IE Hardening

[whitedragon551]

Im thinking about running IE exclusively over FF.

Anyone have any tips, recommendations, etc. to harden IE. Id prefer to use IE x64 on my Win 7 x64 Pro install.

I currently use ABP and the ABP Element Hidder in FF along with Xmarks, LinkExtend, DrWebLink Checker, and a few addons to make FF look like Chrome.

[Cudni]

allow scripting, java and javascript and activex only in Trusted zone, disallowed in others

[whitedragon551]

How do I set a website as trusted or untrusted?

[funkydude]

Quote:

Originally Posted by whitedragon551

How do I set a website as trusted or untrusted?

In the same menu that you move the slider/customize what can run in the trusted zone, there should be a button called "Sites". I would enable protected mode in it thought.

[whitedragon551]

Will do. Do I have to manually enter every single site or is there a whitelist I could use? Seems rather tedious for one person to whitelist every single site as trusted that they want to visit.

[m00nbl00d]

Quote:

Originally Posted by whitedragon551

Will do. Do I have to manually enter every single site or is there a whitelist I could use? Seems rather tedious for one person to whitelist every single site as trusted that they want to visit.

Manually done.

[funkydude]

Quote:

Originally Posted by whitedragon551

Will do. Do I have to manually enter every single site or is there a whitelist I could use? Seems rather tedious for one person to whitelist every single site as trusted that they want to visit.

I don't really see the need for it, it seems rather pointless. I was just helping you because you were curious. Doesn't it technically reduce your protection? What if a trusted site gets hacked? I've never trusted any site just kept all levels on default + protected mode.

[whitedragon551]

Ok so far under security zones I have each of the 4 set to Medium High with Enable Protected Mode enabled for each.

Anything else I can do?

[m00nbl00d]

Quote:

Originally Posted by whitedragon551

Ok so far under security zones I have each of the 4 set to Medium High with Enable Protected Mode enabled for each.

Anything else I can do?

For both Internet and Trusted zones I have disabled the download of font types (way in the bottom), iframes, web sites in a zone with less privileges can elevate to higher zones.

Then, in in Advanced tab I have enabled Always show coded addresses (or something like that in English.) and do not save encrypted pages.

Make sure you've got SmartScreen enabled. And, DEP.

[CloneRanger]

You might also like to look at these guides

Internet Explorer Security Zones - http://www.nwnetworks.com/iezones.htm

How to use security zones in Internet Explorer - http://support.microsoft.com/kb/174360

Internet Explorer security zones registry entries for advanced users - http://support.microsoft.com/kb/182569

[whitedragon551]

Smartscreen is enabled. DEP is enabled for all programs within the OS.

Ok I was reading one of CloneRangers links. In one of them it said frames can allow a website to span multiple zones. If a trusted site is clean and later adds a link to an external malicious site with a .exe file. The .exe file will run under the trusted sites permissions. Anyone to prevent that from happening?

CloneRanger I know you do alot of hardening from your super in depth posts. Are the tips I have so far here worth using? If some arent which ones are?

[CloneRanger]

@ whitedragon551

Thanks for your kind words

I don't use IE much these days, but when i do it's good old IE6

I can't comment on the IE plugins etc that others have suggested, due to the above.

One i can Highly recommend is this.

QuickSet Internet Zone Application qsiz.exe from TeraByte Inc & it's Free Never had any problems with it and it always works. Not sure if it's compatable with IE 7/8 though ? but you can soon find out

With it you can quickly Enable/Disable any/all these on the fly



I only have scripting set, as i've disabled all the others or set to prompt within IE.

Within IE i have iframes DISABLED & suggest you do too, or set to PROMPT. I can't remember ever needing them anyway !

[whitedragon551]

Ok heres a list of what Ive done so far.

Internet Zone:
Enabled Protected Mode
Disable Font Downloads
Disable IFrames
Disable Websites in a less priveledged zone can navigate into this zone
Enabled SmartScreen Filter

Local Intranet:
Enabled Protected Mode
Disable Font Downloads
Disable IFrames
Disable Websites in a less priveledged zone can navigate into this zone
Enabled SmartScreen Filter

Trusted Sites:
Enabled Protected Mode
Disable Font Downloads
Disable IFrames
Disable Websites in a less priveledged zone can navigate into this zone
Enabled SmartScreen Filter

Restricted Sites:
Enabled Protected Mode
Disable Font Downloads
Disable IFrames
Disable Websites in a less priveledged zone can navigate into this zone
Enabled SmartScreen Filter

Im thinking about adding these changes to the Internet Zone only.

