policy State: Enabled Policy Value: Incognito mode disabled

Check Content

Universal method (Requires Chrome Browser v15 or later): 1. In the omnibox (address bar) type chrome://policy 2. If IncognitoModeAvailability is not displayed under the Policy Name column or it is not set to 1 under the Policy Value column, then this is a finding. Windows method: 1. Start regedit 2. Navigate to HKLM\Software\Policies\Google\Chrome\ 3. If the IncognitoModeAvailability value name does not exist or its value data is not set to 1, then this is a finding.

Responsibility

System Administrator

IA Controls

ECSC-1

The user data location must be set

Finding ID
DTBC-0033
Rule ID
SV-47074r2_rule
Severity
Cat II
CCE
(None)
Group Title
DTBC0033 - Set the user data location
CCI
CCI-001588
Target Key
(None)
Documentable
No
Discussion

"Configures the directory that Google Chrome will use for storing user data. If you set this policy, Google Chrome will use the provided directory regardless whether the user has specified the '--user-data-dir' flag or not. If this policy is left not set the default profile path will be used and the user will be able to override it with the '--user-data-dir' command line flag." - Google Chrome Administrators Policy List

Fix Text

Valid for Chrome Browser version 11 or later. Windows Registry: Registry Path: HKLM\Software\Policies\Google\Chrome\ Value Name: UserDataDir Value Type: String (REG_SZ) Value Data: "${roaming_app_data}\Chrome\Data" Windows group policy: Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ Policy Name: "Set user data directory" Policy State: Enabled Policy Value: "${roaming_app_data}\Chrome\Data"

Check Content

Universal method (Requires Chrome Browser v15 or later): 1. In the omnibox (address bar) type chrome://policy 2. If UserDataDir is not displayed under the Policy Name column or it is not set to "${roaming_app_data}\Chrome\Data" under the Policy Value column, then this is a finding. Windows method: 1. Start regedit 2. Navigate to HKLM\Software\Policies\Google\Chrome\ 3. If the UserDataDir value name does not exist or its value data is not set to "${roaming_app_data}\Chrome\Data", then this is a finding.
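The following PowerShell script is an added example for DTBC-0033 and is not part of the DISA benchmark or Google's tooling; the function names Set-ChromeUserDataDir and Test-ChromeUserDataDir are my own. It writes the UserDataDir value exactly as the Fix Text requires and then re-reads it the way the Check Content describes. The practical trap it guards against: the registry must contain the literal string ${roaming_app_data}\Chrome\Data, because Chrome expands that variable itself, but inside a PowerShell double-quoted string ${roaming_app_data} is a PowerShell variable reference that expands to an empty string, silently producing \Chrome\Data. Run it from an elevated prompt, since it writes under HKLM.

```powershell
# Added example (not part of the DISA benchmark): set and verify the UserDataDir
# policy (DTBC-0033) under HKLM\Software\Policies\Google\Chrome. Requires an
# elevated PowerShell session because it writes to HKLM.

$ChromeKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

# Single quotes are essential: PowerShell performs no expansion, so the registry
# receives the literal text ${roaming_app_data}\Chrome\Data that Chrome expands.
# The double-quoted form "${roaming_app_data}\Chrome\Data" would be expanded by
# PowerShell (undefined variable -> empty string) and store just \Chrome\Data.
$Required = '${roaming_app_data}\Chrome\Data'

function Set-ChromeUserDataDir {
    if (-not (Test-Path -LiteralPath $ChromeKey)) {
        New-Item -Path $ChromeKey -Force | Out-Null
    }
    # REG_SZ as the Fix Text specifies; -Force overwrites an existing value,
    # including one that was created with the wrong type.
    New-ItemProperty -LiteralPath $ChromeKey -Name 'UserDataDir' `
        -PropertyType String -Value $Required -Force | Out-Null
}

function Test-ChromeUserDataDir {
    # Returns 'NotAFinding' or an 'Open: ...' string describing the failure.
    if (-not (Test-Path -LiteralPath $ChromeKey)) {
        return 'Open: HKLM\Software\Policies\Google\Chrome does not exist'
    }
    $key = Get-Item -LiteralPath $ChromeKey
    if ($key.GetValueNames() -notcontains 'UserDataDir') {
        return 'Open: UserDataDir value name does not exist'
    }

    $kind   = $key.GetValueKind('UserDataDir')
    $actual = [string]$key.GetValue('UserDataDir')
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::String) {
        return "Open: UserDataDir is $kind, not REG_SZ"
    }
    # Ordinal comparison: the Chrome variable name must appear verbatim.
    if (-not [string]::Equals($actual, $Required, [System.StringComparison]::Ordinal)) {
        return "Open: UserDataDir is '$actual', expected '$Required'"
    }
    return 'NotAFinding'
}

Set-ChromeUserDataDir
Test-ChromeUserDataDir
```

If a system was remediated with a script that used double quotes, Test-ChromeUserDataDir reports the stored value as \Chrome\Data, which is how the mistake usually surfaces during an audit.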

Responsibility

System Administrator

IA Controls

ECSC-1

Plugins must be disabled by default

Finding ID
DTBC-0034
Rule ID
SV-47075r2_rule
Severity
Cat II
CCE
(None)
Group Title
DTBC0034 - Disable plugins by default
CCI
CCI-001588
Target Key
(None)
Documentable
No
Discussion

"Specifies a list of plugins that are disabled in Google Chrome and prevents users from changing this setting. The wildcard characters * and ? can be used to match sequences of arbitrary characters. * matches an arbitrary number of characters while ? specifies an optional single character, i.e. matches zero or one characters. The escape character is \, so to match actual *, ?, or \ characters, you can put a \ in front of them. If you enable this setting, the specified list of plugins is never used in Google Chrome. The plugins are marked as disabled in about:plugins and users cannot enable them. Note that this policy can be overridden by EnabledPlugins and DisabledPluginsExceptions. If this policy is left not set the user can use any plugin installed on the system except for hard-coded incompatible, outdated or dangerous plugins." - Google Chrome Administrators Policy List

Fix Text

Valid for Chrome Browser version 8 or later. Windows registry: Key Path: HKLM\Software\Policies\Google\Chrome\DisabledPlugins Value Name: 1 Value Type: String (REG_SZ) Value Data: * Windows group policy: Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ Policy Name: Specify a list of disabled plugins Policy State: Enabled Policy Value: *

Check Content

Universal method (Requires Chrome Browser v15 or later): 1. In the omnibox (address bar) type chrome://policy 2. If DisabledPlugins is not displayed under the Policy Name column or it is not set to * under the Policy Value column, then this is a finding. Windows method: 1. Start regedit 2. Navigate to HKLM\Software\Policies\Google\Chrome\DisabledPlugins 3. If the DisabledPlugins key does not exist, or the value name 1 does not exist under that key, or its value data is not set to *, then this is a finding.
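The following PowerShell script is an added example covering the two list-valued policies in this section, DisabledSchemes (DTBC-0021) and DisabledPlugins (DTBC-0034); it is not part of the DISA benchmark, and the function name Test-ChromeListPolicy is my own. Unlike the REG_DWORD policies, Chrome reads a list policy from a subkey under HKLM\Software\Policies\Google\Chrome whose value names are 1, 2, 3, ... with REG_SZ data, which is exactly what both Fix Texts describe. The script checks each required entry by position and type, and also flags a common mistake: storing the list as a single comma-separated REG_SZ value on the parent Chrome key, which does not match the format the benchmark specifies.

```powershell
# Added example (not part of the DISA benchmark): audit the list-valued policies
# DisabledSchemes (DTBC-0021) and DisabledPlugins (DTBC-0034). Read-only; run in
# an elevated prompt so HKLM is fully readable.

$ChromeKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

function Test-ChromeListPolicy {
    param(
        [string]$Id,            # STIG finding ID, for the report
        [string]$Name,          # subkey name, e.g. DisabledSchemes
        [string[]]$Expected     # required entries in order: value names 1, 2, ...
    )

    $problems = @()
    $actual   = @()

    if (-not (Test-Path -LiteralPath $ChromeKey)) {
        return [pscustomobject]@{ Id = $Id; Policy = $Name; Actual = ''
                                  Status = 'Open: policy key missing' }
    }

    $subKeyPath = Join-Path $ChromeKey $Name
    if (Test-Path -LiteralPath $subKeyPath) {
        $subKey = Get-Item -LiteralPath $subKeyPath
        for ($i = 1; $i -le $Expected.Count; $i++) {
            $valueName = "$i"
            if ($subKey.GetValueNames() -notcontains $valueName) {
                $problems += "value name $valueName missing"
                continue
            }
            $kind = $subKey.GetValueKind($valueName)
            $data = [string]$subKey.GetValue($valueName)
            $actual += $data
            if ($kind -ne [Microsoft.Win32.RegistryValueKind]::String) {
                $problems += "value $valueName is $kind, not REG_SZ"
            }
            if ($data -ne $Expected[$i - 1]) {
                $problems += "value $valueName is '$data', expected '$($Expected[$i - 1])'"
            }
        }
    } else {
        $problems += "subkey $Name missing"
    }

    # Common misconfiguration: the whole list written as one REG_SZ value on the
    # parent key (e.g. DisabledSchemes = "file,javascript"). That is not the
    # subkey-with-numbered-values layout the benchmark's Fix Text specifies.
    $parent = Get-Item -LiteralPath $ChromeKey
    if ($parent.GetValueNames() -contains $Name) {
        $problems += "'$Name' exists as a value on the parent key instead of (or as well as) a subkey"
    }

    [pscustomobject]@{
        Id     = $Id
        Policy = $Name
        Actual = ($actual -join ',')
        Status = if ($problems.Count -eq 0) { 'NotAFinding' } else { 'Open: ' + ($problems -join '; ') }
    }
}

Test-ChromeListPolicy -Id 'DTBC-0021' -Name 'DisabledSchemes' -Expected 'file', 'javascript'
Test-ChromeListPolicy -Id 'DTBC-0034' -Name 'DisabledPlugins' -Expected '*'
```

The Actual column is joined with commas so it reads the same way chrome://policy presents a list value (file,javascript), which makes it easy to compare the registry view with what the browser actually loaded.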

Responsibility

System Administrator

IA Controls

ECSC-1

Automated installation of missing plugins must be disabled

Finding ID
DTBC-0036
Rule ID
SV-47077r2_rule
Severity
Cat II
CCE
(None)
Group Title
DTBC0036 - Disable automated search and installation of missing plugins
CCI
CCI-001588
Target Key
(None)
Documentable
No
Discussion

"If you set this setting to enabled the automatic search and installation of missing plugins will be disabled in Google Chrome." - Google Chrome Administrators Policy List

Fix Text

Valid for Chrome Browser version 11 or later. Windows registry: Key Path: HKLM\Software\Policies\Google\Chrome\ Value Name: DisablePluginFinder Value Type: Boolean (REG_DWORD) Value Data: 1 Windows group policy: Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ Policy Name: Specify whether the plugin finder should be disabled Policy State: Enabled Policy Value: N/A

Check Content

Universal method (Requires Chrome Browser v15 or later): 1. In the omnibox (address bar) type chrome://policy 2. If DisablePluginFinder is not displayed under the Policy Name column or it is not set to true under the Policy Value column, then this is a finding. Windows method: 1. Start regedit 2. Navigate to HKLM\Software\Policies\Google\Chrome\ 3. If the DisablePluginFinder value name does not exist or its value data is not set to 1, then this is a finding.

Responsibility

System Administrator

IA Controls

ECSC-1

Online revocation checks must be done

Finding ID
DTBC-0037
Rule ID
SV-47078r2_rule
Severity
Cat II
CCE
(None)
Group Title
DTBC0037 - Enable online revocation checks
CCI
CCI-001588
Target Key
(None)
Documentable
No
Discussion

"By setting this policy to true, the previous behaviour is restored and online OCSP/CRL checks will be performed. If the policy is not set, or is set to false, then Chrome will not perform online revocation checks in Chrome 19 and later." - Google Chrome Administrators Policy List

Fix Text

Valid for Chrome Browser version 19 or later. Windows registry: Key Path: HKLM\Software\Policies\Google\Chrome\ Value Name: EnableOnlineRevocationChecks Value Type: Boolean (REG_DWORD) Value Data: 1 Windows group policy: Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ Policy Name: Whether online OCSP/CRL checks are performed Policy State: Enabled Policy Value: N/A

Check Content

Universal method (Requires Chrome Browser v15 or later): 1. In the omnibox (address bar) type chrome://policy 2. If EnableOnlineRevocationChecks is not displayed under the Policy Name column or it is not set to true under the Policy Value column, then this is a finding. Windows method: 1. Start regedit 2. Navigate to HKLM\Software\Policies\Google\Chrome\ 3. If the EnableOnlineRevocationChecks value name does not exist or its value data is not set to 1, then this is a finding.

Responsibility

System Administrator

IA Controls

ECSC-1

Safe Browsing must be enabled

Finding ID
DTBC-0038
Rule ID
SV-47079r2_rule
Severity
Cat II
CCE
(None)
Group Title
DTBC0038 - Enable Safe Browsing
CCI
CCI-001588
Target Key
(None)
Documentable
No
Discussion

"Enables Google Chrome's Safe Browsing feature and prevents users from changing this setting. If you enable this setting, Safe Browsing is always active. If you disable this setting, Safe Browsing is never active. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, this will be enabled but the user will be able to change it." - Google Chrome Administrators Policy List Safe Browsing checks sites against a database of known malicious sites as they are loaded, to warn the user before known malware or phishing content is rendered.

Fix Text

Valid for Chrome Browser version 14 or later. Windows registry: Key Path: HKLM\Software\Policies\Google\Chrome\ Value Name: SafeBrowsingEnabled Value Type: Boolean (REG_DWORD) Value Data: 1 Windows group policy: Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ Policy Name: Enable Safe Browsing Policy State: Enabled Policy Value: N/A

Check Content

Universal method (Requires Chrome Browser v15 or later): 1. In the omnibox (address bar) type chrome://policy 2. If SafeBrowsingEnabled is not displayed under the Policy Name column or it is not set to true under the Policy Value column, then this is a finding. Windows method: 1. Start regedit 2. Navigate to HKLM\Software\Policies\Google\Chrome\ 3. If the SafeBrowsingEnabled value name does not exist or its value data is not set to 1, then this is a finding.

Responsibility

System Administrator

IA Controls

ECSC-1

Browser history must be saved

Finding ID
DTBC-0039
Rule ID
SV-47080r2_rule
Severity
Cat II
CCE
(None)
Group Title
DTBC0039 - Force saving of browsing history
CCI
CCI-001588
Target Key
(None)
Documentable
No
Discussion

"Disables saving browser history in Google Chrome and prevents users from changing this setting. If this setting is enabled, browsing history is not saved. If this setting is disabled or not set, browsing history is saved." - Google Chrome Administrators Policy List

Fix Text

Valid for Chrome Browser version 8 or later. Windows registry: Key Path: HKLM\Software\Policies\Google\Chrome\ Value Name: SavingBrowserHistoryDisabled Value Type: Boolean (REG_DWORD) Value Data: 0 Windows group policy: Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ Policy Name: Disable saving browser history Policy State: Disabled Policy Value: N/A

Check Content

Universal method (Requires Chrome Browser v15 or later): 1. In the omnibox (address bar) type chrome://policy 2. If the policy "SavingBrowserHistoryDisabled" is not shown or is not set to false, then this is a finding. Windows: 1. Start regedit 2. Navigate to HKLM\Software\Policies\Google\Chrome\ 3. If the SavingBrowserHistoryDisabled value name does not exist or its value data is not set to 0, then this is a finding.

Responsibility

System Administrator

IA Controls

ECSC-1

Default behavior must block plugin usage

Finding ID
DTBC-0040
Rule ID
SV-47081r2_rule
Severity
Cat II
CCE
(None)
Group Title
DTBC0040 - set default behavior to block plugin usage
CCI
CCI-001588
Target Key
(None)
Documentable
No
Discussion

"Allows you to set whether websites are allowed to automatically run plugins. Automatically running plugins can be either allowed for all websites or denied for all websites. If this policy is left not set, 'AllowPlugins' will be used and the user will be able to change it. 1 = Allow all sites to automatically run plugins 2 = Block all plugins 3 = Click to play." - Google Chrome Administrators Policy List

Fix Text

Valid for Chrome Browser version 10 or later. Windows Registry: Registry Path: HKLM\Software\Policies\Google\Chrome\ Value Name: DefaultPluginsSetting Value Type: REG_DWORD Value Data: 3 Windows group policy: Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings\ Policy Name: "Default plugins setting" Policy State: Enabled Policy Value: "Click to play"

Check Content

Universal method (Requires Chrome Browser v15 or later): 1. In the omnibox (address bar) type chrome://policy 2. If DefaultPluginsSetting is not displayed under the Policy Name column or it is not set to 3 (Click to play) under the Policy Value column, then this is a finding. Windows method: 1. Start regedit 2. Navigate to HKLM\Software\Policies\Google\Chrome\ 3. If the DefaultPluginsSetting value name does not exist or its value data is not set to 3, then this is a finding.
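Every REG_DWORD check in this section (DTBC-0017 through DTBC-0040, excluding the list policies DTBC-0021 and DTBC-0034 and the string policy DTBC-0033) follows the same "Windows method": open HKLM\Software\Policies\Google\Chrome, confirm the value name exists, and confirm its data. The following PowerShell script is an added example that automates all of them at once; it is not part of the DISA benchmark, and the function name Test-ChromeDwordPolicy and the report layout are my own. The expected values are taken directly from each rule's Fix Text. Beyond the manual procedure, it also reports the value's registry type, since the benchmark specifies REG_DWORD and a REG_SZ "1" created by hand in regedit is a different thing.

```powershell
# Added example (not part of the DISA benchmark): audit the REG_DWORD policies
# from this section of the Chrome v24 STIG. Read-only; run in an elevated prompt.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

# Finding ID, value name, and the value data each rule's Fix Text requires.
$Expected = @(
    @{ Id = 'DTBC-0017'; Name = 'BackgroundModeEnabled';        Data = 0 },
    @{ Id = 'DTBC-0018'; Name = 'DisableSpdy';                  Data = 1 },
    @{ Id = 'DTBC-0019'; Name = 'Disable3DAPIs';                Data = 1 },
    @{ Id = 'DTBC-0020'; Name = 'SyncDisabled';                 Data = 1 },
    @{ Id = 'DTBC-0022'; Name = 'AutoFillEnabled';              Data = 0 },
    @{ Id = 'DTBC-0023'; Name = 'CloudPrintProxyEnabled';       Data = 0 },
    @{ Id = 'DTBC-0024'; Name = 'InstantEnabled';               Data = 0 },
    @{ Id = 'DTBC-0025'; Name = 'DnsPrefetchingEnabled';        Data = 0 },
    @{ Id = 'DTBC-0026'; Name = 'MetricsReportingEnabled';      Data = 0 },
    @{ Id = 'DTBC-0027'; Name = 'SearchSuggestEnabled';         Data = 0 },
    @{ Id = 'DTBC-0029'; Name = 'ImportSavedPasswords';         Data = 0 },
    @{ Id = 'DTBC-0030'; Name = 'IncognitoModeAvailability';    Data = 1 },
    @{ Id = 'DTBC-0036'; Name = 'DisablePluginFinder';          Data = 1 },
    @{ Id = 'DTBC-0037'; Name = 'EnableOnlineRevocationChecks'; Data = 1 },
    @{ Id = 'DTBC-0038'; Name = 'SafeBrowsingEnabled';          Data = 1 },
    @{ Id = 'DTBC-0039'; Name = 'SavingBrowserHistoryDisabled'; Data = 0 },
    @{ Id = 'DTBC-0040'; Name = 'DefaultPluginsSetting';        Data = 3 }
)

function Test-ChromeDwordPolicy {
    param([string]$Id, [string]$Name, [int]$Data)

    # One row per rule; Status mirrors the benchmark's Open / NotAFinding wording.
    $row = [ordered]@{ Id = $Id; Name = $Name; Expected = $Data; Actual = $null; Status = 'Open' }

    if (-not (Test-Path -LiteralPath $PolicyKey)) {
        $row.Actual = '<policy key missing>'
        return [pscustomobject]$row
    }

    $key = Get-Item -LiteralPath $PolicyKey
    if ($key.GetValueNames() -notcontains $Name) {       # case-insensitive, like the registry
        $row.Actual = '<value missing>'
        return [pscustomobject]$row
    }

    $kind       = $key.GetValueKind($Name)
    $row.Actual = $key.GetValue($Name)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        # Present but wrong type: the Fix Text calls for REG_DWORD.
        $row.Status = "Open (type is $kind, not REG_DWORD)"
    } elseif ([int]$row.Actual -eq $Data) {
        $row.Status = 'NotAFinding'
    }
    return [pscustomobject]$row
}

# Splat each hashtable into the function's parameters and print the report.
$report = foreach ($rule in $Expected) { Test-ChromeDwordPolicy @rule }
$report | Format-Table -AutoSize
```

The script only reads the machine-wide mandatory policy location the benchmark names; it does not consult chrome://policy, so a value present in the registry but rejected by Chrome (for instance because the browser is older than the "Valid for Chrome Browser version" line in the Fix Text) still needs the universal method for confirmation.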

Responsibility

System Administrator

IA Controls

ECSC-1