Welcome!

This content is provided for general informational and educational purposes only and is not a substitute for security advice or legal advice. The information available in these documents is made in good faith, without verifying its accuracy, utility or security validity, and should not be relied upon as the sole basis for making decisions. This was a personal project done in my free time and has, and will continue to have, gaps in its assessment based upon my level of interest in digging into those topics.

Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution 3.0 International license.

Administering Chromebooks

For teams traveling to complex and hostile environments

What is this?

If you are traveling to hostile or complex environments, the phrase "use a Chromebook" has become the "use Signal, use Tor" of border-crossing device security. Nearly all of the individuals who work in these environments know that, as with everything, "it's more complex than that." I decided to document and share my exploration of the various options for configuring and administering Chromebooks for globally distributed teams operating in a range of complex and hostile environments.

This project started as my Chromebook setup and configuration notes. Those notes then became this set of spreadsheets for a few reasons:

1. It took a lot of time to consider each option and I wanted to save my colleagues from having to do their own setups from scratch.
2. There are more than a few narrative summaries of Chrome security out there. But there didn't seem to be any source that looks at the security implications of each specific configuration option.
3. I have concerns about mitigations that promote the use of fake user accounts to fool border officials who force travelers to log in to their devices and online services. But I had not put together any public analysis of an alternative. I used this project as an opportunity to explore an alternative mitigation. See the Proof of Inaccess mitigation for more information.
4. I wanted a chance to explore different methods for supporting risk management documentation using Google Sheets.
5. It was fun! I like taxonomies. Deal with it.

Where do I Start?

The Index has suggestions for various ways to explore this project.

The Workflow page shows how to use this project to inform a Chromebook program.

What's the Project's Progress?

Currently explored settings:

| Settings Page | Total | Done | ToDo |
|---|---|---|---|
| Settings Page | 338 | 288 | 50 |
| User Settings | 238 | 203 | 35 |
| Device settings | 100 | 85 | 15 |
| Android Application Settings | 9 | 5 | 4 |
| Public session settings | 109 | 0 | 109 |

Settings not explored:

| Settings Page | Planned? (2 of 4) |
|---|---|
| App Management | ✔ |
| Mobile Device Management | |
| Chromebooks and VPNs | ✔ |
| Manage Using Active Directory | |
Workflow

How to use this project to inform your Chromebook program.

Prepare, Deploy, Contribute back....

Preparation

Sections of this project that can help you as you evaluate and design a Chromebook-based travel program.

- Needs Assessment: Does this fit your team's operational requirements?
- Risk Assessment: Does this match the risk profile of your team?
- Program Design: Designing your team's Chromebook travel program.

Supported by (one ● per preparation step the sheet supports):

| Sheet | Steps |
|---|---|
| Cost Calculator | ● ● |
| Requirements List | ● ● ● |
| Information Stores | ● ● |
| Assumptions List | ● ● ● |
| Mitigation List | ● ● ● |
| Mitigation Process Considerations | ● ● ● |
| Sources | ● ● ● |
| Threat Context | ● ● |
| Threat List | ● ● |
| Threat Relationships | ● ● |

Deployment

Sections of this project that can help you as you deploy your Chromebook-based travel program.

- Device Configuration: Configuring your travel Chromebook policies.
- G Suite Sub-Organization Configuration: Configuring your travel Sub-Organization policies.
- Account Configuration: Configuring your travel account policies.

Supported by (one ● per deployment step the sheet supports):

| Sheet | Steps |
|---|---|
| Device Settings Overview | ● |
| Device Settings Comments | ● ● ● |
| User Settings Overview | ● |
| User Settings Comments | ● ● ● |
| Threat List | ● ● ● |
| Threat Context | ● ● ● |
| Threat Relationships | ● ● ● |
| Requirements List | ● ● ● |
| Assumptions List | ● ● ● |
| Mitigation List | ● ● ● |
| Mitigation Process Considerations | ● ● ● |
| Information Stores | ● ● ● |
| Sources | ● ● ● |
| Glossary | ● ● ● |

Contribute

How you can contribute to this project.

- Contribute Knowledge: Add, correct, or update content to the project.
- Contribute Time: Help fix known issues and add desired enhancements.
- Contribute Comments: Send comments, critiques, or thanks to me on Twitter.

Check out (one ● per contribution type the sheet is relevant to):

| Sheet | Contribution types |
|---|---|
| TODO List | ● |
| Sources | ● ● |
| Contextual: | |
| Requirements List | ● |
| Assumptions List | ● |
| Mitigation List | ● |
| Mitigation Process Considerations | ● |
| Threat List | ● |
| Threat Relationships | ● |
| Threat Context | ● |
| Threat ⮕ Information Store | ● |
| Information Stores | ● |
| Technical: | |
| Device Settings Overview | ● |
| User Settings Overview | ● |
| Public Session Settings Overview | ● ● |
| Glossary | ● ● |
Index

Key

| Symbol | Meaning |
|---|---|
| ✎ | Summary Information |
| 🔍 | In-Depth Information |
| ❓ | Help & Meta-Data |
| 👓 | Raw Data |
| ☐ | Section In Progress |

Settings Menus

- ☒ Settings Overview: This page shows the current coverage of the project for each settings menu.
  Pages: ✎ ☒ Overview
- ☒ User Settings: Can be used to enforce settings and policies on your organization's users, regardless of which Chrome device they're using. For example, an IT administrator can pre-install apps for specific users, enforce Safe Browsing, set up Single Sign-On (SSO), block specific plugins, blacklist specific URLs, manage bookmarks, and apply dozens of other settings to users across your organization. It does not require Chromebook device licenses.
  Pages: 🔍 ☒ Overview; 🔍 ☒ Comments
- ☒ Device Settings: Can be used to enforce settings and policies on your organization's managed Chrome devices regardless of who signs in. For example, you can restrict sign-in to specific users, block guest mode, and configure auto-update settings. It requires licenses for every managed device.
  Pages: 🔍 ☒ Overview; 🔍 ☒ Comments
- ☐ Public Session Settings: Can be used to set up settings for shared devices in your domain. Public Sessions allow multiple users to share the same Chrome device without the need to sign in or authenticate. You can enforce settings, such as logging the user out after a specific amount of time, or even launch the device as a Single App Kiosk. This option requires licenses for every managed device.
  Pages: 🔍 ☐ Overview; 🔍 ☐ Comments
- ☐ App Management: This settings menu allows an administrator to manage your team's app settings on Chrome browsers and Chrome devices. The actual management of these apps occurs in user settings, but I am separating it out into a separate category for ease of reading. It does not require Chromebook device licenses.
  Pages: 🔍 ☐ Overview; 🔍 ☐ Comments

Context & Response

- ☐ Assumptions: This page explores some of the assumptions that were used to constrain the scope of this project.
  Pages: 🔍 ☒ Assumptions List
- ☒ Costs: This page includes a cost calculator for G Suite accounts and device licenses for different setups.
  Pages: ✎ ☒ Costs
- ☐ Threats: These pages explore the rough set of threats that came up while I was conducting this research. I'm actively avoiding anything close to an exhaustive threat taxonomy so as not to get distracted. So there are huge holes here, and I'm fine with that.
  Pages: ✎ ☒ Summary; 🔍 ☒ Threat List; ✎ ☒ Threat Context; 👓 ☐ Threat Context Comments; 👓 ☐ Threat Relationships; 👓 ☐ Information Stores; 👓 ☐ Setting ⮕ Threat; 👓 ☐ Threat ⮕ Information Store
- ☐ Mitigations: These pages explore a variety of *possible* mitigations that have a *direct relevance* to the Chromebook configurations and this project. The mitigations included in this project do not describe a complete digital security program for a team, nor are they appropriate for every possible team.
  Pages: ✎ ☒ Summary; 🔍 ☒ Mitigation List; 👓 ☐ Mitigation Process Considerations; ✎ ☒ User Setting ⮕ Mitigation (Summary); ✎ ☒ Device Setting ⮕ Mitigation (Summary); 👓 ☐ Setting ⮕ Mitigation
- ☐ Requirements: These pages explore the requirements I set to constrain the scope of this project.
  Pages: ✎ ☒ Summary; 🔍 ☐ Requirements List; 👓 ☐ Setting ⮕ Requirements

MetaData

- ☐ Glossary: This is just a glossary of terms found in this document.
  Pages: ❓ ☐ Glossary
- ☐ Sources: This is a collection of various higher-level references and sources used in this project.
  Pages: ❓ ☐ Sources
- ∞ TODO List: This is an ongoing personal project. This page lists the various tasks that I want to complete and the various unaddressed issues I have with the format.
  Pages: ❓ ∞ TODO List
Settings Progress

Sorted by configuration menu

User Setting Evaluation Status

| Settings Section | Done | ToDo | # N/A |
|---|---|---|---|
| Total | 204 | 41 | 20 |
| Mobile | 1 | 1 | 1 |
| General | 4 | 1 | 1 |
| Enrollment Controls | 6 | 1 | 1 |
| Apps and Extensions | 13 | 1 | 1 |
| Chrome Web Store | 6 | 3 | 1 |
| Android applications | 5 | 4 | 1 |
| Security | 28 | 9 | 1 |
| Session Settings | 2 | 1 | 1 |
| Network | 8 | 5 | 1 |
| Startup | 7 | 1 | 1 |
| Content | 65 | 1 | 1 |
| Printing | 8 | 9 | 2 |
| User Experience | 29 | 0 | 2 |
| Omnibox Search Provider | 5 | 1 | 1 |
| Hardware | 11 | 1 | 2 |
| Verified Access | 2 | 1 | 1 |
| User Verification | 4 | 1 | 1 |

Device Setting Evaluation Status

| Settings Section | Done | ToDo | # N/A |
|---|---|---|---|
| Total | 85 | 18 | 41 |
| Enrollment & Access | 11 | 1 | 2 |
| Sign-in Settings | 20 | 1 | 1 |
| Device Update Settings | 10 | 1 | 1 |
| Kiosk Settings | 19 | 6 | 19 |
| User & Device Reporting | 11 | 1 | 2 |
| Power & Shutdown | 5 | 1 | 1 |
| Other | 9 | 7 | 2 |

Device Setting Evaluation Status

| Settings Section | Done | ToDo | # N/A |
|---|---|---|---|
| Total | 7 | 70 | 8 |
| General | 1 | 6 | 1 |
| Apps and Extensions | 1 | 5 | 1 |
| Security | 1 | 9 | 1 |
| Network | 1 | 10 | 1 |
| Startup | 1 | 8 | 1 |
| Content | 1 | 21 | 1 |
| Printing | 1 | 11 | 1 |
| User Experience | 1 | 18 | 1 |
| Omnibox Search Provider | | | |
| Hardware | | | |
Costs Calculator

Basic Pricing

G Suite accounts:

| Type | Cost | Billed | Per |
|---|---|---|---|
| Basic | $5 | Monthly | Account |
| Business | $10 | Monthly | Account |
| Enterprise | $26 | Monthly | Account |

Chrome licenses (required for Device Settings):

| Type | Cost | Billed | Per |
|---|---|---|---|
| License | $50 | Yearly | License/Device |

Team Cost Calculator

Inputs: account type (Business) and number of team members sharing one device (2). Account costs with a Business account and 1 device per 2 team members:

| Travelers / month | Total devices | User only, monthly | User only, yearly | User + device, monthly | User + device, yearly |
|---|---|---|---|---|---|
| 1 | 1 | $10 | $120 | $14 | $170 |
| 2 | 1 | $20 | $240 | $24 | $290 |
| 3 | 2 | $30 | $360 | $38 | $460 |
| 4 | 2 | $40 | $480 | $48 | $580 |
| 5 | 3 | $50 | $600 | $62 | $750 |
| 6 | 3 | $60 | $720 | $72 | $870 |
| 7 | 4 | $70 | $840 | $86 | $1,040 |
| 8 | 4 | $80 | $960 | $96 | $1,160 |
| 9 | 5 | $90 | $1,080 | $110 | $1,330 |
| 10 | 5 | $100 | $1,200 | $120 | $1,450 |
| 11 | 6 | $110 | $1,320 | $134 | $1,620 |
| 12 | 6 | $120 | $1,440 | $144 | $1,740 |
| 13 | 7 | $130 | $1,560 | $158 | $1,910 |
| 14 | 7 | $140 | $1,680 | $168 | $2,030 |
| 15 | 8 | $150 | $1,800 | $182 | $2,200 |
Threats / Chrome Setting

Interactions between settings and threats

| Threat Category | User: Impact ↥ | User: Impact ↧ | User: Likelihood ↥ | User: Likelihood ↧ | Device: Impact ↥ | Device: Impact ↧ | Device: Likelihood ↥ | Device: Likelihood ↧ |
|---|---|---|---|---|---|---|---|---|
| Total | 9 | 9 | 9 | 9 | 9 | 9 | 9 | 9 |
| Confiscation | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 |
| Detained | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 |
| Forced Exposure | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 |
| Legal | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 |
| Login Forced | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 |
| Obstruction | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 |
| Surveillance | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 |
| Deception | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 |
| Insider Threat | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 |
Mitigations / Chrome Setting

Interactions between settings and mitigations

| Mitigation | User: Both | User: Inhibits | User: Requires | User: Supports | Device: Both | Device: Inhibits | Device: Requires | Device: Supports |
|---|---|---|---|---|---|---|---|---|
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Relationships between user settings and Mitigations

How different categories in the user settings menu "inhibit", "support", and/or "require" specific mitigations

How are relationships calculated?

These charts show the number of times a specific mitigation (rows) is referenced by a user settings category (columns).

Settings that Inhibit Mitigations

Columns (user settings categories): Android applications, Apps and Extensions, Chrome Web Store, Content, Enrollment Controls, General, Hardware, Network, Security, Session Settings, Startup, User Experience, User Verification, Verified Access

| Mitigation | Non-zero counts by category |
|---|---|
| Account Monitoring and Control | 1 |
| Appropriate Organizational Identifiers | 2 |
| Boundary Defense | 2 |
| Chrome Remote Desktop | 1 |
| Cohesive Security Tool Adoption | 3 |
| Controlled Access Based On Need to Know | 1 |
| Emergency Communication Practices | 1 |
| Encrypted External Storage devices | 2 |
| Encrypted online archive | 1 |
| External Enterprise Mobility Management Tool | 1 |
| In-Country Device Swapping | 1, 1, 1 |
| In-country alternative working software identification | 2, 2 |
| Inventory of Authorized and Unauthorized Software | 1, 1, 2 |
| Inventory of Authorized and Unauthorized devices | 2, 1 |
| Maintenance, Monitoring, and Analysis of Audit Logs | 1 |
| Multi-Factor Authentication | 1 |
| Private Apps | 1 |
| Proof Of Inaccess | 1, 4 |
| Secure Traffic Tunneling | 1, 2, 1 |
| Security Awareness and Training | 6, 1 |
| Traveler Sub-Organization(s) | 2 |

Settings that Support Mitigations

Columns (user settings categories): Android applications, Apps and Extensions, Chrome Web Store, Content, Enrollment Controls, General, Hardware, Network, Security, Session Settings, Startup, User Experience, User Verification, Verified Access

| Mitigation | Non-zero counts by category |
|---|---|
| Account Monitoring and Control | 1 |
| Appropriate Organizational Identifiers | 2 |
| Blacklist(s) | 1 |
| Chrome Remote Desktop | 1, 1, 1, 1 |
| Cohesive Security Tool Adoption | 1, 1, 2 |
| Controlled Access Based On Need to Know | 1 |
| Device Wiping | 1, 3 |
| Encrypted External Storage devices | 2 |
| Encrypted online archive | 1, 1 |
| External Enterprise Mobility Management Tool | 1, 1 |
| In-Country Device Swapping | 1, 2 |
| In-country alternative working software identification | 2 |
| Inventory of Authorized and Unauthorized Software | 2, 1 |
| Inventory of Authorized and Unauthorized devices | 2, 1, 1 |
| Multi-Factor Authentication | 1 |
| Proof Of Inaccess | 1, 1, 2, 3, 3 |
| Remote Access Management | 1, 1, 1 |
| Secure Traffic Tunneling | 2, 1, 1 |
| Security Awareness and Training | 1, 1, 1 |
| Whitelist(s) | 1, 1 |

Settings that Require Mitigations

Columns (user settings categories): Android applications, Apps and Extensions, Chrome Web Store, Content, Enrollment Controls, General, Hardware, Network, Omnibox Search Provider, Printing, Security, Startup, User Experience

| Mitigation | Non-zero counts by category |
|---|---|
| Account Monitoring and Control | 1 |
| Appropriate Organizational Identifiers | 1 |
| Blacklist(s) | 1, 6 |
| Custom Chrome Web Store Homepage | 3 |
| Desktop Virtualization | 1 |
| Enrollment Contact Policies | 1 |
| Inventory of Authorized and Unauthorized Software | 1, 8, 1 |
| Multi-Factor Authentication | 1 |
| Needs Assessment (Apps) | 1, 1, 7, 3, 4 |
| Private Apps | 1 |
| Proof Of Inaccess | 1 |
| Security Awareness and Training | 3, 2, 15, 1, 1, 2, 1, 8, 3, 9 |
| Traveler Sub-Organization(s) | 1 |
| Webcam cover | 1 |
| Whitelist(s) | 8, 5 |
1 | < Index | |||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2 | ||||||||||||||
3 | Requirements / Chrome Setting | |||||||||||||
4 | ||||||||||||||
5 | Interactions between settings and requirements | |||||||||||||
6 | ||||||||||||||
7 | ||||||||||||||
8 | User Settings | Device Settings | ||||||||||||
9 | Both | Inhibits | Requires | Supports | Both | Inhibits | Requires | Supports | ||||||
10 | Mitigation | 0 | 0 | 0 | 0 | Mitigation | 0 | 0 | 0 | 0 | ||||
1 | < Index | |||||||||
---|---|---|---|---|---|---|---|---|---|---|
2 | ||||||||||
3 | Relationships between Device Settings and Mitigations | |||||||||
4 | ||||||||||
5 | How different categories in the Device Settings menu "inhibit", "support", and/or "require" specific mitigations | |||||||||
6 | ||||||||||
7 | How are relationships calculated? | |||||||||
8 | ||||||||||
9 | These charts show the number of times a specific mitigation (rows) is referenced by a Device Settings category (columns). | |||||||||
10 | ||||||||||
13 | Settings that Inhibit Mitigations | |||||||||
14 | ||||||||||
15 | Device Update Settings | Enrollment & Access | Other | Sign-in Settings | User & Device Reporting | |||||
16 | Account Monitoring and Control | 1 | ||||||||
17 | App Pinning | 1 | ||||||||
18 | Appropriate Organizational Identifiers | 1 | 6 | |||||||
19 | Chrome Remote Desktop | 1 | 1 | |||||||
20 | Cohesive Security Tool Adoption | 3 | ||||||||
21 | Custom Chrome Web Store Homepage | 1 | ||||||||
22 | Desktop Virtualization | 1 | ||||||||
23 | Emergency Communication Practices | 1 | ||||||||
24 | Encrypted online archive | 1 | ||||||||
25 | In-Country Device Swapping | 1 | ||||||||
26 | Inventory of Authorized and Unauthorized devices | 1 | 1 | 1 | ||||||
27 | Private Apps | 1 | ||||||||
28 | Project Specific GSuite Accounts | 1 | ||||||||
29 | Proof Of Inaccess | 4 | ||||||||
30 | Secure Traffic Tunneling | 1 | 1 | 2 | ||||||
31 | Temporary G Suite Accounts | 1 | ||||||||
32 | Traveler Sub-Organization(s) | 1 | 2 | |||||||
33 | Whitelist(s) | 1 | ||||||||
34 | ||||||||||
38 | Settings that Support Mitigations | |||||||||
39 | ||||||||||
40 | Chrome Web Store | Device Update Settings | Enrollment & Access | Other | Power & Shutdown | Sign-in Settings | User & Device Reporting | |||
41 | Account Monitoring and Control | 5 | 1 | |||||||
42 | Appropriate Organizational Identifiers | 1 | 6 | |||||||
43 | Chrome Remote Desktop | 2 | 1 | |||||||
44 | Crisis Identification | 4 | ||||||||
45 | Desktop Virtualization | 1 | ||||||||
46 | Device Wiping | 1 | 2 | 2 | ||||||
47 | Encrypted online archive | 2 | ||||||||
48 | In-country alternative working software identification | 1 | ||||||||
49 | Inventory of Authorized and Unauthorized devices | 1 | 3 | 2 | ||||||
50 | Multi-Factor Authentication | 1 | ||||||||
51 | Needs Assessment (Apps) | 1 | ||||||||
52 | Proof Of Inaccess | 1 | 5 | |||||||
53 | Secure Traffic Tunneling | 2 | 1 | |||||||
54 | Traveler Sub-Organization(s) | 1 | ||||||||
55 | Whitelist(s) | 1 | ||||||||
56 | ||||||||||
63 | Settings that Require Mitigations | |||||||||
64 | ||||||||||
65 | Device Update Settings | Enrollment & Access | Other | Power & Shutdown | Sign-in Settings | User & Device Reporting | ||||
66 | In-country alternative working software identification | 1 | ||||||||
67 | Security Awareness and Training | 1 | 2 | 2 | 2 | 1 | ||||
68 | Traveler Sub-Organization(s) | 2 | ||||||||
1 | < Index | Relevant Threat Context | ||||||
---|---|---|---|---|---|---|---|---|
2 | Category | Threat | Directly Targets / Impacts | Pre | Incoming | In-Country | Outgoing | Post |
3 | Confiscation | Targeted Workplace Raids | X | |||||
4 | Confiscation | In-Transit Robbery & Theft | X | X | X | |||
5 | Confiscation | Hotel Robbery & Theft | X | |||||
6 | Detained | Traveler Detained | Traveler | X | X | X | ||
7 | Confiscation | Device Confiscation | Local volume (USB/SD/Device); Travel Laptop (Chromebook); Travel/Local Mobile Phone; Primary Personal Mobile Device; Physical Notes / Documents; Identity Cards (Passports); Non-Phone Mobile Device(s); Personal Laptop; Camera; Video Recorder; Physical Notes / Documents; Social Media; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services | X | X | X | ||
8 | Forced Exposure | Decryption Forced (Device) | X | X | X | |||
9 | Forced Exposure | Decryption Forced (Service) | X | X | X | |||
10 | Forced Exposure | Usernames Exposed | Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Travel PGP Key; Primary PGP Key; Encrypted Online Backups; Unencrypted Online Backups | X | X | X | ||
11 | Forced Exposure | Forced Disclosure of Travel Information | X | X | X | |||
12 | Legal | Encryption Regulated | Local volume (USB/SD/Device); Travel Laptop (Chromebook); Travel/Local Mobile Phone; Primary Personal Mobile Device; Non-Phone Mobile Device(s); Personal Laptop; Online Travel Archive; Email; Password Manager; Travel PGP Key; Primary PGP Key; Encrypted Online Backups; Unencrypted Online Backups | X | X | |||
13 | Legal | Circumvention Tech Regulated | X | X | X | |||
14 | Legal | Encrypted Comms Regulated | Email; Social Media; Local volume (USB/SD/Device); Travel Laptop (Chromebook); Travel/Local Mobile Phone; Primary Personal Mobile Device; Non-Phone Mobile Device(s); Personal Laptop; Online Travel Archive; Email; Password Manager; Travel PGP Key; Primary PGP Key; Encrypted Online Backups; Unencrypted Online Backups | X | X | X | ||
15 | Legal | In-Country Activities Regulated | X | X | ||||
16 | Legal | In-Country Partners Targeted | X | X | ||||
17 | Legal | Traveler/Partner Association Regulated | X | X | X | |||
18 | Legal | Traveler Mislead/Lie to Border Officials | X | X | ||||
19 | Legal | Traveler Perceived to be Misleading/Lying to Border Officials | X | X | ||||
20 | Legal | Topical/Information Censorship | X | X | X | |||
21 | Login Forced | Login Forced (Service) | Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Encrypted Online Backups; Unencrypted Online Backups; Travel Laptop (Chromebook); Travel/Local Mobile Phone; Primary Personal Mobile Device; Non-Phone Mobile Device(s); Personal Laptop; Online Travel Archive; Travel PGP Key; Primary PGP Key | X | X | X | ||
22 | Login Forced | Login Forced (Device) | Travel Laptop (Chromebook); Travel/Local Mobile Phone; Primary Personal Mobile Device; Non-Phone Mobile Device(s); Personal Laptop; Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Travel PGP Key; Primary PGP Key; Encrypted Online Backups; Local volume (USB/SD/Device); Travel Laptop (Chromebook); Physical Notes / Documents; Identity Cards (Passports); Camera; Video Recorder | X | X | X | ||
23 | Obstruction | Destruction (Device) | X | X | X | |||
24 | Obstruction | Application/Protocol Blocking | X | X | X | X | ||
25 | Obstruction | Endpoint/Route Disabling | Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Encrypted Online Backups; Unencrypted Online Backups | X | X | X | X | |
26 | Obstruction | App Store App Blocking/Restriction | X | X | X | |||
27 | Obstruction | Full Internet Shutdown | Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Encrypted Online Backups; Unencrypted Online Backups; Email | X | X | |||
28 | Obstruction | Satellite Comms Jamming | X | |||||
29 | Obstruction | Mobile Data Shutdown | Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Encrypted Online Backups; Unencrypted Online Backups; Email | X | ||||
30 | Obstruction | Full Mobile Shutdown | Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Encrypted Online Backups; Unencrypted Online Backups; Email | X | ||||
31 | Obstruction | Power Outage | Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Encrypted Online Backups; Unencrypted Online Backups; Email; Local volume (USB/SD/Device); Travel Laptop (Chromebook); Travel/Local Mobile Phone; Non-Phone Mobile Device(s); Personal Laptop; Camera; Video Recorder | X | ||||
32 | Obstruction | Intermittent Connectivity | Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Encrypted Online Backups; Unencrypted Online Backups; Email | X | ||||
33 | Obstruction | Lacking/Intermittent Access to Broadband | Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Encrypted Online Backups; Unencrypted Online Backups; Email | X | ||||
34 | Obstruction | Limited/Throttled Connectivity | Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Encrypted Online Backups; Unencrypted Online Backups; Email | X | ||||
35 | Surveillance | In-Country Partners / Contacts Accounts and/or devices | Email; Social Media | X | X | X | X | |
36 | Surveillance | Physical Stalking | Travel Laptop (Chromebook); Travel/Local Mobile Phone; Primary Personal Mobile Device; Non-Phone Mobile Device(s); Personal Laptop; Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Travel PGP Key; Primary PGP Key; Encrypted Online Backups; Local volume (USB/SD/Device); Travel Laptop (Chromebook); Physical Notes / Documents; Identity Cards (Passports); Camera; Video Recorder | X | ||||
37 | Surveillance | Passive Mobile Location Surveillance | X | |||||
38 | Surveillance | Passive Internet Surveillance | X | X | ||||
39 | Surveillance | Passive Mobile Data Surveillance | X | X | ||||
40 | Surveillance | Passive Mobile Comms Surveillance | X | X | ||||
41 | Surveillance | Data requests from online services | X | X | X | X | ||
42 | Surveillance | Passive Social Media Surveillance | X | X | X | X | X | |
43 | Surveillance | Compromised Account | X | X | X | X | X | |
44 | Surveillance | Compromised Device | X | X | X | X | X | |
45 | Deception | Phishing | X | X | X | X | X | |
46 | Deception | Pharming | X | X | X | |||
47 | Deception | Principal Spoof | Email; Social Media | X | X | X | X | X |
48 | Deception | Spoofed Access Point | Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Encrypted Online Backups; Unencrypted Online Backups; Email | X | X | X | ||
49 | Deception | Certificate Spoofing | X | X | X | |||
50 | Insider Threat | Traveler Circumvent Mitigations | X | X | X | X | X | |
1 | < Index | |
---|---|---|
2 | Title | Assumption |
3 | In-Country Access to Sensitive Information | Some team members will need access to some sensitive data while they are in-country. |
4 | What is Sensitive Changes | What constitutes sensitive data will change depending upon the traveler, the destination(s), who they are interacting with during their trip, the current political and/or social context in the region, and the type of work being conducted. |
5 | Forced Device Decryption will Occur | Team members may be required to decrypt, and provide border officials access to, devices when crossing some borders. |
6 | Forced Access to Social Media Accounts will Occur | Team members may be required to log into, and provide border officials access to, major social media accounts when crossing some borders. |
7 | Forced Email Access will Occur | Team members may be required to log into, and provide border officials access to, email accounts when crossing some borders. |
8 | The risk of being caught in a lie is unacceptably high | The risks associated with unsuccessfully lying to border officials about not having access to social media accounts and/or getting caught when using "fake" social media accounts have impacts that are unacceptably high. Even the inaccurate perception of this by border officials can have the same impact as it being true. |
9 | Fake accounts are too much work for how rarely they work | The effort required to produce "fake" social media accounts that can withstand moderate scrutiny is far more than the effort required for ongoing sanitation and pre-travel preparation of a social media account. |
10 | Technical resources are limited | Technical support is limited and the people who provide that support will be overworked. I work in civil society. This document was written with average civil society capacity in mind. |
11 | Time for pre-trip preparation will be limited | Travelers will often not have much advance notice before they travel. When they do, they will often forget to notify administrators until mere days before they leave. |
12 | Travelers will be tired and stressed | Travelers will be under increased levels of stress and fatigue while traveling. |
13 | Travelers will do what they must to get the work done | Team members will circumvent security measures that disrupt their workflows. Their interest in "getting work done" will cause them to fail at, or disregard, overly onerous or complex practices that interfere with accomplishing their intended tasks. |
14 | Team members won't use controls that seem arbitrary | Team members will circumvent security measures that seem arbitrary. |
15 | Some team members will have greater security and/or privacy requirements than what is provided | Some travelers will have their own increased requirements for privacy and/or security and their own tactics and technologies in place for implementing them. The tactics and technologies put in place under this process should aim to support these team member practices to the greatest extent possible, with consideration given to the level of effort required to implement compatible tactics and technologies and the overall security impact of providing the flexibility required to accommodate them. |
16 | Sensitive information will be created in-country | Some team members will create new sensitive information while they are in-country that they will need after they have left the country. |
17 | Travelers will be traveling globally | Travelers will be traveling across borders between different countries. |
18 | Some sensitive contacts will be less secure than we want | Some (many) of the travelers' in-country contacts will be unwilling or unable to use the communication tools and techniques requested by the traveler. |
19 | Comprehensive adoption of moderately secure baselines is better than inconsistent adoption of very secure practices | Not knowing what your risk profile looks like means that you can't appropriately assess the risk that a user is taking when they travel. |
20 | All content in this project will be considered with respect to separate psychological and physical security risk assessments | This project does not cover the threats and mitigations related to physical and/or psychological assaults (i.e. Harassment, Threats (not including death threats), Death threats, Restriction on travel, Denial of right of return, Extortion, Murder, Injury, Abduction, Arrest or detention, or Torture). This project should not be taken as a complete threat assessment for complex and/or hostile environments. The threats explored here that carry serious associated physical and/or psychological risk (i.e. detention) do not attempt to explore the associated physical and/or psychological dimensions beyond their impact on the digital risks. |
1 | < Index | |||
---|---|---|---|---|
2 | Title | Short Requirement | Comments | Sources |
3 | Civilian teams | Travelers are not expected to resist coercion and/or physical violence in the protection of sensitive information when traveling. | ||
4 | Multi-Environment Trips | System needs to be able to support travelers moving between different countries with varying threat profiles (low-risk -> high-risk) in the same trip. | ||
5 | In-Country Access to Sensitive Information | Travelers need to be able to access sensitive information while they are in-country. | ||
6 | In-Country Access to Sensitive Contacts | Travelers need to be able to access the contact information of sensitive contacts while they are in-country. | ||
7 | In-Country Communication with Sensitive Contacts | Travelers need to be able to communicate with sensitive contacts while they are in-country. | ||
8 | Communication with Uncooperative Sensitive Contacts | Travelers need to be able to communicate with sensitive contacts who are unwilling to use the communications tools we put in place. | Some (many) of the travelers' in-country contacts will be unwilling or unable to use the communication tools and techniques requested by the traveler. | |
9 | Traveler manages their own identity | The security practices must not force association with the team/organization onto the Traveler when they are traveling. | The Traveler must be able to manage their own identity when they are traveling. I will not attempt to cover practices for obfuscating the association of the individual with the team/org that is setting up the services, but I will include places where association can be forced and how to minimize it. In hostile and/or complex environments your team is going to be far more aware of their immediate needs than the administrator / security team was when they set up the systems. Comprehensive obfuscation would require a variety of other interventions and a separate obfuscated organization account. It can be done, but is out of scope for this project. | |
10 | Allow for Greater Security | The mandated security practices should provide a secure baseline for your travelers. They should not limit travelers' ability to attain greater security. | When mitigations support other ends (i.e. privacy or other non-travel-related risks) we should default to allowing the team member to choose to be more secure, but not force them one way or another. For these options, we should make sure that we have conducted proper security awareness training and have easy-to-digest information available to those team members to guide them in understanding how these choices may impact their risk model. | |
11 | Only a Traveler's Security System | The security practices should only attempt to create a travel device; never a permanent solution. | The temporary nature of these devices makes them less likely to be the device that a team member installs malicious extensions on, and we will be reviewing the applications and extensions that team members wish to load on their devices. Permanent devices have completely different needs and no attempt will be made to make a permanent solution. This means that some controls that would provide stronger security at a large usability cost can be left unimplemented because the likelihood of the threat occurring is rather low on ephemeral devices. For more permanent Chromebook implementations some of these options would need to be reconsidered. | |
12 | Only the managed device will access secure information | A Traveler must be able to accomplish their task with only managed devices able to access secure information. | Challenges of additional devices [discuss the problems with team members having to bring additional devices along] | |
13 | Security must not make the traveler ineffective | Baseline security must be focused on allowing the Traveler to accomplish their work. If they can't accomplish their work, either the security is wrong or they should never have traveled in the first place. | There are many individuals in the digital security space who are providing general digital security guidance right now to take advantage of this new-found agency. This can be valuable, if the right advice is taken. The effort that the members of these groups go through to adopt the individual security practices and tools recommended now can be wasted effort if these do not respond to the future threats that they actually face. And, taking action on inappropriate advice now can lead these newly activated groups to digital security exhaustion. | |
14 | Receptive and Trusted Admin/Security Team | A security team has to maintain a delicate balance between staff trusting that their security team is there to support them, even when they fail, and trusting that the security team is maintaining a hard enough line across the organization to keep them safe from the mistakes of others. | The team members need to trust that the admins/security team will be receptive to hearing about, and seeking out alternatives to, security systems put in place that they find get in the way of their work. If they are not telling you that their workflows are impacted because they think you don't care, won't work with them to find alternatives, or will chastise them, you are opening up opportunities for team members to circumvent your other mitigations. Things that seem inconsequential to a user, like devices providing websites with geolocation in environments where your Traveler has high-powered adversaries that actively and successfully request team member information from online intermediaries, can have significant security implications because of the information they leak. It is not your team members' job to keep track of every reason for small security controls like this. But, unless the admin/sec team is receptive to their feedback and has built trust with them, these types of interventions will be circumvented. A risk assessment based upon a security program that is being actively circumvented by its team member base is a flawed risk assessment. Things will go wrong. Processes will fail. Team members will have unique workflows. Team members need to trust that you are there to support all of those. | |
15 | Support Personal Computing Needs | Security practices must support a traveler's personal computing needs (calls with family, personal banking, relaxation, etc.) so that they are not unaware of the changes to the risk landscape brought by the Traveler accomplishing those tasks. | We do not want team members adding additional personal accounts to the device for any reason. So, we have to provide mechanisms to support their personal needs with the travel devices. | |
16 | Localizable & Internationalizable Practices | The team being supported is from a variety of regions. | This list is not only considering international travel, it is considering a diverse international team. Some of the choices I've made during this exercise go against traditional western security administration practices. (For example, allowing team members to install apps from unknown sources would rarely ever be acceptable practice for western security admins.) 1) International App Stores: If you have an international team you must take into consideration that there are a multitude of app sources/stores and many of them have apps and extensions that are widely used in one region or another but are not included in Google Play. Only allowing Google Play Store apps can decrease adoption of this travel solution. If the localized apps that your international team members need are not included in the Play Store they will likely still bring along their own devices. (See the many places I discuss the problems with team members having to bring additional devices along.) | |
17 | Self-Managed Considerations | This exercise should highlight considerations for self-managed teams wherever possible. | ||
18 | Low Resourced Administrator | This exercise is targeted at teams whose administrator(s) and/or security team have limited time and resources. | ||
19 | Widely Dispersed Team | The team being supported is globally dispersed and unable to meet with the security team in person before traveling. | This list is not only considering international travel, it is considering a globally dispersed team. This means that device management will be more difficult, and the team members need to be able to implement device wiping and preparation without in-person support. | |
20 | Sensitive Information should be safe when border officials have full device access | Team members must be able to have their logged-in device confiscated at a border without leaking sensitive information. | ||
1 | < Index | ||
---|---|---|---|
2 | Name | Description | Existing Source |
3 | Chromebook(s) | This entire exercise is focused on the use of Chromebooks and the Google Apps ecosystem for integration into the tactics and technologies used for secure travel in complex and/or hostile environments. Depending upon the configuration options you choose, Chromebooks require local connectivity to work. If you have team members who are going to areas with limited connectivity, make sure you explore how to allow the Chromebook to support offline access. | |
4 | Proof Of Inaccess | The "proof of inaccess" mitigation is a set of smaller technical controls that are put in place to prove to a border official that the Traveler only has a specific level of access to sensitive information, devices, organizational services, and/or personal/social media accounts; that the reasons they do not have access are legitimate and either imposed upon them by their organization or put in place for legitimate business reasons; and that they have no ability to regain access without an external party intervening (their organization's security team, etc.). There are unacceptably high impacts for unsuccessfully lying to border officials about your level of access to online accounts or unsuccessfully attempting to provide "fake" device/social-media accounts when border officials request access. Even the inaccurate perception of either of these by a border official can have the same impact on the Traveler as if it were true. This mitigation aims to be a viable alternative to these two commonly encountered suggestions for securing sensitive accounts/information at borders: 1) "I'll just make fake accounts": I don't recommend lying in any situation where you're likely to go up against people trained in detecting lies. The "Proof of Inaccess" mitigation aims to provide border officials with proof that you are being forthright about your level of access. (Also see the mitigation below about sanitizing your social media accounts, because OSINT is not that hard and border officials can do it too.) 2) "I'll just leave my account information at home": When a request for greater access to information and/or accounts is made at a border it is essentially a "game of chicken" (in the game theory sense). Each player (the border official and the Traveler) only benefits if the other player yields. If neither player yields, neither player benefits. The border official wants greater access to confirm that the Traveler is "safe" to enter the country. The Traveler wants to enter the country without providing access to sensitive information. If the border official fails to yield and the Traveler fails to yield then the conflict escalates. In situations where the border official is unwilling to yield, a Traveler will want the ability to yield some greater level of access. In the context of the "proof of inaccess" mitigation they do this by contacting their security team (which has the added effect of alerting their security team so that appropriate responses can happen from the organizational side). This is also the reason why this mitigation may not be appropriate for an actor working on their own. Theoretically, an individual actor could also set up a Google Suite for themselves and leave the admin credentials offline when they travel. Their inability to yield, by providing access through an invested third party, puts them in a one-sided game where the escalation of the game becomes entirely dependent on the willingness of the border official to yield. | |
5 | In-Country Device Swapping | This set of mitigations supports contingency planning around device loss and/or confiscation while a Traveler is in-country. The general idea is that with proper preparation and processes in place a traveler who has their device stolen, confiscated, and/or compromised can acquire a new/used device in-country and quickly have that device up to nearly the same level of functionality as the device that was lost/compromised. In the Chromebook example this would look something like the following: 0) The traveler has their device compromised, lost, destroyed, etc. and informs the admin/security team; 1) The admin uses G Suite's device management controls to disable the team member's previous device; 2) The Traveler purchases a clean Chromebook; and 3) The Traveler enables the new device to work with their travel account. | |
6 | Traveler Sub-Organization(s) | This "mitigation" is the creation of G Suite sub-organization(s) that are only used to create temporary accounts for your team members when they are traveling. If your team has created a separate G Suite account, or only uses a G Suite for travelers, then this mitigation would only be used if you had different setups for different types/levels of threats (i.e. low-connectivity environments, high risk of detainment, high risk of confiscation/attempted compromise without detainment, etc.). The sub-organization supports the overall travel security process in a few ways: * Ease & Consistency of Setup: By creating sub-organizations within a G Suite account the admin is able to configure the device and user defaults of the sub-organization differently than the rest of the organization's defaults. This means that travel accounts and devices will be properly set up automatically upon being assigned to a user in this sub-organization. This will save the admin significant time they would otherwise have spent configuring each new device. * Isolation from Daily Accounts: See "Temporary G Suite Accounts". * EXTRA PERK: Research Accounts: Furthermore, if your team members are doing investigative research where they must proceed to malicious sites, a heavily locked-down traveler sub-organization account can be made for this type of research. These accounts, and the Chromebooks they are associated with, can be easily wiped after the research is complete. Moreover, through forced app installation and customization the researcher's toolkit can be easily provisioned. | |
7 | Encrypted online archive | To mitigate against the search or long-term confiscation of travel devices, sensitive information that will be needed when traveling can be stored in online archives and downloaded after the traveler has safely arrived at their destination, synced while traveling, and removed from their devices before starting their travel out of the country. The basic workflow: a Google Apps folder containing the sensitive information is prepared by the traveler before their trip. Ownership of that folder is passed to an administrator account. The traveler's access to the folder is removed. The traveler travels to their destination. The traveler contacts an external party to have them share the Google Apps folder with the traveler's travel account. The Traveler has optional pre-scheduled check-ins with the administrator that, if missed, will lead the administrator to remove the traveler's access to the archives. The Traveler, and/or the administrator, removes access to the sensitive archive folder before beginning travel out of the country. The administrator passes ownership of the folder back to the traveler's primary account. | |
8 | Temporary PGP Keys | If a Traveler uses PGP in their communications they can create a "travel sub-key." This key will be signed by their primary key and attached to the "travel away message" on their primary email account. This away message will be signed by their primary key and notify anyone who e-mails that any PGP encrypted messages cannot be read until they return, but that they can send PGP encrypted messages to the traveler using their secondary key if the message is urgent. (See: Traveler Away Message) While a traveler could make a new "travel sub-key" for every trip, this becomes unwieldy for both the traveler and others very quickly. I recommend creating a single travel sub-key and using that for all travel communications until a certain period of time has passed and/or you believe that key may have been compromised. There are still considerations to be explored related to the process of moving all encrypted travel communications back to the primary account. The ideal situation would have all traveler email encrypted to the traveler's primary key and moved over to that account. This would mean that the traveler has access to all their historic emails using only their primary key and email address, and that the travel PGP key only ever has access to emails that are sent during travel. Sadly, I have yet to devise an easy to implement solution that accomplishes this. | |
9 | Temporary G Suite Accounts | Travelers will only use the temporary G Suite accounts for document storage, email, etc. instead of their primary organizational accounts when traveling. This removes their access to historic sensitive information that may be contained in their primary accounts. By making travelers use a sub-organization account (See: Traveler Sub-Organization(s)), and removing their access to their primary accounts, the traveler is isolated from any historic sensitive information while they are traveling (i.e. they only receive emails forwarded to their sub-org account during this period, they don't have access to any documents in their normal G Suite docs account, etc.). This requires more preparation on the part of the traveler to make sure they have prepared all the information they will need ahead of time, but it dramatically reduces the impact of a compromised account when traveling. During this period access to any of their primary accounts that may contain sensitive information (email, document storage, etc.) will be disabled. Re-enabling these accounts during travel will require that the Traveler contact an administrator. (See: Social Media Account Sanitization for exceptions.) | |
10 | Social Media Account Sanitization | When traveling across borders where social media history is likely to be exposed, or where login may be forced, a traveler will have to sanitize their social media accounts by hand. This may include deleting direct messages within the platform, temporarily leaving groups or deleting connections to individuals that may put them, or others, at risk when they are traveling, and/or deleting previous posts that may lead to increased risk if exposed. This can be aided by using the open-source versions of the same type of "social media monitoring software" that is used to assess and search through a person's social media account and connections. (I'm not going to start listing all the tools here. Keywords to combine with "Social Media" when searching include things like "OSINT", "Mapping", "Marketing", "Analysis", etc.) | |
11 | Traveler Away Message | Travelers will enable a "travel away message" on their primary email account that informs anyone who e-mails the Traveler that: * the Traveler is currently traveling and is using their travel email (XXXXX-travel@YYYYY.ZZZZZ), * they will not be able to access their primary GPG key while traveling, * any sender should re-encrypt the message (to the attached travel PGP key) and send it to their travel email address (if they use GPG keys), and * the dates that they will be traveling. This away message, and the travel PGP key, will be signed by their primary key. | |
12 | Inventory of Authorized and Unauthorized devices | Have team members confirm the number of enrolled devices that they have, and un-enroll and investigate any non-confirmed devices. If a disabled device is actually in use, the team member will contact the admins when it is disabled. [The risk of disconnecting a team member in a complex environment should always be weighed against enforcing a policy to the letter. If a team member cannot be reached, their devices should not be automatically shut down. Investigation of a device's activity can help determine if that device is malicious.] | SANS Critical Security Controls |
13 | Enrollment Contact Policies | Contact policies should be put in place that require a team member to contact the administrators within a certain period of time after they have enrolled a new device. These policies are put in place to allow for traveler-initiated "in-country device swapping" while also allowing for an up-to-date "inventory of authorized and unauthorized devices." As with all contact policies for complex environments, the contact channel and practices that are put in place should consider adversaries who masquerade as a team member to enroll new devices, and the possibility of team members being forced/coerced into providing confirmation. | |
14 | Possible Credential Disclosure Practices | Incident response policies for cases of possible credential disclosure. These policies should be consistent with your normal incident response practices. Depending upon the type of account that was compromised these policies may also include emergency contact procedures for possibly at-risk partners/in-country contacts, or disabling and/or locking the traveler out of their unmanaged professional and/or personal accounts. * Dealing with professional and personal accounts that are not directly managed by your administrator (social media, non G Suite email accounts, etc.): ** Disabling a traveler's unmanaged professional or personal accounts can be done by contacting the company directly. (There are a variety of civil society focused rapid response groups that can help with this.) But, in these cases the user's account is completely locked, and can be difficult to unlock once the traveler is back to safety. ** The other option is to lock the traveler out of any accounts they have access to. A security team can lock travelers out of accounts they have access to without fully disabling them if the traveler has provided them with access to their primary "account creation" email address and given them one or more two-factor authentication recovery codes. The traveler can do this by using a password manager to share all account passwords with a "traveler incident" password account kept by the security team. They can then print out recovery codes for their unmanaged professional and personal accounts that use two-factor authentication and provide the security team with a small set of these codes for each account in a sealed envelope. In the case that the traveler's credentials may have been exposed, all of these accounts can be locked down by the security team. Once the traveler has returned they can revoke the "traveler incident" access to those passwords and the security team can return the traveler's envelope. (The workflow for this still needs to be worked out and it requires a LOT of trust since these may include personal accounts.) * How team members will know if a device may be compromised (in the non-obvious circumstances): Team members will be taught to consider a device compromised if it is confiscated for any significant length of time. With a proper needs assessment and ongoing communication with users these devices should be less likely to be compromised because a team member has decided to install an unapproved (and also malicious) extension/app on the device. But, in cases where a user determines that they do need an application and/or extension that the security team has not evaluated while they are traveling, they should inform the security team so that the team can evaluate that software remotely and monitor their accounts more closely until the evaluation is complete. | |
15 | Needs Assessment (Apps) | The security team needs to create a map of their staff's travel workflow and digital footprint. This should provide them with an understanding of what software, services, and data staff need to have access to in order to do their jobs when traveling, meet their personal computing needs when traveling (see: Requirements - Support Personal Computing Needs), and which of these store sensitive information that will need to be isolated and/or otherwise protected when traveling. This is a very large project that requires time and trust from staff and security team alike. One possible strategy is to start your program allowing everything (see: app management: "allow all except blocked") when you start your transition to this program. The security team can use this initial period of active use of travel devices to survey your travelers for what services, software, and data they used, and what they wish they had access to. This will allow you to develop a list of services, software, and data that are used / desired by your team members. Once you have a list of all of these you can add a range of supported apps as forced and/or recommended on your travel devices. You can use the next period to identify any software and/or services that were missing. Finally you can implement a whitelist-only model ("block all except whitelisted"). The start of the whitelist phase will have to be accompanied by an overly responsive security team to catch the few services, software, and accounts that were not brought to the team's attention ahead of time. | |
16 | Remote Access Management | We will be using G Suite's built-in tools and account management to deal with remote management of devices. If you want to be able to provide remote support to your travelers using remote desktop you will want to add Chrome Remote Desktop [1] to the apps available on the Chromebook. This can be done in the recommended apps or through forced install. [1] https://support.google.com/chrome/answer/1649523 [2] https://chrome.google.com/webstore/detail/chrome-remote-desktop/gbchcmhmhahfdphkhkmpfmihenigjmpp | |
21 | Multi-Factor Authentication | I'm not even going to go into the importance of multi-factor authentication except to say two things: it has additional perks for this setup [1], and it's not just U2F and Google Auth [2]. [1] Travel G Suite sub-organizations should require their users to use multi-factor auth. By doing this their Chromebook will also require multi-factor auth for logging in. [2] Client certs: Client certs will only allow a device with a valid certificate installed on it to connect to a service. I'm not going to go in depth about it here. But, it means that if a travel team member's username and password are compromised for any account the attacker will also need to have access to a device with that team member's certs installed. | |
22 | Inventory of Authorized and Unauthorized Software | "An organization without the ability to inventory and control its computers' installed programs makes its systems more vulnerable to attack. Furthermore, poorly controlled machines are more likely to be running software that is unneeded for business purposes, introducing potential security flaws. Compromised systems become a staging point for attackers to collect sensitive information. In order to combat this potential threat, an organization should scan a network and identify known or responding applications. Commercial software and asset inventory tools are widely available. The best tools provide an inventory check of hundreds of common applications, pulling information about the patch level of each installed program. This ensures that it is the latest version and that it leverages standardized application names, like those found in the Common Platform Enumeration (CPE) specification. In addition to inventory checks, tools that implement whitelists (allow) and blacklists (deny) of programs are included in many modern endpoint security suites. To evaluate the implementation of Control 2 on a periodic basis, the team must move a benign software test program that is not included in the authorized software list on 10 systems on the network. The team must then verify that the software is blocked and unable to run." | SANS Critical Security Controls |
23 | Account Monitoring and Control | "Attackers frequently impersonate legitimate team members through inactive team member accounts. This method makes it difficult for network watchers to identify attackers' behavior. Although most operating systems include capabilities for logging information about account usage, these features are sometimes disabled by default. Security personnel can configure systems to record more detailed information about account access and utilize homegrown scripts or third-party log analysis tools to analyze this information. The system must be capable of identifying unauthorized team member accounts when they exist on the system. To evaluate the implementation of Control 16 on a periodic basis, the evaluation team must verify that the list of locked out accounts, disabled accounts, accounts with passwords that exceed the maximum password age, and accounts with passwords that never expire has successfully been completed daily." | SANS Critical Security Controls |
24 | Controlled Access Based On Need to Know | "Some organizations do not carefully identify and separate sensitive data from less sensitive, publicly available information within an internal network. In many environments, internal team members have access to all or most of the information on the network. Once attackers have penetrated such a network, they can easily find and exfiltrate important information with little resistance. This control is often implemented using the built-in separation of administrator accounts from non-administrator accounts. The system must be able to detect all attempts by team members to access files without the appropriate privileges and must generate an alert or email for administrative personnel. This includes information on local systems or network accessible file shares. To evaluate the implementation of Control 14 on a periodic basis, the evaluation team must create test accounts with limited access and verify that the account is unable to access controlled information." | SANS Critical Security Controls |
25 | Security Awareness and Training | Administrators and/or security professionals will be conducting security awareness building and risk assessment activities with travelers. | |
26 | Chrome Remote Desktop | Set up specific desktops that will allow team members to remotely use services that they cannot otherwise use on Chrome while traveling. This can also be done for team members that are doing investigative research and want to use a Chromebook to proceed to malicious sites. They should likely not be using their primary device to do this work. If they wish to use Chromebooks for these use cases instead of their primary browser then an admin can set up disposable VMs that they can remote into from their travel Chromebook. If you want your travelers to be able to do this you will want to add Chrome Remote Desktop [1] to the apps available on the Chromebook. This can be done in the recommended apps or through forced install. [1] https://support.google.com/chrome/answer/1649523 [2] https://chrome.google.com/webstore/detail/chrome-remote-desktop/gbchcmhmhahfdphkhkmpfmihenigjmpp | https://support.google.com/chrome/a/answer/2799701?hl=en |
27 | Desktop Virtualization | If you still need to use legacy applications from Windows, Mac, and/or Linux, Chrome devices support a variety of desktop virtualization solutions such as VMware and Citrix. Why would we do this when we have the option of remote desktop? Because travelers may need to use applications that Chromebooks do not support when traveling in areas with limited/intermittent/etc. internet connectivity. This, as with remote desktop, will require that admins make the virtualization app(s) [1] available. This can be done in the recommended apps or through forced install. [1] https://chrome.google.com/webstore/detail/horizon-client-for-chrome/pckbpdplfajmgaipljfamclkinbjdnma?hl=en | https://cloud.googleblog.com/2014/02/vmware-to-bring-traditional-windows.html |
28 | External Enterprise Mobility Management Tool | External enterprise mobility management tools (remote-management/wiping/control applications) were included in the mitigation list for the benefit of those who already use such a service. This document almost entirely focuses on a threat model that only includes G Suite's built-in EMM tools and permission management to deal with travel device management. I made this choice to limit the scope and cost of this project. But, there are configurations that impact these products, so it stays in the mitigations. | |
29 | Appropriate Organizational Identifiers | A traveler's device and accounts shape how the traveler's identity is read upon casual inspection. This mitigation is about the admin/security-team **not** providing a traveler with a device that **inappropriately forces identification.** If the Traveler's organization is regulated, and/or known to do activities that are regulated in the country, the traveler may not want to broadcast it to every official they meet. That aspect of their identity will increase the risk of an interaction escalating negatively. As such, if the device and/or accounts that have been put in place identify the organization the device belongs to upon casual inspection, it will unnecessarily force the traveler into a more volatile environment. If a device is plastered with identifiers that cry out for border officials to instigate more intensive screening of the traveler you are putting your traveler at greater risk. For example, if your organization's name is "The Commission for Free Government Information by All Means Necessary" then it might not be a great idea to have your device ID tags display that in large lettering. (This is also why I don't rock dozens of hacker stickers on my laptop.) At the same time, there are many contexts where properly used identifiers can de-escalate a situation. In environments where the organizational affiliation is positive (for example humanitarian and/or aid organizations with good reputations) a well placed logo on your device's ID tags can help thwart the initial sparks that would escalate an interaction. The use of informal organizational identifiers (like device ID tags and stickers) is the equivalent of an American student wearing a Canadian flag on their backpack. It can only help reduce initial stresses from escalating. Any situation that does escalate will require more official proof of identity and tact on the part of the traveler. But, that does not mean that it cannot be used strategically. I had/have concerns about including this as a mitigation. There is a likelihood that the reader misinterprets what I said as "you should conceal your affiliations from border officers" or "you should put your aid organization's stickers on your things." This is not what I just said. On the former: As someone who taught me a lot about civil society security once said: "I don't recommend lying in any situation where you're likely to go against people trained in detecting lies." On the latter: Humanitarian and aid workers get targeted for sanction and violence far too frequently. [1] One of the above mitigations that supports this process is the G Suite sub-organization, through its inclusion in, or isolation from, organizationally identifying domains. A sub-organization can have a completely different domain than the organization's primary domain. A separate sub-organization and/or G Suite account that is non-identifying can be useful for environments where you want the Traveler to have near complete control over how they present their identity and affiliations. In environments where organizational identity is desired, ensuring that your sub-organization uses the same domain will help provide the desired association, depending upon the settings you choose. [1] http://www.insecurityinsight.org/aidindanger/digests/ | |
30 | In-country alternative working software identification | When software or services are censored or otherwise unavailable to a traveler in-country you should have mechanisms in place to support them in identifying alternative apps that serve the same need. This can be as simple as having 1st, 2nd, and 3rd choices in your organization's recommended apps section. It can also be as complex as having an incident response process in place specifically for identifying alternative applications and testing their availability. This mitigation often requires existing networks of technically adept people who are from, or frequently travel to, the country in question. | |
31 | Device Wiping | This is a general term for all the smaller mitigations that aim to clear all user data from a device. This can range from having a user signed out of the device on lock, to not saving local data on the device, to the user completing a full device reset. Implementing mitigations in this category should be considered carefully because they can be very inconvenient. This is especially true in areas with limited/intermittent connectivity where local data and applications are the only ones available to a user. It is also important to ensure that users understand the implications of these mitigations. Having all the applications and windows one had open wiped every time they have to walk away from their computer can become frustrating very quickly. | |
32 | Secure Traffic Tunneling | Provide your team members with a secure way to tunnel their online traffic out of the in-country network. This can be done using built-in proxies and/or through applications that are provided to the traveler. Built-in (secure) proxies offer greater user ease but come with a lack of control. This can be useful for travelers who are traveling to primarily well connected regions. Traveler control over when a proxy is used becomes more critical in low connectivity areas, where their ability to prioritize access over security can allow them to accomplish non-sensitive tasks without the delays caused by a forced proxy. If there are concerns about passive surveillance then the use of a proxy that is only configured to proxy non-TLS (HTTP) connections can provide a greater level of security against surveillance of non-secured connections without impacting connections that already have TLS. If you are using a PAC file make sure that you are using a secure connection to your proxy. https://www.chromium.org/developers/design-documents/secure-web-proxy | |
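A PAC file that implements the "proxy only non-TLS (HTTP) connections" setup described above, added here as an illustration rather than taken from the original spreadsheet. The proxy host `proxy.example.org:443` is an assumed placeholder; the `HTTPS host:port` return form is the PAC syntax Chrome uses for a secure (TLS) web proxy, and the optional `DIRECT` fallback models the "prioritize access over security" choice for low connectivity trips.

```javascript
// Added example, not from the original document: a Proxy Auto-Config (PAC)
// script for the "proxy only plain HTTP" pattern. Assumptions (hypothetical):
// the secure web proxy listens on proxy.example.org:443 and is reached over
// TLS, which the PAC return value "HTTPS host:port" expresses. The PAC file
// itself must be served to the device over HTTPS as well, otherwise an
// on-path attacker on the local network can rewrite the proxy rules.

const SECURE_PROXY = "HTTPS proxy.example.org:443"; // constructed placeholder

// Schemes that travel in clear text on the local network and are therefore
// readable by passive surveillance; everything else already carries TLS.
const PLAINTEXT_SCHEMES = new Set(["http", "ws"]);

// Builds a FindProxyForURL-style resolver.
// allowDirectFallback=false: surveillance-resistant setting. If the proxy is
//   unreachable, plain HTTP fails rather than silently going direct.
// allowDirectFallback=true: access-first setting for low connectivity trips,
//   where the traveler has chosen availability over protection from passive
//   observation of non-sensitive plain-HTTP traffic.
function makeProxyResolver({ allowDirectFallback = false } = {}) {
  const proxyChain = allowDirectFallback
    ? SECURE_PROXY + "; DIRECT"
    : SECURE_PROXY;

  return function resolve(url, host) {
    const scheme = url.split(":", 1)[0].toLowerCase();

    // Loopback traffic is never tunnelled.
    if (host === "localhost" || host === "127.0.0.1") {
      return "DIRECT";
    }
    // Plain HTTP / WebSocket goes through the TLS-wrapped proxy.
    if (PLAINTEXT_SCHEMES.has(scheme)) {
      return proxyChain;
    }
    // https:// and wss:// already have TLS end to end; leave them alone.
    return "DIRECT";
  };
}

// Strict (no fallback) policy, exposed under the global name Chrome looks up
// when it loads a PAC file.
const strictResolver = makeProxyResolver({ allowDirectFallback: false });
function FindProxyForURL(url, host) {
  return strictResolver(url, host);
}
```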
33 | Whitelist(s) | Whitelists come with a range of problems. By codifying their inventories of authorized software and services into strict access rules an admin team will gain complete control over what is added to their environments. But, if they are too slow to respond to user needs, or are overly restrictive in what they allow, they will push their users outside of the managed information ecosystem. This will lead to a "secure" IT infrastructure that has no bearing on the actual information security of the team. Avoiding this can be accomplished by conducting an extensive needs assessment before whitelisting, being responsive to user needs, and generally by having your team's respect and trust. | |
34 | Blacklist(s) | Blacklists also come with a range of problems. By codifying their inventories of unauthorized software and services into strict access rules an admin team will be able to limit known-malicious software and services. But, anything that is blacklist based will only catch **known** signatures/behaviors/etc., will require constant updating with the latest content, and will miss much. But, this is not to say you should not do it. There are many ways to optimize your blacklist creation and update process to allow an admin to reduce the ease-of-compromise of their users. This process is out of scope for this document. | |
35 | Maintenance, Monitoring, and Analysis of Audit Logs | "At times, audit logs provide the only evidence of a successful attack. Many organizations keep audit records for compliance purposes but rarely review them. When audit logs are not reviewed, organizations do not know their systems have been compromised. Attackers rely on this. Most free and commercial operating systems, network services, and firewall technologies offer logging capabilities. Such logging should be activated, and logs should be sent to centralized logging servers. The system must be capable of logging all events across the network. The logging must be validated across both network and host-based systems. To evaluate the implementation of Control 6 on a periodic basis, an evaluation team must review the security logs of various network devices, servers, and hosts." | SANS Critical Security Controls |
36 | Boundary Defense | "By attacking Internet-facing systems, attackers can create a relay point to break into other networks or internal systems. Automated tools can be used to exploit vulnerable entry points into a network. To control the flow of traffic through network borders and to look for attacks and evidence of compromised machines, boundary defenses should be multi-layered. These boundaries should consist of firewalls, proxies, DMZ perimeter networks, and network-based intrusion prevention systems and intrusion detection systems. Organizations should regularly test these sensors by launching vulnerability-scanning tools. These tools verify that the scanner traffic triggers an appropriate alert. The captured packets of the Intrusion Detection Systems (IDS) sensors should be reviewed using an automated script each day, which ensures log volumes are within expected parameters, are formatted properly, and have not been corrupted. To evaluate the implementation of Control 12 on a periodic basis, an evaluation team must test boundary devices. This is done by sending packets from outside a trusted network, which ensures that only authorized packets are allowed through the boundary. All other packets must be dropped." | SANS Critical Security Controls |
37 | Encrypted External Storage devices | Storing sensitive information and credentials in encrypted volumes on external storage devices in case the primary device is stolen, confiscated, or targeted. This mitigation also provides greater storage capacity for local data in cases where the traveler has limited access to the Internet. This is a mitigation that I have seen used in a variety of ways. These devices can be mailed to a location before travel, they can be carried on the person to avoid casual inspection or in case a device gets confiscated/stolen, and they can be filled and transported out of the country separately from the traveler. | |
38 | Webcam Cover | Reading through the very cool options available for disabling internal audio on Chromebooks forced me to include a conversation about hardware on/off switches for sensors. So, it was only appropriate to talk about the "hardware switch" for disabling video. Compared to the expertise and effort required to disable the internal camera [1], a webcam cover is far more logical. It only costs about $3 and is almost [2] immediately intuitive to use for most users. [1] https://twitter.com/n8fr8/status/584552388117143554 [2] On more than one occasion I have sat on a video conference where someone could not get the camera to work, only to realize that they had their webcam cover on. | |
39 | Emergency Communication Practices | Set up practices for how your travelers will contact you during any emergency. (Not just info-sec emergencies; this covers every emergency.) The information security mitigations that are put in place need to balance the risks of insecure communications with the risks of a traveler not being able to get hold of support during an emergency. Travelers should be taught how to "ratchet down" security as needed until they are able to connect with someone who can help them. | |
40 | Project Specific GSuite Accounts | There are times when a traveler may need to access an entirely separate G Suite account while they are in-country. For instance, if the traveler has created a secondary G Suite account to communicate with local contacts in order to limit the risk that they will be associated with the traveler's organization if they are forced to reveal the contents of their e-mail. In cases such as this, a traveler may need to be able to manage multiple accounts while in-country, or may need to have multiple accounts forwarded to the same travel account while in-country. | |
41 | Crisis Identification | The monitoring that an admin/security team does on its travelers' devices can also be incorporated into their crisis identification processes. While traditional check-ins, etc. cannot be replaced with monitoring of user behavior on their accounts, abnormal behavior can be used as an indicator that a crisis may have occurred (i.e. if they have not logged in for an unusual period of time). These indicators can be used to initiate check-in procedures that might otherwise not be initiated until later. Any opportunity to get started with crisis management earlier is a useful one. Setting this up to limit false positives will be a difficult task, and should be prioritized appropriately. There are also tools that are built for this purpose. The cost of setting up monitoring and tweaking the settings to make the alerts useful might be more than the cost of purchasing a preexisting tool that does this and more. | |
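An added illustration of the inactivity indicator described above, run over constructed sample login-audit events; it is not part of the original spreadsheet. It assumes a simple `{actor, event, time}` export format (hypothetical) and that each trip record carries a maximum expected silence, agreed with the traveler beforehand and longer for low-connectivity trips, so that the threshold follows the trip instead of one global value that would flood the team with false positives.

```javascript
// Added example, not from the original document: flag travelers whose travel
// account has been silent longer than their trip allows. Assumptions
// (hypothetical): audit events are {actor, event, time} records; trips carry
// start/end dates and a per-trip maxSilenceHours agreed during planning.

// Constructed sample audit events (not real data).
const SAMPLE_EVENTS = [
  { actor: "ana-travel@example.org", event: "login_success", time: "2024-03-01T08:00:00Z" },
  { actor: "ana-travel@example.org", event: "login_success", time: "2024-03-03T09:30:00Z" },
  { actor: "ben-travel@example.org", event: "login_success", time: "2024-02-27T18:00:00Z" },
  { actor: "cai-travel@example.org", event: "login_failure", time: "2024-03-04T02:00:00Z" },
];

// Constructed trip records. ben is on a low-connectivity trip, so a long
// silence is normal for him and must not raise an alert; dee has not left yet.
const SAMPLE_TRIPS = [
  { actor: "ana-travel@example.org", start: "2024-02-28T00:00:00Z", end: "2024-03-10T00:00:00Z", maxSilenceHours: 48 },
  { actor: "ben-travel@example.org", start: "2024-02-25T00:00:00Z", end: "2024-03-15T00:00:00Z", maxSilenceHours: 240 },
  { actor: "cai-travel@example.org", start: "2024-03-02T00:00:00Z", end: "2024-03-09T00:00:00Z", maxSilenceHours: 48 },
  { actor: "dee-travel@example.org", start: "2024-03-12T00:00:00Z", end: "2024-03-20T00:00:00Z", maxSilenceHours: 48 },
];

// Timestamp (ms since epoch) of the actor's most recent successful login,
// or null if there is none. Failed logins deliberately do not count as
// "signs of life": they can come from anyone who knows the address.
function lastSuccessfulLogin(events, actor) {
  let latest = null;
  for (const e of events) {
    if (e.actor !== actor || e.event !== "login_success") continue;
    const t = Date.parse(e.time);
    if (latest === null || t > latest) latest = t;
  }
  return latest;
}

// Returns one alert per traveler whose silence exceeds their trip's window.
// Travelers outside their trip dates are skipped (nobody expects the travel
// account to be used then), which removes one common source of false alarms.
function findSilentTravelers(events, trips, nowIso) {
  const now = Date.parse(nowIso);
  const alerts = [];
  for (const trip of trips) {
    const start = Date.parse(trip.start);
    if (now < start || now > Date.parse(trip.end)) continue;

    const last = lastSuccessfulLogin(events, trip.actor);
    // With no successful login yet, silence is measured from the trip start.
    const since = last === null ? start : last;
    const hoursSilent = (now - since) / 3600000;

    if (hoursSilent > trip.maxSilenceHours) {
      alerts.push({
        actor: trip.actor,
        hoursSilent: Math.round(hoursSilent),
        reason: last === null
          ? "no successful login since trip start"
          : "no successful login within expected window",
      });
    }
  }
  return alerts;
}
```

The alerts are a prompt to start the check-in procedure early, not a verdict; the thresholds are what the team tunes when it works on limiting false positives.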
42 | Cohesive Security Tool Adoption | In distributed and/or largely independent teams there is a tendency for splits in tool usage that are often caused by ad-hoc adoption of security tools by staff. A cohesive "baseline" set of tools used across your organization/team for specific purposes is important for a sustainable security program. The more varied the application landscape within your team, the more complex your risk assessments will have to be and the less likely it is that there will be a shared secure channel between different individuals. | |
43 | Personal Device Preparation | Preparing personal devices for travel by removing apps, updating them, etc. If a traveler brings along a personal device that they also handle sensitive information with, then that device would negate the security of the Chromebook setup described in this project. As such, training, guidance, and support should be provided to users who are bringing their personal devices, to sanitize them of sensitive information and access to privileged services and systems before they travel. | |
44 | Password Manger | Using a password manager that allows sharing allows the security team to be able to share and revoke access to the secured archive and other services thrroughout the travlers trip. This can be done in response to specific conditions or user requests/actions. This will allow the user to travl through borders without access to the secure archive or even any indication that they have a secure archive at all. So, under some of the most compromising situations (the user is asked to open their password manager) the secure archive is not compromised. |
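
The "Crisis Identification" row above describes using login inactivity as a trigger for check-in procedures, and notes that limiting false positives is the hard part. The following is an added example (not part of this project's spreadsheets or tooling) of one way to do that: it learns each traveler's own login cadence from constructed sample log lines, alerts only when silence exceeds a multiple of that cadence, and suppresses alerts during offline windows the traveler declared in advance (a flight, a field day without coverage). The log line format, the account names, the `PLANNED_OFFLINE` windows, the 12-hour floor and the 3x multiplier are all assumptions made for this example.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample audit-log lines (not real data): ISO timestamp, account, event.
# The line format is an assumption made for this example, not a real export format.
SAMPLE_LOG = """\
2019-03-01T08:05:00 traveler.a@example.org LOGIN
2019-03-01T20:10:00 traveler.a@example.org LOGIN
2019-03-02T08:30:00 traveler.a@example.org LOGIN
2019-03-02T21:00:00 traveler.a@example.org LOGIN
2019-03-03T07:50:00 traveler.a@example.org LOGIN
2019-03-01T09:00:00 traveler.b@example.org LOGIN
2019-03-02T09:15:00 traveler.b@example.org LOGIN
2019-03-03T09:05:00 traveler.b@example.org LOGIN
2019-03-01T09:00:00 traveler.c@example.org LOGIN
2019-03-01T09:30:00 traveler.c@example.org DOWNLOAD
"""

# Constructed: windows during which a traveler has declared they will be offline
# (a long flight, a field visit with no coverage). Silence inside a window is expected.
PLANNED_OFFLINE = {
    "traveler.c@example.org": [(datetime(2019, 3, 4), datetime(2019, 3, 6))],
}

NOW = datetime(2019, 3, 5, 9, 0)  # the moment the check is run (constructed)


def parse_log(text):
    """Return {account: sorted list of login datetimes}; other events are ignored."""
    logins = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, event = line.split()
        if event != "LOGIN":
            continue
        logins.setdefault(account, []).append(datetime.fromisoformat(ts))
    for times in logins.values():
        times.sort()
    return logins


def baseline_gap(times, floor=timedelta(hours=12), multiplier=3.0):
    """Tolerated silence for one traveler: a multiple of the median gap between their
    own past logins, never below `floor`. With fewer than two logins there is no
    history to learn from, so the floor applies."""
    if len(times) < 2:
        return floor
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    return max(floor, median(gaps) * multiplier)


def overdue_checkins(logins, now, planned_offline=None):
    """Return {account: hours_silent} for travelers who should be contacted because
    they have been silent longer than their own baseline and are not inside a
    declared offline window."""
    planned_offline = planned_offline or {}
    overdue = {}
    for account, times in logins.items():
        silent = now - times[-1]
        if silent <= baseline_gap(times):
            continue
        if any(start <= now <= end for start, end in planned_offline.get(account, [])):
            continue  # declared offline: suppress to avoid a false positive
        overdue[account] = round(silent.total_seconds() / 3600, 1)
    return overdue


if __name__ == "__main__":
    for account, hours in overdue_checkins(parse_log(SAMPLE_LOG), NOW, PLANNED_OFFLINE).items():
        print(f"initiate check-in: {account} silent for {hours} h")
```

With the constructed data, traveler A (who normally logs in twice a day) is flagged after roughly two days of silence, while traveler B (who logs in once a day) is not flagged after a similar gap, and traveler C's four-day silence is suppressed because it falls inside a declared offline window. A fixed global threshold would have treated A and B identically; the per-traveler baseline is what keeps the alert useful.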
1 | < Index | ||||
---|---|---|---|---|---|
2 | Category | Name | Description | Source(s) | Related huri_code's |
3 | Confiscation | Targeted Workplace Raids | Raids and illegal searches of the traveler's workplace during the trip. This could be a rented workplace for the traveler, that of a partner organization, or even a raid that simply occurs during the traveler's work-day (i.e. the location of meetings and/or interviews). The important difference between this threat and the in-transit and hotel-robbery confiscation threats is that the traveler is likely to have their device logged in to sensitive content when the raid occurs. | 40101000000, 120102000000 | |
4 | Confiscation | In-Transit Robbery & Theft | Theft of a device when the traveler is in transit. This could be theft of the traveler's device during travel to/from the country, but also includes theft during daily in-country travel (i.e. when walking down the street, on public transit, etc.) | 130101000000 | |
5 | Confiscation | Hotel Robbery & Theft | Theft of a device from a traveler's hotel and/or temporary place of residence when traveling. This includes both theft of a device when it is left in the room/safe unattended as well as theft of the device from the room when the traveler is sleeping, showering, or otherwise unaware of the break-in. The latter is often also used as a form of harassment. | 40101000000 | |
6 | Detained | Traveler Detained | The traveler is temporarily detained and/or arrested. This threat is not directly connected to any specific settings being evaluated, but it is a requirement for a variety of other threats that do have security implications (i.e. forced logins, forced decryption, etc.) We only look at temporary detainment in this project and not prolonged detention/imprisonment, because the information security risks related to those threats are the same and they have far more complex physical and psychological risks that we will not be covering as a part of this project. (See: Assumptions - "All content in this project will be considered with respect to separate psychological and physical security risk assessments") | 30101000000, 30102000000, 30102010000, 30104000000 | |
7 | Confiscation | Device Confiscation | "An adversary gains physical access to a system or device through theft of the item. Possession of a system or device enables a number of unique attacks to be executed and often provides the adversary with an extended timeframe for which to perform an attack. Most protections put in place to secure sensitive information can be defeated when an adversary has physical access and enough time." | 130107000000 | |
8 | Forced Exposure | Decryption Forced (Device) | The traveler is forced to decrypt files, encrypted volumes, and/or their device and hand it over to an adversary for inspection. This is different from forced device login in that the traveler may not be forced to log in to the user account. The least dangerous version of this is seen when border officials are attempting to ascertain whether a laptop contains explosives (instead of a battery) and want the user to prove that it is a fully functional laptop. This includes decryption of the primary hard-drive, encrypted volumes on external media brought with the user, and/or encrypted files on the user's device. The distinction between this and service decryption is that this type of decryption *directly* exposes sensitive information to the adversary, whereas forced service decryption *indirectly* exposes sensitive information by the adversary gaining access to key/login material. | 40100000000 | |
9 | Forced Exposure | Decryption Forced (Service) | The traveler is forced to decrypt content provided to/by a service on their device. This includes password managers, PGP keys, the secure archive described in the mitigations section, the key material for any encrypted messaging applications, the key material for online encrypted backups, etc. This does *not* include forced decryption of the primary hard-drive, encrypted volumes on external media brought with the user, or encrypted files that are not used in protecting a service. The distinction between this and device decryption is that device decryption *directly* exposes sensitive information, whereas this type of forced decryption *indirectly* exposes sensitive information by the adversary gaining access to key/login material. | 40100000000 | |
10 | Forced Exposure | Usernames Exposed | The traveler is forced to expose the usernames they use to communicate online. This includes, but is not limited to, social media account names and email addresses. | ||
11 | Forced Exposure | Forced Disclosure of Travel Information | Any direct actions which violate the traveler's right to privacy, including interrogation about the traveler's activities and/or associations in country, forced proof of travel plans, etc. | ||
12 | Legal | Encryption Regulated | Laws exist that prohibit the use of encryption software, require that the government be given access to encryption keys, and/or require the use of insecure encryption algorithms. | 42100000000, 40000000000, 42101000000 | |
13 | Legal | Circumvention Tech Regulated | Laws exist that prohibit the use of censorship circumvention and/or online (pseudo)anonymity providing software (i.e. VPNs, Tor, etc.). | ||
14 | Legal | Encrypted Comms Regulated | Laws exist that require that communications intermediaries (messaging apps, etc.) are able to reveal the content of a communication upon request. | - http://www.telegraph.co.uk/technology/2017/07/14/malcolm-turnbull-says-laws-australia-trump-laws-mathematics/ | 42100000000, 40000000000, 42101000000 |
15 | Legal | In-Country Activities Regulated | Threats related to the project working on themes and/or conducting activities that are unwelcome to the host nation's government (i.e. democracy and governance, gender equality, women’s rights, free press, ethnic minority or religious rights, etc.). | - http://fatfplatform.org/wp-content/uploads/2015/02/DCS_Report_Second_Edition_English.pdf | |
16 | Legal | In-Country Partners Targeted | Threats related to the project's involvement with populations that are targeted by the host nation's government (i.e. advocacy groups and activists, LGBTI populations, women’s groups, journalists, human rights observers, ethnic minority or religious groups, etc.). | ||
17 | Legal | Traveler/Partner Association Regulated | Laws are in place to prevent or stifle the free exchange of contact, communication, partnership, or the development of financial relationships between local partners and the traveler's organization. | - http://fatfplatform.org/wp-content/uploads/2015/02/DCS_Report_Second_Edition_English.pdf - Illustrative List Of Overregulation Of Non Profit Organizations (IV. Limitation To The Right To Communication And Cooperation) : http://fatfplatform.org/wp-content/uploads/2015/10/Catalogue-of-government-overregulation-July-2015_final-.pdf#page=6 | 120000000000 |
18 | Legal | Traveler Mislead/Lie to Border Officials | The threat that a traveler will be caught attempting to mislead and/or lie to border officials. (See: Assumptions List - "The risk of being caught in a lie is unacceptably high") | ||
19 | Legal | Traveler Perceived to be Misleading/Lying to Border Officials | The threat of a border official perceiving the traveler as attempting to mislead and/or lie to them. (See: Assumptions List - "The risk of being caught in a lie is unacceptably high") | ||
20 | Legal | Topical/Information Censorship | Laws are in place to restrict individuals from engaging in the full range of free expression and public policy advocacy around specific topics. This is especially relevant if the traveler's work is focused on those topics. For our purposes this threat includes threats related to anti-defamation laws, restrictions against "unofficial sources" reporting on specific topics, or "unofficial" restrictions, and possible retaliation, for speaking about contentious issues (i.e. official corruption, the role of the armed forces or the political opposition, human rights, or religion). | 100101000000 | |
21 | Login Forced | Login Forced (Service) | The traveler is forced to log in to a user account on their device and hand it over to an adversary for inspection. This is different from forced device decryption in that the traveler is forced to log in to the user account, not just decrypt the hard drive. (This distinction blurs a bit when we start talking about Chromebooks.) | 40100000000 | |
22 | Login Forced | Login Forced (Device) | "there is no way for Chrome (or any application) to defend against a malicious user who has managed to log into your computer as you, or who can run software with the privileges of your operating system user account. Such an attacker can modify executables and DLLs, change environment variables like PATH, change configuration files, read any data your user account owns, email it to themselves, and so on. Such an attacker has total control over your computer, and nothing Chrome can do would provide a serious guarantee of defense." - https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#Why-arent-physically_local-attacks-in-Chromes-threat-model | 40100000000 | |
23 | Obstruction | Destruction (Device) | "An adversary conducts a physical attack on a device or component, destroying it such that it no longer functions as intended." | 130103000000 | |
24 | Obstruction | Application/Protocol Blocking | The adversary blocks or otherwise obstructs a specific application and/or protocol. This is often done to secure protocols/applications to force users onto less secure protocols/applications. | https://capec.mitre.org/data/definitions/595.html https://capec.mitre.org/data/definitions/596.html | 100101000000 |
25 | Obstruction | Endpoint/Route Disabling | The adversary denies the availability of specific services or content to users by blocking a specific endpoint or route. This may be as targeted as a single website and/or application or as broad as all major social media websites. | https://capec.mitre.org/data/definitions/582.html https://capec.mitre.org/data/definitions/603.html https://capec.mitre.org/data/definitions/589.html https://capec.mitre.org/data/definitions/590.html http://www.mfwa.org/opposition-demonstration-eclipsed-by-social-media-blackout/ | 100101000000 |
26 | Obstruction | App Store App Blocking/Restriction | The number of countries who are having Google restrict the applications that are available in their app store is increasing. If there are applications that your team member's will require that may not be available from Google Play when the team member is setting up their device in their origin country, or when setting up a new device in-country because their other device was lost/compromised/stolen they will need to be able to install from unknown sources. This can also increase the attack surface considerably. | 100101000000 | |
27 | Obstruction | Full Internet Shutdown | Intentional disruption of the internet in response to political or social events, whether temporary or long term. | https://www.accessnow.org/keepiton-shutdown-tracker/ https://freedomhouse.org/report/freedom-net-methodology | |
28 | Obstruction | Satellite Comms Jamming | In this attack scenario, the attacker actively transmits signals to overpower and disrupt the communication between a target and a satellite. This includes both orbital and terrestrial techniques for satellite jamming. | https://capec.mitre.org/data/definitions/599.html https://capec.mitre.org/data/definitions/559.html | |
29 | Obstruction | Mobile Data Shutdown | Intentional disruption of cellphone data networks in response to political or social events, whether temporary or long term. | ||
30 | Obstruction | Full Mobile Shutdown | Intentional disruption of cellphone networks in response to political or social events, whether temporary or long term. | ||
31 | Obstruction | Power Outage | Threats related to intentional and/or unintentional power outages. This includes both short term, but frequent "brown outs" or long-term "black-outs". | ||
32 | Obstruction | Intermittent Connectivity | Intermittent connectivity includes non-malicious "spotty" connectivity that causes short interrupted sessions, as well as time-delimited access. Time-delimited access is when an adversary drops a target's traffic streams after a specified period of time. The attacker is therefore able to frustrate the target and reduce their ability to use the targeted protocol or service in order to discourage its use. For example, in May of 2013 all unknown, and encrypted, traffic streams in Iran were dropped after a period of 60 seconds. | ||
33 | Obstruction | Lacking/Intermittent Access to Broadband | Threats related to lacking and/or intermittent access to broadband connectivity. This threat is especially focused on the low bandwidth and high costs associated with uploading/downloading content in these environments. This is especially important to this project because of the high reliance on online services and storage. | ||
34 | Obstruction | Limited/Throttled Connectivity | This threat includes non-malicious limited connectivity as well as when an adversary intentionally slows the internet service of the target by limiting the total transfer capacity of the target. In the latter case the attacker is able to limit communication, frustrate the target, or reduce the quality of a specific protocol or service in order to discourage its use. | ||
35 | Surveillance | In-Country Partners / Contacts Accounts and/or devices | Threat of malicious activities and/or social engineering type attacks that make use of trusted email, social media, or other online accounts belonging to in-country partners and/or contacts. | 120104000000 | |
36 | Surveillance | Physical Stalking | An adversary physically surveils the traveler in an attempt to gain access to sensitive information. This can be done by overhearing conversations, observing behavior and/or meetings, and "shoulder surfing" to observe digital activities that occur on a user's devices, or those devices' usernames and/or passwords. | 20103040000 | |
37 | Surveillance | Passive Mobile Location Surveillance | The disclosure of a traveler's location to the cell provider they use when traveling. This is somewhat dependent on the existence of "real-id laws" in the country for SIM cards, and how stringently those laws are enforced. (The technology being evaluated in this project does not really have much/any impact on this threat. I'll likely remove it at some point as I have done with others.) | 120104000000 | |
38 | Surveillance | Passive Internet Surveillance | "An adversary monitors network traffic between nodes of a public or multicast network in an attempt to capture sensitive information. The adversary doesn't prevent reception or change content but simply observes and reads the traffic. The attacker might precipitate or indirectly influence the content of the observed transaction, but the attacker is never the intended recipient of the information." | 120104000000 | |
39 | Surveillance | Passive Mobile Data Surveillance | "Cellular traffic for voice and data from mobile devices and retransmission devices can be intercepted via numerous methods. Malicious actors can deploy their own cellular tower equipment and intercept cellular traffic surreptitiously. Additionally, government agencies of adversaries and malicious actors can intercept cellular traffic via the telecommunications backbone over which mobile traffic is transmitted." | 120104000000 | |
40 | Surveillance | Passive Mobile Comms Surveillance | "Cellular traffic for voice and data from mobile devices and retransmission devices can be intercepted via numerous methods. Malicious actors can deploy their own cellular tower equipment and intercept cellular traffic surreptitiously. Additionally, government agencies of adversaries and malicious actors can intercept cellular traffic via the telecommunications backbone over which mobile traffic is transmitted." | 120104000000 | |
41 | Surveillance | Data requests from online services | Laws or regulations might require online companies to share information about a traveler and/or might prohibit or discourage the company from disclosing what user information they shared. In some instances extra-judicial information sharing has also been seen between a company and government and/or non-governmental actors. | - https://blog.fox-it.com/2017/09/13/fox-it-debunks-report-on-bylock-app-that-landed-75000-people-in-jail-in-turkey/amp/ - https://www.theguardian.com/technology/2016/aug/03/turkey-coup-gulen-movement-bylock-messaging-app - https://www.theguardian.com/world/2017/sep/11/turks-detained-encrypted-bylock-messaging-app-human-rights-breached | 120104000000 |
42 | Surveillance | Passive Social Media Surveillance | The covert monitoring, collection, and analysis of the traveler's and/or their in-country partner's social media accounts with "social media monitoring software" in order to gather information on their activities and relationships with others. | 120104000000 | |
43 | Surveillance | Compromised Account | The client has lost access to their account, or suspects or has confirmed that malicious activity may be taking place through it. | ||
44 | Surveillance | Compromised Device | "This is essentially the same situation as with physically-local attacks. The attacker's code, when it runs as your user account on your machine, can do anything you can do." - https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#Why-arent-compromised_infected-machines-in-Chromes-threat-model | ||
45 | Deception | Phishing | "Phishing is a social engineering technique where an attacker masquerades as a legitimate entity with which the victim might do business in order to prompt the user to reveal some confidential information (very frequently authentication credentials) that can later be used by an attacker. Phishing is essentially a form of information gathering or "fishing" for information." | ||
46 | Deception | Pharming | "A pharming attack occurs when the victim is fooled into entering sensitive data into supposedly trusted locations, such as an online bank site or a trading platform. An attacker can impersonate these supposedly trusted sites and have the victim be directed to his site rather than the originally intended one." | ||
47 | Deception | Principal Spoof | "A Principal Spoof is a form of Identity Spoofing where an adversary pretends to be some other person in an interaction. This is often accomplished by crafting a message (either written, verbal, or visual) that appears to come from a person other than the adversary. Phishing and Pharming attacks often attempt to do this so that their attempts to gather sensitive information appear to come from a legitimate source. A Principal Spoof does not use stolen or spoofed authentication credentials, instead relying on the appearance and content of the message to reflect identity." | ||
48 | Deception | Spoofed Access Point | "An adversary provides a malicious [Access Point] at a location that is similar to the expected location of a legitimate resource. After establishing the rogue location, the adversary waits for a victim to visit the location and access the malicious resource." | ||
49 | Deception | Certificate Spoofing | Threat of use of rogue certificates for man in the middle/session hijacking and/or signed malware in social engineering. | ||
50 | Insider Threat | Traveler Circumvent Mitigations | Security threats that come to pass because of unauthorised use of approved devices and systems by the traveler or the use of unauthorized devices and systems. While this threat can be enacted by a traveler who has malicious intent, it is most often seen because one or more of the "Requirements" of a security program are not met. (See: Requirements) |
1 | < Index | Level of [X] required to implement correctly. | Extra [X] required if implemented incorrectly. | |||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2 | Traveler | Admin | In-Country Partners | Out-Of-Country Partners | Traveler | Admin | In-Country Partners | Out-Of-Country Partners | ||||||||||||||||||
3 | Effort | Cost | Expertise | Effort | Cost | Expertise | Effort | Cost | Expertise | Effort | Cost | Expertise | Effort | Cost | Expertise | Effort | Cost | Expertise | Effort | Cost | Expertise | Effort | Cost | Expertise | ||
4 | Proof Of Inaccess | 0 | 0 | 0 | 3 | 0 | 3 | 0 | 0 | 0 | 0 | 0 | 0 | 3 | ||||||||||||
5 | In-Country Device Swapping | 1 | 0 | 3 | 1 | 0 | 2 | 0 | 0 | 0 | 0 | 0 | 0 | |||||||||||||
6 | Traveler Sub-Organization(s) | |||||||||||||||||||||||||
7 | Encrypted online archive | |||||||||||||||||||||||||
8 | Temporary PGP Keys | |||||||||||||||||||||||||
9 | Temporary G Suite Accounts | |||||||||||||||||||||||||
10 | Social Media Account Sanitization | |||||||||||||||||||||||||
11 | Traveler Away Message | |||||||||||||||||||||||||
12 | Inventory of Authorized and Unauthorized devices | |||||||||||||||||||||||||
13 | Enrollment Contact Policies | |||||||||||||||||||||||||
14 | Possible Credential Disclosure Practices | |||||||||||||||||||||||||
15 | Needs Assessment (Apps) | |||||||||||||||||||||||||
16 | Remote Access Management | |||||||||||||||||||||||||
17 | App Pinning | |||||||||||||||||||||||||
18 | Custom Chrome Web Store Homepage | |||||||||||||||||||||||||
19 | org-specific services (App store) | |||||||||||||||||||||||||
20 | Private Apps | |||||||||||||||||||||||||
21 | Multi-Factor Authentication | |||||||||||||||||||||||||
22 | Inventory of Authorized and Unauthorized Software | |||||||||||||||||||||||||
23 | Account Monitoring and Control | |||||||||||||||||||||||||
24 | Controlled Access Based On Need to Know | |||||||||||||||||||||||||
25 | Security Awareness and Training | |||||||||||||||||||||||||
26 | Chrome Remote Desktop | |||||||||||||||||||||||||
27 | Desktop Virtualization | |||||||||||||||||||||||||
28 | External Enterprise Mobility Management Tool | |||||||||||||||||||||||||
29 | Appropriate Organizational Identifiers | |||||||||||||||||||||||||
30 | In-country alternative working software identification | |||||||||||||||||||||||||
31 | Device Wiping | |||||||||||||||||||||||||
32 | Secure Traffic Tunneling | |||||||||||||||||||||||||
33 | Whitelist(s) | |||||||||||||||||||||||||
34 | Blacklist(s) | |||||||||||||||||||||||||
35 | Maintenance, Monitoring, and Analysis of Audit Logs | |||||||||||||||||||||||||
36 | Boundary Defense | |||||||||||||||||||||||||
37 | Encrypted External Storage devices | |||||||||||||||||||||||||
38 | Webcam Cover | |||||||||||||||||||||||||
39 | Emergency Communication Practices | |||||||||||||||||||||||||
40 | Project Specific GSuite Accounts | |||||||||||||||||||||||||
41 | Crisis Identification | |||||||||||||||||||||||||
42 | Cohesive Security Tool Adoption | |||||||||||||||||||||||||
43 | Personal Device Preparation | |||||||||||||||||||||||||
44 | Password Manager | |||||||||||||||||||||||||
358 | ||||||||||||||||||||||||||
359 | ||||||||||||||||||||||||||
360 | ||||||||||||||||||||||||||
361 | ||||||||||||||||||||||||||
362 | ||||||||||||||||||||||||||
363 | ||||||||||||||||||||||||||
364 | ||||||||||||||||||||||||||
365 | ||||||||||||||||||||||||||
366 | ||||||||||||||||||||||||||
367 | ||||||||||||||||||||||||||
368 | ||||||||||||||||||||||||||
369 | ||||||||||||||||||||||||||
370 | ||||||||||||||||||||||||||
371 | ||||||||||||||||||||||||||
372 | ||||||||||||||||||||||||||
373 | ||||||||||||||||||||||||||
374 | ||||||||||||||||||||||||||
375 | ||||||||||||||||||||||||||
376 | ||||||||||||||||||||||||||
377 | ||||||||||||||||||||||||||
378 | ||||||||||||||||||||||||||
379 | ||||||||||||||||||||||||||
380 | ||||||||||||||||||||||||||
381 | ||||||||||||||||||||||||||
382 | ||||||||||||||||||||||||||
383 | ||||||||||||||||||||||||||
384 | ||||||||||||||||||||||||||
385 | ||||||||||||||||||||||||||
386 | ||||||||||||||||||||||||||
387 | ||||||||||||||||||||||||||
388 | ||||||||||||||||||||||||||
389 | ||||||||||||||||||||||||||
390 | ||||||||||||||||||||||||||
391 | ||||||||||||||||||||||||||
392 | ||||||||||||||||||||||||||
393 | ||||||||||||||||||||||||||
394 | ||||||||||||||||||||||||||
395 | ||||||||||||||||||||||||||
396 | ||||||||||||||||||||||||||
397 | ||||||||||||||||||||||||||
398 | ||||||||||||||||||||||||||
399 | ||||||||||||||||||||||||||
400 | ||||||||||||||||||||||||||
401 | ||||||||||||||||||||||||||
402 | ||||||||||||||||||||||||||
403 | ||||||||||||||||||||||||||
404 | ||||||||||||||||||||||||||
405 | ||||||||||||||||||||||||||
406 | ||||||||||||||||||||||||||
407 | ||||||||||||||||||||||||||
408 | ||||||||||||||||||||||||||
409 | ||||||||||||||||||||||||||
410 | ||||||||||||||||||||||||||
411 | ||||||||||||||||||||||||||
412 | ||||||||||||||||||||||||||
413 | ||||||||||||||||||||||||||
414 | ||||||||||||||||||||||||||
415 | ||||||||||||||||||||||||||
416 | ||||||||||||||||||||||||||
417 | ||||||||||||||||||||||||||
418 | ||||||||||||||||||||||||||
419 | ||||||||||||||||||||||||||
420 | ||||||||||||||||||||||||||
421 | ||||||||||||||||||||||||||
422 | ||||||||||||||||||||||||||
423 | ||||||||||||||||||||||||||
424 | ||||||||||||||||||||||||||
425 | ||||||||||||||||||||||||||
426 | ||||||||||||||||||||||||||
427 | ||||||||||||||||||||||||||
428 | ||||||||||||||||||||||||||
429 | ||||||||||||||||||||||||||
430 | ||||||||||||||||||||||||||
431 | ||||||||||||||||||||||||||
432 | ||||||||||||||||||||||||||
433 | ||||||||||||||||||||||||||
434 | ||||||||||||||||||||||||||
435 | ||||||||||||||||||||||||||
436 | ||||||||||||||||||||||||||
437 | ||||||||||||||||||||||||||
438 | ||||||||||||||||||||||||||
439 | ||||||||||||||||||||||||||
440 | ||||||||||||||||||||||||||
441 | ||||||||||||||||||||||||||
442 | ||||||||||||||||||||||||||
443 | ||||||||||||||||||||||||||
444 | ||||||||||||||||||||||||||
445 | ||||||||||||||||||||||||||
446 | ||||||||||||||||||||||||||
447 | ||||||||||||||||||||||||||
448 | ||||||||||||||||||||||||||
449 | ||||||||||||||||||||||||||
450 | ||||||||||||||||||||||||||
451 | ||||||||||||||||||||||||||
452 | ||||||||||||||||||||||||||
453 | ||||||||||||||||||||||||||
454 | ||||||||||||||||||||||||||
455 | ||||||||||||||||||||||||||
456 | ||||||||||||||||||||||||||
457 | ||||||||||||||||||||||||||
458 | ||||||||||||||||||||||||||
459 | ||||||||||||||||||||||||||
460 | ||||||||||||||||||||||||||
461 | ||||||||||||||||||||||||||
462 | ||||||||||||||||||||||||||
463 | ||||||||||||||||||||||||||
464 | ||||||||||||||||||||||||||
465 | ||||||||||||||||||||||||||
466 | ||||||||||||||||||||||||||
467 | ||||||||||||||||||||||||||
468 | ||||||||||||||||||||||||||
469 | ||||||||||||||||||||||||||
470 | ||||||||||||||||||||||||||
471 | ||||||||||||||||||||||||||
472 | ||||||||||||||||||||||||||
473 | ||||||||||||||||||||||||||
474 | ||||||||||||||||||||||||||
475 | ||||||||||||||||||||||||||
476 | ||||||||||||||||||||||||||
477 | ||||||||||||||||||||||||||
478 | ||||||||||||||||||||||||||
479 | ||||||||||||||||||||||||||
480 | ||||||||||||||||||||||||||
481 | ||||||||||||||||||||||||||
482 | ||||||||||||||||||||||||||
483 | ||||||||||||||||||||||||||
484 | ||||||||||||||||||||||||||
485 | ||||||||||||||||||||||||||
486 | ||||||||||||||||||||||||||
487 | ||||||||||||||||||||||||||
488 | ||||||||||||||||||||||||||
489 | ||||||||||||||||||||||||||
490 | ||||||||||||||||||||||||||
491 | ||||||||||||||||||||||||||
492 | ||||||||||||||||||||||||||
493 | ||||||||||||||||||||||||||
494 | ||||||||||||||||||||||||||
495 | ||||||||||||||||||||||||||
496 | ||||||||||||||||||||||||||
497 | ||||||||||||||||||||||||||
498 | ||||||||||||||||||||||||||
499 | ||||||||||||||||||||||||||
500 | ||||||||||||||||||||||||||
501 | ||||||||||||||||||||||||||
502 | ||||||||||||||||||||||||||
503 | ||||||||||||||||||||||||||
504 | ||||||||||||||||||||||||||
505 | ||||||||||||||||||||||||||
506 | ||||||||||||||||||||||||||
507 | ||||||||||||||||||||||||||
508 | ||||||||||||||||||||||||||
509 | ||||||||||||||||||||||||||
510 | ||||||||||||||||||||||||||
511 | ||||||||||||||||||||||||||
512 | ||||||||||||||||||||||||||
513 | ||||||||||||||||||||||||||
514 | ||||||||||||||||||||||||||
515 | ||||||||||||||||||||||||||
516 | ||||||||||||||||||||||||||
517 | ||||||||||||||||||||||||||
518 | ||||||||||||||||||||||||||
519 | ||||||||||||||||||||||||||
520 | ||||||||||||||||||||||||||
521 | ||||||||||||||||||||||||||
522 | ||||||||||||||||||||||||||
523 | ||||||||||||||||||||||||||
524 | ||||||||||||||||||||||||||
525 | ||||||||||||||||||||||||||
526 | ||||||||||||||||||||||||||
527 | ||||||||||||||||||||||||||
528 | ||||||||||||||||||||||||||
529 | ||||||||||||||||||||||||||
530 | ||||||||||||||||||||||||||
531 | ||||||||||||||||||||||||||
532 | ||||||||||||||||||||||||||
533 | ||||||||||||||||||||||||||
534 | ||||||||||||||||||||||||||
535 | ||||||||||||||||||||||||||
536 | ||||||||||||||||||||||||||
537 | ||||||||||||||||||||||||||
538 | ||||||||||||||||||||||||||
539 | ||||||||||||||||||||||||||
540 | ||||||||||||||||||||||||||
541 | ||||||||||||||||||||||||||
542 | ||||||||||||||||||||||||||
543 | ||||||||||||||||||||||||||
544 | ||||||||||||||||||||||||||
545 | ||||||||||||||||||||||||||
546 | ||||||||||||||||||||||||||
547 | ||||||||||||||||||||||||||
548 | ||||||||||||||||||||||||||
549 | ||||||||||||||||||||||||||
550 | ||||||||||||||||||||||||||
551 | ||||||||||||||||||||||||||
552 | ||||||||||||||||||||||||||
553 | ||||||||||||||||||||||||||
554 | ||||||||||||||||||||||||||
555 | ||||||||||||||||||||||||||
556 | ||||||||||||||||||||||||||
557 | ||||||||||||||||||||||||||
558 | ||||||||||||||||||||||||||
559 | ||||||||||||||||||||||||||
560 | ||||||||||||||||||||||||||
561 | ||||||||||||||||||||||||||
562 | ||||||||||||||||||||||||||
563 | ||||||||||||||||||||||||||
564 | ||||||||||||||||||||||||||
565 | ||||||||||||||||||||||||||
566 | ||||||||||||||||||||||||||
567 | ||||||||||||||||||||||||||
568 | ||||||||||||||||||||||||||
569 | ||||||||||||||||||||||||||
570 | ||||||||||||||||||||||||||
571 | ||||||||||||||||||||||||||
572 | ||||||||||||||||||||||||||
573 | ||||||||||||||||||||||||||
574 | ||||||||||||||||||||||||||
575 | ||||||||||||||||||||||||||
576 | ||||||||||||||||||||||||||
577 | ||||||||||||||||||||||||||
578 | ||||||||||||||||||||||||||
579 | ||||||||||||||||||||||||||
580 | ||||||||||||||||||||||||||
581 | ||||||||||||||||||||||||||
582 | ||||||||||||||||||||||||||
583 | ||||||||||||||||||||||||||
584 | ||||||||||||||||||||||||||
585 | ||||||||||||||||||||||||||
586 | ||||||||||||||||||||||||||
587 | ||||||||||||||||||||||||||
588 | ||||||||||||||||||||||||||
589 | ||||||||||||||||||||||||||
590 | ||||||||||||||||||||||||||
591 | ||||||||||||||||||||||||||
592 | ||||||||||||||||||||||||||
593 | ||||||||||||||||||||||||||
594 | ||||||||||||||||||||||||||
595 | ||||||||||||||||||||||||||
596 | ||||||||||||||||||||||||||
597 | ||||||||||||||||||||||||||
598 | ||||||||||||||||||||||||||
599 | ||||||||||||||||||||||||||
600 | ||||||||||||||||||||||||||
601 | ||||||||||||||||||||||||||
602 | ||||||||||||||||||||||||||
603 | ||||||||||||||||||||||||||
604 | ||||||||||||||||||||||||||
605 | ||||||||||||||||||||||||||
606 | ||||||||||||||||||||||||||
607 | ||||||||||||||||||||||||||
608 | ||||||||||||||||||||||||||
609 | ||||||||||||||||||||||||||
610 | ||||||||||||||||||||||||||
611 | ||||||||||||||||||||||||||
612 | ||||||||||||||||||||||||||
613 | ||||||||||||||||||||||||||
614 | ||||||||||||||||||||||||||
615 | ||||||||||||||||||||||||||
616 | ||||||||||||||||||||||||||
617 | ||||||||||||||||||||||||||
618 | ||||||||||||||||||||||||||
619 | ||||||||||||||||||||||||||
620 | ||||||||||||||||||||||||||
621 | ||||||||||||||||||||||||||
622 | ||||||||||||||||||||||||||
623 | ||||||||||||||||||||||||||
624 | ||||||||||||||||||||||||||
625 | ||||||||||||||||||||||||||
626 | ||||||||||||||||||||||||||
627 | ||||||||||||||||||||||||||
628 | ||||||||||||||||||||||||||
629 | ||||||||||||||||||||||||||
630 | ||||||||||||||||||||||||||
631 | ||||||||||||||||||||||||||
632 | ||||||||||||||||||||||||||
633 | ||||||||||||||||||||||||||
634 | ||||||||||||||||||||||||||
635 | ||||||||||||||||||||||||||
636 | ||||||||||||||||||||||||||
637 | ||||||||||||||||||||||||||
638 | ||||||||||||||||||||||||||
639 | ||||||||||||||||||||||||||
640 | ||||||||||||||||||||||||||
641 | ||||||||||||||||||||||||||
642 | ||||||||||||||||||||||||||
643 | ||||||||||||||||||||||||||
644 | ||||||||||||||||||||||||||
645 | ||||||||||||||||||||||||||
646 | ||||||||||||||||||||||||||
647 | ||||||||||||||||||||||||||
648 | ||||||||||||||||||||||||||
649 | ||||||||||||||||||||||||||
650 | ||||||||||||||||||||||||||
651 | ||||||||||||||||||||||||||
652 | ||||||||||||||||||||||||||
653 | ||||||||||||||||||||||||||
654 | ||||||||||||||||||||||||||
655 | ||||||||||||||||||||||||||
656 | ||||||||||||||||||||||||||
657 | ||||||||||||||||||||||||||
658 | ||||||||||||||||||||||||||
659 | ||||||||||||||||||||||||||
660 | ||||||||||||||||||||||||||
661 | ||||||||||||||||||||||||||
662 | ||||||||||||||||||||||||||
663 | ||||||||||||||||||||||||||
664 | ||||||||||||||||||||||||||
665 | ||||||||||||||||||||||||||
666 | ||||||||||||||||||||||||||
667 | ||||||||||||||||||||||||||
668 | ||||||||||||||||||||||||||
669 | ||||||||||||||||||||||||||
670 | ||||||||||||||||||||||||||
671 | ||||||||||||||||||||||||||
672 | ||||||||||||||||||||||||||
673 | ||||||||||||||||||||||||||
674 | ||||||||||||||||||||||||||
675 | ||||||||||||||||||||||||||
676 | ||||||||||||||||||||||||||
677 | ||||||||||||||||||||||||||
678 | ||||||||||||||||||||||||||
679 | ||||||||||||||||||||||||||
680 | ||||||||||||||||||||||||||
681 | ||||||||||||||||||||||||||
682 | ||||||||||||||||||||||||||
683 | ||||||||||||||||||||||||||
684 | ||||||||||||||||||||||||||
685 | ||||||||||||||||||||||||||
686 | ||||||||||||||||||||||||||
687 | ||||||||||||||||||||||||||
688 | ||||||||||||||||||||||||||
689 | ||||||||||||||||||||||||||
690 | ||||||||||||||||||||||||||
691 | ||||||||||||||||||||||||||
692 | ||||||||||||||||||||||||||
693 | ||||||||||||||||||||||||||
694 | ||||||||||||||||||||||||||
695 | ||||||||||||||||||||||||||
696 | ||||||||||||||||||||||||||
697 | ||||||||||||||||||||||||||
698 | ||||||||||||||||||||||||||
699 | ||||||||||||||||||||||||||
700 | ||||||||||||||||||||||||||
701 | ||||||||||||||||||||||||||
702 | ||||||||||||||||||||||||||
703 | ||||||||||||||||||||||||||
704 | ||||||||||||||||||||||||||
705 | ||||||||||||||||||||||||||
706 | ||||||||||||||||||||||||||
707 | ||||||||||||||||||||||||||
708 | ||||||||||||||||||||||||||
709 | ||||||||||||||||||||||||||
710 | ||||||||||||||||||||||||||
711 | ||||||||||||||||||||||||||
712 | ||||||||||||||||||||||||||
713 | ||||||||||||||||||||||||||
714 | ||||||||||||||||||||||||||
715 | ||||||||||||||||||||||||||
716 | ||||||||||||||||||||||||||
717 | ||||||||||||||||||||||||||
718 | ||||||||||||||||||||||||||
719 | ||||||||||||||||||||||||||
720 | ||||||||||||||||||||||||||
721 | ||||||||||||||||||||||||||
722 | ||||||||||||||||||||||||||
723 | ||||||||||||||||||||||||||
724 | ||||||||||||||||||||||||||
725 | ||||||||||||||||||||||||||
726 | ||||||||||||||||||||||||||
727 | ||||||||||||||||||||||||||
728 | ||||||||||||||||||||||||||
729 | ||||||||||||||||||||||||||
730 | ||||||||||||||||||||||||||
731 | ||||||||||||||||||||||||||
732 | ||||||||||||||||||||||||||
733 | ||||||||||||||||||||||||||
734 | ||||||||||||||||||||||||||
735 | ||||||||||||||||||||||||||
736 | ||||||||||||||||||||||||||
737 | ||||||||||||||||||||||||||
738 | ||||||||||||||||||||||||||
739 | ||||||||||||||||||||||||||
740 | ||||||||||||||||||||||||||
741 | ||||||||||||||||||||||||||
742 | ||||||||||||||||||||||||||
743 | ||||||||||||||||||||||||||
744 | ||||||||||||||||||||||||||
745 | ||||||||||||||||||||||||||
746 | ||||||||||||||||||||||||||
747 | ||||||||||||||||||||||||||
748 | ||||||||||||||||||||||||||
749 | ||||||||||||||||||||||||||
750 | ||||||||||||||||||||||||||
751 | ||||||||||||||||||||||||||
752 | ||||||||||||||||||||||||||
753 | ||||||||||||||||||||||||||
754 | ||||||||||||||||||||||||||
755 | ||||||||||||||||||||||||||
756 | ||||||||||||||||||||||||||
757 | ||||||||||||||||||||||||||
758 | ||||||||||||||||||||||||||
759 | ||||||||||||||||||||||||||
760 | ||||||||||||||||||||||||||
761 | ||||||||||||||||||||||||||
762 | ||||||||||||||||||||||||||
763 | ||||||||||||||||||||||||||
764 | ||||||||||||||||||||||||||
765 | ||||||||||||||||||||||||||
766 | ||||||||||||||||||||||||||
767 | ||||||||||||||||||||||||||
768 | ||||||||||||||||||||||||||
769 | ||||||||||||||||||||||||||
770 | ||||||||||||||||||||||||||
771 | ||||||||||||||||||||||||||
772 | ||||||||||||||||||||||||||
773 | ||||||||||||||||||||||||||
774 | ||||||||||||||||||||||||||
775 | ||||||||||||||||||||||||||
776 | ||||||||||||||||||||||||||
777 | ||||||||||||||||||||||||||
778 | ||||||||||||||||||||||||||
779 | ||||||||||||||||||||||||||
780 | ||||||||||||||||||||||||||
781 | ||||||||||||||||||||||||||
782 | ||||||||||||||||||||||||||
783 | ||||||||||||||||||||||||||
784 | ||||||||||||||||||||||||||
785 | ||||||||||||||||||||||||||
786 | ||||||||||||||||||||||||||
787 | ||||||||||||||||||||||||||
788 | ||||||||||||||||||||||||||
789 | ||||||||||||||||||||||||||
790 | ||||||||||||||||||||||||||
791 | ||||||||||||||||||||||||||
792 | ||||||||||||||||||||||||||
793 | ||||||||||||||||||||||||||
794 | ||||||||||||||||||||||||||
795 | ||||||||||||||||||||||||||
796 | ||||||||||||||||||||||||||
797 | ||||||||||||||||||||||||||
798 | ||||||||||||||||||||||||||
799 | ||||||||||||||||||||||||||
800 | ||||||||||||||||||||||||||
801 | ||||||||||||||||||||||||||
802 | ||||||||||||||||||||||||||
803 | ||||||||||||||||||||||||||
804 | ||||||||||||||||||||||||||
805 | ||||||||||||||||||||||||||
806 | ||||||||||||||||||||||||||
807 | ||||||||||||||||||||||||||
808 | ||||||||||||||||||||||||||
809 | ||||||||||||||||||||||||||
810 | ||||||||||||||||||||||||||
811 | ||||||||||||||||||||||||||
812 | ||||||||||||||||||||||||||
813 | ||||||||||||||||||||||||||
814 | ||||||||||||||||||||||||||
815 | ||||||||||||||||||||||||||
816 | ||||||||||||||||||||||||||
817 | ||||||||||||||||||||||||||
818 | ||||||||||||||||||||||||||
819 | ||||||||||||||||||||||||||
820 | ||||||||||||||||||||||||||
821 | ||||||||||||||||||||||||||
822 | ||||||||||||||||||||||||||
823 | ||||||||||||||||||||||||||
824 | ||||||||||||||||||||||||||
825 | ||||||||||||||||||||||||||
826 | ||||||||||||||||||||||||||
827 | ||||||||||||||||||||||||||
828 | ||||||||||||||||||||||||||
829 | ||||||||||||||||||||||||||
830 | ||||||||||||||||||||||||||
831 | ||||||||||||||||||||||||||
832 | ||||||||||||||||||||||||||
833 | ||||||||||||||||||||||||||
834 | ||||||||||||||||||||||||||
835 | ||||||||||||||||||||||||||
836 | ||||||||||||||||||||||||||
837 | ||||||||||||||||||||||||||
838 | ||||||||||||||||||||||||||
839 | ||||||||||||||||||||||||||
840 | ||||||||||||||||||||||||||
841 | ||||||||||||||||||||||||||
842 | ||||||||||||||||||||||||||
843 | ||||||||||||||||||||||||||
844 | ||||||||||||||||||||||||||
845 | ||||||||||||||||||||||||||
846 | ||||||||||||||||||||||||||
847 | ||||||||||||||||||||||||||
848 | ||||||||||||||||||||||||||
849 | ||||||||||||||||||||||||||
850 | ||||||||||||||||||||||||||
851 | ||||||||||||||||||||||||||
852 | ||||||||||||||||||||||||||
853 | ||||||||||||||||||||||||||
854 | ||||||||||||||||||||||||||
855 | ||||||||||||||||||||||||||
856 | ||||||||||||||||||||||||||
857 | ||||||||||||||||||||||||||
858 | ||||||||||||||||||||||||||
859 | ||||||||||||||||||||||||||
860 | ||||||||||||||||||||||||||
861 | ||||||||||||||||||||||||||
862 | ||||||||||||||||||||||||||
863 | ||||||||||||||||||||||||||
864 | ||||||||||||||||||||||||||
865 | ||||||||||||||||||||||||||
866 | ||||||||||||||||||||||||||
867 | ||||||||||||||||||||||||||
868 | ||||||||||||||||||||||||||
869 | ||||||||||||||||||||||||||
870 | ||||||||||||||||||||||||||
871 | ||||||||||||||||||||||||||
872 | ||||||||||||||||||||||||||
873 | ||||||||||||||||||||||||||
874 | ||||||||||||||||||||||||||
875 | ||||||||||||||||||||||||||
876 | ||||||||||||||||||||||||||
877 | ||||||||||||||||||||||||||
878 | ||||||||||||||||||||||||||
879 | ||||||||||||||||||||||||||
880 | ||||||||||||||||||||||||||
881 | ||||||||||||||||||||||||||
882 | ||||||||||||||||||||||||||
883 | ||||||||||||||||||||||||||
884 | ||||||||||||||||||||||||||
885 | ||||||||||||||||||||||||||
886 | ||||||||||||||||||||||||||
887 | ||||||||||||||||||||||||||
888 | ||||||||||||||||||||||||||
889 | ||||||||||||||||||||||||||
890 | ||||||||||||||||||||||||||
891 | ||||||||||||||||||||||||||
892 | ||||||||||||||||||||||||||
893 | ||||||||||||||||||||||||||
894 | ||||||||||||||||||||||||||
895 | ||||||||||||||||||||||||||
896 | ||||||||||||||||||||||||||
897 | ||||||||||||||||||||||||||
898 | ||||||||||||||||||||||||||
899 | ||||||||||||||||||||||||||
900 | ||||||||||||||||||||||||||
901 | ||||||||||||||||||||||||||
902 | ||||||||||||||||||||||||||
903 | ||||||||||||||||||||||||||
904 | ||||||||||||||||||||||||||
905 | ||||||||||||||||||||||||||
906 | ||||||||||||||||||||||||||
907 | ||||||||||||||||||||||||||
908 | ||||||||||||||||||||||||||
909 | ||||||||||||||||||||||||||
910 | ||||||||||||||||||||||||||
911 | ||||||||||||||||||||||||||
912 | ||||||||||||||||||||||||||
913 | ||||||||||||||||||||||||||
914 | ||||||||||||||||||||||||||
915 | ||||||||||||||||||||||||||
916 | ||||||||||||||||||||||||||
917 | ||||||||||||||||||||||||||
918 | ||||||||||||||||||||||||||
919 | ||||||||||||||||||||||||||
920 | ||||||||||||||||||||||||||
921 | ||||||||||||||||||||||||||
922 | ||||||||||||||||||||||||||
923 | ||||||||||||||||||||||||||
924 | ||||||||||||||||||||||||||
925 | ||||||||||||||||||||||||||
926 | ||||||||||||||||||||||||||
927 | ||||||||||||||||||||||||||
928 | ||||||||||||||||||||||||||
929 | ||||||||||||||||||||||||||
930 | ||||||||||||||||||||||||||
931 | ||||||||||||||||||||||||||
932 | ||||||||||||||||||||||||||
933 | ||||||||||||||||||||||||||
934 | ||||||||||||||||||||||||||
935 | ||||||||||||||||||||||||||
936 | ||||||||||||||||||||||||||
937 | ||||||||||||||||||||||||||
938 | ||||||||||||||||||||||||||
939 | ||||||||||||||||||||||||||
940 | ||||||||||||||||||||||||||
941 | ||||||||||||||||||||||||||
942 | ||||||||||||||||||||||||||
943 | ||||||||||||||||||||||||||
944 | ||||||||||||||||||||||||||
945 | ||||||||||||||||||||||||||
946 | ||||||||||||||||||||||||||
947 | ||||||||||||||||||||||||||
948 | ||||||||||||||||||||||||||
949 | ||||||||||||||||||||||||||
950 | ||||||||||||||||||||||||||
951 | ||||||||||||||||||||||||||
952 | ||||||||||||||||||||||||||
953 | ||||||||||||||||||||||||||
954 | ||||||||||||||||||||||||||
955 | ||||||||||||||||||||||||||
956 | ||||||||||||||||||||||||||
957 | ||||||||||||||||||||||||||
958 | ||||||||||||||||||||||||||
959 | ||||||||||||||||||||||||||
960 | ||||||||||||||||||||||||||
961 | ||||||||||||||||||||||||||
962 | ||||||||||||||||||||||||||
963 | ||||||||||||||||||||||||||
964 | ||||||||||||||||||||||||||
965 | ||||||||||||||||||||||||||
966 | ||||||||||||||||||||||||||
967 | ||||||||||||||||||||||||||
968 | ||||||||||||||||||||||||||
969 | ||||||||||||||||||||||||||
970 | ||||||||||||||||||||||||||
971 | ||||||||||||||||||||||||||
972 | ||||||||||||||||||||||||||
973 | ||||||||||||||||||||||||||
974 | ||||||||||||||||||||||||||
975 | ||||||||||||||||||||||||||
976 | ||||||||||||||||||||||||||
977 | ||||||||||||||||||||||||||
978 | ||||||||||||||||||||||||||
979 | ||||||||||||||||||||||||||
980 | ||||||||||||||||||||||||||
981 | ||||||||||||||||||||||||||
982 | ||||||||||||||||||||||||||
983 | ||||||||||||||||||||||||||
984 | ||||||||||||||||||||||||||
985 | ||||||||||||||||||||||||||
986 | ||||||||||||||||||||||||||
987 | ||||||||||||||||||||||||||
988 | ||||||||||||||||||||||||||
989 | ||||||||||||||||||||||||||
990 | ||||||||||||||||||||||||||
991 | ||||||||||||||||||||||||||
992 | ||||||||||||||||||||||||||
993 | ||||||||||||||||||||||||||
994 | ||||||||||||||||||||||||||
995 | ||||||||||||||||||||||||||
996 | ||||||||||||||||||||||||||
997 | ||||||||||||||||||||||||||
998 | ||||||||||||||||||||||||||
999 | ||||||||||||||||||||||||||
1000 | ||||||||||||||||||||||||||
1001 | ||||||||||||||||||||||||||
1002 |
Relevant Threat Context

Threat | Threat Context | Comment
---|---|---
App Store App Blocking/Restriction | Incoming |
App Store App Blocking/Restriction | In-Country |
App Store App Blocking/Restriction | Outgoing |
Application/Protocol Blocking | Pre | Can hamper the ability to securely/anonymously communicate with project contacts (partners, fixers, etc.)
Application/Protocol Blocking | Incoming |
Application/Protocol Blocking | In-Country |
Application/Protocol Blocking | Outgoing |
Certificate Spoofing | Incoming |
Certificate Spoofing | In-Country |
Certificate Spoofing | Outgoing |
Circumvention Tech Regulated | Pre | Can hamper the ability to securely/anonymously communicate with project contacts (partners, fixers, etc.)
Circumvention Tech Regulated | Incoming |
Circumvention Tech Regulated | In-Country |
Compromised Account | Pre | Exposes all communication with the compromised project contacts (partners, fixers, etc.) that used this account
Compromised Account | Pre | If this is the primary communications account, it exposes all communication with the compromised project contacts (partners, fixers, etc.), pre-travel planning, and sensitive accounts. This makes the rest of this project useless.
Compromised Account | Incoming |
Compromised Account | In-Country |
Compromised Account | Outgoing |
Compromised Account | Post |
Compromised Device | Pre | Exposes all communication with the compromised project contacts (partners, fixers, etc.), pre-travel planning, and sensitive accounts. This makes the rest of this project useless.
Compromised Device | Incoming | Exposes all communication with the compromised project contacts (partners, fixers, etc.), pre-travel planning, and sensitive accounts. This makes the rest of this project useless.
Compromised Device | In-Country | Exposes all communication with the compromised project contacts (partners, fixers, etc.), pre-travel planning, and sensitive accounts. This makes the rest of this project useless.
Compromised Device | Outgoing | Exposes all communication with the compromised project contacts (partners, fixers, etc.), pre-travel planning, and sensitive accounts. This makes the rest of this project useless.
Compromised Device | Post | Exposes all communication with the compromised project contacts (partners, fixers, etc.), pre-travel planning, and sensitive accounts. This makes the rest of this project useless.
Data requests from online services | Incoming | Both targeting of the traveler and the ability to leverage legal data requests are likely limited until the traveler is headed into the country.
Data requests from online services | In-Country |
Data requests from online services | Outgoing |
Data requests from online services | Post |
Decryption Forced (Device) | Incoming |
Decryption Forced (Device) | In-Country |
Decryption Forced (Device) | Outgoing |
Decryption Forced (Service) | Incoming |
Decryption Forced (Service) | In-Country |
Decryption Forced (Service) | Outgoing |
Device Confiscation | Incoming |
Device Confiscation | In-Country |
Device Confiscation | Outgoing |
Encrypted Comms Regulated | Pre | Can hamper the ability to securely communicate with project contacts (partners, fixers, etc.)
Encrypted Comms Regulated | Incoming |
Encrypted Comms Regulated | In-Country |
Encryption Regulated | In-Country |
Encryption Regulated | Post |
Endpoint/Route Disabling | Pre | Can hamper the ability to securely/anonymously communicate with project contacts (partners, fixers, etc.)
Endpoint/Route Disabling | Incoming |
Endpoint/Route Disabling | In-Country |
Endpoint/Route Disabling | Outgoing |
Forced Disclosure of Travel Information | Incoming |
Forced Disclosure of Travel Information | In-Country |
Forced Disclosure of Travel Information | Outgoing |
Full Internet Shutdown | Pre | Can hamper the ability to securely/anonymously communicate with project contacts (partners, fixers, etc.) and to make/confirm travel arrangements.
Full Internet Shutdown | In-Country |
Full Mobile Shutdown | In-Country |
Hotel Robbery & Theft | In-Country |
In-Country Activities Regulated | Pre | Communications with project partners that contain planning info can get the traveler flagged if exposed
In-Country Activities Regulated | In-Country |
In-Country Partners Targeted | Pre | Any communications with project partners can get the traveler flagged if exposed
In-Country Partners Targeted | In-Country |
In-Country Partners / Contacts Accounts and/or Devices | Pre | Exposes all communication with the compromised project contacts (partners, fixers, etc.)
In-Country Partners / Contacts Accounts and/or Devices | Incoming |
In-Country Partners / Contacts Accounts and/or Devices | In-Country |
In-Country Partners / Contacts Accounts and/or Devices | Outgoing |
In-Transit Robbery & Theft | Incoming |
In-Transit Robbery & Theft | In-Country |
In-Transit Robbery & Theft | Outgoing |
Intermittent Connectivity | In-Country |
Lacking/Intermittent Access to Broadband | In-Country |
Limited/Throttled Connectivity | In-Country |
Login Forced (Device) | Incoming |
Login Forced (Device) | In-Country |
Login Forced (Device) | Outgoing |
Login Forced (Service) | Incoming |
Login Forced (Service) | In-Country |
Login Forced (Service) | Outgoing |
Mobile Data Shutdown | In-Country |
Passive Internet Surveillance | Pre | Exposes all unsecured communication with in-country project contacts (partners, fixers, etc.), which can flag the traveler.
Passive Internet Surveillance | In-Country |
Passive Mobile Comms Surveillance | Pre | Exposes all unsecured communication with in-country project contacts (partners, fixers, etc.), which can flag the traveler.
Passive Mobile Comms Surveillance | In-Country |
Passive Mobile Data Surveillance | Pre | Exposes all unsecured communication with in-country project contacts (partners, fixers, etc.), which can flag the traveler.
Passive Mobile Data Surveillance | In-Country |
Passive Mobile Location Surveillance | In-Country |
Passive Social Media Surveillance | Pre | Exposes relationships and any public communication with in-country project contacts (partners, fixers, etc.). If the contact is being monitored, this can get the traveler flagged. It can also expose any publicly posted travel plans and/or in-country activities which, if not disclosed when detained, could be used against the traveler.
Passive Social Media Surveillance | Incoming |
Passive Social Media Surveillance | In-Country |
Passive Social Media Surveillance | Outgoing |
Passive Social Media Surveillance | Post |
Pharming | Incoming |
Pharming | In-Country |
Pharming | Outgoing |
Phishing | Pre |
Phishing | Incoming |
Phishing | In-Country |
Phishing | Outgoing |
Phishing | Post |
Physical Stalking | In-Country |
Power Outage | In-Country |
Principal Spoof | Pre | Can be used to elicit information from the traveler
Principal Spoof | Pre | Can be used to try to make the traveler "confess" to sanctionable activities
Principal Spoof | Incoming |
Principal Spoof | In-Country |
Principal Spoof | Outgoing |
Principal Spoof | Post |
RF Jamming | In-Country |
RF Triangulation | In-Country |
Satellite Comms Jamming | In-Country |
Spoofed Access Point | Incoming |
Spoofed Access Point | In-Country |
Spoofed Access Point | Outgoing |
Targeted Workplace Raids | In-Country |
Topical/Information Censorship | Incoming |
Topical/Information Censorship | In-Country |
Topical/Information Censorship | Outgoing |
Traveler Circumvents Mitigations | Pre |
Traveler Circumvents Mitigations | Incoming |
Traveler Circumvents Mitigations | In-Country |
Traveler Circumvents Mitigations | Outgoing |
Traveler Circumvents Mitigations | Post |
Traveler Detained | Incoming |
Traveler Detained | In-Country |
Traveler Detained | Outgoing |
Traveler Misleads/Lies to Border Officials | Incoming |
Traveler Misleads/Lies to Border Officials | Outgoing |
Traveler Perceived to be Misleading/Lying to Border Officials | Incoming |
Traveler Perceived to be Misleading/Lying to Border Officials | Outgoing |
Traveler/Partner Association Regulated | Incoming |
Traveler/Partner Association Regulated | In-Country |
Traveler/Partner Association Regulated | Outgoing |
Usernames Exposed | Incoming |
Usernames Exposed | In-Country |
Usernames Exposed | Outgoing |
Destruction (Device) | Incoming |
Destruction (Device) | In-Country |
Destruction (Device) | Outgoing |
1 | < Index | ||||
---|---|---|---|---|---|
2 | Threat | Can Lead To | Requires Additional Threat | Mitigation | Notes |
3 | Targeted Workplace Raids | Confiscation | |||
4 | In-Transit Robbery & Theft | Confiscation | |||
5 | Hotel Robbery & Theft | Confiscation | |||
6 | Device Confiscation | Decryption Forced (Device) | Traveler Detained | ||
7 | Device Confiscation | Decryption Forced (Service) | Traveler Detained | ||
8 | Device Confiscation | Login Forced | Traveler Detained | ||
9 | Phishing | Compromised Account | |||
10 | Phishing | Compromised Device | |||
11 | Phishing | Compromised Account | |||
12 | Phishing | Compromised Account | |||
13 | Phishing | Compromised Device | |||
14 | Phishing | Compromised Device | |||
15 | Phishing | Compromised Account | |||
16 | Phishing | Compromised Account | |||
17 | Pharming | Compromised Account | |||
18 | Pharming | Compromised Device | |||
19 | Pharming | Compromised Account | |||
20 | Pharming | Compromised Account | |||
21 | Pharming | Compromised Device | |||
22 | Pharming | Compromised Device | |||
23 | Pharming | Compromised Account | |||
24 | Pharming | Compromised Account | |||
25 | Spoofed Access Point | Compromised Account | |||
26 | Spoofed Access Point | Compromised Account | |||
27 | Spoofed Access Point | Compromised Account | |||
28 | Spoofed Access Point | Compromised Account | |||
29 | Spoofed Access Point | Compromised Account | |||
30 | Physical Stalking | Compromised Account | Shoulder Surfing | ||
31 | Physical Stalking | Compromised Device | Shoulder Surfing | ||
32 | Physical Stalking | Usernames Exposed | Shoulder Surfing |
1 | < Index | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
2 | Store | Physical | Electronic Device | Network Enabled | WiFi Connectivity | Cellular Connectivity | Encrypted | Login Required | Online Service | Communication Channel | Notes |
3 | Local volume (USB/SD/Device) | Yes | Yes | N/A | N/A | No | Yes | No | No | No | |
4 | Travel Laptop (Chromebook) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No | |
5 | Travel/Local Mobile Phone | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No | |
6 | Primary Personal Mobile Device | Yes | No | No | Yes | Yes | Yes | Yes | No | No | If brought see: device preparation |
7 | Physical Notes / Documents | Yes | No | N/A | N/A | No | No | No | No | No | |
8 | Identity Cards (Passports) | Yes | No | N/A | N/A | No | No | No | No | No | |
9 | Non-Phone Mobile Device(s) | Yes | Yes | Yes | Yes | No | Yes | Yes | No | No | Encryption is possible for most, but my experience has shown me that people treat tablets with far less care. (If brought see: device preparation.) |
10 | Personal Laptop | Yes | Yes | Yes | Yes | No | Yes | Yes | No | No | If brought see: device preparation & Seamus beating them about the head for circumventing all the security that the rest of this process provided. |
11 | Online Travel Archive | No | No | N/A | N/A | N/A | Yes | Yes | Yes | No | |
12 | Email | No | No | N/A | N/A | N/A | Yes | Yes | Yes | Yes | |
13 | Social Media | No | No | N/A | N/A | N/A | No | Yes | Yes | Yes | |
14 | Password Manager | No | No | N/A | N/A | N/A | Yes | Yes | Yes | No | |
15 | Team file store | No | No | N/A | N/A | N/A | No | Yes | Yes | No | |
16 | Team Admin Services (HR, Billing) | No | No | N/A | N/A | N/A | No | Yes | Yes | No | |
17 | Team Tech Admin Services | No | No | N/A | N/A | N/A | No | Yes | Yes | No | |
18 | Travel PGP Key | No | No | N/A | N/A | N/A | Yes | Yes | No | No | |
19 | Primary PGP Key | No | No | N/A | N/A | N/A | Yes | Yes | No | No | |
20 | Camera | Yes | Yes | No | No | No | No | No | No | No | |
21 | Video Recorder | Yes | Yes | No | No | No | No | No | No | No | |
22 | Encrypted Online Backups | No | No | Yes | No | No | Yes | Yes | Yes | No | |
23 | Unencrypted Online Backups | No | No | Yes | No | No | Yes | No | Yes | No |
1 | < Index | |||||
---|---|---|---|---|---|---|
2 | Threat | Possible Threat & Requirements | If [TARGET] is [CONDITION]. | Info Store Column Letter | ||
3 | App Store App Blocking/Restriction | Availability | Online Service | Yes | #VALUE! | |
4 | Application/Protocol Blocking | Availability | Online Service | Yes | #VALUE! | |
5 | Application/Protocol Blocking | Availability | Communication Channel | Yes | #VALUE! | |
6 | Certificate Spoofing | Integrity | Online Service | Yes | #VALUE! | |
7 | Certificate Spoofing | Integrity | Communication Channel | Yes | #VALUE! | |
8 | Circumvention Tech Regulated | Integrity | Physical | No | #VALUE! | |
9 | Circumvention Tech Regulated | Confidentiality | Physical | No | #VALUE! | |
10 | Circumvention Tech Regulated | Availability | Physical | No | #VALUE! | |
11 | Compromised Account | Integrity | Online Service | Yes | #VALUE! | |
12 | Compromised Account | Confidentiality | Online Service | Yes | #VALUE! | |
13 | Compromised Account | Availability | Online Service | Yes | #VALUE! | |
14 | Compromised Device | Confidentiality | Electronic Device | Yes | #VALUE! | |
15 | Compromised Device | Integrity | Electronic Device | Yes | #VALUE! | |
16 | Compromised Device | Availability | Electronic Device | Yes | #VALUE! | |
17 | Data requests from online services | Confidentiality | Online Service | Yes | #VALUE! | |
18 | Decryption Forced (Device) | Requires | Encrypted | Yes | #VALUE! | |
19 | Decryption Forced (Device) | Integrity | Encrypted | Yes | #VALUE! | |
20 | Decryption Forced (Service) | Requires | Physical | No | #VALUE! | |
21 | Decryption Forced (Service) | Integrity | Encrypted | Yes | #VALUE! | |
22 | Device Confiscation | Requires | Physical | Yes | B | Local volume (USB/SD/Device); Travel Laptop (Chromebook); Travel/Local Mobile Phone; Primary Personal Mobile Device; Physical Notes / Documents; Identity Cards (Passports); Non-Phone Mobile Device(s); Personal Laptop; Camera; Video Recorder |
23 | Device Confiscation | Availability | Physical | Yes | B | Local volume (USB/SD/Device); Travel Laptop (Chromebook); Travel/Local Mobile Phone; Primary Personal Mobile Device; Physical Notes / Documents; Identity Cards (Passports); Non-Phone Mobile Device(s); Personal Laptop; Camera; Video Recorder |
24 | Device Confiscation | Integrity | Encrypted | No | G | Physical Notes / Documents; Identity Cards (Passports); Social Media; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Camera; Video Recorder |
25 | Encrypted Comms Regulated | Requires | Communication Channel | Yes | J | Email; Social Media |
26 | Encrypted Comms Regulated | Availability | Encrypted | Yes | G | Local volume (USB/SD/Device); Travel Laptop (Chromebook); Travel/Local Mobile Phone; Primary Personal Mobile Device; Non-Phone Mobile Device(s); Personal Laptop; Online Travel Archive; Email; Password Manager; Travel PGP Key; Primary PGP Key; Encrypted Online Backups; Unencrypted Online Backups |
27 | Encrypted Comms Regulated | Availability | Communication Channel | Yes | J | Email; Social Media |
28 | Encrypted Comms Regulated | Confidentiality | Communication Channel | Yes | J | Email; Social Media |
29 | Encryption Regulated | Requires | Encrypted | Yes | G | Local volume (USB/SD/Device); Travel Laptop (Chromebook); Travel/Local Mobile Phone; Primary Personal Mobile Device; Non-Phone Mobile Device(s); Personal Laptop; Online Travel Archive; Email; Password Manager; Travel PGP Key; Primary PGP Key; Encrypted Online Backups; Unencrypted Online Backups |
30 | Encryption Regulated | Availability | Encrypted | Yes | G | Local volume (USB/SD/Device); Travel Laptop (Chromebook); Travel/Local Mobile Phone; Primary Personal Mobile Device; Non-Phone Mobile Device(s); Personal Laptop; Online Travel Archive; Email; Password Manager; Travel PGP Key; Primary PGP Key; Encrypted Online Backups; Unencrypted Online Backups |
31 | Endpoint/Route Disabling | Availability | Online Service | Yes | I | Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Encrypted Online Backups; Unencrypted Online Backups |
32 | Forced proof of travel plans | Confidentiality | #N/A | #N/A | ||
33 | Full Internet Shutdown | Availability | Online Service | Yes | I | Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Encrypted Online Backups; Unencrypted Online Backups |
34 | Full Internet Shutdown | Availability | Communication Channel | Yes | J | Email; Social Media |
35 | Full Mobile Shutdown | Availability | Online Service | Yes | I | Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Encrypted Online Backups; Unencrypted Online Backups |
36 | Full Mobile Shutdown | Availability | Communication Channel | Yes | J | Email; Social Media |
37 | In-Country Partners / Contacts Accounts and/or devices | Confidentiality | Communication Channel | Yes | J | Email; Social Media |
38 | Intermittent Connectivity | Availability | Online Service | Yes | I | Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Encrypted Online Backups; Unencrypted Online Backups |
39 | Intermittent Connectivity | Availability | Communication Channel | Yes | J | Email; Social Media |
40 | Lacking/Intermittent Access to Broadband | Availability | Online Service | Yes | I | Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Encrypted Online Backups; Unencrypted Online Backups |
41 | Lacking/Intermittent Access to Broadband | Availability | Communication Channel | Yes | J | Email; Social Media |
42 | Limited/Throttled Connectivity | Availability | Online Service | Yes | I | Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Encrypted Online Backups; Unencrypted Online Backups |
43 | Limited/Throttled Connectivity | Availability | Communication Channel | Yes | J | Email; Social Media |
44 | Login Forced (Device) | Requires | Login Required | Yes | H | Travel Laptop (Chromebook); Travel/Local Mobile Phone; Primary Personal Mobile Device; Non-Phone Mobile Device(s); Personal Laptop; Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Travel PGP Key; Primary PGP Key; Encrypted Online Backups |
45 | Login Forced (Device) | Requires | Physical | Yes | B | Local volume (USB/SD/Device); Travel Laptop (Chromebook); Travel/Local Mobile Phone; Primary Personal Mobile Device; Physical Notes / Documents; Identity Cards (Passports); Non-Phone Mobile Device(s); Personal Laptop; Camera; Video Recorder |
46 | Login Forced (Device) | Confidentiality | Login Required | Yes | H | Travel Laptop (Chromebook); Travel/Local Mobile Phone; Primary Personal Mobile Device; Non-Phone Mobile Device(s); Personal Laptop; Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Travel PGP Key; Primary PGP Key; Encrypted Online Backups |
47 | Login Forced (Device) | Integrity | Login Required | Yes | H | Travel Laptop (Chromebook); Travel/Local Mobile Phone; Primary Personal Mobile Device; Non-Phone Mobile Device(s); Personal Laptop; Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Travel PGP Key; Primary PGP Key; Encrypted Online Backups |
48 | Login Forced (Service) | Requires | Online Service | Yes | I | Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Encrypted Online Backups; Unencrypted Online Backups |
49 | Login Forced (Service) | Requires | Login Required | Yes | H | Travel Laptop (Chromebook); Travel/Local Mobile Phone; Primary Personal Mobile Device; Non-Phone Mobile Device(s); Personal Laptop; Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Travel PGP Key; Primary PGP Key; Encrypted Online Backups |
50 | Login Forced (Service) | Confidentiality | Online Service | Yes | I | Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Encrypted Online Backups; Unencrypted Online Backups |
51 | Login Forced (Service) | Integrity | Online Service | Yes | I | Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Encrypted Online Backups; Unencrypted Online Backups |
52 | Mobile Data Shutdown | Availability | Online Service | Yes | I | Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Encrypted Online Backups; Unencrypted Online Backups |
53 | Mobile Data Shutdown | Availability | Communication Channel | Yes | J | Email; Social Media |
54 | Passive Internet Surveillance | Confidentiality | #N/A | #N/A | ||
55 | Passive Mobile Comms Surveillance | Confidentiality | #N/A | #N/A | ||
56 | Passive Mobile Data Surveillance | Confidentiality | #N/A | #N/A | ||
57 | Passive Mobile Location Surveillance | Confidentiality | #N/A | #N/A | ||
58 | Passive Social Media Surveillance | Confidentiality | #N/A | #N/A | ||
59 | Physical Stalking | Confidentiality | Login Required | Yes | H | Travel Laptop (Chromebook); Travel/Local Mobile Phone; Primary Personal Mobile Device; Non-Phone Mobile Device(s); Personal Laptop; Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Travel PGP Key; Primary PGP Key; Encrypted Online Backups |
60 | Physical Stalking | Confidentiality | Physical | Yes | B | Local volume (USB/SD/Device); Travel Laptop (Chromebook); Travel/Local Mobile Phone; Primary Personal Mobile Device; Physical Notes / Documents; Identity Cards (Passports); Non-Phone Mobile Device(s); Personal Laptop; Camera; Video Recorder |
61 | Power Outage | Availability | Online Service | Yes | I | Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Encrypted Online Backups; Unencrypted Online Backups |
62 | Power Outage | Availability | Communication Channel | Yes | J | Email; Social Media |
63 | Power Outage | Availability | Electronic Device | Yes | C | Local volume (USB/SD/Device); Travel Laptop (Chromebook); Travel/Local Mobile Phone; Non-Phone Mobile Device(s); Personal Laptop; Camera; Video Recorder |
64 | Principal Spoof | Integrity | Communication Channel | Yes | J | Email; Social Media |
65 | Spoofed Access Point | Confidentiality | Online Service | Yes | I | Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Encrypted Online Backups; Unencrypted Online Backups |
66 | Spoofed Access Point | Confidentiality | Communication Channel | Yes | J | Email; Social Media |
67 | Spoofed Access Point | Integrity | Online Service | Yes | I | Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Encrypted Online Backups; Unencrypted Online Backups |
68 | Spoofed Access Point | Integrity | Communication Channel | Yes | J | Email; Social Media |
69 | Usernames Exposed | Requires | Physical | No | B | Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Travel PGP Key; Primary PGP Key; Encrypted Online Backups; Unencrypted Online Backups |
70 | Usernames Exposed | Confidentiality | Physical | No | B | Online Travel Archive; Email; Social Media; Password Manager; Team file store; Team Admin Services (HR, Billing); Team Tech Admin Services ; Travel PGP Key; Primary PGP Key; Encrypted Online Backups; Unencrypted Online Backups |
1 | < Index | Settings Recommendations | Mitigation | Modification to Threats | Requirements | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2 | Category | Title | SubItem | Option(s) | Basic | High Risk | Supports | Inhibits | Requires | Likelihood ↧ | Impact ↧ | Likelihood ↥ | Impact ↥ | Supports | Inhibits | |
3 | Mobile | Chrome Mobile | Apply supported user settings to Chrome on Android | N/A | N/A | |||||||||||
4 | General | Avatar | Upload Avatar File | Yes | Yes | Proof Of Inaccess | Traveler Perceived to be Misleading/Lying to Border Officials | |||||||||
5 | General | Wallpaper | Upload Wallpaper File | Yes | Yes | Proof Of Inaccess | Traveler Perceived to be Misleading/Lying to Border Officials | |||||||||
6 | General | Smart Lock for Chrome | Allow Smart Lock for Chrome | No | No | Multi-Factor Authentication | Security Awareness and Training | Login Forced (Device) | ||||||||
7 | General | Smart Lock for Chrome | Do not allow Smart Lock for Chrome | Yes | Yes | Multi-Factor Authentication | ||||||||||
8 | Enrollment Controls | Device Enrollment | Keep Chrome device in current location | No | No | Account Monitoring and Control,Controlled Access Based On Need to Know | ||||||||||
9 | Enrollment Controls | Device Enrollment | Place Chrome device in team member organization | Yes | Yes | Controlled Access Based On Need to Know | Account Monitoring and Control | Self-Managed Considerations | Low Resourced Administrator | |||||||
10 | Enrollment Controls | Asset Identifier During Enrollment | Do not allow for team members in this organization | Yes | Yes | Inventory of Authorized and Unauthorized devices | ||||||||||
11 | Enrollment Controls | Asset Identifier During Enrollment | Team members in this organization can provide asset ID and location during enrollment | Yes | Yes | Inventory of Authorized and Unauthorized devices | Self-Managed Considerations | |||||||||
12 | Enrollment Controls | Enrollment Permissions | Allow users in this organization to enroll new or deprovisioned devices | Varies | Varies | In-Country Device Swapping | Inventory of Authorized and Unauthorized devices | Enrollment Contact Policies | Compromised Account | Self-Managed Considerations | ||||||
13 | Enrollment Controls | Enrollment Permissions | Do not allow team members in this organization to enroll new or deprovisioned devices | Varies | Varies | Inventory of Authorized and Unauthorized devices | Low Resourced Administrator,Self-Managed Considerations | |||||||||
14 | Apps and Extensions | Allowed Types of Apps and Extensions | Extension | Yes | Yes | Inventory of Authorized and Unauthorized Software,Whitelist(s) | Compromised Device | |||||||||
15 | Apps and Extensions | Allowed Types of Apps and Extensions | Theme | Yes | Yes | Inventory of Authorized and Unauthorized Software,Whitelist(s) | Compromised Device | |||||||||
16 | Apps and Extensions | Allowed Types of Apps and Extensions | Google Apps Script | Yes | Yes | Inventory of Authorized and Unauthorized Software,Whitelist(s) | Compromised Device | |||||||||
17 | Apps and Extensions | Allowed Types of Apps and Extensions | Hosted App | Yes | Yes | Inventory of Authorized and Unauthorized Software,Whitelist(s) | Compromised Device | |||||||||
18 | Apps and Extensions | Allowed Types of Apps and Extensions | Legacy Packaged App | Yes | Yes | Inventory of Authorized and Unauthorized Software,Whitelist(s) | Compromised Device | |||||||||
19 | Apps and Extensions | Allowed Types of Apps and Extensions | Chrome Packaged App | Yes | Yes | Inventory of Authorized and Unauthorized Software,Whitelist(s) | Compromised Device | |||||||||
20 | Apps and Extensions | App and Extension Install Sources | List of URL Patterns | LongTerm | LongTerm | Inventory of Authorized and Unauthorized Software,Whitelist(s) | Compromised Device | |||||||||
21 | Apps and Extensions | Force-installed Apps and Extensions | Manage force-installed apps | Yes | Yes | Cohesive Security Tool Adoption | Circumvention Tech Regulated,Encrypted Comms Regulated,Encryption Regulated | Low Resourced Administrator | ||||||||
22 | Apps and Extensions | Allow or Block All Apps and Extensions | Allow all apps and extensions except the ones I block | Varies | Varies | Inventory of Authorized and Unauthorized Software | Blacklist(s) | Compromised Device | ||||||||
23 | Apps and Extensions | Allow or Block All Apps and Extensions | Block all apps and extensions except the ones I allow | LongTerm | LongTerm | Inventory of Authorized and Unauthorized Software,Needs Assessment (Apps) | Compromised Device | |||||||||
24 | Apps and Extensions | Pinned Apps and Extensions | Manage pinned apps | Yes | Yes | Security Awareness and Training | In-Country Activities Regulated,Traveler Detained,Traveler/Partner Association Regulated | Login Forced (Device) | Security must not make the traveler ineffective | |||||||
25 | Apps and Extensions | Task Manager | Allow users to end processes with the Chrome task manager | Yes | Yes | External Enterprise Mobility Management Tool | Login Forced (Device) | |||||||||
26 | Apps and Extensions | Task Manager | Block team members from ending processes with the Chrome task manager | No | No | External Enterprise Mobility Management Tool | ||||||||||
27 | Chrome Web Store | Chrome Web Store Homepage | Chrome Web Store Homepage | Use the default homepage | Yes | Yes | Custom Chrome Web Store Homepage | |||||||||
28 | Chrome Web Store | Chrome Web Store Homepage | Chrome Web Store Homepage | Use the 'For [YOUR_DOMAIN>TLD]' collection: | Varies | Varies | Custom Chrome Web Store Homepage | In-Country Activities Regulated,Traveler/Partner Association Regulated | Login Forced (Device) | |||||||
29 | Chrome Web Store | Chrome Web Store Homepage | Chrome Web Store Homepage | Use a custom page, set below | Varies | Varies | Cohesive Security Tool Adoption,Whitelist(s) | Custom Chrome Web Store Homepage,Security Awareness and Training | In-Country Activities Regulated,Traveler/Partner Association Regulated | Login Forced (Device) | Widely Dispersed Team | |||||
30 | Chrome Web Store | Chrome Web Store Homepage | Which private apps should be included in the collection? | Include all private apps and extensions from my domain. | Varies | Varies | Private Apps | Inventory of Authorized and Unauthorized Software | Compromised Account | Low Resourced Administrator | ||||||
31 | Chrome Web Store | Chrome Web Store Homepage | Which private apps should be included in the collection? | I will choose which private apps and extensions to include. | Varies | Varies | Inventory of Authorized and Unauthorized Software,Proof Of Inaccess | Traveler Perceived to be Misleading/Lying to Border Officials | ||||||||
32 | Chrome Web Store | Chrome Web Store Homepage | What should the collection name be? | Yes | Yes | Cohesive Security Tool Adoption | Security Awareness and Training | In-Country Activities Regulated,Traveler/Partner Association Regulated | Login Forced (Device) | |||||||
33 | Chrome Web Store | Recommended Apps and Extensions | Manage | Yes | Yes | |||||||||||
34 | Chrome Web Store | Chrome Web Store Permissions | Allow users to publish private apps that are restricted to your domain on Chrome Web Store. | Varies | Varies | Inventory of Authorized and Unauthorized Software | Private Apps | Compromised Account | ||||||||
35 | Chrome Web Store | Chrome Web Store Permissions | Allow users to skip verification for websites not owned | No | No | Inventory of Authorized and Unauthorized Software | Compromised Account | |||||||||
36 | Android applications | Android applications on Chrome devices | Do not allow | No | No | Cohesive Security Tool Adoption | ||||||||||
37 | Android applications | Android applications on Chrome devices | Allow | Yes | Yes | Cohesive Security Tool Adoption,Inventory of Authorized and Unauthorized Software | Inventory of Authorized and Unauthorized Software,Security Awareness and Training | Security must not make the traveler ineffective | ||||||||
38 | Android applications | Access to Android applications | Do not allow | LongTerm | LongTerm | Blacklist(s),Inventory of Authorized and Unauthorized Software | In-country alternative working software identification | |||||||||
39 | Android applications | Access to Android applications | Allow | ShortTerm | ShortTerm | In-country alternative working software identification,Whitelist(s) | Cohesive Security Tool Adoption | Needs Assessment (Apps),Security Awareness and Training | Application/Protocol Blocking,Endpoint/Route Disabling | Compromised Device | Receptive and Trusted Admin/Security Team | |||||
40 | Android applications | Account Management | Google account | Yes | Yes | Cohesive Security Tool Adoption,Inventory of Authorized and Unauthorized Software | Compromised Device | |||||||||
41 | Android applications | Unknown Sources | Allow install from unknown sources | Yes | Yes | In-country alternative working software identification | Security Awareness and Training | App Store App Blocking/Restriction,Circumvention Tech Regulated,Encrypted Comms Regulated,Endpoint/Route Disabling | Compromised Device | Localizable & Internationalizable Practices | ||||||
42 | Android applications | Unknown Sources | Do not allow install from unknown sources | No | No | In-country alternative working software identification | Compromised Device | App Store App Blocking/Restriction,Circumvention Tech Regulated,Encrypted Comms Regulated,Endpoint/Route Disabling | Localizable & Internationalizable Practices | |||||||
43 | Android applications | Certificate Synchronization | Disable usage of Chrome OS CA Certificates in Android apps | |||||||||||||
44 | Android applications | Certificate Synchronization | Enable usage of Chrome OS CA Certificates in Android apps | |||||||||||||
45 | Security | Password Manager | Always allow use of password manager | No | No | Security Awareness and Training | Login Forced (Service) | Allow for Greater Security | ||||||||
46 | Security | Password Manager | Never allow use of password manager | No | Varies | Login Forced (Service) | ||||||||||
47 | Security | Password Manager | Allow user to configure | Yes | Varies | Security Awareness and Training | Login Forced (Service) | |||||||||
48 | Security | Lock Screen | Do not allow locking screen | Varies | Varies | Device Wiping | Device Confiscation,Hotel Robbery & Theft,In-Transit Robbery & Theft,Targeted Workplace Raids | Traveler Circumvent Mitigations | ||||||||
49 | Security | Lock Screen | Allow locking screen | Varies | Varies | |||||||||||
50 | Security | Idle Settings | Idle time in minutes (leave empty for system default) | Default | Default | Security Awareness and Training | Traveler Circumvent Mitigations | |||||||||
51 | Security | Idle Settings | Action on idle | Sleep | Yes | Varies | Security Awareness and Training | |||||||||
52 | Security | Idle Settings | Action on idle | Logout | No | Varies | Device Wiping | Security Awareness and Training | Device Confiscation,Hotel Robbery & Theft,In-Transit Robbery & Theft,Targeted Workplace Raids | |||||||
53 | Security | Idle Settings | Action on lid close | Sleep | Yes | Varies | Security Awareness and Training | |||||||||
54 | Security | Idle Settings | Action on lid close | Logout | No | Varies | Device Wiping | Security Awareness and Training | Device Confiscation,Hotel Robbery & Theft,In-Transit Robbery & Theft,Targeted Workplace Raids | |||||||
55 | Security | Idle Settings | Lock screen on sleep | Allow user to configure | Varies | No | ||||||||||
56 | Security | Idle Settings | Lock screen on sleep | Lock Screen | Varies | Varies | Security Awareness and Training | |||||||||
57 | Security | Idle Settings | Lock screen on sleep | Don't Lock Screen | No | No | Security Awareness and Training | |||||||||
58 | Security | Incognito Mode | Allow incognito mode | Yes | Yes | Security Awareness and Training | Login Forced (Device) | Allow for Greater Security | ||||||||
59 | Security | Incognito Mode | Disallow incognito mode | No | No | Login Forced (Device) | Allow for Greater Security | |||||||||
60 | Security | Browser History | Always save browser history | Yes | Varies | Security Awareness and Training | Device Confiscation,Hotel Robbery & Theft,In-Transit Robbery & Theft,Targeted Workplace Raids | |||||||||
61 | Security | Browser History | Never save browser history | No | Varies | Proof Of Inaccess | Device Confiscation,Hotel Robbery & Theft,In-Transit Robbery & Theft,Targeted Workplace Raids | |||||||||
62 | Security | Clear Browser History | Do not allow clearing history in settings menu | Varies | Varies | Device Confiscation,Hotel Robbery & Theft,In-Transit Robbery & Theft,Targeted Workplace Raids | ||||||||||
63 | Security | Clear Browser History | Allow clearing history in settings menu | Varies | Varies | Security Awareness and Training | Traveler Detained | |||||||||
64 | Security | Force Ephemeral Mode | Do not erase local team member data | |||||||||||||
65 | Security | Force Ephemeral Mode | Erase all local team member data | |||||||||||||
66 | Security | Online Revocation Checks | Perform online OCSP/CRL checks | No | No | Passive Internet Surveillance,Passive Mobile Data Surveillance | ||||||||||
67 | Security | Online Revocation Checks | Do not perform online OCSP/CRL checks | Yes | Yes | |||||||||||
68 | Security | Safe Browsing | Always enable Safe Browsing | Yes | Yes | Security Awareness and Training | Compromised Device | Pharming | ||||||||
69 | Security | Safe Browsing | Always disable Safe Browsing | No | No | Security Awareness and Training | Compromised Device | Pharming | ||||||||
70 | Security | Safe Browsing | Allow user to decide whether to use Safe Browsing | No | No | Security Awareness and Training | Compromised Device | Pharming | ||||||||
71 | Security | Malicious Sites | Allow user to proceed anyway to malicious sites | Varies | Varies | Security Awareness and Training | Pharming | |||||||||
72 | Security | Malicious Sites | Prevent team member from proceeding anyway to malicious sites | Varies | Varies | Desktop Virtualization,Traveler Sub-Organization(s) | Pharming | Traveler Circumvent Mitigations | ||||||||
73 | Security | Geolocation | Allow sites to detect team members' geolocation | No | No | Traveler Circumvent Mitigations | Data requests from online services | Data requests from online services | Allow for Greater Security | |||||||
74 | Security | Geolocation | Do not allow sites to detect team members' geolocation | No | No | Data requests from online services | Traveler Circumvent Mitigations | |||||||||
75 | Security | Geolocation | Always ask the team member if a site wants to detect their geolocation | Varies | Varies | Traveler Circumvent Mitigations | Data requests from online services | Data requests from online services | Allow for Greater Security | |||||||
76 | Security | Geolocation | Allow user to configure | Varies | Varies | Security Awareness and Training | Traveler Circumvent Mitigations | |||||||||
77 | Security | Remote access clients | Remote Access Host Client Domain - Configure the required domain name for remote access clients. | Yes | Yes | External Enterprise Mobility Management Tool,Remote Access Management | Compromised Device | |||||||||
78 | Security | Local Trust Anchors Certificates | Local Anchors Sha1 | Follow the publicly announced SHA-1 deprecation schedule | Yes | Yes | ||||||||||
79 | Security | Local Trust Anchors Certificates | Local Anchors Sha1 | Allow SHA-1 for local trust anchors | No | No | Certificate Spoofing | |||||||||
80 | Security | Local Trust Anchors Certificates | Local Anchors Common Name Fallback | Block | Yes | Yes | Certificate Spoofing | |||||||||
81 | Security | Local Trust Anchors Certificates | Local Anchors Common Name Fallback | Allow | No | No | Certificate Spoofing | |||||||||
82 | Session Settings | Show Logout Button in Tray | Does not show logout button in tray | No | No | Security Awareness and Training | Traveler Circumvent Mitigations | |||||||||
83 | Session Settings | Show Logout Button in Tray | Show logout button in tray | Yes | Yes | Security Awareness and Training | Traveler Circumvent Mitigations | |||||||||
84 | Network | Proxy Settings | Never use a proxy | Varies | Varies | Security Awareness and Training | Limited/Throttled Connectivity | |||||||||
85 | Network | Proxy Settings | Always auto detect the proxy | No | No | Passive Internet Surveillance,Spoofed Access Point | Allow for Greater Security | |||||||||
86 | Network | Proxy Settings | Always use the proxy specified below | Varies | Varies | Secure Traffic Tunneling | In-country alternative working software identification | Passive Internet Surveillance | Traveler Circumvent Mitigations | Limited/Throttled Connectivity | ||||||
87 | Network | Proxy Settings | Always use the proxy auto-config specified below | Varies | Varies | Secure Traffic Tunneling | In-country alternative working software identification | Passive Internet Surveillance | Traveler Circumvent Mitigations | Limited/Throttled Connectivity | ||||||
88 | Network | SSL Record Splitting | Enable SSL record splitting | |||||||||||||
89 | Network | SSL Record Splitting | Disable SSL record splitting | |||||||||||||
90 | Network | Data Compression Proxy | Allow user to decide whether to use data compression proxy | |||||||||||||
91 | Network | Data Compression Proxy | Always enable data compression proxy | |||||||||||||
92 | Network | Data Compression Proxy | Always disable data compression proxy | |||||||||||||
93 | Network | WebRTC UDP Ports | Minimum port (1024-65535) | Varies | Varies | Traveler Sub-Organization(s) | Application/Protocol Blocking | Traveler/Partner Association Regulated | Passive Internet Surveillance | |||||||
94 | Network | WebRTC UDP Ports | Maximum port (1024-65535) | Varies | Varies | Traveler Sub-Organization(s) | Application/Protocol Blocking | Traveler/Partner Association Regulated | Passive Internet Surveillance | |||||||
95 | Network | QUIC Protocol | Enabled | Yes | Yes | Application/Protocol Blocking,Limited/Throttled Connectivity | ||||||||||
96 | Network | QUIC Protocol | Disabled | No | No | Limited/Throttled Connectivity | ||||||||||
97 | Startup | Home Button | Always show 'Home' button | Varies | Yes | Proof Of Inaccess | Security Awareness and Training | Traveler Perceived to be Misleading/Lying to Border Officials | ||||||||
98 | Startup | Home Button | Never show 'Home' button | No | No | |||||||||||
99 | Startup | Home Button | Allow user to configure | Varies | No | Security Awareness and Training | ||||||||||
100 | Startup | Homepage | Allow user to configure | Varies | No | Security Awareness and Training | ||||||||||
101 | Startup | Homepage | Homepage is always the new tab page | Varies | No | Proof Of Inaccess | Traveler Perceived to be Misleading/Lying to Border Officials | Login Forced (Device) | Allow for Greater Security | |||||||
102 | Startup | Homepage | Homepage is always the Homepage URL, set below | Varies | Yes | Proof Of Inaccess | Traveler Perceived to be Misleading/Lying to Border Officials | |||||||||
103 | Startup | Pages to Load on Startup | Pages to Load on Startup | Yes | Yes | Proof Of Inaccess | Traveler Perceived to be Misleading/Lying to Border Officials | |||||||||
104 | Content | Safe Search and Restricted Mode | Google Safe Search for Google Web Search queries | Do not enforce Safe Search for Google Web Search queries | Yes | Yes | ||||||||||
105 | Content | Safe Search and Restricted Mode | Google Safe Search for Google Web Search queries | Always use Safe Search for Google Web Search queries | No | No | Traveler Circumvent Mitigations | |||||||||
106 | Content | Safe Search and Restricted Mode | Restricted Mode for YouTube | Do not enforce Restricted Mode on YouTube | Yes | Yes | ||||||||||
107 | Content | Safe Search and Restricted Mode | Restricted Mode for YouTube | Enforce at least Moderate Restricted Mode on YouTube | No | No | Traveler Circumvent Mitigations | |||||||||
108 | Content | Safe Search and Restricted Mode | Restricted Mode for YouTube | Enforce Strict Restricted Mode for YouTube | No | No | Traveler Circumvent Mitigations | |||||||||
109 | Content | Screenshot | Enable screenshot | Yes | Yes | |||||||||||
110 | Content | Screenshot | Disable screenshot | No | No | Traveler Circumvent Mitigations | ||||||||||
111 | Content | Client Certificates | Automatically Select Client Certificate for These Sites - If a site matching a pattern below requests a client certificate, Chrome will automatically select one for it. | Yes | Yes | Account Monitoring and Control,Proof Of Inaccess | In-Country Device Swapping | Multi-Factor Authentication | Traveler Perceived to be Misleading/Lying to Border Officials | Compromised Account | ||||||
112 | Content | 3D Content | Always allow display of 3D content | Yes | Yes | |||||||||||
113 | Content | 3D Content | Never allow display of 3D content | No | No | |||||||||||
114 | Content | Cookies | Default Cookie Setting | Allow sites to set cookies | Varies | No | Passive Internet Surveillance | Allow for Greater Security | ||||||||
115 | Content | Cookies | Default Cookie Setting | Never allow sites to set cookies | No | No | Passive Internet Surveillance | Traveler Circumvent Mitigations | ||||||||
116 | Content | Cookies | Default Cookie Setting | Allow user to configure | Varies | Varies | Security Awareness and Training | Allow for Greater Security | ||||||||
117 | Content | Cookies | Default Cookie Setting | Keep cookies for the duration of the session | Varies | Varies | Device Wiping | Passive Internet Surveillance | Traveler Circumvent Mitigations | |||||||
118 | Content | Cookies | Allow Cookies for URL Patterns | No | No | Whitelist(s) | Whitelist(s) | Passive Internet Surveillance | Traveler Circumvent Mitigations | Low Resourced Administrator | ||||||
119 | Content | Cookies | Block Cookies for URL Patterns | Varies | Varies | Security Awareness and Training | ||||||||||
120 | Content | Cookies | Allow Session-Only Cookies for URL Patterns | Varies | Varies | Whitelist(s) | Whitelist(s) | Passive Internet Surveillance | Traveler Circumvent Mitigations | Low Resourced Administrator | ||||||
121 | Content | Third-Party Cookie Blocking | Allow third-party cookies | No | No | Security Awareness and Training | Passive Internet Surveillance | Allow for Greater Security | ||||||||
122 | Content | Third-Party Cookie Blocking | Disallow third-party cookies | Varies | Varies | Passive Internet Surveillance | ||||||||||
123 | Content | Third-Party Cookie Blocking | Allow user to decide whether to allow third-party cookies | Yes | Varies | Security Awareness and Training | Passive Internet Surveillance | Allow for Greater Security | ||||||||
124 | Content | Images | Images | Show images | Varies | Varies | ||||||||||
125 | Content | Images | Images | Do not show images | No | No | Traveler Circumvent Mitigations | |||||||||
126 | Content | Images | Images | Allow user to configure | Yes | Yes | Security Awareness and Training | Limited/Throttled Connectivity | ||||||||
127 | Content | Images | Show Images on These Sites | No | No | Whitelist(s) | ||||||||||
128 | Content | Images | Block Images on These Sites | No | No | Blacklist(s) | ||||||||||
129 | Content | JavaScript | JavaScript | Allow sites to run JavaScript | No | No | Security Awareness and Training | Pharming,Phishing | Allow for Greater Security | |||||||
130 | Content | JavaScript | JavaScript | Do not allow sites to run JavaScript | No | No | Pharming,Phishing | Traveler Circumvent Mitigations | ||||||||
131 | Content | JavaScript | JavaScript | Allow user to configure | Yes | Yes | Security Awareness and Training | |||||||||
132 | Content | JavaScript | Allow These Sites to Run JavaScript | No | No | Whitelist(s) | Pharming,Phishing,Traveler Circumvent Mitigations | |||||||||
133 | Content | JavaScript | Block JavaScript on These Sites | No | No | Blacklist(s) | ||||||||||
134 | Content | Notifications | Notifications | Allow sites to show desktop notifications | No | No | Security Awareness and Training | Traveler Circumvent Mitigations | Phishing | |||||||
135 | Content | Notifications | Notifications | Do not allow sites to show desktop notifications | Varies | Varies | Needs Assessment (Apps) | Phishing | Traveler Circumvent Mitigations | |||||||
136 | Content | Notifications | Notifications | Always ask the team member if a site can show desktop notifications | Varies | Varies | Security Awareness and Training | Traveler Circumvent Mitigations | Phishing | |||||||
137 | Content | Notifications | Notifications | Allow user to configure | Varies | Varies | Security Awareness and Training | |||||||||
138 | Content | Notifications | Allow These Sites to Show Desktop Notifications | Varies | Varies | Needs Assessment (Apps) | ||||||||||
139 | Content | Notifications | Block Desktop Notifications on These Sites | No | No | |||||||||||
140 | Content | Plug-ins | Plug-ins | Run plug-ins automatically | No | No | Pharming,Phishing | Allow for Greater Security | ||||||||
141 | Content | Plug-ins | Plug-ins | Block all plug-ins | Varies | Varies | Needs Assessment (Apps) | Pharming,Phishing | Traveler Circumvent Mitigations | |||||||
142 | Content | Plug-ins | Plug-ins | Allow user to configure | Varies | Varies | Security Awareness and Training | |||||||||
143 | Content | Plug-ins | Allow Plug-ins on These Sites | Varies | Varies | Needs Assessment (Apps),Whitelist(s) | Receptive and Trusted Admin/Security Team | |||||||||
144 | Content | Plug-ins | Block Plug-ins on These Sites | No | No | Blacklist(s) | ||||||||||
145 | Content | Enabled and Disabled Plug-ins | Enabled Plug-ins | No | No | |||||||||||
146 | Content | Enabled and Disabled Plug-ins | Disabled Plug-ins | No | No | |||||||||||
147 | Content | Enabled and Disabled Plug-ins | Exceptions to Disabled Plug-ins | No | No | |||||||||||
148 | Content | Plugin Finder | Enable automatic search and installation of missing plugins | No | No | |||||||||||
149 | Content | Plugin Finder | Disable automatic search and installation of missing plugins | Yes | Yes | Needs Assessment (Apps) | ||||||||||
150 | Content | Plugin Authorization | Always run plugins that require authorization | No | No | Pharming,Phishing | Allow for Greater Security | |||||||||
151 | Content | Plugin Authorization | Ask for user permission before running plugins that require authorization | Yes | Yes | Security Awareness and Training | Pharming,Phishing | Allow for Greater Security | ||||||||
152 | Content | Outdated Plugins | Allow outdated plugins to be used as normal plugins | No | No | Pharming,Phishing | Allow for Greater Security | |||||||||
153 | Content | Outdated Plugins | Disallow outdated plugins | Varies | Varies | Pharming,Phishing | Traveler Circumvent Mitigations | |||||||||
154 | Content | Outdated Plugins | Ask user for permission to run outdated plugins | Varies | Varies | Security Awareness and Training | ||||||||||
155 | Content | Pop-ups | Pop-ups | Allow all pop-ups | No | No | Allow for Greater Security | |||||||||
156 | Content | Pop-ups | Pop-ups | Block all pop-ups | No | No | Needs Assessment (Apps) | Traveler Circumvent Mitigations | ||||||||
157 | Content | Pop-ups | Pop-ups | Allow user to configure | Yes | Yes | Security Awareness and Training | |||||||||
158 | Content | Pop-ups | Allow Pop-ups on These Sites | Varies | Varies | Needs Assessment (Apps),Whitelist(s) | ||||||||||
159 | Content | Pop-ups | Block Pop-ups on These Sites | No | No | Blacklist(s) | ||||||||||
160 | Content | URL Blocking | URL Blacklist | Varies | Varies | Blacklist(s) | Pharming | |||||||||
161 | Content | URL Blacklist Exception | URL Blacklist Exception | No | No | |||||||||||
162 | Content | Google Drive Syncing | Enable Google Drive syncing | Varies | Varies | Security Awareness and Training | Traveler Circumvent Mitigations | Compromised Device,Hotel Robbery & Theft,In-Transit Robbery & Theft,Login Forced (Device),Targeted Workplace Raids | Receptive and Trusted Admin/Security Team | Allow for Greater Security | ||||||
163 | Content | Google Drive Syncing | Disable Google Drive syncing | Varies | Varies | Compromised Device,Hotel Robbery & Theft,In-Transit Robbery & Theft,Login Forced (Device),Targeted Workplace Raids | Traveler Circumvent Mitigations | |||||||||
164 | Content | Google Drive Syncing | Allow user to decide whether to use Google Drive syncing | Varies | Varies | Security Awareness and Training | Allow for Greater Security | |||||||||
165 | Content | Google Drive Syncing over Cellular | Enable Google Drive syncing over cellular connections | Varies | Varies | Lacking/Intermittent Access to Broadband | ||||||||||
166 | Content | Google Drive Syncing over Cellular | Disable Google Drive syncing over cellular connections | Varies | Varies | Lacking/Intermittent Access to Broadband | ||||||||||
167 | Content | Cast | Allow users to Cast | Yes | Yes | |||||||||||
168 | Content | Cast | Do not allow team members to Cast | No | No | Traveler Circumvent Mitigations | ||||||||||
169 | Printing | Printing | Enable printing | Yes | Yes | |||||||||||
170 | Printing | Printing | Disable printing | No | No | Traveler Circumvent Mitigations | ||||||||||
171 | Printing | Print Preview | Allow using print preview | Yes | Yes | |||||||||||
172 | Printing | Print Preview | Always use the system print dialog instead of print preview | No | No | |||||||||||
173 | Printing | Google Cloud Print Submission | Allow submission of documents to Google Cloud Print | Varies | Varies | Needs Assessment (Apps),Security Awareness and Training | ||||||||||
174 | Printing | Google Cloud Print Submission | Disallow submission of documents to Google Cloud Print | Varies | Varies | Needs Assessment (Apps) | ||||||||||
175 | Printing | Google Cloud Print Proxy | Allow using Chrome as a proxy for Google Cloud Print | N/A | N/A | Needs Assessment (Apps) | ||||||||||
176 | Printing | Google Cloud Print Proxy | Disallow using Chrome as a proxy for Google Cloud Print | N/A | N/A | |||||||||||
177 | Printing | Print Preview Default | Use default print behavior | |||||||||||||
178 | Printing | Print Preview Default | Define the default printer | |||||||||||||
179 | Printing | Print Preview Default | Cloud & Local printers | |||||||||||||
180 | Printing | Print Preview Default | Cloud only | |||||||||||||
181 | Printing | Print Preview Default | Local only | |||||||||||||
182 | Printing | Print Preview Default | Match by Name | |||||||||||||
183 | Printing | Print Preview Default | Match by ID | |||||||||||||
184 | Printing | Print Preview Default | ||||||||||||||
185 | Printing | Native Chrome OS Printing | [X] Chrome OS printers configured. | Manage | ||||||||||||
186 | User Experience | Managed Bookmarks | Managed Bookmarks Folder Name | Varies | Varies | Proof Of Inaccess | Traveler Perceived to be Misleading/Lying to Border Officials | |||||||||
187 | User Experience | Managed Bookmarks | Managed Bookmarks | Varies | Varies | Proof Of Inaccess | Appropriate Organizational Identifiers,Needs Assessment (Apps),Security Awareness and Training | Traveler Perceived to be Misleading/Lying to Border Officials | Pharming,Phishing | Login Forced (Device) | ||||||
188 | User Experience | Bookmark Bar | Enable bookmark bar | No | Varies | Traveler Circumvent Mitigations | Security must not make the traveler ineffective | |||||||||
189 | User Experience | Bookmark Bar | Disable bookmark bar | No | Varies | Traveler Circumvent Mitigations | ||||||||||
190 | User Experience | Bookmark Bar | Allow user to decide whether to enable bookmark bar | Yes | Varies | Security must not make the traveler ineffective | ||||||||||
191 | User Experience | Bookmark Editing | Enable bookmark editing | Yes | Varies | Security Awareness and Training | Login Forced (Device) | |||||||||
192 | User Experience | Bookmark Editing | Disable bookmark editing | No | Varies | Traveler Circumvent Mitigations | ||||||||||
193 | User Experience | Download Location | Set Google Drive as default, but allow team member to change | Varies | Varies | Security Awareness and Training | Traveler Circumvent Mitigations | Compromised Account | ||||||||
194 | User Experience | Download Location | Local Downloads folder, but allow team member to change | Varies | Varies | Security Awareness and Training | Traveler Circumvent Mitigations | |||||||||
195 | User Experience | Download Location | Force Google Drive | No | No | Traveler Circumvent Mitigations | Compromised Account,Intermittent Connectivity,Lacking/Intermittent Access to Broadband,Limited/Throttled Connectivity | Allow for Greater Security | ||||||||
196 | User Experience | Spell Check Service | Enable the spell checking web service | Varies | Varies | Allow for Greater Security | ||||||||||
197 | User Experience | Spell Check Service | Disable the spell checking web service | No | No | |||||||||||
198 | User Experience | Spell Check Service | Allow user to decide whether to use the spell checking web service | Varies | Varies | Security Awareness and Training | Allow for Greater Security | |||||||||
199 | User Experience | Google Translate | Always offer translation | No | No | Allow for Greater Security | ||||||||||
200 | User Experience | Google Translate | Never offer translation | No | Varies | Traveler Circumvent Mitigations | ||||||||||
201 | User Experience | Google Translate | Allow user to configure | Yes | Varies | Security Awareness and Training | Allow for Greater Security | |||||||||
202 | User Experience | Alternate Error Pages | Always use alternate error pages | No | No | |||||||||||
203 | User Experience | Alternate Error Pages | Never use alternate error pages | No | No | |||||||||||
204 | User Experience | Alternate Error Pages | Allow user to configure | Yes | Yes | |||||||||||
205 | User Experience | Developer Tools | Always allow use of built-in developer tools | Yes | Yes | |||||||||||
206 | User Experience | Developer Tools | Never allow use of built-in developer tools | No | No | Traveler Circumvent Mitigations | ||||||||||
207 | User Experience | Form Auto-fill | Never auto-fill forms | No | Varies | Pharming,Phishing | Traveler Circumvent Mitigations | |||||||||
208 | User Experience | Form Auto-fill | Allow user to configure | Yes | Varies | Security Awareness and Training | Allow for Greater Security | |||||||||
209 | User Experience | DNS Pre-fetching | Always pre-fetch DNS | No | No | Maintenance, Monitoring, and Analysis of Audit Logs | Topical/Information Censorship | Passive Internet Surveillance | Allow for Greater Security | |||||||
210 | User Experience | DNS Pre-fetching | Never pre-fetch DNS | Yes | Yes | Topical/Information Censorship | Passive Internet Surveillance | |||||||||
211 | User Experience | DNS Pre-fetching | Allow user to configure | Varies | No | Security Awareness and Training | Allow for Greater Security | |||||||||
212 | User Experience | Multiple Sign-in Access | Managed team member must be the primary team member (secondary team members are allowed) | No | No | Boundary Defense,Proof Of Inaccess,Secure Traffic Tunneling | Needs Assessment (Apps) | Compromised Device,Traveler Circumvent Mitigations | Login Forced (Device) | |||||||
213 | User Experience | Multiple Sign-in Access | Unrestricted team member access (allow any team member to be added to any other user's session) | No | No | Boundary Defense,Proof Of Inaccess,Secure Traffic Tunneling | Needs Assessment (Apps),Security Awareness and Training | Compromised Device,Traveler Circumvent Mitigations | Login Forced (Device) | |||||||
214 | User Experience | Multiple Sign-in Access | Block multiple sign-in access for team members in this organization | Yes | Yes | Proof Of Inaccess | Needs Assessment (Apps) | Compromised Device,Traveler Circumvent Mitigations,Traveler Perceived to be Misleading/Lying to Border Officials | ||||||||
215 | User Experience | Unified Desktop | Do not make Unified Desktop mode available to user | N/A | N/A | |||||||||||
216 | User Experience | Unified Desktop | Make Unified Desktop mode available to user | N/A | N/A | |||||||||||
217 | Omnibox Search Provider | Search Suggest | Always allow team members to use Search Suggest | Varies | Varies | Allow for Greater Security | ||||||||||
218 | Omnibox Search Provider | Search Suggest | Never allow team members to use Search Suggest | No | No | Traveler Circumvent Mitigations | ||||||||||
219 | Omnibox Search Provider | Search Suggest | Allow user to configure | Varies | Varies | Security Awareness and Training | ||||||||||
220 | Omnibox Search Provider | Omnibox Search Provider | Allow user to select the Omnibox Search Provider | Varies | Varies | Security Awareness and Training | Compromised Device | |||||||||
221 | Omnibox Search Provider | Omnibox Search Provider | Lock the Omnibox Search Provider settings to the values below | Varies | Varies | Compromised Device | Traveler Circumvent Mitigations | Allow for Greater Security | ||||||||
222 | Hardware | External Storage devices | Allow external storage devices | Varies | Varies | In-Country Device Swapping | Compromised Device | |||||||||
223 | Hardware | External Storage devices | Allow external storage devices (read only) | Varies | Varies | Encrypted External Storage devices ,In-Country Device Swapping | Compromised Device,Traveler Circumvent Mitigations | |||||||||
224 | Hardware | External Storage devices | Disallow external storage devices | No | No | Encrypted External Storage devices ,In-Country Device Swapping | Traveler Circumvent Mitigations | Decryption Forced (Device),Device Confiscation,In-Transit Robbery & Theft,Login Forced (Device) | ||||||||
225 | Hardware | Audio Input | Prompt team member to allow each time | Varies | Varies | |||||||||||
226 | Hardware | Audio Input | Disable audio input | LongTerm | LongTerm | Compromised Device | Traveler Circumvent Mitigations | Support Personal Computing Needs | ||||||||
227 | Hardware | Audio Output | Enable audio output | Yes | Yes | |||||||||||
228 | Hardware | Audio Output | Disable audio output | No | No | Traveler Circumvent Mitigations | ||||||||||
229 | Hardware | Video Input | Enable video input | Yes | Yes | Webcam cover | ||||||||||
230 | Hardware | Video Input | Disable video input | No | No | Compromised Device | Traveler Circumvent Mitigations | Security must not make the traveler ineffective,Support Personal Computing Needs | ||||||||
231 | Hardware | Keyboard | Treat top-row keys as media keys, but allow team member to change | N/A | N/A | |||||||||||
232 | Hardware | Keyboard | Treat top-row keys as function keys, but allow team member to change | N/A | N/A | |||||||||||
233 | Verified Access | Verified Access | Disable for Enterprise Extensions | Varies | Varies | |||||||||||
234 | Verified Access | Verified Access | Enable for Enterprise Extensions | Varies | Varies | Chrome Remote Desktop,Encrypted online archive,Inventory of Authorized and Unauthorized devices,Secure Traffic Tunneling | Emergency Communication Practices,In-Country Device Swapping | Compromised Account | Traveler Circumvent Mitigations | |||||||
235 | User Verification | Verified Mode | Verified Mode Boot Check | Skip boot mode check for Verified Access | No | No | Chrome Remote Desktop,Encrypted online archive,Inventory of Authorized and Unauthorized devices,Secure Traffic Tunneling | Compromised Device | ||||||||
236 | User Verification | Verified Mode | Verified Mode Boot Check | Require verified mode boot for Verified Access | Yes | Yes | Chrome Remote Desktop,Encrypted online archive,Inventory of Authorized and Unauthorized devices,Secure Traffic Tunneling | Compromised Device | ||||||||
237 | User Verification | Verified Mode | Service accounts which are allowed to receive team member data | Varies | Varies | Data requests from online services | ||||||||||
238 | User Verification | Verified Mode | Service accounts which can verify team members but do not receive team member data | Varies | Varies | Data requests from online services |
1 | < Index | The GSuite Device Settings menu can be found here. | Setting Recommendation | Mitigation | Modification to Threats | Requirements | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2 | Category | Title | SubItem | Option(s) | Basic | High Risk | Supports | Inhibits | Requires | Likelihood ↧ | Impact ↧ | Likelihood ↥ | Impact ↥ | Supports | Inhibits | |
3 | Enrollment & Access | Forced Re-enrollment | Force device to re-enroll into this domain after wiping | Varies | Varies | Inventory of Authorized and Unauthorized devices | Traveler Sub-Organization(s) | Traveler Circumvent Mitigations | In-Country Activities Regulated,Traveler/Partner Association Regulated | |||||||
4 | Enrollment & Access | Forced Re-enrollment | Device is not forced to re-enroll after wiping | Varies | Varies | Traveler Sub-Organization(s) | ||||||||||
5 | Enrollment & Access | Verified Access | Disable for Enterprise Extensions | |||||||||||||
6 | Enrollment & Access | Verified Access | Enable for Enterprise Extensions | Varies | Varies | Chrome Remote Desktop,Encrypted online archive,Inventory of Authorized and Unauthorized devices,Secure Traffic Tunneling | Emergency Communication Practices,In-Country Device Swapping | Compromised Account | Traveler Circumvent Mitigations | |||||||
7 | Enrollment & Access | Verified Access | Disable for Content Protection | N/A | N/A | |||||||||||
8 | Enrollment & Access | Verified Access | Enable for Content Protection | N/A | N/A | Traveler Circumvent Mitigations | ||||||||||
9 | Enrollment & Access | Verified Mode | Skip boot mode check for Verified Access | No | No | Chrome Remote Desktop,Encrypted online archive,Inventory of Authorized and Unauthorized devices,Secure Traffic Tunneling | Compromised Device | |||||||||
10 | Enrollment & Access | Verified Mode | Require verified mode boot for Verified Access | Yes | Yes | Chrome Remote Desktop,Encrypted online archive,Inventory of Authorized and Unauthorized devices,Secure Traffic Tunneling | Compromised Device | |||||||||
11 | Enrollment & Access | Verified Mode | Service accounts which are allowed to receive device ID | Varies | Varies | Data requests from online services | ||||||||||
12 | Enrollment & Access | Verified Mode | Service accounts which can verify devices but do not receive device ID | Varies | Varies | Data requests from online services | ||||||||||
13 | Enrollment & Access | Disabled device return instructions | Custom text to display | Yes | Yes | Proof Of Inaccess | Security Awareness and Training | Traveler Mislead/Lie to Border Officials,Traveler Perceived to be Misleading/Lying to Border Officials | In-Transit Robbery & Theft | Compromised Device,Device Confiscation,In-Country Activities Regulated,Traveler/Partner Association Regulated | Security must not make the traveler ineffective | |||||
14 | Sign-in Settings | Guest Mode | Allow guest mode | Varies | Varies | Device Wiping,In-country alternative working software identification | Cohesive Security Tool Adoption,Secure Traffic Tunneling,Traveler Sub-Organization(s) | Security Awareness and Training | Compromised Account,Compromised Device,Device Confiscation,Hotel Robbery & Theft,In-Transit Robbery & Theft,Login Forced (Device),Targeted Workplace Raids | Allow for Greater Security | ||||||
15 | Sign-in Settings | Guest Mode | Do not allow guest mode | Varies | Varies | Security Awareness and Training | Traveler Circumvent Mitigations | Traveler Circumvent Mitigations | Allow for Greater Security | |||||||
16 | Sign-in Settings | Sign-in Restriction | Restrict Sign-in to list of users: | Yes | Yes | Traveler Sub-Organization(s) | Device Confiscation,In-Country Activities Regulated,Login Forced (Service),Traveler Detained,Traveler Mislead/Lie to Border Officials,Traveler Perceived to be Misleading/Lying to Border Officials,Traveler/Partner Association Regulated | |||||||||
17 | Sign-in Settings | Sign-in Restriction | Do not allow any users to Sign-in | No | No | Proof Of Inaccess | Account Monitoring and Control,App Pinning,Chrome Remote Desktop,Cohesive Security Tool Adoption,Custom Chrome Web Store Homepage,Desktop Virtualization,Private Apps,Project Specific GSuite Accounts,Secure Traffic Tunneling,Temporary G Suite Accounts,Traveler Sub-Organization(s),Whitelist(s) | Traveler Circumvent Mitigations | Allow for Greater Security,Security must not make the traveler ineffective | |||||||
18 | Sign-in Settings | Sign-in Restriction | comma-delimited list of usernames | Varies | Varies | Traveler Sub-Organization(s) | Traveler Circumvent Mitigations | Device Confiscation,In-Country Activities Regulated,Login Forced (Service),Traveler Detained,Traveler Mislead/Lie to Border Officials,Traveler Perceived to be Misleading/Lying to Border Officials,Traveler/Partner Association Regulated | Traveler Circumvent Mitigations | |||||||
19 | Sign-in Settings | Autocomplete Domain | Do not display an autocomplete domain on the sign in page | Varies | Varies | |||||||||||
20 | Sign-in Settings | Autocomplete Domain | Use the domain name, set below, for autocomplete at sign in | Varies | Varies | Traveler Mislead/Lie to Border Officials,Traveler Perceived to be Misleading/Lying to Border Officials | Traveler Detained,Traveler Mislead/Lie to Border Officials,Traveler Perceived to be Misleading/Lying to Border Officials | |||||||||
21 | Sign-in Settings | Sign-in Screen | Always show team member names and photos | No | No | |||||||||||
22 | Sign-in Settings | Sign-in Screen | Never show team member names and photos | Yes | Yes | |||||||||||
23 | Sign-in Settings | team member Data | Erase all local team member data | Varies | Varies | Device Wiping | Cohesive Security Tool Adoption | Device Confiscation,Hotel Robbery & Theft,In-Transit Robbery & Theft,Targeted Workplace Raids | Traveler Circumvent Mitigations | |||||||
24 | Sign-in Settings | team member Data | Do not erase all local team member data | Varies | Varies | Traveler Circumvent Mitigations | ||||||||||
25 | Sign-in Settings | Single Sign-On IdP Redirection | Default. Take team members to the default Google login page | Varies | Varies | Account Monitoring and Control | ||||||||||
26 | Sign-in Settings | Single Sign-On IdP Redirection | Allow users to go directly to SAML SSO IdP page | Varies | Varies | Account Monitoring and Control | Traveler Perceived to be Misleading/Lying to Border Officials | Traveler Detained,Traveler Perceived to be Misleading/Lying to Border Officials | ||||||||
27 | Sign-in Settings | Single Sign-On Cookie Behavior | Disable transfer of SAML SSO Cookies into team member session during login | Varies | Varies | Account Monitoring and Control | Traveler Circumvent Mitigations | |||||||||
28 | Sign-in Settings | Single Sign-On Cookie Behavior | Enable transfer of SAML SSO Cookies into team member session during login | Varies | Varies | Account Monitoring and Control | Traveler Circumvent Mitigations | Compromised Account | ||||||||
29 | Sign-in Settings | Single Sign-On Camera Permissions | Whitelist of single sign-on camera permissions | Varies | Varies | Account Monitoring and Control,Multi-Factor Authentication | Device Confiscation,Login Forced (Device) | |||||||||
30 | Sign-in Settings | Accessibility Control | Turn off accessibility settings on sign-in screen upon logout | N/A | N/A | Traveler Circumvent Mitigations | ||||||||||
31 | Sign-in Settings | Sign-in Language | Allow user to configure | Varies | Varies | |||||||||||
32 | Sign-in Settings | Sign-in Language | [All the Languages] | Varies | Varies | Traveler Circumvent Mitigations,Traveler/Partner Association Regulated | ||||||||||
33 | Sign-in Settings | Sign-in Keyboard | [All the Keyboards] | Varies | Varies | Traveler Circumvent Mitigations,Traveler/Partner Association Regulated | ||||||||||
34 | Device Update Settings | Auto Update Settings | Auto Update | Allow auto-updates | Varies | Varies | In-country alternative working software identification | Application/Protocol Blocking | ||||||||
35 | Device Update Settings | Auto Update Settings | Auto Update | Stop auto-updates | Varies | Varies | Application/Protocol Blocking | Allow for Greater Security | ||||||||
36 | Device Update Settings | Auto Update Settings | Randomly scatter auto-updates over | None | Varies | Varies | Limited/Throttled Connectivity | Security must not make the traveler ineffective | ||||||||
37 | Device Update Settings | Auto Update Settings | Randomly scatter auto-updates over | [1-14] Day(s) | Varies | Varies | Limited/Throttled Connectivity | Security must not make the traveler ineffective | ||||||||
38 | Device Update Settings | Auto Update Settings | Auto reboot after updates | Allow auto-reboots | Varies | Varies | Inventory of Authorized and Unauthorized devices | Traveler Circumvent Mitigations | ||||||||
39 | Device Update Settings | Auto Update Settings | Auto reboot after updates | Disallow auto-reboots | Varies | Varies | Inventory of Authorized and Unauthorized devices | |||||||||
40 | Device Update Settings | Release Channel | Allow user to configure | Varies | Varies | Traveler Circumvent Mitigations | Allow for Greater Security | |||||||||
41 | Device Update Settings | Release Channel | Move to Stable Channel | Varies | Varies | Traveler Circumvent Mitigations | Receptive and Trusted Admin/Security Team | |||||||||
42 | Device Update Settings | Release Channel | Move to Beta Channel | No | No | Traveler Circumvent Mitigations | Receptive and Trusted Admin/Security Team | |||||||||
43 | Device Update Settings | Release Channel | Move to Development Channel | No | No | Traveler Circumvent Mitigations | Receptive and Trusted Admin/Security Team | |||||||||
44 | Kiosk Settings | Kiosk Settings | Public Session Kiosk | Allow Public Session Kiosk | ||||||||||||
45 | Kiosk Settings | Kiosk Settings | Public Session Kiosk | Do not allow Public Session Kiosk | ||||||||||||
46 | Kiosk Settings | Kiosk Settings | Public Session Kiosk | Manage Public Session settings | ||||||||||||
47 | Kiosk Settings | Kiosk Settings | Auto-Launch Public Session | No | ||||||||||||
48 | Kiosk Settings | Kiosk Settings | Auto-Launch Public Session | Yes | ||||||||||||
49 | Kiosk Settings | Kiosk Settings | Auto-Launch Public Session | Number of seconds before delaying auto-login; 0 means immediate auto-login | ||||||||||||
50 | Kiosk Settings | Kiosk Settings | Single App Kiosk | Allow Single App Kiosk | N/A | N/A | ||||||||||
51 | Kiosk Settings | Kiosk Settings | Single App Kiosk | Do not allow Single App Kiosk | N/A | N/A | ||||||||||
52 | Kiosk Settings | Kiosk Settings | Single App Kiosk | Manage Kiosk Applications | N/A | N/A | ||||||||||
53 | Kiosk Settings | Kiosk Settings | Single App Kiosk | Auto-Launch Kiosk App | N/A | N/A | ||||||||||
54 | Kiosk Settings | Kiosk Settings | Enable device health monitoring | Disable device health monitoring | N/A | N/A | ||||||||||
55 | Kiosk Settings | Kiosk Settings | Enable device health monitoring | Enable device health monitoring | N/A | N/A | ||||||||||
56 | Kiosk Settings | Kiosk Settings | Enable device system log upload | Disable device system log upload | N/A | N/A | ||||||||||
57 | Kiosk Settings | Kiosk Settings | Enable device system log upload | Enable device system log upload | N/A | N/A | ||||||||||
58 | Kiosk Settings | Kiosk Settings | Screen Rotation (Clockwise) | 0 Degree | N/A | N/A | ||||||||||
59 | Kiosk Settings | Kiosk Settings | Screen Rotation (Clockwise) | 90 Degrees | N/A | N/A | ||||||||||
60 | Kiosk Settings | Kiosk Settings | Screen Rotation (Clockwise) | 180 Degrees | N/A | N/A | ||||||||||
61 | Kiosk Settings | Kiosk Settings | Screen Rotation (Clockwise) | 270 Degrees | N/A | N/A | ||||||||||
62 | Kiosk Settings | Kiosk Settings | Allow Kiosk App to Control OS Version | Do not allow kiosk app to control OS version | N/A | N/A | ||||||||||
63 | Kiosk Settings | Kiosk Settings | Allow Kiosk App to Control OS Version | Allow kiosk app to control OS version | N/A | N/A | ||||||||||
64 | Kiosk Settings | Kiosk Apps | Manage Kiosk Applications | N/A | N/A | |||||||||||
65 | Kiosk Settings | Kiosk Device Status Alerting Delivery | Receive alert via email | N/A | N/A | |||||||||||
66 | Kiosk Settings | Kiosk Device Status Alerting Delivery | Receive alert via SMS | N/A | N/A | |||||||||||
67 | Kiosk Settings | Kiosk Device Status Alerting Contact Info | Kiosk Device Status Alerting Emails | N/A | N/A | |||||||||||
68 | Kiosk Settings | Kiosk Device Status Alerting Contact Info | Kiosk Device Status Alerting Mobile Phones | N/A | N/A | |||||||||||
69 | User & Device Reporting | Device Reporting | Device State Reporting | Enable device state reporting | Yes | Yes | Account Monitoring and Control,Inventory of Authorized and Unauthorized devices | Compromised Device,Traveler Circumvent Mitigations | Receptive and Trusted Admin/Security Team | |||||||
70 | User & Device Reporting | Device Reporting | Device State Reporting | Disable device state reporting | No | No | Inventory of Authorized and Unauthorized devices | |||||||||
71 | User & Device Reporting | Device Reporting | Device team member Tracking | Enable tracking recent device users | Yes | Yes | Needs Assessment (Apps) | Traveler Circumvent Mitigations | Receptive and Trusted Admin/Security Team,Support Personal Computing Needs | |||||||
72 | User & Device Reporting | Device Reporting | Device team member Tracking | Disable tracking recent device users | No | No | ||||||||||
73 | User & Device Reporting | Inactive Device Notifications | Inactive Device Notification Reports | Disable inactive device notifications | No | No | ||||||||||
74 | User & Device Reporting | Inactive Device Notifications | Inactive Device Notification Reports | Enable inactive device notifications | Yes | Yes | Crisis Identification,Inventory of Authorized and Unauthorized devices | Full Internet Shutdown,Hotel Robbery & Theft,In-Transit Robbery & Theft,Traveler Circumvent Mitigations,Traveler Detained | Receptive and Trusted Admin/Security Team | |||||||
75 | User & Device Reporting | Inactive Device Notifications | Inactive Range (days) | Inactive Range (days) | Varies | Varies | Crisis Identification | |||||||||
76 | User & Device Reporting | Inactive Device Notifications | Notification Cadence (days) | Notification Cadence (days) | Varies | Varies | Crisis Identification | |||||||||
77 | User & Device Reporting | Inactive Device Notifications | Email addresses to receive notification reports | Email addresses to receive notification reports | Varies | Varies | Crisis Identification | Security Awareness and Training | ||||||||
78 | User & Device Reporting | Anonymous Metric Reporting | Always send metrics to Google | N/A | N/A | |||||||||||
79 | User & Device Reporting | Anonymous Metric Reporting | Never send metrics to Google | N/A | N/A | |||||||||||
80 | Power & Shutdown | Power Management | Allow device to sleep/shut down when idle on the sign-in screen | Varies | Varies | Device Wiping | Device Confiscation,Hotel Robbery & Theft,In-Transit Robbery & Theft,Targeted Workplace Raids | Traveler Circumvent Mitigations | Security must not make the traveler ineffective | |||||||
81 | Power & Shutdown | Power Management | Do not allow device to sleep/shut down when idle on the sign-in screen | Varies | Varies | Security Awareness and Training | Power Outage | |||||||||
82 | Power & Shutdown | Scheduled Reboot | Number of days before reboot; leave empty for unset | N/A | N/A | Device Wiping | Security Awareness and Training | Device Confiscation,Hotel Robbery & Theft,In-Transit Robbery & Theft,Targeted Workplace Raids | Traveler Circumvent Mitigations | |||||||
83 | Power & Shutdown | Shut down | Allow users to turn off the device via the Shut down icon on the screen, or the physical power button | Yes | Yes | |||||||||||
84 | Power & Shutdown | Shut down | Only allow team members to turn off the device using the physical power button | No | No | |||||||||||
85 | Other | Cloud Print | Manage | |||||||||||||
86 | Other | Time Zone | Keep timezone as it is on device currently | Varies | Varies | Device Wiping | ||||||||||
87 | Other | Time Zone | [All the timezones] | Varies | Varies | |||||||||||
88 | Other | System timezone automatic detection | Let team members decide | Varies | Varies | Security Awareness and Training | ||||||||||
89 | Other | System timezone automatic detection | Never auto-detect timezone | Varies | Varies | Security Awareness and Training | ||||||||||
90 | Other | System timezone automatic detection | Always use coarse timezone detection | Varies | Varies | Secure Traffic Tunneling | ||||||||||
91 | Other | System timezone automatic detection | Always send WiFi access-points to server while resolving timezone | Varies | Varies | Secure Traffic Tunneling | Data requests from online services | |||||||||
92 | Other | Mobile Data Roaming | Allow mobile data roaming | Varies | Varies | Lacking/Intermittent Access to Broadband | ||||||||||
93 | Other | Mobile Data Roaming | Do not allow mobile data roaming | Varies | Varies | Lacking/Intermittent Access to Broadband | ||||||||||
94 | Other | USB Detachable Whitelist | List of VID:PID pairs | Varies | Varies | Chrome Remote Desktop,Desktop Virtualization | Compromised Device | |||||||||
95 | Other | Bluetooth | Do not disable bluetooth | |||||||||||||
96 | Other | Bluetooth | Disable bluetooth | |||||||||||||
97 | Other | Throttle Device Bandwidth | Enable network throttling | No | No | |||||||||||
98 | Other | Throttle Device Bandwidth | Disable network throttling | Yes | Yes | |||||||||||
99 | Other | Throttle Device Bandwidth | Download speed in kbps | N/A | N/A | |||||||||||
100 | Other | Throttle Device Bandwidth | Upload speed in kbps | N/A | N/A | |||||||||||
1 | < Index | Aggregated Comments on Configuration Options | ||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2 | Category | Title | Option | Mitigations | Threats | Requirements | ||||||||||||||||||||
3 | Mobile | Chrome Mobile | Apply supported user settings to Chrome on Android | |||||||||||||||||||||||
4 | General | Avatar | Upload Avatar File | * Custom Avatar is one of the ways to provide a "managed" indicator to help your staff prove that they are not able to access personal & sensitive content | * Custom Avatar is one of the ways to provide a "managed" indicator to help your staff prove that they are not able to access personal & sensitive content | |||||||||||||||||||||
5 | General | Wallpaper | Upload Wallpaper File | * Can be set to the travel policy // rules. Make this look like the overbearing IT / security team to make it clear to border officials that the team member is not in control of their account. Especially useful if the "restrictions" are very clearly laid out so the border control can understand in seconds that this is a waste of their time and beyond the control of the individual. | * Can be set to the travel policy // rules. Make this look like the overbearing IT / security team to make it clear to border officials that the team member is not in control of their account. Especially useful if the "restrictions" are very clearly laid out so the border control can understand in seconds that this is a waste of their time and beyond the control of the individual. | |||||||||||||||||||||
6 | General | Smart Lock for Chrome | Allow Smart Lock for Chrome | * Allows your chrome device to be unlocked through proximity to a specific smartphone. This is an undesirable feature. We want multi-factor authentication for login to our travel devices. This removes a factor. If you are going to do this you will need a significant amount of user training. | * Allows your chrome device to be unlocked through proximity to a specific smartphone. This is an undesirable feature. We want multi-factor authentication for login to our travel devices. This removes a factor. | |||||||||||||||||||||
7 | General | Smart Lock for Chrome | Do not allow Smart Lock for Chrome | |||||||||||||||||||||||
8 | Enrollment Controls | Device Enrollment | Keep Chrome device in current location | |||||||||||||||||||||||
9 | Enrollment Controls | Device Enrollment | Place Chrome device in team member organization | * A user's organizational unit determines which services and features are available to that user. By putting all our temporary travel accounts into a specific team member organization designated for travel we can set our travel team member permissions in that organizational unit once, instead of every time we create a new user. This also applies to solo team members who want to increase the ease of device setup and refreshing. * This will make it far easier for self-managed groups to grow without providing everyone with an administrator account. By using this option the members can simply add their own devices and the administrators only have to worry about the apps to use, etc. | ||||||||||||||||||||||
10 | Enrollment Controls | Asset Identifier During Enrollment | Do not allow for team members in this organization | * Only on non-solo use cases. If you are an individual you don't need to track who has what hardware. | ||||||||||||||||||||||
11 | Enrollment Controls | Asset Identifier During Enrollment | Team members in this organization can provide asset ID and location during enrollment | * Only on non-solo use cases. If you are an individual you don't need to track who has what hardware. | * If you are an individual you don't need to track who has what hardware. | |||||||||||||||||||||
12 | Enrollment Controls | Enrollment Permissions | Allow users in this organization to enroll new or deprovisioned devices | * This allows team members who are traveling to purchase and add new devices on the fly. If a team member needs a replacement phone or chromebook they can purchase it in country and enroll it without intervention by an organizational admin. * Allowing team members to register devices will make it harder for admins to control which devices are authorized on the network. | * This allows anyone with a team member's credentials to register a new device as that user. An adversary who forces a team member to provide their credentials could then register a different device, provide the team member the original device, and keep this new device on, and registered, to surveil the team member's actions. | * It should be noted that a team member who purchases a chromebook independently will often have to also purchase the "management license" for that chromebook separately. If you are going to support team member enrollment make sure you have clear, easy to follow guidance that will guide your team members through the steps required to prepare the device for enrollment. * Self managed groups: This might make it easier for self-managed groups to increase the number of chromebooks being used without providing everyone with an administrator account. By using this option the members can simply add their own devices and the administrators only have to worry about the apps to use, etc. | ||||||||||||||||||||
13 | Enrollment Controls | Enrollment Permissions | Do not allow team members in this organization to enroll new or deprovisioned devices | * This option provides a greater level of control over the devices that will be added to your domain. But, it also requires a greater amount of administrator availability to ensure that device enrollment does not impede the team's ability to add, and fully reset devices during travel. | * This option requires a greater amount of administrator availability to ensure that device enrollment does not impede the team's ability to add, and fully reset devices during travel. | |||||||||||||||||||||
14 | Apps and Extensions | Allowed Types of Apps and Extensions | Extension | |||||||||||||||||||||||
15 | Apps and Extensions | Allowed Types of Apps and Extensions | Theme | |||||||||||||||||||||||
16 | Apps and Extensions | Allowed Types of Apps and Extensions | Google Apps Script | |||||||||||||||||||||||
17 | Apps and Extensions | Allowed Types of Apps and Extensions | Hosted App | |||||||||||||||||||||||
18 | Apps and Extensions | Allowed Types of Apps and Extensions | Legacy Packaged App | |||||||||||||||||||||||
19 | Apps and Extensions | Allowed Types of Apps and Extensions | Chrome Packaged App | |||||||||||||||||||||||
20 | Apps and Extensions | App and Extension Install Sources | List of URL Patterns | * A whitelist of apps can be valuable for preventing team members from installing malicious apps and extensions that are masquerading as a team member's desired application. [We are already combatting this slightly by seeding the web-store with links to commonly used apps and extensions.] As stated elsewhere, whitelisting requires a greater amount of administrator availability to ensure that the wait for new additions to the whitelist does not impede the team's ability to accomplish their work. * If you have an international team you must take into consideration that there are a multitude of app sources/stores and many of them have apps and extensions that are widely used, but are not included in Google Play. | * A whitelist of app sources can be valuable for preventing team members from installing malicious apps and extensions, or apps that are masquerading as a team member's desired application. There are a variety of app stores/sources that are far less managed than Google Play and are more likely to have malicious apps found in them. | * If you have an international team you must take into consideration that there are a multitude of app sources/stores and many of them have apps and extensions that are widely used, but are not included in Google Play. | ||||||||||||||||||||
21 | Apps and Extensions | Force-installed Apps and Extensions | Manage force-installed apps | * If you want to be able to provide remote support using remote desktop with your travelers you will want to add Chrome Remote Desktop [1][2] to the apps available on the chromebook. This can be done in the recommended apps or through force install. [1] https://support.google.com/chrome/answer/1649523 [2] https://chrome.google.com/webstore/detail/chrome-remote-desktop/gbchcmhmhahfdphkhkmpfmihenigjmpp * Force installing apps is a way to ensure that team members have access to a consistent baseline set of applications that they have been trained to use. These "baseline apps" should be the same apps that team members are trained on and should be the ones that support the security policies and practices that are put in place. | * If you have a team that travels internationally, be mindful of "cyber laws" around the import and/or use of specific types of encryption and/or circumvention technologies. A team member **cannot** uninstall forced apps. You may want to move some of these force-installed apps to the "recommended apps" section of the web store if your team members are commonly traveling to a country where the technology those apps use is illegal. | * The auto-installation of these apps will also decrease the number of steps an administrator needs to worry about during the device setup process. | ||||||||||||||||||||
22 | Apps and Extensions | Allow or Block All Apps and Extensions | Allow all apps and extensions except the ones I block | * Blacklist Problems | ||||||||||||||||||||||
23 | Apps and Extensions | Allow or Block All Apps and Extensions | Block all apps and extensions except the ones I allow | * One strategy is to start with "allow all except blocked" and use an initial period of active use by your team members to develop a list of apps and extensions that are used / desired by your team members. Once you have a list of all of these apps you can add them to a custom web-store homepage and implement "block all except whitelisted" restrictions. This way team members will have access to a trusted source immediately upon enabling a travel device and administrators will only have to be available to approve the use of new apps and extensions within your team member community. | ||||||||||||||||||||||
24 | Apps and Extensions | Pinned Apps and Extensions | Manage pinned apps | * Pinning baseline security apps will make them more visible and encourage use. | * See the "Appropriate Organizational Identifiers" mitigation regarding organizationally identifying private apps (i.e. apps that link to organizational login portals, etc.). * Pinning apps makes them more easily used but also makes them more visible during a casual search by a border patrol. It is worth considering this trade-off when pinning apps that might raise an official's suspicions if the device is casually examined. | * Pinning apps that are common in team members' workflows will make it easier and quicker for a team member to adapt to the chromebook workflow. | ||||||||||||||||||||
25 | Apps and Extensions | Task Manager | Allow users to end processes with the Chrome task manager | * This option is used to restrict a team member's ability to kill processes. It is commonly used by schools where the student is in an adversarial relationship with the system administrator. In our use-case we do not consider non-security focused restrictions. There is currently only one security focused reason I can think of to restrict team member access to the task manager: if we were using an external Enterprise mobility management tool (remote-wipe/control application) and we did not want malicious actors with physical access to be able to shut down those apps using the task manager. This document uses G Suite's built-in EMM tools and permission management to deal with this. As such, we do not need to restrict task manager access. | * There is currently only one possible security related reason I can think of to restrict team member access to the task manager: if we were using an external Enterprise mobility management tool (remote-wipe/control application) and we did not want malicious actors with physical access to be able to shut down those apps using the task manager. This document uses G Suite's built-in EMM tools and permission management to deal with this. As such, we do not need to restrict task manager access. | |||||||||||||||||||||
26 | Apps and Extensions | Task Manager | Block team members from ending processes with the Chrome task manager | |||||||||||||||||||||||
27 | Chrome Web Store | Chrome Web Store Homepage | Use the default homepage | |||||||||||||||||||||||
28 | Chrome Web Store | Chrome Web Store Homepage | Use the 'For [YOUR_DOMAIN>TLD]' collection: | * See the "Appropriate Organizational Identifiers" mitigation regarding an organizationally identifying collection name. | ||||||||||||||||||||||
29 | Chrome Web Store | Chrome Web Store Homepage | Use a custom page, set below | * If you want to be able to provide remote support using remote desktop with your travelers you will want to add Chrome Remote Desktop [1][2] to the apps available on the chromebook. This can be done in the recommended apps or through force install. [1] https://support.google.com/chrome/answer/1649523 [2] https://chrome.google.com/webstore/detail/chrome-remote-desktop/gbchcmhmhahfdphkhkmpfmihenigjmpp * Use the url and title of the custom Chrome Web Store to help ensure team members know that this is the official recommendation of the administrators and/or security team. - By providing recommendations you can combat the tendency for splits in tool usage that are often caused by ad-hoc adoption of security tools by staff. This is important for a sustainable security program because the more varied the application usage within your team, the more complex your admin/security team's risk assessments will have to be. * You will, of course, have to make sure you inform the team members about the web store or they won't know to look for it, and will likely not know to trust it when they do see it. * The initial setup and ongoing maintenance of the Chrome Web Store Recommendations will take effort, but it will help centralize secure app recommendations in one place. | * See the "Appropriate Organizational Identifiers" mitigation regarding an organizationally identifying collection name. | * The Chrome Web Store Recommendations can be a valuable tool. In distributed and/or largely independent teams it provides a simple portal for app recommendations for commonly requested mitigations. As a team member perceives their threat landscape changing around them they may decide to incorporate additional technical mitigations (such as VPNs, password managers, encrypted communications tools, etc.). The security team and/or administrators can seed the recommendations section with the apps that have been previously used and evaluated. | ||||||||||||||||||||
30 | Chrome Web Store | Chrome Web Store Homepage | Include all private apps and extensions from my domain. | * If this option is selected AND team members are given permission to publish private apps [See "Chrome Web Store Permissions"] this can increase our attack surface. | * Because we are restricting team members to a "travel" sub-organization we can segment any "internal" private apps used in daily business from the apps that are available during travel. This allows administrators to manage what apps are available simply by adding and/or removing them from the organization. This would allow them to avoid the extra step of adding those apps in this menu. When team members are given permission to publish private apps this can increase our attack surface. [See "Chrome Web Store Permissions"] | |||||||||||||||||||||
31 | Chrome Web Store | Chrome Web Store Homepage | I will choose which private apps and extensions to include. | * This more restrictive option forces an additional administrative step when distributing web-apps to your travel devices. But, it does not increase the attack surface. If you do not have a team that is actively creating and sharing private web apps this is the easier and more secure option to choose. * A private app could be as simple as a web app that links to the travel policy. This would be another way of ensuring that a team member who is forced to unlock and hand over their device can easily show "proof of inaccess." | * Private apps can be used to create organization specific web applications for a variety of purposes. You could, for instance, use it to add a pinned web app that links to the travel policy. This would be another way of ensuring that a team member who is forced to unlock and hand over their device can easily show "proof of inaccess." | |||||||||||||||||||||
32 | Chrome Web Store | Chrome Web Store Homepage | What should the collection name be? | * Proper branding for your section will help guide team members to look at these apps. * The Admin will need to also make sure that team members are well informed about the existence of this recommended apps section. They will likely not find it on their own because they will not be looking for it. | * See the "Appropriate Organizational Identifiers" mitigation regarding an organizationally identifying collection name. | |||||||||||||||||||||
33 | Chrome Web Store | Recommended Apps and Extensions | Manage | |||||||||||||||||||||||
34 | Chrome Web Store | Chrome Web Store Permissions | Allow users to publish private apps that are restricted to your domain on Chrome Web Store. | * If you allow team members to publish private apps then a malicious actor who gets hold of one of the devices can privately publish a malicious app and deliver it to your other team members. By leveraging a compromised account to publish a private app to others within the Google Apps domain a malicious team member can increase the team members' trust in the app they are receiving. If the **team member account** of an admin is compromised and used in this way it can gain even more weight because it can be masqueraded as a directive from the admin/security team. The adversary can even hide their private app from administrators and other team members through Google's built-in app targeting system. They can publish an app targeting a specific country or even specific device models. | ||||||||||||||||||||||
35 | Chrome Web Store | Chrome Web Store Permissions | Allow users to skip verification for websites not owned | * This turns off the app verification feature that warns team members when they are installing potentially harmful apps. This just amplifies the likelihood of a team member installing one of these apps if an adversary gains access to a team member account and begins spear phishing other team members to install the private apps. | ||||||||||||||||||||||
36 | Android applications | Android applications on Chrome devices | Do not allow | |||||||||||||||||||||||
37 | Android applications | Android applications on Chrome devices | Allow | * This allows you to pick appropriate security tools for your team members from a much larger, more secure, more functional, and often more usable array of possible security tools. * If you are restricting access to the Google app store the same considerations found under apps and extensions apply here. While the documentation in this menu is not very clear about this fact, Android apps on chromebooks use a whitelist only model by default. (https://support.google.com/chrome/a/answer/7131624) * Adding android applications opens up a range of possibilities for making the chromebook more useful, usable, and more secure for your team members. It can also considerably increase the attack surface you have to contend with. As such, it will take security awareness building and hands on guidance to get the benefits from adding this. | * Adding android applications opens up a range of possibilities for making the chromebook more useful, usable, and more secure for your team members. It can also considerably increase the attack surface you have to contend with. When I considered this I decided that increasing the utility of the device was more likely to build adoption and adherence to the security procedures. | |||||||||||||||||||||
38 | Android applications | Access to Android applications | Do not allow | * By allowing search initially you can implement a process where you collect the apps that are commonly used by your team members to build out a whitelist. Then, once you have a solid understanding of the full suite of apps that team members want, you can remove the ability to search and use a similar forced install & allowed installation candidate model as the one described in apps and extensions. [1] https://support.google.com/chrome/a/answer/7131624 | ||||||||||||||||||||||
39 | Android applications | Access to Android applications | Allow | * With greater access to the world of Android applications in the Google Play store you are likely to see tool divergence when you have distributed and/or largely independent teams. You want to make sure you have solid adoption of your core security tool set when opening up the app store for travel devices. * Being able to search for alternatives in the app store will give the team member more flexibility when they are unable to reach the admin/security team to have them identify and install an alternative solution. * By allowing search initially you can implement a process where you collect the apps that are commonly used by your team members to build out a whitelist. Then, once you have a solid understanding of the full suite of apps that team members want, you can remove the ability to search and use a similar forced install & allowed installation candidate model as the one described in apps and extensions. [1] https://support.google.com/chrome/a/answer/7131624 * You want to make sure that your team members understand what security requirements they have and what the correct tools are for those use cases when opening up the app store for travel devices. When a team member decides to seek out a new app from the full app store because the supported app stopped working (censorship, etc.) or because someone told them of a new app with "military grade encryption", you want to make sure they are making smart choices. | * When communication apps are censored, being able to search for alternative working secure communication apps in the app store will give the team member more flexibility when they are unable to reach the admin/security team to have them identify and install an alternative solution. * Adding android applications opens up a range of possibilities for making the chromebook more useful & usable for your team members and more secure. It can also considerably increase the attack surface you have to contend with. * When endpoints (websites, servers, services) are blocked, being able to search for working circumvention tools in the app store will give the team member more flexibility when they are unable to reach the admin/security team to have them identify and install an alternative solution. | * This may be useful for gaining initial adoption when you do not have the capacity to do an assessment of the app needs of all of your team members. | ||||||||||||||||||||
40 | Android applications | Account Management | Google account | * By default, team members can add a secondary account (for example, their personal gmail account) to get access to more Android apps than just the ones you explicitly approved for managed Google Play. This would circumvent any Google app whitelisting that was put in place on the device. | * By default, team members can add a secondary account (for example, their personal gmail account) to get access to more Android apps than just the ones you explicitly approved for managed Google Play. This would circumvent any Google app whitelisting that was put in place on the device. | |||||||||||||||||||||
41 | Android applications | Unknown Sources | Allow install from unknown sources | * If team members are traveling to countries that have requested that the security applications your team needs to use be removed from the app store then this will allow them to install those apps when in-country. - http://www.androidpolice.com/2014/08/20/brazilian-court-orders-google-to-remove-secret-app-from-the-play-store-and-remotely-wipe-it-from-phones/ * Since Google Apps does not yet provide the ability to add your own signing key or another way of approving specific unknown sources, the administrator does not have the ability to remotely protect against an adversary installing malicious/monitoring apps when this feature is enabled. Enabling this feature forces the team member to take more responsibility for the security of their devices. - They will need to be more careful about protecting access to their device. - They will have to be mindful about the possible security concerns with applications they install. To support this an administrator should make sure that they have an application submission pipeline built where team members can submit links to applications they want to install for review by the administration/security team. | * If team members are traveling to countries that have requested that the security applications your team needs to use be removed from the app store then this will allow them to install those apps when in-country. - http://www.androidpolice.com/2014/08/20/brazilian-court-orders-google-to-remove-secret-app-from-the-play-store-and-remotely-wipe-it-from-phones/ * This can considerably increase the attack surface you have to contend with. There are currently fewer controls in place for android applications than there are for apps and extensions. * Adding the ability to install untrusted apps does significantly increase the possible attack surface. Since Google Apps does not yet provide the ability to add your own signing key or another way of approving specific unknown sources, the administrator does not have the ability to remotely protect against an adversary installing malicious/monitoring apps when this feature is enabled. | * If you have an international team you must take into consideration that there are a multitude of app sources/stores and many of them have apps and extensions that are widely used in one region or another but are not included in Google Play. Only allowing Google Play Store apps can decrease adoption of this travel solution. If the localized apps that your international team members need are not included in the Play Store they will likely still bring along their own devices. (See the many places I discuss the problems with team members having to bring additional devices along.) | ||||||||||||||||||||
42 | Android applications | Unknown Sources | Do not allow install from unknown sources | * If you have an international team you must take into consideration that there are a multitude of app sources/stores and many of them have apps and extensions that are widely used in one region or another but are not included in Google Play. Only allowing Google Play Store apps can decrease adoption of this travel solution. If the localized apps that your international team members need are not included in the Play Store they will likely still bring along their own devices. (See the many places I discuss the problems with team members having to bring additional devices along.) | ||||||||||||||||||||||
43 | Android applications | Certificate Synchronization | Disable usage of Chrome OS CA Certificates in Android apps | |||||||||||||||||||||||
44 | Android applications | Certificate Synchronization | Enable usage of Chrome OS CA Certificates in Android apps | |||||||||||||||||||||||
45 | Security | Password Manager | Always allow use of password manager | * In environments where team members are allowed to use the password manager it is important to have built their security awareness properly so that they understand the security implications of saving passwords for different types of accounts. | * Since the third option allows a team member to configure this setting, I see no reason to prevent some team members from enabling greater security by turning password manager usage off. If you are thinking about this option just use the "team member configuration" option instead. | |||||||||||||||||||||
46 | Security | Password Manager | Never allow use of password manager | * Choosing "never allow use" is an absolutist technical control that is appropriate for some high threat environments, but unnecessary and inconvenient in many others. It raises the question, "How does your team weigh the psycho-social value of being able to save a Netflix password against their willingness to follow your instructions?" | ||||||||||||||||||||||
47 | Security | Password Manager | Allow user to configure | * In environments where team members are allowed to use the password manager it is important to have built their security awareness properly so that they understand the security implications of saving passwords for different types of accounts. | * In environments where team members are allowed to use the password manager it is important to have built their security awareness properly so that they understand the security implications of saving passwords for different types of accounts. | |||||||||||||||||||||
48 | Security | Lock Screen | Do not allow locking screen | * This confusingly worded option provides greater security (and inconvenience) when the lock screen is disabled. When the lock screen is not allowed the team member will be logged out entirely in situations where the lock screen would normally have been activated. This is ideal for environments where wiping the current activity off the device should be quick, automatic, and frequent. | * This confusingly worded option provides greater security (and inconvenience) when the lock screen is disabled. When the lock screen is not allowed the team member will be logged out entirely in situations where the lock screen would normally have been activated. This is ideal for environments where wiping the current activity off the device should be quick, automatic, and frequent. (Confiscation of the travel device) * Having all the applications and windows one had open wiped every time they have to walk away from their computer can become frustrating very quickly. As such, this option should be saved for specific higher risk environments. | |||||||||||||||||||||
49 | Security | Lock Screen | Allow locking screen | |||||||||||||||||||||||
50 | Security | Idle Settings | Idle time in minutes (leave empty for system default) | * When searching for common complaints about chromebooks, the short time until the system idles is a very common complaint. Adding a base idle time will ensure your team members have a consistent experience across devices (idle time varies by device). But, making this too short will be counterproductive. Building security awareness to the level that you are confident that team members are locking the screen when they walk away from their computer will be a more valuable intervention and less likely to push a team member to find ways to circumvent the security (e.g. using personal devices). | * When searching for common complaints about chromebooks, the short time until the system idles is a very common complaint. Adding a base idle time will ensure your team members have a consistent experience across devices (idle time varies by device). But, making this too short will be counterproductive. Building security awareness to the level that you are confident that team members are locking the screen when they walk away from their computer will be a more valuable intervention and less likely to push a team member to find ways to circumvent the security (e.g. using personal devices). | |||||||||||||||||||||
51 | Security | Idle Settings | Sleep | * You should not use the sleep action on idle unless it also locks the screen. It gives the appearance of a countermeasure without providing a countermeasure. With an appropriately long idle time and good logout security practices being used by your team members there is no reason to have devices sleep on idle without locking. | ||||||||||||||||||||||
52 | Security | Idle Settings | Logout | * This is ideal for environments where wiping the current activity off the device should be quick, automatic, and frequent. (Confiscation of the travel device) | ||||||||||||||||||||||
53 | Security | Idle Settings | Sleep | * You should not use the sleep action on idle unless it also locks the screen. It gives the appearance of a countermeasure without providing a countermeasure. With an appropriately long idle time and good logout security practices being used by your team members there is no reason to have devices sleep on idle without locking. | ||||||||||||||||||||||
54 | Security | Idle Settings | Logout | * This is ideal for environments where wiping the current activity off the device should be quick, automatic, and frequent. (Confiscation of the travel device) | ||||||||||||||||||||||
55 | Security | Idle Settings | Allow user to configure | |||||||||||||||||||||||
56 | Security | Idle Settings | Lock Screen | |||||||||||||||||||||||
57 | Security | Idle Settings | Don't Lock Screen | |||||||||||||||||||||||
58 | Security | Incognito Mode | Allow incognito mode | * Teaching travelers how not to create histories with sensitive links and information, using incognito mode, means that they don't have to go about trying to erase them later. | * Incognito mode is a useful tool for ensuring that sensitive research and other online activity is not exposed on devices that otherwise save the browser history. It has clear benefits. I see no security reasons to disable incognito mode. | * Incognito mode is a useful tool for ensuring that sensitive research and other online activity is not exposed on devices that otherwise save the browser history. It has clear benefits. I see no security reasons to disable incognito mode. | ||||||||||||||||||||
59 | Security | Incognito Mode | Disallow incognito mode | * Incognito mode is a useful tool for ensuring that sensitive research and other online activity is not exposed on devices that otherwise save the browser history. It has clear benefits. I see no security reasons to disable incognito mode. | ||||||||||||||||||||||
60 | Security | Browser History | Always save browser history | * Confiscation of the travel device | ||||||||||||||||||||||
61 | Security | Browser History | Never save browser history | * This might be useful for environments where your search history may be inspected but the entire device does not necessarily need to be wiped upon every logout. But, an empty search history can raise suspicion. | * This might be useful for environments where your search history may be inspected but the entire device does not necessarily need to be wiped upon every logout. But, an empty search history can raise suspicion. (Confiscation of the travel device) | |||||||||||||||||||||
62 | Security | Clear Browser History | Do not allow clearing history in settings menu | * Confiscation of the travel device | ||||||||||||||||||||||
63 | Security | Clear Browser History | Allow clearing history in settings menu | * The laws around the destruction of evidence differ by country. A rough assessment of the legal risks associated with team members clearing their history, using incognito mode, and/or ephemeral mode should be done in the early phases of exploring how to deal with data retention/destruction during travel. | ||||||||||||||||||||||
64 | Security | Force Ephemeral Mode | Do not erase local team member data | |||||||||||||||||||||||
65 | Security | Force Ephemeral Mode | Erase all local team member data | |||||||||||||||||||||||
66 | Security | Online Revocation Checks | Perform online OCSP/CRL checks | * Online OCSP/CRL checks should not be enabled. It is bad in just about every sort of way. To quote the chromium policy list "In light of the fact that soft-fail, online revocation checks provide no effective security benefit..." Soft-fail means that when the OCSP/CRL check cannot be completed (the responder is unreachable, blocked, or times out) the certificate is accepted anyway, so a revoked certificate will still be used. * https://bugs.chromium.org/p/chromium/issues/detail?id=361820 | ||||||||||||||||||||||
67 | Security | Online Revocation Checks | Do not perform online OCSP/CRL checks | |||||||||||||||||||||||
68 | Security | Safe Browsing | Always enable Safe Browsing | * "Safe Browsing also protects you from abusive extensions and malicious software. At start up of Chrome, Safe Browsing scans extensions installed in your browser against the Safe Browsing list. If an extension on the list is found, Chrome will temporarily disable the extension, offer you relevant information and provide an option for you to remove the extension or re-enable it." - https://www.google.com/intl/en/chrome/browser/privacy/whitepaper.html#malware * Safe browsing helps protect team members from websites that may contain malware and/or pharmed content. When a team member attempts to connect to a url, safe browsing checks web pages against local copies of Google's "Safe Browsing lists." If the hash of a url the team member is attempting to visit matches one of the hashes of the items in the Safe Browsing lists it will warn the user. [1] The privacy preserving implementation of safe browsing makes enabling it the obvious choice. [1] https://github.com/scheib/chromium/blob/9ae6b4f4a8679c8598316544dccf378b86f99845/chrome/browser/safe_browsing/client_side_model_loader.cc | ||||||||||||||||||||||
69 | Security | Safe Browsing | Always disable Safe Browsing | |||||||||||||||||||||||
70 | Security | Safe Browsing | Allow user to decide whether to use Safe Browsing | * Providing privacy-conscious team members with information about the actual implementation of this feature should ease any of their privacy worries about it. If it does not, a team member may be convinced once you explain the personal effort they would have to exert to gain the same level of security without Safe Browsing enabled. | ||||||||||||||||||||||
71 | Security | Malicious Sites | Allow user to proceed anyway to malicious sites | * This should not be enabled until you have tested how often malicious site warnings appear for your team member base during a testing period. This is because there are reports of critical travel sites, like hotel portals, being flagged as malicious. [1] [1] https://twitter.com/brettmorrison/status/891804686579359745 | * If your team members are doing investigative research it might also make sense to allow them to proceed to malicious sites. But, even then they should likely not be using their primary device to do it. If they wish to use Chromebooks for these use cases instead of their primary browser then a more locked down setup can be created, either on easily wipeable Chromebooks or by setting up disposable VMs that they can remote into from their travel Chromebook. | |||||||||||||||||||||
72 | Security | Malicious Sites | Prevent team member from proceeding anyway to malicious sites | * If your team members are doing investigative research it might also make sense to allow them to proceed to malicious sites. But, even then they should likely not be using their primary device to do it. If they wish to use Chromebooks for these use cases instead of their primary browser then a more locked down setup can be created, either on easily wipeable Chromebooks or by setting up disposable VMs that they can remote into from their travel Chromebook. | ||||||||||||||||||||||
73 | Security | Geolocation | Allow sites to detect team members' geolocation | * Things that are seemingly inconsequential to a user, like devices providing websites with geolocation, can have significant security implications because of the information they leak, particularly in environments where your traveler faces high-powered adversaries that actively and successfully request team member information from online intermediaries. | ||||||||||||||||||||||
74 | Security | Geolocation | Do not allow sites to detect team members' geolocation | * Things that are seemingly inconsequential to a user, like devices providing websites with geolocation, can have significant security implications because of the information they leak, particularly in environments where your traveler faces high-powered adversaries that actively and successfully request team member information from online intermediaries. * Geolocation is included in many websites because it is incredibly convenient. Disabling it entirely will likely encourage team members to circumvent this inconvenience by using other geolocation-enabled devices for apps and sites that benefit from geolocation (e.g. direction and map apps). | * Geolocation is included in many websites because it is incredibly convenient. Disabling it entirely will likely encourage team members to circumvent this inconvenience by using other geolocation-enabled devices for apps and sites that benefit from geolocation (e.g. direction and map apps). | |||||||||||||||||||||
75 | Security | Geolocation | Always ask the team member if a site wants to detect their geolocation | * Things that are seemingly inconsequential to a user, like devices providing websites with geolocation, can have significant security implications because of the information they leak, particularly in environments where your traveler faces high-powered adversaries that actively and successfully request team member information from online intermediaries. * This might be annoying to some travelers. But, the tradeoff is important. Proper security awareness training around why should be available for those who find it difficult. Having your team members trust that you will be receptive to their difficulties, enough to reach out and tell you that this is difficult, is critical for seemingly small things, like geolocation, that can actually have significant security implications because of the information they leak. | ||||||||||||||||||||||
76 | Security | Geolocation | Allow user to configure | * Giving a team member a one click ability to enable geolocation saps them of the ability to make choices about which future apps and sites should have geolocation access. But, these types of one-click decisions are often the choice that is made by a frustrated, jet-lagged, and stressed team member that is attempting to get their applications working more easily. As such, I have chosen "always asking" over the team member configuration option. | * This is *unintentional* circumvention in many cases. Giving a team member a one click ability to enable geolocation saps them of the ability to make choices about which future apps and sites should have geolocation access. But, these types of one-click decisions are often the choice that is made by a frustrated, jet-lagged, and stressed team member that is attempting to get their applications working more easily. | |||||||||||||||||||||
77 | Security | Remote access clients | Remote Access Host Client Domain - Configure the required domain name for remote access clients. | * In short, this will only allow registered team members from your Google Apps domain to remotely access your travelers' Chromebooks. If you have a remote access client that you use you should add its domain here. NOTE: If this setting is disabled, or not set, the host allows connections from authorized team members from any domain. | * In short, this will only allow registered team members from your Google Apps domain to remotely access your travelers' Chromebooks. If you have a remote access client that you use you should add its domain here. NOTE: If this setting is disabled, or not set, the host allows connections from authorized team members from any domain. | |||||||||||||||||||||
78 | Security | Local Trust Anchors Certificates | Follow the publicly announced SHA-1 deprecation schedule | |||||||||||||||||||||||
79 | Security | Local Trust Anchors Certificates | Allow SHA-1 for local trust anchors | * Sometimes you just have to follow best practice - https://security.googleblog.com/2016/11/sha-1-certificates-in-chrome.html | ||||||||||||||||||||||
80 | Security | Local Trust Anchors Certificates | Block | * Sometimes you just have to follow best practice | ||||||||||||||||||||||
81 | Security | Local Trust Anchors Certificates | Allow | * Setting this to allow makes it possible for the name constraints certificate extension to be bypassed. Just follow best practice and block it. You will have to follow proper cert provisioning within your organization for private services. But, is that really too much to ask? - https://blogs.technet.microsoft.com/pki/2014/03/05/constraints-what-they-are-and-how-theyre-used/ - https://www.sysadmins.lv/blog-en/x509-name-constraints-certificate-extension-all-you-should-know.aspx | ||||||||||||||||||||||
82 | Session Settings | Show Logout Button in Tray | Does not show logout button in tray | |||||||||||||||||||||||
83 | Session Settings | Show Logout Button in Tray | Show logout button in tray | * Make it easy for team members to follow the appropriate logout practices. | * Make it easy for team members to follow the appropriate logout practices. | |||||||||||||||||||||
84 | Network | Proxy Settings | Never use a proxy | * If you don't have a secure proxy set up then use this option and use forced apps to install a VPN. * They will have to know when, and how, to use a VPN. | * Proxies can be inconvenient in low connectivity areas. | |||||||||||||||||||||
85 | Network | Proxy Settings | Always auto detect the proxy | * Are you kidding me. | ||||||||||||||||||||||
86 | Network | Proxy Settings | Always use the proxy specified below | * Proxies can be inconvenient in low connectivity areas. * Proxies can be maddening for team members in already low connectivity areas. They are likely to turn to other devices they have to get their work done if their Chromebook is too slow because of a proxy. There are other ways of protecting traffic than an always-on proxy. | ||||||||||||||||||||||
87 | Network | Proxy Settings | Always use the proxy auto-config specified below | * If you are using a PAC file make sure that you are using a secure connection to your proxy. https://www.chromium.org/developers/design-documents/secure-web-proxy | * Proxies can be inconvenient in low connectivity areas. If there are concerns about passive surveillance then the use of a proxy that is only configured to proxy non-TLS (HTTP) connections can provide a greater level of security against surveillance without impacting connections that already have TLS. * Proxies can be maddening for team members in already low connectivity areas. They are likely to turn to other devices they have to get their work done if their Chromebook is too slow because of a proxy. There are other ways of protecting traffic than an always-on proxy. | |||||||||||||||||||||
88 | Network | SSL Record Splitting | Enable SSL record splitting | |||||||||||||||||||||||
89 | Network | SSL Record Splitting | Disable SSL record splitting | |||||||||||||||||||||||
90 | Network | Data Compression Proxy | Allow user to decide whether to use data compression proxy | |||||||||||||||||||||||
91 | Network | Data Compression Proxy | Always enable data compression proxy | |||||||||||||||||||||||
92 | Network | Data Compression Proxy | Always disable data compression proxy | |||||||||||||||||||||||
93 | Network | WebRTC UDP Ports | Minimum port (1024-65535) | * Could be useful if WebRTC is being blocked in a specific country/set of countries and you know that they are blocking based upon the ports it uses. But, unless you have a large staff base there it will likely make sense to simply do device-specific configuration for the team members going there. | * Could be useful if WebRTC is being blocked in a specific country/set of countries and you know that they are blocking based upon the ports it uses. But, unless you have a large staff base there it will likely make sense to simply do device-specific configuration for the team members going there. * One consideration here is that by setting this value to a very small set of unique ports it will act as a fingerprint for your user base. This is only going to be relevant if you are highly targeted, are in a region with widespread and advanced passive surveillance, and are attempting to have some team members obfuscate their association with the project. (i.e. if you are providing these to a diverse, otherwise disconnected, group of targeted actors within a country this could be used to uniquely identify associated Chromebooks through passive monitoring.) In most countries this is a HIGHLY unlikely scenario. But, we are starting to see a trend towards highly advanced passive surveillance systems and, in my opinion, need to start thinking about the likelihood of network-level fingerprinting in an increasing number of threat environments. | |||||||||||||||||||||
94 | Network | WebRTC UDP Ports | Maximum port (1024-65535) | * Could be useful if WebRTC is being blocked in a specific country/set of countries and you know that they are blocking based upon the ports it uses. But, unless you have a large staff base there it will likely make sense to simply do device-specific configuration for the team members going there. | * Could be useful if WebRTC is being blocked in a specific country/set of countries and you know that they are blocking based upon the ports it uses. But, unless you have a large staff base there it will likely make sense to simply do device-specific configuration for the team members going there. * One consideration here is that by setting this value to a very small set of unique ports it will act as a fingerprint for your user base. This is only going to be relevant if you are highly targeted, are in a region with widespread and advanced passive surveillance, and are attempting to have some team members obfuscate their association with the project. (i.e. if you are providing these to a diverse, otherwise disconnected, group of targeted actors within a country this could be used to uniquely identify associated Chromebooks through passive monitoring.) In most countries this is a HIGHLY unlikely scenario. But, we are starting to see a trend towards highly advanced passive surveillance systems and, in my opinion, need to start thinking about the likelihood of network-level fingerprinting in an increasing number of threat environments. | |||||||||||||||||||||
95 | Network | QUIC Protocol | Enabled | * QUIC has the same security properties as HTTP/S. It also has the added perk of getting around basic HTTP/S protocol blocking. A device with QUIC enabled, connecting to a service that supports QUIC, will fall back to QUIC when HTTP/S is blocked. It is not a "real" circumvention protocol, but it does make connections just a small bit more resilient to HTTP/S blocking - https://twitter.com/seamustuohy/status/805474243509186561 * QUIC has the same security properties as HTTP/S. It also reduces latency. It's useful when networking conditions are bad. | ||||||||||||||||||||||
96 | Network | QUIC Protocol | Disabled | * QUIC has the same security properties as HTTP/S. It also reduces latency. It's useful when networking conditions are bad. | ||||||||||||||||||||||
97 | Startup | Home Button | Always show 'Home' button | * This, when combined with a default homepage showing the "device usage rules" and proper team member training, can be another mechanism for a team member to provide "proof of inaccess". Once they have been forced to log in or give their password they can simply tell the border guard to click the homepage button to see IT's policy, proving that they don't have access. | * This, when combined with a default homepage showing the "device usage rules" and proper team member training, can be another mechanism for a team member to provide "proof of inaccess". Once they have been forced to log in or give their password they can simply tell the border guard to click the homepage button to see IT's policy, proving that they don't have access. | |||||||||||||||||||||
98 | Startup | Home Button | Never show 'Home' button | |||||||||||||||||||||||
99 | Startup | Home Button | Allow user to configure | |||||||||||||||||||||||
100 | Startup | Homepage | Allow user to configure | |||||||||||||||||||||||
101 | Startup | Homepage | Homepage is always the new tab page | * This can't be set for the "always show home button" option in [Startup > Home Button] to work. | * The new tab page exposes commonly used websites. This is an information exposure vector that some travelers may not want. "If you sync your browsing history and have enabled its use in your Web & App activity, Google may suggest sites that relate to sites you have visited in the past." - https://www.google.com/intl/en/chrome/browser/privacy/whitepaper.html#NTP * This can't be set for the "always show home button" option in [Startup > Home Button] to work. | * The new tab page exposes commonly used websites. This is an information exposure vector that some travelers may not want. "If you sync your browsing history and have enabled its use in your Web & App activity, Google may suggest sites that relate to sites you have visited in the past." - https://www.google.com/intl/en/chrome/browser/privacy/whitepaper.html#NTP | ||||||||||||||||||||
102 | Startup | Homepage | Homepage is always the Homepage URL, set below | * This has to be set for the "always show home button" option in [Startup > Home Button] to work. | * This has to be set for the "always show home button" option in [Startup > Home Button] to work. | |||||||||||||||||||||
103 | Startup | Pages to Load on Startup | Pages to Load on Startup | * For even more forceful proof of inaccess the IT policies could be put in a page to load on startup. This would mean that a border guard who was just provided the login credentials would still immediately encounter the IT Policies. | * For even more forceful proof of inaccess the IT policies could be put in a page to load on startup. This would mean that a border guard who was just provided the login credentials would still immediately encounter the IT Policies. | |||||||||||||||||||||
104 | Content | Safe Search and Restricted Mode | Do not enforce Safe Search for Google Web Search queries | |||||||||||||||||||||||
105 | Content | Safe Search and Restricted Mode | Always use Safe Search for Google Web Search queries | * All "Safe Search" does is filter explicit or pornographic images. Not relevant to our security model. And, if it gets in the way of researcher and/or personal device usage when traveling the team member is going to find a way to circumvent it. | ||||||||||||||||||||||
106 | Content | Safe Search and Restricted Mode | Do not enforce Restricted Mode on YouTube | |||||||||||||||||||||||
107 | Content | Safe Search and Restricted Mode | Enforce at least Moderate Restricted Mode on YouTube | * Same as Safe Search, but for youtube videos. Not relevant and possibly leads to circumvention. | ||||||||||||||||||||||
108 | Content | Safe Search and Restricted Mode | Enforce Strict Restricted Mode for YouTube | * Same as Safe Search, but for youtube videos. Not relevant and possibly leads to circumvention. | ||||||||||||||||||||||
109 | Content | Screenshot | Enable screenshot | |||||||||||||||||||||||
110 | Content | Screenshot | Disable screenshot | * I see no reason to disable screenshots. Especially if team members are conducting research, etc. where they may need screenshots of websites or temporary communications they have on the Chromebook. | ||||||||||||||||||||||
111 | Content | Client Certificates | Automatically Select Client Certificate for These Sites - If a site matching a pattern below requests a client certificate, Chrome will automatically select one for it. | * This option only makes the process easier. You still need to implement client side certificate checking on your services, and certificate management in your device provisioning process. * You will have to put a side-channel process in place for installing the certificate on the team member's device if you are using in-country device swapping. * Using client certs for primary accounts will mean that a team member legitimately cannot access those primary accounts with their travel device. | * Using client certs for primary accounts will mean that a team member legitimately cannot access those primary accounts with their travel device. * Client certs will only allow a device with a valid certificate installed on it to connect to a service. I'm not going to go in depth about it here. But, it means that if a travel team member's username and password are compromised for any account the attacker will also need to have access to a device with that team member's certs installed. * Using client certs for primary accounts will mean that a team member legitimately cannot access those primary accounts with their travel device. Of course, this requires clear and absolutist language to be included in the border-guard facing documentation to make this clear. | |||||||||||||||||||||
112 | Content | 3D Content | Always allow display of 3D content | |||||||||||||||||||||||
113 | Content | 3D Content | Never allow display of 3D content | |||||||||||||||||||||||
114 | Content | Cookies | Allow sites to set cookies | * Actors who have targeted ISP-level passive surveillance can use cookies that are sent in the clear to identify a team member across different networks. (I'm enumerating threats that I think about here! Not saying that it is a threat that your team members need to worry about. :D ) | * I would consider this the default. You don't want the internet to seem broken on these devices. Team members will quickly abandon them if it feels that way. | |||||||||||||||||||||
115 | Content | Cookies | Never allow sites to set cookies | * Actors who have targeted ISP-level passive surveillance can use cookies that are sent in the clear to identify a team member across different networks. (I'm enumerating threats that I think about here! Not saying that it is a threat that your team members need to worry about. :D ) | * You don't want the internet to seem broken on these devices. Team members will quickly abandon them if it feels that way. | |||||||||||||||||||||
116 | Content | Cookies | Allow user to configure | * For team members with greater security awareness and/or aptitude who are going to multiple different threat environments this can be a useful option. | * For team members with greater security awareness and/or aptitude who are going to multiple different threat environments this can be a useful option. | |||||||||||||||||||||
117 | Content | Cookies | Keep cookies for the duration of the session | * Useful for mid-range threat environments where the team member does not want full ephemeral usage, but does not want to have their recent online behavior tracked between sessions. | * Actors who have targeted ISP-level passive surveillance can use cookies that are sent in the clear to identify a team member across different networks. (I'm enumerating threats that I think about here! Not saying that it is a threat that your team members need to worry about. :D ) | |||||||||||||||||||||
118 | Content | Cookies | Allow Cookies for URL Patterns | * If you have a lot of team members, white/blacklisting in this way is going to be a LOT of work to cover all the convenience sites that your team members want. The workload can lead to overly restrictive policies because of an exhausted administrative staff. | * If you have a lot of team members, white/blacklisting in this way is going to be a LOT of work to cover all the convenience sites that your team members want. The workload can lead to overly restrictive policies because of an exhausted administrative staff. | |||||||||||||||||||||
119 | Content | Cookies | Block Cookies for URL Patterns | * This is a way to enforce that the Chromebook browser does not save persistent cookies for sites with sensitive data when using travel devices, without having to remove cookies for all team members server side. You can allow cookies globally so that the team member can save cookies and logins for convenience sites, but have the session cookies for pre-determined sensitive sites blocked (i.e. the secure data repository, organization data logins, etc.) | ||||||||||||||||||||||
120 | Content | Cookies | Allow Session-Only Cookies for URL Patterns | * Whitelisting problems: You might create a VERY broad URL pattern for this to allow session cookies for large swaths of the internet when persistent cookies are otherwise blocked. Of course, like with the other cookie whitelists, if you have a lot of team members, white/blacklisting in this way is going to be a LOT of work to cover all the convenience sites that your team members want. The workload can lead to overly restrictive policies because of an exhausted administrative staff. | * You might create a VERY broad URL pattern for this to allow session cookies for large swaths of the internet when persistent cookies are otherwise blocked. Of course, like with the other cookie whitelists, if you have a lot of team members, white/blacklisting in this way is going to be a LOT of work to cover all the convenience sites that your team members want. The workload can lead to overly restrictive policies because of an exhausted administrative staff. | |||||||||||||||||||||
121 | Content | Third-Party Cookie Blocking | Allow third-party cookies | * This is another fingerprinting threat, and therefore not very relevant for most contexts. | * This is another fingerprinting threat, and therefore not relevant for this context. | |||||||||||||||||||||
122 | Content | Third-Party Cookie Blocking | Disallow third-party cookies | * This is another fingerprinting threat, and therefore not very relevant for most contexts. | ||||||||||||||||||||||
123 | Content | Third-Party Cookie Blocking | Allow user to decide whether to allow third-party cookies | * This is another fingerprinting threat, and therefore not relevant for this context. | ||||||||||||||||||||||
124 | Content | Images | Show images | |||||||||||||||||||||||
125 | Content | Images | Do not show images | * This is not relevant for security purposes and would cause any normal team member to be furious. | ||||||||||||||||||||||
126 | Content | Images | Allow user to configure | * You will want to inform team members of the benefits of this option in low connectivity regions, where the team member might want to configure it themselves to save on bandwidth when using the internet. If you don't, they are not going to find it themselves. | * There is the one case for low connectivity regions where the team member might want to configure it themselves to save on bandwidth when using the internet. | |||||||||||||||||||||
127 | Content | Images | Show Images on These Sites | * Whitelisting problems | ||||||||||||||||||||||
128 | Content | Images | Block Images on These Sites | * See blacklisting problems under the blacklisting mitigation. | ||||||||||||||||||||||
129 | Content | JavaScript | Allow sites to run JavaScript | * They will have to be trained how to use the JS blocking extension. | * Yeah, but that does not mean we should break the internet! Instead we should force install an ad-blocker and allow the team member to make these decisions on a more granular basis. | |||||||||||||||||||||
130 | Content | JavaScript | Do not allow sites to run JavaScript | * Yeah, but that does not mean we should break the internet! Instead we should force install an ad-blocker and allow the team member to make these decisions on a more granular basis. | ||||||||||||||||||||||
131 | Content | JavaScript | Allow user to configure | |||||||||||||||||||||||
132 | Content | JavaScript | Allow These Sites to Run JavaScript | * Whitelisting problems | ||||||||||||||||||||||
133 | Content | JavaScript | Block JavaScript on These Sites | * See blacklisting problems under the blacklisting mitigation. | ||||||||||||||||||||||
134 | Content | Notifications | Allow sites to show desktop notifications | * This is a complex one for me. It does fall under the basic guidelines for not destroying your team's workflow using security. But, I think desktop notifications are ripe for future phishing attacks (see below). As such, if after surveying my team member base I discover that notifications are not being used I would choose the option "Do not allow notifications." But, if there are team members who do already use notifications I would just do some user-awareness training around the possible threats of notifications and allow them to show/block notifications as they see fit. I choose this over (allowing a team member to configure) because of how convincing I believe these attacks will be. I see desktop notifications as a likely future avenue for phishing and watering-hole attacks. I have not seen examples of this being abused. But, their feature set combined with their platform-native look makes them especially likely to be used in this way. These alerts don't require the website to be open, can play sounds or cause the team member's device to vibrate, stay shown until a team member interacts with them, and run JavaScript or take a team member to a URL when they click on events. This makes them a convincing interface for faking legitimate platform security/anti-virus/etc. alerts. https://developers.google.com/web/fundamentals/engage-and-retain/push-notifications/notification-behaviour | ||||||||||||||||||||||
135 | Content | Notifications | Do not allow sites to show desktop notifications | * It does fall under the basic guidelines for not destroying your team's workflow using security. | ||||||||||||||||||||||
136 | Content | Notifications | Always ask the team member if a site can show desktop notifications | * Because of the "exhausted Traveler 'just work!' problem" I think that initial acceptance of the initial phishing website to provide notifications will be hard to stop. After this the attacker can then send the notification based phishing attack at a later point. | ||||||||||||||||||||||
137 | Content | Notifications | Allow user to configure | |||||||||||||||||||||||
138 | Content | Notifications | Allow These Sites to Show Desktop Notifications | * Since I am, for once, willing to agree to the wholesale disabling of a feature it is only appropriate to note that once a needs assessment is done you can use a whitelist to add sites back in. If you survey your user base and they use notifications on a small number of specific websites this is an option that will allow you to support your team members' workflows without opening up this attack vector too widely. As with all the whitelist options this can get out of control and lead to team member frustration, so it should be done when there is low notification usage and/or a small team. | ||||||||||||||||||||||
139 | Content | Notifications | Block Desktop Notifications on These Sites | |||||||||||||||||||||||
140 | Content | Plug-ins | Run plug-ins automatically | * Flash is poison, Flash is dead in 2020! Make sure your team is not using flash based web apps before disabling. (Flash is the only "plugin" that is left in Chrome https://bugs.chromium.org/p/chromium/issues/detail?id=615738) | * Flash is poison, Flash is dead in 2020! Make sure your team is not using flash based web apps before disabling. (Flash is the only "plugin" that is left in Chrome https://bugs.chromium.org/p/chromium/issues/detail?id=615738) | |||||||||||||||||||||
141 | Content | Plug-ins | Block all plug-ins | * Flash is poison, Flash is dead in 2020! Make sure your team is not using flash based web apps before disabling. (Flash is the only "plugin" that is left in Chrome https://bugs.chromium.org/p/chromium/issues/detail?id=615738) | * Flash is poison, Flash is dead in 2020! Make sure your team is not using flash based web apps before disabling. (Flash is the only "plugin" that is left in Chrome https://bugs.chromium.org/p/chromium/issues/detail?id=615738) | |||||||||||||||||||||
142 | Content | Plug-ins | Allow user to configure | |||||||||||||||||||||||
143 | Content | Plug-ins | Allow Plug-ins on These Sites | * If there is a small group of folks that need Flash apps when they travel (I'm thinking of accountants and the hellish systems they are forced to use, or people who have to interact with government websites) I would use the "allow plug-ins on these sites" option to limit where Flash is allowed to run. Because it is soon to be deprecated it makes sense to maintain this whitelist even if it is a bit onerous for your administrator. * Whitelisting problems | * If there is a small group of folks that need Flash apps when they travel (I'm thinking of accountants and the hellish systems they are forced to use, or people who have to interact with government websites) I would use the "allow plug-ins on these sites" option to limit where Flash is allowed to run. Because it is soon to be deprecated it makes sense to maintain this whitelist even if it is a bit onerous for your administrator. | |||||||||||||||||||||
144 | Content | Plug-ins | Block Plug-ins on These Sites | * See blacklisting problems under the blacklisting mitigation. | ||||||||||||||||||||||
145 | Content | Enabled and Disabled Plug-ins | Enabled Plug-ins | |||||||||||||||||||||||
146 | Content | Enabled and Disabled Plug-ins | Disabled Plug-ins | |||||||||||||||||||||||
147 | Content | Enabled and Disabled Plug-ins | Exceptions to Disabled Plug-ins | |||||||||||||||||||||||
148 | Content | Plugin Finder | Enable automatic search and installation of missing plugins | |||||||||||||||||||||||
149 | Content | Plugin Finder | Disable automatic search and installation of missing plugins | * Chrome only allows one plugin, flash. So, if they need flash make sure it is installed. | ||||||||||||||||||||||
150 | Content | Plugin Authorization | Always run plugins that require authorization | * Flash is such a constantly vulnerable component of the web that I don't want to just allow it in any way. | ||||||||||||||||||||||
151 | Content | Plugin Authorization | Ask for user permission before running plugins that require authorization | * Follow the guidelines around giving team members a choice to be more secure. It can be inconvenient, but Flash is such a constantly vulnerable component of the web that I don't want to just allow it in any way. | * Follow the guidelines around giving team members a choice to be more secure. It can be inconvenient, but Flash is such a constantly vulnerable component of the web that I don't want to just allow it in any way. | * Follow the guidelines around giving team members a choice to be more secure. It can be inconvenient, but Flash is such a constantly vulnerable component of the web that I don't want to just allow it in any way. | ||||||||||||||||||||
152 | Content | Outdated Plugins | Allow outdated plugins to be used as normal plugins | * Again, Flash is the only plugin allowed, and it had better be up to date given the serious vulnerabilities in older versions. | ||||||||||||||||||||||
153 | Content | Outdated Plugins | Disallow outdated plugins | * Again, Flash is the only plugin allowed, and it had better be up to date given the serious vulnerabilities in older versions. | ||||||||||||||||||||||
154 | Content | Outdated Plugins | Ask user for permission to run outdated plugins | |||||||||||||||||||||||
155 | Content | Pop-ups | Allow all pop-ups | * Another place where blocking, even though these are commonly used maliciously, can be a huge inconvenience for the user. The few legitimate sites where popups are a required part of the workflow should still be supported (e.g. financial sites, government sites, and all the other places that lag behind best practice due to onerous compliance regulations). | ||||||||||||||||||||||
156 | Content | Pop-ups | Block all pop-ups | * Another place where blocking, even though these are commonly used maliciously, can be a huge inconvenience for the user. The few legitimate sites where popups are a required part of the workflow should still be supported (e.g. financial sites, government sites, and all the other places that lag behind best practice due to onerous compliance regulations). | * Another whitelist with all the whitelist problems. But, popups are SO prevalent that this is even worse than most. Another place where blocking, even though these are commonly used maliciously, can be a huge inconvenience for the user. The few legitimate sites where popups are a required part of the workflow should still be supported (e.g. financial sites, government sites, and all the other places that lag behind best practice due to onerous compliance regulations). | * Another place where blocking, even though these are commonly used maliciously, can be a huge inconvenience for the user. The few legitimate sites where popups are a required part of the workflow should still be supported (e.g. financial sites, government sites, and all the other places that lag behind best practice due to onerous compliance regulations). | ||||||||||||||||||||
157 | Content | Pop-ups | Allow user to configure | * Another place where blocking, even though these are commonly used maliciously, can be a huge inconvenience for the user. The few legitimate sites where popups are a required part of the workflow should still be supported (e.g. financial sites, government sites, and all the other places that lag behind best practice due to onerous compliance regulations). | ||||||||||||||||||||||
158 | Content | Pop-ups | Allow Pop-ups on These Sites | * Another whitelist with all the whitelist problems. But, popups are SO prevalent that this is even worse than most. * If you have a small team and the admin team is very responsive when things are not working, and they are happy to take a midnight page about how someone's [bank, taxes, student loan] site is not working, then you can do whitelisting. | ||||||||||||||||||||||
159 | Content | Pop-ups | Block Pop-ups on These Sites | * See blacklisting problems under the blacklisting mitigation. | ||||||||||||||||||||||
160 | Content | URL Blocking | URL Blacklist | * A blacklist, with blacklist problems. But, while this is not directly relevant to the travel use case, this is an easy enough field to fill up with 1000 common typosquats of your domains [1]. With some research and lots of testing using your network logs this could also be used to block common practices in phishing attacks. Honestly, the only reason I am allowing this blacklist is because I think it would be fun to implement. [1] https://github.com/elceef/dnstwist * See blacklisting problems under the blacklisting mitigation. | * A blacklist, with blacklist problems. But, while this is not directly relevant to the travel use case, this is an easy enough field to fill up with 1000 common typosquats of your domains [1]. With some research and lots of testing using your network logs this could also be used to block common practices in phishing attacks. Honestly, the only reason I am allowing this blacklist is because I think it would be fun to implement. [1] https://github.com/elceef/dnstwist | |||||||||||||||||||||
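As an added example (not from the spreadsheet and not dnstwist's own code), the script below generates the kinds of typosquat permutations the URL Blacklist row refers to and packages them as a URLBlacklist policy value capped at 1000 entries; the keyboard-adjacency and homoglyph tables are simplified, constructed assumptions.

```python
"""Generate typosquat permutations of a domain and emit them as a Chrome
URLBlacklist policy value. Added example; the permutation classes
(omission, repetition, transposition, adjacent-key replacement/insertion,
homoglyph swap, hyphenation) are a simplified, independent take on what
dnstwist-style tools produce, not dnstwist's implementation."""
import json
import re

# Constructed QWERTY adjacency map (assumption, letters only).
ADJACENT = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr",
    "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn",
    "k": "jiolm", "l": "kop", "m": "njk", "n": "bhjm", "o": "iklp",
    "p": "ol", "q": "wa", "r": "edft", "s": "awedxz", "t": "rfgy",
    "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu",
    "z": "asx",
}
# Constructed homoglyph table (assumption): visually similar ASCII swaps.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "l", "e": "3", "a": "4",
              "s": "5", "m": "rn", "w": "vv"}
LABEL_RE = re.compile(r"[a-z0-9-]+")


def split_domain(fqdn):
    """Split 'example.com' into ('example', 'com'). Single-label TLDs only."""
    label, _, tld = fqdn.lower().rpartition(".")
    if not label or not tld:
        raise ValueError(f"need a two-part domain, got {fqdn!r}")
    return label, tld


def permutations(fqdn):
    """Return sorted typosquat candidates of fqdn (never fqdn itself)."""
    label, tld = split_domain(fqdn)
    out = set()
    for i, ch in enumerate(label):
        out.add(label[:i] + label[i + 1:])              # omission
        out.add(label[:i] + ch + label[i:])             # repetition
        if i + 1 < len(label):                          # transposition
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        for k in ADJACENT.get(ch, ""):
            out.add(label[:i] + k + label[i + 1:])      # replacement
            out.add(label[:i] + k + label[i:])          # insertion
        if ch in HOMOGLYPHS:                            # homoglyph swap
            out.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])
    for i in range(1, len(label)):                      # hyphenation
        out.add(label[:i] + "-" + label[i:])
    out.discard(label)
    # Keep only syntactically valid DNS labels.
    valid = {l for l in out
             if LABEL_RE.fullmatch(l) and not l.startswith("-")
             and not l.endswith("-")}
    return sorted(f"{l}.{tld}" for l in valid)


def url_blacklist_policy(own_domains, limit=1000):
    """Build the URLBlacklist policy value for a set of legitimate domains.

    A bare hostname entry in Chrome's URL filter format matches that host
    and its subdomains, so hostnames are enough here. The policy accepts
    at most 1000 entries (the figure the row above uses), so the list is
    truncated and the overflow count is returned so the admin knows what
    was dropped. Legitimate domains are never emitted, even if one of
    them happens to be a permutation of another.
    """
    own = {d.lower() for d in own_domains}
    candidates = sorted({p for d in own for p in permutations(d)} - own)
    return {"URLBlacklist": candidates[:limit]}, max(0, len(candidates) - limit)


def policy_json(own_domains, limit=1000):
    """Serialize the policy as the JSON an admin would paste or push."""
    policy, dropped = url_blacklist_policy(own_domains, limit)
    return json.dumps(policy, indent=2), dropped


if __name__ == "__main__":
    text, dropped = policy_json(["example.org"])   # constructed sample input
    print(text)
    if dropped:
        print(f"# {dropped} candidates exceeded the 1000-entry limit")
```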
161 | Content | URL Blacklist Exception | URL Blacklist Exception | |||||||||||||||||||||||
162 | Content | Google Drive Syncing | Enable Google Drive syncing | * As with other team-member-controlled interventions this requires building the team member's security awareness to the point where they don't store sensitive documents within this folder. | * Drive Sync creates a special folder with offline access to documents and syncing back to the Google Drive of the user. Because we are creating travel accounts for these team members you could use this to give the team member a space for storing the non-sensitive travel documents that they need. The workflow I am thinking about is the administrator re-enabling the team member's travel account week(s) before their travel. They can then seed their Google Drive travel folder with the non-sensitive documents they want offline access to during their travel. On the day(s) before their travel, when they are given their Chromebook, it will automatically sync to their device. | * This, when used in the following travel document support use case, can make the travel device far more useful for the Traveler than it would be otherwise. Offline access to required documents is a very useful thing. Because we are creating travel accounts for these team members you could use this to give the team member a space for storing the non-sensitive travel documents that they need. The workflow I am thinking about is the administrator re-enabling the team member's travel account week(s) before their travel. They can then seed their Google Drive travel folder with the non-sensitive documents they want offline access to during their travel. On the day(s) before their travel, when they are given their Chromebook, it will automatically sync to their device. | ||||||||||||||||||||
163 | Content | Google Drive Syncing | Disable Google Drive syncing | * Drive Sync creates a special folder with offline access to documents and syncing back to the Google Drive of the user. Because we are creating travel accounts for these team members you could use this to give the team member a space for storing the non-sensitive travel documents that they need. The workflow I am thinking about is the administrator re-enabling the team member's travel account week(s) before their travel. They can then seed their Google Drive travel folder with the non-sensitive documents they want offline access to during their travel. On the day(s) before their travel, when they are given their Chromebook, it will automatically sync to their device. | ||||||||||||||||||||||
164 | Content | Google Drive Syncing | Allow user to decide whether to use Google Drive syncing | * As with other team-member-controlled interventions this requires building the team member's security awareness to the point where they don't store sensitive documents within this folder. | ||||||||||||||||||||||
165 | Content | Google Drive Syncing over Cellular | Enable Google Drive syncing over cellular connections | * If mobile data is available but broadband access is not, then enabling this (as long as the team member has cellular capabilities) can be valuable. | ||||||||||||||||||||||
166 | Content | Google Drive Syncing over Cellular | Disable Google Drive syncing over cellular connections | |||||||||||||||||||||||
167 | Content | Cast | Allow users to Cast | |||||||||||||||||||||||
168 | Content | Cast | Do not allow team members to Cast | |||||||||||||||||||||||
169 | Printing | Printing | Enable printing | |||||||||||||||||||||||
170 | Printing | Printing | Disable printing | * Don't destroy a team member's ability to use the device to get the work done! | ||||||||||||||||||||||
171 | Printing | Print Preview | Allow using print preview | |||||||||||||||||||||||
172 | Printing | Print Preview | Always use the system print dialog instead of print preview | |||||||||||||||||||||||
173 | Printing | Google Cloud Print Submission | Allow submission of documents to Google Cloud Print | * I was surprised to have something to consider in this section. Google Cloud Print offers a way to send a single hard copy of a document to a remote location. Is there a use case for this as opposed to sending the digital file to a secure remote location that you don't have access to? This should be considered an equivalent level of security & privacy as other Google services. | ||||||||||||||||||||||
174 | Printing | Google Cloud Print Submission | Disallow submission of documents to Google Cloud Print | * I was surprised to have something to consider in this section. Google Cloud Print offers a way to send a single hard copy of a document to a remote location. Is there a use case for this as opposed to sending the digital file to a secure remote location that you don't have access to? This should be considered an equivalent level of security & privacy as other Google services. | ||||||||||||||||||||||
175 | Printing | Google Cloud Print Proxy | Allow using Chrome as a proxy for Google Cloud Print | * This is only relevant for Mac, Windows, and Linux. On Chrome OS, Google Cloud Print should just work. | ||||||||||||||||||||||
176 | Printing | Google Cloud Print Proxy | Disallow using Chrome as a proxy for Google Cloud Print | |||||||||||||||||||||||
177 | Printing | Print Preview Default | Use default print behavior | |||||||||||||||||||||||
178 | Printing | Print Preview Default | Define the default printer | |||||||||||||||||||||||
179 | Printing | Print Preview Default | Cloud & Local printers | |||||||||||||||||||||||
180 | Printing | Print Preview Default | Cloud only | |||||||||||||||||||||||
181 | Printing | Print Preview Default | Local only | |||||||||||||||||||||||
182 | Printing | Print Preview Default | Match by Name | |||||||||||||||||||||||
183 | Printing | Print Preview Default | Match by ID | |||||||||||||||||||||||
184 | Printing | Print Preview Default | ||||||||||||||||||||||||
185 | Printing | Native Chrome OS Printing | Manage | |||||||||||||||||||||||
186 | User Experience | Managed Bookmarks | Managed Bookmarks Folder Name | * For proof of inaccess it could be valuable to name this something official. | * For proof of inaccess it could be valuable to name this something official. | |||||||||||||||||||||
187 | User Experience | Managed Bookmarks | Managed Bookmarks | * These will be on every device, so if you are trying to obfuscate the team members' affiliation with those sites you will want to create an obfuscated account. * It also is a way to ensure that team members have easy access to the websites that will likely be the targets of phishing/pharming attacks. By teaching team members to go to their auto-installed bookmark instead of clicking on any email link you can stop many credential phishing attacks. * Managed bookmarks are another way for a Traveler to provide "proof of inaccess" without having every interface on their device covered in warnings. They can simply tell the border guard to look at the travel device policy in their bookmarks. | * These will be on every device, so if you are trying to obfuscate the team members' affiliation with those sites you will want to create an obfuscated account. * It also is a way to ensure that team members have easy access to the websites that will likely be the targets of phishing/pharming attacks. By teaching team members to go to their auto-installed bookmark instead of clicking on any email link you can stop many credential phishing attacks. * Managed bookmarks are another way for a Traveler to provide "proof of inaccess" without having every interface on their device covered in warnings. They can simply tell the border guard to look at the travel device policy in their bookmarks. | |||||||||||||||||||||
188 | User Experience | Bookmark Bar | Enable bookmark bar | * Chromebooks already have small screens. I would let the team member configure their bookmark bar as they wish. Consider other options for the visibility of proof of inaccess than this one. | * Chromebooks already have small screens. I would let the team member configure their bookmark bar as they wish. Consider other options for the visibility of proof of inaccess than this one. | |||||||||||||||||||||
189 | User Experience | Bookmark Bar | Disable bookmark bar | * There is no security reason to disable this | ||||||||||||||||||||||
190 | User Experience | Bookmark Bar | Allow user to decide whether to enable bookmark bar | * Chromebooks already have small screens. I would let the team member configure their bookmark bar as they wish. Consider other options for the visibility of proof of inaccess than this one. | * Chromebooks already have small screens. I would let the team member configure their bookmark bar as they wish. Consider other options for the visibility of proof of inaccess than this one. | |||||||||||||||||||||
191 | User Experience | Bookmark Editing | Enable bookmark editing | * Don't get in the way of the team member's workflow. Just make sure that they have the proper info-sec awareness to understand what they might be revealing if their device gets confiscated with custom bookmarks. | * Don't get in the way of the team member's workflow. Just make sure that they have the proper info-sec awareness to understand what they might be revealing if their device gets confiscated with custom bookmarks. | |||||||||||||||||||||
192 | User Experience | Bookmark Editing | Disable bookmark editing | * Don't get in the way of the team member's workflow. Just make sure that they have the proper info-sec awareness to understand what they might be revealing if their device gets confiscated with custom bookmarks. | ||||||||||||||||||||||
193 | User Experience | Download Location | Set Google Drive as default, but allow team member to change | * By defaulting to the local downloads folder we will avoid unintentional/unknowing persistence of data within the travel account's Google Drive. This is especially true in the case of more ephemeral-focused setups. | * By defaulting to the local downloads folder we will avoid unintentional/unknowing persistence of data within the travel account's Google Drive. This is especially true in the case of more ephemeral-focused setups. | |||||||||||||||||||||
194 | User Experience | Download Location | Local Downloads folder, but allow team member to change | * By defaulting to the local downloads folder we will avoid unintentional/unknowing persistence of data within the travel account's Google Drive. This is especially true in the case of more ephemeral-focused setups. | * By defaulting to the local downloads folder we will avoid unintentional/unknowing persistence of data within the travel account's Google Drive. This is especially true in the case of more ephemeral-focused setups. | |||||||||||||||||||||
195 | User Experience | Download Location | Force Google Drive | * In some instances a team member will want to have offline data, especially in cases where online access will be intermittent. * In some instances a team member will want to have offline data, especially in cases where data is throttled/slow. * We don't want forced online storage. It will likely lead to unintentional/unknowing persistence of data within the travel account's Google Drive. This is especially true in the case of more ephemeral-focused setups. | * We don't want forced online storage. If a team member needs to keep their profile free of downloads for their own increased security, forcing this will get in their way. | |||||||||||||||||||||
196 | User Experience | Spell Check Service | Enable the spell checking web service | * Chrome does come with a client-side spell checker. This option will enable the web-based spell checker that sends all a team member's typing to Google's servers. Note, that if the team member is using google docs it is already using this feature, just natively within google docs. | ||||||||||||||||||||||
197 | User Experience | Spell Check Service | Disable the spell checking web service | |||||||||||||||||||||||
198 | User Experience | Spell Check Service | Allow user to decide whether to use the spell checking web service | * Like many other information leaks in Chrome this is very threat-model specific. But, as with those, it is important to allow team members with greater security needs to add those controls without destroying the workflow of others. | * Like many other information leaks in Chrome this is very threat-model specific. But, as with those, it is important to allow team members with greater security needs to add those controls without destroying the workflow of others. | |||||||||||||||||||||
199 | User Experience | Google Translate | Always offer translation | * See all the previous comments about giving team members the power to increase their security without breaking their workflow. | ||||||||||||||||||||||
200 | User Experience | Google Translate | Never offer translation | * Don't break all the useful things on the internet. | ||||||||||||||||||||||
201 | User Experience | Google Translate | Allow user to configure | |||||||||||||||||||||||
202 | User Experience | Alternate Error Pages | Always use alternate error pages | |||||||||||||||||||||||
203 | User Experience | Alternate Error Pages | Never use alternate error pages | |||||||||||||||||||||||
204 | User Experience | Alternate Error Pages | Allow user to configure | |||||||||||||||||||||||
205 | User Experience | Developer Tools | Always allow use of built-in developer tools | |||||||||||||||||||||||
206 | User Experience | Developer Tools | Never allow use of built-in developer tools | * Don't disempower team members for no reason. | ||||||||||||||||||||||
207 | User Experience | Form Auto-fill | Never auto-fill forms | * Browser autofill phishing/pharming was just trending on the info-sec news circuit. * See all the previous comments about giving team members the power to increase their security without breaking their workflow. | ||||||||||||||||||||||
208 | User Experience | Form Auto-fill | Allow user to configure | * See all the previous comments about giving team members the power to increase their security without breaking their workflow. | * See all the previous comments about giving team members the power to increase their security without breaking their workflow. | |||||||||||||||||||||
209 | User Experience | DNS Pre-fetching | Always pre-fetch DNS | * If the team member is using a VPN into a network that I control and am logging DNS requests on, it will increase the noise on the network significantly. Even if they don't click on the URL, I may spend my time tracking down DNS requests for possibly malicious sites. | * I have security concerns with pre-fetching that make me lean towards disallowing it, or even not allowing team members to configure it. I don't want my team members' devices requesting the location of sites that they have not actually requested. In places with passive monitoring, where sites they have accessed might be used against my team members, I want to make sure they are not being connected to sites through their DNS queries that they may never have actually requested content from. The evidence that is collected in these types of incidents will be minimal. With HTTPS, the cost of storing wide-scale passive traffic captures, etc., it will be hard to disprove a case built just on DNS. | |||||||||||||||||||||
210 | User Experience | DNS Pre-fetching | Never pre-fetch DNS | * I have security concerns with pre-fetching that make me lean towards disallowing it, or even not allowing team members to configure it. I don't want my team members' devices requesting the location of sites that they have not actually requested. In places with passive monitoring, where sites they have accessed might be used against my team members, I want to make sure they are not being connected to sites through their DNS queries that they may never have actually requested content from. The evidence that is collected in these types of incidents will be minimal. With HTTPS, the cost of storing wide-scale passive traffic captures, etc., it will be hard to disprove a case built just on DNS. | * I don't think that not pre-fetching will impact the team member in any meaningful way. And, I feel like this is the kind of option that will be clicked on by a team member who is trying to get the internet running quicker without understanding how it impacts their risk model. | |||||||||||||||||||||
211 | User Experience | DNS Pre-fetching | Allow user to configure | * I don't think that not pre-fetching will impact the team member significantly. And, I feel like this is the kind of option that will be clicked on by a team member who is trying to get the internet running quicker without understanding how it impacts their risk model. | ||||||||||||||||||||||
212 | User Experience | Multiple Sign-in Access | Managed team member must be the primary team member (secondary team members are allowed) | * Secondary accounts have access to policy-defined networks. This means you have accounts that are not entirely controlled with access to any internal networks that are defined. That's not cool. * See "block multiple". With the managed team member as primary, the per-profile user policies and some admin console policies will also apply to the secondary user. BUT, if there is a policy-defined network then the secondary account will have access to the network with any apps installed on their account. As such, you should NOT allow multiple sign-in in these cases. * Multiple accounts logged in on a device also raises questions about the legitimacy of proof of inaccess provided by a user. | * With the managed team member as primary, the per-profile user policies and some admin console policies will also apply to the secondary user. BUT, if there is a policy-defined network then the secondary account will have access to the network with any apps installed on their account. As such, you should NOT allow multiple sign-in in these cases. * I also have concerns about having team members signed in to their personal account and forgetting that their primary account is logged in. As such, my instinct would be to have it disabled to force the device to be a single-team-member device. This will require supporting some level of personal account access, forwarding, and/or support on the travel devices. You can't expect a team member to not have any access to their personal accounts when traveling. | |||||||||||||||||||||
213 | User Experience | Multiple Sign-in Access | Unrestricted team member access (allow any team member to be added to any other user's session) | * Secondary accounts have access to policy-defined networks. This means you have accounts that are not entirely controlled with access to any internal networks that are defined. That's not cool. * Without multiple sign-in access a team member can still log out of their account and log back in with a different user. This merely allows them to have multiple team members logged in "without having to sign out of their account and sign back in to another". This one really depends on the workflow of your team members. * Multiple accounts logged in on a device also raises questions about the legitimacy of proof of inaccess provided by a user. * I also have concerns about having team members signed in to their personal account and forgetting that their primary account is logged in. As such, my instinct would be to have it disabled to force the device to be a single-team-member device. This will require supporting some level of personal account access, forwarding, and/or support on the travel devices. You can't expect a team member to not have any access to their personal accounts when traveling. | * With the managed team member as primary, the per-profile user policies and some admin console policies will also apply to the secondary user. BUT, if there is a policy-defined network then the secondary account will have access to the network with any apps installed on their account. As such, you should NOT allow multiple sign-in in these cases. * I also have concerns about having team members signed in to their personal account and forgetting that their primary account is logged in. As such, my instinct would be to have it disabled to force the device to be a single-team-member device. This will require supporting some level of personal account access, forwarding, and/or support on the travel devices. You can't expect a team member to not have any access to their personal accounts when traveling. | |||||||||||||||||||||
214 | User Experience | Multiple Sign-in Access | Block multiple sign-in access for team members in this organization | * Without multiple sign-in access a team member can still log out of their account and log back in with a different user. This merely allows them to have multiple team members logged in "without having to sign out of their account and sign back in to another". This one really depends on the workflow of your team members. * Multiple accounts logged in on a device raises questions about the legitimacy of proof of inaccess provided by a user. | * Multiple accounts logged in on a device raises questions about the legitimacy of proof of inaccess provided by a user. | * Without multiple sign-in access a team member can still log out of their account and log back in with a different user. This merely allows them to have multiple team members logged in "without having to sign out of their account and sign back in to another". This one really depends on the workflow of your team members. * I also have concerns about having team members signed in to their personal account and forgetting that their primary account is logged in. As such, my instinct would be to have it disabled to force the device to be a single-team-member device. This will require supporting some level of personal account access, forwarding, and/or support on the travel devices. You can't expect a team member to not have any access to their personal accounts when traveling. | ||||||||||||||||||||
215 | User Experience | Unified Desktop | Do not make Unified Desktop mode available to user | |||||||||||||||||||||||
216 | User Experience | Unified Desktop | Make Unified Desktop mode available to user | |||||||||||||||||||||||
217 | Omnibox Search Provider | Search Suggest | Always allow team members to use Search Suggest | * See all the previous comments about giving team members the power to increase their security without breaking their workflow. | ||||||||||||||||||||||
218 | Omnibox Search Provider | Search Suggest | Never allow team member's to use Search Suggest | |||||||||||||||||||||||
219 | Omnibox Search Provider | Search Suggest | Allow user to configure | |||||||||||||||||||||||
220 | Omnibox Search Provider | Omnibox Search Provider | Allow user to select the Omnibox Search Provider | * The threat here is Omnibox (search) hijacking. This type of malware can redirect a team member to further malicious and/or phishing pages and surveil a team member's searches. By locking the omnibox search provider to a specific subset you can make this type of malware useless. - If you encounter one of these, check out this short guidance to get rid of them: https://productforums.google.com/forum/#!msg/websearch/6W1JbCZMjMU/qCm7oM8cIMQJ | ||||||||||||||||||||||
221 | Omnibox Search Provider | Omnibox Search Provider | Lock the Omnibox Search Provider settings to the values below | * By choosing a search provider that is not liked by your team members (for functionality or privacy reasons) you will have just crippled the omnibox, forcing them into an alternative workflow to use a search they like. Remember, the omnibox is a convenience feature. A team member can go to whatever search engine they would like, just not from the omnibox. | * By locking to a search provider that is less secure than others you can disrupt the threat model of your travelers if they accidentally type an address wrong and it gets interpreted as a search. * By choosing a search provider that is not liked by your team members (for functionality or privacy reasons) you will have just crippled the omnibox, forcing them into an alternative workflow to use a search they like. Remember, the omnibox is a convenience feature. A team member can go to whatever search engine they would like, just not from the omnibox. | |||||||||||||||||||||
222 | Hardware | External Storage devices | Allow external storage devices | * External storage devices can be used to store and, upon getting a new device, side-load the credentials required to reconnect to locked-down services (e.g. team member certificates). | * External storage devices add another attack surface for local attempts at compromise. | |||||||||||||||||||||
223 | Hardware | External Storage devices | Allow external storage devices (read only) | * This makes it impossible for the traveler to offload sensitive information onto external storage while they are in country. But, with access to, and proper use of, a secured archive they should be able to protect data in transit without the use of external devices. * External storage devices can still be used to store and, upon getting a new device, side-load the credentials required to reconnect to locked-down services (e.g. team member certificates). | * External storage devices add another attack surface for local attempts at compromise. * Don't break core functionality for security reasons. | |||||||||||||||||||||
224 | Hardware | External Storage devices | Disallow external storage devices | * Removes the attack surface that external storage devices add for local attempts at compromise (see 222). Note that external storage can then no longer be used to store and, upon getting a new device, side-load the credentials required to reconnect to locked-down services (e.g. team member certificates). | * USB drives and SD cards are a critical part of many people's travel security plans. They are used to separate sensitive information from the device. * Don't break core functionality for security reasons. | |||||||||||||||||||||
225 | Hardware | Audio Input | Prompt team member to allow each time | |||||||||||||||||||||||
226 | Hardware | Audio Input | Disable audio input | * I gotta give Google's Chrome team some serious props for this one. When disabled, this won't allow any websites or applications to use the internal microphone. While surveillance-focused folks like myself would really like a hardware-based switch for audio and video on our personal devices, this is a powerful tool for providing wide-scale assurance that none of your staff have installed apps that are secretly listening in. In the long term I would move towards this with high-risk teams. But you will have to get them all small headset/microphones and ensure that they remember to take them with them when they travel. This could be a huge impediment to their work if they can't use their "secured travel device" to conduct sensitive calls and/or video chats. AV is always the worst. So, for teams I would start with it enabled, and then once you have made sure you can build adoption of the practices (and bought everyone nice travel headsets) you can move to disabling it. | * By disabling internal microphones you have greater assurance that the apps your team members install are not listening in on them at all times. This helps lock down the device even if the team member installed a non-work-related app that attempts to listen to the environment. | |||||||||||||||||||||
227 | Hardware | Audio Output | Enable audio output | |||||||||||||||||||||||
228 | Hardware | Audio Output | Disable audio output | |||||||||||||||||||||||
229 | Hardware | Video Input | Enable video input | |||||||||||||||||||||||
230 | Hardware | Video Input | Disable video input | * This makes me happy from a privacy perspective (except that you have to disable Hangouts separately). But the inability to whitelist anything except Google Hangouts could lead to it getting in the way of staff conducting their work. If you are only using Google Hangouts for video communications within your org, and with the possible partners your team will have to communicate with while traveling, this could be a way to ensure that video-based surveillance by apps cannot occur. The same considerations mentioned about the use of ephemeral devices still apply. | * Make sure that your travelers do not need to use non-Google video apps to communicate with their partners, etc. when they are traveling. * This removes the traveler's ability to use a webcam to chat with their loved ones unless they are using Google Hangouts. Depending upon how you support this, it could get in the way of many travelers' personal needs. | |||||||||||||||||||||
231 | Hardware | Keyboard | Treat top-row keys as media keys, but allow team member to change | |||||||||||||||||||||||
232 | Hardware | Keyboard | Treat top-row keys as function keys, but allow team member to change | |||||||||||||||||||||||
233 | Verified Access | Verified Access | Disable for Enterprise Extensions | |||||||||||||||||||||||
234 | Verified Access | Verified Access | Enable for Enterprise Extensions | * If you have the resources to implement Verified Access on your enterprise systems (VPNs, file servers, etc.) this will only allow specific team members, on specific enrolled devices which are running in their normal (verified) state, to access those services. This is the type of security that I would like to run around the travelers' sensitive information archives and any other services that contain sensitive data. * If you are doing this, make sure that you don't over-secure to the point where a team member cannot contact you in an emergency, or cannot get set up on another device if needed; i.e. do greater contingency planning around stronger security like this if your team members will have time-sensitive tasks that require access to data and services in complex environments. | * With this, team members lose the ability to connect to these services from their other devices. If a team member has a workflow that requires that they access services from other devices you need to find a way to make it work or they will circumvent the security. | ||||||||||||||||||||
235 | User Verification | Verified Mode | Skip boot mode check for Verified Access | * Only applies if you are using Verified Access. | * If a team member can skip the verified boot check then a compromised (or developer-mode) device can still access enterprise extensions. This should not be used. | |||||||||||||||||||||
236 | User Verification | Verified Mode | Require verified mode boot for Verified Access | * Only applies if you are using Verified Access. | * See the in-depth design docs for verified boot, including its responses to different attack cases, here: https://www.chromium.org/chromium-os/chromiumos-design-docs/verified-boot | |||||||||||||||||||||
237 | User Verification | Verified Mode | Service accounts which are allowed to receive team member data | |||||||||||||||||||||||
238 | User Verification | Verified Mode | Service accounts which can verify team members but do not receive team member data | * If you are using third-party services that support Verified Access and offer this option, it allows you to minimize the amount of information they learn about which specific team member conducted activities using their service. This option means that they can only know that the team member is a managed user, not which team member it is. | ||||||||||||||||||||||
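The options in rows 217 through 230 (locking the omnibox provider, read-only external storage, disabling the microphone and camera) can be checked against a policy export rather than clicked through one device at a time. The Python below is an added example, not code from the original sheet or from Google: it audits a policy set against that travel baseline and flags the weak combinations the rows above warn about (a provider locked to a plain-HTTP URL, storage fully disabled on top of read-only, a camera policy that leaves no site able to use it). The policy names are the Chrome enterprise policies I take to back the Admin console options described (an assumed mapping), the `chromePolicies` export shape is assumed, and both sample policy sets are constructed.

```python
"""Audit a Chrome OS policy set against a high-risk travel baseline.

Added example. Policy names are the Chrome enterprise policies assumed to back
the Admin console options in rows 217-230; the sample policy sets below are
constructed, not real exports.
"""
from urllib.parse import urlparse

# Rows 221, 223, 226, 230: the values a locked-down travel profile should carry.
BASELINE = {
    "DefaultSearchProviderEnabled": True,   # 221: provider locked by policy
    "ExternalStorageReadOnly": True,        # 223: USB/SD mounted read-only
    "AudioCaptureAllowed": False,           # 226: internal microphone off
    "VideoCaptureAllowed": False,           # 230: camera off except allowlist
}


def policy_values(export):
    """Accept either a flat {name: value} dict or the chrome://policy JSON
    export shape {"chromePolicies": {name: {"value": ...}}} (assumed shape)."""
    table = export.get("chromePolicies", export)
    return {
        name: entry["value"] if isinstance(entry, dict) and "value" in entry else entry
        for name, entry in table.items()
    }


def audit(export):
    """Return a list of findings; an empty list means the baseline is met."""
    p = policy_values(export)
    findings = []

    for name, want in BASELINE.items():
        got = p.get(name)
        if got is None:
            findings.append(f"{name}: not set, so the user can change it")
        elif got != want:
            findings.append(f"{name}: is {got!r}, baseline wants {want!r}")

    # Row 221: a locked provider is only as good as the URL it is locked to.
    url = p.get("DefaultSearchProviderSearchURL", "")
    if p.get("DefaultSearchProviderEnabled") is True:
        if not url:
            findings.append("DefaultSearchProviderSearchURL: missing, nothing is pinned")
        else:
            scheme = urlparse(url).scheme
            if scheme != "https":
                findings.append(
                    f"DefaultSearchProviderSearchURL: {scheme or 'no'} scheme; "
                    "a mistyped address would be sent as a cleartext search"
                )
            if "{searchTerms}" not in url:
                findings.append("DefaultSearchProviderSearchURL: no {searchTerms} placeholder")

    # Row 223: fully disabling storage silently overrides the read-only intent.
    if p.get("ExternalStorageDisabled") is True and p.get("ExternalStorageReadOnly") is True:
        findings.append("ExternalStorageDisabled: true overrides ExternalStorageReadOnly; USB/SD cannot even be read")

    # Row 230: camera off with an empty allowlist means no video calls anywhere.
    if p.get("VideoCaptureAllowed") is False and not p.get("VideoCaptureAllowedUrls"):
        findings.append("VideoCaptureAllowedUrls: empty, so no site (Hangouts included) can use the camera")

    return findings


# Constructed samples: a profile that looks locked down but is not, and the fix.
WEAK = {
    "DefaultSearchProviderEnabled": True,
    "DefaultSearchProviderSearchURL": "http://search.example.net/?q={searchTerms}",
    "ExternalStorageDisabled": True,
    "ExternalStorageReadOnly": True,
    "AudioCaptureAllowed": True,
    # VideoCaptureAllowed left unset: the traveler decides
}

HARDENED = {"chromePolicies": {
    "DefaultSearchProviderEnabled": {"value": True},
    "DefaultSearchProviderSearchURL": {"value": "https://search.example.net/?q={searchTerms}"},
    "ExternalStorageReadOnly": {"value": True},
    "AudioCaptureAllowed": {"value": False},
    "VideoCaptureAllowed": {"value": False},
    "VideoCaptureAllowedUrls": {"value": ["https://hangouts.google.com"]},
}}

if __name__ == "__main__":
    for label, policies in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{label}: {audit(policies) or ['baseline met']}")
```

Run it against a JSON export from chrome://policy on an enrolled test device, or against the flat dict you intend to push; the `WEAK` sample produces four findings and the `HARDENED` sample none. The HTTPS check is the one that maps to the "less secure provider" caveat in row 221: with a locked provider, every mistyped address becomes a search request, so the provider's transport matters as much as its privacy policy.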
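Rows 234 through 238 describe the decisions a relying party makes behind Verified Access: accept only enrolled devices, only in verified boot mode, only against a challenge it issued, and learn no more about the user than the service account is entitled to. The Python below is an added simulation of that relying-party logic, not Google's Verified Access API and not code from the original sheet. In the real flow the enterprise extension obtains a response signed by a TPM-held key to a Google-issued challenge, and the service has Google verify it; here the Google round trip and the TPM key are replaced by an HMAC with a per-device secret so the checks run offline. Device IDs, secrets, claim names and the 60-second challenge lifetime are all assumptions.

```python
"""Relying-party checks behind a Verified Access style gate (rows 234-238).

Added simulation, not Google's Verified Access API. A per-device HMAC secret
stands in for the TPM-held attestation key and for Google's verification
round trip; device ids, secrets, claim names and the 60 s lifetime are assumed.
"""
import hashlib
import hmac
import json
import os
import time

CHALLENGE_TTL = 60  # seconds a challenge stays valid (assumed)


def sign_response(secret, claims):
    """Device side: bind device id, nonce, boot mode and optional user to the
    device key. HMAC stands in for the TPM-held attestation key."""
    body = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims, "mac": hmac.new(secret, body, hashlib.sha256).hexdigest()}


def device_respond(device_id, secret, nonce, verified_mode=True, user=None):
    """What the enterprise extension hands back for one challenge."""
    claims = {"device_id": device_id, "nonce": nonce, "verified_mode": verified_mode}
    if user is not None:
        claims["user"] = user
    return sign_response(secret, claims)


def deny(reason):
    return {"allowed": False, "reason": reason, "device_id": None, "user": None}


class RelyingParty:
    """The VPN, file server or archive that gates access on attestation."""

    def __init__(self, enrolled, require_verified_mode=True, receives_user_data=False):
        self.enrolled = dict(enrolled)                      # device id -> device secret
        self.require_verified_mode = require_verified_mode  # row 236 vs 235
        self.receives_user_data = receives_user_data        # row 237 vs 238
        self.pending = {}                                   # nonce -> issue time

    def issue_challenge(self, now=None):
        nonce = os.urandom(16).hex()
        self.pending[nonce] = time.time() if now is None else now
        return nonce

    def verify(self, response, now=None):
        now = time.time() if now is None else now
        claims, mac = response["claims"], response["mac"]
        nonce = claims.get("nonce")
        issued = self.pending.get(nonce)
        if issued is None:
            return deny("unknown or replayed challenge")
        if now - issued > CHALLENGE_TTL:
            del self.pending[nonce]
            return deny("challenge expired")
        secret = self.enrolled.get(claims.get("device_id"))
        if secret is None:
            return deny("device not enrolled")
        if not hmac.compare_digest(mac, sign_response(secret, claims)["mac"]):
            return deny("bad device signature")      # claims were altered after signing
        del self.pending[nonce]                     # consume: one response per challenge
        if self.require_verified_mode and not claims.get("verified_mode"):
            return deny("device not in verified boot mode")
        # Row 238: a service not entitled to user data only learns "managed user".
        user = claims.get("user") if self.receives_user_data else None
        return {"allowed": True, "reason": "ok", "device_id": claims["device_id"], "user": user}


if __name__ == "__main__":
    enrolled = {"CROS-0001": os.urandom(32)}   # constructed enrollment record
    rp = RelyingParty(enrolled)
    nonce = rp.issue_challenge()
    print(rp.verify(device_respond("CROS-0001", enrolled["CROS-0001"], nonce)))
    nonce = rp.issue_challenge()
    print(rp.verify(device_respond("CROS-0001", enrolled["CROS-0001"], nonce, verified_mode=False)))
```

The order of checks is the point: the challenge is looked up and the signature verified before the boot-mode claim is trusted, because `verified_mode` is only meaningful when it is bound to a key the relying party recognises. Setting `require_verified_mode=False` reproduces row 235, where a developer-mode device with a valid key is still let in, which is why that option should not be used; `receives_user_data=False` reproduces row 238, where the service sees that an enrolled, managed device passed but not which team member was behind it.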
1002 |
1 | | Aggregated Comments on Configuration Options | ||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2 | Category | Title | Option | Mitigations | Threats | Requirements | ||||||||||||||||||||
3 | Enrollment & Access | Forced Re-enrollment | Force device to re-enroll into this domain after wiping | * This allows you to enforce specific devices for specific types of domains. * If a team member needs to switch over to another sub-organization mid-trip while using the same device, this would prohibit that switch. An example would be switching from a low-threat to a high-threat environment mid-trip: the team member may want greater functionality early on, and then want to lock down their device before going into the next country. | * If a team member needs to switch over to a personal account mid-trip because conditions have changed and their association with your organization has become more dangerous, this would prohibit them from doing so. * This allows you to enforce specific devices for specific types of domains. If a team member tries to reset their device to use it with a regular account, this will not work. | |||||||||||||||||||||
4 | Enrollment & Access | Forced Re-enrollment | Device is not forced to re-enroll after wiping | * This allows a team member to switch over to another sub-organization mid-trip while using the same device. An example would be switching from a low-threat to a high-threat environment mid-trip: the team member may want greater functionality early on, and then want to lock down their device before going into the next country. | ||||||||||||||||||||||
5 | Enrollment & Access | Verified Access | Disable for Enterprise Extensions | |||||||||||||||||||||||
6 | Enrollment & Access | Verified Access | Enable for Enterprise Extensions | * If you have the resources to implement Verified Access on your enterprise systems (VPNs, file servers, etc.), this will only allow specific team members, on specific enrolled devices that are running in their normal state, to access those services. This is the type of security I would like to run around the travelers' sensitive information archives and any other services that contain sensitive data. * If you are doing this, make sure that you don't over-secure to the point where a team member cannot contact you in an emergency, i.e. do greater contingency planning around stronger security like this if your team members will have time-sensitive tasks that require access to data and services in complex environments. * If you are doing this, make sure that you don't over-secure to the point where a team member cannot get set up on another device if needed, i.e. do greater contingency planning around stronger security like this if your team members will have time-sensitive tasks that require access to data and services in complex environments. | * If you have the resources to implement Verified Access on your enterprise systems (VPNs, file servers, etc.), this will only allow specific team members, on specific enrolled devices that are running in their normal state, to access those services. This is the type of security I would like to run around the travelers' sensitive information archives and any other services that contain sensitive data. * With this, team members lose the ability to connect to these services from their other devices. If a team member has a workflow that requires that they access services from other devices, you need to find a way to make it work or they will circumvent the systems that are in place. | * With this, team members lose the ability to connect to these services from their other devices. If a team member has a workflow that requires that they access services from other devices, you need to find a way to make it work or they will circumvent the security. | ||||||||||||||||||||
7 | Enrollment & Access | Verified Access | Disable for Content Protection | |||||||||||||||||||||||
8 | Enrollment & Access | Verified Access | Enable for Content Protection | * Ahhh, built-in copyright protections. I don't care about you at all for this context. But, possibly in the future your team members will want to buy protected media from YouTube or others that use this. Who knows. | ||||||||||||||||||||||
9 | Enrollment & Access | Verified Mode | Skip boot mode check for Verified Access | * Only relevant if this is using Verified Access. | * If a team member can skip verified boot checks, then a compromised (or developer mode) device can access enterprise extensions. This should not be used. | |||||||||||||||||||||
10 | Enrollment & Access | Verified Mode | Require verified mode boot for Verified Access | * Only relevant if this is using Verified Access. | * See the in-depth design docs for verified boot mode, including its responses to different attack cases, here: https://www.chromium.org/chromium-os/chromiumos-design-docs/verified-boot | |||||||||||||||||||||
11 | Enrollment & Access | Verified Mode | Service accounts which are allowed to receive device ID | |||||||||||||||||||||||
12 | Enrollment & Access | Verified Mode | Service accounts which can verify devices but do not receive device ID | * If you are using third-party services that offer Verified Access mode and offer this option, it will allow you to minimize the amount of information they know about which specific team member conducted activities using their service. This option means that they can only know that the team member is a managed user, not which team member it is. | ||||||||||||||||||||||
13 | Enrollment & Access | Disabled device return instructions | Custom text to display | * The disabled-device notification exposes the domain that the device is on. If there are concerns about identifying the traveler's association, the primary domain used for travel accounts should be taken into consideration. * This can be used to show strict proof of inaccess when a team member is traveling. Only do this if the team member will not need their device when traveling. Also, this will require a pre-determined process for unlocking the team member's device once they have arrived at their destination. | * Lock-screen messages, whether using an external EMM tool or the G Suite configuration here, have different ramifications when thinking about theft vs. when thinking about remotely locking down a device when the admin/security team believes that a team member has been detained or their device confiscated. This can be used to show strict proof of inaccess. The disabled-device notification also exposes the domain that the device is on. If there are concerns about identifying the traveler's association, the primary domain used for travel accounts should be taken into consideration. * The disabled-device notification exposes the domain that the device is on. If there are concerns about identifying the traveler's association, the primary domain used for travel accounts should be taken into consideration. * This can be used to show strict proof of inaccess when a team member is traveling. Only do this if the team member will not need their device when traveling. Also, this will require a pre-determined process for unlocking the team member's device once they have arrived at their destination. | * This can be used to show strict proof of inaccess when a team member is traveling. Only do this if the team member will not need their device when traveling. Also, this will require a pre-determined process for unlocking the team member's device once they have arrived at their destination. | ||||||||||||||||||||
14 | Sign-in Settings | Guest Mode | Allow guest mode | * With a guest mode, team members will be presented with a device that does not contain any of the other security measures we have in place on team member accounts. With proper training on how to safely and anonymously use their devices and then remove the trail of data from that use, they can have the best of both worlds. * Useful for mid-range threat environments where the team member does not want full ephemeral usage, but does not want to have their recent online behavior tracked between sessions. | * Useful for mid-range threat environments where the team member does not want full ephemeral usage, but does not want to have their recent online behavior tracked between sessions. | * With a guest mode, team members will be presented with a device that does not contain any of the other security measures we have in place on team member accounts. With proper training on how to safely and anonymously use their devices and then remove the trail of data from that use, they can have the best of both worlds. | ||||||||||||||||||||
15 | Sign-in Settings | Guest Mode | Do not allow guest mode | * Not providing a way for the team member to browse in an ephemeral manner makes it harder for them to make strategic decisions about when to save history. If they need to make these decisions, it takes much greater knowledge about where that history is saved to clear it out without modes like this. | * Not providing a way for the team member to browse in an ephemeral manner makes it harder for them to make strategic decisions about when to save history. If they need to make these decisions, it takes much greater knowledge about where that history is saved to clear it out without modes like this. * With a guest mode, team members will be presented with a device that does not contain any of the other security measures we have in place on team member accounts. With proper training on how to safely and anonymously use their devices and then remove the trail of data from that use, they can have the best of both worlds. | * Not providing a way for the team member to browse in an ephemeral manner makes it harder for them to make strategic decisions about when to save history. If they need to make these decisions, it takes much greater knowledge about where that history is saved to clear it out without modes like this. | ||||||||||||||||||||
16 | Sign-in Settings | Sign-in Restriction | Restrict Sign-in to list of users: | * If a team member can only log in to a travel account on this device, it might help reinforce the level of lockdown that is done for travelers. Requires that a Google sub-organization uses a separate sub-domain. * If accounts other than the sub-org accounts can access the device, it might hurt other claims to proof of inaccess, even though it does not actually indicate that you can access sensitive accounts, just that you can access OTHER accounts on this device. | * If travel sub-organizations use a different domain, then this can be used to limit the ability for the team member to be forced to log in to their primary team member account at their organization when traveling. (Requires that only authorized devices can log in in your organization and that the traveler did not bring along any other authorized devices.) * If travel sub-organizations use a different domain, then this feature would not force them to log in using their organization's primary (tainted) domain in front of border officials. | * This will allow you to limit the ability for personal accounts to be used with these Chromebooks. As with all other restrictions on team member capabilities, this should be done after working with your team members to identify an appropriate solution for meeting their personal computing needs during travel. | ||||||||||||||||||||
17 | Sign-in Settings | Sign-in Restriction | Do not allow any users to Sign-in | * This would limit a significant amount of the controls we have put in place. So, no. Don't use this. | * If a team member cannot log in to their (sanitized) personal accounts when needed, it can lead to issues. | * This would limit a significant amount of the controls we have put in place. So, no. Don't use this. * If a team member cannot log in to their (sanitized) personal accounts when needed, it can lead to issues. | ||||||||||||||||||||
18 | Sign-in Settings | Sign-in Restriction | comma-delimited list of usernames | * If a team member can only log in to a travel account on this device, it might help reinforce the level of lockdown that is done for travelers. Requires that a Google sub-organization uses a separate sub-domain. * If accounts other than the sub-org accounts can access the device, it might hurt other claims to proof of inaccess, even though it does not actually indicate that you can access sensitive accounts, just that you can access OTHER accounts on this device. | * If travel sub-organizations use a different domain, then this can be used to limit the ability for the team member to be forced to log in to their primary team member account at their organization when traveling. (Requires that only authorized devices can log in in your organization and that the traveler did not bring along any other authorized devices.) * If travel sub-organizations use a different domain, then this feature would not force them to log in using their organization's primary (tainted) domain in front of border officials. * If accounts other than the sub-org accounts can access the device, team members might log in with their personal accounts. * If accounts other than the sub-org accounts can access the device, it might hurt other claims to proof of inaccess, even though it does not actually indicate that you can access sensitive accounts, just that you can access OTHER accounts on this device. | * You can use the *.YOURDOMAIN pattern to limit across the board. It is also important to take into consideration possible secondary Google Apps domains that your team members might need to access on their account, and keep separate from their current device. | ||||||||||||||||||||
19 | Sign-in Settings | Autocomplete Domain | Do not display an autocomplete domain on the sign in page | |||||||||||||||||||||||
20 | Sign-in Settings | Autocomplete Domain | Use the domain name, set below, for autocomplete at sign in | * If the domain used for travel accounts matches the domain of the organization, and the organizational affiliation can be an issue for the traveler, this will force identification upon casual inspection of the device. ("domain shown" + "not welcome" + "unknown" + "domains =") = forced identification upon casual inspection, which is bad. ("domain shown" + "not welcome" + "known" + "domains =") = no impact. * If the domain used for travel accounts does not match the domain of the organization, and the organizational affiliation can be an issue for the traveler, this will show an alternate affiliation upon casual inspection of the device. If the border official already knows the affiliation, or the traveler needs to show affiliation, this can cause issues. ("domain shown" + "not welcome" + "known" + "domains !=") = "they are 'hiding their identity', which proves they are up to no good" [bad]. ("domain shown" + "not welcome" + "unknown" + "domains !=") = does not expose team member affiliation upon casual inspection. | * If the domain used for travel accounts matches the domain of the organization, and the organizational affiliation can be an issue for the traveler, this will force identification upon casual inspection of the device. ("domain shown" + "not welcome" + "unknown" + "domains =") = forced identification upon casual inspection, which is bad. ("domain shown" + "not welcome" + "known" + "domains =") = no impact. * If the domain used for travel accounts does not have any website or online presence and is attempting to hide the affiliation of the team member (this is a whole other can of worms that I'm not getting into), then this can open up the same "hiding identity" risks. ("domain shown" + "not welcome" + "no online presence for domain" + "domains !=") = "they are 'hiding their identity', which proves they are up to no good" [bad]. * If the domain used for travel accounts does not match the domain of the organization, and the organizational affiliation can be an issue for the traveler, this will show an alternate affiliation upon casual inspection of the device. If the border official already knows the affiliation, or the traveler needs to show affiliation, this can cause issues. ("domain shown" + "not welcome" + "known" + "domains !=") = "they are 'hiding their identity', which proves they are up to no good" [bad]. ("domain shown" + "not welcome" + "unknown" + "domains !=") = does not expose team member affiliation upon casual inspection. | |||||||||||||||||||||
21 | Sign-in Settings | Sign-in Screen | Always show team member names and photos | * There is no reason to go advertising a person's name and identity on a publicly facing surface of their device. | ||||||||||||||||||||||
22 | Sign-in Settings | Sign-in Screen | Never show team member names and photos | |||||||||||||||||||||||
23 | Sign-in Settings | Team Member Data | Erase all local team member data | * This is the ephemeral mode we have been talking about. It deletes all team member state between logins. It also means that any settings and/or configurations that are not hard-coded will have to be re-entered. This is a HUGE pain if the team member is using a lot of apps and does not have a password manager that is pre-configured on the device. | * This is the ephemeral mode we have been talking about. It deletes all team member state between logins. It also means that any settings and/or configurations that are not hard-coded will have to be re-entered. This is a HUGE pain if the team member is using a lot of apps and does not have a password manager that is pre-configured on the device. | * This is the ephemeral mode we have been talking about. It deletes all team member state between logins. It also means that any settings and/or configurations that are not hard-coded will have to be re-entered. This is a HUGE pain if the team member is using a lot of apps and does not have a password manager that is pre-configured on the device. | ||||||||||||||||||||
24 | Sign-in Settings | Team Member Data | Do not erase all local team member data | * This is the opposite of the ephemeral mode we have been talking about, and for good reason. It does not delete all team member state between logins. This way any settings and/or configurations do not have to be re-entered on every login. This is a lot less of a pain than the other option. | ||||||||||||||||||||||
25 | Sign-in Settings | Single Sign-On IdP Redirection | Default. Take team members to the default Google login page | * This option has the team member enter their email address before being taken to the SAML IdP page of your organization. If your SAML IdP site exposes organizational information, then forcing the team member to enter their email first adds a small barrier between opening the device and exposing organizational information. Security Assertion Markup Language (SAML) Single Sign-On (SSO) support for Chrome devices allows team members to sign in to a Chrome device with the same authentication mechanisms that you use within the rest of your organization. Their passwords can remain within your organization's Identity Provider (IdP). | ||||||||||||||||||||||
26 | Sign-in Settings | Single Sign-On IdP Redirection | Allow users to go directly to SAML SSO IdP page | * This option has the team member enter their email address before being taken to the SAML IdP page of your organization. If your SAML IdP site exposes organizational information, then forcing the team member to enter their email first adds a small barrier between opening the device and exposing organizational information. Security Assertion Markup Language (SAML) Single Sign-On (SSO) support for Chrome devices allows team members to sign in to a Chrome device with the same authentication mechanisms that you use within the rest of your organization. Their passwords can remain within your organization's Identity Provider (IdP). | * This option has the team member enter their email address before being taken to the SAML IdP page of your organization. If your SAML IdP site exposes organizational information, then forcing the team member to enter their email first adds a small barrier between opening the device and exposing organizational information. Security Assertion Markup Language (SAML) Single Sign-On (SSO) support for Chrome devices allows team members to sign in to a Chrome device with the same authentication mechanisms that you use within the rest of your organization. Their passwords can remain within your organization's Identity Provider (IdP). | |||||||||||||||||||||
27 | Sign-in Settings | Single Sign-On Cookie Behavior | Disable transfer of SAML SSO Cookies into team member session during login | * It can be annoying to have to log in to multiple services each time you log in. | ||||||||||||||||||||||
28 | Sign-in Settings | Single Sign-On Cookie Behavior | Enable transfer of SAML SSO Cookies into team member session during login | * This allows your single sign-on credentials to be saved across different logins. It ties the security of your internal services to the security of the Chrome login, which, if you are this far into this document, is likely to be fine. But it does mean that if the Chrome travel account credentials are identified but the SSO credentials are not, an adversary can't get past the Chrome login to access your internal systems. * It can be annoying to have to log in to multiple services each time you log in. | ||||||||||||||||||||||
29 | Sign-in Settings | Single Sign-On Camera Permissions | Whitelist of single sign-on camera permissions | * I know what you are thinking. Why would I want to give my login service camera access? If you do some research, your next question will be "What in all that is holy is a 'clever badge'?" [1] Well, this function allows your team members to use the device's camera to support single sign-on. Heck, if you really wanted to, you could have it ping a 24-hour desk who knew what your team members looked like and have them authenticate based upon a conversation that ensures that they are not under duress and are in good health. That would be a cluster-f**ck of sadness that would quickly fall apart, but you could do it. It's a cool feature. It's mostly useful for adding another form of multi-factor. I don't see any amazing services that are using it yet. [1] https://clever.com/products/badges | * You could remotely get a picture of everyone who tries to log in! Wouldn't that be a fun way to see if folks are trying to access your devices behind your team members' backs. * I know what you are thinking. Why would I want to give my login service camera access? If you do some research, your next question will be "What in all that is holy is a 'clever badge'?" [1] Well, this function allows your team members to use the device's camera to support single sign-on. Heck, if you really wanted to, you could have it ping a 24-hour desk who knew what your team members looked like and have them authenticate based upon a conversation that ensures that they are not under duress and are in good health. That would be a cluster-f**ck of sadness that would quickly fall apart, but you could do it. It's a cool feature. It's mostly useful for adding another form of multi-factor. I don't see any amazing services that are using it yet. [1] https://clever.com/products/badges (QR codes for kids to log in to stuff) | |||||||||||||||||||||
30 | Sign-in Settings | Accessibility Control | Turn off accessibility settings on sign-in screen upon logout | * Don't be evil. If a team member needs accessibility settings have them be saved between logins. You can always hard reset the device when you get it back to remove this. But, don't force the team member to keep reconfiguring their accessibility controls. | ||||||||||||||||||||||
31 | Sign-in Settings | Sign-in Language | Allow user to configure | |||||||||||||||||||||||
32 | Sign-in Settings | Sign-in Language | [All the Languages] | * Useful if all your team member's are of a non-english (the default) language. * Not so useful if your default language might create some level of suspicion about your team member when a device is confiscated. i.e. entering a country that has serious issues with xenophobia against certain regions of the world. | ||||||||||||||||||||||
33 | Sign-in Settings | Sign-in Keyboard | [All the Keyboards] | * Useful if all your team member's are of a non-english (the default) keyboard setup. * Not so useful if your default language might create some level of suspicion about your team member when a device is confiscated. i.e. entering a country that has serious issues with xenophobia against certain regions of the world. | ||||||||||||||||||||||
34 | Device Update Settings | Auto Update Settings | Allow auto-updates | * Updates are important. But, they can break functionality. If there are mission critical apps, and your admin team has the capacity to check to make sure they all work when chrome updates than you can stop auto-updates for the few days it takes to check if they work. If they don't then the admin can delay the updates until they have figured out how to get them working on the latest update. If you don't have an admin with this capability and capacity to do this then this will require building staff capacity at finding alternate solutions when things break. Because updates are critical for security. ( i use app/protocol blocked to mean unintentionally disabled because of an update in this case.) | * Updates are important. But, they can break functionality. If there are mission critical apps, and your admin team has the capacity to check to make sure they all work when chrome updates than you can stop auto-updates for the few days it takes to check if they work. If they don't then the admin can delay the updates until they have figured out how to get them working on the latest update. If you don't have an admin with this capability and capacity to do this then this will require building staff capacity at finding alternate solutions when things break. Because updates are critical for security. ( i use app/protocol blocked to mean unintentionally disabled because of an update in this case.) | |||||||||||||||||||||
35 | Device Update Settings | Auto Update Settings | Stop auto-updates | * Updates are important. But, they can break functionality. If there are mission critical apps, and your admin team has the capacity to check to make sure they all work when chrome updates than you can stop auto-updates for the few days it takes to check if they work. If they don't then the admin can delay the updates until they have figured out how to get them working on the latest update. If you don't have an admin with this capability and capacity to do this then this will require building staff capacity at finding alternate solutions when things break. Because updates are critical for security. ( i use app/protocol blocked to mean unintentionally disabled because of an update in this case.) | * If you don't have an admin with this capability and capacity to quickly check and release updates then this will require allowing updates and building staff capacity at finding alternate solutions when things break. Because updates are critical for security. Don't let an admin's fear of things breaking combined with a lack of time get in the way of real security. | |||||||||||||||||||||
36 | Device Update Settings | Auto Update Settings | None | * If you have multiple team members traveling together who are all using their own Chrome devices in a country with limited connectivity, scattering updates will limit the traffic spike of them all attempting to update at the same time. | * If you have multiple team members traveling together who are all using their own Chrome devices in a country with limited connectivity, scattering updates will limit the traffic spike of them all attempting to update at the same time. | |||||||||||||||||||||
37 | Device Update Settings | Auto Update Settings | [1-14] Day(s) | * If you have multiple team members traveling together who are all using their own Chrome devices in a country with limited connectivity, scattering updates will limit the traffic spike of them all attempting to update at the same time. | * If you have multiple team members traveling together who are all using their own Chrome devices in a country with limited connectivity, scattering updates will limit the traffic spike of them all attempting to update at the same time. | |||||||||||||||||||||
38 | Device Update Settings | Auto Update Settings | Allow auto-reboots | * This can be really annoying if you have devices set to be ephemeral and a team member is in a long stretch of having their device on to work on something, and all of a sudden it is reset and all their local data and credentials are wiped. In this case it might make sense to have those team members on non-ephemeral devices, or to work with them on better workflows that support both ephemeral devices and long-term editing. But, either way it can be annoying. | * Auto-reboots can be really annoying if you have devices set to be ephemeral and a team member is in a long stretch of having their device on to work on something, and all of a sudden it is reset and all their local data and credentials are wiped. In this case it might make sense to have those team members on non-ephemeral devices, or to work with them on better workflows that support both ephemeral devices and long-term editing. But, either way it can be annoying. | |||||||||||||||||||||
39 | Device Update Settings | Auto Update Settings | Disallow auto-reboots | * If team members are missing device updates that contain security fixes because they avoid turning their devices off at all costs, it can open up new attack vectors for fast-moving advanced persistent adversaries. | ||||||||||||||||||||||
40 | Device Update Settings | Release Channel | Allow user to configure | * The travel accounts should be on stable or configure by default. Don't put team members on unstable platforms. They will end up having to use other devices that work. | * The travel accounts should be on stable or configure by default. Don't put team members on unstable platforms. It's just not cool. | |||||||||||||||||||||
41 | Device Update Settings | Release Channel | Move to Stable Channel | |||||||||||||||||||||||
42 | Device Update Settings | Release Channel | Move to Beta Channel | * Admins should have some devices here to test apps. Team members with unique app/workflow needs should also be able to *test* apps here if they want to. But, the travel accounts should be on stable or configure by default. | * Admins should have some devices here to test apps. Team members with unique app/workflow needs should also be able to *test* apps here if they want to. But, the travel accounts should be on stable or configure by default. | |||||||||||||||||||||
43 | Device Update Settings | Release Channel | Move to Development Channel | * Admins should have some devices here to test apps. Team members with unique app/workflow needs should also be able to *test* apps here if they want to. But, the travel accounts should be on stable or configure by default. | * Admins should have some devices here to test apps. Team members with unique app/workflow needs should also be able to *test* apps here if they want to. But, the travel accounts should be on stable or configure by default. | |||||||||||||||||||||
44 | Kiosk Settings | Kiosk Settings | Allow Public Session Kiosk | |||||||||||||||||||||||
45 | Kiosk Settings | Kiosk Settings | Do not allow Public Session Kiosk | |||||||||||||||||||||||
46 | Kiosk Settings | Kiosk Settings | Manage Public Session settings | |||||||||||||||||||||||
47 | Kiosk Settings | Kiosk Settings | No | |||||||||||||||||||||||
48 | Kiosk Settings | Kiosk Settings | Yes | |||||||||||||||||||||||
49 | Kiosk Settings | Kiosk Settings | Number of seconds before delaying auto-login; 0 means immediate auto-login | |||||||||||||||||||||||
50 | Kiosk Settings | Kiosk Settings | Allow Single App Kiosk | |||||||||||||||||||||||
51 | Kiosk Settings | Kiosk Settings | Do not allow Single App Kiosk | |||||||||||||||||||||||
52 | Kiosk Settings | Kiosk Settings | Manage Kiosk Applications | |||||||||||||||||||||||
53 | Kiosk Settings | Kiosk Settings | Auto-Launch Kiosk App | |||||||||||||||||||||||
54 | Kiosk Settings | Kiosk Settings | Disable device health monitoring | |||||||||||||||||||||||
55 | Kiosk Settings | Kiosk Settings | Enable device health monitoring | |||||||||||||||||||||||
56 | Kiosk Settings | Kiosk Settings | Disable device system log upload | |||||||||||||||||||||||
57 | Kiosk Settings | Kiosk Settings | Enable device system log upload | |||||||||||||||||||||||
58 | Kiosk Settings | Kiosk Settings | 0 Degree | |||||||||||||||||||||||
59 | Kiosk Settings | Kiosk Settings | 90 Degrees | |||||||||||||||||||||||
60 | Kiosk Settings | Kiosk Settings | 180 Degrees | |||||||||||||||||||||||
61 | Kiosk Settings | Kiosk Settings | 270 Degrees | |||||||||||||||||||||||
62 | Kiosk Settings | Kiosk Settings | Do not allow kiosk app to control OS version | |||||||||||||||||||||||
63 | Kiosk Settings | Kiosk Settings | Allow kiosk app to control OS version | |||||||||||||||||||||||
64 | Kiosk Settings | Kiosk Apps | Manage Kiosk Applications | |||||||||||||||||||||||
65 | Kiosk Settings | Kiosk Device Status Alerting Delivery | Receive alert via email | |||||||||||||||||||||||
66 | Kiosk Settings | Kiosk Device Status Alerting Delivery | Receive alert via SMS | |||||||||||||||||||||||
67 | Kiosk Settings | Kiosk Device Status Alerting Contact Info | Kiosk Device Status Alerting Emails | |||||||||||||||||||||||
68 | Kiosk Settings | Kiosk Device Status Alerting Contact Info | Kiosk Device Status Alerting Mobile Phones | |||||||||||||||||||||||
69 | User & Device Reporting | Device Reporting | Enable device state reporting | * Allows you to keep track of the status of your devices. Most importantly, this one allows you to see if one of your team members' devices has had its boot mode changed (one of the ways to compromise a Chromebook). By monitoring this you can quickly identify possible malicious behavior, alert the user, and, if they meant to change modes for some reason, make sure that if they need greater access you can support it in the future. | * Allows you to keep track of the status of your devices. Most importantly, this one allows you to see if one of your team members' devices has had its boot mode changed (one of the ways to compromise a Chromebook). By monitoring this you can quickly identify possible malicious behavior, alert the user, and, if they meant to change modes for some reason, make sure that if they need greater access you can support it in the future. | * Allows you to keep track of the status of your devices. Most importantly, this one allows you to see if one of your team members' devices has had its boot mode changed (one of the ways to compromise a Chromebook). By monitoring this you can quickly identify possible malicious behavior, alert the user, and, if they meant to change modes for some reason, make sure that if they need greater access you can support it in the future. | ||||||||||||||||||||
70 | User & Device Reporting | Device Reporting | Disable device state reporting | |||||||||||||||||||||||
71 | User & Device Reporting | Device Reporting | Enable tracking recent device users | * Allows you to track team members on a device. This is a great way to build up an understanding of login needs early on, when you have not yet locked personal accounts out of devices. You can use this information to survey team members who logged in with their personal accounts about what they needed to access those accounts for. This will allow you to figure out what kind of personal account support is needed. Note: team members will not be tracked if the device is configured to erase all local team member data. | * Allows you to track team members on a device. This is a great way to build up an understanding of login needs early on, when you have not yet locked personal accounts out of devices. You can use this information to survey team members who logged in with their personal accounts about what they needed to access those accounts for. This will allow you to figure out what kind of personal account support is needed. Note: team members will not be tracked if the device is configured to erase all local team member data. | * Allows you to track team members on a device. This is a great way to build up an understanding of login needs early on, when you have not yet locked personal accounts out of devices. You can use this information to survey team members who logged in with their personal accounts about what they needed to access those accounts for. This will allow you to figure out what kind of personal account support is needed. Note: team members will not be tracked if the device is configured to erase all local team member data. | ||||||||||||||||||||
72 | User & Device Reporting | Device Reporting | Disable tracking recent device users | |||||||||||||||||||||||
73 | User & Device Reporting | Inactive Device Notifications | Disable inactive device notifications | |||||||||||||||||||||||
74 | User & Device Reporting | Inactive Device Notifications | Enable inactive device notifications | * Helps your admin keep track of devices that are not in use. This is a way to identify if a team member is likely circumventing the controls that the device provides by using another device, if that team member may be in trouble (as indicated by their ceasing all work), or if a device has been stolen. | * Helps your admin keep track of devices that are not in use. This is a way to identify if a team member is likely circumventing the controls that the device provides by using another device, if that team member may be in trouble (as indicated by their ceasing all work), if a device has been stolen, or if there has been an internet shutdown. (Impact is used here to indicate that by identifying one of these states earlier than you otherwise would, you can react to it.) | * Helps your admin keep track of devices that are not in use. This is a way to identify if a team member is likely circumventing the controls that the device provides by using another device, if that team member may be in trouble (as indicated by their ceasing all work), or if a device has been stolen. | ||||||||||||||||||||
75 | User & Device Reporting | Inactive Device Notifications | Inactive Range (days) | * A shorter number of days gives you a quicker response, but it also creates a lot of noise. You should start low and build up a baseline you can use to set this to an appropriate value you can take action on. | ||||||||||||||||||||||
76 | User & Device Reporting | Inactive Device Notifications | Notification Cadence (days) | * A shorter re-alert time shows chronic behavior, but it also creates a lot of noise. You should start low and build up a baseline you can use to set this to an appropriate value that you can take action on. | ||||||||||||||||||||||
77 | User & Device Reporting | Inactive Device Notifications | Email addresses to receive notification reports | * Make sure that the people who see these know what they mean, and that there is redundancy in who has access so incidents don't get missed. | * Make sure that the people who see these know what they mean, and that there is redundancy in who has access so incidents don't get missed. | |||||||||||||||||||||
78 | User & Device Reporting | Anonymous Metric Reporting | Always send metrics to Google | |||||||||||||||||||||||
79 | User & Device Reporting | Anonymous Metric Reporting | Never send metrics to Google | |||||||||||||||||||||||
80 | Power & Shutdown | Power Management | Allow device to sleep/shut down when idle on the sign-in screen | * This is great for ensuring that devices are secured after a certain point of idleness. But, if you are using ephemeral mode, or team members are relying on offline mode, etc., this can lead to big problems. So, be careful with this one. | * This is great for ensuring that devices are secured after a certain point of idleness. But, if you are using ephemeral mode, or team members are relying on offline mode, etc., this can lead to big problems. So, be careful with this one. | * This is great for ensuring that devices are secured after a certain point of idleness. But, if you are using ephemeral mode, or team members are relying on offline mode, etc., this can lead to big problems. So, be careful with this one. | ||||||||||||||||||||
81 | Power & Shutdown | Power Management | Do not allow device to sleep/shut down when idle on the sign-in screen | * Power down on idle is great for ensuring that devices are secured after a certain point of idleness. But, if you are using ephemeral mode, or team members are relying on offline mode, etc., this can lead to big problems. So, be careful with this one. | * The device will still draw power while idle. It's not a huge amount. But, if they are dealing with limited power it might be nice to know that their device will conserve power as much as possible. | |||||||||||||||||||||
82 | Power & Shutdown | Scheduled Reboot | Number of days before reboot; leave empty for unset | * In the future this will be another way to thwart data that is left on team members' devices after they are confiscated, stolen, or lost. It has all the same drawbacks as well. It requires training your team members to expect it and understand why it is in place, making sure it fits with their workflows, and being receptive to changes in its frequency if it does interfere. (Currently, automatic reboots work only when the device is configured to be a Public Session kiosk and when the sign-in screen is being shown. For more information, see How do I schedule a Chrome device to reboot?) | * In the future this will be another way to thwart data that is left on team members' devices after they are confiscated, stolen, or lost. It has all the same drawbacks as well. It requires training your team members to expect it and understand why it is in place, making sure it fits with their workflows, and being receptive to changes in its frequency if it does interfere. (Currently, automatic reboots work only when the device is configured to be a Public Session kiosk and when the sign-in screen is being shown. For more information, see How do I schedule a Chrome device to reboot?) | * In the future this will be another way to thwart data that is left on team members' devices after they are confiscated, stolen, or lost. It has all the same drawbacks as well. It requires training your team members to expect it and understand why it is in place, making sure it fits with their workflows, and being receptive to changes in its frequency if it does interfere. (Currently, automatic reboots work only when the device is configured to be a Public Session kiosk and when the sign-in screen is being shown. For more information, see How do I schedule a Chrome device to reboot?) | ||||||||||||||||||||
83 | Power & Shutdown | Shut down | Allow users to turn off the device via the Shut down icon on the screen, or the physical power button | |||||||||||||||||||||||
84 | Power & Shutdown | Shut down | Only allow team members to turn off the device using the physical power button | |||||||||||||||||||||||
85 | Other | Cloud Print | Manage | |||||||||||||||||||||||
86 | Other | Time Zone | Keep timezone as it is on device currently | * This should default to the timezone that the device was reset in, so this is the correct answer. Travelers should not be using devices that have not been fully reset to wipe all team member data and sessions from them in between team members. | ||||||||||||||||||||||
87 | Other | Time Zone | [All the timezones] | * If you have a specific timezone that your team members want as a default and the devices are being reset from some other location, this might make sense. I don't really see it though. | ||||||||||||||||||||||
88 | Other | System timezone automatic detection | Let team members decide | * The IP-only method of figuring out your local time zone can get messed up by VPNs and Tor. So if you are having your team members use secure tunnels, and are not comfortable with the Wi-Fi AP timezone mode, you will want to train team members about why it shows the wrong time or just force never auto-detect timezone. | ||||||||||||||||||||||
89 | Other | System timezone automatic detection | Never auto-detect timezone | * The IP-only method of figuring out your local time zone can get messed up by VPNs and Tor. So if you are having your team members use secure tunnels, and are not comfortable with the Wi-Fi AP timezone mode, you will want to train team members about why it shows the wrong time or just force never auto-detect timezone. | * The IP-only method of figuring out your local time zone can get messed up by VPNs and Tor. So if you are having your team members use secure tunnels, and are not comfortable with the Wi-Fi AP timezone mode, you will want to train team members about why it shows the wrong time or just force never auto-detect timezone. | |||||||||||||||||||||
90 | Other | System timezone automatic detection | Always use coarse timezone detection | * This uses the IP-only method of figuring out your local time zone. VPNs and Tor can cause problems here, so if you are having your team members use secure tunnels you will want to train team members about why it shows the wrong time or just force never auto-detect timezone. | * This uses the IP-only method of figuring out your local time zone. VPNs and Tor can cause problems here, so if you are having your team members use secure tunnels you will want to train team members about why it shows the wrong time or just force never auto-detect timezone. | |||||||||||||||||||||
91 | Other | System timezone automatic detection | Always send WiFi access-points to server while resolving timezone | * This is information that Google collects and stores with your data according to its privacy policy. I don't go into much other information Google collects because of our assumptions. But, this one has some really serious metadata attached to it that is constantly being collected. https://www.google.com/policies/privacy/#infocollect | * This is information that Google collects and stores with your data according to its privacy policy. I don't go into much other information Google collects because of our assumptions. But, this one has some really serious metadata attached to it that is constantly being collected. https://www.google.com/policies/privacy/#infocollect | |||||||||||||||||||||
92 | Other | Mobile Data Roaming | Allow mobile data roaming | * If mobile data is available but broadband access is not, then enabling this (as long as the team member has cellular capabilities) can be valuable. | ||||||||||||||||||||||
93 | Other | Mobile Data Roaming | Do not allow mobile data roaming | |||||||||||||||||||||||
94 | Other | USB Detachable Whitelist | List of VID:PID pairs | * This lets you whitelist USB devices that can be accessed directly by applications. By default USB flash drives, webcams and headsets are not redirected to applications. So, in order to allow remote desktop or desktop virtualization software to run off of a specific piece of hardware, you have to approve that hardware in the interface. If you are going to be buying USB headsets for your staff to use when traveling, make sure you only get a few different kinds and then whitelist them here. | * This limits the ability of devices to access your applications, therefore limiting the possibility of malicious apps and/or malicious devices compromising the other. | * This lets you whitelist USB devices that can be accessed directly by applications. By default USB flash drives, webcams and headsets are not redirected to applications. So, in order to allow remote desktop or desktop virtualization software to run off of a specific piece of hardware, you have to approve that hardware in the interface. If you are going to be buying USB headsets for your staff to use when traveling, make sure you only get a few different kinds and then whitelist them here. | ||||||||||||||||||||
95 | Other | Bluetooth | Do not disable bluetooth | |||||||||||||||||||||||
96 | Other | Bluetooth | Disable bluetooth | |||||||||||||||||||||||
97 | Other | Throttle Device Bandwidth | Enable network throttling | |||||||||||||||||||||||
98 | Other | Throttle Device Bandwidth | Disable network throttling | |||||||||||||||||||||||
99 | Other | Throttle Device Bandwidth | Download speed in kbps | |||||||||||||||||||||||
100 | Other | Throttle Device Bandwidth | Upload speed in kbps | |||||||||||||||||||||||
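As an added example that is not part of the original spreadsheet (and not Google's tooling), the following Python script applies two of the reporting notes above: it diffs two device-inventory snapshots for boot mode changes (the "Enable device state reporting" row) and counts how many inactive-device alerts each candidate inactive range would have produced, so the range is set from a baseline rather than guessed (the "Inactive Range (days)" row). Field names follow the Admin SDK Directory API chromeosdevices resource (deviceId, bootMode, lastSync, annotatedUser); all device records, users and dates are constructed for the example.

```python
"""Triage helpers for the device state reporting and inactive-device notes.
Added example; field names follow the Admin SDK Directory API chromeosdevices
resource, but every record below is constructed sample data."""
from datetime import datetime, timedelta, timezone


def _parse(ts):
    """Parse an RFC 3339 UTC timestamp such as 2019-03-10T08:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed inventory snapshots: yesterday's pull and today's pull.
PREVIOUS_SNAPSHOT = [
    {"deviceId": "dev-001", "bootMode": "Verified", "lastSync": "2019-03-29T08:00:00Z", "annotatedUser": "alice@example.org"},
    {"deviceId": "dev-002", "bootMode": "Verified", "lastSync": "2019-03-29T09:00:00Z", "annotatedUser": "bob@example.org"},
    {"deviceId": "dev-003", "bootMode": "Verified", "lastSync": "2019-03-10T08:00:00Z", "annotatedUser": "carol@example.org"},
    {"deviceId": "dev-004", "bootMode": "Verified", "lastSync": "2019-02-20T08:00:00Z", "annotatedUser": "dave@example.org"},
    {"deviceId": "dev-005", "bootMode": "Dev", "lastSync": "2019-03-28T08:00:00Z", "annotatedUser": "admin-testbed@example.org"},
]
LATEST_SNAPSHOT = [
    {"deviceId": "dev-001", "bootMode": "Verified", "lastSync": "2019-03-30T08:00:00Z", "annotatedUser": "alice@example.org"},
    # dev-002 flipped from Verified to Dev since the last pull: the event the
    # "Enable device state reporting" note says to watch for.
    {"deviceId": "dev-002", "bootMode": "Dev", "lastSync": "2019-03-29T21:00:00Z", "annotatedUser": "bob@example.org"},
    {"deviceId": "dev-003", "bootMode": "Verified", "lastSync": "2019-03-10T08:00:00Z", "annotatedUser": "carol@example.org"},
    {"deviceId": "dev-004", "bootMode": "Verified", "lastSync": "2019-02-20T08:00:00Z", "annotatedUser": "dave@example.org"},
    {"deviceId": "dev-005", "bootMode": "Dev", "lastSync": "2019-03-30T08:00:00Z", "annotatedUser": "admin-testbed@example.org"},
    {"deviceId": "dev-006", "bootMode": "Verified", "lastSync": "2019-03-20T08:00:00Z", "annotatedUser": "erin@example.org"},
]
NOW = _parse("2019-03-31T00:00:00Z")  # constructed "time of this run"


def boot_mode_changes(previous, latest):
    """Return (deviceId, old_mode, new_mode) for every device whose boot mode
    differs between the two snapshots. A device seen for the first time is not
    a change, and a device that was already in Dev mode (dev-005, an admin test
    device) is a standing policy question rather than a new event."""
    old = {d["deviceId"]: d["bootMode"] for d in previous}
    changes = []
    for d in latest:
        before = old.get(d["deviceId"])
        if before is not None and before != d["bootMode"]:
            changes.append((d["deviceId"], before, d["bootMode"]))
    return changes


def inactive_devices(devices, now, inactive_days):
    """Sorted device IDs whose last sync is older than the inactive range."""
    cutoff = now - timedelta(days=inactive_days)
    return sorted(d["deviceId"] for d in devices if _parse(d["lastSync"]) < cutoff)


def alert_volume_by_window(devices, now, windows):
    """Baseline the noise: how many inactive alerts each candidate window (in
    days) would produce today. Start low, watch this over a few weeks, then
    settle on the value your admins can actually act on."""
    return {w: len(inactive_devices(devices, now, w)) for w in windows}


if __name__ == "__main__":
    for dev, old, new in boot_mode_changes(PREVIOUS_SNAPSHOT, LATEST_SNAPSHOT):
        print(f"BOOT MODE CHANGED: {dev} {old} -> {new} (check in with the user)")
    for window, count in alert_volume_by_window(LATEST_SNAPSHOT, NOW, (7, 14, 30, 45)).items():
        print(f"inactive range {window:>2}d -> {count} alert(s): "
              f"{inactive_devices(LATEST_SNAPSHOT, NOW, window)}")
```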
546 | ||||||||||||||||||||||||||
547 | ||||||||||||||||||||||||||
548 | ||||||||||||||||||||||||||
549 | ||||||||||||||||||||||||||
550 | ||||||||||||||||||||||||||
551 | ||||||||||||||||||||||||||
552 | ||||||||||||||||||||||||||
553 | ||||||||||||||||||||||||||
554 | ||||||||||||||||||||||||||
555 | ||||||||||||||||||||||||||
556 | ||||||||||||||||||||||||||
557 | ||||||||||||||||||||||||||
558 | ||||||||||||||||||||||||||
559 | ||||||||||||||||||||||||||
560 | ||||||||||||||||||||||||||
561 | ||||||||||||||||||||||||||
562 | ||||||||||||||||||||||||||
563 | ||||||||||||||||||||||||||
564 | ||||||||||||||||||||||||||
565 | ||||||||||||||||||||||||||
566 | ||||||||||||||||||||||||||
567 | ||||||||||||||||||||||||||
568 | ||||||||||||||||||||||||||
569 | ||||||||||||||||||||||||||
570 | ||||||||||||||||||||||||||
571 | ||||||||||||||||||||||||||
572 | ||||||||||||||||||||||||||
573 | ||||||||||||||||||||||||||
574 | ||||||||||||||||||||||||||
575 | ||||||||||||||||||||||||||
576 | ||||||||||||||||||||||||||
577 | ||||||||||||||||||||||||||
578 | ||||||||||||||||||||||||||
579 | ||||||||||||||||||||||||||
580 | ||||||||||||||||||||||||||
581 | ||||||||||||||||||||||||||
582 | ||||||||||||||||||||||||||
583 | ||||||||||||||||||||||||||
584 | ||||||||||||||||||||||||||
585 | ||||||||||||||||||||||||||
586 | ||||||||||||||||||||||||||
587 | ||||||||||||||||||||||||||
588 | ||||||||||||||||||||||||||
589 | ||||||||||||||||||||||||||
590 | ||||||||||||||||||||||||||
591 | ||||||||||||||||||||||||||
592 | ||||||||||||||||||||||||||
593 | ||||||||||||||||||||||||||
594 | ||||||||||||||||||||||||||
595 | ||||||||||||||||||||||||||
596 | ||||||||||||||||||||||||||
597 | ||||||||||||||||||||||||||
598 | ||||||||||||||||||||||||||
599 | ||||||||||||||||||||||||||
600 | ||||||||||||||||||||||||||
601 | ||||||||||||||||||||||||||
602 | ||||||||||||||||||||||||||
603 | ||||||||||||||||||||||||||
604 | ||||||||||||||||||||||||||
605 | ||||||||||||||||||||||||||
606 | ||||||||||||||||||||||||||
607 | ||||||||||||||||||||||||||
608 | ||||||||||||||||||||||||||
609 | ||||||||||||||||||||||||||
610 | ||||||||||||||||||||||||||
611 | ||||||||||||||||||||||||||
612 | ||||||||||||||||||||||||||
613 | ||||||||||||||||||||||||||
614 | ||||||||||||||||||||||||||
615 | ||||||||||||||||||||||||||
616 | ||||||||||||||||||||||||||
617 | ||||||||||||||||||||||||||
618 | ||||||||||||||||||||||||||
619 | ||||||||||||||||||||||||||
620 | ||||||||||||||||||||||||||
621 | ||||||||||||||||||||||||||
622 | ||||||||||||||||||||||||||
623 | ||||||||||||||||||||||||||
624 | ||||||||||||||||||||||||||
625 | ||||||||||||||||||||||||||
626 | ||||||||||||||||||||||||||
627 | ||||||||||||||||||||||||||
628 | ||||||||||||||||||||||||||
629 | ||||||||||||||||||||||||||
630 | ||||||||||||||||||||||||||
631 | ||||||||||||||||||||||||||
632 | ||||||||||||||||||||||||||
633 | ||||||||||||||||||||||||||
634 | ||||||||||||||||||||||||||
635 | ||||||||||||||||||||||||||
636 | ||||||||||||||||||||||||||
637 | ||||||||||||||||||||||||||
638 | ||||||||||||||||||||||||||
639 | ||||||||||||||||||||||||||
640 | ||||||||||||||||||||||||||
641 | ||||||||||||||||||||||||||
642 | ||||||||||||||||||||||||||
643 | ||||||||||||||||||||||||||
644 | ||||||||||||||||||||||||||
645 | ||||||||||||||||||||||||||
646 | ||||||||||||||||||||||||||
647 | ||||||||||||||||||||||||||
648 | ||||||||||||||||||||||||||
649 | ||||||||||||||||||||||||||
650 | ||||||||||||||||||||||||||
651 | ||||||||||||||||||||||||||
652 | ||||||||||||||||||||||||||
653 | ||||||||||||||||||||||||||
654 | ||||||||||||||||||||||||||
655 | ||||||||||||||||||||||||||
656 | ||||||||||||||||||||||||||
657 | ||||||||||||||||||||||||||
658 | ||||||||||||||||||||||||||
659 | ||||||||||||||||||||||||||
660 | ||||||||||||||||||||||||||
661 | ||||||||||||||||||||||||||
662 | ||||||||||||||||||||||||||
663 | ||||||||||||||||||||||||||
664 | ||||||||||||||||||||||||||
665 | ||||||||||||||||||||||||||
666 | ||||||||||||||||||||||||||
667 | ||||||||||||||||||||||||||
668 | ||||||||||||||||||||||||||
669 | ||||||||||||||||||||||||||
670 | ||||||||||||||||||||||||||
671 | ||||||||||||||||||||||||||
672 | ||||||||||||||||||||||||||
673 | ||||||||||||||||||||||||||
674 | ||||||||||||||||||||||||||
675 | ||||||||||||||||||||||||||
676 | ||||||||||||||||||||||||||
677 | ||||||||||||||||||||||||||
678 | ||||||||||||||||||||||||||
679 | ||||||||||||||||||||||||||
680 | ||||||||||||||||||||||||||
681 | ||||||||||||||||||||||||||
682 | ||||||||||||||||||||||||||
683 | ||||||||||||||||||||||||||
684 | ||||||||||||||||||||||||||
685 | ||||||||||||||||||||||||||
686 | ||||||||||||||||||||||||||
687 | ||||||||||||||||||||||||||
688 | ||||||||||||||||||||||||||
689 | ||||||||||||||||||||||||||
690 | ||||||||||||||||||||||||||
691 | ||||||||||||||||||||||||||
692 | ||||||||||||||||||||||||||
693 | ||||||||||||||||||||||||||
694 | ||||||||||||||||||||||||||
695 | ||||||||||||||||||||||||||
696 | ||||||||||||||||||||||||||
697 | ||||||||||||||||||||||||||
698 | ||||||||||||||||||||||||||
699 | ||||||||||||||||||||||||||
700 | ||||||||||||||||||||||||||
701 | ||||||||||||||||||||||||||
702 | ||||||||||||||||||||||||||
703 | ||||||||||||||||||||||||||
704 | ||||||||||||||||||||||||||
705 | ||||||||||||||||||||||||||
706 | ||||||||||||||||||||||||||
707 | ||||||||||||||||||||||||||
708 | ||||||||||||||||||||||||||
709 | ||||||||||||||||||||||||||
710 | ||||||||||||||||||||||||||
711 | ||||||||||||||||||||||||||
712 | ||||||||||||||||||||||||||
713 | ||||||||||||||||||||||||||
714 | ||||||||||||||||||||||||||
715 | ||||||||||||||||||||||||||
716 | ||||||||||||||||||||||||||
717 | ||||||||||||||||||||||||||
718 | ||||||||||||||||||||||||||
719 | ||||||||||||||||||||||||||
720 | ||||||||||||||||||||||||||
721 | ||||||||||||||||||||||||||
722 | ||||||||||||||||||||||||||
723 | ||||||||||||||||||||||||||
724 | ||||||||||||||||||||||||||
725 | ||||||||||||||||||||||||||
726 | ||||||||||||||||||||||||||
727 | ||||||||||||||||||||||||||
728 | ||||||||||||||||||||||||||
729 | ||||||||||||||||||||||||||
730 | ||||||||||||||||||||||||||
731 | ||||||||||||||||||||||||||
732 | ||||||||||||||||||||||||||
733 | ||||||||||||||||||||||||||
734 | ||||||||||||||||||||||||||
735 | ||||||||||||||||||||||||||
736 | ||||||||||||||||||||||||||
737 | ||||||||||||||||||||||||||
738 | ||||||||||||||||||||||||||
739 | ||||||||||||||||||||||||||
740 | ||||||||||||||||||||||||||
741 | ||||||||||||||||||||||||||
742 | ||||||||||||||||||||||||||
743 | ||||||||||||||||||||||||||
744 | ||||||||||||||||||||||||||
745 | ||||||||||||||||||||||||||
746 | ||||||||||||||||||||||||||
747 | ||||||||||||||||||||||||||
748 | ||||||||||||||||||||||||||
749 | ||||||||||||||||||||||||||
750 | ||||||||||||||||||||||||||
751 | ||||||||||||||||||||||||||
752 | ||||||||||||||||||||||||||
753 | ||||||||||||||||||||||||||
754 | ||||||||||||||||||||||||||
755 | ||||||||||||||||||||||||||
756 | ||||||||||||||||||||||||||
757 | ||||||||||||||||||||||||||
758 | ||||||||||||||||||||||||||
759 | ||||||||||||||||||||||||||
760 | ||||||||||||||||||||||||||
761 | ||||||||||||||||||||||||||
762 | ||||||||||||||||||||||||||
763 | ||||||||||||||||||||||||||
764 | ||||||||||||||||||||||||||
765 | ||||||||||||||||||||||||||
766 | ||||||||||||||||||||||||||
767 | ||||||||||||||||||||||||||
768 | ||||||||||||||||||||||||||
769 | ||||||||||||||||||||||||||
770 | ||||||||||||||||||||||||||
771 | ||||||||||||||||||||||||||
772 | ||||||||||||||||||||||||||
773 | ||||||||||||||||||||||||||
774 | ||||||||||||||||||||||||||
775 | ||||||||||||||||||||||||||
776 | ||||||||||||||||||||||||||
777 | ||||||||||||||||||||||||||
778 | ||||||||||||||||||||||||||
779 | ||||||||||||||||||||||||||
780 | ||||||||||||||||||||||||||
781 | ||||||||||||||||||||||||||
782 | ||||||||||||||||||||||||||
783 | ||||||||||||||||||||||||||
784 | ||||||||||||||||||||||||||
785 | ||||||||||||||||||||||||||
786 | ||||||||||||||||||||||||||
787 | ||||||||||||||||||||||||||
788 | ||||||||||||||||||||||||||
789 | ||||||||||||||||||||||||||
790 | ||||||||||||||||||||||||||
791 | ||||||||||||||||||||||||||
792 | ||||||||||||||||||||||||||
793 | ||||||||||||||||||||||||||
794 | ||||||||||||||||||||||||||
795 | ||||||||||||||||||||||||||
796 | ||||||||||||||||||||||||||
797 | ||||||||||||||||||||||||||
798 | ||||||||||||||||||||||||||
799 | ||||||||||||||||||||||||||
800 | ||||||||||||||||||||||||||
801 | ||||||||||||||||||||||||||
802 | ||||||||||||||||||||||||||
803 | ||||||||||||||||||||||||||
804 | ||||||||||||||||||||||||||
805 | ||||||||||||||||||||||||||
806 | ||||||||||||||||||||||||||
807 | ||||||||||||||||||||||||||
808 | ||||||||||||||||||||||||||
809 | ||||||||||||||||||||||||||
810 | ||||||||||||||||||||||||||
811 | ||||||||||||||||||||||||||
812 | ||||||||||||||||||||||||||
813 | ||||||||||||||||||||||||||
814 | ||||||||||||||||||||||||||
815 | ||||||||||||||||||||||||||
816 | ||||||||||||||||||||||||||
817 | ||||||||||||||||||||||||||
818 | ||||||||||||||||||||||||||
819 | ||||||||||||||||||||||||||
820 | ||||||||||||||||||||||||||
821 | ||||||||||||||||||||||||||
822 | ||||||||||||||||||||||||||
823 | ||||||||||||||||||||||||||
824 | ||||||||||||||||||||||||||
825 | ||||||||||||||||||||||||||
826 | ||||||||||||||||||||||||||
827 | ||||||||||||||||||||||||||
828 | ||||||||||||||||||||||||||
829 | ||||||||||||||||||||||||||
830 | ||||||||||||||||||||||||||
831 | ||||||||||||||||||||||||||
832 | ||||||||||||||||||||||||||
833 | ||||||||||||||||||||||||||
834 | ||||||||||||||||||||||||||
835 | ||||||||||||||||||||||||||
836 | ||||||||||||||||||||||||||
837 | ||||||||||||||||||||||||||
838 | ||||||||||||||||||||||||||
839 | ||||||||||||||||||||||||||
840 | ||||||||||||||||||||||||||
841 | ||||||||||||||||||||||||||
842 | ||||||||||||||||||||||||||
843 | ||||||||||||||||||||||||||
844 | ||||||||||||||||||||||||||
845 | ||||||||||||||||||||||||||
846 | ||||||||||||||||||||||||||
847 | ||||||||||||||||||||||||||
848 | ||||||||||||||||||||||||||
849 | ||||||||||||||||||||||||||
850 | ||||||||||||||||||||||||||
851 | ||||||||||||||||||||||||||
852 | ||||||||||||||||||||||||||
853 | ||||||||||||||||||||||||||
854 | ||||||||||||||||||||||||||
855 | ||||||||||||||||||||||||||
856 | ||||||||||||||||||||||||||
857 | ||||||||||||||||||||||||||
858 | ||||||||||||||||||||||||||
859 | ||||||||||||||||||||||||||
860 | ||||||||||||||||||||||||||
861 | ||||||||||||||||||||||||||
862 | ||||||||||||||||||||||||||
863 | ||||||||||||||||||||||||||
864 | ||||||||||||||||||||||||||
865 | ||||||||||||||||||||||||||
866 | ||||||||||||||||||||||||||
867 | ||||||||||||||||||||||||||
868 | ||||||||||||||||||||||||||
869 | ||||||||||||||||||||||||||
870 | ||||||||||||||||||||||||||
871 | ||||||||||||||||||||||||||
872 | ||||||||||||||||||||||||||
873 | ||||||||||||||||||||||||||
874 | ||||||||||||||||||||||||||
875 | ||||||||||||||||||||||||||
876 | ||||||||||||||||||||||||||
877 | ||||||||||||||||||||||||||
878 | ||||||||||||||||||||||||||
879 | ||||||||||||||||||||||||||
880 | ||||||||||||||||||||||||||
881 | ||||||||||||||||||||||||||
882 | ||||||||||||||||||||||||||
883 | ||||||||||||||||||||||||||
884 | ||||||||||||||||||||||||||
885 | ||||||||||||||||||||||||||
886 | ||||||||||||||||||||||||||
887 | ||||||||||||||||||||||||||
888 | ||||||||||||||||||||||||||
889 | ||||||||||||||||||||||||||
890 | ||||||||||||||||||||||||||
891 | ||||||||||||||||||||||||||
892 | ||||||||||||||||||||||||||
893 | ||||||||||||||||||||||||||
894 | ||||||||||||||||||||||||||
895 | ||||||||||||||||||||||||||
896 | ||||||||||||||||||||||||||
897 | ||||||||||||||||||||||||||
898 | ||||||||||||||||||||||||||
899 | ||||||||||||||||||||||||||
900 | ||||||||||||||||||||||||||
901 | ||||||||||||||||||||||||||
902 | ||||||||||||||||||||||||||
903 | ||||||||||||||||||||||||||
904 | ||||||||||||||||||||||||||
905 | ||||||||||||||||||||||||||
906 | ||||||||||||||||||||||||||
907 | ||||||||||||||||||||||||||
908 | ||||||||||||||||||||||||||
909 | ||||||||||||||||||||||||||
910 | ||||||||||||||||||||||||||
911 | ||||||||||||||||||||||||||
912 | ||||||||||||||||||||||||||
913 | ||||||||||||||||||||||||||
914 | ||||||||||||||||||||||||||
915 | ||||||||||||||||||||||||||
916 | ||||||||||||||||||||||||||
917 | ||||||||||||||||||||||||||
918 | ||||||||||||||||||||||||||
919 | ||||||||||||||||||||||||||
920 | ||||||||||||||||||||||||||
921 | ||||||||||||||||||||||||||
922 | ||||||||||||||||||||||||||
923 | ||||||||||||||||||||||||||
924 | ||||||||||||||||||||||||||
925 | ||||||||||||||||||||||||||
926 | ||||||||||||||||||||||||||
927 | ||||||||||||||||||||||||||
928 | ||||||||||||||||||||||||||
929 | ||||||||||||||||||||||||||
930 | ||||||||||||||||||||||||||
931 | ||||||||||||||||||||||||||
932 | ||||||||||||||||||||||||||
933 | ||||||||||||||||||||||||||
934 | ||||||||||||||||||||||||||
935 | ||||||||||||||||||||||||||
936 | ||||||||||||||||||||||||||
937 | ||||||||||||||||||||||||||
938 | ||||||||||||||||||||||||||
939 | ||||||||||||||||||||||||||
940 | ||||||||||||||||||||||||||
941 | ||||||||||||||||||||||||||
942 | ||||||||||||||||||||||||||
943 | ||||||||||||||||||||||||||
944 | ||||||||||||||||||||||||||
945 | ||||||||||||||||||||||||||
946 | ||||||||||||||||||||||||||
947 | ||||||||||||||||||||||||||
948 | ||||||||||||||||||||||||||
949 | ||||||||||||||||||||||||||
950 | ||||||||||||||||||||||||||
951 | ||||||||||||||||||||||||||
952 | ||||||||||||||||||||||||||
953 | ||||||||||||||||||||||||||
954 | ||||||||||||||||||||||||||
955 | ||||||||||||||||||||||||||
956 | ||||||||||||||||||||||||||
957 | ||||||||||||||||||||||||||
958 | ||||||||||||||||||||||||||
959 | ||||||||||||||||||||||||||
960 | ||||||||||||||||||||||||||
961 | ||||||||||||||||||||||||||
962 | ||||||||||||||||||||||||||
963 | ||||||||||||||||||||||||||
964 | ||||||||||||||||||||||||||
965 | ||||||||||||||||||||||||||
966 | ||||||||||||||||||||||||||
967 | ||||||||||||||||||||||||||
968 | ||||||||||||||||||||||||||
969 | ||||||||||||||||||||||||||
970 | ||||||||||||||||||||||||||
971 | ||||||||||||||||||||||||||
972 | ||||||||||||||||||||||||||
973 | ||||||||||||||||||||||||||
974 | ||||||||||||||||||||||||||
975 | ||||||||||||||||||||||||||
976 | ||||||||||||||||||||||||||
977 | ||||||||||||||||||||||||||
978 | ||||||||||||||||||||||||||
979 | ||||||||||||||||||||||||||
980 | ||||||||||||||||||||||||||
981 | ||||||||||||||||||||||||||
982 | ||||||||||||||||||||||||||
983 | ||||||||||||||||||||||||||
984 | ||||||||||||||||||||||||||
985 | ||||||||||||||||||||||||||
986 | ||||||||||||||||||||||||||
987 | ||||||||||||||||||||||||||
988 | ||||||||||||||||||||||||||
989 | ||||||||||||||||||||||||||
990 | ||||||||||||||||||||||||||
991 | ||||||||||||||||||||||||||
992 | ||||||||||||||||||||||||||
993 | ||||||||||||||||||||||||||
994 | ||||||||||||||||||||||||||
995 | ||||||||||||||||||||||||||
996 | ||||||||||||||||||||||||||
997 | ||||||||||||||||||||||||||
998 | ||||||||||||||||||||||||||
999 | ||||||||||||||||||||||||||
1000 | ||||||||||||||||||||||||||
1001 | ||||||||||||||||||||||||||
1002 |
1 | < Index | Mitigation | Modification to Threats (Only direct modifications. Not cascading.) | Requirements | |||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2 | Category | Title | Description | SubItem | Option(s) | Basic | High Risk | Supports | Inhibits | Requires | Likelihood ↧ | Impact ↧ | Likelihood ↥ | Impact ↥ | Supports | Inhibits | |
3 | General | Session Display Name | |||||||||||||||
4 | General | Maximum User Session Length | 1 - 1440 minutes; leave empty for unlimited sessions | ||||||||||||||
5 | General | Terms of Service | Custom Terms of Service Agreement. | Upload terms of service file | |||||||||||||
6 | General | Avatar | Custom Avatar. | Upload avatar file | |||||||||||||
7 | General | Wallpaper | Custom Wallpaper | Upload wallpaper file | |||||||||||||
8 | General | Policy Refresh Rate | The number of minutes between client policy refreshes. | minutes | |||||||||||||
9 | Apps and Extensions | Force-installed Apps and Extensions | Bulk install the Apps pack for Business for your organization. (Note: To ensure force-installed apps and extensions can't be tampered with, we recommend you disallow developer tools access.) | Manage force-installed apps | |||||||||||||
10 | Apps and Extensions | Allow or Block All Apps and Extensions | Choose which Chrome apps and extensions to allow. | Allow all apps and extensions except the ones I block | |||||||||||||
11 | Apps and Extensions | Block all apps and extensions except the ones I allow | |||||||||||||||
12 | Apps and Extensions | Allowed Apps and Extensions | apps or extensions are blocked. | Manage | |||||||||||||
13 | Apps and Extensions | Pinned Apps and Extensions | apps or extensions will be pinned to the Chrome launcher if they are installed. | Manage pinned apps | |||||||||||||
14 | Security | Logout on Idle after | 1 - 1440 minutes; leave empty to never logout | ||||||||||||||
15 | Security | Incognito Mode | Allow incognito mode | ||||||||||||||
16 | Security | Incognito Mode | Disallow incognito mode | ||||||||||||||
17 | Security | Browser History | Always save browser history | ||||||||||||||
18 | Security | Browser History | Never save browser history | ||||||||||||||
19 | Security | Safe Browsing | Always enable Safe Browsing | ||||||||||||||
20 | Security | Safe Browsing | Always disable Safe Browsing | ||||||||||||||
21 | Security | Safe Browsing | Allow user to decide whether to use Safe Browsing | ||||||||||||||
22 | Security | Remote access clients | Configure the required domain name for remote access clients. | Remote Access Host Client Domain | |||||||||||||
23 | Network | Proxy Settings | Proxy Mode | Allow user to configure | |||||||||||||
24 | Network | Proxy Settings | Proxy Mode | Never use a proxy | |||||||||||||
25 | Network | Proxy Settings | Proxy Mode | Always auto detect the proxy | |||||||||||||
26 | Network | Proxy Settings | Proxy Mode | Always use the proxy specified below | |||||||||||||
27 | Network | Proxy Settings | Proxy Mode | Always use the proxy auto-config specified below | |||||||||||||
28 | Network | Proxy Settings | Proxy Mode | Always use the proxy specified below | Proxy Server URL | ||||||||||||
29 | Network | Proxy Settings | Enter a list of URLs that should bypass specified proxy. Put each URL on its own line. | Always use the proxy specified below | Proxy Bypass List | ||||||||||||
30 | Network | Proxy Settings | URL of the .pac file that should be used for network connections. | Always use the proxy auto-config specified below | Proxy Server Auto Configuration File URL | ||||||||||||
31 | Network | QUIC Protocol | QUIC Protocol | Enabled | |||||||||||||
32 | Network | QUIC Protocol | QUIC Protocol | Disabled | |||||||||||||
33 | Startup | Home Button | Always show "Home" button | ||||||||||||||
34 | Startup | Home Button | Never show "Home" button | ||||||||||||||
35 | Startup | Home Button | Allow user to configure | ||||||||||||||
36 | Startup | Homepage | Homepage is New Tab Page | Allow user to configure | |||||||||||||
37 | Startup | Homepage | Homepage is New Tab Page | Homepage is always the new tab page | |||||||||||||
38 | Startup | Homepage | Homepage is New Tab Page | Homepage is always the Homepage URL, set below | |||||||||||||
39 | Startup | Homepage | Homepage is New Tab Page | Homepage is always the Homepage URL, set below | Homepage URL | ||||||||||||
40 | Startup | Pages to Load on Startup | Put each URL on its own line. | ||||||||||||||
41 | Content | Safe Search and Restricted Mode | Google Safe Search for Google Web Search queries | Do not enforce Safe Search for Google Web Search queries | |||||||||||||
42 | Content | Safe Search and Restricted Mode | Google Safe Search for Google Web Search queries | Always use Safe Search for Google Web Search queries | |||||||||||||
43 | Content | Restricted Mode for YouTube | Do not enforce Restricted Mode on YouTube | ||||||||||||||
44 | Content | Restricted Mode for YouTube | Enforce at least Moderate Restricted Mode on YouTube | ||||||||||||||
45 | Content | Restricted Mode for YouTube | Enforce Strict Restricted Mode for YouTube | ||||||||||||||
46 | Content | Screenshot | Enable screenshot | ||||||||||||||
47 | Content | Screenshot | Disable screenshot | ||||||||||||||
48 | Content | Plug-ins | Run plug-ins automatically | ||||||||||||||
49 | Content | Plug-ins | Block all plug-ins | ||||||||||||||
50 | Content | Plug-ins | Allow user to configure | ||||||||||||||
51 | Content | Plug-ins | Put one pattern on each line. | Allow Plug-ins on These Sites | |||||||||||||
52 | Content | Plug-ins | Put one pattern on each line. | Block Plug-ins on These Sites | |||||||||||||
53 | Content | Pop-ups | Allow all pop-ups | ||||||||||||||
54 | Content | Pop-ups | Block all pop-ups | ||||||||||||||
55 | Content | Pop-ups | Allow user to configure | ||||||||||||||
56 | Content | Pop-ups | Put one pattern on each line. | Allow Pop-ups on These Sites | |||||||||||||
57 | Content | Pop-ups | Put one pattern on each line. | Block Pop-ups on These Sites | |||||||||||||
58 | Content | URL Blocking | Any URL in the URL blacklist will be blocked, unless it also appears in the URL blacklist exception list. | URL Blacklist | |||||||||||||
59 | Content | URL Blocking | Any URL in the blacklist exception list will be allowed, even if it appears in the URL blacklist. | URL Blacklist Exception | |||||||||||||
60 | Content | Cast | Allow users to Cast from Chrome | Allow users to Cast | |||||||||||||
61 | Content | Cast | Allow users to Cast from Chrome | Do not allow users to Cast | |||||||||||||
62 | Printing | Printing | Enable printing | ||||||||||||||
63 | Printing | Printing | Disable printing | ||||||||||||||
64 | Printing | Print Preview Default | Default printer selection | Use default print behavior | |||||||||||||
65 | Printing | Print Preview Default | Default printer selection | Define the default printer | |||||||||||||
66 | Printing | Print Preview Default | Printer Types | Cloud & Local printers | |||||||||||||
67 | Printing | Print Preview Default | Printer Types | Cloud only | |||||||||||||
68 | Printing | Print Preview Default | Printer Types | Local only | |||||||||||||
69 | Printing | Print Preview Default | Printer Matching | Match by Name | |||||||||||||
70 | Printing | Print Preview Default | Printer Matching | Match by ID | |||||||||||||
71 | Printing | Print Preview Default | Enter a regular expression that matches the desired default printer selection. The print preview will default to the first printer to match the regular expression. | Default Printer | regular expression | ||||||||||||
72 | Printing | Native Chrome OS Printing | Native Chrome OS Printers | Manage | |||||||||||||
73 | User Experience | Managed Bookmarks | Managed Bookmarks Folder Name | ||||||||||||||
74 | User Experience | Managed Bookmarks | URL/Name | ||||||||||||||
75 | User Experience | Bookmark Bar | Enable bookmark bar | ||||||||||||||
76 | User Experience | Bookmark Bar | Disable bookmark bar | ||||||||||||||
77 | User Experience | Bookmark Bar | Allow user to decide whether to enable bookmark bar | ||||||||||||||
78 | User Experience | Spell Check Service | Enable the spell checking web service | ||||||||||||||
79 | User Experience | Spell Check Service | Disable the spell checking web service | ||||||||||||||
80 | User Experience | Spell Check Service | Allow user to decide whether to use the spell checking web service | ||||||||||||||
81 | User Experience | Google Translate | Always offer translation | ||||||||||||||
82 | User Experience | Google Translate | Never offer translation | ||||||||||||||
83 | User Experience | Google Translate | Allow user to configure | ||||||||||||||
84 | User Experience | Developer Tools | Developer Tools | Always allow use of built-in developer tools | |||||||||||||
85 | User Experience | Developer Tools | Developer Tools | Never allow use of built-in developer tools | |||||||||||||
86 | User Experience | Form Auto-fill | Never auto-fill forms | ||||||||||||||
87 | User Experience | Form Auto-fill | Allow user to configure | ||||||||||||||
88 | User Experience | Session Locale | Create an ordered shortlist of locales recommended for a Public Session | Language and Keyboard | Recommended languages | ||||||||||||
89 | User Experience | Unified Desktop (BETA) | Unified Desktop mode allows applications to span multiple displays. | Do not make Unified Desktop mode available to user | |||||||||||||
90 | User Experience | Unified Desktop (BETA) | Unified Desktop mode allows applications to span multiple displays. | Make Unified Desktop mode available to user | |||||||||||||
91 | Omnibox Search Provider | Search Suggest | Always allow users to use Search Suggest | ||||||||||||||
92 | Omnibox Search Provider | Search Suggest | Never allow users to use Search Suggest | ||||||||||||||
93 | Omnibox Search Provider | Search Suggest | Allow user to configure | ||||||||||||||
94 | Omnibox Search Provider | Omnibox Search Provider | Allow user to select the Omnibox Search Provider | ||||||||||||||
95 | Omnibox Search Provider | Omnibox Search Provider | Lock the Omnibox Search Provider settings to the values below | ||||||||||||||
96 | Hardware | External Storage Devices | Secure Digital (SD) Cards, USB Flash Drive Devices, and MTP devices | Allow external storage devices | |||||||||||||
97 | Hardware | External Storage Devices | Secure Digital (SD) Cards, USB Flash Drive Devices, and MTP devices | Allow external storage devices (read only) | |||||||||||||
98 | Hardware | External Storage Devices | Secure Digital (SD) Cards, USB Flash Drive Devices, and MTP devices | Disallow external storage devices | |||||||||||||
99 | Hardware | Audio Input | Microphone and Audio Input | ||||||||||||||
100 | Hardware | Audio Input | Prompt user to allow each time | ||||||||||||||
101 | Hardware | Audio Input | Disable audio input | ||||||||||||||
102 | Hardware | Audio Output | Speakers and Audio Output | ||||||||||||||
103 | Hardware | Audio Output | Enable audio output | ||||||||||||||
104 | Hardware | Audio Output | Disable audio output | ||||||||||||||
105 | Hardware | Video Input | Video Input | ||||||||||||||
106 | Hardware | Video Input | Enable video input | ||||||||||||||
107 | Hardware | Video Input | Disable video input | ||||||||||||||
108 | Hardware | Keyboard | Set default top-row key behavior | Treat top-row keys as media keys, but allow user to change | |||||||||||||
109 | Hardware | Keyboard | Set default top-row key behavior | Treat top-row keys as function keys, but allow user to change | |||||||||||||
1 | < Index | ||||||||
---|---|---|---|---|---|---|---|---|---|
2 | Setting | Impact | Mitigation | Category | Title | Sub Item | Option | Comments | |
3 | Device | Inhibits | Account Monitoring and Control | Sign-in Settings | Sign-in Restriction | Do not allow any users to Sign-in | This would limit a significant amount of the controls we have put in place. So, no. Don't use this. | ||
4 | Device | Supports | Account Monitoring and Control | Sign-in Settings | Single Sign-On Camera Permissions | Whitelist of single sign-on camera permissions | I know what you are thinking. Why would I want to give my login service camera access? If you do some research, your next question will be: what in all that is holy is a "clever badge?" [1] Well, this function allows your team members to use the device's camera to support single sign-on. Heck, if you really wanted to, you could have it ping a 24-hour desk who knew what your team members looked like and have them authenticate based upon a conversation that ensures they are not under duress and are in good health. That would be a cluster-f**ck of sadness that would quickly fall apart, but you could do it. It's a cool feature. It's mostly useful for adding another form of multi-factor. I don't see any amazing services that are using it yet. [1] https://clever.com/products/badges | ||
5 | Device | Supports | Account Monitoring and Control | Sign-in Settings | Single Sign-On Cookie Behavior | Disable transfer of SAML SSO Cookies into team member session during login | |||
6 | Device | Supports | Account Monitoring and Control | Sign-in Settings | Single Sign-On Cookie Behavior | Enable transfer of SAML SSO Cookies into team member session during login | |||
7 | Device | Supports | Account Monitoring and Control | Sign-in Settings | Single Sign-On IdP Redirection | Allow user's to go directly to SAML SSO IdP page | This option has the team member enter their email address before being taken to the SAML IdP page of your organization. If your SAML IdP site exposes organizational information than forcing the team member to enter their email first adds a small barrier between opening the device and exposing organizational information. Security Assertion Markup Language (SAML) Single Sign-On (SSO) support for Chrome devices allows team member's to sign in to a Chrome device with the same authentication mechanisms that you use within the rest of your organization. Their passwords can remain within your organization's Identity Provider (IdP). | ||
8 | Device | Supports | Account Monitoring and Control | Sign-in Settings | Single Sign-On IdP Redirection | Default. Take team member's to the default Google login page | This option has the team member enter their email address before being taken to the SAML IdP page of your organization. If your SAML IdP site exposes organizational information than forcing the team member to enter their email first adds a small barrier between opening the device and exposing organizational information. Security Assertion Markup Language (SAML) Single Sign-On (SSO) support for Chrome devices allows team member's to sign in to a Chrome device with the same authentication mechanisms that you use within the rest of your organization. Their passwords can remain within your organization's Identity Provider (IdP). | ||
9 | Device | Supports | Account Monitoring and Control | User & Device Reporting | Device Reporting | Device State Reporting | Enable device state reporting | Allows you to keep track of the status of your devices. Most importantly, it lets you see whether a team member's device has had its boot mode changed to developer mode, which disables verified boot and is one of the ways a Chromebook gets compromised. By monitoring this you can quickly identify possibly malicious behavior, alert the team member, and, if they changed modes deliberately, work out how to support the greater access they need in future. | |
10 | User | Supports | Account Monitoring and Control | Content | Client Certificates | Automatically Select Client Certificate for These Sites - If a site matching a pattern below requests a client certificate, Chrome will automatically select one for it. | This option only removes the certificate-picker prompt. You still need to implement client certificate authentication on your services, and certificate issuance and management in your device provisioning process. | ||
11 | User | Inhibits | Account Monitoring and Control | Enrollment Controls | Device Enrollment | Keep Chrome device in current location | |||
12 | User | Requires | Account Monitoring and Control | Enrollment Controls | Device Enrollment | Place Chrome device in team member organization | |||
13 | Device | Inhibits | App Pinning | Sign-in Settings | Sign-in Restriction | Do not allow any users to Sign-in | This would limit a significant amount of the controls we have put in place. So, no. Don't use this. | ||
14 | User | Requires | Blacklist(s) | Apps and Extensions | Allow or Block All Apps and Extensions | Allow all apps and extensions except the ones I block | See blacklisting problems under the blacklisting mitigation. | ||
15 | User | Requires | Blacklist(s) | Content | Images | Block Images on These Sites | See blacklisting problems under the blacklisting mitigation. | ||
16 | User | Requires | Blacklist(s) | Content | JavaScript | Block JavaScript on These Sites | See blacklisting problems under the blacklisting mitigation. | ||
17 | User | Requires | Blacklist(s) | Content | Plug-ins | Block Plug-ins on These Sites | See blacklisting problems under the blacklisting mitigation. | ||
18 | User | Requires | Blacklist(s) | Content | Pop-ups | Block Pop-ups on These Sites | See blacklisting problems under the blacklisting mitigation. | ||
19 | User | Requires | Blacklist(s) | Content | URL Blocking | URL Blacklist | A blacklist, with blacklist problems. But, while this is not directly relevant to the travel use case, the field takes up to 1000 entries, which is easy enough to fill with the common typosquats of your domains [1]. With some research, and lots of testing against your network logs, it could also be used to block domains commonly used in phishing attacks. Honestly, the only reason I am allowing this blacklist is because I think it would be fun to implement. [1] https://github.com/elceef/dnstwist | ||
20 | User | Requires | Blacklist(s) | Content | URL Blocking | URL Blacklist | See blacklisting problems under the blacklisting mitigation. | ||
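A worked example for the URL Blacklist rows above, added here and not part of the original spreadsheet or of dnstwist: a small, dependency-free reimplementation of the permutation classes dnstwist reports (omission, transposition, repetition, homoglyph, vowel swap, hyphenation, replacement, insertion). It emits hostnames in the form the URL blocklist field accepts (a bare hostname blocks every scheme and every subdomain) and stops at the policy's 1000-entry limit, dropping the long tail of arbitrary insertions first so the one-keystroke typos people actually make survive. The domain names are constructed. For a production list, run dnstwist itself and keep only the candidates that actually resolve.

```python
"""Generate a URL blocklist of likely typosquats for the organization's own domains.

Added example; not dnstwist's code. The 1000-entry cap mirrors the limit on
Chrome's URL blocklist policy that the row refers to.
"""
import string

POLICY_LIMIT = 1000  # Chrome's URLBlocklist policy accepts at most 1000 entries

# Visually similar swaps, a subset of what dnstwist calls homoglyphs.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5",
              "g": "9", "b": "d", "m": "rn", "w": "vv"}
VOWELS = "aeiou"
ALPHANUM = string.ascii_lowercase + string.digits

# Emission order when the cap bites: cheap single-keystroke errors first.
CLASS_ORDER = ["omission", "transposition", "repetition", "homoglyph",
               "vowel-swap", "hyphenation", "replacement", "insertion"]


def _permutations(label):
    """Yield (typo_class, candidate_label) pairs for one DNS label."""
    n = len(label)
    for i in range(n):                                   # omission: exmple
        yield "omission", label[:i] + label[i + 1:]
    for i in range(n - 1):                               # transposition: exmaple
        yield "transposition", label[:i] + label[i + 1] + label[i] + label[i + 2:]
    for i in range(n):                                   # repetition: exaample
        yield "repetition", label[:i] + label[i] + label[i:]
    for i, ch in enumerate(label):                       # homoglyph: examp1e
        if ch in HOMOGLYPHS:
            yield "homoglyph", label[:i] + HOMOGLYPHS[ch] + label[i + 1:]
    for i, ch in enumerate(label):                       # vowel swap: exumple
        if ch in VOWELS:
            for v in VOWELS:
                if v != ch:
                    yield "vowel-swap", label[:i] + v + label[i + 1:]
    for i in range(1, n):                                # hyphenation: exam-ple
        yield "hyphenation", label[:i] + "-" + label[i:]
    for i in range(n):                                   # replacement: ezample
        for ch in ALPHANUM:
            if ch != label[i]:
                yield "replacement", label[:i] + ch + label[i + 1:]
    for i in range(n + 1):                               # insertion: exxample
        for ch in ALPHANUM:
            yield "insertion", label[:i] + ch + label[i:]


def typosquat_blocklist(domains, limit=POLICY_LIMIT):
    """Return de-duplicated candidate hostnames for the URL blocklist field.

    The real domains are never emitted. Candidates are ordered by typo class
    (CLASS_ORDER) and then alphabetically, and truncated at `limit`.
    """
    real = {d.lower() for d in domains}
    candidates = []
    for domain in real:
        label, _, tld = domain.rpartition(".")   # TLD is left untouched
        for cls, cand in _permutations(label):
            if cand and not cand.startswith("-") and not cand.endswith("-"):
                candidates.append((CLASS_ORDER.index(cls), f"{cand}.{tld}"))
    out, seen = [], set(real)
    for _rank, host in sorted(candidates):
        if host not in seen:
            seen.add(host)
            out.append(host)
        if len(out) >= limit:
            break
    return out


if __name__ == "__main__":
    # Constructed domain; paste the output, one host per line, into the URL Blacklist field.
    print("\n".join(typosquat_blocklist(["example.org"])))
```

Because the list is capped per policy rather than per domain, protecting several domains means the later classes (replacement, insertion) are the ones that get cut; if you need full coverage for more than one domain, split them across organizational units or fall back to dnstwist's resolved-only output.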
21 | User | Supports | Blacklist(s) | Android applications | Access to Android applications | Do not allow | By allowing search initially you can implement a process where you collect the apps your team members commonly use and build out a whitelist. Then, once you have a solid understanding of the full suite of apps team members want, you can remove the ability to search and use the same force-install and allowed-installation-candidate model described under Apps and Extensions [1]. [1] https://support.google.com/chrome/a/answer/7131624 | ||
22 | User | Inhibits | Boundary Defense | User Experience | Multiple Sign-in Access | Managed team member must be the primary team member (secondary team members are allowed) | Secondary accounts inherit access to policy-defined networks (the managed Wi-Fi and VPN configurations pushed to the device). That means accounts you do not entirely control get onto internal networks you define. That's not cool. | ||
23 | User | Inhibits | Boundary Defense | User Experience | Multiple Sign-in Access | Unrestricted team member access (allow any team member to be added to any other user's session) | Secondary accounts inherit access to policy-defined networks (the managed Wi-Fi and VPN configurations pushed to the device). That means accounts you do not entirely control get onto internal networks you define. That's not cool. | ||
24 | Device | Supports | Chrome Remote Desktop | Enrollment & Access | Verified Access | Enable for Enterprise Extensions | If you have the resources to implement Verified Access on your enterprise systems (VPNs, file servers, etc.), those services can admit only specific team members, on specific enrolled devices, which the device's TPM-backed attestation shows to be booted in verified mode. This is the kind of control I would like around the travelers' sensitive information archives and any other services holding sensitive data. | ||
25 | Device | Supports | Chrome Remote Desktop | Enrollment & Access | Verified Mode | Require verified mode boot for Verified Access | Only relevant if Verified Access is in use. | ||
26 | Device | Inhibits | Chrome Remote Desktop | Enrollment & Access | Verified Mode | Skip boot mode check for Verified Access | Only relevant if Verified Access is in use. Skipping the boot mode check defeats the point: a device switched to developer mode would still pass attestation. | ||
27 | Device | Supports | Chrome Remote Desktop | Other | USB Detachable Whitelist | List of VID:PID pairs | This lets you whitelist USB devices that applications may access directly. By default USB flash drives, webcams and headsets are not redirected to applications, so to let remote desktop or desktop virtualization software use a specific piece of hardware you have to approve that hardware here. If you are going to be buying USB headsets for your staff to use when traveling, buy only a few different models and whitelist them here. | ||
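A worked example for the USB Detachable Whitelist row, added here and not from the page or from Google: the console wants one vendor:product pair per line, and `lsusb` on any Linux host prints exactly that, so the practical workflow is to plug in each headset model you bought, run `lsusb`, and keep only those lines. The root-hub lines below are what `lsusb` prints on any Linux box; the headset and flash-drive lines, their IDs and vendor names are constructed placeholders, not real hardware identifiers. Filtering by the vendor IDs you actually purchased keeps a flash drive that happened to be plugged in during enumeration off the list.

```python
"""Build the VID:PID allowlist for the USB Detachable Whitelist from lsusb output.

Added example; device IDs other than the Linux Foundation root hubs are
constructed placeholders.
"""
import re

# One lsusb line: "Bus 001 Device 004: ID aa01:0101 Vendor Product"
LSUSB_LINE = re.compile(
    r"^Bus \d{3} Device \d{3}: ID (?P<vid>[0-9a-f]{4}):(?P<pid>[0-9a-f]{4})\s*(?P<desc>.*)$",
    re.IGNORECASE,
)
# Hubs appear in lsusb output but must never be redirected into an application.
HUB = re.compile(r"\bhub\b", re.IGNORECASE)
# What the console field expects per line: four lowercase hex, colon, four lowercase hex.
PAIR = re.compile(r"^[0-9a-f]{4}:[0-9a-f]{4}$")

SAMPLE_LSUSB = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 004: ID aa01:0101 Example Audio Travel Headset (constructed)
Bus 001 Device 005: ID aa01:0102 Example Audio Travel Headset Pro (constructed)
Bus 001 Device 006: ID bb02:2001 Example Storage Flash Drive (constructed)
Bus 001 Device 007: ID AA01:0101 Example Audio Travel Headset (constructed, second port)
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
"""


def parse_lsusb(text):
    """Return [(vid, pid, description)] for every non-hub device line, IDs lowercased."""
    devices = []
    for line in text.splitlines():
        m = LSUSB_LINE.match(line.strip())
        if not m or HUB.search(m["desc"]):
            continue
        devices.append((m["vid"].lower(), m["pid"].lower(), m["desc"].strip()))
    return devices


def allowlist(text, approved_vendors):
    """Sorted, de-duplicated VID:PID lines for the console, limited to vendors you bought from."""
    approved = {v.lower() for v in approved_vendors}
    pairs = {f"{vid}:{pid}" for vid, pid, _ in parse_lsusb(text) if vid in approved}
    return sorted(pairs)


def validate_allowlist(lines):
    """Return the entries that are not exactly four-hex:four-hex (catches hand-edit typos)."""
    return [ln for ln in lines if not PAIR.match(ln)]


if __name__ == "__main__":
    # "aa01" is the constructed vendor ID of the headsets we standardised on.
    for entry in allowlist(SAMPLE_LSUSB, ["aa01"]):
        print(entry)
```

Keep the generated list under version control alongside the purchase record; when a new headset model is bought, re-run the enumeration rather than typing the pair by hand, and run `validate_allowlist` over any list someone edited manually before pasting it into the console.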
28 | Device | Inhibits | Chrome Remote Desktop | Sign-in Settings | Sign-in Restriction | Do not allow any users to Sign-in | This would limit a significant amount of the controls we have put in place. So, no. Don't use this. | ||
29 | User | Supports | Chrome Remote Desktop | User Verification | Verified Mode | Verified Mode Boot Check | Require verified mode boot for Verified Access | Only relevant if Verified Access is in use. | |
30 | User | Inhibits | Chrome Remote Desktop | User Verification | Verified Mode | Verified Mode Boot Check | Skip boot mode check for Verified Access | Only relevant if Verified Access is in use. Skipping the boot mode check defeats the point: a device switched to developer mode would still pass attestation. | |
31 | User | Supports | Chrome Remote Desktop | Verified Access | Verified Access | Enable for Enterprise Extensions | If you have the resources to implement Verified Access on your enterprise systems (VPNs, file servers, etc.), those services can admit only specific team members, on specific enrolled devices, which the device's TPM-backed attestation shows to be booted in verified mode. This is the kind of control I would like around the travelers' sensitive information archives and any other services holding sensitive data. | ||
32 | User | Supports | Chrome Remote Desktop | Apps and Extensions | Force-installed Apps and Extensions | Manage force-installed apps | If you want to provide remote support to your travelers using remote desktop, add Chrome Remote Desktop [1][2] to the apps available on the Chromebook. This can be done through the recommended apps or through force install. [1] https://support.google.com/chrome/answer/1649523 [2] https://chrome.google.com/webstore/detail/chrome-remote-desktop/gbchcmhmhahfdphkhkmpfmihenigjmpp | ||
33 | User | Supports | Chrome Remote Desktop | Chrome Web Store | Chrome Web Store Homepage | Chrome Web Store Homepage | Use a custom page, set below | If you want to provide remote support to your travelers using remote desktop, add Chrome Remote Desktop [1][2] to the apps available on the Chromebook. This can be done through the recommended apps or through force install. [1] https://support.google.com/chrome/answer/1649523 [2] https://chrome.google.com/webstore/detail/chrome-remote-desktop/gbchcmhmhahfdphkhkmpfmihenigjmpp | |
34 | User | Inhibits | Cohesive Security Tool Adoption | Android applications | Access to Android applications | Allow | With greater access to the world of Android applications in the Google Play store you are likely to see tool divergence when you have distributed and/or largely independent teams. Make sure you have solid adoption of your core security tool set before opening up the app store on travel devices. | ||
35 | User | Inhibits | Cohesive Security Tool Adoption | Android applications | Account Management | Google account | By default, team members can add a secondary account (for example, their personal Gmail account) to get access to more Android apps than just the ones you explicitly approved for managed Google Play. This circumvents any Play app whitelisting put in place on the device. | ||
36 | User | Supports | Cohesive Security Tool Adoption | Android applications | Android applications on Chrome devices | Allow | This allows you to pick appropriate security tools for your team members from a much larger, more secure, more functional, and often more usable array of possible security tools. | ||
37 | User | Inhibits | Cohesive Security Tool Adoption | Android applications | Android applications on Chrome devices | Do not allow | |||
38 | User | Supports | Cohesive Security Tool Adoption | Apps and Extensions | Force-installed Apps and Extensions | Manage force-installed apps | Force installing apps ensures that team members have a consistent baseline set of applications they have been trained to use. These "baseline apps" should be the same apps team members are trained on, and the ones that support the security policies and practices you put in place. | ||
39 | User | Supports | Cohesive Security Tool Adoption | Chrome Web Store | Chrome Web Store Homepage | Chrome Web Store Homepage | Use a custom page, set below | Use the URL and title of the custom Chrome Web Store page to make clear to team members that this is the official recommendation of the administrators and/or security team. By providing recommendations you combat the splits in tool usage that ad-hoc adoption of security tools by staff often causes. This matters for a sustainable security program because the more varied the application usage within your team, the more complex your admin/security team's risk assessments have to be. | |
40 | User | Supports | Cohesive Security Tool Adoption | Chrome Web Store | Chrome Web Store Homepage | What should the collection name be? | Proper branding for your collection will help guide team members to these apps. | ||
41 | Device | Inhibits | Cohesive Security Tool Adoption | Sign-in Settings | Guest Mode | Allow guest mode | With guest mode team members are presented with a session that has none of the security measures we put in place on team member accounts. With proper training on how to use their devices safely and anonymously, and then remove the trail of data from that use, they can have the best of both worlds. | ||
42 | Device | Inhibits | Cohesive Security Tool Adoption | Sign-in Settings | Sign-in Restriction | Do not allow any users to Sign-in | This would limit a significant amount of the controls we have put in place. So, no. Don't use this. | ||
43 | Device | Inhibits | Cohesive Security Tool Adoption | Sign-in Settings | team member Data | Erase all local team member data | This is the ephemeral mode we have been talking about. It deletes all team member state between logins. It also means that any settings and/or configurations not hard-coded by policy have to be re-entered. This is a HUGE pain if the team member uses a lot of apps and does not have a password manager pre-configured on the device. | ||
44 | User | Inhibits | Controlled Access Based On Need to Know | Enrollment Controls | Device Enrollment | Keep Chrome device in current location | |||
45 | User | Supports | Controlled Access Based On Need to Know | Enrollment Controls | Device Enrollment | Place Chrome device in team member organization | |||
46 | Device | Supports | Crisis Identification | User & Device Reporting | Inactive Device Notifications | Email addresses to receive notification reports | Email addresses to receive notification reports | Make sure the people who receive these know what they mean, and that more than one person receives them, so incidents don't get missed. | |
47 | Device | Supports | Crisis Identification | User & Device Reporting | Inactive Device Notifications | Inactive Device Notification Reports | Enable inactive device notifications | Helps your admin keep track of devices that are not in use. It is a way to identify whether a team member is likely circumventing the controls the device provides by using another device, whether that team member may be in trouble (indicated by their ceasing all work), or whether a device has been stolen. | |
48 | Device | Supports | Crisis Identification | User & Device Reporting | Inactive Device Notifications | Inactive Range (days) | Inactive Range (days) | A shorter inactive range gives you a quicker response, but it also creates a lot of noise. Start with a low value, build up a baseline of how often devices legitimately go quiet, and use it to raise the setting to a value you can actually act on. | |
49 | Device | Supports | Crisis Identification | User & Device Reporting | Inactive Device Notifications | Notification Cadence (days) | Notification Cadence (days) | A shorter re-alert interval surfaces chronic behavior, but it also creates a lot of noise. Start low, build up a baseline, and settle on a value you can act on. | |
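A worked example for the Device State Reporting row (boot mode) and the Inactive Device Notification rows above, added here and not from the page: the two checks an admin would run over a device inventory export before relying on the console notifications. The records are constructed to resemble the fields the Admin SDK Directory API returns for a ChromeOS device (`serialNumber`, `annotatedUser`, `bootMode`, `lastSync`); those field names and the `Verified`/`Dev` values are assumptions to confirm against the API reference before pointing this at a real export. The `alert_volume` function is the "build a baseline" step: it shows how many devices each candidate Inactive Range would alert on, so you can pick the smallest threshold whose count you can actually follow up on.

```python
"""Flag Chromebooks that left verified boot or have gone quiet.

Added example; the inventory records below are constructed, and the field
names mirror (as an assumption) the Directory API chromeosdevices resource.
"""
from datetime import datetime, timedelta, timezone

# Constructed inventory export: device ...02 was switched to developer mode,
# device ...03 has not checked in for weeks.
SAMPLE_DEVICES = [
    {"serialNumber": "5CD0000001", "annotatedUser": "ana@example.org",
     "bootMode": "Verified", "lastSync": "2019-03-20T08:15:00.000Z"},
    {"serialNumber": "5CD0000002", "annotatedUser": "ben@example.org",
     "bootMode": "Dev", "lastSync": "2019-03-21T17:40:00.000Z"},
    {"serialNumber": "5CD0000003", "annotatedUser": "cam@example.org",
     "bootMode": "Verified", "lastSync": "2019-02-01T09:00:00.000Z"},
    {"serialNumber": "5CD0000004", "annotatedUser": "dee@example.org",
     "bootMode": "Verified", "lastSync": "2019-03-21T06:05:00.000Z"},
]

# Fixed "now" so the thresholds below are reproducible.
NOW = datetime(2019, 3, 22, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse the RFC 3339 UTC timestamps used above (e.g. 2019-03-20T08:15:00.000Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def unverified_boot(devices):
    """Serials whose last report is anything other than verified boot.

    Developer mode disables verified boot and is the usual first step in
    tampering with a Chromebook, so treat it as an incident unless the
    traveler arranged it beforehand.
    """
    return sorted(d["serialNumber"] for d in devices if d.get("bootMode") != "Verified")


def inactive(devices, days, now=NOW):
    """Serials that have not synced within the last `days` days."""
    cutoff = now - timedelta(days=days)
    return sorted(d["serialNumber"] for d in devices if parse_ts(d["lastSync"]) < cutoff)


def alert_volume(devices, thresholds=(1, 3, 7, 14, 30), now=NOW):
    """How many devices each candidate Inactive Range setting would alert on."""
    return {t: len(inactive(devices, t, now)) for t in thresholds}


def triage(devices, inactive_days=7, now=NOW):
    """Combined view keyed by serial: whose device, and why it needs a call."""
    owners = {d["serialNumber"]: d.get("annotatedUser", "unassigned") for d in devices}
    findings = {}
    for serial in unverified_boot(devices):
        findings.setdefault(serial, {"owner": owners[serial], "reasons": []})
        findings[serial]["reasons"].append("boot mode not Verified")
    for serial in inactive(devices, inactive_days, now):
        findings.setdefault(serial, {"owner": owners[serial], "reasons": []})
        findings[serial]["reasons"].append(f"no sync in {inactive_days} days")
    return findings


if __name__ == "__main__":
    for serial, f in triage(SAMPLE_DEVICES).items():
        print(serial, f["owner"], "; ".join(f["reasons"]))
    print(alert_volume(SAMPLE_DEVICES))
```

On the constructed data a one-day range would already page on two devices, one of them a traveler who simply did not open the lid yesterday, while three days and up isolates the device that has actually gone dark; that is the kind of spread the baseline exercise is meant to surface before the notification goes live.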
50 | Device | Inhibits | Custom Chrome Web Store Homepage | Sign-in Settings | Sign-in Restriction | Do not allow any users to Sign-in | This would limit a significant amount of the controls we have put in place. So, no. Don't use this. | ||
51 | User | Requires | Custom Chrome Web Store Homepage | Chrome Web Store | Chrome Web Store Homepage | Chrome Web Store Homepage | Use a custom page, set below | ||
52 | User | Requires | Custom Chrome Web Store Homepage | Chrome Web Store | Chrome Web Store Homepage | Chrome Web Store Homepage | Use the 'For [YOUR_DOMAIN>TLD]' collection: | ||
53 | User | Requires | Custom Chrome Web Store Homepage | Chrome Web Store | Chrome Web Store Homepage | Chrome Web Store Homepage | Use the default homepage | ||
54 | Device | Supports | Desktop Virtualization | Other | USB Detachable Whitelist | List of VID:PID pairs | This lets you whitelist USB devices that applications may access directly. By default USB flash drives, webcams and headsets are not redirected to applications, so to let remote desktop or desktop virtualization software use a specific piece of hardware you have to approve that hardware here. If you are going to be buying USB headsets for your staff to use when traveling, buy only a few different models and whitelist them here. | ||
55 | Device | Inhibits | Desktop Virtualization | Sign-in Settings | Sign-in Restriction | Do not allow any users to Sign-in | This would limit a significant amount of the controls we have put in place. So, no. Don't use this. | ||
56 | User | Requires | Desktop Virtualization | Security | Malicious Sites | Prevent team member from proceeding anyway to malicious sites | If your team members are doing investigative research it might also make sense to let them proceed to malicious sites. But even then they should not be doing it on their primary device. If they wish to use Chromebooks for these use cases instead of their primary browser, a more locked-down setup can be created, either on easily wipeable Chromebooks or with disposable VMs they remote into from their travel Chromebook. | ||
57 | Device | Supports | Device Wiping | Power & Shutdown | Power Management | Allow device to sleep/shut down when idle on the sign-in screen | This is great for ensuring that devices are secured after a period of idleness. But if you are using ephemeral mode, or team members are relying on offline mode, an automatic shutdown can lead to big problems (an ephemeral session's state is gone once the device powers off). So be careful with this one. | ||
58 | Device | Supports | Device Wiping | Power & Shutdown | Scheduled Reboot | Number of days before reboot; leave empty for unset | In the future this will be another way to limit the data left on team members' devices after they are confiscated, stolen, or lost. It has all the same drawbacks as well: it requires training your team members to expect it and understand why it is in place, making sure it fits their workflows, and being receptive to changes in its frequency if it interferes. (Currently, automatic reboots work only when the device is configured as a Public Session kiosk and the sign-in screen is being shown. For more information, see How do I schedule a Chrome device to reboot?) | ||
59 | Device | Supports | Device Wiping | Sign-in Settings | Guest Mode | Allow guest mode | Useful for mid-range threat environments where the team member does not want full ephemeral usage, but does not want to have their recent online behavior tracked between sessions. | ||
60 | Device | Supports | Device Wiping | Sign-in Settings | team member Data | Erase all local team member data | This is the ephemeral mode we have been talking about. It deletes all team member state between logins. It also means that any settings and/or configurations not hard-coded by policy have to be re-entered. This is a HUGE pain if the team member uses a lot of apps and does not have a password manager pre-configured on the device. | ||
61 | User | Supports | Device Wiping | Content | Cookies | Default Cookie Setting | Keep cookies for the duration of the session | Useful for mid-range threat environments where the team member does not want full ephemeral usage, but does not want to have their recent online behavior tracked between sessions. | |
62 | User | Supports | Device Wiping | Security | Idle Settings | Action on idle | Logout | ||
63 | User | Supports | Device Wiping | Security | Idle Settings | Action on lid close | Logout | ||
64 | User | Supports | Device Wiping | Security | Lock Screen | Do not allow locking screen | This confusingly worded option provides greater security (and inconvenience) when the lock screen is disabled: when locking is not allowed, the team member is logged out entirely in situations where the lock screen would normally have activated. This is ideal for environments where wiping current activity off the device should be quick, automatic, and frequent. | ||
65 | Device | Supports | Device Wiping | Other | Time Zone | Keep timezone as it is on device currently | This should default to the timezone the device was reset in, so this is the correct answer. Travelers should not be using devices that have not been fully reset to wipe all team member data and sessions between team members. | ||
66 | Device | Inhibits | Emergency Communication Practices | Enrollment & Access | Verified Access | Enable for Enterprise Extensions | If you are doing this, make sure you don't over-secure to the point where a team member cannot contact you in an emergency, i.e. do greater contingency planning around stronger security like this if your team members will have time-sensitive tasks requiring access to data and services in complex environments. | ||
67 | User | Inhibits | Emergency Communication Practices | Verified Access | Verified Access | Enable for Enterprise Extensions | If you are doing this, make sure you don't over-secure to the point where a team member cannot contact you in an emergency, i.e. do greater contingency planning around stronger security like this if your team members will have time-sensitive tasks requiring access to data and services in complex environments. | ||
68 | User | Supports | Encrypted External Storage devices | Hardware | External Storage devices | Allow external storage devices (read only) | |||
69 | User | Both | Encrypted External Storage devices | Hardware | External Storage devices | Allow external storage devices (read only) | Read-only access makes it impossible for the traveler to write sensitive information to external media while they are in country. But with access to, and proper use of, a secured archive they should be able to protect data in transit without the use of external devices. | ||
70 | User | Inhibits | Encrypted External Storage devices | Hardware | External Storage devices | Disallow external storage devices | |||
71 | Device | Supports | Encrypted online archive | Enrollment & Access | Verified Access | Enable for Enterprise Extensions | If you have the resources to implement Verified Access on your enterprise systems (VPNs, file servers, etc.), those services can admit only specific team members, on specific enrolled devices, which the device's TPM-backed attestation shows to be booted in verified mode. This is the kind of control I would like around the travelers' sensitive information archives and any other services holding sensitive data. | ||
72 | Device | Supports | Encrypted online archive | Enrollment & Access | Verified Mode | Require verified mode boot for Verified Access | Only relevant if Verified Access is in use. | ||
73 | Device | Inhibits | Encrypted online archive | Enrollment & Access | Verified Mode | Skip boot mode check for Verified Access | Only relevant if Verified Access is in use. Skipping the boot mode check defeats the point: a device switched to developer mode would still pass attestation. | ||
74 | User | Supports | Encrypted online archive | User Verification | Verified Mode | Verified Mode Boot Check | Require verified mode boot for Verified Access | Only relevant if Verified Access is in use. | |
75 | User | Inhibits | Encrypted online archive | User Verification | Verified Mode | Verified Mode Boot Check | Skip boot mode check for Verified Access | Only relevant if Verified Access is in use. Skipping the boot mode check defeats the point: a device switched to developer mode would still pass attestation. | |
76 | User | Supports | Encrypted online archive | Verified Access | Verified Access | Enable for Enterprise Extensions | If you have the resources to implement Verified Access on your enterprise systems (VPNs, file servers, etc.), those services can admit only specific team members, on specific enrolled devices, which the device's TPM-backed attestation shows to be booted in verified mode. This is the kind of control I would like around the travelers' sensitive information archives and any other services holding sensitive data. | ||
77 | User | Requires | Enrollment Contact Policies | Enrollment Controls | Enrollment Permissions | Allow users in this organization to enroll new or deprovisioned devices | |||
78 | User | Inhibits | External Enterprise Mobility Management Tool | Apps and Extensions | Task Manager | Allow users to end processes with the Chrome task manager | This option restricts a team member's ability to kill processes. It is commonly used by schools where the student is in an adversarial relationship with the system administrator. In our use case we do not consider non-security-focused restrictions. There is only one security-focused reason I can think of to restrict team member access to the task manager: if we were using an external enterprise mobility management tool (a remote-wipe/control application) and did not want malicious actors with physical access to shut it down from the task manager. This document uses G Suite's built-in EMM tools and permission management to deal with this, so we do not need to restrict task manager access. | ||
79 | User | Supports | External Enterprise Mobility Management Tool | Apps and Extensions | Task Manager | Block team member's from ending processes with the Chrome task manager | |||
80 | User | Supports | External Enterprise Mobility Management Tool | Security | Remote access clients | Remote Access Host Client Domain - Configure the required domain name for remote access clients. | In short, this only allows remote access clients signed in to your Google Apps domain to connect to your travelers' Chromebooks. If you use a remote access client from another domain, add its domain here. NOTE: If this setting is disabled or not set, the host allows connections from authorized team members in any domain. | ||
81 | Device | Requires | In-country alternative working software identification | Device Update Settings | Auto Update Settings | Auto Update | Allow auto-updates | Updates are important, but they can break functionality. If there are mission-critical apps, and your admin team has the capacity to check that they all still work when Chrome updates, you can pause auto-updates for the few days it takes to test. If something breaks, the admin can delay the update until they have figured out how to get it working on the latest release. If you don't have an admin with that capability and capacity, this will require building staff capacity at finding alternate solutions when things break, because updates are critical for security. (I use "app/protocol blocked" here to mean unintentionally disabled by an update.) | |
82 | Device | Supports | In-country alternative working software identification | Sign-in Settings | Guest Mode | Allow guest mode | With a guest mode team member's will be presented with a device that does not contain any of the other security measures we have in place on team member accounts. With proper training on how to safely anonymously use their devices and then remove the trail of data from that use they can have the best of both worlds. | ||
83 | User | Supports | In-country alternative working software identification | Android applications | Access to Android applications | Allow | Being able to search for alternatives in the app store will give the team member more flexibility when they are unable to reach the admin/security team to have them identify and install an alternative solution. | ||
84 | User | Inhibits | In-country alternative working software identification | Android applications | Access to Android applications | Do not allow | |||
85 | User | Supports | In-country alternative working software identification | Android applications | Unknown Sources | Allow install from unknown sources | If team member's are traveling to countries that have requested that the security applications your team needs to use are removed from the app store then this will allow them to install those apps when in-country. - http://www.androidpolice.com/2014/08/20/brazilian-court-orders-google-to-remove-secret-app-from-the-play-store-and-remotely-wipe-it-from-phones/ | ||
86 | User | Inhibits | In-country alternative working software identification | Android applications | Unknown Sources | Do not allow install from unknown sources | |||
87 | User | Inhibits | In-country alternative working software identification | Network | Proxy Settings | Always use the proxy auto-config specified below | |||
88 | User | Inhibits | In-country alternative working software identification | Network | Proxy Settings | Always use the proxy specified below | |||
89 | Device | Inhibits | In-Country Device Swapping | Enrollment & Access | Verified Access | Enable for Enterprise Extensions | If you are doing this, make sure you don't over-secure to the point where a team member cannot get set up on another device if needed, i.e. do greater contingency planning around stronger security like this if your team members will have time-sensitive tasks requiring access to data and services in complex environments. | ||
90 | User | Inhibits | In-Country Device Swapping | Content | Client Certificates | Automatically Select Client Certificate for These Sites - If a site matching a pattern below requests a client certificate, Chrome will automatically select one for it. | You will have to put a side-channel process in place for installing the client certificate on the team member's new device if you are using in-country device swapping. | ||
91 | User | Supports | In-Country Device Swapping | Enrollment Controls | Enrollment Permissions | Allow users in this organization to enroll new or deprovisioned devices | This allows team members who are traveling to purchase and add new devices on the fly. If a team member needs a replacement phone or Chromebook they can purchase it in country and enroll it without intervention by an organizational admin. | ||
92 | User | Supports | In-Country Device Swapping | Hardware | External Storage devices | Allow external storage devices | External storage devices can be used to store, and upon getting a new device side-load, the credentials required to reconnect to locked-down services (e.g. client certificates). | ||
93 | User | Supports | In-Country Device Swapping | Hardware | External Storage devices | Allow external storage devices (read only) | External storage devices can be used to store, and upon getting a new device side-load, the credentials required to reconnect to locked-down services (e.g. client certificates). | ||
94 | User | Inhibits | In-Country Device Swapping | Hardware | External Storage devices | Disallow external storage devices | External storage devices can be used to store, and upon getting a new device side-load, the credentials required to reconnect to locked-down services (e.g. client certificates). Disallowing them removes that fallback. | ||
95 | User | Inhibits | In-Country Device Swapping | Verified Access | Verified Access | Enable for Enterprise Extensions | If you are doing this, make sure you don't over-secure to the point where a team member cannot get set up on another device if needed, i.e. do greater contingency planning around stronger security like this if your team members will have time-sensitive tasks requiring access to data and services in complex environments. | ||
96 | Device | Supports | Inventory of Authorized and Unauthorized devices | Device Update Settings | Auto Update Settings | Auto reboot after updates | Allow auto-reboots | ||
97 | Device | Inhibits | Inventory of Authorized and Unauthorized devices | Device Update Settings | Auto Update Settings | Auto reboot after updates | Disallow auto-reboots | If team members miss device updates containing security fixes because they avoid turning their devices off at all costs, it opens up attack vectors for fast-moving advanced persistent adversaries. | |
98 | Device | Supports | Inventory of Authorized and Unauthorized devices | Enrollment & Access | Forced Re-enrollment | Force device to re-enroll into this domain after wiping | A wiped (powerwashed) device must re-enroll into your domain before it can be used again, so a lost, stolen, or deliberately wiped device cannot be turned into an unmanaged device and stays in your inventory. | ||
99 | Device | Supports | Inventory of Authorized and Unauthorized devices | Enrollment & Access | Verified Access | Enable for Enterprise Extensions | If you have the resources to implement Verified Access on your enterprise systems (VPNs, file servers, etc.), those services can admit only specific team members, on specific enrolled devices, which the device's TPM-backed attestation shows to be booted in verified mode. This is the kind of control I would like around the travelers' sensitive information archives and any other services holding sensitive data. | ||
100 | Device | Supports | Inventory of Authorized and Unauthorized devices | Enrollment & Access | Verified Mode | Require verified mode boot for Verified Access | Only relevant if Verified Access is in use. | ||
101 | Device | Inhibits | Inventory of Authorized and Unauthorized devices | Enrollment & Access | Verified Mode | Skip boot mode check for Verified Access | Only relevant if Verified Access is in use. Skipping the boot mode check defeats the point: a device switched to developer mode would still pass attestation. | ||
102 | Device | Inhibits | Inventory of Authorized and Unauthorized devices | User & Device Reporting | Device Reporting | Device State Reporting | Disable device state reporting | ||
103 | Device | Supports | Inventory of Authorized and Unauthorized devices | User & Device Reporting | Device Reporting | Device State Reporting | Enable device state reporting | Allows you to keep track of the status of your devices. Most importantly, this one lets you see if one of your team members' devices has had its boot mode changed (one of the ways a Chromebook can be compromised). By monitoring this you can quickly identify possible malicious behavior, alert the user, and, if they meant to change modes for some reason, make sure that you can support them if they need greater access in the future. | |
104 | Device | Supports | Inventory of Authorized and Unauthorized devices | User & Device Reporting | Inactive Device Notifications | Inactive Device Notification Reports | Enable inactive device notifications | Helps your admin keep track of devices that are not in use. This is a way to identify whether a team member is likely circumventing the controls that the device provides by using another device, whether that team member may be in trouble (as indicated by their ceasing all work), or whether a device has been stolen. | |
105 | User | Inhibits | Inventory of Authorized and Unauthorized devices | Enrollment Controls | Asset Identifier During Enrollment | Do not allow for team members in this organization | Only for non-solo use cases. If you are an individual you don't need to track who has what hardware. | ||
106 | User | Supports | Inventory of Authorized and Unauthorized devices | Enrollment Controls | Asset Identifier During Enrollment | Team members in this organization can provide asset ID and location during enrollment | Only for non-solo use cases. If you are an individual you don't need to track who has what hardware. | ||
107 | User | Inhibits | Inventory of Authorized and Unauthorized devices | Enrollment Controls | Enrollment Permissions | Allow users in this organization to enroll new or deprovisioned devices | Allowing team members to register devices will make it harder for admins to control which devices are authorized on the network. | ||
108 | User | Supports | Inventory of Authorized and Unauthorized devices | Enrollment Controls | Enrollment Permissions | Do not allow team members in this organization to enroll new or deprovisioned devices | This option provides a greater level of control over the devices that will be added to your domain. But it also requires a greater amount of administrator availability to ensure that device enrollment does not impede the team's ability to add, and fully reset, devices during travel. | ||
109 | User | Supports | Inventory of Authorized and Unauthorized devices | User Verification | Verified Mode | Verified Mode Boot Check | Require verified mode boot for Verified Access | Only relevant if Verified Access is in use. | |
110 | User | Inhibits | Inventory of Authorized and Unauthorized devices | User Verification | Verified Mode | Verified Mode Boot Check | Skip boot mode check for Verified Access | Only relevant if Verified Access is in use. | |
111 | User | Supports | Inventory of Authorized and Unauthorized devices | Verified Access | Verified Access | Enable for Enterprise Extensions | If you have the resources to implement Verified Access on your enterprise systems (VPNs, file servers, etc.), this will only allow specific team members, on specific enrolled devices that are running in their normal (verified-boot) state, to access those services. This is the type of security that I would like to run around the travelers' sensitive information archives and any other services that contain sensitive data. | ||
112 | User | Supports | Inventory of Authorized and Unauthorized Software | Android applications | Access to Android applications | Do not allow | |||
113 | User | Inhibits | Inventory of Authorized and Unauthorized Software | Android applications | Account Management | Google account | By default, team members can add a secondary account (for example, their personal Gmail account) to get access to more Android apps than just the ones you explicitly approved for managed Google Play. This would circumvent any Google app whitelisting that was put in place on the device. | ||
114 | User | Supports | Inventory of Authorized and Unauthorized Software | Android applications | Android applications on Chrome devices | Allow | If you are restricting access to the Google app store, the same considerations found under Apps and Extensions apply here. While the documentation in this menu is not very clear about this fact, Android apps on Chromebooks use a whitelist-only model by default. (https://support.google.com/chrome/a/answer/7131624) | ||
115 | User | Requires | Inventory of Authorized and Unauthorized Software | Android applications | Android applications on Chrome devices | Allow | If you are restricting access to the Google app store, the same considerations found under Apps and Extensions apply here. While the documentation in this menu is not very clear about this fact, Android apps on Chromebooks use a whitelist-only model by default. (https://support.google.com/chrome/a/answer/7131624) | ||
116 | User | Inhibits | Inventory of Authorized and Unauthorized Software | Apps and Extensions | Allow or Block All Apps and Extensions | Allow all apps and extensions except the ones I block | |||
117 | User | Requires | Inventory of Authorized and Unauthorized Software | Apps and Extensions | Allow or Block All Apps and Extensions | Block all apps and extensions except the ones I allow | |||
118 | User | Requires | Inventory of Authorized and Unauthorized Software | Apps and Extensions | Allowed Types of Apps and Extensions | Chrome Packaged App | |||
119 | User | Requires | Inventory of Authorized and Unauthorized Software | Apps and Extensions | Allowed Types of Apps and Extensions | Extension | |||
120 | User | Requires | Inventory of Authorized and Unauthorized Software | Apps and Extensions | Allowed Types of Apps and Extensions | Google Apps Script | |||
121 | User | Requires | Inventory of Authorized and Unauthorized Software | Apps and Extensions | Allowed Types of Apps and Extensions | Hosted App | |||
122 | User | Requires | Inventory of Authorized and Unauthorized Software | Apps and Extensions | Allowed Types of Apps and Extensions | Legacy Packaged App | |||
123 | User | Requires | Inventory of Authorized and Unauthorized Software | Apps and Extensions | Allowed Types of Apps and Extensions | Theme | |||
124 | User | Requires | Inventory of Authorized and Unauthorized Software | Apps and Extensions | App and Extension Install Sources | List of URL Patterns | |||
125 | User | Supports | Inventory of Authorized and Unauthorized Software | Chrome Web Store | Chrome Web Store Homepage | Which private apps should be included in the collection? | I will choose which private apps and extensions to include. | This more restrictive option forces an additional administrative step when distributing web apps to your travel devices. But it does not increase the attack surface. If you do not have a team that is actively creating and sharing private web apps, this is the easier and more secure option to choose. | |
126 | User | Requires | Inventory of Authorized and Unauthorized Software | Chrome Web Store | Chrome Web Store Homepage | Which private apps should be included in the collection? | Include all private apps and extensions from my domain. | ||
127 | User | Inhibits | Inventory of Authorized and Unauthorized Software | Chrome Web Store | Chrome Web Store Permissions | Allow users to publish private apps that are restricted to your domain on Chrome Web Store. | |||
128 | User | Inhibits | Inventory of Authorized and Unauthorized Software | Chrome Web Store | Chrome Web Store Permissions | Allow users to skip verification for websites not owned | |||
129 | User | Inhibits | Maintenance, Monitoring, and Analysis of Audit Logs | User Experience | DNS Pre-fetching | Always pre-fetch DNS | If the team member is using a VPN into a network that I control and am logging DNS requests on, it will increase the noise on the network significantly. Even if they don't click on the URL, I may spend my time tracking down DNS requests for possibly malicious sites. | ||
130 | Device | Both | Appropriate Organizational Identifiers | Enrollment & Access | Disabled device return instructions | Custom text to display | The disabled-device notification exposes the domain that the device is on. If there are concerns about identifying the traveler's association, the primary domain used for travel accounts should be taken into consideration. | ||
131 | Device | Both | Appropriate Organizational Identifiers | Sign-in Settings | Autocomplete Domain | Do not display an autocomplete domain on the sign in page | |||
132 | Device | Both | Appropriate Organizational Identifiers | Sign-in Settings | Autocomplete Domain | Use the domain name, set below, for autocomplete at sign in | If the domain that is used for travel accounts matches the domain of the organization and the organizational affiliation can be an issue for the traveler, this will not force identification upon casual inspection of the device. ("domain shown" + "not welcome" + "unknown" + "domains =") = forced identification upon casual inspection, which is bad. ("domain shown" + "not welcome" + "known" + "domains =") = no impact. | ||
133 | Device | Both | Appropriate Organizational Identifiers | Sign-in Settings | Autocomplete Domain | Use the domain name, set below, for autocomplete at sign in | If the domain that is used for travel accounts does not match the domain of the organization and the organizational affiliation can be an issue for the traveler, this will show an alternate affiliation upon casual inspection of the device. If the border official already knows the affiliation, or the traveler needs to show affiliation, this can cause issues. ("domain shown" + "not welcome" + "known" + "domains !=") = "they are 'hiding their identity', which proves they are up to no good" [bad]. ("domain shown" + "not welcome" + "unknown" + "domains !=") = does not expose team member affiliation upon casual inspection. | ||
134 | Device | Both | Appropriate Organizational Identifiers | Sign-in Settings | Sign-in Screen | Always show team member names and photos | There is no reason to go advertising a person's name and identity on a publicly facing surface of their device. | ||
135 | Device | Both | Appropriate Organizational Identifiers | Sign-in Settings | Sign-in Screen | Never show team member names and photos | |||
136 | Device | Both | Appropriate Organizational Identifiers | Sign-in Settings | Single Sign-On IdP Redirection | Allow users to go directly to SAML SSO IdP page | This option has the team member enter their email address before being taken to the SAML IdP page of your organization. If your SAML IdP site exposes organizational information, then forcing the team member to enter their email first adds a small barrier between opening the device and exposing organizational information. Security Assertion Markup Language (SAML) Single Sign-On (SSO) support for Chrome devices allows team members to sign in to a Chrome device with the same authentication mechanisms that you use within the rest of your organization. Their passwords can remain within your organization's Identity Provider (IdP). | ||
137 | User | Both | Appropriate Organizational Identifiers | Chrome Web Store | Chrome Web Store Homepage | Chrome Web Store Homepage | Use the 'For [YOUR_DOMAIN>TLD]' collection: | ||
138 | User | Both | Appropriate Organizational Identifiers | Chrome Web Store | Chrome Web Store Homepage | What should the collection name be? | |||
139 | User | Requires | Appropriate Organizational Identifiers | User Experience | Managed Bookmarks | Managed Bookmarks | These will be on every device, so if you are trying to obfuscate the team member's affiliation with those sites you will want to create an obfuscated account. | ||
140 | Device | Supports | Multi-Factor Authentication | Sign-in Settings | Single Sign-On Camera Permissions | Whitelist of single sign-on camera permissions | I know what you are thinking: why would I want to give my login service camera access? If you do some research, your next question will be "What in all that is holy is a 'clever badge'?" [1] Well, this function allows your team members to use the device's camera to support single sign-on. Heck, if you really wanted to you could have it ping a 24-hour desk who knew what your team members looked like and have them authenticate based upon a conversation that ensures that they are not under duress and are in good health. That would be a cluster-f**ck of sadness that would quickly fall apart, but you could do it. It's a cool feature. It's mostly useful for adding another form of multi-factor. I don't see any amazing services that are using it yet. [1] https://clever.com/products/badges | ||
141 | User | Requires | Multi-Factor Authentication | Content | Client Certificates | Automatically Select Client Certificate for These Sites - If a site matching a pattern below requests a client certificate, Chrome will automatically select one for it. | This option only makes the process easier. You still need to implement client side certificate checking on your services, and certificate management in your device provisioning process. | ||
142 | User | Inhibits | Multi-Factor Authentication | General | Smart Lock for Chrome | Allow Smart Lock for Chrome | Allows your chrome device to be unlocked through proximity to a specific smartphone. This is an undesirable feature. We want multi-factor authentication for login to our travel devices. This removes a factor. | ||
143 | User | Supports | Multi-Factor Authentication | General | Smart Lock for Chrome | Do not allow Smart Lock for Chrome | |||
144 | Device | Supports | Needs Assessment (Apps) | User & Device Reporting | Device Reporting | Device team member Tracking | Enable tracking recent device users | Allows you to track team members on a device. This is a great way to build up an understanding of login needs early on, when you have not yet locked personal accounts out of devices. You can use this information to survey team members who logged in with their personal accounts about what they needed to access those accounts for. This will allow you to figure out what kind of personal account support is needed. Note: team members will not be tracked if the device is configured to erase all local team member data. | |
145 | User | Requires | Needs Assessment (Apps) | Content | Notifications | Allow These Sites to Show Desktop Notifications | Since I am, for once, willing to agree to the wholesale disabling of a feature, it is only appropriate to note that once a needs assessment is done you can use a whitelist to add sites back in. If you survey your user base and they use notifications on a small number of specific websites, this option will allow you to support your team members' workflows without opening up this attack vector too widely. As with all the whitelist options, this can get out of control and lead to team member frustration, so it should be done when there is low notification usage and/or a small team. | ||
146 | User | Requires | Needs Assessment (Apps) | Content | Notifications | Notifications | Do not allow sites to show desktop notifications | ||
147 | User | Requires | Needs Assessment (Apps) | Content | Plug-ins | Allow Plug-ins on These Sites | If there is a small group of folks that need Flash apps when they travel (I'm thinking of accountants and the hellish systems they are forced to use, or people who have to interact with government websites), I would use the "allow plug-ins on these sites" option to limit where Flash is allowed to run. Because it is soon to be deprecated, it makes sense to maintain this whitelist even if it is a bit onerous for your administrator. | ||
148 | User | Requires | Needs Assessment (Apps) | Content | Plug-ins | Plug-ins | Block all plug-ins | Flash is poison, Flash is dead in 2020! Make sure your team is not using flash based web apps before disabling. (Flash is the only "plugin" that is left in Chrome https://bugs.chromium.org/p/chromium/issues/detail?id=615738) | |
149 | User | Requires | Needs Assessment (Apps) | Content | Plugin Finder | Disable automatic search and installation of missing plugins | Chrome only allows one plugin, flash. So, if they need flash make sure it is installed. | ||
150 | User | Requires | Needs Assessment (Apps) | Content | Pop-ups | Allow Pop-ups on These Sites | If you have a small team and the admin team is very responsive when things are not working, and they are happy to take a midnight page about how someone's [bank, taxes, student loan] site is not working then you can do whitelisting. | ||
151 | User | Requires | Needs Assessment (Apps) | Content | Pop-ups | Pop-ups | Block all pop-ups | Another place where blocking, even though these are commonly used maliciously, can be a huge inconvenience for the user. The few legitimate sites where popups are a required part of the workflow should still be supported. (i.e. financial sites, government sites, and all the other places that lag behind best practice due to onerous compliance regulations.) | |
152 | User | Requires | Needs Assessment (Apps) | Printing | Google Cloud Print Proxy | Allow using Chrome as a proxy for Google Cloud Print | This is only relevant for Mac, Windows, and Linux. On Chrome OS, Google Cloud Print should just work. | ||
153 | User | Requires | Needs Assessment (Apps) | Printing | Google Cloud Print Submission | Allow submission of documents to Google Cloud Print | |||
154 | User | Requires | Needs Assessment (Apps) | Printing | Google Cloud Print Submission | Disallow submission of documents to Google Cloud Print | I was surprised to have something to consider in this section. Google Cloud Print offers a way to send a single hard copy of a document to a remote location. Is there a use case for this as opposed to sending the digital file to a secure remote location that you don't have access to? This should be considered an equivalent level of security & privacy as other Google services. | ||
155 | User | Requires | Needs Assessment (Apps) | User Experience | Managed Bookmarks | Managed Bookmarks | It is also a way to ensure that team members have easy access to the websites that will likely be the targets of phishing/pharming attacks. By teaching team members to go to their auto-installed bookmark instead of clicking on any email link you can stop many credential phishing attacks. These will be on every device, so if you are trying to obfuscate the team member's affiliation with those sites you will want to create an obfuscated account. | ||
156 | User | Requires | Needs Assessment (Apps) | User Experience | Multiple Sign-in Access | Block multiple sign-in access for team members in this organization | Without multiple sign-in access a team member can still log out of their account and log back in with a different user. This merely allows them to have multiple team members logged in "without having to sign out of their account and sign back in to another". This one really depends on the workflow of your team members. | ||
157 | User | Requires | Needs Assessment (Apps) | User Experience | Multiple Sign-in Access | Managed team member must be the primary team member (secondary team members are allowed) | See "block multiple". With "managed team member is primary", the per-profile user policies and some admin console policies will also apply to the secondary user. BUT, if there is a policy-defined network, then the secondary account will have access to the network with any apps installed on their account. As such, you should NOT allow multiple sign-in in these cases. | ||
158 | User | Requires | Needs Assessment (Apps) | User Experience | Multiple Sign-in Access | Unrestricted team member access (allow any team member to be added to any other user's session) | Without multiple sign-in access a team member can still log out of their account and log back in with a different user. This merely allows them to have multiple team members logged in "without having to sign out of their account and sign back in to another". This one really depends on the workflow of your team members. | ||
159 | User | Requires | Needs Assessment (Apps) | Android applications | Access to Android applications | Allow | By allowing search initially you can implement a process where you collect the apps that are commonly used by your team members to build out a whitelist. Then, once you have a solid understanding of the full suite of apps that team members want, you can remove the ability to search and use a similar force-install & allowed-installation-candidate model to the one described in Apps and Extensions. [1] https://support.google.com/chrome/a/answer/7131624 | ||
160 | User | Requires | Needs Assessment (Apps) | Apps and Extensions | Allow or Block All Apps and Extensions | Block all apps and extensions except the ones I allow | One strategy is to start with "allow all except blocked" and use an initial period of active use by your team members to develop a list of apps and extensions that are used or desired by your team members. Once you have a list of all of these apps you can add them to a custom web-store homepage and implement "block all except whitelisted" restrictions. This way team members will have access to a trusted source immediately upon enabling a travel device, and administrators will only have to be available to approve the use of new apps and extensions within your team member community. | ||
161 | Device | Inhibits | Private Apps | Sign-in Settings | Sign-in Restriction | Do not allow any users to Sign-in | This would limit a significant amount of the controls we have put in place. So, no. Don't use this. | ||
162 | User | Inhibits | Private Apps | Chrome Web Store | Chrome Web Store Homepage | Which private apps should be included in the collection? | Include all private apps and extensions from my domain. | ||
163 | User | Requires | Private Apps | Chrome Web Store | Chrome Web Store Permissions | Allow users to publish private apps that are restricted to your domain on Chrome Web Store. | |||
164 | Device | Inhibits | Project Specific GSuite Accounts | Sign-in Settings | Sign-in Restriction | Do not allow any users to Sign-in | This would limit a significant amount of the controls we have put in place. So, no. Don't use this. | ||
165 | Device | Supports | Proof Of Inaccess | Enrollment & Access | Disabled device return instructions | Custom text to display | This can be used to show strict proof of inaccess when a team member is traveling. Only do this if the team member will not need their device when traveling. Also, this will require a pre-determined process for unlocking the team member's device once they have arrived at their destination. | ||
166 | Device | Both | Proof Of Inaccess | Sign-in Settings | Sign-in Restriction | comma-delimited list of usernames | If a team member can only log in to a travel account on this device, it might help reinforce the level of lockdown that is done for travelers. Requires that a Google sub-organization uses a separate sub-domain. | ||
167 | Device | Both | Proof Of Inaccess | Sign-in Settings | Sign-in Restriction | comma-delimited list of usernames | If accounts other than the sub-org accounts can access it might hurt other claims to proof of inaccess, even though it does not actually indicate that you can access sensitive accounts, just that you can access OTHER accounts on this device. | ||
168 | Device | Supports | Proof Of Inaccess | Sign-in Settings | Sign-in Restriction | Do not allow any users to Sign-in | This would limit a significant amount of the controls we have put in place. So, no. Don't use this. | ||
169 | Device | Both | Proof Of Inaccess | Sign-in Settings | Sign-in Restriction | Restrict Sign-in to list of users: | If a team member can only log in to a travel account on this device, it might help reinforce the level of lockdown that is done for travelers. Requires that a Google sub-organization uses a separate sub-domain. | ||
170 | Device | Both | Proof Of Inaccess | Sign-in Settings | Sign-in Restriction | Restrict Sign-in to list of users: | If accounts other than the sub-org accounts can access it might hurt other claims to proof of inaccess, even though it does not actually indicate that you can access sensitive accounts, just that you can access OTHER accounts on this device. | ||
171 | User | Supports | Proof Of Inaccess | Chrome Web Store | Chrome Web Store Homepage | Which private apps should be included in the collection? | I will choose which private apps and extensions to include. | A private app could include a simple web app that links to the travel policy. This would be another way of ensuring that a team member who is forced to unlock and hand over their device can easily show "proof of inaccess." | |
172 | User | Supports | Proof Of Inaccess | Content | Client Certificates | Automatically Select Client Certificate for These Sites - If a site matching a pattern below requests a client certificate, Chrome will automatically select one for it. | Using client certs for primary accounts will mean that a team member legitimately cannot access those primary accounts with their travel device. | ||
173 | User | Supports | Proof Of Inaccess | General | Avatar | Upload Avatar File | A custom avatar is one of the ways to provide a "managed" indicator to help your staff prove that they are not able to access personal & sensitive content. | ||
174 | User | Supports | Proof Of Inaccess | General | Wallpaper | Upload Wallpaper File | Can be set to the travel policy // rules. Make this look like the overbearing IT / security team to make it clear to border officials that the team member is not in control of their account. Especially useful if the "restrictions" are very clearly laid out so the border control can understand in seconds that this is a waste of their time and beyond the control of the individual. | ||
175 | User | Requires | Proof Of Inaccess | Security | Browser History | Never save browser history | This might be useful for environments where your search history may be inspected but the entire device does not necessarily need to be wiped upon every logout. But an empty search history can raise suspicion. | ||
176 | User | Supports | Proof Of Inaccess | Startup | Home Button | Always show 'Home' button | This, when combined with a default homepage showing the "device usage rules" and proper team member training, can be another mechanism for a team member to provide "proof of inaccess". Once they have been forced to log in or give their password, they can simply tell the border guard to click on the Home button to see IT's policy and prove that they don't have access. | ||
177 | User | Supports | Proof Of Inaccess | Startup | Homepage | Homepage is always the Homepage URL, set below | This has to be set for the "always show home button" option in [Startup > Home Button] to work. | ||
178 | User | Inhibits | Proof Of Inaccess | Startup | Homepage | Homepage is always the new tab page | With this set, the "always show home button" option in [Startup > Home Button] cannot serve its proof-of-inaccess purpose. | ||
179 | User | Supports | Proof Of Inaccess | Startup | Pages to Load on Startup | Pages to Load on Startup | For even more forceful proof of inaccess the IT policies could be put in a page to load on startup. This would mean that a border guard who was just provided the login credentials would still immediately encounter the IT Policies. | ||
180 | User | Both | Proof Of Inaccess | User Experience | Bookmark Bar | Allow user to decide whether to enable bookmark bar | Chromebooks already have small screens. I would let the team member configure their bookmark bar as they wish. Consider other options for the visibility of proof of inaccess than this one. | ||
181 | User | Supports | Proof Of Inaccess | User Experience | Managed Bookmarks | Managed Bookmarks | Managed bookmarks is another way for a Traveler to provide "proof of inaccess" without having every interface on their device covered in warnings. They can simply tell the border guard to look at the travel device policy in their bookmarks. | ||
182 | User | Supports | Proof Of Inaccess | User Experience | Managed Bookmarks | Managed Bookmarks Folder Name | For proof of inaccess it could be valuable to name this something official. | ||
183 | User | Inhibits | Proof Of Inaccess | User Experience | Multiple Sign-in Access | Block multiple sign-in access for team member's in this organization | Multiple accounts logged in on a device raises questions about the legitimacy of proof of inaccess provided by a user. | ||
184 | User | Inhibits | Proof Of Inaccess | User Experience | Multiple Sign-in Access | Managed team member must be the primary team member (secondary team members are allowed) | Multiple accounts logged in on a device also raises questions about the legitimacy of proof of inaccess provided by a user. | ||
185 | User | Inhibits | Proof Of Inaccess | User Experience | Multiple Sign-in Access | Unrestricted team member access (allow any team member to be added to any other user's session) | Multiple accounts logged in on a device also raises questions about the legitimacy of proof of inaccess provided by a user. | ||
186 | User | Supports | Remote Access Management | Security | Remote access clients | Remote Access Host Client Domain - Configure the required domain name for remote access clients. | In short, this will only allow registered team members from your Google Apps domain to remotely access your travelers' Chromebooks. If you have a remote access client that you use, you should add its domain here. NOTE: If this setting is disabled, or not set, the host allows connections from authorized team members from any domain. | ||
187 | User | Supports | Remote Access Management | Apps and Extensions | Force-installed Apps and Extensions | Manage force-installed apps | If you want to be able to provide remote support using remote desktop with your travelers, you will want to add Chrome Remote Desktop [1][2] to the apps available on the Chromebook. This can be done in the recommended apps or through force-install. [1] https://support.google.com/chrome/answer/1649523 [2] https://chrome.google.com/webstore/detail/chrome-remote-desktop/gbchcmhmhahfdphkhkmpfmihenigjmpp | ||
188 | User | Supports | Remote Access Management | Chrome Web Store | Chrome Web Store Homepage | Chrome Web Store Homepage | Use a custom page, set below | If you want to be able to provide remote support using remote desktop with your travelers, you will want to add Chrome Remote Desktop [1][2] to the apps available on the Chromebook. This can be done in the recommended apps or through force-install. [1] https://support.google.com/chrome/answer/1649523 [2] https://chrome.google.com/webstore/detail/chrome-remote-desktop/gbchcmhmhahfdphkhkmpfmihenigjmpp | |
189 | Device | Supports | Secure Traffic Tunneling | Enrollment & Access | Verified Access | Enable for Enterprise Extensions | If you have the resources to implement Verified Access on your enterprise systems (VPNs, file servers, etc.), this will only allow specific team members, on specific enrolled devices that are running in their normal (verified-boot) state, to access those services. This is the type of security that I would like to run around the travelers' sensitive information archives and any other services that contain sensitive data. | ||
190 | Device | Supports | Secure Traffic Tunneling | Enrollment & Access | Verified Mode | Require verified mode boot for Verified Access | Only relevant if Verified Access is in use. | ||
191 | Device | Inhibits | Secure Traffic Tunneling | Enrollment & Access | Verified Mode | Skip boot mode check for Verified Access | Only relevant if Verified Access is in use. | ||
192 | Device | Supports | Secure Traffic Tunneling | Other | System timezone automatic detection | Always send WiFi access-points to server while resolving timezone | This is information that Google collects and stores with your data according to its privacy policy. I don't go into most of the other information Google collects because of our assumptions. But this one has some really serious metadata attached to it that is constantly being collected: the set of Wi-Fi access points around a device is effectively a location record. https://www.google.com/policies/privacy/#infocollect | ||
193 | Device | Inhibits | Secure Traffic Tunneling | Other | System timezone automatic detection | Always use coarse timezone detection | This uses the IP-only method of determining the local time zone. VPNs and Tor can cause problems here, so if your team members use secure tunnels you will want to train them on why the device shows the wrong time, or just force "Never auto-detect timezone". | ||
194 | Device | Inhibits | Secure Traffic Tunneling | Sign-in Settings | Guest Mode | Allow guest mode | With guest mode, team members will be presented with a session that has none of the other security measures we have in place on team member accounts. With proper training on how to use their devices safely and anonymously, and then remove the trail of data from that use, they can have the best of both worlds. | ||
195 | Device | Inhibits | Secure Traffic Tunneling | Sign-in Settings | Sign-in Restriction | Do not allow any users to Sign-in | This would undermine a significant number of the controls we have put in place. So, no. Don't use this. | ||
196 | User | Supports | Secure Traffic Tunneling | Network | Proxy Settings | Always use the proxy auto-config specified below | If you are using a PAC file, make sure that it sends traffic to your proxy over a secure connection (see Chromium's secure web proxy design document). https://www.chromium.org/developers/design-documents/secure-web-proxy | ||
197 | User | Both | Secure Traffic Tunneling | Network | Proxy Settings | Never use a proxy | If you don't have a secure proxy set up, use this option and use force-installed apps to install a VPN client. | ||
198 | User | Inhibits | Secure Traffic Tunneling | User Experience | Multiple Sign-in Access | Managed team member must be the primary team member (secondary team members are allowed) | When the managed team member is primary, the per-profile user policies and some admin console policies will also apply to the secondary user. BUT, if there is a policy-defined network then the secondary account will have access to that network with any apps installed on their account. As such, you should NOT allow multiple sign-in in these cases. | ||
199 | User | Inhibits | Secure Traffic Tunneling | User Experience | Multiple Sign-in Access | Unrestricted team member access (allow any team member to be added to any other user's session) | Secondary accounts have access to policy-defined networks. This means that accounts you do not fully control have access to any internal networks that are defined. That's not cool. | ||
200 | User | Supports | Secure Traffic Tunneling | User Verification | Verified Mode | Verified Mode Boot Check | Require verified mode boot for Verified Access | Only relevant if Verified Access is in use. | |
201 | User | Inhibits | Secure Traffic Tunneling | User Verification | Verified Mode | Verified Mode Boot Check | Skip boot mode check for Verified Access | Only relevant if Verified Access is in use. | |
202 | User | Supports | Secure Traffic Tunneling | Verified Access | Verified Access | Enable for Enterprise Extensions | If you have the resources to implement Verified Access on your enterprise systems (VPNs, file servers, etc.), this will only allow specific team members, on specific enrolled devices that are running in their normal verified state, to access those services. This is the type of security that I would like to have around travelers' sensitive information archives and any other services that contain sensitive data. | ||
203 | Device | Requires | Security Awareness and Training | Enrollment & Access | Disabled device return instructions | Custom text to display | This can be used to show strict proof of inaccess while a team member is traveling. Only do this if the team member will not need their device while traveling. It will also require a predetermined process for unlocking the team member's device once they have arrived at their destination. | ||
204 | Device | Requires | Security Awareness and Training | Other | System timezone automatic detection | Let team members decide | The IP-only method of determining the local time zone can be thrown off by VPNs and Tor. So if your team members use secure tunnels, and you are not comfortable with the Wi-Fi AP timezone mode, you will want to train team members on why the device shows the wrong time, or just force "Never auto-detect timezone". | ||
205 | Device | Requires | Security Awareness and Training | Other | System timezone automatic detection | Never auto-detect timezone | The IP-only method of determining the local time zone can be thrown off by VPNs and Tor. So if your team members use secure tunnels, and you are not comfortable with the Wi-Fi AP timezone mode, you will want to train team members on why the device shows the wrong time, or just force "Never auto-detect timezone". | ||
206 | Device | Requires | Security Awareness and Training | Power & Shutdown | Power Management | Do not allow device to sleep/shut down when idle on the sign-in screen | Powering down on idle is great for ensuring that devices are secured after a certain period of inactivity. But if you are using ephemeral mode, or team members are relying on offline mode, etc., this can lead to big problems (an ephemeral session's data is gone once the device shuts down). So, be careful with this one. | ||
207 | Device | Requires | Security Awareness and Training | Power & Shutdown | Scheduled Reboot | Number of days before reboot; leave empty for unset | In the future this will be another way to limit the data that is left on team members' devices after they are confiscated, stolen, or lost. It has all the same drawbacks as well: it requires training your team members to expect it and understand why it is in place, making sure it fits their workflows, and being receptive to changes in its frequency if it does interfere. (Currently, automatic reboots work only when the device is configured as a Public Session kiosk and the sign-in screen is being shown. For more information, see Google's help article "How do I schedule a Chrome device to reboot?") | ||
208 | Device | Requires | Security Awareness and Training | Sign-in Settings | Guest Mode | Allow guest mode | With guest mode, team members will be presented with a session that has none of the other security measures we have in place on team member accounts. With proper training on how to use their devices safely and anonymously, and then remove the trail of data from that use, they can have the best of both worlds. | ||
209 | Device | Requires | Security Awareness and Training | Sign-in Settings | Guest Mode | Do not allow guest mode | Not providing a way for the team member to browse ephemerally makes it harder for them to make strategic decisions about when to save history. Without modes like this, making those decisions requires much greater knowledge of where history is saved in order to clear it out. | ||
210 | Device | Requires | Security Awareness and Training | User & Device Reporting | Inactive Device Notifications | Email addresses to receive notification reports | Email addresses to receive notification reports | Make sure that the people who receive these notifications know what they mean, and that there is redundancy in who has access so incidents don't get missed. | |
211 | User | Requires | Security Awareness and Training | Android applications | Access to Android applications | Allow | When opening up the app store on travel devices, you want to make sure that your team members understand their security requirements and what the correct tools are for those use cases. A team member may seek out a new app from the full app store because the supported app stopped working (censorship, etc.) or because someone told them about a new app with "military grade encryption"; you want to make sure they are making smart choices when that happens. | ||
212 | User | Requires | Security Awareness and Training | Android applications | Android applications on Chrome devices | Allow | Adding Android applications opens up a range of possibilities for making the Chromebook more useful, usable, and secure for your team members. It can also considerably increase the attack surface you have to contend with. As such, it will take security awareness building and hands-on guidance to get the benefits of adding this. | ||
213 | User | Requires | Security Awareness and Training | Android applications | Unknown Sources | Allow install from unknown sources | Since Google Apps does not yet provide the ability to add your own signing key or another way of approving specific unknown sources, the administrator has no way to remotely protect against an adversary installing malicious or monitoring apps when this feature is enabled. Enabling this feature forces the team member to take more responsibility for the security of their device: they will need to be more careful about protecting access to their device, and they will have to be mindful of the possible security concerns with applications they install. To support this, an administrator should make sure they have an application submission pipeline built where team members can submit links to applications they want to install for review by the administration/security team. | ||
214 | User | Supports | Security Awareness and Training | Apps and Extensions | Pinned Apps and Extensions | Manage pinned apps | Pinning baseline security apps will make them more visible and encourage use. | ||
215 | User | Requires | Security Awareness and Training | Chrome Web Store | Chrome Web Store Homepage | Chrome Web Store Homepage | Use a custom page, set below | You will, of course, have to make sure you inform team members about the custom web store page, or they won't know to look for it and will likely not know to trust it when they do see it. | |
216 | User | Requires | Security Awareness and Training | Chrome Web Store | Chrome Web Store Homepage | What should the collection name be? | The admin will also need to make sure that team members are well informed about the existence of this recommended apps collection. They will likely not find it on their own because they will not be looking for it. | ||
217 | User | Requires | Security Awareness and Training | Content | Cookies | Default Cookie Setting | Allow user to configure | For team members with greater security awareness and/or aptitude who are going to multiple different threat environments, this can be a useful option. | |
218 | User | Requires | Security Awareness and Training | Content | Cookies | Block Cookies for URL Patterns | This is a way to ensure that the Chromebook browser does not save persistent cookies for sites with sensitive data on travel devices, without having to disable cookies for all team members server-side. You can allow cookies globally so that the team member can save cookies and logins for convenience sites, but have the session cookies for predetermined sensitive sites blocked (e.g. the secure data repository, organization data logins, etc.). | ||
219 | User | Requires | Security Awareness and Training | Content | Google Drive Syncing | Allow user to decide whether to use Google Drive syncing | As with other team member-controlled interventions, this requires building the team member's security awareness to the point where they don't store sensitive documents within the synced folder. | ||
220 | User | Requires | Security Awareness and Training | Content | Google Drive Syncing | Enable Google Drive syncing | As with other team member-controlled interventions, this requires building the team member's security awareness to the point where they don't store sensitive documents within the synced folder. | ||
221 | User | Requires | Security Awareness and Training | Content | Images | Images | Allow user to configure | You will want to inform team members of the benefits of this option in low-connectivity regions, where they might want to configure it themselves to save bandwidth. If you don't, they are not going to find it on their own. | |
222 | User | Requires | Security Awareness and Training | Content | JavaScript | JavaScript | Allow sites to run JavaScript | They will have to be trained in how to use the JavaScript-blocking extension. | |
223 | User | Requires | Security Awareness and Training | Content | JavaScript | JavaScript | Allow user to configure | ||
224 | User | Requires | Security Awareness and Training | Content | Notifications | Notifications | Allow sites to show desktop notifications | ||
225 | User | Requires | Security Awareness and Training | Content | Notifications | Notifications | Allow user to configure | ||
226 | User | Requires | Security Awareness and Training | Content | Notifications | Notifications | Always ask the team member if a site can show desktop notifications | ||
227 | User | Requires | Security Awareness and Training | Content | Outdated Plugins | Ask user for permission to run outdated plugins | |||
228 | User | Requires | Security Awareness and Training | Content | Plug-ins | Plug-ins | Allow user to configure | ||
229 | User | Requires | Security Awareness and Training | Content | Plugin Authorization | Ask for user permission before running plugins that require authorization | Follow the guidelines around giving team members a choice to be more secure. It can be inconvenient, but Flash is such a constantly vulnerable component of the web that I don't want to just allow it in any way. | ||
230 | User | Requires | Security Awareness and Training | Content | Pop-ups | Pop-ups | Allow user to configure | Another place where blocking, even though pop-ups are commonly used maliciously, can be a huge inconvenience for the user. The few legitimate sites where pop-ups are a required part of the workflow should still be supported (e.g. financial sites, government sites, and all the other places that lag behind best practice due to onerous compliance regulations). | |
231 | User | Requires | Security Awareness and Training | Content | Third-Party Cookie Blocking | Allow user to decide whether to allow third-party cookies | This is another fingerprinting threat, and therefore not relevant for this context. | ||
232 | User | Requires | Security Awareness and Training | General | Smart Lock for Chrome | Allow Smart Lock for Chrome | Allows your Chrome device to be unlocked through proximity to a specific smartphone. This is an undesirable feature: we want multi-factor authentication for login to our travel devices, and this removes a factor. If you are going to allow it, you will need a significant amount of user training. | ||
233 | User | Requires | Security Awareness and Training | Network | Proxy Settings | Never use a proxy | They will have to know when, and how, to use a VPN. | ||
234 | User | Requires | Security Awareness and Training | Omnibox Search Provider | Omnibox Search Provider | Allow user to select the Omnibox Search Provider | |||
235 | User | Requires | Security Awareness and Training | Omnibox Search Provider | Search Suggest | Allow user to configure | |||
236 | User | Requires | Security Awareness and Training | Printing | Google Cloud Print Submission | Allow submission of documents to Google Cloud Print | I was surprised to have something to consider in this section. Google Cloud Print offers a way to send a single hard copy of a document to a remote location. Is there a use case for this as opposed to sending the digital file to a secure remote location that you don't have access to? This should be considered an equivalent level of security and privacy as other Google services. | ||
237 | User | Requires | Security Awareness and Training | Security | Browser History | Always save browser history | |||
238 | User | Requires | Security Awareness and Training | Security | Clear Browser History | Allow clearing history in settings menu | |||
239 | User | Requires | Security Awareness and Training | Security | Geolocation | Allow user to configure | Giving a team member a one-click ability to enable geolocation robs them of the ability to make choices about which future apps and sites should have geolocation access. But these types of one-click decisions are often the choice made by a frustrated, jet-lagged, and stressed team member who is trying to get their applications working. As such, I have chosen "always ask" over the team member configuration option. | ||
240 | User | Inhibits | Security Awareness and Training | Security | Idle Settings | Lock screen on sleep | Don't Lock Screen | ||
241 | User | Requires | Security Awareness and Training | Security | Idle Settings | Idle time in minutes (leave empty for system default) | Among common complaints about Chromebooks, the short time until the system idles is a very frequent one. Setting a base idle time will ensure your team members have a consistent experience across devices (the default idle time varies by device). But making this too short will be counterproductive. Building security awareness to the level that you are confident team members lock the screen when they walk away from their computer will be a more valuable intervention, and less likely to push a team member to find ways to circumvent the security (e.g. using personal devices). | ||
242 | User | Inhibits | Security Awareness and Training | Security | Idle Settings | Lock screen on sleep | Lock Screen | ||
243 | User | Inhibits | Security Awareness and Training | Security | Idle Settings | Action on idle | Logout | ||
244 | User | Inhibits | Security Awareness and Training | Security | Idle Settings | Action on lid close | Logout | ||
245 | User | Inhibits | Security Awareness and Training | Security | Idle Settings | Action on idle | Sleep | You should not use the sleep action on idle unless it also locks the screen. It gives the appearance of a countermeasure without providing one. With an appropriately long idle time and good logout practices being used by your team members, there is no reason to have devices sleep on idle without locking. | |
246 | User | Inhibits | Security Awareness and Training | Security | Idle Settings | Action on lid close | Sleep | You should not use the sleep action on lid close unless it also locks the screen. It gives the appearance of a countermeasure without providing one. With an appropriately long idle time and good logout practices being used by your team members, there is no reason to have devices sleep on lid close without locking. | |
247 | User | Supports | Security Awareness and Training | Security | Incognito Mode | Allow incognito mode | Teaching travelers how to avoid creating histories with sensitive links and information by using incognito mode means that they don't have to try to erase it later. | ||
248 | User | Requires | Security Awareness and Training | Security | Malicious Sites | Allow user to proceed anyway to malicious sites | This should not be enabled until you have tested how often malicious site warnings appear for your team members during a testing period, because there are reports of critical travel sites, like hotel portals, being flagged as malicious. [1] [1] https://twitter.com/brettmorrison/status/891804686579359745 | ||
249 | User | Requires | Security Awareness and Training | Security | Password Manager | Allow user to configure | In environments where team members are allowed to use the password manager, it is important to have built their security awareness properly so they understand the security implications of saving passwords for different types of accounts. | ||
250 | User | Requires | Security Awareness and Training | Security | Password Manager | Always allow use of password manager | In environments where team members are allowed to use the password manager, it is important to have built their security awareness properly so they understand the security implications of saving passwords for different types of accounts. | ||
251 | User | Requires | Security Awareness and Training | Security | Safe Browsing | Allow user to decide whether to use Safe Browsing | Providing privacy-conscious team members with information about the actual implementation of this feature should ease their privacy worries about it. If it does not, a team member may be convinced once you explain the personal effort they will have to exert to gain the same level of security without Safe Browsing enabled. | ||
252 | User | Inhibits | Security Awareness and Training | Session Settings | Show Logout Button in Tray | Does not show logout button in tray | |||
253 | User | Supports | Security Awareness and Training | Session Settings | Show Logout Button in Tray | Show logout button in tray | Make it easy for team members to follow the appropriate logout practices. | ||
254 | User | Requires | Security Awareness and Training | Startup | Home Button | Allow user to configure | |||
255 | User | Requires | Security Awareness and Training | Startup | Home Button | Always show 'Home' button | This, when combined with a default homepage showing the "device usage rules" and proper team member training, can be another mechanism for a team member to provide "proof of inaccess". Once they have been forced to log in or give up their password, they can simply tell the border guard to click the Home button to see IT's policy and prove that they don't have access. | ||
256 | User | Requires | Security Awareness and Training | Startup | Homepage | Allow user to configure | |||
257 | User | Requires | Security Awareness and Training | User Experience | Bookmark Editing | Enable bookmark editing | Don't get in the way of the team member's workflow. Just make sure that they have the proper info-sec awareness to understand what they might be revealing if their device gets confiscated with custom bookmarks. | ||
258 | User | Requires | Security Awareness and Training | User Experience | DNS Pre-fetching | Allow user to configure | |||
259 | User | Requires | Security Awareness and Training | User Experience | Download Location | Local Downloads folder, but allow team member to change | By defaulting to the local Downloads folder we avoid unintentional or unknowing persistence of data within the travel account's Google Drive. This is especially true for more ephemeral-focused setups. | ||
260 | User | Requires | Security Awareness and Training | User Experience | Download Location | Set Google Drive as default, but allow team member to change | By defaulting to the local Downloads folder we avoid unintentional or unknowing persistence of data within the travel account's Google Drive. This is especially true for more ephemeral-focused setups. | ||
261 | User | Requires | Security Awareness and Training | User Experience | Form Auto-fill | Allow user to configure | See all the previous comments about giving team members the power to increase their security without breaking their workflow. | ||
262 | User | Requires | Security Awareness and Training | User Experience | Google Translate | Allow user to configure | |||
263 | User | Requires | Security Awareness and Training | User Experience | Managed Bookmarks | Managed Bookmarks | This is also a way to ensure that team members have easy access to the websites that are likely to be targeted by phishing/pharming attacks. By teaching team members to go to their auto-installed bookmark instead of clicking on any email link, you can stop many credential phishing attacks. These bookmarks will be on every device, so if you are trying to obscure the team member's affiliation with those sites you will want to create an obfuscated account. | ||
264 | User | Requires | Security Awareness and Training | User Experience | Multiple Sign-in Access | Unrestricted team member access (allow any team member to be added to any other user's session) | I also have concerns about team members signing in to their personal account and forgetting that their primary account is logged in. As such, my instinct would be to disable this to force the device to be a single-team-member device. This will require supporting some level of personal account access, forwarding, and/or support on the travel devices. You can't expect a team member not to have any access to their personal accounts when traveling. | ||
265 | User | Requires | Security Awareness and Training | User Experience | Spell Check Service | Allow user to decide whether to use the spell checking web service | Like many other information leaks in Chrome, this is very threat-model specific. But, as with those, it is important to allow team members with greater security needs to add those controls without destroying the workflow of others. | ||
266 | Device | Inhibits | Temporary G Suite Accounts | Sign-in Settings | Sign-in Restriction | Do not allow any users to Sign-in | This would undermine a significant number of the controls we have put in place. So, no. Don't use this. | ||
267 | Device | Supports | Traveler Sub-Organization(s) | Enrollment & Access | Forced Re-enrollment | Device is not forced to re-enroll after wiping | This will allow a team member to switch over to another sub-organization mid-trip while using the same device (wipe it, then enroll it into the other sub-organization). An example would be switching from a low-threat to a high-threat environment mid-trip. The team member may want greater functionality early on, and then want to lock down their device before going into the next country. | ||
268 | Device | Inhibits | Traveler Sub-Organization(s) | Enrollment & Access | Forced Re-enrollment | Force device to re-enroll into this domain after wiping | If a team member needs to switch over to another sub-organization mid-trip while using the same device, this would prevent that switch. An example would be switching from a low-threat to a high-threat environment mid-trip. The team member may want greater functionality early on, and then want to lock down their device before going into the next country. | ||
269 | Device | Inhibits | Traveler Sub-Organization(s) | Sign-in Settings | Guest Mode | Allow guest mode | With guest mode, team members will be presented with a session that has none of the other security measures we have in place on team member accounts. With proper training on how to use their devices safely and anonymously, and then remove the trail of data from that use, they can have the best of both worlds. | ||
270 | Device | Requires | Traveler Sub-Organization(s) | Sign-in Settings | Sign-in Restriction | comma-delimited list of usernames | If a team member can only log in to a travel account on this device, it might help reinforce the level of lockdown applied to travelers. This requires that the Google sub-organization uses a separate sub-domain. | ||
271 | Device | Inhibits | Traveler Sub-Organization(s) | Sign-in Settings | Sign-in Restriction | Do not allow any users to Sign-in | This would undermine a significant number of the controls we have put in place. So, no. Don't use this. | ||
272 | Device | Requires | Traveler Sub-Organization(s) | Sign-in Settings | Sign-in Restriction | Restrict Sign-in to list of users: | If a team member can only log in to a travel account on this device, it might help reinforce the level of lockdown applied to travelers. This requires that the Google sub-organization uses a separate sub-domain. | ||
273 | User | Inhibits | Traveler Sub-Organization(s) | Network | WebRTC UDP Ports | Maximum port (1024-65535) | Could be useful if WebRTC is being blocked in a specific country or set of countries and you know that the blocking is based on the UDP ports it uses. But unless you have a large staff base there, it will likely make sense to simply do device-specific configuration for the team members going there. | ||
274 | User | Inhibits | Traveler Sub-Organization(s) | Network | WebRTC UDP Ports | Minimum port (1024-65535) | Could be useful if WebRTC is being blocked in a specific country or set of countries and you know that the blocking is based on the UDP ports it uses. But unless you have a large staff base there, it will likely make sense to simply do device-specific configuration for the team members going there. | ||
275 | User | Requires | Traveler Sub-Organization(s) | Security | Malicious Sites | Prevent team member from proceeding anyway to malicious sites | If your team members are doing investigative research, it might also make sense to allow them to proceed to malicious sites. But even then, they should likely not be using their primary device to do it. If they wish to use Chromebooks for these use cases instead of their primary browser, a more locked-down setup can be created, either on easily wipeable Chromebooks or by setting up disposable VMs that they can remote into from their travel Chromebook. | ||
276 | User | Requires | Webcam cover | Hardware | Video Input | Enable video input | |||
277 | Device | Inhibits | Whitelist(s) | Sign-in Settings | Sign-in Restriction | Do not allow any users to Sign-in | This would undermine a significant number of the controls we have put in place. So, no. Don't use this. | ||
278 | User | Requires | Whitelist(s) | Apps and Extensions | App and Extension Install Sources | List of URL Patterns | A whitelist of apps can be valuable for preventing team members from installing malicious apps and extensions that masquerade as a team member's desired application. [We are already combatting this slightly by seeding the web store with links to commonly used apps and extensions.] As stated elsewhere, whitelisting requires a greater amount of administrator availability to ensure that the wait for new additions to the whitelist does not impede the team's ability to accomplish their work. | ||
279 | User | Requires | Whitelist(s) | Content | Cookies | Allow Session-Only Cookies for URL Patterns | Whitelisting problems: you might create a VERY broad URL pattern for this to allow session-only cookies for large swaths of the internet when persistent cookies are otherwise blocked. Of course, as with the other cookie whitelists, if you have a lot of team members, white/blacklisting in this way is going to be a LOT of work to cover all the convenience sites that your team members want. The workload can lead to overly restrictive policies because of an exhausted administrative staff. | ||
280 | User | Requires | Whitelist(s) | Content | Images | Show Images on These Sites | Whitelisting problems | ||
281 | User | Requires | Whitelist(s) | Content | JavaScript | Allow These Sites to Run JavaScript | Whitelisting problems | ||
282 | User | Requires | Whitelist(s) | Content | Plug-ins | Allow Plug-ins on These Sites | Whitelisting problems | ||
283 | User | Requires | Whitelist(s) | Content | Pop-ups | Allow Pop-ups on These Sites | Another whitelist with all the whitelist problems. But pop-ups are SO prevalent that this is even worse than most. If you have a small team, the admin team is very responsive when things are not working, and they are happy to take a midnight page about how someone's [bank, taxes, student loan] site is not working, then you can do whitelisting. | ||
284 | User | Requires | Whitelist(s) | Apps and Extensions | Allowed Types of Apps and Extensions | Chrome Packaged App | |||
285 | User | Requires | Whitelist(s) | Apps and Extensions | Allowed Types of Apps and Extensions | Extension | |||
286 | User | Requires | Whitelist(s) | Apps and Extensions | Allowed Types of Apps and Extensions | Google Apps Script | |||
287 | User | Requires | Whitelist(s) | Apps and Extensions | Allowed Types of Apps and Extensions | Hosted App | |||
288 | User | Requires | Whitelist(s) | Apps and Extensions | Allowed Types of Apps and Extensions | Legacy Packaged App | |||
289 | User | Requires | Whitelist(s) | Apps and Extensions | Allowed Types of Apps and Extensions | Theme | |||
290 | User | Supports | Whitelist(s) | Android applications | Access to Android applications | Allow | By allowing search initially you can implement a process where you collect the apps your team members commonly use to build out a whitelist. Once you have a solid understanding of the full suite of apps that team members want, you can remove the ability to search and use a forced-install & allowed-installation-candidate model like the one described under apps and extensions. [1] https://support.google.com/chrome/a/answer/7131624 | ||
291 | User | Supports | Whitelist(s) | Content | Cookies | Allow Cookies for URL Patterns | If you have a lot of team members, white/blacklisting in this way is going to be a LOT of work to cover all the convenience sites your team members want. That workload can lead to overly restrictive policies from an exhausted administrative staff. | ||
292 | User | Requires | Whitelist(s) | Apps and Extensions | App and Extension Install Sources | List of URL Patterns | If you have an international team you must take into consideration that there are a multitude of app sources/stores, and many of them carry apps and extensions that are widely used but are not included in Google Play. | ||
293 | Device | Supports | Whitelist(s) | Chrome Web Store | Chrome Web Store Homepage | Chrome Web Store Homepage | Use a custom page, set below | This initial setup and ongoing maintenance of the Chrome Web Store Recommendations will take effort, but it will help centralize secure app recommendations in one place. | |
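The "VERY broad URL pattern" risk in rows 279 and 291 (and the other per-site content whitelists) is easy to check mechanically before a pattern list is pushed to devices. The following is an added example, not code from the original spreadsheet and not Chrome's own matcher: it models the content-setting pattern format as the example's author understands it ("[scheme://]host[:port]", where the host is "*" for any host, "[*.]host" for a host and all its subdomains, or a bare host for that exact host only; paths are not modelled) and flags patterns that quietly whitelist most of the internet. The sample pattern list and hostnames are constructed placeholders; verify the pattern semantics against Chrome's own URL-pattern documentation before relying on them.

```python
"""Matcher and breadth check for Chrome content-setting URL patterns.

Constructed example; not part of the original spreadsheet and not Chrome's
own code. Pattern semantics modelled here are an assumption to verify:
"[scheme://]host[:port]", host = "*" (any), "[*.]host" (host + subdomains)
or a bare host (exact match). Paths are not modelled.
"""
import re
from urllib.parse import urlsplit

_PATTERN = re.compile(
    r'^(?:(?P<scheme>\*|[a-z][a-z0-9+.-]*)://)?'        # optional scheme, '*' = any
    r'(?P<host>\*|\[\*\.\][^:/\[\]*]+|[^:/\[\]*]+)'     # '*', '[*.]host' or exact host
    r'(?::(?P<port>\*|\d{1,5}))?/?$'                    # optional port, '*' = any
)
_DEFAULT_PORT = {'http': '80', 'https': '443'}


class UrlPattern:
    def __init__(self, text):
        m = _PATTERN.match(text.strip().lower())
        if not m:
            raise ValueError(f'unparseable pattern: {text!r}')
        self.text = text
        self.scheme = m.group('scheme') or '*'
        host = m.group('host')
        self.subdomains = host == '*' or host.startswith('[*.]')
        self.host = '' if host == '*' else (host[4:] if host.startswith('[*.]') else host)
        self.port = m.group('port') or '*'

    def matches(self, url):
        """True if `url` falls under this pattern."""
        u = urlsplit(url.strip().lower())
        host = u.hostname or ''
        port = str(u.port) if u.port else _DEFAULT_PORT.get(u.scheme, '')
        if self.scheme != '*' and u.scheme != self.scheme:
            return False
        if self.port != '*' and port != self.port:
            return False
        if self.host == '' or host == self.host:
            return True
        return self.subdomains and host.endswith('.' + self.host)

    def breadth_problem(self):
        """A reason string if the pattern is dangerously broad, else None.

        Heuristic only: flags a '*' host and a subdomain wildcard on a single
        label such as '[*.]com'. Multi-label public suffixes ('[*.]co.uk')
        are NOT caught; that would need the public suffix list.
        """
        if self.host == '':
            return 'matches every host'
        if self.subdomains and len(self.host.split('.')) < 2:
            return f'subdomain wildcard on a top-level label: {self.host}'
        return None


def lint_patterns(patterns):
    """Return [(pattern, problem)] for every pattern that is broad or unparseable."""
    findings = []
    for p in patterns:
        try:
            problem = UrlPattern(p).breadth_problem()
        except ValueError as exc:
            problem = str(exc)
        if problem:
            findings.append((p, problem))
    return findings


# Constructed sample of what an over-eager admin might put in the session-only
# cookie whitelist; the hostnames are placeholders.
SAMPLE_SESSION_ONLY = [
    'https://[*.]example-bank.com',   # one site and its subdomains: fine
    '[*.]com',                        # every .com host: far too broad
    '*',                              # everything: defeats the persistent-cookie block
    'https://[*.]co.uk',              # also too broad, but not caught by this heuristic
]

if __name__ == '__main__':
    for pattern, problem in lint_patterns(SAMPLE_SESSION_ONLY):
        print(f'{pattern!r}: {problem}')
```

Run the linter over the pattern list as a pre-commit step for the policy; anything it flags is a pattern that should be narrowed to the specific site a team member asked for, not a shortcut to make the whitelist stop generating pages.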
1 | User | Impact ↧ | App Store App Blocking/Restriction | Android applications | Unknown Sources | Allow install from unknown sources | If team members are traveling to countries that have requested that the security applications your team needs be removed from the app store, this will allow them to install those apps while in-country. - http://www.androidpolice.com/2014/08/20/brazilian-court-orders-google-to-remove-secret-app-from-the-play-store-and-remotely-wipe-it-from-phones/ | Obstruction | |
---|---|---|---|---|---|---|---|---|---|
2 | User | Impact ↥ | App Store App Blocking/Restriction | Android applications | Unknown Sources | Do not allow install from unknown sources | Obstruction | ||
3 | User | Impact ↧ | Application/Protocol Blocking | Android applications | Access to Android applications | Allow | When communication apps are censored, being able to search the app store for alternative working secure communication apps gives the team member more flexibility when they cannot reach the admin/security team to identify and install an alternative solution. | Obstruction | |
4 | Device | Likelihood ↥ | Application/Protocol Blocking | Device Update Settings | Auto Update Settings | Auto Update | Allow auto-updates | Updates are important, but they can break functionality. If there are mission-critical apps, and your admin team has the capacity to check that they all still work when Chrome OS updates, then you can stop auto-updates for the few days it takes to check. If something breaks, the admin can delay the update until they have figured out how to get it working on the latest version. If you don't have an admin with this capability and capacity, you will instead need to build staff capacity for finding alternate solutions when things break, because updates are critical for security. (I use app/protocol blocked here to mean unintentionally disabled by an update.) | Obstruction |
5 | Device | Likelihood ↧ | Application/Protocol Blocking | Device Update Settings | Auto Update Settings | Auto Update | Stop auto-updates | Updates are important, but they can break functionality. If there are mission-critical apps, and your admin team has the capacity to check that they all still work when Chrome OS updates, then you can stop auto-updates for the few days it takes to check. If something breaks, the admin can delay the update until they have figured out how to get it working on the latest version. If you don't have an admin with this capability and capacity, you will instead need to build staff capacity for finding alternate solutions when things break, because updates are critical for security. (I use app/protocol blocked here to mean unintentionally disabled by an update.) | Obstruction |
6 | User | Impact ↧ | Application/Protocol Blocking | Network | QUIC Protocol | Enabled | QUIC encrypts traffic much as HTTPS does, but it runs over UDP (normally port 443) instead of TCP. That gives it a small side benefit against basic HTTPS blocking: a device with QUIC enabled, connecting to a service that supports QUIC, can still get through when TCP-based HTTPS is blocked but UDP/443 is not. It is not a "real" circumvention protocol (a censor that also drops UDP/443 defeats it), but it does make connections just a small bit more resilient to HTTPS blocking - https://twitter.com/seamustuohy/status/805474243509186561 | Obstruction | |
7 | User | Impact ↧ | Application/Protocol Blocking | Network | WebRTC UDP Ports | Maximum port (1024-65535) | Could be useful if WebRTC is being blocked in a specific country/set of countries and you know they are blocking based on the ports it uses. But unless you have a large staff base there, it will likely make more sense to simply do device-specific configuration for the team members going there. | Obstruction | |
8 | User | Impact ↧ | Application/Protocol Blocking | Network | WebRTC UDP Ports | Minimum port (1024-65535) | Could be useful if WebRTC is being blocked in a specific country/set of countries and you know they are blocking based on the ports it uses. But unless you have a large staff base there, it will likely make more sense to simply do device-specific configuration for the team members going there. | Obstruction | |
9 | User | Likelihood ↥ | Certificate Spoofing | Security | Local Trust Anchors Certificates | Local Anchors Common Name Fallback | Allow | Setting this to Allow lets a certificate that has no subjectAltName be matched to a hostname by its Common Name. Name constraints on a locally installed CA are enforced against subjectAltName entries, not the Common Name, so a CN-only certificate chaining to a constrained internal CA can be accepted for a host outside the names that CA is permitted to issue for, bypassing the name constraints extension. Just follow best practice and block it. You will have to follow proper cert provisioning (certificates carrying a subjectAltName) within your organization for private services. But is that really too much to ask? - https://blogs.technet.microsoft.com/pki/2014/03/05/constraints-what-they-are-and-how-theyre-used/ - https://www.sysadmins.lv/blog-en/x509-name-constraints-certificate-extension-all-you-should-know.aspx | Deception |
10 | User | Likelihood ↥ | Certificate Spoofing | Security | Local Trust Anchors Certificates | Local Anchors Sha1 | Allow SHA-1 for local trust anchors | Sometimes you just have to follow best practice - https://security.googleblog.com/2016/11/sha-1-certificates-in-chrome.html | Deception |
11 | User | Likelihood ↧ | Certificate Spoofing | Security | Local Trust Anchors Certificates | Local Anchors Common Name Fallback | Block | Sometimes you just have to follow best practice | Deception |
12 | User | Impact ↧ | Circumvention Tech Regulated | Android applications | Unknown Sources | Allow install from unknown sources | If team members are traveling to countries that have requested that the security applications your team needs be removed from the app store, this will allow them to install those apps while in-country. - http://www.androidpolice.com/2014/08/20/brazilian-court-orders-google-to-remove-secret-app-from-the-play-store-and-remotely-wipe-it-from-phones/ | Legal | |
13 | User | Impact ↥ | Circumvention Tech Regulated | Android applications | Unknown Sources | Do not allow install from unknown sources | Legal | ||
14 | User | Likelihood ↥ | Circumvention Tech Regulated | Apps and Extensions | Force-installed Apps and Extensions | Manage force-installed apps | If you have a team that travels internationally, be mindful of "cyber laws" around the import and/or use of specific types of encryption and/or circumvention technologies. A team member **cannot** uninstall forced apps. You may want to move some of these force-installed apps to the "recommended apps" section of the Web Store if your team members commonly travel to a country where the technology those apps use is illegal. | Legal | |
15 | User | Impact ↥ | Compromised Account | Chrome Web Store | Chrome Web Store Homepage | Which private apps should be included in the collection? | Include all private apps and extensions from my domain. | If this option is selected AND team members are given permission to publish private apps [See "Chrome Web Store Permissions"] this can increase our attack surface. | Surveillance
16 | User | Impact ↥ | Compromised Account | Chrome Web Store | Chrome Web Store Permissions | Allow users to publish private apps that are restricted to your domain on Chrome Web Store. | If you allow team members to publish private apps, then a malicious actor who gets hold of one of the devices can privately publish a malicious app and deliver it to your other team members. Publishing a private app to others within the Google Apps domain from a compromised account lends the app the trust team members place in their colleagues. If the **team member account** of an admin is compromised and used in this way it carries even more weight, because the app can be passed off as a directive from the admin/security team. The adversary can even hide their private app from administrators and other team members through Google's built-in app targeting system, publishing an app that targets a specific country or even specific device models. | Surveillance | |
17 | User | Impact ↥ | Compromised Account | Chrome Web Store | Chrome Web Store Permissions | Allow users to skip verification for websites not owned | This turns off the verification that warns team members when they install potentially harmful apps. It amplifies the likelihood of a team member installing one of these apps if an adversary gains access to a team member account and begins spear-phishing other team members to install the private apps. | Surveillance | |
18 | User | Impact ↧ | Compromised Account | Content | Client Certificates | Automatically Select Client Certificate for These Sites - If a site matching a pattern below requests a client certificate, Chrome will automatically select one for it. | Using client certs for primary accounts will mean that a team member legitimately cannot access those primary accounts from their travel device. | Surveillance | |
19 | User | Impact ↧ | Compromised Account | Content | Client Certificates | Automatically Select Client Certificate for These Sites - If a site matching a pattern below requests a client certificate, Chrome will automatically select one for it. | Client certs only allow a device with a valid certificate installed to connect to a service. I'm not going to go in depth about it here. But it means that if a travel team member's username and password are compromised for any account, the attacker will also need access to a device with that team member's certs installed. | Surveillance | |
20 | Device | Impact ↧ | Compromised Account | Enrollment & Access | Verified Access | Enable for Enterprise Extensions | If you have the resources to implement Verified Access on your enterprise systems (VPNs, file servers, etc.), only specific team members, on specific enrolled devices that can attest they booted in verified mode, will be able to access those services. This is the type of security I would like to run around the travelers' sensitive information archives and any other services that contain sensitive data. | Surveillance | |
21 | User | Likelihood ↥ | Compromised Account | Enrollment Controls | Enrollment Permissions | Allow users in this organization to enroll new or deprovisioned devices | This allows anyone with a team member's credentials to enroll a new device as that user. An adversary who forces a team member to hand over their credentials could then enroll a different device, return the original device to the team member, and keep the new device powered on, enrolled and signed in to surveil the team member's account activity. | Surveillance | |
22 | Device | Impact ↧ | Compromised Account | Sign-in Settings | Guest Mode | Allow guest mode | Useful for mid-range threat environments where the team member does not want fully ephemeral usage but also does not want their recent online behavior tracked between sessions. | Surveillance | |
23 | Device | Likelihood ↥ | Compromised Account | Sign-in Settings | Single Sign-On Cookie Behavior | Enable transfer of SAML SSO Cookies into team member session during login | With this enabled, the SAML IdP cookies obtained during the Chrome OS sign-in are copied into the team member's session, so internal services behind that IdP open without a second login. It ties the security of your internal services to the security of the Chrome OS login, which, if you are this far into this document, is likely to be fine. But note the trade-off: with transfer disabled, an adversary who gets into the Chrome OS session on a travel device but cannot authenticate to the SSO provider is still stopped at the internal systems. | Surveillance | |
24 | User | Impact ↥ | Compromised Account | User Experience | Download Location | Force Google Drive | Surveillance | ||
25 | User | Impact ↥ | Compromised Account | User Experience | Download Location | Set Google Drive as default, but allow team member to change | Surveillance | ||
26 | User | Impact ↧ | Compromised Account | Verified Access | Verified Access | Enable for Enterprise Extensions | If you have the resources to implement Verified Access on your enterprise systems (VPNs, file servers, etc.), only specific team members, on specific enrolled devices that can attest they booted in verified mode, will be able to access those services. This is the type of security I would like to run around the travelers' sensitive information archives and any other services that contain sensitive data. | Surveillance | |
27 | User | Likelihood ↥ | Compromised Device | Android applications | Access to Android applications | Allow | Adding Android applications opens up a range of possibilities for making the Chromebook more useful & usable for your team members, and more secure. It can also considerably increase the attack surface you have to contend with. | Surveillance | |
28 | User | Likelihood ↥ | Compromised Device | Android applications | Account Management | Google account | By default, team members can add a secondary account (for example, their personal Gmail account) to get access to more Android apps than just the ones you explicitly approved for managed Google Play. This circumvents any Google Play app whitelisting put in place on the device. | Surveillance | |
29 | User | Likelihood ↥ | Compromised Device | Android applications | Unknown Sources | Allow install from unknown sources | This can considerably increase the attack surface you have to contend with. There are currently fewer controls in place for Android applications than there are for apps and extensions. | Surveillance | |
30 | User | Likelihood ↥ | Compromised Device | Android applications | Unknown Sources | Allow install from unknown sources | Allowing installs from untrusted sources significantly increases the possible attack surface. Since Google Apps does not yet provide a way to add your own signing key or otherwise approve specific unknown sources, the administrator has no way to remotely protect against an adversary installing malicious/monitoring apps once this feature is enabled. | Surveillance | |
31 | User | Likelihood ↧ | Compromised Device | Android applications | Unknown Sources | Do not allow install from unknown sources | Surveillance | ||
32 | User | Likelihood ↥ | Compromised Device | Apps and Extensions | Allow or Block All Apps and Extensions | Allow all apps and extensions except the ones I block | Surveillance | ||
33 | User | Likelihood ↧ | Compromised Device | Apps and Extensions | Allow or Block All Apps and Extensions | Block all apps and extensions except the ones I allow | Surveillance | ||
34 | User | Likelihood ↧ | Compromised Device | Apps and Extensions | Allowed Types of Apps and Extensions | Chrome Packaged App | Surveillance | ||
35 | User | Likelihood ↧ | Compromised Device | Apps and Extensions | Allowed Types of Apps and Extensions | Extension | Surveillance | ||
36 | User | Likelihood ↧ | Compromised Device | Apps and Extensions | Allowed Types of Apps and Extensions | Google Apps Script | Surveillance | ||
37 | User | Likelihood ↧ | Compromised Device | Apps and Extensions | Allowed Types of Apps and Extensions | Hosted App | Surveillance | ||
38 | User | Likelihood ↧ | Compromised Device | Apps and Extensions | Allowed Types of Apps and Extensions | Legacy Packaged App | Surveillance | ||
39 | User | Likelihood ↧ | Compromised Device | Apps and Extensions | Allowed Types of Apps and Extensions | Theme | Surveillance | ||
40 | User | Likelihood ↧ | Compromised Device | Apps and Extensions | App and Extension Install Sources | List of URL Patterns | A whitelist of app sources can be valuable for preventing team members from installing malicious apps and extensions, or apps that masquerade as an application a team member actually wants. There are a variety of app stores/sources that are far less managed than Google Play and are more likely to carry malicious apps. | Surveillance | |
41 | User | Impact ↧ | Compromised Device | Content | Google Drive Syncing | Disable Google Drive syncing | Drive Sync creates a special folder with offline access to documents that syncs back to the user's Google Drive. Because we are creating travel accounts for these team members, you could use this to give the team member a space for storing the non-sensitive travel documents they need. The workflow I am thinking about is the administrator re-enabling the team member's travel account week(s) before their travel. They can then seed their Google Drive travel folder with the non-sensitive documents they want offline access to during their travel. On the day(s) before their travel, when they are given their Chromebook, it will automatically sync to their device. | Surveillance | |
42 | User | Impact ↥ | Compromised Device | Content | Google Drive Syncing | Enable Google Drive syncing | Drive Sync creates a special folder with offline access to documents that syncs back to the user's Google Drive. Because we are creating travel accounts for these team members, you could use this to give the team member a space for storing the non-sensitive travel documents they need. The workflow I am thinking about is the administrator re-enabling the team member's travel account week(s) before their travel. They can then seed their Google Drive travel folder with the non-sensitive documents they want offline access to during their travel. On the day(s) before their travel, when they are given their Chromebook, it will automatically sync to their device. | Surveillance | |
43 | Device | Impact ↥ | Compromised Device | Enrollment & Access | Disabled device return instructions | Custom text to display | Lock-screen messages, whether set through an external EMM tool or the G Suite configuration here, have different ramifications when thinking about theft versus remotely locking down a device because the admin/security team believes a team member has been detained or their device confiscated. The message can be used to show plainly that the device is locked and cannot be accessed. The disabled-device notification also exposes the domain the device is enrolled in; if there are concerns about identifying the traveler's affiliation, the primary domain used for travel accounts should be chosen with this in mind. | Surveillance | |
44 | Device | Impact ↧ | Compromised Device | Enrollment & Access | Verified Mode | Require verified mode boot for Verified Access | See the in-depth design docs for verified boot mode, including its responses to different attack cases here. https://www.chromium.org/chromium-os/chromiumos-design-docs/verified-boot | Surveillance | |
45 | Device | Impact ↥ | Compromised Device | Enrollment & Access | Verified Mode | Skip boot mode check for Verified Access | If a team member can skip verified boot checks then a compromised (or developer) device can access enterprise extensions. This should not be used. | Surveillance | |
46 | User | Impact ↧ | Compromised Device | Hardware | Audio Input | Disable audio input | I gotta give Google's Chrome team some serious props for this one. When disabled, this won't allow any websites or applications to use the internal microphone. While surveillance-focused folks like myself would really like a hardware-based switch for audio and video on our personal devices, this is a powerful tool for providing wide-scale assurances that none of your staff have installed apps that are secretly listening in. In the long term I would move towards this with high-risk teams. But you will have to get them all small headset/microphones and ensure that they remember to take them with them when they travel. This could be a huge impediment to their work if they can't use their "secured travel device" to conduct sensitive calls and/or video-chats. AV is always the worst. So, for teams I would start with it enabled, and then once you have made sure you can build adoption of the practices (and bought everyone nice travel headsets) you can move to disabling it. | Surveillance | |
47 | User | Likelihood ↥ | Compromised Device | Hardware | External Storage devices | Allow external storage devices | External storage devices add another attack surface for local attempts at compromise. | Surveillance | |
48 | User | Likelihood ↥ | Compromised Device | Hardware | External Storage devices | Allow external storage devices (read only) | External storage devices add another attack surface for local attempts at compromise. | Surveillance | |
49 | User | Impact ↧ | Compromised Device | Hardware | Video Input | Disable video input | Surveillance | ||
50 | User | Likelihood ↥ | Compromised Device | Omnibox Search Provider | Omnibox Search Provider | Allow user to select the Omnibox Search Provider | The threat here is Omnibox (search) hijacking. This type of malware can redirect a team member to further malicious and/or phishing pages and surveil a team member's searches. By locking the omnibox search provider to a specific subset you can make this type of malware useless. If you encounter one of these, check out this short guidance to get rid of it: https://productforums.google.com/forum/#!msg/websearch/6W1JbCZMjMU/qCm7oM8cIMQJ | Surveillance | |
51 | User | Likelihood ↧ | Compromised Device | Omnibox Search Provider | Omnibox Search Provider | Lock the Omnibox Search Provider settings to the values below | Surveillance | ||
52 | Device | Likelihood ↧ | Compromised Device | Other | USB Detachable Whitelist | List of VID:PID pairs | This limits which USB devices your applications can access, and so limits the possibility of a malicious app or a malicious device compromising the other. | Surveillance | |
53 | User | Likelihood ↧ | Compromised Device | Security | Remote access clients | Remote Access Host Client Domain - Configure the required domain name for remote access clients. | In short, this will only allow registered team members from your Google Apps domain to remotely access your travelers' Chromebooks. If you have a remote access client that you use, you should add its domain here. NOTE: If this setting is disabled, or not set, the host allows connections from authorized team members from any domain. | Surveillance | |
54 | User | Likelihood ↧ | Compromised Device | Security | Safe Browsing | Always enable Safe Browsing | "Safe Browsing also protects you from abusive extensions and malicious software. At start up of Chrome, Safe Browsing scans extensions installed in your browser against the Safe Browsing list. If an extension on the list is found, Chrome will temporarily disable the extension, offer you relevant information and provide an option for you to remove the extension or re-enable it." - https://www.google.com/intl/en/chrome/browser/privacy/whitepaper.html#malware | ||
55 | Device | Impact ↧ | Compromised Device | Sign-in Settings | Guest Mode | Allow guest mode | Useful for mid-range threat environments where the team member does not want full ephemeral usage, but does not want to have their recent online behavior tracked between sessions. | Surveillance | |
56 | Device | Impact ↧ | Compromised Device | User & Device Reporting | Device Reporting | Device State Reporting | Enable device state reporting | Allows you to keep track of the status of your devices. Most importantly, this one allows you to see if one of your team members' devices has had its boot mode changed (one of the ways to compromise a Chromebook). By monitoring this you can quickly identify possible malicious behavior, alert the user, and, if they meant to change modes for some reason, make sure that if they need greater access you can support it in the future. | Surveillance |
57 | User | Likelihood ↧ | Compromised Device | User Experience | Multiple Sign-in Access | Block multiple sign-in access for team members in this organization | Surveillance | ||
58 | User | Likelihood ↥ | Compromised Device | User Experience | Multiple Sign-in Access | Managed team member must be the primary team member (secondary team members are allowed) | When the managed team member is the primary user, the per-profile user policies and some admin console policies will also apply to the secondary user. BUT, if there is a policy-defined network, then the secondary account will have access to the network with any apps installed on their account. As such, you should NOT allow multiple sign-in in these cases. | Surveillance | |
59 | User | Likelihood ↥ | Compromised Device | User Experience | Multiple Sign-in Access | Unrestricted team member access (allow any team member to be added to any other user's session) | When the managed team member is the primary user, the per-profile user policies and some admin console policies will also apply to the secondary user. BUT, if there is a policy-defined network, then the secondary account will have access to the network with any apps installed on their account. As such, you should NOT allow multiple sign-in in these cases. | Surveillance | |
60 | User | Impact ↧ | Compromised Device | User Verification | Verified Mode | Verified Mode Boot Check | Require verified mode boot for Verified Access | See the in-depth design docs for verified boot mode, including its responses to different attack cases here. https://www.chromium.org/chromium-os/chromiumos-design-docs/verified-boot | Surveillance |
61 | User | Impact ↥ | Compromised Device | User Verification | Verified Mode | Verified Mode Boot Check | Skip boot mode check for Verified Access | If a team member can skip verified boot checks then a compromised (or developer) device can access enterprise extensions. This should not be used. | Surveillance |
62 | Device | Impact ↧ | Data requests from online services | Enrollment & Access | Verified Mode | Service accounts which can verify devices but do not receive device ID | If you are using third-party services that offer verified access mode and offer this option, it will allow you to minimize the amount of information they know about which specific team member conducted activities using their service. This option means that they can only know that the team member is a managed user, not which team member it is. | Surveillance | |
63 | Device | Impact ↥ | Data requests from online services | Other | System timezone automatic detection | Always send WiFi access-points to server while resolving timezone | This is information that Google collects and stores with your data according to its privacy policy. I don't go into much of the other information Google collects, because of our assumptions. But this one has some really serious metadata attached to it that is constantly being collected. https://www.google.com/policies/privacy/#infocollect | Surveillance | |
64 | User | Impact ↥ | Data requests from online services | Security | Geolocation | Allow sites to detect team members' geolocation | Things that seem inconsequential to a user, like a device providing websites with its geolocation, can have significant security implications because of the information they leak, in environments where your traveler faces powerful adversaries that actively and successfully request team member information from online intermediaries. | Surveillance | |
65 | User | Impact ↧ | Data requests from online services | Security | Geolocation | Always ask the team member if a site wants to detect their geolocation | Things that seem inconsequential to a user, like a device providing websites with its geolocation, can have significant security implications because of the information they leak, in environments where your traveler faces powerful adversaries that actively and successfully request team member information from online intermediaries. | Surveillance | |
66 | User | Impact ↧ | Data requests from online services | Security | Geolocation | Do not allow sites to detect team members' geolocation | Things that seem inconsequential to a user, like a device providing websites with its geolocation, can have significant security implications because of the information they leak, in environments where your traveler faces powerful adversaries that actively and successfully request team member information from online intermediaries. | Surveillance | |
67 | User | Impact ↧ | Data requests from online services | User Verification | Verified Mode | Service accounts which can verify team members but do not receive team member data | If you are using third-party services that offer verified access mode and offer this option, it will allow you to minimize the amount of information they know about which specific team member conducted activities using their service. This option means that they can only know that the team member is a managed user, not which team member it is. | Surveillance | |
68 | User | Impact ↥ | Decryption Forced (Device) | Hardware | External Storage devices | Disallow external storage devices | USB drives and SD cards are a critical part of many people's travel security plans. They are used to separate sensitive information from the device. | Forced Exposure | |
69 | Device | Impact ↥ | Device Confiscation | Enrollment & Access | Disabled device return instructions | Custom text to display | Lock-screen messages, whether using an external EMM tool or the GSuite configuration here, have different ramifications when thinking about theft vs. when thinking about remotely locking down a device when the admin/security team believes that a team member has been detained or their device confiscated. The message can be used to show clear proof that the device cannot be accessed. The disabled device notification also exposes the domain that the device is on. If there are concerns about identifying the traveler's association, the primary domain used for travel accounts should be taken into consideration. | Confiscation | |
70 | User | Impact ↥ | Device Confiscation | Hardware | External Storage devices | Disallow external storage devices | USB drives and SD cards are a critical part of many people's travel security plans. They are used to separate sensitive information from the device. | Confiscation | |
71 | Device | Impact ↧ | Device Confiscation | Power & Shutdown | Power Management | Allow device to sleep/shut down when idle on the sign-in screen | This is great for ensuring that devices are secured after a certain idle period. But if you are using ephemeral mode, or team members are relying on offline mode, etc., this can lead to big problems. So, be careful with this one. | Confiscation | |
72 | Device | Impact ↧ | Device Confiscation | Power & Shutdown | Scheduled Reboot | Number of days before reboot; leave empty for unset | In the future this will be another way to deal with data that is left on team members' devices after they are confiscated, stolen, or lost. It has all the same drawbacks as well. It requires training your team members to expect it and understand why it is in place, making sure it fits with their workflows, and being receptive to changes in its frequency if it does interfere. (Currently, automatic reboots work only when the device is configured to be a Public Session kiosk and when the sign-in screen is being shown. For more information, see How do I schedule a Chrome device to reboot?) | Confiscation | |
73 | User | Impact ↥ | Device Confiscation | Security | Browser History | Always save browser history | Confiscation of the travel device | Confiscation | |
74 | User | Impact ↧ | Device Confiscation | Security | Browser History | Never save browser history | This might be useful for environments where your search history may be inspected but the entire device does not necessarily need to be wiped upon every logout. But an empty search history can raise suspicion. (Confiscation of the travel device) | Confiscation | |
75 | User | Impact ↥ | Device Confiscation | Security | Clear Browser History | Do not allow clearing history in settings menu | Confiscation of the travel device | Confiscation | |
76 | User | Impact ↧ | Device Confiscation | Security | Idle Settings | Action on idle | Logout | This is ideal for environments where wiping the current activity off the device should be quick, automatic, and frequent. (Confiscation of the travel device) | Confiscation |
77 | User | Impact ↧ | Device Confiscation | Security | Idle Settings | Action on lid close | Logout | This is ideal for environments where wiping the current activity off the device should be quick, automatic, and frequent. (Confiscation of the travel device) | Confiscation |
78 | User | Impact ↧ | Device Confiscation | Security | Lock Screen | Do not allow locking screen | This confusingly worded option provides greater security (and inconvenience) when the lock screen is disabled. When the lock screen is not allowed, the team member will be logged out entirely in situations where the lock screen would normally have been activated. This is ideal for environments where wiping the current activity off the device should be quick, automatic, and frequent. (Confiscation of the travel device) | Confiscation | |
79 | Device | Impact ↧ | Device Confiscation | Sign-in Settings | Guest Mode | Allow guest mode | Useful for mid-range threat environments where the team member does not want full ephemeral usage, but does not want to have their recent online behavior tracked between sessions. | Confiscation | |
80 | Device | Impact ↧ | Device Confiscation | Sign-in Settings | Sign-in Restriction | comma-delimited list of usernames | If travel sub-organizations use a different domain, then this can be used to limit the chance that the team member is forced to log in to their primary account at their organization when traveling. (Requires that only authorized devices can log in to your organization and that the traveler did not bring along any other authorized devices) | Confiscation | |
81 | Device | Impact ↧ | Device Confiscation | Sign-in Settings | Sign-in Restriction | Restrict Sign-in to list of users: | If travel sub-organizations use a different domain, then this can be used to limit the chance that the team member is forced to log in to their primary account at their organization when traveling. (Requires that only authorized devices can log in to your organization and that the traveler did not bring along any other authorized devices) | Confiscation | |
82 | Device | Impact ↧ | Device Confiscation | Sign-in Settings | Single Sign-On Camera Permissions | Whitelist of single sign-on camera permissions | You could remotely get a picture of everyone who tries to log in! Wouldn't that be a fun way to see if folks are trying to access your devices behind your team member's back? | Confiscation | |
83 | Device | Impact ↧ | Device Confiscation | Sign-in Settings | team member Data | Erase all local team member data | This is the ephemeral mode we have been talking about. Deletes all team member state between logins. It also means that any settings and/or configurations that are not hard-coded will have to be re-entered. This is a HUGE pain if the team member is using a lot of apps and does not have a password manager that is pre-configured on the device. | Confiscation | |
84 | User | Impact ↧ | Encrypted Comms Regulated | Android applications | Unknown Sources | Allow install from unknown sources | If team members are traveling to countries that have requested that the security applications your team needs to use are removed from the app store, then this will allow them to install those apps when in-country. - http://www.androidpolice.com/2014/08/20/brazilian-court-orders-google-to-remove-secret-app-from-the-play-store-and-remotely-wipe-it-from-phones/ | Legal | |
85 | User | Impact ↥ | Encrypted Comms Regulated | Android applications | Unknown Sources | Do not allow install from unknown sources | Legal | ||
86 | User | Likelihood ↥ | Encrypted Comms Regulated | Apps and Extensions | Force-installed Apps and Extensions | Manage force-installed apps | If you have a team that travels internationally, be mindful of "cyber laws" around the import and/or use of specific types of encryption and/or circumvention technologies. A team member **cannot** uninstall forced apps. You may want to move some of these force-installed apps to the "recommended apps" section of the web store if your team members are commonly traveling to a country where the technology those apps use is illegal. | Legal | |
87 | User | Likelihood ↥ | Encryption Regulated | Apps and Extensions | Force-installed Apps and Extensions | Manage force-installed apps | If you have a team that travels internationally, be mindful of "cyber laws" around the import and/or use of specific types of encryption and/or circumvention technologies. A team member **cannot** uninstall forced apps. You may want to move some of these force-installed apps to the "recommended apps" section of the web store if your team members are commonly traveling to a country where the technology those apps use is illegal. | Legal | |
88 | User | Impact ↧ | Endpoint/Route Disabling | Android applications | Access to Android applications | Allow | When endpoints (websites, servers, services) are blocked being able to search for working circumvention tools in the app store will give the team member more flexibility when they are unable to reach the admin/security team to have them identify and install an alternative solution. | Obstruction | |
89 | User | Impact ↧ | Endpoint/Route Disabling | Android applications | Unknown Sources | Allow install from unknown sources | If team members are traveling to countries that have requested that the security applications your team needs to use are removed from the app store, then this will allow them to install those apps when in-country. - http://www.androidpolice.com/2014/08/20/brazilian-court-orders-google-to-remove-secret-app-from-the-play-store-and-remotely-wipe-it-from-phones/ | Obstruction | |
90 | User | Impact ↥ | Endpoint/Route Disabling | Android applications | Unknown Sources | Do not allow install from unknown sources | Obstruction | ||
91 | Device | Impact ↧ | Full Internet Shutdown | User & Device Reporting | Inactive Device Notifications | Inactive Device Notification Reports | Enable inactive device notifications | Helps your admin keep track of devices that are not in use. This is a way to identify if a team member is likely circumventing the controls that the device provides by using another device, if that team member may be in trouble (as indicated by their ceasing all work), if a device has been stolen, or if there has been an internet shutdown. (Impact is used as a way to indicate that by identifying one of these states earlier than you would otherwise, you can react to it.) | Obstruction |
92 | User | Impact ↧ | Hotel Robbery & Theft | Content | Google Drive Syncing | Disable Google Drive syncing | Drive Sync creates a special folder with offline access to documents that syncs back to the user's Google Drive. Because we are creating travel accounts for these team members, you could use this to give the team member a space for storing the non-sensitive travel documents they need. The workflow I am thinking about is the administrator re-enabling the team member's travel account week(s) before their travel. They can then seed their Google Drive travel folder with the non-sensitive documents they want offline access to during their travel. On the day(s) before their travel, when they are given their Chromebook, it will automatically sync to their device. | Confiscation | |
93 | User | Impact ↥ | Hotel Robbery & Theft | Content | Google Drive Syncing | Enable Google Drive syncing | Drive Sync creates a special folder with offline access to documents that syncs back to the user's Google Drive. Because we are creating travel accounts for these team members, you could use this to give the team member a space for storing the non-sensitive travel documents they need. The workflow I am thinking about is the administrator re-enabling the team member's travel account week(s) before their travel. They can then seed their Google Drive travel folder with the non-sensitive documents they want offline access to during their travel. On the day(s) before their travel, when they are given their Chromebook, it will automatically sync to their device. | Confiscation | |
94 | Device | Impact ↧ | Hotel Robbery & Theft | Power & Shutdown | Power Management | Allow device to sleep/shut down when idle on the sign-in screen | This is great for ensuring that devices are secured after a certain idle period. But if you are using ephemeral mode, or team members are relying on offline mode, etc., this can lead to big problems. So, be careful with this one. | Confiscation | |
95 | Device | Impact ↧ | Hotel Robbery & Theft | Power & Shutdown | Scheduled Reboot | Number of days before reboot; leave empty for unset | In the future this will be another way to deal with data that is left on team members' devices after they are confiscated, stolen, or lost. It has all the same drawbacks as well. It requires training your team members to expect it and understand why it is in place, making sure it fits with their workflows, and being receptive to changes in its frequency if it does interfere. (Currently, automatic reboots work only when the device is configured to be a Public Session kiosk and when the sign-in screen is being shown. For more information, see How do I schedule a Chrome device to reboot?) | Confiscation | |
96 | User | Impact ↥ | Hotel Robbery & Theft | Security | Browser History | Always save browser history | Confiscation | ||
97 | User | Impact ↧ | Hotel Robbery & Theft | Security | Browser History | Never save browser history | This might be useful for environments where your search history may be inspected but the entire device does not necessarily need to be wiped upon every logout. But an empty search history can raise suspicion. | Confiscation | |
98 | User | Impact ↥ | Hotel Robbery & Theft | Security | Clear Browser History | Do not allow clearing history in settings menu | Confiscation | ||
99 | User | Impact ↧ | Hotel Robbery & Theft | Security | Idle Settings | Action on idle | Logout | This is ideal for environments where wiping the current activity off the device should be quick, automatic, and frequent. | Confiscation |
100 | User | Impact ↧ | Hotel Robbery & Theft | Security | Idle Settings | Action on lid close | Logout | This is ideal for environments where wiping the current activity off the device should be quick, automatic, and frequent. | Confiscation |
101 | User | Impact ↧ | Hotel Robbery & Theft | Security | Lock Screen | Do not allow locking screen | This confusingly worded option provides greater security (and inconvenience) when the lock screen is disabled. When the lock screen is not allowed, the team member will be logged out entirely in situations where the lock screen would normally have been activated. This is ideal for environments where wiping the current activity off the device should be quick, automatic, and frequent. | Confiscation | |
102 | Device | Impact ↧ | Hotel Robbery & Theft | Sign-in Settings | Guest Mode | Allow guest mode | Useful for mid-range threat environments where the team member does not want full ephemeral usage, but does not want to have their recent online behavior tracked between sessions. | Confiscation | |
103 | Device | Impact ↧ | Hotel Robbery & Theft | Sign-in Settings | team member Data | Erase all local team member data | This is the ephemeral mode we have been talking about. Deletes all team member state between logins. It also means that any settings and/or configurations that are not hard-coded will have to be re-entered. This is a HUGE pain if the team member is using a lot of apps and does not have a password manager that is pre-configured on the device. | Confiscation | |
104 | Device | Impact ↧ | Hotel Robbery & Theft | User & Device Reporting | Inactive Device Notifications | Inactive Device Notification Reports | Enable inactive device notifications | Helps your admin keep track of devices that are not in use. This is a way to identify if a team member is likely circumventing the controls that the device provides by using another device, if that team member may be in trouble (as indicated by their ceasing all work), if a device has been stolen, or if there has been an internet shutdown. (Impact is used as a way to indicate that by identifying one of these states earlier than you would otherwise, you can react to it.) | Confiscation |
105 | User | Likelihood ↥ | In-Country Activities Regulated | Apps and Extensions | Pinned Apps and Extensions | Manage pinned apps | See the "Appropriate Organizational Identifiers" mitigation regarding organizationally identifying private apps (i.e. apps that link to organizational login portals, etc.). | Legal | |
106 | User | Likelihood ↧ | In-Country Activities Regulated | Chrome Web Store | Chrome Web Store Homepage | Chrome Web Store Homepage | Use a custom page, set below | See the "Appropriate Organizational Identifiers" mitigation regarding an organizationally identifying collection name. | Legal |
107 | User | Likelihood ↥ | In-Country Activities Regulated | Chrome Web Store | Chrome Web Store Homepage | Chrome Web Store Homepage | Use the 'For [YOUR_DOMAIN>TLD]' collection: | See the "Appropriate Organizational Identifiers" mitigation regarding an organizationally identifying collection name. | Legal |
108 | User | Likelihood ↧ | In-Country Activities Regulated | Chrome Web Store | Chrome Web Store Homepage | What should the collection name be? | See the "Appropriate Organizational Identifiers" mitigation regarding an organizationally identifying collection name. | Legal | |
109 | Device | Impact ↥ | In-Country Activities Regulated | Enrollment & Access | Disabled device return instructions | Custom text to display | The disabled device notification exposes the domain that the device is on. If there are concerns about identifying the traveler's association, the primary domain used for travel accounts should be taken into consideration. | Legal | |
110 | Device | Impact ↥ | In-Country Activities Regulated | Enrollment & Access | Forced Re-enrollment | Force device to re-enroll into this domain after wiping | If a team member needs to switch over to a personal account mid-trip because conditions have changed and their association with your organization has become more dangerous, this would prohibit them from doing so. | Legal | |
111 | Device | Impact ↧ | In-Country Activities Regulated | Sign-in Settings | Sign-in Restriction | comma-delimited list of usernames | If travel sub-organizations use a different domain, then this feature would not force them to log in using their organization's primary (tainted) domain in front of border officials. | Legal | |
112 | Device | Impact ↧ | In-Country Activities Regulated | Sign-in Settings | Sign-in Restriction | Restrict Sign-in to list of users: | If travel sub-organizations use a different domain, then this feature would not force them to log in using their organization's primary (tainted) domain in front of border officials. | Legal | |
113 | User | Impact ↧ | In-Transit Robbery & Theft | Content | Google Drive Syncing | Disable Google Drive syncing | "Drive Sync creates a special folder with offline access to documents and syncing back to the google drive of the user. Because we are creating travel accounts for these team member's you could use this to give the team member a space for storing non-sensitive travel documents that they needed. The workflow I am thinking about is the administrator re-enabling the team member's travel account week(s) before their travel. They can then seed their google drive travel folder with the non-sensitive documents they want offline access to during their travel. One the day(s) before their travel when they are given their chromebook it will automatically sync to their device. | Confiscation | |
114 | User | Impact ↥ | In-Transit Robbery & Theft | Content | Google Drive Syncing | Enable Google Drive syncing | "Drive Sync creates a special folder with offline access to documents and syncing back to the google drive of the user. Because we are creating travel accounts for these team member's you could use this to give the team member a space for storing non-sensitive travel documents that they needed. The workflow I am thinking about is the administrator re-enabling the team member's travel account week(s) before their travel. They can then seed their google drive travel folder with the non-sensitive documents they want offline access to during their travel. One the day(s) before their travel when they are given their chromebook it will automatically sync to their device. | Confiscation | |
115 | Device | Impact ↧ | In-Transit Robbery & Theft | Enrollment & Access | Disabled device return instructions | Custom text to display | Lock-screen messages, whether using an external EMM tool or the G Suite configuration here, have different ramifications when thinking about theft vs. when thinking about remotely locking down a device because the admin/security team believes that a team member has been detained or their device confiscated. This can be used to show strict proof that the device cannot be accessed. The disabled-device notification also exposes the domain that the device is on. If there are concerns about identifying the traveler's association, the primary domain used for travel accounts should be taken into consideration. | Confiscation | |
116 | User | Impact ↥ | In-Transit Robbery & Theft | Hardware | External Storage devices | Disallow external storage devices | USB drives and SD cards are a critical part of many people's travel security plans. They are used to separate sensitive information from the device. | Confiscation | |
117 | Device | Impact ↧ | In-Transit Robbery & Theft | Power & Shutdown | Power Management | Allow device to sleep/shut down when idle on the sign-in screen | This is great for ensuring that devices are secured after a certain period of idleness. But if you are using ephemeral mode, or team members are relying on offline mode, etc., this can lead to big problems. So, be careful with this one. | Confiscation | |
118 | Device | Impact ↧ | In-Transit Robbery & Theft | Power & Shutdown | Scheduled Reboot | Number of days before reboot; leave empty for unset | In the future this will be another way to thwart recovery of data that is left on team members' devices after they are confiscated, stolen, or lost. It has all the same drawbacks as well. It requires training your team members to expect it and understand why it is in place, making sure it fits with their workflows, and being receptive to changes in its frequency if it does interfere. (Currently, automatic reboots work only when the device is configured to be a Public Session kiosk and when the sign-in screen is being shown. For more information, see "How do I schedule a Chrome device to reboot?") | Confiscation | |
119 | User | Impact ↥ | In-Transit Robbery & Theft | Security | Browser History | Always save browser history | Confiscation | ||
120 | User | Impact ↧ | In-Transit Robbery & Theft | Security | Browser History | Never save browser history | This might be useful for environments where your browser history may be inspected but the entire device does not necessarily need to be wiped upon every logout. But an empty browser history can raise suspicion. | Confiscation | |
121 | User | Impact ↥ | In-Transit Robbery & Theft | Security | Clear Browser History | Do not allow clearing history in settings menu | Confiscation | ||
122 | User | Impact ↧ | In-Transit Robbery & Theft | Security | Idle Settings | Action on idle | Logout | This is ideal for environments where wiping the current activity off the device should be quick, automatic, and frequent. | Confiscation |
123 | User | Impact ↧ | In-Transit Robbery & Theft | Security | Idle Settings | Action on lid close | Logout | This is ideal for environments where wiping the current activity off the device should be quick, automatic, and frequent. | Confiscation |
124 | User | Impact ↧ | In-Transit Robbery & Theft | Security | Lock Screen | Do not allow locking screen | This confusingly worded option provides greater security (and inconvenience) when the lock screen is disabled. When the lock screen is not allowed, the team member will be logged out entirely in situations where the lock screen would normally have been activated. This is ideal for environments where wiping the current activity off the device should be quick, automatic, and frequent. | Confiscation | |
125 | Device | Impact ↧ | In-Transit Robbery & Theft | Sign-in Settings | Guest Mode | Allow guest mode | Useful for mid-range threat environments where the team member does not want full ephemeral usage but also does not want their recent online behavior tracked between sessions. | Confiscation | |
126 | Device | Impact ↧ | In-Transit Robbery & Theft | Sign-in Settings | team member Data | Erase all local team member data | This is the ephemeral mode we have been talking about. It deletes all team member state between logins. It also means that any settings and/or configurations that are not hard-coded will have to be re-entered. This is a HUGE pain if the team member is using a lot of apps and does not have a password manager that is pre-configured on the device. | Confiscation | |
127 | Device | Impact ↧ | In-Transit Robbery & Theft | User & Device Reporting | Inactive Device Notifications | Inactive Device Notification Reports | Enable inactive device notifications | Helps your admin keep track of devices that are not in use. This is a way to identify whether a team member is likely circumventing the controls that the device provides by using another device, whether that team member may be in trouble (as indicated by their ceasing all work), whether a device has been stolen, or whether there has been an internet shutdown. (Impact is used here to indicate that by identifying one of these states earlier than you otherwise would, you can react to it.) | Confiscation |
128 | User | Impact ↥ | Intermittent Connectivity | User Experience | Download Location | Force Google Drive | In some instances a team member will want to have offline data, especially in cases where online access will be intermittent. | Obstruction | |
129 | User | Impact ↥ | Lacking/Intermittent Access to Broadband | Content | Google Drive Syncing over Cellular | Disable Google Drive syncing over cellular connections | Obstruction | ||
130 | User | Impact ↧ | Lacking/Intermittent Access to Broadband | Content | Google Drive Syncing over Cellular | Enable Google Drive syncing over cellular connections | If mobile data is available but broadband access is not, then enabling this (as long as the team member has cellular capabilities) can be valuable. | Obstruction | |
131 | Device | Impact ↧ | Lacking/Intermittent Access to Broadband | Other | Mobile Data Roaming | Allow mobile data roaming | If mobile data is available but broadband access is not, then enabling this (as long as the team member has cellular capabilities) can be valuable. | Obstruction | |
132 | Device | Impact ↥ | Lacking/Intermittent Access to Broadband | Other | Mobile Data Roaming | Do not allow mobile data roaming | Obstruction | ||
133 | User | Impact ↥ | Lacking/Intermittent Access to Broadband | User Experience | Download Location | Force Google Drive | In some instances a team member will want to have offline data, especially in cases where online access will be intermittent. | Obstruction | |
134 | User | Impact ↧ | Limited/Throttled Connectivity | Content | Images | Images | Allow user to configure | There is one case, for low-connectivity regions, where the team member might want to configure this themselves to save on bandwidth when using the internet. | Obstruction |
135 | Device | Impact ↧ | Limited/Throttled Connectivity | Device Update Settings | Auto Update Settings | Randomly scatter auto-updates over | [1-14] Day(s) | If you have multiple team members traveling together who are all using their own Chrome devices in a country with limited connectivity, scattering updates will limit the traffic spike of them all attempting to update at the same time. | Obstruction |
136 | Device | Impact ↥ | Limited/Throttled Connectivity | Device Update Settings | Auto Update Settings | Randomly scatter auto-updates over | None | If you have multiple team members traveling together who are all using their own Chrome devices in a country with limited connectivity, scattering updates will limit the traffic spike of them all attempting to update at the same time. | Obstruction |
137 | User | Impact ↥ | Limited/Throttled Connectivity | Network | Proxy Settings | Always use the proxy auto-config specified below | Proxies can be inconvenient in low-connectivity areas. If there are concerns about passive surveillance, then a proxy configured to proxy only non-TLS (HTTP) connections can provide a greater level of protection against surveillance without impacting connections that already have TLS. | Obstruction | |
138 | User | Impact ↥ | Limited/Throttled Connectivity | Network | Proxy Settings | Always use the proxy specified below | Proxies can be inconvenient in low-connectivity areas. | Obstruction | |
139 | User | Impact ↧ | Limited/Throttled Connectivity | Network | Proxy Settings | Never use a proxy | Proxies can be inconvenient in low-connectivity areas. | Obstruction | |
140 | User | Impact ↥ | Limited/Throttled Connectivity | Network | QUIC Protocol | Disabled | QUIC has the same security properties as HTTPS. It also reduces latency. It's useful when networking conditions are bad. | Obstruction | |
141 | User | Impact ↧ | Limited/Throttled Connectivity | Network | QUIC Protocol | Enabled | QUIC has the same security properties as HTTPS. It also reduces latency. It's useful when networking conditions are bad. | Obstruction | |
142 | User | Impact ↥ | Limited/Throttled Connectivity | User Experience | Download Location | Force Google Drive | In some instances a team member will want to have offline data, especially in cases where data is throttled/slow. | Obstruction | |
143 | User | Impact ↥ | Login Forced (Device) | Apps and Extensions | Pinned Apps and Extensions | Manage pinned apps | See the "Appropriate Organizational Identifiers" mitigation regarding organizationally identifying private apps (i.e. apps that link to organizational login portals, etc.). | Login Forced | |
144 | User | Impact ↥ | Login Forced (Device) | Apps and Extensions | Task Manager | Allow users to end processes with the Chrome task manager | There is currently only one possible security-related reason I can think of to restrict team member access to the task manager: if we were using an external enterprise mobility management tool (a remote wipe/control application) and did not want malicious actors with physical access to be able to shut down those apps using the task manager. This document uses G Suite's built-in EMM tools and permission management to deal with this. As such, we do not need to restrict task manager access. | Login Forced | |
145 | User | Impact ↧ | Login Forced (Device) | Chrome Web Store | Chrome Web Store Homepage | Chrome Web Store Homepage | Use a custom page, set below | See the "Appropriate Organizational Identifiers" mitigation regarding an organizationally identifying collection name. | Login Forced |
146 | User | Impact ↥ | Login Forced (Device) | Chrome Web Store | Chrome Web Store Homepage | Chrome Web Store Homepage | Use the 'For [YOUR_DOMAIN>TLD]' collection: | See the "Appropriate Organizational Identifiers" mitigation regarding an organizationally identifying collection name. | Login Forced |
147 | User | Impact ↧ | Login Forced (Device) | Chrome Web Store | Chrome Web Store Homepage | What should the collection name be? | See the "Appropriate Organizational Identifiers" mitigation regarding an organizationally identifying collection name. | Login Forced | |
148 | User | Impact ↧ | Login Forced (Device) | Content | Google Drive Syncing | Disable Google Drive syncing | Drive Sync creates a special folder with offline access to documents that syncs back to the user's Google Drive. Because we are creating travel accounts for these team members, you could use this to give the team member a space for storing the non-sensitive travel documents they need. The workflow I am thinking about is the administrator re-enabling the team member's travel account week(s) before their travel. They can then seed their Google Drive travel folder with the non-sensitive documents they want offline access to during their travel. On the day(s) before their travel, when they are given their Chromebook, it will automatically sync to their device. | Login Forced | |
149 | User | Impact ↥ | Login Forced (Device) | Content | Google Drive Syncing | Enable Google Drive syncing | Drive Sync creates a special folder with offline access to documents that syncs back to the user's Google Drive. Because we are creating travel accounts for these team members, you could use this to give the team member a space for storing the non-sensitive travel documents they need. The workflow I am thinking about is the administrator re-enabling the team member's travel account week(s) before their travel. They can then seed their Google Drive travel folder with the non-sensitive documents they want offline access to during their travel. On the day(s) before their travel, when they are given their Chromebook, it will automatically sync to their device. | Login Forced | |
150 | User | Likelihood ↥ | Login Forced (Device) | General | Smart Lock for Chrome | Allow Smart Lock for Chrome | Allows your Chrome device to be unlocked through proximity to a specific smartphone. This is an undesirable feature. We want multi-factor authentication for login to our travel devices. This removes a factor. | Login Forced | |
151 | User | Impact ↥ | Login Forced (Device) | Hardware | External Storage devices | Disallow external storage devices | USB drives and SD cards are a critical part of many people's travel security plans. They are used to separate sensitive information from the device. | Login Forced | |
152 | User | Impact ↧ | Login Forced (Device) | Security | Incognito Mode | Allow incognito mode | Incognito mode is a useful tool for ensuring that sensitive research and other online activity is not exposed on devices that otherwise save the browser history. It has clear benefits. I see no security reasons to disable incognito mode. | Login Forced | |
153 | User | Impact ↥ | Login Forced (Device) | Security | Incognito Mode | Disallow incognito mode | Incognito mode is a useful tool for ensuring that sensitive research and other online activity is not exposed on devices that otherwise save the browser history. It has clear benefits. I see no security reasons to disable incognito mode. | Login Forced | |
154 | Device | Impact ↧ | Login Forced (Device) | Sign-in Settings | Guest Mode | Allow guest mode | Useful for mid-range threat environments where the team member does not want full ephemeral usage but also does not want their recent online behavior tracked between sessions. | Login Forced | |
155 | Device | Impact ↧ | Login Forced (Device) | Sign-in Settings | Single Sign-On Camera Permissions | Whitelist of single sign-on camera permissions | I know what you are thinking. Why would I want to give my login service camera access? If you do some research, your next question will be "What in all that is holy is a 'clever badge'?" [1] Well, this function allows your team members to use the device's camera to support single sign-on. Heck, if you really wanted to, you could have it ping a 24-hour desk staffed by people who knew what your team members looked like and have them authenticate based upon a conversation that ensures they are not under duress and are in good health. That would be a cluster-f**ck of sadness that would quickly fall apart, but you could do it. It's a cool feature. It's mostly useful for adding another form of multi-factor authentication. I don't see any amazing services that are using it yet. [1] https://clever.com/products/badges (QR codes for kids to log in to stuff) | Login Forced | |
156 | User | Impact ↥ | Login Forced (Device) | Startup | Homepage | Homepage is always the new tab page | The new tab page exposes commonly used websites. This is an information exposure vector that some travelers may not want. "If you sync your browsing history and have enabled its use in your Web & App activity, Google may suggest sites that relate to sites you have visited in the past." - https://www.google.com/intl/en/chrome/browser/privacy/whitepaper.html#NTP | ||
157 | User | Impact ↥ | Login Forced (Device) | User Experience | Bookmark Editing | Enable bookmark editing | Don't get in the way of the team member's workflow. Just make sure that they have the proper info-sec awareness to understand what they might be revealing if their device gets confiscated with custom bookmarks. | Login Forced | |
158 | User | Impact ↥ | Login Forced (Device) | User Experience | Managed Bookmarks | Managed Bookmarks | These will be on every device, so if you are trying to obfuscate the team member's affiliation with those sites you will want to create an obfuscated account. | Login Forced | |
159 | User | Impact ↥ | Login Forced (Device) | User Experience | Multiple Sign-in Access | Managed team member must be the primary team member (secondary team members are allowed) | With the managed user as primary, the per-profile user policies and some admin console policies will also apply to the secondary user. BUT, if there is a policy-defined network, then the secondary account will have access to the network with any apps installed on their account. As such, you should not allow multiple sign-in in these cases. | Login Forced | |
160 | User | Impact ↥ | Login Forced (Device) | User Experience | Multiple Sign-in Access | Unrestricted team member access (allow any team member to be added to any other user's session) | With the managed user as primary, the per-profile user policies and some admin console policies will also apply to the secondary user. BUT, if there is a policy-defined network, then the secondary account will have access to the network with any apps installed on their account. As such, you should not allow multiple sign-in in these cases. | Login Forced | |
161 | User | Impact ↥ | Login Forced (Service) | Security | Password Manager | Allow user to configure | In environments where team members are allowed to use the password manager, it is important to have properly built their security awareness so that they understand the security implications of saving passwords for different types of accounts. | Login Forced | |
162 | User | Impact ↥ | Login Forced (Service) | Security | Password Manager | Always allow use of password manager | Login Forced | ||
163 | User | Impact ↧ | Login Forced (Service) | Security | Password Manager | Never allow use of password manager | Choosing "never allow use" is an absolutist technical control that is appropriate for some high-threat environments, but unnecessary and inconvenient in many others. It raises the question, "How does your team weigh the psycho-social value of being able to save a Netflix password against their willingness to follow your instructions?" | Login Forced | |
164 | Device | Impact ↧ | Login Forced (Service) | Sign-in Settings | Sign-in Restriction | comma-delimited list of usernames | If travel sub-organizations use a different domain, then this can be used to limit the ability to force the team member to log in to their primary account at their organization when traveling. (Requires that only authorized devices can log in to your organization and that the traveler did not bring along any other authorized devices.) | Login Forced | |
165 | Device | Impact ↧ | Login Forced (Service) | Sign-in Settings | Sign-in Restriction | Restrict Sign-in to list of users: | If travel sub-organizations use a different domain, this feature means team members are not forced to log in using their organization's primary (tainted) domain in front of border officials. | Login Forced | |
166 | User | Impact ↧ | Passive Internet Surveillance | Content | Cookies | Allow Cookies for URL Patterns | Surveillance | ||
167 | User | Impact ↧ | Passive Internet Surveillance | Content | Cookies | Allow Session-Only Cookies for URL Patterns | Surveillance | ||
168 | User | Impact ↥ | Passive Internet Surveillance | Content | Cookies | Default Cookie Setting | Allow sites to set cookies | Actors who have targeted ISP-level passive surveillance can use cookies that are sent in the clear to identify a team member across different networks. (I'm enumerating threats that I think about here! Not saying that it is a threat that your team members need to worry about. :D ) | Surveillance |
169 | User | Impact ↧ | Passive Internet Surveillance | Content | Cookies | Default Cookie Setting | Keep cookies for the duration of the session | Actors who have targeted ISP-level passive surveillance can use cookies that are sent in the clear to identify a team member across different networks. (I'm enumerating threats that I think about here! Not saying that it is a threat that your team members need to worry about. :D ) | Surveillance |
170 | User | Impact ↧ | Passive Internet Surveillance | Content | Cookies | Default Cookie Setting | Never allow sites to set cookies | Actors who have targeted ISP-level passive surveillance can use cookies that are sent in the clear to identify a team member across different networks. (I'm enumerating threats that I think about here! Not saying that it is a threat that your team members need to worry about. :D ) | Surveillance |
171 | User | Impact ↥ | Passive Internet Surveillance | Content | Third-Party Cookie Blocking | Allow third-party cookies | This is another fingerprinting threat, and therefore not very relevant for most contexts. | Surveillance | |
172 | User | Impact ↧ | Passive Internet Surveillance | Content | Third-Party Cookie Blocking | Disallow third-party cookies | This is another fingerprinting threat, and therefore not very relevant for most contexts. | Surveillance | |
173 | User | Impact ↥ | Passive Internet Surveillance | Network | Proxy Settings | Always auto detect the proxy | Surveillance | ||
174 | User | Impact ↧ | Passive Internet Surveillance | Network | Proxy Settings | Always use the proxy auto-config specified below | Surveillance | ||
175 | User | Impact ↧ | Passive Internet Surveillance | Network | Proxy Settings | Always use the proxy specified below | Surveillance | ||
176 | User | Impact ↥ | Passive Internet Surveillance | Network | WebRTC UDP Ports | Maximum port (1024-65535) | One consideration here is that setting this to a very small set of unique ports will act as a fingerprint for your user base. This is only going to be relevant if you are highly targeted, are in a region with widespread and advanced passive surveillance, and are attempting to have some team members obfuscate their association with the project. (i.e. if you are providing these to a diverse, otherwise disconnected group of targeted actors within a country, this could be used to uniquely identify associated Chromebooks through passive monitoring.) In most countries this is a HIGHLY unlikely scenario. But we are starting to see a trend towards highly advanced passive surveillance systems and, in my opinion, need to start thinking about the likelihood of network-level fingerprinting in an increasing number of threat environments. | Surveillance | |
177 | User | Impact ↥ | Passive Internet Surveillance | Network | WebRTC UDP Ports | Minimum port (1024-65535) | One consideration here is that setting this to a very small set of unique ports will act as a fingerprint for your user base. This is only going to be relevant if you are highly targeted, are in a region with widespread and advanced passive surveillance, and are attempting to have some team members obfuscate their association with the project. (i.e. if you are providing these to a diverse, otherwise disconnected group of targeted actors within a country, this could be used to uniquely identify associated Chromebooks through passive monitoring.) In most countries this is a HIGHLY unlikely scenario. But we are starting to see a trend towards highly advanced passive surveillance systems and, in my opinion, need to start thinking about the likelihood of network-level fingerprinting in an increasing number of threat environments. | Surveillance | |
178 | User | Impact ↥ | Passive Internet Surveillance | Security | Online Revocation Checks | Perform online OCSP/CRL checks | Online OCSP/CRL checks should not be enabled. It is bad in just about every sort of way. To quote the Chromium policy list: "In light of the fact that soft-fail, online revocation checks provide no effective security benefit..." Soft-fail means that when the check cannot complete, a revoked certificate will still be accepted. | Surveillance | |
179 | User | Impact ↥ | Passive Internet Surveillance | User Experience | DNS Pre-fetching | Always pre-fetch DNS | I have security concerns with pre-fetching that make me lean towards not allowing it, or even not allowing team members to configure it. I don't want my team members' devices requesting the location of sites that they have not actually requested. In places with passive monitoring, where sites they have accessed might be used against my team members, I want to make sure they are not being connected to sites through their DNS queries that they may never have actually requested content from. The evidence collected in these types of incidents will be minimal. With HTTPS, the costs of storing wide-scale passive traffic captures, etc., it will be hard to disprove a case built just on DNS. | Surveillance | |
180 | User | Impact ↧ | Passive Internet Surveillance | User Experience | DNS Pre-fetching | Never pre-fetch DNS | I have security concerns with pre-fetching that make me lean towards not allowing it, or even not allowing team members to configure it. I don't want my team members' devices requesting the location of sites that they have not actually requested. In places with passive monitoring, where sites they have accessed might be used against my team members, I want to make sure they are not being connected to sites through their DNS queries that they may never have actually requested content from. The evidence collected in these types of incidents will be minimal. With HTTPS, the costs of storing wide-scale passive traffic captures, etc., it will be hard to disprove a case built just on DNS. | Surveillance | |
181 | User | Impact ↥ | Passive Mobile Data Surveillance | Security | Online Revocation Checks | Perform online OCSP/CRL checks | Surveillance | ||
182 | User | Likelihood ↥ | Pharming | Content | JavaScript | JavaScript | Allow sites to run JavaScript | Yeah, but that does not mean we should break the internet! Instead, we should force-install an ad-blocker and allow the team member to make these decisions on a more granular basis. | Deception |
183 | User | Likelihood ↥ | Pharming | Content | JavaScript | Allow These Sites to Run JavaScript | Deception | ||
184 | User | Likelihood ↧ | Pharming | Content | JavaScript | JavaScript | Do not allow sites to run JavaScript | Yeah, but that does not mean we should break the internet! Instead, we should force-install an ad-blocker and allow the team member to make these decisions on a more granular basis. | Deception |
185 | User | Impact ↥ | Pharming | Content | Outdated Plugins | Allow outdated plugins to be used as normal plugins | Again, the only plugin left is Flash, and it had better be up to date given the serious vulnerabilities in older versions. | Deception | |
186 | User | Impact ↧ | Pharming | Content | Outdated Plugins | Disallow outdated plugins | Again, the only plugin left is Flash, and it had better be up to date given the serious vulnerabilities in older versions. | Deception | |
187 | User | Impact ↧ | Pharming | Content | Plug-ins | Plug-ins | Block all plug-ins | Flash is poison, Flash is dead in 2020! Make sure your team is not using Flash-based web apps before disabling. (Flash is the only "plugin" that is left in Chrome: https://bugs.chromium.org/p/chromium/issues/detail?id=615738) | Deception |
188 | User | Impact ↥ | Pharming | Content | Plug-ins | Plug-ins | Run plug-ins automatically | Flash is poison, Flash is dead in 2020! Make sure your team is not using Flash-based web apps before disabling. (Flash is the only "plugin" that is left in Chrome: https://bugs.chromium.org/p/chromium/issues/detail?id=615738) | Deception |
189 | User | Impact ↥ | Pharming | Content | Plugin Authorization | Always run plugins that require authorization | Flash is such a constantly vulnerable component of the web that I don't want to just allow it in any way. | Deception | |
190 | User | Impact ↧ | Pharming | Content | Plugin Authorization | Ask for user permission before running plugins that require authorization | Follow the guidelines around giving team members a choice to be more secure. It can be inconvenient, but Flash is such a constantly vulnerable component of the web that I don't want to just allow it in any way. | Deception | |
191 | User | Impact ↧ | Pharming | Content | URL Blocking | URL Blacklist | A blacklist, with blacklist problems. But while this is not directly relevant to the travel use case, this is an easy enough field to fill with 1,000 common typosquatting variants of your domains [1]. With some research and lots of testing using your network logs, this could also be used to block domains commonly used in phishing attacks. Honestly, the only reason I am allowing this blacklist is because I think it would be fun to implement. [1] https://github.com/elceef/dnstwist | Deception | |
192 | User | Impact ↥ | Pharming | Security | Malicious Sites | Allow user to proceed anyway to malicious sites | If your team members are doing investigative research, it might also make sense to allow them to proceed to malicious sites. But even then, they should likely not be using their primary device to do it. If they wish to use Chromebooks for these use cases instead of their primary browser, then a more locked-down setup can be created, either on easily wipeable Chromebooks or by setting up disposable VMs that they can remote into from their travel Chromebook. | Deception | |
193 | User | Impact ↧ | Pharming | Security | Malicious Sites | Prevent team member from proceeding anyway to malicious sites | Deception | ||
194 | User | Impact ↧ | Pharming | Security | Safe Browsing | Always enable Safe Browsing | Safe Browsing helps protect team members from websites that may contain malware and/or pharmed content. When a team member attempts to connect to a URL, Safe Browsing checks it against local copies of Google's "Safe Browsing lists." If the hash of the URL the team member is attempting to visit matches one of the hashes in the Safe Browsing lists, it will warn the user. [1] The privacy-preserving implementation of Safe Browsing makes enabling it the obvious choice. [1] https://github.com/scheib/chromium/blob/9ae6b4f4a8679c8598316544dccf378b86f99845/chrome/browser/safe_browsing/client_side_model_loader.cc | Deception | |
195 | User | Impact ↧ | Pharming | User Experience | Form Auto-fill | Never auto-fill forms | Browser autofill phishing/pharming was just trending on the info-sec news circuit. | Deception | |
196 | User | Impact ↧ | Pharming | User Experience | Managed Bookmarks | Managed Bookmarks | It is also a way to ensure that team members have easy access to the websites that will likely be the targets of phishing/pharming attacks. By teaching team members to go to their auto-installed bookmark instead of clicking on any email link, you can stop many credential phishing attacks. These will be on every device, so if you are trying to obfuscate the team member's affiliation with those sites you will want to create an obfuscated account. | Deception | |
197 | User | Likelihood ↥ | Phishing | Content | JavaScript | JavaScript | Allow sites to run JavaScript | Yeah, but that does not mean we should break the internet! Instead, we should force-install an ad-blocker and allow the team member to make these decisions on a more granular basis. | Deception |
198 | User | Likelihood ↥ | Phishing | Content | JavaScript | Allow These Sites to Run JavaScript | Deception | ||
199 | User | Likelihood ↧ | Phishing | Content | JavaScript | JavaScript | Do not allow sites to run JavaScript | Yeah, but that does not mean we should break the internet! Instead we should force install an ad-blocker and allow the team member to make these decisions on a more granular basis. | Deception |
200 | User | Impact ↥ | Phishing | Content | Notifications | Notifications | Allow sites to show desktop notifications | This is a complex one for me. It does fall under the basic guidelines for not destroying your team's workflow using security. But, I think desktop notifications are ripe for future phishing attacks (see below). As such, if after surveying my team member base I discover that notifications are not being used I would choose the option "Do not allow notifications." But, if there are team members who do already use notifications I would just do some user-awareness training around the possible threats of notifications and allow them to show/block notifications as they see fit. I choose this over (allowing a team member to configure) because of how convincing I believe these attacks will be. I see desktop notifications as a likely future avenue for phishing and watering-hole attacks. I have not seen examples of this being abused. But, their feature set combined with their platform-native look makes them especially likely to be used in this way. These alerts don't require the website to be open, can play sounds or cause the team member's device to vibrate, stay shown until a team member interacts with them, and run JavaScript or take a team member to a URL when they click on events. This makes them a convincing interface for faking legitimate platform security/anti-virus/etc. alerts. https://developers.google.com/web/fundamentals/engage-and-retain/push-notifications/notification-behaviour | Deception |
201 | User | Impact ↧ | Phishing | Content | Notifications | Notifications | Do not allow sites to show desktop notifications | Deception | |
202 | User | Impact ↥ | Phishing | Content | Outdated Plugins | Allow outdated plugins to be used as normal plugins | Again, Chrome only allows Flash, and it had better be up to date given the serious vulnerabilities in older versions. | Deception | |
203 | User | Impact ↧ | Phishing | Content | Outdated Plugins | Disallow outdated plugins | Again, Chrome only allows Flash, and it had better be up to date given the serious vulnerabilities in older versions. | Deception | |
204 | User | Impact ↧ | Phishing | Content | Plug-ins | Plug-ins | Block all plug-ins | Flash is poison, Flash is dead in 2020! Make sure your team is not using flash based web apps before disabling. (Flash is the only "plugin" that is left in Chrome https://bugs.chromium.org/p/chromium/issues/detail?id=615738) | Deception |
205 | User | Impact ↥ | Phishing | Content | Plug-ins | Plug-ins | Run plug-ins automatically | Flash is poison, Flash is dead in 2020! Make sure your team is not using flash based web apps before disabling. (Flash is the only "plugin" that is left in Chrome https://bugs.chromium.org/p/chromium/issues/detail?id=615738) | Deception |
206 | User | Impact ↥ | Phishing | Content | Plugin Authorization | Always run plugins that require authorization | Flash is such a constantly vulnerable component of the web that I don't want to just allow it in any way. | Deception | |
207 | User | Impact ↧ | Phishing | Content | Plugin Authorization | Ask for user permission before running plugins that require authorization | Follow the guidelines around giving team member a choice to be more secure. It can be inconvenient, but flash is such a constantly vulnerable component of the web that I don't want to just allow it in any way. | Deception | |
208 | User | Impact ↧ | Phishing | User Experience | Form Auto-fill | Never auto-fill forms | Browser autofill phishing/pharming was just trending on the info-sec news circuit. | Deception | |
209 | User | Impact ↧ | Phishing | User Experience | Managed Bookmarks | Managed Bookmarks | This is also a way to ensure that team members have easy access to the websites that will likely be the targets of phishing/pharming attacks. By teaching team members to go to their auto-installed bookmark instead of clicking on any email link you can stop many credential phishing attacks. These will be on every device, so if you are trying to obfuscate the team member's affiliation with those sites you will want to create an obfuscated account. | Deception | |
210 | Device | Impact ↥ | Power Outage | Power & Shutdown | Power Management | Do not allow device to sleep/shut down when idle on the sign-in screen | The device will still draw power while idle. It's not a huge amount. But, if they are dealing with limited power it might be nice to know that their device will conserve power as much as possible. | Obstruction | |
211 | User | Impact ↥ | Spoofed Access Point | Network | Proxy Settings | Always auto detect the proxy | Deception | ||
212 | User | Impact ↧ | Targeted Workplace Raids | Content | Google Drive Syncing | Disable Google Drive syncing | Drive Sync creates a special folder with offline access to documents that syncs back to the Google Drive of the user. Because we are creating travel accounts for these team members you could use this to give the team member a space for storing non-sensitive travel documents that they need. The workflow I am thinking about is the administrator re-enabling the team member's travel account week(s) before their travel. They can then seed their Google Drive travel folder with the non-sensitive documents they want offline access to during their travel. On the day(s) before their travel when they are given their Chromebook it will automatically sync to their device. | Confiscation | |
213 | User | Impact ↥ | Targeted Workplace Raids | Content | Google Drive Syncing | Enable Google Drive syncing | Drive Sync creates a special folder with offline access to documents that syncs back to the Google Drive of the user. Because we are creating travel accounts for these team members you could use this to give the team member a space for storing non-sensitive travel documents that they need. The workflow I am thinking about is the administrator re-enabling the team member's travel account week(s) before their travel. They can then seed their Google Drive travel folder with the non-sensitive documents they want offline access to during their travel. On the day(s) before their travel when they are given their Chromebook it will automatically sync to their device. | Confiscation | |
214 | Device | Impact ↧ | Targeted Workplace Raids | Power & Shutdown | Power Management | Allow device to sleep/shut down when idle on the sign-in screen | This is great for ensuring that devices are secured after a certain point of idleness. But, if you are using ephemeral mode, or team members are relying on offline mode, etc., this can lead to big problems. So, be careful with this one. | Confiscation | |
215 | Device | Impact ↧ | Targeted Workplace Raids | Power & Shutdown | Scheduled Reboot | Number of days before reboot; leave empty for unset | In the future this will be another way to limit the data that is left on team members' devices after they are confiscated, stolen, or lost. It has all the same drawbacks as well. It requires training your team members to expect it and understand why it is in place, making sure it fits with their workflows, and being receptive to changes in its frequency if it does interfere. (Currently, automatic reboots work only when the device is configured to be a Public Session kiosk and when the sign-in screen is being shown. For more information, see How do I schedule a Chrome device to reboot?) | Confiscation | |
216 | User | Impact ↥ | Targeted Workplace Raids | Security | Browser History | Always save browser history | Confiscation | ||
217 | User | Impact ↧ | Targeted Workplace Raids | Security | Browser History | Never save browser history | This might be useful for environments where your search history may be inspected but the entire device does not necessarily need to be wiped upon every logout. But, an empty search history can raise suspicion. | Confiscation | |
218 | User | Impact ↥ | Targeted Workplace Raids | Security | Clear Browser History | Do not allow clearing history in settings menu | Confiscation | ||
219 | User | Impact ↧ | Targeted Workplace Raids | Security | Idle Settings | Action on idle | Logout | This is ideal for environments where wiping the current activity off the device should be quick, automatic, and frequent. | Confiscation
220 | User | Impact ↧ | Targeted Workplace Raids | Security | Idle Settings | Action on lid close | Logout | This is ideal for environments where wiping the current activity off the device should be quick, automatic, and frequent. | Confiscation
221 | User | Impact ↧ | Targeted Workplace Raids | Security | Lock Screen | Do not allow locking screen | This confusingly worded option provides greater security (and inconvenience) when the lock screen is disabled. When the lock screen is not allowed the team member will be logged out entirely in situations where the lock screen would normally have been activated. This is ideal for environments where wiping the current activity off the device should be quick, automatic, and frequent. | Confiscation | |
222 | Device | Impact ↧ | Targeted Workplace Raids | Sign-in Settings | Guest Mode | Allow guest mode | Useful for mid-range threat environments where the team member does not want full ephemeral usage, but does not want to have their recent online behavior tracked between sessions. | Confiscation | |
223 | Device | Impact ↧ | Targeted Workplace Raids | Sign-in Settings | team member Data | Erase all local team member data | This is the ephemeral mode we have been talking about. Deletes all team member state between logins. It also means that any settings and/or configurations that are not hard-coded will have to be re-entered. This is a HUGE pain if the team member is using a lot of apps and does not have a password manager that is pre-configured on the device. | Confiscation | |
224 | Setting | Risk Mod | Threat | Category | Title | Sub Item | Option | Comments | Threat Category |
225 | User | Likelihood ↥ | Topical/Information Censorship | User Experience | DNS Pre-fetching | Always pre-fetch DNS | I have security concerns with pre-fetching that make me lean towards not allowing it, or at most allowing team members to configure it. I don't want my team members' devices requesting the location of sites that they have not actually requested. In places with passive monitoring, where sites they have accessed might be used against my team members, I want to make sure they are not being connected to sites through their DNS queries that they may never have actually requested content from. The evidence that is collected in these types of incidents will be minimal. With HTTPS, the costs of storing wide-scale passive traffic captures, etc., it will be hard to disprove a case built just on DNS. | Legal | |
226 | User | Likelihood ↧ | Topical/Information Censorship | User Experience | DNS Pre-fetching | Never pre-fetch DNS | I have security concerns with pre-fetching that make me lean towards not allowing it, or at most allowing team members to configure it. I don't want my team members' devices requesting the location of sites that they have not actually requested. In places with passive monitoring, where sites they have accessed might be used against my team members, I want to make sure they are not being connected to sites through their DNS queries that they may never have actually requested content from. The evidence that is collected in these types of incidents will be minimal. With HTTPS, the costs of storing wide-scale passive traffic captures, etc., it will be hard to disprove a case built just on DNS. | Legal | |
227 | User | Likelihood ↥ | Traveler Circumvent Mitigations | Content | Cast | Do not allow team members to Cast | Insider Threat | ||
228 | User | Likelihood ↥ | Traveler Circumvent Mitigations | Content | Cookies | Allow Cookies for URL Patterns | Insider Threat | ||
229 | User | Likelihood ↥ | Traveler Circumvent Mitigations | Content | Cookies | Allow Session-Only Cookies for URL Patterns | Insider Threat | ||
230 | User | Likelihood ↥ | Traveler Circumvent Mitigations | Content | Cookies | Default Cookie Setting | Keep cookies for the duration of the session | Insider Threat | |
231 | User | Likelihood ↥ | Traveler Circumvent Mitigations | Content | Cookies | Default Cookie Setting | Never allow sites to set cookies | Insider Threat | |
232 | User | Likelihood ↥ | Traveler Circumvent Mitigations | Content | Google Drive Syncing | Disable Google Drive syncing | Drive Sync creates a special folder with offline access to documents that syncs back to the Google Drive of the user. Because we are creating travel accounts for these team members you could use this to give the team member a space for storing non-sensitive travel documents that they need. The workflow I am thinking about is the administrator re-enabling the team member's travel account week(s) before their travel. They can then seed their Google Drive travel folder with the non-sensitive documents they want offline access to during their travel. On the day(s) before their travel when they are given their Chromebook it will automatically sync to their device. | Insider Threat | |
233 | User | Likelihood ↧ | Traveler Circumvent Mitigations | Content | Google Drive Syncing | Enable Google Drive syncing | Drive Sync creates a special folder with offline access to documents that syncs back to the Google Drive of the user. Because we are creating travel accounts for these team members you could use this to give the team member a space for storing non-sensitive travel documents that they need. The workflow I am thinking about is the administrator re-enabling the team member's travel account week(s) before their travel. They can then seed their Google Drive travel folder with the non-sensitive documents they want offline access to during their travel. On the day(s) before their travel when they are given their Chromebook it will automatically sync to their device. | Insider Threat | |
234 | User | Likelihood ↥ | Traveler Circumvent Mitigations | Content | Images | Images | Do not show images | This is not relevant for security purposes and would cause any normal team member to be furious. | Insider Threat |
235 | User | Likelihood ↥ | Traveler Circumvent Mitigations | Content | JavaScript | Allow These Sites to Run JavaScript | Insider Threat | ||
236 | User | Likelihood ↥ | Traveler Circumvent Mitigations | Content | JavaScript | JavaScript | Do not allow sites to run JavaScript | Insider Threat | |
237 | User | Likelihood ↥ | Traveler Circumvent Mitigations | Content | Notifications | Notifications | Always ask the team member if a site can show desktop notifications | Because of the "exhausted traveler 'just work!' problem" I think that the initial acceptance of a phishing website's request to show notifications will be hard to stop. After this the attacker can then send the notification-based phishing attack at a later point. | Insider Threat
238 | User | Likelihood ↥ | Traveler Circumvent Mitigations | Content | Notifications | Notifications | Do not allow sites to show desktop notifications | It does fall under the basic guidelines for not destroying your team's workflow using security. | Insider Threat |
239 | User | Likelihood ↥ | Traveler Circumvent Mitigations | Content | Outdated Plugins | Disallow outdated plugins | Again, Chrome only allows Flash, and it had better be up to date given the serious vulnerabilities in older versions. | Insider Threat | |
240 | User | Likelihood ↥ | Traveler Circumvent Mitigations | Content | Plug-ins | Plug-ins | Block all plug-ins | Flash is poison, Flash is dead in 2020! Make sure your team is not using flash based web apps before disabling. (Flash is the only "plugin" that is left in Chrome https://bugs.chromium.org/p/chromium/issues/detail?id=615738) | Insider Threat |
241 | User | Likelihood ↥ | Traveler Circumvent Mitigations | Content | Pop-ups | Pop-ups | Block all pop-ups | Another whitelist with all the whitelist problems. But, popups are SO prevalent that this is even worse than most. Another place where blocking, even though these are commonly used maliciously, can be a huge inconvenience for the user. The few legitimate sites where popups are a required part of the workflow should still be supported. (i.e. financial sites, government sites, and all the other places that lag behind best practice due to onerous compliance regulations.) | Insider Threat |
242 | User | Likelihood ↥ | Traveler Circumvent Mitigations | Content | Safe Search and Restricted Mode | Google Safe Search for Google Web Search queries | Always use Safe Search for Google Web Search queries | All "Safe Search" does is filter explicit or pornographic images. Not relevant to our security model. And, if it gets in the way of research and/or personal device usage when traveling the team member is going to find a way to circumvent it. | Insider Threat
243 | User | Likelihood ↥ | Traveler Circumvent Mitigations | Content | Safe Search and Restricted Mode | Restricted Mode for YouTube | Enforce at least Moderate Restricted Mode on YouTube | Same as Safe Search, but for YouTube videos. Not relevant and possibly leads to circumvention. | Insider Threat
244 | User | Likelihood ↥ | Traveler Circumvent Mitigations | Content | Safe Search and Restricted Mode | Restricted Mode for YouTube | Enforce Strict Restricted Mode for YouTube | Same as Safe Search, but for YouTube videos. Not relevant and possibly leads to circumvention. | Insider Threat
245 | User | Likelihood ↥ | Traveler Circumvent Mitigations | Content | Screenshot | Disable screenshot | I see no reason to disable screenshots, especially if team members are conducting research, etc. where they may need screenshots of websites or temporary communications they have on the Chromebook. | Insider Threat | |
246 | Device | Likelihood ↥ | Traveler Circumvent Mitigations | Device Update Settings | Auto Update Settings | Auto reboot after updates | Allow auto-reboots | This can be really annoying if you have devices set to be ephemeral and a team member is in a long stretch of having their device on to work on something and all of a sudden it is reset and all their local data and credentials are wiped. In this case it might make sense to have those team members on non-ephemeral devices, or to work with them on better workflows that support both ephemeral devices and long-term editing. But, either way it can be annoying. | Insider Threat
247 | Device | Likelihood ↧ | Traveler Circumvent Mitigations | Device Update Settings | Release Channel | Allow user to configure | The travel accounts should be on stable or configure by default. Don't put team members on unstable platforms. They will end up having to use other devices that work. | Insider Threat | |
248 | Device | Likelihood ↧ | Traveler Circumvent Mitigations | Device Update Settings | Release Channel | Move to Beta Channel | Admins should have some devices here to test apps. Team members with unique app/workflow needs should also be able to *test* apps here if they want to. But, the travel accounts should be on stable or configure by default. | Insider Threat | |
249 | Device | Likelihood ↧ | Traveler Circumvent Mitigations | Device Update Settings | Release Channel | Move to Development Channel | Admins should have some devices here to test apps. Team members with unique app/workflow needs should also be able to *test* apps here if they want to. But, the travel accounts should be on stable or configure by default. | Insider Threat | |
250 | Device | Likelihood ↧ | Traveler Circumvent Mitigations | Enrollment & Access | Forced Re-enrollment | Force device to re-enroll into this domain after wiping | This will allow you to enforce specific devices for specific types of domains. If a team member tries to reset their device to use it with a regular account this will not work. | Insider Threat | |
251 | Device | Likelihood ↥ | Traveler Circumvent Mitigations | Enrollment & Access | Verified Access | Enable for Content Protection | Ahhh, built-in copyright protections. I don't care about you at all for this context. But, possibly in the future your team members will want to buy protected media from YouTube or others that use this. Who knows. | Insider Threat | |
252 | Device | Likelihood ↥ | Traveler Circumvent Mitigations | Enrollment & Access | Verified Access | Enable for Enterprise Extensions | With this, team members lose the ability to connect to these services from their other devices. If a team member has a workflow that requires that they access services from other devices you need to find a way to make it work or they will circumvent the systems that are in place. | Insider Threat | |
253 | User | Likelihood ↥ | Traveler Circumvent Mitigations | Hardware | Audio Input | Disable audio input | I gotta give Google's Chrome team some serious props for this one. When disabled, this won't allow any websites or applications to use the internal microphone. While surveillance-focused folks like myself would really like a hardware-based switch for audio and video on our personal devices, this is a powerful tool for providing wide-scale assurances that none of your staff have installed apps that are secretly listening in. In the long term I would move towards this with high-risk teams. But, you will have to get them all small headsets/microphones and ensure that they remember to take them with them when they travel. This could be a huge impediment to their work if they can't use their "secured travel device" to conduct sensitive calls and/or video chats. AV is always the worst. So, for teams I would start with it enabled, and then once you have made sure you can build adoption of the practices (and bought everyone nice travel headsets) you can move to disabling it. | Insider Threat | |
254 | User | Likelihood ↥ | Traveler Circumvent Mitigations | Hardware | Audio Output | Disable audio output | Insider Threat | ||
255 | User | Likelihood ↥ | Traveler Circumvent Mitigations | Hardware | External Storage devices | Allow external storage devices (read only) | Don't break core functionality for security reasons. | Insider Threat | |
256 | User | Likelihood ↥ | Traveler Circumvent Mitigations | Hardware | External Storage devices | Disallow external storage devices | Don't break core functionality for security reasons. | Insider Threat | |
257 | User | Likelihood ↥ | Traveler Circumvent Mitigations | Hardware | Video Input | Disable video input | This makes me happy from a privacy perspective (except that you have to disable hangouts separately). But, the inability to whitelist anything except google hangouts could lead to it getting in the way of staff conducting their work. If you are only using google hangouts for video communications within your org, and among the possible partners your team will have to communicate with while traveling this could be a way to ensure that video based surveillance by apps cannot occur. The same considerations mentioned about the use of ephemeral devices still apply. | Insider Threat | |
258 | User | Likelihood ↥ | Traveler Circumvent Mitigations | Network | Proxy Settings | Always use the proxy auto-config specified below | Proxies can be maddening for team members in already low-connectivity areas. They are likely to turn to other devices they have to get their work done if their Chromebook is too slow because of a proxy. There are other ways of protecting traffic than an always-on proxy. | Insider Threat | |
259 | User | Likelihood ↥ | Traveler Circumvent Mitigations | Network | Proxy Settings | Always use the proxy specified below | Proxies can be maddening for team members in already low-connectivity areas. They are likely to turn to other devices they have to get their work done if their Chromebook is too slow because of a proxy. There are other ways of protecting traffic than an always-on proxy. | Insider Threat | |
260 | User | Likelihood ↥ | Traveler Circumvent Mitigations | Omnibox Search Provider | Omnibox Search Provider | Lock the Omnibox Search Provider settings to the values below | By choosing a search provider that is not liked by your team members (for functionality or privacy reasons) you will have just crippled the omnibox, forcing them into an alternative workflow to use a search they like. Remember, the omnibox is a convenience feature. A team member can go to whatever search engine they would like, just not from the omnibox. | Insider Threat | |
261 | User | Likelihood ↥ | Traveler Circumvent Mitigations | Omnibox Search Provider | Search Suggest | Never allow team members to use Search Suggest | Insider Threat | ||
262 | Device | Likelihood ↥ | Traveler Circumvent Mitigations | Power & Shutdown | Power Management | Allow device to sleep/shut down when idle on the sign-in screen | This is great for ensuring that devices are secured after a certain point of idleness. But, if you are using ephemeral mode, or team members are relying on offline mode, etc., this can lead to big problems. So, be careful with this one. | Insider Threat | |
263 | Device | Likelihood ↥ | Traveler Circumvent Mitigations | Power & Shutdown | Scheduled Reboot | Number of days before reboot; leave empty for unset | In the future this will be another way to limit the data that is left on team members' devices after they are confiscated, stolen, or lost. It has all the same drawbacks as well. It requires training your team members to expect it and understand why it is in place, making sure it fits with their workflows, and being receptive to changes in its frequency if it does interfere. (Currently, automatic reboots work only when the device is configured to be a Public Session kiosk and when the sign-in screen is being shown. For more information, see How do I schedule a Chrome device to reboot?) | Insider Threat | |
264 | User | Likelihood ↥ | Traveler Circumvent Mitigations | Printing | Printing | Disable printing | Don't destroy a team member's ability to use the device to get the work done! | Insider Threat | |
265 | User | Likelihood ↧ | Traveler Circumvent Mitigations | Security | Geolocation | Allow sites to detect team members' geolocation | Insider Threat | ||
266 | User | Likelihood ↥ | Traveler Circumvent Mitigations | Security | Geolocation | Allow user to configure | This is *unintentional* circumvention in many cases. Giving a team member a one-click ability to enable geolocation saps them of the ability to make choices about which future apps and sites should have geolocation access. But, these types of one-click decisions are often the choice that is made by a frustrated, jet-lagged, and stressed team member that is attempting to get their applications working more easily. | Insider Threat | |
267 | User | Likelihood ↧ | Traveler Circumvent Mitigations | Security | Geolocation | Always ask the team member if a site wants to detect their geolocation | This might be annoying to some travelers. But, the tradeoff is important. Proper security awareness training around why this matters should be available for those who find it difficult. Having your team members trust that you will be receptive to their difficulties enough to reach out to tell you that this is difficult is critical for seemingly small things, like geolocation, that actually can have significant security implications because of the information they leak. | Insider Threat | |
268 | User | Likelihood ↥ | Traveler Circumvent Mitigations | Security | Geolocation | Do not allow sites to detect team members' geolocation | Geolocation is included in many websites because it is incredibly convenient. Disabling it entirely will likely encourage team members to circumvent this inconvenience by using other geolocation-enabled devices for apps and sites that benefit from geolocation (i.e. direction and map apps). | Insider Threat | |
269 | User | Likelihood ↥ | Traveler Circumvent Mitigations | Security | Idle Settings | Idle time in minutes (leave empty for system default) | When searching for common complaints about Chromebooks the short time until the system idles is a very common complaint. Adding a base idle time will ensure your team members have a consistent experience across devices (idle time varies by device). But, making this too short will be counterproductive. Building security awareness to the level that you are confident that team members are locking the screen when they walk away from their computer will be a more valuable intervention and less likely to push a team member to find ways to circumvent the security (e.g. using personal devices). | Insider Threat | |
270 | User | Likelihood ↥ | Traveler Circumvent Mitigations | Security | Lock Screen | Do not allow locking screen | Having all the applications and windows one had open wiped every time they have to walk away from their computer can become frustrating very quickly. As such, this option should be saved for specific higher-risk environments. | ||
271 | User | Likelihood ↥ | Traveler Circumvent Mitigations | Security | Malicious Sites | Prevent team member from proceeding anyway to malicious sites | Insider Threat | ||
272 | User | Likelihood ↥ | Traveler Circumvent Mitigations | Session Settings | Show Logout Button in Tray | Does not show logout button in tray | Insider Threat | ||
273 | User | Likelihood ↧ | Traveler Circumvent Mitigations | Session Settings | Show Logout Button in Tray | Show logout button in tray | Make it easy for team members to follow the appropriate logout practices. | Insider Threat | |
274 | Device | Likelihood ↥ | Traveler Circumvent Mitigations | Sign-in Settings | Accessibility Control | Turn off accessibility settings on sign-in screen upon logout | Don't be evil. If a team member needs accessibility settings have them be saved between logins. You can always hard reset the device when you get it back to remove this. But, don't force the team member to keep reconfiguring their accessibility controls. | Insider Threat | |
275 | Device | Likelihood ↥ | Traveler Circumvent Mitigations | Sign-in Settings | Guest Mode | Do not allow guest mode | Not providing a way for the team member to browse in an ephemeral manner makes it harder for them to make strategic decisions about when to save history. If they need to make these decisions it takes much greater knowledge about where that history is saved to clear it out without modes like this. | Insider Threat | |
276 | Device | Likelihood ↧ | Traveler Circumvent Mitigations | Sign-in Settings | Guest Mode | Do not allow guest mode | With a guest mode team members will be presented with a device that does not contain any of the other security measures we have in place on team member accounts. With proper training on how to safely and anonymously use their devices and then remove the trail of data from that use they can have the best of both worlds. | Insider Threat | |
277 | Device | Likelihood ↥ | Traveler Circumvent Mitigations | Sign-in Settings | Sign-in Keyboard | [All the Keyboards] | Useful if all your team members use a non-English keyboard layout (English is the default). | Insider Threat | |
278 | Device | Likelihood ↥ | Traveler Circumvent Mitigations | Sign-in Settings | Sign-in Language | [All the Languages] | Useful if all your team members use a non-English language (English is the default). | Insider Threat | |
279 | Device | Likelihood ↥ | Traveler Circumvent Mitigations | Sign-in Settings | Sign-in Restriction | comma-delimited list of usernames | If accounts other than the sub-org accounts can access the device, team members might log in with their personal accounts. | Insider Threat | |
280 | Device | Likelihood ↧ | Traveler Circumvent Mitigations | Sign-in Settings | Sign-in Restriction | comma-delimited list of usernames | If accounts other than the sub-org accounts can access the device it might hurt other claims of inability to access, even though it does not actually indicate that you can access sensitive accounts, just that you can access OTHER accounts on this device. | Insider Threat | |
281 | Device | Likelihood ↥ | Traveler Circumvent Mitigations | Sign-in Settings | Sign-in Restriction | Do not allow any users to Sign-in | If a team member cannot log in to their (sanitized) personal accounts when needed it can lead to issues. | Insider Threat | |
282 | Device | Likelihood ↥ | Traveler Circumvent Mitigations | Sign-in Settings | Single Sign-On Cookie Behavior | Disable transfer of SAML SSO Cookies into team member session during login | It can be annoying to have to log into multiple services each time you log in. | Insider Threat | |
283 | Device | Likelihood ↧ | Traveler Circumvent Mitigations | Sign-in Settings | Single Sign-On Cookie Behavior | Enable transfer of SAML SSO Cookies into team member session during login | It can be annoying to have to log into multiple services each time you log in. | Insider Threat | |
284 | Device | Likelihood ↧ | Traveler Circumvent Mitigations | Sign-in Settings | team member Data | Do not erase all local team member data | This is the opposite of the ephemeral mode we have been talking about. And for good reason. It does not delete all team member state between logins. This way any settings and/or configurations do not have to be re-entered every login. This is a lot less of a pain than the other option. | Insider Threat | |
285 | Device | Likelihood ↥ | Traveler Circumvent Mitigations | Sign-in Settings | team member Data | Erase all local team member data | This is the ephemeral mode we have been talking about. Deletes all team member state between logins. It also means that any settings and/or configurations that are not hard-coded will have to be re-entered. This is a HUGE pain if the team member is using a lot of apps and does not have a password manager that is pre-configured on the device. | Insider Threat | |
286 | Device | Impact ↧ | Traveler Circumvent Mitigations | User & Device Reporting | Device Reporting | Device State Reporting | Enable device state reporting | Allows you to keep track of the status of your devices. Most importantly, it lets you see if one of your team members' devices has had its boot mode changed (e.g. into developer mode, which is one of the ways to compromise a Chromebook). By monitoring this you can quickly identify possibly malicious behavior, alert the user and, if they meant to change modes for some reason, make sure that you can support that greater access in the future. | Insider Threat |
287 | Device | Likelihood ↧ | Traveler Circumvent Mitigations | User & Device Reporting | Device Reporting | Device User Tracking | Enable tracking recent device users | Allows you to track which users have signed in to a device. This is a great way to build up an understanding of login needs early on, before you have locked personal accounts out of devices: you can use this information to survey team members who logged in with their personal accounts about what they needed those accounts for, and then figure out what kind of personal account support is needed. Note: users will not be tracked if the device is configured to erase all local user data. | Insider Threat |
288 | Device | Impact ↧ | Traveler Circumvent Mitigations | User & Device Reporting | Inactive Device Notifications | Inactive Device Notification Reports | Enable inactive device notifications | Helps your admin keep track of devices that are not in use. This is a way to identify whether a team member is likely circumventing the device's controls by using another device, whether that team member may be in trouble (as indicated by their ceasing all work), whether a device has been stolen, or whether there has been an internet shutdown. (Impact is used here to indicate that by identifying one of these states earlier than you otherwise would, you can react to it.) | Insider Threat |
289 | User | Likelihood ↥ | Traveler Circumvent Mitigations | User Experience | Bookmark Bar | Disable bookmark bar | There is no security reason to disable this. | Insider Threat | |
290 | User | Likelihood ↥ | Traveler Circumvent Mitigations | User Experience | Bookmark Bar | Enable bookmark bar | Chromebooks already have small screens. I would let the team member configure their bookmark bar as they wish. Consider options other than this one for the visibility of "proof of inaccess". | Insider Threat | |
291 | User | Likelihood ↥ | Traveler Circumvent Mitigations | User Experience | Bookmark Editing | Disable bookmark editing | Don't get in the way of the team member's workflow. Just make sure that they have the proper information-security awareness to understand what they might be revealing if their device gets confiscated with custom bookmarks. | Insider Threat | |
292 | User | Likelihood ↥ | Traveler Circumvent Mitigations | User Experience | Developer Tools | Never allow use of built-in developer tools | Don't disempower team members for no reason. | Insider Threat | |
293 | User | Likelihood ↥ | Traveler Circumvent Mitigations | User Experience | Download Location | Force Google Drive | We don't want forced online storage. It is likely to lead to unintentional/unknowing persistence of data within the travel account's Google Drive, especially in more ephemeral-focused setups. | Insider Threat | |
294 | User | Likelihood ↥ | Traveler Circumvent Mitigations | User Experience | Download Location | Local Downloads folder, but allow team member to change | By defaulting to the local Downloads folder we avoid unintentional/unknowing persistence of data within the travel account's Google Drive. This matters most in more ephemeral-focused setups, where local files are wiped with the session but Drive contents are not. | Insider Threat | |
295 | User | Likelihood ↥ | Traveler Circumvent Mitigations | User Experience | Download Location | Set Google Drive as default, but allow team member to change | Defaulting to Google Drive makes unintentional/unknowing persistence of data within the travel account's Google Drive likely, even though the team member can change it, since most will never touch the default. This is especially true in more ephemeral-focused setups. | Insider Threat | |
296 | User | Likelihood ↥ | Traveler Circumvent Mitigations | User Experience | Form Auto-fill | Never auto-fill forms | See all the previous comments about giving team members the power to increase their security without breaking their workflow. | Insider Threat | |
297 | User | Likelihood ↥ | Traveler Circumvent Mitigations | User Experience | Google Translate | Never offer translation | Don't break all the useful things on the internet. | Insider Threat | |
298 | User | Likelihood ↧ | Traveler Circumvent Mitigations | User Experience | Multiple Sign-in Access | Block multiple sign-in access for users in this organization | | Insider Threat | |
299 | User | Likelihood ↥ | Traveler Circumvent Mitigations | User Experience | Multiple Sign-in Access | Managed user must be the primary user (secondary users are allowed) | I also have concerns about team members signing in to their personal account and forgetting that their primary account is logged in. As such, my instinct would be to disable multiple sign-in and force the device to be a single-user device. This will require supporting some level of personal account access, forwarding, and/or support on the travel devices: you can't expect a team member to have no access to their personal accounts when traveling. | Insider Threat | |
300 | User | Likelihood ↥ | Traveler Circumvent Mitigations | User Experience | Multiple Sign-in Access | Unrestricted user access (allow any user to be added to any other user's session) | I also have concerns about team members signing in to their personal account and forgetting that their primary account is logged in. As such, my instinct would be to disable multiple sign-in and force the device to be a single-user device. This will require supporting some level of personal account access, forwarding, and/or support on the travel devices: you can't expect a team member to have no access to their personal accounts when traveling. | Insider Threat | |
301 | User | Likelihood ↥ | Traveler Circumvent Mitigations | Verified Access | Verified Access | Enable for Enterprise Extensions | Verified Access lets a service confirm that a request comes from an enrolled Chrome device in verified boot mode, so with this enabled team members lose the ability to connect to those services from their other devices. If a team member has a workflow that REQUIRES access to those services from other devices, you need to find a way to make it work or they will circumvent the systems that are in place. | Insider Threat | |
302 | User | Likelihood ↥ | Traveler Detained | Apps and Extensions | Pinned Apps and Extensions | Manage pinned apps | Pinning apps makes them easier to use but also more visible during a casual search by a border official. It is worth considering this trade-off when pinning apps that might raise an official's suspicions if the device is casually examined. | Detained | |
303 | User | Impact ↥ | Traveler Detained | Security | Clear Browser History | Allow clearing history in settings menu | The laws around the destruction of evidence differ by country. A rough assessment of the legal risks associated with team members clearing their history, using incognito mode, and/or using ephemeral mode should be done in the early phases of exploring how to deal with data retention/destruction during travel. | Detained | |
304 | Device | Impact ↥ | Traveler Detained | Sign-in Settings | Autocomplete Domain | Use the domain name, set below, for autocomplete at sign in | If the domain used for travel accounts matches the domain of the organization, and the organizational affiliation can be an issue for the traveler, this forces identification upon casual inspection of the device. ("domain shown" + "not welcome" + affiliation "unknown" + "domains =") = forced identification upon casual inspection, which is bad. ("domain shown" + "not welcome" + affiliation "known" + "domains =") = no impact. | Detained | |
305 | Device | Impact ↧ | Traveler Detained | Sign-in Settings | Sign-in Restriction | comma-delimited list of usernames | If travel sub-organizations use a different domain, this can be used to limit the ability to force the team member to log in to their primary account at their organization while traveling. (Requires that only authorized devices can log in to your organization and that the traveler did not bring along any other authorized devices.) | Detained | |
306 | Device | Impact ↧ | Traveler Detained | Sign-in Settings | Sign-in Restriction | Restrict Sign-in to list of users: | If travel sub-organizations use a different domain, this can be used to limit the ability to force the team member to log in to their primary account at their organization while traveling. (Requires that only authorized devices can log in to your organization and that the traveler did not bring along any other authorized devices.) | Detained | |
307 | Device | Impact ↥ | Traveler Detained | Sign-in Settings | Single Sign-On IdP Redirection | Allow users to go directly to SAML SSO IdP page | With this option the device goes straight to your organization's SAML IdP page. If your SAML IdP page exposes organizational information, the other option (taking users to the Google sign-in page first, so they enter their email address before being redirected) adds a small barrier between opening the device and exposing that information. Security Assertion Markup Language (SAML) Single Sign-On (SSO) support for Chrome devices allows team members to sign in to a Chrome device with the same authentication mechanisms that you use within the rest of your organization; their passwords can remain within your organization's Identity Provider (IdP). | Detained | |
308 | Device | Impact ↧ | Traveler Detained | User & Device Reporting | Inactive Device Notifications | Inactive Device Notification Reports | Enable inactive device notifications | Helps your admin keep track of devices that are not in use. This is a way to identify whether a team member is likely circumventing the device's controls by using another device, whether that team member may be in trouble (as indicated by their ceasing all work), whether a device has been stolen, or whether there has been an internet shutdown. (Impact is used here to indicate that by identifying one of these states earlier than you otherwise would, you can react to it.) | Detained |
309 | Device | Likelihood ↧ | Traveler Mislead/Lie to Border Officials | Enrollment & Access | Disabled device return instructions | Custom text to display | This can be used to show strict "proof of inaccess" when a team member is traveling: the device is remotely disabled for the crossing and shows only this text. Only do this if the team member will not need their device while traveling. It also requires a pre-determined process for re-enabling the team member's device once they have arrived at their destination. | Legal | |
310 | Device | Likelihood ↥ | Traveler Mislead/Lie to Border Officials | Sign-in Settings | Autocomplete Domain | Use the domain name, set below, for autocomplete at sign in | If the domain used for travel accounts has no website or online presence and is attempting to hide the affiliation of the team member (this is a whole other can of worms that I'm not getting into), then this can open up the same "hiding identity" risks. ("domain shown" + "not welcome" + "no online presence for domain" + "domains !=") = "they are 'hiding their identity', which proves they are up to no good" [bad] | Legal | |
311 | Device | Impact ↥ | Traveler Mislead/Lie to Border Officials | Sign-in Settings | Autocomplete Domain | Use the domain name, set below, for autocomplete at sign in | If the domain used for travel accounts has no website or online presence and is attempting to hide the affiliation of the team member (this is a whole other can of worms that I'm not getting into), then this can open up the same "hiding identity" risks. ("domain shown" + "not welcome" + "no online presence for domain" + "domains !=") = "they are 'hiding their identity', which proves they are up to no good" [bad] | Legal | |
312 | Device | Impact ↧ | Traveler Mislead/Lie to Border Officials | Sign-in Settings | Sign-in Restriction | comma-delimited list of usernames | If travel sub-organizations use a different domain, this can be used to limit the ability to force the team member to log in to their primary account at their organization while traveling. (Requires that only authorized devices can log in to your organization and that the traveler did not bring along any other authorized devices.) | Legal | |
313 | Device | Impact ↧ | Traveler Mislead/Lie to Border Officials | Sign-in Settings | Sign-in Restriction | Restrict Sign-in to list of users: | If travel sub-organizations use a different domain, this can be used to limit the ability to force the team member to log in to their primary account at their organization while traveling. (Requires that only authorized devices can log in to your organization and that the traveler did not bring along any other authorized devices.) | Legal | |
314 | User | Likelihood ↧ | Traveler Perceived to be Misleading/Lying to Border Officials | Chrome Web Store | Chrome Web Store Homepage | Which private apps should be included in the collection? | I will choose which private apps and extensions to include. | Private apps can be used to create organization specific web applications for a variety of purposes. You could, for instance, use it to add a pinned web app that links to the travel policy. This would be another way of ensuring that a team member who is forced to unlock and provide their device to easily show "proof of inaccess." | Legal |
315 | User | Likelihood ↧ | Traveler Perceived to be Misleading/Lying to Border Officials | Content | Client Certificates | Automatically Select Client Certificate for These Sites - If a site matching a pattern below requests a client certificate, Chrome will automatically select one for it. | Using client certificates for primary accounts means that a team member legitimately cannot access those primary accounts from their travel device. Of course, this requires clear and absolutist language in the border-guard facing documentation to make that clear. | Legal | |
316 | Device | Likelihood ↧ | Traveler Perceived to be Misleading/Lying to Border Officials | Enrollment & Access | Disabled device return instructions | Custom text to display | This can be used to show strict "proof of inaccess" when a team member is traveling: the device is remotely disabled for the crossing and shows only this text. Only do this if the team member will not need their device while traveling. It also requires a pre-determined process for re-enabling the team member's device once they have arrived at their destination. | Legal | |
317 | User | Likelihood ↧ | Traveler Perceived to be Misleading/Lying to Border Officials | General | Avatar | Upload Avatar File | Custom Avatar is one of the ways to provide a "managed" indicator to help your staff prove that they are not able to access personal & sensitive content | Legal | |
318 | User | Likelihood ↧ | Traveler Perceived to be Misleading/Lying to Border Officials | General | Wallpaper | Upload Wallpaper File | Can be set to the travel policy // rules. Make this look like the overbearing IT / security team to make it clear to border officials that the team member is not in control of their account. Especially useful if the "restrictions" are very clearly laid out so the border control can understand in seconds that this is a waste of their time and beyond the control of the individual. | Legal | |
319 | Device | Likelihood ↥ | Traveler Perceived to be Misleading/Lying to Border Officials | Sign-in Settings | Autocomplete Domain | Use the domain name, set below, for autocomplete at sign in | If the domain used for travel accounts does not match the domain of the organization, and the organizational affiliation can be an issue for the traveler, this shows the alternate affiliation upon casual inspection of the device. If the border official already knows the real affiliation, or the traveler needs to show affiliation, this can cause issues. ("domain shown" + "not welcome" + "known" + "domains !=") = "they are 'hiding their identity', which proves they are up to no good" [bad]. ("domain shown" + "not welcome" + "unknown" + "domains !=") = does not expose team member affiliation upon casual inspection. | Legal | |
320 | Device | Impact ↥ | Traveler Perceived to be Misleading/Lying to Border Officials | Sign-in Settings | Autocomplete Domain | Use the domain name, set below, for autocomplete at sign in | If the domain used for travel accounts does not match the domain of the organization, and the organizational affiliation can be an issue for the traveler, this shows the alternate affiliation upon casual inspection of the device. If the border official already knows the real affiliation, or the traveler needs to show affiliation, this can cause issues. ("domain shown" + "not welcome" + "known" + "domains !=") = "they are 'hiding their identity', which proves they are up to no good" [bad]. ("domain shown" + "not welcome" + "unknown" + "domains !=") = does not expose team member affiliation upon casual inspection. | Legal | |
321 | Device | Impact ↧ | Traveler Perceived to be Misleading/Lying to Border Officials | Sign-in Settings | Sign-in Restriction | comma-delimited list of usernames | If travel sub-organizations use a different domain, this can be used to limit the ability to force the team member to log in to their primary account at their organization while traveling. (Requires that only authorized devices can log in to your organization and that the traveler did not bring along any other authorized devices.) | Legal | |
322 | Device | Impact ↧ | Traveler Perceived to be Misleading/Lying to Border Officials | Sign-in Settings | Sign-in Restriction | Restrict Sign-in to list of users: | If travel sub-organizations use a different domain, this can be used to limit the ability to force the team member to log in to their primary account at their organization while traveling. (Requires that only authorized devices can log in to your organization and that the traveler did not bring along any other authorized devices.) | Legal | |
323 | Device | Likelihood ↥ | Traveler Perceived to be Misleading/Lying to Border Officials | Sign-in Settings | Single Sign-On IdP Redirection | Allow users to go directly to SAML SSO IdP page | With this option the device goes straight to your organization's SAML IdP page. If your SAML IdP page exposes organizational information, the other option (taking users to the Google sign-in page first, so they enter their email address before being redirected) adds a small barrier between opening the device and exposing that information. Security Assertion Markup Language (SAML) Single Sign-On (SSO) support for Chrome devices allows team members to sign in to a Chrome device with the same authentication mechanisms that you use within the rest of your organization; their passwords can remain within your organization's Identity Provider (IdP). | Legal | |
324 | Device | Impact ↥ | Traveler Perceived to be Misleading/Lying to Border Officials | Sign-in Settings | Single Sign-On IdP Redirection | Allow users to go directly to SAML SSO IdP page | With this option the device goes straight to your organization's SAML IdP page. If your SAML IdP page exposes organizational information, the other option (taking users to the Google sign-in page first, so they enter their email address before being redirected) adds a small barrier between opening the device and exposing that information. Security Assertion Markup Language (SAML) Single Sign-On (SSO) support for Chrome devices allows team members to sign in to a Chrome device with the same authentication mechanisms that you use within the rest of your organization; their passwords can remain within your organization's Identity Provider (IdP). | Legal | |
325 | User | Likelihood ↧ | Traveler Perceived to be Misleading/Lying to Border Officials | Startup | Home Button | Always show 'Home' button | This, when combined with a default homepage containing the "device usage rules" and proper team member training, can be another mechanism for a team member to provide "proof of inaccess". Once they have been forced to log in or hand over their password they can simply tell the border guard to click the Home button to see IT's policy and prove that they don't have access. | Legal | |
326 | User | Likelihood ↧ | Traveler Perceived to be Misleading/Lying to Border Officials | Startup | Homepage | Homepage is always the Homepage URL, set below | This has to be set for the "always show home button" option in [Startup > Home Button] to work. | Legal | |
327 | User | Likelihood ↥ | Traveler Perceived to be Misleading/Lying to Border Officials | Startup | Homepage | Homepage is always the new tab page | With this option the Home button only opens the new tab page, so the "always show home button" option in [Startup > Home Button] cannot serve the "proof of inaccess" purpose described there. | Legal | |
328 | User | Likelihood ↧ | Traveler Perceived to be Misleading/Lying to Border Officials | Startup | Pages to Load on Startup | Pages to Load on Startup | For even more forceful proof of inaccess the IT policies could be put in a page to load on startup. This would mean that a border guard who was just provided the login credentials would still immediately encounter the IT Policies. | Legal | |
329 | User | Likelihood ↧ | Traveler Perceived to be Misleading/Lying to Border Officials | Startup | Pages to Load on Startup | Pages to Load on Startup | Legal | ||
330 | User | Likelihood ↧ | Traveler Perceived to be Misleading/Lying to Border Officials | User Experience | Managed Bookmarks | Managed Bookmarks | Managed bookmarks is another way for a Traveler to provide "proof of inaccess" without having every interface on their device covered in warnings. They can simply tell the border guard to look at the travel device policy in their bookmarks. | Legal | |
331 | User | Likelihood ↧ | Traveler Perceived to be Misleading/Lying to Border Officials | User Experience | Managed Bookmarks | Managed Bookmarks Folder Name | For proof of inaccess it could be valuable to name this something official. | Legal | |
332 | User | Likelihood ↧ | Traveler Perceived to be Misleading/Lying to Border Officials | User Experience | Multiple Sign-in Access | Block multiple sign-in access for users in this organization | Multiple accounts logged in on a device raise questions about the legitimacy of the "proof of inaccess" a user provides. | Legal | |
333 | User | Likelihood ↥ | Traveler/Partner Association Regulated | Apps and Extensions | Pinned Apps and Extensions | Manage pinned apps | See the "Appropriate Organizational Identifiers" mitigation regarding an organizationally identifying Private apps. (i.e. Apps that link to organizational login portals, etc.) | Legal | |
334 | User | Likelihood ↧ | Traveler/Partner Association Regulated | Chrome Web Store | Chrome Web Store Homepage | Chrome Web Store Homepage | Use a custom page, set below | See the "Appropriate Organizational Identifiers" mitigation regarding an organizationally identifying collection name. | Legal |
335 | User | Likelihood ↥ | Traveler/Partner Association Regulated | Chrome Web Store | Chrome Web Store Homepage | Chrome Web Store Homepage | Use the 'For [YOUR_DOMAIN>TLD]' collection: | See the "Appropriate Organizational Identifiers" mitigation regarding an organizationally identifying collection name. | Legal |
336 | User | Likelihood ↧ | Traveler/Partner Association Regulated | Chrome Web Store | Chrome Web Store Homepage | What should the collection name be? | See the "Appropriate Organizational Identifiers" mitigation regarding an organizationally identifying collection name. | Legal | |
337 | Device | Impact ↥ | Traveler/Partner Association Regulated | Enrollment & Access | Disabled device return instructions | Custom text to display | The disabled device notification exposes the domain that the device is on. If there are concerns about identifying the traveler's association the primary domain used for travel accounts should be taken into consideration. | Legal | |
338 | Device | Impact ↥ | Traveler/Partner Association Regulated | Enrollment & Access | Forced Re-enrollment | Force device to re-enroll into this domain after wiping | If a team member needs to switch over to a personal account mid-trip because conditions have changed and their association with your organization has become more dangerous, this prohibits them from doing so: the device re-enrolls into your domain as soon as it is wiped. | Legal | |
339 | User | Likelihood ↥ | Traveler/Partner Association Regulated | Network | WebRTC UDP Ports | Maximum port (1024-65535) | One consideration here is that setting this to a very small, unusual range of ports turns it into a fingerprint for your user base: every WebRTC call from one of your devices uses UDP source ports from the same narrow band. This is only going to be relevant if you are highly targeted, are in a region with widespread and advanced passive surveillance, and are attempting to have some team members obscure their association with the project (i.e. if you are providing these devices to a diverse, otherwise disconnected group of targeted actors within a country, this could be used to identify associated Chromebooks through passive monitoring). In most countries this is a HIGHLY unlikely scenario. But we are starting to see a trend towards highly advanced passive surveillance systems and, in my opinion, need to start thinking about the likelihood of network-level fingerprinting in an increasing number of threat environments. | Legal | |
340 | User | Likelihood ↥ | Traveler/Partner Association Regulated | Network | WebRTC UDP Ports | Minimum port (1024-65535) | One consideration here is that setting this to a very small, unusual range of ports turns it into a fingerprint for your user base: every WebRTC call from one of your devices uses UDP source ports from the same narrow band. This is only going to be relevant if you are highly targeted, are in a region with widespread and advanced passive surveillance, and are attempting to have some team members obscure their association with the project (i.e. if you are providing these devices to a diverse, otherwise disconnected group of targeted actors within a country, this could be used to identify associated Chromebooks through passive monitoring). In most countries this is a HIGHLY unlikely scenario. But we are starting to see a trend towards highly advanced passive surveillance systems and, in my opinion, need to start thinking about the likelihood of network-level fingerprinting in an increasing number of threat environments. | Legal | |
341 | Device | Likelihood ↥ | Traveler/Partner Association Regulated | Sign-in Settings | Sign-in Keyboard | [All the Keyboards] | Not so useful if your default keyboard layout might itself create some level of suspicion about your team member when a device is confiscated, i.e. entering a country that has serious issues with xenophobia against certain regions of the world. | Legal | |
342 | Device | Likelihood ↥ | Traveler/Partner Association Regulated | Sign-in Settings | Sign-in Language | [All the Languages] | Not so useful if your default language might itself create some level of suspicion about your team member when a device is confiscated, i.e. entering a country that has serious issues with xenophobia against certain regions of the world. | Legal | |
343 | Device | Impact ↧ | Traveler/Partner Association Regulated | Sign-in Settings | Sign-in Restriction | comma-delimited list of usernames | If travel sub-organizations use a different domain, this feature would not force them to log in using their organization's primary (tainted) domain in front of border officials. | Legal | |
344 | Device | Impact ↧ | Traveler/Partner Association Regulated | Sign-in Settings | Sign-in Restriction | Restrict Sign-in to list of users: | If travel sub-organizations use a different domain, this can be used to limit the ability to force the team member to log in to their primary account at their organization while traveling. (Requires that only authorized devices can log in to your organization and that the traveler did not bring along any other authorized devices.) | Legal | |
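The network-level fingerprinting risk described in the WebRTC UDP Ports rows above is easiest to see as detection logic. The following Python script is an added example, not part of this spreadsheet and not Google's code: it reads a constructed flow log and reports hosts whose WebRTC UDP source ports cluster inside a configured range far more often than the "any ephemeral port" baseline would predict. The IP addresses, the flow records, the 51000-51009 range and the Linux default ephemeral-port range used as the baseline are all assumptions made for the example.

```python
"""Passive fingerprinting of a narrow WebRTC UDP port range (added example)."""
from collections import defaultdict
from math import comb

# Baseline for an unconstrained endpoint: the Linux default ephemeral
# source-port range. An assumption for this example, not a Chrome OS fact.
EPHEMERAL_RANGE = (32768, 60999)

# Constructed flow records (src_ip, proto, src_port, dst_port); not real traffic.
# 10.0.0.5 stands in for a managed device pinned to WebRTC UDP ports 51000-51009,
# 10.0.0.9 for an unmanaged laptop using OS-chosen ports, and 10.0.0.12 for a
# host with too little traffic to judge.
SAMPLE_FLOWS = [
    ("10.0.0.5", "udp", 51000, 3478),
    ("10.0.0.5", "udp", 51003, 3478),
    ("10.0.0.5", "udp", 51001, 19302),
    ("10.0.0.5", "udp", 51007, 3478),
    ("10.0.0.5", "udp", 51009, 19302),
    ("10.0.0.5", "udp", 51002, 3478),
    ("10.0.0.5", "tcp", 44120, 443),      # TCP is ignored by the detector
    ("10.0.0.9", "udp", 41233, 3478),
    ("10.0.0.9", "udp", 58120, 19302),
    ("10.0.0.9", "udp", 33901, 3478),
    ("10.0.0.9", "udp", 47710, 3478),
    ("10.0.0.9", "udp", 36002, 19302),
    ("10.0.0.9", "udp", 51004, 3478),     # one chance hit inside the narrow range
    ("10.0.0.12", "udp", 51005, 3478),
]


def udp_hit_counts(flows, lo, hi):
    """Per source host: (UDP flows with source port in [lo, hi], all UDP flows)."""
    hits, totals = defaultdict(int), defaultdict(int)
    for src, proto, sport, _dport in flows:
        if proto != "udp":
            continue
        totals[src] += 1
        if lo <= sport <= hi:
            hits[src] += 1
    return {src: (hits[src], totals[src]) for src in totals}


def baseline_hit_rate(lo, hi, ephemeral=EPHEMERAL_RANGE):
    """Probability that an unconstrained endpoint picks a source port in [lo, hi]."""
    e_lo, e_hi = ephemeral
    overlap = max(0, min(hi, e_hi) - max(lo, e_lo) + 1)
    return overlap / (e_hi - e_lo + 1)


def binomial_tail(n, k, p):
    """P(X >= k) for X ~ Binomial(n, p); exact, fine for per-host flow counts."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k, n + 1))


def fingerprinted_hosts(flows, lo, hi, min_udp_flows=5, max_p=1e-6):
    """Hosts whose UDP source ports cluster in [lo, hi] far beyond chance.

    Returns {src_ip: p_value}. A host is reported only when it has enough UDP
    flows to judge and the chance of seeing at least that many in-range ports
    under the random-ephemeral-port baseline is below max_p.
    """
    p = baseline_hit_rate(lo, hi)
    flagged = {}
    for src, (n_hit, n_udp) in udp_hit_counts(flows, lo, hi).items():
        if n_udp < min_udp_flows:
            continue
        tail = binomial_tail(n_udp, n_hit, p)
        if tail < max_p:
            flagged[src] = tail
    return flagged


if __name__ == "__main__":
    # A ten-port range: the managed device stands out; one chance hit does not.
    print("narrow range:", fingerprinted_hosts(SAMPLE_FLOWS, 51000, 51009))
    # A range covering the whole ephemeral band: nothing is distinguishable.
    print("wide range:  ", fingerprinted_hosts(SAMPLE_FLOWS, 10000, 65535))
```

Run as-is it reports one host for the ten-port range and none for a range spanning the whole ephemeral band, which is the practical point of the row: the narrower and more unusual the range, the better the fingerprint. A single in-range port from an unrelated host is not enough to flag it, which is why a probability threshold is used rather than an "any hit" rule; the same logic, run by a network operator over real flow records, is what would pick out a fleet of identically configured devices.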
582 | |||||||||
583 | |||||||||
584 | |||||||||
585 | |||||||||
586 | |||||||||
587 | |||||||||
588 | |||||||||
589 | |||||||||
590 | |||||||||
591 | |||||||||
592 | |||||||||
593 | |||||||||
594 | |||||||||
595 | |||||||||
596 | |||||||||
597 | |||||||||
598 | |||||||||
599 | |||||||||
600 | |||||||||
601 | |||||||||
602 | |||||||||
603 | |||||||||
604 | |||||||||
605 | |||||||||
606 | |||||||||
607 | |||||||||
608 | |||||||||
609 | |||||||||
610 | |||||||||
611 | |||||||||
612 | |||||||||
613 | |||||||||
614 | |||||||||
615 | |||||||||
616 | |||||||||
617 | |||||||||
618 | |||||||||
619 | |||||||||
620 | |||||||||
621 | |||||||||
622 | |||||||||
623 | |||||||||
624 | |||||||||
625 | |||||||||
626 | |||||||||
627 | |||||||||
628 | |||||||||
629 | |||||||||
630 | |||||||||
631 | |||||||||
632 | |||||||||
633 | |||||||||
634 | |||||||||
635 | |||||||||
636 | |||||||||
637 | |||||||||
638 | |||||||||
639 | |||||||||
640 | |||||||||
641 | |||||||||
642 | |||||||||
643 | |||||||||
644 | |||||||||
645 | |||||||||
646 | |||||||||
647 | |||||||||
648 | |||||||||
649 | |||||||||
650 | |||||||||
651 | |||||||||
652 | |||||||||
653 | |||||||||
654 | |||||||||
655 | |||||||||
656 | |||||||||
657 | |||||||||
658 | |||||||||
659 | |||||||||
660 | |||||||||
661 | |||||||||
662 | |||||||||
663 | |||||||||
664 | |||||||||
665 | |||||||||
666 | |||||||||
667 | |||||||||
668 | |||||||||
669 | |||||||||
670 | |||||||||
671 | |||||||||
672 | |||||||||
673 | |||||||||
674 | |||||||||
675 | |||||||||
676 | |||||||||
677 | |||||||||
678 | |||||||||
679 | |||||||||
680 | |||||||||
681 | |||||||||
682 | |||||||||
683 | |||||||||
684 | |||||||||
685 | |||||||||
686 | |||||||||
687 | |||||||||
688 | |||||||||
689 | |||||||||
690 | |||||||||
691 | |||||||||
692 | |||||||||
693 | |||||||||
694 | |||||||||
695 | |||||||||
696 | |||||||||
697 | |||||||||
698 | |||||||||
699 | |||||||||
700 | |||||||||
701 | |||||||||
702 | |||||||||
703 | |||||||||
704 | |||||||||
705 | |||||||||
706 | |||||||||
707 | |||||||||
708 | |||||||||
709 | |||||||||
710 | |||||||||
711 | |||||||||
712 | |||||||||
713 | |||||||||
714 | |||||||||
715 | |||||||||
716 | |||||||||
717 | |||||||||
718 | |||||||||
719 | |||||||||
720 | |||||||||
721 | |||||||||
722 | |||||||||
723 | |||||||||
724 | |||||||||
725 | |||||||||
726 | |||||||||
727 | |||||||||
728 | |||||||||
729 | |||||||||
730 | |||||||||
731 | |||||||||
732 | |||||||||
733 | |||||||||
734 | |||||||||
735 | |||||||||
736 | |||||||||
737 | |||||||||
738 | |||||||||
739 | |||||||||
740 | |||||||||
741 | |||||||||
742 | |||||||||
743 | |||||||||
744 | |||||||||
745 | |||||||||
746 | |||||||||
747 | |||||||||
748 | |||||||||
749 | |||||||||
750 | |||||||||
751 | |||||||||
752 | |||||||||
753 | |||||||||
754 | |||||||||
755 | |||||||||
756 | |||||||||
757 | |||||||||
758 | |||||||||
759 | |||||||||
760 | |||||||||
761 | |||||||||
762 | |||||||||
763 | |||||||||
764 | |||||||||
765 | |||||||||
766 | |||||||||
767 | |||||||||
768 | |||||||||
769 | |||||||||
770 | |||||||||
771 | |||||||||
772 | |||||||||
773 | |||||||||
774 | |||||||||
775 | |||||||||
776 | |||||||||
777 | |||||||||
778 | |||||||||
779 | |||||||||
780 | |||||||||
781 | |||||||||
782 | |||||||||
783 | |||||||||
784 | |||||||||
785 | |||||||||
786 | |||||||||
787 | |||||||||
788 | |||||||||
789 | |||||||||
790 | |||||||||
791 | |||||||||
792 | |||||||||
793 | |||||||||
794 | |||||||||
795 | |||||||||
796 | |||||||||
797 | |||||||||
798 | |||||||||
799 | |||||||||
800 | |||||||||
801 | |||||||||
802 | |||||||||
803 | |||||||||
804 | |||||||||
805 | |||||||||
806 | |||||||||
807 | |||||||||
808 | |||||||||
809 | |||||||||
810 | |||||||||
811 | |||||||||
812 | |||||||||
813 | |||||||||
814 | |||||||||
815 | |||||||||
816 | |||||||||
817 | |||||||||
818 | |||||||||
819 | |||||||||
820 | |||||||||
821 | |||||||||
822 | |||||||||
823 | |||||||||
824 | |||||||||
825 | |||||||||
826 | |||||||||
827 | |||||||||
828 | |||||||||
829 | |||||||||
830 | |||||||||
831 | |||||||||
832 | |||||||||
833 | |||||||||
834 | |||||||||
835 | |||||||||
836 | |||||||||
837 | |||||||||
838 | |||||||||
839 | |||||||||
840 | |||||||||
841 | |||||||||
842 | |||||||||
843 | |||||||||
844 | |||||||||
845 | |||||||||
846 | |||||||||
847 | |||||||||
848 | |||||||||
849 | |||||||||
850 | |||||||||
851 | |||||||||
852 | |||||||||
853 | |||||||||
854 | |||||||||
855 | |||||||||
856 | |||||||||
857 | |||||||||
858 | |||||||||
859 | |||||||||
860 | |||||||||
861 | |||||||||
862 | |||||||||
863 | |||||||||
864 | |||||||||
865 | |||||||||
866 | |||||||||
867 | |||||||||
868 | |||||||||
869 | |||||||||
870 | |||||||||
871 | |||||||||
872 | |||||||||
873 | |||||||||
874 | |||||||||
875 | |||||||||
876 | |||||||||
877 | |||||||||
878 | |||||||||
879 | |||||||||
880 | |||||||||
881 | |||||||||
882 | |||||||||
883 | |||||||||
884 | |||||||||
885 | |||||||||
886 | |||||||||
887 | |||||||||
888 | |||||||||
889 | |||||||||
890 | |||||||||
891 | |||||||||
892 | |||||||||
893 | |||||||||
894 | |||||||||
895 | |||||||||
896 | |||||||||
897 | |||||||||
898 | |||||||||
899 | |||||||||
900 | |||||||||
901 | |||||||||
902 | |||||||||
903 | |||||||||
904 | |||||||||
905 | |||||||||
906 | |||||||||
907 | |||||||||
908 | |||||||||
909 | |||||||||
910 | |||||||||
911 | |||||||||
912 | |||||||||
913 | |||||||||
914 | |||||||||
915 | |||||||||
916 | |||||||||
917 | |||||||||
918 | |||||||||
919 | |||||||||
920 | |||||||||
921 | |||||||||
922 | |||||||||
923 | |||||||||
924 | |||||||||
925 | |||||||||
926 | |||||||||
927 | |||||||||
928 | |||||||||
929 | |||||||||
930 | |||||||||
931 | |||||||||
932 | |||||||||
933 | |||||||||
934 | |||||||||
935 | |||||||||
936 | |||||||||
937 | |||||||||
938 | |||||||||
939 | |||||||||
940 | |||||||||
941 | |||||||||
942 | |||||||||
943 | |||||||||
944 | |||||||||
945 | |||||||||
946 | |||||||||
947 | |||||||||
948 | |||||||||
949 | |||||||||
950 | |||||||||
951 | |||||||||
952 | |||||||||
953 | |||||||||
954 | |||||||||
955 | |||||||||
956 | |||||||||
957 | |||||||||
958 | |||||||||
959 | |||||||||
960 | |||||||||
961 | |||||||||
962 | |||||||||
963 | |||||||||
964 | |||||||||
965 | |||||||||
966 | |||||||||
967 | |||||||||
968 | |||||||||
969 | |||||||||
970 | |||||||||
971 | |||||||||
972 | |||||||||
973 | |||||||||
974 | |||||||||
975 | |||||||||
976 | |||||||||
977 | |||||||||
978 | |||||||||
979 | |||||||||
980 | |||||||||
981 | |||||||||
982 | |||||||||
983 | |||||||||
984 | |||||||||
985 | |||||||||
986 | |||||||||
987 | |||||||||
988 | |||||||||
989 | |||||||||
990 | |||||||||
991 | |||||||||
992 | |||||||||
993 | |||||||||
994 | |||||||||
995 | |||||||||
996 | |||||||||
997 | |||||||||
998 | |||||||||
999 | |||||||||
1000 | |||||||||
1001 | |||||||||
1002 | |||||||||
1003 | |||||||||
1004 | |||||||||
1005 | |||||||||
1006 | |||||||||
1007 | |||||||||
1008 | |||||||||
1009 | |||||||||
1010 | |||||||||
1011 | |||||||||
1012 | |||||||||
1013 | |||||||||
1014 | |||||||||
1015 | |||||||||
1016 | |||||||||
1017 | |||||||||
1018 | |||||||||
1019 | |||||||||
1020 | |||||||||
1021 | |||||||||
1022 | |||||||||
1023 | |||||||||
1024 | |||||||||
1025 | |||||||||
1026 | |||||||||
1027 | |||||||||
1028 | |||||||||
1029 | |||||||||
1030 | |||||||||
1031 | |||||||||
1032 | |||||||||
1033 | |||||||||
1034 | |||||||||
1035 | |||||||||
1036 | |||||||||
1037 | |||||||||
1038 | |||||||||
1039 | |||||||||
1040 | |||||||||
1041 | |||||||||
1042 | |||||||||
1043 | |||||||||
1044 | |||||||||
1045 | |||||||||
1046 | |||||||||
1047 | |||||||||
1048 | |||||||||
1049 | |||||||||
1050 | |||||||||
1051 | |||||||||
1052 | |||||||||
1053 | |||||||||
1054 | |||||||||
1055 | |||||||||
1056 | |||||||||
1057 | |||||||||
1058 | |||||||||
1059 | |||||||||
1060 | |||||||||
1061 | |||||||||
1062 | |||||||||
1063 | |||||||||
1064 | |||||||||
1065 | |||||||||
1066 | |||||||||
1067 | |||||||||
1068 | |||||||||
1069 | |||||||||
1070 | |||||||||
1071 | |||||||||
1072 | |||||||||
1073 | |||||||||
1074 | |||||||||
1075 | |||||||||
1076 | |||||||||
1077 | |||||||||
1078 | |||||||||
1079 | |||||||||
1080 | |||||||||
1081 | |||||||||
1082 | |||||||||
1083 | |||||||||
1084 | |||||||||
1085 | |||||||||
1086 | |||||||||
1087 | |||||||||
1088 | |||||||||
1089 | |||||||||
1090 | |||||||||
1091 | |||||||||
1092 | |||||||||
1093 | |||||||||
1094 | |||||||||
1095 | |||||||||
1096 | |||||||||
1097 | |||||||||
1098 | |||||||||
1099 | |||||||||
1100 | |||||||||
1101 | |||||||||
1102 | |||||||||
1103 | |||||||||
1104 | |||||||||
1105 | |||||||||
1106 | |||||||||
1107 | |||||||||
1108 | |||||||||
1109 | |||||||||
1110 | |||||||||
1111 | |||||||||
1112 | |||||||||
1113 | |||||||||
1114 | |||||||||
1115 | |||||||||
1116 | |||||||||
1117 | |||||||||
1118 | |||||||||
1119 | |||||||||
1120 | |||||||||
1121 | |||||||||
1122 | |||||||||
1123 | |||||||||
1124 | |||||||||
1125 | |||||||||
1126 | |||||||||
1127 | |||||||||
1128 | |||||||||
1129 | |||||||||
1130 | |||||||||
1131 | |||||||||
1132 | |||||||||
1133 | |||||||||
1134 | |||||||||
1135 | |||||||||
1136 | |||||||||
1137 | |||||||||
1138 | |||||||||
1139 | |||||||||
1140 | |||||||||
1141 | |||||||||
1142 | |||||||||
1143 | |||||||||
1144 | |||||||||
1145 | |||||||||
1146 | |||||||||
1147 | |||||||||
1148 | |||||||||
1149 | |||||||||
1150 | |||||||||
1151 | |||||||||
1152 | |||||||||
1153 | |||||||||
1154 | |||||||||
1155 | |||||||||
1156 | |||||||||
1157 | |||||||||
1158 | |||||||||
1159 | |||||||||
1160 | |||||||||
1161 | |||||||||
1162 | |||||||||
1163 | |||||||||
1164 | |||||||||
1165 | |||||||||
1166 | |||||||||
1167 | |||||||||
1168 | |||||||||
1169 | |||||||||
1170 | |||||||||
1171 | |||||||||
1172 | |||||||||
1173 | |||||||||
1174 | |||||||||
1175 | |||||||||
1176 | |||||||||
1177 | |||||||||
1178 | |||||||||
1179 | |||||||||
1180 | |||||||||
1181 | |||||||||
1182 | |||||||||
1183 | |||||||||
1184 | |||||||||
1185 | |||||||||
1186 | |||||||||
1187 | |||||||||
1188 | |||||||||
1189 | |||||||||
1190 | |||||||||
1191 | |||||||||
1192 | |||||||||
1193 | |||||||||
1194 | |||||||||
1195 | |||||||||
1196 | |||||||||
1197 | |||||||||
1198 | |||||||||
1199 | |||||||||
1200 | |||||||||
1201 | |||||||||
1202 | |||||||||
1203 | |||||||||
1204 | |||||||||
1205 | |||||||||
1206 | |||||||||
1207 | |||||||||
1208 | |||||||||
1209 | |||||||||
1210 | |||||||||
1211 | |||||||||
1212 | |||||||||
1213 | |||||||||
1214 | |||||||||
1215 | |||||||||
1216 | |||||||||
1217 | |||||||||
1218 | |||||||||
1219 | |||||||||
1220 | |||||||||
1221 | |||||||||
1222 | |||||||||
1223 | |||||||||
1224 | |||||||||
1225 | |||||||||
1226 | |||||||||
1227 | |||||||||
1228 | |||||||||
1229 | |||||||||
1230 | |||||||||
1231 | |||||||||
1232 | |||||||||
1233 | |||||||||
1234 | |||||||||
1235 | |||||||||
1236 | |||||||||
1237 | |||||||||
1238 | |||||||||
1239 | |||||||||
1240 | |||||||||
1241 | |||||||||
1242 | |||||||||
1243 | |||||||||
1244 | |||||||||
1245 | |||||||||
1246 | |||||||||
1247 | |||||||||
1248 | |||||||||
1249 | |||||||||
1250 | |||||||||
1251 | |||||||||
1252 | |||||||||
1253 | |||||||||
1254 | |||||||||
1255 | |||||||||
1256 | |||||||||
1257 | |||||||||
1258 | |||||||||
1259 | |||||||||
1260 | |||||||||
1261 | |||||||||
1262 | |||||||||
1263 | |||||||||
1264 | |||||||||
1265 | |||||||||
1266 | |||||||||
1267 | |||||||||
1268 | |||||||||
1269 | |||||||||
1270 | |||||||||
1271 | |||||||||
1272 | |||||||||
1273 | |||||||||
1274 | |||||||||
1275 | |||||||||
1276 | |||||||||
1277 | |||||||||
1278 | |||||||||
1279 | |||||||||
1280 | |||||||||
1281 | |||||||||
1282 | |||||||||
1283 | |||||||||
1284 | |||||||||
1285 | |||||||||
1286 | |||||||||
1287 | |||||||||
1288 | |||||||||
1289 | |||||||||
1290 | |||||||||
1291 | |||||||||
1292 | |||||||||
1293 | |||||||||
1294 | |||||||||
1295 | |||||||||
1296 | |||||||||
1297 | |||||||||
1298 | |||||||||
1299 | |||||||||
1300 | |||||||||
1301 | |||||||||
1302 | |||||||||
1303 | |||||||||
1304 | |||||||||
1305 | |||||||||
1306 | |||||||||
1307 | |||||||||
1308 | |||||||||
1309 | |||||||||
1310 | |||||||||
1311 | |||||||||
1312 | |||||||||
1313 | |||||||||
1314 | |||||||||
1315 | |||||||||
1316 | |||||||||
1317 | |||||||||
1318 | |||||||||
1319 | |||||||||
1320 | |||||||||
1321 | |||||||||
1322 | |||||||||
1323 | |||||||||
1324 | |||||||||
1325 | |||||||||
1326 | |||||||||
1327 | |||||||||
1328 | |||||||||
1329 | |||||||||
1330 | |||||||||
1331 | |||||||||
1332 | |||||||||
1333 | |||||||||
1334 | |||||||||
1335 | |||||||||
1336 | |||||||||
1337 | |||||||||
1338 | |||||||||
1339 | |||||||||
1340 | |||||||||
1341 | |||||||||
1342 | |||||||||
1343 | |||||||||
1344 | |||||||||
1345 | |||||||||
1346 | |||||||||
1347 | |||||||||
1348 | |||||||||
1349 | |||||||||
1350 | |||||||||
1351 | |||||||||
1352 | |||||||||
1353 | |||||||||
1354 | |||||||||
1355 | |||||||||
1356 | |||||||||
1357 | |||||||||
1358 | |||||||||
1359 | |||||||||
1360 | |||||||||
1361 | |||||||||
1362 | |||||||||
1363 | |||||||||
1364 | |||||||||
1365 | |||||||||
1366 | |||||||||
1367 | |||||||||
1368 | |||||||||
1369 | |||||||||
1370 | |||||||||
1371 | |||||||||
1372 | |||||||||
1373 | |||||||||
1374 | |||||||||
1375 | |||||||||
1376 | |||||||||
1377 | |||||||||
1378 | |||||||||
1379 | |||||||||
1380 | |||||||||
1381 | |||||||||
1382 | |||||||||
1383 | |||||||||
1384 | |||||||||
1385 | |||||||||
1386 | |||||||||
1387 | |||||||||
1388 | |||||||||
1389 | |||||||||
1390 | |||||||||
1391 | |||||||||
1392 | |||||||||
1393 | |||||||||
1394 | |||||||||
1395 | |||||||||
1396 | |||||||||
1397 | |||||||||
1398 | |||||||||
1399 | |||||||||
1400 | |||||||||
1401 | |||||||||
1402 | |||||||||
1403 | |||||||||
1404 | |||||||||
1405 | |||||||||
1406 | |||||||||
1407 | |||||||||
1408 | |||||||||
1409 | |||||||||
1410 | |||||||||
1411 | |||||||||
1412 | |||||||||
1413 | |||||||||
1414 | |||||||||
1415 | |||||||||
1416 | |||||||||
1417 | |||||||||
1418 | |||||||||
1419 | |||||||||
1420 | |||||||||
1421 | |||||||||
1422 | |||||||||
1423 | |||||||||
1424 | |||||||||
1425 | |||||||||
1426 | |||||||||
1427 | |||||||||
1428 | |||||||||
1429 | |||||||||
1430 | |||||||||
1431 | |||||||||
1432 | |||||||||
1433 | |||||||||
1434 | |||||||||
1435 | |||||||||
1436 | |||||||||
1437 | |||||||||
1438 | |||||||||
1439 | |||||||||
1440 | |||||||||
1441 | |||||||||
1442 | |||||||||
1443 | |||||||||
1444 | |||||||||
1445 | |||||||||
1446 | |||||||||
1447 | |||||||||
1448 | |||||||||
1449 | |||||||||
1450 | |||||||||
1451 | |||||||||
1452 | |||||||||
1453 | |||||||||
1454 | |||||||||
1455 | |||||||||
1456 | |||||||||
1457 | |||||||||
1458 | |||||||||
1459 | |||||||||
1460 | |||||||||
1461 | |||||||||
1462 | |||||||||
1463 | |||||||||
1464 | |||||||||
1465 | |||||||||
1466 | |||||||||
1467 | |||||||||
1468 | |||||||||
1469 | |||||||||
1470 | |||||||||
1471 | |||||||||
1472 | |||||||||
1473 | |||||||||
1474 | |||||||||
1475 | |||||||||
1476 | |||||||||
1477 | |||||||||
1478 | |||||||||
1479 | |||||||||
1480 | |||||||||
1481 | |||||||||
1482 | |||||||||
1483 | |||||||||
1484 | |||||||||
1485 | |||||||||
1486 | |||||||||
1487 | |||||||||
1488 | |||||||||
1489 | |||||||||
1490 | |||||||||
1491 | |||||||||
1492 | |||||||||
1493 | |||||||||
1494 | |||||||||
1495 | |||||||||
1496 | |||||||||
1497 | |||||||||
1498 | |||||||||
1499 | |||||||||
1500 | |||||||||
1501 | |||||||||
1502 | |||||||||
1503 | |||||||||
1504 | |||||||||
1505 | |||||||||
1506 | |||||||||
1507 | |||||||||
1508 | |||||||||
1509 | |||||||||
1510 | |||||||||
1511 | |||||||||
1512 | |||||||||
1513 | |||||||||
1514 | |||||||||
1515 | |||||||||
1516 | |||||||||
1517 | |||||||||
1518 | |||||||||
1519 | |||||||||
1520 | |||||||||
1521 | |||||||||
1522 | |||||||||
1523 | |||||||||
1524 | |||||||||
1525 | |||||||||
1526 | |||||||||
1527 | |||||||||
1528 | |||||||||
1529 | |||||||||
1530 | |||||||||
1531 | |||||||||
1532 | |||||||||
1533 | |||||||||
1534 | |||||||||
1535 | |||||||||
1536 | |||||||||
1537 | |||||||||
1538 | |||||||||
1539 | |||||||||
1540 | |||||||||
1541 | |||||||||
1542 | |||||||||
1543 | |||||||||
1544 | |||||||||
1545 | |||||||||
1546 | |||||||||
1547 | |||||||||
1548 | |||||||||
1549 | |||||||||
1550 | |||||||||
1551 | |||||||||
1552 | |||||||||
1553 | |||||||||
1554 | |||||||||
1555 | |||||||||
1556 | |||||||||
1557 | |||||||||
1558 | |||||||||
1559 | |||||||||
1560 | |||||||||
1561 | |||||||||
1562 | |||||||||
1563 | |||||||||
1564 | |||||||||
1565 | |||||||||
1566 | |||||||||
1567 | |||||||||
1568 | |||||||||
1569 | |||||||||
1570 | |||||||||
1571 | |||||||||
1572 | |||||||||
1573 | |||||||||
1574 | |||||||||
1575 | |||||||||
1576 | |||||||||
1577 | |||||||||
1578 | |||||||||
1579 | |||||||||
1580 | |||||||||
1581 | |||||||||
1582 | |||||||||
1583 | |||||||||
1584 | |||||||||
1585 | |||||||||
1586 | |||||||||
1587 | |||||||||
1588 | |||||||||
1589 | |||||||||
1590 | |||||||||
1591 | |||||||||
1592 | |||||||||
1593 | |||||||||
1594 | |||||||||
1595 | |||||||||
1596 | |||||||||
1597 | |||||||||
1598 | |||||||||
1599 | |||||||||
1600 | |||||||||
1601 | |||||||||
1602 | |||||||||
1603 | |||||||||
1604 | |||||||||
1605 | |||||||||
1606 | |||||||||
1607 | |||||||||
1608 | |||||||||
1609 | |||||||||
1610 | |||||||||
1611 | |||||||||
1612 | |||||||||
1613 | |||||||||
1614 | |||||||||
1615 | |||||||||
1616 | |||||||||
1617 | |||||||||
1618 | |||||||||
1619 | |||||||||
1620 | |||||||||
1621 | |||||||||
1622 | |||||||||
1623 | |||||||||
1624 | |||||||||
1625 | |||||||||
1626 | |||||||||
1627 | |||||||||
1628 | |||||||||
1629 | |||||||||
1630 | |||||||||
1631 | |||||||||
1632 | |||||||||
1633 | |||||||||
1634 | |||||||||
1635 | |||||||||
1636 | |||||||||
1637 | |||||||||
1638 | |||||||||
1639 | |||||||||
1640 | |||||||||
1641 | |||||||||
1642 | |||||||||
1643 | |||||||||
1644 | |||||||||
1645 | |||||||||
1646 | |||||||||
1647 | |||||||||
1648 | |||||||||
1649 | |||||||||
1650 | |||||||||
1651 | |||||||||
1652 | |||||||||
1653 | |||||||||
1654 | |||||||||
1655 | |||||||||
1656 | |||||||||
1657 | |||||||||
1658 | |||||||||
1659 | |||||||||
1660 | |||||||||
1661 | |||||||||
1662 | |||||||||
1663 | |||||||||
1664 | |||||||||
1665 | |||||||||
1666 | |||||||||
1667 | |||||||||
1668 | |||||||||
1669 | |||||||||
1670 | |||||||||
1671 | |||||||||
1672 | |||||||||
1673 | |||||||||
1674 | |||||||||
1675 | |||||||||
1676 | |||||||||
1677 | |||||||||
1678 | |||||||||
1679 | |||||||||
1680 | |||||||||
1681 | |||||||||
1682 | |||||||||
1683 | |||||||||
1684 | |||||||||
1685 | |||||||||
1686 | |||||||||
1687 | |||||||||
1688 | |||||||||
1689 | |||||||||
1690 | |||||||||
1691 | |||||||||
1692 | |||||||||
1693 | |||||||||
1694 | |||||||||
1695 | |||||||||
1696 | |||||||||
1697 | |||||||||
1698 | |||||||||
1699 | |||||||||
1700 | |||||||||
1701 | |||||||||
1702 | |||||||||
1703 | |||||||||
1704 | |||||||||
1705 | |||||||||
1706 | |||||||||
1707 | |||||||||
1708 | |||||||||
1709 | |||||||||
1710 | |||||||||
1711 | |||||||||
1712 | |||||||||
1713 | |||||||||
1714 | |||||||||
1715 | |||||||||
1716 | |||||||||
1717 | |||||||||
1718 | |||||||||
1719 | |||||||||
1720 | |||||||||
1721 | |||||||||
1722 | |||||||||
1723 | |||||||||
1724 | |||||||||
1725 | |||||||||
1726 | |||||||||
1727 | |||||||||
1728 | |||||||||
1729 | |||||||||
1730 | |||||||||
1731 | |||||||||
1732 | |||||||||
1733 | |||||||||
1734 | |||||||||
1735 | |||||||||
1736 | |||||||||
1737 | |||||||||
1738 | |||||||||
1739 | |||||||||
1740 | |||||||||
1741 | |||||||||
1742 | |||||||||
1743 | |||||||||
1744 | |||||||||
1745 | |||||||||
1746 | |||||||||
1747 | |||||||||
1748 | |||||||||
1749 | |||||||||
1750 | |||||||||
1751 | |||||||||
1752 | |||||||||
1753 | |||||||||
1754 | |||||||||
1755 | |||||||||
1756 | |||||||||
1757 | |||||||||
1758 | |||||||||
1759 | |||||||||
1760 | |||||||||
1761 | |||||||||
1762 | |||||||||
1763 | |||||||||
1764 | |||||||||
1765 | |||||||||
1766 | |||||||||
1767 | |||||||||
1768 | |||||||||
1769 | |||||||||
1770 | |||||||||
1771 | |||||||||
1772 | |||||||||
1773 | |||||||||
1774 | |||||||||
1775 | |||||||||
1776 | |||||||||
1777 | |||||||||
1778 | |||||||||
1779 | |||||||||
1780 | |||||||||
1781 | |||||||||
1782 | |||||||||
1783 | |||||||||
1784 | |||||||||
1785 | |||||||||
1786 | |||||||||
1787 | |||||||||
1788 | |||||||||
1789 | |||||||||
1790 | |||||||||
1791 | |||||||||
1792 | |||||||||
1793 | |||||||||
1794 | |||||||||
1795 | |||||||||
1796 | |||||||||
1797 | |||||||||
1798 | |||||||||
1799 | |||||||||
1800 | |||||||||
1801 | |||||||||
1802 | |||||||||
1803 | |||||||||
1804 | |||||||||
1805 | |||||||||
1806 | |||||||||
1807 | |||||||||
1808 | |||||||||
1809 | |||||||||
1810 | |||||||||
1811 | |||||||||
1812 | |||||||||
1813 | |||||||||
1814 | |||||||||
1815 | |||||||||
1816 | |||||||||
1817 | |||||||||
1818 | |||||||||
1819 | |||||||||
1820 | |||||||||
1821 | |||||||||
1822 | |||||||||
1823 | |||||||||
1824 | |||||||||
1825 | |||||||||
1826 | |||||||||
1827 | |||||||||
1828 | |||||||||
1829 | |||||||||
1830 | |||||||||
1831 | |||||||||
1832 | |||||||||
1833 | |||||||||
1834 | |||||||||
1835 | |||||||||
1836 | |||||||||
1837 | |||||||||
1838 | |||||||||
1839 | |||||||||
1840 | |||||||||
1841 | |||||||||
1842 | |||||||||
1843 | |||||||||
1844 | |||||||||
1845 | |||||||||
1846 | |||||||||
1847 | |||||||||
1848 | |||||||||
1849 | |||||||||
1850 | |||||||||
1851 | |||||||||
1852 | |||||||||
1853 | |||||||||
1854 | |||||||||
1855 | |||||||||
1856 | |||||||||
1857 | |||||||||
1858 | |||||||||
1859 | |||||||||
1860 | |||||||||
1861 | |||||||||
1862 | |||||||||
1863 | |||||||||
1864 | |||||||||
1865 | |||||||||
1866 | |||||||||
1867 | |||||||||
1868 | |||||||||
1869 | |||||||||
1870 | |||||||||
1871 | |||||||||
1872 | |||||||||
1873 | |||||||||
1874 | |||||||||
1875 | |||||||||
1876 | |||||||||
1877 | |||||||||
1878 | |||||||||
1879 | |||||||||
1880 | |||||||||
1881 | |||||||||
1882 | |||||||||
1883 | |||||||||
1884 | |||||||||
1885 | |||||||||
1886 | |||||||||
1887 | |||||||||
1888 | |||||||||
1889 | |||||||||
1890 | |||||||||
1891 | |||||||||
1892 | |||||||||
1893 | |||||||||
1894 | |||||||||
1895 | |||||||||
1896 | |||||||||
1897 | |||||||||
1898 | |||||||||
1899 | |||||||||
1900 | |||||||||
1901 | |||||||||
1902 | |||||||||
1903 | |||||||||
1904 | |||||||||
1905 | |||||||||
1906 | |||||||||
1907 | |||||||||
1908 | |||||||||
1909 | |||||||||
1910 | |||||||||
1911 | |||||||||
1912 | |||||||||
1913 | |||||||||
1914 | |||||||||
1915 | |||||||||
1916 | |||||||||
1917 | |||||||||
1918 | |||||||||
1919 | |||||||||
1920 | |||||||||
1921 | |||||||||
1922 | |||||||||
1923 | |||||||||
1924 | |||||||||
1925 | |||||||||
1926 | |||||||||
1927 | |||||||||
1928 | |||||||||
1929 | |||||||||
1930 | |||||||||
1931 | |||||||||
1932 | |||||||||
1933 | |||||||||
1934 | |||||||||
1935 | |||||||||
1936 | |||||||||
1937 | |||||||||
1938 | |||||||||
1939 | |||||||||
1940 | |||||||||
1941 | |||||||||
1942 | |||||||||
1943 | |||||||||
1944 | |||||||||
1945 | |||||||||
1946 | |||||||||
1947 | |||||||||
1948 | |||||||||
1949 | |||||||||
1950 | |||||||||
1951 | |||||||||
1952 | |||||||||
1953 | |||||||||
1954 | |||||||||
1955 | |||||||||
1956 | |||||||||
1957 | |||||||||
1958 | |||||||||
1959 | |||||||||
1960 | |||||||||
1961 | |||||||||
1962 | |||||||||
1963 | |||||||||
1964 | |||||||||
1965 | |||||||||
1966 | |||||||||
1967 | |||||||||
1968 | |||||||||
1969 | |||||||||
1970 | |||||||||
1971 | |||||||||
1972 | |||||||||
1973 | |||||||||
1974 | |||||||||
1975 | |||||||||
1976 | |||||||||
1977 | |||||||||
1978 | |||||||||
1979 | |||||||||
1980 | |||||||||
1981 | |||||||||
1982 | |||||||||
1983 | |||||||||
1984 | |||||||||
1985 | |||||||||
1986 | |||||||||
1987 | |||||||||
1988 | |||||||||
1989 | |||||||||
1990 | |||||||||
1991 | |||||||||
1992 | |||||||||
1993 | |||||||||
1994 | |||||||||
1995 | |||||||||
1996 | |||||||||
1997 | |||||||||
1998 | |||||||||
1999 | |||||||||
2000 | |||||||||
2001 | |||||||||
2002 | |||||||||
2003 | |||||||||
2004 | |||||||||
2005 | |||||||||
2006 | |||||||||
2007 | |||||||||
2008 | |||||||||
2009 | |||||||||
2010 | |||||||||
2011 | |||||||||
2012 | |||||||||
2013 | |||||||||
2014 | |||||||||
2015 | |||||||||
2016 | |||||||||
2017 | |||||||||
2018 | |||||||||
2019 | |||||||||
2020 | |||||||||
2021 | |||||||||
2022 | |||||||||
2023 | |||||||||
2024 | |||||||||
2025 | |||||||||
2026 | |||||||||
2027 | |||||||||
2028 | |||||||||
2029 | |||||||||
2030 | |||||||||
2031 | |||||||||
2032 | |||||||||
2033 | |||||||||
2034 | |||||||||
2035 | |||||||||
2036 | |||||||||
2037 | |||||||||
2038 | |||||||||
2039 | |||||||||
2040 | |||||||||
2041 | |||||||||
2042 | |||||||||
2043 | |||||||||
2044 | |||||||||
2045 | |||||||||
2046 | |||||||||
2047 | |||||||||
2048 | |||||||||
2049 | |||||||||
2050 | |||||||||
2051 | |||||||||
2052 | |||||||||
2053 | |||||||||
2054 | |||||||||
2055 | |||||||||
2056 | |||||||||
2057 | |||||||||
2058 | |||||||||
2059 | |||||||||
2060 | |||||||||
2061 | |||||||||
2062 | |||||||||
2063 | |||||||||
2064 | |||||||||
2065 | |||||||||
2066 | |||||||||
2067 | |||||||||
2068 | |||||||||
2069 | |||||||||
2070 | |||||||||
2071 | |||||||||
2072 | |||||||||
2073 | |||||||||
2074 | |||||||||
2075 | |||||||||
2076 | |||||||||
2077 | |||||||||
2078 | |||||||||
2079 | |||||||||
2080 | |||||||||
2081 | |||||||||
2082 | |||||||||
2083 | |||||||||
2084 | |||||||||
2085 | |||||||||
2086 | |||||||||
2087 | |||||||||
2088 | |||||||||
2089 | |||||||||
2090 | |||||||||
2091 | |||||||||
2092 | |||||||||
2093 | |||||||||
2094 | |||||||||
2095 | |||||||||
2096 | |||||||||
2097 | |||||||||
2098 | |||||||||
2099 | |||||||||
2100 | |||||||||
2101 | |||||||||
2102 | |||||||||
2103 | |||||||||
2104 | |||||||||
2105 | |||||||||
2106 | |||||||||
2107 | |||||||||
2108 | |||||||||
2109 | |||||||||
2110 | |||||||||
2111 | |||||||||
2112 | |||||||||
2113 | |||||||||
2114 | |||||||||
2115 | |||||||||
2116 | |||||||||
2117 | |||||||||
2118 | |||||||||
2119 | |||||||||
2120 | |||||||||
2121 | |||||||||
2122 | |||||||||
2123 | |||||||||
2124 | |||||||||
2125 | |||||||||
2126 | |||||||||
2127 | |||||||||
2128 | |||||||||
2129 | |||||||||
2130 | |||||||||
2131 | |||||||||
2132 | |||||||||
2133 | |||||||||
2134 | |||||||||
2135 | |||||||||
2136 | |||||||||
2137 | |||||||||
2138 | |||||||||
2139 | |||||||||
2140 | |||||||||
2141 | |||||||||
2142 | |||||||||
2143 | |||||||||
2144 | |||||||||
2145 | |||||||||
2146 | |||||||||
2147 | |||||||||
2148 | |||||||||
2149 | |||||||||
2150 | |||||||||
2151 | |||||||||
2152 | |||||||||
2153 | |||||||||
2154 | |||||||||
2155 | |||||||||
2156 | |||||||||
2157 | |||||||||
2158 | |||||||||
2159 | |||||||||
2160 | |||||||||
2161 | |||||||||
2162 | |||||||||
2163 | |||||||||
2164 | |||||||||
2165 | |||||||||
2166 | |||||||||
2167 | |||||||||
2168 | |||||||||
2169 | |||||||||
2170 | |||||||||
2171 | |||||||||
2172 | |||||||||
2173 | |||||||||
2174 | |||||||||
2175 | |||||||||
2176 | |||||||||
2177 | |||||||||
2178 | |||||||||
2179 | |||||||||
2180 | |||||||||
2181 | |||||||||
2182 | |||||||||
2183 | |||||||||
2184 | |||||||||
2185 | |||||||||
2186 | |||||||||
2187 | |||||||||
2188 | |||||||||
2189 | |||||||||
2190 | |||||||||
2191 | |||||||||
2192 | |||||||||
2193 | |||||||||
2194 | |||||||||
2195 | |||||||||
2196 | |||||||||
2197 | |||||||||
2198 | |||||||||
2199 | |||||||||
2200 | |||||||||
2201 | |||||||||
2202 | |||||||||
2203 | |||||||||
2204 | |||||||||
2205 | |||||||||
2206 | |||||||||
2207 | |||||||||
2208 | |||||||||
2209 | |||||||||
2210 | |||||||||
2211 | |||||||||
2212 | |||||||||
2213 | |||||||||
2214 | |||||||||
2215 | |||||||||
2216 | |||||||||
2217 | |||||||||
2218 | |||||||||
2219 | |||||||||
2220 | |||||||||
2221 | |||||||||
2222 | |||||||||
2223 | |||||||||
2224 | |||||||||
2225 | |||||||||
2226 | |||||||||
2227 | |||||||||
2228 | |||||||||
2229 | |||||||||
2230 | |||||||||
2231 | |||||||||
2232 | |||||||||
2233 | |||||||||
2234 | |||||||||
2235 | |||||||||
2236 | |||||||||
2237 | |||||||||
2238 | |||||||||
2239 | |||||||||
2240 | |||||||||
2241 | |||||||||
2242 | |||||||||
2243 | |||||||||
2244 | |||||||||
2245 | |||||||||
2246 | |||||||||
2247 | |||||||||
2248 | |||||||||
2249 | |||||||||
2250 | |||||||||
2251 | |||||||||
2252 | |||||||||
2253 | |||||||||
# | Question | Notes |
---|---|---|
2 | Is there a way to make managed Chromebooks *NOT* display the organization's domain name? | A partial solution: add a secondary domain, add one user on that domain and allow that user to enroll devices; devices enrolled this way show the secondary domain. Note: this does not stop the primary domain from showing when a device is disabled by an admin. Additionally, using "domain autocomplete at sign-in" with another domain will show that domain, but it won't stop sign-in with your primary travel account. |
1 | < Index | ||||||||
---|---|---|---|---|---|---|---|---|---|
2 | Setting | Impact | Requirement | Category | Title | Sub Item | Option | Comments | |
3 | User | Inhibits | Allow for Greater Security | Content | Cookies | Default Cookie Setting | Allow sites to set cookies | I would consider this the default. You don't want the internet to seem broken on these devices. team member's will quickly abandon them if it feels that way. | |
4 | User | Supports | Allow for Greater Security | Content | Cookies | Default Cookie Setting | Allow user to configure | With team member's with greater security awareness and/or aptitude who are going to multiple different threat environments this can be a useful option. | |
5 | User | Supports | Allow for Greater Security | Content | Google Drive Syncing | Allow user to decide whether to use Google Drive syncing | |||
6 | User | Inhibits | Allow for Greater Security | Content | Google Drive Syncing | Enable Google Drive syncing | |||
7 | User | Inhibits | Allow for Greater Security | Content | JavaScript | JavaScript | Allow sites to run JavaScript | ||
8 | User | Inhibits | Allow for Greater Security | Content | Outdated Plugins | Allow outdated plugins to be used as normal plugins | |||
9 | User | Inhibits | Allow for Greater Security | Content | Plug-ins | Plug-ins | Run plug-ins automatically | Flash is poison, Flash is dead in 2020! Make sure your team is not using flash based web apps before disabling. (Flash is the only "plugin" that is left in Chrome https://bugs.chromium.org/p/chromium/issues/detail?id=615738) | |
10 | User | Inhibits | Allow for Greater Security | Content | Plugin Authorization | Always run plugins that require authorization | |||
11 | User | Supports | Allow for Greater Security | Content | Plugin Authorization | Ask for user permission before running plugins that require authorization | Follow the guidelines around giving team member a choice to be more secure. It can be inconvenient, but flash is such a constantly vulnerable component of the web that I don't want to just allow it in any way. | ||
12 | User | Inhibits | Allow for Greater Security | Content | Pop-ups | Pop-ups | Allow all pop-ups | Another place where blocking, even though these are commonly used maliciously, can be a huge inconvenience for the user. The few legitimate sites where popups are a required part of the workflow should still be supported. (i.e. financial sites, government sites, and all the other places that lag behind best practice due to onerous compliance regulations.) | |
13 | User | Inhibits | Allow for Greater Security | Content | Third-Party Cookie Blocking | Allow third-party cookies | This is another fingerprinting threat, and therefore not relevant for this context. | ||
14 | User | Inhibits | Allow for Greater Security | Network | Proxy Settings | Always auto detect the proxy | Are you kidding me. | ||
15 | User | Inhibits | Allow for Greater Security | Omnibox Search Provider | Omnibox Search Provider | Lock the Omnibox Search Provider settings to the values below | By locking to a search provider that is less secure than others you can disrupt the threat model of your travelers if they accidentally type an address wrong and it gets interpreted as a search. | ||
16 | User | Supports | Allow for Greater Security | Omnibox Search Provider | Search Suggest | Always allow team members to use Search Suggest | See all the previous comments about giving team members the power to increase their security without breaking their workflow. | ||
17 | User | Inhibits | Allow for Greater Security | Security | Geolocation | Allow sites to detect team members' geolocation | |||
18 | User | Supports | Allow for Greater Security | Security | Incognito Mode | Allow incognito mode | Incognito mode is a useful tool for ensuring that sensitive research and other online activity is not exposed on devices that otherwise save the browser history. It has clear benefits. I see no security reasons to disable incognito mode. | ||
19 | User | Inhibits | Allow for Greater Security | Security | Incognito Mode | Disallow incognito mode | |||
20 | User | Inhibits | Allow for Greater Security | Security | Password Manager | Always allow use of password manager | Since the third option allows a team member to configure this setting, I see no reason to prevent some team members from enabling greater security by turning password manager usage off. If you are thinking about this option, just use the "team member configuration" option instead. | ||
21 | User | Inhibits | Allow for Greater Security | Startup | Homepage | Homepage is always the new tab page | |||
22 | User | Supports | Allow for Greater Security | User Experience | DNS Pre-fetching | Allow user to configure | I don't think that not pre-fetching will impact the team member significantly. And, I feel like this is the kind of option that will be clicked on by a team member who is trying to get the internet running quicker without understanding how it impacts their risk model. | ||
23 | User | Supports | Allow for Greater Security | User Experience | DNS Pre-fetching | Always pre-fetch DNS | |||
24 | User | Inhibits | Allow for Greater Security | User Experience | Download Location | Force Google Drive | We don't want forced online storage. If a team member needs to keep their profile free of downloads for their own increased security forcing this will get in their way. | ||
25 | User | Supports | Allow for Greater Security | User Experience | Form Auto-fill | Allow user to configure | See all the previous comments about giving team members the power to increase their security without breaking their workflow. | ||
26 | User | Supports | Allow for Greater Security | User Experience | Google Translate | Allow user to configure | |||
27 | User | Inhibits | Allow for Greater Security | User Experience | Google Translate | Always offer translation | See all the previous comments about giving team members the power to increase their security without breaking their workflow. | ||
28 | User | Supports | Allow for Greater Security | User Experience | Spell Check Service | Allow user to decide whether to use the spell checking web service | Like many other information leaks in Chrome, this is very threat-model specific. But, as with those, it is important to allow team members with greater security needs to add those controls without destroying the workflow of others. | ||
29 | User | Inhibits | Allow for Greater Security | User Experience | Spell Check Service | Enable the spell checking web service | Chrome does come with a client-side spell checker. This option will enable the web-based spell checker that sends all of a team member's typing to Google's servers. Note that if the team member is using Google Docs they are already using this feature, just natively within Google Docs. | ||
30 | Device | Inhibits | Allow for Greater Security | Device Update Settings | Auto Update Settings | Auto Update | Stop auto-updates | If you don't have an admin with the capability and capacity to quickly check and release updates, then you will need to allow automatic updates and build staff capacity for finding alternate solutions when things break, because updates are critical for security. Don't let an admin's fear of things breaking, combined with a lack of time, get in the way of real security. | |
31 | Device | Supports | Allow for Greater Security | Device Update Settings | Release Channel | Allow user to configure | The travel accounts should be on the stable channel, or user-configurable, by default. Don't put team members on unstable platforms. It's just not cool. | ||
32 | Device | Supports | Allow for Greater Security | Sign-in Settings | Guest Mode | Allow guest mode | |||
33 | Device | Inhibits | Allow for Greater Security | Sign-in Settings | Guest Mode | Do not allow guest mode | Not providing a way for the team member to browse in an ephemeral manner makes it harder for them to make strategic decisions about when to save history. If they need to make these decisions, it takes much greater knowledge about where that history is saved to clear it out without modes like this. | ||
34 | Device | Inhibits | Allow for Greater Security | Sign-in Settings | Sign-in Restriction | Do not allow any users to Sign-in | This would limit a significant amount of the controls we have put in place. So, no. Don't use this. | ||
35 | User | Supports | Localizable & Internationalizable Practices | Android applications | Unknown Sources | Allow install from unknown sources | If you have an international team you must take into consideration that there are a multitude of app sources/stores, and many of them have apps and extensions that are widely used in one region or another but are not included in Google Play. Only allowing Google Play Store apps can decrease adoption of this travel solution. If the localized apps that your international team members need are not included in the Play Store, they will likely still bring along their own devices. (See the many places where I discuss the problems with team members having to bring additional devices along.) | ||
36 | User | Inhibits | Localizable & Internationalizable Practices | Android applications | Unknown Sources | Do not allow install from unknown sources | If you have an international team you must take into consideration that there are a multitude of app sources/stores, and many of them have apps and extensions that are widely used in one region or another but are not included in Google Play. Only allowing Google Play Store apps can decrease adoption of this travel solution. If the localized apps that your international team members need are not included in the Play Store, they will likely still bring along their own devices. (See the many places where I discuss the problems with team members having to bring additional devices along.) | ||
37 | User | Both | Localizable & Internationalizable Practices | Apps and Extensions | App and Extension Install Sources | List of URL Patterns | If you have an international team you must take into consideration that there are a multitude of app sources/stores, and many of them have apps and extensions that are widely used but are not included in Google Play. | ||
38 | User | Inhibits | Low Resourced Administrator | Enrollment Controls | Enrollment Permissions | Do not allow team members in this organization to enroll new or deprovisioned devices | This option requires a greater amount of administrator availability to ensure that device enrollment does not impede the team's ability to add, and fully reset, devices during travel. | ||
39 | User | Inhibits | Low Resourced Administrator | Enrollment Controls | Device Enrollment | Place Chrome device in team member organization | A user's organizational unit determines which services and features are available to that user. By putting all our temporary travel accounts into a specific team member organization designated for travel, we can set our travel team member permissions in that organizational unit once, instead of every time we create a new user. This also applies to solo team members who want to increase the ease of device setup and refreshing. | ||
40 | User | Supports | Low Resourced Administrator | Chrome Web Store | Chrome Web Store Homepage | Which private apps should be included in the collection? | Include all private apps and extensions from my domain. | Because we are restricting team members to a "travel" sub-organization we can segment any "internal" private apps used in daily business from the apps that are available during travel. This allows administrators to manage which apps are available simply by adding and/or removing them from the organization, and lets them avoid the extra step of adding those apps in this menu. When team members are given permission to publish private apps this can increase our attack surface. [See "Chrome Web Store Permissions"]. | |
41 | User | Supports | Low Resourced Administrator | Apps and Extensions | Force-installed Apps and Extensions | Manage force-installed apps | The auto-installation of these apps will also decrease the number of steps an administrator needs to worry about during the device setup process. | ||
42 | User | Inhibits | Low Resourced Administrator | Content | Cookies | Allow Cookies for URL Patterns | If you have a lot of team members, white/blacklisting in this way is going to be a LOT of work to cover all the convenience sites that your team members want. The workload can lead to overly restrictive policies because of an exhausted administrative staff. | ||
43 | User | Requires | Receptive and Trusted Admin/Security Team | Content | Cookies | Allow Cookies for URL Patterns | If you have a lot of team members, white/blacklisting in this way is going to be a LOT of work to cover all the convenience sites that your team members want. The workload can lead to overly restrictive policies because of an exhausted administrative staff. | ||
44 | User | Requires | Receptive and Trusted Admin/Security Team | Content | Cookies | Allow Session-Only Cookies for URL Patterns | You might create a VERY broad URL pattern for this to allow session cookies for large swaths of the internet when persistent cookies are otherwise blocked. Of course, as with the other cookie whitelists, if you have a lot of team members, white/blacklisting in this way is going to be a LOT of work to cover all the convenience sites that your team members want. The workload can lead to overly restrictive policies because of an exhausted administrative staff. | ||
45 | User | Requires | Receptive and Trusted Admin/Security Team | Content | Cookies | Default Cookie Setting | Keep cookies for the duration of the session | ||
46 | User | Requires | Receptive and Trusted Admin/Security Team | Content | Cookies | Default Cookie Setting | Never allow sites to set cookies | You don't want the internet to seem broken on these devices. Team members will quickly abandon them if it feels that way. | |
47 | User | Supports | Receptive and Trusted Admin/Security Team | Content | Google Drive Syncing | Enable Google Drive syncing | This, when used in the following travel document support use-case, can make the travel device far more useful for the traveler than it would be otherwise. Offline access to required documents is a very useful thing. Because we are creating travel accounts for these team members, you could use this to give the team member a space for storing non-sensitive travel documents that they need. The workflow I am thinking about is the administrator re-enabling the team member's travel account week(s) before their travel. They can then seed their Google Drive travel folder with the non-sensitive documents they want offline access to during their travel. On the day(s) before their travel, when they are given their Chromebook, it will automatically sync to their device. | ||
48 | User | Requires | Receptive and Trusted Admin/Security Team | Content | JavaScript | Allow These Sites to Run JavaScript | |||
49 | User | Requires | Receptive and Trusted Admin/Security Team | Content | JavaScript | JavaScript | Do not allow sites to run JavaScript | ||
50 | User | Requires | Receptive and Trusted Admin/Security Team | Content | Notifications | Allow These Sites to Show Desktop Notifications | |||
51 | User | Requires | Receptive and Trusted Admin/Security Team | Content | Notifications | Notifications | Do not allow sites to show desktop notifications | ||
52 | User | Requires | Receptive and Trusted Admin/Security Team | Content | Outdated Plugins | Disallow outdated plugins | |||
53 | User | Supports | Receptive and Trusted Admin/Security Team | Content | Plug-ins | Allow Plug-ins on These Sites | If there is a small group of folks that need Flash apps when they travel (I'm thinking of accountants and the hellish systems they are forced to use, or people who have to interact with government websites), I would use the "allow plug-ins on these sites" option to limit where Flash is allowed to run. Because it is soon to be deprecated, it makes sense to maintain this whitelist even if it is a bit onerous for your administrator. | ||
54 | User | Requires | Receptive and Trusted Admin/Security Team | Content | Plug-ins | Plug-ins | Block all plug-ins | ||
55 | User | Requires | Receptive and Trusted Admin/Security Team | Content | Pop-ups | Pop-ups | Block all pop-ups | Another place where blocking, even though these are commonly used maliciously, can be a huge inconvenience for the user. The few legitimate sites where pop-ups are a required part of the workflow should still be supported (e.g. financial sites, government sites, and all the other places that lag behind best practice due to onerous compliance regulations). | |
56 | User | Requires | Receptive and Trusted Admin/Security Team | Omnibox Search Provider | Omnibox Search Provider | Lock the Omnibox Search Provider settings to the values below | By choosing a search provider that is not liked by your team members (for functionality or privacy reasons) you will have just crippled the omnibox, forcing them into an alternative workflow to use a search they like. Remember, the omnibox is a convenience feature. A team member can go to whatever search engine they would like, just not from the omnibox. | ||
57 | User | Requires | Receptive and Trusted Admin/Security Team | Security | Geolocation | Always ask the team member if a site wants to detect their geolocation | |||
58 | User | Requires | Receptive and Trusted Admin/Security Team | Security | Geolocation | Do not allow sites to detect team members' geolocation | Geolocation is included in many websites because it is incredibly convenient. Disabling it entirely will likely encourage team members to circumvent this inconvenience by using other geolocation-enabled devices for apps and sites that benefit from geolocation (e.g. direction and map apps). | ||
59 | User | Requires | Receptive and Trusted Admin/Security Team | User Experience | DNS Pre-fetching | Never pre-fetch DNS | I don't think that not pre-fetching will impact the team member in any meaningful way. And, I feel like this is the kind of option that will be clicked on by a team member who is trying to get the internet running quicker without understanding how it impacts their risk model. | ||
60 | User | Requires | Receptive and Trusted Admin/Security Team | User Experience | Multiple Sign-in Access | Block multiple sign-in access for team members in this organization | Without multiple sign-in access a team member can still log out of their account and log back in with a different user. This merely allows them to have multiple team members logged in "without having to sign out of their account and sign back in to another". This one really depends on the workflow of your team members. | ||
61 | User | Requires | Receptive and Trusted Admin/Security Team | Verified Access | Verified Access | Enable for Enterprise Extensions | With this, team members lose the ability to connect to these services from their other devices. If a team member has a workflow that requires that they access services from other devices, you need to find a way to make it work or they will circumvent the security. | ||
62 | Device | Requires | Receptive and Trusted Admin/Security Team | Device Update Settings | Auto Update Settings | Auto reboot after updates | Allow auto-reboots | Auto-reboots can be really annoying if you have devices set to be ephemeral and a team member is in a long stretch of having their device on to work on something, and all of a sudden it is reset and all their local data and credentials are wiped. In this case it might make sense to have those team members on non-ephemeral devices, or to work with them on better workflows that support both ephemeral devices and long-term editing. But, either way, it can be annoying. | |
63 | Device | Supports | Receptive and Trusted Admin/Security Team | Device Update Settings | Release Channel | Move to Beta Channel | Admins should have some devices here to test apps. Team members with unique app/workflow needs should also be able to *test* apps here if they want to. But, the travel accounts should be on the stable channel, or user-configurable, by default. | ||
64 | Device | Supports | Receptive and Trusted Admin/Security Team | Device Update Settings | Release Channel | Move to Development Channel | Admins should have some devices here to test apps. Team members with unique app/workflow needs should also be able to *test* apps here if they want to. But, the travel accounts should be on the stable channel, or user-configurable, by default. | ||
65 | Device | Requires | Receptive and Trusted Admin/Security Team | Enrollment & Access | Disabled device return instructions | Custom text to display | This can be used to show strict proof of inaccess when a team member is traveling. Only do this if the team member will not need their device when traveling. Also, this will require a pre-determined process for unlocking the team member's device once they have arrived at their destination. | ||
66 | Device | Requires | Receptive and Trusted Admin/Security Team | Enrollment & Access | Verified Access | Enable for Enterprise Extensions | With this, team members lose the ability to connect to these services from their other devices. If a team member has a workflow that requires that they access services from other devices, you need to find a way to make it work or they will circumvent the security. | ||
67 | Device | Requires | Receptive and Trusted Admin/Security Team | Other | System timezone automatic detection | Always use coarse timezone detection | This uses the IP-only method of figuring out your local time zone. VPNs and Tor can cause problems here, so if you are having your team members use secure tunnels you will want to train team members about why it shows the wrong time, or just force never auto-detect timezone. | ||
68 | Device | Requires | Receptive and Trusted Admin/Security Team | Other | System timezone automatic detection | Never auto-detect timezone | The IP-only method of figuring out your local time zone can get messed up by VPNs and Tor. So if you are having your team members use secure tunnels, and are not comfortable with the Wi-Fi AP timezone mode, you will want to train team members about why it shows the wrong time, or just force never auto-detect timezone. | ||
69 | Device | Requires | Receptive and Trusted Admin/Security Team | Other | Time Zone | [All the timezones] | If you have a specific timezone that your team members want as a default, and the devices are being reset from some other location, this might make sense. I don't really see it though. | ||
70 | Device | Requires | Receptive and Trusted Admin/Security Team | Other | USB Detachable Whitelist | List of VID:PID pairs | This lets you whitelist USB devices that can be accessed directly by applications. By default, USB flash drives, webcams and headsets are not redirected to applications. So, in order to allow remote desktop or desktop virtualization software to run off of a specific piece of hardware, you have to approve that hardware in the interface. If you are going to be buying USB headsets for your staff to use when traveling, make sure you only get a few different kinds and then whitelist them here. | ||
71 | Device | Requires | Receptive and Trusted Admin/Security Team | Power & Shutdown | Power Management | Allow device to sleep/shut down when idle on the sign-in screen | This is great for ensuring that devices are secured after a certain period of idleness. But, if you are using ephemeral mode, or team members are relying on offline mode, etc., this can lead to big problems. So, be careful with this one. | ||
72 | Device | Requires | Receptive and Trusted Admin/Security Team | Power & Shutdown | Scheduled Reboot | Number of days before reboot; leave empty for unset | In the future this will be another way to thwart data that is left on team members' devices after they are confiscated, stolen, or lost. It has all the same drawbacks as well. It requires training your team members to expect it and understand why it is in place, making sure it fits with their workflows, and being receptive to changes in its frequency if it does interfere. (Currently, automatic reboots work only when the device is configured to be a Public Session kiosk and when the sign-in screen is being shown. For more information, see "How do I schedule a Chrome device to reboot?") | ||
73 | Device | Requires | Receptive and Trusted Admin/Security Team | Sign-in Settings | Guest Mode | Allow guest mode | With guest mode, team members will be presented with a device that does not contain any of the other security measures we have in place on team member accounts. With proper training on how to safely and anonymously use their devices and then remove the trail of data from that use, they can have the best of both worlds. | ||
74 | Device | Requires | Receptive and Trusted Admin/Security Team | Sign-in Settings | Sign-in Restriction | Do not allow any users to Sign-in | This would limit a significant amount of the controls we have put in place. So, no. Don't use this. | ||
75 | Device | Requires | Receptive and Trusted Admin/Security Team | Sign-in Settings | Sign-in Restriction | Do not allow any users to Sign-in | If a team member cannot login to their (Sanitized) personal accounts when needed it can lead to issues. | ||
76 | Device | Requires | Receptive and Trusted Admin/Security Team | Sign-in Settings | Team Member Data | Erase all local team member data | This is the ephemeral mode we have been talking about. It deletes all team member state between logins. It also means that any settings and/or configurations that are not hard-coded will have to be re-entered. This is a HUGE pain if the team member is using a lot of apps and does not have a password manager that is pre-configured on the device. | ||
77 | Device | Requires | Receptive and Trusted Admin/Security Team | User & Device Reporting | Device Reporting | Device State Reporting | Enable device state reporting | Allows you to keep track of the status of your devices. Most importantly, this one allows you to see if one of your team member devices has had its boot mode changed (one of the ways to compromise a Chromebook). By monitoring this you can quickly identify possible malicious behavior, alert the user, and, if they meant to change modes for some reason, make sure that if they need greater access you can support it in the future. | |
78 | Device | Supports | Receptive and Trusted Admin/Security Team | User & Device Reporting | Device Reporting | Device State Reporting | Enable device state reporting | Allows you to keep track of the status of your devices. Most importantly, this one allows you to see if one of your team member devices has had its boot mode changed (one of the ways to compromise a Chromebook). By monitoring this you can quickly identify possible malicious behavior, alert the user, and, if they meant to change modes for some reason, make sure that if they need greater access you can support it in the future. | |
79 | Device | Requires | Receptive and Trusted Admin/Security Team | User & Device Reporting | Device Reporting | Device Team Member Tracking | Enable tracking recent device users | Allows you to track team members on a device. This is a great way to build up an understanding of login needs early on, when you have not locked personal accounts from devices. You can use this information to survey team members who logged in with their personal accounts about what they needed to access those accounts for. This will allow you to figure out what kind of personal account support is needed. Note: team members will not be tracked if the device is configured to erase all local team member data. | |
80 | Device | Supports | Receptive and Trusted Admin/Security Team | User & Device Reporting | Device Reporting | Device Team Member Tracking | Enable tracking recent device users | Allows you to track team members on a device. This is a great way to build up an understanding of login needs early on, when you have not locked personal accounts from devices. You can use this information to survey team members who logged in with their personal accounts about what they needed to access those accounts for. This will allow you to figure out what kind of personal account support is needed. Note: team members will not be tracked if the device is configured to erase all local team member data. | |
81 | Device | Requires | Receptive and Trusted Admin/Security Team | User & Device Reporting | Inactive Device Notifications | Email addresses to receive notification reports | Email addresses to receive notification reports | Make sure that the people who see these know what they mean, and that there is redundancy in who has access so incidents don't get missed. | |
82 | Device | Requires | Receptive and Trusted Admin/Security Team | User & Device Reporting | Inactive Device Notifications | Inactive Device Notification Reports | Enable inactive device notifications | Helps your admin keep track of devices that are not in use. This is a way to identify if a team member is likely circumventing the controls that the device provides by using another device, if that team member may be in trouble (as indicated by their ceasing all work), or if a device has been stolen. | |
83 | Device | Supports | Receptive and Trusted Admin/Security Team | User & Device Reporting | Inactive Device Notifications | Inactive Device Notification Reports | Enable inactive device notifications | Helps your admin keep track of devices that are not in use. This is a way to identify if a team member is likely circumventing the controls that the device provides by using another device, if that team member may be in trouble (as indicated by their ceasing all work), or if a device has been stolen. | |
84 | User | Requires | Receptive and Trusted Admin/Security Team | Enrollment Controls | Enrollment Permissions | Allow users in this organization to enroll new or deprovisioned devices | It should be noted that a team member who purchases a Chromebook independently will often have to also purchase the "management license" for that Chromebook separately. If you are going to support team member enrollment, make sure you have clear, easy-to-follow guidance that will guide your team members through the steps required to prepare the device for enrollment. | ||
85 | User | Supports | Receptive and Trusted Admin/Security Team | Android applications | Access to Android applications | Allow | This may be useful for gaining initial adoption when you do not have the capacity to do an assessment of the app needs of all of your team members. | ||
86 | User | Inhibits | Security must not make the traveler ineffective | Hardware | Video Input | Disable video input | Make sure that your travelers do not need to use non-Google video apps to communicate with their partners, etc., when they are traveling. | ||
87 | User | Supports | Security must not make the traveler ineffective | Android applications | Android applications on Chrome devices | Allow | Adding Android applications opens up a range of possibilities for making the Chromebook more useful, usable, and more secure for your team members. It can also considerably increase the attack surface you have to contend with. When I considered this, I decided that increasing the utility of the device was more likely to build adoption and adherence to the security procedures. | ||
88 | Device | Supports | Security must not make the traveler ineffective | Device Update Settings | Auto Update Settings | Randomly scatter auto-updates over | [1-14] Day(s) | If you have multiple team members traveling together who are all using their own Chrome devices in a country with limited connectivity, scattering updates will limit the traffic spike of them all attempting to update at the same time. | |
89 | Device | Inhibits | Security must not make the traveler ineffective | Device Update Settings | Auto Update Settings | Randomly scatter auto-updates over | None | If you have multiple team members traveling together who are all using their own Chrome devices in a country with limited connectivity, scattering updates will limit the traffic spike of them all attempting to update at the same time. | |
90 | Device | Inhibits | Security must not make the traveler ineffective | Enrollment & Access | Disabled device return instructions | Custom text to display | This can be used to show strict proof of inaccess when a team member is traveling. Only do this if the team member will not need their device when traveling. Also, this will require a pre-determined process for unlocking the team member's device once they have arrived at their destination. | ||
91 | Device | Inhibits | Security must not make the traveler ineffective | Power & Shutdown | Power Management | Allow device to sleep/shut down when idle on the sign-in screen | This is great for ensuring that devices are secured after a certain period of idleness. But, if you are using ephemeral mode, or team members are relying on offline mode, etc., this can lead to big problems. So, be careful with this one. | ||
92 | Device | Inhibits | Security must not make the traveler ineffective | Sign-in Settings | Sign-in Restriction | Do not allow any users to Sign-in | This would limit a significant amount of the controls we have put in place. So, no. Don't use this. | ||
93 | User | Supports | Security must not make the traveler ineffective | User Experience | Bookmark Bar | Allow user to decide whether to enable bookmark bar | Chromebooks already have small screens. I would let the team member configure their bookmark bar as they wish. Consider other options for the visibility of proof of inaccess than this one. | ||
94 | User | Supports | Security must not make the traveler ineffective | User Experience | Bookmark Bar | Enable bookmark bar | Chromebooks already have small screens. I would let the team member configure their bookmark bar as they wish. Consider other options for the visibility of proof of inaccess than this one. | ||
95 | User | Supports | Security must not make the traveler ineffective | Apps and Extensions | Pinned Apps and Extensions | Manage pinned apps | Pinning apps that are common in team members' workflows will make it easier and quicker for a team member to adapt to the Chromebook workflow. | ||
96 | User | Supports | Self-Managed Considerations | Enrollment Controls | Device Enrollment | Place Chrome device in team member organization | This will make it far easier for self-managed groups to grow without providing everyone with an administrator account. By using this option the members can simply add their own devices and the administrators only have to worry about the apps to use, etc. | ||
97 | User | Inhibits | Self-Managed Considerations | Enrollment Controls | Enrollment Permissions | Do not allow team members in this organization to enroll new or deprovisioned devices | This option requires a greater amount of administrator availability to ensure that device enrollment does not impede the team's ability to add, and fully reset, devices during travel. | ||
98 | User | Inhibits | Self-Managed Considerations | Enrollment Controls | Asset Identifier During Enrollment | Team members in this organization can provide asset ID and location during enrollment | If you are an individual, you don't need to track who has what hardware. | ||
99 | User | Supports | Self-Managed Considerations | Enrollment Controls | Enrollment Permissions | Allow users in this organization to enroll new or deprovisioned devices | It should be noted that a team member who purchases a Chromebook independently will often have to also purchase the "management license" for that Chromebook separately. If you are going to support team member enrollment, make sure you have clear, easy-to-follow guidance that will guide your team members through the steps required to prepare the device for enrollment. | ||
100 | User | Supports | Self-Managed Considerations | Enrollment Controls | Enrollment Permissions | Allow users in this organization to enroll new or deprovisioned devices | Self-managed groups: This might make it easier for self-managed groups to increase the number of Chromebooks being used without providing everyone with an administrator account. By using this option the members can simply add their own devices and the administrators only have to worry about the apps to use, etc. | ||
101 | User | Supports | Support Personal Computing Needs | Hardware | Audio Input | Disable audio input | By disabling internal microphones you have greater assurance that the apps your team members are installing are not listening in on them at all times. This helps to lock down the device even if the team member installed a non-work-related app that attempts to listen to the environment. I gotta give Google's Chrome team some serious props for this one. When disabled, this won't allow any websites or applications to use the internal microphone. While surveillance-focused folks like myself would really like a hardware-based switch for audio and video on our personal devices, this is a powerful tool for providing wide-scale assurance that none of your staff have installed apps that are secretly listening in. | ||
102 | User | Inhibits | Support Personal Computing Needs | Hardware | Video Input | Disable video input | This removed the traveler's ability to use a webcam to chat with their loved ones unless they are using google hangouts. Depending upon how you support this, this would get in the way of many traveler's personal needs. | ||
103 | User | Requires | Support Personal Computing Needs | User Experience | Multiple Sign-in Access | Block multiple sign-in access for team member's in this organization | I also have concerns about having team member's signed in to their personal account and forgetting that their primary account is logged in. As such, my instinct would be to have it disabled to force the device to be a single-team member device. This will require supporting some level of personal account access, forwarding, and/or support on the travel devices. You can't expect a team member to not have any access to their personal accounts when traveling. | ||
104 | Device | Requires | Support Personal Computing Needs | Sign-in Settings | Sign-in Restriction | comma-delimited list of usernames | You can use *.YOURDOMAIN domain to limit across the board. Also important to take into consideration possible secondary google apps domains that your team member's might need to access, and keep separate from their current device, on their account. | ||
105 | Device | Requires | Support Personal Computing Needs | Sign-in Settings | Sign-in Restriction | Restrict Sign-in to list of users: | This will allow you to limit the ability for personal accounts to be used with these chromebooks. As with all other restrictions on team member capabilities this should be done after working with your team member's to identify an appropriate solution for meeting their personal computing needs during travel. | ||
106 | Device | Supports | Support Personal Computing Needs | User & Device Reporting | Device Reporting | Device team member Tracking | Enable tracking recent device user's | Allows you to track team member's on a device. This is a great way to build up an understanding of login needs early on when you have not locked personal accounts from devices. You can use this information to survey team member's who logged in with their personal accounts about what they needed to access those accounts for. This will allow you to figure out what kind of personal account support is needed. Note: team member's will not be tracked if the device is configured to erase all local team member data. | |
107 | User | Supports | Widely Dispersed Team | Chrome Web Store | Chrome Web Store Homepage | Chrome Web Store Homepage | Use a custom page, set below | The Chrome Web Store Recommendations can be a valuable tool. In distributed and/or largely independent team's it provides a simple portal for app recommendations for commonly requested mitigations. As a team member perceives their threat landscape changing around them they may decide to incorporate additional technical mitigations (such as VPN's, password managers, encrypted communications tools, etc.). The security team and/or administrators can seed the recommendations section with the apps that have been previously used and evaluated. | |
108 | User | Inhibits | Allow for Greater Security | Startup | Homepage | Homepage is always the new tab page | New tab page exposes commonly used websites. This is an information exposure vector that some travlers may not want. "If you sync your browsing history and have enabled its use in your Web & App activity, Google may suggest sites that relate to sites you have visited in the past." - https://www.google.com/intl/en/chrome/browser/privacy/whitepaper.html#NTP | ||
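Rows 104 to 106 above describe a procedure: first use device reporting to learn which accounts your team members actually sign in with, then build a comma-delimited sign-in restriction list that covers the primary domain plus any secondary Google Apps domains, and only then enforce it. The following is an added example (not part of the original sheet or any Google tooling) that dry-runs a proposed restriction list against a constructed set of recently seen accounts so you can see who would be locked out before flipping the switch. The entry syntax it accepts (exact addresses, or domain wildcards written as `*.domain` or `*@domain`) and the sample accounts are assumptions for illustration; check the Chrome admin help for the exact syntax your console expects.

```python
"""
Dry-run a proposed Chrome OS sign-in restriction list against the accounts
that device reporting has recently seen on your Chromebooks.

Added example; not the sheet's own content and not Google's tooling.
ASSUMED entry syntax for the comma-delimited list:
  - exact address:     contractor@partner.example
  - domain wildcard:   *.yourdomain.example   or   *@yourdomain.example
Wildcards match the exact domain only (no sub-domains).
"""
from __future__ import annotations

import re

# Loose shape check for an exact address entry (not full RFC 5322 validation).
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample: a proposed list covering the primary domain, a secondary
# G Suite domain (row 104's caveat), and one named contractor account.
ALLOWLIST = (
    "*.yourdomain.example, *@secondary.yourdomain.example, "
    "contractor@partner.example"
)

# Constructed sample: accounts that "Enable tracking recent device users"
# (row 106) might have recorded before the restriction is enforced.
RECENT_USERS = [
    "alice@yourdomain.example",
    "Alice@YourDomain.example",          # same person, different casing
    "dana@secondary.yourdomain.example",
    "contractor@partner.example",
    "bob@partner.example",               # not on the list
    "alice.personal@example.com",        # a personal account (row 105)
]


def parse_restriction_list(raw: str) -> tuple[set[str], set[str]]:
    """Split the comma-delimited list into (exact accounts, wildcard domains).

    Entries are trimmed and lower-cased; an entry that is neither a wildcard
    nor a plausible address raises ValueError so typos are caught before
    the list is pasted into the admin console.
    """
    exact: set[str] = set()
    domains: set[str] = set()
    for entry in raw.split(","):
        entry = entry.strip().lower()
        if not entry:
            continue
        if entry.startswith("*@") or entry.startswith("*."):
            domains.add(entry[2:])
        elif EMAIL_RE.match(entry):
            exact.add(entry)
        else:
            raise ValueError(f"unrecognised sign-in restriction entry: {entry!r}")
    return exact, domains


def sign_in_allowed(username: str, raw_list: str) -> bool:
    """True if `username` would pass the proposed restriction list."""
    exact, domains = parse_restriction_list(raw_list)
    user = username.strip().lower()
    if user in exact:
        return True
    if "@" not in user:
        return False
    return user.rsplit("@", 1)[1] in domains


def lockout_report(recent_users: list[str], raw_list: str) -> list[str]:
    """Accounts seen by device reporting that the list would block, de-duplicated
    case-insensitively and sorted so the output is stable for review."""
    seen = {u.strip().lower() for u in recent_users}
    return sorted(u for u in seen if not sign_in_allowed(u, raw_list))


if __name__ == "__main__":
    blocked = lockout_report(RECENT_USERS, ALLOWLIST)
    print("Accounts that would be locked out by the proposed list:")
    for account in blocked:
        print("  -", account)
```

Run it with a real export of recent users and your draft list before enforcing the restriction; each account it prints is someone to survey about their personal-account needs (row 106) rather than someone to silently cut off.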
Row | Term | Definition | Source |
---|---|---|---|
3 | Bookmark Bar | ||
4 | Chrome OS CA Certificates | ||
5 | Chrome Password Manager | Not a regular password manager... this is the chrome one. | |
6 | Chrome Plug-Ins | ||
7 | Client Certificate | ||
8 | Compatibility | How consistent the innovation is with the values, experiences, and needs of the potential adopters. | Diffusion of Innovation Theory |
9 | Complexity | How difficult the innovation is to understand and/or use. | Diffusion of Innovation Theory |
10 | Content Protection (Verified Mode) | ||
11 | Cookies | ||
12 | data compression proxy | ||
13 | Desktop Notifications | ||
14 | Device Enrollment | ||
15 | DNS Pre-fetching | ||
16 | Enterprise Extensions | ||
17 | Google Cloud Print | ||
18 | Google Drive Syncing | ||
19 | Guest Mode | ||
20 | Impact ↥ | ||
21 | Impact ↧ | ||
22 | incognito mode | ||
23 | IP-Only Timezone Identification | ||
24 | Kiosk Mode | ||
25 | Likelihood ↥ | ||
26 | Likelihood ↧ | ||
27 | local user data | ||
28 | Lock Screen | ||
29 | Logout | ||
30 | malicious sites | ||
31 | Managed Bookmarks | ||
32 | Multiple Sign-in Access | ||
33 | Observability | The extent to which the innovation provides tangible results. | Diffusion of Innovation Theory |
34 | OCSP/CRL | ||
35 | Omnibox Search Provider | ||
36 | Organizational Identity Provider (IdP) | ||
37 | persistent Cookies | ||
38 | Pinned apps | ||
39 | Private apps and extensions | ||
40 | Privilege Group | ||
41 | Proof Of Inaccess | The "proof of inaccess" mitigation is a set of smaller controls that are put in place to provide "proof" to a border guard that the Traveler only has access to the accounts they have provided and that they have no ability to regain access to those accounts without an external party (administrators, security team, etc.) intervening. | |
42 | Proxy | ||
43 | Public Session Kiosk | ||
44 | QUIC Protocol | ||
45 | Relative Advantage | The degree to which an innovation is seen as better than the idea, program, or product it replaces. | Diffusion of Innovation Theory |
46 | Remote Access Client | ||
47 | Remote Access Host | ||
48 | Restricted Mode on YouTube | ||
49 | Safe Browsing | ||
50 | Safe Search | ||
51 | SAML SSO Cookies | ||
52 | Search Suggest | ||
53 | Security Assertion Markup Language (SAML) | ||
54 | Sensitive Contacts | In-country people and organizations who, if officials knew they were connected to the Traveler and/or their activities during the trip, could suffer unacceptable impacts themselves or cause them to the trip. | |
55 | Sensitive Data | Data that could lead to unacceptable impacts for the team/organization, the travelers, their partners, or their beneficiaries. | |
56 | SHA-1 deprecation | ||
57 | Single App Kiosk | ||
58 | Single Sign-On (SSO) | ||
59 | Sleep | ||
60 | Smart Lock | ||
61 | SSL record splitting | ||
62 | Third-Party Cookies | ||
63 | TPM | ||
64 | Triability | The extent to which the innovation can be tested or experimented with before a commitment to adopt is made. | Diffusion of Innovation Theory |
65 | Unknown sources | ||
66 | USB VID:PID Pairs | ||
67 | Verified Access | ||
68 | Verified Mode | ||
69 | Verified Mode Boot | ||
70 | WebGL | ||
71 | WebRTC | ||
72 | WiFi AP Timezone API |
Row | Type | Needs Full Incorporation | Name | Link |
---|---|---|---|---|
3 | G Suite Settings | N/A | G Suite main settings index | |
4 | G Suite Settings | N/A | G Suite Device Settings menu | |
5 | G Suite Settings | N/A | G Suite Public Session Settings menu | |
6 | G Suite Settings | N/A | G Suite User Settings menu | |
7 | General Info | No | Chrome Device Deployment Guide | |
8 | General Info | No | Manage Chromebooks using Active Directory | |
9 | General Info | No | Mobile Device Management Help | |
10 | General Info | Yes | Chrome Device Settings Help | |
11 | General Info | Yes | Chrome User Settings Help | |
12 | General Info | No | Public Session Settings Help | |
13 | General Info | No | Android Application Settings Help | |
14 | General Info | No | Chromium OS Design Docs - Protecting Cached User Data | |
15 | General Info | No | Chromium OS Design Docs - Security Overview | |
16 | General Info | No | Chromium OS Design Docs - System Hardening | |
17 | General Info | No | Chromium OS Design Docs - Verified Boot | |
18 | General Info | No | Chromium OS Design Docs - Secure Web Proxy | |
19 | Citation | No | Group Policy Administrative Templates Catalog (Chrome) | |
20 | Citation | N/A | "Brazilian Court Orders Google To Remove 'Secret' App From The Play Store And Remotely Wipe It From Phones" | |
21 | Citation | Yes | Constraints: what they are and how they’re used | |
22 | Citation | Yes | Chrome Issue: Deprecate chrome://plugins | |
23 | Citation | N/A | CAPEC-195: Principal Spoof | |
24 | Citation | N/A | CAPEC-595: Connection Reset | |
25 | Citation | N/A | CAPEC-603: Blockage | |
26 | Citation | N/A | CAPEC-616: Establish Rogue Location | |
27 | Citation | N/A | CAPEC-89: Pharming | |
28 | Citation | N/A | CAPEC-98: Phishing | |
29 | Citation | N/A | Clever Badges | |
30 | Citation | Yes | Web Fundamentals: Chrome Notification Behavior | |
31 | Citation | N/A | dnstwist | |
32 | Citation | Yes | Client Side Loader Source Code for Safe Browsing on Chromium | |
33 | Citation | No | Choosing Strategy over Tactics | |
34 | Citation | Yes | [FAQ] "PUPs" - Potentially Unwanted Programs | |
35 | Citation | Yes | Additional domains FAQ | |
36 | Citation | No | Access another computer with Chrome Remote Desktop | |
37 | Citation | Yes | Twitter comments on why users might need to override malicious ID classification | |
38 | Citation | N/A | My Twitter | |
39 | Citation | No | Google Privacy Policy - Information we collect | |
40 | Citation | No | SANS Critical Security Controls | |
41 | Citation | Yes | X.509 Name Constraints certificate extension – all you should know | |
42 | Citation | Yes | SHA-1 Certificates in Chrome | |
43 | General Info | No | Google Chrome Privacy Whitepaper | |
44 | Citation | Yes | Copilot HTTPS and the QUIC protocol | |
45 | Citation | Yes | Chrome Security FAQ | |
46 | Citation | Yes | How private browsing works | |
47 | Citation | No | Technical analysis of client identification mechanisms | |
48 | Citation | Yes | OCSP: Check For Server Certificate Revocation checkbox is confusing | |
49 | General Info | No | Google Safe Browsing | |
50 | Citation | Yes | Turks detained for using encrypted app 'had human rights breached' | |
51 | Citation | Yes | Turkey coup plotters' use of 'amateur' app helped unveil their network | |
52 | Citation | Yes | DHS proposes to add request for social media identifiers to ESTA and to Form I-94W: | |
53 | Citation | Yes | Illustrative List Of Overregulation Of Non Profit Organizations (Iv. Limitation To The Right To Communication And Cooperation) | |
54 | Citation | Yes | Defending Civil Society Report | |
55 | General Info | Yes | Security Brag Sheet | |
56 | General Info | Yes | Chrome Sandbox | |
57 | General Info | Yes | Chrome-specific security education documentation | |
58 | General Info | Yes | Technical analysis of client identification mechanisms | |
59 | General Info | Yes | Chrome Extensions: Threat Analysis and Countermeasures | |
60 | General Info | Yes | The Security Architecture of the Chromium Browser | |
61 | General Info | Yes | Protecting Cached User Data | |
696 | ||||
697 | ||||
698 | ||||
699 | ||||
700 | ||||
701 | ||||
702 | ||||
703 | ||||
704 | ||||
705 | ||||
706 | ||||
707 | ||||
708 | ||||
709 | ||||
710 | ||||
711 | ||||
712 | ||||
713 | ||||
714 | ||||
715 | ||||
716 | ||||
717 | ||||
718 | ||||
719 | ||||
720 | ||||
721 | ||||
722 | ||||
723 | ||||
724 | ||||
725 | ||||
726 | ||||
727 | ||||
728 | ||||
729 | ||||
730 | ||||
731 | ||||
732 | ||||
733 | ||||
734 | ||||
735 | ||||
736 | ||||
737 | ||||
738 | ||||
739 | ||||
740 | ||||
741 | ||||
742 | ||||
743 | ||||
744 | ||||
745 | ||||
746 | ||||
747 | ||||
748 | ||||
749 | ||||
750 | ||||
751 | ||||
752 | ||||
753 | ||||
754 | ||||
755 | ||||
756 | ||||
757 | ||||
758 | ||||
759 | ||||
760 | ||||
761 | ||||
762 | ||||
763 | ||||
764 | ||||
765 | ||||
766 | ||||
767 | ||||
768 | ||||
769 | ||||
770 | ||||
771 | ||||
772 | ||||
773 | ||||
774 | ||||
775 | ||||
776 | ||||
777 | ||||
778 | ||||
779 | ||||
780 | ||||
781 | ||||
782 | ||||
783 | ||||
784 | ||||
785 | ||||
786 | ||||
787 | ||||
788 | ||||
789 | ||||
790 | ||||
791 | ||||
792 | ||||
793 | ||||
794 | ||||
795 | ||||
796 | ||||
797 | ||||
798 | ||||
799 | ||||
800 | ||||
801 | ||||
802 | ||||
803 | ||||
804 | ||||
805 | ||||
806 | ||||
807 | ||||
808 | ||||
809 | ||||
810 | ||||
811 | ||||
812 | ||||
813 | ||||
814 | ||||
815 | ||||
816 | ||||
817 | ||||
818 | ||||
819 | ||||
820 | ||||
821 | ||||
822 | ||||
823 | ||||
824 | ||||
825 | ||||
826 | ||||
827 | ||||
828 | ||||
829 | ||||
830 | ||||
831 | ||||
832 | ||||
833 | ||||
834 | ||||
835 | ||||
836 | ||||
837 | ||||
838 | ||||
839 | ||||
840 | ||||
841 | ||||
842 | ||||
843 | ||||
844 | ||||
845 | ||||
846 | ||||
847 | ||||
848 | ||||
849 | ||||
850 | ||||
851 | ||||
852 | ||||
853 | ||||
854 | ||||
855 | ||||
856 | ||||
857 | ||||
858 | ||||
859 | ||||
860 | ||||
861 | ||||
862 | ||||
863 | ||||
864 | ||||
865 | ||||
866 | ||||
867 | ||||
868 | ||||
869 | ||||
870 | ||||
871 | ||||
872 | ||||
873 | ||||
874 | ||||
875 | ||||
876 | ||||
877 | ||||
878 | ||||
879 | ||||
880 | ||||
881 | ||||
882 | ||||
883 | ||||
884 | ||||
885 | ||||
886 | ||||
887 | ||||
888 | ||||
889 | ||||
890 | ||||
891 | ||||
892 | ||||
893 | ||||
894 | ||||
895 | ||||
896 | ||||
897 | ||||
898 | ||||
899 | ||||
900 | ||||
901 | ||||
902 | ||||
903 | ||||
904 | ||||
905 | ||||
906 | ||||
907 | ||||
908 | ||||
909 | ||||
910 | ||||
911 | ||||
912 | ||||
913 | ||||
914 | ||||
915 | ||||
916 | ||||
917 | ||||
918 | ||||
919 | ||||
920 | ||||
921 | ||||
922 | ||||
923 | ||||
924 | ||||
925 | ||||
926 | ||||
927 | ||||
928 | ||||
929 | ||||
930 | ||||
931 | ||||
932 | ||||
933 | ||||
934 | ||||
935 | ||||
936 | ||||
937 | ||||
938 | ||||
939 | ||||
940 | ||||
941 | ||||
942 | ||||
943 | ||||
944 | ||||
945 | ||||
946 | ||||
947 | ||||
948 | ||||
949 | ||||
950 | ||||
951 | ||||
952 | ||||
953 | ||||
954 | ||||
955 | ||||
956 | ||||
957 | ||||
958 | ||||
959 | ||||
960 | ||||
961 | ||||
962 | ||||
963 | ||||
964 | ||||
965 | ||||
966 | ||||
967 | ||||
968 | ||||
969 | ||||
970 | ||||
971 | ||||
972 | ||||
973 | ||||
974 | ||||
975 | ||||
976 | ||||
977 | ||||
978 | ||||
979 | ||||
980 | ||||
981 | ||||
982 | ||||
983 | ||||
984 | ||||
985 | ||||
986 | ||||
987 | ||||
988 | ||||
989 | ||||
990 | ||||
991 | ||||
992 | ||||
993 | ||||
994 | ||||
995 | ||||
996 | ||||
997 |
TODO List

1. Requirements was added as a data set after I did the initial configuration walk-through. As such, all configuration options still need to be examined in relation to the requirements.
2. Go through each mitigation and check it against the entire list of possible controls. I've missed a bunch of connections.
3. Add network shutdown threats related to having the Chromebook delete all local information.
4. Add phishing threats for items before "Security, Safe Browsing, Always enable Safe Browsing".
5. Add the threat "Traveler Circumvents Mitigations" for items before "Security, Geolocation, Allow sites to detect team members' geolocation".
6. Add the mitigation "Receptive and Trusted Admin/Security Team" for items before "Security, Geolocation, Allow sites to detect team members' geolocation". This should be added to all controls that will impede the team member's workflow. (Use the "Traveler Circumvents Mitigations" threat as a guide for later items that were missed.)
7. Add the threat "website fingerprinting" for items before "Content, 3D Content, Always allow display of 3D content".
8. QUESTION: can we change the organization a team member is in, and therefore their device's configuration, without access to the device? Is it easy enough that a team member could re-enroll their device once we have changed their group?
9. Add the "Needs Assessment (Apps)" "required" mitigation to ALL whitelisting and blacklisting items.
10. Add the "Supports" "Receptive and Trusted Admin/Security Team" mitigation in places where there are identified edge cases that an administrator should watch out for and communicate to their team members, so that they show the receptiveness and build the trust that they need. (Do this across the board.)
11. Add "requires" "threat intel feeds" for any blacklists once you have done whitelists and blacklists.
12. Add a mitigation element about allowing team members to obtain greater privacy from Google on items that send additional data to Google (e.g. the spell-checking web service). Not the purpose of this exercise, but just nice.
13. Add Google, MLATs, and company data collection, from both a privacy and a security standpoint, to the assumptions section so that it is not included in every mitigation and threat item. :D Like many other information leaks in Chrome, the info from these individual points (printing, spell checking) is each a very specific aspect of a threat model.
14. Add target-specific options in "settings - threat".
15. Have the comments on how each threat impacts the threat context from "threat context comments" populate the items and chart in "threat context".
16. Add the "Inhibits Low Resourced Administrator" requirement to all whitelist mitigations.
17. Add the "Inhibits Self-Managed Considerations" requirement to all whitelist mitigations.
18. The use-case columns need to be removed from the "[X] - settings" pages now that the "self-managed considerations" requirement has been added. But simply removing them will break lots of QUERY calls all over the place. A full review of all queries needs to be done after the column is removed.
19. Move all Chromebook-setting-specific mitigations out of mitigations and into the settings. If a larger mitigation is missing, add it to the mitigations.
20. Clean up mitigation language.
21. Add the new user settings (Single Sign-On Online Login Frequency) and (Single Sign-On) to the configuration options. [Also, did these appear because I upgraded to device management?]
22. Proof of inaccess items (icon, wallpaper, homepage, page to load on startup,
23. Look into the notification "Multiple sign-in will be disabled for users where SSL-inspecting certs are in effect" that occurs when you disable multiple sign-in access. What does that mean?
24. Rework the "user settings" considerations for the option "sign in keyboards" to reflect that you can create an ordered list. This means you can support a wide range of languages. This is not the default; it opens up access.
25. Make a note that Android apps have to be added in the "app management interface in a horrible way" (https://admin.google.com/AdminHome#ChromeAppList).
26. Add a subscriber for when apps we have approved request new permissions.
27. Explore whether Android apps can be added to the "recommended apps" section.
28. Check out how the Android app "Custom configuration" option for admins works. Can I actually load a custom config file for my team with VPN credentials, Umbrella guides, etc.?
29. Check out SAML IdP / SSO, Secure Tunnels and other services I might want in regards to Custom Configuration, i.e. can I pre-configure VPN access for my team directly from the admin interface so they don't have to?
30. TODO: Add a "recovery codes" mitigation for non-Google accounts (i.e. social media, email, etc.) so the security team can lock down accounts if a team member is detained.
31. Create example "proof of inaccess" backgrounds, icons, etc.
32. Evaluate whether public kiosks could be useful for completely non-logged-in sessions for users in high-risk environments.
33. USER SETTING -> "Chrome Web Store, Chrome Web Store Permissions, Allow users to skip verification for websites not owned": I think this is turning off the harmful app detection warnings in Google Play... I should do some testing to check though. https://support.google.com/googleplay/android-developer/answer/2992033?hl=en
34. USER SETTING -> "Security, Idle Settings": all of these workflows need to be run through to get correct guidance on how they work and feel.
35. Sit down with the Chrome design documents and use them to add/modify threat/mitigation impacts.
36. Sit down with the Google Chrome privacy whitepaper and use it to add/modify threat/mitigation impacts: https://www.google.com/intl/en/chrome/browser/privacy/whitepaper.html
37. Sit down with the Chrome Security FAQ: https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md
38. Explore site isolation.
39. Chrome browser profiles offer no additional security: "Because the data for all users which have been used for an instance of Chrome are associated with a single operating system identity, there is no expectation of special privacy. That is, there is no additional encryption of preferences and settings on the local machine other than that which already exists for user data directories in Chrome. Obviously, a password is needed to log in to a specific Chrome identity on the browser. However, no additional protection for the user data directories is planned. On Mac OS X, in fact, because passwords are stored in the commonly accessible keychain, it will be possible for a user in one account to access the passwords that have been stored on that machine by a user with another account." (source: https://www.chromium.org/user-experience/multi-profiles)
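One of the items above asks for a subscriber that fires when an app the team has already approved starts requesting new permissions. The core of such a monitor is a diff of the permission-granting keys in the extension's manifest.json against the copy the security team signed off on. The Python below is an added example written for these notes, not code from the spreadsheets or from Google. The two manifests in it are constructed for illustration, and the list of "broad" host patterns and the rule that any added permission requires re-review are assumptions about policy, not something the notes specify.

```python
"""Detect when an already-approved Chrome extension starts asking for new
permissions, by diffing its manifest.json against the approved copy.

Added example for the Chromebook administration notes; not project code.
The two manifests below are constructed for illustration.  A real monitor
would fetch the current manifest (from the Chrome Web Store listing or the
unpacked .crx) on every version bump and feed it to diff_permissions().
"""
import json

# Manifest keys that grant capability (covers both MV2 and MV3 layouts).
PERMISSION_KEYS = ("permissions", "optional_permissions",
                   "host_permissions", "optional_host_permissions")

# Host patterns that amount to "every site the user visits" (assumed policy).
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed sample: the manifest the security team reviewed and approved.
APPROVED_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "Team Password Helper",
  "version": "1.4.0",
  "permissions": ["storage", "activeTab"],
  "host_permissions": ["https://vault.example.org/*"]
}""")

# Constructed sample: the next published version of the same extension.
CANDIDATE_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "Team Password Helper",
  "version": "1.5.0",
  "permissions": ["storage", "activeTab", "tabs", "webRequest"],
  "optional_permissions": ["clipboardRead"],
  "host_permissions": ["<all_urls>"]
}""")


def permission_sets(manifest):
    """Return {key: set_of_permissions} for every permission-granting key.
    Keys absent from the manifest map to empty sets, so an MV2 manifest
    (host patterns inside "permissions") diffs cleanly against an MV3 one."""
    return {key: set(manifest.get(key, ())) for key in PERMISSION_KEYS}


def diff_permissions(approved, candidate):
    """Compare a candidate manifest against the approved one.

    Returns the per-key added/removed permissions, any newly requested
    broad host patterns, and whether re-review is required.  Removals
    never trigger review on their own; any addition does (assumed policy)."""
    old, new = permission_sets(approved), permission_sets(candidate)
    added = {k: sorted(new[k] - old[k]) for k in PERMISSION_KEYS}
    removed = {k: sorted(old[k] - new[k]) for k in PERMISSION_KEYS}
    broad = sorted({p for k in PERMISSION_KEYS for p in added[k]
                    if p in BROAD_HOST_PATTERNS})
    return {
        "name": candidate.get("name", "?"),
        "version": (approved.get("version"), candidate.get("version")),
        "added": added,
        "removed": removed,
        "broad_host_access": broad,
        "review_required": any(added.values()),
    }


def format_report(report):
    """Render the diff as the text an admin would want in a notification."""
    old_v, new_v = report["version"]
    lines = [f'{report["name"]}: {old_v} -> {new_v}']
    for key in PERMISSION_KEYS:
        for perm in report["added"][key]:
            lines.append(f"  + {key}: {perm}")
        for perm in report["removed"][key]:
            lines.append(f"  - {key}: {perm}")
    if report["broad_host_access"]:
        lines.append("  ! broad host access requested: "
                     + ", ".join(report["broad_host_access"]))
    lines.append("  REVIEW REQUIRED" if report["review_required"]
                 else "  no new permissions")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(diff_permissions(APPROVED_MANIFEST, CANDIDATE_MANIFEST)))
```

Run stand-alone it prints the report for the constructed pair: the new `tabs` and `webRequest` permissions, the optional `clipboardRead`, and the swap of the narrow vault host pattern for `<all_urls>`, which is exactly the scope widening a whitelist built on a "Needs Assessment (Apps)" review is meant to catch. Permissions that were dropped are listed but do not by themselves require re-review.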