Check: DTBC-0055
Google Chrome Current Windows STIG:
DTBC-0055
(in version v2 r11)
Title
Download restrictions must be configured. (Cat II impact)
Discussion
Setting the policy means users cannot bypass download security decisions. There are many types of download warnings within Chrome, which roughly break down into these categories:
- Malicious, as flagged by the Safe Browsing server.
- Uncommon or unwanted, as flagged by the Safe Browsing server.
- A dangerous file type (e.g., all SWF downloads and many EXE downloads).
Setting the policy blocks different subsets of these, depending on its value:
0 = No special restrictions. Default.
1 = Block malicious downloads and dangerous file types.
2 = Block malicious downloads, uncommon or unwanted downloads, and dangerous file types.
3 = Block all downloads.
4 = Block malicious downloads. Recommended.
Check Content
If the system is on the SIPRNet, this requirement is Not Applicable.
Universal method:
1. In the omnibox (address bar) type "chrome://policy".
2. If "DownloadRestrictions" is not displayed under the "Policy Name" column or it is set to "0", this is a finding.
Windows method:
1. Start "regedit".
2. Navigate to "HKLM\Software\Policies\Google\Chrome\".
3. If the "DownloadRestrictions" value name does not exist or its value data is set to "0", this is a finding.
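The Windows method above can be scripted for use across many hosts. The following PowerShell is an added example, not part of the STIG: the function name, its parameters, and the "Review" status for value data outside the listed 0-4 range are assumptions of this example.

```powershell
# Added example: audits DownloadRestrictions per the DTBC-0055 Windows method.
function Test-ChromeDownloadRestrictions {
    [CmdletBinding()]
    param(
        # Registry path from the check text; parameterised so a test key can be audited.
        [string]$PolicyPath = 'HKLM:\Software\Policies\Google\Chrome',
        # Set when the host is on the SIPRNet (the check is then Not Applicable).
        [switch]$Siprnet
    )

    # Value meanings as listed in the Discussion section.
    $meaning = @{
        0 = 'No special restrictions'
        1 = 'Block malicious downloads and dangerous file types'
        2 = 'Block malicious downloads, uncommon or unwanted downloads, and dangerous file types'
        3 = 'Block all downloads'
        4 = 'Block malicious downloads'
    }
    $result = [ordered]@{
        Check = 'DTBC-0055'; Path = $PolicyPath
        Value = $null; Meaning = 'Not configured'; Status = 'Finding'
    }
    if ($Siprnet) {
        $result.Meaning = 'Not evaluated'
        $result.Status  = 'NotApplicable'
        return [pscustomobject]$result
    }

    # A missing key or missing value name both yield $null here, which is a finding.
    $prop = Get-ItemProperty -Path $PolicyPath -Name 'DownloadRestrictions' -ErrorAction SilentlyContinue
    if ($null -ne $prop) {
        $raw = $prop.DownloadRestrictions
        $result.Value = $raw
        $parsed = 0
        if ([int]::TryParse([string]$raw, [ref]$parsed) -and $meaning.ContainsKey($parsed)) {
            $result.Meaning = $meaning[$parsed]
            # Per the check text, only "0" (or absence) is a finding.
            if ($parsed -ne 0) { $result.Status = 'NotAFinding' }
        } else {
            # Assumption of this example: unlisted value data goes to manual review.
            $result.Meaning = 'Unrecognised value data'
            $result.Status  = 'Review'
        }
    }
    [pscustomobject]$result
}

Test-ChromeDownloadRestrictions | Format-List
```

A value of 3 passes the check text as written, although the fix text lists only 1, 2, or 4 as policy states.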
Fix Text
If the system is on the SIPRNet, this requirement is Not Applicable.
Windows group policy:
1. Open the group policy editor tool with gpedit.msc.
2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
   Policy Name: Allow download restrictions
   Policy State: 1, 2, or 4
   Policy Value: N/A
Additional Identifiers
Rule ID: SV-221588r1106670_rule
Vulnerability ID: V-221588
Group Title: SRG-APP-000089
CCIs
Number | Definition |
---|---|
CCI-000169 | Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2 a on organization-defined information system components. |
Controls
Number | Title |
---|---|
AU-12 | Audit Generation |