Tested: Make IE8 the safest webbrowser

Discussion in 'other security issues & news' started by Kees1958, Jan 9, 2010.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    EDIT1: With safest I mean fully functioning for the average Joe/Jane. Everybody knows that pure text based browsers are the safest, followed by browsers which are lumped/degarded by disabling dynamic code options (some browsers are so badly designed they need to be crippled to use safely :D ).

    EDIT2: Let's hope Sully implements some of these in PGS version 2 :thumb:

    EDIT3: Install Keyscrambler free first before applying these tweaks

    EDIT4: Vista and Windows7 users only have to apply tweaks on first 3 posts (XP also apply tweak of post 10)


    It is simple

    What does it do?

    When SWITCH_BLOCK_ON
    a) It does not allow Internet Explorer to Download files (Attachements) with a risk indication of high, see microsoft http://support.microsoft.com/kb/883260 (it is the list which starts with .ADE).
    b) It blocks execution of these files by Explorer. You can remove this restriction by right clicking the file, select properties, click the general tab (see picture)


    When SWITCH_BLOCK_OFF
    This is the defualt situation (before tweak)
    a) You will be warned when downloading a file (default situation, unless you have changed the regular file download warning setting yourself, this is the default/standard setting) by Internet Explorer
    b) You will be warned when executing a file by Explorer which comes from the internet zone.


    Usage instructions
    1. Works from IE6 and higher

    2. You have to exit/start IE before policy is activated

    3. Download attached text files and change extention from txt ro reg

    SWITCH_BLOCK_ON.reg (was downloaded SWITCH_BLOCK_ON.txt)

    SWITCH_BLOCK_OFF.reg (was downloaded SWITCH_BLOCK_OFF.txt)

    4. You have to run these reg files from ADMIN space (somewhere in C:\Windows or Program FIles) when you use Software restriction Policies (or use PGS to implement on home versions).
     

    Attached Files:

    Last edited: Jan 12, 2010
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    To further strengthen IE8, you can manually change the settings

    as described by PCTools http://www.pctools.com/guides/registry/detail/537/ I would choose to set:

    Advanced
    Cache
    Certficates
    Connections Settings
    HomePage (prevents changing homepage, make sure it has the right setting)
    Profiles (make sure you have set security, privacy, selected cross site filter on, phising philter on and cookie/popup set correctly).
    Proxy



    When you want to fix the search engine (also a point of attack of adware related taskbars etc)

    Open Regedit and navigate to this key
    HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions

    Add REG_DWORD called NoChangeDefaultSearchProvider
    Give it the vaue 1 (see picture, no search box removes engine box, not the ability to search from the web address box)


    Regards Kees
     

    Attached Files:

  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Lastly, you may want the user to deny the right to change status of browser extentions (effectively stops adding plug ins, when you run UAC inVista or Windows7 or use DropMyRIghts or SRP in XP). Adding new plug ins is also a common trick of malware.

    http://support.microsoft.com/kb/883256

    Set NoExtensionManagement to 1
     
  4. Sjoeii

    Sjoeii Registered Member

    Joined:
    Aug 26, 2006
    Posts:
    1,240
    Location:
    52?18'51.59"N + 4?56'32.13"O
    Thanks
    Very usefull settings
     
  5. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    Nice post Kees.
     
  6. cqpreson

    cqpreson Registered Member

    Joined:
    May 18, 2009
    Posts:
    348
    Location:
    China
    Great post.Thank you.
     
  7. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    thanks kees man you are on fire:)
     
  8. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yep, Franklin has confirmed this in the post where I asked people to test it, Chrome just ignores this setting (allows to download), but sets the ADS correctly (I prefer Chrome's/Iron's implementation best). At least in the Netherlands, according to market research FF users are not the average Joe/Jane.
     
  10. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Another setting found

    A Protection against clickjacking, see for explanation http://technet.microsoft.com/nl-nl/library/cc759517(WS.10).aspx

    Create a key

    HKEY_Current_User\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS

    Create a REG_WORD with the name iexplorer and value 1

    It should look like this see picture
     

    Attached Files:

  11. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    Thanks Kees. I have been playing around with your settings on my XP VM and it has really tightened things up. :thumb:
     
  12. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    for firefox users Noscript already provides protection from clickjacking.
     
  13. Zombini

    Zombini Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    469
    On Vista and Win7 I wouldn't come near a mile from Firefox. It doesn't have a Protected Mode like IE8, and without it you are just asking for trouble. Stick with IE8. Noscript will help with script based attacks, but not with anything else. It has NO SAFETY NET.
     
  14. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Going with that reasoning it wouldn't matter whether it was XP, Vista or Win 7, Firefox would be unsafe regardless. Firefox, and, most other browsers, imho would be even safer on Vista/7 due to UAC. That being said, this was a good thread, I'll put it to use on my current system and, in a few weeks when it arrives, Win 7 on my new system.
     
  15. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    The title of this topic: best without functional degrading the browser for the average user. It is also possible with IE, to disallow scripts, java, flash, binary content in Iframes, etc. Then you have the basic functionality of a text based browsers. But there are better text based browsers (smaller footprint, faster, like Lynx f.i.) than a degraded normal browser.

    Despite a lot of laughter at MicroSoft (with reason Opera was by far the better browser in the past) IE8 really is not a bad browser with one of the best phising/smartscreen filters and cross site scripting protection. The latter (years after . . . ) is still not a standard feature of FF. With 3.6 you will get CSP and finally have protecton for cross site scripting with FF.
     
