Hardening Google Chrome (on Windows)

Steps to harden Google Chrome:

  • Update Google Chrome
  • Review configuration best practices
  • Configure Group Policy settings

Vulnerabilities

Vulnerabilities can be identified with Tenable Nessus.

Updating Google Chrome

Put the following in the address bar:

chrome://help/

If automatic updates are enabled, opening this page triggers the update check and installs any pending update.

Verify whether policies are applied

Put the following in the address bar:

chrome://policy/

or via PowerShell (returns True when the Chrome policy key exists):

Test-Path 'HKLM:\SOFTWARE\Policies\Google\Chrome'

or via LGPO, by parsing the local machine policy and checking the settings under Software\Policies\Google\Chrome:

LGPO.exe /parse /m C:\Windows\System32\GroupPolicy\Machine\Registry.pol

Configuration best practices

Apply the CIS settings for Google Chrome

Create a text file with the content below, which we will process with LGPO (each entry is a scope line, the registry key, the value name and the typed value; DELETEALLVALUES clears the key before the wildcard entry is written).

Computer
Software\Policies\Google\Chrome
AllowFileSelectionDialogs
DWORD:1

Computer
Software\Policies\Google\Chrome
AlternateErrorPagesEnabled
DWORD:0

Computer
Software\Policies\Google\Chrome
AutoFillEnabled
DWORD:0

Computer
Software\Policies\Google\Chrome
BackgroundModeEnabled
DWORD:0

Computer
Software\Policies\Google\Chrome
BlockThirdPartyCookies
DWORD:1

Computer
Software\Policies\Google\Chrome
AllowOutdatedPlugins
DWORD:0

Computer
Software\Policies\Google\Chrome
AlwaysAuthorizePlugins
DWORD:0

Computer
Software\Policies\Google\Chrome
DisablePluginFinder
DWORD:1

Computer
Software\Policies\Google\Chrome
CloudPrintProxyEnabled
DWORD:0

Computer
Software\Policies\Google\Chrome
CloudPrintSubmitEnabled
DWORD:0

Computer
Software\Policies\Google\Chrome
ImportSavedPasswords
DWORD:0

Computer
Software\Policies\Google\Chrome
MetricsReportingEnabled
DWORD:0

Computer
Software\Policies\Google\Chrome
RemoteAccessHostFirewallTraversal
DWORD:0

Computer
Software\Policies\Google\Chrome
RemoteAccessHostAllowClientPairing
DWORD:0

Computer
Software\Policies\Google\Chrome
RemoteAccessHostRequireCurtain
DWORD:1

Computer
Software\Policies\Google\Chrome
DefaultCookiesSetting
DWORD:4

Computer
Software\Policies\Google\Chrome
DefaultPluginsSetting
DWORD:3

Computer
Software\Policies\Google\Chrome
PasswordManagerEnabled
DWORD:0

Computer
Software\Policies\Google\Chrome
RemoteAccessHostDomain
SZ:VERIFYIT.NL

Computer
Software\Policies\Google\Chrome\DisabledPlugins
*
DELETEALLVALUES

Computer
Software\Policies\Google\Chrome\DisabledPlugins
1
SZ:*

Computer
Software\Policies\Google\Chrome\ExtensionInstallBlacklist
*
DELETEALLVALUES

Computer
Software\Policies\Google\Chrome\ExtensionInstallBlacklist
1
SZ:*

Convert the text file to a policy file:

LGPO.exe /r textfile.txt /w registry.pol

Run the following commands to import the settings in the Local Group Policy:

LGPO.exe /m registry.pol
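A verification step to run after the import, as an added example that is not part of the original page: it reads the policy key the page tests with Test-Path and reports which of the CIS values from the LGPO text file above are missing or have drifted. It assumes an elevated PowerShell session on the managed host.

```powershell
# Added example: check Chrome policy values in HKLM against the expected CIS settings.
# Assumes the key was populated by LGPO.exe /m registry.pol as described above.
$base = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

# Expected DWORD values, taken from the LGPO text file above.
$expected = @{
    AllowFileSelectionDialogs          = 1
    AlternateErrorPagesEnabled         = 0
    AutoFillEnabled                    = 0
    BackgroundModeEnabled              = 0
    BlockThirdPartyCookies             = 1
    AllowOutdatedPlugins               = 0
    AlwaysAuthorizePlugins             = 0
    DisablePluginFinder                = 1
    CloudPrintProxyEnabled             = 0
    CloudPrintSubmitEnabled            = 0
    ImportSavedPasswords               = 0
    MetricsReportingEnabled            = 0
    RemoteAccessHostFirewallTraversal  = 0
    RemoteAccessHostAllowClientPairing = 0
    RemoteAccessHostRequireCurtain     = 1
    DefaultCookiesSetting              = 4
    DefaultPluginsSetting              = 3
    PasswordManagerEnabled             = 0
}

function Test-ChromePolicy {
    param([string]$KeyPath, [hashtable]$Expected)
    $results = @(foreach ($name in ($Expected.Keys | Sort-Object)) {
        # Missing values come back as $null because of SilentlyContinue.
        $actual = (Get-ItemProperty -Path $KeyPath -Name $name -ErrorAction SilentlyContinue).$name
        $status = if ($null -eq $actual) { 'MISSING' } elseif ($actual -eq $Expected[$name]) { 'OK' } else { 'DRIFT' }
        [pscustomobject]@{ Policy = $name; Expected = $Expected[$name]; Actual = $actual; Status = $status }
    })
    # The two list policies must contain the wildcard entry "1" = "*".
    foreach ($sub in 'DisabledPlugins', 'ExtensionInstallBlacklist') {
        $v = (Get-ItemProperty -Path "$KeyPath\$sub" -Name '1' -ErrorAction SilentlyContinue).'1'
        $status = if ($null -eq $v) { 'MISSING' } elseif ($v -eq '*') { 'OK' } else { 'DRIFT' }
        $results += [pscustomobject]@{ Policy = "$sub\1"; Expected = '*'; Actual = $v; Status = $status }
    }
    $results
}

if (-not (Test-Path $base)) { Write-Warning "Policy key $base not found; policies are not applied"; return }
$report = Test-ChromePolicy -KeyPath $base -Expected $expected
$report | Format-Table -AutoSize
$bad = @($report | Where-Object Status -ne 'OK')
if ($bad.Count -gt 0) { Write-Warning "$($bad.Count) policy value(s) missing or drifted from the CIS baseline" }
```

Any row reported as MISSING or DRIFT should be cross-checked against the output of chrome://policy/, which also shows whether Chrome itself accepted the value.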

Nessus audit file

CPE

cpe:/a:google:chrome

References