Gandalf_The_Grey

Everyone on Windows 10 Pro with 8 GB RAM and higher has easy access to VM-sandboxed Edge using Application Guard (link). I think it was @harlan4096 who made a nice setup guide (which I followed, forgot the link). The only thing I did was enable keeping data (persistent between sessions) in Group Policy. I also have three profiles:
1. Strict (the Ninja icon) - with most settings maxed out for security (nearly all site permissions on block except content-related permissions) with uBlock Origin and Blank New Tab as extensions
2. Default (Panda icon) - with everything on default, without extensions
3. Sandbox (Cactus icon) - same settings as Strict, only this one runs in the VM sandbox of Application Guard
You don't have to use group policy for enabling keeping data with Edge Application Guard. Settings are available in Windows security:

Amahl Farouk

Everyone on Windows 10 Pro with 8 GB RAM and higher has easy access to VM-sandboxed Edge using Application Guard (link). I think it was @harlan4096 who made a nice setup guide (which I followed, forgot the link). The only thing I did was enable keeping data (persistent between sessions) in Group Policy. I also have three profiles:
1. Strict (the Ninja icon) - with most settings maxed out for security (nearly all site permissions on block except content-related permissions) with uBlock Origin and Blank New Tab as extensions
2. Default (Panda icon) - with everything on default, without extensions
3. Sandbox (Cactus icon) - same settings as Strict, only this one runs in the VM sandbox of Application Guard
I really like the idea of Edge WDAG, but I have several issues with it that make me doubt its usefulness outside of an Enterprise-managed environment.

The idea of a completely disposable sandbox for more secure browsing is great, however, from what I can tell the sandbox only gets completely flushed on system restart.

Extensions don't persist, so you have to rely on group policy to install them at each recreation of the sandbox, or just go naked with pretty much the "Strict" security settings on Edge and hope for the best.

Windows 10 Pro users don't have the Managed policy option which would make the separation between the secure and insecure environment less tedious...so phishing and other crappy links will still open in your non-WDAG version of Edge by default. You can set some policies up so that when you are in WDAG and navigate to a whitelisted website, it will open in your non-WDAG Edge, but not the reverse...which makes it pretty useless for me.

P.S. Of course, enabling HW acceleration or data persistence opens you up to a whole new level of insecurity so that's a no-go for me. The most painful being software acceleration which makes websites feel sluggish at best.
ForgottenSeer 85179

@Amahl Farouk
WDAG isn't designed for extensions and you can block stuff over DNS anyway.

I also wouldn't shop in WDAG; for that I use my Banking profile in normal Edge.
The most powerful feature is a very secure environment without leaving any traces and a completely stock Edge. That's the reason WDAG is recommended for visiting insecure & untrusted sites ;)

Lenny_Fox

From what I can tell the sandbox only gets completely flushed on system restart.

Extensions don't persist, so you have to rely on group policy to install them at each recreation of the sandbox, or just go naked with pretty much the "Strict" security settings on Edge and hope for the best.
See GPO documentation link: with allow persistence enabled, you can use WDAG-Edge like a normal profile because all data persists (settings, extensions, etc.).


HarborFront

What happens to the different profiles if the browser gets corrupted and cannot open? Wouldn't having different browsers for different uses be better?

Not putting all the eggs in the same basket is safer.
ForgottenSeer 85179

What happens to the different profiles if the browser gets corrupted and cannot open? Wouldn't having different browsers for different uses be better?

Not putting all the eggs in the same basket is safer.
Your files are safe as profiles use their own subfolders.
Different browsers increase attack surface and maintenance.

Amahl Farouk

See GPO documentation link: with allow persistence enabled, you can use WDAG-Edge like a normal profile because all data persists (settings, extensions, etc.).

Yes, but I just want persistence for my extensions, not for user data in general (cache, cookies, etc.). As I said, if I enable this group policy it makes the whole auto-purging sandbox thing useless, as malware could persist until I manually flush via PowerShell. :unsure:

Lenny_Fox

Yes, but I just want persistence for my extensions, not for user data in general (cache, cookies, etc.). As I said, if I enable this group policy it makes the whole auto-purging sandbox thing useless, as malware could persist until I manually flush via PowerShell. :unsure:
The sandbox is separated from the real system in a VM, including the data on your disk. Edge has an option to auto-delete all browsing session data (including cache, cookies, etc.), so session data is flushed every time you close Edge, while your settings and extensions persist over sessions and reboots. The Application Guard window only 'sees' the OS drive (C in my case). It can't even read from other data partitions (in my case F for office files, M for media files, R for reserve (image and office file data backup)).

Better read the documentation.

Lenny_Fox

What happens to the different profiles if the browser gets corrupted and cannot open? Wouldn't having different browsers for different uses be better?

Not putting all the eggs in the same basket is safer.
You are confusing Edge with Firefox. Chromium-based browsers (except Opera) have a much lower profile corruption frequency than Firefox :) So yes, when your primary browser is Firefox or Opera it is better to have a second browser. To be fair, a second browser is always more reliable than two profiles in the same browser: simply because they don't share program code, the chance of corrupting them both at the same time is near zero.

ForgottenSeer 85179

It's time for a big update! (the first one this year)

Why?
  • easier
  • better hiding in the masses - keyword fingerprinting

What's new?
  • data is no longer deleted when Edge is terminated
  • extensions are no longer used by default. NextDNS is recommended as "blocker"
  • fewer changes under "website permissions"
  • "flags" are no longer used
  • the privacy slider in Edge goes back to default for "Default" & "Banking" - at the same time "Strict" is enforced for InPrivate windows
  • the use of encrypted DNS is recommended
  • under "Settings - default browser" the option "Allow websites to reload in Internet Explorer mode" is disabled
  • under "Privacy, search and services" the option "allow websites to check if you have saved payment methods" is disabled
  • under "Profiles - Passwords" the option "show warnings when passwords are found in an online data leak" is enabled

What remains the same?
  • block third party cookies in Edge settings
  • block payment provider in Edge settings
  • DNT header in Edge settings
  • in Edge permissions -> JavaScript: enable + add http://* to block list
  • in Edge permissions -> Popups and redirection add http://* to block list
  • no website navigation error help in Edge settings
  • PUP & SmartScreen enabled in Edge settings


Result in comparison to Edge's default settings:
- block payment provider in Edge settings
- block third party cookies in Edge settings
- DNT header in Edge settings
- in Edge permissions -> JavaScript: enable + add http://* to block list
- in Edge permissions -> Popups and redirection add http://* to block list
- NextDNS is recommended as "blocker" in encrypted DNS settings
- no website navigation error help in Edge settings
- PUP & SmartScreen enabled in Edge settings
- "Strict" Tracking protection is enforced for InPrivate windows
- under "Privacy, search and services" the option "allow websites to check if you have saved payment methods" is disabled
- under "Profiles - Passwords" the option "show warnings when passwords are found in an online data leak" is enabled
- under "Settings - default browser" the option "Allow websites to reload in Internet Explorer mode" is disabled
- block third party cookies in Edge settings
- DNT header in Edge settings
- in Edge permissions -> JavaScript: enable + add http://* to block list
- in Edge permissions -> Popups and redirection add http://* to block list
- NextDNS is recommended as "blocker" in encrypted DNS settings
- no website navigation error help in Edge settings
- PUP & SmartScreen enabled in Edge settings
- "Strict" Tracking protection is enforced for InPrivate windows
- under "Profiles - Passwords" the option "show warnings when passwords are found in an online data leak" is enabled
- under "Settings - default browser" the option "Allow websites to reload in Internet Explorer mode" is disabled
- block payment provider in Edge settings
- block third party cookies in Edge settings
- DNT header in Edge settings
- no website navigation error help in Edge settings
- PUP & SmartScreen enabled in Edge settings
- Strict Privacy in Edge settings
- under "Privacy, search and services" the option "allow websites to check if you have saved payment methods" is disabled
- under "Settings - default browser" the option "Allow websites to reload in Internet Explorer mode" is disabled

Happy browsing 🍻
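The settings listed in this post, together with the Application Guard persistence policy argued about earlier in the thread, are all things that can either be set per user in the Edge UI or enforced machine-wide by policy. The PowerShell below is an added, read-only audit that reports which of them are actually enforced through the policy registry hives; it is not part of the thread or of any poster's setup. The value names are the Edge and Application Guard policy names as I know them, but the mapping from the thread's UI wording to those names is my own assumption, as is the choice of `secure` for the DNS-over-HTTPS mode, so confirm each against the Microsoft Edge policy reference before relying on the result.

```powershell
# Added example (not from the thread): audit which Edge / Application Guard settings discussed
# above are enforced by machine policy. Reads HKLM policy keys only; no admin rights needed.
# ASSUMPTION: the mapping from the thread's UI labels to these policy value names is the
# editor's own and should be checked against the Edge policy documentation.

$EdgePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$WdagPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI'

# Scalar policies: thread label, value name, and the value matching the thread's advice.
$ScalarChecks = @(
    @{ Label = 'Block third-party cookies';              Key = $EdgePolicyKey; Name = 'BlockThirdPartyCookies';    Expect = 1 }
    @{ Label = 'Send Do Not Track header';               Key = $EdgePolicyKey; Name = 'ConfigureDoNotTrack';       Expect = 1 }
    @{ Label = 'SmartScreen';                            Key = $EdgePolicyKey; Name = 'SmartScreenEnabled';        Expect = 1 }
    @{ Label = 'SmartScreen PUA blocking';               Key = $EdgePolicyKey; Name = 'SmartScreenPuaEnabled';     Expect = 1 }
    @{ Label = 'Saved-payment-method check disabled';    Key = $EdgePolicyKey; Name = 'PaymentMethodQueryEnabled'; Expect = 0 }
    @{ Label = 'Password leak warnings';                 Key = $EdgePolicyKey; Name = 'PasswordMonitorAllowed';    Expect = 1 }
    @{ Label = 'Reload in IE mode disabled';             Key = $EdgePolicyKey; Name = 'InternetExplorerIntegrationReloadInIEModeAllowed'; Expect = 0 }
    @{ Label = 'Encrypted DNS (DoH) enforced';           Key = $EdgePolicyKey; Name = 'DnsOverHttpsMode';          Expect = 'secure' }  # assumed value
    @{ Label = 'Clear browsing data on close';           Key = $EdgePolicyKey; Name = 'ClearBrowsingDataOnExit';   Expect = 1 }
    @{ Label = 'Application Guard data persistence off'; Key = $WdagPolicyKey; Name = 'AllowPersistence';          Expect = 0 }
)

# List policies: every URL pattern is stored as a numbered string value under a subkey.
$ListChecks = @(
    @{ Label = 'JavaScript blocked for http://*'; Key = "$EdgePolicyKey\JavaScriptBlockedForUrls"; Pattern = 'http://*' }
    @{ Label = 'Popups blocked for http://*';     Key = "$EdgePolicyKey\PopupsBlockedForUrls";     Pattern = 'http://*' }
)

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    # $null means the key or value is absent, i.e. the setting is not policy-managed.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-PolicyListValues {
    param([string]$Key)
    $regKey = Get-Item -Path $Key -ErrorAction SilentlyContinue
    if ($null -eq $regKey) { return @() }
    return @($regKey.GetValueNames() | ForEach-Object { $regKey.GetValue($_) })
}

function Test-EdgeHardeningPolicy {
    # Enforced  : policy present with the expected value
    # Mismatch  : policy present but set differently (e.g. AllowPersistence = 1)
    # NotManaged: no policy; the setting is whatever the user chose in the Edge UI
    $results = foreach ($c in $ScalarChecks) {
        $actual = Get-PolicyValue -Key $c.Key -Name $c.Name
        $status = if ($null -eq $actual) { 'NotManaged' }
                  elseif ("$actual" -eq "$($c.Expect)") { 'Enforced' }
                  else { 'Mismatch' }
        [pscustomobject]@{ Setting = $c.Label; Policy = $c.Name; Expected = $c.Expect; Actual = $actual; Status = $status }
    }
    $results += foreach ($c in $ListChecks) {
        $values = Get-PolicyListValues -Key $c.Key
        $status = if ($values.Count -eq 0) { 'NotManaged' }
                  elseif ($values -contains $c.Pattern) { 'Enforced' }
                  else { 'Mismatch' }
        [pscustomobject]@{ Setting = $c.Label; Policy = ($c.Key -split '\\')[-1]; Expected = $c.Pattern; Actual = ($values -join ', '); Status = $status }
    }
    return $results
}

Test-EdgeHardeningPolicy | Format-Table -AutoSize
```

A `NotManaged` row does not mean the setting is off; it means the value lives in the user's profile (Edge's Preferences file) rather than in policy, so the user can change it back at any time, which is exactly the difference between the per-profile setup described in this thread and an enforced configuration. The `AllowPersistence` row is the one Amahl Farouk and Lenny_Fox disagree about: `Mismatch` with `Actual = 1` means the Application Guard container keeps its data across sessions until it is reset by hand.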