Secure your Browser!

Introduction

As more and more companies move their systems to a SaaS solution, it is crucial to make sure that your browsers are protected. Your company might not have a policy about which browsers are allowed, so there can be different browsers to take into account.

Luckily for us, there are some useful resources out there that can help us.


Which options do I have?

There are different options available if you want to create a baseline for the browser in your company. The options that I am familiar with currently are described below.

  • Microsoft Intune
    • Security Baseline for Microsoft Edge
  • CIS Benchmarks
    • Microsoft Edge
    • Google Chrome
    • Mozilla Firefox
  • STIG
    • Microsoft Edge
    • Google Chrome
    • Mozilla Firefox

If you are using Google Chrome in your environment, a lot of the settings can be found in the settings catalog. ADMX files can be imported to Intune if you need to configure settings for Firefox, but also in case you are missing settings for Chrome.


Configuration

In this blog, I will take a look at the security baseline for Microsoft Edge in Intune.

The baseline is a good starting point. If you are looking to expand your baseline in the future, I would recommend moving the policies into the settings catalog.

  1. First, navigate to the Intune portal and the endpoint security tab.
  2. Click on the security baselines tab, right under all devices.
  3. From here, make sure to pick the correct baseline.
  4. Click on the baseline, and click create profile. Name your baseline according to your naming convention.
  5. Now, we are at the interesting part! By default, all the policies in the baseline are configured to meet best practices.
    1. That said, make sure to go through each policy and get an understanding of what it does. Even though it's best practice, it might not fit in your company.

For a proper explanation of each policy, have a look at the browser policy reference on Microsoft Learn.

I will test the standard policies in my environment, so I will leave them as they are.

  6. Assign the baseline to a test group, and make sure to create the profile.

Let's take a look at a device!

When your settings for Edge have been applied on your test device, they can be seen in the browser at "edge://policy/".

The "edge://policy" page is a great resource because it shows all the settings applied, and most of them link to the Microsoft documentation that explains the policy.

If you are more into the registry, I've got you covered! First of all, open the registry editor and browse to the below path:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\providers

Find the correct provider, unfold the default folder, and lastly, the folder named device.

Here you can see all the policies applied from the baseline and how they've been configured.
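The same registry walk can be scripted to review a test device without clicking through the editor. This is an added example, not part of the original post; it assumes the policies sit in per-area subkeys under the device key and that the Edge area names contain "edge" (the `$AreaFilter` value is that assumption, so widen it to `*` if nothing matches).

```powershell
# Added example: list MDM policy values per provider under PolicyManager.
# Path layout (providers -> <provider> -> default -> Device) is the one
# described in the post. $AreaFilter is an assumption about subkey naming.
$AreaFilter = '*edge*'
$root       = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\providers'

if (-not (Test-Path -Path $root)) {
    Write-Warning "Key not found on this device: $root"
}
else {
    $results = foreach ($provider in Get-ChildItem -Path $root) {
        # Each provider key is expected to hold default\Device
        $devicePath = Join-Path -Path $provider.PSPath -ChildPath 'default\Device'
        if (-not (Test-Path -Path $devicePath)) { continue }

        foreach ($area in Get-ChildItem -Path $devicePath -Recurse) {
            if ($area.PSChildName -notlike $AreaFilter) { continue }

            # One output row per registry value stored in the area key
            foreach ($name in $area.GetValueNames()) {
                [pscustomobject]@{
                    Provider = $provider.PSChildName
                    Area     = $area.PSChildName
                    Setting  = $name
                    Value    = $area.GetValue($name)
                }
            }
        }
    }

    if (-not $results) {
        Write-Warning "No policy values matched area filter '$AreaFilter'."
    }
    else {
        $results |
            Sort-Object Provider, Area, Setting |
            Format-Table -AutoSize -Wrap
    }
}
```

Comparing this output against "edge://policy/" on the same device is a quick way to confirm that what Intune delivered is what the browser actually loaded.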


Tips & Tricks

SmartScreen is a part of the security baseline for Edge in Intune, and that is wonderful! However, SmartScreen can sometimes cause some issues for legitimate websites.

A tip that I would like to share is "edge://security-diagnostics/"

With the tool at the bottom, you can check websites to see if they will be blocked by SmartScreen. Microsoft provides links for demonstrations that can be used to test SmartScreen.

For a quick demonstration, I will use a link from MS that is flagged for phishing. I will copy the link in and click on check URL.

Just to be sure that my SmartScreen settings have been applied properly, I can also test a link that will download a malicious file.

Luckily, my settings have been applied correctly.


Community Resources

If you are at the point where the security baseline isn't enough, you would need to create the policies manually in the settings catalog. Luckily for us, James Robinson has created the OpenIntuneBaseline, which also includes policies for both Microsoft Edge and Google Chrome.

His baseline is a great starting point, and from there on, you can build on top of that.

Hint: The files can be imported to your tenant with another community tool by Micke Karlsson called IntuneManagement.

Many thanks to James and Micke!


Conclusion

Thank you for reading this blog. I hope it gave you some tips and tricks on where to begin with a baseline for your browser. The baselines in Intune are a good starting point, but from there, the settings catalog is the way to go.

One thing to keep in mind with the baseline for Edge in Intune is that it doesn't include update policies, so these have to be created separately.