In Part 1 and Part 2, I described security zones and settings in Microsoft Internet Explorer (IE) 5.0. In Part 3, I showed you the IE security settings that control cookies and file downloads. In Part 4, I'll show you how to securely set IE's Java permissions and describe some of the settings under the Miscellaneous group of security settings.
To access IE's security options, open IE, go to the Tools menu and select Internet Options, and select the Security tab. Click the zone you want to configure, and click Custom Level to display the Security Settings dialog box. Scroll to Microsoft VM, as Figure 1 shows. Microsoft VM lets you set the security levels to control any Java applets your users encounter on Web sites in each zone. Although you can specify a custom level, I don’t recommend using Custom Level for Java permissions in most cases because Java security is very granular; you really need to be a Java programmer to understand Java permissions.
When you choose the High safety level, you put fairly tight restrictions on Web pages that include Java applets. Using this level of protection prevents Java applets from accessing your computer’s files, registry, or printers, or displaying windows outside the IE window without first warning the user. Also, the applets won't be able to run other applications, but can initiate network connections back to the Web server. The main difference between the Medium safety and High safety levels is that in the Medium safety level, the user must give permission to Java applets to access files on the local computer. In the Low safety level, Java applets can do almost anything on the local computer, including accessing files, starting applications, accessing the computer's registry, using printers, and contacting computers other than the Web server—even contacting computers on your internal network. I recommend using High safety for most users for any site on the Internet zone. You’ll probably use Low safety for your Local intranet zone to support any highly functional intranet sites that use Java.
IE has grouped together the settings for a number of features that are not related to each other. Scroll to Miscellaneous to see these settings.
Access data sources across domains. The first setting under Miscellaneous, Access data sources across domains, controls whether IE prevents scripts and applets on the Web page in the current zone from accessing databases other than the Web server where the requested page resides. I recommend that you disable this setting.
Drag and drop or copy and paste files. Similar to the File download policy we discussed in Part 3, Drag and drop or copy and paste files is an important setting. Because of the security risks you face in letting users bring in files from the Internet, you've probably decided to disable File downloads. If so, make sure you also disable the Drag and drop or copy and paste files option. If you don't, users can still effectively download Internet files by dragging or copying the files to the clipboard.
Installation of desktop items. Although not a well-documented option, Installation of desktop items seems to have something to do with Active Desktop and different modes for your desktop interface. Follow the rule, "When in doubt, disable."
Launching programs and files in an IFRAME. An IFRAME is a floating frame that some Web sites display. Because this policy provides yet another way to download unauthorized files from the Internet, you should disable Launching programs and files in an IFRAME.
Navigate sub-frames across different domains. Microsoft introduced Navigate sub-frames across different domains to combat the series of cross-frame navigation attack methods that attackers discovered in IE 4.0. In this privilege escalation type of attack, a malicious Web site that currently executes in a more restricted zone tries to insert malicious code into a frame of a page from a trusted Web site. I recommend you disable this setting.
Software channel permissions. With the Software channel permissions policy, IE provides the capability for vendors to distribute software updates automatically through specially formatted email. If you choose Low safety, IE automatically installs any software updates you receive, regardless of whether the update is signed. If you enable Medium safety, IE automatically downloads but doesn’t install updates that have a valid signature. The High safety option completely disables automatic software updates. Because an attacker can use automatic updates to enter your system, I recommend selecting the High safety mode.
Submit nonencrypted form data. When a user fills in some fields on a Web page form and clicks submit, IE checks first to see whether the user connects to the server using Secure Socket Layer (SSL) to encrypt the form. If so, IE sends the form content to the Web server. If the connection to the Web server isn’t using SSL encryption, IE checks Submit nonencrypted form data to see whether the user has permission to send the form without encryption protection. Depending on the Web page, the information the user just entered might be confidential (e.g., credit card numbers). A Web developer should never request private information from a user without using encryption, but some do. Hackers can look at data users send in the clear text over the Internet. If you enable this option, train users to determine whether a Web page is using SSL by looking for the lock icon at the bottom of the IE window. If Web pages don't display the lock icon, train users not to enter private information. If you set this option to Prompt, users don’t need to remember to look for the lock before submitting private information. IE will always warn users before it sends form data they've just entered in clear text. However, if you want to prevent users from sending any form data in clear text, set Submit nonencrypted form data option to disable. Unfortunately, you'll prevent users from accessing clear text connection sites that ask for relatively public information, such as email addresses, because IE doesn’t know when form fields include only private data. Keep in mind that setting the Prompt option can really annoy users, so if you can't train users not to enter private information on Web pages that don’t display the lock icon, Prompt is your only other option.
Userdata persistence. IE 5.0 provides a newway for Web pages to remember the values a user enters into a form between visits to the Web site. IE calls this policy Userdata persistence, and lists it under the Miscellaneous settings. However, because using this policy presents some risk, depending on the type of data on the form, you might want to disable this feature for all Web sites in the current zone. In Part 5, I’ll finish our tour of IE’s security options, and in Part 6, I'll show you how to use Group Policy to configure the options centrally for all your users.