Lesson 1: Configuring and Troubleshooting Internet Explorer Security

Internet Explorer is one of the most important components of the Windows Vista operating system because it provides access to Web applications on both the public Internet and on internal intranets. However, because it might be used to access untrusted websites, security is a serious concern. In the past, attackers have used websites to trick users into disclosing private information, to gain elevated privileges on client computers, and to distribute malware.

How Internet Explorer Works in 64-bit Versions of Windows Vista

Because it provides a wider data bus, allowing many times greater scalability, 64-bit computing is the future. Right now, however, most users run 32-bit versions of Windows.

Unfortunately, although 64-bit versions of Windows are fundamentally superior, in the real world they do have some compatibility problems. In particular, 64-bit versions of Internet Explorer can’t use 32-bit components (such as ActiveX controls, which might provide critical functionality for many websites). Although 64-bit components are becoming more common, some critical components still aren’t available for 64-bit.

For that reason, the 32-bit version of Internet Explorer is the default even in 64-bit versions of Windows. If a user instead chooses to use the 64-bit version of Internet Explorer (there’s also a shortcut for it on the Start menu), test any problematic webpages in the 32-bit version of Internet Explorer before doing any troubleshooting.

MORE INFO: Deploying Internet Explorer. To deploy preconfigured versions of Internet Explorer, you can use the Internet Explorer Administration Kit. For more information, visit https://technet.microsoft.com/en-us/ie/bb219556.aspx.

After this lesson, you will be able to:

  • Configure add-ons in Internet Explorer (including ActiveX controls) and troubleshoot problems related to add-ons.
  • Describe and configure Protected Mode.
  • Resolve problems related to Secure Sockets Layer (SSL) certificates.

Estimated lesson time: 40 minutes

Internet Explorer Add-Ons

Add-ons extend Internet Explorer capabilities to enable websites to provide much richer, more interactive content. For example, the following are commonly used add-ons:

  • Shockwave Flash: An add-on that enables complex animations, games, and other interactive capabilities
  • Windows Media Player: An add-on that enables webpages to integrate audio and video
  • Microsoft Virtual Server VMRC Control: An add-on that enables users to remotely control a remote virtual machine from within Internet Explorer

The sections that follow describe how to configure add-ons and troubleshoot problems related to add-ons.

How to Enable and Disable Add-Ons

After starting Internet Explorer, you can disable or delete add-ons by following these steps:

  1. Click the Tools button on the toolbar, click Manage Add-Ons, and then click Enable Or Disable Add-Ons.

  2. The Manage Add-Ons dialog box appears, as shown in Figure 5-1.

    Figure 5-1 The Manage Add-Ons dialog box

  3. In the Manage Add-Ons dialog box, select an add-on, and then select Disable to prevent the add-on from automatically loading. If the add-on is an ActiveX control, you can click Delete to permanently remove it.

If an add-on is causing serious enough problems that you can’t start Internet Explorer, you can disable the add-on without opening Internet Explorer by following these steps:

  1. Click Start, and then click Control Panel.

  2. Click the Network And Internet link.

  3. Under Internet Options, click the Manage Browser Add-Ons link.

  4. The Internet Properties dialog box appears.

  5. Click the Manage Add-Ons button.

  6. At the Manage Add-Ons dialog box, select an add-on. Then, select Disable and click OK to prevent the add-on from automatically loading.

How to Start Internet Explorer Without Add-Ons

A buggy or malicious add-on can cause problems with starting Internet Explorer. To work around this problem and launch Internet Explorer without add-ons, follow these steps:

  1. Click Start. Then, click All Programs, Accessories, and System Tools.

  2. Click Internet Explorer (No Add-Ons).

    Internet Explorer starts with all add-ons disabled. If a webpage opens a new window when you click on a link, that new window will also have add-ons disabled. Add-ons will automatically be enabled the next time you start Internet Explorer using the standard shortcut.

Alternatively, you can manually launch Internet Explorer using the -extoff parameter by clicking Start, typing iexplore -extoff, and pressing Enter.

You cannot manage add-ons when you start Internet Explorer in No Add-Ons mode. If you need to disable an add-on without opening Internet Explorer, follow the steps to use Control Panel, as described in the previous section.

How to Configure Add-Ons in Active Directory Domain Environments

As with earlier versions of Internet Explorer, you can use the Group Policy settings in User Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management to enable or disable specific add-ons throughout your organization. Typically, you need to use two settings in this group to block all unapproved add-ons in your organization:

  • Add-On List: Enable this setting, and then specify the approved add-ons in your organization. To specify an add-on, provide the class identifier (CLSID) for the add-on you need to add as the Value Name in the Add-On List. The CLSID should be in brackets, such as “{BDB57FF2-79B9-4205-9447-F5FE85F37312}”. You can find the CLSID for an add-on by reading the <object> tag from the Hypertext Markup Language (HTML) of a webpage that references the add-on. To specify that the add-on should be denied, specify a Value of 0. To allow an add-on, specify a Value of 1. To both allow an add-on and permit users to manage the add-on, specify a Value of 2.
  • Deny All Add-Ons Unless Specifically Allowed In The Add-On List: After specifying the add-ons you want to allow in the Add-On List setting, enable this policy to automatically block all other add-ons. You can use the combination of these two settings to block all unapproved add-ons.

Two other Group Policy settings related to add-on management are located within both User Configuration and Computer Configuration at Administrative Templates\Windows Components\Internet Explorer. The settings that relate to managing add-ons are:

  • Turn Off Crash Detection: By default, Internet Explorer will detect an add-on that crashes and disable it the next time you start Internet Explorer. If you have a problematic add-on that is required for a critical Web application, you can enable this policy to ensure that even a failing add-on continues to run.
  • Do Not Allow Users To Enable Or Disable Add-Ons: By default, users can open the Manage Add-Ons dialog box and enable or disable add-ons. If you enable this policy, they won’t be able to configure add-ons.

How to Configure ActiveX Add-Ons

ActiveX is a technology that enables powerful applications with rich user interfaces to run within a Web browser. For that reason, many organizations have developed ActiveX components as part of a Web application. For the same reason, many attackers have created ActiveX components to abuse the platform’s capabilities. Some examples of ActiveX controls include:

  • A component that enables you to manage virtual computers from a Microsoft Virtual Server webpage.
  • A Microsoft Update component that scans your computer for missing updates.
  • Shockwave Flash, which many websites use to publish complex animations and games.

Earlier versions of Internet Explorer installed ActiveX controls without prompting the users. This provided an excellent experience for websites that used ActiveX controls because the user was able to enjoy the control’s features without manually choosing to install it. However, malware developers soon abused this capability by creating malicious ActiveX controls that installed software on the user’s computer or changed other settings, such as the user’s home page.

To enable you to use critical ActiveX controls while blocking potentially dangerous ActiveX controls, Microsoft built strong ActiveX management capabilities into Internet Explorer. The sections that follow describe how to configure ActiveX on a single computer and within an enterprise.

How to Configure ActiveX Opt-in

In Internet Explorer 7, ActiveX controls are not installed by default. Instead, when users visit a webpage that includes an ActiveX control, they will see an information bar that informs them that an ActiveX control is required. Users will then have to click the information bar and click Install ActiveX Control. If the users do nothing, Internet Explorer does not install the ActiveX control. Figure 5-2 shows the Genuine Microsoft Software webpage, which requires users to install an ActiveX control before their copy of Windows can be validated as genuine.

Figure 5-2 The Genuine Microsoft Software page

After the user clicks Install ActiveX Control, the user needs to respond to a User Account Control (UAC) prompt for administrative credentials. Then the user receives a second security warning from Internet Explorer, as shown in Figure 5-3. If the user confirms this security warning, Internet Explorer installs and runs the ActiveX control.

Figure 5-3 A second security warning

ActiveX Opt-in is enabled by default for the Internet and Restricted Sites zones but disabled by default for the Local Intranet and Trusted Sites zones. Therefore, any websites on your local intranet should be able to install ActiveX controls without prompting the user. To change the setting default for a zone, follow these steps:

  1. Open Internet Explorer. Click the Tools button on the toolbar, and then click Internet Options.

  2. In the Internet Options dialog box, click the Security tab. Select the zone you want to edit, and then click the Custom Level button.

  3. Scroll down in the Settings list. Under ActiveX Controls And Plug-Ins, change the setting for the first option, which is Allow Previously Unused ActiveX Controls To Run Without Prompt. If this is disabled, ActiveX Opt-in is enabled.

    Exam Tip: The name “ActiveX Opt-in” can be confusing. Enabling ActiveX Opt-in causes Internet Explorer to not install ActiveX controls by default, instead requiring the user to explicitly choose to configure the add-on.

  4. Click OK twice.

ActiveX Opt-in applies to most ActiveX controls. However, it does not apply to ActiveX controls on the preapproved list. The preapproved list is maintained in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Pre-Approved. Within this key there are several subkeys, each with a Class ID (CLSID) of a pre-approved ActiveX control. You can identify an ActiveX control’s CLSID by viewing the source of a webpage and searching for the <object> tag. For best results, try searching the source of a webpage for the phrase “<object”.
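Both the Add-On List policy and the Pre-Approved registry key identify controls by CLSID, and the lesson's way of finding one is to read the <object> tag. The following added example (not part of the original lesson) automates that lookup over saved page source and turns the result into Add-On List name/value pairs; the function names, the sample HTML, and every URL and CLSID other than the one quoted in the Add-On List description are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Add-On List values described in this lesson.
DENY, ALLOW, ALLOW_USER_MANAGED = 0, 1, 2

_CLSID_RE = re.compile(r"[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}")


def normalize_clsid(raw):
    """Return a CLSID as upper-case text in braces, or None if raw is not a CLSID."""
    value = raw.strip()
    if value.lower().startswith("clsid:"):      # form used in the classid attribute
        value = value[6:].strip()
    if value.startswith("{") and value.endswith("}"):
        value = value[1:-1]
    return "{" + value.upper() + "}" if _CLSID_RE.fullmatch(value) else None


class ObjectTagScanner(HTMLParser):
    """Collects (CLSID, codebase) for every <object> tag that carries a classid."""

    def __init__(self):
        super().__init__()
        self.controls = []   # (clsid, codebase URL or None), in page order
        self.rejected = []   # classid values that are not CLSIDs

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names, so <OBJECT> matches too.
        if tag != "object":
            return
        attr = dict(attrs)
        classid = attr.get("classid")
        if not classid:
            return           # e.g. <object data=...>, which is not an ActiveX reference
        clsid = normalize_clsid(classid)
        if clsid is None:
            self.rejected.append(classid)
        else:
            self.controls.append((clsid, attr.get("codebase")))


def scan_page(html):
    scanner = ObjectTagScanner()
    scanner.feed(html)
    scanner.close()
    return scanner


def build_addon_list(html, approved):
    """Map each CLSID referenced by the page to an Add-On List value.

    approved maps CLSIDs (any spelling) to ALLOW or ALLOW_USER_MANAGED;
    controls that are not in it are listed with DENY.
    """
    for value in approved.values():
        if value not in (DENY, ALLOW, ALLOW_USER_MANAGED):
            raise ValueError(f"Add-On List value must be 0, 1 or 2, got {value!r}")
    approved_norm = {normalize_clsid(k): v for k, v in approved.items()}
    return {clsid: approved_norm.get(clsid, DENY)
            for clsid, _codebase in scan_page(html).controls}


# Constructed page source; only the first CLSID appears in this lesson.
SAMPLE_HTML = """
<html><body>
<OBJECT id="viewer" classid="clsid:bdb57ff2-79b9-4205-9447-f5fe85f37312"
        codebase="https://intranet.example/controls/viewer.cab#version=1,0,0,0"></OBJECT>
<object classid="CLSID:11111111-2222-3333-4444-555555555555"></object>
<object classid="clsid:bdb57ff2-79b9-4205-9447-f5fe85f37312"></object>
<object classid="java:Applet.class"></object>
<object data="movie.swf" type="application/x-shockwave-flash"></object>
</body></html>
"""

if __name__ == "__main__":
    approved = {"{BDB57FF2-79B9-4205-9447-F5FE85F37312}": ALLOW_USER_MANAGED}
    for name, value in build_addon_list(SAMPLE_HTML, approved).items():
        print(f"Value Name {name}  Value {value}")
```

The codebase attribute collected alongside each CLSID is the source URL of the control, which is the host you would review before approving it for the ActiveX Installer Service.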

How to Configure ActiveX on a Single Computer

The previous section described how to configure ActiveX Opt-in on a single computer. In addition to that setting, you can configure several other per-zone settings related to ActiveX from the Security Settings dialog box:

  • Automatic Prompting For ActiveX Controls: This setting is disabled by default for all zones. If you choose to enable this setting, it bypasses the information bar and instead actively prompts the user to install the ActiveX control.
  • Download Signed ActiveX Controls: The developer can sign ActiveX controls. Typically, signed ActiveX controls are more trustworthy than unsigned controls, but you shouldn’t trust all signed ActiveX controls. By default, this setting is set to prompt the user. You can reduce the number of prompts the user receives by changing this to Enable.
  • Download Unsigned ActiveX Controls: By default, unsigned ActiveX controls are disabled. If you must distribute an unsigned ActiveX control, add the site that requires the control to your Trusted Sites list and change this setting for the Trusted Sites zone to Prompt.
  • Initialize And Script ActiveX Controls Not Marked As Safe For Scripting: This setting is disabled by default for all zones. You should enable it only if you experience a problem with a specific ActiveX control, and the developer informs you that this setting is required. In that case you should add the site to the Trusted Sites list and enable this control only for that zone.
  • Run ActiveX Controls And Plug-Ins: This setting controls whether ActiveX controls will run, regardless of how other settings are defined. In other words, if this setting is disabled, users will not be able to run ActiveX controls, even using ActiveX Opt-in. This setting is enabled for all zones except for the Restricted Sites zone.
  • Script ActiveX Controls Marked Safe For Scripting: Some ActiveX controls are marked safe for scripting by the developer. This setting is enabled for all zones except for the Restricted Sites zone. Typically, you should leave this at the default setting. Because the developer chooses whether the control is marked safe for scripting, this marking does not indicate that the ActiveX control is more trustworthy than any other control.

How to Manage ActiveX Add-Ons on a Single Computer

To configure ActiveX on a single computer, follow these steps:

  1. Open Internet Explorer.

  2. Click the Tools button on the toolbar, click Manage Add-Ons, and then click Enable Or Disable Add-Ons.

    The Manage Add-Ons dialog box appears.

  3. Click the Show list, and then click Downloaded ActiveX Controls.

  4. Select the ActiveX control you want to manage. Then select:

    • Disable to disable the ActiveX control.
    • Delete to remove the ActiveX control.
  5. Click OK.

How to Configure ActiveX Installer Service

Some critical Web applications might require ActiveX controls to run. This can be a challenge if your users lack administrative credentials because UAC requires administrative credentials to install ActiveX controls (although any user can access an ActiveX control after it is installed).

Fortunately, you can use the ActiveX Installer Service to enable standard users to install specific ActiveX controls. The ActiveX Installer Service is a Windows component but is not installed by default. To enable the ActiveX Installer Service on a computer, follow these steps:

  1. Click Start, and then click Control Panel.
  2. Click the Programs link.
  3. Click the Turn Windows Features On Or Off link and reply to the UAC prompt that appears.
  4. In the Windows Features dialog box, select the ActiveX Installer Service check box. Click OK.
  5. Restart the computer if prompted.
  6. Use the Services console (Services.msc) to start the ActiveX Installer (AxInstSV) service and configure it to start automatically. It is set to start manually by default.

After enabling the ActiveX Installer Service on a computer, configure the list of sites approved to install ActiveX controls by following these steps:

  1. Open the Group Policy Object (GPO) in the Group Policy Object Editor.
  2. Browse to Computer Configuration\Administrative Templates\Windows Components\ActiveX Installer Service.
  3. Double-click the Approved Installation Sites For ActiveX Controls setting. Enable it.
  4. Click the Show button to specify host Uniform Resource Locators (URLs) that are allowed to distribute ActiveX controls. In the Show Contents dialog box, click Add and configure the host URLs:
    • Configure each item name as the hostname of the website from which clients will download the updated ActiveX controls, such as https://activex.microsoft.com.
    • Configure each value name using four numbers separated by commas (such as “2,1,0,0”). These values are described later in this section.
  5. Click OK to save the setting for the new policy.

When you configure the list of approved installation sites for ActiveX Controls, you configure a name and value pair for each site. The name will always be the URL of the site hosting the ActiveX control, such as https://activex.microsoft.com. The value consists of four numbers:

  • Trusted ActiveX Controls: Define the first number as 0 to block trusted ActiveX controls from being installed, as 1 to prompt the user to install trusted ActiveX controls, or as 2 to automatically install ActiveX controls without prompting the user.
  • Signed ActiveX Controls: Define the second number as 0 to block signed ActiveX controls from being installed, as 1 to prompt the user to install signed ActiveX controls, or as 2 to automatically install signed ActiveX controls without prompting the user.
  • Unsigned ActiveX Controls: Define the third number as 0 to block unsigned ActiveX controls from being installed or define this number as 1 to prompt the user to install unsigned ActiveX controls. You cannot configure unsigned ActiveX controls to be automatically installed.
  • Server Certificate Policy: Set this value to zero to cause the ActiveX Installer Service to abort installation if there are any certificate errors. Alternatively, you can set it to 256 to ignore an unknown CA, 512 to ignore invalid certificate usage, 4096 to ignore an unknown common name in the certificate, or 8192 to ignore an expired certificate. Add these numbers together to ignore multiple types of certificate errors.

For example, the numbers 2,1,0,0 would cause the ActiveX Installer Service to silently install trusted ActiveX controls, prompt the user for signed controls, never install unsigned controls, and abort installation if any Hypertext Transfer Protocol Secure (HTTPS) certificate error occurs.
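The four-number value is easy to misread when a policy lists many sites, so the following added example (not part of the original lesson) decodes each name/value pair, including the summed Server Certificate Policy flags, and reports entries worth reviewing. The function names and the .example hosts are constructed, and the review findings are heuristics chosen for this example rather than rules enforced by Windows.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# First three numbers: what the service does for that class of control.
INSTALL_ACTIONS = {0: "block", 1: "prompt", 2: "install silently"}

# Fourth number: certificate errors to ignore, added together (values from this lesson).
CERT_FLAGS = {
    256: "unknown CA",
    512: "invalid certificate usage",
    4096: "unknown common name",
    8192: "expired certificate",
}


@dataclass
class SitePolicy:
    url: str
    trusted: str
    signed: str
    unsigned: str
    ignored_cert_errors: list = field(default_factory=list)
    findings: list = field(default_factory=list)


def parse_site_policy(url, value):
    """Decode one name/value pair; raise ValueError if the value is malformed."""
    try:
        numbers = [int(part) for part in value.split(",")]
    except ValueError:
        raise ValueError(f"{url}: value must be four comma-separated numbers") from None
    if len(numbers) != 4:
        raise ValueError(f"{url}: expected 4 numbers, got {len(numbers)}")
    trusted, signed, unsigned, cert = numbers
    if trusted not in INSTALL_ACTIONS or signed not in INSTALL_ACTIONS:
        raise ValueError(f"{url}: first two numbers must be 0, 1 or 2")
    if unsigned not in (0, 1):
        # The lesson notes that unsigned controls cannot be installed automatically.
        raise ValueError(f"{url}: third number must be 0 or 1")
    if cert < 0 or cert & ~sum(CERT_FLAGS):
        raise ValueError(f"{url}: unknown certificate policy bits in {cert}")

    policy = SitePolicy(
        url=url,
        trusted=INSTALL_ACTIONS[trusted],
        signed=INSTALL_ACTIONS[signed],
        unsigned=INSTALL_ACTIONS[unsigned],
        ignored_cert_errors=[name for bit, name in CERT_FLAGS.items() if cert & bit],
    )
    # Review heuristics chosen for this example, not rules enforced by Windows.
    if urlsplit(url).scheme.lower() != "https":
        policy.findings.append("site URL is not HTTPS")
    if policy.ignored_cert_errors:
        policy.findings.append(
            "ignores certificate errors: " + ", ".join(policy.ignored_cert_errors))
    if signed == 2:
        policy.findings.append("signed controls install without a prompt")
    if unsigned == 1:
        policy.findings.append("users can be prompted to install unsigned controls")
    return policy


def audit(approved_sites):
    """Return {url: findings} for the entries that deserve a second look."""
    report = {}
    for url, value in approved_sites.items():
        try:
            findings = parse_site_policy(url, value).findings
        except ValueError as err:
            findings = ["invalid entry: " + str(err)]
        if findings:
            report[url] = findings
    return report


# Constructed sample list; the first two entries reuse values shown in this lesson.
SAMPLE_SITES = {
    "https://activex.microsoft.com": "2,1,0,0",
    "https://entimg.msn.com/": "2,2,1,0",
    "http://intranet.example": "2,1,0,4352",   # 256 + 4096
    "https://legacy.example": "2,1,2,0",       # invalid: third number cannot be 2
}

if __name__ == "__main__":
    for url, findings in audit(SAMPLE_SITES).items():
        print(url, "->", "; ".join(findings))
```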

When a user attempts to install an ActiveX control that has not been approved, the ActiveX Installer Service creates an event in the Application Log with an Event ID of 4097 and a source of AxInstallService. To be automatically notified when users need ActiveX controls that haven’t been approved, configure a trigger for these events. For more information, read Chapter 6, “Monitoring Client Computers.”

Protected Mode

Before Windows Vista, many computers were compromised when websites containing malicious code succeeded in abusing the Web browsers of visitors to run code on the client computer. Because any new process spawned by an existing process inherits the privileges of the parent process and the Web browser ran with the user’s full privileges, maliciously spawned processes received the same privilege as the user. With the user’s elevated privileges, the malicious process could install software and transfer confidential documents.

In Windows Vista, Internet Explorer aims to reduce this type of risk using a feature called Protected Mode. With Protected Mode, Internet Explorer 7 runs with very limited privileges on the local computer, even fewer privileges than those that the standard user has in Windows Vista. Therefore, even if malicious code on a website were to successfully abuse Internet Explorer to spawn a process, that malicious process would have privileges only to access the Temporary Internet Files folder and a few other locations. It would not be able to install software, reconfigure the computer, or read the user’s documents.

For example, most users log on to Windows XP computers with administrative privileges. If a website exploits a vulnerability in Windows Vista that hasn’t been fixed with an update and successfully launches a process to install spyware, the spyware installation process would have full administrator privileges to the local computer. On a Windows Vista computer the spyware install process would have minimal privileges—even less than those of a standard user—regardless of whether the user was logged on as an administrator.

Protected Mode is a form of defense-in-depth. Protected Mode is a factor only if malicious code successfully compromises the Web browser and runs. In these cases, Protected Mode limits the damage the process can do without the user’s permission. Protected Mode is not available when Internet Explorer 7 is installed on Windows XP because it requires several security features unique to Windows Vista.

The sections that follow provide more information about Protected Mode.

How Protected Mode Works

One of the Windows Vista features that enables Protected Mode is Mandatory Integrity Control (MIC). MIC labels processes, folders, files, and registry keys using one of four integrity access levels (ILs), as shown in Table 5-1. Internet Explorer runs with a low IL, which means it can access only other low IL resources without the user’s permission.

Table 5-1 Mandatory Integrity Control Levels

Low IL resources that Internet Explorer in Protected Mode can access include:

  • The History folder.
  • The Cookies folder.
  • The Favorites folder.
  • The %userprofile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\ folder.
  • The Windows temporary files folders.
  • The HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry key.

Using a feature called User Interface Privilege Isolation (UIPI), low IL also prevents Internet Explorer (or a malicious process launched by Internet Explorer) from sending window messages to other applications. This reduces the risk of shatter attacks, in which a process attempts to elevate privileges by directly attacking another process with higher privileges.

Unfortunately, it’s not only malicious software that needs to elevate privileges. Often, legitimate websites and user tasks require more privileges than Protected Mode provides by default. Some user tasks, such as viewing the source code of a page, also require elevated privileges. In these circumstances, Internet Explorer prompts the user to grant additional privileges. Figure 5-4 shows the dialog box that appears if the user clicks the View menu and then clicks Source; Internet Explorer needs permission because it has to launch Notepad, an external application, to show the source code. Low IL processes cannot launch external applications.

Figure 5-4 Internet Explorer prompts the user before granting elevated privileges

The warning dialog box shown in Figure 5-4 shows a yellow banner, indicating that the privileges requested require a medium IL (standard user privileges). A red banner can also appear, indicating that the privileges require a high IL (administrative privileges). Protected Mode protects Internet Explorer extensions, too, limiting the damage that could be done if an extension is malicious or contains a security vulnerability.

How the Protected Mode Compatibility Layer Works

To minimize both the number of privilege elevation requests and the number of compatibility problems, Protected Mode provides a compatibility layer. The compatibility layer redirects requests for protected resources to safer locations. For example, any requests for the My Documents folder (known as the Documents folder in Windows Vista) are automatically redirected to %userprofile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized. The first time an add-on attempts to write to a protected object, the compatibility layer copies the object to a safe location and accesses the copy. All future requests for the same protected file will access the copy.

The compatibility layer applies only to Internet Explorer add-ons written for earlier versions of Windows because anything written for Windows Vista would natively access files in the preferred locations.

How to Enable Compatibility Logging

Some Web applications and Internet Explorer add-ons developed for earlier versions of Internet Explorer will have compatibility problems when you run them with Internet Explorer 7 and Windows Vista. One way to identify the exact compatibility problem is to enable compatibility logging using Group Policy. To enable compatibility logging on your local computer, follow these steps:

  1. Click Start, type gpedit.msc, and then press Enter. Provide administrative credentials when prompted.
  2. In the Group Policy Object Editor, browse to User Configuration\Administrative Templates\Windows Components\Internet Explorer\. If you need to enable compatibility logging for all users on the computer, browse to Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\.
  3. Double-click the Turn On Compatibility Logging setting. Select Enabled, and then click OK.
  4. Restart Internet Explorer if it is currently open.

With compatibility logging enabled, you should reproduce the problem you are experiencing. You can then view events in the Event Viewer snap-in under Applications And Service Logs\Internet Explorer. Some events, such as Event ID 1037, will not have a description unless you also install the Application Compatibility Toolkit.

MORE INFO: Compatibility logging. For more information about compatibility logging, read “Finding Security Compatibility Issues in Internet Explorer 7” at https://msdn.microsoft.com/library/en-us/IETechCol/cols/dnexpie/ie7_compat_log.asp.

How to Disable Protected Mode

If you are concerned that Internet Explorer Protected Mode is causing problems with a Web application, you can temporarily disable it to test the application. Protected Mode is enabled on a zone-by-zone basis and is disabled by default for trusted sites.

To disable Protected Mode, follow these steps:

  1. Open Internet Explorer.
  2. Click the Tools button on the toolbar, and then click Internet Options.
  3. Click the Security tab.
  4. Select the zone for which you want to disable Protected Mode. Then, clear the Enable Protected Mode check box.
  5. Click OK.

If the application works when Protected Mode is disabled, the problem is probably related to Protected Mode. In that case, you should reenable Protected Mode and work with the application developer to solve the problems in the Web application. Alternatively, you could add the site to the Trusted Sites zone, thus permanently disabling Protected Mode for that site.

How to Troubleshoot Certificate Problems

Certificates are used for several security-related tasks in Internet Explorer:

  • Encrypting traffic: The most common use for certificates in Internet Explorer. Many websites, especially e-commerce websites that accept credit card numbers, have a Secure Sockets Layer (SSL) certificate installed. This SSL certificate enables HTTPS communications, which behave similarly to HTTP, but with encryption and authentication. With standard, unencrypted HTTP, if an attacker has access to the network, the attacker can read all data transferred to and from the server. With encrypted HTTPS, an attacker can capture the traffic, but it will be encrypted and cannot be decrypted without the server’s private key.
  • Authenticating the server: SSL certificates authenticate the server by allowing the client to verify that the certificate was issued by a trusted certification authority (CA) and that the name in the certificate matches the hostname used to access the site. This helps to prevent man-in-the-middle attacks, whereby an attacker tricks a client computer into visiting a malicious server that impersonates the legitimate server. Websites on the public Internet typically have SSL certificates issued by a third-party CA that is trusted by default in Internet Explorer. Intranet websites can use certificates issued by an internal CA as long as client computers are configured to trust the internal CA.
  • Authenticating the client: Intranet websites can issue certificates to clients on their network and use the client certificates to authenticate those clients to internal websites. When using Active Directory Group Policy, it is very easy to distribute client certificates throughout your enterprise.

If Internet Explorer detects a problem with a certificate, it displays the message, “There is a problem with this website’s security certificate,” as shown in Figure 5-5.

Figure 5-5 How Internet Explorer detects mismatched SSL certificates

The following list describes common problems that can occur when using certificates in Internet Explorer and how to troubleshoot them:

  • The security certificate presented by this website was issued for a different website’s address. In this case, there are several possible causes:
    • The hostname you are using to access the website is not the website’s primary address. For example, you might be attempting to access the website by IP address. Alternatively, you might be accessing an alternative hostname, such as “contoso.com” instead of “www.contoso.com”.
    • The server is impersonating a server with a different hostname. For example, an attacker might have set up a website to impersonate www.fabrikam.com. However, the attacker is using a different SSL certificate on the website. Earlier versions of Internet Explorer show a less intimidating error message, so many users might have bypassed the error and continued to the malicious site.
    • The server administrator made a mistake. For example, the administrator might have mistyped the server’s hostname when requesting the certificate, or the administrator might have installed the wrong certificate on the server.
  • The certificate has expired. Certificates have a limited lifespan, usually one to five years. If the certificate has expired, the server administrator should request an updated certificate and apply it to the server.
  • Internet Explorer is not configured to trust the certificate authority. Anyone, including attackers, can create their own CA and issue certificates. Therefore, Internet Explorer does not trust all CAs by default. Instead, Internet Explorer trusts only a handful of public CAs. If the certificate was issued by an untrusted CA and the website is on the public Internet, the server administrator should acquire a certificate from a trusted CA. If the website is on your intranet, a client administrator should configure Internet Explorer to trust the issuing CA. In Active Directory directory service domains, member computers automatically trust enterprise CAs. For more information, complete the practices at the end of this lesson.
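To triage a certificate warning without clicking through it, the three checks in the list above can be applied to the certificate fields directly. The following added example (not part of the original lesson) does so for a certificate in the dictionary form returned by Python's ssl.SSLSocket.getpeercert(); the sample certificate, the CA name, and the function names are constructed, and trust is simplified to a lookup of the issuer's common name instead of full chain validation.

```python
import ssl
from datetime import datetime, timezone

MISMATCH = "issued for a different website's address"
EXPIRED = "certificate has expired"
UNTRUSTED = "certification authority is not trusted"


def cert_names(cert):
    """Names the certificate covers: DNS subjectAltName entries, else the subject CN."""
    san = [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [v.lower() for rdn in cert.get("subject", ())
            for key, v in rdn if key == "commonName"]


def issuer_common_name(cert):
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def host_matches(host, pattern):
    """Exact match, or a '*.' wildcard that covers exactly one left-most label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return host == pattern


def diagnose(cert, host, now, trusted_issuers):
    """Return the problems from the list above that apply to this connection.

    host is the name typed in the Address bar, now is a POSIX timestamp, and
    trusted_issuers is a set of CA common names (a simplification: a browser
    validates the signature chain up to a trusted root).
    """
    problems = []
    if not any(host_matches(host, name) for name in cert_names(cert)):
        problems.append(MISMATCH)
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append(EXPIRED)
    if issuer_common_name(cert) not in trusted_issuers:
        problems.append(UNTRUSTED)
    return problems


# Constructed certificate in getpeercert() form, issued by a constructed internal CA.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.contoso.com"),),),
    "issuer": ((("organizationName", "Contoso"),),
               (("commonName", "Contoso Internal CA"),)),
    "notBefore": "Jan  1 00:00:00 2007 GMT",
    "notAfter": "Jan  1 00:00:00 2008 GMT",
}
MID_2007 = datetime(2007, 6, 1, tzinfo=timezone.utc).timestamp()
MID_2009 = datetime(2009, 6, 1, tzinfo=timezone.utc).timestamp()
INTERNAL_TRUST = {"Contoso Internal CA"}

if __name__ == "__main__":
    for host in ("www.contoso.com", "contoso.com", "192.0.2.10"):
        print(host, diagnose(SAMPLE_CERT, host, MID_2007, INTERNAL_TRUST))
    # A client that has not been configured to trust the internal CA, two years on.
    print(diagnose(SAMPLE_CERT, "www.contoso.com", MID_2009, set()))
```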

Practice: Troubleshoot Certificate Problems

In this practice, you first configure the ActiveX Installer Service to trust ActiveX controls from MSN. Then, you will practice troubleshooting certificate-related problems by generating an untrusted certificate, viewing how Internet Explorer responds to that certificate, and then configuring Internet Explorer to trust the certificate.

Practice 1: Automate the Installation of an ActiveX Control

In this practice, you configure the ActiveX Installer Service to automatically install an ActiveX control used by MSN.com.

  1. Log on as a standard user and open Internet Explorer. Visit https://music.msn.com/client/install.aspx. Click Install.
  2. Click the Information Bar, and then click Install ActiveX Control. The UAC prompt appears, indicating that a standard user would be unable to install the add-on. Click Cancel.
  3. Follow these steps to install the ActiveX Installer Service:
    1. Click Start, and then click Control Panel.
    2. Click the Programs link.
    3. Click the Turn Windows Features On Or Off link and reply to the UAC prompt that appears.
    4. In the Windows Features dialog box, select the ActiveX Installer Service check box. Click OK.
    5. If prompted, do not restart the computer.
  4. Follow these steps to configure Microsoft.com as a trusted installer:
    1. Use administrative privileges to open the local GPO in the Group Policy Object Editor.

    2. Browse to Computer Configuration\Administrative Templates\Windows Components\ActiveX Installer Service.

    3. Double-click the Approved Installation Sites For ActiveX Controls setting. Select Enable.

    4. Click the Show button.

    5. Click Add. Specify a value name of https://entimg.msn.com/ and a value of 2,2,1,0.

       NOTE Source URL and CLSID of an ActiveX control: You can determine the source URL and CLSID of the ActiveX control by viewing the source of the webpage that installs the ActiveX control. Then, within the source, search for the phrase “<object”.

    6. Click OK three times to save the setting for the new policy.

  5. Restart your computer to complete the installation of the ActiveX Installer Service and to apply the updated Group Policy settings.
  6. Log back on as a standard user. Open Internet Explorer and visit https://music.msn.com/client/install.aspx again. Click Install. Then, click the Information Bar, and click Install ActiveX Control. Notice that this time, although Internet Explorer prompts you to confirm the installation, no UAC prompt appears. After the ActiveX control is installed, click the Information Bar again to activate the control.
  7. In Internet Explorer, click the Tools button on the toolbar, click Manage Add-Ons, and then click Enable Or Disable Add-Ons.
  8. In the Manage Add-Ons dialog box, click the Show list, and then click Downloaded ActiveX Controls. Notice that the newly installed ActiveX control appears on the list.

Practice 2: Simulate an Invalid Certificate

In this practice, you open a webpage using a hostname other than the common name specified in the SSL certificate and view how Internet Explorer handles it.

  1. Open Internet Explorer. In the Address bar, type https://www.microsoft.com. Press Enter.

    When prompted to display nonsecure items, click No.

  2. Internet Explorer opens the www.microsoft.com home page using encrypted HTTPS. Note the gold lock in the Address bar, as shown in Figure 5-6.

    Figure 5-6 The gold lock in the address bar, which signifies that communications with the site are encrypted and the certificate is valid

  3. Click the gold lock in the address bar to display the website identification. Notice that the identification page displays “www.microsoft.com,” which exactly matches the hostname you typed in the address bar.

  4. In the Address bar, type https://microsoft.com. Notice that this time the hostname does not begin with “www.” Press Enter.

    Internet Explorer displays the There Is A Problem With This Website’s Security Certificate webpage. This happens because the hostname in the certificate, www.microsoft.com, does not exactly match the hostname you typed in the address bar, microsoft.com. Users would see this same error message if they attempted to visit a site that was impersonating another site.
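The following Windows PowerShell function is an added example, not part of the original lesson. It connects to a server, records what Windows certificate validation reports, and sorts the result into the problems this lesson covers: a hostname mismatch, a validity-date problem, or an untrusted CA. The function name `Get-CertificateProblem` and the message wording are assumptions made for this example.

```powershell
function Get-CertificateProblem {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,  # exactly as typed in the address bar
        [int]$Port = 443
    )
    $state = @{ Errors = [System.Net.Security.SslPolicyErrors]::None; Chain = @() }

    # The callback accepts every certificate so the handshake completes for inspection;
    # it only records what Windows' own validation reported. No HTTP request is sent.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($stream, $certificate, $chain, $policyErrors)
        $state.Errors = $policyErrors
        $state.Chain  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        $true
    }

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }

    $nameMismatch = [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
    $problems = @()
    if ($state.Errors -band $nameMismatch) {
        $problems += "Hostname mismatch: certificate was issued for a name other than '$HostName'"
    }
    if ($state.Chain -contains 'NotTimeValid') {
        $problems += "Validity dates: a certificate in the chain is expired or not yet valid (server certificate: $($cert.NotBefore) to $($cert.NotAfter))"
    }
    if ($state.Chain -contains 'UntrustedRoot' -or $state.Chain -contains 'PartialChain') {
        $problems += "Untrusted CA: issuer '$($cert.Issuer)' does not chain to a trusted root"
    }
    if ($problems.Count -eq 0) { $problems += 'No certificate problem detected' }

    New-Object PSObject -Property @{
        HostName = $HostName; Subject = $cert.Subject; Issuer = $cert.Issuer; Problems = $problems
    }
}

# The two hostnames used in Practice 2.
'www.microsoft.com', 'microsoft.com' | ForEach-Object { Get-CertificateProblem -HostName $_ } |
    Format-List HostName, Subject, Issuer, Problems
```

Run it on the client that shows the warning, because the untrusted-CA result depends on that computer's own Trusted Root Certification Authorities store.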

Practice 3: Issue an Untrusted Certificate

In this practice, you must issue an internal certificate to a Web server and determine how Windows Vista handles it both as a member of the domain and from outside the domain.

  1. Connect to a Windows Server 2003 Active Directory domain controller in a test environment and log on as an administrator.

  2. Certificate Services requires Internet Information Services (IIS). Therefore, you need to install the Application Server role if it is not already installed. Click Start, click Administrative Tools, and then click Manage Your Server. If the Application Server role is already installed, skip to step Otherwise, click Add Or Remove A Role to start the Configure Your Server Wizard.

  3. On the Preliminary Steps page, click Next.

  4. On the Server Role page, select Application Server (IIS, ASP.NET), and then click Next. Follow the prompts that appear to install IIS with ASP.NET enabled. Finally, click Finish.

  5. After you have installed IIS, click Start, click Control Panel, and then click Add Or Remove Programs. Click Add/Remove Windows Components.

  6. If the Certificate Services check box is already selected, skip to step Otherwise, select the Certificate Services check box, click Yes to close the Microsoft Certificate Services message box, and then click Next.

  7. On the CA Type page, leave Enterprise Root CA selected, and then click Next.

  8. On the CA Identifying Information page, type the hostname for your CA (such as DCSRV1.nwtraders.msft), and then click Next to accept the default settings. If prompted to stop IIS, click Yes.

  9. On the Certificate Database Settings page, click Next. Respond to any prompts that appear to complete the installation of Certificate Services. Finally, click Finish.

  10. Click Start, click All Programs, click Administrative Tools, and then click IIS Manager.

  11. In the IIS Manager, expand your computer and expand Web Sites. Then, right-click Default Web Site and click Properties.

  12. In the Default Web Site Properties dialog box, click the Directory Security tab. Then, click the Server Certificate button.

  13. The Web Server Certificate Wizard appears. On the Welcome To The Web Server Certificate Wizard page, click Next.

  14. On the Server Certificate page, select Create A New Certificate, and then click Next.

  15. On the Delayed Or Immediate Request page, select Send The Request Immediately To An Online Certification Authority. Then, click Next.

  16. On the Name And Security Settings page, accept the default settings by clicking Next.

  17. On the Organization Information page, type Northwind Traders in the Organization box and type IT in the Organizational Unit box. Then, click Next.

  18. On the Your Site’s Common Name page, note that the default setting matches the site’s computer name. This setting is extremely important because it must exactly match the name that users type to access your website. Computer names work well on intranet sites, but for public Internet sites the common name should resemble www.nwtraders.com. Click Next to accept the default setting because this site will be accessed like an intranet site.

  19. On the Geographical Information page, enter your geographic information. Then, click Next.

  20. On the SSL Port page, accept the default standard setting of 44. Then, click Next.

  21. On the Choose A Certification Authority page, verify that the CA listed matches the domain controller. Click Next.

  22. On the Certificate Request Submission page, click Next.

  23. On the Completing The Web Server Certificate Wizard page, click Finish.

  24. In the Default Web Site Properties dialog box, click OK.

  25. Now you have configured your domain controller as a Web server with an SSL certificate. On your Windows Vista client computer, open Internet Explorer. In the address bar, enter https://common_name, where common_name is the name you entered in step 19 (such as https://dcsrv1). Press Enter.

    Internet Explorer opens the page. Notice that the gold lock icon appears in the address bar, signifying that the SSL certificate is valid.

  26. On a second Windows Vista computer that is not a member of your domain, open Internet Explorer. Alternatively, if you do not have a second computer, you can temporarily remove your Windows Vista computer from the domain. In Internet Explorer, enter https://common_name and press Enter.

    Internet Explorer displays a warning message indicating that the certificate was not issued by a trusted certificate authority, as shown in Figure 5-7.

    Figure 5-7 The warning message given by Internet Explorer if it doesn’t trust the certificate authority

    Now, continue working with Practice 4 to resolve this problem.

Practice 4: Trust a Certificate Authority

In this practice, you must export your CA’s root certificate and trust that certificate on your nondomain Windows Vista computer so that you can open the SSL-encrypted website without a warning. To complete this practice, you must have completed Practice 2.

  1. On your domain controller, in the Certification Authority console, right-click your server, and then click Properties.
  2. Click the General tab. Click Certificate #0, and then click the View Certificate button.
  3. In the Certificate dialog box, click the Details tab. Then, click Copy To File.
  4. The Certificate Export Wizard appears. Click Next.
  5. On the Export File Format page, accept the default export format, and then click Next.
  6. On the File To Export tab, type C:\root.cer, and then click Next.
  7. Click Finish. Then, click OK twice.
  8. On your Windows Vista client computer that is not a member of your test domain, open Internet Explorer. In Internet Explorer, click the Tools button on the toolbar, and then click Internet Options.
  9. In the Internet Options dialog box, click the Content tab, and then click Certificates.
  10. In the Certificates dialog box, click the Trusted Root Certification Authorities tab. Then, click the Import button.
  11. The Certificate Import Wizard appears. On the Welcome To The Certificate Import Wizard page, click Next.
  12. On the File To Import page, click the Browse button. In the Open dialog box, type \\server_name\c$\root.cer. Then, click Open. Click Next.
  13. On the Certificate Store page, notice that the Certificate Import Wizard will import the certificate into the Trusted Root Certification Authorities store by default. This is the correct place. Click Next.
  14. On the Completing The Certificate Import Wizard page, click Finish.
  15. A Security Warning dialog box appears. Click Yes to install the certificate. Then, click OK.
  16. Click Close, and then click OK.
  17. In Internet Explorer, enter https://common_name, and press Enter. Internet Explorer opens the page. Notice that the gold lock icon appears in the address bar, signifying that the SSL certificate is valid. Because this computer is not a member of the Active Directory domain, you had to manually trust the root certificate. Then, all certificates issued by that CA will be trusted. If the computer had been a member of the Active Directory domain, Group Policy would have caused the computer to automatically trust the enterprise CA.
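Trusting a root certificate makes the client accept every certificate that CA issues, so it is worth confirming that the file you import is the one exported from your CA. The following Windows PowerShell function is an added example, not part of the original lesson. It performs the import from steps 8 through 16 only after the file's thumbprint matches a value you obtained separately, for example by reading it from the Details tab of the Certificate dialog box on the CA. The function name `Add-VerifiedRootCertificate` and its parameters are assumptions made for this example.

```powershell
function Add-VerifiedRootCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$Path,                # exported root certificate file
        [Parameter(Mandatory = $true)][string]$ExpectedThumbprint,  # obtained separately from the CA
        [ValidateSet('CurrentUser', 'LocalMachine')][string]$Location = 'CurrentUser'
    )
    $file = (Resolve-Path $Path).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($file)

    # Normalize the expected value: the dialog box shows spaces between byte pairs.
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($expected.Length -ne 40) {
        throw 'ExpectedThumbprint must be a 40-digit hexadecimal SHA-1 thumbprint.'
    }
    if ($cert.Thumbprint -ne $expected) {
        throw "Thumbprint mismatch: file has $($cert.Thumbprint). Certificate not imported."
    }
    # A root CA certificate is self-signed, so subject and issuer are identical.
    if ($cert.Subject -ne $cert.Issuer) {
        throw "'$($cert.Subject)' is not a self-signed root certificate. Certificate not imported."
    }

    # 'Root' is the Trusted Root Certification Authorities store.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', $Location)
    $store.Open('ReadWrite')
    try {
        $existing = $store.Certificates.Find('FindByThumbprint', $expected, $false)
        if ($existing.Count -eq 0) {
            $store.Add($cert)
            "Imported '$($cert.Subject)' into $Location\Root"
        }
        else {
            "'$($cert.Subject)' is already trusted in $Location\Root"
        }
    }
    finally {
        $store.Close()
    }
}

# Usage with placeholder values; replace the thumbprint with the one shown on your CA:
# Add-VerifiedRootCertificate -Path '\\server_name\c$\root.cer' -ExpectedThumbprint '<thumbprint from the CA>'
```

With the default `CurrentUser` location, Windows still shows the Security Warning dialog box from step 15. The `LocalMachine` location requires an elevated PowerShell session.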

Lesson Summary

  • Web application developers often use Internet Explorer add-ons to extend the Web browser’s capabilities. However, some add-ons can cause reliability problems, and others might compromise your organization’s security. Fortunately, Internet Explorer provides tools to disable add-ons and delete ActiveX controls. If an add-on is preventing Internet Explorer from starting, you can start Internet Explorer with all add-ons disabled.
  • Protected Mode is one of Internet Explorer 7.0’s most significant security improvements, and it’s available only when using Windows Vista. By default, Protected Mode causes Internet Explorer to run with low privileges, which prevents Internet Explorer (or any process launched by Internet Explorer) from accessing most resources on the computer. The user must confirm permissions if Internet Explorer or an add-on requires elevated privileges.
  • Many websites use certificates to authenticate the Web server and to provide encrypted communications. Certificates are extremely important for websites that provide access to confidential information or that collect private information from users (such as credit card numbers). The most common certificate problem is a nonmatching server hostname, which can typically be resolved by providing the hostname listed in the certificate. For servers on your intranet, users might experience certificate problems if the computer hasn’t been correctly configured to trust the CA.

Lesson Review

You can use the following questions to test your knowledge of the information in Lesson 1, “Configuring and Troubleshooting Internet Explorer Security.” The questions are also available on the companion CD if you prefer to review them in electronic form.

NOTE Answers: Answers to these questions and explanations of why each answer choice is right or wrong are located in the “Answers” section at the end of the book.

  1. A user is attempting to visit one of the many internal websites run by your IT department. The user’s shortcut is set up to use SSL by default. Today, when the user attempted to open the page, Internet Explorer showed the user the following message:

    There is a problem with this website’s security certificate. The security certificate presented by this website was issued for a different website’s address.

    Which of the following might cause this message? (Choose all that apply.)

    1. The certificate is expired.
    2. An attacker is redirecting traffic to a malicious Web server.
    3. Internet Explorer no longer trusts the CA that issued the certificate.
    4. The website certificate was issued for a different hostname than that stored in the user’s shortcut.
  2. Which of the following would Internet Explorer block by default (until confirmed by a user)? (Choose all that apply.)

    1. Animated GIFs
    2. Background music in a webpage
    3. Video embedded in a webpage
    4. Viewing the source code of a webpage
  3. Which of the following types of requests would the Internet Explorer compatibility layer redirect to a virtualized location?

    1. Storing a cookie
    2. Storing a file in the Documents folder
    3. Prompting the user to choose a file to upload to a website
    4. Storing a file in the Temporary Internet Files folder
  4. You receive a support call from a user attempting to access an internal webpage. The user recently upgraded to Windows Vista; previously, the user had been using Windows XP and Internet Explorer 6.0. The webpage contains an ActiveX control, but it isn’t appearing on the webpage for the user. Which of the following are valid ways for the user to resolve the problem? (Choose two. Each correct answer is a complete solution.)

    1. Right-click the page, and then click Run ActiveX Control.
    2. Click the Information Bar, and then click Run ActiveX Control.
    3. Add the site to the Trusted Sites list.
    4. Clear the Enable Protected Mode check box in the Internet Security dialog box.

© Microsoft. All Rights Reserved.