Security baseline (FINAL) for Chromium-based Microsoft Edge, version 79

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.

Microsoft is pleased to announce the enterprise-ready release of the recommended security configuration baseline settings for the next version of Microsoft Edge based on Chromium, version 79. The settings recommended in this baseline are identical to the ones we recommended in the version 79 draft, minus one setting that we have removed and that we discuss below. We continue to welcome feedback through the Baselines Discussion site.

 

The baseline package is now available as part of the Security Compliance Toolkit. Like all our baseline packages, the downloadable baseline package includes importable GPOs, a script to apply the GPOs to local policy, a script to import the GPOs into Active Directory Group Policy, and all the recommended settings in spreadsheet form, as Policy Analyzer rules, and as GP Reports.

 

Microsoft Edge is being rebuilt with the open-source Chromium project, and many of its security configuration options are inherited from that project. These Group Policy settings are entirely distinct from those for the original version of Microsoft Edge built into Windows 10: they are in different folders in the Group Policy editor and they reference different registry keys. The Group Policy settings that control the new version of Microsoft Edge are located under “Administrative Templates\Microsoft Edge,” while those that control the current version of Microsoft Edge remain located under “Administrative Templates\Windows Components\Microsoft Edge.” You can download the latest policy templates for the new version of Microsoft Edge from the Microsoft Edge Enterprise landing page. To learn more about managing the new version of Microsoft Edge, see Configure Microsoft Edge for Windows.

 

As with our current Windows and Office security baselines, our recommendations for Microsoft Edge configuration follow a streamlined and efficient approach to baseline definition when compared with the baselines we published before Windows 10. The foundation of that approach is essentially this:

  • The baselines are designed for well-managed, security-conscious organizations in which standard end users do not have administrative rights.
  • A baseline enforces a setting only if it mitigates a contemporary security threat and does not cause operational issues that are worse than the risks they mitigate.
  • A baseline enforces a default only if it is otherwise likely to be set to an insecure state by an authorized user:
    • If a non-administrator can set an insecure state, enforce the default.
    • If setting an insecure state requires administrative rights, enforce the default only if it is likely that a misinformed administrator will otherwise choose poorly.

(For further explanation, see the “Why aren’t we enforcing more defaults?” section in this blog post.)

 

Version 79 of the Chromium-based version of Microsoft Edge has 216 enforceable Computer Configuration policy settings and another 200 User Configuration policy settings. Following our streamlined approach, our recommended baseline configures a grand total of eleven Group Policy settings. You can find full documentation in the download package’s Documentation subdirectory.

 

The one difference between this baseline and the version 79 draft is that we have removed the recommendation to disable “Force Microsoft Defender SmartScreen checks on downloads from trusted sources.” By default, SmartScreen will perform these checks. While performing checks on files from trusted sources increases the likelihood of false positives – particularly from intranet sources that host files that are seldom if ever seen in the outside world – we have decided not to apply that decision to all customers adopting our baseline. Depending on who can store files in locations that are considered “trusted sources” and the rigor they apply to restricting what gets stored there, internal sites might in fact end up hosting untrustworthy content that should be checked. Our baseline therefore neither enables nor disables the setting. Organizations choosing to disable this setting can therefore do so without contradicting our baseline recommendations.

REMEMBER: these articles are REPUBLISHED. Your best bet to get a reply is to follow the link at the top of the post to the ORIGINAL post! BUT you're more than welcome to start discussions here:

This site uses Akismet to reduce spam. Learn how your comment data is processed.