Table of Contents
NOTE OF CAUTION
Within this document I am talking about changing the contents of the Registry. Always be sure to make a backup before changing. You can do this in the Registry Editor by clicking File, Export and following the prompts.
The components that make up Internet Explorer are tightly integrated into the Windows environment, so making changes to them affects many other programs including Outlook (Express) and Windows Media Player. Be aware of the changes you make! Even if you mistype an address you might fall into the hands of someone who has bad intentions. A simple example is the well known search engine of Google. If you mistype this as Goggle, you'll end up at a site for SpyBouncer...|
Every day, new security holes are found in Internet Explorer, so you should always keep Internet Explorer up-to-date, even if you use another browser like Opera or Firefox. By not updating you might leave holes to be used in other programs.
Another cause for trouble is active content. ActiveX controls and Java applets can bring the net to life, but they also introduce possible risks in that they will have programming errors that can be used maliciously.
There is a fifth zone in the form of My Computer, but this is normally not configurable. ActiveX controls that were installed on the computer by Windows run in this zone. The controls you download do not! Also URLs that reference files on your computer run in My Computer (files you save from the Internet continue to run in the security zone attached to that site though).
What does all this mean? If you install a program such as Adobe Acrobat, you download the installer from the Internet. When you run that file, it will run in the Internet Zone (provided you didn't put Adobe in the Restricted or Trusted Zone!). Once the program has been installed, when you start Acrobat it will run in My Computer. If Adobe also installed a file that will be opened by Internet Explorer, for example ReadMe.html, this will also run in My Computer.
With Windows XP SP-2, this zone now has the highest security level. Any content that uses Active Scripting or attempts to load an ActiveX Control is prevented from running unless the user explicitly allows it to be run by clicking the Information bar. Because this can interfere with the operation of local running web applications, developers can add a Mark Of The Web to make files run in the Local Intranet zone instead of My Computer. For more information see http://msdn.microsoft.com.
To assign sites to zones or alter the configuration of their settings, open Internet Options by either choosing Tools within Internet Explorer or opening it from the Control Panel.
Configuring Local Intranet After installation the Local Intranet Zone is set up to include the following site categories:
To remove one or more of these categories from the Local Intranet, select Local Intranet on the "Security" tab of Internet Options and click "Sites...". Clear the appropriate checkboxes on the dialog and click OK.
ADDING AND REMOVING SITES FROM A ZONE
Select the zone you want to append the site to and click "Sites...". Type or copy and paste the site's URL into "Add this Web site to the zone:" box and click "Add". The site will appear in the "Web sites:" list box. To remove a site select it in that list box and click "Remove".
Tips: Check your Trusted Zone periodically. Programs can add sites to the Trusted Zones and thereby give sites powers you don't want them to have!
It could be that the default zones do not match what you need. If that happens, you can always create your own zone. Internet Explorer doesn't let you create a zone on your own, but you can create one relatively easily.
The zones are in the Registry in the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones. This key has the following subkeys:
1) Local Intranet
2) Trusted sites
4) Restricted Sites
The simplest way to create a new zone is by exporting one of the keys with Registry Editor, changing it and importing the new key.
REGEDIT4 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"Description"="This zone contains Web sites that can possibly damage you computer or data."
The other settings in the file specify various security settings. You can adjust them from Internet Options.
There are four default settings available:
Local Intranet - Medium-Low
Trusted sites - Low
Restricted sites - High
Internet - Medium
You can change the setting by moving the slider under "Security Level For This Zone". If you don't see a slider then there are custom settings active. To make it re-appear click on Default Level. Also note that settings applied to Trusted sites are more lenient than the ones applied to the Local Intranet! So, don't put sites in Trusted sites unless you trust them more than the machines on your own intranet!
I'm not discussing the various individual settings because they change from version to version. To change the settings for a selected zone, click Custom Level and fill in your preferences in the dialog box that shows up.
There are significant differences between Internet Explorer 5 and Internet Explorer 6. Settings for cookies have been removed. Internet Explorer 6 has a new tab (Privacy) where you can adjust your settings for cookies. Also, some of the settings for security have been tightened. Most settings are retained, but Java and scripting have been disabled in the Restricted sites, regardless of the previous settings.
ActiveX security settings
These are very restrictive by default because of the power of the controls.
- Automatic Prompting For ActiveX Controls: Determines whether users are prompted with the Information Bar before installing an ActiveX Control. If this setting is disabled the control will be handled as defined by other settings. If enabled it will show the Information Bar.
