Making Internet Explorer Safer
The components that make up Internet Explorer are tightly integrated into the Windows environment, so making changes to them affects many other programs including Outlook (Express) and Windows Media Player. Be aware of the changes you make!
Even if you mistype an address you might fall into the hands of someone who has bad intentions. A simple example is the well known search engine of Google. If you mistype this as Goggle, you’ll end up at a site for SpyBouncer…|
Every day, new security holes are found in Internet Explorer, so you should always keep Internet Explorer up-to-date, even if you use another browser like Opera or Firefox. By not updating you might leave holes to be used in other programs.
Another cause for trouble is active content. ActiveX controls and Java applets can bring the net to life, but they also introduce possible risks in that they will have programming errors that can be used maliciously.
Security zones are the first line of defense in Internet Explorer. There are four zones in a normal installation of Windows.
- Local Intranet – all sites behind the firewall. For home users this would mean the other computers in your household. These sites are usually given a high level of trust.
- Trusted sites – sites you have given your trust. These are given the highest trust, and is empty after you installed Windows.
- Restricted sites – sites you distrust. This zone is empty after the Windows installation as well.
- Internet – the rest…
There is a fifth zone in the form of My Computer, but this is normally not configurable. ActiveX controls that were installed on the computer by Windows run in this zone. The controls you download do not! Also URLs that reference files on your computer run in My Computer (files you save from the Internet continue to run in the security zone attached to that site though).
What does all this mean? If you install a program such as Adobe Acrobat, you download the installer from the Internet. When you run that file, it will run in the Internet Zone (provided you didn’t put Adobe in the Restricted or Trusted Zone!). Once the program has been installed, when you start Acrobat it will run in My Computer. If Adobe also installed a file that will be opened by Internet Explorer, for example ReadMe.html, this will also run in My Computer.
With Windows XP SP-2, this zone now has the highest security level. Any content that uses Active Scripting or attempts to load an ActiveX Control is prevented from running unless the user explicitly allows it to be run by clicking the Information bar.
Because this can interfere with the operation of local running web applications, developers can add a Mark Of The Web to make files run in the Local Intranet zone instead of My Computer. For more information see http://msdn.microsoft.com.
To assign sites to zones or alter the configuration of their settings, open Internet Options by either choosing Tools within Internet Explorer or opening it from the Control Panel.
Configuring Local Intranet
After installation the Local Intranet Zone is set up to include the following site categories:
- All local sites which haven’t been assigned to another zone. URLs without dots like http://localhost are considered a local site.
All addresses on the Internet are in fact 32-bit integer values, which are usually interpreted in the byte values. This is why you see addresses like 22.214.171.124. The four bytes that make up the address are 124, 198, 20 and 57. With the use of some math these four bytes can be reconstructed into a single number (in this case 2093356089). Hey! No more dots! Now it runs in the Local Intranet!
- All sites bypassing a proxy
- All files opened by a UNC path or My Network Places
To remove one or more of these categories from the Local Intranet, select Local Intranet on the “Security” tab of Internet Options and click “Sites…”. Clear the appropriate checkboxes on the dialog and click OK.
Select the zone you want to append the site to and click “Sites…”. Type or copy and paste the site’s URL into “Add this Web site to the zone:” box and click “Add”. The site will appear in the “Web sites:” list box.
To remove a site select it in that list box and click “Remove”.
- Internet Explorer assumes the http protocol. Entering http://www.google.com is equivalent to http://www.google.com.
- “Require server verification (https:) for all sites in this zone” ensures that the zone you are entering is secured by SSL. This checkbox is selected in Trusted Sites. You can mix them by (un-)checking them when entering a site.
- Entering a full path to a page will add the complete site in the zone. Ergo, entering http://www.bbc.co.uk/doctorwho/characters/index.shtml will add http://www.bbc.co.uk to the list.
- If you use IP addresses directly they will not be the same as the name of the site. http://www.google.com will be different from 126.96.36.199. When you use IP addresses you will have to add both to the zone.
