Advice Request What are your Site Permission settings for daily browsing?

Please provide comments and solutions that are helpful to the author of this topic.

Lenny_Fox

Level 22
Thread author
Verified
Top Poster
Well-known
Oct 1, 2019
1,120
I have set Edge to delete all browsing data except site permissions when exiting/closing the browser

Site permission for daily browsing

Cookies and site data = allowed
Location = ask
Camera = ask
Microphone = ask
Motion or light sensors = blocked
Notifications = ask plus quiet notifications enabled
Javascript = allowed (with block rule for HTTP://*)
Images = show all
Pop-ups and redirects = block
Ads = block
Background sync =don't allow ... (block)
Automatic download = ask
Handlers = block
MIDI devices = block
Zoomlevels = ...
USB devices = block
Serial ports = block
File editing = block
Handlers = don't allow ... (block)
PDF-documents = disabled always download (show in browser)
Protected content = allow 2x
Clipboard = disable (block)
Payment handlers = don't allow ... (block)
Media autoplay = allow
Insecure content = default (blocked on secure websites)
Virtual reality = don't allow ... (block)
Augmented reality = (
defeault (do not allow ...)
Application links = default (allow)

What do you sue for daily browsing?
 
Last edited:

Lenny_Fox

Level 22
Thread author
Verified
Top Poster
Well-known
Oct 1, 2019
1,120
Very similar to yours, Lenny_Fox, execpt that I do allow pdf in Edge and block camera and microphone.

It's a nice balance between secure and useability.
I have only enabled MicrosoftTeams access to Camera and Microphone, so I will change those two to block also (and keep teams meeting on the allow list)

I have changed the wording of my PDF setting, because I had disabled "Always download PDF" in Edge, so PDF's are displayed in the browser.

Thx for your input (y)
 
Last edited:
F

ForgottenSeer 97327

I have two profiles a 'default' profile and a 'secure' profile.

The profile setting of Edge has a "profile preference" option which has an option to enable 'automatic profile switching' and choose a default profile for external links. This is where I have chosen the 'secure' profile. This 'secure' profile also has all other Edge security options enabled. I use the the 'default' profile for daily browsing.

This is a simple set and forget hardening using the build-in option of Chromium 'based browsers. I thought to share it with you and I am also interested in what site permission forum members have set. Therefore I have three questions:

1. What profile do you use for daily browsing?
2. Do you use a 'hardened' more secure profile (e.g. for external links or risky browsing)?
3. If so: could you post your tweaks? (see mine below)


______________________________________________
My 'secure' profile site permissions
Cookies: allow for session (delete at browser close)
Location:blocked
Camera: blocked
Microphone: blocked
Sensors: blocked
Notifications: ask + reduced
Javascript: default (allowed)
Images: default (show all)
Popups: blocked
Ads: blocked
Sync: don't allow
Downloads: Ask (for multiple)
Protocal handlers: disabled
MDI devices: don't allow
Zoom levels: default (100%)
USB devices: don't allow
Serial ports: don't allow
File editing: don't allow
PDF docs: always download (I am using Perfect PDF Reader app which runs in AppContainer)
Pic in pic: default (show)
Content IDs: default (show)
Clipboard: don't allow
Payment handlers: don't allow
Autoplay: Limit
Insecure Content: default (block)
Virtual Reality: don't allow
Augmented reality: don't allow
Application links: default (automatic)
 
Last edited by a moderator:
  • Like
Reactions: Jan Willy

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,393
  • Like
Reactions: TairikuOkami
F

ForgottenSeer 97327

@Ink, sorry was not aware that this was discussed before :oops:

@plat and @Lenny_Fox do you still use this more secure/hardened site permission for daily browsing? Did you experience any problems (like website breakage)?

Using a more secure setting for daily is appealing to me. :) Because I have such a locked security setup, the idea of changing my default profile with your tips and use it for daily browsing is suddenly a new and appealing option to me (when you did not encounter problems since July 2021, it is most likely a problem free hardening option).
 

