Archive for the ‘Internet Explorer’ Category.

Internet Explorer 10 – Enhanced Protected Mode

I just saw the information below about Blackhole and exploits.

“Blackhole” Exploit Kit Activity Peaks as Exploit Activity on the Internet Reaches New Heights
http://blogs.technet.com/b/security/archive/2012/11/12/blackhole-exploit-kit-activity-peaks-as-exploit-activity-on-the-internet-reaches-new-heights.aspx

Exploit Activity at Highest Levels in Recent Times: The Importance of Keeping All Software Up To Date
http://blogs.technet.com/b/security/archive/2012/11/06/exploit-activity-at-highest-levels-in-recent-times-the-importance-of-keeping-all-software-up-to-date.aspx

In that connection, I want to link to some information about IE 10's new sandbox, Enhanced Protected Mode.

Internet Explorer 10 gets a new sandbox : Enhanced Protected Mode
http://www.julien-manici.com/blog/ie10-new-sandbox-enhanced-protected-mode-windows-8/

Enhanced Protected Mode
http://blogs.msdn.com/b/ie/archive/2012/03/14/enhanced-protected-mode.aspx

Understanding Enhanced Protected Mode
http://blogs.msdn.com/b/ieinternals/archive/2012/03/23/understanding-ie10-enhanced-protected-mode-network-security-addons-cookies-metro-desktop.aspx

Block ads + tracking in Internet Explorer

I have previously written about how to block ads in Internet Explorer using so-called TPLs.

Block ads in IE9
http://jravn.dk/?p=346

There I mentioned that you could use Quero AdBlock IE TPL, which was really good.

I have now found a new freeware TPL called Fanboy Adblock List, which I think is more stable and effective.
http://www.fanboy.co.nz/

I have tested them against a number of the well-known Danish online newspapers and media, and it kills all ads on these sites.
Fanboy Adblock List also works with IE10.

Add them to IE via the link below.
http://www.fanboy.co.nz/ie.html

Click Add TPL for Fanboy Adblock List for Internet Explorer 9 and Fanboy Tracking List.

Then go to Tools in IE. Choose Safety and Tracking Protection.

Finally, enable Fanboy Adblock List and Fanboy Tracking List.

After that it is game over for ads, and the pages now display lightning fast.

Block ads in IE9

With IE9's new Tracking Protection Lists (TPL) feature, it has now become really easy to block/remove ads on various websites.
It also means that pages load faster in the browser.
I have tested Quero AdBlock IE TPL (Adblock Plus), which kills the ads on all the pages I have visited. A good test would be to visit www.eb.dk.
You can download and load the Quero TPL via the link below.
http://www.quero.at/adblock_ie_tpl.php

Microsoft also has a site with third-party Tracking Protection Lists, which can be seen here.
http://iegallery.com/en/trackingprotectionlists/

IE7 and Group Policies

I can't be bothered to google every time I have to configure IE7 via Group Policies.
I have therefore tried to put together a configuration plan for IE7 that I can use the next time it becomes necessary.

The basic configuration of IE7 is as follows:

Download and install the IE7 ADM templates on your GPO admin server/workstation.
http://www.microsoft.com/downloads/details.aspx?FamilyID=11ab3e81-6462-4fda-8ee5-fcb8264c44b1&displaylang=en

Remove the existing “inetres.adm” template under “Administrative Templates”.
Go to C:\Windows\inf and rename “inetres.adm” to “inetres_org.adm”.
Copy C:\Program Files\Microsoft Group Policy\inetres.adm to C:\Windows\inf.
Then import the new IE7 template.

To make the IE7 experience transparent for the users, I choose to configure the following:

Computer Configuration – Administrative Templates – Windows Components – Internet Explorer
Prevent participation in the Customer Experience Improvement Program = Enabled
Prevent Performance of first run customization settings = Enabled
Turn on Menu Bar by Default = Enabled

User Configuration – Windows Settings – Internet Explorer Maintenance – URLs – Important URLs
Important URLs (Homepage) = http://jravn.dk

Finally, add important company websites to “Trusted Sites and intranet”. For example:

User Configuration – Windows Settings – Internet Explorer – Security – Security Zones and Content Ratings
Intranet – Outlook Web Access – Citrix Web Interface – Bank etc.

For more information on the above, see this link (Internet Explorer 7 Deployment Guide):
http://www.microsoft.com/downloads/details.aspx?familyid=E41D8800-D134-4356-A2E7-C01BEE790908&displaylang=en

The following lists most of the recommended security settings for IE7 that Microsoft has set out in this document.
http://www.microsoft.com/downloads/details.aspx?FamilyID=6AA4C1DA-6021-468E-A8CF-AF4AFE4C84B2&displaylang=en

My plan is to run with them in various environments and return to this blog post if I run into problems with the settings below.

Security Zones.

| Security zone | Security level | Tested |
|---|---|---|
| Local Machine | Custom | ok |
| Internet | Medium-High | ok |
| Local intranet | Medium-low | ok |
| Trusted sites | Medium | ok |
| Restricted sites | High | ok |


Recommendations for Increased Security.

| Policy object | Location | Recommended setting | Tested |
|---|---|---|---|
| Internet Explorer Processes (Zone Elevation Protection) | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Protection From Zone Elevation | Enabled | ok |
| Security Zones: Do not allow users to add/delete sites | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer | Enabled | ok |
| Security Zones: Do not allow users to change policies | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer | Enabled | ok |
| Prevent Ignoring Certificate Errors | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel | Enabled | ok |
| Internet Explorer Processes (Restrict ActiveX Install) | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Restrict ActiveX Install | Enabled | 1 |
| Allow Active Scripting | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\<zone> | Disabled in response to zero day attack | 4 |
| Internet Explorer Processes (Scripted Window Security Restrictions) | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Scripted Window Security Restrictions | Enabled | ok |
| Turn on Protected Mode | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\<zone> | Enabled | ok |
| Empty Temporary Internet Files folder when browser is closed | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | Enabled | ok |
| Disable AutoComplete for forms | User Configuration\Administrative Templates\Windows Components\Internet Explorer | Enabled | ok |
| Turn on the auto-complete feature for user names and passwords on forms | User Configuration\Administrative Templates\Windows Components\Internet Explorer | Disabled | ok |
| Logon Options | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone | Enabled: Prompt for Username and Password | ok |
| Logon Options | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone | Enabled: Automatic Logon with Current Username and Password | ok |
| Logon Options | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone | Enabled: Anonymous Logon | ok |
| Logon Options | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone | Enabled: Automatic Logon only in Intranet Zone | ok |
| Turn off managing phishing filter | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer | Enabled: Automatic | ok |
| Do not save encrypted pages to disk | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | Enabled for environments with sensitive data on Web pages. | ok |
| Disable Automatic Install of Internet Explorer components | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer | Enabled | ok |
| Disable Periodic Check for Internet Explorer software updates | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer | Enabled | ok |
| Disable software update shell notifications on program launch | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer | Enabled | ok |
| Turn off Crash Detection | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer | Enabled | ok |
| Internet Explorer Processes (Restrict File Download) | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Restrict File Download | Enabled | ok |
| Allow File Downloads | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone | Disabled | ok |
| Deny all add-ons unless specifically allowed in the add-on list | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management | Enabled | 2 |
| Add-on List | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management | Enabled with add-ons listed | 3 |
| Internet Explorer Processes (Consistent MIME Handling) | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Consistent MIME Handling | Enabled | ok |
| Internet Explorer Processes (MIME Sniffing) | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\MIME Sniffing Safety Feature | Enabled | ok |
| Internet Explorer Processes (MK Protocol Security Restriction) | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\MK Protocol Security Restriction | Enabled | ok |
| Internet Explorer Processes (Object Caching Protection) | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Object Caching Protection | Enabled | ok |
| Configure Outlook Express | User Configuration\Administrative Templates\Windows Components\Internet Explorer | Enabled: Block attachments that could contain a virus | ok |

Note on items 1-2-3:
Enabling these items will disable all add-ons in the users' IE. You therefore need to plan and test this lockdown beforehand.
The links below are documentation for these items:

About ActiveX Controls:
http://msdn2.microsoft.com/en-us/library/aa751971.aspx

Introduction to ActiveX – Part 1-2-3:
http://blogs.technet.com/askperf/archive/2007/11/16/introduction-to-activex-part-one.aspx
http://blogs.technet.com/askperf/archive/2007/11/30/introduction-to-activex-part-two-managing-activex-controls.aspx
http://blogs.technet.com/askperf/archive/2007/12/04/introduction-to-activex-part-three-security-and-security-zones.aspx

The ActiveX Installer Service in Windows Vista:
http://www.microsoft.com/technet/technetmag/issues/2007/07/AxIS/default.aspx

Note on item 4:
Disabling “Allow Active Scripting” also disables JavaScript, which many websites use today. This means that this setting must also be planned and tested.
The IT department must be prepared to maintain a Trusted Sites list.
If you allow users to add to Trusted Sites themselves, you can install “Internet Explorer 5 Power Tweaks Web Accessory” on the individual workstations.
The advantage is that it integrates Trusted Sites into the IE menu.
As an alternative to the above, you can set up a secure proxy in the form of ISA 2006 + GFI Webmonitor or Bluecoat, which can scan HTTP traffic.
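
An added example (not from the original post or from Microsoft's guide): a Python check that compares a .reg export of the machine policy hive with the per-zone Logon Options and the Restricted Sites file-download setting from the recommendations table above. The registry path, the URL-action codes (1A00, 1803) with their values, and the sample export are assumptions constructed for illustration.

```python
import re
# Assumed (not from the page): registry location and URL-action codes of the zone policies.
ZONES_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
ZONE_NAMES = {1: "Local intranet", 2: "Trusted sites", 3: "Internet", 4: "Restricted sites"}
# (zone, URL action) -> (expected DWORD, meaning), following the recommendations table.
BASELINE = {
    (3, "1A00"): (0x10000, "Logon: prompt for user name and password"),
    (1, "1A00"): (0x00000, "Logon: automatic with current user name and password"),
    (4, "1A00"): (0x30000, "Logon: anonymous"),
    (2, "1A00"): (0x20000, "Logon: automatic only in Intranet zone"),
    (4, "1803"): (3, "File downloads: disabled"),
}

def parse_reg(text):
    """Return {(zone, action): value} for DWORD values under the policy Zones key."""
    found, zone = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            m = re.fullmatch(re.escape("[" + ZONES_KEY) + r"\\(\d)\]", line, re.I)
            zone = int(m.group(1)) if m else None
        elif zone is not None:
            m = re.fullmatch(r'"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})', line)
            if m:
                found[(zone, m.group(1).upper())] = int(m.group(2), 16)
    return found

def audit(text):
    """Return (zone name, meaning, status) for each baseline entry that is not met."""
    found, gaps = parse_reg(text), []
    for (zone, action), (want, meaning) in BASELINE.items():
        got = found.get((zone, action))
        if got != want:
            status = "not set by policy" if got is None else f"0x{got:X}, expected 0x{want:X}"
            gaps.append((ZONE_NAMES[zone], meaning, status))
    return gaps

# Constructed export: Internet zone allows automatic logon; Restricted sites lacks 1803.
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1A00"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1A00"=dword:00020000
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1A00"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1A00"=dword:00030000
"""
if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Registry exports are written as UTF-16 text, so read the file with encoding="utf-16" before passing its contents to audit().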