Securing Your Browser

Overview -
Why are security settings for web browsers important?
Your web browser is your primary connection to the rest of the internet, and multiple applications may rely on your browser, or elements within your browser, to function. This makes the security settings within your browser even more important. Many web applications try to enhance your browsing experience by enabling different types of functionality, but this functionality might be unnecessary and may leave you susceptible to being attacked. The safest policy is to disable the majority of those features unless you decide they are necessary. If you determine that a site is trustworthy, you can choose to enable the functionality temporarily and then disable it once you are finished visiting the site.

While every application has settings that are selected by default, you may discover that your browser also has predefined security levels that you can select. For example, Internet Explorer offers custom settings that allow you to select a particular level of security; features are enabled or disabled based on your selection. Even with these guides, it is helpful to have an understanding of what the different terms mean so that you can evaluate the features to determine which settings are appropriate for you.

How do you know what your settings should be?
Ideally, you would set your security for the highest level possible. However, restricting certain features may limit some web pages from loading or functioning properly. The best approach is to adopt the highest level of security and only enable features when you require their functionality.

What do the different terms mean?
Different browsers use different terms, but here are some terms and options you may find:

Zones - Your browser may give you the option of putting web sites into different segments, or zones, and allow you to define different security restrictions for each zone.

For example, Internet Explorer identifies the following zones:

Internet - This is the general zone for all public web sites. When you browse the internet, the settings for this zone are automatically applied to the sites you visit. To give you the best protection as you browse, you should set the security to the highest level; at the very least, you should maintain a medium level.

Local intranet - If you are in an office setting that has its own intranet, this zone contains those internal pages. Because the web content is maintained on an internal web server, it is usually safe to have less restrictive settings for these pages. However, some viruses have tapped into this zone, so be aware of what sites are listed and what privileges they are being given.

Trusted sites - If you believe that certain sites are designed with security in mind, and you feel that content from the site can be trusted not to contain malicious materials, you can add them to your trusted sites and apply settings accordingly. You may also require that only sites that implement Secure Sockets Layer (SSL) can be active in this zone. This permits you to verify that the site you are visiting is the site that it claims to be (see Protecting Your Privacy for more information). This is an optional zone but may be useful if you personally maintain multiple web sites or if your organization has multiple sites. Even if you trust them, avoid applying low security levels to external sites—if they are attacked, you might also become a victim.

Restricted sites - If there are particular sites you think might not be safe, you can identify them and define heightened security settings. Because the security settings may not be enough to protect you, the best precaution is to avoid navigating to any sites that make you question whether or not they're safe.

JavaScript - Some web sites rely on web scripts such as JavaScript to achieve a certain appearance or functionality, but these scripts may be used in attacks.

Java and ActiveX controls - These programs are used to develop or execute active content that provides some functionality, but they may put you at risk.

Plug-ins - Sometimes browsers require the installation of additional software known as plug-ins to provide additional functionality. Like Java and ActiveX controls, plug-ins may be used in an attack, so before installing them, make sure that they are necessary and that the site you have to download them from is trustworthy.

You may also find options that allow you to take the following security measures:

Manage cookies - You can disable, restrict, or allow cookies as appropriate. Generally, it is best to disable cookies and then enable them if you visit a site you trust that requires them.

Block pop-up windows - Although turning this feature on could restrict the functionality of certain web sites, it will also minimize the number of pop-up ads you receive, some of which may be malicious.

The steps below will help you make your browser more secure. They should be used in conjunction with other security measures to ensure computer safety and should not be considered a fix-all solution.

Using Internet Explorer 5 or higher -
These instructions apply to Internet Explorer versions 5 or higher; if you are using an earlier version, these instructions may not work correctly. (To determine your software version, from the Help menu, select About Internet Explorer. A dialog box appears with information about your browser, including the version number.) If you are using a version of Internet Explorer lower than version 5, Microsoft recommends that you upgrade to a newer version.

1. Start the Internet Explorer web browser.
2. From the Tools menu select Internet Options. The Internet Options dialog box appears.
3. Select the Security tab. The Security Options panel appears.
4. Click on the picture of the planet labeled "Internet" to select it (it should already be selected).
5. Click the Custom Level button. The Security Settings dialog box appears.
6. Select the Medium option from the pull-down list if it is not already selected.
7. Click the Reset button. A dialog box appears asking if you are sure you want to change the security settings for this zone. Click Yes.
8. You now need to scroll through the settings list and make the additional changes listed in the following steps.
9. For the option "Scripting ActiveX controls marked safe for Scripting," check "Prompt."
10. For the option "Java permissions," check "Disable Java."
Note: If you have Microsoft Virtual Machine installed, this setting will be under the Microsoft VM section. If you do not have a Java permissions setting, Java is already disabled.
11. For the option "Active scripting" under the Scripting section, check "Disable."
12. Click OK to accept these changes. A dialog box appears asking if you are sure you want to make these changes.
13. Click Yes.
14. In the Internet Options dialog box, click the Advanced tab. The Advanced Options panel appears.
15. Under the Security settings, check "Warn if changing between secure and not secure."
16. Click Apply to save your changes.
17. Click OK to close the Internet Options dialog box.
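
The three custom settings from steps 9 through 11 can be checked after the fact from an exported copy of the Internet zone's registry key. The following is an added example, not part of the original instructions: it assumes the zone is stored as zone 3 under the current user's Internet Settings key, with the value names 1405, 1C00 and 1400 for the three options, and the sample export is constructed for illustration.

```python
import re

# Assumption: the Internet zone is zone 3 under the current user's hive.
ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# Value name -> (option label from steps 9-11, expected DWORD, choice to check)
EXPECTED = {
    "1405": ("Scripting ActiveX controls marked safe for scripting", 1, "Prompt"),
    "1C00": ("Java permissions", 0, "Disable Java"),
    "1400": ("Active scripting", 3, "Disable"),
}

# Constructed sample in the text layout of a registry export: scripting is
# still enabled (0) and Java is still at a safety level instead of disabled.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1400"=dword:00000000
"1405"=dword:00000001
"1C00"=dword:00010000
'''

def parse_zone(reg_text, key_suffix=ZONE_KEY):
    """Return {value_name: int} for the DWORD values under the zone key."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # Section header: track whether we are inside the zone key.
            in_key = line.strip("[]").lower().endswith(key_suffix.lower())
        elif in_key:
            m = re.fullmatch(r'"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})', line)
            if m:
                values[m.group(1).upper()] = int(m.group(2), 16)
    return values

def audit(reg_text):
    """List (name, label, found, expected) for each setting that differs.

    A value missing from the export is reported with found=None so that it
    can be reviewed by hand.
    """
    values = parse_zone(reg_text)
    return [(name, label, values.get(name), want)
            for name, (label, want, _choice) in EXPECTED.items()
            if values.get(name) != want]

if __name__ == "__main__":
    for name, label, found, want in audit(SAMPLE_REG):
        print(f"{label} ({name}): found {found!r}, expected {want}")
```

Registry exports are commonly saved as UTF-16 text, so decode the file to a string before passing it to `audit`.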

Using Netscape 3.0 through 6.2.3
These instructions apply primarily to versions of Netscape from 3.0 through 6.2.3. (To determine your software version, from the Help menu, select About Communicator. A page should appear with your version number listed at the top.) If you are using Netscape 7.0 or higher, scroll down for instructions on securing your browser. According to the security announcements supplied by Netscape, it is not necessary to disable Java or JavaScript in versions 7.0 and higher.

1. Start the Netscape Communicator browser.
2. From the Edit menu, select Preferences. The Preferences dialog box appears.
3. From the Category list, click on Advanced. The Advanced Preferences panel appears.
4. Uncheck Enable Java.
5. Uncheck Enable JavaScript.
6. Click OK to accept the changes.
7. Click the Padlock icon in the lower left-hand corner of your browser. The Security Info dialog box appears.
8. Click the Navigator link from the list on the left. The Navigator Security Settings panel appears.
9. In the "Show a warning before:" section, check "Viewing a page with encrypted/unencrypted mix" and "Leaving an encrypted site."
10. Click OK to accept the changes and close the dialog box.


Instructions for Netscape 7.0 and higher
According to the security release posted on Netscape's web site, it should be unnecessary to disable Java or JavaScript in versions 7.0 or higher; however, the instructions to do so are below. Also below are instructions for enabling the pop-up suppressant feature. Steps 7-10 are automatically enabled when Netscape is installed; however, if you would like to check this setting, the instructions to do this are also below.

1. Start the Netscape Communicator browser.
2. From the Edit menu, select Preferences. The Preferences dialog box appears.
3. From the Category list, click on Advanced. The Advanced Preferences panel appears.
4. Uncheck Enable Java.
5. You will now need to expand the Advanced tab by clicking on the triangle next to the word "Advanced."
6. Now click on Scripts & Plugins and the Scripts & Plugins panel appears.
7. Uncheck the box to the left of Navigator to disable JavaScript in the Navigator (Netscape) web browser.
8. To suppress popup windows, expand the Privacy & Security tab by clicking on the triangle next to the words Privacy & Security.
9. Now click on Popup Windows and the Popup Windows panel appears.
10. Click on the radio button (circle) next to Suppress popups and select whether you want your browser to play a sound or display an icon in the Navigator status bar when a popup has been suppressed.
11. Finally, to check your encryption warning settings you will need to click on SSL, still under Privacy and Security settings. The SSL panel will appear.
12. Under SSL Warnings you will see a list of the warnings that will be shown.

