Using Group Policy Editor (gpedit.msc) to harden IE 9

Discussion in 'other software & services' started by wat0114, Oct 12, 2011.

Thread Status:
Not open for further replies.
  1. wat0114

    wat0114 Guest


    This is in the explanation on 1:

    It only seems to mention password, credit card and similar data not being saved, as opposed to prohibiting downloading files. I hope I understand this correctly? It seems to be a setting one could recommend.
     
  2. wat0114

    wat0114 Guest

    EDIT

    Updated settings 10/13/2011 - Geared more toward a "family" lockdown policy

    Local Computer Policy-> Computer Configuration-> Administrative Templates-> Windows Components-> Internet Explorer

    The following settings are Enabled:

    • Disable Per-User Installation of ActiveX Controls
    • Turn off Managing phishing filter = Automatic
    • Do not allow users to enable or disable add-ons
    • Prevent users from bypassing SmartScreen Filter's application reputation warnings about files that are not commonly downloaded from the Internet
    • Prevent bypassing SmartScreen Filter warnings
    • Turn off Managing SmartScreen Filter for IE 9 = On
    • Security Zones: Do not allow users to add/delete sites
    • Disable showing the splash screen
    • Prevent participation in the Customer Experience Improvement Program
    • Security Zones = Do not allow users to change policies

    Next, go to:

    Security Features-> Mime Sniffing Safety Feature

    • Internet Explorer Processes

    Next, go to:

    Internet Control Panel

    • Disable the Privacy page
    • Prevent ignoring certificate errors

    Next, go to:

    Internet Control Panel-> Advanced Page

    The following settings are Enabled:

    • Turn off Encryption Support: use SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2
    • Check for server certificate revocation
    • Do not allow resetting Internet Explorer settings
    • Check for signatures on downloaded programs

    The following settings are Disabled:

    • Allow software to run or install even if the signature is invalid

    Next, go to:

    Internet Control Panel-> Security Page

    The following settings are Enabled:

    • Internet Zone Template = Medium High
    • Restricted Zones Template = High
    • Trusted Zones Template = Medium
    • Turn on Warn about Certificate Address Mismatch
    • Site to Zone Assignment List: Sites that you trust and don't want "broken" by the Medium High Internet Zone can be placed here with a value of "2" (= Medium for Trusted Zone).

    I believe this is very close to complete now, but I'll certainly make changes where necessary :)
     
    Last edited by a moderator: Oct 13, 2011
  3. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Again, it is NOT a "hardening" feature by any means whatsoever, it will prevent downloading of files from secure sources as I have already explained.

    Here is a blog from MS themselves, explaining how it can also cause issues with Flash. I'd imagine things like viewing PDF files would also break:
    http://blogs.msdn.com/themes/blogs/...ave-encrypted-pages-to-disk-is-set&GroupKeys=

    edit: wording it as "turn off encryption support" is confusing. There is no encryption to turn off, SSL2 is already off by default. It should be "Enable encryption support: TLS 1.1, 1.2"
     
    Last edited: Oct 12, 2011
  4. wat0114

    wat0114 Guest

    Thank you elapsed. That clears things up for me now. I will disable that setting.
     
  5. wat0114

    wat0114 Guest

    EDIT

    Updated settings 10/15/2011 - The "Enterprise Lockdown" policy. Pretty much finalized and very happy with it :)

    =================================================================================================================
    Local Computer Policy-> Computer Configuration-> Administrative Templates-> Windows Components-> Internet Explorer

    The following settings are Enabled:

    • Do not allow users to enable or disable add-ons (This prevents enabling of any new installed add-ons)
    • Disable Per-User Installation of ActiveX Controls
    • Turn off Managing phishing filter = Automatic
    • Turn off Crash Detection
    • Prevent users from bypassing SmartScreen Filter's application reputation warnings about files that are not commonly downloaded from the Internet
    • Prevent bypassing SmartScreen Filter warnings
    • Turn off Managing SmartScreen Filter for IE 9 = On
    • Security Zones: Do not allow users to add/delete sites
    • Disable showing the splash screen
    • Prevent participation in the Customer Experience Improvement Program
    • Security Zones = Do not allow users to change policies

    Next, go to:

    Security Features

    • Mime Sniffing Safety Feature = Internet Explorer Processes
    • Protection From Zone Elevation = Internet Explorer Processes
    • Local Machine Zone Lockdown Security = Internet Explorer Processes
    • Restrict File Download = Internet Explorer Processes
    • Restrict ActiveX Install = Internet Explorer Processes
    • Scripted Windows Security restrictions = All Processes
    • Object Caching Protection = Internet Explorer Processes
    • MK Protocol Security Restriction = Internet Explorer Processes

    Next, go to:

    Internet Control Panel

    • Disable the Privacy page (ensure Pop-up blocker is set to Medium)
    • Disable the Advanced page
    • Prevent ignoring certificate errors

    Next, go to:

    Internet Control Panel-> Advanced Page

    The following settings are Enabled:

    • Turn off Encryption Support: use SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2
    • Check for server certificate revocation
    • Do not allow resetting Internet Explorer settings
    • Check for signatures on downloaded programs
    The following settings are Disabled:

    • Allow software to run or install even if the signature is invalid

    Next, go to:

    Internet Control Panel-> Security Page

    The following settings are Enabled:

    • Internet Zone Template = Medium High
    • Restricted Zones Template = High
    • Trusted Zones Template = Medium
    • Turn on Warn about Certificate Address Mismatch
    • Site to Zone Assignment List: Sites that you trust and don't want "broken" by the Medium High Internet Zone can be placed here with a value of "2" (= Medium for Trusted Zone).
    =====================================================================================================================
    • Will make further changes if necessary
     
    Last edited by a moderator: Oct 16, 2011
  6. s23

    s23 Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    263
    These are some of the settings I have used here for some time, since IE8 to be precise, and for the sites I visit, no problems have appeared:

    Under Internet Explorer -> Security Features (just for the IE and Explorer processes)

    -Binary Behaviour security
    -Consistent Mime Handling
    -Local machine zone lockdown security
    -Mime sniffing safety feature
    -Object caching protection
    -Protection from zone elevation
    -Restrict file download
    -Scripted Window Security Restriction
     
    Last edited: Oct 14, 2011
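As an added check that is not part of the thread: the "Enterprise Lockdown" list in post #5 and s23's Security Features list above are both applied through Computer Configuration, so every setting ends up as a value under HKLM\SOFTWARE\Policies. The script below (my own, not wat0114's or Microsoft's) reads those values back and reports OK / MISMATCH / NOT SET per setting, which is the quickest way to confirm a policy actually took after `gpupdate /force`. The registry paths and value names in it are the ones I know inetres.admx maps these policies to on Windows 7 / IE9; treat them as assumptions and confirm against your own ADMX or a `gpresult /h report.html` run before relying on the output. It also decodes the SecureProtocols bitmask, which is the value behind the confusingly named "Turn off encryption support" policy that elapsed mentions in post #3: the bits that are set are the protocols that remain enabled. Zone templates are deliberately left out because each one writes a full set of per-zone values rather than a single flag. Requires PowerShell 3.0 or later; run from an elevated prompt.

```powershell
# Added audit script (not from the thread). Reads the HKLM policy values that the
# Computer Configuration IE policies write and compares them with the lockdown list.
# Registry paths/value names are assumed from inetres.admx (Windows 7 / IE9);
# verify against your ADMX or a gpresult /h report before trusting the result.

$PolIS   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$PolIE   = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer'
$Feature = "$PolIE\Main\FeatureControl"

# SecureProtocols bit values ("Turn off encryption support" policy). A SET bit means
# that protocol stays ENABLED, despite the policy's name.
$Proto = @{ 'SSL 2.0' = 8; 'SSL 3.0' = 32; 'TLS 1.0' = 128; 'TLS 1.1' = 512; 'TLS 1.2' = 2048 }

function ConvertFrom-SecureProtocols([int]$Mask) {
    ($Proto.GetEnumerator() | Where-Object { $Mask -band $_.Value } |
        Sort-Object Value | ForEach-Object { $_.Key }) -join ', '
}

# One entry per setting: display name, policy key, value name, expected data.
# Security Features are per process: value name is the image name ("iexplore.exe")
# or "*" for "All Processes", data 1 = enabled.
$Checks = @(
  @{ Name='Do not allow users to enable or disable add-ons'; Key="$PolIE\Restrictions"; Value='NoExtensionManagement'; Expect=1 }
  @{ Name='Security Zones: do not allow users to add/delete sites'; Key=$PolIS; Value='Security_zones_map_edit'; Expect=1 }
  @{ Name='Security Zones: do not allow users to change policies'; Key=$PolIS; Value='Security_options_edit'; Expect=1 }
  @{ Name='SmartScreen Filter for IE9 = On'; Key="$PolIE\PhishingFilter"; Value='EnabledV9'; Expect=1 }
  @{ Name='Prevent bypassing SmartScreen warnings'; Key="$PolIE\PhishingFilter"; Value='PreventOverride'; Expect=1 }
  @{ Name='Prevent bypassing SmartScreen app reputation warnings'; Key="$PolIE\PhishingFilter"; Value='PreventOverrideAppRepUnknown'; Expect=1 }
  @{ Name='Prevent ignoring certificate errors'; Key="$PolIE\Main"; Value='PreventIgnoreCertErrors'; Expect=1 }
  @{ Name='Check for server certificate revocation'; Key=$PolIS; Value='CertificateRevocation'; Expect=1 }
  @{ Name='Check for signatures on downloaded programs'; Key="$PolIE\Download"; Value='CheckExeSignatures'; Expect='yes' }
  @{ Name='Allow software to run if signature invalid (Disabled)'; Key="$PolIE\Download"; Value='RunInvalidSignatures'; Expect=0 }
  @{ Name='Encryption support = SSL 3.0, TLS 1.0, 1.1, 1.2'; Key=$PolIS; Value='SecureProtocols'; Expect=(32 + 128 + 512 + 2048) }
  @{ Name='MIME Sniffing Safety Feature (IE processes)'; Key="$Feature\FEATURE_MIME_SNIFFING"; Value='iexplore.exe'; Expect=1 }
  @{ Name='Protection From Zone Elevation (IE processes)'; Key="$Feature\FEATURE_ZONE_ELEVATION"; Value='iexplore.exe'; Expect=1 }
  @{ Name='Local Machine Zone Lockdown (IE processes)'; Key="$Feature\FEATURE_LOCALMACHINE_LOCKDOWN"; Value='iexplore.exe'; Expect=1 }
  @{ Name='Restrict File Download (IE processes)'; Key="$Feature\FEATURE_RESTRICT_FILEDOWNLOAD"; Value='iexplore.exe'; Expect=1 }
  @{ Name='Restrict ActiveX Install (IE processes)'; Key="$Feature\FEATURE_RESTRICT_ACTIVEXINSTALL"; Value='iexplore.exe'; Expect=1 }
  @{ Name='Scripted Window Security Restrictions (All Processes)'; Key="$Feature\FEATURE_WINDOW_RESTRICTIONS"; Value='*'; Expect=1 }
  @{ Name='Object Caching Protection (IE processes)'; Key="$Feature\FEATURE_OBJECT_CACHING"; Value='iexplore.exe'; Expect=1 }
  @{ Name='MK Protocol Security Restriction (IE processes)'; Key="$Feature\FEATURE_DISABLE_MK_PROTOCOL"; Value='iexplore.exe'; Expect=1 }
  @{ Name='Consistent MIME Handling (IE processes)'; Key="$Feature\FEATURE_MIME_HANDLING"; Value='iexplore.exe'; Expect=1 }
  @{ Name='Binary Behavior Security (IE processes)'; Key="$Feature\FEATURE_BEHAVIORS"; Value='iexplore.exe'; Expect=1 }
)

function Test-IEHardeningPolicy {
    foreach ($c in $Checks) {
        $actual = (Get-ItemProperty -Path $c.Key -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        $status = if ($null -eq $actual) { 'NOT SET' }
                  elseif ("$actual" -eq "$($c.Expect)") { 'OK' }
                  else { 'MISMATCH' }
        # Show the protocol mask as names so a wrong value is obvious at a glance
        $shown  = if ($c.Value -eq 'SecureProtocols' -and $null -ne $actual) { ConvertFrom-SecureProtocols $actual } else { $actual }
        [pscustomobject]@{ Status = $status; Setting = $c.Name; Expected = $c.Expect; Actual = $shown }
    }
    # Site to Zone Assignment List: one REG_SZ per host under ZoneMapKey, data is the
    # zone number (1 Intranet, 2 Trusted, 3 Internet, 4 Restricted). Listed for review.
    $map = Get-ItemProperty -Path "$PolIS\ZoneMapKey" -ErrorAction SilentlyContinue
    if ($map) {
        $map.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
            [pscustomobject]@{ Status = 'INFO'; Setting = "Site to Zone: $($_.Name)"; Expected = '2'; Actual = $_.Value }
        }
    }
}

Test-IEHardeningPolicy | Format-Table -AutoSize
```

If you applied any of these under User Configuration instead, the same value names live under HKCU\SOFTWARE\Policies and the script's two root variables need changing accordingly. A NOT SET result after a refresh usually means the policy was set under the other configuration node or the ADMX on your build maps it to a different value; check the report from `gpresult /h` in that case rather than editing the registry by hand.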
  7. wat0114

    wat0114 Guest

    Thank you, s23, i will look over those settings :)

    EDIT

    I've applied a couple of those settings, so far, in my list. Thanks again!
     
    Last edited by a moderator: Oct 14, 2011
  8. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,342
    Location:
    USA
    Wow wat you really locked down IE :D
     
  9. wat0114

    wat0114 Guest

    Well, I think so, and the amazing thing is it's had no noticeable adverse effect on the browsing experience so far.
     
  10. s23

    s23 Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    263
    Glad to help.
     
  11. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,342
    Location:
    USA
    Good to know.
     
  12. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
    Thanks for sharing wat0114:thumb:
    It's always great to increase security without the need to install more applications. I'll implement your settings and keep an eye on this thread.
     
  13. wat0114

    wat0114 Guest

    You're welcome Alex! Hope it works for you.
     
  14. wat0114

    wat0114 Guest

    Policy List has been edited with several more security options enabled: 10/15/2011
     
  15. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    Nice list... I will have to try it out. Thanks.
     
  16. wat0114

    wat0114 Guest

    Thanks Rilla! I did away with: Security Features-> Add-on Management:
    • Add-on List
    • Deny all add-ons unless specifically allowed in the Add-on List

    because it was too cumbersome to manage, especially with having to enter the CLSIDs of all allowed add-ons, a labor-intensive copy/paste chore, so I instead went with: Local Computer Policy-> Computer Configuration-> Administrative Templates-> Windows Components-> Internet Explorer
    • Do not allow users to enable or disable add-ons
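The copy/paste chore described above is the main reason people abandon the Add-on List policy, so here is an added helper (my own code, not from the thread or from Microsoft) that does the CLSID collection for you: it enumerates the BHOs, toolbars and Tools-menu extensions registered on the machine in both the 64-bit and 32-bit hives, resolves each CLSID to a friendly name, reports whether Microsoft's or your own kill bit already blocks the control, and then emits (optionally writes) the Add-on List entries with "1" for the CLSIDs you pass in and "0" for everything else, together with "Deny all add-ons unless specifically allowed in the Add-on List". The add-on registration locations and the kill-bit flag (0x400 in "Compatibility Flags") are the standard documented ones; the policy key `...\Internet Settings\Ext\CLSID` with data "0" / "1" / "2" (deny / allow / allow and let the user manage) and the `RestrictToList` value are what I know the two Add-on Management policies write, but confirm them against your inetres.admx before using `-Apply`. Requires PowerShell 3.0 or later and an elevated prompt to write policy.

```powershell
# Added helper (not from the thread). Enumerates IE add-ons from the registry and
# builds the Add-on List policy entries so the CLSIDs need not be copied by hand.
# Policy key/value names are assumed from inetres.admx; verify before using -Apply.

$Roots     = @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node')   # 64-bit and 32-bit registrations
$PolicyExt = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Ext'
$KillBit   = 0x400   # "Compatibility Flags" bit that stops a control loading in IE

function Get-ClsidName([string]$Clsid) {
    # Friendly name is the default value of HKCR\CLSID\{...}; fall back to the DLL path
    $key  = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    $name = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if (-not $name) { $name = (Get-ItemProperty -Path "$key\InprocServer32" -ErrorAction SilentlyContinue).'(default)' }
    if ($name) { $name } else { '(unknown)' }
}

function Test-KillBit([string]$Clsid) {
    foreach ($r in $Roots) {
        $flags = (Get-ItemProperty -Path "$r\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid" `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($flags -and ($flags -band $KillBit)) { return $true }
    }
    $false
}

function Get-IEAddon {
    $seen = @{}
    foreach ($r in $Roots) {
        $sources = @(
            @{ Type = 'BHO';       Key = "$r\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"; ByValue = $false }
            @{ Type = 'Extension'; Key = "$r\Microsoft\Internet Explorer\Extensions";                          ByValue = $false }
            @{ Type = 'Toolbar';   Key = "$r\Microsoft\Internet Explorer\Toolbar";                             ByValue = $true }  # CLSIDs are value names here
        )
        foreach ($s in $sources) {
            if (-not (Test-Path $s.Key)) { continue }
            $ids = if ($s.ByValue) {
                (Get-ItemProperty -Path $s.Key).PSObject.Properties.Name | Where-Object { $_ -like '{*}' }
            } else {
                Get-ChildItem -Path $s.Key | ForEach-Object { $_.PSChildName } | Where-Object { $_ -like '{*}' }
            }
            foreach ($id in $ids) {
                $id = $id.ToUpper()
                if ($seen.ContainsKey($id)) { continue }   # same control can appear in both hives
                $seen[$id] = $true
                [pscustomobject]@{ Type = $s.Type; Clsid = $id; Name = (Get-ClsidName $id); KillBit = (Test-KillBit $id) }
            }
        }
    }
}

# Allow ("1") the CLSIDs you recognise, deny ("0") everything else.
function New-AddonListPolicy([string[]]$Allow, [switch]$Apply) {
    $Allow = @($Allow | ForEach-Object { $_.ToUpper() })
    if ($Apply) { New-Item -Path "$PolicyExt\CLSID" -Force | Out-Null }
    foreach ($a in Get-IEAddon) {
        $data = if ($Allow -contains $a.Clsid) { '1' } else { '0' }
        if ($Apply) { Set-ItemProperty -Path "$PolicyExt\CLSID" -Name $a.Clsid -Value $data -Type String }
        [pscustomobject]@{ Clsid = $a.Clsid; Name = $a.Name; Type = $a.Type; KillBit = $a.KillBit; Policy = $data }
    }
    if ($Apply) {   # "Deny all add-ons unless specifically allowed in the Add-on List"
        Set-ItemProperty -Path $PolicyExt -Name 'RestrictToList' -Value 1 -Type DWord
    }
}

# Review the inventory first; then re-run with -Allow @('{CLSID-you-trust}', ...) -Apply
New-AddonListPolicy -Allow @() | Format-Table -AutoSize
```

Run it once without `-Apply` and keep the table: the Name column is what you would otherwise look up one CLSID at a time, and a KillBit of True tells you a control is already blocked independently of the policy. Only ActiveX controls that have registered as BHOs, toolbars or extensions are listed; plain controls used on pages (Flash, Java, PDF readers) live under HKCR\CLSID with no add-on registration, so add their CLSIDs to the list by hand if you want them covered.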
     
  17. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    You're right, that's too much work. I think the change is for the better.

    Is it easy enough to add one when you need it? I've never played with this stuff. Since it comes with the OS and doesn't add any extra usage, it's another security layer for us.

    I always find your posts helpful. Don't forget to update your link in post #39. I'm gonna save this as an offline file and use it when I reinstall Windows.

    Thanks
     
  18. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    I'm only answering since you asked :)

    If one only wanted to use Java in their browser of choice e.g. Firefox, then it'd be reasonable to disable it in IE. I disable all plugins in IE so that the attack surface is as low as possible when I'm forced to use it on occasion, and don't even install ActiveX plugins when possible (e.g. Flash).

    Another reason to disable plugins is that it's good practice for when they aren't currently needed, especially considering third party plugins are the least secure component of a browser. Those with only an intermittent need I keep disabled - and don't think I'm unreasonable to expect they should stay that way.

    In any case, plugins shouldn't run when you've exhausted the in-browser options for disabling them. IE9 with a vulnerable version of Java (disabled) was consistently able to be exploited. In Firefox, disabling Java meant Java exploits failed which is the desired result.
     
  19. wat0114

    wat0114 Guest

    Thanks again for your kind words, Rilla! If the settings aren't final now, they're very close, for sure :)
     
  20. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Looks great, I may change IE 9 to my default browser at this rate. Applied a few to explorer.exe and firefox.exe. Thanks for providing useful information and tips as always.
     
  21. wat0114

    wat0114 Guest

    Thank you, J_L. Please let us know if something "breaks" due to these settings. They're quite restrictive, I guess, but so far for me no issues. Yesterday a video on a secure MS TechNet blog page wouldn't even display, and after wasting my time trying to isolate the issue, thinking it was one of the settings, it turns out Silverlight isn't supported on x64 IE :gack:
     
  22. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Yeah, Silverlight x64 will come with Silverlight 5 due soon (this year).

    That being said more and more of the MS "sites" are using HTML5 with a Silverlight fall-back so you may not even need it eventually (I don't have it installed).
     
  23. wat0114

    wat0114 Guest

    Good news, thanks elapsed!
     
  24. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
  25. wat0114

    wat0114 Guest

    In no hurry, but I'm tempted to try it :) Thanks again.
     