Google Chrome Hardening Guide
To protect Google Chrome from potential security risks like malware or unauthorized access to sensitive data, it must be hardened. One way to improve the security of the software is to configure the BlockThirdPartyCookies, PasswordManagerEnabled and BackgroundModeEnabled settings via the registry. We did this already with Adobe Acrobat Reader DC; if you are interested in this app, “click here”. Also look at your Recommendations page and see which applications you have. It’s important to keep in mind, though, that some cookies that depend on these features may not function properly.
Defender 365 Recommendations
In the Microsoft 365 Defender portal, new recommendations from Microsoft are constantly being added. When Defender detects a system on the network that has Google Chrome installed, the following two security enhancements are automatically suggested.
To fix this, it is suggested to adjust the following registry values on the device.
BackgroundModeEnabled / PasswordManagerEnabled / BlockThirdPartyCookies
Intune Powershell Script Deployment
There are several ways to distribute this via the Microsoft Intune portal. One way is a PowerShell script: Home -> Devices -> Scripts
$path1 = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
# Create the policy key only if it is missing; New-Item -Force on an existing key would clear its values
if (-not (Test-Path -Path $path1)) { New-Item -Path $path1 -Force }
# Block third-party cookies, disable the password manager and disable background mode
New-ItemProperty -Path $path1 -Name 'BlockThirdPartyCookies' -Value 1 -PropertyType DWord -Force
New-ItemProperty -Path $path1 -Name 'PasswordManagerEnabled' -Value 0 -PropertyType DWord -Force
New-ItemProperty -Path $path1 -Name 'BackgroundModeEnabled' -Value 0 -PropertyType DWord -Force
This way is relatively quick to implement, and the security of the application increases within a few minutes.
Intune Proactive Remediation Solution
The second way would be to do it with Proactive Remediations. I think this is the better way because complete error handling can be set up here and the subsequent overview of the deployment is more transparent.
Home -> Reports | Endpoint Analytics -> Endpoint Analytics -> Proactive remediations
Detection script
$path1 = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

# Read the values only if the policy key exists
if (Test-Path -Path $path1)
{
    $key1 = Get-ItemProperty -Path $path1
    # A missing value is $null and never equals 0 or 1, so it counts as non-compliant
    if (($key1.BlockThirdPartyCookies -eq 1) -and ($key1.PasswordManagerEnabled -eq 0) -and ($key1.BackgroundModeEnabled -eq 0))
    {
        Write-Output "GoogleChrome Security Defaults successful"
        exit 0
    }
    else
    {
        Write-Output "Keys missing"
        exit 1
    }
}
else
{
    Write-Output "Paths missing"
    exit 1
}
Remediation script
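$path1 = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
# Turn non-terminating cmdlet errors into exceptions so the catch block is reached
$ErrorActionPreference = 'Stop'
try {
    # Create the policy key only if it is missing, so existing Chrome policies are kept
    if (-not (Test-Path -Path $path1)) {
        New-Item -Path $path1 -Force
    }
    New-ItemProperty -Path $path1 -Name 'BlockThirdPartyCookies' -Value 1 -PropertyType DWord -Force
    New-ItemProperty -Path $path1 -Name 'PasswordManagerEnabled' -Value 0 -PropertyType DWord -Force
    New-ItemProperty -Path $path1 -Name 'BackgroundModeEnabled' -Value 0 -PropertyType DWord -Force
    exit 0
}
catch {
    # Write the error message to the remediation output and signal failure
    $errMsg = $_.Exception.Message
    Write-Host $errMsg
    exit 1
}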
Assign it to a device group and that’s it; within a few hours, results are visible.
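A stricter variant of the detection step, as an added example that is not part of the original post: it reports which of the three values is missing, holds the wrong value, or is not stored as a DWord, and uses the same exit codes 0 and 1 as the detection script above. The function name Get-ChromePolicyDrift and the variable names are hypothetical; the registry path and expected values are the ones used on this page.

```powershell
# Added example, not the original author's script: per-setting drift report.
$policyPath = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

# Expected values, taken from the scripts on this page
$desiredState = [ordered]@{
    BlockThirdPartyCookies = 1
    PasswordManagerEnabled = 0
    BackgroundModeEnabled  = 0
}

# Hypothetical helper: returns one message per deviating setting, nothing if compliant
function Get-ChromePolicyDrift {
    param([string]$Path, [System.Collections.IDictionary]$Expected)

    if (-not (Test-Path -Path $Path)) {
        return "policy key missing: $Path"
    }

    $key   = Get-Item -Path $Path          # Microsoft.Win32.RegistryKey
    $names = $key.GetValueNames()
    $drift = @()
    foreach ($name in $Expected.Keys) {
        if ($names -notcontains $name) {
            $drift += "$name missing"
            continue
        }
        # Check the stored type first, then the value itself
        $kind = $key.GetValueKind($name)
        if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
            $drift += "$name has type $kind, expected DWord"
        }
        elseif ($key.GetValue($name) -ne $Expected[$name]) {
            $drift += "$name is $($key.GetValue($name)), expected $($Expected[$name])"
        }
    }
    return $drift
}

# @() keeps the result an array even when zero or one message comes back
$drift = @(Get-ChromePolicyDrift -Path $policyPath -Expected $desiredState)
if ($drift.Count -eq 0) {
    Write-Output 'Chrome policy compliant'
    exit 0
}
Write-Output ('Chrome policy drift: ' + ($drift -join '; '))
exit 1
```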
Conclusion
In conclusion, hardening Google Chrome by configuring BlockThirdPartyCookies, PasswordManagerEnabled and BackgroundModeEnabled via the registry is a crucial step in improving the security of the application in a company environment. In today’s increasingly digital world, it is essential for companies to take proactive measures to secure their applications and protect their data.