IE10 Enhanced Protection Mode

Discussion in 'other software & services' started by lucky_r, May 31, 2013.

Thread Status:
Not open for further replies.
  1. lucky_r

    lucky_r Registered Member

    Joined:
    May 31, 2013
    Posts:
    3
    Location:
    USA
    I'm using an HP laptop from 2007 with Windows 8, and my System information says "32-bit operating system, x64-based processor". I read that IE10 Enhanced Protection Mode improves security by running processes as 64-bit, if I have that right. Will this improve browsing security on my 32-bit OS laptop, or would I be safer with Google Chrome with AdBlock Plus and BitDefender Traffic Light extensions? I'm using Avast free antivirus and Windows firewall. I also use Windows 8 as desktop instead of Metro UI. Thanks!
     
  2. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    EPM will do nothing on a 32-bit system.
     
  3. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    Your hardware may be 64 bit, but if your OS is 32 bit, it can't run 64 bit processes.
     
  4. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    1,441
    To get the full benefits of X64, upgrade to x64 Windows 7.
     
  5. mechBgon

    mechBgon Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    68
    Location:
    USA
    On 32-bit Windows 7, EPM will do nothing. However, on 32-bit Win8, EPM runs each tab process in its own AppContainer for higher security. On 32-bit Win8, they just can't use High-Entropy ASLR.

    Going back to the original question, if you're interested in tweaking IE10 security on Win8, then enable Enhanced Protected mode in the Advanced tab of the Internet Options panel for the "Desktop-style" IE10, then skip over to the Security tab and make sure you've checked the checkbox for Protected Mode on all four Zones (Internet, Intranet, Trusted Sites, and of course Restricted). Now your tabs will be running in AppContainers. More info on all that: http://blogs.msdn.com/b/ieinternals...rk-security-addons-cookies-metro-desktop.aspx

    I'd also suggest enabling ActiveX Filtering, which is done by clicking the gear icon > Safety > ActiveX Filtering, and using Microsoft EMET. According to security researcher Didier Stevens, EMET's ASLR implementation is better than the baseline Windows ALSR, since it changes base addresses every time a process is started (as opposed to once per reboot). That info may be somewhat dated by now, but the bottom line is that EMET is a keeper.
     
    Last edited: Jun 1, 2013
  6. lucky_r

    lucky_r Registered Member

    Joined:
    May 31, 2013
    Posts:
    3
    Location:
    USA
    Thanks for all that info, mechBgon. I set up my IE10 as you recommended, including Active-X and EMET. One fringe benefit I noted with EPM is that it apparently blocks ads, which is helpful since I couldn't install AdBlock Plus onto IE10. With EPM/Active-X/EMET. do you believe IE10 provides comparable security to Google Chrome & Firefox on Windows 8?
     
  7. mechBgon

    mechBgon Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    68
    Location:
    USA
    It might even be the ActiveX Filtering that's reducing the ads, since it switches Flash Player to disabled-by-default and you then enable it for sites where you want it (that's the blue circle-with-a-slash up in the address bar, click it if you're not seeing the intended content and you can opt that site in).

    In the big picture, FireFox has an underlying disadvantage: it runs with the user's own Integrity Level and no sandbox, so if/when it does get compromised, the bad guys have the same clout that you have. Chrome runs at low integrity with a sandbox, IE10 has low integrity and Protected Mode (and AppContainer on Win8 ). Some will point out that FF has extra security tweakability in the form of NoScript, and that does have value if you don't mind the upkeep.

    Beyond that, I perceive IE10 and Chrome competing about equally. Both of their makers have their game face on when it comes to security. With either one, the next thing I'd look at is keeping my add-ons/extensions up-to-date, since they're so heavily targeted in real life:

    1. unless you absolutely must have Oracle Java installed, uninstall it and avoid it perpetually. If you do need it, then make sure it can only function for sites where you absolutely do need it. One technique is to have one Java-enabled browser and use it ONLY for the Java-driven sites that you absolutely must use, and test to be sure Java's disabled in your other browser(s). If you're using Win8 Professional then I can also go into detail on how to limit Java using the Local Group Policy.

    2. try out the Secunia PSI utility, which checks to see if your software (including browser add-ons) needs security patches, and shows you where to download them from.

    3. enable add-ons only for sites where you definitely want them to run. Using ActiveX Filtering is one example of this. EPM on Win8 will also severely restrict what add-ons can even try to run, since many aren't AppContainer-compatible by nature and get automatically blocked. In that situation, you see a prompt to allow you to choose Disabled if you want to fall back on "regular" Protected Mode (32-bit tab, no AppContainer) to use the add-on. A real-world example for me: the ActiveX control I use to view our security cameras at work, which requires dropping out of EPM to view the video feed.

    4. set your User Account Control slider to "Always Notify." This guards against a known type of privilege-escalation exploit used by certain nasty malware in the infection routine, e.g. ZeroAccess rootkits.

    edit: 5. PDF readers are also exploited in real life via browsers and other methods. If you find the built-in Win8 Reader gets the job done for you, uninstall your other PDF readers and just use that, because it runs in an AppContainer and doesn't have tons of extra features to abuse. Next-best: Adobe Reader 11 in a security-hardened form, since it has a good sandbox and the abused features can be turned off. Some tips on that here: http://security.thejoshmeister.com/2010/05/7-easy-steps-to-increase-adobe-reader.html



    If your laptop happens to have a fingerprint reader, also consider using biometric software to make it easier to use super-strong passwords and avoid password re-use at multiple websites. Post back if that's the case and I can go into more detail.
     
    Last edited: Jun 2, 2013
  8. lucky_r

    lucky_r Registered Member

    Joined:
    May 31, 2013
    Posts:
    3
    Location:
    USA
    I believe I uninstalled Java already; if it doesn't show under Start -> Programs, can I assume I'm OK there? I've had Secunia PSI for a while, so I should be good on SW updates. My laptop doesn't have a fingerprint reader, but I've been using KeePass for passwords instead.
    Regarding EMET, it looks like there's more than one release around. Mine is 3.0, but do I need to keep an eye out for 4.0? iexplore currently shows under the "DEP" and "Running EMET" columns. Thanks again for taking the time to help!
     
  9. mechBgon

    mechBgon Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    68
    Location:
    USA
    That sounds good. As a confirmation, you could try a Java-driven site like www.time.gov to confirm there's no Java functionality.

    EMET 4.0 would be worthwhile just on the ease-of-use improvements alone. For example, you can start up all your browsers, media players, PDF readers, music apps, instant-messaging programs, email programs and anything else that might be at risk, and then select them from EMET's "running processes" list (hold down CTRL while clicking to select multiple programs at once), then right-click them and choose Configure Apps to add them to the protected list. That's much easier than hunting them down the old way.

    EMET 4.0 also has some desirable improvements in other areas. So yeah, I think that's the one to get. The beta version is working well, if you don't want to wait for the final version.
     
Loading...
Thread Status:
Not open for further replies.