Windows 7 Resource Kit- P20

Shared by: Thanh Cong | Date: | File type: PDF | Pages: 50

HOW IT WORKS

Buffer Overflow Attacks

A buffer overflow (also known as a buffer overrun) occurs when an application attempts to store too much data in a buffer, and memory not allocated to the buffer is overwritten. A particularly crafty attacker can even provide data that instructs the operating system to run the attacker's malicious code with the application's privileges.

One of the most common types of buffer overflows is the stack overflow. To understand how this attack is used, you must first understand how applications normally store variables and other information on the stack. Figure 20-11 shows a simplified example of how a C console application might store the contents of a variable on the stack. In this example, the string "Hello" is passed to the application and is stored in the variable argv[1]. In the context of a Web browser, the input would be a URL instead of the word "Hello."

    C:\test Hello

    #include <string.h>

    void sub(const char* input);

    int main(int argc, char* argv[])
    {
        if (argc > 1)
            sub(argv[1]);       /* the first command-line parameter is passed to sub() */
        return 0;
    }

    void sub(const char* input)
    {
        char buf[10];           /* 10-character array stored on the stack */
        strcpy(buf, input);     /* unbounded copy: input longer than buf overflows it */
    }

[Figure 20-11: stack diagram. From top to bottom the stack holds the variable buf ("Hello"), the variable input ("Hello") and the main() return address (0x00420331); arrows labelled "Populate return address", "Populate input" and "Populate buf" show the order in which they are written.]

FIGURE 20-11 A simple illustration of normal stack operations

Notice that the first command-line parameter passed to the application is ultimately copied into a 10-character array named buf. While the program runs, it stores information temporarily on the stack, including the return address where processing should continue after the subroutine has completed and the variable that is passed to the subroutine. The application works fine when fewer than 10 characters are passed to it. However, passing more than 10 characters will result in a buffer overflow.

[Improvements Previously Introduced in Internet Explorer 7, Chapter 20, page 903]
Figure 20-12 shows that same application being deliberately attacked by providing input longer than 10 characters. When the line strcpy(buf, input); is run, the application attempts to store the string "hello-aaaaaaaa0066ACB1" into the 10-character array named buf. Because the input is too long, the input overwrites the contents of other information on the stack, including the stored address that the program will use to return control to main(). After the subroutine finishes running, the processor returns to the address stored in the stack. Because it has been modified, execution begins at memory address 0x0066ACB1, where the attacker has presumably stored malicious code. This code will run with the same privilege as the original application. After all, the operating system thinks the application called the code.

    C:\test hello-aaaaaaaa0066ACB1

[Figure 20-12: the same program as Figure 20-11 with the longer input. The stack diagram shows buf holding "Hello-aaaa", the variable input overwritten with "aaaaa" and the main() return address overwritten with 0x0066ACB1; the arrow is labelled "Overflow buf, overwrite input, and return address".]

FIGURE 20-12 A simplified buffer overflow attack that redirects execution

Address Bar Visibility

Attackers commonly rely on misleading users into thinking they are looking at information from a known and trusted source. One way attackers have done this in the past is to hide the true URL information and domain name from users by providing specially crafted URLs that appear to be from different Web sites.

[Chapter 20: Managing Windows Internet Explorer, page 904]
To help limit this type of attack, all Internet Explorer 7 and later browser windows now require an address bar. Attackers often have abused valid pop-up window actions to display windows with misleading graphics and data as a way to convince users to download or install their malware. Requiring an address bar in each window ensures that users always know more about the true source of the information they are seeing.

Cross-Domain Scripting Attack Protection

Cross-domain scripting attacks involve a script from one Internet domain manipulating content from another domain. For example, a user might visit a malicious page that opens a new window containing a legitimate page (such as a banking Web site) and prompts the user to enter account information, which is then extracted by the attacker. Internet Explorer 7 helps to deter this malicious behavior by appending the domain name from which each script originates and by limiting that script's ability to interact only with windows and content from that same domain.

These cross-domain scripting barriers help ensure that user information remains in the hands of only those to whom the user intentionally provides it. This new control will further protect against malware by limiting the potential for a malicious Web site to manipulate flaws in other Web sites and initiate the download of some undesired content to a user's computer.

Controlling Browser Add-ons

Browser add-ons can add important capabilities to Web browsers. Unreliable add-ons can also reduce browser stability, however. Even worse, malicious add-ons can compromise private information. Internet Explorer 7 provides several enhancements to give you control over the add-ons run by your users. The sections that follow describe these enhancements.

INTERNET EXPLORER ADD-ONS DISABLED MODE

Internet Explorer 7 includes the No Add-ons mode, which allows Internet Explorer to run temporarily without any toolbars, ActiveX controls, or other add-ons.
Functionality in this mode reproduces that of manually disabling all add-ons in the Add-on Manager, and it is very useful if you are troubleshooting a problem that might be related to an add-on. To disable add-ons using the Add-ons Disabled mode, follow these steps:

1. Open the Start menu and point to All Programs.
2. Point to Accessories, click System Tools, and then click Internet Explorer (No Add-ons).
3. Note the Information bar display in your browser indicating that add-ons are disabled, as shown in Figure 20-13.
FIGURE 20-13 You can disable add-ons to troubleshoot Internet Explorer problems.

Running Internet Explorer from the standard Start menu shortcut will return the functionality to its prior state.

ADD-ON MANAGER IMPROVEMENTS

The Add-on Manager provides a simple interface that lists installed add-ons, add-ons that are loaded when Internet Explorer starts, and all add-ons that Internet Explorer has ever used. By reviewing these lists, you can determine which add-ons are enabled or disabled and disable or enable each item by simply clicking the corresponding item. To disable specific add-ons, follow these steps:

1. In your browser, open the Tools menu, select Manage Add-ons, and then click Enable Or Disable Add-ons.
2. Click the Show list and select the set of add-ons that you want to manage.
3. Select the add-on that you want to disable, as shown in Figure 20-14, and then click Disable.
4. Click OK to close the Manage Add-ons dialog box.

In troubleshooting scenarios, disable add-ons one by one until the problem stops occurring.

CONTROLLING ADD-ONS USING GROUP POLICY

As with earlier versions of Internet Explorer, you can use the Group Policy settings in User Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management to enable or disable specific add-ons throughout your organization.
FIGURE 20-14 The Manage Add-ons dialog box makes it easy to disable problematic add-ons.

Protecting Against Data Theft

Most users are unaware of how much personal, traceable data is available with every click of the mouse while they browse the Web. The extent of this information continues to grow as browser developers and Web site operators evolve their technologies to enable more powerful and convenient user features. Similarly, most online users are likely to have trouble discerning a valid Web site from a fake or malicious copy. As described in the following sections, Internet Explorer provides several features to help give users the information they need to determine whether a site is legitimate.

Security Status Bar

Although many users have become quite familiar with Secure Sockets Layer (SSL) and its associated security benefits, a large proportion of Internet users remain overly trusting that any Web site asking for their confidential information is protected. Internet Explorer 7 addresses this issue by providing clear and prominent visual cues to the safety and trustworthiness of a Web site.

Previous versions of Internet Explorer place a gold padlock icon in the lower-right corner of the browser window to designate the trust and security level of the connected Web site. Given the importance and inherent trust value associated with the gold padlock, Internet Explorer 7 and later versions display a Security Status bar at the top of the browser window to highlight such warnings. By clicking this lock, users can quickly view the Web site identification information, as shown in Figure 20-15.
FIGURE 20-15 The gold lock that signifies the use of SSL is now more prominent.

In addition, Internet Explorer displays a warning page before displaying a site with an invalid certificate, as shown in Figure 20-16.

FIGURE 20-16 Internet Explorer warns users about invalid certificates.

Finally, if a user continues on to visit a site with an invalid certificate, the address bar, shown in Figure 20-17, now appears on a red background.

FIGURE 20-17 The red background leaves no doubt that the site's SSL certificate has a problem.
Phishing

Phishing—a technique used by many malicious Web site operators to gather personal information—is the practice of masquerading online as a legitimate business to acquire private information, such as social security numbers or credit card numbers. These fake Web sites, designed to look like the legitimate sites, are referred to as spoofed Web sites. The number of phishing Web sites is constantly growing, and the Anti-Phishing Working Group received reports of more than 10,000 different phishing sites in August 2006 that were attempting to hijack 148 different Web sites.

NOTE For more information about the Anti-Phishing Working Group, visit http://www.antiphishing.org/.

Unlike direct attacks, in which attackers break into a system to obtain account information, a phishing attack does not require technical sophistication but instead relies on users willingly divulging information, such as financial account passwords or social security numbers. These socially engineered attacks are among the most difficult to defend against because they require user education and understanding rather than merely issuing an update for an application. Even experienced professionals can be fooled by the quality and details of some phishing Web sites as attackers become more experienced and learn to react more quickly to avoid detection.

HOW THE SMARTSCREEN FILTER WORKS

Phishing and other malicious activities thrive on lack of communication and limited sharing of information. To effectively provide anti-phishing warning systems and protection, the new SmartScreen filter in Internet Explorer 8 consolidates the latest industry information about the ever-growing number of fraudulent Web sites spawned every day in an online service that is updated several times an hour. SmartScreen feeds this information back to warn and help protect Internet Explorer 8 customers proactively.
SmartScreen is designed around the principle that an effective early-warning system must ensure that information is derived dynamically and updated frequently. This system combines client-side scanning for suspicious Web site characteristics with an opt-in Phishing Filter that uses three checks to help protect users from phishing:

- Compares addresses of Web sites a user attempts to visit with a list of reported legitimate sites stored on the user's computer
- Analyzes sites that users want to visit by checking those sites for characteristics common to phishing sites
- Sends Web site addresses to a Microsoft online service for comparison to a frequently updated list of reported phishing sites

The service checks a requested URL against a list of known, trusted Web sites. If a Web site is a suspected phishing site, Internet Explorer 8 displays a yellow button labeled Suspicious Website in the address bar. The user can then click the button to view a more detailed warning.
If a Web site is a known phishing site, Internet Explorer 8 displays a warning with a red status bar. If the user chooses to ignore the warnings and continue to the Web site, the status bar remains red and prominently displays the Phishing Website message in the address bar, as shown in Figure 20-18.

FIGURE 20-18 Internet Explorer can detect phishing Web sites and warn users before they visit them.

Internet Explorer first checks a Web site against a legitimate list (also known as an allow list) of sites stored on your local computer. This legitimate list is generated by Microsoft based on Web sites that have been reported as legitimate. If the Web site is on the legitimate list, the Web site is considered safe, and no further checking is done. If the site is not on the legitimate list or if the site appears suspicious based on heuristics, Internet Explorer can use two techniques to determine whether a Web site might be a phishing Web site:

- Local analysis  Internet Explorer examines the Web page for patterns and phrases that indicate it might be a malicious site. Local analysis provides some level of protection against new phishing sites that are not yet listed in the online list. Additionally, local analysis can help protect users who have disabled online lookup.
- Online lookup  Internet Explorer sends the URL to Microsoft, where it is checked against a list of known phishing sites. This list is updated regularly.

When you use SmartScreen to check Web sites automatically or manually (by selecting SmartScreen Filter from the Tools menu and then clicking Check This Website), the address of the Web site you are visiting is sent to Microsoft (specifically, to https://urs.microsoft.com, using TCP port 443), together with some standard information from your computer such as IP address, browser type, and SmartScreen version number.
To help protect your privacy, the information sent to Microsoft is encrypted using SSL and is limited to the domain and path of the Web site. Other information that might be associated with the address, such as search terms, data you enter in forms, or cookies, will not be sent.
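The check order described above (local allow list, then online lookup of a URL reduced to its domain and path, then local heuristics) as an added example; this is a model written for this page, not Internet Explorer's code, and the allow list, phishing list, suspicious phrases and URLs in it are constructed for the illustration:

```python
# Added example (not from the Resource Kit or Internet Explorer): a model of the
# SmartScreen phishing-check flow described above. All lists and URLs are constructed.
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-ins for the locally stored legitimate list and the
# Microsoft-hosted list of reported phishing sites.
LOCAL_ALLOW_LIST = {"www.bing.com", "www.contoso.com"}
ONLINE_PHISHING_LIST = {"http://login-c0ntoso.example/verify"}
SUSPICIOUS_PHRASES = ("verify your account", "confirm your password")


def strip_for_lookup(url):
    """Reduce a URL to scheme, host and path. The query string, fragment,
    user info and port are dropped before anything leaves the computer."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.hostname or "", parts.path, "", ""))


class SmartScreenModel:
    def __init__(self, online_lookup_enabled=True):
        self.online_lookup_enabled = online_lookup_enabled
        self.sent = []                 # what a real client would transmit (audit trail)
        self._checked_hosts = set()    # one request per domain within a period

    def local_analysis(self, page_text):
        """Heuristic scan of page content for phrases common on phishing pages."""
        text = page_text.lower()
        return any(phrase in text for phrase in SUSPICIOUS_PHRASES)

    def online_lookup(self, url):
        """Simulate the online service: only the stripped URL is 'sent', and a
        domain is looked up only once per period."""
        stripped = strip_for_lookup(url)
        host = urlsplit(stripped).hostname
        if host not in self._checked_hosts:
            self._checked_hosts.add(host)
            self.sent.append(stripped)
        return stripped in ONLINE_PHISHING_LIST

    def check(self, url, page_text=""):
        """Return 'safe', 'phishing', 'suspicious' or 'unknown'."""
        host = urlsplit(url).hostname or ""
        if host in LOCAL_ALLOW_LIST:
            return "safe"          # on the legitimate list: no further checking
        if self.online_lookup_enabled and self.online_lookup(url):
            return "phishing"      # known phishing site: red status bar
        if self.local_analysis(page_text):
            return "suspicious"    # heuristics only: yellow Suspicious Website button
        return "unknown"
```

The `sent` list is what to inspect when auditing what such a client would disclose: only the stripped form of a URL ever appears there, and only once per domain.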
NOTE Looking up a Web site in the online Phishing Filter can require transferring 8 KB of data or more. Most of the 8 KB is required to set up the encrypted HTTPS connection. The Phishing Filter will send a request only once for each domain you visit within a specific period of time. However, a single Web page can have objects stored in multiple servers, resulting in multiple requests. Requests for different Web pages require separate HTTPS sessions.

For example, if you visit the Bing search Web site at http://www.bing.com and enter MySecret as the search term, instead of sending the full address http://www.bing.com/search?q=MySecret&FORM=QBLH, SmartScreen removes the search term and only sends http://www.bing.com/search. Address strings might unintentionally contain personal information, but this information is not used to identify you or contact you. If users are concerned that an address string might contain personal or confidential information, users should not report the site. For more information, read the Internet Explorer 8 privacy statement at http://www.microsoft.com/windows/internet-explorer/privacy.aspx.

DIRECT FROM THE SOURCE

Real-Time Checking for Phishing Sites

Rob Franco, Lead Program Manager
Federated Identity Group

Readers asked why we decided to use real-time lookups against the anti-phishing server as opposed to an intermittent download list of sites in the way that an antispyware product might. We included real-time checking for phishing sites because it offers better protection than using only static lists and avoids overloading networks. SmartScreen does have an intermittently downloaded list of "known-safe" sites, but we know phishing attacks can strike quickly and move to new addresses, often within a 24- to 48-hour time period, which is faster than we can practically push out updates to a list of "known-phishing" sites.
Even if SmartScreen downloaded a list of phishing sites 24 times a day, you might not be protected against a confirmed, known phishing site for an hour at a time, at any time of day. Because SmartScreen checks unknown sites in real time, you always have the latest intelligence. Requiring users to constantly download a local list can also cause network scale problems. We think the number of computers that can be used to launch phishing attacks is much higher than the number of spyware signatures that users deal with today. In a scenario in which phishing threats move rapidly, downloading a list of newly reported phishing sites every hour could significantly clog Internet traffic.
Anonymous statistics about your usage will also be sent to Microsoft, such as the time and total number of Web sites browsed since an address was sent to Microsoft for analysis. This information, along with the information described earlier, will be used to analyze the performance and improve the quality of the SmartScreen service. Microsoft will not use the information it receives to personally identify you. Some URLs that are sent may be saved to be included in the legitimate list and then provided as client updates. When saving this information, additional information—including the SmartScreen and operating system version and your browser language—will be saved.

Although the online list of phishing sites is regularly updated, users might find a phishing site that is not yet on the list. Users can help Microsoft identify a potentially malicious site by reporting it. Within Internet Explorer 8, select SmartScreen Filter from the Tools menu and then click Report Unsafe Website. Users are then taken to a simple form they can submit to inform Microsoft of the site.

HOW TO CONFIGURE SMARTSCREEN OPTIONS

To enable or disable SmartScreen, follow these steps:

1. In your browser, open the Tools menu and select Internet Options.
2. In the Internet Options dialog box, click the Advanced tab, scroll down to the Security group in the Settings list, and then select or clear the Enable SmartScreen Filter check box.

You can use the following Group Policy settings to control whether users can manage the SmartScreen filter themselves:

- Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Turn Off Managing SmartScreen Filter
- User Configuration\Administrative Templates\Windows Components\Internet Explorer\Turn Off Managing SmartScreen Filter

If you enable the setting, you can choose to enable or disable SmartScreen. Additionally, in the same group, you can enable the Prevent Bypassing SmartScreen Filter Warnings policy.
DIRECT FROM THE SOURCE

Anti-Phishing Accuracy Study

Tony Chor, Group Program Manager
Internet Explorer Product Team

As we worked on the new Phishing Filter in Internet Explorer 7, we knew the key measure would be how effective it is in protecting customers. In addition to our internal tests, we wanted to find some external measure of our progress to date as well as point to ways we could improve. We didn't know of a publicly available study covering the area, only some internal and media product reviews.
To help us answer this question, we asked 3Sharp LLC to conduct a study of the Phishing Filter in Internet Explorer 7 along with seven other products designed to protect against phishing threats. 3Sharp LLC tested these eight browser-based products to evaluate their overall accuracy in catching 100 live, confirmed phishing Web sites over a six-week period (May through July 2006) and also to understand the false-positive error rate on 500 good sites. We were pleased to see that the Phishing Filter in Internet Explorer 7 finished at the top of 3Sharp's list as the most accurate anti-phishing technology, catching nearly 9 of 10 phishing sites while generating no warning or block errors on the 500 legitimate Web sites tested.

It's great to see so many companies looking for different ways to address the significant problem of phishing. We think that the results reported by 3Sharp validate the unique approach we've taken of combining a service-backed block list with client-side heuristics. That said, we understand that the threat posed by phishing is constantly evolving, as are the tools designed to protect users. This set of results represents only the relative performance during that period. We know we need to keep working to keep up with the changes in the attacks, and we are already using the results of this test to further improve the efficacy of the Phishing Filter.

Deleting Browsing History

Browsers store many traces of the sites users visit, including cached copies of pages and images, passwords, and cookies. If a user is accessing confidential information or authenticated Web sites from a shared computer, another user of that computer might be able to use the stored copies of the Web site to access private data. To simplify removing these traces, Internet Explorer 7 provides a Delete Browsing History option that allows users to initiate cleanup with one button, easily and instantly erasing personal data. To delete your browsing history, follow these steps:

1. In your browser, open the Tools menu and select Internet Options.
2. In the Internet Options dialog box on the General tab, click Delete in the Browsing History group.
3. In the Delete Browsing History dialog box, shown in Figure 20-19, select only the objects you need to remove.
FIGURE 20-19 The Delete Browsing History dialog box provides a single interface for removing confidential remnants from browsing the Web.

If you don't want users to be able to delete their browsing history, form data, or passwords, you can enable the Group Policy settings located in both Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Delete Browsing History and User Configuration\Administrative Templates\Windows Components\Internet Explorer\Delete Browsing History.

Blocking IDN Spoofing

Look-alike attacks (sometimes called homograph attacks) are possible within the ASCII character set. For example, www.alpineskihouse.com would be a valid name for Alpine Ski House, but www.a1pineskihouse.com would be easily mistaken for the valid name—even though the lowercase L has been replaced with the number 1. However, with International Domain Name (IDN), the character repertoire expands from a few dozen characters to many thousands of characters from all the world's languages, thereby increasing the attack surface for spoofing attacks immensely. The design of the anti-spoofing mitigation for IDN aims to:

- Reduce the attack surface.
- Treat Unicode domain names fairly.
- Offer a good user experience for users worldwide.
- Offer simple, logical options with which the user can fine-tune the IDN experience.
One of the ways Internet Explorer reduces this risk is by using Punycode. Punycode, as defined in RFC 3492, converts Unicode domain names into a limited character set. With Punycode, the domain name soüth.contoso.com (which might be used to impersonate south.contoso.com) becomes soth-kva.contoso.com. There is little doubt that showing the Punycode form leaves no ground for spoofing using the full range of Unicode characters. However, Punycode is not very user friendly.

Given these considerations, Internet Explorer 7 and later versions impose restrictions on the character sets allowed to be displayed inside the address bar. These restrictions are based on the user's configured browser-language settings. Using APIs from Idndl.dll, Internet Explorer will detect which character sets are used by the current domain name. If the domain name contains characters outside the user's chosen languages, it is displayed in Punycode form to help prevent spoofing. A domain name is displayed in Punycode if any of the following are true:

- The domain name contains characters that are not a part of any language (such as www. .com).
- Any of the domain name's labels contains a mix of scripts that do not appear together within a single language. For instance, Greek characters cannot mix with Cyrillic within a single label.
- Any of the domain name's labels contain characters that appear only in languages other than the user's list of chosen languages.

Note that ASCII-only labels are always permitted for compatibility with existing sites. A label is a segment of a domain name, delimited by dots. For example, www.microsoft.com contains three labels: www, microsoft, and com. Different languages are allowed to appear in different labels as long as all the languages are in the list chosen by the user. This approach is used to support domain names such as name.contoso.com, where contoso and name are composed of different languages.
Whenever Internet Explorer 7 and later versions prevent an IDN domain name from displaying in Unicode, an Information bar notifies the user that the domain name contains characters that Internet Explorer is not configured to display. It is easy to use the IDN Information bar to add additional languages to the allow list. By default, the user's list of languages will usually contain only the currently configured Microsoft Windows language. The language-aware mitigation does two things:

- It disallows nonstandard combinations of scripts from being displayed inside a label. This takes care of attacks such as http://bank.contoso.com, which appears to use a single script but actually contains two scripts. That domain name will always be displayed as http://xn--bnk-sgz.contoso.com because two scripts (Cyrillic and Latin) are mixed inside a label. This reduces the attack surface to single-language attacks.
- It further reduces the attack surface for single-language attacks to only those users who have chosen to permit the target language.
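The label-by-label display decision described in this section (ASCII labels always shown; mixed scripts, characters outside any language, or characters outside the user's chosen languages shown in Punycode) as an added example, written for this page and not taken from Internet Explorer or Idndl.dll; the per-language character repertoires are a toy subset assumed for the illustration, and the script of a character is derived from its Unicode character name:

```python
# Added example (not from the Resource Kit or Internet Explorer): a model of the
# IE 7 IDN display rules. LANGUAGE_CHARS is an assumed toy repertoire, not IE's table.
import unicodedata

# Non-ASCII characters each language is assumed to use (ASCII letters are implied).
LANGUAGE_CHARS = {
    "en": set(),
    "de": set("äöüß"),
    "el": {chr(c) for c in range(0x0370, 0x0400)},   # Greek and Coptic block
    "ru": {chr(c) for c in range(0x0400, 0x0500)},   # Cyrillic block
}
ASCII_LETTERS = set("abcdefghijklmnopqrstuvwxyz")


def script_of(ch):
    """Script of one character, taken from the first word of its Unicode name.
    Digits, hyphens and other symbols count as COMMON; unknown scripts as OTHER."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"
    first = unicodedata.name(ch, "").split(" ")[0]
    return first if first in ("LATIN", "CYRILLIC", "GREEK") else "OTHER"


def to_punycode(label):
    """Encode one label in its xn-- form (Punycode, RFC 3492)."""
    return "xn--" + label.encode("punycode").decode("ascii")


def display_label(label, user_languages):
    """Return (text_to_show, reason) for a single label."""
    if label.isascii():
        return label, "ascii"                       # ASCII labels are always permitted
    scripts = {script_of(ch) for ch in label} - {"COMMON"}
    if "OTHER" in scripts:
        return to_punycode(label), "not part of any language"
    if len(scripts) > 1:                            # e.g. Cyrillic mixed with Latin
        return to_punycode(label), "mixed scripts"
    allowed = set(ASCII_LETTERS)
    for lang in user_languages:
        allowed |= LANGUAGE_CHARS.get(lang, set())
    if any(ch.isalpha() and ch.lower() not in allowed for ch in label):
        return to_punycode(label), "language not chosen by user"
    return label, "unicode"


def display_domain(domain, user_languages):
    """Apply the rule per label: different languages may appear in different
    labels as long as each one is in the user's list."""
    return ".".join(display_label(l, user_languages)[0] for l in domain.split("."))
```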
Users who allow Greek in their language settings, for example, are as susceptible to Greek-only spoofs as the population using English is susceptible to pure ASCII-based spoofs. To protect against such occurrences, the Internet Explorer 7 Phishing Filter monitors both Unicode and ASCII URLs. If the user has opted in to the Phishing Filter, a real-time check is performed during navigation to see whether the target domain name is a reported phishing site. If so, navigation is blocked. For additional defense-in-depth, the Phishing Filter Web service can apply additional heuristics to determine whether the domain name is visually ambiguous. If so, the Phishing Filter will warn the user via the indicator in the Internet Explorer address bar.

Whenever a user is viewing a site addressed by an IDN, an indicator will appear in the Internet Explorer address bar to notify the user that IDN is in use. The user can click the IDN indicator to view more information about the current domain name. Users who do not want to see Unicode addresses may select the Always Show Encoded Addresses check box on the Advanced tab of the Internet Options dialog box.

Security Zones

Web applications are capable of doing almost anything a standard Windows application can do, including interacting with the desktop, installing software, and changing your computer's settings. However, if Web browsers allowed Web sites to take these types of actions, some Web sites would abuse the capabilities to install malware or perform other malicious acts on computers. To reduce this risk, Internet Explorer limits the actions that Web sites on the Internet can take. However, these limitations can cause problems for Web sites that legitimately need elevated privileges. For example, your users might need to visit an internal Web site that uses an unsigned ActiveX control. Enabling unsigned ActiveX controls for all Web sites is very dangerous, however.
Understanding Zones

To provide optimal security for untrusted Web sites while allowing elevated privileges for trusted Web sites, Internet Explorer provides multiple security zones:

- Internet  All Web sites that are not listed in the trusted or restricted zones. Sites in this zone are restricted from viewing private information on your computer (including cookies or temporary files from other Web sites) and cannot make permanent changes to your computer.
- Local Intranet  Web sites on your intranet. Internet Explorer can detect automatically whether a Web site is on your intranet. Additionally, you can add Web sites manually to this zone.
- Trusted Sites  Web sites that administrators have added to the Trusted Sites list because they require elevated privileges. Trusted Sites do not use Protected Mode, which could introduce security weaknesses. Therefore, you need to select the Web sites added to the Trusted Sites zone carefully. You don't need to add all sites you trust to this zone; instead, you should add only sites that you trust and that cannot work properly in the Internet or intranet zones. By default, this zone is empty.
- Restricted Sites  Web sites that might be malicious and should be restricted from performing any potentially dangerous actions. You need to use this zone only if you plan to visit a potentially malicious Web site and you need to minimize the risk of a security compromise. By default, this zone is empty.

NOTE When moving from a trusted site to an untrusted site or vice versa, Internet Explorer warns the user and opens a new window. This reduces the risk of users accidentally trusting a malicious site.

Configuring Zones on the Local Computer

You can configure the exact privileges assigned to each of these security zones by following these steps:

1. Select Internet Options from the Tools menu.
2. In the Internet Options dialog box, click the Security tab.
3. Click the zone you want to modify. In the Security Level For This Zone group, move the slider up to increase security and decrease risks, or move the slider down to increase privileges and increase security risks for Web sites in that zone. For more precise control over individual privileges, click Custom Level. To return to the default settings, click Default Level.
4. Click OK to apply your settings.

NOTE Application developers can use the IInternetSecurityManager::SetZoneMapping() method to add sites to specific security zones.

To configure the Web sites that are part of the Local Intranet, Trusted Sites, or Restricted Sites zone, follow these steps:

1. In Internet Explorer, visit the Web page that you want to configure.
2. Select Internet Options from the Tools menu.
3. In the Internet Options dialog box, click the Security tab.
4. Click the zone you want to modify and then click Sites.
5. If you are adding sites to the Local Intranet zone, click Advanced.
6. If you are adding a site to the Trusted Sites zone and the Web site does not support HTTPS, clear the Require Server Verification (HTTPS:) For All Sites In This Zone check box.
7. Click Add to add the current Web site to the list of Trusted Sites. Then click Close.
  16. 8. Click OK to close the Internet Options dialog box . Then close Internet Explorer, reopen it, and visit the Web page again . If the problem persists, repeat these steps to remove the site from the Trusted Sites zone . Continue reading this section for more trouble- shooting guidance . You need to add sites to a zone only if they cause problems in their default zone . For more information, read the section titled “Troubleshooting Internet Explorer Problems” later in this chapter . Configuring Zones Using Group policy To manage security zones in an enterprise, use the Group Policy settings located at \Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel \Security Page under both Computer Configuration and User Configuration . Using these set- tings, you can configure the exact rights applied to each zone . To assign a standard security level (Low, Medium Low, Medium, Medium High, or High) to a zone, enable one of the fol- lowing settings: n Internet Zone Template n Intranet Zone Template n Local Machine Zone Template n Restricted Sites Zone Template n Trusted Sites Zone Template If none of the standard security levels provides the exact security settings you need, you can edit the settings in the appropriate zone’s node within the Security Page node . In particu- lar, notice the Turn On Protected Mode setting located in each zone’s node . To specify that a URL is part of a specific zone, enable the Site To Zone Assignment List setting in the Security Page node . After you have enabled a URL, you can assign it (using the Value Name field, with an optional protocol) to a specific zone (using the Value field) using the zone’s number: n 1: Local Intranet zone n 2: Trusted Sites zone n 3: Internet zone n 4: Restricted Sites zone For example, Figure 20-20 shows the Group Policy setting configured to place any requests to contoso.com (regardless of the protocol) in the Restricted Sites zone (a value of 4) . 
Requests to www.fabrikam.com, using either HTTP or HTTPS, are placed in the Intranet zone (a value of 1) . HTTPS requests to www.microsoft.com are placed in the Trusted Sites zone (a value of 2) . In addition to domain names, you can specify IP addresses, such as 192 .168 .1 .1, or IP address ranges, such as 192 .168 .1 .1-192 .168 .1 .200 . 918 CHapTER 20 Managing Windows Internet Explorer Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
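The following PowerShell script is an added example and is not from the Resource Kit. It writes the three assignments shown in Figure 20-20 into the ZoneMapKey policy key (the registry location that the Site To Zone Assignment List setting populates; the key path is not stated on the page and the default below is this example's assumption) and then lists every entry that lands in the Trusted Sites zone, since those sites run without Protected Mode and deserve review, flagging any that were added without HTTPS.

```powershell
# Added example: populate and audit the Site To Zone Assignment List.
# Assumption: the policy writes to the ZoneMapKey key below (not named on the page).
# Writing to HKLM requires an elevated prompt; a GPO-managed list is rewritten at refresh.
param(
    [string]$PolicyKey = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
)

# Zone numbers exactly as the Site To Zone Assignment List setting uses them.
$Zone = @{ Intranet = '1'; Trusted = '2'; Internet = '3'; Restricted = '4' }

# The assignments from Figure 20-20: value name = URL pattern (optional protocol),
# value = zone number stored as a string.
$assignments = @{
    'contoso.com'               = $Zone.Restricted   # any protocol
    'http://www.fabrikam.com'   = $Zone.Intranet
    'https://www.fabrikam.com'  = $Zone.Intranet
    'https://www.microsoft.com' = $Zone.Trusted
}

function Set-ZoneAssignments {
    param([hashtable]$Map, [string]$Key)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    foreach ($url in $Map.Keys) {
        Set-ItemProperty -Path $Key -Name $url -Value $Map[$url] -Type String
    }
}

function Get-TrustedSiteEntries {
    # Returns each Trusted Sites (zone 2) entry and whether it is HTTPS-only.
    # A Trusted Sites entry without HTTPS gets elevated privileges with no
    # server verification, which is the case the book says to scrutinize.
    param([string]$Key)
    $props = Get-ItemProperty -Path $Key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # provider metadata, not a site
        if ($p.Value -eq $Zone.Trusted) {
            [pscustomobject]@{
                Site      = $p.Name
                UsesHttps = ($p.Name -like 'https://*')
            }
        }
    }
}

Set-ZoneAssignments -Map $assignments -Key $PolicyKey
Get-TrustedSiteEntries -Key $PolicyKey | Format-Table -AutoSize
```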
FIGURE 20-20 Use the Site To Zone Assignment List setting to override security zone assignment for specific URLs.

Network Protocol Lockdown

Sometimes you might want to apply different security settings to specific protocols within a zone. For example, you might want to configure Internet Explorer to lock down HTML content hosted on the Shell: protocol if it is in the Internet zone. Because the Shell: protocol's most common use is for local content and not Internet content, this mitigation can reduce the attack surface of the browser against possible vulnerabilities in protocols less commonly used than HTTP.

By default, Network Protocol Lockdown is not enabled, and this default is sufficient for most environments. If you choose to create a highly restrictive desktop environment, you might want to use Network Protocol Lockdown to mitigate security risks. Configuring Network Protocol Lockdown is a two-phase process, as follows:

- Configure the protocols that will be locked down for each zone. Enable the Group Policy setting for the appropriate zone and specify the protocols that you want to lock down. The Group Policy settings are located in both User Configuration and Computer Configuration under Administrative Templates\Windows Components\Internet Explorer\Security Features\Network Protocol Lockdown\Restricted Protocols Per Security Zone.
- Configure the security settings for the locked-down zones. Enable the Group Policy setting for the zone and specify a restrictive template or configure individual security settings. The Group Policy settings are located in both User Configuration and Computer Configuration under Administrative Templates\Windows Components\Internet Explorer\Security Page\.
Managing Internet Explorer Using Group Policy

Internet Explorer has hundreds of settings, and the only way to manage it effectively in an enterprise environment is to use the more than 1,300 settings that Group Policy provides. Besides the security settings discussed earlier in this chapter, you can use dozens of other Group Policy settings to configure almost any aspect of Internet Explorer. The sections that follow describe Group Policy settings that apply to Internet Explorer 7 (which also apply to Internet Explorer 8), as well as those that apply only to Internet Explorer 8.

Group Policy Settings for Internet Explorer 7 and Internet Explorer 8

Table 20-2 shows some examples of the more useful settings that apply to both Internet Explorer 7 and Internet Explorer 8. Settings marked as CC can be found at Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\. Settings marked as UC can be found at User Configuration\Administrative Templates\Windows Components\Internet Explorer\.

TABLE 20-2 Group Policy Settings for Internet Explorer 7 and Internet Explorer 8

Each entry gives the setting name, the configuration node(s) it appears under, and its description.

Add A Specific List Of Search Providers To The User's Search Provider List (CC, UC)
    With the help of custom registry settings or a custom administrative template, you can configure custom search providers that will be accessible from the Search toolbar.

Turn Off Crash Detection (CC, UC)
    Allows you to disable Crash Detection, which automatically disables problematic add-ons. Enable this setting only if you have an internal add-on that is unreliable but still required.

Do Not Allow Users To Enable Or Disable Add-ons (CC, UC)
    Enable this setting to disable the Add-on Manager.

Turn On Menu Bar By Default (CC, UC)
    By default, Internet Explorer 7 does not display a menu bar. Users can display the menu bar by pressing the Alt key. Enable this setting to display the menu bar by default.

Disable Caching Of Auto-Proxy Scripts (CC or UC; only one column is marked in the source table)
    If you use scripts to configure proxy settings, you can use this setting if you experience problems with script caching.

Disable External Branding Of Internet Explorer (CC or UC; only one column is marked in the source table)
    Prevents the customization of logos and title bars in Internet Explorer and Microsoft Office Outlook Express. This custom branding often occurs when users install software from an Internet service provider.

Disable Changing Advanced Page Settings (CC or UC; only one column is marked in the source table)
    Enable this policy to prevent users from changing security, multimedia, and printing settings from the Internet Options Advanced tab.

Customize User Agent String (CC, UC)
    Changes the user-agent string, which browsers use to identify the specific browser type and version to Web servers.

Use Automatic Detection For Dial-Up Connections (CC or UC; only one column is marked in the source table)
    This policy setting is disabled by default. Enable it to allow Automatic Detection to use a Dynamic Host Configuration Protocol (DHCP) or Domain Name System (DNS) server to customize the browser the first time it starts.

Move The Menu Bar Above The Navigation Bar (CC or UC; only one column is marked in the source table)
    Enable this policy setting to control the placement of the menu bar. If you don't set this, users can configure the location of the menu bar relative to the navigation bar by dragging it.

Turn Off Managing Pop-Up Filter Level (CC, UC)
    Use this setting to configure whether users can set the Pop-up Filter level. You can't set the Pop-up Filter level directly with this setting; you can only define whether or not users can manage the setting.

Turn Off The Security Settings Check Feature (CC, UC)
    By default, Internet Explorer will warn users if settings put them at risk. If you configure settings in such a way that Internet Explorer would warn the users, enable this setting to prevent the warning from appearing.

Turn On Compatibility Logging (CC, UC)
    Enable this setting to log the details of requests that Internet Explorer blocks. Typically, you need to enable this setting only when actively troubleshooting a problem with a Web site.

Enforce Full Screen Mode (CC, UC)
    Enable this policy only if using a computer as a Web-browsing kiosk.

Configure Media Explorer Bar (CC or UC; only one column is marked in the source table)
    Enable this policy if you want to be able to disable the Media Explorer Bar. The Media Explorer Bar plays music and video content from the Internet. Keep in mind that multimedia content is used for legitimate, business-related Web sites more and more often, including replaying meetings and webcasts.

Prevent The Internet Explorer Search Box From Displaying (CC or UC; only one column is marked in the source table)
    Enable this policy to hide the search box.

Restrict Changing The Default Search Provider (CC, UC)
    Enable this policy to force users to use the search provider you configure.

Pop-Up Allow List (CC, UC)
    Enable this policy and specify a list of sites that should allow pop-ups if you have internal Web sites that require pop-up functionality.

Prevent Participation In The Customer Experience Improvement Program (CC, UC)
    Microsoft uses the Customer Experience Improvement Program (CEIP) to gather information about how users work with Internet Explorer. If you enable this policy, CEIP will not be used. In some organizations, you might need to disable CEIP to meet confidentiality requirements. If you disable this policy, CEIP will always be used. For more information about CEIP, visit http://www.microsoft.com/products/ceip/.

In addition to the settings in Table 20-2, several subnodes contain additional Internet Explorer-related settings. With the policy settings located in Administrative Templates\Windows Components\Internet Explorer\Administrator Approved Controls (within both User Configuration and Computer Configuration), you can enable or disable specific controls throughout your organization.

With the policy settings located in Administrative Templates\Windows Components\Internet Explorer\Application Compatibility (within both User Configuration and Computer Configuration), you can control cut, copy, and paste operations for Internet Explorer. Typically, you do not need to modify these settings.