programming4us
programming4us
SECURITY

Internet Explorer Security Settings

7/28/2010 9:28:25 AM
Internet Explorer Security Settings
IE has very granular security settings that outpace any of its rivals. You can place Web sites in one of five IE security zones, and modify nearly 50 settings for each zone.

Security Zones

Internet Explorer has five different security zones:

  • Internet

  • Local intranet

  • Trusted sites

  • Restricted sites

  • Local computer

Internet security zones allow users to granularly define specific permissions for different Internet or intranet resources. Internet Explorer allows users (or administrators) to define ahead of time particular security permissions and privileges for various Web sites.

Local Computer Zone

The first four zones are readily accessible in IE (see Figure 1) by choosing the Tools menu option, then Internet Options, and then clicking on the Security tab. This unlisted zone is not easily end-user definable and represents content residing on the local computer. Also known as the My Computer zone, Windows now warns the user if content in the Local Computer zone wants to execute in IE. In earlier versions of IE, content from the Local Computer zone ran in the security context of the active user, but in IE 6 on XP SP2 and later versions, it is locked down with additional restrictions to prevent malware execution.

Image from book
Figure 1: Internet Explorer security zones

The Local Computer zone lock down establishes the following default behaviors:

  • ActiveX controls may not run.

  • Java applets may not run.

  • Users may be prompted before they can run a script.

  • Users may be prompted before they can open a data source belonging to a different domain than the original server.

The Local Computer zone cannot be manipulated in IE by the end user, but can be configured using registry edits and programmatically. The zones can be manipulated in the registry at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones. Each Zone is represented by the number 0 to 4, going from least to most restrictive. 0 is the My Computer zone, 1 is the Intranet sites zone, 2 is the Trusted Sites zone, 3 is the Internet zone, and 4 is the Restricted sites zone. If you are interested in manipulating zones using the registry read Microsoft KB article #182569 (http://www.support.microsoft.com/?id=182569). Editing zones via the registry allows a higher level of granularity than you can obtain through IE (that is, defining of acceptable TCP/IP port numbers and protocols for each zone), but for most users IE zones settings are best configured in IE.

Internet Site Zone

The Internet site is the default zone for all content not previously defined as residing in one of the other zones. Most of the time when you are surfing on the Internet using IE, the content being downloaded will reside in the Internet zone. The permissions and privileges in the Internet zone are moderately restricted (with a default of Medium-High security) as compared to the other zones. The security level is appropriate for most Internet sites, but is too lax when unpatched vulnerabilities are encountered or overall risk is high.

The Internet zone allows all scripts, signed ActiveX controls and Add-ons to run, although unsigned controls and plug-ins are disabled by default. Many Internet attacks can be stymied if scripting and ActiveX controls are disabled, but doing so will cause problems with many legitimate Web sites. If a widespread vulnerability is present, users can benefit greatly by customizing the security (covered next) to disable scripting and other non-HTML content. Most users could benefit by customizing the Internet security zone to an acceptable level of usability and security.

Local Intranet Zone

The Local intranet zone is a zone with elevated default privileges. The default security level is Medium-low. The intent is that users (or administrators) place internal trusted Web sites in the Local intranet zone, and any sites in this zone will have elevated privileges. By default, all Web sites residing on the local LAN (and other defined private IP subnets) will be placed in the Local intranet zone without the user having to specifically add the Web site. External Web sites can be added as well (see Figure 2), although users should remember that sites in this zone have elevated privileges.

Image from book
Figure 2: Adding a Web site to the Local intranet zone

As Figure 2 shows, along with the default selections, there are several options under the Local intranet zone. The first is "Include all local (intranet) sites not listed in other zones." This means that any server sites on the local network not listed in the Trusted Sites or Restricted sites zone will automatically be included here. If you disable this option, sites on the local network will not automatically be included in the Local intranet zone.

The "Include all sites that bypass the proxy server" option assumes that IE uses a non-transparent proxy to access non-local sites. By enabling the option, IE will add any sites to the Local intranet zone that are excluded from having to be filtered through the proxy server. The thinking is that only trusted sites would be excluded from being handled by the proxy server, and because they are trusted, they should be included by default in the Local intranet zone.

The Include all network paths (UNCs) option instructs Windows to include any NetBIOS shares in the Local intranet zone. This setting means that any security choices made on the Local intranet zone might impact regular Windows drive mappings. The Advanced button allows sites to be added manually. By default, the sites added to this location must be protected by using the HTTPS protocol to ensure site location authenticity, but this option is often deselected.


Note 

The Local intranet zone is disabled by default for non-domain computers.

