Results 1 to 14 of 14
  1. #1
    New Lounger
    Join Date
    Jun 2001
    Location
    Canada
    Posts
    21
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Security Settings (6.0)

    I am just trying to make sure my browser is securely configured and I was wondering if there is any concensus on what the settings should be for these three items in the Internet Zone.

    Script ActiveX controls marked safe for scripting
    Java permissions
    Active scripting

    Am I right in thinking that I should leave my Internet Zone setting to Medium? And, if so, are there any other individual settings that I should change?

    Thanks in advance.

    James

  2. #2
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: Security Settings (6.0)

    This is what I use. Opinions will differ significantly.
    Attached Images Attached Images

  3. #3
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Long Beach, California, USA
    Posts
    1,912
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Security Settings (6.0)

    It is completely up to how paranoid or cautious you want to be -- and also it depends on your surfing habits. If you only visit a few trusted and well-known sites, then the default Medium setting is probably fine. If you occasionally visit sites where the content might be, eh, questionable, then you would fare better with a restricted Internet zone.

    The above image shows ActiveX well controlled and restricted, yet still functional. If an ActiveX program wants to run, you will be prompted. No new ActiveX controls will be downloaded.

    So far, Java at the High Safety setting seems to work fine -- I have never had a problem. Microsoft's drive away from this technology may make this less of an issue in the future anyway -- or so they would like.

    My only real concern is with Scripting. This is very powerful and potentially very dangerous. That is why it is going to depend on the type of Internet surfer you are. Scripting can do anything on your computer you can do -- delete files, modify your registry, install programs -- including viruses and trojans, or open endless numbers of IE windows. It is the technololgy that is responsible for web sites "stealing" your Home Page, installing garbage like Comet Cursor without your knowledge, and opening Pop-up/Pop-under ads like that famous X10 camera ad.

    Again, if you stay away from sites that do these obnoxious things, then it does not matter where you set your scripting settings. I do a lot of Internet surfing, so I get exposed to all kinds of threats. To me, it is better to restrict scripting (disabled) in the Internet zone. But as jscher states, opinion will vary significantly. That is why we were given these options.

    In case you are interested, here is a nice source of information on the topic:
    Internet Explorer Security Options, Part 1, Part 2, Part 3, Part 4, Part 5.

  4. #4
    New Lounger
    Join Date
    Feb 2002
    Location
    Brussels, Belgium
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Security Settings (6.0)

    Intresting post thanks dude!

  5. #5
    New Lounger
    Join Date
    Jun 2001
    Location
    Canada
    Posts
    21
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Security Settings (6.0)

    Thanks for your comments.

    When you say you think it is better to disable scripting in the Internet Zone, I know you mean "Active scripting". But do you also mean to disable "Scripting of Java applets"?

    Thanks again.

    James

  6. #6
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Long Beach, California, USA
    Posts
    1,912
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Security Settings (6.0)

    I have all three script settings on Disabled in the Internet zone. If I am on a site that needs to use scripts -- and I trust the site, I will add it to my Trusted Sites zone -- where scripts and ActiveX can both run.

  7. #7
    New Lounger
    Join Date
    Jun 2001
    Location
    Canada
    Posts
    21
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Security Settings (6.0)

    One last question ... honest.

    Should I disable or uninstall the Windows Scripting Host?

    Thanks again for all your help. It has put my mind at ease.

    James

  8. #8
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Long Beach, California, USA
    Posts
    1,912
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Security Settings (6.0)

    Personally, I use scripting so I could never remove the Windows Scripting Host (WSH). First, let's consider what you are trying to accomplish. Removing the WSH will NOT prevent IE from running scripts. IE itself is a "script host" and it does not require WSH to run scripts. So, removing the WSH is not going to supercede the Internet zone Security settings.

    WSH runs scripts that are already on your computer and some of these are very useful. There is one I have that deletes the URL history, for example -- but there are many more uses. Jason Levine has written several useful scripts that require the WSH. They can be found here. The TrustSetter script adds buttons to your IE Toolbar so you can quickly move the site you are on into the Trusted or Restricted sites. There are many other GOOD scripts out there.

    So, I am not sure you want eliminate a useful function on your computer. Instead, you want to control it. I have looked at various methods, and the one I like best is Jason's ScriptSentry. He will post here occasionally, plus he has his own forum set up. I think it is the most elegant answer out there. Give it a look.

  9. #9
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: Security Settings (6.0)

    To expand on this a bit, WSH provides access to system components such as the shell (command line), the registry, and the file system. It can be extremely useful and devastatingly damaging. A script running inside IE, unless able to access ActiveX controls (COM objects), is really only supposed to be able to manipulate windows and documents. This can be incredibly annoying, but typically is not destructive. So taking away an IE-hosted script's access to the rest of the computer is Job #1, and after that you can take either approach: do like me and trust most sites and put the really annoying ones in the Restricted Sites, or do like Rick and trust no one until you have a chance to check them out, at which point you add them to your Trusted Sites. The latter certainly is the more conservative approach, but I find that many sites are unnavigable without scripting, so in the interest of speeding through my surfing duties, I leave scripting on most of the time. Being prompted can be a good strategy to see how much scripting is used, and for what, so you might want to try that for a while.

