Matt Heller Aaron Margosis Microsoft Corporation CLI 314.

Presentation transcript:

Overview
- New Security Features (15 min)
- New Privacy Features (15 min)
- Managing & Configuring Security Features (35 min)
- Q&A (10 min)

Threat Vectors: Increasing Severity & Ways of Risk
- Blended threats shifting from the browser to sites
- Impact to data governance & regulations
- Rapid pace of threat innovation
- Consumer & employee data at risk

Web: Challenge or Opportunity? Efficiency, Economics & Expectations
- Syndicated content and ad business model enables sites and business
- Growth in ecommerce depends on consumer trust
- Trust may be undermined by less than transparent collection of data and inadequate protection of privacy
- Unknown accountability: 1st party & 3rd parties
- Potential backlash & heightened consumer concerns

Internet Explorer 8 Trustworthy Browsing
Confidently bank, communicate & shop (Social Engineering & Privacy):
- Extended Validation (EV) SSL Certificates
- SmartScreen® Filter: blocks phishing & malware
- Domain Highlighting
- Enhanced Delete Browsing History
- InPrivate™ Browsing & Filtering
Build on a secure foundation (Browser Vulnerabilities):
- Security Development Lifecycle (SDL)
- Protected Mode
- ActiveX Controls
- DEP (Data Execution Prevention)
Extends browser protection to the web server (Web Server & Applications):
- HttpOnly cookies
- Group Policies
- XDomainRequest (Cross Domain Requests)
- XDM (Cross Domain Messaging)
- XSS Filter (Cross Site Scripting)
- Anti-ClickJacking

Domain Highlighting
- More accurately ascertain the domain of the site being visited
- The domain is shown in black; the other characters of the URL are gray

Social Engineering
- Emerging threat vector & diversification
- Address concerns of users and site owners
SmartScreen® Filter
- Integrated phishing & malware download protection
- Examines the URL string, preempting evolving threats
- Blocks 1 million+ weekly attempts to visit phishing sites
- Significant malware site detection volumes: ~10x the traffic of phishing (IE8 beta users)
- Group Policy support: a key IT requirement
- 24x7 support processes and feedback mechanisms

SmartScreen Filter

IE8 XSS Filter (Web Server & Applications)
- Identifies & neuters the attack
- Blocks the malicious script from executing

Cross Site Scripting Filter

- Granular level control provides ultimate control & flexibility
- Domain administrators have full control over approved ActiveX lists

Per-User ActiveX Controls Per-Site ActiveX Controls

Per-User ActiveX Conversion Toolkit

Protected Mode
- Limits access to the file system and registry
- Reduces escalation-of-privilege attacks
- Application compatibility impacts: shims, read/write failures, broker process

Internet Explorer 7 Process Model

Internet Explorer 8 Process Model (LCIE)

Security vs. Privacy
Security:
- Core engineering issues
- Protection from harm
- Protection from fraud
Privacy:
- Control over preferences
- Control over how information is shared

Privacy is all about being in control: Control == Notice + Consent

Does Privacy Exist?
- Having records online, using surveillance cameras: not necessarily illegal
- The problem arises because "contextual integrity" is violated
- Information is transferred in context
- A context has a set of norms
- When information is transferred from one context to another without notice and consent, contextual integrity is violated

Web Privacy Issues Today – some examples

Internet Explorer 8 Privacy Goals
- Put the user in control of the web browser
  - Shared PC: Delete Browsing History, InPrivate™ Browsing
  - On the Web: InPrivate™ Filtering
- Build useful, convenient features to make it easy to stay in control
- Leap ahead of the competition: InPrivate Filtering, preserve Favorites data

Delete Browsing History
- Preserve data from Favorites sites: keep the useful stuff, delete the not-so-useful stuff
- Convenient checkboxes!
- Delete Browsing History on Exit!
- Group Policy!

Delete Browsing History

InPrivate Browsing
- Creates a new browsing window that does not record browsing history
- Some things that are turned off: History; Cookies (accepted, but downgraded to session-only); Suggested Sites; Form data saving
- Things that are deleted when you exit: Temporary Internet Files; Compatibility View list; ActiveX Opt-In list

InPrivate™ Browsing

InPrivate Browsing FAQ
- Parental Controls disables InPrivate Browsing
- IT scenarios: InPrivate Browsing can be disabled via GP
- Does not interfere with proxy servers; proxy servers will still record sites browsed
- Does not provide anonymization
- Add-ons UI: toolbars and BHOs are not loaded by default; APIs are available for ActiveX controls
- Suggested Sites feature is turned off

Third Party Content Serving
- Over time, users' history and profiles can unknowingly be aggregated
- Any third-party content can be used like a tracking cookie
- There is little end-user notification or control today
- Syndicated photos, weather, stocks, news articles; local analytics, etc.
- Unclear accountability with third party security & privacy policies
[Diagram: a user visits unique sites (msn.com, ebay.com, amazon.com, cnn.com, cnet.com, about.com, msnbc.com, nytimes.com), each of which loads content from the same 3rd-party syndicator web server]

InPrivate Filtering
- Helps give you control over which 3rd-party content providers have a line of sight into your web browsing
- Keeps a table of 3rd-party content and the 1st-party sites the content was loaded from
- Allows you to block content that passes a configurable threshold (10 1st-party sites by default)

InPrivate Filtering

InPrivate Filtering FAQ (short list)
- If I have a website, what do I do? Will my website break? IE8 includes a JavaScript-accessible API (bool InPrivateFilteringEnabled()) that lets website owners detect when InPrivate Filtering is enabled
- Not an ad blocker: some advertisements may be blocked, but InPrivate Filtering is a privacy tool; it can only block content that has a "line of sight" into your browsing history
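The "line of sight" table the InPrivate Filtering slides describe, as an added example that is not code from the presentation or from IE8 itself: it records which 1st-party sites each piece of 3rd-party content was loaded from and blocks the content once it crosses the threshold (10 sites by default). The browsing log, host names, and the "site = last two host labels" rule are constructed assumptions.

```python
# Added example: a model of IE8 InPrivate Filtering's 3rd-party content table.
# Not the browser's own code; the browsing log below is constructed.
from collections import defaultdict
from urllib.parse import urlsplit

DEFAULT_THRESHOLD = 10  # 1st-party sites, the default named on the slide


def registrable_domain(url):
    # Assumption: a "site" is the last two host labels (cdn.example.com -> example.com).
    # Real use would need a public-suffix list.
    host = urlsplit(url).hostname or ""
    return ".".join(host.lower().split(".")[-2:])


class InPrivateFilterTable:
    def __init__(self, threshold=DEFAULT_THRESHOLD):
        self.threshold = threshold
        # 3rd-party content URL -> set of 1st-party sites it was loaded from
        self.seen_on = defaultdict(set)

    def record(self, first_party_url, content_url):
        # Content served by the site itself is 1st-party and is never counted.
        if registrable_domain(first_party_url) == registrable_domain(content_url):
            return
        self.seen_on[content_url].add(registrable_domain(first_party_url))

    def sites_seen(self, content_url):
        return len(self.seen_on.get(content_url, ()))

    def is_blocked(self, content_url):
        # Content with a line of sight into >= threshold sites gets blocked.
        return self.sites_seen(content_url) >= self.threshold


def simulate(page_loads, threshold=DEFAULT_THRESHOLD):
    """Replay (1st-party page, 3rd-party content URL) pairs and return the table."""
    table = InPrivateFilterTable(threshold)
    for page, content in page_loads:
        table.record(page, content)
    return table


# Constructed log: one tracker script embedded on 10 sites, one widget on 2 sites,
# plus one load of the tracker from its own site (1st-party, not counted).
TRACKER = "http://tracker.example/t.js"
WIDGET = "http://weather.example/widget.js"
SAMPLE_LOADS = [("http://site%d.example/" % i, TRACKER) for i in range(10)]
SAMPLE_LOADS += [("http://site1.example/", WIDGET), ("http://site2.example/", WIDGET)]
SAMPLE_LOADS += [("http://tracker.example/home", TRACKER)]

if __name__ == "__main__":
    t = simulate(SAMPLE_LOADS)
    print(TRACKER, "seen on", t.sites_seen(TRACKER), "sites; blocked:", t.is_blocked(TRACKER))
    print(WIDGET, "seen on", t.sites_seen(WIDGET), "sites; blocked:", t.is_blocked(WIDGET))
```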

3rdParty.html

Understanding Security Zones
- Security Zones
- Settings: Policies and Preferences
- Templates
- Some Things To Know

Security Zones
0. Computer zone, a.k.a. Local Machine Zone
1. Local Intranet
2. Trusted Sites
3. Internet
4. Restricted Sites

Security Zone Settings
- User Preferences and Machine Preferences
- User Policies and Machine Policies

Precedence Order for Each Setting (highest first)
1. Machine Policies
2. User Policies
3. User Preferences
4. Machine Preferences

"Use Only Machine Settings" (the user-level entries are skipped)
1. Machine Policies
2. User Policies (ignored)
3. User Preferences (ignored)
4. Machine Preferences
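The precedence rule from the two slides above, as an added example (not the presentation's or Windows' own code): it resolves a zone setting from the four sources in the stated order and, with "Use Only Machine Settings", skips both user-level sources. Source names, setting names and values are constructed; a real resolver would read them from the registry.

```python
# Added example: resolve an IE security-zone setting across the four sources the
# slides name. Not Microsoft code; the setting values below are constructed.
PRECEDENCE = ["machine_policy", "user_policy", "user_preference", "machine_preference"]
# With "Use Only Machine Settings" only the machine-level sources are consulted.
MACHINE_ONLY = ["machine_policy", "machine_preference"]


def resolve(setting, zone, sources, use_only_machine_settings=False):
    """Return (value, source_name) for `setting` in `zone`, or (None, None) if unset.

    `sources` maps a source name to {zone_number: {setting_name: value}}.
    """
    order = MACHINE_ONLY if use_only_machine_settings else PRECEDENCE
    for name in order:
        value = sources.get(name, {}).get(zone, {}).get(setting)
        if value is not None:
            return value, name
    return None, None


def effective_settings(setting_names, zone, sources, use_only_machine_settings=False):
    """Resolve several settings at once; useful when auditing a policy-controlled box."""
    return {s: resolve(s, zone, sources, use_only_machine_settings) for s in setting_names}


# Constructed example for zone 3 (Internet): the user relaxed "script_activex" in
# their preferences, but a machine policy forces it to "disable"; "file_download"
# is set only as a user preference and as a machine preference.
SAMPLE_SOURCES = {
    "machine_policy": {3: {"script_activex": "disable"}},
    "user_policy": {},
    "user_preference": {3: {"script_activex": "enable", "file_download": "prompt"}},
    "machine_preference": {3: {"script_activex": "enable", "file_download": "enable"}},
}

if __name__ == "__main__":
    for flag in (False, True):
        print("use_only_machine_settings =", flag,
              effective_settings(["script_activex", "file_download"], 3, SAMPLE_SOURCES, flag))
```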

Templates
- Pre-defined sets of settings: High, Medium-High, Medium, Medium-Low, Low
- Can be copied into Preferences for a zone: click the "Default level" button in IE Properties
- Not used by Group Policy

Some Things To Know: Local Intranet vs. Trusted Sites
- In IE 6 and earlier: Local Intranet → Medium-Low template; Trusted Sites → Low template
- In IE 7 and 8: Local Intranet → Medium-Low template; Trusted Sites → Medium template

Some Things To Know: Local Intranet vs. Trusted Sites

Mapping Sites to Zones
- Default mappings
- Site to Zone Assignment List: Computer Configuration | Windows Components | Internet Explorer | Internet Control Panel | Security Page
- Proxy Bypass List
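How the three inputs on this slide combine into a zone decision, as an added example (not the presentation's or Internet Explorer's own code). Zone numbers follow the "Security Zones" slide; the rest is assumed for the example: an explicit Site to Zone Assignment entry wins over default mappings (with the most restrictive zone winning when several patterns match), hosts on the proxy bypass list or without dots count as Local Intranet, and everything else is Internet. Host names and lists are constructed.

```python
# Added example: map a URL to an IE security zone from an explicit Site to Zone
# Assignment List, a proxy bypass list, and the default intranet heuristics.
# Not Microsoft code; the ordering and tie-break rules are this example's assumptions.
from fnmatch import fnmatch
from urllib.parse import urlsplit

# Zone numbers from the "Security Zones" slide.
LOCAL_INTRANET, TRUSTED_SITES, INTERNET, RESTRICTED_SITES = 1, 2, 3, 4


def _hostname(url):
    return (urlsplit(url).hostname or "").lower()


def zone_for(url, site_to_zone, proxy_bypass, detect_intranet=True):
    """Return the zone number for `url`.

    site_to_zone: {host_pattern: zone_number}, `*` is a wildcard (e.g. "*.corp.example").
    proxy_bypass: list of host patterns that bypass the proxy.
    """
    host = _hostname(url)
    # 1. Explicit assignments win. Assumption: if several patterns match, take the
    #    most restrictive zone (highest number) rather than trusting a loose wildcard.
    matches = [zone for pattern, zone in site_to_zone.items() if fnmatch(host, pattern.lower())]
    if matches:
        return max(matches)
    # 2. Default mappings: proxy-bypass hosts and dotless names are Local Intranet.
    if detect_intranet:
        if any(fnmatch(host, p.lower()) for p in proxy_bypass):
            return LOCAL_INTRANET
        if host and "." not in host:
            return LOCAL_INTRANET
    # 3. Everything else lands in the Internet zone.
    return INTERNET


# Constructed configuration.
SITE_TO_ZONE = {"*.contoso.example": TRUSTED_SITES, "*.badsite.example": RESTRICTED_SITES}
PROXY_BYPASS = ["*.corp.example", "10.*"]

if __name__ == "__main__":
    for u in ("http://portal/", "http://www.contoso.example/", "http://files.corp.example/",
              "http://10.1.2.3/", "http://evil.badsite.example/", "http://www.news.example/"):
        print(u, "-> zone", zone_for(u, SITE_TO_ZONE, PROXY_BYPASS))
```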

Some Things To Know: The "Lockdown Zones"
- Local Machine Lockdown Zone is the only interesting one
- Introduced in Windows XP SP2
- Makes the LMZ very restrictive until the user approves

Some Things To Know: Viewing Settings on a policy-controlled system

IEZoneAnalyzer

Related Content
- WCL20 – HOL: Deploying Internet Explorer 8 In the Enterprise
- WCL21 – HOL: Preparing for Windows Internet Explorer 8: Application Compatibility
- WCL22 – HOL: Using Accelerators and WebSlices in the Enterprise
- WCL25 – Internet Explorer 8: Build Your Own Search Suggestions Provider
- WCL26 – Internet Explorer 8: Building Web Slices
- WCL27 – Internet Explorer 8: Managing Security Settings in the Enterprise
- WCL28 – Managing Internet Explorer 8 In the Enterprise

References and Resources
- Security Zones: IE blog posts on the FDCC blog, a series of posts explaining security zones and some effects of strict policies
- IEZoneAnalyzer utility
- The Local Intranet Zone and Proxies
- Security Zone registry entries (KB )
- IE blogs (Eric Lawrence)

Internet Explorer Resources
- Internet Explorer Site Engineering Blog: blogs.msdn.com/ie
- Internet Explorer TechNet Site: technet.microsoft.com/ie
- Group Policy Settings for IE
- Desktop Security Guide

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.