Trusted Sites Zone

Sites placed in the Trusted Sites zone have minimal restrictions and a Medium security level, but are not protected by Vista's Protected Mode. Most actions and content will be allowed to execute without user intervention. Even the highest risk actions only require the user to acknowledge before they proceed. Unlike the Local intranet zone, the Trusted Sites zone does not include Web sites by default. New sites can be required to be protected by HTTPS, the default, or just unsecured HTTP.


Note 

The Trusted Sites zone's default security level in IE 6 was Low.

Restricted Sites Zone

The Restricted sites zone, as its name implies, restricts most non-HMTL content and activity by default. The security level is High. The only activity allowed without user intervention is pop-up ad blocking and font downloading. By default, no sites are within this zone. The Restricted sites zone has no HTTPS requirement option.

Most users won't have any entries here because if the Web site is high risk, they should not go there. With that said, if a user plans on visiting a high-risk Web site, they should put the Web site's domain name here, although don't expect IE's High security level setting to prevent all attacks. Malicious Web sites often have unknown "zero-day" attacks or use social engineering methods to trick the user into executing malicious code.

You can also create your own IE security zones programmatically or using registry edits, however, these zones are not easy to configure and cannot be accessed using the IE GUI. For more information, see http://www.blogs.msdn.com/ie/archive/2005/01/26/361228.aspx. I hope that Microsoft creates an easy way for an unlimited number of new zones to be easily created and configured in the future. Why they have not done this already is a mystery. Next, this chapter will cover in detail each IE security setting and their default settings in each of default zones.

Zone Security Settings

IE 7 has over 45 separate security settings that can be customized for each IE security zone. Each one is summarized here along with general recommendations. Recommendations differing from Microsoft's default settings will be noted where applicable.

.NET Framework-Loose XAML

XAML files are markup files that use Extensible Application Markup Language (XAML), which is the user interface markup language for .NET 3.0's Windows Presentation Foundation (WPF) platform. See http://www.en.wikipedia.org/wiki/XAML for more details. Loose XAML is a new .NET capability that allows a user to launch any XAML file on their hard disk (or a URL link on a web page) and run it within a browser without compilation. Loose XAML is a markup language and can only render existing content, making it a low security risk. It is enabled for all zones except for Restricted sites.

.NET Framework-XAML Browser Applications

This security setting covers, for lack of a better description, non-loose XAML, which is compiled and must be run within the confines of a browser. As with Loose XAML, it is low risk, and enabled by default in all zones except for Restricted sites.

.NET Framework-XPS Documents

The XML Paper Specification (XPS) is Microsoft's newest document format. Royalty-free, XPS uses WPF to render a document on the screen the same as when it is printed. Many see XPS as competitor to Adobe's PDF format. XPS doesn't appear to have the sophistication of PDF, and as such, probably isn't much of a security risk. Microsoft has enabled it in all security zones except for Restricted sites.

.NET Framework-Reliant Components-Run Components Not Signed with Authenticode

The .NET Framework is Microsoft's client-server programming environment (with some loose comparison to Java's virtual machine environment). .NET is the dominant form of programming across the Windows platform.

Code is signed to prove authorship. Authenticode is Microsoft's digital signing mechanism for authenticating code, scripts, and ActiveX controls. Any software publisher (vendor) can purchase an Authenticode digital certificate for code signing.

Running an unsigned component means that you cannot automatically authenticate who created and initially distributed the component (and whether or not it is untrusted). Microsoft allows unsigned components to run automatically in all zones but the Restricted zone. I believe Microsoft was too lax on this setting. It should be set to disabled in Internet and Restricted sites zone.


Note 

This option and the next may not be available unless you have also installed the .NET Framework client software.

.NET Framework-Reliant Components-Run Components Signed with Authenticode

Signed code is rarely a problem. Signed code can contain bugs and viruses (we hope that these would be unknown to the signer at the time the code was signed), but it is not common. If you trust the signed code to be non-malicious, you can accept it to run automatically. There have been instances where spyware and adware companies used signed code to distribute their largely unwanted software. Microsoft enables this in all zones, but the Restricted zone. Because of the spyware and adware issues, we suggest this setting be set to Prompt in the Internet zone.

ActiveX Controls and Plug-Ins-Allow Previously Unused ActiveX Controls to Run Without Prompting

This setting instructs IE to allow previously installed ActiveX controls that have never been run before to execute without warning the user. Hackers often take advantage of rarely used, but installed controls. Microsoft has rightly disabled this setting in the Internet and Restricted sites zones.

ActiveX Controls and Plug-Ins-Allow Scriptlets

Scriptlets refers to Dynamic HTML (DHTML) scriptlets, which were deprecated in IE 5. In the past, there were a few malicious exploits that used DHTML scriptlets. For that reason, Microsoft has correctly disabled them in all security zones except the Local intranet zone.