- Binary And Script Behaviors: Restricts binary and script behavior in Restricted Sites and Local Machine. Binary and script behaviors are compiled HTML components, Windows Script Components or COM components that are delivered from a website instead of on the client. The settings are as follows: Enabled allows all behaviors, Disabled prevents them and Administrator Approved allows behaviors for a list pre-approved by the System Administrator.
- Download Signed ActiveX Controls: Can you download controls which are signed? This means that you can assume that the control has not been tampered with; it does not mean the control doesn't have a harmful effect. Internet Explorer only downloads without a confirmation from sites in your Trusted sites-zone; consider changing this to Prompt for added security.
- Download Unsigned ActiveX Controls: Internet Explorer blocks downloading without a prompt in all zones but Trusted Sites. If you develop and/or test ActiveX controls, you might want to change this setting for the Local Intranet. Definitely, you don't download unsigned controls from outside sources though!
- Initialize And Script ActiveX Controls Not Marked As Safe: This determines whether Internet Explorer allows initialization and/or scripting for controls that does not have the "Safe for" signature. Unless you're testing controls there's no need to change this setting.
- Run ActiveX Controls And Plug-ins: Internet Explorer allows downloaded ActiveX controls and plugins to run in all zones but the Restricted Sites. You can change this option to allow only Administrator-approved controls to run. A Plug-in is an application to handle Internet content; an example would be Acrobat Reader, which is used to open .pdf-files from the Internet.
- Script ActiveX Controls Marked Safe For Scripting: This enables controls loaded with thetag to interact with scripts. Only in Restricted Sites it is disabled. If you upgrade from Internet Explorer 5 to Internet Explorer 6, this is a setting which is not changed, so you might want to set it like that in Restricted Sites.
All file and font downloads are enabled by default for all zones but the Restricted Sites.
Java Security Settings
The Microsoft VM section of Security Settings has five options:
High Safety corresponds to the Java Sandbox. Medium Safety allows what High Safety allows plus Access Scratch Space (a place in your file system where the applet can create temporary files without full use of your system) and perform user directed file input/output. Low Safety additionally has: perform non user directed file input/output, execute other applications on your system, create and use dialog boxes, provide thread group access in the current execution context, open network connections with other computers, load libraries, make calls to Windows libraries (dll-files), create popups without the warning that the window was created by an applet, exit Microsoft VM, read/write in the Registry, print and create class loaders.
In other words, under Low Safety a Java applet can become just as powerful as an ActiveX Control. When you take into account that Java asks permission for applets if the applet cannot do what it wants, you can safely set this to the High Safety.
When you choose Custom, a button will appear that you can click to show a dialog box where you can adjust your own settings.
Miscellaneous Security Settings
- Access Data Sources Across Domains: This setting determines whether Internet Explorer will allow a component to access data sources on other domains than the site it comes from. Because this is potentially hazardous, this is not permitted in Internet and Restricted Sites zones by default
- Allow META REFRESH: A META REFRESH tag redirects you to a different server after a delay. Usually this is benign, and it's a service to redirect you to a new site after the website has been moved.
- Allow Scripting Of Internet Explorer Webbrowser Control: Determines whether scripts can access the Webbrowser control that renders the content and interface of Internet Explorer.
- Allow Script Initiated Windows Without Size Or Position Constraints: This controls if a script can create popup windows that are larger than the screen is. If enabled it is possible to create windows that block out toolbars, Start menu, taskbar, etc. It is a trick often used to trick the user into installing malware.
- Allow Webpages To Use Restricted Protocols For Active Content: Determines whether a webpage accessed through a protocol restricted in a security zone can run active content. To add protocols, use Group Policy.
- Display Mixed Content: Internet Explorer prompts for permission to show both secure and non-secure content on the same page. This can happen when a secure page is loading an image from a non secure place, or when frames are being used and one frame is secure while the other is not. The risk is that when you are in a mixed page you are not aware if you are answering questions on a secure part of the page or not. If you find the prompt annoying, you can turn it off.
Tip: to see if a part of the page is secure or not, right-click and choose Properties. Check the URL; if it begins with https:// it's secure.
- Don't Prompt For Client Certificate Selection When No Certificate Or Only One Certificate Exists: Some secure sites want proof that you are who you say you are. They request a client certificate, a file that tells the server that you are indeed you and is signed by a root that is trusted by the server. If this setting is disabled Internet Explorer will show you a list of certificates to choose from.
- Drag And Drop Or Copy And Paste Files: With this setting enabled (default in Local Intranet and Trusted Sites), a control or script could move itself from a zone to a zone with less severe security. If you don't have a full 100% trust in your Trusted Sites and Local Intranet consider changing this to Prompt.
