General Countermeasures

Configuring the Internet Zone

To configure security for the Internet zone, open Tools Internet Options Security within IE (or the Internet Options control panel), highlight the Internet zone, click Default Level, and move the slider up to an appropriate point. We recommend setting it to High and then using the Custom Level button to manually go back and disable all other active content, plus a few other usability tweaks, as shown in Table 10-2.

Some of the Internet Zone settings related to ActiveX are shown in Figure 10-4.

Achieving Compatibility with Trusted Sites

The bad news is that disabling, say, ActiveX may result in problems viewing sites that depend on controls for special effects. One solution to this problem is to manually enable ActiveX when visiting a trusted site and then to manually shut it off again. The smarter thing to do is to use the Trusted Sites security zone. Assign a lower level of security (we recommend Medium) to this zone and add trusted sites such as windowsupdate.microsoft.com (where you get your patches) to it. This way, when visiting a site that implements ActiveX (such as Microsoft's Windows Update patching site), the weaker security settings apply, and the site's ActiveX features still work. Similarly, adding auto.search.msn.com to Trusted Sites will support IE's autosearch feature that leads the browser from a typed-in address such as "mp3" to http://www.mp3.com. Aren't security zones convenient ?

Use Locked-down Restricted Sites for Reading E-mail

The Restricted Sites zone is the opposite of the Trusted Sites zonesites viewed in this zone are completely untrustworthy and thus the security settings for Restricted Site should be set to the most aggressive possible. In fact, we recommend that the Restricted Sites zone be configured to disable all settings! This means set it to High, then use the Custom Level button to go back and manually disable everything that High leaves open (or set them to "high safety" if Disable is not available).

You won't actually assign sites to the Restricted Sites zone as we recommended with Trusted Sites, but you should use Restricted Sites for performing any high-risk activity, such as reading e-mail (think of Restricted Sites like a "security sandbox"). Fortunately, you can also assign zone-like behavior to Outlook/Outlook Express (OE) for purposes of reading mail securely. With Outlook/OE, you select which zone you want to apply to content displayed in the mail readereither the Internet zone or the Restricted Sites zone. Of course, we recommend setting it to a completely locked-down Restricted Sites (this has been the default in Outlook and OE since roughly 2000). Figure 10-5 shows how to configure Outlook for Restricted Sites.

As with IE, the same drawbacks exist to setting Outlook to the most restrictive level. However, active content is more of an annoyance when it comes in the form of an e-mail message, and the dangers of interpreting it far outweigh the aesthetic benefits.

Managing Security Zones at Scale

Prior to Windows XP SP2, the only supported mechanisms for managing Security Zone settings across large numbers of machines was via the Internet Explorer user interface, or via the Internet Explorer Administration Kit (IEAK). With XP SP2, Security Zone settings are managed using the Group Policy Management Console and, if set, can only be changed by a Group Policy object (GPO) or by an administrator. Of course, Group Policy requires Windows Server Active Directory, so this is not a truly lightweight management option, but we think it's important to highlight for administrators of large numbers of Windows systems.

Disable XUL Status Elements

Because of the potential for abusive manipulation of user interface via XUL, we recommend disabling certain XUL status elements in Firefox. First, enter about:config in Firefox's address bar; this will display several configuration values. For better XUL security, set the following values to true:

• dom.disable_window_open_feature.titlebar

• dom.disable_window_open_feature.close

• dom.disable_window_open_feature.toolbar

• dom.disable_window_open_feature.location

• dom.disable_window_open_feature.directories

• dom.disable_window_open_feature.personalbar

• dom.disable_window_open_feature.menubar

• dom.disable_window_open_feature.scrollbars

• dom.disable_window_open_feature.resizable

• dom.disable_window_open_feature.minimizable

• dom.disable_window_open_feature.status

These preferences can also be set via the user.js file.

Firefox Safe Mode

Firefox's Safe Mode is positioned as a stripped-down mode used for troubleshooting or debugging. The stripped-down functionality offered by Safe Mode also lowers the attack surface of the product, though, since potentially vulnerable extensions and themes are disabled.

Starting Firefox in Safe Mode can be done by running the Firefox executable with the "safe-mode" parameter. For example, on Windows, you would click Start Run, and then type the following:

 "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode 

The standard Firefox installer also creates a Windows shortcut icon that automates this into one-click simplicity.

ESC and Protected Mode IE

On Windows Server 2003, Microsoft's default deployment of IE runs in Enhanced Security Configuration (ESC). This is an extremely restricted configuration that requires interactive user validation to visit just about any site. Effectively, the user must manually add every site requiring even moderate active functionality to the Trusted Sites Zone. While this user experience is probably unacceptable for casual web browsing, it's something we highly advise for servers, where activities like web and e-mail browsing should be forbidden by policy. See "References and Further Reading" for more about ESC, including how to enforce it using Group Policy.

Protected Mode IE (PMIE, formerly Low-Rights IE, LRIE) is an IE7 feature that leverages the Windows Vista "User Account Control" (UAC) infrastructure to limit IE's default privileges. (UAC was formerly called Least-Privilege User Account, or LUA). PMIE uses the Mandatory Integrity Control (MIC) feature of UAC so that it cannot write to higher integrity objects. Effectively, this means that PMIE can only write to the Temporary Internet Files (TIF) and Cookies folders for a given user. It cannot write to other folders (like %userprofile% or %systemroot%), sensitive Registry hives (like HKEY Local Machine or HKEY Current User), or even other processes of higher integrity. PMIE thus provides a nice sandbox for browsing untrusted resources. By default in Vista, PMIE is configured for browsing sites in the Internet, Restricted, and Local Machine Zones. At the time of this writing, Microsoft did not plan to ship PMIE to pre-Vista Windows versions like XP SP2, since it requires the UAC infrastructure of Vista.