Web Browser Security Revisited (Part 5)

by [Published on 26 March 2014 / Last Updated on 26 March 2014]

In this article we’ll look at the special features Google provides for enterprise administrators with its Chrome for Business.

If you would like to read the other parts in this article series please go to

Introduction

In Part 1 of this series, we discussed the importance of web browser security and some security-related issues that are common to all or many of the popular browsers today. In Part 2, we talked about some specific security mechanisms that are built into Internet Explorer and how they’re implemented. In Part 3, we looked at how to configure IE for best security. In Part 4, we examined how to do the same with Google Chrome. This time, we’ll look specifically at the special features Google provides for enterprise administrators with its Chrome for Business.

Google Chrome for Business

Chrome for Business can be deployed on all three of the popular client operating systems: Windows, Linux and Mac. Google provides a downloadable MSI file that you can use for offline installations. You can download it from the Google web site.

The MSI can be deployed via System Center Configuration Manager (SCCM) or other automated deployment tools, or can be scripted with the command:

msiexec /q /i GoogleChrome.msi

Note that on corporate computers (in a domain), even if Chrome has already been installed by the user, the browser will still adhere to the policies.

Chrome for Business on Windows

On a Windows Server-based network, you can use Group Policy to control Chrome settings such as setting a common home page for all users, turning off auto updates, forcing accessibility settings, enabling firewall traversal for remote access, controlling cookies, plug-ins and JavaScript settings, blocking images, and much more.

Security-related Group Policy Settings

Some of the most important Group Policy settings, for those concerned with security, include the following:

  • RemoteAccessHostFirewallTraversal is a REG_DWORD value by which you can allow remote clients to discover and connect to the computer when separated by a firewall. If you want the computer to allow connections only from clients within the local area network, you need to disable this policy. It is enabled by default.
  • RemoteAccessHostDomain is a REG_SZ value by which you can configure a required host domain name for remote access hosts. Enabling the setting restricts sharing of hosts to accounts that are registered in that domain and users cannot change the host domain name. By default, any account can be used to share hosts.
  • RemoteAccessHostRequireTwoFactor is a REG_DWORD value by which you can require that users provide a two-factor authentication code to access a remote host computer. By default, a user-defined Personal Identification Number (PIN) is used to authenticate to remote access hosts.
  • RemoteAccessHostRequireCurtain is a REG_DWORD value by which you can disable the host computer’s physical input/output devices during remote connections. By default, local and remote users can both interact with a shared host.

There are also a number of settings that allow you to specify how Chrome will handle different types of content. These include:

  • DefaultCookiesSetting
  • DefaultImagesSetting
  • DefaultPluginsSetting
  • DefaultPopupsSetting
  • DefaultGeolocationSetting
  • DefaultJavaScriptSetting

The last one is especially important since allowing the running of JavaScript can pose security risks. Chrome’s sandboxing feature will ameliorate this, but you can prevent web sites from running JavaScript by setting the value of this policy to “2”. By default, JavaScript is allowed and users can change the setting in the GUI.

In addition to default settings, there are policies by which you can fine-tune settings. For example, using the CookiesAllowedForUrls and CookiesBlockedForUrls policies, you can define specific URLs for sites that you want to allow to set cookies, or those that you want to block from setting cookies. You can do the same for display of images by web sites, allowing JavaScript for specific sites, and so forth.

The ExtensionInstallBlacklist policy can be used to specify Chrome browser extensions that users will not be allowed to install, and if extensions on the list are already installed on a computer, they will be removed. You can go even further and use a value of “*” to blacklist all extensions, with the exceptions of those that you specifically whitelist. As you might have surmised, there is also an ExtensionInstallWhitelist policy where you can specify allowed extensions. You can even force specific extensions to be installed with the ExtensionInstallForcelist policy.

Another helpful set of policies makes it possible for admins to create supervised (managed) users. This ability is enabled by default on consumer devices but disabled on enterprise devices (however, you can enable it using the SupervisedUsersEnabled policy).

You can also control whether or not users can show stored passwords in plain text. This is an option in the Chrome browser that has stirred up a bit of controversy. When a user goes to Settings | Show Advanced Settings | Passwords and forms | Manage saved passwords, Chrome lists the saved passwords and the user can click a Show button to display a particular password in plain text. This can obviously present a security risk since an unauthorized user could sit down at an unlocked computer and view the passwords. The Password Manager Group Policy settings can be used to prevent users from displaying the passwords, with the PasswordManagerAllowShowPasswords policy, or even prevent them from saving passwords entirely, with the PasswordManagerEnabled policy.

There are, as noted, many more settings for Chrome that can be configured through Group Policy. You can find a complete list with the details for how to configure each here.

You can set mandatory or recommended policies. Mandatory preferences go in the HKEY_LOCAL_MACHINE registry key and recommended preferences go in the HKEY_CURRENT_USER registry key.
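The registry layout behind these settings can be made concrete with a small generator. The following is an added example, not code from the article or from Google: it renders a constructed baseline of the policies named above as a .reg file for the mandatory (HKEY_LOCAL_MACHINE) location. The key path SOFTWARE\Policies\Google\Chrome, the domain and the extension ID are assumptions or placeholders that do not appear in the article.

```python
# Added example: render Chrome policies as .reg text (not Google's tooling).
# Assumption: policies live under SOFTWARE\Policies\Google\Chrome; the article
# itself names only the HKEY_LOCAL_MACHINE hive.
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome"

# Constructed baseline built from policy names that appear in the article.
BASELINE = {
    "RemoteAccessHostFirewallTraversal": False,  # LAN-only remote access
    "RemoteAccessHostRequireTwoFactor": True,
    "RemoteAccessHostDomain": "example.com",     # placeholder domain
    "DefaultJavaScriptSetting": 2,               # 2 = block JavaScript
    "PasswordManagerAllowShowPasswords": False,
    "ExtensionInstallBlacklist": ["*"],          # deny every extension...
    "ExtensionInstallWhitelist": ["a" * 32],     # ...except this placeholder ID
}

def reg_quote(text):
    """Escape a string for the .reg format (backslash and double quote)."""
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'

def render_reg(policies, key=POLICY_KEY):
    """Return .reg text: bool/int -> REG_DWORD, str -> REG_SZ, list -> subkey."""
    scalars, subkeys = [], []
    for name, value in sorted(policies.items()):
        if isinstance(value, int):               # bool is a subclass of int
            if not 0 <= int(value) <= 0xFFFFFFFF:
                raise ValueError(f"{name}: out of REG_DWORD range")
            scalars.append(f"{reg_quote(name)}=dword:{int(value):08x}")
        elif isinstance(value, str):
            scalars.append(f"{reg_quote(name)}={reg_quote(value)}")
        elif isinstance(value, list):
            # List policies are a subkey whose values are named "1", "2", ...
            rows = [f"{reg_quote(str(i))}={reg_quote(item)}"
                    for i, item in enumerate(value, start=1)]
            subkeys.append("\n".join([f"[{key}\\{name}]"] + rows))
        else:
            raise TypeError(f"{name}: unsupported type {type(value).__name__}")
    blocks = ["\n".join([f"[{key}]"] + scalars)] + subkeys
    return "Windows Registry Editor Version 5.00\n\n" + "\n\n".join(blocks) + "\n"

if __name__ == "__main__":
    print(render_reg(BASELINE))
```

Review the generated text before importing it, and confirm the result in chrome://policy on a test machine.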

Administrative Templates

There are ADM and ADMX templates available to download from Google. You can download them in a ZIP file here.

The procedure for importing the templates depends on whether you’re using the ADM or ADMX versions. To import ADM templates:

  1. Go to Start | Run and type gpedit.msc to open the Group Policy Editor console
  2. In the left pane, navigate to Local Computer Policy | Computer Configuration | Administrative Templates and right click
  3. Select Add/Remove Templates
  4. In the wizard, add chrome.adm
  5. A Google / Chrome folder should appear in the Local Computer Policy | Computer Configuration | Administrative Templates folder

To import ADMX templates:

  1. Copy the chrome.admx file to the following folder: %SystemRoot%\PolicyDefinitions
  2. Copy the appropriate language folders (e.g. en-US) to the same folder
  3. A Google / Chrome folder should appear in the Local Computer Policy | Computer Configuration | Administrative Templates folder

Chrome for Business on Linux and Mac

To deploy Chrome (or Chromium) on Linux, you can set up two types of policies. Those in the /etc/opt/chrome/policies/managed directory will be mandatory for users. Those in the /etc/opt/chrome/policies/recommended directory will be available and recommended but not required. You’ll need to set permissions on the files to ensure that users can’t overwrite your policies. You can use the same policies shown above in the list of Group Policies available for Windows. File names have the .JSON extension.
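The permission requirement above is easy to get wrong, so here is an added example (not from the article or from Google) that writes a managed policy file with owner-only write access and then audits a policy directory for files that another account could alter or that will not parse. The file name baseline.json and the function names are hypothetical; the directory path is the one given in the article.

```python
import json
import os
import stat
import tempfile

MANAGED_DIR = "/etc/opt/chrome/policies/managed"  # path from the article

def write_policy(directory, filename, policies):
    """Write a policy file atomically with mode 0644 (only the owner may write)."""
    if not filename.endswith(".json"):
        raise ValueError("policy files need the .json extension")
    fd, tmp = tempfile.mkstemp(dir=directory, suffix=".tmp")
    with os.fdopen(fd, "w") as handle:
        json.dump(policies, handle, indent=2, sort_keys=True)
    os.chmod(tmp, 0o644)
    target = os.path.join(directory, filename)
    os.replace(tmp, target)          # readers never see a half-written file
    return target

def audit_policy_dir(directory, owner_uid=0):
    """Return findings for the directory and each entry in it."""
    findings = []
    entries = sorted(os.path.join(directory, n) for n in os.listdir(directory))
    for path in [directory] + entries:
        info = os.lstat(path)
        if stat.S_ISLNK(info.st_mode):
            findings.append(f"{path}: symlink, target not audited")
            continue
        if info.st_uid != owner_uid:
            findings.append(f"{path}: owned by uid {info.st_uid}")
        if info.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{path}: writable by group or others")
        if path != directory and stat.S_ISREG(info.st_mode):
            try:
                with open(path) as handle:
                    if not isinstance(json.load(handle), dict):
                        findings.append(f"{path}: top level is not a JSON object")
            except ValueError:       # covers JSON and encoding errors
                findings.append(f"{path}: invalid JSON")
    return findings

if __name__ == "__main__":
    for finding in audit_policy_dir(MANAGED_DIR):
        print(finding)
```

Run the audit as root against the real directory; an empty result means every entry is root-owned, not writable by group or others, and valid JSON.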

To deploy Chrome or Chromium on a Macintosh network, you need to install the Server Admin Tools for your version of OS X, then connect to the machine in the Workgroup Manager with an administrative account. Select a user, click Preferences | Details and check to see whether Chrome is listed as an application that you can manage. If not, you’ll need to add it to the list. To add a new policy, click New Key, then New Item, and select the desired value for the policy.

Understanding policies and policy settings

To find out which Chrome policies have been enabled and applied to a machine, open the Chrome browser and type chrome://policy in the address bar. The policies currently applied will be listed.

Note that you can set policies for devices as well as for users. Those that are set for the device will say either “Device” or “Machine” (depending on whether you’re running Chrome on a Chrome device or a Windows, Linux or Mac computer). Those that are set for users will say “Applies to: Current user.”

Machine policies take precedence over other types of policies and apply to all users of the machine or device. User policies are applied to specific users when the user logs on to the computer (Windows and Mac), and take precedence over profile policies. Chrome profile policies are set by administrators via the admin console (not via a Group Policy Object). They are also referred to as cloud-based user policies. If the policies at different levels are in conflict, the “higher ranking” policy takes effect.
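When auditing a fleet it helps to see which level supplied each effective value and which lower-level values were silently overridden. The following added example (not Chrome's own code) models only the ordering stated above, machine over OS user over cloud profile, and compares the result with a required baseline. The level names, sample values and function names are constructed for illustration.

```python
# Added example: models only the ordering the article states
# (machine > OS user > cloud profile). Policy values are constructed.
LEVELS = ("machine", "user", "cloud")   # highest precedence first

def resolve(by_level):
    """Merge per-level policy dicts; return (effective, overridden)."""
    effective, overridden = {}, []
    for level in LEVELS:
        for name, value in sorted(by_level.get(level, {}).items()):
            if name not in effective:
                effective[name] = {"value": value, "source": level}
            elif effective[name]["value"] != value:
                # A lower level disagrees with the winner: worth reviewing.
                overridden.append((name, level, value, effective[name]["source"]))
    return effective, overridden

def unmet(effective, required):
    """List required settings that are absent or differ in the effective set."""
    return sorted(name for name, want in required.items()
                  if effective.get(name, {}).get("value") != want)

# Constructed sample: what each level tries to set on one machine.
SAMPLE = {
    "machine": {"PasswordManagerEnabled": False},
    "user": {"PasswordManagerEnabled": True, "DefaultPopupsSetting": 2},
    "cloud": {"DefaultPopupsSetting": 1, "SupervisedUsersEnabled": False},
}
REQUIRED = {"PasswordManagerEnabled": False, "DefaultJavaScriptSetting": 2}

if __name__ == "__main__":
    effective, overridden = resolve(SAMPLE)
    for name, entry in sorted(effective.items()):
        print(f"{name} = {entry['value']!r} (from {entry['source']})")
    for name, level, value, winner in overridden:
        print(f"ignored {level} value {value!r} for {name}; {winner} wins")
    print("baseline gaps:", unmet(effective, REQUIRED))
```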

Summary

Google’s Chrome for Business allows you to control Chrome browser settings via Group Policy, the same way you can control Internet Explorer settings. This makes it easier to deploy and manage Chrome in an enterprise setting. In Part 6, we’ll look at how to best configure Mozilla Firefox, Apple Safari and Opera for the most secure browsing experience.
