Using Group Policy Editor (gpedit.msc) to harden IE 9

Discussion in 'other software & services' started by wat0114, Oct 12, 2011.

Thread Status:
Not open for further replies.
  1. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    You and me both. But, I suppose they're the same. It actually makes sense that the three options are there (Prompt, Enable and Disable) in some policies, in case the user does want to enable the policy, but chooses the value to apply.

    My opinion is that either option, Disable or Enabled-Disable, is the same. But, it's something one should test further. :D

    Suppose the following: I allow active scripting for the Restricted Sites Zone. Then I set the corresponding policy to Disabled. Will active scripting be disabled, despite being allowed in IE settings? Or, will it still be allowed, and the only thing being disabled is the user's capability to change the setting in IE's settings?

    I don't know... I suppose the safest way would be to set the policy to Enabled-Disable, just in case. :argh:
     
  2. wat0114

    wat0114 Guest

    On further thought, it would probably be disabled; the setting is enabled but the action for the setting is disabled, thus Active scripting is disabled.
     
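    A way to settle the question above empirically, as an added example that is not from the thread: read the Restricted Sites zone's Active scripting value from the user's preference key and from the policy keys, and report which one applies. The zone number, value name and 0/1/3 meanings are IE's documented registry layout; the ordering between machine and user policy keys is an assumed precedence.

```powershell
# Added example, not from the thread. Restricted Sites is zone 4; value 1400 is
# "Active scripting" (0 = Enable, 1 = Prompt, 3 = Disable). A value under
# Software\Policies overrides the user's own preference; if no policy value
# exists, the user preference applies. Machine policy is checked first (assumed).
$Zone  = 4
$Value = '1400'
$Keys = [ordered]@{
    'Machine policy' = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
    'User policy'    = "HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
    'User pref'      = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
}
$Names = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneSetting {
    param([string]$Key, [string]$ValueName)
    try { (Get-ItemProperty -Path $Key -Name $ValueName -ErrorAction Stop).$ValueName }
    catch { $null }   # key or value absent: nothing set at this level
}

$effective = $null
foreach ($entry in $Keys.GetEnumerator()) {
    $v = Get-ZoneSetting -Key $entry.Value -ValueName $Value
    $label = if ($null -eq $v) { '(not set)' } else { "$v ($($Names[[int]$v]))" }
    '{0,-15} {1}' -f $entry.Key, $label
    # the first level in precedence order that carries a value is the one IE honours
    if ($null -eq $effective -and $null -ne $v) {
        $effective = "$($entry.Key) -> $($Names[[int]$v])"
    }
}
"Effective setting: $effective"
```

Run it before and after toggling the policy between Disabled and Enabled-Disable to see whether the policy key gets a value of 3 or is removed entirely.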
  3. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    It makes sense, I suppose. One can never be sure with Microsoft, though. They seem to enjoy opening holes, just for fun... :argh:
     
  4. wat0114

    wat0114 Guest

    You're being too hard on poor Microsoft. They're awesome ( M$ Shill statement ) :D
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    :D

    I noticed that both Internet Explorer 9 Security Guide (at the image of IE8 Security Guide) and the template (I simply extracted the contents, and got the entries from the XML file :D) have a few policies for User Configuration.

    Any special reason why you chose not to use them?

    There are a few more, but just to name a few.

    I got those set since IE8 Security Guide. I rarely use IE9, though. But, it doesn't hurt to have them.

    By the way, it's insane what I got to do to make IE safer, when compared to Chromium. I just have to disable all plugins, JavaScript and run with an explicit low integrity level. Done deal. :argh:

    I just hope that IE10 will bring profiles... I got my serious doubts, though. But, I truly wish Microsoft could introduce this functionality. It just makes sense to have it. I could have one profile for certain tasks and another for other tasks. As I do with Chromium. :ouch:
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Not sure what you mean. Most of these edits do basically the same things:
    1) Some privacy function/ opt out
    2) Preventing the user from doing something, which will only affect anyone if they're already infected - no different from Chromium.
    3) Requiring further validation for an action

    Chromium by default has very similar policies to IE by default because most of these things would require the infection in the first place or simply interfere with compatibility.
     
  7. wat0114

    wat0114 Guest

    Those are not in the baseline I downloaded via SCM. Also, I've already got X-site scripting protection enabled under the Internet zone under Computer Configuration.
     
    Last edited by a moderator: Nov 13, 2011
  8. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Sorry, what I meant is that besides disabling JavaScript and plugins in Chromium, because I like it that way, all I have to do, to actually kill pretty much anything, is to set Chromium to an explicit low integrity level.

    With IE, such is not possible. IE won't work with an explicit low integrity level applied to it. And, by running multiple Chromium profiles, I can have more than one instance of Chromium running at the same time, all with different security/privacy settings.

    For example, I know I can download and install Chromium templates to control settings in Group Policy Editor and tighten things up. But, that's not what I was trying to express. I just didn't find the best words before. This is actually something I wanted to do for some time now, and I suppose it's a good time to do it these days. :D
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yes but what weaknesses are there in IE that you don't see in Chromium?
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Weaknesses in what way?
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    It just seems like you're saying that for IE9 to be as secure as Chromium you have to put some work into it.

    I don't really see that. I also don't keep up too much with IE9 security... since I generally hate Microsoft's idea of security.
     
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Is the downloaded baseline in a format that could be easily read, by opening it in a text editor?

    If it would be OK to provide it, I'd like to compare it with the file I extracted from SCM.

    I thought SCM would already contain the most up-to-date templates. :D

    I missed that. My bad. :oops:
     
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I was merely looking at it from the perspective of security freaks like us. :D

    To tighten IE9 I have to change a few of its configuration settings, and still make it usable. With Chromium, I just have to perform two simple steps - apply a low integrity level to Chromium and its profile. And, it's still usable.

    With IE9, I probably would have to do trial and error and see if my favorite websites still work and if not find the best balance between security and usability.

    Personally, I'd prefer to be able to apply an explicit low integrity level to IE.

    I suppose it depends how one looks at it.
     
  14. wat0114

    wat0114 Guest

    From the SCM program, it can be exported to an .xls or .xlsm file, then read with MS Excel or a compatible program.

    BTW m00nbl00d, regarding IE security, it runs one process at low IL and a Broker process at medium IL (which you probably already know). As far as web browsing is concerned, as well as browser extensions and ActiveX controls, these are run in the low IL process. Only the changing of option settings or Save As is done in the medium IL Broker process.
     
  15. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, I know that. But, it's impossible to apply an explicit low integrity level - all processes in low integrity, both broker and children.

    Running "normal" Protected Mode could in theory (the same with Chromium... remember Vupen exploit against Chrome's sandbox, by exploiting Flash?) be possible to go from low to medium/high, breaking out of the sandbox. With an explicit low integrity level, such would not happen... unless a serious bug exists in Windows code. :argh:
     
  16. wat0114

    wat0114 Guest

    Okay, but the web content runs in the Low IL process, and isn't that where malicious code would run as well, therefore held at Low IL?

    No, I don't remember that one, but I'll certainly take your word for it that it happened. If the process does break out and goes to, say, Medium IL, it still can't write to an object of equal or lesser IL unless the Discretionary Access Control List (DACL) grants it permission to do so, so it seems, as far as I understand it, it's not necessarily that easy to exploit an equal or lesser IL object by a given process. I should mention, however, that malware running in IE9's protected mode IL could still read the user's documents, but at least it can't modify the user's account settings.
     
    Last edited by a moderator: Nov 13, 2011
  17. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yes, the Vupen exploit (never released, never seen in the wild, details unknown other than a BO on Flash) was said to run at medium integrity, that's the integrity of the broker process.

    If it wanted high it would need to ask for admin rights.

    Running at low is a good way to further reduce the impact but you have to mess with some folders/ settings, which is a pain.
     
  18. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Not necessarily. To be honest I don't remember much of what was said about the Vupen's exploit, but it's something I'll look into. But, considering that it would need to ask for administrator rights, such would only happen if the account was protected by UAC.

    If no UAC, then no reason to ask for anything. And, in all honesty, a higher % of people not only run their daily tasks under an administrator account, but they also have UAC disabled, so that they won't be "annoyed" by it (whatever they consider to be an annoyance).

    If it weren't for me, a relative of mine would have been running in an administrator account with UAC disabled. That's how it came configured from the computer shop. These folks don't even bother explaining to their customers what something is and what it can do to protect them. Quite shameful.

    Which also means one more thing, in what comes to Internet Explorer: UAC disabled = Internet Explorer 9 running with the same permissions as the user = No Protected Mode.

    That will depend on what program you wish to modify, really. I don't remember about other browsers, but with Chromium, I only need to apply a low integrity level to chrome.exe and to the profile folder.

    What I truly find a painful task with setting up IE this way, is not that it's hard to configure, it's not... It's just that it requires some effort to come to a perfect balance between usability and security. And, lately we've found out that disabling Java in IE's add-ons manager doesn't really disable Java for IE. Madness. :argh:

    To disable Java I actually had to disable it in Group Policy Editor. But, according to Microsoft's info in the documents I've been reading about the templates, it will depend on the situation (the website). So, it may not be disabled at all times. :eek:

    Anyway... I shall not deviate any longer from what this thread is really for - Harden Internet Explorer, and the good work wat0114 is doing by letting us all know about what he has done and for sharing it with us. :thumb:
     
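    The two-step Chromium setup m00nbl00d refers to (a Low label on chrome.exe and on the profile folder), as an added example that is not from the thread. The install and profile paths are assumptions, and icacls needs an elevated prompt to write mandatory labels.

```powershell
# Added example, not from the thread. A process started from a Low-labelled
# executable runs at Low IL; the profile folder must be Low as well, because the
# NW ("no write up") rule stops a Low process writing to Medium-labelled objects,
# so an unlabelled profile would leave the browser unable to save anything.
$ChromeExe     = 'C:\Program Files\Chromium\chrome.exe'           # assumed path
$ChromeProfile = Join-Path $env:LOCALAPPDATA 'Chromium\User Data'  # assumed path

function Set-LowIntegrityLabel {
    param([Parameter(Mandatory)][string]$Path)
    if (Test-Path -LiteralPath $Path -PathType Container) {
        # (OI)(CI): new files and subfolders inherit the label; /t relabels existing ones
        & icacls.exe $Path /setintegritylevel '(OI)(CI)Low' /t /c | Out-Null
    } else {
        & icacls.exe $Path /setintegritylevel Low | Out-Null
    }
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Path (exit $LASTEXITCODE)" }
}

function Test-LowIntegrityLabel {
    param([Parameter(Mandatory)][string]$Path)
    # icacls lists the label as an ACE line such as
    #   Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)
    $acl = & icacls.exe $Path 2>$null
    return [bool]($acl -match 'Mandatory Label\\Low Mandatory Level')
}

foreach ($p in $ChromeExe, $ChromeProfile) {
    Set-LowIntegrityLabel -Path $p
    if (Test-LowIntegrityLabel -Path $p) { "Low label present on $p" }
    else { Write-Warning "No Low label found on $p" }
}
# Start the browser afterwards and confirm in Process Explorer's Integrity column
# that chrome.exe (and its child processes) show Low.
```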
  19. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I remember a lot. I looked into it as much as I could.

    There wasn't a ton of info out there, it was a buffer overflow attack on Flashplayer that allowed for
    1) Download of a payload
    2) Execution of payload/ arbitrary code

    The payload was executed at medium integrity, assuming UAC is on (which it would be since they'd only test a default Windows.)

    Yes, on a non-default windows exploits can be much worse.

    I would think your downloads folder as well as your temp folder.

    Firefox needs quite a few.
     
  20. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Bummer. I tried to install SCM in Sandboxie but it fails, because SQL Server won't install, because Sandboxie won't allow services. :argh:

    I really wouldn't want to install it on my real system, just to get the templates. :D
     
  21. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Can't you configure sandboxie to allow services?
     
  22. wat0114

    wat0114 Guest

    It's well under 1 Gb, but if it's only the services you are concerned about, you can disable them all except for MSSQL$MICROSOFTSCM, which can be set to "Manual" and only start it when you want to run the SCM to create and deploy a policy, then stop it when you're finished. This way the entire installation is only taking up some disk space, but at least it won't be running services and using system resources when you're not using it.
     
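    The start-it-only-when-needed routine wat0114 describes, as an added example that is not from the thread. The service name is the one quoted in the post; the SCM executable path is a placeholder parameter, and the script needs an elevated prompt to change service state.

```powershell
# Added example, not from the thread. Sets the SCM SQL instance to Manual once,
# starts it only for the SCM session, and stops it again afterwards so no SQL
# service stays running between uses.
function Invoke-ScmSession {
    param(
        [Parameter(Mandatory)][string]$ScmExe,          # placeholder: your SCM executable path
        [string]$ServiceName = 'MSSQL$MICROSOFTSCM'     # service name from the post
    )
    $svc = Get-Service -Name $ServiceName -ErrorAction Stop

    # idempotent: keeps the instance from starting at boot
    Set-Service -Name $ServiceName -StartupType Manual

    $wasRunning = ($svc.Status -eq 'Running')
    if (-not $wasRunning) {
        Start-Service -Name $ServiceName
        $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
    }
    try {
        Start-Process -FilePath $ScmExe -Wait   # blocks until SCM is closed
    } finally {
        # only stop what this session started
        if (-not $wasRunning) { Stop-Service -Name $ServiceName }
    }
}

# Invoke-ScmSession -ScmExe 'PLACEHOLDER\path\to\SCM.exe'
```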
  23. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    No, I'm not concerned about the services. I've been using an older laptop with only 60GB (~40GB free), and it's an IDE HDD, and these hard disks are really expensive. The laptop I was using before literally melted down (the motherboard). :D

    I want to keep this laptop with the essential stuff and get rid of the rest as soon as I finish with it. And, I hate having to backup all the time. Sandboxie just makes it easy, you know. :D
     
  24. wat0114

    wat0114 Guest

    With all that free space available, < 1Gb is barely going to make a difference :)
     
  25. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    -edit-

    By the way, I found baselines to download here: http://social.technet.microsoft.com/wiki/contents/articles/1865.aspx

    I believe these to be the same ones that SCM would download? I really just need the XML files or any other format. The ones already bundled with SCM are in XML format, so I suppose they're all in this format.

    I'm already downloading them and will take a look.
     