Ability for users to enable or disable add-ons must be managed.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-46809	DTBI697-IE11	SV-59675r1_rule	ECSC-1	Low

Description
Users often choose to install add-ons that are not permitted by an organization's security policy. Such add-ons can pose a significant security and privacy risk to your network. This policy setting allows you to manage whether users have the ability to allow or deny add-ons through Add-On Manager. If you enable this policy setting, users cannot enable or disable add-ons through Add-On Manager. The only exception occurs if an add-on has been specifically entered into the 'Add-On List' policy setting in such a way as to allow users to continue to manage the add-on. In this case, the user can still manage the add-on. If you disable or do not configure this policy setting, the appropriate controls in the Add-On Manager will be available to the user.

Description

Users often choose to install add-ons that are not permitted by an organization's security policy. Such add-ons can pose a significant security and privacy risk to your network. This policy setting allows you to manage whether users have the ability to allow or deny add-ons through Add-On Manager. If you enable this policy setting, users cannot enable or disable add-ons through Add-On Manager. The only exception occurs if an add-on has been specifically entered into the 'Add-On List' policy setting in such a way as to allow users to continue to manage the add-on. In this case, the user can still manage the add-on. If you disable or do not configure this policy setting, the appropriate controls in the Add-On Manager will be available to the user.

STIG	Date
Microsoft Internet Explorer 11 Security Technical Implementation Guide	2015-12-18

Details

Check Text ( C-49901r2_chk )
The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> 'Do Not Allow users to enable or disable add-ons' must be 'Disabled' or 'Not Configured'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions Criteria: If the value NoExtensionManagement does not exist , this is not a finding. If the value "NoExtensionManagement" is DWORD=1, then this is a finding.

Check Text ( C-49901r2_chk )

The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> 'Do Not Allow users to enable or disable add-ons' must be 'Disabled' or 'Not Configured'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions Criteria: If the value NoExtensionManagement does not exist , this is not a finding. If the value "NoExtensionManagement" is DWORD=1, then this is a finding.

Fix Text (F-50559r1_fix)
Set the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer-> 'Do Not Allow users to enable or disable add-ons' to 'Disabled' or 'Not Configured'.