1.3.1 Ensure 'Control use of the Web Bluetooth API' is set to 'Enabled: Do not allow any site to request access to Bluetooth'

Information

This policy setting controls whether websites can access connected Bluetooth devices.

The recommended state for this setting is: Enabled: Do not allow any site to request access to Bluetooth devices via the Web Bluetooth API.

Rationale:

Web Bluetooth could potentially be used for attacks that may bypass other controls regarding connected Bluetooth hardware including microphones, cameras, and other devices which information could be gathered from or inappropriately utilzed.

Impact:

Websites will be unable to utilize connected Bluetooth devices via the API, this includes web cameras, microphones, and other USB devices.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled: Do not allow any site to request access to Bluetooth devices via the Web Bluetooth API

Computer Configuration\Policies\Administrative Templates\Microsoft Edge\Content settings\Control use of the Web Bluetooth API

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MSEdge.admx/adml that can be downloaded from Microsoft here.

Default Value:

Enabled - Users will be asked whether websites can access any Bluetooth device. Users may change this setting.

See Also

https://workbench.cisecurity.org/files/3907

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-18(3), CSCv7|15.9

Plugin: Windows

Control ID: c47fee8dcc259b9308f93eb4c7ae2a5e88ec0ba867e009cba11bfb341f4955d2