Local browser config managed (cookies, downloads)
Description
What this control does
This control ensures that web browser configurations—including cookie acceptance policies, download handling, and privacy settings—are centrally managed and enforced across endpoints through Group Policy, mobile device management (MDM), or configuration management tools. Managed browser configurations prevent users from disabling security protections such as third-party cookie blocking, automatic download execution, or storing credentials in browsers. This reduces the attack surface presented by web-based threats and ensures consistent privacy and security posture across the organization's browser fleet.
Control objective
What auditing this proves
Demonstrate that browser configuration settings for cookies, downloads, and related privacy controls are centrally managed, consistently applied across endpoints, and prevent users from weakening security posture through local modifications.
Associated risks
Risks this control addresses
- Malicious websites exploit permissive cookie policies to conduct session hijacking or cross-site request forgery attacks against authenticated users
- Drive-by download attacks automatically execute malicious payloads when browsers are configured to automatically open downloaded files without user interaction
- Browser-based credential theft occurs when users store passwords in unencrypted browser storage instead of enterprise password managers
- Tracking scripts and third-party cookies enable adversaries to profile user behavior and identify high-value targets for spear-phishing campaigns
- Users disable security warnings or certificate validation locally, exposing themselves to man-in-the-middle attacks and phishing sites
- Unmanaged browser extensions installed by users introduce malware, keyloggers, or data exfiltration channels
- Inconsistent download folder locations across endpoints hinder forensic investigation and data loss prevention monitoring
Testing procedure
How an auditor verifies this control
- Obtain documentation of the organization's browser configuration policy including approved cookie settings, download behaviors, and extension management requirements
- Review Group Policy Objects (GPOs), MDM profiles, or configuration management scripts that enforce browser settings across Windows, macOS, and Linux endpoints
- Select a representative sample of at least 15 workstations spanning different departments, operating systems, and user privilege levels for testing
- On sampled workstations, export active browser configurations using registry exports (Windows), configuration profile inspection (macOS), or chrome://policy and edge://policy pages for Chromium-based browsers
- Verify that critical settings are locked and grayed out in the browser interface, preventing users from modifying cookie policies, download behaviors, or certificate warnings
- Attempt to modify protected settings as a standard user to confirm that Group Policy or MDM enforcement prevents unauthorized changes and reverts to managed state
- Review centralized configuration management logs or MDM compliance reports to confirm continuous monitoring and automated remediation of configuration drift
- Cross-reference deployed browser configurations against the organization's baseline hardening standards (e.g., CIS Benchmarks for browsers) to identify any gaps or deviations
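One way to carry out the export-and-compare steps above mechanically, for the Chromium-based browsers the procedure mentions, is to have the auditor save the chrome://policy or edge://policy page with its "Export to JSON" button on each sampled workstation and run the export through a baseline check. The script below is an added example written for this page, not code from the control text or from any browser vendor. It assumes the export has a top-level "chromePolicies" map whose entries carry "level" ("mandatory" means the user cannot change the setting; "recommended" means they can), "value" and, where the browser rejected a policy, "error"; the baseline values it enforces (third-party cookies blocked, download restrictions set, browser password storage off, certificate-warning click-through off, a pinned download folder) are an assumed organisational standard and not values the control prescribes. The sample export embedded at the bottom is constructed and deliberately contains one unlocked, one non-compliant and one missing policy so that each finding type is exercised.

```python
"""Compare an exported chrome://policy / edge://policy JSON against a baseline.

Added example for this control's testing procedure; not part of the original
page. The export layout ("chromePolicies" -> name -> {level, scope, source,
value, error}) is assumed from the browser's "Export to JSON" feature, and the
BASELINE below is an assumed organisational standard.
"""
import json
import sys

# Assumed baseline: policy name -> (predicate on the effective value, requirement text).
# Policy names are real Chromium policy names; the required values are an assumption.
BASELINE = {
    "BlockThirdPartyCookies": (lambda v: v is True, "third-party cookies blocked"),
    "DownloadRestrictions": (lambda v: isinstance(v, int) and v >= 1,
                             "download restrictions enabled (0 = none)"),
    "PasswordManagerEnabled": (lambda v: v is False, "browser password storage disabled"),
    "SSLErrorOverrideAllowed": (lambda v: v is False,
                                "certificate warning click-through disabled"),
    "DownloadDirectory": (lambda v: isinstance(v, str) and v != "",
                          "download folder pinned to a managed path"),
}


def evaluate_policy_export(export: dict) -> list:
    """Return one finding per baseline policy.

    status is one of:
      ok           - mandatory level and value meets the baseline
      missing      - no such policy in the export (setting is user-controlled)
      error        - browser reported a policy error (e.g. malformed value)
      not_locked   - present but at 'recommended' level, so the user can change it
      noncompliant - locked, but to a value that fails the baseline
    """
    policies = export.get("chromePolicies", {})
    findings = []
    for name, (check, requirement) in BASELINE.items():
        entry = policies.get(name)
        value = None if entry is None else entry.get("value")
        if entry is None:
            status = "missing"
        elif entry.get("error"):
            status = "error"
        elif entry.get("level") != "mandatory":
            status = "not_locked"
        elif not check(value):
            status = "noncompliant"
        else:
            status = "ok"
        findings.append({"policy": name, "status": status,
                         "value": value, "requirement": requirement})
    return findings


def is_compliant(findings: list) -> bool:
    """True only when every baseline policy is locked and set correctly."""
    return all(f["status"] == "ok" for f in findings)


# Constructed sample export (not captured from a real endpoint). It contains
# one unlocked policy, one locked-but-weak policy and one missing policy.
SAMPLE_EXPORT = json.loads("""
{
  "chromeMetadata": {"application": "Chrome", "version": "constructed-sample"},
  "chromePolicies": {
    "BlockThirdPartyCookies": {"level": "mandatory", "scope": "machine",
                               "source": "platform", "value": true},
    "DownloadRestrictions":   {"level": "mandatory", "scope": "machine",
                               "source": "platform", "value": 0},
    "PasswordManagerEnabled": {"level": "recommended", "scope": "user",
                               "source": "platform", "value": false},
    "SSLErrorOverrideAllowed": {"level": "mandatory", "scope": "machine",
                                "source": "platform", "value": false}
  }
}
""")


if __name__ == "__main__":
    # Usage: python check_browser_policy.py [exported_policy.json]
    # With no argument the constructed sample is evaluated.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            export = json.load(fh)
    else:
        export = SAMPLE_EXPORT
    results = evaluate_policy_export(export)
    for f in results:
        print(f"{f['status']:<12} {f['policy']:<26} value={f['value']!r}  "
              f"({f['requirement']})")
    print("COMPLIANT" if is_compliant(results) else "NOT COMPLIANT")
```

The "not_locked" status is the one that maps most directly onto the "locked and grayed out" check in the procedure: a policy delivered at the recommended level shows up in the browser's policy page, yet a standard user can still change it in the settings UI, so an export that looks populated can still fail the control. Running the script against exports from each of the sampled workstations and diffing the finding lists is also a cheap way to spot the configuration drift the later procedure steps ask about.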
Where this control is tested