18.9.48.9 Ensure 'Configure the Adobe Flash Click-to-Run setting' is set to 'Enabled'

Information

This setting controls whether Adobe Flash (within the Microsoft Edge web browser) will require the user to click on the Flash element before the browser will display the Flash content.

The recommended state for this setting is: Enabled.

Note: This setting will not manage Adobe Flash usage from other web browsers, so we recommend that each organization decide how to manage (or whether to uninstall) Adobe Flash for other browsers on their systems.

Rationale:

Adobe Flash is a very insecure product and has been a frequent attack vector on the web. However, disabling it completely may not be a practical option for many organizations, as it is still used frequently on many websites. This feature at least makes Adobe Flash content 'opt-in', so the user has to choose to click on each specific piece of Flash content before it will run.

Impact:

None - this is the default behavior.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled:

Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Edge\Configure the Adobe Flash Click-to-Run setting

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).

Default Value:

Enabled. (Users will need to click on an Adobe Flash element to display its content.)
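The following PowerShell audit is an added example, not part of the benchmark text. It looks up the policy by the display name given above in MicrosoftEdge.admx/adml, takes the backing registry key and value name from the template itself, and compares the machine's policy registry with the template's "Enabled" value. Assumptions: the templates are in the local %SystemRoot%\PolicyDefinitions store with en-US language files, and the function name is hypothetical.

```powershell
# Added example: audit the Click-to-Run policy by resolving it through the ADMX template.
function Test-FlashClickToRunPolicy {
    param(
        # Assumption: local template store; point this at the central store if one is used.
        [string]$PolicyDefinitions = (Join-Path $env:SystemRoot 'PolicyDefinitions'),
        [string]$Culture = 'en-US',
        [string]$DisplayName = 'Configure the Adobe Flash Click-to-Run setting'
    )
    $admxPath = Join-Path $PolicyDefinitions 'MicrosoftEdge.admx'
    $admlPath = Join-Path $PolicyDefinitions "$Culture\MicrosoftEdge.adml"
    if (-not (Test-Path $admxPath) -or -not (Test-Path $admlPath)) {
        # Matches the note above: the GP path only exists once the template is installed.
        throw "MicrosoftEdge.admx/adml not found under $PolicyDefinitions"
    }
    [xml]$adml = Get-Content -Raw -Path $admlPath
    [xml]$admx = Get-Content -Raw -Path $admxPath

    # ADML maps string ids to display text; find the id for this setting's name.
    $str = $adml.policyDefinitionResources.resources.stringTable.string |
        Where-Object { $_.InnerText.Trim() -eq $DisplayName } | Select-Object -First 1
    if (-not $str) { throw "No string '$DisplayName' in $admlPath" }

    # ADMX policies reference that id as displayName="$(string.<id>)".
    $policy = $admx.policyDefinitions.policies.policy |
        Where-Object { $_.displayName -eq ('$(string.' + $str.id + ')') } |
        Select-Object -First 1
    if (-not $policy) { throw "No policy uses string id '$($str.id)' in $admxPath" }

    # Value written when the policy is Enabled; ADMX falls back to DWORD 1 if none is declared.
    $expected = $policy.enabledValue.decimal.value
    if ($null -eq $expected) { $expected = 1 }

    # The recommendation is under Computer Configuration, so check the machine hive.
    $regPath = "HKLM:\$($policy.key)"
    $item = Get-ItemProperty -Path $regPath -Name $policy.valueName -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($policy.valueName) } else { $null }

    [pscustomobject]@{
        Policy    = $policy.name
        Registry  = "$regPath : $($policy.valueName)"
        Expected  = [int]$expected
        Actual    = $actual
        # An absent value means the policy is not configured, even though the
        # product default is click-to-run.
        State     = if ($null -eq $actual) { 'NotConfigured' }
                    elseif ([int]$actual -eq [int]$expected) { 'Enabled' }
                    else { 'NonCompliant' }
    }
}

Test-FlashClickToRunPolicy
```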

See Also

https://workbench.cisecurity.org/files/2992