April 5th, 2006, 09:54 PM
Malware prevention for IE
Ok... since my tutorial has been delayed again, I have decided to at least post something that can help prevent malware.
I don't know if this is a tutorial, or some kind of tips and tricks post... I really don't care. A mod can move it to wherever it's appropriate.
Simple ways to prevent malware and lock down IE.
(This assumes you run XP Pro and have NTFS as your filesystem, some or all of these things will work with other configurations, but I can only guarantee XP Pro with NTFS)
1. Remove execute permissions from the local settings folder for the non-admin account you surf the internet on.
Essentially, this tells Windows that it can't run any program located in any of the sub folders. There shouldn't be any programs in there, but malware has a tendency to end up downloaded and executed there. (This will not stop malware from being downloaded and stored, only the execution.)
This can be accomplished by navigating to C:\Documents and Settings\Your User Account\
The local settings folder is hidden, so you may have to go to Tools>>Folder Options>>View>> Show hidden files and Folders (This is a good idea to just have on)
Now, right click on the Local Settings folder, select properties, Security tab, and you can now change the permissions for that folder, and the sub folders within. (Keep in mind that sub folders will inherit permissions from the parent folder, so be careful about changing random folder attributes)
File and folder permissions for Windows XP
2. Disable ActiveX scripting in IE
This can be done through Tools>>Internet Options in IE.
This is an important menu when configuring IE, not only can you set up your basic security here, but you can also define zones, I will be getting to this shortly.
For now, go to the Security tab. Click on the Internet icon...And click on Custom Settings. This is where we can define our own security settings for IE, for sites we haven't specifically configured things for.
I myself disable everything having to do with ActiveX, although you may want to choose prompt for signed controls. This means that a digital signature from a "trusted" source says that it is safe. When it prompts you, it will tell you who signed it, and you can make your decision based on that.
Right underneath the ActiveX security options, I also disable both file and font downloads... But you can have it prompt you if you feel comfortable making the decision on your own, if not, just set both to disabled.
3. Miscellaneous security options in IE
While we are in the same dialog we set our ActiveX options in, scroll down and you will find another set of options.
Basically, I set everything to disable except for Software Channel Permissions, which is High Safety. And Submit Nonencrypted Form Data, which is Prompt.
4. Scripting Options
Still in the same dialog, the next group of settings we come to is Scripting Options.
Disable all 3 options.
5. User Authentication
Last option in the current dialog box is User Authentication... I just set this to ask me for username and password.
Now that we have configured the internet zone, it is time to look at trusted and restricted sites. The way I see it, every site needs to be restricted (as our settings for the internet zone show), until there is a serious need to trust it, such as http://housecall.trendmicro.com which is an online antivirus scanner that until recently, only used ActiveX (Now has a Java based scanner as well), and the Microsoft update site at http://update.microsoft.com
In which case, we simply click on Trusted, and follow the same routine we did the first time, giving the trusted sites the permissions they need.
Now, it's time to move on to the Privacy tab of the Internet Options dialog box.
Here, we can tell IE how to handle cookies. I use the High setting by default... and simply add custom rules for sites that I trust, by using the edit button on this dialog box. The edit button brings up a list of sites that you have set rules for, essentially saying either block all cookies or allow all cookies. Add sites and rules as necessary... For example, forums and the like, tend to need cookies.
If you would like to use a proxy, this can also be configured in the Internet Options dialog box. Tor is a common proxy, and is the basis for the settings I am going to give in this section. You will have to change the values based on your proxy.
Simply go to the Connections tab.
At the bottom, there is a box called LAN Settings, click the button.
Once in the LAN Settings dialog, click on the Use A Proxy Server For Your LAN option. This will allow you access to the proxy settings. On corporate networks, you may find a single proxy that handles all traffic, but we are not corporate, so we are going to configure individual proxies.
I always check the box for Bypass Proxy for Local Connections, as the proxy would interfere with connecting to the machines on my private network.
Now, we can configure the proxy.
Remember, this is based on Tor and may not apply to your proxy, so use some common sense, and if you don't know, please ask before you do something stupid.
Click on Advanced. This brings up a list of protocols, and allows you to either configure a specific proxy for all of them, or to just use a single proxy for everything.
Tor is a SOCKS proxy, and we will enter the information in the SOCKS area. 127.0.0.1 is the proxy address, and 9050 is the port.
Click ok.. to exit the menu, and ok to exit the previous menu.
9. The Advanced Tab
Here you will find a list of options that can either be enabled or disabled.
Most of them you can ignore, they will have no bearing on "security" per se... merely the appearance and behavior of IE.
The ones we need to disable (uncheck) are:
Install on Demand Internet Explorer
Install on Demand (other)
Now... we need to make sure that certain ones are checked... scroll down to the Security section at the bottom...
Make sure the following are checked:
Check for publisher's certificate revocation
Check for server certificate revocation
Use integrated Windows Authentication
Use SSL 2.0
Use SSL 3.0
Use TLS 1.0
Warn about invalid site certificates
Warn if changing between secure and not secure mode (not necessary, but most users won't notice the icon that shows a secure connection is in place)
Warn if forms submittal is being redirected.
Ok... that's all for now, I'll do a follow up later, but I have to attend to the baby for the moment.
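Added example, not part of the original post: a Python audit that checks an exported copy of the Internet zone's registry key against the choices made in steps 2, 4 and 5 above (ActiveX, downloads, scripting, user authentication). The registry path and the numeric URL action IDs do not appear in the post; they are the values Windows stores for these dialog options, and the export text is constructed sample data.

```python
import re

# Constructed sample: text of a `reg export` of the Internet zone key (zone 3).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000003
"1004"=dword:00000003
"1200"=dword:00000000
"1201"=dword:00000003
"1405"=dword:00000003
"1400"=dword:00000000
"1402"=dword:00000003
"1407"=dword:00000001
"1803"=dword:00000003
"1A00"=dword:00010000
'''

DISABLE, PROMPT = 3, 1   # 0 would mean "enable"
# URL action id -> (dialog label, values the post's settings allow)
POLICY = {
    "1001": ("Download signed ActiveX controls", {DISABLE, PROMPT}),
    "1004": ("Download unsigned ActiveX controls", {DISABLE}),
    "1200": ("Run ActiveX controls and plug-ins", {DISABLE}),
    "1201": ("Initialize/script ActiveX not marked safe", {DISABLE}),
    "1405": ("Script ActiveX marked safe for scripting", {DISABLE}),
    "1400": ("Active scripting", {DISABLE}),
    "1402": ("Scripting of Java applets", {DISABLE}),
    "1407": ("Allow paste operations via script", {DISABLE}),
    "1803": ("File download", {DISABLE, PROMPT}),
    "1604": ("Font download", {DISABLE, PROMPT}),
    "1A00": ("User authentication: prompt for name/password", {0x10000}),
}

def parse_zone(reg_text):
    """Return {action_id: int} for every four-hex-digit dword value."""
    pairs = re.findall(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})\s*$',
                       reg_text, re.M)
    return {name.upper(): int(val, 16) for name, val in pairs}

def audit_zone(reg_text):
    """List (action_id, label, found) for settings that differ from POLICY."""
    found = parse_zone(reg_text)
    return [(aid, label, found.get(aid))
            for aid, (label, ok) in POLICY.items()
            if found.get(aid) not in ok]

if __name__ == "__main__":
    for aid, label, val in audit_zone(SAMPLE_REG):
        print(aid, label, "missing" if val is None else hex(val))
```

A value reported as missing means the export had no per-user entry for that option, so the zone's default applies and should be checked in the dialog itself.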
April 6th, 2006, 02:57 PM
I shall move this to "Tips & Tricks" on the grounds that it is more permanent and less personal than a lot of "fixit" type posts. Also that is the other place apart from tutorials that you send people to have a look?
April 6th, 2006, 07:44 PM
I will be posting a followup to this as I mentioned earlier. I'll just stick it in this thread I guess.
April 7th, 2006, 08:00 AM
d0pp this is a very nice article that you have put together. Just wondering though, can some of these be implemented into other Windows OSes?
As I don't willingly use XP anymore on any of the machines here, thus I was interested in implementing or at least try to implement your suggestions into Windows 2000.
Other than that, the next installment to this should be a good read.
April 7th, 2006, 09:03 AM
Doppy said he would do it for XP SP2 and IE 6. I have agreed to test his suggestions on Win 2000 SP4.
We hadn't planned on looking at Win 9x, because AFAIK this only supports IE 5.5? and does not have the security features of NT based OSes.