1.7.3 Ensure 'Supported authentication schemes' is set to 'Enabled: ntlm, negotiate'

Information

This setting specifies what HTTP authentication methods are supported by Microsoft Edge.

The recommended setting is Enabled: ntlm, negotiate.

Rationale:

Basic and Digest authentication do not provide sufficient security and can lead to submission of user's password in plaintext or minimal protection (Integrated Authentication is supported for negotiate and ntlm challenges only).

Impact:

Any sites that utilize Basic or Digest Authentication will be impacted. Sites will need to be reconfigured to support a more secure form of authentication.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled: ntlm, negotiate:

Computer Configuration\Policies\Administrative Templates\Microsoft Edge\HTTP authentication\Supported authentication schemes

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MSEdge.admx/adml that can be downloaded from: Download Microsoft Edge for Business - Microsoft.

Default Value:

Enabled. (The following schemes will be used: basic, digest, ntlm, and negotiate.)

See Also

https://workbench.cisecurity.org/benchmarks/11865

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|14.4

Plugin: Windows

Control ID: c4e7e271e26dede0939558f23fca204066638a6591781fe0924461225c0d9f5f