Centrally Managing Google Chrome

Mike Burns
Published in Think|Stack
Mar 5, 2019

I’ve been reading a lot about various vulnerabilities in Google Chrome Extensions. Not to mention straight up malicious Extensions. This is a threat that I have been expressing to clients. This threat is very concerning because:

  1. It’s a threat contained in your browser which is your gateway to the scary internet
  2. You do not need admin rights on your PC to install these extensions

Probably the most notable instance of this is the Cisco WebEx Browser Extension Remote Code Execution Vulnerability. The WebEx extension is a widely popular Chrome Extension.

Screenshot from Cisco Security Advisory

So… how do I mitigate this threat?

I’ve always known there was a way to centrally manage Google Chrome within your organization but never took the leap to investigate it until recently.

Here is a page to learn a little bit about centrally managing Chrome:

https://cloud.google.com/chrome-enterprise/browser/

I originally thought I needed Chrome for Enterprise but learned from their sales staff that this requires a minimum of 1000 endpoints. All the Enterprise version really gets you is access to Google’s support team.

If you scroll down you see more information about central management.

Clicking on Get More Details brings you to https://cloud.google.com/chrome-enterprise/browser-management/

Click on Explore Bundles > Manage Policies

https://cloud.google.com/chrome-enterprise/browser/download/#chrome-browser-policies

Download Chrome ADM/ADMX

  1. Unzip the contents of Policy_templates

  2. Open Windows > ADMX

  3. Copy the chrome.admx file to C:\Windows\SYSVOL\sysvol\<domain name>\Policies\PolicyDefinitions

This is the file that contains the 300+ centrally manageable policies for Google Chrome.

You’ll see a lot of guides that tell you that you need to save .admx files to the central policy store located at \\sysvol\<domain name>\policies\Policies Definitions. Yes, this is where the policy will get stored, but you cannot directly copy the .admx file to this location. If you try, you will get an error.

You will need to get onto the system drive of a domain controller and copy the .admx file to C:\Windows\SYSVOL\sysvol\<domain name>\Policies\PolicyDefinitions.

  4. Copy policy_templates/windows/admx.en-us/chrome.adml to C:\Windows\SYSVOL\sysvol\<domain name>\Policies\PolicyDefinitions\en-us

This is the language file that allows you to view the policy text in Group Policy. If you forget to do this, you will get an error.

  5. Open Group Policy Editor, edit a policy and navigate to Computer Configuration/Policies/Administrative Templates/Google Chrome.

You can see here that I now have the option to whitelist/blacklist Google Chrome Extensions. Now I can dictate what Extensions my machines can use. My first revision will include blocking everything and then whitelisting apps such as:

Authy

Windows Defender Browser Extension

My Apps Secure-Sign in (Microsoft Azure AD SSO)

If a user attempts to install a non-whitelisted application, they will be forced to open a help desk ticket. That request will then be approved/denied by IT Security.
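One way to confirm on an endpoint that the block-everything-then-whitelist policy actually applied (an added example, not from the original post): the script reads the extension lists Chrome receives from Group Policy and reports extensions in local profiles that are not on the whitelist. It assumes Chrome profiles are in the default location under C:\Users and that it runs in an elevated PowerShell session.

```powershell
# Added example (not from the original post). Run elevated on an endpoint after gpupdate.
# Chrome reads extension policy from this key; older ADMX templates name the lists
# ExtensionInstallWhitelist/Blacklist, newer ones Allowlist/Blocklist, so read both.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

function Get-ChromePolicyList {
    param([string[]]$KeyNames)
    foreach ($name in $KeyNames) {
        $path = Join-Path $policyRoot $name
        if (Test-Path $path) {
            $key = Get-Item -Path $path
            # Each list entry is a numbered string value ("1", "2", ...) under the key.
            foreach ($valueName in $key.GetValueNames()) { [string]$key.GetValue($valueName) }
        }
    }
}

$blocked = @(Get-ChromePolicyList 'ExtensionInstallBlocklist', 'ExtensionInstallBlacklist')
$allowed = @(Get-ChromePolicyList 'ExtensionInstallAllowlist', 'ExtensionInstallWhitelist')

# "Block everything" is expressed as a single "*" entry in the block list.
if ($blocked -notcontains '*') {
    Write-Warning 'Block list has no "*" entry: default-deny is not in effect on this machine.'
}

# Every installed extension has a folder named after its 32-character ID (letters a-p)
# under <profile>\Extensions. Assumes profiles live in the default location.
$pattern = 'C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Extensions\*'
$installed = Get-ChildItem -Path $pattern -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -cmatch '^[a-p]{32}$' }

$findings = foreach ($dir in $installed) {
    if ($allowed -notcontains $dir.Name) {
        [pscustomobject]@{
            User        = $dir.FullName.Split('\')[2]
            Profile     = $dir.Parent.Parent.Name
            ExtensionId = $dir.Name
        }
    }
}

if ($findings) {
    $findings | Sort-Object User, ExtensionId | Format-Table -AutoSize
} else {
    Write-Output 'No extensions outside the allow list were found in local Chrome profiles.'
}
```

Folders for Chrome's own bundled extensions can appear in the output, so review the IDs before treating them as violations.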

Mike Burns
Think|Stack

Think|Stack Director of Security + Known ties to Bills Mafia