IE8 local Policies interesting to change

Hi

What of this IE8 policies can be good to enable without decrease usability?

You guys know whats is the main exe/dll of Microsoft Silverlight to add to EMETV2?

 

see pictures, green are okay plus some other hardening features

 

Scripted Window Security Restrictions : Enabled for Internet Explorer Processes.
Protection from Zone Elevation : Enabled for Internet Explorer Processes.
MK Protocol Security Restrictions : Enabled for Internet Explorer Processes.
Mime Sniffing Features : Enabled for Internet Explorer Processes.

 

Thanks kess for the detailed response and konata for the suggestions. Already enabled some of them.

One more doubt: I'm already under a SUA/Applocker (default rules and audit with accesschk for Windows folder). There is some advantage in work with some of the templates of Win 7 in Microsoft Security Compliance Manager? I think is already security enough but... I'm open to suggestions.

Thx for the help.

 

There are MSCM templates for Applocker but I think you're pretty secure already

 

Sorry for the late reply and Thanks for the help.

 

Have you guys ever had any sort of problems messing with most of those settings?

I remember, sometime ago, while testing stuff in a virtual machine, that afterwards IE would be so slow opening pages. Undoing it, wouldn't solve it. I actually had to restore the snapshot.

I don't have much changed, except SmartScreen settings, auto complete, temp files, protected mode, don't save encripted pages, and a few others I don't remember. I change those that I know won't have any side effects. If I'm not sure about the rest, I don't mess with it.

As per a doc I got from Microsoft, they recommend the following:


1.Enable SmartScreen Filter
2.Enable Prevent Bypassing SmartScreen Filter Warnings
3.Do not allow users to add or delete sites from Security Zones
4.Do not allow users to change policies for Security Zones
5.Do not allow user to turn off Protected Mode
6.Enable Prevent Ignoring Certificate Errors
7.Set Form Autocomplete options to Disabled

Allow Active Scripting Computer Configuration\Administrative Templates\Windows Components
\Internet Explorer\Internet Control Panel\Security Page\<zone> Disabled in response to zero day attack


Internet Explorer Processes (Scripted Window Security Restrictions) Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Scripted Window Security Restrictions Enabled

Internet Explorer Processes (Zone Elevation Protection) Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Protection From Zone Elevation Enabled


Security Zones: Do not allow users to add/delete sites Computer Configuration\Administrative Templates\Windows Components\Internet Explorer Enabled


Security Zones: Do not allow users to change policies Computer Configuration\Administrative Templates\Windows Components\Internet Explorer Enabled


Prevent Ignoring Certificate Errors Computer Configuration\Administrative Templates\Windows Components\Internet Explorer Internet Control Panel Enabled


Turn on Protected Mode * Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\<zone> Enabled

Empty Temporary Internet Files folder when browser is closed Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page Enabled

Disable AutoComplete for forms User Configuration\Administrative Templates\Windows Components\
Internet Explorer Enabled

Turn on the auto-complete feature for user names and passwords on forms User Configuration\Administrative Templates\Windows Components\
Internet Explorer Disabled



Use SmartScreen Filter User Configuration\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone Enabled

Use SmartScreen Filter User Configuration\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone Enabled

Use SmartScreen Filter User Configuration\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone Enabled

Use SmartScreen Filter User Configuration\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone Enabled

Turn off Managing SmartScreen Filter User Configuration\Administrative Templates\Windows Components\
Internet Explorer Enabled

Prevent Bypassing SmartScreen Filter Warnings Computer Configuration\Windows Components\Internet Explorer
Enabled

XSS Filter User Configuration\Administrative Templates\Windows Components\Internet Explorer Enabled


Do not save encrypted pages to disk Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page Enabled for environments with sensitive data on Web pages.


Turn off Crash Detection Computer Configuration\Administrative Templates\Windows Components\
Internet Explorer Enabled


Internet Explorer Processes (Restrict File Download) Computer Configuration\Administrative Templates\Windows Components
\Internet Explorer\Security Features\
Restrict File Download Enabled


Allow File Downloads Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone. Disabled


Internet Explorer Processes\Object Caching Protection Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Object Caching Protection Enabled

 

What approach do you guys follow to harden IE: Computer configuration or User configuration?

I do a mix, because some of the stuff aren't in the User Configuration, but I guess that for a single computer the Computer configuration would be OK.

 

@ Kees

I see from your figure that you're applying such policies to HKCU. But, within here, pretty much everything and everyone can modify them by changing the registry entries.

Why not at HKLM?

 

Hi

I not changed all this settings like you, but so far not even a single problem.

Normally I use Computer configuration, to apply to all users. But if you have just a Admin account (SAFE Admin setup), change only at HKCU not make much difference ( Only one i think: HKLM you need ADMIN to change and at HKCU not - but confirm this with kees).

 

Never mind, I got it wrong. When applying it via Group Policy, users can't modify entries, even if they're in HKCU.

Sorry if I provoked confusion.

If you apply changes to HKCU normal way, as in manually editing the registry, then no, you need no permissions. But, if you do it via Group Policy, only an administrator can do it; and if this latter approach is taken, then standard users cannot simply go to registry and modify them, because they only have read permissions.

 

I do all in User, except
- do not allow users to change policies
- do not allow users to add/delete sites

In Security Zones of Administrative (General IE)

Reason: when starting to play with group policies I wanted an opt-out as Admin for repair and when applied in policies hive of HKCU, user can't change as moonblood pointed out.

 

By the way, I don't know about other O.S versions, but with Windows 7 we can apply tweaks just for a specific user.

Imagine there's two standard user accounts. One of them for home banking and the other normal web browsing. We may not want to restrict in the global User Configuration, but rather a separate policy by creating a new snap-in with mmc. This way we can restrict for the account for home banking, while leaving the other less restrictive.