If you would like to read the other parts in this article series please go to
- Web Browser Security Revisited (Part 1)
- Web Browser Security Revisited (Part 2)
- Web Browser Security Revisited (Part 4)
- Web Browser Security Revisited (Part 5)
- Web Browser Security Revisited (Part 6)
- Web Browser Security Revisited (Part 7)
Configuring Internet Explorer for best security practices
As with any browser, the first step in making IE as secure as possible is to update to the latest version. If you’re using Windows 7 or Windows 8/8.1, that means IE 11. If you’re still running XP, that means IE 8 and for Vista users, IE 9 – although if you really care about security, best practice is to upgrade your operating system to Windows 7 or 8/8.1, especially if you’re running XP, support for which will end in April 2014. Thus we’ll focus on configuring IE 11 here.
Install security updates
Regardless of the browser version, Step 2 should be installation of all available security updates/rollups for IE, and of course you need to keep it up to date as new patches come out. But it’s not just IE itself that needs to be updated. Many exploits are sneaky; they use the “back door” of browser add-ons to get in and do their dirty work. Be aware of what browser add-ons/plug-ins/extensions are installed and ensure that any updates released for them are installed, too.
Windows Update will tell you if there are IE updates that are missing, but for third party add-ons, you might need to run a browser scanning utility on individual computers or, for better efficiency in the business environment, use patch management software that checks for third party updates.
There may be add-ons installed that you don’t use or don’t need, as well. As with any software or service, best security practice is to remove or disable any unneeded add-ons. You can manage add-ons by clicking the Tools menu in IE and selecting Manage add-ons. Here you can disable those add-ons you don’t need, as shown in Figure 1.
You can remove some add-ons completely, although some can only be disabled.
Figure 1
Enable built-in security mechanisms
Recent versions of IE include many built-in security mechanisms. Depending on the version, some of these are enabled by default and some aren’t. Even for those that are, there is the possibility of users or even other admins making changes to the settings, rendering the browser less security. For best security, you’ll want to enable technologies such as SmartScreen filtering, ActiveX filtering, and tracking protection.
Here are some settings to check:
- Ensure Protected Mode is enabled. This setting is done via a checkbox that you’ll find by clicking the Tools icon, Internet Options, and the Security tab, as shown in Figure 2. (We discussed security zones earlier in this series). IE 11 supports Enhanced Protected Mode, as we discussed earlier in this series. When Enhanced Protected Mode is running, add-ons will only work if they are compatible with Enhanced Protected Mode. Enhanced Protected Mode is turned on and off via the Advanced tab, which we’ll look at a little later in this article.
Figure 2
- Many of today’s laptops and tablets and even some desktops have location services enabled, which can determine the location of the device through GPS, wi-fi, and/or LTE radio transmissions. This is handy for enabling the browser to show search results that are nearby, automatically detect the starting point in giving map directions, and so forth. However, allowing web sites to see your location information can also be a security risk. On the Privacy tab of Internet Options, you can check a box to Never allow websites to request your physical location, as shown in Figure 3.
Figure 3
- Pop-ups can contain malicious code. The Privacy tab of Internet Options is also where you configure the popup blocker. By default, it’s set to Block most automatic pop-ups, but you can change the settings here to either Block all pop-ups or to Allow pop-ups from secure sites. Note that “secure” doesn’t necessarily mean “safe.” A secure site is one that uses SSL/TLS to encrypt information sent to it over the Internet. Anyone can buy an SSL certificate from a public certification authority. Sites with extended validation (EV) certificates (identified by the “green bar” in the browser window) have gone through stricter vetting to confirm the identities of the web site operators. When you block pop-ups, you can “whitelist” particular sites whose pop-ups you want to allow.
- There are a number of security-related settings on the Advanced tab of Internet Options, as shown in Figure 4. As noted previously, this is where you can enable Enhanced Protected Mode, which is not enabled by default in IE 11 – unless you’re running Windows 8.1 and haven’t installed the November 2013 updates. Microsoft enabled EPM in Windows 8.1 by default, then disabled it via one of those updates.
