Few areas of security are more important than that of Internet Explorer. When properly configured, Internet Explorer is a secure browser that offers a safe environment for users to navigate the many resources of the Internet and the Web. When you’ve improperly or poorly configured Internet Explorer, the poor configuration can make your organization’s network and computers susceptible to attack and misuse by malicious users.
One of the most important ways you can help protect your network and your computers is to optimize Internet Explorer security, and the most important area of this configuration has to do with Internet Explorer security zones. You use security zones to restrict or permit access to specific types of Web content, including ActiveX® controls, plug-ins, file and font downloads, Java applets, and scripts. You can also use security zones to control the types of actions users can perform while viewing Web content. For example, you can enable launching of programs within an internal browser frame, known as an IFRAME, but disable installation of desktop items.
You can use Group Policy to manage security zones in several ways. You can set policies that control the user actions with regard to security zones and customize the settings for each security zone. As discussed in Chapter 6, in the section titled "Working with Attachment Manager," four types of security zones are defined:
Restricted sites. Sites you don’t trust
Trusted sites. Sites you trust explicitly
Internet sites. Sites on the Internet
Intranet sites. Sites on your organization’s internal network
Each security zone is assigned a default security level, which can range from low to high. Low security means that most actions are permitted and the security restrictions are very relaxed. High security means that most actions are disabled and the security restrictions are very stringent.
Each security level consists of parameters that typically are enabled, disabled, or set to prompt a user before the related feature can be invoked. You can change the settings by specifying a new security level for a particular security zone or by defining a custom level in which you set the state of each parameter.
You should closely scrutinize several categories of settings, including:
ActiveX controls, plug-ins, Java applets, and scripts. Any time you enable ActiveX controls, plug-ins, Java applets, and scripts, you expose your network and your computers to potential abuse or misuse. You can, in fact, eliminate most problems with malware simply by not allowing the use of ActiveX controls, plug-ins, Java applets, or scripts. Although this is a drastic step, an increasing number of organizations have elected to disable these features to reduce the impact of malware on their networks.
Downloads. With most types of downloads, you should consider prompting the user before the download occurs. Although this can be annoying for users, it makes users more aware of what’s being downloaded to their computers and the potential risks. With this in mind, you might want to enable Automatic Prompting For File Downloads and set Font Download to Prompt.
User Authentication. The Logon setting determines whether user name and password information is sent to a trusted or intranet content server when it is requested. The key risk of using this setting is that computers outside the network could gain access to logon names for your network and unauthorized external users could use the logon names to stage attacks on your system.
Note
With Trusted or Intranet zone sites, the current user’s logon information can be provided automatically when the client computer receives an NTLM or a NEGOTIATE WWW-Authenticate Challenge. While the risk associated with allowing user authentication is limited to trusted and intranet sites, it is important to remember that the definition of a local intranet site is configurable. The local intranet site can include all local sites not listed in other zones, all sites that bypass the proxy server, and all network paths.
With the Logon setting, all security levels except High present a potential security risk. Keep the following in mind:
With High security, content servers prompt for a user name and password when a logon is needed, and information is never passed automatically.
With Medium or Medium-Low security, the current user name and password are returned for logon requests to resources in the Intranet zone, which, as you might recall, can include intranet sites, network paths (UNCs), and sites bypassed by the proxy server. These bypassed sites are easy to forget when you’re considering possible security issues.
With Low security, logon information is returned for logon requests from content servers in any zone. This is a dangerous setting when used with external content servers.
A key way to ensure that security zones are configured exactly as you expect them to be is to implement restrictions on who can change security zone settings and how settings are applied. Several policies control security zone modification and usage:
Disable The Security Page. If you enable this policy, Windows removes the Security tab in the Internet Properties dialog box. This prevents users from making any changes to security zones. This policy takes precedence over and overrides Security Zones: Do Not Allow Users To Change Policies and Security Zones: Do Not Allow Users To Add/Delete Sites. This policy is located under User ConfigurationAdministrative TemplatesWindows ComponentsInternet ExplorerInternet Control Panel.
Security Zones: Do Not Allow Users To Add/Delete Sites. If you enable this policy, Windows disables the Sites button on the Security tab of the Internet Properties dialog box, which then prevents users from modifying the site management settings for the Local Intranet, Trusted Sites, and Restricted Sites zones. This means users cannot add sites, remove sites, or change the Include settings for the Local Intranet zone. This policy is located under Computer ConfigurationAdministrative TemplatesWindows ComponentsInternet Explorer.
Security Zones: Do Not Allow Users To Change Policies. If you enable this policy, Windows prevents users from changing security zone settings. When this policy is enabled, the Custom Level and Default Level buttons are disabled on the Security tab of the Internet Properties dialog box. This prevents users from changing the security zone settings established by the administrator. This policy is located under Computer ConfigurationAdministrative TemplatesWindows ComponentsInternet Explorer.
Security Zones: Use Only Machine Settings. If you enable this policy, Windows sets security zone settings by machine rather than by user. The policy is intended to ensure that security zones are consistently applied to all users of a computer. If you enable this policy without also preventing users from changing security zones, any user can make changes to security zones that affect all other users of the computer. This policy is located under Computer ConfigurationAdministrative TemplatesWindows ComponentsInternet Explorer.
You can enable one or more of these policies to enforce restrictions on changing security zone settings. Simply double-click the policy, select Enabled, and then click OK.
Note
Windows XP Service Pack 2 and later include policies for locking down the local machine security zone. This special security zone applies only to the security of the local computer and is designed to prevent users from making changes that might materially affect the security of their computers. Any policies set under User ConfigurationAdministrative TemplatesWindows ComponentsInternet ExplorerInternet Control PanelSecurity PageLocked-Down Local Machine Zone are locked out in the local machine zone and set according to their policy configuration. Rather than set each policy individually, you can use the Locked-Down Local Machine Zone Template policy under User ConfigurationAdministrative TemplatesWindows ComponentsInternet ExplorerInternet Control PanelSecurity Page to set the local machine zone security so that it is consistent with a specific security level.
Tip
For computers running Windows XP Professional with Service Pack 2 or later, you can configure security zones through Administrative Templates. The related policies are found in both Computer Configuration and User Configuration under Administrative TemplatesWindows ComponentsInternet ExplorerInternet Control PanelSecurity Page. By administering security zones through the Administrative Templates, you can override imported settings that would otherwise apply. The specific zone settings configured through Administrative Templates will be applied only to computers running Windows XP Professional with Service Pack 2 or later.
Through Group Policy, you can implement standard settings for each security zone and deploy these settings to users of one or more computers. Before doing this, you must configure the security settings for each of the four security zones, starting with the Internet security zone. You can then import the settings into policy so that they can be deployed throughout a selected site, domain, or OU. These imported settings then apply to all Windows 2000 or later computers that process the related GPO. The only exception is if you’ve configured the Internet Control Panel security page for computers running Windows XP Professional Service Pack 2 or later. With these computers, settings in both Computer Configuration and User Configuration under Administrative TemplatesWindows ComponentsInternet ExplorerInternet Control PanelSecurity Page override imported security zone settings.
The Internet security zone sets Web content permissions for all sites not placed in other zones. Complete the following steps to configure the Internet security zone:
Access the Internet Options utility in the Control Panel, and then select the Security tab. Select Internet from the Zone list.
To restore the default level if it was changed, click Default Level. Then click OK and skip the remaining steps.
To set a different or custom level, click Custom Level. You can use the Security Settings dialog box (Figure 8-9) to set a custom level for individual parameters or reset the zone to a preset security level.
If you want to use a custom level, use the buttons provided to set individual parameters, and then click OK.
If you want to reset the zone to a particular security level, select the level using the Reset To drop-down list, click Reset, and then click OK. The security levels available are Low, Medium-Low, Medium, and High.
The Local Intranet security zone sets Web content permissions on the local network. The default security level is Medium-Low. You can configure this zone by completing the following steps:
In the Internet Properties dialog box, click the Security tab, and then select Local Intranet from the Zone list.
