Disabling Active Scripting in Internet Explorer

Many of the current security vulnerabilities in Microsoft's Internet Explorer web browser lie in the feature called "active scripting". Active scripts are programs written in JavaScript, or sometimes Microsoft's VBScript and ActiveX. If you ever go to a URL that has an ".asp" extension, you are most likely running a script, or program, off of that server. While Internet Explorer is a great browser in many ways, and while we don't necessarily discourage its use here in ACD, it will be important for you to disable active scripting except where absolutely necessary. The reason is that active scripting is one mechanism by which worms can enter our computing environment, infect your PC, and then use your PC to launch attacks elsewhere. There is also a risk that such attacks could release personal information such as cookies containing passwords, URLs, and credit card information.

While it is possible to completely disable active scripting, there are legitimate sites for which you want active scripting enabled: for example, http://windowsupdate.microsoft.com, many of the pages served by the http://www.acd.ucar.edu web site, and the http://www.acd.ucar.edu/search search pages. Webmail sites may also use active scripting, sites with large amounts of content such as CNN's news site can make heavy use of scripts, and online commerce sites such as CDW, PC Connection, etc., may use scripts as well.

Fortunately, Internet Explorer has "trusted sites" built into its design. That is, it is possible to disable active scripting in general but enable it for the sites that you routinely visit, such as your webmail or online commerce sites. Here are some steps to make Internet Explorer more secure in ACD (and therefore protect the rest of UCAR's computing environment):

(I should also note that these settings are even more vital for home PC users outside of UCAR's somewhat protected environment. Browsing at home generally tends to hit a wider variety of sites, increasing one's chances of picking up a virus or worm from an infected site.)

  1. Make sure you are running Internet Explorer version 6. If you must, there is still support from Microsoft for IE5.5 service pack 2, but not for previous versions. Click Help and select "About Internet Explorer". If you don't have Internet Explorer version 6, go ahead and update by logging in as the local Administrator, starting up Internet Explorer and going to the site "http://windowsupdate.microsoft.com".
  2. Now that you are running version 6, click the Tools menu and select "Internet Options".
  3. Click on the "Security Tab", then the "Trusted Sites" icon, and then "Sites..." button.

  4. For each site that you think will require active scripting, enter that site and then click "Add". Note that adding a site also adds content within that site. So by adding http://acd.ucar.edu for instance, you are by proxy adding sites such as "http://acd.ucar.edu/~fredrick" and do not have to explicitly specify those sites within http://acd.ucar.edu. You could trust all UCAR sites for instance by adding the site http://ucar.edu. Here is an example of a few sites I added:
  5. The option "require server verification (https:)" can be used to add further restrictions to the trusted site. So if we checked the box while adding http://www.yahoo.com, for instance, we would be telling IE not to allow scripts from http://www.yahoo.com but to allow them from https://www.yahoo.com (the "https://" means that the web page is encrypted using SSL). I haven't found an example yet where this can be used without causing problems, except perhaps with our own http://webmail.acd.ucar.edu webmail site.
  6. Now click OK to accept and trust the sites. When you go back to the previous dialog box, make sure that "Trusted Sites" is still highlighted, and click on "Custom Level" (you can choose different "levels" of security for each of "Internet", "Local Intranet", "Trusted Sites", and "Restricted Sites"). I opted here to deal with "Trusted Sites", but the other types of sites can be used to further refine your security settings once you are familiar with the process.

  7. Where it says "Reset custom settings", "Medium-low" is enough for most sites to work properly. But in a few instances, such as with home-built sites like ours, you may need to set this to "Low". Microsoft's default is "Low". Remember that you are only enabling these settings for sites that you put in the "Trusted Sites" list in steps 4-6.
  8. You might like to scroll down and examine the various options. You can turn things off and on as you wish. Here are the "Low" settings for the entries specific to active scripting:
  9. Click "OK" to save the settings for your trusted sites.
  10. Now highlight each of the icons "Internet" and "Restricted Sites". For "Internet", click on "Custom Level" and select "High". The "High" setting disables active scripts entirely, disables Java, and disables automatic file downloads. This is the recommended setting for browsing most of the Internet. When you find that a site isn't working properly, go ahead and decide whether you trust that site, and if you do, use steps 4-6 above to add that site to the "Trusted Sites". For "Restricted Sites" only use the "High" setting. You can add sites here about which you might have been warned, but so far we don't have a list of such sites to offer. For myself, I only use the "Internet" and "Trusted Sites" icons, disabling scripting for "Internet" and enabling it for "Trusted Sites".
  11. Note that in a Domain, these settings are specific to the current login. So if someone else logs onto your machine, they will need to go into Internet Explorer and make their own settings. These are then stored in their profile. Local Administrator is considered a separate account with separate settings for these options. And on a laptop, if you have a local user account, that too is considered a separate account with separate settings.
  12. If you upgrade Internet Explorer, please go back to the security settings and make sure they haven't been reset.
  13. Also, on Outlook: we recommend against using it to read email due to its flawed history in terms of security and its lack of interoperability with some of the rest of our environment. But if you must use it, be sure to set its security so that you never enable scripts of any sort. There is no reason (except to propagate worms and viruses) that you would ever want to run a script directly out of an email message. To set Outlook settings, go to Tools/Options/Security. Under "Zone" select "Internet", then click on "Zone Settings". You'll get the same-looking dialog box as the IE one described above. For each of the zones "Internet", "Local Intranet", "Trusted Sites", and "Restricted Sites", set the security setting to "High". This will disable running any kind of script out of Outlook. But again, using Outlook is dangerous, and we would prefer that you use another email agent.
  14. Now quit Internet Explorer (or Outlook) and restart it for the security settings to take effect. You should then be able to browse to and fully use the sites in your "Trusted Sites" list. As you browse, note that on the bottom of your screen, the type of site will appear. For example, we added "www.cnn.com" to our trusted sites, so while at http://www.cnn.com, I would see a little green icon indicating that I'm on a trusted site on the bottom of the browser pane:
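The Internet Options dialog used in steps 3-10 edits per-user registry values, so the same configuration can be applied and checked from a script. The PowerShell script below is an added example and is not part of the original ACD instructions; PowerShell is assumed as the Windows administration shell, the registry paths, zone numbers and the 1400 "Active scripting" action value are Internet Explorer's own, and the function names are this example's choices. The sites it adds are the ones named in the steps above, with the webmail site entered in the "require server verification (https:)" form from step 5.

```powershell
# Added example, not the ACD page's own instructions: apply and audit the
# Internet Explorer zone settings from steps 3-10 through the per-user
# registry keys the Internet Options dialog edits. Run it as the user whose
# profile you are configuring (step 11) and restart IE afterwards (step 14).

$ZonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$DomainsKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# Zone numbers as Internet Explorer stores them (1 = Local intranet is not used here).
$TrustedZone    = 2
$InternetZone   = 3
$RestrictedZone = 4

# Action value 1400 is "Active scripting"; its DWORD data means 0 = Enable, 1 = Prompt, 3 = Disable.
$ActiveScripting = '1400'
$Enable  = 0
$Disable = 3

function Add-TrustedSite {
    # Steps 4-5: put a site in the Trusted sites list. Without -RequireHttps the
    # entry covers every scheme ("*"); with it only https:// pages are trusted.
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [switch] $RequireHttps
    )
    # IE keys the entry by registered domain, then by the remaining host labels:
    # "acd.ucar.edu" -> Domains\ucar.edu\acd, "ucar.edu" -> Domains\ucar.edu (which
    # also covers every host under it, as step 4 describes).
    $labels = $Domain.Split('.')
    if ($labels.Count -gt 2) {
        $registered = $labels[-2..-1] -join '.'
        $hostPart   = $labels[0..($labels.Count - 3)] -join '.'
        $key = Join-Path (Join-Path $DomainsKey $registered) $hostPart
    } else {
        $key = Join-Path $DomainsKey $Domain
    }
    New-Item -Path $key -Force | Out-Null
    $scheme = if ($RequireHttps) { 'https' } else { '*' }
    New-ItemProperty -Path $key -Name $scheme -Value $TrustedZone -PropertyType DWord -Force | Out-Null
}

function Set-ZoneActiveScripting {
    # Steps 9-10: the "Active scripting" entry of one zone's Custom Level.
    param([int] $Zone, [int] $Action)
    Set-ItemProperty -Path (Join-Path $ZonesKey $Zone) -Name $ActiveScripting -Value $Action -Type DWord
}

function Get-ZoneActiveScripting {
    # Audit helper for step 12: report how a zone currently treats active scripting.
    param([int] $Zone)
    $item = Get-ItemProperty -Path (Join-Path $ZonesKey $Zone) -Name $ActiveScripting -ErrorAction SilentlyContinue
    switch ($item.$ActiveScripting) {
        0       { 'Enable' }
        1       { 'Prompt' }
        3       { 'Disable' }
        default { 'not set (zone template default applies)' }
    }
}

# Sites named in the steps above; webmail gets the https-only form from step 5.
Add-TrustedSite -Domain 'acd.ucar.edu'
Add-TrustedSite -Domain 'www.cnn.com'
Add-TrustedSite -Domain 'webmail.acd.ucar.edu' -RequireHttps

# Scripting on for Trusted sites only; off for Internet and Restricted sites.
Set-ZoneActiveScripting -Zone $TrustedZone    -Action $Enable
Set-ZoneActiveScripting -Zone $InternetZone   -Action $Disable
Set-ZoneActiveScripting -Zone $RestrictedZone -Action $Disable

foreach ($zone in $TrustedZone, $InternetZone, $RestrictedZone) {
    "Zone $zone active scripting: $(Get-ZoneActiveScripting -Zone $zone)"
}
```

Two caveats when using this in place of the dialog. The "High" and "Low" templates chosen in steps 7 and 10 change many entries besides active scripting (Java, ActiveX, file downloads), and this script touches only value 1400, so step 10's "High" remains the fuller setting for the Internet zone. On a domain-joined PC, Group Policy can override or lock these per-user values (the dialog then shows them greyed out), which is worth checking before concluding that the script's changes have not taken effect; the Get-ZoneActiveScripting helper reads back what is actually stored for the current user, which also serves the re-check asked for in step 12.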

With any browser, it is important to stay up to date as the number of browser exploits grows. And in case you are thinking that only "hacker" or other illegitimate sites contain exploits for your browser, in the recent Nimda worm case many sites running Microsoft's web server were infected. I had heard reports of people picking up the Nimda worm after only visiting sites containing free email services and newspapers. I should also say that Microsoft traditionally makes other components of its operating system dependent on Internet Explorer and its settings. So securing Internet Explorer is important to do, even if you use another browser to go to the web. In ACD, we are making a strong effort to make sure that all of our desktop PCs are running Internet Explorer 6, plus whatever security updates we can find from the http://windowsupdate.microsoft.com site. As always, feel free to submit a work request if you need help securing your browser.