CIS Google Chrome Benchmark v1.2.0

CIS Google Chrome Benchmark
v1.2.0 - 06-28-2017
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike
4.0 International Public License. The link to the license terms can be found at
https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode
To further clarify the Creative Commons license related to CIS Benchmark content, you are
authorized to copy and redistribute the content for use by you, within your organization
and outside your organization for non-commercial purposes only, provided that (i)
appropriate credit is given to CIS, (ii) a link to the license is provided. Additionally, if you
remix, transform or build upon the CIS Benchmark(s), you may only distribute the modified
materials if they are subject to the same license terms as the original Benchmark license
and your derivative will no longer be a CIS Benchmark. Commercial use of CIS Benchmarks
is subject to the prior approval of the Center for Internet Security.
1|Page
Table of Contents
Overview .................................................................................................................................................................. 5
Intended Audience ........................................................................................................................................... 5
Consensus Guidance........................................................................................................................................ 5
Typographical Conventions ......................................................................................................................... 6
Scoring Information ........................................................................................................................................ 6
Profile Definitions ............................................................................................................................................ 7
Acknowledgements ......................................................................................................................................... 8
Recommendations ................................................................................................................................................ 9
1 Computer Configuration ............................................................................................................................ 9
1.1 Google Chrome ...................................................................................................................................... 9
1.1.1 (L2) Ensure 'Allow invocation of file selection dialogs' is set to 'Enabled'
(Scored) ...................................................................................................................................................... 9
1.1.2 (L1) Ensure 'Allow running plugins that are outdated' is set to 'Disabled'
(Scored) ................................................................................................................................................... 11
1.1.3 (L1) Ensure 'Always runs plugins that require authorization' is set to 'Disabled'
(Scored) ................................................................................................................................................... 13
1.1.4 (L1) Ensure 'Block third party cookies' is set to 'Enabled' (Scored) .................... 15
1.1.5 (L1) Ensure 'Continue running background apps when Google Chrome is
closed' is set to 'Disabled' (Scored) .............................................................................................. 16
1.1.6 (L1) Ensure 'Enable AutoFill' is set to 'Disabled' (Scored) ....................................... 18
1.1.7 (L1) Ensure 'Enable Google Cloud Print Proxy' is set to 'Disabled' (Scored) .... 19
1.1.8 (L1) Ensure 'Enable reporting of usage and crash-related data' is set to
'Disabled' (Scored) .............................................................................................................................. 20
1.1.9 (L1) Ensure 'Enable submission of documents to Google Cloud print' is set to
'Disabled' (Scored) .............................................................................................................................. 21
1.1.10 (L1) Ensure 'Import saved passwords from default browser on first run' is set
to 'Disabled' (Scored) ......................................................................................................................... 23
1.1.11 (L1) Ensure 'Specify whether the plugin finder should be disabled' is set to
'Enabled' (Scored) ............................................................................................................................... 24
2|Page
1.2 Allow Google Chrome Frame to Handle the Following Content Types ........................ 26
1.3 Configure Remote Access Options .............................................................................................. 27
1.3.1 (L1) Ensure 'Configure the required domain name for remote access hosts' is
set to 'Enabled' (Scored) ................................................................................................................... 27
1.3.2 (L1) Ensure 'Enable curtaining of remote access hosts' is set to 'Enabled'
(Scored) ................................................................................................................................................... 29
1.3.3 (L1) Ensure 'Enable firewall traversal from remote access host' is set to
'Disabled' (Scored) .............................................................................................................................. 31
1.3.4 (L1) Ensure 'Enable or disable PIN-less authentication for remote access hosts'
is set to 'Disabled' (Scored) ............................................................................................................. 33
1.4 Content Settings ................................................................................................................................. 34
1.4.1 (L2) Ensure 'Default cookies setting' is set to 'Enabled' (Keep cookies for the
duration of the session) (Scored) .................................................................................................. 34
1.4.2 (L1) Ensure 'Default Plugin Setting' is set to 'Enabled' (Click to Play) (Scored)
..................................................................................................................................................................... 36
1.5 Default HTML Renderer for Google Chrome Frame ............................................................ 38
1.6 Default Search Provider .................................................................................................................. 38
1.7 Extensions ............................................................................................................................................ 39
1.7.1 (L1) Ensure 'Configure extension installation blacklist' is set to 'Enabled' ("*"
for all extensions) (Scored) ............................................................................................................. 39
1.8 Home Page ........................................................................................................................................... 41
1.9 Locally Managed Users Settings .................................................................................................. 41
1.10 Native Messaging ............................................................................................................................ 41
1.11 Password Manager ......................................................................................................................... 42
1.11.1 (L1) Ensure 'Enable the password manager' is set to 'Disabled' (Scored) ...... 42
1.12 Policies for HTTP Authentication ............................................................................................. 44
1.13 Proxy Server ..................................................................................................................................... 44
1.14 Startup Pages.................................................................................................................................... 44
Appendix: Summary Table ............................................................................................................................. 45
Appendix: Change History .............................................................................................................................. 47
3|Page
4|Page
Overview
This document provides prescriptive guidance for establishing a secure configuration
posture for Google Chrome Browser. This guide was tested against Google Chrome
v59.0.3071.86. To obtain the latest version of this guide, please visit
http://benchmarks.cisecurity.org. If you have questions, comments, or have identified
ways to improve this guide, please write us at [email protected].
Intended Audience
This document is intended for system and application administrators, security specialists,
auditors, help desk, and platform deployment personnel who plan to develop, deploy,
assess, or secure solutions that incorporate Google Chrome.
Consensus Guidance
This benchmark was created using a consensus review process comprised of subject
matter experts. Consensus participants provide perspective from a diverse set of
backgrounds including consulting, software development, audit and compliance, security
research, operations, government, and legal.
Each CIS benchmark undergoes two phases of consensus review. The first phase occurs
during initial benchmark development. During this phase, subject matter experts convene
to discuss, create, and test working drafts of the benchmark. This discussion occurs until
consensus has been reached on benchmark recommendations. The second phase begins
after the benchmark has been published. During this phase, all feedback provided by the
Internet community is reviewed by the consensus team for incorporation in the
benchmark. If you are interested in participating in the consensus process, please visit
https://community.cisecurity.org.
5|Page
Typographical Conventions
The following typographical conventions are used throughout this guide:
Convention Meaning
Stylized Monospace font Used for blocks of code, command, and script examples.
Text should be interpreted exactly as presented.
Monospace font Used for inline code, commands, or examples. Text should
be interpreted exactly as presented.
<italic font in brackets> Italic texts set in angle brackets denote a variable
requiring substitution for a real value.
Italic font Used to denote the title of a book, article, or other

