Return to site

Chrome Non Admin Install

broken image


Install DoD root certificates with InstallRoot (32-bit, 64-bit or Non Administrator). In order for your machine to recognize your CAC certificates and DoD websites as trusted, run the InstallRoot utility ( 32-bit, 64-bit or Non Administrator ) to install the DoD CA certificates on Microsoft operating systems. Uninstalling non-admin install of Google Chrome (Part II) So my earlier attempt at uninstalling per-user / non-admin install of Google Chrome worked, but Google Updater was re-installing it daily. So I re-wrote it in PowerShell mostly because I'm finally taking the plunge to learn it.

  1. Chrome Non Admin Installation
  2. Install Chrome As Non Admin

You've set up your infrastructure to provide the most productive work environment possible for your users. You adhered to company management and IT policies and created a system to control access to the Internet for the company's and user's protection. Then you discover someone found a way to bypass those controls. Welcome to today's world in IT administration. Managing your users is not too different from parenting your children. They are going to test the boundaries. If they can, they will.

Chrome Non Admin Installation

I recently had been tasked with preventing users from installing and running Google Chrome. This company had an extensive Group Policy system in place to control how users are able to access the web via Internet Explorer. Whether or not it was because an astute user discovered they could bypass those controls using Google Chrome, or it was just 'automagically installed', it was against the company's IT security policy. These users do not have local administrator permissions on their machines, but alas, that is not necessary to install Chrome. Standard users can install it. Google Chrome installs to the user profile, in the AppDataLocal folder rather than the Program Files folder. Users have full administrative rights to their profiles folder, so therein lies the problem for us hall monitors. This is where Group Policy Software Restriction Policies come to the rescue to block Google Chrome from installing and running.

How to configure the policy to block installation of Google Chrome.

  1. Edit or create a new GPO contain the settings to disable Chrome.
  2. Navigate to User Configuration -> Windows Settings -> Security Settings
  3. Right-click Software Restriction Policies, and select New Software Restriction Policies.
  4. Right-click Additional Rules, and choose New Path Rule
  5. In the Path field, type exe.
  6. Select Disallowed in the Security level drop down menu, and click OK to save the rule.
  7. Add the following rules by repeating steps 4-6:
    • Chrome.exe
    • Gears-Chrome-Opt.msi
    • Chrome_Installer.exe
    • GoogleUpdate
    • C:Program FilesGoogleChromeApplication
    • C:Program Files (x86)GoogleChromeApplication
    • C:Users%username%AppDataLocalGoogleChromeApplicationChrome.exe
  8. When complete, this is how the Additional Rules in your Software Restriction Policy should look:
  9. Link the GPO to the domain, or for more refined restriction, to a specific OU.
  10. If you should need to also block Mozilla Firefox, you'll need to create 2 rules with these Paths:
    • Firefox exe
    • Firefox Setup*.exe

Installation of Google Chrome will now be disabled, and users will receive a notification that their system administrator has blocked the program. But now what do you do for admins or web designers who have permission to run Chrome, or other web browsers – for testing or whatever the need may be? Fortunately, you can control how Group Policies are applied by filtering the scope of the Group Policy Object. I need to point out that this process should be performed using group membership rather than individuals to simplify administrative overhead of keeping the filtering up to date. The following steps contain additional configuration for allowing Chrome access for specific groups.

How to allow Chrome access for specific groups.

  1. To exempt a group from being blocked, for example, Domain Admins, delegate permissions.
  2. In the GPO, on the Delegation tab, click on the Advanced
  3. Select the target group in the top window, and scroll down to Apply group policy in the bottom window, and check the box under Deny. Click OK.
  4. In the example above, I also created an AD security group, Google Chrome Block Exception, and added it by clicking the Add button. Then, I denied the policy from applying by checking the box. This group allows us to add members who need to use Chrome, but we don't have to make them a Domain Admin.

You have now disabled Google Chrome for all users that are not specifically allowed access to it. At the end of the day, it's just another tool we system admins have in our arsenal to combat the introduction of unauthorized applications into our network. That could compromise the security and productivity we've implemented in our network, which might make the end of the day come much later.

