Browser Segmentation

or How I learned to stop worrying and love Google Chrome (Part 1)

Posted by vgrsec on July 25, 2016

Introduction

Our browsers are betraying us, all the time. Between forever cookies, browser exploits, cross-site scripting, and various other techniques, our browsers exfiltrate data about us everywhere we turn.

The challenge here is to harden the browser and reduce its exfiltration surface.

There is a lot of debate on what the most secure browser is. This post isn't meant to end that debate, but instead is meant to expand options.

I personally prefer Chrome unadulterated.

Extensions and plugins can be a vector for attack. I've personally seen extensions send telemetry data back to developers by analyzing SIEM traffic. Furthermore, in order for extensions to work they need to have a certain amount of access to what you're doing with your browser. Ergo, rather than trying to filter out the good and the bad, I choose to run nothing.

(What about adblock? I adblock using Pi-hole.)

Lastly, I use a Windows batch file to launch Chrome in incognito mode with its own unique data profile folder. Why? This allows me to run a browser window for Facebook that doesn't share memory or a profile with another browser window I'm Googling with. This helps to ensure 3rd party cookies and other tracking techniques are less effective.

Hardening Techniques - Setup

  1. Download ADMX File from Google
  2. Place ADMX file in %systemroot%\PolicyDefinitions\

Google Chrome can be hardened using a Group Policy Administrative Template, which is officially supported by Google.

The policies available change from time to time, and so it's important to periodically download and install new policy packages, then review what new policies are available.

https://support.google.com/chrome/a/answer/187202?hl=en
https://dl.google.com/dl/edgedl/chrome/policy/policy_templates.zip
http://www.chromium.org/administrators/policy-list-3
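
One way to do that periodic review, as an added example that is not from the original post or from Google: diff the policy names in the previous and the newly downloaded chrome.admx, reporting removed policies as well as added ones, since a setting you rely on may have been dropped from the template. The two ADMX snippets are constructed and heavily trimmed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed, heavily trimmed stand-ins for two releases of chrome.admx.
OLD_ADMX = """<policyDefinitions revision="1.0" schemaVersion="1.0">
  <policies>
    <policy name="SyncDisabled" class="Both" valueName="SyncDisabled"/>
    <policy name="QuicAllowed" class="Both" valueName="QuicAllowed"/>
    <policy name="DisableSpdy" class="Both" valueName="DisableSpdy"/>
  </policies>
</policyDefinitions>"""

# The newer sample declares a (made-up) default namespace to exercise that path.
NEW_ADMX = """<policyDefinitions xmlns="urn:example:admx" revision="1.0">
  <policies>
    <policy name="SyncDisabled" class="Both" valueName="SyncDisabled"/>
    <policy name="QuicAllowed" class="Both" valueName="QuicAllowed"/>
    <policy name="DefaultWebBluetoothGuardSetting" class="Both"
            valueName="DefaultWebBluetoothGuardSetting"/>
  </policies>
</policyDefinitions>"""


def policy_names(admx_text):
    """Return {policy name: class} for each <policy>, with or without a namespace."""
    found = {}
    for element in ET.fromstring(admx_text).iter():
        local_tag = element.tag.rsplit("}", 1)[-1]  # drop "{namespace}" if present
        if local_tag == "policy" and "name" in element.attrib:
            found[element.attrib["name"]] = element.attrib.get("class", "")
    return found


def diff_templates(old_text, new_text):
    """Return policies added to and removed from the newer template."""
    old, new = policy_names(old_text), policy_names(new_text)
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new))}


if __name__ == "__main__":
    changes = diff_templates(OLD_ADMX, NEW_ADMX)
    print("new policies to review:", changes["added"])
    print("no longer in the template:", changes["removed"])
```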

For this to be useful, it's important to know how to install ADMX template files and edit the machine's local policy. (This presumes that you're doing this on a non-domain-attached device; this technique works great in Active Directory as well, and is a very easy way to configure Chrome via AD.) Rather than go into details on how to do this, check out Microsoft's documentation.
https://msdn.microsoft.com/en-us/library/bb530196.aspx

Note: This can all be done using plists and OS X. Not being an OS X user I'll leave the details to someone else.
https://themacwrangler.wordpress.com/2016/01/07/managing-google-chrome-on-mac-os-x/

Hardening Techniques - Config

The following settings are not necessarily a perfect configuration. For instance, there are some certificate settings that I've left as default for compatibility reasons (Google does a good job deprecating insecure certificate techniques and algorithms).

As such, take these as guidance and review the options available and choose your own security profile.

Lastly, while this guide is dated, it is a good baseline reference for an enterprise configuration.
https://www.iad.gov/iad/library/ia-guidance/security-configuration/applications/deploying-and-securing-google-chrome-in-a-windows-enterprise.cfm

Configure remote access options

| Policy Name | Description | Administratively Set Setting |
| --- | --- | --- |
| RemoteAccessHostClientDomain | Configure the required domain name for remote access clients | Disabled |
| RemoteAccessHostFirewallTraversal | Enable firewall traversal from remote access host | Disabled |
| RemoteAccessHostDomain | Configure the required domain name for remote access hosts | Disabled |
| RemoteAccessHostAllowClientPairing | Enable or disable PIN-less authentication for remote access hosts | Disabled |
| RemoteAccessHostAllowGnubbyAuth | Allow gnubby authentication for remote access hosts | Disabled |
| RemoteAccessHostUdpPortRange | Restrict the UDP port range used by the remote access host | 0 |
| RemoteAccessHostDebugOverridePolicies | Policy overrides for Debug builds of the remote access host | Disabled |

Content Settings

| Policy Name | Description | Administratively Set Setting |
| --- | --- | --- |
| DefaultCookiesSetting | Default cookies setting | 4 = Keep cookies for the duration of the session |
| DefaultPluginsSetting | Default plugins setting | 3 = Click to play |
| DefaultPopupsSetting | Default popups setting | 2 = Do not allow any site to show popups |
| DefaultNotificationsSetting | Default notification setting | 3 = Ask every time a site wants to show desktop notifications |
| DefaultGeolocationSetting | Default geolocation setting | 2 = Do not allow any site to track the users' physical location |
| DefaultMediaStreamSetting | Default mediastream setting | 2 = Do not allow any site to access the camera and microphone |
| DefaultWebBluetoothGuardSetting | Control use of the Web Bluetooth API | 2 = Do not allow any site to request access to Bluetooth devices via the Web Bluetooth API |
| DefaultKeygenSetting | Default key generation setting | 2 = Do not allow any site to use key generation |

Extensions

| Policy Name | Description | Administratively Set Setting |
| --- | --- | --- |
| ExtensionInstallBlacklist | Configure extension installation blacklist | * |

Native Messaging

| Policy Name | Description | Administratively Set Setting |
| --- | --- | --- |
| NativeMessagingBlacklist | Configure native messaging blacklist | * |
| NativeMessagingUserLevelHosts | Allow user-level Native Messaging hosts (installed without admin permissions). | Disabled |

Password manager

| Policy Name | Description | Administratively Set Setting |
| --- | --- | --- |
| PasswordManagerEnabled | Enable saving passwords to the password manager | Disabled |

Startup pages

| Policy Name | Description | Administratively Set Setting |
| --- | --- | --- |
| RestoreOnStartup | Action on startup | 5 = Open New Tab Page |

Everything Else

| Policy Name | Description | Administratively Set Setting |
| --- | --- | --- |
| AllowDinosaurEasterEgg | Allow Dinosaur Easter Egg Game | Disabled |
| AllowOutdatedPlugins | Allow running plugins that are outdated | Disabled |
| AllowedDomainsForApps | Define domains allowed to access Google Apps | No |
| AlternateErrorPagesEnabled | Enable alternate error pages | Enabled |
| AlwaysAuthorizePlugins | Always runs plugins that require authorization | Disabled |
| AudioCaptureAllowed | Allow or deny audio capture | Disabled |
| AutoFillEnabled | Enable AutoFill | Disabled |
| BackgroundModeEnabled | Continue running background apps when Chromium is closed | Disabled |
| BlockThirdPartyCookies | Block third party cookies | Enabled |
| BookmarkBarEnabled | Enable Bookmark Bar | Enabled |
| BrowserAddPersonEnabled | Enable add person in profile manager | Disabled |
| BrowserGuestModeEnabled | Enable guest mode in browser | Enabled |
| BuiltInDnsClientEnabled | Use built-in DNS client | Disabled |
| CloudPrintProxyEnabled | Enable Google Cloud Print proxy | Disabled |
| CloudPrintSubmitEnabled | Enable submission of documents to Google Cloud Print | Disabled |
| DefaultBrowserSettingEnabled | Set Chromium as Default Browser | Enabled |
| Disable3DAPIs | Disable support for 3D graphics APIs | Enabled |
| DisablePluginFinder | Specify whether the plugin finder should be disabled | Enabled |
| DisableSafeBrowsingProceedAnyway | Disable proceeding from the Safe Browsing warning page | If I were setting up my mother's computer I'd set this to enabled. I keep it not configured for myself |
| DisableScreenshots | Disable taking screenshots | Enabled |
| DisableSpdy | Disable SPDY protocol | Enabled |
| DisabledPlugins | Specify a list of disabled plugins | "Java" |
| DnsPrefetchingEnabled | Enable network prediction | Disabled |
| EnableMediaRouter | Enables cast | False |
| ForceEphemeralProfiles | Ephemeral profile | True |
| HardwareAccelerationModeEnabled | Use hardware acceleration when available | False |
| HideWebStoreIcon | Hide the web store from the New Tab Page and app launcher | True |
| ImportAutofillFormData | Import autofill form data from default browser on first run | Disabled |
| ImportBookmarks | Import bookmarks from default browser on first run | Disabled |
| ImportHistory | Import browsing history from default browser on first run | Disabled |
| ImportHomepage | Import of homepage from default browser on first run | Disabled |
| ImportSavedPasswords | Import saved passwords from default browser on first run | Disabled |
| ImportSearchEngine | Import search engines from default browser on first run | Disabled |
| IncognitoModeAvailability | Incognito mode availability | 2 = Incognito mode forced |
| MetricsReportingEnabled | Enable reporting of usage and crash-related data | Disabled |
| NetworkPredictionOptions | Enable network prediction | Disabled |
| PacHttpsUrlStrippingEnabled | Enable PAC URL stripping (for https://) | True |
| QuicAllowed | Allows QUIC protocol | False |
| RequireOnlineRevocationChecksForLocalAnchors | Whether online OCSP/CRL checks are required for local trust anchors | True |
| SafeBrowsingEnabled | Enable Safe Browsing | Disabled |
| SafeBrowsingExtendedReportingOptInAllowed | Allow users to opt in to Safe Browsing extended reporting | Disabled |
| SavingBrowserHistoryDisabled | Disable saving browser history | Disabled |
| SearchSuggestEnabled | Enable search suggestions | Disabled |
| SigninAllowed | Allows sign in to Chromium | Disabled |
| SpellCheckServiceEnabled | Enable or disable spell checking web service | Disabled |
| SyncDisabled | Disable synchronization of data with Google | Enabled |
| TranslateEnabled | Enable Translate | Disabled |
| VideoCaptureAllowed | Allow or deny video capture | Disabled |
| WPADQuickCheckEnabled | Enable WPAD optimization | Disabled |
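
A check that the settings actually landed, as an added example that is not part of the original post: it parses the output of `reg query` for `HKLM\SOFTWARE\Policies\Google\Chrome` (the key where machine-level Chrome policy is stored on Windows) and compares it with a subset of the settings listed above, flagging values that are wrong or not set at all. The sample output is constructed, the function names are hypothetical, and the baseline assumes boolean policies are written as Enabled=1 and Disabled=0.

```python
import re

# Subset of the settings above as REG_DWORD values (assumption: Enabled=1, Disabled=0).
BASELINE = {
    "IncognitoModeAvailability": 2,
    "DefaultCookiesSetting": 4,
    "BlockThirdPartyCookies": 1,
    "SyncDisabled": 1,
    "PasswordManagerEnabled": 0,
    "MetricsReportingEnabled": 0,
}

# Constructed sample output of: reg query "HKLM\SOFTWARE\Policies\Google\Chrome"
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome
    IncognitoModeAvailability    REG_DWORD    0x2
    DefaultCookiesSetting    REG_DWORD    0x1
    BlockThirdPartyCookies    REG_DWORD    0x1
    SyncDisabled    REG_DWORD    0x1
    PasswordManagerEnabled    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallBlacklist
"""

DWORD_LINE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$")

def parse_reg_query(text):
    """Return {value name: int} for REG_DWORD values of the first key listed."""
    values, keys_seen = {}, 0
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            keys_seen += 1  # later HKEY_ lines are subkeys, not values
            continue
        match = DWORD_LINE.match(line)
        if match and keys_seen == 1:
            values[match.group(1)] = int(match.group(2), 16)
    return values

def audit(text, baseline=BASELINE):
    """Return (policy, expected, actual) per mismatch; actual is None if unset."""
    actual = parse_reg_query(text)
    return [(name, want, actual.get(name))
            for name, want in sorted(baseline.items())
            if actual.get(name) != want]

if __name__ == "__main__":
    for name, want, got in audit(SAMPLE):
        print(f"{name}: expected {want}, found {got}")
```

An unset policy is reported separately from a wrong one (`found None`), which matters for settings whose expected value is 0: a missing value means Chrome falls back to its default rather than to "Disabled".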

Operational Data Segmentation

Browser segmentation prevents sites from being aware of other sites. This allows you to have multiple logins (work Gmail vs. home Gmail). It also provides some privacy, so that your profile logged into Facebook doesn't interact with other active profiles.

To do this, the code is easy:

  1. Create a batch file in an easy to use location
  2. Copy and paste code into batch file
  3. Launch and enjoy

This code puts the profile in a time-stamped directory on your desktop. Remove the incognito mode flag and this could be useful for pentesting or research, as your browsing session is saved in a time-stamped folder. Assuming the previous steps were followed to force GPO hardening of the browser, each session launches with those settings preconfigured.

chromelaunch.bat
```bat
rem Build a YYYYMMDD-HHMMSS timestamp from the WMI local date/time string
for /f "tokens=2 delims==" %%I in ('wmic os get localdatetime /format:list') do set datetime=%%I
set datetime=%datetime:~0,8%-%datetime:~8,6%
echo %datetime%
rem Create a fresh profile directory for this session
mkdir "%userprofile%\Desktop\ChromeData\%datetime%"
rem Launch Chrome against that profile directory in incognito mode
start "" "%PROGRAMFILES(x86)%\Google\Chrome\Application\chrome.exe" --user-data-dir="%userprofile%\Desktop\ChromeData\%datetime%" --incognito /secondary /minimized
```