Written with contributions from Bryon Singh, Director of Security Operations, RailWorks Corporation
In The Lord of the Rings, the One Ring is small, unassuming, and even useful—at first. It grants power and convenience, but every additional moment it’s worn increases risk, influence, and loss of control. The danger isn’t obvious until it’s too late.
Browser and email client extensions often play the same role in enterprise environments. They look harmless, promise productivity, and quietly expand their influence—sometimes far beyond what security teams intend. That’s why CIS Safeguard 9.4 exists.
What Is CIS Safeguard 9.4?
CIS Safeguard 9.4: Restrict Unnecessary or Unauthorized Browser and Email Client Extensions is part of CIS Critical Security Control 9 – Email and Web Browser Protections.
The safeguard requires organizations to:
- Restrict the installation of browser and email client extensions
- Allow only approved, necessary extensions
- Prevent users from installing unvetted or unauthorized add-ons
- Regularly review and maintain extension allowlists
The intent is straightforward:
Reduce attack surface by limiting what code is allowed to run inside browsers and email clients.
Why Extensions Are a High-Risk Attack Surface
Modern browsers and email clients are powerful platforms. Extensions often have access to:
- All visited websites
- Page content and form data
- Session cookies and authentication tokens
- Email content and metadata
- Background network communications
From an attacker’s perspective, an extension is an ideal foothold. It runs:
- Inside a trusted application
- With user permissions
- Often without deep inspection
Like the One Ring, the risk is not always in what it does today, but in what control it quietly accumulates.
Real Threats Enabled by Unrestricted Extensions
- Credential Theft and Session Hijacking
Malicious or compromised extensions can:
- Read login pages
- Capture keystrokes
- Steal session cookies, which lets an attacker bypass MFA
This turns a single user install into an account-level compromise.
- Data Leakage
Extensions may access:
- Webmail content
- Cloud documents
- Internal web applications
Even well-intentioned extensions can transmit data to third parties, creating compliance and confidentiality risks.
- Malware Delivery and Command-and-Control
Some extensions:
- Inject scripts into pages
- Redirect traffic
- Communicate with external servers
Once installed, they can act as persistent malware—without triggering traditional endpoint defenses.
Why “User Choice” Is Not a Control
Many organizations rely on user discretion or acceptable-use policies to manage extensions. CIS Safeguard 9.4 explicitly moves away from this model.
Why? Because:
- Users can’t reasonably assess extension risk
- Popular extensions can be sold, hijacked, or updated maliciously
- Permissions often change silently during updates
In The Lord of the Rings, no one intends for the Ring to corrupt them. That’s the point—it doesn’t require bad intent, only continued exposure.
What Safeguard 9.4 Requires in Practice
To meet the intent of CIS Safeguard 9.4, organizations should:
Enforce Extension Allowlisting
- Only approved extensions can be installed
- Everything else is blocked by default
Control Extension Sources
- Restrict installs to official marketplaces
- Disable sideloading where possible
Apply Policies Centrally
- Enforce controls via browser management, MDM, or enterprise policy
- Do not rely on local user settings
Review Approved Extensions Regularly
- Validate continued business need
- Reassess permissions after updates
- Remove unused or redundant extensions
Email Client Extensions Matter Too
Safeguard 9.4 applies not only to browsers, but also to:
- Email client add-ins
- Productivity integrations
- Third-party mail extensions
These often have direct access to:
- Inbox content
- Attachments
- Send/receive actions
A compromised email extension can become a phishing amplifier instead of a defense.
Balancing Productivity and Security
Restricting extensions does not mean eliminating them. It means being intentional.
Effective programs:
- Approve extensions with clear business value
- Offer fast review processes for new requests
- Communicate why restrictions exist
Security friction without explanation breeds workarounds. Security with context builds trust.
How Safeguard 9.4 Fits into Control 9
CIS Control 9 focuses on reducing web and email-based risk:
- 9.1–9.3: Control what users can receive and access
- 9.4: Control what runs inside those tools
Without extension restrictions, even the best email filtering and URL blocking can be undermined from within the browser itself.
Practical Implementation Tips
To operationalize CIS Safeguard 9.4:
- Inventory Existing Extensions
You can’t restrict what you don’t know exists.
- Start with a Minimal Allowlist
Approve only what’s clearly required.
- Watch for Permission Creep
Extensions evolve, sometimes in risky ways.
- Log and Alert on Violations
Unauthorized install attempts are valuable security signals.
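As an added example (not part of the original article or of any CIS material), the Python script below ties the "requires in practice" steps and the four tips above together: it audits constructed inventory records against an allowlist, flags unauthorized installs, permission creep and stale approvals as JSON alert lines, and renders the allowlist as Chrome's ExtensionInstallBlocklist/ExtensionInstallAllowlist policy values. The inventory record format, extension names and IDs are assumptions.

```python
import json

# Approved extensions, keyed by extension ID, with the permission set that was
# reviewed and accepted. Format is assumed; IDs are constructed placeholders.
ALLOWLIST = {
    "a" * 32: {"name": "Approved PDF Viewer", "permissions": {"storage"}},
    "b" * 32: {"name": "SSO Helper", "permissions": {"cookies", "identity"}},
    "d" * 32: {"name": "Legacy Notes", "permissions": {"storage"}},
}

# Constructed inventory records, as an endpoint collector might report them
# from each installed extension's manifest.json ("permissions" merged with
# "host_permissions"). You can't restrict what you don't know exists.
INVENTORY = [
    {"host": "ws-01", "id": "a" * 32, "version": "2.1", "permissions": ["storage"]},
    {"host": "ws-02", "id": "a" * 32, "version": "2.2",
     "permissions": ["storage", "webRequest", "<all_urls>"]},  # grew after an update
    {"host": "ws-02", "id": "c" * 32, "version": "1.0", "permissions": ["tabs"]},  # never approved
    {"host": "ws-03", "id": "b" * 32, "version": "1.4", "permissions": ["cookies", "identity"]},
]


def audit(inventory, allowlist):
    """Return alertable findings: unauthorized installs, permission creep on
    approved extensions, and approvals no longer installed anywhere."""
    findings = []
    for rec in inventory:
        approved = allowlist.get(rec["id"])
        if approved is None:
            findings.append({"type": "unauthorized", "host": rec["host"],
                             "id": rec["id"], "version": rec["version"]})
            continue
        extra = set(rec["permissions"]) - approved["permissions"]
        if extra:  # permissions beyond what was reviewed: reassess before keeping
            findings.append({"type": "permission_creep", "host": rec["host"],
                             "id": rec["id"], "version": rec["version"],
                             "new_permissions": sorted(extra)})
    installed = {rec["id"] for rec in inventory}
    for ext_id in sorted(set(allowlist) - installed):  # candidates for removal
        findings.append({"type": "unused_approval", "id": ext_id,
                         "name": allowlist[ext_id]["name"]})
    return findings


def chrome_policy(allowlist):
    """Render the allowlist as Chrome enterprise policy values: block every
    extension by default and permit only the approved IDs."""
    return {"ExtensionInstallBlocklist": ["*"],
            "ExtensionInstallAllowlist": sorted(allowlist)}


if __name__ == "__main__":
    for finding in audit(INVENTORY, ALLOWLIST):
        print(json.dumps(finding))  # one JSON line per alert for the SIEM
    print(json.dumps(chrome_policy(ALLOWLIST), indent=2))
```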
Final Thoughts
CIS Safeguard 9.4 is about controlling quiet power. Browser and email extensions don’t announce themselves as threats—they blend in, promise convenience, and accumulate access over time.
Organizations that restrict unnecessary or unauthorized extensions aren’t limiting productivity—they’re preventing a small, overlooked add-on from becoming the thing that compromises the entire environment.
Resources
Here’s a link to the Policy Templates provided free of charge from the fine folks at the Center for Internet Security:
Looking for even more detail? Here you go. If this still doesn’t satisfy your curiosity, DM me.
CIS Control 9 – Email and Web Browser Protections
Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement.
CIS Safeguard 9.4: Restrict Unnecessary or Unauthorized Browser and Email Client Extensions
Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or email client plugins, extensions, and add-on applications.
Shameless Marketing Information
Gotham Technology Group offers professional and managed services to protect your organization with technologies such as Secure Email Gateway (SEG), Secure Web Gateway (SWG), Network Security (NGFW, Route, Switch, WAP), Secure Services Edge (SSE) and Secure Access Services Edge (SASE).