WindowSecurity.com Newsletter of February 2011 Sponsored by: Alt-N Technologies
Welcome to the WindowsSecurity.com newsletter by George Chetcuti, BSc in Computing & IS (Honors), CISA, MCP, HP Certified. Each month we will bring you interesting and helpful information on the world of Security. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: firstname.lastname@example.org
1. Enhancing Internet Explorer security on Windows servers
I hope you have enjoyed the first WindowSecurity.com newsletter and found the information useful and interesting at the same time, and of course, let me know if there is a topic you would like to see addressed in future newsletters. In this month's newsletter I am going to review some of Internet Explorer's default settings and their intended purposes. The areas discussed apply to all Windows Servers 2003 and later editions!
As a best security practice, systems administrators should never use the server console to browse Internet websites. There may be instances when an administrator needs to browse for support topics using the server's IE while troubleshooting a server problem or downloading the latest device drivers, but getting the latest football results or the latest MSN news is simply a bad habit, and a security risk indeed. The administrator should accustom himself/herself to browsing the web from a limited user account on a client workstation so as to reduce the possibility of attacks by malicious websites. In a scenario in which an administrator is locked in a server room and needs to use Web-based applications that require advanced functionality such as scripts or file downloads, it is a better practice to specifically enable functionality for that specific website and block the rest, rather than attempt to block functionality on an indefinite number of potentially malicious sites.
URL Security Zones Settings
All websites accessed by IE on Windows Servers, whether they are on a local network or on the Internet, are placed in the Internet security zone whereas without IE's enhanced security, these are placed in different zones. The default behavior of IE without enhanced security is as follows:
These zones must comply with a set of rules defined by templates; for example, websites in the Restricted sites zone cannot execute ActiveX controls by default.
The server-based IE security zone settings create a secure environment where all websites are placed in the Internet zone. That is, automatic detection of intranet sites is not needed and is disabled, while ActiveX controls, scripts and downloads cannot run, so as to reduce the attack surface. As an administrator, if you need access to this functionality then you need to add the specific site to the Trusted sites or Local intranet zone to increase its privileges. However, you must be aware that such inclusion can compromise the security of the server. Sites in the Local intranet zone are allowed to request NTLM (NT LAN Manager authentication protocol) credentials from your servers, which can disclose sensitive data if the request is malicious.
IE Advanced Settings
The following browser features can be modified from the Advanced tab of the Internet Options dialog box but as a security best practice they should remain disabled! These are Enable third-party browser extensions, Enable Install On Demand (Internet Explorer) and Enable Install On Demand (Other). The Java JIT compiler for VM and web based animations and videos are disabled by default. Conversely, the Check for server certificate revocation, the Check for signatures on downloaded programs, the Do not save encrypted pages to disk and the Empty Temporary Internet Files folder when browser is closed are all enabled by default.
IE's Home page on Windows servers
The home page is set to a local HTML file res://iesetup.dll/HardAdmin.htm that explains in detail the security settings of the Internet Explorer enhanced security configuration. I suggest that you follow the links on this web page! The default message should read - Internet Explorer Enhanced Security Configuration is enabled.
The security settings listed above will, as most of you already know, prevent websites from displaying correctly and render your web experience a nightmare. Although you can add a web page to the Trusted sites zone in order to obtain higher privileges, there will be the temptation to add every web site that you come across! Make sure that only known reliable websites are added to the Intranet zone to prevent the risk of data disclosure and loss of services, and make sure that any sites added during maintenance operations are removed when the work is completed, as even reliable sites are prone to attacks!
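To make that clean-up check routine, here is an added PowerShell script (not part of the newsletter) that lists every site an administrator has placed in the Local intranet or Trusted sites zone. It assumes the registry layout IE uses for zone mappings: one subkey per domain (with optional subkeys per host label) under ZoneMap\Domains, or ZoneMap\EscDomains when Enhanced Security Configuration is on, holding a DWORD per scheme whose value is the zone number.

```powershell
# Added example: report sites mapped into the Local intranet (1) and Trusted sites (2) zones
# so that entries added during maintenance can be reviewed and removed afterwards.
# Registry layout is an assumption about IE's ZoneMap storage, documented in the comments.
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-ZoneMapEntries {
    param([string]$Root)   # e.g. HKCU:\Software\...\ZoneMap\EscDomains
    if (-not (Test-Path $Root)) { return }
    $rootName = (Get-Item $Root).Name
    foreach ($key in Get-ChildItem -Path $Root -Recurse) {
        # Key path 'contoso.com\www' describes host 'www.contoso.com': reverse the labels.
        $rel = $key.Name.Substring($rootName.Length).TrimStart('\')
        $labels = $rel -split '\\'
        [array]::Reverse($labels)
        $hostName = $labels -join '.'
        # Each value is named after a scheme (http, https, ftp or *) and holds the zone number.
        foreach ($scheme in $key.GetValueNames()) {
            $zone = [int]$key.GetValue($scheme)
            if (@(1, 2) -contains $zone) {
                New-Object PSObject -Property @{
                    Hive = $Root.Substring(0, 4)
                    Map  = Split-Path $Root -Leaf      # Domains or EscDomains
                    Site = "${scheme}://$hostName"
                    Zone = $zoneNames[$zone]
                }
            }
        }
    }
}

# Check both the per-user and machine-wide maps, with and without Enhanced Security Configuration.
$roots = foreach ($hive in 'HKCU', 'HKLM') {
    foreach ($map in 'Domains', 'EscDomains') {
        "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\$map"
    }
}

$entries = $roots | ForEach-Object { Get-ZoneMapEntries -Root $_ }
if ($entries) {
    $entries | Sort-Object Zone, Site | Format-Table Hive, Map, Zone, Site -AutoSize
} else {
    Write-Host 'No sites are mapped into the Local intranet or Trusted sites zones.'
}
```

Run it under the same account (and, for the HKLM maps, from an elevated prompt) that did the maintenance, then remove anything that is no longer needed from Internet Options, Security.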
Should you have any ideas for content in future editions of the WindowSecurity.com newsletter or would like to ask questions, you're more than welcome to e-mail me at email@example.com.
See you next month! - George
2. WindowSecurity.com Articles of Interest
3. Tip of the Month
Takeown - A security command-line tool for Windows Servers and clients.
Takeown allows an administrator to recover access to a file or a complete folder that they were previously denied access to. By making the administrator the owner of the file or folder, access permissions can then be modified according to the administrator's or IT requirements. For a full explanation of the takeown command and its parameters, from a command prompt type: takeown /?
Bear in mind that taking ownership of a file in Windows does not give you access rights; therefore, you need to set file permissions afterwards in order to be able to view the data. The main advantage of the takeown command is that it can be used in scripts to set ownership over a large number of files and folders!
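As an added example (not from the newsletter), the following PowerShell script puts both steps together for a whole folder tree: take ownership with takeown, then grant permissions with icacls, since ownership alone grants no read or write access. The target path is a constructed sample; the script needs an elevated prompt because taking ownership relies on the administrator's take-ownership privilege.

```powershell
# Added example: recover access to a folder tree an administrator has been locked out of.
# $Target is a constructed sample path; adjust it before running. Run from an elevated prompt.
param([string]$Target = 'D:\Projects\Orphaned')

if (-not (Test-Path -LiteralPath $Target)) { throw "Path not found: $Target" }

# Record the current owner for the change log before touching anything.
$before = (Get-Acl -LiteralPath $Target).Owner
Write-Host "Current owner of ${Target}: $before"

# Step 1 - take ownership.
#   /F path  file or directory       /R  recurse into subfolders and files
#   /A       give ownership to the Administrators group rather than the current user
#   /D Y     default answer for folders the caller cannot even list during recursion
& takeown.exe /F $Target /R /A /D Y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "takeown failed with exit code $LASTEXITCODE" }

# Step 2 - ownership only lets us edit the DACL; grant Administrators full control,
# inherited by subfolders (CI) and files (OI).
#   /T recurse   /C continue past individual errors   /Q suppress success messages
& icacls.exe $Target /grant 'Administrators:(OI)(CI)F' /T /C /Q
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

$after = (Get-Acl -LiteralPath $Target).Owner
Write-Host "Owner is now: $after"

# Confirm the data is readable again by enumerating the tree.
$count = (Get-ChildItem -LiteralPath $Target -Recurse -Force | Measure-Object).Count
Write-Host "Files and folders now accessible: $count"
```

Review the resulting ACL with icacls afterwards and tighten it to the permissions the job actually requires, rather than leaving full control in place.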
4. Latest Security Exploits and Concerns
5. Let's get some feedback from the audience!
Would you install and use Mozilla Firefox or Google Chrome on your Windows servers? Share your opinion by sending an e-mail to firstname.lastname@example.org