Our browsers are betraying us, all the time. Between forever cookies, browser exploits, cross-site scripting, and various other techniques, our browsers exfiltrate data about us everywhere we turn.
The challenge here is to harden the browser and reduce its exfiltration surface.
There is a lot of debate on what the most secure browser is. This post isn't meant to end that debate, but instead is meant to expand options.
I personally prefer Chrome unadulterated.
Extensions and plugins can be a vector for attack. I've personally seen extensions send telemetry data back to their developers while analyzing SIEM traffic. Furthermore, in order for extensions to work they need a certain amount of access to what you're doing in your browser. Ergo, rather than trying to filter the good from the bad, I choose to run nothing.
(What about adblock? I block ads using Pi-hole.)
Lastly, I use a Windows batch file to launch Chrome in incognito mode with its own unique data profile folder. Why? This allows me to run a browser window for Facebook that doesn't share memory or a profile with another browser window I'm Googling with. This helps ensure third-party cookies and other tracking techniques are less effective.
Hardening Techniques - Setup
- Download ADMX File from Google
- Place ADMX file in %systemroot%\PolicyDefinitions\
Google Chrome can be hardened using a Group Policy Administrative Template, which is officially supported by Google.
The policies available change from time to time, and so it's important to periodically download and install new policy packages, then review what new policies are available.
For this to be useful it's important to know how to install ADMX template files and edit the machine's local policy. (This presumes that you're doing this on a non-domain-joined device; the technique works just as well in Active Directory and is a very easy way to configure Chrome via AD.) Rather than go into the details of how to do this, check out Microsoft's documentation.
Note: This can all be done using plists and OS X. Not being an OS X user I'll leave the details to someone else.
Hardening Techniques - Config
The following settings are not necessarily a perfect configuration. For instance, there are some certificate settings that I've left at their defaults for compatibility reasons (Google does a good job of deprecating insecure certificate techniques and algorithms).
As such, take these as guidance: review the options available and choose your own security profile.
Lastly, while this guide is dated, it is a good baseline reference for an enterprise configuration.
The original table had three columns: Policy Name, Description, and Administratively Set Setting. Only the policy names and, where one was recorded, the chosen setting survived extraction, so they are listed below as "policy: setting".
- Configure remote access options
- Configure the required domain name for remote access clients
- Enable firewall traversal from remote access host
- Configure the required domain name for remote access hosts
- Enable or disable PIN-less authentication for remote access hosts
- Allow gnubby authentication for remote access hosts
- Restrict the UDP port range used by the remote access host
- Policy overrides for Debug builds of the remote access host
- Default cookies setting: 4 = Keep cookies for the duration of the session
- Default plugins setting: 3 = Click to play
- Default popups setting: 2 = Do not allow any site to show popups
- Default notification setting: 3 = Ask every time a site wants to show desktop notifications
- Default geolocation setting: 2 = Do not allow any site to track the user's physical location
- Default mediastream setting: 2 = Do not allow any site to access the camera and microphone
- Control use of the Web Bluetooth API: 2 = Do not allow any site to request access to Bluetooth devices via the Web Bluetooth API
- Default key generation setting: 2 = Do not allow any site to use key generation
- Configure extension installation blacklist
- Configure native messaging blacklist
- Allow user-level Native Messaging hosts (installed without admin permissions)
- Enable saving passwords to the password manager
- Action on startup: 5 = Open New Tab Page
- Allow Dinosaur Easter Egg Game
- Allow running plugins that are outdated
- Define domains allowed to access Google Apps
- Enable alternate error pages
- Always runs plugins that require authorization
- Allow or deny audio capture
- Continue running background apps when Chromium is closed
- Block third party cookies
- Enable Bookmark Bar
- Enable add person in profile manager
- Enable guest mode in browser
- Use built-in DNS client
- Enable Google Cloud Print proxy
- Enable submission of documents to Google Cloud Print
- Set Chromium as Default Browser
- Disable support for 3D graphics APIs
- Specify whether the plugin finder should be disabled
- Disable proceeding from the Safe Browsing warning page (if I were setting up my mother's computer I'd set this to enabled; I keep it not configured for myself)
- Disable taking screenshots
- Disable SPDY protocol
- Specify a list of disabled plugins
- Enable network prediction
- Use hardware acceleration when available
- Hide the web store from the New Tab Page and app launcher
- Import autofill form data from default browser on first run
- Import bookmarks from default browser on first run
- Import browsing history from default browser on first run
- Import of homepage from default browser on first run
- Import saved passwords from default browser on first run
- Import search engines from default browser on first run
- Incognito mode availability: 2 = Incognito mode forced
- Enable reporting of usage and crash-related data
- Enable network prediction
- Enable PAC URL stripping (for https://)
- Allows QUIC protocol
- Whether online OCSP/CRL checks are required for local trust anchors
- Enable Safe Browsing
- Allow users to opt in to Safe Browsing extended reporting
- Disable saving browser history
- Enable search suggestions
- Allows sign in to Chromium
- Enable or disable spell checking web service
- Disable synchronization of data with Google
- Allow or deny video capture
- Enable WPAD optimization
Browser segmentation prevents sites from being aware of other sites. This allows you to have multiple logins (work Gmail vs. home Gmail). It also provides some privacy, so that the profile logged into Facebook doesn't interact with other active profiles.
To do this, the code is easy:
- Create a batch file in an easy to use location
- Copy and paste code into batch file
- Launch and enjoy
This code puts the profile in a time-stamped directory on your desktop. Remove the incognito flag and this becomes useful for pentesting or research, as your browsing session is saved in a time-stamped folder. Assuming the previous steps were followed to force GPO hardening of the browser, each session launches with those settings preconfigured.
@echo off
REM Capture the local date/time (yyyyMMddHHmmss.ffffff+zzz) from WMIC as a folder-safe stamp.
for /f "tokens=2 delims==" %%I in ('wmic os get localdatetime /format:list') do set datetime=%%I
REM Launch Chrome with a fresh, time-stamped user-data-dir so nothing is shared with other windows.
REM Note: 64-bit Chrome installs under %PROGRAMFILES% rather than %PROGRAMFILES(x86)%; adjust the path to match.
start "" "%PROGRAMFILES(x86)%\Google\Chrome\Application\chrome.exe" --user-data-dir="%userprofile%\Desktop\ChromeData\%datetime%" --incognito /secondary /minimized
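The batch file above isolates one throwaway session per launch. The PowerShell script below is an added example, not the post's own code, that generalizes the same idea to named personas (for instance a "social" profile and a "research" profile) so each context gets its own user-data-dir and never shares cookies, storage or process memory with the others. It assumes Chrome is in one of its two standard install locations, keeps the post's Desktop\ChromeData root, and the persona names and the --no-first-run switch are my choices; persistent personas reuse one folder while throwaway ones get a time-stamped folder exactly as the batch file does.

```powershell
# Added example (not the post's batch file): launch an isolated Chrome profile
# per persona. Assumes Chrome in a standard install location and the post's
# Desktop\ChromeData profile root; persona names are constructed for illustration.
param(
    [Parameter(Mandatory)][string]$Persona,   # e.g. 'social', 'banking', 'research'
    [switch]$Persistent                        # keep the profile between runs (no incognito)
)

function Get-ChromePath {
    # 64-bit Chrome lives under Program Files, 32-bit under Program Files (x86).
    $candidates = @(
        (Join-Path $env:ProgramFiles 'Google\Chrome\Application\chrome.exe'),
        (Join-Path ${env:ProgramFiles(x86)} 'Google\Chrome\Application\chrome.exe')
    )
    foreach ($c in $candidates) { if (Test-Path $c) { return $c } }
    throw 'chrome.exe not found in the standard install locations'
}

function Get-ProfileDir([string]$Name, [bool]$Keep) {
    # Persona names become folder names, so restrict them to safe characters.
    if ($Name -notmatch '^[A-Za-z0-9_-]{1,32}$') { throw "Invalid persona name: $Name" }
    $root = Join-Path $env:USERPROFILE 'Desktop\ChromeData'
    # Persistent personas reuse one folder; throwaway ones get a time-stamped
    # folder like the post's batch file, so nothing carries over between sessions.
    $leaf = if ($Keep) { $Name } else { '{0}_{1}' -f $Name, (Get-Date -Format 'yyyyMMddHHmmss') }
    return Join-Path $root $leaf
}

$dir = Get-ProfileDir -Name $Persona -Keep $Persistent.IsPresent
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# Quote the directory: user profile paths commonly contain spaces.
$chromeArgs = @("--user-data-dir=`"$dir`"", '--no-first-run')
if (-not $Persistent) { $chromeArgs += '--incognito' }

Start-Process -FilePath (Get-ChromePath) -ArgumentList $chromeArgs
```

Run it as `.\Launch-Persona.ps1 -Persona social` for a throwaway incognito session, or add `-Persistent` for a persona whose logins should survive between runs. Because each persona is a separate user-data-dir, the GPO hardening applied earlier still governs every one of them; the segmentation only changes what state the windows share, not which policies they obey.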