Computer Technos


Monday, 12 April 2010

Internet Explorer Security Features

Posted on 10:05 by Unknown
Windows Internet Explorer 8, included with Windows 7, offers incremental security improvements over Internet Explorer 7. These improvements provide dynamic protection against data theft, fraudulent Web sites, and malicious and hidden software. Microsoft made architectural enhancements to Internet Explorer 7, and has carried those enhancements over to Internet Explorer 8, to make the Web browser less of a target for attackers and other malicious people, which will help users browse with better peace of mind. However, as security is tightened, compatibility and extensibility tend to suffer. With Internet Explorer 8, Microsoft is working hard to ensure that this balance is met effectively so that users can have the safest and best possible browsing experience.

Internet Explorer 8 includes the following security features (some of which are also included with Internet Explorer 7):

• SmartScreen filter. Internet Explorer 8 uses an Internet service to check Uniform Resource Locators (URLs) that a user visits and warns users when they attempt to visit a site that might be unsafe. The SmartScreen filter can also warn users when they attempt to download software that is potentially unsafe. Users still have the ability to complete an action, even if SmartScreen warns them of a risk. In this way, SmartScreen reduces the risk of users visiting phishing sites or downloading malware without limiting what a user can do.

• Cross-Site Scripting (XSS) filter. Sometimes attackers exploit vulnerabilities in a Web site and then use the Web site to extract private information from users who visit the site. This can make a site that is normally safe a security risk—without the site owner’s knowledge. Internet Explorer 8 can detect malicious code running on compromised Web sites, helping to protect users from exploits that can lead to information disclosure, cookie stealing, identity theft, and other risks.

• Domain Highlighting. Attackers often use carefully structured URLs to trick users into thinking they are visiting a legitimate Web site. For example, a Web site owner might use the hostname www.microsoft.com.contoso.com to make a user think they are visiting the www.microsoft.com site—even though contoso.com controls the domain. Domain Highlighting helps users more easily interpret URLs to avoid deceptive Web sites that attempt to trick users with misleading addresses. It does this by highlighting the domain name in the address bar in black, with the remainder of the URL string in gray, making for easier identification of the site’s true identity.

• Data Execution Prevention. DEP is a security feature that can help prevent compromises from viruses and other security threats by preventing certain types of code from writing to executable memory space. Although DEP is an operating system feature included with Windows Vista and Windows 7, Internet Explorer 8 makes use of it to minimize the risk of exploits for Web sites in the Internet zone. DEP is not enabled for Web sites in the intranet zone.

• Internet Explorer Protected Mode. In Protected Mode, Internet Explorer 8 runs with reduced permissions to help prevent user or system files or settings from changing without the user’s explicit permission. The new browser architecture, introduced with Internet Explorer 7, uses a “broker” process that helps to enable existing applications to elevate out of Protected Mode in a more secure way. This additional defense helps verify that scripted actions or automatic processes are prevented from downloading data outside of the low-rights directories, such as the Temporary Internet Files folder. Protected Mode is available only when using Internet Explorer 8 with Windows Vista or Windows 7 when UAC is enabled. Protected Mode is not available in Windows XP.

• ActiveX Opt-In. ActiveX Opt-In automatically disables all controls that the developer has not explicitly identified for use on the Internet. This mitigates the potential misuse of preinstalled controls. In Windows Vista and Windows 7, users are prompted by the Information Bar before they can access a previously installed ActiveX control that has not yet been used on the Internet but has been designed to be used on the Internet. This notification mechanism enables the user to permit or deny access on a control-by-control basis, further reducing available surface area for attacks. Web sites that attempt automated attacks can no longer secretly attempt to exploit ActiveX controls that were never intended to be used on the Internet.

• Fix My Settings. Most users install and operate applications using the default configuration, so Internet Explorer 7 and Internet Explorer 8 ship with security settings that provide the maximum level of usability while maintaining controlled security. In rare instances, a custom application might legitimately require a user to lower security settings from the default, but it is critical that the user reverse those changes when the custom settings are no longer needed. The Fix My Settings feature warns users with an Information Bar when current security settings might put them at risk. Clicking the Fix My Settings option in the Information Bar instantly resets Internet Explorer security settings to the Medium-High default level. In AD DS environments, you can configure the required permissions for internal applications so that security restrictions do not need to be a concern.

• Security Status Bar. The Security Status Bar in Internet Explorer 7 and Internet Explorer 8 helps users quickly differentiate authentic Web sites from suspicious or malicious ones by enhancing access to digital certificate information that helps validate the trustworthiness of e-commerce sites. The new Security Status Bar also provides users with clearer, more prominent visual cues indicating the safety and trustworthiness of a site, and it supports information about High Assurance certificates for stronger identification of secure sites (such as banking sites).

• URL handling protections. Internet Explorer 7 and Internet Explorer 8 have a single function to process URL data, significantly reducing the internal attack surface. This new data handler ensures greater reliability while providing more features and increased flexibility to address the changing nature of the Internet as well as the globalization of URLs, international character sets, and domain names.

Additionally, each of these features is configurable by using Group Policy, enabling centralized control over Internet Explorer security. Windows 7 includes Internet Explorer 8, which includes all of these features. Internet Explorer 8 can also be installed on Windows Vista.
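
To make the Domain Highlighting split concrete, here is an added example (not from the original post or from Internet Explorer itself) that separates a URL into the emphasized domain and the grayed-out remainder, and flags the www.microsoft.com.contoso.com pattern described above. SUFFIXES and TRUSTED are small constructed samples, and the function names are hypothetical.

```javascript
// Added example. SUFFIXES and TRUSTED are constructed samples; a real
// implementation would load the full Public Suffix List instead.
const SUFFIXES = new Set(["com", "net", "org", "uk", "co.uk"]);
const TRUSTED = new Set(["microsoft.com"]); // hypothetical sites the user knows

// Return the registrable domain: the public suffix plus one label to its left.
function registrableDomain(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  // IP literals have no label hierarchy, so the whole host is the identity.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith("[")) return host;
  const labels = host.split(".");
  // Candidates run from the longest suffix to the shortest; first hit wins.
  for (let i = 0; i < labels.length; i++) {
    if (SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? host : labels.slice(i - 1).join(".");
    }
  }
  return host; // unknown suffix: do not guess, emphasize the full host
}

// Split a URL into the emphasized domain and the de-emphasized remainder, and
// flag hosts that carry a trusted name only in the de-emphasized part.
function highlight(urlString) {
  const url = new URL(urlString);
  const host = url.hostname.replace(/\.$/, "");
  const domain = registrableDomain(host);
  const subdomains = host.slice(0, host.length - domain.length);
  const misleading = !TRUSTED.has(domain) &&
    [...TRUSTED].some((t) => ("." + subdomains).includes("." + t + "."));
  return {
    before: `${url.protocol}//${subdomains}`,   // shown in gray
    domain,                                     // shown in black
    after: (url.port ? ":" + url.port : "") + url.pathname + url.search,
    misleading,
  };
}

// Constructed sample input: the deceptive hostname from the text.
console.log(highlight("http://www.microsoft.com.contoso.com/login"));
```
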


Source of Information : Windows 7 Resource Kit 2009 Microsoft Press