Full Report
Google is rolling out a change to Chromium that "de-elevates" Google Chrome so it does not run as an administrator to increase security in Windows. [...]
Analysis Summary
# Best Practices: Preventing Browser Launch with Elevated Privileges
## Overview
These practices focus on mitigating significant security risks associated with running web browsers, specifically Google Chrome and Microsoft Edge, with administrative (elevated) privileges. Running a browser as an administrator allows any downloaded file or executed content to inherit full system access, drastically increasing the potential impact of malware or accidental execution of malicious code.
## Key Recommendations
### Immediate Actions
1. **Audit Current User Launch Methods:** Identify all current processes and scripts that launch Google Chrome or Microsoft Edge using administrative or elevated privileges.
2. **Educate Users Immediately:** Inform all end-users that launching the browser with Administrator rights is a severe security risk that grants downloaded content full system access, and instruct them to stop doing so immediately.
### Short-term Improvements (1-3 months)
1. **Implement Automatic De-Elevation (If Applicable):** Ensure systems are configured to leverage the new Chromium feature that automatically attempts to relaunch the browser without elevated permissions upon detection.
2. **Review Automation Requirements:** For any automated tools or testing environments that legitimately require elevated browser launches, explicitly utilize the command-line switch to bypass the new automatic de-elevation feature to prevent infinite launch loops.
### Long-term Strategy (3+ months)
1. **Enforce Principle of Least Privilege (PoLP):** Implement system-wide policies to restrict standard users from having administrative rights, thereby preventing them from initiating elevated browser sessions in the first place.
2. **Centralized Browser Management:** Utilize group policies or configuration management tools to standardize browser settings and actively monitor for signs of forced elevated launches across the organization.
## Implementation Guidance
### For Small Organizations
- Direct end-users to always use standard shortcuts for launching Chrome/Edge.
- Manually check common workstations to ensure desktop shortcuts or startup items are not configured to "Run as administrator."
- If using Windows Group Policy (GPO), configure settings to prevent shortcuts from having elevated permissions.
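The manual shortcut check above can be scripted. This added example (not part of the original report) reads the `RunAsUser` bit in each `.lnk` header, which the shortcut's "Run as administrator" checkbox sets; `make_lnk` builds constructed test input, and matching the browser name anywhere in the file is a heuristic assumption.

```python
import struct
from pathlib import Path

# MS-SHLLINK ShellLinkHeader: HeaderSize (4 bytes), LinkCLSID (16), LinkFlags (4), ...
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
RUN_AS_USER = 0x00002000  # LinkFlags bit set by the "Run as administrator" checkbox
BROWSERS = ("chrome.exe", "msedge.exe")


def lnk_runs_as_admin(data: bytes) -> bool:
    """True if the shell link header carries the RunAsUser flag."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a shell link header")
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a shell link")
    return bool(flags & RUN_AS_USER)


def mentions_browser(data: bytes) -> bool:
    """Heuristic: the target path is stored as ANSI or UTF-16LE text in the file."""
    low = data.lower()
    return any(n.encode("ascii") in low or n.encode("utf-16-le") in low
               for n in BROWSERS)


def audit_shortcuts(root: Path) -> list[str]:
    """Names of browser shortcuts under root that request elevation."""
    hits = []
    for lnk in sorted(root.rglob("*.lnk")):
        data = lnk.read_bytes()
        try:
            if lnk_runs_as_admin(data) and mentions_browser(data):
                hits.append(lnk.name)
        except ValueError:
            continue  # not a valid shell link, skip it
    return hits


def make_lnk(flags: int, target: str) -> bytes:
    """Constructed sample: bare header plus target text, not a complete .lnk."""
    header = struct.pack("<I16sI", HEADER_SIZE, LINK_CLSID, flags)
    return header.ljust(HEADER_SIZE, b"\0") + target.encode("utf-16-le")
```

The "Run this program as an administrator" setting on the Compatibility tab is stored in the registry (`AppCompatFlags\Layers`, value `RUNASADMIN`) rather than in the shortcut, so it needs a separate check.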
### For Medium Organizations
- Deploy configuration updates (once fully released and stable) to enforce automatic de-elevation across standard user profiles.
- Use endpoint detection and response (EDR) systems to alert administrators when Chrome or Edge processes start with the `SeTcbPrivilege` or equivalent elevated tokens.
### For Large Enterprises
- **Leverage Configuration Management:** Deploy configuration changes via SCCM, Intune, or equivalent tools specifically targeting browser executable properties to prevent "Run as administrator" from being enabled by default or via user preference.
- **Integrate De-Elevation Testing:** Before full rollout, thoroughly test automated tools that rely on elevated browser access to ensure they correctly leverage the `--do-not-de-elevate` switch or are restructured to operate without elevated privileges.
- **Process Monitoring:** Implement strong process monitoring to detect and terminate any process attempting to launch Chrome/Edge elevated, unless explicitly exempted via documented procedures.
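The monitoring described for medium and large organizations can be prototyped as a triage rule over process-creation telemetry. This added example (not part of the original report) assumes Sysmon Event ID 1 records exported as JSON lines and uses the `IntegrityLevel` field as the elevation signal; the sample events and the approved parent path are constructed.

```python
import json
import ntpath

BROWSERS = {"chrome.exe", "msedge.exe"}
ELEVATED = {"High", "System"}  # Sysmon IntegrityLevel values for elevated tokens
BYPASS_SWITCH = "--do-not-de-elevate"
# Assumption: parent images documented as approved automation (hypothetical path).
APPROVED_PARENTS = {r"c:\ci\agent\runner.exe"}

# Constructed sample records using Sysmon Event ID 1 (ProcessCreate) field names.
SAMPLE_EVENTS = r'''
{"ProcessId": 4012, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "CommandLine": "chrome.exe", "IntegrityLevel": "High", "ParentImage": "C:\\Windows\\explorer.exe"}
{"ProcessId": 5120, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "CommandLine": "chrome.exe --do-not-de-elevate --headless", "IntegrityLevel": "High", "ParentImage": "C:\\CI\\agent\\runner.exe"}
{"ProcessId": 6200, "Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "CommandLine": "msedge.exe --do-not-de-elevate", "IntegrityLevel": "High", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"ProcessId": 7300, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "CommandLine": "chrome.exe", "IntegrityLevel": "Medium", "ParentImage": "C:\\Windows\\explorer.exe"}
{"ProcessId": 8400, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe", "IntegrityLevel": "High", "ParentImage": "C:\\Windows\\explorer.exe"}
'''


def classify(ev: dict) -> str:
    """Return 'ignore', 'elevated', 'exempt' or 'unapproved-bypass'."""
    if ntpath.basename(ev["Image"]).lower() not in BROWSERS:
        return "ignore"
    if ev.get("IntegrityLevel") not in ELEVATED:
        return "ignore"
    args = ev.get("CommandLine", "").split()
    # Chromium child processes carry --type=...; only the browser process matters.
    if any(a.startswith("--type=") for a in args):
        return "ignore"
    if BYPASS_SWITCH in args:
        approved = ev.get("ParentImage", "").lower() in APPROVED_PARENTS
        return "exempt" if approved else "unapproved-bypass"
    return "elevated"  # elevated launch without the bypass switch


def triage(jsonl: str) -> list[tuple[int, str]]:
    """(ProcessId, verdict) for every browser launch that needs attention."""
    out = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        verdict = classify(ev)
        if verdict != "ignore":
            out.append((ev["ProcessId"], verdict))
    return out


if __name__ == "__main__":
    for pid, verdict in triage(SAMPLE_EVENTS):
        print(pid, verdict)
```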
## Configuration Examples
**1. Preventing Infinite De-elevation Loops (For Automated Systems)**
When a process needs to run the browser elevated (e.g., automated security testing), use the following command-line switch after the initial attempted de-elevation:
```bash
chrome.exe --do-not-de-elevate
```
*Note: This switch should ONLY be used for processes where automatic de-elevation is confirmed to cause failure or looping, ensuring standard user launches are not affected.*
## Compliance Alignment
- **NIST SP 800-53 (AC-6):** Accountability and Authorization (Least Privilege) – Restricting user application access to system resources.
- **CIS Benchmark for Web Browsers (Specific Control areas):** Focus on configurations that manage application execution context and integrity.
- **ISO/IEC 27001 (A.9.2.5):** Access Control to applications and systems – Ensuring only authorized and necessary privileges are granted to running processes.
## Common Pitfalls to Avoid
- **Ignoring Legacy Tools:** Failing to scan for and update internal applications or scripts (especially in CI/CD pipelines or testing environments) that rely on launching the browser elevated.
- **Assuming Updates Fix Everything:** Relying solely on Google/Microsoft to implement the fix without verifying that execution or endpoint protection policies still in place do not override the browser's settings.
- **Not Handling Automation:** Failing to account for the `--do-not-de-elevate` switch, which can cause essential security and testing automation tools to fail deployment or enter unusable launch loops.
## Resources
- **Chromium Commit Log:** Reference the underlying code changes submitted by Microsoft developers implementing the de-elevation logic.
- **Microsoft Edge Security Documentation:** Review past documentation regarding the elevation handling implemented in Edge, as the Chrome feature is based on those existing changes.
- **Local Security Policy Editor (gpedit.msc):** Utilize this tool to manage default application execution privileges for standard user accounts.