After years of researching and writing about the various past and future challenges of online client security, we've assembled the following "10 Steps to a Safer Internet Experience" that weaves together advice we've covered in detail previously in this chapter, plus some general best practices:
1. Deploy a personal firewall, ideally one that can also manage outbound connection attempts. The updated Windows Firewall in XP SP2 and later is a good option.
2. Keep up-to-date on all relevant software security patches. Windows users should configure Microsoft Automatic Updates to ease the burden of this task.
3. Run anti-virus software that automatically scans your system (particularly incoming mail attachments) and keeps itself updated. We also recommend running the anti-adware/spyware and anti-phishing utilities discussed in this chapter.
4. Configure the Windows "Internet Options" Control Panel (also accessible through IE and Outlook/OE) wisely.
5. Run with least privilege. Never log on as Administrator (or an equivalent highly privileged account) on a system that you will use to browse the Internet or read e-mail. Use reduced-privilege browser options where possible.
6. Administrators of large networks of Windows systems should deploy the above technologies at key network choke points (e.g., network-based firewalls in addition to host-based, anti-virus on mail servers, and so on) to more efficiently protect large numbers of users.
7. Read e-mail in plaintext.
8. Configure office productivity programs as securely as possible; for example, set the Microsoft Office programs to "Very High" macro security under Tools | Macro | Security.
9. Don't be gullible. Approach Internet-borne solicitations and transactions with high skepticism. Don't click links in e-mails from untrusted sources!
10. Keep your computing devices physically secure.
Links to more information about some of these steps can be found in "References and Further Reading" at the end of this chapter. Below, we'll expand a bit on some of the items in this list that we have not discussed yet in this chapter.
Call us old-fashioned, but we think one of the most overlooked aspects of Windows security is Security Zones. OK, maybe you've never heard of Security Zones, or maybe you've never been exposed to how elegantly they can manage the security of your Internet experience, but it's high time you found out.
Essentially, the zone security model allows users to assign varying levels of trust to software behavior within any of four zones: Local Intranet, Trusted Sites, Internet, and Restricted Sites. As we've seen, a fifth zone called the Local Machine Zone (LMZ) exists, but it is not available in the user interface because it is only configurable using special tools or direct tweaks to the Windows Registry.
Sites can be manually added to every zone except the Internet zone. The Internet zone contains all sites not mapped to any other zone, and any site containing a period (.) in its URL. (For example, http://local is part of the Local Intranet zone by default, whereas http://www.microsoft.com is in the Internet zone because it has periods in its name.) When you visit a site within a zone, the specific security settings for that zone apply to your activities on that site. (For example, "Run ActiveX controls" may be allowed.) Therefore, the most important zone to configure is the Internet zone, because it contains all the sites a user is likely to visit by default. Of course, if you manually add sites to any other zone, this rule doesn't apply. Be sure to carefully select trusted and untrusted sites when populating the other zones, if you choose to do so at all. (Typically, other zones will be populated by network administrators for corporate LAN users.)
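The zone-assignment rule just described, encoded as an added example (this is not code from the book): explicit Restricted, Trusted and Intranet lists take precedence, otherwise a hostname containing a period lands in the Internet zone and a single-label name such as http://local in Local Intranet. The `*.domain` wildcard convention and treating `file:` URLs as the Local Machine Zone are assumptions that go slightly beyond the text.

```python
from urllib.parse import urlsplit

# Zone names as they appear in the IE Security tab (LMZ is the hidden fifth zone).
LOCAL_MACHINE = "Local Machine"
LOCAL_INTRANET = "Local Intranet"
TRUSTED_SITES = "Trusted Sites"
INTERNET = "Internet"
RESTRICTED_SITES = "Restricted Sites"


def _host_matches(host, patterns):
    """True if host equals a listed name or falls under a '*.domain' wildcard.

    Assumption: '*.example.com' covers example.com itself and every subdomain.
    """
    for pattern in patterns:
        pattern = pattern.lower()
        if pattern.startswith("*."):
            suffix = pattern[1:]            # ".example.com"
            if host == suffix[1:] or host.endswith(suffix):
                return True
        elif host == pattern:
            return True
    return False


def classify_zone(url, trusted=(), restricted=(), intranet=()):
    """Return the security zone whose settings apply when visiting url.

    Explicit assignments win over the default rule. Restricted Sites is checked
    first so that a name accidentally listed in two zones fails closed.
    """
    parts = urlsplit(url)
    if parts.scheme == "file":
        # Local files belong to the Local Machine Zone (assumption: the chapter
        # only notes that the LMZ exists and is not exposed in the UI).
        return LOCAL_MACHINE
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        raise ValueError("URL has no host: %r" % url)
    if _host_matches(host, restricted):
        return RESTRICTED_SITES
    if _host_matches(host, trusted):
        return TRUSTED_SITES
    if _host_matches(host, intranet):
        return LOCAL_INTRANET
    # Default rule from the chapter: a name containing a period is Internet zone;
    # a single-label name such as http://local is Local Intranet.
    return INTERNET if "." in host else LOCAL_INTRANET
```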
To configure security for the Internet zone, open Tools | Internet Options | Security within IE (or the Internet Options control panel), highlight the Internet zone, click Default Level, and move the slider up to an appropriate point. We recommend setting it to High and then using the Custom Level button to manually go back and disable all other active content, plus a few other usability tweaks, as shown in Table 10-2.
Category | Setting Name | Recommended Setting | Comment
---|---|---|---
ActiveX controls and plug-ins | Script ActiveX controls marked "safe for scripting" | Disable | Client-resident "safe" controls can be exploited.
Cookies | Allow per-session cookies (not stored) | Enable | Less secure but more user friendly.
Downloads | File download | Enable | IE will automatically prompt for download based on the file extension.
Scripting | Active scripting | Enable | Less secure but more user friendly.
Miscellaneous | Allow scripting of Internet Explorer web browser control | Disable | Powerful ActiveX control that should be restricted.
Miscellaneous | Allow META REFRESH | Disable | Can be used to load unexpected pages.
Some of the Internet Zone settings related to ActiveX are shown in Figure 10-4.
The bad news is that disabling, say, ActiveX may result in problems viewing sites that depend on controls for special effects. One solution to this problem is to manually enable ActiveX when visiting a trusted site and then to manually shut it off again. The smarter thing to do is to use the Trusted Sites security zone. Assign a lower level of security (we recommend Medium) to this zone and add trusted sites such as windowsupdate.microsoft.com (where you get your patches) to it. This way, when visiting a site that implements ActiveX (such as Microsoft's Windows Update patching site), the weaker security settings apply, and the site's ActiveX features still work. Similarly, adding auto.search.msn.com to Trusted Sites will support IE's autosearch feature that leads the browser from a typed-in address such as "mp3" to http://www.mp3.com. Aren't security zones convenient?
Caution: Be very careful to assign only highly trusted sites to the Trusted Sites zone, because there will be fewer restrictions on active content downloaded and run by them. Be aware that even respectable-looking sites may have been compromised by malicious hackers or might just have one rogue developer who's out to harvest user data (or worse).
The Restricted Sites zone is the opposite of the Trusted Sites zone: sites viewed in this zone are completely untrustworthy, and thus the security settings for Restricted Sites should be set to the most aggressive possible. In fact, we recommend that the Restricted Sites zone be configured to disable all settings! This means set it to High, then use the Custom Level button to go back and manually disable everything that High leaves open (or set them to "high safety" if Disable is not available).
You won't actually assign sites to the Restricted Sites zone as we recommended with Trusted Sites, but you should use Restricted Sites for performing any high-risk activity, such as reading e-mail (think of Restricted Sites as a "security sandbox"). Fortunately, you can also assign zone-like behavior to Outlook/Outlook Express (OE) for purposes of reading mail securely. With Outlook/OE, you select which zone you want to apply to content displayed in the mail reader: either the Internet zone or the Restricted Sites zone. Of course, we recommend setting it to a completely locked-down Restricted Sites zone (this has been the default in Outlook and OE since roughly 2000). Figure 10-5 shows how to configure Outlook for Restricted Sites.
As with IE, the same drawbacks exist to setting Outlook to the most restrictive level. However, active content is more of an annoyance when it comes in the form of an e-mail message, and the dangers of interpreting it far outweigh the aesthetic benefits.
Prior to Windows XP SP2, the only supported mechanisms for managing Security Zone settings across large numbers of machines were the Internet Explorer user interface and the Internet Explorer Administration Kit (IEAK). With XP SP2, Security Zone settings are managed using the Group Policy Management Console and, if set, can only be changed by a Group Policy object (GPO) or by an administrator. Of course, Group Policy requires Windows Server Active Directory, so this is not a truly lightweight management option, but we think it's important to highlight for administrators of large numbers of Windows systems.
Firefox users don't have the equivalent of IE's centralized zone configuration interface. The closest equivalent (as of Firefox version 1.5) is under Tools | Options | Content. This interface is shown in Figure 10-6.
On this screen, we recommend checking the boxes as shown in Figure 10-6. Further, you should ensure that only trusted sites are listed under "Allowed Sites" for installing software, and that all "Advanced" options for JavaScript are disabled ("Change images" might be OK to leave on).
Because of the potential for abusive manipulation of the user interface via XUL, we recommend disabling certain XUL status elements in Firefox. First, enter about:config in Firefox's address bar; this will display several configuration values. For better XUL security, set the following values to true:
dom.disable_window_open_feature.titlebar
dom.disable_window_open_feature.close
dom.disable_window_open_feature.toolbar
dom.disable_window_open_feature.location
dom.disable_window_open_feature.directories
dom.disable_window_open_feature.personalbar
dom.disable_window_open_feature.menubar
dom.disable_window_open_feature.scrollbars
dom.disable_window_open_feature.resizable
dom.disable_window_open_feature.minimizable
dom.disable_window_open_feature.status
These preferences can also be set via the user.js file.
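As an added example (not from the book), the following script checks an existing prefs.js or user.js for the eleven dom.disable_window_open_feature preferences listed above and emits the user.js lines needed to bring the profile to the recommended state. The sample prefs.js is constructed for the demonstration; the user_pref() line syntax is the one Firefox itself writes.

```python
import re

# The about:config preferences the chapter says to set to true.
XUL_HARDENING_PREFS = [
    "dom.disable_window_open_feature." + feature
    for feature in ("titlebar", "close", "toolbar", "location", "directories",
                    "personalbar", "menubar", "scrollbars", "resizable",
                    "minimizable", "status")
]

# One user_pref("name", value); line as written in prefs.js / user.js.
_PREF_LINE = re.compile(
    r'^\s*user_pref\("([^"]+)",\s*(true|false|-?\d+|"[^"]*")\);\s*$', re.M)


def parse_prefs(text):
    """Parse user_pref() lines into {name: bool | int | str}; comments are skipped."""
    prefs = {}
    for name, raw in _PREF_LINE.findall(text):
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs


def missing_hardening(prefs):
    """Recommended prefs that are absent or not set to true in this profile."""
    return [p for p in XUL_HARDENING_PREFS if prefs.get(p) is not True]


def user_js_fixes(prefs):
    """user.js lines that bring the profile to the recommended state."""
    return ['user_pref("%s", true);' % p for p in missing_hardening(prefs)]


# Constructed sample prefs.js, not taken from a real profile.
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("dom.disable_window_open_feature.titlebar", true);
user_pref("dom.disable_window_open_feature.close", false);
user_pref("dom.disable_window_open_feature.status", true);
user_pref("network.http.max-connections", 24);
"""

if __name__ == "__main__":
    for line in user_js_fixes(parse_prefs(SAMPLE_PREFS_JS)):
        print(line)
```

Appending the printed lines to the profile's user.js applies them at the next Firefox start.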
It's slowly dawning on the dominant browser vendors that perhaps the web browser wields too much power in many scenarios, and they've recently started taking steps to limit the privileges of their software to protect against the inevitable 0-day exploit.
Firefox's Safe Mode is positioned as a stripped-down mode used for troubleshooting or debugging. The stripped-down functionality offered by Safe Mode also lowers the attack surface of the product, though, since potentially vulnerable extensions and themes are disabled.
Starting Firefox in Safe Mode can be done by running the Firefox executable with the "safe-mode" parameter. For example, on Windows, you would click Start | Run, and then type the following:
"C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode
The standard Firefox installer also creates a Windows shortcut icon that automates this into one-click simplicity.
Caution: When launching Firefox in Safe Mode, you should make sure Firefox or Thunderbird is not running in the background. Firefox 1.5 and later pops up a window confirming that you're running in Safe Mode, so you can be sure.
On Windows Server 2003, Microsoft's default deployment of IE runs in Enhanced Security Configuration (ESC). This is an extremely restricted configuration that requires interactive user validation to visit just about any site. Effectively, the user must manually add every site requiring even moderate active functionality to the Trusted Sites Zone. While this user experience is probably unacceptable for casual web browsing, it's something we highly advise for servers, where activities like web and e-mail browsing should be forbidden by policy. See "References and Further Reading" for more about ESC, including how to enforce it using Group Policy.
Protected Mode IE (PMIE, formerly Low-Rights IE, LRIE) is an IE7 feature that leverages the Windows Vista "User Account Control" (UAC) infrastructure to limit IE's default privileges. (UAC was formerly called Least-Privilege User Account, or LUA.) PMIE uses the Mandatory Integrity Control (MIC) feature of UAC so that it cannot write to higher-integrity objects. Effectively, this means that PMIE can only write to the Temporary Internet Files (TIF) and Cookies folders for a given user. It cannot write to other folders (like %userprofile% or %systemroot%), sensitive Registry hives (like HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER), or even other processes of higher integrity. PMIE thus provides a nice sandbox for browsing untrusted resources. By default in Vista, PMIE is configured for browsing sites in the Internet, Restricted, and Local Machine Zones. At the time of this writing, Microsoft did not plan to ship PMIE to pre-Vista Windows versions like XP SP2, since it requires the UAC infrastructure of Vista.
Last but not least, web application developers and administrators should not forget their obligations to help promote client security. As we've seen throughout this book, web attacks are increasingly targeting vulnerabilities that exist on the server, but impact the client most directly. Some great examples of this include cross-site scripting (XSS) and HTTP Response Splitting, which are discussed in Chapters 6 and 12. Server-side input validation techniques like those discussed in Chapters 6 and 12 should be employed.
Sites should also provide clear and easily accessible policy and educational resources to their users to combat social engineering attacks like phishing. Technical enforcement of such policies is of course also highly recommended (we discussed some server-side authentication technologies like CAPTCHA and Passmark that are being used to mitigate against phishing in Chapter 4).
Finally, web application developers and administrators should carefully consider the type of information that should be gathered from users. It's become quite trendy to "own the customer relationship" nowadays, and this has resulted in a proliferation of marketing efforts to gather and warehouse as much information as possible about online consumers. One particularly noxious practice is the use of personally identifiable information (PII) as "secrets" to protect online identity (in the age of Google, consider how "secret" such information really is). Business will be business, of course, but in our consulting experience, we've found that not all of this information is really useful to the bottom line (marketers basically just want age, gender, and ZIP code). And it can become a serious business liability if breached via a security vulnerability. If you never collect sensitive data in the first place, you don't bear the burden of protecting it!