1.1.50 Ensure 'Enable online OCSP/CRL checks' is set to 'Enabled'

Information

This policy setting controls whether online OCSP/CRL revocation checks will be required.

The recommended state for this setting is Enabled.

Rationale:

Allowing certificates that have not been validated opens an organization up for an attack in which illegitimate sites are could potentially be presented as trusted.

Impact:

Certificates that are not publicly verified will not be trusted and the user will be warned that the certificate is not trusted.

Solution

To establish the recommended configuration via GP, set the following UI path to Disabled

Computer Configuration\Policies\Administrative Templates\Microsoft Edge\Enable online OCSP/CRL checks

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MSEdge.admx/adml that can be downloaded from Microsoft here.

Default Value:

Disabled.

See Also

https://workbench.cisecurity.org/files/3907

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv7|5.1

Plugin: Windows

Control ID: b50c418c9b0e7bfc6e183ac0d59e92283c717b786c27671698df10dcf009efb7