Tuesday, October 31, 2006

How to harden IE 7 Security

Excellent article on hardening IE7 at http://www.helpwithwindows.com/techfiles/ie7-surf-safe.html

The article got my attention from Brian Livingston's newsletter on windowssecrets.com, which added some extra bits.

Most useful bit:



How to configure IE 7 to protect yourself



Just because certain features are enabled in IE 7, that doesn't mean you have to leave them on and expose yourself to
rogue examples of such code in the future. Shown below is a concise list of the way Arie
recommends that you configure Internet Options in IE 7 to protect your system.


In IE 7, click Tools, Internet Options, and then select the Security tab. With
the Internet zone selected, the security level by default should be set to
Medium-High. Click the Custom Level button. Set the following choices:




  • .NET Framework
    • Loose XAML: Disable
    • XAML browser applications: Disable
    • XPS documents: Disable




  • ActiveX controls and plug-ins
    • Binary and script behaviors: Disable
    • Run ActiveX controls and plug-ins: Disable
    • Script ActiveX controls marked safe for scripting: Disable





  • Downloads
    • Font download: Disable
    • Enable .NET Framework setup: Disable




  • Enable .NET Framework setup: Disable




  • Miscellaneous
    • Allow META REFRESH: Disable
    • Allow Web pages to use restricted protocols for active content: Disable
    • Display mixed content: Disable
    • Drag and drop or copy and paste files: Disable
    • Installation of desktop items: Disable
    • Launching applications and unsafe files: Disable
    • Launching programs and files in an IFRAME: Disable
    • Navigate sub-frames across different domains: Disable
    • Software channel permissions: Maximum Safety
    • Submit non-encrypted form data: Disable
    • Userdata persistence: Disable
    • Web sites in less privileged Web content zone can navigate into this zone: Disable




  • Scripting
    • Active scripting: Disable
    • Allow programmatic Clipboard access: Disable
    • Scripting of Java applets: Disable



Some of the above settings will interfere will the operation of some legitimate
Web sites. I'll describe in the following section how to work around this.






Firefox is still a better browser than IE 7



Changing IE 7's default settings can remove
some functionality from Web sites you may regularly visit. For example,
disabling "active scripting" turns off _JavaScript. Many sites use _JavaScript to
activate various menu options. For example, the menu at the WindowsSecrets.com
site (but not in the newsletter) shows you what second-level options are
available when you hover your mouse over a top-level option.

We've designed the menu at our site so it works (less slickly) even if _JavaScript is disabled
in a visitor's browser. For example, you can simply click a top-level menu item
and the resulting page then shows your
second-level choices.

But not all sites have this kind of fall-back design. Here are my
recommendations on how to use the Web effectively, despite the fact that you've
made IE 7 more secure:


• Use Firefox, not IE 7. Firefox is inherently a more secure browser that
Internet Explorer, even version 7.0. For example,
Firefox is not vulnerable to Secunia's test of the MHTML hole that IE 7 (and IE
6 and IE 5) suffers from.

Most sites today work with both Firefox and IE (and other major browsers, such
as Opera, Netscape, and Mac Safari). Sites that really
require IE are declining. If you haven't already installed Firefox, the new version 2.0 can
be downloaded from the Mozilla
release notes page. (Be sure
to read
the notes before installing.)


• Add legitimate IE-only sites to the Trusted Sites zone. If you encounter
a site that you know to be responsible — but it requires Internet Explorer for
some reason — you can easily add the site to IE's Trusted Sites zone. In IE 7,
pages in the Trusted Sites zone run at the Medium security level (not
Medium-High as in the Internet zone) and aren't restricted by the customizations
you've applied to the Internet zone.

To add a Web address to the Trusted Sites zone in IE, click Tools, Internet
Options, and then select the Security tab. Select the Trusted Sites zone, click
the Sites button, and add the address of the site you wish to visit. If the site
doesn't use encrypted pages, turn off the option Require server verification
(https:) for all sites in this zone.


It's even easier to add an address to your Trusted Sites if you install
Microsoft's Power Tweaks Web Accessories from the company's
download page. This applet inserts an option called Add to Trusted Zone
right on IE's Tools menu. (Microsoft's download page says the download is only
for IE 5, but it works fine on IE 6 and IE 7.)


• Easily open pages in IE while in Firefox. If you use Firefox routinely,
you can quickly open an IE-only page in IE by clicking an icon on the Firefox
toolbar. To do this, install IE View, an
extension available from Mozdev.org. You can even set specific sites to
automatically open in IE, if you absent-mindedly surf to them in Firefox.


• Install IE 7 just to protect yourself against IE 6. If you run
Firefox or some other secure browser, you may wonder why you should upgrade to
IE 7 at all. The answer is that you might be induced to visit an IE-only site
some day, and that site turns out to be infected (deliberately or accidentally).
Browsing with IE 7 instead of IE 6 does provide you with better protection,
especially if you've made the changes shown above. To install IE 7, visit
Microsoft's download page.


• Why not just set IE 7's security level to "High"? It's always
possible to crank IE's Internet Zone up to the High security level instead of
Medium-High. Doing
this, however, makes most Web sites unusable, because IE then pops up a warning
every time some harmless page script runs. Sometimes, several warnings
appear on every page of a site. Using the customized settings shown above — and
adding respected companies to your Trusted Sites zone — provides
you with fairly good protection without subjecting you to such pointless
harassment.


No comments:

Post a Comment