    Last edited: Jan 11, 2010
  16. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    What makes you think IE8 is safer than firefox? Can you please elaborate as to what exactly Protected Mode in IE8 is?

    you can customize FF with security/Privacy add ons.

    can IE8 block super cookies?
    can IE8 block ping tracking?
    can IE8 disable history?
    can IE8 ensure safe https connections like FF add on Perspectives?
    can IE8 block ads and have a white list with sites that are allowed to show ad's?
    can IE8 block cookies and have a white list of sites that are allowed to give you cookies?
    can IE8 block web bugs?
    can IE8 block user agent?
    can IE8 disable referrer?
    can IE8 block web pages from refreshing them selves?
    can IE8 block Iframe?

    If IE8 can do all these things like FF then you have my attention. also Noscript covers cross site scripting. That said I use FF in combination with admuncher. I do believe it is much safer to use something like admuncher as a proxy/gateway rather than allowing your browser to Directly connect to websites.

    And I do admire Kees1958 idea of using the available tools and configurations on the actual OS to harden your pc instead of installing and using 3rd party software. But I don't think that the available registry tweaks and OS tools we have can cover everything with out using 3rd party software. We really need another forum for OS hardening tweaks. Because for some one to go for the strategy of OS hardening it would be difficult searching thru all these forums for Kees1958's tweaks. I have been bookmarking Kees1958's threads for future reference.
     
  17. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    This depends on how you enjoy your OS. It is definately possible to create as much protection as any/all 3rd party solutions. I think it comes down more to the ease of use 3rd party apps give you over OS implemented answers. The bane of 3rd party apps is of course BSOD or some sort of conflict that could ensue. I also enjoy seeing Kees or anyones approaches that utilize OS resolutions, and the more creative the better for me.

    Sul.
     
  18. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    Unfortunately you have your attention on all the wrong details: the unimportant details that tinfoil-hat paranoid users typically obsess over due to lack of knowledge, rather than real security.
     
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Disable history, go into porn mode orInprivate
    Ensure Safe HTTPS, IE checks certifcates, there is a tweak where user can't ignore this

    Block cookies, white list (default functionality, only IE comes in a more useable default)

    Block Iframe: you can set this yourself in the zone setting (ask, deny or allow).

    Lately an addblock type of plug-in is available see AKO's excellent list

    Web Bugs, there is a setting to block dynamic behaviour of binaries (like OutLook does), on top of that IE has a better setting, not to allow OTHER webpages to touch the dynamic code in the cache. I will not post these tweaks, because some sites use this to store encrypted transfer tokens (e.g. when you buy music, you switch to a safe payment service, you return to the download). Considering the risk of web bugs, with the excellent Mime Sniffing/enforcing mechanismes in IE, I think there are bigger fish in the ocean to worry about.

    Since you like to worry (most of us do at Wilders, so this is not intended sarcastically ;) Https://developer.mozilla.org/En/How_Mozilla_determines_MIME_Types and http://adblockplus.org/blog/the-hazards-of-mime-sniffing


    Regards Kees
     
  20. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    LOL
    says the man who has a browser in their sig with Privacy Issues, what a clown you are. We have had these browser discussions before with Rmus in other threads, there is known malicious-links which can bypass FF Noscript. and if you know of any which can bypass my setup by all means show me.
     
  21. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Exactly! With addons, not natively. So, let's no go on the path which browser (I repeat: browser.) offers more security/privacy.

    1. Cookies

    You can block all cookies, and then allow only the ones you want to allow, therefor creating a whitelist of cookies.

    Personally, I rather handle with cookies my self, than let a third-party tool do it.

    2. History

    As Kees mentioned, you may browse in InPrivate mode and set the days to keep history to 0.

    3. Disabling refreshing

    Yes, it is possible

    There's been a long time since I last used Firefox (was way too buggy and too slow), but I don't remember it being able to stop referrer and a few other things on its own, without the help of add-ons.

    It is quite easy to say that Firefox does this or that, when using third-party add-ons.

    I wonder if all this hype for Firefox would ever exist without the damn add-ons.

    Firefox blocks ads... Yes, it does... Using third-party add-ons.
    Firefox blocks flash... Yes, it does... Using third-party add-ons.
    Firefox allows you not to allow/block javascript in full ... Yes, it does... Using third-party add-ons (NoScript)

    Add-ons, add-ons....
     
  22. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,028
    Location:
    Lloegyr
    there is known malicious-links which can bypass FF Noscript.

    Bugger! :eek:
     
  23. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Just use Chromium or a variant of it. It has a built-in sandbox (which is equivalent to IE's Protected Mode), but is a much better performer than IE, which is by far the slowest of all browsers. Chrome/Chromium/Iron tends to be the fastest browser.

    And Firefox can be made to run in Protected Mode as well, but it requires reg hacks.
     
  24. Any link for the Protected Mode in Firefox?
     
  25. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,028
    Location:
    Lloegyr
    Well, these days, if I'm not in SeaMonkey with NoScript, I'm in Iron, so I should be OK (I have WOT on both). Plus I always have Opera. On my laptop Iron is definitely the fastest, IE 8 is like browsing in slo-mo!
     
Loading...
Thread Status:
Not open for further replies.