Web browsers such as Chrome, Firefox, Edge, and a multitude of other would-be competitors are the primary means of your employees interacting with the outside world. In their default state, these browsers require some attention to prevent your workforce from potentially breaching your security with them.
Think of it; even email-borne malware and scams jump you to a browser to phish your credentials as soon as possible. Because of this, your window to the world needs some serious consideration. We focus on Google Chrome. Chrome is widely supported and generally works everywhere. “Did you try it in Chrome?” is a common refrain. We want to know how the standard performs before embarking on further troubleshooting.
Collett Systems always recommends the implementation of a well-planned Windows Group Policy at the local domain level to configure the browser. In a group policy configuration, all aspects of the browser can be configured from the top down across your entire organization without modification by the end-user.
Here are some critical areas for improvement:
Chrome Extensions and Plugins:
Chrome and other browsers offer a ‘plugin’ scheme to allow functionality beyond the stock performance of the browser. These can include Flash, Java, and other proprietary formats, as well as additional functionality such as ad blocking. Because these plugins are generally not sandboxed by the browser and run in the security context of the logged-in user, you should scrutinize every plugin before allowing its installation.
Additionally, anyone can write and distribute these extensions. For this reason, we like to implement a strict policy of ‘no plugins.’ Restricting plugins gives us a baseline from which to whitelist them as needed. While we are at it, we’ll also disable the running of outdated plugins. Outdated software is a significant threat vector and should be taken seriously, even that Adobe Reader installation.
Malicious site warnings:
We configure Chrome’s warnings for potentially malicious sites to be enabled, while also disallowing the ‘click-through’ that lets users reach potentially malicious content with one extra click. Because of the severe impact of ransomware and other security incidents, we feel it prudent to disable this ‘click-through.’ If an innocuous website triggers this warning, as may occur rarely, an administrator can whitelist it.
Lock the default search provider:
Search provider hijacks are common and can change the search engine used by default in Chrome. If that occurs, the search engine can send you wherever it wants, often to its commercial or criminal partners. It’s a safe bet your query won’t be satisfied, and there is a real possibility that you’ll be linked to further malicious content. For this reason, we lock down changes to this provider. Google, DuckDuckGo, and Bing are all excellent choices, but whatever you choose, websites shouldn’t be able to prompt your users to change it.
Disable camera and microphone:
No site needs access to this in general. If Chrome is accessing these devices, it should be administrator-approved.
Modify Password manager:
Google Chrome has a built-in password manager. Group policy settings that prevent the unmasking of these passwords are CRITICAL. Block the unmasking and block this gold mine for intruders.
Disable Incognito Mode:
Incognito mode causes the browser to leave no trace on the workstation in use. This is unsuitable for many corporate environments where strict audit trails and logging must be preserved. Disabling it, together with disabling the ability to clear history data, allows complete reconstruction of any adverse situation, whether a productivity concern or a security incident. “How did this happen?” is a question we always want to be ready to answer. On a side note, you may find your workforce is more productive when they know their actions will be preserved for review.
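As an added example (not part of the original post or Collett Systems’ own tooling), the following PowerShell script writes the Chrome policy values behind the settings above to the machine-wide registry location Chrome reads policy from, which is the same place the Chrome Group Policy templates write, and then audits a workstation for drift from that baseline. It assumes an elevated session on a test workstation, a placeholder extension ID for the allowlist, and DuckDuckGo as the pinned search provider; only the policies named in the script are covered.

```powershell
$Base = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

# Scalar policies: written as DWORD unless the value is a string
$Policies = @{
    'SafeBrowsingProtectionLevel'      = 1   # 1 = standard protection on
    'DisableSafeBrowsingProceedAnyway' = 1   # no click-through on warning pages
    'DefaultSearchProviderEnabled'     = 1   # pin the search provider
    'DefaultSearchProviderName'        = 'DuckDuckGo'
    'DefaultSearchProviderSearchURL'   = 'https://duckduckgo.com/?q={searchTerms}'
    'VideoCaptureAllowed'              = 0   # camera blocked unless an admin allows a site
    'AudioCaptureAllowed'              = 0   # microphone blocked
    'IncognitoModeAvailability'        = 1   # 1 = incognito disabled
    'AllowDeletingBrowserHistory'      = 0   # users cannot clear history
}
# List policies: Chrome reads these from numbered values under a subkey
$Lists = @{
    'ExtensionInstallBlocklist' = @('*')                         # block everything...
    'ExtensionInstallAllowlist' = @('PLACEHOLDER_EXTENSION_ID')  # ...then allowlist (placeholder)
}

function Set-ChromeHardening {
    New-Item -Path $Base -Force | Out-Null
    foreach ($name in $Policies.Keys) {
        $value = $Policies[$name]
        $type  = if ($value -is [string]) { 'String' } else { 'DWord' }
        New-ItemProperty -Path $Base -Name $name -Value $value -PropertyType $type -Force | Out-Null
    }
    foreach ($list in $Lists.Keys) {
        $key = Join-Path $Base $list
        New-Item -Path $key -Force | Out-Null
        $index = 1
        foreach ($entry in $Lists[$list]) {
            New-ItemProperty -Path $key -Name $index -Value $entry -PropertyType String -Force | Out-Null
            $index++
        }
    }
}

# Audit: one line per scalar policy whose effective value differs from the baseline;
# an empty result means the workstation matches.
function Test-ChromeHardening {
    $drift = @()
    foreach ($name in $Policies.Keys) {
        $actual = (Get-ItemProperty -Path $Base -Name $name -ErrorAction SilentlyContinue).$name
        if ("$actual" -ne "$($Policies[$name])") {
            $drift += "$name expected '$($Policies[$name])' but found '$actual'"
        }
    }
    return ,$drift
}
```

After running Set-ChromeHardening, chrome://policy on the workstation should list each value as applied; on a domain-joined machine the Group Policy object remains the source of truth, so use Test-ChromeHardening there as an audit rather than overwriting values the GPO will refresh.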
Implementing these security features across your organization will have a tremendous effect on your overall security posture. Every inch you can move toward a ‘that which is not explicitly allowed is denied’ security policy shrinks your overall attack surface and keeps your business safe and productive.
If you need support for your business beyond ‘block pop-ups’ and ‘install an antivirus’, Collett Systems is at your service to implement rigorous security policies and procedures for your business. It’s not about add-on security products and services – the most gains are brought by simple configuration changes which your organization might be ignoring.