Internet Explorer (hardening)
The purpose of this page is to show how to harden the Internet Explorer web browsing client from Microsoft. There's no voodoo required, just simple configuration.
Before we look at Internet Explorer, please ensure you have the latest version and your system is up to date with service releases and patches. Run Windows Update now if you're not sure.
Now, fire up Internet Explorer and open the Internet Options dialogue, which you will find under the Tools menu.
Select the Security tab, make sure the Internet Zone is highlighted and select Custom Level.
This displays the Security Options dialogue box. Scroll down to the section labelled Scripting.
Make sure all sections are set to Disable.
Select OK to get back to the Internet Options dialogue box.
We have now prevented any site from running client side script in our browser, but that isn't quite what we want. There are some sites that we actually want to allow to run scripts.
Now highlight the Trusted Zone and select Sites. In this box we add the URLs (it takes wildcards) of any sites that we want to allow scripting. I can't tell you which those are for you, but let me suggest a few.
These will (should) let the Microsoft Update programs do their stuff - you can tighten up this list if you want, but I'll leave that as an exercise for the reader.
- http://*.microsoft.com
- https://*.microsoft.com
Other suitable candidates may include your online banking facility and any site you absolutely trust not to mess with your computer. You will find that some sites no longer work as expected. When that happens you have a choice: either add those sites to your trusted list, or find another site containing the information - not all webmasters are clueless imbeciles - or, finally, use another browser.
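The scripting and Trusted Zone steps above can also be checked from the registry. The following PowerShell is an added example, not part of the original page: it reports three of the Internet Zone Scripting entries and lists the sites currently mapped to the Trusted Zone so the list can be reviewed. It assumes per-user settings under HKCU that are not overridden by Group Policy; the `-Apply` switch is a name chosen for this example.

```powershell
# Added example (not from the original page). Assumes per-user zone settings
# under HKCU that are not overridden by Group Policy. -Apply is this script's own switch.
param([switch]$Apply)

$base     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$internet = Join-Path $base 'Zones\3'          # zone 3 = Internet
$zoneMap  = Join-Path $base 'ZoneMap\Domains'  # per-site zone assignments

# URL action IDs for three entries in the Scripting section of Custom Level.
$scripting = [ordered]@{
    '1400' = 'Active scripting'
    '1402' = 'Scripting of Java applets'
    '1407' = 'Allow programmatic clipboard access'
}
$state = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

$report = foreach ($id in $scripting.Keys) {
    $current = (Get-ItemProperty -Path $internet -Name $id -ErrorAction SilentlyContinue).$id
    if ($Apply -and $current -ne 3) {
        # 3 = Disable, matching the setting chosen in the dialogue box
        Set-ItemProperty -Path $internet -Name $id -Value 3 -Type DWord
        $current = 3
    }
    $label = if ($null -eq $current) { 'not set' } else { $state[[int]$current] }
    [pscustomobject]@{ Id = $id; Action = $scripting[$id]; Setting = $label; Hardened = ($current -eq 3) }
}
$report | Format-Table -AutoSize

# Sites assigned to the Trusted Zone (value 2), listed for review.
$trusted = if (Test-Path $zoneMap) {
    Get-ChildItem -Path $zoneMap -Recurse | ForEach-Object {
        $key = $_
        foreach ($proto in $key.GetValueNames()) {
            if ($key.GetValue($proto) -eq 2) {
                [pscustomobject]@{ Site = ($key.Name -replace '^.*\\Domains\\', ''); Protocol = $proto }
            }
        }
    }
}
$trusted | Format-Table -AutoSize
```

Run without `-Apply` it only reads; any row with `Hardened` set to `False` is a scripting action that is still enabled, set to prompt, or not set for the Internet Zone.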
The following is not strictly related to security but does address some of the privacy issues related to web surfing. From the Internet Options dialogue select the Privacy tab and then select Advanced.
Set First Party Cookies to accept and Third Party Cookies to block. Select OK and we're done.
One final word on privacy, more of an annoyance really - if you find yourself irritated by the sheer presence of thousands of adverts on your favourite news sites you can add records to your hosts file which effectively block all requests to the ad-server. However, this will affect all programs running on your computer and is therefore out of scope for this document.
Please remember this one thing: there is no software in the world that can stop you launching trojan/worm/virus programs if you're determined to. If it looks dodgy - no, if it doesn't look right - then don't run it, whatever it is, no matter where it came from.