Tips on hardening and securing IE7


Jonathan Hassell, Contributor
02.01.2007


The new version of Internet Explorer, version 7, has been available for a while now for Windows XP, but a lot of users will be getting a first taste of it as Windows Vista hits the streets for consumers. Let's take a look at some features and recommendations for keeping IE7 secure and hardened.

The MHTML hole

In late 2006, Secunia, a security firm based in Denmark, discovered a non-critical yet important vulnerability in IE7. Essentially, the vulnerability allows a Web site carrying malicious code to steal data from other sites opened in another IE7 window. Its level of seriousness is debatable, and Microsoft claims that the vulnerability exists in Outlook Express rather than IE. Whichever is the case, the vulnerability is demonstrated at a sample site hosted by Secunia.

To work around this, disable the ability for ActiveX content to run automatically. The setting is covered in my checklist, which I explain a bit later in this article.

Protected mode and the phishing filter

Rarely will I advise upgrading to a new operating system just to take advantage of a new feature. But if you are a die-hard Internet Explorer aficionado, then you'll like a new feature, available only in IE on Windows Vista, called Protected Mode; it helps create what is arguably the safest browsing environment bar none.


Protected Mode could be described as IE7 running in an extremely limited security context, lower than even that of a Limited User-based account. It removes a lot of capabilities from potentially dangerous applications and effectively limits Web browser-based applications and scripts to writing to the Temporary Internet Files folder only. It's enabled by default on Windows Vista; if you refuse to use Firefox or, for some reason, are unable to do so, then the security is worth the price of admission to Windows Vista.

Another feature, available in IE7 on all platforms and not just on Windows Vista, is the Phishing Filter. Microsoft maintains a database of the names of suspect Web sites. When the user opens a site, IE7 checks its name against that database; if Microsoft has deemed the site problematic, the address bar turns red and a warning appears saying so. You can see the status of the phishing filter in the status bar at the bottom of the window; click it to turn the filter on or off. (Experienced users may find the behavior annoying, and there is a slight lag in loading pages while each URL is checked against Microsoft's phishing site database.)

Settings checklist

Here is a list of my recommended settings for a custom level within IE7. To implement these recommendations, select Options from the Tools menu in IE7. Navigate to the Security tab. Click the Custom Level tab after ensuring that the Internet zone is selected, and then select the following choices from the list (some less important settings can be left alone):

ActiveX controls and plug-ins:

• Binary and script behaviors: Disable
• Run ActiveX controls and plug-ins: Disable
• Script ActiveX controls marked safe for scripting: Disable

Miscellaneous:

• Allow Web pages to use restricted protocols for active content: Disable
• Display mixed content: Disable
• Installation of desktop items: Disable
• Launching applications and unsafe files: Disable
• Launching programs and files in an IFRAME: Disable
• Navigate sub-frames across different domains: Disable
• Software channel permissions: Maximum Safety
• Submit non-encrypted form data: Disable
• Web sites in less privileged Web content zone can navigate into this zone: Disable

Scripting:

• Active scripting: Disable
• Scripting of Java applets: Disable
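Each entry in the Custom Level dialog is stored as a DWORD under the Internet zone's registry key (zone 3), so the same checklist can be audited across a fleet instead of clicked through per machine. The PowerShell below is an added example and not part of the article; it assumes the action IDs and the 0 = Enable, 1 = Prompt, 3 = Disable encoding documented in Microsoft KB 182569, reads the current user's Internet zone, reports every value that differs from the checklist, and writes the Disable value only when run with -Apply. "Software channel permissions" uses a different value encoding and is deliberately left to the UI.

```powershell
# Audit (and optionally apply) the Internet-zone Custom Level checklist above.
# Added example, not from the original article. Assumes the per-user zone key is the
# one in effect; if HKLM\...\Internet Settings\Security_HKLM_only is 1, IE reads the
# same value layout under HKLM instead of HKCU.
param(
    [switch]$Apply   # without -Apply the script only reports drift
)

# Zone 3 is the Internet zone. Value names are the action IDs from KB 182569.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$Disable = 3          # 0 = Enable, 1 = Prompt, 3 = Disable

# Checklist entries from the article; all of them are "Disable".
$recommended = @(
    @{ Id = '2000'; Name = 'Binary and script behaviors';                                   Want = $Disable },
    @{ Id = '1200'; Name = 'Run ActiveX controls and plug-ins';                             Want = $Disable },
    @{ Id = '1405'; Name = 'Script ActiveX controls marked safe for scripting';             Want = $Disable },
    @{ Id = '2300'; Name = 'Allow Web pages to use restricted protocols for active content'; Want = $Disable },
    @{ Id = '1609'; Name = 'Display mixed content';                                         Want = $Disable },
    @{ Id = '1800'; Name = 'Installation of desktop items';                                 Want = $Disable },
    @{ Id = '1806'; Name = 'Launching applications and unsafe files';                       Want = $Disable },
    @{ Id = '1804'; Name = 'Launching programs and files in an IFRAME';                     Want = $Disable },
    @{ Id = '1607'; Name = 'Navigate sub-frames across different domains';                  Want = $Disable },
    @{ Id = '1601'; Name = 'Submit non-encrypted form data';                                Want = $Disable },
    @{ Id = '2101'; Name = 'Web sites in less privileged zone can navigate into this zone'; Want = $Disable },
    @{ Id = '1400'; Name = 'Active scripting';                                              Want = $Disable },
    @{ Id = '1402'; Name = 'Scripting of Java applets';                                     Want = $Disable }
)

function Get-ZoneSetting {
    # Returns the current DWORD for one action ID, or $null if the value is absent
    # (IE then falls back to the zone's template default).
    param([string]$Id)
    $props = Get-ItemProperty -Path $zoneKey -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties[$Id]) { return [int]$props.$Id }
    return $null
}

$drift = 0
foreach ($item in $recommended) {
    $current = Get-ZoneSetting -Id $item.Id
    $label = if ($null -eq $current) { 'not set' } else { $current }
    if ($current -eq $item.Want) {
        Write-Host ('OK     {0,-5} {1}' -f $item.Id, $item.Name)
        continue
    }
    $drift++
    Write-Host ('DRIFT  {0,-5} {1}: current={2}, want={3}' -f $item.Id, $item.Name, $label, $item.Want)
    if ($Apply) {
        if (-not (Test-Path $zoneKey)) { New-Item -Path $zoneKey -Force | Out-Null }
        Set-ItemProperty -Path $zoneKey -Name $item.Id -Value $item.Want -Type DWord
    }
}

$suffix = if ($Apply) { ' (now applied)' } else { '' }
Write-Host ('{0} of {1} checklist settings differ{2}' -f $drift, $recommended.Count, $suffix)
```

Run it without -Apply first and read the DRIFT lines before changing anything. Two caveats: zone values pushed through Group Policy live under the Policies branch of the registry and override what this script reads and writes, so on a managed desktop the audit reflects local state rather than effective policy; and disabling Active scripting in the Internet zone breaks most modern sites, so expect to move the business sites users need into another zone.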

About the author: Jonathan Hassell is author of Hardening Windows (Apress LP) and is a SearchWindowsSecurity.com site expert. Hassell is a systems administrator and IT consultant residing in Raleigh, N.C., who has extensive experience in networking technologies and Internet connectivity. He runs his own Web-hosting business, Enable Hosting. His previous book, RADIUS (O'Reilly & Associates), is a guide to implementing the RADIUS authentication protocol and overall network security.