- To move a site from a zone to another you will have to delete it from the current zone and append it to the new zone.
Tips: Check your Trusted Zone periodically. Programs can add sites to the Trusted Zones and thereby give sites powers you don’t want them to have!
It could be that the default zones do not match what you need. If that happens, you can always create your own zone. Internet Explorer doesn’t let you create a zone on your own, but you can create one relatively easily.
The zones are in the Registry in the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones. This key has the following subkeys:
1) Local Intranet
2) Trusted sites
4) Restricted Sites
The simplest way to create a new zone is by exporting one of the keys with Registry Editor, changing it and importing the new key.
- If you’re using Windows XP use System Restore to create a new restore point.
- Open the Registry Editor and navigate to HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2. It’s best to clone either 2 (Trusted sites) or 4 (Restricted Sites). Other zones have properties that you don’t want duplicated.
- Choose File, Export and save the selected key as a .reg file. Close Registry Editor.
- Locate the exported file and right-click on it. Choose Edit to open it in your editor of choice (by default that is Notepad).
After loading it will look like this:
REGEDIT4 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
“Description”=”This zone contains Web sites that can possibly damage you computer or data.”
- Edit the line that begins with [HKEY_CURRENT_USER changing the 4 to 5 at the end. You can use any number but 5 will do.
- Edit the “DisplayName” and “Description” to what you want.
- Change the “Icon” to something you’d like. This is the icon that will be displayed in the Internet Options dialog box.
- Edit “MinLevel” and “RecommendedLevel”. MinLevel specifies the lowest security you can set for the zone without a warning prompt. RecommendedLevel is the default settings which will be set when you click on “Default Level”.
The available levels are:
- Edit the Flags line. This sets various properties for the zone. To set the Flags value, add the values from this table and convert them to hexadecimal notation.
The possible values are:
1 (0x01) Allow changes to custom settings
2 (0x02) Allow users to add sites to the zone
4 (0x04) Require https protocol
8 (0x08) Include sites that pass the proxy server
16 (0x10) Include sites not listed in other zones
32 (0x20) Do not show this zone in the Internet Options dialog
64 (0x40) Include the “Require Server verification (https:) for all sites listed in this zone” checkbox
128 (0x80) Treat UNC paths as Intranet connections.
The notations between brackets are the hexadecimal versions.
Example, to create a zone that lets you add sites and customize security you would make “Flags” look like this dword:00000003
A simple way to convert hexadecimal and decimal would be to use the Windows Calculator. Start Calculator (click on the Start menu, All Program, Accessories, Calculator) and make sure that you are looking at the scientific view by clicking View, Scientific. In the top left of the window there are four radiobuttons (Hex, Dec, Oct, Bin). By clicking these the value in the edit box will change to the equivalent amount.
- Save the edited file. And double-click it to import it into the Registry.
The other settings in the file specify various security settings. You can adjust them from Internet Options.
There are four default settings available:
Local Intranet – Medium-Low
Trusted sites – Low
Restricted sites – High
Internet – Medium
You can change the setting by moving the slider under “Security Level For This Zone”. If you don’t see a slider then there are custom settings active. To make it re-appear click on Default Level. Also note that settings applied to Trusted sites are more lenient than the ones applied to the Local Intranet! So, don’t put sites in Trusted sites unless you trust them more than the machines on your own intranet!
I’m not discussing the various individual settings because they change from version to version. To change the settings for a selected zone, click Custom Level and fill in your preferences in the dialog box that shows up.
There are significant differences between Internet Explorer 5 and Internet Explorer 6. Settings for cookies have been removed. Internet Explorer 6 has a new tab (Privacy) where you can adjust your settings for cookies. Also, some of the settings for security have been tightened. Most settings are retained, but Java and scripting have been disabled in the Restricted sites, regardless of the previous settings.
ActiveX security settings
These are very restrictive by default because of the power of the controls.
– Automatic Prompting For ActiveX Controls: Determines whether users are prompted with the Information Bar before installing an ActiveX Control. If this setting is disabled the control will be handled as defined by other settings. If enabled it will show the Information Bar.
