Securing Web Browser Software
Although the same general principles apply, each of the popular Web browser programs has a slightly different method for configuring its security options. To illustrate some of the settings available in a browser, we'll look at how to make changes in IE 7, and see how to turn off features that allow security holes to be exploited. To find information on how to secure other browsers available on the Internet, you can visit their individual Web sites and refer to the browser documentation to determine which options are available and how to configure them properly. The Web sites for other popular browsers include:
- Konqueror www.konqueror.org
- Mozilla Firefox www.mozilla.com/en-US/firefox/
- Mozilla Suite www.mozilla.org/products/mozilla1.x
- Netscape http://browser.netscape.com
- Opera www.opera.com/support/tutorials/security
Securing Microsoft IE
Securing Microsoft IE involves applying the latest updates and patches, modifying a few settings, and practicing intelligent surfing. Microsoft routinely releases IE-specific security patches, so it is important to visit the Windows Update site regularly. You can visit this site at http://windowsupdate.microsoft.com, or by clicking the Windows Update menu item on IE's Tools menu. As we mentioned earlier in this tutorial, this constant flow of patches is due both to oversights by the programmers who wrote the code and to the focused attacks on Microsoft products by the malevolent cracker community. In spite of this negative attention, IE can still be employed as a relatively secure Web browser, provided it is configured correctly.
The second step is to configure IE for secure surfing. Users can do this through Internet Options, which can be opened from the Windows Control Panel or from the Internet Options item on IE's Tools menu. If the default settings are properly altered on the Security, Privacy, Content, and Advanced tabs, IE security is improved significantly.
Zones are defined on the Security tab. A zone is nothing more than a named collection of Web sites (from the Internet or a local intranet) that can be assigned a specific security level. IE uses zones to define the threat level a specific Web site poses to the system. IE offers four security zone options:
- Internet: contains all sites not assigned to other zones.
- Local Intranet: contains all sites within the local intranet or on the local system. The OS maintains this zone automatically.
- Trusted Sites: contains only sites manually added to this zone. Users should add only fully trusted sites to this zone.
- Restricted Sites: contains only sites manually added to this zone. Users should add any sites that are specifically not trusted or that are known to be malicious to this zone.
Each zone is assigned a predefined security level, or a custom level can be created. The predefined security levels are offered on a slide controller with up to five settings, each with a description of the content that will be downloaded under particular conditions. The possible settings are:
- Low, which provides the least security: it allows all active content to run, and most content to be downloaded and run without prompts. With this setting there is minimal security for users, so it should only be used with sites that are explicitly trusted.
- Medium-Low, which is the default setting for the Local intranet zone, and provides the same security as the Medium level except that users aren't prompted.
- Medium, which is the default level for Trusted Sites, and the lowest setting available for the Internet zone. Unsigned ActiveX content isn't downloaded, and the user is prompted before downloading potentially unsafe content.
- Medium-High, which is the default setting for the Internet zone, as it is suitable for most Web sites. Unsigned ActiveX content isn't downloaded, and the user is prompted before downloading potentially unsafe content.
- High, which is not only the default level for Restricted Sites but the only level available for that zone. It is the most restrictive setting and leaves the fewest security features disabled.
Custom security levels can be defined to exactly fit the security restrictions of an environment. There are numerous individual security controls governing how ActiveX, downloads, Java, data management, data handling, scripting, and logon are handled. The most secure configuration is to set all zones to the High security level. However, keep in mind that increased security means less functionality and capability.
The Privacy tab defines how IE manages personal information through cookies. The Privacy tab offers a slide controller with six settings ranging from full disclosure to complete isolation. These settings apply only to the Internet zone; the two extremes are:
- Accept All Cookies, which allows cookies from any Web site to be saved on the computer, and any cookies already on the computer to be read by the sites that created them.
- Block All Cookies, in which all cookies are blocked, and any cookies already on the computer can't be read by Web sites.
The Content tab gives access to the certificates that are trusted and accepted by IE. If a certificate has been accepted that the administrator no longer trusts, the administrator can browse this store and remove it.
The Content tab also gives access to IE's AutoComplete capability. This feature is useful in many circumstances, but when it is used to remember usernames and passwords for Internet sites, it becomes a security risk. The most secure configuration requires that AutoComplete be turned off for usernames and passwords, that prompting to save passwords be disabled, and that the current password cache be cleared.
On the Advanced tab, several security-specific controls are included at the bottom of a lengthy list of functional controls. These security controls include the following (and more):
- Check for certificate revocation
- Do not save encrypted pages to disk
- Empty Temporary Internet Files folder when browser is closed
- Use SSL 2.0, SSL 3.0, and TLS 1.0 settings
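The zone security levels and the Advanced-tab controls described above can be audited without opening the dialog, because IE stores them under the user's Internet Settings registry key. The following PowerShell script is an added example (not from the tutorial) that reads those values and reports whether each zone is at High and which SSL/TLS protocols are enabled; the zone numbers, CurrentLevel codes, and SecureProtocols bit values it uses are Microsoft's documented IE registry conventions, not facts stated on this page, and should be checked against your IE build.

```powershell
# Added example, not from the tutorial: read-only audit of the IE settings discussed
# above, read from the per-user registry keys where IE stores them.
# Assumption: zone numbers, CurrentLevel codes and SecureProtocols bits follow
# Microsoft's documented IE registry layout (verify against your IE build).
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Zone number -> name as shown on the Security tab (zone 0, My Computer, is hidden)
$zoneNames  = @{ 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
# CurrentLevel DWORD -> slider position; any other value means a Custom level
$levelNames = @{ 0x10000 = 'Low'; 0x10500 = 'Medium-Low'; 0x11000 = 'Medium'; 0x11500 = 'Medium-High'; 0x12000 = 'High' }
# SecureProtocols bitmask -> the protocol check boxes listed on the Advanced tab
$protocolBits = [ordered]@{ 'SSL 2.0' = 0x08; 'SSL 3.0' = 0x20; 'TLS 1.0' = 0x80 }

function Get-IEZoneLevels {
    # One row per zone: its slider level and whether it meets the "all zones High" recommendation
    foreach ($n in 1..4) {
        $zone  = Get-ItemProperty -Path "$base\Zones\$n" -ErrorAction SilentlyContinue
        $level = $zone.CurrentLevel
        $name  = 'not set'
        if ($null -ne $level) {
            if ($levelNames.ContainsKey([int]$level)) { $name = $levelNames[[int]$level] }
            else { $name = 'Custom (0x{0:X})' -f $level }
        }
        [pscustomobject]@{ Zone = $zoneNames[$n]; Level = $name; IsHigh = ($level -eq 0x12000) }
    }
}

function Get-IEAdvancedSecurity {
    # Advanced-tab items from the text that map to single registry values
    $s    = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue
    $mask = $s.SecureProtocols
    $enabled = 'not set (IE defaults apply)'
    if ($null -ne $mask) {
        $enabled = ($protocolBits.Keys | Where-Object { $mask -band $protocolBits[$_] }) -join ', '
    }
    [pscustomobject]@{
        ProtocolsEnabled       = $enabled
        SSL2Allowed            = ($null -ne $mask) -and (($mask -band 0x08) -ne 0)  # obsolete protocol; want $false
        CheckCertRevocation    = ($s.CertificateRevocation -eq 1)       # "Check for certificate revocation"
        NoEncryptedPagesOnDisk = ($s.DisableCachingOfSSLPages -eq 1)    # "Do not save encrypted pages to disk"
    }
}

Get-IEZoneLevels       | Format-Table -AutoSize
Get-IEAdvancedSecurity | Format-List
```

Run it in the context of the user whose browser you are checking, since these are HKCU values; any zone not reporting High, or a report of SSL 2.0 allowed, is a deviation from the most secure configuration described above.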