Keep IE secure by configuring the right settings

Tags: ActiveX/COM/COM+/DCOM, Web browsers, Microsoft Windows, Michael Mullins CCNA, MCP, ActiveX Control, Microsoft Internet Explorer, security, Security Solutions Newsletter

Takeaway: IE has the ability to provide a secure browsing experience. But it's the responsibility of the organization or the user to configure it properly. In this edition of Security Solutions, Mike Mullins tells you how to configure the right security settings for IE.

Most Web browsers offer the option of controlling a wide variety of potential security issues and annoyances, yet each browser takes a different approach to handling these issues. Let's take a look at the method that Microsoft's Internet Explorer (IE) uses to provide a secure browser experience.

When it comes to the newer versions of Windows (including Windows XP, Windows Server 2003, and Windows 2000), IE 6 is an extension and integral part of the operating system. Using IE 6, you can block pop-ups, disable Java and ActiveX controls, and protect yourself from cross-site scripting.

You can access these options by going to Tools | Internet Options in Internet Explorer and selecting the Security tab. This area also allows you to configure security zones for different levels of trust for different Web sites.

The security settings you select here control the security for each zone. Here's a look at the default security settings for IE.

| Security option | Low | Medium-Low | Medium | High |
|---|---|---|---|---|
| ActiveX Controls | | | | |
| Download signed ActiveX controls | Enable | Prompt | Prompt | Disable |
| Download unsigned ActiveX controls | Prompt | Disable | Disable | Disable |
| Initialize and script ActiveX controls not marked as safe | Prompt | Disable | Disable | Disable |
| Run ActiveX controls and plug-ins | Enable | Enable | Enable | Disable |
| Script ActiveX controls marked safe for scripting | Enable | Enable | Enable | Disable |
| Downloads | | | | |
| File download | Enable | Enable | Enable | Disable |
| Font download | Enable | Enable | Enable | Prompt |
| Miscellaneous | | | | |
| Access data sources across domains | Enable | Prompt | Disable | Disable |
| Allow META REFRESH | Enable | Enable | Enable | Disable |
| Display mixed content | Prompt | Prompt | Prompt | Prompt |
| Don't prompt for client certificate selection when no certificates or only one certificate exists | Enable | Enable | Disable | Disable |
| Drag and drop or copy and paste files | Enable | Enable | Enable | Prompt |
| Installation of desktop items | Enable | Prompt | Prompt | Disable |
| Launching programs and files in an IFRAME | Enable | Prompt | Prompt | Disable |
| Navigate sub-frames across different domains | Enable | Enable | Enable | Disable |
| Software channel permissions | Low safety | Medium safety | Medium safety | High safety |
| Submit non-encrypted form data | Enable | Enable | Prompt | Prompt |
| Userdata persistence | Enable | Enable | Enable | Disable |
| Scripting | | | | |
| Active scripting | Enable | Enable | Enable | Disable |
| Allow paste operations via script | Enable | Enable | Enable | Disable |
| Scripting of Java applets | Enable | Enable | Enable | Disable |
| User Authentication | | | | |
| Logon | Automatic logon with current username and password | Automatic logon only in Intranet zone | Automatic logon only in Intranet zone | Prompt for user name and password |

Let's take a look at how you can best apply these default settings in each zone to ensure security:

  • Internet: When it comes to security risks for your computer and your network, consider this to be the Wild West. I recommend selecting the Medium level, which disables most ActiveX content (unless signed by a trusted publisher).
  • Local Intranet: This zone controls internal corporate Web pages, and you should set its security level to Low. This provides all of the functionality that the browser has to offer with the most permissive security settings.
  • Trusted Sites: This zone controls the Web sites, external to your own network, that you trust. Such sites typically include your bank, your personal e-mail site, etc. I suggest setting this zone to Medium-Low or Low if required to properly display all of the content of these select trusted sites.
  • Restricted Sites: This zone addresses the Web sites that you probably shouldn't be visiting anyway. The default setting for this zone is High—and for good reason. I don't recommend modifying this setting under any circumstances.

While these are the suggested security settings, you can also modify and create a custom setting for each zone if you prefer. However, the four default settings generally provide the balance of security and functionality that you're looking for.

In a corporate environment, you can deploy these settings throughout the enterprise. You can do so by using the Internet Explorer Administration Kit and deploying those settings through a package delivery system such as Systems Management Server (SMS).
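Once settings are deployed, they can be checked by auditing a `reg export` of the Internet Settings\Zones key against the Medium and High columns of the table above. The following is an added example, not code from the article or from Microsoft: the registry path, the numeric value names and the DWORD meanings (0 = Enable, 1 = Prompt, 3 = Disable) are Microsoft's documented ones rather than anything listed in the article, and the sample export is constructed.

```python
import re

# Zone-setting value names in the registry. These URL-action numbers are
# Microsoft's documented IDs, not from the article; labels follow the table.
ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1201": "Initialize and script ActiveX controls not marked as safe",
    "1200": "Run ActiveX controls and plug-ins",
    "1803": "File download",
    "1400": "Active scripting",
}
STATE = {0: "Enable", 1: "Prompt", 3: "Disable"}  # stored DWORD -> table wording
RANK = {"Disable": 0, "Prompt": 1, "Enable": 2}   # higher = more permissive
# Baselines copied from the table's Medium and High columns, in ACTIONS order.
BASELINE = {
    "Medium": dict(zip(ACTIONS, ["Prompt", "Disable", "Disable", "Enable", "Enable", "Enable"])),
    "High": dict.fromkeys(ACTIONS, "Disable"),
}
ZONES = {"3": ("Internet", "Medium"), "4": ("Restricted Sites", "High")}  # recommended levels
SECTION = re.compile(r"^\[HKEY_[^\]]*\\Zones\\(\d)\]$")
VALUE = re.compile(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$')

def audit(reg_text):
    """Return (zone, setting, found, expected) for each value looser than baseline."""
    findings, zone = [], None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("["):
            m = SECTION.match(line)
            zone = m.group(1) if m else None
            continue
        m = VALUE.match(line)
        if not m or zone not in ZONES or m.group(1) not in ACTIONS:
            continue
        name, level = ZONES[zone]
        found = STATE.get(int(m.group(2), 16), "Unknown")
        expected = BASELINE[level][m.group(1)]
        if RANK.get(found, 3) > RANK[expected]:  # unknown values are flagged too
            findings.append((name, ACTIONS[m.group(1)], found, expected))
    return findings

# Constructed sample in .reg export format (not from a real machine).
SAMPLE = r'''[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000001
"1004"=dword:00000000
"1400"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1803"=dword:00000001
'''
```

On the sample, `audit(SAMPLE)` reports unsigned ActiveX download enabled in the Internet zone and file download set to Prompt in Restricted Sites; settings equal to or stricter than the baseline are not reported.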

Final thoughts

IE has the ability to provide a secure browsing experience. However, it's the responsibility of the organization or the user to configure it properly. Most important, apply security measures against those sites that aren't in your security zone.

Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.