Run ActiveX Controls and Plugins from Enable to Prompt
Installation of Desktop Items from Prompt to Disable
Launching of Unsafe Files and Applications from Prompt to Disable

In the Advanced Settings Tab I have:

Enabled Do not save encrypted pages to disk
Empty Temp internet folder when IE is closed

All of this behind DynDNS settings through my router which are as follows:
Defense Plan: Block Viruses, Fraudulent Activity, and Phishing
DynDNS Categories Manually Blocked: Advertisements and Popups, Conficker Worm, Phishing, Spam, Spyware

Anyone have any tips for the Advanced Privicy tab that allows filtering of first party and third party cookies? Or any comments on the current changes?

[drhu22]

ZonedOut

http://www.spywarewarrior.com/uiuc/resource.htm


Please note that IE-SPYAD is not an ad blocker. It will not block standard banner ads in Internet Explorer. What this Restricted sites list of known advertisers and crapware pushers will do, however, is:
stop unwanted crapware from being installed behind your
back via "drive-by-downloads";

prevent the hijacking of your home page and other key
Internet Explorer settings;

shut down ActiveX, Java, and scripting, all of which can
be employed to push obnoxious advertising on you and
compromise your privacy and security;

block cookies, which can be used to monitor and track your
travels around the Internet;

combat obnoxious script-based popups that clutter your
screen and force unwanted advertising on you.

[whitedragon551]

XMarks for IE has been installed and bookmarks have been carried over.

[m00nbl00d]

Quote:

Originally Posted by whitedragon551

[...]
Launching of Unsafe Files and Applications from Prompt to Disable

If memory serves me right, if you disable it, you won't be able to save files with IE. Give it a try.

Quote:

Anyone have any tips for the Advanced Privicy tab that allows filtering of first party and third party cookies? Or any comments on the current changes?

I don't personally use IE quite often, but I have it set to block cookies and always run it via shortcut with

Code:

"C:\Program Files\Internet Explorer\iexplore.exe" -private

You can either do this and create a whitelist of cookies you wish to allow, or do this and whenever you wish to allow cookies, allow it, by clicking the blocked cookies icon at IE's bottom bar. (I find this the best solution for me)

[whitedragon551]

Quote:

Originally Posted by m00nbl00d

If memory serves me right, if you disable it, you won't be able to save files with IE. Give it a try.

Tested it with AVG trial download. I didnt save the file to the PC. I just selected run and it ran fine. However Avast wont let me download the free version. The page loaded with errors.

[m00nbl00d]

Quote:

Originally Posted by whitedragon551

Tested it with AVG trial download. I didnt save the file to the PC. I just selected run and it ran fine. However Avast wont let me download the free version. The page loaded with errors.

You can circumvent the issue with not being able to save by using some external downloads manager when needed. If you make use of any, that is.

I just tried to download avast, and web page loaded fine and I was able to start the download using an external download manager.

iframes are being blocked, so that's not the culprit. Every other settings are like yours. Something else is preventing avast from downloading and making website load with errors.

[whitedragon551]

I tried with FF as well and it wouldnt download with FF either. Has to be a system side thing.

[m00nbl00d]

Quote:

Originally Posted by whitedragon551

I tried with FF as well and it wouldnt download with FF either. Has to be a system side thing.

From your signature, it would either be the firewall or dyndns, somehow Or something else you've got there, whatever it may be.

[whitedragon551]

Definitely an issue with IE. FF allows it.

[m00nbl00d]

Quote:

Originally Posted by whitedragon551

Definitely an issue with IE. FF allows it.

OK. then you've got some setting that you forgot to mention, or didn't notice you changed it? Recheck all settings and write them down and report it. As a good practice, restore all settings, then change one by one and try to download, and move on to next setting.

[whitedragon551]

Everything back at defaults and still a no go. Error message is of a .js which leads me to believe its a java script error. Which wouldnt be uncommon in IEx64. Just to be sure Im going to test IE.

EDIT- IE didnt work either. Same errors as IEx64. Both with default settings. But it works in FF just fine. I guess this is exactly why I dont use M$ tools and programs.

[whitedragon551]

Got the downloads working with the below configuration. Any other things I should tweak?

Quote:

Originally Posted by whitedragon551

Internet Zone:
Enabled Protected Mode
Disable Font Downloads
Disable IFrames
Disable Websites in a less priveledged zone can navigate into this zone
Enabled SmartScreen Filter

Local Intranet:
Enabled Protected Mode
Disable Font Downloads
Disable IFrames
Disable Websites in a less priveledged zone can navigate into this zone
Enabled SmartScreen Filter

Trusted Sites:
Enabled Protected Mode
Disable Font Downloads
Disable IFrames
Disable Websites in a less priveledged zone can navigate into this zone
Enabled SmartScreen Filter

Restricted Sites:
Enabled Protected Mode
Disable Font Downloads
Disable IFrames
Disable Websites in a less priveledged zone can navigate into this zone
Enabled SmartScreen Filter

In the Advanced Settings Tab I have:

Enabled Do not save encrypted pages to disk
Empty Temp internet folder when IE is closed