Browser Configuration Policy

Version: 1.00    Issue Date: 11/10/2014

1.0 Overview

Given the current state of computer security and the number of internet browser vulnerabilities, it is important to configure internet browsers to prevent security intrusions on today's computers and networks.

2.0 Purpose

This Browser Configuration Policy is designed to provide a secure environment by standardizing internet browser configurations using a secure configuration.

3.0 Scope

This Browser Configuration Policy applies to all employees and personnel who use internet browsers on the organizational network or connect to the organizational network. Personnel includes contractors, consultants, and temporary employees. This policy covers the configuration of all internet browsers. Exceptions to this policy may be granted based on business need, such as when access to a required website is not possible using the standard configuration. Exceptions will be requested through the help desk and approved by the manager of the network. This policy is effective as of the issue date and does not expire unless superseded by another policy.

4.0 Definitions

  • Browser extension, Browser helper object (BHO), Plug-in - A software program that can be added to an internet browser which can add a function to the internet browser.

5.0 Policy Description

The rest of this policy describes the browser chosen for use by the organization and its standard configuration. If a Windows domain is used on the organizational network, the browser configuration should be enforced using domain group policy.

6.0 Internet Browser Choice

The organization must choose which internet browser program will be the standard program. Allowing multiple browser programs to be used would tend to increase the security risk unless the users of a non-standard browser are computer experts who understand how attackers may attempt to infect their machines through the internet browser.

At the time of this writing the two main browser programs are Internet Explorer version 7 from Microsoft and Mozilla Firefox version 2. Considering the track record of both browsers, my personal preference is currently Firefox; however, it would not be surprising if more exploits against Firefox are utilized and more vulnerabilities exposed as its use increases. Therefore, the important objective is setting the configuration of the chosen browser to prevent security breaches and training users to be aware of how they can be exploited by attackers. I have seen Firefox configured by default in earlier versions to be very insecure.

The Firefox browser does not support ActiveX code, which is used by some websites and may be required for navigation or other features. There is a plug-in that can be downloaded so Firefox will support ActiveX code. However, ActiveX uses an insecure security model, relying on a combination of digital signatures to validate the source of the code and the user's judgement as to whether the source of the ActiveX code can be trusted. Therefore, it may be best not to run ActiveX for most users.

Considering current trends in cross site scripting attacks and injection of links to hostile code into web pages of many sites, it is strongly recommended that internet browsers be configured to only run code on trusted sites.

7.0 Internet Browser Configuration

The internet browser configuration will determine what software can be run on the browser including what plug-in programs and what script programs. It will also specify how long web page history, cookies, and cache are retained. Specify:

  • Allowed plug-ins for the browser such as Flash, Shockwave, Windows Media, and Quicktime.
  • Allowed script and executable programs which may run in the browser, such as JavaScript, Java, and ActiveX.
  • The conditions under which programs such as JavaScript, Java, or ActiveX may be allowed to run in the browser. For instance, ActiveX controls may be digitally signed, and the rule may be set so that the user is given the choice of whether or not to run a control that is digitally signed. In any event, ActiveX controls should not be run unless they are digitally signed. Some browsers can also limit the actions such programs may perform in the browser, but these options vary from browser to browser and will depend on the browser chosen.
  • All browsers should be configured not to remember user IDs or passwords.

Some users may be limited to being able to only access specific websites but this ability would be controlled by a web proxy server or a surf control device.
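As an added example (not part of the original policy document), the following PowerShell script audits the current user's Internet Explorer "Internet" zone and AutoComplete settings against the requirements of this section. The registry value names are Internet Explorer's standard zone-action names; the required values are this editor's mapping of the policy wording (unsigned ActiveX disabled, signed ActiveX prompted, active scripting off in the Internet zone so that it runs only on Trusted Sites, no remembered passwords), and the HKCU paths assume the audit is run as the user being checked.

```powershell
# Added example, not the organization's own tooling. Audits IE Internet zone
# (zone 3) and password AutoComplete against section 7.0 of this policy.
# Zone action values: 0 = Enable, 1 = Prompt, 3 = Disable. A missing value
# means the browser default applies and is reported as non-compliant here.
# Under domain group policy the same value names live beneath
# HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
# and that path can be substituted for $zone.

$zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$main = 'HKCU:\Software\Microsoft\Internet Explorer\Main'

# Required zone actions: this editor's interpretation of the policy text.
$rules = @(
    @{ Name = '1004'; Want = 3; Desc = 'Download unsigned ActiveX controls' },
    @{ Name = '1001'; Want = 1; Desc = 'Download signed ActiveX controls (prompt)' },
    @{ Name = '1201'; Want = 3; Desc = 'Initialize/script ActiveX not marked safe' },
    @{ Name = '2004'; Want = 3; Desc = 'Run components not signed with Authenticode' },
    @{ Name = '1400'; Want = 3; Desc = 'Active scripting (Internet zone; allow on Trusted Sites only)' }
)

function Get-ZoneFinding {
    param([string]$Path, [hashtable]$Rule)
    # Returns $null when the key or value is absent instead of throwing.
    $actual = Get-ItemPropertyValue -Path $Path -Name $Rule.Name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Setting   = $Rule.Desc
        Required  = $Rule.Want
        Actual    = $actual
        Compliant = ($actual -eq $Rule.Want)
    }
}

$findings = @($rules | ForEach-Object { Get-ZoneFinding -Path $zone -Rule $_ })

# "All browsers should be configured not to remember user IDs or passwords."
$pw = Get-ItemPropertyValue -Path $main -Name 'FormSuggest Passwords' -ErrorAction SilentlyContinue
$findings += [pscustomobject]@{
    Setting   = 'Remember passwords (FormSuggest Passwords)'
    Required  = 'no'
    Actual    = $pw
    Compliant = ($pw -eq 'no')
}

$findings | Format-Table -AutoSize

# Non-zero exit lets a login script or monitoring job flag the workstation.
if ($findings | Where-Object { -not $_.Compliant }) { exit 1 }
```

Run it from a login script or a scheduled task and collect the exit code centrally to find workstations that have drifted from the standard configuration.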

8.0 Enforcement

Since secure internet browsing is very important to the security of the organization, individuals that this Browser Configuration Policy applies to may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal if they violate this policy. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.

Approval

Approved by:__________________________ Signature:_____________________ Date:_______________