Saving Passwords to the Password Manager Enabled (CIS LEVEL 1 MS Edge)

Created: 2023/03/01 | Revised: 2023/04/03

SYXSCORE

Severity (a level of a security risk associated with a vulnerability exploitation): INFO
CVSS (indication of a severity level of each CVE): N/A
Countermeasure (availability of measures to reduce a probability of an attack or an impact of a threat): No
Public Aware (availability of a public announcement of a vulnerability): Yes
Weaponized (vulnerability being abused by exploit or malware): No

Overview

The recommended state for the 'Enable saving passwords to the password manager' policy setting is 'Disabled'.

Description

Enable Microsoft Edge to save user passwords. The next time a user visits a site with a saved password, Microsoft Edge will enter the password automatically.

If you enable or don't configure this policy, users can save and add their passwords in Microsoft Edge.

If you disable this policy, users can't save and add new passwords, but they can still use previously saved passwords.

Impact

Saving passwords in Edge could lead to a user's web passwords being breached if an attacker were to gain access to their web browser, especially in the case of an unattended and unlocked workstation.

Solution

To configure the policy as recommended, follow the steps below (choose one of the suggested ways):

Fix using Syxsense Console

This vulnerability can be automatically fixed within the Syxsense console.

Check the example of Syxsense Cortex Workflow implementation.

Using Local Group Policy Editor

  • Press the Windows+R keys, type 'gpedit.msc' and press OK
  • Navigate to: Computer Configuration > Administrative Templates > Microsoft Edge > Password manager and protection manager
  • In the right pane, double-click the 'Enable saving passwords to the password manager' policy setting
  • Set it to 'Disabled'
  • Click 'OK'

Microsoft Edge folders do not exist by default; the Group Policy template MSEdge.admx/adml should be downloaded from Microsoft.

Use our tutorial on How to install Microsoft Edge Group Policy templates on Windows 10 (for individual computers).

For a domain environment, adding the templates through Active Directory is required.
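
To confirm that the Group Policy change above actually reached a machine, the following added example (not part of the original Syxsense page or console) audits the policy in the registry and can optionally set it. It assumes Microsoft's documented mapping of this policy to the REG_DWORD value PasswordManagerEnabled under SOFTWARE\Policies\Microsoft\Edge; the -Remediate switch and the function names are made up for this example.

```powershell
# Added example: audit (and optionally set) the Edge policy behind
# 'Enable saving passwords to the password manager'.
# Assumption: the policy is the REG_DWORD value PasswordManagerEnabled
# under SOFTWARE\Policies\Microsoft\Edge (0 = Disabled, 1 = Enabled).
[CmdletBinding()]
param([switch]$Remediate)   # hypothetical switch name for this example

$ValueName  = 'PasswordManagerEnabled'
$MachineKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$UserKey    = 'HKCU:\SOFTWARE\Policies\Microsoft\Edge'

function Get-EdgePolicyValue {
    param([string]$Key)
    # Returns $null when the key or the value is absent ("Not configured").
    $item = Get-ItemProperty -Path $Key -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $item) { return [int]$item.$ValueName }
    return $null
}

function Test-EdgePasswordSavingDisabled {
    # When both hives carry the value, the machine-level policy wins.
    $machine   = Get-EdgePolicyValue -Key $MachineKey
    $user      = Get-EdgePolicyValue -Key $UserKey
    $effective = if ($null -ne $machine) { $machine } else { $user }
    [pscustomobject]@{
        MachineValue = $machine
        UserValue    = $user
        Effective    = if ($null -eq $effective) { 'Not configured' } else { $effective }
        Compliant    = ($effective -eq 0)   # only an explicit 0 (Disabled) passes
    }
}

$result = Test-EdgePasswordSavingDisabled
if (-not $result.Compliant -and $Remediate) {
    # Needs an elevated session; creates the policy key if it is missing.
    if (-not (Test-Path $MachineKey)) { New-Item -Path $MachineKey -Force | Out-Null }
    New-ItemProperty -Path $MachineKey -Name $ValueName -Value 0 `
        -PropertyType DWord -Force | Out-Null
    $result = Test-EdgePasswordSavingDisabled
}
$result
```

'Not configured' is reported as non-compliant because, as the Description states, an unconfigured policy still lets users save passwords. A compliant result does not mean the profile is empty: previously saved passwords remain usable after the policy is disabled.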


©2024 by Syxsense Inc. All Rights Reserved