Figure 4
The following security settings are checked by default (and should be left that way unless you have a compelling reason to change it): checking for publisher’s certificate revocation, checking for server certificate revocation, checking for signatures on downloaded programs, DOM storage enabled, integrated Windows authentication enabled, native XMLHTTP support enabled, SmartScreen Filter enabled, sending of Do Not Track requests, SSL 3.0, TLS 1.0, 1.1 and 1.2, warning of certificate address mismatch and warning of POST submittal directed to a zone that doesn’t permit posts.
You can increase security by enabling some of the items that are not checked by default, but be aware that some of these settings could negatively impact the browser’s ability to access certain sites or resources. Many of the items not checked by default should stay that way for best security. Here are the ones that you might consider changing:
- Do not save encrypted pages to disk
- Empty Temporary Internet Files folder when browser is closed
- Enable Strict P3P validation
- Warn if changing between secure and not secure mode
Use Group Policy to control IE security settings
You can ensure that IE’s security-related settings on all the machines on your network are configured as you want, and keep them that way, by using Group Policy to enforce the settings. You can do this by using the administrative templates to edit registry-based policy settings. Be sure that when you install IE 11 on the machines, you do so under standard user accounts (not admin) so the users won’t be able to override the Group Policy and change the settings.
When managing IE 11 settings via Group Policy, you can use the Group Policy Management Console (GPMC), the Advanced Group Policy Management Console (AGPMC) for Software Assurance customers, or the local Group Policy Editor. You can also automate the management of Group Policy using PowerShell. I usually use the GPMC.
To install the GPMC on your Windows 8.1 computer, download and install the Remote Server Administration Tools (RSAT) for Windows 8.1, which you can download here.
To edit Group Policy, you must have Edit permission for the Group Policy Object (GPO). Domain administrators, Enterprise administrators and members of the Group Policy Creator Owners group have permission by default.
When using the local Group Policy Editor, settings for IE can be configured under Computer Configuration | Administrative Templates | Windows Components | Internet Explorer. Here you’ll see Security Features templates, as shown in Figure 5.
Figure 5
Under Security Features, you’ll find settings for Add-on Management, where you can configure a list of add-ons to be allowed or denied by IE, specifying that IE should Deny all add-ons unless specifically allowed in the Add-on List, and a setting to Turn off Adobe Flash in IE and prevent applications from using IE technology to instantiate Flash objects. There are also settings to manage whether processes will respect add-on management user preferences.
Other Security Features settings include those controlling AJAX, Binary Behavior Security Restriction, Consistent MIME handling, Local Machine Lockdown Security, and more as listed in the left pane in the figure above.
There are also many settings in the Computer Configuration | Windows Components | Internet Explorer | Internet Control Panel node that can be used to control settings that impact security. For example, in the Advanced Page folder, you’ll find a policy to prevent ActiveX controls from running in Protected Mode when Enhanced Protected Mode is enabled. This forces all web sites to run in Enhanced Protected Mode, instead of giving users the option to disable EPM for a particular web site if the site attempts to run an ActiveX control that’s not compatible with EPM.
Other useful policies include preventing users from resetting IE settings and preventing users from enabling or disabling add-ons.
You can download a spreadsheet containing references for all the Group Policy administrative templates and explaining what each does from the Microsoft web site
Use PowerShell to manage Group Policy for IE
You can use PowerShell Group Policy cmdlets to automate the same tasks you can perform in the GPMC or local Group Policy Editor. PowerShell cmdlets can be used to create, edit, remove, back up and import GPOs. You can use the GPRegistryValue cmdlets to change registry-based policy settings.
Set-GPRegistryValue is the cmdlet used to configure registry-based policy settings in Computer Configuration or User Configuration nodes of a GPO. You specify the GPO by name or GUID. For information about the syntax and examples of how to use it, see this link.
Summary
In this part 3 of our series on web browser security, we delved into some of the security settings in Internet Explorer and how to configure the browser for best security. Next, we’ll move on to a similar discussion of the Google Chrome and Firefox browsers.
If you would like to read the other parts in this article series please go to
