Information
Enabling this setting allows you to specify which extensions the users can NOT install. Extensions already installed will be removed if blocklisted.
Disabled (0): The user can install any extension in Google Chrome.
The recommended state for this setting is: Enabled with a value of *
NOTE: If blocklisting all extensions is too aggressive, Chrome offers a more granular, permission-based configuration called Extension management settings, which allows an organization to drill down to the exact permissions it wants to lock down. Extension management settings require more coordination and effort to understand the security requirements for blocking site and device permissions globally, as well as more IT management to deploy. The benefit is that end users can be given access to more extensions. See the link in the reference section.
NOTE: If Chrome Cleanup is Disabled, users may want to configure the extension blocklist instead of using the Extension Management option. Chrome Cleanup can help protect against malicious extensions when paired with the Extension Management setting.
Rationale:
This can be used to block extensions that could potentially allow remote control of the system through the browser. If there are extensions needed for securing the browser or for enterprise use, these can be enabled by configuring either the setting Configure extension installation allowlist or the setting Extension management settings.
Impact:
Any installed extension will be removed unless it is specified on the extension allowlist. If an organization is using any approved password managers, ensure that the extension is added to the allowlist.
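To preview this impact before enabling the blocklist with a value of *, the following added example (not part of the benchmark text) checks a blocklist/allowlist pair against an endpoint's extension inventory. The function name, the input format and the extension IDs are constructed for illustration, and it assumes that allowlisted IDs are exempt from the blocklist, as the Impact statement describes.

```python
import re

# Chrome extension IDs are 32 characters drawn from the letters a-p.
EXT_ID = re.compile(r"[a-p]{32}")


def evaluate(blocklist, allowlist, installed):
    """Preview the effect of a blocklist/allowlist pair on one endpoint.

    blocklist, allowlist: values configured in the two settings
    installed: {extension_id: name} inventory (hypothetical input format)
    """
    block_all = "*" in blocklist
    # Catch typos: entries must be extension IDs; only the blocklist may hold "*".
    malformed = sorted(
        {e for e in blocklist if e != "*" and not EXT_ID.fullmatch(e)}
        | {e for e in allowlist if not EXT_ID.fullmatch(e)}
    )
    removed, kept = {}, {}
    for ext_id, name in installed.items():
        # Assumption: an allowlisted ID is exempt from the blocklist.
        blocked = (block_all or ext_id in blocklist) and ext_id not in allowlist
        (removed if blocked else kept)[ext_id] = name
    return {"compliant": block_all, "malformed": malformed,
            "removed": removed, "kept": kept}


# Constructed sample inventory; the IDs are made up, not real extensions.
PASSWORD_MANAGER = "abcdefghijklmnopabcdefghijklmnop"
INSTALLED = {
    PASSWORD_MANAGER: "Approved password manager",
    "ponmlkjihgfedcbaponmlkjihgfedcba": "Remote desktop helper",
    "aaaabbbbccccddddeeeeffffgggghhhh": "Coupon finder",
}

if __name__ == "__main__":
    result = evaluate(["*"], [PASSWORD_MANAGER], INSTALLED)
    print("Meets recommended state:", result["compliant"])
    for ext_id, name in result["removed"].items():
        print("would be removed:", ext_id, name)
    for ext_id, name in result["kept"].items():
        print("kept:", ext_id, name)
```

Running it against a real inventory shows which approved extensions still need an allowlist entry before the policy is deployed.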
Solution
To establish the recommended configuration via Group Policy, set the following UI path to Enabled and a value of * for Extension IDs the user should be prevented from installing:
Computer Configuration\Policies\Administrative Templates\Google\Google Chrome\Extensions\Configure extension installation blocklist
Default Value:
Unset (Same as Disabled, and users can change)