Donny Hilbern is a network and systems consultant specializing in analyzing, designing, and implementing network and enterprise systems. Donny has been working in the IT field for over 25 years, with nearly 20 years of that time invested in network and system administration and infrastructure technology. He has experienced a number of undocumented or lightly documented issues during that time. His desire is to leverage that experience in sharing about some of those issues and how they were resolved to make IT work for his clients.

Google has released a new version of Chrome Frame – the Internet Explorer plug-in that turns Microsoft's browser into a Google browser – letting users install the plug-in even when they don't have administrator privileges on their machines.

The new version runs a 'helper process' when IE starts up that can then load the Chrome Frame plug-in when it's requested, and you don't need admin privileges to do so. 'Yay for clever technical hacks that help users circumvent ossified IT bureaucracy,' said one commenter on Hacker News. But admins aren't likely to feel the same.

Google is well aware of this. But the company says that if admins don't like it, they can use separate Google admin tools to stop it from happening.

Mountain View announced its 'non-admin' Chrome Frame last month at its annual developer conference in San Francisco, but it has only just released a stable version of the new plug-in here. The change is part of Google's ongoing effort to bring the latest web applications to the older versions of Internet Explorer still running on so many machines across the globe. IE8 and earlier versions of Microsoft's browser lack support for HTML5, Canvas, and the latest CSS/Layout handling – not to mention slow JavaScript engines – but they're still widely used in the enterprise.

Older versions of IE can sit on machines for years, as admins seek to ensure that custom web applications will run properly. What's more, many machines are still on Microsoft's Windows XP operating system, which means they can't be upgraded to Microsoft's latest version of Internet Explorer, IE9, the release that finally brought the browser into the modern world. IE9 won't run on Windows XP.

Chrome Non Admin Install

In essence, Chrome Frame equips Microsoft's browser with the rendering and JavaScript engines at the heart of Google's Chrome browser, and despite vehement objections from Microsoft – and others – Google is intent on slipping the plug-in into as many existing installations of IE 6, 7, and 8 as it possibly can. On one level, Google is even hoping to get Chrome Frame into Internet Explorer 9, which does not support WebGL, the new standard for hardware accelerated 3D inside browsers.

'Google Chrome Frame ... is a bridge of sorts,' Google's Alex Russell said last month at Google's developer conference. 'Instead of asking users to replace their browser – or asking IT organizations to run two browsers side-by-side – Google Chrome Frame puts the power of Google chrome inside Internet Explorer.'

Install Chrome As Non Admin

If you visit a site that has been set up to do so, it will launch Chrome Frame rather than Microsoft's native engine. And users can set Chrome Frame as their default engine via a registry key. Google also provides tools that allow websites to readily encourage users to install Chrome Frame, and some sites, including Yahoo!, are already doing so. Google's Gmail uses Chrome Frame, and the company says the email service runs 30 per cent faster on the plug-in than on older version of IE.

Google has long urged admins to adopt Chrome Frame, offering tools for managing the installations and updates of the plug-in, but now it's also allowing end users to install the plug-in without an administrator's approval. Last month, Russell briefly touched on Google's technical workaround – which involves the use a Browser Helper Objects (BHOs) – but he provided little detail.

'A very small portion of Chrome Frame lives inside the process space of IE,' he said. 'This is how BHOs – which are these little processes that IE decides to launch at startup time – work. We need some way to get Chrome Frame loaded. We figured out a way to do that. So once that's done, everything else can work as normal. We just have to be inside the process space.' Google can do so even if the user doesn't have admin privileges.

When we asked Google about its end-run around admin controls, it pointed out that admins can still prevent the installation of the plug-in using Google Update controls. 'An admin can still apply policies as before, if they wish,' a company spokeswoman told us. 'They can have a policy in place that will prevent users from installing Chrome Frame, if desired, just as they can any other Google software managed by Google Update.'

