Windows XP Cookbook (Cookbooks)

Problem

You want to select more secure Internet Explorer security settings for ActiveX and Active Scripting.

Solution

Using a graphical user interface

  1. In Internet Explorer, choose Tools → Internet Options, and click the Security tab. Click Internet, and then click Custom Level. The Security Settings screen shown in Figure 13-5 appears.

    Figure 13-5. Controlling Internet Explorer security settings

  2. Scroll to Download signed ActiveX Controls. A signed ActiveX control is one that has been guaranteed as having been created by a specific company. Because the company that created them is willing to be identified, signed controls are considered more secure than unsigned controls, but there's still no absolute guarantee that they're safe. Choose Disable if you want to completely stop ActiveX controls or choose Prompt if you want to receive a message before you download and run a signed ActiveX control. The message would let you download and run controls on a case-by-case basis. If you choose this setting, you might choose to run a control from a big, well-known company like Microsoft, but not run one from a smaller company that you never heard of.

  3. In the Download unsigned ActiveX Controls section, select Disable. Unsigned controls are a security risk, and you should never run them.

  4. In the Initialize and script ActiveX Controls not marked as safe section, choose Disable. This will make sure that Internet Explorer doesn't run any controls that aren't safe.

    Some sites, like Microsoft Update, are designed to use ActiveX controls. So if you disable the controls, some sites might not work properly.

  5. Scroll to the Java VM entry. This controls how Java applets are treated by Internet Explorer. Java applets are small programs downloaded to your computer from a web site, similar in some ways to ActiveX controls. Select High Safety. This will ensure that Java applets are isolated in what's called a sandbox so that they can't damage or attack your computer.

  6. Scroll to Miscellaneous and select Disable for Access to data sources across domains. This will help avoid certain scripting attacks.

  7. Click OK when you're done.

For security, you may want to disable Microsoft's Java Virtual Machine (JVM), and instead install Sun's JRE. For details, see http://java.sun.com/j2se/1.4.2/docs/guide/deployment/deployment-guide/upgrade-guide/.

Using Group Policy

  1. Run the Group Policy Editor by typing gpedit.msc at the command line and pressing Enter.

  2. Select User Configuration → Internet Explorer Maintenance → Security.

  3. Double-click Security Zones and Content Ratings.

  4. In the Security Zones and Privacy section, select Import the current security zones and privacy settings, and click Modify Settings. The Internet Properties dialog box appears. Click Custom Level. The Security Settings screen shown in Figure 13-5 appears.

  5. Follow the directions in steps 2 through 7 of the "Using a graphical user interface" solution, above.

  6. When you're done customizing the settings, you'll be returned to the Group Policy Editor. Click OK.
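To confirm that either procedure took effect, the following added example (not from the book) audits the Internet zone values as printed by `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"`. The value names (1001, 1004, 1201, 1406, 1C00) and data codes are Microsoft's documented zone-setting identifiers rather than anything stated in this recipe, and the sample output is constructed.

```python
import re

# Internet zone = zone 3: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
# Data codes for action settings, and for the Java permissions value (1C00).
ACTIONS = {0: "Enable", 1: "Prompt", 3: "Disable"}
JAVA = {0x0: "Disable Java", 0x10000: "High safety", 0x20000: "Medium safety",
        0x30000: "Low safety", 0x800000: "Custom"}
# Value name -> (label in the Security Settings dialog, data the recipe accepts)
RECIPE = {
    "1001": ("Download signed ActiveX controls", {1, 3}),   # Prompt or Disable
    "1004": ("Download unsigned ActiveX controls", {3}),    # Disable
    "1201": ("Initialize and script ActiveX controls not marked as safe", {3}),
    "1C00": ("Java permissions", {0x10000}),                # High safety
    "1406": ("Access data sources across domains", {3}),    # Disable
}
VALUE_LINE = re.compile(r"^\s*([0-9A-Fa-f]{4})\s+REG_DWORD\s+0x([0-9A-Fa-f]+)\s*$")

def parse_reg_query(text):
    """Return {value name: int} for each four-hex-digit REG_DWORD line."""
    found = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            found[m.group(1).upper()] = int(m.group(2), 16)
    return found

def audit(text):
    """Return (value name, setting, current state) for each setting off-recipe."""
    current = parse_reg_query(text)
    findings = []
    for name, (label, accepted) in RECIPE.items():
        value = current.get(name)
        if value not in accepted:
            names = JAVA if name == "1C00" else ACTIONS
            state = "not set" if value is None else names.get(value, hex(value))
            findings.append((name, label, state))
    return findings

# Constructed sample output, not captured from a real machine.
SAMPLE = """\
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3
    1001    REG_DWORD    0x1
    1004    REG_DWORD    0x0
    1201    REG_DWORD    0x3
    1406    REG_DWORD    0x1
    1C00    REG_DWORD    0x20000
"""

if __name__ == "__main__":
    for name, label, state in audit(SAMPLE):
        print(f"{name}  {label}: {state}")
```

An empty result means all five settings match the recipe; a value reported as "not set" is missing from the output that was audited.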

Discussion

ActiveX controls and scripting are two of the most glaring security holes in Internet Explorer, and are frequently exploited by malware authors to install spyware, home-page hijackers, and other dangerous software on your PC.

These security holes are a particular problem because Internet Explorer is tied directly into XP. That means that the malware won't just affect Internet Explorer; it can target the entire operating system. That's why it's particularly important to change your Internet Explorer security settings, as outlined in this recipe.

If you have ActiveX settings that prompt you before downloading and installing an ActiveX control, whenever you come across a web site that tries to download a control, you'll get a message asking if you want to install the control. Click Install if you want to install it, and Don't Install if you choose not to.

This message can get annoying, especially if you commonly download ActiveX controls from safe, well-known sites such as Microsoft or Symantec. You might be tempted to change your Internet Explorer settings to automatically download signed ActiveX controls. That's dangerous, and there's a better way to handle the problem. The next time you download an ActiveX control from a site, click More Options. If it's a site you trust, click Always install software, then click Install. From now on, ActiveX controls from that company will automatically install, and you won't be bothered again by a message. Similarly, if it's a site you don't trust, click Never install and then click Don't Install. From then on, the warning won't pop up when you visit, and the ActiveX control won't be installed.

Another solution is to use an alternative browser, such as the free open-source browser Firefox (http://www.mozilla.org/products/firefox). Firefox doesn't have the same security holes as Internet Explorer. Additionally, it's not directly tied to the operating system, so that if Firefox is attacked, the entire operating system isn't imperiled.

If you use Firefox, though, some web sites may not work properly, because they require ActiveX controls.

See Also

You can get a free online checkup that examines Internet Explorer or another browser for security holes. Go to the Qualys Browser Checkup (http://browsercheck.qualys.com).