Jan Willy

Level 11
Verified
Top Poster
Well-known
Jul 5, 2019
537
I have two profiles a 'default' profile and a 'secure' profile.
There's a separate (till now small) thread about browser profiles:
 
F

ForgottenSeer 97327

@Jan Willy I am tempted by the post of @plat and @Lenny_Fox who use a more secure profile for daily browsing. I have only specified a secure profile for external links. I read that you have an extra secured mode for banking. To be honest I had not thought about that, but it makes sense to further strenghten the browser settings when doing online banking,

On top of that Avast has a fork of Chromium directed to safe shopping. II forgot the company but Dutch ING bank offered in the past a software program to harden the browser for online banking. These examples proof your idea makes sense, hence my request, would you @Jan Willy please share your site permissions settings for safe online banking?
 

Jan Willy

Level 11
Verified
Top Poster
Well-known
Jul 5, 2019
537
would you @Jan Willy please share your site permissions settings for safe online banking?

Perhaps it will surprise you, but on that point I keep using the default settings. In my banking / shopping profile I visit only few trusted sites. From those sites I don't expect malicious behavior. For me it's important that sites don't break (for random browsing in my other profile is breakage not so relevant). The other measures did I mention in the other thread.
 
Last edited:

Jan Willy

Level 11
Verified
Top Poster
Well-known
Jul 5, 2019
537
Inspired by Lenny_Fox I've changed next settings in my random browsing profile. Although I'm not sure about the risk level of each item.
Protocolhandlers = block
MIDI devices = block
USB devices = block
Serial ports = block
File editing = block
PDF-documents = disabled always download (show in browser)
Clipboard = disable (block)
Payment handlers = block
Virtual reality = block
Augmented reality = block

Edit: Also very interesting (from Kees1958): Updates Thread - Microsoft Edge Stable (Chromium) Now Available for Download
 
Last edited:

oldschool

Level 80
Verified
Top Poster
Well-known
Mar 29, 2018
6,973
Inspired by Lenny_Fox I've changed next settings in my random browsing profile. Although I'm not sure about the risk level of each item.
Protocolhandlers = block
MIDI devices = block
USB devices = block
Serial ports = block
File editing = block
PDF-documents = disabled always download (show in browser)
Clipboard = disable (block)
Payment handlers = block
Virtual reality = block
Augmented reality = block

Edit: Also very interesting (from Kees1958): Updates Thread - Microsoft Edge Stable (Chromium) Now Available for Download
@Jan Willy thanks for the info and the interesting link. When you have not run into problems for so long, those tweaks are safe to use for general browsing. I will change them in my default profile also.
I've used these on all chromium browsers for quite some time.
 

TairikuOkami

Level 35
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,437
1. What profile do you use for daily browsing?
Just one, other profiles and guest blocked. I use different browsers for different purposes: Brave for Youtube/Google, LibreWolf for Facebook, TOR.
2. Do you use a 'hardened' more secure profile (e.g. for external links or risky browsing)?
Yes, strict only, tracking prevention disabled for privacy reasons. NextDNS only for anti-tracking/malware.
3. If so: could you post your tweaks?
Cookie AutoDelete (cleans cache, cookies, indexedDB, localstorage, plugindata, service workers)
Cookie Dialog Monster (Helps you to remove those irritating cookie consent dialogs automatically)
Microsoft Outlook (Windows notifications, read or delete emails without opening Outlook)
NX Enhanced (adds quality-of-life features to NextDNS website for a more practical usability)
Selection Search (use the right-click menu to search for selected text in any search engines)
rem Disabled #edge-haptics-api
rem Disabled #edge-launch-timings
rem Disabled #edge-omnibox-ui-hide-steady-state-url-scheme
rem Disabled #edge-omnibox-ui-hide-steady-state-url-trivial-subdomains
rem Disabled #edge-share-menu
rem Disabled #edge-show-feature-recommendations
rem Disabled #edge-toast-winrt
rem Disabled #enable-first-party-sets
rem Disabled #enable-quic
rem Disabled #edge-prenav
rem Disabled #file-handling-api
rem Disabled #storage-access-api
rem Disabled #tab-hover-card-images
rem Enabled #block-insecure-private-network-requests
rem Enabled #disallow-doc-written-script-loads
rem Enabled #dns-https-svcb
rem Enabled #edge-automatic-https
rem Enabled #edge-autoplay-user-setting-block-option
rem Enabled #edge-reduce-user-agent-minor-version
rem Enabled #edge-overlay-scrollbars-win-style
rem Enabled #edge-visual-rejuv-materials-menu
rem Enabled #partitioned-cookies
rem Enabled #post-quantum-cecpq2
rem Enabled #strict-origin-isolation
rem =================================== Windows Policies ===================================
rem ------------------------------------ Microsoft Edge ------------------------------------

