Microsoft Windows 10

Basic authentication for RSS feeds over HTTP must not be used

STIG ID: WN10-CC-000300 | SRG: SRG-OS-000095-GPOS-00049 | Severity: Medium | CCI: CCI-000381 | Vulnerability ID: V-220854

Description

Basic authentication uses plain text passwords that could be used to compromise a system.

Check

C-22569r555047_chk

The default behavior is for the Windows RSS platform to not use Basic authentication over HTTP connections.If the registry value name below does not exist, this is not a finding.If it exists and is configured with a value of "0", this is not a finding.If it exists and is configured with a value of "1", this is a finding.Registry Hive: HKEY_LOCAL_MACHINERegistry Path: \SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds\Value Name: AllowBasicAuthInClearValue Type: REG_DWORDValue: 0 (or if the Value Name does not exist)

Fix

F-22558r555048_fix

The default behavior is for the Windows RSS platform to not use Basic authentication over HTTP connections.If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> RSS Feeds >> "Turn on Basic feed authentication over HTTP" to "Not Configured" or "Disabled".