| Finding ID |
Severity |
Title |
Description |
|
V-245539
|
Medium |
Session only based cookies must be enabled. |
Cookies must only be allowed per session and only for approved URLs as permanently stored cookies can be used for malicious intent.
Approved URLs may be allowlisted via the CookiesAllowedForUrls policy setting, but is not a requirement. |
|
V-245538
|
Medium |
Use of the QUIC protocol must be disabled. |
QUIC is used by more than half of all connections from the Chrome web browser to Google's servers, and this activity is undesirable in the DoD.
Setting the policy to Enabled or leaving it unset allows the use of QUIC protocol in Google Chrome.
Setting the policy to Disabled disallows... |
|
V-241787
|
Medium |
Web Bluetooth API must be disabled. |
Setting the policy to 3 lets websites ask for access to nearby Bluetooth devices. Setting the policy to 2 denies access to nearby Bluetooth devices.
Leaving the policy unset lets sites ask for access, but users can change this setting.
2 = Do not allow any site to request access... |
|
V-226404
|
Medium |
Import AutoFill form data must be disabled. |
This policy forces the autofill form data to be imported from the previous default browser if enabled. If enabled, this policy also affects the import dialog.
If disabled, the autofill form data is not imported.
If it is not set, the user may be asked whether to import, or importing... |
|
V-226403
|
Medium |
AutoFill for addresses must be disabled. |
Enabling Google Chrome's AutoFill feature allows users to auto complete address information in web forms using previously stored information.
If this setting is disabled, Autofill will never suggest or fill address information, nor will it save additional address information that the user might submit while browsing the web.
If this... |
|
V-226402
|
Medium |
AutoFill for credit cards must be disabled. |
Enabling Google Chrome's AutoFill feature allows users to auto complete credit card information in web forms using previously stored information.
If this setting is disabled, Autofill will never suggest or fill credit card information, nor will it save additional credit card information that the user might submit while browsing the... |
|
V-226401
|
Medium |
Guest Mode must be disabled. |
If this policy is set to true or not configured, Google Chrome will enable guest logins. Guest logins are Google Chrome profiles where all windows are in incognito mode.
If this policy is set to false, Google Chrome will not allow guest profiles to be started. |
|
V-221598
|
Medium |
Collection of WebRTC event logs must be disabled. |
If the policy is set to “true”, Google Chrome is allowed to collect WebRTC event logs from Google services (e.g., Google Meet), and upload those logs to Google.
If the policy is set to “false”, or is unset, Google Chrome may not collect nor upload such logs.
These logs contain... |
|
V-221597
|
Medium |
Anonymized data collection must be disabled. |
Enable URL-keyed anonymized data collection in Google Chrome and prevent users from changing this setting.
URL-keyed anonymized data collection sends URLs of pages the user visits to Google to make searches and browsing better.
If you enable this policy, URL-keyed anonymized data collection is always active.
If you disable this... |
|
V-221596
|
Medium |
URLs must be allowlisted for Autoplay use. |
Controls the allowlist of URL patterns that autoplay will always be enabled on. If the "AutoplayAllowed" policy is set to "True" then this policy will have no effect. If the "AutoplayAllowed" policy is set to "False", then any URL patterns set in this policy will still be allowed to play. |
|
V-221595
|
Medium |
Autoplay must be disabled. |
This allows a user to control if videos can play automatically with audio content (without user consent) in Google Chrome.
If the policy is set to "True", Google Chrome is allowed to autoplay media. If the policy is set to "False", Google Chrome is not allowed to autoplay media. The... |
|
V-221594
|
Medium |
Google Cast must be disabled. |
If this policy is set to ”True” or is not set, Google Cast will be enabled, and users will be able to launch it from the app menu, page context menus, media controls on Cast-enabled websites, and (if shown) the “Cast toolbar” icon.
If this policy set to ”False”, Google... |
|
V-221593
|
Medium |
Chrome Cleanup reporting must be disabled. |
If unset, should Chrome Cleanup detect unwanted software, it may report metadata about the scan to Google in accordance with policy set by “SafeBrowsingExtendedReportingEnabled”. Chrome Cleanup will then ask the user if they wish to clean up the unwanted software. The user can choose to share results of the cleanup... |
|
V-221592
|
Medium |
Chrome Cleanup must be disabled. |
If set to "False", prevents Chrome Cleanup from scanning the system for unwanted software and performing cleanups. Manually triggering Chrome Cleanup from chrome://settings/cleanup is disabled.
If set to "True" or unset, Chrome Cleanup periodically scans the system for unwanted software and should any be found, will ask the user if... |
|
V-221591
|
Medium |
WebUSB must be disabled. |
Allows you to set whether websites are allowed to get access to connected USB devices. Access can be completely blocked, or the user can be asked every time a website wants to get access to connected USB devices.
If this policy is left not set, ”3” will be used, and... |
|
V-221590
|
Medium |
Safe Browsing Extended Reporting must be disabled. |
Enables Google Chrome's Safe Browsing Extended Reporting and prevents users from changing this setting. Extended Reporting sends some system information and page content to Google servers to help detect dangerous apps and sites.
If the setting is set to "True", then reports will be created and sent whenever necessary (such... |
|
V-221588
|
Medium |
Download restrictions must be configured. |
Configure the type of downloads that Google Chrome will completely block, without letting users override the security decision. If you set this policy, Google Chrome will prevent certain types of downloads, and will not let user bypass the security warnings. When the "Block dangerous downloads" option is chosen, all downloads... |
|
V-221587
|
Medium |
Prompt for download location must be enabled. |
If the policy is enabled, the user will be asked where to save each file before downloading. If the policy is disabled, downloads will start immediately, and the user will not be asked where to save the file. If the policy is not configured, the user will be able to... |
|
V-221586
|
Medium |
Deletion of browser history must be disabled. |
Disabling this function will prevent users from deleting their browsing history, which could be used to identify malicious websites and files that could later be used for anti-virus and Intrusion Detection System (IDS) signatures. Furthermore, preventing users from deleting browsing history could be used to identify abusive web surfing on... |
|
V-221584
|
Medium |
The version of Google Chrome running on the system must be a supported version. |
Google Chrome is being continually updated by the vendor in order to address identified security vulnerabilities. Running an older version of the browser can introduce security vulnerabilities to the system. |
|
V-221581
|
Medium |
Browser history must be saved. |
This policy disables saving browser history in Google Chrome and prevents users from changing this setting. If this setting is enabled, browsing history is not saved. If this setting is disabled or not set, browsing history is saved. |
|
V-221580
|
Medium |
Safe Browsing must be enabled. |
Allows you to control whether Google Chrome's Safe Browsing feature is enabled and the mode it operates in.
If this policy is set to 'NoProtection' (value 0), Safe Browsing is never active.
If this policy is set to 'StandardProtection' (value 1, which is the default), Safe Browsing is always active... |
|
V-221579
|
Medium |
Online revocation checks must be performed. |
By setting this policy to true, the previous behavior is restored and online OCSP/CRL checks will be performed. If the policy is not set, or is set to false, then Chrome will not perform online revocation checks. Certificates are revoked when they have been compromised or are no longer valid,... |
|
V-221578
|
Medium |
Incognito mode must be disabled. |
Incognito mode allows the user to browse the Internet without recording their browsing history/activity. From a forensics perspective, this is unacceptable. Best practice requires that browser history is retained. The "IncognitoModeAvailability" setting controls whether the user may utilize Incognito mode in Google Chrome. If 'Enabled' is selected or the policy... |
|
V-221577
|
Medium |
Importing of saved passwords must be disabled. |
Importing of saved passwords should be disabled as it could lead to unencrypted account passwords stored on the system from another browser to be viewed. This policy forces the saved passwords to be imported from the previous default browser if enabled. If enabled, this policy also affects the import dialog.... |
|
V-221576
|
Medium |
Search suggestions must be disabled. |
Search suggestion should be disabled as it could lead to searches being conducted that were never intended to be made. Enables search suggestions in Google Chrome's omnibox and prevents users from changing this setting. If you enable this setting, search suggestions are used. If you disable this setting, search suggestions... |
|
V-221575
|
Medium |
Metrics reporting to Google must be disabled. |
Enables anonymous reporting of usage and crash-related data about Google Chrome to Google and prevents users from changing this setting. If you enable this setting, anonymous reporting of usage and crash-related data is sent to Google. A crash report could contain sensitive information from the computer's memory. If you disable... |
|
V-221574
|
Medium |
Network prediction must be disabled. |
Enables network prediction in Google Chrome and prevents users from changing this setting. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, this will be disabled but the user will be able to change it. |
