1.100 Ensure 'Enhanced Security Mode configuration for Intranet zone sites' is set to 'Disabled'

Information

This policy setting controls whether Microsoft Edge will apply enhanced security mode on Intranet zone sites. Enhanced security mode in Microsoft Edge mitigates memory-related vulnerabilities by disabling just-in-time (JIT) JavaScript compilation and enabling additional operating system protections for the browser.

The recommended state for this setting is Disabled.

Rationale:

Enhanced security mode provides 'defense-in-depth' protection that makes it more difficult for a malicious site to use an unpatched vulnerability to write to executable memory.

Impact:

Disabling this setting could lead to Intranet zone sites acting in an unexpected manner.

Solution

To establish the recommended configuration via GP, set the following UI path to Disabled:

Computer Configuration\Policies\Administrative Templates\Microsoft Edge\Enhanced Security Mode configuration for Intranet zone sites

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MSEdge.admx/adml that can be downloaded from: Download Microsoft Edge for Business - Microsoft.

Default Value:

Disabled. (Microsoft Edge will apply enhanced Security Mode on Intranet zone sites.)

See Also

https://workbench.cisecurity.org/benchmarks/11865

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b.

Plugin: Windows

Control ID: e23efcb42b5d820e552686b66b2c40e4a7445efbf52e7f48d70d3118e8374013