Know your Edge Chromium security options

Microsoft's upcoming Chromium-based Edge browser will give Edge- and Chrome-like web security features to older versions of Microsoft Windows. Here's what you need to know.


For those of you still using Windows 7, there’s a new browser on the block that you’ll need to start planning to deploy — and it’s not Edge. Well, it is an Edge browser, but not the Edge browser you are thinking of.

Microsoft is scrapping its Edge browser based on the Spartan engine in favor of an Edge browser based on Chromium. You can install this Edge browser on Windows 7 as well as all other platforms. The browser will be separate from the operating system, so it can be uninstalled and reinstalled. It will support IE legacy mode. Unlike the current implementation, where IE legacy opens in a separate browser, Edge Chromium includes IE directly in the browser, similar to how Chrome’s IE tab extension works.

The new Edge browser provides privacy controls that restrict the ability of third parties to track user actions in browser sessions. Edge Chromium differentiates itself from the Chrome browser with corporate controls (Group Policy, Mobile Device Manager and Intune) and additional controls. Even now, during the beta, you can download a beta of the Group Policy ADMX from the Enterprise landing page to see which controls are currently being tested.

Stopping drive-by attacks

Drive-by compromise attacks can infect a system in a specific manner. As MITRE notes:

  • A user visits a website that is used to host the adversary controlled content.
  • Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version.
  • The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.
  • Upon finding a vulnerable version, exploit code is delivered to the browser.
  • If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place.
  • In some cases a second visit to the website after the initial scan is required before exploit code is delivered.

One policy you can implement in the new Edge Chromium browser to protect against these drive-by exploits is DefaultJavaScriptSetting, which sets whether websites can run JavaScript. You can allow it for all sites or block it for all sites. If you don't configure this policy, all sites can run JavaScript by default, and the user can change this setting. In the Group Policy settings (and ultimately in MDM and Intune) you can set the value to “1” to allow all sites to run JavaScript or to “2” to not allow any site to run JavaScript.

As noted on the MITRE web page, ad blockers can help prevent that code from executing in the first place, and script blocking extensions can help prevent the execution of JavaScript commonly used during the exploitation process.

Managing Edge Chromium extensions

Because this version of Edge allows extensions, one of the key ways you can protect systems is to manage them. The new Edge browser includes the setting ExtensionInstallAllowlist, which lets you specify the extensions you approve for your firm.
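The DefaultJavaScriptSetting and ExtensionInstallAllowlist policies described above, written directly to the registry as an added example that is not from the original article. It assumes the standard Edge policy key under HKLM, placeholder extension IDs and a placeholder URL pattern, and two policies the article does not mention (ExtensionInstallBlocklist and JavaScriptAllowedForUrls), since an allowlist only restricts anything when paired with a blocklist.

```powershell
# Added example. Run from an elevated PowerShell prompt on a test machine.
# Assumption: Edge reads machine policy from this key (what the ADMX populates).
$edge = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

# List-type policies are stored as a subkey holding string values named 1, 2, 3...
function Set-EdgeListPolicy {
    param([string]$Name, [string[]]$Values)
    $key = Join-Path $edge $Name
    # Rebuild the subkey so entries from an earlier run do not linger.
    if (Test-Path $key) { Remove-Item -Path $key -Recurse -Force }
    New-Item -Path $key -Force | Out-Null
    for ($i = 0; $i -lt $Values.Count; $i++) {
        New-ItemProperty -Path $key -Name "$($i + 1)" -Value $Values[$i] `
            -PropertyType String -Force | Out-Null
    }
}

if (-not (Test-Path $edge)) { New-Item -Path $edge -Force | Out-Null }

# DefaultJavaScriptSetting: 1 = allow all sites, 2 = block all sites.
New-ItemProperty -Path $edge -Name 'DefaultJavaScriptSetting' -Value 2 `
    -PropertyType DWord -Force | Out-Null

# Not in the article: per-site exceptions to the global block.
# The pattern is a placeholder for your own trusted sites.
Set-EdgeListPolicy -Name 'JavaScriptAllowedForUrls' -Values @('https://[*.]example.com')

# Not in the article: block every extension, then allow only the vetted ones.
Set-EdgeListPolicy -Name 'ExtensionInstallBlocklist' -Values @('*')

# Placeholder IDs; replace with the 32-character IDs of the extensions you approved.
Set-EdgeListPolicy -Name 'ExtensionInstallAllowlist' -Values @(
    'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',
    'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb'
)

# Read the settings back to confirm what the browser will pick up.
Get-ItemProperty -Path $edge | Select-Object DefaultJavaScriptSetting
Get-ItemProperty -Path (Join-Path $edge 'ExtensionInstallAllowlist')
```

After restarting the browser, the edge://policy page lists each applied policy and its status, which is the quickest way to confirm the values were read.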

Plan ahead to vet and approve allowed extensions. Half of all Chrome-based extensions have fewer than 16 installs, meaning that the bulk of the browser extension ecosystem is not well vetted and tested. Currently the top extensions are:

As you can see, these extensions do not include add-ins that I would consider good for security. Security extensions that I recommend you approve for corporate deployment include:

  • LastPass — manages passwords.
  • Ghostery — blocks tracking. This plugin may not be needed, as Edge Chromium is anticipated to provide additional levels of privacy: unrestricted, balanced and strict. Unrestricted will allow websites and Microsoft to collect data as normal, balanced will allow less data, and strict will make it so very little data is tracked as you browse with Microsoft Edge.

Time will tell how well businesses will accept the new Edge browser. The beta is stable enough that I’ve been using it as default on one of my computers. I recommend you install it and start testing its use in your network. The dev channel has been very stable and easy to use, and using it now gives you a head start for later deployment.


Copyright © 2019 IDG Communications, Inc.
