Tested: Make IE8 the safest webbrowser

[Kees1958]

EDIT1: With safest I mean fully functioning for the average Joe/Jane. Everybody knows that pure text based browsers are the safest, followed by browsers which are lumped/degarded by disabling dynamic code options (some browsers are so badly designed they need to be crippled to use safely ).

EDIT2: Let's hope Sully implements some of these in PGS version 2

EDIT3: Install Keyscrambler free first before applying these tweaks

EDIT4: Vista and Windows7 users only have to apply tweaks on first 3 posts (XP also apply tweak of post 10)


It is simple

What does it do?

When SWITCH_BLOCK_ON
a) It does not allow Internet Explorer to Download files (Attachements) with a risk indication of high, see microsoft http://support.microsoft.com/kb/883260 (it is the list which starts with .ADE).
b) It blocks execution of these files by Explorer. You can remove this restriction by right clicking the file, select properties, click the general tab (see picture)


When SWITCH_BLOCK_OFF
This is the defualt situation (before tweak)
a) You will be warned when downloading a file (default situation, unless you have changed the regular file download warning setting yourself, this is the default/standard setting) by Internet Explorer
b) You will be warned when executing a file by Explorer which comes from the internet zone.


Usage instructions
1. Works from IE6 and higher

2. You have to exit/start IE before policy is activated

3. Download attached text files and change extention from txt ro reg

SWITCH_BLOCK_ON.reg (was downloaded SWITCH_BLOCK_ON.txt)

SWITCH_BLOCK_OFF.reg (was downloaded SWITCH_BLOCK_OFF.txt)

4. You have to run these reg files from ADMIN space (somewhere in C:\Windows or Program FIles) when you use Software restriction Policies (or use PGS to implement on home versions).

[Kees1958]

To further strengthen IE8, you can manually change the settings

as described by PCTools http://www.pctools.com/guides/registry/detail/537/ I would choose to set:

Advanced
Cache
Certficates
Connections Settings
HomePage (prevents changing homepage, make sure it has the right setting)
Profiles (make sure you have set security, privacy, selected cross site filter on, phising philter on and cookie/popup set correctly).
Proxy



When you want to fix the search engine (also a point of attack of adware related taskbars etc)

Open Regedit and navigate to this key
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions

Add REG_DWORD called NoChangeDefaultSearchProvider
Give it the vaue 1 (see picture, no search box removes engine box, not the ability to search from the web address box)


Regards Kees

[Kees1958]

Lastly, you may want the user to deny the right to change status of browser extentions (effectively stops adding plug ins, when you run UAC inVista or Windows7 or use DropMyRIghts or SRP in XP). Adding new plug ins is also a common trick of malware.

http://support.microsoft.com/kb/883256

Set NoExtensionManagement to 1

[Sjoeii]

Thanks
Very usefull settings

[andyman35]

Nice post Kees.

[cqpreson]

Great post.Thank you.

[jmonge]

thanks kees man you are on fire

[arran]

Interesting but its not just some thing IE has firefox also marks downloaded files for the Attachment Manager.
http://smallvoid.com/article/ie-attachment-manager.html

[Kees1958]

Quote:

Originally Posted by arran

Interesting but its not just some thing IE has firefox also marks downloaded files for the Attachment Manager.
http://smallvoid.com/article/ie-attachment-manager.html

Yep, Franklin has confirmed this in the post where I asked people to test it, Chrome just ignores this setting (allows to download), but sets the ADS correctly (I prefer Chrome's/Iron's implementation best). At least in the Netherlands, according to market research FF users are not the average Joe/Jane.

[Kees1958]

Another setting found

A Protection against clickjacking, see for explanation http://technet.microsoft.com/nl-nl/l...17(WS.10).aspx

Create a key

HKEY_Current_User\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS

Create a REG_WORD with the name iexplorer and value 1

It should look like this see picture

[Threedog]

Thanks Kees. I have been playing around with your settings on my XP VM and it has really tightened things up.

[arran]

for firefox users Noscript already provides protection from clickjacking.

[Zombini]

On Vista and Win7 I wouldn't come near a mile from Firefox. It doesn't have a Protected Mode like IE8, and without it you are just asking for trouble. Stick with IE8. Noscript will help with script based attacks, but not with anything else. It has NO SAFETY NET.

[dw426]

Quote:

Originally Posted by Zombini

On Vista and Win7 I wouldn't come near a mile from Firefox. It doesn't have a Protected Mode like IE8, and without it you are just asking for trouble. Stick with IE8. Noscript will help with script based attacks, but not with anything else. It has NO SAFETY NET.