publication.
Note Additional information or caveats
Scoring Information
A scoring status indicates whether compliance with the given recommendation impacts the
assessed target's benchmark score. The following scoring statuses are used in this
benchmark:
Scored
Failure to comply with "Scored" recommendations will decrease the final benchmark score.
Compliance with "Scored" recommendations will increase the final benchmark score.
Not Scored
Failure to comply with "Not Scored" recommendations will not decrease the final
benchmark score. Compliance with "Not Scored" recommendations will not increase the
final benchmark score.
6|Page
Profile Definitions
The following configuration profiles are defined by this Benchmark:
 Level 1
Items in this profile intend to:
o be practical and prudent;

o provide a clear security benefit; and
o not inhibit the utility of the technology beyond acceptable means.
 Level 2
This profile extends the "Level 1" profile. Items in this profile exhibit one or more of
the following characteristics:
o are intended for environments or use cases where security is paramount

o acts as defense in depth measure
o may negatively inhibit the utility or performance of the technology
7|Page
Acknowledgements
This benchmark exemplifies the great things a community of users, vendors, and subject matter
experts can accomplish through consensus collaboration. The CIS community thanks the entire
consensus team with special recognition to the following individuals who contributed greatly to
the creation of this guide:
Contributor
Brian Howson
Philippe Langlois
Frank Lesniak MCSE
Editor
Edward Oechsner GSEC
Jordan Rakoske GSEC, GCWN
8|Page
Recommendations
1 Computer Configuration
The following structure of this guide mirrors how it is structured in the Google Chrome
Group Policy template.
1.1 Google Chrome

