Security Zones Basic to In-depth Home Computer Security Guide Page 21

Security Zones

IE uses a capabilities/trust model called Zone Security. In this model, Web sites are permitted to perform certain actions based on the following zones.

• Restricted sites Zone-This zone contains web sites that could potentially damage user’s data.

• Trusted sites zone-This zone contains web sites that user can trust not to damage his computer or data.

• Local Intranet Zone- This zone contains all web sites that are on organization’s intranet.

• Internet Zone- This zone contains all web sites that user haven’t placed in other zones.



Figure-12: Security zones in Internet Explorer

Each zone has an assigned security level (High, Medium, Medium-Low, or Low). Users can modify the security level for each zone, but IE will warn them if they attempt to assign a zone, a security level lower than the recommended minimum level.


Disable ActiveX and Java Scripts

Malicious web scripts can get to a web browser when a web developer sends such damaging code as part of the web server’s response. This malicious code is then executed on the host running the browser.

Unfortunately the problem is by disabling these features; the user may find it frustrating that certain sites can no longer be effectively browsed. If the user cannot live without being able to run these scripts, then an alternative is to use a commercial anti-virus scanner that affords some level of protection against malicious scripts.

Choose the following options for safety:

Open Internet Explorer.

On the menu select Tools à Internet Options.

• Click on the Security tab.

• With the Internet zone highlighted, click the Custom Level button.

• Make the following modifications to the Internet zone:

• Under ActiveX controls and plug-ins, set Script ActiveX controls marked safe for scripting to Disable

• Under Scripting, set Active scripting to Disable (This will disable all scripting, including ActiveX. If this impacts required functionality, change the setting to Prompt)

• Under Scripting, set Scripting of Java applets to Disable

By default Trusted sites zone is assigned low security level, since this zone is intended for highly trusted sites, such as the sites of trusted business partners. User can also customize the settings by clicking on Custom level tab.

To add sites to this zone

• Click on Trusted sites icon

• Click on sites tab to add the trusted web site name

• Select Require server verification (HTTPS for all sites in this zone - This ensures that connections to the site are completely secure

• By default, the Restricted sites zone is assigned High security level. Assign sites to this zone as described earlier.

• Click on OK to return to the Internet Options box, and then click OK.


Other Security Settings in IE

IE contains many other security-related settings. Guidance on implementing a few of particular interest is as follows:

• Open Internet Explorer

• On the menu select Tools Internet Options

• Click on the Advanced tab

• Under Security, check the box for Check for server certificate revocation. This causes IE to verify that a Web site’s digital certificate has not been revoked before accepting it as legitimate and current

• Under Security, check the box for Empty Temporary Internet Files folder when browser is closed. This causes IE to delete temporary files after the browser session is finished; these files could inadvertently contain sensitive information.



Figure-13: Other Security Settings for IE

• Click on the Privacy tab, and then click the Advanced button

• Check the Override automatic cookie handling box. This allows different settings to be made for handling first-party and third-party cookies

• Change the Third-party Cookies setting from Accept to Prompt.

This setting causes IE to prompt the user to accept each third-party cookie that is presented to the system.

For more information on Internet Explorer look at the home page of IE at

http://www.microsoft.com/windows/ie/default.mspx


Secure Site Identification

When buying online, the user must be sure doing business on secure Web sites. Unscrupulous "hackers" can exploit insecure sites to steal user’s personal and important information such as credit card number. This information could be used to steal user’s identity.

Most e-commerce Web sites secure user’s personal information by encrypting or scrambling the data. Netscape and Internet Explorer users can check Web site security by following these instructions:

1. Look for the Lock symbol

Check the status bar at the bottom of the Web browser window for an unbroken lock symbol. This means user’s personal information is scrambled, and no one can read it but the e-business he has contacted.

2. Look for "https" in the Web Site's Address

Secure sites will change their beginning from "http" to “https” if the information is about to pass through a secure channel. The "s" stands for "secure" and indicates that information will travel the Internet in encrypted form.

Since user’s data is encrypted or scrambled, it can't be read during transmission. For example in www.hotmail.com when user enters the login and password information, the address bar indicates a change from “http” to “https” and also shows the following message before forwarding the information See Figure-13.



Figure -14: Message for secure connection


This warning message is generally ignored by the user or they just select it not to show in future, which is a bad practice. Whenever a security confirmation is made, user should verify the server’s digital certificate.


Check the Certificate

Double-click on the lock symbol to view the security certificate. Make sure the certificate is "Issued to" the Web site and the "Valid from" dates are current. User can also see the certificate from File à Properties and then choose certificates.



Figure-15: Checking the validity of a certificate

The certificate should be checked for the issuer, to whom it has been issued and validity period of the issued certificate (as shown in the figure-14 above).

Continued..................