rem Microsoft Edge release notes for Stable Channel
rem Microsoft Edge Browser Policy Documentation
rem Download Microsoft Security Compliance Toolkit 1.0 from Official Microsoft Download Center
rem rem Microsoft Edge for Business Group Policy Administrative Templates
rem edge://policy

rem reg delete "HKCU\Software\Policies\Microsoft\Edge" /f
rem reg delete "HKLM\Software\Policies\Microsoft\Edge" /f

rem ________________________________________________________________________________________
rem 1 - Allow users to access the games menu
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "AllowGamesMenu" /t REG_DWORD /d "0" /f

rem 1 - AllowJavaScriptJit / 2 - BlockJavaScriptJit (Do not allow any site to run JavaScript JIT)
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "DefaultJavaScriptJitSetting" /t REG_DWORD /d "0" /f

rem 1 - Allow users to open files using the DirectInvoke protocol
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "DirectInvokeEnabled" /t REG_DWORD /d "0" /f

rem 1 - Disable taking screenshots
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "DisableScreenshots" /t REG_DWORD /d "1" /f

rem 1 - DNS interception checks enabled
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "DNSInterceptionChecksEnabled" /t REG_DWORD /d "0" /f

rem 1 - Drop lets users send messages or files to themselves
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "EdgeEDropEnabled" /t REG_DWORD /d "0" /f

rem 1 - Microsoft Edge can automatically enhance images to show you sharper images with better color, lighting, and contrast
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "EdgeEnhanceImagesEnabled" /t REG_DWORD /d "0" /f

rem 1 - Allows the Microsoft Edge browser to enable Follow service and apply it to users
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "EdgeFollowEnabled" /t REG_DWORD /d "0" /f

rem 1 - Allow Google Cast to connect to Cast devices on all IP addresses (Multicast), Edge trying to connect to 239.255.255.250 via UDP port 1900
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "EnableMediaRouter" /t REG_DWORD /d "0" /f

rem The Experimentation and Configuration Service is used to deploy Experimentation and Configuration payloads to the client / 0 - RestrictedMode / 1 - ConfigurationsOnlyMode / 2 - FullMode
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "ExperimentationAndConfigurationServiceControl" /t REG_DWORD /d "0" /f

rem 1 - Allows Microsoft Edge to prompt the user to switch to the appropriate profile when Microsoft Edge detects that a link is a personal or work link
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "GuidedSwitchEnabled" /t REG_DWORD /d "0" /f

rem 1 - Hide restore pages dialog after browser crash
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "HideRestoreDialogEnabled" /t REG_DWORD /d "1" /f

rem 1 - Show Hubs Sidebar
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "HubsSidebarEnabled" /t REG_DWORD /d "0" /f

rem 1 - Show Hubs Sidebar
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "HubsSidebarEnabled" /t REG_DWORD /d "0" /f

rem 1 - Enable Grammar Tools feature within Immersive Reader
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "ImmersiveReaderGrammarToolsEnabled" /t REG_DWORD /d "0" /f

rem 1 - Enable Picture Dictionary feature within Immersive Reader
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "ImmersiveReaderPictureDictionaryEnabled" /t REG_DWORD /d "0" /f

rem 1 - Allow sites to be reloaded in Internet Explorer mode (IE mode)
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "InternetExplorerIntegrationReloadInIEModeAllowed" /t REG_DWORD /d "0" /f

