1.1.34 Ensure 'Configure the list of names that will bypass the HSTS policy check' is set to 'Disabled'

Information

This policy setting allows a list of names to be specified that will be exempt from HTTP Strict Transport Security (HSTS) policy checks then potentially upgraded from http:// to https://.

The recommended state for this setting is: Disabled.

Rationale:

Allowing hostnames to be exempt from HSTS policy checks could allow for protocol downgrade attacks and cookie hijackings.

Impact:

There should be no adverse affect to users.

Solution

To establish the recommended configuration via GP, set the following UI path to Disabled

Computer Configuration\Policies\Administrative Templates\Microsoft Edge\Configure the list of names that will bypass the HSTS policy check

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MSEdge.admx/adml that can be downloaded from Microsoft here.

Default Value:

Not Configured.

See Also

https://workbench.cisecurity.org/files/3907

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-4(8), CSCv7|7.4

Plugin: Windows

Control ID: ed2d495ffae2ffeaf47bc85844f2573ae2af6bf969d411454feb61f8f6d75ef6