Feb 08 2022 04:14 PM
Hello,
Can anybody point me to a resource that has details about the new EnhanceSecurityMode policy? It is not clear from the policy documentation what this actually does:
Microsoft Edge Browser Policy Documentation | Microsoft Docs
I searched this forum and elsewhere for information, but I can only find the release notes, the policy documentation, and news articles that point to these original sources.
Is this mode a rebranding of the 'super duper secure mode' announced last year that disables JIT?
Thanks!
Andrew
Jun 17 2022 11:57 AM
@Johannes Goerlich Hello! Yes, based upon the documentation for the DefaultJavaScriptJitSetting policy it does say "Disabling the JavaScript JIT may allow Microsoft Edge to render web content in a more secure configuration."
https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#defaultjavascriptjitsetting
-Kelly
Jun 29 2022 10:37 AM
@Johannes Goerlich Setting the EnhanceSecurityMode policy to Strict mode or setting the DefaultJavaScriptJitSetting policy to BlockJavaScriptJit will have the same effect by changing the Enhance your security on the web setting (edge://settings/privacy) to Strict.
-Kelly
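To see which of the two policies Kelly mentions is actually set on a managed Windows device, here is an added PowerShell check (my own example, not code from the thread or from Microsoft). It assumes the standard Edge policy registry keys under HKLM/HKCU\SOFTWARE\Policies\Microsoft\Edge; the numeric value meanings in the comments are my reading of the policy documentation and should be verified against the current docs.

```powershell
# Added example, not code from the thread or from Microsoft: report the Edge
# policies discussed above at machine and user policy scope.
# Assumptions: HKLM/HKCU\SOFTWARE\Policies\Microsoft\Edge are the standard Edge
# policy keys; the numeric mappings below (EnhanceSecurityMode 0 = off,
# 1 = Balanced, 2 = Strict; DefaultJavaScriptJitSetting 1 = AllowJavaScriptJit,
# 2 = BlockJavaScriptJit) are my reading of the policy docs; verify before use.

$policyRoots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge',
    'HKCU:\SOFTWARE\Policies\Microsoft\Edge'
)
$esmNames = @{ 0 = 'Off'; 1 = 'Balanced'; 2 = 'Strict' }
$jitNames = @{ 1 = 'AllowJavaScriptJit'; 2 = 'BlockJavaScriptJit' }

function Get-EdgePolicyValue {
    param([string]$Root, [string]$Name)
    # Returns $null when the policy is not configured at this scope.
    if (-not (Test-Path $Root)) { return $null }
    $item = Get-ItemProperty -Path $Root -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

foreach ($root in $policyRoots) {
    $esm = Get-EdgePolicyValue -Root $root -Name 'EnhanceSecurityMode'
    $jit = Get-EdgePolicyValue -Root $root -Name 'DefaultJavaScriptJitSetting'

    Write-Output $root
    if ($null -ne $esm) { Write-Output ("  EnhanceSecurityMode = {0} ({1})" -f $esm, $esmNames[[int]$esm]) }
    else { Write-Output "  EnhanceSecurityMode = not configured" }
    if ($null -ne $jit) { Write-Output ("  DefaultJavaScriptJitSetting = {0} ({1})" -f $jit, $jitNames[[int]$jit]) }
    else { Write-Output "  DefaultJavaScriptJitSetting = not configured" }

    # Per Kelly's reply: Strict mode and BlockJavaScriptJit both drive the
    # "Enhance your security on the web" setting to Strict, so flag a policy
    # pair that pulls in opposite directions for review in edge://policy.
    if ($esm -eq 2 -and $jit -eq 1) {
        Write-Output "  NOTE: EnhanceSecurityMode is Strict but JIT is explicitly allowed; review"
    }

    # Bypass list (list policy: numbered string values under a subkey) whose
    # domains are exempted from the mode, as noted later in the thread.
    $bypassKey = Join-Path $root 'EnhanceSecurityModeBypassListDomains'
    if (Test-Path $bypassKey) {
        $domains = (Get-ItemProperty -Path $bypassKey).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
        Write-Output ("  EnhanceSecurityModeBypassListDomains = {0}" -f ($domains -join ', '))
    }
}
```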
Jul 11 2022 04:30 AM
@Kelly_Y
I just saw in the documentation for the security modes at https://docs.microsoft.com/en-us/deployedge/microsoft-edge-security-browse-safer that, besides JIT, other features are also mentioned as part of the modes: "These protections include Hardware-enforced Stack Protection [CET] and Arbitrary Code Guard (ACG)."
At https://microsoftedge.github.io/edgevr/posts/Introducing-Enhanced-Security-for-Microsoft-Edge/ it also reads, for example, as "By applying these protections, we can provide defense in depth that spans beyond JIT attacks."
For the SDSM (https://microsoftedge.github.io/edgevr/posts/Super-Duper-Secure-Mode/) it was said back then: "Currently, SDSM disables JIT (TurboFan/Sparkplug) and enables CET." But there were no details about ACG. Not sure if ACG was already a thing.
This still makes me wonder whether setting the DefaultJavaScriptJitSetting policy to BlockJavaScriptJit also has an impact on CET and ACG, as well as other features like CFG (which would be very confusing to me).
Aug 04 2022 05:21 AM
Behind the question mark next to the Enhance your security on the web security setting the following is stated:
"The additional protection includes Windows operating system mitigation such as Hardware Enforced Stack Protection, Arbitrary Code Guard (ACG) and Control Flow Guard (CFG)."
So my conclusion would be:
The EnhanceSecurityMode controls on Windows devices - in addition to JavaScript with JIT - the Hardware Enforced Stack Protection, ACG and CFG.
Furthermore, it seems the EnhanceSecurityMode takes the site engagement (at least in balanced mode) into consideration (with exceptions made in EnhanceSecurityModeBypassListDomains).
Best,
Joe
Aug 04 2022 11:50 AM
@Johannes Goerlich Hi! Just wanted to let you know that in Microsoft Edge v104 there have been improvements to enhanced security mode. There is now Basic, Balanced and Strict mode. The documentation has been updated here: Browse more safely with Microsoft Edge | Microsoft Docs. Thanks!
-Kelly
Aug 04 2022 01:21 PM - edited Aug 04 2022 01:26 PM
Thanks for catching up, Kelly! This updated documentation confirms my understanding. The improvements to have a third mode are very useful. And from the linked sources I read that an emulated ACG for Linux and Mac is on track.
BTW, a good read on Hardware-Enforced Stack Protection can be found at https://techcommunity.microsoft.com/t5/windows-kernel-internals-blog/understanding-hardware-enforced...
BR,
Joe
Feb 16 2022 02:58 AM - edited Feb 16 2022 02:58 AM
Solution
Check out this article: