App Spotlight: Implementing Google Chrome security best practices with Fleetsmith

Google Chrome Configurations in Fleetsmith
By Jon Xavier

Google Chrome. It’s the most used browser in the world, which also makes it one of the most ubiquitous and important pieces of software in the corporate device world. Chances are good it’s the first thing your employees download upon getting a new laptop or mobile device. It’s on your fleet, whether you put it there or not.

If it is something you want to put on every device, Fleetsmith makes that really easy. As a part of our zero-touch deployment experience, we can not only install Chrome, but also add configuration profiles to Chrome and enforce them so that employees don’t inadvertently mess with something vital.

This month, we did a significant update to our Chrome functionality, adding a slew of new configuration options and augmenting the existing ones. This update gives security-minded admins a lot of power to establish enterprise-level browser security, but it’s packaged in such a way that you don’t need enterprise-level resources or knowhow. Our goal was to take Google’s Chrome security best practices and deliver them through a simple UI, so even very small teams could have enterprise-level security for their whole company with less than an hour’s work.

Given the changes, we thought it might be a good time to take an in-depth look at Chrome and Chrome security. In this blog, we’re going to highlight the profiles you can apply in Fleetsmith and also provide a little advice about how to get the most out of each feature.

Let’s walk through each one of these options and talk about what you can do with it.

Install Extensions

Installing extensions remotely
One of the biggest advantages of using Chrome is the huge ecosystem of browser extensions built up around it. In fact, Chrome extensions are so powerful that in some cases employees end up using them instead of a native app to fulfill critical tasks. In other cases, a native app might need a browser extension to get the most out of its functionality—password managers and video conferencing solutions are common examples of this. Either way, once your business comes to depend on a Chrome extension for something, you need a way to ensure that it’s installed along with Chrome.

That’s where Fleetsmith comes in. We provide a small selection of extremely common extensions that can be enabled by checking a box—1Password, BlueJeans, Chrome Remote Desktop, LastPass, and Zoom. We also allow for a zero-touch deployment of any Chrome extension with a few extra clicks. Simply grab the IDs of the extensions you want and paste them into the box, separated by commas. They’ll be added to Chrome seamlessly on any device with a profile containing them. They’ll also be enforced on those devices, which makes it an ideal way to ensure the presence of any extensions you absolutely need for security or compliance reasons.

Password Alert

setting up Google's Password Alert Extension
Password Alert is a Chrome extension developed by Google that helps protect users against credential harvesting attacks. Chrome already includes some protections against these sorts of attacks, which attempt to trick users into entering their login credentials into spoofed login pages. Password Alert layers on another, more robust safeguard in addition to this base level of protection.

The way it works is that the first time a password is entered on a protected login page, Chrome registers and hashes the keystrokes. From that point on, Chrome monitors password entry and compares with the saved hash—if it notices that a password is being used on a site that ISN’T the registered domain, it triggers a warning popup before users can compromise their credentials. Password Alert never saves the keystrokes themselves, and it does all comparisons locally—it doesn’t send data to Google or anyone else.

By default, Password Alert only works for logins to Google sites. Even this is useful to prevent your users from having their personal login email phished, which can often be used to unlock other accounts. It becomes even more powerful when you enable it for your own corporate domain and offer your login pages the same protection. This takes a little extra work—you’ll need to set up Google’s Password Alert App Engine Server—but once that’s done Fleetsmith makes enforcing these protections on all of your devices as simple as a couple of clicks.

One thing to note here is that you can only protect one domain from within Fleetsmith. If for example you have a different domain for your site in each country, you’ll want to have profiles for your devices in those countries with Password Alert configured on each, rather than a single configuration added to the Global profile.
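The mechanism described above (hash the password once on the protected domain, compare later typing against that hash locally, warn on reuse elsewhere), as an added, simplified model that is not Google's extension code; the domains and password are constructed:

```python
import hashlib
import hmac
import os

# Simplified model of the Password Alert mechanism described above: the
# password typed on the protected login domain is stored only as a salted
# hash, later typing is compared against that hash locally, and a match on
# any other domain is the warning condition. Constructed illustration, not
# Google's extension code; the domains used with it are made up.

class PasswordAlertMonitor:
    def __init__(self, protected_domain, min_length=8):
        self.protected_domain = protected_domain
        self.min_length = min_length          # refuse to register short strings
        self.salt = os.urandom(16)
        self.registered = None                # (digest, length), never cleartext

    def _digest(self, text):
        # Slow, salted hash so the stored value is not cheaply reversible
        return hashlib.pbkdf2_hmac("sha256", text.encode(), self.salt, 10_000)

    def register(self, domain, password):
        """Called the first time a password is entered on the protected page."""
        if domain != self.protected_domain:
            raise ValueError("registration only happens on the protected domain")
        if len(password) < self.min_length:
            raise ValueError("password too short to register")
        self.registered = (self._digest(password), len(password))

    def observe_typing(self, domain, typed):
        """Return True when the registered password is typed on a domain other
        than the protected one; that is the point at which a warning is shown."""
        if self.registered is None or domain == self.protected_domain:
            return False
        digest, length = self.registered
        # Slide a window the length of the password over the keystrokes and
        # compare digests only, so the cleartext is never retained.
        for start in range(len(typed) - length + 1):
            candidate = self._digest(typed[start:start + length])
            if hmac.compare_digest(candidate, digest):
                return True
        return False
```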

Extension Security

Whitelisting and Blacklisting Chrome Extensions
The downside to the power of Chrome extensions is that they’re a potent malware vector — if a user inadvertently installs a malicious extension, it can lead to a lot of nasty business, including keylogging, data leaks, and remote code execution. Even if an extension isn’t actively malicious, there are a lot of dodgy, poorly written examples on the Chrome Web Store that introduce security vulnerabilities through sheer sloppiness.

And this isn’t even accounting for the fact that good extensions aren’t guaranteed to stay good. For example, one of our engineers recently had to uninstall an extension he’d used for years to manage his browser tabs because the developer got tired of maintaining it and sold it to a shady company that stuffed it full of adware.

Fleetsmith can provide some protection in the form of extension blacklisting and whitelisting, which we make extremely easy. Extension Security through Fleetsmith is also slightly more secure than when it is set through the Google Apps Admin Panel, because it can be applied to all instances of Chrome in your company, not just those where the user is signed in with their corporate G Suite login.

One nice feature of Extension Security is that it doesn’t just block extensions from being installed, it also disables them if they’ve already been installed, and makes it impossible for users to activate them. So if you catch a problematic extension on your machines, you can simply switch this on and eradicate it permanently across your fleet in a single click.

Blacklisting blocks specific extensions, and is good for situations where there’s an extension you know could cause problems. Whitelisting prevents any extension from being installed except the ones you specify. It’s extremely secure, but it’s also likely to annoy your users and generate a lot of requests to whitelist people’s favorite extensions. So you may want to limit it to devices that aren’t being used as general purpose work tools, such as kiosks.

Plugin Execution

Blocking Flash and Java Plugins
Web pages with embedded Flash or Java applets aren’t as common as they used to be, thanks to HTML5 adding native support for most of what developers once relied on them for. Still, plugins represent enough of a security risk that you may want to limit your exposure.

Fleetsmith makes this very easy. You can choose to block these plugins entirely or force them into a click-to-play mode, which is a compromise that gives your users a chance to reconsider whether they really want to punch the monkey to win an iPod before it starts executing arbitrary code.

Data Management

Safe Browsing, Autofill, password manager and more
Google Chrome includes a number of features for syncing data, dealing with cookies, and managing credentials. Depending on your setup, you may or may not want to have these enabled. Fleetsmith lets you configure them to your liking.

  • Safe Browsing: This is Chrome’s built-in protection against phishing, poor site security, malware and unwanted software downloads. While this is usually something you want and usually enabled by default in Chrome, it’s worth noting that by setting it in Fleetsmith you will actually enforce it on your users’ machines so that they cannot turn it off.
  • Autofill on/off: Chrome can save and autofill commonly used information like email addresses, names, and payment information to online forms. While the Chrome team has taken steps to make this as secure as possible, there are situations where you might not want it enabled, such as for shared or public computers. Disabling this in Fleetsmith will enforce it so that it cannot be enabled by users.
  • Password Manager: Chrome ships with its own lightweight password manager that gets the job done, but might be too minimalist for your needs as a business. If you’re using a more robust password manager like LastPass or 1Password, you will want to disable this to avoid credentials being stored in multiple places.
  • Chrome Sync: Chrome syncs personal information like extensions, cookies, and bookmarks between different browsers on different machines. This is not ideal for some security situations, so you may want to disable it.
  • 3rd Party Cookies: You can set Chrome to block 3rd party cookies—those cookies placed on a machine by a service other than the website you are visiting. These cookies are generally used for things like ad tracking rather than to support core site functionality, so blocking them will usually not disrupt a user’s experience.

Abusive Experiences

Abusive Experiences collects a group of features in Chrome aimed at blocking some of the web’s most annoying elements: aggressive popups, popunders, full-screen takeovers, abusive redirects etc. (The full list is here)

When this is enforced, Chrome will automatically block sites where these things have been found from opening new windows or tabs, making for a more pleasant web experience overall.

Download Restrictions

If you’re like a lot of IT managers, the thought of users being able to download any arbitrary file to machines on your network occasionally causes you to wake in a cold sweat. Download Restrictions gives you a way to assert a little more control in this area of Chrome security.

By default, Chrome will flag potentially suspicious downloads and pop up a warning to the user, but will allow the user to proceed if they want. You can instead set Chrome to disallow these downloads entirely — either blocking confirmed malicious downloads or those that are merely potentially dangerous.

What’s the difference here? Blocking malicious downloads means that Chrome will check your downloads against a blacklist maintained by Google, so the false positive rate will be fairly low. Blocking potentially malicious downloads, however, means blocking entire file types that could cause problems—.dmg or .exe files, for example—and has more potential to be disruptive. It might be more appropriate in cases where security trumps convenience. You can even set Chrome to disallow all downloads, but this is pretty much guaranteed to be disruptive to user productivity, so you should limit it to public kiosks.

Google Chrome Authentication

Restricting Google Chrome Logins
Users with a Google account can use it to log in to their browser, which has two main functions. On the one hand, it enables things like bookmarks, extensions, history, and autofill to be synced between the browser and other Chrome instances where the user is signed in. On the other, if it is a corporate Google account, it lets admins push configurations down to the browser from a central G Suite administration panel.

This last is an important point for IT admins. G Suite offers a lot of great configuration features that you can use to totally customize Chrome to your organization’s needs. Yet these configurations only apply to browsers that have authenticated with your corporate account. If your users don’t log in to Chrome, you can’t customize their browser.

And further, there are some devices where you might not want users to log in, such as kiosks or public terminals. This is hard to prevent, because Google is pretty aggressive about authenticating Chrome—if a user logs in to their email, for example, they’ll also be logged in to Chrome.

Fleetsmith’s Google Chrome Authentication has an answer to both of these problems. If you set it to disabled, users won’t be able to log in to Chrome at all, which is likely what you want for a public computer. Setting it to Forced, however, means they must log in before they’re allowed to use the browser.

All of this is separate from Google Sync. You could allow logins but not sync, in which case you’d have a one-way flow of data such that configurations were being pushed down from G Suite but local data was not being synced back—useful if you need to configure Chrome but don’t want any data to leave your machines.

We also allow you to restrict the domains that can be used to log in to a whitelist. By forcing Chrome Authentication and restricting it to your own G Suite domain, you can ensure that everyone auths into your G Suite instance, and you can prevent them from accidentally using their own personal Chrome account. If you don’t want to be that restrictive but still don’t want people using the wrong login, you can also whitelist the gmail.com domain — this will allow users to log in with their personal account, but will prevent them from logging in with other corporate accounts.

Google Apps Authentication

Restricting Google Apps logins
Google Apps authentication lets you whitelist domains and restrict which accounts can sign in to Google Apps—Gmail, Drive, Docs, etc. Not being able to check personal email at work is likely to be annoying to users, but there are a few good reasons you might want to do this.

For example, say you have a portion of your workforce that are contractors that are issued company devices, and you don’t want them using your computers to do work for their other clients on company time. In that case, you could whitelist your corporate domain, blocking them from logging in to any other company account from that device.

As with Google Chrome Authentication, if you’re feeling generous (or just don’t want to deal with the complaints) you can also whitelist the gmail.com domain to still allow access to personal accounts.

Site Isolation

Site isolation in Google Chrome
Site Isolation is a major change to the way Chrome loads web pages that protects against a class of attacks that seek to cause data to “leak” between browser tabs.

Normally, Chrome enforces a “Same Origin Policy”, which says that web pages and web apps can only access data from the same protocol, port, and host. This prevents scripts running on a web page from peeking at your other open browser tabs, or from receiving data from other web requests that are being processed concurrently. However, it was recently discovered that attackers can exploit near-universal flaws in computer hardware to gain unauthorized access to this data if two or more web requests are being handled by the same process — a huge security hole.

Site Isolation ensures that every browser tab is being run in a separate process, and it changes the way that sites are rendered such that potentially sensitive data isn’t sent until the browser has verified the environment is safe. This prevents data leaks from attacks like Meltdown and Spectre, and also provides protection against some types of cross-site scripting (XSS) attack. It is a much more secure configuration for Chrome.

So why wouldn’t you want to enforce it on all your computers? Well, as with many things security related, there are tradeoffs involved. Since every tab now runs in its own process, tabs can no longer share resources for the sake of efficiency. This spikes memory usage by as much as 10%, and it gets worse the more tabs you have open. The changes to the rendering architecture can also cause some strangeness for websites that rely on iframes or cross-site scripts, but this is not a common design pattern so most users will never encounter it. Google says it’s actively working to make Site Isolation less of a resource hog, but for the moment there’s no way to use it without a small, yet noticeable, performance hit.

With Fleetsmith, you can choose to enforce Google Chrome Site Isolation on your devices, or you can leave it up to your users whether they want to have it enabled. It's turned on by default as of Chrome 67, and the process for a user to change this isn’t super convenient. Users would have to manually disable it from the command line, or use the rarely-visited chrome://flags/ settings page. So it's unlikely to be switched off by accident, but Fleetsmith removes the chance of that happening entirely.

To be clear, we think you probably should enforce this setting unless there’s an overwhelming reason not to. But because your situation is unique—you might have a segment of your fleet that’s RAM-constrained enough that the performance cost is a dealbreaker, for example—we wanted to give you the ability to make that assessment on your own.
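The settings from the Data Management, Download Restrictions, Google Chrome Authentication and Site Isolation sections above all end up as managed Chrome policies on the device, so an admin can check what actually landed. The audit below is an added example, not Fleetsmith's or Google's code; it assumes the policy key names from Chrome's enterprise policy list and the macOS managed-preferences path, and the plist it reads is a constructed sample with two settings deliberately left weak.

```python
import plistlib

# Constructed sample of a managed Chrome policy set in the plist form a
# configuration profile delivers to macOS (on a managed Mac the effective
# values are read from /Library/Managed Preferences/com.google.Chrome.plist;
# assumed path). Two settings are deliberately left weak for the audit to find.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>SafeBrowsingEnabled</key><true/>
  <key>SitePerProcess</key><false/>
  <key>DownloadRestrictions</key><integer>0</integer>
  <key>BlockThirdPartyCookies</key><true/>
  <key>SyncDisabled</key><true/>
  <key>PasswordManagerEnabled</key><false/>
  <key>RestrictSigninToPattern</key><string>.*@example\\.com</string>
</dict></plist>"""

# Expected values follow the recommendations in this post. Policy key names are
# assumed from Chrome's enterprise policy list; confirm them against the list
# for the Chrome version in your fleet. DownloadRestrictions: 0 warn only,
# 1 block dangerous, 2 block potentially dangerous, 3 block all downloads.
EXPECTED = {
    "SafeBrowsingEnabled": (lambda v: v is True,
                            "Safe Browsing must be on and enforced"),
    "SitePerProcess": (lambda v: v is True,
                       "Site Isolation should be enforced"),
    "DownloadRestrictions": (lambda v: v in (1, 2),
                             "dangerous downloads should be blocked, not just warned"),
    "BlockThirdPartyCookies": (lambda v: v is True,
                               "third-party cookies should be blocked"),
    "SyncDisabled": (lambda v: v is True,
                     "Chrome Sync should be off when browser data must stay local"),
    "PasswordManagerEnabled": (lambda v: v is False,
                               "built-in password manager should be off when a "
                               "dedicated one is deployed"),
    "RestrictSigninToPattern": (lambda v: isinstance(v, str) and v != "",
                                "browser sign-in should be limited to the corporate domain"),
}

def audit(plist_bytes):
    """Return (key, observed, recommendation) for every policy that is either
    unmanaged (so users can change it) or managed to a weaker value."""
    policies = plistlib.loads(plist_bytes)
    findings = []
    for key, (is_ok, why) in EXPECTED.items():
        if key not in policies:
            findings.append((key, "not managed (user can change it)", why))
        elif not is_ok(policies[key]):
            findings.append((key, f"managed to {policies[key]!r}", why))
    return findings

if __name__ == "__main__":
    for key, observed, why in audit(SAMPLE_PLIST):
        print(f"{key}: {observed}; {why}")
```

On a managed Mac, replace SAMPLE_PLIST with the bytes of the managed-preferences file to audit the real device.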

Session Restore

Disabling Session Restore
By default, Chrome will save your open tabs when it is closed and then reload those tabs the next time it is started. This is not an ideal behavior for public kiosk computers or computers with shared users, so you will probably want to disable it in those instances.

Bookmarks

Remote bookmark setup in Google Chrome
And finally, you can now set up bookmarks remotely by adding them to a Chrome profile. We’ll set up a managed bookmarks folder on the target machine, which can be named whatever you want and which can’t be deleted, and stock it with whatever bookmarks you want. This is extremely handy for setting up new devices with onboarding content, as well as putting links to all of your cloud software tools at your employees’ fingertips so they can be productive immediately.

Enterprise-grade Chrome security without enterprise resources

Chrome is a very powerful browser but a lot of its most advanced security features are hidden or difficult to set up, and they’ve traditionally been hard to maintain across a whole device fleet.

This has meant that companies that have a lot of resources tend to get more out of Chrome than those that don’t—it just isn’t top of mind when you’re the sole person in IT and you’re running as fast as you can to keep up with your workload.

What we’ve tried to do with Chrome in the Fleetsmith Catalog, and also with our product more generally, is make optimization easier so that anyone can do it. Our goal is to make enterprise-grade Chrome security simple to manage across an entire device fleet, no matter your situation.

We’re always iterating on this, too! If you’ve got a use case that you need to customize Chrome for or a new policy you need to enforce, let us know at support@fleetsmithhq.com. We love to hear from users, and we take this feedback very seriously as we set the roadmap for our catalog.
