How Secure Is Internet Explorer?

Security zones

Without a doubt, one of Internet Explorer's most powerful enterprise features is its ability to change browser functionality and security settings based on five different security zones: Internet, Local intranet, Trusted sites, Restricted sites, and Local Computer. Most other browsers don't have the concept of security zones or only allow limited per-site exceptions, essentially creating two zones. Any nonlocal Web site is launched in the Internet zone by default, unless the user places the site into a more trusted zone. Each security zone can be paired with a particular security level (High, Medium-High, Medium, Medium-Low, Low, and custom). Some zones cannot be paired with particular security levels. For example, the Internet zone cannot be placed in a security level lower than Medium.

Zones not only allow custom control over dozens of security settings but also play a role in keeping Internet content from exploiting a system. By default, executables downloaded from the Internet zone cannot automatically run in the Local Computer (the most trusted) zone. ActiveX controls intended to be launched only in the browser can execute only in the browser. By the same token, ActiveX controls intended for Local Computer execution cannot be launched via the browser. This prevents malicious Web sites from using installed ActiveX controls in malicious ways.
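As an added example (not code from the article or from Microsoft), the PowerShell audit below reads the current user's zone configuration from the registry keys Internet Explorer uses for these settings and flags the two conditions the paragraphs above describe: an Internet zone template weaker than Medium, and sites that have been explicitly moved into a more trusted zone. The key layout under Internet Settings\Zones and ZoneMap\Domains and the CurrentLevel template values are the standard ones for IE; the assumption to check in your environment is which hive holds the effective data, since the "use only machine settings" policy moves it from HKCU to HKLM.

```powershell
# Added audit example, not from the article: enumerate IE security zones for the
# current user and flag weak configurations. Assumes the standard per-user layout
# under HKCU:\...\Internet Settings. If the "Security Zones: Use only machine
# settings" policy is enforced, point $base at the HKLM equivalent instead.

$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

$zoneNames = @{ 0 = 'Local Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

# CurrentLevel values written by the built-in templates; anything else is a custom level.
$levelNames = @{ 0x10000 = 'Low'; 0x10500 = 'Medium-Low'; 0x11000 = 'Medium'; 0x11500 = 'Medium-High'; 0x12000 = 'High' }
$levelOrder = @('Low', 'Medium-Low', 'Medium', 'Medium-High', 'High')   # weakest first

$findings = New-Object System.Collections.Generic.List[string]

foreach ($id in 0..4) {
    $key = Join-Path $base "Zones\$id"
    if (-not (Test-Path $key)) { continue }
    $level = (Get-ItemProperty -Path $key).CurrentLevel
    if ($null -eq $level) { $label = 'not set' }
    elseif ($levelNames.ContainsKey([int]$level)) { $label = $levelNames[[int]$level] }
    else { $label = 'custom (0x{0:X})' -f [int]$level }

    '{0,-16} {1}' -f $zoneNames[$id], $label

    # The Internet zone (id 3) must stay at Medium or stricter.
    $rank = $levelOrder.IndexOf($label)
    if ($id -eq 3 -and $rank -ge 0 -and $rank -lt $levelOrder.IndexOf('Medium')) {
        $findings.Add("Internet zone is at '$label'; Medium is the floor")
    }
    if ($id -eq 3 -and $label -like 'custom*') {
        $findings.Add('Internet zone uses a custom level; review its individual settings')
    }
}

# Site-to-zone assignments: Domains\example.com\www holds values named by scheme
# ('http', 'https' or '*') whose DWORD data is the zone id the site was placed in.
$domains = Join-Path $base 'ZoneMap\Domains'
if (Test-Path $domains) {
    Get-ChildItem -Path $domains -Recurse | ForEach-Object {
        # Rebuild the host name from the key path: Domains\example.com\www -> www.example.com
        $rel = $_.Name.Substring($_.Name.IndexOf('\Domains\') + 9)
        $labels = $rel -split '\\'
        [array]::Reverse($labels)
        $site = $labels -join '.'
        foreach ($scheme in $_.GetValueNames()) {
            $zone = [int]$_.GetValue($scheme)
            '{0} ({1}) -> {2}' -f $site, $scheme, $zoneNames[$zone]
            # A site promoted all the way into Local intranet or Local Computer gets
            # the privileges the article says Internet content must never have.
            if ($zone -le 1) { $findings.Add("$site is mapped to $($zoneNames[$zone])") }
            elseif ($zone -eq 2) { $findings.Add("$site is in Trusted sites; confirm it belongs there") }
        }
    }
}

''
if ($findings.Count -eq 0) { 'No zone findings.' }
else { 'Findings:'; $findings | ForEach-Object { " - $_" } }
```

Run it in the user's session to see the per-user view; in a managed environment compare the result against what Group Policy is supposed to deliver, since a discrepancy between the two is itself worth investigating.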

IE has always had good cryptography support. IE's default SSL/TLS (Secure Sockets Layer/Transport Layer Security) cipher suites aren't as strong as those of Firefox and Opera. However, IE was one of the first browsers to support AES (Advanced Encryption Standard), EV (Extended Validation) certs, server revocation checking, ECC (Elliptic Curve Cryptography), and OCSP (Online Certificate Status Protocol), and it is the only browser to allow the enforcement of the U.S. government's Federal Information Processing Standards (FIPS) ciphers. Not only is IE very "in your face" about certificate errors, but administrators can prevent end-users from visiting Web sites without valid digital certificates.

IE passed all of my Web browser security tests and scored in the middle on the remote password-handling tests. Local password handling was excellent; passwords are never revealed, and they are securely stored. Like the other leading browsers I tested (Firefox, Chrome, Opera, and Safari), IE didn't allow any malware to be silently installed from real-life malicious sites, and in most cases, it was very vocal about Web sites trying to install malware. Unfortunately, it too eventually got overwhelmed by the most malicious DoS Web site in my tests, and the browser had to be restarted. It should be noted that IE lasted more than a minute before succumbing to the DoS attack; in contrast, most browsers fell in less than 30 seconds, and some required complete system reboots.

IE has no peer in enterprise deployment features. Using the Internet Explorer 8 Deployment Guide, administrators can deploy and configure more than 1,300 IE-related settings via Active Directory Group Policy or the Internet Explorer Administration Kit. It is the only browser in the review to support Kerberos authentication over the Web.

IE's popularity makes it the most attacked Web browser by far, and its support of ActiveX controls has invited many exploits that are not possible on other browsers. But IE's mature security granularity, security zones, and deep enterprise features back up its acceptance in the enterprise.
