Study Guide · A+ Core 2 · CompTIA 220-1202 V15

What each objective is asking you to know

Plain-English reference for every CompTIA A+ Core 2 V15 objective. Each entry covers what the exam tests, key facts, and how the concept connects to neighboring objectives. Pair with Quiz and Flashcards to lock it in.

Objective C2-2.11

Objective 2.11: Given a scenario, configure relevant security settings in a browser

  • Cert: CompTIA A+ Core 2 (220-1202) V15
  • Domain: 2.0 Security
  • Weight: Part of the 28% Security domain
  • Depth: Given a scenario, configure. The candidate must apply browser security settings including download verification, patching, extension management, password tools, secure connections, privacy features, and feature management.

What this objective tests

You should know how to harden browsers (Chrome, Edge, Firefox, Safari) for business use: trusted-source download discipline, patch management, extension governance, password handling, certificate verification, privacy settings, ad/script blocking, secure DNS, and browser feature toggles.

Key facts

Browser download / installation from trusted sources:

  • Download installers only from the official vendor site or a trusted distribution channel.
  • Avoid third-party download portals (cnet.com style); they sometimes bundle PUPs or modified installers.

Hashing (verifying downloads):

  • Vendors publish SHA-256 (or similar) hashes for installer files.
  • Compute the hash of your downloaded file and compare. Match = integrity verified.
  • Use Get-FileHash file.exe -Algorithm SHA256 in PowerShell or shasum -a 256 file on macOS/Linux.
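A worked version of the compute-and-compare step, added here as an example (not part of the original guide). It accepts the vendor's hash in either case, because Get-FileHash prints uppercase while shasum prints lowercase, and it rejects truncated or mistyped values before comparing. The function names and the "abc" demo file are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify a download against a vendor-published SHA-256.

# Print the lowercase SHA-256 of a file with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 < "$1" | awk '{print $1}'
    else
        return 3
    fi
}

# Strip whitespace picked up by copy/paste and fold hex digits to lowercase.
normalize_hash() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'A-F' 'a-f'
}

# verify_download FILE EXPECTED_SHA256
# Returns 0 = match, 1 = mismatch, 2 = bad input, 3 = no hashing tool found.
verify_download() {
    file=$1
    expected=$(normalize_hash "$2")
    [ -r "$file" ] || { echo "cannot read: $file" >&2; return 2; }
    # A SHA-256 value is exactly 64 hex digits; anything else is a paste error.
    case $expected in
        *[!0-9a-f]*) echo "expected value is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected value is not 64 hex digits" >&2; return 2; }
    actual=$(sha256_of "$file") || return 3
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published SHA-256"
        return 0
    fi
    echo "MISMATCH: $file (do not run it)" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Constructed demo: a temp file holding "abc" stands in for the installer,
# and the published hash is given in uppercase, as Get-FileHash would print it.
demo=$(mktemp) && printf 'abc' > "$demo"
verify_download "$demo" "BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD"
rm -f "$demo"
```

A non-zero return means the file should not be run: 1 is a real mismatch, while 2 means the comparison never happened because the expected value was malformed.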

Untrusted sources:

  • Sites offering installers with no digital signature, a mismatched hash, or no vendor reputation.
  • Treat installers from untrusted sources as suspect; scan in a sandbox before using.

Browser patching:

  • Browsers patch frequently (every 2-4 weeks for major browsers) because they're a primary attack surface.
  • Modern browsers auto-update by default. Verify auto-update is on.
  • Enterprise: deploy browsers via Intune/SCCM/Group Policy with managed update channels (Edge Stable, Chrome Stable).

Extensions and plug-ins from trusted sources:

  • Browser extensions have wide access. Install only from the official store (Chrome Web Store, Edge Add-ons, Firefox Add-ons).
  • Review extension permissions before installing.

Extensions and plug-ins from untrusted sources:

  • Manually-loaded extensions (developer mode) can ship anything.
  • Enterprise: block sideloaded extensions via Group Policy / Intune.

Password managers (browser-integrated):

  • Modern browsers offer built-in password managers (Chrome, Edge, Safari, Firefox).
  • Dedicated managers (1Password, Bitwarden) are usually better: cross-browser, cross-device, more features, often more secure.
  • The principle: any password manager beats users reusing weak passwords.

Secure connections / valid certificates (HTTPS):

  • HTTPS encrypts traffic and verifies the site identity via TLS certificate.
  • Browser shows a padlock when the cert is valid; warning when not.
  • Don't bypass certificate warnings; understand why the warning appeared (expired cert, wrong hostname, untrusted CA).

Pop-up blocker:

  • Built-in browser feature. Blocks unsolicited pop-up windows.
  • On by default in modern browsers. Per-site exceptions for legitimate apps that use pop-ups (banking, some SaaS).

Clearing browsing data:

  • Delete history, cookies, cached files, saved passwords, autofill data.
  • Useful for troubleshooting (stale cache), privacy (shared computer), or after suspected compromise.

Clearing cache:

  • Removes stored copies of web resources. Solves "I see the old version" issues. First step in many web-page-not-loading-correctly scenarios.

Private-browsing mode (Incognito):

  • Browser session that doesn't save history, cookies, or autofill data.
  • Doesn't make you anonymous to the network or to the sites you visit. Just doesn't keep local records.
  • Useful for sign-in to a second account or to test what an anonymous visitor sees.

Sign-in / browser data synchronization:

  • Sign in to the browser with a Google account, Microsoft account, or Firefox account.
  • Syncs bookmarks, history, passwords, extensions across devices.
  • Convenience vs security tradeoff: sync extends compromise surface; protect the account with MFA.

Ad blockers:

  • Block ads at the browser level. uBlock Origin, AdBlock, browser-built-in (Brave, Edge tracker prevention).
  • Side benefit: blocks malvertising (malicious ads).

Proxy (browser):

  • Route browser traffic through a proxy server. Configured in OS network settings (Windows) or browser settings (Firefox).
  • Used for corporate web filtering, regional access, debugging.

Secure DNS (DoH / DoT):

  • DNS over HTTPS (DoH) or DNS over TLS (DoT) encrypts DNS queries to prevent eavesdropping.
  • Modern browsers (Chrome, Edge, Firefox) offer built-in DoH with selectable providers (Cloudflare 1.1.1.1, Google 8.8.8.8, Quad9 9.9.9.9, etc.).

Browser feature management (enable / disable plug-ins / extensions / features):

  • Browser settings let admins toggle features per-site or globally: camera, microphone, location, notifications, autoplay, USB devices, MIDI, etc.
  • The browser prompts for per-site permission the first time a site requests a feature; admins can pre-allow or pre-deny via Group Policy.

Common gotchas

  • Installer downloaded from "download portal." Bundled with PUPs or modified payloads. Use the vendor's official site.
  • "Just click through the certificate warning." Don't. Understand why it appeared. If a corporate certificate decryption proxy is intercepting traffic, the warning is expected; otherwise, abort.
  • Extension permissions over-broad. A weather extension that asks for "read all your data on every site" is too much. Skip it.
  • Browser sync without MFA on the account. Account compromise = all your saved passwords compromised.
  • Saved passwords in browser-built-in manager exported to a phishing form. Browser autofill on a lookalike domain can leak credentials. URL-pinned password managers (Bitwarden, 1Password) only autofill on the right domain.
  • Private browsing assumed anonymous. Network, ISP, and visited sites still see traffic. Use Tor or a trusted VPN for actual anonymity (with caveats).
  • DoH bypasses corporate DNS filtering. Some orgs disable browser DoH to enforce DNS-level content filtering.

Real-world context

Browser hardening for a business workstation:

  1. Standardize on one or two browsers (e.g., Edge + Chrome). Avoid letting users install random browsers.
  2. Auto-update on for the browser engine.
  3. Approved extensions only; enforce via Group Policy / Intune.
  4. Block sideloaded extensions.
  5. Enterprise password manager (1Password Business, Bitwarden Teams) instead of browser-built-in for primary password storage.
  6. Browser sync allowed only with corporate identity + MFA.
  7. Secure DNS configured to corporate DoH endpoint or company DNS for filtering compatibility.
  8. Disable autofill of payment cards (or restrict to approved cards) for high-security roles.

Troubleshooting common browser issues:

  • "Site won't load correctly after a recent change." Clear cache and cookies for that site.
  • "Browser is slow / showing odd ads." Check extensions; disable suspicious ones. Clear cache.
  • "Certificate warning." Inspect the cert. Most often a corporate proxy decrypting; sometimes a phishing site.
  • "Password autofill not working." Check that the password is saved for the right URL; some sites change auth domain mid-flow.
