
Microsoft Security Baselines Blog

Security baseline for Microsoft Edge v102

Rick_Munck
Jun 03, 2022

We are pleased to announce the enterprise-ready release of the security baseline for Microsoft Edge, version 102!

 

We have reviewed the new settings in Microsoft Edge version 102 and determined that there are no additional security settings that require enforcement. The Microsoft Edge version 98 package continues to be our recommended baseline. That baseline package can be downloaded from the Microsoft Security Compliance Toolkit.

 

There are 2 settings we would like to call out: Enable the network service sandbox, and List of origins that allow all HTTP authentication.

 

Enable the network service sandbox (Consider Testing)

This policy controls whether the network service process runs sandboxed. Sandboxing the network service reduces security risk, but we are not ready to enforce this setting yet. In the future, sandboxing of the network service will be enabled by default and required by the security baseline. For now, please test turning the policy on and see whether anything breaks in your environment, specifically in the application compatibility arena. If you experience any issues, please talk to your antivirus/security-software vendor and mention this policy setting.

 

List of origins that allow all HTTP authentication (Worth Mentioning)

The last time we discussed HTTP authentication was with version 88. Since then, admins have asked for more granularity. With version 102, this policy provides a way for enterprises to safely deploy an existing lockdown policy (AuthSchemes) to turn off legacy schemes (e.g. Basic and Digest) while still allowing the use of those legacy schemes on individually listed websites. That means, for instance, an admin can now set a configuration of “My users cannot use ‘Basic’ auth except on https://crustyoldservicegettingreplacedsoon.contoso.intranet.” This wasn’t possible before: if you needed to allow a legacy auth scheme for any site, you had to allow it for every site.
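
An added example, not part of the original post or the baseline package: a read-only PowerShell audit that reports whether AuthSchemes still allows Basic or Digest on every site and which origins are exempted from the lockdown. AuthSchemes and AllHttpAuthSchemesAllowedForOrigins are the Edge policy names as stored in the registry; the function name and the wording of the findings are assumptions made for this example.

```powershell
# Added example: read-only audit of Edge's HTTP-auth policy on this machine.
# AuthSchemes and AllHttpAuthSchemesAllowedForOrigins are the Edge policy names;
# Get-EdgeAuthPolicyReport and its findings text are hypothetical, made up here.
function Get-EdgeAuthPolicyReport {
    # Machine policy by default; pass the HKCU:\ equivalent to check user policy.
    param([string]$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge')

    $legacy   = 'basic', 'digest'
    $findings = @()

    # AuthSchemes is one comma-separated string, e.g. "ntlm,negotiate".
    $raw = (Get-ItemProperty -Path $PolicyKey -Name AuthSchemes -ErrorAction SilentlyContinue).AuthSchemes
    $schemes = @()
    if ($null -eq $raw) {
        $findings += 'AuthSchemes is not set: Basic and Digest remain allowed on every site.'
    } else {
        $schemes = @($raw.Split(',') | ForEach-Object { $_.Trim().ToLowerInvariant() } | Where-Object { $_ })
        $stillOn = @($schemes | Where-Object { $legacy -contains $_ })
        if ($stillOn.Count -gt 0) {
            $findings += "AuthSchemes still allows legacy scheme(s) on every site: $($stillOn -join ', ')"
        }
    }

    # List policies are stored as a subkey whose values are named 1, 2, 3, ...
    $listKey = Join-Path $PolicyKey 'AllHttpAuthSchemesAllowedForOrigins'
    $origins = @()
    if (Test-Path $listKey) {
        $key     = Get-Item -Path $listKey
        $origins = @($key.GetValueNames() | ForEach-Object { [string]$key.GetValue($_) })
    }
    foreach ($origin in $origins) {
        if ($origin.Contains('*'))    { $findings += "Exception uses a wildcard; review its scope: $origin" }
        if ($origin -like 'http://*') { $findings += "Exception is cleartext HTTP; Basic credentials cross the network unencrypted: $origin" }
    }
    if ($origins.Count -gt 0 -and $null -eq $raw) {
        $findings += 'Exceptions are listed but AuthSchemes is unset, so they restrict nothing.'
    }

    [pscustomobject]@{
        AuthSchemes      = $schemes
        ExceptionOrigins = $origins
        Findings         = $findings
    }
}

Get-EdgeAuthPolicyReport | Format-List
```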

 

Microsoft Edge version 102 introduced 7 new computer settings and 7 new user settings. We have included a spreadsheet listing the new settings in the release to make it easier for you to find them.

 

As a friendly reminder, all available settings for Microsoft Edge are documented here, and all available settings for Microsoft Edge Update are documented here.

 

Please continue to give us feedback through the Security Baselines Discussion site or this post.

Published Jun 03, 2022
Version 1.0

2 Comments

  • Annijonn
    Copper Contributor

    Thanks for letting us know about it, I think you can also explore out the different options about it.

  • OliverUlm
    Copper Contributor

    During testing of the Network Service Sandbox Setting in our IT department our developers ran into issues with applications no longer starting for debugging from Visual Studio (browser reported a Timeout). Upon further investigation it turned out that the setting seems to completely block requests to localhost.

     

    We verified this at least with IIS Express (from Visual Studio 2019 and 2022), as well as with the node-js dev-server. We also identified at least one SaaS-application that uses requests to localhost from its Web Interface to communicate with a locally installed connector application for telephony integration (CTI).

     

    Is this restriction of calls to localhost intentional or something that has simply slipped through so far? Is there some more in-depth documentation on what exactly is restricted inside this sandbox (I was unable to find this information through an admittedly short Google search).