Configure Internet Browser security options according to organizational standards.
CONTROL ID 02166
CONTROL TYPE Configuration
CLASSIFICATION Preventive
SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
Establish, implement, and maintain system hardening procedures., CC ID: 12001
This Control has the following implementation support Control(s):
Configure the "Internet Explorer Maintenance Policy Processing - Allow processing across a slow network connection" setting., CC ID: 04910
Configure the "Disable Internet Connection wizard" setting., CC ID: 02242
Configure the "Disable Automatic Install of Internet Explorer components" setting., CC ID: 04337
Configure the "Disable Periodic Check for Internet Explorer software updates" setting., CC ID: 04338
Configure the "Do not allow users to enable or disable add-ons" setting in Internet Explorer properly., CC ID: 04340
Configure the "Turn off Crash Detection" setting in Internet Explorer properly., CC ID: 04345
Configure the "internet explorer processes (mk protocol)" setting., CC ID: 04347
Configure the "internet explorer processes (consistent MIME handling)" setting., CC ID: 04348
Configure the "internet explorer processes (MIME sniffing)" setting., CC ID: 04349
Configure the "Internet Explorer Processes (Restrict ActiveX Install)" setting., CC ID: 04352
Configure the "internet explorer processes (restrict file download)" setting., CC ID: 04353
Configure the "Deny all add-ons unless specifically allowed in the Add-on List" setting., CC ID: 04354
Configure the "Disable Save this program to disk option" setting in limited functionality environments properly., CC ID: 04366
Configure the "Disable the Advanced Page" setting in limited functionality environments., CC ID: 04367
Configure the "Disable the Security Page" setting in limited functionality environments properly., CC ID: 04368
Configure the "Disable adding channels" setting in Internet Explorer properly., CC ID: 04369
Configure the "Disable adding schedules for offline pages" setting., CC ID: 04370
Configure the "Disable all scheduled offline pages" setting., CC ID: 04371
Configure the "Disable channel user interface completely" setting., CC ID: 04372
Configure the "Disable downloading of site subscription content" setting., CC ID: 04373
Configure the "Disable editing and creating of schedule groups" setting., CC ID: 04374
Configure the "Disable editing schedules for offline pages" setting., CC ID: 04375
Configure the "Disable offline page hit logging" setting., CC ID: 04376
Configure the "Disable removing channels" setting., CC ID: 04377
Configure the "Disable removing schedules for offline pages" setting., CC ID: 04378
Configure the "Disable 'Configuring History'" setting in specialized security environments properly., CC ID: 04405
Configure the "Disable AutoComplete for forms" setting in limited functionality environments properly., CC ID: 04406
Configure the "Prevent 'fix settings' functionality" setting in limited functionality environments properly., CC ID: 04407
Configure the "Prevent deletion of 'Temporary Internet Files and Cookies'" setting in limited functionality environments properly., CC ID: 04408
Configure the "Turn Off 'Delete Browsing History' Functionality" setting in limited functionality environments properly., CC ID: 04409
Configure the "Turn off the Security Settings Check feature" setting in limited functionality environments properly., CC ID: 04410
Configure the "Prevent ignoring certificate errors" setting in limited functionality environments properly., CC ID: 04411
Configure the "allow install on demand (Internet Explorer)" setting in limited functionality environments properly., CC ID: 04412
Configure the "Check for server certificate revocation" setting in limited functionality environments properly., CC ID: 04413
Configure the "Access data sources across domains" setting., CC ID: 04415
Configure the "Allow active scripting" setting in limited functionality environments properly., CC ID: 04416
Configure the "Allow binary and script behaviors" setting in limited functionality environments properly., CC ID: 04417
Configure the "Allow cut, copy, or paste operations from the clipboard via script" setting., CC ID: 04418
Configure the "Allow drag and drop or copy and paste files" setting., CC ID: 04419
Configure the "Allow file downloads" setting in limited functionality environments properly., CC ID: 04420
Configure the "Allow font downloads" setting in limited functionality environments properly., CC ID: 04421
Configure the "Allow installation of desktop items" setting in limited functionality environments properly., CC ID: 04422
Configure the "Allow META REFRESH" setting in limited functionality environments properly., CC ID: 04423
Configure the "Allow script-initiated windows without size or position constraints" setting in limited functionality environments properly., CC ID: 04424
Configure the "Allow status bar updates via script" setting in limited functionality environments properly., CC ID: 04425
Configure the "Automatic prompting for file downloads" setting in limited functionality environments properly., CC ID: 04426
Configure the "Download signed ActiveX controls" setting in limited functionality environments properly., CC ID: 04427
Configure the "Download unsigned ActiveX controls" setting in limited functionality environments properly., CC ID: 04428
Configure the "Initialize and script ActiveX controls not marked as safe" setting in limited functionality environments properly., CC ID: 04429
