Microsoft last updated its security baseline for Edge browser 107, but it is still valid for the current versions. It contains the manufacturer's recommended group policy settings to increase security. However, none of the most recent policies are included in the list.

As with Windows, Microsoft also maintains a list of settings for the Edge browser that admins should import into their environment, if possible. However, it is advisable to evaluate the settings from the security baseline and configure them individually, as they might have undesirable effects.

The following overview groups the policies by topic and adds some explanations for better understanding.

Group Policy settings for Microsoft Edge

Internet Explorer Mode

Name | Recommended status
Allow unconfigured sites to be reloaded in Internet Explorer mode | Disabled
Show the Reload in Internet Explorer mode button in the toolbar | Disabled

These two settings relate to loading pages in (embedded) Internet Explorer while using the Edge browser. The first option allows users to open pages in IE even if the pages are not included in the sitelist for Internet Explorer Mode. The second provides a button for this purpose.

SSL/TLS

Name | Recommended status
Allow users to proceed from the HTTPS warning page | Disabled
Enable 3DES cipher suites in TLS | Disabled
Minimum TLS version enabled | Enabled: TLS 1.2

These settings ensure that legacy cipher suites (3DES) and TLS versions (before 1.2) are disabled. The first policy prevents users from ignoring the warning and continuing to load the page after a TLS error occurs (such as an expired certificate).

Authentication/passwords

Name | Recommended status
Allow Basic authentication for HTTP | Disabled
Supported authentication schemes | Enabled: NTLM, negotiate
Enable saving passwords to the password manager | Disabled
Allow using the deprecated U2F Security Key API (obsolete) | Disabled

These settings block some insecure methods of authentication. The Universal Second Factor (U2F) API is obsolete and removed from Edge in version 104.

It is interesting to see that Microsoft discourages the use of the integrated password manager. This can even synchronize saved passwords with the Authenticator app.

SmartScreen

Name | Recommended status
Configure Microsoft Defender SmartScreen | Enabled
Prevent bypassing Microsoft Defender SmartScreen prompts for sites | Enabled
Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads | Enabled

Defender SmartScreen uses reputation-based methods to evaluate whether websites or downloaded files pose a threat. The first setting activates the protection mechanism, while the other two ensure that users cannot ignore warnings and are prevented from further interaction with the objects in question.

Browser extensions

Name | Recommended status
Enable browser legacy extension point blocking | Enabled
Control which extensions cannot be installed | Enabled: *
Allow user-level native messaging hosts (installed without admin permissions) | Disabled

Extensions often come from unknown sources and should always be treated with caution. Therefore, most professional environments prevent users from installing them. The second setting in the table does just that.

The first policy blocks the use of extensions based on outdated architecture, and the third prevents extensions from exchanging messages with native messaging hosts (Win32 applications) that were installed per user, without administrative privileges.

Memory management/isolation

Name | Recommended status
Enable site isolation for every site | Enabled
Specifies whether SharedArrayBuffers can be used in a non cross-origin-isolated context | Disabled

SharedArrayBuffers are memory areas shared between scripts. They can be abused to exploit side-channel vulnerabilities found in several popular processors, which is why the second setting restricts them to cross-origin-isolated contexts. By default, Chromium browsers run each window and tab in a separate process. By enabling the first option, users can no longer change this.

Display

Name | Recommended status
Enhance images enabled | Disabled
Specifies whether the display-capture permissions-policy is checked or skipped | Enabled

The second setting protects web pages from embedded iframes being able to read the contents of the parent document. It has been deprecated since Edge 107 and will be removed with version 110.

It is not clear how the improvement of graphics through higher contrast or color adjustments in the first setting is relevant to security.

Miscellaneous

Name | Recommended status
Force WebSQL to be enabled | Disabled
Configure Edge TyposquattingChecker | Enabled
Specifies whether to allow insecure websites to make requests to more-private network endpoints | Disabled

WebSQL is an obsolete database technology (based on SQLite) and will be removed from Chromium. The corresponding setting in the security baseline ensures that users can no longer activate the WebSQL engine.

Typosquatting is when malicious parties take advantage of users' typos, for example, by registering domains with names that differ only slightly from those of popular websites. Edge has an appropriate checking mechanism that should be enabled.
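To verify that the settings from the tables above actually reached a machine, the following PowerShell script (an added example, not part of the article or of Microsoft's baseline package) reads the machine-level Edge policy key and reports every value that is missing or deviates from the recommended status. The registry value names are assumed to match the policy names in Microsoft's Edge policy reference; check them against the baseline documentation for your version before relying on the report.

```powershell
# Added example: audit HKLM Edge policies against the recommended values above.
# Value names are assumed to match Microsoft's Edge policy reference; verify them.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

# Policy name -> expected registry value (1 = Enabled, 0 = Disabled, string for choices)
$baseline = @{
    'InternetExplorerIntegrationReloadInIEModeAllowed' = 0          # IE mode: reload unconfigured sites
    'InternetExplorerModeToolbarButtonEnabled'         = 0          # IE mode: toolbar button
    'SSLErrorOverrideAllowed'                          = 0          # proceed from HTTPS warning page
    'TripleDESEnabled'                                 = 0          # 3DES cipher suites
    'SSLVersionMin'                                    = 'tls1.2'   # minimum TLS version
    'BasicAuthOverHttpEnabled'                         = 0          # Basic auth over HTTP
    'AuthSchemes'                                      = 'ntlm,negotiate'
    'PasswordManagerEnabled'                           = 0          # built-in password manager
    'U2fSecurityKeyApiEnabled'                         = 0          # deprecated U2F API
    'SmartScreenEnabled'                               = 1
    'PreventSmartScreenPromptOverride'                 = 1          # no bypass for sites
    'PreventSmartScreenPromptOverrideForFiles'         = 1          # no bypass for downloads
    'BrowserLegacyExtensionPointsBlockingEnabled'      = 1
    'NativeMessagingUserLevelHosts'                    = 0
    'SitePerProcess'                                   = 1          # site isolation for every site
    'SharedArrayBufferUnrestrictedAccessAllowed'       = 0
    'WebSQLAccess'                                     = 0
    'TyposquattingCheckerEnabled'                      = 1
    'InsecurePrivateNetworkRequestsAllowed'            = 0
}

function Test-EdgeBaseline {
    param([string]$Key = $policyKey, [hashtable]$Expected = $baseline)
    $actual = if (Test-Path $Key) { Get-ItemProperty -Path $Key } else { $null }
    foreach ($name in ($Expected.Keys | Sort-Object)) {
        $value = if ($actual) { $actual.$name } else { $null }
        $status = 'MISMATCH'
        if ($null -eq $value) { $status = 'NOT CONFIGURED' }
        elseif ("$value" -eq "$($Expected[$name])") { $status = 'OK' }
        [pscustomobject]@{ Policy = $name; Expected = $Expected[$name]; Actual = $value; Status = $status }
    }
    # The extension blocklist is a list subkey; an entry "*" blocks all extensions ("Enabled: *").
    $blockKey = Join-Path $Key 'ExtensionInstallBlocklist'
    $blockAll = (Test-Path $blockKey) -and
                ((Get-ItemProperty -Path $blockKey).PSObject.Properties.Value -contains '*')
    [pscustomobject]@{ Policy = 'ExtensionInstallBlocklist'; Expected = '*'
                       Actual = $(if ($blockAll) { '*' } else { $null })
                       Status = $(if ($blockAll) { 'OK' } else { 'MISMATCH' }) }
}

# Show only the deviations; run in an elevated prompt on the target machine.
Test-EdgeBaseline | Where-Object Status -ne 'OK' | Format-Table -AutoSize
```

Policies applied per user land under HKCU:\SOFTWARE\Policies\Microsoft\Edge instead, so pass that key to Test-EdgeBaseline to audit the user branch.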

New group policies for Edge 107

Some settings were added in version 107, one of which (for WebSQL) was included in the security baseline. Some of them may be relevant to security, but it's up to admins to enable them.

  • Allow local MHTML files to open automatically in Internet Explorer mode
  • Enhanced Security Mode configuration for Intranet zone sites
  • Force WebSQL in non-secure contexts to be enabled (deprecated)
  • Force WebSQL to be enabled
  • Re-enable the Event.path API until Microsoft Edge version 115
  • Web Select Enabled
  • Performance Detector Enabled
  • Enable the linked account feature
  • Allow users to add and remove their own sites during startup when the RestoreOnStartupURLs policy is configured

A number of these policies are available in both the Computers and Users branches. The baseline documentation for Edge 107 suggests disabling the online spell check setting introduced in version 105.

New group policies for Edge 108

  • Set the default "share additional operating system region" setting
  • TLS Encrypted ClientHello Enabled
  • Hide App Launcher on Microsoft Edge new tab page

Microsoft's Security Baseline blog post for Edge 108 recommends enabling the TLS Encrypted ClientHello setting, even if it is not included in the baseline.

New group policies for Edge 109

  • Allow clipboard use on specific sites
  • Block clipboard use on specific sites
  • Default clipboard site permission
  • Determines whether the Microsoft Root Store and built-in certificate verifier will be used to verify server certificates (deprecated)
  • Allow listed sites to connect to specific HID devices
  • Allow listed sites to connect to any HID device
  • Automatically grant permission to these sites to connect to HID devices containing top-level collections with the given HID usage

Although using the clipboard can be a security concern, Microsoft does not recommend any specific action for the three new settings related to this topic.

© 4sysops 2006 - 2023