
The list of domains for which Microsoft Defender SmartScreen will not trigger warnings must be whitelisted if used.


Overview

Finding ID: V-235722
Version: EDGE-00-000004
Rule ID: SV-235722r626523_rule
IA Controls: (none)
Severity: Low
Description
Configure the list of Microsoft Defender SmartScreen trusted domains. This means Microsoft Defender SmartScreen will not check for potentially malicious resources, such as phishing software and other malware, if the source URLs match these domains. The Microsoft Defender SmartScreen download protection service will not check downloads hosted on these domains. If this policy is enabled, Microsoft Defender SmartScreen trusts these domains. If the policy is disabled or not set, default Microsoft Defender SmartScreen protection is applied to all resources.
STIG: Microsoft Edge Security Technical Implementation Guide
Date: 2021-02-16

Details

Check Text (C-38941r626362_chk)
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/SmartScreen settings/Configure the list of domains for which Microsoft Defender SmartScreen won't trigger warnings" may be set to "allow" for whitelisted domains.

Use the Windows Registry Editor to navigate to the following key:
HKLM\SOFTWARE\Policies\Microsoft\Edge

SmartScreenAllowListDomains may be set as follows:
HKLM\SOFTWARE\Policies\Microsoft\Edge\SmartScreenAllowListDomains\1 = mydomain.com
HKLM\SOFTWARE\Policies\Microsoft\Edge\SmartScreenAllowListDomains\2 = myagency.mil

Configuring "SmartScreenAllowListDomains" is optional; it is not required.

If configured, the list of domains for which Microsoft Defender SmartScreen will not trigger warnings must be whitelisted; otherwise this is a finding.

If this machine is on SIPRNet, this is Not Applicable.
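
One way to automate this check in PowerShell (an added example, not part of the STIG): it reads the values under the key above and flags any domain that is not on an approved list. The function names, the exact-match comparison and the `$approved` list are assumptions; the list reuses the page's sample domains.

```powershell
# Added example: audits SmartScreenAllowListDomains against an approved list.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge\SmartScreenAllowListDomains'

function Get-ConfiguredDomains {
    param([string]$Path = $PolicyKey)
    # Policy absent: the setting is optional, so there is nothing to review.
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    $key = Get-Item -LiteralPath $Path
    # Values are named 1, 2, ... and each holds one domain string.
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{ Index = $name; Domain = [string]$key.GetValue($name) }
    }
}

function Test-SmartScreenAllowList {
    param(
        [object[]]$Configured,
        [string[]]$ApprovedDomains,
        [switch]$OnSIPRNet
    )
    # The check states that SIPRNet machines are Not Applicable.
    if ($OnSIPRNet) {
        return [pscustomobject]@{ Status = 'Not Applicable'; Unapproved = @() }
    }
    # Assumption: exact, case-insensitive match against the approved list.
    $approved = $ApprovedDomains | ForEach-Object { $_.Trim().ToLowerInvariant() }
    $unapproved = @($Configured | Where-Object {
        $_ -and ($approved -notcontains $_.Domain.Trim().ToLowerInvariant())
    })
    $status = if ($unapproved.Count -gt 0) { 'Finding' } else { 'Not a Finding' }
    [pscustomobject]@{ Status = $status; Unapproved = $unapproved }
}

# Assumed approved list (the page's sample domains); replace with your own.
$approved = @('mydomain.com', 'myagency.mil')

# Live check against this machine's policy key.
$result = Test-SmartScreenAllowList -Configured @(Get-ConfiguredDomains) -ApprovedDomains $approved
$result.Status
$result.Unapproved | Format-Table Index, Domain

# Constructed sample (not read from any real machine): one unapproved entry.
$sample = @([pscustomobject]@{ Index = '3'; Domain = 'example.org' })
(Test-SmartScreenAllowList -Configured $sample -ApprovedDomains $approved).Status
```
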
Fix Text (F-38904r626363_fix)
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/SmartScreen settings/Configure the list of domains for which Microsoft Defender SmartScreen won't trigger warnings" may be set to "allow" for whitelisted domains.