EXAM TIP
The name “ActiveX Opt-in” can be confusing. Enabling ActiveX Opt-in causes Internet
Explorer not to run ActiveX controls by default, even controls that are already installed.
Instead, the Information Bar notifies the user, who must explicitly choose to enable (opt in to)
the add-on before it runs.
ActiveX Opt-in applies to most ActiveX controls. However, it does not apply to ActiveX
controls on the preapproved list, which Internet Explorer runs without asking the user. The
preapproved list is maintained in the registry at
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved.
Within this key, there are several subkeys, each named with the Class ID (CLSID) of a preapproved
ActiveX control. You can identify the CLSID of the control a Web page uses by viewing the source
of the page and searching for “<object”; the CLSID appears in the tag’s classid attribute
(classid="clsid:<CLSID>"). Review the preapproved list periodically: a vulnerable control on it can
be instantiated by Web pages without the user ever being asked.
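As an added example (not from the training kit), the following Windows PowerShell script enumerates the preapproved list, resolves each CLSID to the control’s registered name and server DLL, and checks the CLSIDs referenced by a page’s <object> tags against it. The HTML snippet is constructed sample input and its all-zero CLSID is a placeholder, not a real control.

```powershell
# Added example, not from the training kit: review the ActiveX Opt-in
# preapproved list and check a page's <object> tags against it.
$preApproved = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved'

function Get-PreApprovedActiveX {
    if (-not (Test-Path $preApproved)) { return }
    foreach ($key in Get-ChildItem $preApproved) {
        $clsid = $key.PSChildName                # subkey name is the CLSID, e.g. {xxxxxxxx-...}
        $name = $null; $server = $null
        # The CLSID registration holds the friendly name (default value) and the server
        # DLL. On 64-bit Windows the 32-bit controls that 32-bit IE loads are registered
        # under the Wow6432Node view, so check both views.
        foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID') {
            $reg = Join-Path $root $clsid
            if (Test-Path $reg) {
                $name = (Get-ItemProperty $reg).'(default)'
                $srv = Join-Path $reg 'InprocServer32'
                if (Test-Path $srv) { $server = (Get-ItemProperty $srv).'(default)' }
                break
            }
        }
        New-Object PSObject -Property @{
            CLSID  = $clsid.ToUpper()
            Name   = $name
            Server = $server                      # $null means preapproved but no control is registered
        }
    }
}

function Get-PageClsid {
    param([string]$Html)
    # Matches <object ... classid="clsid:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"> in any case or spacing
    $rx = [regex]'(?is)<object\b[^>]*\bclassid\s*=\s*["'']?clsid:([0-9a-f\-]{36})'
    foreach ($m in $rx.Matches($Html)) { '{' + $m.Groups[1].Value.ToUpper() + '}' }
}

# Constructed sample page; the all-zero CLSID is a placeholder, not a real control.
$sampleHtml = @'
<html><body>
<object classid="clsid:00000000-0000-0000-0000-000000000000" width="1" height="1"></object>
</body></html>
'@

$approved = @(Get-PreApprovedActiveX)
$approved | Sort-Object Name | Format-Table CLSID, Name, Server -AutoSize

$approvedIds = @($approved | ForEach-Object { $_.CLSID })
foreach ($id in Get-PageClsid $sampleHtml) {
    if ($approvedIds -contains $id) { "$id : preapproved (ActiveX Opt-in does not apply)" }
    else                            { "$id : subject to ActiveX Opt-in" }
}
```

Entries whose Server column is empty are CLSIDs that are preapproved but not registered on this computer; they are harmless until a control with that CLSID is installed, at which point it runs without an Opt-in prompt.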
HOW TO CONFIGURE ActiveX ON A SINGLE COMPUTER
The previous section described how to configure ActiveX Opt-in on a single computer. In
addition to that setting, you can configure several other per-zone settings related to ActiveX
from the Security Settings dialog box:
■ Automatic Prompting For ActiveX Controls This setting is disabled by default for all
zones. If you choose to enable this setting, it bypasses the information bar and instead
actively prompts the user to install the ActiveX control.
■ Download Signed ActiveX Controls Developers can digitally sign ActiveX controls with
a code-signing certificate. A valid signature identifies the publisher and shows that the
control has not been modified since it was signed, so signed controls are typically more
trustworthy than unsigned controls. A signature says nothing about whether the control is
safe, however, and you shouldn’t trust all signed ActiveX controls. By default, this setting
is set to prompt the user. You can reduce the number of prompts the user receives by
changing this setting to Enable, at the cost of letting any signed control download without
the user’s consent.
■ Download Unsigned ActiveX Controls By default, unsigned ActiveX controls are
disabled. If you must distribute an unsigned ActiveX control, add the site that requires
the control to your Trusted Sites list and change this setting for the Trusted Sites zone
to Prompt.
■ Initialize And Script ActiveX Controls Not Marked As Safe For Scripting This
setting is disabled by default for all zones. You should enable it only if you experience
a problem with a specific ActiveX control and the developer informs you that this
setting is required. In that case, you should add the site to the Trusted Sites list and
enable this control only for that zone.
■ Run ActiveX Controls And Plug-Ins This setting controls whether ActiveX controls
will run, regardless of how other settings are defined. In other words, if this setting
is disabled, users cannot run ActiveX controls, even using ActiveX Opt-in. This setting is
enabled for all zones except for the Restricted Sites zone.
■ Script ActiveX Controls Marked Safe For Scripting Some ActiveX controls are
marked safe for scripting by the developer. This setting is enabled for all zones except
for the Restricted Sites zone. Typically, you should leave this at the default setting.
Because the developer, not an independent party, decides whether to mark a control safe
for scripting, the marking is a self-assertion and does not indicate that the ActiveX control
is more trustworthy than any other control.
HOW TO MANAGE ActiveX ADD-ONS ON A SINGLE COMPUTER
To disable or remove installed ActiveX controls on a single computer, follow these steps:
1. Open Internet Explorer.
2. Click the Tools button on the toolbar, click Manage Add-Ons, and then click Enable Or
Disable Add-Ons.
The Manage Add-Ons dialog box appears.
3. Click the Show list, and then click Downloaded ActiveX Controls.
4. Select the ActiveX control you want to manage, click one of the following, and then
click OK:
■ Disable to disable the ActiveX control.
■ Delete to remove the ActiveX control.
How to Configure ActiveX Installer Service
Some critical Web applications might require ActiveX controls to run. This can be a challenge
if your users lack administrative credentials: installing an ActiveX control writes to
system-wide locations, so UAC requires administrative credentials (although any user can use
an ActiveX control after it is installed).
Fortunately, you can use the ActiveX Installer Service to enable standard users to install
specific ActiveX controls. To configure the list of sites approved to install ActiveX controls,
perform these steps:
1. Open the Group Policy Object (GPO) in the Group Policy Object Editor.
2. Browse to Computer Configuration\Administrative Templates\Windows Components\
ActiveX Installer Service.
3. Double-click the Approved Installation Sites For ActiveX Controls setting. Enable it.
4. Click Show to specify host Uniform Resource Locators (URLs) that are allowed to
distribute ActiveX controls. In the Show Contents dialog box, click Add and configure
the host URLs as follows:
■ Configure each item name as the host URL of the Web site from which clients will
download the ActiveX controls, such as http://activex.microsoft.com.
■ Configure each value name using four numbers separated by commas (such as
“2,1,0,0”). These values are described later in this section.
5. Click OK to save the setting for the new policy.
When you configure the list of approved installation sites for ActiveX Controls, you
configure a name and value pair for each site. The name will always be the URL of the site
hosting the ActiveX control, such as http://activex.microsoft.com. The value consists of four
numbers:
■ Trusted ActiveX Controls (controls signed by a publisher in the Trusted Publishers
certificate store) Define the first number as 0 to block trusted ActiveX controls from being
installed, as 1 to prompt the user to install trusted ActiveX controls, or as 2 to install
trusted ActiveX controls automatically, without prompting the user.
■ Signed ActiveX Controls Define the second number as 0 to block signed ActiveX
controls from being installed, as 1 to prompt the user to install signed ActiveX controls,
or as 2 to install signed ActiveX controls automatically, without prompting the user.
■ Unsigned ActiveX Controls Define the third number as 0 to block unsigned ActiveX
controls from being installed or define this number as 1 to prompt the user to install
unsigned ActiveX controls. You cannot configure unsigned ActiveX controls to be
installed automatically.
■ Server Certificate Policy Set this value to 0 to cause the ActiveX Installer Service to
abort installation if there are any certificate errors. Alternatively, you can set it to 256
to ignore an unknown CA, 512 to ignore invalid certificate usage, 4096 to ignore an
unknown common name in the certificate, or 8192 to ignore an expired certificate.
Add these numbers to ignore multiple types of certificate errors.
For example, the numbers 2,1,0,0 would cause the ActiveX Installer Service to silently
install trusted ActiveX controls, prompt the user for signed controls, never install unsigned
controls, and abort installation if any Hypertext Transfer Protocol Secure (HTTPS) certificate
error occurs.
When a user attempts to install an ActiveX control that has not been approved, the
ActiveX Installer Service creates an event in the Application Log with an Event ID of 4097 and
a source of AxInstallService. Review these events before approving a site: they show which
sites your users actually need, so the approved list can stay as short as possible.
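The following Windows PowerShell script is an added example, not part of the training kit. It decodes and validates the four-number value described above (rejecting, for instance, an attempt to install unsigned controls silently), writes an approved site to the registry key behind the policy setting, and lists the 4097 events that record blocked installations. The registry path HKLM\SOFTWARE\Policies\Microsoft\Windows\AxInstaller with its ApprovedList value and ApprovedActiveXInstallSites subkey is my assumption about how the Administrative Template stores the setting; confirm it against the ActiveX Installer Service ADMX file before relying on it. The flag numbers are the ones the lesson gives.

```powershell
# Added example, not from the training kit. Policy value format: "trusted,signed,unsigned,certpolicy"
# where trusted = signed by a publisher in the Trusted Publishers store.
$installMode = @{ 0 = 'block'; 1 = 'prompt'; 2 = 'install silently' }
$certFlags   = @{ 256 = 'ignore unknown CA'; 512 = 'ignore invalid certificate usage'
                  4096 = 'ignore unknown common name'; 8192 = 'ignore expired certificate' }

function ConvertFrom-AxInstallPolicy {
    param([string]$Value)                          # e.g. '2,1,0,0'
    $parts = $Value -split ','
    if ($parts.Count -ne 4) { throw "Expected four comma-separated numbers, got '$Value'" }
    $n = @($parts | ForEach-Object { [int]$_.Trim() })
    foreach ($i in 0..2) {
        if (-not $installMode.ContainsKey($n[$i])) { throw "Field $($i + 1) must be 0, 1 or 2" }
    }
    # Unsigned controls may be blocked or prompted for, never installed silently.
    if ($n[2] -eq 2) { throw 'Unsigned controls cannot be set to install automatically (2)' }
    $known = 256 + 512 + 4096 + 8192
    if (($n[3] -band -bnot $known) -ne 0) { throw "Unknown server certificate policy bits in $($n[3])" }
    $ignored = @($certFlags.Keys | Where-Object { ($n[3] -band $_) -ne 0 } | ForEach-Object { $certFlags[$_] })
    New-Object PSObject -Property @{
        Trusted  = $installMode[$n[0]]
        Signed   = $installMode[$n[1]]
        Unsigned = $installMode[$n[2]]
        CertificateErrors = $(if ($ignored.Count) { $ignored -join ', ' } else { 'abort on any error' })
    }
}

function Set-AxInstallSite {
    param([string]$HostUrl, [string]$Value)
    $null = ConvertFrom-AxInstallPolicy $Value     # reject a malformed value before touching the registry
    # Assumed backing key for "Approved Installation Sites for ActiveX Controls"; verify against the ADMX.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AxInstaller'
    $list = Join-Path $base 'ApprovedActiveXInstallSites'
    if (-not (Test-Path $list)) { New-Item $list -Force | Out-Null }
    Set-ItemProperty $base -Name ApprovedList -Value 1 -Type DWord
    Set-ItemProperty $list -Name $HostUrl -Value $Value -Type String
}

function Get-AxInstallBlockedEvents {
    # Event 4097 from AxInstallService records each installation the service refused.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'AxInstallService'; Id = 4097 } `
        -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
}

ConvertFrom-AxInstallPolicy '2,1,0,0'       # the lesson's example
ConvertFrom-AxInstallPolicy '2,2,1,4352'    # silent trusted/signed, prompt unsigned, ignore CA + CN errors
# Set-AxInstallSite 'http://activex.microsoft.com' '2,1,0,0'   # run elevated
Get-AxInstallBlockedEvents | Format-List
```

Ignoring certificate errors (a nonzero fourth field) removes the check that proves the control really came from the approved host, so leave it at 0 for any site reached over a network you do not control.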
How Internet Explorer Works in 64-bit Versions of Windows 7
Because 64-bit processes can address far more memory than 32-bit processes, 64-bit
computing is the future. Right now, however, most users run 32-bit versions of Windows.
Although 64-bit versions of Windows have clear advantages, they do have compatibility
problems in the real world. In particular, a 64-bit process cannot load 32-bit code, so 64-bit
versions of Internet Explorer can’t use 32-bit components such as ActiveX controls, which
might provide critical functionality for many Web sites. Although 64-bit components are
becoming more common, some critical components still aren’t available for 64-bit.
For that reason, the 32-bit version of Internet Explorer is the default even in 64-bit
versions of Windows. If a user reports a problem while using the 64-bit version of Internet
Explorer (there’s a separate shortcut for it on the Start menu), reproduce the problem in the
32-bit version of Internet Explorer before doing any other troubleshooting; if the page works
there, a missing 64-bit component is the likely cause.
Adding Sites to the Trusted Sites List
Internet Explorer is configured by default to prevent Internet Web sites from performing
many actions that might compromise the computer’s security or the user’s privacy. However,
some legitimate Web sites might need to perform those actions to allow Web applications to
run properly.
Administrators can add sites to the Trusted Sites list to grant them additional privileges.
To add a site to the Trusted Sites list, follow these steps:
1. In Internet Explorer, click the Tools menu on the toolbar, and then click Internet
Options.
2. In the Internet Options dialog box, click the Security tab. Click Trusted Sites, and then
click Sites.
3. In the Trusted Sites dialog box, clear the Require Server Verification check box only if
you must access the server using HTTP rather than HTTPS. Leave it selected whenever
possible: without HTTPS, an attacker on the network path can impersonate the server
and inherit the Trusted Sites privileges you are granting it.
4. In the Add This Website To The Zone box, type the URL of the Web site, such as
http://www.contoso.com, and then click Add.
5. Click Close.
The next time you visit the site, Internet Explorer grants it all the privileges assigned to the
Trusted Sites list.
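As an added example (not from the training kit), the following Windows PowerShell script performs the same change from the command line by writing the ZoneMap registry entries that the Internet Options dialog writes for the current user, defaulting to HTTPS only, and then lists every entry currently in the Trusted Sites zone so that entries that allow plain HTTP stand out. The host www.contoso.com is the lesson's own example.

```powershell
# Added example, not from the training kit: manage the current user's Trusted Sites
# list through the ZoneMap registry entries that the Internet Options dialog writes.
# Zone numbers: 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites.
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Add-TrustedSite {
    param(
        [string]$HostName,      # e.g. 'www.contoso.com'; a bare 'contoso.com' matches every host in that domain
        [switch]$AllowHttp      # default is https only, the equivalent of leaving Require Server Verification selected
    )
    # Layout: ...\Domains\<domain>\<host part>, value name = scheme, DWORD data = zone number.
    $labels = $HostName.ToLower().Split('.')
    if ($labels.Count -lt 2) { throw 'Specify a fully qualified host name' }
    $key = Join-Path $zoneMap ($labels[-2..-1] -join '.')
    if ($labels.Count -gt 2) { $key = Join-Path $key ($labels[0..($labels.Count - 3)] -join '.') }
    if (-not (Test-Path $key)) { New-Item $key -Force | Out-Null }
    Set-ItemProperty $key -Name https -Value 2 -Type DWord
    if ($AllowHttp) { Set-ItemProperty $key -Name http -Value 2 -Type DWord }
    $key
}

function Get-TrustedSites {
    if (-not (Test-Path $zoneMap)) { return }
    foreach ($key in Get-ChildItem $zoneMap -Recurse) {
        $props = Get-ItemProperty $key.PSPath
        foreach ($scheme in 'http', 'https', '*') {
            if ($props.$scheme -eq 2) {
                # Rebuild the host name from the key path: Domains\contoso.com\www -> www.contoso.com
                $parts = $key.Name.Substring($key.Name.IndexOf('\Domains\') + 9).Split('\')
                [array]::Reverse($parts)
                New-Object PSObject -Property @{
                    Host      = ($parts -join '.')
                    Scheme    = $scheme
                    PlainHttp = ($scheme -ne 'https')   # an http entry lets a network attacker spoof the trusted site
                }
            }
        }
    }
}

Add-TrustedSite 'www.contoso.com' | Out-Null
Get-TrustedSites | Format-Table Host, Scheme, PlainHttp -AutoSize
```

New Internet Explorer windows pick up the change; windows already open keep the old zone mapping. If Group Policy defines the Site To Zone Assignment List, the policy list replaces the user's own entries and anything written here is ignored.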
Protected Mode
Before Windows Vista, many computers were compromised when Web sites containing
malicious code succeeded in abusing the Web browsers of visitors to run code on the client
computer. Because any new process spawned by an existing process inherits the privileges
of the parent process, and the Web browser ran with the user’s full privileges, maliciously
spawned processes received the same privileges as the user. Because most users ran with
administrative privileges, the malicious process could install software and transfer
confidential documents.
In Windows Vista and Windows 7, Internet Explorer reduces this type of risk using
a feature called Protected Mode. With Protected Mode (originally introduced with Internet
Explorer 7), Internet Explorer 8 runs with very limited privileges on the local computer—even
fewer privileges than those that the standard user has in Windows 7. Therefore, even if
malicious code on a Web site were to abuse Internet Explorer successfully to spawn a process,
that malicious process would have privileges only to access the Temporary Internet Files
folder and a few other locations—it would not be able to install software, reconfigure the
computer, or read the user’s documents.
For example, most users log on to computers running Windows XP with administrative
privileges. If a Web site exploits a vulnerability in Windows XP that hasn’t been fixed with an
update and successfully starts a process to install spyware, the spyware installation process
would have full administrator privileges to the local computer. On a computer running
Windows 7 the spyware install process would have minimal privileges—even less than those
of a standard user—regardless of whether the user was logged on as an administrator.
Protected Mode is a form of defense-in-depth. Protected Mode is a factor only if malicious
code successfully compromises the Web browser and runs. In these cases, Protected Mode
limits the damage the process can do without the user’s permission. Protected Mode also
depends on User Account Control (UAC): if UAC is turned off, Protected Mode is turned off as
well, regardless of the zone settings. Protected Mode is not available when Internet Explorer
is installed on Windows XP because it requires several security features unique to Windows
Vista and Windows 7.
The sections that follow provide more information about Protected Mode.
How Protected Mode Works
One of the features of Windows 7 that enables Protected Mode is Mandatory Integrity Control
(MIC). MIC labels processes, folders, files, and registry keys with one of four integrity levels
(ILs), as shown in Table 4-1, and blocks a process from writing to any object with a higher IL
than its own. Internet Explorer runs with a low IL, which means it can write only to other low
IL resources without the user’s permission.
TABLE 4-1 Mandatory Integrity Control Levels
IL | SYSTEM PRIVILEGES |
System | System; processes have unlimited access to the computer. |
High | Administrative; processes can install files to the Program Files folder and write to sensitive registry areas like HKEY_LOCAL_MACHINE. |
Medium | User; processes can create and modify files in the user’s Documents folder and write to user-specific areas of the registry, such as HKEY_CURRENT_USER. Most files and folders on a computer have a medium integrity level because any object without a mandatory label has an implied default integrity level of Medium. |
Low | Untrusted; processes can write only to low-integrity locations, such as the Temporary Internet Files\Low folder or the HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry key. |
Low IL resources that Internet Explorer in Protected Mode can access include:
■ The History folder
■ The Cookies folder
■ The Favorites folder
■ The %Userprofile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\
folder
■ The Temporary Files folders
■ The HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry key
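Because the integrity label is an entry in the object's security descriptor, you can inspect it with icacls. The following Windows PowerShell script is an added example, not part of the training kit: it reports the label on candidate Protected Mode locations (the lesson's Temporary Internet Files\Low folder, other Low folders under the profile, and the Documents folder as a Medium control), and shows how to label a folder Low so that a Protected Mode add-on can write there without turning Protected Mode off. The folder list is simply what the script inspects; it reports whatever labels it finds rather than asserting them.

```powershell
# Added example, not from the training kit. Reads the Mandatory Integrity Control label
# that icacls prints for a file or folder. An object with no Mandatory Label entry has the
# implied default of Medium, which a Low IL process (Protected Mode IE) cannot write to.
function Get-IntegrityLabel {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return New-Object PSObject -Property @{ Path = $Path; Label = 'missing'; LowCanWrite = $false }
    }
    # A label line in icacls output looks like:  Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)
    $out = & icacls.exe $Path 2>&1 | Out-String
    $label = 'Medium (implied)'
    if ($out -match 'Mandatory Label\\(\w+) Mandatory Level') { $label = $Matches[1] }
    New-Object PSObject -Property @{
        Path        = $Path
        Label       = $label
        LowCanWrite = ($label -eq 'Low')   # NW (no write-up): a Low process may write only to Low objects
    }
}

function Set-LowIntegrity {
    param([string]$Path)
    # Labels the folder and everything created beneath it Low, the supported alternative to
    # disabling Protected Mode when an add-on must write outside the default Low locations.
    & icacls.exe $Path /setintegritylevel '(OI)(CI)Low' | Out-Null
    Get-IntegrityLabel $Path
}

$candidates = @(
    "$env:LOCALAPPDATA\Microsoft\Windows\Temporary Internet Files\Low",   # listed in the lesson
    "$env:LOCALAPPDATA\Microsoft\Windows\History\Low",
    "$env:APPDATA\Microsoft\Windows\Cookies\Low",
    "$env:LOCALAPPDATA\Temp\Low",
    "$env:USERPROFILE\AppData\LocalLow",
    "$env:USERPROFILE\Documents"                                          # Medium control: should not be writable
)
$candidates | ForEach-Object { Get-IntegrityLabel $_ } | Format-Table Path, Label, LowCanWrite -AutoSize

# Example remediation for an add-on that must write to its own data folder (path is illustrative):
# Set-LowIntegrity "$env:LOCALAPPDATA\ContosoAddOn"
```

icacls shows labels for file system objects only; for the LowRegistry key, open the key's permissions in Registry Editor (Advanced, Auditing tab) to see the label, or rely on the fact that Internet Explorer creates the key with a Low label itself.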
How the Protected Mode Compatibility Layer Works
To minimize both the number of privilege elevation requests and the number of compatibility
problems, Protected Mode provides a compatibility layer. The Protected Mode Compatibility
Layer redirects requests for protected resources to safer locations. For example, any requests
for the Documents library are redirected automatically to subfolders contained within the
hidden %Userprofile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\
Virtualized folder. The first time that an add-on attempts to write to a protected object, the
Protected Mode Compatibility Layer copies the object to a safe location and accesses the
copy. All future requests for the same protected file access the copy.
The Protected Mode Compatibility Layer matters only for Internet Explorer add-ons written
for versions of Windows prior to Windows Vista; add-ons written for Windows Vista or
Windows 7 should write to low-integrity locations natively and never trigger the redirection.
How to Enable Compatibility Logging
Some Web applications and Internet Explorer add-ons developed for earlier versions of
Internet Explorer have compatibility problems when you run them with Internet Explorer 8
and Windows 7. One way to identify the exact compatibility problem is to enable compatibility
logging using Group Policy. To enable compatibility logging on your local computer, perform
these steps:
1. Click Start, type gpedit.msc, and then press Enter.
2. In the Group Policy Object Editor, browse to User Configuration\Administrative
Templates\Windows Components\Internet Explorer. If you need to enable compatibility
logging for all users on the computer, browse to Computer Configuration\Administrative
Templates\Windows Components\Internet Explorer.
3. Double-click the Turn On Compatibility Logging setting. Select Enabled, and then
click OK.
4. Restart Internet Explorer if it is currently open; otherwise, start it.
With compatibility logging enabled, you should reproduce the problem you are
experiencing. You can then view events in the Event Viewer snap-in under Applications And
Service Logs\Internet Explorer. Some events, such as Event ID 1037, will not have a description
unless you also install the Application Compatibility Toolkit.
NOTE COMPATIBILITY LOGGING
For more information about compatibility logging, read “Finding Security Compatibility
Issues in Internet Explorer 7,” at http://msdn.microsoft.com/en-us/library/bb250493.aspx.
It applies equally well to Internet Explorer 8.
How to Disable Protected Mode
If you are concerned that Protected Mode is causing problems with a Web application,
you can disable it temporarily to test the application. Protected Mode is enabled on
a zone-by-zone basis and is disabled by default for Trusted Sites.
To disable Protected Mode, perform these steps:
1. Open Internet Explorer.
2. Click the Tools button on the toolbar, and then click Internet Options.
3. Click the Security tab.
4. Select the zone for which you want to disable Protected Mode. Then, clear the Enable
Protected Mode check box.
5. Click OK twice.
6. Restart Internet Explorer.
If the application works when Protected Mode is disabled, the problem is probably related
to Protected Mode. In that case, you should re-enable Protected Mode and work with
the application developer to solve the problems in the Web application. Alternatively, you
could add the site to the Trusted Sites zone, which permanently disables Protected Mode for
that site. Keep in mind that the site then also receives every other privilege of the Trusted
Sites zone, so do this only for sites you control or trust completely.
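The per-zone ActiveX settings described earlier in this lesson (under “How to Configure ActiveX on a Single Computer”) and the per-zone Enable Protected Mode check box described here are stored as numbered values under the same registry zone keys. As an added example (not from the training kit), the following Windows PowerShell script reads them for all five zones, reports whether each value came from the user’s own settings or from Group Policy, and flags values weaker than this lesson’s recommendations. The value names and data codes (0 = Enable, 1 = Prompt, 3 = Disable) are Microsoft’s documented zone-setting codes; the “weak” rules are my encoding of the lesson’s guidance.

```powershell
# Added example, not from the training kit: audit per-zone ActiveX and Protected Mode settings.
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$state     = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$settings  = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe for scripting'
    '1405' = 'Script ActiveX controls marked safe for scripting'
    '2201' = 'Automatic prompting for ActiveX controls'
    '2500' = 'Turn on Protected Mode'           # 0 = on, 3 = off
}

function Get-ZoneSettings {
    param([string]$Hive = 'HKCU:')
    # Values written by Group Policy live under ...\Policies\... and take precedence over
    # the user's own values, so read the policy key first.
    $roots = @("$Hive\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones",
               "$Hive\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones")
    foreach ($zone in 0..4) {
        foreach ($name in ($settings.Keys | Sort-Object)) {
            $value = $null; $source = 'not set'
            foreach ($root in $roots) {
                $key = Join-Path $root $zone
                if (Test-Path $key) {
                    $v = (Get-ItemProperty $key).$name
                    if ($v -ne $null) {
                        $value = [int]$v
                        $source = $(if ($root -like '*\Policies\*') { 'policy' } else { 'user' })
                        break
                    }
                }
            }
            $label = $(if ($value -ne $null -and $state.ContainsKey($value)) { $state[$value] } else { "$value" })
            # Flag values more permissive than the lesson recommends.
            $weak = $false
            if ($value -ne $null) {
                $weak = switch ($name) {
                    '1201' { $value -ne 3 }                                   # Disable in every zone
                    '1004' { $value -ne 3 -and $zone -ne 2 }                  # Disable except Trusted sites (Prompt)
                    '1001' { $value -eq 0 -and ($zone -eq 3 -or $zone -eq 4) } # Prompt, not Enable, on the Internet
                    '2201' { $value -eq 0 -and ($zone -eq 3 -or $zone -eq 4) } # auto-prompting on for untrusted zones
                    '2500' { $value -eq 3 -and ($zone -eq 3 -or $zone -eq 4) } # Protected Mode off for untrusted zones
                    default { $false }
                }
            }
            New-Object PSObject -Property @{
                Zone = $zoneNames[$zone]; Setting = $settings[$name]; Value = $label; Source = $source; Weak = [bool]$weak
            }
        }
    }
}

Get-ZoneSettings | Sort-Object Weak -Descending | Format-Table Zone, Setting, Value, Source, Weak -AutoSize
```

Run it again with `Get-ZoneSettings -Hive 'HKLM:'` when the Security Zones: Use Only Machine Settings policy is in effect, because the per-user keys are then ignored. A Protected Mode value of Enable is only meaningful while UAC is on; with UAC off, Protected Mode is off in every zone.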
How to Troubleshoot Certificate Problems
Certificates are used for several security-related tasks in Internet Explorer:
■ Encrypting traffic The most common use for certificates in Internet Explorer. Many
Web sites, especially e-commerce Web sites that accept credit card numbers, have
an SSL certificate installed. This certificate enables HTTPS communications, which
behave like HTTP but add encryption and server authentication. With standard,
unencrypted HTTP, an attacker with access to the network can read all data transferred
to and from the server. With HTTPS, an attacker can still capture the traffic, but it is
encrypted and cannot be decrypted without the server’s private key.
■ Authenticating the server SSL certificates authenticate the server by allowing the
client to verify that the certificate was issued by a trusted CA and that one of the
names in the certificate matches the host name used to access the site. This helps to
prevent man-in-the-middle attacks, whereby an attacker tricks a client computer into
visiting a malicious server that impersonates the legitimate server. Web sites on the
public Internet typically have SSL certificates issued by a third-party CA that is trusted
by default in Internet Explorer. Intranet Web sites can use certificates issued by an
internal CA as long as client computers are configured to trust the internal CA.
■ Authenticating the client Intranet Web sites can require client certificates, issued to
users or computers on the network, to authenticate the user to the Web site. In an AD DS
domain, Group Policy certificate autoenrollment makes it easy to distribute client
certificates throughout your enterprise.
If Internet Explorer detects a problem with a certificate, it displays the message, “There is
a problem with this website’s security certificate,” as shown in Figure 4-7.
FIGURE 4-7 How Internet Explorer detects mismatched SSL certificates
The following list describes common problems that can occur when using certificates in
Internet Explorer and how to troubleshoot them.
■ The security certificate presented by this Web site was issued for a different Web
site’s address In this case, there are several possible causes:
• The host name you are using to access the Web site is not one of the names in the
certificate. For example, you might be attempting to access the Web site by Internet
Protocol (IP) address. Alternatively, you might be accessing an alternative host
name, such as “contoso.com” instead of “www.contoso.com.”
NOTE SUBJECT ALTERNATIVE NAMES
Historically, SSL certificates have specified the host name for which they are valid by
using the Common Name field. For example, you might specify www.contoso.com
as the Common Name for your Web site certificate. However, if a user accessed the
same site using the host name contoso.com, the browser would return an error.
Since about 2003, most popular browsers have supported SSL certificates with
Subject Alternative Names (SANs). SANs are host names for which an SSL certificate
is valid. For example, you could create an SSL certificate with a SAN list and allow
users to access a single Web server using either contoso.com or www.contoso.com.
You can view a certificate’s SAN list by visiting the site using HTTPS and clicking
the padlock icon in the address bar of Internet Explorer. Click View Certificates, and
then click the Details tab. Select the Subject Alternative Name field to view every
host name for which the certificate is valid.
• The server administrator made a mistake. For example, the administrator might
have mistyped the server’s host name when requesting the certificate or the
administrator might have installed the wrong certificate on the server.
• The server is impersonating a server with a different host name. For example,
an attacker might have set up a Web site to impersonate www.fabrikam.com.
However, the attacker is using a different SSL certificate on the Web site. Earlier
versions of Internet Explorer show a less intimidating error message, so many users
might have bypassed the error and continued to the malicious site.
■ The certificate has expired Certificates have a limited lifespan—usually one to five
years. If the certificate has expired, the server administrator should request an updated
certificate and apply it to the server.
■ Internet Explorer is not configured to trust the certificate authority Anyone,
including attackers, can create a CA and issue certificates. Therefore, Internet Explorer
does not trust all CAs. Instead, it trusts only the CAs whose root certificates are in the
Trusted Root Certification Authorities store, which Windows populates with a set of public
CAs. If the certificate was issued by an untrusted CA and the Web site is on the public
Internet, the server administrator should acquire a certificate from a trusted CA. If the
Web site is on your intranet, a client administrator should configure Internet Explorer
to trust the issuing CA. In AD DS domains, member computers automatically trust
enterprise CAs. For more information, complete the exercises at the end of this lesson.
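The three causes above can be told apart without clicking through the warning. The following Windows PowerShell script is an added example, not part of the training kit: it performs the same name, validity-period and chain checks that the browser performs, on either a live HTTPS endpoint or an exported .cer file (which works offline), and reports which check failed so you can separate an administrator’s mistake from a possible impersonation. The host names in the usage lines are the lesson’s own; the parsing of the Subject Alternative Name text assumes an English Windows display (“DNS Name=”).

```powershell
# Added example, not from the training kit: classify a server certificate against the
# lesson's three failure causes: name mismatch, expiry, untrusted issuer.
function Test-ServerCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$HostName
    )
    $problems = @()

    # 1. Name check: the host must match the CN or one of the SANs (a wildcard covers one label).
    $names = @()
    $cn = $Certificate.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($cn) { $names += $cn }
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
    if ($san) {
        # Format() renders "DNS Name=www.contoso.com, DNS Name=contoso.com" (English Windows)
        $names += @($san.Format($false) -split ',\s*' | Where-Object { $_ -like 'DNS Name=*' } |
                    ForEach-Object { $_.Substring(9) })
    }
    $names = @($names | Select-Object -Unique)
    $nameOk = $false
    foreach ($n in $names) {
        $pattern = '^' + [regex]::Escape($n).Replace('\*', '[^.]+') + '$'
        if ($HostName -match $pattern) { $nameOk = $true; break }          # -match is case-insensitive
    }
    if (-not $nameOk) { $problems += "issued for $($names -join ', '), not for $HostName" }

    # 2. Validity period
    $now = Get-Date
    if ($now -gt $Certificate.NotAfter)  { $problems += "expired $($Certificate.NotAfter)" }
    if ($now -lt $Certificate.NotBefore) { $problems += "not valid until $($Certificate.NotBefore)" }

    # 3. Chain to a root in the current user's Trusted Root store, as Internet Explorer does
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'     # keeps the check offline; IE also checks revocation
    if (-not $chain.Build($Certificate)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $problems += "chain not trusted: $status"     # UntrustedRoot = issuing CA not trusted
    }

    New-Object PSObject -Property @{
        Subject  = $Certificate.Subject
        Issuer   = $Certificate.Issuer
        Names    = ($names -join ', ')
        Problems = $(if ($problems.Count) { $problems -join '; ' } else { 'none' })
    }
}

function Get-ServerCertificate {
    param([string]$HostName, [int]$Port = 443)
    # Accept any certificate during the handshake so the certificate can be examined afterwards.
    $tcp = New-Object Net.Sockets.TcpClient($HostName, $Port)
    $accept = { $true } -as [Net.Security.RemoteCertificateValidationCallback]
    $ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Dispose(); $tcp.Close() }
}

# Live: Exercise 1's scenario, the apex name against the certificate served for the www name
Get-ServerCertificate 'www.microsoft.com' | ForEach-Object { Test-ServerCertificate $_ 'microsoft.com' } | Format-List
# Offline: a certificate exported from a server, checked against the name users type
# $cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\server.cer'
# Test-ServerCertificate $cer 'dc1.nwtraders.msft' | Format-List
```

A name mismatch with an otherwise trusted chain usually points to the first two causes in the list (wrong host name or a misconfigured server); a chain that ends in an unknown root while the name matches perfectly is the pattern to treat as possible impersonation.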
How to Identify Group Policy Restrictions
Businesses often need tight control over their users’ Web browsing, and Internet Explorer
exposes a large number of Group Policy settings for that purpose. For example, administrators
can use Group Policy settings to turn off tabbed browsing, allow pop-ups, turn off suggestions,
restrict search providers, or turn off the Favorites bar.
If a user complains that an Internet Explorer feature is not working correctly, you should
determine whether Group Policy restrictions might be responsible. You can use the Resultant
Set Of Policy tool to determine which settings have been defined for a user or computer, and
which Group Policy objects are responsible. To use the Resultant Set Of Policy tool, perform
these steps:
1. Click Start, type rsop.msc, and press Enter.
2. In the Resultant Set Of Policy window, under both Computer Configuration and User
Configuration, select the Administrative Templates\Windows Components\Internet
Explorer node.
3. As shown in Figure 4-8, the Details pane shows Internet Explorer settings that have
been defined, and which GPO defined them.
FIGURE 4-8 Resultant Set Of Policy shows which Group Policy settings have been applied
and the Group Policy object responsible
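From a command prompt, the same question can be answered by listing the policy registry keys that Internet Explorer’s Administrative Template settings write to. The following Windows PowerShell script is an added example, not part of the training kit: it walks those keys for both the computer and the current user and prints every enforced value, which is the quickest way to see why a feature is unavailable before using rsop.msc or gpresult to find the GPO responsible.

```powershell
# Added example, not from the training kit: list every Internet Explorer setting that Group
# Policy is enforcing, from the policy registry keys the IE Administrative Templates write to.
function Get-IEPolicySettings {
    $roots = @(
        'HKLM:\Software\Policies\Microsoft\Internet Explorer',
        'HKCU:\Software\Policies\Microsoft\Internet Explorer',
        'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
        'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        $scope = $(if ($root -like 'HKLM:*') { 'Computer' } else { 'User' })
        # The root key itself plus every subkey beneath it
        @(Get-Item $root) + @(Get-ChildItem $root -Recurse) | ForEach-Object {
            $key = $_
            foreach ($name in $key.GetValueNames()) {
                New-Object PSObject -Property @{
                    Scope = $scope
                    Key   = $key.Name -replace '^HKEY_(LOCAL_MACHINE|CURRENT_USER)\\Software\\Policies\\Microsoft\\', ''
                    Name  = $(if ($name) { $name } else { '(default)' })
                    Value = $key.GetValue($name)
                }
            }
        }
    }
}

$enforced = @(Get-IEPolicySettings)
if ($enforced.Count -eq 0) {
    'No Internet Explorer settings are enforced by Group Policy on this computer or user.'
} else {
    $enforced | Sort-Object Scope, Key, Name | Format-Table Scope, Key, Name, Value -AutoSize
}

# To see which GPOs applied (and therefore which one set a value), use the built-in tool:
# gpresult /r                      summary of applied GPOs for the computer and current user
# gpresult /h "$env:TEMP\rsop.html" full Resultant Set of Policy report
```

Settings that appear under the Internet Settings\Zones subkeys here are the per-zone security settings; their presence explains why the Security Settings dialog box shows those options greyed out.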
PRACTICE Troubleshoot Certificate Problems
In this practice, you troubleshoot certificate-related problems. First, you observe how Internet
Explorer responds to a certificate whose name does not match the host name you typed. Then,
you issue a certificate from an internal CA, view how Internet Explorer responds to that
certificate on a computer that does not trust the CA, and configure Internet Explorer to trust
the CA.
EXERCISE 1 Simulate an Invalid Certificate
In this exercise, you open a Web page using a host name other than the common name
specified in the SSL certificate and view how Internet Explorer handles it.
1. Open Internet Explorer. In the Address bar, type https://www.microsoft.com.
Press Enter.
Internet Explorer opens the www.microsoft.com home page using encrypted HTTPS.
Note the gold lock in the Address bar, as shown in Figure 4-9.
FIGURE 4-9 The gold lock in the address bar, which signifies that
communications with the site are encrypted and the certificate is valid
2. Click the gold lock in the address bar to display the Web site identification. Notice that
the identification page displays “www.microsoft.com,” which exactly matches the host
name you typed in the address bar.
3. In the Address bar, type https://microsoft.com. Notice that this time the host name
does not begin with “www.” Press Enter.
Internet Explorer displays the There Is A Problem With This Website’s Security
Certificate Web page. This happens because the host name in the certificate,
www.microsoft.com, does not exactly match the host name you typed in the address
bar, microsoft.com. Users would see this same error message if they attempted to visit
a site that was impersonating another site.
EXERCISE 2 Issue an Untrusted Certificate
In this exercise, you issue an internal certificate to a Web server and determine how
Windows 7 handles it both as a member of the domain and from outside the domain.
1. Connect to a Windows Server 2008 R2 AD DS domain controller in a test environment,
and log on as an administrator.
2. Click Start, click Administrative Tools, and then click Server Manager.
3. In Server Manager, click the Roles node, and then click Add Roles.
4. On the Before You Begin page, click Next.
5. On the Select Server Roles page, select Active Directory Certificate Services, and then
click Next.
6. On the Introduction To Active Directory Certificate Services page, click Next.
7. On the Select Role Services page, select Certification Authority, Certification Authority
Web Enrollment, and Online Responder. When prompted to add other services, click
Add Required Role Services. Click Next.
8. On the Specify Setup Type page, click Enterprise. Click Next.
9. On the Specify CA Type page, leave Root CA selected, and then click Next.
10. On the Set Up Private Key page, leave Create A New Private Key selected. Click Next.
11. On the Configure Cryptography For CA page, click Next.
12. On the Configure CA Name page, type the host name for your CA (such as
dc1.nwtraders.msft) and then click Next.
13. On the Set Validity Period page, click Next.
14. On the Configure Certificate Database page, click Next.
15. On the Web Server page, click Next.
16. On the Role Services page, click Next.
17. On the Confirmation page, click Install.
18. Click Close, and click Yes to restart the computer.
19. After the computer restarts, log on again. Allow Server Manager to finish completing
the installation of the server roles, and then click Close.
20. Click Start, click Administrative Tools, and then click Internet Information Services (IIS)
Manager.
21. In the Internet Information Services (IIS) Manager, click your computer.
22. Double-click Server Certificates.
23. In the Actions pane, click Create Domain Certificate.
24. On the Distinguished Name Properties page, type the full host name in the
Common Name box, such as dc1.nwtraders.msft. Type Northwind Traders in the
Organization box and type IT in the Organizational Unit box. In the City, State, and
Country boxes, provide your local information. Then, click Next.
25. On the Online Certification Authority page, click Select. Select the domain controller,
and then click OK. In the Friendly Name box, type DC1. Click Finish.
26. In the Internet Information Services (IIS) Manager, expand Sites and then click Default
Web Site. Right-click Default Web Site and then click Edit Bindings.
27. In the Site Bindings dialog box, click Add.
28. In the Add Site Binding dialog box, click the Type list and then select HTTPS. In the SSL
Certificate list, select dc1.nwtraders.msft. Click OK, and then click Close.
29. Now you have configured your domain controller as a Web server with an SSL
certificate. Open Internet Explorer. In the address bar, enter https://common_name,
where common_name is the name you entered in the certificate, such as
dc1.nwtraders.msft. Press Enter.
Internet Explorer opens the page. Notice that the gold lock icon appears in the address
bar, signifying that the SSL certificate is valid.
30. On a second computer running Windows 7 that is not a member of your domain, open
Internet Explorer. Alternatively, if you do not have a second computer, you can remove
your computer running Windows 7 from the domain temporarily. In Internet Explorer,
enter https://common_name and press Enter.
Internet Explorer displays a warning message indicating that the certificate was not
issued by a trusted CA, as shown in Figure 4-10.
FIGURE 4-10 The warning message given by Internet Explorer if it doesn’t trust
the certificate authority
Now, continue to Exercise 3 to resolve this problem.
EXERCISE 3 Trust a Certificate Authority
In this exercise, you must export your CA’s root certificate and trust that certificate on your
nondomain computer running Windows 7 so that you can open the SSL-encrypted Web site
without a warning. To complete this exercise, you must have completed Exercise 2.
1. On your domain controller, click Start, click Administrative Tools, and then click
Certification Authority. In the Certification Authority console, right-click your server
and then click Properties.
2. Click the General tab. Click Certificate #0, and then click View Certificate.
3. In the Certificate dialog box, click the Details tab. Then, click Copy To File.
4. The Certificate Export Wizard appears. Click Next.
5. On the Export File Format page, accept the default export format, and then click Next.
6. On the File To Export page, type C:\root.cer and then click Next.
7. Click Finish, and then click OK three times.
8. On your client computer running Windows 7 that is not a member of your test domain,
open Internet Explorer. In Internet Explorer, click the Tools button on the toolbar, and
then click Internet Options.
9. In the Internet Options dialog box, click the Content tab and then click Certificates.
10. In the Certificates dialog box, click the Trusted Root Certification Authorities tab and
then click Import.
11. The Certificate Import Wizard appears. On the Welcome To The Certificate Import
Wizard page, click Next.
12. On the File To Import page, click Browse. In the Open dialog box, type \\server_name\
c$\root.cer. Then click Open and click Next.
13. On the Certificate Store page, notice that the Certificate Import Wizard imports the
certificate into the Trusted Root Certification Authorities store by default. This is the
correct place. Click Next.
14. On the Completing The Certificate Import Wizard page, click Finish.
15. A Security Warning dialog box appears. Click Yes to install the certificate and then click
OK.
16. Click Close and then click OK.
17. In Internet Explorer, enter https://common_name and press Enter.
Internet Explorer opens the page. Notice that the gold lock icon appears in the
address bar, signifying that the SSL certificate is valid. Because this computer is not
a member of the AD DS domain, you had to trust the root certificate manually. Then,
all certificates issued by that CA will be trusted. If the computer had been a member
of the AD DS domain, Group Policy would have caused the computer to trust the
enterprise CA automatically.
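The same result can be checked from a script. The following PowerShell is an added example, not part of the training kit: it imports the root certificate exported in Exercise 3 into the client's Trusted Root Certification Authorities store, then confirms that a server certificate chains to that root and carries the host name users will type. The paths, the host name dc1.nwtraders.msft and the thumbprint parameter are assumptions; the server certificate file is assumed to have been saved from the Certificate dialog box, and the script must run from an elevated prompt because it writes to the LocalMachine store.

```powershell
# Added example (not from the training kit): trust an exported root CA certificate on a
# client that is not a domain member, then confirm that a server certificate chains to it
# and carries the host name the user will type. Paths and the host name are hypothetical;
# run from an elevated PowerShell prompt because the LocalMachine\Root store is written.
param(
    [string]$RootCerPath        = '\\dc1\c$\root.cer',   # root exported in Exercise 3, step 6
    [string]$ServerCerPath      = 'C:\server.cer',       # server cert saved from the Certificate dialog box
    [string]$ExpectedHostName   = 'dc1.nwtraders.msft',  # the common_name from Exercise 2
    [string]$ExpectedThumbprint = ''                     # thumbprint read off the CA console, if known
)
Add-Type -AssemblyName System.Security

$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $RootCerPath

# Check 1: a root placed in Trusted Root Certification Authorities is trusted for everything,
# so confirm out of band that this really is your CA's certificate before importing it.
if ($ExpectedThumbprint) {
    $want = $ExpectedThumbprint.Replace(' ', '').ToUpper()
    if ($root.Thumbprint -ne $want) {
        throw "Thumbprint $($root.Thumbprint) does not match the expected $want; not importing."
    }
}

# Same store the Certificate Import Wizard used in steps 10 through 15 of Exercise 3.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'Root', 'LocalMachine'
$store.Open('ReadWrite')
$store.Add($root)
$store.Close()

# Check 2: the server certificate must now build a chain that ends at that root.
$server = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ServerCerPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # a lab CA's CRL is usually unreachable from a non-domain client
if (-not $chain.Build($server)) {
    foreach ($status in $chain.ChainStatus) {
        Write-Warning "Chain problem: $($status.Status) - $($status.StatusInformation.Trim())"
    }
} else {
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    "Chain OK: '$($server.Subject)' is issued under '$($top.Subject)'"
}

# Check 3: the most common remaining error is a host name mismatch. The name the user
# types into the address bar must match the name in the certificate.
$certName = $server.GetNameInfo('DnsName', $false)
if ($certName -ne $ExpectedHostName) {
    Write-Warning "Certificate is for '$certName'; browse to https://$certName rather than https://$ExpectedHostName"
} else {
    "Host name OK: https://$certName"
}
```

Revocation checking is switched off only because a lab CA's CRL distribution point is normally not reachable from a computer outside the domain; on a production client leave the default so that revoked server certificates are rejected.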
Lesson Summary
■ Web application developers often use Internet Explorer add-ons to extend the
Web browser’s capabilities. However, some add-ons can cause reliability problems,
and others might compromise your organization’s security. Fortunately, Internet
Explorer provides tools to disable add-ons and delete ActiveX controls. If an add-on is
preventing Internet Explorer from starting, you can start Internet Explorer with all
add-ons disabled.
■ Internet Explorer restricts what Web sites on the public Internet can do to help protect
the user’s security. However, these restrictions can prevent some legitimate Web
applications from working correctly. If you encounter a Web application that does not
work correctly and you trust the Web site, you can add the Web site to the Trusted
Sites list. Sites on the Trusted Sites list receive more privileges than sites on the public
Internet, and thus are more likely to be compatible.
■ Protected Mode is one of the most important security features of Windows Internet
Explorer 8.0, and it’s available only when using Windows Vista or Windows 7. By
default, Protected Mode causes Internet Explorer to run with low privileges, which
prevents Internet Explorer (or any process started by Internet Explorer) from accessing
most resources on the computer. The user must confirm permissions if Internet
Explorer or an add-on requires elevated privileges.
■ Many Web sites use certificates to authenticate the Web server and to provide
encrypted communications. Certificates are extremely important for Web sites
that provide access to confidential information or that collect private information
from users (such as credit card numbers). The most common certificate problem is
a nonmatching server host name, which typically can be resolved by providing the
host name listed in the certificate. For servers on your intranet, users might experience
certificate problems if the computer hasn’t been correctly configured to trust the CA.
■ Group Policy gives administrators detailed control over Internet Explorer features.
If a user has a problem because a feature does not seem to be working correctly, it
might be the result of a deliberate configuration setting by administrators. To check
which Internet Explorer Group Policy restrictions are applied to a computer, run the
Resultant Set Of Policy tool (Rsop.msc). Then, browse to the Computer Configuration\
Administrative Templates\Windows Components\Internet Explorer and User
Configuration\Administrative Templates\Windows Components\Internet Explorer
nodes. The Resultant Set Of Policy tool shows all settings that have been defined and
the GPOs that define them.
Lesson Review
You can use the following questions to test your knowledge of the information in Lesson 2,
“Configuring and Troubleshooting Internet Explorer Security.” The questions are also available
on the companion CD if you prefer to review them in electronic form.
NOTE ANSWERS
Answers to these questions and explanations of why each answer choice is right or wrong
are located in the “Answers” section at the end of the book.
1. A user is attempting to visit one of the many internal Web sites run by your IT
department. The user’s shortcut is set up to use SSL by default. Today, when the user
attempted to open the page, Internet Explorer showed the user the following message:
There is a problem with this Web site's security certificate.
The security certificate presented by this Web site was issued for a different
Web site's address.
Which of the following might cause this message? (Choose all that apply.)
A. The certificate is expired.
B. An attacker is redirecting traffic to a malicious Web server.
C. Internet Explorer no longer trusts the CA that issued the certificate.
D. The Web site certificate was issued for a different host name than that stored in
the user’s shortcut.
2. Which of the following would Internet Explorer block by default (until confirmed by
a user)? (Choose all that apply.)
A. Animated GIFs
B. Background music in a Web page
C. Video embedded in a Web page
D. Viewing the source code of a Web page
3. Which of the following types of requests would the Internet Explorer Protected Mode
Compatibility Layer redirect to a virtualized location?
A. Storing a cookie
B. Storing a file in the Documents folder
C. Prompting the user to choose a file to upload to a Web site
D. Storing a file in the Temporary Internet Files folder
4. You receive a support call from a user attempting to access a Web page. The user
recently upgraded to Windows 7; previously, the user had been using Windows XP and
Internet Explorer 6.0. The Web page contains an ActiveX control, but it isn’t appearing
on the Web page for the user. Which of the following are valid ways for the user to
resolve the problem? (Choose all that apply.)
A. Right-click the page, and then click Run ActiveX Control.
B. Click the Information Bar, and then click Run ActiveX Control.
C. Add the site to the Trusted Sites list.
D. Clear the Enable Protected Mode check box in the Internet Security dialog box.
Lesson 3: Using Encryption to Control Access to Data
If an attacker has physical access to data, that person can easily circumvent operating system
security features such as NTFS file permissions. However, with encryption, you can protect
data even if it falls into the wrong hands.
Encryption makes data completely unreadable without a valid decryption key. With
encryption, attackers need access to both the data and the decryption key before they
can access your private files. Windows 7 provides two file encryption technologies: EFS (for
encrypting individual files and folders) and BitLocker (for encrypting the entire system drive).
In many environments you will need to use both together.
This lesson describes how to configure and troubleshoot EFS and BitLocker.
After this lesson, you will be able to:
■ Configure EFS, grant multiple users access to EFS-encrypted files, and back up
and recover EFS certificates.
■ Describe how BitLocker encryption differs from EFS, enable BitLocker,
and recover data on a BitLocker-encrypted volume.
Estimated lesson time: 40 minutes
Encrypting File System (EFS)
EFS is a file encryption technology (supported only on NTFS volumes) that protects files
from offline attacks such as hard disk theft. Because EFS works at the file system level, EFS is
entirely transparent to users and applications. In fact, the encryption is apparent only when
a user who doesn’t have a decryption key attempts to access an encrypted file. In that case,
the file is completely inaccessible.
EFS is designed to protect sensitive data on mobile or shared computers, which are
more susceptible to attack by techniques that circumvent the restrictions of access control
lists (ACLs) such as file permissions. An attacker can steal a computer, remove the hard disk
drives, place the drives in another system, and gain access to the stored files (even if they’re
protected by file permissions). When the attacker does not have the decryption key, however,
files encrypted by EFS appear as unintelligible characters.
In most ways, EFS in Windows 7 is exactly the same as it was in Windows XP and Windows
Vista.
NOTE VERSIONS OF WINDOWS 7 THAT DO NOT FULLY SUPPORT EFS
Windows 7 Starter, Windows 7 Home Basic, and Windows 7 Home Premium do not
support EFS.
How to Encrypt a Folder with EFS
With EFS, you can encrypt specific files and folders. To enable EFS for a folder, perform these
steps:
1. Click Start, and then click Computer.
A Windows Explorer window opens.
2. Right-click the folder you want to encrypt and then click Properties. For example, if you
want to encrypt the user’s profile, expand C:\Users\, right-click the user’s profile folder,
and then click Properties.
3. On the General tab, click Advanced.
4. In the Advanced Attributes dialog box, select the Encrypt Contents To Secure Data
check box.
5. Click OK twice.
6. In the Confirm Attribute Changes dialog box, accept the default setting to encrypt
subfolders by clicking OK.
NOTE RECOGNIZING EFS-ENCRYPTED FILES AND FOLDERS IN WINDOWS EXPLORER
In Windows Explorer, EFS-encrypted files and folders are colored green. Other users can
still browse EFS-encrypted folders, but they cannot access EFS-encrypted files.
During the encryption process, you might receive error messages saying that a file
(such as NTUSER.dat, the user registry hive) is currently in use. In addition, to prevent
users from encrypting a file that might stop the computer from starting, you cannot
encrypt any file that is marked with the System attribute. Encrypted files cannot be
compressed with NTFS compression.
NOTE EFS ENCRYPTED FILES CANNOT BE INDEXED
By default, EFS encrypted files are not indexed and will not be returned with search
results. You can enable indexing of encrypted files by opening the Indexing Options
tool in Control Panel, clicking Advanced, and then selecting the Index Encrypted
Files check box. Alternatively, you can enable the Allow Indexing Of Encrypted File
Group Policy setting at Computer Configuration\Administrative Templates\Windows
Components\Search\.
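The steps above can also be carried out with the built-in cipher.exe tool, which makes it easy to confirm that every file in the folder was actually encrypted and to see which certificates can decrypt them. The following PowerShell is an added example, not part of the training kit; it also backs up the user's EFS certificate and private key to a password-protected PFX file, the same outcome the Encrypting File System Wizard in the next section produces through its GUI. The folder and backup paths are hypothetical, and the script must run as the user whose files are being encrypted, because EFS keys belong to the individual user.

```powershell
# Added example (not from the training kit): encrypt a folder with EFS from the command
# line, confirm the result, list who can decrypt the files, and back up the EFS
# certificate and private key. Paths are hypothetical; run as the owning user.
param(
    [string]$Folder     = 'C:\Users\Contoso\Private',
    [string]$BackupPath = 'D:\Backup\efs-cert.pfx'
)
Add-Type -AssemblyName System.Security

# cipher.exe /E sets the Encrypt attribute; /S: recurses into subfolders; /A includes files.
# This is the command-line equivalent of selecting "Encrypt Contents To Secure Data".
if (-not (Test-Path $Folder)) { New-Item -ItemType Directory -Path $Folder | Out-Null }
& cipher.exe /E "/S:$Folder" /A | Out-Null

# Verify: every file and subfolder should now carry the Encrypted attribute. Files that
# cannot be encrypted (System attribute, in use such as NTUSER.dat, or on a non-NTFS
# volume) show up here instead of being silently left in clear text.
$notEncrypted = Get-ChildItem -Path $Folder -Recurse -Force |
    Where-Object { ($_.Attributes -band [IO.FileAttributes]::Encrypted) -eq 0 }
if ($notEncrypted) {
    Write-Warning 'The following items are NOT encrypted:'
    $notEncrypted | ForEach-Object { Write-Warning "  $($_.FullName) [$($_.Attributes)]" }
} else {
    "All items under $Folder are EFS-encrypted."
}

# cipher /C shows, per file, the user certificates and recovery agents that can decrypt it.
# Use it to confirm that a second user or a data recovery agent was really added.
& cipher.exe /C $Folder

# Back up the EFS certificate. It is the certificate in the user's Personal store that
# carries the Encrypting File System enhanced key usage (OID 1.3.6.1.4.1.311.10.3.4).
$efsOid = '1.3.6.1.4.1.311.10.3.4'
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'My', 'CurrentUser'
$store.Open('ReadOnly')
$efsCert = $store.Certificates | Where-Object {
    if (-not $_.HasPrivateKey) { return $false }
    $eku = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # Enhanced Key Usage extension
    $eku -and (($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $efsOid)
} | Select-Object -First 1
$store.Close()

if (-not $efsCert) {
    throw 'No EFS certificate with a private key was found; Windows creates one the first time a file is encrypted.'
}

# Export WITH the private key: a backup of the certificate alone cannot decrypt anything.
# Store the PFX away from the computer it protects and keep the password separately.
$password = Read-Host -AsSecureString 'Password to protect the PFX backup'
$bytes = $efsCert.Export('Pfx', $password)
[IO.File]::WriteAllBytes($BackupPath, $bytes)
"Backed up EFS certificate $($efsCert.Thumbprint) to $BackupPath"
```

The export uses the .NET certificate classes rather than cipher /X so that the thumbprint of the backed-up certificate is printed and can be matched against the "Encrypted by" entry that cipher /C shows for the files.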
How to Create and Back Up EFS Certificates
EFS uses certificates to encrypt and decrypt data. If you lose an EFS certificate, you will be
unable to decrypt your files. Therefore, it is extremely important to back up EFS certificates.
The backup tools built into Windows automatically back up your certificates. In addition,
Windows 7 provides a wizard interface for manually creating and backing up EFS certificates.
To use the interface, perform these steps:
1. Click Start, and then click Control Panel.
2. Click the User Accounts link. Then, click the User Accounts link again.
3. In the left pane, click the Manage Your File Encryption Certificates link.
The Encrypting File System Wizard appears.
4. On the Manage Your File Encryption Certificates page, click Next.
5. On the Select Or Create A File Encryption Certificate page, as shown in Figure 4-11,
select Use This Certificate if an EFS certificate already exists (Windows 7 automatically
generates a certificate the first time a user encrypts a file) and you want to back it up.
To select a different certificate than the default, click Select Certificate. If you want to
generate a certificate manually, select Create A New Certificate.
FIGURE 4-11 Using the Encrypting File System Wizard to back up EFS certificates
6. If you are creating a new certificate, the Which Type Of Certificate Do You Want To
Create? page appears. If you want to use a smart card to store the certificate, insert
your smart card and select A Self-Signed Certificate Stored On My Smart Card. If your
domain has an enterprise CA available, select A Certificate Issued By My Domain’s