Using Group Policy Editor (gpedit.msc) to harden IE 9

Discussion in 'other software & services' started by wat0114, Oct 12, 2011.

Thread Status:
Not open for further replies.
  1. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,795
    It would be great if one could track down the reg keys for these (if applicable) and compile them into a list; better still, a program (in .exe form) so that one could apply these hardening settings in a much simpler manner. An added advantage would be that Windows editions without gpedit.msc could still apply these settings.
     
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Found issues with Tracking Protection, LastPass website, and some minor things.
     
  3. wat0114

    wat0114 Guest

    Thank you for the feedback, J_L. It's a matter of finding which Group Policy settings are causing the issues, which can be a bit of a painstaking process; at least it has been for me when I've encountered the odd issue. I had an ActiveX issue the other day, and it wasn't until a while later that I found out it had nothing to do with the gpedit settings, but rather that IE9 x64 doesn't support ActiveX yet :ouch:

    Please let us know if you find the settings.
     
  4. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    What issue did you have with tracking protection?
     
  5. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,342
    Location:
    USA
    Way to go Microsoft lol :p
     
    Last edited: Oct 23, 2011
  6. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    I missed this, what exactly isn't working for you? As plugins such as Flash and Silverlight are ActiveX controls, and their 64bit versions work fine. Did I miss something?
     
  7. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    My lists are gone, and when I try to install a new one:
    Same on 32-bit and 64-bit.
     
  8. wat0114

    wat0114 Guest

    Yep, you're right o_O ...just saw this in some of my add-on properties (clearly I'm still learning about ActiveX and so forth :doubt: ). It was the web page here: -http://www.pcpitstop.com/testax.asp- and I get an "ActiveX is not supported" message, so I did some Google searching and someone mentions ActiveX is not yet supported in IE x64. Now maybe that was a fairly old page, but I had already verified the pcpitstop ActiveX add-on works in 32-bit IE but not in 64-bit, and the Group Policy settings apply to both browser versions. I'm not sure what's wrong. Could it be that PC Pitstop's add-on is not compatible with x64??
     
  9. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    If they don't offer a 64bit plugin IEx64 will obviously not work with that site, it's up to them to develop a 64bit plugin. Just as it was up to Adobe to develop a 64bit version of Flash, Oracle to develop a 64bit version of Java, and Microsoft to develop a 64bit version of Silverlight.

    That was as a result of changing one of the settings in this thread? (I haven't actually gone through any myself).
     
  10. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Yes, it happened right after going through this and opening IE.
     
  11. wat0114

    wat0114 Guest

    Thank you elapsed! This clears it up for me now :)

    @J_L,

    I'm not sure yet what could cause this. I'll try to find out a bit later (at an XP machine now).
     
  12. wat0114

    wat0114 Guest

    J_L,

    I'm able to add and enable a TPL, using EasyPrivacy. This is with all the settings of my updated gpo enabled.
     

  13. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Nevermind, it was caused by Comodo Sandbox registry virtualization.
     
  14. wat0114

    wat0114 Guest

    Thanks J_L!

    For the past week I've had a play with the Microsoft Security Compliance Manager, first in the VM to figure out how it works, then on the real machine today. It allows one to apply security baselines, whether they be the MS defaults or customized ones, to workstations across a network or, as in my case, to stand-alone workstations.

    It's quite a slick program, and not that difficult to use. Keep in mind this will only work on Pro, Ultimate or Enterprise Windows versions.

    One caveat some might not like is that it's necessary to install MS' .NET 4.0 before the SCM program can be installed, available here:

    -http://www.microsoft.com/download/en/details.aspx?id=17851

    I have customized, though not necessarily completed, one of MS' IE 9 baselines and re-configured it to closely mirror the one I posted earlier in this thread, but I've also kept some of the defaults from it. A .XLSX (macros disabled) of it is available from here:

    EDIT

    -http://www.megaupload.com/?d=SNRWXWTD

    Please see post #66 for updated file.

    *EDIT*

    Now I'm not so sure about this. Maybe it will work on versions that don't have the Group Policy settings, by changing the necessary registry settings instead? Maybe someone knows or can test?
     
    Last edited by a moderator: Oct 24, 2011
  15. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    *cough*

    The damn browser keeps taking me to places. It has a life of its own. :rolleyes:
     
  16. wat0114

    wat0114 Guest

    Does that program work, m00nbl00d? Seems some are having issues with it.

    I've updated the xlsx document to include registry settings:

    -http://www.megaupload.com/?d=OCNKTAUW

    Just scroll rightmost in the document to see them :)
     
  17. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I have Windows 7 Ultimate, so I already have gpedit. So, no idea whether it works or not.

    I just thought of sharing. But, I believe the author mentioned it works fine. I think the initial problem was with 64-bit Windows. The author then created a 64-bit version.

    I suppose those interested would have to test for themselves. It's one of those things that may work for some, may not work for others. :argh:
     
  18. wat0114

    wat0114 Guest

    Very good, thank you for the info m00nbl00d :)
     
  19. wat0114

    wat0114 Guest

    Updated October 30, 2011 Internet Explorer 9 Customized Security baseline:

    Provided far more detail this time. Most of these settings are recommendations from the MS baseline policy, although a few of them I modified to enhance usability.

    A 2003-compatible Excel spreadsheet of all settings, including registry, is available here: -http://www.megaupload.com/?d=YT0EP0AP

    Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\
    • Turn off Managing SmartScreen Filter for Internet Explorer 9 = Enabled
    • Turn off Crash Detection = Enabled
    • Do not allow users to enable or disable add-ons = Enabled
    • Turn off the Security Settings Check feature = Disabled
    • Prevent "Fix settings" functionality = Disabled
    • Disable Per-User Installation of ActiveX Controls = Enabled
    • Prevent participation in the Customer Experience Improvement Program = Enabled
    • Security Zones: Do not allow users to change policies = Enabled
    • Security Zones: Do not allow users to add/delete sites = Enabled
    • Security Zones: Use only machine settings = Enabled
    Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Delete Browsing History\
    • Disable "Configuring History" = Disabled
    • Configure Delete Browsing History on exit = Enabled
    Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page\
    • Do not allow resetting Internet Explorer settings = Enabled
    • Turn off Encryption Support = Enabled: Use SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2
    • Check for server certificate revocation = Enabled
    Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\
    • Disable the Privacy page = Enabled
    • Disable the Advanced page = Enabled
    • Prevent ignoring certificate errors = Enabled
    Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\
    • Site to Zone Assignment List = Enabled
    • Turn on Warn about Certificate Address Mismatch = Enabled
    • Turn on Protected Mode = Enabled (Note: for Trusted Sites Zone)
    Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone\
    • Use SmartScreen Filter = Enabled
    Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone\
    • Use SmartScreen Filter = Enabled
    Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone\
    • Use SmartScreen Filter = Enabled
    Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone\
    • Use SmartScreen Filter = Enabled
    Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone\
    • Use SmartScreen Filter = Enabled
    Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone\
    • Use SmartScreen Filter = Enabled
    Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone\
    • Initialize and script ActiveX controls not marked as safe = Disabled
    • Download signed ActiveX controls = Prompt
    • Software channel permissions = Enable
    • Allow script-initiated windows without size or position constraints = Disable
    • Automatic prompting for file downloads = Disable
    • Access data sources across domains = Disable
    • Use Pop-up Blocker = Enable
    • Launching applications and files in an IFRAME = Prompt
    • Java permissions = Disable Java
    • Download unsigned ActiveX controls = Disable
    • Allow installation of desktop items = Disable
    • Web sites in less privileged Web content zones can navigate into this zone = Disable
    • Turn on Protected Mode = Enabled
    Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone\
    • Allow META REFRESH = Disable
    • Allow binary and script behaviors
    • Launching applications and files in an IFRAME = Disable
    • Run .NET Framework-reliant components not signed with Authenticode = Disable
    • Allow installation of desktop items = Disable
    • Download unsigned ActiveX controls = Disable
    • Allow script-initiated windows without size or position constraints = Disable
    • Use Pop-up Blocker = Enable
    • Download signed ActiveX controls = Disable
    • Allow active scripting = Disable
    • Initialize and script ActiveX controls not marked as safe = Disable
    • Java permissions = Disable Java
    • Allow file downloads = Disable
    • Scripting of Java applets = Prompt
    • Allow drag and drop or copy and paste files = Disable
    • Navigate windows and frames across different domains = Disable
    • Run ActiveX controls and plugins = Disable
    • Software channel permissions = High safety
    • Allow font downloads = Enable
    • Automatic prompting for file downloads = Disable
    • Run .NET Framework-reliant components signed with Authenticode = Prompt
    • Script ActiveX controls marked safe for scripting = Disable
    • Web sites in less privileged Web content zones can navigate into this zone = Disable
    • Allow status bar updates via script = Disable
    • Turn on Protected Mode = Enabled
    Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\
    • Local Machine Zone Lockdown Security: Internet Explorer Processes = Enabled
    • Mime Sniffing Safety Feature: Internet Explorer Processes = Enabled
    • Restrict ActiveX Install: Internet Explorer Processes = Enabled
    • Restrict File Download: Internet Explorer Processes = Enabled
    • Notification bar: Internet Explorer Processes = Enabled
    • Scripted Window Security Restrictions: Process List = Enabled
    • Object Caching Protection: Internet Explorer Processes = Enabled
     
    Last edited by a moderator: Nov 1, 2011
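    Editor's note: the question raised earlier in the thread (posts #1 and #14) was whether these Group Policy settings can be applied on Windows editions that ship without gpedit.msc by writing the registry values directly. The PowerShell script below is an added example for that; it is not from the thread, from wat0114's spreadsheet, or from the MS baseline. It writes a subset of the post #19 list into the HKLM\SOFTWARE\Policies locations that Group Policy itself writes, then reads every value back and reports anything missing or different. The policy-name-to-value mapping (the Security_* names, the SecureProtocols bit mask, the numeric zone value IDs such as 1201 and 2500, and the FeatureControl keys) is mine and should be treated as an assumption: apply the same policy in gpedit.msc on a machine that has it and compare with a registry export before relying on it. The entry for Scripted Window Security Restrictions uses the "All Processes" form, as corrected later in the thread (post #21). The function names are hypothetical.

```powershell
# Added example, not from the thread or its spreadsheet. Writes part of the post #19
# IE 9 baseline directly as policy registry values and verifies them. Requires an
# elevated, 64-bit PowerShell (3.0 or later). The name -> value mapping below is the
# standard location IE reads for each policy; verify it against a gpedit.msc export.
$ErrorActionPreference = 'Stop'

$IS = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$IE = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer'
$FC = "$IE\Main\FeatureControl"
$Internet   = "$IS\Zones\3"   # zone 3 = Internet
$Restricted = "$IS\Zones\4"   # zone 4 = Restricted Sites
# Zone option values: 0 = Enable, 1 = Prompt, 3 = Disable. For 2500 (Protected Mode), 0 = on.

$Settings = @(
  # Security Zones: use only machine settings / no policy changes / no add or delete sites
  @{ Path = $IS; Name = 'Security_HKLM_only';      Value = 1 }
  @{ Path = $IS; Name = 'Security_options_edit';   Value = 1 }
  @{ Path = $IS; Name = 'Security_zones_map_edit'; Value = 1 }
  # Advanced page: revocation checking on; SSL 3.0 (32) + TLS 1.0 (128) + TLS 1.1 (512) + TLS 1.2 (2048)
  @{ Path = $IS; Name = 'CertificateRevocation';   Value = 1 }
  @{ Path = $IS; Name = 'SecureProtocols';         Value = 2720 }
  # Prevent ignoring certificate errors
  @{ Path = "$IE\Main"; Name = 'PreventIgnoreCertErrors'; Value = 1 }
  # Internet zone
  @{ Path = $Internet; Name = '1201'; Value = 3 }  # Initialize and script ActiveX not marked safe
  @{ Path = $Internet; Name = '1001'; Value = 1 }  # Download signed ActiveX = Prompt
  @{ Path = $Internet; Name = '1004'; Value = 3 }  # Download unsigned ActiveX = Disable
  @{ Path = $Internet; Name = '1406'; Value = 3 }  # Access data sources across domains = Disable
  @{ Path = $Internet; Name = '1C00'; Value = 0 }  # Java permissions = Disable Java
  @{ Path = $Internet; Name = '2500'; Value = 0 }  # Protected Mode on
  # Restricted Sites zone
  @{ Path = $Restricted; Name = '1200'; Value = 3 }  # Run ActiveX controls and plugins = Disable
  @{ Path = $Restricted; Name = '1400'; Value = 3 }  # Active scripting = Disable
  @{ Path = $Restricted; Name = '1803'; Value = 3 }  # File downloads = Disable
  @{ Path = $Restricted; Name = '2500'; Value = 0 }  # Protected Mode on
)
# Security Features: "Internet Explorer Processes" writes iexplore.exe and explorer.exe = 1;
# "All Processes" (the corrected Scripted Window Security Restrictions entry) writes '*' = 1.
foreach ($f in 'FEATURE_LOCALMACHINE_LOCKDOWN', 'FEATURE_MIME_SNIFFING',
               'FEATURE_RESTRICT_ACTIVEXINSTALL', 'FEATURE_RESTRICT_FILEDOWNLOAD',
               'FEATURE_SECURITYBAND', 'FEATURE_OBJECT_CACHING') {
  foreach ($p in 'iexplore.exe', 'explorer.exe') {
    $Settings += @{ Path = "$FC\$f"; Name = $p; Value = 1 }
  }
}
$Settings += @{ Path = "$FC\FEATURE_WINDOW_RESTRICTIONS"; Name = '*'; Value = 1 }

function Set-IEBaseline {
  # Registry.SetValue creates missing keys and treats the value name literally, which matters
  # for the '*' entry: the -Name parameter of *-ItemProperty would expand it as a wildcard.
  foreach ($s in $Settings) {
    [Microsoft.Win32.Registry]::SetValue($s.Path, $s.Name, [int]$s.Value,
                                         [Microsoft.Win32.RegistryValueKind]::DWord)
  }
}

function Test-IEBaseline {
  # Emits one object per setting that is missing or differs; no output means every value is in place.
  foreach ($s in $Settings) {
    $actual = [Microsoft.Win32.Registry]::GetValue($s.Path, $s.Name, $null)
    if ($actual -ne $s.Value) {
      [pscustomobject]@{ Path = $s.Path; Name = $s.Name; Expected = $s.Value; Actual = $actual }
    }
  }
}

Set-IEBaseline
Test-IEBaseline | Format-Table -AutoSize
```

    Two points worth knowing before running it. First, values under HKLM\SOFTWARE\Policies are what a Group Policy "Enabled" setting writes, and IE honours them ahead of the user's own choices under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings; with Security_HKLM_only set, the per-user zone keys are ignored altogether. That is also the practical answer to the Disabled-versus-Disable question later in the thread: setting a zone policy itself to Disabled writes no policy value at all (the user's own zone setting stays in force), whereas Enabled with the Disable option writes the value 3 and locks it. Second, the Policies key is shared between 32-bit and 64-bit IE on x64 Windows, which is why the thread observed the Group Policy settings applying to both browsers. On a domain-joined machine, a domain GPO covering the same settings will overwrite these values at the next refresh, so use a proper GPO there and keep this approach for stand-alone machines.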
  20. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Didn't you mean Scripted Window Security Restrictions: All Processes = enabled?

    That's what I see referenced in IE9 Security Guide documentation.
     
  21. wat0114

    wat0114 Guest

    Ahh, nothing escapes your keen eyesight, m00nbl00d :thumb: Thanks :) Indeed, it should be (and that's how it was): Scripted Window Security Restrictions: All Processes = enabled
     
  22. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I could spot an eagle!! Better yet, make it fleas on the eagle!! :D

    By the way, I'm wondering if there's any difference between disabling a policy by choosing Disabled, or activating it first and then choosing the option Disable among the three options Prompt, Activate or Disable?

    The templates only indicate Disable, but not which one. I believe that both ways are just different ways to achieve the same, which is to disable something. But, is there more to it? :doubt:
     
  23. wat0114

    wat0114 Guest

    The options are normally: Not configured, Enabled, or Disabled. Usually there's no difference between Not configured and Disabled.
     
  24. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Sorry, that's not what I meant. I'll try to clarify it.

    As you well say, there are usually three options: Not Configured, Disabled or Enabled, which I wrongly called Activated. :D

    But, there are some situations that Microsoft suggests to disable some policies and I'm wondering if they're talking about the Disabled option, or if they mean to set the policy to Enabled and then choose the option Disable (among Prompt, Enable or Disable)...

    I suppose there's no difference... but why have both options? If it's to disable, it's to disable.
     
  25. wat0114

    wat0114 Guest

    I see, I figured you meant something different :) TBH, I'm not really sure what MS means in these scenarios.
     