CIS Benchmark v2.0.0 for Google Chrome Provides Updated Security Recommendations
The CIS Benchmarks team is excited to announce the release of our newest browser security recommendations. CIS Google Chrome Benchmark v2.0.0 contains coverage for v75 of Google Chrome. This CIS Benchmark was developed in partnership with the Google Cloud Team and the CIS volunteer community on CIS WorkBench. “It really shows the spirit of collaboration that makes up all our consensus-developed CIS Benchmarks,” says Jordan Rakoske, Senior Technical Product Manager at CIS. Subject matter experts worked together to create this major update.
New and notable
Content-wise, there are 41 new security recommendations, 1 removal, and 4 that were updated. We have also revised the entire structure of the benchmark from an ADMX-based layout to a more risk-based one. The new layout will help users quickly identify and act on areas of risk. The new structure will also allow us to create Chrome benchmarks for different operating systems in the future. We have carefully reviewed all existing and new content with the Google Cloud Team to help identify impactful recommendations and add more detail to each of those sections. Overall, we hope this update will help your organization harden its Chrome v75 instances in a more user-friendly, risk-informed way.
Major content changes
Password Managers
We have changed the password manager recommendation ((L1) Ensure ‘Enable saving passwords to the password manager’ is Configured) to an “Informational” recommendation. This does not mean there is no value; it means that an organization will need to review the setting and choose to either enable or disable the built-in manager. Password managers can provide a security benefit, but we felt it important to still mention that it is on by default, so that admins can make sure the setting meets their internal policy. CIS SecureSuite Members who are scanning with CIS-CAT Pro Assessor will receive information about the password manager’s configured state.
New Update Recommendation
We have added a new recommendation: (L1) Ensure ‘Notify a user that a browser relaunch or device restart is recommended or required’ is set to ‘Enabled’ with ‘Show a recurring prompt to the user indicating that a relaunch is required’ specified. This recommendation is important so that users can easily identify that an update is available and a relaunch is needed. Google pushes updates all the time to provide both features and security improvements, and some of these updates are important to apply ASAP.
New Layout
We have updated the CIS Benchmark structure to be more risk-based. This makes it easier for organizations to make implementation decisions. The new layout contains five sections and looks like this:
- Enforced Defaults – This section contains settings that are on by default. CIS still recommends that these settings are enforced (via Group Policy Object) so that the settings stay configured in the default secure state.
- Attack Surface Reduction – This section contains settings that will help reduce the overall attack surface. These recommendations will limit some features by design, and we have worked with Google to identify areas of impact.
- Privacy – This section contains settings that are related to user privacy. If organizations are concerned with user privacy, these settings can help control this.
- Management/Visibility/Performance – This section contains recommendations around management. Remote access settings are listed under this section.
- Data Loss Prevention – This section contains settings that can help prevent data loss. These settings control how data is synced and where data is sent.
A team effort
The creation and ongoing development of the CIS Benchmarks is thanks to a wide community. We are always looking for ways to improve the CIS Benchmarks, so if you have any feedback on this release or any others, please let us know. We welcome your participation in our communities via CIS WorkBench:
Visit CIS WorkBench
Our deepest gratitude goes to all of the users that helped make this major update happen.