Library Computer and Network Security: Workstation Security - Browser & E-mail Security

Overview

There are two main considerations when securing web browsers and email programs: threats that arrive from the Internet, and threats that originate with the user. Both web browsers and email programs must be protected from viruses and other harmful content, and from the vulnerabilities that such content exploits. This is done through anti-virus software, configuration settings, and the choice of program. On public access workstations in particular, web browsers and email programs can be locked down with third party applications and configuration settings, which prevents intentional or unintentional damage by overly curious or malicious patrons.

Internet Explorer

Menu and Toolbar Customization

Like the Microsoft Office applications, Internet Explorer 5.5 and above lets you fully customize the button toolbar but not the menu bar. The menu bar can be partially restricted through policies.

Policies

IE policies allow you to control many features, but they are limited when it comes to restricting menu items, so it is often necessary to use third party applications to fully lock down Internet Explorer. Some of the features Internet Explorer policies let you control are:

  1. Menu restrictions
  2. Custom toolbars, logo, bitmaps, and browser title
  3. Connection settings
  4. Security zone and content rating settings

Kiosk Mode

Internet Explorer can be run in a special "Kiosk" mode with the command line "iexplore.exe -k". This mode runs the browser full screen and removes the menus, toolbars, address bar, and status bar. It is intended for kiosks that only need a browser interface. Because the user has no navigation controls, every function the user is supposed to be able to use (moving between pages, returning to the start page) must be provided as links on IE's opening web page. Note that keyboard shortcuts such as Ctrl+O (open an address) and Alt+F4 (close the window) still work in kiosk mode, so they must be disabled separately through policies or a third party lockdown tool.

Security Settings

Microsoft Internet Explorer applies different security settings depending on which site is being visited. Sites are divided into zones: Internet (everything not placed in another zone), Local intranet (sites on your local network), Trusted sites, and Restricted sites. For each zone you can specify security settings; some of the most important control whether ActiveX controls, Java applets, and active scripting (JavaScript and VBScript) are allowed to run. Internet Explorer also lets you assign particular sites to the Trusted sites or Restricted sites zone so that they receive that zone's settings. On a public workstation the Internet zone itself should disable or prompt for ActiveX and scripting unless a site the library needs requires them.

Netscape

Because many different versions of Netscape are in common use, it is hard to discuss Netscape lockdown methods comprehensively. The latest version of Netscape is built on the new Mozilla code base and is not commonly used in libraries. This outline covers Netscape 4.x, a version very popular with libraries. Even within 4.x the methods can vary from release to release, so the following list describes some of the most common "version independent" ways to secure the 4.x releases.

Also see Securing Netscape 4 in the Public Library for more details. That site provides an excellent outline of most of the ways to secure Netscape.

Modify resdll.dll

This file is the resource DLL that holds Netscape's menus, buttons, and hotkeys. By editing it you can modify, restrict, or eliminate just about any menu item, button, or hotkey. You will need a Windows resource editor (such as the one included with Visual C++) to do this. Infopeople provides a modified resdll.dll file that can be used for locking down Netscape; see How to Add Netscape to Your Gates Computer for more information.

Set User Files to Read Only

By setting the following user files in the \Netscape\users\"profile name" directory to read only, you can lock certain functions:

  1. bookmark.htm - locks bookmarks
  2. cookies.txt - prevents new cookies from being saved (Netscape 4.x keeps its cookies in cookies.txt; if the file does not exist yet, create an empty one before locking it, otherwise Netscape will create a writable one on its next run)
  3. liprefs.js and prefs.js - locks preferences like the home page, location bar, etc., but can sometimes cause Netscape to crash; lock these last, test the browser, and make them writable again if it no longer starts

Rename prefui32.dll

Renaming this file will eliminate the preferences menu item.

Kiosk Mode

Run netscape.exe with the -k switch to launch it in kiosk mode. This mode removes the menus and shows the button bar only.

Super Kiosk Mode

Run netscape.exe with the -sk switch to launch it in super kiosk mode. This mode removes the button bar as well.

Run with a Specific Netscape User Profile

Run netscape.exe with the -P"profilename" switch (no space between -P and the quoted name) to make it start with a specific user profile. Combine it with -k or -sk so that the public session always runs in the locked-down profile rather than in whichever profile was used last.
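The lockdown steps above (read-only user files, the -sk and -P switches) collected into one script, as an added example that is not part of the outline and not code from Netscape or Infopeople. The profile directory, the path to netscape.exe and the profile name "public" are hypothetical and must be adjusted for the local install. The script creates a missing cookie file before locking it, reports the state of every file so the result can be checked after imaging a workstation, and leaves prefs.js and liprefs.js writable unless asked, because of the crash risk noted above.

```python
import os
import stat
import subprocess
import tempfile

# Files the outline says can be locked with the read-only attribute.
# cookies.txt is Netscape 4.x's cookie file (some guides list it as cookies.htm).
LOCK_FILES = ("bookmark.htm", "cookies.txt")
# Locking the preference files can crash some 4.x releases, so they are opt-in.
PREF_FILES = ("prefs.js", "liprefs.js")
READ_ONLY = stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH   # r--r--r-- (attrib +R)


def is_read_only(path):
    """True when no write bit is set. On Windows os.chmod/os.stat map these bits
    onto the read-only attribute, so the check behaves the same on both platforms."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH) == 0


def lock_profile(profile_dir, lock_prefs=False):
    """Mark the lockable files read-only and return {name: locked?}.

    A file that does not exist yet (cookies.txt on a fresh profile, for
    example) is created empty first; otherwise Netscape would create it
    writable on the next run and the lock would be silently missing.
    """
    targets = LOCK_FILES + (PREF_FILES if lock_prefs else ())
    result = {}
    for name in targets:
        path = os.path.join(profile_dir, name)
        if not os.path.exists(path):
            open(path, "a").close()
        os.chmod(path, READ_ONLY)
        result[name] = is_read_only(path)
    return result


def profile_status(profile_dir):
    """Report every lockable file as 'locked', 'writable' or 'missing', so staff
    can verify a workstation after imaging or after a Netscape upgrade."""
    status = {}
    for name in LOCK_FILES + PREF_FILES:
        path = os.path.join(profile_dir, name)
        if not os.path.exists(path):
            status[name] = "missing"
        else:
            status[name] = "locked" if is_read_only(path) else "writable"
    return status


def build_launch_command(netscape_exe, profile, super_kiosk=True):
    """Command line from the outline: -sk (no button bar) or -k (button bar
    only), plus -P"profile" with no space between the switch and the name."""
    switch = "-sk" if super_kiosk else "-k"
    return '"%s" %s -P"%s"' % (netscape_exe, switch, profile)


def launch(netscape_exe, profile, super_kiosk=True):
    """Start the browser (Windows). The command is passed as a single string so
    that the -P"profile" form reaches netscape.exe exactly as written."""
    return subprocess.Popen(build_launch_command(netscape_exe, profile, super_kiosk))


def make_demo_profile():
    """Throwaway profile directory with a constructed bookmark.htm, so the
    lockdown can be exercised without a real Netscape install."""
    profile_dir = tempfile.mkdtemp(prefix="nsprofile-")
    with open(os.path.join(profile_dir, "bookmark.htm"), "w") as f:
        f.write("<!DOCTYPE NETSCAPE-Bookmark-file-1>\n<TITLE>Bookmarks</TITLE>\n")
    return profile_dir


if __name__ == "__main__":
    # Hypothetical paths; adjust to the local install before use.
    exe = r"C:\Program Files\Netscape\Communicator\Program\netscape.exe"
    demo = make_demo_profile()
    print(lock_profile(demo))          # {'bookmark.htm': True, 'cookies.txt': True}
    print(profile_status(demo))
    print(build_launch_command(exe, "public"))
```

Run lock_profile once per public profile after the profile has been set up the way patrons should see it, then put the build_launch_command string in the shortcut or startup script that starts the kiosk session.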

Email Clients

This section covers the following email clients: Microsoft Outlook, Outlook Express, Eudora, Netscape Messenger, and Pegasus. Because Lotus Notes and cc:Mail are mainly corporate programs, they are not covered here; however, the principles below apply to them as well.

Email Clients and Viruses

The primary security concern with email clients is viruses. The first line of defense is anti-virus software, but there are other safeguards.

File Attachments

The most common way to spread viruses through email is file attachments. An attachment from an unknown source should never be opened, and an unexpected attachment from a known sender deserves suspicion too, because viruses mail themselves out of infected address books. An attachment can be a program, a macro, or a script. Email users should be especially wary of attachments with extensions like EXE, COM, BAT, HTM, VBS, and JS, and of double extensions such as "readme.txt.vbs", which Windows displays as "readme.txt" when it is set to hide known file types. Remember that Microsoft Office documents can contain macros and therefore viruses too. Most email programs warn you before opening attachments, but you should always be careful.

HTML Enabled Email Clients

Because most people have become wary of opening file attachments, viruses are now frequently delivered as scripts. In order to display email written in HTML (the language of the web), most email clients use a web browser's rendering engine, and web browsers run Java applets, ActiveX controls, and scripts (JavaScript and VBScript), any of which can make the client vulnerable: the code runs as soon as the message is displayed, without the user opening anything. To address this and other issues, each email client provides its own security options. There are too many client-specific issues to list them all; here are some ways to address a few of the major ones.

  • Eudora
    1. "Allow executables in HTML content" and "Use Microsoft's Viewer" should be disabled.
    2. There is a major vulnerability related to the "Attachments" directory. This directory should be renamed.
    3. See http://eudora.qualcomm.com/security.html for more information on security with Eudora.

  • Outlook and Outlook Express
    Outlook is the email client most frequently targeted by attacks.
    1. A well-known vulnerability is that a script carried in a message can use Outlook's automation interface to read the address book and replicate the virus by mailing it to every contact. This can be made less likely by applying the latest patches (see Updating Email Clients), which restrict programmatic access to the address book and to sending mail.
    2. Outlook and Outlook Express use the Internet Explorer engine to display HTML email and apply the settings of one of IE's security zones to it (Tools, Options, Security lets you choose the Internet zone or the Restricted sites zone). If you disable active scripting, ActiveX controls, and Java in the zone used for mail, they won't run in messages either; the Restricted sites zone is the safer choice. The drawback is that this can affect the display quality of some HTML content.

  • Netscape
    Like Outlook, Netscape lets you turn off Java and JavaScript for mail and news under "Preferences" (Advanced). Again, this prevents scripts from running in emails written in HTML format.

  • Pegasus
    Pegasus is a free email client. Although not as popular as other email programs, its author claims it is one of the safest against virus vulnerabilities.
    1. Its own HTML renderer does not run scripts, Java, or ActiveX content, at some cost in the display quality of HTML mail.
    2. By default it makes it very difficult to open attachments that may be dangerous.
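The two defenses described above, refusing attachments by their extension (File Attachments) and not running active content in HTML mail (this section), as one added Python example. It is not code from this page or from any of the clients discussed; it shows what a mail client or a filtering service has to do before a message reaches the user. The sample message is constructed inline, the extension lists extend the EXE/COM/BAT/HTM examples above with other Windows script and shortcut types, and the HTML stripper is a demonstration of the idea rather than a complete sanitizer: the robust setting is still to turn active content off in the client.

```python
import email.policy
import html
from email.message import EmailMessage
from html.parser import HTMLParser

# Outline's EXE/COM/BAT/HTM plus other Windows types that run when double-clicked;
# Office formats only warn, because they may (but need not) carry macros.
BLOCK_EXTENSIONS = {"exe", "com", "bat", "cmd", "pif", "scr", "htm", "html", "hta",
                    "vbs", "vbe", "js", "jse", "wsf", "wsh", "lnk"}
MACRO_EXTENSIONS = {"doc", "dot", "xls", "xlt", "ppt", "pot"}


def classify_attachment(filename):
    """Return (verdict, reason) with verdict 'block', 'warn' or 'allow'. The last
    extension decides; an earlier one ("READ ME.TXT.vbs") is called out because
    Windows hides known extensions and would show the file as "READ ME.TXT"."""
    stem, _, ext = filename.lower().rpartition(".")
    if ext in BLOCK_EXTENSIONS:
        reason = "executable or script type .%s" % ext
        if "." in stem:
            reason += " hidden behind .%s (double extension)" % stem.rpartition(".")[2]
        return "block", reason
    if ext in MACRO_EXTENSIONS:
        return "warn", "Office document, may contain macros"
    return "allow", ""


class ActiveContentStripper(HTMLParser):
    # Re-emits HTML without scripts, ActiveX/Java objects, frames, on* event
    # handlers or javascript: URLs. Comments are dropped by the base class.
    DROP_CONTAINERS = {"script", "object", "applet", "iframe", "frame", "frameset"}
    DROP_VOID = {"embed", "meta", "link", "base", "param"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.removed, self.skip_depth = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in self.DROP_CONTAINERS or tag in self.DROP_VOID:
            if not self.skip_depth:
                self.removed.append(tag)
            if tag in self.DROP_CONTAINERS:
                self.skip_depth += 1   # swallow everything up to the matching end tag
            return
        if self.skip_depth:
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on") or (value or "").strip().lower().startswith("javascript:"):
                self.removed.append("%s@%s" % (tag, name))
                continue
            kept.append(" " + name if value is None
                        else ' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in self.DROP_CONTAINERS:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag not in self.DROP_VOID:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))   # text re-escaped on output


def strip_active_content(markup):
    stripper = ActiveContentStripper()
    stripper.feed(markup)
    stripper.close()
    return "".join(stripper.out), stripper.removed


def scan_message(raw):
    """Classify every attachment and sanitise every HTML part of an RFC 822 message."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    report = {"attachments": [], "html": None, "removed": []}
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            report["attachments"].append((filename,) + classify_attachment(filename))
        elif part.get_content_type() == "text/html":
            report["html"], report["removed"] = strip_active_content(part.get_content())
    return report


# Constructed sample (not real mail): an HTML body carrying each kind of active
# content the text mentions, plus four attachments of differing risk.
SAMPLE_HTML = """<html><body><p>Your invoice is attached. <a href="http://example.com/">View online</a></p>
<script>window.open("http://example.com/popup");</script>
<object classid="clsid:00000000-0000-0000-0000-000000000000"><param name="x" value="y"></object>
<applet code="Evil.class" width=1 height=1></applet>
<img src="logo.gif" onload="alert(1)" alt="Example &amp; Co"> <a href="javascript:void(0)">click</a>
</body></html>"""


def build_sample_message():
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "sender@example.com", "patron@example.org", "Invoice"
    msg.set_content("Plain-text alternative.")
    msg.add_alternative(SAMPLE_HTML, subtype="html")
    for data, subtype, name in ((b"MZ\x90\x00", "octet-stream", "invoice.exe"),
                                (b"MsgBox 1", "octet-stream", "READ ME.TXT.vbs"),
                                (b"\xd0\xcf\x11\xe0", "msword", "notes.doc")):
        msg.add_attachment(data, maintype="application", subtype=subtype, filename=name)
    msg.add_attachment(b"\xff\xd8\xff", maintype="image", subtype="jpeg", filename="photo.jpg")
    return msg.as_string()
```

Calling scan_message(build_sample_message()) blocks invoice.exe and READ ME.TXT.vbs, warns on notes.doc, allows photo.jpg, and returns the HTML body with the script, object and applet elements, the onload handler and the javascript: link removed while ordinary links and escaped text survive. Note what the stripper does not do: it keeps remote images, which can still signal that an address is live, and it relies on the browser engine agreeing with HTMLParser about what is a tag, which is exactly the kind of mismatch that makes "turn scripting off" the safer control.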

Updating Email Clients

A crucial step in keeping email clients secure is ensuring that they are always updated with the latest patches. Because each email client has its own vulnerabilities, its own updates must be applied in addition to operating system and browser patches.

Mail Filtering Services

An excellent way to protect yourself from email-borne viruses is to subscribe to an email filtering service. Instead of your client receiving mail directly, messages first pass through the service, which scans them for viruses and inappropriate content. It is up to the service to keep its defenses current, which relieves the user of that burden, and because such services are usually large and well resourced they can respond to new viruses faster than an individual user. An example of an email filtering service is Mail Watch, http://www.mailwatch.com.

Email Encryption

A security consideration independent of viruses is privacy. Email travels across the Internet in clear text and passes through several mail servers on the way, so anyone with access to those servers or to the links between them can read it. Encryption "locks" a message so that it is very difficult for anyone without the key to read it. The methods differ mainly in how the recipient comes to hold a key that "unlocks" the message. The two main encryption methods are:

  1. Conventional ("password") encryption, in which the same secret key or password both encrypts and decrypts the message, so the sender must get that secret to the recipient over some other secure channel.
  2. Public key encryption, in which each user has a pair of keys: a public key that anyone may use to encrypt messages to that user, and a private key, kept secret, that alone can decrypt them. No secret needs to be exchanged in advance.
    • PGP ("Pretty Good Privacy") is the de facto standard for public key email encryption; it actually combines both methods, encrypting the message with a random one-time key and that key with the recipient's public key.
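The difference between the two methods, as an added toy example that is not from the page and is not real cryptography: the RSA modulus is tiny and the keystream is home-made, so the code shows who holds which key and how PGP combines the two, not a cipher anyone should use (real mail encryption means PGP/GnuPG or S/MIME). Conventional encryption needs the same password at both ends; public key encryption needs only the recipient's public key to encrypt and the recipient's private key to decrypt; the PGP-style hybrid encrypts the message with a random session key and the session key with the recipient's public key.

```python
import hashlib
import os


def keystream(key, length):
    """Toy counter-mode keystream: SHA-256(key || counter) blocks. Demonstration
    only; a real client uses a vetted cipher such as AES or CAST5."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hashlib.sha256(key + counter.to_bytes(4, "big")).digest())
    return b"".join(blocks)[:length]


def stream_xor(key, data):
    """XOR with the keystream; encryption and decryption are the same operation."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


# 1. Conventional ("password") encryption: sender and recipient share one secret,
#    which has to reach the recipient over some other channel.
def conventional_encrypt(password, plaintext):
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
    return salt + stream_xor(key, plaintext)


def conventional_decrypt(password, blob):
    salt, body = blob[:16], blob[16:]
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
    return stream_xor(key, body)


# 2. Public key encryption: the recipient publishes (e, n) and keeps d secret.
#    Textbook RSA with tiny primes so the numbers are visible; insecure by design.
def rsa_keypair(p=61, q=53, e=17):
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (e, n), (d, n)        # public key, private key


def rsa_encrypt_int(m, public_key):
    e, n = public_key
    assert 0 <= m < n, "message block must be smaller than the modulus"
    return pow(m, e, n)


def rsa_decrypt_int(c, private_key):
    d, n = private_key
    return pow(c, d, n)


# 3. PGP-style hybrid: a random session key encrypts the message, and the
#    recipient's public key encrypts the session key (byte by byte here, a toy
#    simplification; real PGP wraps the whole key with padding).
def pgp_style_encrypt(public_key, plaintext):
    session_key = os.urandom(16)
    wrapped_key = [rsa_encrypt_int(b, public_key) for b in session_key]
    return wrapped_key, stream_xor(session_key, plaintext)


def pgp_style_decrypt(private_key, wrapped_key, body):
    session_key = bytes(rsa_decrypt_int(c, private_key) for c in wrapped_key)
    return stream_xor(session_key, body)


if __name__ == "__main__":
    public_key, private_key = rsa_keypair()
    wrapped, body = pgp_style_encrypt(public_key, b"Meet at the reference desk")
    print(wrapped, body.hex())
    print(pgp_style_decrypt(private_key, wrapped, body))
```

The point to take from the three sections is where the secret lives: in the conventional case both parties must already share the password, while in the public key and hybrid cases the sender never learns anything secret, only the recipient's published key, which is why public key encryption is the one that scales to strangers exchanging mail.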