Internet Explorer remains the most popular web browser on Windows, which makes it a large target for malware and cybercrime. This guide focuses on securing Internet Explorer 9 and significantly increases the browser's security through add-ins and hardening settings. We skip earlier versions of Internet Explorer and recommend upgrading to Internet Explorer 9. It requires Windows Vista (SP2) or Windows 7, so if you are running an older version of Windows we recommend upgrading or buying a new computer. Older versions of Windows such as Windows XP were not built with security in mind and cannot run Internet Explorer 9 at all.
Windows 8 and Internet Explorer 10
Due in 2012, Windows 8 and Internet Explorer 10 promise tighter security. ForceASLR will randomize the load address of every module Internet Explorer loads, even ones not compiled with ASLR support, and High Entropy ASLR will take advantage of the much larger address space of 64-bit Windows 8 PCs.
Secure your computer, web browser, Internet connection
Follow our guides to secure your Windows PC or secure your Macintosh by installing the right software, firewall, antivirus software, etc. Secure your mobile devices: iPhone, Android smartphone or tablet, iPad. Configure the settings and add plug-ins to your web browser so that it is more secure. Consult our tutorials for: Internet Explorer 9, Google Chrome, and Mozilla Firefox. Secure your Internet connection: Wireless Network, Public Wi-Fi.
We recommend booting from a Linux live CD or USB key for mission-critical tasks such as online banking, online trading, or online shopping. Internet Explorer has had so many bugs over the years that even with all our suggestions applied, security-conscious users may prefer to run Firefox or Chrome instead.
Internet Explorer 9 includes the following security oriented features:
- ActiveX Filtering
- Domain highlighting
- SmartScreen Filter
- Cross site scripting (XSS) filter
- SSL/TLS encryption with 128-bit and stronger cipher suites
- Tracking Protection
- InPrivate Browsing
The Golden rules of the Internet:
- Do not trust anyone
- If it is too good to be true, it probably is
- Don’t install software from anonymous sources
- Don’t automatically hit “yes” to any pop-up
- If it looks suspicious, run
Before you make any changes to your system, always back it up.
Internet Explorer Add-ons
Software that extends Internet Explorer is itself a target for malware and adds new entry points into your computer. Keep every third-party add-on up to date, and remove any add-on you rarely use: each one removed is attack surface gone.
- Adobe Reader or Adobe Acrobat – A major source of Internet threats; consider an alternative PDF reader such as Foxit Reader or PDF-XChange, and keep whichever reader you use updated.
- Flash Player – This animation plug-in is widely used but a steady source of security holes and updates. If you need Flash, you will have to update it constantly.
- Java – Lets cross-platform applets run in the browser, but it is another huge malware target. We recommend removing it unless you really need it for a particular application. This page checks if Java is installed.
- QuickTime – Installed alongside iTunes and hard to remove without giving up iTunes. The best option is to update it whenever it offers a new version.
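To see which of the plug-ins above are present and what else is hooked into the browser, the following PowerShell script is an added example (not from the original article). It lists the four plug-ins by their Programs and Features display names and every Browser Helper Object (BHO) Internet Explorer loads, resolved to name and DLL path. It is read-only, needs no elevation, and reads only the standard Uninstall and BHO registry keys; the display-name pattern is an assumption about how the vendors name their installers.

```powershell
# Added example, not from the original article: inventory the risky plug-ins
# named above plus every Browser Helper Object (BHO), with version and DLL path,
# so you can see what needs updating or removing. Read-only; no elevation needed.

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
# Display names as they appear in Programs and Features (assumed pattern).
$RiskyPattern = 'Adobe Reader|Adobe Acrobat|Flash Player|^Java|QuickTime'

function Get-RiskyPlugin {
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $RiskyPattern } |
        Select-Object DisplayName, DisplayVersion, Publisher |
        Sort-Object DisplayName -Unique
}

# BHOs are registered by CLSID only; resolve each to its name and DLL via HKCR\CLSID.
# On 64-bit Windows the IE9 tab processes are 32-bit, so the Wow6432Node entries
# are the ones actually loaded into the pages you browse.
$BhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-IEBrowserHelperObject {
    foreach ($key in $BhoKeys) {
        if (-not (Test-Path $key)) { continue }
        $bitness = if ($key -match 'Wow6432Node') { '32-bit' } else { 'native' }
        foreach ($sub in Get-ChildItem -Path $key) {
            $clsid  = $sub.PSChildName
            $clsKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
            $name   = (Get-ItemProperty -Path $clsKey -ErrorAction SilentlyContinue).'(default)'
            $dll    = (Get-ItemProperty -Path "$clsKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            New-Object PSObject -Property @{ CLSID = $clsid; Name = $name; Dll = $dll; Bitness = $bitness }
        }
    }
}

Get-RiskyPlugin | Format-Table -AutoSize
Get-IEBrowserHelperObject | Format-Table Name, Dll, Bitness, CLSID -AutoSize
```

A BHO whose Name is empty or whose DLL lives outside Program Files or the Windows directory deserves a closer look; the Manage add-ons dialog shows the same CLSIDs, so the list maps directly onto what you can disable there.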
Hardening Internet Explorer 9's Settings
Internet Explorer 9 can be secured further with several key changes to the browser's settings. Many of these were recommended by Microsoft's Security Compliance Manager (SCM) security baseline for Internet Explorer 9; we have selected all of the settings it rates Critical.
1. Selectively Enable ActiveX to increase security
ActiveX controls are native code that a web page can load into the browser. Because the control is downloaded from the site you are visiting and runs with the browser's privileges, a malicious or buggy control can install malware. Our goal is to run ActiveX only on known, trusted websites.
- Launch Internet Explorer 9
- Click on the Gear Icon in the upper right hand corner
- Select Safety
- Select ActiveX Filtering
When you visit a website that uses ActiveX, a light-blue circle with a line through it appears in the address bar. Click it and choose Turn off ActiveX Filtering to allow ActiveX for that particular site; the exception is remembered, so you only need to do this once per website. Protected Mode and SmartScreen still apply to controls you allow.
2. Enable Protected Mode for Intranet and Trusted Site Zones
Protected Mode runs Internet Explorer as a low-integrity process, so a page that exploits the browser still cannot write to your profile, the registry, or most of the file system. It is on by default for the Internet and Restricted sites zones and off for Local intranet and Trusted sites; turning it on for those two zones as well increases security further. Protected Mode only works while User Account Control (UAC) is enabled, so do not turn UAC off.
- Launch Internet Explorer 9
- Click on the Tools Menu
- Select Internet Options
- Click on Security tab
- Click on Local intranet
- Check “Enable Protected Mode“
- Click on Trusted sites and check "Enable Protected Mode" there as well, then click OK and restart Internet Explorer
3. Mark Valuable Data Inaccessible to Internet Explorer
Download chml.exe (Mark Minasi's free command-line tool for mandatory integrity labels) and use it to label your valuable files and folders so that Internet Explorer in Protected Mode, which runs at Low integrity, cannot read, execute, or write them. This only stops low-integrity processes: malware that has already escaped to your normal (Medium) integrity level reads the folder like any other program. (Better yet, use TrueCrypt and keep the volume unmounted while you browse!)
For example, if your sensitive data is stored in the folder C:\Sensitive_Data, you would do:
- Press Start menu
- Go to All Programs
- Go to Accessories
- Right-Click on Command Prompt
- Select Run as Administrator
- Type chml C:\Sensitive_Data -i:m -nr -nx -nw (-i:m sets a Medium integrity label; -nr, -nx and -nw add the No-Read-Up, No-Execute-Up and No-Write-Up policies, so lower-integrity processes cannot read, execute or write the folder)
- Press Enter to Execute the Command
- Type Exit to end the Command Prompt
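The label can be checked without trusting chml's own output: icacls, which ships with Windows, prints the mandatory label and its policy flags. The following PowerShell script is an added example (not from the original article) that applies the same chml command as above and then reads the label back, reporting whether NR, NX and NW are all present. It assumes chml.exe is on the PATH and that the prompt is elevated; the folder name is the article's example.

```powershell
# Added example, not from the original article: apply the label from the chml
# command above and read it back with icacls (built into Windows) to confirm the
# folder carries a Medium mandatory label with the NR, NX and NW policies, i.e.
# no read, execute or write from lower-integrity processes such as IE in
# Protected Mode. Assumes chml.exe is on the PATH and the prompt is elevated.

function Set-NoReadUpLabel {
    param([Parameter(Mandatory=$true)][string]$Path)
    & chml.exe $Path -i:m -nr -nx -nw | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "chml failed on $Path (exit code $LASTEXITCODE)" }
}

function Get-MandatoryLabel {
    param([Parameter(Mandatory=$true)][string]$Path)
    # icacls prints a line like:  Mandatory Label\Medium Mandatory Level:(OI)(CI)(NW,NR,NX)
    # and prints no such line for an unlabelled object, which is implicitly Medium
    # with only the default No-Write-Up policy.
    $pattern = 'Mandatory Label\\(\w+) Mandatory Level:(.*)$'
    $line = & icacls.exe $Path 2>&1 | Where-Object { $_ -match $pattern } | Select-Object -First 1
    if (-not $line) {
        return New-Object PSObject -Property @{
            Path = $Path; Level = '(unlabelled, implicit Medium)'
            NoReadUp = $false; NoExecuteUp = $false; NoWriteUp = $true
        }
    }
    $null = "$line" -match $pattern
    New-Object PSObject -Property @{
        Path        = $Path
        Level       = $Matches[1]
        NoReadUp    = [bool]($Matches[2] -match '\bNR\b')
        NoExecuteUp = [bool]($Matches[2] -match '\bNX\b')
        NoWriteUp   = [bool]($Matches[2] -match '\bNW\b')
    }
}

Set-NoReadUpLabel 'C:\Sensitive_Data'
Get-MandatoryLabel 'C:\Sensitive_Data' | Format-List Path, Level, NoReadUp, NoExecuteUp, NoWriteUp
```

If NoReadUp comes back false, a Protected Mode tab can still read the folder; the default label only blocks writes. Run Get-MandatoryLabel again after any backup or restore, since tools that recreate the folder may not preserve the label.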
4. Set Internet Explorer 9 to High Security
US-CERT recommends the High security level for the Internet zone (the default is Medium-high). High disables ActiveX, Active Scripting, Java and other active content, which makes the browser much harder to exploit, but many websites will not load correctly until you add them to the Trusted sites zone, which quickly becomes tedious. Because sites you move there get weaker settings, enable Protected Mode for Trusted sites (step 2) before doing this. Many people will choose to skip this step.
- Launch Internet Explorer 9
- Click on the Tools Menu
- Select Internet Options
- Click on Security tab
- Click on Internet
- Select High for Security level for this zone
- Confirm "Enable Protected Mode" is checked (it is on by default for this zone) and click OK
5. Internet Explorer 9 security settings
The Local Group Policy Editor (gpedit.msc) is not included in Vista Home or Windows 7 Home editions. On those editions the same settings can still be applied by writing the registry values the policies stand for (under HKLM and HKCU\Software\Policies\Microsoft), which is what the editor does behind the scenes.
If you are running Windows Vista Business, Enterprise or Ultimate, or Windows 7 Professional, Enterprise or Ultimate, do the following:
- Hit Windows key and the letter R
- Type “gpedit.msc” into the Box, Hit OK
- If User Account Control is enabled, Hit Yes
Now that the Local Group Policy Editor is open, we will make several changes to increase the security of Internet Explorer 9. Policies under Computer Configuration apply to every user of the PC; those under User Configuration apply only to the account you are logged on with. Restart Internet Explorer after making the changes.
Disable AutoComplete for forms – AutoComplete caches what you type into web forms, which can include sensitive data.
- Navigate to “User Configuration\Administrative Templates\Windows Components\Internet Explorer\Disable AutoComplete for forms”
- Check Enabled and Press OK
Disable Save this program to disk option – Users could otherwise download and then execute hostile code from websites. This removes the Save option from the download dialog, so only set it on accounts that do not need to download files.
- Navigate to “User Configuration\Administrative Templates\Windows Components\Internet Explorer\Browser menus\Disable Save this program to disk option”
- Check Enabled and Press OK
Disable changing certificate settings – Users could otherwise import new certificates, remove trusted ones, or change settings for previously configured ones.
- Navigate to “User Configuration\Administrative Templates\Windows Components\Internet Explorer\Disable changing certificate settings”
- Check Enabled and Press OK
Prevent users from bypassing SmartScreen's application reputation warnings – Stops the user from running a downloaded file that SmartScreen flags as not commonly downloaded, reducing the risk of malware infection.
- Navigate to “Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Prevent users from bypassing SmartScreen Filter’s application reputation warnings about files that are not commonly downloaded from the Internet”
- Check Enabled and Press OK
Only use the ActiveX Installer Service for installation of ActiveX Controls – The standard installation process is less secure than using the ActiveX Installer Service. The service is a Windows feature that must be turned on, and the sites allowed to install controls are listed in the separate "Approved Installation Sites for ActiveX Controls" policy.
- Navigate to “Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Only use the ActiveX Installer Service for installation of ActiveX Controls”
- Check Enabled and Press OK
Prevent Bypassing SmartScreen Filter Warnings – Otherwise the user can ignore a SmartScreen Filter warning and continue to a site determined to be unsafe.
- Navigate to “Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Prevent Bypassing SmartScreen Filter Warnings”
- Check Enabled and Press OK
Turn off Managing SmartScreen Filter for Internet Explorer 9 – Despite its name, enabling this policy and choosing On forces SmartScreen on and removes the user's ability to turn it off, reducing the risk of malware infection via malicious websites.
- Navigate to "Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Turn off Managing SmartScreen Filter for Internet Explorer 9"
- Check Enabled, select On in the drop-down, and press OK
Java permissions – Java applets could contain malicious code. Enabling the policy reveals a drop-down; choose Disable Java (or High safety if an applet you must use would otherwise break).
- Navigate to "Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone\Java permissions"
- Check Enabled, choose Disable Java, and press OK
- Navigate to "Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone\Java permissions"
- Check Enabled, choose Disable Java, and press OK
Turn on ActiveX Filtering – Without ActiveX Filtering you cannot make an informed decision about every ActiveX control you run.
- Navigate to “Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Turn on ActiveX Filtering”
- Check Enabled and Press OK
Security Zones: Do not allow users to change policies – Users who change their Internet Explorer security settings could enable the execution of dangerous types of code from the Internet.
- Navigate to “Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Zones: Do not allow users to change policies”
- Check Enabled and Press OK
Security Zones: Do not allow users to add/delete sites – Otherwise users can add or remove sites from the Trusted Sites and Restricted Sites zones at will and change settings in the Local Intranet zone. Add any sites you need to the Trusted sites list before enabling this.
- Navigate to “Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Zones: Do not allow users to add/delete sites”
- Check Enabled and Press OK
Security Zones: Use only machine settings – Internet Explorer ignores per-user zone settings and applies the machine-wide (HKEY_LOCAL_MACHINE) ones to everyone, so a user who changes their security settings cannot enable the execution of dangerous code from the Internet. The per-user Trusted and Restricted site lists are ignored too, so maintain those lists at the machine level.
- Navigate to “Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Zones: Use only machine settings”
- Check Enabled and Press OK
Turn off Crash Detection – A crash report might contain sensitive information from the computer’s memory.
- Navigate to “Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Turn off Crash Detection”
- Check Enabled and Press OK
Turn off Encryption Support – Despite the name, enabling this policy lets you choose which SSL/TLS protocol versions Internet Explorer may use. Select TLS 1.0, TLS 1.1 and TLS 1.2 and leave SSL 2.0 unchecked; SSL 2.0 is broken and should never be used. Leave SSL 3.0 unchecked as well unless a site you need still requires it.
- Navigate to "Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page\Turn off Encryption Support"
- Check Enabled, tick only the TLS versions, and press OK
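Every policy in this section is stored as a registry value under the Policies hive, which is also how the settings can be applied on Home editions without gpedit.msc. The following PowerShell script is an added example (not from the original article and not a Microsoft tool) that writes the values behind the policies listed above, plus the Protected Mode setting for the Local intranet and Trusted sites zones from step 2, and then reads each one back. It assumes an elevated prompt with Internet Explorer closed; where the article leaves a choice open it picks Disable Java for the Java permissions policy and TLS 1.0/1.1/1.2 only (0xA80) for Turn off Encryption Support.

```powershell
# Added example, not from the original article: apply the Group Policy settings
# above (and Protected Mode for zones 1 and 2 from step 2) by writing the registry
# values the policies stand for, then verify each one. Works on Home editions that
# lack gpedit.msc. Assumes an elevated prompt and Internet Explorer closed.
# Java permissions = Disable Java and SecureProtocols = 0xA80 (TLS 1.0+1.1+1.2)
# are this example's choices, not the article's.
param([switch]$AuditOnly)   # -AuditOnly: report current values, change nothing

$IEMachine = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer'
$IEUser    = 'HKCU:\SOFTWARE\Policies\Microsoft\Internet Explorer'
$InetSet   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

# Name = policy as shown in gpedit.msc; Path\Value = the registry value behind it.
$Policies = @(
    @{ Name='Disable AutoComplete for forms';                Path="$IEUser\Main";           Value='Use FormSuggest';             Data='no';  Type='String' },
    @{ Name='Disable Save this program to disk option';      Path="$IEUser\Restrictions";   Value='NoSelectDownloadDir';         Data=1;     Type='DWord' },
    @{ Name='Disable changing certificate settings';         Path="$IEUser\Control Panel";  Value='Certificates';                Data=1;     Type='DWord' },
    @{ Name='Prevent bypassing SmartScreen app reputation';  Path="$IEMachine\PhishingFilter"; Value='PreventOverrideAppRepUnknown'; Data=1; Type='DWord' },
    @{ Name='Prevent Bypassing SmartScreen Filter Warnings'; Path="$IEMachine\PhishingFilter"; Value='PreventOverride';         Data=1;     Type='DWord' },
    @{ Name='Turn off Managing SmartScreen Filter (On)';     Path="$IEMachine\PhishingFilter"; Value='EnabledV9';               Data=1;     Type='DWord' },
    @{ Name='Only use the ActiveX Installer Service';        Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\AxInstaller'; Value='OnlyUseAXISForActiveXInstall'; Data=1; Type='DWord' },
    @{ Name='Java permissions, Internet zone';               Path="$InetSet\Zones\3";       Value='1C00';                        Data=0;     Type='DWord' },
    @{ Name='Java permissions, Restricted sites zone';       Path="$InetSet\Zones\4";       Value='1C00';                        Data=0;     Type='DWord' },
    @{ Name='Turn on Protected Mode, Local intranet zone';   Path="$InetSet\Zones\1";       Value='2500';                        Data=0;     Type='DWord' },
    @{ Name='Turn on Protected Mode, Trusted sites zone';    Path="$InetSet\Zones\2";       Value='2500';                        Data=0;     Type='DWord' },
    @{ Name='Turn on ActiveX Filtering';                     Path="$IEMachine\Safety\ActiveXFiltering"; Value='IsEnabled';      Data=1;     Type='DWord' },
    @{ Name='Security Zones: Do not allow users to change policies';  Path=$InetSet; Value='Security_options_edit';   Data=1;  Type='DWord' },
    @{ Name='Security Zones: Do not allow users to add/delete sites'; Path=$InetSet; Value='Security_zones_map_edit'; Data=1;  Type='DWord' },
    @{ Name='Security Zones: Use only machine settings';     Path=$InetSet;                 Value='Security_HKLM_only';          Data=1;     Type='DWord' },
    @{ Name='Turn off Crash Detection';                      Path="$IEMachine\Restrictions"; Value='NoCrashDetection';           Data=1;     Type='DWord' },
    @{ Name='Turn off Encryption Support (TLS 1.0/1.1/1.2)'; Path=$InetSet;                 Value='SecureProtocols';             Data=0xA80; Type='DWord' }
)

function Set-IEPolicyValue {
    param([hashtable]$P)
    if (-not (Test-Path $P.Path)) { New-Item -Path $P.Path -Force | Out-Null }
    New-ItemProperty -Path $P.Path -Name $P.Value -Value $P.Data -PropertyType $P.Type -Force | Out-Null
}

function Test-IEPolicyValue {
    param([hashtable]$P)
    $actual = (Get-ItemProperty -Path $P.Path -Name $P.Value -ErrorAction SilentlyContinue).($P.Value)
    New-Object PSObject -Property @{
        Policy = $P.Name; Expected = $P.Data; Actual = $actual; Applied = ($actual -eq $P.Data)
    }
}

if (-not $AuditOnly) { foreach ($p in $Policies) { Set-IEPolicyValue $p } }
$Policies | ForEach-Object { Test-IEPolicyValue $_ } | Format-Table Policy, Expected, Actual, Applied -AutoSize
```

Run it once with -AuditOnly to see the current state before changing anything. Values written this way show up as Enabled in gpedit.msc and stay in force until the values are deleted. Because Security_HKLM_only makes Internet Explorer ignore the per-user zone configuration, any Trusted or Restricted sites you rely on must be added under HKLM rather than in the user's own list.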
Helpful Internet Explorer 9 Add-ins
Web of Trust (WOT) for Internet Explorer – Displays a simple gauge showing the website’s danger levels.
Qualys BrowserCheck – Performs a security scan on your browser and its plug-ins (Windows)
Phishing Toolbars – Internet Explorer 9 already includes the SmartScreen Filter, which detects dangerous websites and warns you. If you would like to install a supplemental toolbar add-in, see our Free Internet Security Software article.
Internet Security Software – Supplemental internet security software including Anti-Virus and Anti-Spyware software is a necessity when surfing on the Internet. See our Free Internet Security Software article for links to various free software utilities.
Password Managers – It is critical that you generate, store, and use secure passwords on the Internet. See our How to Create, Store, and Use Secure Passwords article for details on several password management programs.
Sandboxie – Runs programs inside a sandbox, an isolated space that prevents programs such as Internet Explorer from making permanent changes to other programs and data on your computer. Free for 30 days, then 29 euros.
Other Internet Explorer 9 Security Enhancements
Google Public DNS – A high-performance public DNS resolver that can replace your ISP's DNS. Google hardens it against cache-poisoning (spoofing) attacks and against being abused for DoS and amplification attacks; it does not encrypt or hide your lookups. Be sure to write down your existing DNS settings before changing them.
Norton ConnectSafe for Home - Similar to Google DNS, but includes options to filter porn or be family friendly.
Dyn Internet Guide – Free Web content filtering.
Internet Explorer Virtual Machine – Designed for web developers to test compatibility with different versions of Internet Explorer, these Virtual Machines for Microsoft’s Virtual PC allow you to run a Virtual computer on your desktop with Internet Explorer pre-installed. If you mess up the Virtual computer, you can just delete it and start fresh from a new image. Keep in mind some malware is capable of detecting virtual machines and acting innocent until you move into your main system.
If you use VMware Player instead, add the following line to the virtual machine's .vmx file (with the VM powered off) so that all disk changes are written to a temporary file that is discarded when you power off the virtual machine. ide0:0 is the first IDE disk; use the matching name (for example scsi0:0) if the VM's disk is attached differently:
ide0:0.mode = "independent-nonpersistent"
Secure Web Browsing with HTTPS
Normal website access over http:// sends and receives everything in plain text. Anyone between you and the site, for example someone on the same public Wi-Fi network or a compromised router, can capture the traffic and read or alter it. That may not matter for casual surfing, but you do not want your email, passwords, or online trading information captured by others.
Force websites to use secure connections – Use HTTPS whenever possible. Several large websites have configuration options to force secure connections. Here is more information on configuring HTTPS with: Gmail, Facebook, Twitter, Google. Google.com defaults to HTTPS if you are signed into your Google Account; if you are not, add the s after http to force a secure connection, e.g. https://www.google.com
HTTPS encrypts the connection with SSL/TLS. Certificates are digital documents, sold by certificate authorities (CAs), that tie a site's name to its encryption key. If a certificate was not issued by a CA your browser trusts, does not match the site name, or has expired, your browser shows a warning; do not click through it on a site you care about. In 2011 the Dutch certificate authority DigiNotar was breached and forged certificates for major sites were issued. The fix for an incident like this is pushed out through browser and operating-system updates that distrust the compromised CA (Microsoft moved the DigiNotar roots into the Windows Untrusted Certificates store), so it is crucial that you keep your browser and Windows up to date.
If applications other than your web browser access the Internet (FTP client, desktop mail client, etc.), enable TLS/SSL within each one: FTPS or SFTP instead of plain FTP, and IMAPS, POP3S or SMTP over TLS instead of the plain mail protocols.
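The checks the browser does on a certificate can be reproduced on the command line, which is useful when you want to know why a site warns, or whether a distrusted CA really is blocked on your PC. The following PowerShell script is an added example (not from the original article): it connects to a site's HTTPS port, reports the negotiated protocol and the certificate's issuer and expiry, checks that the certificate's names cover the host (including one-label wildcards), and asks Windows to build the chain with revocation checking so that a certificate from a distrusted CA shows up as a chain error. A second function lists entries in the Untrusted Certificates store whose name matches a pattern, DigiNotar by default. The probe needs network access, and the host name at the bottom is only an example.

```powershell
# Added example, not from the original article: probe an HTTPS endpoint and
# judge its certificate the way Windows does (name match, trusted chain with
# revocation checking), and list distrusted CAs in the Untrusted Certificates
# store. Needs network access for the probe; www.google.com is just an example.

function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    $names += $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -eq '2.5.29.17') {   # subjectAltName, formatted as "DNS Name=a, DNS Name=b"
            $names += [regex]::Matches($ext.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
        }
    }
    $names | Where-Object { $_ } | Sort-Object -Unique
}

function Test-HostNameMatch {
    param([string]$HostName, [string[]]$Names)
    foreach ($n in $Names) {
        if ($n -eq $HostName) { return $true }
        # A wildcard covers exactly one label: *.example.com matches www.example.com, not a.b.example.com.
        if ($n.StartsWith('*.') -and $HostName -match ('^[^.]+' + [regex]::Escape($n.Substring(1)) + '$')) { return $true }
    }
    return $false
}

function Test-HttpsCertificate {
    param([Parameter(Mandatory=$true)][string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept anything at the socket level so the handshake completes; trust is
    # decided explicitly below with X509Chain rather than silently here.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $trusted = $chain.Build($cert)
        $status  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        New-Object PSObject -Property @{
            Host         = $HostName
            Protocol     = $ssl.SslProtocol.ToString()
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            Expires      = $cert.NotAfter
            NameMatches  = (Test-HostNameMatch $HostName (Get-CertificateDnsNames $cert))
            ChainTrusted = $trusted
            ChainStatus  = ($status -join ', ')
        }
    } finally {
        $ssl.Dispose()
        $client.Close()
    }
}

function Get-DistrustedCertificate {
    param([string]$NamePattern = 'DigiNotar')
    Get-ChildItem -Path Cert:\LocalMachine\Disallowed, Cert:\CurrentUser\Disallowed |
        Where-Object { $_.Subject -match $NamePattern -or $_.Issuer -match $NamePattern } |
        Select-Object Subject, Thumbprint, NotAfter
}

Test-HttpsCertificate 'www.google.com' | Format-List Host, Protocol, Subject, Issuer, Expires, NameMatches, ChainTrusted, ChainStatus
Get-DistrustedCertificate | Format-Table -AutoSize
```

A site is only safe to use when NameMatches and ChainTrusted are both True and ChainStatus is empty; a status of UntrustedRoot, Revoked or RevocationStatusUnknown is exactly what the browser warning is telling you. If Get-DistrustedCertificate returns nothing for DigiNotar, the Windows update that distrusts those roots has not been installed.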
Use a password manager to create, use, and store passwords for websites. See our password manager guide for details.
By applying these Internet Explorer 9 settings, we can significantly increase the security of our Windows notebook and desktop PCs.
This concludes our How to Secure Internet Explorer 9 article. Other articles on Safegadget.com help you secure the other aspects of your personal computer, including How to Secure a Windows based personal computer, How to Set up a Secure Wireless Internet Router, and How to Secure Firefox. Please see our other articles on security tips for your e-mail, iPad, online banking, online shopping, smart phones, and more.