How to Secure Google Chrome: Disable Secure DNS and Harden Browser Policies

To strengthen your organization’s security posture, it’s essential to secure browser settings, particularly for widely used browsers like Google Chrome. By leveraging Chrome’s Group Policy settings, administrators can control browser behavior and limit potential vulnerabilities. This includes disabling features like Secure DNS (DNS-over-HTTPS), which can bypass network-level filtering and pose a security risk. Additionally, managing policies to restrict or block extensions, enforce SafeSites filtering, and control built-in DNS clients can further reduce exposure to cyber threats. This guide provides detailed, step-by-step instructions on how to configure Chrome through administrative templates to harden your browser and protect your network environment.

Installing Administrative Templates

Step 1: Download Chrome Administrative Template

1. Download the Administrative Template: First, you need to download the Chrome administrative template from the Chrome Enterprise page as a bundle. It contains the necessary files within it (https://chromeenterprise.google/browser/download/#download-browser).
2. Extract the Contents: The download will include a ZIP file containing the template and documentation. Extract the contents of this ZIP file to a folder.

Step 2: Add the Template to Group Policy

1. Open Group Policy Management: Press Windows Key + R, type gpedit.msc, and press Enter to open the Local Group Policy Editor.
2. Navigate to Administrative Templates: Go to Local Computer Policy > Computer Configuration > Administrative Templates.
3. Add/Remove Templates: Right-click on Administrative Templates, and select Add/Remove Templates.
4. Add the Chrome Template: Click on Add, navigate to the location where you extracted the Chrome policy templates, and select the chrome.adm or chrome.admx file (depending on your version of Windows). If you’re using the ADMX template, you should copy the ADMX file and its language folder (ADML) to the C:\Windows\PolicyDefinitions directory instead of using the Add/Remove Templates option.
5. Close the Dialog: After adding the template, click Close in the Add/Remove Templates dialog.

Configure Chrome Policy for Blocking Extensions and Allowing Some

1. Navigate to Chrome Policies: Back in the Group Policy Editor, you’ll now see a Google or Google Chrome section under Administrative Templates (the exact path might vary slightly based on the template version). Navigate to it.
2. Enable Extension Allow List: Look for a policy named Configure extension installation allow list
   • Enable the Policy: Double-click the policy, set it to Enabled.
   Specify the IDs in the options off all the extensions you want to allow: In the options, add the IDs of the extensions you want to allow.
3. Disable Extension Installation: Look for a policy named something like Configure extension installation blocklist.
   • Enable the Policy: Double-click the policy, set it to Enabled.
   Specify * to Block All Extensions: In the options, add * to the list. This wildcard character blocks the installation of all new extensions not in the allow list.
4. Apply the Policy: Click OK or Apply to save the policy settings.

Configuring “Control SafeSites adult content filtering” in Google Chrome via Group Policy:

To configure this policy, you will need to have administrative access to Group Policy Editor and the Chrome Administrative Template installed.

1. Open Group Policy Editor:
   • Press Win + R, type gpedit.msc, and press Enter.
2. Navigate to Chrome Policies:
   • Go to Computer Configuration > Administrative Templates > Google > Google Chrome.
3. Locate and Configure the Policy:
   • Find the Control SafeSites adult content filtering policy within the list.
   • Double-click on it to open the policy settings.
   • You can choose to Enable it to enforce SafeSites filtering or Disable it if you want to turn off the filtering. There may also be an option to leave the setting as Not Configured, which means the default behavior of Chrome (typically filtering disabled) will apply.
4. Apply the Policy:
   • After selecting your preferred option, click Apply and then OK.

Disable DNS over HTTPS

Step 1: Open Group Policy Editor

1. Press Win + R to open the Run dialog.
2. Type gpedit.msc and press Enter to launch the Local Group Policy Editor.

Step 2: Navigate to Chrome Policies

1. In the Group Policy Editor, navigate to Computer Configuration > Administrative Templates > Google > Google Chrome.If you’re managing user settings, you might instead go to User Configuration > Administrative Templates > Google > Google Chrome.

Step 3: Configure the “Controls the mode of DNS-over-HTTPS” Policy

1. Find the policy named “Controls the mode of DNS-over-HTTPS” in the list.
2. Double-click the policy to edit it.
3. Set the policy to Enabled. This allows you to control the DoH settings.
4. In the options section, you will see a field to specify the mode. Enter Disable DNS-over-HTTPS to disable DNS-over-HTTPS.
5. Click Apply, then OK to save the changes.

Step 4: Disable Built-in DNS Client

1. Find the policy named Use built-in DNS client
2. Set it to Disabled

ALTERNATIVELY Force a Specific DNS over HTTPS URI

1. Find the policy named Specify URI template of desired DNS-over-HTTPS resolver
2. Enable the policy and set value to DoH URI
3. Find the policy Controls the mode of DNS-over-HTTPS and set it to Enable DNS-over-HTTPS without insecure fallback . This is considered the secure policy value.

Force Google SafeSearch and YouTube Restricted Mode

1. Find the policy Force Google SafeSearch and enable it
2. Find the policy Force minimum YouTube Restricted Mode and enable it. Set it to Moderate or Strict

Note: These settings may be redundant if DNS is doing its job

Testing Policies

On a target client device, open Chrome and go to chrome://policy/ to see all policies that are applied. If you applied policy settings on the local computer, policies should appear immediately. You might need to close and reopen Chrome if it was open while you were configuring policy settings.