Using Group Policy Editor (gpedit.msc) to harden IE 9

Having explored the use of Group Policy Editor in Win 7 Ultimate to harden Internet Explorer 9, I've come up with a number of settings so far which I feel should re-enforce IE 9's security considerably. Of course gpedit.msc is only available in Pro, Ultimate & Enterprise versions of Windows.

To open Group Policy Editor: Start-> Run-> type "gpedit.msc" (without quotes)-> <Enter>

Note: this is has to be run as Administrator so you can either open it from your administrative account or right click gpedit.msc and choose "Run as administrator" from your Standard account.

The "Local Group Policy Editor" will now be opened. Next, go to:

Local Computer Policy-> Computer Configuration-> Administrative Templates-> Windows Components-> Internet Explorer

The following settings are Enabled:

• Disable showing the splash screen
• Prevent participation in the Customer Experience Improvement Program
• Security Zones = Do not allow users to change policies

Next, go to:

Internet Control Panel-> Advanced Page

The following settings are Enabled:

• Check for server certificate revocation
• Do not allow resetting Internet Explorer settings
• Check for signatures on downloaded programs
  
  Disabled
  
• Allow software to run or install even if the signature is invalid

Next, go to:

Internet Control Panel-> Security Page

The following settings are Enabled:

• Internet Zone Template = Medium High
• Restricted Zones Template = High
• Trusted Zones Template = Medium
• Turn on Warn about Certificate Address Mismatch
• Site to Zone Assignment List: Sites that you trust and don't want "broken" by the Medium High Internet Zone can be placed here with a value of "2" (= Medium for Trusted Zone).

So far this it, although there could be other settings enabled if I find them. Any advice or suggestions is appreciated

 

Thanks. I personally just remove IE entirely but for those who use it it's probably very helpful to have it locked down.

 

Hello, my good sir...

I also harden IE9... It's blocked...

But, for those interested, you could also check this file from Microsoft (English). Give it a read and see which security policies you'd like to apply. Some of them are mentioned by user wat0114

Internet Explorer 8 Desktop Security Guide:

http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=23790

 

You're welcome. I've recently decided just to stick with IE indefinitely, especially as part of my on-going efforts to remain 3rd part free, and will only change to an alternative browser if something breeches IE.

Thank you, m00nbl00d! I will check it out soon.

 

IE9's a good browser, definitely secure.

 

Not if you got Java installed... Even with all Java plugins disabled, Java still works. The other thread was self-explanatory.

 

Isn't that the case with Firefox and Opera as well?

 

Not from what I recall? Anyway, in case of doubt, we can always check the other thread. I wish not to polute wat0114 thread with this off-topic.

 

No worries, all is good

I tested with my current settings and result shown in attachment...

Is this still not considered secure? I didn't read that thread you mention too thoroughly.

 

Try the following:

With Java enabled, go to Java test page http://www.java.com/en/download/testjava.jsp

Then, disable all Java plugins. Make sure you select to show ALL addons. Disable any plugin related to Java. Clean any temporary files from IE. Go back to the Java test page.

In my test, and in elapsed test, Java still loaded, despite the test page saying Java couldn't be found.

I couldn't tell from your image, if you got ActiveX protection enabled? That would stop it, if I well recall it. Not sure. But, it's not a setting enabled by default, so most people would be screwed.

One could also block Java in Group Policy Editor, in IE settings.

-edit-

Link to elapsed's post https://www.wilderssecurity.com/showpost.php?&p=1953267&postcount=81

This is part of my post, which I posted before elapsed:

 

I still have no idea how it works, but to be fair why would you install Java in the first place if you wanted to disable it? If you wanted some kind of whilelist of websites you can use one, or stick to ActiveX filtering which is simpler.

 

Quite simple, actually. I do need Java, because I need to use an application that does require it. But, I don't need it for my browsing, except once a year. So, why not simply have it blocked at all times?

