Forum Discussion
EnhanceSecurityMode details
- Feb 16, 2022
Check out this article:
https://docs.microsoft.com/en-us/deployedge/microsoft-edge-security-browse-safer
Kelly_Y
I just saw that in the documentation for the security modes at https://docs.microsoft.com/en-us/deployedge/microsoft-edge-security-browse-safer that besides JIT also other features are mentioned as part of the modes: "These protections include Hardware-enforced Stack Protection [CET] and Arbitrary Code Guard (ACG)."
At https://microsoftedge.github.io/edgevr/posts/Introducing-Enhanced-Security-for-Microsoft-Edge/ it also reads, for example, as "By applying these protections, we can provide defense in depth that spans beyond JIT attacks."
For the SDSM (https://microsoftedge.github.io/edgevr/posts/Super-Duper-Secure-Mode/) back then it was said "Currently, SDSM disables JIT (TurboFan/Sparkplug) and enables CET." But there were no details about ACG. Not sure if ACG was already a thing.
This still makes me wonder if setting the DefaultJavaScriptJitSetting policy to BlockJavaScriptJit also has an impact on CET and ACG as well as other features like CFG (which would be very confusing to me).
Behind the question mark next to the "Enhance your security on the web" security setting, the following is stated:
"The additional protection includes Windows operating system mitigation such as Hardware Enforced Stack Protection, Arbitrary Code Guard (ACG) and Control Flow Guard (CFG)."
So my conclusion would be:
The EnhanceSecurityMode controls on Windows devices - in addition to JavaScript with JIT - the Hardware Enforced Stack Protection, ACG and CFG.
Furthermore, it seems the EnhanceSecurityMode takes the site engagement (at least in balanced mode) into consideration (with exceptions made in EnhanceSecurityModeBypassListDomains).
Best,
Joe
- Johannes Goerlich, Aug 04, 2022, Iron Contributor
Thanks for catching up, Kelly! This updated documentation confirms my understanding. The improvements to have a third mode are very useful. And from the linked sources I read that an emulated ACG for Linux and Mac is on track.
Btw, a good read on Hardware-Enforced Stack Protection can be found at https://techcommunity.microsoft.com/t5/windows-kernel-internals-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815
BR,
Joe
- Kelly_Y, Aug 04, 2022, Microsoft
Johannes Goerlich Hi! Just wanted to let you know that in Microsoft Edge v104 there have been improvements to enhanced security mode. There is now Basic, Balanced and Strict mode. The documentation has been updated here: Browse more safely with Microsoft Edge | Microsoft Docs. Thanks!
-Kelly