The use of web browsers in the business environment SHALL be locked down through the use of baseline security settings commensurate with the business risk appetite.

Web browsers are one of the most widely used applications in business environments. Browsers provide an interface that allows users to access the Internet and interact with various web-based services. Browsers are also a major access vector for threat actors seeking to infiltrate business environments. Since a browser is effectively a portal connecting local systems to public networks, it is exposed to numerous attacks that seek to compromise it and pivot to other resources, or to use the browser to deliver a malicious payload to the system itself. Browsers are also major sources of data leakage and privacy violations. Sensitive data can be copied from the local system and pasted into unauthorized locations over the Internet using the browser. Malicious advertising sources tailor their intrusive advertising campaigns to take advantage of browser functionality. Data brokers do the same, using the browser's relationship with websites to harvest data about the browser and its end user. The list of cyber threats that use or involve web browsers goes on and on.

Businesses must take precautions by implementing security controls that harden web browser applications and reduce their attack surface. Generally, web browsers should follow the least-functionality principle: they should provide only the minimum functionality users need to perform their workflows. For most businesses, this involves browsing a select group of work-related websites, downloading appropriate files, and sometimes using vetted extensions for user assistance. A business should clearly document the specific web browser functionalities required by its employees. This minimum level of functionality should then be enforced via a secure baseline configuration of web browsers. Baselines need to be created for all of the web browsers available to employees, and they need to be applied to all endpoint devices and operating systems in the business environment.

The security baselines for web browsers are generally applied using Domain or Local Group Policies, or Mobile Device Management (MDM) templates. The baselines should be based on checklists of specific security configurations outlined by reputable guidelines such as CIS Benchmarks or DoD STIGs. These baselines can be created and tailored manually by IT staff, or can be configured automatically by running scripts from various vendors. If a script from a public source, such as GitHub, is used to configure baselines, the script must be verified to ensure it does not contain malicious commands. This can be done using cryptographic methods like checksums.

Web browser security baselines should be validated and tested to ensure they are enforcing the required security restrictions. They should be documented in configuration management systems and regularly applied to all new devices integrated in the business environment. Specific controls must also be reviewed and updated over time as needed to address emerging threats and business requirements.

Some standard best practice controls for web browser security baselines include:

  • Safe Browsing Mode should be enforced at a minimum of the Standard protection level.
  • Safe Search Protection should be enforced to block adult content from the work environment.
  • Prevent users from deleting browsing and download history. This allows audit trails to be verified.
  • Configure pop-up blockers to block all pop-ups.
  • Configure the browser to block all third-party cookies.
  • Disable search suggestions and other intrusive browser features.
  • Disable the use of autofill for web form data.
  • Disable the use of autofill for credit card data.
  • Disable the use of autofill for addresses.
  • Block the installation of external extensions. Allow the use of business-approved extensions on an exception basis.
  • Prevent web browsers from displaying desktop notifications.
  • Disable the use of built-in browser password managers. This connects user credentials to the web browser, meaning they are compromised if the browser itself is compromised. Businesses should use third-party secure password managers instead.
  • Disable the use of built-in browser digital wallets. This connects sensitive financial data to the web browser, meaning they are compromised if the browser itself is compromised. Businesses should utilize secure digital wallet solutions if they are needed.
  • Prevent users from proceeding past the SSL Warning Page displayed before a website with an untrusted certificate.
  • Enable the use of site isolation features to sandbox web browsing sessions.
  • Enforce automatic browser updates, with notifications displayed when a browser restart is required.
  • Disable the use of built-in browser accounts. Browsers allow users to sign into the browser with their digital identities, enabling features like personalization and syncing across devices. This unnecessarily widens the browser's attack surface despite its convenience.
  • Prevent the browser from sending usage or crash reports to the manufacturer. This exposes business data to external entities that may sell it to data brokers.
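As an added example that is not part of this standard, the controls above expressed as a Chromium managed-policy file, alongside an audit function that reports deviations from that baseline. The policy names are real Chrome/Edge policy names; the chosen values, the `load_policy`/`audit_policy`/`render_managed_policy` helpers and the Linux policy path are this example's own assumptions, and the digital-wallet and auto-update controls are omitted because they are set outside this policy file.

```python
import json

# Baseline derived from the controls listed above, keyed by Chromium policy name.
# Chrome on Linux reads such JSON from /etc/opt/chrome/policies/managed/;
# on Windows the same names are registry values under
# HKLM\SOFTWARE\Policies\Google\Chrome (usually delivered by Group Policy).
BASELINE = {
    "SafeBrowsingProtectionLevel": 1,   # 1 = Standard protection
    "ForceGoogleSafeSearch": True,      # safe search for adult content
    "AllowDeletingBrowserHistory": False,
    "DefaultPopupsSetting": 2,          # 2 = block all pop-ups
    "BlockThirdPartyCookies": True,
    "SearchSuggestEnabled": False,
    "AutofillAddressEnabled": False,
    "AutofillCreditCardEnabled": False,
    "ExtensionInstallBlocklist": ["*"], # block all; approve via ExtensionInstallAllowlist
    "DefaultNotificationsSetting": 2,   # 2 = block desktop notifications
    "PasswordManagerEnabled": False,
    "SSLErrorOverrideAllowed": False,   # no click-through on certificate warnings
    "SitePerProcess": True,             # site isolation
    "BrowserSignin": 0,                 # 0 = disable browser accounts
    "MetricsReportingEnabled": False,   # no usage/crash reporting
}


def render_managed_policy() -> str:
    """Emit the baseline as the JSON text a managed-policy file would contain."""
    return json.dumps(BASELINE, indent=2, sort_keys=True)


def load_policy(text: str) -> dict:
    """Parse a managed-policy JSON file into a dict of effective settings."""
    return json.loads(text)


def audit_policy(effective: dict) -> list[str]:
    """Compare effective settings with BASELINE; return one finding per deviation.

    A key that is absent is reported as unset, since an unset policy leaves the
    browser default (usually the permissive one) in force.
    """
    findings = []
    for key, want in BASELINE.items():
        if key not in effective:
            findings.append(f"{key}: not set (want {want!r})")
        elif effective[key] != want:
            findings.append(f"{key}: is {effective[key]!r}, want {want!r}")
    return findings


if __name__ == "__main__":
    # Constructed example of a weak policy file: only two settings, both wrong.
    weak = load_policy('{"SafeBrowsingProtectionLevel": 0, "PasswordManagerEnabled": true}')
    print("\n".join(audit_policy(weak)))
```

Extra keys in the effective policy are ignored, so the audit can be run against a complete exported policy file without the baseline having to list every setting.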