- Installation Of Desktop Items: This is only enabled in the Trusted Sites zone, and allows you to guard against a security flaw where users could gain unauthorized privileges on a Windows 2000 or Windows XP machine. See Microsoft Security Bulletin MS00-020 for more information.
- Launching Programs And Files In An IFRAME: IFRAMEs are in-line ,or floating, frames often used in popups. Security problems involving IFRAMES usually exploit buffer overflow and/or hostile scripts vulnerabilities. The IFRAME is only enabled by default in the Trusted Sites zone. See Microsoft Security Bulleting MS99-042 for more information.
- Navigate Sub-Frames Across Different Domains: Just as with 'Access Data Sources Across Domains' it is possible for sites to show content from another site in a frame. Disable to prevent. By default this is disabled in Restricted Sites.
- Open Files Based On Content, Not File Extension: When enabled the MIME type of the file will be checked to determine which application should be used for opening the file. If disabled the specified program will be used.
- Software Channel Permissions: Three options are available: High Safety, Low Safety and Medium Safety. High Safety prevents from being notified by e-mail on software updates, and keeps programs from automatically getting downloaded and installed. Low Safety does allow this, and Medium Safety gets you the e-mails and downloads (provided it is digitally signed), but no automatic installation.
- Submit Non-Encrypted Form Data: As it says... Disable prevents, Enable permits, and Prompt prompts.
- Use Popup Blocker: Well… Use the built-in popup blocker or not.
- Userdata Persistence: If enabled, web sites can create XML files on your system that can store large quantities of information about you. These files ("Supercookies") are no security threat, since they can only contain what you enter. If you see this as a circumvention of Internet Explorer 6's support for the Platform for Privacy Preferences (P3P), disable this setting.
- Web Sites In Less Privileged Web Content Zones Can Navigate Into This Zone: Specifies if Websites running in a security zone with a higher security settings can change the zone to one with less security. For example, changing from Internet to Local Intranet.
Scripting Security Settings
- Active Scripting: Determines whether scripts are allowed to run on a web page. Enabled in all but Restricted Sites
- Allow Paste Operations Via Script: A security flaw that allowed scripts to copy data from the user's clipboard to their website... If you are concerned about this, disable it. This is only disabled in Restricted Sites.
- Scripting Of Java Applets: this sets whether scripts are allowed to interact with Java applets. Enabled in all but Restricted Sites.
User Authentication Settings
What happens when you have to login to a website. You might think it is convenient to have you logged in automatically, but don't allow it anywhere but the Local Intranet and Trusted Sites. A malicious web site can ask for your login credentials and steal these without you knowing. For more information about this exploit, see Microsoft Security Bulletin MS01-001.
Global Security Settings
In addition to the settings for every security zone you can change global settings on the Advanced tab in Internet Options. These settings apply to every security zone on the computer. The settings are basic on/off checks. The default values are also given. Most descriptions are self-explanatory so I only give extra information if needed.
- Allow Active Content From CDs To Run On My Computer (off): Allows active content to be run automatically from CD without prompting, as would happen with other active content.
- Allow Active Content To Run Files In My Computer (off).
- Allow Software To Run Or Install Even If Signature Is Invalid (off): Running and installing active content is prevented if the signature is invalid regardless of the security zone.
- Check For Publisher's Certificate Revocation (on): Checks to see if a certificate is revoked when you download an ActiveX control.
- Check For Server Certificate Revocation (off): Checks the Certificate Revocation List for the status of the certificate on web sites that use SSL or TLS
- Check For Signatures On Downloaded Programs (on): Checks signatures on downloaded ActiveX controls.
- Do Not Save Encrypted Pages To Disk (off): prevents saving of secure pages in the Temporary Internet Files folder.
- Empty Temporary Internet Files Folder When Browser Is Closed (off): This option should be enabled on all public computers or computers with high security requirements.
- Enable Integrated Windows Authentication (on): Ensures that only NTLM-based authentication is used to authenticate a user.
- Enable Profile Assistant (on): Allows you to use the Profile Assistant to store and maintain personal information.
- Use SSL 2.0 (on), Use SSL 3.0 (on), Use TLS 1.0 (off): Allows the use of these protocols when creating secure channels.
- Warn About Invalid Site Certificates (on): Warns users on secure websites if the Site's certificate is invalid.
- Warn If Changing Between Secure And Not Secure Methods (off).
- Warn If Forms Submittal Is Being Redirected (on): shows a message when the submitted form is beng redirected to another website or location to retrieve content.