It's a typical Google defense. The company is offering a way for you to prevent something from happening. But you first you have to realize it's happening. And Google knows that many will fail to realize it.

One wonders what Microsoft thinks of all this. But when we asked the company to comment, its response was guarded. 'We believe we deliver the best out-of-the-box browsing experience enabling users to get the best of the web without needing additional plug-ins or add-ons,' said a company spokeswoman.

Microsoft wail

Chrome Frame first hit the web in September 2009 as a developer preview, when Mountain View was preparing to expand access to Google Wave, the now-defunct communication platform that relied heavily on fresh standards such as HTML5 and requires rather speedy JavaScript and DOM performance. The day the plug-in was first released, Microsoft let out a wail.

'With Internet Explorer 8, we made significant advancements and updates to make the browser safer for our customers,' the company told us. 'Given the security issues with plug-ins in general and Google Chrome in particular, Google Chrome Frame running as a plug-in has doubled the attack area for malware and malicious scripts. This is not a risk we would recommend our friends and families take.'

Days later, Mozilla complained as well. Mozilla VP of engineering Mike Shaver pointed out that Chrome Frame sidestepped IE's built-in security tools, and he argued that it would end up confusing netizens. 'The user's understanding of the web's security model and the behaviour of their browser is seriously hindered by delegating the choice of software to the developers of individual sites they visit,' he said, alluding to the fact that after you install Chrome Frame, individual websites decide when to launch it.

'It is a problem that we have seen repeatedly with other stack-plugins like Flash, Silverlight and Java, and not one that I think we need to see replayed again under the banner of HTML5,' Shaver said.

Mozilla boss Mitchell Baker agreed. 'If you end up at a website that makes use of the Chrome Frame, the treatment of your passwords, security settings, personalization, and all the other things one sets in a browser is suddenly unknown,' she said. 'Will sites you tag or bookmark while browsing with one rendering engine show up in the other? Because the various parts of the browser are no longer connected, actions that have one result in the browser you think you're using won't have the same result in the Chrome browser-within-a-browser.'

With the release of the Chrome Frame beta the following summer, Google addressed some of this criticism. If you're using IE's private browsing mode and the browser flips on Chrome Frame, Google will turn on a similar setting. And in similar fashion, the plug-in also dovetails with IE's cache-clearing and cookie-blocking tools.

This may have satisfied some, but the latest version of the plug-in is sure to raise the ire of others. During his talk last month, Russell even acknowledged this. But his ultimate answer was to point admins to Google's official tools for managing Chrome Frame. '[Chrome Frame non-admin installs] scares the bejesus out of a lot of IT administrators. And admittedly, their concerns aren't wrong. If you're an IT administrator, you want your users to be running a locked-down configuration,' he said. 'So over the last year, we've done a lot of work to make sure Chrome and Chrome Frame can be administered in the way that you want.'

Chrome offline installer 32 bit

In essence, Chrome Frame equips Microsoft's browser with the rendering and JavaScript engines at the heart of Google's Chrome browser, and despite vehement objections from Microsoft – and others – Google is intent on slipping the plug-in into as many existing installations of IE 6, 7, and 8 as it possibly can. On one level, Google is even hoping to get Chrome Frame into Internet Explorer 9, which does not support WebGL, the new standard for hardware accelerated 3D inside browsers.

'Google Chrome Frame ... is a bridge of sorts,' Google's Alex Russell said last month at Google's developer conference. 'Instead of asking users to replace their browser – or asking IT organizations to run two browsers side-by-side – Google Chrome Frame puts the power of Google chrome inside Internet Explorer.'

Install Chrome As Non Admin

If you visit a site that has been set up to do so, it will launch Chrome Frame rather than Microsoft's native engine. And users can set Chrome Frame as their default engine via a registry key. Google also provides tools that allow websites to readily encourage users to install Chrome Frame, and some sites, including Yahoo!, are already doing so. Google's Gmail uses Chrome Frame, and the company says the email service runs 30 per cent faster on the plug-in than on older version of IE.

