Security baseline for Microsoft Edge

Question

Security baseline for Microsoft Edge

rafalfitt opened this issue a year ago · comments

https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-version-114/ba-p/3839728

Violet Hansen · Answer 1 · Thu Jun 15 2023 18:12:20 GMT+0800 (China Standard Time)

Hi @rafalfitt
Thanks for brining this up ^^

The reason I didn't use security baselines for Microsoft Edge and instead use registry to apply the policies is because of this:

This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain, Windows 10 Pro or Enterprise instances that enrolled for device management, or macOS instances that are that are managed via MDM or joined to a domain via MCX.

There are many important security measures that require AAD or Domain Controller joined PCs. All of them are mentioned here.

I think the reason is that they can be potentially abused by registry or Group Policy modifications by 3rd party apps or malware.

I just tried this, injected the latest the Edge 114 Group Policy ADMX files and then applied the Edge 114 Security baseline, this is the result:

Those are the items that can't be applied without a domain controller or AAD.

There is another issue about using security baselines for Microsoft Edge. The Group Policy ADMX files aren't included in Windows by default. They are updated every month so users would have to make sure they run the script after each Edge version release to keep their ADMX files up to date and prevent any issues.

Some of the policies in the Security baseline for Microsoft Edge are applied by default, the policies just make sure non-Admins in corporations etc. can't change them. However, the Harden Windows Security script assumes everyone already has Admin privileges, so it just automatically configures the security features and isn't intended to prevent users with Admin privileges from changing their own device's settings.

Finally, as you can see in the screenshot, the Security baseline uses a policy that blocks all the extensions by default and requires administrators to explicitly add each extension that the users require to use in an allow list.

I hope you agree with me that it's not practical to use this policy on personal computers. 😇

Rafał Fitt · Answer 2 · Thu Jun 15 2023 18:29:04 GMT+0800 (China Standard Time)

"There are many important security measures that require AAD or Domain Controller joined PCs." - yes, you are right.
"The Group Policy ADMX files aren't included in Windows by default. They are updated every month" - you are right
"so users would have to make sure they run the script after each Edge version release to keep their ADMX files up to date and prevent any issues." - IMHO this is not true - AFAIK the GPO settings are stored in registry.pol (if done using .ADMX + gpedit.msc) and/or in registry (after application), so the updated ADMX is not really needed.

if all/most recommended settings are applied in the script (I've not checked so far), perhaps only a mention of "Security baseline for Microsoft Edge" is needed on https://github.com/HotCakeX/Harden-Windows-Security#edge-browser-configurations

Violet Hansen · Answer 3 · Thu Jun 15 2023 18:47:49 GMT+0800 (China Standard Time)

"There are many important security measures that require AAD or Domain Controller joined PCs." - yes, you are right.

"The Group Policy ADMX files aren't included in Windows by default. They are updated every month" - you are right
"so users would have to make sure they run the script after each Edge version release to keep their ADMX files up to date and prevent any issues." - IMHO this is not true - AFAIK the GPO settings are stored in registry.pol (if done using .ADMX + gpedit.msc) and/or in registry (after application), so the updated ADMX is not really needed.

if all/most recommended settings are applied in the script (I've not checked so far), perhaps only a mention of "Security baseline for Microsoft Edge" is needed on https://github.com/HotCakeX/Harden-Windows-Security#edge-browser-configurations

Oh yes, you're right in #2, the script could download and install latest ADMX files first and then apply the latest Edge Security baselines, every time the Edge category was run, so no issue with keeping the local ADMX files up to date.

I should check the new policies again and if any of them improves security and isn't being applied by default in Edge I'll add it to the script, will also change the Readme like you suggested. 👍

Rafał Fitt · Answer 4 · Thu Jun 15 2023 21:04:32 GMT+0800 (China Standard Time)

IMHO:
.ADMX is only needed if you use GPEDIT.MSC
if you have a registry.pol (it will be applied to registry when booting by Group Policy Client service) or settings in registry (in Policies key) - you can ignore missing/outdated .ADMX, no need to download .ADMX

Violet Hansen · Answer 5 · Thu Jun 15 2023 22:47:11 GMT+0800 (China Standard Time)

IMHO: .ADMX is only needed if you use GPEDIT.MSC if you have a registry.pol (it will be applied to registry when booting by Group Policy Client service) or settings in registry (in Policies key) - you can ignore missing/outdated .ADMX, no need to download .ADMX

Awesome, thank you! I just tried applying the Edge Security baseline without injecting the ADMX files first and it worked! not sure if it's best practices this way but it works :)

So just to make sure, you still suggest to add Edge security baselines to the script with everything mentioned before?

