
In light of recent repeated critical Flash vulnerabilities, there are recommendations to use browser plugins like click-to-play to prevent unnecessary Flash content from loading automatically with every web page.

I think this is a good idea; however, there is the matter of distributing and maintaining such plugins, as well as selecting a well-maintained and trusted one in the first place (for IE, Firefox and Chrome at least). I don't want to introduce another vulnerable surface into the environment.

So the question is:

  • Do you have experience using such plugins in an enterprise environment with lots of Windows clients? (let's say 100+)
  • How do you deploy the plugin?
  • How do you maintain the plugin? (regular updates)
  • How do you centrally manage the configuration of these plugins? (GPOs?)

I'm interested in the enterprise feasibility and your experience with click-to-play-style browser plugins in the enterprise.


2 Answers


This post by Google will help you set up extensions in Chrome via Group Policy and the master_preferences file - https://support.google.com/chrome/a/answer/188453?hl=en&ref_topic=2936229

Also, I'd recommend the following extensions (recommended by SANS):

  • Netcraft
  • NoScript
  • HTTPS Everywhere
  • Ghostery
  • uBlock Origin

  • I don't think all of these plugins are available for Chrome. Also, it is generally preferred to include key information from external sites in addition to the link. This is helpful for Google searches as well as for external links going invalid over time. – Neil Smithline Dec 27 '15 at 06:19
  • These are all Chrome plugins. I have them installed. The information is from SANS' official YouTube channel. – 16b7195abb140a3929bbc322d1c6f1 Dec 27 '15 at 06:45
  • So I didn't think that NoScript was available for Chrome. There are a couple of add-ins with similar functionality, but not exactly NoScript. Do you have a link to the Chrome NoScript plugin? – Neil Smithline Dec 27 '15 at 17:31

I do my best to develop code in-house, and make use of "SWAMP", which you can apply for access to. If you have coders in-house, you could implement your own plugin and potentially sell it on the side as an app in the Chrome store.

https://www.mir-swamp.org/

For IE you may be able to simply release a memo with instructions on how to access browser tools, manage add-ons, choose 'disable' and then leave it at that... no updates needed.

Also worth reading is that Chrome (by default) uses a sandbox with Flash automatically, and also automatically updates Flash by default.

http://chrome.blogspot.com/2012/08/an-even-more-secure-flash-player-for.html

In short, you can reduce your threat surface with a memo/email to disable Flash, which is what I recommend. If the use of Flash is not necessary (I'm guessing it would cut down on Facebook time during work and also free up some bandwidth), then I suggest you send out the email and after a few days use Admin to check and ensure that all boxes have disabled Flash.

I am of the opinion that Flash will always be a threat vector and vulnerability, and will only vary in how critical it is.

  • Thanks for the answer. I work on computer networks in non-IT industries with 2000+ users, where memos/emails/communications regarding computer usage will never reach anything near 90% of the users and their computers. The only thing that works for me are centrally managed tools that can be monitored somehow to verify that actually all endpoints are protected. Especially on security-related topics like this I need to make sure that all machines on the network are secured in a timely manner. I'm not saying that user communication is unnecessary though, I just cannot solely rely on it... – Sebastian B. Feb 12 '15 at 11:28
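The Group Policy route from the first answer and the "check that all boxes are actually configured" step from the second, as an added PowerShell example that is not part of either answer: it stages the Chrome policy values a GPO would deliver (click-to-play for plugins plus a force-installed extension list) in the Windows policy hive, and a second function audits a machine against the expected state so the result can be collected centrally. It assumes Chrome reads its Windows policies from HKLM\SOFTWARE\Policies\Google\Chrome (Google's documented location), that the extension ID is a placeholder you replace with the real one, and that it runs elevated; on a domain the GPO, not this script, is the source of truth, so use the setter only on a test machine.

```powershell
# Added example, not from the answers above. Assumes Chrome policies live in the
# HKLM policy hive below and that <EXTENSION_ID> is replaced with a real ID.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$ForceList  = Join-Path $PolicyRoot 'ExtensionInstallForcelist'
$UpdateUrl  = 'https://clients2.google.com/service/update2/crx'   # Chrome Web Store update URL

function Set-ChromeClickToPlayPolicy {
    param([string[]]$ExtensionIds)
    New-Item -Path $ForceList -Force | Out-Null
    # DefaultPluginsSetting: 1 = allow plugins, 2 = block plugins, 3 = click to play
    New-ItemProperty -Path $PolicyRoot -Name 'DefaultPluginsSetting' `
        -PropertyType DWord -Value 3 -Force | Out-Null
    $index = 1
    foreach ($id in $ExtensionIds) {
        # Each force-list entry is "<id>;<update url>", keyed by a 1-based index
        New-ItemProperty -Path $ForceList -Name $index -PropertyType String `
            -Value "$id;$UpdateUrl" -Force | Out-Null
        $index++
    }
}

function Test-ChromeClickToPlayPolicy {
    param([string[]]$ExpectedIds)
    $setting = (Get-ItemProperty -Path $PolicyRoot -ErrorAction SilentlyContinue).DefaultPluginsSetting
    $installed = @()
    if (Test-Path $ForceList) {
        # Only the numeric value names are list entries; PSPath etc. are skipped
        $installed = (Get-ItemProperty -Path $ForceList).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object { ($_.Value -split ';')[0] }
    }
    $missing = @($ExpectedIds | Where-Object { $installed -notcontains $_ })
    # One record per machine, suitable for collecting with Invoke-Command
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        ClickToPlay  = ($setting -eq 3)
        MissingExt   = $missing
        Compliant    = ($setting -eq 3 -and $missing.Count -eq 0)
    }
}

# Usage on a test machine (placeholder ID):
Set-ChromeClickToPlayPolicy -ExtensionIds '<EXTENSION_ID>'
Test-ChromeClickToPlayPolicy -ExpectedIds '<EXTENSION_ID>'
```

To verify a fleet, run only the audit function remotely, e.g. `Invoke-Command -ComputerName (Get-ADComputer -Filter *).Name -ScriptBlock ${function:Test-ChromeClickToPlayPolicy} -ArgumentList '<EXTENSION_ID>'`, and filter on `Compliant -eq $false`.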
    Thanks for the answer. I work on Computer Networks in non-IT-Industries with 2000+ users, where memos/emails/communications regarding Computer usage will never reach anything near 90% of the users and their comuters. The only Thing that works for me are centrally managed Tools that can be monitored somehow to verify that actually all endpoints are protected. Especially on security related topics like this i need to make sure that all machines on the network are secured in a timely manner. Im not saying that user communication is unnessecray tough, i just cannot solely rely on it... – Sebastian B. Feb 12 '15 at 11:28