Check: EDGE-00-000067
Microsoft Edge STIG: EDGE-00-000067 (in version v1 r8)
Title
Session only-based cookies must be enabled. (Cat II impact)
Discussion
Cookies must only be allowed per session and only for approved URLs, because permanently stored cookies can be used for malicious intent. Approved URLs may be allowlisted via the "CookiesAllowedForUrls" or "SaveCookiesOnExit" policy settings, but doing so is not required by this check.
Check Content
Verify the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Content settings/Configure cookies" is set to "Enabled" with the option value set to "Keep cookies for the duration of the session, except ones listed in 'SaveCookiesOnExit'".

Use the Windows Registry Editor to navigate to the following key:

HKLM\SOFTWARE\Policies\Microsoft\Edge

If the value for "DefaultCookiesSetting" is not set to "REG_DWORD = 4", this is a finding.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Content settings/Configure cookies" to "Enabled" with the option value set to "Keep cookies for the duration of the session, except ones listed in 'SaveCookiesOnExit'".
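The Check Content and Fix Text above, as an added PowerShell example that is not part of the STIG: the function names, the output fields, and the assumption that the remediation runs on a standalone host (no domain GPO managing the key) are mine, and both functions must run in an elevated session to write HKLM.

```powershell
# Added example, not part of the STIG: audit EDGE-00-000067 on the local host and
# return an object whose Status is 'NotAFinding' or 'Open' with the observed value.
function Test-EdgeSessionOnlyCookies {
    [CmdletBinding()]
    param(
        # Registry key and value named in the Check Content section.
        [string]$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge',
        [string]$ValueName = 'DefaultCookiesSetting',
        [int]   $Expected  = 4   # "Keep cookies for the duration of the session"
    )
    $result = [ordered]@{ RuleId = 'SV-260467r951025_rule'; Status = 'Open'; Actual = $null; Reason = '' }

    # A missing key or value is a finding: the check requires the value to be
    # present and equal to 4, so "policy not configured" is not compliant.
    $key = Get-Item -Path $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $key -or $key.GetValueNames() -notcontains $ValueName) {
        $result.Reason = "$ValueName is not set under $KeyPath"
        return [pscustomobject]$result
    }
    $result.Actual = $key.GetValue($ValueName)
    $kind          = $key.GetValueKind($ValueName)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        # The check wording requires REG_DWORD; a REG_SZ "4" does not satisfy it.
        $result.Reason = "$ValueName exists but is $kind, not REG_DWORD"
    } elseif ($result.Actual -ne $Expected) {
        $result.Reason = "$ValueName is $($result.Actual), expected $Expected"
    } else {
        $result.Status = 'NotAFinding'
        $result.Reason = "$ValueName is REG_DWORD $Expected"
    }
    return [pscustomobject]$result
}

# Remediation for a standalone host (assumption: no domain GPO manages this key).
# On domain-joined machines apply the Fix Text through Group Policy instead, or
# the next policy refresh will overwrite whatever is written here.
function Set-EdgeSessionOnlyCookies {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge')
    if (-not (Test-Path -Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    if ($PSCmdlet.ShouldProcess($KeyPath, 'Set DefaultCookiesSetting = 4 (REG_DWORD)')) {
        Set-ItemProperty -Path $KeyPath -Name 'DefaultCookiesSetting' -Value 4 -Type DWord
    }
}

Test-EdgeSessionOnlyCookies | Format-List
```

Run `Set-EdgeSessionOnlyCookies -WhatIf` first to see the write it would perform, then re-run the test function to confirm the Status flips to NotAFinding.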
Additional Identifiers
Rule ID: SV-260467r951025_rule
Vulnerability ID: V-260467
Group Title: SRG-APP-000080
Expert Comments
CCIs
Number | Definition
---|---
CCI-000166 | The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
Controls
Number | Title
---|---
AU-10 | Non-Repudiation