Title

AutoComplete feature for user names and passwords on forms must be disallowed. (Cat II impact)

Discussion

It is possible this feature will cache sensitive data and store it in the user's profile where it might not be protected as rigorously as required by organizational policy. This policy setting controls automatic completion of fields in forms on web pages. If you enable this setting, the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for user names and passwords on forms will be turned on. If you disable this setting, the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for user names and passwords on forms is turned off. The user also cannot opt to be prompted to save passwords. If you do not configure this setting, the user has the freedom of turning on Auto Complete for user name and passwords on forms, and the option of prompting to save passwords.

Check Content

The policy value for User Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> "Turn on the auto-complete feature for user names and passwords on forms" must be “Disabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Internet Explorer\Main Criteria: If the value FormSuggest Passwords is REG_SZ = no, this is not a finding.

Fix Text

Set the policy value for User Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> "Turn on the auto-complete feature for user names and passwords on forms" to “Disabled”.

Additional Identifiers

Rule ID: SV-40694r1_rule

Vulnerability ID: V-15581

Group Title: DTBI725 - U/N and Pwd auto-complete feature

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.