IE8 Hardening Frequently Asked Questions (FAQ)

Q: How can I use this tool?

A: You can use this hardening tool to quickly and easily upgrade the security settings in IE8. This lets you evaluate the usability and suitability of these settings for your PC, or for your corporate network if you are an IT administrator. It is simple to install and uninstall, so it can be used as a temporary patch or left on permanently, depending on your needs.

Q: You're probably wondering, why didn't Microsoft reduce this attack surface to a minimum by default?

A: Usability, compatibility, and lawyers.

1) Usability: Things like ActiveX, JavaScript, XML data handling, and other technologies that provide a great user experience and make the web fun and cool also open up attack vectors for the bad guys to get in. But once these were released to the public, it is hard to take this candy away from users. And it is actually pretty useful candy; a number of corporate and public applications rely on the technology for legitimate business purposes.

2) Compatibility: Next, there are many 3rd party applications, add-ons, and plug-ins for browsers like IE8 (as well as Firefox). These bring two types of problems: first, the plug-ins themselves can have vulnerabilities; think Adobe Reader, Flash, Shockwave, etc. Second, the communication channel that makes plug-ins and add-ons possible at all is itself part of the attack surface.

3) Legal: Microsoft is a dominant player in the market. Whether or not it chooses to support a 3rd party application on its platform, or from an application, can be the subject of legal action. If Microsoft were to make IE8 more secure by breaking 3rd party applications, it would likely face criticism in the media as well as in the court room.

Q: Can this tool prevent me from getting a virus or trojan?

A: In some cases, yes, but not in all. There are many types of attacks, and this tool only provides some additional protection.

Q: Will this tool cause problems with any websites I visit?

A: Yes, almost certainly.
Many web sites use ActiveX and JavaScript. Some also provide the ability to display pages without them. If you visit a site that requires these capabilities, the page will most likely not display as the website owner intended.

Q: What changes are made exactly by the IE8 Hardening Tool?

A: Changes to IE8 security settings are made via Group Policy Objects.

| IE 8 Settings | Changes made by IE8 Hardening tool |
|---|---|
| Allow Active Scripting | Disabled in response to zero day attack |
| Internet Explorer Processes (Scripted Window Security Restrictions) | Enabled |
| Internet Explorer Processes (Zone Elevation Protection) | Enabled |
| Security Zones: Do not allow users to add/delete sites | Enabled |
| Security Zones: Do not allow users to change policies | Enabled |
| Security Zones: Use only machine settings | Not Configured |
| Prevent Ignoring Certificate Errors | Enabled |
| Turn on Protected Mode * | Enabled |
| Empty Temporary Internet Files folder when browser is closed | Enabled |
| Disable AutoComplete for forms | Enabled |
| Turn on the auto-complete feature for user names and passwords on forms | Disabled |
| Logon Options | Enabled\Prompt for Username and Password |
| Logon Options | Enabled\Automatic Logon with Current Username and Password |
| Logon Options | Enabled\Anonymous Logon |
| Logon Options | Enabled\Automatic Logon only in Intranet Zone |
| Use SmartScreen Filter | Enabled |
| Use SmartScreen Filter | Enabled |
| Use SmartScreen Filter | Enabled |
| Use SmartScreen Filter | Enabled |
| Turn off Managing SmartScreen Filter | Enabled |
| Prevent Bypassing SmartScreen Filter Warnings | Enabled |
| XSS Filter | Enabled |
| Do not save encrypted pages to disk | Enabled for environments with sensitive data on Web pages. |
| Make proxy settings per-machine (rather than per-user) | Enabled for computers in a fixed location. Disabled for mobile laptops. |
| Turn off Crash Detection | Enabled |
| Internet Explorer Processes (Restrict File Download) | Enabled |
| Allow File Downloads | Disabled |
| Internet Explorer Processes\Object Caching Protection | Enabled |

* This setting only works in Internet Explorer 8 with Windows Vista.
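As an added defender-side check (example code written for this page, not part of the NSS Labs tool or its installer), the PowerShell below reads the Internet-zone policy values for four of the settings in the table and reports whether each matches the hardened state. The registry locations and the zone action ids (1400, 1803, 1409, 2500) are my assumption of where these Group Policy settings are stored; the FAQ itself does not state them, so verify the mapping in your own environment.

```powershell
# Added audit example: compare the effective Internet Zone (zone 3) values
# against the hardened state listed in the FAQ table above.
# ASSUMPTION: policy and per-user zone keys live at these paths.
$zoneKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
)

# ASSUMPTION: zone action ids and their encoding (0 = enable, 1 = prompt,
# 3 = disable). Expected values reflect the FAQ table: Active Scripting and
# File Downloads disabled, XSS Filter and Protected Mode enabled.
$checks = @(
    @{ Name = 'Allow Active Scripting'; Value = '1400'; Expected = 3 },
    @{ Name = 'Allow File Downloads';   Value = '1803'; Expected = 3 },
    @{ Name = 'XSS Filter';             Value = '1409'; Expected = 0 },
    @{ Name = 'Turn on Protected Mode'; Value = '2500'; Expected = 0 }
)

function Get-ZoneValue([string]$valueName) {
    # Policy keys take precedence over the per-user key, so search them first
    # and return the first hit; $null means the value is not set anywhere.
    foreach ($key in $zoneKeys) {
        $item = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
        if ($null -ne $item) { return [int]$item.$valueName }
    }
    return $null
}

foreach ($c in $checks) {
    $actual = Get-ZoneValue $c.Value
    $state = 'MISMATCH'
    if ($null -eq $actual) { $state = 'NOT SET' }
    elseif ($actual -eq $c.Expected) { $state = 'OK' }
    '{0,-26} {1,-8} actual={2} expected={3}' -f $c.Name, $state, $actual, $c.Expected
}
```

Run it from an ordinary user session to see the values that session's IE8 would actually apply; a NOT SET result means neither a policy nor the user's own zone configuration defines that action, so IE8 falls back to its built-in default for the zone.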
Q: What Operating Systems are supported?

A: We have tested 32-bit and 64-bit systems, including Windows XP, Windows Vista, and Windows 7.

Q: How do I revert to my previous settings?

A: Simply uninstall the tool as you would any other application. Go to the Control Panel, Add/Remove Programs, and select "NSS Labs IE8 hardening tool." The uninstall process restores the settings to the Microsoft defaults.

Q: Does NSS Labs plan to maintain this tool?

A: Yes. As a byproduct of our security testing for enterprises, we are pleased to provide this tool to the community. We also invite collaboration and input from other security professionals.