Contents Overview Lesson: Configuring Security and Connection Settings for Internet Explorer Lesson: ppt

Contents Overview 1 Lesson: Configuring Security and Connection Settings for Internet Explorer 2 Lesson: Customizing and Deploying Lesson: Configuring Applications for Lesson: Troub

Contents

Overview 1

Lesson: Configuring Security and

Connection Settings for Internet Explorer 2

Lesson: Customizing and Deploying

Lesson: Configuring Applications for

Lesson: Troubleshooting Applications 25

Demonstration: Viewing Dr Watson 27

Module 5: Configuring Internet Explorer and Application

Compatibility

Information in this document, including URL and other Internet Web site references, is subject to change without notice Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred Complying with all applicable copyright laws is the responsibility of the user Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property

 2003 Microsoft Corporation All rights reserved

Microsoft, MS-DOS, Windows, Windows NT, ActiveX, Active Directory, MSDN, PowerPoint, and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries

The names of actual companies and products mentioned herein may be the trademarks of their respective owners

Instructor Notes

This module introduces students to the security and connection settings for Microsoft® Internet Explorer Students will learn the methods for deploying and enforcing Internet settings

This module also provides students with information about configuring applications that are designed for earlier versions of Microsoft Windows®, and how to gather information by using the Dr Watson program error debugging

utility

There is no lab for this module

After completing this module, students will be able to:

! Configure the security and connection settings for Internet Explorer

! Use the Internet Explorer Administration Kit

! Use Group Policy to customize and deploy Internet settings

! Configure a program that was written for an earlier version of Windows to operate on Windows XP Professional

! Configure the Dr Watson utility to troubleshoot applications

The following materials are required for teaching this module:

! Microsoft PowerPoint® file 2285A_05.ppt

! The DemoApp.exe and Drwtsn32.log files on the Trainer Materials compact disc

It is recommended that you use PowerPoint 2002 or later to display the slides for this course If you use PowerPoint Viewer or an earlier version of PowerPoint, all the features of the slides may not appear correctly

To prepare for this module:

! Read all the materials for this module

! Complete the practices

! Read the materials listed under Additional readings for each topic

Document your additional readings to share with the class

How to Teach This Module

This section contains information that will help you to teach this module For some topics in this module, references to additional information appear in notes at the end of the topic Read the additional information in preparation for teaching the module and, during class, ensure that students are aware of that additional information

Demonstration Pages, Practices, and Labs

Explain to the students how the demonstrations, practices, and labs are designed for this course A module includes two or more lessons Most lessons include demonstration pages and a practice

Demonstration pages provide the steps for demonstrating a task Students do not perform the tasks on these pages with the instructor, but will use these steps

to perform the practice at the end of each lesson

After you presented the contents of the topic and demonstrated the procedures for the lesson, explain that the practice gives students a hands-on opportunity to learn all the tasks that you discussed in the lesson

Lesson: Configuring Security and Connection Settings for Internet Explorer

This section describes the instructional methods for teaching this lesson This lesson teaches students the basic methods of configuring Internet Explorer for security and connections Focus on the reasons for making the settings, and how to make settings on a computer-by-computer basis

The slide for this topic depicts a high-level view of a secure network topology and shows that configuring the client is only a part of a corporate security policy

Briefly describe:

! The dangers of active content

! Firewall rules, and how they protect corporate computers

! How to improve Internet access by using a proxy server

! How dial-up connections from the desktop can bypass the outbound security and access features of a firewall and a proxy server

To introduce security zones, briefly demonstrate the settings on the Security Zones tab and the other tabs on the Internet Options menu Indicate that students can manage certificates on the Content tab Do not discuss certificates,

which are beyond the scope of this course Students will investigate the Local intranet security zone in the practice for this lesson, so focus your

demonstrations of security zones on the other options

When you describe the security options in a security zone, refer to discussions about harmful content from the previous topic

This topic gives students an understanding of the connections that are used for dial-up and virtual private network (VPN) access, and why such connections are typically not used in a local area network (LAN) Concentrate on a proxy configuration for the dial-up connections, the VPN connections, and the LAN settings Briefly demonstrate how to set up a proxy server for different protocols, but advise students that they will usually configure a single proxy for all protocols

Explain to students that practices provide hands-on learning of the tasks that are presented in this lesson In this practice, students will use Internet options If time permits, encourage students to investigate settings that are not presented in the practice

Estimated time to complete this practice: 10 minutes

Lesson: Customizing and Deploying Internet Settings

In this lesson, introduce the following methods for maintaining the Internet Explorer security options that you configured manually in the previous lesson, and discuss when you might use them Note that the first two items are located

in the Internet Explorer Administration Kit (IEAK):

