As you can see, if you are beta testing Windows .NET Server, there are quite a few differences in security as there were from Windows 2000. Some are subtle, where others are very obvious. One of the subtle ones in my opinion is the changing of Internet Explorers security settings. Now that you have Internet Explorer 6 installed on .NET server by default, you should know how to protect yourself with it. There is more added features of course, but more than ever, more security ‘enhancements’ to include setting up Cookie configuration usage. It’s easier and makes more sense in the newest version of the Windows Server based operating system from Redmond. Lets look at how Windows .NET Server handles Browser security with Internet Explorer 6.
First, lets discuss why browser security is such a big deal. First off, you do most of what you do on the Internet through a web browser. The information age is led with a web browser, and to make it even more important, you should also know that the almost all new Operating System Platforms allow administration via the web browser, so that being said, its important that you protect this application. Your privacy on the Web should be your utmost concern especially if you are visiting sites that may cause you problems such as Porn, Warez, or any other type of site that you may very well be the target of malicious activity. I very much doubt you will get an attack launched against you if you visit a company website, but you never know. In all actuality, some company web sites, were putting in scripts to replace your homepage with theirs, (form of Browser Hijacking) so don’t think that even an admirable site may not cause you problems. Other security concerns will definitely be with the usage of Cookies from just about any site. Luckily, Internet Explorer 6.0 has many new and updated privacy features to help prevent your system from malicious activity.
Cookies
Every time I hear this word, I think of a nice box of Oreo’s, but that is not what this form of cookies are… these are the annoying little text files that your PC or Server get littered with over the course of your using your Browser and using the Web Browser. So, what exactly is a cookie anyway? A cookie is nothing more than a small text file that is placed on your local machine that will contain information about you and more importantly, your web surfing habits. The original intentions of a Cookie are not bad, they were meant to aid your surfing experience. Here are some examples of what cookies can do for you:
Remember username and passwords so you don’t have to enter them every time you log into a site
Remember page preferences, so when you revisit the page, you have those preferences predefined
Cookies are most often used to customize your browser or for personalized content delivery but on occasion, they can be used to exploit you because they do in fact carry personal information about you. Also, your PC or Server will accept cookies by default and you will never even know if this information is getting cached on you or not. Here are 2 published cookie exploits for you to see:
Microsoft released Security Bulletin MS01-055, which discusses a vulnerability in Internet Explorer 5.5 and 6.0 that enables a malicious Webmaster to read and alter cookies by “injecting a script.” By design Web sites should only be allowed to access its own cookies. However, someone recently discovered a vulnerability whereby a specifically formed URL can allow a Web site to gain access to any cookie, and even modify the data in a cookie. This is very dangerous because some Web sites hide personal or sensitive data in their cookies, such as a password for entry to the site. Unfortunately, at this time, no patch is available to correct this issue because according to Microsoft, “The person who discovered this vulnerability has chosen to handle it irresponsibly, and has deliberately made this issue public only a few days after reporting it to Microsoft.” Microsoft is preparing a patch for this issue, but in the meantime they recommend that you disable Active Scripting in all Zones. The risk factor is high in all Zones except for the Restricted Zone, which has Active Scripting, disabled by default. Details on how to do this can be found in the Frequently Asked Questions section of the Security Bulletin.
Microsoft released Security Bulletin MS02-015, which discusses the availability of a Cumulative Patch for Internet Explorer 5.01, 5.5 and 6.0. This patch includes all of the fixes and functionality from all previously released patches for IE 5.01, 5.5 and IE 6. In addition, it eliminates two new vulnerabilities:
Incorrect security zone determination could allow a script within a cookie execute in the context of the Local Computer Zone. Andreas Sandblad of Sweden reported this.
Incorrect handling of object tags could allow an attacker to invoke any executable on the victim’s machine.
If you are running Internet Explorer 5.01, 5.5 or 6.0, you should apply this patch. Additional details can be found in Microsoft Knowledge Base article Q319182.
As you can see, this is a problem, and is not going to be going away, only getting worse. Lets look at how you can protect yourself besides reading all the Microsoft press releases and applying hot fixes.
Cookie Protection
There are 3 ways you can protect yourself… Delete your cookies on occasion, make sure your cookies folder (wherever it may be depending on what version you are running) is being actively scanned via Antivirus, and always visit Windows Update online to see if there are any new hotfixes for your browser based on Cookie Exploits.
http://v4.windowsupdate.microsoft.com/en/default.asp
Another way is to block them. In this article, we are going to look at the major differences between older versions of IE, and the newer IE 6. In older versions, you could block cookie usage or set it up to prompt you first. First, the major difference is in the placement of the configurations of Cookie usage with IE. You used to have to go into a specific Zone, go to the Custom Levels change the Cookie usage settings as seen here:
Once you set the Cookies usage to either enable, disable or prompt, you will see that once you get a site that wants to place a cookie on your local machine, it will either transparently take it, disable it, or prompt you as seen here:
That’s it! It’s that easy to set up your browser security. Now, that you have set this up in Windows IE 5.x, you need to know the differences between this version, and Windows .NET and XP default browser level of IE 6.