USING CONTENT ADVISOR
Because the Internet is uncontrolled, there will be something on it to offend anyone. This is not just an issue for parents who want to protect their offspring, it can be an issue for everyone. Internet Explorer handles this through Content Advisor.
When Content Advisor finds the user going to a restricted page, it will issue a warning. Users who know the Supervisor password can bypass this and go to the site anyway.
Internet Explorer comes with one rating system, RSACi (Recreational Software Advisory Council). This system is obsolete. It has been supplanted by ICRA (Internet Content Rating Association, http://www.icra.org).
To install ICRA follow these steps:
By default Content Advisor blocks unrated pages because it has no way of knowing what the content is. When you go to an unrated page, you will be presented with a dialog saying you cannot view the page. You can enter the supervisor password and say whether this page is allowed or not.
If you don't want this protection you can change the default behavior. Go to Internet Options, Content, and click Settings. On the General tab select Users Can See Sites That Have No Rating.
You can create your own ratings by setting up a list of sites and specifying Always or Never on the Approved Sites tab. You can also delete sites from this list on the tab.
Turning Content Advisor off can be done by clicking the Disable button and specifying the password.
MANAGING ACTIVEX CONTROLS
ActiveX controls are Windows programs, therefore they are able to do what any program can do. They are only limited by the permissions of your account. Already hundreds of them will be on your computer, because ActiveX controls are an important part of Windows. Apart from installing programs, you can also download these controls from the Internet when you visit a website.
To help decide if a download is risky or not, Microsoft employs a digital signing strategy called Authenticode. On downloading, Internet Explorer checks to see whether it can download the control or not. If it can't find information on it, Internet Explorer will ask you if it can be downloaded.
Note that the signature does not tell you it can be trusted, it only attests to the integrity and authenticity of the control you are about to download. In the default security settings for the Internet, Internet Explorer prompts you for permission to download and blocks unsigned downloads. On the dialog box you can click the name of the component's publisher to see the certificate that was used to sign the download. Remember that once the control is downloaded you cannot see the certificate again, so if you want to see it, that would be the time. You can import the certificate by clicking Install Certificate.
Once the control is downloaded you can see more about it by going to the General tab of Internet Options and clicking Settings, View Objects. Alternatively you can go to %SystemRoot%\Downloaded Program Files .
Updating ActiveX Controls
In the Details view of the Downloaded Program Files folder, you can find several types of information about a control. The Status column tells you if the control has been damaged. Creation Date tells when you downloaded it. If the control has become damaged, or you think you should update it, you can right-click the control and choose Update from the menu. When updates are available, you'll be presented with the already familiar Certificate window, and after that the control will be updated.
Deleting ActiveX Controls
How tempting it might be just to hit Delete in the Downloaded Program Files folder, this will not uninstall the control. It will only get rid of the .ocx/.dll file, but not the modifications in the Registry. When you get to the site that installed the control, it might make Internet Explorer crash, because it finds the control in the Registry and not on disk!
If you want to delete an ActiveX control, open Add Or Remove Programs in the Control Panel to see if it can be uninstalled from there. If it cannot, right-click the control and choose Remove.
ActiveX Control Properties
Right-clicking a control and choosing Properties reveals more information about it. The Properties dialog box shows on the General tab if it is a Java applet or an ActiveX control (Type), where you downloaded the control (CodeBase). Internet Explorer uses the security zone that the CodeBase belongs to to determine what the permissions are for the control. Note that the CodeBase might be different from the website where you downloaded the control. In such a case Internet Explorer applies the most restrictive of the settings.
The Version tab allows you to find information about the control's publisher and the Dependency tab identifies the file(s) used by the component.
Safe For Initialization and Safe For Scripting Flags
ActiveX controls can be instantiated with local or remote data. If this data comes from an untrustworthy source this could cause a breach in the security. As a way of dealing with these risks, publishers can sign the controls as Safe For Initialization and/or Safe For Scripting.
If a control is marked Safe For Initialization, the publisher asserts that the control will do no harm, regardless of how it was initialized. If a control is marked Safe For Scripting, the publisher asserts that the control will do no harm no matter how the properties, methods and events are scripted.
Under default security settings controls without these flags will be blocked in the Local Intranet, Internet and Restricted Sites zones. In the Trusted Sites zone you will be prompted to obtain permission.
If a control is marked safe for scripting, the Registry key for the
Likewise safe for initialization is indicated by this key:
Note that these keys do not have any keys or values under them. If you want to demote the control you just delete the key that indicates it is safe. Do not delete other parts, just the key marking it as safe!
