Web Browser Secure Settings

It is becoming increasingly popular for attackers to compromise computers through vulnerable web browsers. An insecure web browser can lead to spyware being installed on your computer without your knowledge, attackers taking control of your computer, stealing your information, or even using your computer to attack other computers.

The set-up configuration for many web browsers is not secure by default. The InCHIP IT Security Team recommends the following steps to help make your web browser more secure. These settings are especially important if you use your browser to access campus business systems, or if you use your browser to access, send or receive sensitive information.

Important: InCHIP IT supports the following browsers: Firefox, Safari and Internet Explorer.

  • Set Firefox as your default browser
  • Keep your browsers up to date
  • Enable automatic updates for your browser
  • Block pop-ups, plug-ins and phishing sites
  • Set your browser not to store passwords. If you do store passwords in your browser, use a master password that conforms to the InCHIP IT Password Standards. Please see below for restrictions for passwords that provide access to restricted data.
  • Disable third-party cookies
  • Browser-specific settings:
    • Firefox: install the NoScript add-on
    • Safari: disable Java
    • IE: set up security zones

(Instructions for all these settings are in the table below.)

Important note: While making your browser more secure helps reduce the risk that someone will be able to use it to compromise your computer, it is still important to have safe computing habits so attackers get fewer chances to try. Don’t click on unknown or unsolicited links or open unexpected attachments. Don’t download files, programs or tools unless you are positive they are safe.


Choose your browser:

Firefox

Setting the default browser

On a Mac, go to:

  Firefox menu >
    Preferences >
      Advanced >
        General tab.

On a PC, go to:

  Tools menu >
    Options >
      Advanced.

Check the box “Always check to see if Firefox is default browser on startup”.


Auto-download updates

On a Mac, go to:

  Firefox menu >
    Preferences >
      Advanced >
        Update tab.

On a PC, go to:

  Tools menu >
    Options >
      Advanced >
        Update tab.

Check all checkboxes and select “Automatically install…” & “Warn me…”.


Block unwanted pop-ups

On a Mac, go to:

  Firefox menu >
    Preferences >
      Content.

On a PC, go to:

 
  Tools menu >
    Options >
      Content. 

Make sure the first two boxes are checked (Block pop-ups & Load images).


Block unwanted plugins/phishing

On a Mac, go to:

  Firefox menu >
    Preferences >
      Security.

On a PC, go to:

  Tools menu >
    Options >
      Security. 

Check the top three boxes that start with “Tell me…” and “Block…”.


Set your browser to not save passwords

On a Mac, go to:

  Firefox menu >
    Preferences >
      Security.

On a PC, go to:

  Tools menu >
    Options >
      Security. 

Uncheck the “Remember passwords…” box.


Using a master password

On a Mac, go to:

  Firefox menu >
    Preferences >
      Security.

On a PC, go to:

  Tools menu >
    Options >
      Security.

Check the “Remember passwords…” & “Use a master password” boxes.
Then set the password, using 8-12 characters (numbers/letters) to 80-100% quality.
Note: The master password setting is not appropriate for passwords that provide access to restricted data.
See the Password Standards for additional information and alternatives.


Java/javascript

On a Mac, go to:

  Firefox menu >
    Preferences >
      Content.

On a PC, go to:

  Tools menu >
    Options >
      Content. 

Check the “Enable Javascript” box and then click the Advanced button for Javascript. Make sure none of the boxes are checked.


Handling cookies*

On a Mac, go to:

  Firefox menu >
    Preferences >
      Privacy.

On a PC, go to:

  Tools menu >
    Options >
      Privacy.

Check the “Tell websites…” box under Tracking.


Additional suggestions

Use NoScript (strongly recommended) and Locationbar2 (optional) add-ons.
How to install security add-ons for Firefox:

(For both Mac & PC) Tools menu > Add-ons

Select the “Get Add-ons” button. Type “noscript” in the search field, then Install and restart Firefox. You should see an “S” icon in the bottom right of the browser window. Right-click on this icon and select “Options”. Select the Appearance tab and uncheck the “allow scripts globally” box. Now it will warn you when unknown scripts are on websites you visit. You can right-click the icon to approve ones that you trust. Follow the same install steps for Locationbar2 (optional).

NoScript – Since JavaScript is a very powerful programming language, it allows savvy attackers to attack your machine just by embedding scripts into a web site. NoScript allows you to control what each script can do and make a choice as to which scripts should run and which should not. Additionally, NoScript will also block Java programs and Flash.

LocationBar2 – Locationbar2 helps users to overcome a technique used by attackers called “URL obfuscation” in which the attacker hides a bad web link inside one that looks familiar to you. Locationbar2 makes it a lot easier to see EXACTLY where you are navigating to.
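To make the “URL obfuscation” idea concrete, the following added example (not part of the original page and not LocationBar2's code) parses a link and reports the host the browser will really contact, with flags for common disguises. The function name `inspectLink`, the flag names and every sample link are constructed for illustration; `example.edu` stands in for the site you expect to reach.

```javascript
// Added example: all links below are constructed; example.edu is a placeholder
// for the site the user believes they are visiting (an assumption).
function inspectLink(href, expectedDomain) {
  const url = new URL(href);
  const host = url.hostname;               // the host the browser will contact
  const flags = [];

  // Text before "@" is userinfo, not the destination.
  if (url.username || url.password) flags.push("userinfo-before-host");

  // A raw IPv4 address hides the site's name entirely.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) flags.push("ip-literal-host");

  // "xn--" labels are encoded non-ASCII names that may imitate ASCII ones.
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    flags.push("punycode-label");
  }

  // The familiar name only counts when it is the right-hand end of the host.
  const onExpected =
    host === expectedDomain || host.endsWith("." + expectedDomain);
  if (!onExpected && href.toLowerCase().includes(expectedDomain)) {
    flags.push("expected-name-outside-host");
  }
  return { host, onExpected, flags };
}

// Constructed sample links: one genuine, three disguised.
const samples = [
  "https://portal.example.edu/home",
  "http://www.example.edu@203.0.113.7/login",
  "http://example.edu.login.example.net/",
  "http://xn--bcher-kva.example/",
];
for (const s of samples) console.log(s, "->", inspectLink(s, "example.edu"));
```

The host is read from right to left: only the last labels identify the site, so a familiar name appearing anywhere else in the link says nothing about where it leads.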

Safari

Setting the default browser


Go to Safari menu >
  Preferences >
    General tab

Select Safari in the top pulldown menu.


Auto-download updates


Updates for Safari are handled by:
  System Preferences >
    Software Update located under the Apple menu.

Set to Daily updates.


Block unwanted pop-ups


Go to Safari menu >
  Preferences >
    Security tab

Make sure the “Block pop-up windows” box is checked.


Block unwanted plugins/phishing


Go to Safari menu >
  Preferences >
    Security tab

Uncheck the “Enable plug-ins” box.


Set your browser to not save passwords


Go to Safari menu >
  Preferences >
    AutoFill tab

Uncheck the “user names and passwords” box.


Using a master password


Mac users have the Keychain Access utility to keep track of web passwords. It is located in the Utilities folder. Note: The master password setting is not appropriate for passwords that provide access to restricted data.
See the Password Standards for additional information and alternatives.


Java/javascript


Go to Safari menu >
  Preferences >
    Security tab

Uncheck “Enable plug-ins” and “Enable Java”. Leave “Enable Javascript” checked.


Handling cookies*


Go to Safari menu >
  Preferences >
    Security tab

Select “Only from sites you navigate to” for Accepting Cookies.


Additional suggestions


In Safari, you can choose to open multimedia (or “safe”) files after they download. This can pose a security risk. To not open them after downloading, go to:
The Safari menu >
  Preferences >
    General tab.

Uncheck the box that says ‘Open “safe” files…’

Under the Safari menu >
  Preferences >
    Security

Make sure the “Ask before sending a non-secure form…” box is checked.

Internet Explorer

Setting the default browser


InCHIP IT recommends that IE not be used as the default browser. It would be our preference that you use either Firefox or Google Chrome. However, you can still use IE to connect to campus systems without having it set as the default.


Auto-download updates


NOTE: For computers running the InCHIP or Husky PC image this will not be necessary, as Windows Updates are controlled through Group Policy.
Updates for Internet Explorer are handled by Windows Update located in Control Panels. Set to Daily updates.


Block unwanted pop-ups


Go to Tools menu >
  Internet Options >
    Privacy tab

Set the slider to MEDIUM.
Check the “turn on pop-up blocker” box.


Block unwanted plugins/phishing


Go to Tools menu >
  Internet Options >
    Advanced tab
      Scroll down to Multimedia.

Uncheck “Play animations” and “Play sounds” in webpages if they are checked.
Then scroll down to Security and select “Turn on automatic website checking” under Phishing Filter.


Set your browser to not save passwords


Go to Tools menu >
  Internet Options >
    Content tab

Click the AutoComplete button and uncheck the “user names and passwords…” box.


Using a master password


IE doesn’t have a master password function, but you should disable the auto-complete function for passwords.
See the section above. Note: The master password setting is not appropriate for passwords that provide access to restricted data.
See the Password Standards for additional information and alternatives.


Java/javascript


Java is handled with Security Zones in IE. See the Additional suggestions below.


Handling cookies*


Go to Tools menu >
  Internet Options >
    Privacy tab
      Click the “Advanced” button.

Check the “Override” box, then select the “Accept” button for First-party cookies and the “Prompt” button for Third-party cookies.
The “Always allow…” button should not be checked.
Click OK. When done, click the Apply button.


Additional suggestions


IE has security zones that can be set up for different levels of protection. In the Help menu, type “zones” and choose Change IE Security Settings. InCHIP IT recommends setting the Internet Security Zone to HIGH. You can also identify “trusted sites” and set those to MEDIUM-HIGH.

Google Chrome

Setting the default browser


Go to Chrome menu >
  Preferences >
    Settings

Click the “Make Google Chrome My Default Browser” button.


Auto-download updates


To make sure that you’re protected by the latest security updates, Google Chrome automatically updates whenever it detects that a new version of the browser is available.
The update process happens in the background and doesn’t require any action on your part.


Block unwanted pop-ups


Go to Chrome menu >
  Preferences >
    Show advanced settings… >
      Click the Privacy/Content Settings button.

Scroll down to Pop-ups, choose “Do not allow…”.


Block unwanted plugins/phishing


Go to Chrome menu >
  Preferences >
    Show advanced settings… >
      Click the Privacy/Content Settings button.

Scroll down to Plug-ins, choose “Block all”.

Also:
Go to Chrome menu >
  Preferences >
    Show advanced settings…  >

Under Privacy, check the “Enable phishing and malware protection” box.


Set your browser to not save passwords


Go to Chrome menu >
  Preferences >
    Show advanced settings… >

Under Passwords and forms, uncheck the “Enable Autofill…” box.


Using a master password


Google Chrome currently does not have a master password feature. By default the computer will prompt you for your current Windows login credentials.


Java/javascript


Go to Chrome menu >
  Preferences >
    Show advanced settings… >
      Click the Privacy/Content Settings button.

Under Javascript, choose “Allow all sites…”.


Handling cookies*


Go to Chrome menu >
  Preferences >
    Show advanced settings… >
      Click the Privacy/Content Settings button.

Under Cookies, choose “Block third-party cookies and site data”.


(*Cookies are little files that web sites leave on your computer to remember settings, login credentials or any other information that your computer needs to make the user experience a bit better. Cookies are generally harmless, but they can be used to track your Internet usage, which is a privacy issue. In general, you probably don’t want Internet sites tracking everything you are doing, so it’s a good idea to block cookies where appropriate to maintain privacy.)