Rafał Fitt · Answer 6 · Fri Jun 16 2023 01:28:14 GMT+0800 (China Standard Time)

yes, I do suggest, as it makes a nice complete set:
Microsoft Windows security baseline
Microsoft 365 Apps security baseline
Microsoft Edge security baseline

Violet Hansen · Answer 7 · Fri Jun 16 2023 02:02:48 GMT+0800 (China Standard Time)

yes, I do suggest, as it makes a nice complete set: Microsoft Windows security baseline Microsoft 365 Apps security baseline Microsoft Edge security baseline

But what do you suggest to do about the problems I mentioned?

Rafał Fitt · Answer 8 · Fri Jun 16 2023 04:19:51 GMT+0800 (China Standard Time)

there is no SLA - IMHO "best effort" is good enough, as we don't want to over-complicate/introduce more dependencies/etc.:
policies are set in the registry, the result is outside our scope of work (require AAD or Domain Controller joined PCs or other limitations).

Violet Hansen · Answer 9 · Fri Jun 16 2023 20:41:30 GMT+0800 (China Standard Time)

there is no SLA - IMHO "best effort" is good enough, as we don't want to over-complicate/introduce more dependencies/etc.: policies are set in the registry, the result is outside our scope of work (require AAD or Domain Controller joined PCs or other limitations).

There is no signed agreement for service level, true, but since I use this too i don't want best effort, i want the best.

Going to close this issue for the following reasons:

Important settings that are also included in Edge security baselines require AAD or domain controller. So, using Edge security baseline in standalone mode doesn't provide the same security.
Edge security baseline has policies that cause a lot of inconvenience and do more bad than good when it comes to personal users. Those policies are shown in the screenshots above, such as a policy that blocks all of the extensions.
Using Edge security baseline would require a lot of overrides due to the reasons mentioned earlier, making it essentially useless.
The script applies similar security policies and even more, using registry keys, they have the same effect. If there is any particular policy that you think should be added (and it's not already enabled by default in Edge) then please open a new issue for it.

Thank you! have a good one!

Violet Hansen · Answer 10 · Tue Jun 20 2023 05:57:45 GMT+0800 (China Standard Time)

Just pushed an update to the Edge category

42e0ba6

https://github.com/HotCakeX/Harden-Windows-Security#edge-browser-configurations

#1 Powershell Fan · Answer 11 · Tue Aug 29 2023 20:04:43 GMT+0800 (China Standard Time)

You don't need to do regedits to set edge policies, you can simply point LGPO.exe at a .pol file - the only thing you'll need the admx files for is if you want to override the policies manually. Or if you want GPReport.html to have the proper policy names displayed.

Violet Hansen · Answer 12 · Tue Aug 29 2023 20:33:41 GMT+0800 (China Standard Time)

You don't need to do regedits to set edge policies, you can simply point LGPO.exe at a .pol file - the only thing you'll need the admx files for is if you want to override the policies manually. Or if you want GPReport.html to have the proper policy names displayed.

I know but why would I do that? The majority of the policies require Microsoft Entra ID or Domain Controller to work, see here:
https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies

So Edge security baselines are not suitable to use for personal devices. Registry is easier to implement and also verify by people, it's in plaintext in CSV file, so I use registry keys to implement the few security related policies that are still usable with MSA account.

#1 Powershell Fan · Answer 13 · Wed Aug 30 2023 02:37:03 GMT+0800 (China Standard Time)

Because the repo says

The script primarily uses Group policies, the Microsoft recommended way of configuring Windows. It also uses PowerShell cmdlets where Group Policies aren't available, and finally uses a few registry keys to configure security measures that can neither be configured using Group Policies nor PowerShell cmdlets.

So that makes it seem like if it was possible to use a GPO instead of a registry key, it would be better. I don't necessarily mean using the edge baselines.