Attacks via the web against vulnerable web browsers are growing increasingly common, and it is important to protect your computer against them by making sure your browser settings are configured with security in mind. Although other browsers and operating systems are not immune to such attacks, at present Windows Internet Explorer in its default state is particularly vulnerable to attacks from malicious websites. Users may encounter malicious websites when clicking on a link for what appears to be a legitimate site in a web search result, when visiting a legitimate site that has been compromised by intruders, or when tricked via a legitimate-looking email message into visiting sites created as part of a virus infection and intended to spread the virus. Depending on which vulnerability is exploited, the result can be execution of arbitrary code (meaning the attacker can potentially gain control of your computer); public exposure of private files; or alteration of browser and network settings to force your web browser to visit websites other than the ones you intended to visit, change your browser home page, install spyware, etc.
To avoid many of the current browser-based attacks, the simplest measure for Windows users, where feasible, is to install a browser other than Internet Explorer and use it as the default, leaving Internet Explorer only for sites that simply will not work correctly without it. Some good choices for an alternate browser are Mozilla Firefox and Opera.
Regardless of which web browser and operating system you're using, the most significant browser vulnerabilities can be addressed by disabling all scripting languages; however, this will greatly interfere with the functionality of any website that relies on script execution. Some browsers allow exceptions to the default security settings for specific, trusted sites.
Since you may use some sites with a legitimate need for script execution, ITS recommends changing most of the scripting-related settings to "prompt" rather than "disable". This allows you to decide for yourself whether to allow a given script to execute. Java is the exception: it can only be enabled or disabled, with no prompt option. At the present time, ITS strongly recommends disabling Java. It can be turned on temporarily if you connect to a site that requires it; be sure to turn it back off again afterwards. If you find that you need Java regularly, consider replacing the Microsoft VM with Sunsoft's Java, which at present appears to have fewer security issues.
Steps for tightening security in web browsers
(adapted from a FAQ on the CERT site)
Note: If you are not using Internet Explorer version 6, this may not match what you see in your Internet Options. To determine your software version, from the Help menu select About Internet Explorer.... A dialog box appears with information about your browser, including the version number.
- Start Internet Explorer as you would when browsing the Internet.
- From the Tools menu select Internet Options.... The Internet Options dialog box appears.
- Select the Security tab. The Security Options panel appears.
- Click on the Internet zone to select it.
- Click the Custom Level button. The Security Settings panel appears.
- Select the Medium option from the pull-down list.
- Click the Reset button. A dialog box appears asking if you are sure you want to change the security settings for this zone.
- Click Yes. You now need to scroll through the settings list and make the additional changes listed in the following steps.
- For the setting Scripting ActiveX controls marked safe for scripting, check the radio button for Prompt.
- If you have a section for Java permissions, check with your system administrator to see if you should disable Java. If you don't have a Java permission setting, then Java is already disabled.
- For the setting Active scripting under the Scripting section, check the radio button for Prompt.
- Click OK to accept these changes. A dialog box appears asking if you are sure you want to make these changes.
- Click Yes.
- In the Internet Options dialog box, click the Advanced tab. The Advanced Options panel appears.
- Make sure the setting Warn if changing between secure and insecure under the Security setting is checked. If you have a Java setting here, check with your system administrator to see if you should disable it.
- Click Apply to save your changes.
- Click OK to close the Internet Options dialog box.
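As an added example (not part of the ITS page or the CERT FAQ), the following PowerShell script audits, and optionally applies, the Internet-zone settings from the steps above by reading the registry values that the Internet Options dialog writes. The zone path, the value names 1400, 1405 and 1C00, and their meanings are taken from Microsoft's documented zone registry layout and are assumptions outside this page; it is meant for later Internet Explorer versions on systems that have PowerShell.

```powershell
# Added example, not from the original page. Zone 3 is the Internet zone.
# Value names (assumed from Microsoft's documented zone registry layout):
#   1400 = Active scripting, 1405 = Script ActiveX controls marked safe for
#   scripting (0 = Enable, 1 = Prompt, 3 = Disable); 1C00 = Java permissions
#   (0 = Disable Java, 0x10000 = High safety, 0x20000 = Medium, 0x30000 = Low).
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# What the steps above recommend: Prompt for both scripting settings, Java disabled.
$Recommended = @{
    '1400' = @{ Name = 'Active scripting';                                  Value = 1 }
    '1405' = @{ Name = 'Script ActiveX controls marked safe for scripting'; Value = 1 }
    '1C00' = @{ Name = 'Java permissions';                                   Value = 0 }
}

function ConvertTo-SettingLabel {
    param([string]$ValueName, [int]$Raw)
    if ($ValueName -eq '1C00') {
        switch ($Raw) {
            0       { 'Disable Java' }
            0x10000 { 'High safety' }
            0x20000 { 'Medium safety' }
            0x30000 { 'Low safety' }
            default { 'Custom/other' }
        }
    } else {
        switch ($Raw) { 0 { 'Enable' } 1 { 'Prompt' } 3 { 'Disable' } default { 'Unknown' } }
    }
}

function Test-IeInternetZone {
    # Reports each setting against the recommendation; -Apply writes only the
    # values that differ. Machines managed by Group Policy should use GPO instead.
    param([switch]$Apply)
    foreach ($v in $Recommended.Keys) {
        $item    = Get-ItemProperty -Path $ZonePath -Name $v -ErrorAction SilentlyContinue
        $current = if ($null -ne $item) { [int]$item.$v } else { $null }  # missing value => not set
        $want    = $Recommended[$v].Value
        $ok      = ($current -eq $want)
        if (-not $ok -and $Apply) {
            Set-ItemProperty -Path $ZonePath -Name $v -Value $want -Type DWord
        }
        [pscustomobject]@{
            Setting   = $Recommended[$v].Name
            Current   = if ($null -ne $current) { ConvertTo-SettingLabel $v $current } else { 'not set' }
            Wanted    = ConvertTo-SettingLabel $v $want
            Compliant = $ok
        }
    }
}

Test-IeInternetZone | Format-Table -AutoSize   # add -Apply to enforce the recommendation
```

If the 1C00 value is absent the script reports "not set", which on current systems usually means no Java plug-in is registered for the browser at all.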
