Ask Us About... Security, August 2000
|Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.|
by Joel Scambray
A couple of new e-mail-based attacks against Microsoft Outlook® and Outlook Express surfaced in July, and in researching these, I delved pretty deep into the client-side of Internet security, as opposed to the server side, which I am most prone to talk about in this space. Most people don't consider this other end of the telescope when talking about Internet security—as long as the servers are secure, who's worried if a few end users get hacked, right? Well, all it takes is even the slightest compromise of personal data while traversing the Internet and most folks realize how myopic this view really is. This month's column will help network administrators and end users alike to shore up those client-side defenses.
On This Page
Same Old Threat, Different Faces
We talked last month about the new Outlook security update http://www.microsoft.com/PressPass/features/2000/jun00/06-08outlook.mspx that helps users deal with malicious e-mail attachments. I won't bore anyone again with the standard lecture on taking adequate precautions with code downloaded from Web sites, or presented as an attachment to an e-mail message. However, downloaded code can take many insidious forms, some of which may not be immediately recognizable to the user. Anyone who uses Internet Explorer or Outlook/Outlook Express should also understand the potential danger of malicious active content embedded in Web pages or in e-mail messages.
Some recently publicized advisories highlight the threat, which includes techniques to download files to arbitrary locations on disk, and potentially to execute them as well, simply by viewing a Web page or opening a mail message. Sound scary? It is only if you haven't set adequate security on Internet Explorer and Outlook. We'll discuss those below.
The two most important considerations when it comes to securing Internet Explorer and Outlook/Outlook Express are:
Maintain all relevant patches to ensure that point problems are addressed.
Disable active content rendering capabilities either selectively or altogether, depending on your level of paranoia.
I'll discuss both below.
Keeping Up with Client-Side Security Patches
Microsoft makes available four primary areas to obtain client software security patches for its products. Finding the right one can sometimes take a bit of detective work to navigate the product-specific literature as well as the security-related download facilities, and also depends somewhat on the user's level of security expertise.
The first spot to check is Microsoft Update http://update.microsoft.com/microsoftupdate. The Windows Update site uses ActiveX® technology to scan your system to see what you have installed and gives you a list of suggested components that need upgrading based on the most up-to-date and accurate versions. For our purposes, selecting the Critical Updates option is recommended to fix known problems (including security issues) specific to your computer. It will even tell you your past installation history and list patches that are already installed at the click of a button. This is a really effective way to get security patches you need, saving wasted time downloading components you have already installed. The only drawback to Windows Update is that freshly-released security patches sometimes take awhile to make their way onto the list of available components. Thus, you may not be as current using Windows Update as you would be visiting the security bulletins page mentioned below. Also, Windows Update covers operating system software and Internet Explorer, primarily, so patches for other product software like Office are not included in the bounty.
For more experiences users, the next spot to check is the list of recent security bulletins http://www.microsoft.com/technet/security/current.aspx. This is the best place to search for purely security-related patches, especially since it was upgraded to allow searching by product or date. For example, by selecting "Internet Explorer 5" and hitting "Go," you can see all security bulletins for that specific product listed in chronological order. This page does require some knowledge on the part of the user, as bulletins are labeled according to the vulnerability that they describe, and are not categorized by patch name or number, and there is no quick way to determine whether one has already applied a certain patch. Thus, IT Pros are more likely to find this a more homey roost than inexperienced users.
One could also visit product-specific security patch download pages. They are available for Internet Explorer http://www.microsoft.com/windows/ie/download/default.htm#critical and Office products http://www.microsoft.com/downloads/details.aspx?FamilyID=5C011C70-47D0-4306-9FA4-8E92D36332FE&displaylang=EN. The Internet Explorer download page is a simple, chronological list of security patches that makes it easy to click down the list and get what you need. Unlike Windows Update, however, there is no facility for identifying which patches have already been installed.
Finally, you can search the Microsoft Download Center http://www.microsoft.com/downloads/search.asp?Search=Keyword&Value='security_patch'&OpSysID=1 (MDC) for security-related patches using the keyword "security_patch." MDC allows searches by product name, product category, or operating system. Unfortunately, you cannot search by both keyword and these other categories simultaneously, so it is not as effective a search mechanism as the security bulletins page. Use this one if you are only browsing, or if the other methods above failed to produce adequate results.
