Title

Extensions that are approved for use must be allowlisted. (Cat II impact)

Discussion

By default, all extensions are allowed. However, if all extensions are blocked by setting the "ExtensionInstallBlockList" policy to "*," users can only install extensions defined in this policy.

Check Content

The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Extensions/Allow specific extensions to be installed" must be set to "Enabled". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge "ExtensionInstallAllowlist" must be set as follows: HKLM\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallAllowlist\1 = "extension_id1" HKLM\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallAllowlist\2 = "extension_id2" This requirement for "Allow specific extensions to be installed" is not required; this is optional. If configured, the list of extensions for which Microsoft Edge allows to be installed must be allowlisted; otherwise this is a finding.

Fix Text

Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Extensions/Allow specific extensions to be installed" to "Enabled". A list of allowlisted extensions may then be specified.

Additional Identifiers

Rule ID: SV-235755r766863_rule

Vulnerability ID: V-235755

Group Title: SRG-APP-000386

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.