Check: EDGE-00-000042
Microsoft Edge STIG:
EDGE-00-000042
(in versions v1 r8 through v1 r6)
Title
Extensions that are approved for use must be allowlisted if used. (Cat III impact)
Discussion
By default, all extensions are allowed. However, if all extensions are blocked by setting the "ExtensionInstallBlockList" policy to "*", users can only install extensions defined in this policy.
Check Content
This requirement for "Allow specific extensions to be installed" is not required; this is optional.
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Extensions/Allow specific extensions to be installed" must be set to "Enabled".
Use the Windows Registry Editor to navigate to the following key:
HKLM\SOFTWARE\Policies\Microsoft\Edge
"ExtensionInstallAllowlist" must be set as follows:
HKLM\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallAllowlist\1 = "extension_id1"
HKLM\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallAllowlist\2 = "extension_id2"
If configured, the list of extensions that Microsoft Edge allows to be installed may be allowlisted.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Extensions/Allow specific extensions to be installed" to "Enabled". A list of allowlisted extensions may then be specified.
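An added example, not part of the STIG text: a PowerShell audit of the check above. It reads the two policy keys named on this page and compares each allowlisted ID with `$Approved`, a hypothetical list of constructed placeholder IDs; the 32-character a-p pattern is the Chromium extension ID format.

```powershell
# Added example: audit the Edge extension allowlist against an approved set.
# $Approved holds constructed placeholder IDs; replace with the organization's list.
$Approved = @(
    'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',   # placeholder for extension_id1
    'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb'    # placeholder for extension_id2
)
$EdgeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

function Get-EdgePolicyList {
    param([Parameter(Mandatory)][string]$Name)
    $path = Join-Path $EdgeKey $Name
    if (-not (Test-Path -LiteralPath $path)) { return @() }
    $key = Get-Item -LiteralPath $path
    # List policies are stored as numbered string values: 1, 2, 3, ...
    foreach ($valueName in $key.GetValueNames()) {
        [pscustomobject]@{ Index = $valueName; Value = [string]$key.GetValue($valueName) }
    }
}

$blockList = @(Get-EdgePolicyList -Name 'ExtensionInstallBlockList')
$allowList = @(Get-EdgePolicyList -Name 'ExtensionInstallAllowlist')

# The allowlist only restricts installs when the block list contains "*".
$blockAll = $blockList.Value -contains '*'

$findings = foreach ($entry in $allowList) {
    $id = $entry.Value.Trim()
    $status = if ($id -cnotmatch '^[a-p]{32}$') {
        'Malformed ID'
    } elseif ($Approved -notcontains $id) {
        'Not on approved list'
    } else {
        'Approved'
    }
    [pscustomobject]@{ Index = $entry.Index; ExtensionId = $id; Status = $status }
}

"Block-all ('*') configured: $blockAll"
"Allowlist entries: $($allowList.Count)"
$findings | Format-Table -AutoSize

if ($allowList.Count -gt 0 -and -not $blockAll) {
    Write-Warning 'Allowlist is set but ExtensionInstallBlockList does not contain "*"; all extensions remain allowed by default.'
}
```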
Additional Identifiers
Rule ID: SV-235755r879759_rule
Vulnerability ID: V-235755
Group Title: SRG-APP-000386
CCIs
Number | Definition |
---|---|
CCI-001774 | The organization employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system. |
Controls
Number | Title |
---|---|
CM-7 (5) | Authorized Software / Whitelisting |