Americas

  • United States

Asia

Oceania

sbradley
Contributing Writer

New Windows browser security options and guidance: What you need to know

Feature
Oct 20, 20215 mins
Internet SecurityWindows Security

Microsoft has added new Edge update options and enhanced browser security modes, including a beta Super Duper Secure Mode.

browser security
Credit: Thinkstock

As we move cloud computing, your browser is your operating system. While we tend to hold back in business patching to ensure there are no side effects, it can be dangerous to tak that approach with browser patching. Case in point: Google acknowledged the twelfth and thirteenth Chrome zero-day attacks in a recent blog post. Because Edge is built on the Chrome platform, you should consider how each targeted zero day in Chrome impacts the Edge browser.

New Edge update options

If your firm needs a bit more time before rolling out browser updates due to impact on line-of-business apps, there is another way to deal with the changes that will keep you patched for security issues. Starting with Edge 94, Microsoft now supports several release channels. In March, Edge moved to a four-week development cycle where new features will be included in Edge every four weeks.

Microsoft is now including an option to update features in Edge every eight weeks. If you want to stay on a supported browser, you can choose the Stable channel. This is most used and considered “broad deployment.” It’s updated every four weeks. Next is Extended Stable, which allows for a longer eight-week release cycle and is fully supported. The Beta channel is still supported by Microsoft and has a four-week release cycle. Two more channels, Dev and Canary, are not officially supported and considered testing platforms only.

To deploy Edge on Extended Stable, Use Group Policy to select the browser patching cadence. Download and install the latest Edge Group Policy administrative templates. Then go to, in order:

  • Group Policy editor
  • Computer Configuration
  • Administrative Templates
  • Microsoft Edge Update
  • Applications
  • Microsoft Edge

Select “Target Channel override” and then “Enabled.” Under “Options,” pick “Extended Stable” from the “Policy” dropdown list. I recommend that you evaluate slowing down from the normal release process to the Extended Stable for desktops that require more stability.

Edge’s Super Duper Secure Mode

Edge is testing a new Super Duper Secure Mode that is offered only in the beta version at this time. The new mode will remove just-in-time (JIT) compilation from the V8 processing pipeline, reducing the attack surface threat actors can use to hack into Edge users’ systems. You need to be on one of the beta channels to enable this feature. To test this mode, download the Edge beta version from the Edge Insider release page. You can also download Dev or Canary versions. Once you have it installed, enable Super Duper Secure Mode by going to edge://flags/#edge-enable-super-duper-secure-mode and toggling on the new feature. You will then be prompted to restart your browser.

Enhanced Safe Browsing mode

Chrome has additional security features as well with its Enhanced Safe Browsing mode. You can opt into this mode by going to:

  • Settings
  • Privacy
  • Security settings
  • Security

Select “Enhanced protection” mode under “Safe Browsing.” Change from Standard browsing to Enhanced protection. It will send URLs to Safe Browsing to check them. It also sends a small sample of pages, downloads, extension activity, and system information to help discover new threats. The setting also sends links and data to your Google Account when you’re signed in to protect you across Google apps. So, it will track more of your browsing.

Other browser security controls

Additional controls that you should review include the current Windows Security Technical Implementation Guide for Google Chrome. Updated on July 13, 2021, this guide was published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. You’ll want to ensure that your browsers are allowed to support only TLS.

There are several ways to set this value. To adjust this in the browser in the omnibox (address bar), type chrome://policy. Review the setting for “SSLVersionMin” and review the “Policy Name” column to set it for “tls1.2”. If you want to use the registry method, select “Start regedit” and then navigate to HKLMSoftwarePoliciesGoogleChrome. Check to see if the “SSLVersionMin” value name does not exist or its value data is not set to “tls1.2”. As the browser hardening guidance in the Security Technical Implementation Guides (STIGs) documents, if the registry value isn’t there, the computer will not pass muster. The STIGs consider it a finding of a security weakness.

To use Windows Group Policy. go to the “Group Policy editor” tool with gpedit.msc. Then navigate to:

  • Policy Path: Computer Configuration
  • Administrative Templates
  • Google
  • Google Chrome.

Look at “Policy Name: Minimum SSL version enabled”. Change it to “Policy State: Enabled” and change the Policy Value: to “TLS 1.2”.

The STIG provides guidance for Edge as well. Similar to Chrome, set the policy value for “Computer Configuration/Administrative Templates/Microsoft Edge/Minimum TLS version enabled” to “TLS 1.2”. Not to be left out, Firefox also has security mandates.

For all the browsers you have on your systems, review what extensions are installed and determine if you want to limit or block as needed. Often with browser security, being proactive and blocking and limiting what can be installed is the best way to be secure and is wise if you have a firm that has extreme security needs.

As CISA notes, educate users to use caution when opening email attachments or when using peer-to-peer file sharing, instant messaging, or chat rooms. Being aware of what you are browsing and what you are clicking on will go a long way to helping keep your systems secure.

sbradley
Contributing Writer

Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for Askwoody.com, is a moderator on the PatchManagement.org listserve, and writes a column of Windows security tips for CSOonline.com. In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at https://www.askwoody.com/tag/patch-lady-posts/ and is on twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.

More from this author