Securing Web Browsers Through Group Policy
Updated Feb, 2019
When developing a workflow to manage shared credentials, it’s important to take into account certain environmental factors that may cache credentials on their own. These factors can decrease security around shared credentials.
Here, we’ll focus on securing your web browsers through group policy.
This blog will walk you through these steps:
- Determine the extent of your problem
- Disable Password Caching for:
a. Internet Explorer
b. Mozilla Firefox
c. Google Chrome for Business
d. Microsoft Edge
e. Mac OS X and Safari
- Confirm that Password Caching is disabled across your domain after making changes
- Consider the impact on the user experience, and how to ensure strong web passwords
- What do to about non-domain joined computers
First, determine the extent of your problem
There are several steps to make sure your organization’s web browsers are secure and not caching website passwords. So first, we recommend running the Browser Stored Password Discovery tool. This will give you a full list of all users and browsers currently storing website credentials for devices on your domain. Also, you’ll be able to see which sites are saved, so you’ll know right away if there are critical business sites being stored.
Download the free Browser Stored Password Discovery tool. It’s totally free, developed by Delinea to help organizations understand their level of risk caused by browser-stored passwords.
Disable password Caching for IE
Note: these instructions are specific to Windows Server 2012, however may be similarly applied in Windows Server 2008.
Caching of passwords and auto-completion of usernames and passwords used in IE can be disabled from the Group Policy Management Editor under:
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer
Here, you can disable “Turn on the auto-complete feature for user names and passwords.”
This will also prevent users from re-enabling the setting:
Restrict password caching in Mozilla Firefox
Locking down settings in Firefox requires the use of a third-party extension. One extension that we tested is called FirefoxADM, which provides adm files that add the ability to configure Firefox settings through Windows Group Policy. However, this only seemed to work with older versions of Firefox. Other extensions and tools exist, however are not officially supported by Microsoft for use in a Windows environment.
Disable Password saving / caching in Google Chrome for Business
Google Chrome for Business allows for policies relating to Google Chrome to be defined at either user or device level.
The Google Chrome Password Manager can be disabled at the user level by logging into the Google Admin console and navigating to the Settings menu. After selecting the “User Settings” menu, select an OU, and under the Security settings disable Password Manager.
The Google Chrome Password Manager can be disabled at the device level through Windows GPO by adding two REG_DWORD values to the Windows registry at HKEY_LOCAL_MACHINESoftwarePoliciesChrome called PasswordManagerEnabled and PasswordManagerAllowShowPasswords, each with a value of 0x00000000.
Disabling the Password Manager takes away the users’ ability to enable the “Offer to save passwords I enter on the web” setting in Chrome.
Disable Password Manager in Microsoft Edge
Note: for Server 2012 and 2016 the Microsoft Edge group policy settings may not be available. If they aren’t, you can copy the files from C:\Windows\PolicyDefinitions to the server to merge them and get the Policy Settings for Microsoft Edge.
You can also download them from Microsoft here:
Password saving and auto-completion of forms can be disabled in the Group Policy Management Editor under:
User Configuration > Policies > Administrative Templates > Windows Components > Microsoft Edge
Here, you can disable “Configure Password Manager” disable “Configure Autofill” policies.
This will prevent users from saving passwords in Edge or enabling the setting to do so.
Control credential caching in Mac OS X
Safari cannot be easily managed in a Windows environment, however, Mac OS X Server provides a tool called Server Admin that may facilitate control of Safari settings in the OS X environment. Third-party tools are also available for this purpose.
Double-check that your changes covered all stored passwords
Now that you’ve updated group policy settings so that browsers do not store website passwords, make sure you got everything by rerunning the Browser Stored Password Discovery tool.
Make your password caching policy automated forever without impacting user productivity
By removing users’ ability to store passwords in their browser, you’ve made your organization much more secure, but that security can also cause some pain to users when they have to remember their passwords. This can cause fatigue and frustration, which often leads to users choosing weak passwords to make their lives easier.
Instead, give users a password vault, so they only have one password to remember, and can launch into any website from the vault, without having to remember or type all their different web passwords. This can be done with Delinea Secret Server’s Web Password Filler. Once you’ve secured your browsers, you can still utilize the credentials stored in Secret Server by using the Web Password Filler.
If you’re a small organization, you can get started with Secret Server Free, an on-premise vault for storing and managing website and IT admin passwords.
If you’re a larger organization, paid Secret Server editions give you all kinds of automation and security for IT Admin accounts, like Local Windows Admin, Cisco Enable, and Service and Application Accounts. Complete the form to start your free trial.
Do you have lots of non-domain joined computers, for consultants or employees working from home?
GPO only works for domain-joined computers. If you have consultants or employees who work from home and are not connected to the domain, it is possible to enforce your browser-stored password policy. To do this, you can use Delinea Privilege Manager, which installs a lightweight agent for each machine, and then you can enforce group policy rules on all managed endpoints.