
Securing Web Browser Software

Although the same general principles apply to every browser, each of the popular Web browser programs has a slightly different way to configure its security options. To illustrate the settings available, we'll look at how to make changes in IE 7 and how to turn off the features that attackers most often exploit. For information on securing other browsers, visit their individual Web sites and refer to the browser documentation to determine which options are available and how to configure them. The Web sites for other popular browsers include:

  • Konqueror www.konqueror.org
  • Mozilla Firefox www.mozilla.com/en-US/firefox/
  • Mozilla Suite www.mozilla.org/products/mozilla1.x
  • Netscape http://browser.netscape.com
  • Opera www.opera.com/support/tutorials/security

Securing Microsoft IE

Securing Microsoft IE involves three steps: applying the latest updates and patches, modifying a few settings, and practicing careful surfing. Microsoft routinely releases IE-specific security patches, so it is important to visit the Windows Update site regularly, either at http://windowsupdate.microsoft.com or by clicking the Windows Update item on IE's Tools menu. As mentioned earlier in this tutorial, this constant flow of patches reflects both defects in the code itself and the focused attention attackers pay to Microsoft products. In spite of that attention, IE can still serve as a relatively secure Web browser when it is configured correctly.

The second step is to configure IE for secure surfing. Users can do this through Internet Options, which is reachable from the Windows Control Panel or from the Internet Options item on IE's Tools menu. Properly adjusting the default settings on the Security, Privacy, Content, and Advanced tabs improves IE security significantly.

Zones are defined on the Security tab. A zone is nothing more than a named collection of Web sites (from the Internet or a local intranet) that is assigned a specific security level. IE uses zones to express how much a site is trusted, and therefore how much it is allowed to do on the system. The dialog offers four security zone options (a fifth, the Local Machine or My Computer zone, exists in the registry but is not shown in the dialog):

  • Internet Contains all sites not assigned to other zones.
  • Local Intranet Contains all sites within the local intranet or on the local system. The OS maintains this zone automatically.
  • Trusted Sites Contains only sites manually added to this zone. Users should add only fully trusted sites to this zone.
  • Restricted Sites Contains only sites manually added to this zone. Users should add any sites that are specifically not trusted or that are known to be malicious to this zone.

Each zone is assigned one of the predefined security levels, or a custom level can be created. The predefined levels are offered on a slider with up to five positions, each with a description of what content will be downloaded or run under that level. Not every zone offers every level. The possible settings are:

  • Low, which provides the least security: all active content can run, and most content is downloaded and run without prompts. It should be used only for sites that are absolutely trusted.
  • Medium-Low, which is the default setting for the Local intranet zone, and provides the same security as the Medium level except that users aren't prompted.
  • Medium, which is the default level for Trusted Sites and the lowest setting available for the Internet zone. Unsigned ActiveX content isn't downloaded, and the user is prompted before potentially unsafe content is downloaded.
  • Medium-High, which is the default setting for the Internet zone and is suitable for most Web sites. Unsigned ActiveX content isn't downloaded, and the user is prompted before potentially unsafe content is downloaded.
  • High, which is the default level for Restricted Sites and the only level available for that zone. It is the most restrictive setting: the less secure features (ActiveX, scripting, and similar active content) are disabled.

Custom security levels can be defined to fit the security requirements of an environment exactly. There are numerous individual controls governing how ActiveX, downloads, Java, data management, data handling, scripting, and logon are handled. The most secure configuration is to set all zones to the High security level. Keep in mind, however, that increased security means less functionality: many sites that depend on scripting or ActiveX will not work at High, which is why the Trusted Sites zone exists for the few sites that genuinely need it.
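Everything the Security tab sets is stored per user in the registry, which is where an administrator audits or scripts it rather than clicking through the dialog on each machine. The following PowerShell script is an added example, not code from the original tutorial or from Microsoft: it reports the slider level and a handful of URL actions for all five zones (zone 0, My Computer, exists in the registry but is not shown in the dialog), tightens selected actions in the Internet and Restricted Sites zones without ever loosening one, and maps a host to a zone the way the Sites button does. The zone numbers, level constants and action codes are IE's own; the choice of which actions to tighten, the function names and the host www.example.com are this example's assumptions.

```powershell
# Added example (not part of the original tutorial): audit and harden IE
# security zones through the per-user registry values that the Security tab
# writes. Zone numbers, level constants and URL action codes are IE's own;
# which actions to tighten is this example's choice.
# Caveat: matching values under HKCU:\Software\Policies\Microsoft\Windows\
# CurrentVersion\Internet Settings\Zones (Group Policy) take precedence.
$ZonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneMapKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

$ZoneName  = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$LevelName = @{ 0x10000 = 'Low'; 0x10500 = 'Medium-Low'; 0x11000 = 'Medium'; 0x11500 = 'Medium-High'; 0x12000 = 'High' }

# URL actions are DWORD values named by hex code under each zone key.
# For the actions below the data means 0 = Enable, 1 = Prompt, 3 = Disable.
$ActionName = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1400' = 'Active scripting'
    '1402' = 'Scripting of Java applets'
    '2500' = 'Protected Mode (IE 7 on Windows Vista only)'
}

function Get-RegValue($Path, $Name) {
    # Returns $null for a missing key or value instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function ConvertTo-ActionText($Value) {
    if ($Value -eq $null) { return '(not set)' }
    switch ($Value) { 0 { return 'Enable' } 1 { return 'Prompt' } 3 { return 'Disable' } }
    return ('0x{0:X}' -f $Value)
}

function Get-IEZoneReport {
    # One object per zone: slider level plus the state of each audited action.
    foreach ($zone in 0..4) {
        $key   = "$ZonesKey\$zone"
        $level = Get-RegValue $key 'CurrentLevel'
        $levelText = if ($level -ne $null -and $LevelName.ContainsKey([int]$level)) { $LevelName[[int]$level] } else { 'Custom/unknown' }
        $actions = @{}
        foreach ($code in ($ActionName.Keys | Sort-Object)) {
            $actions[$ActionName[$code]] = ConvertTo-ActionText (Get-RegValue $key $code)
        }
        New-Object PSObject -Property @{ Zone = "$zone ($($ZoneName[$zone]))"; Level = $levelText; Actions = $actions }
    }
}

function Set-IEZoneHardening {
    # Tighten the Internet (3) and Restricted Sites (4) zones. IE enforces the
    # per-action values, not the slider value, so only actions are written and
    # the Security tab may then show the zone as Custom. An action is written
    # only when the current value is looser (for these codes 0 < 1 < 3 in
    # strictness), so a zone already at High is never weakened.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([int[]] $Zones = @(3, 4))
    $policy = @{ '1001' = 1; '1004' = 3; '1201' = 3; '1402' = 3 }   # this example's policy
    foreach ($zone in $Zones) {
        $key = "$ZonesKey\$zone"
        if ($PSCmdlet.ShouldProcess("zone $zone ($($ZoneName[$zone]))", 'Apply hardened URL actions')) {
            foreach ($code in $policy.Keys) {
                $current = Get-RegValue $key $code
                if ($current -eq $null -or [int]$current -lt $policy[$code]) {
                    Set-ItemProperty -Path $key -Name $code -Value $policy[$code] -Type DWord
                }
            }
        }
    }
}

function Add-IESiteToZone {
    # Map a host to a zone as the Sites button does. IE keys the map as
    # Domains\<domain>\<subdomain>; value name = URL scheme, data = zone number.
    # Simplification: the registrable domain is assumed to be the last two labels.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $HostName,
        [Parameter(Mandatory = $true)] [ValidateSet(1, 2, 4)] [int] $Zone,
        [string] $Scheme = 'https'
    )
    $labels = $HostName.ToLower().Split('.')
    if ($labels.Count -le 2) { $key = "$ZoneMapKey\$HostName" }
    else { $key = "$ZoneMapKey\$($labels[-2..-1] -join '.')\$($labels[0..($labels.Count - 3)] -join '.')" }
    if ($PSCmdlet.ShouldProcess("$Scheme://$HostName", "Assign to zone $Zone ($($ZoneName[$Zone]))")) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name $Scheme -Value $Zone -Type DWord
    }
}

# Report current state; the Set-/Add- functions support -WhatIf for a dry run.
Get-IEZoneReport | Format-List
# Set-IEZoneHardening -WhatIf
# Add-IESiteToZone -HostName 'www.example.com' -Zone 4 -WhatIf
```

Run it as the user whose profile is being configured. Two caveats worth remembering: values set by Group Policy under the Software\Policies hive override these per-user ones, and on Windows Vista IE 7 runs the Trusted Sites zone with Protected Mode off, so every host promoted into that zone is rendered by a less constrained browser process.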

The Privacy tab defines how IE manages personal information through cookies. It offers a slider with six settings ranging from full disclosure to complete isolation. A "compact privacy policy" in the descriptions below is the machine-readable P3P summary a site sends in its P3P response header; IE compares it against the chosen level to decide whether to accept, restrict (downgrade to a session cookie), or block a cookie. These settings apply only to the Internet zone, and include the following levels:

  • Accept All Cookies, which allows cookies from any Web site to be saved on the computer, and any cookies already on the computer to be read by the sites that created them.
  • Low, which restricts third-party cookies that don't have a compact privacy policy, and restricts third-party cookies that save information that can be used to contact you without your implicit consent.
  • Medium, which is the default level. It blocks third-party cookies that don't have a compact privacy policy, blocks third-party cookies that save information that can be used to contact you without your implicit consent, and restricts first-party cookies that save information that can be used to contact you without your implicit consent.
  • Medium-High, which blocks third-party cookies that don't have a compact privacy policy, blocks third-party cookies that save information that can be used to contact you without your explicit consent, and blocks first-party cookies that save information that can be used to contact you without your implicit consent.
  • High, which blocks all cookies that don't have a compact privacy policy, and blocks cookies that save information that can be used to contact you without your explicit consent.
  • Block All Cookies, in which all cookies are blocked, and any cookies already on the computer can't be read by Web sites.

In addition to the slider settings, IE 7 has an Advanced button that opens the Advanced Privacy Settings dialog box, where custom settings can override automatic cookie handling. These custom settings also apply only to the Internet zone; they let you specify whether first-party and third-party cookies are accepted, blocked, or prompted for, and whether session cookies are always allowed. The Sites button lets you name individual Web sites whose cookies are always allowed or always blocked regardless of the slider position. Blocking all cookies is the most secure configuration, but it is also the least functional: many Web sites will not work properly, and some will not even let users in when cookies are disabled.

The Content tab gives access to the certificates that IE trusts and accepts. If a certificate was accepted that the administrator no longer trusts, it can be located in this store and removed. Entries under Trusted Root Certification Authorities deserve particular care, because a root certificate is trusted for every site whose certificate chains to it.

The Content tab also gives access to IE's AutoComplete capability. This feature is useful in many circumstances, but when it is used to remember user names and passwords for Internet sites it becomes a security risk: anyone who can act as that Windows user, including malware running in the user's session, can reach the stored credentials. The most secure configuration turns AutoComplete off for user names and passwords, disables prompting to save passwords, and clears the password cache that has already been saved.

On the Advanced tab, several security-specific controls appear at the bottom of a lengthy list of functional controls, under the Security heading. These controls include the following (and more):

  • Check for certificate revocation
  • Do not save encrypted pages to disk
  • Empty Temporary Internet Files folder when browser is closed
  • Use SSL 2.0, Use SSL 3.0, and Use TLS 1.0 (IE 7 ships with SSL 2.0 turned off; leave it off, since the protocol has known design weaknesses, and keep TLS 1.0 enabled)
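The Privacy, Content and Advanced tab options above likewise map to per-user registry values, so a machine's state can be checked without opening Internet Options. The PowerShell below is an added example rather than code from the tutorial: it reports the Advanced-tab security switches and the AutoComplete password options, applies the most-secure choices the text recommends (refusing outright to enable SSL 2.0), and maintains the Privacy tab's per-site always-allow/always-block cookie list. Registry value names and the SecureProtocols bit layout are IE's own; the target values, the function names, the treatment of IntelliForms\Storage2 as the saved-password cache, and the 1/5 encoding of per-site cookie actions are stated from IE's behaviour as this example understands it and should be confirmed against a setting made once through the dialog.

```powershell
# Added example (not part of the original tutorial): audit and apply the
# per-user registry values behind the Privacy (per-site cookie list),
# Content (AutoComplete) and Advanced tab options discussed above.
# Value names are IE's; the target values are this example's recommendation.
$InetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$MainKey = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$P3PKey  = "$InetKey\P3P\History"   # Privacy tab, Sites button: per-site cookie actions

# SecureProtocols is a bitmask. IE 7's built-in default is 0xA0 (SSL 3.0 + TLS 1.0);
# the TLS 1.1 and TLS 1.2 bits are honored only by later IE/Schannel versions.
$ProtoBit = @{ 'SSL 2.0' = 0x08; 'SSL 3.0' = 0x20; 'TLS 1.0' = 0x80; 'TLS 1.1' = 0x200; 'TLS 1.2' = 0x800 }

function Get-RegValue($Path, $Name) {
    # Returns $null for a missing key or value instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Get-IEAdvancedSecurity {
    # Raw state of the audited switches. $null means the value is not set
    # explicitly, so IE's built-in default for that option applies.
    $mask = Get-RegValue $InetKey 'SecureProtocols'
    if ($mask -eq $null) { $mask = 0xA0 }
    $enabled = foreach ($name in ($ProtoBit.Keys | Sort-Object)) { if ($mask -band $ProtoBit[$name]) { $name } }
    @{
        'Enabled protocols'                    = ($enabled -join ', ')
        'CertificateRevocation (1 = check)'    = Get-RegValue $InetKey 'CertificateRevocation'
        'DisableCachingOfSSLPages (1 = on)'    = Get-RegValue $InetKey 'DisableCachingOfSSLPages'
        'Cache\Persistent (0 = empty on exit)' = Get-RegValue "$InetKey\Cache" 'Persistent'
        'WarnOnBadCertRecving (1 = warn)'      = Get-RegValue $InetKey 'WarnOnBadCertRecving'
        'FormSuggest Passwords (yes/no)'       = Get-RegValue $MainKey 'FormSuggest Passwords'
        'FormSuggest PW Ask (yes/no)'          = Get-RegValue $MainKey 'FormSuggest PW Ask'
    }
}

function Set-IEAdvancedSecurity {
    # Apply the tutorial's most-secure choices. The default mask keeps only
    # TLS 1.0 (the newest protocol IE 7 speaks); pass -Protocols to add SSL 3.0
    # if legacy servers force it. The SSL 2.0 bit is rejected unconditionally.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([int] $Protocols = 0x80)
    if ($Protocols -band $ProtoBit['SSL 2.0']) { throw 'Refusing to enable SSL 2.0' }
    if (-not $PSCmdlet.ShouldProcess('HKCU Internet Settings', 'Apply hardened Advanced/AutoComplete settings')) { return }
    Set-ItemProperty -Path $InetKey -Name 'SecureProtocols'          -Value $Protocols -Type DWord
    Set-ItemProperty -Path $InetKey -Name 'CertificateRevocation'    -Value 1 -Type DWord
    Set-ItemProperty -Path $InetKey -Name 'DisableCachingOfSSLPages' -Value 1 -Type DWord
    Set-ItemProperty -Path $InetKey -Name 'WarnOnBadCertRecving'     -Value 1 -Type DWord
    Set-ItemProperty -Path "$InetKey\Cache" -Name 'Persistent'       -Value 0 -Type DWord
    # Content tab: stop offering to store credentials, then discard what is stored.
    # Assumption: IE 7 keeps saved (DPAPI-encrypted) form credentials under IntelliForms\Storage2.
    Set-ItemProperty -Path $MainKey -Name 'FormSuggest Passwords' -Value 'no' -Type String
    Set-ItemProperty -Path $MainKey -Name 'FormSuggest PW Ask'    -Value 'no' -Type String
    Remove-Item -Path 'HKCU:\Software\Microsoft\Internet Explorer\IntelliForms\Storage2' -Recurse -ErrorAction SilentlyContinue
}

function Set-IECookieSiteAction {
    # Privacy tab, Sites button: always allow or always block cookies from a domain.
    # Assumed encoding, as recorded by the dialog: 1 = Always Allow, 5 = Always Block.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)] [string] $Domain,
          [Parameter(Mandatory = $true)] [ValidateSet('Allow', 'Block')] [string] $Action)
    if ($PSCmdlet.ShouldProcess($Domain, "Cookies: always $Action")) {
        if (-not (Test-Path $P3PKey)) { New-Item -Path $P3PKey -Force | Out-Null }
        $data = if ($Action -eq 'Allow') { 1 } else { 5 }
        Set-ItemProperty -Path $P3PKey -Name $Domain.ToLower() -Value $data -Type DWord
    }
}

# Report current state; the Set- functions support -WhatIf for a dry run.
Get-IEAdvancedSecurity
# Set-IEAdvancedSecurity -WhatIf
# Set-IECookieSiteAction -Domain 'example.com' -Action Block -WhatIf
```

Running the audit function before and after a change made through the dialog is the quickest way to confirm which value each checkbox maps to on a given IE build.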