Managing MSIE security in corporate networks by creating custom Security Zones

Patrick Chambet, Edelweb – ON-X Group


Page 1: Managing MSIE security in corporate networks by creating custom Security Zones

Managing MSIE security in corporate networks by creating custom Security Zones

Patrick Chambet
Edelweb – ON-X Group
[email protected]
http://www.edelweb.fr
http://www.chambet.com

Page 2: Managing MSIE security in corporate networks by creating custom Security Zones


Planning

- General points
- MSIE Security Zones creation and settings
- Conclusion

Page 3: Managing MSIE security in corporate networks by creating custom Security Zones


General Points (1/2)

- A lot of companies use Internet Explorer internally as their corporate Web browser
- They need to protect themselves against hostile code
  - Viruses
  - Worms
  - Hostile Web servers
  - Spyware

Page 4: Managing MSIE security in corporate networks by creating custom Security Zones


General Points (2/2)

- Companies need several policies, depending on the kind of browsed Web sites
  - Professional Web sites
  - “Tolerated” Web sites
  - “Forbidden” Web sites
- Which ActiveX are allowed in the company?
  - Flash player?
  - Media player?
  - Company-made ActiveX?

Page 5: Managing MSIE security in corporate networks by creating custom Security Zones


Planning

- General points
- MSIE Security Zones creation and settings
- Conclusion

Page 6: Managing MSIE security in corporate networks by creating custom Security Zones


MSIE Security Zones (1/8)

- IE security zones settings are stored in 2 locations in the Registry
  - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  - HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  - The settings are additive
  - Only custom Web sites in HKEY_CURRENT_USER are visible
- To use only computer settings
  - Set value Security_HKEY_LOCAL_MACHINE_only in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ (DWORD) to 1

Page 7: Managing MSIE security in corporate networks by creating custom Security Zones


MSIE Security Zones (2/8)

- Sub keys
  - TemplatePolicies
    - Settings of the default security zone levels (Low, Medium Low, Medium, High)
  - ZoneMap
    - Contains domains and protocols with custom behavior
  - Zones
    - Contains the zones settings

Page 8: Managing MSIE security in corporate networks by creating custom Security Zones


MSIE Security Zones (3/8)

- Built-in Zones
  - 0 My Computer
  - 1 Local Intranet Zone
  - 2 Trusted sites Zone
  - 3 Internet Zone
  - 4 Restricted Sites Zone
- Unhide the « My Computer » zone
  - Set value Flags in HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 to 71
- The Flags DWORD value determines the ability of the user to modify the security zone's settings

Page 9: Managing MSIE security in corporate networks by creating custom Security Zones


MSIE Security Zones (4/8)

- Proper security zone parameters are used locally for saved HTML pages
  - “Mark of the Web”
    <!-- saved from url=(0023)http://foo.example.com/ -->
    (0023) is the URL length
- The easiest way to create a new security zone
  - Export the closest zone (trusted / restricted) to a .reg file
  - Modify the zone number and some settings
    - Flags, icon, name, …
  - Import the .reg file
  - Use the GUI to customize your settings
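
The Mark of the Web comment shown on this slide, as an added Python example that is not part of the original presentation: it builds the comment for a URL and checks, for a saved page, whether the mark is present and whether its declared length matches the URL. The function names and the sample page are constructed for illustration.

```python
import re

# The "saved from url" comment as it appears on the slide: a 4-digit decimal
# length in parentheses, immediately followed by the URL the page came from.
MOTW_RE = re.compile(r"<!--\s*saved from url=\((\d{4})\)(\S+?)\s*-->", re.IGNORECASE)

# Constructed sample: a saved page carrying the mark shown on the slide.
SAMPLE_PAGE = (
    "<!DOCTYPE html>\n"
    "<!-- saved from url=(0023)http://foo.example.com/ -->\n"
    "<html><body>saved copy</body></html>\n"
)

def make_motw(url):
    """Build the comment for `url`; the prefix is the URL's character count."""
    if not 0 < len(url) <= 9999:
        raise ValueError("URL must be 1 to 9999 characters long")
    return "<!-- saved from url=(%04d)%s -->" % (len(url), url)

def check_motw(html):
    """Classify the first mark found in `html`.

    Returns (status, url) where status is "missing", "length-mismatch" or "ok".
    """
    m = MOTW_RE.search(html)
    if m is None:
        return ("missing", None)
    declared, url = int(m.group(1)), m.group(2)
    if declared != len(url):
        return ("length-mismatch", url)
    return ("ok", url)

if __name__ == "__main__":
    for label, page in [("sample", SAMPLE_PAGE), ("no mark", "<html></html>")]:
        print(label, check_motw(page))
```

Run over the HTML files of a share, `check_motw` lists the saved pages that carry no mark or a malformed one and therefore deserve a closer look.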

Page 10: Managing MSIE security in corporate networks by creating custom Security Zones


MSIE Security Zones (5/8)

[Figure: Before / After]
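
The export, renumber and import procedure described on page 9, as an added Python example that is not part of the original presentation: it rewrites the text of an exported zone into a `.reg` file for a new zone number. The sample export is constructed and abbreviated, zone number 5 and the name "Tolerated sites" are hypothetical, and the data 0x00010000 for the "Administrator approved" choice of action 1200 is taken from Microsoft's documentation of that action, not from the slides.

```python
import re

BUILT_IN_ZONES = range(0, 5)  # zones 0-4 are the built-in ones listed on page 8

# Constructed, abbreviated stand-in for an export of zone 2 (Trusted sites).
# A real regedit export is UTF-16 with CRLF line ends: decode it before use.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"DisplayName"="Trusted sites"
"Flags"=dword:00000047
"1200"=dword:00000000
'''

def clone_zone(reg_text, src, dst, name, dwords):
    """Return .reg text that defines zone `dst` from an export of zone `src`.
    `name` becomes the DisplayName; `dwords` maps value names such as "Flags"
    or "1200" to the integer data the new zone should carry.
    """
    if dst in BUILT_IN_ZONES:
        raise ValueError("zone numbers 0-4 are built in; choose a new number")
    text = reg_text.replace("\r\n", "\n")
    header = re.compile(r"^(\[HKEY_[^\]]*\\Zones\\)%d\]$" % src, re.MULTILINE)
    if not header.search(text):
        raise ValueError("export does not contain zone %d" % src)
    text = header.sub(lambda m: "%s%d]" % (m.group(1), dst), text)

    # .reg string data escapes backslashes and double quotes with a backslash.
    safe = name.replace("\\", "\\\\").replace('"', '\\"')
    text = re.sub(r'^"DisplayName"=".*"$', lambda m: '"DisplayName"="%s"' % safe,
                  text, flags=re.MULTILINE)
    pending = dict(dwords)
    def set_dword(m):
        key = m.group(1)
        if key in pending:
            return '"%s"=dword:%08x' % (key, pending.pop(key))
        return m.group(0)
    text = re.sub(r'^"([^"]+)"=dword:[0-9a-fA-F]{8}$', set_dword, text,
                  flags=re.MULTILINE)
    # Values the export lacked are appended (single-zone export assumed).
    for key, value in pending.items():
        text = text.rstrip("\n") + '\n"%s"=dword:%08x\n' % (key, value)
    return text

if __name__ == "__main__":
    # Hypothetical zone 5 "Tolerated sites": Flags 71 as on page 8, and action
    # 1200 set to 0x00010000, the "Administrator approved" setting.
    print(clone_zone(SAMPLE_EXPORT, 2, 5, "Tolerated sites",
                     {"Flags": 71, "1200": 0x00010000}))
```

Review the generated text before importing it, then finish the zone in the GUI as the procedure describes.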

Page 11: Managing MSIE security in corporate networks by creating custom Security Zones


MSIE Security Zones (6/8)

Page 12: Managing MSIE security in corporate networks by creating custom Security Zones


MSIE Security Zones (7/8)

- Administrator approved ActiveX
  - Check “Administrator approved” in “Run ActiveX controls and plug-ins” (value “1200”)
  - The approved controls are stored in HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls\
  - In the MMC
    - GPO editor snap-in
    - Local Computer Policy
    - User configuration

Page 13: Managing MSIE security in corporate networks by creating custom Security Zones


MSIE Security Zones (8/8)

Page 14: Managing MSIE security in corporate networks by creating custom Security Zones


Deployment

- IEAK
- GPO
  - User configuration/Windows settings/IE Maintenance/Security

Page 15: Managing MSIE security in corporate networks by creating custom Security Zones


Conclusion

- MSIE Security Zones in a corporate network can be customized to special needs depending on user working habits
- The overall IE security is increased
- But does not replace the security patch management process for IE

Page 16: Managing MSIE security in corporate networks by creating custom Security Zones


Links (1/2)

- Microsoft KB
  - Q182569
    http://support.microsoft.com/?kbid=182569
  - Q315933 (Local Machine zone)
    http://support.microsoft.com/?kbid=315933
    http://support.microsoft.com/?kbid=833633
  - Q240797 (ActiveX Compatibility: the Kill Bit)
    http://support.microsoft.com/?kbid=240797
- Microsoft Reskits
  - http://www.microsoft.com/resources/documentation/ie/6/all/reskit/en-us/part2/c04ie6rk.mspx
  - http://www.microsoft.com/resources/documentation/ie/5/all/reskit/en-us/part1/ch07zone.mspx

Page 17: Managing MSIE security in corporate networks by creating custom Security Zones


Links (2/2)

- Increase your browsing and e-mail safety
  - http://www.microsoft.com/security/incident/settings.mspx
- MSDN
  - URL Security Zones
    http://msdn.microsoft.com/library/en-us/dnanchor/html/anch_securityzones.asp
  - URL Security Zones Reference
    http://msdn.microsoft.com/library/default.asp?url=/workshop/security/szone/reference/urlzones_ref_entry.asp

Page 18: Managing MSIE security in corporate networks by creating custom Security Zones


Questions & Answers