Updated Edge policies
After doing a full review of all the available Edge browser policies up until Version 114.0.1823.55, updated the script policies for Edge and the documentation accordingly to reflect the new changes. Please view the GitHub Readme's Edge category section for full details.

The Edge policies no longer enforce Cloudflare DNS over HTTPS and instead use the OS's DNS over HTTPS. This change is being made to allow MDAG (Microsoft Defender Application Control) to be able to connect to the Internet. With Edge enforcing DoH, it wouldn't be able to connect and would show DNS-related errors. Windows 11's system-wide DNS over HTTPS settings also apply to MDAG connections as well as any other apps, so they are more secure and preferred.
HotCakeX committed Jun 19, 2023
1 parent 3d7f02f commit 42e0ba6
Showing 2 changed files with 25 additions and 7 deletions.
14 changes: 11 additions & 3 deletions Payload/Registry.csv
Expand Up @@ -26,11 +26,19 @@ Miscellaneous,HKLM:\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\NtpClien
Miscellaneous,HKLM:\Software\Microsoft\Cryptography\Wintrust\Config,EnableCertPaddingCheck,1,String,WinVerifyTrust Signature Validation
Miscellaneous,HKLM:\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config,EnableCertPaddingCheck,1,String,WinVerifyTrust Signature Validation
Edge,HKLM:\SOFTWARE\Policies\Microsoft\Edge\Recommended,BlockThirdPartyCookies,1,DWORD,Recommends to block 3rd party cookies
Edge,HKLM:\SOFTWARE\Policies\Microsoft\Edge,DnsOverHttpsMode,secure,String,Enables Secure DNS without insecure fallback
Edge,HKLM:\SOFTWARE\Policies\Microsoft\Edge,DnsOverHttpsTemplates,https://chrome.cloudflare-dns.com/dns-query,String,Set DNS over HTTPS template to Cloudflare's
Edge,HKLM:\SOFTWARE\Policies\Microsoft\Edge,DnsOverHttpsMode,automatic,String,Sets Edge to use system's DNS over HTTPS. This makes MDAG to work properly too
Edge,HKLM:\SOFTWARE\Policies\Microsoft\Edge,AutomaticHttpsDefault,2,DWORD,Automatically upgrade HTTP connections to HTTPS
Edge,HKLM:\SOFTWARE\Policies\Microsoft\Edge,EncryptedClientHelloEnabled,1,DWORD,Enable Encrypted Client Hello
Edge,HKLM:\SOFTWARE\Policies\Microsoft\Edge,WebRtcLocalhostIpHandling,default_public_interface_only,String,Allow public interface over http default route. This doesn't expose the local IP address when using WebRTC
Edge,HKLM:\SOFTWARE\Policies\Microsoft\Edge,SSLErrorOverrideAllowed,0,DWORD,Prevents users from proceeding from the HTTPS warning page
Edge,HKLM:\SOFTWARE\Policies\Microsoft\Edge,BasicAuthOverHttpEnabled,0,DWORD,Block Basic authentication for HTTP
Edge,HKLM:\SOFTWARE\Policies\Microsoft\Edge,WebRtcRespectOsRoutingTableEnabled,1,DWORD,WebRTC will respect the Windows OS routing table rules when making peer to peer connections
Edge,HKLM:\SOFTWARE\Policies\Microsoft\Edge,RendererAppContainerEnabled,1,DWORD,Launches Renderer processes into an App Container for additional security benefits
Edge,HKLM:\SOFTWARE\Policies\Microsoft\Edge,PDFSecureMode,1,DWORD,Secure mode and Certificate-based Digital Signature validation in native PDF reader
Edge,HKLM:\SOFTWARE\Policies\Microsoft\Edge,ExperimentationAndConfigurationServiceControl,2,DWORD,Allow devices using Edge category of the hardening script to receive new features and experimentations like normal devices
Edge,HKLM:\SOFTWARE\Policies\Microsoft\Edge,AudioSandboxEnabled,1,DWORD,Enforces the audio process to run sandboxed
Edge,HKLM:\SOFTWARE\Policies\Microsoft\Edge\Recommended,DefaultShareAdditionalOSRegionSetting,2,DWORD,Recommends that the share additional operating system region setting to be set to never.
Edge,HKLM:\SOFTWARE\Policies\Microsoft\Edge\Recommended,NewPDFReaderEnabled,1,DWORD,Recommends the new Adobe PDF reader be used in Edge for PDFs
Edge,HKLM:\SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList,1,0xc013,String,Disable TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - (CBC - SHA1)
Edge,HKLM:\SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList,2,0xc014,String,Disable TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - (CBC - SHA1)
Edge,HKLM:\SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList,3,0x0035,String,Disable TLS_RSA_WITH_AES_256_CBC_SHA - (NO PFS - CBC - SHA1)
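Review bot: The description on the new DnsOverHttpsMode line ("Sets Edge to use system's DNS over HTTPS. This makes MDAG to work properly too") should state what `automatic` actually guarantees: in that mode Edge only sends DoH queries when the system resolver has a DoH template and otherwise falls back to plaintext DNS, so the "without insecure fallback" property of the removed `secure` line now depends entirely on the Windows DoH configuration. Suggest wording along the lines of `Uses the OS DNS over HTTPS settings (falls back to plaintext DNS if the OS resolver has no DoH template); required for MDAG connectivity`, and noting in the README that Windows DoH must be configured for the protection to hold. Minor: "makes MDAG to work" reads better as "lets MDAG work".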
Expand All @@ -48,4 +56,4 @@ NonAdmin,HKCU:\Software\Microsoft\Clipboard,CloudClipboardAutomaticUpload,1,DWOR
NonAdmin,HKCU:\Software\Microsoft\Clipboard,EnableCloudClipboard,1,DWORD,last one to enable Clipboard sync
NonAdmin,HKCU:\Software\Microsoft\Input\Settings,EnableHwkbTextPrediction,1,DWORD,turn on Show text suggestions when typing on the physical keyboard for the current user toggles the option in Windows settings
NonAdmin,HKCU:\Software\Microsoft\Input\Settings,MultilingualEnabled,1,DWORD,turn on Multilingual text suggestions for the current user toggles the option in Windows settings
NonAdmin,HKCU:\Control Panel\Accessibility\StickyKeys,Flags,506,String,turn off sticky key shortcut of pressing shift key 5 time fast
NonAdmin,HKCU:\Control Panel\Accessibility\StickyKeys,Flags,506,String,turn off sticky key shortcut of pressing shift key 5 time fast
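Review bot: The removed and added StickyKeys lines are identical in content, so this hunk is a trailing-newline or line-ending change only; worth confirming that the CSV now ends with a single newline and that the script's CSV import does not pick up an empty trailing row. While touching the line, the description "pressing shift key 5 time fast" should read "5 times".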
18 changes: 14 additions & 4 deletions README.md
Expand Up @@ -857,12 +857,22 @@ In Windows by default, devices will scan daily, automatically download and insta

<br>

- <img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/roratinggem.gif" width="28" alt="Rotating pink gem denoting registry or cmdlet"> [Block 3rd party cookies](https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#blockthirdpartycookies)
- <img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/roratinggem.gif" width="28" alt="Rotating pink gem denoting registry or cmdlet"> [Use DNS over HTTPS](https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#dnsoverhttpsmode)
- <img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/roratinggem.gif" width="28" alt="Rotating pink gem denoting registry or cmdlet"> [Set DNS over HTTPS template to Cloudflare's](https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#dnsoverhttpstemplates)
*Edge policies checked until version 114.0.1823.55*

- <img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/roratinggem.gif" width="28" alt="Rotating pink gem denoting registry or cmdlet"> [Block 3rd party cookies](https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#blockthirdpartycookies) - Recommendatory policy
- <img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/roratinggem.gif" width="28" alt="Rotating pink gem denoting registry or cmdlet"> [Set Edge to use system's DNS over HTTPS](https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#control-the-mode-of-dns-over-https)
- <img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/roratinggem.gif" width="28" alt="Rotating pink gem denoting registry or cmdlet"> [Automatic HTTPS upgrade of HTTP connections](https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#configure-automatic-https)
- <img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/roratinggem.gif" width="28" alt="Rotating pink gem denoting registry or cmdlet"> [Enable Encrypted Client Hello](https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#encryptedclienthelloenabled)
- <img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/roratinggem.gif" width="28" alt="Rotating pink gem denoting registry or cmdlet">[Restrict exposure of local IP address by WebRTC](https://learn.microsoft.com/en-us/DeployEdge/microsoft-edge-policies#webrtclocalhostiphandling)
- <img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/roratinggem.gif" width="28" alt="Rotating pink gem denoting registry or cmdlet"> [Disable the ability to access insecure websites with TLS errors](https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#allow-users-to-proceed-from-the-https-warning-page)
- <img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/roratinggem.gif" width="28" alt="Rotating pink gem denoting registry or cmdlet">[Disable Basic HTTP authentication scheme](https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#basicauthoverhttpenabled)
- <img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/roratinggem.gif" width="28" alt="Rotating pink gem denoting registry or cmdlet">[Force WebRTC respect the Windows OS routing table rules when making P2P connections](https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#enable-support-for-windows-os-routing-table-rules-when-making-peer-to-peer-connections-via-webrtc)
- <img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/roratinggem.gif" width="28" alt="Rotating pink gem denoting registry or cmdlet">[Launch Renderer processes into an App Container for additional security benefits](https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#enable-renderer-in-app-container)
- <img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/roratinggem.gif" width="28" alt="Rotating pink gem denoting registry or cmdlet">[Enforces Secure mode and Certificate-based Digital Signature validation in native PDF reader](https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#secure-mode-and-certificate-based-digital-signature-validation-in-native-pdf-reader)
- <img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/roratinggem.gif" width="28" alt="Rotating pink gem denoting registry or cmdlet">[Allow devices using this hardening category to receive new features and experimentations like normal devices](https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#control-communication-with-the-experimentation-and-configuration-service)
- <img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/roratinggem.gif" width="28" alt="Rotating pink gem denoting registry or cmdlet">[Enforce the audio process to run sandboxed.](https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#allow-the-audio-sandbox-to-run)
- <img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/roratinggem.gif" width="28" alt="Rotating pink gem denoting registry or cmdlet">[Sets the share additional operating system region setting to never.](https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#set-the-default-share-additional-operating-system-region-setting) - Recommendatory policy
- <img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/roratinggem.gif" width="28" alt="Rotating pink gem denoting registry or cmdlet">[Sets the new Adobe PDF reader to be used in Edge for PDFs](https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#microsoft-edge-built-in-pdf-reader-powered-by-adobe-acrobat-enabled) - Recommendatory policy
- <img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/roratinggem.gif" width="28" alt="Rotating pink gem denoting registry or cmdlet"> [Disables the following weak Cipher Suites](https://learn.microsoft.com/en-us/DeployEdge/microsoft-edge-policies#tlsciphersuitedenylist)
- [Site 1 to test TLS in your browser](https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html)
- [Site 2 to test TLS in your browser](https://browserleaks.com/tls)
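Review bot: Several of the new bullets (the WebRTC local IP, Basic auth, routing table, App Container, PDF secure mode, experimentation, audio sandbox, region setting and Adobe PDF reader items) are missing the space between the closing `>` of the `<img>` tag and the `[` of the link that the other bullets have; GitHub renders both forms, but the inconsistency makes the list harder to maintain, so add the space. Also, the "Set Edge to use system's DNS over HTTPS" bullet would benefit from a short note that the `automatic` mode falls back to unencrypted DNS when the OS resolver has no DoH template, so the Windows DNS over HTTPS setting must be configured for this to give the same protection the removed Cloudflare template bullet described.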
Expand Down Expand Up @@ -893,7 +903,7 @@ Some settings require the client to be joined to Windows Server Active Directory
- [Microsoft Edge Beta channel change log](https://learn.microsoft.com/en-us/deployedge/microsoft-edge-relnote-beta-channel)
- [Microsoft Edge Mobile stable channel change log](https://learn.microsoft.com/en-us/deployedge/microsoft-edge-relnote-mobile-stable-channel)
- [Edge Insider for Beta/Dev/Canary channels](https://www.microsoftedgeinsider.com/en-us/)
- [Microsoft Edge Security baselines](https://www.microsoft.com/en-us/download/details.aspx?id=55319) - Works without ingesting [ADMX policy files](https://www.microsoft.com/en-us/edge/business/download) first.
- [Microsoft Edge Security baselines](https://www.microsoft.com/en-us/download/details.aspx?id=55319) - Work without ingesting [ADMX policy files](https://www.microsoft.com/en-us/edge/business/download) first - This script includes them
- [Reason why the script doesn't use it.](https://github.com/HotCakeX/Harden-Windows-Security/issues/50)

<p align="right"><a href="#menu-back-to-top">💡 (back to categories)</a></p>
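Review bot: The added "Work without ingesting ADMX policy files first - This script includes them" has an ambiguous antecedent: "them" can be read as the ADMX files or as the baseline's settings, and the following bullet "Reason why the script doesn't use it" then appears to contradict it. Suggest stating explicitly what the script ships (the baseline's policy values, the ADMX files, or both) and changing "it" to "them" so the two bullets agree on what is being referred to.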
