It is becoming increasingly popular for attackers to compromise computers through vulnerable web browsers. An insecure web browser can lead to spyware being installed on your computer without your knowledge, attackers taking control of your computer, stealing your information, or even using your computer to attack other computers.
The default configuration of many web browsers is not secure. The InCHIP IT Security Team recommends the following steps to help make your web browser more secure. These settings are especially important if you use your browser to access campus business systems, or if you use your browser to access, send or receive sensitive information.
Important: InCHIP IT supports the following browsers: Firefox, Safari and Internet Explorer.
- Set Firefox as your default browser
- Keep your browsers up to date
- Enable automatic updates for your browser
- Block pop-ups, plug-ins and phishing sites
- Set your browser not to store passwords. If you do store passwords in your browser, use a master password that conforms to the InCHIP IT Password Standards. Please see below for restrictions for passwords that provide access to restricted data.
- Disable third-party cookies
- Browser-specific settings:
  - Firefox: install the NoScript add-on
  - Safari: disable Java
  - IE: set up security zones
(Instructions for all these settings are in the table below.)
Important note: While making your browser more secure helps reduce the risk that someone will be able to use it to compromise your computer, it is still important to have safe computing habits so attackers get fewer chances to try. Don’t click on unknown or unsolicited links or open unexpected attachments. Don’t download files, programs or tools unless you are positive they are safe.
Choose your browser:
Firefox
Setting the default browser
Mac: Firefox menu > Preferences > Advanced > General tab.
PC: Tools menu > Options > Advanced.
Check the box “Always check to see if Firefox is default browser on startup”.
Auto-download updates
Mac: Firefox menu > Preferences > Advanced > Update tab.
PC: Tools menu > Options > Advanced > Update tab.
Check all checkboxes and select “Automatically install…” & “Warn me…”.
Block unwanted pop-ups
Mac: Firefox menu > Preferences > Content.
PC: Tools menu > Options > Content.
Make sure the first two boxes are checked (Block pop-ups & Load images).
Block unwanted plugins/phishing
Mac: Firefox menu > Preferences > Security.
PC: Tools menu > Options > Security.
Check the top three boxes that start with “Tell me…” and “Block…”.
Set your browser to not save passwords
Mac: Firefox menu > Preferences > Security.
PC: Tools menu > Options > Security.
Uncheck the “Remember passwords…” box.
Using a master password
Mac: Firefox menu > Preferences > Security.
PC: Tools menu > Options > Security.
Check the “Remember passwords…” & “Use a master password” boxes.
Then set the password, using 8-12 characters (numbers/letters) to 80-100% quality.
Note: The master password setting is not appropriate for passwords that provide access to restricted data.
See the Password Standards for additional information and alternatives.
Java/javascript
Mac: Firefox menu > Preferences > Content.
PC: Tools menu > Options > Content.
Check the “Enable Javascript” box and then click the Advanced button for Javascript. Make sure none of the boxes are checked.
Handling cookies*
Mac: Firefox menu > Preferences > Privacy.
PC: Tools menu > Options > Privacy.
Check the “Tell websites…” box under Tracking.
Additional suggestions
Use NoScript (strongly recommended) and Locationbar2 (optional) add-ons.
How to install security add-ons for Firefox:
(For both Mac & PC) Tools menu > Add-ons
Select the “Get Add-ons” button. Type “noscript” in the search field, then Install and restart Firefox. You should see an “S” icon in the bottom right of the browser window. Right-click on this icon and select “Options”. Select the Appearance tab and uncheck the “allow scripts globally” box. NoScript will now warn you when unknown scripts are on websites you visit. You can right-click the icon to approve ones that you trust. Follow the same install steps for Locationbar2 (optional).
NoScript – Since JavaScript is a very powerful programming language, it allows savvy attackers to attack your machine just by embedding scripts into a web site. NoScript allows you to control what each script can do and make a choice as to which scripts should run and which should not. Additionally, NoScript will also block Java programs and Flash.
LocationBar2 – Locationbar2 helps users to overcome a technique used by attackers called “URL obfuscation” in which the attacker hides a bad web link inside one that looks familiar to you. Locationbar2 makes it a lot easier to see EXACTLY where you are navigating to.
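To check the Firefox settings above on an existing profile without clicking through each dialog, the following added example (not part of the original InCHIP guidance) audits the text of a profile's prefs.js. The mapping from checkboxes to preference names and the assumed defaults are assumptions of this example; defaults differ between Firefox versions, and prefs.js only records values that differ from the default.

```python
import re

# Baseline: pref name -> (required value, default assumed when prefs.js omits it).
# Assumption: defaults shown are for the Firefox generation this page describes.
BASELINE = {
    "dom.disable_open_during_load":         (True,  True),   # Block pop-up windows
    "xpinstall.whitelist.required":         (True,  True),   # Warn on add-on installs
    "browser.safebrowsing.malware.enabled": (True,  True),   # Block reported attack sites
    "signon.rememberSignons":               (False, True),   # Do not remember passwords
    "privacy.donottrackheader.enabled":     (True,  False),  # "Tell websites..." (Tracking)
    "network.cookie.cookieBehavior":        (1,     0),      # 1 = reject third-party cookies
}

PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$', re.M)

def parse_prefs(text):
    """Parse user_pref("name", value); lines into a dict of Python values."""
    prefs = {}
    for m in PREF_RE.finditer(text):  # comments and malformed lines never match
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = (raw == "true")
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit(text):
    """Return {pref: (effective_value, required_value)} for every deviation."""
    prefs = parse_prefs(text)
    findings = {}
    for name, (required, default) in BASELINE.items():
        effective = prefs.get(name, default)  # absent => browser default applies
        if effective != required:
            findings[name] = (effective, required)
    return findings

# Constructed sample prefs.js content (not taken from a real profile).
SAMPLE = '''// Mozilla User Preferences
user_pref("browser.startup.homepage", "https://example.edu/");
user_pref("dom.disable_open_during_load", false);
user_pref("privacy.donottrackheader.enabled", true);
user_pref("network.cookie.cookieBehavior", 1);
'''

if __name__ == "__main__":
    print(audit(SAMPLE))
```

In the sample, password saving is flagged even though prefs.js never mentions it, because the missing entry means the browser default is in effect.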
Safari
Setting the default browser
Go to Safari menu > Preferences > General tab.
Select Safari in the top pulldown menu.
Auto-download updates
Updates for Safari are handled by System Preferences > Software Update, located under the Apple menu.
Set to Daily updates.
Block unwanted pop-ups
Go to Safari menu > Preferences > Security tab.
Make sure the “Block pop-up windows” box is checked.
Block unwanted plugins/phishing
Go to Safari menu > Preferences > Security tab.
Uncheck the “Enable plug-ins” box.
Set your browser to not save passwords
Go to Safari menu > Preferences > AutoFill tab.
Uncheck the “user names and passwords” box.
Using a master password
Mac users have the Keychain Access utility to keep track of web passwords. It is located in the Utilities folder. Note: The master password setting is not appropriate for passwords that provide access to restricted data.
See the Password Standards for additional information and alternatives.
Java/javascript
Go to Safari menu > Preferences > Security tab.
Uncheck “Enable plug-ins” and “Enable Java”. Leave “Enable Javascript” checked.
Handling cookies*
Go to Safari menu > Preferences > Security tab.
Select “Only from sites you navigate to” for Accepting Cookies.
Additional suggestions
In Safari, you can choose to open multimedia (or “safe”) files after they download. This can pose a security risk. To not open them after downloading, go to the Safari menu > Preferences > General tab.
Uncheck the box that says ‘Open “safe” files…’
Under the Safari menu > Preferences > Security:
Make sure the “Ask before sending a non-secure form…” box is checked.
Internet Explorer
Setting the default browser
InCHIP IT recommends that IE is not used as the default browser. It would be our preference that you use either Firefox or Google Chrome. However, you can still use IE to connect to campus systems, without having it set as the default.
Auto-download updates
NOTE: For computers running the InCHIP or Husky PC image this will not be necessary, as Windows Updates are controlled through Group Policy.
Updates for Internet Explorer are handled by Windows Update, located in Control Panel. Set to Daily updates.
Block unwanted pop-ups
Go to Tools menu > Internet Options > Privacy tab.
Set the slider to MEDIUM.
Check the “turn on pop-up blocker” box.
Block unwanted plugins/phishing
Go to Tools menu > Internet Options > Advanced tab.
Scroll down to Multimedia.
Uncheck “Play animations” and “Play sounds” in webpages if they are checked.
Then scroll down to Security and select “Turn on automatic website checking” under Phishing Filter.
Set your browser to not save passwords
Go to Tools menu > Internet Options > Content tab.
Click the AutoComplete button and uncheck the “user names and passwords…” box.
Using a master password
IE doesn’t have a master password function, but you should disable the auto-complete function for passwords.
See the section above. Note: The master password setting is not appropriate for passwords that provide access to restricted data.
See the Password Standards for additional information and alternatives.
Java/javascript
Java is handled with Security Zones in IE. See the Additional suggestions below.
Handling cookies*
Go to Tools menu > Internet Options > Privacy tab.
Click the “Advanced” button.
Check the “Override” box, then select the “Accept” button for First-party cookies and the “Prompt” button for Third-party cookies.
The “Always allow…” button should not be checked.
Click OK. When done, click the Apply button.
Additional suggestions
IE has security zones that can be set up for different levels of protection. In the Help menu, type “zones” and choose Change IE Security Settings. InCHIP IT recommends setting the Internet Security Zone to HIGH. You can also identify “trusted sites” and set those to MEDIUM-HIGH.
Chrome
Setting the default browser
Go to Chrome menu > Preferences > Settings.
Click the “Make Google Chrome My Default Browser” button.
Auto-download updates
To make sure that you’re protected by the latest security updates, Google Chrome automatically updates whenever it detects that a new version of the browser is available.
The update process happens in the background and doesn’t require any action on your part.
Block unwanted pop-ups
Go to Chrome menu > Preferences > Show advanced settings…
Click the Privacy/Content Settings button.
Scroll down to Pop-ups, choose “Do not allow…”.
Block unwanted plugins/phishing
Go to Chrome menu > Preferences > Show advanced settings…
Click the Privacy/Content Settings button.
Scroll down to Plug-ins, choose “Block all”.
Also:
Go to Chrome menu > Preferences > Show advanced settings…
Under Privacy, check the “Enable phishing and malware protection” box.
Set your browser to not save passwords
Go to Chrome menu > Preferences > Show advanced settings…
Under Passwords and forms, uncheck the “Enable Autofill…” box.
Using a master password
Google Chrome currently does not have a master password feature. By default the computer will prompt you for your current Windows login credentials.
Java/javascript
Go to Chrome menu > Preferences > Show advanced settings…
Click the Privacy/Content Settings button.
Under Javascript, choose “Allow all sites…”.
Handling cookies*
Go to Chrome menu > Preferences > Show advanced settings…
Click the Privacy/Content Settings button.
Under Cookies, choose “Block third-party cookies and site data”.