Because Web browsing provides so many ways for malicious users to attack your workstations and internal network, it pays to make sure your users aren’t exposing your systems to risk while they browse the Web. In Part 1 and Part 2, I described security zones and settings in Microsoft Internet Explorer (IE) 5.0. In Part 3, I'll show you the IE security settings that let you control cookies and file downloads.
Watch Out for the Cookie Monster!
One security risk in Web browsing that gets a lot of attention is cookies—text files that Web servers leave on your computer to remember you between visits. Web browsing began as a simple, modeless activity where a user requested one static Web page after another. Back then, Web servers didn't need to keep track of connection information. As the Internet evolved, however, Web servers had to support e-commerce and other applications requiring user-server interactions, so the industry designed cookies. (Originally, the word "cookie" was an allusion to fortune cookie, a UNIX program that outputs a different message, or fortune, each time it's used.)
Long-term and Short-term Cookies
Cookies can contain long-term information to help the Web server remember you between Web-site visits, or short-term information to remember what step you’re at during a long transaction. Delta Air Line's Web site contains an example of long-term (stored) cookie usage. Under Remember my SkyMiles number, if I select Yes, as Figure 1 shows, Delta's Web server remembers my SkyMiles frequent flier number each time I visit; I only need to enter my PIN to access my account. Delta's Web server also places a cookie on my computer, as Figure 2 shows. (Note: the numbers shown in the two figures are no longer actual account numbers.)
You can find examples of short-term (per-session) cookies when you shop on the Web. To keep track of what’s in your shopping cart, some Web servers use per-session cookies, which aren’t permanently stored on your computer. To see what cookie files are on your computer, open the folder that corresponds to your user account in %allusersprofile%\ and scroll down to the Cookies folder. (If you're logged in as administrator, the path is probably C:\Documents and Settings\Administrator.<yourcomputername>\Cookies.)
How dangerous cookies are depends on the Web site's developers. Programmers can follow best-practice coding methods that let them get the benefits of cookies without exposing Web-site users to risk, but many developers don’t follow these practices. Web developers should never store confidential information directly in a cookie but store a surrogate key only, which their Web site can use to locate your record in a database on the local server. Following such a practice prevents other Web sites from examining your Cookies folder to collect demographic data about you from the Web sites you've been browsing.
Stored and Per-Session Cookies
IE lets you control the two types of cookies—stored and per-session. Stored cookies are the most dangerous, but you can control them. To prevent your browser from accepting cookies from any site in the current security zone, open IE, select Tools, Internet Options, and select the Security tab. Click Custom level, which displays the Security Settings dialog box, as Figure 3 shows. Scroll to Cookies, Allow cookies that are stored on your computer, and select Disable. If you want to approve cookies on a site-by-site basis, you can select Prompt; however, this setting can bother some users, who'll get a prompt message each time they visit a Web site that tries to create a cookie. If you select Enable, your browser will silently accept cookies from any site in the current zone. Allow per-session cookies (not stored) gives you the same three options, but applies to the safer kind of cookie—the short-term cookie that lasts only as long as you're browsing a given Web site.
For savvy Internet users, who can make informed decisions regarding cookies on a site-by-site basis, I recommend that you use the prompt options. For other users who might get annoyed with the prompt option and accept each cookie without really making a security-minded decision, I recommend that you configure the Internet Zone with Allow cookies that are stored on your computer set to Disable and Allow per-session cookies (not stored) set to Enable. You can then use the Trusted Sites zone for Web sites where you need to make an exception. Configure the Trusted Sites zone to permit stored cookies. You can also add stored cookie Web sites that your users need to access. (Although you might think that configuring hundreds or even thousands of IE installations would be a maintenance headache, I'll finish up this series by showing you how to use Group Policy to configure all of these settings centrally.)
Downloads Can Be Dangerous, Too
Letting users download files from the Internet is dangerous. Trojan horses love to hide in games and other programs users frequently download from the Internet. Some versions of the popular Whackamole game are actually Trojan horses that install Netbus, which lets hackers take complete remote control of your computer. Letting users download files also makes it easy for malicious users to bring hacker tools into your network (like the password sniffer in L0phtcrack). In the Security Settings dialog box that you use to control cookies, under Downloads you can set File download to Disable, preventing users from downloading files from links in the current zone. Of course, there are other ways to get files into your network. Companies serious about closing entryways for malicious code also control the file attachments in incoming emails and control the use of removable media, such as floppies. You can set Font download to Disable to prevent Web pages in the current zone from downloading nonstandard fonts used on Web pages, although I don’t know of any significant risks if you enable this option. However, you should use all available resources to make your Internet Web browsing secure without causing your users too much inconvenience and lost functionality.