In the second part of this blog series, we will be examining the capabilities of Google Chrome and Microsoft Edge browsers in the enterprise today. These apps have become steadily more powerful over time, and now feature capabilities that might surprise you.
Last time, we looked at a policy called DefaultWebBluetoothGuardSetting, which allows websites to communicate directly with Bluetooth devices. This time, we will consider a policy called “RemoteAccessHostAllowRemoteAccessConnections.”
This policy is designed to manage and control remote access capabilities. Although the policy is ostensibly designed to be used in business to provide services like Helpdesk and remote IT support, remote training/development, and even remote access and work enablement, both Center for Internet Security (CIS) and Security Technical Implementation Guides (STIG) are in agreement that this policy should be specifically disabled and locked down. Let’s look at why.
The security risks
The business use cases for this policy seem fairly straightforward. Most of us have had occasion to ask IT or helpdesk teams to see what is happening on our endpoints, and often it leads to support asking if they can take control of the device to fix an issue or correct a configuration. This policy is designed to control and enhance the security of remote connections, particularly when using Chrome Remote Desktop, and determines whether a Chrome instance can connect to a remote host when a remote connection is initiated.
The results of this capability would probably be terrific – if only we lived in a world where threat actors are not constantly on the lookout for inroads that could be used to exploit the enterprise. Because that is not our environment, the enterprise needs to take a close look, as there are a myriad of ways that this seemingly helpful policy could be misused.
The first area of concern with this policy is that attackers could use it to establish unauthorized remote access, particularly in the case of remote connections that do not feature strong authentication. For the connection to work, the target endpoint must be powered on and unlocked, meaning that the remote attacker does not need credentials. In addition, the attacker can visualize every move that the target user makes during the remote session to access applications or information.
Another issue that can arise pertains to data leakage/data exfiltration. If an attacker gains access to the target’s machine on a network, that connection could be used to transfer data externally. The possibility of a network intrusion in which the attacker uses the connection to establish a beachhead and move laterally is a real possibility. This policy can also provide a workaround for security controls.
Taking action
In most cases, the safest approach is to disable this policy. Note that if this policy is left unset, it is the same as enabling it. Another thing to note is that this policy is part of Chrome’s Remote Access policy atomic group. There are a total of 24 different policies in that group. If you are doing this manually, you would need to look at each one… and, of course, consider the thousands of other policies that can be set.
A better way: Menlo Browser Posture Manager
Browser Posture Manager, from Menlo Security, makes this process simple. We leverage a decade of experience securing browsers for leading organizations.
With Browser Posture Manager, you can see how your current browser policies stack up against security industry benchmarks in just a few clicks. Just upload your browser settings as a .JSON file and select the benchmark you’d like to see. You’ll immediately be presented with a complete list of how your current policies stack up, along with a simple explanation of what each policy actually does.
But best of all, Menlo Browser Posture Manager does not dictate these choices for you. Our experience in securing the browser for some of the largest organizations in the world has confirmed our belief that every enterprise is different.
Find out more about how Browser Posture Manager from Menlo can make security simple here.
