We are pleased to announce the enterprise-ready release of the security baseline for Microsoft Edge version 92!
We have reviewed the settings in Microsoft Edge version 92 and updated our guidance with the addition of 3 settings and the removal of 1 setting. A new Microsoft Edge security baseline package was just released to the Download Center. You can download the new package from the Security Compliance Toolkit.
Specifies whether SharedArrayBuffers can be used in a non cross-origin-isolated context
JavaScript SharedArrayBuffer is only exposed in cross-origin-isolated contexts because the shared memory it provides can be turned into a high-resolution timer for speculative-execution (Spectre-style) side channels that leak cross-origin data. A site opts into cross-origin isolation by sending the Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy response headers; this policy exists only as a compatibility escape hatch for sites that have not yet done so, and it should not be used to relax that isolation. The security baseline therefore configures this setting to Disabled.
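The fix for a site that needs SharedArrayBuffer is to become cross-origin isolated rather than to enable this policy. The following is an added example, not code from the baseline post or from Microsoft: a Node.js request handler that sends the two isolation headers, plus a simplified, hypothetical model of the browser's decision that checks those headers. Real browsers also require every embedded cross-origin subresource to opt in (via CORS or Cross-Origin-Resource-Policy) and the framing ancestors to be isolated; those parts are not modelled here.

```javascript
// Added example: how a site opts into cross-origin isolation so that
// SharedArrayBuffer works without relaxing the Edge policy.
// The isCrossOriginIsolated() checker is a simplified model, not the browser's code.

const COOP = 'cross-origin-opener-policy';
const COEP = 'cross-origin-embedder-policy';

// Response headers that opt the top-level document into cross-origin isolation.
function isolationHeaders() {
  return {
    [COOP]: 'same-origin',
    [COEP]: 'require-corp',
  };
}

// Header a cross-origin subresource (script, image, font) must carry so that a
// COEP: require-corp document is allowed to load it.
function resourceHeaders() {
  return { 'cross-origin-resource-policy': 'cross-origin' };
}

// Simplified model: a document is cross-origin isolated when its top-level
// response carried COOP: same-origin and COEP: require-corp. Header names and
// values are compared case-insensitively; subresource and ancestor checks are omitted.
function isCrossOriginIsolated(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers || {})) {
    h[k.toLowerCase()] = String(v).trim().toLowerCase();
  }
  return h[COOP] === 'same-origin' && h[COEP] === 'require-corp';
}

// Node.js handler for http.createServer(handler): serves a page with the isolation
// headers set. The page itself reports self.crossOriginIsolated, which Edge sets to
// true only when the document really is isolated. The server is not started here.
function handler(req, res) {
  res.writeHead(200, {
    'content-type': 'text/html; charset=utf-8',
    ...isolationHeaders(),
  });
  res.end(
    '<!doctype html><body><script>' +
    'document.body.textContent = "crossOriginIsolated: " + self.crossOriginIsolated;' +
    '</script></body>'
  );
}
```

To try it, wrap `handler` in `require('http').createServer(handler).listen(8080)` and open the page in Edge with the baseline applied; `crossOriginIsolated` reads `true` and `new SharedArrayBuffer(8)` succeeds, while removing either header turns it `false`.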
Allow unconfigured sites to be reloaded in Internet Explorer mode
When it comes to security, administrators are the experts. Allowing an end user to relax the security posture without understanding the implications rarely ends well, especially when attackers can use social-engineering techniques to trick users into making unsafe choices. A site reloaded in IE mode is rendered by the legacy Internet Explorer engine, so this is exactly the kind of choice that should stay with the administrator. The security baseline therefore configures this setting to Disabled, so end users cannot reload arbitrary websites in IE mode.
NOTE: If your enterprise has legacy sites that still require IE mode, you should configure them using the IE mode policies outlined here.
Specifies whether to allow insecure websites to make requests to more-private network endpoints
Allowing public internet sites to “peek” behind your firewall by using the user’s browser to mix intranet resources (for example, services on localhost or devices on RFC 1918 addresses) into internet-delivered pages represents a dangerous attack surface, and browsers are beginning to restrict such architectures under the name Private Network Access. The baseline configures this setting to Disabled, which enforces the new browser restriction: a request to a more-private network endpoint is blocked when the page that initiated it was delivered over insecure HTTP.
NOTE: If you need to permit insecure cross-network requests for legacy sites while they are being fixed, you can configure temporary exceptions in ‘Allow the listed sites to make requests to more-private network endpoints from insecure contexts’. That setting takes a list of URL patterns matching the initiating (internet) pages, not the intranet targets.
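To make the rule concrete, here is an added example that is not part of the baseline post and not Microsoft's code: a simplified model of the Private Network Access decision the baseline enforces. It classifies a target address into the address spaces the browser uses (public, private, local), treats a request as a private network request when the target is more private than the page that issued it, and then allows it only if the page is a secure context or its origin matches an allowlist that stands in for the exception-list setting above. The IP classification, the URL-pattern matcher and the unresolved-hostname handling are deliberately reduced; the browser resolves names and checks the real peer address.

```javascript
// Added example: simplified model of Edge/Chromium Private Network Access (PNA)
// under the baseline setting (insecure private network requests disallowed).
// Not the browser's implementation; address-space and pattern logic are reduced.

const SPACE_RANK = { public: 0, private: 1, local: 2 }; // higher = more private

function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every(n => n <= 255) ? octets : null;
}

// Classify a target host (IP literal or name) into a PNA address space.
function addressSpace(host) {
  const h = String(host).toLowerCase().replace(/^\[|\]$/g, '');
  if (h === 'localhost' || h.endsWith('.localhost') || h === '::1') return 'local';
  const v4 = parseIPv4(h);
  if (v4) {
    const [a, b] = v4;
    if (a === 127) return 'local';                                   // loopback
    if (a === 10 || (a === 172 && b >= 16 && b <= 31) ||
        (a === 192 && b === 168) || (a === 169 && b === 254)) return 'private'; // RFC 1918 + link-local
    return 'public';
  }
  // IPv6 unique-local (fc00::/7) and link-local (fe80::/10) count as private.
  if (/^f[cd][0-9a-f]{2}:/.test(h) || /^fe[89ab][0-9a-f]:/.test(h)) return 'private';
  // Constructed simplification: a name we cannot resolve offline is treated as public.
  return 'public';
}

// Reduced Chromium-style URL pattern: "*", "host", "[*.]host", optionally with a scheme.
function matchesPattern(pattern, origin) {
  if (pattern === '*') return true;
  const u = new URL(origin);
  let p = pattern;
  const schemeMatch = /^([a-z]+):\/\//.exec(p);
  if (schemeMatch) {
    if (schemeMatch[1] !== u.protocol.replace(':', '')) return false;
    p = p.slice(schemeMatch[0].length);
  }
  p = p.replace(/\/.*$/, '').replace(/:\d+$/, '');
  if (p.startsWith('[*.]')) {
    const d = p.slice(4);
    return u.hostname === d || u.hostname.endsWith('.' + d);
  }
  return u.hostname === p;
}

// Decide whether a fetch from the page at initiatorOrigin (itself served from
// initiatorSpace) to targetHost is allowed. allowlist stands in for the
// 'Allow the listed sites ... from insecure contexts' exception list.
function decide(initiatorOrigin, initiatorSpace, targetHost, allowlist = []) {
  const targetSpace = addressSpace(targetHost);
  const pnr = SPACE_RANK[targetSpace] > SPACE_RANK[initiatorSpace];
  if (!pnr) return { privateNetworkRequest: false, allowed: true, reason: 'not a private network request' };
  if (new URL(initiatorOrigin).protocol === 'https:') {
    return { privateNetworkRequest: true, allowed: true, reason: 'secure context' };
  }
  if (allowlist.some(p => matchesPattern(p, initiatorOrigin))) {
    return { privateNetworkRequest: true, allowed: true, reason: 'initiator on exception list' };
  }
  return { privateNetworkRequest: true, allowed: false, reason: 'insecure context blocked by baseline' };
}
```

Running `decide('http://attacker.example', 'public', '192.168.1.1')` yields a blocked private network request, the same call from an `https://` origin is allowed, and an `http://` page is allowed only when its origin matches a pattern such as `[*.]corp.example` in the exception list.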
Allow certificates signed using SHA-1 when issued by local trust anchors
As we communicated in the version 85 release, this setting was temporary and a bridge for organizations. We have removed this setting from the baseline as the setting is considered obsolete and there is no supported mechanism to allow SHA-1 any longer, even for certificates issued by your non-public Certificate Authorities.
Microsoft Edge version 92 introduced 11 new computer settings and 11 new user settings. We have included a spreadsheet in the release to make it easier for you to find them.
As a friendly reminder, all available settings for Microsoft Edge are documented here, and all available settings for Microsoft Edge Update are documented here.
Please continue to give us feedback through the Security Baseline Community or this post.
Learn more: aka.ms/baselines | Download the Security Compliance Toolkit: aka.ms/SCT