Meeting the Challenges of Remote Work with Chrome OS Policy Settings – Part I

Image

Many organizations, from enterprises to small businesses and schools, are focusing efforts on distance working and learning. One significant hurdle for those who are suddenly tasked with supporting remote users is the question of how to manage a fleet of new endpoints. One appealing solution for managing all these new remote users is to use Google Chromebooks. Chrome OS devices are versatile enough to perform most business and educational tasks while being an inexpensive way to add new devices where previously none might have existed. The Google Chrome Enterprise Upgrade unlocks the management capabilities that are innate in the cloud-native Chrome OS operating system. Chrome Enterprise mobile device management allows for the definition and enforcement of security controls plus user and device orchestration—all from a centralized cloud administration panel. Some administrators may feel overwhelmed by the myriad of configuration options available, however. This blog, delivered as a two-part series, will seek to help administrators by giving an overview of the Google Chrome OS policy settings which can be configured in the Google admin panel. It contains four sections of settings that control application settings, user settings, device settings and privacy settings.  This first blog will go over the application and user settings that you may want to investigate. This blog only includes those Google Chrome Enterprise Upgrade settings that are both relevant to security or privacy and also have default values which might warrant consideration. You will be guided through many interesting settings, but it is highly recommended to read through each available configuration option and determine how it pertains to your organization. This should not be considered an exhaustive list, as available settings and options are ever-evolving. Not all settings will apply to every environment. For instance, allowing the ability to change background wallpapers may be relevant to some and inconsequential to others. These types of settings are not discussed, and the reader is advised to investigate each setting to determine how it affects their organization. Only you know what is appropriate for your deployment. Each setting discussed may be applied in a hierarchical organizational unit structure. We will assume that all users in the organization need the same configuration policy but note that it is possible to customize policies for different groups of users using the organizational unit feature.

Application Settings

Application settings define which Android applications from the Google Play Store and which Chrome extensions from the Chrome Web Store can be installed on the device. This crucial setting can be found by navigating to the “User & Browser Settings” area in the G Suite Admin console via the following steps:

1. Visit https://admin.google.com and log into the Chrome Admin panel.
2. Select Devices from the home page.
3. Expand the Chrome entry within the left navigation.
4. Expand the Apps & extensions entry under the Chrome entry.
5. Select Users & browsers under the Apps & extensions entry.

Apps & Extensions

By default, all apps and extensions are allowed to be installed on the device. This is problematic for management because policy enforcement of native Chrome OS features can be circumvented by using an Android application which accomplishes a similar task. For instance, Safe Browsing could be circumvented by browsing via the Firefox Android application. It is recommended to change this setting to Block all other apps & extensions and then to create a list of approved Chrome extensions by adding them via the “add” button. This ensures that you are in complete control of which applications and extensions can be installed and that you are able to evaluate the possible security implications of each requested addition.

User Settings

User settings are enforced on a per-user basis depending on who is signed into the device. All entries discussed in this section can be found by navigating to the “User & Browser Settings” area in the G Suite Admin console via the following steps:

1. Visit https://admin.google.com and log into the Chrome Admin panel.
2. Select Devices from the home page.
3. Expand the Chrome entry within the left navigation.
4. Expand the Settings entry under the Chrome entry.
5. Select Users & browsers under the settings entry.