Configure the "Java permissions" setting in limited functionality environments properly., CC ID: 04430
Configure the "Launching applications and files in an IFRAME" setting in limited functionality environments properly., CC ID: 04431
Configure the "Logon Options" setting in limited functionality environments., CC ID: 04432
Configure the "Navigate sub-frames across different domains" setting in limited functionality environments properly., CC ID: 04433
Configure the "Open file based on content, not on file extension" setting in limited functionality environments properly., CC ID: 04434
Configure the "Run .NET Framework-reliant components not signed with Authenticode" setting in limited functionality environments properly., CC ID: 04435
Configure the "Run .NET Framework-reliant components signed with Authenticode" setting in limited functionality environments properly., CC ID: 04436
Configure the "Run ActiveX controls and plugins" setting in limited functionality environments properly., CC ID: 04437
Configure the "Script ActiveX controls marked safe for scripting" setting in limited functionality environments properly., CC ID: 04438
Configure the "Scripting of Java applets" setting in limited functionality environments properly., CC ID: 04439
Configure the "Software channel permissions" setting in limited functionality environments properly., CC ID: 04440
Configure the "Use Pop-up Blocker" setting in limited functionality environments properly., CC ID: 04441
Configure the "Web sites in less privileged Web content zones could navigate into this zone" setting in limited functionality environments properly., CC ID: 04442
Configure the .NET Framework to prevent unauthorized mobile code from executing., CC ID: 04531
Configure the "Turn off changing the URL to be displayed for checking updates to Internet Explorer and Internet Tools" setting., CC ID: 04644
Configure the "Prevent performance of first run customize settings" setting., CC ID: 04645
Configure the "Allow Scriptlets" setting in limited functionality environments properly., CC ID: 02237
Configure the "Disable showing the splash screen" setting., CC ID: 02238
Configure the "Add-on List" setting., CC ID: 02239
Configure the "Loose XAML" setting in limited functionality environments properly., CC ID: 02240
Configure the "Disable the Privacy page" setting., CC ID: 02241
Configure the "XPS documents" setting in limited functionality environments properly., CC ID: 02243
Configure the "Turn off Managing Phishing filter" setting., CC ID: 02244
Configure the "Turn on Protected Mode" setting in limited functionality environments properly., CC ID: 02245
Configure the "Userdata persistence" setting in limited functionality environments properly., CC ID: 02246
Configure the "Display mixed content" setting in limited functionality environments properly., CC ID: 02247
Configure the "Check for signature on download programs" setting., CC ID: 02250
Configure the "Turn on the Internet Connection Wizard Auto Detect" setting., CC ID: 02252
Configure the "Web Browser Applications" setting for the Restricted Sites Zone properly., CC ID: 02254
Configure the "Turn off page transitions" setting., CC ID: 02255
Configure the "Turn off configuring the update check interval (in days)" setting., CC ID: 02257
Configure the "Web Browser Applications" setting for the Internet Zone properly., CC ID: 02259
Configure the "Turn Off First-Run Opt-In" setting in limited functionality environments properly., CC ID: 02261
Configure the "Do not allow resetting Internet Explorer settings" setting., CC ID: 02262
Configure the "Enable third-party browser extensions" setting., CC ID: 02263
Configure the "Disable the reset Web settings feature" setting., CC ID: 02264
Configure the "Disable external branding of Internet Explorer" setting., CC ID: 02266
Configure the "Enable Native XMLHttp Support" setting., CC ID: 02267
Configure the "Site to Zone Assignment List" to organizational standards., CC ID: 08650
Configure the "Notification bar" setting to organizational standards., CC ID: 10008
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
Web browsers are configured to block or disable support for Flash content. (Security Control: 1484; Revision: 1, Australian Government Information Security Manual)
Web browsers are configured to block web advertisements. (Security Control: 1485; Revision: 0, Australian Government Information Security Manual)
Web browsers are configured to block Java from the internet. (Security Control: 1486; Revision: 0, Australian Government Information Security Manual)
The organization should consider blocking cookies and client-side active content (Java and ActiveX). If cookies are allowed, the organization should limit the life of the cookies to the current session. Files downloaded from external websites should be blocked from running automatically. (§ 3.5.41 thru § 3.5.43, Australian Government ICT Security Manual (ACSI 33))
The following preferences should be set for Safari: Auto Fill options should be disabled, cookies should be disabled and existing cookies removed, and private browsing should be enabled. When the user has finished viewing web pages and is not online, the cache should be emptied. (Pg 114, Mac OS X Security Configuration for version 10.4 or later, second edition, Second Edition)
