Hardening Internet Explorer

Resources used to implement and audit Internet Explorer:

Best practices:

IE 11 Hardening Settings / Compliance Checks

Internet Explorer 11 version check
1.1 Set ‘Turn on Enhanced Protected Mode’ to ‘Enabled’
1.2 Set ‘Allow software to run or install even if the signature is invalid’ to ‘Disabled’
1.3 Set ‘Prevent Bypassing SmartScreen Filter Warnings’ to ‘Enabled’
1.4 Set ‘Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet’ to ‘Enabled’
1.5 Configure ‘Do not allow users to enable or disable add-ons’
1.6 Set ‘Disable Save this program to disk option’ to ‘Enabled’
2.1 Set ‘Prevent per-user installation of ActiveX controls’ to ‘Enabled’
2.2 Set ‘Specify use of ActiveX Installer Service for installation of ActiveX controls’ to ‘Enabled’
2.3 Set ‘Turn on ActiveX Filtering’ to ‘Enabled’
2.4 Set ‘Turn off ActiveX opt-in prompt’ to ‘Disabled’
2.5 Set ‘Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled’ to ‘Enabled’
3.1 Configure ‘Prevent deleting websites that the user has visited’
3.2 Configure ‘Prevent Deleting Cookies’
3.3 Set ‘Disable ‘Configuring History’ to ‘Enabled’
3.4 Set ‘Days to keep pages in History’ to ‘40’
3.5 Configure ‘Prevent Deleting Temporary Internet Files’
3.6 Configure ‘Allow deleting browsing history on exit’
3.7 Set ‘Prevent access to Delete Browsing History’ to ‘Enabled’
3.8 Configure ‘Turn off InPrivate Browsing’
4.1 Configure ‘URL to be displayed for updates:’
4.2 Set ‘Update check interval (in days):’ to ‘Enabled:30’
4.3 Configure ‘Automatically check for Internet Explorer updates’
4.4 Configure ‘Install new versions of Internet Explorer automatically’
5.1 Set ‘Turn off Encryption Support’ to ‘Use TLS 1.1 and TLS 1.2’
5.2 Set ‘Check for server certificate revocation’ to ‘Enabled’
5.3 Set ‘Check for signatures on downloaded programs’ to ‘Enabled’
5.4 Set ‘Turn on certificate address mismatch warning’ to ‘Enabled’
5.5 Set ‘Prevent ignoring certificate errors’ to ‘Enabled’
5.6 Set ‘Disable changing certificate settings’ to ‘Enabled’
6.1 Set ‘Turn off browser geolocation’ to ‘Enabled’
6.2 Configure ‘Turn off URL Suggestions’
6.3 Configure ‘Prevent participation in the Customer Experience Improvement Program’
6.4 Configure ‘Turn on Suggested Sites’
7.1 Set ‘Restrict ActiveX Install’ to ‘Enabled’
7.2 Set ‘Scripted Window Security Restrictions’ to ‘Enabled’
7.3 Set ‘Mime Sniffing Safety Feature’ to ‘Enabled’
7.4 Set ‘Notification bar’ to ‘Enabled’
7.5 Set ‘MK Protocol Security Restriction’ to ‘Enabled’
7.6 Set ‘Consistent Mime Handling’ to ‘Enabled’
7.7 Set ‘Restrict File Download’ to ‘Enabled’
7.8 Set ‘Protection From Zone Elevation’ to ‘Enabled’
8.1.1 Set ‘Java permissions’ to ‘Enabled:Disable Java’
8.1.2 Set ‘Allow paste operations via script’ to ‘Enabled:Disable’
8.1.3 Set ‘Protected Mode’ to ‘Enabled:Enable’
8.1.4 Set ‘Turn on Cross-Site Scripting (XSS) Filter’ to ‘Enabled:Enable’
8.1.5 Set ‘Run .NET Framework-reliant components signed with Authenticode’ to ‘Enabled:Disable’
8.1.6 Set ‘Use Pop-up Blocker’ to ‘Enabled:Enable’
8.1.7 Set ‘Scriptlets’ to ‘Enabled:Disable’
8.1.8 Set ‘Only allow approved domains to use ActiveX controls without prompt’ to ‘Enabled:Enable’
8.1.9 Set ‘Allow drag and drop or copy and paste files’ to ‘Enabled:Disable’
8.1.10 Set ‘Run .NET Framework-reliant components not signed with Authenticode’ to ‘Enabled:Disable’
8.1.11 Set ‘Internet Explorer web browser control’ to ‘Enabled:Disable’
8.1.12 Set ‘Download unsigned ActiveX controls’ to ‘Enabled:Disable’
8.1.13 Set ‘Download signed ActiveX controls’ to ‘Enabled:Disable’
8.1.14 Set ‘Allow font downloads’ to ‘Enabled:Disable’
