Enhanced Security Configuration for Windows Internet Explorer
As a best security practice, a server administrator should not browse Internet Web sites from the server. The administrator should only browse the Internet from a limited user account on a client work station to reduce the possibility of an attack on the server by a malicious Web site. Administrators sometimes need to use Web-based applications which require advanced functionality such as scripts or file downloads. It is a better practice to specifically enable functionality on a few Web sites rather than attempt to block functionality individually on an indefinite number of potentially malicious sites.
Based on this best practice, several changes were made to the default settings in Microsoft Internet Explorer 6 for Windows Server 2003. The following sections describe these changes.
- URL Security Zones
- Advanced Settings
- Home Page
- Microsoft Outlook Express
- Related topics
URL Security Zones
Windows Internet Explorer determines the level of security that is warranted for a given Web page by categorizing it into a URL security zone based on the origin of the Web page. Web sites on remote servers are in the Internet security zone. Without the enhanced security configuration, Web sites on a local network are in the Intranet zone. Web sites on servers identified as potentially malicious are in the Restricted sites zone. Web sites on servers identified as trusted are in the Trusted sites zone. URL security zones templates are applied to each of these zones to specify which actions can be performed by Web pages within that zone. For example, web pages in the Restricted sites zone cannot use Microsoft ActiveX controls by default. For more information about URL security zones and templates, see About URL Security Zones.
The new URL security zone settings in Windows Server 2003 help create an environment that is more secure by default. Under the enhanced security configuration, all Web sites are in the Internet zone. Automatic detection of intranet sites is disabled. ActiveX controls, script, and the Microsoft virtual machine (Microsoft VM) cannot be used from any Internet Web site. Additionally, files cannot be downloaded from these sites. If a crucial Web site requires this functionality, the site can be added to the Trusted sites zone or the Intranet zone to increase privileges.
Security Warning: Adding arbitrary Web sites to the Intranet zone can compromise the security of your server. The Medium-low security template allows NTLM credentials to be sent to sites that request them. Only known site should be added to the Intranet zone to prevent disclosure of this sensitive data. You should review Security Considerations: URL Security Zones API before continuing.
The following table highlights the changes to default URL security zones between Windows 2000 and Windows Server 2003.
| URL security zone | Default security template in Windows 2000 | Default security template in Windows Server 2003 |
|---|---|---|
| Restricted sites | High | High |
| Internet | Medium | High |
| Intranet | Medium-low | Medium-low |
| Trusted sites | Low | Medium |
Each of these values can be changed on the Security tab of the Internet Options dialog box available from the Tools menu in Internet Explorer or from the Control Panel. When any of these values is changed, the Restore Defaults button allows users to revert the value to the secure default.
By default, the Windows Update Web site appears in the Trusted sites zone. Using Remote Assistance requires that script and ActiveX be permitted to run from the URL "hcp://system". This site is added to the Trusted sites zone. Both "https://localhost" and "https://localhost" appear in the Intranet zone as well.
Advanced Settings
Several of the default values for advanced settings in Internet Explorer differ between Windows 2000 and Windows Server 2003. Each of these changes was made in response to a known exploit that is mitigated with this new enhanced security configuration. The following list highlights the settings that are new in Windows Server 2003.
Browsing:
- Enable third-party browser extensions: Not enabled
- Enable Install On Demand (Internet Explorer): Not enabled
- Enable Install On Demand (Other): Not enabled
Java:
- JIT compiler for virtual machine enabled: Not enabled
Multimedia:
- Don't Display online content in the media bar: Enabled
- Play sounds in web pages: Not enabled
- Play animations in web pages: Not enabled
- Play videos in web pages: Not enabled
Security:
- Check for server certificate revocation: Enabled
- Check for signatures on downloaded programs: Enabled
- Do not save encrypted pages to disk: Enabled
- Empty Temporary Internet Files folder when browser is closed: Enabled
These options can all be changed on the Advanced tab of the Internet Options dialog box.
Home Page
The home page is set to a local HTML file that describes the changes to the default security settings. The home page can be reassigned on the General tab of the Internet Options dialog box.
Microsoft Outlook Express
In Windows Server 2003, Microsoft Outlook Express uses plain text for reading and sending messages by default. When replying to e-mail sent in another format, the response is formatted in plain text.
Security Warning: Reading e-mail with Outlook Express, even in plain text, can compromise the security of your server. Read e-mail from a limited user account to minimize this risk.