Four Internet Explorer 8 Group Policy security settings


Brien M. Posey
05.06.2009

For many years, Microsoft has given us the ability to lock down Internet Explorer using Group Policy settings. With more than 1,300 Group Policy settings that can be applied to Internet Explorer 8, I can't possibly cover all of them, so here are four security settings that I think are worthy of highlighting.

Note: I only list partial paths for the Group Policy settings because most of these policies can be applied at both the user and machine levels of the Group Policy hierarchy. To find the policy settings that I will be discussing, look under either Computer Configuration \ Administrative Templates or User Configuration \ Administrative Templates within the Group Policy Object Editor.

The SmartScreen Filter
The biggest new Internet Explorer 8 (IE8) security feature is the SmartScreen Filter. The SmartScreen Filter is essentially an enhanced version of the phishing filter that debuted in Internet Explorer 7.

The SmartScreen Filter is a reputation-based anti-malware component that is designed to complement traditional anti-malware software. As you may be aware, more and more cases are emerging in which malicious files are being posted on otherwise safe sites, such as social networking sites. As such, Microsoft designed the SmartScreen Filter to identify and completely block websites that are known to be malicious or to block only the malicious portion of an otherwise safe site. The SmartScreen Filter can be used to monitor file downloads as well.

The Group Policy settings that control the SmartScreen Filter are as follows:

Policy Name | Location
Prevent Bypassing SmartScreen Filter Warnings | Windows Components \ Internet Explorer
Turn Off Managing SmartScreen Filter | Windows Components \ Internet Explorer
Use SmartScreen Filter | Windows Components \ Internet Explorer \ Internet Control Panel \ Security Page \ (There is a separate SmartScreen Filter setting for each Internet Explorer zone.)

Data Execution Prevention
One of the most common types of attacks against Windows over the last several years has been the buffer overflow attack. Generally speaking, this type of attack works by inserting malicious code into an unchecked buffer, causing that buffer to overflow into other memory space, where the malicious code can then be executed.

Windows Vista protects against this type of attack by using Data Execution Prevention. Using this feature, Windows knows which memory areas code should and should not be executed in and takes steps to prevent code from running in memory locations that should be off limits.

Data Execution Prevention has been used by 64-bit versions of Windows Vista from the beginning, but Internet Explorer 7 was somehow exempt because of compatibility issues. Internet Explorer 8 resolves these problems and adds Data Execution Prevention capabilities to the browser.

Data Execution Prevention is enabled by default, and enabling it at the higher levels of the Group Policy hierarchy may prevent future malware from disabling it at the local computer level. The following Group Policy setting controls it:

Policy Name | Location
Turn Off Data Execution Prevention | Windows Components \ Internet Explorer \ Security Features

InPrivate Browsing and InPrivate Filtering
InPrivate Browsing is a new feature that protects the user's privacy. When the user enables InPrivate Browsing, Internet Explorer opens a new browser window and does not record the Web pages that are viewed or any searches that are performed during that session.

InPrivate Filtering is a similar feature. It gives users a choice as to the types of information that websites can use to track the user's browsing habits. Like InPrivate Browsing, InPrivate Filtering must be enabled and only applies to the current session. The Group Policy settings that are related to InPrivate Browsing and InPrivate Filtering are as follows:

Policy Name | Location
Prevent Deleting InPrivate Blocking Data | Windows Components \ Internet Explorer \ Delete Browsing History
Turn Off InPrivate Filtering | Windows Components \ Internet Explorer \ InPrivate
Do Not Collect InPrivate Filtering Data | Windows Components \ Internet Explorer \ InPrivate
InPrivate Filtering Threshold | Windows Components \ Internet Explorer \ InPrivate
Disable Toolbars and Extensions When InPrivate Filtering Starts | Windows Components \ Internet Explorer \ InPrivate
Turn Off InPrivate Browsing | Windows Components \ Internet Explorer \ InPrivate

Suggested Sites
The Suggested Sites feature isn't a security feature, but I felt I should address it anyway. When you enable the Suggested Sites feature, Internet Explorer suggests other websites that the user might enjoy based on the sites that they have visited.

Several websites have raised privacy concerns over this feature because of the way it transmits your browsing history and your IP address to Microsoft for analysis. There have also been allegations that this feature might someday be used to serve targeted advertising, although Microsoft denies these claims. The following Group Policy setting controls the Suggested Sites feature:

Policy Name | Location
Turn On Suggested Sites | Windows Components \ Internet Explorer (This setting only applies to the user configuration.)

If you would like to see a more comprehensive list of the policy settings that are available, check out the Microsoft TechNet article Group Policy and Internet Explorer 8.
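
To check what a GPO actually sets for the policies covered above, the following added example (not part of the original tip) parses a GPO XML report and compares each policy's state with a desired state. The embedded XML is a constructed sample, and the desired states and the GPO name placeholder are this example's assumptions.

```powershell
# Constructed sample shaped like the XML from Get-GPOReport -ReportType Xml.
# On a management host, load a real report instead (GPO name is a placeholder):
#   [xml]$report = Get-GPOReport -Name '<your GPO name>' -ReportType Xml
[xml]$report = @'
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Computer><ExtensionData>
    <Extension xmlns:q1="http://www.microsoft.com/GroupPolicy/Settings/Registry">
      <q1:Policy>
        <q1:Name>Turn off Data Execution Prevention</q1:Name>
        <q1:State>Enabled</q1:State>
      </q1:Policy>
    </Extension>
  </ExtensionData></Computer>
  <User><ExtensionData>
    <Extension xmlns:q1="http://www.microsoft.com/GroupPolicy/Settings/Registry">
      <q1:Policy>
        <q1:Name>Prevent bypassing SmartScreen Filter warnings</q1:Name>
        <q1:State>Enabled</q1:State>
      </q1:Policy>
    </Extension>
  </ExtensionData></User>
</GPO>
'@

# Desired states are this example's assumption: a "Turn Off ..." policy must be
# Disabled for the feature to stay on; Suggested Sites is off for privacy.
$expected = @{
    'Turn Off Data Execution Prevention'            = 'Disabled'
    'Prevent Bypassing SmartScreen Filter Warnings' = 'Enabled'
    'Turn On Suggested Sites'                       = 'Disabled'
}
# Match on local-name() so the namespace prefixes in the report do not matter.
$hits = foreach ($scope in 'Computer', 'User') {
    $xpath = "/*[local-name()='GPO']/*[local-name()='$scope']//*[local-name()='Policy']"
    foreach ($p in $report.SelectNodes($xpath)) {
        $name = $p.SelectSingleNode("*[local-name()='Name']").InnerText
        if (-not $expected.ContainsKey($name)) { continue }   # key lookup ignores case
        $state = $p.SelectSingleNode("*[local-name()='State']").InnerText
        $verdict = if ($state -eq $expected[$name]) { 'OK' } else { 'REVIEW' }
        [pscustomobject]@{ Policy = $name; Scope = $scope; State = $state; Verdict = $verdict }
    }
}
# Policies the GPO never sets are left to local defaults, so report them too.
$missing = foreach ($name in $expected.Keys) {
    if (@($hits.Policy) -notcontains $name) {
        [pscustomobject]@{ Policy = $name; Scope = '-'; State = 'Not configured'; Verdict = 'NOT ENFORCED' }
    }
}
@($hits; $missing) | Format-Table -AutoSize
```

With the constructed sample, the Data Execution Prevention row is marked REVIEW because the GPO enables the "Turn Off" policy, and Suggested Sites is marked NOT ENFORCED because the GPO does not set it.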

ABOUT THE AUTHOR:   

Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Exchange Server, and has previously received Microsoft's MVP award for Windows Server and Internet Information Server (IIS). Brien has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at http://www.brienposey.com.

All Rights Reserved, Copyright 2008 - 2009, TechTarget