|
V-221573
|
Medium |
Cloud print sharing must be disabled. |
Policy enables Google Chrome to act as a proxy between Google Cloud Print and legacy printers connected to the machine. If this setting is enabled or not configured, users can enable the cloud print proxy by authentication with their Google account. If this setting is disabled, users cannot enable the... |
|
V-221572
|
Medium |
The URL protocol schema javascript must be disabled. |
Each access to a URL is handled by the browser according to the URL's "scheme". The "scheme" of a URL is the section before the ":". The term "protocol" is often mistakenly used for a "scheme". The difference is that the scheme is how the browser handles a URL and... |
|
V-221571
|
Medium |
Google Data Synchronization must be disabled. |
Disables data synchronization in Google Chrome using Google-hosted synchronization services and prevents users from changing this setting. If you enable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set the user will be able to enable Google Sync. Google Sync... |
|
V-221570
|
Medium |
Background processing must be disabled. |
Determines whether a Google Chrome process is started on OS login that keeps running when the last browser window is closed, allowing background apps to remain active. The background process displays an icon in the system tray and can always be closed from there. If this policy is set to... |
|
V-221567
|
Medium |
The Password Manager must be disabled. |
Enables saving passwords and using saved passwords in Google Chrome. Malicious sites may take advantage of this feature by using hidden fields gain access to the stored information. If you enable this setting, users can have Google Chrome memorize passwords and provide them automatically the next time they log in... |
|
V-221566
|
Medium |
Default search provider must be enabled. |
Policy enables the use of a default search provider. If you enable this setting, a default search is performed when the user types text in the omnibox that is not a URL. You can specify the default search provider to be used by setting the rest of the default search... |
|
V-221565
|
Medium |
The default search provider URL must be set to perform encrypted searches. |
Specifies the URL of the search engine used when doing a default search. The URL should contain the string '{searchTerms}', which will be replaced at query time by the terms the user is searching for. This option must be set when the 'DefaultSearchProviderEnabled' policy is enabled and will only be... |
|
V-221564
|
Medium |
The default search providers name must be set. |
Specifies the name of the default search provider that is to be used, if left empty or not set, the host name specified by the search URL will be used. This policy is only considered if the 'DefaultSearchProviderEnabled' policy is enabled. When doing internet searches it is important to use... |
|
V-221562
|
Medium |
Extensions installation must be blocklisted by default. |
Extensions are developed by third party sources and are designed to extend Google Chrome's functionality. An extension can be made by anyone, to do and access almost anything on a system; this means they pose a high risk to any system that would allow all extensions to be installed by... |
|
V-221561
|
Medium |
Sites ability to show pop-ups must be disabled. |
Chrome allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. If you enable this policy setting, most unwanted pop-up windows are prevented from appearing. If you disable this policy setting, pop-up windows are not prevented... |
|
V-221559
|
Medium |
Site tracking users location must be disabled. |
Website tracking is the practice of gathering information as to which websites were accesses by a browser. The common method of doing this is to have a website create a tracking cookie on the browser. If the information of what sites are being accessed is made available to unauthorized persons,... |
|
V-221558
|
Medium |
Firewall traversal from remote host must be disabled. |
Remote connections should never be allowed that bypass the firewall, as there is no way to verify if they can be trusted. Enables usage of STUN and relay servers when remote clients are trying to establish a connection to this machine. If this setting is enabled, then remote clients can... |
|
V-221599
|
Low |
Chrome development tools must be disabled. |
While the risk associated with browser development tools is more related to the proper design of a web application, a risk vector remains within the browser. The developer tools allow end users and application developers to view and edit all types of web application related data via the browser. Page... |
|
V-221563
|
Low |
Extensions that are approved for use must be allowlisted. |
The allowlist should only contain organizationally approved extensions. This is to prevent a user from accidently allowlisitng a malicious extension. This policy allows you to specify which extensions are not subject to the blacklist. A blacklist value of ‘*’ means all extensions are blacklisted and users can only install extensions... |