And, like you, I still got no idea why Java still loads in IE, when the plugins are all disabled, but that's not really the point. I just raised a general concern, that's all. The reason being that ActiveX filtering isn't enabled by default. Are all IE9 users aware of such setting? But, some of them may have some plugins disabled, even without knowing what they did, because IE9 does ask if the user wants to disable plugins. A relative of mine disabled a few BHOs, and I had to reenable Prevx BHO.

Also, website whitelisting doesn't work in Java plugin. It does work with Flash, but not with Java. I tested it sometime ago, and even asked MrBrian, back then, if could whitelist, but he couldn't either.

The option is there, but it doesn't work.

 

My mistake. I did not have a firewall rule to allow java.exe to port 53 DNS. Also, I'm using IE9 x64 now. It doesn't seem to suppport Java.

*EDIT* I see a supported x64 Java version. Will try it.

EDIT

So far I can't find a way to disable Java, not even in GP editor. I willl use x64 IE and x64 Java.

 

EDIT

Updated settings in green.

Local Computer Policy-> Computer Configuration-> Administrative Templates-> Windows Components-> Internet Explorer

The following settings are Enabled:

• Security Zones: Do not allow users to add/delete sites
• Disable showing the splash screen
• Prevent participation in the Customer Experience Improvement Program
• Security Zones = Do not allow users to change policies

Next, go to:

Security Features-> Mime Sniffing Safety Feature

• Internet Explorer Processes

Next, go to:

Internet Control Panel

• Prevent ignoring certificate errors

Next, go to:

Internet Control Panel-> Advanced Page

The following settings are Enabled:

• Check for server certificate revocation
• Do not allow resetting Internet Explorer settings
• Check for signatures on downloaded programs
  
  Disabled
  
• Allow software to run or install even if the signature is invalid

Next, go to:

Internet Control Panel-> Security Page

The following settings are Enabled:

• Internet Zone Template = Medium High
• Restricted Zones Template = High
• Trusted Zones Template = Medium
• Turn on Warn about Certificate Address Mismatch
• Site to Zone Assignment List: Sites that you trust and don't want "broken" by the Medium High Internet Zone can be placed here with a value of "2" (= Medium for Trusted Zone).

 

It asks if you want to enable them when you install them, that's it. The general user isn't going to install Java then disable it, if they even know what disabling a plugin is.

wat0114, nice list. Do you think enabling TLS 1.1 and 1.2 would be considered "hardening"?

 

Thank you Elapsed. Yes, I've looked at that and wondered the same thing. Maybe I'll try it. Thanks!

 

Thanks for the settings wat I noticed some of these sites were already enabled for me so guess I didn't have much tweaking in internet control panel.

 

Internet Control Panel-> Advanced Page

The following settings are Enabled:

• Do not save encrypted pages to disk
• Turn off Encryption Support - Only Use TLS 1.0

 

This setting is in Local Computer Policy-> Computer Configuration-> Administrative Templates-> Windows Components-> Internet Explorer

 

Thank you 1chaotic! I've corrected this

Would you suggest this plus Elapsed's recommendation? Thank you for the suggestions!

 

No problem wat. I would definitely add do not save encrypted pages to disk. I use this setting myself. Not sure about the other one.

 

Okay, I've added that first one. It makes sense to do so.

 

Indeed it does.

 

Both of those are BAD settings. Here's why:

1. The way this functions means if you enable it, you CANNOT download any files from HTTPS sources, because anything from such sources isn't allowed disk access at all. It's a great privacy feature sure, but as hardening? No, definitely not.
2. It is not a good idea to turn off SSL 3.0 yet, there are still sites that only support 3.0, including some devices like routers that only support 3.0 for logging into their admin panel. The only security you should have disabled is 2.0, which is disabled by default. SSL 3.0, TLS 1.0, 1.1, 1,2 should be enabled.

 

Thank you. I'll prefer to keep my settings for 1, and will follow your suggestion on 2.