Reference Implementations for Securing Your Web Browser Guidelines
It's Will again, with the first blog entry of 2009. Our Securing Your Web Browser document describes how to make your web browser more secure, but applying all of the necessary changes can be a bit tedious. To make the process easier, we developed reference implementations of the guidelines for both Microsoft Internet Explorer and Mozilla Firefox.
See the original guidelines for details about configuring and using your secured browser. The following sections describe how to use the reference implementations.
The implementation of the recommended settings for Mozilla Firefox 2.x and Firefox 3.x is available in a user.js file. To use these settings:
- Install NoScript using Firefox.
- Download the user.js [sig] file into your Firefox profile location.
- Restart Firefox.
The settings specified in the user.js file will override any of the corresponding settings that you have set. The advantage of this behavior is that if the user.js file is removed, then Firefox will behave as it did before the change. The disadvantage is that the settings that are specified in this file cannot be set by using the Firefox preferences GUI.
The recommended settings for Internet Explorer 6 and Internet Explorer 7 are available as a Windows registry file. To incorporate these changes, simply open the ie_sywb.reg [sig] file to merge the changes into the registry. Note that this will overwrite the existing security settings for the web browser. If you use Internet Explorer 7, you can undo the changes by clicking the "Reset all zones to default level" button.
To apply site-specific security settings, use the Security Zones feature of the browser. The Internet Zone, which is the default zone for sites on the internet, is locked down with high security settings, while the Trusted Sites Zone is configured to be the equivalent of the default Internet Zone for Internet Explorer. This way, Internet Explorer uses high security settings by default, and as you encounter sites you trust that need extra features, you can add them to the Trusted Sites zone. The easiest way to add a site to the Trusted Sites zone is to
- double-click the zone indicator icon near the bottom right side of the screen
- click the Trusted sites icon
- click the Sites... button
This dialog allows the user to add the current or other sites to the Trusted Sites zone. Wildcards are also supported. For example, a user can add "*.cert.org" to the list, and any site that resides on the cert.org domain will be trusted.
The initial reaction to a secured web browser may be that sites no longer work, because you are now responsible for deciding which sites can use features that may provide additional functionality but at the same time are more dangerous, such as ActiveX and Signed Java Applets. As time goes on, the sites that you visit regularly will be added to your Firefox NoScript whitelist or Internet Explorer Trusted Sites Zone, and those sites should work fine with minimal user interaction. However, you now have significant protection against malicious web sites, including sites that you have not visited before, such as one that may be linked to from a malicious email message, or sites that you may reach when a trusted site is compromised with an injected IFRAME to a malicious site. In both of these cases, you will be protected against the majority of vulnerabilities that affect web browsers.
Both the Mozilla Firefox and Microsoft Internet Explorer reference files are annotated to describe which settings they will change. Feel free to view and modify them to suit your own needs if necessary.