1.17.1 Ensure 'Specifies whether to allow insecure websites to make requests to more-private network endpoints' is set to 'Disabled'

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

This policy setting controls whether insecure websites are allowed to make requests to more private network endpoints.

A network endpoint is more private than another if:

Its IP address is localhost and the other is not.

Its IP address is private and the other is public.

In the future, depending on spec evolution, this policy might apply to all cross-origin requests directed at private IPs or localhost.

A website is deemed secure if it meets the definition of a secure context in https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts. Otherwise, it will be treated as an insecure context.

Note: This policy relates to the Private Network Access specification. See https://wicg.github.io/private-network-access/ for more details.

Note #2: If this policy is not configured or set to Disabled, the default behavior for requests from insecure contexts to more-private network endpoints will depend on the user's personal configuration for the BlockInsecurePrivateNetworkRequests feature, which may be set by a field trial or on the command line.

The recommended state for this setting is: Disabled.

Rationale:

Allowing public internet sites to 'peek' behind your firewall by using the user's browser to mix intranet resources into internet-delivered pages represents a dangerous attack surface. The baseline requires enforcement of the new browser restriction that any such intranet requests are blocked if the internet page was delivered over insecure HTTP.

Note: If for some reason you need to permit insecure cross-network requests for legacy sites, you can configure temporary exceptions in Allow the listed sites to make requests to more-private network endpoints from insecure contexts.

Impact:

Users will be unable to allow non-secure public contexts to request resources from private addresses.

Solution

To establish the recommended configuration via GP, set the following UI path to Disabled:

Computer Configuration\Policies\Administrative Templates\Microsoft Edge\Private Network Request Settings\Specifies whether to allow insecure websites to make requests to more-private network endpoints

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MSEdge.admx/adml that can be downloaded from: Download Microsoft Edge for Business - Microsoft.
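An audit helper for this setting, added here as an example and not part of the CIS benchmark or the Edge policy template. It assumes the GP setting above is written by MSEdge.admx as the registry value InsecurePrivateNetworkRequestsAllowed under HKLM:\SOFTWARE\Policies\Microsoft\Edge (0 = Disabled, 1 = Enabled, absent = Not configured), and that the exception list mentioned in the Rationale note is stored under InsecurePrivateNetworkRequestsAllowedForUrls; neither name appears on this page.

```powershell
# Added audit helper (not the benchmark's own check). Registry names below are
# assumed from the MSEdge.admx template and are not stated on this page.
$PolicyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$ValueName    = 'InsecurePrivateNetworkRequestsAllowed'
$ExceptionKey = Join-Path $PolicyKey 'InsecurePrivateNetworkRequestsAllowedForUrls'

function Test-EdgeInsecurePnaPolicy {
    $value = (Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ($null -eq $value) {
        # Not configured: behaviour falls back to the BlockInsecurePrivateNetworkRequests
        # feature state (field trial or command line), which the benchmark does not accept.
        return [pscustomobject]@{ Status = 'FAIL'; Setting = 'Not configured' }
    }
    switch ([int]$value) {
        0       { [pscustomobject]@{ Status = 'PASS'; Setting = 'Disabled' } }
        1       { [pscustomobject]@{ Status = 'FAIL'; Setting = 'Enabled' } }
        default { [pscustomobject]@{ Status = 'FAIL'; Setting = "Unexpected value $value" } }
    }
}

$result = Test-EdgeInsecurePnaPolicy
Write-Output ("1.17.1 {0}: policy is {1}" -f $result.Status, $result.Setting)

# Temporary exceptions for legacy sites re-open the hole this control closes,
# so list them for review even when the main setting passes.
if (Test-Path $ExceptionKey) {
    $urls = (Get-ItemProperty -Path $ExceptionKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }
    if ($urls) {
        Write-Output 'Insecure private-network exceptions configured (review each):'
        $urls | ForEach-Object { Write-Output "  $_" }
    }
}
```

Run it in an elevated PowerShell session after a gpupdate so the policy key reflects the current GPO.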

Default Value:

Not configured. (The default behavior for requests from insecure contexts to more-private network endpoints will depend on the user's personal configuration for the BlockInsecurePrivateNetworkRequests feature.)

See Also

https://workbench.cisecurity.org/files/4094