DTBC-0006 - Extensions that are approved for use must be allowlisted.

Information

The allowlist should only contain organizationally approved extensions. This is to prevent a user from accidently allowlisitng a malicious extension. This policy allows you to specify which extensions are not subject to the blacklist. A blacklist value of '*' means all extensions are blacklisted and users can only install extensions listed in the allowlist. By default, no extensions are allowlisted. If all extensions have been blacklisted by policy, then the allowlist policy can be used to allow specific extensions to be installed. Administrators should determine which extensions should be allowed to be installed by their users. If no extensions are allowlisted, then no extensions can be installed when combined with blacklisting all extensions.

Solution

Windows group policy:
1. Open the group policy editor tool with gpedit.msc
2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Extensions\
Policy Name: Configure extension installation allowlist
Policy State: Enabled
Policy Value: oiigbmnaadbkfbmpbfijlflahbdbdgdf

Note: oiigbmnaadbkfbmpbfijlflahbdbdgdfis the extension ID for scriptno (a commonly used Chrome extension), other extension IDs may vary.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Google_Chrome_V2R9_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-18(4), CAT|II, CCI|CCI-001170, Rule-ID|SV-221563r879630_rule, STIG-ID|DTBC-0006, STIG-Legacy|SV-57563, STIG-Legacy|V-44729, Vuln-ID|V-221563

Plugin: Windows

Control ID: 1f5c9d5e60fe823ec1fa67676c6e0b498472a403d89b022669d31de9110d4a5e