Images: How to run Internet Explorer securely

Here are the key configuration changes you can make to disable various features and reduce the attack surface in Microsoft's Internet Explorer. This guide provides a walk-through of IE 6.0 but applies to the latest IE 7.0 as well. (This guidance was prepared and distributed by Will Dorman, vulnerability analyst at Carnegie Mellon Software Engineering Institute CERT Coordination Center).
By Ryan Naraine, Contributor
1 of 10 Ryan Naraine/ZDNET
To get started, go to Tools > Internet Options. Please note that these options may vary slightly depending on your browser version.

2 of 10 Ryan Naraine/ZDNET
Click on the Security tab, which shows the various IE security zones.

For each of these zones, you can select a Custom Level of protection. By clicking the Custom Level button, you will see a second window open that permits you to select various security settings for that zone.

The Internet zone is where all sites initially start out. The security settings for this zone apply to all the web sites that are not listed in the other security zones. We recommend the High security setting be applied for this zone.

By selecting the High security setting, several features including ActiveX, Active scripting, and Java will be disabled. With these features disabled, the browser will be more secure.

Click the Default Level button and then drag the slider control up to High.

3 of 10 Ryan Naraine/ZDNET
You can click on the Custom Level button to get more granular control over what features are allowed in the zone.

Here you can control the specific security options that apply to the current zone.

Default values for the High security setting can be selected by choosing High and clicking the Reset button to apply the changes.

4 of 10 Ryan Naraine/ZDNET
Trusted sites is a security zone for web sites that you believe are securely designed and contain trustworthy content. To add or remove sites from this zone, you can click the "Sites" button (see next slide).

CERT/CC recommends that you set the security level for the Trusted sites zone to Medium. When the Internet Zone is set to High, you may encounter web sites that do not function properly due to one or more of the associated security settings.

This is where the Trusted sites zone can help. If you trust that the site will not contain malicious code, you can add it to the list of sites in the Trusted sites zone (see next slide).

Once a site is added to this zone, features such as ActiveX and active scripting will be enabled. The benefit of this type of configuration is that IE will be more secure by default, and sites can be “whitelisted” in the Trusted sites zone to gain extra functionality.

5 of 10 Ryan Naraine/ZDNET
When you click on the "Sites" button (previous slide), a new window pops up that lists the sites that you trust and permits you to add or remove sites.

You may also require that only sites with Secure Sockets Layer (SSL) implemented can be active in this zone.

This permits you to verify that the site you are visiting is the site that it claims to be.
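The zone settings above can be checked without clicking through the dialogs. The following read-only PowerShell audit is an added example, not part of the original CERT/CC guidance. It assumes the per-user settings under HKCU are in effect (no Group Policy override); the registry path and value codes come from Microsoft's documented zone layout, not from this guide.

```powershell
# Added example: read-only audit of the zone settings recommended in this guide.
# Assumption: per-user settings under HKCU apply (no Group Policy override).
$zonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Translate the stored CurrentLevel value into the slider position it represents.
function Get-LevelName([int]$Level) {
    switch ($Level) {
        0x10000 { 'Low' }
        0x10500 { 'Medium-low' }
        0x11000 { 'Medium' }
        0x11500 { 'Medium-high' }
        0x12000 { 'High' }
        default { 'Custom or unknown (0x{0:X})' -f $Level }
    }
}

# Zone 3 = Internet (recommended: High), zone 2 = Trusted sites (recommended: Medium).
$expected = @(
    @{ Zone = 3; Name = 'Internet';      Level = 0x12000 },
    @{ Zone = 2; Name = 'Trusted sites'; Level = 0x11000 }
)

foreach ($e in $expected) {
    $p = Get-ItemProperty -Path "$zonesKey\$($e.Zone)" -ErrorAction SilentlyContinue
    if (-not $p) { Write-Warning "Zone $($e.Zone) not found in registry"; continue }

    [pscustomobject]@{
        Zone     = $e.Name
        Current  = Get-LevelName $p.CurrentLevel
        Expected = Get-LevelName $e.Level
        Matches  = ($p.CurrentLevel -eq $e.Level)
    }

    if ($e.Zone -eq 3) {
        # Per-feature actions in the Internet zone: 3 = disabled for ActiveX and
        # Active scripting; Java permissions (1C00) use 0 for "Disable Java".
        [pscustomobject]@{
            ActiveXDisabled         = ($p.'1200' -eq 3)
            ActiveScriptingDisabled = ($p.'1400' -eq 3)
            JavaDisabled            = ($p.'1C00' -eq 0)
        }
    }
    else {
        # Flags bit 0x4 = "Require server verification (https:)" for this zone.
        [pscustomobject]@{ TrustedRequiresHttps = (($p.Flags -band 0x4) -ne 0) }
    }
}
```

A result of False marks a setting that differs from the recommendation; the script changes nothing.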

6 of 10 Ryan Naraine/ZDNET
In the Privacy tab, you can configure settings for cookies (text files placed on your computer to track your movements about the Web).

CERT/CC recommends that you select the Advanced button and select Override automatic cookie handling.

See next slide for instructions on how to configure this setting.

7 of 10 Ryan Naraine/ZDNET
Select Prompt for both first and third-party cookies. This will prompt you each time a site tries to place a cookie on your computer.

You can then evaluate the originating site, whether you wish to accept or deny the cookie, and what action to take in the future (always accept, always block, or continue to ask).

8 of 10 Ryan Naraine/ZDNET
By selecting the "Sites" button (go back two slides), you can manage the cookie settings for specific sites.

You can add or remove sites, and you can change the current settings for existing sites.

The bottom section of this window will specify the domain of the site and the action to take when that site wants to place a cookie on your computer.

You can use the upper section of this window to change these settings.

9 of 10 Ryan Naraine/ZDNET
In the Advanced tab, you can find default settings used by all zones.

The settings contained in the Multimedia section have features that you can adjust to protect against some potential vulnerabilities. For instance, attackers may be able to track your usage or exploit the software you use to play multimedia data.

CERT/CC recommends disabling the options to play sounds and videos by unchecking these boxes.

10 of 10 Ryan Naraine/ZDNET
Under the Programs tab, you can specify your default applications for viewing Web sites, e-mails, and other network-related tasks.

You can also prevent Internet Explorer from showing you a message asking to be your default Web browser.