
Internet Explorer 7 Desktop Security Guide Enhancing Security for Desktop Users

Published July 2007

For the latest information, see http://www.microsoft.com/ie

Version 2.0

Copyright © 2007 Corporation. All rights reserved. Complying with the applicable copyright laws is your responsibility. By using or providing feedback on this documentation, you agree to the license agreement below.

If you are using this documentation solely for non-commercial purposes internally within YOUR company or organization, then this documentation is licensed to you under the Creative Commons Attribution-NonCommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

This documentation is provided to you for informational purposes only, and is provided to you entirely "AS IS". Your use of the documentation cannot be understood as substituting for customized service and information that might be developed by Microsoft Corporation for a particular user based upon that user’s particular environment. To the extent permitted by law, MICROSOFT MAKES NO WARRANTY OF ANY KIND, DISCLAIMS ALL EXPRESS, IMPLIED AND STATUTORY WARRANTIES, AND ASSUMES NO LIABILITY TO YOU FOR ANY DAMAGES OF ANY TYPE IN CONNECTION WITH THESE MATERIALS OR ANY INTELLECTUAL PROPERTY IN THEM.

Microsoft may have patents, patent applications, trademarks, or other intellectual property rights covering subject matter within this documentation. Except as provided in a separate agreement from Microsoft, your use of this document does not give you any license to these patents, trademarks or other intellectual property.

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e- addresses, logos, , places and events depicted herein are fictitious.

Microsoft, Windows, ActiveX, Authenticode, Excel, Internet Explorer, MSDN, Outlook, Windows , and are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

You have no obligation to give Microsoft any suggestions, comments or other feedback ("Feedback") relating to the documentation. However, if you do provide any Feedback to Microsoft then you provide to Microsoft, without charge, the right to use, share and commercialize your Feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft software or service that includes the Feedback. You will not give Feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties because we include your Feedback in them.

Contents

Executive Summary
Introduction: Increasing
  Managing
Security Zones
  Modifying Zone in Internet Explorer 7
  Zone Determination
  Changes to the Security Zone Model in Internet Explorer 7
  Other Security Settings
New Security Features in Internet Explorer 7
  Internet Explorer Protected Mode
  ActiveX Opt-in
  Cross-Domain Scripting Attack Protection
  Security Status Bar
  Filter
Recommendations for Increased Security
  Zone Security Recommendations
    Enable Zone Elevation Protection
    Do not allow users to add/delete sites from Security Zones
    Do not allow users to change policies for Security Zones
    Do Not Configure Security Zones: Use Only Machine Settings
  Certificate Security Recommendations
    Prevent users from navigating to sites that have certificate errors
  Active Content Security Recommendations
    Restrict ActiveX Install
    Add ActiveX controls and plug-ins to pre-approved list
    Disable in response to specific threats
    Enable Scripted Window Security Restrictions
  Reducing Application Privilege Recommendations
    Turn on Protected Mode in Windows Vista
    Use DropMyRights with Windows XP
  Privacy Settings Recommendations
    Set the Privacy Slider to at least Medium
    Empty folder when browser is closed
    Set Form options to Disabled
    Configure Logon options for each Security Zone
    Enable the Phishing Filter
  Other Security Settings Recommendations
    Do not save encrypted pages to disk
    Disable Automatic Install of Internet Explorer components
    Disable Periodic Check for Internet Explorer software updates
    Disable software update shell notifications on program launch
    Make proxy settings per machine (rather than per user)
    Turn off Crash Detection
    Restrict File Download
    Disable Allow File Downloads for Restricted Sites Zone
    Enable Data Execution Prevention
    Do not allow users to enable or disable add-ons
    Ensure Consistent MIME Handling
    Enable MIME Sniffing Safety Features
    Display the Information Bar
    MK Protocol Security Restriction
    Object Caching Protection
    Block attachments that could contain a virus in
Summary
Appendix A: Internet Explorer 7 Settings Checklist

Executive Summary

One of the biggest challenges facing vendors is defining default security settings. If the default settings are too restrictive, users have basic problems with the functionality of the browser. But if the settings are not restrictive enough, users are susceptible to attack from malicious software or malicious users. Finding the right balance of functionality and security is critical to ensure both safety and ease of use, but it is often difficult to obtain due to varying user needs. For example, home and business users will often have different requirements.

Vendors typically define default security settings to allow the greatest usability based on calculated risk. Basing decisions on attack scenarios, weighting factors required to exploit and other user scenarios, a vendor selects values for default security settings for them to function well in a wide range of environments. For most home users, these default choices are usually sufficient to meet their browsing needs and keep them protected from most attacks.

However, some home and business users of Microsoft® Internet Explorer® have more specific requirements, and typically they need to define their own settings based on unique requirements. For example, users in large enterprise environments may be required to comply with government regulations to protect financial data and customer information stored on servers on their network.

In a continuing effort to increase browser security, Internet Explorer 7 offers users more protection than previous versions of the browser through a combination of new features and more secure default settings. In keeping with the need to balance security and usability, the default values for these new features and settings have been configured to offer the best choice for a broad range of users. For more information about new features and settings, download the Internet Explorer 7 Technology Overview from the Windows Internet Explorer Web page.
This white paper examines some of these new features and settings that you can modify to provide a more "locked down" security configuration. This paper does not provide a complete review of all settings, nor is the guidance in it specifically equivalent to the Enhanced Server Configuration for Windows Server® 2003. The settings and features this paper discusses offer additional security guidance for the broadest impact on most users and administrators. This paper discusses both the Windows Vista® and Windows® XP versions of Internet Explorer.

Administrators and system owners can use the guidance in this paper to tighten security settings in the browser to meet their specific needs. The document is structured to provide a description and review of the settings and features the paper discusses. Microsoft recommendations for enhancing the default security settings in some common deployment scenarios are also provided.

Note: In many cases, administrators can use the Internet Explorer Administration Kit (IEAK) to create a customized build of Internet Explorer to deploy across the enterprise, and then use to enforce those settings. This paper does not discuss the IEAK in detail, but you can use many of the settings described in this paper to create a custom package.

Introduction: Increasing Browser Security

Internet Explorer 7 builds on the security improvements made to the browser that are available to users running Windows XP Service Pack 2 (SP2). Windows XP SP2 introduced hundreds of security enhancements to both the and . The security enhancements to the browser focused on tightening security settings and allowed behaviors, along with introducing new features such as the pop-up blocker. These changes helped users gain more control over their systems and close off attack vectors, but attackers continue to find vectors they can exploit.

Some of the changes made to Internet Explorer 7 were simply modifications to default settings to further close off avenues of attack. Internet Explorer 7 also contains several new features designed to deal with new exploits, and some features designed to prevent entire classes of attacks. Each new feature has default settings to protect users and prevent security compromise.

As mentioned previously, the default security settings for Internet Explorer 7 are designed to provide users with a powerful balance between usability and security. Microsoft invests a great deal of effort to find the proper balance to meet the needs of most users and organizations. This paper examines ways to increase security by modifying settings grouped into four main categories:

• Security Zones
• ActiveX® Controls
• Privacy Settings
• Other Security Settings

Each area contains at least one subcategory that provides fine levels of control over each security setting. For example, the Privacy Settings section covers security settings for features and functionality such as Cookies, User History, Form entry, and Password data.

This paper focuses on Internet Explorer 7 security. However, any review of securing an application must also include information about host level security. To avoid any gaps between the application and the operating system, you must maintain and update both regularly.
Microsoft recommends installing all operating system updates using tools such as Windows Server Update Services (WSUS), Systems Management Server (SMS) 2003 or Automatic Updates to keep systems current with all available updates. In addition, customers are encouraged to register to receive technical security notifications from the Microsoft Technical Security Notifications page.

Managing Internet Explorer 7

Internet Explorer is one of the most used applications on the desktop system. Although the browser does not produce business documents like Microsoft Word or Excel®, it is at the center of many business activities. Proper administration is required to ensure that systems function as expected and users are prevented from making changes that would create support issues. Microsoft provides business customers with tools that help meet these needs, depending on the size and complexity of the organization.

The two main options that you can use for centralized administration of the settings in Internet Explorer 7 are the Internet Explorer Administration Kit (IEAK) 7 and Group Policy objects (GPOs) in an Domain Service (AD DS) infrastructure. This paper is intended to be a resource for administrators to use to increase the security of desktop deployments regardless of company size. There are some settings that you can only configure using either the IEAK or GPOs, but not both. However, this paper provides setting information for both resources wherever possible.

To help administrators select the right setting management solution for their environment, it is important to understand more about both of these resources. In general, the IEAK is for organizations that manage environments without an AD DS infrastructure, or for those groups and organizations that want to provide a customized version of the browser, complete with custom settings and options.
The IEAK allows administrators to easily build a custom configuration settings file that is applied during installation setup. Administrators using the IEAK to build custom packages can define settings for many, but not all, Internet Explorer 7 settings. For more information about the configuration options for the browser, see the Internet Explorer Administration Kit Guidelines Web page on Microsoft TechNet.

Installations performed with an IEAK package only maintain settings until the user changes them. For installations created using the Internal Distribution – Corporate Intranet mode, IEAK settings can be reapplied at specified intervals to ensure that user configurations align with company defined standards. Selecting the new Reset Internet Explorer Settings option reverts the installation to the customized settings applied by your organization, reverts ActiveX Opt-In settings to their defaults and disables, but does not remove, all toolbars and extensions installed on the computer.

Using GPOs provides you with the ability to create well defined installation configurations that are regularly updated by policy controls to prevent user changes. You can use GPO settings to control hundreds of settings and options within Internet Explorer 7. Working with GPO settings is more complex than using the IEAK. Once you define and apply a GPO template, all affected managed systems follow that configuration unless an administrator changes it. Many attempted user changes are simply ignored or disallowed. In other cases, changes may be possible but they will be reset to enterprise defaults at the next policy application.

Microsoft recommends that enterprise customers use GPOs in an AD DS infrastructure where possible to ensure that security settings remain enforced or unchanged.
Security Zones

Internet Explorer 7 offers administrators a unique security feature that is unavailable in most other browsers: the ability to define security settings for different Web site classes. Unlike other browsers, Internet Explorer 7 determines the level of security for a given Web page by categorizing it into a URL security zone based on the origin of the Web page.

The five security zones are Local Machine (not visible in the Internet Explorer user interface), Internet, Local intranet, Trusted sites, and Restricted sites. Web sites on the local computer are grouped into the Local Machine zone, remote servers are in the Internet security zone, and Web sites on a local network are in the Intranet zone. Web sites on servers identified by the user or administrator as potentially malicious are placed in the Restricted sites zone. Web sites on servers identified by the user or administrator as trusted are in the Trusted sites zone.

Note: On computers that are not joined to a domain, the Local intranet zone is disabled, and the sites that would normally be accessed in the Local intranet zone are opened in the Internet zone instead. The Local Machine zone is not visible in the Internet Explorer user interface.

Different levels of security are appropriate for each of these zones. To facilitate this, Internet Explorer uses URL security zone templates. Five templates are available by default: high, medium-high, medium, medium-low, and low. The security zones are mapped to these URL templates to determine the security level as shown in the following table:

| Security zone | Security level (URL security zone template) | Description |
|---|---|---|
| Local Machine | Custom | Content found on the user's computer (except for content that Internet Explorer caches on the local system) is treated with a high level of trust. This zone cannot be configured from within Internet Explorer. |
| Internet | Medium-High | The Internet zone consists of all Web sites that are not included in the other zones. |
| Local intranet (only available for domain-joined computers) | Medium-low | All sites in this zone should be inside the firewall, and proxy servers should be configured so that an external Domain Name System (DNS) name cannot be resolved to this zone. |
| Trusted sites | Medium | Sites in the Trusted sites zone are allowed to perform a wider range of operations and prompt users to make fewer security decisions. Sites should only be added to this zone if you trust all of its content never to perform any harmful operations on your computers. |
| Restricted sites | High | This zone is designed to contain sites considered untrustworthy. The default settings for this zone control and restrict Web features, but do not block access to the site. Sites can be added by the user or enforced by Group Policy. |

Note: In addition to these zones, there are corresponding locked-down zones that are not visible in the Internet Explorer user interface. The locked down zones are used for protocols specified in the Network Protocol Lockdown setting in Group Policy.

The URL security zone templates specify which actions Web pages can perform. For example, the High URL Security Zone template specifies that Web pages cannot run or use Microsoft ActiveX controls or scripting, so by default if a user visits a site in the Restricted sites zone, they will be unable to use that functionality. For more information about URL security zones and templates, see the MSDN® article "About URL Security Zones."

Modifying Zone Settings in Internet Explorer 7

There are three ways that users can modify the zone settings in the Internet Options dialog box:

• The user can use the security zone slider on the Security tab to change which URL Security Zone template (security level) is used for the zone. For example, the user could change the security level for the Internet Zone from Medium-High to Medium.
• The user can enter custom settings for a particular zone by clicking the Custom Level button on the Security tab.
• The user can add specific sites to a zone by clicking the Sites button on the Security tab (this option is not available for the Internet zone, because that zone is for all sites not contained in the other zones).

Note: The behavior of the Sites button is different for the Local intranet zone. In this case the Sites button allows you to determine if the intranet network is automatically detected (the default) or which criteria should be used. You can choose to include all local (intranet) sites not included in other zones, all sites that bypass the proxy server, and all Universal Naming Convention (UNC) network paths. It is still possible to add specific sites to the Local intranet zone by clicking the Advanced button in the settings dialog box.

Often, administrators want to restrict the ability of users to modify zone settings. For more information about how you can achieve this, see the "Recommendations for Increased Security" section later in this paper.

Zone Determination

While the basic concept of zone security permissions is easy to understand, the logic behind zone determination is often unexplained but useful to understand for effective desktop system management. The core of the determination process is based on input to the Address bar in Internet Explorer, not based on DNS IP value responses or netmask values. As a general rule, zone determination rules center around the user input to the Address bar.

The following rules are used by default to determine the zone in which a site opens:

• Any sites listed in the Restricted sites zone open in that zone.
• Any sites listed in the Trusted sites zone open in that zone.
• Any sites listed in the Local intranet zone open in that zone.
• Sites that are on the proxy bypass list open in the Local intranet zone.
• Entries in the Address bar that do not include a period and can be resolved to a site open in the Local intranet zone (for example http://local).
• Other sites open in the Internet zone.

Note: It is not possible to add a site to more than one zone.

It is important to note that these rules sometimes mean that intranet sites open in the Internet zone. For example, if an intranet site is referred to by an IP address or a fully qualified domain name (FQDN), the site will open in the Internet zone, because the name includes periods.
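The default rules above, written out as an added Python example (not code from the original paper or from Internet Explorer itself). The `ZoneConfig` class, its site lists, the `.test` host names and the `resolvable` set that stands in for name resolution are constructed assumptions, and site-list matching is simplified to exact host names.

```python
from urllib.parse import urlsplit

RESTRICTED = "Restricted sites"
TRUSTED = "Trusted sites"
INTRANET = "Local intranet"
INTERNET = "Internet"


def _norm(hosts):
    return {h.lower() for h in hosts}


class ZoneConfig:
    """Hypothetical model of one machine's zone configuration."""

    def __init__(self, restricted=(), trusted=(), intranet=(),
                 proxy_bypass=(), resolvable=(), domain_joined=True):
        self.restricted = _norm(restricted)
        self.trusted = _norm(trusted)
        self.intranet = _norm(intranet)
        self.proxy_bypass = _norm(proxy_bypass)
        # Assumption: single-label names that would resolve on this network.
        self.resolvable = _norm(resolvable)
        self.domain_joined = domain_joined


def host_of(address):
    """Return the host part of what was typed into the Address bar."""
    text = address.strip()
    if "://" not in text:
        text = "http://" + text
    try:
        return (urlsplit(text).hostname or "").lower()
    except ValueError:
        return ""


def determine_zone(address, cfg):
    """Apply the default rules in the order the paper lists them."""
    host = host_of(address)
    if host in cfg.restricted:
        return RESTRICTED
    if host in cfg.trusted:
        return TRUSTED
    looks_intranet = (
        host in cfg.intranet
        or host in cfg.proxy_bypass
        # No period in the name, and the name resolves to a site.
        or (host != "" and "." not in host and host in cfg.resolvable)
    )
    if looks_intranet:
        # Without domain membership the Local intranet zone is disabled and
        # these sites open in the Internet zone instead.
        return INTRANET if cfg.domain_joined else INTERNET
    return INTERNET


def intranet_sites_in_internet_zone(addresses, cfg):
    """Audit helper: internal addresses that end up in the Internet zone."""
    return [a for a in addresses if determine_zone(a, cfg) == INTERNET]


# Constructed sample data for illustration only.
SAMPLE = ZoneConfig(
    restricted=["ads.example.test"],
    trusted=["partner.example.test"],
    intranet=["wiki.corp.example.test"],
    proxy_bypass=["build.corp.example.test"],
    resolvable=["local", "payroll"],
)
INVENTORY = [
    "http://payroll",
    "http://payroll.corp.example.test/",
    "http://10.0.0.5/app",
    "http://wiki.corp.example.test/",
]

if __name__ == "__main__":
    for address in INVENTORY:
        print(f"{address:40} -> {determine_zone(address, SAMPLE)}")
    print("Open in Internet zone:",
          intranet_sites_in_internet_zone(INVENTORY, SAMPLE))
```

Running the audit over an inventory of internal links shows which ones users reach by FQDN or IP address and therefore get Internet zone settings unless the site is listed explicitly.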

Changes to the Security Zone Model in Internet Explorer 7

Internet Explorer 7 introduces some important changes to the Security Zone model to help increase security and avoid unwanted exposure of sensitive data. The most notable change is that the Local intranet zone for computers that are not joined to a domain has been removed. Removing this zone helps to improve security by reducing the attack surface of the browser through eliminating the possibility that Web sites can be viewed in the lower security context that typically applies to the Local intranet zone.

After reviewing attack vectors and configuration options, there was no viable scenario requiring the low or medium-low settings for the Internet zone. Therefore the security zone slider for the Internet security zone cannot be set any lower than medium.

Other Security Settings

Not all security settings are zone-specific. Internet Explorer 7 also includes security-related settings that are not zone-specific. These settings are found on the Privacy, Content, and Advanced tabs in the Internet Options dialog box, and are discussed in more detail later in this paper.

New Security Features in Internet Explorer 7

It is possible for malicious Web sites to compromise the client computers that you manage. Internet Explorer 7 includes technologies that help prevent the installation of unwanted software, and technologies that help guard against unauthorized transmission of personal data to greatly increase browser security and privacy protection. New security technologies in Internet Explorer 7 include:

• Internet Explorer Protected Mode
• ActiveX Opt-in
• Cross-domain scripting attack protection
• Security Status bar
• Phishing Filter
• Additional security features

Internet Explorer 7 is available for both the Windows Vista and Windows XP operating systems. Windows Vista enhances the Internet Explorer experience. For example, some features available in Internet Explorer 7, such as Protected Mode and Parental Controls, are not available when using the browser on client computers running Windows XP. This section of the paper discusses each of these security technologies and features.

Internet Explorer Protected Mode

Internet Explorer Protected Mode is only available for Internet Explorer 7 in Windows Vista. It adds additional defenses to help enable a safer Internet browsing experience for users. In addition, Protected Mode helps to prevent malicious users from taking over a user’s browser and executing code through elevated privileges.

Protected Mode helps reduce previous software vulnerabilities in the extensions for the browser by eliminating the possibility of using them for the silent installation of malicious code. Protected Mode uses mechanisms with higher integrity levels in Windows Vista that restrict access to processes, files, and registry keys to accomplish this goal. The Protected Mode application programming interface (API) enables software vendors to develop extensions and add-ons for Internet Explorer that can interact with the and registry while the browser is in Protected Mode.

In Protected Mode, Internet Explorer 7 runs with reduced permissions to help prevent user or system files or settings from changing without the user’s explicit permission. The new browser architecture also introduces a "broker" process that helps to enable existing applications to elevate out of Protected Mode in a more secure way. This prevents downloading data outside of the low-rights directories in the browser, such as the Temporary Internet Files folder.

Protected Mode is enabled by default for all users, except when a user is logged on to the built-in Administrator account. Other accounts with administrator permissions run in Protected Mode by default. You can disable Protected Mode by using either a launch option or a registry/GPO configuration. Starting Internet Explorer 7 on Windows Vista without Protected Mode requires the user to right-click the icon, click Run as Administrator, type valid higher permission authentication credentials, and then press ENTER.
Protected Mode is enabled by default in Internet Explorer 7 for all security zones except the Trusted sites zone. However, users can disable the mode, which reduces overall security. More information about locking down Protected Mode is included later in this paper.

ActiveX Opt-in

In previous versions of Internet Explorer, administrators would need to disable ActiveX controls to protect against attacks. Internet Explorer 7 offers a powerful new security mechanism for the ActiveX platform to help protect user information and computer systems. ActiveX Opt-in automatically disables all controls that are not explicitly allowed by the user. This mitigates the potential misuse of preinstalled controls.

The Information bar in Internet Explorer prompts users before they can access a previously installed ActiveX control that has not yet been used on the Internet. This notification mechanism enables the user to permit or deny access on a control-by-control basis, which helps further reduce the available surface area for attacks. Malicious users cannot use Web sites to launch automated attacks with ActiveX controls that were never intended to be used on the Internet.

Cross-Domain Scripting Attack Protection

New cross-domain script barriers help limit the ability of malicious Web sites to manipulate vulnerabilities in other Web sites. For example, before cross-domain scripting attack protection a user might visit a page on a malicious Web site that opens a new browser window containing a legitimate page (such as a banking Web site) that prompts the user to enter account information. This information could then be extracted by a script and made available to the attacker. With Internet Explorer 7, cross-domain scripting attack protection helps to ensure that these types of attacks will fail.

Security Status Bar

The Security Status bar provides users with clearer, more prominent visual cues about the identity of Web sites and the encryption they use. To learn more about the different colors and their meaning, please see the “Internet Explorer 7 Security Status Bar” on Microsoft.com.

One of the new features visualized by the Security Status Bar is Internet Explorer’s support for strong website identification through the use of Extended Validation SSL Certificates. To learn more about EV SSL, please visit the “Extended Validation SSL Certificates” page.

Phishing Filter

Phishing is a technique that many attackers use to trick computer users into revealing personal or financial information through an e-mail message or Web site. Phishers masquerade as a legitimate person or business to deceive people into revealing personal information, such as account passwords and credit card numbers. The Phishing Filter in Internet Explorer 7 advises users about suspicious or known phishing Web sites to help them more safely browse content on the Internet. The filter analyzes Web site content for known phishing techniques, and uses a global network of data sources to assess the trustworthiness of Web sites.

Developers who create fraudulent e-mail, online advertisements, and Web sites thrive on lack of communication and limited information sharing. The Phishing Filter in Internet Explorer 7, which uses an online service that is frequently updated, consolidates the latest industry information about fraudulent Web sites, and shares it with Internet Explorer 7 customers to help proactively warn and protect them.

The Phishing Filter combines client computer scans for suspicious Web site characteristics with an opt-in online service. The filter helps protect users from phishing scams in three ways:

• It compares the addresses of Web sites that a user attempts to visit with a list of known high-traffic sites stored on the user’s computer. If the site is found in that list, no further checks are performed.
• It analyzes Web sites that users want to visit by checking them for characteristics that are common to phishing sites.
• It sends the Web site address that a user attempts to visit to an online service Microsoft maintains that immediately checks it against a frequently updated list of phishing sites. These sites have been confirmed by reputable sources as fraudulent and reported to Microsoft.

Note: The online service used to track phishing Web sites is contacted asynchronously. If the service cannot be contacted, the page renders normally, and a message balloon appears in the status bar indicating that the service cannot be contacted.

Even if the site is unknown to the Phishing Filter service, Internet Explorer 7 can examine the behavior of the site and report to the user if it is doing anything suspicious, such as collecting user information without a Secure Socket Layer (SSL) certificate. In this way, the Phishing Filter helps to prevent a site from collecting user information before it has been officially reported.

When users run Internet Explorer 7, the Phishing Filter is configured by default to prompt users to enable or disable the filter. For more information about locking down Internet Explorer to prevent users from disabling the Phishing Filter, see the "Recommendations for Increased Security" section in this paper.

Recommendations for Increased Security

Increasing security from the default settings in Internet Explorer 7 requires more than simply adjusting the slider positions from one setting to another on the Security tab of the Internet Options dialog box—or merely moving the slider for each security zone to High. A dramatic security change such as this prevents most navigation and effectively renders the browser useless.

This section discusses a variety of changes that enterprise customers can make to their browser environment to increase general browser security without drastically affecting the functionality of Internet Explorer 7. The setting and feature recommendations are grouped into five categories:

• Zone Security
• Certificate Security
• Active Content Security
• Reducing Application Privilege
• Privacy Settings
• Other Security Settings

For a checklist of all the settings that Microsoft recommends that you consider, see "Appendix A: Internet Explorer 7 Settings Checklist" at the end of this paper. Each setting is explained in more detail in this section.

Note: In addition to configuring the settings discussed in this section, you may also want to use Group Policy to prevent some of the tabs (such as the Connections and Advanced tabs) in the Internet Options dialog box from displaying. However, even if you remove the corresponding tabs, you should also enforce the individual settings to prevent changes from being made through edits to the local registry.

Zone Security Recommendations

As mentioned earlier in this document, most of the security related settings in Internet Explorer are contained in the security zones. By default, users have the ability to make changes to these zones by altering the security level assigned to each zone, creating custom settings for each zone, and by adding sites to the Local intranet, Trusted sites, and Restricted sites zones.
In most enterprise environments, administrators should use Group Policy to lock down zone security, and prevent users from making many of these changes.

Enable Zone Elevation Protection

Internet Explorer places restrictions on each Web page that it opens. These restrictions depend on the location of the Web page (such as in the Internet zone, Local intranet zone, or Local Machine zone). Web pages on a local computer have the fewest security restrictions and reside in the Local Machine zone, which makes this zone a prime target for malicious attackers.

If you enable the Internet Explorer Processes (Zone Elevation Protection) setting, Internet Explorer processes can protect any zone from zone elevation. This approach helps prevent content that runs in one zone from gaining elevated privileges of another zone. If you disable this policy setting, no zone receives such protection for Internet Explorer processes.

Because of the severity and relative frequency of zone elevation attacks, Microsoft recommends configuring the Internet Explorer Processes (Zone Elevation Protection) setting to Enabled.

The following table includes the policy object name, and its location in Group Policy.

Policy object: Internet Explorer Processes (Zone Elevation Protection)
Location: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Protection From Zone Elevation
Recommended setting: Enabled

Do not allow users to add/delete sites from Security Zones

By default users can add and delete sites from the Local intranet, Trusted sites and Restricted sites zones. Adding a site to the Trusted sites zone, or removing one from the Restricted sites zone, could potentially cause malicious code to run on a computer. Microsoft recommends using Group Policy to prevent users from adding or deleting sites from security zones. Using Group Policy to enable the Do not allow users to add/delete sites setting also prevents a user from altering settings in the Local intranet zone.

The following table includes the policy object name, and its location in Group Policy.

Policy object: Security Zones: Do not allow users to add/delete sites
Location: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
Recommended setting: Enabled

Although Microsoft recommends enabling this setting, it can have an impact on user productivity, particularly when combined with additional restrictions to the Internet zone. In some cases, users may add sites to a less restricted zone when they cannot access the site in the Internet zone. If this capability is disabled, users may be unable to access some Web sites until an administrator adds the site to a less restrictive zone on their behalf.

Note: If you enable the Disable the Security page setting (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet ), the Security tab is removed from the interface and the Disable setting option takes precedence over this security zone setting.

Do not allow users to change policies for Security Zones

By default, users can change the security level for each zone by moving the zone slider on the Security tab in the Internet Options dialog box. They can also create custom settings for each zone. These options allow users to change any settings, potentially lowering security, and allowing malicious code to run. Microsoft recommends using Group Policy to prevent users from changing the security level or modifying security for security zones.

The following table includes the policy object name, and its location in Group Policy.

Policy object: Security Zones: Do not allow users to change policies
Location: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
Recommended setting: Enabled

Note: If you enable the Disable the Security page setting (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), the Security tab is removed from the interface and the Disable setting option takes precedence over this security zone setting.

Do Not Configure Security Zones: Use Only Machine Settings

This policy setting affects how security zone changes apply to different users. It is intended to ensure that security zone settings remain uniformly in effect on the same computer and do not vary from user to user. This setting ensures that only HKEY_LOCAL_MACHINE registry entries are evaluated when setting up security zones. However, if the setting is not configured or if it is disabled, both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER are evaluated.

This setting may be valuable in an environment in which multiple users use the same Windows account (such as for a Windows Terminal for guest access in a lobby), and for this reason, the Windows Vista Security Guide does enable this setting. However, under normal circumstances, when users are isolated from one another using separate Windows User Accounts, they do not influence each other's HKEY_CURRENT_USER settings. For this reason, this paper recommends that you do not configure this setting. Instead you can use other Group Policy settings to restrict users from changing zone settings, such as the other settings specified in this section.

The following table includes the policy object name, and its location in Group Policy.

Policy object: Security Zones: Use only machine settings
Location: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
Recommended setting: Not Configured

Certificate Security Recommendations

Secure communications between the browser and server require using certificates and SSL or Transport Layer Security (TLS) technology. Internet Explorer 7 supports SSL and TLS, and the new default settings have deprecated default support for SSL v2. Other changes to Internet Explorer 7 attempt to make users more aware of security issues or errors such as "expired" or "name mismatch" on certificates.

The default setting for Internet Explorer 7 is to show the user a certificate error warning advising to use caution before proceeding. The user is able to select an option and continue navigation. There are many valid reasons why a certificate contains errors, but publicly accessible well-maintained Web sites should not generate certificates with errors. This feature setting allows administrators to prevent users from "clicking through" a certificate warning, reducing the potential for malicious attack.

Prevent users from navigating to sites that have certificate errors

Over time certificates may be revoked or expire. In other cases the wrong certificate may be used for a particular Web page. By default, users are warned of certificate errors and allowed to continue navigating to the Web page. Although a revoked or expired certificate is not a security issue in its own right, it can be an indication that a site should no longer be trusted. Therefore, Microsoft recommends using Group Policy to prevent users from navigating to sites that have certificate errors.

Enabling this policy object will not cause performance issues, but may result in additional support requests from users unable to visit particular sites. Because sites listed in the Trusted sites zone are not affected by this setting, if a business critical site contains a certificate that has expired or has a name mismatch, you can add this site to the Trusted sites zone as a temporary workaround until the correct certificate is in place.

The following table includes the policy object name, and its location in Group Policy.

Policy object: Prevent Ignoring Certificate Errors
Location: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel
Recommended setting: Enabled

Active Content Security Recommendations

Microsoft introduced the ActiveX platform to provide Web developers with the ability to extend applications and functionality beyond that which is built in to the browser. Using the ActiveX platform, developers have built rich, interactive applications and integrated data from nearly any source. Although the ActiveX platform is designed with security in mind, and features such as Authenticode® help ensure code security, it is crucial that users follow guidelines to maintain its safety. This section provides security recommendations for ActiveX controls and other active content.

Restrict ActiveX Install

Users often choose to install software such as ActiveX controls that are not permitted by the security policy of their organization. This software can pose significant security and privacy risks to networks. To prevent unauthorized ActiveX controls from being installed, Microsoft recommends that you use Group Policy to block ActiveX control installation prompts for Internet Explorer Processes, which means that users cannot install ActiveX controls from Internet Explorer.

This restriction includes legitimate ActiveX controls that may provide critical business functionality, such as . If you do restrict ActiveX installations in this way, you should also use a mechanism such as Group Policy to push any required ActiveX controls to user desktops (for more information on this, see the next recommendation). You also need an alternative way to provide security updates, such as Windows Server Update Services (WSUS).

The following table includes the policy object name, and its location in Group Policy.

Policy object: Internet Explorer Processes (Restrict ActiveX Install)
Location: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Restrict ActiveX Install
Recommended setting: Enabled

Add ActiveX controls and plug-ins to pre-approved list

The previous setting ensures that ActiveX controls cannot run on a client computer unless they are pre-approved by the organization. However, some organizations find this setting too restrictive. If this is the case, you should at least ensure that the setting Allow previously unused ActiveX controls to run without prompt is disabled for the Internet and Restricted sites zones, which is the default configuration. This setting, otherwise known as ActiveX Opt-In, ensures that controls operate as intended and systems are not attacked by simply visiting a Web site. However, one of the tradeoffs associated with the ActiveX Opt-In feature is that users may experience well known or harmless sites that don't "just work" without approving a control.

However you restrict ActiveX installation, there is the potential for impacting business critical functionality. Therefore, Microsoft recommends pushing a list of pre-approved controls out to user desktops with a tool such as Group Policy, and adding them to the pre-approved list for Windows, by adding the CLSID (the globally unique identifier that identifies a COM class object) of the control to the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved

Note: If Microsoft determines that a control has a vulnerability and presents a danger to users, Microsoft reserves the right to remove that control from the pre-approved list.

Installed controls can be enabled or disabled by changing their registry flags, using the globally unique identifier (GUID) key identifier. If you do not already have a catalog of GUIDs that your organization uses, identifying them is an important process to establish. One solution for creating your GUID list is to build a new computer, manually configure/enable your line-of-business applications, and then review the GUIDs in the Internet Explorer registry branch. That list will help ensure that you have the least number of controls required for your environment. You can then use this list of GUIDs to populate the pre-approved list.

Microsoft recommends using the GPO infrastructure to manage an internal approved list for controls to increase the security and effectiveness of the ActiveX Opt-In feature. For more information about ActiveX security and best practices for managing ActiveX controls in your organization, see the "ActiveX Security: Improvements and Best Practices" page on MSDN.
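The catalog-then-populate workflow described above can be checked offline against a registry export of a client computer. The following is an added example, not code from this guide: the catalog file format, the function names, and every CLSID in the sample data are constructed for illustration, and the script assumes a .reg export that has already been decoded to text.

```python
import re

# Registry location named in the guide for the Windows pre-approved list.
PREAPPROVED_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"
                   r"\CurrentVersion\Ext\PreApproved")
CLSID_RE = re.compile(
    r"\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}")

def normalize_clsid(text):
    """Return the CLSID as upper-case {8-4-4-4-12}, or None if malformed."""
    candidate = text.strip().upper()
    if not candidate.startswith("{"):
        candidate = "{" + candidate + "}"
    return candidate if CLSID_RE.fullmatch(candidate) else None

def load_catalog(lines):
    """Parse 'CLSID  # description' lines (hypothetical catalog format)."""
    catalog, invalid = {}, []
    for line in lines:
        entry, _, note = line.partition("#")
        if not entry.strip():
            continue  # blank or comment-only line
        clsid = normalize_clsid(entry)
        if clsid is None:
            invalid.append(line.strip())
        else:
            catalog.setdefault(clsid, note.strip())
    return catalog, invalid

def preapproved_in_export(reg_text):
    """CLSIDs that appear as direct subkeys of PreApproved in a .reg export."""
    prefix = (PREAPPROVED_KEY + "\\").upper()
    found = set()
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].upper()
            if key.startswith(prefix):
                clsid = normalize_clsid(key[len(prefix):])
                if clsid:  # deeper subkeys and malformed names are skipped
                    found.add(clsid)
    return found

def plan_preapproved(catalog_lines, reg_text):
    """Compare the organization's catalog with what the client already has."""
    catalog, invalid = load_catalog(catalog_lines)
    present = preapproved_in_export(reg_text)
    return {
        "to_add": sorted(set(catalog) - present),
        # Present on the client but not in the catalog: review these entries,
        # do not assume they are wrong.
        "not_in_catalog": sorted(present - set(catalog)),
        "invalid": invalid,
    }

def render_reg(clsids):
    """Build .reg text that creates one PreApproved subkey per CLSID."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        lines += ["[" + PREAPPROVED_KEY + "\\" + clsid + "]", ""]
    return "\r\n".join(lines)

# Constructed sample data: none of these CLSIDs identify a real control.
SAMPLE_CATALOG = [
    "{11111111-1111-1111-1111-111111111111}  # line-of-business viewer",
    "22222222-2222-2222-2222-222222222222    # reporting control, no braces",
    "{3333-not-a-clsid}                      # malformed entry",
]
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-111111111111}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{4444abcd-4444-4444-4444-444444444444}]
"""

if __name__ == "__main__":
    result = plan_preapproved(SAMPLE_CATALOG, SAMPLE_EXPORT)
    for bucket, items in result.items():
        print(bucket, items)
    print(render_reg(result["to_add"]))
```

Malformed catalog lines are reported instead of being written to the registry, so a typing error in the catalog cannot silently create a meaningless key.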

Disable active scripting in response to specific threats

Microsoft introduced the Security Design Lifecycle (SDL) several years ago to help increase software security quality and reduce the impact of vulnerabilities. The SDL has proven to be effective, but no software or process is perfect. The important goal for security protection must include a response plan in the event of compromise or vulnerability.

There are times where a vulnerability is exploited before it is responsibly disclosed. This is known as a "zero day" vulnerability. Other times a vulnerability is disclosed properly, but the update requires time to develop and properly test before it can be released. To help reduce potential exposure, users should be advised to avoid unknown Web sites and exercise caution before clicking links.

Administrators can also use the Allow active scripting setting to protect against a discovered vulnerability that does not yet have an update to address it. Microsoft recommends using Group Policy to change the setting to Disable for response to zero day attacks or other critical security scripting attacks.

The following table includes the policy object name, and its location in Group Policy.

Policy object: Allow Active Scripting
Location: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\
Recommended setting: Disabled in response to zero day attack

Enable Scripted Window Security Restrictions

Internet Explorer allows scripts to programmatically open, resize, and reposition windows of various types. This allows popup windows to appear, and provides the potential for scripts to display windows in which the title and status bars are not visible to the user or obfuscate the title and status bars of other windows. Microsoft recommends using Group Policy to prevent these scripts from running in Internet Explorer and Windows Explorer processes.

The following table includes the policy object name, and its location in Group Policy.

Policy object: Internet Explorer Processes (Scripted Window Security Restrictions)
Location: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Scripted Window Security Restrictions
Recommended setting: Enabled

Reducing Application Privilege Recommendations

One way to help keep the client computers in your organization secure is to reduce potential exposure. Security experts frequently remind users to log on to the system with the least possible privilege and increase it only when necessary. Internet Explorer 7 in Windows Vista enables users to easily follow this advice with the new Protected Mode feature. Windows XP users of Internet Explorer 7 can find valuable protections using the DropMyRights application. You can download the source code for this application from the "Browsing the Web and Reading E-mail Safely as an Administrator" page on MSDN.

While each solution operates differently, they both help users to reduce the potential impact of an attack. Therefore, Microsoft recommends using the solution that is appropriate for your operating system.

Turn on Protected Mode in Windows Vista

Protected Mode is enabled by default in Internet Explorer 7 on Windows Vista for all security zones except the Trusted sites zone. However, users can disable the mode, which reduces overall security. For this reason, Microsoft recommends using Group Policy to ensure that Protected Mode is enabled in all of the Web content zones for the browser, except the Trusted sites zone, and prevent users from disabling it.

The following table includes the policy object name, and its location in Group Policy.

Policy object: Turn on Protected Mode *
Location: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\
Recommended setting: Enabled

* This setting only works in Internet Explorer 7 with Windows Vista.

Protected Mode is available for the following security areas and zones in Internet Explorer 7:
• Internet
• Intranet
• Local Machine
• Locked-down Internet
• Locked-down intranet
• Locked-down Local Machine
• Locked-down Restricted sites
• Locked-down Trusted sites
• Restricted sites
• Trusted sites

Note: If a business critical site is prevented from running properly due to Protected Mode, you should not disable Protected Mode, as it will lower overall security. Instead you should contact the site owner to ensure that the owner is updating the site to work correctly in Protected Mode. As a temporary workaround, you can add the site to the Trusted sites zone.

Use DropMyRights with Windows XP

DropMyRights is a simple application to help users who must run their computers as an administrator run applications in a much safer context as a non-administrator. Microsoft recommends using this application on computers that run Internet Explorer 7 with Windows XP, because these computers cannot take advantage of Protected Mode.

DropMyRights takes the current user's token, removes various privileges and security identifiers (SIDs) from the token, and then uses the token to start another process. For more information about DropMyRights and to download the source code for this application, see the "Browsing the Web and Reading E-mail Safely as an Administrator" page on MSDN.

Once installed, launching Internet Explorer with DropMyRights requires simply creating a new shortcut that points to the DropMyRights executable file, followed by the path to the application you want to run with lower privilege.

Privacy Settings Recommendations

Security guidance is often limited to a review of settings geared toward preventing specific technical manipulation of a system. A full security settings review must include a review of "soft" security settings that affect privacy and the disclosure of personal data. Internet Explorer 7 includes several new enhancements to safeguard personal data against entire categories of unwanted disclosure. These enhancements include the Phishing Filter that notifies users about known and suspicious Web sites.

You also can increase browser security by making changes to the default actions that control privacy settings for purging data when you exit the browser and form data handling. Deleting the Temporary Internet Files data helps ensure personal data is removed from the system regularly and prevents unwanted disclosure or retrieval. Similarly, preventing the ability to autocomplete forms and store passwords helps reduce the risk of third parties accessing private account credentials and information.

Set the Privacy Slider to at least Medium

In the attempt to offer a more robust personalized online experience, some Web sites store information in a small text file on your computer. These files are called cookies, and they can be used to correlate online activities for a specific user. Microsoft strongly supports the use of cookies and believes they do not represent a security or malicious software threat. However, Internet Explorer 7 has several mechanisms to control the use of cookies and allow users to manage their use and function as they choose by managing privacy settings.

There are two different types of cookies. A first-party cookie either originates on or is sent to the Web site you are currently viewing. These cookies are commonly used to store information, such as your preferences when visiting that site. A third-party cookie either originates on or is sent to a Web site that is different from the one you are currently viewing. Third-party Web sites usually provide some content on the Web site you are viewing. For example, many sites use advertising from third-party Web sites, and those third-party Web sites may use cookies. A common use for this type of cookie is to track your Web page use for advertising or other marketing purposes.

Security settings that affect privacy issues can be found on the Privacy tab in the Internet Options dialog box of the browser. That tab contains the Privacy slider, which allows the user to select one of six options that range from Block All Cookies to Accept All Cookies. The Privacy slider works only for the Internet zone. All cookies are automatically accepted from Web sites in both the Local intranet and Trusted sites zones, and all cookies are automatically blocked from Web sites in the Restricted sites zone.

Each organization must determine its own policy regarding cookies. Microsoft recommends using at least the default setting of Medium, which does the following:
• Blocks third-party cookies that do not have a compact privacy policy.
• Blocks third-party cookies that use personally identifiable information without implicit consent.
• Restricts first-party cookies that use personally identifiable information without implicit consent.

The High setting limits all cookies, whereas the rest of the settings allow them under certain conditions. The Low setting allows all cookies without condition.

Note: By default, users can change the default setting of the privacy slider, although you can use Group Policy to prevent this by disabling the Privacy tab in the Internet Options dialog box.

Specific sites can be added to bypass the overall setting. The choices for adding a site are to Always Block or Always Allow. Regardless of whether you choose to be more restrictive or less restrictive, you will be able to add sites. You can use Group Policy to enforce not only the cookie settings, but also to add sites. For maximum privacy while maintaining the benefits of cookies (for example, retaining logon information, user preferences, and so on) Microsoft recommends blocking all third-party cookies and allowing all first-party cookies.

Empty Temporary Internet Files folder when browser is closed

To increase page load speed and reduce network bandwidth, Internet Explorer keeps a local cache copy of many Web document objects (HTML, video, images, and so on) as the viewer navigates between sites. This storage area is designed to be volatile and may be overwritten at any time. Although not considered a remotely accessible threat, these files represent a potential disclosure of personal information or privacy when viewed by other users who may access the computer.

These local files are placed by default in the C:\Documents and Settings\ \Local Settings\Temporary Internet Files folder, but you can use the IEAK or a GPO to modify the location through a setting in the Internet Control Panel of the browser.

Microsoft recommends changing the default setting for this feature to Enable, so that all locally stored files are removed. Changing this setting will have no impact on functionality, but may affect application performance speed and result in additional user support calls.

The following table includes the policy object name, and its location in Group Policy.

Policy object: Empty Temporary Internet Files folder when browser is closed
Location: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
Recommended setting: Enabled

Set Form AutoComplete options to Disabled

Similar to the previous setting, this feature allows Internet Explorer to remember form entry data for later retrieval and submission. A common data value used in many forms is the Street Address field. This feature enables Internet Explorer to read that form entry value and automatically enter the information so the user does not need to type it again. Although fields such as Street Address do not pose a direct security threat, this information can be useful to a malicious Web site. More importantly, this feature is unable to discriminate between highly sensitive data such as a Social Security Number and more publicly accessible information like a telephone number. It is for precisely these limitations that users may be exposed to an unnecessary and unintentional release of private information.

These options are available in the AutoComplete settings dialog box, which you can access by clicking on the Settings button of the AutoComplete area on the Content tab of the Internet Options dialog box.

Internet Explorer 7 can also remember user names and passwords on forms. Users face an increasing number of systems for which they need to remember user names and passwords. Internet Explorer offers users the ability to store credentials and automatically fill in forms when the information is requested. There are some basic security mechanisms defining which data is typed in a given form to prevent the wrong credentials from being used for a given Web site. Despite these security measures, a well-crafted Web site may be able to mimic enough parameters and trick the user into submitting their logon credentials to a malicious Web site. The credential data store is also secured, kept locally on the system and it is not accessible from a remote system.

Microsoft recommends disabling the autocomplete feature for forms and preventing autocomplete for user names and passwords on forms. Changing these settings will not affect application performance but may result in user complaints, or potentially in users resorting to low strength passwords that are easier to remember. Administrators are advised to examine their password requirement/validation processes to ensure that users do not use passwords that are not secure.

The following table includes the policy object names, and their location in Group Policy.

Policy object: Disable AutoComplete for forms
Location: User Configuration\Administrative Templates\Windows Components\Internet Explorer
Recommended setting: Enabled

Policy object: Turn on the auto-complete feature for user names and passwords on forms
Location: User Configuration\Administrative Templates\Windows Components\Internet Explorer
Recommended setting: Disabled

Configure Logon options for each Security Zone

Enterprise and business customers are able to use Windows domains to keep intranet information secure while users seamlessly access network documents without repeatedly typing user credentials. Internet Explorer can use system authentication credentials and provide users with NTLM authentication information for Intranet zone sites. This feature setting provides a greater level of control beyond the basic Enable or Disable options.

By default the Automatic logon only in Intranet zone setting is set for the Internet, Local intranet and Trusted sites zones, while Prompt for Username and Password is set for use in the Restricted sites zone. Microsoft recommends changing these settings, so that Logon Options is enabled and configured to Prompt for Username and Password for the Internet zone, Anonymous logon for the Restricted sites zone, Automatic Logon with Current Username and Password for the Local intranet zone, and Automatic Logon only in Intranet Zone for the Trusted sites zone.

Changing these logon options will not affect application performance or system capabilities and should not result in additional support calls.

The following table includes the policy object name, and its location in Group Policy.

Policy object: Logon Options
Location: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Recommended setting: Enabled\Prompt for Username and Password

Policy object: Logon Options
Location: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone
Recommended setting: Enabled\Automatic Logon with Current Username and Password

Policy object: Logon Options
Location: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Recommended setting: Enabled\Anonymous Logon

Policy object: Logon Options
Location: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone
Recommended setting: Enabled\Automatic Logon only in Intranet Zone
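To confirm that the four Logon Options recommendations actually reached a client, the machine policy values can be compared with the table above. This is an added example, not part of the guide: the policy registry key and the 1A00 value name (the Logon options URL action) are not given in this paper, the function names are hypothetical, and the sample export is constructed.

```python
import re

# Machine-scope branch where Group Policy stores per-zone settings
# (not stated in the guide; zone numbers follow Internet Explorer's numbering).
ZONES_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows"
             r"\CurrentVersion\Internet Settings\Zones")
LOGON_VALUE = "1A00"  # "Logon options" URL action

LOGON_MODES = {
    0x00000000: "Automatic logon with current username and password",
    0x00010000: "Prompt for username and password",
    0x00020000: "Automatic logon only in Intranet zone",
    0x00030000: "Anonymous logon",
}

# zone number -> (zone name, value recommended in the guide's table)
RECOMMENDED = {
    "1": ("Local intranet", 0x00000000),
    "2": ("Trusted sites", 0x00020000),
    "3": ("Internet", 0x00010000),
    "4": ("Restricted sites", 0x00030000),
}

def parse_reg_dwords(text):
    """Return {(key, value name): int} for each dword in decoded .reg text.

    Keys and value names are lower-cased because the registry is
    case-insensitive.
    """
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            key = header.group(1).lower()
            continue
        entry = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{1,8})', line)
        if entry and key is not None:
            values[(key, entry.group(1).lower())] = int(entry.group(2), 16)
    return values

def audit_logon_options(reg_text):
    """Compare each zone's policy value with the recommended logon mode."""
    values = parse_reg_dwords(reg_text)
    findings = []
    for zone, (name, want) in sorted(RECOMMENDED.items()):
        got = values.get(((ZONES_KEY + "\\" + zone).lower(),
                          LOGON_VALUE.lower()))
        if got is None:
            # No policy value: the zone falls back to its non-policy setting.
            status, actual = "NOT ENFORCED", None
        else:
            status = "OK" if got == want else "MISMATCH"
            actual = LOGON_MODES.get(got, hex(got))
        findings.append({"zone": name, "status": status,
                         "expected": LOGON_MODES[want], "actual": actual})
    return findings

# Constructed sample export: the Internet zone still carries the default
# logon mode and the Restricted sites zone has no policy value at all.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1A00"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1A00"=dword:00020000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1A00"=dword:00020000
"1400"=dword:00000000
"""

if __name__ == "__main__":
    for finding in audit_logon_options(SAMPLE_EXPORT):
        print("{zone:17} {status:13} expected={expected!r} actual={actual!r}"
              .format(**finding))
```

A zone reported as NOT ENFORCED is the case to watch for: the browser still works, but the logon mode is whatever the default or the user's own setting provides.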

Enable the Phishing Filter Users are exposed to an increasing number of online threats and malicious Web sites attempting to steal identification credentials. One of the new security features included with Internet Explorer 7 is the Phishing Filter, a combination of client computer heuristic analysis and online services to help protect users against emerging threats and Web sites that attempt to steal personal information. By default when you first run it, the Phishing Filter alerts the user to enable automatic checking, require manual checking or disable it entirely—there is no preset selection. The feature offers an "all or nothing" situation where automatic checking is enabled or disabled. In the case where the Phishing Filter is disabled, the user can still use the feature on a case by case basis, manually forcing a check for any given Web site. It is important that a system or network administrator understand the applications running in their environments. Internet Explorer and the Phishing Filter feature are no exception—understanding how this feature works enables you to get more value from it and greater protection of user personal data. This is especially important given the importance, and potential legal requirements, of protecting confidential information in today’s online environments. Due to the nature of the feature, it would be counter productive to provide detailed explanations of exactly how the Phishing Filter works. The information in this section covers the structural workings of the feature without divulging specifics on the engines or analytical techniques used to determine result values. The Phishing Filter comprises two main elements: a client computer heuristics logic engine and the online URL Reputation Service (URS). The URS is an online service run by Microsoft and is the only service option for use with the Phishing Filter. 
When enabled, the Phishing Filter checks locally to analyze the content of a page as well as performs an online validation of the URL against the URS. An update to the Phishing Filter feature was released to help performance, in Recommendations for Increased Security 17 addition to steps designed to avoid client computer performance issues. To prevent latency, the URS checks are done asynchronously so user navigation is not adversely affected. To prevent excess network traffic, a client computer encrypted DAT file contains thousands of the most visited Web sites—any Web site in this file is exempt from Phishing Filter checks. The Phishing Filter also uses a URL local cache mechanism in an attempt to match a previous request rating and prevent unnecessary traffic. The purpose of the Phishing Filter is to protect users and prevent them from viewing Web sites that attempt to steal their personal data. To accomplish this, the feature requires passing certain information to the URS. Microsoft has taken extensive measures to ensure that data is secure and remains private to the user. Those steps include: • All URS transactions are done through a HTTPS connection. • URLs sent to the URS are stripped of any personally identifiable information (PII). • No referrer information is sent to the URS. • Microsoft does not record the source IP or track users in any way. • Microsoft does not record or track activity in aggregate to determine general online trends. Microsoft feels strongly about the privacy implications of the Phishing Filter and contacted an outside auditor to review the service and privacy claims. The goal was to ensure that the user privacy designs and objectives of the service were met in operational practice. The study concluded that all claims were accurate and no privacy violations were present. For more information about the Jefferson Wells Audit, see the User Privacy and the Phishing Filter on the MSDN IEBlog. 
As mentioned previously, the Phishing Filter must either be enabled or disabled. When enabled, all sites that do not appear in the local encrypted DAT file are validated locally and against the URS. No checking is performed when the Phishing Filter is disabled.

Although Microsoft strongly encourages always using the Phishing Filter to help protect users, there may be situations in which administrators want to manage the feature in their environments. By design, the Phishing Filter can be enabled or disabled for each security zone, but the global feature setting must be enabled for it to work. By default, the Phishing Filter is enabled for all zones except the Intranet zone.

Microsoft recommends that administrators enable the Phishing Filter feature in their environments. If you want to exclude a certain list of sites from being checked by the Phishing Filter (such as B2B sites that your company has a trust relationship with), instead of disabling the Phishing Filter, it is recommended to enable the Phishing Filter overall, disabling Phishing Filter for the Trusted Sites zone only, and adding those sites to the Trusted Sites zone.

Microsoft also recommends using Group Policy to prevent users from turning off the Phishing Filter, and setting the operating mode to Automatic. However, administrators should be aware that this configuration automatically causes the browser to send information to Microsoft without prompting the user.

The following table includes the policy object name, and its location in Group Policy.

Policy object: Turn off managing phishing filter.
Location: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\
Recommended setting: Enabled\Automatic

Other Security Settings Recommendations

In addition to the security setting categories discussed earlier in this paper, there are other security settings options that you can use to help secure desktop deployments. These settings do not correlate well with any of the categories mentioned earlier. This section looks at some of these "other" feature settings, and provides recommendations on how you can adjust their default values to increase user security.

Do not save encrypted pages to disk

To increase the usability of the browsing experience, Internet Explorer can cache content in a local store (Temporary Internet Files) for immediate local retrieval rather than incur potential delays when repeatedly accessing the network for the same resource. Internet Explorer offers the option to cache both encrypted and unencrypted content, and by default both content types are cached.

Although caching encrypted content could leave HTTPS documents with confidential information in the Temporary Internet Files folder, Microsoft does not enable the setting to cache encrypted files in order to respect Web server caching instructions. Also, caching encrypted data helps prevent user performance issues when repeatedly viewing identical content (such as images).

The risk of local cache files being decrypted is not normally considered a significant concern, based on both the difficulty required to accomplish it and the value of the information contained in those files. User name and password data would not normally be visible, even if a malicious attacker were to decrypt the document payload. They would only be able to see the content of pages. However, pages may contain sensitive information, such as account balances or transaction details.

For companies that want to increase Internet Explorer security settings for their users, enabling this Group Policy setting will prevent local file caching and eliminate the opportunity for malicious users to try to access these files. When enabling this option, companies should be aware of potential performance issues, latency, additional network traffic, and a potential increase in help desk calls. Any public Web sites expecting this value to remain disabled may be doing so to reduce their network traffic burden, but it should not cause serious application failures.

Enabling this setting can cause problems accessing "on demand" content such as account history reports. The problem occurs where users view the report and then navigate away from that page and then press the Back button to view it again. In properly configured server environments the user will see a specific error message telling them the page has expired or that they need to click the Refresh button to view the content.

The following table includes the policy object name, and its location in Group Policy.

Policy object: Do not save encrypted pages to disk
Location: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
Recommended setting: Enabled for environments with sensitive data on Web pages.

Disable Automatic Install of Internet Explorer components

In some cases, when a user visits a Web site, this will trigger the automatic install of an Internet Explorer component. Typically an organization will want to control when this happens, so Microsoft recommends that you prevent the automatic install of Internet Explorer components through Group Policy. However, before you enable this policy setting, Microsoft recommends setting up an alternative strategy to update Internet Explorer through Microsoft Update or a similar service.

The following table includes the policy object name, and its location in Group Policy.

Policy object: Disable Automatic Install of Internet Explorer components
Location: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
Recommended setting: Enabled

Disable Periodic Check for Internet Explorer software updates

By default, Internet Explorer checks every 30 days to determine if a new version of software updates is available and then notifies the user. However, typically an organization will want to control when updates are installed, and for this reason, Microsoft recommends that you use Group Policy to disable this check. However, before you enable this policy setting, Microsoft recommends setting up an alternative strategy to update Internet Explorer through Microsoft Update or a similar service.

The following table includes the policy object name, and its location in Group Policy.

Policy object: Disable Periodic Check for Internet Explorer software updates
Location: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
Recommended setting: Enabled

Disable software update shell notifications on program launch

By default users are notified if a program uses Microsoft software distribution channels to install new components, and therefore have the option of refusing the update. Microsoft recommends that you disable shell notifications to ensure that the software is installed as required.

The following table includes the policy object name, and its location in Group Policy.

Policy object: Disable software update shell notifications on program launch
Location: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
Recommended setting: Enabled

Make proxy settings per machine (rather than per user)

If a user changes proxy settings, they may be unable to access Web sites. However, users who are traveling may need to alter proxy settings to allow them to access the Web in different locations. For computers that are in a fixed location, Microsoft recommends that you use Group Policy to ensure that proxy settings are determined on a per-computer (rather than a per-user) basis. However, for mobile laptops, you should allow users to change their proxy settings.

The following table includes the policy object name, and its location in Group Policy.

Policy object: Make proxy settings per-machine (rather than per-user)
Location: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
Recommended setting: Enabled for computers in a fixed location. Disabled for mobile laptops.

Turn off Crash Detection

Internet Explorer 7 has a crash detection feature that generates crash report information that may be of use for troubleshooting problems with Internet Explorer. However, the crash reports may contain sensitive information from the computer’s memory, so for enterprise computers, Microsoft recommends that you disable the crash detection feature.

If the crash detection feature is disabled, a crash in Internet Explorer will be similar to one on a computer that runs Windows XP Professional with Service Pack 1 (SP1) or earlier: it will invoke . If you experience frequent crashes and need to report them for follow-up troubleshooting, you may want to temporarily reconfigure the affected computers to enable crash detection.

The following table includes the policy object name, and its location in Group Policy.

Policy object: Turn off Crash Detection
Location: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
Recommended setting: Enabled

Restrict File Download

In certain circumstances, Web sites can initiate file download prompts without interaction from users. This technique can allow Web sites to put unauthorized files on a user’s hard disk drive if they click the wrong button and accept the download. Microsoft recommends that you configure the Internet Explorer Processes (Restrict File Download) setting to Enabled. This ensures that download prompts that are not user-initiated are blocked for Internet Explorer processes.

The following table includes the policy object name, and its location in Group Policy.

Policy object: Internet Explorer Processes (Restrict File Download)
Location: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Restrict File Download
Recommended setting: Enabled

Disable Allow File Downloads for Restricted Sites Zone

By default, file downloads are disabled for the Restricted sites zone. However, Microsoft recommends enforcing this setting in Group Policy to ensure that users cannot download files when in the Restricted sites zone.

The following table includes the policy object name, and its location in Group Policy.

Policy object: Allow File Downloads
Location: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone.
Recommended setting: Disabled

Enable Data Execution Prevention

Data Execution Prevention (DEP) is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. The primary benefit of DEP is that it helps prevent code execution from data pages, such as the default heap pages, various stack pages, and memory pool pages. Typically, code is not executed from the default heap and the stack. Hardware-enforced DEP detects code that is running from these locations and raises an exception when execution occurs. If the exception is unhandled, the process will be stopped. Execution of code from protected memory in kernel mode causes a Stop error.

DEP can help block a class of security intrusions. Specifically, DEP can help block a malicious program in which a virus or other type of attack has injected a process with additional code and then tries to run the injected code. On a system with DEP, execution of the injected code causes an exception. Software-enforced DEP can help block programs that take advantage of exception-handling mechanisms in Windows.

Although DEP is supported in Windows XP SP2, this Internet Explorer setting is only available to users running Internet Explorer 7 on Windows Vista. Data execution prevention configuration for computers running Windows XP SP2 is controlled through Boot.ini switches or the System control panel. For more information about managing DEP in Windows XP SP2, see the Changes to Functionality in XP Service Pack 2 page.

There are some known support issues with plug-in extensibility components when DEP is enabled. Administrators are encouraged to contact the component manufacturer for an updated DEP-compatible plug-in version.

To enable DEP in Internet Explorer 7, right-click the Internet Explorer icon and select “Run as Administrator” (otherwise the option appears grayed out). Now in the Internet Options dialog box, on the Advanced tab, select the Enable memory protection to help mitigate online attacks check box.

Do not allow users to enable or disable add-ons

Users often choose to install add-ons that are not permitted by an organization's security policy. Such add-ons can pose a significant security and privacy risk to your network. Therefore, Microsoft recommends using Group Policy to ensure that users do not have the ability to enable or disable add-ons. If add-ons are specifically included in the add-on list policy setting, then users can still manage them.

The following table includes the policy object names, and their location in Group Policy.

Policy object: Deny all add-ons unless specifically allowed in the add-on list
Location: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management
Recommended setting: Enabled

Policy object: Add-on List
Location: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management
Recommended setting: Enabled with add-ons listed

Ensure Consistent MIME Handling

Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling procedures for files that are received through a Web server. For example, the MIME file type could contain information in , but the MIME data could indicate that the file is really an executable file. MIME file type spoofing is a potential threat to any organization. Microsoft recommends using Group Policy to ensure that files are consistent and properly labeled for Internet Explorer Processes. This ensures that Internet Explorer examines all received files and enforces consistent MIME data for them.

The following table includes the policy object name, and its location in Group Policy.

Policy object: Internet Explorer Processes (Consistent MIME Handling)
Location: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Consistent MIME Handling
Recommended setting: Enabled

Enable MIME Sniffing Safety Features

MIME sniffing is a process that examines the content of a MIME file to determine its context: whether it is a data file, an executable file, or some other type of file. MIME sniffing is typically used in conjunction with MIME spoofing, and is a potential threat to any organization. Therefore, Microsoft recommends using Group Policy to enable MIME sniffing safety features, and ensure that these files are consistently handled to help prevent malicious file downloads that may infect your network.

When set to Enabled, MIME sniffing will not promote a file of one type to a more dangerous file type. If you disable this policy setting, MIME sniffing configures Internet Explorer processes to allow promotion of a file from one type to a more dangerous file type. For example, a text file could be promoted to an executable file, which is dangerous because any code in the supposed text file would be executed.

The following table includes the policy object name, and its location in Group Policy.

Policy object: Internet Explorer Processes (MIME Sniffing)
Location: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\MIME Sniffing Safety Feature
Recommended setting: Enabled
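The two MIME settings described above (consistent labeling, and no promotion to a more dangerous type) can be modeled in a few lines. The following Python is an added example, not Microsoft code and not Internet Explorer's actual algorithm; the signature list, the danger ranking and all function names are assumptions made for the illustration.

```python
import os

# Assumed danger ranking for this illustration (higher = more harmful if acted on).
DANGER = {
    "text/plain": 0, "image/gif": 0, "image/png": 0, "image/jpeg": 0,
    "application/pdf": 1,
    "text/html": 2,                  # can carry script
    "application/x-msdownload": 3,   # Windows executable
}
# A few well-known leading byte signatures.
MAGIC = [
    (b"MZ", "application/x-msdownload"),
    (b"%PDF-", "application/pdf"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
]
EXTENSIONS = {
    ".txt": "text/plain", ".htm": "text/html", ".html": "text/html",
    ".gif": "image/gif", ".png": "image/png", ".jpg": "image/jpeg",
    ".pdf": "application/pdf", ".exe": "application/x-msdownload",
}
UNKNOWN = "application/octet-stream"


def sniff(body: bytes) -> str:
    """Guess a type from the content alone, ignoring every label."""
    for magic, mime in MAGIC:
        if body.startswith(magic):
            return mime
    head = body[:512].lstrip().lower()
    if head.startswith((b"<!doctype html", b"<html")) or b"<script" in head:
        return "text/html"
    if head and all(b in b"\t\r\n" or 32 <= b < 127 for b in head):
        return "text/plain"
    return UNKNOWN


def declared_type(content_type: str) -> str:
    """Normalise a Content-Type header value: drop parameters, lower-case."""
    return content_type.split(";")[0].strip().lower() or UNKNOWN


def check_consistency(content_type: str, filename: str, body: bytes) -> list:
    """Consistent MIME handling: header, extension and content must agree."""
    sniffed = sniff(body)
    labels = {"Content-Type": declared_type(content_type),
              "extension": EXTENSIONS.get(os.path.splitext(filename)[1].lower())}
    return [f"{source} says {label}, content looks like {sniffed}"
            for source, label in labels.items()
            if label and sniffed != UNKNOWN and label != sniffed]


def effective_type(content_type: str, body: bytes, sniffing_safety: bool = True) -> str:
    """Type the file is handled as after sniffing, with or without the safety rule."""
    declared, sniffed = declared_type(content_type), sniff(body)
    if sniffed in (UNKNOWN, declared):
        return declared                      # nothing to promote to
    if DANGER.get(sniffed, 1) > DANGER.get(declared, 1):
        # Promotion to a more dangerous type: refused when the safety feature is on.
        return declared if sniffing_safety else sniffed
    return sniffed                           # same or lower danger: harmless


if __name__ == "__main__":
    # Constructed sample: an executable header served as a text file.
    sample = b"MZ\x90\x00\x03\x00\x00\x00"
    print(check_consistency("text/plain", "readme.txt", sample))
    print(effective_type("text/plain", sample, sniffing_safety=True))
    print(effective_type("text/plain", sample, sniffing_safety=False))
```

With the safety rule on, the constructed sample stays text/plain and is never treated as an executable; with it off, the same bytes are promoted, which is the behavior the Disabled setting allows.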

Display the Information Bar

The Information bar provides information to users about the Web sites they are visiting, and can display warnings when there are problems with a Web site. Microsoft recommends that you ensure the Information bar is displayed for Internet Explorer processes in Group Policy.

The following table includes the policy object name, and its location in Group Policy.

Policy object: Internet Explorer Processes/Information Bar
Location: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Information Bar
Recommended setting: Enabled

MK Protocol Security Restriction

Some older Web applications use the MK protocol to retrieve information from compressed files. However, the protocol is rarely used, so Microsoft recommends using Group Policy to block the protocol unless it is explicitly required.

The following table includes the policy object name, and its location in Group Policy.

Policy object: Internet Explorer Processes\MK Protocol Security Restriction
Location: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\MK Protocol Security Restriction
Recommended setting: Enabled

Object Caching Protection

This policy setting defines whether a reference to an object is accessible when the user navigates within the same domain or to a new domain. This setting is enabled by default for Internet Explorer processes, and Microsoft recommends using Group Policy to enforce this behavior by enabling Object Caching protection.

The following table includes the policy object name, and its location in Group Policy.

Policy object: Internet Explorer Processes\Object Caching Protection
Location: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Object Caching Protection
Recommended setting: Enabled

Block attachments that could contain a virus in Outlook Express

If users can open any attachment in Outlook® Express, they could potentially open an attachment that contains a virus, and therefore damage their own and other computers on the network. Microsoft recommends using Group Policy to prevent users from opening potentially damaging attachments in Outlook Express.

The following table includes the policy object name, and its location in Group Policy.

Policy object: Configure Outlook Express
Location: User Configuration\Administrative Templates\Windows Components\Internet Explorer
Recommended setting: Enabled\Block attachments that could contain a virus.

Summary

Increasing browser security is an important goal and Microsoft has spent a great deal of effort to develop the default settings in Internet Explorer 7 to meet the needs of most users. Clearly there is no "one size fits all" solution for security settings, and the purpose of this paper is to provide the specific descriptions and tools for users and administrators to modify their settings to enhance security to meet the requirements of their environments.

An additional recommendation to increase the security of the browser can be taken directly from the Enhanced Security Configuration: change the default home page to "about:blank" or to a file on the local system. Making this change helps ensure that the browser starts in a known and secure state each time.

Even if you adopt all of the recommendations in this paper, your system security may still be at risk. Microsoft strongly recommends maintaining your systems with the most recent security updates at all times. The key to a secure system is to ensure that updates are applied and that the systems are checked regularly.

In the end, security depends on the user. Microsoft encourages both enterprise customers and other consumers to follow some basic safety guidelines when browsing the Internet. Avoid suspicious Web sites and use caution when viewing files from unknown sources. Enterprise customers should regularly review their security training and education programs or create them if needed.

This paper does not include recommendations for all possible security settings. For more information about the entire range of security settings for Internet Explorer 7, as well as detailed descriptions and settings value prescriptions, visit the Microsoft Web sites for MSDN and TechNet.

Appendix A: Internet Explorer 7 Settings Checklist

The following checklist includes all the settings that Microsoft recommends that you consider when you secure Enterprise client computers running Internet Explorer 7:

• Zone Security:
  • Enable Zone Elevation Protection
  • Do not allow users to add or delete sites from Security Zones
  • Do not allow users to change policies for Security Zones
• Certificate Security:
  • Enable Prevent Ignoring Certificate Errors
• Active Content Security:
  • Restrict ActiveX Install
  • Add ActiveX controls and plug-ins to pre-approved list
  • Disable Allow active scripting in response to specific threats
  • Enable Scripted Window Security Restrictions
• Reduce Application Privilege:
  • Use Protected Mode on Windows Vista
  • Use DropMyRights on Windows XP
• Privacy Settings:
  • Set the Privacy Slider at least to Medium
  • Empty Temporary Internet Files folder when the browser is closed
  • Set Form Autocomplete options to Disabled
  • Disable Password Caching
  • Configure Logon options for Each Security Zone
  • Enable the Phishing Filter
• Other Security Settings:
  • Disable Automatic Install of Internet Explorer Components
  • Disable Periodic Check for Internet Explorer Software Updates
  • Disable Software Update Shell Notifications on Program Launch
  • Make proxy settings per machine (rather than per user)
  • Turn off Crash Protection
  • Disable page transitions
  • Restrict File Downloads
  • Disable Allow File Downloads for Restricted Zone
  • Enable Data Execution Prevention
  • Do not allow users to enable or disable add-ons
  • Ensure Consistent MIME Handling
  • Enable MIME Sniffing Safety Features
  • Display Information Bar
  • Enable MK Protocol Security Restriction
  • Enable Object Caching Protection
  • Block attachments that could contain a virus in Outlook Express