Google Chrome for Business with Policy Template

Thanks to member Kees1958 who provided the information, it is possible to harden Google Chrome with a Business version and importable Group Policy template found here.

I've got many of the settings enabled/configured and so far it is functioning as expected, with the exception of the "Configure the home page URL" setting. For some reason Chrome won't open to it, but that is the only issue, a minor one, so far

Some screen shots below...

 

You don't need the business version, you can enforce policies via a .json file in all versions of Chrome. At that point it's a matter of setting the file so that only an administrator can change things.

I don't see this as being useful unless you're hardening someone else's computer without giving them Admin access.

 

I actually believe that .json is only for Linux. Mac is MCX and Windows has group policies.

Source: -https://support.google.com/chromeos/a/bin/answer.py?hl=en&answer=188447

 

Installed policies:
When the rules are installed they have same impact. So I understand your point of view.

User interface
Someone with programming/scripting skills would prefer JSON, others will problably prefer a mechanism they allready known, like GPO. Downside of GPO you need to have at least a Pro version. So again I understand your point of view.

Authorisation
Group Policy changes are UAC protected and can't be changed from the protected object itself (with medium/user rights), where as JSON is Javascript Object Notification File which can be installed by an extension. Everyone entitled to his/her own opinion, but let's agree to disagree on this authority issue

Knowledge
Finding out yourself is good for knowledge development, being an forum enthousiast (not an expert) it is easier to follow GPO templates provided by SANS and NSA security experts. Again let's agree to disagree on this copycat issue
Link http://www.root777.com/security/goo...tings-and-configuration-guide-for-enterprise/

 

In terms of the JSON they (an attacker) would need access to it, which would be protected by simply setting the file to require admin access. If they already have admin access you're screwed, and even if they don't and you've set it to medium integrity you're assuming the process is compromised, meaning things like Javascript/Images won't really matter.

I wasn't trying to say GPO is worse than JSON, and I think m00n is correct that on Windows you use GPO.

What I mean is that this won't protect you. It's just useful for a business to stop users from changing default settings - I don't see a situation where having your scripting enforced through this as opposed to regular settings matters much.

Can't hurt though.

 

@ WAT0114,

Like you I have whitelisted my extensions (Bookmarks Menu = IE like bookmarks and New Tab Behaviour = new tab replaced by Startpage.com, also has the advantage that forced running incognito does not show the incognito tab). Blacklisting all except specified extensions, reduces Browser infection risks

See pics for home page and startup page

 

Example of extension that reduces ability to change options in default Chrome interface, runs on Windows https://chrome.google.com/webstore/detail/privacy-manager/giccehglhacakcfemddmfhdkahamfcmd?hl=nl

Not a bad extension, just an example why I like to control it with GPO myself

 

I see you're using this too, Kees I agree with Hungry this approach is not needed to govern oneself on a single user pc. However, on a multi-user pc this could help prevent others from messing with restrictive settings and adding useless and/or poor extensions, as well as restrict against running javascript in unwanted domains and such.

Another good reason

 

Since Vista I copy a subset of my GPO/SRP settings to my wife's laptop so copying GPO to other PC's in same network also is an usefull application

 

Has anyone here tried the URL whitelisting/blacklisting option in the Chrome templates?? It simply refuses to work. I was using "Whitelist for Chrome" extension but now its behaving weirdly after the latest chrome update(Reminds me of why m00nbl00d prefers to use the native functionality than extensions).

 

I don't see how Chrome could seriously be considered to be used in a business environment. Chrome seems more for entertainment and a long ways from being ready for business.

 

What exactly makes you say that?

 

The frequent updates present a browser that is essentially not stable enough to use in a business environment. Plus the way the browser handles documents and other business related tasks leaves a lot to be desired.