Introduction
This document summarises, with examples, how to establish a secure configuration for Google Chrome based on the CIS Google Chrome Benchmark. The recommendations below are enforced through Windows Group Policy; each policy is backed by a registry value under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome, which is what an audit actually checks. Applying them hardens the browser and removes configuration choices that a user or a malicious page could otherwise weaken.
Recommendations
1. Enforced Defaults
The recommendations in this section match the values Google Chrome ships with by default. Enforcing them through policy prevents a user (or malware running in the user's context) from changing them to a less secure option; a setting that is merely at its default, but not enforced, does not satisfy the benchmark.
- Remote Access
- E.g. Ensure ‘Enable curtaining of remote access hosts’ is set to ‘Disabled’
Description:
Curtaining blanks the local console while a Chrome Remote Desktop session is in progress, so that someone physically present at the host cannot see what the remote user is doing. Keeping it disabled leaves the local screen visible, so a person at the machine can notice that it is being controlled remotely.
Audit:
Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:RemoteAccessHostRequireCurtain
Remediation:
To establish the recommended configuration via group policy, set the following UI path to ‘Disabled’:
Computer Configuration\Administrative Templates\Google\Google Chrome\Configure remote access options\Enable curtaining of remote access hosts
- E.g. Ensure ‘Continue running background apps when Google Chrome is closed’ is set to ‘Disabled’
Description:
Background mode lets Chrome processes (for example extensions with background pages) keep running after the last browser window is closed. Disabling it ensures that closing the browser actually terminates it, so nothing continues to execute or communicate without a visible window.
Audit:
Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:BackgroundModeEnabled
Remediation:
To establish the recommended configuration via group policy, set the following UI path to ‘Disabled’:
Computer Configuration\Administrative Templates\Google\Google Chrome\Continue running background apps when Google Chrome is closed
2. Attack Surface Reduction
These recommendations reduce the browser's overall attack surface by limiting the content and code a page is allowed to run.
- E.g. Ensure ‘Default Flash setting’ is set to ‘Enabled’
Description:
Plugins such as Flash have historically been a major source of browser exploits and instability. Setting the default to ‘Click to play’ means plugin content does not run automatically; the user must explicitly activate it, so only the plugins actually needed are ever executed. Note that Flash support was removed from Chrome in version 88 (January 2021), so this policy only has an effect on older releases that still shipped Flash.
Audit:
Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:DefaultPluginsSetting
Remediation:
To establish the recommended configuration via group policy, set the following UI path to ‘Enabled’ with ‘Click to play’ selected from the dropdown:
Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings\Default Flash Setting
The other recommendations in this section follow the same pattern: each maps to a policy value that is set to ‘Enabled’ or ‘Disabled’ as the benchmark prescribes.
3. Services
These recommendations improve user privacy by limiting what Chrome stores locally and what it shares with external services.
- E.g. Ensure ‘Default cookies setting’ is set to ‘Enabled’
Description:
Persistent cookies survive browser restarts, so a session token or tracking identifier stored in one remains usable long after the user has finished. Keeping cookies only for the duration of the session clears them when the browser closes. The trade-off is that ‘remember me’ style sign-ins will not persist across browser restarts, so sites that must keep users signed in should be whitelisted through the cookie exception policies rather than by weakening the default.
Audit:
Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:DefaultCookiesSetting
Remediation:
To establish the recommended configuration via group policy, set the following UI path to ‘Enabled’ with ‘Keep cookies for the duration of the session’ selected from the dropdown:
Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings\Default Cookies Setting
The remaining recommendations in this section are applied the same way, with each policy set to ‘Enabled’ or ‘Disabled’ as the benchmark prescribes.
4. Management/Visibility/Performance
These recommendations cover the management, visibility and performance of Google Chrome.
- Remote Access
These recommendations relate to Chrome Remote Desktop hosts.
- E.g. Ensure ‘Enable firewall traversal from remote access host’ is set to ‘Disabled’
Description:
When firewall traversal is enabled, the remote access host uses STUN servers so that remote clients can discover and connect to the machine even when a firewall separates them. When it is disabled (and outgoing UDP is filtered by the firewall), the machine only accepts remote access connections from clients within the local network.
Audit:
Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:RemoteAccessHostFirewallTraversal
Remediation:
To establish the recommended configuration via group policy, set the following UI path to ‘Disabled’:
Computer Configuration\Administrative Templates\Google\Google Chrome\Configure remote access options\Enable firewall traversal from remote access host
The other recommendations in this section follow the same pattern, each policy being set to ‘Enabled’ or ‘Disabled’ as the benchmark prescribes.
5. Data Loss Prevention
These recommendations prevent documents and data from leaving the organisation through browser features that send content to external services.
- E.g. Ensure ‘Enable submission of documents to Google Cloud Print’ is set to ‘Disabled’
Description:
This setting allows Google Chrome to submit documents to Google Cloud Print for printing, which sends the document content to an external service. Disabling it keeps printing on locally managed print paths. Google Cloud Print itself was discontinued at the end of 2020, so on current Chrome releases this policy is only relevant to legacy versions; it remains here as the benchmark's example of the pattern.
Audit:
Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome:CloudPrintSubmitEnabled
Remediation:
To establish the recommended configuration via group policy, set the following UI path to ‘Disabled’:
Computer Configuration\Administrative Templates\Google\Google Chrome\Printing\Enable submission of documents to Google Cloud Print
The remaining recommendations in this section are applied in the same way, with each policy set to ‘Enabled’ or ‘Disabled’ as the benchmark prescribes.
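Every Audit section above amounts to the same check: read a named DWORD under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome and compare it with the value the benchmark wants. The following PowerShell script is an added example, not part of the CIS Benchmark or of Google's tooling. It audits the six policies discussed in sections 1 to 5 in one pass and, with an optional -Remediate switch, writes the expected values directly to the registry. The expected numeric values (0 for a disabled policy, 3 for ‘Click to play’, 4 for session-only cookies) are taken from Chrome's published policy documentation; the function name and the output columns are this example's own choices.

```powershell
# Added audit example for the Chrome policies discussed on this page.
# Not from the CIS Benchmark; the function name and output format are
# this example's own. Run from an elevated PowerShell on the Windows host.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

# Policy value name -> expected DWORD, per Chrome's policy documentation.
$Expected = [ordered]@{
    RemoteAccessHostRequireCurtain    = 0   # section 1: curtaining disabled
    BackgroundModeEnabled             = 0   # section 1: background mode disabled
    DefaultPluginsSetting             = 3   # section 2: 3 = click to play (Flash, legacy Chrome only)
    DefaultCookiesSetting             = 4   # section 3: 4 = keep cookies for the session only
    RemoteAccessHostFirewallTraversal = 0   # section 4: firewall traversal disabled
    CloudPrintSubmitEnabled           = 0   # section 5: Cloud Print submission disabled
}

function Test-ChromePolicy {
    param(
        [string]$Key,
        [System.Collections.IDictionary]$Expected,
        [switch]$Remediate
    )

    foreach ($name in $Expected.Keys) {
        $want   = $Expected[$name]
        $actual = $null

        # A missing key or value means the policy is NOT enforced: Chrome falls back
        # to its default and the user can change it, so "NOT SET" is a finding too.
        if (Test-Path $Key) {
            $actual = (Get-ItemProperty -Path $Key -Name $name -ErrorAction SilentlyContinue).$name
        }

        $status = if ($null -eq $actual) { 'NOT SET' }
                  elseif ($actual -eq $want) { 'PASS' }
                  else { 'FAIL' }

        if ($status -ne 'PASS' -and $Remediate) {
            if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
            New-ItemProperty -Path $Key -Name $name -Value $want -PropertyType DWord -Force | Out-Null
            $status = 'REMEDIATED'
        }

        [pscustomobject]@{
            Policy   = $name
            Expected = $want
            Actual   = $actual
            Status   = $status
        }
    }
}

# Audit only; add -Remediate to write the expected values.
Test-ChromePolicy -Key $PolicyKey -Expected $Expected | Format-Table -AutoSize
```

Writing the values directly is appropriate for a standalone or test machine; on a domain-joined host the Group Policy paths in the Remediation sections are the proper mechanism, because the next policy refresh overwrites anything set by hand. After either method, chrome://policy on the host lists each policy Chrome has actually loaded, together with any it rejected, which is the quickest way to confirm the value was applied as intended.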
Conclusion
Web browsers such as Google Chrome can be hardened against common attacks by enforcing the policies described in the CIS Benchmark, auditing the registry values behind them, and treating any policy that is unset, rather than merely at its default, as a finding.