ActiveX Controls and Plug-Ins-Automatic Prompting for ActiveX Controls

ActiveX controls can be virtually any content, executable, or script delivered over a network through IE. Java applets are even delivered as ActiveX controls, in most cases. Windows uses dozens to hundreds of ActiveX controls. Most aren't needed in IE and one of the big changes in IE 7 is to not allow any ActiveX control to run in IE by default, except those expressly authorized by the user or admin. This is the opposite behavior for IE 6.x and before.

This particular setting determines whether or not the user will be prompted by a pop-up dialog box to install an ActiveX control or plug-in. If disabled, the Web site will attempt to download and execute the content, but IE will not prompt the user with a dialog box. Instead (if IE 6.x XP SP2 or higher is installed) the user will be warned on the yellow information bar about an ActiveX control needing to be installed. The information bar warning is less obvious than a pop-up dialog box in the middle of the browser window.

Microsoft enables this option in the Local intranet zone and disables it in the rest. How this setting is configured to is up to the user, although I always like to be prompted in an obvious manner for any ActiveX controls that are trying to be installed. Otherwise, a Web site feature may fail and the cause of the failure might not be readily apparent.

ActiveX Controls and Plug-Ins-Binary and Script Behaviors

Binary behaviors (http://www.msdn.microsoft.com/workshop/browser/behaviors/howto/creating.asp) were introduced in IE 5.5 and allow binary programs to be linked to and control HTML content. A binary behavior is a compiled object that can interact directly with the underlying OS. Its code cannot be read or examined using normal view source commands. They can be used to do many malicious things from a web page.

Prior to Windows XP SP2 and Windows Server 2003 SP1 (where this setting first arrived), there was no way to prevent a binary behavior in any IE security zone, including sites residing in the Restricted sites zone. Now, by default, binary behaviors are disabled in the Restricted sites zone, but allowed in the rest. We believe that binary behaviors are too powerful to be allowed from any Internet site. Accordingly, this option should be set to Disabled (or Administrator approved) for all zones, unless needed.

ActiveX Controls and Plug-Ins-Display Video and Animation on a Web Page That Does Not Use External Media Player

If enabled, this setting could allow an untrusted media player to execute active content within a Web site. Microsoft has correctly disabled this setting for all security zones.

ActiveX Controls and Plug-Ins-Download Signed ActiveX Controls

Signed ActiveX controls usually present little risk unless signed by a spyware or adware vendor. IE prompts the user to approve on zones except for the Restricted sites. These defaults are acceptable.

ActiveX Controls and Plug-Ins-Download Unsigned ActiveX Controls

Unsigned ActiveX controls are highly risky and, generally, should be disabled, or set up to prompt if you plan to come in contact with needed unsigned controls. Microsoft correctly disables them in all zones.

ActiveX Controls and Plug-Ins-Initialize and Script ActiveX Controls Not Marked as Safe for Scripting

Once ActiveX controls or plug-ins (plug-ins are usually ActiveX controls) are downloaded-which is the option being decided in the two options mentioned previously-there is still the matter of whether to execute them. Vendors can mark their ActiveX controls as Safe for Initialization and Safe for Scripting. The first option determines whether the control can be initialized (i.e., started and executed). The second option is whether it can be directed by scripting, which means it could have different outcomes based upon the script. If both options are selected, then any web page can invoke them.

The idea is that if the vendor determines the control is safe (that is, can't be used in a harmful way), then why not let other web pages and programmers re-use the control? Unfortunately, there is no official guidance or testing tool that a vendor can run to find out if their "safe" control is really safe. In more than a dozen different exploits over the years, a control marked safe for scripting, was used to do something malicious.

In this particular option, IE is asking whether or not to allow web pages to initialize and script controls that are not marked safe? Considering that controls marked safe for scripting are potentially dangerous, ones that were tested and not found to be safe by their vendors definitely should not be allowed to run. Microsoft disables them in all zones. The default settings are good.

ActiveX Controls and Plug-Ins-Run ActiveX Controls and Plug-Ins

This setting has a huge impact on IE. It determines whether IE can run ActiveX controls and plug-ins at all, regardless of their safety, and regardless of whether they are signed or unsigned. Disabling this feature defeats many, if not most, exploits that have attacked IE over the years. Unfortunately, it is such an all-or-nothing proposition that disabling it causes problems with many popular Web sites.

Microsoft enables this option by default in all zones, but the Restricted sites zone, where it is disabled. This is an acceptable default. However, if you are worried about a widespread, malicious IE vulnerability that cannot be stopped by disabling this option, consider disabling this option until a patch or other alternative defense can be applied.

