This learning guide details the vulnerabilities associated with today's most commonly used Web browser, Microsoft Internet Explorer, and the ways in which you can defend your network from Web-related security hacks. Any time a user on your network has access to the Web, which these days is almost always, a clever hacker can exploit inherent Windows internet security flaws and gain access to your network. As a Windows security administrator, you need to not only be aware of Internet Explorer security flaws but also how to recover from resulting breaches when a hacker decides to strike. The Internet Explorer security learning guide offers advice on securing IE7, surviving with IE6, discusses Web browser security settings and controls and outlines how proper Web browsing can lead to a safer network.
Table of contents
|Internet Explorer security settings and controls|
Web browser security settings, tools and user controls
In many cases, Web browser security falls in the user's hands. You'll need to know not only how to prevent hackers from installing malware through the myriad of Internet Explorer vulnerabilities but also how to recover from these attacks. The crux of this issue, as is the case with many security related IT issues, is the relationship between security and functionality. If your Internet Explorer security settings are too loose, then it is easy for hackers to break through your network security. If your Web browser security settings are too tight, then your IE users may become frustrated or certain Web sites might not display properly (or at all).
According to Windows security expert Brien Posey, "One of the biggest keys to establishing optimal Internet Explorer settings is to make effective use of Internet Explorer zones." IE allows you to configure each zone (Internet, Local Intranet, Trusted Sites and Restricted sites) individually. Check out Posey's tip on optimizing Internet Explorer security settings below, as well as tips on how to deal with pop-ups and how to import restricted sites into IE.
One of the biggest keys to establishing optimal Internet Explorer security settings is to make effective use of Internet Explorer zones. The Microsoft Web browser offers four security zones; Internet, Local Intranet, Trusted Sites, and Restricted Sites. IE allows you to set separate security levels for each zone and to specify the sites that fall into each zone.
Local Intranet zone
By default, the Local Internet zone has some rather loose permissions set. If your company has a local Intranet set up, then I recommend adding it's URL to the Local Intranet zone. After doing so, you can adjust this zone so that permissions that are not specifically required by your local Intranet are not given. In doing so, you are reducing your Web browser's attack surface should someone slip an unauthorized site into this zone.
Trusted Sites zone
The Trusted Sites zone is a zone intended for Web sites that you trust implicitly. If you are going to make use of the Trusted Sites zone, then you can leave the zone's security settings wide open. Otherwise, you should set the zone's security settings to the highest possible level to reduce the attack surface.
Expert recommendation: The Trusted Sites zone is that you should only add sites to the zone if you trust them implicitly. This is a strong statement, because there aren't many sites that you should trust implicitly. Security expert Brien Posey's personal philosophy is that "you should only include sites that are under your direct control to the Trusted Sites zone."
Restricted Sites zone
The Restricted Sites zone if for sites that you do not trust. A lot of people think that if a site is listed in the Restricted Sites list, that Internet Explorer won't allow users to visit that site. This isn't the case though. The Restricted Sites zone won't stop users from visiting the sites in the zone, it merely provides a way for you to flag sites that you consider to be malicious.
You should set the security levels for the Restricted Sites zone to the point that absolutely nothing can run. The real trick though is figuring out which Web sites to add to the zone. After all, you certainly don't want to go around visiting questionable Web sites to find out if they are malicious or not.
Spyware Blaster is a tool that maintains a huge list of Web sites that are known to be malicious and can automatically import that list into Internet Explorer's Restricted Sites zone. You can then import this information into a group policy and use it to protect all of the computers on your network.
See this guide for Brien's instructions on importing a restricted site list and deploying it through Group Policy.
The only remaining zone on the list is the Internet zone. Any site that does not fall into the zones that we have already discussed becomes a part of the Internet zone by default. Microsoft sets the Internet zone to a security level of Medium so that most Web sites will display correctly, without being able to do too much damage. Of course PCs can be become infected by spyware just by visiting a malicious site, so the medium security level doesn't really offer as much protection as it should. You can tweak the security level to meet your needs, but at a minimum, it is recommended that you disable anything related to Active X. Few legitimate Web sites use Active X any more, but Active X is a favorite tool for spyware authors. If you are concerned about functionality, you could always try disabling it on a trial basis.
Prevent network hacks with secure Web browsing
Secure Web browsing is often overlooked when mapping out security priorities in the enterprise. A few extra minutes here and there, however, can help you prevent network hacks that give attackers access to your business critical data.
With this series of tips, you can decrease the likelihood that the Web and Internet Explorer will be used as ways to take down your network. Get additional information on troubleshooting the latest version of Internet Explorer, Internet Explorer 7 (IE7), configuring IE7 for Vista, best practices for secure Web browsing in the enterprise and more.
Controlling Web surfing with Content Advisor
One tool that helps you mitigate the security threats lurking on the Web is Microsoft's Content Advisor.
Controlling Internet surfing
Unfortunately, there isn't a magical Group Policy setting within the Windows operating system that allows you to instantly ban casual Web surfing. The closest thing that Microsoft gives us is Internet Explorer's Content Advisor. The basic idea behind the Content Advisor feature is that it allows you to set the level of language, nudity, sex and violence that users can view.
While this probably sounds like a perfect solution, you need to be aware of two issues. First, Content Advisor only addresses language, nudity, sex and violence. It does not make any provision for other types of offensive content. The other problem with the Content Advisor is that it works based on site ratings. When Web developers create a Web site, they pick their own ratings in each of these four categories. The developers of some potentially offensive Web sites will purposely assign their sites ratings that reflect inoffensive content as a way of circumventing the Content Advisor. More often, though, a Web site simply will not have a rating at all.
Content Advisor does address sites with no ratings though. It can be configured so that users are not permitted to visit sites that have no rating. Of course, if users have a legitimate business need to surf the Web, then a blanket denial of sites with no content ratings could pose a problem. You do, however, have the option of adding a list of approved Web sites or of allowing a supervisor to enter a password that allows a user to view otherwise restricted content.
Content Advisor can be configured either at the individual workstation level or through a Group Policy. To configure the Content Advisor on an individual PC, open Internet Explorer and select the Internet Options command from the Tools menu. Then, select the properties sheet's Content tab and click the Settings button found in the tab's Content Advisor section. This will reveal the various Content Advisor settings.
You can manipulate the same settings through a Group Policy. You can find the necessary settings in the Group Policy Editor at User Configuration | Windows Settings | Internet Explorer Maintenance | Security. The settings you need are found under the Security Zones and Content Ratings Group Policy Object.
Controlling spyware in IE
Response: It sounds like your system is infected with spyware that's not easily removable. Check out my Malware removal handbook to learn various steps you can take to get your system up and running. Of the steps, I recommend running the free PestPatrol for starters. I've found it to be very beneficial in finding and removing spyware. You could also try the free Windows Defender beta as well. The more tools you use to scan the better off you'll be in this situation.
Additional information on spyware removal:
System Configuration Utility: An unexpected antispyware tool
The System Configuration Utility, a tool designed to manage programs during Windows system startup, can also be used in the battle against spyware. Contributor Brien M. Posey suggests using the SCU and Sysinternals' Autoruns as spyware discovery tools that help detect spyware that automatically boots up with your system.
- Which is the best
How do you choose the best antispyware product? Don't compare the products, compare the reviews of the products. This consolidation of antispyware reviews and rankings points to a top product.
- Windows Security Clinic: Rooting
out a rootkit
As if you didn't have enough to worry about with all the viruses, worms and spyware dilemmas plaguing your Windows environment -- now you have to think about rootkits. In this Windows Security Clinic, our "doctors" diagnose and troubleshoot a user problem that reeks of a rootkit.
This was first published in July 2007