Microsoft Internet Explorer 11 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-APP-000516
Group -
The Internet Explorer warning about certificate address mismatch must be enforced.
This parameter warns users if the certificate being presented by the website is invalid. Since server certificates are used to validate the identity of the web server it is critical to warn the use...Rule Medium Severity -
The Initialize and script ActiveX controls not marked as safe property must be disallowed (Internet zone).
ActiveX controls that are not marked safe for scripting should not be executed. Although this is not a complete security measure for a control to be marked safe for scripting, if a control is not m...Rule Medium Severity -
Accessing data sources across domains must be disallowed (Internet zone).
The ability to access data zones across domains could cause the user to unknowingly access content hosted on an unauthorized server. Access to data sources across multiple domains must be controlle...Rule Medium Severity -
Launching programs and files in IFRAME must be disallowed (Internet zone).
This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone. Launching of programs in IFRAME ...Rule Medium Severity -
Userdata persistence must be disallowed (Internet zone).
Userdata persistence must have a level of protection based upon the site being accessed. It is possible for sites hosting malicious content to exploit this feature as part of an attack against visi...Rule Medium Severity -
Java permissions must be configured with High Safety (Intranet zone).
Java applications could contain malicious code. This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, options can be chosen from the drop-down bo...Rule Medium Severity -
Java permissions must be configured with High Safety (Trusted Sites zone).
Java applications could contain malicious code. This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, options can be chosen from the drop-down bo...Rule Medium Severity -
Dragging of content from different domains within a window must be disallowed (Restricted Sites zone).
This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in the same window. If you enable this policy setting, u...Rule Medium Severity -
Prevent bypassing SmartScreen Filter warnings must be enabled.
This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter prevents the user from browsing to or downloading from sites that are known to host m...Rule Medium Severity -
Prevent per-user installation of ActiveX controls must be enabled.
This policy setting allows you to prevent the installation of ActiveX controls on a per-user basis. If you enable this policy setting, ActiveX controls cannot be installed on a per-user basis. If y...Rule Medium Severity -
The Initialize and script ActiveX controls not marked as safe must be disallowed (Trusted Sites Zone).
ActiveX controls that are not marked safe for scripting should not be executed. Although this is not a complete security measure for a control to be marked safe for scripting, if a control is not m...Rule Medium Severity -
VBScript must not be allowed to run in Internet Explorer (Internet zone).
This policy setting allows the management of whether VBScript can be run on pages from the specified zone in Internet Explorer. By selecting "Enable" in the drop-down box, VBScript can run without ...Rule Medium Severity -
Java permissions must be disallowed (Restricted Sites zone).
Java applications could contain malicious code; sites located in this security zone are more likely to be hosted by malicious individuals. This policy setting allows you to manage permissions for J...Rule Medium Severity -
Active scripting must be disallowed (Restricted Sites Zone).
Active scripts hosted on sites located in this zone are more likely to contain malicious code. Active scripting must have a level of protection based upon the site being accessed. This policy setti...Rule Medium Severity -
Clipboard operations via script must be disallowed (Restricted Sites zone).
A malicious script could use the clipboard in an undesirable manner, for example, if the user had recently copied confidential information to the clipboard while editing a document, a malicious scr...Rule Medium Severity -
Logon options must be configured and enforced (Restricted Sites zone).
Users could submit credentials to servers operated by malicious individuals who could then attempt to connect to legitimate servers with those captured credentials. Care must be taken with user cre...Rule Medium Severity -
Configuring History setting must be set to 40 days.
This setting specifies the number of days that Internet Explorer keeps track of the pages viewed in the History List. The delete Browsing History option can be accessed using Tools, Internet Option...Rule Medium Severity -
Internet Explorer must be set to disallow users to add/delete sites.
This setting prevents users from adding sites to various security zones. Users should not be able to add sites to different zones, as this could allow them to bypass security controls of the system...Rule Medium Severity -
Internet Explorer must be configured to disallow users to change policies.
Users who change their Internet Explorer security settings could enable the execution of dangerous types of code from the Internet and websites listed in the Restricted Sites zone in the browser. T...Rule Medium Severity -
The 64-bit tab processes, when running in Enhanced Protected Mode on 64-bit versions of Windows, must be turned on.
This policy setting determines whether Internet Explorer 11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 6...Rule Medium Severity -
Checking for signatures on downloaded programs must be enforced.
This policy setting allows you to manage whether Internet Explorer checks for digital signatures (which identifies the publisher of signed software and verifies it has not been modified or tampered...Rule Medium Severity -
Script-initiated windows without size or position constraints must be disallowed (Internet zone).
This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows including the title and status bars. If you enable this policy setting, Windows Restrictions sec...Rule Medium Severity -
Script-initiated windows without size or position constraints must be disallowed (Restricted Sites zone).
This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows including the title and status bars. If you enable this policy setting, Windows Restrictions sec...Rule Medium Severity -
Java permissions must be disallowed (Locked Down Local Machine zone).
Java applications could contain malicious code. This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, options can be chosen from the drop-down bo...Rule Medium Severity -
Java permissions must be disallowed (Locked Down Trusted Sites zone).
Java applications could contain malicious code; sites located in this security zone are more likely to be hosted by malicious individuals. This policy setting allows you to manage permissions for J...Rule Medium Severity -
XAML files must be disallowed (Internet zone).