Alternately, IE can be instructed only to allow administrator-approved controls to run. In order to use this option, you must use group policy, an administrative template, a security template, or the IE Administrator's Kit-and know the control's CLSID.

ActiveX Controls and Plug-Ins-Script ActiveX Controls Marked Safe for Scripting

This setting discusses whether controls previously marked "safe" can be scripted. This is one of the toughest calls because ActiveX controls that were thought to be safe for scripting have been involved in many vulnerabilities over the years, but disabling it causes problems with many legitimate Web sites. Microsoft enables it by default in all zones except the Restricted sites zone, where it is disabled. This is an acceptable default. However, if you are worried about a widespread, malicious IE vulnerability that can be stopped by disabling this option, consider disabling this option until a patch or other alternative defense can be applied.

Downloads-Automatic Prompting for File Downloads

This setting determines whether the user will be prompted by a pop-up dialog box for normal file downloads. In most cases, the answer should be yes. It is always nice to know when a Web site is trying to download content. If this option is disabled, and the next option is enabled, then the user will download and potentially execute files without a primary acknowledgement (although the user may be prompted to confirm a download location). That particular situation would be harder to defend. Microsoft disables this for all zones, except for the Local intranet. This option should be enabled on all zones.

Interestingly, when this setting is disabled, most file downloads still prompt the user before proceeding. Internet Explorer contains a hard coded list of file types (by file extension) that the warning dialog box cannot be disabled for. They are:

  • ASP

  • BAS

  • BAT

  • CHM (IE5 only)

  • CMD

  • COM

  • EXE

  • LNK

  • INF

  • REG

  • ISP

  • PCD

  • MST

  • PIF

  • SCR

  • HLP

  • HTA (IE5 only)

  • JS

  • JSE

  • URL

  • VBS

  • VBE

  • WS

  • WSH

Downloads-File Download

Disabling this option prevents all file downloads. If the previous option is enabled, it is usually safe to enable this option. Microsoft enables this option in all zones, but in the Restricted sites zone where it is disabled. The defaults are acceptable.

Downloads-Font Download

This option determines whether IE HTML fonts, normally needed for the correct presentation of a web page, can be downloaded automatically. It is enabled in all zones by default, except the Restricted sites zone where it is set to Prompt. The default settings are good.

Enable .Net Framework Setup

If enabled, this will prevent .NET Framework from being installed. It is enabled in all zones except Restricted sites.

Java VM-Java Permissions

This setting will not appear unless the Java Virtual Machine (JVM) component has been installed. Microsoft's default settings are acceptable.

Miscellaneous-Access Data Sources Across Domains

This setting determines whether a web page can retrieve data from another server located in a different domain. If set to disabled, it will only allow data to be retrieved from the same server the originating web page is being served from or from another server in the same domain. A few exploits have been accomplished when this setting is enabled. Most Web sites access data on servers in the same domain. If this feature is not needed, keep it disabled. Microsoft disables it in most zones, but prompts it in the Local intranet zone. The default settings are acceptable in most cases.

Miscellaneous-Allow META REFRESH

A Meta-Refresh is an HTML command that instructs a browser to refresh the current web page after a periodic interval. It can also be used to re-direct a user, without their permission, to another web page. It has been used maliciously many times, but as long as other critical vulnerabilities are patched, there is little risk. Legitimate use of Meta-refreshes is common. Microsoft enables this option in all zones, but the Restricted sites zone. The default option is normally okay.

Miscellaneous-Allow Scripting of Internet Explorer Web Browser Control

This is a new option in IE 6.x XP SP2, although the control is not. The Web browser control is a stand-alone ActiveX control that can be used by programmers to add a mini-HTML browser to their application. After a few vulnerabilities were found by enabling this option by default, Microsoft disables it in all zones except for the Local intranet. The default option is acceptable.

Miscellaneous-Allow Script-Initiated Windows Without Size or Position Constraints

This option determines whether or not a Web site can open a new IE window anywhere and of any size. Unscrupulous web advertisers often make oddly sized browser screens (i.e. either very small or very large) to make it difficult on the user to close the pop-up advertising window. It is disabled by default in all zones except Restricted sites. This is an acceptable default choice.

Miscellaneous-Allow Web Pages to Use Restricted Protocols for Active Content

You can define, in the zone registry settings, which protocols and port numbers are allowed in a particular zone. Using this setting you can define whether or not Web sites in this zone can use protocols and port numbers not explicitly defined in the registry. Microsoft has this option set to Prompt in most zones, and disabled in the Restricted sites. The default options are acceptable.

