Using Group Policy Editor (gpedit.msc) to harden IE 9

Discussion in 'other software & services' started by wat0114, Oct 12, 2011.

Thread Status:
Not open for further replies.
  1. wat0114

    wat0114 Guest

    Having explored the use of Group Policy Editor in Win 7 Ultimate to harden Internet Explorer 9, I've come up with a number of settings so far which I feel should reinforce IE 9's security considerably. Of course gpedit.msc is only available in Pro, Ultimate & Enterprise versions of Windows.

    To open Group Policy Editor: Start-> Run-> type "gpedit.msc" (without quotes)-> <Enter>

    Note: this has to be run as Administrator, so you can either open it from your administrative account or right-click gpedit.msc and choose "Run as administrator" from your Standard account.

    The "Local Group Policy Editor" will now be opened. Next, go to:

    Local Computer Policy-> Computer Configuration-> Administrative Templates-> Windows Components-> Internet Explorer

    The following settings are Enabled:

    • Disable showing the splash screen
    • Prevent participation in the Customer Experience Improvement Program
    • Security Zones = Do not allow users to change policies

    Next, go to:

    Internet Control Panel-> Advanced Page

    The following settings are Enabled:

    • Check for server certificate revocation
    • Do not allow resetting Internet Explorer settings
    • Check for signatures on downloaded programs

      Disabled
    • Allow software to run or install even if the signature is invalid

    Next, go to:

    Internet Control Panel-> Security Page

    The following settings are Enabled:

    • Internet Zone Template = Medium High
    • Restricted Zones Template = High
    • Trusted Zones Template = Medium
    • Turn on Warn about Certificate Address Mismatch
    • Site to Zone Assignment List: Sites that you trust and don't want "broken" by the Medium High Internet Zone can be placed here with a value of "2" (= Medium for Trusted Zone).

    So far this is it, although there could be other settings enabled if I find them. Any advice or suggestions are appreciated :)
     
    Last edited by a moderator: Oct 12, 2011
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Thanks. I personally just remove IE entirely but for those who use it it's probably very helpful to have it locked down.
     
  3. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Hello, my good sir... :D

    I also harden IE9... It's blocked... :argh:

    But, for those interested, you could also check this file from Microsoft (English). Give it a read and see which security policies you'd like to apply. Some of them are mentioned by user wat0114

    Internet Explorer 8 Desktop Security Guide:

    http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=23790
     
  4. wat0114

    wat0114 Guest

    You're welcome. I've recently decided just to stick with IE indefinitely, especially as part of my on-going efforts to remain 3rd-party free, and will only change to an alternative browser if something breaches IE.


    Thank you, m00nbl00d! I will check it out soon.
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    IE9's a good browser, definitely secure.
     
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Not if you got Java installed... :D Even with all Java plugins disabled, Java still works. The other thread was self-explanatory. o_O :D
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Isn't that the case with Firefox and Opera as well?
     
  8. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Not from what I recall? Anyway, in case of doubt, we can always check the other thread. I wish not to pollute wat0114's thread with this off-topic. :thumb:
     
  9. wat0114

    wat0114 Guest

    No worries, all is good :thumb:

    I tested with my current settings and result shown in attachment...

    Is this still not considered secure? I didn't read that thread you mention too thoroughly.
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Try the following:

    With Java enabled, go to Java test page http://www.java.com/en/download/testjava.jsp

    Then, disable all Java plugins. Make sure you select to show ALL addons. Disable any plugin related to Java. Clean any temporary files from IE. Go back to the Java test page.

    In my test, and in funkydude test, Java still loaded, despite the test page saying Java couldn't be found.

    I couldn't tell from your image, if you got ActiveX protection enabled? That would stop it, if I well recall it. Not sure. But, it's not a setting enabled by default, so most people would be screwed.

    One could also block Java in Group Policy Editor, in IE settings.

    -edit-

    Link to funkydude's post https://www.wilderssecurity.com/showpost.php?&p=1953267&postcount=81

    This is part of my post, which I posted before funkydude:

     
    Last edited: Oct 12, 2011
  11. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,856
    I still have no idea how it works, but to be fair why would you install Java in the first place if you wanted to disable it? If you wanted some kind of whitelist of websites you can use one, or stick to ActiveX filtering which is simpler.
     
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Quite simple, actually. I do need Java, because I need to use an application that does require it. But, I don't need it for my browsing, except once a year. So, why not simply have it blocked at all times?

    And, like you, I still got no idea why Java still loads in IE, when the plugins are all disabled, but that's not really the point. I just raised a general concern, that's all. The reason being that ActiveX filtering isn't enabled by default. Are all IE9 users aware of such a setting? But, some of them may have some plugins disabled, even without knowing what they did, because IE9 does ask if the user wants to disable plugins. A relative of mine disabled a few BHOs, and I had to re-enable the Prevx BHO. :D

    Also, website whitelisting doesn't work in the Java plugin. It does work with Flash, but not with Java. I tested it some time ago, and even asked MrBrian, back then, if I could whitelist, but he couldn't either.

    The option is there, but it doesn't work. o_O
     
  13. wat0114

    wat0114 Guest

    My mistake. I did not have a firewall rule to allow java.exe to port 53 DNS. Also, I'm using IE9 x64 now. It doesn't seem to support Java.

    *EDIT* I see a supported x64 Java version. Will try it.

    EDIT

    So far I can't find a way to disable Java, not even in GP editor. I will use x64 IE and x64 Java.
     
    Last edited by a moderator: Oct 12, 2011
  14. wat0114

    wat0114 Guest

    EDIT

    Updated settings in green.

    Local Computer Policy-> Computer Configuration-> Administrative Templates-> Windows Components-> Internet Explorer

    The following settings are Enabled:

    • Security Zones: Do not allow users to add/delete sites
    • Disable showing the splash screen
    • Prevent participation in the Customer Experience Improvement Program
    • Security Zones = Do not allow users to change policies

    Next, go to:

    Security Features-> Mime Sniffing Safety Feature

    • Internet Explorer Processes

    Next, go to:

    Internet Control Panel

    • Prevent ignoring certificate errors

    Next, go to:

    Internet Control Panel-> Advanced Page

    The following settings are Enabled:

    • Check for server certificate revocation
    • Do not allow resetting Internet Explorer settings
    • Check for signatures on downloaded programs

      Disabled
    • Allow software to run or install even if the signature is invalid

    Next, go to:

    Internet Control Panel-> Security Page

    The following settings are Enabled:

    • Internet Zone Template = Medium High
    • Restricted Zones Template = High
    • Trusted Zones Template = Medium
    • Turn on Warn about Certificate Address Mismatch
    • Site to Zone Assignment List: Sites that you trust and don't want "broken" by the Medium High Internet Zone can be placed here with a value of "2" (= Medium for Trusted Zone).
     
    Last edited by a moderator: Oct 12, 2011
  15. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,856
    It asks if you want to enable them when you install them, that's it. The general user isn't going to install Java then disable it, if they even know what disabling a plugin is.

    wat0114, nice list. Do you think enabling TLS 1.1 and 1.2 would be considered "hardening"?
     
  16. wat0114

    wat0114 Guest

    Thank you Funkydude. Yes, I've looked at that and wondered the same thing. Maybe I'll try it. Thanks!
     
  17. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,248
    Location:
    Chaotic Land
    Thanks for the settings wat :thumb: I noticed some of these sites were already enabled for me so guess I didn't have much tweaking in internet control panel.
     
    Last edited: Oct 12, 2011
  18. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    Internet Control Panel-> Advanced Page

    The following settings are Enabled:

    • Do not save encrypted pages to disk
    • Turn off Encryption Support - Only Use TLS 1.0
     
  19. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,248
    Location:
    Chaotic Land
    This setting is in Local Computer Policy-> Computer Configuration-> Administrative Templates-> Windows Components-> Internet Explorer
     
  20. wat0114

    wat0114 Guest

    Thank you 1chaotic! I've corrected this :)

    Would you suggest this plus Funkydude's recommendation? Thank you for the suggestions!
     
  21. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,248
    Location:
    Chaotic Land
    No problem wat. I would definitely add do not save encrypted pages to disk. I use this setting myself. Not sure about the other one.
     
  22. wat0114

    wat0114 Guest

    Okay, I've added that first one. It makes sense to do so.
     
  23. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,248
    Location:
    Chaotic Land
    Indeed it does.
     
  24. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,856
    Both of those are BAD settings. Here's why:

    1. The way this functions means if you enable it, you CANNOT download any files from HTTPS sources, because anything from such sources isn't allowed disk access at all. It's a great privacy feature sure, but as hardening? No, definitely not.
    2. It is not a good idea to turn off SSL 3.0 yet, there are still sites that only support 3.0, including some devices like routers that only support 3.0 for logging into their admin panel. The only security you should have disabled is 2.0, which is disabled by default. SSL 3.0, TLS 1.0, 1.1, 1.2 should be enabled.
     
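    Added example (not posted by anyone in this thread): a PowerShell audit that reads the machine-policy registry values behind the gpedit.msc settings listed in wat0114's post #14 and decodes the "Turn off Encryption Support" bitmask discussed in the last few posts, so the hardening can be verified without clicking through the editor. The key and value names are the ones the IE administrative template (inetres.admx) writes; any mapping you have not confirmed against your own template should be treated as an assumption.

```powershell
# Policy registry roots written by the IE administrative template (assumed from inetres.admx)
$ie   = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer'
$inet = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the policy is "Not Configured" (key or value absent)
    if (Test-Path $Path) { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name }
}

# gpedit.msc policy name -> registry location and the data that matches the thread's recommendation
$checks = @(
    @{ Policy='Security Zones: Do not allow users to change policies'; Path=$inet; Name='Security_options_edit';   Want=1 }
    @{ Policy='Security Zones: Do not allow users to add/delete sites'; Path=$inet; Name='Security_zones_map_edit'; Want=1 }
    @{ Policy='Check for server certificate revocation';                Path=$inet; Name='CertificateRevocation';   Want=1 }
    @{ Policy='Do not save encrypted pages to disk';                    Path=$inet; Name='DisableCachingOfSSLPages'; Want=1 }
    @{ Policy='Check for signatures on downloaded programs';            Path="$ie\Download"; Name='CheckExeSignatures';   Want='yes' }
    @{ Policy='Allow software to run/install if signature invalid (Disabled)'; Path="$ie\Download"; Name='RunInvalidSignatures'; Want=0 }
    @{ Policy='Prevent ignoring certificate errors';                    Path="$ie\Main"; Name='PreventIgnoreCertErrors'; Want=1 }
)

foreach ($c in $checks) {
    $actual = Get-PolicyValue $c.Path $c.Name
    $state  = if ($null -eq $actual) { 'NOT SET' }
              elseif ("$actual" -eq "$($c.Want)") { 'OK' }
              else { "MISMATCH (value is $actual)" }
    '{0,-66} {1}' -f $c.Policy, $state
}

# "Turn off Encryption Support" stores the enabled protocols as a bitmask in SecureProtocols:
# SSL 2.0 = 8, SSL 3.0 = 32, TLS 1.0 = 128, TLS 1.1 = 512, TLS 1.2 = 2048
$mask = Get-PolicyValue $inet 'SecureProtocols'
if ($null -ne $mask) {
    $bits = @{ 'SSL 2.0'=8; 'SSL 3.0'=32; 'TLS 1.0'=128; 'TLS 1.1'=512; 'TLS 1.2'=2048 }
    $on = $bits.GetEnumerator() | Where-Object { ($mask -band $_.Value) -ne 0 } |
          Sort-Object Value | ForEach-Object { $_.Key }
    "SecureProtocols policy = $mask -> enabled: $($on -join ', ')"
} else { 'SecureProtocols policy not set (IE uses the Internet Options defaults)' }

# Site to Zone Assignment List: each value name is a site, its data the zone number (2 = Trusted)
$zoneMap = "$inet\ZoneMapKey"
if (Test-Path $zoneMap) {
    $props = Get-ItemProperty $zoneMap
    foreach ($site in (Get-Item $zoneMap).Property) { '{0,-40} zone {1}' -f $site, $props.$site }
}
```

    Run it from an elevated PowerShell after `gpupdate /force`; a line reading NOT SET means the policy is still "Not Configured", not that the IE default is insecure.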
  25. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544

    Thank you. I'll prefer to keep my settings for 1, and will follow your suggestion on 2. :thumb:
     