    Tightening Up Internet Explorer Security

    By Larry Seltzer, June 2, 2003


      It took many years of browser development before we started fearing browsers. Until about version 4 of Netscape and IE, the only talk of security was theoretical and usually unrealistic, such as whether Java or ActiveX were big holes, when neither has turned out to be. The real holes have turned out to be elsewhere.

      Since last week's AOL-Microsoft settlement seems to spell doom for the vestigial bump that is Netscape, Internet Explorer's role as the only browser that matters is further cemented. You can still use other browsers if you want (Mozilla, Opera, etc.), but sometimes you just have to use IE, and then it's a matter of taking proper precautions.

      Precautions have gotten far more serious in Windows Server 2003. One of the less-noticed changes in that product is that the use of IE on it has been severely restricted. This configuration is called Internet Explorer Enhanced Security Configuration (let's call it ESC), and it applies to browsing from the server console itself, not to clients of the server (with one caveat having to do with Terminal Services, described below). If IE is ever a vector for an attack on Windows Server 2003, it will most likely be because the administrator opened the facility back up.

      So what exactly does ESC do? Much of it employs Internet Zones, a feature of IE that goes back, I think, to the Truman administration, but which isn't appreciated by many users. Zones let you say which features web sites can use by default, and provide for a whitelist and a kind of blacklist. The two main zones are the Internet Zone and the Local Intranet Zone. The Internet Zone is for all sites not specifically placed in another zone. The Local Intranet Zone contains, among other things, sites accessed by UNC paths (like \\server\share\windows\cmd.exe). Then there are Trusted Sites and Restricted Sites. When you put a site in Trusted Sites it faces very few restrictions. When a site is in Restricted Sites, IE will let it do very little other than display HTML.

      When ESC is active, the default settings for these zones change from normal to conservative, and I mean "Pat Buchanan is a bleeding-heart liberal" conservative. Scripts and controls don't work, which means a lot of what administrators do won't work. Browser Helper Objects are disallowed. Multimedia content is generally blocked. The browser automatically checks server certificates for revocation. HTTPS pages are never cached, and the browser cache is always emptied when the browser shuts down.

      And it's not just what is obviously IE; these same rules apply to any application that uses the WebBrowser control. It's likely that administrators will run into problems under these restrictions, so there is a separate list of trusted sites for ESC (the ESC Trusted Sites list) and an API that application developers can use to write their sites into it. So when you install a new MMC-based administrative application, for example, the install program can add its site to this list. Still, there can be unexpected problems. Office applications sometimes use data access pages with ActiveX controls, and these will be blocked. Also, while the Windows Update site is automatically put in the trusted list, the same is not true of Office Update.
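      The zone machinery and the separate ESC trusted list described above are all registry-backed, so an administrator can audit them without opening the IE options dialog. The following PowerShell is an added example for this page, not code from the article or from Microsoft: it reports whether ESC is on for administrators and for ordinary users, decodes the Internet Zone's ActiveX and scripting settings for the current user, and adds a site to the ESC trusted list the way an installer would. It assumes a later Windows Server release that still ships ESC and PowerShell (Windows Server 2003 itself had no PowerShell), an elevated session, and the registry locations ESC has used since 2003; the host name admin.example.internal is a placeholder.

```powershell
# Added example (not from the article). Run elevated on a Windows Server that
# still ships IE Enhanced Security Configuration. Registry paths are ESC's
# well-known locations; the host name used at the bottom is a placeholder.

# Active Setup components whose IsInstalled flag records the ESC state.
$EscAdminKey = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
$EscUserKey  = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'

function Get-IEEscState {
    # IsInstalled = 1 means ESC is enabled for that class of account.
    $admin = (Get-ItemProperty -Path $EscAdminKey -Name IsInstalled -ErrorAction SilentlyContinue).IsInstalled
    $user  = (Get-ItemProperty -Path $EscUserKey  -Name IsInstalled -ErrorAction SilentlyContinue).IsInstalled
    [pscustomobject]@{
        Administrators = ($admin -eq 1)
        Users          = ($user  -eq 1)
    }
}

# Zone numbers: 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites.
# URL-action values: 0 = enable, 1 = prompt, 3 = disable.
# Action 1200 = "Run ActiveX controls and plug-ins", 1400 = "Active scripting".
function Get-IEZonePolicy {
    param([ValidateRange(1, 4)][int]$Zone)
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
    $p = Get-ItemProperty -Path $key
    $decode = {
        param($v)
        switch ($v) { 0 { 'enable' } 1 { 'prompt' } 3 { 'disable' } default { "unknown($v)" } }
    }
    [pscustomobject]@{
        Zone            = $Zone
        ActiveX         = & $decode $p.'1200'
        ActiveScripting = & $decode $p.'1400'
    }
}

# ESC keeps its own site-to-zone map under ZoneMap\EscDomains, separate from
# the ordinary ZoneMap\Domains list. That is why a site trusted in normal IE
# stays locked down under ESC until it is added here, and this is what an
# installer's "write myself into the ESC trusted list" step amounts to.
# The registry layout is EscDomains\<registrable-domain>\<host-labels>, with a
# DWORD named after the scheme holding the zone number.
function Add-IEEscTrustedSite {
    param(
        [Parameter(Mandatory)][string]$HostName,                    # e.g. admin.example.internal
        [ValidateSet('http', 'https', '*')][string]$Scheme = 'https'
    )
    $base   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains'
    $labels = $HostName.Split('.')
    if ($labels.Count -gt 2) {
        $parent   = $labels[-2..-1] -join '.'                       # example.internal
        $hostPart = $labels[0..($labels.Count - 3)] -join '.'       # admin
        $key = "$base\$parent\$hostPart"
    } else {
        $key = "$base\$HostName"
    }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # 2 = Trusted sites zone.
    New-ItemProperty -Path $key -Name $Scheme -PropertyType DWord -Value 2 -Force | Out-Null
    Get-ItemProperty -Path $key
}

Get-IEEscState
Get-IEZonePolicy -Zone 3
Add-IEEscTrustedSite -HostName 'admin.example.internal' -Scheme 'https'
```

      The first call is the check worth running during a server review: if Administrators reports False on a machine that is supposed to have ESC on, someone has "opened up the facility" in exactly the way the column warns about. The zone read-out makes the ESC defaults visible (ActiveX and scripting come back as disable for the Internet Zone while ESC is active), and the last call scopes the exception to one host and scheme rather than turning ESC off for everything.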

      Of course, this is for a server. Could it be that this portends a default restriction on browser usage in future versions of desktop Windows? Not likely. These restrictions are severe and would make the kind of day-to-day browsing Microsoft itself has been pushing difficult. Quite a bit of microsoft.com would be inaccessible under ESC.

      I mentioned above that there is an exception to these rules for Terminal Services, and there ought to be, since they would make browsing difficult for Terminal Services users. The rules for when ESC applies to the various classes of users under Terminal Services are complex. For example, the rules change depending on whether Terminal Server was installed manually or through an unattended install. See Microsoft's TechNet article and Knowledge Base article on the subject for more on it.

      This all follows the general philosophical approach of Windows Server 2003, which is that facilities are locked down unless the administrator chooses to open them up. Many observers have been arguing for this for years, and I guess it's fair to say that the default opening of services was the major failure of Windows 2000. But I'm still curious to see how administrators react to this approach, since it forces them to make a lot of important decisions. In the past Microsoft made these decisions for you and (perhaps naively) made a lot of them badly.

      Microsoft has put out copious literature on ESC and its administration. There is an article on TechNet that describes the changes in settings under various circumstances. There is also a much more detailed document for administrators that includes scripts for managing ESC across large networks.

      Security Supersite Editor Larry Seltzer has worked in and written about the computer industry since 1983.


      Larry Seltzer
      Larry Seltzer has been writing software for and English about computers ever since, much to his own amazement, he graduated from the University of Pennsylvania in 1983. He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at DeskTop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years. For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publications. In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998. Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.