MDM & GP Tips Blog

Jun 2020
09

Establishing Edge v83 Security Baselines with Group Policy

MDM administrators that utilize Microsoft Endpoint Management (Intune) are familiar with the concept of Security Baselines.  A security baseline is a collection of Microsoft recommended configuration settings that help secure and protect enterprise users and devices.  For instance, MEM offers security baselines for Windows 10, Microsoft Defender ATP and Edge.  Security baselines are an easy and effective way for admins to ensure that they are consistently enforcing a minimum security level that will address fundamental security and compliance issues.  Some admins may be surprised that security baselines are available for Group Policy as well.

The Benefits of Using Security Baselines


While it is perfectly ok to configure your own MDM profile or GPO to select and configure available settings, baselines are a quick and easy way to enforce a default baseline that prevents users from making changes that will result in an insecure state.  There are a number of benefits of using security baselines offered by Microsoft.

  • They are already configured by Microsoft security experts
  • They enforce settings that mitigates contemporary security threats.
  • Baseline settings have been pretested to ensure that they do not cause operational issues that are worse than the risks they mitigate
  • They ensure that users and device configuration settings are compliant with the baseline

Security Baselines are not just for MDM

Microsoft has been releasing Security baselines since the Windows XP days.  Because Group Policy offers far more settings than MDM, the simplification that they offer for AD environments is even more of a benefit.  For instance, there are more than 200 Microsoft Edge Group Policy settings for Windows, but only some of these are security related.   By implementing Microsoft Edge baselines, you can rest assure that you are deploying the most up-to-date security settings for Microsoft Edge using your GPO environment.

Security Baseline for Microsoft Edge v83

Microsoft just recently announced the release of the Microsoft v83 of Microsoft Edge.  Microsoft continues to release new versions and settings for the new Chromium Edge browser.  Version 83 includes 19 new computer and user based settings.  The accumulated total of Edge settings currently stands at 311 Computer policy settings and 286 User configuration policy settings.  The current baseline involves 12 of these settings which are identical to the v80 security baseline.

To obtain the security baseline for Microsoft Edge, you need to download the Security Compliance Kit.  The compliance kit the following:

  • Importable GPOs
  • A script to apply the GPOs to local policy
  • A script to import the GPOs into Active Directory Group Policy
  • A spreadsheet documenting all recommended settings in spreadsheet form
  • Policy Analyzer rules
  • GP Reports
  • Documentation

Implementing the Baseline into your AD Environment

Keep in mind that you must have the Edge v83 ADMX files contained within your Central Store as a prerequisite.  Once you download the toolkit, open the Scripts folder and run either the local policy script or the AD import script as shown below.

In this example we using the Baseline-ADimport script.  The script will then import a GPO called MSFT Edge version 80 – Computer that involves the following Administrative Templates.

Some of the configured settings include the following:

The toolkit includes a GP Reports Folder that contains an HTML report of GPO templates available in the baseline.

It is recommended that you stay current with the latest security baselines of Edge and Windows 10.  You can keep abreast of future baselines as they become available through the Microsoft website.   

You can learn about the newest policy settings available with Edge v83 on the Microsoft website

 

Oct 2016
04

Next Group Policy Training: Atlanta. (And some security stuff that scared my pants off !)

Next GP Class Stop: Atlanta. (And some security stuff that scared my pants off !)

Hey Team.. ! Just got back from Atlanta… where last week I was at Ignite.

Quick Ignite report: Nothing blew my face off, but it was nice to physically be back in touch with friends, customers and students.
The human connection CANNOT be underrated !

Check this picture out of a dinner on Wednesday night. Can you name all the people in this photo: http://screencast.com/t/daL5kTOFfU ?

And, guess what? I’m coming back to Atlanta… TWICE MORE this year.
First: Techstravaganza 2016 Nov 18th !

What is it? This is the annual Atlanta IT Pro user group meetup, and it’s awesome. And I’m giving two speeches and one is the keynote ! Come hear me speak about:
– “Top Windows Server 2016 and Windows 10 Gotchas”
– “Why Group Policy isn’t dead, still matters, and what’s new in Group Policy for Windows 10”

When is it? Nov 18th, 2016.. One Day only !

How do you sign up? Sign up and get tickets here: https://www.eventbrite.com/e/atlanta-techstravaganza-2016-tickets-27792984565
Second: My next Group Policy Class : Dec 12 – 15 (Four Days)

We have two seats remaining my class next week in Chicago.. and see you all who are coming NEXT MONDAY!!
And it’s really been like forever since I’ve had GP class in Atlanta.
So.. Guess where I’m going next!? Atlanta ! Dec 12 -15.
We’ve got a great location, great room rate, it’s just going to be a super awesome amazeballs class.. I know it.
And you can join aboard… How do you do that I hear you cry? http://dev.gpanswers.com/training
Price: $2500 for the four days.
Results?: Priceless.
So what scared the heck out of me? Well, check this out.. There’s a video you have to see. It will freak you out.. !
Stealing login credentials from a locked PC or Mac just got easier
http://arstechnica.com/security/2016/09/stealing-login-credentials-from-a-locked-pc-or-mac-just-got-easier/

Some possible remediations could be:
– Block the USB\Class_02 device using a Device Installation restrictions GPO as a countermeasure based on the following info:
https://isc.sans.edu/diary/Collecting%2BUsers%2BCredentials%2Bfrom%2BLocked%2BDevices/21461

Another proposed protection was:
https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning

These are both UN-tested, and were suggested by a two fellow MVPs (not me.)

You’ll learn about Device Installation Restrictions in my Group Policy class. And a billion other security tips and tricks.

So.. what are you waiting for?
Dec 12 – 15 in Atlanta… !

Get Training

See you there !!