
Thycotic’s CyberSecurity Publication


Securing Web Browsers Through Group Policy

September 9th, 2013



When developing a workflow to manage shared credentials, it’s important to take into account certain environmental factors that may cache credentials on their own. These factors can decrease security around shared credentials.

Here, we’ll focus on securing your web browsers through group policy.

Disable Password Caching for IE

Note: these instructions are specific to Windows Server 2012, but may be similarly applied in Windows Server 2008.

Caching of passwords and auto-completion of usernames and passwords used in IE can be disabled from the Group Policy Management Editor under:

  • User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer

Here, you can disable “Turn on the auto-complete feature for user names and passwords.”

Group Policy Management Editor - Disable Password Caching for IE

This will also prevent users from re-enabling the setting:

Prevent Users from enabling Auto Complete

Restriction of password caching in Mozilla Firefox

Locking down settings in Firefox requires use of a third-party extension. One extension that we tested is called FirefoxADM, which provides adm files that add the ability to configure Firefox settings through Windows Group Policy. However, this only seemed to work with older versions of Firefox. Other extensions and tools exist, but they are not officially supported by Microsoft for use in a Windows environment.

Disable Password Caching in Google Chrome for Business

Google Chrome for Business allows for policies relating to Google Chrome to be defined at either user or device level.

The Google Chrome Password Manager can be disabled at the user level by logging into the Google Admin console and navigating to the Settings menu. After selecting the “User Settings” menu, select an OU and under the Security settings disable Password Manager.

The Google Chrome Password Manager can be disabled at the device level through Windows GPO by adding two REG_DWORD values to the Windows registry at HKEY_LOCAL_MACHINE\Software\Policies\Chrome called PasswordManagerEnabled and PasswordManagerAllowShowPasswords, each with a value of 0x00000000.

Disable Password Caching in Google Chrome - Google Chrome Password Manager can be disabled through Windows GPO

Disabling the Password Manager takes away the users’ ability to enable the “Offer to save passwords I enter on the web” setting in Chrome.

Offer to save passwords I enter on the web is now disabled
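
An added example (not from the original article) for confirming on an endpoint that the GPO has actually landed: this PowerShell function reads the two values named above and reports whether each exists as a REG_DWORD set to 0. The function name and the default -KeyPath are assumptions; the default is Chrome's documented machine policy key, HKLM\Software\Policies\Google\Chrome, so pass -KeyPath if your GPO writes to a different key.

```powershell
# Added example: audits the two Chrome policy values named in the article.
# Assumption: $KeyPath defaults to Chrome's documented machine policy key.
function Test-ChromePasswordPolicy {
    [CmdletBinding()]
    param(
        [string]$KeyPath = 'HKLM:\SOFTWARE\Policies\Google\Chrome',
        [string[]]$ValueNames = @('PasswordManagerEnabled',
                                  'PasswordManagerAllowShowPasswords')
    )

    # $null when the policy key was never created (GPO not applied).
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue

    foreach ($name in $ValueNames) {
        $status = 'Compliant'
        $data   = $null
        $kind   = $null

        if ($null -eq $key -or $key.GetValueNames() -notcontains $name) {
            $status = 'Missing'
        }
        else {
            $data = $key.GetValue($name)
            $kind = $key.GetValueKind($name)
            if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
                $status = 'WrongType'      # e.g. created as REG_SZ "0"
            }
            elseif ($data -ne 0) {
                $status = 'NotDisabled'    # present, but password manager still on
            }
        }

        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Key      = $KeyPath
            Value    = $name
            Kind     = $kind
            Data     = $data
            Status   = $status
        }
    }
}

# Exit non-zero when any value is missing or not 0, for scheduled compliance checks.
$results = Test-ChromePasswordPolicy
$results | Format-Table -AutoSize
if ($results.Status -ne 'Compliant') { exit 1 }
```

Run it after gpupdate /force on a test machine; a Missing status usually means the GPO is not linked to the OU that contains the computer.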

 

Disable Password Manager in Microsoft Edge

Note: for Server 2012 and 2016 the Microsoft Edge group policy settings may not be available. If they aren’t, you can copy the files from C:\Windows\PolicyDefinitions to the server to merge them and get the Policy Settings for Microsoft Edge.
You can also download them from Microsoft here:
microsoft.com/en-us/download/confirmation.aspx?id=53430.

Password saving and auto-completion of forms can be disabled in the Group Policy Management Editor under:

  • User Configuration > Policies > Administrative Templates > Windows Components > Microsoft Edge

Here, you can disable the “Configure Password Manager” and “Configure Autofill” policies.

Disable Password Manager in Microsoft Edge

This will prevent users from saving passwords in Edge or enabling the setting to do so.

Controlling credential caching in Mac OS X

Safari cannot be easily managed in a Windows environment; however, Mac OS X Server provides a tool called Server Admin that may facilitate control of Safari settings in the OS X environment. Third-party tools are also available for this purpose.

Web Password Filler

Once you’ve secured your browsers, you can still utilize the credentials stored in Secret Server by using the Web Password Filler. For more information, see ‘Taking Web Password Filler On The Road’.

If you’re not already streamlining your admin tasks with Secret Server, try it for free here.

Or, achieve the highest level of convenience and security by automating your password management: compare password managers here.