8.1.15 Set ‘Launching programs and unsafe files’ to ‘Enabled:Disable’
8.1.16 Set ‘Automatic prompting for file downloads’ to ‘Enabled:Disable’
8.1.17 Set ‘Allow installation of desktop items’ to ‘Enabled:Disable’
8.1.18 Set ‘XAML Files’ to ‘Enabled:Disable’
8.1.19 Set ‘Initialize and script ActiveX controls not marked as safe’ to ‘Enabled:Disable’
8.1.20 Set ‘Enable MIME Sniffing’ to ‘Enabled:Enable’
8.1.21 Set ‘Logon options’ to ‘Enabled:Prompt for user name and password’
8.1.22 Set ‘Access data sources across domains’ to ‘Enabled:Disable’
8.1.23 Set ‘Status bar updates via script’ to ‘Enabled:Enable’
8.1.24 Set ‘Include local directory path when uploading files to a server’ to ‘Enabled:Disable’
8.1.25 Set ‘Userdata persistence’ to ‘Enabled:Disable’
8.1.26 Set ‘Enable dragging of content from different domains within a window’ to ‘Enabled:Disable’
8.1.27 Set ‘Navigate windows and frames across different domains’ to ‘Enabled:Disable’
8.1.28 Set ‘Enable dragging of content from different domains across windows’ to ‘Enabled:Disable’
8.1.29 Set ‘Allow script-initiated windows without size or position constraints’ to ‘Enabled:Disable’
8.1.30 Set ‘Launching applications and files in an IFRAME’ to ‘Enabled:Disable’
8.1.31 Set ‘Software channel permissions’ to ‘Enabled:High safety’
8.1.32 Configure ‘First-Run Opt-In’
8.1.33 Set ‘Web sites in less privileged Web content zones can navigate into this zone’ to ‘Enabled:Disable’
8.1.34 Set ‘Don’t run antimalware programs against ActiveX controls’ to ‘Enabled:Disabled’
8.2.1 Set ‘Java permissions’ to ‘Enabled:High safety’
8.2.2 Set ‘Initialize and script ActiveX controls not marked as safe’ to ‘Enabled:Disable’
8.2.3 Set ‘Intranet Sites: Include all network paths (UNCs)’ to ‘Disabled’
8.2.4 Set ‘Don’t run antimalware programs against ActiveX controls’ to ‘Enabled:Disabled’
8.3.1 Set ‘Java permissions’ to ‘Enabled:Disable Java’
8.3.2 Set ‘Allow drag and drop or copy and paste files’ to ‘Enabled:Disable’
8.3.3 Set ‘Download signed ActiveX controls’ to ‘Enabled:Disable’
8.3.4 Set ‘Script ActiveX controls marked safe for scripting’ to ‘Enabled:Disable’
8.3.5 Set ‘Allow active scripting’ to ‘Enabled:Disable’
8.3.6 Set ‘Turn on Cross-Site Scripting (XSS) Filter’ to ‘Enabled:Enable’
8.3.7 Set ‘Initialize and script ActiveX controls not marked as safe’ to ‘Enabled:Disable’
8.3.8 Set ‘Run .NET Framework-reliant components signed with Authenticode’ to ‘Enabled:Disable’
8.3.9 Set ‘Allow paste operations via script’ to ‘Enabled:Disable’
8.3.10 Set ‘Protected Mode’ to ‘Enabled:Enable’
8.3.11 Set ‘Allow installation of desktop items’ to ‘Enabled:Disable’
8.3.12 Set ‘Launching programs and unsafe files’ to ‘Enabled:Prompt’
8.3.13 Set ‘Automatic prompting for file downloads’ to ‘Enabled:Disable’
8.3.14 Set ‘XAML Files’ to ‘Enabled:Disable’
8.3.15 Set ‘Allow font downloads’ to ‘Enabled:Disable’
8.3.16 Set ‘Enable MIME Sniffing’ to ‘Enabled:Enable’
8.3.17 Set ‘Internet Explorer web browser control’ to ‘Enabled:Disable’
8.3.18 Set ‘Allow Binary and Script Behaviors’ to ‘Enabled:Disable’
8.3.19 Set ‘Scripting of Java applets’ to ‘Enabled:Disable’
8.3.20 Set ‘Use Pop-up Blocker’ to ‘Enabled:Enable’
8.3.21 Set ‘Download unsigned ActiveX controls’ to ‘Enabled:Disable’
8.3.22 Set ‘Scriptlets’ to ‘Enabled:Disable’
8.3.23 Set ‘Allow file downloads’ to ‘Enabled:Disable’
8.3.24 Set ‘Only allow approved domains to use ActiveX controls without prompt’ to ‘Enabled:Enable’
8.3.25 Set ‘Use SmartScreen Filter’ to ‘Enabled:Enable’
8.3.26 Set ‘Run ActiveX controls and plugins’ to ‘Enabled:Disable’