rem 1 - Shows content promoting the Microsoft Edge Insider channels on the About Microsoft Edge settings page
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "MicrosoftEdgeInsiderPromotionEnabled" /t REG_DWORD /d "0" /f

rem 1 - Allow QUIC protocol
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "QuicAllowed" /t REG_DWORD /d "0" /f

rem 1 - Configure Related Matches in Find on Page, the results are processed in a cloud service
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "RelatedMatchesCloudServiceEnabled" /t REG_DWORD /d "0" /f

rem 1 - Allow remote debugging
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "RemoteDebuggingAllowed" /t REG_DWORD /d "0" /f

rem 1 - Launches Renderer processes into an App Container for additional security benefits
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "RendererAppContainerEnabled" /t REG_DWORD /d "1" /f

rem 0 - Enable search in sidebar / 1 - DisableSearchInSidebarForKidsMode / 2 - DisableSearchInSidebar
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "SearchInSidebarEnabled" /t REG_DWORD /d "2" /f

rem 1 - Allow screen capture
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "ScreenCaptureAllowed" /t REG_DWORD /d "0" /f

rem 1 - Allow notifications to set Microsoft Edge as default PDF reader
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "ShowPDFDefaultRecommendationsEnabled" /t REG_DWORD /d "0" /f

rem 1 - Allow Speech Recognition
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "SpeechRecognitionEnabled" /t REG_DWORD /d "0" /f

rem 1 - Allow video capture
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "VideoCaptureAllowed" /t REG_DWORD /d "0" /f

rem 1 - Allow Microsoft Edge Workspaces
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "EdgeWorkspacesEnabled" /t REG_DWORD /d "0" /f

rem 1 - DNS-based WPAD optimization (Web Proxy Auto-Discovery)
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "WPADQuickCheckEnabled" /t REG_DWORD /d "0" /f

rem 0 - Prevent Desktop Shortcut creation upon install default
reg add "HKLM\Software\Policies\Microsoft\EdgeUpdate" /v "CreateDesktopShortcutDefault" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Policies\Microsoft\EdgeUpdate" /v "CreateDesktopShortcut{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Policies\Microsoft\EdgeUpdate" /v "RemoveDesktopShortcutDefault" /t REG_DWORD /d "1" /f


rem =================================== Windows Policies ===================================
rem ------------------------------------ Microsoft Edge ------------------------------------
rem ..................................... Appearances ......................................

rem 0 - Show share button
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "ConfigureShare" /t REG_DWORD /d "1" /f

rem 1 - Show Collections button
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "EdgeCollectionsEnabled" /t REG_DWORD /d "0" /f

rem 1 - Show favorites bar
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "FavoritesBarEnabled" /t REG_DWORD /d "1" /f

rem 1 - Show Math Solver button
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "MathSolverEnabled" /t REG_DWORD /d "0" /f

rem 1 - The performance detector detects tab performance issues and recommends actions to fix the performance issues
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "PerformanceDetectorEnabled" /t REG_DWORD /d "0" /f

rem 1 - Show mini menu when selecting text
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "QuickSearchShowMiniMenu" /t REG_DWORD /d "0" /f

rem 1 - Show home button
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "ShowHomeButton" /t REG_DWORD /d "0" /f

rem 1 - Show feedback button
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "UserFeedbackAllowed" /t REG_DWORD /d "0" /f

rem 1 - Show tab actions menu (Show vertical tabs)
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "VerticalTabsAllowed" /t REG_DWORD /d "0" /f

rem 1 - Show web capture button
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "WebCaptureEnabled" /t REG_DWORD /d "0" /f

rem 1 - Show web select button
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "WebSelectEnabled" /t REG_DWORD /d "0" /f

rem ________________________________________________________________________________________
rem 1 - Enables background updates to the list of available templates for Collections and other features that use templates
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "BackgroundTemplateListUpdatesEnabled" /t REG_DWORD /d "0" /f

rem 1 - Allow the Edge bar
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "WebWidgetAllowed" /t REG_DWORD /d "0" /f

rem 1 - Allow the Edge bar at Windows startup
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "WebWidgetIsEnabledOnStartup" /t REG_DWORD /d "0" /f


rem =================================== Windows Policies ===================================
rem ------------------------------------ Microsoft Edge ------------------------------------
rem .............................. Cookies and site permissions ............................

rem PDF Documents
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "AlwaysOpenPdfExternally" /t REG_DWORD /d "1" /f

rem Ads setting for sites with intrusive ads / 1 - Allow ads on all sites / 2 - Block ads on sites with intrusive ads. (Default value)
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "AdsSettingForIntrusiveAdsSites" /t REG_DWORD /d "1" /f

rem Clipboard / 2 - BlockClipboard / 3 - AskClipboard
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "DefaultClipboardSetting" /t REG_DWORD /d "2" /f

rem File Editing / 2 - BlockFileSystemRead / 3 - AskFileSystemRead
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "DefaultFileSystemReadGuardSetting" /t REG_DWORD /d "2" /f

rem File Editing / 2 - BlockFileSystemWrite / 3 - AskFileSystemWrite
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "DefaultFileSystemWriteGuardSetting" /t REG_DWORD /d "2" /f

rem Location / 1 - AllowGeolocation / 2 - BlockGeolocation / 3 - AskGeolocation
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "DefaultGeolocationSetting" /t REG_DWORD /d "2" /f

rem Insecure Content / 2 - BlockInsecureContent / 3 - AllowExceptionsInsecureContent
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "DefaultInsecureContentSetting" /t REG_DWORD /d "2" /f

rem Notifications / 1 - AllowNotifications / 2 - BlockNotifications / 3 - AskNotifications
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "DefaultNotificationsSetting" /t REG_DWORD /d "2" /f

rem Motion or light sensors / 1 - AllowSensors / 2 - BlockSensors
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "DefaultSensorsSetting" /t REG_DWORD /d "2" /f

rem Serial ports / 2 - BlockSerial / 3 - AskSerial
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "DefaultSerialGuardSetting" /t REG_DWORD /d "2" /f

rem USB Devices / 2 - BlockWebUsb / 3 - AskWebUsb
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "DefaultWebUsbGuardSetting" /t REG_DWORD /d "2" /f

rem ________________________________________________________________________________________
rem 1 - Allow audio capture
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "AudioCaptureAllowed" /t REG_DWORD /d "0" /f

rem Bluetooth / 2 - BlockWebBluetooth / 3 - AskWebBluetooth
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "DefaultWebBluetoothGuardSetting" /t REG_DWORD /d "2" /f

rem Access to HID devices via the WebHID API / 2 - BlockWebHid / 3 - AskWebHid
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "DefaultWebHidGuardSetting" /t REG_DWORD /d "2" /f


rem =================================== Windows Policies ===================================
rem ------------------------------------ Microsoft Edge ------------------------------------
rem ...................................... Downloads .......................................

rem Set download directory
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "DownloadDirectory" /t REG_SZ /d "Z:\Desktop" /f

rem 1 - Ask me what to do with each download (Ignored when download directory is set)
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "PromptForDownloadLocation" /t REG_DWORD /d "1" /f

rem 1 - Open Office files in the browser
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "QuickViewOfficeFilesEnabled" /t REG_DWORD /d "0" /f


rem =================================== Windows Policies ===================================
rem ------------------------------------ Microsoft Edge ------------------------------------
rem ..................................... Extensions .......................................

rem 1 - Allow extensions from other stores
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "ControlDefaultStateOfAllowExtensionFromOtherStoresSettingEnabled" /t REG_DWORD /d "0" /f

rem 1 - DeveloperToolsAllowed / 2 - DeveloperToolsDisallowed (Don't allow using the developer tools)
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "DeveloperToolsAvailability" /t REG_DWORD /d "2" /f

rem ________________________________________________________________________________________
rem 1 - Blocks external extensions from being installed
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "BlockExternalExtensions" /t REG_DWORD /d "1" /f


rem =================================== Windows Policies ===================================
rem ------------------------------------ Microsoft Edge ------------------------------------
rem ...................................... Languages .......................................

rem 1 - Enable spellcheck
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "SpellcheckEnabled" /t REG_DWORD /d "0" /f

rem 1 - Offer to translate pages that aren't in a language I read
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "TranslateEnabled" /t REG_DWORD /d "0" /f

rem ________________________________________________________________________________________
rem 1 - The Microsoft Editor service provides enhanced spell and grammar checking for editable text fields on web pages
rem Google, Microsoft can get your passwords via web browser's spellcheck
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "MicrosoftEditorProofingEnabled" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "MicrosoftEditorSynonymsEnabled" /t REG_DWORD /d "0" /f

rem =================================== Windows Policies ===================================
rem ------------------------------------ Microsoft Edge ------------------------------------
rem ..................................... New tab page .....................................

rem Page Layout / 1 - DisableImageOfTheDay / 2 - DisableCustomImage / 3 - DisableAll
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "NewTabPageAllowedBackgroundTypes" /t REG_DWORD /d "1" /f

rem 1 - Allow Microsoft News content on the new tab page
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "NewTabPageContentEnabled" /t REG_DWORD /d "0" /f

rem 1 - Preload the new tab page for a faster experience
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "NewTabPagePrerenderEnabled" /t REG_DWORD /d "0" /f

rem ________________________________________________________________________________________
rem 1 - Hide the default top sites from the new tab page
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "NewTabPageHideDefaultTopSites" /t REG_DWORD /d "1" /f

rem 1 - Allow quick links on the new tab page
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "NewTabPageQuickLinksEnabled" /t REG_DWORD /d "0" /f


rem =================================== Windows Policies ===================================
rem ------------------------------------ Microsoft Edge ------------------------------------
rem ....................................... Personal .......................................

rem 1 - Add profile
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "BrowserAddProfileEnabled" /t REG_DWORD /d "0" /f

rem 1 - Browse as guest
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "BrowserGuestModeEnabled" /t REG_DWORD /d "0" /f

rem 1 - Allow users to configure Family safety and Kids Mode
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "FamilySafetySettingsEnabled" /t REG_DWORD /d "0" /f


rem =================================== Windows Policies ===================================
rem ------------------------------------ Microsoft Edge ------------------------------------
rem ............................ Privacy, search, and services .............................

rem 1 - Suggest similar sites when a website can't be found
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "AlternateErrorPagesEnabled" /t REG_DWORD /d "0" /f

rem Automatically switch to more secure connections with Automatic HTTPS / 0 - Disabled / 1 - Switch to supported domains / 2 - Always
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "AutomaticHttpsDefault" /t REG_DWORD /d "2" /f

rem Diagnostic Data / 0 - Off / 1 - RequiredData / 2 - OptionalData
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "DiagnosticData" /t REG_DWORD /d "0" /f

rem Enhance the security state in Microsoft Edge / 0 - Standard mode / 1 - Balanced mode / 2 - Strict mode
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "EnhanceSecurityMode" /t REG_DWORD /d "2" /f

rem Search on new tabs uses search box or address bar / redirect - address bar / bing - search box
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "NewTabPageSearchBox" /t REG_SZ /d "redirect" /f

rem 1 - Use a web service to help resolve navigation errors
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "ResolveNavigationErrorsUseWebService" /t REG_DWORD /d "0" /f

rem 1 - Show me search and site suggestions using my typed characters
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "SearchSuggestEnabled" /t REG_DWORD /d "0" /f

rem 1 - Turn on site safety services to get more info about the sites you visit
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "SiteSafetyServicesEnabled" /t REG_DWORD /d "0" /f

rem Tracking prevention / 0 - Off / 1 - Basic / 2 - Balanced / 3 - Strict
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "TrackingPrevention" /t REG_DWORD /d "0" /f

rem 1 - Typosquatting Checker (just sending what you type to MS)
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "TyposquattingCheckerEnabled" /t REG_DWORD /d "0" /f

rem 1 - Visual search (sending what you are looking at to MS)
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "VisualSearchEnabled" /t REG_DWORD /d "0" /f

