2.2.5 Ensure 'Allow local file access to file:// URLs on these sites in the PDF Viewer' Is Disabled

Information

This setting allows specified URLs to access file:// URLs in the PDF Viewer. By default, all domains are blocked from accessing file:// URLs in the PDF Viewer.

Rationale:

Blocking all domains, or a restricted list of domains, from opening a downloaded PDF file blocks the possibility of a malicious file being disguised as a PDF. It could also block unknown or malicious code contained within the PDF that would run as soon as the file is opened in a browser tab.

Impact:

Users will be required to open PDF files manually in the PDF Viewer or in the organization's PDF viewing application.

Solution

To establish the recommended configuration via Group Policy, set the following UI path to Disabled:

Computer Configuration\Policies\Administrative Templates\Google\Google Chrome\Content settings\Allow local file access to file:// URLs on these sites in the PDF Viewer

See Also

https://workbench.cisecurity.org/benchmarks/8691

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2, CSCv7|3.3

Plugin: Windows

Control ID: 7b4c73bf4b2939b4eac1121409396a3103c1aacbec973506439c2d32441db011