V-245539 for Chrome set to disabled

[kwygant]

The current check for v-245539 deletes and registry values in the key at the time the check is run, but does not protect against someone entering a url in the registry or change an existing policy if one exists to enable.

If the value was set to "**delvals." it would set the policy to disabled and delete any values in the reg key.

Group Title: SRG-APP-000080

Rule Title: Session only based cookies must be disabled.

Discussion: Cookies set by pages matching these URL patterns will be limited to the current session, i.e. they will be deleted when the browser exits.

For URLs not covered by the patterns specified here, or for all URLs if this policy is not set, the global default value will be used either from the 'DefaultCookiesSetting' policy, if it is set, or the user's personal configuration otherwise.

Check Text: Universal method:

1. In the omnibox (address bar) type chrome://policy.
2. If the policy "CookiesSessionOnlyForUrls" exists and has any defined values, this is a finding.

Windows method:

1. Start regedit.
2. Navigate to HKLM\Software\Policies\Google\Chrome\CookiesSessionOnlyForUrls.
3. If this key exists and has any defined values, this is a finding.

Fix Text: Windows group policy:

1. Open the group policy editor tool with gpedit.msc
2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings.

• Policy Name: Limit cookies from matching URLs to the current session
  - Policy State: Disabled
• Policy Value: N/A

[erjenkin]

Hello @kwygant ,

Can you expand on this a bit - Please update with your proposed changes to the processed STIG. A picture of the proposed registry change would be helpful.

I have not been able to find references to this: **delvals."

Thank you,

Eric

[kwygant]

[MS-GPREG]: New or Changed GPO List Processing | Microsoft Learn<https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpreg/57226664-ce00-4487-994e-a6b3820f3e49> The STIG setting is to delete all values, you can do so by adding the **delvals From: Eric Jenkins ***@***.***> Sent: Friday, September 15, 2023 11:47 AM To: microsoft/PowerStig ***@***.***> Cc: Mention ***@***.***>; Author ***@***.***> Subject: Re: [microsoft/PowerStig] V-245539 for Chrome set to disabled (Issue #1217) Hello @kwygant<https://github.com/kwygant> , Can you expand on this a bit - Please update with your proposed changes to the processed STIG. I have not been able to find references to this: **delvals." Thank you, Eric - Reply to this email directly, view it on GitHub<#1217 (comment)> or unsubscribe<https://github.com/notifications/unsubscribe-auth/AIGEBTNXVUD6YKSMYXN6MJTX2SA6TBFKMF2HI4TJMJ2XIZLTSOBKK5TBNR2WLJDUOJ2WLJDOMFWWLO3UNBZGKYLEL5YGC4TUNFRWS4DBNZ2F6YLDORUXM2LUPGBKK5TBNR2WLJDUOJ2WLJDOMFWWLLTXMF2GG2C7MFRXI2LWNF2HTAVFOZQWY5LFUVUXG43VMWSG4YLNMWVXI2DSMVQWIX3UPFYGLLDTOVRGUZLDORPXI6LQMWWES43TOVSUG33NNVSW45FGORXXA2LDOOJIFJDUPFYGLKTSMVYG643JORXXE6NFOZQWY5LFVEYTGMRRGAYDKMRZQKSHI6LQMWSWS43TOVS2K5TBNR2WLKRRGY2TMMBXGMYTOONHORZGSZ3HMVZKMY3SMVQXIZI>. You are receiving this email because you were mentioned. Triage notifications on the go with GitHub Mobile for iOS<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.

[erjenkin]

I would be curious to know if this would trigger a positive hit on automated scanners such as Nessus or SCAP, because the STIG says ". If this key exists and has any defined values, this is a finding". Technically the key would exist and would have a value of **delvals. I will need to do a bit more research and try to get a scan to confirm this won't trigger a new finding.

[kwygant]

The reg key wouldn't exist, the **delvals is defined in the registry.pol which would in turn delete any reg values that exist. Ken Wygant Sr Cloud Solution Architect - Engineering Configuration Manager Microsoft Federal Office: (320) 434-6041 Mobile: (952) 463-6280 ***@***.******@***.***> ***@***.*** Recommended for Endpoint Configuration Manager Environments: Microsoft Endpoint Manager : Update Compliance Dashboard<https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/customer-offerings-microsoft-endpoint-manager-update-compliance/ba-p/2113768> ***@***.******@***.******@***.******@***.*** From: Eric Jenkins ***@***.***> Sent: Monday, September 18, 2023 8:19 AM To: microsoft/PowerStig ***@***.***> Cc: Author ***@***.***>; Comment ***@***.***> Subject: Re: [microsoft/PowerStig] V-245539 for Chrome set to disabled (Issue #1217) I would be curious to know if this would trigger a positive hit on automated scanners such as Nessus or SCAP, because the STIG says ". If this key exists and has any defined values, this is a finding". Technically the key would exist and would have a value of **delvals. I will need to do a bit more research and try to get a scan to confirm this won't trigger a new finding. - Reply to this email directly, view it on GitHub<#1217 (comment)> or unsubscribe<https://github.com/notifications/unsubscribe-auth/AIGEBTKGHGMMTIZ6XZLBNYDX3BC5RBFKMF2HI4TJMJ2XIZLTSOBKK5TBNR2WLJDUOJ2WLJDOMFWWLO3UNBZGKYLEL5YGC4TUNFRWS4DBNZ2F6YLDORUXM2LUPGBKK5TBNR2WLJDUOJ2WLJDOMFWWLLTXMF2GG2C7MFRXI2LWNF2HTAVFOZQWY5LFUVUXG43VMWSG4YLNMWVXI2DSMVQWIX3UPFYGLLDTOVRGUZLDORPXI6LQMWWES43TOVSUG33NNVSW45FGORXXA2LDOOJIFJDUPFYGLKTSMVYG643JORXXE6NFOZQWY5LFVEYTGMRRGAYDKMRZQKSHI6LQMWSWS43TOVS2K5TBNR2WLKRRGY2TMMBXGMYTOONHORZGSZ3HMVZKMY3SMVQXIZI>. You are receiving this email because you authored the thread. Triage notifications on the go with GitHub Mobile for iOS<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.