10 IE Browser Settings for Safer Surfing

Here are 10 essential security settings from Zscaler Senior Security Engineer Jeff Forristal, plus tips from other experts

Ask a room full of security practitioners for a list of security settings that'll make Internet Explorer (IE) safe to use and you'll either hear laughter or advice to get a new browser like Mozilla Firefox, Opera, Safari or Google Chrome.

Even as Microsoft has worked diligently to improve security in its troubled browser, especially in IE7 and the newly released IE8, security pros simply don't trust it. Most have turned to alternative browsers, especially Firefox. [See: Microsoft Releases IE8, Stresses Security]

But the intoxication security pros find in Firefox and the other alternatives comes with a big hangover. When one wakes up from an evening of online adventuring on one of the alternative browsers, the painful reality is that one will never be able to get away from IE completely. The obvious reason is that IE is so tightly integrated into the Windows operating system, though some industry voices have called on Microsoft to divorce it from the OS. [See: Security Expert: Microsoft Should Sever IE from Windows]

"We aren't going to be able to get away from IE in the corporate world anytime soon," said Christopher Mendlik, a threat analyst at Wachovia. Besides the tight integration with Windows, there's the simple reality that some business applications will only work when used in IE. At CSOonline and other media outlets, for example, the programs used to post content online tend to be allergic to non-IE browsers.

Those who have no choice but to use IE have turned to a number of coping mechanisms.

Mendlik chooses to lock down IE with group policies, stay on top of new patches and deploy content filtering on a proxy/firewall with real-time blacklists. He also monitors internal and outgoing connections like a hawk for any unusual activity.

Thomas Evans, a Cleveland-based network security administrator, suggested installing Sandbox for IE, which allows users to run any program in a "sandbox" and confine any damage done to the sandbox and virtual registry. "When the [browsing] session is over, you can delete everything associated with it safely. If you do get something via drive-by it won't get out to do damage," he said.

In addition to these measures, CSOonline went in search of 10 essential security settings to make an online ride on the IE bandwagon safer. Here's a list of 10 provided by Jeff Forristal, a senior security engineer with cloud security vendor Zscaler:

1. Disable XPS documents

XPS documents are a new image format that was introduced in Vista, Forristal said. Attackers have been having a field day exploiting image/document formats and parsers, so the fewer formats your browser supports, the better.

Tools/Internet Options/Security tab/Internet zone/Custom Level/XPS Documents: disable.

Downside: This can affect simple XPS document viewing, but you can get a standalone XPS viewer from MS that doesn't require IE, he said.

2. Disable font download

Tools/Internet Options/Security tab/Internet zone/Custom Level/Font download: disable.

Websites can offer to have your browser install an appropriate font file in order to display international characters correctly when viewing a Web page. This is, however, just another file format and attack vector that could harbor unknown/undiscovered vulnerabilities, Forristal said. If you don't tend to browse websites outside your normal language, then you really don't need this.

Downside: It might make some Web pages slightly less pretty, but Forristal said they will still be usable.

3. Disable inclusion of local file directory path when uploading files to a server

Tools/Internet Options/Security tab/Internet zone/Custom Level/Include local file directory path when uploading files to a server: disable.

Whenever you upload a file to a Web server (such as an image to your blog or Flickr account), the browser has the choice of sending just the file name or the entire file path, even though the website only needs the file name, Forristal said. This results in a mild privacy concern because the file path can include identifying information such as your computer's login account name. Sending "c:\Users\jforristal\Pictures\blog.gif" exposes my username "jforristal," he noted.

Downside: No obvious negatives.

4. Disable prompting if you are prone to just clicking "yes"

Tools/Internet Options/Security tab/Internet zone/Custom Level/(various).

Many of the semi-security options in the zone security tab have "Prompt" set by default, which means to ask you what to do. If you are prone to always selecting "yes" whenever a popup box is presented to you (note: not a good habit!), you can remove the temptation by simply switching all the "Prompt" options to "Disable." This is usually safe if you don't find yourself being prompted for much anyway.

Downside: No obvious negatives.

5. Always prompt for username and password

Tools/Internet Options/Security tab/Internet zone/Custom Level/User Authentication/Logon: Prompt for username and password.

For home users and others using computers that are not in a business environment that uses Active Directory, there is no advantage to having auto-logon enabled, since there is practically nothing you would want to auto-logon to out on the Internet, he said. Normally IE will limit this auto-logon behavior to sites in the Intranet zone, but what if an attacker can trick IE into thinking a website is in a different zone? No point in taking that risk for a feature you don't need anyway, he said.

Downside: No obvious negatives.

6. Disable SSL 2.0 support

Tools/Internet Options/Advanced tab/Use SSL 2.0: unchecked.

SSL2 has long been declared insecure, and the regulators of financial institutions consider it unsuitable for use, Forristal noted. Any website in the world that only supports SSL2 and nothing newer (SSL3, TLS) is either up to no good or probably so old that it's full of vulnerabilities, making it prone to being compromised by a hacker and thus up to no good anyway.

Downside: No obvious negatives.

7. Enable TLS support

Tools/Internet Options/Advanced tab/Use TLS 1.0: checked.

TLS is the evolution of SSL, offering more security enhancements and extensions than SSL3. Its use is warranted, and thus this feature should be enabled.

Downside: No obvious negatives.

8. Disable searching from the URL bar

Tools/Internet Options/Advanced tab/Search from the address bar: Do not search from the address bar.

Forristal personally doesn't like the idea of every cut-and-paste error, typo, and other item entered into the URL bar being automatically sent off to search engines as search terms. There is the possibility of an information disclosure situation happening. Hence this suggestion.

Downside: No obvious negatives.

9. Disable unnecessary add-ons

Tools/Internet Options/Programs tab/Manage Add-ons button.

There are a lot of third-party tools that hook themselves into your browser. Each one technically is a way for an attacker to potentially hack you, and as such, you want to disable as many of them as possible, Forristal said.

Downside: Unfortunately it's not always obvious what should be left alone and what should be disabled, Forristal said.

But users should peruse the list to see if anything jumps out as something no longer needed. For example, he asked, "Do you no longer use Skype after giving it a try a few months ago? Then you can safely disable the Skype browser add-on."

10. Uninstall old Java installations

[Vista] Start Menu/Control Panel/Programs and Features.

For some strange reason, new versions of Java sometimes install completely new versions rather than upgrade the old versions. This can be problematic because an attacker can still potentially utilize the old versions, and those could harbor security flaws fixed in the newer versions. So Forristal suggests checking your installed applications list, scrolling down to 'Java' and keeping the highest listed version number while removing the rest. "While you're in there, it's also a good time to browse the list and remove anything else you don't use anymore -- again, less attack surface overall," he said.

Downside: No obvious negatives.

"Most of the options above, with the exception of uninstalling old Java versions, can safely be undone by just changing a checkbox or radio button value," Forristal said. "So it's OK to experiment and try these settings; if any give you a problem, just revert and things are back to normal."
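The article gives each setting as a path through the Internet Options dialog, which is the right way to change them on a single PC. Anyone responsible for more than one machine usually wants to know whether the settings are actually in place, and the following read-only audit script is an added example for that purpose; it is not from the article or from Forristal. It assumes, as the editor's own mapping rather than anything the article states, that IE stores the Internet zone's Custom Level options as DWORD values under the zone 3 registry key (where most actions use 0 = Enable, 1 = Prompt, 3 = Disable, and Logon uses its own encoding), that the SSL/TLS checkboxes are bits in the SecureProtocols value, and that installed Java entries appear under the standard Uninstall keys; confirm these value names against Microsoft's documentation of the Internet Explorer zone registry entries for your IE build. It only reports; in a domain, Mendlik's approach of enforcing the values through Group Policy is the way to apply them.

```powershell
# Added audit script, not part of the original article. Read-only: it reports
# whether the current user's Internet-zone, protocol and Java-install state
# matches the values recommended in items 1-7 and 10 above.
# ASSUMPTIONS (editor's, not the article's): the registry locations below and the
# mapping of zone value names to Custom Level options follow Microsoft's documented
# Internet Explorer zone registry entries; confirm them on your IE build.

$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'  # 3 = Internet zone
$inetPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Most zone actions encode 0 = Enable, 1 = Prompt, 3 = Disable.
# Logon (1A00) is different: 0x10000 = prompt for user name and password.
$zoneChecks = @(
    @{ Name = '2401'; Setting = 'XPS documents (item 1)';                                Want = 3 },
    @{ Name = '1604'; Setting = 'Font download (item 2)';                                Want = 3 },
    @{ Name = '160A'; Setting = 'Include local directory path on upload (item 3)';       Want = 3 },
    @{ Name = '1A00'; Setting = 'Logon: prompt for user name and password (item 5)';     Want = 0x10000 }
)

# Reads one DWORD value, or $null when the key or value is absent.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

# Items 1, 2, 3 and 5: compare each zone action with the recommended value.
function Test-ZoneSettings {
    foreach ($c in $zoneChecks) {
        $have = Get-RegValue -Path $zonePath -Name $c.Name
        $current = if ($null -eq $have) { '(not set)' } else { '0x{0:X}' -f $have }
        [pscustomobject]@{
            Setting = $c.Setting
            Current = $current
            Wanted  = '0x{0:X}' -f $c.Want
            OK      = ($have -eq $c.Want)
        }
    }
}

# Item 4: list every zone action still set to 1 (Prompt) so it can be reviewed.
# Heuristic only: a few actions use other encodings, so treat this as a review list.
function Get-PromptingActions {
    $props = Get-ItemProperty -Path $zonePath -ErrorAction SilentlyContinue
    if ($null -eq $props) { return @() }
    $props.PSObject.Properties |
        Where-Object { $_.Name -match '^[0-9A-F]{4}$' -and $_.Value -eq 1 } |
        ForEach-Object { $_.Name }
}

# Items 6 and 7: SecureProtocols is a bit mask; 8 = SSL 2.0, 32 = SSL 3.0, 128 = TLS 1.0.
function Test-SecureProtocols {
    $mask = Get-RegValue -Path $inetPath -Name 'SecureProtocols'
    if ($null -eq $mask) { $mask = 0 }
    $ssl2 = (($mask -band 8) -ne 0)     # item 6 wants $false
    $tls10 = (($mask -band 128) -ne 0)  # item 7 wants $true
    [pscustomobject]@{
        Mask         = '0x{0:X}' -f $mask
        Ssl2Enabled  = $ssl2
        Tls10Enabled = $tls10
        OK           = ((-not $ssl2) -and $tls10)
    }
}

# Item 10: list installed Java entries, highest version first, so that only the
# top entry is kept and the rest are removed through Programs and Features.
function Get-JavaInstalls {
    $uninstallKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '^Java' } |
        Select-Object DisplayName, DisplayVersion |
        Sort-Object DisplayVersion -Descending
}

Test-ZoneSettings | Format-Table -AutoSize
Write-Host 'Zone actions still set to Prompt (item 4):' ((Get-PromptingActions) -join ', ')
Test-SecureProtocols | Format-List
Write-Host 'Installed Java entries (item 10), highest version first:'
Get-JavaInstalls | Format-Table -AutoSize
```

Run it in the user's own session, because the zone values live under HKCU and a per-user Group Policy can shadow what the dialog shows. Items 8 and 9 (address-bar search and add-ons) are deliberately left out: their state is not captured by a single registry value, so the dialog paths in the article remain the reliable way to check them.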

Copyright © 2009 IDG Communications, Inc.
