Browsers Hardening (Edge, Chrome & Firefox)

Introduction

Browsers ship with a lot of functionality enabled by default. That convenience comes with trade-offs: every extra feature increases the attack surface, and some defaults can expose more data than you might expect. In this post, I'll highlight 10 browser controls worth enforcing in a modern baseline, along with the key considerations for whether each setting fits your environment. These baselines are inspired by the CIS Benchmarks, with a few additional tweaks and adjustments to better fit real-world environments and strengthen both security and privacy.

Prerequisites

To keep it practical, I'm also sharing four Intune-importable browser baselines. Before you can import them, Intune needs the following ADMX templates:

  • Firefox ADMX Files
  • Windows ADMX Files
  • Chrome Update ADMX Files

Step 1: Download the ADMX & ADML files (Firefox)

  1. Download the Mozilla policy templates
    Use this link to automatically download the latest ADMX/ADML templates from Mozilla’s GitHub.
  2. Extract the ZIP file
    Unzip the downloaded file so you can access the folder structure.
  3. Locate the ADMX files
    In the Windows subfolder, copy:
    • firefox.admx
    • mozilla.admx
  4. Locate the ADML (language) files
    Open the en-US folder (or your preferred language folder) and copy:
    • firefox.adml
    • mozilla.adml

Step 2: Import the ADMX/ADML files into Intune

  1. Open the Intune admin center
    Go to the Microsoft Intune portal.
  2. Navigate to ADMX import
    Devices > Windows > Configuration (or Configuration profiles, depending on your tenant UI)
  3. Open the import tab
    Select Import ADMX.
  4. Start a new import
    Click + Import.
  5. Upload the files
    • Upload the .admx file first (e.g., mozilla.admx or firefox.admx). Import mozilla.admx before firefox.admx: firefox.admx references the Mozilla namespace, and Intune rejects an ADMX whose dependencies have not been imported yet.
    • Then upload the matching .adml file (e.g., en-US\mozilla.adml / en-US\firefox.adml)
  6. Finish
    Click Next / Create to complete the import.

Repeat these steps for ChromeUpdate and Windows (for ChromeUpdate, import google.admx before GoogleUpdate.admx for the same dependency reason).
Download ChromeUpdate ADMX here
Download Windows ADMX here

Download Administrative Templates (.admx) for Windows 11 2024 Update (24H2) from Official Microsoft Download Center

Step 3: Import JSON

Go to my GitHub page to download the JSON files for the browser settings.

  1. Open the Intune admin center
    Go to the Microsoft Intune portal.
  2. Navigate to Import Policy
    Devices > Windows > Configuration > Import Policy, then upload each JSON file.


That's it: your four baselines are now in Intune and ready to assign to your user groups. Below, you'll find 10 browser controls that are especially worth calling out.

Do keep in mind: you should understand what each setting does before deploying it broadly, so you can properly judge the impact on usability and compatibility. These controls aren't just about security: they also include privacy-focused settings that may affect user experience and certain websites or extensions.

Browser Controls

I’m not going to walk through every single setting, but I’ve selected 10 controls that are most likely to have a noticeable impact. As always, review each one and validate that it’s a good fit for your organization—test with a pilot group, confirm business-critical sites still work, and then roll out gradually.

1. Configure Microsoft Defender SmartScreen

Microsoft Defender SmartScreen helps protect users against phishing, malicious websites and applications, and downloads that may contain malware. When you enable PUA (Potentially Unwanted Applications) protection alongside SmartScreen, it also blocks sites and downloads linked to unwanted software such as adware or bundlers.

From the Microsoft Defender portal, you can further strengthen this by adding custom indicators to block specific URLs/domains, file hashes, and IP addresses, giving you more control over what users can access or download.

Side note: SmartScreen only covers the browser itself. For coverage of all browsers and other processes on the device, enable Network Protection. See https://rockit1.nl/archieven/175

2. Site isolation: each site in its own process (SitePerProcess)

Site Isolation reduces the blast radius if one site is compromised: each site renders in its own process, so a renderer exploit on one site cannot read another site's data. It does increase memory and CPU usage. Instead of isolating every site, you can also isolate only your Tier 0 domains (the IsolateOrigins policy) so that only those get a dedicated process. Note that IsolateOrigins expects origins such as https://login.microsoftonline.com, with wildcards written as https://[*.]sharepoint.com. Generally, though, you can enable it for every site; Microsoft also recommends this setting in its security baseline for Edge. Example Tier 0 domains:

  • login.microsoftonline.com
  • admin.microsoft.com
  • entra.microsoft.com
  • portal.azure.com
  • security.microsoft.com
  • endpoint.microsoft.com
  • outlook.office.com
  • *.sharepoint.com
  • teams.microsoft.com (or *.teams.microsoft.com)

Or, more broadly:

  • *.office.com
  • *.microsoft.com

3. Browser code integrity

Code Integrity Guard requires that binaries loaded into a process are Microsoft-signed. Any binary without a valid Microsoft digital signature is blocked, reducing the risk of unknown or tampered code being loaded and helping to prevent untrusted DLL/module injection into trusted processes.

4. Password manager

Disable the built-in password manager. Browser-stored passwords can be harvested by an attacker (or an infostealer) who gets a foothold on the machine. Disabling it also encourages the use of a central enterprise password solution.

5. Extensions

Create an extension allow list. Browser extensions are a common attack vector and can introduce significant risk through excessive permissions, data access, or supply-chain compromise. Only approve extensions that are explicitly required for business use, and perform a risk assessment for each allowed extension (publisher validation, permissions review, update history, support/ownership, and ongoing monitoring).

6. Disable Sync

Disabling sync reduces the risk of corporate data (saved passwords, history, open tabs) leaking to personal accounts or outside the tenant.

7. Potentially Unwanted Downloads

When you enable this control (the DownloadRestrictions policy in Edge and Chrome), dangerous file types such as .rdp are blocked. This is useful for regular enterprise users, but it can be a challenge for admins, so consider a separate profile for them.

8. Require a minimum TLS version of 1.2

Set the minimum TLS version to 1.2 so the browser refuses to negotiate the deprecated TLS 1.0 and 1.1 protocols. Check first whether any internal legacy sites still depend on them.

9. Disable Google Cast

Google Cast relies on multicast DNS (mDNS) for zero-configuration discovery on the local network. mDNS lets devices automatically find and identify nearby hosts and services, without a dedicated DNS server or manual setup, by resolving friendly names to IP addresses and advertising services within the same subnet. In practice, this is what makes Cast devices "just appear" and connect quickly on small networks. Disabling Cast removes that discovery traffic and the ability to mirror browser content to any Cast device on the local network.

10. Updates

Keeping the browser updated is critical to its security posture. Below you can find the Edge update settings; the Chrome and Firefox update settings are in the JSON files.

Edit: "Minutes between update checks" should be anything but 0, because a value of 0 disables automatic update checks.
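As an added example (not code from the original post or from the shared JSON baselines), the following PowerShell script audits a Windows device for the Edge policy values behind controls 1 to 10 above, so you can verify that the baseline actually applied on a pilot device and catch drift, including the update interval set to 0 that control 10 warns about. The policy names are Edge's documented policy names; the expected values, the mapping of control 3 to RendererCodeIntegrityEnabled, and the DownloadRestrictions values accepted for control 7 are my assumptions, not necessarily what the JSON files set.

```powershell
# Added example, not code from the original post or its baselines: audit a Windows
# device for the registry-backed Edge policy values behind controls 1-10.
# Edge reads machine policy from HKLM:\SOFTWARE\Policies\Microsoft\Edge, which is
# where both GPO and Intune's ADMX-backed profiles write. Run elevated on a device
# that has already received the baseline. The expected values are my own picks
# (assumption), not necessarily what the shared JSON baseline sets.

$EdgePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$EdgeUpdate = 'HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate'

# Policy name -> acceptable value(s). Names are the documented Edge policy names.
$Expected = [ordered]@{
    # 1. SmartScreen with PUA protection, and users cannot click through warnings
    'SmartScreenEnabled'                       = 1
    'SmartScreenPuaEnabled'                    = 1
    'PreventSmartScreenPromptOverride'         = 1
    'PreventSmartScreenPromptOverrideForFiles' = 1
    # 2. Site isolation for every site
    'SitePerProcess'                           = 1
    # 3. Renderer code integrity (assumed browser-side policy for control 3)
    'RendererCodeIntegrityEnabled'             = 1
    # 4. Built-in password manager off
    'PasswordManagerEnabled'                   = 0
    # 6. Sync off
    'SyncDisabled'                             = 1
    # 7. Block dangerous downloads (1, 2 and 3 all block dangerous types; 3 blocks all)
    'DownloadRestrictions'                     = @(1, 2, 3)
    # 8. Minimum TLS 1.2
    'SSLVersionMin'                            = 'tls1.2'
    # 9. Google Cast off
    'EnableMediaRouter'                        = 0
}

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value does not exist (policy not configured).
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-PolicyList {
    param([string]$Path)
    # List policies (ExtensionInstallBlocklist, ...) are stored as a subkey whose
    # values are named "1", "2", ...; return their data.
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if (-not $key) { return @() }
    foreach ($valueName in $key.GetValueNames()) { $key.GetValue($valueName) }
}

function Get-EdgeBaselineDrift {
    $rows = @(foreach ($name in $Expected.Keys) {
        $actual  = Get-PolicyValue -Path $EdgePolicy -Name $name
        $allowed = @($Expected[$name])
        [pscustomobject]@{
            Control  = $name
            Expected = ($allowed -join ' | ')
            Actual   = if ($null -eq $actual) { '<not configured>' } else { $actual }
            Status   = if ($null -ne $actual -and $allowed -contains $actual) { 'OK' } else { 'DRIFT' }
        }
    })

    # 5. Extension allow list: block "*" and explicitly allow approved extension IDs.
    $blocked  = @(Get-PolicyList -Path "$EdgePolicy\ExtensionInstallBlocklist")
    $approved = @(Get-PolicyList -Path "$EdgePolicy\ExtensionInstallAllowlist")
    $rows += [pscustomobject]@{
        Control  = 'ExtensionInstallBlocklist / Allowlist'
        Expected = '"*" blocked, approved IDs allowed'
        Actual   = "blocked=[$($blocked -join ',')] allowed=$($approved.Count) ID(s)"
        Status   = if ($blocked -contains '*') { 'OK' } else { 'DRIFT' }
    }

    # 10. Updates: the check interval must not be 0, because 0 disables update checks.
    $period = Get-PolicyValue -Path $EdgeUpdate -Name 'AutoUpdateCheckPeriodMinutes'
    $rows += [pscustomobject]@{
        Control  = 'AutoUpdateCheckPeriodMinutes (EdgeUpdate)'
        Expected = '> 0'
        Actual   = if ($null -eq $period) { '<not configured (product default)>' } else { $period }
        Status   = if ($null -eq $period) { 'DEFAULT' } elseif ([int]$period -gt 0) { 'OK' } else { 'DRIFT' }
    }
    $rows
}

$report = Get-EdgeBaselineDrift
$report | Format-Table -AutoSize
# Non-zero exit makes this usable as the detection script of an Intune remediation.
if ($report.Status -contains 'DRIFT') { exit 1 }
```

Run it elevated on a pilot device after the profiles have applied (edge://policy should show the same values). To audit Chrome, point $EdgePolicy at HKLM:\SOFTWARE\Policies\Google\Chrome and the update key at HKLM:\SOFTWARE\Policies\Google\Update; most policy names are shared between the two browsers, but the SmartScreen entries are Edge-only.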


(Screenshot: resulting Edge update settings)

BONUS


11. Scareware Blocker (preview)
Microsoft Edge’s Scareware Blocker helps protect you from scareware attacks—those full-screen pop-ups that claim your device is infected or “compromised” and try to pressure you into calling fake support numbers or downloading malicious software.

Conclusion

There are plenty of settings you can use to harden your browser, and I hope this blog makes it a little easier to build a solid baseline. Just be careful when rolling these changes into production—test first with a pilot group, validate business-critical sites and extensions, and then phase the rollout.



4 thoughts on "Browsers Hardening (Edge, Chrome & Firefox)"

  1. Ruan Kotze

    Thanks for this article, very informative! Question around the Edge updates – does setting “Minutes between update checks” to 0 not disable all automatic updates?

    • Milanw (post author)

      Hey, if you enable Auto-update check period override, you can control how often the browser checks for updates. The goal isn’t to disable updates, but to minimize the delay by setting the interval to 0 minutes, so devices check as frequently as possible and pick up updates as soon as they’re available.

      • Ruan Kotze

        I’m with you on that – but if you hover over the configuration in Intune (also in the Intune CSP documentation) it says that setting the value to 0 will disable automatic update checking, hence my question.

        • Milanw (post author)

          Yes, you are right. I misread that. Thanks, I will adjust accordingly; the value should be anything but 0. Thanks a 100!
