CSC250: Introduction to Computer Security

Security and Privacy on the Internet


Web Browser Settings - Q182569

A lot of information can be found out about you as you navigate the web. In this day and age of heavy scripting and active content, visiting a malicious web page can be enough to have your machine broken into or personal information revealed, and information about your browsing habits can be gleaned along the way. Patching your browser helps prevent well-known browser exploits, but patching alone cannot protect you from malicious sites.

Internet Explorer has an extensive security control panel. These settings are stored in the registry. The browser divides the web into four distinct zones, and you can add sites to these zones as you see fit. For instance, if you must allow cookies to be set from a certain site, you could add it to the list of Trusted Sites while not allowing cookies from the Internet zone.

The four zones are:

  1. Internet
  2. Local Intranet
  3. Trusted Sites
  4. Restricted Sites
You are also provided with four standard security levels, which can be changed by the user. What would happen if a user went in and changed the High security settings to allow just about anything?

The four default security levels are:
  • High
  • Medium
  • Medium Low
  • Low
For each option you select one of three radio buttons:
  • Disable - disables the feature
  • Enable - enables the feature
  • Prompt - prompts the user with a little warning message and a request for action

Options in the security control panel include:

  • ActiveX Controls and Plugins
    See this page for a discussion of the security of Java and ActiveX. Here is an explanation and demonstration of what an ActiveX control can do to your computer. Are you brave enough to run exploder?
    • Download Signed ActiveX Controls
    • Download Unsigned ActiveX Controls
    • Initialize and script ActiveX Controls not marked as safe
    • Run ActiveX controls and plugins
    • Script ActiveX controls marked as safe
  • Downloads
    • File Download
    • Font Download
  • Microsoft VM
    • Java Permissions (there are 5 levels of protection here)
  • Miscellaneous
    • Access Data Sources across domains
      An explanation of cross-site scripting from CERT. Another explanation of cross-site scripting from cgisecurity. The best basic explanation of cross-site scripting from CERT.
    • Allow META Refresh
    • Display Mixed content
    • Don't prompt for certificate when no certificate exists ...
    • Drag and Drop or copy and paste files
    • Installation of desktop items
    • Launching programs and files in an IFRAME (external object frame)
    • Navigate sub frames across different domains
    • Software Channel permissions
    • Submit nonencrypted form data
    • Userdata persistence
  • Scripting
    • Active Scripting
    • Allow paste operations via script
    • Scripting of Java applets
  • User Authentication (there are four radio buttons here)
    • Logon
      • Anonymous
      • Automatic Login only in intranet zone
      • Automatic Login with current username and password
      • Prompt for username and password
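The settings listed above live under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<zone number>, one subkey per zone (0 = My Computer, 1 = Local Intranet, 2 = Trusted Sites, 3 = Internet, 4 = Restricted Sites), with one DWORD per option (1200 = Run ActiveX controls and plugins, 1400 = Active Scripting, and so on, as documented in KB182569) whose value is 0 for Enable, 1 for Prompt and 3 for Disable. That layout makes the question asked earlier on this page, what happens when someone loosens the High settings, something you can check for rather than guess at. The script below is an added example written for these notes, not code from the original page or from Microsoft: it parses a `.reg` export of the Zones key and reports options in the Internet and Restricted Sites zones that are set looser than a baseline. The baseline in `POLICY` and the export in `SAMPLE_EXPORT` are constructed for the example; the value names and the 0/1/3 encoding are the documented ones.

```python
"""Audit an exported set of Internet Explorer zone settings.

Added example for the CSC250 notes, not part of the original page. It reads
the text of a .reg export of the Internet Settings Zones key and flags
options in the Internet and Restricted Sites zones that are more permissive
than a baseline. Value names and the Enable/Prompt/Disable encoding follow
KB182569; the baseline and the sample export are constructed for illustration.
"""
import re

ZONES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}

# A subset of the per-zone option values documented in KB182569.
ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plugins",
    "1201": "Initialize and script ActiveX controls not marked as safe",
    "1400": "Active scripting",
    "1406": "Access data sources across domains",
    "1601": "Submit nonencrypted form data",
    "1803": "File download",
}
SETTING = {0: "Enable", 1: "Prompt", 3: "Disable"}
LEVEL = {0x10000: "Low", 0x10500: "Medium Low", 0x11000: "Medium", 0x12000: "High"}

# Constructed baseline: the minimum acceptable setting per option. Since
# Enable (0) < Prompt (1) < Disable (3), a stored value below the minimum is
# looser than the baseline. The Restricted Sites zone is expected to disable
# every listed option, as the High level does.
POLICY = {
    3: {"1004": 3, "1201": 3, "1001": 1, "1406": 1},
    4: {action: 3 for action in ACTIONS},
}

KEY_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\Zones\\(\d+)\]$", re.I)
VAL_RE = re.compile(r'^"(\w+)"=dword:([0-9a-f]{8})$', re.I)

# Constructed .reg export: the Internet zone is at its Medium defaults, while
# the Restricted Sites zone has had ActiveX and scripting switched to Enable.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"CurrentLevel"=dword:00011000
"1001"=dword:00000001
"1004"=dword:00000003
"1200"=dword:00000000
"1201"=dword:00000003
"1400"=dword:00000000
"1406"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"DisplayName"="Restricted sites"
"CurrentLevel"=dword:00000000
"1001"=dword:00000003
"1004"=dword:00000000
"1200"=dword:00000000
"1201"=dword:00000003
"1400"=dword:00000000
"1406"=dword:00000003
"1601"=dword:00000003
"1803"=dword:00000003
"""


def parse_zones(reg_text):
    """Return {zone_id: {value_name: int}} from the text of a .reg export."""
    zones, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = int(key.group(1))
            zones[current] = {}
            continue
        val = VAL_RE.match(line)
        if val and current is not None:
            zones[current][val.group(1)] = int(val.group(2), 16)
    return zones


def zone_level(zones, zone_id):
    """Name the zone's CurrentLevel; anything unrecognised is reported as Custom."""
    return LEVEL.get(zones.get(zone_id, {}).get("CurrentLevel"), "Custom")


def audit(zones):
    """List (zone, option, actual, minimum) for every option looser than POLICY."""
    findings = []
    for zone_id, minimums in POLICY.items():
        settings = zones.get(zone_id, {})
        for action, minimum in minimums.items():
            value = settings.get(action)
            if value is not None and value < minimum:
                findings.append((ZONES[zone_id], ACTIONS[action],
                                 SETTING.get(value, str(value)), SETTING[minimum]))
    return findings


if __name__ == "__main__":
    zones = parse_zones(SAMPLE_EXPORT)
    for zid in (3, 4):
        print(f"{ZONES[zid]}: level {zone_level(zones, zid)}")
    for zone, action, actual, wanted in audit(zones):
        print(f"  [{zone}] {action}: {actual} (expected at least {wanted})")
```

On a real machine you would feed the script the output of `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones" zones.reg` (decoded from the UTF-16 the tool writes) instead of the constructed sample. With the sample, the Internet zone reads as Medium with nothing flagged, while the Restricted Sites zone no longer matches any named level and three options (unsigned ActiveX download, running ActiveX, active scripting) are reported as Enable where the baseline wants Disable, which is exactly the "High changed to allow just about anything" situation the notes warn about.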

The Privacy tab

The Privacy tab in IE has different settings to accept or reject cookies. The privacy settings only apply to the Internet zone.

The Advanced tab

The Advanced tab also contains several security settings.

Using Digital Certificates in IE

Microsoft has apparently known that a flaw in XP will allow an attacker to wipe your HD, but hid the fact for several months. If I were you I would make sure to get SP1 on all XP machines under your control as soon as you get your coffee in the morning.