Protection at the Network Level
For network administrators, the place to start is by reviewing the different security settings available through the network OS, such as:
- Options such as security zones and SSL protocols, which place limits on controls.
- Access to the CodeBaseSearchPath value in the system Registry, which controls where the system looks when it attempts to download ActiveX controls.
- The Internet Explorer Administration Kit (IEAK), which can be used to define and dynamically manage ActiveX controls. IEAK can be downloaded from Microsoft's Web site at www.microsoft.com/technet/prodtechnol/ie/ieak/default.mspx.
Although all of these are useful, administrators should also consider implementing a firewall if they have not already done so. Some firewalls can monitor and selectively filter the invocation and downloading of ActiveX controls and some cannot, so administrators must be aware of the capabilities of the firewall they choose.
Protection at the Client Level
One of the most important things to do as an end user is to keep the OS, all its components, and the virus detection software current. Download and install the most current security patches and virus updates on a regular basis. Another option for end users, as well as administrators, is the security zone settings available in IE, Outlook, and Outlook Express. These are valuable security tools that should be used to their fullest potential.
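As an added example (not code from the tutorial), the following PowerShell script audits on a client the two settings discussed above: the CodeBaseSearchPath value and the Internet-zone ActiveX policies. The registry paths and the policy value IDs (1001, 1004, 1200, 1201) are the standard Internet Explorer "Internet Settings" locations, which the page itself does not quote, so treat them as an assumption to verify against your own systems.

```powershell
# Added audit example (not from the tutorial). Registry paths below are the
# standard IE "Internet Settings" locations; verify them on your own build.
$inetSettings = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
$zoneRoot     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# --- 1. CodeBaseSearchPath: where IE looks when asked to download a control ---
$searchPath = (Get-ItemProperty -Path $inetSettings -Name CodeBaseSearchPath `
               -ErrorAction SilentlyContinue).CodeBaseSearchPath
if (-not $searchPath) {
    Write-Output 'CodeBaseSearchPath not set (IE defaults apply).'
} else {
    foreach ($entry in ($searchPath -split ';')) {
        if ($entry -eq 'CODEBASE') {
            # The CODEBASE token lets any page name its own download URL via
            # <OBJECT CODEBASE=...>. Removing it confines downloads to the
            # servers listed explicitly here (e.g. an internal repository).
            Write-Output 'REVIEW: CODEBASE token present - controls may be fetched from any Web page.'
        } elseif ($entry) {
            Write-Output "Download source: $entry"
        }
    }
}

# --- 2. Internet zone (zone 3) ActiveX policies: 0 = Enable, 1 = Prompt, 3 = Disable ---
$activeXPolicies = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
}
$zone = Get-ItemProperty -Path "$zoneRoot\3" -ErrorAction SilentlyContinue
foreach ($id in ($activeXPolicies.Keys | Sort-Object)) {
    $value = $zone.$id
    if ($null -eq $value) {
        $state = 'not set'
    } else {
        $state = switch ($value) { 0 { 'Enable' } 1 { 'Prompt' } 3 { 'Disable' } default { "unknown ($value)" } }
    }
    # Anything set to Enable in the Internet zone runs without a prompt and deserves a second look.
    $flag = if ($value -eq 0) { 'REVIEW' } else { 'ok' }
    Write-Output ('{0,-6} {1,-60} {2,-8} (value {3})' -f $flag, $activeXPolicies[$id], $state, $id)
}
```

Where zone policies are enforced by Group Policy, the effective values live under the corresponding HKLM path rather than HKCU, so adjust $zoneRoot accordingly.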
End users should exercise extreme caution when prompted to download or run an ActiveX control. They should also make sure that they disable ActiveX controls and other scripting languages in their e-mail applications, which is a measure that is often overlooked. A lot of people think that if they do not use a Microsoft e-mail application, they are safe. But if an e-mail client is capable of displaying HTML pages, chances are they are just as vulnerable using it as they would be using Outlook Express.
Developers have the most important responsibility. They control the first line of defense against ActiveX vulnerability. They must stay current on the tools available to assist in securing the software. They must always consider the risks involved in writing mobile code, follow good software engineering practices, and be extra careful to avoid common coding problems and easily exploited coding mistakes. But most importantly, they must use good judgment and common sense and test, test, test before releasing the code to the public. Remember, after signing it and releasing it, it is fair game.
NOTE: Hackers can usually find some creative way to trick a user into clicking on a seemingly safe link or opening an e-mail with a title like "In response to your comments." Once a Web page is loaded in the browser, or an e-mail is opened or previewed in the e-mail software, scripts, components, and applets in the HTML document can be downloaded, loaded into memory, and run. If the code is malicious and designed to exploit a vulnerability, any number of issues (including running remote code) may occur. It is important to be wary of e-mail from unknown users or Web pages that seem to be legitimate, to have the latest service patches installed to resolve vulnerability issues, and to make sure that security software on the computer (including antivirus software) is up to date.