3D Graphics APIs must be disabled

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-35767	DTBC-0019	SV-47054r1_rule		Medium

Description
"Disable support for 3D graphics APIs. Enabling this setting prevents web pages from accessing the graphics processing unit (GPU). Specifically, web pages can not access the WebGL API and plugins can not use the Pepper 3D API. Disabling this setting or leaving it not set potentially allows web pages to use the WebGL API and plugins to use the Pepper 3D API. The default settings of the browser may still require command line arguments to be passed in order to use these APIs." - Google Chrome Administrators Policy List Chrome uses WebGL to render graphics using the GPU. There are few sites that currently take advantage of this feature. Since there is unlikely to be an operational impact, it is recommended that this feature is turned off in order to reduce the attack surface.

Description

"Disable support for 3D graphics APIs. Enabling this setting prevents web pages from accessing the graphics processing unit (GPU). Specifically, web pages can not access the WebGL API and plugins can not use the Pepper 3D API. Disabling this setting or leaving it not set potentially allows web pages to use the WebGL API and plugins to use the Pepper 3D API. The default settings of the browser may still require command line arguments to be passed in order to use these APIs." - Google Chrome Administrators Policy List Chrome uses WebGL to render graphics using the GPU. There are few sites that currently take advantage of this feature. Since there is unlikely to be an operational impact, it is recommended that this feature is turned off in order to reduce the attack surface.

STIG	Date
Google Chrome v23 Windows STIG	2013-01-11

Details

Check Text ( C-44113r1_chk )
Universal method (Requires Chrome Browser v15 or later): 1. In the omnibox (address bar) type chrome://policy 2. If Disable3DAPIs is not displayed under the Policy Name column or it is not set to true under the Policy Value column, then this is a finding. Windows method: 1. Start regedit 2. Navigate to HKLM\Software\Policies\Google\Chrome\ 3. If the Disable3DAPIs value name does not exist or its value data is not set to 1, then this is a finding.

Check Text ( C-44113r1_chk )

Universal method (Requires Chrome Browser v15 or later):
1. In the omnibox (address bar) type chrome://policy
2. If Disable3DAPIs is not displayed under the Policy Name column or it is not set to true under the Policy Value column, then this is a finding.

Windows method:
1. Start regedit
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. If the Disable3DAPIs value name does not exist or its value data is not set to 1, then this is a finding.

Fix Text (F-40313r1_fix)
Valid for Chrome Browser version 9 or later. Windows registry: Key Path: HKLM\Software\Policies\Google\Chrome\ Value Name: Disable3DAPIs Value Type: Boolean (REG_DWORD) Value Data: 1 Windows group policy: Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ Policy Name: Disable support for 3D graphics APIs Policy State: Enabled Policy Value: N/A