For many years, Microsoft has given us the ability to lock down Internet Explorer using Group Policy settings.
With more than 1,300 Group Policy settings that can be applied to Internet Explorer 8, I can't possibly cover all of them, so here are four security settings that I think are worthy of highlighting.
Note: I only list partial paths for the Group Policy settings because most of these policies can be applied at both the user and machine levels of the Group Policy hierarchy. To find the policy settings that I will be discussing, look under either Computer Configuration \ Administrative Templates or User Configuration \ Administrative Templates within the Group Policy Object Editor.
The SmartScreen Filter
The biggest new Internet Explorer 8 (IE8) security feature is the SmartScreen Filter. The SmartScreen Filter is essentially an enhanced version of the phishing filter that debuted in Internet Explorer 7.
The SmartScreen Filter is a reputation-based anti-malware component that is designed to complement traditional anti-malware software. As you may be aware, more and more cases are emerging in which malicious files are being posted on otherwise safe sites, such as social networking sites. As such, Microsoft designed the SmartScreen Filter to identify and completely block websites that are known to be malicious or to block only the malicious portion of an otherwise safe site. The SmartScreen Filter can be used to monitor file downloads as well.
The Group Policy settings that control the SmartScreen Filter are as follows:
| Policy setting | Path |
|---|---|
| Prevent Bypassing SmartScreen Filter Warnings | Windows Components \ Internet Explorer |
| Turn Off Managing SmartScreen Filter | Windows Components \ Internet Explorer |
| Use SmartScreen Filter | Windows Components \ Internet Explorer \ Internet Control Panel \ Security Page \ (There is a separate SmartScreen Filter setting for each Internet Explorer zone). |
Data Execution Prevention
One of the most common types of attack against Windows over the last several years has been the buffer overflow attack. Generally speaking, this type of attack works by inserting malicious code into an unchecked buffer, causing that buffer to overflow into other memory space, where the malicious code can then be executed.
Windows Vista protects against this type of attack by using Data Execution Prevention. Using this feature, Windows knows which memory areas code should and should not be executed in and takes steps to prevent code from running in memory locations that should be off limits.
Data Execution Prevention has been used by 64-bit versions of Windows Vista from the beginning, but Internet Explorer 7 was somehow exempt because of compatibility issues. Internet Explorer 8 resolves these problems and adds Data Execution Prevention capabilities to the browser.
Data Execution Prevention is enabled by default, and enabling it at the higher levels of the Group Policy hierarchy may prevent future malware from disabling it at the local computer level. The following Group Policy setting controls it:

| Policy setting | Path |
|---|---|
| Turn Off Data Execution Prevention | Windows Components \ Internet Explorer \ Security Features |
InPrivate Browsing and InPrivate Filtering
InPrivate Browsing is a new feature that protects the user's privacy. When the user enables InPrivate Browsing, Internet Explorer opens a new browser window and does not record the Web pages that are viewed or any searches that are performed during that session.
InPrivate Filtering is a similar feature. It gives users a choice as to the types of information that websites can use to track the user's browsing habits. Like InPrivate Browsing, InPrivate Filtering must be enabled and only applies to the current session. The Group Policy settings that are related to InPrivate Browsing and InPrivate Filtering are as follows:
| Policy setting | Path |
|---|---|
| Prevent Deleting InPrivate Blocking Data | Windows Components \ Internet Explorer \ Delete Browsing History |
| Turn Off InPrivate Filtering | Windows Components \ Internet Explorer \ InPrivate |
| Do Not Collect InPrivate Filtering Data | Windows Components \ Internet Explorer \ InPrivate |
| InPrivate Filtering Threshold | Windows Components \ Internet Explorer \ InPrivate |
| Disable Toolbars and Extensions When InPrivate Filtering Starts | Windows Components \ Internet Explorer \ InPrivate |
| Turn Off InPrivate Browsing | Windows Components \ Internet Explorer \ InPrivate |
Suggested Sites
The Suggested Sites feature isn't a security feature, but I felt I should address it anyway. When you enable the Suggested Sites feature, Internet Explorer suggests other websites that the user might enjoy based on the sites that they have visited.
Several websites have raised privacy concerns over this feature because of the way it transmits your browsing history and your IP address to Microsoft for analysis. There have also been allegations that this feature might someday be used to serve targeted advertising, although Microsoft denies these claims. The following Group Policy setting controls the Suggested Sites feature:
| Policy setting | Path |
|---|---|
| Turn On Suggested Sites | Windows Components \ Internet Explorer (This setting only applies to the user configuration.) |
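Several of the policies above are named "Turn Off ...", so the protective state is Disabled rather than Enabled, and a policy that is absent from a GPO is simply Not Configured. The following added example (not from the original article) audits a GPO report for three of the policies named above; the XML is a constructed, trimmed sample, and the baseline states and the function name `Test-IEPolicyBaseline` are assumptions made for illustration.

```powershell
# Constructed, trimmed sample shaped like the output of:
#   Get-GPOReport -Name '<GPO name>' -ReportType Xml
[xml]$sample = @'
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Computer><ExtensionData>
    <Extension xmlns:q1="http://www.microsoft.com/GroupPolicy/Settings/Registry">
      <q1:Policy>
        <q1:Name>Prevent Bypassing SmartScreen Filter Warnings</q1:Name>
        <q1:State>Enabled</q1:State>
      </q1:Policy>
      <q1:Policy>
        <q1:Name>Turn Off Data Execution Prevention</q1:Name>
        <q1:State>Enabled</q1:State>
      </q1:Policy>
    </Extension>
  </ExtensionData></Computer>
</GPO>
'@

# Assumed baseline (not prescribed by the article): the state each policy needs
# for the protective outcome. "Turn Off ..." policies must be Disabled to keep
# the feature forced on; Enabled would switch the protection off.
$baseline = @{
    'Prevent Bypassing SmartScreen Filter Warnings' = 'Enabled'
    'Turn Off Data Execution Prevention'            = 'Disabled'
    'Turn On Suggested Sites'                       = 'Disabled'
}

function Test-IEPolicyBaseline {
    param([xml]$Report, [hashtable]$Baseline)
    # Index administrative-template policies by display name (case-insensitive).
    # A policy set under both Computer and User keeps only the later entry here.
    $found = @{}
    foreach ($p in $Report.SelectNodes("//*[local-name()='Policy']")) {
        $name = $p.SelectSingleNode("*[local-name()='Name']").InnerText
        $found[$name] = $p.SelectSingleNode("*[local-name()='State']").InnerText
    }
    foreach ($name in $Baseline.Keys) {
        # Policies missing from the report are Not Configured, so the local
        # setting on each machine decides the behaviour.
        $actual = if ($found.ContainsKey($name)) { $found[$name] } else { 'Not Configured' }
        [pscustomobject]@{ Policy = $name; Expected = $Baseline[$name]
                           Actual = $actual; Pass = ($actual -eq $Baseline[$name]) }
    }
}

Test-IEPolicyBaseline -Report $sample -Baseline $baseline | Format-Table -AutoSize
```

In the constructed sample, the DEP policy fails because it was set to Enabled, and Suggested Sites fails because it was never configured.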
If you would like to see a more comprehensive list of the policy settings that are available, check out the Microsoft TechNet article Group Policy and Internet Explorer 8.
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Exchange Server, and has previously received Microsoft's MVP award for Windows Server and Internet Information Server (IIS). Brien has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at http://www.brienposey.com.