Web Browser Security Revisited (Part 5) - Part One

Number: IRCAR201410237
Date: 2014/10/21
In this article, we’ll look specifically at the special features Google provides for enterprise administrators with its Chrome for Business.
Google Chrome for Business
Chrome for Business can be deployed on all three of the popular client operating systems: Windows, Linux and Mac. Google provides a downloadable MSI file that you can use for offline installations. You can download it from the Google web site.
The MSI can be deployed via System Center Configuration Manager (SCCM) or other automated deployment tools, or can be scripted with the command:
Msiexec /q /I GoogleChrome.msi
Note that on corporate computers (in a domain), even if Chrome has already been installed by the user, the browser will still adhere to the policies.
Chrome for Business on Windows
On a Windows Server-based network, you can use Group Policy to control Chrome settings such as setting a common home page for all users, turning off auto updates, forcing accessibility settings, enabling firewall traversal for remote access, controlling cookies, plug-ins and JavaScript settings, blocking images, and much more.
Security-related Group Policy Settings
Some of the most important Group Policy settings, for those concerned with security, include the following:
  • RemoteAccessHostFirewallTraversal is a REG_DWORD value by which you can allow remote clients to discover and connect to the computer when separated by a firewall. If you want the computer to allow connections only from clients within the local area network, you need to disable this policy. It is enabled by default.
  • RemoteAccessHostDomain is a REG_SZ value by which you can configure a required host domain name for remote access hosts. Enabling the setting restricts sharing of hosts to accounts that are registered in that domain and users cannot change the host domain name. By default, any account can be used to share hosts.
  • RemoteAccessHostRequireTwoFactor is a REG_DWORD value by which you can require that users provide a two-factor authentication code to access a remote host computer. By default, a user-defined Personal Identification Number (PIN) is used to authenticate to remote access hosts.
  • RemoteAccessHostRequireCurtain is a REG_DWORD value by which you can disable the host computer’s physical input/output devices during remote connections. By default, local and remote users can both interact with a shared host.
There are also a number of settings that allow you to specify how Chrome will handle different types of content. These include:
  • DefaultCookiesSetting
  • DefaultImagesSetting
  • DefaultPluginsSetting
  • DefaultPopupsSetting
  • DefaultGeolocationSetting
  • DefaultJavaScriptSetting
The last one is especially important since allowing the running of JavaScript can pose security risks. Chrome’s sandboxing feature will ameliorate this but you can prevent web sites from running JavaScript by setting the value of this policy to “2.” By default, JavaScript is allowed and users can change the setting in the GUI.
In addition to default settings, there are policies by which you can fine-tune settings. For example, using the CookiesAllowedForUrls and CookiesBlockedForUrls policies, you can define specific URLs for sites that you want to allow to set cookies, or those that you want to block from setting cookies. You can do the same for display of images by web sites, allowing JavaScript for specific sites, and so forth.
The ExtensionInstallBlacklist policy can be used to specify Chrome browser extensions that users will not be allowed to install, and if extensions on the list are already installed on a computer, they will be removed. You can go even further and use a value of “*” to blacklist all extensions, with the exceptions of those that you specifically whitelist. As you might have surmised, there is also an ExtensionInstallWhitelist policy where you can specify allowed extensions. You can even force specific extensions to be installed with the ExtensionInstallForcelist policy.
Another helpful set of policies makes it possible for admins to create supervised (managed) users. This ability is enabled by default on consumer devices but disabled on enterprise devices (however, you can enable it using the SupervisedUsersEnabled policy).
You can also control whether or not users can show stored passwords in plain text. This is an option in the Chrome browser that has stirred up a bit of controversy. When a user goes to Settings | Show Advanced Settings | Passwords and forms | Manage saved passwords, Chrome lists the saved passwords and the user can click a Show button to display a particular password in plain text. This can obviously present a security risk since an unauthorized user could sit down at an unlocked computer and view the passwords. The Password Manager Group Policy settings can be used to prevent users from displaying the passwords, with the PasswordManagerAllowShowPasswords policy, or even prevent them from saving passwords entirely, with the PasswordManagerEnabled policy.
You can set mandatory or recommended policies. Mandatory preferences go in the HKEY_LOCAL_MACHINE registry key and recommended preferences go in the HKEY_CURRENT_USER registry key.
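The machine-wide policies named above can be checked on a Windows client with a short audit script. The following is an added example, not code from the original article or from Google; it assumes the policies are stored under HKLM\SOFTWARE\Policies\Google\Chrome, and the expected values are an assumed baseline to adjust to your own requirements.

```powershell
# Added example: audit Chrome machine policies against an assumed baseline.
# Assumption: mandatory policies are stored under this key (not stated in the article).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

# Assumed hardened values for the DWORD policies the article names.
# A missing value means Chrome falls back to the default the article describes.
$Baseline = [ordered]@{
    RemoteAccessHostFirewallTraversal = 0   # allow LAN clients only
    RemoteAccessHostRequireTwoFactor  = 1   # two-factor code instead of PIN only
    RemoteAccessHostRequireCurtain    = 1   # disable local I/O during remote sessions
    DefaultJavaScriptSetting          = 2   # block JavaScript by default
    PasswordManagerAllowShowPasswords = 0   # no plain-text "Show" button
}

function Test-ChromePolicy {
    param(
        [string]$Key = $PolicyKey,
        [System.Collections.IDictionary]$Expected = $Baseline
    )

    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    foreach ($name in $Expected.Keys) {
        $isSet  = $props -and ($props.PSObject.Properties.Name -contains $name)
        $actual = if ($isSet) { $props.$name } else { $null }
        [pscustomobject]@{
            Policy   = $name
            Expected = $Expected[$name]
            Actual   = if ($isSet) { $actual } else { '(not set, default applies)' }
            Pass     = $isSet -and ($actual -eq $Expected[$name])
        }
    }

    # List policies are stored as a subkey holding numbered string values.
    $listKey = Join-Path $Key 'ExtensionInstallBlacklist'
    $entries = @()
    if (Test-Path $listKey) {
        $item    = Get-Item -Path $listKey
        $entries = @($item.GetValueNames() | ForEach-Object { $item.GetValue($_) })
    }
    [pscustomobject]@{
        Policy   = 'ExtensionInstallBlacklist'
        Expected = '*'
        Actual   = if ($entries.Count) { $entries -join ',' } else { '(not set, default applies)' }
        Pass     = $entries -contains '*'   # exact match: all extensions blacklisted
    }
}

Test-ChromePolicy | Format-Table -AutoSize
```

A policy reported as not set is counted as a failure because the defaults described above (firewall traversal enabled, PIN-only authentication, JavaScript allowed) are the permissive ones.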

