Prevent Installation of Browser Extensions / Add-ons (Windows)
Guide for Microsoft IE, Google Chrome and Mozilla Firefox on Windows Device
When hardening a machine there is nothing more frustrating than when the user you are working to protect bypasses your controls using features of an application. By design, browser, are one of the biggest culprits; they continuously assume more and more control allowing users to bypass security controls. There is no better example of this than with browser extensions.
In this guide we’ll walk you through the process of updating your Windows machine so that the user is unable to add extensions to their browsers. This is especially important for VPN extensions that allow a user to bypass network based controls.
Setting up Appropriate Roles / Permissions
The key to this being effective on the machine you’re trying to harden is to ensure you’re configuring the machine with appropriate roles / permissions.
If the user you’re trying to protect has administrative privileges to the machine they will have the ability to undo everything shown in this guide.
Create a new User in Windows
Without getting into too many details, here are the rudimentary steps to creating a “standard” user on the Windows machine:
- Select Settings.
- Tap Accounts.
- Select Family & other users.
- Tap "Add someone else to this PC."
- Select "I don't have this person's sign-in information."
- Select "Add a user without a Microsoft account."
- Enter a username, type the account's password twice, provide answers to the three questions, and the user is created.
Windows by design will create a standard user account. By default, Windows provides two account types: administrator and standard. The easiest way to think of it is that an administrator can do anything they want on the machine, while a standard user can use the machine but can’t make system level changes. This will become more important later.
Disabling Extensions in Browsers (Edge, Microsoft, and Firefox)
To disable extensions in the browsers you are going to work in something called Windows Registry. You have to be an administrator to make this change. We are also assuming the user is on a Windows 10 machine.
Tech Disclaimer: Modifying your registry can cause catastrophic issues on your machine that might cause system failures that result in rebuilding your computer. We feel confident that if you follow these steps you’ll be safe, but it’s always good to make a backup of the registry before making any changes.
The key to getting this to work is to make the update in the right location. It starts with knowing where the registry keys have to go. You will make all the updates here: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\.
You can access the registry by opening RegEdit from your start command:
When you open the registry editor you’ll see a dialog that looks like it is stuck in Windows 95:
It is important you navigate the “Policies” and apply your configurations in this section. If you don’t, the browsers will not acknowledge your registry changes.
What you see in your policies directory will vary from machine to machine. Those “directories” are actually keys, but to help simplify this guide we’ll refer to them as directories.
You create a new directory by right-clicking Policies and selecting new Key. This will create what looks like the directory above.
With that basic knowledge, let’s disable some browser extensions.
Disabling Chrome Browser Extensions
To disable the users ability to disable extensions in Chrome you’re going to leverage the ExtensionInstallBlacklist key and using a string value that has the name “1” and data value of “*”.
By design, you use the ExtensionInstallBlacklist key to disable specific extensions, but it also supports a wildcard value which is what the “*” is.
It will look like this:
Tech Disclaimer: You do not need to reboot the machine after making this change
Open Chrome, and try to install an extension, any extension, it doesn’t matter. You will be greeted with this error:
Disabling Microsoft IE Browser Extensions
Disabling Microsoft’s IE browser is very similar, but you’ll be using a different key. You will want to create an Extensions key inside of the MicrosoftEdge key. You will create a DWORD attribute with the ExtensionsEnabled value and a data value of 0.
It will look like this:
Open Windows IE, and try to install an extension. You’ll notice that the extensions option is now disabled.
Disabling Mozilla Firefox Extensions
Disabling extensions in Mozilla Firefox browser is a bit different. You will create a ExtensionSettings key inside of a Firefox key, but it will have a multi-string value. The multi-string value will contain two specific attributes: install_source and installation_mode.
You will want these values:
- “install_sources”: [“https://addons.mozilla.org/”],
- “installation_mode”: “blocked”,
It will look like this:
Open Mozilla Firefox, and try to install an add-on. You will be greeted with this error:
Why Disable Browser Extensions?
One of the most effective ways users bypass network controls, kids or employees, is to leverage the features found in the browsers in the form of add-ons and extensions. These add-ons and extensions help extend the browsers capability, introducing things like Virtual Private Networks (VPN) in the name of privacy and in some instances are used as a medium to distribute malicious code (e.g., malware) presenting a potential security risk to your network, users, and family.
Remember, however, that deploying these additional protective controls are useless if you skip step 1 (removing the users administrative rights). The article above is intentionally vague in some areas to help prevent a user from reverse engineering the steps, but in the end if they are an administrator they will be able to undo the configuration.