Protect your network by customizing IE's desktop security settings

Consultants specializing in security use many sophisticated tools to protect their clients' networks. But an economical and simple first step is to customize Internet Explorer's security settings on the desktop. We'll show you how.

With so many options available to consultants who specialize in security, finding low-cost ways to secure a network could make you stand out, especially as more organizations scrutinize IT dollars. While things like firewalls and proxy servers can be important to building in network security, you can also focus other efforts on the desktop, including customizing your browser security settings to match your level of comfort.

In this article, I’ll look at securing the settings within the Miscellaneous, Scripting, and User Authentication sections on Internet Explorer (IE) as a way to address basic security concerns on your network.

Last in a series
This is the last of three articles in a series covering the security settings on Internet Explorer (IE). Our first installment explored customizing IE’s security zones to block harmful content from infiltrating your network. The second part focused on using IE's ability to filter content to block malicious code from outside sites.

All of the settings that we’ll discuss are custom-configurable. To access them, open IE and select Internet Options from the Tools menu, which will bring up the Internet Options properties sheet. Select the Security tab, click Custom Level, and scroll down to the beginning of the Miscellaneous settings. You’re now free to work with the configuration options we’ll cover here.

Access Data Sources Across Domains
At the top of the Miscellaneous security settings, you’ll find radio buttons that allow you to choose how to access data sources across domains. The way that you should configure this setting really depends on your company’s needs. As with most of the other IE security options, you can either enable it, disable it, or prompt the user to perform the action (Figure A).

Figure A

For example, if your users access a corporate intranet in which single pages pull data from multiple sources in different domains, you’ll need to enable this setting. Otherwise, I recommend disabling the setting or prompting the users.

Drag And Drop Or Copy And Paste Files
This option controls whether users are allowed to drag and drop or copy and paste files from a Web site to their local computer or to a network server. You may either enable or disable this capability or prompt the user to take the appropriate action (Figure B).

Figure B

As long as you’ve got virus protection in place, it’s fairly safe to enable this option—unless, of course, you work in a high-security environment. If you do need to prevent users from dragging and dropping or copying and pasting files from the Web, remember that—as with all of the other settings—this applies only to Web pages that fall within the security zone you’re modifying.

Installation Of Desktop Items
This setting controls whether or not users are allowed to install desktop objects from a Web page. By default, this option is set to prompt the user before installing a desktop item (Figure C).

Figure C

If desktop consistency is important in your organization, however, you might be better off disabling this option.

Launching Programs And Files In An IFRAME
This option controls whether a user will be able to download files or run applications from an IFRAME element on a Web page if that IFRAME element contains directory or folder references. (IFRAMEs work like the <IMG> tags on an HTML page, except an IFRAME houses another Web page, not an image.) You may enable or disable such actions or prompt the user (Figure D).

Figure D

Navigate Sub-frames Across Different Domains
This setting gives you the option to allow IE to display subframes that originated from different domains (Figure E). A subframe is a portion of a Web page that could function as a standalone page but has instead been incorporated into a larger page that may contain other subframes.

Figure E

You can enable or disable this option, or you may prompt the user. Having subframes that come from different domains, however, is generally harmless and so is permitted by default.

Software Channel Permissions
This setting refers to the way that software updates are distributed. As you probably know, many software packages attempt to automatically install the latest updates via the Web.

However, allowing automatic software updates can open the door to malicious code on your network. The Software Channel Permissions setting is set to Medium Safety by default (Figure F), which generally protects your system from such hazards.

Figure F

Set to medium safety, IE permits e-mail notifications of software updates and allows updates to be automatically downloaded, but it does require that such updates be manually installed.

Low safety permits—and high safety prevents—e-mail notifications, automatic downloads, and automatic installations.

Submit Nonencrypted Form Data
This option controls whether IE will allow form data to be sent to or from the Web server in an unencrypted format. Since encrypted form data is always allowed, this setting applies only to forms that aren’t sent with Secure Sockets Layer (SSL) encryption (Figure G).

Figure G

Userdata Persistence
Some Web pages attempt to save a small file to your computer that helps the Web site remember your personal information. While storing personal information on the local computer doesn’t constitute a security threat, the thought of a Web site writing files (other than cached data) to your hard drive can be a bit unnerving. You can choose to enable or disable this feature based on your own needs and level of personal paranoia, but prompting the user isn’t an option with this setting (Figure H).

Figure H

Within the Scripting section are additional script security settings that control the way scripts are allowed to behave (Figure I).

Figure I

Active Scripting
In the context of IE security, Active Scripting simply refers to IE’s ability to run scripts found on pages within the “zone” you're visiting.

Allow Paste Operations Via Script
This option controls whether a script found on a Web page is allowed to copy (or cut) and paste information using the Windows clipboard. Unless your company has a specific need for copying and pasting, I strongly recommend disabling this setting.

During the last few months, for example, I’ve encountered a number of Web sites that use copying and pasting as a way of altering your system’s settings. In my case, my antivirus software intercepted some of these operations, but I’ve found that it’s more effective to simply disable such operations at the browser level rather than to blindly trust your antivirus software to intercept such operations.

Scripting Of Java Applets
This setting determines whether a script on a Web page should be allowed to interact with a Java applet. Again, you can either enable, disable, or prompt the user before allowing a script to access Java applets.

User Authentication
Logon is the only setting in the User Authentication section. The Logon setting (Figure J) controls the way that HTTP authentication is handled. This setting gives you four choices: Anonymous Logon, Automatic Logon Only In Intranet Zone, Automatic Logon With Current Username And Password, and Prompt For User Name And Password.

Figure J

If you choose Anonymous Logon, IE will disable HTTP authentication and rely solely on the Web server’s Guest account for access to a site’s resources.

The Automatic Logon Only In Intranet Zone option allows your machine to attempt to log in to Web sites that fall within the intranet zone. If the user attempts to access a Web site that requires authentication, and that site falls outside of the intranet zone, then the user will be prompted for a username and password.

The options for Automatic Logon With Current Username And Password and Prompt For User Name And Password are pretty self-explanatory. One note: The current username and password option works only if the Web server to which you’re connected supports NT Challenge/Response. If NT Challenge/Response is unsupported, the user will be prompted for a username and password, just as if the machine were set to use the Prompt For User Name And Password option.

Consistency is key
As you implement these settings, remember that the only way to truly secure your network is to be consistent. Therefore, consider implementing identical settings on the vast majority, if not all, of the workstations in your organization.
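One way to check that consistency without walking from desk to desk is to compare each workstation's zone settings against a baseline. The script below is an added example, not part of this article: it reads the Internet Explorer zone values that the Custom Level dialog writes to the registry (the value names and their meanings are those Microsoft documents for IE security zones) and reports any that differ from an expected set. It assumes the settings live under HKCU, that is, that Security_HKLM_only has not been set, and the baseline values marked as placeholders are constructed for illustration rather than taken from the article.

```powershell
# Added example, not part of the article: report which Custom Level settings in one IE
# security zone differ from a baseline. Reads the per-user zone key under HKCU; assumes
# the zone settings have not been moved to HKLM (Security_HKLM_only is not set).
param([int]$Zone = 3)  # 0=My Computer 1=Local intranet 2=Trusted sites 3=Internet 4=Restricted

# Registry value names IE uses for the settings this article covers.
$Names = @{
    '1406' = 'Access data sources across domains';     '1802' = 'Drag and drop or copy and paste files'
    '1800' = 'Installation of desktop items';          '1804' = 'Launching programs and files in an IFRAME'
    '1607' = 'Navigate sub-frames across domains';     '1E05' = 'Software channel permissions'
    '1601' = 'Submit non-encrypted form data';         '1606' = 'Userdata persistence'
    '1400' = 'Active scripting';                       '1407' = 'Allow paste operations via script'
    '1402' = 'Scripting of Java applets';              '1A00' = 'Logon'
}

# Sample Internet-zone baseline. Where the article gives a recommendation it is used;
# the remaining values are placeholders for your own policy. Most actions take
# 0=Enable, 1=Prompt, 3=Disable; 1E05 and 1A00 use 0x00010000 steps instead.
$Baseline = @{
    '1406' = 3           # disable unless the intranet pulls data across domains
    '1802' = 0           # enable, relying on antivirus coverage
    '1800' = 1           # prompt (the default); use 3 if desktop consistency matters
    '1804' = 1           # placeholder
    '1607' = 0           # permitted by default
    '1E05' = 0x00020000  # medium safety: notify and download, but install manually
    '1601' = 1           # placeholder
    '1606' = 0           # placeholder
    '1400' = 1           # placeholder
    '1407' = 3           # disable scripted clipboard access
    '1402' = 1           # placeholder
    '1A00' = 0x00020000  # automatic logon only in the Intranet zone
}

function Test-IEZoneBaseline {
    param([int]$ZoneId, [hashtable]$Expected)
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$ZoneId"
    $actual = Get-ItemProperty -Path $key -ErrorAction Stop
    foreach ($name in $Expected.Keys) {
        $current = $actual.$name          # $null when the value is absent
        if ($null -eq $current -or $current -ne $Expected[$name]) {
            $shown = if ($null -eq $current) { 'missing' } else { '0x{0:X8}' -f $current }
            [pscustomobject]@{ Setting = $Names[$name]; Value = $name
                               Expected = ('0x{0:X8}' -f $Expected[$name]); Actual = $shown }
        }
    }
}

$drift = Test-IEZoneBaseline -ZoneId $Zone -Expected $Baseline
if ($drift) { $drift | Format-Table -AutoSize } else { "Zone $Zone matches the baseline." }
```

Run it with `-Zone 1` to audit the Local intranet zone instead; a value reported as missing means the zone is still using the built-in default for that action rather than an explicit Custom Level choice.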

How do you handle securing a large number of desktops?
As a consultant or network administrator, have you ever modified browser security settings in an attempt to lock down a network? Have you gone office to office or have you used a tool like Microsoft’s Internet Explorer Administration Kit? Post your comments or send us an e-mail.