| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 7 Jul 2004 18:47:02 -0400 From: "James C Slora Jr" <Jim.Slora@...a.com> To: <bugtraq@...urityfocus.com> Subject: RE: Can we prevent IE exploits a priori? > So I wanted to know, has anyone tried these programs > successfully? Can anyone validate their claims? Better yet, > does anyone have a link to a "how to" doc, that tells smart > geeks how to make the registry changes ourselves, so we don't > have to rely on some program to do it for us? Here is some info about Zone 0 (My Computer Zone). Search Technet for "explorer security zones" for lots of relevant articles. The first one to read is: http://support.microsoft.com/?kbid=182569 The lockdown of Zone 0 works as Thor claims, except when someone can spoof a higher-trust zone - as noted by http-equiv and Jelmer (and really by Thor too) on Bugtraq. Because it is now fairly easy to spoof another zone, you probably should killbit adodb.stream and shell.application controls and get rid of the HTA MIME-Type. Drew Copley posted a link to sample registry files for that stuff: http://www.eeye.com/html/research/alerts/AL20040610.html Local web page development of course can have complications from locking down the My Computer Zone. You have to see if it breaks anything in your environment, and you might consider letting developers toggle the settings through desktop shortcuts. You might also consider loosening some of the lockdown - it will be your tradeoff between security and functionality. To protect against cross-zone attacks, you would also have to lock down the other Zones 1 through 4. Locking down Trusted Sites, though, defeats the purpose of Trusted Sites. So you might consider allowing users to unlock Trusted Sites when they are actually visiting one. Of course that has training and reliability issues that are possibly insurmountable. You might also lock down all the zones except Trusted Sites, and make sure that nobody trusts a guessable domain like microsoft.com - this would provide security by obscurity against mass exploits, but would not protect against a targeted exploit. If someone knows who you trust, they can spoof the trusted site pretty easily. My Computer Zone (Zone 0) lockdown registry entries, similar to or same as Qwik-Fix: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] "1001"=dword:00000003 "1004"=dword:00000003 "1201"=dword:00000003 "1400"=dword:00000003 "1402"=dword:00000003 "1405"=dword:00000003 "1406"=dword:00000003 "1407"=dword:00000003 "1601"=dword:00000003 "1604"=dword:00000003 "1606"=dword:00000003 "1607"=dword:00000003 "1608"=dword:00000003 "1609"=dword:00000003 "1800"=dword:00000003 "1803"=dword:00000003 "1804"=dword:00000003 Note that these are just the values that are different from the defaults. The default values for this zone would normally be: "1001"=dword:00000000 "1004"=dword:00000000 "1201"=dword:00000001 "1400"=dword:00000000 "1402"=dword:00000000 "1405"=dword:00000000 "1406"=dword:00000000 "1407"=dword:00000000 "1601"=dword:00000000 "1604"=dword:00000000 "1606"=dword:00000000 "1607"=dword:00000000 "1608"=dword:00000000 "1609"=dword:00000001 "1800"=dword:00000000 "1803"=dword:00000000 "1804"=dword:00000000 You can also consider implementing the changes through HKCU instead of HKLM so that the settings apply only to the logged on user instead of to all users on the machine. This does not work if you just apply it to a default configuration - you have to make some other changes, too. You would have to make sure that the settings actually applied. KB182569 has info about heirarchy of settings and permissions. In that case, the key would be: [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] Explanation: Settings - 0 enables, 1 prompts, 3 prohibits (2 is not documented or supported) 1001 - Download signed ActiveX controls 1004 - Download unsigned ActiveX controls 1200 - Run ActiveX controls and plugins 1201 - Initialize and script ActiveX controls and plugins not marked as safe 1400 - Active Scripting 1402 - Scripting of Java applets 1405 - Script ActiveX controls marked safe for scripting 1406 - Access data sources across domains 1407 - Allow paste operations via script 1601 - Submit non-encrypted form data 1604 - Font download 1605 - Run Java 1606 - User Data persistence 1607 - Navigate sub-frames across different domains 1608 - Allow META REFRESH 1609 - Display mixed content 1800 - Installation of desktop items 1802 - Drag and drop or copy and paste of files 1803 - File download 1804 - Launching programs and files in an IFRAME There are other values in the Security Zones, but these are the ones that should be changed from their defaults and that should make a big difference. The rest of the values are documented in the KB article I mentioned at the beginning of this post. The Zones: 0 - My Computer 1 - Local Intranet Zone 2 - Trusted sites Zone 3 - Internet Zone 4 - Restricted Sites Zone To show the My Computer Zone in the user interface: From http://support.microsoft.com/?kbid=315933 The Flags value in the following registry key determines whether you can view the My Computer security zone on the Security tab in the Internet Options dialog box: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 The Flags value is a DWORD value. Setting the data value of the Flags value to 47 (in hexadecimal) causes the My Computer security zone to be displayed. Setting the data value of the Flags value to 21 (in hexadecimal) causes the My Computer security zone to be hidden
Powered by blists - more mailing lists