This Guide is provided "as is." Any express or implied warranties, including but not limited to, the
implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event
shall the United States Government be liable for any direct, indirect, incidental, special, exemplary or
consequential damages (including, but not limited to, procurement of substitute goods or services, loss
of use, data or profits, or business interruption) however caused and on any theory of liability, whether
in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of
this Guide, even if advised of the possibility of such damage.
The User of this Guide agrees to hold harmless and indemnify the United States Government, its agents
and employees from every claim or liability (whether in tort or in contract), including attorneys' fees,
court costs, and expenses, arising in direct consequence of Recipient's use of the item, including, but not
limited to, claims or liabilities made for injury to or death of personnel of User or third parties, damage
to or destruction of property of User or third parties, and infringement or other violations of intellectual
property or technical data rights.
Nothing in this Guide is intended to constitute an endorsement, explicit or implied, by the U.S.
Government of any particular manufacturer's product or service.
This publication has not been authorized, sponsored, or otherwise approved by Google Inc.
Chrome™, Chromium™, Google™, Google Chrome™, Google Chrome Extensions™, Google Code™,
Google Instant™, Google Safe Browsing™, Google Suggest™, Google Sync™, Google Translate™, and
Google Updater™ are trademarks of Google Inc.
Microsoft®, Windows®, Silverlight®, Office®, Windows Vista®, Active Directory®, and Windows
PowerShell® are either registered trademarks or trademarks of Microsoft Corporation in the United
States and/or other countries.
Adobe Flash®, Adobe Shockwave®, Adobe PDF®, and Adobe Reader® are either registered trademarks or
trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Oracle® and Java® are registered trademarks of Oracle and/or its affiliates. Other names may be
trademarks of their respective owners.
Apple® and QuickTime® are trademarks of Apple Inc., registered in the U.S. and other countries.
RealPlayer® is a trademark or registered trademark of RealNetworks, Inc.
Google Chrome is a widely used, free web browser developed by Google based on the open source
Chromium project. Chrome has been available for consumers since 2008. Starting in 2010, Google
released an enterprise version of Chrome that is configurable through Group Policy and deployable with
a Windows Installer (MSI) file. These improvements make Chrome a manageable and deployable
browser in Windows domains.
Chrome supports modern security features, such as sandboxing and safe browsing, which are designed
to help protect users and enterprise networks from malicious web sites. Chrome also supports enhanced
web site certificate checking mechanisms and automatic updates.
The Chrome sandbox is a security feature that helps protect users by preventing an exploit from gaining
highly privileged access to the system due to a vulnerability in Chrome. The security provided by the
sandbox on Windows systems is strongest when running Chrome on Windows Vista or newer operating
system versions since the sandbox leverages security mechanisms added to the operating system
starting with Windows Vista. Google released Chrome 8 in 2010 with an included Adobe PDF reader
plugin that runs inside a protected sandbox. Google released Chrome 21 in 2012 with an included Adobe
Flash plugin that runs inside a protected sandbox. These security enhancements limit the damage from
common attack vectors.
The Chrome safe browsing feature displays a warning message for web sites that are known to contain
malware or phishing attacks by looking up web sites in a known bad list maintained by Google. It is
important to note that safe browsing does not send web site URL information to Google. This provides a
security benefit without compromising privacy.
In addition to supporting industry standard web site certificate validation mechanisms, Chrome also has
a feature called CRLSet that checks web site certificates against a locally stored list of revoked
certificates. This feature allows certificate revocation checks to occur even when the Certificate
Authority cannot be contacted to verify the revocation status of the certificate. Chrome automatically
updates the certificate revocation data without requiring a new version of Chrome to be installed and
the updates take effect without having to restart the browser.
Chrome automatically updates using Google Update. The Chrome updates are signed by Google and are
retrieved using a secure connection. Chrome also automatically updates some included plugins, any
extensions that support automatic updates, and certificate revocation data. Google releases Chrome
updates at a quick pace which leads to vulnerabilities being promptly patched.
Chromium Security. http://chromium.org/Home/chromium-security
Revocation checking and Chrome’s CRL. http://www.imperialviolet.org/2012/02/05/crlsets.html
This paper contains deployment guidance, recommended policies, and technical details for United
States government and Department of Defense administrators who want to use the enterprise version
of the Google Chrome web browser in their Windows Active Directory domain. Chrome 20.0.1132.47,
20.0.1132.57, and 21.0.1180.60 were tested on Windows 7 for the initial publication of this guide. The
guide has been updated to include new policies and remove deprecated policies in Chrome 22 and was
tested against Chrome version 22.214.171.124 on Windows 7. Future updates will only happen when new
relevant policies are introduced, when old policies are deprecated, or when policy recommendations
An administrator must download the latest version of the Chrome Windows Installer (MSI) file and the
corresponding Chrome Group Policy templates before deploying Chrome. Rename the MSI file to
include the full version number of Chrome since Google uses the same file name no matter which
version of Chrome the MSI file represents. The administrator should place the MSI file at a network path
that is accessible to workstations and is readable by domain users.
2.1 Version Management
Deploying and updating Google Chrome may be handled in two ways. The first method is deploying
Chrome and leaving automatic updates enabled which is the default behavior. The Google Update
service is responsible for keeping Chrome updated to the newest version. This method is recommended
since Chrome is updated frequently and these updates often contain critical security fixes. This method
is especially beneficial for enterprises where IT staff is either not trained or not available for monitoring,
testing, and deploying new versions to keep pace with a frequent release schedule.
The second method is disabling automatic updates and manually deploying new versions of Chrome as
they are released. The overhead of manually testing and deploying each version of Chrome that is
released, while trying to keep up with frequent releases, may be considerable. This method is more
suitable for enterprises that have full time staff dedicated to testing and deploying software updates in a
timely fashion. IT staff may find it a better investment to allow Chrome to automatically update itself
so they may focus on testing and deploying software updates for software that is commonly exploited
Major Chrome stable channel releases occur about every 6 weeks. Approximately 3-6 minor versions
may be released before the next major version. Even minor Chrome stable channel updates are
important to install since they frequently contain critical security fixes. Since Chrome is an open source
browser, attackers can see the exact code changes made for a security fix which could assist them in
attacking outdated versions of Chrome. Running the most recently patched version of Chrome is always
recommended to prevent exploitation of known vulnerabilities. Google only officially supports the latest
stable channel release of Chrome. The latest stable channel version number for Chrome on Windows
can be found at http://omahaproxy.appspot.com/win.
Chrome Browser for Businesses. http://www.google.com/intl/en/chrome/business/browser
Policy Templates – The Chromium Projects. http://www.chromium.org/administrators/policy-templates
2.2 Import Policy Templates
The Chrome policy_template.zip file contains both ADM and ADMX versions of the Group Policy
settings. Enterprises using Windows Server 2008 or above can use the ADM or the ADMX policy file. If
using Windows Server 2003 to manage domain policies, then use the ADM file.
Before deploying Chrome, use the Group Policy Management snap-in to create a new Group Policy
Object (GPO) for Chrome policies. Apply this newly created GPO to the Organizational Unit(s) within the
domain for which Chrome will be installed and managed.
If Chrome is installed on servers or workstations used for administrative tasks, then consider using a
separate GPO that enforces more strict policies such as Chrome’s URL whitelisting policy to only allow
access to specific internal web sites. Internet web browsing should never be performed on privileged
workstations or servers. Administrators should also enforce more strict policies that limit execution of
The steps below demonstrate how to import the ADM template file into the new GPO using the Group
Policy Management Editor.
1. Extract the Chrome policy_template.zip file. The chrome.adm file for the English language can
be found in \policy_templates\windows\adm\en-US\chrome.adm.
2. Navigate to Computer Configuration > Policies > Administrative Templates. Right click on
Administrative Templates and select Add/Remove Templates.
3. In the Add/Remove Templates dialog, click the Add button and select the chrome.adm file from
the extracted Chrome policy templates location.
4. Once the template is loaded, Chrome policies can be managed by navigating to Computer
Configuration > Policies > Administrative Templates > Google > Google Chrome and then
configuring the appropriate individual policy settings as shown in Figure 1 below.
Figure 1: Chrome Group Policy location
URL Whitelist. http://www.chromium.org/administrators/policy-list-3#URLWhitelist
Notice in Figure 1 that there are two folders that contain Chrome policies: Google Chrome and Google
Chrome (Recommended). The policies in the Google Chrome (Recommended) folder are a subset of the
policies contained in the Google Chrome folder. If policies are configured under the Google Chrome
(Recommended) folder, then these policies are only effective if the same policies are not configured
under the Google Chrome folder. This behavior may not be intuitive to Windows administrators so only
configuring policies under the Google Chrome folder is recommended to prevent confusion. While the
policies under the Google Chrome (Recommended) folder can be used to set defaults for user
overridable options, a Windows administrator can achieve the same effect by configuring policies under
the Google Chrome folder within the User Configuration section of Group Policy rather than Computer
2.3 Initial Deployment
Deployment of Google Chrome in a Windows enterprise is straightforward. An administrator should
determine which of the three common deployment methods they will use:
1. A commercial software deployment tool.
2. Windows Group Policy software installation.
3. A computer startup or shutdown script.
This paper only covers the Windows Group Policy software installation deployment method since it is
available at no extra cost and is easier to use than a script.
Use the Group Policy Object created in the Import Policy Templates section for configuring Chrome
policies or use the Group Policy Management snap-in to create a new GPO for Chrome deployment. To
deploy Chrome using Windows Group Policy software installation:
1. In the Group Policy Management Editor, navigate to Computer Configuration > Policies >
Software Settings > Software installation, right click on Software installation, and select New >
Package. This will display an Open File dialog.
2. Browse to the network path location of the Chrome MSI file. Make sure the network location of
the MSI file is accessible to workstations and that domain users have read access to it. Select the
MSI and click the OK button. This will open the Deploy Software dialog.
3. In the Deploy Software dialog, leave the default selection and then click the OK button and wait
a few seconds for the Group Policy Management Editor to show the newly published package as
shown in Figure 2 below. It may take some time for the new Group Policy settings to apply to
systems and it may also take 2-3 reboots before the package is installed on the system.
Figure 2: Deploying Chrome via Group Policy software installation
The user friendly Chrome version number will not match the version reported in the software
installation Group Policy window. Notice in Figure 2 the Version column shows a value of 65.27 for a
deployment of Chrome 20.0.1132.47. The same value will display for a deployment of Chrome
20.0.1132.57. Chrome 21.0.1180.60 will display a value of 65.39. Renaming the Chrome MSI file so that
it includes the full user friendly Chrome version number information is recommended to prevent
confusion about which version of Chrome is being deployed by the software installation policy. Also
note that when checking the Chrome version information in the Programs and Features dialog in
Windows, the version number will not match the full user friendly Chrome version number either. For
example, Chrome 20.0.1132.47 displays as 65.27.47, Chrome 20.0.1132.57 displays as 65.27.57, and
Chrome 21.0.1180.60 displays as 65.39.60 in the Programs and Features dialog.
It is possible that users may have already installed the consumer version of Chrome since it does not
require administrative privileges to install. Deploying the enterprise version of Chrome will remove an
existing consumer installation of Chrome but will retain user settings and preferences.
2.4 Update Deployment
Enterprises that choose to disable the automatic update mechanisms provided by Google Update can
use the Group Policy software installation feature to manually deploy new versions of Chrome. To
deploy a new version of Chrome using Group Policy software installation:
1. Right click on the currently assigned software installation policy for Chrome, as shown in Figure
2, and select All Tasks > Remove.
2. At the Remove Software dialog, select Allow users to continue to use the software, but prevent
new installations and click the OK button. This will leave Chrome installed on systems.
3. Now create a new Group Policy software installation policy for the new version of Chrome, using
the same directions listed in the Initial Deployment section, but select the new Chrome MSI file.
The above steps result in the same upgrade behavior that happens with Chrome’s automatic update
mechanism. The Chrome MSI correctly upgrades over the existing installation using the Group Policy
software installation mechanism just like it does when using Chrome automatic updates. Chrome leaves
folders from previous versions behind, in case a rollback is needed, as shown in Figure 3.
Figure 3: Chrome Application folder containing the current and previous version of Chrome
Administrators may want to create maintenance scripts to remove the old folders since each folder uses
100MB to 200MB of disk space. The old versions should only be removed after administrators have
verified the new version of Chrome is working correctly.
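A maintenance script of the kind described above, as an added example that is not part of the original guide. The default folder path is an assumption (the guide does not state it), and only folders older than the version reported by chrome.exe are removed.

```powershell
# Added example, not from the guide. Requires PowerShell 3.0 or later.
# Assumption: $AppDir is the system-level Chrome "Application" folder; the
# default below is the usual location on 64-bit Windows and may differ.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$AppDir = "${env:ProgramFiles(x86)}\Google\Chrome\Application"
)

$exe = Join-Path $AppDir 'chrome.exe'
if (-not (Test-Path -LiteralPath $exe)) {
    throw "chrome.exe not found under '$AppDir'"
}

# The version in use comes from chrome.exe itself, not from the folder names.
$current = $null
$raw = (Get-Item -LiteralPath $exe).VersionInfo.ProductVersion
if (-not ([version]::TryParse($raw, [ref]$current))) {
    throw "Could not parse chrome.exe version '$raw'"
}

# Only folders whose name parses as a version are candidates; anything else
# in the Application folder is left alone. Newer folders are never touched.
$old = Get-ChildItem -LiteralPath $AppDir -Directory | ForEach-Object {
    $v = $null
    if ([version]::TryParse($_.Name, [ref]$v) -and $v -lt $current) {
        [pscustomobject]@{ Version = $v; Path = $_.FullName }
    }
}

foreach ($dir in $old) {
    if ($PSCmdlet.ShouldProcess($dir.Path, "Remove Chrome $($dir.Version)")) {
        Remove-Item -LiteralPath $dir.Path -Recurse -Force
    }
}
```

Run it with -WhatIf first to list what would be deleted, and schedule it only after the new version has been verified.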
2.5 Policy Updates
Administrators should download the latest Chrome Group Policy templates when a major version of
Chrome is released. Major Chrome releases may have new policies added or current policies removed
due to being deprecated. Administrators should compare the policy templates for the current version of
Chrome they are using against the newly downloaded policy templates and note any additions or
removals. This can be achieved by using a file comparison tool to review the changes between the two
versions of the templates.
Administrators can also identify deprecated policies in Chrome by installing the new version of Chrome
but not immediately updating the policy templates used in their Chrome GPO to the latest policy
templates. Then administrators can check the Chrome policies tab for deprecated policies by opening
chrome://policy and looking for the text This policy has been deprecated under the Status column. This
notice is displayed since Chrome still recognizes the registry data associated with deprecated policies for
approximately 4 major releases of Chrome before it is completely removed.
Before administrators update the Chrome GPO with the latest policy template they should first modify
any deprecated policies in their current GPO. Use the Group Policy Management Editor to set all the
deprecated policies to Not Configured. The registry data for the deprecated policies will be removed
from systems once Group Policy updates have been applied. If this procedure isn’t used, then registry
data for the deprecated policies will remain indefinitely. Once Group Policy updates have been applied
to all systems, then administrators should update their Chrome GPO to use the latest Chrome Group
Policy template and configure any newly added policies.
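The template comparison and the deprecated-policy cleanup described in this section can be checked together with a script like the following, which is an added example and not part of the original guide. It assumes the ADMX versions of the old and new templates are available, and that a policy's registry value or subkey under the Chrome policy key has the same name as the policy in the template.

```powershell
# Added example, not from the guide. Requires PowerShell 3.0 or later.
# Diffs two Chrome ADMX templates, then checks whether any policy dropped from
# the newer template still has data under the Chrome policy registry key.
param(
    [Parameter(Mandatory = $true)][string]$OldAdmx,  # chrome.admx currently in use
    [Parameter(Mandatory = $true)][string]$NewAdmx,  # chrome.admx from the new download
    [string]$PolicyKey = 'HKLM:\Software\Policies\Google\Chrome'
)

function Get-AdmxPolicyName {
    param([string]$Path)
    $doc = New-Object System.Xml.XmlDocument
    $doc.Load((Resolve-Path -LiteralPath $Path).ProviderPath)
    # ADMX declares a default namespace, so match on local-name().
    $names = foreach ($node in $doc.SelectNodes("//*[local-name()='policy']")) {
        $node.GetAttribute('name')
    }
    $names | Sort-Object -Unique
}

$old = @(Get-AdmxPolicyName $OldAdmx)
$new = @(Get-AdmxPolicyName $NewAdmx)
if ($old.Count -eq 0 -or $new.Count -eq 0) {
    throw 'No <policy> elements found in one of the templates.'
}

$diff    = @(Compare-Object -ReferenceObject $old -DifferenceObject $new)
$added   = @($diff | Where-Object { $_.SideIndicator -eq '=>' } |
             ForEach-Object { $_.InputObject })
$removed = @($diff | Where-Object { $_.SideIndicator -eq '<=' } |
             ForEach-Object { $_.InputObject })

# Assumption: a policy's registry value (or, for list policies, its subkey)
# under $PolicyKey carries the same name as the policy in the template.
$stale = @()
if (Test-Path -LiteralPath $PolicyKey) {
    $key     = Get-Item -LiteralPath $PolicyKey
    $present = @($key.GetValueNames()) + @($key.GetSubKeyNames())
    $stale   = @($removed | Where-Object { $present -contains $_ })
}

[pscustomobject]@{
    Added           = $added    # new policies to review and configure
    Removed         = $removed  # policies dropped from the new template
    StillInRegistry = $stale    # set to Not Configured before swapping templates
}
```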
Table 1 contains a list of recommended policies and values to harden and secure Chrome. These policies
are based on a balance between usability and security and are recommended for most enterprises.
Some policies could be further hardened or relaxed based on operational needs of the network and are
discussed as optional example policies in the sections within the Policies section. Complete policy
descriptions can be found on the Chrome Policy List web page.
The policies in this guide are configured within the Computer Configuration section of Group Policy
under the Google Chrome folder. These policies will create registry keys and values on systems under
the registry key of HKLM\Software\Policies\Google\Chrome\. See Appendix B for a complete mapping
of all policy names to their registry values and example registry data that corresponds to the
recommended and example optional policies from this guide.
Chrome Policy List. http://www.chromium.org/administrators/policy-list-3