! Internet Explorer Customization Wizard (IECW), which creates custom packages for distributing Internet Explorer

! IEAK Profile Manager, which maintains the deployed browsers

! Group Policy Management Console, which provides maintenance of Internet Explorer settings, but requires Microsoft Active Directory®directory service and Group Policy

In this topic, describe the IECW and how it creates browser packages Before teaching this topic, download IEAK SP1 from: http://www.microsoft.com/ windows/ieak/downloads/ieak6/download.asp

After downloading the IEAK, familiarize yourself with the versions and licensing of the kit For this course, the corporate license is installed on student computers, and the automatic version synchronization (AVS) has run once so that the practice will work If you want to provide a brief demonstration of IEAK, select Flat for the Media Selection and use Connections Customization for the feature selection Students will use Security Zones and Content ratings

in the practice

Discuss the concepts of Group Policy, and how the linking of Group Policy objects to appropriate container objects in Active Directory enforces settings and software configuration for all objects in the Active Directory container Explain that, by using the Internet Explorer Maintenance (IEM) extension to Group Policy, students can maintain browsers by making settings that Group Policy objects can deploy Reiterate that the IEM extension requires Active Directory

Connection Settings for

In this practice, students will use the IECW to configure Internet Explorer settings

This practice is optional Configuring the Internet Explorer Customization Wizard during setup requires an Internet connection Verify that IEAK is installed and configured properly prior to the students running this practice

In this demonstration, use the Group Policy Management Console (GPMC) to demonstrate the use of Group Policy The GPMC consists of IEM, which is a Microsoft Management Console (MMC) extension, and a set of scriptable interfaces for managing Group Policy Describe GPMC to your students, and advise them that GPMC is a separate component from Windows Server 2003

To prepare for this demonstration, familiarize yourself with how the console works, and complete all the steps in the demonstration before teaching this module

In this topic, discuss the best practices for configuring Internet Explorer Best practices include setting restrictions that apply an organization’s acceptable-use policy Best practices must also include enforcing settings by disabling a user’s ability to change the browser’s security-related settings Discuss the policies of the students’ organizations to give students an opportunity to learn from each other

Lesson: Configuring Applications for Microsoft Windows XP

Professional

In this lesson, explain to students that you have finished the discussion about security issues with browsers, and that this lesson addresses information about applications

Program compatibility involves applying small pieces of code that enable programs written for earlier versions of Windows to run on Windows XP Professional Show students that they can ensure program compatibility either manually or by using a wizard Demonstrate the manual method by using Microsoft Notepad

In this topic, describe how to run the Program Compatibility Wizard

Lesson: Troubleshooting Applications

In this lesson, introduce students to the Windows application debugger, Dr Watson, and show them how to read Dr Watson log files

In this topic, describe the Dr Watson utility and how to use it It is unlikely that students are application developers, so focus on using Dr Watson to diagnose problems and create reports for support organizations The examples in the text are also located in a log file on the Trainer Materials compact disc

In this demonstration, show students how to open the Dr Watson for Windows dialog box and how to view the log file Point out the different parts

of the file, including the application exception, system information, task list, module list, state dump, and symbol table

Assessment

Assessment questions for this module are located on the Student Materials compact disc You can use them as pre-instruction assessments to help students identify areas of difficulty, or you can use them as post-instruction assessments

to validate learning

Consider using assessments to reinforce learning at the end of the day You can also use assessments at the beginning of the day to review information that you taught on the previous day

Overview

***************************** ILLEGAL FOR NON - TRAINER USE ******************************

In this module, you will learn how to configure security and connection settings for Internet Explorer to ensure that users have appropriate access to the Internet and intranet You will also learn how to configure applications so that they are compatible with Microsoft® Windows® XP Professional

After completing this module, you will be able to:

! Configure security and connection settings for Internet Explorer

! Use the Internet Explorer Administration Kit (IEAK) and Group Policy to customize and deploy Internet settings

! Configure applications written for earlier versions of Windows to operate on computers running Windows XP Professional

! Configure the Dr Watson debugging utility to troubleshoot applications

Introduction

Objectives

Lesson: Configuring Security and Connection Settings for Internet Explorer

***************************** ILLEGAL FOR NON - TRAINER USE ******************************

Your organization’s acceptable-use policy describes when users may download and run software from other hosts, and whether application components must be digitally signed Configure Internet Explorer to support this policy, to support and augment network security, and to protect individual users’ desktop computers

After completing this lesson, you will be able to:

! Describe the reasons to configure security and connection settings for Internet Explorer

! Describe Internet Explorer security options

! Configure security and connection settings for Internet Explorer

Introduction

Lesson objectives

Why Configure Internet Explorer Settings?