Set the security level by doing one of the following:
To restore the default level if it was changed, click Default Level. Then click OK.
To set a different or custom level, click Custom Level. You can then use the Security Settings dialog box to set a custom level for individual parameters or reset the zone to a preset security level. When you are finished configuring settings, click OK.
Define which sites are included in the Local Intranet zone by clicking Sites. This displays the Local Intranet dialog box, shown in Figure 8-10.
You can now include or exclude local (intranet) sites not listed in other zones, sites that bypass the proxy server, and network paths (UNCs). To include a resource, select the related check box. To exclude a resource, clear the related check box.
If you want to specify additional sites for the Local Intranet zone or if you require secure verification using Hypertext Transfer Protocol Secure (HTTPS) for all servers in the Local Intranet zone, click Advanced. This displays a new Local Intranet dialog box, in which you can do the following:
Add a site by typing its IP address in the Add This Web Site To The Zone text box and then clicking Add.
Remove previously defined sites by selecting the site in the Web Sites list box and then clicking Remove.
Require secure verification using HTTPS by selecting Require Server Verification (HTTPS:) For All Sites In This Zone.
Click OK twice to close the Local Intranet dialog boxes.
The Trusted Sites security zone sets Web content permissions for sites that are explicitly trusted and considered to be free of potentially offensive or unauthorized content and content that might damage or harm the computer. By default, the security level for this zone is set to Low. You can configure this zone by completing the following steps:
In the Internet Properties dialog box, click the Security tab, and then select Trusted Sites in the Zone list.
Set the security level by doing one of the following:
To restore the default level if it was changed, click Default Level. Then click OK.
To set a different or custom level, click Custom Level. You can then use the Security Settings dialog box to set a custom level for individual parameters or reset the zone to a preset security level. When you are finished configuring settings, click OK.
Click Sites to define which sites are included in the Trusted Sites zone. This displays the Trusted Sites dialog box, shown in Figure 8-11.
You can now add and remove trusted sites from this zone. All Web sites in this zone will use the zone’s security settings. To add a site, type its IP address in the Add This Web Site To The Zone text box and then click Add. To remove a site, select the site in the Web Sites list box and then click Remove.
You can also require secure verification using HTTPS. Select Require Server Verification (HTTPS:) For All Sites In This Zone to enable this feature, or clear the related check box to disable this feature.
Click OK.
The Restricted Sites security zone sets permissions for sites with potentially offensive or unauthorized content and content that might damage or harm the computer. Site restrictions don’t prevent users from accessing unauthorized sites, however. They merely establish a different security level for these sites. To prevent users from accessing restricted sites, you must configure a proxy server or firewall to block access to the sites.
By default, the security level for Restricted Sites is set to High. You can place sites on the restricted list by completing the following steps:
In the Internet Properties dialog box, click the Security tab and then select Restricted Sites in the Zone list.
Set the security level by doing one of the following:
To restore the default level if it was changed, click Default Level. Then click OK.
To set a different or custom level, click Custom Level. You can then use the Security Settings dialog box to set a custom level for individual parameters or reset the zone to a preset security level. When you are finished configuring settings, click OK.
Click Sites to define which sites are included in the Restricted Sites zone. This displays the Restricted Sites dialog box, which is similar to the dialog box shown earlier in Figure 8-11.
To add a restricted site, type its IP address in the Add This Web Site To The Zone text box and then click Add.
To remove a site, select the site in the Web Sites list box and then click Remove.
Click OK twice to close the Restricted Sites and Internet Properties dialog boxes.
After you configure the security settings for each of the four security zones, you can import the settings into the Security Zones And Content Ratings policy so that they can be deployed throughout a selected site, domain, or OU. Import the settings by completing these steps:
Configure each of the four security zones as discussed earlier. When you are finished, access User ConfigurationWindows SettingsInternet Explorer MaintenanceSecurity in Group Policy and then double-click Security Zones And Content Ratings.
Select Import The Current Security Zone Settings And Privacy Settings and then click Modify Settings. You can now check the security zone settings you defined previously.
When you are finished, click OK twice to apply the policy.