We recently shared some of our insights around Encryption, explaining what it is, and how it's affecting families and small network owners. In those articles, we explained how it's quickly becoming the #1 preferred mechanism to bypass network controls because of it's ease of use.
While I did talk about VPN's, I didn't talk much about another vector that is highly leveraged by children and employees alike - Browser Extensions.
This post will focus on that and will share ways to lock down access to extensions on your notebook and desktop devices.
What is a Browser Extension?
A browser extension is a mechanism that exists in most modern browsers allowing the browser's capabilities to be expanded. Think of it as a plugin of sorts, an add-on. Every browser is a bit different, some call it extensions, others call it an add-on.
Another way to think of them is as apps, similar to what you have on your mobile device. They are sold, and accessed, on the browser's web store.
A lot has changed in the world of extensions. Early on they could access a lot of the internal workings of the browser, but as new security threats were introduced, the rules tightened. But even with the tightened rules, extensions are still able to control a lot of what happens on the browser, and the corresponding network.
How Browser Extensions are Used to Bypass Networks
By design, accessing extensions on browsers is extremely simple. For example, in chrome, simple type the following into the URL:
This is what you will see:
From this page, a user can access the Chrome Web Store. Via the Chrome Web Store they are able to search for extensions across a wide range of capabilities. The most impactful to network owners are Virtual Private Networks (VPN).
A Virtual Private Network (VPN) as the name implies creates a tunnel to the outside world. It breaks through your networks defensive controls and allows a user to circumvent any rules you might in place.
Here is an illustration of how it works:
To better understand how VPN's work, we wrote an article to help - How to Block VPN Access At Home. For this article, what I want you to take away is that via a VPN, children and employees can access whatever they want and while there is a lot you can do to block VPN's, it's not realistic to think you'll be able to block them all - one of the reasons for this is because of how extensions have been introduced and its accessibility.
This means that similar to Encrypted DNS, controlling access falls into the hands of the network administrators (parents and organizations alike) responsible for creating family friendly networks.
The easiest way to do this in Windows is to use the Windows Registry. Via this mechanism, if coupled with our guidance on differentiating user roles, you can control what can, and can't, be installed on your devices.
What the Registry File Does
The registry file we provide above automates the process described in this article - Prevent Installation of Browser Extensions / Add-ons.
It specifically blocks the users' ability to install an extension by presenting them a "blocked" message when they open an extension.
Additionally, it leverages a whitelist model that allows you to specify which extensions are allowed. In this version, we whitelist:
- Google Docs Offline
- Google Docs
- Google Sheets
- Google Slides
It also includes the previous configuration to disable DOH in Chrome. We encourage all parents that have children using Windows to download this file (zip file). Decompress the file and double-click the .reg file. That will prompt you with a series of questions, accept and done.
The end result will be all non-approved extensions being "blocked" by default: