Web browsers are perhaps the most frequently used tools in a business environment. Access to the Internet is a necessity for completing everyday tasks.

However, the Internet is a gold mine of threats. The first defense against Internet threats is proper cybersecurity education and following best practices. Beyond that, additional settings should be configured on the browsers themselves to enhance their security.

The average business environment typically uses a combination of Microsoft Edge, Google Chrome, and Firefox. All three browsers have their pros and cons and have mixed reputations for user security and data privacy.

Regardless of browser, some security best practices should be followed:

  1. Do not log in to a user profile on a browser. Browsers provide users with the option to register and sign in to an email account with their email addresses. The benefits of doing this are tempting. Users can sync bookmarks, favorites, and preferences between different instances of the browser running on other devices. However, doing this is bad practice, as an attacker who compromises the browser can then have access to sensitive data and saved credentials. It is best to set a policy preventing users from signing into browser accounts, instructing them to use browsers as isolated instances on their work machines.
  2. Avoid using built-in Password Managers. Utilizing password managers is a great way to decrease the volume of forgotten user passwords and help desk calls. Browsers usually include a built-in password manager. However, these browser password managers have a questionable past when it comes to security. Users should avoid using them and instead opt for a third-party password manager like Bitwarden or LastPass.
  3. Block Third-Party Cookies. Cookies can help enhance a web browsing experience, but for the most part, many of them are unnecessary. Third-party cookies in particular often contain tracking functionality to target users with advertisements. It is a best practice to block these cookies on web browsers in the workplace.
  4. Turn on Safe Browsing. Safe Browsing is a functionality built into browsers and search engines to block harmful content like malware. There are usually various levels to Safe Browsing; Google Chrome offers No Protection, Standard Protection, and Enhanced Protection. Sometimes, Enhanced Protection levels can impact the usability of the web browsing experience. For the best results, workplace computers should have Standard/Balanced Protection Modes enabled in their browsers.
  5. Block Websites From Asking For Your Location. Turning on location tracking is sometimes recommended for areas like online shopping. However, revealing location through a web browser is a blatant risk to privacy. Most browsers have location tracking enabled by default. It is recommended to go into the browser settings and disable it on workplace computers.
  6. Implement Reputable Security Extensions. Extensions for web browsers are a double-edged sword. Some extensions are nothing but adware that will slow down a user’s browsing experience. However, some extensions offer fantastic functionalities to improve online efficiency. There are many free security extensions present in most web browser stores that can help harden the web browsing experience. (Remember, always vet the reliability of browser extensions before installing.)
    • uBlock Origin: a resource-light ad blocker with impressive results (No longer available on Google Chrome).
    • Privacy Badger: blocks advertisements and third-party trackers.
    • Malwarebytes Browser Guard: web-focused antimalware that also provides input into the reliability of websites.
    • Shodan: a browser-embedded extension of the Shodan.io website that provides security information on the back-ends of websites, including open ports and vulnerabilities.
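
Practices 1 through 5 can be enforced through each browser's policy registry keys, and the PowerShell script below audits a Windows machine against them. It is an added example, not part of the policy file provided with this page; the expected values are assumptions derived from the list above, and Edge's SmartScreen is used as the counterpart to Safe Browsing.

```powershell
# Added example. Expected values are assumptions taken from practices 1-5 above;
# they are not an export of any specific GPO or benchmark.
# Practice 6 (extensions) needs a per-organisation allowlist and is not checked here.
$chrome  = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$edge    = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$firefox = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox'

$checks = @(
    @{ Practice = 1; Browser = 'Chrome';  Key = $chrome;  Name = 'BrowserSignin';               Expected = 0 }
    @{ Practice = 2; Browser = 'Chrome';  Key = $chrome;  Name = 'PasswordManagerEnabled';      Expected = 0 }
    @{ Practice = 3; Browser = 'Chrome';  Key = $chrome;  Name = 'BlockThirdPartyCookies';      Expected = 1 }
    @{ Practice = 4; Browser = 'Chrome';  Key = $chrome;  Name = 'SafeBrowsingProtectionLevel'; Expected = 1 }  # 1 = Standard
    @{ Practice = 5; Browser = 'Chrome';  Key = $chrome;  Name = 'DefaultGeolocationSetting';   Expected = 2 }  # 2 = block
    @{ Practice = 1; Browser = 'Edge';    Key = $edge;    Name = 'BrowserSignin';               Expected = 0 }
    @{ Practice = 2; Browser = 'Edge';    Key = $edge;    Name = 'PasswordManagerEnabled';      Expected = 0 }
    @{ Practice = 3; Browser = 'Edge';    Key = $edge;    Name = 'BlockThirdPartyCookies';      Expected = 1 }
    @{ Practice = 4; Browser = 'Edge';    Key = $edge;    Name = 'SmartScreenEnabled';          Expected = 1 }
    @{ Practice = 5; Browser = 'Edge';    Key = $edge;    Name = 'DefaultGeolocationSetting';   Expected = 2 }
    @{ Practice = 1; Browser = 'Firefox'; Key = $firefox; Name = 'DisableFirefoxAccounts';      Expected = 1 }
    @{ Practice = 2; Browser = 'Firefox'; Key = $firefox; Name = 'PasswordManagerEnabled';      Expected = 0 }
    @{ Practice = 5; Browser = 'Firefox'; Key = "$firefox\Permissions\Location"; Name = 'BlockNewRequests'; Expected = 1 }
)

$results = foreach ($c in $checks) {
    $actual = $null
    if (Test-Path $c.Key) {
        # Returns $null when the value is absent, i.e. the policy is not configured.
        $actual = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    }
    [pscustomobject]@{
        Practice  = $c.Practice
        Browser   = $c.Browser
        Policy    = $c.Name
        Expected  = $c.Expected
        Actual    = if ($null -eq $actual) { 'not set' } else { $actual }
        Compliant = ($null -ne $actual -and $actual -eq $c.Expected)
    }
}

$results | Sort-Object Browser, Practice | Format-Table -AutoSize

# A non-zero exit code lets a scheduled task or RMM tool flag the machine.
if ($results.Compliant -contains $false) { exit 1 }
```

A policy reported as "not set" means the browser falls back to its default or to whatever the user chose, so it is counted as non-compliant.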

Automatically Apply Browser Security Baselines with Group Policy

ADMX and ADML templates can be imported into the Local Group Policy and used to apply granular security controls to specific web browsers. As part of this framework, I have provided a master Local Group Policy that has been exported from a clean Windows 11 machine and can be imported into as many of your Windows machines as you want. The policy contains industry-standard benchmark settings for Google Chrome, Firefox, and Microsoft Edge.

Download the LGPO file here: GPO_UMPI

To import the settings from the policy, follow the provided steps on each machine where you wish to import the policy:

  1. Download both our folder and the Microsoft Security Compliance Toolkit from Microsoft.
  2. Extract the Compliance Toolkit to a nearby folder.
  3. Open the Command Prompt as an Administrator.
  4. Navigate to the location where you extracted the Security Compliance Toolkit and change directory to the LGPO_30 folder.
  5. Run the following command:
    • LGPO.exe /g C:\Path\To\Our\File (Replace C:\Path with the path of our GPO file.)
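
The same import as a PowerShell script that first saves the machine's current local policy with `LGPO.exe /b`, so there is a record of the prior state before the baseline is applied. This is an added example, not a script shipped with the policy file; both default paths are placeholders and the backup folder name is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example: back up the current local policy, then import the baseline.
param(
    [string]$LgpoDir    = 'C:\Path\To\LGPO_30',          # placeholder: extracted toolkit folder
    [string]$GpoPath    = 'C:\Path\To\Our\File',         # placeholder: the downloaded GPO folder
    [string]$BackupRoot = "$env:SystemDrive\LGPO-Backups" # assumption: any admin-only folder works
)

$lgpo = Join-Path $LgpoDir 'LGPO.exe'
if (-not (Test-Path $lgpo))    { throw "LGPO.exe not found in $LgpoDir" }
if (-not (Test-Path $GpoPath)) { throw "GPO folder not found: $GpoPath" }

# 1. Export the current local policy to a timestamped GPO backup.
$backup = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $backup -Force | Out-Null
& $lgpo /b $backup
if ($LASTEXITCODE -ne 0) { throw "Backup failed (exit code $LASTEXITCODE); nothing was imported." }

# 2. Import the baseline (same command as step 5 above).
& $lgpo /g $GpoPath
if ($LASTEXITCODE -ne 0) { throw "Import failed (exit code $LASTEXITCODE). Prior policy saved in $backup" }

# 3. Refresh policy so the browsers pick up the new settings on next launch.
gpupdate /force

Write-Host "Baseline imported. Previous local policy saved in $backup"
```

After the import, opening `chrome://policy`, `edge://policy` or `about:policies` in the respective browser shows which settings were actually picked up.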

Google Chrome Baseline


Firefox Baseline


Microsoft Edge Baseline
