Advice through experience in Office 365, Security, and Azure
Email Phishing Protection Guide – Part 10: Enable/Enforce SmartScreen for Microsoft Internet Explorer, Microsoft Edge, and Google Chrome


The Email Phishing Protection Guide is a multi-part blog series written to walk you through the setup of many security focused features you may already own in Microsoft Windows, Microsoft Office 365, and Microsoft Azure. By implementing some or all of these items, an organization will increase their security posture against phishing email attacks designed to steal user identities. This guide is written for system administrators with skills ranging from beginner to expert.

Email Phishing Protection Guide Index:

Introduction: Email Phishing Protection Guide – Enhancing Your Organization’s Security Posture

Part 1: Customize the Office 365 Logon Portal

Part 2: Training Users with the Office 365 Attack Simulator

Part 3: Deploy Multi Factor Authentication (MFA)

Part 4: Deploy Windows Hello

Part 5: Define Country and Region Logon Restrictions for Office 365 and Azure Services

Part 6: Deploy Outlook Plug-in to Report Suspicious Emails

Part 7: Deploy ATP Anti-Phishing Policies

Part 8: Deploy ATP Safe Link Policies

Part 9: Deploy ATP Safe Attachment Policies

Part 10: Deploy and Enforce Smart Screen for Microsoft Edge, Microsoft Internet Explorer and Google Chrome

Part 11: Monitor Phishing and SPAM Attacks in Office 365

Part 12: Discover Who is Attacking Your Office 365 User Identities

Part 13: Update Your User Identity Password Strategy

Part 14: Prevent Brute Force and Spray Attacks in Office 365

Part 15: Implement the Microsoft Azure AD Password Protection Service (for On-Premises too!)

Part 16: Disable Office 365 Legacy Email Authentication Protocols

Part 17: Control Application Consent Registrations in Microsoft Office 365 and Microsoft Azure

Part 18: Increase Security with Microsoft Secure Score

Part 19: Email Phishing Protection Security Checklist

Part 20: Recommended Security and Anti-Phishing Training from Microsoft Ignite 2018

 

Part 10: Deploy and Enforce Smart Screen for Microsoft Edge, Microsoft Internet Explorer and Google Chrome

Within this blog series we are setting up a variety of locks that an attacker will need to pick for an email phishing attack to succeed. The previous blog in this series discusses how to configure ATP Safe Links, ATP Safe Attachments, and ATP Anti-Phishing policies (features within Office 365 ATP) to protect links in email and Office files in Office 365. But we also need to consider another phishing attack vector. Suppose a user is checking his or her private email account in an Internet browser installed on your organization’s equipment. The user’s personal email may contain malicious phishing links that, once clicked, will install malware on devices within your organization. Or, instead of clicking on a phishing link, suppose the user is searching the web and clicks on a website that attempts to install malware on your organization’s device in what we call a drive-by infection. Let’s walk through how we can set up another padlock of protection against these scenarios.

Internet Explorer and Microsoft Edge have long had a feature called SmartScreen available to protect web surfers from malicious links. In April 2018, the protection scanning capability in these two browsers was made available in a Google Chrome extension called Windows Defender Browser Protection. By defining an Active Directory Group Policy Object (GPO), we can deploy and enforce these security settings in the environment (i.e. prevent a user from disabling the protection). We can also use a GPO to deploy the Google Chrome extension to users. Below are the steps to set up the GPO and deploy it. I highly recommend this first be done in a lab environment to verify settings and intended behavior.

Before we move on with the deployment steps, I encourage you to learn more about the great capabilities of SmartScreen and how it can protect your users from malicious sites that can install drive-by malware infections (including protection from zero-day attacks).

Optional configuration and deployment settings are listed below for Microsoft Internet Explorer, Microsoft Edge, and Google Chrome. To further secure the environment, you may want to consider limiting the use of browsers in your organization to only those with these types of enhanced security features.

With today’s ever-evolving threats, we all need to be vigilant and increase our organization’s security posture using a variety of advanced features (the goal of this blog series). The goal is to add as many locks as possible in an organization without impacting user productivity. The security of your organization is only as good as the weakest link, which is often the unsuspecting user.

Windows Defender SmartScreen Group Policy Setup for Microsoft Internet Explorer and Microsoft Edge

  1. Download the Microsoft Windows 10 ADMX files to expose the Microsoft Internet Explorer and Microsoft Edge settings to configure in a GPO. The latest ADMX files for Windows 7, 8.1, and 10 are located in this site. Also included are instructions about how to manage the Central Store for Group Policy Administration.
  2. Install the downloaded file to your client. By default, the new ADMX files will be located in C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2\Policy Definitions.
  3. Within the folder above:
    a. Locate the Windows.admx and Edge.admx files and copy them to %logonserver%\sysvol\yourdomainname\Policies\PolicyDefinitions. If PolicyDefinitions does not exist, create it.
    b. Open the language folder you will be using in the environment to locate the Windows.adml and Edge.adml files. For my lab environment, I will be using English, so I opened the EN-US folder to locate the Windows.adml and Edge.adml files. Copy these files to %logonserver%\sysvol\yourdomainname\Policies\PolicyDefinitions. If you need multiple languages, be sure to copy the additional Windows.adml and Edge.adml files as well.
  4. Configure Internet Explorer settings for Windows Defender SmartScreen:

    If it was my organization to manage from a technical security point of view (this is my personal opinion), my recommendation would be to enable each of these policies to prevent users from installing applications that are not in the Windows Store as well as to prevent users from bypassing SmartScreen Warnings. These settings may vary based on your organization and technical governance. There is always a balance between too much technical control in the name of security and a negative impact to business productivity, so be sure to discuss these settings with your organization.

    There are several settings to review in this area, which I have highlighted below. When you open each item, there is a detailed description of what each setting does.

  • Prevent bypassing SmartScreen Filter warnings: Enabled
  • Prevent managing the phishing filter: Enabled
  • Prevent managing SmartScreen filter: Enabled

  5. Configure Microsoft Edge settings for Windows Defender SmartScreen:

Similar to the settings for Internet Explorer, there are several areas for the Microsoft Edge policy to configure.

  • Configure Windows Defender SmartScreen: Enabled
  • Prevent bypassing Windows Defender SmartScreen prompts for sites: Enabled

For the same reasons above, I have enabled these policies to help protect an organization from users who may unknowingly click on malicious sites. Again, please evaluate these settings for proper usage in your organization.

6.  With the policies defined, I am ready to assign the GPO to one or more pilot users. Before we assign the policy, let’s first verify that the user is able to disable SmartScreen in Microsoft Internet Explorer and Microsoft Edge with the steps below.

  Microsoft Internet Explorer

  • Open Internet Explorer and click on the Gear icon as highlighted below
  • Click Safety
  • Notice the option to Turn off Windows Defender SmartScreen is available to the user.

Microsoft Edge

  • Click on the menu option in the browser (…)
  • Click on Settings
  • Under Advanced Settings, click on View Advanced Settings

 

At the bottom of the screen, verify the option Help protect me from malicious sites and downloads with Windows Defender SmartScreen is not disabled/greyed-out.

7.  In the new SmartScreen Settings GPO, I created an Active Directory Users Group called SmartScreenPilot and added a test user to it. From there, I defined the group in the Security Filtering area and added the target computer account as well.

8. To force the new GPO to apply, I opened a Command Prompt and ran the command gpupdate /force.

9. Verify the policy is now in place for Microsoft Internet Explorer and Microsoft Edge with the steps below.

Microsoft Internet Explorer

  • Open Internet Explorer and click on the Gear icon as highlighted below
  • Click on Safety
  • Notice the option to Turn off Windows Defender SmartScreen is now disabled/greyed-out

Microsoft Edge

  • Click on the menu option in the browser (…)
  • Click on Settings
  • Under Advanced Settings, click on View Advanced Settings
  • At the bottom of the screen, verify the option Help protect me from malicious sites and downloads with Windows Defender SmartScreen is now disabled/greyed-out

10.  To verify the settings are working:

Windows Defender Browser Protection Extension for Google Chrome

This extension enables you to use the intelligent SmartScreen capabilities found in the Microsoft Edge and Internet Explorer browsers on Google Chrome as an extension called Windows Defender Browser Protection. Remember the breadth of the Microsoft Security Story and the vast array of intelligence analyzed for malicious behavior that is then used to protect all of us. This same protection now extends into the Chrome browser and in turn, helps to protect your organization.

Note: In the Internet Explorer and Edge browsers there are controls in place to prevent users from disabling SmartScreen. While this protection can be deployed to Google Chrome in the Windows Defender Browser Protection extension, there is no capability to prevent users from disabling it or removing it. In my view, I’d rather have the ability to provide further default protection in the Chrome browser than not, even if a user could disable it at a later time.

This extension can be installed using two methods:

1.  The first is to open the Chrome web store and search for Windows Defender Browser Protection extension. From there, you can install the extension. The extension can be found in this site with additional information to review. This is useful for testing or single instance installations. I have included installation instructions below.

2.  The second option is to deploy this extension remotely to a large group of users. While I have already outlined information above for how to deploy settings using a GPO, I have provided information in the next section about how to install this plug-in remotely to all users in your organization. Installation instructions are below.

Installing Windows Defender Browser Protection for Google Chrome for a Single User

  1. In the Chrome Web Store search area, enter Microsoft Defender Browser.

  2. Click the button to Add to Chrome

  3. Click the option to Add Extension

  4. When complete, you will receive a notification of successful installation. To verify the extension has been added and is enabled, click on the extension in the upper right screen and verify settings.

 

Installing Windows Defender Browser Protection for Google Chrome Across an Organization Using a GPO

Many organizations allow their users to select from a variety of Internet browsers they feel are safe for the environment and compatible with most sites (lowering help desk requests). As described above, SmartScreen is a feature that draws on the large breadth of cyber intelligence Microsoft analyzes to provide safer environments for customers. The recent addition of SmartScreen capabilities as an extension in the Chrome browser extends that protection. Below are instructions about how to locate and install the new extension to protect Chrome.

Part I: Locate the Chrome Plug-In Extension Unique Identifier

  1. From within Chrome, let’s go back to the Chrome Web Store by clicking on this link:

    https://chrome.google.com/webstore/category/extensions?hl=en

  2. In the Chrome Web Store search area, search for Microsoft Defender Browser.
  3. When found, click on the name of the Extension to view the details. With the details of the extension displayed, the end of the URL has a Unique ID we need (highlighted below). For this version it is bkbeeeffjjeopflfhgeknacdieedcoml. Copy this area of the link (highlighted below) and paste it into a Notepad file to use later.

  4. We now need to locate the URL used for the extension to download from. On the computer with Chrome now installed, open the directory below. Several of these folders are hidden, so make sure you have enabled the option to View Hidden Folders in Windows Explorer. Note the Username will change according to the user you are logged in as. Also note that the version number below (1.63_0) may change over time (this was current as of July 2018).

    C:\Users\kmartins\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkbeeeffjjeopflfhgeknacdieedcoml\1.63_0

  5. Within the directory above, locate the file named manifest.json. Open it in Notepad or another text editor.

  6. Copy the value entered for update_url, which (for this extension) most likely will be https://clients2.google.com/service/update2/crx. Again, be aware that this URL may change over time.

  7. Paste the extension unique identifier copied earlier in step three into a new Notepad file. Add a semi-colon (;) to the end of it. Then, paste the URL you copied from the manifest.json file in step six behind the semi-colon. There are no spaces needed anywhere in this line when complete.

    My completed string is: bkbeeeffjjeopflfhgeknacdieedcoml;https://clients2.google.com/service/update2/crx

  8. With the string completed, we will now add this to the GPO for deployment to all users. I highly recommend you perform this action in a lab first, followed by a group of pilot users and computers.
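
The string assembled in steps 3 to 7 can also be derived from the installed extension folder. The PowerShell below is an added example, not part of the original post: the function name Get-ForceInstallEntry and the temporary sample folder are constructed for illustration, and the checks assume a Chrome extension ID is 32 letters in the range a-p and that the update URL should be https.

```powershell
# Added example: build the "<id>;<update_url>" entry from an extension's
# version folder (...\Extensions\<id>\<version>) and validate both halves.
function Get-ForceInstallEntry {
    param(
        [Parameter(Mandatory)] [string] $VersionPath
    )
    $manifestFile = Join-Path $VersionPath 'manifest.json'
    if (-not (Test-Path -LiteralPath $manifestFile)) {
        throw "manifest.json not found under $VersionPath"
    }

    # The extension ID is the name of the folder that contains the version folder.
    $id = Split-Path (Split-Path $VersionPath -Parent) -Leaf
    if ($id -cnotmatch '^[a-p]{32}$') {
        throw "'$id' is not a valid Chrome extension ID (32 letters a-p)"
    }

    $manifest = Get-Content -LiteralPath $manifestFile -Raw | ConvertFrom-Json
    $url = $manifest.update_url
    if ([string]::IsNullOrWhiteSpace($url)) {
        throw 'manifest.json has no update_url value'
    }

    # Refuse anything that is not an absolute https URL before it goes into a GPO.
    $uri = [uri]$url.Trim()
    if (-not $uri.IsAbsoluteUri -or $uri.Scheme -ne 'https') {
        throw "update_url '$url' is not an absolute https URL"
    }

    # No spaces anywhere in the finished line, as step 7 requires.
    "$id;$($uri.AbsoluteUri)"
}

# Constructed sample layout that mirrors the folder from step 4
# (a temporary folder, not a real Chrome profile).
$id   = 'bkbeeeffjjeopflfhgeknacdieedcoml'
$root = Join-Path ([IO.Path]::GetTempPath()) "ExtDemo\$id\1.63_0"
New-Item -ItemType Directory -Path $root -Force | Out-Null
'{ "name": "demo", "version": "1.63", "update_url": "https://clients2.google.com/service/update2/crx" }' |
    Set-Content -LiteralPath (Join-Path $root 'manifest.json')

Get-ForceInstallEntry -VersionPath $root
```

To use it against a real profile, pass the version folder from step 4 as -VersionPath.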

Part II: Install Google Chrome Group Policy Templates

    1. Download the ZIP file of Google Chrome policy templates and documents from the site below:

      https://dl.google.com/dl/edgedl/chrome/policy/policy_templates.zip

    2. Within the ZIP file, locate the chrome.ADMX file.

    3. Copy the chrome.admx file to the central store in this directory:

      %logonserver%\sysvol\yourdomainname\Policies\PolicyDefinitions

    4. Back in the Chrome GPO Template ZIP file you downloaded earlier, locate the language folders you will need for your environment under the ADMX folder. Copy these folders into the PolicyDefinitions folder as well. In my example below, I am only copying the EN-US folder from the ZIP download and chrome.admx file to this location.

Part III: Create the Group Policy to Install the Google Chrome Extension for Windows Defender Browser Protection

    1. On an Active Directory Domain Controller in your environment, open the Group Policy Management Console (GPMC). The fastest way to do this is to launch it from a Command Prompt by entering GPMC.msc.
    2. Expand the Group Policy Objects area for your environment
    3. Right click on Group Policy Objects and click New

    4. Name your New GPO (for example, Google Chrome GPO Management)

    5. Right click on the new GPO you just created and select Edit

    6. We want this extension to apply to all users where Google Chrome is installed. In the new GPO, expand Computer Configuration->Policies->Administrative Templates->Google Chrome->Extensions.

    7. Choose the option “Configure the list of force-installed apps and extensions”

    8. Change the option to be Enabled. Then click the Show.. option.

    9. Copy the string you created above in Part I and paste it into the field. Click OK when done.

    10. Verify the configuration option is now Enabled.

    11. You can now close or minimize the Group Policy Management Editor, but keep the Group Policy Console open to apply the policy.
    12. In the Google Chrome Management Group Policy, I created an Active Directory Users Group called ChromeExtensionPilot and added a test user and target computer account to it. From there, I defined the group in the Security Filtering area. This is part of my pilot of the new GPO to deploy these settings on a limited scale first.
    13. To verify this is working correctly, I logged into a domain joined test system as the pilot user. This pilot user was only in the User’s group on the Windows 10 (1803) system, not an administrator. I first logged in as the pilot user to the test Windows 10 system, opened Google Chrome, and verified the extension was not listed.

    14. To force the new GPO to install, I opened a Command Prompt and ran the command gpupdate /force

    15. Within several minutes of issuing the command above, I was able to see the plug-in had installed (see icon in screen capture below). In my testing there was no restart of the Chrome browser needed.

    16. Clicking on the icon now displays the version and additional information. The installation is now successful.
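
The browser checks in step 9 of the Internet Explorer and Edge section and in steps 15 and 16 above can be backed by a look at the policy registry keys on the pilot machine. The PowerShell below is an added example, not part of the original post: the registry value names are the ones these policies are assumed to write (confirm them with gpresult /h on a pilot system), a value of 1 is assumed to mean the setting is on, and the function names are hypothetical.

```powershell
# Added example: report whether the policies from this guide are present in the
# registry after gpupdate /force. Value names are assumptions to confirm locally.
$ie   = 'SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter'
$edge = 'SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter'
$checks = @(
    @{ Policy = 'IE: Prevent bypassing SmartScreen Filter warnings'; SubKey = $ie;   Name = 'PreventOverride' }
    @{ Policy = 'IE: Prevent managing SmartScreen filter';           SubKey = $ie;   Name = 'EnabledV9' }
    @{ Policy = 'Edge: Configure Windows Defender SmartScreen';      SubKey = $edge; Name = 'EnabledV9' }
    @{ Policy = 'Edge: Prevent bypassing SmartScreen prompts';       SubKey = $edge; Name = 'PreventOverride' }
)

function Get-PolicyState {
    param([string]$SubKey, [string]$Name)
    # These policies can be set under Computer or User Configuration, so check both hives.
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $prop = Get-ItemProperty -Path "$hive\$SubKey" -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $prop) {
            $state = if ($prop.$Name -eq 1) { 'Enforced' } else { "Set to $($prop.$Name)" }
            return "$state ($hive)"
        }
    }
    'Not applied'
}

function Test-ChromeForceInstall {
    param([string]$ExtensionId)
    # Part III configures the force-install list under Computer Configuration.
    $key = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
    if (-not (Test-Path -Path $key)) { return $false }
    $regKey = Get-Item -Path $key
    # Each value is named 1, 2, 3... and holds one "<id>;<update_url>" entry.
    foreach ($valueName in $regKey.GetValueNames()) {
        if ("$($regKey.GetValue($valueName))" -like "$ExtensionId;*") { return $true }
    }
    $false
}

$report = @(foreach ($c in $checks) {
    [pscustomobject]@{ Policy = $c.Policy; State = Get-PolicyState -SubKey $c.SubKey -Name $c.Name }
})
$chromeState = if (Test-ChromeForceInstall 'bkbeeeffjjeopflfhgeknacdieedcoml') { 'Enforced (HKLM:)' } else { 'Not applied' }
$report += [pscustomobject]@{ Policy = 'Chrome: Windows Defender Browser Protection force-installed'; State = $chromeState }
$report | Format-Table -AutoSize
```

A row showing "Not applied" on a pilot machine usually means the GPO's Security Filtering or link scope does not yet include that user or computer.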

Conclusion: In this blog about Microsoft SmartScreen we reviewed how this feature helps to further secure an organization from users searching the web on Microsoft Internet Explorer, Microsoft Edge, and Google Chrome. Also provided were steps about how to configure options for policy management and deployment to all three browsers.
