• Status: Solved

Locking down IE via registry

I know there has to be a good list of registry lockdowns somewhere to help stop spyware, etc, I just can't find them.  Does anyone have a comprehensive list?
0
TASINetwork
Asked:
1 Solution
 
DVation191 Commented:
TASINetwork,
This particular program was designed to stop spyware in IE through the registry.

RegFreeze
http://www.scanwith.com/download/RegFreeze.htm
Most spyware changes your browser's start page or search page. RegFreeze is intended to prevent the destructive consequences of spyware. RegFreeze's primary objective is to prevent any important preferences (such as your browser's start page etc.) from being changed without your knowledge.
RegFreeze detects changes in a timely manner and notifies you about them (or, if an automatic mode is enabled, processes changes automatically).


Of course other spyware programs, like SpySweeper for instance and Microsoft's Anti Spyware program will both monitor system changes (like new IE plug ins or start up items) and ask you if you want to allow it before it gets a chance to infect your machine. Evaluate each product to see which product fits your needs the best.

Hope this helps.
0
 
Phil_Agcaoili Commented:
I don't think this list of IE-based registry security measures exists because software is available to proactively prevent and detect spyware/adware such as Microsoft AntiSpyware, the security settings in IE's Tools-->Internet Options--> Security & Privacy tabs AND...

Firefox and Mozilla prevent a majority of the spyware/adware threat because they are designed more securely and do not have the added Microsoft IE features that have historically been the weak point through which spyware defeats Internet Explorer.

If you look around, default protection from spyware/adware is one of the reasons why Firefox has quickly gained Browser market share over IE in the past year.

Also, Microsoft is about to release a badly needed security update for IE this Summer to address the spyware/adware threat and tighten IE's overall security. Consider the release similar to XP SP2 on the depth of security changes made to the browser.

What you're asking for is equivalent to asking for registry lock down information to protect from Antivirus...
That's what A/V software is for.

Viruses attack flaws in the OS.
-Antivirus and system patching are the preventative tools to eradicate [most] malware.
Spyware attacks flaws in the Browser.
-Antispyware and system patching are the preventative tools to eradicate [most] spyware.

HTH.
0
 
Rich Rumble (Security Samurai) Commented:
The way to stop spy-ware is to block certain activeX controls- primarily.... there are utilities that can give you a list of well known activeX controls to disallow, and this is done in the registry. But the best way to stop spy-ware is to eliminate activeX altogether, I recommend switching to a different browser such as firefox, opera or mozilla.

http://www.spywareguide.com/blockfile.php
http://support.microsoft.com/kb/240797

These methods do work, for known spy-ware, but are a poor substitute for security... activeX should have better controls and security in place, but M$ refuses to lock it down, but they do have a good spy-ware program company they purchased, still ad-aware and spy-bot find lots that M$'s tool misses, and vice versa... IE should be replaced with a better more standards-compliant browser such as FireFox.

This doesn't stop some JS pop-ups or other types but should keep most software from installing without consent.
-rich
0

 
TASINetwork (Author) Commented:
Firefox is not an option for me.  It breaks too many things (especially ActiveX content).  Even recommended settings in IE would help (I can then try and track down the reg keys for them).

This is NOT like a reg lockdown for an antivirus.  It is part of a multilayered approach (more similar to having AV to stop known viruses and prohibiting the download of any executable and disabling scripting).

My multilayer setup so far is:
SpySweeper
SpyBot S&D
SpywareBlaster
Then I want to lockdown IE to help stop spyware in the wild.
0
 
Rich Rumble (Security Samurai) Commented:
As indicated, you either have to use the "kill-bit" activex controls method http://support.microsoft.com/kb/240797 and hope that a site like http://www.spywareguide.com/blockfile.php can keep up, or you disable activex scripting controls. M$'s spy-ware program can aid in this as well but it is not very good at doing much in my opinion with regard to prevention. It does a good job of clean up like most of the others out there.
http://www.compu-docs.com/activex.htm
http://www.microsoft.com/athome/security/spyware/software/default.mspx
http://bookofhook.com/phpBB/viewtopic.php?t=387
-rich
0
 
Phil_Agcaoili Commented:
I agree with rich, the spywareguide blockfile is the most up to date place for this and the kill bit is the best approach.

Since you need ActiveX and IE, you're stuck with its overall security and the security changes that they are incorporating *may help you.

"Gates announced Internet Explorer 7.0, designed to add new levels of security to Windows XP SP2 while maintaining the level of extensibility and compatibility that customers have come to expect. Internet Explorer 7.0 will also provide even stronger defenses against phishing, malicious software and spyware. The beta release is scheduled to be available this summer."

http://www.microsoft-watch.com/article2/0,1995,1776290,00.asp

0
 
Phil_Agcaoili Commented:
ActiveX security relies entirely on human judgement. ActiveX programs come with digital signatures from the author of the program and anybody else who chooses to endorse the program.

Think of a digital signature as being like a person's signature on paper. Your browser can look at a digital signature and see whether it is genuine, so you can know for sure who signed a program. (That's the theory, at least. Things don't always work out so neatly in practice.)

Once your browser has verified the signatures, it tells you who signed the program and asks you whether or not to run it. You have two choices: either accept the program and let it do whatever it wants on your machine, or reject it completely.

ActiveX security relies on you to make correct decisions about which programs to accept. If you accept a malicious program, you are in big trouble.

The main danger in ActiveX is that you will make the wrong decision about whether to accept a program. One way this can happen is that some person you trust turns out not to deserve that trust.

The most dangerous situation, though, is when the program is signed by someone you don't know anything about. You'd really like to see what this program does, but if you reject it you won't be able to see anything. So you rationalize: the odds that this particular program is hostile are very small, so why not go ahead and accept it? After all, you accepted three programs yesterday and nothing went wrong. It's just human nature to accept the program.

Even if the risk of accepting one program is low, the risk adds up when you repeatedly accept programs. And when you do get the one bad program, there is no limit on how much damage it can do.

The only way to avoid this scenario is to refuse all programs, no matter how fun or interesting they sound, except programs that come from a few people you know well.

Who has the self-discipline to do that?
0
 
TASINetwork (Author) Commented:
You all are missing the whole point entirely.  Yes, I know that you need a good anti-spyware program, but I also know that you need to lock down the settings to help minimize your attack surface for those threats that the anti-spyware programs do not have detection for yet.  IE 7.0 is still a little ways out, so I need something now.  Even something like set this to prompt and that to disable is at least a start...
0
 
Rich Rumble (Security Samurai) Commented:
0
 
DVation191 Commented:
"RegFreeze's primary objective is to prevent any important preferences (such as your browser's start page etc.) from being changed without your knowledge."
Is that not exactly what you asked for? A way of locking IE settings so spyware can't change them??
0
 
Rich Rumble (Security Samurai) Commented:
No, he wanted to know what settings in the registry needed to be changed to keep spy-ware from getting on machines easily. The activeX controls in IE's zones are the place to set them, as activeX accounts for 99% of the infection method for spyware.
-rich
0
 
DVation191 Commented:
But he already has that taken care of with SpywareBlaster, doesn't he? That's what the program does...automatically locks out the activex controls of spyware.
0
 
Phil_Agcaoili Commented:
TASINetwork,

I'm the voice of reason, so...

What you're missing is that what you are asking for does not exist today.

If you build something to do this, share it and we'll see how it does compared to the current tools to prevent exactly what you're asking to do.

The proactive tools currently available are the ones rich and I supplied above.

HTH.
0
 
TASINetwork (Author) Commented:
I'm going with richrumble's answer.  There are more ways to lockdown a PC from spyware besides activex kill bits (blocking unsigned controls, prompting on other stuff, and disabling others).  This works in addition to kill bits, but kill bits only block certain existing spywares, and won't do anything at all for anything new.  Some of the other things that I do in general are to lock down every autorun section of the PC so a standard user has read only and only an admin can modify (this helps a bit too).
0
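
Added example, not part of the original thread: a PowerShell sketch of the two registry mechanisms discussed above, the per-control kill bit from KB 240797 and the Internet-zone ActiveX actions (prompt on signed, disable unsigned and not-marked-safe). The function names are hypothetical, the CLSID is a placeholder rather than a real control, and the URL action numbers and the 0x400 flag come from Microsoft's documentation, not from the posts.

```powershell
# Added example. Run elevated: the kill-bit key lives under HKLM.
# URL action data: 0 = enable, 1 = prompt, 3 = disable.
$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'  # 3 = Internet zone
$ZonePolicy = [ordered]@{
    '1001' = 1   # Download signed ActiveX controls        -> prompt
    '1004' = 3   # Download unsigned ActiveX controls      -> disable
    '1201' = 3   # Init/script controls not marked safe    -> disable
}
$KillBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBit     = 0x400   # "Compatibility Flags" bit described in KB 240797
# Placeholder CLSID, not a real control: substitute entries from a block list.
$BlockedClsids = @('{00000000-0000-0000-0000-000000000000}')

function Get-Dword($Path, $Name) {
    # Returns $null when the key or the value does not exist.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Set-Dword($Path, $Name, $Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
}

function Set-IeActiveXLockdown([switch]$AuditOnly) {
    foreach ($action in $ZonePolicy.Keys) {
        $want = $ZonePolicy[$action]
        $have = Get-Dword $ZoneKey $action
        if ($have -ne $want) {
            Write-Output "Zone 3 action ${action}: '$have' should be $want"
            if (-not $AuditOnly) { Set-Dword $ZoneKey $action $want }
        }
    }
    foreach ($clsid in $BlockedClsids) {
        $key   = "$KillBitRoot\$clsid"
        $flags = [int](Get-Dword $key 'Compatibility Flags')
        if (($flags -band $KillBit) -eq 0) {
            Write-Output "Kill bit missing for $clsid"
            # OR the bit in so any other compatibility flags are preserved.
            if (-not $AuditOnly) { Set-Dword $key 'Compatibility Flags' ($flags -bor $KillBit) }
        }
    }
}

Set-IeActiveXLockdown -AuditOnly   # report drift only; drop -AuditOnly to enforce
```

The zone values here are per-user (HKCU), so software running as that user can change them back; re-running the audit shows the drift. On 64-bit Windows, 32-bit IE reads kill bits from the matching key under `SOFTWARE\Wow6432Node`.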
