Title

AutoComplete feature for forms must be disallowed. (Cat II impact)

Discussion

This AutoComplete feature suggests possible matches when users are filling in forms. It is possible that this feature will cache sensitive data and store it in the user's profile, where it might not be protected as rigorously as required by organizational policy. If you enable this setting, the user is not presented with suggested matches when filling in forms. If you disable this setting, the user is presented with suggested possible matches when filling forms. If you do not configure this setting, the user has the freedom to turn on the auto-complete feature for forms. To display this option, the user opens the Internet Options dialog box, clicks the Contents Tab, and clicks the Settings button.

Check Content

The policy value for User Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> "Disable AutoComplete for forms" must be "Enabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Internet Explorer\Main Criteria: If the value Use FormSuggest is REG_SZ = no, this is not a finding.

Fix Text

Set the policy value for User Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> "Disable AutoComplete for forms" to "Enabled".

Additional Identifiers

Rule ID: SV-45099r1_rule

Vulnerability ID: V-15574

Group Title: DTBI690 - AutoComplete for forms

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.