How to harden Microsoft Edge against cyberattacks

I’m old enough to remember the screeching sound of a modem as it connected to the internet. Now we hold in our pockets more technology than I used with Netscape Navigator and Altavista to explore the World Wide Web, and web browsers have become the portal through which we access most of our critical apps and services. As we enter the era of cloud computing and the end of Adobe Flash, it’s time for enterprises to not only standardize on a web browser, but to ensure that your settings and deployments are secure as they can be.

Standardizing on the Chromium-based Edge browser

For many years we’ve had to install multiple browsers because vendors did not support built-in browsers, or they targeted their applications for one browser. With Chrome-based Edge, it’s possible to go back to a single browser without your application ecosystem suffering ill effects.

Microsoft has released a Security baseline for Microsoft Edge version 85. It has also provided the Microsoft Security Compliance Toolkit 1.0, which includes information and recommendations. With this kit you can use Group Policy or scripts to better harden your Edge browser against threats.

End use of SHA-1 signed certificates

One new setting in the Edge version 85 kit, “Allow certificates signed using SHA-1 when issued by local trust anchors”, is deprecated (no longer under active development) but is needed to assist in the migration from SHA-1 signed certificates. Microsoft will remove this setting from the browser in mid-2021 and there will be no way to support SHA-1 signed certificates using Edge. Migrate away from SHA-1 as soon as you can as all the major browsers have dropped support. NIST deprecated SHA-1 in 2011 and Microsoft dropped it from Edge and Internet Explorer in 2017 because the hashing algorithm is susceptible to collision attacks that allow the creation of spoofed certificates.

Define which external apps to launch

The baseline documentation also includes guidance for IT professionals to define browser-based applications that can launch an external application. For example, if your organization uses online Word, Excel or Teams, you can ensure that your users do not get a prompt, but rather the application will open.

Define allowed and blocked extensions

You can download Group Policy files and templates to better control the browser. For example, you can set policies for extensions such as “ExtensionInstallAllowlist” and “ExtensionInstallBlcoklist”. They control what extensions can or cannot be installed, respectively. This is similar to the group policy supported by Google Chrome. A blocklist value of ‘*’ means all extensions are blocked unless they are explicitly listed in the allowlist.

In the Windows registry these are located at: SOFTWAREPoliciesMicrosoftEdgeExtensionInstallBlocklist

You then set the value name as numbers such as 1, 2 or 3 and set the name of the extension you want to block as a REG_SZ value. I recommend reviewing what extensions you want to install in Edge browser. Attackers or malicious advertisements often wiggle into systems through extensions. I’ve also seen extensions used to take over the default search engine. Establish a baseline of extensions that are allowed in your firm. Vet and approve third-party coded software extensions in a secure environment.

Use SmartScreen settings

Another key browser setting is SmartScreen, a Microsoft technology that scans websites to determine if they are secure. Microsoft reviews content on websites and reputation. It automatically provides the following protections in your browser:

• Anti-phishing and anti-malware support
• Reputation-based URL and app protection
• Operating system integration
• Improved heuristics and diagnostic data
• Management through Group Policy and Microsoft Intune
• Blocking URLs associated with potentially unwanted applications

Investigate browser isolation

The US Cybersecurity and Infrastructure Security Agency (CISA) recommends  investigating the use of browser isolation. This browser barrier creates a block between the browser and the operating system. All web traffic is untrusted. Rather than securing the browser on the workstation with Group Policy and other settings as noted in the security baseline, browser isolation sets up the ability to browse the internet in a remote session on a cloud deployment or server.

Isolation technology is not new; it’s been more used by larger enterprises and government entities. Two technologies support browser isolation:

Client-side browser isolation may not be as robust as server side browser isolation given that it does not provide air gapped or physical isolation. Software vulnerabilities in the operating system or the client-side browser technology could lead to exposure.

Server-side browser isolation—or these days cloud-based browser isolation—puts an ultimate air gap between you and the web. Companies such as Webgap and Authentic8 allow you to have a complete barrier between your users and their browsing experience, as do other vendors.