Hacking against the IT-Department - Chrome Policies

What to do if…

the IT department changes Chrome policies so that Chrome becomes unusable or the usual (developer) user experience is lost?

Initial Situation

As a Google fan, I obviously use Google Chrome as my default browser. However, for a few days now I have found every morning that I am logged out of all sites (Google, GitHub, Stack Overflow, etc.). Logging in again every day with two-factor authentication is a real pain and takes a certain amount of time. About 30s per page if you are fast. Every day, five days a week. That’s not exactly productive, and on my private Windows machine I can’t reproduce this behavior. So it definitely has something to do with the working environment. My first thought: Group Policy.

I know the Chromium source code very well, but so far I was not familiar with anything about Windows Group Policies and Google Chrome. After a short search I found this: https://support.google.com/chrome/a/answer/187202?hl=en

So, the IT department can set machine-wide policies for Google Chrome, and this is the reason for the strange/unknown behaviour of my browser. This is achieved by setting registry keys in: HKLM\Software\Policies\Google\Chrome

Why do they do this? My guess is that they want to customize and secure the Chrome installation which comes through the client management. Nice, but other Chrome installations are also affected by these policy settings.

And now? Using something other than Chrome or Chromium is not an option.

Solution 1: Observing the Windows Registry

I’ve written a Windows Service which observes the registry path HKLM\Software\Policies\Google, deletes the Chrome subkey (and all other subentries) if it is there and lets Chrome call a JavaScript function which refreshes the policies. This is the same as the refresh button over here: chrome://policy. This solution works but is not 100% good, because if you close the browser and the policies are set… everything is lost and you need to log in at the next startup. Resources are also needed.
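Seen from the IT department's side, the delete-and-refresh loop described above leaves a recognisable trail in registry telemetry. The following is an added example, not part of the original post, that flags deletions under the Chrome policy key in Sysmon-style registry events; the event records, the process paths and the allow-list are constructed assumptions.

```python
from collections import Counter

POLICY_ROOT = r"HKLM\SOFTWARE\Policies\Google"
# Assumption: processes expected to manage policy keys on this fleet.
ALLOWED_WRITERS = {r"c:\windows\system32\svchost.exe"}
DELETE_TYPES = {"DeleteKey", "DeleteValue"}

def under_policy_root(target):
    """True if the registry path is the policy root or below it (case-insensitive)."""
    t, root = target.lower().rstrip("\\"), POLICY_ROOT.lower()
    return t == root or t.startswith(root + "\\")

def find_policy_tampering(events, repeat_threshold=2):
    """Alert on policy deletions by processes outside the allow-list; 'repeated'
    marks an image that deleted policy keys at least repeat_threshold times."""
    hits = [e for e in events
            if e["EventID"] == 12
            and e["EventType"] in DELETE_TYPES
            and under_policy_root(e["TargetObject"])
            and e["Image"].lower() not in ALLOWED_WRITERS]
    per_image = Counter(e["Image"].lower() for e in hits)
    return [{"time": e["UtcTime"], "image": e["Image"], "target": e["TargetObject"],
             "repeated": per_image[e["Image"].lower()] >= repeat_threshold}
            for e in hits]

# Constructed sample events; field names follow Sysmon Event ID 12, and
# PolicyWatcher.exe is a hypothetical name for a key-deleting service.
SAMPLE_EVENTS = [
    {"EventID": 12, "EventType": "CreateKey", "UtcTime": "2024-01-08 07:00:01",
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Google\Chrome"},
    {"EventID": 12, "EventType": "DeleteKey", "UtcTime": "2024-01-08 07:00:03",
     "Image": r"C:\Tools\PolicyWatcher.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Google\Chrome"},
    {"EventID": 12, "EventType": "DeleteKey", "UtcTime": "2024-01-08 08:30:12",
     "Image": r"C:\Tools\PolicyWatcher.exe",
     "TargetObject": r"HKLM\software\policies\google\chrome\ExtensionInstallForcelist"},
    {"EventID": 12, "EventType": "DeleteKey", "UtcTime": "2024-01-08 09:00:00",
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Google\Chrome"},
    {"EventID": 12, "EventType": "DeleteKey", "UtcTime": "2024-01-08 09:05:00",
     "Image": r"C:\Tools\PolicyWatcher.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\GoogleUpdate"},
]

if __name__ == "__main__":
    for alert in find_policy_tampering(SAMPLE_EVENTS):
        print(alert)
```

The last sample event is deliberately outside the policy root: a plain prefix match on `...\Google` would wrongly include `GoogleUpdate`, which is why the check compares on a path-separator boundary.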

Solution 2: Surfing in a Virtual Machine

Using a Linux-based VM to browse. I love Linux-based operating systems. But in this case I will lose the Endpoint Protection, and at the company it is sometimes good to have a feature like that (my opinion). And there are a few other disadvantages. First of all, when downloading software, the automatic selection for the operating system would no longer work, because the host is Windows 10 and the VM is Ubuntu or something similar.

I changed my mind about this through the years.

Solution 3: Compile Chromium

It is widely known that the Chromium project is open source. Its homepage is https://www.chromium.org/ and you can get the code via the fetch command included in the depot_tools. See https://chromium.googlesource.com/chromium/src/+/master/docs/windows_build_instructions.md for Windows build instructions.

In the Chromium source there are several occurrences of HKLM\Software\Policies\Google\Chrome. If you want to go the easy way, change all of these to something like HKLM\Software\Policies\Google\Chromium, for example. Or disable the policy loader if you are more familiar with the Chromium project. Don’t forget to generate the API key, client ID and client secret. There is a HOWTO for this topic: https://www.chromium.org/developers/how-tos/api-keys

Chromium lacks a few features compared to Google Chrome (video formats, Flash, etc.), but it will still be my favorite solution to avoid restrictions set through Group Policies managed by the IT Department.

To select Chromium as my standard Win10 browser I’ve added some keys to the Registry:

Remember to change C:\\chromium\\ to your path.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Chromium]
@="Chromium"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Chromium\Capabilities]
"ApplicationDescription"="Chromium ist ein Webbrowser, der Webseiten und Apps in Sekundenschnelle lädt und dabei äußerst stabil und nutzerfreundlich ist. Dank des integrierten Malware- und Phishing-Schutzes können Sie bedenkenlos im Internet surfen."
"ApplicationIcon"="C:\\chromium\\chrome.exe,0"
"ApplicationName"="Chromium"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Chromium\Capabilities\FileAssociations]
".htm"="ChromeHTML"
".html"="ChromeHTML"
".pdf"="ChromeHTML"
".shtml"="ChromeHTML"
".svg"="ChromeHTML"
".xht"="ChromeHTML"
".xhtml"="ChromeHTML"
".webp"="ChromeHTML"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Chromium\Capabilities\Startmenu]
"StartMenuInternet"="Chromium"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Chromium\Capabilities\URLAssociations]
"ftp"="ChromeHTML"
"http"="ChromeHTML"
"https"="ChromeHTML"
"irc"="ChromeHTML"
"mailto"="ChromeHTML"
"mms"="ChromeHTML"
"news"="ChromeHTML"
"nntp"="ChromeHTML"
"sms"="ChromeHTML"
"smsto"="ChromeHTML"
"tel"="ChromeHTML"
"urn"="ChromeHTML"
"webcal"="ChromeHTML"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Chromium\DefaultIcon]
@="C:\\chromium\\chrome.exe,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Chromium\InstallInfo]
"ReinstallCommand"="\"C:\\chromium\\chrome.exe\" --make-default-browser"
"HideIconsCommand"="\"C:\\chromium\\chrome.exe\" --hide-icons"
"ShowIconsCommand"="\"C:\\chromium\\chrome.exe\" --show-icons"
"IconsVisible"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Chromium\shell]

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Chromium\shell\open]

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Chromium\shell\open\command]
@="\"C:\\chromium\\chrome.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\RegisteredApplications]
"Chromium"="Software\\Clients\\StartMenuInternet\\Chromium\\Capabilities"

Notes

Google Chrome managed by Client Management is currently under test in our company. So maybe I can get the IT Department to change some of the limitations or remove the Group Policy for a specific group. There are good arguments for that.

Summary

No matter how the discussion with my friends at the IT Dep ends, it was another good exercise regarding Chrome, Windows Services, Windows Registry and Group Policies. And it didn’t really take that long.

Does your IT department do weird stuff like that? Without user/employee notification?

— Thanks :)

Remark: This is a takeover of the post originally published on Medium.