Controlling Google Chrome Web Extensions for the Enterprise

Root ♊
Apr 23, 2018 · 4 min read

There have been a few stories recently about extensions in the Chrome Web Store that were malicious in nature.

Here is some good info on the most recent events:

If you are running Google Chrome in your organization, you really should be locking Google Chrome down with Active Directory Group Policy. To get started, Google provides the resources for enterprise deployment at the following URL:

One of the first things you will want to download from the URL above is the Chrome ADM/ADMX policy templates.

Image for post

Once downloaded and extracted, you will need to navigate to:

policy_templates\windows\admx

If you scroll to the bottom of that directory, you will see the following admx files:

Image for post

Copy those two files to the following folder on your administrative workstation with the RSAT tools installed:

C:\Windows\PolicyDefinitions

Now, back in your original policy templates folder, navigate to the following location:

policy_templates\windows\admx\en-US

There should be two adml files located in this directory:

Image for post

Copy those two files to the following folder on your administrative workstation with the RSAT tools installed:

C:\Windows\PolicyDefinitions\en-US

Now you can open Group Policy Management and create a Google Chrome security policy that is computer or user based, as shown below:

Image for post

From there, if you specifically want to start whitelisting Google Chrome Web Store extensions, you will need to go to the following area:

Computer Configuration\Policies\Administrative Templates\Google\Google Chrome\Extensions

In the policy in the extensions folder, the setting you are looking for is called “Configure extension installation blacklist”:

Image for post

You will need to enable the extension installation blacklist and click on the Show button. Entering a single * will blacklist all extensions unless they are explicitly listed in the whitelist.

Here is an example of it in action after updating group policy on a target device with the blacklist extension applied:

Image for post

As you can see in the picture above, the install is immediately blocked by the administrator. This is what an end user will receive when you blacklist every extension.

This setting needs to be implemented with care. If you apply it after Google Chrome has already been deployed, it will end up disabling all web extensions and end users will be locked out of their existing ones.

Here is how to whitelist this particular extension. Navigate to:

Computer Configuration\Policies\Administrative Templates\Google\Google Chrome\Extensions

Enable “Configure extension installation whitelist” and click on Show contents. At this point you can add whatever values you need to allow through. You will need to know the extension ID that my previous screenshot shows.

Here is me adding the EFF’s Privacy Badger to my extension list:

Image for post

Once it is added, you can see I am now able to install it successfully after a group policy update:

Image for post
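
Before enabling the * blacklist on machines that already have Chrome, it helps to know which installed extensions would be disabled. The PowerShell below is an added example, not part of the original post: it inventories the extensions in every local profile and evaluates them against the blacklist/whitelist rule described above. The whitelist ID is a placeholder, and the profile path and the ExtensionInstallBlacklist / ExtensionInstallWhitelist registry key names are assumptions about a default Chrome install using these policy templates.

```powershell
# Added example: audit installed Chrome extensions before blacklisting "*".
# Assumes default profile paths under C:\Users; run elevated to read all users.
$ProposedBlacklist = @('*')
$ProposedWhitelist = @('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa')  # placeholder, not a real ID

function Get-ChromePolicyList {
    # Reads a list policy as Group Policy writes it: string values named 1, 2, 3...
    param([Parameter(Mandatory)][string]$Name)
    $key = "HKLM:\SOFTWARE\Policies\Google\Chrome\$Name"
    if (-not (Test-Path -Path $key)) { return }
    $item = Get-Item -Path $key
    $item.GetValueNames() | ForEach-Object { [string]$item.GetValue($_) }
}

function Test-ExtensionAllowed {
    # Mirrors the rule described above: a whitelist entry overrides the
    # blacklist; otherwise "*" or an explicit ID in the blacklist blocks it.
    param([string]$Id, [string[]]$Blacklist, [string[]]$Whitelist)
    if ($Whitelist -contains $Id) { return $true }
    -not (($Blacklist -contains '*') -or ($Blacklist -contains $Id))
}

function Get-InstalledChromeExtension {
    # Layout: <user>\...\User Data\<profile>\Extensions\<id>\<version>\manifest.json
    $glob = 'C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Extensions\*'
    foreach ($dir in Get-Item -Path $glob -ErrorAction SilentlyContinue) {
        if ($dir.Name -notmatch '^[a-p]{32}$') { continue }   # skip Temp and other non-ID folders
        $latest = Get-ChildItem -LiteralPath $dir.FullName -Directory |
            Sort-Object LastWriteTime | Select-Object -Last 1
        if (-not $latest) { continue }
        $manifestPath = Join-Path $latest.FullName 'manifest.json'
        $manifest = try { Get-Content -LiteralPath $manifestPath -Raw -ErrorAction Stop | ConvertFrom-Json } catch { $null }
        [pscustomobject]@{
            User    = $dir.FullName.Split('\')[2]
            Profile = $dir.Parent.Parent.Name
            Id      = $dir.Name
            Name    = $manifest.name      # may be a __MSG_*__ locale placeholder
            Version = $manifest.version
        }
    }
}

# Combine what policy already enforces with the proposed lists, then report.
$black = @(Get-ChromePolicyList -Name 'ExtensionInstallBlacklist') + $ProposedBlacklist
$white = @(Get-ChromePolicyList -Name 'ExtensionInstallWhitelist') + $ProposedWhitelist
Get-InstalledChromeExtension | ForEach-Object {
    $_ | Add-Member -NotePropertyName Allowed -NotePropertyValue (
        Test-ExtensionAllowed -Id $_.Id -Blacklist $black -Whitelist $white) -PassThru
} | Sort-Object Allowed, Id | Format-Table -AutoSize
```

Rows with Allowed = False are the extensions users would lose; review them and add the ones you approve to the whitelist before linking the GPO.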

If you want to apply further group policy security enhancements to Chrome, you can look at the Defense Information Assurance Support Environment page. Here is the direct link: https://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx

If you want to download the group policy objects associated with the guidance, you can go here to download them: https://iase.disa.mil/stigs/gpo/Pages/index.aspx

Once you download the GPO guidance zip file, you can locate the Google Chrome policy and import it into a blank GPO in your environment to start testing.
