Microsoft Security Baselines Blog

Security baseline for Microsoft Edge v92

Rick_Munck
Microsoft
Jul 26, 2021

We are pleased to announce the enterprise-ready release of the security baseline for Microsoft Edge version 92!

We have reviewed the settings in Microsoft Edge version 92 and updated our guidance with the addition of 3 settings and the removal of 1 setting. A new Microsoft Edge security baseline package was just released to the Download Center. You can download the new package from the Security Compliance Toolkit.

Specifies whether SharedArrayBuffers can be used in a non cross-origin-isolated context

To prevent cross-origin data theft, JavaScript SharedArrayBuffers can only be used from cross-origin-isolated contexts. To maintain proper cross-origin security, this policy should not be used to relax the isolation restriction. The security baseline prohibits relaxing it and configures this setting to Disabled.

Allow unconfigured sites to be reloaded in Internet Explorer mode

When it comes to security, administrators are the experts. Allowing an end-user to relax their security posture without awareness of the implications doesn’t usually end well, especially when attackers can use social-engineering techniques to trick users into making unsafe choices. Therefore, the security baseline forbids allowing end-users to open arbitrary websites in IE mode.

NOTE: If your enterprise has legacy sites that still require IE mode, you should configure them using the IE mode policies outlined here.

Specifies whether to allow insecure websites to make requests to more-private network endpoints

Allowing public internet sites to “peek” behind your firewall by using the user’s browser to mix intranet resources into internet-delivered pages represents a dangerous attack surface, and browsers are beginning to introduce restrictions upon such architectures. The baseline requires enforcement of the new browser restriction that any such intranet requests are blocked if the internet page was delivered over insecure HTTP.

NOTE: If for some reason you need to permit insecure cross-network requests for legacy sites, you can configure temporary exceptions in ‘Allow the listed sites to make requests to more-private network endpoints from insecure contexts’.
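
The following Python sketch is an added example, not code from Microsoft or from the baseline package. It models the restriction described above: a request is only of interest when its target sits in a more-private address space than the page, and it is blocked when that page was delivered over plain HTTP and is not on the exception list. The address ranges, the exact-origin exception match, and the `.example` hosts and IP addresses are simplifying assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Simplified address-space table (assumption, not Edge's implementation):
# loopback is "local"; RFC 1918, link-local and IPv6 ULA are "private".
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128")]
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fc00::/7", "fe80::/10")]
RANK = {"public": 0, "private": 1, "local": 2}  # higher = more private


def address_space(ip_text):
    """Classify an IP literal as 'public', 'private' or 'local'."""
    ip = ipaddress.ip_address(ip_text)
    # An IPv4-mapped IPv6 address is judged by the IPv4 address it embeds.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if any(ip in net for net in LOCAL_NETS):
        return "local"
    if any(ip in net for net in PRIVATE_NETS):
        return "private"
    return "public"


def evaluate(page_url, page_ip, target_ip, exceptions=()):
    """Return 'allow' or 'block' for a request the page makes to target_ip."""
    parts = urlsplit(page_url)
    if RANK[address_space(target_ip)] <= RANK[address_space(page_ip)]:
        return "allow"  # target is not more private than the page
    if parts.scheme == "https":
        return "allow"  # page was not delivered over insecure HTTP
    if f"{parts.scheme}://{parts.netloc}" in exceptions:
        return "allow"  # listed as a temporary exception (exact origin match)
    return "block"      # insecure page reaching a more-private endpoint


if __name__ == "__main__":
    # Constructed sample requests: (page URL, page IP, target IP).
    samples = [
        ("http://news.example/", "203.0.113.10", "192.168.1.1"),
        ("https://news.example/", "203.0.113.10", "192.168.1.1"),
        ("http://intranet.example/", "10.0.0.5", "127.0.0.1"),
        ("http://news.example/", "203.0.113.10", "198.51.100.7"),
    ]
    for url, src, dst in samples:
        print(url, src, "->", dst, evaluate(url, src, dst))
```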

Allow certificates signed using SHA-1 when issued by local trust anchors

As we communicated in the version 85 release, this setting was temporary and a bridge for organizations. We have removed this setting from the baseline as the setting is considered obsolete and there is no supported mechanism to allow SHA-1 any longer, even for certificates issued by your non-public Certificate Authorities.

Microsoft Edge version 92 introduced 11 new computer settings and 11 new user settings. We have included a spreadsheet in the release to make it easier for you to find them.

As a friendly reminder, all available settings for Microsoft Edge are documented here, and all available settings for Microsoft Edge Update are documented here.

Please continue to give us feedback through the Security Baseline Community or this post.

Updated Jul 19, 2021
Version 1.0
  • SilviaAR
    Copper Contributor

    Hi all,

    We are going to publish Edge Chromium in our Citrix XenApp servers. We would need to remove the address bar for all users in Edge Chromium running on XenApp servers to prevent them from browsing, but we are not able to use Kiosk mode.

    Would it be possible?

    Thanks in advance.

  • nketchum
    Copper Contributor

    Anyone getting any errors when updating the ADMX templates on this one?

    The resource for: (string.Name_ForceInstallsMachine) seems to be missing from the msedgeupdate.adml file.