8.3.27 Set ‘Run .NET Framework-reliant components not signed with Authenticode’ to ‘Enabled:Disable’
8.3.28 Set ‘Logon options’ to ‘Enabled:Anonymous logon’
8.3.29 Set ‘Allow script-initiated windows without size or position constraints’ to ‘Enabled:Disable’
8.3.30 Set ‘Allow META REFRESH’ to ‘Enabled:Disable’
8.3.31 Set ‘Userdata persistence’ to ‘Enabled:Disable’
8.3.32 Set ‘Navigate windows and frames across different domains’ to ‘Enabled:Disable’
8.3.33 Set ‘Software channel permissions’ to ‘Enabled:High safety’
8.3.34 Set ‘Include local directory path when uploading files to a server’ to ‘Enabled:Disable’
8.3.35 Set ‘Enable dragging of content from different domains within a window’ to ‘Enabled:Disable’
8.3.36 Set ‘Status bar updates via script’ to ‘Enabled:Enable’
8.3.37 Set ‘Access data sources across domains’ to ‘Enabled:Disable’
8.3.38 Set ‘Web sites in less privileged Web content zones can navigate into this zone’ to ‘Enabled:Disable’
8.3.39 Configure ‘First-Run Opt-In’
8.3.40 Set ‘Enable dragging of content from different domains across windows’ to ‘Enabled:Disable’
8.3.41 Set ‘Launching applications and files in an IFRAME’ to ‘Enabled:Disable’
8.3.42 Set ‘Don’t run antimalware programs against ActiveX controls’ to ‘Enabled:Disabled’
8.4.1 Set ‘Java permissions’ to ‘Enabled:Disable Java’
8.4.2 Set ‘Use SmartScreen Filter’ to ‘Enabled:Enable’
8.4.3 Set ‘Don’t run antimalware programs against ActiveX controls’ to ‘Enabled:Disabled’
8.5.1 Set ‘Java permissions’ to ‘Enabled:High safety’
8.5.2 Set ‘Initialize and script ActiveX controls not marked as safe’ to ‘Enabled:Disable’
8.5.3 Set ‘Don’t run antimalware programs against ActiveX controls’ to ‘Enabled:Disabled’
8.6.1 Set ‘Use SmartScreen Filter’ to ‘Enabled:Enable’
8.6.2 Set ‘Only allow approved domains to use ActiveX controls without prompt’ to ‘Enabled:Enable’
8.7.1 Set ‘Java permissions’ to ‘Enabled:Disable Java’
8.7.2 Set ‘Use SmartScreen Filter’ to ‘Enabled:Enable’
8.8.1 Set ‘Java permissions’ to ‘Enabled:Disable Java’
8.8.2 Set ‘Only allow approved domains to use ActiveX controls without prompt’ to ‘Enabled:Enable’
8.8.3 Set ‘Use SmartScreen Filter’ to ‘Enabled:Enable’
8.9.1 Set ‘Java permissions’ to ‘Enabled:Disable Java’
8.9.2 Set ‘Use SmartScreen Filter’ to ‘Enabled:Enable’
8.10.1 Set ‘Java permissions’ to ‘Enabled:Disable Java’
8.10.2 Set ‘Use SmartScreen Filter’ to ‘Enabled:Enable’
8.11 Set ‘Security Zones: Do not allow users to change policies’ to ‘Enabled’
8.12 Set ‘Security Zones: Do not allow users to add/delete sites’ to ‘Enabled’
8.13 Set ‘Security Zones: Use only machine settings’ to ‘Enabled’
9.1 Set ‘Disable the Security page’ to ‘Enabled’
9.2 Set ‘Disable the Advanced page’ to ‘Enabled’
9.3 Set ‘Prevent downloading of enclosures’ to ‘Enabled’
9.4 Set ‘Turn on Basic feed authentication over HTTP’ to ‘Not Configured’
9.5 Configure ‘Make proxy settings per-machine (rather than per-user)’
9.6 Configure ‘Do not display the reveal password button’
9.7 Set ‘Prevent changing proxy settings’ to ‘Enabled’
9.8 Configure ‘Disable changing Automatic Configuration settings’
9.9 Set ‘Prevent ‘Fix settings’ functionality’ to ‘Disabled’
9.10 Set ‘Turn off the Security Settings Check feature’ to ‘Disabled’
9.11 Configure ‘Disable changing connection settings’
9.12 Set ‘Turn off Crash Detection’ to ‘Enabled’
9.13 Set ‘Disable AutoComplete for forms’ to ‘Enabled’
9.14 Set ‘Turn on the auto-complete feature for user names and passwords on forms’ to ‘Disabled’
9.15 Set ‘Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows’ to ‘Enabled’
Vulnerabilities:

Nessus:

Nessus Plugins for Internet Explorer