
Introduction to Security

Lab 2:

Web Browser Security/Configuration (IE) and Security

Instructions:

• The Lab 2 Write-up (the template for answering lab questions, a .doc file) can be found on the course website under the “Assignments” section.
• Lab Write-ups must be uploaded to Blackboard in the Assignments folder where the laboratory assignment description is located. ALL resources used to complete this assignment must be referenced and cited; this includes books, articles, websites, etc.
• Lab submissions must be typed using the Lab 2 Write-up template!
• Only submit ONE Lab Write-up per team.

Background: The use of the Internet and the World Wide Web (WWW) has grown exponentially in recent years and has become a central component of many organizations’ IT strategy. Whenever a technology becomes widespread and is used to handle information that has value, attackers will work on ways to compromise those systems. The WWW is no exception, and there are many types of Web-based attacks being executed today. Some of these include:

• Cross-site scripting (XSS) – Usually occurring via concealed code in Web sites, forms, and so on, XSS allows an attacker to gather data from a Web user for malicious purposes.
• Information theft – Through techniques such as phishing, malicious attackers can masquerade as legitimate Web sites or applications and harvest user data.
• Session hijacking – Small text files called cookies are placed on a user’s machine when visiting many Web sites in order to maintain information about the user or site for future visits. These can be manipulated for malicious purposes, including privacy violations and the actual hijacking of a user’s browser session, where an attacker uses information stored in customized cookies to mislead a user in some way.

The most popular browser today is Internet Explorer (IE). This software has been plagued with security problems such as buffer overflows, remotely exploitable vulnerabilities, and so forth. It has become such a volatile piece of software that the US Department of Homeland Security recommended that users switch to another browser in July 2004.

Many Web-based sites and applications are configured to work specifically with IE, however. For this reason, many people choose to patch the software and live with the security problems. Knowing how to properly configure some of the security settings available in IE can drastically reduce the potential threat of compromise.

IE has a number of simple settings that can be configured to increase its overall security posture. Security Zones enable users to define sites that are known to be safe, as well as those known to be unsafe. It is also simple to define sites that are on a user’s local network or intranet, as well as general Internet (external) sites.

Other settings that can be configured include the acceptable encryption level, how cookies are used and/or stored, a content rating system called Content Advisor, and other miscellaneous settings.

Goals: In this lab you will explore some of the security settings of Internet Explorer and learn about the default security settings for Windows.

Procedures:

I. Internet Explorer

1. Open Internet Explorer. Go to “Tools” → “Internet Options”. Click the “Security” tab. Under the “Security” tab, four Web content zones are listed, along with the security settings for each zone.

2. Under the “Security” tab perform the following steps:

“Trusted Sites”

• Click on the “Trusted sites” icon, which is the green circle with the check mark enclosed.
• If the button entitled “Default Level” is not disabled (not shaded), click on the “Default Level” button and go to the next step; if it is disabled or shaded, go directly to the next step.
• Next, click the button entitled “Custom level…”, which allows a user to specify custom security settings for the selected zone.
• Notice for this zone which settings are Disabled, Enabled, or Prompt. The options for each setting mean the following: Disabled: skip prompting and automatically refuse the action or download. Enabled: automatically proceed without prompting. Prompt: ask for approval before proceeding.

QUESTION? • Write a summary or brief description of the “Trusted Sites” zone.

“Restricted Sites”

• Click on the “Restricted sites” icon, which is the red circle with the minus sign enclosed.
• If the button entitled “Default Level” is not disabled (black text), click on the “Default Level” button (which resets the settings for this zone to the default values) and go to the next step/bullet; if it is disabled or shaded, go directly to the next step/bullet.
• Click the button entitled “Custom level…”, which allows a user to specify custom security settings for the selected zone.
• Notice for this zone which settings are Disabled, Enabled, or Prompt. The options for each setting mean the following: Disabled: skip prompting and automatically refuse the action or download. Enabled: automatically proceed without prompting. Prompt: ask for approval before proceeding.

QUESTION? • Write a summary or brief description of the “Restricted Sites” zone.

• What do you notice is the biggest difference in the settings between “Trusted sites” and “Restricted sites”?

3. Under the “Security” tab perform the following steps:

“Internet”

• Click on the “Internet” icon, which is a globe.
• In the section entitled “Security level for this zone”, move the slider to read about the different security levels for this zone.

QUESTION? • What security level settings do you recommend for the Internet using the slider and why?

4. In Internet Explorer, go to “Help” → “Contents and Index”. Perform the following:

• Under the “Search” tab, type in UNDERSTANDING SECURITY ZONES.
• Read the search results to get an understanding of Internet browser security zones.

QUESTION? • List and explain each security zone.

• What is the current security status of Internet Explorer, and what other browsers are considered more secure? (Research this question online outside of the laboratory!)
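The Security tab shows per-zone settings that IE stores under the Internet Settings\Zones registry key, so the state the lab asks you to note (and the Trusted vs. Restricted difference) can also be checked from a script. The PowerShell audit below is an added example, not part of the lab handout; it assumes Microsoft's documented zone numbers, CurrentLevel values and action IDs, which you should confirm against the Custom level dialog on your own system.

```powershell
# Added example (not from the lab): read the IE zone settings that the Security tab displays.
# Assumption: the documented layout of the Zones key; zone 0 (My Computer) is hidden in the dialog.
$zonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneNames  = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
# Slider positions as encoded in the CurrentLevel DWORD (assumed documented values).
$levelNames = @{ 0x10000 = 'Low'; 0x10500 = 'Medium-low'; 0x11000 = 'Medium'; 0x11500 = 'Medium-high'; 0x12000 = 'High' }
# A few per-action settings (hex value names under each zone key; assumed documented IDs).
$actions    = @{ '1004' = 'Download unsigned ActiveX controls'; '1200' = 'Run ActiveX controls and plug-ins';
                 '1400' = 'Active scripting'; '1803' = 'File download' }
# Stored value -> wording used in the Custom level dialog.
$actionState = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

function Get-IEZoneAudit {
    foreach ($zoneId in ($zoneNames.Keys | Sort-Object)) {
        $key = Join-Path $zonesKey $zoneId
        if (-not (Test-Path $key)) { continue }          # zone key missing on this profile
        $props = Get-ItemProperty -Path $key
        $level = [int]$props.CurrentLevel
        $row = [ordered]@{
            Zone  = $zoneNames[$zoneId]
            Level = if ($levelNames.ContainsKey($level)) { $levelNames[$level] } else { 'Custom (0x{0:X})' -f $level }
        }
        foreach ($id in ($actions.Keys | Sort-Object)) {
            $val = $props.$id                             # $null when the action is not set for this zone
            $row[$actions[$id]] = if ($null -eq $val) { 'n/a' }
                                  elseif ($actionState.ContainsKey([int]$val)) { $actionState[[int]$val] }
                                  else { "raw $val" }
        }
        [pscustomobject]$row
    }
}

$audit = Get-IEZoneAudit
$audit | Format-Table -AutoSize

# Two defender checks matching the lab's questions: the Internet zone should not sit below
# Medium-high, and the Restricted sites zone should keep Active scripting disabled.
foreach ($z in $audit) {
    if ($z.Zone -eq 'Internet' -and $z.Level -in @('Low', 'Medium-low', 'Medium')) {
        Write-Warning "Internet zone slider is at '$($z.Level)'"
    }
    if ($z.Zone -eq 'Restricted sites' -and $z.'Active scripting' -ne 'Disabled') {
        Write-Warning "Restricted sites zone does not have Active scripting disabled"
    }
}
```

Run it before and after clicking “Default Level” to see exactly which stored values the button changes.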

II. Privacy, Cookies, and Miscellaneous Settings in IE

1. Open Internet Explorer. Go to “Tools” → “Internet Options”.

2. Click the “Privacy” tab. Under the “Privacy” tab, you should see a slider with various settings.

3. The default level for this setting is Medium. Move the slider up until the setting is “High”.

QUESTION? • Describe the policies at this level. • Describe the policies at the “Low” setting.

III. OS Security: Default Security Settings

1. Go to Start → Help → Search tab.

2. Under the “Search” tab, type in “Default security settings”, being sure to include the QUOTES.

3. Read the section entitled “Groups and default security settings”. Make sure to read all of the subsections.

QUESTION? • What is the difference between an Administrator and a Power User? • Why does Microsoft suggest that users do not connect to the Internet while logged in as a Power User? • List some of the capabilities of an Administrator.

**Close Internet Explorer.**