1.3.6 Ensure 'Control use of the File System API for writing' is set to 'Enabled: Don't allow any site to request write access to files and directories'

Information

This policy setting specifies whether websites can ask for write access to the host operating system's filesystem using the File System API. By default websites can ask for access. Users can change this setting. By setting this policy to (2), access is denied.

Policy options mapping:

BlockFileSystemWrite (2) = Don't allow any site to request write access to files and directories

AskFileSystemWrite (3) = Allow sites to ask the user to grant write access to files and directories

The recommended state for this setting is: Enabled: Don't allow any site to request write access to files and directories.

Rationale:

There is a large category of attack vectors that are opened up by allowing web applications access to files. By setting this policy to Enabled: Don't allow any site to request write access to files and directories implements additional protection to safeguard against accidental sharing of sensitive information contained in locals files.

Impact:

Users with creative roles that require the File System API access permission to write files for photo, video, and text editors or for creating integrated development environments will need additional permissions granted based on their role.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled: Don't allow any site to request write access to files and directories:

Computer Configuration\Policies\Administrative Templates\Microsoft Edge\Content settings\Control use of the File System API for writing

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MSEdge.admx/adml that can be downloaded from: Download Microsoft Edge for Business - Microsoft.

Default Value:

AskFileSystemWrite (3) = Allow sites to ask the user to grant write access to files and directories

See Also

https://workbench.cisecurity.org/files/4094

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CM-10, 800-53|CM-11, 800-53|SC-18, CSCv7|7.2

Plugin: Windows

Control ID: 114e9bf7f8c47e055fc60b063acb3b70804a4f6c8ee34550dd6899614d69c148