Security baseline for Microsoft Edge, version 88
Published Jan 25 2021 08:26 AM
Microsoft


We are pleased to announce the enterprise-ready release of the security baseline for Microsoft Edge version 88!


We have reviewed the settings in Microsoft Edge version 88 and updated our guidance with the addition of one setting that we will explain below. A new Microsoft Edge security baseline package was just released to the Download Center. You can download the version 88 package from the Security Compliance Toolkit.


Basic Authentication

HTTP Basic Authentication is a non-secure authentication method: the username and password are sent to the server base64-encoded, which is trivially reversible and offers no confidentiality, so the credentials are effectively plaintext. When Basic Authentication is used over non-secure HTTP connections, anyone who can observe the traffic on the network can recover the credentials.

Basic Authentication for HTTP has been configurable since Internet Explorer 7. Until now, however, there wasn't a way to configure it for Microsoft Edge. With version 88 we now have that ability and are recommending the disablement of basic authentication over HTTP. Disabling Basic Authentication over HTTP falls in line with our other security baselines where we disable this method.


Microsoft Edge version 88 introduced 17 new computer settings and 17 new user settings. We have included a spreadsheet listing the new settings in the release to make it easier for you to find them.


As a friendly reminder, all available settings for Microsoft Edge are documented here, and all available settings for Microsoft Edge Update are documented here.


Please continue to give us feedback through the Security Baselines Discussion site or this post.


8 Comments
Copper Contributor

I have been following the baselines and already have Basic authentication disabled with 'Microsoft Edge\HTTP authentication\Supported Authentication schemes: Enabled: ntlm, negotiate'. It seems like the new recommended 'Allow Basic authentication over HTTP' would not have an effect if Basic auth is already disabled. Would setting 'disallow Basic over HTTP' make it feasible to add Basic auth back to the list of supported authentication schemes? We've had to make an exception group for embedded equipment that uses Basic, and it seems that this would eliminate much of that need.

Copper Contributor

I don't see the spreadsheet attached. Can that be added?

Microsoft

@MikeGnau the spreadsheet is contained within the release that is posted on the Download Center.

Microsoft

@GavinHW had to consult with the PM on this one as I wasn't positive on the best answer for you. Here is his response:

If you specify "Supported authentication schemes" without allowing Basic, then this new policy has no effect.

If you add basic back to "Supported authentication schemes", you can then set "Allow Basic authentication for HTTP" to disabled to permit Basic for only HTTPS connections.
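The interaction described in the post and in this reply, as an added PowerShell example that is not code from the post, the baseline package or Microsoft: it reads the two Edge HTTP-authentication policies from the local policy registry key, models which combinations allow Basic for a given URL, and can apply the baseline values on a standalone machine. The registry value names `AuthSchemes` ("Supported authentication schemes") and `BasicAuthOverHttpEnabled` ("Allow Basic authentication for HTTP") under `HKLM:\SOFTWARE\Policies\Microsoft\Edge`, and the not-configured default scheme list `basic,digest,ntlm,negotiate`, are assumptions taken from the Edge policy reference as I recall it; check them against the policy documentation for your Edge version before relying on them.

```powershell
# Added example (not from the post or the baseline package).
# Assumed policy-backed registry values (verify against the Edge policy reference):
#   AuthSchemes              REG_SZ    "Supported authentication schemes" (comma list)
#   BasicAuthOverHttpEnabled REG_DWORD "Allow Basic authentication for HTTP" (0 = Disabled)
$EdgePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

function Get-EdgeAuthPolicy {
    # Returns the configured values; $null means "Not configured" for that policy.
    $props = Get-ItemProperty -Path $EdgePolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AuthSchemes = if ($props -and $props.PSObject.Properties['AuthSchemes']) { [string]$props.AuthSchemes } else { $null }
        BasicAuthOverHttpEnabled = if ($props -and $props.PSObject.Properties['BasicAuthOverHttpEnabled']) { [int]$props.BasicAuthOverHttpEnabled } else { $null }
    }
}

function Test-EdgeBasicAuthAllowed {
    # Models the interaction explained in the thread:
    #  - basic absent from AuthSchemes          -> never offered; the HTTP policy is irrelevant
    #  - basic present, BasicAuthOverHttpEnabled=0 -> Basic only on https:// origins
    #  - basic present, policy 1 or not configured -> Basic on http:// as well
    param(
        [Parameter(Mandatory)][uri]$Url,
        [string]$AuthSchemes,                   # empty = not configured
        [Nullable[int]]$BasicAuthOverHttpEnabled # $null = not configured
    )
    # Assumed Chromium default when the scheme list is not configured.
    $schemes = if ([string]::IsNullOrWhiteSpace($AuthSchemes)) {
        @('basic', 'digest', 'ntlm', 'negotiate')
    } else {
        $AuthSchemes.Split(',') | ForEach-Object { $_.Trim().ToLowerInvariant() }
    }
    $result = [ordered]@{ Url = $Url.AbsoluteUri; BasicAllowed = $false; Reason = '' }
    if ('basic' -notin $schemes) {
        $result.Reason = 'basic is not in Supported authentication schemes'
    } elseif ($Url.Scheme -eq 'http' -and $BasicAuthOverHttpEnabled -eq 0) {
        $result.Reason = 'Allow Basic authentication for HTTP is Disabled'
    } else {
        $result.BasicAllowed = $true
        $result.Reason = 'basic is listed and the URL/policy combination permits it'
    }
    [pscustomobject]$result
}

function Set-EdgeBaselineAuthPolicy {
    # Writes the baseline values locally (for a lab or standalone host; use the
    # GPO from the baseline package in a domain). Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Schemes = 'ntlm,negotiate')
    if ($PSCmdlet.ShouldProcess($EdgePolicyKey, "AuthSchemes='$Schemes'; BasicAuthOverHttpEnabled=0")) {
        if (-not (Test-Path $EdgePolicyKey)) { New-Item -Path $EdgePolicyKey -Force | Out-Null }
        Set-ItemProperty -Path $EdgePolicyKey -Name AuthSchemes -Value $Schemes -Type String
        Set-ItemProperty -Path $EdgePolicyKey -Name BasicAuthOverHttpEnabled -Value 0 -Type DWord
    }
}

# Usage: audit the host's current policy against two constructed device URLs.
$policy = Get-EdgeAuthPolicy
foreach ($u in 'http://printer.corp.example', 'https://printer.corp.example') {
    Test-EdgeBasicAuthAllowed -Url $u -AuthSchemes $policy.AuthSchemes `
        -BasicAuthOverHttpEnabled $policy.BasicAuthOverHttpEnabled
}

# Walk the three combinations from the thread without touching the registry.
Test-EdgeBasicAuthAllowed -Url 'http://printer.corp.example'  -AuthSchemes 'ntlm,negotiate'       -BasicAuthOverHttpEnabled 0   # not allowed: basic not listed
Test-EdgeBasicAuthAllowed -Url 'http://printer.corp.example'  -AuthSchemes 'basic,ntlm,negotiate' -BasicAuthOverHttpEnabled 0   # not allowed: HTTP blocked
Test-EdgeBasicAuthAllowed -Url 'https://printer.corp.example' -AuthSchemes 'basic,ntlm,negotiate' -BasicAuthOverHttpEnabled 0   # allowed: HTTPS only
```

Run the audit portion as-is on any host to see the effective combination; run `Set-EdgeBaselineAuthPolicy -WhatIf` first if you intend to write the local values. Adding `basic` back to the scheme list, as the exception case in the thread does, still exposes the credential to any site that can prompt for Basic over HTTPS, so the scheme list, not the HTTP policy, remains the control that decides whether Basic is offered at all.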
Copper Contributor

@Rick_Munck I wonder why Microsoft recommends removing basic authentication from the "Supported authentication schemes" as a default in the security baseline and then also disables it over http too when, as you said, removing it from the "Supported authentication schemes" renders the http setting useless?

I guess this will confuse people and might make them believe that it's safe to add basic authentication back into the "Supported authentication schemes", which it is not.

Copper Contributor

Hi,

What is the point of setting Allow basic authentication for HTTP to Disabled, if it is not added in the supported authentication schemes? It will still not allow for Basic Authentication over HTTPS as far as I understand.

Microsoft Edge\HTTP authentication\Allow Basic authentication for HTTP: Disabled
Microsoft Edge\HTTP authentication\Supported authentication schemes: Enabled: ntlm,negotiate

Microsoft

@Old-School-Trancer as mentioned in the above response, it gives greater control, as there are certain cases where one might need to allow Basic but restrict it to HTTPS. We have seen and gotten this request from multiple customers, which was the reason for adding the ability.

@Richard_van_Nuland please review the above response to GavinHW; there are certain scenarios where both settings are required to better control a need from certain user groups.

Copper Contributor

It appears that "Allow Basic Auth over HTTP" was added to the base Chromium build, so it will be supported cross browser. Now it will be a debate if we want to go off baseline to re-enable Basic but with the HTTPS req as a control/mitigation.


I will say, I prefer the Firefox authentication policy. It allows you to control per authentication scheme per origin, which gives good granularity. So you can set something along the lines of 'only allow Basic auth to this domain or URL and block everywhere else'. The Chromium monolithic approach of a single authentication scheme list and a single Kerberos delegation list can be limiting.