These are eXtensible Application Markup Language (XAML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that leverage the Window...Rule Medium Severity -
Pop-up Blocker must be enforced (Restricted Sites zone).
This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. If you enable this policy setting, m...Rule Medium Severity -
Websites in less privileged web content zones must be prevented from navigating into the Internet zone.
This policy setting allows a user to manage whether websites from less privileged zones, such as Restricted Sites, can navigate into the Internet zone. If this policy setting is enabled, websites f...Rule Medium Severity -
Allow binary and script behaviors must be disallowed (Restricted Sites zone).
This policy setting allows you to manage dynamic binary and script behaviors of components that encapsulate specific functionality for HTML elements, to which they were attached. If you enable this...Rule Medium Severity -
Internet Explorer Processes for MIME handling must be enforced. (Reserved)
Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling procedures for files received through a web server. The Consistent MIME Handling\Internet Explore...Rule Medium Severity -
Internet Explorer Processes for MIME handling must be enforced (Explorer).
Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling procedures for files received through a web server. The Consistent MIME Handling\Internet Explore...Rule Medium Severity -
Internet Explorer Processes for MIME sniffing must be enforced (Explorer).
MIME sniffing is the process of examining the content of a MIME file to determine its context - whether it is a data file, an executable file, or some other type of file. This policy setting determ...Rule Medium Severity -
Internet Explorer Processes for MK protocol must be enforced (Explorer).
The MK Protocol Security Restriction policy setting reduces attack surface area by blocking the seldom used MK protocol. Some older web applications use the MK protocol to retrieve information from...Rule Medium Severity -
Internet Explorer Processes for MK protocol must be enforced (iexplore).
The MK Protocol Security Restriction policy setting reduces attack surface area by blocking the seldom used MK protocol. Some older web applications use the MK protocol to retrieve information from...Rule Medium Severity -
Internet Explorer Processes for Restrict File Download must be enforced (Reserved).
In certain circumstances, websites can initiate file download prompts without interaction from users. This technique can allow websites to put unauthorized files on users' hard drives if they click...Rule Medium Severity -
Internet Explorer Processes for Restrict File Download must be enforced (iexplore).
In certain circumstances, websites can initiate file download prompts without interaction from users. This technique can allow websites to put unauthorized files on users' hard drives if they click...Rule Medium Severity -
Internet Explorer Processes for restricting pop-up windows must be enforced (Explorer).
Internet Explorer allows scripts to programmatically open, resize, and reposition various types of windows. Often, disreputable websites will resize windows to either hide other windows or force a ...Rule Medium Severity -
Internet Explorer Processes for restricting pop-up windows must be enforced (iexplore).
Internet Explorer allows scripts to programmatically open, resize, and reposition various types of windows. Often, disreputable websites will resize windows to either hide other windows or force a ...Rule Medium Severity -
Scripting of Java applets must be disallowed (Restricted Sites zone).
This policy setting allows you to manage whether applets are exposed to scripts within the zone. If you enable this policy setting, scripts can access applets automatically without user interventio...Rule Medium Severity -
AutoComplete feature for forms must be disallowed.
This AutoComplete feature suggests possible matches when users are filling in forms. It is possible that this feature will cache sensitive data and store it in the user's profile, where it might no...Rule Medium Severity -
Turn on the auto-complete feature for user names and passwords on forms must be disabled.
This policy setting controls automatic completion of fields in forms on web pages. It is possible that malware could be developed which would be able to extract the cached user names and passwords ...Rule Medium Severity -
Deleting websites that the user has visited must be disallowed.
This policy prevents users from deleting the history of websites the user has visited. If you enable this policy setting, websites the user has visited will be preserved when the user clicks "Delet...Rule Medium Severity -
Scripting of Internet Explorer WebBrowser control property must be disallowed (Internet zone).
This policy setting controls whether a page may control embedded WebBrowser control via script. Scripted code hosted on sites located in this zone is more likely to contain malicious code. If you e...Rule Medium Severity -
Internet Explorer Processes for Notification Bars must be enforced (Reserved).
This policy setting allows you to manage whether the Notification Bar is displayed for Internet Explorer processes when file or code installs are restricted. By default, the Notification Bar is dis...Rule Medium Severity -
Cross-Site Scripting Filter must be enforced (Internet zone).
The Cross-Site Scripting Filter is designed to prevent users from becoming victims of unintentional information disclosure. This setting controls if the Cross-Site Scripting (XSS) Filter detects an...Rule Medium Severity -
ActiveX controls without prompt property must be used in approved domains only (Restricted Sites zone).
This policy setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control. If the user were to disable ...Rule Medium Severity -
Cross-Site Scripting Filter property must be enforced (Restricted Sites zone).
The Cross-Site Scripting Filter is designed to prevent users from becoming victims of unintentional information disclosure. This setting controls if the Cross-Site Scripting (XSS) Filter detects an...Rule Medium Severity -
Internet Explorer Processes Restrict ActiveX Install must be enforced (Reserved).
Users often choose to install software such as ActiveX controls that are not permitted by their organization's security policy. Such software can pose significant security and privacy risks to netw...Rule Medium Severity -
.NET Framework-reliant components not signed with Authenticode must be disallowed to run (Internet zone).
Unsigned components are more likely to contain malicious code and it is more difficult to determine the author of the application - therefore they should be avoided if possible. This policy setting...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.