HOW IT WORKS
Buffer Overflow Attacks
A buffer overflow (also known as a buffer overrun) occurs when an application attempts to store too much data in a buffer, and memory not allocated to the buffer is overwritten. A particularly crafty attacker can even provide data that instructs the operating system to run the attacker’s malicious code with the application’s privileges.
One of the most common types of buffer overflows is the stack overflow. To understand how this attack is used, you must first understand how applications normally store variables and other information on the stack. Figure 20-11 shows a simplified example of how a C console application might store the contents of a variable on the stack. In this example, the string “Hello” is passed to the application and is stored in the variable argv[1]. In the context of a Web browser, the input would be a URL instead of the word “Hello.”
[Figure 20-11 (diagram). The subroutine shown is:
    {
        char buf[10];
        strcpy(buf, input);    /* populate buf from input */
    }
  Stack contents after “Hello” is passed in: variable buf = “Hello” (populated by strcpy),
  variable input = “Hello”, main() return address = 0x00420331]
FIGURE 20-11 A simple illustration of normal stack operations
Notice that the first command-line parameter passed to the application is ultimately copied into a 10-character array named buf. While the program runs, it stores information temporarily on the stack, including the return address where processing should continue after the subroutine has completed and the variable passed to the subroutine. The application works fine when fewer than 10 characters are passed to it. However, passing more than 10 characters will result in a buffer overflow.
Figure 20-12 shows that same application being deliberately attacked by providing input longer than 10 characters. When the line strcpy(buf, input); is run, the application attempts to store the string “hello-aaaaaaaa0066aCB1” into the 10-character array named buf. Because the input is too long, the input overwrites the contents of other information on the stack, including the stored address that the program will use to return control to main(). After the subroutine finishes running, the processor returns to the address stored in the stack. Because it has been modified, execution begins at memory address 0x0066aCB1, where the attacker has presumably stored malicious code. This code will run with the same privilege as the original application; after all, the operating system thinks the application called the code.
[Figure 20-12 (diagram). The same subroutine:
    {
        char buf[10];
        strcpy(buf, input);    /* overflows buf, overwriting input and the return address */
    }
  Stack contents after the oversized input: variable buf and variable input are overwritten with
  “Hello-aaaa aaaaa”, and the main() return address now reads 0x0066ACB1]
FIGURE 20-12 A simplified buffer overflow attack that redirects execution
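The following C program is an added example, not code from the book: it places the unsafe subroutine the text describes next to a version that checks the length of the input before copying it into the 10-character buffer. The names safe_copy and safe_subroutine are this example’s own.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not from the book). Both subroutines copy a command-line
 * argument into a 10-character stack buffer; only the second one checks
 * that the argument fits. */

/* Unsafe: strcpy stops only at the terminating NUL of input, so anything
 * longer than 9 characters spills past buf into whatever the compiler placed
 * next on the stack, including the saved return address. Kept here as the
 * "before" picture that the hardened version below replaces. */
void unsafe_subroutine(const char *input)
{
    char buf[10];
    strcpy(buf, input);          /* no length check: the defect */
    printf("copied: %s\n", buf);
}

/* Bounded copy: refuses input that would not fit (including its NUL) rather
 * than truncating it silently, so the caller sees an error. Returns 0 on
 * success and -1 when the input is too long or dst has no room at all. */
int safe_copy(char *dst, size_t dst_size, const char *input)
{
    size_t len = strlen(input);
    if (dst_size == 0)
        return -1;
    if (len >= dst_size) {       /* len + 1 bytes are needed for the NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, input, len + 1); /* copies the terminator as well */
    return 0;
}

/* Hardened subroutine: same 10-character buffer, but oversize input is
 * rejected before any byte is written. Returns 0 if copied, -1 if rejected. */
int safe_subroutine(const char *input)
{
    char buf[10];
    if (safe_copy(buf, sizeof buf, input) != 0) {
        fprintf(stderr, "rejected %zu-byte input (limit is %zu)\n",
                strlen(input), sizeof buf - 1);
        return -1;
    }
    printf("copied: %s\n", buf);
    return 0;
}

/* Mirrors the book's scenario: the first command-line parameter is the input.
 * "Hello" is accepted; "hello-aaaaaaaa0066aCB1" (22 characters) is refused. */
int main(int argc, char *argv[])
{
    const char *input = argc > 1 ? argv[1] : "Hello";
    return safe_subroutine(input) == 0 ? 0 : 1;
}
```

Run it with the 22-character string from Figure 20-12 as the argument and the hardened path reports a rejection instead of writing past the end of buf; the check `len >= dst_size` is what accounts for the terminator, which is the byte the original code forgets.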
Address Bar Visibility
Attackers commonly rely on misleading users into thinking they are looking at information from a known and trusted source. One way attackers have done this in the past is to hide the true URL information and domain name from users by providing specially crafted URLs that appear to be from different Web sites.
To help limit this type of attack, all Internet Explorer 7 and later browser windows now require an address bar. Attackers often have abused valid pop-up window actions to display windows with misleading graphics and data as a way to convince users to download or install their malware. Requiring an address bar in each window ensures that users always know more about the true source of the information they are seeing.
Cross-Domain Scripting Attack Protection
Cross-domain scripting attacks involve a script from one Internet domain manipulating content from another domain. For example, a user might visit a malicious page that opens a new window containing a legitimate page (such as a banking Web site) and prompts the user to enter account information, which is then extracted by the attacker.
Internet Explorer 7 helps to deter this malicious behavior by appending the domain name from which each script originates and by limiting that script’s ability to interact only with windows and content from that same domain. These cross-domain scripting barriers help ensure that user information remains in the hands of only those to whom the user intentionally provides it. This new control will further protect against malware by limiting the potential for a malicious Web site to manipulate flaws in other Web sites and initiate the download of some undesired content to a user’s computer.
Controlling Browser Add-ons
Browser add-ons can add important capabilities to Web browsers. Unreliable add-ons can also reduce browser stability, however. Even worse, malicious add-ons can compromise private information. Internet Explorer 7 provides several enhancements to give you control over the add-ons run by your users. The sections that follow describe these enhancements.
INTERNET EXPLORER ADD-ONS DISABLED MODE
Internet Explorer 7 includes the No Add-ons mode, which allows Internet Explorer to run temporarily without any toolbars, ActiveX controls, or other add-ons. Functionality in this mode reproduces that of manually disabling all add-ons in the Add-on Manager, and it is very useful if you are troubleshooting a problem that might be related to an add-on.
To disable add-ons using the Add-ons Disabled mode, follow these steps:
1. Open the Start menu and point to All Programs.
2. Point to Accessories, click System Tools, and then click Internet Explorer (No Add-ons).
3. Note the Information bar display in your browser indicating that add-ons are disabled, as shown in Figure 20-13.
FIGURE 20-13 You can disable add-ons to troubleshoot Internet Explorer problems
Running Internet Explorer from the standard Start menu shortcut will return the functionality to its prior state.
ADD-ON MANAGER IMPROVEMENTS
The Add-on Manager provides a simple interface that lists installed add-ons, add-ons that are loaded when Internet Explorer starts, and all add-ons that Internet Explorer has ever used. By reviewing these lists, you can determine which add-ons are enabled or disabled and disable or enable each item by simply clicking the corresponding item.
To disable specific add-ons, follow these steps:
1. In your browser, open the Tools menu, select Manage Add-ons, and then click Enable Or Disable Add-ons.
2. Click the Show list and select the set of add-ons that you want to manage.
3. Select the add-on that you want to disable, as shown in Figure 20-14, and then click Disable.
4. Click OK to close the Manage Add-ons dialog box.
In troubleshooting scenarios, disable add-ons one by one until the problem stops occurring.
CONTROLLING ADD-ONS USING GROUP POLICY
As with earlier versions of Internet Explorer, you can use the Group Policy settings in User Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management to enable or disable specific add-ons throughout your organization.
FIGURE 20-14 The Manage Add-ons dialog box makes it easy to disable problematic add-ons
Protecting Against Data Theft
Most users are unaware of how much personal, traceable data is available with every click of the mouse while they browse the Web. The extent of this information continues to grow as browser developers and Web site operators evolve their technologies to enable more powerful and convenient user features. Similarly, most online users are likely to have trouble discerning a valid Web site from a fake or malicious copy. As described in the following sections, Internet Explorer provides several features to help give users the information they need to determine whether a site is legitimate.
Security Status Bar
Although many users have become quite familiar with Secure Sockets Layer (SSL) and its associated security benefits, a large proportion of Internet users remain overly trusting that any Web site asking for their confidential information is protected. Internet Explorer 7 addresses this issue by providing clear and prominent visual cues to the safety and trustworthiness of a Web site.
Previous versions of Internet Explorer place a gold padlock icon in the lower-right corner of the browser window to designate the trust and security level of the connected Web site. Given the importance and inherent trust value associated with the gold padlock, Internet Explorer 7 and later versions display a Security Status bar at the top of the browser window to highlight such warnings. By clicking this lock, users can quickly view the Web site identification information, as shown in Figure 20-15.
FIGURE 20-15 The gold lock that signifies the use of SSL is now more prominent
In addition, Internet Explorer displays a warning page before displaying a site with an invalid certificate, as shown in Figure 20-16.
FIGURE 20-16 Internet Explorer warns users about invalid certificates
Finally, if a user continues on to visit a site with an invalid certificate, the address bar, shown in Figure 20-17, now appears on a red background.
FIGURE 20-17 The red background leaves no doubt that the site’s SSL certificate has a problem
Phishing—a technique used by many malicious Web site operators to gather personal information—is the practice of masquerading online as a legitimate business to acquire private information, such as social security numbers or credit card numbers. These fake Web sites, designed to look like the legitimate sites, are referred to as spoofed Web sites. The number of phishing Web sites is constantly growing, and the Anti-Phishing Working Group received reports of more than 10,000 different phishing sites in August 2006 that were attempting to hijack 148 different Web sites.
NOTE For more information about the Anti-Phishing Working Group, visit http://www.antiphishing.org/.
Unlike direct attacks, in which attackers break into a system to obtain account information, a phishing attack does not require technical sophistication but instead relies on users willingly divulging information, such as financial account passwords or social security numbers. These socially engineered attacks are among the most difficult to defend against because they require user education and understanding rather than merely issuing an update for an application. Even experienced professionals can be fooled by the quality and details of some phishing Web sites as attackers become more experienced and learn to react more quickly to avoid detection.
HOW THE SMARTSCREEN FILTER WORKS
Phishing and other malicious activities thrive on lack of communication and limited sharing of information. To effectively provide anti-phishing warning systems and protection, the new SmartScreen filter in Internet Explorer 8 consolidates the latest industry information about the ever-growing number of fraudulent Web sites spawned every day in an online service that is updated several times an hour. SmartScreen feeds this information back to warn and help protect Internet Explorer 8 customers proactively.
SmartScreen is designed around the principle that an effective early-warning system must ensure that information is derived dynamically and updated frequently. This system combines client-side scanning for suspicious Web site characteristics with an opt-in Phishing Filter that uses three checks to help protect users from phishing:
• Compares addresses of Web sites a user attempts to visit with a list of reported legitimate sites stored on the user’s computer.
• Analyzes sites that users want to visit by checking those sites for characteristics common to phishing sites.
• Sends Web site addresses to a Microsoft online service for comparison to a frequently updated list of reported phishing sites.
The service checks a requested URL against a list of known, trusted Web sites. If a Web site is a suspected phishing site, Internet Explorer 8 displays a yellow button labeled Suspicious Website in the address bar. The user can then click the button to view a more detailed warning.
If a Web site is a known phishing site, Internet Explorer 8 displays a warning with a red status bar. If the user chooses to ignore the warnings and continue to the Web site, the status bar remains red and prominently displays the Phishing Website message in the address bar, as shown in Figure 20-18.
FIGURE 20-18 Internet Explorer can detect phishing Web sites and warn users before they visit them
Internet Explorer first checks a Web site against a legitimate list (also known as an allow list) of sites stored on your local computer. This legitimate list is generated by Microsoft based on Web sites that have been reported as legitimate. If the Web site is on the legitimate list, the Web site is considered safe, and no further checking is done. If the site is not on the legitimate list or if the site appears suspicious based on heuristics, Internet Explorer can use two techniques to determine whether a Web site might be a phishing Web site:
• Local analysis: Internet Explorer examines the Web page for patterns and phrases that indicate it might be a malicious site. Local analysis provides some level of protection against new phishing sites that are not yet listed in the online list. Additionally, local analysis can help protect users who have disabled online lookup.
• Online lookup: Internet Explorer sends the URL to Microsoft, where it is checked against a list of known phishing sites. This list is updated regularly. When you use SmartScreen to check Web sites automatically or manually (by selecting SmartScreen Filter from the Tools menu and then clicking Check This Website), the address of the Web site you are visiting is sent to Microsoft (specifically, to https://urs.microsoft.com, using TCP port 443), together with some standard information from your computer such as IP address, browser type, and SmartScreen version number. To help protect your privacy, the information sent to Microsoft is encrypted using SSL and is limited to the domain and path of the Web site. Other information that might be associated with the address, such as search terms, data you enter in forms, or cookies, will not be sent.
NOTE Looking up a Web site in the online Phishing Filter can require transferring 8 KB of data or more. Most of the 8 KB is required to set up the encrypted HTTPS connection. The Phishing Filter will send a request only once for each domain you visit within a specific period of time. However, a single Web page can have objects stored on multiple servers, resulting in multiple requests. Requests for different Web pages require separate HTTPS sessions.
For example, if you visit the Bing search Web site at http://www.bing.com and enter MySecret as the search term, instead of sending the full address http://www.bing.com/search?q=MySecret&FORM=QBLH, SmartScreen removes the search term and only sends http://www.bing.com/search. Address strings might unintentionally contain personal information, but this information is not used to identify you or contact you. If users are concerned that an address string might contain personal or confidential information, users should not report the site. For more information, read the Internet Explorer 8 privacy statement at http://www.microsoft.com/windows/internet-explorer/privacy.aspx.
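The following C code is an added example, not Microsoft’s client code: it models the two client-side behaviours described above, trimming an address to scheme, host and path before it leaves the machine, and sending at most one lookup per host within a period. The 30-minute period, the table size and the function names (minimize_url, url_host, should_lookup, prepare_lookup) are this example’s own assumptions; the book does not state the real interval.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Added example (not Microsoft's code). Models two things the text says the
 * SmartScreen client does before an online lookup: strip the query string
 * and fragment from the address, and ask about each host only once per
 * period. */

#define MAX_HOSTS 64
#define PERIOD_SECONDS (30 * 60)   /* assumed; the book names no interval */

/* Keep scheme, host and path; drop everything from the first '?' or '#' on,
 * which is where search terms and other user-entered data normally live.
 * Returns 0 on success, -1 if the result does not fit in out. */
int minimize_url(const char *url, char *out, size_t out_size)
{
    size_t keep = strcspn(url, "?#");
    if (keep >= out_size)
        return -1;
    memcpy(out, url, keep);
    out[keep] = '\0';
    return 0;
}

/* Extract the host from scheme://host[:port]/path. Returns 0 on success,
 * -1 if the string is not shaped like a URL or the host does not fit. */
int url_host(const char *url, char *out, size_t out_size)
{
    const char *h = strstr(url, "://");
    if (h == NULL)
        return -1;
    h += 3;
    size_t len = strcspn(h, "/:?#");
    if (len == 0 || len >= out_size)
        return -1;
    memcpy(out, h, len);
    out[len] = '\0';
    return 0;
}

/* Per-host record of the last lookup sent. */
struct seen { char host[256]; time_t last; };
static struct seen table[MAX_HOSTS];
static size_t table_len;

/* Returns 1 if a lookup for host should be sent at time now (and records it),
 * 0 if one was already sent for this host within PERIOD_SECONDS. */
int should_lookup(const char *host, time_t now)
{
    for (size_t i = 0; i < table_len; i++) {
        if (strcmp(table[i].host, host) == 0) {
            if (now - table[i].last < PERIOD_SECONDS)
                return 0;
            table[i].last = now;
            return 1;
        }
    }
    if (table_len < MAX_HOSTS) {
        snprintf(table[table_len].host, sizeof table[table_len].host, "%s", host);
        table[table_len].last = now;
        table_len++;
    }
    return 1;   /* unknown host, or table full: send the lookup */
}

/* Combines both checks for one navigation. Returns 1 and fills out with the
 * minimized address when a lookup should go out, 0 when the host was checked
 * recently, -1 when url cannot be parsed or out is too small. */
int prepare_lookup(const char *url, time_t now, char *out, size_t out_size)
{
    char host[256];
    if (url_host(url, host, sizeof host) != 0)
        return -1;
    if (!should_lookup(host, now))
        return 0;
    if (minimize_url(url, out, out_size) != 0)
        return -1;
    return 1;
}

/* Walks the book's Bing example: the search term never appears in out. */
int main(void)
{
    char out[512];
    const char *url = "http://www.bing.com/search?q=MySecret&FORM=QBLH";
    int r = prepare_lookup(url, time(NULL), out, sizeof out);
    if (r == 1)
        printf("would send: %s\n", out);   /* http://www.bing.com/search */
    else
        printf("no lookup sent (%d)\n", r);
    return 0;
}
```

The cut at the first `?` or `#` is what keeps form data and search terms off the wire; the per-host table is what limits a page that embeds objects from several servers to one request per server rather than one per object.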
DIRECT FROM THE SOURCE
Real-Time Checking for Phishing Sites
Rob Franco, Lead Program Manager
Federated Identity Group
Readers asked why we decided to use real-time lookups against the anti-phishing server as opposed to an intermittent download list of sites in the way that an antispyware product might. We included real-time checking for phishing sites because it offers better protection than using only static lists and avoids overloading networks.
SmartScreen does have an intermittently downloaded list of “known-safe” sites, but we know phishing attacks can strike quickly and move to new addresses, often within a 24- to 48-hour time period, which is faster than we can practically push out updates to a list of “known-phishing” sites. Even if SmartScreen downloaded a list of phishing sites 24 times a day, you might not be protected against a confirmed, known phishing site for an hour at a time, at any time of day.
Because SmartScreen checks unknown sites in real time, you always have the latest intelligence. Requiring users to constantly download a local list can also cause network scale problems. We think the number of computers that can be used to launch phishing attacks is much higher than the number of spyware signatures that users deal with today. In a scenario in which phishing threats move rapidly, downloading a list of newly reported phishing sites every hour could significantly clog Internet traffic.
Anonymous statistics about your usage will also be sent to Microsoft, such as the time and total number of Web sites browsed since an address was sent to Microsoft for analysis. This information, along with the information described earlier, will be used to analyze the performance and improve the quality of the SmartScreen service. Microsoft will not use the information it receives to personally identify you. Some URLs that are sent may be saved to be included in the legitimate list and then provided as client updates. When saving this information, additional information—including the SmartScreen and operating system version and your browser language—will be saved.
Although the online list of phishing sites is regularly updated, users might find a phishing site that is not yet on the list. Users can help Microsoft identify a potentially malicious site by reporting it. Within Internet Explorer 8, select SmartScreen Filter from the Tools menu and then click Report Unsafe Website. Users are then taken to a simple form they can submit to inform Microsoft of the site.
HOW TO CONFIGURE SMARTSCREEN OPTIONS
To enable or disable SmartScreen, follow these steps:
1. In your browser, open the Tools menu and select Internet Options.
2. In the Internet Options dialog box, click the Advanced tab, scroll down to the Security group in the Settings list, and then select or clear the Enable SmartScreen Filter check box.
You can use the following Group Policy settings to configure whether users need to configure the SmartScreen filter:
• Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Turn Off Managing SmartScreen Filter
• User Configuration\Administrative Templates\Windows Components\Internet Explorer\Turn Off Managing SmartScreen Filter
If you enable the setting, you can choose to enable or disable SmartScreen. Additionally, in the same group, you can enable the Prevent Bypassing SmartScreen Filter Warnings policy.
DIRECT FROM THE SOURCE
Anti-Phishing Accuracy Study
Tony Chor, Group Program Manager
Internet Explorer Product Team
As we worked on the new Phishing Filter in Internet Explorer 7, we knew the key measure would be how effective it is in protecting customers. In addition to our internal tests, we wanted to find some external measure of our progress to date as well as point to ways we could improve. We didn’t know of a publicly available study covering the area, only some internal and media product reviews.
To help us answer this question, we asked 3Sharp LLC to conduct a study of the Phishing Filter in Internet Explorer 7 along with seven other products designed to protect against phishing threats. 3Sharp LLC tested these eight browser-based products to evaluate their overall accuracy in catching 100 live, confirmed phishing Web sites over a six-week period (May through July 2006) and also to understand the false-positive error rate on 500 good sites. We were pleased to see that the Phishing Filter in Internet Explorer 7 finished at the top of 3Sharp’s list as the most accurate anti-phishing technology, catching nearly 9 of 10 phishing sites while generating no warning or block errors on the 500 legitimate Web sites tested.
It’s great to see so many companies looking for different ways to address the significant problem of phishing. We think that the results reported by 3Sharp validate the unique approach we’ve taken of combining a service-backed block list with client-side heuristics. That said, we understand that the threat posed by phishing is constantly evolving, as are the tools designed to protect users. This set of results represents only the relative performance during that period. We know we need to keep working to keep up with the changes in the attacks, and we are already using the results of this test to further improve the efficacy of the Phishing Filter.
Deleting Browsing History
Browsers store many traces of the sites users visit, including cached copies of pages and images, passwords, and cookies. If a user is accessing confidential information or authenticated Web sites from a shared computer, another user of that computer might be able to use the stored copies of the Web site to access private data. To simplify removing these traces, Internet Explorer 7 provides a Delete Browsing History option that allows users to initiate cleanup with one button, easily and instantly erasing personal data.
To delete your browsing history, follow these steps:
1. In your browser, open the Tools menu and select Internet Options.
2. In the Internet Options dialog box on the General tab, click Delete in the Browsing History group.
3. In the Delete Browsing History dialog box, shown in Figure 20-19, select only the objects you need to remove.
FIGURE 20-19 The Delete Browsing History dialog box provides a single interface for removing confidential remnants from browsing the Web
If you don’t want users to be able to delete their browsing history, form data, or passwords, you can enable the Group Policy settings located in both Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Delete Browsing History and User Configuration\Administrative Templates\Windows Components\Internet Explorer\Delete Browsing History.
Blocking IDN Spoofing
Look-alike attacks (sometimes called homograph attacks) are possible within the ASCII character set. For example, www.alpineskihouse.com would be a valid name for Alpine Ski House, but www.a1pineskihouse.com would be easily mistaken for the valid name—even though the lowercase L has been replaced with the number 1. However, with International Domain Name (IDN), the character repertoire expands from a few dozen characters to many thousands of characters from all the world’s languages, thereby increasing the attack surface for spoofing attacks immensely.
The design of the anti-spoofing mitigation for IDN aims to:
• Reduce the attack surface
• Treat Unicode domain names fairly
• Offer a good user experience for users worldwide
• Offer simple, logical options with which the user can fine-tune the IDN experience
One of the ways Internet Explorer reduces this risk is by using Punycode. Punycode, as defined in RFC 3492, converts Unicode domain names into a limited character set. With Punycode, the domain name soüth.contoso.com (which might be used to impersonate south.contoso.com) becomes soth-kva.contoso.com. There is little doubt that showing the Punycode form leaves no ground for spoofing using the full range of Unicode characters. However, Punycode is not very user friendly.
Given these considerations, Internet Explorer 7 and later versions impose restrictions on the character sets allowed to be displayed inside the address bar. These restrictions are based on the user’s configured browser-language settings. Using APIs from Idndl.dll, Internet Explorer will detect which character sets are used by the current domain name. If the domain name contains characters outside the user’s chosen languages, it is displayed in Punycode form to help prevent spoofing.
A domain name is displayed in Punycode if any of the following are true:
• The domain name contains characters that are not a part of any language (such as www com).
• Any of the domain name’s labels contains a mix of scripts that do not appear together within a single language. For instance, Greek characters cannot mix with Cyrillic within a single label.
• Any of the domain name’s labels contain characters that appear only in languages other than the user’s list of chosen languages. Note that ASCII-only labels are always permitted for compatibility with existing sites. A label is a segment of a domain name, delimited by dots. For example, www.microsoft.com contains three labels: www, microsoft, and com. Different languages are allowed to appear in different labels as long as all the languages are in the list chosen by the user. This approach is used to support domain names such as name.contoso.com, where contoso and name are composed of different languages.
Whenever Internet Explorer 7 and later versions prevent an IDN domain name from displaying in Unicode, an Information bar notifies the user that the domain name contains characters that Internet Explorer is not configured to display. It is easy to use the IDN Information bar to add additional languages to the allow list. By default, the user’s list of languages will usually contain only the currently configured Microsoft Windows language.
The language-aware mitigation does two things:
• It disallows nonstandard combinations of scripts from being displayed inside a label. This takes care of attacks such as http://bank.contoso.com, which appears to use a single script but actually contains two scripts. That domain name will always be displayed as http://xn--bnk-sgz.contoso.com because two scripts (Cyrillic and Latin) are mixed inside a label. This reduces the attack surface to single-language attacks.
• It further reduces the attack surface for single-language attacks to only those users who have chosen to permit the target language.
Users who allow Greek in their language settings, for example, are as susceptible to Greek-only spoofs as the population using English is susceptible to pure ASCII-based spoofs. To protect against such occurrences, the Internet Explorer 7 Phishing Filter monitors both Unicode and ASCII URLs. If the user has opted in to the Phishing Filter, a real-time check is performed during navigation to see whether the target domain name is a reported phishing site. If so, navigation is blocked. For additional defense-in-depth, the Phishing Filter Web service can apply additional heuristics to determine whether the domain name is visually ambiguous. If so, the Phishing Filter will warn the user via the indicator in the Internet Explorer address bar. Whenever a user is viewing a site addressed by an IDN, an indicator will appear in the Internet Explorer Address bar to notify the user that IDN is in use. The user can click the IDN indicator to view more information about the current domain name. Users who do not want to see Unicode addresses may select the Always Show Encoded Addresses check box on the Advanced tab of the Internet Options dialog box.
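The following C function is an added example and not the Idndl.dll logic: it applies the three display rules listed above to a UTF-8 domain name and answers whether the name may be shown in Unicode or must be shown in its encoded (Punycode) form. The script tables cover only Latin, Greek and Cyrillic, the user’s chosen languages are represented as a bitmask of permitted scripts, and the names (domain_displayable, label_displayable, classify, utf8_next) are this example’s own; the Punycode conversion itself is not included.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not Microsoft's Idndl.dll logic). Decides, label by label,
 * whether a UTF-8 domain name may be displayed in Unicode or must be shown
 * in its encoded form, following the three rules the text lists. Only
 * Latin, Greek and Cyrillic are modelled; everything else counts as
 * "not part of any language". */

enum script { SC_COMMON, SC_LATIN, SC_GREEK, SC_CYRILLIC, SC_NONE };

/* The user's chosen languages, expressed as a bitmask of permitted scripts. */
#define ALLOW(s) (1u << (s))

/* Decode one UTF-8 sequence at *p and advance *p. Returns the code point,
 * or -1 (without advancing) on a malformed or truncated sequence. */
static long utf8_next(const unsigned char **p)
{
    const unsigned char *s = *p;
    long cp;
    int extra;
    if (s[0] < 0x80)                { cp = s[0];        extra = 0; }
    else if ((s[0] & 0xE0) == 0xC0) { cp = s[0] & 0x1F; extra = 1; }
    else if ((s[0] & 0xF0) == 0xE0) { cp = s[0] & 0x0F; extra = 2; }
    else if ((s[0] & 0xF8) == 0xF0) { cp = s[0] & 0x07; extra = 3; }
    else return -1;
    for (int i = 1; i <= extra; i++) {
        if ((s[i] & 0xC0) != 0x80)
            return -1;            /* a '.', NUL or other byte cut the sequence short */
        cp = (cp << 6) | (s[i] & 0x3F);
    }
    *p = s + 1 + extra;
    return cp;
}

/* Coarse script classification by code point range (approximate on purpose). */
static enum script classify(long cp)
{
    if ((cp >= 'a' && cp <= 'z') || (cp >= 'A' && cp <= 'Z')) return SC_LATIN;
    if ((cp >= '0' && cp <= '9') || cp == '-')                 return SC_COMMON;
    if (cp >= 0x00C0 && cp <= 0x024F && cp != 0x00D7 && cp != 0x00F7)
        return SC_LATIN;          /* Latin-1 letters, Latin Extended-A/B */
    if (cp >= 0x0370 && cp <= 0x03FF) return SC_GREEK;
    if (cp >= 0x0400 && cp <= 0x04FF) return SC_CYRILLIC;
    return SC_NONE;               /* symbols, unmodelled scripts */
}

/* One label (the text between dots). Returns 1 if it may be shown in Unicode. */
static int label_displayable(const char *label, size_t len, unsigned allowed)
{
    const unsigned char *p = (const unsigned char *)label, *end = p + len;
    unsigned seen = 0;
    int ascii_only = 1;
    while (p < end) {
        long cp = utf8_next(&p);
        if (cp < 0)
            return 0;             /* malformed bytes are not any language */
        if (cp >= 0x80)
            ascii_only = 0;
        enum script s = classify(cp);
        if (s == SC_NONE)
            return 0;             /* rule 1: character belongs to no language */
        if (s != SC_COMMON)
            seen |= ALLOW(s);
    }
    if (seen & (seen - 1))
        return 0;                 /* rule 2: two or more scripts mixed in one label */
    if (ascii_only)
        return 1;                 /* ASCII-only labels are always permitted */
    return (seen & ~allowed) == 0; /* rule 3: script must be on the user's list */
}

/* Whole name: Unicode only if every label passes; otherwise show encoded. */
int domain_displayable(const char *name, unsigned allowed)
{
    const char *start = name;
    for (;;) {
        const char *dot = strchr(start, '.');
        size_t len = dot ? (size_t)(dot - start) : strlen(start);
        if (!label_displayable(start, len, allowed))
            return 0;
        if (dot == NULL)
            return 1;
        start = dot + 1;
    }
}

int main(void)
{
    /* Constructed names: a Latin-only user sees the first in Unicode, while
     * "b\xd0\xb0nk" (a Cyrillic letter among Latin ones) is forced to encoded form. */
    unsigned latin_user = ALLOW(SC_LATIN);
    printf("%d\n", domain_displayable("b\xc3\xbc" "cher.example", latin_user));
    printf("%d\n", domain_displayable("b\xd0\xb0nk.contoso.com", latin_user));
    return 0;
}
```

Note that a mixed-script label is rejected regardless of the allowed set, which is the first of the two things the text says the mitigation does, while a single-script label is rejected only when that script is missing from the user’s list, which is the second.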
Security Zones
Web applications are capable of doing almost anything a standard Windows application can do, including interacting with the desktop, installing software, and changing your computer’s settings. However, if Web browsers allowed Web sites to take these types of actions, some Web sites would abuse the capabilities to install malware or perform other malicious acts on computers.
To reduce this risk, Internet Explorer limits the actions that Web sites on the Internet can take. However, these limitations can cause problems for Web sites that legitimately need elevated privileges. For example, your users might need to visit an internal Web site that uses an unsigned ActiveX control. Enabling unsigned ActiveX controls for all Web sites is very dangerous, however.
Understanding Zones
To provide optimal security for untrusted Web sites while allowing elevated privileges for trusted Web sites, Internet Explorer provides multiple security zones:
• Internet: All Web sites that are not listed in the trusted or restricted zones. Sites in this zone are restricted from viewing private information on your computer (including cookies or temporary files from other Web sites) and cannot make permanent changes to your computer.
• Local Intranet: Web sites on your intranet. Internet Explorer can detect automatically whether a Web site is on your intranet. Additionally, you can add Web sites manually to this zone.
• Trusted Sites: Web sites that administrators have added to the Trusted Sites list because they require elevated privileges. Trusted Sites do not use Protected Mode, which could introduce security weaknesses. Therefore, you need to select the Web sites added to the Trusted Sites zone carefully. You don’t need to add all sites you trust to this zone; instead, you should add only sites that you trust and that cannot work properly in the Internet or intranet zones. By default, this zone is empty.
• Restricted Sites: Web sites that might be malicious and should be restricted from performing any potentially dangerous actions. You need to use this zone only if you plan to visit a potentially malicious Web site and you need to minimize the risk of a security compromise. By default, this zone is empty.
NOTE When moving from a trusted site to an untrusted site or vice versa, Internet Explorer warns the user and opens a new window. This reduces the risk of users accidentally trusting a malicious site.
Configuring Zones on the Local Computer
You can configure the exact privileges assigned to each of these security zones by following these steps:
1. Select Internet Options from the Tools menu.
2. In the Internet Options dialog box, click the Security tab.
3. Click the zone you want to modify. In the Security Level For This Zone group, move the slider up to increase security and decrease risks, or move the slider down to increase privileges and increase security risks for Web sites in that zone. For more precise control over individual privileges, click Custom Level. To return to the default settings, click Default Level.
4. Click OK to apply your settings.
NOTE Application developers can use the IInternetSecurityManager::SetZoneMapping() method to add sites to specific security zones.
To configure the Web sites that are part of the Local Intranet, Trusted Sites, or Restricted Sites zone, follow these steps:
1. In Internet Explorer, visit the Web page that you want to configure.
2. Select Internet Options from the Tools menu.
3. In the Internet Options dialog box, click the Security tab.
4. Click the zone you want to modify and then click Sites.
5. If you are adding sites to the Local Intranet zone, click Advanced.
6. If you are adding a site to the Trusted Sites zone and the Web site does not support HTTPS, clear the Require Server Verification (HTTPS:) For All Sites In This Zone check box.
7. Click Add to add the current Web site to the list of Trusted Sites. Then click Close.
8. Click OK to close the Internet Options dialog box. Then close Internet Explorer, reopen it, and visit the Web page again. If the problem persists, repeat these steps to remove the site from the Trusted Sites zone. Continue reading this section for more troubleshooting guidance.
You need to add sites to a zone only if they cause problems in their default zone. For more information, read the section titled “Troubleshooting Internet Explorer Problems” later in this chapter.
Configuring Zones Using Group Policy
To manage security zones in an enterprise, use the Group Policy settings located at
\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel
\Security Page under both Computer Configuration and User Configuration Using these tings, you can configure the exact rights applied to each zone To assign a standard security level (Low, Medium Low, Medium, Medium High, or High) to a zone, enable one of the fol-lowing settings:
set-n Internet Zone Template
n Intranet Zone Template
n Local Machine Zone Template
n Restricted Sites Zone Template
n Trusted Sites Zone Template
If none of the standard security levels provides the exact security settings you need, you can edit the individual settings in the appropriate zone’s node within the Security Page node. In particular, notice the Turn On Protected Mode setting located in each zone’s node, which controls whether Internet Explorer runs with reduced privileges for sites in that zone.
To specify that a URL is part of a specific zone, enable the Site To Zone Assignment List setting in the Security Page node. After you have enabled the setting, you can assign a URL (entered in the Value Name field, with an optional protocol) to a specific zone (entered in the Value field) using the zone’s number:
- 1: Local Intranet zone
- 2: Trusted Sites zone
- 3: Internet zone
- 4: Restricted Sites zone
For example, Figure 20-20 shows the Group Policy setting configured to place any requests to contoso.com (regardless of the protocol) in the Restricted Sites zone (a value of 4). Requests to www.fabrikam.com, using either HTTP or HTTPS, are placed in the Intranet zone (a value of 1). HTTPS requests to www.microsoft.com are placed in the Trusted Sites zone (a value of 2). In addition to domain names, you can specify IP addresses, such as 192.168.1.1, or IP address ranges, such as 192.168.1.1-192.168.1.200.
Figure 20-20 Use the Site To Zone Assignment List setting to override security zone assignment for specific URLs.
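The zone assignments described above, both the per-user list that the Sites dialog writes and the list that the Site To Zone Assignment List policy writes, end up as registry values, and reading those values is the quickest way to confirm what a computer actually applies. The following PowerShell is an added example, not code from the book or from Microsoft: it writes the Figure 20-20 mapping as policy values, reads back every assignment from both the policy and the per-user list, and reports the Protected Mode state of each zone. The registry locations and the value name 2500 for Protected Mode are assumptions stated in the header comment; it also assumes Windows PowerShell 3.0 or later.

```powershell
# Added example, not code from the book: write and audit the registry values behind the
# zone settings described above. Assumptions: the Site To Zone Assignment List policy is
# stored as REG_SZ values (name = URL, data = zone number) under
# SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey, switched
# on by the DWORD ListBox_Support_ZoneMapKey = 1 in the parent key; the per-zone Protected
# Mode switch is the DWORD named 2500 (0 = on, 3 = off). Sites are the book's Figure 20-20
# examples. Run elevated to write under HKLM; requires Windows PowerShell 3.0 or later.

$ZoneNames  = @{ 0 = 'Local Machine'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$PolicyBase = 'SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$PSNoise    = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'   # provider properties to skip

function Set-IESiteToZone {
    # $Assignments: @{ 'contoso.com' = 4; 'https://www.microsoft.com' = 2 }  (URL with optional scheme -> zone 1-4)
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][hashtable]$Assignments,
        [ValidateSet('HKLM', 'HKCU')][string]$Hive = 'HKLM'   # HKLM = Computer Configuration, HKCU = User Configuration
    )
    $parent = "$($Hive):\$PolicyBase"
    $key    = "$parent\ZoneMapKey"
    foreach ($site in $Assignments.Keys) {
        $zone = [int]$Assignments[$site]
        if ($zone -notin 1..4) { throw "Zone $zone for '$site' must be 1 (Intranet), 2 (Trusted), 3 (Internet) or 4 (Restricted)" }
        if ($PSCmdlet.ShouldProcess($site, "Assign to zone $zone ($($ZoneNames[$zone]))")) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }   # also creates the parent key
            Set-ItemProperty -Path $parent -Name ListBox_Support_ZoneMapKey -Value 1 -Type DWord
            New-ItemProperty -Path $key -Name $site -Value "$zone" -PropertyType String -Force | Out-Null
        }
    }
}

function Get-IESiteToZone {
    # Policy-driven assignments from both hives (what a GPO or Set-IESiteToZone wrote).
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "$($hive):\$PolicyBase\ZoneMapKey"
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -in $PSNoise) { continue }
            [pscustomobject]@{ Source = "$hive policy"; Site = $p.Name; Zone = [int]$p.Value; ZoneName = $ZoneNames[[int]$p.Value] }
        }
    }
    # Per-user assignments made through Internet Options > Security > Sites. Each DNS label is a
    # nested subkey (Domains\fabrikam.com\www); each value is a scheme ('http', 'https' or '*')
    # holding the zone as a DWORD. IP ranges live under ZoneMap\Ranges and are not listed here.
    $domains = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    if (Test-Path $domains) {
        foreach ($k in Get-ChildItem -Path $domains -Recurse) {
            $labels = ($k.Name -split '\\Domains\\', 2)[1] -split '\\'
            [array]::Reverse($labels)
            $hostName = $labels -join '.'
            foreach ($p in (Get-ItemProperty -Path $k.PSPath).PSObject.Properties) {
                if ($p.Name -in $PSNoise) { continue }
                [pscustomobject]@{ Source = 'HKCU user list'; Site = "$($p.Name)://$hostName"; Zone = [int]$p.Value; ZoneName = $ZoneNames[[int]$p.Value] }
            }
        }
    }
}

function Get-IEProtectedMode {
    # Reports the Protected Mode switch for zones 1-4; a policy value, if present, wins over the user value.
    foreach ($zone in 1..4) {
        $userKey = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone"
        $value = $null; $source = 'not set'
        foreach ($candidate in @("HKLM:\$PolicyBase\Zones\$zone", "HKCU:\$PolicyBase\Zones\$zone", $userKey)) {
            $item = Get-ItemProperty -Path $candidate -Name '2500' -ErrorAction SilentlyContinue
            if ($null -ne $item) { $value = $item.'2500'; $source = $candidate; break }
        }
        $state = if ($value -eq 0) { 'On' } elseif ($value -eq 3) { 'Off' } else { 'NotSet' }
        [pscustomobject]@{ Zone = $zone; ZoneName = $ZoneNames[$zone]; ProtectedMode = $state; Source = $source }
    }
}

# Usage: apply the Figure 20-20 mapping (add -WhatIf to preview the registry writes), then audit.
Set-IESiteToZone -Assignments @{
    'contoso.com'               = 4   # any scheme -> Restricted Sites
    'http://www.fabrikam.com'   = 1   # HTTP and HTTPS -> Local Intranet
    'https://www.fabrikam.com'  = 1
    'https://www.microsoft.com' = 2   # HTTPS only -> Trusted Sites
}
Get-IESiteToZone    | Format-Table Source, Site, Zone, ZoneName -AutoSize
Get-IEProtectedMode | Format-Table -AutoSize
```

Run Get-IESiteToZone on a client before changing anything: entries in the per-user list that nobody added, especially in zone 2 (Trusted Sites), deserve a look, because a trusted-zone entry relaxes the security settings Internet Explorer applies to that site, and Get-IEProtectedMode shows whether a zone is running with Protected Mode off.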
Network Protocol Lockdown
Sometimes you might want to apply different security settings to specific protocols within a zone. For example, you might want to configure Internet Explorer to lock down HTML content hosted on the Shell: protocol if it is in the Internet zone. Because the Shell: protocol’s most common use is for local content rather than Internet content, this mitigation reduces the attack surface of the browser against possible vulnerabilities in protocols that are used less commonly than HTTP.
By default, Network Protocol Lockdown is not enabled, and this default is sufficient for most environments. If you choose to create a highly restrictive desktop environment, you might want to use Network Protocol Lockdown to mitigate security risks. Configuring Network Protocol Lockdown is a two-phase process:
- Configure the protocols that will be locked down for each zone. Enable the Group Policy setting for the appropriate zone and specify the protocols that you want to lock down. The Group Policy settings are located in both User Configuration and Computer Configuration under Administrative Templates\Windows Components\Internet Explorer\Security Features\Network Protocol Lockdown\Restricted Protocols Per Security Zone.
- Configure the security settings for the locked-down zones. Enable the Group Policy setting for the zone and specify a restrictive template or configure individual security settings. The Group Policy settings are located in both User Configuration and Computer Configuration under Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page, in the Locked-Down node for each zone (for example, Locked-Down Internet Zone).
Managing Internet Explorer Using Group Policy
Internet Explorer has hundreds of settings, and the only way to manage it effectively in an enterprise environment is to use the more than 1,300 settings that Group Policy provides. Besides the security settings discussed earlier in this chapter, you can use dozens of other Group Policy settings to configure almost any aspect of Internet Explorer. The sections that follow describe Group Policy settings that apply to Internet Explorer 7 (which also apply to Internet Explorer 8), as well as those that apply only to Internet Explorer 8.
Group Policy Settings for Internet Explorer 7 and Internet Explorer 8
Table 20-2 shows some examples of the more useful settings that apply to both Internet Explorer 7 and Internet Explorer 8. Settings marked as CC can be found at Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\. Settings marked as UC can be found at User Configuration\Administrative Templates\Windows Components\Internet Explorer\.
TABLE 20-2 Group Policy Settings for Internet Explorer 7 and Internet Explorer 8
(In the CC UC column, ✓ ✓ means the setting appears under both Computer Configuration and User Configuration; a single ✓ means it appears under only one of them.)

SETTING | CC UC | DESCRIPTION
Add A Specific List Of Search Providers To The User’s Search Provider List | ✓ ✓ | With the help of custom registry settings or a custom administrative template, you can configure custom search providers that will be accessible from the Search toolbar.
Turn Off Crash Detection | ✓ ✓ | Allows you to disable Crash Detection, which automatically disables problematic add-ons. Enable this setting only if you have an internal add-on that is unreliable but still required.
Do Not Allow Users To Enable Or Disable Add-ons | ✓ ✓ | Enable this setting to disable the Add-on Manager.
Turn On Menu Bar By Default | ✓ ✓ | By default, Internet Explorer 7 does not display a menu bar. Users can display the menu bar by pressing the Alt key. Enable this setting to display the menu bar by default.
Disable Caching Of Auto-Proxy Scripts | ✓ | If you use scripts to configure proxy settings, you can use this setting if you experience problems with script caching.
Disable External Branding Of Internet Explorer | ✓ | Prevents the customization of logos and title bars in Internet Explorer and Microsoft Office Outlook Express. This custom branding often occurs when users install software from an Internet service provider.
Disable Changing Advanced Page Settings | ✓ | Enable this policy to prevent users from changing security, multimedia, and printing settings from the Internet Options Advanced tab.
Customize User Agent String | ✓ ✓ | Changes the user-agent string, which browsers use to identify the specific browser type and version to Web servers.
Use Automatic Detection For Dial-Up Connections | ✓ | Disabled by default. You can enable this policy setting to allow Automatic Detection to use a Dynamic Host Configuration Protocol (DHCP) or Domain Name System (DNS) server to customize the browser the first time it starts.
Move The Menu Bar Above The Navigation Bar | ✓ | Enable this policy setting to control the placement of the menu bar. If you don’t set this, users can configure the location of the menu bar relative to the navigation bar by dragging it.
Turn Off Managing Pop-Up Filter Level | ✓ ✓ | Use this setting to configure whether users can set the Pop-up Filter level. You can’t set the Pop-up Filter level directly with this setting; you can only define whether or not users can manage the setting.
Turn Off The Security Settings Check Feature | ✓ ✓ | By default, Internet Explorer will warn users if settings put them at risk. If you configure settings in such a way that Internet Explorer would warn the users, enable this setting to prevent the warning from appearing.
Turn On Compatibility Logging | ✓ ✓ | Enable this setting to log the details of requests that Internet Explorer blocks. Typically, you need to enable this setting only when actively troubleshooting a problem with a Web site.
Enforce Full Screen Mode | ✓ ✓ | Enable this policy only if using a computer as a Web-browsing kiosk.
Configure Media Explorer Bar | ✓ | Enable this policy if you want to be able to disable the Media Explorer Bar. The Media Explorer Bar plays music and video content from the Internet. Keep in mind that multimedia content is used for legitimate, business-related Web sites more and more often, including replaying meetings and webcasts.
Prevent The Internet Explorer Search Box From Displaying | ✓ | Enable this policy to hide the search box.
Restrict Changing The Default Search Provider | ✓ ✓ | Enable this policy to force users to use the search provider you configure.
Pop-Up Allow List | ✓ ✓ | Enable this policy and specify a list of sites that should allow pop-ups if you have internal Web sites that require pop-up functionality.
Prevent Participation In The Customer Experience Improvement Program | ✓ ✓ | Microsoft uses the Customer Experience Improvement Program (CEIP) to gather information about how users work with Internet Explorer. If you enable this policy, CEIP will not be used. In some organizations, you might need to disable CEIP to meet confidentiality requirements. If you disable this policy, CEIP will always be used. For more information about CEIP, visit
With the policy settings located in Administrative Templates\Windows Components\Internet Explorer\Application Compatibility (within both User Configuration and Computer Configuration), you can control cut, copy, and paste operations for Internet Explorer. Typically, you do not need to modify these settings.
With the policy settings located in Administrative Templates\Windows Components\Internet Explorer\Browser Menus (within both User Configuration and Computer Configuration), you can disable specific menu items.
With the policy settings located in Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel (within both User Configuration and Computer Configuration), you can disable specific aspects of the Internet Options dialog box, including individual tabs and settings. Change these settings if you want to prevent users from easily modifying important Internet Explorer settings. This will disable the user interface only and will not prevent users from directly changing registry values.
With the policy settings located in Administrative Templates\Windows Components\Internet Explorer\Internet Settings (within both User Configuration and Computer Configuration), you can configure user interface elements, including AutoComplete, image resizing, smooth scrolling, link colors, and more. You need to change these settings only if one of the default settings proves problematic in your environment.
With the policy settings located in Administrative Templates\Windows Components\Internet Explorer\Offline Pages (within both User Configuration and Computer Configuration), you can disable different aspects of offline pages, which allow users to keep a copy of Web pages for use while disconnected from a network. Typically, you do not need to change these settings.
With the policy settings located in Administrative Templates\Windows Components\Internet Explorer\Persistence Behavior (within both User Configuration and Computer Configuration), you can configure maximum amounts for Dynamic HTML (DHTML) Persistence storage on a per-zone basis. Typically, you do not need to change these settings.
With the policy settings located in Administrative Templates\Windows Components\Internet Explorer\Security Features (within both User Configuration and Computer Configuration), you can configure all aspects of Internet Explorer security.
With the policy settings located in Administrative Templates\Windows Components\Internet Explorer\Toolbars (within both User Configuration and Computer Configuration), you can configure toolbar buttons and disable user customization of these buttons. Users will probably be most familiar with the default button configuration. However, you can modify the default settings to better suit your environment.
New Group Policy Settings for Internet Explorer 8
Table 20-3 shows some examples of the more useful settings that apply only to Internet Explorer 8. Settings marked as CC can be found at Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\. Settings marked as UC can be found at User Configuration\Administrative Templates\Windows Components\Internet Explorer\.
TABLE 20-3 New Group Policy Settings for Internet Explorer 8
(✓ ✓ in the CC UC column means the setting appears under both Computer Configuration and User Configuration.)

SETTING | CC UC | DESCRIPTION
Accelerators\Turn Off Accelerators | ✓ ✓ | Enable this policy setting to disable Accelerators.
Deploy Non-Default Accelerators | ✓ ✓ | Enable this policy setting to deploy custom Accelerators.
Turn Off Reopen Last Browsing Session | ✓ ✓ | If Internet Explorer crashes, it prompts the user to reopen any tabs the next time the user opens it. Enable this policy to disable that behavior and always open with a single blank tab.
Compatibility View\Turn On Internet Explorer 7 Standards Mode and Turn On Internet Explorer 7 Standards Mode For Local Intranet | ✓ ✓ | Use these two policies to enable Internet Explorer 7 Standards Mode on either the Internet or your intranet. Standards Mode configures Internet Explorer 8 to identify itself as Internet Explorer 7 to Web servers, and the policies cause Internet Explorer to render Web pages similar to pages in Internet Explorer 7.
Compatibility View\Turn Off Compatibility View | ✓ ✓ | Turning on this policy prevents users from accessing Compatibility View.
Turn Off Data Execution Prevention | ✓ ✓ | Data Execution Prevention (DEP) can cause problems with some Web applications. If you discover that DEP causes an important application to fail, you should attempt to fix the bug in the application. In the meantime, you can enable this policy to allow the application to function without being terminated by DEP. Because this removes an exploit mitigation for every site the browser visits, treat it as a temporary workaround.
Prevent Deleting Web Sites That The User Has Visited, Prevent Deleting Temporary Internet Files, Prevent Deleting Cookies, Prevent Deleting InPrivate Blocking Data, Configure Delete Browsing History On Exit | ✓ ✓ | These policies give you control over the user’s browsing history. You can configure these policies to prevent users from clearing their history to make it easier to monitor user activity. Alternatively, you can configure the history to be deleted automatically if you would rather not store browsing history.
Configure New Tab Default Behavior | ✓ ✓ | Enable this policy to choose whether a new tab displays a blank page, the user’s home page, or the standard new tab page.
Turn Off Windows Search AutoComplete | ✓ ✓ | When a user begins typing in a search box, AutoComplete provides a list of the user’s previous searches. While this can save the user from retyping searches, it might inadvertently reveal something the user has searched for while a coworker is nearby or during a presentation.
InPrivate\Turn Off InPrivate Browsing | ✓ ✓ | Enable this policy to prevent users from accessing InPrivate Browsing mode.
Using the Internet Explorer Administration Kit
Internet Explorer has dozens of settings. To simplify the process of configuring and customizing Internet Explorer for your organization and to add custom features, you can use the Internet Explorer Administration Kit (IEAK).
IEAK allows you to:
- Establish version control across your organization
- Distribute and manage browser installations centrally
- Configure automatic connection profiles for users’ computers
- Customize virtually any aspect of Internet Explorer, including home pages, search engines, RSS feeds, favorites, toolbar buttons, Accelerators, security, communications settings, and other important elements
Naturally, you can also use Group Policy settings to configure each of these settings. In Active Directory Domain Services (AD DS) environments, configuring Group Policy is more efficient than using IEAK. IEAK is extremely useful for configuring workgroup computers, however, and nothing prevents you from using IEAK to help deploy Internet Explorer in AD DS environments.
You can download IEAK from Microsoft at http://technet.microsoft.com/en-us/ie/bb219517.aspx. After installing IEAK, start the Customization Wizard by clicking Start, pointing to All Programs, clicking Windows IEAK 8, and then clicking Internet Explorer Customization Wizard. The wizard prompts you for detailed information about your organization and how you want to configure Internet Explorer. Most of the wizard pages are self-explanatory. The following pages deserve some extra explanation:
- Media Selection: On this page, if you are deploying the settings only to Windows Vista or later computers, you can create a Configuration-Only Package. Select CD-ROM or File if you also need to deploy Internet Explorer 8 to earlier versions of Windows.
- Additional Settings: The Control Management settings do not apply to Windows Vista and later operating systems. Instead, use the Group Policy settings located in Administrative Templates\Windows Components\Internet Explorer\Administrator Approved Controls (within both User Configuration and Computer Configuration) to enable or disable specific controls throughout your organization.
After you complete the wizard, it saves your settings to the location you specify. You can edit them later using the IEAK 8 Profile Manager. This is useful if you need to make several slightly different variations of your Internet Explorer customizations.
Troubleshooting Internet Explorer Problems
Because Web pages are complex and change frequently, you might occasionally have problems using Internet Explorer. The sections that follow provide troubleshooting guidance for the following types of problems:
- Internet Explorer does not start
- An add-on does not work properly
- Some Web pages do not display properly
- An unwanted toolbar appears
- The home page or other settings have changed
Note: If you need to study the communications between Internet Explorer and a Web site, try Fiddler. Fiddler analyzes Web communications and is much easier to understand than Network Monitor. For more information about Fiddler (a free download), visit http://www.fiddlertool.com/fiddler.
Internet Explorer Does Not Start
If Internet Explorer does not start, or starts but appears to be frozen, the problem is likely caused by a problematic add-on. Often, you can simply terminate the Internet Explorer process (Iexplore.exe) with Task Manager and restart Internet Explorer. If restarting Internet Explorer does not solve the problem, start Internet Explorer in No Add-ons mode, as described in the section titled “Internet Explorer Add-ons Disabled Mode” earlier in this chapter.
An Add-on Does Not Work Properly
Occasionally, a Web page might require you to have a specific add-on. If the Web page displays a message indicating that you need to install the add-on, consider the security risks carefully before installing it: an add-on runs inside the browser with the browser’s privileges, so install only add-ons whose publisher and source you can verify.
If the page continues to display improperly after you install the add-on, the add-on might be disabled. Users can disable add-ons manually, or Internet Explorer might disable a problematic add-on automatically. To enable an add-on, follow these steps:
1. In your browser, open the Tools menu, select Manage Add-ons, and then click Enable Or Disable Add-ons.
2. Click the Show list and then click Add-ons That Have Been Used By Internet Explorer.
3. Select the add-on that you need to enable and then click Enable.
4. Click OK.
If the add-on later becomes disabled again, Internet Explorer probably disabled it because it is crashing. Visit the add-on developer’s Web site and download the latest version; an update might be available that solves the problem. If no update is available or the problem persists, you can prevent Internet Explorer from disabling the add-on automatically. To disable Crash Detection, enable the Turn Off Crash Detection Group Policy setting in either Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\ or User Configuration\Administrative Templates\Windows Components\Internet Explorer\. If the problem occurs on a single computer, edit the setting in local Group Policy. If the problem occurs on all computers in a domain, edit the domain Group Policy settings. Turning off Crash Detection keeps a faulty add-on loaded in the browser, so treat it as a stopgap and apply it only in the case Table 20-2 describes: an internal add-on that is unreliable but still required.
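Because the troubleshooting steps above hinge on identifying which add-on is at fault, an inventory of the add-ons registered to load into Iexplore.exe, with the DLL and signature behind each, is a useful companion to the Manage Add-ons dialog and also covers the “unwanted toolbar” case listed earlier. The following PowerShell is an added example, not code from the book or from Microsoft: it enumerates Browser Helper Objects and toolbars from the registry, resolves each CLSID to its DLL and Authenticode status, and reports whether Crash Detection has been turned off by policy. The NoCrashDetection value name and the Restrictions policy key are assumptions stated in the header comment; the script also assumes Windows PowerShell 3.0 or later.

```powershell
# Added example, not code from the book: inventory the add-ons Internet Explorer loads as
# Browser Helper Objects (BHOs) and toolbars, resolve each CLSID to the DLL behind it, check
# that DLL's Authenticode signature, and report whether Crash Detection has been turned off
# by policy. Assumption: the "Turn Off Crash Detection" setting is stored as the DWORD
# NoCrashDetection under HKLM or HKCU\SOFTWARE\Policies\Microsoft\Internet Explorer\Restrictions.
# Requires Windows PowerShell 3.0 or later; read-only, so no elevation is needed.

function Resolve-IEClsid {
    param(
        [Parameter(Mandatory)][string]$Clsid,
        [string]$Type,
        [string]$RegisteredIn
    )
    $name = $null; $dll = $null
    # Check the 64-bit and 32-bit (Wow6432Node) class registrations, machine-wide then per user.
    foreach ($root in 'HKLM:\SOFTWARE\Classes', 'HKLM:\SOFTWARE\Classes\Wow6432Node', 'HKCU:\SOFTWARE\Classes') {
        $clsidKey = Join-Path $root "CLSID\$Clsid"
        if (-not (Test-Path $clsidKey)) { continue }
        $name = (Get-ItemProperty -Path $clsidKey).'(default)'
        $inproc = Join-Path $clsidKey 'InprocServer32'
        if (Test-Path $inproc) {
            # The InprocServer32 default value is the DLL that iexplore.exe will load into its process.
            $raw = (Get-ItemProperty -Path $inproc).'(default)'
            if ($raw) { $dll = [Environment]::ExpandEnvironmentVariables($raw.Trim('"')) }
        }
        break
    }
    $signature = if ($dll -and (Test-Path -LiteralPath $dll)) {
        (Get-AuthenticodeSignature -FilePath $dll).Status      # Valid, NotSigned, HashMismatch, ...
    } else { 'DllNotFound' }
    [pscustomobject]@{ Type = $Type; CLSID = $Clsid; Name = $name; Dll = $dll; Signature = $signature; RegisteredIn = $RegisteredIn }
}

function Get-IEAddOn {
    # BHOs: one subkey per CLSID under Browser Helper Objects (32-bit IE on x64 uses Wow6432Node).
    $bhoKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            Resolve-IEClsid -Clsid $sub.PSChildName -Type 'BHO' -RegisteredIn $key
        }
    }
    # Toolbars: the Toolbar key holds one value per toolbar, named by CLSID.
    $toolbarKeys = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
                   'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar'
    foreach ($key in $toolbarKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -match '^\{[0-9A-Fa-f-]{36}\}$') {
                Resolve-IEClsid -Clsid $p.Name -Type 'Toolbar' -RegisteredIn $key
            }
        }
    }
}

function Get-IECrashDetectionPolicy {
    foreach ($hive in 'HKLM', 'HKCU') {
        $key   = "$($hive):\SOFTWARE\Policies\Microsoft\Internet Explorer\Restrictions"
        $value = if (Test-Path $key) { (Get-ItemProperty -Path $key).NoCrashDetection }
        [pscustomobject]@{ Scope = $hive; CrashDetectionTurnedOff = ($value -eq 1) }
    }
}

# Usage: list everything, then focus on add-ons whose DLL is unsigned or missing.
Get-IEAddOn | Sort-Object Type, Name | Format-Table Type, Name, Signature, Dll -AutoSize
Get-IEAddOn | Where-Object { $_.Signature -ne 'Valid' } | Format-List
Get-IECrashDetectionPolicy
```

An add-on whose Signature is NotSigned or DllNotFound, or whose DLL sits outside Program Files, is the one to investigate first, and the same output tells you which DLL to compare against the developer’s latest release before you reach for the Turn Off Crash Detection setting.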
Some Web Pages Do Not Display Properly
Most Web site developers test their Web pages using Internet Explorer’s default settings. If you modify the default settings, you might cause pages to display incorrectly. In particular, enabling restrictive security settings or disabling features such as scripts can cause rendering problems.
If the problem occurs on a small number of trustworthy Web sites, your first troubleshooting step should be to enable Compatibility View, as described in the section titled “Internet Explorer 8 Improvements” at the beginning of this chapter. If that does not solve the problem, add the sites to the Trusted Sites zone by following these steps:
1. In Internet Explorer, visit the Web page.
2. Select Internet Options from the Tools menu.
3. In the Internet Options dialog box, click the Security tab.
4. Click Trusted Sites and then click Sites.
5. If the Web site does not support HTTPS, clear the Require Server Verification (HTTPS:) For All Sites In This Zone check box. Click Add to add the current Web site to the list of Trusted Sites and then click Close.
6. Click OK to close the Internet Options dialog box. Then close Internet Explorer, reopen it, and visit the Web page again. If the problem persists, repeat these steps to remove the site from the Trusted Sites zone. Continue reading this section for more troubleshooting guidance.