Title

Download restrictions must be configured. (Cat III impact)

Discussion

This configures the type of downloads that Microsoft Edge completely blocks without allowing users to override the security decision. Set "BlockDangerousDownloads" to allow all downloads except those that carry Microsoft Defender SmartScreen warnings of known dangerous downloads or that have dangerous file type extensions. Set "BlockPotentiallyDangerousDownloads" to allow all downloads except those that carry Microsoft Defender SmartScreen warnings of potentially dangerous or unwanted downloads or that have dangerous file type extensions. Set "BlockAllDownloads" to block all downloads. Set "BlockMaliciousDownloads" to allow all downloads except those that carry Microsoft Defender SmartScreen warnings of known malicious downloads. If this policy is not configured or the "DefaultDownloadSecurity" option is not set, the downloads go through the usual security restrictions based on Microsoft Defender SmartScreen analysis results. Policy options mapping: DefaultDownloadSecurity (0) = No special restrictions BlockDangerousDownloads (1) = Block malicious downloads and dangerous file types BlockPotentiallyDangerousDownloads (2) = Block potentially dangerous or unwanted downloads and dangerous file types BlockAllDownloads (3) = Block all downloads BlockMaliciousDownloads (4) = Block malicious downloads

Check Content

If this machine is on SIPRNet, this is Not Applicable. The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Allow download restrictions" must be set to "Enabled" with the option value set to "BlockDangerousDownloads" or "Block potentially dangerous or unwanted downloads". The more restrictive option, "Block all downloads", is also acceptable. Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for "DownloadRestrictions" is set to "REG_DWORD = 0", this is a finding.

Fix Text

Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Allow download restrictions" to "Enabled" and select one of the following: "BlockDangerousDownloads", "Block potentially dangerous or unwanted downloads", "BlockAllDownloads", or "BlockMaliciousDownloads".

Additional Identifiers

Rule ID: SV-235752r1106675_rule

Vulnerability ID: V-235752

Group Title: SRG-APP-000141

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.