Internet Explorer Desktop Security Guide

  • 8/11/2019 Internet Explorer Desktop Security Guide

    Internet Explorer 7 Desktop Security Guide

    Enhancing Internet Explorer Security for Desktop Users

    Published July 2007

    For the latest information, see http://www.microsoft.com/ie

    Version 2.0

    Copyright 2007 Microsoft Corporation. All rights reserved. Complying with the applicable copyright laws is your responsibility. By using or providing feedback on this documentation, you agree to the license agreement below.

    If you are using this documentation solely for non-commercial purposes internally within YOUR company or organization, then this documentation is licensed to you under the Creative Commons Attribution-NonCommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

    This documentation is provided to you for informational purposes only, and is provided to you entirely "AS IS". Your use of the documentation cannot be understood as substituting for customized service and information that might be developed by Microsoft Corporation for a particular user based upon that user's particular environment. To the extent permitted by law, MICROSOFT MAKES NO WARRANTY OF ANY KIND, DISCLAIMS ALL EXPRESS, IMPLIED AND STATUTORY WARRANTIES, AND ASSUMES NO LIABILITY TO YOU FOR ANY DAMAGES OF ANY TYPE IN CONNECTION WITH THESE MATERIALS OR ANY INTELLECTUAL PROPERTY IN THEM.

    Microsoft may have patents, patent applications, trademarks, or other intellectual property rights covering subject matter within this documentation. Except as provided in a separate agreement from Microsoft, your use of this document does not give you any license to these patents, trademarks or other intellectual property.

    Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious.

    Microsoft, Windows, ActiveX, Authenticode, Excel, Internet Explorer, MSDN, Outlook, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

    You have no obligation to give Microsoft any suggestions, comments or other feedback ("Feedback") relating to the documentation. However, if you do provide any Feedback to Microsoft then you provide to Microsoft, without charge, the right to use, share and commercialize your Feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft software or service that includes the Feedback. You will not give Feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties because we include your Feedback in them.

    Contents

    Executive Summary
    Introduction: Increasing Browser Security
    Managing Internet Explorer 7
    Security Zones
        Modifying Zone Settings in Internet Explorer 7
        Zone Determination
        Changes to the Security Zone Model in Internet Explorer 7
        Other Security Settings
    New Security Features in Internet Explorer 7
        Internet Explorer Protected Mode
        ActiveX Opt-in
        Cross-Domain Scripting Attack Protection
        Security Status Bar
        Phishing Filter
    Recommendations for Increased Security
        Zone Security Recommendations
            Enable Zone Elevation Protection
            Do not allow users to add/delete sites from Security Zones
            Do not allow users to change policies for Security Zones
            Do Not Configure Security Zones: Use Only Machine Settings
        Certificate Security Recommendations
            Prevent users from navigating to sites that have certificate errors
        Active Content Security Recommendations
            Restrict ActiveX Install
            Add ActiveX controls and plug-ins to pre-approved list
            Disable active scripting in response to specific threats
            Enable Scripted Window Security Restrictions
        Reducing Application Privilege Recommendations
            Turn on Protected Mode in Windows Vista
            Use DropMyRights with Windows XP
        Privacy Settings Recommendations
            Set the Privacy Slider to at least Medium
            Empty Temporary Internet Files folder when browser is closed
            Set Form AutoComplete options to Disabled
            Configure Logon options for each Security Zone
            Enable the Phishing Filter
        Other Security Settings Recommendations
            Do not save encrypted pages to disk
            Disable Automatic Install of Internet Explorer components
            Disable Periodic Check for Internet Explorer software updates
            Disable software update shell notifications on program launch
            Make proxy settings per machine (rather than per user)
            Turn off Crash Detection
            Restrict File Download
            Disable Allow File Downloads for Restricted Sites Zone
            Enable Data Execution Prevention
            Do not allow users to enable or disable add-ons
            Ensure Consistent MIME Handling
            Enable MIME Sniffing Safety Features
            Display the Information Bar
            MK Protocol Security Restriction
            Object Caching Protection
            Block attachments that could contain a virus in Outlook Express
    Summary
    Appendix A: Internet Explorer 7 Settings Checklist

    Executive Summary

    One of the biggest challenges facing Web browser vendors is defining default security settings. If the default settings are too restrictive, users have basic problems with the functionality of the browser. But if the settings are not restrictive enough, users are susceptible to attack from malicious software or malicious users. Finding the right balance of functionality and security is critical to ensure both safety and ease of use, but it is often difficult to obtain due to varying user needs. For example, home and business users will often have different requirements.

    Vendors typically define default security settings to allow the greatest usability based on calculated risk. Basing decisions on attack scenarios, weighting factors required to exploit and other user scenarios, a vendor selects values for default security settings for them to function well in a wide range of environments. For most home users, these default choices are usually sufficient to meet their browsing needs and keep them protected from most attacks.

    However, some home and business users of Microsoft Internet Explorer have more specific requirements, and typically they need to define their own settings based on unique requirements. For example, users in large enterprise environments may be required to comply with government regulations to protect financial data and customer information stored on servers on their network.

    In a continuing effort to increase browser security, Internet Explorer 7 offers users more protection than previous versions of the browser through a combination of new features and more secure default settings. In keeping with the need to balance security and usability, the default values for these new features and settings have been configured to offer the best choice for a broad range of users. For more information about new features and settings, download the Internet Explorer 7 Technology Overview from the Windows Internet Explorer Web page.

    This white paper examines some of these new features and settings that you can modify to provide a more "locked down" security configuration. This paper does not provide a complete review of all settings, nor is the guidance in it specifically equivalent to the Enhanced Server Configuration for Windows Server 2003. The settings and features this paper discusses offer additional security guidance for the broadest impact on most users and administrators.

    This paper discusses both the Windows Vista and Windows XP versions of Internet Explorer. Administrators and system owners can use the guidance in this paper to tighten security settings in the browser to meet their specific needs. The document is structured to provide a description and review of the settings and features the paper discusses. Microsoft recommendations for enhancing the default security settings in some common deployment scenarios are also provided.

    Note: In many cases, administrators can use the Internet Explorer Administration Kit (IEAK) to create a customized build of Internet Explorer to deploy across the enterprise, and then use Group Policy to enforce those settings. This paper does not discuss the IEAK in detail, but you can use many of the settings described in this paper to create a custom package.

    Introduction: Increasing Browser Security

    Internet Explorer 7 builds on the security improvements made to the browser that are available to users running Windows XP Service Pack 2 (SP2). Windows XP SP2 introduced hundreds of security enhancements to both the operating system and Internet Explorer 6. The security enhancements to the browser focused on tightening security settings and allowed behaviors, along with introducing new features such as the pop-up blocker.

    These changes helped users gain more control over their systems and close off attack vectors, but attackers continue to find vectors they can exploit. Some of the changes made to Internet Explorer 7 were simply modifications to default settings to further close off avenues of attack. Internet Explorer 7 also contains several new features designed to deal with new exploits, and some features designed to prevent entire classes of attacks. Each new feature has default settings to protect users and prevent security compromise.

    As mentioned previously, the default security settings for Internet Explorer 7 are designed to provide users with a powerful balance between usability and security. Microsoft invests a great deal of effort to find the proper balance to meet the needs of most users and organizations.

    This paper examines ways to increase security by modifying settings grouped into four main categories:

    Security Zones

    ActiveX Controls

    Privacy Settings

    Other Security Settings

    Each area contains at least one subcategory that provides fine levels of control over each security setting. For example, the Privacy Settings section covers security settings for features and functionality such as Cookies, User History, Form entry, and Password data.

    This paper focuses on Internet Explorer 7 security. However, any review of securing an application must also include information about host level security. To avoid any gaps between the application and the operating system, you must maintain and update both regularly. Microsoft recommends installing all operating system updates using tools such as Windows Server Update Services (WSUS), Systems Management Server (SMS) 2003 or Automatic Updates to keep systems current with all available updates. In addition, customers are encouraged to register to receive technical security notifications from the Microsoft Technical Security Notifications page.

    Managing Internet Explorer 7

    Internet Explorer is one of the most used applications on the desktop system. Although the browser does not produce business documents like Microsoft Word or Excel, it is at the center of many business activities. Proper administration is required to ensure that systems function as expected and users are prevented from making changes that would create support issues. Microsoft provides business customers with tools that help meet these needs, depending on the size and complexity of the organization. The two main options that you can use for centralized administration of the settings in Internet Explorer 7 are the Internet Explorer Administration Kit (IEAK) 7 and Group Policy objects (GPOs) in an Active Directory Domain Service (AD DS) infrastructure. This paper is intended to be a resource for administrators to use to increase the security of desktop deployments regardless of company size. There are some settings that you can only configure using either the IEAK or GPOs, but not both. However, this paper provides setting information for both resources wherever possible.

    To help administrators select the right setting management solution for their environment, it is important to understand more about both of these resources. In general, the IEAK is for organizations that manage environments without an AD DS infrastructure, or for those groups and organizations that want to provide a customized version of the browser, complete with custom settings and options. The IEAK allows administrators to easily build a custom configuration settings file that is applied during installation setup. Administrators using the IEAK to build custom packages can define settings for many, but not all, Internet Explorer 7 settings. For more information about the configuration options for the browser, see the Internet Explorer Administration Kit Guidelines Web page on Microsoft TechNet. Installations performed with an IEAK package only maintain settings until the user changes them. For installations created using the Internal Distribution Corporate Intranet mode, IEAK settings can be reapplied at specified intervals to ensure that user configurations align with company defined standards. Selecting the new Reset Internet Explorer Settings option reverts the installation to the customized settings applied by your organization, reverts ActiveX Opt-In settings to their defaults and disables, but does not remove, all toolbars and extensions installed on the computer.

    Using GPOs provides you with the ability to create well defined installation configurations that are regularly updated by policy controls to prevent user changes. You can use GPO settings to control hundreds of settings and options within Internet Explorer 7. Working with GPO settings is more complex than using the IEAK. Once you define and apply a GPO template, all affected managed systems follow that configuration unless an administrator changes it. Many attempted user changes are simply ignored or disallowed. In other cases, changes may be possible but they will be reset to enterprise defaults at the next policy application.

    Microsoft recommends that enterprise customers use GPOs in an AD DS infrastructure where possible to ensure that security settings remain enforced or unchanged.

    Security Zones

    Internet Explorer 7 offers administrators a unique security feature that is unavailable in most other browsers: the ability to define security settings for different Web site classes. Unlike other browsers, Internet Explorer 7 determines the level of security for a given Web page by categorizing it into a URL security zone based on the origin of the Web page.

    The five security zones are Local Machine (not visible in the Internet Explorer user interface), Internet, Local intranet, Trusted sites, and Restricted sites. Web sites on the local computer are grouped into the Local Machine zone, remote servers are in the Internet security zone, and Web sites on a local network are in the Intranet zone. Web sites on servers identified by the user or administrator as potentially malicious are placed in the Restricted sites zone. Web sites on servers identified by the user or administrator as trusted are in the Trusted sites zone.

    Note: On computers that are not joined to a domain, the Local intranet zone is disabled, and the sites that would normally be accessed in the Local intranet zone are opened in the Internet zone instead. The Local Machine zone is not visible in the Internet Explorer user interface.

    Different levels of security are appropriate for each of these zones. To facilitate this, Internet Explorer uses URL security zone templates. Five templates are available by default: high, medium-high, medium, medium-low, and low. The security zones are mapped to these URL templates to determine the security level as shown in the following table:

    Security zone: Local Machine
    Security level (URL security zone template): Custom
    Description: Content found on the user's computer (except for content that Internet Explorer caches on the local system) is treated with a high level of trust. This zone cannot be configured from within Internet Explorer.

    Security zone: Internet
    Security level (URL security zone template): Medium-High
    Description: The Internet zone consists of all Web sites that are not included in the other zones.

    Security zone: Local intranet (only available for domain-joined computers)
    Security level (URL security zone template): Medium-low
    Description: All sites in this zone should be inside the firewall, and proxy servers should be configured so that an external Domain Name System (DNS) name cannot be resolved to this zone.

    Security zone: Trusted sites
    Security level (URL security zone template): Medium
    Description: Sites in the Trusted sites zone are allowed to perform a wider range of operations and prompt users to make fewer security decisions. Sites should only be added to this zone if you trust all of its content never to perform any harmful operations on your computers.

    Security zone: Restricted sites
    Security level (URL security zone template): High
    Description: This zone is designed to contain sites considered untrustworthy. The default settings for this zone control and restrict Web features, but do not block access to the site. Sites can be added by the user or enforced by Group Policy.

    Note: In addition to these zones, there are corresponding locked-down zones that are not visible in the Internet Explorer user interface. The locked down zones are used for protocols specified in the Network Protocol Lockdown setting in Group Policy.

    The URL security zone templates specify which actions Web pages can perform. For example, the High URL Security Zone template specifies that Web pages cannot run or use Microsoft ActiveX controls or scripting, so by default if a user visits a site in the restricted sites zone, they will be unable to use that functionality.

    For more information about URL security zones and templates, see the MSDN article "About URL Security Zones."

    Modifying Zone Settings in Internet Explorer 7

    There are three ways that users can modify the zone settings in the Internet Options dialog box:

    The user can use the security zone slider on the Security tab to change which URL Security Zone template (security level) is used for the zone. For example, the user could change the security level for the Internet Zone from Medium-High to Medium.

    The user can enter custom settings for a particular zone by clicking the Custom Level button on the Security tab.

    The user can add specific sites to a zone by clicking the Sites button on the Security tab (this option is not available for the Internet zone, because that zone is for all sites not contained in the other zones).

    Note: The behavior of the Sites button is different for the Local intranet zone. In this case the Sites button allows you to determine if the intranet network is automatically detected (the default) or which criteria should be used. You can choose to include all local (intranet) sites not included in other zones, all sites that bypass the proxy server, and all Universal Naming Convention (UNC) network paths. It is still possible to add specific sites to the Local intranet zone by clicking the Advanced button in the settings dialog box.

    Often, administrators want to restrict the ability of users to modify zone settings. For more information about how you can achieve this, see the "Recommendations for Increased Security" section later in this paper.

    Zone Determination

    While the basic concept of zone security permissions is easy to understand, the logic behind zone determination is often unexplained but useful to understand for effective desktop system management. The core of the determination process is based on input to the Address bar in Internet Explorer, not based on DNS IP value responses or netmask values. As a general rule, zone determination rules center around the user input to the Address bar.

    The following rules are used by default to determine the zone in which a site opens:

    Any sites listed in the Restricted sites zone open in that zone.

    Any sites listed in the Trusted sites zone open in that zone.

    Any sites listed in the Local intranet zone open in that zone.

    Sites that are on the proxy bypass list open in the Local intranet zone.

    Entries in the Address bar that do not include a period and can be resolved to a site open in the Local intranet zone (for example http://local).

    Other sites open in the Internet zone.

    Note: It is not possible to add a site to more than one zone.

    It is important to note that these rules sometimes mean that intranet sites open in the Internet zone. For example, if an intranet site is referred to by an IP address or a fully qualified domain name (FQDN), the site will open in the Internet zone, because the name includes periods.
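
    The rule order above can be checked against a list of Address bar entries before sites are assigned to zones. The following Python model is an added example, not part of the original paper and not Internet Explorer's own code; the ZoneConfig class, the wildcard matching of list entries, the injected resolver and every host name are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from urllib.parse import urlsplit


@dataclass
class ZoneConfig:
    """Site lists configured by the user or administrator (hypothetical model)."""
    restricted: list = field(default_factory=list)
    trusted: list = field(default_factory=list)
    intranet: list = field(default_factory=list)
    proxy_bypass: list = field(default_factory=list)
    domain_joined: bool = True  # the Local intranet zone is disabled when False


def host_from_entry(entry):
    """Extract the lower-cased host from what was typed in the Address bar."""
    text = entry.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlsplit(text).hostname or "").lower()


def _listed(host, patterns):
    # Assumption: list entries are host names or '*.' wildcards, matched on host only.
    return any(fnmatchcase(host, p.lower()) for p in patterns)


def determine_zone(entry, cfg, resolves):
    """Return (zone, reason), applying the default rules in their stated order.

    `resolves` is a callable that says whether a name without a period can be
    resolved; it is injected so the example runs offline.
    """
    host = host_from_entry(entry)
    if not host:
        raise ValueError(f"no host in Address bar entry: {entry!r}")

    if _listed(host, cfg.restricted):
        return "Restricted sites", "listed in Restricted sites"
    if _listed(host, cfg.trusted):
        return "Trusted sites", "listed in Trusted sites"

    intranet_reason = None
    if _listed(host, cfg.intranet):
        intranet_reason = "listed in Local intranet"
    elif _listed(host, cfg.proxy_bypass):
        intranet_reason = "on the proxy bypass list"
    elif "." not in host and resolves(host):
        intranet_reason = "no period in the name and it resolves"

    if intranet_reason and cfg.domain_joined:
        return "Local intranet", intranet_reason
    if intranet_reason:
        # Not domain-joined: sites that would use Local intranet open in Internet.
        return "Internet", intranet_reason + ", but Local intranet is disabled"
    return "Internet", "no other rule matched"


# Constructed sample data: every host name below is made up for this example.
SAMPLE = ZoneConfig(
    restricted=["ads.badsite.example", "legacy.lab.corp.example"],
    trusted=["*.partner.example"],
    intranet=["hr.corp.example"],
    proxy_bypass=["*.lab.corp.example"],
)
RESOLVABLE = {"local", "payroll"}


def sample_resolver(name):
    """Stand-in for name resolution of single-label names."""
    return name in RESOLVABLE


if __name__ == "__main__":
    typed_entries = [
        "http://local", "http://portal.corp.example/", "http://192.168.10.5/",
        "hr.corp.example", "build.lab.corp.example", "legacy.lab.corp.example",
        "https://login.partner.example/x", "nosuchhost",
    ]
    for typed in typed_entries:
        zone, why = determine_zone(typed, SAMPLE, sample_resolver)
        print(f"{typed:34} -> {zone:16} ({why})")
```

    In the sample data, portal.corp.example and 192.168.10.5 stand for intranet servers that open in the Internet zone because neither is listed and both contain periods, while legacy.lab.corp.example shows the Restricted sites rule taking precedence over the proxy bypass list.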

    Changes to the Security Zone Model in Internet Explorer 7

    Internet Explorer 7 introduces some important changes to the Security Zone model to help increase security and avoid unwanted exposure of sensitive data. The most notable change is that the Local intranet zone for computers that are not joined to a domain has been removed. Removing this zone helps to improve security by reducing the attack surface of the browser through eliminating the possibility that Web sites can be viewed in the lower security context that typically applies to the Local intranet zone.

    After reviewing attack vectors and configuration options, there was no viable scenario requiring the low or medium-low settings for the Internet zone. Therefore the security zone slider for the Internet security zone cannot be set any lower than medium.

    Other Security Settings

    Not all security settings are zone-specific. Internet Explorer 7 also includes security-related settings that are not zone-specific. These settings are found on the Privacy, Content, and Advanced tabs in the Internet Options dialog box, and are discussed in more detail later in this paper.

    New Security Features in Internet Explorer 7

    It is possible for malicious Web sites to compromise the client computers that you manage. Internet Explorer 7 includes technologies that help prevent the installation of unwanted software, and technologies that help guard against unauthorized transmission of personal data to greatly increase browser security and privacy protection. New security technologies in Internet Explorer 7 include:

    Internet Explorer Protected Mode

    ActiveX Opt-in

    Cross-domain scripting attack protection

    Security Status bar

    Phishing Filter

    Additional security features

    Internet Explorer 7 is available for both the Windows Vista and Windows XP operating systems. Windows Vista enhances the Internet Explorer experience. For example, some features available in Internet Explorer 7, such as Protected Mode and Parental Controls, are not available when using the browser on client computers running Windows XP. This section of the paper discusses each of these security technologies and features.

    Internet Explorer Protected Mode

    Internet Explorer Protected Mode is only available for Internet Explorer 7 in Windows Vista. It adds additional defenses to help enable a safer Internet browsing experience for users. In addition, Protected Mode helps to prevent malicious users from taking over a user's browser and executing code through elevated privileges.

    Protected Mode helps reduce previous software vulnerabilities in the extensions for the browser by eliminating the possibility of using them for the silent installation of malicious code. Protected Mode uses mechanisms with higher integrity levels in Windows Vista that restrict access to processes, files, and registry keys to accomplish this goal. The Protected Mode application programming interface (API) enables software vendors to develop extensions and add-ons for Internet Explorer that can interact with the file system and registry while the browser is in Protected Mode.

    In Protected Mode, Internet Explorer 7 runs with reduced permissions to help prevent user or system files or settings from changing without the user's explicit permission. The new browser architecture also introduces a "broker" process that helps to enable existing applications to elevate out of Protected Mode in a more secure way. This prevents downloading data outside of the low-rights directories in the browser, such as the Temporary Internet Files folder.

    Protected Mode is enabled by default for all users, except when a user is logged on to the built-in Administrator account. Other accounts with administrator permissions run in Protected Mode by default. You can disable Protected Mode by using either a launch option or a registry/GPO configuration. Starting Internet Explorer 7 on Windows Vista without Protected Mode requires the user to right-click the icon, click Run as Administrator, type valid higher permission authentication credentials, and then press ENTER.

    Protected Mode is enabled by default in Internet Explorer 7 for all security zones except the Trusted sites zone. However, users can disable the mode, which reduces overall security. More information about locking down Protected Mode is included later in this paper.

    ActiveX Opt-inIn previous versions of Internet Explorer, administrators would need to disable ActiveX controls toprotect against attacks. Internet Explorer 7 offers a powerful new security mechanism for theActiveX platform to help protect user information and computer systems. ActiveX Opt-inautomatically disables all controls that are not explicitly allowed by the user. This mitigates thepotential misuse of preinstalled controls.

    The Information bar in Internet Explorer prompts users before they can access a previously installed ActiveX control that has not yet been used on the Internet. This notification mechanism enables the user to permit or deny access on a control-by-control basis, which helps further reduce the available surface area for attacks. Malicious users cannot use Web sites to launch automated attacks with ActiveX controls that were never intended to be used on the Internet.

    Cross-Domain Scripting Attack Protection

    New cross-domain script barriers help limit the ability of malicious Web sites to manipulate vulnerabilities in other Web sites. For example, before cross-domain scripting attack protection, a user might visit a page on a malicious Web site that opens a new browser window containing a legitimate page (such as a banking Web site) that prompts the user to enter account information. This information could then be extracted by a script and made available to the attacker. With Internet Explorer 7, cross-domain scripting attack protection helps to ensure that these types of attacks will fail.

    Security Status Bar

    The Security Status bar provides users with clearer, more prominent visual cues about the identity of Web sites and the encryption they use. To learn more about the different colors and their meaning, please see the Internet Explorer 7 Security Status Bar on Microsoft.com.

    One of the new features visualized by the Security Status Bar is Internet Explorer's support for strong website identification through the use of Extended Validation SSL Certificates. To learn more about EV SSL, please visit the Extended Validation SSL Certificates page.

    Phishing Filter

    Phishing is a technique that many attackers use to trick computer users into revealing personal or financial information through an e-mail message or Web site. Phishers masquerade as a legitimate person or business to deceive people into revealing personal information, such as account passwords and credit card numbers. The Phishing Filter in Internet Explorer 7 advises users about suspicious or known phishing Web sites to help them more safely browse content on the Internet. The filter analyzes Web site content for known phishing techniques, and uses a global network of data sources to assess the trustworthiness of Web sites.

    Developers who create fraudulent e-mail, online advertisements, and Web sites thrive on lack of communication and limited information sharing. The Phishing Filter in Internet Explorer 7, which uses an online service that is frequently updated, consolidates the latest industry information about fraudulent Web sites, and shares it with Internet Explorer 7 customers to help proactively warn and protect them.

    The Phishing Filter combines client computer scans for suspicious Web site characteristics with an opt-in online service. The filter helps protect users from phishing scams in three ways:

    It compares the addresses of Web sites that a user attempts to visit with a list of known high-traffic sites stored on the user's computer. If the site is found in that list, no further checks are performed.

    It analyzes Web sites that users want to visit by checking them for characteristics that are common to phishing sites.

    It sends the Web site address that a user attempts to visit to an online service Microsoft maintains that immediately checks it against a frequently updated list of phishing sites. These sites have been confirmed by reputable sources as fraudulent and reported to Microsoft.

    Note: The online service used to track phishing Web sites is contacted asynchronously. If the service cannot be contacted, the page renders normally, and a message balloon appears in the status bar indicating that the service cannot be contacted.

    Even if the site is unknown to the Phishing Filter service, Internet Explorer 7 can examine the behavior of the site and report to the user if it is doing anything suspicious, such as collecting user information without a Secure Socket Layer (SSL) certificate. In this way, the Phishing Filter helps to prevent a site from collecting user information before it has been officially reported.

    When users run Internet Explorer 7, the Phishing Filter is configured by default to prompt users to enable or disable the filter. For more information about locking down Internet Explorer to prevent users from disabling the Phishing Filter, see the "Recommendations for Increased Security" section in this paper.

    Recommendations for Increased Security

    Increasing security from the default settings in Internet Explorer 7 requires more than simply adjusting the slider positions from one setting to another on the Security tab of the Internet Options dialog box or merely moving the slider for each security zone to High. A dramatic security change such as this prevents most navigation and effectively renders the browser useless. This section discusses a variety of changes that enterprise customers can make to their browser environment to increase general browser security without drastically affecting the functionality of Internet Explorer 7.

    The setting and feature recommendations are grouped into five categories:

    Zone Security

    Certificate Security

    Active Content Security

    Reducing Application Privilege

    Privacy Settings

    Other Security Settings

    For a checklist of all the settings that Microsoft recommends that you consider, see "Appendix A: Internet Explorer 7 Settings Checklist" at the end of this paper. Each setting is explained in more detail in this section.

    Note: In addition to configuring the settings discussed in this section, you may also want to use Group Policy to prevent some of the tabs (such as the Connections and Advanced tabs) in the Internet Options dialog box from displaying. However, even if you remove the corresponding tabs, you should also enforce the individual settings to prevent changes from being made through edits to the local registry.

    Zone Security Recommendations

    As mentioned earlier in this document, most of the security related settings in Internet Explorer are contained in the security zones. By default, users have the ability to make changes to these zones by altering the security level assigned to each zone, creating custom settings for each zone, and by adding sites to the Local intranet, and the Trusted sites and Restricted sites zones. In most enterprise environments, administrators should use Group Policy to lock down zone security, and prevent users from making many of these changes.

    Enable Zone Elevation Protection

    Internet Explorer places restrictions on each Web page that it opens. These restrictions depend on the location of the Web page (such as in the Internet zone, Local intranet zone, or Local Machine zone). Web pages on a local computer have the fewest security restrictions and reside in the Local Machine zone, which makes this zone a prime target for malicious attackers.

    If you enable the Internet Explorer Processes (Zone Elevation Protection) setting, Internet Explorer processes can protect any zone from zone elevation. This approach helps prevent content that runs in one zone from gaining elevated privileges of another zone. If you disable this policy setting, no zone receives such protection for Internet Explorer processes.

    Because of the severity and relative frequency of zone elevation attacks, Microsoft recommends configuring the Internet Explorer Processes (Zone Elevation Protection) setting to Enabled.

    The following table includes the policy object name, and its location in Group Policy.

    Policy object: Internet Explorer Processes (Zone Elevation Protection)
    Location: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Protection From Zone Elevation
    Recommended setting: Enabled

    Do not allow users to add/delete sites from Security Zones

    By default users can add and delete sites from the Local intranet, Trusted sites and Restricted sites zones. Adding a site to the Trusted sites zone or removing one from the Restricted sites zone could potentially cause malicious code to run on a computer.

    Microsoft recommends using Group Policy to prevent users from adding or deleting sites from security zones. Using Group Policy to enable the Do not allow users to add/delete sites setting also prevents a user from altering settings in the Local intranet zone.

    The following table includes the policy object name, and its location in Group Policy.

    Policy object: Security Zones: Do not allow users to add/delete sites
    Location: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
    Recommended setting: Enabled

    Although Microsoft recommends enabling this setting, it can have an impact on user productivity, particularly when combined with additional restrictions to the Internet zone. In some cases, users may add sites to a less restricted zone when they cannot access the site in the Internet zone. If this capability is disabled, users may be unable to access some Web sites until an administrator adds the site to a less restrictive zone on their behalf.

    Note: If you enable the Disable the Security page setting (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), the Security tab is removed from the interface and the Disable setting option takes precedence over this security zone setting.

    Do not allow users to change policies for Security Zones

    By default, users can change the security level for each zone by moving the zone slider on the Security tab in the Internet Options dialog box. They can also create custom settings for each zone. These options allow users to change any settings, potentially lowering security, and allowing malicious code to run.

    Microsoft recommends using Group Policy to prevent users from changing the security level or modifying security for security zones.

    The following table includes the policy object name, and its location in Group Policy.

    Policy object: Security Zones: Do not allow users to change policies
    Location: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
    Recommended setting: Enabled

    Note: If you enable the Disable the Security page setting (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), the Security tab is removed from the interface and the Disable setting option takes precedence over this security zone setting.

    Do Not Configure Security Zones: Use Only Machine Settings

    This policy setting affects how security zone changes apply to different users. It is intended to ensure that security zone settings remain uniformly in effect on the same computer and do not vary from user to user.

    This setting ensures that only HKEY_LOCAL_MACHINE registry entries are evaluated when setting up security zones. However, if the setting is not configured or if it is disabled, both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER are evaluated.

    This setting may be valuable in an environment in which multiple users use the same Windows account (such as for a Windows Terminal for guest access in a lobby), and for this reason, the Windows Vista Security Guide does enable this setting. However, under normal circumstances, when users are isolated from one another using separate Windows User Accounts, they do not influence each other's HKEY_CURRENT_USER settings. For this reason, this paper recommends not configuring this setting. Instead you can use other Group Policy settings to restrict users from changing zone settings, such as the other settings specified in this section.

    The following table includes the policy object name, and its location in Group Policy.

    Policy object: Security Zones: Use only machine settings
    Location: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
    Recommended setting: Not Configured

    Certificate Security Recommendations

    Secure communications between the browser and server require using certificates and SSL or Transport Layer Security (TLS) technology. Internet Explorer 7 supports SSL and TLS, and the new default settings have deprecated default support for SSL v2. Other changes to Internet Explorer 7 attempt to make users more aware of security issues or errors such as "expired" or "name mismatch" on certificates. The default setting for Internet Explorer 7 is to show the user a certificate error warning advising to use caution before proceeding. The user is able to select an option and continue navigation. There are many valid reasons why a certificate contains errors, but publicly accessible well-maintained Web sites should not generate certificates with errors. This feature setting allows administrators to prevent users from "clicking through" a certificate warning, reducing the potential for malicious attack.

    Prevent users from navigating to sites that have certificate errors

    Over time certificates may be revoked or expire. In other cases the wrong certificate may be used for a particular Web page. By default, users are warned of certificate errors and allowed to continue navigating to the Web page.

    Although a revoked or expired certificate is not a security issue in its own right, it can be an indication that a site should no longer be trusted. Therefore, Microsoft recommends using Group Policy to prevent users from navigating to sites that have certificate errors.

    Enabling this policy object will not cause performance issues, but may result in additional support requests from users unable to visit particular sites. Because sites listed in the Trusted sites zone are not affected by this setting, if a business critical site contains a certificate that has expired or has a name mismatch, you can add this site to the Trusted sites zone as a temporary workaround until the correct certificate is in place.

    The following table includes the policy object name, and its location in Group Policy.

    Policy object: Prevent Ignoring Certificate Errors
    Location: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel
    Recommended setting: Enabled

    Active Content Security Recommendations

    Microsoft introduced the ActiveX platform to provide Web developers with the ability to extend applications and functionality beyond that which is built in to the browser. Using the ActiveX platform, developers have built rich, interactive applications and integrated data from nearly any source. Although the ActiveX platform is designed with security in mind, and features such as Authenticode help ensure code security, it is crucial that users follow guidelines to maintain its safety. This section provides security recommendations for ActiveX controls and other active content.

    Restrict ActiveX Install

    Users often choose to install software such as ActiveX controls that are not permitted by the security policy of their organization. This software can pose significant security and privacy risks to networks. To prevent unauthorized ActiveX controls from being installed, Microsoft recommends that you use Group Policy to block ActiveX control installation prompts for Internet Explorer Processes, which means that users cannot install ActiveX controls from Internet Explorer. This restriction includes legitimate ActiveX controls that may provide critical business functionality, such as Windows Update. If you do restrict ActiveX installations in this way, you should also use a mechanism such as Group Policy to push any required ActiveX controls to user desktops (for more information on this, see the next recommendation). You also need an alternative way to provide security updates, such as Windows Server Update Services (WSUS).

    The following table includes the policy object name, and its location in Group Policy.

    Policy object: Internet Explorer Processes (Restrict ActiveX Install)
    Location: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Restrict ActiveX Install
    Recommended setting: Enabled

    Add ActiveX controls and plug-ins to pre-approved list

    The previous setting ensures that ActiveX controls cannot run on a client computer unless they are pre-approved by the organization. However, some organizations find this setting too restrictive. If this is the case, you should at least ensure that the setting Allow previously unused ActiveX controls to run without prompt is disabled for the Internet and Restricted sites zones, which is the default configuration. This setting, otherwise known as ActiveX Opt-In, ensures that controls operate as intended and systems are not attacked by simply visiting a Web site. However, one of the tradeoffs associated with the ActiveX Opt-In feature is that users may experience well known or harmless sites that don't "just work" without approving a control.

    However you restrict ActiveX installation, there is the potential for impacting business critical functionality. Therefore, Microsoft recommends pushing a list of pre-approved controls out to user desktops with a tool such as Group Policy, and adding them to the pre-approved list for Windows, by adding the CLSID (the globally unique identifier that identifies a COM class object) of the control to the following registry location:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved

    Note: If Microsoft determines that a control has a vulnerability and presents a danger to users, Microsoft reserves the right to remove that control from the pre-approved list.

    Installed controls can be enabled or disabled by changing their registry flags, using the globally unique identifier (GUID) key identifier. If you do not already have a catalog of GUIDs that your organization uses, identifying them is an important process to establish. One solution for creating your GUID list is to build a new computer, manually configure/enable your line-of-business applications, and then review the GUIDs in the Internet Explorer registry branch. That list will help ensure that you have the least number of controls required for your environment. You can then use this list of GUIDs to populate the pre-approved list.
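
    One way to keep the pre-approved list in step with an internal catalog of CLSIDs is sketched below. This is an added example, not code from the guide: the catalog entries are constructed placeholders, the function names are hypothetical, and it assumes each pre-approved control appears as a subkey named after its CLSID under the registry location given above.

```powershell
# Added example: audit the ActiveX pre-approved list against an internal catalog.
# Registry location taken from the guide; everything else is an assumption.
$PreApprovedPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved'

# Constructed placeholder catalog (not real control CLSIDs). The last entry is
# deliberately malformed to show how bad catalog data is reported.
$ApprovedCatalog = @(
    '{11111111-2222-3333-4444-555555555555}',
    'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee',
    'not-a-clsid'
)

function ConvertTo-NormalizedClsid {
    # Returns the CLSID as {UPPERCASE-WITH-BRACES}, or $null if it is not a GUID.
    param([string]$Value)
    $guid = [guid]::Empty
    if ([guid]::TryParse($Value.Trim(), [ref]$guid)) {
        return $guid.ToString('B').ToUpperInvariant()
    }
    return $null
}

function Get-PreApprovedClsid {
    # Subkey names under the pre-approved location (assumed to be CLSIDs).
    if (-not (Test-Path -LiteralPath $PreApprovedPath)) { return @() }
    Get-ChildItem -LiteralPath $PreApprovedPath | ForEach-Object { $_.PSChildName }
}

function Compare-ClsidList {
    # Pure comparison, so it can be exercised without touching the registry.
    param([string[]]$Approved, [string[]]$Installed)
    $invalid      = @()
    $approvedSet  = New-Object 'System.Collections.Generic.HashSet[string]'
    $installedSet = New-Object 'System.Collections.Generic.HashSet[string]'
    foreach ($entry in $Approved) {
        $clsid = ConvertTo-NormalizedClsid $entry
        if ($null -eq $clsid) { $invalid += $entry } else { [void]$approvedSet.Add($clsid) }
    }
    foreach ($entry in $Installed) {
        $clsid = ConvertTo-NormalizedClsid $entry
        if ($null -ne $clsid) { [void]$installedSet.Add($clsid) }
    }
    [pscustomobject]@{
        Missing    = @($approvedSet  | Where-Object { -not $installedSet.Contains($_) } | Sort-Object)
        Unexpected = @($installedSet | Where-Object { -not $approvedSet.Contains($_) } | Sort-Object)
        Invalid    = $invalid
    }
}

function Add-MissingPreApproved {
    # Creates the missing subkeys; honours -WhatIf so the change can be reviewed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string[]]$Clsid)
    foreach ($id in $Clsid) {
        $target = Join-Path $PreApprovedPath $id
        if ($PSCmdlet.ShouldProcess($target, 'Create pre-approved entry')) {
            New-Item -Path $target | Out-Null
        }
    }
}

$report = Compare-ClsidList -Approved $ApprovedCatalog -Installed (Get-PreApprovedClsid)
$report.Invalid    | ForEach-Object { Write-Warning "Catalog entry is not a valid CLSID: $_" }
$report.Unexpected | ForEach-Object { Write-Output  "Present but not in catalog (review): $_" }

# Dry run only. Remove -WhatIf after review; writing to HKLM needs an elevated session.
Add-MissingPreApproved -Clsid $report.Missing -WhatIf
```

    Entries reported as present but not in the catalog include any that were already on the computer before the catalog was applied, so treat that list as input for review rather than for automatic removal.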

    Microsoft recommends using the GPO infrastructure to manage an internal approved list for controls to increase the security and effectiveness of the ActiveX Opt-In feature. For more information about ActiveX security and best practices for managing ActiveX controls in your organization, see the "ActiveX Security: Improvements and Best Practices" page on MSDN.

    Disable active scripting in response to specific threats

    Microsoft introduced the Security Design Lifecycle (SDL) several years ago to help increase software security quality and reduce the impact of vulnerabilities. The SDL has proven to be effective, but no software or process is perfect. The important goal for security protection must include a response plan in the event of compromise or vulnerability. There are times where a vulnerability is exploited before it is responsibly disclosed. This is known as a "zero day" vulnerability.

    Other times a vulnerability is disclosed properly, but the update requires time to develop and properly test before it can be released. To help reduce potential exposure, users should be advised to avoid unknown Web sites and exercise caution before clicking links. Administrators can also use the Allow active scripting setting to protect against a discovered vulnerability that does not yet have an update to address it. Microsoft recommends using Group Policy to change the setting to Disable for response to zero day attacks or other critical security scripting attacks.

    The following table includes the policy object name, and its location in Group Policy.

    Policy object: Allow Active Scripting
    Location: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\
    Recommended setting: Disabled in response to zero day attack

    Enable Scripted Window Security Restrictions

    Internet Explorer allows scripts to programmatically open, resize, and reposition windows of various types. This allows popup windows to appear, and provides the potential for scripts to display windows in which the title and status bars are not visible to the user or obfuscate the title and status bars of other windows.

    Microsoft recommends using Group Policy to prevent these scripts from running in Internet Explorer and Windows Explorer processes.

    The following table includes the policy object name, and its location in Group Policy.

    Policy object: Internet Explorer Processes (Scripted Window Security Restrictions)
    Location: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Scripted Window Security Restrictions
    Recommended setting: Enabled

    Reducing Application Privilege Recommendations

    One way to help keep the client computers in your organization secure is to reduce potential exposure. Security experts frequently remind users to log on to the system with the least possible privilege and increase it only when necessary. Internet Explorer 7 in Windows Vista enables users to easily follow this advice with the new Protected Mode feature. Windows XP users of Internet Explorer 7 can find valuable protections using the DropMyRights application. You can download the source code for this application from the "Browsing the Web and Reading E-mail Safely as an Administrator" page on MSDN. While each solution operates differently, they both help users to reduce the potential impact of an attack. Therefore, Microsoft recommends using the solution that is appropriate for your operating system.

    Turn on Protected Mode in Windows Vista

    Protected Mode is enabled by default in Internet Explorer 7 on Windows Vista for all security zones except the Trusted sites zone. However, users can disable the mode, which reduces overall security. For this reason, Microsoft recommends using Group Policy to ensure that Protected Mode is enabled in all of the Web content zones for the browser, except the Trusted sites zone, and prevent users from disabling it.

    The following table includes the policy object name, and its location in Group Policy.

    Policy object: Turn on Protected Mode *
    Location: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\
    Recommended setting: Enabled

    * This setting only works in Internet Explorer 7 with Windows Vista.

    Protected Mode is available for the following security areas and zones in Internet Explorer 7:

    Internet

    Intranet

    Local Machine

    Locked-down Internet

    Locked-down intranet

    Locked-down Local Machine

    Locked-down Restricted sites

    Locked-down Trusted sites

    Restricted sites

    Trusted sites

    Note: If a business critical site is prevented from running properly due to protected mode, you should not disable protected mode, as it will lower overall security. Instead you should contact the site owner to ensure that the owner is updating the site to work correctly in Protected Mode. As a temporary workaround, you can add the site to the Trusted sites zone.

    Use DropMyRights with Windows XP

    DropMyRights is a simple application to help users who must run their computers as an administrator run applications in a much safer context as a non-administrator. Microsoft recommends using this application on computers that run Internet Explorer 7 with Windows XP, because these computers cannot take advantage of Protected Mode.

    DropMyRights takes the current user's token, removes various privileges and security identifiers (SIDs) from the token, and then uses the token to start another process. For more information about DropMyRights and to download the source code for this application, see the "Browsing the Web and Reading E-mail Safely as an Administrator" page on MSDN. Once installed, launching Internet Explorer with DropMyRights requires simply creating a new shortcut that points to the DropMyRights executable file, followed by the path to the application you want to run with lower privilege.
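
    The shortcut described above can be created with a short script, shown here as an added example that is not part of the guide. The DropMyRights location and the shortcut name are assumptions, the function name is hypothetical, and the browser path is the default installation folder.

```powershell
# Added example: create a shortcut that starts Internet Explorer through DropMyRights.
# Assumed locations (not from the guide); adjust to where DropMyRights.exe was built.
$DropMyRights = 'C:\Tools\DropMyRights.exe'    # hypothetical path
$Browser      = Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe'
$ShortcutPath = Join-Path ([Environment]::GetFolderPath('Desktop')) 'Internet Explorer (reduced rights).lnk'

function New-ReducedRightsShortcut {
    param([string]$Launcher, [string]$Application, [string]$LinkPath)

    # Fail early instead of creating a shortcut that points at nothing.
    foreach ($exe in $Launcher, $Application) {
        if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
            throw "Executable not found: $exe"
        }
    }

    $shell = New-Object -ComObject WScript.Shell
    $link  = $shell.CreateShortcut($LinkPath)

    # The shortcut target is DropMyRights itself; the application to run with
    # lower privilege follows as its argument.
    $link.TargetPath = $Launcher

    # Quote the application path: it contains spaces and must arrive as a single
    # argument, otherwise the launcher would only receive "C:\Program".
    $link.Arguments    = '"{0}"' -f $Application
    $link.IconLocation = "$Application,0"
    $link.Description  = 'Starts Internet Explorer through DropMyRights'
    $link.Save()

    # Re-open the saved link and return what was actually written, for review.
    $saved = $shell.CreateShortcut($LinkPath)
    [pscustomobject]@{
        Shortcut  = $LinkPath
        Target    = $saved.TargetPath
        Arguments = $saved.Arguments
    }
}

New-ReducedRightsShortcut -Launcher $DropMyRights -Application $Browser -LinkPath $ShortcutPath
```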

    Privacy Settings Recommendations

    Security guidance is often limited to a review of settings geared toward preventing specific technical manipulation of a system. A full security settings review must include a review of "soft" security settings that affect privacy and the disclosure of personal data. Internet Explorer 7 includes several new enhancements to safeguard personal data against entire categories of unwanted disclosure. These enhancements include the Phishing Filter that notifies users about known and suspicious Web sites.

    You also can increase browser security by making changes to the default actions that control privacy settings for purging data when you exit the browser and form data handling. Deleting the Temporary Internet Files data helps ensure personal data is removed from the system regularly and prevents unwanted disclosure or retrieval. Similarly, preventing the ability to autocomplete forms and store passwords helps reduce the risk of third parties accessing private account credentials and information.

    Set the Privacy Slider to at least Medium

    In the attempt to offer a more robust personalized online experience, some Web sites store information in a small text file on your computer. These files are called cookies, and they can be used to correlate online activities for a specific user. Microsoft strongly supports the use of cookies and believes they do not represent a security or malicious software threat. However, Internet Explorer 7 has several mechanisms to control the use of cookies and allow users to manage their use and function as they choose by managing privacy settings.

    There are two different types of cookies. A first-party cookie either originates on or is sent to the Web site you are currently viewing. These cookies are commonly used to store information, such as your preferences when visiting that site. A third-party cookie either originates on or is sent to a Web site that is different from the one you are currently viewing. Third-party Web sites usually provide some content on the Web site you are viewing. For example, many sites use advertising from third-party Web sites, and those third-party Web sites may use cookies. A common use for this type of cookie is to track your Web page use for advertising or other marketing purposes.

    Security settings that affect privacy issues can be found on the Privacy tab in the Internet Options dialog box of the browser. That tab contains the Privacy slider, which allows the user to select one of six options that range from Block All Cookies to Accept All Cookies. The Privacy slider works only for the Internet zone. All cookies are automatically accepted from Web sites in both the Local intranet and Trusted sites zones, and all cookies are automatically blocked from Web sites in the Restricted sites zone.

    Each organization must determine their own policy regarding cookies. Microsoft recommends using at least the default setting of Medium, which does the following:

    Blocks third-party cookies that do not have a compact privacy policy.

    Blocks third-party cookies that use personally identifiable information without implicit consent.

    Restricts first-party cookies that use personally identifiable information without implicit consent.

    The High setting limits all cookies, whereas the rest of the settings allow them under certain conditions. The Low setting allows all cookies without condition.

    Note: By default, users can change the default setting of the privacy slider, although you can use Group Policy to prevent this by disabling the Privacy tab in the Internet Options dialog box.

    Specific sites can be added to bypass the overall setting. The choices for adding a site are to Always Block or Always Allow. Regardless of whether you choose to be more restrictive or less restrictive, you will be able to add sites. You can use Group Policy to enforce not only the cookie settings, but also to add sites. For maximum privacy while maintaining the benefits of cookies (for example, retaining logon information, user preferences, and so on) Microsoft recommends blocking all third-party cookies and allowing all first-party cookies.

    Empty Temporary Internet Files folder when browser is closed

    To increase page load speed and reduce network bandwidth, Internet Explorer keeps a local cache copy of many Web document objects (HTML, video, images, and so on) as the viewer navigates between sites. This storage area is designed to be volatile and may be overwritten at any time. Although not considered a remotely accessible threat, these files represent a potential disclosure of personal information or privacy when viewed by other users who may access the computer. These local files are placed by default in the C:\Documents and Settings\\Local Settings\Temporary Internet Files folder, but you can use the IEAK or a GPO to modify the location through a setting in the Internet Control Panel of the browser. Microsoft recommends changing the default setting for this feature to Enable, so that all locally stored files are removed. Changing this setting will have no impact on functionality, but may affect application performance speed and result in additional user support calls.

    The following table includes the policy object name, and its location in Group Policy.

    Policy object: Empty Temporary Internet Files folder when browser is closed
    Location: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
    Recommended setting: Enabled

    Set Form AutoComplete options to Disabled

    Similar to the previous setting, this feature allows Internet Explorer to remember form entry data for later retrieval and submission. A common data value used in many forms is the Street Address field. This feature enables Internet Explorer to read that form entry value and automatically enter the information so the user does not need to type it again. Although fields such as Street Address do not pose a direct security threat, this information can be useful to a malicious Web site.

    More importantly, this feature is unable to discriminate between highly sensitive data such as a Social Security Number and more publicly accessible information like a telephone number. It is for precisely these limitations that users may be exposed to an unnecessary and unintentional release of private information. These options are available in the AutoComplete settings dialog box, which you can access by clicking on the Settings button of the AutoComplete area on the Content tab of the Internet Options dialog box.

    Internet Explorer 7 can also remember user names and passwords on forms. Users face an increasing number of systems for which they need to remember user names and passwords. Internet Explorer offers users the ability to store credentials and automatically fill in forms when the information is requested. There are some basic security mechanisms defining which data is typed in a given form to prevent the wrong credentials from being used for a given Web site. Despite these security measures, a well-crafted Web site may be able to mimic enough parameters and trick the user into submitting their logon credentials to a malicious Web site. The credential data store is also secured, kept locally on the system and it is not accessible from a remote system.

    Microsoft recommends disabling the autocomplete feature for forms and preventing autocomplete for user names and passwords on forms. Changing these settings will not affect application performance but may result in user complaints, or potentially in users resorting to low strength passwords that are easier to remember. Administrators are advised to examine their password requirement/validation processes to ensure that users do not use passwords that are not secure.

    The following table includes the policy object names, and their location in Group Policy.

    | Policy object | Location | Recommended setting |
    | --- | --- | --- |
    | Disable AutoComplete for forms | User Configuration\Administrative Templates\Windows Components\Internet Explorer | Enabled |
    | Turn on the auto-complete feature for user names and passwords on forms | User Configuration\Administrative Templates\Windows Components\Internet Explorer | Disabled |

    Configure Logon options for each Security Zone

    Enterprise and business customers are able to use Windows domains to keep intranet information secure while users seamlessly access network documents without repeatedly typing user credentials. Internet Explorer can use system authentication credentials and provide users with NTLM authentication information for Intranet zone sites. This feature setting provides a greater level of control beyond the basic Enable or Disable options. By default the Automatic logon only in Intranet zone setting is set for the Internet, Local intranet and Trusted sites zones, while Prompt for Username and Password is set for use in the Restricted sites zone.

    Microsoft recommends changing these settings, so that Logon Options is enabled and configured to Prompt for Username and Password for the Internet zone, Anonymous logon for the Restricted sites zone, and Automatic Logon with Current Username and Password for Local intranet zone, and Automatic Logon only in Intranet Zone for the Trusted sites zone. Changing these logon options will not affect application performance or system capabilities and should not result in additional support calls.

    The following table includes the policy object name, and its location in Group Policy.

    | Policy object | Location | Recommended setting |
    | --- | --- | --- |
    | Logon Options | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone | Enabled\Prompt for Username and Password |
    | Logon Options | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone | Enabled\Automatic Logon with Current Username and Password |
    | Logon Options | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone | Enabled\Anonymous Logon |
    | Logon Options | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone | Enabled\Automatic Logon only in Intranet Zone |

    Enable the Phishing Filter

    Users are exposed to an increasing number of online threats and malicious Web sites attempting to steal identification credentials. One of the new security features included with Internet Explorer 7 is the Phishing Filter, a combination of client computer heuristic analysis and online services to help protect users against emerging threats and Web sites that attempt to steal personal information. By default when you first run it, the Phishing Filter alerts the user to enable automatic checking, require manual checking or disable it entirely; there is no preset selection. The feature offers an "all or nothing" situation where automatic checking is enabled or disabled. In the case where the Phishing Filter is disabled, the user can still use the feature on a case by case basis, manually forcing a check for any given Web site.

    It is important that a system or network administrator understand the applications running in their environments. Internet Explorer and the Phishing Filter feature are no exception: understanding how this feature works enables you to get more value from it and greater protection of user personal data. This is especially important given the importance, and potential legal requirements, of protecting confidential information in today's online environments. Due to the nature of the feature, it would be counterproductive to provide detailed explanations of exactly how the Phishing Filter works. The information in this section covers the structural workings of the feature without divulging specifics on the engines or analytical techniques used to determine result values.

    The Phishing Filter comprises two main elements: a client computer heuristics logic engine and the online URL Reputation Service (URS). The URS is an online service run by Microsoft and is the only service option for use with the Phishing Filter. When enabled, the Phishing Filter checks locally to analyze the content of a page as well as performs an online validation of the URL against the URS. An update to the Phishing Filter feature was released to help performance, in addition to steps designed to avoid client computer performance issues. To prevent latency, the URS checks are done asynchronously so user navigation is not adversely affected. To prevent excess network traffic, a client computer encrypted DAT file contains thousands of the most visited Web sites; any Web site in this file is exempt from Phishing Filter checks. The Phishing Filter also uses a URL local cache mechanism in an attempt to match a previous request rating and prevent unnecessary traffic.

    The purpose of the Phishing Filter is to protect users and prevent them from viewing Web sites that attempt to steal their personal data. To accomplish this, the feature requires passing certain information to the URS. Microsoft has taken extensive measures to ensure that data is secure and remains private to the user. Those steps include:

    All URS transactions are done through an HTTPS connection.

    URLs sent to the URS are stripped of any personally identifiable information (PII).

    No referrer information is sent to the URS.

    Microsoft does not record the source IP or track users in any way.

    Microsoft does not record or track activity in aggregate to determine general online trends.

    Microsoft feels strongly about the privacy implications of the Phishing Filter and contacted an outside auditor to review the service and privacy claims. The goal was to ensure that the user privacy designs and objectives of the service were met in operational practice. The study concluded that all claims were accurate and no privacy violations were present. For more information about the Jefferson Wells Audit, see the User Privacy and the Phishing Filter on the MSDN IEBlog.

    As mentioned previously, the Phishing Filter must either be enabled or disabled. When enabled, all sites that do not appear in the local encrypted DAT file are validated locally and against the URS. No checking is performed when the Phishing Filter is disabled. Although Microsoft strongly encourages always using the Phishing Filter to help protect users, there may be situations in which administrators want to manage the feature in their environments.

    By design, the Phishing Filter can be enabled or disabled for each security zone, but the global feature setting must be enabled for it to work. By default, the Phishing Filter is enabled for all zones except the Intranet zone. Microsoft recommends that administrators enable the Phishing Filter feature in their environments.

    If you want to exclude a certain list of sites from being checked by the Phishing Filter (such as B2B sites that your company has a trust relationship with), instead of disabling the Phishing Filter, it is recommended to enable the Phishing Filter overall, disabling Phishing Filter for the Trusted Sites zone only, and adding those sites to the Trusted Sites zone.

    Microsoft also recommends using Group Policy to prevent users from turning off the Phishing Filter, and setting the operating mode to Automatic. However, administrators should be aware that this configuration automatically causes the browser to send information to Microsoft without prompting the user.

    The following table includes the policy object name, and its location in Group Policy.

    | Policy object | Location | Recommended setting |
    | --- | --- | --- |
    | Turn off managing phishing filter. | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\ | Enabled\Automatic |
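
    The lookup order this section describes (per-zone setting, local list of popular sites, local cache, then the online service), modelled in Python as an added example; it is not Microsoft's code. The stripping rule, the class and all names are assumptions, and the client-side heuristics and the asynchronous behaviour are left out.

```python
# Structural model of the Phishing Filter lookup order (illustration only).
# Assumptions: "stripped of PII" is read as dropping userinfo, query string
# and fragment; the online service is a dict; zone names follow the guide.
from urllib.parse import urlsplit

# The guide states the filter is on by default in every zone but Intranet.
ZONES_CHECKED_BY_DEFAULT = {"Internet", "Trusted sites", "Restricted sites"}


def strip_url(url):
    """Reduce a URL to scheme, host, port and path before it is sent."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.port:
        host += ":%d" % parts.port
    return "%s://%s%s" % (parts.scheme.lower(), host, parts.path or "/")


class PhishingFilterModel:
    def __init__(self, reputation_service, top_sites, enabled=True,
                 zones=ZONES_CHECKED_BY_DEFAULT):
        self.service = reputation_service   # stands in for the online URS
        self.top_sites = set(top_sites)     # stands in for the local DAT file
        self.enabled = enabled              # global feature setting
        self.zones = set(zones)             # zones with the filter turned on
        self.cache = {}                     # local URL rating cache
        self.sent = []                      # everything that left the client

    def check(self, url, zone):
        """Return (rating, source) for one navigation."""
        if not self.enabled or zone not in self.zones:
            return ("not checked", "policy")
        host = urlsplit(url).hostname or ""
        if host in self.top_sites:
            return ("exempt", "local list")     # nothing is sent
        key = strip_url(url)
        if key in self.cache:
            return (self.cache[key], "cache")   # nothing is sent
        self.sent.append(key)                   # only the stripped URL goes out
        rating = self.service.get(key, "unknown")
        self.cache[key] = rating
        return (rating, "service")


# Constructed sample data (reserved example domains only).
SAMPLE_SERVICE = {"https://login.bad.example/verify": "reported phishing"}
SAMPLE_TOP_SITES = ["www.popular.example"]


def demo():
    pf = PhishingFilterModel(SAMPLE_SERVICE, SAMPLE_TOP_SITES)
    results = [
        pf.check("https://www.popular.example/inbox?id=7", "Internet"),
        pf.check("https://user:pw@login.bad.example/verify?email=a%40b.example#top",
                 "Internet"),
        pf.check("https://login.bad.example/verify?email=other", "Internet"),
        pf.check("http://hr.corp.example/portal", "Local intranet"),
    ]
    return results, pf.sent


if __name__ == "__main__":
    for row in demo()[0]:
        print(row)
```

    Passing a zones set without "Trusted sites" models the recommended way to exempt B2B partner sites while leaving the filter enabled overall.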


    Other Security Settings Recommendations

    In addition to the security setting categories discussed earlier in this paper, there are other security settings options that you can use to help secure desktop deployments. These settings do not correlate well with any of the categories mentioned earlier. This section looks at some of these "other" feature settings, and provides recommendations on how you can adjust their default values to increase user security.

    Do not save encrypted pages to disk

    To increase the usability of the browsing experience, Internet Explorer can cache content in a local store (Temporary Internet Files) for immediate local retrieval rather than incur potential delays when repeatedly accessing the network for the same resource. Internet Explorer offers the option to cache both encrypted and unencrypted content, and by default both content types are cached. Although caching encrypted content could leave HTTPS documents with confidential information in the Temporary Internet Files folder, Microsoft does not enable the setting to cache encrypted files in order to respect Web server caching instructions. Also, caching encrypted data helps prevent user performance issues when repeatedly viewing identical content (such as images). The risk of local cache files being decrypted is not normally considered a significant concern, based on both the difficulty required to accomplish it and the value of the information contained in those files. User name and password data would not normally be visible, even if a malicious attacker were to decrypt the document payload. They would only be able to see the content of pages. However, pages may contain sensitive information, such as account balances or transaction details.

    For companies that want to increase Internet Explorer security settings for their users, enabling this Group Policy setting will prevent local file caching and eliminate the opportunity for malicious users to try and access these files. When enabling this option, companies should be aware of potential performance issues, latency, additional network traffic, and a potential increase in help desk calls. Any public Web sites expecting this value to remain disabled may be doing so to reduce their network traffic burden, but it should not cause serious application failures.

    Enabling this setting can cause problems accessing "on demand" content such as account history reports. The problem occurs where users view the report and then navigate away from that page and then press the Back button to view it again. In properly configured server environments the user will see a specific error message telling them the page has expired or that they need to click the Refresh button to view the content.

    The following table includes the policy object name, and its location in Group Policy.

    | Policy object | Location | Recommended setting |
    | --- | --- | --- |
    | Do not save encrypted pages to disk | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | Enabled for environments with sensitive data on Web pages. |

    Disable Automatic Install of Internet Explorer components

    In some cases, when a user visits a Web site, this will trigger the automatic install of an Internet Explorer component. Typically an organization will want to control when this happens, so Microsoft recommends that you prevent the automatic install of Internet Explorer components through Group Policy. However, before you enable this policy setting, Microsoft recommends setting up an alternative strategy to update Internet Explorer through Microsoft Update or a similar service.


    The following table includes the policy object name, and its location in Group Policy.

    | Policy object | Location | Recommended setting |
    | --- | --- | --- |
    | Disable Automatic Install of Internet Explorer components | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer | Enabled |

    Disable Periodic Check for Internet Explorer software updates

    By default, Internet Explorer checks every 30 days to determine if a new version of software updates is available and then notifies the user. However, typically an organization will want to control when updates are installed, and for this reason, Microsoft recommends that you use Group Policy to disable this check. However, before you enable this policy setting, Microsoft recommends setting up an alternative strategy to update Internet Explorer through Microsoft Update or a similar service.

    The following table includes the policy object name, and its location in Group Policy.

    | Policy object | Location | Recommended setting |
    | --- | --- | --- |
    | Disable Periodic Check for Internet Explorer software updates | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer | Enabled |

    Disable software update shell notifications on program launch

    By default users are notified if a program uses Microsoft software distribution channels to install new components, and therefore have the option of refusing the update. Microsoft recommends that you disable shell notifications to ensure that the software is installed as required.

    The following table includes the policy object name, and its location in Group Policy.

    | Policy object | Location | Recommended setting |
    | --- | --- | --- |
    | Disable software update shell notifications on program launch | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer | Enabled |

    Make proxy settings per machine (rather than per user)

    If a user changes proxy settings, they may be unable to access Web sites. However, for users that are traveling, they may need to alter proxy settings to allow them to access the Web in different locations.

    For computers that are in a fixed location, Microsoft recommends that you use Group Policy to ensure that proxy settings are determined on a per computer (rather than a per-user) basis. However, for mobile laptops, you should allow users to change their proxy settings.

    The following table includes the policy object name, and its location in Group Policy.

    | Policy object | Location | Recommended setting |
    | --- | --- | --- |
    | Make proxy settings per-machine (rather than per-user) | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer | Enabled for computers in a fixed location. Disabled for mobile laptops. |


    Turn off Crash Detection

    Internet Explorer 7 has a crash detection feature that generates crash report information that may be of use for troubleshooting problems with Internet Explorer. However, the crash reports may contain sensitive information from the computer's memory, so for enterprise computers, Microsoft recommends that you disable the crash detection feature. If the crash detection feature is disabled, a crash in Internet Explorer will be similar to one on a computer that runs Windows XP Professional with Service Pack 1 (SP1) or earlier: it will invoke Windows Error Reporting.

    If you experience frequent crashes and need to report them for follow-up troubleshooting, you may want to temporarily reconfigure the affected computers to enable crash detection.

    The following table includes the policy object name, and its location in Group Policy.

    | Policy object | Location | Recommended setting |
    | --- | --- | --- |
    | Turn off Crash Detection | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer | Enabled |

    Restrict File Download

    In certain circumstances, Web sites can initiate file download prompts without interaction from users. This technique can allow Web sites to put unauthorized files on a user's hard disk drive if they click the wrong button and accept the download.

    Microsoft recommends that you configure the Internet Explorer Processes (Restrict File Download) setting to Enabled. This ensures that download prompts that are not user-initiated are blocked for Internet Explorer processes.

    The following table includes the policy object name, and its location in Group Policy.

    | Policy object | Location | Recommended setting |
    | --- | --- | --- |
    | Internet Explorer Processes (Restrict File Download) | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Restrict File Download | Enabled |

    Disable Allow File Downloads for Restricted Sites Zone

    By default, file downloads are disabled for the Restricted sites zone. However, Microsoft recommends enforcing this setting in Group Policy to ensure that users cannot download files when in the Restricted sites zone.

    The following table includes the policy object name, and its location in Group Policy.

    | Policy object | Location | Recommended setting |
    | --- | --- | --- |
    | Allow File Downloads | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone | Disabled |

    Enable Data Execution Prevention

    Data Execution Prevention (DEP) is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. The primary benefit of DEP is that it helps prevent code execution from data pages, such as the default heap pages, various stack pages, and memory pool pages.

    Typically, code is not executed from the default heap and the stack. Hardware-enforced DEP detects code that is running from these locations and raises an exception when execution occurs. If the exception is unhandled, the process will be stopped. Execution of code from protected memory in kernel mode causes a Stop error. DEP can help block a class of security intrusions. Specifically, DEP can help block a malicious program in which a virus or other type of attack has injected a process with additional code and then tries to run the injected code. On a system with DEP, execution of the injected code causes an exception. Software-enforced DEP can help block programs that take advantage of exception-handling mechanisms in Windows.

    Although DEP is supported in Windows XP SP2, this Internet Explorer setting is only available to users running Internet Explorer 7 on Windows Vista. Data execution prevention configuration for computers running Windows XP SP2 is controlled through Boot.ini switches or the System control panel. For more information about managing DEP in Windows XP SP2, see the Changes to Functionality in Microsoft Windows XP Service Pack 2 page. There are some known support issues with plug-in extensibility components when DEP is enabled. Administrators are encouraged to contact the component manufacturer for an updated DEP compatible plug-in version.

    To enable DEP in Internet Explorer 7, right click on the Internet Explorer icon and select Run as Administrator (otherwise the option appears grayed out). Now in the Internet Options dialog box, on the Advanced tab, select the Enable memory protection to help mitigate online attacks check box.

    Do not allow users to enable or disable add-ons

    Users often choose to install add-ons that are not permitted by an organization's security policy. Such add-ons can pose a significant security and privacy risk to your network. Therefore, Microsoft recommends using Group Policy to ensure that users do not have the ability to enable or disable add-ons. If add-ons are specifically included in the add-on list policy setting, then users can still manage them.

    The following table includes the policy object names, and their location in Group Policy.

    | Policy object | Location | Recommended setting |
    | --- | --- | --- |
    | Deny all add-ons unless specifically allowed in the add-on list | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management | Enabled |
    | Add-on List | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management | Enabled with add-ons listed |

    Ensure Consistent MIME Handling

    Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling procedures for files that are received through a Web server. For example, the MIME file type could contain information in plain text, but the MIME data could indicate that the file is really an executable file.

    MIME file type spoofing is a potential threat to any organization. Microsoft recommends using Group Policy to ensure that files are consistent and properly labeled for Internet Explorer Processes. This ensures that Internet Explorer examines all received files and enforces consistent MIME data for them.

    The following table includes the policy object name, and its location in Group Policy.

    | Policy object | Location | Recommended setting |
    | --- | --- | --- |
    | Internet Explorer Processes (Consistent MIME Handling) | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Consistent MIME Handling | Enabled |


    Enable MIME Sniffing Safety Features

    MIME sniffing is a process that examines the content of a MIME file to determine its context: whether it is a data file, an executable file, or some other type of file. MIME sniffing is typically used in conjunction with MIME spoofing, and is a potential threat to any organization. Therefore, Microsoft recommends using Group Policy to enable MIME sniffing safety features, and ensure that these files are consistently handled to help prevent malicious file downloads that may infect your network.

    When set to Enabled, MIME sniffing will not promote a file of one type to a more dangerous file type. If you disable this policy setting, MIME sniffing configures Internet Explorer processes to allow promotion of a file from one type to a more dangerous file type. For example, a text file could be promoted to an executable file, which is dangerous because any code in the supposed text file would be executed.

    The following table includes the policy object name, and its location in Group Policy.

    | Policy object | Location | Recommended setting |
    | --- | --- | --- |
    | Internet Explorer Processes (MIME Sniffing) | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\MIME Sniffing Safety Feature | Enabled |
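
    The promotion rule from the two MIME sections above, modelled in Python as an added example; it is not Microsoft's code and not Internet Explorer's actual sniffing algorithm. The signature table, the danger ranking and all function names are assumptions made for illustration.

```python
# Simplified model of "MIME sniffing safety": content sniffing may
# reclassify a download, but with the safety feature on it never moves a
# file to a more dangerous type than the server declared.

# Higher rank = more dangerous to open (assumed ordering).
DANGER = {
    "text/plain": 0,
    "image/gif": 0,
    "image/png": 0,
    "application/pdf": 1,
    "text/html": 2,                  # may carry script
    "application/x-msdownload": 3,   # Windows executable
}

# Leading-byte signatures used by this model's sniffer.
SIGNATURES = [
    (b"MZ", "application/x-msdownload"),
    (b"%PDF-", "application/pdf"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
]
HTML_HINTS = (b"<!doctype html", b"<html", b"<script")


def sniff(body):
    """Guess a type from content alone; None when nothing matches."""
    for magic, mime in SIGNATURES:
        if body.startswith(magic):
            return mime
    if body[:256].lstrip().lower().startswith(HTML_HINTS):
        return "text/html"
    return None


def effective_type(declared, body, safety_enabled=True):
    """Return (type_to_use, verdict) for one response."""
    declared = declared.split(";", 1)[0].strip().lower()
    sniffed = sniff(body)
    if sniffed is None or sniffed == declared:
        return (declared, "consistent")
    # Unknown declared types rank lowest, so any sniffed upgrade from them
    # counts as a promotion (conservative choice).
    if DANGER[sniffed] > DANGER.get(declared, 0):
        if safety_enabled:
            return (declared, "promotion blocked")
        return (sniffed, "promoted")
    return (sniffed, "reclassified")


def audit(responses, safety_enabled=True):
    """Names of responses whose content outranks the declared type."""
    flagged = []
    for name, declared, body in responses:
        _, verdict = effective_type(declared, body, safety_enabled)
        if verdict in ("promotion blocked", "promoted"):
            flagged.append(name)
    return flagged


# Constructed sample responses: (name, declared Content-Type, first bytes).
SAMPLES = [
    ("readme.txt", "text/plain; charset=utf-8", b"Release notes\r\n"),
    ("notes.txt", "text/plain", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("logo.png", "image/png", b"<html><body>not an image</body></html>"),
    ("logo.gif", "application/x-msdownload", b"GIF89a\x01\x00\x01\x00"),
]

if __name__ == "__main__":
    for name, declared, body in SAMPLES:
        print(name, effective_type(declared, body))
```

    The responses that audit() flags are the declared/content mismatches worth logging, whichever way the policy is set.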

    Display the Information Bar

    The Information bar provides information to users about the Web sites they are visiting, and can display warnings when there are problems with a Web site. Microsoft recommends that you ensure the Information bar is displayed for Internet Explorer processes in Group Policy.

    The following table includes the policy object name, and its location in Group Policy.

    Policy object Location Recommended setting

    Internet ExplorerProcesses/InformationBar

    Computer Configuration\Ad