Download restrictions must be configured.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-221588 | SRG-APP-000089 | DTBC-0055 | SV-221588r1106670_rule | 2025-05-15 | 2 |
Description
Setting the policy means users cannot bypass download security decisions. There are many types of download warnings within Chrome, which roughly break down into these categories:
- Malicious, as flagged by the Safe Browsing server.
- Uncommon or unwanted, as flagged by the Safe Browsing server.
- A dangerous file type (e.g., all SWF downloads and many EXE downloads).
Setting the policy blocks different subsets of these, depending on its value:
0 = No special restrictions. Default.
1 = Block malicious downloads and dangerous file types.
2 = Block malicious downloads, uncommon or unwanted downloads, and dangerous file types.
3 = Block all downloads.
4 = Block malicious downloads. Recommended.
ℹ️ Check
If the system is on the SIPRNet, this requirement is Not Applicable.
Universal method:
1. In the omnibox (address bar), type "chrome://policy".
2. If "DownloadRestrictions" is not displayed under the "Policy Name" column or it is set to "0", this is a finding.
Windows method:
1. Start "regedit".
2. Navigate to "HKLM\Software\Policies\Google\Chrome\".
3. If the "DownloadRestrictions" value name does not exist or its value data is set to "0", this is a finding.
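The Windows method above can be scripted. The following PowerShell function is an added example, not part of the STIG text. The function name, the `-OnSIPRNet` switch, and the output fields are hypothetical. The registry path, value name, and the finding rule (missing or `0`) come from the Check text.

```powershell
function Test-ChromeDownloadRestrictions {
    [CmdletBinding()]
    param(
        # Key and value name exactly as given in the Check text.
        [string]$Path = 'HKLM:\Software\Policies\Google\Chrome',
        [string]$Name = 'DownloadRestrictions',
        # Set when the system is on the SIPRNet (requirement is Not Applicable).
        [switch]$OnSIPRNet
    )

    # Policy values as listed in the Description.
    $meaning = @{
        0 = 'No special restrictions'
        1 = 'Block malicious downloads and dangerous file types'
        2 = 'Block malicious, uncommon or unwanted downloads, and dangerous file types'
        3 = 'Block all downloads'
        4 = 'Block malicious downloads'
    }

    # Default result covers the "value name does not exist" case.
    $result = [ordered]@{
        Version = 'DTBC-0055'; Status = 'Finding'; Value = $null
        Detail  = "Value name '$Name' does not exist"
    }

    if ($OnSIPRNet) {
        $result.Status = 'Not Applicable'
        $result.Detail = 'System is on the SIPRNet'
        return [pscustomobject]$result
    }

    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -ne $key -and $key.GetValueNames() -contains $Name) {
        $raw = $key.GetValue($Name)
        $result.Value = $raw
        $n = $raw -as [int]
        if ($null -eq $n) {
            # Assumption of this example: non-numeric data counts as a finding.
            $result.Detail = 'Value data is not numeric'
        } elseif ($meaning.ContainsKey($n)) {
            $result.Detail = $meaning[$n]
            if ($n -ne 0) { $result.Status = 'Not a Finding' }
        } else {
            # Not 0, so not a finding per the Check text, but flag it for review.
            $result.Status = 'Not a Finding'
            $result.Detail = 'Value is not one of 0-4; review manually'
        }
    }
    [pscustomobject]$result
}

Test-ChromeDownloadRestrictions
```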
✔️ Fix
If the system is on the SIPRNet, this requirement is Not Applicable.
Windows group policy:
1. Open the group policy editor tool with gpedit.msc.
2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
Policy Name: Allow download restrictions
Policy State: 1, 2, or 4
Policy Value: N/A