Security-oriented users who need to harden their Chromebooks
This isn't for everyone. However, I figured it could help some users needing additional security (like journalists).
Phase 1: Attack Surface Reduction
- Remove all Play Store Apps:
  - Open Settings (Gear Icon).
  - On the left menu, click Apps.
  - Click Manage Google Play Preferences.
  - Click Turn Off.
Phase 2: Account & Login Hardening (Disable Guest Browsing)
- Restrict signing onto device to only you:
  - Go to Settings > Privacy and security > Manage other people.
  - Turn off Enable Guest Browsing.
  - Turn on Restrict sign-in to the following users and ensure only your account is listed.
- Require Password on wake:
  - Go to Settings > Privacy and security > Screen lock.
  - Toggle on Show lock screen when waking from sleep.
Phase 3: Network & Browser Hardening
- Enable Secure DNS:
  - Go to Settings > Privacy and security > Security.
  - Toggle on Use secure DNS.
  - Select Add custom DNS service provider.
  - Type in “https://dns.quad9.net/dns-query”.
  - Verify it is working by visiting “on.quad9.net”. If it says Yes then you are now using military-grade encrypted DNS.
- Force HTTPS Encryption:
  - Go to Settings > Privacy and security > Security.
  - Toggle on Always use secure connection.
- Strict Cookie Blocking:
  - Go to Settings > Privacy and security > Third-party cookies.
  - Select Block third-party cookies.
  - Toggle on Send a ‘Do Not Track’ request.
Phase 4: OS Hardening
- Disable Linux:
  - Go to Settings > Advanced > Developers > Linux development environment and click Remove.
Phase 5: Browser-Only VPN
- Open Chrome and visit the Chrome Web Store.
- Search for Proton VPN.
- Click Add to Chrome.
- Pin the extension.
- Go to https://dnsleaktest.com to test if it is working.
Phase 6: From safe search to enhanced protection
- Go to Settings > Privacy and security > Security.
- Click Enhanced Protection.
Phase 7: Managing extensions (Chromebook Recovery Utility, Password Alert, Proton VPN)
- Type chrome://extensions into the address bar and press Enter.
Phase 8: Turn on “Ask Every Time” for downloads.
- Open Chrome and click the three-dot menu (⋮) in the top right.
- Select Settings.
- In the left sidebar, click Downloads.
- Toggle the switch for “Ask where to save each file before downloading” to the ON position.
Phase 9: Disable Bluetooth
- Go to Settings > Bluetooth > toggle OFF.
Phase 10: Block Protected Content Identifiers
- Go to Settings > Privacy and security > Site Settings > Additional content settings > Protected content IDs > select Don’t allow sites to use identifiers to play protected content.
Phase 11: Disable “Preload pages”
- Go to Settings > Performance and turn Preload pages Off.
Phase 12: Enable Site Isolation
- Go to chrome://flags > search Strict-Origin-Isolation > select Enabled.
Phase 13: Anonymize local IPs
- Go to chrome://flags > search webrtc-hide-local-ips-with-mdns > select Enabled.
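
A way to check that the Phase 13 flag took effect, as an added example that is not part of the original guide: with local IPs hidden, WebRTC host candidates should carry a `.local` mDNS name instead of a private address. The function names and the sample candidate lines are assumptions made for this illustration; `gatherOwnCandidates` only works in a browser (for instance the DevTools console), the rest runs anywhere.

```javascript
// Constructed sample candidate lines (not from a real device); all function names are illustrative.
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2113937151 6f0c2a1e-3b7d-4c55-9e21-8a4d5b7c9f10.local 54321 typ host",
  "candidate:2 1 udp 2113937151 192.168.1.23 54322 typ host",
  "candidate:3 1 udp 1677729535 203.0.113.7 61000 typ srflx raddr 0.0.0.0 rport 0",
];

// True for RFC 1918, loopback and link-local IPv4, and IPv6 fe80::/10 or fc00::/7.
function isPrivateAddress(addr) {
  const m = addr.match(/^(\d+)\.(\d+)\.\d+\.\d+$/);
  if (m) {
    const a = Number(m[1]), b = Number(m[2]);
    return a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168) || (a === 169 && b === 254);
  }
  return addr.includes(":") && /^(fe[89ab]|f[cd])/i.test(addr);
}

// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
function classifyCandidate(line) {
  const f = line.replace(/^a=/, "").trim().split(/\s+/);
  if (f.length < 8 || !f[0].startsWith("candidate:") || f[6] !== "typ") {
    return { verdict: "unparsed", line };
  }
  const address = f[4], type = f[7];
  let verdict = "host-other";                    // host candidate with a public address
  if (type !== "host") verdict = "not-local";    // srflx/relay carry a public or relay address
  else if (address.toLowerCase().endsWith(".local")) verdict = "hidden-mdns";
  else if (isPrivateAddress(address)) verdict = "local-ip-exposed";
  return { verdict, type, address };
}

function auditCandidates(lines) {
  const results = lines.map(classifyCandidate);
  return { results, leaksLocalIp: results.some(r => r.verdict === "local-ip-exposed") };
}

// Browser-only helper: collect this browser's own candidates (no STUN server configured).
async function gatherOwnCandidates(waitMs = 2000) {
  const pc = new RTCPeerConnection();
  const lines = [];
  pc.onicecandidate = e => { if (e.candidate) lines.push(e.candidate.candidate); };
  pc.createDataChannel("probe");
  await pc.setLocalDescription(await pc.createOffer());
  await new Promise(resolve => setTimeout(resolve, waitMs));
  pc.close();
  return lines;
}
console.log(auditCandidates(SAMPLE_CANDIDATES));
```

In a browser, `gatherOwnCandidates().then(auditCandidates)` should report `leaksLocalIp: false` once the flag is enabled and Chrome has been restarted.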
Phase 14: Limiting the V8 optimizer
- Go to Chrome Settings > Privacy and security > Site Settings > Additional Content Settings > JavaScript optimization & security > select Don’t allow sites to use the V8 optimizer.
Phase 15: Sign up to Google's Advanced Protection Program.
- Go to Google's Advanced Protection Program page and sign up.
- Use hardware security keys.
Notes:
Keep the Chromebook updated.
Reboot the Chromebook on a regular basis.
Use a privacy screen cover.