Previous | Next

Internet Explorer Security

Internet Explorer 4.0 adds several security features to Windows 98, including support for security zones, Secure Socket Layer (SSL) versions 2.0/3.0 and Private Communication Technology (PCT) version 1.0 protocols, client and server authentication, and the Platform for Internet Content Selection (PICS) rating system. These security features make it easier for you to protect your computer and your privacy while using the Internet.

Security zones.

You can divide the Web into zones and have Internet Explorer 4.0 provide different levels of security depending on which zone you have assigned to a Web site.

When you install Windows 98, you configure the following Internet Explorer settings:

A fifth zone, My Computer, is also created, but it is not configurable through the security options.

This system lets the administrator divide the Web content a browser can visit into groups, each of which can have a security level associated with it. The Web content can be anything from a Hypertext Markup Language (HTML) file to a graphic, an ActiveX control, a Java applet, or an executable file.

Authenticode technology.

An Authenticode certificate identifies who published a piece of software and verifies that it has not been tampered with.

Certificate management.

System administrators can control which Java applets, ActiveX controls, and other software can be run on their intranets, based on who published the software.

Capabilities-based Java security (sandboxing).

The Internet Explorer 4.0 security model for Java makes it easy for you to control how Java applets interact with your computer system. You can decide what capabilities and levels of access to your computer or system you want to give Java applets. You can offer full access to applets from trusted sources while restricting applets from unknown sources to safe "sandboxes" where they cannot harm files.

Privacy protection.

Internet Explorer 4.0 supports all standard Internet security protocols to ensure private communication over the Web. Internet Explorer prompts you before user names or passwords are sent to Web sites not designated as trusted. For trusted sites, you can choose not to be prompted before personal information is transmitted. Outlook Express — the Internet mail and news component of Internet Explorer 4.0 — lets you encrypt messages and ensures that no one can falsely assume your identity on the Internet.

The following sections explain how to configure these settings.

Setting Up Security Zones

Internet Explorer 4.0 has security options that let you configure a security level to a specific Web site according to how much you trust the content of that Web site. Five predefined security zones, four of which have configurable security settings, are set up in Internet Explorer 4.0:

Note

Because security works differently in Internet Explorer 4.0, any existing Internet Explorer 3.0 settings are not preserved.

Using the Internet Properties dialog box in the Internet option in Control Panel, you can set the security options you want for Internet, Trusted sites, Restricted sites, and Local intranet, and then add or remove sites from the zones depending on your level of trust in each site.

In corporate environments, administrators can set up zones for users and can add or remove authentication certificates of software publishers that they do or do not trust so that users do not have to make security decisions while they are using the Internet.

For each security zone, you can choose a High, Medium, Low, or Custom security setting. Use the High setting for sites in a zone of untrustworthiness and Low in a trusted zone. The Custom option gives advanced users and administrators even more control over all security options, including the following:

To set up security zones

  1. In Control Panel, double-click Internet.
  2. Click the Security tab.
  3. Configure the settings according to your security needs.

Setting Up the Internet Zone

By default, the Internet zone is set to the Medium security level. If you are concerned about security problems as users browse the Internet, change this setting to High. When this level is set to High, some Web pages may not be allowed to perform certain operations that can potentially compromise security.

For more advanced and detailed security control, use the Custom settings to configure each individual security setting for the zone.

To set up custom settings for the Internet zone

  1. In the Security tab, select Custom, and then click Settings.
  2. Configure the settings according to your security needs.

Adding Sites to the Trusted and Restricted Zones

You can classify Web sites into two categories, according to how much you trust their contents:

By default, the Trusted sites zone is set to the Low security level. When you add a site to the Trusted sites zone, the site is allowed to perform more operations, and Internet Explorer will ask you to make fewer security decisions when you access the site. Add a site to this zone only if you trust all of its content never to do anything that may harm your computer. For the Trusted sites zone, it is strongly recommended that you use the HTTPS protocol so that you can securely connect to the site.

