GRCWatch
Sign inStart free trial

CIS Control 9.4: Restrict Unnecessary Browser and Email Extensions

Browser and email extensions are a common attack vector for credential theft and malware distribution. CIS Control 9.4 requires you to uninstall or disable any unauthorized or unnecessary plugins and add-ons. This foundational control reduces your security risk with minimal disruption to user workflows.

What this means

Your organization must implement a policy requiring the uninstallation or disabling of any browser extensions (Chrome, Firefox, Safari, Edge) and email client add-ons (Outlook, Gmail, Thunderbird) that are not explicitly approved or business-critical. This includes plugins for PDF readers, ad blockers, and productivity tools that lack clear justification or introduce security vulnerabilities. The control applies organization-wide to all employee and contractor devices.

How to comply

  1. 1.Create and maintain an approved extensions list specifying which browser plugins and email add-ons are permitted
  2. 2.Inventory all currently installed extensions across your organization's devices
  3. 3.Disable or uninstall extensions not on the approved list within a defined remediation window
  4. 4.Configure browser and email client settings to prevent non-approved extensions from being installed
  5. 5.Establish a request process for employees needing new extensions, with security review before approval
  6. 6.Conduct monthly or quarterly audits to detect new or unauthorized extensions
  7. 7.Document all approved extensions with business justification and version information

Evidence auditors look for

  • Approved browser extensions list document with security review dates
  • Screenshots of managed extension policies in Group Policy (Windows) or MDM (macOS, mobile)
  • Compliance reports from endpoint management tools showing extension inventory across devices
  • Email records of extension approval requests and security assessments
  • Browser configuration files with restricted extension settings
  • Audit logs showing disabled/uninstalled unauthorized extensions with timestamps

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates extension compliance by scanning and inventorying browser plugins and email add-ons across your environment, comparing them against your approved list, and generating audit reports to prove CIS 9.4 compliance to auditors.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CIS 9.1 - Ensure Software is CurrentCIS 9.2 - Ensure Browser and Email Client SecurityCIS 9.3 - Disable Unnecessary MacrosCIS 2.4 - Use Unique Passwords