***************************** ILLEGAL FOR NON - TRAINER USE ******************************

Each type of Internet content carries risk The slide illustrates a typical network topology built to mitigate these risks This topology includes:

! The Internet Security and Acceleration (ISA) firewall that controls access to the Internet, and protects the internal network from unauthorized access and attacks

! The Microsoft ISA Server cache that provides proxy server capability, enabling high-speed access to World Wide Web content

! Client computers running Microsoft Windows XP Professional, Microsoft Internet Explorer, and Microsoft ISA client software

You can set browser security and connection settings to:

! Block harmful content

! Configure encryption and certificate use

! Set the use of temporary files

! Enable a proxy server to access the Internet

When you configure a proxy server to access the Internet, you set Internet Explorer to send packets destined for external Web sites to an intermediate device on your network, the proxy server The proxy server accepts the packets and translates them to ensure that no servers outside your network can identify the originator

For more information about using the ISA Server as a proxy and ISA firewalls,

see the ISA Server Product Guide at: http://www.microsoft.com/isaserver/

Security Zones for Internet Explorer

***************************** ILLEGAL FOR NON - TRAINER USE ******************************

Internet Explorer classifies online content into security zones You can assign a unique security level to each zone to define the level of browser access Internet Explorer security settings for accessing a Web site are based on the zone to which a Web site belongs For each zone, you can control settings for:

! Managing Microsoft ActiveX® controls, cookies, scripts, and Java capabilities

! Downloading files

! Authenticating passwords

! Providing cross-frame security Use the following guidelines to place Web sites in their appropriate security zones, and to select settings for the zones in Internet Explorer:

! Local intranet zone This zone contains sites that you trust, which are

located on your organization’s intranet You probably want to allow users to run all types of active content from this location To provide this capability, set the Local intranet zone to Low

! Internet zone This zone contains all sites that you have not placed in other

zones Assign a higher security level to the Internet zone, such as Medium

or High, to prevent users from running active content and downloading code

! Trusted sites zone This zone contains specific sites that you trust You can

place the Uniform Resource Locators (URLs) or entire domains in the Trusted sites zone Although you do not own these sites, you probably want

to allow users to run all types of content from this zone To provide this capability, set the Local intranet zone to Low

! Restricted sites zone This zone contains Internet sites that include

potentially harmful Web content Assign the highest security levels to the Restricted sites zone to prevent users from downloading and running active content

Security zones

Recommended settings

Configure the Local intranet zone to correspond to the network and firewall configuration of your organization The default settings for the Local intranet zone may not match your network configuration, and there is no method for Internet Explorer to detect your firewall automatically

For more information about potentially dangerous Internet content, see Module 6, “Securing Internet Applications and Components,” in Course 2810A,

Fundamentals of Network Security

For more information about cross-frame scripting and security, see the article

About Cross-Frame Scripting and Security at:

http://msdn.microsoft.com/workshop/author/om/xframe_scripting_security.asp

Important

Additional reading

Connection Settings for Internet Explorer

***************************** ILLEGAL FOR NON - TRAINER USE ******************************

! Use connection settings to identify the dial-up or virtual private network (VPN) connection for accessing the Internet

• A typical user who works away from the office has two dial-up connections, one to an Internet service provider (ISP) and one to the corporate network

• A VPN is typically used when the only access to the corporate network

is through an Internet connection

• Local-area-network-based PCs typically have no dial-up and VPN connections

! Use connection settings to identify the proxy servers to use for various protocols, for example, Hypertext Transfer Protocol (HTTP) and File Transfer Protocol (FTP) for the LAN and for each connection

A proxy server is a computer that connects to the Internet without compromising the security of your internal network Typically, the same proxy server is used for all Internet protocols

For more information about using VPNs, see the article Use Virtual Private Networks for Secure Internet Data Transfer at:

http://www.microsoft.com/windowsxp/pro/using/howto/gomobile/vpns.asp For more information about proxy servers, seethe ISA Server Product Guide at:

http://www.microsoft.com/isaserver/evaluation/productguide.asp

Key points

Additional reading

Practice: Protecting Clients from Active Content

***************************** ILLEGAL FOR NON - TRAINER USE ******************************

In this practice, you will adjust the browser’s security settings in Internet Explorer to protect users from active content

Before working on this practice, you must have a computer running Microsoft Windows XP Professional

You must configure various security settings in Internet Explorer to prevent users from installing and running active content that they see on the Internet or the local intranet