Internet Explorer Version 6
Now with Internet Explorer 6.0 you can selectively block different types of cookies. Internet Explorer 6.0 can offer you ‘6’ predefined settings from accepting cookies to blocking cookies. Lets look at these in detail:
You can view the new policies from the new Privacy tab of the Internet Options window. To get to this tab, open IE and go to Tools => Internet Options.
You can see that the tightest security level you can implement is to set the privacy level to Block All Cookies. Once you set this and apply it, the browser will block any cookie it encounters and the cookies you already have on your local machine cannot be read by web sites. This is for the paranoid only!
Next up is the High Level of privacy, which will block cookies that do not have a privacy policy or is trying to use personal information on your machine without your consent. Remember, Cookies can contain a lot about you to include any info (such as your address) that you may have entered into a site at one time that has now been placed in a cookie on your local machine.
Now, you can set Medium High. This setting will allow you to block 3rd party cookies that do not have a privacy policy. Cookies from third-party Web sites that do not have a compact policy, which may be a condensed computer-readable privacy statement will be blocked for your protection. Cookies from third-party Web sites that use your personally identifiable information without your explicit consent will be blocked as well as Cookies from first-party Web sites that use your personally identifiable information without your implicit consent will be blocked.
When using the Medium Setting, Cookies from third-party Web sites that do not have a compact policy (a condensed computer-readable privacy statement) will be blocked. Cookies from third-party Web sites that use your personally identifiable information without your implicit consent will be blocked. Cookies from first-party Web sites that use your personally identifiable information without your implicit consent will be deleted from your computer when you close Internet Explorer
When using Low, Cookies from third-party Web sites that do not have a compact policy (a condensed computer-readable privacy statement) will be blocked. Cookies from third-party Web sites that use your personally identifiable information without your implicit consent will be deleted from your computer when you close Internet Explorer
Lastly, when enabling Accept all cookies, all cookies will be saved on your computer. Existing cookies on your computer can be read by the Web sites that created them
Internet Explorer 6 in Windows XP and .NET Server help protect your privacy, plain and simple. As you can see from the above example, we were able to apply more customizable options to the Browsers security.
Other IE 6 options you should be aware of are the Privacy tabs advanced button and the Privacy Reports option. First lets look at the advanced tab options.
Advanced Privacy Settings
When you click on and view the advanced privacy settings, you can have the option to override automatic cookie handling and specify even more granular options. In this figure, we can see that you can select between first and third party cookies as well as to always allow session cookies.
Web Sites Override
Another configuration option is to click on the ‘edit’ button below the advanced button to set the Web sites override. In the figure below, you can see that this set of options allow you to override specific web sites as seen here. I have set a rule to always block offlimits.com from this local machine.
Privacy Report
Internet Explorer 6 also allows you to view A Web site’s privacy policy. This policy will tell the following:
* What kind of information the site collects
* Who it gives the information
* How it uses the information
Many Web sites provide a privacy statement (Platform for Privacy Preferences – P3P) that you can view:
1. Open Internet Explorer, on the View menu => click Privacy Report
2. Double click the Web site for which you want to view the privacy policy.
A security flaw here is that you need to be careful that although IE 6 will allow you to view the policy, that doesn’t mean that, the site itself is not in compliance with its own policy. You can only view that it has one.
Security Zones
Security Zones are still used, and wont be covered in this article, but to make the comparison between the IE 6 version of the browser, and the older one such as version 5.x, you should know that IE 6 still uses Security zones, and has an “Custom Level” you can set which will open the same dialog box where you set Cookie settings earlier.
You can see in the Security Settings that the control over Cookies is not listed, and you will now have to configure Cookies in the Privacy tab as seen earlier.
In this article as have looked at the major differences in security between Windows .NET Server and XP’s default Internet Web Brower, Internet Explorer 6 against the older version of the browser, IE 5.x to be exact. For more information on these settings, you can view the following References:
IE 6 configuration Guidelines
http://www.microsoft.com/windowsxp/pro/using/howto/security/ie6.asp
http://www.microsoft.com/windows/ie/using/howto/privacy/config.asp
Internet Explorer 6 Privacy Feature FAQ
http://msdn.microsoft.com/library/default.asp?url=/Workshop/security/privacy/overview/privacyfaq.asp
How to Create a Customized Privacy Import File
http://msdn.microsoft.com/Workshop/security/privacy/overview/privacyimportxml.asp?frame=true
How to Deploy P3P Privacy Policies on Your Web Site
http://msdn.microsoft.com/Workshop/security/privacy/overview/createprivacypolicy.asp?frame=true
Privacy in Internet Explorer 6
http://msdn.microsoft.com/library/enus/dnpriv/html/ie6privacyfeature.asp?frame=true