This section contains recommendations for Google Chrome.
1.1.1 (L2) Ensure 'Allow invocation of file selection dialogs' is set to

'Enabled' (Scored)
Profile Applicability:
 Level 2
Description:
Allows access to local files on the machine by allowing Google Chrome to display file
selection dialogs.
Rationale:
Preventing users from uploading documents can help limit the loss of sensitive
information.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:AllowFileSelectionDialogs
Remediation:
To establish the recommended configuration via Group Policy, set the following UI path to
Enabled.
Computer Configuration\Administrative Templates\Classic Administrative

Template (ADM)\Google\Google Chrome\Allow invocation of file selection
dialogs
9|Page
Impact:
If you enable this setting, users can open file selection dialogs as normal.
Default Value:
Not Configured
CIS Controls:
14 Controlled Access Based on the Need to Know

Controlled Access Based on the Need to Know
10 | P a g e
1.1.2 (L1) Ensure 'Allow running plugins that are outdated' is set to
'Disabled' (Scored)
 Level 1
Description:
Chrome enables the use of outdated plugins. By disabling this feature Chrome will not
prompt the user to use an outdated plugin.
Rationale:
Running the most up-to-date version of a plugin can reduce the possibility of running a
plugin that contains an exploit or security hole.
Audit:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:AllowOutdatedPlugins
Remediation:
Disabled.

Template (ADM)\Google\Google Chrome\Allow running plugins that are outdated
Impact:
If you disable this setting, outdated plugins will not be used and users will not be asked for
permission to run them.
Default Value:
Not Configured
CIS Controls:
7.1 Use Only Fully-supported Web Browsers And Email Clients

Ensure that only fully supported web browsers and email clients are allowed to execute in
11 | P a g e
the organization, ideally only using the latest version of the browsers provided by the
vendor in order to take advantage of the latest security functions and fixes.
12 | P a g e
1.1.3 (L1) Ensure 'Always runs plugins that require authorization' is set
to 'Disabled' (Scored)
 Level 1
Description:
Chrome allows plugins that are not outdated to run automatically. Disabling this setting
allows the plugins to run only when permission is granted by the user.
Rationale:
Disabling plugins from automatically running can prevent unwanted and/or harmful
plugins from running without the user’s consent, limiting unauthorized data/remote
access.
Audit:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:AlwaysAuthorizePlugins
Remediation:
Disabled.

Template (ADM)\Google\Google Chrome\Always runs plugins that require
authorization
Impact:
If this setting is disabled or not set, users will be asked for permission to run plugins that
require authorization. These are plugins that can potentially compromise security.
Default Value:
Not Configured
13 | P a g e
CIS Controls:
7.2 Uninstall/Disable Unnecessary or Unauthorized Browser Or Email Client Plugins

Uninstall or disable any unnecessary or unauthorized browser or email client plugins or
add-on applications. Each plugin shall utilize application / URL whitelisting and only allow
the use of the application for pre-approved domains.
14 | P a g e
1.1.4 (L1) Ensure 'Block third party cookies' is set to 'Enabled' (Scored)
 Level 1
Description:
Chrome allows cookies to be set by web page elements that are not from the domain in the
user's address bar. Enabling this feature prevents third party cookies from being set.
Rationale:
Blocking third party cookies can help protect a user's privacy by eliminating a number of
website tracking cookies.
Audit:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:BlockThirdPartyCookies
Remediation:
Enabled.

