
Extension whitelisting for Chrome

 

Chrome extensions have read/write access to the same files as the Windows user account they run under. This means it would be possible to create a ransomware extension, which neither UAC nor SRP would stop. Thankfully, Chrome allows administrators to enforce extension whitelisting.

First, you will need to download a ZIP file from Google that gives you access to extra settings.
https://dl.google.com/dl/edgedl/chrome/policy/policy_templates.zip

Unzip it.

Open your group policy editor (click START, type POLICY, then click EDIT GROUP POLICY).

Under COMPUTER CONFIGURATION, right-click ADMINISTRATIVE TEMPLATES, and click ADD/REMOVE TEMPLATES.

Click ADD, browse to the folder you unzipped, and choose \windows\adm\en-US\chrome.adm

That will add the settings you need to tame Chrome. Now add * to the extension blacklist like this:

This will cause all existing extensions to be uninstalled for all Windows users, and will disable their ability to install new extensions.

If you want to whitelist certain extensions, you can list them in the force-installed list. The trick is that you have to know the extension ID, which you can get by going to Chrome's settings, opening Extensions, and enabling developer mode.

You will also have to append a semicolon and the "update URL", which should always be the same if the extension is available in the Chrome store.

So, this is what the lines look like that the whitelists expect:

cjpalhdlnbpafiamejdnhcphjbkeiagm;https://clients2.google.com/service/update2/crx
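
To confirm the settings actually reached a machine, the read-only PowerShell check below (an added example, not part of the original article) reads the policy lists back and validates each force-installed line against the ID;update-URL form shown above. It assumes Chrome's policies are stored under HKLM:\SOFTWARE\Policies\Google\Chrome in the ExtensionInstallBlacklist (ExtensionInstallBlocklist in newer templates) and ExtensionInstallForcelist subkeys; the function names are hypothetical.

```powershell
# Read-only audit of the Chrome extension policy described above.
# Assumption: the template settings are stored under this registry key,
# with one numbered string value (1, 2, 3, ...) per list entry.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

function Get-ChromePolicyList {
    param([string]$Name)
    $path = Join-Path $PolicyRoot $Name
    if (-not (Test-Path $path)) { return @() }
    $key = Get-Item -Path $path
    # Return the data of every value stored in the subkey.
    return @($key.GetValueNames() | ForEach-Object { [string]$key.GetValue($_) })
}

function Test-ForcelistEntry {
    param([string]$Entry)
    # Form used in the article: 32 letters a-p, a semicolon, then the update URL.
    return $Entry -cmatch '^[a-p]{32};https://\S+$'
}

# Older templates call the setting "Blacklist"; newer ones call it "Blocklist".
$blocked = @(Get-ChromePolicyList 'ExtensionInstallBlacklist') +
           @(Get-ChromePolicyList 'ExtensionInstallBlocklist')
$forced  = @(Get-ChromePolicyList 'ExtensionInstallForcelist')

# -contains compares for equality, so this looks for a literal "*" entry.
if ($blocked -contains '*') {
    Write-Output 'OK: * is in the extension blacklist, so extensions are blocked by default.'
} else {
    Write-Output 'WARNING: * is not in the extension blacklist; users can still install extensions.'
}

foreach ($entry in $forced) {
    if (Test-ForcelistEntry $entry) {
        Write-Output "OK: force-installed entry $entry"
    } else {
        Write-Output "WARNING: malformed force-installed entry '$entry'"
    }
}
```

Run it from an elevated or standard PowerShell prompt after a gpupdate; it only reads the registry and changes nothing.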

Not the easiest thing on the planet to figure out, but hopefully this article gave you a jump start.

Enjoy!