By default, the Restricted sites zone is set to the High security level. When you add a site to the Restricted sites zone, the site is allowed to perform only minimal, very safe operations. Add sites that you do not trust to this zone.

To add sites to the Trusted sites zone or Restricted sites zone

  1. In the Security tab, select either the Trusted sites zone or Restricted sites zone in the Zone list.
  2. Click Add Sites, select the desired sites for that zone, and then click OK.

Setting Up the Local Intranet Zone

To be secure, the Local intranet zone must be set up in accordance with the proxy server and firewall configuration. All sites in the zone should be "inside the firewall," and proxy servers should be configured so that they do not allow an external Domain Name System (DNS) to be resolved in this zone.

By default, the Local intranet zone consists of local domain names and those set in proxy override in the Connection tab. Make sure that these settings are indeed secure for the installation; if they are not, adjust them as needed. You can check that the Local intranet zone is configured correctly by browsing various intranet and Internet pages and checking that the correct zone is shown in the status bar.

After you have checked that the Local intranet zone is secure, you can change the zone’s security level to Low to allow a wider range of operations and make the Web pages more functional. You can also adjust individual security settings in the Security Settings dialog box as explained in "Setting Up the Internet Zone" earlier in this section.

If parts of your intranet are not secure or do not meet your security standards, you can exclude them from the Intranet zone by adding them to the Restricted sites zone.

The Local intranet zone is designed to be configured using the Microsoft Internet Explorer Administration Kit; however, you can also use the Security tab in the Internet Properties dialog box.

Summary of Authenticode Technology

When users download signed code to their computers, Authenticode verifies both its publisher and its integrity (that it has not been tampered with since the author published it). No software can be guaranteed to be 100 percent safe under all circumstances, but Authenticode uses public key technology to sign objects digitally and help you make informed decisions about blocking the execution of certain code. Authenticode works with all common types of downloadable code, including Java applets, ActiveX controls, and plug-ins.

Authenticode checks to see that a piece of software is digitally signed during the valid lifetime of the publisher’s certificate.

Authenticode can also automatically check to make sure a software publisher’s certificate has not been revoked. Publishers can have their certificates revoked if they abuse their code-signing agreement by, for example, creating malicious code that harms users’ computers.

Summary of Certificate Management

Authentication certificates are a key tool in providing Internet security. Certificate management eases the administration of network security. The certificates, which are assigned to software publishers who meet defined levels of integrity and security in their code, give users a way to identify the origin of a piece of software on the Internet. This identification mechanism forms the basis of Authenticode. Certificate Management lets system administrators control which Java applets and ActiveX controls are allowed to run on their networks based on who published the applets or controls.

Example

Certificate Management

You can let users open and run all internally created controls, but keep all controls that originate from outside your corporate firewall from loading and running on company computers.

Site certificates verify that you are really connected to the Web sites that you believe you are connected to. Viewing information may not present a security risk, but sending information can. Security certificates are issued to particular organizations for specific periods of time. Before you send information, certificates are sent from the secure Web sites to Internet Explorer 4.0. These certificates provide certain information about security at those sites. Internet Explorer 4.0 verifies that the Internet address stored in the certificate is valid and that the current date precedes the expiration date.

Note

Site Certificates are active only for Uniform Resource Locators (URLs) using HTTPS. Communication to and from Web sites using HTTPS are kept private through encryption when this mode is active.

To see the site certificates stored in Internet Explorer 4.0

  1. Start Internet Explorer.
  2. Click the View menu, and then click Internet Options.
  3. Click the Content tab, and then click Authorities.

    By default, the Certificate Authorities dialog box contains a list of authorities that are allowed to issue certificates to sites.

If you are connected to a site with a certificate, a lock icon appears on the bottom right corner of the browser window.