– Binary And Script Behaviors: Restricts binary and script behavior in Restricted Sites and Local Machine. Binary and script behaviors are compiled HTML components, Windows Script Components or COM components that are delivered from a website instead of on the client. The settings are as follows: Enabled allows all behaviors, Disabled prevents them and Administrator Approved allows behaviors for a list pre-approved by the System Administrator.
– Download Signed ActiveX Controls: Can you download controls which are signed? This means that you can assume that the control has not been tampered with; it does not mean the control doesn’t have a harmful effect. Internet Explorer only downloads without a confirmation from sites in your Trusted sites-zone; consider changing this to Prompt for added security.
– Download Unsigned ActiveX Controls: Internet Explorer blocks downloading without a prompt in all zones but Trusted Sites. If you develop and/or test ActiveX controls, you might want to change this setting for the Local Intranet. Definitely, you don’t download unsigned controls from outside sources though!
– Initialize And Script ActiveX Controls Not Marked As Safe: This determines whether Internet Explorer allows initialization and/or scripting for controls that does not have the “Safe for” signature. Unless you’re testing controls there’s no need to change this setting.
– Run ActiveX Controls And Plug-ins: Internet Explorer allows downloaded ActiveX controls and plugins to run in all zones but the Restricted Sites. You can change this option to allow only Administrator-approved controls to run. A Plug-in is an application to handle Internet content; an example would be Acrobat Reader, which is used to open .pdf-files from the Internet.
– Script ActiveX Controls Marked Safe For Scripting: This enables controls loaded with the
| tag to interact with scripts. Only in Restricted Sites it is disabled. If you upgrade from Internet Explorer 5 to Internet Explorer 6, this is a setting which is not changed, so you might want to set it like that in Restricted Sites.
Java Security Settings
High Safety corresponds to the Java Sandbox. Medium Safety allows what High Safety allows plus Access Scratch Space (a place in your file system where the applet can create temporary files without full use of your system) and perform user directed file input/output. Low Safety additionally has: perform non user directed file input/output, execute other applications on your system, create and use dialog boxes, provide thread group access in the current execution context, open network connections with other computers, load libraries, make calls to Windows libraries (dll-files), create popups without the warning that the window was created by an applet, exit Microsoft VM, read/write in the Registry, print and create class loaders.
In other words, under Low Safety a Java applet can become just as powerful as an ActiveX Control. When you take into account that Java asks permission for applets if the applet cannot do what it wants, you can safely set this to the High Safety.
Miscellaneous Security Settings
– Access Data Sources Across Domains: This setting determines whether Internet Explorer will allow a component to access data sources on other domains than the site it comes from. Because this is potentially hazardous, this is not permitted in Internet and Restricted Sites zones by default
– Allow META REFRESH: A META REFRESH tag redirects you to a different server after a delay. Usually this is benign, and it’s a service to redirect you to a new site after the website has been moved.
– Allow Scripting Of Internet Explorer Webbrowser Control: Determines whether scripts can access the Webbrowser control that renders the content and interface of Internet Explorer.
– Allow Script Initiated Windows Without Size Or Position Constraints: This controls if a script can create popup windows that are larger than the screen is. If enabled it is possible to create windows that block out toolbars, Start menu, taskbar, etc. It is a trick often used to trick the user into installing malware.
– Allow Webpages To Use Restricted Protocols For Active Content: Determines whether a webpage accessed through a protocol restricted in a security zone can run active content. To add protocols, use Group Policy.
– Display Mixed Content: Internet Explorer prompts for permission to show both secure and non-secure content on the same page. This can happen when a secure page is loading an image from a non secure place, or when frames are being used and one frame is secure while the other is not. The risk is that when you are in a mixed page you are not aware if you are answering questions on a secure part of the page or not. If you find the prompt annoying, you can turn it off.
Tip: to see if a part of the page is secure or not, right-click and choose Properties. Check the URL; if it begins with https:// it’s secure.
