Managing MSIE security in corporate networks by creating custom Security Zones

Patrick Chambet
Edelweb – ON-X Group
patrick.chambet@edelweb.fr
http://www.edelweb.fr
http://www.chambet.com

Page 2 - Managing MSIE security by creating custom Security Zones - Patrick Chambet

Planning
- General points
- MSIE Security Zones creation and settings
- Conclusion

General Points (1/2)
- A lot of companies use Internet Explorer internally as their corporate Web browser
- They need to protect themselves against hostile code
  - Viruses
  - Worms
  - Hostile Web servers
  - Spyware

General Points (2/2)
- Companies need several policies, depending on the kind of browsed Web sites
  - Professional Web sites
  - “Tolerated” Web sites
  - “Forbidden” Web sites
- Which ActiveX are allowed in the company?
  - Flash player?
  - Media player?
  - Company-made ActiveX?

Planning
- General points
- MSIE Security Zones creation and settings
- Conclusion

MSIE Security Zones (1/8)
- IE security zones settings are stored in 2 locations in the Registry
  - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  - HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  - The settings are additive
  - Only custom Web sites in HKEY_CURRENT_USER are visible
- To use only computer settings
  - Set value Security_HKEY_LOCAL_MACHINE_only in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ (DWORD) to 1

MSIE Security Zones (2/8)
- Sub keys
  - TemplatePolicies
    - Settings of the default security zone levels (Low, Medium Low, Medium, High)
  - ZoneMap
    - Contains domains and protocols with custom behavior
  - Zones
    - Contains the zones settings

MSIE Security Zones (3/8)
- Built-in Zones
  - 0 My Computer
  - 1 Local Intranet Zone
  - 2 Trusted sites Zone
  - 3 Internet Zone
  - 4 Restricted Sites Zone
- Unhide the « My Computer » zone
  - Set value Flags in HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 to 71
- The Flags DWORD value determines the ability of the user to modify the security zone's settings

MSIE Security Zones (4/8)
- Proper security zone parameters are used locally for saved HTML pages
  - “Mark of the Web”
    <!-- saved from url=(0023)http://foo.example.com/ -->
    (0023): URL length
- The easiest way to create a new security zone
  - Export the closest zone (trusted / restricted) to a .reg file
  - Modify the zone number and some settings
    - Flags, icon, name, …
  - Import the .reg file
  - Use the GUI to customize your settings

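A checker for the Mark of the Web comment shown on slide 4/8, added here as an example (it is not code from the original slides). It assumes the four-digit length field is authoritative and flags comments whose length does not match the URL text; the function names and the two mismatching samples are constructed for illustration.

```python
import re

# Length field is four decimal digits in parentheses, then the URL itself.
MOTW_RE = re.compile(r"<!--\s*saved from url=\((\d{4})\)(.*?)-->", re.S)

def parse_motw(html):
    """Return (url, problems) for the first Mark of the Web comment.

    url is the text covered by the declared length (None when the page has
    no comment); problems lists every inconsistency found.
    """
    m = MOTW_RE.search(html)
    if m is None:
        return None, ["no Mark of the Web comment"]
    declared, body = int(m.group(1)), m.group(2).rstrip()
    url, rest = body[:declared], body[declared:]
    problems = []
    if len(url) < declared:
        problems.append("length field %04d exceeds the %d characters present"
                        % (declared, len(url)))
    elif rest:
        problems.append("length field %04d stops before %r" % (declared, rest))
    return url, problems

def make_motw(url):
    """Build the comment for url with a correctly zero-padded length."""
    if not 0 < len(url) <= 9999:
        raise ValueError("URL length must fit the four-digit field")
    return "<!-- saved from url=(%04d)%s -->" % (len(url), url)

# Constructed samples: the slide's comment, then two with a wrong length field.
SLIDE = "<!-- saved from url=(0023)http://foo.example.com/ -->\n<html></html>"
TOO_SHORT = "<!-- saved from url=(0023)http://foo.example.com/login.html -->"
TOO_LONG = "<!-- saved from url=(0040)http://foo.example.com/ -->"

if __name__ == "__main__":
    for sample in (SLIDE, TOO_SHORT, TOO_LONG, "<html></html>"):
        print(parse_motw(sample))
```
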
MSIE Security Zones (5/8)
[Figure panels: Before, After]

MSIE Security Zones (6/8)

MSIE Security Zones (7/8)
- Administrator approved ActiveX
  - Check “Administrator approved” in “Run ActiveX controls and plug-ins” (value “1200”)
  - The approved controls are stored in HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls\
  - In the MMC
    - GPO editor snap-in
    - Local Computer Policy
    - User configuration

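The export / modify / import procedure from slide 4/8, combined with the “Administrator approved” setting from slide 7/8, as an added Python example that is not part of the original slides. It rewrites a constructed export of zone 2 into custom zone 5; the data 0x00010000 for “Administrator approved” and the Flags bit meanings come from Microsoft KB Q182569, and clone_zone, SAMPLE_EXPORT and the zone name are assumptions of the example.

```python
import re

ADMIN_APPROVED = 0x00010000  # data stored under "1200" for "Administrator approved"

def clone_zone(reg_text, src, dst, name, flags):
    """Turn an exported Zones\\<src> .reg file into one defining Zones\\<dst>."""
    if dst <= 4:
        raise ValueError("zone numbers 0-4 are the built-in zones")
    key_re = re.compile(r"^\[(.*\\Internet Settings\\Zones\\)%d\]\s*$" % src)
    # Backslashes and double quotes must be escaped inside .reg string data.
    escaped = name.replace("\\", "\\\\").replace('"', '\\"')
    out, in_zone, found = [], False, False
    for line in reg_text.splitlines():
        if line.startswith("["):
            m = key_re.match(line)
            in_zone = m is not None
            if in_zone:
                found = True
                line = "[%s%d]" % (m.group(1), dst)   # new zone number
        elif in_zone and line.startswith('"DisplayName"='):
            line = '"DisplayName"="%s"' % escaped
        elif in_zone and line.startswith('"Flags"='):
            line = '"Flags"=dword:%08x' % flags
        elif in_zone and line.startswith('"1200"='):
            line = '"1200"=dword:%08x' % ADMIN_APPROVED
        out.append(line)
    if not found:
        raise ValueError("no Zones\\%d key in the export" % src)
    return "\n".join(out) + "\n"

# Constructed sample standing in for an export of the Trusted sites zone (2).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"DisplayName"="Trusted sites"
"Flags"=dword:00000047
"1200"=dword:00000000
"1201"=dword:00000003
'''

def demo():
    # Flags 0 clears every bit, including 1 (allow changes to custom settings)
    # and 2 (allow users to add Web sites to this zone).
    return clone_zone(SAMPLE_EXPORT, 2, 5, "Professional sites", 0)

if __name__ == "__main__":
    print(demo())
```

Review the generated text before importing it, and finish the remaining settings in the GUI as the slide describes.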
MSIE Security Zones (8/8)

Deployment
- IEAK
- GPO
  - User configuration/Windows settings/IE Maintenance/Security

Conclusion
- MSIE Security Zones in a corporate network can be customized to special needs depending on user working habits
- The overall IE security is increased
- But does not replace the security patch management process for IE

Links (1/2)
- Microsoft KB
  - Q182569
    http://support.microsoft.com/?kbid=182569
  - Q315933 (Local Machine zone)
    http://support.microsoft.com/?kbid=315933
    http://support.microsoft.com/?kbid=833633
  - Q240797 (ActiveX Compatibility: the Kill Bit)
    http://support.microsoft.com/?kbid=240797
- Microsoft Reskits
  - http://www.microsoft.com/resources/documentation/ie/6/all/reskit/en-us/part2/c04ie6rk.mspx
  - http://www.microsoft.com/resources/documentation/ie/5/all/reskit/en-us/part1/ch07zone.mspx

Links (2/2)
- Increase your browsing and e-mail safety
  - http://www.microsoft.com/security/incident/settings.mspx
- MSDN
  - URL Security Zones
    http://msdn.microsoft.com/library/en-us/dnanchor/html/anch_securityzones.asp
  - URL Security Zones Reference
    http://msdn.microsoft.com/library/default.asp?url=/workshop/security/szone/reference/urlzones_ref_entry.asp

Questions & Answers