[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20040707224729.184E325A819@mail41-ash.bigfish.com>
Date: Wed, 7 Jul 2004 18:47:02 -0400
From: "James C Slora Jr" <Jim.Slora@...a.com>
To: <bugtraq@...urityfocus.com>
Subject: RE: Can we prevent IE exploits a priori?
> So I wanted to know, has anyone tried these programs
> successfully? Can anyone validate their claims? Better yet,
> does anyone have a link to a "how to" doc, that tells smart
> geeks how to make the registry changes ourselves, so we don't
> have to rely on some program to do it for us?
Here is some info about Zone 0 (My Computer Zone).
Search Technet for "explorer security zones" for lots of relevant articles.
The first one to read is:
http://support.microsoft.com/?kbid=182569
The lockdown of Zone 0 works as Thor claims, except when someone can spoof a
higher-trust zone - as noted by http-equiv and Jelmer (and really by Thor
too) on Bugtraq. Because it is now fairly easy to spoof another zone, you
probably should killbit adodb.stream and shell.application controls and get
rid of the HTA MIME-Type. Drew Copley posted a link to sample registry files
for that stuff:
http://www.eeye.com/html/research/alerts/AL20040610.html
Local web page development of course can have complications from locking
down the My Computer Zone. You have to see if it breaks anything in your
environment, and you might consider letting developers toggle the settings
through desktop shortcuts. You might also consider loosening some of the
lockdown - it will be your tradeoff between security and functionality.
To protect against cross-zone attacks, you would also have to lock down the
other Zones 1 through 4. Locking down Trusted Sites, though, defeats the
purpose of Trusted Sites. So you might consider allowing users to unlock
Trusted Sites when they are actually visiting one. Of course that has
training and reliability issues that are possibly insurmountable. You might
also lock down all the zones except Trusted Sites, and make sure that nobody
trusts a guessable domain like microsoft.com - this would provide security
by obscurity against mass exploits, but would not protect against a targeted
exploit. If someone knows who you trust, they can spoof the trusted site
pretty easily.
My Computer Zone (Zone 0) lockdown registry entries, similar to or same as
Qwik-Fix:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\0]
"1001"=dword:00000003
"1004"=dword:00000003
"1201"=dword:00000003
"1400"=dword:00000003
"1402"=dword:00000003
"1405"=dword:00000003
"1406"=dword:00000003
"1407"=dword:00000003
"1601"=dword:00000003
"1604"=dword:00000003
"1606"=dword:00000003
"1607"=dword:00000003
"1608"=dword:00000003
"1609"=dword:00000003
"1800"=dword:00000003
"1803"=dword:00000003
"1804"=dword:00000003
Note that these are just the values that are different from the defaults.
The default values for this zone would normally be:
"1001"=dword:00000000
"1004"=dword:00000000
"1201"=dword:00000001
"1400"=dword:00000000
"1402"=dword:00000000
"1405"=dword:00000000
"1406"=dword:00000000
"1407"=dword:00000000
"1601"=dword:00000000
"1604"=dword:00000000
"1606"=dword:00000000
"1607"=dword:00000000
"1608"=dword:00000000
"1609"=dword:00000001
"1800"=dword:00000000
"1803"=dword:00000000
"1804"=dword:00000000
You can also consider implementing the changes through HKCU instead of HKLM
so that the settings apply only to the logged on user instead of to all
users on the machine. This does not work if you just apply it to a default
configuration - you have to make some other changes, too. You would have to
make sure that the settings actually applied. KB182569 has info about
heirarchy of settings and permissions. In that case, the key would be:
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\0]
Explanation:
Settings - 0 enables, 1 prompts, 3 prohibits (2 is not documented or
supported)
1001 - Download signed ActiveX controls
1004 - Download unsigned ActiveX controls
1200 - Run ActiveX controls and plugins
1201 - Initialize and script ActiveX controls and plugins not marked as safe
1400 - Active Scripting
1402 - Scripting of Java applets
1405 - Script ActiveX controls marked safe for scripting
1406 - Access data sources across domains
1407 - Allow paste operations via script
1601 - Submit non-encrypted form data
1604 - Font download
1605 - Run Java
1606 - User Data persistence
1607 - Navigate sub-frames across different domains
1608 - Allow META REFRESH
1609 - Display mixed content
1800 - Installation of desktop items
1802 - Drag and drop or copy and paste of files
1803 - File download
1804 - Launching programs and files in an IFRAME
There are other values in the Security Zones, but these are the ones that
should be changed from their defaults and that should make a big difference.
The rest of the values are documented in the KB article I mentioned at the
beginning of this post.
The Zones:
0 - My Computer
1 - Local Intranet Zone
2 - Trusted sites Zone
3 - Internet Zone
4 - Restricted Sites Zone
To show the My Computer Zone in the user interface:
From http://support.microsoft.com/?kbid=315933
The Flags value in the following registry key determines whether you can
view the My Computer security zone on the Security tab in the Internet
Options dialog box:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\0
The Flags value is a DWORD value. Setting the data value of the Flags value
to 47 (in hexadecimal) causes the My Computer security zone to be displayed.
Setting the data value of the Flags value to 21 (in hexadecimal) causes the
My Computer security zone to be hidden
Powered by blists - more mailing lists