Re: Question about Internet Security Settings
From: Kutulu (kutulu@kutulu.org)Date: 09/21/01
- Previous message: jerryctx: "Re: Question about Internet Security Settings"
- In reply to: S.G.: "Question about Internet Security Settings"
- Next in thread: Adam Shephard: "RE: Question about Internet Security Settings"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-ID: <008a01c142a8$33ea0c00$9f230f0a@educate.com> From: "Kutulu" <kutulu@kutulu.org> To: <sg@cchono.com>, <focus-ms@securityfocus.com> Subject: Re: Question about Internet Security Settings Date: Fri, 21 Sep 2001 10:17:45 -0400
----- Original Message -----
From: "S.G." <sg@cchono.com>
To: <focus-ms@securityfocus.com>
Sent: Friday, September 21, 2001 12:00 AM
Subject: Question about Internet Security Settings
> Is there really a difference between
> signed and unsigned scripts? What would be the best method for
> protecting users from potentially malicious sites without blocking
> them from web access? Thank you.
The only difference between signed and unsigned scripts or ActiveX controls
is that you can tell where they came from. There is some effort and cost
involved in getting a key signed by one of the root certificate authorities
IE recognizes (places like Verisign etc.). Aside from that, nothing
prevents a malicious coder from signing a malicious script or control. You
can be fairly certain of the identity of said person, since that is required
to get a signing key to begin with, but that will only help you after the
fact.
The setup MIS uses here is to set all 'signed' or 'marked safe' options to
"Prompt", and all unsigned options to "Disable". My personal machine has
everything marked as "Prompt", since I know there are a huge number of
totally benign ActiveX controls and scripts that are not signed (due to the
above mentioned costs), but typical users may not be able to tell the
difference. The only down side to this is, it requires users to make
judgement calls regarding which companies they trust. While it's not a big
deal for well-known entities ("Always Trust content from
Microsoft/CNET/Yahoo/whomever" is a safe bet), if they surf other places
they may get controls signed by unknown companies and need to determine if
they should trust them.
Also, depending on how hands-on an admin you want to be, you can require
administrative approval for ActiveX controls (not scripts) to run at all.
One alternative that was tried here, with some mild success, was to set up
the Internet zone at very restrictive settings (disable everything), then
explain to users how to add web sites like microsoft or yahoo to their
trusted zone, and permit signed controls only from that zone. Again, this
requires users to make judgement calls, but theoretically on a more
site-wide basis. We dropped it when it became difficult to train large
numbers of new users how to tell when a site needed to be added, and how to
then go do it, when we really did not want to *encourage* them to surf the
web at work :)
--K
- Previous message: jerryctx: "Re: Question about Internet Security Settings"
- In reply to: S.G.: "Question about Internet Security Settings"
- Next in thread: Adam Shephard: "RE: Question about Internet Security Settings"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
