Google Chrome Security Settings and Configuration Guide for Enterprise

by Ajit Gaddam on February 17, 2012

Google Chrome holds roughly 25% of the overall web browser market and is gaining share faster than any other browser. Many of these users want to use Chrome at work as well. Internet Explorer remains the dominant browser in most companies because Microsoft makes it easy to centrally deploy, manage, upgrade and configure it across a large number of Windows systems.

Figure 1: Global browser trend data as of December 2011, from W3Counter.com

Google understands this and released Google Chrome for Business, which lets an enterprise IT department configure and deploy Google Chrome centrally on Windows, Mac and Linux.

From an information security perspective, Chrome fared best in Accuvant Labs' December 2011 browser comparison, which looked at sandboxing, JIT hardening, ASLR and DEP among other defenses. Note that Google commissioned that study, so weigh its conclusions accordingly. The full report (PDF): http://www.accuvant.com/sites/default/files/AccuvantBrowserSecCompar_FINAL.pdf

Figure 2: Results summary from the December 2011 Accuvant report on browser security

To set Google Chrome security settings for the Business edition, you first need to download a couple of items from Google: the Google Chrome MSI and the policy templates (ADM/ADMX files) that we will use to set the security settings.

Google Chrome MSI and ADM files

Google Chrome for Business is available as an MSI installer package, so enterprises can roll out and update the browser centrally with Group Policy or any other standard deployment tool for all their managed users.

Step 1: Download the Google Chrome MSI

https://www.google.com/intl/en/chrome/business/browser/

Step 2: Download the Google Chrome policy templates

The next step is to securely configure Google Chrome. Google provides policy templates in ADM and ADMX format for Windows; templates are also available for Linux (JSON files) and Mac (MCX configuration).

Zip file of Google Chrome templates and documentation: http://dl.google.com/dl/edgedl/chrome/policy/policy_templates.zip

Step 3: Configure using Group Policy Editor

  1. Launch the Group Policy Editor: Start > Run > gpedit.msc
  2. Import the Google Chrome ADM template
  • Right-click Administrative Templates under Local Computer Policy > Computer Configuration > Administrative Templates
  • Choose Add/Remove Templates and add the chrome.adm file (in the zip file it is under Policy Templates > Windows > adm > en-US)
  • Once complete, a Google folder appears under Administrative Templates

gpedit.msc edits Local Computer Policy only. For a domain, create a GPO in the Group Policy Management Console and, on Windows Vista/Server 2008 or later, use the ADMX/ADML files from the same zip (copied to the central store under \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions) rather than the legacy ADM format. Settings under Computer Configuration are written to HKLM\Software\Policies\Google\Chrome, which standard users cannot change. After a gpupdate /force, chrome://policy in the browser lists the policies Chrome actually picked up and flags any it did not recognize, which is the quickest way to confirm a template was imported correctly.

Figure 3: Google Chrome ADM template in Group Policy Editor

Google Chrome Security Settings Configuration

The following sections are recommendations for securely configuring Google Chrome for your enterprise. Please make sure to test the recommended configurations and tweak them as appropriate.

Google Update for Enterprise

This template lets you set policies for Google Update, the updater that keeps Chrome current. The recommendation is to leave auto-update enabled. If that is not acceptable to your IT department for testing, reporting or other management reasons, auto-update can be disabled and Chrome updated through the normal patch management cycle.

Auto-update probably runs contrary to how you deploy software and OS patches today, and the reasons for that are valid: you want to test patches, assess and prioritize the risk, and roll them out in a controlled fashion. Keep in mind, though, that the web browser is the single greatest threat vector into most companies, so it is prudent to apply browser updates as soon as possible. Google Update has its own template, downloaded separately from the Chrome templates: http://dl.google.com/update2/enterprise/GoogleUpdate.adm

Current Settings (Google -> Google Update -> Google Chrome):

  • Enable the Allow installation option so Chrome, including its security updates, can be installed through Google Update/Google Installer.
  • Under Update policy override, select the Automatic silent updates option so updates are applied as soon as the periodic update check finds them.
  • Check for updates once every 24 hours (1440 minutes): under Preferences, enable the Auto-update check period override and set it to 1440.
  • Configure the Proxy Server settings so the updater itself can reach Google. The recommendation is a .pac proxy script, matching the browser's own proxy configuration.
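As an added example (not code from the original post or from Google), here are the same Google Update recommendations written as the registry values the GoogleUpdate.adm template produces, so they can be applied on a lab machine or compared with what Group Policy delivered. It assumes the machine policy key HKLM\SOFTWARE\Policies\Google\Update, the Chrome application GUID shown in the template (verify it against your copy), and a placeholder PAC URL.

```powershell
# Added example: Google Update machine policy, as written by GoogleUpdate.adm.
# Run elevated on a test machine; in production let Group Policy deliver these values.
$updateKey   = 'HKLM:\SOFTWARE\Policies\Google\Update'
$chromeAppId = '{8A69D345-D564-463C-AFF1-A69D9E530F96}'   # Chrome's app ID in the template; verify against your copy

function Set-UpdatePolicy {
    param([string]$Name, [object]$Value, [string]$Type = 'DWord')
    if (-not (Test-Path $updateKey)) { New-Item -Path $updateKey -Force | Out-Null }
    New-ItemProperty -Path $updateKey -Name $Name -PropertyType $Type -Value $Value -Force | Out-Null
}

# "Allow installation": 1 = installation through Google Update is permitted
Set-UpdatePolicy -Name "Install$chromeAppId" -Value 1

# "Update policy override": 1 = always allow updates (automatic silent plus manual checks);
# 3 = automatic silent updates only (no manual checks); 0 = updates disabled entirely
Set-UpdatePolicy -Name "Update$chromeAppId" -Value 1

# "Auto-update check period override": minutes between update checks (24 hours)
Set-UpdatePolicy -Name 'AutoUpdateCheckPeriodMinutes' -Value 1440

# Proxy for the updater itself: the corporate PAC script (placeholder URL)
Set-UpdatePolicy -Name 'ProxyMode'   -Value 'pac_script' -Type String
Set-UpdatePolicy -Name 'ProxyPacUrl' -Value 'http://proxy.example.com/proxy.pac' -Type String

# Show the effective values so they can be compared with the GPO report
Get-ItemProperty -Path $updateKey |
    Select-Object "Install$chromeAppId", "Update$chromeAppId", AutoUpdateCheckPeriodMinutes, ProxyMode, ProxyPacUrl
```

Setting the update value to 0 is the "follow the normal patch cycle" option described above; if you take that route, pair it with a process that redeploys the MSI promptly when Google ships a security release, because the updater will no longer do it for you.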

Configure Remote Access Options

This policy controls whether the Chrome remote access host (Chrome Remote Desktop) on the user's machine may use firewall traversal so that remote clients can discover and connect to it even when a firewall separates them.

  • Disable the "Enable firewall traversal from remote access host" option.

Content Settings

This section customizes the JavaScript and other content rendering within the Chrome browser.

  • JavaScript: leave it "not configured". Disabling JavaScript globally breaks most of the web; users can still deny JavaScript for a particular site when they choose to.
  • Default plugins: set it to block. Allow plugins only on an approved whitelist of sites through "Allow plugins on these sites".
  • Default pop-ups: leave it "not configured". Chrome blocks pop-ups by default and users can allow them per site.
  • Default geolocation: enable it and choose the "Ask whenever a site wants to track the user's physical location" option.

Google Chrome Frame

Google Chrome Frame (an Internet Explorer plugin that renders pages with Chrome's engine) is not recommended as a secure alternative for rendering HTML in legacy browsers at this point.

  • Disable the default HTML renderer for Google Chrome Frame
  • Disable the Always render the following URL patterns in Google Chrome Frame
  • Disable the Always render the following URL patterns in the host browser

Default Search

This setting controls the default search provider to be used when a user types text in the omnibox that is not a URL.

  • There is no recommendation from Security for a default search provider. We recommend leaving it to the user to choose a provider of their choice.

Extensions

This section controls which extensions users can and cannot install. Make sure every permitted extension is approved and has a valid business case at your company: block installation by default and whitelist approved extensions as required.

  • Enable the Configure extension installation blacklist with a single entry of * to blacklist all extensions.
  • Leave the Configure extension installation whitelist disabled unless there are approved exceptions; list those by extension ID.

Homepage

There is no recommendation for the default homepage. Users should be given the flexibility to configure it to a homepage of their preference.

Password Manager

The password manager built into Google Chrome is not recommended as a viable password storage mechanism at this point.

  • Disable the Enable the password manager option so that Chrome neither saves new passwords nor fills in already saved ones.
  • Disable the Allow users to show passwords in Password Manager option so that already stored passwords are not displayed in clear text in the password manager window.

HTTP Authentication

HTTP authentication is a challenge and response exchange: the server (or proxy) sends a WWW-Authenticate (or Proxy-Authenticate) response header listing the schemes it accepts, and the browser replies with an Authorization (or Proxy-Authorization) request header carrying the credentials.

  • Disable the Basic scheme, which sends the username and password in plaintext (merely Base64-encoded) to the server or proxy.
  • Set the supported authentication schemes to "digest,ntlm,negotiate". When a server offers several schemes, Chrome prefers Negotiate, then NTLM, then Digest, then Basic, so the list mainly matters for removing Basic. Test against your proxies and intranet applications first: anything that offers only Basic will stop authenticating.
  • Leave the CNAME lookup option "not configured", so Chrome continues to determine the canonical name of the server via CNAME lookup when it builds the Kerberos service principal name, rather than using the name as typed.
  • Leave the authentication server whitelist "not configured". Without a whitelist, Chrome on Windows uses the Internet Explorer security zones and sends integrated (NTLM/Negotiate) credentials only to servers in the Local Machine or Local Intranet zone; a server outside that set gets an explicit username and password prompt instead.
  • Disable the Cross-origin HTTP Basic Auth prompts option. This controls whether third-party sub-content on a page (images, scripts or frames from another origin) may pop up an HTTP Basic authentication dialog. Disabling it is a phishing defense: otherwise an attacker can embed a resource that challenges for credentials while the address bar still shows a trusted page. With it disabled, such sub-resources simply fail to load without prompting.

Proxy Server

This section specifies the proxy server used by Google Chrome. Configure it to match your current proxy settings; if you use IE, you can replicate those settings directly, and Chrome's "Use system proxy settings" mode reads the same Internet Options on Windows.
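Putting the Remote Access, Content Settings, Extensions, Password Manager, HTTP Authentication and Proxy Server recommendations above together, here is an added example (not code from the post or from Google) of the equivalent registry values under HKLM\SOFTWARE\Policies\Google\Chrome, the key where the chrome.adm template writes Computer Configuration policies. "Disable the Default Plugins setting" is read as the policy's block value (2). The intranet URL pattern, the extension ID placeholder and the PAC URL are assumptions.

```powershell
# Added example: Chrome machine policy as written by chrome.adm (Computer Configuration).
# Run elevated on a test machine; for production deployment use Group Policy.
$chromeKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
New-Item -Path $chromeKey -Force | Out-Null

function Set-ChromeValue {
    param([string]$Name, [object]$Value, [string]$Type = 'DWord')
    New-ItemProperty -Path $chromeKey -Name $Name -PropertyType $Type -Value $Value -Force | Out-Null
}

# List policies are sub-keys holding string values named 1, 2, 3 ...
function Set-ChromeList {
    param([string]$Name, [string[]]$Items)
    $listKey = Join-Path $chromeKey $Name
    if (Test-Path $listKey) { Remove-Item -Path $listKey -Recurse }   # replace rather than merge
    New-Item -Path $listKey -Force | Out-Null
    for ($i = 0; $i -lt $Items.Count; $i++) {
        New-ItemProperty -Path $listKey -Name ($i + 1) -PropertyType String -Value $Items[$i] | Out-Null
    }
}

# Configure Remote Access Options: no firewall traversal for the remote access host
Set-ChromeValue RemoteAccessHostFirewallTraversal 0

# Content Settings: block plugins by default (2) except on listed sites (placeholder pattern);
# geolocation 3 = ask the user each time. JavaScript and pop-ups stay not configured.
Set-ChromeValue DefaultPluginsSetting 2
Set-ChromeList  PluginsAllowedForUrls @('https://intranet.example.com')
Set-ChromeValue DefaultGeolocationSetting 3

# Extensions: blacklist everything; approved extension IDs go into ExtensionInstallWhitelist
Set-ChromeList ExtensionInstallBlacklist @('*')
# Set-ChromeList ExtensionInstallWhitelist @('<approved extension id>')

# Password Manager: off, and no clear-text display of anything already stored
Set-ChromeValue PasswordManagerEnabled 0
Set-ChromeValue PasswordManagerAllowShowPasswords 0

# HTTP Authentication: drop Basic; CNAME lookup and the server whitelist stay not configured
Set-ChromeValue AuthSchemes 'digest,ntlm,negotiate' String
Set-ChromeValue AllowCrossOriginAuthPrompt 0

# Proxy Server: the same PAC script as the rest of the estate (placeholder URL)
Set-ChromeValue ProxyMode   'pac_script' String
Set-ChromeValue ProxyPacUrl 'http://proxy.example.com/proxy.pac' String

# Review what was written; chrome://policy in the browser shows the same values once Chrome reloads policy
Get-ItemProperty -Path $chromeKey
Get-ItemProperty -Path (Join-Path $chromeKey 'ExtensionInstallBlacklist')
```

Because these values live under HKLM they apply to every user of the machine and cannot be overridden from Chrome's own settings pages. User-scoped policies from the User Configuration half of the template land under HKCU\Software\Policies\Google\Chrome instead, and a machine value always wins over a user value for the same policy.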

Chrome Detailed Security Configuration Settings

Configuration | Setting | Rationale
--- | --- | ---
Allow Google Chrome Frame to handle the listed content types | Disabled | Google Chrome Frame is not being presented as a secure option
Allow invocation of file selection dialogs | Not configured | File selection dialogs work as normal
Allow running plugins that are outdated | Disabled | Outdated plugins are blocked instead of running as normal plugins
Enable alternate error pages | Not configured | The alternate error pages built into Google Chrome are used
Always run plugins that require authorization | Disabled | Plugins that need authorization do not run automatically; exceptions only via a whitelist backed by an approved business case
Application locale | Not configured | Defaults to the system locale (en-US here); users can change it
Enable AutoFill | Disabled | Prevents auto-completion of forms from previously stored information such as addresses and credit card numbers
Block third party cookies | Not configured | User discretion
Enable bookmark bar | Not configured | User discretion
Clear site data on browser shutdown | Not configured | Site data is preserved across shutdowns; users can change it
Enable Google Cloud Print Proxy | Disabled | Prevents the local computer from acting as a proxy that shares its local printers with Google Cloud Print
Enable submission of documents to Google Cloud Print | Disabled | Prevents users from submitting print jobs to Google Cloud Print
Set Chrome as default browser | Not configured | User discretion
Disable Developer Tools | Not configured | Developer tools and the JavaScript console remain available
Disable support for 3D graphics APIs | Not configured | User discretion
Specify whether the plugin finder should be disabled | Enabled | Prevents automatic search for and installation of non-approved plugins (the policy is phrased negatively: enabling it turns the plugin finder off)
Disable SPDY protocol | Not configured | SPDY remains available
Specify a list of disabled plugins | Not configured | Customized through EnabledPlugins and DisabledPluginsExceptions
Specify a list of plugins that the user can enable or disable | Not configured | Customized through EnabledPlugins and DisabledPluginsExceptions
Disable URL protocol schemes | Not configured | All protocol schemes remain accessible in Chrome
Set disk cache directory | Not configured | User discretion
Set disk cache size in megabytes | Not configured | User discretion
Enable network prediction | Not configured | User discretion
Set download directory | Not configured | User discretion
Enable or disable bookmark editing | Not configured | User discretion
Specify a list of enabled plugins | Disabled | Prevents installation of non-approved plugins
Enterprise web store name | Not configured | Customize to your internal app store
Enterprise web store URL | Not configured | Customize to your internal app store
Set Google Chrome Frame user data directory | Disabled | Chrome Frame is disabled
Prevent app promotions from appearing on the new tab page | Enabled | Promotions for Chrome Web Store apps do not appear on the new tab page
Import bookmarks from default browser on first run | Not configured | User discretion
Import browsing history from default browser on first run | Not configured | User discretion
Import homepage from default browser on first run | Not configured | User discretion
Import saved passwords from default browser on first run | Disabled | Prevents importing saved passwords from the current IE browser
Import search engines from default browser on first run | Not configured | User discretion
Incognito mode availability | Enabled, set to "Incognito mode disabled" | Browsing history is always retained, which aids investigations and forensic analysis if required
Enable Instant | Not configured | User discretion
Maximal number of concurrent connections to the proxy server | Not configured | The default of 32 simultaneous connections to the proxy is used
Set media disk cache size | Not configured | User discretion
Enable reporting of usage and crash-related data | Disabled | Prevents reporting of usage and browser crash data to Google
Enable printing | Not configured | User discretion
Enable Safe Browsing | Enabled | Enables Safe Browsing, including phishing and malware protection
Disable saving browser history | Disabled | Browsing history is saved
Enable search suggestions | Not configured | User discretion
Show Home button on toolbar | Not configured | User discretion
Disable synchronization of data with Google | Enabled | Prevents synchronization of browser data (bookmarks, passwords, settings) to a Google account
Enable Translate | Not configured | User discretion
Block access to a list of URLs | Not configured | Managed via the proxy
Allow access to a list of URLs | Not configured | Managed via the proxy
Set user data directory | Not configured | User discretion
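A baseline is only useful if you can tell when a machine has drifted from it. As an added example (not code from the post or from Google), the script below reads the machine policy key and compares it with the Enabled/Disabled rows of the table above, using the registry value names from the Chromium policy list; rows the table leaves "not configured" are checked for being absent, since an unexpected value there is drift too. The policy key path and the value names are assumptions you should confirm against chrome://policy on a reference machine.

```powershell
# Added example: audit a machine against the baseline table above.
$chromeKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

# Registry value names from the Chromium policy list; 1/0 for booleans, enumerations as noted
$expected = @{
    AllowOutdatedPlugins              = 0
    AlwaysAuthorizePlugins            = 0
    AutoFillEnabled                   = 0
    CloudPrintProxyEnabled            = 0
    CloudPrintSubmitEnabled           = 0
    DisablePluginFinder               = 1   # enabling the policy turns the finder off
    HideWebStorePromo                 = 1
    ImportSavedPasswords              = 0
    IncognitoModeAvailability         = 1   # 1 = Incognito mode disabled
    MetricsReportingEnabled           = 0
    SafeBrowsingEnabled               = 1
    SavingBrowserHistoryDisabled      = 0
    SyncDisabled                      = 1
    PasswordManagerEnabled            = 0
    PasswordManagerAllowShowPasswords = 0
    AllowCrossOriginAuthPrompt        = 0
    RemoteAccessHostFirewallTraversal = 0
}
# Left to the user or to the proxy in the table: flag them if someone has set them anyway
$mustBeAbsent = @('DeveloperToolsDisabled', 'URLBlacklist', 'URLWhitelist', 'BlockThirdPartyCookies')

function Test-ChromeBaseline {
    $findings = @()
    $actual = Get-ItemProperty -Path $chromeKey -ErrorAction SilentlyContinue
    if (-not $actual) { return @("$chromeKey missing: no machine policy applied") }

    foreach ($name in ($expected.Keys | Sort-Object)) {
        $value = $actual.$name
        if ($null -eq $value) {
            $findings += "$name not set (expected $($expected[$name]))"
        } elseif ([int]$value -ne $expected[$name]) {
            $findings += "$name is $value (expected $($expected[$name]))"
        }
    }
    foreach ($name in $mustBeAbsent) {
        # scalar policies are values on the key; list policies are sub-keys
        if ($null -ne $actual.$name -or (Test-Path (Join-Path $chromeKey $name))) {
            $findings += "$name is configured but the baseline leaves it to the user or the proxy"
        }
    }
    # List policies live in sub-keys: the extension blacklist must carry the '*' wildcard
    $blacklist = Get-ItemProperty -Path (Join-Path $chromeKey 'ExtensionInstallBlacklist') -ErrorAction SilentlyContinue
    if (-not $blacklist -or $blacklist.'1' -ne '*') {
        $findings += "ExtensionInstallBlacklist does not block all extensions with '*'"
    }
    return $findings
}

$drift = Test-ChromeBaseline
if ($drift.Count -eq 0) { 'Baseline matches' } else { $drift }
```

Run it as part of a login script or a scheduled task and ship the findings to whatever you use for configuration compliance; the registry is the source of truth for what Group Policy delivered, while chrome://policy on the same machine confirms what the browser actually loaded and will call out any value it rejected.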


References

http://googleenterprise.blogspot.com/2010/12/chrome-is-ready-for-business.html

http://dev.chromium.org/administrators/policy-list-3

http://support.google.com/installer/bin/answer.py?hl=en&answer=146164

https://support.google.com/chrome/bin/answer.py?hl=en&answer=95589&topic=14666&ctx=topic

http://dev.chromium.org/developers/design-documents/http-authentication