
Security baseline for Microsoft Edge version 85

source link: https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-version-85/ba-p/1618585

‎08-28-2020 11:05 AM

We are pleased to announce the enterprise-ready release of the security baseline for Microsoft Edge version 85!

We have reviewed the settings in Microsoft Edge version 85 and updated our guidance with the addition of one setting that we will explain below. A new Microsoft Edge security baseline package was just released to the Microsoft Download Center. You can download the version 85 package from the Security Compliance Toolkit (https://www.microsoft.com/download/details.aspx?id=55319).

SHA-1

A new (but, ironically, deprecated) setting has been added to version 85: Allow certificates signed using SHA-1 when issued by local trust anchors. While it might seem odd that we are adding a deprecated setting to the baseline, this one is important. Microsoft Edge forbids certificates signed using SHA-1 by default, and the security baseline is enforcing this to ensure Enterprises recognize that allowing SHA-1 chains is not a secure configuration. Should you need to use a SHA-1 chain for compatibility with existing applications that depend on it, moving away from that configuration as soon as possible is critical to the security of your organization. In version 92 of Microsoft Edge (mid-2021) this setting will be removed, and there will be no supported mechanism to allow SHA-1, even for certificates issued by your non-public Certificate Authorities, after that.

App protocol prompts

While they may not seem directly related to security, app protocols are something you should be mindful of, as they provide a mechanism for escaping the browser sandbox. New policies to help manage these might therefore be useful in your organization as you strive to balance security and productivity.

To make managing app protocols easier, we first added a flag in version 82, exposed a user-facing option in version 84, and have added a policy for the IT Pro to manage them in version 85: Define a list of protocols that can launch an external application from listed origins without prompting the user. For a detailed discussion of the topic, we recommend reading Eric Lawrence's blog post at https://textslashplain.com/2020/02/20/bypassing-appprotocol-prompts/.

This is commonly seen with applications like Microsoft 365 Apps, Microsoft Teams, and Skype: by default the user is prompted to allow the external application to launch, as depicted in the screenshots in the original post.

Leveraging this setting will suppress that prompt and reduce noise to the end user by approving the content at the enterprise level. Reducing end user prompts both improves user productivity and helps them make better decisions when an unexpected request appears by reducing prompt fatigue!

While you are at Eric’s blog, be sure to check out his other posts.

Baseline Package Refresh

Since a new setting has been added, we have updated the security baseline package, which will include the usual artifacts as well as a list of new settings from version 84 to 85 and from version 80 to 85. This way, those who have been keeping up with the blog have a smaller set of settings to review, and those only looking at the actual released package can see all the changes.

As a friendly reminder, all available settings for Microsoft Edge are documented at https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-policies, and all available settings for Microsoft Edge Update are documented at https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-update-policies.

Please continue to give us feedback through the Security Baselines Discussion site (https://techcommunity.microsoft.com/t5/Microsoft-Security-Baselines/bd-p/Security-Baselines) and via this post!

6 Comments

‎08-30-2020 09:51 PM

To save someone else the time of hunting through the registry to find the proper protocol for Teams, it's "msteams".

The full JSON I tested with Group Policy with Edge 85 was:

[
  {
    "allowed_origins": [
      "https://.teams.microsoft.com"
    ], 
    "protocol": "msteams"
  }
]

‎08-31-2020 12:38 AM

FYI: In Windows 10 go to Settings > Apps > Default-Apps > Choose default apps by protocol. You can find (nearly) every protocol available on your machine. MSTEAMS is listed.

‎08-31-2020 09:02 AM

Maybe I am just dense. But where are the ADMX files for Edge 85?

EDIT: For those who were lost like me, you can find them at the Edge for Business download portal: https://www.microsoft.com/en-us/edge/business/download You can select your build and hit "Get Policy Templates" instead of, or in addition to, "Download".

‎08-31-2020 05:30 PM

This is by far one of the more complex Edge policies that I've come across :smile: It makes a lot of sense to implement and great to have this level of flexibility but so far I've hit a few hurdles and was hoping someone could steer me in the right direction.

In my example I'm simply trying to suppress the following prompts for Excel/Word:

Using the following JSON:

[{"allowed_origins":["live.com","office.com","sharepoint.com"],"protocol":"ms-excel"},{"allowed_origins":["live.com","office.com","sharepoint.com"],"protocol":"ms-word"}]

I've pulled the protocols from those defined within Default Apps | Choose Default Applications by Protocol, but I'm not entirely sure if these are correct, as the example from https://docs.microsoft.com/en-gb/DeployEdge/microsoft-edge-policies#autolaunchprotocolsfromorigins is a little ambiguous. The example JSON includes the protocols spotify, outlook and teams, yet none exist on my W10 1909 w/ Microsoft 365 Apps for enterprise (16.0.13029.20460) [current channel] - also, as @DidiHai76 mentions, it's msteams not teams. Granted I don't have Spotify installed, but on my device the application Outlook utilises the protocols FEED, FEEDS, MAILTO, STSSYNC and WEBCALS, and the application Excel is referenced only for MS-EXCEL. In any case I experimented with both ms-excel/excel and ms-word/word.

As far as ensuring all the usual culprits of group policy, I've added the JSON into the "Define a list of protocols that can launch an external application from listed origins without prompting the user" policy by way of the updated ADMX and verified it exists within the AutoLaunchProtocolsFromOrigins REG_SZ value in the "Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" key, as well as confirming it appears within edge://policy/. I'm testing with Edge Stable 85.0.564.41 and the current ADMX.

Note: Anyone unfamiliar with JSON (like me) who needs to both validate and convert to a one-liner that GPMC will accept, I've used https://jsonformatter.curiousconcept.com

‎08-31-2020 08:26 PM

@csrswalch Your policy worked straight away for me - I dropped it straight into the registry at Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge, restarted Edge, tried opening an Excel & Word doc in SharePoint Online and got no prompt. I trimmed some of the domains and combined it with my Teams policy and ended up with

[{"allowed_origins":["officeapps.live.com"],"protocol":"ms-excel"},{"allowed_origins":["officeapps.live.com"],"protocol":"ms-word"},{"allowed_origins":["https://.teams.microsoft.com"],"protocol":"msteams"}]

‎09-01-2020 03:44 PM

Thanks for confirming @AndrewT - needed another set of eyes because it's magically started to work for me now too! I've added to yours to include OneNote and PowerPoint which should pretty much cover off our environment and many others I imagine. Thanks again.

[{"allowed_origins":["officeapps.live.com"],"protocol":"ms-excel"},{"allowed_origins":["officeapps.live.com"],"protocol":"ms-powerpoint"},{"allowed_origins":["officeapps.live.com"],"protocol":"ms-word"},{"allowed_origins":["https://.teams.microsoft.com"],"protocol":"msteams"},{"allowed_origins":["officeapps.live.com"],"protocol":"onenote"}]
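As an added example (not code from the post, from Microsoft, or from any commenter), the following PowerShell assembles the allow-list the comments above converged on for the policy the article describes, validates it, emits the one-line JSON that GPMC and the REG_SZ value expect, and with -Apply writes it to the registry key named in the thread and reads it back. The $Apply switch, the validation rules and the warning on "*" origins are this example's own; writing under HKLM needs an elevated session.

```powershell
# Added example (not from the post or Microsoft): build, validate and deploy the
# AutoLaunchProtocolsFromOrigins allow-list discussed in the thread, then read it back.
# Writing to HKLM requires an elevated PowerShell session.
param([switch]$Apply)

$edgeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

# Allow-list from the comments above: the Office web apps may launch the Office
# protocols, and only the exact host teams.microsoft.com may launch msteams.
$rules = @(
    [pscustomobject]@{ allowed_origins = @('officeapps.live.com'); protocol = 'ms-excel' }
    [pscustomobject]@{ allowed_origins = @('officeapps.live.com'); protocol = 'ms-word' }
    [pscustomobject]@{ allowed_origins = @('officeapps.live.com'); protocol = 'ms-powerpoint' }
    [pscustomobject]@{ allowed_origins = @('officeapps.live.com'); protocol = 'onenote' }
    [pscustomobject]@{ allowed_origins = @('https://.teams.microsoft.com'); protocol = 'msteams' }
)

foreach ($rule in $rules) {
    if ([string]::IsNullOrWhiteSpace($rule.protocol)) { throw 'Every rule needs a protocol.' }
    if (-not $rule.allowed_origins) { throw "Rule for '$($rule.protocol)' has no origins." }
    # A bare "*" suppresses the prompt for every site, which defeats the policy:
    # the prompt is what stands between an arbitrary page and the sandbox escape
    # the article warns about.
    if ($rule.allowed_origins -contains '*') {
        Write-Warning "Rule for '$($rule.protocol)' allows all origins; scope it to known hosts."
    }
}

# GPMC and the REG_SZ value both want a single-line JSON string (the thread's
# "convert to a one-liner" problem). -InputObject keeps the outer array intact
# even when there is only one rule, which piping would unwrap.
$json = ConvertTo-Json -InputObject $rules -Depth 5 -Compress
$json

if ($Apply) {
    New-Item -Path $edgeKey -Force | Out-Null
    New-ItemProperty -Path $edgeKey -Name 'AutoLaunchProtocolsFromOrigins' `
        -Value $json -PropertyType String -Force | Out-Null

    # Read back and re-parse: a malformed value silently disables the whole policy.
    $stored = (Get-ItemProperty -Path $edgeKey).AutoLaunchProtocolsFromOrigins
    $parsed = $stored | ConvertFrom-Json
    "Deployed {0} rule(s); check edge://policy to confirm Edge accepted them." -f @($parsed).Count
}
```

Run without -Apply to preview the JSON for pasting into the Group Policy setting; run with -Apply on a test machine to set the registry value directly, as the last two commenters did.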
