Meeting the Challenges of Remote Work with Chrome OS Policy Settings – Part I

5 years ago Ben Layer

Many organizations, from enterprises to small businesses and schools, are focusing efforts on distance working and learning. One significant hurdle for those who are suddenly tasked with supporting remote users is the question of how to manage a fleet of new endpoints. One appealing solution for managing all these new remote users is to use Google Chromebooks. Chrome OS devices are versatile enough to perform most business and educational tasks while being an inexpensive way to add new devices where previously none might have existed.

The Google Chrome Enterprise Upgrade unlocks the management capabilities that are innate in the cloud-native Chrome OS operating system. Chrome Enterprise mobile device management allows for the definition and enforcement of security controls plus user and device orchestration—all from a centralized cloud administration panel.

Some administrators may feel overwhelmed by the myriad of configuration options available, however. This blog, delivered as a two-part series, will seek to help administrators by giving an overview of the Google Chrome OS policy settings which can be configured in the Google admin panel. It contains four sections of settings that control application settings, user settings, device settings and privacy settings. This first blog will go over the application and user settings that you may want to investigate.

This blog only includes those Google Chrome Enterprise Upgrade settings that are both relevant to security or privacy and also have default values which might warrant consideration. You will be guided through many interesting settings, but it is highly recommended to read through each available configuration option and determine how it pertains to your organization. This should not be considered an exhaustive list, as available settings and options are ever-evolving.

Not all settings will apply to every environment. For instance, allowing the ability to change background wallpapers may be relevant to some and inconsequential to others. These types of settings are not discussed, and the reader is advised to investigate each setting to determine how it affects their organization. Only you know what is appropriate for your deployment.

Each setting discussed may be applied in a hierarchical organizational unit structure. We will assume that all users in the organization need the same configuration policy but note that it is possible to customize policies for different groups of users using the organizational unit feature.

Application Settings

Application settings define which Android applications from the Google Play Store and which Chrome extensions from the Chrome Web Store can be installed on the device.

This crucial setting can be found by navigating to the “User & Browser Settings” area in the G Suite Admin console via the following steps:

  1. Visit https://admin.google.com and log into the Chrome Admin panel.
  2. Select Devices from the home page.
  3. Expand the Chrome entry within the left navigation.
  4. Expand the Apps & extensions entry under the Chrome entry.
  5. Select Users & browsers under the Apps & extensions entry.

Apps & Extensions

By default, all apps and extensions are allowed to be installed on the device. This is problematic for management because policy enforcement of native Chrome OS features can be circumvented by using an Android application which accomplishes a similar task. For instance, Safe Browsing could be circumvented by browsing via the Firefox Android application.

It is recommended to change this setting to Block all other apps & extensions and then to create a list of approved Chrome extensions by adding them via the “add” button. This ensures that you are in complete control of which applications and extensions can be installed and that you are able to evaluate the possible security implications of each requested addition.

User Settings

User settings are enforced on a per-user basis depending on who is signed into the device. All entries discussed in this section can be found by navigating to the “User & Browser Settings” area in the G Suite Admin console via the following steps:

  1. Visit https://admin.google.com and log into the Chrome Admin panel.
  2. Select Devices from the home page.
  3. Expand the Chrome entry within the left navigation.
  4. Expand the Settings entry under the Chrome entry.
  5. Select Users & browsers under the settings entry.

Sign-in settings – Browser sign-in settings

Change this setting to Force users to sign-in to use the browser to ensure that your user-level Chrome policy settings that are configured in the Google Admin console are enforced on the users’ devices. Be sure to check the Multiple sign-in access setting, as well.

Sign-in settings – Restrict sign-in to pattern

This setting defines a regular expression that any sign-in attempt must match. With the regular expression .*@example.com, any user in the example.com domain will be allowed to sign in. To ensure a correct setting, you may wish to use a regular expression testing site such as https://regex101.com/ by placing some of your Google G Suite email account addresses into the test string box and working on your regular expression in the regular expression box.
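
The same check can be scripted so it is repeatable whenever the pattern changes. This is an added example, not part of the original post: the sample addresses are constructed, the stricter pattern is an assumption, and because the page does not say whether the pattern must cover the whole address or only part of it, the check runs under both interpretations.

```python
import re

PAGE_PATTERN = r".*@example.com"           # pattern as written in the article
STRICT_PATTERN = r"^[^@]+@example\.com$"   # assumption: anchored, dot escaped

# Constructed sample addresses: (address, should sign-in be allowed?)
CASES = [
    ("alice@example.com", True),
    ("bob.smith@example.com", True),
    ("alice@examplexcom", False),             # "." left unescaped matches "x"
    ("alice@example.com.other.test", False),  # extra text after the domain
    ("alice@sub.example.com", False),         # subdomain, not the managed domain
    ("alice@gmail.com", False),
]


def evaluate(pattern, whole_string=True):
    """Return (address, expected, actual) for every case the pattern gets wrong.

    whole_string=True requires the pattern to cover the entire address;
    whole_string=False accepts a match anywhere inside it.
    """
    rx = re.compile(pattern)
    matcher = rx.fullmatch if whole_string else rx.search
    wrong = []
    for address, expected in CASES:
        actual = matcher(address) is not None
        if actual != expected:
            wrong.append((address, expected, actual))
    return wrong


def report():
    """Summarise both patterns under both matching interpretations."""
    lines = []
    for name, pattern in (("page", PAGE_PATTERN), ("strict", STRICT_PATTERN)):
        for whole in (True, False):
            mode = "whole-string" if whole else "substring"
            wrong = evaluate(pattern, whole)
            status = "ok" if not wrong else "wrong on: " + ", ".join(a for a, _, _ in wrong)
            lines.append(f"{name:6} {mode:12} {status}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Replace the constructed addresses with real accounts from your own domain, plus look-alike addresses that must be rejected, before relying on the result.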

Apps and Extensions – Task Manager

Most app and extension settings are set in the separate area mentioned above, but the Task Manager setting resides in the Apps and Extensions section. This setting should be changed to Block users from ending processes with the Chrome task manager to ensure that management extensions cannot be disabled.

Site isolation – Site isolation

Configuring this setting to Turn on site isolation for all websites enforces greater security against certain attacks, making it harder for malicious websites to bypass security controls and access data being used by other pages. If needed, you can enable site isolation only on specific sites by adding them to the isolated sites’ origin setting.

Security – Idle settings: Idle time in minutes

Set an idle timeout in minutes to protect against unauthorized access when a user steps away from the device. Best practices suggest an idle timeout no higher than 15 minutes.

Security – Idle settings: Action on idle

Select Lock Screen to ensure the device is protected from unauthorized access if it becomes idle while unsupervised.

Security – Idle settings: Action on lid close

Select Lock Screen to protect against unauthorized access if the device is unsupervised, lost or stolen.

Security – Idle settings: Lock screen on sleep

Configure the setting to Lock screen.

Security – Incognito Mode

You may wish to configure this setting to Disallow incognito mode, particularly if you will be using extensions for any user management, as Incognito Mode allows for the bypassing of extensions.

Security – CPU task scheduler

This setting can disable Hyper-Threading for those concerned with side-channel attacks from malicious sites.

Remote Access – Remote access clients

By default, users in any domain may use remote access clients. This setting should be changed to include only the domains of your organization’s users.

Remote Access – Curtaining of remote access hosts

This setting should be enabled so that a malicious local user cannot view or interact with windows used by a remote user.

Content – SafeSearch

Changing the SafeSearch setting to Always use SafeSearch for Google Search queries is likely desirable for both business and educational scenarios, as it allows for the filtering of offensive material from search results.

Content – Restricted Mode for YouTube

By default, all YouTube content is viewable. This setting, similar to SafeSearch, filters questionable content with two enforcement levels: moderate or strict content restriction.

Content – JavaScript

While JavaScript is pervasive on the modern web, there are security risks that come with it. Highly security-conscious organizations could block JavaScript and selectively allow it on certain permitted websites with this setting.

Content – Plugins

Plugins are used less and less frequently. This setting should be changed to Block all plugins with only allowed plugins explicitly added where needed, such as Chrome PDF Viewer. Alternatively, organizations can add them on specific sites.

Content – Outdated plugins

Change this setting to Disallow outdated plugins to reduce the attack surface area.

Content – URL Blocking

This setting allows for selectively blocking specific URLs or blocking all URLs and selectively allowing those that are needed. There are a number of non-obvious URLs which can be blocked to guard against management-controlled extensions or settings being easily altered or disabled. For instance, adding “chrome-untrusted://crosh” can help block the Chrome OS Developer Shell.

Content – Network File Shares

By default, users are allowed to access network file shares. You may wish to choose Block network file shares if it is appropriate for your environment, as users may be able to copy sensitive data to remote locations or otherwise access unauthorized material.

User Experience – Developer tools

Chrome developer tools are allowed by default, but they are one method which can be used to bypass protections offered by any security or monitoring extensions used by your management team. Choose Never allow use of built-in developer tools for this setting.

User Experience – Multiple sign-in access

By default, users are able to sign in with secondary personal accounts, which may present another method to bypass security and monitoring extensions used by your management team. Change this setting to Block multiple sign-in access for users in this organization if possible, particularly if your users are not bringing their own devices.

User Experience – Sign-in to secondary accounts

As above, choose Block users from signing in to or out of secondary Google Accounts, particularly if using any management extensions for enforcing a policy.

Hardware – External storage devices

This setting will vary depending on your organizational needs. While some environments may require the use of USB drives, higher security environments will want to disable this feature in order to limit the risk from data theft.

User reporting – Reporting

You can select Enable managed browser cloud reporting to receive daily profile and system state data in the Google Admin console. More information can be found here.

Safe Browsing – Safe Browsing

By default, the user is allowed to disable Safe Browsing. Change this setting to Always enable Safe Browsing to ensure that users will remain protected from websites that may contain malware or phishing content.

Safe Browsing – Download restrictions

By default, there are no restrictions on downloads. Most organizations will want to change this setting to Block potentially dangerous downloads, which is the highest restriction.

Safe Browsing – Disable bypassing safe browsing warnings

By default, users are allowed to bypass warnings about unsafe and dangerous files, and they may proceed to download them. Change this setting to Do not allow user to bypass Safe browsing warning.

Chrome updates – Relaunch notification

This setting can be changed to Force relaunch after a period with a time period set in order to ensure that updates are not only downloaded but installed within a specific time frame. It is important that updates be applied to ensure any vulnerabilities are remediated in a timely manner.

More Settings to Come

While there is no substitute for researching how each Chrome OS configuration option applies to your environment, this blog has attempted to draw attention to some of the more important settings for administrators new to the Chrome ecosystem. Stay tuned for the conclusion of this two-part blog series in which we delve into additional settings that are applicable to the physical device as well as settings that may bring up privacy concerns for your organization.

The post “Meeting the Challenges of Remote Work with Chrome OS Policy Settings – Part I” appeared first on TripWire

Source: TripWire – Ben Layer
