Google Chrome STIG Draft
DISA, Field Security Operations
STIG.DOD.MIL
Release: 0.5 STIG Date: 25 Sept 2012

Profiles:
I - Mission Critical Public
I - Mission Critical Sensitive
I - Mission Critical Classified
II - Mission Support Public
II - Mission Support Sensitive
II - Mission Support Classified
III - Administrative Public
III - Administrative Sensitive
III - Administrative Classified

DTBC0001 - Disable firewall traversal from remote host
DTBC-0001: Firewall traversal from remote host must be disabled
Vulnerability Discussion: Enables usage of STUN and relay servers when remote clients are trying to establish a connection to this machine. If this setting is enabled, then remote clients can discover and connect to this machine even if they are separated by a firewall. If this setting is disabled and outgoing UDP connections are filtered by the firewall, then this machine will only allow connections from client machines within the local network. If this policy is left not set, the setting will be enabled.
Documentable: false
Responsibility: System Administrator
Valid for Chrome Browser version 14 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\
Value Name: RemoteAccessHostFirewallTraversal
Value Type: Boolean (REG_DWORD)
Value Data: 0
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Configure remote access options\
Policy Name: Enable firewall traversal from remote access host
Policy State: Disabled
Policy Value: N/A
Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If RemoteAccessHostFirewallTraversal is displayed under the Policy Name column and it is set to false under the Policy Value column, then this is not a finding.
Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the RemoteAccessHostFirewallTraversal value name does not exist or its value data is not set to 0, then this is a finding.

DTBC0002 - Disable any site from tracking a user's location
DTBC-0002: Site tracking user's location must be disabled
Vulnerability Discussion: Allows you to set whether websites are allowed to track the users' physical location. Tracking the users' physical location can be allowed by default, denied by default or the user can be asked every time a website requests the physical location. If this policy is left not set, 'AskGeolocation' will be used and the user will be able to change it.
1 = Allow sites to track the users' physical location
2 = Do not allow any site to track the users' physical location
3 = Ask whenever a site wants to track the users' physical location
Documentable: false
Responsibility: System Administrator
Valid for Chrome Browser version 10 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\
Value Name: DefaultGeolocationSetting
Value Type: Integer (REG_DWORD)
Value Data: 2
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings\
Policy Name: Default geolocation setting
Policy State: Enabled
Policy Value: Do not allow any site to track the users' physical location
Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If DefaultGeolocationSetting is displayed under the Policy Name column and it is set to Do not allow any site to track the users’ physical location under the Policy Value column, then this is not a finding.
Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the DefaultGeolocationSetting value name does not exist or its value data is not set to 2, then this is a finding.

DTBC0003 - Disable sites from showing desktop notifications
DTBC-0003: Sites' ability to show desktop notifications must be disabled
Vulnerability Discussion: Allows you to set whether websites are allowed to display desktop notifications. Displaying desktop notifications can be allowed by default, denied by default or the user can be asked every time a website wants to show desktop notifications. If this policy is left not set, 'AskNotifications' will be used and the user will be able to change it.
1 = Allow sites to show desktop notifications
2 = Do not allow any site to show desktop notifications
3 = Ask every time a site wants to show desktop notifications
Documentable: false
Responsibility: System Administrator
Valid for Chrome Browser version 10 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\
Value Name: DefaultNotificationsSetting
Value Type: Integer (REG_DWORD)
Value Data: 2
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings\
Policy Name: Default notification setting
Policy State: Enabled
Policy Value: Do not allow any site to show desktop notifications
Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If Default notification setting is displayed under the Policy Name column and it is set to Do not allow any site to show desktop notifications under the Policy Value column, then this is not a finding.
Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the DefaultNotificationsSetting value name does not exist or its value data is not set to 2, then this is a finding.

DTBC0004 - Disable sites from showing pop-ups
DTBC-0004: Sites' ability to show pop-ups must be disabled
Vulnerability Discussion: Allows you to set whether websites are allowed to show pop-ups. Showing popups can be either allowed for all websites or denied for all websites. If this policy is left not set, 'BlockPopups' will be used and the user will be able to change it.
1 = Allow all sites to show pop-ups
2 = Do not allow any site to show popups
Documentable: false
Responsibility: System Administrator
Valid for Chrome Browser version 10 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\
Value Name: DefaultPopupsSetting
Value Type: Integer (REG_DWORD)
Value Data: 2
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings\
Policy Name: Default popups setting
Policy State: Enabled
Policy Value: Do not allow any site to show popups
Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If DefaultPopupsSetting is displayed under the Policy Name column and it is set to Do not allow any site to show popups under the Policy Value column, then this is not a finding.
Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the value name DefaultPopupsSetting does not exist or its value data is not set to 2, then this is a finding.

DTBC0005 - Blacklist extensions by default
DTBC-0005: Extensions must be blacklisted by default
Vulnerability Discussion: Allows you to specify which extensions the users can NOT install. Extensions already installed will be removed if blacklisted. A blacklist value of '*' means all extensions are blacklisted unless they are explicitly listed in the whitelist. If this policy is left not set, the user can install any extension in Google Chrome.
Documentable: false
Responsibility: System Administrator
Valid for Chrome Browser version 8 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\ExtensionInstallBlacklist
Value Name: 1
Value Type: String (REG_SZ)
Value Data: *
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Extensions\
Policy Name: Configure extension installation blacklist
Policy State: Enabled
Policy Value: *
Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If ExtensionInstallBlacklist is displayed under the Policy Name column and it is set to * under the Policy Value column, then this is not a finding.
Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\ExtensionInstallBlacklist
3. If the ExtensionInstallBlacklist key does not exist, or a registry value name of 1 does not exist under that key, or the registry value name of 1 does not have its value data set to *, then this is a finding.

DTBC0006 - Whitelist approved extensions
DTBC-0006: Extensions that are approved for use must be whitelisted
Vulnerability Discussion: Allows you to specify which extensions are not subject to the blacklist. A blacklist value of * means all extensions are blacklisted and users can only install extensions listed in the whitelist. By default, no extensions are whitelisted. If all extensions have been blacklisted by policy, then the whitelist policy can be used to allow specific extensions to be installed. Administrators should determine which extensions should be allowed to be installed by their users. If no extensions are whitelisted, then no extensions can be installed when combined with blacklisting all extensions.
Documentable: false
Responsibility: System Administrator
Valid for Chrome Browser version 8 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\ExtensionInstallWhitelist
Value Name:
Value Type: String (REG_SZ)
Value Data: oiigbmnaadbkfbmpbfijlflahbdbdgd
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Extensions\
Policy Name: Configure extension installation whitelist
Policy State: Enabled
Policy Value: oiigbmnaadbkfbmpbfijlflahbdbdgd
Note: oiigbmnaadbkfbmpbfijlflahbdbdgd is the ID for scriptno
Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If ExtensionInstallWhitelist is displayed under the Policy Name column and it is set to oiigbmnaadbkfbmpbfijlflahbdbdgd or a list of administrator approved extension IDs, then this is not a finding.
Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\ExtensionInstallWhitelist
3. If the ExtensionInstallWhitelist key does not exist or is not set to oiigbmnaadbkfbmpbfijlflahbdbdgd or a list of administrator approved extension IDs, then this is a finding.

DTBC0007 - Specify the default search provider name
DTBC-0007: The default search provider's name must be set
Vulnerability Discussion: Specifies the name of the default search provider. If left empty or not set, the host name specified by the search URL will be used. This policy is only considered if the 'DefaultSearchProviderEnabled' policy is enabled.
Documentable: false
Responsibility: System Administrator
Valid for Chrome Browser version 8 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\
Value Name: DefaultSearchProviderName
Value Type: String (REG_SZ)
Value Data: Google Encrypted Search
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Default search provider\
Policy Name: Default search provider name
Policy State: Enabled
Policy Value: Google Encrypted Search
Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If DefaultSearchProviderName is displayed under the Policy Name column and it is set to Google Encrypted Search under the Policy Value column, then this is not a finding.
Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the DefaultSearchProviderName value name does not exist or it is not set to Google Encrypted Search, then this is a finding.

DTBC0008 - Set default search provider URL to perform encrypted search
DTBC-0008: The default search provider URL must be set
Vulnerability Discussion: Specifies the URL of the search engine used when doing a default search. The URL should contain the string '{searchTerms}', which will be replaced at query time by the terms the user is searching for.
This option must be set when the 'DefaultSearchProviderEnabled' policy is enabled and will only be respected if this is the case.
Documentable: false
Responsibility: System Administrator
Valid for Chrome Browser version 8 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\
Value Name: DefaultSearchProviderSearchURL
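Value Type: String (REG_SZ)
Value Data: https://encrypted.google.com/search?{google:acceptedSuggestion}{google:originalQueryForSuggestion}sourceid=chrome&ie={inputEncoding}&q=%{searchTerms}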
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Default search provider\
Policy Name: Default search provider search URL
Policy State: Enabled
Policy Value: https://encrypted.google.com/search?{google:acceptedSuggestion}{google:originalQueryForSuggestion}sourceid=chrome&ie={inputEncoding}&q=%{searchTerms}
Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If DefaultSearchProviderSearchURL is displayed under the Policy Name column and it is set to https://encrypted.google.com/search?{google:acceptedSuggestion}{google:originalQueryForSuggestion}sourceid=chrome&ie={inputEncoding}&q=%{searchTerms} under the Policy Value column, then this is not a finding.
Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the DefaultSearchProviderSearchURL value name does not exist or its value data is not set to https://encrypted.google.com/search?{google:acceptedSuggestion}{google:originalQueryForSuggestion}sourceid=chrome&ie={inputEncoding}&q=%{searchTerms} then this is a finding.

DTBC0009 - Enable default search provider
DTBC-0009: Default search provider must be enabled
Vulnerability Discussion: Enables the use of a default search provider. If you enable this setting, a default search is performed when the user types text in the omnibox that is not a URL. You can specify the default search provider to be used by setting the rest of the default search policies. If these are left empty, the user can choose the default provider. If you disable this setting, no search is performed when the user enters non-URL text in the omnibox. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, the default search provider is enabled, and the user will be able to set the search provider list.
Documentable: false
Responsibility: System Administrator
Valid for Chrome Browser version 8 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\
Value Name: DefaultSearchProviderEnabled
Value Type: Boolean (REG_DWORD)
Value Data: 1
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Default search provider\
Policy Name: Enable the default search provider
Policy State: Enabled
Policy Value: N/A
Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If DefaultSearchProviderEnabled is displayed under the Policy Name column and it is set to true under the Policy Value column, then this is not a finding.
Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the DefaultSearchProviderEnabled value name does not exist or its value data is not set to 1, then this is a finding.

DTBC0010 - Disable cleartext passwords in Password Manager
DTBC-0010: Use of cleartext passwords in the Password Manager must be disabled
Vulnerability Discussion: Controls whether the user may show passwords in clear text in the password manager. If you disable this setting, the password manager does not allow showing stored passwords in clear text in the password manager window. If you enable or do not set this policy, users can view their passwords in clear text in the password manager.
Documentable: false
Responsibility: System Administrator
Valid for Chrome Browser version 8 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\
Value Name: PasswordManagerAllowShowPasswords
Value Type: Boolean (REG_DWORD)
Value Data: 0
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Password manager\
Policy Name: Allow users to show passwords in Password Manager
Policy State: Disabled
Policy Value: N/A
Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If PasswordManagerAllowShowPasswords is displayed under the Policy Name column and it is set to false under the Policy Value column, then this is not a finding.
Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the PasswordManagerAllowShowPasswords value name does not exist or its value data is not set to 0, then this is a finding.

DTBC0011 - Disable the Password Manager
DTBC-0011: The Password Manager must be disabled
Vulnerability Discussion: Enables saving passwords and using saved passwords in Google Chrome. If you enable this setting, users can have Google Chrome memorize passwords and provide them automatically the next time they log in to a site. If you disable this setting, users are not able to save passwords or use already saved passwords. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, this will be enabled but the user will be able to change it.
Documentable: false
Responsibility: System Administrator
Valid for Chrome Browser version 8 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\
Value Name: PasswordManagerEnabled
Value Type: Boolean (REG_DWORD)
Value Data: 0
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Password Manager\
Policy Name: Enable the password manager
Policy State: Disabled
Policy Value: N/A
Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If PasswordManagerEnabled is displayed under the Policy Name column and it is set to false under the Policy Value column, then this is not a finding.
Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the PasswordManagerEnabled value name does not exist or its value data is not set to 0, then this is a finding.

DTBC0012 - Set HTTP Authentication to negotiate
DTBC-0012: The HTTP Authentication must be set to negotiate
Vulnerability Discussion: Specifies which HTTP Authentication schemes are supported by Google Chrome. Possible values are 'basic', 'digest', 'ntlm' and 'negotiate'. Separate multiple values with commas. If this policy is left not set, all four schemes will be used.
Documentable: false
Responsibility: System Administrator
Valid for Chrome Browser version 9 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\
Value Name: AuthSchemes
Value Type: String (REG_SZ)
Value Data: negotiate
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Policies for HTTP Authentication\
Policy Name: Supported authentication schemes
Policy State: Enabled
Policy Value: negotiate
Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If AuthSchemes is displayed under the Policy Name column and it is set to negotiate under the Policy Value column, then this is not a finding.
Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome
3. If the AuthSchemes value name does not exist or its value data is not set to negotiate, then this is a finding.

DTBC0013 - Disable running outdated plugins
DTBC-0013: The running of outdated plugins must be disabled
Vulnerability Discussion: Allows Google Chrome to run plugins that are outdated. If you enable this setting, outdated plugins are used as normal plugins. If you disable this setting, outdated plugins will not be used and users will not be asked for permission to run them. If this setting is not set, users will be asked for permission to run outdated plugins.
Documentable: false
Responsibility: System Administrator
Valid for Chrome Browser version 12 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\
Value Name: AllowOutdatedPlugins
Value Type: Boolean (REG_DWORD)
Value Data: 0
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
Policy Name: Allow running plugins that are outdated
Policy State: Disabled
Policy Value: N/A
Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If AllowOutdatedPlugins is displayed under the Policy Name column and it is set to false under the Policy Value column, then this is not a finding.
Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome
3. If the AllowOutdatedPlugins value name does not exist or its value data is not set to 0, then this is a finding.

DTBC0014 - Ask for user permission to run plugins requiring authorization
DTBC-0014: Plugins requiring authorization must ask for user permission
Vulnerability Discussion: Allows Google Chrome to run plugins that require authorization. If you enable this setting, plugins that are not outdated always run. If this setting is disabled or not set, users will be asked for permission to run plugins that require authorization. These are plugins that can compromise security.
Documentable: false
Responsibility: System Administrator
Valid for Chrome Browser version 13 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\
Value Name: AlwaysAuthorizePlugins
Value Type: Boolean (REG_DWORD)
Value Data: 0
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
Policy Name: Always runs plugins that require authorization
Policy State: Disabled
Policy Value: N/A
Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If AlwaysAuthorizePlugins is displayed under the Policy Name column and it is set to false under the Policy Value column, then this is not a finding.
Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the AlwaysAuthorizePlugins value name does not exist or its value data is not set to 0, then this is a finding.

DTBC0015 - Block third party cookies
DTBC-0015: Third party cookies must be blocked
Vulnerability Discussion: Blocks third party cookies. Enabling this setting prevents cookies from being set by web page elements that are not from the domain that is in the browser's address bar. Disabling this setting allows cookies to be set by web page elements that are not from the domain that is in the browser's address bar and prevents users from changing this setting. If this policy is left not set, third party cookies will be enabled but the user will be able to change that.
Documentable: false
Responsibility: System Administrator
Valid for Chrome Browser version 10 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\
Value Name: BlockThirdPartyCookies
Value Type: Boolean (REG_DWORD)
Value Data: 1
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
Policy Name: Block third party cookies
Policy State: Enabled
Policy Value: N/A
Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If BlockThirdPartyCookies is displayed under the Policy Name column and it is set to true under the Policy Value column, then this is not a finding.
Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the BlockThirdPartyCookies value name does not exist or its value data is not set to 1, then this is a finding.

DTBC0016 - Prevent wiping site data on closing browser
DTBC-0016: Site data must not be wiped on closing the browser
Vulnerability Discussion: This policy is an override for the "Clear cookies and other site data when I close my browser" content settings option. When set to enabled, Google Chrome will delete all locally stored data from the browser when it is shut down. If set to disabled, site data will not be cleared on exit. If this policy is left not set, Google Chrome will use the default, which is to preserve site data on shut down, and the user will be able to change this. If the "RestoreOnStartup" policy is set to restore URLs from previous sessions, this policy will not clear cookies or other data relevant to restoring the previous browsing session completely.
Documentable: false
Responsibility: System Administrator
Valid for Chrome Browser version 11 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\
Value Name: ClearSiteDataOnExit
Value Type: Boolean (REG_DWORD)
Value Data: 0
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
Policy Name: "Clear site data on browser shutdown"
Policy State: Disabled
Policy Value: N/A
Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If the policy "ClearSiteDataOnExit" is shown and is set to false, this is not a finding.
Windows:
Start regedit
Navigate to HKLM\Software\Policies\Google\Chrome\ClearSiteDataOnExit
If this key does not exist or is not set to 0 this is a finding.
DTBC0017 - Disable background processing<GroupDescription></GroupDescription>
DTBC-0017 Background processing must be disabled
<VulnDiscussion>Determines whether a Google Chrome process is started on OS login and keeps running when the last browser window is closed, allowing background apps to remain active. The background process displays an icon in the system tray and can always be closed from there. If this policy is set to True, background mode is enabled and cannot be controlled by the user in the browser settings. If this policy is set to False, background mode is disabled and cannot be controlled by the user in the browser settings. If this policy is left unset, background mode is initially disabled and can be controlled by the user in the browser settings.
</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls></IAControls>VMS Target Google Chrome 17DISA FSOVMS TargetGoogle Chrome 172343CCI-dummy
Valid for Chrome Browser version 19 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\
Value Name: BackgroundModeEnabled
Value Type: Boolean (REG_DWORD)
Value Data: 0
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
Policy Name: Continue running background apps when Google Chrome is closed
Policy State: Disabled
Policy Value: N/A
Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If BackgroundModeEnabled is displayed under the Policy Name column and it is set to false under the Policy Value column, then this is not a finding.
Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the BackgroundModeEnabled value name does not exist or its value data is not set to 0, then this is a finding.
DTBC0018 - Disable SPDY Protocol<GroupDescription></GroupDescription>
DTBC-0018 The SPDY protocol must be disabled
<VulnDiscussion>Disables use of the SPDY protocol in Google Chrome. If this policy is enabled the SPDY protocol will not be available in Google Chrome. Setting this policy to disabled will allow the usage of SPDY. If this policy is left not set, SPDY will be available.
</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls></IAControls>VMS Target Google Chrome 17DISA FSOVMS TargetGoogle Chrome 172343CCI-dummy
Valid for Chrome Browser version 8 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\
Value Name: DisableSpdy
Value Type: Boolean (REG_DWORD)
Value Data: 1
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
Policy Name: Disable SPDY protocol
Policy State: Enabled
Policy Value: N/A
Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If DisableSpdy is displayed under the Policy Name column and it is set to true under the Policy Value column, then this is not a finding.
Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the DisableSpdy value name does not exist or its value data is not set to 1, then this is a finding.
DTBC0019 - Disable 3D Graphics APIs<GroupDescription></GroupDescription>
DTBC-0019 3D Graphics APIs must be disabled
<VulnDiscussion>Disable support for 3D graphics APIs. Enabling this setting prevents web pages from accessing the graphics processing unit (GPU). Specifically, web pages can not access the WebGL API and plugins can not use the Pepper 3D API. Disabling this setting or leaving it not set potentially allows web pages to use the WebGL API and plugins to use the Pepper 3D API. The default settings of the browser may still require command line arguments to be passed in order to use these APIs.
</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls></IAControls>VMS Target Google Chrome 17DISA FSOVMS TargetGoogle Chrome 172343CCI-dummy
Valid for Chrome Browser version 9 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\
Value Name: Disable3DAPIs
Value Type: Boolean (REG_DWORD)
Value Data: 1
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
Policy Name: Disable support for 3D graphics APIs
Policy State: Enabled
Policy Value: N/A
Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If Disable3DAPIs is displayed under the Policy Name column and it is set to true under the Policy Value column, then this is not a finding.
Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the Disable3DAPIs value name does not exist or its value data is not set to 1, then this is a finding.
DTBC0020 - Disable Google Data Synchronization<GroupDescription></GroupDescription>
DTBC-0020 Google Data Synchronization must be disabled
<VulnDiscussion>Disables data synchronization in Google Chrome using Google-hosted synchronization services and prevents users from changing this setting. If you enable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set Google Sync will be available for the user to choose whether to use it or not.
</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls></IAControls>VMS Target Google Chrome 17DISA FSOVMS TargetGoogle Chrome 172343CCI-dummy
Valid for Chrome Browser version 8 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\
Value Name: SyncDisabled
Value Type: Boolean (REG_DWORD)
Value Data: 1
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
Policy Name: Disable synchronization of data with Google
Policy State: Enabled
Policy Value: N/A
Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If SyncDisabled is displayed under the Policy Name column and it is set to true under the Policy Value column, then this is not a finding.
Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the SyncDisabled value name does not exist or its value data is not set to 1, then this is a finding.
DTBC0021 - Disable URL protocol schemas<GroupDescription></GroupDescription>
DTBC-0021 The URL protocol schemas "file" and "javascript" must be disabled
<VulnDiscussion>Disables the listed protocol schemes in Google Chrome. URLs using a scheme from this list will not load and can not be navigated to. If this policy is left not set or the list is empty all schemes will be accessible in Google Chrome.
</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls></IAControls>VMS Target Google Chrome 17DISA FSOVMS TargetGoogle Chrome 172343CCI-dummy
Valid for Chrome Browser version 12 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\DisabledSchemes\
Value Name: 1
Value Type: String (REG_SZ)
Value Data: file
Key Path: HKLM\Software\Policies\Google\Chrome\DisabledSchemes\
Value Name: 2
Value Type: String (REG_SZ)
Value Data: javascript
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
Policy Name: Disable URL protocol schemes
Policy State: Enabled
Policy Value 1: file
Policy Value 2: javascript
Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If DisabledSchemes is displayed under the Policy Name column and it is set to file,javascript under the Policy Value column, then this is not a finding.
Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\DisabledSchemes
3. If the DisabledSchemes key does not exist, or the 1 value name does not exist under that key and its value data is not set to file, or the 2 value name does not exist under that key and its value data is not set to javascript, then this is a finding.
DTBC0022 - Disable AutoFill<GroupDescription></GroupDescription>
DTBC-0022 AutoFill must be disabled
<VulnDiscussion>Enables Google Chrome's AutoFill feature and allows users to auto complete web forms using previously stored information such as address or credit card information. If you disable this setting, AutoFill will be inaccessible to users. If you enable this setting or do not set a value, AutoFill will remain under the control of the user. This will allow them to configure AutoFill profiles and to switch AutoFill on or off at their own discretion.
</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls></IAControls>VMS Target Google Chrome 17DISA FSOVMS TargetGoogle Chrome 172343CCI-dummy
Valid for Chrome Browser version 8 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\
Value Name: AutoFillEnabled
Value Type: Boolean (REG_DWORD)
Value Data: 0
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
Policy Name: Enable AutoFill
Policy State: Disabled
Policy Value: N/A
Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If AutoFillEnabled is displayed under the Policy Name column and it is set to false under the Policy Value column, then this is not a finding.
Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the AutoFillEnabled value name does not exist or its value data is not set to 0, then this is a finding.
DTBC0023 - Disable Cloud print sharing<GroupDescription></GroupDescription>
DTBC-0023 Cloud print sharing must be disabled
<VulnDiscussion>Enables Google Chrome to act as a proxy between Google Cloud Print and legacy printers connected to the machine. If this setting is enabled or not configured, users can enable the cloud print proxy by authentication with their Google account. If this setting is disabled, users cannot enable the proxy, and the machine will not be allowed to share its printers with Google Cloud Print. If this policy is left not set, this will be enabled but the user will be able to change it.
</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls></IAControls>VMS Target Google Chrome 17DISA FSOVMS TargetGoogle Chrome 172343CCI-dummy
Valid for Chrome Browser version 17 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\
Value Name: CloudPrintProxyEnabled
Value Type: Boolean (REG_DWORD)
Value Data: 0
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
Policy Name: Enable Google Cloud Print proxy
Policy State: Disabled
Policy Value: N/A
Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If CloudPrintProxyEnabled is displayed under the Policy Name column and it is set to false under the Policy Value column, then this is not a finding.
Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the CloudPrintProxyEnabled value name does not exist or its value data is not set to 0, then this is a finding.
DTBC0024 - Disable Google Chrome Instant<GroupDescription></GroupDescription>
DTBC-0024 Google Chrome Instant must be disabled
<VulnDiscussion>Enables Google Chrome's Instant feature and prevents users from changing this setting. If you enable this setting, Google Chrome Instant is enabled. If you disable this setting, Google Chrome Instant is disabled. If you enable or disable this setting, users cannot change or override this setting. If this setting is left not set the user can decide to use this function or not.
</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls></IAControls>VMS Target Google Chrome 17DISA FSOVMS TargetGoogle Chrome 172343CCI-dummy
Valid for Chrome Browser version 8 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\
Value Name: SyncDisabled
Value Type: Boolean (REG_DWORD)
Value Data: 1
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
Policy Name: Disable synchronization of data with Google
Policy State: Enabled
Policy Value: N/A
Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If SyncDisabled is displayed under the Policy Name column and it is set to true under the Policy Value column, then this is not a finding.
Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the SyncDisabled value name does not exist or its value data is not set to 1, then this is a finding.
DTBC0025 - Disable network prediction<GroupDescription></GroupDescription>
DTBC-0025 Network prediction must be disabled
<VulnDiscussion>Enables network prediction in Google Chrome and prevents users from changing this setting. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, this will be enabled but the user will be able to change it.
</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls></IAControls>VMS Target Google Chrome 17DISA FSOVMS TargetGoogle Chrome 172343CCI-dummy
Valid for Chrome Browser version 8 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\
Value Name: DnsPrefetchingEnabled
Value Type: Boolean (REG_DWORD)
Value Data: 0
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
Policy Name: Enable network prediction
Policy State: Disabled
Policy Value: N/A
Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If DnsPrefetchingEnabled is displayed under the Policy Name column and it is set to false under the Policy Value column, then this is not a finding.
Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the DnsPrefetchingEnabled value name does not exist or its value data is not set to 0, then this is a finding.
DTBC0026 - Disable metrics reporting to Google<GroupDescription></GroupDescription>
DTBC-0026 Metrics reporting to Google must be disabled
<VulnDiscussion>Enables anonymous reporting of usage and crash-related data about Google Chrome to Google and prevents users from changing this setting. If you enable this setting, anonymous reporting of usage and crash-related data is sent to Google. If you disable this setting, anonymous reporting of usage and crash-related data is never sent to Google. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set the setting will be what the user chose upon installation / first run.
</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls></IAControls>VMS Target Google Chrome 17DISA FSOVMS TargetGoogle Chrome 172343CCI-dummy
Valid for Chrome Browser version 8 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\
Value Name: MetricsReportingEnabled
Value Type: Boolean (REG_DWORD)
Value Data: 0
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
Policy Name: Enable reporting of usage and crash-related data
Policy State: Disabled
Policy Value: N/A
Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If MetricsReportingEnabled is displayed under the Policy Name column and it is set to false under the Policy Value column, then this is not a finding.
Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the MetricsReportingEnabled value name does not exist or its value data is not set to 0, then this is a finding.
DTBC0027 - Disable search suggestion<GroupDescription></GroupDescription>
DTBC-0027 Search suggestions must be enabled
<VulnDiscussion>Enables search suggestions in Google Chrome's Omnibox and prevents users from changing this setting. If you enable this setting, search suggestions are used. If you disable this setting, search suggestions are never used. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, this will be enabled but the user will be able to change it.
</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls></IAControls>VMS Target Google Chrome 17DISA FSOVMS TargetGoogle Chrome 172343CCI-dummy
Valid for Chrome Browser version 8 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\
Value Name: SearchSuggestEnabled
Value Type: Boolean (REG_DWORD)
Value Data: 0
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
Policy Name: Enable search suggestions
Policy State: Disabled
Policy Value: N/A
Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If SearchSuggestEnabled is displayed under the Policy Name column and it is set to false under the Policy Value column, then this is not a finding.
Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the SearchSuggestEnabled value name does not exist or its value data is not set to 0, then this is a finding.
DTBC0028 - Disable submitting documents to Google Print Cloud<GroupDescription></GroupDescription>
DTBC-0028 Submitting documents to Google Print Cloud must be disabled
<VulnDiscussion>Enables Google Chrome to submit documents to Google Cloud Print for printing. NOTE: This only affects Google Cloud Print support in Google Chrome. It does not prevent users from submitting print jobs on web sites. If this setting is enabled or not configured, users can print to Google Cloud Print from the Google Chrome print dialog. If this setting is disabled, users cannot print to Google Cloud Print from the Google Chrome print dialog.
</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls></IAControls>VMS Target Google Chrome 17DISA FSOVMS TargetGoogle Chrome 172343CCI-dummy
Valid for Chrome Browser version 11 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\
Value Name: InstantEnabled
Value Type: Boolean (REG_DWORD)
Value Data: 0
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
Policy Name: Enable Instant
Policy State: Disabled
Policy Value: N/A
Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If InstantEnabled is displayed under the Policy Name column and it is set to false under the Policy Value column, then this is not a finding.
Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the InstantEnabled value name does not exist or its value data is not set to 0, then this is a finding.
DTBC0029 - Disable import of saved passwords<GroupDescription></GroupDescription>
DTBC-0029 Importing of saved passwords must be disabled
<VulnDiscussion>This policy forces the saved passwords to be imported from the previous default browser if enabled. If enabled, this policy also affects the import dialog. If disabled, the saved passwords are not imported. If it is not set, the user may be asked whether to import, or importing may happen automatically.
</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls></IAControls>VMS Target Google Chrome 17DISA FSOVMS TargetGoogle Chrome 172343CCI-dummy
Valid for Chrome Browser version 15 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\
Value Name: ImportSavedPasswords
Value Type: Boolean (REG_DWORD)
Value Data: 0
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
Policy Name: Import saved passwords from default browser on first run
Policy State: Disabled
Policy Value: N/A
Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If ImportSavedPasswords is displayed under the Policy Name column and it is set to false under the Policy Value column, then this is not a finding.
Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the ImportSavedPasswords value name does not exist or its value data is not set to 0, then this is a finding.
DTBC0030 - Disable incognito mode<GroupDescription></GroupDescription>
DTBC-0030 Incognito mode must be disabled
<VulnDiscussion>Specifies whether the user may open pages in Incognito mode in Google Chrome. If 'Enabled' is selected or the policy is left unset, pages may be opened in Incognito mode. If 'Disabled' is selected, pages may not be opened in Incognito mode. If 'Forced' is selected, pages may be opened ONLY in Incognito mode.
0 = Incognito mode available.
1 = Incognito mode disabled.
2 = Incognito mode forced.
</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls></IAControls>VMS Target Google Chrome 17DISA FSOVMS TargetGoogle Chrome 172343CCI-dummy
Valid for Chrome Browser version 14 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\
Value Name: IncognitoModeAvailability
Value Type: Integer (REG_DWORD)
Value Data: 1
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
Policy Name: Incognito mode availability
Policy State: Enabled
Policy Value: Incognito mode disabled
Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If IncognitoModeAvailability is displayed under the Policy Name column and it is set to 1 under the Policy Value column, then this is not a finding.
Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the IncognitoModeAvailability value name does not exist or its value data is not set to 1, then this is a finding.
DTBC0031 - Disable web store ads<GroupDescription></GroupDescription>
DTBC-0031 Web store ads must be disabled
<VulnDiscussion>When set to True, promotions for Chrome Web Store apps will not appear on the new tab page. Setting this option to False or leaving it not set will make the promotions for Chrome Web Store apps appear on the new tab page.
</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls></IAControls>VMS Target Google Chrome 17DISA FSOVMS TargetGoogle Chrome 172343CCI-dummy
Valid for Chrome Browser version 15 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\
Value Name: HideWebStorePromo
Value Type: Boolean (REG_DWORD)
Value Data: 1
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
Policy Name: Prevent app promotions from appearing on the new tab page
Policy State: Enabled
Policy Value: N/A
Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If HideWebStorePromo is displayed under the Policy Name column and it is set to true under the Policy Value column, then this is not a finding.
Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the HideWebStorePromo value name does not exist or its value data is not set to 1, then this is a finding.
DTBC0032 - Set Chrome cache location<GroupDescription></GroupDescription>
DTBC-0032 The Chrome cache location must be set
<VulnDiscussion>Configures the directory that Google Chrome will use for storing cached files on the disk. If you set this policy, Google Chrome will use the provided directory regardless of whether the user has specified the '--disk-cache-dir' flag or not. If this policy is left not set the default cache directory will be used and the user will be able to override it with the '--disk-cache-dir' command line flag.
</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls></IAControls>VMS Target Google Chrome 17DISA FSOVMS TargetGoogle Chrome 172343CCI-dummy
Valid for Chrome Browser version 13 or later.
Windows Registry:
Registry Path: HKLM\Software\Policies\Google\Chrome\
Registry Key: DiskCacheDir
Key Type: String (REG_SZ)
Set the value of the registry key to "${local_app_data}\Chrome\Cache"
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
Policy Name: "Set disk cache directory"
Policy State: Enabled
Policy Value: "${local_app_data}\Chrome\Cache"
Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If the policy "DiskCacheDir" is shown and is set to "${local_app_data}\Chrome\Cache", this is not a finding.
Windows:
Start regedit
Navigate to HKLM\Software\Policies\Google\Chrome\DiskCacheDir
If this key does not exist or is not set to "${local_app_data}\Chrome\Cache" this is a finding.
DTBC0033 - Set the user data location<GroupDescription></GroupDescription>
DTBC-0033 The user data location must be set
<VulnDiscussion>Configures the directory that Google Chrome will use for storing user data. If you set this policy, Google Chrome will use the provided directory regardless of whether the user has specified the '--user-data-dir' flag or not. If this policy is left not set the default profile path will be used and the user will be able to override it with the '--user-data-dir' command line flag.
</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls></IAControls>VMS Target Google Chrome 17DISA FSOVMS TargetGoogle Chrome 172343CCI-dummy
Valid for Chrome Browser version 11 or later.
Windows Registry:
Registry Path: HKLM\Software\Policies\Google\Chrome\
Registry Key: UserDataDir
Key Type: String (REG_SZ)
Set the value of the registry key to "${roaming_app_data}\Chrome\Data"
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
Policy Name: "Set user data directory"
Policy State: Enabled
Policy Value: "${roaming_app_data}\Chrome\Data"
Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If the policy "UserDataDir" is shown and is set to "${roaming_app_data}\Chrome\Data", this is not a finding.
Windows:
Start regedit
Navigate to HKLM\Software\Policies\Google\Chrome\UserDataDir
If this key does not exist or is not set to "${roaming_app_data}\Chrome\Data" this is a finding.
DTBC0034 - Disable plugins by default<GroupDescription></GroupDescription>
DTBC-0034 Plugins must be disabled by default
<VulnDiscussion>Specifies a list of plugins that are disabled in Google Chrome and prevents users from changing this setting. The wildcard characters '*' and '?' can be used to match sequences of arbitrary characters. '*' matches an arbitrary number of characters while '?' specifies an optional single character, i.e. matches zero or one characters. The escape character is '\', so to match actual '*', '?', or '\' characters, you can put a '\' in front of them. If you enable this setting, the specified list of plugins is never used in Google Chrome. The plugins are marked as disabled in 'about:plugins' and users cannot enable them. Note that this policy can be overridden by EnabledPlugins and DisabledPluginsExceptions. If this policy is left not set the user can use any plugin installed on the system except for hard-coded incompatible, outdated or dangerous plugins.
</VulnDiscussion><Documentable>false</Documentable><Responsibility>System Administrator</Responsibility>
Valid for Chrome Browser version 8 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\DisabledPlugins
Value Name: 1
Value Type: String (REG_SZ)
Value Data: *
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
Policy Name: Specify a list of disabled plugins
Policy State: Enabled
Policy Value: *
Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If DisabledPlugins is displayed under the Policy Name column and it is set to * under the Policy Value column, then this is not a finding.
Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\DisabledPlugins
3. If the DisabledPlugins key does not exist, or the 1 value name does not exist under that key and the value data is not set to * then this is a finding.
DTBC0035 - Enable approved plugins<GroupDescription></GroupDescription>
DTBC-0035
Plugins approved for use must be enabled
<VulnDiscussion>Specifies a list of plugins that are enabled in Google Chrome and prevents users from changing this setting. The wildcard characters '*' and '?' can be used to match sequences of arbitrary characters. '*' matches an arbitrary number of characters while '?' specifies an optional single character, i.e. matches zero or one characters. The escape character is '\', so to match actual '*', '?', or '\' characters, you can put a '\' in front of them. The specified list of plugins is always used in Google Chrome if they are installed. The plugins are marked as enabled in 'about:plugins' and users cannot disable them. Note that this policy overrides both DisabledPlugins and DisabledPluginsExceptions. If this policy is left not set the user can disable any plugin installed on the system.
</VulnDiscussion><Documentable>false</Documentable><Responsibility>System Administrator</Responsibility>
Valid for Chrome Browser version 11 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\EnabledPlugins
Value Name: 1
Value Type: String (REG_SZ)
Value Data: Java*
Key Path: HKLM\Software\Policies\Google\Chrome\EnabledPlugins
Value Name: 2
Value Type: String (REG_SZ)
Value Data: Shockwave Flash
Key Path: HKLM\Software\Policies\Google\Chrome\EnabledPlugins
Value Name: 3
Value Type: String (REG_SZ)
Value Data: Chrome PDF Viewer
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
Policy Name: Specify a list of enabled plugins
Policy State: Enabled
Policy Value 1: Java*
Policy Value 2: Shockwave Flash
Policy Value 3: Chrome PDF Viewer
Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If EnabledPlugins is displayed under the Policy Name column and it is set to Java*,Shockwave Flash,Chrome PDF Viewer under the Policy Value column, then this is not a finding.
Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\EnabledPlugins
3. If the EnabledPlugins key does not exist and the 1 value name data is not set to Java*, the 2 value name data is not set to Shockwave Flash, and the 3 value name is not set to Chrome PDF Viewer then this is a finding.
DTBC0036 - Disable automated search and installation of missing plugins<GroupDescription></GroupDescription>
DTBC-0036
Automated installation of missing plugins must be disabled
<VulnDiscussion>If you set this setting to enabled, the automatic search and installation of missing plugins will be disabled in Google Chrome. If this option is set to disabled or left not set, the plugin finder will be active.
</VulnDiscussion><Documentable>false</Documentable><Responsibility>System Administrator</Responsibility>
Valid for Chrome Browser version 11 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\
Value Name: DisablePluginFinder
Value Type: Boolean (REG_DWORD)
Value Data: 1
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
Policy Name: Specify whether the plugin finder should be disabled
Policy State: Enabled
Policy Value: N/A
Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If DisablePluginFinder is displayed under the Policy Name column and it is set to true under the Policy Value column, then this is not a finding.
Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the DisablePluginFinder value name does not exist or its value data is not set to 1, then this is a finding.
DTBC0037 - Enable online revocation checks<GroupDescription></GroupDescription>
DTBC-0037
Online revocation checks must be done
<VulnDiscussion>In light of the fact that soft-fail, online revocation checks provide no effective security benefit, they are disabled by default in Google Chrome version 19 and later. By setting this policy to true, the previous behaviour is restored and online OCSP/CRL checks will be performed. If the policy is not set, or is set to false, then Chrome will not perform online revocation checks in Chrome 19 and later.
</VulnDiscussion><Documentable>false</Documentable><Responsibility>System Administrator</Responsibility>
Valid for Chrome Browser version 19 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\
Value Name: EnableOnlineRevocationChecks
Value Type: Boolean (REG_DWORD)
Value Data: 1
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
Policy Name: Whether online OCSP/CRL checks are performed
Policy State: Enabled
Policy Value: N/A
Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If EnableOnlineRevocationChecks is displayed under the Policy Name column and it is set to true under the Policy Value column, then this is not a finding.
Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the EnableOnlineRevocationChecks value name does not exist or its value data is not set to 1, then this is a finding.
DTBC0038 - Enable Safe Browsing<GroupDescription></GroupDescription>
DTBC-0038
Safe Browsing must be enabled
<VulnDiscussion>Enables Google Chrome's Safe Browsing feature and prevents users from changing this setting. If you enable this setting, Safe Browsing is always active. If you disable this setting, Safe Browsing is never active. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, this will be enabled but the user will be able to change it.
</VulnDiscussion><Documentable>false</Documentable><Responsibility>System Administrator</Responsibility>
Valid for Chrome Browser version 14 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\
Value Name: SafeBrowsingEnabled
Value Type: Boolean (REG_DWORD)
Value Data: 1
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
Policy Name: Enable Safe Browsing
Policy State: Enabled
Policy Value: N/A
Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If SafeBrowsingEnabled is displayed under the Policy Name column and it is set to true under the Policy Value column, then this is not a finding.
Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the SafeBrowsingEnabled value name does not exist or its value data is not set to 1, then this is a finding.
DTBC0039 - Force saving of browsing history<GroupDescription></GroupDescription>
DTBC-0039
Browser history must be saved
<VulnDiscussion>Disables saving browser history in Google Chrome and prevents users from changing this setting. If this setting is enabled, browsing history is not saved. If this setting is disabled or not set, browsing history is saved.
</VulnDiscussion><Documentable>false</Documentable><Responsibility>System Administrator</Responsibility>
Valid for Chrome Browser version 8 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\
Value Name: SavingBrowserHistoryDisabled
Value Type: Boolean (REG_DWORD)
Value Data: 0
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
Policy Name: Disable saving browser history
Policy State: Disabled
Policy Value: N/A
Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If SavingBrowserHistoryDisabled is displayed under the Policy Name column and it is set to false under the Policy Value column, then this is not a finding.
Windows:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the SavingBrowserHistoryDisabled value name does not exist or its value data is not set to 0, then this is a finding.
DTBC0040 - Set default behavior to block plugin usage<GroupDescription></GroupDescription>
DTBC-0040
Default behavior must block plugin usage
<VulnDiscussion>Allows you to set whether websites are allowed to automatically run plugins. Automatically running plugins can be either allowed for all websites or denied for all websites. If this policy is left not set, 'AllowPlugins' will be used and the user will be able to change it.
1 = Allow all sites to automatically run plugins
2 = Block all plugins
</VulnDiscussion><Documentable>false</Documentable><Responsibility>System Administrator</Responsibility>
Valid for Chrome Browser version 10 or later.
Windows Registry:
Registry Path: HKLM\Software\Policies\Google\Chrome\
Registry Key: DefaultPluginsSetting
Key Type: Integer (REG_DWORD)
Set the value of the registry key to 2
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings\
Policy Name: "Default plugins setting"
Policy State: Enabled
Policy Value: "Block all plugins"
Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If the policy "DefaultPluginsSetting" is shown and is set to "Block all plugins", this is not a finding.
Windows:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\DefaultPluginsSetting
3. If this key does not exist or is not set to 2 this is a finding.
DTBC0041 - Disable JavaScript by default<GroupDescription></GroupDescription>
DTBC-0041
JavaScript must be disabled by default
<VulnDiscussion>Allows you to set a list of url patterns that specify sites which are not allowed to run JavaScript. If this policy is left not set the global default value will be used for all sites either from the 'DefaultJavaScriptSetting' policy if it is set, or the user's personal configuration otherwise.
</VulnDiscussion><Documentable>false</Documentable><Responsibility>System Administrator</Responsibility>
Valid for Chrome Browser version 11 or later.
Windows Registry:
Registry Path: HKLM\Software\Policies\Google\Chrome\
Registry Key: JavaScriptBlockedForUrls
Key Type: List of strings
Set the value of the registry key to "*"
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings\
Policy Name: "Block JavaScript on these sites"
Policy State: Enabled
Policy Value: "*"
If this setting is not feasible, use of the ScriptNo extension is recommended. This gives users control over blocking JavaScript by default and granting privileges to the websites they need JavaScript for.
Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If the policy "JavaScriptBlockedForUrls" is shown and is set to "*", this is not a finding.
Windows:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\JavaScriptBlockedForUrls
3. If this key does not exist or is not set to "*" this is a finding.
DTBC0042 - Enable JavaScript for approved domains<GroupDescription></GroupDescription>
DTBC-0042
JavaScript must be enabled for approved domains
<VulnDiscussion>Allows you to set a list of url patterns that specify sites which are allowed to run JavaScript. If this policy is left not set the global default value will be used for all sites either from the 'DefaultJavaScriptSetting' policy if it is set, or the user's personal configuration otherwise.
</VulnDiscussion><Documentable>false</Documentable><Responsibility>System Administrator</Responsibility>
Valid for Chrome Browser version 11 or later.
Windows Registry:
Registry Path: HKLM\Software\Policies\Google\Chrome\
Registry Key: JavaScriptAllowedForUrls
Key Type: List of strings
Set the value of the registry key to "[*.]gov", "[*.]mil", "[*.]google.com", and "[*.]microsoft.com"
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings\
Policy Name: "Allow JavaScript on these sites"
Policy State: Enabled
Policy Value: "[*.]gov", "[*.]mil", "[*.]google.com", and "[*.]microsoft.com"
Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If the policy "JavaScriptAllowedForUrls" is shown and is set to "[*.]gov", "[*.]mil", "[*.]google.com", and "[*.]microsoft.com", this is not a finding.
Windows:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\JavaScriptAllowedForUrls
3. If this key does not exist or is not set to "[*.]gov", "[*.]mil", "[*.]google.com", and "[*.]microsoft.com" this is a finding.
DTBC0043 - Disable plugin usage by default<GroupDescription></GroupDescription>
DTBC-0043
Plugin usage must be disabled by default
<VulnDiscussion>Allows you to set a list of url patterns that specify sites which are not allowed to run plugins. If this policy is left not set the global default value will be used for all sites either from the 'DefaultPluginsSetting' policy if it is set, or the user's personal configuration otherwise.
</VulnDiscussion><Documentable>false</Documentable><Responsibility>System Administrator</Responsibility>
Valid for Chrome Browser version 11 or later.
Windows Registry:
Registry Path: HKLM\Software\Policies\Google\Chrome\
Registry Key: PluginsBlockedForUrls
Key Type: List of strings
Set the value of the registry key to "*"
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings\
Policy Name: "Block plugins on these sites"
Policy State: Enabled
Policy Value: "*"
Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If the policy "PluginsBlockedForUrls" is shown and is set to "*", this is not a finding.
Windows:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\PluginsBlockedForUrls
3. If this key does not exist or is not set to "*" this is a finding.
DTBC0044 - Enable plugin usage on approved sites<GroupDescription></GroupDescription>
DTBC-0044
Sites that are approved to use approved plugins must be whitelisted
<VulnDiscussion>Allows you to set a list of url patterns that specify sites which are allowed to run plugins. If this policy is left not set the global default value will be used for all sites either from the 'DefaultPluginsSetting' policy if it is set, or the user's personal configuration otherwise.
</VulnDiscussion><Documentable>false</Documentable><Responsibility>System Administrator</Responsibility>
Valid for Chrome Browser version 11 or later.
Windows Registry:
Registry Path: HKLM\Software\Policies\Google\Chrome\
Registry Key: PluginsAllowedForUrls
Key Type: List of strings
Set the value of the registry key to "[*.]gov", "[*.]mil", and "[*.]microsoft.com"
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings\
Policy Name: "Allow plugins on these sites"
Policy State: Enabled
Policy Value: "[*.]gov", "[*.]mil", and "[*.]microsoft.com"
Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If the policy "PluginsAllowedForUrls" is shown and is set to "[*.]gov", "[*.]mil", and "[*.]microsoft.com", this is not a finding.
Windows:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\PluginsAllowedForUrls
3. If this key does not exist or is not set to "[*.]gov", "[*.]mil", and "[*.]microsoft.com" this is a finding.
DTBC0045 - Disable per session cookies<GroupDescription></GroupDescription>
DTBC-0045
Session only based cookies must be disabled
<VulnDiscussion>Allows you to set a list of url patterns that specify sites which are allowed to set session only cookies. If this policy is left not set the global default value will be used for all sites either from the 'DefaultCookiesSetting' policy if it is set, or the user's personal configuration otherwise. If the "RestoreOnStartup" policy is set to restore URLs from previous sessions this policy will not be respected and cookies will be stored permanently for those sites.
</VulnDiscussion><Documentable>false</Documentable><Responsibility>System Administrator</Responsibility>
Valid for Chrome Browser version 11 or later.
Windows registry:
Key Path: HKLM\Software\Policies\Google\Chrome\
Value Name: CookiesSessionOnlyForUrls
Value Type: List of strings
Value Data: null
Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
Policy Name: Allow session only cookies on these sites
Policy State: Disabled
Policy Value: N/A
Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If the policy "ProxyMode" is shown and is set to "system", this is not a finding.
Windows:
Start regedit
Navigate to HKLM\Software\Policies\Google\Chrome\ProxyMode
If this key does not exist or is not set to "system" this is a finding.
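An added example (not DISA's or Google's tooling): the Windows registry checks for DTBC0034 and DTBC0036 through DTBC0040 above, applied to the text of a `reg export` file instead of clicking through regedit. The sample export is constructed, the function names are hypothetical, and treating a value of the wrong type as a finding is an assumption; real exports are UTF-16 and must be decoded before parsing.

```python
import re

CHROME_KEY = r"HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome"

# Expected REG_DWORD data taken from the checks on this page: rule -> (value name, data).
EXPECTED_DWORDS = {
    "DTBC0036": ("DisablePluginFinder", 1),
    "DTBC0037": ("EnableOnlineRevocationChecks", 1),
    "DTBC0038": ("SafeBrowsingEnabled", 1),
    "DTBC0039": ("SavingBrowserHistoryDisabled", 0),
    "DTBC0040": ("DefaultPluginsSetting", 2),
}

# Constructed sample export, for illustration only.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"DisablePluginFinder"=dword:00000001
"EnableOnlineRevocationChecks"=dword:00000000
"SafeBrowsingEnabled"="1"
"DefaultPluginsSetting"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\DisabledPlugins]
"1"="*"
'''


def parse_reg(text):
    """Return {lowercased key path: {lowercased value name: int or str}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.fullmatch(r'"([^"]+)"=(.*)', line)
        if m is None or current is None:
            continue  # header, blank line, or syntax this sketch does not handle
        name, data = m.group(1).lower(), m.group(2)
        if data.lower().startswith("dword:"):
            current[name] = int(data[6:], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            # .reg strings escape backslashes and quotes with a backslash.
            current[name] = re.sub(r"\\(.)", r"\1", data[1:-1])
    return keys


def audit(reg_text):
    """Return {rule id: 'finding' | 'not a finding'} for the checks covered here."""
    keys = parse_reg(reg_text)
    values = keys.get(CHROME_KEY.lower(), {})
    results = {}
    for rule, (name, want) in EXPECTED_DWORDS.items():
        got = values.get(name.lower())
        # A missing value is a finding, and so (by assumption) is a non-DWORD one.
        ok = isinstance(got, int) and got == want
        results[rule] = "not a finding" if ok else "finding"
    plugins = keys.get((CHROME_KEY + r"\DisabledPlugins").lower(), {})
    results["DTBC0034"] = "not a finding" if plugins.get("1") == "*" else "finding"
    return results


if __name__ == "__main__":
    for rule, status in sorted(audit(SAMPLE_EXPORT).items()):
        print(rule, status)
```

In the sample, SavingBrowserHistoryDisabled is absent and is reported as a finding: the checks above require the value to exist with data 0, even though an unset policy also leaves history saving on.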