Miscellaneous-Allow Websites to Open Windows Without Address or Status Bars

Many malicious Web sites and adware try to fool users by opening windows without addresses or status bars. This is disabled for Internet and Restricted sites zones, and enabled for Local intranet and Trusted Sites zones. The defaults are acceptable.

Miscellaneous-Display Mixed Content

This option determines whether or not you will be prompted if a web page tries to display content from a HTTP and HTTPS communications streams at the same time. In IE 6, if it was set to Prompt, they could receive the following "Security Information" message on the web pages that contain both secure (https) and nonsecure (http) content:

     This page contains both secure and nonsecure items.

Do you want to display the nonsecure items?

This is a very common occurrence on HTTPS Web sites, although to be truly secure they should never mix content types. All but the security paranoid disable this feature, even though Microsoft's default on all zones is Prompt. The default is acceptable unless you are particularly worried about spoofed HTTPS Web sites.

This option has been enhanced in IE 7 and users will no longer see the mixed-content dialog box prompt shown previously. IE7 will only render the secure content by default, and offers the user the opportunity to unblock the not secure content using the new Information Bar. This is an excellent change because in previous versions of IE, the user was asked the question without really knowing the difference between the secure and not secure content. Now, they will see the secure content first, separated from the non-secure content. Besides preventing some types of malicious attacks, it will prevent a lot of Web site advertising.

Miscellaneous-Don't Prompt for Client Certificate Selection When No Certificates or Only One Certificate Exists

This setting was introduced in IE 5.5 SP1. When this option is set to Enable, IE does not prompt the user with a "Client Authentication" message when it connects to a Web site that has no certificate or only one certificate. When Disabled, IE will display the following "Client Authentication" message even if the Web site does not have a certificate or has only one certificate:

     Identification

The Web site you want to view requests identification.
Select the certificate to use when connecting.

Microsoft enables it in the Local intranet zone and disables elsewhere. This is an acceptable setting, although it also means that you may be sending your identity to the connected server.

Miscellaneous-Drag and Drop or Copy and Paste Files

Determines whether files and folders can be dragged and dropped between client and server, or whether files and folders can be copied and pasted between client and server. Strangely, if disabled in the Internet zone, it will not allow the described options between mapped drives on your computer if the NetBIOS shares were mapped using IP addresses instead of names. Dragging and dropping files is also helpful for FTP and WebDAV operations. Microsoft enables this setting in all zones except Restricted sites, where it is set to prompt. There is little misuse possible, so the defaults are acceptable. The one attack type the authors are aware of involves a timing attack where the user is tricked into overwriting an unintended file in an unintended location. This has been proven in theory, and even demonstrated a few times. However, this type of attack has never been used in a widespread manner, so Prompt should be acceptable.

Miscellaneous-Include Local Directory Path When Uploading Files to a Server

Enabled on all zones except for Restricted sites by default, it passes along the local directory path when uploading files using HTTP or FTP (within IE). Defaults are acceptable.

Miscellaneous-Installation of Desktop Items

Determines whether or not a Web site can install shortcuts and content to the user's desktop. Should be disabled or set to Prompt in most zones. Microsoft set it to Prompt in all zones, except for the Restricted sites zone, where it is disabled. The defaults are acceptable.

Miscellaneous-Launching Applications and Unsafe Files

Determines whether or not the hard coded file types listed previously can be launched or their associated programs executed. This is Enabled on the Local intranet, disabled on Restricted sites zone, and set to Prompt on the Internet and Trusted Sites zones. The defaults are acceptable.

Miscellaneous-Launching Programs and Files in an Iframe

Determines whether programs and files can be executed in an inline floating IE frame (IFRAME). Several vulnerabilities have used this feature over the years. It should be set to Prompt or Disabled. Microsoft sets it to prompt in all zones except where it disables it in the Restricted sites zone. The defaults are acceptable.

Miscellaneous-Navigate Sub-Frames Across Different Domains

Determines whether it is possible to open up a child sub-frame that references a server located in a different domain than its parent. A malicious Web site could mimic a legitimate Web site by inserting a window as a frame within the legitimate Web site's window. This feature was used in a few exploits years ago, but now is not considered overly dangerous. Microsoft disables this setting in all zones, except for the Local intranet zone. I prefer to set the option to Prompt in the Internet zone for usability reasons.

Miscellaneous-Open Files Based on Content, Not File Extension

This option determines whether IE will read the first 200 bytes of a file's header to determine if the file meets the MIME Type the Web site claims it to be. If the extension matches the MIME type, IE does not check the file header. But if there is a disagreement, IE reads the file header in an attempt to determine the correct MIME Type. It has been enabled in all zones except for the Restricted sites zone. We would Enable it there as well.