– Don’t Prompt For Client Certificate Selection When No Certificate Or Only One Certificate Exists: Some secure sites want proof that you are who you say you are. They request a client certificate, a file that tells the server that you are indeed you and is signed by a root that is trusted by the server. If this setting is disabled Internet Explorer will show you a list of certificates to choose from.
– Drag And Drop Or Copy And Paste Files: With this setting enabled (default in Local Intranet and Trusted Sites), a control or script could move itself from a zone to a zone with less severe security. If you don’t have a full 100% trust in your Trusted Sites and Local Intranet consider changing this to Prompt.
– Installation Of Desktop Items: This is only enabled in the Trusted Sites zone, and allows you to guard against a security flaw where users could gain unauthorized privileges on a Windows 2000 or Windows XP machine. See Microsoft Security Bulletin MS00-020 for more information.
– Launching Programs And Files In An IFRAME: IFRAMEs are in-line ,or floating, frames often used in popups. Security problems involving IFRAMES usually exploit buffer overflow and/or hostile scripts vulnerabilities. The IFRAME is only enabled by default in the Trusted Sites zone. See Microsoft Security Bulleting MS99-042 for more information.
– Navigate Sub-Frames Across Different Domains: Just as with ‘Access Data Sources Across Domains’ it is possible for sites to show content from another site in a frame. Disable to prevent. By default this is disabled in Restricted Sites.
– Open Files Based On Content, Not File Extension: When enabled the MIME type of the file will be checked to determine which application should be used for opening the file. If disabled the specified program will be used.
– Software Channel Permissions: Three options are available: High Safety, Low Safety and Medium Safety. High Safety prevents from being notified by e-mail on software updates, and keeps programs from automatically getting downloaded and installed. Low Safety does allow this, and Medium Safety gets you the e-mails and downloads (provided it is digitally signed), but no automatic installation.
– Submit Non-Encrypted Form Data: As it says… Disable prevents, Enable permits, and Prompt prompts.
– Userdata Persistence: If enabled, web sites can create XML files on your system that can store large quantities of information about you. These files (“Supercookies”) are no security threat, since they can only contain what you enter. If you see this as a circumvention of Internet Explorer 6’s support for the Platform for Privacy Preferences (P3P), disable this setting.
– Web Sites In Less Privileged Web Content Zones Can Navigate Into This Zone: Specifies if Websites running in a security zone with a higher security settings can change the zone to one with less security. For example, changing from Internet to Local Intranet.
Scripting Security Settings
– Active Scripting: Determines whether scripts are allowed to run on a web page. Enabled in all but Restricted Sites
– Allow Paste Operations Via Script: A security flaw that allowed scripts to copy data from the user’s clipboard to their website… If you are concerned about this, disable it. This is only disabled in Restricted Sites.
– Scripting Of Java Applets: this sets whether scripts are allowed to interact with Java applets. Enabled in all but Restricted Sites.
User Authentication Settings
What happens when you have to login to a website. You might think it is convenient to have you logged in automatically, but don’t allow it anywhere but the Local Intranet and Trusted Sites. A malicious web site can ask for your login credentials and steal these without you knowing. For more information about this exploit, see Microsoft Security Bulletin MS01-001.
In addition to the settings for every security zone you can change global settings on the Advanced tab in Internet Options. These settings apply to every security zone on the computer. The settings are basic on/off checks. The default values are also given. Most descriptions are self-explanatory so I only give extra information if needed.
– Allow Active Content From CDs To Run On My Computer (off): Allows active content to be run automatically from CD without prompting, as would happen with other active content.
– Allow Active Content To Run Files In My Computer (off).
– Allow Software To Run Or Install Even If Signature Is Invalid (off): Running and installing active content is prevented if the signature is invalid regardless of the security zone.
– Check For Publisher’s Certificate Revocation (on): Checks to see if a certificate is revoked when you download an ActiveX control.