    As a safeguard against accidentally running .vbs or other scripts, you can change the default, double-click action from Open (i.e., Run) to Edit, using the File Types dialog in Windows Explorer. Or you can put this in a .vbs file and run it:
    Code:
    Main
    retval = MsgBox("Try it again - bet it won't run.")
    '------------------------------------------------------------
    Sub Main
    Dim sExtArray(5), oShell, iCount, sKey, sRunCmd
    sExtArray(0) = "JSE"
    sExtArray(1) = "JS"
    sExtArray(2) = "VBE"
    sExtArray(3) = "VBS"
    sExtArray(4) = "WSF"
    sExtArray(5) = "WSH"
    'add more as needed...these are the ones in my registry, personally
    
    Set oShell = Wscript.CreateObject("Wscript.Shell")  'Instantiate Windows Shell object
    On Error Resume Next                                'Must do inline error checking
    For iCount = 0 To UBound(sExtArray)                 'Loop through file extensions
      sKey = "HKCR" & sExtArray(iCount) & "FileShell"'The action is in the Shell key
      sRunCmd = oShell.RegRead(sKey & "OpenCommand")  'Store the old Open command
      If Err.Number <> 0 Then                           'Already gone, most likely
        Err.Clear
      End If
      If sRunCmd <> vbNullString Then                   'The Open Command key exists
        oShell.RegDelete sKey & "OpenCommand"         'Delete the old Open Command key
        oShell.RegDelete sKey & "Open"                 'Delete the old Open key
        oShell.RegWrite sKey & "Run", "&Run Script (danger!)"  'Create new Run key
        oShell.RegWrite sKey & "RunCommand", sRunCmd  'Copy the old Open command to Run
        oShell.RegWrite sKey, "Edit"                    'Set default action as Edit
      End If
    Next
    
    oShell.RegDelete "HKCRShellScrapNeverShowExt"     'Force .SHS to be visible
      If Err.Number <> 0 Then                           'Already gone, most likely
        Err.Clear
      End If
    End Sub
    Last edited by jscher2000; 2011-02-08 at 11:32. Reason: Updated code tags for new lounge

  10. #10
    New Lounger
    Join Date
    Jun 2001
    Location
    Canada
    Posts
    21
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Security Settings (6.0)

    So, am I right in thinking that I can leave WSH enabled and, provided that my settings for IE and Outlook are fine, WSH won't leave me vulnerable to viruses that come via websites or e-mail? Or does WSH provide an extra vulnerability to viruses that come via the internet (e-mail or browsing the web)?

    James

  11. #11
    New Lounger
    Join Date
    Jun 2001
    Location
    Canada
    Posts
    21
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Security Settings (6.0)

    Hi there,

    You said that "taking away an IE-hosted script's access to the rest of the computer is Job #1". Do you do that by disabling active scripting, or is there more to it than that?

    Also, you mentioned changing the Open option for .vbs files. Is this just to prevent me from inadvertently executing a script by accidentally double-clicking it? Or is there another way that I might inadvertently execute a .vbs file that this tweak would prevent?

    Sorry for asking so many questions. I'm just trying to get a good handle on what steps I need to take to make my system secure.

    James

  12. #12
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: Security Settings (6.0)

    <hr>You said that "taking away an IE-hosted script's access to the rest of the computer is Job #1". Do you do that by disabling active scripting, or is there more to it than that?<hr>
    You do that with the ActiveX settings, particularly the ones relating to scripting of ActiveX controls. Over the years, MS has issued a number of patches to mark controls as "unsafe for scripting" when it turned out that they could be exploited in some way. On the assumption that there's always one more problem just around the corner, I set the option to Prompt even when MS says a control is "safe for scripting."

    <hr>Also, you mentioned changing the Open option for .vbs files. Is this just to prevent me from inadvertently executing a script by accidentally double-clicking it? Or is there another way that I might inadvertently execute a .vbs file that this tweak would prevent?<hr>
    Mostly and maybe. It's not something I've explored in great depth.

  13. #13
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Long Beach, California, USA
    Posts
    1,912
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Security Settings (6.0)

    Changing the Open option for .vbs, etc. files is an option. Honestly, and after much investigation, Jason's ScriptSentry is a vastly superior option. Take a good look at it and I think you will find it quite useful.

    Changing the open command will effect the way any script or program can run a .vbs script. When a program tries to run a .vbs file, it will query the registry and look at the Shell (Default) value. If none is found, it queries the OpenCommand value. It then uses that value to "open" or run the file.

    Scripting, even without ActiveX, can do annoying and dangerous things. There are loopholes being found every month. I tend to be conservative and paranoid. It is a personal decision.

    Scripts on a web page can do anything a script can do on your computer -- edit the registry, copy or delete files, and even install viruses. Don't forget the past. One of the vectors of NIMDA was simply SCRIPT on a web page -- no ActiveX was involved.

    "W32/Nimda.A@mm (CV-5, Minda, Concept Virus, Code Rainbow) directly affects servers running Microsoft's Internet Information Server (IIS) by replacing key system files. The virus adds a Java script code snippet (<html><script
    language="Jav*Sc***t">window.open("readme.eml", null, "resizable=no,top=6000,left=6000")</script></html> to all .HTM and .HTML pages on the server. Now every time an infected page is viewed (opened), the Java script is downloaded to your computer. An infected PC will further send Nimda through an infected email attachment."

    Many reference to this are available...

    Using Jason's Trust Setter script makes being paranoid very easy! The toolbar buttons are extremely useful.

  14. #14
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: Security Settings (6.0)

    > One of the vectors of NIMDA was simply SCRIPT on a web page...

    Opening the NIMDA email file in a new window would have been benign were it not for a severe browser bug. Nevertheless, you are wise to be more cautious than me. <img src=/S/grin.gif border=0 alt=grin width=15 height=15>

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •