Internet Explorer Defenses


IE is a complex piece of popular software. Hackers are never going to stop attacking it, and it is unlikely to suddenly become unexploitable. Odds are that IE will always remain one of the most exposed and attacked pieces of software in Microsoft's platform. Still, running IE does not guarantee a successful attack. Following are the many defenses you can take to prevent IE exploitation, ordered from most useful to least.

Don't Browse Untrusted Web Sites

The number one way to prevent malicious exploitation is to not visit unknown and untrusted web sites. Don't click on "weird" links sent to you in e-mail. Look out for strange-looking phishing URLs, like those listed in Tables 10-2 and 10-3. Too many encoded characters or sound-alike names and URLs should set off warning bells. Any company asking for your financial information unexpectedly is probably a fraud. Verify your SSL links by scrutinizing the accompanying digital certificate. Make sure all the information is valid and points to the correct web site. IE 7.x, with its anti-phishing filter, is making great strides in preventing users from visiting fraudulent web sites. But fake web sites can be made in seconds and more than likely can stay well ahead of IE's real-time checking behavior.

If you just have to visit an untrusted web site, consider running the IE session in a virtual environment such as Microsoft's Virtual PC or VMware Workstation. That way, if anything ugly happens, you can reset the session and minimize the potential risk to the real underlying OS. Microsoft has already released the Shared Computer Toolkit for Windows XP (www.microsoft.com/windowsxp/sharedaccess/overview.mspx), which, among other features, prevents permanent changes (i.e., those made by malware) from being saved between reboots. Also, consider using a less functional alternate browser, or one that has been set to run no active content at all (e.g., Lynx), when visiting untrusted web sites.

Many people run less-functional browsers all the time in the hope that it will prevent malicious exploitation. While it may minimize the risk, at the expense of functionality, IE's code cannot be removed from Windows. Even when you run an alternate browser, it is very possible for a malicious program to call IE's code (e.g., via e-mail or an embedded link in Microsoft Office, etc.). Even if IE isn't your main browser, be sure to install all patches and updates. Not doing so, even if you don't use it, will increase exposure risk.

Don't Let Non-Admin Users Be Logged in as Administrators

Most IE malware will fail to work if the logged-in user is not an administrator. Several exploit types, such as buffer overflows, can still happen, but the vast majority of popular malware (i.e., spyware, adware, etc.) will fail to work if the user is not an administrator. Windows Vista's Protected Mode will run IE in a restricted user mode (with even fewer rights than a normal user) by default. The Microsoft Shared Computer Toolkit for Windows XP previously mentioned can also force IE to run in a restricted user's mode. You can also use Software Restriction Policies and the Basic User security identity (as shown in Chapter 9) to run any IE version on XP Pro and later in a restricted user mode.

Use IE 6 XP SP2 or IE 7

Microsoft's latest browsers are their most secure to date. All Windows workstations should be running the latest version of IE possible. Fully patched versions of Windows 98 and later (including Windows NT 4.0) can run IE 6.x SP1. Windows XP Pro SP2 and later can run IE 6.x SP2 or IE 7.x. There is no excuse for running an earlier browser version unless you are running Windows 95, Windows 3.x, or Windows NT 3.x. Many resources suggest using a non-Microsoft browser, but as Table 10-1 showed, you lose functionality and end up having to patch the other browsers just as much as they become popular.

Keep IE Patches Updated

Once you are running IE 6.x or 7.x, keep on top of the patches. Patch any critical vulnerabilities as soon as you can after testing. These days, many IE exploits are getting released within three days of patch announcement. In the past you could afford to wait a few weeks. No longer. Immediate testing and deployment of critical patches should be a priority of any organization.

Customize Default Internet Explorer Security Zones

The default settings in IE's five security zones are often set at the right usability/security level for most users. However, administrators and users concerned with security are usually extremely, and rightly, paranoid about malware. Understanding each of the security settings in IE, and setting them to an acceptable level, can make surfing the Internet more enjoyable and secure. There are two major sets of security settings: those that can be set in each security zone and those available under the Advanced tab (both are available under Tools → Internet Options). The Advanced options apply to all security zones.

Many of the setting options are Enable, Disable, or Prompt. Enable means the corresponding action described will occur without needing approval from the user. Disable means the action will be declined without user interaction. Prompt means the user will be prompted to approve or reject the action.

Let's start with the zone settings first. I'll discuss each feature, describe the potential vulnerability, give the default settings in each zone, and finish with my default recommendations for the Internet zone. A table will summarize the defaults and recommendations after the larger discussions.

Note 

The security settings discussed here are the ones available in IE 7 beta 1. Not all settings are available in all IE versions. The settings new in IE 7 will be noted.

.NET Framework-Reliant Components - Run Components not Signed with Authenticode

The .NET Framework is Microsoft's new client-server programming environment (loosely comparable to Java's virtual machine environment). Although .NET is not a dominant form of programming across the Windows platform at the time of this writing, it is expected to become dominant over the next few years. Code is signed to prove authorship. Authenticode is Microsoft's digital signing mechanism for authenticating code, scripts, and ActiveX controls. Any software publisher (i.e., vendor) can purchase an Authenticode digital certificate for code signing.

Running an unsigned component means that you cannot automatically authenticate who created and initially distributed the component (i.e., it is untrusted). Microsoft allows unsigned components to run automatically in all zones but the Restricted zone. I believe Microsoft was too lax on this setting. It should be set to disabled in Internet and Restricted sites zones.

Note 

This option and the next may not be available unless you have also installed the .NET Framework client software.

.NET Framework-Reliant Components - Run Components Signed with Authenticode

Signed code is rarely a problem. Signed code can contain bugs and viruses (hopefully, both unknown to the signer at the time the code was signed), but it is rarely malicious. If you trust signed code to be non-malicious, you can allow it to run automatically. There have been some instances where spyware and adware companies used signed code to distribute their largely unwanted software. Microsoft enables this in all zones but the Restricted zone. Because of the spyware and adware issues, I suggest this setting be set to Prompt in the Internet zone.

ActiveX Controls and Plug-Ins - Automatic Prompting for ActiveX Controls

ActiveX controls can be virtually any content, executable, or script delivered over a network through IE. Java applets are even delivered as ActiveX controls, in most cases. Windows uses dozens to hundreds of ActiveX controls. Most aren't needed in IE, and one of the big changes in IE 7.x is to not allow any ActiveX control to run in IE by default, except those expressly authorized by the user or admin. This is the opposite of the behavior in IE 6.x and earlier.

This particular setting determines whether or not the user will be prompted (see Figure 10-7) by a popup dialog box to install an ActiveX control or plug-in. If disabled, the web site will attempt to download and execute the content, but IE will not prompt the user with a dialog box. Instead (when IE 6.x XP SP2 or later is installed), the user will be warned on the yellow information bar about an ActiveX control needing to be installed. The information bar warning is less obvious than a pop-up dialog box in the middle of the browser window.

Figure 10-7

Microsoft enables this option in the Local Intranet and Trusted sites zones and disables it in the rest. Configuring this setting is up to the user, although I always like to be prompted in an obvious manner for any ActiveX controls that are trying to be installed. Otherwise, a web site feature may fail and it might not be readily apparent what is wrong.

ActiveX Controls and Plug-Ins - Binary and Script Behaviors

Binary behaviors (http://msdn.microsoft.com/workshop/browser/behaviors/howto/creating.asp) were introduced in IE 5.5 and allow binary programs to be linked to and control HTML content. A binary behavior is a compiled object that can interact directly with the underlying OS. Its code cannot be read or examined using normal view source commands. They can be used to do many malicious things from a web page. Prior to Windows XP SP2 and Windows Server 2003 SP1 (where this setting first arrived), there was no way to prevent a binary behavior in any IE security zone, including sites residing in the Restricted sites zone. Now, by default, binary behaviors are disabled in the Restricted sites zone but allowed in the rest. I think binary behaviors are too powerful to allow from any Internet site. Accordingly, this option should be set to Disabled (or administrator approved).

ActiveX Controls and Plug-Ins - Download Signed ActiveX Controls

Signed ActiveX controls usually present little risk unless signed by a spyware or adware vendor. Microsoft prompts the user to approve these on Internet sites and Local Intranet sites zones, enables them on Trusted sites, and disables them for web sites residing in the Restricted sites zone. These defaults are acceptable.

ActiveX Controls and Plug-Ins - Download Unsigned ActiveX Controls

Unsigned ActiveX controls are highly risky and should usually be disabled, or set to Prompt if you expect to come in contact with unsigned controls you need. Microsoft disables them in all zones except Trusted sites, where the option is set to Prompt. The default settings are good.

ActiveX Controls and Plug-Ins - Initialize and Script ActiveX Controls not Marked as Safe

Once an ActiveX control or plug-in (plug-ins are usually ActiveX controls) is downloaded (the options being decided in the two previous paragraphs), there is still the matter of whether to execute them. Vendors can mark their ActiveX controls as Safe for Initialization and Safe for Scripting. The first option determines whether the control can be initialized (i.e., started and executed). The second option determines whether it can be directed by scripting, which means it could have different outcomes based upon the script. If both options are selected, any web page can invoke them.

The idea is that if the vendor determines the control is safe (i.e., can't be used in a harmful way), why not let other web pages and programmers re-use the control? Unfortunately, there is no official guidance or testing tool that a vendor can run to find out if their "safe" control is really safe. In over a dozen different exploits over the years, a control marked safe for scripting was used to do something malicious. In this particular option, IE is asking whether or not to allow web pages to initialize and script controls that are not marked safe. Considering that controls marked safe for scripting are potentially dangerous, ones that were tested and not found to be safe by their vendors definitely should not be allowed to run. Microsoft disables them in all zones except Trusted sites, where the option is set to Prompt. The default settings are good.

ActiveX Controls and Plug-Ins - Run ActiveX Controls and Plug-Ins

This setting has a huge impact on IE. It determines whether IE can run ActiveX controls and plug-ins at all, regardless of their safety, and regardless of whether they are signed or unsigned. Disabling this feature defeats many, if not most, exploits that have attacked IE over the years. Unfortunately, it is such an all-or-nothing proposition that disabling it causes problems with most complex (i.e., popular) web sites.

Microsoft enables this option by default in all zones but the Restricted sites zone, where it is disabled. This is an acceptable default. However, if you are worried about a widespread, malicious IE vulnerability that can be stopped by disabling this option, consider disabling this option until a patch or other alternative defense can be applied. Alternately, IE can be instructed only to allow administrator-approved controls to run. In order to use this option, you must use group policy, an administrative template, a security template, or the IE Administrator's Kit — and know the control's CLSID.

ActiveX Controls and Plug-Ins - Script ActiveX Controls Marked Safe for Scripting

This setting covers whether controls previously marked "safe" can be scripted (i.e., one-half of the marked safe for scripting and initialization dilemma). This is one of the toughest calls because it has been involved in many vulnerabilities, but to disable it is to cause problems with many legitimate web sites. Microsoft enables it by default in all zones but the Restricted sites zone, where it is disabled. This is an acceptable default. However, if you are worried about a widespread, malicious IE vulnerability that can be stopped by disabling this option, consider disabling this option until a patch or other alternative defense can be applied. Microsoft left this as Enabled in the High template used in Restricted Zones until comparatively recently, perhaps as late as (but not including) Windows XP. Always check this in older versions of Windows, especially after re-installing the OS or IE.

Downloads - Automatic Prompting for File Downloads

This setting determines whether the user will be prompted by a pop-up dialog box for normal file downloads. In most cases, the answer should be yes. It is always nice to know when a web site is trying to download content. If this option is disabled and the next option is enabled, then the user will download and potentially execute files without acknowledgment. That particular situation would be harder to defend. This option should be enabled on all zones. Interestingly, when this setting is disabled, most file downloads still prompt the user before proceeding. Internet Explorer contains the following hard-coded list of file types (by file extension) for which the warning dialog box cannot be disabled:

 ASP, BAS, BAT, CHM (IE5 only), CMD, COM, EXE, LNK, INF, REG, ISP, PCD, MST, PIF, SCR, HLP, HTA (IE5 only), JS, JSE, URL, VBS, VBE, WS, and WSH. 

Downloads - File Download

Disabling this option prevents all file downloads. If the previous option is enabled, it is usually safe to enable this option. Microsoft enables this option in all zones but the Restricted sites zone, where it is disabled. The defaults are acceptable.

Downloads - Font Download

This option determines whether IE HTML fonts, normally needed for the correct presentation of a web page, can be downloaded automatically. It is enabled in all zones by default except the Restricted sites zone, where it is set to Prompt. The default settings are good.

Miscellaneous - Access Data Sources Across Domains

This setting determines whether a web page can retrieve data from another server located in a different domain. If set to disabled, it will only allow data to be retrieved from the same server the originating web page is being served from or from another server in the same domain. A few exploits have been accomplished when this setting is enabled. Most web sites access data on servers in the same domain. If this feature is not needed, keep it disabled. Microsoft disables it in most zones, including the Internet zone, but enables it in the Trusted sites zone and prompts in the Local Intranet zone. The default settings are acceptable in most cases.

Miscellaneous - Allow META REFRESH

A Meta-Refresh is an HTML command that instructs a browser to refresh the current web page after a periodic interval. It can also be used to redirect a user, without their permission, to another web page. It has been used maliciously many times, but as long as other critical vulnerabilities are patched, there is little risk. Legitimate use of Meta-Refreshes is common. Microsoft enables this option in all zones but the Restricted sites zone. The default option is normally okay.

Miscellaneous - Allow Scripting of Internet Explorer Web Browser Control

This is a new option in IE 6.x XP SP2, although the control is not. The Webbrowser control is a standalone ActiveX control that can be used by programmers to add a mini-HTML browser to their application. After a few vulnerabilities were found while this option was enabled by default, Microsoft now disables it in the Internet and Restricted sites zones. The default option is acceptable.

Miscellaneous - Allow Script-Initiated Windows without Size or Position Constraints

New in IE 6.x XP SP2, this option determines whether or not a web site can open a new IE window anywhere and of any size. Unscrupulous web advertisers often did this to make it difficult for the user to close the pop-up advertising window. It is disabled by default in the Internet and Restricted sites zones. This is an acceptable default choice.

Miscellaneous - Allow Web Pages to Use Restricted Protocols for Active Content

This is a new option in IE 6.x XP SP2 and later. You can define, in the zone registry settings, which protocols and port numbers are allowed in a particular zone. Using this setting you can define whether or not web sites in this zone can use protocols and port numbers not explicitly defined in the registry. Microsoft has this new option set to Prompt in most zones, and disabled in the Restricted sites zone. The default options are acceptable.

Miscellaneous - Display Mixed Content

This option determines whether or not you will be prompted when a web page tries to display content from HTTP and HTTPS communication streams at the same time. If it is set to Prompt, you may receive the following "Security Information" message on web pages that contain both secure (https) and nonsecure (http) content:

 This page contains both secure and nonsecure items. Do you want to display the nonsecure items? 

This is a very common occurrence on HTTPS web sites, although to be truly secure they should never mix content types. All but the security paranoid disable this feature, even though Microsoft's default on all zones is Prompt. The default is acceptable unless you are particularly worried about spoofed HTTPS web sites.

This option has been enhanced in IE 7. Users will no longer see the mixed-content dialog box prompt shown above. IE7 will only render the secure content by default, and offers the user the opportunity to unblock the nonsecure content using the new Information Bar. This is an excellent change because in previous versions of IE, the user was asked the question without really knowing the difference between the secure and nonsecure content. Now users will see the secure content first, separated from the nonsecure content. Besides preventing some types of malicious attacks, it will prevent a lot of web site advertising.

Miscellaneous - Don't Prompt for Client Certificate Selection When no Certificates or Only One Certificate Exists

This setting was introduced in IE 5.5 SP1. When this option is set to Enable, IE does not prompt the user with a "Client Authentication" message when it connects to a web site that has no certificate or only one certificate. When Disabled, IE will display the following "Client Authentication" message even if the web site does not have a certificate or has only one certificate:

 Identification The Web site you want to view requests identification. Select the certificate to use when connecting. 

Microsoft enables it in the Local Intranet and Trusted sites zones and disables it elsewhere. This is an acceptable setting.

Miscellaneous - Drag and Drop or Copy and Paste Files

This determines whether files and folders can be dragged and dropped between client and server, or whether files and folders can be copied and pasted between client and server. Strangely, if disabled in the Internet zone, it will not allow the described options between mapped drives on your computer if the NetBIOS shares were mapped using IP addresses instead of names. Dragging and dropping files is also helpful for FTP and WebDAV operations. Microsoft enables this setting in all zones except Restricted sites, where it is set to Prompt. There is little misuse possible, so the defaults are acceptable.

Miscellaneous - Installation of Desktop Items

This setting determines whether or not a web site can install shortcuts and content to the user's desktop. It should be disabled or set to Prompt in most zones. Microsoft enables it only in the Trusted sites zone, disables it in the Restricted sites zone, and sets it to Prompt in the other two zones. The defaults are acceptable.

Miscellaneous - Launching Programs and Files in an IFRAME

This determines whether programs and files can be executed in an inline floating IE frame (i.e., IFRAME). Several vulnerabilities have used this feature over the years. It should be set to Prompt or Disabled. Microsoft enables it only in the Trusted sites zone, disables it in the Restricted sites zone, and sets it to Prompt in the other two zones. The defaults are acceptable.

Miscellaneous - Launching Programs and Unsafe Files

This determines whether or not the hard-coded file types listed above can be launched or their associated programs executed. This is Enabled on the Local Intranet and Trusted sites zones, disabled on the Restricted sites zone, and set to Prompt on the Internet zone. The default is acceptable.

Miscellaneous - Navigate Sub-Frames Across Different Domains

This setting determines whether it is possible to open a child subframe that references a server located in a different domain than its parent. A malicious web site could mimic a legitimate web site by inserting a window as a frame within the legitimate web site's window. This feature was used in a few exploits years ago, but now is not considered overly dangerous. Microsoft enables this feature by default in all zones but the Restricted sites zone. I prefer to set the option to Prompt in the Internet zone.

Miscellaneous - Open Files Based on Content, not File Extension

New in IE 6.x XP SP2, this option determines whether IE will read the first 200 bytes of a file's header to determine whether the file matches the MIME Type the web site claims it to be. If the content never tries to execute using a MIME type other than the one it was downloaded with, IE does not check the file header. But if there is a disagreement, IE will read the file header in an attempt to determine the correct MIME Type. It has rightly been enabled in all zones except for the Restricted sites zone. I would enable it there as well.

Miscellaneous - Software Channel Permissions

This setting specifies the computer's level of access for web-based software distribution channels. The possible values are: High safety, Low safety, and Medium safety.

  • High safety — This setting prevents users from being notified about software updates by e-mail, prevents software packages from being automatically downloaded to users' computers, and prevents software packages from being automatically installed on users' computers.

  • Medium safety — Notifies users about software updates by e-mail, and allows software packages to be automatically downloaded to (but not installed on) users' computers. The software packages must be validly signed; users are not prompted about the download.

  • Low safety — This setting notifies users about software updates by e-mail, allows software packages to be automatically downloaded to users' computers, and allows software packages to be automatically installed on users' computers.

The Internet zone and Local Intranet zones are set to Medium safety. The Trusted sites zone is set to Low safety. The Restricted sites zone is set to High safety. The selections are reasonable.

Note 

Thanks to www.websecurealert.com for the detailed information on channel permissions displayed above. However, be aware that some of the free software at this location contains adware.

Miscellaneous - Submit Nonencrypted Form Data

This option determines whether HTML pages in the zone can submit unencrypted forms to, or accept unencrypted forms from, servers in the zone. Forms sent using SSL are always allowed. This option is usually enabled so that unencrypted data can be submitted without a warning. The defaults are good.

Miscellaneous - Use Phishing Filter

New in IE 7.x, enabling this filter tells IE to send each new domain URL to Microsoft's anti-phishing servers for inspection before allowing the page to be displayed. If a site has been defined as fraudulent, the user will be warned. It slows down web surfing, but increases security significantly. It should be enabled on Internet and Restricted sites zone, and these are the Microsoft defaults.

Miscellaneous - Use Pop-up Blocker

A new setting in IE 6.x XP SP2, this determines whether the built-in pop-up blocker is turned on. Like the previous setting, it should be enabled for Internet and Restricted sites zones. This is the Microsoft default as well.

Miscellaneous - Userdata Persistence

This setting determines whether a web site can save data about the user or the current session on the user's hard drive, much like a cookie would be able to do. This feature is used by many legitimate web sites, and although it can possibly be used maliciously, it's best to leave it turned on. Microsoft leaves it turned on by default for all zones except the Restricted sites zone, and this is acceptable.

Miscellaneous - Web Sites in Less Privileged Web Content Zone can Navigate into this Zone

This is a new setting that prevents less privileged content from initiating new connections into higher-privileged zones. This was created to defeat a new type of malicious attack. Microsoft has this option enabled in most zones but disabled in the Restricted sites zone. I believe it should be disabled by default in the Internet zone.

Scripting - Active Scripting

This is another important setting. It determines whether scripting is allowed in IE at all; if turned off, it disables the JavaScript and VBScript engines. Although many IE exploits rely on scripting to work, so do most web sites. Leave it enabled unless you are trying to defend against a widespread attack that cannot be stopped using alternative defenses. Microsoft enables this setting on all zones except the Restricted sites zone, and this is acceptable.

Scripting - Allow Paste Operations Via Script

This determines whether a web page script (see the Privacy Test at www.anonymizer.com) can copy information off the user's clipboard. It is interesting to see a web page "retrieve" information residing on the clipboard, especially if it contains a now plaintext password or information we forgot about. Microsoft enables this option in all zones except the Restricted sites zone. I believe it should be disabled across most zones.

Scripting - Allow Status Bar Updates Via Script

This new option determines whether web sites can update the status bar using a script. Some malicious web sites use scripts to fraudulently modify IE's status bar, such as indicating whether SSL is enabled or not. This setting should be disabled for Internet sites, and is by Microsoft.

Scripting - Scripting of Java Applets

This determines whether Java applets can be scripted. Although dozens of Java exploits have been discovered over the years, only one has ever been widespread. The overall risk is low. You can enable the scripting of Java applets on all zones except the Restricted sites zone, which is the Microsoft default.

User Authentication

Lastly, this option determines how IE will respond to a request for the browser to authenticate the user. In previous versions of IE, IE would always respond to authentication requests by trying to log in with the current user's name and password. Unfortunately, it is possible for malicious web sites to force unprotected Windows computers to use older, weaker authentication protocols (i.e., LAN Manager), which are easy to crack.

A common ploy was for a spammer to send the victim a spam e-mail that contained a one-pixel graphic (called a web spider or beacon) that needed to be downloaded from the spammer's malicious web server to display in the e-mail. Previous versions of Outlook and Outlook Express would attempt to download the graphic automatically to display in the e-mail. The hostile web site would request user authentication to download the web spider, and tell the victim's computer that it only understands the LM authentication protocol. Thus, all the victim does is open an e-mail and their computer sends back their logon name and password in an easily hackable format.

Now IE will only send the user's current logon name and password if the site is listed in the user's Local Intranet sites zone. Otherwise, IE will try to log on anonymously or prompt the user for their logon name and password. IE's default settings are acceptable.

Table 10-4 shows the default settings for each Internet security zone and the recommended settings for the Internet zone. Asterisks appear next to the recommendations that deviate from Microsoft's defaults.

Table 10-4: Default security zone settings and recommended Internet zone settings
Columns: Internet = default Internet zone setting; Intranet = default Local Intranet zone setting; Trusted = default Trusted Sites zone setting; Restricted = default Restricted Sites zone setting; Recommended = recommended Internet zone setting.
E = Enabled, D = Disabled, P = Prompt user for decision. * = recommendation deviates from Microsoft's default.

.NET Framework-reliant components - Run components not signed with Authenticode
    Internet: E   Intranet: E   Trusted: E   Restricted: D   Recommended: *D

.NET Framework-reliant components - Run components signed with Authenticode
    Internet: E   Intranet: E   Trusted: E   Restricted: D   Recommended: *P

ActiveX controls and plug-ins - Automatic prompting for ActiveX controls
    Internet: D   Intranet: E   Trusted: E   Restricted: D   Recommended: *E

ActiveX controls and plug-ins - Binary and script behaviors
    Internet: E   Intranet: E   Trusted: E   Restricted: D   Recommended: *D

ActiveX controls and plug-ins - Download signed ActiveX controls
    Internet: P   Intranet: P   Trusted: E   Restricted: D   Recommended: P

ActiveX controls and plug-ins - Download unsigned ActiveX controls
    Internet: D   Intranet: D   Trusted: P   Restricted: D   Recommended: D

ActiveX controls and plug-ins - Initialize and script ActiveX controls not marked as safe
    Internet: D   Intranet: D   Trusted: P   Restricted: D   Recommended: D

ActiveX controls and plug-ins - Run ActiveX controls and plug-ins
    Internet: E   Intranet: E   Trusted: E   Restricted: D   Recommended: E

ActiveX controls and plug-ins - Script ActiveX controls marked safe for scripting
    Internet: E   Intranet: E   Trusted: E   Restricted: D   Recommended: E

Downloads - Automatic prompting for file downloads
    Internet: D   Intranet: E   Trusted: E   Restricted: D   Recommended: *E

Downloads - File download
    Internet: E   Intranet: E   Trusted: E   Restricted: D   Recommended: E

Downloads - Font download
    Internet: E   Intranet: E   Trusted: E   Restricted: P   Recommended: E

Miscellaneous - Access data sources across domains
    Internet: D   Intranet: P   Trusted: E   Restricted: D   Recommended: D

Miscellaneous - Allow META REFRESH
    Internet: E   Intranet: E   Trusted: E   Restricted: D   Recommended: E

Miscellaneous - Allow scripting of Internet Explorer Webbrowser control
    Internet: D   Intranet: E   Trusted: E   Restricted: D   Recommended: D

Miscellaneous - Allow script-initiated windows without size or position constraints
    Internet: D   Intranet: E   Trusted: E   Restricted: D   Recommended: D

Miscellaneous - Allow Web pages to use restricted protocols for active content
    Internet: P   Intranet: P   Trusted: P   Restricted: D   Recommended: P

Miscellaneous - Display mixed content
    Internet: P   Intranet: P   Trusted: P   Restricted: P   Recommended: P

Miscellaneous - Don't prompt for client certificate selection when no certificates or only one certificate exists
    Internet: D   Intranet: E   Trusted: E   Restricted: D   Recommended: D

Miscellaneous - Drag and drop or copy and paste files
    Internet: E   Intranet: E   Trusted: E   Restricted: P   Recommended: E

Miscellaneous - Installation of desktop items
    Internet: P   Intranet: P   Trusted: E   Restricted: D   Recommended: P

Miscellaneous - Launching programs and files in an IFRAME
    Internet: P   Intranet: P   Trusted: E   Restricted: D   Recommended: P

Miscellaneous - Launching programs and unsafe files
    Internet: P   Intranet: E   Trusted: E   Restricted: D   Recommended: P

Miscellaneous - Navigate subframes across different domains
    Internet: E   Intranet: E   Trusted: E   Restricted: D   Recommended: *P

Miscellaneous - Open files based on content, not file extension
    Internet: E   Intranet: E   Trusted: E   Restricted: D   Recommended: E

Miscellaneous - Software channel permissions
    Internet: Medium safety   Intranet: Medium safety   Trusted: Low safety   Restricted: High safety   Recommended: Medium safety

Miscellaneous - Submit non-encrypted form data
    Internet: E   Intranet: E   Trusted: E   Restricted: P   Recommended: E

Miscellaneous - Use Phishing Filter
    Internet: E   Intranet: D   Trusted: D   Restricted: E   Recommended: E

Miscellaneous - Use Pop-up Blocker
    Internet: E   Intranet: D   Trusted: D   Restricted: E   Recommended: E

Miscellaneous - Userdata persistence
    Internet: E   Intranet: E   Trusted: E   Restricted: D   Recommended: E

Miscellaneous - Web sites in less-privileged web content zone can navigate into this zone
    Internet: E   Intranet: E   Trusted: P   Restricted: D   Recommended: *D

Scripting - Active scripting
    Internet: E   Intranet: E   Trusted: E   Restricted: D   Recommended: E

Scripting - Allow paste operations via script
    Internet: E   Intranet: E   Trusted: E   Restricted: D   Recommended: *D

Scripting - Allow status bar updates via script
    Internet: D   Intranet: E   Trusted: E   Restricted: D   Recommended: D

Scripting - Scripting of Java applets
    Internet: E   Intranet: E   Trusted: E   Restricted: D   Recommended: E

User Authentication - Logon
    Internet: Automatic logon only in Intranet zone   Intranet: Automatic logon only in Intranet zone   Trusted: Automatic logon with current user name and password   Restricted: Prompt for user name and password   Recommended: Automatic logon only in Intranet zone
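
To turn the recommended column into something you can verify on a real machine, the following PowerShell script, added here as an example and not part of the book's text, reads the Internet zone (zone 3) action values from the registry, reports which ones deviate from the Table 10-4 recommendations, and writes the recommended value when run with -Fix. The action IDs and the 0/1/3 value encoding are the ones Microsoft documents in KB 182569; the subset covered is the asterisked rows plus the ActiveX rows, and the Security_HKLM_only handling assumes the usual Group Policy layout. Verify the IDs against your IE build before trusting the report.

```powershell
# Added example (not from the book): audit the Internet zone (zone 3) against the
# recommended column of Table 10-4 and optionally apply the recommendations.
# Action IDs and the 0/1/3 encoding follow Microsoft KB 182569.
param([switch]$Fix)

$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$hklmPath = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Every zone action uses the same encoding: 0 = Enabled, 1 = Prompt, 3 = Disabled
$code  = @{ 0 = 'E'; 1 = 'P'; 3 = 'D' }
$value = @{ 'E' = 0; 'P' = 1; 'D' = 3 }

# action ID -> description and recommended Internet zone value (Table 10-4, last column)
$recommended = @(
    @{ Id = '2004'; Name = '.NET: run components not signed with Authenticode';        Want = 'D' },
    @{ Id = '2001'; Name = '.NET: run components signed with Authenticode';            Want = 'P' },
    @{ Id = '2201'; Name = 'ActiveX: automatic prompting for ActiveX controls';        Want = 'E' },
    @{ Id = '2000'; Name = 'ActiveX: binary and script behaviors';                     Want = 'D' },
    @{ Id = '1001'; Name = 'ActiveX: download signed ActiveX controls';                Want = 'P' },
    @{ Id = '1004'; Name = 'ActiveX: download unsigned ActiveX controls';              Want = 'D' },
    @{ Id = '1201'; Name = 'ActiveX: initialize and script controls not marked safe';  Want = 'D' },
    @{ Id = '1200'; Name = 'ActiveX: run ActiveX controls and plug-ins';               Want = 'E' },
    @{ Id = '1405'; Name = 'ActiveX: script controls marked safe for scripting';       Want = 'E' },
    @{ Id = '2200'; Name = 'Downloads: automatic prompting for file downloads';        Want = 'E' },
    @{ Id = '1406'; Name = 'Misc: access data sources across domains';                 Want = 'D' },
    @{ Id = '1607'; Name = 'Misc: navigate subframes across different domains';        Want = 'P' },
    @{ Id = '2101'; Name = 'Misc: less-privileged zone can navigate into this zone';   Want = 'D' },
    @{ Id = '1407'; Name = 'Scripting: allow paste operations via script';             Want = 'D' }
)

# When Security_HKLM_only is set (normally by Group Policy) the HKLM zone keys apply
# to every user and the HKCU values are ignored, so audit the hive that is in force.
$hklmOnly = (Get-ItemProperty -Path $hklmPath -Name 'Security_HKLM_only' -ErrorAction SilentlyContinue).Security_HKLM_only
if ($hklmOnly -eq 1) {
    $zonePath = $zonePath -replace '^HKCU:', 'HKLM:'
    Write-Host "Security_HKLM_only=1: auditing machine-wide zone settings in $zonePath"
}
if (-not (Test-Path $zonePath)) { throw "Zone key not found: $zonePath" }

$props = Get-ItemProperty -Path $zonePath
foreach ($r in $recommended) {
    $raw = $props.($r.Id)
    if ($null -eq $raw) {
        # An absent value means the zone template's built-in default applies; report, don't guess.
        $have = '(not set)'
    } elseif ($code.ContainsKey([int]$raw)) {
        $have = $code[[int]$raw]
    } else {
        $have = "unknown($raw)"
    }
    $status = if ($have -eq $r.Want) { 'ok' } else { 'DEVIATES' }
    '{0,-9} action {1}  have={2,-10} want={3}  {4}' -f $status, $r.Id, $have, $r.Want, $r.Name

    if ($Fix -and $have -ne $r.Want) {
        Set-ItemProperty -Path $zonePath -Name $r.Id -Value $value[$r.Want] -Type DWord
    }
}
```

If zone settings are enforced by Group Policy, a local -Fix will be overwritten at the next policy refresh, so make the change in the GPO instead. Other programs that use IE's zones (Outlook, Windows Media Player) pick up whatever the script writes, which is the point of the note at the end of this section.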

Advanced Settings

Advanced settings apply across all IE security zones. Some of them complement or override the options available in the individual zones; in general a setting chosen here supersedes the corresponding zone setting, but not always (the Phishing Filter, covered below, is one exception). A user or administrator must therefore take care not to set configuration options that conflict with one another. These issues are noted where applicable.

There are over 60 different advanced settings in IE 7.x. This section of the chapter will cover only the settings that can purposely affect IE's overall security.

Browsing - Always Send URLs as UTF-8

UTF-8 encoding lets a user enter URLs that include non-ASCII and foreign-language characters regardless of the language of the user's operating system and browser. Without UTF-8 encoding, the web server must use the same language code page as the user's system in order to interpret URLs containing non-ASCII characters correctly. Disabling this option would block some URL-obscuring spoofing tricks, such as double-byte encoding, but it would break many legitimate web sites. Microsoft enables it by default, and it should probably stay that way.

Browsing - Automatically Check for Internet Explorer Updates

This option, which is enabled by default, tells IE to run Windows Update periodically to check for new Microsoft patches. This is a great feature to leave enabled. Disable it if patching is handled by a centralized management software program (e.g., SUS, WSUS, SMS, etc.) or if the logged in user is never logged in as a local administrator. Windows Update initiated patches require that the end user be logged in as a local administrator to install.

Browsing - Disable Script Debugging (Internet Explorer or Other)

These two separate options control whether IE runs a script debugger when a page throws a script error; one covers IE's own script debugger, the other covers external debuggers (the split is new in the latest versions of IE). When the option is enabled (the default), debugging is turned off and script errors are silently ignored. Clearing it turns debugging on, which is useful only to programmers: IE then offers to open the debugger whenever a script error is found. Malicious web sites often contain code bugs, so a programmer who turns debugging on is shown the offending code automatically, which is one way to get a first look at what a suspicious page is doing. Everyone else should leave the option enabled.

Browsing - Display a Notification about Every Script Error

If enabled, IE displays a notification about every error it encounters in a script. It is disabled by default, which is usually the right choice; as with the previous option, there is little to gain by enabling it unless the user is a programmer looking for scripting problems.

Browsing - Display Enhanced Security Configuration Dialog

If Enhanced Security Configuration is enabled and a web site that has not been trusted tries to use scripting or ActiveX controls, a dialog box appears to notify you, and you can add the web site to the Trusted sites zone directly from that dialog box. If Enhanced Security Configuration is disabled, this option has no effect on browsing. It is enabled by default. It causes more problems than it solves, so disable it. Read "IE Enhanced Security Configuration," later in this chapter, for more information on why.

Browsing - Enable Install on Demand (Internet Explorer or Other)

This option specifies whether IE automatically downloads and installs web components that Internet Explorer Active Setup can install, using the component's cabinet information file (CIF) for setup instructions. A web page often needs new components in the browser in order to display properly or to perform a particular task: a new language character set may be needed before IE can display a page in that language, or a media player may be needed to play multimedia content. If the component is not already installed, Install on Demand can install it automatically. If the option is disabled, the user is prompted to approve each new install before it happens. The Microsoft default is Enabled. Set it to Disabled so that the user is notified of, and must approve, every newly installed component.

Browsing - Enable Third-Party Browser Extensions

Enabled by default, this option allows non-Microsoft browser add-ons (i.e., Browser Helper Objects, or BHOs) to load. Turning it off can break many legitimate web sites, but it also improves security, because every add-on enlarges IE's attack surface. Disable it if a spyware problem involving a BHO is suspected.

Note 

Note that this option has no effect on BHOs that modify Outlook Express directly.

Browsing - Use Inline AutoComplete

Disabled by default, this determines whether IE's AutoComplete feature (which automatically tries to fill in requested information, such as a user's name and address) automatically fills in known information when a web site form requests it. It can be used maliciously by a remote web site or locally by an unauthorized user. Keep disabled unless needed.

Java (or Java-Sun) — Use JRE x.x for <applet>

This setting only appears when a Java Virtual Machine (JVM) environment is installed. There is some additional risk from running Java, but if you keep Java patched, you can leave this option enabled. It is often needed for legitimate web sites. If you use Java, be sure to keep up on the latest Java JVM and patches.

Security - Allow Active Content from CDs to Run on My Computer

This setting, new in IE 7.x, determines whether active content launched from a CD runs in the Local Computer zone. If disabled, such content runs under the Internet zone's restrictions instead. Leave it disabled unless needed.

Security - Allow Active Content to Run in Files on My Computer

This setting, also new in IE 7.x, determines whether active content in local files runs in the Local Computer zone. If disabled, it runs under the Internet zone's restrictions instead. The highly privileged Local Computer zone has been the springboard for many exploits, so leave this disabled unless needed.

Security - Allow Software to Run or Install Even if the Signature is Invalid

This option is disabled by default and should be left that way. If enabled, software whose Authenticode signature fails verification (because it is missing, has been tampered with, or chains to an untrusted publisher) is allowed to run or install, which defeats the purpose of code signing.

Security - Check for Publisher's Certificate Revocation

This option checks whether the publisher's (i.e., the software vendor who signed the program) digital certificate has been revoked by the issuing Certificate Authority (CA). You never want to run a program whose publisher's certificate has been revoked: revocation can mean the publisher's private key was stolen and used to sign a malicious executable. Unfortunately, when this setting is enabled, users will often see a message saying that the certificate's revocation status could not be verified, and it is then up to the user whether to run the signed code. If the user is on a legitimate web site, it is normally okay to do so. The option is enabled by default and should be left enabled.

Security - Check for Server Certificate Revocation

If enabled, which it is not by default, IE checks during the SSL/TLS handshake whether the server's digital certificate has been revoked. I recommend enabling this feature, although when it is enabled it is not uncommon for the revocation check to "fail" for legitimate web sites, usually because the certificate's CRL distribution point (the URL from which the certificate revocation list is fetched) is unreachable at the moment or not defined correctly. If both the web site and the digital certificate are legitimate, you can usually choose to ignore the revocation message. The extra warnings, when they occur, push users to look more closely at the SSL connection, and anything that gets end users involved in verifying digital certificates, rather than accepting them by default, is a good thing.

Security - Check for Signatures on Downloaded Programs

This option is enabled by default and should remain that way. It verifies the digital signature of every downloaded program and, if the signature is missing or invalid, displays a warning explaining what is wrong with the digital certificate or signature. An invalid or missing signature means the software carries a higher risk of being malicious, although most downloadable software on the Internet is not signed at all. Figure 10-8 shows the details of a digital signature as reviewed during an ActiveX control's download.

Figure 10-8 (image not reproduced)

Security - Do not Save Encrypted Pages to Disk

Disabled by default, this option prevents pages received over SSL/TLS from being written to the Temporary Internet Files cache at all; with it disabled, IE caches secure pages in the clear like any other content. It can be left disabled in most organizations unless the risk of a local intrusion is higher than average. Normally, an intruder who wants to search another user's cached Internet content needs admin rights to read that user's profile, and an intruder with local admin rights has many other attacks to choose from. Enabling the option costs some performance, because secure pages must be fetched again on every visit instead of being served from the cache. Most administrators turn it on only for computers with shared access.

Security - Empty Temporary Internet Files Folder When Browser is Closed

Like the preceding option, this one is disabled by default and only needs to be enabled when the risk of a local attack is higher than normal. If turned on, the Temporary Internet Files (TIF) folder is emptied every time IE is closed, which carries a moderate to substantial performance penalty while the files are erased. Most administrators turn it on only for computers with shared access.

Note 

Windows Vista will do more digital signature and certificate revocation checking, even outside of IE.

Security - Enable Integrated Windows Authentication

This setting works in conjunction with the security zone setting User Authentication, which defines whether authentication would happen automatically or not, and to which zones. This setting determines whether Windows logon authentication can be used, if prompted.

There are four Windows logon authentication protocols: LM, NTLM, NTLMv2, and Kerberos. If this feature is enabled, which it is not by default in IE 7.x, users can log on with Windows authentication to web sites that support integrated Windows authentication (such as IIS). The integrated logon presents the currently logged-on user's name and password when a server requests them. If the related zone setting is set to automatic, the authentication happens without the end user ever being aware of the exchange; if automatic authentication has not been approved for that zone, the user is prompted for logon credentials.

By default, all newer versions of IE connect to every web server anonymously first. If the server then demands Windows logon authentication, users are in most cases prompted for a logon name and password unless they are connecting to an intranet site. When this feature is enabled, whether integrated logon happens automatically or with a prompt is controlled per security zone by the User Authentication setting. Even with the feature on, Windows logon authentication normally works only on the local network (or forest) and over VPNs; it is not normally allowed over the Internet without a good deal of planning, configuration, and management.

Although there is little risk to most environments by enabling this feature, you can leave it disabled unless needed. Remember to turn it on if needed (i.e., for SharePoint Services, IIS, etc.). If allowed to non-intranet sites, disable the use of LM and NTLM authentication protocols (covered in Chapters 4 and 14) to prevent malicious remote web sites from requesting insecure versions of user logon credentials.

Security - Enable Profile Assistant

Enabled by default, this option allows users to manage their My Profile (see Figure 10-9) settings in IE (from the Tools menu, select Internet Options, and then the Content tab). If disabled, the option will be grayed out, preventing the user from entering or managing contained information. If enabled, the user can enter in personal profile information that can be used by the AutoComplete feature to automatically fill in web site information.

Figure 10-9 (image not reproduced)

There have been a few spyware and adware attacks, including one that used a zero-day JavaScript exploit, that succeeded in reading the information stored here. In most cases they "steal" the user's e-mail address to send spam. Some security-minded users fill in the profile with fake information to fool spyware and adware. You can choose whether to leave the option enabled or disabled depending on your risks and how well educated your user population is.

Security - Phishing Filter Settings

New with IE 7.x, this option enables or disables IE's anti-phishing filter. I can think of no reason to disable it, other than the one- or two-second delay it sometimes incurs on connections to new web sites.

Note 

Occasionally, the phishing filter will not check on the web site and report whether the web site is a known phishing site until many seconds after the web page is loaded. It might appear as if a web page is not a suspected phishing site, and then 2–10 seconds later, the web site is accurately marked as a known phishing site. This may be a result of the performance trade-off that allows the web site to load at the same time the filter check is made, meaning there is the slight chance that a user could use the malicious web page for a few seconds prior to the warning.

There are three Phishing Filter options:

  • Check Websites Automatically

  • Do Not Check Websites Automatically

  • Turn off Phishing Filter

If you turn the filter off completely, the Check This Website option (see Figure 10-10), which can be done manually on a per-site basis, is disabled. Choose the Do Not Check Websites Automatically option (from the Phish Filtering options in the preceding list) if you want to allow per-site manual checking. I frequently use the Report This Website option to report phishing and fraudulent web sites to Microsoft to benefit other users. After reporting the suspected web site, it goes through a review process before being made available as a confirmed phishing site to other users.

Figure 10-10 (image not reproduced)

The anti-phishing filter can also be enabled or disabled using IE zone security settings. If the phishing filter is turned off in Advanced settings, it overrides setting(s) in the separate security zones. The current behavior (I hope it is fixed before general release) is that it could appear as if the phishing filter were turned on in a particular security zone, when in fact it is disabled across all zones.

Security - Use SSL 2.0, SSL 3.0, TLS 1.0

This option determines which versions of SSL are allowed and whether Transport Layer Security (TLS) is enabled. SSL 3.0 and TLS 1.0 are enabled by default in IE 7.x; in prior IE versions TLS was not enabled by default. TLS is the IETF's successor to SSL (there will be no SSL 4.0 standard) and fixes a number of weaknesses in the older protocol. SSL 2.0 should be disabled: it has well-known design flaws, including a handshake that is not integrity-protected, which lets an attacker force the weakest cipher suite both sides support, and a message authentication scheme weaker than SSL 3.0's. A few web sites still use it, but they are a small minority, and all the reputable commercial sites have long supported SSL 3.0 and later.
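
The three check boxes are stored as a single bitmask in the registry, so the recommendation above (SSL 2.0 off, SSL 3.0 and TLS 1.0 on) is easy to audit and enforce from PowerShell. The script below is an added example, not code from the book; the value name SecureProtocols and the bit assignments are Microsoft's, and the TLS 1.1 and 1.2 bits are included for later IE builds that understand them (IE 7 ignores them). The fallback of 0xA0 when the value is absent reflects the defaults stated in the text, not a documented constant.

```powershell
# Added example (not from the book): read, decode and set the SecureProtocols bitmask
# behind the "Use SSL 2.0 / SSL 3.0 / TLS 1.0" check boxes.
# Bit values: 0x08 SSL 2.0, 0x20 SSL 3.0, 0x80 TLS 1.0; later builds add 0x200 TLS 1.1, 0x800 TLS 1.2.
$path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$bits = [ordered]@{ 'SSL 2.0' = 0x08; 'SSL 3.0' = 0x20; 'TLS 1.0' = 0x80; 'TLS 1.1' = 0x200; 'TLS 1.2' = 0x800 }

function Get-IESecureProtocols {
    $v = (Get-ItemProperty -Path $path -Name SecureProtocols -ErrorAction SilentlyContinue).SecureProtocols
    # Absent value: assume the IE 7 defaults described in the text (SSL 3.0 + TLS 1.0 = 0xA0).
    if ($null -eq $v) { $v = 0xA0 }
    $enabled = foreach ($name in $bits.Keys) { if ($v -band $bits[$name]) { $name } }
    [pscustomobject]@{ Raw = ('0x{0:X}' -f $v); Enabled = ($enabled -join ', ') }
}

function Set-IESecureProtocols {
    param([string[]]$Protocols)   # e.g. 'SSL 3.0','TLS 1.0'
    $mask = 0
    foreach ($p in $Protocols) {
        if (-not $bits.Contains($p)) { throw "Unknown protocol name: $p" }
        $mask = $mask -bor $bits[$p]
    }
    Set-ItemProperty -Path $path -Name SecureProtocols -Value $mask -Type DWord
    Get-IESecureProtocols
}

'Before:'; Get-IESecureProtocols
# Recommended in the text: keep SSL 3.0 and TLS 1.0, leave SSL 2.0 off (mask 0xA0).
'After:';  Set-IESecureProtocols -Protocols 'SSL 3.0', 'TLS 1.0'
```

Run it as the user whose settings you want to change, because the value lives under HKCU. One caveat for anyone applying this today: SSL 3.0 was itself broken by the POODLE attack in 2014, so on any build that supports the newer bits you should clear SSL 3.0 as well and enable TLS 1.1 and 1.2, for example -Protocols 'TLS 1.0','TLS 1.1','TLS 1.2'.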

Security - Warn About Invalid Site Certificates

This option is enabled by default and warns the user when a web server's digital certificate is invalid (assuming SSL/TLS is enabled in the previous setting). Legitimate sites with invalid certificates abound, unfortunately, usually because the certificate has expired or because the name in the certificate does not match the web site's address. Still, warning users that a digital certificate is invalid raises awareness and may alert them to a spoofing or man-in-the-middle attack.

Security - Warn if Changing Between Secure and not Secure Mode

This setting determines whether or not IE will notify the user that they are being directed between SSL/TLS and non-SSL/TLS sites. The default option of Enabled is acceptable.

Security - Warn if forms Submittal is Being Redirected

Like the separate identical security zone setting, this option determines whether the user will be notified that the data they are submitting to a web site is being redirected to another web site. Although this can occur on legitimate web sites, the default option of Enabled should be left turned on to warn users of spoofing or man-in-the-middle attacks. There is a similar (but different) zone setting that determines whether the user can submit forms data unencrypted or not.
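
Most of the Advanced-tab options above are backed by individual registry values, which makes them straightforward to audit across many machines. The following PowerShell script is an added example, not part of the book, that checks the settings whose registry names are well established against the recommendations discussed above. The mapping of "Empty Temporary Internet Files folder when browser is closed" to the Cache\Persistent value is an assumption to confirm on a test machine; the publisher-revocation and Phishing Filter options are left out because their storage is less obvious.

```powershell
# Added example (not from the book): audit Advanced-tab settings against the
# recommendations in this section. Want values follow Table 10-5.
$is = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ie = 'HKCU:\Software\Microsoft\Internet Explorer\Main'

$checks = @(
    @{ Setting = 'Always send URLs as UTF-8';                            Path = $is;             Name = 'UrlEncoding';                       Want = 0 },
    @{ Setting = 'Disable script debugging';                             Path = $ie;             Name = 'Disable Script Debugger';           Want = 'yes' },
    @{ Setting = 'Display a notification about every script error';      Path = $ie;             Name = 'Error Dlg Displayed On Every Error'; Want = 'no' },
    @{ Setting = 'Enable third-party browser extensions';                Path = $ie;             Name = 'Enable Browser Extensions';         Want = 'yes' },
    @{ Setting = 'Allow software to run/install with invalid signature'; Path = "$is\Download";  Name = 'RunInvalidSignatures';              Want = 0 },
    @{ Setting = 'Check for signatures on downloaded programs';          Path = "$is\Download";  Name = 'CheckExeSignatures';                Want = 'yes' },
    @{ Setting = 'Check for server certificate revocation';              Path = $is;             Name = 'CertificateRevocation';             Want = 1 },
    @{ Setting = 'Do not save encrypted pages to disk';                  Path = $is;             Name = 'DisableCachingOfSSLPages';          Want = 0 },
    # ASSUMPTION: Cache\Persistent = 1 keeps the cache across sessions, i.e. the option is unchecked.
    @{ Setting = 'Empty Temporary Internet Files folder on close';       Path = "$is\Cache";     Name = 'Persistent';                        Want = 1 },
    @{ Setting = 'Enable Integrated Windows Authentication';             Path = $is;             Name = 'EnableNegotiate';                   Want = 0 },
    @{ Setting = 'Warn about invalid site certificates';                 Path = $is;             Name = 'WarnonBadCertRecving';              Want = 1 },
    @{ Setting = 'Warn if changing between secure and not secure mode';  Path = $is;             Name = 'WarnonZoneCrossing';                Want = 1 },
    @{ Setting = 'Warn if forms submittal is being redirected';          Path = $is;             Name = 'WarnOnPostRedirect';                Want = 1 }
)

function Test-IEAdvancedSettings {
    foreach ($c in $checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $have = if ($null -ne $item) { $item.($c.Name) } else { $null }
        # String comparison so that REG_SZ "yes"/"no" and REG_DWORD 0/1 are handled by one rule.
        $status = if ($null -eq $have) { 'NOT SET' } elseif ("$have" -eq "$($c.Want)") { 'ok' } else { 'DEVIATES' }
        [pscustomobject]@{
            Status  = $status
            Setting = $c.Setting
            Have    = $have
            Want    = $c.Want
            Value   = "$($c.Path)\$($c.Name)"
        }
    }
}

Test-IEAdvancedSettings | Format-Table -AutoSize Status, Setting, Have, Want
```

EnableNegotiate is expected to be 0 because Table 10-5 recommends leaving Integrated Windows Authentication off; change that entry to 1 if your environment relies on it. A NOT SET result means the value has never been written for that user and IE's built-in default is in effect; treat those as "check by hand" rather than as passes.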

Table 10-5 lists IE 7.x's advanced settings, the default for each as set by Microsoft, and a recommendation for most users who surf the untrusted Internet. Recommendations that differ from Microsoft's defaults begin with an asterisk (*). Like security zone settings, advanced settings are a trade-off between functionality and security. Most users can implement the settings recommended in Table 10-5 for an acceptable level of security.

Table 10-5: Default and recommended advanced settings
E = selected (enabled), D = unselected (disabled). * = recommendation differs from Microsoft's default.

Browsing - Always send URLs as UTF-8
    Default: E   Recommended: E

Browsing - Automatically check for Internet Explorer updates
    Default: E   Recommended: E

Browsing - Disable script debugging (Internet Explorer or Other)
    Default: E   Recommended: E

Browsing - Display a notification about every script error
    Default: D   Recommended: D

Browsing - Display enhanced security configuration dialog
    Default: E   Recommended: *D

Browsing - Enable Install on Demand (Internet Explorer or Other)
    Default: E   Recommended: *D

Browsing - Enable third-party browser extensions
    Default: E   Recommended: E

Browsing - Use inline AutoComplete
    Default: D   Recommended: D

Java (or Java-Sun) - Use JRE x.x for <applet>
    Default: E (if Java is installed)   Recommended: E

Security - Allow active content from CDs to run on My Computer
    Default: D   Recommended: D

Security - Allow active content to run in files on My Computer
    Default: D   Recommended: D

Security - Allow software to run or install even if the signature is invalid
    Default: D   Recommended: D

Security - Check for publisher's certificate revocation
    Default: E   Recommended: E

Security - Check for server certificate revocation
    Default: D   Recommended: *E

Security - Check for signatures on downloaded programs
    Default: E   Recommended: E

Security - Do not save encrypted pages to disk
    Default: D   Recommended: D

Security - Empty Temporary Internet Files folder when browser is closed
    Default: D   Recommended: D

Security - Enable Integrated Windows Authentication
    Default: D   Recommended: D

Security - Enable Profile Assistant
    Default: E   Recommended: E

Security - Phishing Filter settings
    Default: Do Not Check Websites Automatically   Recommended: *Check Websites Automatically

Security - Use SSL 2.0, SSL 3.0, TLS 1.0
    Default: SSL 2.0 D, SSL 3.0 E, TLS 1.0 E   Recommended: SSL 2.0 D, SSL 3.0 E, TLS 1.0 E

Security - Warn about invalid site certificates
    Default: E   Recommended: E

Security - Warn if changing between secure and not secure mode
    Default: E   Recommended: E

Security - Warn if forms submittal is being redirected
    Default: E   Recommended: E

Group Policy settings

There are literally more than 100 group policy settings to handle how IE looks, acts, and is secured. Group Policy settings will be covered in Chapter 14, "Group Policy Explained."

IE Enhanced Security Configuration

By default in Windows Server 2003, Microsoft enables the IE Enhanced Security Configuration feature (delivered as a security template). It can be enabled on Windows XP Pro but is not turned on by default. Enhanced Security Configuration significantly locks down the Internet zone: essentially, it disables all non-HTML functionality (JavaScript, add-ons, and so on). It moves the Internet zone's default security level from Medium to High and the Intranet zone's from Low to Medium (i.e., more secure), among other changes. When enabled, it displays a warning dialog whenever the user visits a site not already placed in the Trusted sites or Local intranet zones.

When warned, the user will be shown a dialog box (see Figure 10-11) and allowed to add the site they wish to visit to the more liberal Trusted sites zone. If the site is added, the site will no longer produce a warning. If the site is not added to the Trusted sites zone, it remains in the tightened Internet zone and most functionality beyond plain-HTML text is disabled.

image from book
Figure 10-11

I do not like the IE Enhanced Security Configuration feature and recommend that it be disabled. This is because when it does appear, the user is allowed to conveniently add the desired web site to the Trusted sites zone. It was Microsoft's intention that on servers and other computers where this feature is enabled, IE users never visit web sites that should not be explicitly trusted. But real life is a different reality. Windows administrators frequently visit sites that they shouldn't be trusting from the server. Maybe it is to download a needed driver or piece of software, to conduct a search engine request, or to simply read a general news site (e.g., www.msnbc.com) while waiting for some administrative service to finish. What ends up happening is that all kinds of web sites that should never be marked as trusted end up in the Trusted sites zone. This is the exact opposite of what should be happening.

While the Trusted sites zone is modified to be more secure (Medium instead of Low, which is also the IE 7 default), it is all too easy for an administrator or a Group Policy to accidentally reset the zones to their default security levels. I wish Microsoft would instead change the Enhanced Security Configuration feature to add newly visited web sites to the normal (pre-Enhanced Security Configuration) Internet zone, or to a new zone created for the purpose. That way, most web sites that need to be visited could be added to a relatively secure zone instead of ending up in the modified Trusted sites zone. You can remove (or add) the IE Enhanced Security Configuration feature using the Add/Remove Windows Components feature available under Control Panel's Add/Remove Programs applet (see Figure 10-12).

Figure 10-12 (image not reproduced)

Note 

Remember that any setting made to the Internet zone or security level affects all programs that rely on IE's security (e.g., Outlook, Windows Media Player, etc.)
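
Because the Enhanced Security Configuration dialog makes it so easy to add sites to Trusted sites, it is worth checking periodically what has accumulated there. The following PowerShell script is an added example, not code from the book: it reports whether Enhanced Security Configuration is installed for administrators and for users, using the Active Setup component GUIDs that Windows Server 2003 registers for the feature, and lists every site-to-zone assignment under the current user's ZoneMap (the Domains key normally, EscDomains while ESC is on), flagging the ones that landed in Trusted sites.

```powershell
# Added example (not from the book): show ESC state and list hand-added zone assignments.
# Active Setup GUIDs are the ones Windows Server 2003 uses for IE ESC (admins / users).
# ZoneMap value data: 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites.
$activeSetup = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
$esc = @{
    Administrators = '{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
    Users          = '{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
}
foreach ($who in $esc.Keys) {
    $state = (Get-ItemProperty -Path "$activeSetup\$($esc[$who])" -Name IsInstalled -ErrorAction SilentlyContinue).IsInstalled
    $text = if ($state -eq 1) { 'ON' } elseif ($state -eq 0) { 'off' } else { 'not present (no ESC component on this build)' }
    'IE Enhanced Security Configuration for {0,-15}: {1}' -f $who, $text
}

$zoneName = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-IEZoneAssignments {
    param([string]$MapKey)   # 'Domains' for normal IE, 'EscDomains' while ESC is on
    $root = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\$MapKey"
    if (-not (Test-Path $root)) { return }
    # Layout: <MapKey>\example.com\www with values named by scheme ('http', 'https', '*') = zone.
    # A host may also be assigned directly on the domain key, so walk both levels.
    foreach ($domain in Get-ChildItem -Path $root) {
        $keys = @($domain) + @(Get-ChildItem -Path $domain.PSPath)
        foreach ($k in $keys) {
            $site = if ($k.PSPath -eq $domain.PSPath) { $domain.PSChildName } else { "$($k.PSChildName).$($domain.PSChildName)" }
            foreach ($scheme in $k.GetValueNames()) {
                $zone = $k.GetValue($scheme)
                [pscustomobject]@{ Map = $MapKey; Site = $site; Scheme = $scheme; Zone = $zoneName[[int]$zone] }
            }
        }
    }
}

$all = @(Get-IEZoneAssignments -MapKey 'Domains') + @(Get-IEZoneAssignments -MapKey 'EscDomains')
$all | Sort-Object Zone, Site | Format-Table -AutoSize

"`nHosts in the Trusted sites zone (review each one; a site reached over plain http gets Trusted-zone privileges for anyone who can spoof it):"
$all | Where-Object { $_.Zone -eq 'Trusted sites' } | Select-Object -ExpandProperty Site -Unique
```

Zone assignments pushed by Group Policy ("Site to Zone Assignment List") are stored under the Policies branch of the registry rather than under this ZoneMap key and are not enumerated here; that list is the right place for the handful of sites a server genuinely needs to trust, because users cannot add to it from the dialog.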

Third-Party Tools

Even though Microsoft is doing a better job of securing IE, historically there are usually several unpatched vulnerabilities at any given time. Correctly configuring IE's security zones offsets much of that risk, but not all of it. Many third-party products claim to make IE more secure by default. Most either act as host-based intrusion prevention systems, such as Pivx's (www.pivx.com) preEmpt product (which the author highly recommends), or run IE in a virtual environment, such as Greenborder (www.greenborder.com), which lets everything an IE session changed be undone with the click of a button. Don't forget Microsoft's own Shared Computer Toolkit discussed earlier. Overall, I have more confidence in a product that prevents malware from succeeding in the first place than in one that just cleans up the resulting mess.



Source: Professional Windows Desktop and Server Hardening (Programmer to Programmer), ISBN 0764599909, year 2004.