Lock Down IE on Windows, Even If You Don't Use It.
Listening to Security Now today, I heard Steve Gibson make an important point about Internet Explorer on Windows: whether or not you use it, it's still there, because its rendering engine is a Windows component that other programs embed. And if you're forced to use Outlook at work, as I am, IE vulnerabilities can still bite you.
What Steve suggests is locking down IE so that it's useful only as a Windows Update tool, which matters on Windows XP, where Windows Update runs as a website inside IE. If you're on Windows 7 or Vista, which have a standalone Windows Update, you can skip the second half of this trick. Everyone should follow the first part, though. Open Internet Options, go to the Security tab, and move the slider to "High" for both the "Internet" and "Local Intranet" zones. "High" disables Active scripting (JavaScript), ActiveX controls and plug-ins, and practically every other active-content option for any site outside the Trusted zone that you, or IE on behalf of another program, visit. While you're there, make sure "Trusted Sites" and "Restricted Sites" are still at their default levels.
Once that's done, select "Trusted Sites" and then click the "Sites" button. To make Windows Update work on Windows XP, you'll need to add the following to the list:
- *.microsoft.com
- *.windowsupdate.com
If you have any sites that specifically require IE to function, add them to the Trusted zone as well. For my own sanity I had to disable the "Require https:" option for some of the sites my workplace requires IE for. Now, when other applications like Outlook use the IE components to render content, that content should be rendered under the "High" settings we set earlier, so Flash, JavaScript and ActiveX shouldn't be issues. This doesn't make IE invulnerable, but it's a simple way to reduce your attack surface, so there's no reason not to do it.
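The same lockdown can be scripted instead of clicked through, which is handy if you want to push it to more than one machine or check later that nobody has loosened it. The PowerShell below is an added example, not something from the Security Now episode or the original post: it writes the per-user registry keys that Internet Options itself uses. The URL action codes come from Microsoft's documentation (KB 182569); the `CurrentLevel` value for "High" and the layout of the `ZoneMap\Domains` entries are taken from observed registries and are marked as assumptions in the comments. Trusted sites are added as HTTPS-only by default, because the Trusted zone relaxes the protections set above and only a site whose identity TLS has verified should get that; the `-AnyScheme` switch is the scripted equivalent of unticking "Require server verification (https:)" for one entry, and the `intranet-app.example` name used with it is a hypothetical placeholder.

```powershell
# Added example (not from the original post): apply the IE zone lockdown via the per-user
# registry keys the Internet Options dialog writes to. Run as the user whose IE is being locked down.
$ErrorActionPreference = 'Stop'
$zonesRoot   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$domainsRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# Zone numbers IE uses under Zones\: 1 = Local Intranet, 2 = Trusted Sites, 3 = Internet, 4 = Restricted Sites.
$zonesToHarden = 1, 3

# URL action codes (Microsoft KB 182569); data values: 0 = Enable, 1 = Prompt, 3 = Disable.
# This is the subset the post is concerned with (scripting, ActiveX and plug-ins such as Flash,
# binary behaviors), not the complete "High" template; compare with the UI if you need exact parity.
$actionsToDisable = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1400' = 'Active scripting (JavaScript, VBScript)'
    '1402' = 'Scripting of Java applets'
    '1405' = 'Script ActiveX controls marked safe for scripting'
    '1406' = 'Access data sources across domains'
    '2000' = 'Binary and script behaviors'
}
$Disable = 3

foreach ($zone in $zonesToHarden) {
    $zoneKey = Join-Path $zonesRoot $zone
    foreach ($action in $actionsToDisable.Keys) {
        Set-ItemProperty -Path $zoneKey -Name $action -Type DWord -Value $Disable
        Write-Host ("zone {0}: {1} -> Disable" -f $zone, $actionsToDisable[$action])
    }
    # CurrentLevel is the slider position shown on the Security tab. 0x12000 is the value IE stores
    # for "High" (assumption from observed registries). Writing it does not change the per-action
    # values above on its own, which is why both are set.
    Set-ItemProperty -Path $zoneKey -Name 'CurrentLevel' -Type DWord -Value 0x12000
}

function Add-TrustedSite {
    param(
        [Parameter(Mandatory=$true)] [string] $Domain,  # 'microsoft.com' stands for *.microsoft.com
        [switch] $AnyScheme                              # default is HTTPS only
    )
    # Assumption from observed registries: a wildcard entry "*.example.com" is stored as a key named
    # "example.com" holding one DWORD value per allowed scheme ("https", "http", or "*" for any),
    # whose data is the zone number (2 = Trusted Sites).
    $key = Join-Path $domainsRoot $Domain
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $scheme = if ($AnyScheme) { '*' } else { 'https' }
    Set-ItemProperty -Path $key -Name $scheme -Type DWord -Value 2
}

# The two entries the post lists for Windows Update on XP. If your Windows Update page loads over
# plain http, add -AnyScheme to these two calls.
Add-TrustedSite -Domain 'microsoft.com'
Add-TrustedSite -Domain 'windowsupdate.com'
# Hypothetical workplace site that only works over plain HTTP; -AnyScheme is the scripted
# equivalent of unticking "Require server verification (https:)" for just this entry.
# Add-TrustedSite -Domain 'intranet-app.example' -AnyScheme

# Read back what IE will actually see, so the change can be verified now and diffed later.
function Get-ZoneLockdownReport {
    foreach ($zone in $zonesToHarden) {
        $props = Get-ItemProperty -Path (Join-Path $zonesRoot $zone)
        foreach ($action in $actionsToDisable.Keys) {
            New-Object PSObject -Property @{
                Zone    = $zone
                Action  = $action
                Setting = $actionsToDisable[$action]
                Value   = $props.$action
            }
        }
    }
}
Get-ZoneLockdownReport | Format-Table Zone, Action, Setting, Value -AutoSize
```

After running it, open Internet Options once and confirm the two zones show as locked down and the Trusted list contains what you expect; a machine that receives its zone settings from Group Policy will keep the policy's values instead of these.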
