Securing client applications involves both the application of security settings and the education of users. You can secure Internet Explorer through the use of administrative templates, as well as by configuring the security settings for the built-in security zones. Microsoft Office also has a set of administrative templates that you can use to control access to certain types of attachments, junk e-mail, and other potentially damaging content. Helping users understand how to safely download files from the Internet and how to safely open e-mail attachments is key to maintaining application security in your organization.
Internet Explorer Administrative Templates
Internet Explorer administrative templates help you enforce security requirements for workstations running Windows XP and prevent the exchange of unwanted content by means of the browser. Use the following practices to help secure Internet Explorer on the workstations in your environment:
Consider using the settings included in the Enterprise Client templates.
Ensure that requests to the Internet occur only in direct response to user actions.
Ensure that information sent to a specific Web site reaches only that site, unless a specific user action permits transmitting information to another destination.
Ensure that trusted channels to servers/sites, and the owners of the servers/sites on each channel, are clearly identified.
Ensure that any script or program that runs with Internet Explorer executes in a restricted environment. Programs delivered through trusted channels can be enabled to operate outside the restricted environment.
Internet Explorer Zones
In Internet Explorer, you can configure security settings for several built-in security zones: the Internet zone, the Local intranet zone, the Trusted sites zone, the Restricted sites zone, and the My Computer zone. The default settings for these zones in Windows XP Service Pack 2 are:
For the Internet zone, the default security level is Medium. This zone is intended for all content in Uniform Resource Locators (URLs) with fully qualified domain names.
For the Local intranet zone, the default security level is Medium-Low. This allows your user credentials (user name and password) to be passed automatically to sites and applications that need them. This zone is intended for all Web sites on your local network in the same DNS domain as the client computer.
For the Trusted sites zone, the default security level is Low. This allows browsing of many Internet sites. This zone is empty unless specifically configured.
For the Restricted sites zone, the default security level is High. This zone is empty unless specifically configured and is often used by e-mail applications for viewing e-mail messages formatted in Hypertext Markup Language (HTML).
The My Computer zone (sometimes referred to as the Local Computer zone) is not displayed in the user interface by default. The security for this zone is set to Low by default. This zone is intended for content that is found on the local computer.
You should carefully evaluate the settings for each of these zones to ensure that they are appropriate for the level of security required in your environment.
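The zone list above describes assignment rules rather than a procedure, so the following Python, added here as an illustration and not taken from the guide or from Internet Explorer itself, models how a URL lands in a zone and which default level it therefore inherits: explicit Restricted and Trusted sites lists win, file:// content belongs to the hidden My Computer zone, dotless host names and hosts in the client's own DNS domain fall into Local intranet, and every other fully qualified name is Internet. The `client_domain` parameter, the `*.` pattern syntax and the sample site lists are assumptions; proxy-bypass and IP-address range rules that the real browser also applies are deliberately not modeled.

```python
"""Classify a URL into an Internet Explorer security zone (illustrative model)."""
from urllib.parse import urlsplit

# Default security levels per zone as stated in the guide for Windows XP SP2.
DEFAULT_LEVEL = {
    "Internet": "Medium",
    "Local intranet": "Medium-Low",
    "Trusted sites": "Low",
    "Restricted sites": "High",
    "My Computer": "Low",
}


def _host_matches(host, pattern):
    """True if host equals pattern, or is a subdomain of a '*.'-prefixed pattern."""
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # "*.contoso.com" -> ".contoso.com"
        return host.endswith(suffix) and host != suffix.lstrip(".")
    return host == pattern


def classify_url(url, trusted=(), restricted=(), client_domain=None):
    """Return (zone, default_level) for url.

    trusted / restricted: host patterns such as 'example.net' or '*.example.com'
    (constructed site lists). client_domain: the client computer's DNS domain
    (assumed helper input; the guide's 'same DNS domain' rule).
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower().rstrip(".")

    if scheme == "file":
        # Local content: the zone that is not shown in the user interface.
        zone = "My Computer"
    elif any(_host_matches(host, p) for p in restricted):
        # Explicit lists override everything else; Restricted is checked first so a
        # host accidentally present in both lists is treated conservatively.
        zone = "Restricted sites"
    elif any(_host_matches(host, p) for p in trusted):
        zone = "Trusted sites"
    elif host and ("." not in host or
                   (client_domain and _host_matches(host, "*." + client_domain.lower()))):
        # Unqualified names and hosts in the client's own DNS domain are intranet.
        zone = "Local intranet"
    else:
        # Any other fully qualified domain name.
        zone = "Internet"
    return zone, DEFAULT_LEVEL[zone]


if __name__ == "__main__":
    # Constructed sample lists; a dotless name and a same-domain host both land in Local intranet.
    for url in ("http://intranet/", "http://payroll.contoso.com/", "https://www.microsoft.com/",
                "file:///C:/Windows/notepad.exe", "http://news.example.org/"):
        print(url, "->", classify_url(url, trusted=["*.example.net"],
                                      restricted=["*.example.org"], client_domain="contoso.com"))
```

Because the default level is looked up from the zone rather than from the URL, the same function can be used to audit a list of sites a GPO assigns: a site that unexpectedly resolves to Trusted sites (Low) is exactly the case the Caution below warns about.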
Caution
Configuring Internet Explorer zone settings to values that are lower than the default settings may cause a computer to become vulnerable to attacks the default settings have been configured to prevent. Use caution when using templates to lower the security settings for zones.
Note
To further reduce the attack surface, the default security settings for these Internet Explorer zones have been increased in Windows XP SP2.
Windows XP SP2 Internet Explorer Security Enhancements
Windows XP Service Pack 2 (SP2) has added security features to Internet Explorer and has improved existing ones. These features help to make Web browsing more secure.
MIME-handling enforcement. Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) type information to decide how to handle files that have been sent by a Web server. Depending on the MIME type, Internet Explorer processes the Hypertext Transfer Protocol (HTTP) response differently. For example, a JPEG file returned for an HTTP request is displayed, but an .exe file results in the user being prompted for a decision on how to handle the file.
Consistency checks. Internet Explorer now requires that all file-type information that is provided by Web servers be consistent with the actual file content. The browser will enforce consistency between how a file is handled in the browser and how it is handled in the Windows Shell. Additionally, files are renamed in the Internet Explorer cache to enforce consistent handling of the files by all applications.
Stricter rules. In SP2, Internet Explorer will now follow stricter rules that are designed to reduce the attack surface for spoofing the Internet Explorer MIME-handling logic. If Internet Explorer receives a file with “text/plain” MIME type but the MIME sniff indicates that the file is actually an HTML, media, or executable file, Internet Explorer will not increase the privilege of the file compared with the server’s declared MIME type. If an incorrectly configured Web server hosts HTML files but sends text/plain as the content type in the HTTP header, Internet Explorer will show the file as plaintext rather than render the HTML.
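The three paragraphs above describe one policy from different angles: handling follows the declared Content-Type, content sniffing is used only to detect inconsistency (never to promote a file to a more privileged type), and the cached copy is renamed so the Windows Shell treats it the same way the browser did. The Python below is an added model of that policy, not Internet Explorer's code and not Microsoft's algorithm; the signature list, the privilege ladder (plain text < image < HTML < executable) and the extension map are illustrative choices, and the sample responses are constructed.

```python
"""Model of the SP2 MIME-consistency rules: no privilege elevation over the declared type."""
import posixpath
import re
from urllib.parse import urlsplit

# Leading HTML markup after optional whitespace; only the first 512 bytes are inspected.
HTML_START = re.compile(
    rb"^\s*<(!doctype html|html|head|body|script|title|table|div|p|a)[\s>/]",
    re.IGNORECASE,
)
# Magic-number signatures for the content kinds the text mentions (executable, media).
MAGIC = [
    (b"MZ", "application/x-msdownload"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
]
# Rendering privilege: the higher the rank, the more a wrong guess lets the content do.
RANK = {"text/plain": 0, "image/*": 1, "text/html": 2, "*": 3}
# Illustrative cache extension per declared type (assumed mapping).
EXT_BY_TYPE = {"text/plain": ".txt", "text/html": ".htm",
               "image/png": ".png", "image/jpeg": ".jpg", "image/gif": ".gif"}


def clean_type(declared):
    """Drop parameters such as '; charset=utf-8' and normalise case."""
    return declared.split(";")[0].strip().lower()


def sniff(data):
    """Return the MIME type the content suggests, or None if nothing is recognised."""
    head = data[:512]
    if head.startswith(b"\xef\xbb\xbf"):          # skip a UTF-8 byte-order mark
        head = head[3:]
    for magic, mime in MAGIC:
        if head.startswith(magic):
            return mime
    if HTML_START.match(head):
        return "text/html"
    return None


def rank(mime):
    """Map a MIME type onto the privilege ladder."""
    if mime in ("text/plain", "text/html"):
        return RANK[mime]
    if mime.startswith("image/"):
        return RANK["image/*"]
    return RANK["*"]                              # anything else goes to the download prompt


def action_for(mime):
    """Browser action chosen strictly from the declared type."""
    return ("render-text", "render-image", "render-html", "download-prompt")[rank(mime)]


def cache_name(url, declared):
    """Name for the cached copy: extension follows the declared type, as SP2 does."""
    name = posixpath.basename(urlsplit(url).path) or "index"
    ext = EXT_BY_TYPE.get(declared)
    if ext is None:
        return name                               # keep the server's file name for other types
    stem = name.rsplit(".", 1)[0] if "." in name else name
    return stem + ext


def decide(url, declared_content_type, body):
    """Apply the policy: act on the declared type, flag mismatch, and report a blocked elevation."""
    declared = clean_type(declared_content_type)
    sniffed = sniff(body)
    return {
        "declared": declared,
        "sniffed": sniffed,
        "action": action_for(declared),
        "consistent": sniffed is None or sniffed == declared,
        "elevation_blocked": sniffed is not None and rank(sniffed) > rank(declared),
        "cache_name": cache_name(url, declared),
    }


if __name__ == "__main__":
    # Constructed sample: a misconfigured server sends an HTML page as text/plain.
    page = b"<!DOCTYPE html><html><body>Hello</body></html>"
    print(decide("http://www.example.com/page.html", "text/plain; charset=utf-8", page))
```

The interesting field is `elevation_blocked`: it is the case the text singles out (HTML served as text/plain), and the cache name `page.txt` rather than `page.html` is what keeps the Shell from opening the same bytes as HTML later.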
Better security management. The overall security management for Internet Explorer has been improved with the addition of the following features:
Add-on management and crash detection
Add-on installation prompt
Download prompt
Pop-up manager
Internet Explorer Window restrictions
These features allow users and administrators to more easily obtain information about their security settings. Users and administrators can also easily retrieve the status of their browser add-ons and configure these add-ons. The clarity of the information provided by the download and add-on installation prompts has been improved to help users make more informed security decisions about the required actions.
Local Machine zone restrictions. Internet Explorer treats pages differently depending on the locations from which they are opened. Pages that are opened from the Internet have restrictions applied that might prevent them from performing certain operations. Pages that are opened from the local machine are in the Local Machine zone and have fewer restrictions. The Local Machine zone is an Internet Explorer security zone, but it is not displayed in the settings for Internet Explorer.
Feature Control Security Zone settings. In an effort to improve the management of some security settings, SP2 has been built with Feature Control Security Zone settings. The zone settings provide users and administrators with more specific control for:
MIME sniffing
Security elevation
Window restrictions
Group Policy settings. With the addition of the Feature Control Security Zone settings, SP2 has added new security policies that allow administrators to manage the new feature control settings by using Group Policy objects (GPOs). This change allows Group Policy administrators to uniformly configure the new Internet Explorer Feature Control settings for the computers and users that they manage.
Microsoft Outlook Security
If your organization uses Microsoft Outlook 98, Outlook 2000, Outlook 2002, or Office Outlook 2003 with a server that has server-side security, such as Microsoft Exchange Server, you can customize the security features to meet your organization’s needs.
You can use the Outlook Administrator Pack to control the types of attached files blocked by Outlook, modify the Outlook Object Model warning notifications, and specify user- or group-security levels. For example, you can modify the security settings for viewing various types of attachments, such as executable files and application data files, and apply those settings to specific groups of users of an Exchange server.
You can use the Outlook administrative template to configure security options for client computers by using Group Policy or local Group Policy. You can configure various settings in this template to customize Outlook security for your environment. For example, you can import the Microsoft Office Outlook 2003 (Outlk11.adm) administrative template into a GPO and use it to set the Outlook security level for macros to Low, Medium, or High for all clients affected by the GPO.
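Attachment blocking is only as good as the file-name normalisation behind it. The Python below is an added illustration, not the guide's content and not Outlook's own code, of the checks a defender-side attachment filter needs before comparing an extension against a blocked list: stripping any path, folding case, removing trailing dots and spaces (which Windows silently discards when saving), and looking at the last real extension so that a double extension such as `invoice.pdf.exe` is still caught. The `LEVEL1` and `LEVEL2` sets are constructed samples of well-known types, not Outlook's actual lists (its blocked list is longer, and its save-to-disk-only list is empty by default).

```python
"""Attachment-type check in the style of Outlook's blocked / save-only attachment groups."""

# Constructed sample lists (not Outlook's real configuration).
LEVEL1 = {"exe", "com", "bat", "cmd", "vbs", "js", "scr", "pif", "hta", "msi", "reg"}  # blocked
LEVEL2 = {"zip"}                                  # must be saved to disk before opening


def normalize_name(name):
    """Reduce a path to a bare file name and drop trailing dots/spaces that Windows discards."""
    base = name.replace("/", "\\").rsplit("\\", 1)[-1]
    return base.rstrip(". ")


def extensions(name):
    """All extensions in order, lower-cased: 'invoice.pdf.exe' -> ['pdf', 'exe']."""
    parts = normalize_name(name).split(".")
    return [p.strip().lower() for p in parts[1:] if p.strip()]


def classify_attachment(name, level1=LEVEL1, level2=LEVEL2):
    """Return 'block', 'save-only' or 'allow' based on the last real extension."""
    exts = extensions(name)
    if not exts:
        return "allow"                            # no extension at all
    if exts[-1] in level1:
        return "block"
    if exts[-1] in level2:
        return "save-only"
    return "allow"


def looks_disguised(name, level1=LEVEL1):
    """True when a blocked type sits behind an innocuous-looking earlier extension."""
    exts = extensions(name)
    return len(exts) > 1 and exts[-1] in level1


if __name__ == "__main__":
    # Constructed sample attachment names.
    for n in ("report.docx", "invoice.pdf.exe", "C:\\temp\\Setup.EXE", "photo.jpg. ",
              "archive.zip", "quarterly.pdf                .exe", "README"):
        print(repr(n), "->", classify_attachment(n), "disguised" if looks_disguised(n) else "")
```

Using the last extension rather than the first is the whole point: a filter that stops at `.pdf` would let `invoice.pdf.exe` through, and one that does not strip trailing dots would let `tool.exe.` through even though Windows saves it as `tool.exe`.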
Outlook 2003 includes several security enhancements, including:
Warns the user before opening potentially dangerous file types.
Runs executable content in the Restricted Sites zone.
Uses antispam controls to reduce unsolicited e-mail.
Does not automatically load HTML content.
Prevents other applications from accessing address books.
Provides application programming interfaces (APIs) to prevent software from running.
More Information
The Outlook Administrator Pack is included in the Office 2003 Editions Resource Kit. You can download this resource kit from the Microsoft Office Online Web site.
Best Practices for Securing Applications
Consider the following best practices for securing applications on client computers on your organization’s network:
Educate users about how to download files from the Internet safely and how to open e-mail attachments safely. Ensure that users configure zones correctly in Outlook so that scripts and active content in HTML e-mail messages from the Internet zone will not be run. Users should not open e-mail attachments that they were not expecting, even from other users whom they trust.
Only install applications that are required for users to do their jobs. Each application that is installed can introduce additional security issues. To limit the number of security issues on client computers, install only applications that users must use to perform the tasks required by their jobs.
Implement a policy for updating applications. Keeping applications current with security updates is just as critical as keeping the operating system current. You can update Microsoft Office applications at the Microsoft Office Online Web site. You can also use Windows Server Update Services to update Microsoft Office applications.