Template (ADM)\Google\Google Chrome\Block third party cookies
Impact:
Enabling this setting prevents cookies from being set by web page elements that are not
from the domain that is in the browser's address bar.
Default Value:
Not Configured
CIS Controls:
13 Data Protection
Data Protection
15 | P a g e
1.1.5 (L1) Ensure 'Continue running background apps when Google
Chrome is closed' is set to 'Disabled' (Scored)
 Level 1
Description:
Chrome allows for processes started while the browser is open to remain running once the
browser has been closed. It also allows for background apps and the current browsing
session to remain active after the browser has been closed. Disabling this feature will stop
all processes and background applications when the browser window is closed.
Rationale:
If this setting is enabled, vulnerable or malicious plugins, apps and processes can continue
running even after Chrome has closed.
Audit:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:BackgroundModeEnabled
Remediation:
Disabled.

Template (ADM)\Google\Google Chrome\Continue running background apps when
Google Chrome is closed
Impact:
If this policy is set to Disabled, background mode is disabled and cannot be controlled by
the user in the browser settings.
Default Value:
Not Configured
16 | P a g e
CIS Controls:
7 Email and Web Browser Protections

Email and Web Browser Protections
17 | P a g e
1.1.6 (L1) Ensure 'Enable AutoFill' is set to 'Disabled' (Scored)
 Level 1
Description:
Chrome allows users to auto-complete web forms with saved information such as address,
phone number and credit card numbers. Disabling this feature will prompt a user to enter
all information manually.
Rationale:
If an attacker gains access to a user's machine where the user has stored auto save data,
information could be harvested or used to gain access to more systems.
Audit:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:AutoFillEnabled
Remediation:
Disabled.

Template (ADM)\Google\Google Chrome\Enable AutoFill
Impact:
If this setting is disabled, AutoFill will be inaccessible to users.
Default Value:
Not Configured
CIS Controls:
13 Data Protection
Data Protection
18 | P a g e
1.1.7 (L1) Ensure 'Enable Google Cloud Print Proxy' is set to 'Disabled'
(Scored)
 Level 1
Description:
This setting enables Google Chrome to act as a proxy between Google Cloud Print and
legacy printers connected to the machine.
Rationale:
Disabling this option will prevent users from printing possible confidential enterprise
documents through the cloud.
Audit:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:CloudPrintProxyEnabled
Remediation:
Disabled.

Template (ADM)\Google\Google Chrome\Enable Google Cloud Print Proxy
Impact:
If this setting is disabled, users cannot enable the proxy, and the machine will not be
allowed to share its local printers with Google Cloud Print.
Default Value:
Not Configured
CIS Controls:
13 Data Protection
Data Protection
19 | P a g e
1.1.8 (L1) Ensure 'Enable reporting of usage and crash-related data' is
set to 'Disabled' (Scored)
 Level 1
Description:
This Setting controls anonymous reporting of usage and crash-related data about Google
Chrome to Google.
Rationale:
Anonymous crash/usage data can be used to identify people, companies and information,
which can be considered data ex-filtration from company systems.
Audit:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:MetricsReportingEnabled
Remediation:
Disabled.

Template (ADM)\Google\Google Chrome\Enable reporting of usage and crash-
related data
Impact:
If this setting is disabled, this information is not sent to Google.
Default Value:
Not Configured
CIS Controls:
13 Data Protection
Data Protection
20 | P a g e
1.1.9 (L1) Ensure 'Enable submission of documents to Google Cloud
print' is set to 'Disabled' (Scored)
 Level 1
Description:
This setting enables Google Chrome to submit documents to Google Cloud Print for
printing. NOTE: This only affects Google Cloud Print support in Google Chrome. It does not
prevent users from submitting print jobs on web sites.
Rationale:
Disabling this option will prevent users from printing possible confidential enterprise
documents through the cloud.
Audit:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:CloudPrintSubmitEnabled
Remediation:
Disabled.

Template (ADM)\Google\Google Chrome\Enable submission of documents to Google
Cloud print
Impact:
If this setting is disabled, users cannot print to Google Cloud Print from the Chrome print
dialog
Default Value:
Not Configured
21 | P a g e
CIS Controls:
13 Data Protection
Data Protection
22 | P a g e
1.1.10 (L1) Ensure 'Import saved passwords from default browser on
first run' is set to 'Disabled' (Scored)
 Level 1
Description:
This setting controls if saved passwords from the default browser can be imported.
Rationale:
In Chrome, passwords can be stored in plain-text and revealed by clicking the “show”
button next to the password field by going to chrome://settings/passwords/.
Audit:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:ImportSavedPasswords
Remediation:
Disabled.

