Security baseline for Microsoft Edge version 108 now available


We are pleased to announce the security review for Microsoft Edge, version 108!

We have reviewed the new settings in Microsoft Edge version 108 and determined that there are no additional security settings that require enforcement; however, there is one setting that deserves attention. The Microsoft Edge version 107 security baseline continues to be our recommended configuration, which can be downloaded from the Microsoft Security Compliance Toolkit.

TLS Encrypted ClientHello Enabled (Consider)

This is an interesting setting that admins may wish to consider, particularly if using Windows Defender Network Protection or similar security software. TLS Encrypted ClientHello (ECH) Enabled is a privacy-improving feature that combats one of the shortcomings of HTTPS – namely, TLS does not hide from a network observer the target hostname to which the browser is connecting. This means that your company or ISP network administrator (or anyone who can spy on network traffic) can see the hostname of the site to which your browser is connecting, which has privacy implications. ECH hides the hostname so that a network observer can only see the target IP address of browser traffic, but not which specific site at that IP is being requested.

The reason that this feature has a security impact is that some security software may be spying upon your network requests and blocking requests to specific sites based on the site’s hostname. As a specific example, the Windows Defender Network Protection feature relies upon looking at the Server Name Indication (SNI) within the ClientHello to decide whether to block traffic to sites on the “known malicious” list or the customer’s custom blocklist. If the ClientHello is encrypted by the browser’s new ECH, this Network Protection feature (and similar features in other security software) will not be able to read the SNI, and thus will not be able to block the traffic.

For Microsoft Edge specifically, there’s a subtlety around the interaction of ECH and Network Protection. Machine installed channels of Edge (Stable/Beta) are exempted from Network Protection (in favor of Microsoft Defender SmartScreen), so the implications of this policy on Microsoft Edge are really limited to Edge Canary OR users of non-Microsoft Defender security products. But IT departments using Network Protection in Google Chrome really should set the equivalent policy.

Microsoft Edge version 108 introduced 4 new computer settings and 4 new user settings. We have included a spreadsheet listing the new settings in the release to make it easier for you to find them.

As a friendly reminder, all available settings for Microsoft Edge are documented here, and all available settings for Microsoft Edge Update are documented here.

Please continue to give us feedback through the Security Baselines Discussion site or this post.

Source:
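To make the Network Protection point above concrete, here is an added example (not Microsoft's code and not part of the original post) that parses a TLS ClientHello record and reports whether an SNI-based filter would see the real hostname. The ClientHello bytes are constructed inside the script, the ECH extension codepoint 0xfe0d is the one used by the IETF draft, and the ECH payload is a dummy placeholder rather than a real encrypted inner ClientHello.

```python
import struct

EXT_SERVER_NAME = 0x0000  # RFC 6066 server_name: plaintext SNI
EXT_ECH = 0xFE0D          # encrypted_client_hello codepoint from draft-ietf-tls-esni

def parse_extensions(record: bytes) -> dict:
    """Return {extension_type: extension_data} from a TLS record (5-byte header) carrying a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 5 + 4 + 2 + 32                                      # headers, legacy_version, random
    pos += 1 + record[pos]                                    # legacy_session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + record[pos]                                    # legacy_compression_methods
    end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos, exts = pos + 2, {}
    while pos < end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        exts[etype] = record[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    return exts

def sni_hostname(exts: dict):
    """Hostname from the server_name extension, or None if absent."""
    data = exts.get(EXT_SERVER_NAME)
    if data is None:
        return None
    name_len = struct.unpack("!H", data[3:5])[0]   # list_len(2) name_type(1) name_len(2)
    return data[5:5 + name_len].decode("ascii")

def classify(record: bytes) -> str:
    """What an SNI-based filter such as Network Protection can learn from this ClientHello."""
    exts = parse_extensions(record)
    host = sni_hostname(exts)
    if EXT_ECH in exts:
        # real SNI is in the encrypted inner ClientHello; the outer SNI names only the client-facing server (e.g. a CDN)
        return f"ech: outer name {host!r} only, real hostname hidden"
    return f"plaintext-sni: filter can match {host!r}"

def build_client_hello(host: str, with_ech: bool) -> bytes:
    """Constructed minimal ClientHello for the demo (one cipher suite, dummy ECH payload)."""
    name = host.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    if with_ech:
        ech = b"\x00" * 16   # placeholder standing in for the opaque ECH payload
        exts += struct.pack("!HH", EXT_ECH, len(ech)) + ech
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Feeding the same parser a real capture shows the same split: a plaintext SNI can be matched against a blocklist, while an ECH-bearing hello exposes only the outer name.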
 
I fail to see the point of this useless policy, since it does not work?!
It can be only used to disable ECH. Edge with the parameter works:
Code:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --enable-features="EncryptedClientHello"
 
Why is this flag not there (in Edge)?



Why does CF have to disable it?!
:think:
 
Why does CF have to disable it?!
:think:
It's in Beta at CF, they often turn beta stuff off if it's not working correctly while they get things fixed; if that's from your CF account, then click the read more. I can't look as I've not been accepted into the beta yet.

 