Check: EDGE-00-000036
Microsoft Edge STIG:
EDGE-00-000036
(in versions v1 r8 through v1 r6)
Title
Download restrictions must be configured. (Cat III impact)
Discussion
Configure the type of downloads that Microsoft Edge completely blocks, without letting users override the security decision. Set "BlockDangerousDownloads" to allow all downloads except for those that carry Microsoft Defender SmartScreen warnings. Set "BlockPotentiallyDangerousDownloads" to allow all downloads except for those that carry Microsoft Defender SmartScreen warnings of potentially dangerous or unwanted downloads. Set "BlockAllDownloads" to block all downloads. If this policy is not configured or the 'DefaultDownloadSecurity' option set, downloads go through the usual security restrictions based on Microsoft Defender SmartScreen analysis results. Note that these restrictions apply to downloads from web page content, as well as the "download link..." context menu option. These restrictions do not apply to saving or downloading the currently displayed page, nor do they apply to the "Save as PDF" option from the printing options. See https://go.microsoft.com/fwlink/?linkid=2094934 for more information on Microsoft Defender SmartScreen. Policy options mapping: - DefaultDownloadSecurity (0) = No special restrictions. - BlockDangerousDownloads (1) = Block malicious downloads and dangerous file types. - BlockPotentiallyDangerousDownloads (2) = Block potentially dangerous or unwanted downloads and dangerous file types. - BlockAllDownloads (3) = Block all downloads. - BlockMaliciousDownloads (4) = Block malicious downloads.
Check Content
If this machine is on SIPRNet, this is Not Applicable. The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Allow download restrictions" must be set to "Enabled" with the option value set to "BlockDangerousDownloads" or "Block potentially dangerous or unwanted downloads". The more restrictive option, "Block all downloads" is also acceptable. Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for "DownloadRestrictions" is set to "REG_DWORD = 0", or "REG_DWORD = 4", this is a finding.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Allow download restrictions" to "Enabled" and select "BlockDangerousDownloads" or "Block potentially dangerous or unwanted downloads".
Additional Identifiers
Rule ID: SV-235752r879587_rule
Vulnerability ID: V-235752
Group Title: SRG-APP-000141
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000381 |
The organization configures the information system to provide only essential capabilities. |
Controls
Number | Title |
---|---|
CM-7 |
Least Functionality |