Template (ADM)\Google\Google Chrome\Import saved passwords from default
browser on first run
Impact:
If this setting is disabled, saved passwords from other browsers are not imported.
Default Value:
Not Configured
CIS Controls:
16 Account Monitoring and Control

Account Monitoring and Control
23 | P a g e
1.1.11 (L1) Ensure 'Specify whether the plugin finder should be disabled'
is set to 'Enabled' (Scored)
 Level 1
Description:
Chrome allows for the automatic search and installation of missing plugins. Disabling this
feature will stop plugins from being downloaded and installed without the user's consent
or knowledge.
Rationale:
Disabling the feature that allows plugins to automatically be installed prevents plugins that
may have vulnerabilities or be against company policy from being introduced to the
computer without anyone’s knowledge.
Audit:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:DisablePluginFinder
Remediation:
Enabled.

Template (ADM)\Google\Google Chrome\Specify whether the plugin finder should
be disabled
Impact:
If this settings is enabled, the automatic search and installation of missing plugins will be
disabled in Google Chrome.
Default Value:
Not Configured
24 | P a g e
CIS Controls:

25 | P a g e
1.2 Allow Google Chrome Frame to Handle the Following
Content Types
This section is intentionally blank and exists to ensure the structure of the Google Chrome
benchmark is consistent in future releases.
26 | P a g e
1.3 Configure Remote Access Options
This section contains recommendations for Configuring Remote Access Options
1.3.1 (L1) Ensure 'Configure the required domain name for remote
access hosts' is set to 'Enabled' (Scored)
 Level 1
Description:
Chrome allows the user to configure a required host domain that is imposed on remote
access hosts. When enabled, hosts can only be shared using accounts that are registered to
the specified domain.
Rationale:
If this setting is disabled or not set, then hosts can be shared using any account.
Audit:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:RemoteAccessHostDomain
Remediation:
Enabled and enter domain.

Templates (ADM)\Google\Google Chrome\Configure remote access
options\Configure the required domain name for remote access hosts
Impact:
If this setting is enabled, hosts can be shared only using accounts registered on the
specified domain name.
Default Value:
Not Configured
27 | P a g e
CIS Controls:
9 Limitation and Control of Network Ports, Protocols, and Services

Limitation and Control of Network Ports, Protocols, and Services
28 | P a g e
1.3.2 (L1) Ensure 'Enable curtaining of remote access hosts' is set to
'Enabled' (Scored)
 Level 1
Description:
Chrome allows the user to disable a remote user's physical input and output while the
remote connection is in progress.
Rationale:
If this setting is disabled or not set, then both local and remote users can interact with the
host when it is being shared.
Audit:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:RemoteAccessHostRequireCur
tain
Remediation:
Enabled.

Templates (ADM)\Google\Google Chrome\Configure remote access options\Enable
curtaining of remote access hosts
Impact:
If this setting is enabled, host's physical input and output devices are disabled while a
remote connection is in progress.
Default Value:
Not Configured
29 | P a g e
CIS Controls:

30 | P a g e
1.3.3 (L1) Ensure 'Enable firewall traversal from remote access host' is
set to 'Disabled' (Scored)
 Level 1
Description:
Chrome enables the usage of STUN servers which allows remote clients to discover and
connect to a machine even if they are separated by a firewall. By disabling this feature, in
conjunction with filtering outgoing UDP connections, the machine will only allow
connections from machines within the local network.
Rationale:
If this setting is enabled, remote clients can discover and connect to this machines even if
they are separated by a firewall.
Audit:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:RemoteAccessHostFirewallTr
aversal
Remediation:
Disabled.

