Title

WebUSB must be disabled. (Cat II impact)

Discussion

Set whether websites can access connected USB devices. Access can be blocked completely or the user asked each time a website wants to get access to connected USB devices. Override this policy for specific URL patterns by using the WebUsbAskForUrls and WebUsbBlockedForUrls policies. If this policy is not configured, sites can ask users whether they can access the connected USB devices ('AskWebUsb') by default, and users can change this setting.

Check Content

The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Content settings/Control use of the WebUSB API" must be set to "enabled" with the option value set to "Do not allow any site to request access to USB devices via the WebUSB API". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for "DefaultWebUsbGuardSetting" is not set to "REG_DWORD = 2", this is a finding.

Fix Text

Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Content settings/Control use of the WebUSB API" to enabled" and select "Do not allow any site to request access to USB devices via the WebUSB API".

Additional Identifiers

Rule ID: SV-235742r879587_rule

Vulnerability ID: V-235742

Group Title: SRG-APP-000141

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.