1.3.2 Ensure 'Control use of the WebUSB API' is set to 'Enabled: Do not allow any site to request access to USB'

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

This policy setting controls whether websites can access connected USB devices.

The recommended state for this setting is Enabled: Do not allow any site to request access to USB devices via the WebUSB API.

Rationale:

WebUSB could potentially be used for attacks that bypass other controls on connected USB hardware, including hardware authentication devices.

Impact:

Websites will be unable to use connected USB devices via the API. This includes web cameras, microphones, and other USB devices.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled: Don't allow any site to request access to USB devices via the WebUSB API

Computer Configuration\Policies\Administrative Templates\Microsoft Edge\Content settings\Control use of the WebUSB API

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MSEdge.admx/adml, which can be downloaded from Microsoft.

Default Value:

Enabled - Users will be asked whether websites can access USB devices. Users may change this setting.

See Also

https://workbench.cisecurity.org/files/3907