Permitting Only Administrator Approved ActiveX Controls To Run
You can restrict the use of ActiveX controls to a set approved by the Administrator by using Microsoft Internet Explorer Administration Toolkit (which you can download at http://www.microsoft.com/windows/ieak/default.mspx) or with Group Policy.
Start Group Policy by choosing Run... from the Start menu and entering gpedit.msc. In Group Policy navigate to User Configuration\Administrative Templates\Windows Components\Internet Explorer\Administrator Approved Controls. You'll see a list of controls which you can add to the approved list by double-clicking an entry and selecting Enabled from the popup window.
You can add Controls which are not on this list by editing the Registry. Get the CLSID from the Control by right-clicking the Control and choosing Properties. Select and copy the CLSID. Open Registry Editor and navigate to HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls. If that key doesn't exist you can create it. Add a DWORD value for the CLSID you want, and set the data to 0. To prohibit the use of that Control set the data to 1.
To limit Internet Explorer to the use of those Controls configure the Run ActiveX Controls And Plug-ins setting to Administrator Approved. This is a per-security-zone setting, so you will have to set it for every zone you want limited.
Inactivating an ActiveX Control
If you want to make sure that an ActiveX Control never runs on your system again copy the CLSID from the Control by going to %SystemRoot%\Downloaded Program Files, double-clicking the Control to be removed and copying the ID field from the General tab.
Run Registry Editor and navigate to HKLM\Software\Microsoft\Internet Explorer\ActiveX Compatibility. In this key add a new Key and paste the copied CLSID as name. If the key already exists, Registry Editor will refuse to add it, so delete the newly appended key and select the other key. Add a DWORD value named Compatibility Flags. Double-click that value to edit it and enter the hexadecimal value 400 (or 1024 after selecting decimal). When the value is 0x00000400 the Control will become inactive. To make it active again, delete the value Compatibility Flags.
MANAGING JAVA APPLETS
Just like ActiveX Controls, downloaded Java Applets are located in %SystemRoot%\Downloaded Program Files, where you can view, update and remove them. Java Applets don't have unrestricted access to your system because they run in a "sandbox". In this sandbox an applet can do the following:
For more details about the security of Java Applets see Java Security Settings in this article.
A script is embedded in a web page, and is written in VBScript or JScript. Scripts can also be saved as stand alone files (the extensions used are .vbs for VBScript and .js for Jscript). With the Windows Scripting Host they can executed as well. Many viruses are written as scripts, so use a good Anti-Virus program to protect you from scripted email.
Because scripts normally make use of known exploits and security breaches, keep up to date with Windows and Internet Explorer patches!
Internet Explorer includes a number of security settings that affect scripting, see earlier in this article.
You can configure the Internet Zone to prompt when a site wants to execute a script. And create a security zone with sites that you deem trustworthy. After the site has been proven to be benign, you add it to the newly created security zone, and it will run as normal.
As an alternative you can use Jason Levine's Script Sentry (http://www.jasons-toolbox.com/scriptsentry.asp). Script Sentry allows you to run scripts without interruption, and display alerts when other scripts want to run.
Bleeping Computer Advanced Internet Security Concepts
BleepingComputer.com: Computer Help & Tutorials for the beginning computer user.
Damn you Microsoft! I am a notepad addict. If you look at my taskbar at any time and you will see at least 5 notepads, usually a lot more running at one time. Why? Because it is fast and small I use it to keep notes, to do lists, phone numbers, write code, search and replace, etc. The reasons are endless....
A very common question we see here at Bleeping Computer involves people concerned that there are too many SVCHOST.EXE processes running on their computer. The confusion typically stems from a lack of knowledge about SVCHOST.EXE, its purpose, and Windows services in general. This tutorial will clear up this confusion and provide information as to what these processes are and how to find out more ...
HijackThis is a utility that produces a listing of certain settings found in your computer. HijackThis will scan your registry and various other files for entries that are similar to what a Spyware or Hijacker program would leave behind. Interpreting these results can be tricky as there are many legitimate programs that are installed in your operating system in a similar manner that Hijackers get ...
In order to use a hard drive, or a portion of a hard drive, in Windows you need to first partition it and then format it. This process will then assign a drive letter to the partition allowing you to access it in order to use it to store and retrieve data.
A driver is a program that is able to control a device that is connected to your computer. These drivers are used by the operating system to enable it to communicate with the particular device the driver was made for. Devices that you connect to your computer are often very specialized which makes it so Windows can not communicate directly with the device without a program telling it how to. This ...