Setting High Security on Active Content
The second main method for addressing client-side attacks is to cut them off at the pass by disabling active content where prudent. To do this properly requires some understanding of one of the most overlooked aspects of Microsoft Windows® security, security zones. One of the best references for learning about zone security is Microsoft Knowledge Base article 174360 http://support.microsoft.com/default.aspx?scid=kb;en-us;174360&sd=tech. Also try the Internet Explorer Resource Kit, Chapter 27 http://www.microsoft.com/technet/archive/ie/reskit/ie4/part7/part7a.mspx. Essentially, the zone security model allows users to assign varying levels of trust to code downloaded from any of four zones: Local Intranet, Trusted Sites, Internet, and Restricted Sites. A fifth zone called Local Machine exists, but it is not available in the user interface because it is only configurable using the Internet Explorer Administration Kit (IEAK, see below).
Sites can be manually added to every zone except the Internet zone. The Internet zone contains all sites not mapped to any other zone, and any site containing a period (".") in its URL (for example, http://local is part of the Local Intranet zone by default, while http://www.microsoft.com is in the Internet Zone because it has periods in its name). When you visit a site within a zone, the specific security settings for that zone apply to your activities on that site (e.g. "Run ActiveX controls"). Therefore, the most important zone to configure is the Internet Zone, since it contains all of the sites a user is likely to visit by default. Of course, if you manually add sites to any other zone, this rule doesn't apply; be sure to carefully select trusted and untrusted sites when populating the other zones, if you choose to do so at all (typically, other zones will be populated by network administrators for corporate LAN users).
To configure security for the Internet Zone, open Tools | Internet Options | Security within Internet Explorer (or the Internet Options Control Panel), highlight the Internet Zone, hit Default Level, and move the slider up to an appropriate level. I recommend setting it to "High," and even using the "Custom Level" button to disable even more active content. The bad news with this setting is that it may result in problems viewing sites that depend on active content for special effects. For example, try setting security to High and then visiting Windows Update. Since it uses ActiveX to scan and install appropriate patches on a user's system, it just won't work with High security set.
This is where the Trusted Sites zone comes in handy – just add windowsupdate.microsoft.com to the Trusted Sites zone, and deselect "Require https for all sites in this zone." By default, the security level for Trusted Sites is set to Low; I'd recommend setting it to at least Medium-Low, and higher if you can maintain functionality (when I set security at Medium while visiting Windows Update, Internet Explorer barked at me about some ActiveX controls not displaying properly, but the site still seemed to function OK). Individually assigning each site visited on a daily basis to a zone can prove fairly cumbersome, and sites are changing all the time, so once again, I recommend exercising care in populating the customizable zones.
Network administrators can use the Internet Explorer Administration Kit (IEAK) to configure zone settings across the corporate LAN from a centralized distribution point. Check out the IEAK page http://www.microsoft.com/technet/prodtechnol/ie/ieak/default.asp for more information.
And don't forget to assign an appropriate security zone to Outlook or Outlook Express as well, since dynamic content is also prevalent in e-mail. With Outlook and Outlook Express, you only have to choose between the Internet zone and Restricted Sites. Guess which one I recommend? I also suggest customizing the security of Restricted Sites to disable everything—I have yet to find a justification for viewing active content in e-mails at any time (OK, maybe when the holidays arrive and we all get those lovely animated greeting cards—not!).
Oh, and one more thing: some recent attacks also leveraged Office macros to do their dirty work. Make sure to turn macro security to high under Tools | Macro | Security for each Office application (Microsoft Word, Microsoft Excel, Microsoft PowerPoint, and Microsoft Access).
Windows 2000 Internet Security Paper
One last plug before we go: back in fall of 1999, Microsoft briefly hosted a site called Windows2000test.com designed to test the security of Windows 2000 under real-world fire. The results of that test will soon be published in a whitepaper on the Microsoft site—keep an eye out for it. Until next week!
Send your Security questions to the Ask Us About Security mailbox http://go.microsoft.com/?linkid=2544905. If your question is selected, you will see your answer in a forthcoming column.
We at Microsoft Corporation hope that the information in this work is valuable to you. Your use of the information contained in this work, however, is at your sole risk. All information in this work is provided "as -is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Microsoft Corporation. Microsoft Corporation shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.