Sunday, July 25, 2010

IE8 lockdown report

This is not a flaw with Internet Explorer at all; the flaw was in the security theory. Even though I had sites blocked before locking IE down, I decided to lift the block after removing the address bar, which I thought was the only way to get to other sites... this was not the case, and I was so intrigued by this one that I had to write a little report about it.

After locking IE and the entire user profile down, I was convinced that users could not go to any sites other than those we intended, i.e. the home page and the links on the desktop; without an address bar they couldn't get anywhere else. What never even crossed my mind is that one of our links' webpages led to Google Maps to show an address. That seems harmless enough, but from there the user can simply click on the web search and Google anything to get wherever they want (assuming it shows up on Google, of course; at least there will be no malicious sites).

The solution is another group policy object that only allows IE to reach the sites we decided on (read post). Google can be included too, but if users try to get to any other site it will be blocked.
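To show why the allowlist policy closes the hole and the address-bar removal does not, here is an added example (not from the original post) that models both controls as navigation filters and replays the click chain described above. The hostnames and URLs are constructed sample values, not the real intranet's.

```python
from urllib.parse import urlsplit

# Constructed allowlist modelled on the post: the intranet home page plus the
# one external site a desktop link leads to. Both hostnames are assumed examples.
ALLOWED_HOSTS = {"intranet.example.local", "maps.google.com"}

def host_of(url: str) -> str:
    """Normalise the host of a URL so that userinfo, ports, mixed case or a
    trailing dot cannot make an allowlisted name look different."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return ""  # file:, javascript: and hostless URLs are never allowlisted
    return parts.hostname.rstrip(".").lower()

def allowlist_policy(url: str, typed: bool) -> bool:
    """The post's fix: a navigation is permitted only if its host, or a parent
    domain of it, is listed. How the user got there (typed, clicked, redirected)
    is irrelevant, so a search result page is blocked like any other site."""
    labels = host_of(url).split(".")
    return any(".".join(labels[i:]) in ALLOWED_HOSTS for i in range(len(labels)))

def no_address_bar_policy(url: str, typed: bool) -> bool:
    """The post's first control: removing the address bar only stops typed
    navigation, so every link, redirect and search result is let through."""
    return not typed

# Constructed sample navigations reproducing the post's click chain:
# desktop link -> Google Maps -> "Web search" -> an arbitrary unrelated site.
NAVIGATIONS = [
    ("https://intranet.example.local/", False),
    ("https://maps.google.com/?q=1+Example+Street", False),
    ("https://www.google.com/search?q=anything", False),
    ("https://some-unrelated-site.example/", False),
]

def evaluate(policy):
    """Return, per navigation, whether the given policy lets it through."""
    return [policy(url, typed) for url, typed in NAVIGATIONS]

if __name__ == "__main__":
    for name, policy in (("no address bar", no_address_bar_policy),
                         ("allowlist", allowlist_policy)):
        print(f"{name:15s}", evaluate(policy))
```

Running it shows the address-bar control passing all four navigations while the allowlist stops the chain at the search page, which is exactly the difference the post describes.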

So there you have it folks: even with security in mind you cannot always think of, see or find the flaws in your system until it is used in production, with real users doing their daily tasks and trying to get around the restrictions. In this case, with no address bar it is still possible to get to any site you want via a search engine, as long as that site is linked ANYWHERE.