rem ________________________________________________________________________________________
rem Enable Microsoft Search in Bing suggestions in the address bar
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "AddressBarMicrosoftSearchInBingProviderEnabled" /t REG_DWORD /d "0" /f

rem Allow personalization of ads, Microsoft Edge, search, news and other Microsoft services by sending browsing history, favorites and collections, usage and other browsing data to Microsoft
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "PersonalizationReportingEnabled" /t REG_DWORD /d "0" /f

rem Enable full-tab promotional content
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "PromotionalTabsEnabled" /t REG_DWORD /d "0" /f

rem Allow recommendations and promotional notifications from Microsoft Edge
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "ShowRecommendationsEnabled" /t REG_DWORD /d "0" /f

rem Choose whether users can receive customized background images and text, suggestions, notifications, and tips for Microsoft services)
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "SpotlightExperiencesAndRecommendationsEnabled" /t REG_DWORD /d "0" /f

rem Use secure DNS (DoH)
rem reg add "HKLM\Software\Policies\Microsoft\Edge" /v "BuiltInDnsClieDnsClientEnabled" /t REG_DWORD /d "1" /f
rem reg add "HKLM\Software\Policies\Microsoft\Edge" /v "DnsOverHttpsMode" /t REG_SZ /d "secure" /f
rem reg add "HKLM\Software\Policies\Microsoft\Edge" /v "DnsOverHttpsTemplates" /t REG_SZ /d "https://dns.nextdns.io/xxxxxx?" /f


rem =================================== Windows Policies ===================================
rem ------------------------------------ Microsoft Edge ------------------------------------
rem ...................................... Profiles ........................................

rem 1 - Save and fill personal info
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "AutofillAddressEnabled" /t REG_DWORD /d "1" /f

rem 1 - Save and fill payment info
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "AutofillCreditCardEnabled" /t REG_DWORD /d "1" /f

rem 1 - Let users compare the prices of a product they are looking at, get coupons or rebates from the website they're on
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "EdgeShoppingAssistantEnabled" /t REG_DWORD /d "0" /f

rem 1 - Suggest strong passwords
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "PasswordGeneratorEnabled" /t REG_DWORD /d "1" /f

rem 1 - Offer to save passwords
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "PasswordManagerEnabled" /t REG_DWORD /d "1" /f

rem 1 - Show alerts when passwords are found in an online leak
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "PasswordMonitorAllowed" /t REG_DWORD /d "0" /f

rem 1 - Show alerts when passwords are found in an online leak
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "PasswordMonitorAllowed" /t REG_DWORD /d "0" /f

rem 1 - Show the "Reveal password" button in password fields
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "PasswordRevealEnabled" /t REG_DWORD /d "0" /f

rem Sign in: / 0 - Automatically / 1 - With device password
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "PrimaryPasswordSetting" /t REG_DWORD /d "1" /f

rem 1 - Show Microsoft Rewards experience and notifications
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "ShowMicrosoftRewards" /t REG_DWORD /d "0" /f

rem ________________________________________________________________________________________
rem 1 - Single sign-on for work or school sites using this profile enabled
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "AADWebSiteSSOUsingThisProfileEnabled" /t REG_DWORD /d "0" /f

rem 1 - Allow single sign-on for Microsoft personal sites using this profile
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "MSAWebSiteSSOUsingThisProfileAllowed" /t REG_DWORD /d "0" /f

rem Configure the list of domains where Microsoft Edge should disable the password manager
reg add "HKLM\Software\Policies\Microsoft\Edge\PasswordManagerBlocklist" /v "1" /t REG_SZ /d "Steam Community" /f
reg add "HKLM\Software\Policies\Microsoft\Edge\PasswordManagerBlocklist" /v "2" /t REG_SZ /d "Steam Store" /f


rem =================================== Windows Policies ===================================
rem ------------------------------------ Microsoft Edge ------------------------------------
rem ................................ System and performance ................................

