HotCakeX / Harden-Windows-Security

Harden Windows Safely, Securely using Official Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Personal, Enterprise, Government and Military security levels | Read The Rationale https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Rationale.md
https://hotcakex.github.io
MIT License

Security baseline for Microsoft Edge #50

Closed rafalfitt closed 1 year ago

rafalfitt commented 1 year ago

https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-version-114/ba-p/3839728

HotCakeX commented 1 year ago

Hi @rafalfitt Thanks for bringing this up ^^

The reason I didn't use security baselines for Microsoft Edge and instead use registry to apply the policies is because of this:

> This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain, Windows 10 Pro or Enterprise instances that enrolled for device management, or macOS instances that are managed via MDM or joined to a domain via MCX.

There are many important security measures that require AAD or Domain Controller joined PCs. All of them are mentioned here.

I think the reason is that they can be potentially abused by registry or Group Policy modifications by 3rd party apps or malware.

I just tried this, injected the latest Edge 114 Group Policy ADMX files and then applied the Edge 114 Security baseline, this is the result:

[image]

Those are the items that can't be applied without a domain controller or AAD.

There is another issue about using security baselines for Microsoft Edge. The Group Policy ADMX files aren't included in Windows by default. They are updated every month so users would have to make sure they run the script after each Edge version release to keep their ADMX files up to date and prevent any issues.

Some of the policies in the Security baseline for Microsoft Edge are applied by default, the policies just make sure non-Admins in corporations etc. can't change them. However, the Harden Windows Security script assumes everyone already has Admin privileges, so it just automatically configures the security features and isn't intended to prevent users with Admin privileges from changing their own device's settings.

Finally, as you can see in the screenshot, the Security baseline uses a policy that blocks all the extensions by default and requires administrators to explicitly add each extension that the users require to use in an allow list.

[image]

I hope you agree with me that it's not practical to use this policy on personal computers. 😇

rafalfitt commented 1 year ago
  1. "There are many important security measures that require AAD or Domain Controller joined PCs." - yes, you are right.
  2. "The Group Policy ADMX files aren't included in Windows by default. They are updated every month" - you are right "so users would have to make sure they run the script after each Edge version release to keep their ADMX files up to date and prevent any issues." - IMHO this is not true - AFAIK the GPO settings are stored in registry.pol (if done using .ADMX + gpedit.msc) and/or in registry (after application), so the updated ADMX is not really needed.

if all/most recommended settings are applied in the script (I've not checked so far), perhaps only a mention of "Security baseline for Microsoft Edge" is needed on https://github.com/HotCakeX/Harden-Windows-Security#edge-browser-configurations

HotCakeX commented 1 year ago
> 1. "There are many important security measures that require AAD or Domain Controller joined PCs." - yes, you are right.
> 2. "The Group Policy ADMX files aren't included in Windows by default. They are updated every month" - you are right "so users would have to make sure they run the script after each Edge version release to keep their ADMX files up to date and prevent any issues." - IMHO this is not true - AFAIK the GPO settings are stored in registry.pol (if done using .ADMX + gpedit.msc) and/or in registry (after application), so the updated ADMX is not really needed.
>
> if all/most recommended settings are applied in the script (I've not checked so far), perhaps only a mention of "Security baseline for Microsoft Edge" is needed on https://github.com/HotCakeX/Harden-Windows-Security#edge-browser-configurations

Oh yes, you're right in #2, the script could download and install latest ADMX files first and then apply the latest Edge Security baselines, every time the Edge category was run, so no issue with keeping the local ADMX files up to date.

I should check the new policies again and if any of them improves security and isn't being applied by default in Edge I'll add it to the script, will also change the Readme like you suggested. 👍

rafalfitt commented 1 year ago

IMHO: .ADMX is only needed if you use GPEDIT.MSC if you have a registry.pol (it will be applied to registry when booting by Group Policy Client service) or settings in registry (in Policies key) - you can ignore missing/outdated .ADMX, no need to download .ADMX

HotCakeX commented 1 year ago

> IMHO: .ADMX is only needed if you use GPEDIT.MSC if you have a registry.pol (it will be applied to registry when booting by Group Policy Client service) or settings in registry (in Policies key) - you can ignore missing/outdated .ADMX, no need to download .ADMX

Awesome, thank you! I just tried applying the Edge Security baseline without injecting the ADMX files first and it worked! Not sure if it's best practice this way, but it works :)

So just to make sure, you still suggest to add Edge security baselines to the script with everything mentioned before?

rafalfitt commented 1 year ago

yes, I do suggest, as it makes a nice complete set: Microsoft Windows security baseline, Microsoft 365 Apps security baseline, Microsoft Edge security baseline

HotCakeX commented 1 year ago

> yes, I do suggest, as it makes a nice complete set: Microsoft Windows security baseline, Microsoft 365 Apps security baseline, Microsoft Edge security baseline

But what do you suggest to do about the problems I mentioned?

rafalfitt commented 1 year ago

there is no SLA - IMHO "best effort" is good enough, as we don't want to over-complicate/introduce more dependencies/etc.: policies are set in the registry, the result is outside our scope of work (require AAD or Domain Controller joined PCs or other limitations).

HotCakeX commented 1 year ago

> there is no SLA - IMHO "best effort" is good enough, as we don't want to over-complicate/introduce more dependencies/etc.: policies are set in the registry, the result is outside our scope of work (require AAD or Domain Controller joined PCs or other limitations).

There is no signed agreement for service level, true, but since I use this too I don't want best effort, I want the best.

Going to close this issue for the following reasons:

  1. Important settings that are also included in Edge security baselines require AAD or domain controller. So, using Edge security baseline in standalone mode doesn't provide the same security.
  2. Edge security baseline has policies that cause a lot of inconvenience and do more bad than good when it comes to personal users. Those policies are shown in the screenshots above, such as a policy that blocks all of the extensions.
  3. Using Edge security baseline would require a lot of overrides due to the reasons mentioned earlier, making it essentially useless.
  4. The script applies similar security policies and even more, using registry keys, they have the same effect. If there is any particular policy that you think should be added (and it's not already enabled by default in Edge) then please open a new issue for it.

Thank you! Have a good one!

HotCakeX commented 1 year ago

Just pushed an update to the Edge category

https://github.com/HotCakeX/Harden-Windows-Security/commit/42e0ba61a415de594f994a20a1477efbc77f93a1

https://github.com/HotCakeX/Harden-Windows-Security#edge-browser-configurations

starchturrets commented 1 year ago

You don't need to do regedits to set Edge policies, you can simply point LGPO.exe at a .pol file - the only thing you'll need the ADMX files for is if you want to override the policies manually. Or if you want GPReport.html to have the proper policy names displayed.

HotCakeX commented 1 year ago

> You don't need to do regedits to set Edge policies, you can simply point LGPO.exe at a .pol file - the only thing you'll need the ADMX files for is if you want to override the policies manually. Or if you want GPReport.html to have the proper policy names displayed.

I know but why would I do that? The majority of the policies require Microsoft Entra ID or Domain Controller to work, see here: https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies

So Edge security baselines are not suitable to use for personal devices. Registry is easier to implement and also for people to verify, it's in plaintext in a CSV file, so I use registry keys to implement the few security related policies that are still usable with an MSA account.
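Since the thread settles on registry-applied Edge policies and points out that registry values are easy for people to verify, here is an added PowerShell audit (not code from the repository or from any participant) that lists which Edge policy values are present under the Policies keys the thread names, and records whether the device is domain-joined, because unmanaged devices ignore many Edge policies. The four policy names and expected values are an assumed illustration set, not the script's own CSV.

```powershell
# Added example, not part of the Harden-Windows-Security project or this thread.
# Expected values are an assumption for illustration; replace with your own list.
$Expected = @{
    'SmartScreenEnabled'      = 1   # Microsoft Defender SmartScreen on
    'SmartScreenPuaEnabled'   = 1   # block potentially unwanted apps
    'SSLErrorOverrideAllowed' = 0   # users cannot click through TLS warnings
    'SitePerProcess'          = 1   # strict site isolation
}

# Machine-wide policies win over per-user ones; both locations are checked.
$Paths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge',
    'HKCU:\SOFTWARE\Policies\Microsoft\Edge'
)

function Get-EdgePolicyState {
    [CmdletBinding()]
    param([hashtable]$Expected, [string[]]$Paths)

    foreach ($name in $Expected.Keys) {
        $found  = $null
        $source = $null
        foreach ($path in $Paths) {
            if (Test-Path -Path $path) {
                # -ErrorAction SilentlyContinue returns $null when the value is absent
                $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
                if ($null -ne $item) { $found = $item.$name; $source = $path; break }
            }
        }
        $status = if ($null -eq $found) { 'Missing' }
                  elseif ($found -eq $Expected[$name]) { 'OK' }
                  else { 'Mismatch' }
        [pscustomobject]@{
            Policy   = $name
            Expected = $Expected[$name]
            Actual   = $found
            Source   = $source
            Status   = $status
        }
    }
}

# Many Edge policies are only honored on domain-joined or MDM-managed devices,
# so report the join state next to the audit results.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
"Domain-joined: $($cs.PartOfDomain)"

Get-EdgePolicyState -Expected $Expected -Paths $Paths | Format-Table -AutoSize
```

A policy reported as Missing means no value is set in either key; a Mismatch means a value exists but differs from the expected one, which is the case to investigate after running a hardening script.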

starchturrets commented 1 year ago

Because the repo says

> The script primarily uses Group policies, the Microsoft recommended way of configuring Windows. It also uses PowerShell cmdlets where Group Policies aren't available, and finally uses a few registry keys to configure security measures that can neither be configured using Group Policies nor PowerShell cmdlets.

So that makes it seem like if it was possible to use a GPO instead of a registry key, it would be better. I don't necessarily mean using the edge baselines.