Security

5 Things To Check In Your Microsoft Edge Configuration

In what has now become a ‘5 Things To Check’ series, this time we’re looking at Microsoft Edge. The Center for Internet Security’s (CIS) Microsoft Edge benchmark is up to v2.0.0, so again I’ll pick my favourite 5 things listed, along with giving my own explanation of why they matter and other considerations.

By the way, did you know there’s now a whole ‘Policies for Microsoft Edge’ area of the Microsoft 365 admin center? More details on the Microsoft Edge management service here.

OK let’s jump into the top 5!

1. Ensure ‘Configure extension management settings’ is set to ‘Enabled: *’

Browser extensions can do a bunch of useful things, including potentially reading everything you do in the browser and sending it off to a third party. Even when that isn’t malicious, your users generally aren’t reviewing what permissions an extension asks for, or thinking about where the data ends up (I know there will be exceptions to this!). Just like any other app, extensions should be controlled and go through an approval process before they’re allowed on a work device. Moreover, the tie-in of using Microsoft Edge with a work profile, both as a requirement to access certain resources and as the way policies are pulled down automatically to configure the profile in a secure state, goes a long way towards providing a fully secure experience.

By default, all users can install whatever extensions they like.

Microsoft have full documentation on how to manage Microsoft Edge extensions here: Detailed guide to the ExtensionSettings policy | Microsoft Learn. This setting is the starting point: it blocks all extensions by default unless there’s an exception, which is why it’s set to the wildcard *. Exceptions to the global block can be granted with the setting ‘Allow specific extensions to be installed’, using each extension’s 32-character store ID. There are several ways to manage and deploy this:

Group Policy – https://learn.microsoft.com/en-us/deployedge/microsoft-edge-manage-extensions-policies#allow-or-block-extensions-in-group-policy

Intune – https://support.imperosoftware.com/hc/en-au/articles/10590384691347-Managing-Edge-extensions-in-Microsoft-InTune

Microsoft Edge management service (the new way!) https://learn.microsoft.com/en-us/deployedge/microsoft-edge-management-service#manage-settings-for-all-extensions

Yes there is management overhead in blocking all extensions and looking at each case on what you should allow, and yes you need to consider other browsers like Google Chrome – you can’t just lock down Microsoft Edge and leave Google Chrome to be a free for all, or users will go there instead.
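The block-by-default-with-exceptions policy above, as an added example (not code from the original post or from Microsoft): it builds the ExtensionSettings JSON with the * wildcard blocked and one approved extension allowed, writes it to the registry location Edge reads policy from, and reads it back to confirm the default block is in place. The extension ID is a placeholder, not a real extension, and the key path and value type are the documented registry form of the policy.

```powershell
# Added example: block all Edge extensions by default, allow an approved list.
# Run elevated. Edge picks the change up on its next policy refresh
# (edge://policy > Reload policies shows the result).

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

# Approved extensions: store ID -> reason. The ID below is a PLACEHOLDER; real IDs are
# the 32-character a-p string from the Edge Add-ons store URL.
$Approved = @{
    'abcdefghijklmnopabcdefghijklmnop' = 'Placeholder: approved password manager'
}

function New-EdgeExtensionSettingsJson {
    param([hashtable]$AllowedIds)
    $settings = [ordered]@{
        # "*" is the wildcard the CIS item refers to: block everything not listed,
        # and tell the user why rather than failing silently.
        '*' = [ordered]@{
            installation_mode       = 'blocked'
            blocked_install_message = 'Extensions must be approved by IT before installation.'
        }
    }
    foreach ($id in $AllowedIds.Keys) {
        if ($id -notmatch '^[a-p]{32}$') { throw "Not a valid extension ID: $id" }
        $settings[$id] = [ordered]@{ installation_mode = 'allowed' }
    }
    # -Compress keeps it on one line, which is what the REG_SZ value needs.
    $settings | ConvertTo-Json -Compress -Depth 4
}

function Set-EdgeExtensionSettings {
    param([string]$Json)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name 'ExtensionSettings' -PropertyType String `
        -Value $Json -Force | Out-Null
}

function Test-EdgeExtensionSettings {
    # Read the value back and confirm the wildcard block survived the round trip.
    $raw    = (Get-ItemProperty -Path $PolicyKey -Name 'ExtensionSettings' -ErrorAction Stop).ExtensionSettings
    $parsed = $raw | ConvertFrom-Json
    return ($parsed.'*'.installation_mode -eq 'blocked')
}

$json = New-EdgeExtensionSettingsJson -AllowedIds $Approved
Set-EdgeExtensionSettings -Json $json
Test-EdgeExtensionSettings   # $true once the default block is written
```

Keep the approved list in source control alongside the reason for each entry; the JSON is regenerated from it, so the registry value never drifts from what was actually approved.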

2. Ensure ‘Enable profile creation from the Identity flyout menu or the Settings page’ is set to ‘Disabled’

I called out profiles in the first tip – Edge profiles are a core component of Microsoft Edge security. A work or school account signed into Microsoft Edge can pull down Microsoft 365 tenant settings, including the new Microsoft Edge Management Service which to quote the start of the learn.microsoft.com article:

The Microsoft Edge management service is a platform in the Microsoft 365 admin center that enables admins to easily configure Microsoft Edge browser settings for their organization. These configurations are stored in the cloud and the settings can be applied to a user’s browser through group assignment or group policy. Users must be logged into Microsoft Edge to retrieve these settings.

https://learn.microsoft.com/en-us/deployedge/microsoft-edge-management-service

Either single sign-on should have Edge automatically sign in with the same account the PC is logged in with, or on BYOD the requirement to create a profile with the work account allows for application management: things like stopping data leaving the browser session, blocking screenshots, blocking extensions, etc.

On the flip side, letting users create profiles throws all that security and control out the window. If someone can create a new profile, or use a guest profile, a lot of the controls drop off, and the browser session may be treated as a consumer one, with things like Microsoft Rewards turning up. You also have history, bookmarks, saved passwords etc. potentially being synced to a personal Microsoft account (rather than a work/school one). That Microsoft account may not even have MFA on it, so a compromised personal account that has been syncing browser data could expose a lot of company-related information.

The setting can be set by Group Policy if you download the Microsoft Edge for Business pack (worth doing if you’re living in Group Policy land still) – Download Edge for Business (microsoft.com), or the registry setting:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge]
"BrowserAddProfileEnabled"=dword:00000000

You can also set this via Microsoft Edge management service https://admin.cloud.microsoft/#/Edge/PolicyConfiguration/

3. Ensure ‘Enable AutoFill for addresses’ is set to ‘Disabled’

Ever walked up to an iPad at a business that you need to register your details on, and as you click on the first part of the form it shows you a bunch of other people’s data? That’s AutoFill enabled by default, when it definitely should not be.

This is a tough one, because AutoFill is so handy. You go to a website and need to fill in a form, but instead you get a dropdown, pick your name and the form is mostly filled out! In a work environment, though, this can be a real problem. Are you ever entering personally identifiable information for someone else? It could be as simple as an email address. That data gets saved in a way that isn’t much different from having a text file in your profile containing the same data, so it shouldn’t be allowed.

You’d probably get user pushback on this, but a decent password manager should also have AutoFill functionality, with the difference that it prompts you before saving data, and what it holds is easily reviewable in the user’s vault rather than stored in the more opaque way that Edge (and other browsers) generally use.

The AutofillAddressEnabled setting is easy to disable via registry, Group Policy with Download Edge for Business (microsoft.com) or via Microsoft Edge management service (and untick that ‘Allow users to override’ option, which is ticked by default!).

4. Ensure ‘Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads’ is set to ‘Enabled’

Microsoft Defender SmartScreen

Microsoft’s support site explains to users about Defender SmartScreen, including the Screening downloads part. Seems like a pretty good idea, if a user downloads something and it matches a file that Microsoft has already found unsafe, it’ll warn you:

Screening downloads: SmartScreen checks your downloads against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, SmartScreen warns you that the download has been blocked for your safety. SmartScreen also checks your downloaded files against a list of well-known and popular downloads by Microsoft Edge users and warns you if your download is not on this list. 

https://support.microsoft.com/en-au/microsoft-edge/how-can-smartscreen-help-protect-me-in-microsoft-edge-1c9a874a-6826-be5e-45b1-67fa445a74c8#:~:text=Screening%20downloads%3A%20SmartScreen%20checks%20your,been%20blocked%20for%20your%20safety.

You can just bypass this warning and download the file anyway. A home user may want this experience to make the decision themselves, but this probably isn’t the decision you want an end user to make in a corporate environment and on a work device. Arguably, several other layers should protect you anyway including Defender for Endpoint or whatever EDR solution is in place, but this is a pretty safe extra layer to have in place.

Preventing user bypass of a SmartScreen-detected suspicious download seems like an obvious one. Again, PreventSmartScreenPromptOverrideForFiles is a single setting via registry, Group Policy, or Microsoft Edge management service:

5. Ensure ‘Enhance the security state in Microsoft Edge’ is set to ‘Enabled: Balanced mode’

This is disabled by default. Clicking the ? next to ‘Enhance your security on the web’ will tell you:

What is enhanced security mode?
This runs your unfamiliar sites without the just in time (JIT) compilation to provide added protection. Running JIT-less reduces attack surface, making it difficult for malicious sites to exploit.
The additional protection includes Windows operating system mitigations such as Hardware Enforced Stack Protection, Arbitrary Code Guard (ACG), and Control Flow Guard (CFG).

Although there is a caveat (‘Most sites work as expected’), it’s an adaptive setting that learns which sites are familiar the more it gets used. Admins can also add exceptions, or force enhanced security on certain sites: Browse more safely with Microsoft Edge | Microsoft Learn

I’ve been running this setting on at home for several months and haven’t noticed any issues, but I’m sure there are some sites that would be affected by this. You can decide if you let users toggle the option off on a per-website basis too.

The ‘Balanced mode’ option under the ‘EnhanceSecurityMode’ setting can be set via registry, Group Policy with Download Edge for Business (microsoft.com) or via Microsoft Edge management service:

Bonus because I couldn’t pick between this and #5!
6. Ensure ‘Allow personalization of ads, Microsoft Edge, search, news and other Microsoft services by sending browsing history, favorites and collections, usage and other browsing data to Microsoft’ is set to ‘Disabled’

This is enabled by default. Regardless of how much you trust Microsoft, unnecessarily sending information such as browsing history, favorites/collections etc. is worth blocking, at the cost of ad personalisation, which should be irrelevant in a corporate setting. Turn this one off!

The PersonalizationReportingEnabled setting is easy to disable via registry, Group Policy with Download Edge for Business (microsoft.com) or via Microsoft Edge management service:
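Items 2 to 6 are all single DWORD values under the same policy key, so here is an added example (my own, not code from the original post or from Microsoft) that audits a device against the CIS-recommended state for those five settings and, with -Apply, writes only the values that differ. The policy names and values are the ones named in the items above (EnhanceSecurityMode uses 0 = off, 1 = Balanced, 2 = Strict); the function names are my own.

```powershell
# Added example: audit and remediate the Edge policy values behind items 2-6.
# Values are REG_DWORD under HKLM\SOFTWARE\Policies\Microsoft\Edge. Run elevated.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

# Desired state per the CIS items discussed above.
$Desired = [ordered]@{
    BrowserAddProfileEnabled                 = 0   # item 2: no new profiles
    AutofillAddressEnabled                   = 0   # item 3: no address AutoFill
    PreventSmartScreenPromptOverrideForFiles = 1   # item 4: no bypass of download warnings
    EnhanceSecurityMode                      = 1   # item 5: Balanced mode (2 would be Strict)
    PersonalizationReportingEnabled          = 0   # item 6: no browsing data sent for personalisation
}

function Get-EdgePolicyState {
    param([System.Collections.IDictionary]$Expected)
    $current = if (Test-Path $PolicyKey) { Get-ItemProperty -Path $PolicyKey } else { $null }
    foreach ($name in $Expected.Keys) {
        # $null means "not configured", i.e. the Edge default applies (the insecure one for all five).
        $actual = if ($null -ne $current -and $null -ne $current.$name) { [int]$current.$name } else { $null }
        [pscustomobject]@{
            Policy    = $name
            Expected  = $Expected[$name]
            Actual    = $actual
            Compliant = ($actual -eq $Expected[$name])
        }
    }
}

function Set-EdgePolicyState {
    param([System.Collections.IDictionary]$Expected, [switch]$Apply)
    $drift = Get-EdgePolicyState -Expected $Expected | Where-Object { -not $_.Compliant }
    if (-not $Apply) { return $drift }   # report-only mode: just show what would change
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    foreach ($d in $drift) {
        New-ItemProperty -Path $PolicyKey -Name $d.Policy -PropertyType DWord `
            -Value $d.Expected -Force | Out-Null
    }
    Get-EdgePolicyState -Expected $Expected   # re-read so the result reflects the registry, not intent
}

Get-EdgePolicyState -Expected $Desired | Format-Table -AutoSize   # audit
# Set-EdgePolicyState -Expected $Desired -Apply                     # remediate once reviewed
```

If the device also receives these policies from Group Policy or the Edge management service, those sources win on the next refresh; the audit half is still useful there because it shows the value Edge will actually honour, which is what edge://policy reports.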

It’s also worth calling out that Microsoft have their own Security Baseline for Microsoft Edge included in this: Download Microsoft Security Compliance Toolkit 1.0 from Official Microsoft Download Center which lists out all the policies with recommended settings, along with a bunch of other products. You should be keeping track of the Security Baseline for Microsoft Edge and following the guidance where possible on each release.

5 Things To Check In Your Microsoft 365 Tenant

I’ve been diving into the Center for Internet Security’s (CIS) benchmarks lately – which are a set of benchmarks to use against different technologies (including Microsoft 365 and freely available for non-commercial use). They are a good set of checks to go through in a tenant to review configuration with a security focus; including how to remediate.

There is of course a lot more to it than reading a document and configuring items the way it says to; you need to understand what you’re changing, and what impact that may have on the business and its end users. For example, blocking the ability to share anonymous links from SharePoint/OneDrive is generally ‘a good idea’ security wise, but if your users are actually doing that you probably don’t want to just shut it off. You need to assess what’s being used and how, and have a strategy to get to a more secure point.

Anyway, I’ve picked my favourite 5 settings from their comprehensive list that I feel people could miss; I may have missed these myself when I used to be a Microsoft 365 administrator.

For PowerShell commands, if you’re not sure how to get to the right module (e.g. Exchange Online from my first example) then check out msshells.net which will show you how to install and connect.

The headings are quoted from CIS, but the rest of the material is my own:

1. 3.1.1 Ensure Microsoft 365 audit log search is Enabled

If you’re a Microsoft 365 focused admin, Azure and log search may not be front of mind for you unless you go looking to solve a problem that arises.

This should be enabled in new tenants, but older ones may not have it. First check its status with the PowerShell command in Exchange Online:

Get-AdminAuditLogConfig | Select UnifiedAuditLogIngestionEnabled

This will show a True or False value – if it’s True, it’s on. If it’s off/false, enable it with this command:

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

This should have no user impact and just enables the ingestion of the Audit Logs.

To view these logs you can use PowerShell commands, but this is generally one I’d rather use a GUI for – go to the Microsoft Purview portal and the Audit section, and trigger a search. Without getting into too much detail, there’s two tiers of Audit – Standard and Premium. Read further information here.
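The check-then-enable steps above as one idempotent script, added here as an example (not from the original post): it enables ingestion only if it is off, re-reads the setting rather than assuming the change took, and runs a small search so you can see events actually arriving. It assumes Connect-ExchangeOnline has already been run; the function names are my own.

```powershell
# Added example: enable the unified audit log if needed and prove it is ingesting.
# Assumes the ExchangeOnlineManagement module is loaded and Connect-ExchangeOnline has run.

function Get-UnifiedAuditLogState {
    return [bool](Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
}

function Enable-UnifiedAuditLog {
    if (Get-UnifiedAuditLogState) {
        Write-Host 'Unified audit log ingestion is already enabled.'
        return
    }
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    # The change can take a while to propagate; re-read rather than assume.
    Write-Host ("Ingestion now reports: {0}" -f (Get-UnifiedAuditLogState))
}

function Get-RecentMailboxLogins {
    # Sanity search: interactive mailbox logins over the last $Hours.
    # A freshly enabled tenant returns nothing until events start to flow in.
    param([int]$Hours = 24, [int]$Max = 50)
    Search-UnifiedAuditLog -StartDate (Get-Date).AddHours(-$Hours) -EndDate (Get-Date) `
        -Operations 'MailboxLogin' -ResultSize $Max |
        ForEach-Object {
            $d = $_.AuditData | ConvertFrom-Json   # AuditData is a JSON string per event
            [pscustomobject]@{
                When     = $_.CreationDate
                User     = $_.UserIds
                ClientIP = $d.ClientIPAddress
                Client   = $d.ClientInfoString
            }
        }
}

Enable-UnifiedAuditLog
Get-RecentMailboxLogins | Format-Table -AutoSize
```

Search-UnifiedAuditLog is fine for a spot check like this; for anything recurring, point your SIEM or Sentinel at the audit log rather than scripting searches.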

2. Ensure modern authentication for SharePoint applications is required

This is another that many old tenants may have disabled. SharePoint has ‘legacy authentication’ similar to other services that are planning or already deprecated legacy auth – Exchange Online being the common one most people know about.

To check if you have this disabled, connect via PowerShell to SharePoint Online and run the command:

Get-SPOTenant | ft LegacyAuthProtocolsEnabled

True means legacy authentication is enabled, False means it’s disabled, and we want it to be False. The command to disable it is:

Set-SPOTenant -LegacyAuthProtocolsEnabled $false

Entra ID’s Conditional Access should be configured to block all Legacy Auth requests also, but this is an extra layer to make sure SharePoint won’t work that way anyway (plus holes are poked through Conditional Access all the time!). There seems to be very little official public documentation about this option from Microsoft – I could find this example where they show how to set it to $true to avoid some login issues which is a bit concerning.

This is one that may have some user or application impact if systems are connecting to SharePoint Online in legacy ways. Users should be used to modern auth, as it matches their experience in other Microsoft 365 services; applications, however, would need to be redesigned or updated to accommodate this. You can search the Entra ID sign-in logs for any attempts to connect to SharePoint Online using legacy authentication, over as long a period as possible, before changing this setting.
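The ‘look at the sign-in logs first, then flip the setting’ approach as a script, added here as an example (not from the original post): it reports the current tenant value, summarises recent SharePoint sign-ins that did not come through a modern client, and refuses to disable legacy auth while such sign-ins exist unless you pass -Force. It assumes Connect-SPOService and Connect-MgGraph -Scopes AuditLog.Read.All have been run, and that the sign-in log is available (Entra ID P1 or P2). The client and resource display-name strings are assumptions about how the sign-in log labels them in your tenant; check them against a known entry before trusting the filter.

```powershell
# Added example: gate Set-SPOTenant -LegacyAuthProtocolsEnabled $false on what the sign-in log shows.

function Get-SpoLegacyAuthState {
    return [bool](Get-SPOTenant).LegacyAuthProtocolsEnabled   # $true = legacy auth still allowed
}

function Get-SpoLegacyAuthSignIns {
    param([int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    # Modern clients show as 'Browser' or 'Mobile Apps and Desktop clients' (assumed labels);
    # anything else against SharePoint Online is treated as legacy.
    $modern = @('Browser', 'Mobile Apps and Desktop clients')
    Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since and resourceDisplayName eq 'Office 365 SharePoint Online'" |
        Where-Object { $_.ClientAppUsed -notin $modern } |
        Group-Object UserPrincipalName, ClientAppUsed, AppDisplayName |
        ForEach-Object {
            [pscustomobject]@{
                Count    = $_.Count
                User     = $_.Group[0].UserPrincipalName
                Client   = $_.Group[0].ClientAppUsed
                App      = $_.Group[0].AppDisplayName
                LastSeen = ($_.Group.CreatedDateTime | Measure-Object -Maximum).Maximum
            }
        } | Sort-Object Count -Descending
}

function Disable-SpoLegacyAuth {
    param([switch]$Force)
    if (-not (Get-SpoLegacyAuthState)) {
        Write-Host 'Legacy auth is already disabled for SharePoint Online.'
        return
    }
    $legacy = Get-SpoLegacyAuthSignIns
    if ($legacy -and -not $Force) {
        Write-Warning 'Legacy sign-ins to SharePoint found in the last 30 days; review them, then re-run with -Force.'
        return $legacy
    }
    Set-SPOTenant -LegacyAuthProtocolsEnabled $false
    Write-Host ("LegacyAuthProtocolsEnabled is now {0}" -f (Get-SpoLegacyAuthState))
}

Get-SpoLegacyAuthSignIns | Format-Table -AutoSize
# Disable-SpoLegacyAuth          # report-only until the legacy list is empty or -Force is given
```

The sign-in log only goes back as far as your retention allows, so run the report a few times over a couple of months if you have monthly or quarterly processes that might still be using legacy clients.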

3. Ensure sign-in to shared mailboxes is blocked (Automated)

Shared mailboxes are a delight for having a central place for emails to land that multiple staff can access, but also a source of grief in user expectations of being able to send as the account and, potentially, log in as it. A reception desk or similar may have multiple people jumping in and out of the location, and they want to access the same contents without the time-consuming task of logging in and out of the computer each time. Regardless, security wise each user should have a unique login, with all their actions performed under that login.

Although it can be a fight and go way beyond a technical issue – shared mailboxes should be disabled from logging in. A disabled from login shared mailbox can still send and receive emails; you’re only disabling the ability to log in using that account itself, and the mailbox can still be accessed as a delegate.

As this is a per account setting, you’ll need to check all shared mailboxes. As per Microsoft Learn, you can block a single account from the Microsoft 365 Admin Center and go to Users > Active Users, select a Shared Mailbox, and click the ‘Block Sign-In’ option:

… but this doesn’t really scale to check all Shared Mailboxes and change the setting. Instead, as per Microsoft Learn, we have to use Exchange Online PowerShell to find the shared mailboxes, then we can use Microsoft Graph PowerShell SDK to disable them. After connecting to Exchange Online and Microsoft Graph with the below scope:

Connect-MgGraph -Scopes User.ReadWrite.All

You can then run the one command to use Exchange Online to find all Shared mailboxes and then use Microsoft Graph to set the account to disabled:

Get-EXOMailbox -RecipientTypeDetails "SharedMailbox" | ForEach {Update-MgUser -UserId $_.ExternalDirectoryObjectId -AccountEnabled:$false}

You could also do the same for Room and Equipment mailboxes if they don’t need to sign in:

Get-EXOMailbox -RecipientTypeDetails "RoomMailbox","EquipmentMailbox" | ForEach {Update-MgUser -UserId $_.ExternalDirectoryObjectId -AccountEnabled:$false}

Also note that Exchange Online has its own ‘AccountDisabled’ mailbox property which you could set to true, but this only blocks sign-in to the mailbox, not the entire account across Microsoft 365 services and Entra ID authentication.

User impact on this needs to be assessed by again checking the Entra ID logs against each Shared Mailbox, and working out how to set systems up to avoid the shared account login. There may be some user resistance to this, but one argument could be ‘what if someone sent a nasty email to your boss under the account and they thought it was you – you couldn’t prove it wasn’t easily if others are also using that same account’.
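Putting the impact check and the block together, as an added example (not code from the original post): it lists shared, room and equipment mailboxes with their Entra ID sign-in state and last interactive sign-in, warns about any that are still being signed into, and supports -WhatIf so you can preview before anything is disabled. It assumes Connect-ExchangeOnline and Connect-MgGraph -Scopes User.ReadWrite.All,AuditLog.Read.All have been run; signInActivity requires an Entra ID P1 or P2 licence, and the function names are my own.

```powershell
# Added example: find non-user mailboxes that can still sign in, and block the quiet ones.

function Get-NonUserMailboxSignInState {
    param([string[]]$Types = @('SharedMailbox', 'RoomMailbox', 'EquipmentMailbox'))
    Get-EXOMailbox -RecipientTypeDetails $Types -ResultSize Unlimited | ForEach-Object {
        # ExternalDirectoryObjectId is the Entra ID object ID of the mailbox's user account.
        $u = Get-MgUser -UserId $_.ExternalDirectoryObjectId -Property 'accountEnabled,signInActivity'
        [pscustomobject]@{
            Mailbox       = $_.PrimarySmtpAddress
            Type          = $_.RecipientTypeDetails
            ObjectId      = $_.ExternalDirectoryObjectId
            SignInEnabled = $u.AccountEnabled
            LastSignIn    = $u.SignInActivity.LastSignInDateTime   # $null if never signed in
        }
    }
}

# Blocks sign-in only for mailboxes with no sign-in in the last $QuietDays; -WhatIf previews.
function Block-NonUserMailboxSignIn {
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$QuietDays = 90)
    $cutoff = (Get-Date).AddDays(-$QuietDays)
    foreach ($m in Get-NonUserMailboxSignInState | Where-Object SignInEnabled) {
        if ($m.LastSignIn -and $m.LastSignIn -gt $cutoff) {
            Write-Warning "$($m.Mailbox) signed in on $($m.LastSignIn); investigate before blocking."
            continue
        }
        if ($PSCmdlet.ShouldProcess($m.Mailbox, 'Block sign-in (AccountEnabled = false)')) {
            Update-MgUser -UserId $m.ObjectId -AccountEnabled:$false
        }
    }
}

Get-NonUserMailboxSignInState | Format-Table -AutoSize
Block-NonUserMailboxSignIn -WhatIf     # drop -WhatIf to apply
```

The mailboxes the warning flags are the conversations to have with the business: something or someone is still logging in as the account, and that needs a delegate or a service principal instead before the block goes in.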

4. Ensure ‘Per-user MFA’ is disabled

This is the ‘old’ MFA from before Conditional Access was around. It only supported the MFA methods ‘Call to phone, Text message to phone, Notification through mobile app, and Verification code from mobile app or hardware token’.

You can check if any users have this enabled by going to https://account.activedirectory.windowsazure.com/usermanagement/multifactorverification.aspx and ensuring all users show as ‘disabled’ for the ‘MULTI-FACTOR AUTHENTICATION STATUS’ column.

If you see any users enabled, then you should ensure Conditional Access is set up and ready to go, then change the users to disabled. You also shouldn’t be using this function at all when Conditional Access is enabled. A few warnings from Microsoft:

More details here: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-userstates

5. Ensure a dynamic group for guest users is created

I quite like this one. Yes, you can reasonably easily determine if an account is a guest account or not, but having an automated group means it’s easy to point other Conditional Access policies, or other monitoring, on what these accounts are doing in your tenant. It’s very little effort to create, doesn’t need maintenance, and can help in other scenarios when you want to review what guest accounts are around.

How to do this is well documented by Microsoft, but you do need a Microsoft Entra ID P1 or P2 licence to create dynamic groups.

Simply create a New Group in the Entra Admin Center https://entra.microsoft.com/#view/Microsoft_AAD_IAM/AddGroupBlade

and after entering a Group name and choosing Membership type: Dynamic User, click ‘Add dynamic query’:

Use the filters Property = userType, Operator = Equals, Value = Guest, and click ‘Save’, then ‘Create’.

Note that it can take a minute for the group to initially populate. You can now use this group to block from certain things as an extra layer of protection against accidental permissions, or have extra Conditional Access policies that always require certain MFA methods.

If you don’t have Entra ID Plan 2 to be able to have guest reviews, you could use the membership of this group as a simple way to review the guest accounts in your tenant.
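The same group created with Graph PowerShell instead of the portal, added here as an example (not from the original post): it is idempotent, uses the same userType -eq "Guest" rule as the portal steps, and verifies the result by comparing the group’s membership to a direct query for guest users, which also serves as the simple guest review mentioned above. It assumes Connect-MgGraph -Scopes Group.ReadWrite.All,User.Read.All has been run and the tenant has Entra ID P1 or P2; the group name is an assumption.

```powershell
# Added example: create the guest dynamic group via Graph and verify it matches reality.

function New-GuestDynamicGroup {
    param([string]$Name = 'SEC-AllGuestUsers')   # assumed name; use your naming standard
    $existing = Get-MgGroup -Filter "displayName eq '$Name'"
    if ($existing) { return $existing }          # idempotent: re-running returns the same group
    New-MgGroup -DisplayName $Name `
        -Description 'All guest (B2B) users; target for Conditional Access and access reviews' `
        -MailEnabled:$false -MailNickname ($Name -replace '[^A-Za-z0-9]', '') -SecurityEnabled:$true `
        -GroupTypes @('DynamicMembership') `
        -MembershipRule '(user.userType -eq "Guest")' `
        -MembershipRuleProcessingState 'On'
}

function Test-GuestDynamicGroup {
    # Compare group membership with a direct query; they should match once the rule has processed.
    param([string]$GroupId)
    $direct  = @(Get-MgUser -Filter "userType eq 'Guest'" -All -Property id | Select-Object -ExpandProperty Id)
    $members = @(Get-MgGroupMember -GroupId $GroupId -All | Select-Object -ExpandProperty Id)
    $missing = @($direct  | Where-Object { $_ -notin $members })   # guests the rule has not picked up yet
    $extra   = @($members | Where-Object { $_ -notin $direct })    # members that are not guests (should be none)
    [pscustomobject]@{
        GuestsInTenant = $direct.Count
        GroupMembers   = $members.Count
        Missing        = $missing.Count
        Extra          = $extra.Count
        InSync         = ($missing.Count -eq 0 -and $extra.Count -eq 0)
    }
}

$group = New-GuestDynamicGroup
Start-Sleep -Seconds 60          # initial rule processing takes a minute or so
Test-GuestDynamicGroup -GroupId $group.Id
```

Run the test function on a schedule and alert if InSync ever goes false: a non-zero Extra means someone has been converted from guest to member without anyone noticing, which is exactly the kind of change you want to see.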


That’s my top 5 picks – check out the CIS Benchmark for Microsoft 365 yourself along with their other benchmarks as there’s a lot to learn and check through. It’s also not a one-time thing, settings change, the benchmark itself grows (currently at v3.1 at the time of writing), plus there’s more security to check beyond this!

Hornetsecurity Overview – 365 Total Protection


The Microsoft 365 suite contains a lot of different solutions, with varying levels of security on those solutions depending on which tier of licensing you have. Microsoft’s security answers have varying levels of user experience, technical requirements, and administrative burden.

For example, if you’ve used Microsoft native solutions to look at mailflow regularly compared to third-party solutions, you’d probably agree that Microsoft do not provide a quick and easy experience in troubleshooting why an email didn’t arrive. If you have to go back more than 2 days, then you’ll potentially have to wait a few hours just to get the results of the mailflow steps.

Third-party solutions must compete with Microsoft in their own space for security solutions, which means they need to be adding value somehow; cheaper, easier to use, more features, and/or quicker.

Hornetsecurity’s answer to this is their 365 Total Protection solution. I’m fairly experienced with Microsoft’s first party offerings, and a few other third-party mail security solutions, so was interested to see how this stacked up and where it might fit.

Hornetsecurity shows the 3 different tiers of licensing, and an option to start a free trial:

The above pricing based on the feature set seems quite reasonable to me, and from the page you can click on each feature and see more information including a screenshot.

The free trial process is well documented – the first page lays out what you’re in for which will unsurprisingly require tenant admin access to approve tenant permissions for Hornetsecurity.

Once you accept the permission request, a synchronisation will start. As I’m doing this in my own tenant of 1 user, it took about 20 seconds to perform. You’ll then need to update MX records so mail flows through the Hornetsecurity service, so it can do many of the services listed.

Not all services rely on mail flow, there is also an Outlook add-in. For older versions of Outlook it can be downloaded and installed like a traditional add-in, or there’s the much nicer modern method that’s controlled from inside Microsoft 365 admin center to deploy and show for users (I wish more vendors did this!).

Either way, the Outlook add-in provides several functions such as being able to report emails, block/allow emails, and view archived emails.

Some other notable features of the 365 Total Protection solution:

  • Email Archiving – something Microsoft can do, but don’t do a great job of exposing the archived emails. 10 years of email retention should be more than enough for most companies, and even if you have archiving enabled in your tenant natively, this gives you a backup of all your emails.
  • Email Live Tracking – a real time view of mail flow that works quickly and doesn’t require reports to be generated after 2 days that are CSV files.
  • Individual User Signatures – Centralised signatures that are also monitored for people who decide to change them away from the company standard. Different groups can get their own style of signature too. Microsoft still has nothing in this space natively and is still in the early days of having a signature saved to someone’s profile.
  • eDiscovery – Being able to search quickly across all emails in the company for keywords is a handy thing. Another one that Microsoft can do, but it’s clunky and far from quick.
  • Email Continuity Service – If Microsoft’s mail services go down, you can keep going until they’re back – delivering and sending emails directly through Hornetsecurity, then syncing up what happened after the event.
  • Automated backups for mailboxes, Teams, OneDrive and Sharepoint – this is really where all your Microsoft 365 data will live. Again, it gives you somewhere this data can be backed up and restored outside of Microsoft’s ecosystem.

There is of course a lot of security aspects to the solution such as Forensic Analyses, URL Malware Control and Realtime Threat Reports, but I quite like the Malware ex-post alert and Malware ex-post deletion. Malicious emails that get through on any system (and I’ve seen this with other third-party solutions as well as Microsoft) need to be detected and cleaned up, as well as investigated on whether anyone clicked the link. This ties into URL Malware control, which will do URL rewriting. Microsoft do this natively, but I’ve found the cleanup aspect can take a little while to perform and isn’t a seamless process from detection to cleanup.

One last point – it is good to see that they have a data centre in Australia as I see many of these companies ignore our region, which makes it hard when you need to keep your data in-country.

I look forward to playing around with Hornetsecurity further. If you’re curious too, then check out their free trial here.

Windows Hello for Business – A less forceful rollout option

How to roll out Windows Hello for Business as optional

To roll out Windows Hello for Business optionally:

  1. In Group Policy, enable the ‘Use Windows Hello for Business’ policy
  2. Tick the option ‘Do not start Windows Hello provisioning after sign-in’
  3. Users will then need to click the Windows Security icon to register

Applies To : Windows 10


When I first looked at Windows Hello for Business at launch, I was impressed by it but also concerned. Turning the option on would prompt all users or devices that had the policy on, strongly encouraging them to go through the Windows Hello for Business setup with their fingerprint/face recognition and PIN.

To roll out Windows Hello for Business, follow Microsoft’s documentation which is quite detailed due to the complexities of scenarios and requirements; such as Single-Sign On, MFA of some sort and Public Key Infrastructure.

It was a bit intrusive to have this almost forced registration process, as a user might not be in a position to go through the setup and be trying to do something urgent first thing in the morning, but even more of a concern was the style of the userbase I support: anyone expects to be able to log onto any computer anywhere. Windows Hello for Business doesn’t follow the user around, for good reason (you’re tying the things you have to a single device), so each new device will go through the prompts.

I also had concerns around desktop users who didn’t have any other method of authentication beyond the PIN, and the perception that a PIN is less secure than a password (again, the PIN is tied to a single device, while the password can be used to log onto any device).

Thankfully, a new option turned up in Group Policy under the ‘Use Windows Hello for Business’ policy, located under both the Computer and User areas at Policies > Administrative Templates > Windows Components > Windows Hello for Business: the tickbox ‘Do not start Windows Hello provisioning after sign-in’. (To be fair, this has now been there for a while and I just wasn’t aware):

This will instead provide a little warning in Windows Security under Account Protection, saying Windows Hello isn’t set up. It doesn’t pop up and alert this, but instead shows a yellow exclamation mark against the shield icon in the taskbar. A user can then click through this at their leisure and set up Windows Hello for Business.
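For testing the optional rollout on a lab machine without a domain or Intune, here is an added example (not from the original post or Microsoft’s documentation) that writes the two registry values behind the policy and reads back which mode the device is in. The key path and value names (Enabled and DisablePostLogonProvisioning under HKLM\SOFTWARE\Policies\Microsoft\PassportForWork) are my understanding of what the Windows Hello for Business ADMX writes; confirm them against a device that received the real GPO (gpresult /h) before using this anywhere other than a test box.

```powershell
# Added example: set and verify the 'optional' Windows Hello for Business rollout state.
# Run elevated on a test device. Registry names are assumptions about the GPO backing values.

$WhfbKey = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'

function Set-WhfbOptionalRollout {
    if (-not (Test-Path $WhfbKey)) { New-Item -Path $WhfbKey -Force | Out-Null }
    # Enabled = 1                      -> 'Use Windows Hello for Business': Enabled
    # DisablePostLogonProvisioning = 1 -> no prompt after sign-in; user enrols from Windows Security
    New-ItemProperty -Path $WhfbKey -Name 'Enabled' -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $WhfbKey -Name 'DisablePostLogonProvisioning' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-WhfbRolloutState {
    $p = if (Test-Path $WhfbKey) { Get-ItemProperty -Path $WhfbKey } else { $null }
    $enabled  = if ($p) { [int]$p.Enabled } else { 0 }                        # missing value casts to 0
    $noPrompt = if ($p) { [int]$p.DisablePostLogonProvisioning } else { 0 }
    [pscustomobject]@{
        HelloEnabled   = ($enabled -eq 1)
        PromptAtSignIn = ($enabled -eq 1 -and $noPrompt -ne 1)
        Mode           = if ($enabled -ne 1) { 'Not configured / off' }
                         elseif ($noPrompt -eq 1) { 'Optional (user-initiated from Windows Security)' }
                         else { 'Forced (provisioning prompt after sign-in)' }
    }
}

Set-WhfbOptionalRollout
Get-WhfbRolloutState
# dsregcmd /status   shows whether the device itself meets the join/NGC prerequisites to enrol
```

Whether the user can actually complete enrolment still depends on the prerequisites in Microsoft’s documentation (device join state, MFA, PKI for hybrid); this only controls whether they are prompted.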

To me, this is a great way of allowing all staff the chance to set it up when they’re ready to do so, and in a staggered fashion without really having to manage it. Each business is different of course, and some will prefer or require the heavy handed approach of Windows Hello for Business on all devices – but I’m glad this more relaxed option exists.

Note that Windows Hello for Business is supported on both Azure AD joined and hybrid Azure AD joined devices. For further info, read Microsoft’s documentation: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-identity-verification

Cyber Security Essential Eight and Microsoft

I wrote a 2 part piece on Australia’s Cyber Security Essential Eight and Microsoft over at 24x7ITConnection. Here’s Part 1 and Part 2, where I covered what the Essential Eight are, why they’re a risk, and where Microsoft can help in both a on-premises sense as well as cloud.

I don’t normally cross post from here what I write on other areas, but I put a fair bit of effort into writing this up, and thought it was worth resharing. Regardless if you’re Australian or not, our government actually has practical recommendations on what you should be looking at to harden your IT environment.

If you haven’t looked at these before, see how many of the eight you can tick off. If you can’t tick all eight, then I encourage you to work towards those gaps. Here’s what the eight areas are:

Application whitelisting

Patching applications

Office macros

Harden user applications

Restricting administrative privilege

Patching operating systems

Multi-factor authentication

Backup daily

All pretty obvious, but getting these perfect is still a very big undertaking. We’re seeing more and more security breaches in all different ways, so please don’t think of these items as ‘something to worry about later’!