Miscellaneous-Software Channel Permissions

This setting specifies the computer's level of access for Web-based software distribution channels. The possible values are: High Safety/Low Safety/Medium Safety

  • High Safety: Prevents users from being notified about software updates by e-mail, software packages from being automatically downloaded to users' computers, and software packages from being automatically installed on users' computers.

  • Medium Safety: Notifies users about software updates by e-mail, and allows software packages to be automatically downloaded to (but not installed on) users' computers. The software packages must be validly signed; users are not prompted about the download.

  • Low Safety: Notifies users about software updates by e-mail, allows software packages to be automatically downloaded to users' computers, and allows software packages to be automatically installed on users' computers.

The Internet zone and Local intranet zones are set to Medium safety. The Trusted Sites zone is set to Low safety. The Restricted sites zone is set to High safety. The selections are reasonable.

Miscellaneous-Submit Non-Encrypted Form Data

This option determines whether HTML pages in the zone can submit unencrypted forms to or accept unencrypted forms from servers in the zone. Forms sent using SSL are always allowed. This option is usually enabled, except for Restricted sites where it is set to Prompt. The defaults are good.

Miscellaneous-Use Phishing Filter

Enabling this filter tells IE 7 to send each new domain URL to Microsoft's anti-phishing servers for inspection before allowing the page to be displayed. If a site has been defined as fraudulent, the user is warned. It slows down web surfing, but increases security significantly. It should be enabled on zones except Local intranet sites (because it isn't needed and only affects performance), and these are the Microsoft defaults.

Miscellaneous-Use Pop-Up Blocker

Determines whether the built-in pop-up blocker is turned on. As with the previous setting, this should be enabled for all zones, except the Local intranet. This is the Microsoft default, as well.

Miscellaneous-Userdata Persistence

Determines whether a Web site can save a data about the user or the current session on the user's hard drive, much like a cookie would be able to do. This feature is used by many legitimate Web sites, and although it can possibly be used maliciously, it's best to leave it turned on. The mischief caused by enabling this is limited to tracking-no code execution or exposure of local data (unless you count browsing habits). Microsoft leaves it turned on by default for all zones, but the Restricted sizes zone and this is acceptable.

Miscellaneous-Web Sites in Less Privileged Web Content Zone Can Navigate into This Zone

This setting prevents less privileged content from initiating new connections into higher privileged zones. This was created to defeat a new type of malicious attack. Microsoft has this option enabled in most zones, but disabled in the Restricted sites zone. It should be disabled by default in the Internet zone.

Scripting-Active Scripting

This setting determines whether scripting is allowed in IE. If turned off, this disables JavaScript and VBScript engines. Although many IE exploits rely on scripting to work, so do most Web sites. Leave this enabled unless you are trying to defend against a widespread attack that cannot be stopped by using alternative defenses. Microsoft enables on all zones except the Restricted sites zone and this is acceptable.

Scripting-Allow Programmatic Clipboard Access

In previous versions of IE, a malicious Web site could script language to copy the data last used in the Clipboard application (from user's Edit, Copy, Edit, Paste operation) to their Web site. Users and administrators often use the Clipboard to copy long and complex passwords during a logon sequence. This vulnerability could potentially let a malicious Web site see confidential data.

This option used to be called "Allow paste operations via script" in previous versions. See http://www.sourcecodesworld.com/special/clipboard.asp to determine if your browser is vulnerable to paste operations manipulations. In IE 6, Microsoft enabled this option in all zones except the Restricted sites zone. In IE 7, this value is set to Prompt in the Internet and Trusted Sites zones, enabled in the Local intranet zone, and Disabled in the Restricted sites zone. It should be disabled on all zones unless needed. When set to prompt, the user will see a dialog box, similar to Figure 4, when a Web site attempts to access the Clipboard.

Image from book
Figure 4: Internet Explorer asking for confirmation before letting a Web site use the Clipboard for pasting operations

Note 

A developer, malicious or legitimate, can add their program's executable to the \HKLM\Software\Microsoft\Windows\Internet Explorer\Main\FeatureControl\registry key (see http://www.msdn.microsoft.com/library/default.asp?url=/library/en-us/IETechCol/cols/dnexpie/clipboard_scriptaccess.asp for more details) to bypass the warning prompts.

Scripting-Allow Status Bar Updates Via Script

This option determines whether a Web site can update the status bar using a script. Some malicious Web sites use scripts to fraudulently modify IE's status bar, such as indicating whether SSL is enabled or not. It is correctly disabled for Internet and Restricted sites zones.

Scripting-Allow Websites to Prompt for Information Using Scripted Window

This setting determines whether a Web site can query IE for personal information (for example, your e-mail address). Microsoft has appropriately turned it off in the Internet and Restricted sites zones.