Going with that reasoning it wouldn't matter whether it was XP, Vista or Win 7, Firefox would be unsafe regardless. Firefox, and, most other browsers, imho would be even safer on Vista/7 due to UAC. That being said, this was a good thread, I'll put it to use on my current system and, in a few weeks when it arrives, Win 7 on my new system.

[Kees1958]

Quote:

Originally Posted by arran

for firefox users Noscript already provides protection from clickjacking.

The title of this topic: best without functional degrading the browser for the average user. It is also possible with IE, to disallow scripts, java, flash, binary content in Iframes, etc. Then you have the basic functionality of a text based browsers. But there are better text based browsers (smaller footprint, faster, like Lynx f.i.) than a degraded normal browser.

Despite a lot of laughter at MicroSoft (with reason Opera was by far the better browser in the past) IE8 really is not a bad browser with one of the best phising/smartscreen filters and cross site scripting protection. The latter (years after . . . ) is still not a standard feature of FF. With 3.6 you will get CSP and finally have protecton for cross site scripting with FF.

[arran]

Quote:

Originally Posted by Zombini

On Vista and Win7 I wouldn't come near a mile from Firefox. It doesn't have a Protected Mode like IE8, and without it you are just asking for trouble. Stick with IE8. Noscript will help with script based attacks, but not with anything else. It has NO SAFETY NET.

What makes you think IE8 is safer than firefox? Can you please elaborate as to what exactly Protected Mode in IE8 is?

you can customize FF with security/Privacy add ons.

can IE8 block super cookies?
can IE8 block ping tracking?
can IE8 disable history?
can IE8 ensure safe https connections like FF add on Perspectives?
can IE8 block ads and have a white list with sites that are allowed to show ad's?
can IE8 block cookies and have a white list of sites that are allowed to give you cookies?
can IE8 block web bugs?
can IE8 block user agent?
can IE8 disable referrer?
can IE8 block web pages from refreshing them selves?
can IE8 block Iframe?

If IE8 can do all these things like FF then you have my attention. also Noscript covers cross site scripting. That said I use FF in combination with admuncher. I do believe it is much safer to use something like admuncher as a proxy/gateway rather than allowing your browser to Directly connect to websites.

And I do admire Kees1958 idea of using the available tools and configurations on the actual OS to harden your pc instead of installing and using 3rd party software. But I don't think that the available registry tweaks and OS tools we have can cover everything with out using 3rd party software. We really need another forum for OS hardening tweaks. Because for some one to go for the strategy of OS hardening it would be difficult searching thru all these forums for Kees1958's tweaks. I have been bookmarking Kees1958's threads for future reference.

[Sully]

Quote:

Originally Posted by arran

And I do admire Kees1958 idea of using the available tools and configurations on the actual OS to harden your pc instead of installing and using 3rd party software. But I don't think that the available registry tweaks and OS tools we have can cover everything with out using 3rd party software.

This depends on how you enjoy your OS. It is definately possible to create as much protection as any/all 3rd party solutions. I think it comes down more to the ease of use 3rd party apps give you over OS implemented answers. The bane of 3rd party apps is of course BSOD or some sort of conflict that could ensue. I also enjoy seeing Kees or anyones approaches that utilize OS resolutions, and the more creative the better for me.

Sul.

[Eice]

Quote:

Originally Posted by arran

If IE8 can do all these things like FF then you have my attention.

Unfortunately you have your attention on all the wrong details: the unimportant details that tinfoil-hat paranoid users typically obsess over due to lack of knowledge, rather than real security.

[Kees1958]

Quote:

Originally Posted by arran

What makes you think IE8 is safer than firefox? Can you please elaborate as to what exactly Protected Mode in IE8 is?

you can customize FF with security/Privacy add ons.

can IE8 block super cookies?
can IE8 block ping tracking?
can IE8 disable history?
can IE8 ensure safe https connections like FF add on Perspectives?
can IE8 block ads and have a white list with sites that are allowed to show ad's?
can IE8 block cookies and have a white list of sites that are allowed to give you cookies?
can IE8 block web bugs?
can IE8 block user agent?
can IE8 disable referrer?
can IE8 block web pages from refreshing them selves?
can IE8 block Iframe?

If IE8 can do all these things like FF then you have my attention.