Template (ADM)\Google\Google Chrome\Configure remote access options\Enable
firewall traversal from remote access host
Impact:
If this setting is disabled and outgoing UDP connections are filtered by the firewall, this
machine will only allow connections from client machines within the local network.
Default Value:
Not Configured
31 | P a g e
CIS Controls:

32 | P a g e
1.3.4 (L1) Ensure 'Enable or disable PIN-less authentication for remote
access hosts' is set to 'Disabled' (Scored)
 Level 1
Description:
Chrome enables a user to opt-out of using user-specified PIN authentication and instead
pair clients and hosts during connection time.
Rationale:
If this setting is enabled or not configured, users can opt to pair clients and hosts at
connection time, eliminating the need to enter a PIN every time.
Audit:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:RemoteAccessHostAllowClien
tPairing
Remediation:
``Disabled.

Templates (ADM)\Google\Google Chrome\Configure remote access options\Enable
or disable PIN-less authentication
Impact:
If this setting is disabled, users will be required to enter PIN every time.
Default Value:
Not Configured
CIS Controls:

33 | P a g e
1.4 Content Settings
This section contains recommendations for Content Settings
1.4.1 (L2) Ensure 'Default cookies setting' is set to 'Enabled' (Keep

cookies for the duration of the session) (Scored)
 Level 2
Description:
Allows you to set whether websites are allowed to set local data. Setting local data can be
either allowed for all websites or denied for all websites.
Rationale:
If this policy is left not set, 'AllowCookies' will be used and the user will be able to change it.
Audit:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:DefaultCookiesSetting
Remediation:
Enabled.

Template (ADM)\Google\Google Chrome\Content Settings\Default cookies setting
Impact:
If this setting is enabled, cookies will be cleared when the session closes.
Default Value:
Not Configured
CIS Controls:
34 | P a g e
13 Data Protection
Data Protection
35 | P a g e
1.4.2 (L1) Ensure 'Default Plugin Setting' is set to 'Enabled' (Click to Play)
(Scored)
 Level 1
Description:
Allows you to set whether websites are allowed to automatically run plugins. Automatically
running plugins can be either allowed for all websites or denied for all websites.
Rationale:
Malicious plugins can cause browser instability and erratic behavior so setting the value to
click to play will allow a user to only run necessary plugins.
Audit:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:DefaultPluginsSetting
Remediation:
Enabledwith click to play selected from the drop down.

Template (ADM)\Google\Google Chrome\Content Settings\Default Plugins Setting
Impact:
If this setting is enabled, users must click plugins to allow their execution
Default Value:
Not Configured
CIS Controls:

36 | P a g e
37 | P a g e
1.5 Default HTML Renderer for Google Chrome Frame
1.6 Default Search Provider

38 | P a g e
1.7 Extensions
This section contains recommendations for Extensions
1.7.1 (L1) Ensure 'Configure extension installation blacklist' is set to

'Enabled' ("*" for all extensions) (Scored)
 Level 1
Description:
Enabling this setting allows you to specify which extensions the users can NOT install.
Extensions already installed will be removed if blacklisted.
Rationale:
This can be used to block extensions that could potentially allow remote control of the
system through the browser. If there are extensions needed for securing the browser or for
enterprise use these can be enabled by configuring the extension whitelist.
Audit:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallBlacklist\
1
Remediation:
Enabled.

Template (ADM)\Google\Google Chrome\Extensions\Configure Extension
Installation Blacklist
Impact:
Any installed extension will be removed unless it is specified on the extension whitelist.
39 | P a g e
Default Value:
Not Configured
CIS Controls:

40 | P a g e
1.8 Home Page
1.9 Locally Managed Users Settings

1.10 Native Messaging

41 | P a g e
1.11 Password Manager
This section contains recommendations for Password Manager
1.11.1 (L1) Ensure 'Enable the password manager' is set to 'Disabled'

(Scored)
 Level 1
Description:
Chrome will memorize passwords and automatically provide them when a user logs into a
site. By disabling this feature the user will be prompted to enter their password each time
they visit a website.
Rationale:
If this setting is enabled, users can have Google Chrome memorize passwords and provide
them automatically the next time they log in to a site. An intruder who has unrestricted
access to your computer for even a minute can view and copy all of your saved passwords
just by visiting an easy-to-remember settings page: chrome://settings/passwords.
Audit:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:PasswordManagerEnabled
Remediation:
Disabled.

