Stopping a user with Google Chrome User browsing the C: drive

Is there a way, say in group policy, of stopping users with Google Chrome browsing the hard drive just by typing C:?

Many thanks in advance

Mat
matedwards Asked:

Gary Commented:
Do you mean only with Chrome? Or use an ACL
0
Rich Rumble (Security Samurai) Commented:
No, you'd have to stop every program from doing the same thing, IE, Firefox, MS Word, windows-key+R (type C:)
There are 1000 ways to see the C:. There is a way to hide it from My Computer, but that is about all.
http://support.microsoft.com/kb/231289
Lots of people ask this question, and unless you replace explorer.exe itself (it's what runs everything on your desktop, use task manager and kill it, everything goes away) there is always a way to see the drives, the OS can't function if it can't see them.
-rich
0
Gary Commented:
Chrome policies
http://www.chromium.org/administrators/policy-list-3
Keyword URLBlacklist

Same system for file://
0
Rich Rumble (Security Samurai) Commented:
0
David (President) Commented:
You really can't. Think of how wonderful a virus one could write if there could be some HTML that prevented a user from accessing their boot drive.. You want to block this, you'll have to do it via active directory or something similar.
0
Gary Commented:
Did you read the question?
0
Rich Rumble (Security Samurai) Commented:
Actually it doesn't work in the latest Chrome (or any gt 28), supposedly you can use a GPO and it works...
[HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\URLBlacklist]
new string value
1 ->file://
2 ->file:///
3 ->file:///C:/
I haven't tried it via GPO which modifies the registry (go figure)
https://code.google.com/p/chromium/issues/detail?id=259236
-rich
0
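As an added example (not part of the original thread, and not Google's or the poster's code), the registry values quoted in the comment above can be written and then read back from an elevated PowerShell prompt. The function names are hypothetical; the key path and the three entries are the ones given in the post.

```powershell
# Added example, not from the thread. Run elevated: it writes under HKLM.
# Key path and entries are the ones quoted in the comment above.
$key     = 'HKLM:\Software\Policies\Google\Chrome\URLBlacklist'
$entries = [ordered]@{ '1' = 'file://'; '2' = 'file:///'; '3' = 'file:///C:/' }

function Set-ChromeFileBlacklist {
    # Create the policy key if it is missing, then write each string value.
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($name in $entries.Keys) {
        New-ItemProperty -Path $key -Name $name -Value $entries[$name] `
            -PropertyType String -Force | Out-Null
    }
}

function Test-ChromeFileBlacklist {
    # Report each expected entry and whether the registry currently holds it.
    $current = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in $entries.Keys) {
        [pscustomobject]@{
            Name     = $name
            Expected = $entries[$name]
            Actual   = if ($current) { $current.$name } else { $null }
            Ok       = [bool]($current -and $current.$name -eq $entries[$name])
        }
    }
}

Set-ChromeFileBlacklist
Test-ChromeFileBlacklist | Format-Table -AutoSize
```

After a browser restart, chrome://policy shows whether Chrome has picked the values up.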

Gary Commented:
You administer the restrictions through the GPO - that's what it is for and Chrome respects its rules. It was changed in later versions to make policy editing more seamless with the way everyone else does it.
0
David (President) Commented:
So what is to prevent somebody from using 127.0.0.1/ or localhost:// and installing a local web server to get around chrome?

What about setting up an alias or share that makes E:\ the same as C:\ or a subset of that.  Even if you program Chrome to block C:\, they could still get what they want via this alias.

You might want to comment on the environment and what you are *really* trying to prevent.  Limiting access to a HDD via a single program will not provide any protection unless it is the only program that people can get to.  Even then, one could point a browser to a site with some javascript and they could still compromise a PC's security, or crash it, or install a virus.
0
Gary Commented:
Don't know if you are already using it/know about it but sounds like this may be better for you rather than the standard Chrome
http://www.google.com/intl/en/chrome/business/browser/admin/
0
David (President) Commented:
Well there is another outside the box technique.   You could use the open source version of chrome instead, and make a very simple fix to the source code that resides next to the open() statement which checks to see the physical drive path and reacts accordingly.

This will be infallible, and will work regardless of group policy, or even if they are logged on as a local administrator.

The chromium browser source code is here along with all directions for building it.
http://dev.chromium.org/developers/how-tos/get-the-code

Any decent C programmer should be able to do this for you.  We're talking an hour's worth of work. If you don't have any then I'm betting for a few hundred bucks you'll find plenty of takers who will turnkey the project at contract developer sites such as guru.com

(They won't be able to use physical drive / network aliases, and you can block them from being sneaky if they get creative with partitioning, or renaming the C: directory, changing drive letters, whatever.  You'll block on the physical disk and know the unique identifier for that drive, or have the means to block by specific serial numbers.  It will even work with RAID controllers or software RAID with a little more code.)

You would just let them open the file to get a handle, then pass that into the GetFileInformationByHandle function.  This one function gives you the physical volume info.  
The physical volume info gives you the real hardware identifier, so you can block a specific drive, or any drive that is mapped as C, or whatever.

It would even protect if they configured a local webserver on their system to let them browse contents of the computer, or if they turned off the network connection.  

Group policy techniques will fail if they disconnect from the network and manage to log in as another user.


This technique will protect against all forms of hacking as long as you make sure they can't leave the confines of the patched browser.
0
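An added example, not part of the thread and not Chromium code: the handle-based check described in the comment above, written as a PowerShell P/Invoke wrapper. `VolumeProbe` and `Test-PathOnBlockedVolume` are hypothetical names; the volume field that `GetFileInformationByHandle` fills in is `dwVolumeSerialNumber`, the serial number of the volume the opened file lives on.

```powershell
# Added example, not from the thread. VolumeProbe is a hypothetical helper class.
Add-Type -TypeDefinition @'
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;
using FILETIME = System.Runtime.InteropServices.ComTypes.FILETIME;

public static class VolumeProbe
{
    // Field order mirrors the Win32 BY_HANDLE_FILE_INFORMATION structure.
    [StructLayout(LayoutKind.Sequential)]
    struct BY_HANDLE_FILE_INFORMATION
    {
        public uint FileAttributes;
        public FILETIME CreationTime, LastAccessTime, LastWriteTime;
        public uint VolumeSerialNumber;
        public uint FileSizeHigh, FileSizeLow, NumberOfLinks;
        public uint FileIndexHigh, FileIndexLow;
    }

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool GetFileInformationByHandle(SafeFileHandle h, out BY_HANDLE_FILE_INFORMATION info);

    // Open the file first, then ask the OS which volume the handle lives on.
    public static uint SerialOf(string path)
    {
        using (var fs = new FileStream(path, FileMode.Open, FileAccess.Read, FileShare.ReadWrite))
        {
            BY_HANDLE_FILE_INFORMATION info;
            if (!GetFileInformationByHandle(fs.SafeFileHandle, out info))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            return info.VolumeSerialNumber;
        }
    }
}
'@

function Test-PathOnBlockedVolume {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][uint32[]]$BlockedSerials)
    # Decide on the opened handle's volume, not on the drive letter in $Path.
    $BlockedSerials -contains [VolumeProbe]::SerialOf($Path)
}

# Usage: take the system volume's serial from a file known to be on it.
$systemSerial = [VolumeProbe]::SerialOf("$env:SystemRoot\explorer.exe")
Test-PathOnBlockedVolume -Path $env:ComSpec -BlockedSerials $systemSerial
```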
matedwards (Author) Commented:
These suggestions managed to obscure the C: drive for standard users.. not sure it completely blocked it because, before we could deploy, the Education version of Chrome totally messed up the test PC and we aborted rolling it out.. thanks for the suggestions and 'debate'..
0