1.115 Ensure 'Specify if online OCSP/CRL checks are required for local trust anchors' is set to 'Enabled'

Information

This policy setting controls whether online certificate revocation checks (OCSP/CRL) are required and if a check online is not possible the certificate will be treated as though it is revoked.

The recommended state for this is Enabled.

Rationale:

Certificates should always be validated, not doing so could potentially allow a revoked certificate to be used to give a false sense of a secure connection.

Impact:

If Microsoft Edge is not able to obtain a revocation status, the certificate will be treated as though it is revoked, therefore the website will not be loaded.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled:

Computer Configuration\Policies\Administrative Templates\Microsoft Edge\Specify if online OCSP/CRL checks are required for local trust anchors

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MSEdge.admx/adml that can be downloaded from: Download Microsoft Edge for Business - Microsoft.

Default Value:

Disabled.

See Also

https://workbench.cisecurity.org/benchmarks/11865

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b.

Plugin: Windows

Control ID: 17fa6243d3b7d4eca42a3e69655d288a1e027d53afb809e36a137dfcc0ed59c0