Web Browser Security Revisited (Part 3)


Date: 2014/05/17


In Part 1 of this series, we discussed the importance of web browser security and some security-related issues that are common to all or many of the popular browsers today. In Part 2, we talked about some specific security mechanisms that are built into Internet Explorer and how they’re implemented. This time, we’ll look at how to configure IE for best security.

Configuring Internet Explorer for best security practices

As with any browser, the first step in making IE as secure as possible is to update to the latest version. If you’re using Windows 7 or Windows 8/8.1, that means IE 11. If you’re still running XP, that means IE 8 and for Vista users, IE 9 – although if you really care about security, best practice is to upgrade your operating system to Windows 7 or 8/8.1, especially if you’re running XP, support for which will end in April 2014. Thus we’ll focus on configuring IE 11 here.

Install security updates

Regardless of the browser version, Step 2 should be installation of all available security updates for IE, and of course you need to keep it up to date as new patches come out. But it’s not just IE itself that needs to be updated. Many exploits are sneaky; they use the “back door” of browser add-ons to get in and do their dirty work. Be aware of what browser add-ons/plug-ins/extensions are installed and ensure that any updates released for them are installed, too.

Windows Update will tell you if there are IE updates that are missing, but for third party add-ons, you might need to run a browser scanning utility on individual computers or, for better efficiency in the business environment, use patch management software that checks for third party updates.

There may be add-ons installed that you don’t use or don’t need, as well. As with any software or service, best security practice is to remove or disable any unneeded add-ons. You can manage add-ons by clicking the Tools menu in IE and selecting Manage add-ons. Here you can disable those add-ons you don’t need.

You can remove some add-ons completely, although some can only be disabled.
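To know what is actually loaded, it helps to inventory add-ons from the registry rather than trusting the Manage add-ons dialog alone. The following is an added example, not code from the original article: it lists the Browser Helper Objects registered for IE, the DLL behind each, its file version (for patch tracking) and whether the DLL carries a valid Authenticode signature; the registry paths are the standard BHO and CLSID registration keys.

```powershell
# Added example (not from the original article): list the Browser Helper
# Objects registered for IE, the DLL behind each, its file version and whether
# the DLL carries a valid Authenticode signature. Run from an elevated prompt.
$bhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
# A CLSID may be registered in the native or the 32-bit (Wow6432Node) class hive.
$classRoots = @('HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID')

function Get-IeBhoInventory {
    foreach ($root in $bhoRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($sub in Get-ChildItem -Path $root) {
            $clsid = $sub.PSChildName
            $name = $null; $dll = $null
            foreach ($cls in $classRoots) {
                $key = Join-Path $cls $clsid
                if (-not (Test-Path $key)) { continue }
                # The key's default value is the display name; InprocServer32 holds the DLL path.
                $name = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
                $dll  = (Get-ItemProperty -Path "$key\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
                if ($dll) { break }
            }
            $dll = [Environment]::ExpandEnvironmentVariables("$dll").Trim('"')
            $version = $null; $signer = 'DLL not found'
            if ($dll -and (Test-Path -LiteralPath $dll)) {
                $version = (Get-Item -LiteralPath $dll).VersionInfo.FileVersion
                $sig = Get-AuthenticodeSignature -FilePath $dll
                $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { "UNSIGNED ($($sig.Status))" }
            }
            [pscustomobject]@{
                Name = $name; CLSID = $clsid; Dll = $dll; Version = $version; Signer = $signer
            }
        }
    }
}

# Unsigned or unrecognised entries are the ones to review under Tools > Manage add-ons.
Get-IeBhoInventory | Sort-Object Name | Format-Table -AutoSize -Wrap
```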

Enable built-in security mechanisms

Recent versions of IE include many built-in security mechanisms. Depending on the version, some of these are enabled by default and some aren’t. Even for those that are, there is the possibility of users or even other admins making changes to the settings, rendering the browser less secure. For best security, you’ll want to enable technologies such as SmartScreen filtering, ActiveX filtering, and tracking protection.

Here are some settings to check:

  • Ensure Protected Mode is enabled. This setting is a checkbox that you’ll find by clicking the Tools icon, Internet Options, and the Security tab, as shown in Figure 1. (We discussed security zones earlier in this series.) IE 11 also supports Enhanced Protected Mode, which we discussed earlier in this series; when Enhanced Protected Mode is running, add-ons will only work if they are compatible with it.

  • Many of today’s laptops and tablets and even some desktops have location services enabled, which can determine the location of the device through GPS, wi-fi, and/or LTE radio transmissions. This is handy for enabling the browser to show search results that are nearby, automatically detect the starting point in giving map directions, and so forth. However, allowing web sites to see your location information can also be a security risk. On the Privacy tab of Internet Options, you can check a box to Never allow websites to request your physical location, as shown in Figure 2.

  • Pop-ups can contain malicious code. The Privacy tab of Internet Options is also where you configure the popup blocker. By default, it’s set to Block most automatic pop-ups, but you can change the settings here to either Block all pop-ups or to Allow pop-ups from secure sites. Note that “secure” doesn’t necessarily mean “safe.” A secure site is one that uses SSL/TLS to encrypt information sent to it over the Internet. Anyone can buy an SSL certificate from a public certification authority. Sites with extended validation (EV) certificates (identified by the “green bar” in the browser window) have gone through stricter vetting to confirm the identities of the web site operators. When you block pop-ups, you can “whitelist” particular sites whose pop-ups you want to allow.
  • There are a number of security-related settings on the Advanced tab of Internet Options, as shown in Figure 3. As noted previously, this is where you can enable Enhanced Protected Mode, which is not enabled by default in IE 11 – unless you’re running Windows 8.1 and haven’t installed the November 2013 updates. Microsoft enabled EPM in Windows 8.1 by default, then disabled it via one of those updates.

The following security settings are checked by default (and should be left that way unless you have a compelling reason to change them): checking for publisher’s certificate revocation, checking for server certificate revocation, checking for signatures on downloaded programs, DOM storage enabled, integrated Windows authentication enabled, native XMLHTTP support enabled, SmartScreen Filter enabled, sending of Do Not Track requests, SSL 3.0, TLS 1.0, 1.1 and 1.2.

You can increase security by enabling some of the items that are not checked by default, but be aware that some of these settings could negatively impact the browser’s ability to access certain sites or resources. Many of the items not checked by default should stay that way for best security. Here are the ones that you might consider changing:

  • Do not save encrypted pages to disk
  • Empty Temporary Internet Files folder when browser is closed
  • Enable Strict P3P validation
  • Warn if changing between secure and not secure mode
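The settings named above are all backed by per-user registry values, so they can be audited without opening Internet Options on each machine. The following is an added example, not code from the original article: it reads the values behind Protected Mode, Enhanced Protected Mode, SmartScreen, Do Not Track and the three Advanced-tab items above, compares them with the values this article recommends, and decodes the SecureProtocols bitmask so you can see exactly which SSL/TLS versions are enabled. The value names and locations are the documented ones for IE 11; the "Expected" column is this article's recommendation, not a Microsoft default.

```powershell
# Added example (not from the original article): audit the current user's IE 11
# settings discussed above by reading the registry values behind them.
$is   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$main = 'HKCU:\Software\Microsoft\Internet Explorer\Main'

function Get-RegValue($path, $name) {
    (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
}

function Get-IeSecurityAudit {
    # Each entry: display name, key, value name, value recommended by the article, note
    $checks = @(
        @('Protected Mode (Internet zone)',   "$is\Zones\3", '2500', 0, '0 = on, 3 = off'),
        @('Protected Mode (Restricted zone)', "$is\Zones\4", '2500', 0, '0 = on, 3 = off'),
        @('Enhanced Protected Mode', $main, 'Isolation', 'PMEM', 'PMEM = on, PMIL = off'),
        @('SmartScreen Filter', 'HKCU:\Software\Microsoft\Internet Explorer\PhishingFilter', 'EnabledV9', 1, ''),
        @('Send Do Not Track requests', $main, 'DoNotTrack', 1, ''),
        @('Do not save encrypted pages to disk', $is, 'DisableCachingOfSSLPages', 1, ''),
        @('Empty Temporary Internet Files on exit', "$is\Cache", 'Persistent', 0, '0 = empty on close'),
        @('Warn if changing between secure and not secure mode', $is, 'WarnOnZoneCrossing', 1, '')
    )
    foreach ($c in $checks) {
        $actual = Get-RegValue $c[1] $c[2]
        [pscustomobject]@{
            Setting  = $c[0]
            Actual   = if ($null -eq $actual) { '(not set: browser default applies)' } else { $actual }
            Expected = $c[3]
            Status   = if ("$actual" -eq "$($c[3])") { 'OK' } else { 'CHECK' }
            Note     = $c[4]
        }
    }
}

# SecureProtocols is a bitmask: 8 = SSL 2.0, 32 = SSL 3.0, 128 = TLS 1.0, 512 = TLS 1.1, 2048 = TLS 1.2.
function Get-IeSecureProtocols {
    $mask = Get-RegValue $is 'SecureProtocols'
    if ($null -eq $mask) { return @('(not set: browser default applies)') }
    $bits = @{ 8 = 'SSL 2.0'; 32 = 'SSL 3.0'; 128 = 'TLS 1.0'; 512 = 'TLS 1.1'; 2048 = 'TLS 1.2' }
    $bits.Keys | Sort-Object | Where-Object { $mask -band $_ } | ForEach-Object { $bits[$_] }
}

Get-IeSecurityAudit | Format-Table -AutoSize -Wrap
'Enabled SSL/TLS versions: ' + ((Get-IeSecureProtocols) -join ', ')
```

Rows marked CHECK are either set to a weaker value or left at the browser default; compare them against the Advanced tab before changing anything, since a Group Policy may be overriding the per-user value.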

Use Group Policy to control IE security settings

You can ensure that IE’s security-related settings on all the machines on your network are configured as you want, and keep them that way, by using Group Policy to enforce the settings. You can do this by using the administrative templates to edit registry-based policy settings. Be sure that when you install IE 11 on the machines, you do so under standard user accounts (not admin) so the users won’t be able to override the Group Policy and change the settings.

When managing IE 11 settings via Group Policy, you can use the Group Policy Management Console (GPMC), the Advanced Group Policy Management Console (AGPMC) for Software Assurance customers, or the local Group Policy Editor. You can also automate the management of Group Policy using PowerShell.

To install the GPMC on your Windows 8.1 computer, download and install the Remote Server Administration Tools (RSAT) for Windows 8.1.

To edit Group Policy, you must have Edit permission for the Group Policy Object (GPO). Domain administrators, Enterprise administrators and members of the Group Policy Creator Owners group have permission by default.

When using the local Group Policy Editor, settings for IE can be configured under Computer Configuration | Administrative Templates | Windows Components | Internet Explorer.

Under Security Features, you’ll find settings for Add-on Management, where you can configure a list of add-ons to be allowed or denied by IE, specifying that IE should Deny all add-ons unless specifically allowed in the Add-on List and a setting to Turn off Adobe Flash in IE.

Other Security Features settings include those controlling AJAX, Binary Behavior Security Restriction, Consistent MIME handling, Local Machine Lockdown Security, and more, as listed in the left pane in the figure above.

Other useful policies include preventing users from resetting IE settings and preventing users from enabling or disabling add-ons.
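Automating this with the GroupPolicy module (installed with RSAT, as mentioned above) means the policy registry values are written directly, without clicking through the editor. The following is an added example, not code from the original article or from Microsoft: it creates a GPO, sets the policy values behind Turn on Enhanced Protected Mode, Turn on SmartScreen Filter, Do not allow users to enable or disable add-ons, and Deny all add-ons unless specifically allowed in the Add-on List, then links the GPO to an OU. The GPO name, the OU distinguished name and the all-zero CLSID in the Add-on List are placeholders to replace with your own.

```powershell
# Added example (not from the original article): enforce the IE 11 policies
# discussed above through a GPO, using the GroupPolicy module from RSAT.
Import-Module GroupPolicy

$gpoName = 'IE11 Security Baseline'                 # placeholder GPO name
$ouDn    = 'OU=Workstations,DC=example,DC=com'      # placeholder target OU
$pol     = 'HKLM\Software\Policies\Microsoft'       # root of the policy hive

function New-IeSecurityGpo {
    $gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'IE 11 security settings' }

    # Each entry: policy key, value name, type, data. These are the registry values
    # the corresponding Administrative Template settings write.
    $settings = @(
        @("$pol\Internet Explorer\Main", 'Isolation', 'String', 'PMEM'),               # Turn on Enhanced Protected Mode
        @("$pol\Internet Explorer\PhishingFilter", 'EnabledV9', 'DWord', 1),           # Turn on SmartScreen Filter
        @("$pol\Internet Explorer\Restrictions", 'NoExtensionManagement', 'DWord', 1), # Users cannot enable/disable add-ons
        @("$pol\Windows\CurrentVersion\Policies\Ext", 'RestrictToList', 'DWord', 1)   # Deny all add-ons unless in the Add-on List
    )
    foreach ($s in $settings) {
        Set-GPRegistryValue -Name $gpoName -Key $s[0] -ValueName $s[1] -Type $s[2] -Value $s[3] | Out-Null
    }

    # Add-on List: one REG_SZ value per add-on CLSID; "1" allows it, "0" denies it.
    # The all-zero CLSID is a placeholder; use the CLSIDs from your add-on inventory.
    Set-GPRegistryValue -Name $gpoName -Key "$pol\Windows\CurrentVersion\Policies\Ext\CLSID" `
        -ValueName '{00000000-0000-0000-0000-000000000000}' -Type String -Value '1' | Out-Null

    # Link the GPO to the OU once; skip if a link with this name already exists.
    $linked = (Get-GPInheritance -Target $ouDn).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
    if (-not $linked) { New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null }

    # Return the values written so the result can be reviewed.
    foreach ($s in $settings) { Get-GPRegistryValue -Name $gpoName -Key $s[0] -ValueName $s[1] }
}

New-IeSecurityGpo | Format-Table KeyPath, ValueName, Value -AutoSize
```

Run gpupdate /force on a test machine afterwards and re-check the Advanced tab; the policy values land under HKLM\Software\Policies and take precedence over the per-user settings.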

Related Links:

Web Browser Security Revisited (Part 1)

Web Browser Security Revisited (Part 2)








Created: 18 Mordad 1393


