I\u2019m old enough to remember the screeching sound of a modem as it connected to the internet. Now we hold in our pockets more technology than I used with Netscape Navigator and Altavista to explore the World Wide Web, and web browsers have become the portal through which we access most of our critical apps and services. As we enter the era of cloud computing and the end of Adobe Flash, it\u2019s time for enterprises to not only standardize on a web browser, but to ensure that your settings and deployments are secure as they can be.Standardizing on the Chromium-based Edge browserFor many years we\u2019ve had to install multiple browsers because vendors did not support built-in browsers, or they targeted their applications for one browser. With Chrome-based Edge, it\u2019s possible to go back to a single browser without your application ecosystem suffering ill effects.Microsoft has released a Security baseline for Microsoft Edge version 85. It has also provided the Microsoft Security Compliance Toolkit 1.0, which includes information and recommendations. With this kit you can use Group Policy or scripts to better harden your Edge browser against threats. End use of SHA-1 signed certificatesOne new setting in the Edge version 85 kit, \u201cAllow certificates signed using SHA-1 when issued by local trust anchors\u201d, is deprecated (no longer under active development) but is needed to assist in the migration from SHA-1 signed certificates. Microsoft will remove this setting from the browser in mid-2021 and there will be no way to support SHA-1 signed certificates using Edge. Migrate away from SHA-1 as soon as you can as all the major browsers have dropped support. NIST deprecated SHA-1 in 2011 and Microsoft dropped it from Edge and Internet Explorer in 2017 because the hashing algorithm is susceptible to collision attacks that allow the creation of spoofed certificates.Define which external apps to launchThe baseline documentation also includes guidance for IT professionals to define browser-based applications that can launch an external application. For example, if your organization uses online Word, Excel or Teams, you can ensure that your users do not get a prompt, but rather the application will open.Define allowed and blocked extensionsYou can download Group Policy files and templates to better control the browser. For example, you can set policies for extensions such as \u201cExtensionInstallAllowlist\u201d and \u201cExtensionInstallBlcoklist\u201d. They control what extensions can or cannot be installed, respectively. This is similar to the group policy supported by Google Chrome. A blocklist value of '*' means all extensions are blocked unless they are explicitly listed in the allowlist.In the Windows registry these are located at: SOFTWAREPoliciesMicrosoftEdgeExtensionInstallBlocklistYou then set the value name as numbers such as 1, 2 or 3 and set the name of the extension you want to block as a REG_SZ value. I recommend reviewing what extensions you want to install in Edge browser. Attackers or malicious advertisements often wiggle into systems through extensions. I\u2019ve also seen extensions used to take over the default search engine. Establish a baseline of extensions that are allowed in your firm. Vet and approve third-party coded software extensions in a secure environment.Use SmartScreen settingsAnother key browser setting is SmartScreen, a Microsoft technology that scans websites to determine if they are secure. Microsoft reviews content on websites and reputation. It automatically provides the following protections in your browser:Anti-phishing and anti-malware supportReputation-based URL and app protectionOperating system integrationImproved heuristics and diagnostic dataManagement through Group Policy and Microsoft IntuneBlocking URLs associated with potentially unwanted applicationsInvestigate browser isolationThe US Cybersecurity and Infrastructure Security Agency (CISA) recommends\u00a0 investigating the use of browser isolation. This browser barrier creates a block between the browser and the operating system. All web traffic is untrusted. Rather than securing the browser on the workstation with Group Policy and other settings as noted in the security baseline, browser isolation sets up the ability to browse the internet in a remote session on a cloud deployment or server.Isolation technology is not new; it\u2019s been more used by larger enterprises and government entities. Two technologies support browser isolation:Client-side browser isolation may not be as robust as server side browser isolation given that it does not provide air gapped or physical isolation. Software vulnerabilities in the operating system or the client-side browser technology could lead to exposure.Server-side browser isolation\u2014or these days cloud-based browser isolation\u2014puts an ultimate air gap between you and the web. Companies such as Webgap and Authentic8 allow you to have a complete barrier between your users and their browsing experience, as do other vendors.