Tips on hardening and securing IE7

The MHTML hole

In late 2006, Secunia, a security firm based in Denmark, discovered a non-critical yet important vulnerability in IE7. Essentially, the vulnerability involves the potential for Web sites with malicious code to steal data from other sites opened in another window of IE7. Its level of seriousness is debatable, and Microsoft claims that the vulnerability exists in Outlook Express rather than IE. Whatever the reason, the vulnerability is demonstrated at this sample site hosted by Secunia.

To work around this, disable the ability for ActiveX content to run automatically. The setting is covered in my checklist, which I explain a bit later in this article.

Protected mode and the phishing filter

Rarely will I advise upgrading to a new operating system just to take advantage of a new feature. But if you are a die-hard Internet Explorer aficionado, then you'll like a new feature, available only in IE in Windows Vista called Protected Mode; it helps create what is arguably the safest browsing environment bar none.

Protected Mode could be described as IE7 running in an extremely limited security context, lower than even that of a Limited User-based account. It removes a lot of capabilities from potentially dangerous applications and effectively limits Web browser-based applications and scripts to writing to the Temporary Internet Files folder only. It's enabled by default on Windows Vista; if you refuse to use Firefox or, for some

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Microsoft Internet Explorer management Four Internet Explorer 8 group policy security settings Safe enterprise Web browsing: Five tips in five minutes Top client security tips of 2006 Phishing filter: Step 2 General security configuration: Step 1 Windows Vista and IE7: Step 5 ActiveX opt-ins, information bar and cross-domain protection: Step 4 Protection against international domain names, URL handling: Step 3 IE8 brings focus to cross-browser compatibility and Web standards Cross-site Scripting 102: How to defend against cross-site scripting Windows desktop security tips How Windows 7 stands up to security tests Securing sensitive data on Windows-based laptops Gathering and documenting your Windows desktop security policies Windows desktop security standards documentation best practices Desktop security preparation for a new wave of Windows apps Four Internet Explorer 8 group policy security settings The state of enterprise security and emerging threats in 2009 Why should Windows shops use Microsoft Baseline Security Analyzer? A first look at Windows 7 security enhancements Using Sysinternals tools in security management scenarios

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary ActiveX  (SearchEnterpriseDesktop.com) ActiveX control  (SearchEnterpriseDesktop.com) Internet Explorer  (SearchEnterpriseDesktop.com) Internet Explorer Administration Kit  (SearchEnterpriseDesktop.com) tabbed browsing  (SearchEnterpriseDesktop.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

reason are unable to do so, then the security is worth the price of admission to Windows Vista.

Another feature available in all versions of Internet Explorer, not just in IE coupled with Windows Vista, is the Phishing Filter. Microsoft has a database of the names of suspect Web sites. It works to notify the user if he or she opens a Web site deemed problematic by Microsoft after running the name through the database. The address bar will turn red and a warning will appear that the Web site is problematic. You can see the status of the phishing filter in the status bar at the bottom of the window; click it to turn it on and off. (Experienced users may find the behavior annoying, and there is a slight lag in loading pages while the URL is checked against Microsoft's phishing site database.)

Settings checklist

Here is a list of my recommended settings for a custom level within IE7. To implement these recommendations, select Options from the Tools menu in IE7. Navigate to the Security tab. Click the Custom Level tab after ensuring that the Internet zone is selected, and then select the following choices from the list (some less important settings can be left alone):

ActiveX controls and plug-ins:

Miscellaneous:

Scripting:

About the author: Jonathan Hassell is author of Hardening Windows (Apress LP) and is a SearchWindowsSecurity.com site expert. Hassell is a systems administrator and IT consultant residing in Raleigh, N.C., who has extensive experience in networking technologies and Internet connectivity. He runs his own Web-hosting business, Enable Hosting. His previous book, RADIUS (O'Reilly & Associates), is a guide to implementing the RADIUS authentication protocol and overall network security.

Rate this Tip To rate tips, you must be a member of SearchEnterpriseDesktop.com. Register now to start rating these tips. Log in if you are already a member. DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.