Template (ADM)\Google\Google Chrome\Password manager\Enable the password
manager
Impact:
If this setting is disable, users are not able to save passwords or use previously saved
passwords.
42 | P a g e
Default Value:
Not Configured
CIS Controls:
16 Account Monitoring and Control

Account Monitoring and Control
43 | P a g e
1.12 Policies for HTTP Authentication
1.13 Proxy Server

1.14 Startup Pages

44 | P a g e
Appendix: Summary Table
Control Set
Correctly
Yes No
1 Computer Configuration
1.1 Google Chrome
1.1.1 (L2) Ensure 'Allow invocation of file selection dialogs' is set to
 
'Enabled' (Scored)
1.1.2 (L1) Ensure 'Allow running plugins that are outdated' is set to
 
'Disabled' (Scored)
1.1.3 (L1) Ensure 'Always runs plugins that require authorization'
 
is set to 'Disabled' (Scored)
1.1.4 (L1) Ensure 'Block third party cookies' is set to 'Enabled'
 
(Scored)
1.1.5 (L1) Ensure 'Continue running background apps when Google
 
Chrome is closed' is set to 'Disabled' (Scored)
1.1.6 (L1) Ensure 'Enable AutoFill' is set to 'Disabled' (Scored)  
1.1.7 (L1) Ensure 'Enable Google Cloud Print Proxy' is set to
 
'Disabled' (Scored)
1.1.8 (L1) Ensure 'Enable reporting of usage and crash-related
 
data' is set to 'Disabled' (Scored)
1.1.9 (L1) Ensure 'Enable submission of documents to Google
 
Cloud print' is set to 'Disabled' (Scored)
1.1.10 (L1) Ensure 'Import saved passwords from default browser
 
on first run' is set to 'Disabled' (Scored)
1.1.11 (L1) Ensure 'Specify whether the plugin finder should be
 
disabled' is set to 'Enabled' (Scored)
1.2 Allow Google Chrome Frame to Handle the Following Content Types
1.3 Configure Remote Access Options
1.3.1 (L1) Ensure 'Configure the required domain name for remote
 
access hosts' is set to 'Enabled' (Scored)
1.3.2 (L1) Ensure 'Enable curtaining of remote access hosts' is set
 
to 'Enabled' (Scored)
1.3.3 (L1) Ensure 'Enable firewall traversal from remote access
 
host' is set to 'Disabled' (Scored)
1.3.4 (L1) Ensure 'Enable or disable PIN-less authentication for
 
remote access hosts' is set to 'Disabled' (Scored)
1.4 Content Settings
1.4.1 (L2) Ensure 'Default cookies setting' is set to 'Enabled' (Keep
 
cookies for the duration of the session) (Scored)
1.4.2 (L1) Ensure 'Default Plugin Setting' is set to 'Enabled' (Click to
 
Play) (Scored)
45 | P a g e
1.5 Default HTML Renderer for Google Chrome Frame
1.6 Default Search Provider
1.7 Extensions
1.7.1 (L1) Ensure 'Configure extension installation blacklist' is set
 
to 'Enabled' ("*" for all extensions) (Scored)
1.8 Home Page
1.9 Locally Managed Users Settings
1.10 Native Messaging
1.11 Password Manager
1.11.1 (L1) Ensure 'Enable the password manager' is set to
 
'Disabled' (Scored)
1.12 Policies for HTTP Authentication
1.13 Proxy Server
1.14 Startup Pages
46 | P a g e
Appendix: Change History
Date Version Changes for this version
10-30- 1.0.0 Initial Release

