1.1.2 Ensure 'Allow download restrictions' is set to 'Enabled: Block potentially dangerous downloads'

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

This policy controls whether Microsoft Edge blocks certain types of downloads, and prevents users from bypassing security warnings, depending on the classification of Safe Browsing.

If this policy is not configured the default state of 'No special restrictions' will be used and the downloads will go through the usual security restrictions based on Microsoft Defender SmartScreen analysis results if it is used.

Note: These restrictions only apply to downloads from web page content, as well as the 'download link...' context menu option. These restrictions don't apply to saving or downloading the currently displayed page, nor do they apply to the Save as PDF option from the printing options. For more information on Microsoft Defender SmartScreen, please visit Microsoft Defender SmartScreen Frequently Asked Questions.

Note #2: Microsoft Edge relies on the Internet Explorer zones (Local Machine, Local Intranet, Trusted, Internet, Restricted) to determine which sites may bypass this policy setting. Please see Security Zones in Edge - text/plain for more information.

The recommended state for this setting is: Enabled: Block potentially dangerous downloads.

Rationale:

Downloads can contain malware that has the potential to exfiltrate sensitive data or encrypt critical systems for ransom.

Impact:

Users will be prevented from downloading certain types of files, and will not be able to bypass security warnings.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled: Block potentially dangerous downloads.

Computer Configuration\Policies\Administrative Templates\Microsoft Edge\Allow download restrictions

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MSEdge.admx/adml that can be downloaded from: Download Microsoft Edge for Business - Microsoft.

Default Value:

Enabled: No special restrictions. With the default value, the downloads will go through the usual security restrictions based on Microsoft Defender SmartScreen analysis results.

See Also

https://workbench.cisecurity.org/files/3907