This learning guide details the vulnerabilities associated with today's most commonly used Web browser, Microsoft Internet Explorer, and the ways in which you can defend your network from Web-related attacks. Any time a user on your network has access to the Web, which these days is almost always, an attacker can exploit flaws in the browser and in Windows to gain a foothold on your network. As a Windows security administrator, you need to be aware not only of Internet Explorer security flaws but also of how to recover from the resulting breaches when an attacker strikes. The Internet Explorer security learning guide offers advice on securing IE7 and surviving with IE6, discusses Web browser security settings and controls, and outlines how proper Web browsing can lead to a safer network.
Table of contents
- Internet Explorer security settings and controls
- Securing Microsoft Internet Explorer 7
- Securing Microsoft Internet Explorer 6

Internet Explorer security settings and controls
Web browser security settings, tools and user
controls
In many cases, Web browser security falls into the user's hands. You'll need to know not only how to prevent attackers from installing malware through the myriad Internet Explorer vulnerabilities but also how to recover from these attacks. The crux of this issue, as with many security-related IT issues, is the trade-off between security and functionality. If your Internet Explorer security settings are too loose, then it is easy for attackers to get past your network security. If your Web browser security settings are too tight, then your IE users may become frustrated, or certain Web sites might not display properly (or at all).
According to Windows security expert Brien Posey, "One of the
biggest keys to establishing
optimal Internet Explorer settings is to
make effective use of Internet Explorer zones." IE allows you to
configure each zone (Internet, Local Intranet, Trusted Sites and
Restricted sites) individually. Check out Posey's tip on
optimizing Internet Explorer security settings below, as well as
tips on how to deal with pop-ups and how to import restricted
sites into IE.
One of the biggest keys to establishing optimal Internet Explorer security settings is to make effective use of Internet Explorer zones. The Microsoft Web browser offers four security zones: Internet, Local Intranet, Trusted Sites and Restricted Sites. IE allows you to set a separate security level for each zone and to specify the sites that fall into each zone.
Local Intranet zone
By default, the Local Intranet zone has some rather loose permissions. If your company has a local intranet, then I recommend adding its URL to the Local Intranet zone. After doing so, you can tighten the zone so that it grants only the permissions your intranet actually requires. In doing so, you are reducing your Web browser's attack surface should someone slip an unauthorized site into this zone.
Trusted Sites zone
The Trusted Sites zone is intended for Web sites that you trust implicitly. If you are going to make use of the Trusted Sites zone, then you can leave the zone's security settings wide open. Otherwise, you should set the zone's security settings to the highest possible level to reduce the attack surface.
Expert recommendation: Add sites to the Trusted Sites zone only if you trust them implicitly. This is a strong statement, because there aren't many sites that you should trust implicitly. Security expert Brien Posey's personal philosophy is that "you should only include sites that are under your direct control in the Trusted Sites zone."
Restricted Sites zone
The Restricted Sites zone is for sites that you do not trust. Many people think that if a site is listed in the Restricted Sites list, Internet Explorer won't allow users to visit that site. This isn't the case. The Restricted Sites zone won't stop users from visiting the sites in the zone; it merely provides a way for you to flag sites that you consider malicious so that they run under the zone's restrictive settings.
You should set the security levels for the Restricted Sites zone to the point that absolutely nothing can run. The real trick, though, is figuring out which Web sites to add to the zone. After all, you certainly don't want to go around visiting questionable Web sites to find out whether they are malicious or not.
Spyware Blaster is a tool that maintains a large list of Web sites that are known to be malicious and can automatically import that list into Internet Explorer's Restricted Sites zone. You can then import this information into a Group Policy and use it to protect all of the computers on your network.
See this guide for Brien's instructions on importing a restricted site list and deploying it through Group Policy.
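As an added example (not the Posey guide's own procedure or Spyware Blaster's code), the PowerShell below pushes a host list into the Restricted Sites zone for the current user by writing the same ZoneMap\Domains registry entries that the Internet Options dialog writes, reads the result back, and shows the machine-wide key that the "Site to Zone Assignment List" Group Policy setting populates. The host names are constructed for the example; the registry paths and the zone number 4 are the ones Internet Explorer itself uses.

```powershell
# Added example, not the Posey guide's procedure: push a host list into the
# Restricted Sites zone (4) for the current user by writing the same
# ZoneMap\Domains entries the Internet Options dialog writes, read it back, and
# show the machine-wide path the "Site to Zone Assignment List" policy uses.
$DomainsRel = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Add-IERestrictedSite {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [string]$Scheme = '*',   # value name: '*' = any protocol, or 'http' / 'https'
        [int]$Zone = 4           # value data: 4 = Restricted Sites
    )
    # IE keys the map on the registrable domain, with any remaining labels as one
    # subkey: login.phish.example -> Domains\phish.example\login\<scheme> = 4.
    $labels = $HostName.ToLowerInvariant().TrimEnd('.').Split('.')
    if ($labels.Count -lt 2) { throw "need a second-level domain, got '$HostName'" }
    $rel = "$DomainsRel\" + ($labels[-2..-1] -join '.')
    if ($labels.Count -gt 2) { $rel += '\' + ($labels[0..($labels.Count - 3)] -join '.') }
    $key = [Microsoft.Win32.Registry]::CurrentUser.CreateSubKey($rel)
    try { $key.SetValue($Scheme, $Zone, [Microsoft.Win32.RegistryValueKind]::DWord) }
    finally { $key.Close() }
    "HKCU\$rel"
}

function Get-IERestrictedSites {
    # Walk the map and rebuild a host name for every value that points at zone 4.
    Get-ChildItem -Path "HKCU:\$DomainsRel" -Recurse | ForEach-Object {
        $key = $_
        $parts = $key.Name.Substring($key.Name.IndexOf('\Domains\') + 9).Split('\')
        $hostName = if ($parts.Count -gt 1) { $parts[1] + '.' + $parts[0] } else { $parts[0] }
        foreach ($v in $key.GetValueNames()) {
            if ($key.GetValue($v) -eq 4) {
                [pscustomobject]@{ Host = $hostName; Scheme = $v }
            }
        }
    }
}

function Add-IESiteToZonePolicy {
    # Machine-wide equivalent: the registry footprint of the Group Policy setting
    # "Site to Zone Assignment List" (Internet Explorer > Internet Control Panel >
    # Security Page). The value name is the URL pattern and the data is the zone
    # number as a string. Needs an elevated prompt.
    param([Parameter(Mandatory)][string]$Pattern, [int]$Zone = 4)
    $pol = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey(
        'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings')
    try {
        $pol.SetValue('ListBox_Support_ZoneMapKey', 1, [Microsoft.Win32.RegistryValueKind]::DWord)
        $map = $pol.CreateSubKey('ZoneMapKey')
        try { $map.SetValue($Pattern, [string]$Zone, [Microsoft.Win32.RegistryValueKind]::String) }
        finally { $map.Close() }
    } finally { $pol.Close() }
}

# Constructed sample list in the one-host-per-line shape a blocklist export uses.
$sampleList = @'
malware.example
tracker.ads.example
# comments and blank lines are skipped

login.phish.example
'@

$sampleList -split "`r?`n" |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and -not $_.StartsWith('#') } |
    ForEach-Object { Add-IERestrictedSite -HostName $_ }

Get-IERestrictedSites | Format-Table -AutoSize

try { Add-IESiteToZonePolicy -Pattern '*.phish.example' }
catch { Write-Warning "policy key not written (run elevated): $($_.Exception.Message)" }
```

The per-user map is what the dialog and Spyware Blaster write, so it is the right place to verify an import; the policy key is what to use for a fleet, because it is rewritten at every Group Policy refresh and a user cannot remove entries from it through the dialog.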
Internet zone
The only remaining zone on the list is the Internet zone. Any site that does not fall into the zones we have already discussed becomes part of the Internet zone by default. Microsoft sets the Internet zone to a security level of Medium so that most Web sites will display correctly without being able to do too much damage. Of course, PCs can become infected by spyware just by visiting a malicious site, so the Medium security level doesn't really offer as much protection as it should. You can tweak the security level to meet your needs, but at a minimum it is recommended that you disable anything related to ActiveX. Few legitimate Web sites use ActiveX any more, but ActiveX is a favorite tool for spyware authors. If you are concerned about functionality, you could always try disabling it on a trial basis.
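As an added example (not part of Posey's tip or of this guide), the following PowerShell reads the per-user zone settings that the Internet Options dialog writes and disables the ActiveX-related URL actions in the Internet zone and then in Restricted Sites. The registry path, the zone numbers and the URL action codes are the ones Internet Explorer uses; note that the dialog hides a fifth zone (0, My Computer), and that IE7 raised the Internet zone default from Medium to Medium-high.

```powershell
# Added example, not code from the guide: audit the per-user IE zone settings
# and disable the ActiveX-related URL actions in a zone. Zone numbers:
# 0 = My Computer (hidden from the dialog), 1 = Local Intranet, 2 = Trusted Sites,
# 3 = Internet, 4 = Restricted Sites. HKLM\...\Zones applies instead of HKCU only
# when the "Security Zones: Use only machine settings" policy (Security_HKLM_only) is on.
$ZoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'
                3 = 'Internet';    4 = 'Restricted Sites' }

# CurrentLevel values IE writes for its built-in templates.
$LevelNames = @{ 0x10000 = 'Low'; 0x10500 = 'Medium-low'; 0x11000 = 'Medium'
                 0x11500 = 'Medium-high'; 0x12000 = 'High' }

# URL action codes (registry value names) for the ActiveX-related settings.
# Data: 0 = Enable, 1 = Prompt, 3 = Disable.
$ActiveXActions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe for scripting'
    '1405' = 'Script ActiveX controls marked safe for scripting'
}
$StateNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-IEZoneReport {
    # One row per zone and ActiveX action, showing what the user currently gets.
    foreach ($zone in 0..4) {
        $props = Get-ItemProperty -Path (Join-Path $ZoneRoot $zone) -ErrorAction SilentlyContinue
        $level = 'Custom'
        if ($null -ne $props.CurrentLevel -and $LevelNames.ContainsKey([int]$props.CurrentLevel)) {
            $level = $LevelNames[[int]$props.CurrentLevel]
        }
        foreach ($code in $ActiveXActions.Keys) {
            $raw = $props.$code
            $state = if ($null -eq $raw) { 'not set (template default)' }
                     elseif ($StateNames.ContainsKey([int]$raw)) { $StateNames[[int]$raw] }
                     else { "unknown ($raw)" }
            [pscustomobject]@{
                Zone = $ZoneNames[$zone]; Level = $level
                Action = $ActiveXActions[$code]; State = $state
            }
        }
    }
}

function Disable-IEZoneActiveX {
    # Sets every ActiveX-related action in the zone to Disable (3). IE then shows
    # the zone as "Custom" in Internet Options because the values no longer match a template.
    param([Parameter(Mandatory)][ValidateRange(0, 4)][int]$Zone)
    $key = Join-Path $ZoneRoot $Zone
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($code in $ActiveXActions.Keys) {
        Set-ItemProperty -Path $key -Name $code -Value 3 -Type DWord
    }
}

# Usage: review the current state, then lock down the Internet zone (3) and
# Restricted Sites (4) and confirm the change. Run as the user whose profile you
# are hardening; for a fleet, deliver the same values through Group Policy instead.
Get-IEZoneReport | Where-Object { $_.Zone -in 'Internet', 'Restricted Sites' } | Format-Table -AutoSize
Disable-IEZoneActiveX -Zone 3
Disable-IEZoneActiveX -Zone 4
Get-IEZoneReport | Where-Object { $_.Zone -eq 'Internet' } | Format-Table -AutoSize
```

Writing the individual action values rather than CurrentLevel is deliberate: a template level only sets the defaults, and a later template change would silently re-enable ActiveX, whereas explicit action values survive until something overwrites them (which is also why the audit function reports "not set" separately from an explicit Enable).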
Prevent network hacks with secure Web browsing
Secure Web browsing is often overlooked when
mapping out security priorities in the enterprise. A few extra
minutes here and there, however, can help you prevent network
hacks that give attackers access to your business critical
data.
With this series of tips, you can decrease the likelihood that the Web and Internet Explorer will be used as an avenue into your network. Get additional information on troubleshooting the latest version of Internet Explorer, Internet Explorer 7 (IE7), configuring IE7 for Vista, best practices for secure Web browsing in the enterprise and more.
Controlling Web surfing with Content Advisor
One tool that helps you mitigate the security threats lurking on
the Web is
Microsoft's Content Advisor.
Controlling Internet surfing
Unfortunately, there isn't a magical Group Policy setting within
the Windows operating system that allows you to instantly ban
casual Web surfing. The closest thing that Microsoft gives us is
Internet Explorer's Content Advisor. The
basic idea behind the Content Advisor feature is that it allows
you to set the level of language, nudity, sex and violence that
users can view.
While this probably sounds like a perfect solution, you need to be aware of two issues. First, Content Advisor only addresses language, nudity, sex and violence. It makes no provision for other types of offensive content. The other problem with Content Advisor is that it works on site ratings that the site's own developers assign in each of those four categories. The developers of some potentially offensive Web sites will purposely give their sites ratings that reflect inoffensive content as a way of circumventing Content Advisor. More often, though, a Web site simply will not have a rating at all.
Content Advisor does address sites with no ratings though. It
can be configured so that users are not permitted to visit sites
that have no rating. Of course, if users have a legitimate business
need to surf the Web, then a blanket denial of sites with no
content ratings could pose a problem. You do, however, have the
option of adding a list of approved Web sites or of allowing a
supervisor to enter a password that allows a user to view otherwise
restricted content.
Content Advisor can be configured either at the individual
workstation level or through a Group Policy. To configure the
Content Advisor on an individual PC, open Internet Explorer and
select the Internet Options command from the Tools menu. Then,
select the properties sheet's Content tab and click the Settings
button found in the tab's Content Advisor section. This will reveal
the various Content Advisor settings.
You can manipulate the same settings through a Group Policy. You
can find the necessary settings in the Group Policy Editor at User
Configuration | Windows Settings | Internet Explorer Maintenance |
Security. The settings you need are found under the Security Zones
and Content Ratings Group Policy Object.
Controlling spyware in IE
Response: It sounds like your system is infected with
spyware that's not easily removable. Check out my
Malware removal handbook to learn various
steps you can take to get your system up and running. Of the
steps, I recommend running the free PestPatrol for starters.
I've found it to be very beneficial in finding and removing
spyware. You could also try the free Windows Defender beta as
well. The more tools you use to scan the better off you'll be in
this situation.
Additional information on spyware removal:
- Windows System Configuration Utility: An unexpected antispyware tool
The System Configuration Utility, a tool designed to manage programs during Windows system startup, can also be used in the battle against spyware. Contributor Brien M. Posey suggests using the SCU and Sysinternals' Autoruns as spyware discovery tools that help detect spyware that automatically starts with your system.
- Which is the best antispyware?
How do you choose the best antispyware product? Don't compare the products, compare the reviews of the products. This consolidation of antispyware reviews and rankings points to a top product.
- Windows Security Clinic: Rooting out a rootkit
As if you didn't have enough to worry about with all the viruses, worms and spyware dilemmas plaguing your Windows environment -- now you have to think about rootkits. In this Windows Security Clinic, our "doctors" diagnose and troubleshoot a user problem that reeks of a rootkit.
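As an added example (not code from any of the articles listed above), the PowerShell below does the first triage that the System Configuration Utility and Autoruns do for you: it enumerates the Browser Helper Objects that load inside Internet Explorer and the Run/RunOnce entries that start with Windows, resolves each to its file and checks the file's Authenticode signature. The registry paths are the standard Windows ones; the helper names are this example's own. Run it from an elevated prompt so the machine hives are readable.

```powershell
# Added example, not code from the articles above: enumerate the Browser Helper
# Objects and Run/RunOnce entries that load with Internet Explorer and Windows,
# resolve each to a file and check its Authenticode signature. Run elevated so
# the machine hives are readable; on 32-bit Windows the Wow6432Node keys are simply absent.
$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$BhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$ClsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID'
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
    'HKCU:\SOFTWARE\Classes\CLSID'   # per-user COM registration is a favourite hiding place
)

function Resolve-ClsidPath {
    # A BHO is an in-process COM server; its DLL is the default value of InprocServer32.
    param([string]$Clsid)
    foreach ($root in $ClsidRoots) {
        $p = Join-Path (Join-Path $root $Clsid) 'InprocServer32'
        if (Test-Path $p) {
            $dll = (Get-ItemProperty -Path $p).'(default)'
            if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
        }
    }
    return $null
}

function Get-ExecutableFromCommand {
    # Run values are command lines; strip quoting and arguments to get the file.
    param([string]$Command)
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($c, '^(.+?\.(exe|dll|cmd|bat|scr))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $c.Split(' ')[0]
}

function Get-IEAutostartReport {
    $items = @()
    foreach ($k in $BhoKeys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($sub in Get-ChildItem -Path $k) {
            $items += [pscustomobject]@{ Source = 'BHO'; Name = $sub.PSChildName; Path = Resolve-ClsidPath $sub.PSChildName }
        }
    }
    foreach ($k in $AutostartKeys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($name in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name) {
            $items += [pscustomobject]@{ Source = $k; Name = $name; Path = Get-ExecutableFromCommand $props.$name }
        }
    }
    foreach ($i in $items) {
        # Valid, NotSigned, HashMismatch or UnknownError; anything but Valid deserves a look.
        $status = if (-not $i.Path) { 'unresolved' }
                  elseif (-not (Test-Path -LiteralPath $i.Path)) { 'file missing' }
                  else { (Get-AuthenticodeSignature -FilePath $i.Path).Status.ToString() }
        $i | Add-Member -NotePropertyName Signature -NotePropertyValue $status -PassThru
    }
}

# Usage: unsigned or missing BHOs and Run entries are the classic spyware
# footholds that the System Configuration Utility and Autoruns surface.
Get-IEAutostartReport | Sort-Object Signature | Format-Table Source, Name, Signature, Path -AutoSize
```

A valid signature is not proof of innocence and an unsigned file is not proof of guilt, but an unsigned DLL registered as a BHO from a per-user CLSID, or a Run entry whose file no longer exists, is exactly the kind of finding that deserves the follow-up the articles above describe.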