IE8 local Policies interesting to change

Discussion in 'other security issues & news' started by s23, Oct 24, 2010.

Thread Status:
Not open for further replies.
  1. s23

    s23 Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    263
    Hi

    Which of these IE8 policies would be good to enable without decreasing usability?

    Do you guys know what the main exe/dll of Microsoft Silverlight is, to add to EMET V2?
     

  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    See pictures: the green ones are okay, plus some other hardening features.
     

  3. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    Scripted Window Security Restrictions : Enabled for Internet Explorer Processes.
    Protection from Zone Elevation : Enabled for Internet Explorer Processes.
    MK Protocol Security Restrictions : Enabled for Internet Explorer Processes.
    Mime Sniffing Features : Enabled for Internet Explorer Processes.
     
  4. s23

    s23 Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    263
    Thanks Kees for the detailed response and Konata for the suggestions. I've already enabled some of them.

    One more doubt: I'm already under a SUA/AppLocker (default rules, and audited with accesschk for the Windows folder). Is there any advantage in working with some of the Win 7 templates in Microsoft Security Compliance Manager? I think it is already secure enough but... I'm open to suggestions.

    Thx for the help.
     
    Last edited: Oct 26, 2010
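The "audit with accesschk for the Windows folder" step mentioned above, done in PowerShell, as an added example (not code from the thread or from any of its posters). AppLocker's default Executable rule allows everyone to run anything under the Windows folder, so any directory there that a standard user can create files in is a place to drop and run an executable. The list of principals a standard user is assumed to belong to (`BUILTIN\Users`, `Authenticated Users`, `Everyone`, `INTERACTIVE`) is my assumption about a default Windows 7 install; the function name and the rights bits it checks are mine.

```powershell
# Added example: list directories under %WINDIR% where a standard user can
# create files or subdirectories (the AppLocker default-rule bypass accesschk
# is normally used to find). Not from the thread; principal list is an assumption.
function Get-UserWritableDirectories {
    param(
        [string]$Root = $env:windir,
        [string[]]$Principals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                                  'Everyone', 'NT AUTHORITY\INTERACTIVE')
    )
    # CreateFiles (= WriteData) lets you drop a file; AppendData (= CreateDirectories)
    # lets you make a subdirectory, which the default rule also covers.
    $writeBits = [Security.AccessControl.FileSystemRights]'CreateFiles, AppendData'

    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object {
            $dir = $_.FullName
            $acl = Get-Acl -Path $dir -ErrorAction SilentlyContinue
            if (-not $acl) { return }   # cannot even read the ACL: skip this directory
            $hits = $acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                ($Principals -contains $_.IdentityReference.Value) -and
                (($_.FileSystemRights -band $writeBits) -ne 0)
            }
            if ($hits) {
                New-Object PSObject -Property @{
                    Directory = $dir
                    GrantedTo = ($hits | ForEach-Object { $_.IdentityReference.Value } |
                                 Sort-Object -Unique) -join ', '
                }
            }
        }
}

Get-UserWritableDirectories | Format-Table Directory, GrantedTo -AutoSize
```

On a stock Windows 7 this turns up directories such as Windows\Tasks and Windows\Temp, which is why people add explicit AppLocker deny rules (or path exceptions) for them. The check only looks at Allow ACEs for the listed principals; it ignores Deny ACEs and nested group membership, so treat a hit as "worth verifying with accesschk or by actually trying to create a file as the standard user", not as proof.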
  5. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    There are MSCM templates for Applocker but I think you're pretty secure already :D
     
  6. s23

    s23 Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    263
    Sorry for the late reply and Thanks for the help.
     
  7. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Have you guys ever had any sort of problems messing with most of those settings?

    I remember, some time ago, while testing stuff in a virtual machine, that afterwards IE would be so slow opening pages. Undoing it wouldn't solve it. I actually had to restore the snapshot.

    I don't have much changed, except SmartScreen settings, auto complete, temp files, protected mode, don't save encrypted pages, and a few others I don't remember. I change those that I know won't have any side effects. If I'm not sure about the rest, I don't mess with it.

    As per a doc I got from Microsoft, they recommend the following:


    1.Enable SmartScreen Filter
    2.Enable Prevent Bypassing SmartScreen Filter Warnings
    3.Do not allow users to add or delete sites from Security Zones
    4.Do not allow users to change policies for Security Zones
    5.Do not allow user to turn off Protected Mode
    6.Enable Prevent Ignoring Certificate Errors
    7.Set Form Autocomplete options to Disabled

    Allow Active Scripting
        Path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\<zone>
        Value: Disabled, in response to a zero-day attack

    Internet Explorer Processes (Scripted Window Security Restrictions)
        Path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Scripted Window Security Restrictions
        Value: Enabled

    Internet Explorer Processes (Zone Elevation Protection)
        Path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Protection From Zone Elevation
        Value: Enabled

    Security Zones: Do not allow users to add/delete sites
        Path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
        Value: Enabled

    Security Zones: Do not allow users to change policies
        Path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
        Value: Enabled

    Prevent Ignoring Certificate Errors
        Path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel
        Value: Enabled

    Turn on Protected Mode *
        Path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\<zone>
        Value: Enabled

    Empty Temporary Internet Files folder when browser is closed
        Path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
        Value: Enabled

    Disable AutoComplete for forms
        Path: User Configuration\Administrative Templates\Windows Components\Internet Explorer
        Value: Enabled

    Turn on the auto-complete feature for user names and passwords on forms
        Path: User Configuration\Administrative Templates\Windows Components\Internet Explorer
        Value: Disabled

    Use SmartScreen Filter
        Path: User Configuration\Windows Components\Internet Explorer\Internet Control Panel\Security Page\<zone>, for each of Internet Zone, Intranet Zone, Restricted Sites Zone and Trusted Sites Zone
        Value: Enabled

    Turn off Managing SmartScreen Filter
        Path: User Configuration\Administrative Templates\Windows Components\Internet Explorer
        Value: Enabled

    Prevent Bypassing SmartScreen Filter Warnings
        Path: Computer Configuration\Windows Components\Internet Explorer
        Value: Enabled

    XSS Filter
        Path: User Configuration\Administrative Templates\Windows Components\Internet Explorer
        Value: Enabled

    Do not save encrypted pages to disk
        Path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
        Value: Enabled, for environments with sensitive data on Web pages

    Turn off Crash Detection
        Path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
        Value: Enabled

    Internet Explorer Processes (Restrict File Download)
        Path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Restrict File Download
        Value: Enabled

    Allow File Downloads
        Path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
        Value: Disabled

    Internet Explorer Processes (Object Caching Protection)
        Path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Object Caching Protection
        Value: Enabled
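The settings listed in the post above, applied and verified from PowerShell, as an added example (not code from the thread or from Microsoft). gpedit.msc writes these policies as registry values under the Policies hive (HKLM\Software\Policies for Computer Configuration, HKCU\Software\Policies for User Configuration); the script writes the same values directly and then reads every one back. The mapping from policy name to registry value name is my reading of the inetres.admx template and is an assumption: spot-check one or two entries by setting them in gpedit.msc and comparing before trusting the whole list. The `-Scope` parameter, the function names and the zone list are mine. Protected Mode is only switched on for the Internet and Restricted Sites zones, which matches IE8's defaults; the asterisk in the list above is presumably about that choice.

```powershell
# Added example: write the IE8 policy values from the list above into the
# Policies registry hive and read them back. Not from the thread; the value
# names are my reading of inetres.admx (an assumption, verify with gpedit.msc).
# Run from an elevated prompt: both HKLM\ and HKCU\Software\Policies are
# read-only for a standard user.
param([ValidateSet('Machine', 'User')][string]$Scope = 'Machine')

$hive = if ($Scope -eq 'Machine') { 'HKLM:' } else { 'HKCU:' }
$inet = "$hive\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"
$ie   = "$hive\Software\Policies\Microsoft\Internet Explorer"

# Zone ids under Internet Settings\Zones: 1 intranet, 2 trusted, 3 internet, 4 restricted.
$zones = 1, 2, 3, 4

$settings = @(
    # "Internet Explorer Processes" means iexplore.exe and explorer.exe under FeatureControl
    foreach ($feature in 'FEATURE_WINDOW_RESTRICTIONS', 'FEATURE_ZONE_ELEVATION',
                         'FEATURE_RESTRICT_FILEDOWNLOAD', 'FEATURE_OBJECT_CACHING',
                         'FEATURE_MIME_SNIFFING', 'FEATURE_DISABLE_MK_PROTOCOL') {
        foreach ($process in 'iexplore.exe', 'explorer.exe') {
            @{ Key = "$ie\Main\FeatureControl\$feature"; Name = $process; Value = 1 }
        }
    }
    # Security Zones: users may neither add/delete sites nor change zone policies
    @{ Key = $inet; Name = 'Security_zones_map_edit'; Value = 1 }
    @{ Key = $inet; Name = 'Security_options_edit';   Value = 1 }
    # Prevent Ignoring Certificate Errors
    @{ Key = $inet; Name = 'PreventIgnoreCertErrors'; Value = 1 }
    # Empty Temporary Internet Files on close; Do not save encrypted pages to disk
    @{ Key = "$inet\Cache"; Name = 'Persistent';               Value = 0 }
    @{ Key = $inet;         Name = 'DisableCachingOfSSLPages'; Value = 1 }
    # Turn off Crash Detection
    @{ Key = "$ie\Restrictions"; Name = 'NoCrashDetection'; Value = 1 }
    # SmartScreen on, not manageable by the user, warnings cannot be bypassed
    @{ Key = "$ie\PhishingFilter"; Name = 'EnabledV8';       Value = 1 }
    @{ Key = "$ie\PhishingFilter"; Name = 'PreventOverride'; Value = 1 }
    # Per zone: 2301 = Use SmartScreen Filter, 1409 = XSS Filter (0 = enabled)
    foreach ($z in $zones) {
        @{ Key = "$inet\Zones\$z"; Name = '2301'; Value = 0 }
        @{ Key = "$inet\Zones\$z"; Name = '1409'; Value = 0 }
    }
    # 2500 = Protected Mode, Internet and Restricted Sites zones only (0 = on)
    @{ Key = "$inet\Zones\3"; Name = '2500'; Value = 0 }
    @{ Key = "$inet\Zones\4"; Name = '2500'; Value = 0 }
    # Restricted Sites zone: 1803 = Allow File Downloads (3 = disabled)
    @{ Key = "$inet\Zones\4"; Name = '1803'; Value = 3 }
    # AutoComplete for forms and for saved passwords exist only in User Configuration
    if ($Scope -eq 'User') {
        @{ Key = "$ie\Main"; Name = 'Use FormSuggest';       Value = 'no'; Type = 'String' }
        @{ Key = "$ie\Main"; Name = 'FormSuggest Passwords'; Value = 'no'; Type = 'String' }
    }
)

function Set-IePolicy {
    foreach ($s in $settings) {
        if (-not (Test-Path $s.Key)) { New-Item -Path $s.Key -Force | Out-Null }
        $type = if ($s.Type) { $s.Type } else { 'DWord' }
        New-ItemProperty -Path $s.Key -Name $s.Name -Value $s.Value -PropertyType $type -Force | Out-Null
    }
}

# Read every value back. Run this again after a gpupdate or after any "tweak"
# tool, to see whether something was silently reverted.
function Test-IePolicy {
    $problems = foreach ($s in $settings) {
        $current = (Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        if ("$current" -ne "$($s.Value)") {
            "{0}\{1}: expected {2}, found '{3}'" -f $s.Key, $s.Name, $s.Value, $current
        }
    }
    if ($problems) { $problems } else { "All $($settings.Count) IE8 policy values are set as expected." }
}

Set-IePolicy
Test-IePolicy
```

Save it as a .ps1 and run it with `-Scope User` to get the HKCU variant, which also adds the two AutoComplete strings. Once a value exists in the Policies hive it overrides whatever is in Internet Options, and the matching control in the IE dialog turns grey, which is the behaviour the posters describe. To undo a setting, delete the value rather than setting it to 0: for the zone entries 0 means "enabled", so a zero is still a policy.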
     
  8. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    What approach do you guys follow to harden IE: Computer configuration or User configuration?

    I do a mix, because some of the settings aren't in the User Configuration, but I guess that for a single computer the Computer Configuration would be OK.
     
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    @ Kees

    I see from your figure that you're applying such policies to HKCU. But, within here, pretty much everything and everyone can modify them by changing the registry entries.

    Why not at HKLM?
     
  10. s23

    s23 Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    263
    Hi

    I haven't changed all these settings like you did, but so far not even a single problem.

    Normally I use Computer Configuration, to apply to all users. But if you have just an Admin account (SAFE Admin setup), changing only HKCU doesn't make much difference (only one, I think: for HKLM you need Admin to change it and for HKCU you don't, but confirm this with Kees).
     
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Never mind, I got it wrong. When applying it via Group Policy, users can't modify entries, even if they're in HKCU.

    Sorry if I provoked confusion. :)

    If you apply changes to HKCU normal way, as in manually editing the registry, then no, you need no permissions. But, if you do it via Group Policy, only an administrator can do it; and if this latter approach is taken, then standard users cannot simply go to registry and modify them, because they only have read permissions.
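A way to check the permission claim above on your own machine, as an added example (not code from the thread). It lists, for each registry key, which identities hold an Allow ACE that includes the SetValue right, so you can compare the two Policies keys in HKCU with an ordinary IE key next to them. The function name is mine; the three key paths are the standard locations on a Windows 7 profile, and the IE\Main key is only present once IE has been run.

```powershell
# Added example: who can write values under a registry key? Not from the thread.
function Get-RegistryWriters {
    param([Parameter(Mandatory = $true)][string]$Key)
    $setValue = [Security.AccessControl.RegistryRights]::SetValue
    $acl = Get-Acl -Path $Key
    # Keep Allow ACEs whose rights include SetValue (FullControl and WriteKey do too)
    $writers = $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       (($_.RegistryRights -band $setValue) -ne 0) } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
    New-Object PSObject -Property @{
        Key         = $Key
        Inherited   = -not $acl.AreAccessRulesProtected   # False = inheritance broken here
        CanSetValue = $writers -join ', '
    }
}

'HKCU:\Software\Policies',
'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies',
'HKCU:\Software\Microsoft\Internet Explorer\Main' |
    Where-Object { Test-Path $_ } |
    ForEach-Object { Get-RegistryWriters -Key $_ } |
    Format-List Key, Inherited, CanSetValue
```

Run it from a standard user's prompt. The two Policies keys should show inheritance broken and only SYSTEM and Administrators as writers, while IE\Main inherits the user's own full-control ACE from the root of HKCU. That difference is the whole reason the posters put their settings in the policies hive instead of editing the plain IE keys.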
     
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I do all in User, except
    - do not allow users to change policies
    - do not allow users to add/delete sites

    In Security Zones of Administrative (General IE)

    Reason: when I started to play with group policies I wanted an opt-out as Admin for repair, and when applied in the policies hive of HKCU, the user can't change them, as moonblood pointed out.
     
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    By the way, I don't know about other O.S versions, but with Windows 7 we can apply tweaks just for a specific user.

    Imagine there are two standard user accounts, one for home banking and the other for normal web browsing. We may not want to restrict things in the global User Configuration, but rather in a separate policy, by creating a new snap-in with mmc. This way we can restrict the account for home banking while leaving the other less restricted.
     