Microsoft Edge: And the Fantabulous Security of One Browser

This time a simple blog about creating an Edge baseline with the settings catalog (and administrative templates) and deploying it with PowerShell.

While writing this blog, I decided to also add some information on how you can retrieve and push settings with PowerShell. I also point to my updated blog about Fiddler.

I have written a lot of blogs about securing your endpoints, securing your data and securing your Microsoft 365, but I have not yet talked about making sure your Edge browser is configured and secured properly.

I am going to divide this blog into 2 parts:

  1. Some background information on why you need to secure your Edge browser
  2. How you can automate the security and configuration of your Edge browser with PowerShell (settings catalog and administrative templates)

1. Background information

First, we are going to take a look at why you need to secure your Edge browser. When you want to secure Microsoft Edge, you can easily deploy the Microsoft Edge security baseline from the Endpoint security tab in Intune.

But you could be asking yourself: why do I need to secure my browser? Let’s take a look at some of the risks and mitigations.

Browser Extensions

Extensions, or add-ons, are simple tools that customize your browser experience and offer you more control. But at the same time they can redirect users to ads or phishing sites, collect user data, or download malware onto the system.

The CacheFlow extension campaign is one of many examples.

Extensions can also be downloaded from other sites, including sites that are infected with malware, and such a site can install a malicious extension without the user’s knowledge.

So blocking the ability to add extensions, and explicitly specifying which extensions may be installed, is the way to go.

Site Isolation

Do you remember the Spectre attack from 2018? The Spectre vulnerability takes advantage of flaws in the optimization features (speculative execution) of modern CPUs to circumvent the security mechanisms that prevent different processes from accessing each other’s memory. Even though newer CPUs mitigate Spectre at the hardware level, it is still important to enable site isolation mode.

With site isolation turned on you mitigate this attack. Site isolation is a security feature that separates web pages so that each site gets its own process. Spectre attacks are all about inducing the processor to leak data at a specific moment, so let’s configure site isolation to make sure an attacker will find it much more difficult to get their hands on sensitive information from another site.

Defender SmartScreen

SmartScreen is a feature that helps protect your PC from downloaded malware and malicious websites. When you download an application or file, SmartScreen checks it against a Microsoft reputation database. If Microsoft knows it is safe, SmartScreen allows it to run; if Microsoft rates it as dangerous malware, SmartScreen blocks it. It also makes sure known malicious web content is blocked.

So this feature is very important: it has to be configured and enabled!

TLS

TLS is a cryptographic protocol that provides data encryption and authentication between endpoints. It is very important that this authentication and encryption is actually secure.

TLS versions:

TLS 1.0 was released in 1999. It is known to be vulnerable to attacks like POODLE and BEAST.

TLS 1.1 has no known vulnerabilities, but it does not provide any modern cipher modes.

TLS 1.2 keeps data transferred across the network more secure.

TLS 1.3 has removed common vulnerabilities within the protocol, strengthening overall security.

Luckily Microsoft Edge version 84 disables TLS 1.0 and TLS 1.1 by default, but it is still possible to re-enable these protocols, so we need to make sure TLS 1.2 is configured as the minimum SSL/TLS version.

SHA-1

SHA-1 is most often used to verify that a file has not been altered. This is done by producing a checksum before the file is transmitted, and again once it reaches its destination.

But since 2005 it has been considered insecure, because weaknesses in SHA-1 make the hash particularly susceptible to collision attacks.
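The extension, site isolation, SmartScreen and TLS items above map to Edge policies that land in the machine-wide policy registry key. The audit script below is an added example, not part of the original post; it assumes the policies are delivered to HKLM:\SOFTWARE\Policies\Microsoft\Edge and reports which of those hardening items is not enforced.

```powershell
# Added example (not from the original post): audit the local Edge policy
# registry for the hardening items discussed above. Assumes policies are
# delivered machine-wide to HKLM:\SOFTWARE\Policies\Microsoft\Edge.
$edgePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

function Get-EdgePolicyValue {
    param([string]$Name)
    try { (Get-ItemProperty -Path $edgePolicy -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# List policies (e.g. ExtensionInstallBlocklist) are stored as a subkey whose
# values are named "1", "2", ... and hold the list entries.
function Get-EdgePolicyList {
    param([string]$Name)
    $key = Join-Path $edgePolicy $Name
    if (-not (Test-Path $key)) { return @() }
    $item = Get-Item $key
    $item.GetValueNames() | ForEach-Object { $item.GetValue($_) }
}

$findings = @()

# Extensions: block everything ('*') and allowlist only what is explicitly approved
$blocklist = Get-EdgePolicyList -Name 'ExtensionInstallBlocklist'
if ($blocklist -notcontains '*') {
    $findings += 'ExtensionInstallBlocklist does not contain "*": any extension can be installed'
}

# Site isolation: SitePerProcess = 1 puts every site in its own renderer process
if ((Get-EdgePolicyValue -Name 'SitePerProcess') -ne 1) {
    $findings += 'SitePerProcess is not enforced (Spectre-style cross-site leaks are easier)'
}

# SmartScreen: must be enforced by policy so users cannot switch it off
if ((Get-EdgePolicyValue -Name 'SmartScreenEnabled') -ne 1) {
    $findings += 'SmartScreenEnabled is not enforced'
}

# TLS: SSLVersionMin accepts "tls1", "tls1.1" or "tls1.2"; only tls1.2 is acceptable
$minTls = Get-EdgePolicyValue -Name 'SSLVersionMin'
if ($minTls -ne 'tls1.2') {
    $findings += "SSLVersionMin is not enforced as 'tls1.2' (current: '$minTls'); TLS 1.0/1.1 can be re-enabled"
}

if ($findings.Count -eq 0) { Write-Host 'Edge hardening checks passed' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Run it in an elevated PowerShell on a device that already received the Intune profile to confirm the settings actually arrived.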

2. How you could automate the security and configuration of your Edge browser with PowerShell

But this is only the hardening part. You probably also need to define some other settings, like:

* Enable the default search provider
* The default search provider URL/name
* Automatically sign in with the work account
* Force synchronization
* Automatically import another browser’s data and settings at first run

When you only want to deploy Edge security settings you can stick to the security baseline, but when you also want to deploy additional settings I recommend creating a new settings catalog profile or an administrative template. I would choose administrative templates to deploy all the Edge settings, because deploying the Edge settings from the settings catalog with PowerShell gave me a lot, and I mean a lot, of errors.

When you need to deploy this for each tenant you enroll or configure, it can take a lot of your time, so you need to automate it.

First I will show you how to automate the deployment of administrative templates with PowerShell. If you are not interested in administrative templates but want to deploy the settings by using the settings catalog, skip the first part…

1. Administrative Templates deployment with PowerShell

For now, here is the zip file for the administrative templates. It contains the PowerShell script and the JSON files to deploy them to Intune.

https://call4cloud.nl/wp-content/uploads/2021/05/Edge-1.zip

I will look into the settings catalog as soon as possible!

2. Settings catalog deployment with PowerShell

First some background information about retrieving the settings catalog. Let’s create a connection and retrieve the access token.

# Well-known Intune PowerShell application id and the OOB redirect URI used for interactive (device) sign-in
$clientId = "d1ddf0e4-d672-4dae-b554-9d5bdfd93547"
$redirectUri = "urn:ietf:wg:oauth:2.0:oob"
$resourceURI = "https://graph.microsoft.com/"
$authority = "https://login.microsoftonline.com/common"
# The ADAL assemblies ship with the AzureAD module; load them from the module folder
$AadModule = Import-Module -Name AzureAD -ErrorAction Stop -PassThru
$adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
$adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"
[System.Reflection.Assembly]::LoadFrom($adal) | Out-Null
[System.Reflection.Assembly]::LoadFrom($adalforms) | Out-Null
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority
# "Always" forces the sign-in prompt so you can pick the tenant account you want to use
$platformParameters = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters" -ArgumentList "Always"
# AcquireTokenAsync returns a Task; .Result blocks until the token is available
$authResult = $authContext.AcquireTokenAsync($resourceURI, $clientId, $redirectUri, $platformParameters)
$accessToken = $authResult.Result.AccessToken

Now that we have established the connection, we need to specify the URL where the settings catalog (configuration) policies are stored:

$apiUri = 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies'

Let’s start invoking some stuff:

# List all settings catalog policies in the tenant
$Data = Invoke-RestMethod -Headers @{Authorization = "Bearer $accessToken"} -Uri $apiUri -Method Get
$Data.value

Take note of the id; we need it in the next step to select the specific policy we want to take a good look at.

# Replace ID with the id of the policy from the previous step
$apiUri = "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies('ID')/settings"
$Data = Invoke-RestMethod -Headers @{Authorization = "Bearer $accessToken"} -Uri $apiUri -Method Get
$Data.value | Format-List

And the results…

If you don’t want to use PowerShell to retrieve the settings, take a look at my blog about Fiddler.

And now we are going to do the opposite: instead of GETting something, we are going to PUT something.

LINK TO THE EDGE SETTINGS CATALOG DEPLOYMENT POWERSHELL SCRIPT:

https://call4cloud.nl/wp-content/uploads/2021/05/deploy-edge.txt
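To show the GET and the push side together, here is an added example that is not the post’s own deploy-edge script: it reads an Edge settings catalog policy from a source tenant and creates it in a target tenant. It assumes $sourceToken and $targetToken already hold bearer tokens obtained as above, that the policy name contains "Edge", and that the create call is a POST to the configurationPolicies collection with a body of name, description, platforms, technologies and settings.

```powershell
# Added example (not the post's deploy script): copy a settings catalog policy between tenants.
# Assumes $sourceToken / $targetToken hold bearer tokens and the POST body shape below.
$graph = 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies'

function Invoke-GraphGet {
    param([string]$Token, [string]$Uri)
    $headers = @{ Authorization = "Bearer $Token" }
    $items = @()
    # Results are paged; follow @odata.nextLink until there is none
    while ($Uri) {
        $page  = Invoke-RestMethod -Headers $headers -Uri $Uri -Method Get
        $items += $page.value
        $Uri    = $page.'@odata.nextLink'
    }
    return $items
}

function Export-ConfigurationPolicy {
    param([string]$Token, [string]$PolicyId)
    $policy   = Invoke-RestMethod -Headers @{ Authorization = "Bearer $Token" } -Uri "${graph}('$PolicyId')" -Method Get
    $settings = Invoke-GraphGet -Token $Token -Uri "${graph}('$PolicyId')/settings"
    # Keep only the fields a create accepts; ids are tenant specific and must not be copied
    return [ordered]@{
        name         = $policy.name
        description  = $policy.description
        platforms    = $policy.platforms
        technologies = $policy.technologies
        settings     = @($settings | ForEach-Object {
            @{ '@odata.type'  = '#microsoft.graph.deviceManagementConfigurationSetting'
               settingInstance = $_.settingInstance }
        })
    }
}

function New-ConfigurationPolicy {
    param([string]$Token, $Body)
    # settingInstance trees nest deeply; the default ConvertTo-Json depth of 2 silently truncates them
    $json = $Body | ConvertTo-Json -Depth 20
    Invoke-RestMethod -Headers @{ Authorization = "Bearer $Token" } -Uri $graph -Method Post -ContentType 'application/json' -Body $json
}

# Pick the Edge policy in the source tenant by name (assumption: the name contains 'Edge')
$edge = Invoke-GraphGet -Token $sourceToken -Uri $graph | Where-Object { $_.name -like '*Edge*' } | Select-Object -First 1
$body = Export-ConfigurationPolicy -Token $sourceToken -PolicyId $edge.id
$new  = New-ConfigurationPolicy -Token $targetToken -Body $body
Write-Host "Created '$($new.name)' with id $($new.id) in the target tenant"
```

Saving the exported body with ConvertTo-Json -Depth 20 to a file gives you the same JSON you would otherwise capture from Fiddler, which you can review before pushing it to any tenant.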

Conclusion:

Don’t forget about securing your Edge Browser. Even when your devices are secure, your browser also needs to be secure. You really don’t want your browser to be responsible for a security breach.


2 thoughts on “Microsoft Edge: And the Fantabulous Security of One Browser”

  1. This is so cool. Noob question: how do you generate the body in the PowerShell script? Is there a function to generate this piece?
    $body = @""

    1. Hi,

      Generating could be difficult. I used the Intune portal to create it and watched Fiddler to get back the JSON/body I need.