15
3-15-16 1.1.0 text to update on

benchmarks_rule_1.11.1_Set_Enable_the_password_manager_to_Disabled
3-15-16 1.1.0 Removed version from Title
3-15-16 1.1.0 Updated all recommendation titles to include level and new wording.
6-28-17 1.2.0 Added Controls Mappings to all recommendations
6-28-17 1.2.0 Set 'Allow invocation of file selection dialogs' to Enabled - description /
rationale error – Ticket #5105
6-28-17 1.2.0 Remove - (L1) Ensure 'Allow users to show passwords in Password
Manager' is set to 'Disabled' – Deprecated – Ticket #4767
6-28-17 1.2.0 Remove - (L1) Ensure 'Specify a list of Disabled Plugins' is set to
'Enabled' - Deprecated – Ticket #4764
6-28-17 1.2.0 Remove - Set 'Enable alternate error pages' to Disabled – Ticket #5106
47 | P a g e

CIS Google Chrome Benchmark v1.2.0

Uploaded by

Copyright:

Available Formats

CIS Google Chrome Benchmark v1.2.0

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CIS Google Chrome Benchmark v1.2.0

Uploaded by

Copyright:

Available Formats

CIS Google Chrome Benchmark

Italic font Used to denote the title of a book, article, or other

Note Additional information or caveats

Items in this profile intend to:

o be practical and prudent;

o are intended for environments or use cases where security is paramount

1.1 Google Chrome

1.1.1 (L2) Ensure 'Allow invocation of file selection dialogs' is set to

Computer Configuration\Administrative Templates\Classic Administrative

14 Controlled Access Based on the Need to Know

Computer Configuration\Administrative Templates\Classic Administrative

7.1 Use Only Fully-supported Web Browsers And Email Clients

Computer Configuration\Administrative Templates\Classic Administrative

7.2 Uninstall/Disable Unnecessary or Unauthorized Browser Or Email Client Plugins

Computer Configuration\Administrative Templates\Classic Administrative

Computer Configuration\Administrative Templates\Classic Administrative

7 Email and Web Browser Protections

Computer Configuration\Administrative Templates\Classic Administrative

If this setting is disabled, AutoFill will be inaccessible to users.

Computer Configuration\Administrative Templates\Classic Administrative

Computer Configuration\Administrative Templates\Classic Administrative

If this setting is disabled, this information is not sent to Google.

Computer Configuration\Administrative Templates\Classic Administrative

Computer Configuration\Administrative Templates\Classic Administrative

16 Account Monitoring and Control

Computer Configuration\Administrative Templates\Classic Administrative

7.2 Uninstall/Disable Unnecessary or Unauthorized Browser Or Email Client Plugins

Computer Configuration\Administrative Templates\Classic Administrative

9 Limitation and Control of Network Ports, Protocols, and Services

Computer Configuration\Administrative Templates\Classic Administrative

9 Limitation and Control of Network Ports, Protocols, and Services

Computer Configuration\Administrative Templates\Classic Administrative

9 Limitation and Control of Network Ports, Protocols, and Services

Computer Configuration\Administrative Templates\Classic Administrative

9 Limitation and Control of Network Ports, Protocols, and Services

1.4.1 (L2) Ensure 'Default cookies setting' is set to 'Enabled' (Keep

Computer Configuration\Administrative Templates\Classic Administrative

Computer Configuration\Administrative Templates\Classic Administrative

7.2 Uninstall/Disable Unnecessary or Unauthorized Browser Or Email Client Plugins

1.6 Default Search Provider

1.7.1 (L1) Ensure 'Configure extension installation blacklist' is set to

Computer Configuration\Administrative Templates\Classic Administrative

7.2 Uninstall/Disable Unnecessary or Unauthorized Browser Or Email Client Plugins

1.9 Locally Managed Users Settings

1.10 Native Messaging

1.11.1 (L1) Ensure 'Enable the password manager' is set to 'Disabled'

Computer Configuration\Administrative Templates\Classic Administrative

16 Account Monitoring and Control

1.13 Proxy Server

1.14 Startup Pages

10-30- 1.0.0 Initial Release

3-15-16 1.1.0 text to update on

3-15-16 1.1.0 Removed version from Title

6-28-17 1.2.0 Added Controls Mappings to all recommendations

You might also like