The unauthorized disclosure of information about system configuration (that could be useful to hackers) should be prevented by preventing source code of server-side executables and scripts from being viewed by a web browser. (CF.04.02.05c, The Standard of Good Practice for Information Security)
Web application sessions should be protected against being hijacked or cloned by configuring the security parameters in 'cookies' used to hold session information. (CF.04.02.06b, The Standard of Good Practice for Information Security)
Mobile devices that require access to the Internet (typically using web browser software) should route web browser traffic via a web proxy server. (CF.14.03.06b, The Standard of Good Practice for Information Security)
Mobile web browser software should be configured to limit the caching of information. (CF.14.03.07b, The Standard of Good Practice for Information Security)
Mobile web browser software should be configured to restrict pop-up windows. (CF.14.03.07c, The Standard of Good Practice for Information Security)
Mobile web browser software should be configured to enable the web browser's privacy mode (or equivalent) to stop the browser storing authentication information, such as passwords or tracking information. (CF.14.03.07d, The Standard of Good Practice for Information Security)
The unauthorized disclosure of information about system configuration (that could be useful to hackers) should be prevented by preventing source code of server-side executables and scripts from being viewed by a web browser. (CF.04.02.05c, The Standard of Good Practice for Information Security, 2013)
Web application sessions should be protected against being hijacked or cloned by configuring the security parameters in 'cookies' used to hold session information. (CF.04.02.06b, The Standard of Good Practice for Information Security, 2013)
Mobile devices that require access to the Internet (typically using web browser software) should route web browser traffic via a web proxy server. (CF.14.03.06b, The Standard of Good Practice for Information Security, 2013)
Mobile web browser software should be configured to limit the caching of information. (CF.14.03.07b, The Standard of Good Practice for Information Security, 2013)
Mobile web browser software should be configured to restrict pop-up windows. (CF.14.03.07c, The Standard of Good Practice for Information Security, 2013)
Mobile web browser software should be configured to enable the web browser's privacy mode (or equivalent) to stop the browser storing authentication information, such as passwords or tracking information. (CF.14.03.07d, The Standard of Good Practice for Information Security, 2013)
The organization must prohibit persistent cookies, unless prior approval has been obtained in writing from the CMS SSG. (CSR 10.6.3, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
These requirements are for all Internet browsers. The system administrator should ensure the browser is capable of 128-bit encryption, the software update feature is not enabled, JavaScript and Java are disabled, the home page should be the local site home page or a blank page, it is a supported ver… (§ 4.6, Defense Information Systems Agency UNIX Security Technical Implementation Guide Version 5 Release 1, Version 5, Release 1)
Web browsers must be configured in accordance with the Desktop Application STIG. Cookies must be disabled or accepted only from the originating web site. Unsigned ActiveX, Windows Scripting Host, and Shell Scripts must not be allowed to be executed, unless they are from a trusted source and are sign… (§ 5.3, App D, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1 Release 2)
Broadband or high-speed connections used for Remote Access, Mobile Access and Telework introduce a greater risk of an attack compared to dial-up connections, since users are connected for much longer periods and these connections often use static IP addresses provided by Internet Service Providers … (§ 2.3, DISA Secure Remote Computing Security Technical Implementation Guide, Version 2, Release 1)
Computer-wide, rather than per-user, assignment of sites to zones for Internet Explorer should be enabled or disabled as appropriate.
Technical Mechanisms:
GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Site to … (CCE-4763-9, Common Configuration Enumeration List, Combined XML: Internet Explorer 7, 5.20130214)
The "Site to Zone Assignment List" machine setting should be configured correctly.
Technical Mechanisms:
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Site to Zone Assignment List
HKEY_LOCAL_MACHINE\Software\Policies\Micros… (CCE-15815-4, Common Configuration Enumeration List, Combined XML: Microsoft Internet Explorer 8, 5.20130214)
If the RP is using a front-channel presentation mechanism, as defined in Section 7.2 (e.g., the OpenID Connect Implicit Client profile or the SAML Web SSO profile), it SHALL require FAL2 or greater in order to protect the information in the assertion from disclosure to the browser or other parties i… (4 ¶ 6, Digital Identity Guidelines: Federation and Assertions, NIST SP 800-63C)
Computer-wide, rather than per-user, assignment of sites to zones for Internet Explorer should be enabled or disabled as appropriate. (oval:gov.nist.fdcc.ie7:def:9998, FDCC Windows IE7 SCAP content using OVAL (fdcc-ie7-oval.xml, fdcc-ie7-patches.xml), Version 5.4)
Site to Zone Assignment List (site_to_zone_assignment_list_local_computer, NIST SCAP Microsoft Internet Explorer Version 7 (fdcc-ie7-xccdf.xml), FDCC IE7 (1.2) SCAP Content - OVAL 5.4)