Problem solve Get help with specific problems with your technologies, process and projects.

Browser security, part 1: Spinning a spider's web

Browser security, part 1: Spinning a spider's web

Is your Internet browser spun on the woven path of a hacker's warped Web? Will your company's dominant theme in 2003 be browser security or compromised privacy? We begin our two-part series on protecting your Web browser. In this mini-series, we will focus on Internet Explorer (IE) 6.0 security.

Microsoft On Demand?
By default, Microsoft enables "Install On Demand" to allow your Internet Explorer browser version 6.0 to download and install plugins/components automatically using IE Active Set up. Although your browser will prompt you before proceeding with download/install of object(s), it is possible for hackers to use IE set up against you and launch an attack or carry out a particular task in your browser. Not to mention, you have not verified the integrity of the installable component and are relying on Microsoft (or other vendors in the case of IE version 5.x).

Instead of relying on your browser to prompt your users for downloads, installs, and/or updates, consider disabling these features and implementing a company policy that only propagates these components once your security administrator has completed the following three steps:

  1. Manually downloaded each component from the vendor's official Web site.
  2. Verified the official release of component and original file size with vendor.
  3. Tested off-line and certified component is safe to distribute to your users.

Start securing your user's browser today by clicking on the Restore Defaults button located in the ToolsInternet OptionsAdvanced tab to reset advanced settings. Then, go to the Browsing section and clear the following features:

  • Enable Install On Demand (Internet Explorer)
  • Enable Install On Demand (Other)
  • Automatically check for Internet Explorer updates
  • Reuse Windows for launching shortcuts
  • Close unused folders in History and Favorites
  • Enable folder view for FTP sites
  • Enable offline items to be synchronized on a schedule
  • Enable third-party browser extension
  • Show friendly HTTP error messages
  • Use passive FTP (for firewall or DSL modem capability)

    Default On Demand?
    Before we continue, let's take care of some basic security steps:
    In the General tab, click on the Settings button and then Move Folder button to specify a unique path to store your Temporary Internet Files folder. Next, change "Check for newer versions of stored pages" from Automatically to "Every visit to the page." Consider resetting the amount of disk space to use to 1M byte.

    You will be prompted to log off in order for Windows to finish moving files to new location. Make sure that you save your work environment and then select Yes; otherwise, your settings will revert back to default values. Log in and verify (in Settings) the path for Temporary Internet Files folder is the one you specified. Click on View Objects folder and remove any unused objects. Take note of the date and file size for each object and check periodically for any discrepancies.

    In the General tab, click on Delete Cookies then Delete Files (select offline content) to clear all of the cookies and temporary files stored in your Temporary Internet Files folder. Next, clear the History folder and set "Days to keep pages in history" to zero.

    Make sure that you take the time to set the appropriate permissions and enable auditing on Temporary Internet Files folder. At a minimum, enable successful and failed auditing of the following activities:

  • List Folder / Read Data
  • Read Attributes & Read Extended
  • Create Files / Write Data
  • Create Folders / Append Data
  • Write Attributes / Write Extended
  • Delete Subfolders / Delete
  • Change Permissions

    Privacy On Demand?
    Consider changing the default setting of Medium for Privacy to High and then managing the Web sites that your browser will accept or block cookies from. Set the privacy level to Block All Cookies and decide if you want to override cookie handling to restrict Web sites from inserting or reading a cookie on your computer in the first place.

    It's been my experience that some of these basic steps have often been overlooked by experienced IT professionals. If you're serious about security, you must pay attention to security details and leave no room for hackers.

    In the absence of network security, exists an opportunity for intrusion.

    Please write to me or visit my Web site ( and let me know if this article has brought to light any potential weak links in your network.

    Luis Medina is the author of "The Weakest Link Series," which offers network managers an opportunity to identify ongoing network security issues. Luis also answers security questions in our Ask-the-Expert section. Submit a security question to Luis here or view his previously answered Ask-the-Expert questions.

  • This was last published in December 2002

    Dig Deeper on Network Security Best Practices and Products

    Start the conversation

    Send me notifications when other members comment.

    Please create a username to comment.