
  • ActiveX control and plug-ins....Fig 1 Default Level recommended settings
    ActiveX technologies are built using Microsoft's Component Object Model (COM) and have the ability to access everything on your computer: all folders, all files, everything. ActiveX controls and plug-ins can include many things, such as web forms, sound and graphics, and installation programs. Some of the names associated with ActiveX and benign in nature are Microsoft Windows Media Player, Macromedia Shockwave and RealNetworks RealPlayer. Unfortunately there are also forms of ActiveX that some refer to as trojanware, associated with names such as Comet Cursor, Xupiter, Gator/Gain, Bonzi....etc. ActiveX controls were designed so that you can choose whether or not to trust the person who developed the control. This is done through digital signatures.
    • Download signed ActiveX controls and plug-ins....Fig 1a Security Warning popup
      ActiveX controls and plug-ins can be signed by their developer, and that signature is checked against the developer's certificate. Digital certificates are electronic credentials that verify an individual's or an organization's identity on the Web. The identity of the digital certificate owner is bound to a pair of electronic keys that can be used to encrypt and sign digital information, assuring that the keys actually belong to the person or organization specified. A valid digital signature, though, does not necessarily mean that the software is without problems. It just means that the software originated from a traceable source that you may choose to trust, and that the software has not been tampered with since publication. Likewise, an invalid signature does not prove the software is bad or dangerous; it just alerts users to potential dangers and problems.
    • Download unsigned ActiveX controls and plug-ins....Fig 1b Security Warning popup
      This option determines whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone.
    • Initialize and script ActiveX controls not marked as safe
      Many ActiveX controls are initialized with persistent data, which is either local or remote, and most ActiveX controls are scriptable (they support a set of methods, events, and properties). Both initialization (with persistent data) and scripting require certain safeguards to ensure that security is not violated.
      An example of a control that poses a security risk at initialization time would be a data compression/decompression control. If the user pointed this control to a remote, compressed file that contained a Trojan-horse copy of a system file (such as Kernel.dll) and requested that the control decompress this file, system security could be breached.
      An example of a control that poses a security risk at scripting time would be a control that relies on certain system settings before a script can be safely executed. It would be up to the control developer to provide the necessary code that retrieves the system settings before allowing the script to execute.
    • Run ActiveX controls and plug-ins....Fig 1d Security Warning popup
      Determines whether a control or plug-in is allowed to run, assuming it has already been downloaded and is on the machine. An example would be if you had already downloaded Windows Media Player.
    • Script ActiveX controls marked safe for scripting....Fig 1e Security Warning popup
      Indicates that it is permissible to invoke the control from a script contained in a web page, using data and parameters provided by that page. In essence, a control marked "safe for scripting" is an assertion by the author that the control has implemented its own "sandbox" and cannot be used by an intruder to damage or compromise your system. Because you must rely on the author of the control to implement this "sandbox" correctly, controls marked as "safe for scripting" require an especially high degree of trust.
  • Downloads....Fig 2 Default Level recommended settings
    • File download....Fig 2a Security Warning popup
      While downloading files is an everyday occurrence....downloading files from the Internet can be dangerous. Trojan horses love to hide in games and other programs users frequently download from the Internet. Some versions of the popular Whackamole game are actually Trojan horses that install Netbus, which lets hackers take complete remote control of your computer. Letting users download files also makes it easy for malicious users to bring hacker tools into your network (like the password sniffer in L0phtcrack).
    • Font download....Fig 2b Security Warning popup
      This option determines whether Web pages within the zone can download HTML fonts.

  • Microsoft VM....Fig 3 Default Level recommended settings
    Microsoft VM (Virtual Machine) is the software in your browser that allows Java applets to be fully functional.
    • Java permissions
      Your browser displays what the HTML code says, but Java goes beyond display and actually executes what the Java code says to do. Java is a language that can execute commands to access your files, other computers, even your printer. Because of this, Java must be handled with care. For the novice, the recommended setting for your Internet Zone is "High Safety". This will allow Java to function without allowing access to files, printers, or other computers. Additionally, it won't allow any new windows outside of the IE window.


  • Miscellaneous Options....Fig 4 Default Level recommended settings
    • Access data sources across domains
      Controls whether a page may read data from a domain other than the one it was loaded from. Such cross-domain data access can open the door to various spoofing attacks.
    • Allow META REFRESH
      The META REFRESH setting (tag) enables the author of a Web page to redirect your browser to another Web page after a specified amount of time.
    • Display mixed content....Fig 4a Security Warning popup
      When you browse to a secure web site (HTTPS/SSL, Secure Sockets Layer), the information you provide, such as your name or credit-card number, is encrypted so that it can't be viewed by other people. However, that page may also contain items that do not use this secure protocol. This refers to miscellaneous images or navigation bars, which do not need to be encrypted. All personal information you send and receive should still be encrypted.
    • Don't prompt for client certificate selection when no certificates or only one certificate exists
      This option specifies whether users are prompted to select a certificate when no trusted certificate, or only one trusted certificate, has been installed on the computer.
    • Drag and drop or copy and paste files
      Controls whether users can drag-and-drop files or copy and paste files.
    • Installation of desktop items
      Controls whether or not users can download and install Active Desktop content.
    • Launching programs and files in an IFRAME
      Controls whether applications may be run and files may be downloaded from a floating frame (IFRAME).
    • Navigate sub-frames across different domains
      Prevents frame spoofing (e.g., inserting a malicious page within a frame in a legitimate web site). Introduced in version 5.
    • Software channel permissions
      Controls whether or not an email message is sent with notification of available software for download, and whether or not that software can be installed.
    • Submit nonencrypted form data
      Controls whether data in HTML forms may be submitted. Only affects non-SSL form data. Forms sent with SSL encryption are always allowed.
    • Userdata persistence
      Enables objects to persist data, such as page state, in user data, which is kept in an XML store.
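The "Display mixed content" and "Submit nonencrypted form data" items above describe two ways a page served over HTTPS can still move data in the clear. The following scanner is an added example (not code from the original FAQ) that shows what the browser's warning is actually reacting to: it parses a page's HTML, resolves every sub-resource and form target against the page URL, and reports those that would go over plain http://, separating harmless passive content (images) from active content (scripts, frames, stylesheets, plug-in objects) and from forms that would post fields unencrypted. The HTML and the example.test host names are constructed for the demonstration.

```python
"""Flag mixed content on an HTTPS page: sub-resources or form targets over http://.

Added example, not code from the original FAQ. The HTML below is constructed.
Passive content (images) fetched over http can only be swapped for another
image; active content (scripts, frames, stylesheets, plug-in objects) can
change what the page does; and a form posting to http sends its fields in
the clear, which is what the "Submit nonencrypted form data" setting guards.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# (tag, attribute) pairs that fetch a sub-resource, grouped by severity.
ACTIVE = {("script", "src"), ("iframe", "src"), ("frame", "src"),
          ("link", "href"), ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src")}
FORM = {("form", "action")}
SEVERITY = (("active", ACTIVE), ("passive", PASSIVE), ("form", FORM))


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url) in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for kind, table in SEVERITY:
            for t, a in table:
                if t == tag and attrs.get(a):
                    # Resolve relative and scheme-relative URLs against the page,
                    # so "//cdn/x.js" on an https page is (correctly) not flagged.
                    url = urljoin(self.page_url, attrs[a])
                    if urlparse(url).scheme == "http":
                        self.findings.append((kind, tag, url))


def scan(page_url, html):
    """Return mixed-content findings for an HTTPS page (none for a plain http page)."""
    if urlparse(page_url).scheme != "https":
        return []
    parser = MixedContentScanner(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


def worst_kind(findings):
    """Summarise the findings: 'form' > 'active' > 'passive' > None."""
    for kind in ("form", "active", "passive"):
        if any(k == kind for k, _, _ in findings):
            return kind
    return None


# Constructed page: two harmless relative/scheme-relative references and
# four plain-http ones of different severity.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="/js/app.js"></script>
<script src="http://cdn.example.test/track.js"></script>
</head><body>
<img src="http://images.example.test/logo.gif">
<img src="//images.example.test/banner.gif">
<form action="http://www.example.test/login" method="post">
<input name="password" type="password">
</form>
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url in scan("https://www.example.test/account", SAMPLE_HTML):
        print(f"{kind:7} <{tag}> {url}")
```

Run as a script it lists the stylesheet and tracking script as active mixed content, the logo as passive, and the login form as an unencrypted submission; the relative script and the scheme-relative banner resolve to https and are not reported.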


  • Scripting....Fig 5 Default Level recommended settings
    • Active scripting....Fig 5a Security Warning popup
      Current security vulnerabilities in Microsoft's Internet Explorer web browser lie in the feature called "active scripting". Active scripts are programs written in JavaScript, or sometimes Microsoft's VBScript and ActiveX. If you ever go to a URL that has an ".asp" extension, you are most likely running a script, or program, off of that server. Active scripting is one mechanism by which worms can enter your computing environment, infect your PC, and then use your PC to launch attacks elsewhere. There is also a risk that such attacks could release personal information such as cookies containing passwords, URLs, and credit card information.
    • Allow paste operations via script
      Since Internet Explorer ("IE") version 5.0, there has been a way to read and set the user's clipboard text using script. This can be handy for web-based applications but can be used in a malicious way to steal the clipboard contents. It is easily possible to monitor the contents of the clipboard and send it to a remote server-side script for processing. The remote script could then save the clipboard text in a database, or e-mail it to the evil overlord script creator. By itself this doesn't cause much harm, but users often copy sensitive information to the clipboard....e-mails, addresses, passwords, pictures....which could then fall into the wrong hands.
    • Scripting of Java applets
      A java applet downloaded from the web runs on your system in a secure environment called the sandbox. An applet running in the sandbox is not allowed to do anything that could violate the security of your system. In particular it can't read or write files.


  • User Authentication....Fig 6 Default Level recommended settings
    • Anonymous logon
      Disables HTTP authentication and uses guest access for CIFS (Common Internet File System).
    • Automatic logon only in Intranet zone
      Logs on automatically to all intranet sites and prompts for a username and password for sites in all other zones.
    • Automatic logon with current username and password
      Configures Internet Explorer to attempt to log on using Windows NT Challenge/Response (also known as NTLM authentication). If NTLM is supported by the server, the logon uses the user's network user name and password. If NTLM is not supported, the user is prompted for a username and password.
    • Prompt for user name and password
      Prompts once per session for username and password. Once successfully logged on, the credentials are silently used for the remainder of the session.
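The ActiveX, Scripting and User Authentication settings described above are all per-zone values that IE stores in the registry, so a defender can audit them from a .reg export rather than clicking through the dialog on every machine. The script below is an added example, not code from the original FAQ: it parses an exported Zones key, compares the Internet zone against a baseline, and decodes the Logon value. The value names and the 0/1/3 = Enable/Prompt/Disable encoding follow Microsoft's published documentation of the security-zone registry entries (check them against your IE version); the baseline is this example's own choice, and the .reg text is constructed.

```python
"""Audit Internet Explorer security-zone settings from a .reg export.

Added example, not code from the original FAQ. IE stores each zone's settings
as DWORD values under HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\
Internet Settings\\Zones\\<n> (0 My Computer, 1 Local intranet, 2 Trusted
sites, 3 Internet, 4 Restricted sites). Value names and the 0/1/3 =
Enable/Prompt/Disable encoding follow Microsoft's documentation of those
entries (check them against your IE version); the baseline is this example's
own choice and the .reg text is constructed.
"""
import re

ENABLE, PROMPT, DISABLE = 0, 1, 3
STATE = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# Registry value name -> setting name as shown in the IE security dialog.
SETTINGS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1201": "Initialize and script ActiveX controls not marked as safe",
    "1405": "Script ActiveX controls marked safe for scripting",
    "1400": "Active scripting",
    "1402": "Scripting of Java applets",
    "1407": "Allow paste operations via script",
    "1601": "Submit nonencrypted form data",
    "1803": "File download",
}
# Least restrictive state tolerated in the Internet zone (example baseline).
INTERNET_BASELINE = {
    "1001": PROMPT, "1004": DISABLE, "1201": DISABLE, "1405": PROMPT,
    "1402": PROMPT, "1407": DISABLE, "1601": PROMPT, "1803": PROMPT,
}
# "1A00" (Logon, the User Authentication setting) has its own encoding.
LOGON_MODES = {
    0x00000000: "Automatic logon with current username and password",
    0x00010000: "Prompt for user name and password",
    0x00020000: "Automatic logon only in Intranet zone",
    0x00030000: "Anonymous logon",
}
KEY_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\Zones\\(\d)\]\s*$")
VAL_RE = re.compile(r'^"(\w+)"=dword:([0-9a-fA-F]{8})\s*$')

def parse_reg(text):
    """Return {zone: {value_name: int}} from the text of a .reg export."""
    zones, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = int(m.group(1))
            zones.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            zones[current][m.group(1)] = int(m.group(2), 16)
    return zones

def audit_zone(zones, zone, baseline):
    """List (value_name, setting, state) entries looser than the baseline."""
    findings = []
    values = zones.get(zone, {})
    for name, minimum in baseline.items():
        actual = values.get(name)
        if actual is None:
            continue  # not in the export: IE uses the zone template default
        if actual < minimum:  # smaller number = more permissive
            findings.append((name, SETTINGS[name], STATE.get(actual, hex(actual))))
    return findings

def logon_mode(zones, zone):
    """Describe the User Authentication > Logon setting for a zone."""
    return LOGON_MODES.get(zones.get(zone, {}).get("1A00"), "not set / unknown")

# Constructed export of the Internet zone (3) with a few loosened settings.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000001
"1004"=dword:00000000
"1200"=dword:00000000
"1201"=dword:00000003
"1405"=dword:00000000
"1400"=dword:00000000
"1407"=dword:00000000
"1601"=dword:00000001
"1803"=dword:00000000
"1A00"=dword:00010000
"""

if __name__ == "__main__":
    z = parse_reg(SAMPLE_REG)
    for name, setting, state in audit_zone(z, 3, INTERNET_BASELINE):
        print(f"Internet zone: {setting} ({name}) = {state}")
    print("Logon:", logon_mode(z, 3))
```

On the constructed export the audit flags unsigned ActiveX downloads, scripting of "safe for scripting" controls, paste-via-script and file download as more permissive than the baseline, while signed-control download (Prompt) and unsafe-control initialization (Disable) pass; the Logon value decodes to "Prompt for user name and password". A real export comes from `reg export` of the Zones key on the machine being checked.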



  • Feedback received on this FAQ entry:
    • What do security settings mean!!!

      2013-09-16 04:31:19

    • You simply defined "Access data sources across domains" by re-arranging and repeating the phrase. Worthless explanation.

      2012-10-18 20:18:40




    by Bubba, edited by MSeng
    last modified: 2005-06-11 12:24:22