How To Deploy AdBlocker for Enterprise
Learn how to deploy ad-blocking software to your computers in order to protect your users from malvertising.
Rolling out ad blockers to my organization (300+ endpoints) has reduced our web infection rate by ~80%, slightly reduced our outbound traffic peaks and improved user experience. It's a win all around expect for the small businesses and writers who rely on advertising for income, but unfortunately malvertising has become “a very real threat” that SMB's must defend their employees against.
In this article I will teach you how to deploy AdBlock to your users which will not only block ads but also coin miners and other types of Malvertising. This post aims to update a guide from @SwiftOnSecurity on the Decent Security blog and I will be covering three major browsers, Chrome, Firefox and IE. Edge is coming soon!
Before moving on through this article please ensure that you have the Chrome and Firefox ADMX templates installed.
Chrome (The Easiest)
uBlock Origin for Chrome is easy because the GPOs are well established and documented. Make sure you have installed Google ADMX templates before moving on!
1: Open Group Policy Editor and navigate to:
Computer Configuration > Policies > Administrative Templates > Google > Google Chrome > Extensions>Configure the list of force-installed apps and extensions
2: Open the GPO and modify the value to contain string
cjpalhdlnbpafiamejdnhcphjbkeiagm;https://clients2.google.com/service/update2/crx
This string is a combination of the uBlock Origin unique extension ID and the Google Chrome update URL. More info on that here.
3: Link the GPO to an OU for testing.
Test the GPO is working by opening the Chrome Extensions page. uBlock should be installed and force enabled.
Firefox
Again, before proceeding please make sure you have downloaded and installed the latest Firefox ADMX. You can find them here.
Warning: CCK2 Configurations and registry keys can cause issues with Firefox group policy. Please consider completely clearing out CCK2 before continuing. This includes reg keys and config files.
1: Open Group Policy Editor and navigate to:
Computer Configuration > Policies > Administrative Templates > Mozilla > Firefox > Extensions > Extensions to Install
2: Configure the GPO with the string:
https://addons.mozilla.org/firefox/downloads/file/1672871/ublock_origin-1.18.4-an+fx.xpi
This string is a direct link to the download. A newer version might be available.
3: Apply the GPO to an OU and check Firefox for installation uBlock Origin.
Internet Explorer
I have saved IE for last as it is the most complex. IE Requires 2 GPOs and a full fat software installation.
IE requires two GPOs because in my testing I found unless “ShowStatusBar” (See Image 1 above) was configured the extension would not load.
This is a user setting so, we must create a user policy.
1: Open Group Policy Editor:
User configuration > Preferences > Windows Settings > Registry
Create the following registry keys:
1.1: SupressFirstRunPage
HKEY_CURRENT_USER\Software\AdblockPlus
This registry key stops an irritating uBlock splash screen from opening when a user opens IE for the first time. I think its important to keep the user experience tidy.
1.2: Enable Status Bar (Enables the ABP icon in Image 1 above)
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MINIE
This key enables the IE Status bar. As mentioned above the extension does not seem to work without it.
Here are the raw registry keys.
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\AdblockPlus]
“suppress_first_run_page”=”true”
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MINIE]
“ShowStatusBar”=dword:00000001
2: Install AdBlock Plus for IE:
Link to site
Direct download link
You will want to roll this MSI out across your organisation.
Use your deployment tool of choice to silently install with the blow command line:
msiexec.exe /i “adblockplusie-1.6-x64.msi” /qn ALLUSERS=2
To test your new AdBlocker visit: https://blockads.fivefilters.org/?pihole in each browser and confirm “Ad Blocking Enabled!”