Description
Since WebCenter 18.1, WebCenter Administrators have an option to enable or disable the browser's prepopulation of user credential fields. Depending on the configuration of the application, these fields are shown to the user at approval submission and/or task completion time, as well as on the login page.
All modern browsers have a "Password Management tool" that allows users to remember their username and password values for specific sites. This also applies to WebCenter. The option to disable the prepopulating of username and password was added with security implications in mind, so that the customer can require their users to always type in their credentials manually, preventing unwanted access to the system by intruders.
Even if the option to prepopulate the fields is disabled and the fields are initially left empty, as expected, in most browsers clicking one of the two fields still lets the user populate them with values the browser has already remembered (every browser handles this differently, based on its password manager implementation). The WebCenter application cannot prevent this, as it is native behavior of the browser itself.
Procedure
To make sure the Password Management tool never allows such easy ad hoc prepopulating of user credential fields, a Group Policy countermeasure should be applied by the customer's IT department.
Disable Password Caching for Internet Explorer (IE)
To disable the caching of passwords and auto-completion of usernames and passwords used in IE from the Group Policy Management Editor:
- Browse to User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer.
- Disable the option “Turn on the auto-complete feature for user names and passwords.”

- This will also prevent users from re-enabling the setting.

Restrict Password Caching in Mozilla Firefox
Locking down settings in Firefox requires use of a third-party extension. One extension that we tested is called FirefoxADM, which provides adm files that add the ability to configure Firefox settings through Windows Group Policy. However, this only seemed to work with older versions of Firefox. Other extensions and tools exist, but they are not officially supported by Microsoft for use in a Windows environment.
Disable Password Caching in Google Chrome for Business
Google Chrome for Business allows for policies relating to Google Chrome to be defined at either user or device level.
To disable the Google Chrome Password Manager at the user level:
- Log on to the Google Admin console.
- Navigate to the Settings menu and select User Settings.
- Select an OU.
- Under the Security settings, disable Password Manager.
You can disable the Google Chrome Password Manager at the device level through Windows GPO by doing the following:
- Add two REG_DWORD values to the Windows registry at HKEY_LOCAL_MACHINE\Software\Policies\Chrome called PasswordManagerEnabled and PasswordManagerAllowShowPasswords.
- Set their value to 0x00000000.

- Disabling the Password Manager takes away the users’ ability to enable the “Offer to save passwords I enter on the web” setting in Chrome.
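
One way to confirm that the device-level setting actually landed on a machine, as an added PowerShell example that is not part of the original article: it reads the two values named above and reports any that are missing, of the wrong type, or non-zero. The function name and the `-KeyPath` and `-Remediate` parameters are assumptions of this example; the usage line passes `HKLM:\Software\Policies\Google\Chrome`, the key Chrome's own policy templates use.

```powershell
# Added example, not vendor code. Audits the two Chrome policy values named
# above and, with -Remediate, writes them as REG_DWORD 0.
function Test-ChromePasswordPolicy {
    [CmdletBinding()]
    param(
        # Assumption: the caller supplies the policy key for their deployment.
        [Parameter(Mandatory)][string]$KeyPath,
        [switch]$Remediate
    )
    $names = 'PasswordManagerEnabled', 'PasswordManagerAllowShowPasswords'

    # Create the policy key first if we are asked to write values into it.
    if ($Remediate -and -not (Test-Path -LiteralPath $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }

    foreach ($name in $names) {
        if ($Remediate) {
            New-ItemProperty -LiteralPath $KeyPath -Name $name `
                -PropertyType DWord -Value 0 -Force | Out-Null
        }

        # Re-read after any write so the report reflects what is on disk.
        $key   = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
        $value = if ($key) { $key.GetValue($name, $null) } else { $null }

        # A missing value, a non-DWORD type, or non-zero data each leave the
        # password manager under the user's control.
        $state = if ($null -eq $value) {
            'Missing'
        } elseif ($key.GetValueKind($name) -ne 'DWord') {
            'WrongType'
        } elseif ($value -ne 0) {
            'Enabled'
        } else {
            'Compliant'
        }

        [pscustomobject]@{ Name = $name; Value = $value; State = $state }
    }
}

# Audit only: any row printed here is a gap. Add -Remediate from an elevated
# session to write the values.
Test-ChromePasswordPolicy -KeyPath 'HKLM:\Software\Policies\Google\Chrome' |
    Where-Object State -ne 'Compliant'
```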

Disable Password Manager in Microsoft Edge
To disable password saving and auto-completion of forms from the Group Policy Management Editor:
- Browse to User Configuration > Policies > Administrative Templates > Windows Components > Microsoft Edge.
- Disable “Configure Password Manager” and “Configure Autofill” policies.

- This will prevent users from saving passwords in Edge or enabling the setting to do so.
More details about how to deploy such measures are described at the following link: https://thycotic.com/company/blog/2013/09/09/securing-web-browsers-through-group-policy/