
Windows Hardening Expert Advice

01 Aug 2006

Advice for securing Windows

Security risks in IE 6

I want to take a step back from IE7 and start running IE6 again, but am concerned about the security risks. What do I need to worry about in IE6 that I do not need to worry about in IE7? What steps should I take to limit security risks during such a switch?

As far as what you should consider from IE 6 that IE 7 might take off your mind:

  • IE 6 doesn't run in low privilege mode, so adware and spyware can infiltrate more easily.
  • There is no phishing filter in IE 6, nor are there any obvious warning signs when you're about to enter a phishing site.
  • IE 6 doesn't have tabs out of the box. (Not security related, but it's certainly a convenience factor.)

Make sure you have an antivirus solution installed, watch out for sites that can give you spyware (a popup blocker is necessary here to prevent some automated installs) and check your zone settings to make sure the Internet isn't a trusted place. Or, better yet, install Firefox until you're ready to return to IE 7.



Click here to view questions and answers from all of our Windows security experts.
Click here to pose your own question to Jonathan Hassell.



How do I disable Microsoft Firewall?

I am now running AOL 9.0 SE but my McAfee Firewall tells me that I must remove Microsoft Firewall. Where & how can I find this file & remove it?

Open Control Panel, double-click on Windows Security Center, and disable the firewall from there. You don't need to actually remove it.



Managing folders and files on a network share

I am trying to prevent users from deleting and moving folders and files on a network share. They should only be able to create, read, execute and write files and folders.

I have already created the group and deny delete and delete subfolder and files. This option is not working for me.

Once the deny delete and delete subfolder is applied

  1. Users cannot delete files and folders ("First task accomplished").
  2. Users cannot move a folder into another folder ("Second task accomplished"). However, it creates an empty folder with the same name as the source folder inside the destination folder. This cannot be deleted and creates confusion for the user, who starts filing in the wrong location.
  3. All files created under the share respond to the deny option; however, it's not possible to create Excel files. Error message: cannot save the "file name". The folder is marked as read-only.
  4. Users cannot move or delete files inside the share, but they can create copies on their desktops. For security, could this be controlled?

Let me address your issues as best I can. To be honest, it sounds like things are largely performing as you wanted.
  1. This is expected behavior. You mentioned you don't want users deleting folders and files, so I assume this is the way you want this to behave.
  2. Moving a folder is effectively a delete operation with a second create operation (delete the folder at the old destination and recreate it at the new destination), so this won't work with your permissions set the way they are. Of course, this sounds like expected behavior, since you don't want users deleting folders.
  3. Are Excel files the only files that respond in this way when you're trying to save them?
  4. You can't really control copying data from the server if a user has read access to it. You would essentially have to remove any writeable areas on the local computer, which isn't practical.

In the future, the RSoP tools in Windows Server 2003 are very helpful at diagnosing permission oddities and figuring out exactly what effect a permissions change will have on your users. You don't mention if you're using Windows Server 2003, so I can't officially recommend that route, but other users will likely find the tool useful.
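
The move behaviour from item 2 above, reproduced in a small Python model. This is an added example, not part of the original Q&A: the access check is reduced to deny-over-allow, a single "delete" right stands in for both Delete and Delete Subfolders and Files, and the group, folder and file names are constructed.

```python
# Simplified model (added example): NTFS-style access check plus a folder move
# done the way the answer describes it: create at the destination, then delete
# at the source. Group, folder and file names are constructed.
READ, WRITE, CREATE, DELETE = "read", "write", "create", "delete"

class Folder:
    def __init__(self, name, acl, parent=None):
        self.name, self.acl, self.parent = name, acl, parent
        self.children, self.files = {}, set()
        if parent is not None:
            parent.children[name] = self

def allowed(folder, groups, right):
    """Deny ACEs win over allow ACEs; a right nobody grants is refused."""
    aces = [a for a in folder.acl if a[1] in groups and right in a[2]]
    if any(kind == "deny" for kind, _, _ in aces):
        return False
    return any(kind == "allow" for kind, _, _ in aces)

def move_folder(src, dest_parent, groups):
    """Return a log of the steps taken; stop at the first refused step."""
    log = []
    if not allowed(dest_parent, groups, CREATE):
        return log + ["create refused"]
    # The new folder inherits the parent's ACL, including the deny entry.
    copy = Folder(src.name, dest_parent.acl, dest_parent)
    log.append("created " + dest_parent.name + "/" + copy.name)
    # Assumption of this model: delete access is checked before any file moves.
    if not allowed(src, groups, DELETE):
        return log + ["delete of source refused, move aborted"]
    copy.files, src.files = src.files, set()
    del src.parent.children[src.name]
    return log + ["moved"]

def demo():
    # Constructed ACL: a broad allow entry plus the deny entry from the question.
    share_acl = [("allow", "ShareUsers", {READ, WRITE, CREATE, DELETE}),
                 ("deny", "ShareUsers", {DELETE})]
    share = Folder("share", share_acl)
    reports = Folder("reports", share_acl, share)
    reports.files = {"q1.txt"}
    archive = Folder("archive", share_acl, share)
    log = move_folder(reports, archive, {"ShareUsers"})
    leftover = archive.children["reports"]
    can_delete = allowed(leftover, {"ShareUsers"}, DELETE)
    return log, leftover.files, can_delete, reports.files
```

In this model the create half of the move succeeds and the delete half is refused, so the destination is left holding an empty folder that the same users cannot remove, while the source stays where it was.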






Managing user rights in Group Policy

I have a project and don't know how to approach it. We have a special user that needs administrator rights but I don't want him to have access to download programs or software when he is logged on to the domain. I can give him local admin rights but when he logs on to the domain I want to override his permission so he is not able to download any programs. Is there a way to do this?

To my knowledge you can't do this with the functionality included within Group Policy. You also don't mention the version of Windows you're using on the client. If it's Windows XP, you could consider establishing a software restriction policy that eliminates Internet Explorer use, but he could still bring an FTP program in on, say, a USB key and install from that medium. You may need to investigate third-party software for this particular need.


All Rights Reserved, Copyright 2004 - 2008, TechTarget