
CIS Google Chrome Benchmark
v3.0.0 - 01-29-2024
Terms of Use
Please see the below link for our current terms of use:
https://www.cisecurity.org/cis-securesuite/cis-securesuite-membership-terms-of-use/

Page 1
Table of Contents
Terms of Use ..... 1
Table of Contents ..... 2
Overview ..... 8
--- USAGE NOTES --- ..... 8
Recommendation Order ..... 8
Enforced Defaults ..... 9
Viewing the Resulting "Policies" in Chrome ..... 9
Intended Audience ..... 9
Consensus Guidance ..... 10
Typographical Conventions ..... 11
Recommendation Definitions ..... 12
Title ..... 12
Assessment Status ..... 12
Automated ..... 12
Manual ..... 12
Profile ..... 12
Description ..... 12
Rationale Statement ..... 12
Impact Statement ..... 13
Audit Procedure ..... 13
Remediation Procedure ..... 13
Default Value ..... 13
References ..... 13
CIS Critical Security Controls® (CIS Controls®) ..... 13
Additional Information ..... 13
Profile Definitions ..... 14
Acknowledgements ..... 15
Recommendations ..... 16
1 Enforced Defaults ..... 16
1.1 HTTP authentication ..... 17
1.1.1 (L1) Ensure 'Cross-origin HTTP Authentication prompts' is set to 'Disabled' (Automated) ..... 18
1.2 Safe Browsing settings ..... 20
1.2.1 (L1) Ensure 'Configure the list of domains on which Safe Browsing will not trigger warnings' is set to 'Disabled' (Automated) ..... 21
1.2.2 (L1) Ensure 'Safe Browsing Protection Level' is set to 'Enabled: Safe Browsing is active in the standard mode.' or higher (Manual) ..... 23

1.3 (L1) Ensure 'Allow Google Cast to connect to Cast devices on all IP addresses' is set to 'Disabled' (Automated) ..... 25
1.4 (L1) Ensure 'Allow queries to a Google time service' is set to 'Enabled' (Automated) ..... 27
1.5 (L1) Ensure 'Allow the audio sandbox to run' is set to 'Enabled' (Automated) ..... 29
1.6 (L1) Ensure 'Ask where to save each file before downloading' is set to 'Enabled' (Automated) ..... 31
1.7 (L1) Ensure 'Continue running background apps when Google Chrome is closed' is set to 'Disabled' (Automated) ..... 33
1.8 (L2) Ensure 'Control SafeSites adult content filtering' is set to 'Enabled: Filter top level sites (but not embedded iframes) for adult content' (Automated) ..... 35
1.9 (L1) Ensure 'Determine the availability of variations' is set to 'Enable all variations' (Manual) ..... 37
1.10 (L1) Ensure 'Disable Certificate Transparency enforcement for a list of Legacy Certificate Authorities' is set to 'Disabled' (Automated) ..... 39
1.11 (L1) Ensure 'Disable Certificate Transparency enforcement for a list of subjectPublicKeyInfo hashes' is set to 'Disabled' (Automated) ..... 41
1.12 (L1) Ensure 'Disable Certificate Transparency enforcement for a list of URLs' is set to 'Disabled' (Automated) ..... 43
1.13 (L1) Ensure 'Disable saving browser history' is set to 'Disabled' (Automated) ..... 45
1.14 (L1) Ensure 'DNS interception checks enabled' is set to 'Enabled' (Automated) ..... 47
1.15 (L1) Ensure 'Enable component updates in Google Chrome' is set to 'Enabled' (Automated) ..... 49
1.16 (L1) Ensure 'Enable globally scoped HTTP auth cache' is set to 'Disabled' (Automated) ..... 51
1.17 (L1) Ensure 'Enable online OCSP/CRL checks' is set to 'Disabled' (Automated) ..... 53
1.18 (L1) Ensure 'Enable security warnings for command-line flags' is set to 'Enabled' (Automated) ..... 55
1.19 (L1) Ensure 'Enable third party software injection blocking' is set to 'Enabled' (Automated) ..... 57
1.20 (L1) Ensure 'Enables managed extensions to use the Enterprise Hardware Platform API' is set to 'Disabled' (Automated) ..... 59
1.21 (L1) Ensure 'Ephemeral profile' is set to 'Disabled' (Automated) ..... 61
1.22 (L1) Ensure 'Import autofill form data from default browser on first run' is set to 'Disabled' (Automated) ..... 63
1.23 (L1) Ensure 'Import of homepage from default browser on first run' is set to 'Disabled' (Automated) ..... 65
1.24 (L1) Ensure 'Import search engines from default browser on first run' is set to 'Disabled' (Automated) ..... 67
1.25 (L1) Ensure 'List of names that will bypass the HSTS policy check' is set to 'Disabled' (Automated) ..... 69
1.26 (L1) Ensure 'Origins or hostname patterns for which restrictions on insecure origins should not apply' is set to 'Disabled' (Automated) ..... 71
1.27 (L1) Ensure 'Suppress lookalike domain warnings on domains' is set to 'Disabled' (Automated) ..... 73
1.28 (L1) Ensure 'Suppress the unsupported OS warning' is set to 'Disabled' (Automated) ..... 75
1.29 (L1) Ensure 'URLs for which local IPs are exposed in WebRTC ICE candidates' is set to 'Disabled' (Automated) ..... 77
2 Attack Surface Reduction ..... 79
2.1 Update settings (Google section of GPO) ..... 80
2.1.1 (L1) Ensure 'Update policy override' is set to 'Enabled' with 'Always allow updates (recommended)' or 'Automatic silent updates' specified (Automated) ..... 81
2.1.2 (L1) Ensure 'Auto-update check period override' is set to any value except '0' (Automated) ..... 83
2.2 Content settings ..... 84
2.2.1 (L1) Ensure 'Control use of insecure content exceptions' is set to 'Enabled: Do not allow any site to load mixed content' (Automated) ..... 85

2.2.2 (L2) Ensure 'Control use of the Web Bluetooth API' is set to 'Enabled: Do not allow any site to request access to Bluetooth devices via the Web Bluetooth API' (Automated) ..... 87
2.2.3 (L2) Ensure 'Control use of the WebUSB API' is set to 'Enabled: Do not allow any site to request access to USB devices via the WebUSB API' (Automated) ..... 89
2.2.4 (L2) Ensure 'Default notification setting' is set to 'Enabled: Do not allow any site to show desktop notifications' (Automated) ..... 91
2.2.5 (L1) Ensure 'Allow local file access to file:// URLs on these sites in the PDF Viewer' Is Disabled (Automated) ..... 93
2.3 Extensions ..... 95
2.3.1 (L1) Ensure 'Blocks external extensions from being installed' is set to 'Enabled' (Automated) ..... 96
2.3.2 (L1) Ensure 'Configure allowed app/extension types' is set to 'Enabled: extension, hosted_app, platform_app, theme' (Automated) ..... 98
2.3.3 (L1) Ensure 'Configure extension installation blocklist' is set to 'Enabled: *' (Automated) ..... 100
2.3.4 (L2) Ensure 'Default third-party storage partitioning setting' Is Enabled and Blocked (Automated) ..... 102
2.3.5 (L1) Ensure 'Block third-party storage partitioning for these origins' Is Configured (Manual) ..... 104
2.3.6 (L2) Ensure 'Control Manifest v2 extension availability' Is Set to Forced Only (Automated) ..... 106
2.3.7 (L1) Ensure 'Control availability of extensions unpublished on the Chrome Web Store' Is Disabled (Automated) ..... 108
2.4 HTTP authentication ..... 110
2.4.1 (L2) Ensure 'Supported authentication schemes' is set to 'Enabled: ntlm, negotiate' (Automated) ..... 111
2.5 Native Messaging ..... 113
2.5.1 (L2) Ensure 'Configure native messaging blocklist' is set to 'Enabled: *' (Automated) ..... 114
2.6 Password manager ..... 116
2.6.1 (L1) Ensure 'Enable saving passwords to the password manager' is Explicitly Configured (Manual) ..... 117
2.7 Printing ..... 119
2.7.1 (L1) Ensure 'Enable Google Cloud Print Proxy' is set to 'Disabled' (Automated) ..... 120
2.8 Remote access (Chrome Remote Desktop) ..... 122
2.8.1 Ensure 'Allow remote access connections to this machine' is set to 'Disabled' (Manual) ..... 123
2.8.2 (L1) Ensure 'Allow remote users to interact with elevated windows in remote assistance sessions' is set to 'Disabled' (Automated) ..... 125
2.8.3 (L1) Ensure 'Configure the required domain names for remote access clients' is set to 'Enabled' with a domain defined (Manual) ..... 127
2.8.4 (L1) Ensure 'Enable curtaining of remote access hosts' is set to 'Disabled' (Automated) ..... 129
2.8.5 (L1) Ensure 'Enable firewall traversal from remote access host' is set to 'Disabled' (Automated) ..... 131
2.8.6 (L1) Ensure 'Enable or disable PIN-less authentication for remote access hosts' is set to 'Disabled' (Automated) ..... 133
2.8.7 (L1) Ensure 'Enable the use of relay servers by the remote access host' is set to 'Disabled'. (Automated) ..... 135
2.9 First-Party Sets Settings ..... 137
2.9.1 (L1) Ensure 'Enable First-Party Sets' Is Disabled (Manual) ..... 138
2.10 Microsoft Active Directory Management Settings ..... 140
2.10.1 (L1) Ensure 'Allow automatic sign-in to Microsoft cloud identity providers' Is Enabled (Manual) ..... 141
2.11 (L1) Ensure 'Allow download restrictions' is set to 'Enabled: Block malicious downloads' (Automated) ..... 143

2.12 (L2) Ensure 'Allow proceeding from the SSL warning page' is set to 'Disabled' (Automated) ..... 145
2.13 (L1) Ensure 'Disable proceeding from the Safe Browsing warning page' is set to 'Enabled' (Automated) ..... 147
2.14 (L1) Ensure 'Require Site Isolation for every site' is set to 'Enabled' (Automated) ..... 149
2.15 (L2) Ensure 'Force Google SafeSearch' is set to 'Enabled' (Automated) ..... 151
2.16 (L1) Ensure 'Notify a user that a browser relaunch or device restart is recommended or required' is set to 'Enabled: Show a recurring prompt to the user indication that a relaunch is required' (Automated) ..... 153
2.17 (L1) Ensure 'Proxy settings' is set to 'Enabled' and does not contain "ProxyMode": "auto_detect" (Automated) ..... 155
2.18 (L2) Ensure 'Require online OCSP/CRL checks for local trust anchors' is set to 'Enabled' (Automated) ..... 157
2.19 (L1) Ensure 'Set the time period for update notifications' is set to 'Enabled: 86400000' (Automated) ..... 159
2.20 (L1) Ensure 'Allow Web Authentication requests on sites with broken TLS certificates' Is Disabled (Automated) ..... 161
2.21 (L1) Ensure 'Allow reporting of domain reliability related data' Is Disabled (Automated) ..... 163
2.22 (L1) Ensure 'Enable TLS Encrypted ClientHello' Is Enabled (Automated) ..... 165
2.23 (L2) Ensure 'Determines whether the built-in certificate verifier will enforce constraints encoded into trust anchors loaded from the platform trust store' Is Enabled (Automated) ..... 167
2.24 (L1) Ensure 'Keep browsing data when creating enterprise profile by default' Is Enabled (Automated) ..... 169
2.25 (L1) Ensure 'Allow file or directory picker APIs to be called without prior user gesture' Is Disabled (Automated) ..... 171
2.26 (L1) Ensure 'Enable Google Search Side Panel' Is Disabled (Automated) ..... 173
2.27 (L1) Ensure 'Http Allowlist' Is Properly Configured (Manual) ..... 175
2.28 (L1) Ensure 'Enable automatic HTTPS upgrades' Is Enabled (Automated) ..... 177
2.29 (L1) Ensure 'Insecure Hashes in TLS Handshakes Enabled' Is Disabled (Automated) ..... 179
2.30 (L1) Ensure 'Enable Renderer App Container' Is Enabled (Automated) ..... 181
2.31 (L1) Ensure 'Enable strict MIME type checking for worker scripts' Is Enabled (Automated) ..... 183
2.32 Ensure 'Allow remote debugging' is set to 'Disabled' (Automated) ..... 185
3 Privacy ..... 187
3.1 Content settings ..... 188
3.1.1 (L2) Ensure 'Default cookies setting' is set to 'Enabled: Keep cookies for the duration of the session' (Automated) ..... 189
3.1.2 (L1) Ensure 'Default geolocation setting' is set to 'Enabled: Do not allow any site to track the users' physical location' (Automated) ..... 191
3.2 Google Cast ..... 193
3.2.1 (L1) Ensure 'Enable Google Cast' is set to 'Disabled' (Automated) ..... 194
3.3 (L1) Ensure 'Allow websites to query for available payment methods' is set to 'Disabled' (Automated) ..... 196
3.4 (L1) Ensure 'Block third party cookies' is set to 'Enabled' (Automated) ..... 198
3.5 (L2) Ensure 'Browser sign in settings' is set to 'Enabled: Disabled browser sign-in' (Automated) ..... 200
3.6 (L1) Ensure 'Control how Chrome Cleanup reports data to Google' is set to 'Disabled' (Automated) ..... 202
3.7 (L1) Ensure 'Disable synchronization of data with Google' is set to 'Enabled' (Automated) ..... 204
3.8 (L1) Ensure 'Enable alternate error pages' is set to 'Disabled' (Automated) ..... 206
3.9 (L1) Ensure 'Enable deleting browser and download history' is set to 'Disabled' (Automated) ..... 208

3.10 (L1) Ensure 'Enable predict network actions' is set to 'Enabled: Do not predict actions on any network connection' (Automated) ..... 210
3.11 (L1) Ensure 'Enable or disable spell checking web service' is set to 'Disabled' (Automated) ..... 212
3.12 (L1) Ensure 'Enable reporting of usage and crash-related data' is set to 'Disabled' (Automated) ..... 214
3.13 (L1) Ensure 'Enable Safe Browsing for trusted sources' is set to 'Disabled' (Automated) ..... 216
3.14 (L2) Ensure 'Enable search suggestions' is set to 'Disabled' (Automated) ..... 218
3.15 (L2) Ensure 'Enable Translate' is set to 'Disabled' (Automated) ..... 220
3.16 (L1) Ensure 'Enable URL-keyed anonymized data collection' is set to 'Disabled' (Automated) ..... 222
4 Data Loss Prevention ..... 224
4.1 Allow or deny screen capture ..... 225
4.1.1 (L2) Ensure 'Allow or deny screen capture' is set to 'Disabled' (Automated) ..... 226
4.2 Content settings ..... 228
4.2.1 (L2) Ensure 'Control use of the Serial API' is set to 'Enabled: Do not allow any site to request access to serial ports via the Serial API' (Automated) ..... 229
4.2.2 (L2) Ensure 'Default Sensors Setting' is set to 'Enabled: Do not allow any site to access sensors' (Automated) ..... 231
4.2.3 (L1) Ensure 'Allow clipboard for these sites' Is Configured (Manual) ..... 233
4.2.4 (L1) Ensure 'Block clipboard on these sites' Is Configured (Manual) ..... 235
4.2.5 (L1) Ensure 'Default clipboard setting' Is 'Enabled' to 'Deny Permissions' (Automated) ..... 237
4.2.6 (L2) Ensure 'Default Window Management permissions setting' Is 'Enabled' to 'Deny Permission' (Automated) ..... 239
4.2.7 (L2) Ensure 'Allow Window Management permission on these sites' Is Configured (Manual) ..... 241
4.2.8 (L2) Ensure 'Block Window Management permission on these sites' Is Configured (Manual) ..... 243
4.3 (L2) Ensure 'Allow invocation of file selection dialogs' is set to 'Disabled' (Automated) ..... 245
4.4 (L2) Ensure 'Allow or deny audio capture' is set to 'Disabled' (Automated) ..... 247
4.5 (L2) Ensure 'Allow or deny video capture' is set to 'Disabled' (Automated) ..... 249
4.6 (L1) Ensure 'Allow user feedback' is set to 'Disabled' (Automated) ..... 251
4.7 (L2) Ensure 'Controls the mode of DNS-over-HTTPS' is set to 'Enabled: DNS-over-HTTPS without insecure fallback' (Automated) ..... 253
4.8 (L2) Ensure 'Enable AutoFill for addresses' is set to 'Disabled' (Automated) ..... 255
4.9 (L1) Ensure 'Enable AutoFill for credit cards' is set to 'Disabled' (Automated) ..... 257
4.10 (L1) Ensure 'Import saved passwords from default browser on first run' is set to 'Disabled' (Automated) ..... 259
4.11 (L1) Ensure 'List of types that should be excluded from synchronization' is set to 'Enabled: passwords' (Automated) ..... 261
4.12 (L2) Ensure 'Allow or deny screen capture' is set to 'Disabled' (Automated) ..... 263
5 Forensics (Post Incident) ..... 265
5.1 (L2) Ensure 'Enable guest mode in browser' is set to 'Disabled' (Automated) ..... 266
5.2 (L2) Ensure 'Incognito mode availability' is set to 'Enabled: Incognito mode disabled' (Automated) ..... 268
5.3 (L1) Ensure 'Set disk cache size, in bytes' is set to 'Enabled: 250609664' (Automated) ..... 270
Appendix: Summary Table ..... 272
Appendix: CIS Controls v7 IG 1 Mapped Recommendations ..... 283
Appendix: CIS Controls v7 IG 2 Mapped Recommendations ..... 285
Appendix: CIS Controls v7 IG 3 Mapped Recommendations ..... 290

Appendix: CIS Controls v7 Unmapped Recommendations ..... 296
Appendix: CIS Controls v8 IG 1 Mapped Recommendations ..... 297
Appendix: CIS Controls v8 IG 2 Mapped Recommendations ..... 301
Appendix: CIS Controls v8 IG 3 Mapped Recommendations ..... 307
Appendix: CIS Controls v8 Unmapped Recommendations ..... 313
Appendix: Change History ..... 314

Overview
All CIS Benchmarks focus on technical configuration settings used to maintain and/or
increase the security of the addressed technology, and they should be used in
conjunction with other essential cyber hygiene tasks like:
• Monitoring the base operating system for vulnerabilities and quickly updating with
the latest security patches
• Monitoring applications and libraries for vulnerabilities and quickly updating with
the latest security patches

In the end, the CIS Benchmarks are designed as a key component of a comprehensive
cybersecurity program.

This document provides prescriptive guidance for establishing a secure configuration posture for the Google Chrome browser. This guide was tested against Google Chrome v120. To obtain the latest version of this guide, please visit http://benchmarks.cisecurity.org. If you have questions, comments, or have identified ways to improve this guide, please write us at [email protected].
IMPORTANT NOTE: This Benchmark assumes the installation of the Google Chrome
and Google Update ADMX/ADML templates into the Active Directory policy store for the
domain(s) of interest. These can be obtained at the following web locations:


Chrome

Google Update

--- USAGE NOTES ---

Some helpful guidance on using this Benchmark.

Recommendation Order

This Benchmark has high-level sections based on various security-related concerns
(Enforced Defaults, Privacy, etc.). Within each of these major sections the
recommendations are ordered alphabetically and are grouped in the relevant sub-section
where the setting is located in the Google Chrome GPO, as shown in the Microsoft Group
Policy Management Editor when the GPO is sorted alphabetically by setting (click the
Setting column in the right pane of the Microsoft Group Policy Management Editor).

Enforced Defaults

Many of the settings specified in this Benchmark are also the default settings for the
browser. These are specified for the following reasons:

1. The default (Unset) setting may have the same effect as what is prescribed, but
they allow the user to change these settings at any time. Actually configuring the
browser setting to the prescribed value will prevent the user from changing it.
2. Many organizations want the ability to scan systems for Benchmark compliance
and configuration drift using CIS (CIS-CAT) or CIS certified third party tools (CIS
Vendor Partners). Having these settings specified in the Benchmark allows for
this.

Viewing the Resulting "Policies" in Chrome

This benchmark is designed to use Windows Group Policy on a domain-joined system
to set the appropriate Windows registry values that pertain to Google Chrome. In the
end, these settings change the internal "policy" configuration of Google Chrome. These
"Policy" settings can be viewed in Google Chrome by typing chrome://policy/ into the
Google Chrome address box.

Intended Audience
The Google Chrome CIS Benchmarks are written for Microsoft Windows Active
Directory domain-joined systems using Group Policy, not standalone/workgroup
systems. Adjustments/tailoring to some recommendations will be needed to maintain
functionality if attempting to implement CIS hardening on standalone systems.

Consensus Guidance
This CIS Benchmark was created using a consensus review process comprised of a
global community of subject matter experts. The process combines real world
experience with data-based information to create technology specific guidance to assist
users to secure their environments. Consensus participants provide perspective from a
diverse set of backgrounds including consulting, software development, audit and
compliance, security research, operations, government, and legal.
Each CIS Benchmark undergoes two phases of consensus review. The first phase
occurs during initial Benchmark development. During this phase, subject matter experts
convene to discuss, create, and test working drafts of the Benchmark. This discussion
occurs until consensus has been reached on Benchmark recommendations. The
second phase begins after the Benchmark has been published. During this phase, all
feedback provided by the Internet community is reviewed by the consensus team for
incorporation in the Benchmark. If you are interested in participating in the consensus
process, please visit https://workbench.cisecurity.org/.

Typographical Conventions
The following typographical conventions are used throughout this guide:

Convention | Meaning
Stylized Monospace font | Used for blocks of code, command, and script examples. Text should be interpreted exactly as presented.
Monospace font | Used for inline code, commands, or examples. Text should be interpreted exactly as presented.
<italic font in brackets> | Italic texts set in angle brackets denote a variable requiring substitution for a real value.
Italic font | Used to denote the title of a book, article, or other publication.
Note | Additional information or caveats

Recommendation Definitions
The following defines the various components included in a CIS recommendation as
applicable. If any of the components are not applicable it will be noted or the
component will not be included in the recommendation.

Title
Concise description for the recommendation's intended configuration.

Assessment Status
An assessment status is included for every recommendation. The assessment status
indicates whether the given recommendation can be automated or requires manual
steps to implement. Both statuses are equally important and are determined and
supported as defined below:

Automated
Represents recommendations for which assessment of a technical control can be fully
automated and validated to a pass/fail state. Recommendations will include the
necessary information to implement automation.

Manual
Represents recommendations for which assessment of a technical control cannot be
fully automated and requires all or some manual steps to validate that the configured
state is set as expected. The expected state can vary depending on the environment.

Profile
A collection of recommendations for securing a technology or a supporting platform.
Most benchmarks include at least a Level 1 and Level 2 Profile. Level 2 extends Level 1
recommendations and is not a standalone profile. The Profile Definitions section in the
benchmark provides the definitions as they pertain to the recommendations included for
the technology.

Description
Detailed information pertaining to the setting with which the recommendation is
concerned. In some cases, the description will include the recommended value.

Rationale Statement
Detailed reasoning for the recommendation to provide the user a clear and concise
understanding on the importance of the recommendation.

Impact Statement
Any security, functionality, or operational consequences that can result from following
the recommendation.

Audit Procedure
Systematic instructions for determining if the target system complies with the
recommendation.

Remediation Procedure
Systematic instructions for applying recommendations to the target system to bring it
into compliance according to the recommendation.

Default Value
Default value for the given setting in this recommendation, if known. If not known, either
not configured or not defined will be applied.

References
Additional documentation relative to the recommendation.

CIS Critical Security Controls® (CIS Controls®)
The mapping between a recommendation and the CIS Controls is organized by CIS
Controls version, Safeguard, and Implementation Group (IG). The Benchmark in its
entirety addresses the CIS Controls safeguards of (v7) "5.1 - Establish Secure
Configurations" and (v8) "4.1 - Establish and Maintain a Secure Configuration Process",
so individual recommendations will not be mapped to these safeguards.

Additional Information
Supplementary information that does not correspond to any other field but may be
useful to the user.

Profile Definitions
The following configuration profiles are defined by this Benchmark:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Items in this profile intend to:

o be the starting baseline for most organizations;
o be practical and prudent;
o provide a clear security benefit; and
o not inhibit the utility of the technology beyond acceptable means.

• Level 2 (L2) - High Security/Sensitive Data Environment (limited functionality)

This profile extends the "Level 1 (L1)" profile. Items in this profile exhibit one or
more of the following characteristics:

o are intended for environments or use cases where security is more critical
than manageability and usability;
o may negatively inhibit the utility or performance of the technology; and
o limit the ability of remote management/access.

Note: Implementation of Level 2 requires that both Level 1 and Level 2 settings
are applied.

Acknowledgements
This Benchmark exemplifies the great things a community of users, vendors, and
subject matter experts can accomplish through consensus collaboration. The CIS
community thanks the entire consensus team with special recognition to the following
individuals who contributed greatly to the creation of this guide:

Contributor
Jordan Rakoske
Brian Howson
Johannes Goerlich, Siemens AG
Fletcher Oliver
Adrian Clark
Joe Goerlich, Siemens AG
Patrick Stoeckle, Siemens AG
John Mahlman
Joseph Musso
Loren Hudziak
Daniel Christopher
Kari Byrd

Editor
Phil White, Center for Internet Security, New York
Edward Byrd, Center for Internet Security, New York
Josh Franklin

Recommendations
1 Enforced Defaults
This section contains recommendations that are configured by default when you install
Google Chrome. Enforcing these settings at an enterprise level can prevent these
settings from changing to a less secure option.

1.1 HTTP authentication

1.1.1 (L1) Ensure 'Cross-origin HTTP Authentication prompts' is
set to 'Disabled' (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
This setting controls whether third-party sub-content can open an HTTP Basic Auth
dialog; it is typically disabled.
The recommended state for this setting is: Disabled (0)

Rationale:
This setting is typically disabled to help combat phishing attempts.
Impact:
None - This is the default behavior.

Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 0:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:AllowCrossOriginAuthPrompt

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Disabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\HTTP authentication\Cross-origin HTTP Authentication prompts

Default Value:
Unset (Same as Disabled, but user can change)
References:

1. https://chromeenterprise.google/policies/#AllowCrossOriginAuthPrompt

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 0.0 Explicitly Not Mapped | | |
v7 | 0.0 Explicitly Not Mapped | | |

1.2 Safe Browsing settings

1.2.1 (L1) Ensure 'Configure the list of domains on which Safe
Browsing will not trigger warnings' is set to 'Disabled' (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
The setting determines the functionality of Safe Browsing.

• Disabled (0): Safe Browsing protection applies to all resources.
• Enabled (1), with a list of 1 or more sites: Safe Browsing will trust the
domains you designate. It won't check them for dangerous resources such as
phishing, malware, or unwanted software.

The recommended state for this setting is: Disabled (0)

NOTE: Safe Browsing's download protection service won't check downloads hosted on
these domains, and its password protection service won't check for password reuse.

Rationale:
Google Safe Browsing helps protect users from a variety of malicious and fraudulent
sites and from downloading dangerous files.
Impact:
None - This is the default behavior.
NOTE: The only real impact is possible user annoyance if they are going to a legitimate
site that is falsely considered fraudulent (a rare occurrence). This can be handled by
adding the site to the allowlist and/or notifying Google of the false finding.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This registry path will not exist if it is set to Disabled:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\SafeBrowsingAllowlistDomains\

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Disabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Safe Browsing settings\Configure the list of domains on which Safe
Browsing will not trigger warnings.

Default Value:
Unset (Same as Disabled, but user can change)

References:

1. https://chromeenterprise.google/policies/#SafeBrowsingAllowlistDomains
2. https://safebrowsing.google.com/

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 9.3 Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets. | | ● | ●
v7 | 7.4 Maintain and Enforce Network-Based URL Filters: Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not. | | ● | ●

1.2.2 (L1) Ensure 'Safe Browsing Protection Level' is set to
'Enabled: Safe Browsing is active in the standard mode.' or higher
(Manual)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
Control whether Google Chrome's Safe Browsing feature is enabled and the mode in
which it operates. If you set this setting as mandatory, users cannot change or override
the Safe Browsing setting in Google Chrome.
If this setting is left not set, Safe Browsing will operate in Standard Protection mode but
users can change this setting.

• No Protection (0): Safe Browsing is never active.
• Standard Protection (1): Safe Browsing is active in the standard mode.
• Enhanced Protection (2): Safe Browsing is active in the enhanced mode. This
mode provides better security, but requires sharing more browsing information
with Google.

The recommended state for this setting is: Safe Browsing is active in the standard
mode. (1) or higher

Rationale:
Google Safe Browsing will help protect users from a variety of malicious and fraudulent
sites, or from downloading dangerous files.
NOTE: Google recommends using Enhanced Safe Browsing Mode (2). Turning on
Enhanced Safe Browsing will substantially increase protection from dangerous websites
and downloads, but will share more data with Google.
For more details, please refer to the items in the References section below.
Impact:
None - This is the default behavior (Standard Protection).

Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 1 or 2:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:SafeBrowsingProtectionLevel

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled: Safe Browsing is active in the standard mode. (or higher):
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Safe Browsing settings\Safe Browsing Protection Level

Default Value:
Unset (Same as Standard Protection, but user can change)

References:

1. https://chromeenterprise.google/policies/#SafeBrowsingProtectionLevel
2. https://security.googleblog.com/2020/05/enhanced-safe-browsing-protection-now.html
3. https://security.googleblog.com/2021/06/new-protections-for-enhanced-safe.html
4. https://developers.google.com/safe-browsing?_ga=2.65351149.274800631.1631808382-2031399475.1630502681

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 9.3 Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets. | | ● | ●
v7 | 7.4 Maintain and Enforce Network-Based URL Filters: Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not. | | ● | ●

1.3 (L1) Ensure 'Allow Google Cast to connect to Cast devices on
all IP addresses' is set to 'Disabled' (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
This setting controls whether Google Cast is able to connect to all IP addresses or only
to private IP addresses as defined in RFC 1918 (IPv4) and RFC 4193 (IPv6). Note that if
the EnableMediaRouter setting is set to Disabled, this setting has no effect.
The recommended state for this setting is: Disabled (0)

Rationale:
Allowing Google Cast to connect to public IP addresses could allow media and other
potentially sensitive data to be exposed to the public. Disabling this setting ensures
that Google Cast is only able to connect to private (i.e. internal) IP addresses.
Impact:
None - This is the default behavior.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 0:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:MediaRouterCastAllowAllIPs

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Disabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Google Cast\Allow Google Cast to connect to Cast devices on all IP
addresses.

Default Value:
Unset (Same as Disabled, but user can change)
References:

1. https://chromeenterprise.google/policies/#MediaRouterCastAllowAllIPs

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 4.8 Uninstall or Disable Unnecessary Services on Enterprise Assets and Software: Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function. | | ● | ●
v7 | 9.2 Ensure Only Approved Ports, Protocols and Services Are Running: Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. | | ● | ●

1.4 (L1) Ensure 'Allow queries to a Google time service' is set to
'Enabled' (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
This setting controls whether Google Chrome can send queries to a Google time
service for accurate timestamps. This check helps in validation of certificates.
The recommended state for this setting is: Enabled (1)

Rationale:
Google Chrome queries a trusted external network time service at random intervals to
obtain an accurate time reference. This allows Google Chrome to verify that a
certificate is within its validity period, which is important for certificate validation.

Impact:
None - This is the default behavior.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 1:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:BrowserNetworkTimeQueriesEnabled

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Allow queries to a Google time service

Default Value:
Unset (Same as Enabled, but user can change)

References:

1. https://chromeenterprise.google/policies/#BrowserNetworkTimeQueriesEnabled

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 8.4 Standardize Time Synchronization: Standardize time synchronization. Configure at least two synchronized time sources across enterprise assets, where supported. | | ● | ●
v7 | 6.1 Utilize Three Synchronized Time Sources: Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent. | | ● | ●

1.5 (L1) Ensure 'Allow the audio sandbox to run' is set to
'Enabled' (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
This setting controls whether audio processes in Google Chrome run in a sandbox.
NOTE: Security software setups within your environment might interfere with the
sandbox.
The recommended state for this setting is: Enabled (1)

Rationale:
Running audio processes in a sandbox ensures that, if a website misuses the audio
process, that process is contained and cannot readily be used to manipulate or
exfiltrate data from the system.

Impact:
None - This is the default behavior.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 1:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:AudioSandboxEnabled

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Allow the audio sandbox to run

Default Value:
Unset (Same as Enabled, but user can change)
References:

1. https://chromeenterprise.google/policies/#AudioSandboxEnabled

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 8.3 Ensure Adequate Audit Log Storage: Ensure that logging destinations maintain adequate storage to comply with the enterprise's audit log management process. | ● | ● | ●
v7 | 10.5 Ensure Backups Have At least One Non-Continuously Addressable Destination: Ensure that all backups have at least one backup destination that is not continuously addressable through operating system calls. | ● | ● | ●

1.6 (L1) Ensure 'Ask where to save each file before downloading'
is set to 'Enabled' (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
Google Chrome offers to download files automatically to the default download directory
without prompting.
If this setting is enabled, users are always asked where to save each file before
downloading.
The recommended state for this setting is: Enabled (1)

Rationale:
Prompting for a download location protects users from the drive-by-download threat.

Impact:
None - This is the default behavior.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 1:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:PromptForDownloadLocation

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Ask where to save each file before downloading

Default Value:
Unset (Same as Enabled, but user can change)
References:

1. https://chromeenterprise.google/policies/#PromptForDownloadLocation
2. https://www.ghacks.net/2017/05/18/you-should-disable-automatic-downloads-in-chrome-right-now/

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 0.0 Explicitly Not Mapped | | |
v7 | 0.0 Explicitly Not Mapped | | |

1.7 (L1) Ensure 'Continue running background apps when Google
Chrome is closed' is set to 'Disabled' (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
Chrome allows for processes started while the browser is open to remain running once
the browser has been closed. It also allows for background apps and the current
browsing session to remain active after the browser has been closed.
With this setting Disabled, the browser will close its processes and will stop running
background apps.
The recommended state for this setting is: Disabled (0)

Rationale:
If this setting is enabled, vulnerable or malicious plugins, apps and processes can
continue running even after Chrome has closed.
Impact:
None - This is the default behavior.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 0:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:BackgroundModeEnabled

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Disabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Continue running background apps when Google Chrome is closed

Default Value:
Unset (Same as Disabled, but user can change)
References:

1. https://chromeenterprise.google/policies/#BackgroundModeEnabled

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 4.8 Uninstall or Disable Unnecessary Services on Enterprise Assets and Software: Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function. | | ● | ●
v7 | 9.2 Ensure Only Approved Ports, Protocols and Services Are Running: Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. | | ● | ●

1.8 (L2) Ensure 'Control SafeSites adult content filtering' is set to
'Enabled: Filter top level sites (but not embedded iframes) for
adult content' (Automated)
Profile Applicability:

• Level 2 (L2) - High Security/Sensitive Data Environment (limited functionality)

Description:
Google Chrome can use the Google Safe Search API to classify URLs as pornographic
or not.
The recommended state for this setting is: Enabled with a value of Filter top level
sites (but not embedded iframes) for adult content (1)

Rationale:
Allowing search results to present sites that may have malicious content should be
prohibited to help ensure users do not accidentally visit sites that are more prone to
malicious content including spyware, adware, and viruses.
Impact:
Users' search results will be filtered and content such as adult text, videos, and images
will not be shown.
NOTE: Using Google's Safe Search API may leak information that is typed/pasted by
mistake into the omnibox, e.g. passwords, internal web services, folder structures, etc.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 1:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:SafeSitesFilterBehavior

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled: Filter top level sites (but not embedded iframes) for adult content:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Control SafeSites adult content filtering.

Default Value:
Unset (Same as Enabled with "Do not filter sites for adult content", but user can
change)

References:

1. https://chromeenterprise.google/policies/#SafeSitesFilterBehavior

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 9.3 Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets. | | ● | ●
v7 | 7.4 Maintain and Enforce Network-Based URL Filters: Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not. | | ● | ●

1.9 (L1) Ensure 'Determine the availability of variations' is set to
'Enable all variations' (Manual)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
Configuring this setting allows specifying which variations are allowed to be applied in
Google Chrome. Variations provide a means for Google to offer modifications to Google
Chrome without shipping a new version of the browser by selectively enabling or
disabling already existing features.

• Enable all variations (0): Allows all variations to be applied to the browser
(Default value).
• Enable variations concerning critical fixes only (1): Allows only variations
considered critical security or stability fixes to be applied to Google Chrome.
• Disable all variations (2): Prevent all variations from being applied to the
browser. Please note that this mode can potentially prevent the Google Chrome
developers from providing critical security fixes in a timely manner and is thus not
recommended.

The recommended state for this setting is: Enable all variations (0)
NOTE: Google strongly believes there is no added security benefit in restricting this to
critical fixes only, since leaving all variations enabled increases the stability of the
browser. Disabling variations can also prevent critical security updates from arriving in
a timely manner.
Rationale:
Google strongly recommends leaving this setting at the default (0 = Enable all
variations), so fixes are gradually enabled (or if necessary, rapidly disabled) via the
Chrome Variations framework.
Impact:
None - This is the default behavior.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 0:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:ChromeVariations

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled: Enable all variations:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Determine the availability of variations

Default Value:
Unset (Same as Disabled, but user can change)
References:

1. https://chromeenterprise.google/policies/#ChromeVariations
2. https://support.google.com/chrome/a/answer/9805991?p=Manage_the_Chrome_variations_framework&_ga=2.161804159.274800631.1631808382-2031399475.1630502681&visit_id=637674174853642930-2644817764&rd=1

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 7.4 Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis. | ● | ● | ●
v7 | 3.5 Deploy Automated Software Patch Management Tools: Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor. | ● | ● | ●
v7 | 7.4 Maintain and Enforce Network-Based URL Filters: Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not. | | ● | ●

1.10 (L1) Ensure 'Disable Certificate Transparency enforcement
for a list of Legacy Certificate Authorities' is set to 'Disabled'
(Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
Google Chrome can disable enforcement of Certificate Transparency requirements for
a list of Legacy Certificate Authorities.
If this setting is disabled, certificates that are not publicly disclosed as Certificate
Transparency requires are treated as untrusted.
The recommended state for this setting is: Disabled (0)

Rationale:
Legacy Certificate Authorities shall follow the Certificate Transparency policy.
Impact:
None - This is the default behavior.

Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This registry path will not exist if it is set to Disabled:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForLegacyCas

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Disabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Disable Certificate Transparency enforcement for a list of Legacy
Certificate Authorities

Default Value:
Unset (Same as Disabled, but user can change)
References:

1. https://chromeenterprise.google/policies/#CertificateTransparencyEnforcementDisabledForLegacyCas

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 0.0 Explicitly Not Mapped | | |
v7 | 0.0 Explicitly Not Mapped | | |

1.11 (L1) Ensure 'Disable Certificate Transparency enforcement
for a list of subjectPublicKeyInfo hashes' is set to 'Disabled'
(Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
Google Chrome can exclude certificates by their subjectPublicKeyInfo hashes from
enforcing Certificate Transparency requirements. If this setting is disabled, no
certificates are excluded from Certificate Transparency requirements.
The recommended state for this setting is: Disabled (0)

Rationale:
Certificate Transparency requirements shall be enforced for all certificates.
Impact:
None - This is the default behavior.
Audit:

Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This registry path will not exist if it is set to Disabled:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForCas

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Disabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Disable Certificate Transparency enforcement for a list of
subjectPublicKeyInfo hashes

Default Value:
Unset (Same as Disabled, but user can change)
References:

1. https://chromeenterprise.google/policies/#CertificateTransparencyEnforcementDisabledForCas

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 0.0 Explicitly Not Mapped | | |
v7 | 0.0 Explicitly Not Mapped | | |

1.12 (L1) Ensure 'Disable Certificate Transparency enforcement
for a list of URLs' is set to 'Disabled' (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
Google Chrome can specify URLs/hostnames for which Certificate Transparency will
not be enforced. If this setting is disabled, no URLs are excluded from Certificate
Transparency requirements.
The recommended state for this setting is: Disabled (0)

Rationale:
Certificates that are required to be disclosed via Certificate Transparency shall be
treated for all URLs as untrusted if they are not disclosed according to the Certificate
Transparency policy.
Impact:
None - This is the default behavior.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This registry path will not exist if it is set to Disabled:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls

Remediation:

To establish the recommended configuration via Group Policy, set the following UI path
to Disabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Disable Certificate Transparency enforcement for a list of URLs

Default Value:

Unset (Same as Disabled, but user can change)


References:

1. https://chromeenterprise.google/policies/#CertificateTransparencyEnforcementDisabledForUrls

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 0.0 Explicitly Not Mapped | | |
v7 | 0.0 Explicitly Not Mapped | | |

1.13 (L1) Ensure 'Disable saving browser history' is set to
'Disabled' (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
This setting controls whether Google Chrome is prevented from saving browsing
history. When it is Disabled, Google Chrome saves the browser history.
The recommended state for this setting is: Disabled (0)
NOTE: With this setting Disabled, browsing history is retained and may contain a user's
personal browsing activity. Please make sure that this setting is in compliance with
organizational policies.
Rationale:
Browser history shall be saved as it may contain indicators of compromise.

Impact:
None - This is the default behavior.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 0:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:SavingBrowserHistoryDisabled

Remediation:

To establish the recommended configuration via Group Policy, set the following UI path
to Disabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Disable saving browser history

Default Value:

Unset (Same as Disabled, but user can change).


References:

1. https://chromeenterprise.google/policies/#SavingBrowserHistoryDisabled

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 0.0 Explicitly Not Mapped | | |
v7 | 3.5 Deploy Automated Software Patch Management Tools: Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor. | ● | ● | ●

1.14 (L1) Ensure 'DNS interception checks enabled' is set to
'Enabled' (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
This setting determines whether a local switch is configured for DNS interception
checks. These checks attempt to discover if the browser is behind a proxy that redirects
unknown host names.
The recommended state for this setting is: Enabled (1)
NOTE: This detection might not be necessary in an enterprise environment where the
network configuration is known. It can be disabled to avoid additional DNS and HTTP
traffic on startup and each DNS configuration change.

Rationale:
Disabling these checks could potentially allow DNS hijacking and poisoning.
Impact:
None - This is the default behavior.
Audit:

Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 1:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:DNSInterceptionChecksEnabled

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\DNS interception checks enabled

Default Value:
Unset (Same as Enabled, but user can change)
References:

1. https://chromeenterprise.google/policies/#DNSInterceptionChecksEnabled

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 7.7 Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process. | | ● | ●
v7 | 4.9 Log and Alert on Unsuccessful Administrative Account Login: Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account. | | ● | ●

1.15 (L1) Ensure 'Enable component updates in Google Chrome'
is set to 'Enabled' (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
Google Chrome's Component Updater updates several components of Google Chrome
on a regular basis (applies only to Chrome browser components).
The recommended state for this setting is: Enabled (1)
NOTE: Updates to any component that does not contain executable code, does not
significantly alter the behavior of the browser, or is critical for its security are not
disabled by this setting (e.g. certificate revocation lists and Safe Browsing data are
updated regardless of this setting). chrome://components lists all components, but it
does not indicate whether they are affected by this setting.
NOTE: Google provided the following list of "some of the components" controlled by
this setting:

• Recovery component
• Pnacl
• Floc
• Optimization hints
• SSL error assistant
• CRL set
• Origin trials
• SW reporter
• PKI metadata

Rationale:
Google Chrome Updater shall be used to keep the components bundled with Chrome
up-to-date.
Impact:

None - This is the default behavior.

Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 1:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:ComponentUpdatesEnabled

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Enable component updates in Google Chrome

Default Value:
Unset (Same as Enabled, but user can change)
References:

1. https://chromeenterprise.google/policies/#ComponentUpdatesEnabled

Additional Information:
To check the current components versions, navigate to chrome://components.

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 7.4 Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis. | ● | ● | ●
v7 | 3.5 Deploy Automated Software Patch Management Tools: Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor. | ● | ● | ●

1.16 (L1) Ensure 'Enable globally scoped HTTP auth cache' is set
to 'Disabled' (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
This setting controls whether HTTP auth credentials may be automatically used in the
context of another web site visited in Google Chrome.
The recommended state for this setting is: Disabled (0)
NOTE: This setting is intended to give enterprises depending on the legacy behavior a
chance to update their login procedures and will be removed in the future.
Rationale:
Allowing HTTP auth credentials to be shared without the user's consent could lead to a
user sharing sensitive information without their knowledge. Enabling this setting could
also lead to some types of cross-site attacks that would allow users to be tracked
across sites without the use of cookies.
Impact:
None - This is the default behavior.

Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 0:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:GloballyScopeHTTPAuthCacheEnabled

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Disabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Enable globally scoped HTTP auth cache

Default Value:
Unset (Same as Disabled, but user can change)

References:

1. https://chromeenterprise.google/policies/#GloballyScopeHTTPAuthCacheEnabled

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 0.0 Explicitly Not Mapped | | |
v7 | 0.0 Explicitly Not Mapped | | |

1.17 (L1) Ensure 'Enable online OCSP/CRL checks' is set to
'Disabled' (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
Google Chrome can reactivate soft-fail online revocation checks, although they can
provide some benefit in most cases.
If this setting is disabled, insecure online OCSP/CRL checks are no longer performed.
The recommended state for this setting is: Disabled (0)

Rationale:
CRLSets are primarily a means by which Chrome can quickly block certificates in
emergency situations. As a secondary function they can also contain some number of
non-emergency revocations. These latter revocations are obtained by crawling CRLs
published by CAs.
Online (i.e. OCSP and CRL) checks are not, by default, performed by Chrome. The
underlying system certificate library always performs these checks no matter what
Chrome does, so enabling them here is redundant.
Because the online checks are soft-fail, an attacker who can block OCSP traffic causes
the revocation check to pass, so the check cannot be relied upon. Furthermore, the
browser may leak which website is being accessed, and by whom, to CA servers.
Impact:
None - This is the default behavior.

Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 0:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:EnableOnlineRevocationChecks

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Disabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Enable online OCSP/CRL checks

Default Value:
Unset (Same as Disabled, but user can change)
References:

1. https://chromeenterprise.google/policies/#EnableOnlineRevocationChecks
2. https://medium.com/@alexeysamoshkin/how-ssl-certificate-revocation-is-broken-in-practice-af3b63b9cb3
3. https://dev.chromium.org/Home/chromium-security/crlsets

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 0.0 Explicitly Not Mapped | | |
v7 | 0.0 Explicitly Not Mapped | | |

1.18 (L1) Ensure 'Enable security warnings for command-line
flags' is set to 'Enabled' (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
This setting controls whether Google Chrome shows a security warning at launch when
potentially dangerous command-line flags are in use.
The recommended state for this setting is: Enabled (1)

Rationale:
If Google Chrome is being launched with potentially dangerous flags, this information
should be exposed to the user as a warning. If not, the user may be unintentionally
using non-secure settings and be exposed to security flaws.

Impact:
None - This is the default behavior.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 1:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:CommandLineFlagSecurityWarningsEnabled

Remediation:

To establish the recommended configuration via Group Policy, set the following UI path
to Enabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Enable security warnings for command-line flags

Default Value:

Unset (Same as Enabled, but user can change)


References:

1. https://chromeenterprise.google/policies/#CommandLineFlagSecurityWarningsEnabled

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 8.3 Ensure Adequate Audit Log Storage: Ensure that logging destinations maintain adequate storage to comply with the enterprise's audit log management process. | ● | ● | ●
v7 | 7.2 Disable Unnecessary or Unauthorized Browser or Email Client Plugins: Uninstall or disable any unauthorized browser or email client plugins or add-on applications. | | ● | ●

1.19 (L1) Ensure 'Enable third party software injection blocking' is
set to 'Enabled' (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
Google Chrome can prevent third party software from injecting executable code into
Chrome's processes.
The recommended state for this setting is: Enabled (1)

Rationale:
Third party software shall not be able to inject executable code into Chrome's
processes.
Impact:

None - This is the default behavior.


Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 1:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:ThirdPartyBlockingEnabled

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Enable third party software injection blocking

Default Value:
Unset (Same as Enabled, but user can change)
References:

1. https://chromeenterprise.google/policies/#ThirdPartyBlockingEnabled

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 9.2 Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains. | ● | ● | ●
v7 | 10.5 Ensure Backups Have At least One Non-Continuously Addressable Destination: Ensure that all backups have at least one backup destination that is not continuously addressable through operating system calls. | ● | ● | ●

1.20 (L1) Ensure 'Enables managed extensions to use the
Enterprise Hardware Platform API' is set to 'Disabled'
(Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
This setting controls whether extensions installed by enterprise policy are allowed to
use the Enterprise Hardware Platform API.
The recommended state for this setting is: Disabled (0)

Rationale:
It is recommended that this setting is disabled unless otherwise directed by Enterprise
policies.
Impact:
None - This is the default behavior.
Audit:

Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 0:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:EnterpriseHardwarePlatformAPIEnabled

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Disabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Enables managed extensions to use the Enterprise Hardware Platform API

Default Value:
Unset (Same as Disabled, but user can change)
References:

1. https://chromeenterprise.google/policies/#EnterpriseHardwarePlatformAPIEnabled

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 4.8 Uninstall or Disable Unnecessary Services on Enterprise Assets and Software: Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function. | | ● | ●
v7 | 9.2 Ensure Only Approved Ports, Protocols and Services Are Running: Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. | | ● | ●

1.21 (L1) Ensure 'Ephemeral profile' is set to 'Disabled'
(Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
This setting controls whether user profiles are switched to ephemeral mode. In
ephemeral mode, profile data is kept on disk only for the length of the session and is
deleted when the session ends; therefore, no profile data persists on the device.
The recommended state for this setting is: Disabled (0)

Rationale:
Allowing use of ephemeral profiles lets a user use Google Chrome with no data being
retained on the system. Deleting browser data removes information that may be
important to a computer investigation, and investigators such as Computer Forensics
Analysts may then be unable to retrieve information pertinent to the investigation.
Impact:
None - This is the default behavior.
Audit:

Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 0:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:ForceEphemeralProfiles

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Disabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Ephemeral profile

Default Value:

Unset (Same as Disabled, but user can change)


References:

1. https://chromeenterprise.google/policies/#ForceEphemeralProfiles

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 9.2 Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains. | ● | ● | ●
v7 | 4.8 Log and Alert on Changes to Administrative Group Membership: Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges. | | ● | ●

1.22 (L1) Ensure 'Import autofill form data from default browser on
first run' is set to 'Disabled' (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
This setting controls whether users are allowed to import autofill data from other
browsers into Google Chrome.
If this setting is set to Disabled, users are unable to import autofill data during Google
Chrome's first run. This also prevents users from importing that data after Google
Chrome has been set up.
The recommended state for this setting is: Disabled (0)

Rationale:

Allowing autofill data to be imported could potentially allow sensitive data such as
personally identifiable information (PII) from a non-secured source into Google Chrome.
Considering that storage of sensitive data should be handled with care, disabling this
setting is recommended.
Impact:
None - This is the default behavior.

Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 0:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:ImportAutofillFormData

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Disabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Import autofill form data from default browser on first run

Default Value:
Unset (Same as Disabled, but user can change)

References:

1. https://chromeenterprise.google/policies/#ImportAutofillFormData

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 9.2 Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains. | ● | ● | ●
v7 | 4.8 Log and Alert on Changes to Administrative Group Membership: Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges. | | ● | ●

1.23 (L1) Ensure 'Import of homepage from default browser on
first run' is set to 'Disabled' (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
This setting controls whether users are able to import homepage settings from another
browser into Google Chrome, as well as whether homepage settings are imported on
first use.
If this setting is set to Disabled, users are unable to import homepage settings from
other browsers into Google Chrome.
The recommended state for this setting is: Disabled (0)

Rationale:

Having the homepage setting automatically imported or allowing users to import this
setting from another browser into Google Chrome allows for the potential of
compromised settings being imported into Google Chrome.
Impact:
None - This is the default behavior.
Audit:

Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 0:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:ImportHomepage

Remediation:

To establish the recommended configuration via Group Policy, set the following UI path
to Disabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Import of homepage from default browser on first run

Default Value:

Unset (Same as Disabled, but user can change)


References:

1. https://chromeenterprise.google/policies/#ImportHomepage

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 9.2 Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains. | ● | ● | ●
v7 | 4.8 Log and Alert on Changes to Administrative Group Membership: Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges. | | ● | ●

1.24 (L1) Ensure 'Import search engines from default browser on
first run' is set to 'Disabled' (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
This setting controls whether users are able to import search engine settings from
another browser into Google Chrome as well as whether said setting is imported on first
use.
If you set this setting to Disabled users will be unable to perform an import of their
search engine settings from other browsers into Google Chrome.
The recommended state for this setting is: Disabled (0)

Rationale:

Having search engine settings automatically imported or allowing users to import the
settings from another browser into Google Chrome could allow for a malicious search
engine to be set.
Impact:
None - This is the default behavior.
Audit:

Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 0:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:ImportSearchEngine

Remediation:

To establish the recommended configuration via Group Policy, set the following UI path
to Disabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Import search engines from default browser on first run

Default Value:

Unset (Same as Disabled, but user can change)


References:

1. https://chromeenterprise.google/policies/#ImportSearchEngine

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 9.2 Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains. | ● | ● | ●
v7 | 4.8 Log and Alert on Changes to Administrative Group Membership: Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges. | | ● | ●

1.25 (L1) Ensure 'List of names that will bypass the HSTS policy
check' is set to 'Disabled' (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
This setting allows a list of hostnames to be specified that are exempt from the HTTP
Strict Transport Security (HSTS) policy checks that would otherwise upgrade them from
http:// to https://.
The recommended state for this setting is: Disabled (0)

Rationale:
Allowing hostnames to be exempt from HSTS checks could allow for protocol
downgrade attacks and cookie hijackings.

Impact:
None - This is the default behavior.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This registry path will not exist if it is set to Disabled:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\HSTSPolicyBypassList

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Disabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\List of names that will bypass the HSTS policy check

Default Value:
Unset (Same as Disabled, but user can change)
References:

1. https://chromeenterprise.google/policies/#HSTSPolicyBypassList

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 9.3 Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets. | | ● | ●
v7 | 7.4 Maintain and Enforce Network-Based URL Filters: Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not. | | ● | ●

1.26 (L1) Ensure 'Origins or hostname patterns for which
restrictions on insecure origins should not apply' is set to
'Disabled' (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
Google Chrome can use a list of origins (URLs) or hostname patterns (such as
"*.example.com") for which security restrictions on insecure origins will not apply and
are prevented from being labeled as "Not Secure" in the omnibox.
The recommended state for this setting is: Disabled (0)

Rationale:
Insecure contexts shall always be labeled as insecure.
Impact:
None - This is the default behavior.
Audit:

Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This registry path will not exist if it is set to Disabled:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\OverrideSecurityRestrictionsOnInsecureOrigin

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Disabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Origins or hostname patterns for which restrictions on
insecure origins should not apply
Note: The UI path defined in the chrome.adml includes a line break between the on and
the insecure. In some views, the line break is correctly rendered, in others not.

Default Value:
Unset (Same as Disabled, but user can change)

References:

1. https://chromeenterprise.google/policies/#OverrideSecurityRestrictionsOnInsecureOrigin

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 0.0 Explicitly Not Mapped | | |
v7 | 0.0 Explicitly Not Mapped | | |

1.27 (L1) Ensure 'Suppress lookalike domain warnings on
domains' is set to 'Disabled' (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
This setting prevents the display of lookalike URL warnings on the sites listed. These
warnings are typically shown on sites that Google Chrome believes might be trying to
spoof another site with which the user is familiar.

• Disabled (0) or set to an empty list: Warnings may appear on any site the user
visits.
• Enabled (1) and set to one or more domains: No lookalike warning pages will be
shown when the user visits pages on those domains.

The recommended state for this setting is: Disabled (0)

Rationale:
Look-alike domains are intentionally misleading to give users the false impression that
they’re interacting with trusted brands, leading to significant reputation damage,
financial losses, and data compromise for established enterprises.
In addition, this technique is commonly used to host phishing sites, and often leads to
account takeover attacks. Users are prompted to enter their credentials on a fake
website, and scammers take control of their online accounts with little effort to engage in
fraudulent activity.
Impact:
None - This is the default behavior.
NOTE: The only real impact is possible user annoyance if they are going to a legitimate
site that is falsely considered fraudulent (a rare occurrence). This can be handled by
adding the site to the allowlist and/or notifying Google of the false finding.

Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This registry path will not exist if it is set to Disabled:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\LookalikeWarningAllowlistDomains

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Disabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Suppress lookalike domain warnings on domains

Default Value:
Unset (Same as Disabled, but user can change)
References:

1. https://chromeenterprise.google/policies/#LookalikeWarningAllowlistDomains
2. https://safebrowsing.google.com/
3. https://bugs.chromium.org/p/chromium/issues/entry?template=Safety+Tips+Appeals
4. https://krebsonsecurity.com/2018/03/look-alike-domains-and-visual-confusion/
5. https://www.phishlabs.com/blog/the-anatomy-of-a-look-alike-domain-attack/

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 9.3 Maintain and Enforce Network-Based URL Filters | | ● | ●
     Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
v7 | 7.4 Maintain and Enforce Network-Based URL Filters | | ● | ●
     Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not.

1.28 (L1) Ensure 'Suppress the unsupported OS warning' is set to
'Disabled' (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
Google Chrome will show a warning that appears when Google Chrome is running on a
computer or operating system that is no longer supported.
The recommended state for this setting is: Disabled (0)

Rationale:
The user shall be informed if the software in use is no longer supported.
Impact:
None - This is the default behavior.

Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 0:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:SuppressUnsupportedOSWarning

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Disabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Suppress the unsupported OS warning

Default Value:
Unset (Same as Disabled, but user can change)
References:

1. https://chromeenterprise.google/policies/#SuppressUnsupportedOSWarning

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 2.2 Ensure Authorized Software is Currently Supported | ● | ● | ●
     Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise's mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without an exception documentation, designate as unauthorized. Review the software list to verify software support at least monthly, or more frequently.
v7 | 2.2 Ensure Software is Supported by Vendor | ● | ● | ●
     Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.

1.29 (L1) Ensure 'URLs for which local IPs are exposed in
WebRTC ICE candidates' is set to 'Disabled' (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
This setting specifies a list of URLs or patterns for which local IP addresses will be
exposed by WebRTC.
The recommended state for this setting is: Disabled (0)
NOTE: This setting, if Enabled, weakens the protection of local IP addresses; it should
only be Enabled where administrators need it.
Rationale:
Enabling this setting and allowing exposure of IP addresses can allow an attacker to
gather information about the internal network that could potentially be utilized to breach
and traverse a network.
Impact:
None - This is the default behavior.
Audit:

Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting will have no registry value (the key will not exist) if
it is set to Disabled:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\WebRtcLocalIpsAllowedUrls

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Disabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\URLs for which local IPs are exposed in WebRTC ICE candidates

Default Value:

Unset (Same as Disabled, but user can change)


References:

1. https://chromeenterprise.google/policies/#WebRtcLocalIpsAllowedUrls

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 9.2 Use DNS Filtering Services | ● | ● | ●
     Use DNS filtering services on all enterprise assets to block access to known malicious domains.
v7 | 4.8 Log and Alert on Changes to Administrative Group Membership | | ● | ●
     Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.

2 Attack Surface Reduction
This section contains recommendations that help reduce the overall attack surface.
Organizations should review these settings and any potential impacts to ensure they
make sense within the environment since they restrict some browser functionality.

2.1 Update settings (Google section of GPO)

These settings are not in the normal \Google\Google Chrome\ section of the GPO.

2.1.1 (L1) Ensure 'Update policy override' is set to 'Enabled' with
'Always allow updates (recommended)' or 'Automatic silent
updates' specified (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
Google Update manages installation of available Google Chrome updates from Google.
This setting allows administrators to define whether updates are to be applied automatically.
Depending on the business scenario, updates shall be applied periodically or also when the
user checks for updates manually.

• Updates disabled: Never apply updates (0)
• Always allow updates: Updates are always applied when found, either by
periodic update check or by a manual update check (1)
• Manual updates only: Updates are only applied when the user does a manual
update check (2)
• Automatic silent updates only: Updates are only applied when they are found
via the periodic update check (3)

Disabled (0): Google Update handles available updates as specified by "Update policy
override default".
The recommended state for this setting is: Enabled with a value of Always allow
updates (1) or Automatic silent updates (3)

NOTE: This policy is available only on Windows instances that are joined to a
Microsoft® Active Directory® domain.
Rationale:
Software updates shall be applied as soon as they are available since they may include
latest security patches.
Impact:
Latest updates are automatically applied at least periodically.

Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 1 or 3:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Update:Update{8A69D345-D564-463C-AFF1-A69D9E530F96}

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled: Always allow updates (recommended):
Computer Configuration\Policies\Administrative Templates\Google\Google
Update\Applications\Google Chrome\Update policy override

Default Value:
Inherit the value from 'Update policy override default'.

References:

1. https://admx.help/?Category=GoogleUpdate&Policy=Google.Policies.Update::Pol_UpdatePolicyGoogleChrome
2. https://admx.help/?Category=ChromeEnterprise&Policy=Google.Policies.Update::Pol_DefaultUpdatePolicy

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 7.4 Perform Automated Application Patch Management | ● | ● | ●
     Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
v7 | 3.5 Deploy Automated Software Patch Management Tools | ● | ● | ●
     Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.

2.1.2 (L1) Ensure 'Auto-update check period override' is set to
any value except '0' (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
This policy setting configures the minimum number of minutes between automatic
update checks.
The recommended state for this setting is: any value except 0.

Rationale:
Automatic updates can help ensure that the computers in the environment will always
have the most recent critical updates and can decrease the amount of time the system
will remain vulnerable between updates and patches.

Impact:
If using a third-party for patching, an exception to this recommendation will be needed.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to any value except 0.
HKEY_LOCAL_MACHINE\Software\Policies\Google\Update:AutoUpdateCheckPeriodMinutes

Remediation:

To establish the recommended configuration via Group Policy, set the following UI path
to any value except 0:
Computer Configuration\Policies\Administrative Templates\Google\Google
Update\Preferences\Auto-update check period override

Default Value:

1400 (10 hours)


Additional Information:
Ms Edge 3.3.1
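The two Google Update recommendations (2.1.1 and 2.1.2) can be audited from the registry in one pass. The PowerShell below is an added example, not part of the CIS Benchmark or of Google's tooling; it assumes that the 'Update policy override default' policy is stored as the value name UpdateDefault under the same key (the benchmark does not name that value), and it reports an unset check period for review, since Google Update's own default then applies, rather than failing it.

```powershell
# Added audit example for 2.1.1 and 2.1.2; not part of the CIS Benchmark.
# Assumption: the "Update policy override default" policy is stored as the
# value name UpdateDefault under the same key (the benchmark does not name it).

$UpdatePolicyKey = 'HKLM:\SOFTWARE\Policies\Google\Update'
$ChromeAppId     = '{8A69D345-D564-463C-AFF1-A69D9E530F96}'   # Google Chrome app id from 2.1.1

# Meaning of the Update policy values listed in 2.1.1.
$UpdatePolicyNames = @{
    0 = 'Updates disabled'
    1 = 'Always allow updates'
    2 = 'Manual updates only'
    3 = 'Automatic silent updates only'
}
$CompliantUpdatePolicies = @(1, 3)

function Get-RegistryDword {
    # Returns the named value, or $null when the key or the value does not exist.
    param([string]$Key, [string]$Name)
    try {
        (Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

function Test-GoogleUpdatePolicy {
    # 2.1.1: the per-application override wins; when it is unset Google Update
    # inherits "Update policy override default", so audit that value instead.
    $value  = Get-RegistryDword -Key $UpdatePolicyKey -Name "Update$ChromeAppId"
    $source = 'Update policy override (Google Chrome)'
    if ($null -eq $value) {
        $value  = Get-RegistryDword -Key $UpdatePolicyKey -Name 'UpdateDefault'
        $source = 'Update policy override default (inherited)'
    }
    if ($null -eq $value) {
        $label = 'Not configured'
    } elseif ($UpdatePolicyNames.ContainsKey([int]$value)) {
        $label = "$value ($($UpdatePolicyNames[[int]$value]))"
    } else {
        $label = "$value (unknown value)"
    }
    [pscustomobject]@{
        Item    = '2.1.1'
        Setting = $source
        Value   = $label
        Status  = if ($CompliantUpdatePolicies -contains $value) { 'PASS' } else { 'FAIL' }
    }

    # 2.1.2: any value except 0 is acceptable, because 0 disables the periodic
    # check. An unset value means Google Update's built-in period applies, so it
    # is reported for review rather than failed.
    $period = Get-RegistryDword -Key $UpdatePolicyKey -Name 'AutoUpdateCheckPeriodMinutes'
    [pscustomobject]@{
        Item    = '2.1.2'
        Setting = 'Auto-update check period override'
        Value   = if ($null -eq $period) { 'Not configured (Google Update default applies)' } else { "$period minutes" }
        Status  = if ($null -eq $period) { 'REVIEW' } elseif ($period -ne 0) { 'PASS' } else { 'FAIL' }
    }
}

Test-GoogleUpdatePolicy | Format-Table -AutoSize -Wrap
```

Reading HKEY_LOCAL_MACHINE policy values does not require elevation, so the audit can run from a standard user session; the Setting column shows whether the result came from the Chrome-specific override or was inherited from the default policy, which is the distinction an auditor needs when the per-application value is absent.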

2.2 Content settings

2.2.1 (L1) Ensure 'Control use of insecure content exceptions' is
set to 'Enabled: Do not allow any site to load mixed content'
(Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
This setting controls whether users can add exceptions to allow mixed content for specific
sites.

• Do not allow any site to load mixed content (2)
• Allow users to add exceptions to allow mixed content (3)

The recommended state for this setting is: Enabled with the value of Do not allow any
site to load mixed content (2)

NOTE: This policy can be overridden for specific URL patterns using the
InsecureContentAllowedForUrls and InsecureContentBlockedForUrls policies.
Rationale:
Allowing mixed (secure / insecure) content from a site can lead to malicious content
being loaded. Mixed content occurs if the initial request is secure over HTTPS, but
HTTPS and HTTP content is subsequently loaded to display the web page. HTTPS
content is secure. HTTP content is insecure.
Impact:
Users will not be able to add exceptions that allow a site to load mixed content.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 2:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:DefaultInsecureContentSetting

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled: Do not allow any site to load mixed content:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Content Settings\Control use of insecure content exceptions

Default Value:
Unset (Same as Enabled: Allow users to add exceptions to allow mixed content, but
user can change)

References:

1. https://chromeenterprise.google/policies/#DefaultInsecureContentSetting

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 9.3 Maintain and Enforce Network-Based URL Filters | | ● | ●
     Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
v7 | 7.5 Subscribe to URL-Categorization service | | ● | ●
     Subscribe to URL categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default.

2.2.2 (L2) Ensure 'Control use of the Web Bluetooth API' is set to
'Enabled: Do not allow any site to request access to Bluetooth
devices via the Web Bluetooth API' (Automated)
Profile Applicability:

• Level 2 (L2) - High Security/Sensitive Data Environment (limited functionality)

Description:
Google Chrome has an API which allows access to nearby Bluetooth devices from
the browser with the user's consent.

• Do not allow any site to request access to Bluetooth devices via the
Web Bluetooth API (2)
• Allow sites to ask the user to grant access to a nearby Bluetooth
device (3)

The recommended state for this setting is: Enabled with a value of Do not allow any
site to request access to Bluetooth devices via the Web Bluetooth API (2)

Rationale:
A malicious website could exploit a vulnerable Bluetooth device.
Impact:

If this setting is configured, websites can no longer access nearby Bluetooth devices via
the API (this includes web cameras, headphones, and other Bluetooth devices) and the
user will never be asked.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 2:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:DefaultWebBluetoothGuardSetting

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled: Do not allow any site to request access to Bluetooth devices via
the Web Bluetooth API:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Content Settings\Control use of the Web Bluetooth API

Default Value:
Unset (Same as Enabled: Allow sites to ask the user to grant access to a nearby
Bluetooth device, but user can change)

References:

1. https://chromeenterprise.google/policies/#DefaultWebBluetoothGuardSetting
2. https://webbluetoothcg.github.io/web-bluetooth/use-cases.html#security_privacy

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 4.8 Uninstall or Disable Unnecessary Services on Enterprise Assets and Software | | ● | ●
     Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.
v7 | 15.9 Disable Wireless Peripheral Access of Devices | | ● | ●
     Disable wireless peripheral access of devices (such as Bluetooth and NFC), unless such access is required for a business purpose.

2.2.3 (L2) Ensure 'Control use of the WebUSB API' is set to
'Enabled: Do not allow any site to request access to USB devices
via the WebUSB API' (Automated)
Profile Applicability:

• Level 2 (L2) - High Security/Sensitive Data Environment (limited functionality)

Description:
Google Chrome has an API which allows access to connected USB devices from the
browser.

• Do not allow any site to request access to USB devices via the WebUSB
API (2)
• Allow sites to ask the user to grant access to a connected USB device
(3)

The recommended state for this setting is: Enabled with a value of Do not allow any
site to request access to USB devices via the WebUSB API (2)

Rationale:
WebUSB opens the door to sophisticated phishing attacks that could bypass
hardware-based two-factor authentication devices (e.g. YubiKey devices).
Impact:
If this setting is configured, websites can no longer access connected USB devices via
the API (this includes web cameras, headphones, and other USB devices) which could
also prevent some two factor authentication (2FA) USB devices from working properly.

Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 2:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:DefaultWebUsbGuardSetting

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled: Do not allow any site to request access to USB devices via the
WebUSB API:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Content Settings\Control use of the WebUSB API

Default Value:
Unset (Same as Enabled: Allow sites to ask the user to grant access to a connected
USB device, but user can change)

References:

1. https://chromeenterprise.google/policies/#DefaultWebUsbGuardSetting
2. https://www.wired.com/story/chrome-yubikey-phishing-webusb/

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 4.8 Uninstall or Disable Unnecessary Services on Enterprise Assets and Software | | ● | ●
     Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.
v7 | 13.7 Manage USB Devices | | ● | ●
     If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained.

2.2.4 (L2) Ensure 'Default notification setting' is set to 'Enabled:
Do not allow any site to show desktop notifications' (Automated)
Profile Applicability:

• Level 2 (L2) - High Security/Sensitive Data Environment (limited functionality)

Description:
Google Chrome offers websites the ability to display desktop notifications. These are
push messages which are sent from the website operator through Google infrastructure
to Chrome.

• Allow sites to show desktop notifications (1)
• Do not allow any site to show desktop notifications (2)
• Ask every time a site wants to show desktop notifications (3)

The recommended state for this setting is: Enabled with a value of Do not allow any
site to show desktop notifications (2)

Rationale:
If the website operator decides to send messages unencrypted, Google's servers may
process it as plain text. Furthermore, potentially compromised or faked notifications
might trick users into clicking on a malicious link.
Impact:
If this setting is enabled and set to Do not allow any site to show desktop
notifications, notifications will not be displayed for any sites and the user will not be
asked.
Audit:

Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 2:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:DefaultNotificationsSetting

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled: Do not allow any site to show desktop notifications:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Content Settings\Default notification setting

Default Value:
Unset (Same as Enabled, with 'Ask every time a site wants to show desktop
notifications')

References:

1. https://chromeenterprise.google/policies/#DefaultNotificationsSetting
2. https://www.google.com/chrome/privacy/whitepaper.html#notifications
3. https://medium.com/@BackmaskSWE/push-messages-isnt-secure-enough-69121c683cc6

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 0.0 Explicitly Not Mapped | | |
v7 | 0.0 Explicitly Not Mapped | | |

2.2.5 (L1) Ensure 'Allow local file access to file:// URLs on these
sites in the PDF Viewer' Is Disabled (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
This setting will allow specified URLs to access file:// URLs in the PDF Viewer. By
default, all domains are blocked from accessing file:// URLs in the PDF Viewer.

Rationale:
Blocking all domains, or a restricted list of domains, from opening a downloaded PDF
file blocks the possibility of a malicious file being masked as a PDF. It could also block
unknown or malicious code contained within the PDF that would run on the immediate
opening within a browser tab.

Impact:
Users will be required to open PDF files manually in the PDF Viewer or in the
organization's PDF viewing application.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting will have no registry value (the key will not exist) if
it is set to Disabled:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\PdfLocalFileAccessAllowedForDomains\

Remediation:

To establish the recommended configuration via Group Policy, set the following UI path
to Disabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Content settings\Allow local file access to file:// URLs on these
sites in the PDF Viewer

References:

1. https://chromeenterprise.google/policies/#PdfLocalFileAccessAllowedForDomains

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 14.6 Train Workforce Members on Recognizing and Reporting Security Incidents | ● | ● | ●
     Train workforce members to be able to recognize a potential incident and be able to report such an incident.
v7 | 3.3 Protect Dedicated Assessment Accounts | | ● | ●
     Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses.

2.3 Extensions

2.3.1 (L1) Ensure 'Blocks external extensions from being installed'
is set to 'Enabled' (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
Enabling this setting blocks external extensions (an extension that is not installed from
the Chrome Web Store) from being installed.
The recommended state for this setting is: Enabled (1)

Rationale:
Allowing users to install extensions from other locations (not the Chrome Web Store)
can lead to malicious extensions being installed.
Impact:

Users will only be allowed to install extensions from the Chrome Web Store.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 1:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:BlockExternalExtensions

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Extensions\Blocks external extensions from being installed

Default Value:
Unset (Same as Disabled, but user can change)
References:

1. https://chromeenterprise.google/policies/#BlockExternalExtensions
2. https://developer.chrome.com/docs/extensions/mv2/external_extensions/

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 9.4 Restrict Unnecessary or Unauthorized Browser and Email Client Extensions | | ● | ●
     Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or email client plugins, extensions, and add-on applications.
v7 | 7.2 Disable Unnecessary or Unauthorized Browser or Email Client Plugins | | ● | ●
     Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

2.3.2 (L1) Ensure 'Configure allowed app/extension types' is set
to 'Enabled: extension, hosted_app, platform_app, theme'
(Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
Enabling this setting allows you to specify which app/extension types are allowed.
Disabled (0): Results in no restrictions on the acceptable extension and app types.
The recommended state for this setting is: Enabled with the values of extension,
hosted_app, platform_app, theme.

Rationale:

App or extension types that could be misused or are deprecated shall no longer be
installed.
NOTE: Google has removed support for Chrome Apps which includes the types
hosted_app and platform_app. The blog post indicates that these types will require a
setting to be enabled for continued use through June 2022.

Impact:
Extensions already installed will be removed if their type is denylisted and the extension
itself is not allowlisted.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to extension, hosted_app, platform_app, theme:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionAllowedTypes:

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled: extension, hosted_app, platform_app, theme:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Extensions\Configure allowed app/extension types

Default Value:
Unset (Same as Disabled, but user can change)

References:

1. https://chromeenterprise.google/policies/#ExtensionAllowedTypes
2. https://blog.chromium.org/2020/08/changes-to-chrome-app-support-timeline.html
3. https://chromium.googlesource.com/chromium/src/+/HEAD/extensions/docs/extension_and_app_types.md

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 9.4 Restrict Unnecessary or Unauthorized Browser and Email Client Extensions | | ● | ●
     Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or email client plugins, extensions, and add-on applications.
v7 | 7.2 Disable Unnecessary or Unauthorized Browser or Email Client Plugins | | ● | ●
     Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

2.3.3 (L1) Ensure 'Configure extension installation blocklist' is set
to 'Enabled: *' (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
Enabling this setting allows you to specify which extensions the users can NOT install.
Extensions already installed will be removed if blocklisted.
Disabled (0): then the user can install any extension in Google Chrome.
The recommended state for this setting is: Enabled with a value of *
NOTE: Chrome does offer a more granular permission-based configuration called
Extension management settings if blocklisting all extensions is too aggressive, which
allows an organization to drill down to the exact permissions that they want to lock
down. The extensions management settings require more coordination and effort to
understand what the security requirements are to block site and device permissions
globally as well as more IT management to deploy. The benefit would be allowing
access to more extensions to their end-users. See the link in the References section.
NOTE: If Chrome Cleanup is Disabled, users may want to configure the extension
blocklist instead of using the Extension Management option. Chrome Cleanup can help
protect against malicious extensions when paired with the Extension Management
setting.
Rationale:
This can be used to block extensions that could potentially allow remote control of the
system through the browser. If there are extensions needed for securing the browser or
for enterprise use, these can be enabled by configuring either the setting Configure
extension installation allowlist or the setting Extension management settings.

Impact:
Any installed extension will be removed unless it is specified on the extension allowlist.
If an organization is using any approved password managers, ensure that the extension
is added to the allowlist.

Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to *:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallBlocklist:1

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled and a value of * for Extension IDs the user should be prevented from
installing:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Extensions\Configure extension installation blocklist

Default Value:

Unset (Same as Disabled, and users can change)


References:

1. https://chromeenterprise.google/policies/#ExtensionInstallBlocklist

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 9.4 Restrict Unnecessary or Unauthorized Browser and Email Client Extensions | | ● | ●
     Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or email client plugins, extensions, and add-on applications.
v7 | 7.2 Disable Unnecessary or Unauthorized Browser or Email Client Plugins | | ● | ●
     Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
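All of the list-valued policies in this benchmark are stored the same way in the registry: a subkey under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome whose entries are values named 1, 2, 3 and so on. One audit routine therefore covers both the lists that must be left Disabled, i.e. absent or empty (1.26, 1.27, 1.29 and 2.2.5), and the two lists that must be Enabled with specific contents (2.3.2, an exact set of types, and 2.3.3, which must contain *). The PowerShell below is an added example, not part of the CIS Benchmark or of Google's tooling; it assumes that OverrideSecurityRestrictionsOnInsecureOrigin sits under the same Google\Chrome key as the other policies (the Audit text for 1.26 prints the path without the Google component).

```powershell
# Added audit example for the list-valued Chrome policies in 1.26, 1.27, 1.29,
# 2.2.5, 2.3.2 and 2.3.3; not part of the CIS Benchmark.
# Assumption: OverrideSecurityRestrictionsOnInsecureOrigin is stored under the
# same Google\Chrome key as every other Chrome policy.

$ChromePolicyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

# Benchmark item, list policy, and what the benchmark expects of its contents.
$ListPolicyChecks = @(
    @{ Item = '1.26';  Policy = 'OverrideSecurityRestrictionsOnInsecureOrigin'; Expect = 'Absent' }
    @{ Item = '1.27';  Policy = 'LookalikeWarningAllowlistDomains';             Expect = 'Absent' }
    @{ Item = '1.29';  Policy = 'WebRtcLocalIpsAllowedUrls';                    Expect = 'Absent' }
    @{ Item = '2.2.5'; Policy = 'PdfLocalFileAccessAllowedForDomains';          Expect = 'Absent' }
    @{ Item = '2.3.2'; Policy = 'ExtensionAllowedTypes'; Expect = 'ExactSet'
       Values = @('extension', 'hosted_app', 'platform_app', 'theme') }
    @{ Item = '2.3.3'; Policy = 'ExtensionInstallBlocklist'; Expect = 'Contains'; Values = @('*') }
)

function Get-ChromeListPolicy {
    # Returns the entries of a Chrome list policy in order (value names "1", "2", ...),
    # or an empty array when the subkey does not exist.
    param([Parameter(Mandatory)][string]$Name)
    $path = Join-Path $ChromePolicyKey $Name
    if (-not (Test-Path -LiteralPath $path)) { return @() }
    $key = Get-Item -LiteralPath $path
    $key.GetValueNames() |
        Where-Object { $_ -match '^\d+$' } |
        Sort-Object { [int]$_ } |
        ForEach-Object { [string]$key.GetValue($_) }
}

function Test-ChromeListPolicy {
    foreach ($check in $ListPolicyChecks) {
        $actual = @(Get-ChromeListPolicy -Name $check.Policy)
        $pass = switch ($check.Expect) {
            # Disabled in GPO terms: no subkey, or a subkey with no entries.
            'Absent'   { $actual.Count -eq 0 }
            # Enabled with exactly these entries (order does not matter).
            'ExactSet' { ($actual.Count -eq $check.Values.Count) -and
                         (@($check.Values | Where-Object { $actual -notcontains $_ }).Count -eq 0) }
            # Enabled and every required entry present; extra entries are allowed.
            'Contains' { @($check.Values | Where-Object { $actual -notcontains $_ }).Count -eq 0 }
        }
        [pscustomobject]@{
            Item     = $check.Item
            Policy   = $check.Policy
            Expected = if ($check.Expect -eq 'Absent') { 'no entries' }
                       else { "$($check.Expect): $($check.Values -join ', ')" }
            Actual   = if ($actual.Count -eq 0) { 'no entries' } else { $actual -join ', ' }
            Status   = if ($pass) { 'PASS' } else { 'FAIL' }
        }
    }
}

Test-ChromeListPolicy | Format-Table -AutoSize -Wrap
```

The Actual column lists the exact origins, domains or extension IDs currently configured, which is what an administrator needs in order to tell an approved exception (for example a password manager added to the extension allowlist, as the Impact text for 2.3.3 advises) from drift away from the benchmark.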

2.3.4 (L2) Ensure 'Default third-party storage partitioning setting'
Is Enabled and Blocked (Automated)
Profile Applicability:

• Level 2 (L2) - High Security/Sensitive Data Environment (limited functionality)

Description:
This setting will block any site from accessing the storage session of any other site.
This will block third-party trackers that are embedded on multiple sites from tracking a
user across the sites they visit. Blocking third-party access to the user agent prevents
sites from inferring data about the user from data held by another site.
It can be configured to either:

• Enabled (1): Allow third-party storage partitioning to be enabled.
• Disabled (2): Block third-party storage partitioning from being enabled.

Rationale:
Setting this requires that user agent state needs to be keyed by more than a single
origin or site. It can also defend against timing attacks on web privacy.
Impact:
Enforcing this may cause users to experience issues with sites they regularly visit that
already grant access to third-parties.

Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 2:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:DefaultThirdPartyStoragePartitioningSetting

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled: Block third-party storage partitioning from being enabled:
Computer Configuration\Policies\Administrative Templates\Google\Google Chrome\Content settings\Default third-party storage partitioning setting

Default Value:
Not Configured

References:

1. https://chromeenterprise.google/policies/#DefaultThirdPartyStoragePartitioningSetting
2. https://privacycg.github.io/storage-partitioning/

CIS Controls:

Controls
Version   Control                                                                 IG 1  IG 2  IG 3
v8        14.6 Train Workforce Members on Recognizing and Reporting Security       ●     ●     ●
          Incidents
          Train workforce members to be able to recognize a potential incident and
          be able to report such an incident.
v7        3.3 Protect Dedicated Assessment Accounts                                      ●     ●
          Use a dedicated account for authenticated vulnerability scans, which should
          not be used for any other administrative activities and should be tied to
          specific machines at specific IP addresses.

2.3.5 (L1) Ensure 'Block third-party storage partitioning for these
origins' Is Configured (Manual)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
This setting blocks specific sites your organization selects from accessing the storage
session of any other site. This allows an organization to block third-party trackers
that are embedded on multiple sites from tracking a user across the sites they visit. It
also blocks those sites' third-party access to user agent state, which could otherwise
be used to infer data about the user from another site's data.
Setting the Level 2 recommendation DefaultThirdPartyStoragePartitioningSetting
will block all sites, not just the list set in
ThirdPartyStoragePartitioningBlockedForOrigins.

Rationale:
If your organization does not want to block all third-party sites from accessing the user
agent, you can configure a curated list of sites to block.

Impact:
This might cause the user experience to vary from allowed sites to blocked sites.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location, where
each numbered value holds one origin your organization has chosen to block:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ThirdPartyStoragePartitioningBlockedForOrigins\<number> = <url>
Example:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ThirdPartyStoragePartitioningBlockedForOrigins\1 = https://www.example.com
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ThirdPartyStoragePartitioningBlockedForOrigins\2 = [*.]example.edu
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ThirdPartyStoragePartitioningBlockedForOrigins\3 = https://www.example.net

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled and set Show to the approved URLs:
Computer Configuration\Policies\Administrative Templates\Google\Google Chrome\Content settings\Block third-party storage partitioning for these origins

References:

1. https://chromeenterprise.google/policies/#ThirdPartyStoragePartitioningBlockedForOrigins
2. https://groups.google.com/a/chromium.org/g/blink-dev/c/24hK6DKJnqY?pli=1

CIS Controls:

Controls
Version   Control                                                                 IG 1  IG 2  IG 3
v8        9.2 Use DNS Filtering Services                                           ●     ●     ●
          Use DNS filtering services on all enterprise assets to block access to
          known malicious domains.
v7        4.8 Log and Alert on Changes to Administrative Group Membership                ●     ●
          Configure systems to issue a log entry and alert when an account is added
          to or removed from any group assigned administrative privileges.

2.3.6 (L2) Ensure 'Control Manifest v2 extension availability' Is
Set to Forced Only (Automated)
Profile Applicability:

• Level 2 (L2) - High Security/Sensitive Data Environment (limited functionality)

Description:
This policy setting controls extension management settings for Google Chrome,
specifically Manifest v2 extensions. Manifest v2 is being sunset as Google moves
extensions to Manifest v3, but that rollout is currently postponed.
The policy can be configured to:

• Default (0): Default browser behavior
• Disabled (1): Manifest v2 is disabled
• Enabled (2): Manifest v2 is enabled
• Forced Only (3): Manifest v2 is enabled for forced extensions only

Rationale:

Setting this to Forced Only will not allow users to install any additional v2 extensions,
and all existing, non-forced, v2 extensions will be disabled.
Impact:
Users that use extensions regularly will have a set of them blocked, which will change
their user experience.

Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 3:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:ExtensionManifestV2Availability

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled: Manifest v2 is enabled for forced extensions only:
Computer Configuration\Policies\Administrative Templates\Google\Google Chrome\Extensions\Control Manifest v2 extension availability

References:

1. https://chromeenterprise.google/policies/#ExtensionManifestV2Availability

CIS Controls:

Controls
Version   Control                                                                 IG 1  IG 2  IG 3
v8        7.2 Establish and Maintain a Remediation Process                         ●     ●     ●
          Establish and maintain a risk-based remediation strategy documented in a
          remediation process, with monthly, or more frequent, reviews.
v7        9.4 Apply Host-based Firewalls or Port Filtering                         ●     ●     ●
          Apply host-based firewalls or port filtering tools on end systems, with a
          default-deny rule that drops all traffic except those services and ports
          that are explicitly allowed.

2.3.7 (L1) Ensure 'Control availability of extensions unpublished
on the Chrome Web Store' Is Disabled (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
This policy disables any extensions in Google Chrome that were downloaded from the
Chrome Web Store and have since been unpublished. The policy can be configured to either:

• Enabled (0): Allow unpublished extensions
• Disabled (1): Disable unpublished extensions

If the value for ExtensionUnpublishedAvailability is not changed from the default, it
behaves as if it were Enabled (0).
Note: Off-store extensions such as unpacked extensions installed using developer
mode and extensions installed using the command-line switch are ignored. Force-installed
extensions that are self-hosted are ignored. All version-pinned extensions are also
ignored.
Rationale:
Disabling unpublished extensions will remove the ability to run any extensions that are
no longer being updated or patched.

Impact:
This may disable extensions commonly used by users in your organization.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 1:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:ExtensionUnpublishedAvailability

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled: Disable unpublished extensions:
Computer Configuration\Policies\Administrative Templates\Google\Google Chrome\Extensions\Control availability of extensions unpublished on the Chrome Web Store

Default Value:

Allow unpublished extensions


References:

1. https://chromeenterprise.google/policies/#ExtensionUnpublishedAvailability

CIS Controls:

Controls
Version   Control                                                                 IG 1  IG 2  IG 3
v8        7.2 Establish and Maintain a Remediation Process                         ●     ●     ●
          Establish and maintain a risk-based remediation strategy documented in a
          remediation process, with monthly, or more frequent, reviews.
v7        9.4 Apply Host-based Firewalls or Port Filtering                         ●     ●     ●
          Apply host-based firewalls or port filtering tools on end systems, with a
          default-deny rule that drops all traffic except those services and ports
          that are explicitly allowed.

2.4 HTTP authentication

2.4.1 (L2) Ensure 'Supported authentication schemes' is set to
'Enabled: ntlm, negotiate' (Automated)
Profile Applicability:

• Level 2 (L2) - High Security/Sensitive Data Environment (limited functionality)

Description:
Specifies which HTTP authentication schemes are supported by Google Chrome.
Disabled (0): Allows all supported authentication schemes.
The recommended state for this setting is: Enabled with the value of ntlm, negotiate

Rationale:
Possible values are 'basic', 'digest', 'ntlm' and 'negotiate'. Basic and Digest
authentication do not provide sufficient security and can lead to submission of user
passwords in plaintext or minimal protection (Integrated Authentication is supported for
negotiate and ntlm challenges only).
Impact:
If legacy applications or websites require insecure authentication mechanisms, they
will not work correctly.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to ntlm, negotiate:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:AuthSchemes

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled: ntlm, negotiate:
Computer Configuration\Policies\Administrative Templates\Google\Google Chrome\HTTP Authentication\Supported authentication schemes

Default Value:
Unset (Same as Disabled, but user can change)

References:

1. https://chromeenterprise.google/policies/#AuthSchemes

CIS Controls:

Controls
Version   Control                                                                 IG 1  IG 2  IG 3
v8        3.10 Encrypt Sensitive Data in Transit                                         ●     ●
          Encrypt sensitive data in transit. Example implementations can include:
          Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).
v7        16.5 Encrypt Transmittal of Username and Authentication Credentials            ●     ●
          Ensure that all account usernames and authentication credentials are
          transmitted across networks using encrypted channels.

2.5 Native Messaging

2.5.1 (L2) Ensure 'Configure native messaging blocklist' is set to
'Enabled: *' (Automated)
Profile Applicability:

• Level 2 (L2) - High Security/Sensitive Data Environment (limited functionality)

Description:
Allows you to specify which native messaging hosts should not be loaded.
Disabled (0): Google Chrome will load all installed native messaging hosts.
The recommended state for this setting is: Enabled with a value of *
NOTE: This needs to be handled carefully. If an extension is enabled but cannot
communicate with its backend code, it can behave in unexpected ways, resulting in
helpdesk tickets and support load.
Rationale:

For consistency with Plugin and Extension policies, native messaging should be
blocklisted by default, requiring explicit administrative approval of applications for
allowlisting. An example of an application that uses native messaging is the 1Password
password manager.
Impact:
A blocklist value of '*' means all native messaging hosts are blocklisted unless they are
explicitly listed in the allowlist.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to *:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\NativeMessagingBlocklist:1

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled and add * to Names of the forbidden native messaging hosts:
Computer Configuration\Policies\Administrative Templates\Google\Google Chrome\Native Messaging\Configure native messaging blocklist

Default Value:
Unset (Same as Disabled, and users can change)

References:

1. https://chromeenterprise.google/policies/#NativeMessagingBlocklist

CIS Controls:

Controls
Version   Control                                                                 IG 1  IG 2  IG 3
v8        9.4 Restrict Unnecessary or Unauthorized Browser and Email Client              ●     ●
          Extensions
          Restrict, either through uninstalling or disabling, any unauthorized or
          unnecessary browser or email client plugins, extensions, and add-on
          applications.
v7        7.2 Disable Unnecessary or Unauthorized Browser or Email Client Plugins        ●     ●
          Uninstall or disable any unauthorized browser or email client plugins or
          add-on applications.

2.6 Password manager

2.6.1 (L1) Ensure 'Enable saving passwords to the password
manager' is Explicitly Configured (Manual)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
Google Chrome has a built-in password manager to store passwords for users. Chrome
will use local authentication to allow users to gain access to these passwords.
The recommended state for this setting is: Explicitly set to Enabled (1) or Disabled (0)
based on the organization's needs.
NOTE: If you choose to Enable this setting, please review Disable synchronization of
data with Google and ensure this setting is configured to meet organizational
requirements.
Rationale:

The Google Chrome password manager is Enabled by default and each organization
should review and determine if they want to allow users to store passwords in the
Browser. If another solution is used instead of the built in Chrome option then an
organization should configure the setting to Disabled.

Impact:
Organizationally dependent.
Audit:

Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 0 or 1 (Organization dependent):
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:PasswordManagerEnabled

Remediation:

To establish the recommended configuration via Group Policy, configure the following
setting to meet organizational requirements:
Computer Configuration\Policies\Administrative Templates\Google\Google Chrome\Password manager\Enable saving passwords to the password manager

Default Value:
Unset (Same as Enabled, but user can change)

References:

1. https://chromeenterprise.google/policies/#PasswordManagerEnabled
2. https://www.ncsc.gov.uk/blog-post/what-does-ncsc-think-password-managers
3. https://pages.nist.gov/800-63-3/sp800-63b.html

CIS Controls:

Controls
Version   Control                                                                 IG 1  IG 2  IG 3
v8        9.2 Use DNS Filtering Services                                           ●     ●     ●
          Use DNS filtering services on all enterprise assets to block access to
          known malicious domains.
v7        4.8 Log and Alert on Changes to Administrative Group Membership                ●     ●
          Configure systems to issue a log entry and alert when an account is added
          to or removed from any group assigned administrative privileges.

2.7 Printing

2.7.1 (L1) Ensure 'Enable Google Cloud Print Proxy' is set to
'Disabled' (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
This setting enables Google Chrome to act as a proxy between Google Cloud Print and
legacy printers connected to the machine.
The recommended state for this setting is: Disabled (0)

Rationale:
Disabling this option will prevent users from printing documents from unmanaged
devices to an organization's printer.
Impact:

If this setting is disabled, users cannot enable the proxy, and the machine will not be
allowed to share its local printers with Google Cloud Print.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 0:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:CloudPrintProxyEnabled

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Disabled:
Computer Configuration\Policies\Administrative Templates\Google\Google Chrome\Printing\Enable Google Cloud Print Proxy

Default Value:
Unset (Same as Enabled, but user can change)
References:

1. https://chromeenterprise.google/policies/#CloudPrintProxyEnabled

CIS Controls:

Controls
Version   Control                                                                 IG 1  IG 2  IG 3
v8        4.8 Uninstall or Disable Unnecessary Services on Enterprise Assets and         ●     ●
          Software
          Uninstall or disable unnecessary services on enterprise assets and
          software, such as an unused file sharing service, web application module,
          or service function.
v7        9.2 Ensure Only Approved Ports, Protocols and Services Are Running             ●     ●
          Ensure that only network ports, protocols, and services listening on a
          system with validated business needs, are running on each system.

2.8 Remote access (Chrome Remote Desktop)

This section has recommendations specifically for configuring Chrome Remote Desktop.

2.8.1 (L1) Ensure 'Allow remote access connections to this machine' is
set to 'Disabled' (Manual)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
This is a setting for Chrome Remote Desktop. If this setting is Disabled, the remote
access host service cannot be started or configured to accept incoming connections.

• Disabled (0): Prevent remote access connections to this machine
• Enabled (1): Allow remote access connections to this machine

The recommended state for this setting is: Disabled (0)

Rationale:
Only approved remote access systems should be used.
NOTE: If Chrome Remote Desktop is approved and required for use, then this setting
can be ignored.
Impact:
This setting will disable Chrome Remote Desktop. In general, Chrome Remote Desktop
is not used by most businesses, so disabling it should have no impact.
Audit:

Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 0:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:RemoteAccessHostAllowRemoteAccessConnections

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Disabled:
Computer Configuration\Policies\Administrative Templates\Google\Google Chrome\Remote Access\Allow remote access connections to this machine

Default Value:
Unset (Same as Enabled, but user can change)

References:

1. https://chromeenterprise.google/policies/#RemoteAccessHostAllowRemoteAccessConnections
2. https://remotedesktop.google.com/?pli=1

CIS Controls:

Controls
Version   Control                                                                 IG 1  IG 2  IG 3
v8        13.5 Manage Access Control for Remote Assets                                   ●     ●
          Manage access control for assets remotely connecting to enterprise
          resources. Determine amount of access to enterprise resources based on:
          up-to-date anti-malware software installed, configuration compliance with
          the enterprise’s secure configuration process, and ensuring the operating
          system and applications are up-to-date.
v7        12.12 Manage All Devices Remotely Logging into Internal Network                      ●
          Scan all enterprise devices remotely logging into the organization's
          network prior to accessing the network to ensure that each of the
          organization's security policies has been enforced in the same manner as
          local network devices.

2.8.2 (L1) Ensure 'Allow remote users to interact with elevated
windows in remote assistance sessions' is set to 'Disabled'
(Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
Google Chrome can be set to run the remote assistance host in a process with
uiAccess permissions. This allows remote users to interact with elevated windows on
the local user's desktop.
If this setting is disabled, the remote assistance host will run in the user's context.
Furthermore, remote users cannot interact with elevated windows on the desktop.
The recommended state for this setting is: Disabled (0)

Rationale:
Remote users shall not be able to escalate privileges.
Impact:

None - This is the default behavior.


Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 0:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:RemoteAccessHostAllowUiAccessForRemoteAssistance

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Disabled:
Computer Configuration\Policies\Administrative Templates\Google\Google Chrome\Remote access\Allow remote users to interact with elevated windows in remote assistance sessions

Default Value:

Unset (Same as Disabled, but user can change)

References:

1. https://chromeenterprise.google/policies/#RemoteAccessHostAllowUiAccessForRemoteAssistance

CIS Controls:

Controls
Version   Control                                                                 IG 1  IG 2  IG 3
v8        13.5 Manage Access Control for Remote Assets                                   ●     ●
          Manage access control for assets remotely connecting to enterprise
          resources. Determine amount of access to enterprise resources based on:
          up-to-date anti-malware software installed, configuration compliance with
          the enterprise’s secure configuration process, and ensuring the operating
          system and applications are up-to-date.
v7        12.12 Manage All Devices Remotely Logging into Internal Network                      ●
          Scan all enterprise devices remotely logging into the organization's
          network prior to accessing the network to ensure that each of the
          organization's security policies has been enforced in the same manner as
          local network devices.

2.8.3 (L1) Ensure 'Configure the required domain names for
remote access clients' is set to 'Enabled' with a domain defined
(Manual)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
Chrome allows the configuration of a list of domains that are allowed to access the
user's system. When enabled, remote systems can only connect if they are one of the
specified domains listed.
Setting this to an empty list (Disabled) allows remote systems from any domain to
connect to this user's system.
The recommended state for this setting is: Enabled (1) and at least one domain set
NOTE: The list of domains is organization specific.
Rationale:
Remote assistance connections shall be restricted.

Impact:
If this setting is enabled, only systems from the specified domains can connect to the
user's system.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This registry path will not exist if it is set to Disabled:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\RemoteAccessHostClientDomainList

Remediation:

To establish the recommended configuration via Group Policy, set the following UI path
to Enabled and enter one or more organization-specific domains (e.g. nodomain.local):
Computer Configuration\Policies\Administrative Templates\Google\Google Chrome\Remote access\Configure the required domain names for remote access clients

Default Value:
Unset (Same as Disabled, but user can change)

References:

1. https://chromeenterprise.google/policies/#RemoteAccessHostClientDomainList

CIS Controls:

Controls
Version   Control                                                                 IG 1  IG 2  IG 3
v8        13.5 Manage Access Control for Remote Assets                                   ●     ●
          Manage access control for assets remotely connecting to enterprise
          resources. Determine amount of access to enterprise resources based on:
          up-to-date anti-malware software installed, configuration compliance with
          the enterprise’s secure configuration process, and ensuring the operating
          system and applications are up-to-date.
v7        12.12 Manage All Devices Remotely Logging into Internal Network                      ●
          Scan all enterprise devices remotely logging into the organization's
          network prior to accessing the network to ensure that each of the
          organization's security policies has been enforced in the same manner as
          local network devices.

2.8.4 (L1) Ensure 'Enable curtaining of remote access hosts' is
set to 'Disabled' (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
This setting allows someone physically present at the host machine to see what a user
is doing while a remote connection is in progress.
If this setting is disabled, a host's physical input and output devices are enabled while a
remote connection is in progress.
The recommended state for this setting is: Disabled (0)

Rationale:
If a remote session is in progress, the user physically present at the host machine shall
be able to see what a remote user is doing.
Impact:
None - This is the default behavior.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 0:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:RemoteAccessHostRequireCurtain

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Disabled:
Computer Configuration\Policies\Administrative Templates\Google\Google Chrome\Remote access\Enable curtaining of remote access hosts

Default Value:
Unset (Same as Disabled, but user can change)
References:

1. https://chromeenterprise.google/policies/#RemoteAccessHostRequireCurtain

CIS Controls:

Controls
Version   Control                                                                 IG 1  IG 2  IG 3
v8        13.5 Manage Access Control for Remote Assets                                   ●     ●
          Manage access control for assets remotely connecting to enterprise
          resources. Determine amount of access to enterprise resources based on:
          up-to-date anti-malware software installed, configuration compliance with
          the enterprise’s secure configuration process, and ensuring the operating
          system and applications are up-to-date.
v7        12.12 Manage All Devices Remotely Logging into Internal Network                      ●
          Scan all enterprise devices remotely logging into the organization's
          network prior to accessing the network to ensure that each of the
          organization's security policies has been enforced in the same manner as
          local network devices.

2.8.5 (L1) Ensure 'Enable firewall traversal from remote access
host' is set to 'Disabled' (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
Chrome enables the use of STUN servers, which allows remote clients to discover and
connect to a machine even if they are separated by a firewall. Disabling this feature,
in conjunction with filtering outgoing UDP connections, means the machine will only
allow connections from machines within the local network.
The recommended state for this setting is: Disabled (0)

Rationale:
If this setting is enabled, remote clients can discover and connect to these machines
even if they are separated by a firewall.
Impact:
If this setting is disabled and outgoing UDP connections are filtered by the firewall, this
machine will only allow connections from client machines within the local network.
Audit:

Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 0:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:RemoteAccessHostFirewallTraversal

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Disabled:
Computer Configuration\Policies\Administrative Templates\Google\Google Chrome\Remote access\Enable firewall traversal from remote access host

Default Value:
Unset (Same as Enabled, but user can change)
References:

1. https://chromeenterprise.google/policies/#RemoteAccessHostFirewallTraversal

CIS Controls:

Controls
Version   Control                                                                 IG 1  IG 2  IG 3
v8        13.5 Manage Access Control for Remote Assets                                   ●     ●
          Manage access control for assets remotely connecting to enterprise
          resources. Determine amount of access to enterprise resources based on:
          up-to-date anti-malware software installed, configuration compliance with
          the enterprise’s secure configuration process, and ensuring the operating
          system and applications are up-to-date.
v7        12.12 Manage All Devices Remotely Logging into Internal Network                      ●
          Scan all enterprise devices remotely logging into the organization's
          network prior to accessing the network to ensure that each of the
          organization's security policies has been enforced in the same manner as
          local network devices.

2.8.6 (L1) Ensure 'Enable or disable PIN-less authentication for
remote access hosts' is set to 'Disabled' (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
Chrome allows a user to opt-out of using user-specified PIN authentication and instead
pair clients and hosts during connection time.
The recommended state for this setting is: Disabled (0)

Rationale:
If this setting is enabled, users can opt to pair clients and hosts at connection time,
eliminating the need to enter a PIN every time.
Impact:

If this setting is disabled, users will be required to enter a PIN every time.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 0:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:RemoteAccessHostAllowClientPairing

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Disabled:
Computer Configuration\Policies\Administrative Templates\Google\Google Chrome\Remote access\Enable or disable PIN-less authentication for remote access hosts

Default Value:

Unset (Same as Enabled, but user can change)


References:

1. https://chromeenterprise.google/policies/#RemoteAccessHostAllowClientPairing

CIS Controls:

Controls
Version   Control                                                                 IG 1  IG 2  IG 3
v8        13.5 Manage Access Control for Remote Assets                                   ●     ●
          Manage access control for assets remotely connecting to enterprise
          resources. Determine amount of access to enterprise resources based on:
          up-to-date anti-malware software installed, configuration compliance with
          the enterprise’s secure configuration process, and ensuring the operating
          system and applications are up-to-date.
v7        12.12 Manage All Devices Remotely Logging into Internal Network                      ●
          Scan all enterprise devices remotely logging into the organization's
          network prior to accessing the network to ensure that each of the
          organization's security policies has been enforced in the same manner as
          local network devices.

2.8.7 (L1) Ensure 'Enable the use of relay servers by the remote
access host' is set to 'Disabled' (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
Google Chrome allows the use of relay servers when clients are trying to connect to this
machine and a direct connection is not available.

• Disabled (0): The use of relay servers by the remote access host is not allowed
• Enabled (1): The use of relay servers by the remote access host is allowed

The recommended state for this setting is: Disabled (0)

Rationale:
Relay servers shall not be used to circumvent firewall restrictions.
Impact:

If this setting is disabled, remote clients cannot use relay servers to connect to this
machine.
NOTE: Setting this to Disabled doesn't turn remote access off, but only allows
connections from the same network (not NAT traversal or relay).
Audit:

Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 0:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:RemoteAccessHostAllowRelayedConnection

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Disabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Remote access\Enable the use of relay servers by the remote access
host

Default Value:
Unset (Same as Enabled, but user can change)

References:

1. https://chromeenterprise.google/policies/#RemoteAccessHostAllowRelayedConnection

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 13.5 Manage Access Control for Remote Assets. Manage access control for assets remotely connecting to enterprise resources. Determine amount of access to enterprise resources based on: up-to-date anti-malware software installed, configuration compliance with the enterprise’s secure configuration process, and ensuring the operating system and applications are up-to-date. | | ● | ●
v7 | 12.12 Manage All Devices Remotely Logging into Internal Network. Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices. | | | ●

2.9 First-Party Sets Settings

Controls policies for the First-Party Sets feature.

2.9.1 (L1) Ensure 'Enable First-Party Sets' Is Disabled (Manual)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
This policy controls access to First-Party Sets. First-Party Sets are a way for sites to
declare relationships with each other and enable limited cross-site cookie access for
specific, user-facing purposes. It can be configured to either:

• Disabled (0): Disable First-Party Sets for all affected users
• Enabled (1): Enable First-Party Sets for all affected users

Rationale:
Setting this policy will not allow sites to declare the relationships that allow them to
access the cross-site cookies.
Impact:

This may cause unexpected behavior as a user moves between affiliated sites.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 0:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:FirstPartySetsEnabled

Remediation:
To establish the recommended configuration via GP, set the following UI path to
Disabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Content settings\Enable First-Party Sets

Default Value:
Enabled
References:

1. https://chromeenterprise.google/policies/#FirstPartySetsEnabled

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 8.3 Ensure Adequate Audit Log Storage. Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log management process. | ● | ● | ●
v7 | 0.0 Explicitly Not Mapped. Explicitly Not Mapped | | |

2.10 Microsoft Active Directory Management Settings

2.10.1 (L1) Ensure 'Allow automatic sign-in to Microsoft cloud
identity providers' Is Enabled (Manual)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
This policy setting allows accounts backed by a Microsoft® cloud identity provider (i.e.,
Microsoft Azure Active Directory or the consumer Microsoft account identity provider)
to be signed into web properties using that identity automatically. It can be configured
to either:

• Disabled (0): Disable Microsoft® cloud authentication
• Enabled (1): Enable Microsoft® cloud authentication

If the value for CloudAPAuthEnabled is not changed from the default, it will behave as if it
is disabled.

Rationale:
Enabling this policy setting allows users to use Microsoft Cloud Authentication for any
site that requires CA (Cloud Authentication) and does not require an extension.
Impact:
There should be no impact to the user.

Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 1:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:CloudAPAuthEnabled

Remediation:

To establish the recommended configuration via Group Policy, set the following UI path
to Enabled: Enable Microsoft® cloud authentication:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Microsoft® Active Directory® management settings\Allow automatic sign-
in to Microsoft® cloud identity providers

Default Value:
Unset (Disabled)

References:

1. https://chromeenterprise.google/policies/#CloudAPAuthEnabled

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 9.2 Use DNS Filtering Services. Use DNS filtering services on all enterprise assets to block access to known malicious domains. | ● | ● | ●
v7 | 4.8 Log and Alert on Changes to Administrative Group Membership. Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges. | | ● | ●

2.11 (L1) Ensure 'Allow download restrictions' is set to 'Enabled:
Block malicious downloads' (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
Google Chrome can block certain types of downloads, and won't let users bypass the
security warnings, depending on the classification of Safe Browsing.

• No special restrictions. Default. (0, Disabled)
• Block malicious downloads and dangerous file types. (1)
• Block malicious downloads, uncommon or unwanted downloads and dangerous
file types. (2)
• Block all downloads. (3)
• Block malicious downloads. Recommended. (4)

The recommended state for this setting is: Enabled with a value of Block malicious
downloads. Recommended. (4)

NOTE: These restrictions apply to downloads triggered from webpage content, as well
as the Download link... menu option. They don't apply to the download of the currently
displayed page or to saving as PDF from the printing options.
Rationale:
Users shall be prevented from downloading malicious file types, and shall not be able to
bypass security warnings.
Impact:

If this setting is enabled, all downloads are allowed, except for those that carry Safe
Browsing warnings. These are downloads that have been identified as risky or from a
risky source by the Google Safe Browsing Global intelligence engine.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 4:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:DownloadRestrictions

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled: Block malicious downloads. Recommended.:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Allow download restrictions

Default Value:
Unset (Same as Disabled, but user can change)
References:

1. https://chromeenterprise.google/policies/#DownloadRestrictions
2. https://developers.google.com/safe-browsing

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 8.3 Ensure Adequate Audit Log Storage. Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log management process. | ● | ● | ●
v7 | 10.5 Ensure Backups Have At least One Non-Continuously Addressable Destination. Ensure that all backups have at least one backup destination that is not continuously addressable through operating system calls. | ● | ● | ●

2.12 (L2) Ensure 'Allow proceeding from the SSL warning page' is
set to 'Disabled' (Automated)
Profile Applicability:

• Level 2 (L2) - High Security/Sensitive Data Environment (limited functionality)

Description:
This setting controls whether a user is able to proceed to a webpage when an invalid
SSL certificate warning has occurred.
The recommended state for this setting is: Disabled (0)

Rationale:
Sites protected by SSL should always be recognized as valid in the web browser.
Allowing a user to make the decision as to whether there appears to be an invalid
certificate could open an organization up to users visiting a site that is otherwise not
secure and/or malicious in nature.
Impact:
Users will not be able to click past the invalid certificate error to view the website.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 0:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:SSLErrorOverrideAllowed

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Disabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Allow proceeding from the SSL warning page

Default Value:
Unset (Same as Enabled, but user can change)

References:

1. https://chromeenterprise.google/policies/#SSLErrorOverrideAllowed

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 9.3 Maintain and Enforce Network-Based URL Filters. Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets. | | ● | ●
v7 | 7.4 Maintain and Enforce Network-Based URL Filters. Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not. | | ● | ●

2.13 (L1) Ensure 'Disable proceeding from the Safe Browsing
warning page' is set to 'Enabled' (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
Google provides the Safe Browsing service. It shows a warning page when users
navigate to sites that are flagged as potentially malicious.
Disabled (0): Users can choose to proceed to the flagged site after the warning
appears.
The recommended state for this setting is: Enabled (1)

Rationale:
Malicious web pages are widely spread on the internet and pose the most significant
threat to the user today. Users shall be prevented from navigating to potentially
malicious web content.
Impact:
Enabling this setting prevents users from proceeding anyway from the warning page to
the malicious site. In some cases legitimate sites could be blocked and users would be
prevented from accessing.

Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 1:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:DisableSafeBrowsingProceed
Anyway

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Safe Browsing settings\Disable proceeding from the Safe Browsing
warning page

Default Value:
Unset (Same as Disabled, but user can change)

References:

1. https://chromeenterprise.google/policies/#DisableSafeBrowsingProceedAnyway

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 9.3 Maintain and Enforce Network-Based URL Filters. Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets. | | ● | ●
v7 | 7.4 Maintain and Enforce Network-Based URL Filters. Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not. | | ● | ●

2.14 (L1) Ensure 'Require Site Isolation for every site' is set to
'Enabled' (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
This setting controls if every website will load into its own process.
Disabled (0): Doesn't turn off site isolation, but it lets users opt out.
The recommended state for this setting is: Enabled (1)

Rationale:
Chrome will load each website in its own process. Even if a site bypasses the same-
origin policy, the extra security will help stop the site from stealing your data from
another website.

Impact:
If the policy is enabled, each site will run in its own process which will cause the system
to use more memory. You might want to look at the Enable Site Isolation for
specified origins policy setting to get the best of both worlds – isolation and limited
impact for users – by using Enable Site Isolation for specified origins with a list
of the sites you want to isolate.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 1:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:SitePerProcess

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Require Site Isolation for every site

Default Value:
Unset (Same as Disabled, but user can change)

References:

1. https://chromeenterprise.google/policies/#SitePerProcess
2. https://www.chromium.org/Home/chromium-security/site-isolation

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 8.3 Ensure Adequate Audit Log Storage. Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log management process. | ● | ● | ●
v7 | 10.5 Ensure Backups Have At least One Non-Continuously Addressable Destination. Ensure that all backups have at least one backup destination that is not continuously addressable through operating system calls. | ● | ● | ●

2.15 (L2) Ensure 'Force Google SafeSearch' is set to 'Enabled'
(Automated)
Profile Applicability:

• Level 2 (L2) - High Security/Sensitive Data Environment (limited functionality)

Description:
This setting ensures that web search results with Google are performed with
SafeSearch set to always active. Disabled means SafeSearch in Google Search is not
enforced.
The recommended state for this setting is: Enabled (1)

Rationale:
Allowing search results to present sites that may have malicious content should be
prohibited to help ensure users do not accidentally visit sites that are more prone to
malicious content including spyware, adware, and viruses.
Impact:
Users' search results will be filtered, and content such as adult text, videos and images
will not be shown.
Audit:

Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 1:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:ForceGoogleSafeSearch

Remediation:
To establish the recommended configuration via GP, set the following UI path to
Enabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Force Google SafeSearch

Default Value:
Unset (Same as Disabled, but user can change)

References:

1. https://chromeenterprise.google/policies/#ForceGoogleSafeSearch

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 9.3 Maintain and Enforce Network-Based URL Filters. Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets. | | ● | ●
v7 | 7.4 Maintain and Enforce Network-Based URL Filters. Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not. | | ● | ●

2.16 (L1) Ensure 'Notify a user that a browser relaunch or device
restart is recommended or required' is set to 'Enabled: Show a
recurring prompt to the user indicating that a relaunch is required'
(Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
Google Chrome can notify users that it must be restarted to apply a pending update
once the notification period defined by the recommendation Set the time period for
update notifications is passed.

• Show a recurring prompt to the user indicating that a relaunch is
recommended (1)
• Show a recurring prompt to the user indicating that a relaunch is
required (2)

Disabled: Google Chrome indicates to the user that a relaunch is needed via subtle
changes to its menu.
The recommended state for this setting is: Enabled with a value of Show a recurring
prompt to the user indicating that a relaunch is required (2)

Rationale:
The end-user will receive a notification informing them that an update has been applied
and that the browser must be restarted in order for the update to be completed. Once
updates have been pushed by the organization it is pertinent that the update is applied
as soon as possible. Enabling this notification will ensure that users restart their browser
in a timely fashion.
Impact:

A recurring warning will be shown to the user indicating that a browser relaunch will be
forced once the notification period passes. The user's session is restored after the
relaunch of Google Chrome.

Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 2:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:RelaunchNotification

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled: Show a recurring prompt to the user indicating that a relaunch is
required:

Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Notify a user that a browser relaunch or device restart is recommended
or required

Default Value:
Unset (Same as Disabled, but user can change)

References:

1. https://chromeenterprise.google/policies/#RelaunchNotification

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 7.4 Perform Automated Application Patch Management. Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis. | ● | ● | ●
v7 | 3.5 Deploy Automated Software Patch Management Tools. Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor. | ● | ● | ●

2.17 (L1) Ensure 'Proxy settings' is set to 'Enabled' and does not
contain "ProxyMode": "auto_detect" (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
Google Chrome offers the functionality to configure the proxy settings by automatic
discovery using WPAD (Web Proxy Auto-Discovery Protocol). Setting this configures
the proxy settings for Chrome and ARC-apps, which ignore all proxy-related options
specified from the command line.
Disabled (0): Lets users choose their proxy settings.
The recommended state for this setting is: Enabled and the value of ProxyMode is not set
to auto_detect

Rationale:

Attackers may abuse the WPAD auto-config functionality to supply computers with a
PAC file that specifies a rogue web proxy under their control.
Impact:
If the policy is enabled, the proxy configuration will no longer be discovered using
WPAD.

Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should NOT be set to auto_detect:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:ProxyMode

Remediation:

To establish the recommended configuration via Group Policy, make sure the following
UI path is set to 'Enabled' and the value of ProxyMode is not set to auto_detect:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Proxy settings

Default Value:
Unset (Same as Disabled, and users can change)

References:

1. https://chromeenterprise.google/policies/#ProxySettings
2. http://www.ptsecurity.com/download/wpad_weakness_en.pdf
3. https://www.blackhat.com/us-16/briefings.html#crippling-https-with-unholy-pac

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 13.10 Perform Application Layer Filtering. Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or gateway. | | | ●
v7 | 12.9 Deploy Application Layer Filtering Proxy Server. Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections. | | |

2.18 (L2) Ensure 'Require online OCSP/CRL checks for local trust
anchors' is set to 'Enabled' (Automated)
Profile Applicability:

• Level 2 (L2) - High Security/Sensitive Data Environment (limited functionality)

Description:
Google Chrome performs revocation checking for server certificates that successfully
validate and are signed by locally-installed CA certificates. If Google Chrome is unable
to obtain revocation status information, such certificates will be treated as revoked
('hard-fail').
Disabled: Google Chrome uses existing online revocation-checking settings.
The recommended state for this setting is: Enabled (1)

Rationale:
Certificates shall always be validated.

Impact:
A revocation check will be performed for server certificates that successfully validate
and are signed by locally-installed CA certificates. If the OCSP server goes down, then
this will hard-fail and prevent browsing to those sites.
Audit:

Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 1:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:RequireOnlineRevocationChecksForLocalAnchors

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Require online OCSP/CRL checks for local trust anchors

Default Value:
Unset (Same as Disabled, and users can change)

References:

1. https://chromeenterprise.google/policies/#RequireOnlineRevocationChecksForLocalAnchors

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 0.0 Explicitly Not Mapped. Explicitly Not Mapped | | |
v7 | 0.0 Explicitly Not Mapped. Explicitly Not Mapped | | |

2.19 (L1) Ensure 'Set the time period for update notifications' is
set to 'Enabled: 86400000' (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
Google Chrome allows administrators to set the time period, in milliseconds, over which
users are notified that it must be relaunched to apply a pending update.
If not set, or Disabled, the default period of 604800000 milliseconds (7 days) is used.
The recommended state for this setting is: Enabled with value 86400000 (1 day)

Rationale:
This setting is a notification for the end-user informing them that an update has been
applied and that the browser must be restarted in order for the update to be completed.
Once updates have been pushed by the organization it is pertinent that said update
takes effect as soon as possible. Enabling this notification will ensure users restart the
browser in a timely fashion.
Impact:
After this time period, the user will be repeatedly informed of the need for an update
until a Browser restart is completed.

Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 86400000:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:RelaunchNotificationPeriod

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled: 5265C00 (86400000 in Hexadecimal):
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Set the time period for update notifications

Default Value:
Unset (Same as Disabled, but user can change)

References:

1. https://chromeenterprise.google/policies/#RelaunchNotificationPeriod

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 7.4 Perform Automated Application Patch Management. Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis. | ● | ● | ●
v7 | 3.5 Deploy Automated Software Patch Management Tools. Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor. | ● | ● | ●

2.20 (L1) Ensure 'Allow Web Authentication requests on sites with
broken TLS certificates' Is Disabled (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
This policy setting controls the WebAuthn API and its interaction with sites that have a
broken TLS certificate. It can be configured to either:

• Disabled (0): Do not allow WebAuthn API requests on sites with broken TLS
certificates.
• Enabled (1): Allow WebAuthn API requests on sites with broken TLS
certificates.

If the value for AllowWebAuthnWithBrokenTlsCerts is not changed from the default, it will
behave as if it is disabled.
Rationale:
Setting this policy will block the ability to authenticate to any website that does not have
a valid TLS certificate since the identity of the site cannot be verified.
Impact:

There should be no user impact.


Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 0:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:AllowWebAuthnWithBrokenTls
Certs

Remediation:
To establish the recommended configuration via GP, set the following UI path to
Disabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Allow Web Authentication requests on sites with broken TLS
certificates.

Default Value:
Unset (Disabled)

References:

1. https://chromeenterprise.google/policies/#AllowWebAuthnWithBrokenTlsCerts

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 3.10 Encrypt Sensitive Data in Transit. Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH). | | ● | ●
v8 | 14.4 Train Workforce on Data Handling Best Practices. Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This also includes training workforce members on clear screen and desk best practices, such as locking their screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data and assets securely. | ● | ● | ●

2.21 (L1) Ensure 'Allow reporting of domain reliability related data'
Is Disabled (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
This setting controls whether Google Chrome may report domain reliability related data
to Google. It can be configured to either:

• Disabled (0): Never send domain reliability data to Google
• Enabled (1): Domain Reliability data may be sent to Google depending on
Chrome User Metrics (UMA) policy

If the value for DomainReliabilityAllowed is not changed from the default, it will behave
as if it is enabled.
Rationale:

Setting this policy to disabled can stop any accidental data leakage.
Impact:
There should be no impact on the user.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 0:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:DomainReliabilityAllowed

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Disabled:
Computer Configuration\Policies\Administrative Templates\Google Chrome\Allow
reporting of domain reliability related data

Default Value:
Unset (Enabled)

References:

1. https://chromeenterprise.google/policies/#DomainReliabilityAllowed

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 9.2 Use DNS Filtering Services. Use DNS filtering services on all enterprise assets to block access to known malicious domains. | ● | ● | ●
v7 | 4.1 Maintain Inventory of Administrative Accounts. Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges. | | ● | ●

2.22 (L1) Ensure 'Enable TLS Encrypted ClientHello' Is Enabled
(Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
This setting controls the defaults for using Encrypted ClientHello (ECH). ECH is an
extension to TLS that encrypts the initial handshake with a website so that it can only be
decrypted by that website. Google Chrome may, or may not, use ECH based on three
factors: server support, HTTPS DNS record availability, and rollout status. It can be
configured to either:

• Disabled (0): Disable the TLS Encrypted ClientHello experiment
• Enabled (1): Enable the TLS Encrypted ClientHello experiment

If the value for EncryptedClientHelloEnabled is not changed from the default, it will
behave as if it is enabled.
Rationale:
Previously all handshakes were in the open and could expose sensitive information like
the name of the website that you are connecting to. Setting this policy will allow Google
Chrome to use an encrypted hello, or handshake, with a website where it is supported,
thus not exposing sensitive information.
Impact:
There should be no impact on the user.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 1:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:EncryptedClientHelloEnabled

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Enable TLS Encrypted ClientHello

Default Value:
Unset (Enabled)
References:

1. https://chromeenterprise.google/policies/#EncryptedClientHelloEnabled

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 3.10 Encrypt Sensitive Data in Transit: Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH). | | ● | ●
v8 | 14.4 Train Workforce on Data Handling Best Practices: Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This also includes training workforce members on clear screen and desk best practices, such as locking their screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data and assets securely. | ● | ● | ●

2.23 (L2) Ensure 'Determines whether the built-in certificate
verifier will enforce constraints encoded into trust anchors loaded
from the platform trust store' Is Enabled (Automated)
Profile Applicability:

• Level 2 (L2) - High Security/Sensitive Data Environment (limited functionality)

Description:
This setting controls whether the constraints encoded into trust anchors loaded from the
platform trust store (locally added trust anchors) are enforced. It can be configured to
either:

• Disabled (0): Do not enforce constraints in locally added trust anchors
• Enabled (1): Enforce constraints in locally added trust anchors

If the value for EnforceLocalAnchorConstraintsEnabled is not changed from the default,
it will behave as if it is enabled.
Rationale:
Setting this policy blocks access to any site whose certificate chain violates the
constraints encoded in the locally added trust anchor it chains to.
Impact:
Enabling this might cause certain internal sites to not properly load until they are
updated.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 1:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:EnforceLocalAnchorConstraintsEnabled

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Determines whether the built-in certificate verifier will enforce
constraints encoded into trust anchors loaded from the platform trust store.

Default Value:
Unset (Enabled)

References:

1. https://chromeenterprise.google/policies/#EnforceLocalAnchorConstraintsEnabled

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 0.0 Explicitly Not Mapped: Explicitly Not Mapped | | |
v7 | 0.0 Explicitly Not Mapped: Explicitly Not Mapped | | |

2.24 (L1) Ensure 'Keep browsing data when creating enterprise
profile by default' Is Enabled (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
This setting controls keeping existing browser data when an enterprise profile is
created. It can be configured to either:

• Disabled (0): Do not check the option to keep existing browsing data by default
• Enabled (1): Check the option to keep existing browsing data by default

If the value for EnterpriseProfileCreationKeepBrowsingData is not changed from the
default, it will behave as if it is enabled.
Note: Unlike other policy settings, the user does get to decide whether or not to keep
any existing browsing data when creating an enterprise profile.
Rationale:
Setting this policy gives the user the option to keep any previous browsing data after
setting up an enterprise profile.
Impact:
This should have no effect on the user.


Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 1:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:EnterpriseProfileCreationKeepBrowsingData

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Keep browsing data when creating enterprise profile by default

Default Value:
Unset (Enabled)

References:

1. https://chromeenterprise.google/policies/#EnterpriseProfileCreationKeepBrowsingData

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 0.0 Explicitly Not Mapped: Explicitly Not Mapped | | |
v7 | 0.0 Explicitly Not Mapped: Explicitly Not Mapped | | |

2.25 (L1) Ensure 'Allow file or directory picker APIs to be called
without prior user gesture' Is Disabled (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
This setting controls the ability for showOpenFilePicker(), showSaveFilePicker(), and
showDirectoryPicker() web APIs to be called without user interaction.

If the value for FileOrDirectoryPickerWithoutGestureAllowedForOrigins is not
changed from the default, it will behave as if it is disabled.
Rationale:
Setting this policy would allow the listed URLs to call the showOpenFilePicker(),
showSaveFilePicker(), and showDirectoryPicker() web APIs without any user
gesture/interaction. For this reason, no origins should be listed in this policy.
Impact:
Disabling this policy should have no impact on the user.

Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should not exist:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\FileOrDirectoryPickerWithoutGestureAllowedForOrigins\<number> = <url>

Remediation:
To establish the recommended configuration via GP, set the following UI path to
Disabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Allow file or directory picker APIs to be called without prior user
gesture

Default Value:
Unset (Disabled)
References:

1. https://chromeenterprise.google/policies/#FileOrDirectoryPickerWithoutGestureAllowedForOrigins

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 7.2 Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews. | ● | ● | ●
v7 | 9.4 Apply Host-based Firewalls or Port Filtering: Apply host-based firewalls or port filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed. | ● | ● | ●

2.26 (L1) Ensure 'Enable Google Search Side Panel' Is Disabled
(Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
This setting controls the Google Search Side Panel. It can be configured to either:

• Disabled (0): Disable Google Search Side Panel on all web pages
• Enabled (1): Enable Google Search Side Panel on all web pages

Rationale:
Setting this policy will not allow the Google Search Side Panel on any webpages.
Impact:
This should have no user impact.

Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 0:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:GoogleSearchSidePanelEnabled

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Disabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Enable Google Search Side Panel

References:

1. https://chromeenterprise.google/policies/#GoogleSearchSidePanelEnabled

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 9.2 Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains. | ● | ● | ●
v7 | 4.8 Log and Alert on Changes to Administrative Group Membership: Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges. | | ● | ●

2.27 (L1) Ensure 'Http Allowlist' Is Properly Configured (Manual)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
This setting allows administrators to list specific sites that will not be upgraded to
HTTPS and will not show an error interstitial if HTTPS-First Mode is enabled.
Note: Wildcards (*, [*], etc.) are not allowed in the URL listings.

Rationale:
Setting this policy allows organizations to maintain access to servers that do not support
HTTPS without having to disable HTTPS-First mode or HTTPS Upgrades.

Impact:
This should not have an impact on the user.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set individually to your organization's allowed URLs:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\HttpAllowlist\<number> = <url>
Example:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\HttpAllowlist\1 = www.example.com
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\HttpAllowlist\2 = [*.]example.edu
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\HttpAllowlist\3 = www.example.net

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled and set Show to the approved URLs:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\HTTP Allowlist

References:

1. https://chromeenterprise.google/policies/#HttpAllowlist

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 2.7 Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently. | | | ●
v7 | 2.5 Integrate Software and Hardware Asset Inventories: The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location. | | | ●

2.28 (L1) Ensure 'Enable automatic HTTPS upgrades' Is Enabled
(Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
This setting controls the ability for Google Chrome to upgrade to HTTPS from HTTP
while navigating to certain sites. It can be configured to either:

• Disabled (0): Disable HTTPS Upgrades
• Enabled (1): HTTPS Upgrades may be applied depending on feature launch
status

If the value for HttpsUpgradesEnabled is not changed from the default, it will behave as
if it is enabled.
Rationale:
Enabling this setting will upgrade the connection to a site from HTTP to HTTPS where
available, verifying the identity of the site visited.
Impact:
This should have no impact on the user.
Note: If there are internal sites/servers that use HTTP only, list those in the
HttpAllowlist policy.

Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 1:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:HttpsUpgradesEnabled

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Enable automatic HTTPS upgrades

Default Value:
Unset (Enabled)

References:

1. https://chromeenterprise.google/policies/#HttpsUpgradesEnabled

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 3.5 Securely Dispose of Data: Securely dispose of data as outlined in the enterprise’s data management process. Ensure the disposal process and method are commensurate with the data sensitivity. | ● | ● | ●
v7 | 7.4 Maintain and Enforce Network-Based URL Filters: Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not. | | ● | ●

2.29 (L1) Ensure 'Insecure Hashes in TLS Handshakes Enabled'
Is Disabled (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
This setting controls the ability for Google Chrome to allow legacy or insecure hashes
during the TLS handshake. It can be configured to either:

• Disabled (0): Do Not Allow Insecure Hashes in TLS Handshakes
• Enabled (1): Allow Insecure Hashes in TLS Handshakes

If the value for InsecureHashesInTLSHandshakesEnabled is not changed from the default,
it will behave as if it is enabled.
Rationale:
Setting this policy to disabled will block Google Chrome from using insecure hashes.
Using insecure, or legacy, hashes could allow sensitive data to be exposed.
Impact:
Users would be blocked from visiting sites that do not support more secure hashes.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 0:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:InsecureHashesInTLSHandshakesEnabled

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Disabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Insecure Hashes in TLS Handshakes Enabled

Default Value:
Unset (Allow)

References:

1. https://chromeenterprise.google/policies/#InsecureHashesInTLSHandshakesEnabled

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 3.10 Encrypt Sensitive Data in Transit: Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH). | | ● | ●
v8 | 14.4 Train Workforce on Data Handling Best Practices: Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This also includes training workforce members on clear screen and desk best practices, such as locking their screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data and assets securely. | ● | ● | ●

2.30 (L1) Ensure 'Enable Renderer App Container' Is Enabled
(Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
This setting controls the ability for Google Chrome to allow the Renderer App Container
sandbox to be used while navigating to certain sites. It can be configured to either:

• Disabled (0): Disable the Renderer App Container sandbox
• Enabled (1): Enable the Renderer App Container sandbox

If the value for RendererAppContainerEnabled is not changed from the default, it will
behave as if it is enabled.
Rationale:
Disabling this policy would weaken the sandbox that Google Chrome uses for the
renderer process, and will have a detrimental effect on the security and stability of the
browser. This policy needs to be enabled to maintain security and stability.
Impact:
This would only impact users if there is third-party software that must run inside
renderer processes.

Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 1:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:RendererAppContainerEnabled

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Enable Renderer App Container

Default Value:
Unset (Enabled)

References:

1. https://chromeenterprise.google/policies/#RendererAppContainerEnabled

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 9.2 Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains. | ● | ● | ●
v7 | 4.8 Log and Alert on Changes to Administrative Group Membership: Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges. | | ● | ●

2.31 (L1) Ensure 'Enable strict MIME type checking for worker
scripts' Is Enabled (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
This setting controls whether Google Chrome requires scripts for workers to be served
with a JavaScript MIME type. It can be configured to either:

• Disabled (0): Scripts for workers (Web Workers, Service Workers, etc.) use
lax MIME type checking. Worker scripts with legacy MIME types, like
text/ascii, will work.
• Enabled (1): Scripts for workers (Web Workers, Service Workers, etc.)
require a JavaScript MIME type, like text/javascript. Worker scripts
with legacy MIME types, like text/ascii, will be rejected.

If the value for StrictMimetypeCheckForWorkerScriptsEnabled is not changed from the
default, it will behave as if it is enabled.
Rationale:
Setting this policy will require worker scripts to use the more secure, strict JavaScript
MIME types; worker scripts served with legacy MIME types will be rejected.
Impact:
This should have no impact on users.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 1:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:StrictMimetypeCheckForWorkerScriptsEnabled

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Enable strict MIME type checking for worker scripts

Default Value:
Unset (Enabled)

References:

1. https://chromeenterprise.google/policies/#StrictMimetypeCheckForWorkerScriptsEnabled

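As an added illustration of what the strict check in 2.31 rejects (example code written for this page, not Chrome's implementation and not part of the benchmark): the functions below classify the Content-Type a worker script is served with, using the JavaScript MIME type essence list from the WHATWG HTML Standard, which is assumed here to be the set Chrome's strict check accepts. The sample responses and host names are constructed. An administrator can run this over Content-Type values collected from internal sites before enabling the policy to find worker scripts that would stop loading.

```python
# JavaScript MIME type essences as listed in the WHATWG HTML Standard
# ("JavaScript MIME type essence match"). Assumed here to be the set a strict
# worker-script check accepts; legacy types such as text/ascii, text/plain,
# and a missing Content-Type header are not on it.
JAVASCRIPT_MIME_ESSENCES = frozenset({
    "application/ecmascript", "application/javascript",
    "application/x-ecmascript", "application/x-javascript",
    "text/ecmascript", "text/javascript", "text/javascript1.0",
    "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
    "text/javascript1.4", "text/javascript1.5", "text/jscript",
    "text/livescript", "text/x-ecmascript", "text/x-javascript",
})


def mime_essence(content_type):
    """Lower-cased type/subtype of a Content-Type header value with its
    parameters (charset=..., etc.) removed; None for a missing or empty header."""
    if not content_type:
        return None
    essence = content_type.split(";", 1)[0].strip().lower()
    return essence or None


def worker_script_mime_ok(content_type):
    """True when the response would pass the strict worker-script check
    (StrictMimetypeCheckForWorkerScriptsEnabled set to 1)."""
    return mime_essence(content_type) in JAVASCRIPT_MIME_ESSENCES


def rejected_worker_scripts(responses):
    """Given (url, content_type) pairs recorded for worker-script fetches,
    return (url, essence) for every response the strict check would reject."""
    return [(url, mime_essence(ct)) for url, ct in responses
            if not worker_script_mime_ok(ct)]


# Constructed sample of worker-script responses, as a proxy log might list
# them (hypothetical hosts, not from the benchmark).
SAMPLE_RESPONSES = [
    ("https://intranet.example.com/sw.js", "text/javascript; charset=utf-8"),
    ("https://intranet.example.com/worker.js", "Application/JavaScript"),
    ("https://legacy.example.com/worker.js", "text/ascii"),
    ("https://legacy.example.com/old-worker.js", "text/plain"),
    ("https://legacy.example.com/untyped.js", None),
]

if __name__ == "__main__":
    for url, seen in rejected_worker_scripts(SAMPLE_RESPONSES):
        print(f"would be rejected: {url} (Content-Type essence: {seen})")
```

Case and parameters are ignored on purpose: MIME type matching is case-insensitive and a `charset` parameter does not change the essence, so only the type/subtype decides the outcome.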
2.32 (L1) Ensure 'Allow remote debugging' is set to 'Disabled'
(Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
This policy setting controls whether users may use remote debugging. This feature
allows remote debugging of live content on a Windows 10 or later device from a
Windows or macOS computer.
The recommended state for this setting is: Disabled.

Rationale:
Disabling remote debugging enhances security and protects applications from
unauthorized access. Some attack tools can exploit this feature to extract information,
or to insert malicious code.
Impact:
Users will not be able to access the remote debugging feature in Google Chrome.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 0.
HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome:RemoteDebuggingAllowed

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Disabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Allow remote debugging
Note: This Group Policy path may not exist by default. It is provided by the Group Policy
template google.admx/adml that can be downloaded from: Download Chrome Browser
for Your Business - Chrome Enterprise.

Default Value:
Enabled. (Users may use remote debugging by specifying the --remote-debugging-port
and --remote-debugging-pipe command line switches.)

Additional Information:
I copied/adjusted this rule from MS Edge, rule 1.41
CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 7.2 Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews. | ● | ● | ●
v8 | 13.5 Manage Access Control for Remote Assets: Manage access control for assets remotely connecting to enterprise resources. Determine amount of access to enterprise resources based on: up-to-date anti-malware software installed, configuration compliance with the enterprise’s secure configuration process, and ensuring the operating system and applications are up-to-date. | | ● | ●

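Added example (not part of the CIS benchmark and not CIS tooling): a Python script that checks the registry values named in the Audit steps of recommendations 2.22 through 2.32 above against the text of a `reg export` of HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome, so the evidence can be collected on the endpoint and checked offline. The sample export, including every host name in it, is constructed for the example; the expected values are the ones each recommendation states. A missing value is reported as a failure because each Audit step requires the value to be set, even where the Default Value says the browser behaves the same when unset; HttpAllowlist (2.27, a Manual recommendation) is listed for review rather than judged.

```python
import re

# Key holding Chrome's machine-level policies (from the Audit steps above).
CHROME_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome"

# REG_DWORD value the Audit step of each recommendation requires. The value
# must be present: unset fails the audit even where the default behaves alike.
EXPECTED_DWORDS = {
    "EncryptedClientHelloEnabled": 1,                 # 2.22
    "EnforceLocalAnchorConstraintsEnabled": 1,        # 2.23
    "EnterpriseProfileCreationKeepBrowsingData": 1,   # 2.24
    "GoogleSearchSidePanelEnabled": 0,                # 2.26
    "HttpsUpgradesEnabled": 1,                        # 2.28
    "InsecureHashesInTLSHandshakesEnabled": 0,        # 2.29
    "RendererAppContainerEnabled": 1,                 # 2.30
    "StrictMimetypeCheckForWorkerScriptsEnabled": 1,  # 2.31
    "RemoteDebuggingAllowed": 0,                      # 2.32
}
# List policies are stored as numbered values under a subkey. 2.25 requires
# this subkey not to exist; 2.27 requires HttpAllowlist to be reviewed.
ABSENT_LIST_KEYS = ["FileOrDirectoryPickerWithoutGestureAllowedForOrigins"]

# Constructed sample export (text form of `reg export`), not from the
# benchmark. It deliberately violates 2.25, 2.29 and 2.31.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"EncryptedClientHelloEnabled"=dword:00000001
"EnforceLocalAnchorConstraintsEnabled"=dword:00000001
"EnterpriseProfileCreationKeepBrowsingData"=dword:00000001
"GoogleSearchSidePanelEnabled"=dword:00000000
"HttpsUpgradesEnabled"=dword:00000001
"InsecureHashesInTLSHandshakesEnabled"=dword:00000001
"RendererAppContainerEnabled"=dword:00000001
"RemoteDebuggingAllowed"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\HttpAllowlist]
"1"="www.example.com"
"2"="[*.]example.edu"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\FileOrDirectoryPickerWithoutGestureAllowedForOrigins]
"1"="https://intranet.example.com"
"""

_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
_STRING_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text):
    """Parse the .reg subset reg.exe emits for policy keys: [key] headers,
    "name"=dword:xxxxxxxx and "name"="string" values. Returns
    {key_path: {value_name: value}} with DWORDs converted to int.
    A real export is UTF-16 with a BOM; decode it before calling this."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = _DWORD_RE.match(line)
        if m:
            keys[current][m.group(1)] = int(m.group(2), 16)
            continue
        m = _STRING_RE.match(line)
        if m:
            keys[current][m.group(1)] = m.group(2)
    return keys


def audit_chrome_policies(keys):
    """Return (policy, expected, actual, status) tuples; status is PASS,
    FAIL, or MANUAL for HttpAllowlist, which needs a human review."""
    findings = []
    values = keys.get(CHROME_KEY, {})
    for policy, expected in EXPECTED_DWORDS.items():
        actual = values.get(policy)
        findings.append((policy, expected, actual,
                         "PASS" if actual == expected else "FAIL"))
    for subkey in ABSENT_LIST_KEYS:
        entries = keys.get(CHROME_KEY + "\\" + subkey) or {}
        findings.append((subkey, "absent", sorted(entries.values()) or None,
                         "PASS" if not entries else "FAIL"))
    allow = keys.get(CHROME_KEY + "\\HttpAllowlist") or {}
    findings.append(("HttpAllowlist", "approved hosts only",
                     sorted(allow.values()), "MANUAL"))
    return findings


def failed_policies(findings):
    """Names of the policies that failed, in audit order."""
    return [name for name, _, _, status in findings if status == "FAIL"]
```

Run against the sample, `failed_policies(audit_chrome_policies(parse_reg_export(SAMPLE_REG)))` names the three deliberately broken recommendations; on a real export, feed the decoded file contents to `parse_reg_export` instead of `SAMPLE_REG`.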
3 Privacy
This section contains recommendations that help improve user privacy. Organizations
should review these settings and any potential impacts to ensure they make sense
within the environment since they restrict some browser functionality.

3.1 Content settings

3.1.1 (L2) Ensure 'Default cookies setting' is set to 'Enabled: Keep
cookies for the duration of the session' (Automated)
Profile Applicability:

• Level 2 (L2) - High Security/Sensitive Data Environment (limited functionality)

Description:
Leaving the RestoreOnStartup setting unset results in the use of DefaultCookiesSetting
for all sites, if it is set. If DefaultCookiesSetting is not set, the user's personal
setting applies.

• Disabled (0, user's personal setting applies)
• Allow all sites to set local data (1)
• Do not allow any site to set local data (2)
• Keep cookies for the duration of the session (4)

The recommended state for this setting is: Enabled with a value of Keep cookies for
the duration of the session (4)

NOTE: If the RestoreOnStartup setting is set to restore URLs from previous sessions
this setting will not be respected and cookies will be stored permanently for those sites.
An example of those URLs are SSO or intranet sites.
Rationale:
Permanently stored cookies may be used for malicious intent.
Impact:
If this setting is enabled, cookies will be cleared when the session closes.

Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 4:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:DefaultCookiesSetting

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled: Keep cookies for the duration of the session:
Computer Configuration\Administrative Templates\Google\Google Chrome\Content
Settings\Default cookies setting

Default Value:
Unset (Same as Disabled, but user can change)
References:

1. https://chromeenterprise.google/policies/#DefaultCookiesSetting
2. https://chromeenterprise.google/policies/#RestoreOnStartup
3. https://chromeenterprise.google/policies/#CookiesSessionOnlyForUrls

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 0.0 Explicitly Not Mapped: Explicitly Not Mapped | | |
v7 | 0.0 Explicitly Not Mapped: Explicitly Not Mapped | | |

3.1.2 (L1) Ensure 'Default geolocation setting' is set to 'Enabled:
Do not allow any site to track the users' physical location'
(Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
Google Chrome supports tracking a user's physical location using GPS, data about
nearby Wi-Fi access points or cellular signal sites/towers (even if you’re not using
them), and your computer’s IP.

• Disabled (0, same as 3)
• Allow sites to track the users' physical location (1)
• Do not allow any site to track the users' physical location (2)
• Ask whenever a site wants to track the users' physical location (3)

The recommended state for this setting is: Enabled with a value Do not allow any site
to track the users' physical location (2)

Rationale:
From a privacy point of view it is not desirable to submit indicators regarding the
location of the device, since the processing of this information cannot be determined.
Furthermore, this may leak information about the network infrastructure around the
device.
Impact:
If location tracking is disabled, Chrome will no longer send data about nearby Wi-Fi
access points or cellular signal sites/towers (even if you’re not using them), and your
computer’s IP address to Google.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 2:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:DefaultGeolocationSetting

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled: Do not allow any site to track the users' physical location:
Computer Configuration\Administrative Templates\Google\Google Chrome\Content
Settings\Default geolocation setting

Default Value:
Unset (Same as Disabled, but user can change)
References:

1. https://chromeenterprise.google/policies/#DefaultGeolocationSetting
2. https://www.w3.org/2010/api-privacy-ws/papers/privacy-ws-24.pdf

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 0.0 Explicitly Not Mapped: Explicitly Not Mapped | | |
v7 | 4.8 Log and Alert on Changes to Administrative Group Membership: Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges. | | ● | ●

3.2 Google Cast

3.2.1 (L1) Ensure 'Enable Google Cast' is set to 'Disabled'
(Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
Google Cast can send the contents of tabs, sites, or the desktop from the browser to a
remote display and sound system.
The recommended state for this setting is: Disabled (0)

Rationale:
Google Cast may send the contents of tabs, sites, or the desktop from the browser to
non-trusted devices on the local network segment.
Impact:
If this is disabled, Google Cast is not activated and the toolbar icon is not shown.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 0:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:EnableMediaRouter

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Disabled:
Computer Configuration\Administrative Templates\Google\Google Chrome\Google
Cast\Enable Google Cast

Default Value:
Unset (Same as Enabled, but user can change)
References:

1. https://chromeenterprise.google/policies/#EnableMediaRouter

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 4.8 Uninstall or Disable Unnecessary Services on Enterprise Assets and Software: Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function. | | ● | ●
v7 | 9.2 Ensure Only Approved Ports, Protocols and Services Are Running: Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. | | ● | ●

3.3 (L1) Ensure 'Allow websites to query for available payment
methods' is set to 'Disabled' (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
This setting allows you to set whether a website can check to see if the user has
payment methods saved.
The recommended state for this setting is: Disabled (0)

Rationale:
Saving payment information in Google Chrome could lead to sensitive data being
leaked and used for non-legitimate purposes.
Impact:
Websites will be unable to query whether payment information within Google Chrome is
available.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 0:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:PaymentMethodQueryEnabled

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Disabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Allow websites to query for available payment methods.

Default Value:
Unset (Same as Enabled, but user can change)
References:

1. https://chromeenterprise.google/policies/#PaymentMethodQueryEnabled

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 9.2 Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains. | ● | ● | ●
v7 | 4.8 Log and Alert on Changes to Administrative Group Membership: Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges. | | ● | ●

3.4 (L1) Ensure 'Block third party cookies' is set to 'Enabled'
(Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
Chrome allows cookies to be set by web page elements that are not from the domain in
the user's address bar. Enabling this feature prevents third party cookies from being set.
The recommended state for this setting is: Enabled (1)

Rationale:
Blocking third-party cookies can help protect a user's privacy by eliminating a number of
website tracking cookies.
Impact:
Enabling this setting prevents cookies from being set by web page elements that are not
from the domain that is in the browser's address bar.
NOTE: Third Party Cookies and Tracking Protection are required for many business
critical websites, including Microsoft 365 web apps (Office 365), SalesForce, and SAP
Analytics Cloud. If these, or similar services, are needed by the organization, then this
setting can be Disabled.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 1:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:BlockThirdPartyCookies

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled:
Computer Configuration\Administrative Templates\Google\Google Chrome\Block
third party cookies

Default Value:
Unset (Same as Disabled, but user can change)

References:

1. https://chromeenterprise.google/policies/#BlockThirdPartyCookies

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 9.2 Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains. | ● | ● | ●
v7 | 4.8 Log and Alert on Changes to Administrative Group Membership: Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges. | | ● | ●

3.5 (L2) Ensure 'Browser sign in settings' is set to 'Enabled:
Disable browser sign-in' (Automated)
Profile Applicability:

• Level 2 (L2) - High Security/Sensitive Data Environment (limited functionality)

Description:
Google Chrome offers to sign in with your Google account and use account-related
services like Chrome sync. It is possible to sign in to Google Chrome with a Google
account to use services like synchronization, and can also be used for configuration and
management of the browser.

• Disable browser sign-in (0)


• Enable browser sign-in (1)
• Force users to sign-in to use the browser (2)

The recommended state for this setting is: Enabled with a value of Disable browser
sign-in (0)

NOTE: If an organization is a Google Workspace Enterprise customer, they will want to
leave this setting enabled so that users can sign in with Google accounts.
Rationale:
Since external accounts are unmanaged and potentially used to access several private
computer systems and many different websites, connecting accounts via sign-in poses
a security risk for the company. It interferes with the corporate management
mechanisms, as well as permits an unwanted leak of corporate information and possible
mixture with private, non-company data.
Impact:
If this setting is configured, the user cannot sign in to the browser and use Google
account-based services like Chrome sync.

Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 0:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:BrowserSignin

Page 200
Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled: Disable browser sign-in
Computer Configuration\Administrative Templates\Google\Google Chrome\Browser
sign in settings

Default Value:
Unset (Same as Enabled: Enable browser sign-in, but user can change)
References:

1. https://chromeenterprise.google/policies/#BrowserSignin

CIS Controls:

Controls Version  Control                                               IG 1  IG 2  IG 3
v8                9.2 Use DNS Filtering Services                        ●     ●     ●
                  Use DNS filtering services on all enterprise assets
                  to block access to known malicious domains.
v7                4.8 Log and Alert on Changes to Administrative Group        ●     ●
                  Membership
                  Configure systems to issue a log entry and alert when
                  an account is added to or removed from any group
                  assigned administrative privileges.

Page 201
3.6 (L1) Ensure 'Control how Chrome Cleanup reports data to
Google' is set to 'Disabled' (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
Chrome provides a Cleanup feature to detect unwanted software. If this setting is
Enabled, the results of the cleanup may be shared with Google (based on the setting of
SafeBrowsingExtendedReportingEnabled) to assist with future unwanted software
detection. These results will contain file metadata, automatically installed extensions,
and registry keys.
If the setting is Disabled, the results of the cleanup will not be shared with Google
regardless of the value of SafeBrowsingExtendedReportingEnabled.
The recommended state for this setting is: Disabled (0)
NOTE: This setting is not available on Windows instances that are not joined to a
Microsoft® Active Directory® domain.
Rationale:
Anonymous crash/usage data can be used to identify people, companies, and
information, which can be considered data exfiltration from company systems.

Impact:
If Chrome Cleanup detects unwanted software, it will no longer report metadata about
the scan to Google.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 0:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:ChromeCleanupReportingEnabled

Page 202
Remediation:
To establish the recommended configuration via Group Policy, set the
following UI path to Disabled:
Computer Configuration\Administrative Templates\Google\Google Chrome\Control
how Chrome Cleanup reports data to Google

Default Value:
Unset (Same as Enabled, but user can change)
References:

1. https://chromeenterprise.google/policies/#MetricsReportingEnabled
2. https://www.google.com/chrome/privacy/whitepaper.html
3. https://chromeenterprise.google/policies/#SafeBrowsingExtendedReportingEnabled

CIS Controls:

Controls Version  Control                                               IG 1  IG 2  IG 3
v8                9.2 Use DNS Filtering Services                        ●     ●     ●
                  Use DNS filtering services on all enterprise assets
                  to block access to known malicious domains.
v7                4.8 Log and Alert on Changes to Administrative Group        ●     ●
                  Membership
                  Configure systems to issue a log entry and alert when
                  an account is added to or removed from any group
                  assigned administrative privileges.

Page 203
3.7 (L1) Ensure 'Disable synchronization of data with Google' is
set to 'Enabled' (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
Google Chrome can synchronize browser data using Google-hosted synchronization
services. Examples of synced data include, but are not limited to, history and favorites.
The recommended state for this setting is: Enabled (1)
NOTE: If your organization allows synchronization of data with Google, then disabling
this setting will synchronize saved passwords with Google.
Rationale:
Browser data shall not be synchronized into the Google Cloud.

Impact:
If this setting is enabled, browser data will no longer sync with Google across
devices/platforms, so users lose the ability to pick up where they left off.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 1:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:SyncDisabled

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled:
Computer Configuration\Administrative Templates\Google\Google Chrome\Disable
synchronization of data with Google

Default Value:
Unset (Same as Disabled, but user can change)

References:

1. https://chromeenterprise.google/policies/#SyncDisabled

Page 204
CIS Controls:

Controls Version  Control                                               IG 1  IG 2  IG 3
v8                9.2 Use DNS Filtering Services                        ●     ●     ●
                  Use DNS filtering services on all enterprise assets
                  to block access to known malicious domains.
v7                4.8 Log and Alert on Changes to Administrative Group        ●     ●
                  Membership
                  Configure systems to issue a log entry and alert when
                  an account is added to or removed from any group
                  assigned administrative privileges.

Page 205
3.8 (L1) Ensure 'Enable alternate error pages' is set to 'Disabled'
(Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
Google Chrome offers to show suggestions for the page you were trying to reach when
it is unable to connect to a web address such as 'Page Not Found'.
The recommended state for this setting is: Disabled (0)

Rationale:
Using navigation suggestions may leak information about the web site intended to be
visited.
Impact:

If this setting is disabled, Chrome will no longer use a web service to help resolve
navigation errors.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 0:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:AlternateErrorPagesEnabled

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Disabled:
Computer Configuration\Administrative Templates\Google\Google Chrome\Enable
alternate error pages

Default Value:
Unset (Same as Enabled, but user can change)
References:

1. https://chromeenterprise.google/policies/#AlternateErrorPagesEnabled

Page 206
CIS Controls:

Controls Version  Control                                               IG 1  IG 2  IG 3
v8                9.2 Use DNS Filtering Services                        ●     ●     ●
                  Use DNS filtering services on all enterprise assets
                  to block access to known malicious domains.
v7                4.8 Log and Alert on Changes to Administrative Group        ●     ●
                  Membership
                  Configure systems to issue a log entry and alert when
                  an account is added to or removed from any group
                  assigned administrative privileges.

Page 207
3.9 (L1) Ensure 'Enable deleting browser and download history' is
set to 'Disabled' (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
Google Chrome can delete the browser and download history using the clear browsing
data menu.
The recommended state for this setting is: Disabled (0)
NOTE: Even when this setting is disabled, the browsing and download history aren't
guaranteed to be retained. Users can edit or delete the history database files directly,
and the browser itself may remove (based on expiration period) or archive any or all
history items at any time.

Rationale:
If users can delete websites they have visited or files they have downloaded it will be
easier for them to hide evidence that they have visited unauthorized or malicious sites.
Impact:
If this setting is disabled, browsing and download history cannot be deleted by using the
clear browsing data menu.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 0:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:AllowDeletingBrowserHistory

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Disabled:
Computer Configuration\Administrative Templates\Google\Google Chrome\Enable
deleting browser and download history

Default Value:
Unset (Same as Enabled, but user can change)

Page 208
References:

1. https://chromeenterprise.google/policies/#AllowDeletingBrowserHistory

CIS Controls:

Controls Version  Control                                               IG 1  IG 2  IG 3
v8                9.2 Use DNS Filtering Services                        ●     ●     ●
                  Use DNS filtering services on all enterprise assets
                  to block access to known malicious domains.
v7                4.8 Log and Alert on Changes to Administrative Group        ●     ●
                  Membership
                  Configure systems to issue a log entry and alert when
                  an account is added to or removed from any group
                  assigned administrative privileges.

Page 209
3.10 (L1) Ensure 'Enable predict network actions' is set to
'Enabled: Do not predict actions on any network connection'
(Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
Google Chrome comes with the network prediction feature which provides DNS
prefetching, TCP and SSL preconnection, and prerendering of web pages.

• Predict network actions on any network connection (0) or (1)
• Do not predict network actions on any network connection (2)

The recommended state for this setting is: Enabled with a value of Do not predict
network actions on any network connection (2)

Rationale:
Opening connections to resources that may not be used could allow unneeded
connections increasing attack surface and in some cases could lead to opening
connections to resources which the user did not intend to utilize.
Impact:
Users will not be presented with web page predictions.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 2:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:NetworkPredictionOptions

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled: Do not predict network actions on any network connection:
Computer Configuration\Administrative Templates\Google\Google Chrome\Enable
network prediction

Default Value:
Unset (Same as Enabled with a value of Predict network actions on any network
connection)

Page 210
References:

1. https://chromeenterprise.google/policies/#NetworkPredictionOptions

CIS Controls:

Controls Version  Control                                               IG 1  IG 2  IG 3
v8                0.0 Explicitly Not Mapped
                  Explicitly Not Mapped
v7                0.0 Explicitly Not Mapped
                  Explicitly Not Mapped

Page 211
3.11 (L1) Ensure 'Enable or disable spell checking web service' is
set to 'Disabled' (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
Google Chrome can use Google web service to help resolve spelling errors.
The recommended state for this setting is: Disabled (0)

Rationale:
Information typed in may be leaked to Google's spellcheck web service.
Impact:
After disabling this feature, Chrome no longer sends the entire contents of text fields to
Google as you type them. Spell checking can still be performed using a downloaded
dictionary. This setting only controls the usage of the online service.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 0:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:SpellCheckServiceEnabled

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Disabled:
Computer Configuration\Administrative Templates\Google\Google Chrome\Enable
or disable spell checking web service

Default Value:
Unset (Same as Enabled, but user can change)
References:

1. https://chromeenterprise.google/policies/#SpellCheckServiceEnabled

Page 212
CIS Controls:

Controls Version  Control                                               IG 1  IG 2  IG 3
v8                9.2 Use DNS Filtering Services                        ●     ●     ●
                  Use DNS filtering services on all enterprise assets
                  to block access to known malicious domains.
v7                4.8 Log and Alert on Changes to Administrative Group        ●     ●
                  Membership
                  Configure systems to issue a log entry and alert when
                  an account is added to or removed from any group
                  assigned administrative privileges.

Page 213
3.12 (L1) Ensure 'Enable reporting of usage and crash-related
data' is set to 'Disabled' (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
This setting controls anonymous reporting of usage and crash-related data about
Google Chrome to Google.
The recommended state for this setting is: Disabled (0)
NOTE: This setting is not available on Windows instances that are not joined to a
Microsoft® Active Directory® domain.
Rationale:
Anonymous crash/usage data can be used to identify people, companies and
information, which can be considered data exfiltration from company systems.
Impact:
If this setting is disabled, this information is not sent to Google.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 0:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:MetricsReportingEnabled

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Disabled:
Computer Configuration\Administrative Templates\Google\Google Chrome\Enable
reporting of usage and crash-related data

Default Value:
Unset (Same as Enabled, but user can change)

References:

1. https://chromeenterprise.google/policies/#MetricsReportingEnabled

Page 214
CIS Controls:

Controls Version  Control                                               IG 1  IG 2  IG 3
v8                9.2 Use DNS Filtering Services                        ●     ●     ●
                  Use DNS filtering services on all enterprise assets
                  to block access to known malicious domains.
v7                4.8 Log and Alert on Changes to Administrative Group        ●     ●
                  Membership
                  Configure systems to issue a log entry and alert when
                  an account is added to or removed from any group
                  assigned administrative privileges.

Page 215
3.13 (L1) Ensure 'Enable Safe Browsing for trusted sources' is set
to 'Disabled' (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
Google Chrome can be adjusted to allow downloads without Safe Browsing checks
when the requested file is from a trusted source. Trusted sources can be defined using
recommendation 'Configure the list of domains on which Safe Browsing will not trigger
warnings'.
The recommended state for this setting is: Disabled (0)
NOTE: On Microsoft® Windows®, this functionality is only available on instances that
are joined to a Microsoft® Active Directory® domain, running on Windows 10 Pro, or
enrolled in Chrome Browser Cloud Management.
Rationale:
Information requested from trusted sources shall not be sent to Google's safe browsing
servers.
Impact:
If this setting is disabled, files downloaded from intranet resources will not be checked
by Google Services.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 0:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:SafeBrowsingForTrustedSourcesEnabled

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Disabled:
Computer Configuration\Administrative Templates\Google\Google Chrome\Enable
Safe Browsing for trusted sources

Default Value:
Unset (Same as Enabled, but user can change)

Page 216
References:

1. https://chromeenterprise.google/policies/#SafeBrowsingForTrustedSourcesEnabled

CIS Controls:

Controls Version  Control                                               IG 1  IG 2  IG 3
v8                9.2 Use DNS Filtering Services                        ●     ●     ●
                  Use DNS filtering services on all enterprise assets
                  to block access to known malicious domains.
v7                4.8 Log and Alert on Changes to Administrative Group        ●     ●
                  Membership
                  Configure systems to issue a log entry and alert when
                  an account is added to or removed from any group
                  assigned administrative privileges.

Page 217
3.14 (L2) Ensure 'Enable search suggestions' is set to 'Disabled'
(Automated)
Profile Applicability:

• Level 2 (L2) - High Security/Sensitive Data Environment (limited functionality)

Description:
Google Chrome offers suggestions in Google Chrome's omnibox while a user is typing.
The recommended state for this setting is: Disabled (0)

Rationale:
Using search suggestions may leak information as soon as it is typed/pasted into the
omnibox, e.g. passwords, internal webservices, folder structures, etc.
Impact:
The user has to send the search request actively by using the search button or hitting
"Enter".
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 0:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:SearchSuggestEnabled

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Disabled:
Computer Configuration\Administrative Templates\Google\Google Chrome\Enable
search suggestions

Default Value:
Unset (Same as Enabled, but user can change)
References:

1. https://chromeenterprise.google/policies/#SearchSuggestEnabled

Page 218
CIS Controls:

Controls Version  Control                                               IG 1  IG 2  IG 3
v8                9.2 Use DNS Filtering Services                        ●     ●     ●
                  Use DNS filtering services on all enterprise assets
                  to block access to known malicious domains.
v7                4.8 Log and Alert on Changes to Administrative Group        ●     ●
                  Membership
                  Configure systems to issue a log entry and alert when
                  an account is added to or removed from any group
                  assigned administrative privileges.

Page 219
3.15 (L2) Ensure 'Enable Translate' is set to 'Disabled'
(Automated)
Profile Applicability:

• Level 2 (L2) - High Security/Sensitive Data Environment (limited functionality)

Description:
This setting enables Google translation services on Google Chrome.
The recommended state for this setting is: Disabled (0)

Rationale:
Content of internal web pages may be leaked to Google's translation service.
Impact:
After disabling this feature, the contents of a web page are no longer sent to Google for
translation.

Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 0:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:TranslateEnabled

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Disabled:
Computer Configuration\Administrative Templates\Google\Google Chrome\Enable
Translate

Default Value:
Unset (Same as Enabled, but user can change)
References:

1. https://chromeenterprise.google/policies/#TranslateEnabled

Page 220
CIS Controls:

Controls Version  Control                                               IG 1  IG 2  IG 3
v8                9.2 Use DNS Filtering Services                        ●     ●     ●
                  Use DNS filtering services on all enterprise assets
                  to block access to known malicious domains.
v7                4.8 Log and Alert on Changes to Administrative Group        ●     ●
                  Membership
                  Configure systems to issue a log entry and alert when
                  an account is added to or removed from any group
                  assigned administrative privileges.

Page 221
3.16 (L1) Ensure 'Enable URL-keyed anonymized data collection'
is set to 'Disabled' (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
Google Chrome offers the feature URL-keyed anonymized data collection. This sends
URLs of pages the user visits to Google to optimize its services.
The recommended state for this setting is: Disabled (0)

Rationale:
Anonymized data collection shall be disabled, since it is unclear which information
exactly is sent to Google.
Impact:
Anonymized data will not be sent to Google to help optimize its services.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 0:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:UrlKeyedAnonymizedDataCollectionEnabled

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Disabled:
Computer Configuration\Administrative Templates\Google\Google Chrome\Enable
URL-keyed anonymized data collection

Default Value:
Unset (Same as Enabled, but user can change)

References:

1. https://chromeenterprise.google/policies/#UrlKeyedAnonymizedDataCollectionEnabled

Page 222
CIS Controls:

Controls Version  Control                                               IG 1  IG 2  IG 3
v8                0.0 Explicitly Not Mapped
                  Explicitly Not Mapped
v7                3.5 Deploy Automated Software Patch Management Tools  ●     ●     ●
                  Deploy automated software update tools in order to
                  ensure that third-party software on all systems is
                  running the most recent security updates provided by
                  the software vendor.

Page 223
4 Data Loss Prevention
This section contains recommendations to help prevent and protect against unwanted
loss of data. Organizations should review these settings and any potential impacts to
ensure they make sense within the environment, since they restrict some browser
functionality.

Page 224
4.1 Allow or deny screen capture

Page 225
4.1.1 (L2) Ensure 'Allow or deny screen capture' is set to
'Disabled' (Automated)
Profile Applicability:

• Level 2 (L2) - High Security/Sensitive Data Environment (limited functionality)

Description:
This setting controls whether Google Chrome can use screen-share APIs including
web-based online meetings, video, or screen sharing.
The recommended state for this setting is: Disabled (0)
NOTE: This setting is not considered (and a site will be allowed to use screen-share
APIs) if the site matches an origin pattern in any of the following other settings:
ScreenCaptureAllowedByOrigins, WindowCaptureAllowedByOrigins,
TabCaptureAllowedByOrigins, SameOriginTabCaptureAllowedByOrigins.

Rationale:
Allowing screen-share APIs within Google Chrome could potentially allow for sensitive
data to be shared via screen captures.
Impact:
Users will be unable to utilize APIs which support web-based meetings (video
conferencing screen sharing), video, and screen capture. This could potentially cause
disruption to users who may have utilized these abilities in the past.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 0:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:ScreenCaptureAllowed

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Disabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Allow or deny screen capture\Allow or deny screen capture

Default Value:
Unset (Same as Enabled, but user can change)

Page 226
References:

1. https://chromeenterprise.google/policies/#ScreenCaptureAllowed

CIS Controls:

Controls Version  Control                                               IG 1  IG 2  IG 3
v8                0.0 Explicitly Not Mapped
                  Explicitly Not Mapped
v7                0.0 Explicitly Not Mapped
                  Explicitly Not Mapped

Page 227
4.2 Content settings

Page 228
4.2.1 (L2) Ensure 'Control use of the Serial API' is set to 'Enabled:
Do not allow any site to request access to serial ports via the
Serial API' (Automated)
Profile Applicability:

• Level 2 (L2) - High Security/Sensitive Data Environment (limited functionality)

Description:
This setting controls website access and use of the system serial port.

• Do not allow any site to request access to serial ports via the Serial API (2)
• Allow sites to ask the user to grant access to a serial port (3)

The recommended state for this setting is: Do not allow any site to request access
to serial ports via the Serial API (2)

NOTE: If more granular control is needed (per website) then this setting can be used in
combination with the SerialAllowAllPortsForUrls, SerialAskForUrls and
SerialBlockedForUrls settings. For example, SerialAllowAllPortsForUrls can be used to
allow serial port access to specific sites. Please see the references below for more
information.

Rationale:
Preventing access to system serial ports may prevent malicious sites from using these
ports and accessing the devices attached.
Impact:
This setting would also prevent legitimate sites from accessing serial ports.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 2:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:DefaultSerialGuardSetting

Page 229
Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled: Do not allow any site to request access to serial ports via the
Serial API:

Computer Configuration\Administrative Templates\Google\Google Chrome\Content
settings\Control use of the Serial API

Default Value:
Unset (Same as Enabled with Allow sites to ask the user to grant access to a serial port,
but user can change)

References:

1. https://chromeenterprise.google/policies/#DefaultSerialGuardSetting
2. https://chromeenterprise.google/policies/#SerialAskForUrls
3. https://chromeenterprise.google/policies/#SerialBlockedForUrls
4. https://chromeenterprise.google/policies/#SerialAllowAllPortsForUrls

CIS Controls:

Controls Version  Control                                               IG 1  IG 2  IG 3
v8                4.8 Uninstall or Disable Unnecessary Services on            ●     ●
                  Enterprise Assets and Software
                  Uninstall or disable unnecessary services on
                  enterprise assets and software, such as an unused file
                  sharing service, web application module, or service
                  function.
v7                9.2 Ensure Only Approved Ports, Protocols and Services      ●     ●
                  Are Running
                  Ensure that only network ports, protocols, and
                  services listening on a system with validated business
                  needs, are running on each system.

Page 230
4.2.2 (L2) Ensure 'Default Sensors Setting' is set to 'Enabled: Do
not allow any site to access sensors' (Automated)
Profile Applicability:

• Level 2 (L2) - High Security/Sensitive Data Environment (limited functionality)

Description:
This setting controls website access and use of system sensors such as motion and
light.

• Allow sites to access sensors (1)
• Do not allow any site to access sensors (2)

The recommended state for this setting is: Enabled with a value of Do not allow any
site to access sensors (2)

NOTE: If more granular control is needed (per website) then this setting can be used in
combination with the SensorsAllowedForUrls and SensorsBlockedForUrls settings. For
example, SensorsAllowedForUrls can be used to allow sensor access to specific sites.
Please see the references below for more information.
Rationale:
Preventing access to system sensors may prevent malicious sites from using these
sensors for user profiling (OpSec).
Impact:
This setting would also prevent legitimate sites from accessing sensors.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 2:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:DefaultSensorsSetting

Page 231
Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled: Do not allow any site to access sensors:
Computer Configuration\Administrative Templates\Google\Google Chrome\Content
settings\Default sensors setting

Default Value:
Unset (Same as Enabled with a value of Allow sites to access sensors, but user can
change)

References:

1. https://chromeenterprise.google/policies/#DefaultSensorsSetting
2. https://chromeenterprise.google/policies/#SensorsAllowedForUrls
3. https://chromeenterprise.google/policies/#SensorsBlockedForUrls

CIS Controls:

Controls Version  Control                                               IG 1  IG 2  IG 3
v8                4.8 Uninstall or Disable Unnecessary Services on            ●     ●
                  Enterprise Assets and Software
                  Uninstall or disable unnecessary services on
                  enterprise assets and software, such as an unused file
                  sharing service, web application module, or service
                  function.
v7                9.2 Ensure Only Approved Ports, Protocols and Services      ●     ●
                  Are Running
                  Ensure that only network ports, protocols, and
                  services listening on a system with validated business
                  needs, are running on each system.
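Every Audit subsection from the Block third party cookies recommendation at the top of this section through 4.2.2 names a single DWORD value under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome and the value it should hold. The PowerShell below is an added example, not part of the CIS Benchmark or its assessment content: it reads each of those values and reports PASS, FAIL, or NOT SET, so that an explicitly wrong value (FAIL) is distinguished from the unset default that the benchmark notes a user can change (NOT SET). The expected values are copied from the Audit text above; the function and variable names are the example's own.

```powershell
# Added example, not part of the CIS Benchmark: audit the DWORD-backed Chrome
# policies covered in this section. Expected values are the ones each Audit
# subsection prescribes; function and variable names are this example's own.

$ChromePolicyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

# Registry value name -> value the benchmark prescribes (from the Audit subsections)
$ExpectedChromePolicies = [ordered]@{
    'BlockThirdPartyCookies'                  = 1   # Block third party cookies: Enabled
    'BrowserSignin'                           = 0   # 3.5  Disable browser sign-in
    'ChromeCleanupReportingEnabled'           = 0   # 3.6
    'SyncDisabled'                            = 1   # 3.7  Enabled
    'AlternateErrorPagesEnabled'              = 0   # 3.8
    'AllowDeletingBrowserHistory'             = 0   # 3.9
    'NetworkPredictionOptions'                = 2   # 3.10 Do not predict network actions
    'SpellCheckServiceEnabled'                = 0   # 3.11
    'MetricsReportingEnabled'                 = 0   # 3.12
    'SafeBrowsingForTrustedSourcesEnabled'    = 0   # 3.13
    'SearchSuggestEnabled'                    = 0   # 3.14
    'TranslateEnabled'                        = 0   # 3.15
    'UrlKeyedAnonymizedDataCollectionEnabled' = 0   # 3.16
    'ScreenCaptureAllowed'                    = 0   # 4.1.1
    'DefaultSerialGuardSetting'               = 2   # 4.2.1 Do not allow any site (serial ports)
    'DefaultSensorsSetting'                   = 2   # 4.2.2 Do not allow any site (sensors)
}

function Test-ChromePolicyValues {
    [CmdletBinding()]
    param(
        [System.Collections.IDictionary]$Expected = $ExpectedChromePolicies,
        [string]$Path = $ChromePolicyKey
    )
    # If the policy key is absent, nothing is enforced: every value reports NOT SET.
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    foreach ($name in $Expected.Keys) {
        $actual = if ($key) { $key.GetValue($name) } else { $null }
        $kind   = if ($key -and $null -ne $actual) { $key.GetValueKind($name) } else { $null }
        $status = if ($null -eq $actual) {
            'NOT SET'   # default applies and the user can change it
        } elseif (($actual -as [int]) -eq [int]$Expected[$name]) {
            'PASS'
        } else {
            'FAIL'      # explicitly configured to a value the benchmark does not prescribe
        }
        [pscustomobject]@{
            Policy   = $name
            Expected = $Expected[$name]
            Actual   = $actual
            Kind     = $kind          # informational: policy values here are expected as DWORD
            Status   = $status
        }
    }
}

function Set-ChromePolicyValue {
    # Remediation helper: writes one DWORD policy value (requires elevation).
    # -WhatIf previews the change without touching the registry.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$Value,
        [string]$Path = $ChromePolicyKey
    )
    if ($PSCmdlet.ShouldProcess("$Path\$Name", "Set DWORD to $Value")) {
        if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
        New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
    }
}

# Report the audit, then preview (not apply) remediation for anything not passing.
$results = Test-ChromePolicyValues
$results | Format-Table -AutoSize
$results | Where-Object Status -ne 'PASS' | ForEach-Object {
    Set-ChromePolicyValue -Name $_.Policy -Value $_.Expected -WhatIf
}
```

Reading HKLM needs no elevation, so the audit half can run under an ordinary account; drop `-WhatIf` from the last loop only in an elevated session when the intent is to enforce the values directly rather than through Group Policy as the Remediation subsections describe.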

Page 232
4.2.3 (L1) Ensure 'Allow clipboard for these sites' Is Configured
(Manual)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
This setting allows administrators to list specific sites that have access to the clipboard
site permissions.
Note: This does not include using keyboard shortcuts. Those are not gated by the
clipboard site permission.
Rationale:
Setting this policy allows specified URLs to have access to the clipboard site
permissions. This will allow the specified sites to have access to data on the clipboard
that other sites do not. DefaultClipboardSetting is recommended to be set to
disabled, so this list would be the only sites that would have access to the clipboard
data.
Impact:
Enforcing this recommendation can cause the clipboard functionality to not work
identically for every site.

Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set individually to your organization's allowed URLs:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ClipboardAllowedForUrls\<number> = <url>
Example:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ClipboardAllowedForUrls\1
= https://www.example.com
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ClipboardAllowedForUrls\2
= [*.]example.edu
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ClipboardAllowedForUrls\3
= https://www.example.net

Page 233
Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled and set Show to the approved URLs:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Content settings\Allow clipboard on these sites

Default Value:
DefaultClipboardSetting applies to all sites

References:

1. https://chromeenterprise.google/policies/#ClipboardAllowedForUrls
2. https://chromeenterprise.google/policies/url-patterns/

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 0.0 Explicitly Not Mapped | | |
v7 | 0.0 Explicitly Not Mapped | | |

Page 234
4.2.4 (L1) Ensure 'Block clipboard on these sites' Is Configured
(Manual)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
This setting allows administrators to list specific sites that do not have access to the
clipboard site permissions.
Note: This does not include using keyboard shortcuts. Those are not gated by the
clipboard site permission.
Rationale:
Specifying URLs that do not have access to the clipboard site permission limits which
sites can read data on the clipboard.
Setting this policy denies the specified URLs the clipboard site permission, so they
cannot read clipboard data that other sites can. DefaultClipboardSetting is recommended
to be set to Disabled, so this list would be a backup to that policy in case it was
enabled, left as the default, or removed.
Impact:
Enforcing this recommendation can cause the clipboard functionality to not work
identically for every site.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set individually to your organization's blocked URLs:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ClipboardBlockedForUrls\<number> = <url>
Example:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ClipboardBlockedForUrls\1 = https://www.example.com
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ClipboardBlockedForUrls\2 = [*.]example.edu
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ClipboardBlockedForUrls\3 = https://www.example.net

Page 235
Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled and set Show to the blocked URLs:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Content settings\Block clipboard on these sites

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 9.2 Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains. | ● | ● | ●
v7 | 4.8 Log and Alert on Changes to Administrative Group Membership: Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges. | | ● | ●

Page 236
4.2.5 (L1) Ensure 'Default clipboard setting' Is 'Enabled' to 'Deny
Permissions' (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
This setting controls the defaults for clipboard permission access from sites. It can be
configured to either:

• Disabled (2): Does not allow access to the clipboard site permission by any site
• Enabled (3): Sites ask the user to allow access to the clipboard site permission

If the value for DefaultClipboardSetting is not changed from the default, it will behave
as if it is enabled. ClipboardAllowedForUrls or ClipboardBlockedForUrls will override
this setting for any site that matches the configured URL patterns.
With the setting disabled, organizations will need to set ClipboardAllowedForUrls for
any URLs they want to make exempt.
Rationale:
The clipboard stores data, text, and images that are shared between all applications. An
organization would disable clipboard access to restrict sites from reading the contents of
the clipboard when visiting.

Impact:
Not allowing sites to have access to the clipboard permission can cause issues with
formatting or access to needed images on the clipboard.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 2:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:DefaultClipboardSetting

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled: Do not allow any site to use the clipboard site permission:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Content settings\Default clipboard setting

Page 237
Default Value:
Allow clipboard permission access
References:

1. https://chromeenterprise.google/policies/#DefaultClipboardSetting

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 9.2 Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains. | ● | ● | ●
v7 | 4.8 Log and Alert on Changes to Administrative Group Membership: Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges. | | ● | ●

Page 238
4.2.6 (L2) Ensure 'Default Window Management permissions
setting' Is 'Enabled' to 'Deny Permission' (Automated)
Profile Applicability:

• Level 2 (L2) - High Security/Sensitive Data Environment (limited functionality)

Description:
This setting can automatically deny access to the window management permissions by
sites. It can be configured to either:

• Disabled (2): Does not allow access to the Window Management permission by
any site
• Enabled (3): A site must ask the user any time it wants to access the Window
Management permission.

If the value for DefaultWindowManagementSetting is not changed from the default, it will
behave as if it is enabled. WindowManagementAllowedForUrls or
WindowManagementBlockedForUrls will override this setting for any site that matches the
configured URL patterns.
Rationale:
Denying access to Window Management can block rogue sites from opening additional
browser windows. By blocking the additional windows, an organization could stop
instances of nefarious sites being opened in locations of which the user is unaware.
Impact:
Disabling this removes the user's ability to decide which sites get access to the
Window Management permission and could impact URLs the organization requires.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 2:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:DefaultWindowManagementSetting

Page 239
Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled: Denies the Window Management permission on all sites by default:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Content settings\Default Window Management permission setting

Default Value:
Allow Window Management permission access
References:

1. https://chromeenterprise.google/policies/#DefaultWindowManagementSetting

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 0.0 Explicitly Not Mapped | | |
v7 | 0.0 Explicitly Not Mapped | | |

Page 240
4.2.7 (L2) Ensure 'Allow Window Management permission on
these sites' Is Configured (Manual)
Profile Applicability:

• Level 2 (L2) - High Security/Sensitive Data Environment (limited functionality)

Description:
This setting can automatically allow access to the window management permissions for
specific sites.
If the value for WindowManagementAllowedForUrls is not changed from the default, it will
follow the configuration of DefaultWindowManagementSetting.

Rationale:
Allowing only specific sites to have access to Window Management means that only
permitted sites can see information about the device's screens and open additional
browser windows with a specified location and size.
Impact:
Enforcing this recommendation can cause visited sites to not display as intended.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set individually to your organization's allowed URLs:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\WindowManagementAllowedForUrls\<number> = <url>

Example:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\WindowManagementAllowedForUrls\1 = https://www.example.com
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\WindowManagementAllowedForUrls\2 = [*.]example.edu
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\WindowManagementAllowedForUrls\3 = https://www.example.net

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled and set Show to the approved URLs:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Content settings\Allow Window Management permission on these sites

Page 241
References:

1. https://chromeenterprise.google/policies/#WindowManagementAllowedForUrls

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 0.0 Explicitly Not Mapped | | |
v7 | 0.0 Explicitly Not Mapped | | |

Page 242
4.2.8 (L2) Ensure 'Block Window Management permission on
these sites' Is Configured (Manual)
Profile Applicability:

• Level 2 (L2) - High Security/Sensitive Data Environment (limited functionality)

Description:
This setting can automatically deny access to the window management permissions for
specific sites.
If the value for WindowManagementBlockedForUrls is not changed from the default, it will
follow the configuration of DefaultWindowManagementSetting.

Rationale:
Specifying URLs that do not have access to the window management permission limits which
sites can see information about the device's screens and open additional browser windows
at a chosen location and size; all other sites follow DefaultWindowManagementSetting.
Impact:
Enforcing this recommendation can cause visited sites to not display as intended.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set individually to your organization's blocked URLs:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\WindowManagementBlockedForUrls\<number> = <url>

Example:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\WindowManagementBlockedForUrls\1 = https://www.example.com
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\WindowManagementBlockedForUrls\2 = [*.]example.edu
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\WindowManagementBlockedForUrls\3 = https://www.example.net

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled and set Show to the blocked URLs:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Content settings\Block Window Management permission on these sites
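The policies in 4.2.6 through 4.2.8 form the same default/allow-list/block-list trio as the clipboard policies in 4.2.3 through 4.2.5, so one audit routine can check either. The PowerShell below is an added example written for this edit; it is not part of the CIS Benchmark and not Google's tooling. The function names and the wording of the findings are its own; the registry locations are the ones given in the Audit sections above, and it assumes it runs on the managed Windows workstation (reading HKLM needs no elevation).

```powershell
# Added example, not CIS Benchmark content: audit a Chrome "Default<X>Setting" value
# together with its <X>AllowedForUrls / <X>BlockedForUrls lists, for X = Clipboard
# (4.2.3-4.2.5) or WindowManagement (4.2.6-4.2.8). Registry paths are from the Audit sections.
$ChromePolicyRoot = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

function Get-ChromePolicyUrlList {
    # Chrome list policies are stored as numbered REG_SZ values (1, 2, 3, ...) under a
    # subkey named after the policy, e.g. ...\Chrome\ClipboardAllowedForUrls\1 = https://www.example.com
    param([Parameter(Mandatory)][string]$PolicyName)
    $key = Join-Path $ChromePolicyRoot $PolicyName
    if (-not (Test-Path $key)) { return @() }
    $item = Get-Item $key
    # Numeric sort so the order matches the GPO "Show..." dialog
    $names = $item.GetValueNames() | Where-Object { $_ -match '^\d+$' } | Sort-Object { [int]$_ }
    foreach ($n in $names) { $item.GetValue($n) }
}

function Test-ChromeUrlPermissionPolicy {
    # $Permission is the middle part of the three policy names
    param([Parameter(Mandatory)][ValidateSet('Clipboard', 'WindowManagement')][string]$Permission)

    $defaultName = "Default${Permission}Setting"
    $props   = Get-ItemProperty -Path $ChromePolicyRoot -ErrorAction SilentlyContinue
    $default = if ($null -ne $props) { $props.$defaultName } else { $null }
    $allowed = @(Get-ChromePolicyUrlList -PolicyName "${Permission}AllowedForUrls")
    $blocked = @(Get-ChromePolicyUrlList -PolicyName "${Permission}BlockedForUrls")
    $findings = New-Object System.Collections.Generic.List[string]

    # The benchmark expects 2 (deny); an unset value behaves as 3 (ask the user).
    if ($null -eq $default) {
        $findings.Add("$defaultName is not configured (behaves as 3, ask).")
    } elseif ($default -ne 2) {
        $findings.Add("$defaultName is $default; expected 2 (deny).")
    }

    # With a deny default, the allow list is the only route to the permission.
    if ($default -eq 2 -and $allowed.Count -eq 0) {
        $findings.Add("$defaultName denies by default and ${Permission}AllowedForUrls is empty, so no site can use the permission.")
    }

    # The same pattern on both lists is a configuration mistake worth surfacing.
    foreach ($pattern in $allowed) {
        if ($blocked -contains $pattern) {
            $findings.Add("Pattern '$pattern' is on both the allow and the block list.")
        }
    }

    [pscustomobject]@{
        Permission = $Permission
        Default    = $default
        Allowed    = $allowed
        Blocked    = $blocked
        Compliant  = ($null -ne $default -and $default -eq 2)   # the Automated check (4.2.5 / 4.2.6)
        Findings   = $findings.ToArray()                          # everything a reviewer should look at
    }
}

# Usage: audit both trios from section 4.2
'Clipboard', 'WindowManagement' | ForEach-Object { Test-ChromeUrlPermissionPolicy -Permission $_ } | Format-List
```

Compliant reflects only the Automated default-value check; the Findings list goes further and flags two states that pass value by value but are unhelpful as a whole: a deny default with an empty allow list, which means no site gets the permission at all, and a pattern that appears on both lists.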

Page 243
References:

1. https://chromeenterprise.google/policies/#WindowManagementBlockedForUrls

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 0.0 Explicitly Not Mapped | | |
v7 | 0.0 Explicitly Not Mapped | | |

Page 244
4.3 (L2) Ensure 'Allow invocation of file selection dialogs' is set to
'Disabled' (Automated)
Profile Applicability:

• Level 2 (L2) - High Security/Sensitive Data Environment (limited functionality)

Description:
This setting allows access to local files by allowing file selection dialogs in Google
Chrome.
The recommended state for this setting is: Disabled (0)

Rationale:
Allowing users to import favorites, upload files, and save links could pose potential
security risks by allowing data to be uploaded to external sites or by downloading
malicious files. By not allowing the file selection dialog, the end-user will not be
prompted for uploads/downloads, preventing data exfiltration and possible system
infection by malware.
Impact:
If you disable this setting, users will no longer be prompted when performing actions
which would trigger a file selection dialog. Instead, the file selection dialog box behaves
as if the user clicked "Cancel". Because this is not the default behavior, the impact to the
user will be noticeable, and the user will not be able to upload and download files.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 0:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:AllowFileSelectionDialogs

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path to
Disabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Allow invocation of file selection dialogs

Default Value:
Unset (Same as Enabled, but user can change)

Page 245
References:

1. https://chromeenterprise.google/policies/#AllowFileSelectionDialogs

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 2.7 Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently. | | | ●
v7 | 2.5 Integrate Software and Hardware Asset Inventories: The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location. | | | ●

Page 246
4.4 (L2) Ensure 'Allow or deny audio capture' is set to 'Disabled'
(Automated)
Profile Applicability:

• Level 2 (L2) - High Security/Sensitive Data Environment (limited functionality)

Description:
This setting allows administrators to set whether the end-user is prompted for access to
audio capture devices.

• Disabled (0): Turns off prompts and audio capture will only work for URLs
configured in the AudioCaptureAllowedUrls list.
• Enabled (1): With the exception of URLs set in the AudioCaptureAllowedUrls list,
users get prompted for audio capture access.

NOTE: The setting affects all audio input (not just the built-in microphone).
The recommended state for this setting is: Disabled (0)

Rationale:
The end-user having the ability to allow or deny audio capture for websites in Google
Chrome could open an organization up to a malicious site that may capture proprietary
information through the browser. Limiting or disallowing audio capture removes the
end-user's discretion, leaving it up to the organization which sites are allowed to use this
ability.
Impact:
If you disable this setting, users will not be prompted for audio devices when using
websites which may need this access, such as a web-based conferencing system. If
there are sites for which access will be allowed, configuration of the
AudioCaptureAllowedUrls setting will be necessary.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 0:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:AudioCaptureAllowed

Page 247
Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Disabled:
Computer Configuration\Administrative Templates\Google\Google Chrome\Allow or
deny audio capture

Default Value:
Unset (Same as Enabled, but user can change)
References:

1. https://chromeenterprise.google/policies/#AudioCaptureAllowed

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 9.2 Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains. | ● | ● | ●
v7 | 4.8 Log and Alert on Changes to Administrative Group Membership: Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges. | | ● | ●

Page 248
4.5 (L2) Ensure 'Allow or deny video capture' is set to 'Disabled'
(Automated)
Profile Applicability:

• Level 2 (L2) - High Security/Sensitive Data Environment (limited functionality)

Description:
This setting allows administrators to set whether the end-user is prompted for access to
video capture devices.

• Disabled (0): Turns off prompts and video capture will only work for URLs
configured in the VideoCaptureAllowedUrls list.
• Enabled (1): With the exception of URLs set in the VideoCaptureAllowedUrls list,
users get prompted for video capture access.

NOTE: The setting affects all video input (not just the built-in camera).
The recommended state for this setting is: Disabled (0)

Rationale:
The end-user having the ability to allow or deny video capture for websites in Google
Chrome could open an organization up to a malicious site that may capture proprietary
information through the browser. Limiting or disallowing video capture removes the
end-user's discretion, leaving it up to the organization which sites are allowed to use this
ability.
Impact:
If you disable this setting, users will not be prompted for video devices when using
websites which may need this access, such as a web-based conferencing system. If
there are sites for which access will be allowed, configuration of the
VideoCaptureAllowedUrls setting will be necessary.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 0:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:VideoCaptureAllowed

Page 249
Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Disabled:
Computer Configuration\Administrative Templates\Google\Google Chrome\Allow or
deny video capture

Default Value:
Unset (Same as Enabled, but user can change)
References:

1. https://chromeenterprise.google/policies/#VideoCaptureAllowed
2. https://chromeenterprise.google/policies/#VideoCaptureAllowedUrls

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 9.2 Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains. | ● | ● | ●
v7 | 4.8 Log and Alert on Changes to Administrative Group Membership: Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges. | | ● | ●

Page 250
4.6 (L1) Ensure 'Allow user feedback' is set to 'Disabled'
(Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
This setting controls whether users are able to utilize the Chrome feedback feature to
send feedback, suggestions, and surveys to Google, as well as issue reports.
The recommended state for this setting is: Disabled (0)

Rationale:
Data should not be shared with third-party vendors in an enterprise managed
environment.
Impact:
Users will not be able to send feedback to Google.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 0:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:UserFeedbackAllowed

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Disabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Allow user feedback

Default Value:
Unset (Same as Enabled, but user can change)
References:

1. https://chromeenterprise.google/policies/#UserFeedbackAllowed

Page 251
CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 9.2 Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains. | ● | ● | ●
v7 | 4.8 Log and Alert on Changes to Administrative Group Membership: Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges. | | ● | ●

Page 252
4.7 (L2) Ensure 'Controls the mode of DNS-over-HTTPS' is set to
'Enabled: DNS-over-HTTPS without insecure fallback'
(Automated)
Profile Applicability:

• Level 2 (L2) - High Security/Sensitive Data Environment (limited functionality)

Description:
This controls the mode of the DNS-over-HTTPS resolver. Please note that this setting
will only set the default mode for each query. The mode may be overridden for special
types of queries, such as requests to resolve a DNS-over-HTTPS server hostname.

• Disable DNS-over-HTTPS (off)
• Enable DNS-over-HTTPS with insecure fallback (automatic) - Send DNS-over-HTTPS
queries first if a DNS-over-HTTPS server is available, and fall back to sending
insecure queries on error.
• Enable DNS-over-HTTPS without insecure fallback (secure) - Only send DNS-over-HTTPS
queries; resolution fails on error.

The recommended state for this setting is: Enabled with a value of Enable DNS-over-
HTTPS without insecure fallback (secure)

Note: When enabling this policy, it is recommended to also configure the
DnsOverHttpsTemplates policy so that the URI templates are set. You can find out more
information on the DnsOverHttpsTemplates enterprise policy site.

Rationale:
DNS over HTTPS (DoH) has two primary benefits:

1. Encrypting DNS name resolution traffic helps to hide your online activities, since
DoH hides the name resolution requests from the ISP and from anyone listening
on intermediary networks.
2. DoH also helps to prevent DNS spoofing and man-in-the-middle (MitM) attacks.

Impact:
Not all DNS providers support DoH, so choice is limited. Also, enterprises sometimes
monitor DNS requests to block access to malicious or inappropriate sites. DNS
monitoring can also be used to detect malware attempting to "phone home."
Because DoH encrypts name resolution requests, it can create a security monitoring
blind spot.

Page 253
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to secure:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:DnsOverHttpsMode

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled: Enable DNS-over-HTTPS without insecure fallback:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Controls the mode of DNS-over-HTTPS
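An audit for 4.7 that also checks the DnsOverHttpsTemplates policy the note above recommends configuring alongside the mode. This PowerShell is an added example written for this edit, not the benchmark's or Google's code; the function name, the finding messages and the placeholder resolver in the comment are its own, and the registry location is the one in the Audit section.

```powershell
# Added example, not CIS Benchmark content: audit DnsOverHttpsMode (4.7) and the
# companion DnsOverHttpsTemplates value. Registry path is the one in the Audit section.
$ChromePolicyRoot = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

function Test-ChromeDnsOverHttps {
    $props = Get-ItemProperty -Path $ChromePolicyRoot -ErrorAction SilentlyContinue
    $mode      = if ($null -ne $props) { $props.DnsOverHttpsMode } else { $null }      # REG_SZ: off | automatic | secure
    $templates = if ($null -ne $props) { $props.DnsOverHttpsTemplates } else { $null } # REG_SZ: space-separated URI templates
    $findings  = New-Object System.Collections.Generic.List[string]

    # The benchmark expects the literal value 'secure' (DoH without insecure fallback).
    if ($null -eq $mode) {
        $findings.Add("DnsOverHttpsMode is not configured; see the Default Value section for what Chrome then does.")
    } elseif ($mode -cne 'secure') {
        $findings.Add("DnsOverHttpsMode is '$mode'; expected 'secure'.")
    }

    # Templates: each whitespace-separated entry should be an https:// URI template, e.g.
    # https://doh.resolver.example/dns-query{?dns} (constructed placeholder, not a real resolver).
    $templateList = @()
    if (-not [string]::IsNullOrWhiteSpace($templates)) {
        $templateList = @($templates -split '\s+' | Where-Object { $_ })
    }
    if ($mode -ceq 'secure' -and $templateList.Count -eq 0) {
        $findings.Add("Mode is 'secure' but DnsOverHttpsTemplates is empty; the note in 4.7 recommends setting templates.")
    }
    foreach ($t in $templateList) {
        if ($t -notmatch '^https://') {
            $findings.Add("Template '$t' is not an https:// URI; a DoH resolver must be reached over HTTPS.")
        }
    }

    [pscustomobject]@{
        Mode      = $mode
        Templates = $templateList
        Compliant = ($mode -ceq 'secure')          # the Automated check from the Audit section
        Findings  = $findings.ToArray()
    }
}

# Usage
Test-ChromeDnsOverHttps | Format-List
```

Compliant mirrors the benchmark's single-value check; the template findings are the extra context an operator wants before enforcing secure mode, since a secure-only resolver with no reachable template leaves the browser unable to resolve names.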

Default Value:
Unset (Same as Enable DNS-over-HTTPS with insecure fallback (automatic)). If any
policy is set, either through being domain-joined or active policy with cloud management
(or profile lists), then it sometimes reverts to Disable DNS-over-HTTPS and users can't
change it.
References:

1. https://chromeenterprise.google/policies/#DnsOverHttpsMode

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 3.10 Encrypt Sensitive Data in Transit: Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH). | | ● | ●
v8 | 14.4 Train Workforce on Data Handling Best Practices: Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This also includes training workforce members on clear screen and desk best practices, such as locking their screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data and assets securely. | ● | ● | ●

Page 254
4.8 (L2) Ensure 'Enable AutoFill for addresses' is set to 'Disabled'
(Automated)
Profile Applicability:

• Level 2 (L2) - High Security/Sensitive Data Environment (limited functionality)

Description:
Chrome allows users to auto-complete web forms with saved information such as
address or phone number. Disabling this feature will prompt a user to enter all
information manually.
The recommended state for this setting is: Disabled (0)

Rationale:
If an attacker gains access to a user's machine where the user has stored address
AutoFill data, information could be harvested.

Impact:
If this setting is disabled, AutoFill will be inaccessible to users.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 0:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:AutofillAddressEnabled

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Disabled:
Computer Configuration\Administrative Templates\Google\Google Chrome\Enable
AutoFill for addresses

Default Value:
Unset (Same as Enabled, but user can change)
References:

1. https://chromeenterprise.google/policies/#AutofillAddressEnabled

Page 255
CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 9.2 Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains. | ● | ● | ●
v7 | 4.8 Log and Alert on Changes to Administrative Group Membership: Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges. | | ● | ●

Page 256
4.9 (L1) Ensure 'Enable AutoFill for credit cards' is set to
'Disabled' (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
Chrome allows users to auto-complete web forms with saved credit card information.
Disabling this feature will prompt a user to enter all information manually.
The recommended state for this setting is: Disabled (0)

Rationale:
If an attacker gains access to a user's machine where the user has stored credit card
AutoFill data, information could be harvested.
Impact:
If this setting is disabled, credit card AutoFill will be inaccessible to users.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 0:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:AutofillCreditCardEnabled

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Disabled:
Computer Configuration\Administrative Templates\Google\Google Chrome\Enable
AutoFill for credit cards

Default Value:
Unset (Same as Enabled, but user can change)
References:

1. https://chromeenterprise.google/policies/#AutofillCreditCardEnabled

Page 257
CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 9.2 Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains. | ● | ● | ●
v7 | 4.8 Log and Alert on Changes to Administrative Group Membership: Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges. | | ● | ●

Page 258
4.10 (L1) Ensure 'Import saved passwords from default browser
on first run' is set to 'Disabled' (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
This setting controls if saved passwords from the default browser can be imported (on
first run and later manually).
The recommended state for this setting is: Disabled (0)

Rationale:
In Chrome, passwords can be stored in plain-text and revealed by clicking the “show”
button next to the password field by going to chrome://settings/passwords/.
Impact:
If this setting is disabled, saved passwords from other browsers are not imported.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 0:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:ImportSavedPasswords

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Disabled:
Computer Configuration\Administrative Templates\Google\Google Chrome\Import
saved passwords from default browser on first run

Default Value:
Unset (Same as Enabled, but user can change)
References:

1. https://chromeenterprise.google/policies/#ImportSavedPasswords

Page 259
CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 9.2 Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains. | ● | ● | ●
v7 | 4.8 Log and Alert on Changes to Administrative Group Membership: Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges. | | ● | ●

Page 260
4.11 (L1) Ensure 'List of types that should be excluded from
synchronization' is set to 'Enabled: passwords' (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
This setting allows you to specify data types that are excluded from uploading to the
Google Chrome synchronization service.
The recommended state for this setting is: Enabled with the following text value
passwords (Case Sensitive)

NOTE: Other settings in addition to passwords can be included based on organizational
needs.
Rationale:
Storing and sharing information could potentially expose sensitive information including
but not limited to user passwords and login information. Allowing this synchronization
could also potentially allow an end user to pull corporate data that was synchronized
into the cloud to a personal machine.
Impact:
Password data will not be synchronized with the Google Chrome synchronization
service.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to passwords:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\SyncTypesListDisabled:1

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled: passwords (Case Sensitive):
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\List of types that should be excluded from synchronization

Default Value:
Unset (Same as Disabled, but user can change)

Page 261
References:

1. https://chromeenterprise.google/policies/#SyncTypesListDisabled

CIS Controls:

Controls Version | Control | IG 1 | IG 2 | IG 3
v8 | 0.0 Explicitly Not Mapped | | |
v7 | 0.0 Explicitly Not Mapped | | |

Page 262
4.12 (L2) Ensure 'Allow or deny screen capture' is set to
'Disabled' (Automated)
Profile Applicability:

• Level 2 (L2) - High Security/Sensitive Data Environment (limited functionality)

Description:
If enabled or not configured (default), a Web page can use screen-share APIs (e.g.,
getDisplayMedia() or the Desktop Capture extension API) to prompt the user to select a
tab, window, or desktop to capture.
Rationale:
The end-user having the ability to allow or deny screen capture for websites in Google
Chrome could open an organization up to a malicious site that may capture proprietary
information through the browser. By limiting or disallowing screen capture, it removes
the end-user's discretion, leaving it up to the organization which sites are allowed to use
this ability.
Impact:
When this policy is disabled, any calls to screen-share APIs will fail with an error. This
policy is not considered (and a site will be allowed to use screen-share APIs) if the site
matches an origin pattern in any of the following policies:
ScreenCaptureAllowedByOrigins, WindowCaptureAllowedByOrigins,
TabCaptureAllowedByOrigins, SameOriginTabCaptureAllowedByOrigins.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 0:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:ScreenCaptureAllowed

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Disabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Allow or deny screen capture\Allow or deny screen capture

Default Value:
Unset (Same as Enabled, but user can change)

References:

1. https://chromeenterprise.google/policies/#ScreenCaptureAllowed
2. https://chromeenterprise.google/policies/#SameOriginTabCaptureAllowedByOrigins
3. https://chromeenterprise.google/policies/#ScreenCaptureAllowedByOrigins
4. https://chromeenterprise.google/policies/#TabCaptureAllowedByOrigins
5. https://chromeenterprise.google/policies/#WindowCaptureAllowedByOrigins

CIS Controls:

Controls Version  Control                      IG 1  IG 2  IG 3
v8                0.0 Explicitly Not Mapped
v7                0.0 Explicitly Not Mapped

5 Forensics (Post Incident)
This section contains recommendations to help in post-incident forensics and analysis.
Organizations should review these settings and any potential impacts to ensure they
make sense within their environment.

5.1 (L2) Ensure 'Enable guest mode in browser' is set to
'Disabled' (Automated)
Profile Applicability:

• Level 2 (L2) - High Security/Sensitive Data Environment (limited functionality)

Description:
This setting controls whether a user may utilize guest profiles in Google Chrome.
The recommended state for this setting is: Disabled (0)

Rationale:
In a guest profile, the browser does not import browsing data from existing profiles, and
it deletes the guest session's browsing data when all guest profiles are closed.
That deletion destroys information that may be important to a computer investigation,
and investigators such as Computer Forensics Analysts may be unable to retrieve
information pertinent to the investigation.
Impact:
Users will not be able to initiate Guest mode for Google Chrome.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 0:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:BrowserGuestModeEnabled

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Disabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Enable guest mode in browser

Default Value:
Unset (Same as Enabled, but user can change)

References:

1. https://chromeenterprise.google/policies/#BrowserGuestModeEnabled

CIS Controls:

Controls Version  Control                                                           IG 1  IG 2  IG 3
v8                9.2 Use DNS Filtering Services                                     ●     ●     ●
                  Use DNS filtering services on all enterprise assets to block
                  access to known malicious domains.
v7                4.8 Log and Alert on Changes to Administrative Group Membership          ●     ●
                  Configure systems to issue a log entry and alert when an account
                  is added to or removed from any group assigned administrative
                  privileges.

5.2 (L2) Ensure 'Incognito mode availability' is set to 'Enabled:
Incognito mode disabled' (Automated)
Profile Applicability:

• Level 2 (L2) - High Security/Sensitive Data Environment (limited functionality)

Description:
Specifies whether the user may open pages in Incognito mode in Google Chrome. The
possible values are:

• Incognito mode available (0 - Same as Disabled)
• Incognito mode disabled (1)
• Incognito mode forced (2)

The recommended state for this setting is: Enabled: Incognito mode disabled (1)

Rationale:
Incognito mode in Chrome gives the user the choice to browse the internet without their
activity being saved to the browser or device.
Allowing users to browse without any information being saved can hide evidence of
malicious behavior. That information may be important to a computer investigation, and
investigators such as Computer Forensics Analysts may be unable to retrieve information
pertinent to the investigation.
Impact:
Users will not be able to initiate Incognito mode for Google Chrome.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location which
should be set to 1:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:IncognitoModeAvailability

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled: Incognito mode disabled:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Incognito mode availability

Default Value:
Unset (Same as Enabled, but user can change)
References:

1. https://chromeenterprise.google/policies/#IncognitoModeAvailability

CIS Controls:

Controls Version  Control                      IG 1  IG 2  IG 3
v8                0.0 Explicitly Not Mapped
v7                0.0 Explicitly Not Mapped

5.3 (L1) Ensure 'Set disk cache size, in bytes' is set to 'Enabled:
250609664' (Automated)
Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:
This setting controls the size of the cache, in bytes, used to store files on the disk.
The recommended state for this setting is: Enabled: 250609664 or greater
NOTE: The value specified in this setting isn't a hard boundary but rather a suggestion
to the caching system; any value below a few megabytes is too small and will be rounded
up to a reasonable minimum.
Rationale:
Having enough disk space for browser cache is important for a computer investigation
and for investigators such as Computer Forensics Analysts to be able to retrieve
pertinent information to the investigation.
Impact:
Browser cache will take up to 250MB in disk space.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as
prescribed. This group policy setting is backed by the following registry location, which
should be set to ef00000 in hexadecimal (250609664 in decimal):
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:DiskCacheSize

Remediation:
To establish the recommended configuration via Group Policy, set the following UI path
to Enabled: 250609664:
Computer Configuration\Policies\Administrative Templates\Google\Google
Chrome\Set disk cache size in bytes

Default Value:

Unset (Same as Enabled with a system managed smaller default size, but the user can
change)
References:

1. https://chromeenterprise.google/policies/#DiskCacheSize

CIS Controls:

Controls Version  Control                                                           IG 1  IG 2  IG 3
v8                3.5 Securely Dispose of Data                                       ●     ●     ●
                  Securely dispose of data as outlined in the enterprise's data
                  management process. Ensure the disposal process and method are
                  commensurate with the data sensitivity.
v7                7.4 Maintain and Enforce Network-Based URL Filters                       ●     ●
                  Enforce network-based URL filters that limit a system's ability
                  to connect to websites not approved by the organization. This
                  filtering shall be enforced for each of the organization's
                  systems, whether they are physically at an organization's
                  facilities or not.

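The Audit sections of recommendations 4.11, 4.12, 5.1, 5.2 and 5.3 each name one registry location under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome and the value it should hold. The PowerShell below checks all five in one pass; it is an added example and is not part of the CIS Benchmark or of any CIS tooling. The registry paths, value names and expected values are the ones stated in the Audit sections above; the function names, the result object layout and the extra report on the per-origin screen-capture exception lists (the ones the Impact section of 4.12 says override the policy) are this example's own assumptions.

```powershell
# Added audit example, not part of the CIS Benchmark or of any CIS tooling.
# It checks the registry values that back recommendations 4.11, 4.12, 5.1, 5.2
# and 5.3 (paths and expected values taken from the Audit sections above).
# Function names and the result layout are this example's own.

$ChromePolicyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

function Test-ChromeDwordPolicy {
    param(
        [Parameter(Mandatory)] [string] $Id,
        [Parameter(Mandatory)] [string] $ValueName,
        [Parameter(Mandatory)] [int64]  $Expected,
        [switch] $AtLeast    # 5.3 is "250609664 or greater", not an exact match
    )
    $item = Get-ItemProperty -Path $ChromePolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Key or value absent: the policy is Unset and the user can change the setting.
        return [pscustomobject]@{ Id = $Id; Policy = $ValueName; Actual = 'Unset'; Pass = $false }
    }
    $actual = [int64] $item.$ValueName
    $pass = if ($AtLeast) { $actual -ge $Expected } else { $actual -eq $Expected }
    [pscustomobject]@{ Id = $Id; Policy = $ValueName; Actual = $actual; Pass = $pass }
}

# 4.11 is a list policy. Chrome reads list policies from a subkey whose values are
# named 1, 2, 3, ... with one list entry each, which is why the Audit section shows
# ...\Chrome\SyncTypesListDisabled:1 rather than a single value.
function Get-ChromeListPolicy {
    param([Parameter(Mandatory)] [string] $ListName)
    $subkey = Join-Path $ChromePolicyKey $ListName
    if (-not (Test-Path $subkey)) { return @() }
    $props = Get-ItemProperty -Path $subkey
    @($props.PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { [string] $_.Value })
}

function Test-SyncTypesListDisabled {
    $entries = Get-ChromeListPolicy -ListName 'SyncTypesListDisabled'
    # The benchmark marks the value as case sensitive, so compare with -ceq, not -eq.
    $pass = [bool] ($entries | Where-Object { $_ -ceq 'passwords' })
    [pscustomobject]@{
        Id = '4.11'; Policy = 'SyncTypesListDisabled'
        Actual = ($entries -join ', '); Pass = $pass
    }
}

$results = @(
    Test-SyncTypesListDisabled
    Test-ChromeDwordPolicy -Id '4.12' -ValueName 'ScreenCaptureAllowed'      -Expected 0
    Test-ChromeDwordPolicy -Id '5.1'  -ValueName 'BrowserGuestModeEnabled'   -Expected 0
    Test-ChromeDwordPolicy -Id '5.2'  -ValueName 'IncognitoModeAvailability' -Expected 1
    Test-ChromeDwordPolicy -Id '5.3'  -ValueName 'DiskCacheSize'             -Expected 250609664 -AtLeast
)
$results | Format-Table -AutoSize

# Caveat from the Impact section of 4.12: ScreenCaptureAllowed is not considered
# for any origin matched by these per-origin allow policies, so list them for review.
foreach ($list in 'ScreenCaptureAllowedByOrigins', 'WindowCaptureAllowedByOrigins',
                  'TabCaptureAllowedByOrigins', 'SameOriginTabCaptureAllowedByOrigins') {
    $origins = Get-ChromeListPolicy -ListName $list
    if ($origins.Count -gt 0) {
        Write-Warning ("{0} exempts {1} origin pattern(s) from 4.12: {2}" -f
            $list, $origins.Count, ($origins -join ', '))
    }
}
```

Run it on a managed workstation after Group Policy has refreshed; a row with Actual = Unset means the value is absent from the machine policy key, which matches the "Unset" default each recommendation describes. The registry check only sees what the GPO wrote: chrome://policy on the same machine shows the value Chrome actually applied, including any policy delivered from a source other than this key, so confirm there when the two disagree.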
Appendix: Summary Table

CIS Benchmark Recommendation                                                                 Set Correctly

1 Enforced Defaults
1.1 HTTP authentication
1.1.1 (L1) Ensure 'Cross-origin HTTP Authentication prompts' is set to 'Disabled' (Automated)  [ ] Yes  [ ] No
1.2 Safe Browsing settings
1.2.1 (L1) Ensure 'Configure the list of domains on which Safe Browsing will not trigger warnings' is set to 'Disabled' (Automated)  [ ] Yes  [ ] No
1.2.2 (L1) Ensure 'Safe Browsing Protection Level' is set to 'Enabled: Safe Browsing is active in the standard mode.' or higher (Manual)  [ ] Yes  [ ] No
1.3 (L1) Ensure 'Allow Google Cast to connect to Cast devices on all IP addresses' is set to 'Disabled' (Automated)  [ ] Yes  [ ] No
1.4 (L1) Ensure 'Allow queries to a Google time service' is set to 'Enabled' (Automated)  [ ] Yes  [ ] No
1.5 (L1) Ensure 'Allow the audio sandbox to run' is set to 'Enabled' (Automated)  [ ] Yes  [ ] No
1.6 (L1) Ensure 'Ask where to save each file before downloading' is set to 'Enabled' (Automated)  [ ] Yes  [ ] No
1.7 (L1) Ensure 'Continue running background apps when Google Chrome is closed' is set to 'Disabled' (Automated)  [ ] Yes  [ ] No
1.8 (L2) Ensure 'Control SafeSites adult content filtering' is set to 'Enabled: Filter top level sites (but not embedded iframes) for adult content' (Automated)  [ ] Yes  [ ] No
1.9 (L1) Ensure 'Determine the availability of variations' is set to 'Enable all variations' (Manual)  [ ] Yes  [ ] No
1.10 (L1) Ensure 'Disable Certificate Transparency enforcement for a list of Legacy Certificate Authorities' is set to 'Disabled' (Automated)  [ ] Yes  [ ] No
1.11 (L1) Ensure 'Disable Certificate Transparency enforcement for a list of subjectPublicKeyInfo hashes' is set to 'Disabled' (Automated)  [ ] Yes  [ ] No
1.12 (L1) Ensure 'Disable Certificate Transparency enforcement for a list of URLs' is set to 'Disabled' (Automated)  [ ] Yes  [ ] No
1.13 (L1) Ensure 'Disable saving browser history' is set to 'Disabled' (Automated)  [ ] Yes  [ ] No
1.14 (L1) Ensure 'DNS interception checks enabled' is set to 'Enabled' (Automated)  [ ] Yes  [ ] No
1.15 (L1) Ensure 'Enable component updates in Google Chrome' is set to 'Enabled' (Automated)  [ ] Yes  [ ] No
1.16 (L1) Ensure 'Enable globally scoped HTTP auth cache' is set to 'Disabled' (Automated)  [ ] Yes  [ ] No
1.17 (L1) Ensure 'Enable online OCSP/CRL checks' is set to 'Disabled' (Automated)  [ ] Yes  [ ] No
1.18 (L1) Ensure 'Enable security warnings for command-line flags' is set to 'Enabled' (Automated)  [ ] Yes  [ ] No
1.19 (L1) Ensure 'Enable third party software injection blocking' is set to 'Enabled' (Automated)  [ ] Yes  [ ] No
1.20 (L1) Ensure 'Enables managed extensions to use the Enterprise Hardware Platform API' is set to 'Disabled' (Automated)  [ ] Yes  [ ] No
1.21 (L1) Ensure 'Ephemeral profile' is set to 'Disabled' (Automated)  [ ] Yes  [ ] No
1.22 (L1) Ensure 'Import autofill form data from default browser on first run' is set to 'Disabled' (Automated)  [ ] Yes  [ ] No
1.23 (L1) Ensure 'Import of homepage from default browser on first run' is set to 'Disabled' (Automated)  [ ] Yes  [ ] No
1.24 (L1) Ensure 'Import search engines from default browser on first run' is set to 'Disabled' (Automated)  [ ] Yes  [ ] No
1.25 (L1) Ensure 'List of names that will bypass the HSTS policy check' is set to 'Disabled' (Automated)  [ ] Yes  [ ] No
1.26 (L1) Ensure 'Origins or hostname patterns for which restrictions on insecure origins should not apply' is set to 'Disabled' (Automated)  [ ] Yes  [ ] No
1.27 (L1) Ensure 'Suppress lookalike domain warnings on domains' is set to 'Disabled' (Automated)  [ ] Yes  [ ] No
1.28 (L1) Ensure 'Suppress the unsupported OS warning' is set to 'Disabled' (Automated)  [ ] Yes  [ ] No
1.29 (L1) Ensure 'URLs for which local IPs are exposed in WebRTC ICE candidates' is set to 'Disabled' (Automated)  [ ] Yes  [ ] No
2 Attack Surface Reduction
2.1 Update settings (Google section of GPO)
2.1.1 (L1) Ensure 'Update policy override' is set to 'Enabled' with 'Always allow updates (recommended)' or 'Automatic silent updates' specified (Automated)  [ ] Yes  [ ] No
2.1.2 (L1) Ensure 'Auto-update check period override' is set to any value except '0' (Automated)  [ ] Yes  [ ] No
2.2 Content settings
2.2.1 (L1) Ensure 'Control use of insecure content exceptions' is set to 'Enabled: Do not allow any site to load mixed content' (Automated)  [ ] Yes  [ ] No
2.2.2 (L2) Ensure 'Control use of the Web Bluetooth API' is set to 'Enabled: Do not allow any site to request access to Bluetooth devices via the Web Bluetooth API' (Automated)  [ ] Yes  [ ] No
2.2.3 (L2) Ensure 'Control use of the WebUSB API' is set to 'Enabled: Do not allow any site to request access to USB devices via the WebUSB API' (Automated)  [ ] Yes  [ ] No
2.2.4 (L2) Ensure 'Default notification setting' is set to 'Enabled: Do not allow any site to show desktop notifications' (Automated)  [ ] Yes  [ ] No
2.2.5 (L1) Ensure 'Allow local file access to file:// URLs on these sites in the PDF Viewer' Is Disabled (Automated)  [ ] Yes  [ ] No
2.3 Extensions
2.3.1 (L1) Ensure 'Blocks external extensions from being installed' is set to 'Enabled' (Automated)  [ ] Yes  [ ] No
2.3.2 (L1) Ensure 'Configure allowed app/extension types' is set to 'Enabled: extension, hosted_app, platform_app, theme' (Automated)  [ ] Yes  [ ] No
2.3.3 (L1) Ensure 'Configure extension installation blocklist' is set to 'Enabled: *' (Automated)  [ ] Yes  [ ] No
2.3.4 (L2) Ensure 'Default third-party storage partitioning setting' Is Enabled and Blocked (Automated)  [ ] Yes  [ ] No
2.3.5 (L1) Ensure 'Block third-party storage partitioning for these origins' Is Configured (Manual)  [ ] Yes  [ ] No
2.3.6 (L2) Ensure 'Control Manifest v2 extension availability' Is Set to Forced Only (Automated)  [ ] Yes  [ ] No
2.3.7 (L1) Ensure 'Control availability of extensions unpublished on the Chrome Web Store' Is Disabled (Automated)  [ ] Yes  [ ] No
2.4 HTTP authentication
2.4.1 (L2) Ensure 'Supported authentication schemes' is set to 'Enabled: ntlm, negotiate' (Automated)  [ ] Yes  [ ] No
2.5 Native Messaging
2.5.1 (L2) Ensure 'Configure native messaging blocklist' is set to 'Enabled: *' (Automated)  [ ] Yes  [ ] No
2.6 Password manager
2.6.1 (L1) Ensure 'Enable saving passwords to the password manager' is Explicitly Configured (Manual)  [ ] Yes  [ ] No
2.7 Printing
2.7.1 (L1) Ensure 'Enable Google Cloud Print Proxy' is set to 'Disabled' (Automated)  [ ] Yes  [ ] No
2.8 Remote access (Chrome Remote Desktop)
2.8.1 Ensure 'Allow remote access connections to this machine' is set to 'Disabled' (Manual)  [ ] Yes  [ ] No
2.8.2 (L1) Ensure 'Allow remote users to interact with elevated windows in remote assistance sessions' is set to 'Disabled' (Automated)  [ ] Yes  [ ] No
2.8.3 (L1) Ensure 'Configure the required domain names for remote access clients' is set to 'Enabled' with a domain defined (Manual)  [ ] Yes  [ ] No
2.8.4 (L1) Ensure 'Enable curtaining of remote access hosts' is set to 'Disabled' (Automated)  [ ] Yes  [ ] No
2.8.5 (L1) Ensure 'Enable firewall traversal from remote access host' is set to 'Disabled' (Automated)  [ ] Yes  [ ] No
2.8.6 (L1) Ensure 'Enable or disable PIN-less authentication for remote access hosts' is set to 'Disabled' (Automated)  [ ] Yes  [ ] No
2.8.7 (L1) Ensure 'Enable the use of relay servers by the remote access host' is set to 'Disabled'. (Automated)  [ ] Yes  [ ] No
2.9 First-Party Sets Settings
2.9.1 (L1) Ensure 'Enable First-Party Sets' Is Disabled (Manual)  [ ] Yes  [ ] No
2.10 Microsoft Active Directory Management Settings
2.10.1 (L1) Ensure 'Allow automatic sign-in to Microsoft cloud identity providers' Is Enabled (Manual)  [ ] Yes  [ ] No
2.11 (L1) Ensure 'Allow download restrictions' is set to 'Enabled: Block malicious downloads' (Automated)  [ ] Yes  [ ] No
2.12 (L2) Ensure 'Allow proceeding from the SSL warning page' is set to 'Disabled' (Automated)  [ ] Yes  [ ] No
2.13 (L1) Ensure 'Disable proceeding from the Safe Browsing warning page' is set to 'Enabled' (Automated)  [ ] Yes  [ ] No
2.14 (L1) Ensure 'Require Site Isolation for every site' is set to 'Enabled' (Automated)  [ ] Yes  [ ] No
2.15 (L2) Ensure 'Force Google SafeSearch' is set to 'Enabled' (Automated)  [ ] Yes  [ ] No
2.16 (L1) Ensure 'Notify a user that a browser relaunch or device restart is recommended or required' is set to 'Enabled: Show a recurring prompt to the user indication that a relaunch is required' (Automated)  [ ] Yes  [ ] No
2.17 (L1) Ensure 'Proxy settings' is set to 'Enabled' and does not contain "ProxyMode": "auto_detect" (Automated)  [ ] Yes  [ ] No
2.18 (L2) Ensure 'Require online OCSP/CRL checks for local trust anchors' is set to 'Enabled' (Automated)  [ ] Yes  [ ] No
2.19 (L1) Ensure 'Set the time period for update notifications' is set to 'Enabled: 86400000' (Automated)  [ ] Yes  [ ] No
2.20 (L1) Ensure 'Allow Web Authentication requests on sites with broken TLS certificates' Is Disabled (Automated)  [ ] Yes  [ ] No
2.21 (L1) Ensure 'Allow reporting of domain reliability related data' Is Disabled (Automated)  [ ] Yes  [ ] No
2.22 (L1) Ensure 'Enable TLS Encrypted ClientHello' Is Enabled (Automated)  [ ] Yes  [ ] No
2.23 (L2) Ensure 'Determines whether the built-in certificate verifier will enforce constraints encoded into trust anchors loaded from the platform trust store' Is Enabled (Automated)  [ ] Yes  [ ] No
2.24 (L1) Ensure 'Keep browsing data when creating enterprise profile by default' Is Enabled (Automated)  [ ] Yes  [ ] No
2.25 (L1) Ensure 'Allow file or directory picker APIs to be called without prior user gesture' Is Disabled (Automated)  [ ] Yes  [ ] No
2.26 (L1) Ensure 'Enable Google Search Side Panel' Is Disabled (Automated)  [ ] Yes  [ ] No
2.27 (L1) Ensure 'Http Allowlist' Is Properly Configured (Manual)  [ ] Yes  [ ] No
2.28 (L1) Ensure 'Enable automatic HTTPS upgrades' Is Enabled (Automated)  [ ] Yes  [ ] No
2.29 (L1) Ensure 'Insecure Hashes in TLS Handshakes Enabled' Is Disabled (Automated)  [ ] Yes  [ ] No
2.30 (L1) Ensure 'Enable Renderer App Container' Is Enabled (Automated)  [ ] Yes  [ ] No
2.31 (L1) Ensure 'Enable strict MIME type checking for worker scripts' Is Enabled (Automated)  [ ] Yes  [ ] No
2.32 Ensure 'Allow remote debugging' is set to 'Disabled' (Automated)  [ ] Yes  [ ] No
3 Privacy
3.1 Content settings
3.1.1 (L2) Ensure 'Default cookies setting' is set to 'Enabled: Keep cookies for the duration of the session' (Automated)  [ ] Yes  [ ] No
3.1.2 (L1) Ensure 'Default geolocation setting' is set to 'Enabled: Do not allow any site to track the users' physical location' (Automated)  [ ] Yes  [ ] No
3.2 Google Cast
3.2.1 (L1) Ensure 'Enable Google Cast' is set to 'Disabled' (Automated)  [ ] Yes  [ ] No
3.3 (L1) Ensure 'Allow websites to query for available payment methods' is set to 'Disabled' (Automated)  [ ] Yes  [ ] No
3.4 (L1) Ensure 'Block third party cookies' is set to 'Enabled' (Automated)  [ ] Yes  [ ] No
3.5 (L2) Ensure 'Browser sign in settings' is set to 'Enabled: Disabled browser sign-in' (Automated)  [ ] Yes  [ ] No
3.6 (L1) Ensure 'Control how Chrome Cleanup reports data to Google' is set to 'Disabled' (Automated)  [ ] Yes  [ ] No
3.7 (L1) Ensure 'Disable synchronization of data with Google' is set to 'Enabled' (Automated)  [ ] Yes  [ ] No
3.8 (L1) Ensure 'Enable alternate error pages' is set to 'Disabled' (Automated)  [ ] Yes  [ ] No
3.9 (L1) Ensure 'Enable deleting browser and download history' is set to 'Disabled' (Automated)  [ ] Yes  [ ] No
3.10 (L1) Ensure 'Enable predict network actions' is set to 'Enabled: Do not predict actions on any network connection' (Automated)  [ ] Yes  [ ] No
3.11 (L1) Ensure 'Enable or disable spell checking web service' is set to 'Disabled' (Automated)  [ ] Yes  [ ] No
3.12 (L1) Ensure 'Enable reporting of usage and crash-related data' is set to 'Disabled' (Automated)  [ ] Yes  [ ] No
3.13 (L1) Ensure 'Enable Safe Browsing for trusted sources' is set to 'Disabled' (Automated)  [ ] Yes  [ ] No
3.14 (L2) Ensure 'Enable search suggestions' is set to 'Disabled' (Automated)  [ ] Yes  [ ] No
3.15 (L2) Ensure 'Enable Translate' is set to 'Disabled' (Automated)  [ ] Yes  [ ] No
3.16 (L1) Ensure 'Enable URL-keyed anonymized data collection' is set to 'Disabled' (Automated)  [ ] Yes  [ ] No
4 Data Loss Prevention
4.1 Allow or deny screen capture
4.1.1 (L2) Ensure 'Allow or deny screen capture' is set to 'Disabled' (Automated)  [ ] Yes  [ ] No
4.2 Content settings
4.2.1 (L2) Ensure 'Control use of the Serial API' is set to 'Enabled: Do not allow any site to request access to serial ports via the Serial API' (Automated)  [ ] Yes  [ ] No
4.2.2 (L2) Ensure 'Default Sensors Setting' is set to 'Enabled: Do not allow any site to access sensors' (Automated)  [ ] Yes  [ ] No
4.2.3 (L1) Ensure 'Allow clipboard for these sites' Is Configured (Manual)  [ ] Yes  [ ] No
4.2.4 (L1) Ensure 'Block clipboard on these sites' Is Configured (Manual)  [ ] Yes  [ ] No
4.2.5 (L1) Ensure 'Default clipboard setting' Is 'Enabled' to 'Deny Permissions' (Automated)  [ ] Yes  [ ] No
4.2.6 (L2) Ensure 'Default Window Management permissions setting' Is 'Enabled' to 'Deny Permission' (Automated)  [ ] Yes  [ ] No
4.2.7 (L2) Ensure 'Allow Window Management permission on these sites' Is Configured (Manual)  [ ] Yes  [ ] No
4.2.8 (L2) Ensure 'Block Window Management permission on these sites' Is Configured (Manual)  [ ] Yes  [ ] No
4.3 (L2) Ensure 'Allow invocation of file selection dialogs' is set to 'Disabled' (Automated)  [ ] Yes  [ ] No
4.4 (L2) Ensure 'Allow or deny audio capture' is set to 'Disabled' (Automated)  [ ] Yes  [ ] No
4.5 (L2) Ensure 'Allow or deny video capture' is set to 'Disabled' (Automated)  [ ] Yes  [ ] No
4.6 (L1) Ensure 'Allow user feedback' is set to 'Disabled' (Automated)  [ ] Yes  [ ] No
4.7 (L2) Ensure 'Controls the mode of DNS-over-HTTPS' is set to 'Enabled: DNS-over-HTTPS without insecure fallback' (Automated)  [ ] Yes  [ ] No
4.8 (L2) Ensure 'Enable AutoFill for addresses' is set to 'Disabled' (Automated)  [ ] Yes  [ ] No
4.9 (L1) Ensure 'Enable AutoFill for credit cards' is set to 'Disabled' (Automated)  [ ] Yes  [ ] No
4.10 (L1) Ensure 'Import saved passwords from default browser on first run' is set to 'Disabled' (Automated)  [ ] Yes  [ ] No
4.11 (L1) Ensure 'List of types that should be excluded from synchronization' is set to 'Enabled: passwords' (Automated)  [ ] Yes  [ ] No
4.12 (L2) Ensure 'Allow or deny screen capture' is set to 'Disabled' (Automated)  [ ] Yes  [ ] No
5 Forensics (Post Incident)
5.1 (L2) Ensure 'Enable guest mode in browser' is set to 'Disabled' (Automated)  [ ] Yes  [ ] No
5.2 (L2) Ensure 'Incognito mode availability' is set to 'Enabled: Incognito mode disabled' (Automated)  [ ] Yes  [ ] No
5.3 (L1) Ensure 'Set disk cache size, in bytes' is set to 'Enabled: 250609664' (Automated)  [ ] Yes  [ ] No

Appendix: CIS Controls v7 IG 1 Mapped Recommendations

Recommendation                                                                               Set Correctly

1.5 (L1) Ensure 'Allow the audio sandbox to run' is set to 'Enabled'  [ ] Yes  [ ] No
1.9 (L1) Ensure 'Determine the availability of variations' is set to 'Enable all variations'  [ ] Yes  [ ] No
1.13 (L1) Ensure 'Disable saving browser history' is set to 'Disabled'  [ ] Yes  [ ] No
1.15 (L1) Ensure 'Enable component updates in Google Chrome' is set to 'Enabled'  [ ] Yes  [ ] No
1.19 (L1) Ensure 'Enable third party software injection blocking' is set to 'Enabled'  [ ] Yes  [ ] No
1.28 (L1) Ensure 'Suppress the unsupported OS warning' is set to 'Disabled'  [ ] Yes  [ ] No
2.1.1 (L1) Ensure 'Update policy override' is set to 'Enabled' with 'Always allow updates (recommended)' or 'Automatic silent updates' specified  [ ] Yes  [ ] No
2.3.6 (L2) Ensure 'Control Manifest v2 extension availability' Is Set to Forced Only  [ ] Yes  [ ] No
2.3.7 (L1) Ensure 'Control availability of extensions unpublished on the Chrome Web Store' Is Disabled  [ ] Yes  [ ] No
2.11 (L1) Ensure 'Allow download restrictions' is set to 'Enabled: Block malicious downloads'  [ ] Yes  [ ] No
2.14 (L1) Ensure 'Require Site Isolation for every site' is set to 'Enabled'  [ ] Yes  [ ] No
2.16 (L1) Ensure 'Notify a user that a browser relaunch or device restart is recommended or required' is set to 'Enabled: Show a recurring prompt to the user indication that a relaunch is required'  [ ] Yes  [ ] No
2.19 (L1) Ensure 'Set the time period for update notifications' is set to 'Enabled: 86400000'  [ ] Yes  [ ] No
2.25 (L1) Ensure 'Allow file or directory picker APIs to be called without prior user gesture' Is Disabled  [ ] Yes  [ ] No
3.16 (L1) Ensure 'Enable URL-keyed anonymized data collection' is set to 'Disabled'  [ ] Yes  [ ] No

Appendix: CIS Controls v7 IG 2 Mapped Recommendations

Recommendation                                                                               Set Correctly

1.2.1 (L1) Ensure 'Configure the list of domains on which Safe Browsing will not trigger warnings' is set to 'Disabled'  [ ] Yes  [ ] No
1.2.2 (L1) Ensure 'Safe Browsing Protection Level' is set to 'Enabled: Safe Browsing is active in the standard mode.' or higher  [ ] Yes  [ ] No
1.3 (L1) Ensure 'Allow Google Cast to connect to Cast devices on all IP addresses' is set to 'Disabled'  [ ] Yes  [ ] No
1.4 (L1) Ensure 'Allow queries to a Google time service' is set to 'Enabled'  [ ] Yes  [ ] No
1.5 (L1) Ensure 'Allow the audio sandbox to run' is set to 'Enabled'  [ ] Yes  [ ] No
1.7 (L1) Ensure 'Continue running background apps when Google Chrome is closed' is set to 'Disabled'  [ ] Yes  [ ] No
1.8 (L2) Ensure 'Control SafeSites adult content filtering' is set to 'Enabled: Filter top level sites (but not embedded iframes) for adult content'  [ ] Yes  [ ] No
1.9 (L1) Ensure 'Determine the availability of variations' is set to 'Enable all variations'  [ ] Yes  [ ] No
1.13 (L1) Ensure 'Disable saving browser history' is set to 'Disabled'  [ ] Yes  [ ] No
1.14 (L1) Ensure 'DNS interception checks enabled' is set to 'Enabled'  [ ] Yes  [ ] No
1.15 (L1) Ensure 'Enable component updates in Google Chrome' is set to 'Enabled'  [ ] Yes  [ ] No
1.18 (L1) Ensure 'Enable security warnings for command-line flags' is set to 'Enabled'  [ ] Yes  [ ] No
1.19 (L1) Ensure 'Enable third party software injection blocking' is set to 'Enabled'  [ ] Yes  [ ] No
1.20 (L1) Ensure 'Enables managed extensions to use the Enterprise Hardware Platform API' is set to 'Disabled'  [ ] Yes  [ ] No
1.21 (L1) Ensure 'Ephemeral profile' is set to 'Disabled'  [ ] Yes  [ ] No
1.22 (L1) Ensure 'Import autofill form data from default browser on first run' is set to 'Disabled'  [ ] Yes  [ ] No
1.23 (L1) Ensure 'Import of homepage from default browser on first run' is set to 'Disabled'  [ ] Yes  [ ] No
1.24 (L1) Ensure 'Import search engines from default browser on first run' is set to 'Disabled'  [ ] Yes  [ ] No
1.25 (L1) Ensure 'List of names that will bypass the HSTS policy check' is set to 'Disabled'  [ ] Yes  [ ] No
1.27 (L1) Ensure 'Suppress lookalike domain warnings on domains' is set to 'Disabled'  [ ] Yes  [ ] No
1.28 (L1) Ensure 'Suppress the unsupported OS warning' is set to 'Disabled'  [ ] Yes  [ ] No
1.29 (L1) Ensure 'URLs for which local IPs are exposed in WebRTC ICE candidates' is set to 'Disabled'  [ ] Yes  [ ] No
2.1.1 (L1) Ensure 'Update policy override' is set to 'Enabled' with 'Always allow updates (recommended)' or 'Automatic silent updates' specified  [ ] Yes  [ ] No
2.2.1 (L1) Ensure 'Control use of insecure content exceptions' is set to 'Enabled: Do not allow any site to load mixed content'  [ ] Yes  [ ] No
2.2.2 (L2) Ensure 'Control use of the Web Bluetooth API' is set to 'Enabled: Do not allow any site to request access to Bluetooth devices via the Web Bluetooth API'  [ ] Yes  [ ] No
2.2.3 (L2) Ensure 'Control use of the WebUSB API' is set to 'Enabled: Do not allow any site to request access to USB devices via the WebUSB API'  [ ] Yes  [ ] No
2.2.5 (L1) Ensure 'Allow local file access to file:// URLs on these sites in the PDF Viewer' Is Disabled  [ ] Yes  [ ] No
2.3.1 (L1) Ensure 'Blocks external extensions from being installed' is set to 'Enabled'  [ ] Yes  [ ] No
2.3.2 (L1) Ensure 'Configure allowed app/extension types' is set to 'Enabled: extension, hosted_app, platform_app, theme'  [ ] Yes  [ ] No
2.3.3 (L1) Ensure 'Configure extension installation blocklist' is set to 'Enabled: *'  [ ] Yes  [ ] No
2.3.4 (L2) Ensure 'Default third-party storage partitioning setting' Is Enabled and Blocked  [ ] Yes  [ ] No
2.3.5 (L1) Ensure 'Block third-party storage partitioning for these origins' Is Configured  [ ] Yes  [ ] No
2.3.6 (L2) Ensure 'Control Manifest v2 extension availability' Is Set to Forced Only  [ ] Yes  [ ] No
2.3.7 (L1) Ensure 'Control availability of extensions unpublished on the Chrome Web Store' Is Disabled  [ ] Yes  [ ] No
2.4.1 (L2) Ensure 'Supported authentication schemes' is set to 'Enabled: ntlm, negotiate'  [ ] Yes  [ ] No
2.5.1 (L2) Ensure 'Configure native messaging blocklist' is set to 'Enabled: *'  [ ] Yes  [ ] No
2.6.1 (L1) Ensure 'Enable saving passwords to the password manager' is Explicitly Configured  [ ] Yes  [ ] No
2.7.1 (L1) Ensure 'Enable Google Cloud Print Proxy' is set to 'Disabled'  [ ] Yes  [ ] No
2.10.1 (L1) Ensure 'Allow automatic sign-in to Microsoft cloud identity providers' Is Enabled  [ ] Yes  [ ] No
2.11 (L1) Ensure 'Allow download restrictions' is set to 'Enabled: Block malicious downloads'  [ ] Yes  [ ] No
2.12 (L2) Ensure 'Allow proceeding from the SSL warning page' is set to 'Disabled'  [ ] Yes  [ ] No
2.13 (L1) Ensure 'Disable proceeding from the Safe Browsing warning page' is set to 'Enabled'  [ ] Yes  [ ] No
2.14 (L1) Ensure 'Require Site Isolation for every site' is set to 'Enabled'  [ ] Yes  [ ] No
2.15 (L2) Ensure 'Force Google SafeSearch' is set to 'Enabled'  [ ] Yes  [ ] No
2.16 (L1) Ensure 'Notify a user that a browser relaunch or device restart is recommended or required' is set to 'Enabled: Show a recurring prompt to the user indication that a relaunch is required'  [ ] Yes  [ ] No
2.19 (L1) Ensure 'Set the time period for update notifications' is set to 'Enabled: 86400000'  [ ] Yes  [ ] No
2.21 (L1) Ensure 'Allow reporting of domain reliability related data' Is Disabled  [ ] Yes  [ ] No
2.25 (L1) Ensure 'Allow file or directory picker APIs to be called without prior user gesture' Is Disabled  [ ] Yes  [ ] No
2.26 (L1) Ensure 'Enable Google Search Side Panel' Is Disabled  [ ] Yes  [ ] No
2.28 (L1) Ensure 'Enable automatic HTTPS upgrades' Is Enabled  [ ] Yes  [ ] No
2.30 (L1) Ensure 'Enable Renderer App Container' Is Enabled  [ ] Yes  [ ] No
3.1.2 (L1) Ensure 'Default geolocation setting' is set to 'Enabled: Do not allow any site to track the users' physical location'  [ ] Yes  [ ] No
3.2.1 (L1) Ensure 'Enable Google Cast' is set to 'Disabled'  [ ] Yes  [ ] No
3.3 (L1) Ensure 'Allow websites to query for available payment methods' is set to 'Disabled'  [ ] Yes  [ ] No
3.4 (L1) Ensure 'Block third party cookies' is set to 'Enabled'  [ ] Yes  [ ] No
3.5 (L2) Ensure 'Browser sign in settings' is set to 'Enabled: Disabled browser sign-in'  [ ] Yes  [ ] No
3.6 (L1) Ensure 'Control how Chrome Cleanup reports data to Google' is set to 'Disabled'  [ ] Yes  [ ] No
3.7 (L1) Ensure 'Disable synchronization of data with Google' is set to 'Enabled'  [ ] Yes  [ ] No
3.8 (L1) Ensure 'Enable alternate error pages' is set to 'Disabled'  [ ] Yes  [ ] No
3.9 (L1) Ensure 'Enable deleting browser and download history' is set to 'Disabled'  [ ] Yes  [ ] No
3.11 (L1) Ensure 'Enable or disable spell checking web service' is set to 'Disabled'  [ ] Yes  [ ] No
3.12 (L1) Ensure 'Enable reporting of usage and crash-related data' is set to 'Disabled'  [ ] Yes  [ ] No
3.13 (L1) Ensure 'Enable Safe Browsing for trusted sources' is set to 'Disabled'  [ ] Yes  [ ] No
3.14 (L2) Ensure 'Enable search suggestions' is set to 'Disabled'  [ ] Yes  [ ] No
3.15 (L2) Ensure 'Enable Translate' is set to 'Disabled'  [ ] Yes  [ ] No
3.16 (L1) Ensure 'Enable URL-keyed anonymized data collection' is set to 'Disabled'  [ ] Yes  [ ] No
4.2.1 (L2) Ensure 'Control use of the Serial API' is set to 'Enabled: Do not allow any site to request access to serial ports via the Serial API'  [ ] Yes  [ ] No
4.2.2 (L2) Ensure 'Default Sensors Setting' is set to 'Enabled: Do not allow any site to access sensors'  [ ] Yes  [ ] No
4.2.4 (L1) Ensure 'Block clipboard on these sites' Is Configured  [ ] Yes  [ ] No
4.2.5 (L1) Ensure 'Default clipboard setting' Is 'Enabled' to 'Deny Permissions'  [ ] Yes  [ ] No
4.4 (L2) Ensure 'Allow or deny audio capture' is set to 'Disabled'  [ ] Yes  [ ] No
4.5 (L2) Ensure 'Allow or deny video capture' is set to 'Disabled'  [ ] Yes  [ ] No
4.6 (L1) Ensure 'Allow user feedback' is set to 'Disabled'  [ ] Yes  [ ] No
4.8 (L2) Ensure 'Enable AutoFill for addresses' is set to 'Disabled'  [ ] Yes  [ ] No
4.9 (L1) Ensure 'Enable AutoFill for credit cards' is set to 'Disabled'  [ ] Yes  [ ] No
4.10 (L1) Ensure 'Import saved passwords from default browser on first run' is set to 'Disabled'  [ ] Yes  [ ] No
5.1 (L2) Ensure 'Enable guest mode in browser' is set to 'Disabled'  [ ] Yes  [ ] No
5.3 (L1) Ensure 'Set disk cache size, in bytes' is set to 'Enabled: 250609664'  [ ] Yes  [ ] No

Appendix: CIS Controls v7 IG 3 Mapped Recommendations

Recommendation                                                                               Set Correctly

1.2.1 (L1) Ensure 'Configure the list of domains on which Safe Browsing will not trigger warnings' is set to 'Disabled'  [ ] Yes  [ ] No
1.2.2 (L1) Ensure 'Safe Browsing Protection Level' is set to 'Enabled: Safe Browsing is active in the standard mode.' or higher  [ ] Yes  [ ] No
1.3 (L1) Ensure 'Allow Google Cast to connect to Cast devices on all IP addresses' is set to 'Disabled'  [ ] Yes  [ ] No
1.4 (L1) Ensure 'Allow queries to a Google time service' is set to 'Enabled'  [ ] Yes  [ ] No
1.5 (L1) Ensure 'Allow the audio sandbox to run' is set to 'Enabled'  [ ] Yes  [ ] No
1.7 (L1) Ensure 'Continue running background apps when Google Chrome is closed' is set to 'Disabled'  [ ] Yes  [ ] No
1.8 (L2) Ensure 'Control SafeSites adult content filtering' is set to 'Enabled: Filter top level sites (but not embedded iframes) for adult content'  [ ] Yes  [ ] No
1.9 (L1) Ensure 'Determine the availability of variations' is set to 'Enable all variations'  [ ] Yes  [ ] No
1.13 (L1) Ensure 'Disable saving browser history' is set to 'Disabled'  [ ] Yes  [ ] No
1.14 (L1) Ensure 'DNS interception checks enabled' is set to 'Enabled'  [ ] Yes  [ ] No
1.15 (L1) Ensure 'Enable component updates in Google Chrome' is set to 'Enabled'  [ ] Yes  [ ] No
1.18 (L1) Ensure 'Enable security warnings for command-line flags' is set to 'Enabled'  [ ] Yes  [ ] No
1.19 (L1) Ensure 'Enable third party software injection blocking' is set to 'Enabled'  [ ] Yes  [ ] No
1.20 (L1) Ensure 'Enables managed extensions to use the Enterprise Hardware Platform API' is set to 'Disabled'  [ ] Yes  [ ] No
1.21 (L1) Ensure 'Ephemeral profile' is set to 'Disabled'  [ ] Yes  [ ] No
1.22 (L1) Ensure 'Import autofill form data from default browser on first run' is set to 'Disabled'  [ ] Yes  [ ] No
1.23 (L1) Ensure 'Import of homepage from default browser on first run' is set to 'Disabled'  [ ] Yes  [ ] No
1.24 (L1) Ensure 'Import search engines from default browser on first run' is set to 'Disabled'  [ ] Yes  [ ] No
1.25 (L1) Ensure 'List of names that will bypass the HSTS policy check' is set to 'Disabled'  [ ] Yes  [ ] No
1.27 (L1) Ensure 'Suppress lookalike domain warnings on domains' is set to 'Disabled'  [ ] Yes  [ ] No
1.28 (L1) Ensure 'Suppress the unsupported OS warning' is set to 'Disabled'  [ ] Yes  [ ] No
1.29 (L1) Ensure 'URLs for which local IPs are exposed in WebRTC ICE candidates' is set to 'Disabled'  [ ] Yes  [ ] No
2.1.1 (L1) Ensure 'Update policy override' is set to 'Enabled' with 'Always allow updates (recommended)' or 'Automatic silent updates' specified  [ ] Yes  [ ] No
2.2.1 (L1) Ensure 'Control use of insecure content exceptions' is set to 'Enabled: Do not allow any site to load mixed content'  [ ] Yes  [ ] No
2.2.2 (L2) Ensure 'Control use of the Web Bluetooth API' is set
to 'Enabled: Do not allow any site to request access to  
Bluetooth devices via the Web Bluetooth API'
2.2.3 (L2) Ensure 'Control use of the WebUSB API' is set to
'Enabled: Do not allow any site to request access to USB  
devices via the WebUSB API'
2.2.5 (L1) Ensure 'Allow local file access to file:// URLs on
 
these sites in the PDF Viewer' Is Disabled
2.3.1 (L1) Ensure 'Blocks external extensions from being
 
installed' is set to 'Enabled'
2.3.2 (L1) Ensure 'Configure allowed app/extension types' is
set to 'Enabled: extension, hosted_app, platform_app,  
theme'
2.3.3 (L1) Ensure 'Configure extension installation blocklist' is
 
set to 'Enabled: *'
2.3.4 (L2) Ensure 'Default third-party storage partitioning
 
setting' Is Enabled and Blocked

Page 291
Recommendation Set
Correctly
Yes No
2.3.5 (L1) Ensure 'Block third-party storage partitioning for
 
these origins' Is Configured
2.3.6 (L2) Ensure 'Control Manifest v2 extension availability' Is
 
Set to Forced Only
2.3.7 (L1) Ensure 'Control availability of extensions
 
unpublished on the Chrome Web Store' Is Disabled
2.4.1 (L2) Ensure 'Supported authentication schemes' is set to
 
'Enabled: ntlm, negotiate'
2.5.1 (L2) Ensure 'Configure native messaging blocklist' is set
 
to 'Enabled: *'
2.6.1 (L1) Ensure 'Enable saving passwords to the password
 
manager' is Explicitly Configured
2.7.1 (L1) Ensure 'Enable Google Cloud Print Proxy' is set to
 
'Disabled'
2.8.1 Ensure 'Allow remote access connections to this
 
machine' is set to 'Disabled'
2.8.2 (L1) Ensure 'Allow remote users to interact with elevated
windows in remote assistance sessions' is set to  
'Disabled'
2.8.3 (L1) Ensure 'Configure the required domain names for
remote access clients' is set to 'Enabled' with a domain  
defined
2.8.4 (L1) Ensure 'Enable curtaining of remote access hosts' is
 
set to 'Disabled'
2.8.5 (L1) Ensure 'Enable firewall traversal from remote access
 
host' is set to 'Disabled'
2.8.6 (L1) Ensure 'Enable or disable PIN-less authentication
 
for remote access hosts' is set to 'Disabled'
2.8.7 (L1) Ensure 'Enable the use of relay servers by the
 
remote access host' is set to 'Disabled'.
2.10.1 (L1) Ensure 'Allow automatic sign-in to Microsoft cloud
 
identity providers' Is Enabled
2.11 (L1) Ensure 'Allow download restrictions' is set to
 
'Enabled: Block malicious downloads'
2.12 (L2) Ensure 'Allow proceeding from the SSL warning
 
page' is set to 'Disabled'

Page 292
Recommendation Set
Correctly
Yes No
2.13 (L1) Ensure 'Disable proceeding from the Safe Browsing
 
warning page' is set to 'Enabled'
2.14 (L1) Ensure 'Require Site Isolation for every site' is set to
 
'Enabled'
2.15 (L2) Ensure 'Force Google SafeSearch' is set to
 
'Enabled'
2.16 (L1) Ensure 'Notify a user that a browser relaunch or
device restart is recommended or required' is set to
 
'Enabled: Show a recurring prompt to the user indication
that a relaunch is required'
2.17 (L1) Ensure 'Proxy settings' is set to 'Enabled' and does
 
not contain "ProxyMode": "auto_detect"
2.19 (L1) Ensure 'Set the time period for update notifications'
 
is set to 'Enabled: 86400000'
2.21 (L1) Ensure 'Allow reporting of domain reliability related
 
data' Is Disabled
2.25 (L1) Ensure 'Allow file or directory picker APIs to be
 
called without prior user gesture' Is Disabled
2.26 (L1) Ensure 'Enable Google Search Side Panel' Is
 
Disabled
2.27 (L1) Ensure 'Http Allowlist' Is Properly Configured  
2.28 (L1) Ensure 'Enable automatic HTTPS upgrades' Is
 
Enabled
2.30 (L1) Ensure 'Enable Renderer App Container' Is Enabled  
3.1.2 (L1) Ensure 'Default geolocation setting' is set to
'Enabled: Do not allow any site to track the users'  
physical location'
3.2.1 (L1) Ensure 'Enable Google Cast' is set to 'Disabled'  
3.3 (L1) Ensure 'Allow websites to query for available
 
payment methods' is set to 'Disabled'
3.4 (L1) Ensure 'Block third party cookies' is set to 'Enabled'  
3.5 (L2) Ensure 'Browser sign in settings' is set to 'Enabled:
 
Disabled browser sign-in'
3.6 (L1) Ensure 'Control how Chrome Cleanup reports data
 
to Google' is set to 'Disabled'

Page 293
Recommendation Set
Correctly
Yes No
3.7 (L1) Ensure 'Disable synchronization of data with Google'
 
is set to 'Enabled'
3.8 (L1) Ensure 'Enable alternate error pages' is set to
 
'Disabled'
3.9 (L1) Ensure 'Enable deleting browser and download
 
history' is set to 'Disabled'
3.11 (L1) Ensure 'Enable or disable spell checking web
 
service' is set to 'Disabled'
3.12 (L1) Ensure 'Enable reporting of usage and crash-related
 
data' is set to 'Disabled'
3.13 (L1) Ensure 'Enable Safe Browsing for trusted sources' is
 
set to 'Disabled'
3.14 (L2) Ensure 'Enable search suggestions' is set to
 
'Disabled'
3.15 (L2) Ensure 'Enable Translate' is set to 'Disabled'  
3.16 (L1) Ensure 'Enable URL-keyed anonymized data
 
collection' is set to 'Disabled'
4.2.1 (L2) Ensure 'Control use of the Serial API' is set to
'Enabled: Do not allow any site to request access to  
serial ports via the Serial API'
4.2.2 (L2) Ensure 'Default Sensors Setting' is set to 'Enabled:
 
Do not allow any site to access sensors'
4.2.4 (L1) Ensure 'Block clipboard on these sites' Is Configured  
4.2.5 (L1) Ensure 'Default clipboard setting' Is 'Enabled' to
 
'Deny Permissions'
4.3 (L2) Ensure 'Allow invocation of file selection dialogs' is
 
set to 'Disabled'
4.4 (L2) Ensure 'Allow or deny audio capture' is set to
 
'Disabled'
4.5 (L2) Ensure 'Allow or deny video capture' is set to
 
'Disabled'
4.6 (L1) Ensure 'Allow user feedback' is set to 'Disabled'  
4.8 (L2) Ensure 'Enable AutoFill for addresses' is set to
 
'Disabled'
4.9 (L1) Ensure 'Enable AutoFill for credit cards' is set to
 
'Disabled'

Page 294
Recommendation Set
Correctly
Yes No
4.10 (L1) Ensure 'Import saved passwords from default
 
browser on first run' is set to 'Disabled'
5.1 (L2) Ensure 'Enable guest mode in browser' is set to
 
'Disabled'
5.3 (L1) Ensure 'Set disk cache size, in bytes' is set to
 
'Enabled: 250609664'

Page 295
Appendix: CIS Controls v7 Unmapped Recommendations

Recommendation (Set Correctly: Yes / No)
2.1.2 (L1) Ensure 'Auto-update check period override' is set to any value except '0'
2.20 (L1) Ensure 'Allow Web Authentication requests on sites with broken TLS certificates' Is Disabled
2.22 (L1) Ensure 'Enable TLS Encrypted ClientHello' Is Enabled
2.29 (L1) Ensure 'Insecure Hashes in TLS Handshakes Enabled' Is Disabled
2.31 (L1) Ensure 'Enable strict MIME type checking for worker scripts' Is Enabled
2.32 Ensure 'Allow remote debugging' is set to 'Disabled'
4.7 (L2) Ensure 'Controls the mode of DNS-over-HTTPS' is set to 'Enabled: DNS-over-HTTPS without insecure fallback'

Page 296
Appendix: CIS Controls v8 IG 1 Mapped Recommendations

Recommendation (Set Correctly: Yes / No)
1.5 (L1) Ensure 'Allow the audio sandbox to run' is set to 'Enabled'
1.9 (L1) Ensure 'Determine the availability of variations' is set to 'Enable all variations'
1.15 (L1) Ensure 'Enable component updates in Google Chrome' is set to 'Enabled'
1.18 (L1) Ensure 'Enable security warnings for command-line flags' is set to 'Enabled'
1.19 (L1) Ensure 'Enable third party software injection blocking' is set to 'Enabled'
1.21 (L1) Ensure 'Ephemeral profile' is set to 'Disabled'
1.22 (L1) Ensure 'Import autofill form data from default browser on first run' is set to 'Disabled'
1.23 (L1) Ensure 'Import of homepage from default browser on first run' is set to 'Disabled'
1.24 (L1) Ensure 'Import search engines from default browser on first run' is set to 'Disabled'
1.28 (L1) Ensure 'Suppress the unsupported OS warning' is set to 'Disabled'
1.29 (L1) Ensure 'URLs for which local IPs are exposed in WebRTC ICE candidates' is set to 'Disabled'
2.1.1 (L1) Ensure 'Update policy override' is set to 'Enabled' with 'Always allow updates (recommended)' or 'Automatic silent updates' specified
2.2.5 (L1) Ensure 'Allow local file access to file:// URLs on these sites in the PDF Viewer' Is Disabled
2.3.4 (L2) Ensure 'Default third-party storage partitioning setting' Is Enabled and Blocked
2.3.5 (L1) Ensure 'Block third-party storage partitioning for these origins' Is Configured
2.3.6 (L2) Ensure 'Control Manifest v2 extension availability' Is Set to Forced Only
2.3.7 (L1) Ensure 'Control availability of extensions unpublished on the Chrome Web Store' Is Disabled
2.6.1 (L1) Ensure 'Enable saving passwords to the password manager' is Explicitly Configured
2.9.1 (L1) Ensure 'Enable First-Party Sets' Is Disabled
2.10.1 (L1) Ensure 'Allow automatic sign-in to Microsoft cloud identity providers' Is Enabled
2.11 (L1) Ensure 'Allow download restrictions' is set to 'Enabled: Block malicious downloads'
2.14 (L1) Ensure 'Require Site Isolation for every site' is set to 'Enabled'
2.16 (L1) Ensure 'Notify a user that a browser relaunch or device restart is recommended or required' is set to 'Enabled: Show a recurring prompt to the user indication that a relaunch is required'
2.19 (L1) Ensure 'Set the time period for update notifications' is set to 'Enabled: 86400000'
2.20 (L1) Ensure 'Allow Web Authentication requests on sites with broken TLS certificates' Is Disabled
2.21 (L1) Ensure 'Allow reporting of domain reliability related data' Is Disabled
2.22 (L1) Ensure 'Enable TLS Encrypted ClientHello' Is Enabled
2.25 (L1) Ensure 'Allow file or directory picker APIs to be called without prior user gesture' Is Disabled
2.26 (L1) Ensure 'Enable Google Search Side Panel' Is Disabled
2.28 (L1) Ensure 'Enable automatic HTTPS upgrades' Is Enabled
2.29 (L1) Ensure 'Insecure Hashes in TLS Handshakes Enabled' Is Disabled
2.30 (L1) Ensure 'Enable Renderer App Container' Is Enabled
2.32 Ensure 'Allow remote debugging' is set to 'Disabled'
3.3 (L1) Ensure 'Allow websites to query for available payment methods' is set to 'Disabled'
3.4 (L1) Ensure 'Block third party cookies' is set to 'Enabled'
3.5 (L2) Ensure 'Browser sign in settings' is set to 'Enabled: Disabled browser sign-in'
3.6 (L1) Ensure 'Control how Chrome Cleanup reports data to Google' is set to 'Disabled'
3.7 (L1) Ensure 'Disable synchronization of data with Google' is set to 'Enabled'
3.8 (L1) Ensure 'Enable alternate error pages' is set to 'Disabled'
3.9 (L1) Ensure 'Enable deleting browser and download history' is set to 'Disabled'
3.11 (L1) Ensure 'Enable or disable spell checking web service' is set to 'Disabled'
3.12 (L1) Ensure 'Enable reporting of usage and crash-related data' is set to 'Disabled'
3.13 (L1) Ensure 'Enable Safe Browsing for trusted sources' is set to 'Disabled'
3.14 (L2) Ensure 'Enable search suggestions' is set to 'Disabled'
3.15 (L2) Ensure 'Enable Translate' is set to 'Disabled'
4.2.4 (L1) Ensure 'Block clipboard on these sites' Is Configured
4.2.5 (L1) Ensure 'Default clipboard setting' Is 'Enabled' to 'Deny Permissions'
4.4 (L2) Ensure 'Allow or deny audio capture' is set to 'Disabled'
4.5 (L2) Ensure 'Allow or deny video capture' is set to 'Disabled'
4.6 (L1) Ensure 'Allow user feedback' is set to 'Disabled'
4.7 (L2) Ensure 'Controls the mode of DNS-over-HTTPS' is set to 'Enabled: DNS-over-HTTPS without insecure fallback'
4.8 (L2) Ensure 'Enable AutoFill for addresses' is set to 'Disabled'
4.9 (L1) Ensure 'Enable AutoFill for credit cards' is set to 'Disabled'
4.10 (L1) Ensure 'Import saved passwords from default browser on first run' is set to 'Disabled'
5.1 (L2) Ensure 'Enable guest mode in browser' is set to 'Disabled'
5.3 (L1) Ensure 'Set disk cache size, in bytes' is set to 'Enabled: 250609664'

Page 300
Appendix: CIS Controls v8 IG 2 Mapped Recommendations

Recommendation (Set Correctly: Yes / No)
1.2.1 (L1) Ensure 'Configure the list of domains on which Safe Browsing will not trigger warnings' is set to 'Disabled'
1.2.2 (L1) Ensure 'Safe Browsing Protection Level' is set to 'Enabled: Safe Browsing is active in the standard mode.' or higher
1.3 (L1) Ensure 'Allow Google Cast to connect to Cast devices on all IP addresses' is set to 'Disabled'
1.4 (L1) Ensure 'Allow queries to a Google time service' is set to 'Enabled'
1.5 (L1) Ensure 'Allow the audio sandbox to run' is set to 'Enabled'
1.7 (L1) Ensure 'Continue running background apps when Google Chrome is closed' is set to 'Disabled'
1.8 (L2) Ensure 'Control SafeSites adult content filtering' is set to 'Enabled: Filter top level sites (but not embedded iframes) for adult content'
1.9 (L1) Ensure 'Determine the availability of variations' is set to 'Enable all variations'
1.14 (L1) Ensure 'DNS interception checks enabled' is set to 'Enabled'
1.15 (L1) Ensure 'Enable component updates in Google Chrome' is set to 'Enabled'
1.18 (L1) Ensure 'Enable security warnings for command-line flags' is set to 'Enabled'
1.19 (L1) Ensure 'Enable third party software injection blocking' is set to 'Enabled'
1.20 (L1) Ensure 'Enables managed extensions to use the Enterprise Hardware Platform API' is set to 'Disabled'
1.21 (L1) Ensure 'Ephemeral profile' is set to 'Disabled'
1.22 (L1) Ensure 'Import autofill form data from default browser on first run' is set to 'Disabled'
1.23 (L1) Ensure 'Import of homepage from default browser on first run' is set to 'Disabled'
1.24 (L1) Ensure 'Import search engines from default browser on first run' is set to 'Disabled'
1.25 (L1) Ensure 'List of names that will bypass the HSTS policy check' is set to 'Disabled'
1.27 (L1) Ensure 'Suppress lookalike domain warnings on domains' is set to 'Disabled'
1.28 (L1) Ensure 'Suppress the unsupported OS warning' is set to 'Disabled'
1.29 (L1) Ensure 'URLs for which local IPs are exposed in WebRTC ICE candidates' is set to 'Disabled'
2.1.1 (L1) Ensure 'Update policy override' is set to 'Enabled' with 'Always allow updates (recommended)' or 'Automatic silent updates' specified
2.2.1 (L1) Ensure 'Control use of insecure content exceptions' is set to 'Enabled: Do not allow any site to load mixed content'
2.2.2 (L2) Ensure 'Control use of the Web Bluetooth API' is set to 'Enabled: Do not allow any site to request access to Bluetooth devices via the Web Bluetooth API'
2.2.3 (L2) Ensure 'Control use of the WebUSB API' is set to 'Enabled: Do not allow any site to request access to USB devices via the WebUSB API'
2.2.5 (L1) Ensure 'Allow local file access to file:// URLs on these sites in the PDF Viewer' Is Disabled
2.3.1 (L1) Ensure 'Blocks external extensions from being installed' is set to 'Enabled'
2.3.2 (L1) Ensure 'Configure allowed app/extension types' is set to 'Enabled: extension, hosted_app, platform_app, theme'
2.3.3 (L1) Ensure 'Configure extension installation blocklist' is set to 'Enabled: *'
2.3.4 (L2) Ensure 'Default third-party storage partitioning setting' Is Enabled and Blocked
2.3.5 (L1) Ensure 'Block third-party storage partitioning for these origins' Is Configured
2.3.6 (L2) Ensure 'Control Manifest v2 extension availability' Is Set to Forced Only
2.3.7 (L1) Ensure 'Control availability of extensions unpublished on the Chrome Web Store' Is Disabled
2.4.1 (L2) Ensure 'Supported authentication schemes' is set to 'Enabled: ntlm, negotiate'
2.5.1 (L2) Ensure 'Configure native messaging blocklist' is set to 'Enabled: *'
2.6.1 (L1) Ensure 'Enable saving passwords to the password manager' is Explicitly Configured
2.7.1 (L1) Ensure 'Enable Google Cloud Print Proxy' is set to 'Disabled'
2.8.1 Ensure 'Allow remote access connections to this machine' is set to 'Disabled'
2.8.2 (L1) Ensure 'Allow remote users to interact with elevated windows in remote assistance sessions' is set to 'Disabled'
2.8.3 (L1) Ensure 'Configure the required domain names for remote access clients' is set to 'Enabled' with a domain defined
2.8.4 (L1) Ensure 'Enable curtaining of remote access hosts' is set to 'Disabled'
2.8.5 (L1) Ensure 'Enable firewall traversal from remote access host' is set to 'Disabled'
2.8.6 (L1) Ensure 'Enable or disable PIN-less authentication for remote access hosts' is set to 'Disabled'
2.8.7 (L1) Ensure 'Enable the use of relay servers by the remote access host' is set to 'Disabled'.
2.9.1 (L1) Ensure 'Enable First-Party Sets' Is Disabled
2.10.1 (L1) Ensure 'Allow automatic sign-in to Microsoft cloud identity providers' Is Enabled
2.11 (L1) Ensure 'Allow download restrictions' is set to 'Enabled: Block malicious downloads'
2.12 (L2) Ensure 'Allow proceeding from the SSL warning page' is set to 'Disabled'
2.13 (L1) Ensure 'Disable proceeding from the Safe Browsing warning page' is set to 'Enabled'
2.14 (L1) Ensure 'Require Site Isolation for every site' is set to 'Enabled'
2.15 (L2) Ensure 'Force Google SafeSearch' is set to 'Enabled'
2.16 (L1) Ensure 'Notify a user that a browser relaunch or device restart is recommended or required' is set to 'Enabled: Show a recurring prompt to the user indication that a relaunch is required'
2.19 (L1) Ensure 'Set the time period for update notifications' is set to 'Enabled: 86400000'
2.20 (L1) Ensure 'Allow Web Authentication requests on sites with broken TLS certificates' Is Disabled
2.21 (L1) Ensure 'Allow reporting of domain reliability related data' Is Disabled
2.22 (L1) Ensure 'Enable TLS Encrypted ClientHello' Is Enabled
2.25 (L1) Ensure 'Allow file or directory picker APIs to be called without prior user gesture' Is Disabled
2.26 (L1) Ensure 'Enable Google Search Side Panel' Is Disabled
2.28 (L1) Ensure 'Enable automatic HTTPS upgrades' Is Enabled
2.29 (L1) Ensure 'Insecure Hashes in TLS Handshakes Enabled' Is Disabled
2.30 (L1) Ensure 'Enable Renderer App Container' Is Enabled
2.32 Ensure 'Allow remote debugging' is set to 'Disabled'
3.2.1 (L1) Ensure 'Enable Google Cast' is set to 'Disabled'
3.3 (L1) Ensure 'Allow websites to query for available payment methods' is set to 'Disabled'
3.4 (L1) Ensure 'Block third party cookies' is set to 'Enabled'
3.5 (L2) Ensure 'Browser sign in settings' is set to 'Enabled: Disabled browser sign-in'
3.6 (L1) Ensure 'Control how Chrome Cleanup reports data to Google' is set to 'Disabled'
3.7 (L1) Ensure 'Disable synchronization of data with Google' is set to 'Enabled'
3.8 (L1) Ensure 'Enable alternate error pages' is set to 'Disabled'
3.9 (L1) Ensure 'Enable deleting browser and download history' is set to 'Disabled'
3.11 (L1) Ensure 'Enable or disable spell checking web service' is set to 'Disabled'
3.12 (L1) Ensure 'Enable reporting of usage and crash-related data' is set to 'Disabled'
3.13 (L1) Ensure 'Enable Safe Browsing for trusted sources' is set to 'Disabled'
3.14 (L2) Ensure 'Enable search suggestions' is set to 'Disabled'
3.15 (L2) Ensure 'Enable Translate' is set to 'Disabled'
4.2.1 (L2) Ensure 'Control use of the Serial API' is set to 'Enabled: Do not allow any site to request access to serial ports via the Serial API'
4.2.2 (L2) Ensure 'Default Sensors Setting' is set to 'Enabled: Do not allow any site to access sensors'
4.2.4 (L1) Ensure 'Block clipboard on these sites' Is Configured
4.2.5 (L1) Ensure 'Default clipboard setting' Is 'Enabled' to 'Deny Permissions'
4.4 (L2) Ensure 'Allow or deny audio capture' is set to 'Disabled'
4.5 (L2) Ensure 'Allow or deny video capture' is set to 'Disabled'
4.6 (L1) Ensure 'Allow user feedback' is set to 'Disabled'
4.7 (L2) Ensure 'Controls the mode of DNS-over-HTTPS' is set to 'Enabled: DNS-over-HTTPS without insecure fallback'
4.8 (L2) Ensure 'Enable AutoFill for addresses' is set to 'Disabled'
4.9 (L1) Ensure 'Enable AutoFill for credit cards' is set to 'Disabled'
4.10 (L1) Ensure 'Import saved passwords from default browser on first run' is set to 'Disabled'
5.1 (L2) Ensure 'Enable guest mode in browser' is set to 'Disabled'
5.3 (L1) Ensure 'Set disk cache size, in bytes' is set to 'Enabled: 250609664'

Page 306
Appendix: CIS Controls v8 IG 3 Mapped Recommendations

Recommendation (Set Correctly: Yes / No)
1.2.1 (L1) Ensure 'Configure the list of domains on which Safe Browsing will not trigger warnings' is set to 'Disabled'
1.2.2 (L1) Ensure 'Safe Browsing Protection Level' is set to 'Enabled: Safe Browsing is active in the standard mode.' or higher
1.3 (L1) Ensure 'Allow Google Cast to connect to Cast devices on all IP addresses' is set to 'Disabled'
1.4 (L1) Ensure 'Allow queries to a Google time service' is set to 'Enabled'
1.5 (L1) Ensure 'Allow the audio sandbox to run' is set to 'Enabled'
1.7 (L1) Ensure 'Continue running background apps when Google Chrome is closed' is set to 'Disabled'
1.8 (L2) Ensure 'Control SafeSites adult content filtering' is set to 'Enabled: Filter top level sites (but not embedded iframes) for adult content'
1.9 (L1) Ensure 'Determine the availability of variations' is set to 'Enable all variations'
1.14 (L1) Ensure 'DNS interception checks enabled' is set to 'Enabled'
1.15 (L1) Ensure 'Enable component updates in Google Chrome' is set to 'Enabled'
1.18 (L1) Ensure 'Enable security warnings for command-line flags' is set to 'Enabled'
1.19 (L1) Ensure 'Enable third party software injection blocking' is set to 'Enabled'
1.20 (L1) Ensure 'Enables managed extensions to use the Enterprise Hardware Platform API' is set to 'Disabled'
1.21 (L1) Ensure 'Ephemeral profile' is set to 'Disabled'
1.22 (L1) Ensure 'Import autofill form data from default browser on first run' is set to 'Disabled'
1.23 (L1) Ensure 'Import of homepage from default browser on first run' is set to 'Disabled'
1.24 (L1) Ensure 'Import search engines from default browser on first run' is set to 'Disabled'
1.25 (L1) Ensure 'List of names that will bypass the HSTS policy check' is set to 'Disabled'
1.27 (L1) Ensure 'Suppress lookalike domain warnings on domains' is set to 'Disabled'
1.28 (L1) Ensure 'Suppress the unsupported OS warning' is set to 'Disabled'
1.29 (L1) Ensure 'URLs for which local IPs are exposed in WebRTC ICE candidates' is set to 'Disabled'
2.1.1 (L1) Ensure 'Update policy override' is set to 'Enabled' with 'Always allow updates (recommended)' or 'Automatic silent updates' specified
2.2.1 (L1) Ensure 'Control use of insecure content exceptions' is set to 'Enabled: Do not allow any site to load mixed content'
2.2.2 (L2) Ensure 'Control use of the Web Bluetooth API' is set to 'Enabled: Do not allow any site to request access to Bluetooth devices via the Web Bluetooth API'
2.2.3 (L2) Ensure 'Control use of the WebUSB API' is set to 'Enabled: Do not allow any site to request access to USB devices via the WebUSB API'
2.2.5 (L1) Ensure 'Allow local file access to file:// URLs on these sites in the PDF Viewer' Is Disabled
2.3.1 (L1) Ensure 'Blocks external extensions from being installed' is set to 'Enabled'
2.3.2 (L1) Ensure 'Configure allowed app/extension types' is set to 'Enabled: extension, hosted_app, platform_app, theme'
2.3.3 (L1) Ensure 'Configure extension installation blocklist' is set to 'Enabled: *'
2.3.4 (L2) Ensure 'Default third-party storage partitioning setting' Is Enabled and Blocked
2.3.5 (L1) Ensure 'Block third-party storage partitioning for these origins' Is Configured
2.3.6 (L2) Ensure 'Control Manifest v2 extension availability' Is Set to Forced Only
2.3.7 (L1) Ensure 'Control availability of extensions unpublished on the Chrome Web Store' Is Disabled
2.4.1 (L2) Ensure 'Supported authentication schemes' is set to 'Enabled: ntlm, negotiate'
2.5.1 (L2) Ensure 'Configure native messaging blocklist' is set to 'Enabled: *'
2.6.1 (L1) Ensure 'Enable saving passwords to the password manager' is Explicitly Configured
2.7.1 (L1) Ensure 'Enable Google Cloud Print Proxy' is set to 'Disabled'
2.8.1 Ensure 'Allow remote access connections to this machine' is set to 'Disabled'
2.8.2 (L1) Ensure 'Allow remote users to interact with elevated windows in remote assistance sessions' is set to 'Disabled'
2.8.3 (L1) Ensure 'Configure the required domain names for remote access clients' is set to 'Enabled' with a domain defined
2.8.4 (L1) Ensure 'Enable curtaining of remote access hosts' is set to 'Disabled'
2.8.5 (L1) Ensure 'Enable firewall traversal from remote access host' is set to 'Disabled'
2.8.6 (L1) Ensure 'Enable or disable PIN-less authentication for remote access hosts' is set to 'Disabled'
2.8.7 (L1) Ensure 'Enable the use of relay servers by the remote access host' is set to 'Disabled'.
2.9.1 (L1) Ensure 'Enable First-Party Sets' Is Disabled
2.10.1 (L1) Ensure 'Allow automatic sign-in to Microsoft cloud identity providers' Is Enabled
2.11 (L1) Ensure 'Allow download restrictions' is set to 'Enabled: Block malicious downloads'
2.12 (L2) Ensure 'Allow proceeding from the SSL warning page' is set to 'Disabled'
2.13 (L1) Ensure 'Disable proceeding from the Safe Browsing warning page' is set to 'Enabled'
2.14 (L1) Ensure 'Require Site Isolation for every site' is set to 'Enabled'
2.15 (L2) Ensure 'Force Google SafeSearch' is set to 'Enabled'
2.16 (L1) Ensure 'Notify a user that a browser relaunch or device restart is recommended or required' is set to 'Enabled: Show a recurring prompt to the user indication that a relaunch is required'
2.17 (L1) Ensure 'Proxy settings' is set to 'Enabled' and does not contain "ProxyMode": "auto_detect"
2.19 (L1) Ensure 'Set the time period for update notifications' is set to 'Enabled: 86400000'
2.20 (L1) Ensure 'Allow Web Authentication requests on sites with broken TLS certificates' Is Disabled
2.21 (L1) Ensure 'Allow reporting of domain reliability related data' Is Disabled
2.22 (L1) Ensure 'Enable TLS Encrypted ClientHello' Is Enabled
2.25 (L1) Ensure 'Allow file or directory picker APIs to be called without prior user gesture' Is Disabled
2.26 (L1) Ensure 'Enable Google Search Side Panel' Is Disabled
2.27 (L1) Ensure 'Http Allowlist' Is Properly Configured
2.28 (L1) Ensure 'Enable automatic HTTPS upgrades' Is Enabled
2.29 (L1) Ensure 'Insecure Hashes in TLS Handshakes Enabled' Is Disabled
2.30 (L1) Ensure 'Enable Renderer App Container' Is Enabled
2.32 Ensure 'Allow remote debugging' is set to 'Disabled'
3.2.1 (L1) Ensure 'Enable Google Cast' is set to 'Disabled'
3.3 (L1) Ensure 'Allow websites to query for available payment methods' is set to 'Disabled'
3.4 (L1) Ensure 'Block third party cookies' is set to 'Enabled'
3.5 (L2) Ensure 'Browser sign in settings' is set to 'Enabled: Disabled browser sign-in'
3.6 (L1) Ensure 'Control how Chrome Cleanup reports data to Google' is set to 'Disabled'
3.7 (L1) Ensure 'Disable synchronization of data with Google' is set to 'Enabled'
3.8 (L1) Ensure 'Enable alternate error pages' is set to 'Disabled'
3.9 (L1) Ensure 'Enable deleting browser and download history' is set to 'Disabled'
3.11 (L1) Ensure 'Enable or disable spell checking web service' is set to 'Disabled'
3.12 (L1) Ensure 'Enable reporting of usage and crash-related data' is set to 'Disabled'
3.13 (L1) Ensure 'Enable Safe Browsing for trusted sources' is set to 'Disabled'
3.14 (L2) Ensure 'Enable search suggestions' is set to 'Disabled'
3.15 (L2) Ensure 'Enable Translate' is set to 'Disabled'
4.2.1 (L2) Ensure 'Control use of the Serial API' is set to 'Enabled: Do not allow any site to request access to serial ports via the Serial API'
4.2.2 (L2) Ensure 'Default Sensors Setting' is set to 'Enabled: Do not allow any site to access sensors'
4.2.4 (L1) Ensure 'Block clipboard on these sites' Is Configured
4.2.5 (L1) Ensure 'Default clipboard setting' Is 'Enabled' to 'Deny Permissions'
4.3 (L2) Ensure 'Allow invocation of file selection dialogs' is set to 'Disabled'
4.4 (L2) Ensure 'Allow or deny audio capture' is set to 'Disabled'
4.5 (L2) Ensure 'Allow or deny video capture' is set to 'Disabled'
4.6 (L1) Ensure 'Allow user feedback' is set to 'Disabled'
4.7 (L2) Ensure 'Controls the mode of DNS-over-HTTPS' is set to 'Enabled: DNS-over-HTTPS without insecure fallback'
4.8 (L2) Ensure 'Enable AutoFill for addresses' is set to 'Disabled'
4.9 (L1) Ensure 'Enable AutoFill for credit cards' is set to 'Disabled'
4.10 (L1) Ensure 'Import saved passwords from default browser on first run' is set to 'Disabled'
5.1 (L2) Ensure 'Enable guest mode in browser' is set to 'Disabled'
5.3 (L1) Ensure 'Set disk cache size, in bytes' is set to 'Enabled: 250609664'

Page 312
Appendix: CIS Controls v8 Unmapped Recommendations

Recommendation (Set Correctly: Yes / No)
2.1.2 (L1) Ensure 'Auto-update check period override' is set to any value except '0'
2.31 (L1) Ensure 'Enable strict MIME type checking for worker scripts' Is Enabled

Page 313
Appendix: Change History

Date | Version | Changes for this version
May 23, 2017 | 1.2.0 | _Status, Listing Order_ on **[Recommendation] 1.7.2 1.7.2 Configure extension installation whitelist** were updated.
Jun 19, 2018 | 1.3.0 | _Status, Listing Order_ on **[recommendation] 1.12.1 (L1) Ensure 'Supported authentication schemes' is set to 'Enabled' (ntlm, negotiate)** were updated.
Jun 26, 2018 | 1.3.0 | _Listing Order, Status_ on **[section] 1.10.1 New section being proposed by bhowson** were updated.
Jun 26, 2018 | 1.3.0 | _Listing Order, Status_ on **[section] 1.10.2 1.10.1 (L1) Ensure 'Configure native messaging blacklist' is set to 'Enabled' ("*" for all messaging applications)** were updated.
Jan 28, 2019 | 1.4.0 | _Listing Order_ on **[recommendation] 1.1.2.1P (L2) Ensure 'Default cookies setting' is set to 'Enabled' (Keep cookies for the duration of the session)** was updated.
Jan 28, 2019 | 1.4.0 | _Listing Order_ on **[recommendation] 1.1.2.1P (L1) Ensure 'Default Flash Setting' is set to 'Enabled' (Click to Play)** was updated.
Jan 28, 2019 | 1.4.0 | _Status_ on **[section] 2 Google Update** was updated.
Jan 29, 2019 | 1.4.0 | _Status_ on **[section] 3 Applications** was updated.
Feb 6, 2019 | 1.4.0 | _Listing Order_ on **[recommendation] 1.1.4.1P (L1) Ensure 'Configure extension installation blacklist' is set to 'Enabled' ("*" for all extensions)** was updated.
Feb 6, 2019 | 1.4.0 | _Listing Order_ on **[recommendation] 1.1.8.1P (L1) Ensure `Configure native messaging blacklist` is set to 'Enabled' ("*" for all messaging applications)** was updated.
Feb 6, 2019 | 1.4.0 | _Listing Order_ on **[recommendation] 1.1.15P (L1) Ensure 'Block third party cookies' is set to 'Enabled'** was updated.

Feb 6, 2019 1.4.0 _Listing Order_ on **[recommendation] 1.1.15P (L1) Ensure 'Enable Site Isolation for every site' is set to 'Enabled'** was updated.
Feb 8, 2019 1.4.0 _Listing Order_ on **[recommendation] 1.1.15P (L1) Ensure 'Continue running background apps when Google Chrome is closed' is set to 'Disabled'** was updated.
Feb 8, 2019 1.4.0 _Listing Order_ on **[recommendation] 1.1.15P (L1) Ensure 'Block third party cookies' is set to 'Enabled'** was updated.
Feb 8, 2019 1.4.0 _Status, Listing Order_ on **[recommendation] 1.1.12.1 (L1) Ensure 'Choose how to specify proxy server settings' is not set to 'Enabled' with 'Auto detect proxy settings'** were updated.
Feb 20, 2019 1.4.0 _Listing Order, Status_ on **[recommendation] 1.1.1.5 (L1) Ensure 'Configure the required domain names for remote access clients' is set to 'Enabled' with a domain defined** were updated.
Feb 20, 2019 1.4.0 _Listing Order, Status_ on **[recommendation] 1.1.1.6 (L1) Ensure 'Allow remote users to interact with elevated windows in remote assistance sessions' is set to 'Disabled'** were updated.
Feb 20, 2019 1.4.0 _Listing Order, Status_ on **[recommendation] 1.1.1.7 (L1) Ensure 'Enable the use of relay servers by the remote access host' is set to 'Disabled'.** were updated.
Feb 20, 2019 1.4.0 _Listing Order, Status_ on **[recommendation] 1.1.1.8 (L1) Ensure 'Allow gnubby authentication for remote access hosts' is set to 'Disabled'.** were updated.
Feb 20, 2019 1.4.0 _Listing Order, Status_ on **[recommendation] 1.1.2.3 (L1) Ensure 'Default geolocation setting' is set to 'Enabled' with 'Do not allow any site to track the users' physical location'** were updated.
Feb 20, 2019 1.4.0 _Listing Order_ on **[recommendation] 1.1.2.1P (L2) Ensure 'Default cookies setting' is set to 'Enabled' (Keep cookies for the duration of the session)** was updated.
Mar 5, 2019 1.4.0 _Status, Listing Order, Remediation Procedure, Rationale Statement_ on **[recommendation] 1.1.5.1 (L1) Ensure 'Enable Google Cast' is set to 'Disabled'** were updated.
Mar 5, 2019 1.4.0 _Listing Order, Status_ on **[recommendation] 1.1.2.4 (L2) Ensure 'Default notification setting' is set to 'Enabled' with 'Do not allow any site to show desktop notifications'** were updated.
Mar 7, 2019 1.4.0 _Listing Order, Status, Remediation Procedure_ on **[recommendation] 1.1.25 (L1) Ensure 'Enable AutoFill for credit cards' is set to 'Disabled'** were updated.
Mar 7, 2019 1.4.0 _Listing Order, Status_ on **[recommendation] 1.1.26 (L1) Ensure 'Enable AutoFill for addresses' is set to 'Disabled'** were updated.
Mar 7, 2019 1.4.0 _Listing Order_ on **[recommendation] 1.1.1.1P (L1) Ensure 'Enable curtaining of remote access hosts' is set to 'Disabled'** was updated.
Mar 7, 2019 1.4.0 _Listing Order, Status, Remediation Procedure_ on **[recommendation] 1.1.2.5 (L2) Ensure 'Control use of the Web Bluetooth API' is set to 'Enabled' with 'Do not allow any site to request access to Bluetooth devices via the Web Bluetooth API'** were updated.
Mar 7, 2019 1.4.0 _Listing Order, Status, Remediation Procedure_ on **[recommendation] 1.1.2.6 (L2) Ensure 'Control use of the WebUSB API' is set to 'Enabled' with 'Do not allow any site to request access to USB devices via the WebUSB API'** were updated.
Mar 7, 2019 1.4.0 _Status, Listing Order, Remediation Procedure_ on **[recommendation] 1.1.4.2 (L1) Ensure 'Configure allowed app/extension types' is set to 'Enabled' with the values 'extension', 'hosted_app', 'platform_app', 'theme' specified** were updated.
Mar 7, 2019 1.4.0 _Listing Order_ on **[recommendation] 1.1.4.1P (L1) Ensure 'Configure extension installation blacklist' is set to 'Enabled' ("*" for all extensions)** was updated.
Mar 7, 2019 1.4.0 _Listing Order_ on **[recommendation] 1.1.10.1P (L1) Ensure 'Enable saving passwords to the password manager' is set to 'Disabled'** was updated.
Mar 7, 2019 1.4.0 _Status, Listing Order, references_ on **[recommendation] 2.1.1.1 (L1) Ensure 'Update policy override' is set to 'Enabled' with 'Always allow updates (recommended)' or 'Automatic silent updates' specified** were updated.
Mar 7, 2019 1.4.0 _Status, Listing Order_ on **[recommendation] 2.1.2.1 (L1) Ensure 'Update policy override' is set to 'Enabled' with 'Always allow updates (recommended)' or 'Automatic silent updates' specified** were updated.
Mar 8, 2019 1.4.0 _Listing Order, Status, Remediation Procedure_ on **[recommendation] 1.1.27 (L1) Ensure 'Allow download restrictions' is set to 'Enabled' with 'Block dangerous downloads' specified.** were updated.
Mar 8, 2019 1.4.0 _Listing Order, Status, Remediation Procedure_ on **[recommendation] 1.1.28 (L1) Ensure 'Ask where to save each file before downloading' is set to 'Enabled'** were updated.
Mar 8, 2019 1.4.0 _Listing Order, Status_ on **[recommendation] 1.1.29 (L1) Ensure 'Control how Chrome Cleanup reports data to Google' is set to 'Disabled'** were updated.
Mar 8, 2019 1.4.0 _Listing Order, Status_ on **[recommendation] 1.1.30 (L1) Ensure 'Browser sign in settings' is set to 'Enabled' with 'Disabled browser sign-in' specified** were updated.
Mar 8, 2019 1.4.0 _Listing Order, Status_ on **[recommendation] 1.1.31 (L1) Ensure 'Disable proceeding from the Safe Browsing warning page' is set to 'Enabled'** were updated.
Mar 8, 2019 1.4.0 _Listing Order, Status, Remediation Procedure_ on **[recommendation] 1.1.32 (L1) Ensure 'Disable saving browser history' is set to 'Disabled'** were updated.
Mar 8, 2019 1.4.0 _Listing Order, Status_ on **[recommendation] 1.1.33 (L1) Ensure 'Enable HTTP/0.9 support on non-default ports' is set to 'Disabled'** were updated.
Mar 8, 2019 1.4.0 _Listing Order, Status_ on **[recommendation] 1.1.34 (L1) Ensure 'Enable PAC URL stripping (for https://)' is set to 'Enabled'** were updated.
Mar 8, 2019 1.4.0 _Listing Order, Status, Remediation Procedure_ on **[recommendation] 1.1.35 (L1) Ensure 'Enable Translate' is set to 'Disabled'** were updated.
Mar 8, 2019 1.4.0 _Listing Order, Status, Remediation Procedure_ on **[recommendation] 1.1.36 (L1) Ensure 'Enable component updates in Google Chrome' is set to 'Enabled'** were updated.
Mar 8, 2019 1.4.0 _Listing Order, Status_ on **[recommendation] 1.1.37 (L1) Ensure 'Enable deprecated web platform features for a limited time' is set to 'Disabled'** were updated.
Mar 8, 2019 1.4.0 _Listing Order, Status_ on **[recommendation] 1.1.38 (L1) Ensure 'Enable network prediction' is set to 'Enabled' with 'Do not predict actions on any network connection' selected** were updated.
Mar 8, 2019 1.4.0 _Listing Order, Status, Remediation Procedure_ on **[recommendation] 1.1.39 (L1) Ensure 'Enable search suggestions' is set to 'Disabled'** were updated.
Mar 8, 2019 1.4.0 _Listing Order, Status, Remediation Procedure_ on **[recommendation] 1.1.40 (L1) Ensure 'Enable or disable spell checking web service' is set to 'Disabled'** were updated.
Mar 8, 2019 1.4.0 _Listing Order, Status, Remediation Procedure_ on **[recommendation] 1.1.41 (L1) Ensure 'Enable alternate error pages' is set to 'Disabled'** were updated.
Mar 8, 2019 1.4.0 _Listing Order, Status, Remediation Procedure_ on **[recommendation] 1.1.42 (L1) Ensure 'Enable third party software injection blocking' is set to 'Enabled'** were updated.
Mar 8, 2019 1.4.0 _Listing Order, Status, Remediation Procedure_ on **[recommendation] 1.1.43 (L1) Ensure 'Extend Flash content setting to all content' is set to 'Disabled'** were updated.
Mar 8, 2019 1.4.0 _Listing Order, Status_ on **[recommendation] 1.1.44 (L1) Ensure 'Notify a user that a browser relaunch or device restart is recommended or required' is set to 'Enabled' with 'Show a recurring prompt to the user indication that a relaunch is required' specified** were updated.
Mar 8, 2019 1.4.0 _Listing Order, Status_ on **[recommendation] 1.1.45 (L1) Ensure 'Set the time period for update notifications' is set to 'Enabled' with '86400000' (1 day) specified** were updated.
Mar 8, 2019 1.4.0 _Listing Order, Status, Remediation Procedure_ on **[recommendation] 1.1.46 (L1) Ensure 'Suppress the unsupported OS warning' is set to 'Disabled'** were updated.
Mar 8, 2019 1.4.0 _Listing Order, Status, Remediation Procedure_ on **[recommendation] 1.1.47 (L1) Ensure 'Whether online OCSP/CRL checks are performed' is set to 'Disabled'** were updated.
Mar 8, 2019 1.4.0 _Listing Order, Status, Remediation Procedure_ on **[recommendation] 1.1.48 (L2) Ensure 'Whether online OCSP/CRL checks are required for local trust anchors' is set to 'Enabled'** were updated.
Mar 8, 2019 1.4.0 _Listing Order, Status, Remediation Procedure_ on **[recommendation] 1.1.49 (L1) Ensure 'Allow WebDriver to Override Incompatible Policies' is set to 'Disabled'** were updated.
Mar 8, 2019 1.4.0 _Listing Order, Status, Remediation Procedure_ on **[recommendation] 1.1.50 (L1) Ensure 'Control SafeSites adult content filtering.' is set to 'Enabled' with value 'Do not filter sites for adult content' specified** were updated.
Mar 8, 2019 1.4.0 _Listing Order, Status, Remediation Procedure_ on **[recommendation] 1.1.51 (L1) Ensure 'Disable support for 3D graphics APIs' is set to 'Enabled'** were updated.
Mar 8, 2019 1.4.0 _Listing Order, Status, Remediation Procedure_ on **[recommendation] 1.1.52 (L1) Ensure 'Disable synchronization of data with Google' is set to 'Enabled'** were updated.
Mar 8, 2019 1.4.0 _Listing Order, Status, Remediation Procedure_ on **[recommendation] 1.1.53 (L1) Ensure 'Enable Safe Browsing for trusted sources' is set to 'Disabled'** were updated.
Mar 8, 2019 1.4.0 _Listing Order, Status, Remediation Procedure_ on **[recommendation] 1.1.54 (L1) Ensure 'Origins or hostname patterns for which restrictions on insecure origins should not apply' is set to 'Disabled'** were updated.
Mar 8, 2019 1.4.0 _Listing Order, Status, Remediation Procedure_ on **[recommendation] 1.1.55 (L1) Ensure 'Enable URL-keyed anonymized data collection' is set to 'Disabled'** were updated.
Mar 8, 2019 1.4.0 _Listing Order, Status, Remediation Procedure_ on **[recommendation] 1.1.56 (L1) Ensure 'Enable Chrome Cleanup on Windows' is set to 'Disabled'** were updated.
Mar 8, 2019 1.4.0 _Listing Order, Status, Remediation Procedure_ on **[recommendation] 1.1.57 (L1) Ensure 'Disable Certificate Transparency enforcement for a list of Legacy Certificate Authorities' is set to 'Disabled'** were updated.
Mar 8, 2019 1.4.0 _Listing Order, Status, Remediation Procedure_ on **[recommendation] 1.1.58 (L1) Ensure 'Disable Certificate Transparency enforcement for a list of URLs' is set to 'Disabled'** were updated.
Mar 8, 2019 1.4.0 _Listing Order, Status, Remediation Procedure_ on **[recommendation] 1.1.59 (L1) Ensure 'Disable Certificate Transparency enforcement for a list of subjectPublicKeyInfo hashes' is set to 'Disabled'** were updated.
Mar 8, 2019 1.4.0 _Listing Order, Status, Remediation Procedure_ on **[recommendation] 1.1.60 (L1) Ensure 'Use built-in DNS client' is set to 'Disabled'** were updated.
Mar 8, 2019 1.4.0 _Listing Order, Status_ on **[recommendation] 1.1.61 New recommendation being proposed by gojo** were updated.
Apr 4, 2019 1.4.0 _Listing Order, Status_ on **[recommendation] 1.1.62 (L1) Ensure 'Enable deleting browser and download history' is set to 'Disabled'** were updated.
May 3, 2019 2.0.0 **[recommendation] 2.2P (L1) Ensure 'Update policy override' is set to 'Enabled' with 'Always allow updates (recommended)' or 'Automatic silent updates' specified** was created.
Aug 16, 2021 2.1.0 DELETE - 1.5 (L1) Ensure 'Enable HTTP/0.9 support on non-default ports' is set to 'Disabled' (Ticket 11881)
Aug 16, 2021 2.1.0 DELETE - 1.6 (L1) Ensure 'Enable deprecated web platform features for a limited time' is set to 'Disabled' (Ticket 11882)
Aug 16, 2021 2.1.0 DELETE - 1.7 (L1) Ensure 'Extend Flash content setting to all content' is set to 'Disabled' (Ticket 13370)
Aug 16, 2021 2.1.0 DELETE - 1.9 (L1) Ensure 'Allow WebDriver to Override Incompatible Policies' is set to 'Disabled' (Ticket 13371)
Aug 16, 2021 2.1.0 DELETE - 2.1 (L1) Ensure 'Default Flash Setting' is set to 'Enabled' (Click to Play) (Ticket 13372)
Aug 16, 2021 2.1.0 DELETE - 2.11 (L1) Ensure 'Allow running plugins that are outdated' is set to 'Disabled' (Ticket 13375)
Sep 22, 2021 2.1.0 DELETE - Section 4 (Management/visibility/performance) (Ticket 13811)
Sep 22, 2021 2.1.0 DELETE - Section 1.1 (Remote Access) (Ticket 13812)
Oct 7, 2021 2.1.0 DELETE - 1.1.2 (L1) Ensure 'Allow gnubby authentication for remote access hosts' is set to 'Disabled'. (Ticket 11879)
Oct 7, 2021 2.1.0 UPDATE - All Reference URLs in Recommendations Updated (Ticket 13664)
Oct 7, 2021 2.1.0 UPDATE - (L1) Ensure 'Configure allowed app/extension types' is set to 'Enabled' with the values 'extension', 'hosted_app', 'platform_app', 'theme' specified (Ticket 13373)
Oct 7, 2021 2.1.0 UPDATE - (L2) Ensure 'Configure native messaging blocklist' is set to 'Enabled' ("*" for all messaging applications) (Ticket 13016)
Oct 7, 2021 2.1.0 UPDATE - (L2) Ensure 'Whether online OCSP/CRL checks are required for local trust anchors' is set to 'Enabled' (Ticket 13854)
Oct 7, 2021 2.1.0 NEW - (L1) Ensure 'Allow cross-origin HTTP Basic Auth prompts' is set to 'Disabled' (Ticket 13909)
Oct 7, 2021 2.1.0 NEW - (L1) Ensure 'Set disk cache size, in bytes' is set to 'Enabled: 250609664' (Ticket 13907)
Oct 7, 2021 2.1.0 NEW - (L2) Ensure 'Enforce Google SafeSearch' is set to 'Disabled' (Ticket 13905)
Oct 7, 2021 2.1.0 NEW - (L1) Ensure 'Enable renderer code integrity' is set to 'Enabled' (Ticket 13902)
Oct 7, 2021 2.1.0 NEW - (L1) Ensure 'Enable use of ephemeral profiles' is set to 'Disabled' (Ticket 13904)
Oct 7, 2021 2.1.0 NEW - (L1) Ensure 'Enable security warnings for command-line flags' is set to 'Enabled' (Ticket 13903)
Oct 7, 2021 2.1.0 NEW - (L2) Ensure 'Enable guest mode' is set to 'Disabled' (Ticket 13901)
Oct 7, 2021 2.1.0 NEW - (L1) Ensure 'Enable globally scoped HTTP auth cache' is set to 'Disabled' (Ticket 13900)
Oct 7, 2021 2.1.0 NEW - (L1) Ensure 'DNS interception checks enabled' is set to 'Enabled' (Ticket 13899)
Oct 7, 2021 2.1.0 NEW - (L1) Ensure 'Configure the list of types that are excluded from synchronization' is set to 'Enabled' (Ticket 13898)
Oct 7, 2021 2.1.0 NEW - (L1) Ensure 'Configure the list of names that will bypass the HSTS policy check' is set to 'Disabled' (Ticket 13897)
Oct 7, 2021 2.1.0 NEW - (L1) Ensure 'Allow websites to query for available payment methods' is set to 'Disabled' (Ticket 13896)
Oct 7, 2021 2.1.0 NEW - (L2) Ensure 'Allow users to proceed from the HTTPS warning page' is set to 'Disabled' (Ticket 13895)
Oct 7, 2021 2.1.0 NEW - (L1) Ensure 'Allow user feedback' is set to 'Disabled' (Ticket 13894)
Oct 7, 2021 2.1.0 NEW - (L2) Ensure 'Allow file selection dialog' is set to 'Disabled' (Ticket 13885)
Oct 7, 2021 2.1.0 NEW - (L1) Ensure 'Allow the audio sandbox to run' is set to 'Enabled' (Ticket 13893)
Oct 7, 2021 2.1.0 NEW - (L1) Ensure 'Allow queries to a Browser Network Time service' is set to 'Enabled' (Ticket 13892)
Oct 7, 2021 2.1.0 NEW - (L2) Ensure 'Allow or deny screen capture' is set to 'Disabled' (Ticket 13891)
Oct 7, 2021 2.1.0 NEW - (L1) Ensure 'Allow managed extensions to use the Enterprise Hardware Platform API' is set to 'Disabled' (Ticket 13890)
Oct 7, 2021 2.1.0 NEW - (L1) Ensure 'Allow importing of home page settings' is set to 'Disabled' (Ticket 13888)
Oct 7, 2021 2.1.0 NEW - (L1) Ensure 'Allow importing of autofill form data' is set to 'Disabled' (Ticket 13887)
Oct 7, 2021 2.1.0 NEW - (L1) Ensure 'Allow Google Cast to connect to Cast devices on all IP addresses' is set to 'Disabled' (Ticket 13886)
Oct 7, 2021 2.1.0 NEW - (L1) Ensure 'Allow importing of search engine settings' is set to 'Disabled' (Ticket 13889)
Oct 7, 2021 2.1.0 NEW - (L2) Ensure 'Allow or deny video capture' is set to 'Disabled' (Ticket 13936)
Oct 7, 2021 2.1.0 NEW - (L2) Ensure 'Allow or block audio capture' is set to 'Disabled' (Ticket 13937)
Oct 7, 2021 2.1.0 NEW - (L2) Ensure 'Control use of the Serial API' is set to 'Enabled: Do not allow any site to request access to serial ports via the Serial API' (Ticket 13939)
Oct 7, 2021 2.1.0 NEW - (L1) Ensure 'Determine the availability of variations' is set to 'Disabled' (Ticket 13940)
Oct 7, 2021 2.1.0 NEW - (L1) Ensure 'Suppress lookalike domain warnings on domains' is set to 'Disabled' (Ticket 13941)
Oct 7, 2021 2.1.0 NEW - (L1) Ensure 'Configure the list of domains on which Safe Browsing will not trigger warnings' is set to 'Disabled' (Ticket 13942)
Oct 7, 2021 2.1.0 NEW - (L1) Ensure 'Safe Browsing Protection Level' is set to 'Enabled: Standard Protection' or higher (Ticket 13943)
Oct 7, 2021 2.1.0 NEW - (L2) Ensure 'Controls the mode of DNS-over-HTTPS' is set to 'Enabled: secure' (Ticket 13944)
Oct 7, 2021 2.1.0 NEW - (L1) Ensure 'Allow remote access connections to this machine' is set to 'Disabled' (Ticket 13945)
Oct 7, 2021 2.1.0 UPDATE - (L1) Ensure 'Configure extension installation blocklist' is set to 'Enabled' ("*" for all extensions) (Ticket 11701)
Oct 7, 2021 2.1.0 NEW - (L1) Ensure 'Manage exposure of local IP addresses by WebRTC' is set to 'Disabled' (Ticket 13906)
Oct 7, 2021 2.1.0 UPDATE - (L1) Ensure 'Enable component updates in Google Chrome' is set to 'Enabled' (Ticket 13768)
Oct 7, 2021 2.1.0 UPDATE - (L1) Ensure 'Proxy settings' is set to 'Enabled' and does not contain "ProxyMode": "auto_detect" (Ticket 13374)
Oct 7, 2021 2.1.0 NEW - (L2) Ensure 'Incognito mode availability' is set to 'Disabled' (Ticket 13949)
Oct 7, 2021 2.1.0 NEW - (L1) Ensure 'Blocks external extensions from being installed' is set to 'Enabled' (Ticket 13951)
Oct 7, 2021 2.1.0 NEW - (L1) Ensure 'Control use of insecure content exceptions' is set to 'Enabled: Do not allow any site to load mixed content' (Ticket 13953)
Nov 23, 2021 2.1.0 UPDATE - Recommendation grouping and ordering (Ticket 14181)
Dec 9, 2021 2.1.0 DELETE - (L2) Ensure 'Use built-in DNS client' is set to 'Disabled' (Ticket 13442)
Dec 1, 2023 3.0.0 Draft Released
Oct 31, 2023 3.0.0 AlternateErrorPagesEnabled is set twice (Ticket 17868)
Jan 8, 2024 3.0.0 Audit Procedure does not include the registries (Ticket 20443)
Jan 29, 2024 3.0.0 Create recommendation for 'ScreenCaptureAllowed' policy (Ticket 20773)
Jan 29, 2024 3.0.0 Create recommendation for 'WindowManagementBlockedForUrls' policy (Ticket 20772)
Jan 29, 2024 3.0.0 Create recommendation for 'WindowManagementAllowedForUrls' policy (Ticket 20771)
Jan 29, 2024 3.0.0 Create recommendation for 'DefaultWindowManagementSetting' policy (Ticket 20770)
Jan 29, 2024 3.0.0 Create recommendation for 'DefaultClipboardSetting' policy (Ticket 20769)
Jan 29, 2024 3.0.0 Create recommendation for 'ClipboardBlockedForUrls' policy (Ticket 20768)
Jan 29, 2024 3.0.0 Create recommendation for 'ClipboardAllowedForUrls' policy (Ticket 20767)
Jan 29, 2024 3.0.0 Create recommendations for 'RemoteDebuggingAllowed' policy (Ticket 20766)
Jan 29, 2024 3.0.0 Create recommendations for 'StrictMimetypeCheckForWorkerScriptsEnabled' policy (Ticket 20765)
Jan 29, 2024 3.0.0 Create recommendations for 'RendererAppContainerEnabled' policy (Ticket 20764)
Jan 29, 2024 3.0.0 Create recommendations for 'InsecureHashesInTLSHandshakesEnabled' policy (Ticket 20763)
Jan 29, 2024 3.0.0 Create recommendations for 'HttpsUpgradesEnabled' policy (Ticket 20762)
Jan 29, 2024 3.0.0 Create recommendations for 'HttpAllowlist' policy (Ticket 20761)
Jan 29, 2024 3.0.0 Create recommendations for 'FileOrDirectoryPickerWithoutGestureAllowedForOrigins' policy (Ticket 20760)
Jan 29, 2024 3.0.0 Create recommendations for 'EnterpriseProfileCreationKeepBrowsingData' policy (Ticket 20759)
Jan 29, 2024 3.0.0 Create recommendations for 'EnforceLocalAnchorConstraintsEnabled' policy (Ticket 20758)
Jan 29, 2024 3.0.0 Create recommendations for 'EncryptedClientHelloEnabled' policy (Ticket 20757)
Jan 29, 2024 3.0.0 Create recommendations for 'DomainReliabilityAllowed' policy (Ticket 20756)
Jan 29, 2024 3.0.0 Create recommendations for 'AllowWebAuthnWithBrokenTlsCerts' policy (Ticket 20754)
Jan 29, 2024 3.0.0 Create recommendations for 'CloudAPAuthEnabled' policy (Ticket 20753)
Jan 29, 2024 3.0.0 Create new sub-section for Microsoft Active Directory Management Settings (Ticket 20752)
Jan 29, 2024 3.0.0 Create recommendations for 'FirstPartySetsEnabled' policy (Ticket 20751)
Jan 29, 2024 3.0.0 Create new sub-section for First-Party Sets Settings (Ticket 20750)
Jan 29, 2024 3.0.0 Create recommendations for 'ExtensionUnpublishedAvailability' policy (Ticket 20749)
Jan 29, 2024 3.0.0 Create recommendations for 'ExtensionManifestV2Availability' policy (Ticket 20748)
Jan 29, 2024 3.0.0 Create recommendations for 'ThirdPartyStoragePartitioningBlockedForOrigins' policy (Ticket 20747)
Jan 29, 2024 3.0.0 Create recommendations for 'DefaultThirdPartyStoragePartitioningSetting' policy (Ticket 20746)
Jan 29, 2024 3.0.0 Add recommendation using 'PdfLocalFileAccessAllowedForDomains' policy (Ticket 20745)
Jan 29, 2024 3.0.0 1.5 - Ensure 'Allow the audio sandbox to run' is set to 'Enabled' - Update CIS Controls v7 & v8 (Ticket 20744)
Jan 29, 2024 3.0.0 1.1 - Ensure 'Cross-origin HTTP Authentication prompts' is set to 'Disabled' - Update remediation path (Ticket 20743)
Jan 29, 2024 3.0.0 Published version released