Browser & Email Security
There are two main considerations when securing web browsers and email programs. The first is security threats from the Internet, and the second is security threats from the user. Both web browsers and email programs must be protected from viruses and other potentially harmful threats and vulnerabilities that come from the Internet. This can be done through virus protection programs, configuration settings, and careful program selection. Especially on public access workstations, web browsers and email programs can also be locked down through third-party applications and configuration settings. This prevents intentional or unintentional damage caused by overly curious or malicious patrons.
Menu and Toolbar Customization
Similar to Microsoft Office applications, Internet Explorer 5.5 and above allow you to fully customize the button toolbar but not the menu bar. The menu bar can be partially restricted through policies. For a more thorough discussion of securing Internet Explorer (version 5 onward) see this Microsoft TechNet library article.
IE policies allow you to control many features, but you are limited in which menu items you can restrict. It is often necessary to use third-party applications to fully lock down Internet Explorer. Some of the features Internet Explorer policies allow you to control are:
- Menu restrictions
- Custom toolbars, logo, bitmaps, and browser title
- Connection settings
- Security zone and content rating settings
Internet Explorer can be run in a special mode called "Kiosk" mode. The command line for running this mode is "iexplore.exe -k". This mode fully eliminates the menus, toolbars, address bar, and status bar. It is intended for kiosks that only need to present a browser interface. Any function the user is supposed to be able to reach must therefore be linked from IE's opening web page.
Microsoft Internet Explorer offers different security settings depending on what sites you are visiting. Sites are divided into zones: Internet (anything outside your firewall or on a different subnet) and Intranet (anything on your local subnet). Depending on which zone a site falls in, you can specify various security settings; probably the most important is controlling how Java and ActiveX content is run. Internet Explorer also gives you the ability to allow or disallow visiting particular sites in a particular zone.
Because Firefox has several different versions in common use and is open source, it is hard to discuss Firefox lockdown methods comprehensively.
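As an added example (not code from the original page or from Microsoft), the following Python script generates a .reg file that applies the kind of lockdown described above: the menu and Internet Options restrictions go under the Internet Explorer policy keys, the ActiveX, Java and active scripting settings go under the Internet zone (zone 3) key, and a site-to-zone mapping places a named host in the Trusted sites zone. The registry paths and value names are the ones Internet Explorer's Group Policy and zone settings are stored under; the host name catalog.example, the start URL and the particular set of restrictions chosen are assumptions for illustration. The resulting file is applied on the workstation with regedit /s.

```python
"""Generate a .reg file with Internet Explorer lockdown settings for a
public-access workstation (added example; host name and the chosen
restrictions are illustrative assumptions). Apply with: regedit /s ie_lockdown.reg
"""
from pathlib import Path

# Policy keys: Group Policy "Browser menus" and "Internet Control Panel" restrictions.
RESTRICTIONS_KEY = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions"
CONTROL_PANEL_KEY = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel"
# Per-zone security settings and site-to-zone assignments.
ZONES_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
ZONEMAP_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"

ZONE_INTRANET, ZONE_TRUSTED, ZONE_INTERNET, ZONE_RESTRICTED = 1, 2, 3, 4

# URL action value names inside a zone key and the settings they take.
ACTION_RUN_ACTIVEX = "1200"        # Run ActiveX controls and plug-ins
ACTION_ACTIVE_SCRIPTING = "1400"   # Active scripting
ACTION_JAVA = "1C00"               # Java permissions (0 = disable Java)
ENABLE, PROMPT, DISABLE = 0, 1, 3  # settings for actions 1200 and 1400
JAVA_DISABLED = 0

# Menu items removed on the locked-down workstation (1 = restricted).
MENU_RESTRICTIONS = {
    "NoBrowserOptions": 1,      # Tools > Internet Options
    "NoBrowserSaveAs": 1,       # File > Save As
    "NoFileOpen": 1,            # File > Open
    "NoViewSource": 1,          # View > Source
    "NoBrowserContextMenu": 1,  # right-click menu
    "NoSelectDownloadDir": 1,   # no choosing a download folder
}
# Internet Options tabs and settings hidden from the patron (1 = locked).
CONTROL_PANEL_RESTRICTIONS = {
    "HomePage": 1, "SecurityTab": 1, "ConnectionsTab": 1, "AdvancedTab": 1,
}


def internet_zone_settings(allow_scripting: bool = False) -> dict:
    """ActiveX and Java off in the Internet zone; scripting off unless needed."""
    return {
        ACTION_RUN_ACTIVEX: DISABLE,
        ACTION_ACTIVE_SCRIPTING: ENABLE if allow_scripting else DISABLE,
        ACTION_JAVA: JAVA_DISABLED,
    }


def build_lockdown(trusted_hosts=(), allow_scripting: bool = False) -> dict:
    """Map registry key -> {value name: DWORD} for the whole lockdown."""
    sections = {
        RESTRICTIONS_KEY: dict(MENU_RESTRICTIONS),
        CONTROL_PANEL_KEY: dict(CONTROL_PANEL_RESTRICTIONS),
        f"{ZONES_KEY}\\{ZONE_INTERNET}": internet_zone_settings(allow_scripting),
    }
    for host in trusted_hosts:
        # "*" covers every scheme; use "http" or "https" to limit it to one.
        sections[f"{ZONEMAP_KEY}\\{host}"] = {"*": ZONE_TRUSTED}
    return sections


def reg_dword(name: str, value: int) -> str:
    """One .reg value line; DWORDs are written as eight hex digits."""
    return f'"{name}"=dword:{value:08x}'


def render_reg(sections: dict) -> str:
    """Serialize the sections in .reg file syntax (CRLF line endings)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, values in sections.items():
        lines.append(f"[{key}]")
        lines.extend(reg_dword(n, v) for n, v in values.items())
        lines.append("")
    return "\r\n".join(lines)


def kiosk_command(start_url: str) -> list:
    """Kiosk-mode command line; the start page must link to everything patrons may use."""
    return ["iexplore.exe", "-k", start_url]


if __name__ == "__main__":
    text = render_reg(build_lockdown(trusted_hosts=["catalog.example"]))
    # regedit expects version 5.00 files as UTF-16 with a byte-order mark.
    Path("ie_lockdown.reg").write_text(text, encoding="utf-16")
    print(text)
    print(" ".join(kiosk_command("http://catalog.example/start")))
```

Writing the settings to a file rather than directly into the registry keeps the lockdown reviewable and repeatable across a room of workstations; the same values could equally be set through Group Policy, which stores them under the same keys.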
One excellent place to start to explore options for securing Firefox is Mozilla's Firefox Privacy & Security Add-Ons page.
There are many different email clients out there, so going into client-specific detail is beyond the scope of this overview. But the basics of email security apply to all:
- Install all updates to your email client as soon as they are released
- Use anti-virus software AND keep it up-to-date!
- Don't download attachments that come from unknown sources (watch out especially for files using the extensions BAT, COM, EXE, or PIF)
- Don't share your email password!
- If you use webmail, always log in using HTTPS and be sure to log out when you're done!
HTML Enabled Email Clients
Because most people have become wary of opening file attachments, viruses are now frequently deployed as scripts. In order to display email written in HTML (the language of the web), most email clients integrate with a web browser. Web browsers run Java applets and ActiveX content, which can make the client vulnerable. To address this and other issues, different email clients provide various security options. There are too many client-specific issues to list them all; here are some ways to address a few of the major issues concerning security and email clients.
Mail Filtering Services
An excellent way to protect yourself from email-borne viruses is to subscribe to an email filtering service. Instead of your client receiving emails directly, they are first processed by a filtering service that scours every email for viruses or inappropriate content. It is up to the service to stay protected against the latest viruses, relieving the user of that burden. Because they are usually large services with many resources, they can stay protected against the latest viruses faster than an individual user. An example of an email filtering service is Mail Watch, http://www.mailwatch.com.
A security consideration independent of viruses is privacy. Although it's unlikely, it's possible for someone to intercept email sent or received over the Internet and read its contents. Encryption is a tool that allows you to "lock" your email so that it is very difficult for anyone without the key to the lock to read it. There are various encryption methods. They all involve giving the recipient some kind of key so that emails can be "unlocked" and read. The two main encryption methods are:
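As an added example that is not part of the original page and not the code of any filtering service, the Python script below performs, on one constructed message, the screening that the attachment advice above and a mail filtering service provide: it parses the message with the standard library email module, flags attachments whose final extension is one the list names (BAT, COM, EXE, PIF; SCR, VBS and JS are added here as further script carriers), notes double extensions such as statement.pdf.exe, and flags HTML bodies carrying script, object, applet, embed or iframe tags that a browser-backed mail client would execute. The sample message, its addresses and its attachment are constructed for the example.

```python
"""Screen an email for the attachment types and HTML active content discussed
above. Added example; the sample message below is constructed, not real mail."""
import re
from email import message_from_bytes

# Extensions from the list above, plus SCR, VBS and JS (added here; also script carriers).
BLOCKED_EXTENSIONS = {"bat", "com", "exe", "pif", "scr", "vbs", "js"}

# HTML tags through which a browser-backed mail client runs code or loads plug-ins.
ACTIVE_CONTENT = re.compile(r"<\s*(script|object|applet|embed|iframe)\b", re.IGNORECASE)

# Constructed sample: an HTML body with a script and an ActiveX object tag,
# plus an attachment whose double extension hides the real file type.
SAMPLE_MESSAGE = b"""\
From: sender@example.net
To: patron@library.example
Subject: Your statement
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body><p>See attached.</p>
<script>window.open("http://example.net/x")</script>
<object classid="clsid:PLACEHOLDER"></object>
</body></html>
--b1
Content-Type: application/octet-stream; name="statement.pdf.exe"
Content-Disposition: attachment; filename="statement.pdf.exe"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--b1--
"""


def attachment_findings(filename: str) -> list:
    """Flag an attachment by its final extension; note a disguising double extension."""
    exts = filename.lower().split(".")[1:]
    if not exts or exts[-1] not in BLOCKED_EXTENSIONS:
        return []
    finding = f"executable attachment '{filename}' (.{exts[-1]})"
    if len(exts) > 1:
        finding += ", disguised with a double extension"
    return [finding]


def html_findings(html: str) -> list:
    """List the active-content tags present in an HTML body, one finding per tag type."""
    tags = sorted({m.group(1).lower() for m in ACTIVE_CONTENT.finditer(html)})
    return [f"active content in HTML body: <{tag}>" for tag in tags]


def scan_message(raw: bytes) -> list:
    """Walk every MIME part and collect findings for attachments and HTML bodies."""
    findings = []
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            findings.extend(attachment_findings(filename))
        elif part.get_content_type() == "text/html":
            body = part.get_payload(decode=True)
            charset = part.get_content_charset() or "utf-8"
            findings.extend(html_findings(body.decode(charset, "replace")))
    return findings


def filter_decision(findings: list) -> str:
    """A filtering service holds anything with findings instead of delivering it."""
    return "quarantine" if findings else "deliver"


if __name__ == "__main__":
    results = scan_message(SAMPLE_MESSAGE)
    for line in results:
        print(line)
    print("decision:", filter_decision(results))
```

The check looks only at the declared file name and the HTML tags, which is exactly the gap a signature-based anti-virus scanner fills; a real filtering service combines both, and the extension check is why a double extension like statement.pdf.exe is worth calling out separately.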
- Conventional ("password") encryption
- Public key encryption
  - PGP ("Pretty Good Privacy") is the de facto standard for public key encryption of email
For more information about email encryption and why it's a good idea, read this about.com article.