IE Hardening

Discussion in 'other software & services' started by whitedragon551, Oct 18, 2010.

Thread Status:
Not open for further replies.
  1. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,189
    Location:
    USA
    I'm thinking about running IE exclusively over FF.

    Anyone have any tips, recommendations, etc. to harden IE? I'd prefer to use IE x64 on my Win 7 x64 Pro install.

    I currently use ABP and the ABP Element Hider in FF along with Xmarks, LinkExtend, DrWebLink Checker, and a few addons to make FF look like Chrome.
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    Allow scripting, Java, JavaScript and ActiveX only in the Trusted zone; disallow them in the others.
     
  3. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,189
    Location:
    USA
    How do I set a website as trusted or untrusted?
     
  4. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    In the same menu that you move the slider/customize what can run in the trusted zone, there should be a button called "Sites". I would enable protected mode in it though.
     
  5. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,189
    Location:
    USA
    Will do. Do I have to manually enter every single site or is there a whitelist I could use? Seems rather tedious for one person to whitelist every single site as trusted that they want to visit.
     
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Manually done.
     
  7. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    I don't really see the need for it; it seems rather pointless. I was just helping you because you were curious. Doesn't it technically reduce your protection? What if a trusted site gets hacked? I've never trusted any site, just kept all levels on default + protected mode.
     
  8. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,189
    Location:
    USA
    Ok so far under security zones I have each of the 4 set to Medium High with Enable Protected Mode enabled for each.

    Anything else I can do?
     
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    For both Internet and Trusted zones I have disabled the download of font types (way in the bottom), iframes, web sites in a zone with less privileges can elevate to higher zones.

    Then, in the Advanced tab I have enabled Always show coded addresses (or something like that in English) and do not save encrypted pages.

    Make sure you've got SmartScreen enabled. And, DEP.
     
  10. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
  11. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,189
    Location:
    USA
    Smartscreen is enabled. DEP is enabled for all programs within the OS.

    Ok, I was reading one of CloneRanger's links. In one of them it said frames can allow a website to span multiple zones. If a trusted site is clean and later adds a link to an external malicious site with a .exe file, the .exe file will run under the trusted site's permissions. Any way to prevent that from happening?

    CloneRanger, I know you do a lot of hardening from your super in-depth posts. Are the tips I have so far here worth using? If some aren't, which ones are?
     
    Last edited: Oct 18, 2010
  12. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ whitedragon551

    Thanks for your kind words :)

    I don't use IE much these days, but when i do it's good old IE6 :D

    I can't comment on the IE plugins etc that others have suggested, due to the above.

    One i can Highly recommend is this.

    QuickSet Internet Zone Application qsiz.exe from TeraByte Inc & it's Free :) Never had any problems with it and it always works. Not sure if it's compatible with IE 7/8 though? But you can soon find out ;)

    With it you can quickly Enable/Disable any/all these on the fly :thumb:

    I only have scripting set, as i've disabled all the others or set to prompt within IE.

    Within IE i have iframes DISABLED & suggest you do too, or set to PROMPT. I can't remember ever needing them anyway !
     
  13. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,189
    Location:
    USA
    Ok, here's a list of what I've done so far.

    Internet Zone:
    Enabled Protected Mode
    Disable Font Downloads
    Disable IFrames
    Disable Websites in a less privileged zone can navigate into this zone
    Enabled SmartScreen Filter

    Local Intranet:
    Enabled Protected Mode
    Disable Font Downloads
    Disable IFrames
    Disable Websites in a less privileged zone can navigate into this zone
    Enabled SmartScreen Filter

    Trusted Sites:
    Enabled Protected Mode
    Disable Font Downloads
    Disable IFrames
    Disable Websites in a less privileged zone can navigate into this zone
    Enabled SmartScreen Filter

    Restricted Sites:
    Enabled Protected Mode
    Disable Font Downloads
    Disable IFrames
    Disable Websites in a less privileged zone can navigate into this zone
    Enabled SmartScreen Filter

    I'm thinking about adding these changes to the Internet Zone only.

    Run ActiveX Controls and Plugins from Enable to Prompt
    Installation of Desktop Items from Prompt to Disable
    Launching of Unsafe Files and Applications from Prompt to Disable

    In the Advanced Settings Tab I have:

    Enabled Do not save encrypted pages to disk
    Empty Temp internet folder when IE is closed

    All of this behind DynDNS settings through my router which are as follows:
    Defense Plan: Block Viruses, Fraudulent Activity, and Phishing
    DynDNS Categories Manually Blocked: Advertisements and Popups, Conficker Worm, Phishing, Spam, Spyware

    Anyone have any tips for the Advanced Privacy tab that allows filtering of first party and third party cookies? Or any comments on the current changes?
     
    Last edited: Oct 20, 2010
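
    The checklist in the post above can be read back from the registry, where IE stores each zone's settings as numbered URL actions. The following audit script is an added example, not part of the original thread; the baseline table is an assumption reconstructed from the post, and mapping "Disable IFrames" to action 1804 (Launching programs and files in an IFRAME) is likewise an assumption. It needs PowerShell 3.0 or later.

```powershell
# Added example: audit per-user IE zone settings against the post's checklist.
# Action values: 0 = Enable, 1 = Prompt, 3 = Disable.
$zones = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$root  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Baseline applied to all four zones in the post (assumed mapping to action IDs).
$baseline = @(
    @{ Id = '2500'; Name = 'Protected Mode';                               Want = 0 },
    @{ Id = '1604'; Name = 'Font download';                                Want = 3 },
    @{ Id = '1804'; Name = 'Launching programs and files in an IFRAME';    Want = 3 },
    @{ Id = '2101'; Name = 'Less privileged zone can navigate into zone';  Want = 3 },
    @{ Id = '2301'; Name = 'SmartScreen Filter';                           Want = 0 }
)
# Extra changes the post proposes for the Internet zone only (zone 3).
$internetOnly = @(
    @{ Id = '1200'; Name = 'Run ActiveX controls and plug-ins';       Want = 1 },
    @{ Id = '1800'; Name = 'Installation of desktop items';           Want = 3 },
    @{ Id = '1806'; Name = 'Launching applications and unsafe files'; Want = 3 }
)

function Get-ZoneAudit {
    foreach ($z in 1..4) {
        $checks = $baseline
        if ($z -eq 3) { $checks += $internetOnly }
        # A missing key or value means the setting was never written for this user.
        $props = Get-ItemProperty -Path "$root\$z" -ErrorAction SilentlyContinue
        foreach ($c in $checks) {
            $actual = if ($props) { $props.($c.Id) } else { $null }
            $shown  = if ($null -eq $actual) { 'not set' }
                      elseif ($label.ContainsKey([int]$actual)) { $label[[int]$actual] }
                      else { "raw value $actual" }
            [pscustomobject]@{
                Zone     = $zones[$z]
                Setting  = $c.Name
                Expected = $label[$c.Want]
                Actual   = $shown
                Ok       = ($actual -eq $c.Want)
            }
        }
    }
}

# Show only the settings that differ from the checklist.
Get-ZoneAudit | Where-Object { -not $_.Ok } | Format-Table -AutoSize
```

    The script only reads HKCU; values enforced by Group Policy live under the corresponding Software\Policies key and take precedence over what is shown here.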
  14. drhu22

    drhu22 Registered Member

    Joined:
    Aug 21, 2010
    Posts:
    343
    ZonedOut

    http://www.spywarewarrior.com/uiuc/resource.htm


    Please note that IE-SPYAD is not an ad blocker. It will not block standard banner ads in Internet Explorer. What this Restricted sites list of known advertisers and crapware pushers will do, however, is:
    stop unwanted crapware from being installed behind your
    back via "drive-by-downloads";

    prevent the hijacking of your home page and other key
    Internet Explorer settings;

    shut down ActiveX, Java, and scripting, all of which can
    be employed to push obnoxious advertising on you and
    compromise your privacy and security;

    block cookies, which can be used to monitor and track your
    travels around the Internet;

    combat obnoxious script-based popups that clutter your
    screen and force unwanted advertising on you.
     
  15. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,189
    Location:
    USA
    XMarks for IE has been installed and bookmarks have been carried over.
     
  16. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    If memory serves me right, if you disable it, you won't be able to save files with IE. Give it a try.

    I don't personally use IE quite often, but I have it set to block cookies and always run it via shortcut with
    Code:
    "C:\Program Files\Internet Explorer\iexplore.exe" -private
    You can either do this and create a whitelist of cookies you wish to allow, or do this and whenever you wish to allow cookies, allow it, by clicking the blocked cookies icon at IE's bottom bar. (I find this the best solution for me)
     
  17. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,189
    Location:
    USA
    Tested it with AVG trial download. I didn't save the file to the PC. I just selected run and it ran fine. However, Avast won't let me download the free version. The page loaded with errors.
     
  18. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    You can circumvent the issue with not being able to save by using some external downloads manager when needed. If you make use of any, that is.

    I just tried to download avast, and web page loaded fine and I was able to start the download using an external download manager.

    iframes are being blocked, so that's not the culprit. Every other settings are like yours. Something else is preventing avast from downloading and making website load with errors.
     
  19. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,189
    Location:
    USA
    I tried with FF as well and it wouldn't download with FF either. Has to be a system side thing.
     
  20. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    From your signature, it would either be the firewall or dyndns, somehow o_O Or something else you've got there, whatever it may be.
     
  21. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,189
    Location:
    USA
    Definitely an issue with IE. FF allows it.
     
  22. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    OK. Then you've got some setting that you forgot to mention, or didn't notice you changed it? Recheck all settings and write them down and report it. As a good practice, restore all settings, then change one by one and try to download, and move on to next setting.
     
  23. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,189
    Location:
    USA
    Everything back at defaults and still a no go. Error message is of a .js which leads me to believe it's a JavaScript error. Which wouldn't be uncommon in IEx64. Just to be sure I'm going to test IE.

    EDIT- IE didn't work either. Same errors as IEx64. Both with default settings. But it works in FF just fine. I guess this is exactly why I don't use M$ tools and programs. :rolleyes:
     
  24. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,189
    Location:
    USA
    Got the downloads working with the below configuration. Any other things I should tweak?

     