! View the Local intranet zone settings

1 Log on to the nwtraders domain as ComputerNameUser (for example,

VancouverUser) with a password of P@ssw0rd

2 Right-click Start, click Properties, on the Taskbar and Start Menu Properties dialog box click Start menu, and then click OK

3 Click Start, click Control Panel

4 If the Pick a Category page is not displayed, under Control Panel, click Switch to Category View

5 On the Pick a Category page, click Network and Internet Connections

6 Press SHIFT, right-click Internet Options, and then click Run as to open

Internet Options with administrator privileges

7 In the Run As box, select The following user, in the User name box, type

ComputerName\administrator, and in the Password box, type P@ssw0rd

and then click OK

8 On the Security tab, select Local intranet, and then click Default Level

9 Move the security-level slider to Low, and then click Apply

10 Click Custom Level and record the settings in the following table

Objective

Prerequisites

Scenario

11 Under Reset custom settings, in the Reset to box, select Medium, click Reset and then record the settings in the following table

If a warning dialog box appears, asking you to confirm that you want

to change the security settings for this zone, click Yes

12 Under Reset custom settings, in the Reset to box, select High, click Reset,

and then record the settings in the following table

13 Click Cancel, and on the Security tab, click Cancel to close the Internet Options dialog box

14 Note the different settings for each level in the following table

Download signed ActiveX controls Download unsigned ActiveX controls

File download Active scripting Logon

! Change the Local intranet zone settings

1 In Internet Options, on the Security tab, select Local intranet

2 Click Custom Level and modify the settings, and then click OK

3 In the Warning dialog box, click Yes

4 On the Security tab, ensure that Local intranet is selected, click Default level, and then click Apply

5 Click OK to close the Internet Options dialog box

6 Close all open windows, and then log off the domain

Note

Lesson: Customizing and Deploying Internet Explorer Settings

***************************** ILLEGAL FOR NON - TRAINER USE ******************************

Use the Internet Explorer Administration Kit (IEAK) and Group Policy to create custom browsers with preset options This lesson provides information about using IEAK and Group Policy to configure security zones, proxy settings, and privacy settings You will also learn how to prevent users from modifying these settings

After completing this lesson, you will be able to:

! Identify the features of the IEAK and Group Policy

! Describe how the IEAK enforces security for Web browsers

! Use Group Policy to enforce security for Web browsers

! Describe the guidelines for configuring security for Web browsers

! Use the IEAK and Group Policy to customize and deploy Internet settings

Introduction

Lesson objectives

Methods for Customizing and Deploying Internet Explorer Settings

***************************** ILLEGAL FOR NON - TRAINER USE ******************************

There are three methods for customizing Internet Explorer: the Internet Explorer Options menu, the Internet Explorer Administration Kit (IEAK), and

the Internet Explorer Maintenance (IEM) extension for Group Policy These methods allow you to configure several Internet Explorer settings, including:

! The user interface and the appearance of the browser

! Connection settings, such as dial-up and local area network (LAN) connections

! Custom URLs, such as the home page

! Security settings, such as security zones and content ratings

! Default programs for common Internet tasks, such as reading e-mail and viewing newsgroups

Use the Internet Explorer Options menu to customize browser settings The

advantages of this method are that the interface is part of Internet Explorer and requires no additional programs or utilities The limitations of this manual method are that you cannot restrict users from changing settings, and it is difficult to maintain the settings in a large environment

Overview

Internet Explorer

Options menu

Use the IEAK to create customized browsers with preset options and to prevent users from modifying these settings The Microsoft Internet Explorer 6

Resource Kit CD-ROM contains the following IEAK programs and tools:

! Internet Explorer Customization Wizard This wizard guides you through

the process of creating custom browser packages When these packages are installed on users’ desktop computers, users receive Internet Explorer with the settings and options that you have chosen

! IEAK Profile Manager This enables you to change deployed browser

settings and restrictions automatically

! IEAK Toolkit This toolkit contains the programs, and sample files that you

can use to extend the IEAK functionality for your organization

! IEAK Help The help file includes conceptual and procedural topics that you

can view and print

An advantage of IEAK is that you can create a custom installation package that includes software in addition to browser settings The IEAK is not the most efficient way to maintain browser settings, however, because a change requires that you use an update package on the computers

You can download the IEAK software from the IEAK home page at: http://www.microsoft.com/windows/ieak/default.asp

In an Active Directory environment, use Microsoft Management Console (MMC) with the IEM extension The extension adds Internet Explorer settings

to the MMC, which enables you to change those settings in Group Policy For more information about the Internet Explorer Administration Kit, see the product documentation for Internet Explorer or the IEAK home page at: