Unless you've been locked away in a dungeon for the past few weeks, you should be aware that Google released its first web browser, Google Chrome. While I was cruising around the office the day of its release, I noticed that some of our users had installed and were using this web browser, violating corporate policy. By default, our users don’t have permissions to write to the restricted areas that most applications write to when they're installed, so it's our policy to have administrators install applications for users.
I decided to investigate how these users were able to install Google Chrome. My initial investigation revealed that the browser is designed to bypass restricted write areas and install into C:\Users\%username% in Windows Vista and C:\Documents and Settings\%username% in Windows XP. Because standard users can write to these areas, they're able to install the browser without Admin rights.
After installing Google Chrome on my Vista machine, I found that browser installed a setup file named chromesetup.exe, an executable named chrome.exe, and Windows Installer file named gears-chrome-opt.msi in the C:\Users\%username%\AppData\Local\Google\Chrome\Application folder. (In XP, the folder is C:\Documents and Settings\%username%\Local Settings\Application Data\Google\Chrome\Application.) Armed with this information, I successfully created a software restriction policy named Block Google Chrome to disallow these three files.
Here's how you can create the Block Google Chrome software restriction policy for your Vista or XP machines:
- Open the Group Policy Management Console (GPMC).
- Right-click your domain and choose the Create a GPO in this domain, and link it here option.
- Name the Group Policy Object (GPO) Block Google Chrome and click OK.
- Right-click the policy you just created and click Edit.
- Navigate to the User Configuration\Policies\Windows Settings\Security Settings\Software Restriction Policies folder.
- Right-click Software Restriction Policies and select New Software Restriction Policies.
- Right click Additional Rules and choose New Path Rule.
- In the Path field, type chromesetup.exe.
- In the Security level drop-down box, choose Disallowed and click OK.
- Repeat steps 7 through 9 for the chrome.exe and gears-chrome-opt.msi files.
- Repeat steps 7 through 9 for the path C:\Users\%username%\AppData\Local\Google\Chrome\Application\chrome.exe for Vista machines or C:\Documents and Settings\%username%\Local Settings\Application Data\Google\Chrome\Application\chrome.exe for XP machines. You should include this rule in case some of your users have already installed the browser. After you implement the GPO and the Group Policy settings refresh on those users' local machines, they'll no longer be able to successfully run Google Chrome.
- Open a command-prompt window and run the command
gpupdate /forceto apply the new rules.
- Run the command
gpresult /Rin Vista SP1 or the command
gpresultin XP and Vista (pre-SP1) to verify that the newly created GPO has successfully been applied.
- As a final test, attempt to run the installer from the Google Chrome website. If the policy is successful, you should see the error that Figure 1 shows.
With the Block Google Chrome software restriction policy, you can stop users from installing and using Google's new web browser without IT's consent. (Note that if you want some users to be able to install and run the browser, you can filter the GPO so that it won't affect them.) You can even adapt these steps to block other applications that install to user-accessible areas in the OS and registry.
—Steve Di Bias, systems administrator, Las Vegas Convention Center