2.2.4 Ensure 'Default notification setting' is set to 'Enabled: Do not allow any site to show desktop notifications'

Information

Google Chrome offers websites the ability to display desktop notifications. These are push messages which are sent from the website operator through Google infrastructure to Chrome.

Allow sites to show desktop notifications (1)

Do not allow any site to show desktop notifications (2)

Ask every time a site wants to show desktop notifications (3)

The recommended state for this setting is: Enabled with a value of Do not allow any site to show desktop notifications (2)

Rationale:

If the website operator decides to send messages unencrypted, Google's servers may process them as plain text. Furthermore, potentially compromised or faked notifications might trick users into clicking on a malicious link.

Impact:

If this setting is enabled and set to Do not allow any site to show desktop notifications, notifications will not be displayed for any sites and the user will not be asked.

Solution

To establish the recommended configuration via Group Policy, set the following UI path to Enabled: Do not allow any site to show desktop notifications:

Computer Configuration\Policies\Administrative Templates\Google\Google Chrome\Content Settings\Default notification setting

Default Value:

Unset (Same as Enabled, with 'Ask every time a site wants to show desktop notifications')
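
One way to audit this setting on an endpoint, as an added example that is not part of the benchmark or the plugin. It assumes the Group Policy above is stored as the DWORD `DefaultNotificationsSetting` under `HKLM:\SOFTWARE\Policies\Google\Chrome` (Chrome's policy registry location, which this page does not state); the function name is hypothetical.

```powershell
# Added audit example; not part of the benchmark text.
# Assumption: the machine-level Chrome policy store is
# HKLM:\SOFTWARE\Policies\Google\Chrome and this setting is the
# DWORD value DefaultNotificationsSetting.
function Test-ChromeNotificationPolicy {
    [CmdletBinding()]
    param(
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome',
        [string]$ValueName = 'DefaultNotificationsSetting'
    )

    # Value meanings as listed in the benchmark item.
    $meaning = @{
        1 = 'Allow sites to show desktop notifications'
        2 = 'Do not allow any site to show desktop notifications'
        3 = 'Ask every time a site wants to show desktop notifications'
    }

    # A missing key and a missing value both mean the policy is unset.
    $raw = $null
    $key = Get-Item -LiteralPath $PolicyKey -ErrorAction SilentlyContinue
    if ($key) { $raw = $key.GetValue($ValueName, $null) }

    if ($null -eq $raw) {
        # Per the benchmark, unset behaves like value 3 (ask every time).
        $state = 'Unset (behaves like 3: ask every time)'
        $compliant = $false
    }
    elseif ($raw -isnot [int]) {
        # A non-DWORD value does not match the expected setting.
        $state = "Unexpected type $($raw.GetType().Name)"
        $compliant = $false
    }
    else {
        $state = if ($meaning.ContainsKey($raw)) { $meaning[$raw] } else { "Unknown value $raw" }
        $compliant = ($raw -eq 2)
    }

    [pscustomobject]@{
        PolicyKey = $PolicyKey
        ValueName = $ValueName
        Value     = $raw
        State     = $state
        Compliant = $compliant
    }
}

Test-ChromeNotificationPolicy
```

Only a result with `Compliant` equal to `True` (value 2) matches the recommended state; an unset policy is reported as non-compliant because the default still prompts the user.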

See Also

https://workbench.cisecurity.org/benchmarks/8691

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7a.

Plugin: Windows

Control ID: d72d58c99ef56568f59c4448395961c579663600f4d06b512a49e9b5b173ba35