– Check For Server Certificate Revocation (off): Checks the Certificate Revocation List for the status of the certificate on web sites that use SSL or TLS
– Check For Signatures On Downloaded Programs (on): Checks signatures on downloaded ActiveX controls.
– Do Not Save Encrypted Pages To Disk (off): prevents saving of secure pages in the Temporary Internet Files folder.
– Empty Temporary Internet Files Folder When Browser Is Closed (off): This option should be enabled on all public computers or computers with high security requirements.
– Enable Integrated Windows Authentication (on): Ensures that only NTLM-based authentication is used to authenticate a user.
– Enable Profile Assistant (on): Allows you to use the Profile Assistant to store and maintain personal information.
– Use SSL 2.0 (on), Use SSL 3.0 (on), Use TLS 1.0 (off): Allows the use of these protocols when creating secure channels.
– Warn About Invalid Site Certificates (on): Warns users on secure websites if the Site’s certificate is invalid.
– Warn If Changing Between Secure And Not Secure Methods (off).
– Warn If Forms Submittal Is Being Redirected (on): shows a message when the submitted form is beng redirected to another website or location to retrieve content.
Because the Internet is uncontrolled, there will be something on it to offend anyone. This is not just an issue for parents who want to protect their offspring, it can be an issue for everyone. Internet Explorer handles this through Content Advisor.
When Content Advisor finds the user going to a restricted page, it will issue a warning. Users who know the Supervisor password can bypass this and go to the site anyway.
To install ICRA follow these steps:
By default Content Advisor blocks unrated pages because it has no way of knowing what the content is. When you go to an unrated page, you will be presented with a dialog saying you cannot view the page. You can enter the supervisor password and say whether this page is allowed or not.
If you don’t want this protection you can change the default behavior. Go to Internet Options, Content, and click Settings. On the General tab select Users Can See Sites That Have No Rating.
You can create your own ratings by setting up a list of sites and specifying Always or Never on the Approved Sites tab. You can also delete sites from this list on the tab.
Turning Content Advisor off can be done by clicking the Disable button and specifying the password.
ActiveX controls are Windows programs, therefore they are able to do what any program can do. They are only limited by the permissions of your account. Already hundreds of them will be on your computer, because ActiveX controls are an important part of Windows. Apart from installing programs, you can also download these controls from the Internet when you visit a website.
To help decide if a download is risky or not, Microsoft employs a digital signing strategy called Authenticode. On downloading, Internet Explorer checks to see whether it can download the control or not. If it can’t find information on it, Internet Explorer will ask you if it can be downloaded.
Note that the signature does not tell you it can be trusted, it only attests to the integrity and authenticity of the control you are about to download. In the default security settings for the Internet, Internet Explorer prompts you for permission to download and blocks unsigned downloads. On the dialog box you can click the name of the component’s publisher to see the certificate that was used to sign the download. Remember that once the control is downloaded you cannot see the certificate again, so if you want to see it, that would be the time. You can import the certificate by clicking Install Certificate.
Once the control is downloaded you can see more about it by going to the General tab of Internet Options and clicking Settings, View Objects. Alternatively you can go to %SystemRoot%\Downloaded Program Files .
Updating ActiveX Controls
In the Details view of the Downloaded Program Files folder, you can find several types of information about a control. The Status column tells you if the control has been damaged. Creation Date tells when you downloaded it. If the control has become damaged, or you think you should update it, you can right-click the control and choose Update from the menu. When updates are available, you’ll be presented with the already familiar Certificate window, and after that the control will be updated.
Deleting ActiveX Controls
ActiveX Control Properties
Right-clicking a control and choosing Properties reveals more information about it. The Properties dialog box shows on the General tab if it is a Java applet or an ActiveX control (Type), where you downloaded the control (CodeBase). Internet Explorer uses the security zone that the CodeBase belongs to to determine what the permissions are for the control. Note that the CodeBase might be different from the website where you downloaded the control. In such a case Internet Explorer applies the most restrictive of the settings.
The Version tab allows you to find information about the control’s publisher and the Dependency tab identifies the file(s) used by the component.
