- Allow non-admins to access Remote Desktop - Thu, Sep 28 2023
- Which WSUS products to select for Windows 11? - Tue, Sep 26 2023
- Activate BitLocker with manage-bde, PowerShell, or WMI - Wed, Sep 20 2023
As with Windows, Microsoft also maintains a list of settings for the Edge browser that admins should import into their environment, if possible. However, it is advisable to evaluate the settings from the security baseline and configure them individually, as they might have undesirable effects.
The following overview groups the policies by topic and adds some explanations for better understanding.
Group Policy settings for Microsoft Edge
Internet Explorer Mode
| Name | Recommended status |
| Allow unconfigured sites to be reloaded in Internet Explorer mode | Disabled |
| Show the Reload in Internet Explorer mode button in the toolbar | Disabled |
These two settings relate to loading pages in (embedded) Internet Explorer while using the Edge browser. The first option allows users to open pages in IE even if the pages are not included in the sitelist for Internet Explorer Mode. The second provides a button for this purpose.
SSL/TLS
| Name | Recommended status |
| Allow users to proceed from the HTTPS warning page | Disabled |
| Enable 3DES cipher suites in TLS | Disabled |
| Minimum TLS version enabled | Enabled: TLS 1.2 |
These settings ensure that legacy encryption methods (3DES) and TLS versions (before 1.2) are disabled. The first policy prevents users from ignoring the warning and continuing to load the page after SSL problems occur (such as an expired certificate).
Authentication/passwords
| Name | Recommended status |
| Allow Basic authentication for HTTP | Disabled |
| Supported authentication schemes | Enabled: NTLM, negotiate |
| Enable saving passwords to the password manager | Disabled |
| Allow using the deprecated U2F Security Key API (obsolete) | Disabled |
These settings block some insecure methods of authentication. The Universal Second Factor (U2F) API is obsolete and removed from Edge in version 104.
It is interesting to see that Microsoft discourages the use of the integrated password manager. This can even synchronize saved passwords with the Authenticator app.
SmartScreen
| Name | Recommended status |
| Configure Microsoft Defender SmartScreen | Enabled |
| Prevent bypassing Microsoft Defender SmartScreen prompts for sites | Enabled |
| Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads | Enabled |
Defender SmartScreen uses reputation-based methods to evaluate whether websites or downloaded files pose a threat. The first setting activates the protection mechanism, while the other two ensure that users cannot ignore warnings and are prevented from further interaction with the objects in question.
Browser extensions
| Name | Recommended status |
| Enable browser legacy extension point blocking | Enabled |
| Control which extensions cannot be installed | Enabled: * |
| Allow user-level native messaging hosts (installed without admin permissions) | Disabled |
Extensions often come from unknown sources and should always be treated with caution. Therefore, most professional environments prevent users from installing them. The second setting in the table does just that.
The first policy blocks the use of extensions based on outdated architecture, and the third prevents extensions from exchanging messages with Win32 applications that are installed without administrative privileges.
Memory management/isolation
| Name | Recommended status |
| Enable site isolation for every site | Enabled |
| Specifies whether SharedArrayBuffers can be used in a non cross-origin-isolated context | Disabled |
SharedArrayBuffers are memory areas used for data sharing. They have vulnerabilities in several popular processors. By default, Chromium browsers run each window and tab in a separate process. By enabling the first option, users can no longer change this.
Display
| Name | Recommended status |
| Enhance images enabled | Disabled |
| Specifies whether the display-capture permissions-policy is checked or skipped | Enabled |
This second setting protects web pages from embedded iFrames being able to read the contents of the parent document. It has been deprecated since Edge 107 and will be removed with version 110.
It is not clear how the improvement of graphics through higher contrast or color adjustments in the first setting is relevant to security.
Miscellaneous
| Name | Recommended status |
| Force WebSQL to be enabled | Disabled |
| Configure Edge TyposquattingChecker | Enabled |
| Specifies whether to allow insecure websites to make requests to more-private network endpoints | Disabled |
WebSQL is an obsolete database technology (based on SQLite) and will be removed from Chromium. The corresponding setting in the security baseline ensures that users can no longer activate the WebSQL engine.
Typosquatting is when malicious parties take advantage of users' typos, for example, by registering domains with names that differ only slightly from those of popular websites. Edge has an appropriate checking mechanism that should be enabled.
New group policies for Edge 107
Some settings were added in version 107, one of which (for WebSQL) was included in the security baseline. Some of them may be relevant to security, but it's up to admins to enable them.
- Allow local MHTML files to open automatically in Internet Explorer mode
- Enhanced Security Mode configuration for Intranet zone sites
- Force WebSQL in non-secure contexts to be enabled (deprecated)
- Force WebSQL to be enabled
- Re-enable the Event.path API until Microsoft Edge version 115
- Web Select Enabled
- Performance Detector Enabled
- Enable the linked account feature
- Allow users to add and remove their own sites during startup when the RestoreOnStartupURLs policy is configured
A number of these policies are available in both the Computers and Users branches. The baseline documentation for Edge 107 suggests disabling the online spell check setting introduced in version 105.
New group policies for Edge 108
- Set the default "share additional operating system region" setting
- TLS Encrypted ClientHello Enabled
- Hide App Launcher on Microsoft Edge new tab page
Microsoft's Security Baseline blog post for Edge 108 recommends enabling the TLS Encrypted ClientHello setting, even if it is not included in the baseline.
Subscribe to 4sysops newsletter!
New group policies for Edge 109
- Allow clipboard use on specific sites
- Block clipboard use on specific sites
- Default clipboard site permission
- Determines whether the Microsoft Root Store and built-in certificate verifier will be used to verify server certificates (deprecated)
- Allow listed sites connect to specific HID devices
- Allow listed sites to connect to any HID device
- Automatically grant permission to these sites to connect to HID devices containing top-level collections with the given HID usage
Although using the clipboard can be a security concern, Microsoft does not recommend any specific action for the three new settings related to this topic.