Disable history, go into porn mode orInprivate
Ensure Safe HTTPS, IE checks certifcates, there is a tweak where user can't ignore this

Block cookies, white list (default functionality, only IE comes in a more useable default)

Block Iframe: you can set this yourself in the zone setting (ask, deny or allow).

Lately an addblock type of plug-in is available see AKO's excellent list

Web Bugs, there is a setting to block dynamic behaviour of binaries (like OutLook does), on top of that IE has a better setting, not to allow OTHER webpages to touch the dynamic code in the cache. I will not post these tweaks, because some sites use this to store encrypted transfer tokens (e.g. when you buy music, you switch to a safe payment service, you return to the download). Considering the risk of web bugs, with the excellent Mime Sniffing/enforcing mechanismes in IE, I think there are bigger fish in the ocean to worry about.

Since you like to worry (most of us do at Wilders, so this is not intended sarcastically Https://developer.mozilla.org/En/How...nes_MIME_Types and http://adblockplus.org/blog/the-haza...-mime-sniffing


Regards Kees

[arran]

Quote:

Originally Posted by Eice

Unfortunately you have your attention on all the wrong details: the unimportant details that tinfoil-hat paranoid users typically obsess over due to lack of knowledge, rather than real security.

LOL
says the man who has a browser in their sig with Privacy Issues, what a clown you are. We have had these browser discussions before with Rmus in other threads, there is known malicious-links which can bypass FF Noscript. and if you know of any which can bypass my setup by all means show me.

[m00nbl00d]

Quote:

Originally Posted by arran

What makes you think IE8 is safer than firefox? Can you please elaborate as to what exactly Protected Mode in IE8 is?

you can customize FF with security/Privacy add ons.

Exactly! With addons, not natively. So, let's no go on the path which browser (I repeat: browser.) offers more security/privacy.

Quote:

Originally Posted by arran

can IE8 block super cookies?
can IE8 block ping tracking?
can IE8 disable history?
can IE8 ensure safe https connections like FF add on Perspectives?
can IE8 block ads and have a white list with sites that are allowed to show ad's?
can IE8 block cookies and have a white list of sites that are allowed to give you cookies?
can IE8 block web bugs?
can IE8 block user agent?
can IE8 disable referrer?
can IE8 block web pages from refreshing them selves?
can IE8 block Iframe?

1. Cookies

You can block all cookies, and then allow only the ones you want to allow, therefor creating a whitelist of cookies.

Personally, I rather handle with cookies my self, than let a third-party tool do it.

2. History

As Kees mentioned, you may browse in InPrivate mode and set the days to keep history to 0.

3. Disabling refreshing

Yes, it is possible

Quote:

If IE8 can do all these things like FF then you have my attention. also Noscript covers cross site scripting. That said I use FF in combination with admuncher. I do believe it is much safer to use something like admuncher as a proxy/gateway rather than allowing your browser to Directly connect to websites.

There's been a long time since I last used Firefox (was way too buggy and too slow), but I don't remember it being able to stop referrer and a few other things on its own, without the help of add-ons.

It is quite easy to say that Firefox does this or that, when using third-party add-ons.

I wonder if all this hype for Firefox would ever exist without the damn add-ons.

Firefox blocks ads... Yes, it does... Using third-party add-ons.
Firefox blocks flash... Yes, it does... Using third-party add-ons.
Firefox allows you not to allow/block javascript in full ... Yes, it does... Using third-party add-ons (NoScript)

Add-ons, add-ons....

[Daveski17]

there is known malicious-links which can bypass FF Noscript.

Bugger!

[chronomatic]

Just use Chromium or a variant of it. It has a built-in sandbox (which is equivalent to IE's Protected Mode), but is a much better performer than IE, which is by far the slowest of all browsers. Chrome/Chromium/Iron tends to be the fastest browser.

And Firefox can be made to run in Protected Mode as well, but it requires reg hacks.

Any link for the Protected Mode in Firefox?

[Daveski17]

Quote:

Originally Posted by chronomatic

Just use Chromium or a variant of it. It has a built-in sandbox (which is equivalent to IE's Protected Mode), but is a much better performer than IE, which is by far the slowest of all browsers. Chrome/Chromium/Iron tends to be the fastest browser.

And Firefox can be made to run in Protected Mode as well, but it requires reg hacks.

Well, these days, if I'm not in SeaMonkey with NoScript, I'm in Iron, so I should be OK (I have WOT on both). Plus I always have Opera. On my laptop Iron is definitely the fastest, IE 8 is like browsing in slo-mo!