Site tracking users location must be disabled

From Google Chrome v24 Windows STIG

Part of DTBC0002 - Disable all sites from tracking a users location

Associated with IA controls: ECSC-1

Associated with: CCI-001588

SV-46906r2_rule Site tracking users location must be disabled

Vulnerability discussion

Tracking of user location data over time poses a significant OPSEC issue."allows you to set whether websites are allowed to track the users' physical location. Tracking the users' physical location can be allowed by default, denied by default or the user can be asked every time a website requests the physical location. If this policy is left not set, 'AskGeolocation' will be used and the user will be able to change it.       1 = Allow sites to track the users' physical location       2 = Do not allow any site to track the users' physical location       3 = Ask whenever a site wants to track the users' physical location" - Google Chrome Administrators Policy List

Check content

Universal method (Requires Chrome Browser v15 or later): 1. In the omnibox (address bar) type chrome://policy 2. If DefaultGeolocationSetting is not displayed under the Policy Name column or it is not set to Do not allow any site to track the users’ physical location under the Policy Value column, then this is a finding. Windows method: 1. Start regedit 2. Navigate to HKLM\Software\Policies\Google\Chrome\ 3. If the DefaultGeolocationSetting value name does not exist or its value data is not set to 2, then this is a finding.

Fix text

Valid for Chrome Browser version 10 or later. Windows registry: Key Path: HKLM\Software\Policies\Google\Chrome\ Value Name: DefaultGeolocationSetting Value Type: REG_DWORD Value Data: 2 Windows group policy: Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings\ Policy Name: Default geolocation setting Policy State: Enabled Policy Value: Do not allow any site to track the users' physical location

Pro Tips

Powered by sagemincer