The HTTP Authentication must be set to negotiate

From Google Chrome v24 Windows STIG

Part of DTBC0012 - Set HTTP Authentication to negotiate

Associated with IA controls: ECSC-1

Associated with: CCI-001588

SV-47046r2_rule The HTTP Authentication must be set to negotiate

Vulnerability discussion

"Specifies which HTTP Authentication schemes are supported by Google Chrome. Possible values are 'basic', 'digest', 'ntlm' and 'negotiate'. Separate multiple values with commas. If this policy is left not set, all four schemes will be used." - Google Chrome Administrators Policy List

Check content

Universal method (Requires Chrome Browser v15 or later): 1. In the omnibox (address bar) type chrome://policy 2. If AuthSchemes is not displayed under the Policy Name column or it is not set to negotiate under the Policy Value column, then this is a finding. Windows method: 1. Start regedit 2. Navigate to HKLM\Software\Policies\Google\Chrome 3. If the AuthSchemes value name does not exist or its value data is not set to negotiate, then this is a finding.

Fix text

Valid for Chrome Browser version 9 or later. Windows registry: Key Path: HKLM\Software\Policies\Google\Chrome\ Value Name: AuthSchemes Value Type: String (REG_SZ) Value Data: negotiate Windows group policy: Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Policies for HTTP Authentication\ Policy Name: Supported authentication schemes Policy State: Enabled Policy Value: negotiate

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer