Title

Extensions installation must be blocklisted by default. (Cat II impact)

Discussion

Extensions are developed by third party sources and are designed to extend Google Chrome's functionality. An extension can be made by anyone, to do and access almost anything on a system; this means they pose a high risk to any system that would allow all extensions to be installed by default. Allows you to specify which extensions the users can NOT install. Extensions already installed will be removed if blocklisted. A blocklist value of '*' means all extensions are blocklisted unless they are explicitly listed in the allowlist. If this policy is left not set the user can install any extension in Google Chrome.

Check Content

Universal method: 1. In the omnibox (address bar) type chrome://policy 2. If ExtensionInstallBlocklist is not displayed under the Policy Name column or it is not set to * under the Policy Value column, then this is a finding. Windows method: 1. Start regedit 2. Navigate to HKLM\Software\Policies\Google\Chrome\ExtensionInstallBlocklist 3. If the a registry value name of 1 does not exist under that key or its value is not set to *, then this is a finding.

Fix Text

Windows group policy: 1. Open the group policy editor tool with gpedit.msc 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Extensions\ Policy Name: Configure extension installation blocklist Policy State: Enabled Policy Value: *

Additional Identifiers

Rule ID: SV-221562r879559_rule

Vulnerability ID: V-221562

Group Title: SRG-APP-000089

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.