Sign-in settings – Browser sign-in settings Change this setting to Force users to sign-in to the use the browser to ensure that your user-level Chrome policy settings that are configured in the Google Admin console are enforced on the users’ device. Be sure to check the Multiple sign-in access setting, as well. Sign-in settings – Restrict sign-in to pattern This setting defines a regular expression for which any sign-in attempt must match. In the regular expression of .*@example\.com, any user in the example.com domain will be allowed to sign in. To ensure a correct setting, you may wish to use a regular expression testing site such as https://regex101.com/ by placing some of your Google G Suite email account addresses into the test string box and working on your regular expression in the regular expression box. Apps and Extensions – Task Manager Most app and extension settings are set in the separate area mentioned above, but the Task Manager setting resides in the Apps and Extensions section. This setting should be changed to Block users from ending processes with the Chrome task manager to ensure that management extensions cannot be disabled. Site isolation – Site isolation Configuring this setting to Turn on site isolation for all websites enforces greater security against certain attacks, making it harder for malicious websites to bypass security controls and access data being used by other pages. If needed, you can enable site isolation only on specific sites by adding them to the isolated sites’ origin setting. Security – Idle settings: Idle time in minutes Set an idle timeout in minutes to protect against unauthorized access when a user steps away from the device. Best practices suggest an idle timeout no higher than 15 minutes. Security – Idle settings: Action on idle Select Lock Screen to ensure the device is protected from unauthorized access if it becomes idle while unsupervised. Security – Idle settings: Action on lid close Select Lock Screen to protect against unauthorized access if the device is unsupervised, lost or stolen. Security – Idle settings: Lock screen on sleep Configure the setting to Lock screen. Security – Incognito Mode You may wish to configure this setting to Disallow incognito mode, particularly if you will be using extensions for any user management, as Incognito Mode allows for the bypassing of extensions. Security – CPU task scheduler This setting can disable hyper threading for those concerned with side channel attacks from malicious sites. Remote Access – Remote access clients By default, users in any domain may use remote access clients. This setting should be changed to include only the domains of your organization’s users. Remote Access – Curtaining of remote access hosts This setting should be enabled so that a malicious local user cannot view or interact with windows used by a remote user. Content – SafeSearch Changing the SafeSearch setting to Always use SafeSearch for Google Search queries is likely desirable for both business and educational scenarios, as it allows for the filtering of offensive material from search results. Content – Restricted Mode for YouTube By default, all YouTube content is viewable. This setting, similar to SafeSearch, filters questionable content with two enforcement levels: moderate or strict content restriction. Content – JavaScript While JavaScript is pervasive on the modern web, there are security risks that come with it.  Highly security-conscious organizations could block JavaScript and selectively allow it on certain permitted websites with this setting. Content – Plugins Plugins are increasingly used less frequently. This setting should be changed to Block all plugins with only allowed plugins explicitly added where needed, such as Chrome PDF Viewer. Alternatively, organizations can add them on specific sites. Content - Outdated plugins Change this setting to Disallow outdated plugins to reduce the attack surface area. Content – URL Blocking This setting allows for selectively blocking specific URLs or blocking all URLs and selectively allowing those that are needed. There are a number of non-obvious URLs which can be blocked to guard against management-controlled extensions or settings being easily altered or disabled. For instance, adding “chrome-untrusted://crosh” can help block the Chrome OS Developer Shell.  Content – Network File Shares By default, users are allowed to access network file shares. You may wish to choose Block network file shares if it is appropriate for your environment, as users may be able to copy sensitive data to remote locations or otherwise access unauthorized material. User Experience – Developer tools Chrome developer tools are allowed by default, but they are one method which can be used to bypass protections offered by any security or monitoring extensions used by your management team. Choose Never allow use of built-in developer tools for this setting. User Experience – Multiple sign-in access By default, users are able to sign in with secondary personal accounts, which may present another method to bypass security and monitoring extensions used by your management team. Change this setting to Block multiple sign-in access for users in this organization if possible, particularly if your users are not bringing their own devices. User Experience – Sign-in to secondary accounts Like above, chose Block users from signing in to or out of secondary Google Accounts, particularly If using any management extensions for enforcing a policy. Hardware –External storage devices This setting will vary depending on your organizational needs. While some environments may require the use of US drives, higher security environments will want to disable this feature in order to limit the risk from data theft. User reporting – Reporting You can select Enable managed browser cloud reporting to receive daily profile and system state data in the Google Admin console. More information can be found here. Safe Browsing – Safe Browsing By default, the user is allowed to disable Safe Browsing. Change this setting to Always enable Safe Browsing to ensure that users will remain protected from websites that may contain malware or phishing content. Safe Browsing – Download restrictions By default, there are no restrictions on downloads. Most organizations will want to change this setting to Block potentially dangerous downloads with this setting, which is the highest restriction. Safe Browsing – Disable bypassing safe browsing warnings By default, users are allowed to bypass warnings about unsafe and dangerous files, and they may proceed to download them. Change this setting to Do not allow user to bypass Safe browsing warning. Chrome updates – Relaunch notification This setting can be changed to Force relaunch after a period with a time period set in order to ensure that updates are not only downloaded but installed within a specific time frame. It is important that updates be applied to ensure any vulnerabilities are remediated in a timely manner.

More Settings to Come

While there is no substitute for researching how each Chrome OS configuration option applies to your environment, this blog has attempted to draw attention to some of the more important settings for administrators new to the Chrome ecosystem. In part two of this mini-series, we delve into additional settings that are applicable to the physical device as well as settings that may bring up privacy concerns for your organization. Read the article here: https://www.tripwire.com/state-of-security/security-data-protection/security-controls/meeting-challenges-remote-work-chrome-os-policy-settings-part-ii/