Google has long urged admins to adopt Chrome Frame, offering tools for managing the installations and updates of the plug-in, but now it's also allowing end users to install the plug-in without an administrator's approval. Last month, Russell briefly touched on Google's technical workaround – which involves the use a Browser Helper Objects (BHOs) – but he provided little detail.

'A very small portion of Chrome Frame lives inside the process space of IE,' he said. 'This is how BHOs – which are these little processes that IE decides to launch at startup time – work. We need some way to get Chrome Frame loaded. We figured out a way to do that. So once that's done, everything else can work as normal. We just have to be inside the process space.' Google can do so even if the user doesn't have admin privileges.

When we asked Google about its end-run around admin controls, it pointed out that admins can still prevent the installation of the plug-in using Google Update controls. 'An admin can still apply policies as before, if they wish,' a company spokeswoman told us. 'They can have a policy in place that will prevent users from installing Chrome Frame, if desired, just as they can any other Google software managed by Google Update.'

It's a typical Google defense. The company is offering a way for you to prevent something from happening. But you first you have to realize it's happening. And Google knows that many will fail to realize it.

One wonders what Microsoft thinks of all this. But when we asked the company to comment, its response was guarded. 'We believe we deliver the best out-of-the-box browsing experience enabling users to get the best of the web without needing additional plug-ins or add-ons,' said a company spokeswoman.

Microsoft wail

Chrome Frame first hit the web in September 2009 as a developer preview, when Mountain View was preparing to expand access to Google Wave, the now-defunct communication platform that relied heavily on fresh standards such as HTML5 and requires rather speedy JavaScript and DOM performance. The day the plug-in was first released, Microsoft let out a wail.

'With Internet Explorer 8, we made significant advancements and updates to make the browser safer for our customers,' the company told us. 'Given the security issues with plug-ins in general and Google Chrome in particular, Google Chrome Frame running as a plug-in has doubled the attack area for malware and malicious scripts. This is not a risk we would recommend our friends and families take.'

Days later, Mozilla complained as well. Mozilla VP of engineering Mike Shaver pointed out that Chrome Frame sidestepped IE's built-in security tools, and he argued that it would end up confusing netizens. 'The user's understanding of the web's security model and the behaviour of their browser is seriously hindered by delegating the choice of software to the developers of individual sites they visit,' he said, alluding to the fact that after you install Chrome Frame, individual websites decide when to launch it.

'It is a problem that we have seen repeatedly with other stack-plugins like Flash, Silverlight and Java, and not one that I think we need to see replayed again under the banner of HTML5,' Shaver said.

Mozilla boss Mitchell Baker agreed. 'If you end up at a website that makes use of the Chrome Frame, the treatment of your passwords, security settings, personalization, and all the other things one sets in a browser is suddenly unknown,' she said. 'Will sites you tag or bookmark while browsing with one rendering engine show up in the other? Because the various parts of the browser are no longer connected, actions that have one result in the browser you think you're using won't have the same result in the Chrome browser-within-a-browser.'

With the release of the Chrome Frame beta the following summer, Google addressed some of this criticism. If you're using IE's private browsing mode and the browser flips on Chrome Frame, Google will turn on a similar setting. And in similar fashion, the plug-in also dovetails with IE's cache-clearing and cookie-blocking tools.

This may have satisfied some, but the latest version of the plug-in is sure to raise the ire of others. During his talk last month, Russell even acknowledged this. But his ultimate answer was to point admins to Google's official tools for managing Chrome Frame. '[Chrome Frame non-admin installs] scares the bejesus out of a lot of IT administrators. And admittedly, their concerns aren't wrong. If you're an IT administrator, you want your users to be running a locked-down configuration,' he said. 'So over the last year, we've done a lot of work to make sure Chrome and Chrome Frame can be administered in the way that you want.'

There you have it. Google has offered a way for users to skirt admin controls. And if admins don't like it, they can put a stop to it by setting up other controls. Of course, many won't even be aware that 'non-admin' Google Chrome Frame even exists. There's a reason Google has launched the thing. ®

Get ourTech Resources




broken image