Enterprise-level Hardening of Web Browsers for Microsoft Windows

Abstract

Today, web browsers are a major avenue for cyber-compromise and data breaches. Web browser hardening, through high-granularity and tailored configurations, can help prevent or mitigate many of these attack avenues. For example, an enforced configuration that allows users to use one browser to connect to critical and trusted websites and a different browser for untrusted websites, with the former web browser restricted to trusted sites and the latter with JavaScript and Plugins disabled by default, can help prevent JavaScript- and Plugin-based attacks. However, most organizations today, still allow web browsers to run with their default configurations and allow users to use the same web browser to connect to trusted and untrusted websites alike. In this tutorial article, we describe in detail the steps needed for hardening the enterprise browser ecosystem using such tailored and high-granularity hardening approach at the enterprise scale by using the Windows Group Policy Editor and Active Directory Services, which are in widespread use in most organizations. We hope that system administrators use this guide to jump-start an enterprise-wide strategy for implementing high-granularity application-level hardening. This will help secure enterprise systems at the client-side, in addition to the network perimeter and server-side.