Educause Security Discussion mailing list archives

Re: web browser security zones


From: Gary Flynn <flynngn () JMU EDU>
Date: Wed, 11 Jan 2006 13:04:16 -0500

Kevin Shalla wrote:

> This prompts me to ask about web browser security zones.  Does anyone
> make substantial changes to the default IE security zone security?

Not at an organizational level. I do but I can't get very
many others to. :)

I don't use IE unless everything is disabled except for
trusted sites. My day to day browser is Mozilla though
sometimes IE is necessary. I run Mozilla with scripting
and java turned off too and have been running that way
for years.

> How effective is this?

Very effective but not convenient or efficient. Too many
extra clicks, particularly for "random web browsing" (though
this is where it's most important). It would be a hard sell
to those who value convenience and efficiency over security
unless it gets a lot easier (and universal) for browsers to
be configured for trusted sites (or events degrade even
further on the Internet). Then its effectiveness will
depend on the operators' decision-making abilities about what
sites to trust, which is similar to decisions about what
email attachments, links, and firewall-blocked programs to
trust.

> We make a few changes (adding certain sites to the
> trusted sites and granting certain extra access in that zone), but not
> much.

All of our centralized changes, to my knowledge, concern
credential and page caching and adding some often used
favorites.

> Do other browsers have such detailed settings by security zone?
> It appears that Firefox has very little granularity (just load images
> and popups) in the security setup.

The January 2006 issue of Information Security has an
article comparing the security features of IE 7, Firefox,
and Netscape concluding "IE 7.0, at least for the near
term, presents a solution that will help secure the
desktop's browsing environment better than the
competition".

I don't know about Safari, Opera, and others.

I've seen at least one plug-in for Mozilla and Firefox, but
I'm not a fan of third-party plug-ins any more than I'm a fan
of third-party ActiveX controls. I need to take a closer
look though.

I think the plug-ins are based on Mozilla's Configurable
Security Policy capabilities which may have promise:
http://www.mozilla.org/projects/security/components/ConfigPolicy.html
I don't see the ability to wildcard domains (e.g. *.jmu.edu)
though.

With today's browsers and web site practices, I'm convinced
at this point that a more effective and practical risk
reduction measure for the general populace would be to use
a non-administrative account. At least until the malware
authors catch on. Even then, it would prevent more invasive
compromises such as rootkits. I'm stressing that action over
browser reconfigurations here.



--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
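The Configurable Security Policy approach mentioned in the message above is driven entirely by user.js preferences. The following is an added example, not code from the thread or from the Mozilla project: it generates a user.js fragment that turns JavaScript off for every site by default and back on for an explicit list of trusted origins. The pref names (capability.policy.policynames, capability.policy.<name>.sites, capability.policy.<name>.javascript.enabled) follow the ConfigPolicy page linked above; the policy name "trusted" and the JMU origins are assumptions for illustration. Because the author notes that domain wildcards such as *.jmu.edu are not supported, the generator rejects them rather than emitting an entry that would silently match nothing.

```javascript
// Added example (not from the original mailing-list post): build a
// Mozilla/Firefox user.js fragment for Configurable Security Policy (CAPS)
// that disables script everywhere except on a whitelist of trusted origins.
// Pref names are taken from the ConfigPolicy document; the policy name and
// the site list passed in by the caller are assumptions for illustration.

// CAPS matches sites by scheme://host (optionally :port). It has no domain
// wildcards, so every entry must be a concrete origin.
function isValidCapsSite(site) {
  return (
    !site.includes("*") &&
    /^https?:\/\/[A-Za-z0-9.-]+(:\d+)?$/.test(site)
  );
}

// Return the lines of a user.js fragment implementing:
//   default policy  -> javascript "noAccess"
//   <policyName>    -> javascript "allAccess" for trustedSites only
function buildCapsPolicyLines(policyName, trustedSites) {
  const bad = trustedSites.filter((s) => !isValidCapsSite(s));
  if (bad.length > 0) {
    throw new Error(
      "unsupported site entries (full scheme://host only, no wildcards): " +
        bad.join(", ")
    );
  }
  if (!/^[A-Za-z][A-Za-z0-9_]*$/.test(policyName)) {
    throw new Error("policy name must be a simple identifier: " + policyName);
  }
  return [
    // Everything not covered by a named policy falls under "default".
    'user_pref("capability.policy.default.javascript.enabled", "noAccess");',
    // Register the named policy and the origins it applies to.
    `user_pref("capability.policy.policynames", "${policyName}");`,
    `user_pref("capability.policy.${policyName}.sites", "${trustedSites.join(" ")}");`,
    // Re-enable script only for those origins.
    `user_pref("capability.policy.${policyName}.javascript.enabled", "allAccess");`,
  ];
}

// Convenience wrapper producing the text to append to user.js.
function buildCapsPolicy(policyName, trustedSites) {
  return buildCapsPolicyLines(policyName, trustedSites).join("\n") + "\n";
}

// Constructed sample input (assumed trusted origins, not from the post).
const SAMPLE_TRUSTED = ["http://www.jmu.edu", "https://www.jmu.edu"];

if (typeof require !== "undefined" && require.main === module) {
  process.stdout.write(buildCapsPolicy("trusted", SAMPLE_TRUSTED));
}
```

The output is appended to the profile's user.js; the per-origin list is the practical cost the author describes, since each host a user wants script on (and each scheme for that host) must be added by hand.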