Safe For Initialization and Safe For Scripting Flags
ActiveX controls can be instantiated with local or remote data. If this data comes from an untrustworthy source this could cause a breach in the security. As a way of dealing with these risks, publishers can sign the controls as Safe For Initialization and/or Safe For Scripting.
If a control is marked Safe For Initialization, the publisher asserts that the control will do no harm, regardless of how it was initialized. If a control is marked Safe For Scripting, the publisher asserts that the control will do no harm no matter how the properties, methods and events are scripted.
Under default security settings controls without these flags will be blocked in the Local Intranet, Internet and Restricted Sites zones. In the Trusted Sites zone you will be prompted to obtain permission.
If a control is marked safe for scripting, the Registry key for the has the following key:
Likewise safe for initialization is indicated by this key:
Note that these keys do not have any keys or values under them. If you want to demote the control you just delete the key that indicates it is safe. Do not delete other parts, just the key marking it as safe!
Permitting Only Administrator Approved ActiveX Controls To Run
You can restrict the use of ActiveX controls to a set approved by the Administrator by using Microsoft Internet Explorer Administration Toolkit (which you can download at http://www.microsoft.com/windows/ieak/default.mspx) or with Group Policy.
Start Group Policy by choosing Run… from the Start menu and entering gpedit.msc. In Group Policy navigate to User Configuration\Administrative Templates\Windows Components\Internet Explorer\Administrator Approved Controls. You’ll see a list of controls which you can add to the approved list by double-clicking an entry and selecting Enabled from the popup window.
You can add Controls which are not on this list by editing the Registry. Get the CLSID from the Control by right-clicking the Control and choosing Properties. Select and copy the CLSID. Open Registry Editor and navigate to HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls. If that key doesn’t exist you can create it. Add a DWORD value for the CLSID you want, and set the data to 0. To prohibit the use of that Control set the data to 1.
To limit Internet Explorer to the use of those Controls configure the Run ActiveX Controls And Plug-ins setting to Administrator Approved. This is a per-security-zone setting, so you will have to set it for every zone you want limited.
Inactivating an ActiveX Control
If you want to make sure that an ActiveX Control never runs on your system again copy the CLSID from the Control by going to %SystemRoot%\Downloaded Program Files, double-clicking the Control to be removed and copying the ID field from the General tab.
Run Registry Editor and navigate to HKLM\Software\Microsoft\Internet Explorer\ActiveX Compatibility. In this key add a new Key and paste the copied CLSID as name. If the key already exists, Registry Editor will refuse to add it, so delete the newly appended key and select the other key. Add a DWORD value named Compatibility Flags. Double-click that value to edit it and enter the hexadecimal value 400 (or 1024 after selecting decimal). When the value is 0x00000400 the Control will become inactive. To make it active again, delete the value Compatibility Flags.
Just like ActiveX Controls, downloaded Java Applets are located in %SystemRoot%\Downloaded Program Files, where you can view, update and remove them. Java Applets don’t have unrestricted access to your system because they run in a “sandbox”. In this sandbox an applet can do the following:
For more details about the security of Java Applets see Java Security Settings in this article.
A script is embedded in a web page, and is written in VBScript or JScript. Scripts can also be saved as stand alone files (the extensions used are .vbs for VBScript and .js for Jscript). With the Windows Scripting Host they can executed as well. Many viruses are written as scripts, so use a good Anti-Virus program to protect you from scripted email.
Because scripts normally make use of known exploits and security breaches, keep up to date with Windows and Internet Explorer patches!
Internet Explorer includes a number of security settings that affect scripting, see earlier in this article.
You can configure the Internet Zone to prompt when a site wants to execute a script. And create a security zone with sites that you deem trustworthy. After the site has been proven to be benign, you add it to the newly created security zone, and it will run as normal.
As an alternative you can use Jason Levine’s Script Sentry (http://www.jasons-toolbox.com/scriptsentry.asp). Script Sentry allows you to run scripts without interruption, and display alerts when other scripts want to run.