Friday, 16 December 2011

Computer Safety Tips

1) Use antivirus software and keep it up-to-date. You should check for new definition updates daily. Most antivirus software can be configured to do this automatically.
Top Antivirus Software
Top Spyware Scanners

2) Install security patches. Vulnerabilities in software are constantly being discovered and they don't discriminate by vendor or platform. It's not simply a matter of updating Windows; at least monthly, check for and apply updates for all software you use.
For Windows updates, visit the Windows Update Center
For all other updates, use the Secunia Software Inspector

3) Use a firewall. No Internet connection is safe without one. Firewalls are necessary even if you have a dial-up Internet connection -- it takes only minutes for a non-firewalled computer to be infected.
Free ZoneAlarm Firewall
Using the Windows Firewall

4) Secure your browser. Many labor under the dangerous misconception that only Internet Explorer is a problem. It's not the browser you need to be concerned about. Nor is it a matter of simply avoiding certain 'types' of sites. Known, legitimate websites are frequently being compromised and implanted with malicious javascript that foists malware onto visitors' computers. To ensure optimum browsing safety, the best tip is to disable javascript for all but the most essential of sites -- such as your banking or regular ecommerce sites. Not only will you enjoy safer browsing, you'll be able to eliminate unwanted pop-ups as well.
How to Disable Javascript in IE, Firefox, and Opera

5) Take control of your email. Avoid opening email attachments received unexpectedly -- no matter who appears to have sent it. Remember that most worms and trojan-laden spam try to spoof the sender's name. And make sure your email client isn't leaving you open to infection. Reading email in plain text offers important security benefits that more than offset the loss of pretty colored fonts.
Why Plain(text) is Better
How To Secure Your Email

6) Treat IM suspiciously. Instant Messaging is a frequent target of worms and trojans. Treat it just as you would email.
Tips for IM Safety

7) Avoid P2P and distributed filesharing. Torrent, Kazaa, Gnutella, Morpheus and at least a dozen other filesharing networks exist. Most are free. And all are rife with trojans, viruses, worms, adware, spyware, and every other form of malicious code imaginable. There's no such thing as safe anonymous filesharing. Avoid it like the plague.

8) Keep abreast of Internet scams. Criminals think of clever ways to separate you from your hard earned cash. Don't get fooled by emails telling sad stories, or making unsolicited job offers, or promising lotto winnings. Likewise, beware of email masquerading as a security concern from your bank or other eCommerce site.
Internet Scams, Phishing, and Fraud

9) Don't fall victim to virus hoaxes. Dire-sounding email spreading fear, uncertainty and doubt about non-existent threats serves only to spread needless alarm and may even cause you to delete perfectly legitimate files in response.
Hoax Encyclopedia
Urban Legends and Folklore

Remember, there's far more good than bad on the Internet. The goal isn't to be paranoid. The goal is to be cautious, aware, and even suspicious. By following the tips above and becoming actively engaged in your own security, you'll not only be protecting yourself, you'll be contributing to the protection and betterment of the Internet as a whole.

Thursday, 1 December 2011

security tips

Make sure you have a security policy in place -- The security policy is the formal statement of rules on how security will be implemented in your organization. A security policy should define the level of security and the roles and responsibilities of users, administrators and managers.

Make sure all of your operating systems and applications are patched with the latest service packs and hotfixes -- Keeping your systems patched will close vulnerabilities that can be exploited by hackers.

Keep an inventory of your network devices -- Develop and maintain a list of all hardware/software components, and understand which default software installations

Friday, 18 November 2011

Technical details

This section contains registry information - only use if you feel happy working with the registry editor. Make a backup using File+Export.

The two "Allow active content" security settings are stored in the registry. Lockdown is ON if the setting is NOT checked.

Registry key/value: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe
Type: DWORD. Lockdown ON: 1. Lockdown OFF: 0.

Registry key/value: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings\LOCALMACHINE_CD_UNLOCK
Type: DWORD. Lockdown ON: 0. Lockdown OFF: 1.

Windows uses different "zones" to describe web content, as seen in Tools+Internet Options Security tab, ie "Internet", "Local Intranet", "Trusted sites" and "Restricted". The local "My Computer" zone icon is normally hidden (see below to enable it).

There are lots of permission values associated with each zone, ie all the options shown if you click on the "Custom level" button.
Microsoft: URL Action Flags
Microsoft: Description of Internet Explorer security zones registry entries

If Local Machine Lockdown is ON then the "My Computer" permissions are taken from this registry location:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0

If Local Machine Lockdown is OFF then the "My Computer" permissions are taken from this registry location:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0

The "Allow active content from CDs" setting also switches between these registry locations for web pages on CD.

When the "My Computer" zone icon is enabled, setting custom levels only changes the permissions that apply when Local Machine Lockdown is OFF (ie in ...\Zones\0). You can change the settings for when Local Machine Lockdown is ON, but you can only do this using the registry editor.

If Lockdown is ON but you change the zone settings (in ...\Lockdown_Zones\0), then an Information Bar warning is shown, but the active content is displayed correctly.

Showing the "My Computer" security zone

If active content is enabled on My Computer (ie Local Machine Lockdown is OFF) then you might want to adjust the permissions, ie actions that can be taken safely. To make adjustments, you will first have to enable the "My Computer" zone icon in the Internet Explorer Tools+Internet Options Security tab.
Microsoft: How to Enable the My Computer Security Zone in Internet Options

There are two ways to make the "My Computer" zone icon visible:

by clicking on this link - EnableMyComputerIcon.reg
or by changing this registry location from hexadecimal 21 to hexadecimal 47:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags
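
As an added example (not part of the original page), this Python reads a registry export in .reg text form and reports the Local Machine Lockdown state using only the keys and values described above: the two FEATURE_LOCALMACHINE_LOCKDOWN settings, which zone key the "My Computer" permissions come from, and whether the zone icon is shown. The sample export is constructed, and the function and field names are this example's own.

```python
import re

FEATURE = (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer"
           r"\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN")
INET = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

# Constructed sample export (not taken from a real machine).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN]
"iexplore.exe"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings]
"LOCALMACHINE_CD_UNLOCK"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"Flags"=dword:00000047
"""


def parse_reg(text):
    """Return {key: {value name: int}} for the DWORD values in .reg text.

    Key and value names are lower-cased because the registry is
    case-insensitive. Other value types are ignored.
    """
    data, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            key = section.group(1).lower()
            data.setdefault(key, {})
            continue
        value = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{1,8})', line)
        if value and key is not None:
            data[key][value.group(1).lower()] = int(value.group(2), 16)
    return data


def audit(reg_text):
    """Report lockdown state; None means the value is absent or unrecognised."""
    reg = parse_reg(reg_text)

    def dword(key, name):
        return reg.get(key.lower(), {}).get(name.lower())

    # Per the table above: iexplore.exe 1 = ON, 0 = OFF;
    # LOCALMACHINE_CD_UNLOCK 0 = ON, 1 = OFF.
    local_on = {1: True, 0: False}.get(dword(FEATURE, "iexplore.exe"))
    cd_on = {0: True, 1: False}.get(
        dword(FEATURE + "\\Settings", "LOCALMACHINE_CD_UNLOCK"))
    # Flags: hexadecimal 21 hides the "My Computer" icon, 47 shows it.
    icon = {0x47: True, 0x21: False}.get(dword(INET + "\\Zones\\0", "Flags"))

    def permissions_key(lockdown_on):
        if lockdown_on is None:
            return None
        return INET + ("\\Lockdown_Zones\\0" if lockdown_on else "\\Zones\\0")

    findings = []
    if local_on is False:
        findings.append("Local Machine Lockdown is OFF for iexplore.exe")
    if cd_on is False:
        findings.append("Lockdown is OFF for web pages on CD")
    return {
        "local_lockdown": local_on,
        "cd_lockdown": cd_on,
        "local_permissions_key": permissions_key(local_on),
        "cd_permissions_key": permissions_key(cd_on),
        "my_computer_icon": icon,
        "findings": findings,
    }


if __name__ == "__main__":
    for field, value in audit(SAMPLE_REG).items():
        print(field, "=", value)
```
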

Screenshots:

When enabled, the 'My Computer' icon appears in Internet Options - Security tab

File download security warning
Registry editor change confirm request
Registry editor change done

Thanks to Marc Castles and Jetski.

New web pages viewed locally - the "Mark of the Web" solution

Microsoft documentation suggests this as a solution for authors - you must change every single one of your web pages. The idea is that you give each web page a "Mark of the Web". Then Internet Explorer treats the page as if it were being viewed in the Internet zone.

In an experiment with a few trial web pages, I found that this technique was successful if I remembered that every single page has to have "the Mark". Links from Mark-ed pages to unMark-ed pages silently do not work (however hard you click...). Some sort of indication of the problem would be nice... and an option to go there as well.

A similar problem exists with links to other types of file. A test HTML file had a link to a PowerPoint presentation. The link did not work if the HTML file had the Mark. The link still did not work if I set the "Hyperlink Base" for the presentation to match the HTML Mark. Links to other file types are very common on CD, so many CDs will fail to run correctly if they are given the Mark.
(To do: check what happens with PDFs that have been given a matching Base URL.)
Many types of file do not have the ability to set a Base URL, so they will be unshowable.

This technique did make our FindinSite-CD Java applet work without any problems. However - as above - if any result page did not have a "Mark of the Web" then FindinSite-CD could not show it.

To give a web page a "Mark of the Web" add in "saved from url" comment text at the start of the file, as described by Microsoft's Mark of the Web documentation. There are two possible incantations:




The number in brackets is the decimal length of the string that follows it. The line must end in CR LF.
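
An added example, not from the original page: a Python checker that builds a mark, validates the length count and the CR LF ending on each page, and lists links from marked pages to unmarked pages or non-HTML files, which are the links reported above as silently failing. It assumes the comment form given in Microsoft's Mark of the Web documentation, `<!-- saved from url=(0014)about:internet -->`, with a four-digit count in the first few lines of the file; the sample pages are constructed.

```python
import re

# Assumed form: <!-- saved from url=(NNNN)URL -->, NNNN = decimal length of URL.
MOTW = re.compile(rb"<!-- saved from url=\((\d{4})\)(.*?) -->")
HREF = re.compile(rb"""href\s*=\s*["']([^"'#?]+)""", re.I)


def build_motw(url):
    """Return the mark for `url`, ending in CR LF."""
    raw = url.encode("ascii")
    if not 0 < len(raw) <= 9999:
        raise ValueError("URL length does not fit the 4-digit count")
    return b"<!-- saved from url=(%04d)%s -->\r\n" % (len(raw), raw)


def check_page(data, head_lines=5):
    """Classify a page: ok, missing, bad-length, no-crlf or shared-line."""
    for line in data.splitlines(keepends=True)[:head_lines]:
        found = MOTW.search(line)
        if found is None:
            continue
        if int(found.group(1)) != len(found.group(2)):
            return "bad-length"      # count does not match the URL that follows
        if not line.endswith(b"\r\n"):
            return "no-crlf"         # the line must end in CR LF
        if line.strip() != found.group(0):
            # Reported only: a reader comment on the page suspects that a mark
            # sharing its line with a tag is not honoured.
            return "shared-line"
        return "ok"
    return "missing"


def broken_links(pages):
    """List (source, target, reason) for local links out of marked pages
    that lead to a page without a valid mark or to a non-HTML file."""
    status = {name: check_page(data) for name, data in pages.items()}
    problems = []
    for name, data in pages.items():
        if status[name] != "ok":
            continue
        for raw in HREF.findall(data):
            target = raw.decode("ascii", "replace")
            if "://" in target or target.lower().startswith("mailto:"):
                continue             # not a local file
            if not target.lower().endswith((".htm", ".html")):
                problems.append(
                    (name, target, "not an HTML page, cannot carry the mark"))
            elif status.get(target, "not-found") != "ok":
                problems.append(
                    (name, target,
                     "target page: " + status.get(target, "not-found")))
    return sorted(problems)


# Constructed sample pages for the demonstration.
MARK = build_motw("about:internet")
SAMPLE_PAGES = {
    "index.htm": MARK
    + b'<html><body>\r\n<a href="a.htm">A</a> <a href="b.htm">B</a>\r\n'
    + b'<a href="slides.ppt">Slides</a> '
    + b'<a href="http://example.com/">web</a>\r\n</body></html>\r\n',
    "a.htm": MARK + b"<html><body>marked</body></html>\r\n",
    "b.htm": b"<html><body>no mark</body></html>\r\n",
    "c.htm": b"<!-- saved from url=(0013)about:internet -->\r\n<html></html>\r\n",
}

if __name__ == "__main__":
    for page in sorted(SAMPLE_PAGES):
        print(page, check_page(SAMPLE_PAGES[page]))
    for problem in broken_links(SAMPLE_PAGES):
        print(problem)
```
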

Microsoft: are you really expecting all the world to add "the Mark" to their pages so that they can be viewed offline?

Another problem:
My guess is that a lot of people - like me - write ordinary static web pages locally and test them locally; however testing locally is not going to be possible.
What do web editor programs do - do they add in "the Mark"?

Microsoft's "IEBlog" on the Mark of the Web.

Another possible workaround: HTAs (HTML Applications)

Another suggestion is to use an HTA (HTML Application) wrapper round your local content. (Microsoft documentation of HTAs). An HTML Application works exactly like Internet Explorer except that all the normal menu and toolbar options are missing - which makes ordinary navigation difficult.

HTML applications are supported by Windows Internet Explorer and Windows Opera but not by Windows Navigator/Mozilla. (Not tested on other platforms yet.)

The idea is that you provide one additional file, eg called index.hta that contains the following:



My HTML Application








Set the green text to an application title and your start web page.

The final job is to get Windows Internet Explorer users to view the index.hta, eg by providing a shortcut to it, or setting AutoRun to start it. The shortcut or AutoRun may not work if another browser is the default browser.

Further information I have been told:
You can use frames in the HTA instead of IFRAME if your application already uses frames. Depending on the web application, it may be necessary to add APPLICATION="yes" to all/some FRAME tags.
If an HTA opens another window then this window does not inherit the "application=yes" trusted status.

9 March 2006: Problems running Java Applets in an HTA container:

If the Microsoft VM is installed, then this is used when HTAs are run by MSHTA.EXE (even if the Sun VM is installed and is being used by IE). This was reported on 26-APR-2004 to Sun (Bug 5037845).

Using Sun JVM 1.5.0_06, the MSHTA.EXE process keeps running after the HTA window has closed, assuming that a Java applet has been run within the HTA. MSHTA.EXE consumes all available cycles (an infinite loop?), ie the process runs at CPU 99% in the Windows Task Manager Process tab. Reported to Sun as a bug, 9 March 2006.

There is a work around for this problem (thanks to John, see below - 10 Apr 2006). The idea is to use a JavaScript handler for the "onbeforeunload" event to remove the Java applet from the page when the page unloads. This partial example removes the "fisCD" applet from its container "div1" when the page is unloaded:

Another possible workaround: Use ShellRun

Another possible workaround for CDs and DVDs is to use the retail version of our ShellRun Windows software. ShellRun is an AutoRun tool for CDs and DVDs, ie it runs when a CD is inserted. It displays a message or menu while starting a browser etc to show your CD's first page. ShellRun has an option to enable Windows XP SP2+ Internet Explorer Active Content. If active content has to be enabled, ShellRun continues to run in the background until the CD is ejected, the system is shut down or the user logs off; at this point ShellRun restores the setting(s) to their original value(s).

Another possible workaround: Use Dynamic-CD

Another possible workaround is to use our Dynamic-CD Windows software. This is an internet web server that can be put on CD or run anywhere locally.

If used on a CD or DVD, Dynamic-CD AutoRuns when inserted into a Windows computer. Dynamic-CD starts the default browser to display a start page at eg http://127.0.0.1:8080/default.asp. Dynamic-CD itself serves the pages, getting the data from the CD. The 127.0.0.1 address is usually deemed by Internet Explorer to be Intranet Zone, and will therefore allow most content to run.

Dynamic-CD only runs in Windows. However Local Machine Lockdown is a problem only for Windows Internet Explorer, so users of other platforms can view the content normally.

Another possible workaround: Use other browsers

If you are just viewing or developing pages yourself locally and do not expect others to view them locally, then a simple solution is to use another browser. It is sensible anyway to check that your pages are viewable in other browsers.

A variant on this approach is to view your pages locally through a local web server, such as IIS, Apache or Dynamic-CD.

Comments:
(We received many earlier comments by email. However the comment form for posting online was not provided so we cannot list them.)

Manuel, Italy, Sun, 12 Jun 2005 09:12:33 (GMT)
Great advice on this issue! I've been knocking my head on the PC for days, sysadmin had no idea on it. Thank you very much for this info, hope MS will fix it up soon.
Regards, Manuel

John E Colman, Sun, 26 Jun 2005 22:34:17 (GMT)
Some great tips here I hadn't found elsewhere. I hope that others also stumble onto your site.

Graham, Sun, 03 Jul 2005 09:36:21 (GMT)
I'm glad I found your site, some good tips available. I think microsoft will have to retract this security issue sooner or later, as most marketing catalogues will eventually be produced on CD. We need to lobby them relentlessly.

arul, Mon, 04 Jul 2005 16:55:43 (GMT)
I've been unable to run JavaScript on my IE6 (winXP). Now I have a clearer picture. Thanks a lot for this page. Keep up the good work!

Martin Modin, Thu, 14 Jul 2005 21:19:37 (GMT)
This is great information. I hope it's OK that I blogged about this "http://tinyurl.com/7oboq" if not let me know and I'll remove it.

Peter Zelei, Mon, 25 Jul 2005 13:28:42 (GMT)
you saved my life... thank you very much

amit, Fri, 29 Jul 2005 14:17:36 (GMT)
Thanks, gratefully

Ed, Tue, 02 Aug 2005 14:35:15 (GMT)
Another workaround - Use Desktop Explorer to map a drive letter to a folder (like My Web) on the C: Drive and use the path to that drive to open the files. The only trick is the path must be in the format: \\PCIdentity\C$\PATH. When files are opened with the new drive letter, they are treated as if they are not on the local drive.

For my browser home page, I have a web page with lots of pull-down menus using scripts that automatically go to the selection when you release the mouse button. Those simple scripts were "flagged" as suspect and I was not willing to right-mouse-click and over-ride every time I launched a browser window. I first tried placing the file on a company file server that was mapped to another drive letter and it didn't come up with any alerts. So the next step was to assign a drive letter to the folder where my files are and that worked.

big boy, Wed, 10 Aug 2005 10:02:47 (GMT)
I was at a loss to figure out what was going on, why didn't Microsoft have the decency to inform me about this problem, I have spent money on stuff I had been reading for months then suddenly I began to get this content message, now I can't continue this net course that cost me good money until Microsoft fixes this problem, I tried going through the steps but still I can't seem to figure it out, guess I'll just have to keep trying or wait for MS to get their shite together !

davidb, Wed, 10 Aug 2005 16:13:24 (GMT)
As a technical writer, this was an incredibly frustrating set of issues to learn about. I now have a process whereby I have to manually add the 'mark of the web' to every HTML page I create for HTML Help. And my company had to change our products' installation procedures by adding an appropriate registry entry so that HTML Help can be read from CD or any mapped drive other than C: -
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions] "MaxAllowedZone"=dword:00000001
Microsoft KB 896054: You cannot open remote content by using the InfoTech protocol

Peter Zaremba, Sat, 03 Sep 2005 19:50:55 (GMT)
Thanks for creating this page. I was going crazy trying to figure out a work around for active content run locally. After reading your page I have a couple of ideas. Thanks again.

Bill Claxton, Tue, 06 Sep 2005 08:54:08 (GMT)
Ed, thank you so much! I've tried the HTA route and don't much like it - for one thing, the application environment doesn't look like a standard browser window.

The best approach is your tip, which not only works, it requires changing only the startup - no web content needs to change at all. I customized my startup script to detect XP and handle other potential problems. Following is the result.

Normally I run an HTML page 'index_cd.htm' when the CD starts. Now I launch this batch script in my 'autorun.inf' (using 'start /min share_cd.bat'), and it works marvellously.

@echo off
:detection
ver | find /i "Windows XP" > nul
if not errorlevel 1 goto share_drive
start index_cd.htm
goto end

:share_drive
if "%computername%" == "" goto err1
net share cd_rom /d
for %%d in (c d e f g h i j k l m n o p q r s t u w x y z) do if exist %%d:\share_cd.bat net share cd_rom=%%d:\ /users:1 /r:"This CD-ROM is temporarily shared."
if errorlevel 3 goto err2
start \\%computername%\cd_rom\index_cd.htm
goto end

:err1
echo Error - unable to locate 'computername' environment variable.
goto end

:err2
echo Error - unable to share CD as a network drive. This action requires Win2000 or WinXP.
goto end

:end
echo.
echo Program completed successfully.

Addendum: While 'start' can be used in the batch file, it fails in the 'autorun.inf' on XP and Win2000. All along I've been using 'shellexecute', but I wanted the batch script to run in minimized mode. Fortunately I found a new shareware 'shellexecute' that supports running batch files in minimized mode: ShellExecute

The syntax for the autorun file using this utility is: "open=shellexecute /f:share_cd.bat /r:min".

ShellExecute launches the batch file properly in XP, and using the 'minimize' option you can eliminate the annoying 'DOS box flash'.

[Editor's note: phdcc's retail ShellRun software can also launch a batch file in a minimised DOS box]

elviejo, Sat, 24 Sep 2005 18:30:22 (GMT)
Also, I had a small JavaScript and I wanted to test it. So every time I opened Explorer to test, it would open the "Informative Bar" to tell me that this was dynamic content. So I had to tell it that I really wanted to open it.
But the most annoying, yes there is more, is that whenever I changed the local webpage to debug it, Explorer closed by itself, as simple as that you change a local webpage, Explorer closes.
This for a hand made webdeveloper is totally unacceptable, arggh!

Christopher Hill, Thu, 29 Sep 2005 12:55:23 (GMT)
Re the comments from Ed and Bill Claxton about sharing the CD drive and connecting to it to fix the problem. If you do this you are opening up a whole can of worms because it means that anyone on your network can view the contents of your CD drive. So if you put a CD with confidential information on anyone can see what it is on it! Additionally, if you're not running as Administrator or Power Users on your workstation (which many corporate and educational users won't be) you won't be able to share the drive anyway, so it won't work.
In short - it's a bad idea! Don't do it!

brian, Sat, 01 Oct 2005 18:28:55 (GMT)
Wow, all this info, for most of us including me we don't understand half of it, if any of it. I am not thick, I use HTML and JavaScript for making web pages, but I do know that the blocked content popup box is a right pain. Microsoft should give us a facility to turn it off.
Come on Microsoft, you are dealing with normal people here, we aren't all computer engineers you know

Stacey, Wed, 05 Oct 2005 12:14:21 (GMT)
This page was so helpful! I couldn't figure out why my users were getting the security message but I have a clear understanding now. Thanks.

Paul Baker, Tue, 18 Oct 2005 20:27:09 (GMT)
Although the mark of the web sorts my problem for htm(l) pages, if I save the page as a web archive (mht) the mark is not respected in the resulting mht file. This is despite Microsoft's assurances to the contrary. What seems to happen is that the html is "re-formatted" when the save occurs and the MOTW comment is no longer on its own line but instead shares a line with, say, a tag. Whether this is the problem or not, the MOTW is certainly ineffective in the mht file.

Mario Schmalzl, Fri, 21 Oct 2005 17:02:44 (GMT)
Great approach, but still it doesn't work, if the zone cannot be defined clearly.
For so called "mixed zones" Sites (as in MS-CRM 3.0) you cannot assign a site and/or set security permissions.
Anyone an idea on that?

stephen harris, Tue, 25 Oct 2005 16:32:11 (GMT)
Thank you, very useful and helpful suggestions, I have designed a few medical calculation web pages for distribution to clinicians who cannot access the Hospital Intranet. Most are using Win 2k, but a few are using XP. I will need to experiment to see which is the best option.

Iris, Thu, 03 Nov 2005 23:23:49 (GMT)
This is great info. I have a puzzling scenario though. None - I mean absolutely none - of my applications can open help at all. When I try to open chm files directly, it cannot open mk:@MSITStore:C:\pathto\filename. I have registered the hlpctrl.ocx, as advised somewhere else. I have tried to enable the ms-its protocol, no luck. All the help files are on my local machine and the apps run locally, so I shouldn't have this issue. Right?
Any insight would be greatly appreciated!!

Nick, Fri, 18 Nov 2005 00:26:20 (GMT)
Thank you very much - The HTA workaround worked for my CD

Alex Garcia, Wed, 30 Nov 2005 17:32:10 (GMT)
This is great info. Thank you...

Tony, Fri, 02 Dec 2005 05:37:30 (GMT)
The Dynamic-CD program works great. Other than disabling security -- which is not something I think prospective customers would be interested in doing -- nothing else seemed to work when linking to PDF documents. Thank you for this fantastic recourse!

Cheong, ganpuzzle, Thu, 12 Jan 2006 01:27:39 (GMT)
Excellent article. We should all revolt against MS. I am seriously affected because I sell java applet puzzles. Guess what, lately I have a few requests for refund thinking that it is my software that is faulty. Microsoft is trying to kill Java applet, that is for sure.
Do I have a legal case against Microsoft for preventing me from making a living?

Michael Hall, Sat, 21 Jan 2006 00:34:11 (GMT)
I have built a multimedia app in .html. I have put the generic MOTW on every page. The app works in IE with XP SP2 (in Internet Zone) but the app's performance is so slow it is almost not usable. I have found, however, that if I establish a connection to the internet (while running the app locally) then the app's performance is greatly improved. Can you explain why performance is improved by connecting to the internet and also if there are any additional workarounds I can try?

John Page, Fri, 3 Feb 2006 11:20:43 -0700
Good stuff. I am using the Mark of the Web solution, but a couple of comments:

It does not appear to verify the url in the tag. I have found you can put any garbage (non-existent) url there and it still works so long as the byte count is OK.
In that case, what is to stop a malicious coder putting any mark in their code?

Hans, Sun, 12 Feb 2006 11:37:10 (GMT)
Thanks for sharing knowledge regarding SP2 security. It was definitely worth the time reading this page.

Mike, Sun, 12 Mar 2006 23:10:20 (GMT)
This is outstanding information. Thanks so much for sharing!

Chris, Fri, 07 Apr 2006 08:10:49 (GMT)
Hello,
Thanks for this article.
But am I the only one seeing another big issue here or am I completely wrong?
I added a MOTW with localhost as source to a web page and executed it locally. Sure enough it runs in the Intranet Zone context?!
So, if malicious code manages to run locally, why don't they just use that MOTW to get around the new Locked-Down Local Machine Zone restrictions from MS?
Scenario:
Malicious webpage manages to execute a file locally.
File has MOTW (localhost)
File runs in Local Intranet zone and can do pretty much whatever it wants?
Install add-ons, system-wide access if user is local admin etc etc.

[Editor: I think the answer is that Local Machine Lockdown is primarily designed to stop injection attacks, ie a page on a web site that somehow sneakily manages to elevate its zone so that some JavaScript can operate with Local Machine privileges. Internet Explorer should not accept a MOTW at this stage, therefore the attack will fail because the local machine is locked down. As I said earlier, stopping unwanted zone elevation would be a better solution. ]

John, Mon, 10 Apr 2006 01:07:26 (GMT)
I encountered the problem you mention:
"Using Sun JVM 1.5.0_06, the MSHTA.EXE process keeps running after the HTA window has closed, assuming that a Java applet has been run within the HTA."
I found a workaround for my case is to do something like this in the document's onbeforeunload event handler:
document.body.removeChild(document.getElementById("applet"));

Todd, Sat, 29 Apr 2006 18:07:20 -0700
I'm trying to make a local DHTML application that acts as a "shell" for intranet content running in a separate (eventually hidden) frame, and while I'm still stuck, this page has given me lots of food for thought. I've worked around the "Mixed Zone" message, but am still not able to get the onload event to fire when the intranet page loads or updates. There's apparently still something IE doesn't like...

Henry, Wed, 3 May 2006 00:46:51 -0700
Everyone should
(1) Uninstall SP2, and
(2) Start a class-action lawsuit against MS.
I've taken care of step one....

Mike Hutchinson, Sat, 6 May 2006 06:47:18 -0700
Your Article on XP SP2 and making javascripts work locally
Thank you so much. I have been going mad trying all the options in IE6 to make this work. I do a lot of javascript development work. Your article is not only a life saver but presented in simple clear straight forward helpful terms for people to understand with actual examples.
WONDERFUL!
Thank you again for taking the trouble to clarify this

Brian, Sat, 6 May 2006 11:26:00 -0700
Thanks, your instructions helped tremendously on allowing blocked content from local files.

Ali, Mon, 15 May 2006 23:26:30 -0700
Thank you so much! I've tried the HTA route and I liked it so much! It works for displaying the 1st HTML page only. When I tried to call another HTA file from the 1st HTML page (to display another HTML page) the security warning window displaying Run|Save|Cancel appeared. Do you have a workaround for this, too?
Answer: You should be able to open another page simply by providing a normal link to the HTML file - the page will then open in the same HTA window. You do not need to wrap all pages in a HTA file.
Thank you very much for your quick reply and assistance. Yes, I did just as you suggested. It works just like I wanted the first time!!

Diana Ost, Tue, 16 May 2006 10:15:16 -0700
Has anyone tried any of these applications with a WebHelp file generated from RoboHelp? Some of the solutions look too difficult for me, but others I might be able to manage. Problem is, the WebHelp file uses frames, with a TOC on the left and content called from the TOC link on the right.
What does everyone suggest as the best solution for this problem?
And, is there any way to register the ActiveX file and give it a certificate to make IE run on our intranet WITHOUT the yellow bar showing up??
Thanks in advance!

Scott, Thu, 08 Jun 2006 01:29:32 (GMT)
Just wanted to thank you for this page. It was very clear and helpful.

Steve, Wed, 21 Jun 2006 19:25:41 (GMT)
Thanks for all the info. Another weaker suggestion for Microsoft would be to at least make the information bar smarter with one-click options to either accept blocked content or see more information. Three clicks starts to make wrist slashing seem like a reasonable alternative...

Makarand Kurkure, Thu, 13 Jul 2006 16:11:45 -0700
The content is very helpful. We had resolved Brio Query insight issue through this.

lisa james, Mon, 31 Jul 2006 23:49:13 -0700
I FOUND YOUR SITE VERY HELPFUL AND TO THE POINT,THANK YOU.

jerry, Fri, 11 Aug 2006 08:05:49 (GMT)
Wonderful information, it helped me a lot

Steve, Sat, 12 Aug 2006 19:20:30 (GMT)
I wanted to add my thanks for your really excellent information. This is the only proper explanation I've found, after much looking. Microsoft should be truly ashamed for their slapdash "fixes". You describe all aspects of this issue so well.

JJ, Wed, 16 Aug 2006 08:53:03 (GMT)
I've written VBS code to add in a Mark Of The Web to a .mht file that gets created dynamically and saved to the user's TEMP folder. The VBS utility then opens up the .mht file but I'm still getting the Information Bar. However, if I run the .mht file by double-clicking on it I don't get the Information Bar!
So, is there some restriction with the MotW that prevents it from working if the web page is called from a VBS?

Martin, Sun, 20 Aug 2006 17:38:17 (GMT)
Thanks a bunch for setting up this informative website. It saved me a lot of time and aggravation trying to understand the trouble I went through.
For my personal means I adopted the suggested workaround solution via mapping the local Website \\PCIdentity\C$\PATH to some drive letter -> works like a breeze here.

xicar, Sat, 26 Aug 2006 03:06:21 (GMT)
I'm having some trouble when I try to open a zip file directly from a CD/DVD: a pop-up opens telling me that my security settings do not allow this action. This happens when I double-click on each zip file, but if I do it from the tree in Windows Explorer I can open it. This began to happen since I updated framework.net with the last security patch.
Can someone tell me how I change this security setting?
Thanks

mfouchi, Tue, 12 Sep 2006 18:51:34 (GMT)
Thank you, thank you, thank you.
Luckily I came across this site with the solution for Java hanging when closing an HTA process (mshta.exe)

t'ni, Sat, 28 Oct 2006 23:05:10 (GMT)
I bow down to you. This page has all the information I've been looking for for months. Your MOTW solution does seem to work, however I am not editing the 32767 pages I have on my computer.
I always thought the Local Intranet contained MY computer, glad now you've shown it to me.
Since I already have drives subst'd for E:\Local Trusted Internet Pages\ and E:\Newly Downloaded and NotSo Trusted Internet Pages\ I'll give this mapping bit a try.
Thank you from the bottom of my heart for such an informative article. I am so indebted to you after pulling my hair out for months since being forced to migrate to WinXP Pro SP2.

William Pollard, Sun, 12 Nov 2006 10:45:58 (GMT)
Thank you very much for that info on block content box, it was very useful in allowing my local intranet page to work the way I designed it to.

Bill Wood, Wed, 13 Dec 2006 13:34:52 -0700
Thanks for this page. It's so much clearer than the MS documentation. The only thing I would clarify is what happens when a page marked with MOTW is run in the locked down Local Computer Zone. Contrary to intuition, Local Computer Zone (and the locked down local computer zone which is used by IE) is considered the most privileged of the zones, even when it is locked down (as it is when using IE) to be effectively less privileged. So, MOTW can only switch to a less privileged zone such as Intranet or Internet zones. Using MOTW is also a way to test locally what Internet users would experience if you use the about:blank MOTW.
Another method to mitigate this problem is to implement a simple shell program that hosts an IE ActiveX control. Only IE is subject to lock down, other programs are not (yet)!

Adam Gibson, Fri, 12 Jan 2007 22:14:12 (GMT)
Thanks for the suggestions - fantastic - however - with Vista the above does not work - what's the workaround for this or have I missed something?
Well I am trying to install Class server through our learning gateway at work - the instructions tell me to add "My computer" to the zone area by running the registry change, which I have done, but it still does not appear there so I cannot go any further.
The gateway providers tell me that they have not made this compatible with ie7 (I think it's an ie7 problem rather than Vista!) but it must just be a case of adding "My Computer" anyway?
I wondered if there was another security setting that was preventing the registry change from happening although I am told that the change had been successful.

Marko Aho, Thu, 26 Apr 2007 10:32:10 (GMT)
For Vista, the reason for locally stored content not working may be, that the content was saved from email. Vista blocks these automatically, and you will have to enable the (e.g. the index.htm) content through the properties. The same applies to content sent through MS Messenger (even in XP).

Yuriy Shikhanovich, Tue, 15 May 2007 19:34:05 (GMT)
First off, thanks for a great resource.
I'd like to respond to a commenter asking about trying to make sure Robohelp works.
What you basically have to do is to add application=yes to any frames and iframes (and just in case framesets, but I don't know if that's required)


Martin, Tue, 19 Jun 2007 04:40:19 (GMT)
This is a great resource but I'm still stuck. I'm trying to launch a pdf in a separate window from web link but I get the activeX message "harm your computer" and business people don't want to go live with this message. I tried calling HTA file from HTML page and I get the "Do you want run..." message and again the business doesn't want to live with this message. Recommendations? Thanks.

Bill Claxton, Fri, 20 Jul 2007 07:56:33 (GMT)
Thought I would update you after rewriting my batch scripts to allow active content. I have described the latest scripts in my blog (http://learningweb.blogspot.com/2007/07/launching-active-content.html), and the scripts are available for download. These not only handle the IE security issue, but also the Flash player security issue. Hope it is helpful, and welcome any feedback.
Incidentally, I think Christopher Hill's remark about network sharing exposing the content of confidential CDs is valid. But none of our CDs are confidential and in my experience this has been less of an issue than simply getting the bloody discs to run without calling tech support.
Perhaps it's an exercise for the sysadmin to clean up unused network shares.

rotimi Iziduh, Tue, 24 Jul 2007 05:38:33 (GMT)
Hi Guys, I'm trying to learn AJAX from scratch. The problem is sample AJAX scripts do not run on my Internet Explorer browser and they return the error message "access denied". Is this because I'm running them without a server? Or is there some other reason? Here's the link to the sample page: http://www.webreference.com/programming/javascript/jf/column12/index.html Thanks
Answer: you do need to run it on a server

Daniel, Wed, 07 Nov 2007 00:40:44 GMT
You can tell the CD-ROM to open index.htm in its own browser. For example, you can add HtmlViewer (www.cdmenupro.com, by Klaus Schwenk) to the CD-ROM. It's a simple browser that loads the java applet. You just need to change the CD_Conf.ini here:
[INTRO]
ENABLE=1
PLAYER=_CURRENTDIR_\HtmlView.exe
FILE=_CURRENTDIR_\index.htm
If you need to open pdf files from inside FindInSite, Klaus also has pdfStart.

John Dugdale, Wed, 21 Nov 2007 09:10:08 (GMT)
I have an IE sidebar which shows web pages in a browser component. I still had to put the MOTW on all my pages to avoid the security warning. I can no longer use ajax requests which give the aforementioned access problem. Is there no way round this in the case of a DLL?

chetan sachania, Wed, 20 Feb 2008 11:30:32 GMT
Hi rotimi Iziduh....
Yes, if you run AJAX directly it will cause a problem in IE7.
For example: c:/test/index.html <--- if you run an HTML page with AJAX like this it will cause an "Access denied" error.
Solution: http://localhost/test/index.html - you have to configure a local site in your IIS.

BV, Mon, 09 Jun 2008 13:58:24 GMT
Do you have a suggestion for flash? Adobe is following in MS footsteps, you can develop and run local, but when send it out on cd, it will fail. There are ways around similar to MS, but harder.
[Editor: I haven't used Flash so I do not know sorry.]

ben, Wed, 12 Nov 2008 00:09:54 GMT
thank you so, so much for this. you've saved my neck in a dire emergency. this project's over, now i can flee back to the warm comfort of ubuntu. :P

Greg Souders, Wed, 06 May 2009 07:13:53 GMT
Thank you Chris Cant for producing this page. I was also struggling with this one. For me the issue arises when testing web pages locally before publishing. I think the best solution for this case is to Map a Network Drive as Ed suggests. Thanks Ed for your suggestion. This solution allows testing local web pages without compromising security. Local Machine Lockdown is bypassed if the pages are accessed via the Network Drive but still active while surfing the web.
Ed states that you must use the following format \\PCIdentity\C$\PATH. PCIdentity is the computer name of your machine, C$ is a hidden Administrative share for the C: drive and PATH is the directory path to the folder containing your Web Site(s). This will work for XP Pro machines but not for XP Home. XP Home does not create hidden Administrative shares. To overcome this, share the folder where your Web Site(s) reside and Map your Network drive to the shared folder \\PCIdentity\SHAREDFOLDER.
This approach will still bring up the information bar stating "Internet settings are now turned off by default...". However you can click on the bar and select "Don't Show Me this Again" to disable the message for good.
The registry value that controls this message is "WarnOnIntranet" and is located here [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings] The default value is 1 enabling the message, 0 disables the message.

Pál Marosi, Mon, 27 Jul 2009 14:02:53 GMT
Thanks for creating this outstanding page.

Budhiram Barad, Tue, 05 Oct 2010 08:16:04 GMT
THANK YOU

jsllearner, Sat, 05 Feb 2011 04:09:41 GMT
I am wondering if it is possible for this to be happening without any warnings being issued, no popup no yellow bar, nothing. I seem to be having this problem and have tried fixing my local machine/My Computer settings to allow scripting, MOTW (this did NOT work, making me wonder if this is really the problem, or if somehow the warnings are turned off???), resetting jscript.dll, resetting ie8. I don't want to be mucking around my registry until I am sure this is the problem, and especially if I am not sure it will fix it, as all I know is that no local files can run any javascript, even a simple alert. I am running vista business sp3, ie8. here is a sample code

test
could it be any simpler? all i see is the word "text".
Later:
well, I fixed the problem. turns out there was an extra entry in my internet zones registry which needed to be deleted (malware/flash?). go figure. see http://www.windowsbbs.com/windows-xp/96205-windows-services.html for what I did
the full solution involves removing trojan fake alert using malwarebyte's antimalware to remove the rest of it.

Luc, Fri, 10 Jun 2011 11:30:20 GMT
Thank you!

Other options

The simplest option is to use other browsers yourself or within your organisation. However it may not be sensible to say to your users that your content will not work if viewed in Internet Explorer.

If you are producing information on CD or DVD, then active content warnings can be avoided using our software:
ShellRun which can be set up to turn off warnings.
Dynamic-CD software which runs a CD-based internet server.

Suggestion 1 for Microsoft

Come on Microsoft, you can do better than this...

Do the decent thing... block up the security holes... don't ruin locally viewed content.

Your current way of solving the problem of malicious "cross-zone access" by making the local zone unusable is - need I say it - going to make the local zone unusable. And yes, there are lots of people who provide content to be viewed locally, not just information on CD but product documentation and people authoring web content locally before putting it online.

The browser is the "interface of choice" for many developers - many applications nowadays that do not need an online connection are none-the-less written as web applications. These applications will not now work when viewed by an out-of-the-box XP-with-SP2.

Suggestion 2 for Microsoft

Make the local machine zone equivalent to the Internet zone. A lot of pages work fine when viewed online under SP2, but do not work when viewed locally. Pre-SP2 the local zone was less restricted than the Internet zone - why make it more restricted in SP2?

Suggestion 3 for Microsoft

If you cannot be bothered to handle security properly, then at least make the "Allow active content from CDs" option on by default.

SP2 default security

As described above, any locally viewed web page that contains active content will be stopped from running.

At the top of the page in the Information Bar you will see this warning:

To help protect your security, Internet Explorer has restricted this file from showing active content that could access your computer. Click here for options...

To enable active content, click on this message and then select:

Allow Blocked Content...

Example showing Internet Explorer trying to run a Java applet locally:

[Screenshot: Active content warning for a web page containing a Java applet]

You will also be asked to OK this message:

Allowing active content such as script and ActiveX controls can be useful, but active content might also harm your computer.

Are you sure that you want to let this file run active content?


[Screenshot: Enabling active content on Local Machine warning]

After all this, the active content should run. Note that the active content is only enabled for this Internet Explorer window. If you close this window and come back again you will have to go through the same process again. However, all further active content in this window is enabled (unless you navigate to non-HTML pages such as XML).

SP2 new security options

Microsoft have provided new options to turn off the security on local files to let active content run, as shown on the right.

To run active content on all CDs without warnings, you must change a security setting in Internet Explorer:

Open menu Tools+Internet Options+Advanced tab
Scroll down to the Security section.
Make sure that "Allow active content from CDs to run on My Computer" is checked.

If you want to run active content in all files on your hard disk or similar, then you need to:

Make sure that "Allow active content to run in files on My Computer" is checked.

Note: With "Allow active content from CDs" selected, I have found that the Information Bar sometimes still appears saying that it has restricted active content, even though the content runs OK.

[Screenshot: The Internet Explorer Internet Options Advanced options settings needed to run FindinSite-CD]

Are the new security options enough?

Many people view web content in local files on hard disk and on CD. Some will be generating content, while most will simply be viewing content. All these people will be affected by SP2.

Are the new security options enough to make these people happy? My guess is that the answer is NO.

Many people (and their system administrators) will be keen to reduce security intrusions as much as possible. Any loosening of the security settings will therefore not be acceptable.

One of our customers has already requested a refund on a software licence purchase because "we don't have control over our end-users machines. We can't simply tell them to change their settings."

How Windows XP Service Pack 2 and Vista affect web pages running locally on your computer

Last modified: 19 December 2006. Any comments or suggestions - please fill in form below. Chris Cant.

Web pages with active content running locally

XP SP2, Vista and equivalent affect any web page with "active content" running locally on your computer in Internet Explorer. Many people provide web page information on CD or DVD, provide product documentation as web pages, or work with web pages locally before putting them online. Even very innocuous JavaScript is deemed to be active content and a user will have to agree to very worrying warning messages to see a page - or change a security setting. Some valid active content may not work even if the user has enabled active content for the current window.

See below for screen shots of SP2 when trying to run a Java applet locally.

In all the following text, SP2 refers to Windows XP with Service Pack 2 or later, Windows Vista and equivalent Windows operating systems.

Web pages on your local computer

Windows XP SP2 and Vista Introduction

Windows XP SP2, Vista and equivalent include improvements to Internet Explorer security that are intended to help most users by stopping local web pages that contain "active content" from accessing your computer maliciously. "Active content" includes JavaScript, Java applets and ActiveX controls.

Users and developers of CDs containing our FindinSite-CD applet - please read our How to run FindinSite-CD in XP SP2 instructions.

Changes for web pages running locally

By default in SP2, Internet Explorer will not let any active content run in web pages that run locally (on the Local Machine, ie My Computer). The user will see a warning message in the new yellow Information Bar - clicking in there will let the user "Allow Blocked Content" - after agreeing to another dire warning.

The likely effect of this is that most users will not let local active content run, even if it is only mundane JavaScript to run a menu system.

The browser is becoming the standard interface for many applications, including those that run locally. Many people provide web page information on CD or provide product documentation as web pages. In addition many people write and test web pages locally.

Although Microsoft have provided two options to enable local content, these new security restrictions make life much harder for people who create or view content that is used locally. Most people will not want to reduce their default security settings for fear of having their computers corrupted.

[Screenshot: Information Bar introduction box]
The Information Bar is aptly named - it bars you from viewing information locally...

Why are Microsoft doing this?

We understand that the main problem is online web sites that find security holes so as to be able to run code locally. Code that runs locally used to be able to damage your system because it ran with the highest privileges. So - rather than block up the security holes - Microsoft have decided to clamp down on all local web page active content so that the user has to agree to various dire warnings before letting it run.

All local web pages (including those on CD) are currently affected. There are ways to turn off this security feature (as described below). However, if it is turned off to make ordinary local content run, then users are susceptible to the same security holes as before.

We also posted a letter to Microsoft UK on 1 July 2004, but to date have had no reply.
We tried to highlight this issue with Microsoft in the SP2 preview forums - to no avail: the advice was simply to adapt to the new situation, ie the decision had been made and it was not going to change. Perhaps Microsoft thinks that the problems are a price worth paying to make online surfing safe. Or perhaps they have not realised that many people view content locally. One of our big users in the USA produces 800,000 CDs every April - the CDs will not run in the default SP2 settings. We have lost another order because the client could not tell their users to change their security settings.

What do Microsoft suggest?

These seem to be Microsoft's suggestions... but they are not good enough... (see below for full details)

Turn off local machine security
But: We have already had to refund an order because "we don't have control over our end-users machines. We can't simply tell them to change their settings."

Give all pages "the Mark of the Web"
But: You cannot seriously expect all pages to have this added. And links to other file types don't work.

Wrap your application in an HTA file
But: Superficially this isn't too awful a job, but why does the world have to do this? (Existing local content will not be fixed.)
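
For anyone who does go the Mark of the Web route, the following added example (not code from this article or from Microsoft) audits a folder of local pages for the mark, checks that its four-digit length prefix matches the URL, and can insert the generic about:internet mark into unmarked pages. The function names and the three sample files are made up for the illustration.

```python
import re
import tempfile
from pathlib import Path

# Mark of the Web: an HTML comment "<!-- saved from url=(NNNN)URL -->" where
# NNNN is the zero-padded length of URL. IE then runs the local page in the
# zone that URL belongs to instead of the locked-down Local Machine zone.
MOTW_RE = re.compile(r"<!--\s*saved from url=\((\d{4})\)(\S+?)\s*-->", re.IGNORECASE)
GENERIC_URL = "about:internet"  # generic mark: treat the page as Internet zone

# Optional UTF-8 BOM (as seen through latin-1), whitespace, optional DOCTYPE line.
PREFIX_RE = re.compile(r"(?:\xef\xbb\xbf)?\s*(?:<!DOCTYPE[^>]*>[ \t]*\r?\n?)?", re.IGNORECASE)


def make_motw(url=GENERIC_URL):
    """Build the mark for url, computing the length prefix."""
    return "<!-- saved from url=(%04d)%s -->" % (len(url), url)


def check_motw(html):
    """Return (status, url); status is 'missing', 'bad-length' or 'ok'."""
    m = MOTW_RE.search(html)
    if not m:
        return ("missing", None)
    declared, url = int(m.group(1)), m.group(2)
    if declared != len(url):
        return ("bad-length", url)  # hand-edited mark: flag it for review
    return ("ok", url)


def add_motw(html, url=GENERIC_URL):
    """Insert a mark after any BOM/DOCTYPE; pages already marked are untouched."""
    if MOTW_RE.search(html):
        return html
    pos = PREFIX_RE.match(html).end()
    return html[:pos] + make_motw(url) + "\r\n" + html[pos:]


def audit_tree(root, fix=False):
    """Map each .htm/.html file under root to its status; optionally add marks."""
    results = {}
    for path in sorted(Path(root).rglob("*")):
        if not (path.is_file() and path.suffix.lower() in (".htm", ".html")):
            continue
        # latin-1 round-trips every byte, so pages in any encoding survive a rewrite.
        with open(path, encoding="latin-1", newline="") as fh:
            html = fh.read()
        status, _ = check_motw(html)
        if fix and status == "missing":
            with open(path, "w", encoding="latin-1", newline="") as fh:
                fh.write(add_motw(html))
            status = "added"
        results[path.relative_to(root).as_posix()] = status
    return results


def build_sample_tree(root):
    """Constructed sample content: one unmarked, one marked, one wrong length."""
    root = Path(root)
    (root / "docs").mkdir()
    (root / "index.htm").write_text(
        "<html><script>var x = 1;</script></html>", encoding="latin-1")
    (root / "docs" / "help.html").write_text(
        make_motw() + "\r\n<html></html>", encoding="latin-1")
    (root / "docs" / "old.HTM").write_text(
        "<!-- saved from url=(0010)about:internet -->\r\n<html></html>",
        encoding="latin-1")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for name, status in audit_tree(tmp).items():
            print("%-12s %s" % (status, name))
```

Pages marked this way run under the rules of the zone named in the mark, so the objection above about links to other file types still applies.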

Microsoft information pages:

Local Machine Zone Lockdown
Local Machine Zone Lockdown - Developer Implications
Internet Explorer 6 Resource Kit: XP SP2 Enhancements to Internet Explorer 6 - click on "Local Machine Zone Lockdown"
Internet Explorer Administration Kit: XP SP2 Enhancements to Internet Explorer 6 - click on "Local Machine Zone Lockdown"
Changes to Functionality in XP SP2: Part 5: Enhanced Browsing Security - click on "Internet Explorer Local Machine Zone Lockdown"

Thursday, 3 November 2011

Understanding ISPs

What is an ISP?

An ISP, or internet service provider, is a company that provides its customers access to the internet and other web services. In addition to maintaining a direct line to the internet, the company usually maintains web servers. By supplying necessary software, a password-protected user account, and a way to connect to the internet (e.g., modem), ISPs offer their customers the capability to browse the web and exchange email with other people. Some ISPs also offer additional services. With the development of smart phones, many cell phone providers are also ISPs.

ISPs can vary in size—some are operated by one individual, while others are large corporations. They may also vary in scope—some only support users in a particular city, while others have regional or national capabilities.

What services do ISPs provide?

Almost all ISPs offer email and web browsing capabilities. They also offer varying degrees of user support, usually in the form of an email address or customer support hotline. Most ISPs also offer web hosting capabilities, allowing users to create and maintain personal web pages; and some may even offer the service of developing the pages for you. Some ISPs bundle internet service with other services, such as television and telephone service. Many ISPs offer a wireless modem as part of their service so that customers can use devices equipped with Wi-Fi.

As part of normal operation, most ISPs perform backups of email and web files. If the ability to recover email and web files is important to you, check with your ISP to see if they back up the data; it might not be advertised as a service. Additionally, most ISPs implement firewalls to block some portion of incoming traffic, although you should consider this a supplement to your own security precautions, not a replacement (see Understanding Firewalls for more information).

How do you choose an ISP?

Traditional, broadband ISPs typically offer internet access through cable, DSL, or fiberoptic options. The availability of these options may depend where you live. In addition to the type of access, there are other factors that you may want to consider:

security - Do you feel that the ISP is concerned about security? Does it use encryption and SSL (see Protecting Your Privacy for more information) to protect any information you submit (e.g., user name, password)? If the ISP provides a wireless modem, what wireless security standards does it support, and are those standards compatible with your existing devices?

privacy - Does the ISP have a published privacy policy? Are you comfortable with who has access to your information and how it is being handled and used?

services - Does your ISP offer the services you want? Do they meet your requirements? Is there adequate support for the services? If the ISP provides a wireless modem, are its wireless standards compatible with your existing devices?

cost - Are the ISP's costs affordable? Are they reasonable for the number of services you receive, as well as the level of those services? Are you sacrificing quality and security to get the lowest price?

reliability - Are the services your ISP provides reliable, or are they frequently unavailable due to maintenance, security problems, a high volume of users, or other reasons? If the ISP knows that services will be unavailable for a particular reason, does it adequately communicate that information?

user support - Are there published methods for contacting customer support? Do you receive prompt and friendly service? Do their hours of availability accommodate your needs? Do the consultants have the appropriate level of knowledge?

speed - How fast is your ISP's connection? Is it sufficient for accessing your email or navigating the internet?

recommendations - Have you heard or seen positive reviews about the ISP? Were they from trusted sources? Does the ISP serve your geographic area? If you've uncovered negative points, are they factors you are concerned about?

Guidelines for Publishing Information Online

Why is it important to remember that the internet is public?

Because the internet is so accessible and contains a wealth of information, it has become a popular resource for communicating, for researching topics, and for finding information about people. It may seem less intimidating than actually interacting with other people because there is a sense of anonymity. However, you are not really anonymous when you are online, and it is just as easy for people to find information about you as it is for you to find information about them. Unfortunately, many people have become so familiar and comfortable with the internet that they may adopt practices that make them vulnerable. For example, although people are typically wary of sharing personal information with strangers they meet on the street, they may not hesitate to post that same information online. Once it is online, it can be accessed by a world of strangers, and you have no idea what they might do with that information.

What guidelines can you follow when publishing information on the internet?

View the internet as a novel, not a diary - Make sure you are comfortable with anyone seeing the information you put online. Expect that people you have never met will find your page; even if you are keeping an online journal or blog, write it with the expectation that it is available for public consumption. Some sites may use passwords or other security restrictions to protect the information, but these methods are not usually used for most websites. If you want the information to be private or restricted to a small, select group of people, the internet is probably not the best forum.

Be careful what you advertise - In the past, it was difficult to find information about people other than their phone numbers or address. Now, an increasing amount of personal information is available online, especially because people are creating personal web pages with information about themselves. When deciding how much information to reveal, realize that you are broadcasting it to the world. Supplying your email address may increase the amount of spam you receive (see Reducing Spam for more information). Providing details about your hobbies, your job, your family and friends, and your past may give attackers enough information to perform a successful social engineering attack (see Avoiding Social Engineering and Phishing Attacks for more information).

Realize that you can't take it back - Once you publish something online, it is available to other people and to search engines. You can change or remove information after something has been published, but it is possible that someone has already seen the original version. Even if you try to remove the page(s) from the internet, someone may have saved a copy of the page or used excerpts in another source. Some search engines "cache" copies of web pages; these cached copies may be available after a web page has been deleted or altered. Some web browsers may also maintain a cache of the web pages a user has visited, so the original version may be stored in a temporary file on the user's computer. Think about these implications before publishing information—once something is out there, you can't guarantee that you can completely remove it.

As a general practice, let your common sense guide your decisions about what to post online. Before you publish something on the internet, determine what value it provides and consider the implications of having the information available to the public. Identity theft is an increasing problem, and the more information an attacker can gather about you, the easier it is to pretend to be you. Behave online the way you would behave in your daily life, especially when it involves taking precautions to protect yourself.

Cyber Security Tip

What is cyber security?
It seems that everything relies on computers and the internet now — communication (email, cellphones), entertainment (digital cable, mp3s), transportation (car engine systems, airplane navigation), shopping (online stores, credit cards), medicine (equipment, medical records), and the list goes on. How much of your daily life relies on computers? How much of your personal information is stored either on your own computer or on someone else's system?

Cyber security involves protecting that information by preventing, detecting, and responding to attacks.

What are the risks?
There are many risks, some more serious than others. Among these dangers are viruses erasing your entire system, someone breaking into your system and altering files, someone using your computer to attack others, or someone stealing your credit card information and making unauthorized purchases. Unfortunately, there's no 100% guarantee that even with the best precautions some of these things won't happen to you, but there are steps you can take to minimize the chances.

What can you do?
The first step in protecting yourself is to recognize the risks and become familiar with some of the terminology associated with them.

Hacker, attacker, or intruder - These terms are applied to the people who seek to exploit weaknesses in software and computer systems for their own gain. Although their intentions are sometimes fairly benign and motivated solely by curiosity, their actions are typically in violation of the intended use of the systems they are exploiting. The results can range from mere mischief (creating a virus with no intentionally negative impact) to malicious activity (stealing or altering information).

Malicious code - Malicious code, sometimes called malware, is a broad category that includes any code that could be used to attack your computer. Malicious code can have the following characteristics:
It might require you to actually do something before it infects your computer. This action could be opening an email attachment or going to a particular web page.
Some forms propagate without user intervention and typically start by exploiting a software vulnerability. Once the victim computer has been infected, the malicious code will attempt to find and infect other computers. This code can also propagate via email, websites, or network-based software.
Some malicious code claims to be one thing while in fact doing something different behind the scenes. For example, a program that claims it will speed up your computer may actually be sending confidential information to a remote intruder.

Viruses and worms are examples of malicious code.

Vulnerability - In most cases, vulnerabilities are caused by programming errors in software. Attackers might be able to take advantage of these errors to infect your computer, so it is important to apply updates or patches that address known vulnerabilities (see Understanding Patches for more information).

This series of cyber security tips will give you more information about how to recognize and protect yourself from attacks.

Thursday, 20 October 2011

avast Internet Security 2012

Avast is well known for their free antivirus software, but they've also expanded their product line to include Internet security software.

While it's certainly not a bad transition, avast Internet Security 2012 emerged with only average results during our tests. In fact, due to its lackluster firewall, avast came in towards the end of our list this year. Without a solid firewall, we can't consider avast an effective Internet security suite.

TOP FEATURES
Nice User Interface
Lite Resource Usage
Good Real-time Protection
On the plus side, avast has adequate real-time protection as well as decent scanning functions. Email protection and anti-phishing were only average, but they've got a nice user interface with plenty of easy-to-use settings. We just hope to see better performance to go along with those nice options in the future.

For overall Internet security, avast Internet Security 2012 isn't going to cut it this year. With a poor firewall, average real-time protection, and questionable technical support, we're forced to send avast to the back of the line.

AVG Internet Security 2012

AVG has come a long way through their well-known free antivirus software. They've since branched out and created a worthy Internet security suite.

While their free antivirus software has served many consumers over the years, it serves only as light protection, since it lacks firewall software, download protection, and several other critical features.

A more heavy-duty Internet security suite was needed sooner or later, and this year AVG comes out with a respectable product: not perfect, but respectable.

The features that didn't stand up to our rigorous tests included: IM protection, anti-phishing, and AVG's inconsistent customer support.

TOP FEATURES
Good real-time protection
Adequate firewall
Nice user interface
On the plus side, AVG's durable antivirus engine proved top-notch. Their real-time protection proved to be as good as their best competition. The firewall for AVG Internet Security 2012 was not as strong as we'd like to see but reasonably secure.

The manual and USB scanning were thorough, although AVG doesn't automatically prompt for an automatic scan of USB drives. Even still, the majority of our malware threats were easily detected and cleaned.

Their customer support is set up via a third party company, which can make serious technical support somewhat confusing.

Despite some issues and being outmatched at some tasks when you compare antivirus software performance head-to-head, AVG Internet Security 2012 proves itself a worthy competitor and a very reasonable choice to secure your PC.

Kaspersky Internet Security 2012

Kaspersky continues to grow as a household name every year, and for good reason. Over the years, they've completely rebuilt what it means to be an antivirus engine, while increasing the overall user experience.

The top testing labs around the world have given Kaspersky high awards and certifications:

West Coast Labs
Anti-Malware
OPSWAT
Virus Bulletin
AV-Comparatives
AV-Test

Kaspersky Internet Security 2012 is just as strong as ever when it comes to antivirus and firewall protection, but they still aren't as refined as some of their competitors when it comes to overall usability.

For one thing, their user interface is still full of nagging issues that should have been easily fixed, but weren't.

Protection against zero-day threats, and emerging viruses is strong according to tough, independent testing around the world. Their firewall is top-notch, and their cloud-based antivirus protection is on the move.

However, there are several holes in certain key areas that could make or break your final decision about Kaspersky Internet Security: their antiphishing scored lower than even Internet Explorer's in some tests. Their social network protection isn't as holistic as it could be. And their tech support is rife with problems.

We still like Kaspersky for its sheer protection power, but it's sliding back on our list this year due to some missteps that are too much to ignore.

BitDefender Internet Security 2012

BitDefender comes through again this year with another excellent antivirus product. BitDefender Internet Security 2012 continues to offer that same great antivirus protection, but with a new and improved user interface.

How well does BitDefender Internet Security 2012 actually protect your computer? Let's put it this way: all of the top testing labs in the world have given BitDefender high scores for excellent real-time antivirus protection, resource usage, and virus removal. They put BitDefender through the wringer, and it keeps coming up strong.

Our system resource tests showed BitDefender to be light to average when scanning your system. We found no significant system drain.

We like the new, clean user interface. It's much easier to use and find any information you need.

Customer service continues to be a problem with BitDefender, but they provide adequate self-help options that will satisfy most people.

Overall, BitDefender remains one of our top choices yet again this year. Why? It's light, it's easy to use. It's stable. And most importantly, it has one of the best records for protecting your computer against viruses and other malware.

Friday, 14 October 2011

Shore up your system

In addition to using good anti-virus tools, there are steps you can take to protect yourself and your computer.

To combat viruses, worms and similar threats:

Switch to a non-Microsoft email program. Many mass-mailing worms are written specifically to exploit vulnerabilities in Outlook Express and Microsoft Outlook. You can guard yourself against such threats by using an alternative email client such as Thunderbird or Eudora.
Beware attachments! Never open an email attachment from someone you don't know. Don't open attachments from people you do know, unless you're expecting the attachment. Don't open attachments directly from within your email: save them to your desktop first and open them from there. Before you open any attachment, right-click it and choose the anti-virus scanning option from the pop-up menu (most anti-virus programs add such an option when you install them).
Turn the reading/preview pane off. Most email programs display part of an email in a viewing pane beside the list of received email. Switch this viewing pane off. Sometimes your system can get infected merely by displaying code in this window.
Run a full system anti-virus scan weekly, at a minimum.

To keep adware and spyware off your system:

Pay for software instead of opting for the free, advertising supported version.
Avoid surfing on the fringe. Porn sites, crackz and warez (pirated software), file swapping and other on-the-edge sites are havens for unscrupulous people.
Use a non-Microsoft browser. Internet Explorer has proved itself to be hideously susceptible to attack and infestation. One of the best defences against a variety of threats is to use an alternative browser, such as Firefox. It's free from the Mozilla Foundation, the same organisation which also offers the freeware email client, Thunderbird. Use the two together, or install the Mozilla Suite which combines browser, email, chat and Web editor.
Never, ever click OK on a pop-up window or dialog box when you're browsing without reading it thoroughly. Use the close box to close such windows.
Use safe emailing practices.

To avoid phishing scams:

Never click on links in email you receive from an unknown source or from a known source seeking financial or sensitive information. Instead, type the address directly into your browser. Links in email can be dummied to look as if they're taking you one place when they are, in fact, taking you somewhere else.
If you have any doubt whatsoever about an email apparently from your bank or other financial institution, either go directly to the bank's Web site or get on the phone and speak to someone at the bank directly.
Be sceptical of any email which asks you to update your log-in details or other sensitive information.
Never click any link in spam.

To manage spam:

Never open spam email.
Never buy anything advertised in spam, even if it seems like a really good deal. If you wonder why spammers indulge in a process which seems tailor-made to infuriate potential customers, it's because some people actually buy spam goods.
Never divulge more information on Web site forms than is absolutely necessary.
Always read a site's privacy policy before you sign up or purchase goods.

Don't get hijacked:

Use a non-Microsoft browser.
Never click OK on pop-up windows online without reading them thoroughly.
Adjust your browser's settings to prevent ActiveX and JavaScript programs from running.

To keep others from prying:

Set up multiple logons for your family PC and use a password on each log on.
Always use strong passwords. Not sure what constitutes a strong password? Visit Web Passwords Made Easy

Pack your toolkit

That daunting list of threats may leave you feeling demoralised, certainly weary. The good news is you don't have to fight the onslaught on your own. There are some handy software tools you can use to help secure your system. Keep in mind, though, that even with excellent software defences installed you'll need to keep your guard up.

While some good security tools are free, be prepared to spend money on securing your computer. This is one area where it doesn't pay to be penny pinching.
So, what should you pack in your security and privacy toolkit? Here's a good starting list:

Anti-virus software. There are some useful free anti-virus tools, but over the years they have not proved to be the best line of defence. You're better off going with one of the well-known products with a proven track record, such as PC-Cillin, Norton AntiVirus 2005, Eset NOD32, and Kaspersky Anti-Virus. Make sure your anti-virus software protects your email and guards against Web site threats, as well as monitoring your system for infection from other sources.

Use your anti-virus program's update feature at least a couple of times each week.

Anti-spyware and anti-key-logging software. When it comes to anti-spyware tools, adopt the boots-and-braces approach. Because of the rapid proliferation of spyware threats, no software program can keep up with the flow, so it pays to install at least two anti-spyware programs. The good news is, two of the best tools available are free, Spybot Search & Destroy and Ad Aware. Note, though, that the freeware version of Ad Aware is significantly less aggressive than the commercial version. If you're really worried about spyware (and you should be), buy a copy of Ad Aware SE Professional or the equally good Spy Sweeper 3.0.

If you use Internet Explorer, a risky activity in itself, install the free BHODemon as well, to stop unwanted programs installing within IE.

A spam blocker. Top choices are Ella, EmailProtect and Norton AntiSpam. If you use Microsoft Outlook as your email client, upgrade to version 2003 if possible; it has very good built-in junk mail handling. Thunderbird email also has decent junk filters.
A firewall. A firewall monitors incoming and outgoing traffic between your computer and the Internet, and prevents any unauthorised activity. It's your best defence against being turned into a zombie, and can also trap the activity of spyware and key loggers. Windows XP has a built-in firewall which has been vastly improved with Service Pack 2. Still, it doesn't do a complete job of monitoring traffic, so you should install a third-party scanner instead (don't use two software firewalls concurrently). Check out Outpost Firewall Pro and BlackICE PC Protection. If you have a high-speed, always-on connection, you should consider using a hardware firewall in conjunction with your software firewall. Many cable/DSL routers have a hardware firewall built in.
If you share your computer with others or keep sensitive information on an easily accessible desktop or notebook computer, add password protection to your data. Darn! Passwords is an excellent and affordable password manager which will let you protect your passwords, PINs, serial numbers, account numbers and more.

Your entire toolkit should cost no more than $200, and probably much less than that as it's likely you already have at least some of these tools installed. If you're starting from scratch, you can reduce the cost by buying one of the security suites, such as Norton Internet Security or PC-Cillin. Each of these combines anti-virus, firewall, and anti-spam components with additional features such as anti-spyware or parental controls.

Family, friends and colleagues

If your computer sits in an office shared with others or if your family computes together, there's a risk someone will get interested in what you're up to. Some of those things – tracking financial information, your secret diary, your Christmas purchases – you may not wish to share.

With the threats from viruses and spyware, it's all too easy to forget that some of the biggest threats to your privacy and security are posed by people who can physically get their hands on your computer.

Zombies and DoS

If you've read this far and are thinking "I'm safe – there's nothing on my computer except a bunch of games," have another think. There are people out there who couldn't care less about the information stored on your computer, but they are certainly interested in your computer itself.

Spammers, hackers and virus writers have a vested interest in keeping their identity secret. To stay hidden, one tactic they use is to find unprotected computers on the Internet and use those computers to launch attacks or send spam. Your humble Internet-connected home PC is thus a valuable pawn in their schemes.

Hackers use a piece of code called an agent or daemon to control remote PCs without the owner's knowledge. They then use one or thousands of controlled PCs, known as zombies, to launch attacks on juicier targets. Zombie PCs are crucial in Denial of Service (DoS) attacks, designed to bring the Internet or a part of it to a standstill.

As well as hackers, spammers may find your computer a useful way station. Some spammers seek out vulnerable PCs and, when they find one, install a complete email server on it. They then use this hidden mail server to deliver tens of thousands of spams.

Viruses and worms

Viruses used to be the biggest bogey on the Internet. These days, they seem to take a back seat to spyware and spam and phishing scams. But don't let that shift lead you to regarding viruses lightly: get infected with a nasty virus and you'll know the definition of computer hell.

A virus is a small program that infects other code and then replicates. Some viruses also delete or corrupt other files, change computer settings and, in the worst cases, render your computer unusable.

Worms are also self replicating, but they do it alone without attaching to another program as viruses do. The most common form of worm is called a mass-mailing worm. Such a worm uses email to replicate itself. When activated, it may scan your entire computer system for email addresses and then email itself to those addresses. The worm may also place one of the addresses it uncovers into the "From:" field of the infected email, making it seem like it came from a completely different source (a technique known as spoofing the address).

Adware, spyware and key loggers

Adware is software which displays advertising while you use it. Many very useful free utilities and applications use the adware model to raise money. Most adware updates the ads displayed through an Internet connection; some tracks your computer usage in order to target the advertising to your interests.

Spyware is software installed without your knowledge or consent which tracks you while you use the computer and the Internet. Spyware may come piggybacking on other "legitimate" software or it may be installed via a Web site, when you unwisely click a pop-up dialog box to clear it from your screen.

Look for the padlock at the bottom of your browser's window before entering sensitive data online, and double-click the padlock to ensure the site's security certificate is in order.

As you might guess, the line between adware and spyware is sometimes measured in nanometres. Things get particularly nasty when spyware not only tracks your usage in order to target advertising, but also gathers personal information about you. In its most pernicious form, spyware may install a key logger on your computer. The key logger lurks hidden on your system and keeps track of every single thing you do, including everything you type. With a key logger active on your system, your security and privacy are completely compromised.

Phishing

Phishers use email and Web sites to try to reel in your private information, including bank account and credit card numbers, PINs and site passwords.
Of course, if you received an email saying "hand over your bank account details", you'd hit the Delete key before you blinked. But what if that email appeared to come from a bank with which you have online access? And what if the email said "There's a problem with your account, if you don't log in and fix the problem we'll suspend account access within 3 days"? And what if, on clicking the link supplied in the email, you found yourself, apparently, at your bank's Web site?

In that case, you might well think the email was on the up and up and complete the log in, in the process handing over your account number and password. Within minutes, the phisher can be working on making you poorer and sullying your credit record.

Telltale signs of a phishing scam: poor grammar and a fake Web address.

That's how phishers work. They fake – spoof – email addresses, email content and Web sites, right down to using the same graphics, wording and other components you find on the legitimate sites. By using some sneaky coding techniques, they can mask Web addresses, fake the padlock security icon on secure pages, and make it difficult, indeed, to spot the fraud.
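
The masked links described above can be spotted mechanically by comparing the address a link displays with the address it actually points to. The following Python code is an added example, not part of the original article; the function name `find_masked_links`, the sample message and the domain `examplebank.com` are all made up for illustration.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: HTML body of a suspicious message (all names are invented).
SAMPLE_EMAIL_HTML = """
<p>Log in at <a href="http://203.0.113.7/secure/login">https://www.examplebank.com/login</a>
within 3 days.</p>
<p><a href="https://www.examplebank.com/help">Help centre</a></p>
<p><a href="http://www.examplebank.com.account-verify.example/">www.examplebank.com</a></p>
<p><a href="https://www.examplebank.com/contact">www.examplebank.com/contact</a></p>
"""

# Matches link text that itself looks like a URL or host name and captures the host.
HOST_IN_TEXT = re.compile(
    r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?=[:/?#]|$)", re.I)


def _norm(host):
    """Lower-case a host name and drop a leading 'www.' so comparisons are fair."""
    host = (host or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.links.append((self._href, text))
            self._href = None


def find_masked_links(html):
    """Return links whose displayed address disagrees with their real target."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        try:
            target = _norm(urlsplit(href).hostname)
        except ValueError:
            findings.append({"text": text, "href": href,
                             "reasons": ["href cannot be parsed"]})
            continue
        if not target:
            continue  # mailto:, relative or empty links name no host
        reasons = []
        try:
            ipaddress.ip_address(target)
            reasons.append("href points at a raw IP address")
        except ValueError:
            pass
        shown_match = HOST_IN_TEXT.match(text)
        if shown_match:
            shown = _norm(shown_match.group(1))
            # The same host, or a subdomain of the displayed host, is consistent.
            if target != shown and not target.endswith("." + shown):
                if target.startswith(shown + "."):
                    reasons.append(f"real host only starts with {shown}")
                else:
                    reasons.append(f"text shows {shown} but link goes to {target}")
        if reasons:
            findings.append({"text": text, "href": href, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_masked_links(SAMPLE_EMAIL_HTML):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Links whose text is plain wording, such as "Help centre", make no claim about their destination and are not flagged, which is why typing the address yourself remains the safer habit.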

Spam

We all know spam is a nuisance, but does it rate as a security threat?

Well, apart from the complete invasion of privacy caused by having pornographic spam splattered all over your inbox (and your children's inboxes), the answer is…yes. Many spam emails contain Web bugs – invisible graphics containing tracking code designed for the same purposes as spyware. In addition, the sheer volume of spam and the frustration of having to deal with it may lead to incautious behaviour. That is particularly the case when spam is used as the delivery method for a virus or spyware or phishing scam. An unthinking click in the wrong email and, bam!, you've granted entry to the scammers.

Browser hijacking

Browser hijacking is the use of programming tools, in the form of scripts, to modify your browser's default settings. This may be as trivial as adding a new link to your favourites or bookmarks, or as unconscionable as changing your home page persistently via a combination of scripting, registry changes and auto-running programs.

What's the point of hijacking? To bring you back, over and over, to a site or a site's sponsor, in the hope of boosting business. The site to which you are hijacked may also house spyware, and the more often you end up on the site trying to close in-your-face pop-ups and escape, the more chance you'll accidentally install that spyware.

A beginner's guide to Internet security

Do you ever get the feeling your computing life has degenerated into a constant battle against viruses and spam, spyware and hackers…and you're on the losing side?
You're not alone.
While the past twenty years have seen computers evolve in extraordinary fashion, the safety of the average computer user has been on a downwards spiral for at least the past decade.
Blame it on the popularity and affordability of the humble PC, which has put power into the hands of the many; blame it on the Internet, which connects everyone with everyone else; blame it on the alignment of the planets. No matter who or what you blame, there's no getting around it: computing now is a riskier proposition than it was in the good old days of the '80s and early '90s.
In those ancient times, sighting a real live virus was cause for commotion, and spyware was unheard of. All you needed to do to compute safely was to use anti-virus software and make backups. These days, if your only security tool is an anti-virus program, you're leaving yourself wide open to the vast majority of security risks and privacy threats.
So, should you throw up your hands in defeat and take the PC to the tip? Not on your life. All you need to defeat the forces of evil at their own game is a bit of savvy, a small collection of tools and some common sense. This article will provide you with the first two and we'll even throw in some guidelines for applying your own good sense.

Thursday, 6 October 2011

Anti-virus Packages

Virus protection software is packaged with most computers and can counter most virus threats if the software is regularly updated and correctly maintained. The anti-virus industry relies on a vast network of users to provide early warnings of new viruses, so that antidotes can be developed and distributed quickly. With thousands of new viruses being generated every month, it is essential that the virus database is kept up to date. The virus database is the record held by the anti-virus package that helps it to identify known viruses when they attempt to strike. Reputable anti-virus software vendors will publish the latest antidotes on their Web sites, and the software can prompt users to periodically collect new data.

Network security policy should stipulate that all computers on the network are kept up to date and, ideally, are all protected by the same anti-virus package—if only to keep maintenance and update costs to a minimum. It is also essential to update the software itself on a regular basis. Virus authors often make getting past the anti-virus packages their first priority.

Security Policies

When setting up a network, whether it is a local area network (LAN), virtual LAN (VLAN), or wide area network (WAN), it is important to initially set the fundamental security policies. Security policies are rules that are electronically programmed and stored within security equipment to control such areas as access privileges. Of course, security policies are also written or verbal regulations by which an organization operates. In addition, companies must decide who is responsible for enforcing and managing these policies and determine how employees are informed of the rules and watch guards.

Security Policy, Device, and Multidevice Management functions as a central security control room where security personnel monitor building or campus security, initiate patrols, and activate alarms.

What are the policies?

The policies that are implemented should control who has access to which areas of the network and how unauthorized users are going to be prevented from entering restricted areas. For example, generally only members of the human resources department should have access to employee salary histories. Passwords usually prevent employees from entering restricted areas, but only if the passwords remain private. Written policies as basic as to warn employees against posting their passwords in work areas can often preempt security breaches. Customers or suppliers with access to certain parts of the network, must be adequately regulated by the policies as well.

Who will enforce and manage the policies?

The individual or group of people who police and maintain the network and its security must have access to every area of the network. Therefore, the security policy management function should be assigned to people who are extremely trustworthy and have the technical competence required. As noted earlier, the majority of network security breaches come from within, so this person or group must not be a potential threat. Once assigned, network managers may take advantage of sophisticated software tools that can help define, distribute, enforce, and audit security policies through browser-based interfaces.

Security Tools

After the potential sources of threats and the types of damage that can occur have been identified, putting the proper security policies and safeguards in place becomes much easier. Organizations have an extensive choice of technologies, ranging from anti-virus software packages to dedicated network security hardware, such as firewalls and intrusion detection systems, to provide protection for all areas of the network.

Top Ten Security Tips

1. Encourage or require employees to choose passwords that are not obvious.
2. Require employees to change passwords every 90 days.
3. Make sure your virus protection subscription is current.
4. Educate employees about the security risks of e-mail attachments.
5. Implement a complete and comprehensive network security solution.
6. Assess your security posture regularly.
7. When an employee leaves a company, remove that employee’s network access immediately.
8. If you allow people to work from home, provide a secure, centrally managed server for remote traffic.
9. Update your Web server software regularly.
10. Do not run any unnecessary network services.

What can these enemies do?

Viruses

Viruses are the most widely known security threats, because they often garner extensive press coverage. Viruses are computer programs that are written by devious programmers and are designed to replicate themselves and infect computers when triggered by a specific event. For example, viruses called macro viruses attach themselves to files that contain macro instructions (routines that can be repeated automatically, such as mail merges) and are then activated every time the macro runs. The effects of some viruses are relatively benign and cause annoying interruptions such as displaying a comical message when striking a certain letter on the keyboard. Other viruses are more destructive and cause such problems as deleting files from a hard drive or slowing down a system.

A network can be infected by a virus only if the virus enters the network through an outside source—most often through an infected floppy disk or a file downloaded from the Internet. When one computer on the network becomes infected, the other computers on the network are highly susceptible to contracting the virus.

“85 percent of respondents detected computer security breaches within the last 12 months, up 42% from 1996.” —Annual Computer Security Institute and FBI Survey, 2001

Trojan Horse Programs

Trojan horse programs, or trojans, are delivery vehicles for destructive code. Trojans appear to be harmless or useful software programs, such as computer games, but they are actually enemies in disguise. Trojans can delete data, mail copies of themselves to e-mail address lists, and open up computers to additional attacks. Trojans can be contracted only by copying the trojan horse program to a system, via a disk, downloading from the Internet, or opening an e-mail attachment. Neither trojans nor viruses can be spread through an e-mail message itself—they are spread only through e-mail attachments.

Vandals

Web sites have come alive through the development of such software applications as ActiveX and Java Applets. These devices enable animation and other special effects to run, making Web sites more attractive and interactive. However, the ease with which these applications can be downloaded and run has provided a new vehicle for inflicting damage. A vandal is a software application or applet that causes destruction of varying degrees. A vandal can destroy just a single file or a major portion of a computer system.

Attacks

Innumerable types of network attacks have been documented, and they are commonly classified in three general categories: reconnaissance attacks, access attacks, and denial of service (DoS) attacks.

• Reconnaissance attacks are essentially information gathering activities by which hackers collect data that is used to later compromise networks. Usually, software tools, such as sniffers and scanners, are used to map out network resources and exploit potential weaknesses in the targeted networks, hosts, and applications. For example, software exists that is specifically designed to crack passwords. Such software was created for network administrators to assist employees who have forgotten their passwords or to determine the passwords of employees who have left the company without telling anyone what their passwords were. Placed in the wrong hands, however, this software can become a very dangerous weapon.
• Access attacks are conducted to exploit vulnerabilities in such network areas as authentication services and File Transfer Protocol (FTP) functionality in order to gain entry to e-mail accounts, databases, and other confidential information.
• DoS attacks prevent access to part or all of a computer system. They are usually achieved by sending large amounts of jumbled or otherwise unmanageable data to a machine that is connected to a corporate network or the Internet, blocking legitimate traffic from getting through. Even more malicious is a Distributed Denial of Service attack (DDoS) in which the attacker compromises multiple machines or hosts.

Data Interception

Data transmitted via any type of network can be subject to interception by unauthorized parties. The perpetrators might eavesdrop on communications or even alter the data packets being transmitted. Perpetrators can use various methods to intercept the data. IP spoofing, for example, entails posing as an authorized party in the data transmission by using the Internet Protocol (IP) address of one of the data recipients.

Social Engineering

Social engineering is the increasingly prevalent act of obtaining confidential network security information through non-technical means. For example, a social engineer might pose as a technical support representative and make calls to employees to gather password information. Other examples of social engineering include bribing a coworker to gain access to a server or searching a colleague’s office to find a password that has been written in a hidden spot.

Spam

Spam is the commonly used term for unsolicited electronic mail or the action of broadcasting unsolicited advertising messages via e-mail. Spam is usually harmless, but it can be a nuisance, taking up the recipient’s time and storage space.

Who are the enemies?

Disgruntled Staff

Far more unsettling than the prospect of employee error causing harm to a network is the potential for an angry or vengeful staff member to inflict damage. Angry employees, often those who have been reprimanded, fired, or laid off, might vindictively infect their corporate networks with viruses or intentionally delete crucial files. This group is especially dangerous because it is usually far more aware of the network, the value of the information within it, where high-priority information is located, and the safeguards protecting it.

Snoops

Whether content or disgruntled, some employees might
also be curious or mischievous. Employees known as
“snoops” partake in corporate espionage, gaining
unauthorized access to confidential data in order to
provide competitors with otherwise inaccessible
information. Others are simply satisfying their personal
curiosities by accessing private information, such as
financial data, a romantic e-mail correspondence between
coworkers, or the salary of a colleague. Some of these
activities might be relatively harmless, but others, such as