Controlling Google Chrome Web Extensions for the Enterprise

There have been a few stories out now on how the Chrome Web store had extensions that were malicious in nature.

Here is some good info on the most recent events:

If you are running Google Chrome in your organization you really should be locking google chrome down with active directory group policy. To get started Google provides you with the resources for Enterprise Deployment at the following URL:

One of the first things you will want to download off the URL above in the chrome ADM/ADMX policies

One downloaded and extracted you will need to navigate to:

policy_templates\windows\admx

If you scroll at the bottom of the directory location you will see the following admx files:

Copy those two files to the following folder on your administrative workstation with the RSAT tools installed:

C:\Windows\PolicyDefinitions

No back to your original policy templates folder navigate to the following location:

policy_templates\windows\admx\en-US

There should be two adml files located in this directory:

Copy those two files to the following folder on your administrative workstation with the RSAT tools installed:

C:\Windows\PolicyDefinitions\en-US

So now you can get into group policy management and create a google chrome security policy that are computer or user based as shown below:

From there if you specifically want to start whitelisting Google chrome web store extensions you will need to go to the following area:

Computer Configuration\Policies\Administrative Templates\Google\Google Chrome\Extensions

In the policy in the extensions folder, the setting you are looking for is called “Configure extension installation blacklist”:

You will need to enable the extension installation blacklist and click on the show button. Simply putting a * will blacklist all extensions unless they are explicitly listed in the whitelist.

Here is an example of it in action after updating group policy on a target device with the blacklist extension applied:

If you notice from the above picture it is immediately blocked by the administrator. This is what an end user will receive when you blacklist every extension.

This setting needs to be implemented with care. If you are doing this after post google browser deployment it will end up disabling all web extensions and end users will be locked out of their existing ones.

Here is how to whitelist this particular extension. Navigate to:

Computer Configuration\Policies\Administrative Templates\Google\Google Chrome\Extensions

Enable “Configure extension installation whitelist” and click on Show contents. At this point you can add whatever values you need to allow through. You will need to know the extension ID that my previous screenshot shows.

Here is me adding the EFF’s privacy badger to my extension list:

Once added you now see I am able to successfully install after a group policy update:

If you want to do further group policy security enhancements to chrome you can look at the Defense Information Assurance Support Environment page. Here is the direct link: https://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx

If you want to download the group policy objects associated with guidance you can go here to download them: https://iase.disa.mil/stigs/gpo/Pages/index.aspx

Once you download the GPO guidance zip file you can locate the google chrome policy and import it into a blank GPO in your environment to start testing.