rem 1 - Continue running background apps when Microsoft Edge is closed
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "BackgroundModeEnabled" /t REG_DWORD /d "0" /f

rem Efficiency Mode / 1 - Enables efficiency mode
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "EfficiencyModeEnabled" /t REG_DWORD /d "0" /f

rem 1 - Use hardware acceleration when available
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "HardwareAccelerationModeEnabled" /t REG_DWORD /d "1" /f

rem 1 - Save resources with sleeping tabs
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "SleepingTabsEnabled" /t REG_DWORD /d "0" /f

rem 1 - Startup boost
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "StartupBoostEnabled" /t REG_DWORD /d "0" /f

rem ________________________________________________________________________________________
rem 1 - If ECH is enabled, Microsoft Edge might or might not use ECH depending on server support, the availability of the HTTPS DNS record
rem Enable: DOH + #dns-https-svcb + #use-dns-https-svcb-alpn + the paramater: --enable-features="EncryptedClientHello" - Welcome to defo.ie
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "EncryptedClientHelloEnabled" /t REG_DWORD /d "1" /f

rem NetworkPrediction / 0 - Always / 1 - WifiOnly / 2 - Never
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "NetworkPredictionOptions" /t REG_DWORD /d "2" /f
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --enable-features="EnableCsrssLockdown,EncryptedClientHello,GpuAppContainer,IsolatePrerenders,IsolateSandboxedIframes,RendererAppContainer,WinSboxDisableExtensionPoint" --site-per-process
 
F

ForgottenSeer 97327

@plat, @Jan Willy, @oldschool, @TairikuOkami

The link posted by Jan Willy of Kees1958 also shows an interesting tweak:

Using different uBO-levels hardening in different browser profiles (y), I had not thought af that either.

I also noticed Kees1958 used this uBO scriptlet in his most restricted profile: *##+js(noeval)

Blocking unsafe eval also limits the risk of XSS attacks, combined with the extra checks Edge can perform by disabling the Javascript Just in Time interpreter, this should block 99,9999% of all javascript attacks (99,9999% because in security 100% does not exist)
 
  • Thanks
Reactions: plat

Jan Willy

Level 11
Verified
Top Poster
Well-known
Jul 5, 2019
537
I also noticed Kees1958 used this uBO scriptlet in his most restricted profile: *##+js(noeval)
Well worth reading:
 
F

ForgottenSeer 97327

@JanWilly thanks you a resource for Kees1958 tweaks (y)

I used his most EU-US most common blocklist until I started to getting problems on CNN where sometimes videos did not want to start. He does not post here anymore, but I noticed he published a MV3 version of his blocklist (I promised myself that I would not change filterlists for a month, so I have not tried it).

By the way I also noticed that RTLnieuws needs noeval exception to play videos from gigya as subdocument, so I will drop this rule. I am a bit disappointed that eval use is still common.
 
  • Like
Reactions: Jan Willy

Pixelman

Level 4
Verified
Well-known
Jun 7, 2022
151
Inspired by Lenny_Fox I've changed next settings in my random browsing profile. Although I'm not sure about the risk level of each item.
Protocolhandlers = block
MIDI devices = block
USB devices = block
Serial ports = block
File editing = block
PDF-documents = disabled always download (show in browser)
Clipboard = disable (block)
Payment handlers = block
Virtual reality = block
Augmented reality = block

Edit: Also very interesting (from Kees1958): Updates Thread - Microsoft Edge Stable (Chromium) Now Available for Download
What did you disable?
@Jan Willy:
im better star trek GIF
 

Jan Willy

Level 11
Verified
Top Poster
Well-known
Jul 5, 2019
537
I also noticed Kees1958 used this uBO scriptlet in his most restricted profile: *##+js(noeval)
You can test this rule on Test Eval

Testresult:

1678637961402.png


uBO log:

1678638083283.png


There seem to be three other more or less suspicious script-methods: new Function(), setTimeout() and setInterval(). I didn't figure out how to make blocking rules.
But a browserextension will do the job: NoEval - Disable Eval()

Edit 2023-03-13: Even a block on malwaretips.com

1678704905060.png
 
Last edited:
  • Like
Reactions: oldschool

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top