An error occurred:

Check: DTBI725-IE11

Microsoft Internet Explorer 11 STIG: DTBI725-IE11 (in versions v2 r5 through v1 r11)

Title

Turn on the auto-complete feature for user names and passwords on forms must be disabled. (Cat II impact)

Discussion

This policy setting controls automatic completion of fields in forms on web pages. It is possible that malware could be developed which would be able to extract the cached user names and passwords from the currently logged on user, which an attacker could then use to compromise that user's online accounts. If you enable this setting, the user cannot change the 'User name and passwords on forms' or 'prompt me to save passwords'. The Auto Complete feature for" User names and passwords on forms" will be turned on. If you disable this setting, the user cannot change the 'User name and passwords on forms' or 'prompt me to save passwords'. The Auto Complete feature for "User names and passwords on forms" is turned off. The user also cannot opt to be prompted to save passwords. If you do not configure this setting, the user has the freedom of turning on Auto Complete for "User name and passwords on forms", and the option of prompting to save passwords.

Check Content

The policy value for User Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> 'Turn on the auto-complete feature for user names and passwords on forms' must be 'Disabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Internet Explorer\Main Criteria: If the value "FormSuggest Passwords" is REG_SZ = 'no', this is not a finding. AND Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Internet Explorer\Main Criteria: If the value "FormSuggest PW Ask" is REG_SZ = 'no', this is not a finding.

Fix Text

Set the policy value for User Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> 'Turn on the auto-complete feature for user names and passwords on forms' to 'Disabled'.

Additional Identifiers

Rule ID: SV-223124r879587_rule

Vulnerability ID: V-223124

Group Title: SRG-APP-000141

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000381

The organization configures the information system to provide only essential capabilities.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
CM-7

Least Functionality