Summary of Java Security (Sandboxing)

Support for sandboxing, the Java security model, was built into Internet Explorer 3.0 and has been enriched in Internet Explorer 4.0. Running a Java applet in a sandbox prevents it from accessing a computer or network resource and also greatly restricts what it can do. Internet Explorer lets you control access of applets to users’ resources, such as their hard disks and network connections. It presents users with a range of security options, such as allowing a Java applet to access a specific amount of hard disk space on a client computer.

Summary of Privacy Protection

The following list describes the kinds of privacy protection built into Internet Explorer 4.0.

Secure channel services.

Support for Secure Socket Layer (SSL) versions 2.0/3.0 and Private Communication Technology (PCT) version 1.0 ensures that personal or business communications using the Internet or an intranet are private. The SSL and PCT protocols create a secure channel so that no one can eavesdrop on communications. With secure communications guaranteed, users can buy consumer goods, reserve plane tickets, or conduct personal banking on the Internet.

Transport Layer Security.

Transport Layer Security (TLS) is a new secure channel protocol under development by the Internet Engineering Task Force. TLS builds on existing protocols to create an improved Internet secure channel protocol.

Personal Information Exchange.

The Personal Information Exchange (PFX) is a set of public key-based security technologies that is part of the Microsoft Internet security framework. PFX supports such Internet standards as X.509 and PKCS#12 certificate formats. Microsoft has submitted PFX for consideration as a new Public Key Cryptography Standard (PKCS).

Cookie privacy.

Some Web sites use cookie technology to store information on client computers. These cookies are usually used to provide Web site personalization features. With Internet Explorer 4.0, you can choose whether or not to store a cookie.

Tip

You can decline cookies from a site by selecting Prompt before accepting cookies on the Advanced tab in the Internet Options dialog box of the Internet Explorer View menu.

SOCKS firewall support.

Many corporations provide their employees with access to the Internet through firewalls that protect the corporation from unwanted access. SOCKS is a standard protocol for traversing firewalls in a secure and controlled manner. Internet Explorer 4.0 is compatible with firewalls that use the SOCKS protocol.

Windows NT Server challenge/response.

Corporations can take advantage of the Microsoft Windows NT LAN Manager challenge/response authentication that might already be in use on their Windows NT Server network. Users enjoy increased password protection and security while still able to use their existing Internet information servers.

CryptoAPI version 2.0.

CryptoAPI provides the underlying security services for secure channels and code signing. Through CryptoAPI, developers can easily integrate strong cryptography into their applications. Cryptographic Service Provider (CSP) modules interface with CryptoAPI and perform functions, including key generation and exchange, data encryption and decryption, hashing, digital signatures, and signature verification. CryptoAPI is included as a core component of Windows 98 and Windows 95. Internet Explorer 4.0 automatically provides this support for earlier versions of Windows.

Microsoft Wallet.

Microsoft Wallet supports securely storing important and private information, such as credit cards, electronic driver’s licenses, ATM cards, and electronic cash. No application or person can view this information without a user’s permission. In addition, a user decides where to store the information (on a computer, smart card, or floppy disk). Users have to enter password or account information only once and do not have to remember many different passwords. Users have complete control over who can see or use this information. Wallet allows information to be securely transferred to any computer and used with any application through the use of PFX technology. Designed for the future, Wallet supports additional payment methods (such as Internet cash) as well as other credentials and confidential information.

PICS standards for Internet content.

Parents want the assurance that children can be blocked from visiting sites that display inappropriate information. Corporations have similar concerns, wanting to block the use of sites that offer no business value to their customers. Microsoft has been working closely with the Platform for Internet Content Selection (PICS) committee to help define standards for rating Internet content.

Forget your password?

With Internet Explorer 4.0, you do not have to type your user name and password every time you want to access a subscription Web service. Instead, Internet Explorer 4.0 functions as your virtual wallet, flashing your personal certificate to Web servers that want to verify your identity. It works the other way, too. You can also store certificates of Web servers in Internet Explorer 4.0. This means you can verify the identity of any Web merchant or other Web server before you purchase goods or communicate with them.