Scripting-Scripting of Java Applets

This determines whether Java applets can be scripted. Although there have been dozens of Java exploits found over the years, only one has ever been widespread. The overall risk is low. You can enable the scripting of Java applets on all zones except the Restricted sites zone, which is the Microsoft default.

User Authentication

Last, this option determines how IE responds to a request for the browser to authenticate the user. In previous versions of IE, IE would always respond to authentication requests by trying to log in with the current user's name and password. Unfortunately, it is possible for malicious Web sites to force unprotected Windows computers to use older, weaker authentication protocols (LAN Manager), which are easy to crack.

A common ploy for a spammer was to send the victim a spam e-mail that contained a 1-pixel graphic (called a web spider or beacon) that needed to be downloaded from the spammer's malicious web server to display in the e-mail. Previous versions of Outlook and Outlook Express would attempt to download the graphic automatically to display in the e-mail. The hostile Web site would request user authentication to download the web spider, and tell the victim's computer that it only understands the LM authentication protocol. Thus, all the victim did was open an e-mail and their computer was sending back their login name and password in an easily hackable format.

Now IE will only send the user's current logon name and password if the site is listed in the user's Local intranet sites zone. Otherwise, IE will try to logon anonymously or prompt the user for their logon name and password. IE's default settings are acceptable.

Table 1 summarizes IE's default zone security settings. We make practical recommendation changes as highlighted in parenthesis where appropriate.

Table 1: Summary of Internet Explorer 7's Security Zone Settings
Open table as spreadsheet

DEFAULT SETTING PER ZONE (AND RECOMMENDATION IF THEY VARY FROM MICROSOFT'S DEFAULTS)

SETTING

INTERNET

LOCAL INTRANET

TRUSTED SITES

RESTRICTED SITES

Default Security level

Medium-High

Medium-Low

Medium

High

Protected Mode

On

On

Off

Off

.NET Framework-Loose XAML

Enable

Enable

Enable

Disable

.NET Framework-XAML browser applications

Enable

Enable

Enable

Disable

.NET Framework-XPS documents

Enable

Enable

Enable

Disable

.NET Framework-reliant components-Run components not signed with Authenticode

Enable (Disable or Prompt)

Enable (Disable or Prompt)

Enable (Disable or Prompt)

Disable

.NET Framework-reliant components-Run components signed with Authenticode

(Enable Prompt)

Enable

Enable

Disable

ActiveX controls and plug-ins-Allow previously unused ActiveX controls to run without prompting

Disable

Enable

Enable

Disable

ActiveX controls and plug-ins-Allow Scriptlets

Disable

Enable

Disable

Disable

ActiveX controls and plug-ins-Automatic prompting for ActiveX controls

Disable

Enable

Disable

Disable

ActiveX controls and plug-ins-Binary and script behaviors

Enable (Disable or Prompt)

Enable (Disable or Prompt)

Enable (Disable or Prompt)

Disable

ActiveX controls and plug-ins-Display video and animation on web page that does not use external media player

Disable

Disable

Disable

Disable

ActiveX controls and plug-ins-Download signed ActiveX controls

Prompt

Prompt

Prompt

Disable

ActiveX controls and plug-ins-Download unsigned ActiveX controls

Disable

Disable

Disable

Disable

ActiveX controls and plug-ins-Initialize and script ActiveX controls not marked safe for scripting

Disable

Disable

Disable

Disable

ActiveX controls and plug-ins-Run ActiveX controls and plug-ins

Enable

Enable

Enable

Disable

ActiveX controls and plug-ins-Script ActiveX controls marked safe for scripting

Enable

Enable

Enable

Disable

Downloads-Automatic prompting for file downloads

Disable (Enable)

Enable (Enable)

Disable (Enable)

Disable

Downloads-File download

Enable

Enable

Enable

Disable

Downloads-Font download

Enable

Enable

Enable

Disable

Enable .NET Framework setup

Enable

Enable

Enable

Disable

Java VM-Java Permissions*

High safety

Medium safety

High safety

Disable Java

Miscellaneous-Access data sources across domains

Disable

Prompt

Disable

Disable

Miscellaneous-Allow META REFRESH

Enable

Enable

Enable

Disable

Miscellaneous-Allow scripting of Internet Explorer web browser control

Disable

Enable

Disable

Disable

Miscellaneous-Allow script-initiated windows with size or position constraints

Disable

Enable

Disable

Disable

Miscellaneous-Allow web pages to use restricted protocols for active content

Prompt

Prompt

Prompt

Disable

Miscellaneous-Allow Web sites to open windows without address or status bars

Disable

Enable

Enable

Disable

Miscellaneous-Display mixed content

Prompt

Prompt

Prompt

Prompt

Miscellaneous-Don't prompt for client certificate selection when no certificates or only one certificate exists

Disable

Enable

Disable

Disable

Miscellaneous-Drag and drop or copy and paste files

Enable

Enable

Enable

Prompt

Miscellaneous-Include local directory path when uploading files to a server

Enable

Enable

Enable

Disable

Miscellaneous-Installation of desktop items

Prompt

Prompt

Prompt

Disable

Miscellaneous-Launching applications and unsafe files

Prompt

Enable

Prompt

Disable

Miscellaneous-Launching programs and files in an IFRAME

Prompt

Prompt

Prompt

Disable

Miscellaneous-Navigate sub-frames across

Disable (Prompt)

Enable

Disable

Disable

Miscellaneous-Open files based on content, not file extension

Enable

Enable

Enable

Disable (Enable)

Miscellaneous-Software channel permissions

Medium safety

Medium safety

Medium safety

High safety

Miscellaneous-Submit non-encrypted form data

Enable

Enable

Enable

Prompt

Miscellaneous-Use Phishing Filter

Enable

Disable

Enable

Enable

Miscellaneous-Use Pop-up Blocker

Enable

Disable

Enable

Enable

Miscellaneous-User data persistence

Enable

Enable

Enable

Disable

Miscellaneous-Web sites in less privileged web content zone can navigate into this zone

Enable (Disable)

Enable

Enable

Disable

Scripting-Active Scripting

Enable

Enable

Enable

Disable

Scripting-Allow Programmatic clipboard access

Prompt (Disable or Prompt)

Enable (Disable)

Prompt (Disable)

Disable

Scripting-Allow status bar updates via script

Disable

Enable

Enable

Disable

Scripting-Allow Web sites to prompt for information using scripted window

Disable

Enable

Enable

Disable

Scripting-Scripting of Java applets

Enable

Enable

Enable

Disable

User Authentication

Automatic only in Intranet zone

Automatic only in Intranet zone

Automatic only in Intranet zone

Prompt for username and password

IE Advanced Settings

Advanced settings apply consistently across all IE security zones. Some of the settings complement or override the options available in the separate security zones. In general, settings chosen here win over the individual settings in the security zones (but not always). For that reason, a user or administrator must be aware not to set configuration options in conflict with one another. These issues are noted when applicable.

There are over 60 different Advanced settings in IE 7. This section of the chapter will cover only the settings that can purposely affect IE's overall security.

Browsing-Disable Script Debugging (Internet Explorer or Other)

This is two separate options that tell IE whether or not to check for script errors. If enabled, as is the default, it disables this ability. This is usually only useful for programmers. If enabled, IE warns the user when script errors are located. Malicious Web sites often have code bugs so disabling this feature would show an interested programmer the coded mistake automatically, if they wanted to know. The delineation between IE script debugging and other foreign debuggers is new to the latest versions of IE.

Browsing-Display a Notification About Every Script Error

If enabled, IE displays a notification message about every error it encounters in a script. It is disabled by default and this is usually an acceptable choice. Like the last option, there is little to gain by enabling this feature unless the user is a programmer and looking for security coding issues.

Browsing-Enable Third-Party Extensions

Extensions allow a browser's functionality to be enhanced and extended. Although many legitimate programs install extensions, so too does malware, spyware, and adware. Microsoft enables this by default. If legitimate extensions are not needed, disable.

Browsing-Use Inline Autocomplete

Disabled by default, this feature determines whether IE's AutoComplete feature (which automatically tries to fill in requested information, such as a user's name and address) does so when a Web site form requests stored information. It can be used maliciously by a remote Web site by tricking the browser into serving up otherwise confidential information or locally by an unauthorized user. Keep disabled unless needed.

International-Send UTF-8 URLS

UTF-8 encoding allows a user to use URLs that include non-ASCII and foreign language characters, regardless of the language of the user's' operating system and browser language. Without UTF-8 encoding, a web server must be based on the same language code page as that of the user's to correctly render URLs containing non-ASCII or foreign characters. Disabling would prevent some URL obscurity spoofing attacks, such as the double-byte encoding, but would cause problems with many legitimate Web sites. Microsoft has it enabled by default and it should probably stay that way.

Other  
 
video
 
Video tutorials
- How To Install Windows 8

- How To Install Windows Server 2012

- How To Install Windows Server 2012 On VirtualBox

- How To Disable Windows 8 Metro UI

- How To Install Windows Store Apps From Windows 8 Classic Desktop

- How To Disable Windows Update in Windows 8

- How To Disable Windows 8 Metro UI

- How To Add Widgets To Windows 8 Lock Screen

- How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010
programming4us programming4us
programming4us
 
 
programming4us