
Using UTM to emulate Internet Explorer Trusted Sites Zone?

IE has the design feature to split the network into four zones:   Intranet, Trusted Sites, Internet, and Restricted.    Of these, the two most important for UTM are Trusted Sites and Internet.   (I assume that if a site needs to be restricted, it will simply be blocked completely in UTM.)  In IE, the Trusted Site Zone enables a raft of features which are not enabled for the default Internet Zone.   Except for features like ActiveX that are specific to IE, this distinction has limited security benefit because other browsers do not have the zone concept and therefore enable all features equally.

It occurs to me that UTM could emulate the Trusted Sites feature for other browsers fairly easily.   Simply paste the Trusted Sites list into a WebSite exception, to apply a TrustedZone tag (leaving the Category and Reputation unaltered).

Has anyone done something like this?   If so, what UTM features have you implemented differently between the TrustedZone and the default zone?   



  • Based on multiple views but no replies, I guess most people think the idea was a little crazy.   Anyway, I reviewed the Windows Internet Options in detail, using a Windows 10 machine, where the defaults had not been modified.  The "Trusted Sites" zone was set to the security level "Medium-High", while the "Internet" zone was set to security level "Medium".   As I compared the individual settings, I kept thinking:  

    • How might this setting be abused against me, if I leave it enabled?  I should earn a doctorate in Internet Explorer before I start using this product.
    • If this setting is so dangerous that I might need to turn it off, why is it there at all?

    Most of the Internet Explorer security settings seemed very specific to the product, and did not seem applicable to other browsers.   Additionally, UTM has relatively few things that can be applied differently based on a Tag or other criteria in a Filter Action.

    Consequently, the only potentially useful feature in UTM, which could be driven by the "Trusted Sites" concept, is the Active Content setting.   You could block Active Content by default, apply a Tag to the Trusted URLs, and configure an exception to content blocking for sites with the Trusted tag.   Active Content primarily means ActiveX, Java, and Flash, and each of these has a different configuration strategy.   Someone else may be able to add to the list.

    Using UTM to filter Active Content still has some limits to usefulness:

    • For domain accounts logged into a domain computer, ActiveX is best controlled using group policies and the ActiveX installer control.   A UTM-based defense might be helpful as a backup strategy to protect against local accounts logged into a domain computer, or any account on a non-domain computer.
    • Java has made so many mistakes, and been locked down so tightly in response, that it is nearly impossible to use Java unless the site has been configured into the Java control panel as a trusted site.   Creating a master list of all Java sites in the organization has some appeal, but would be difficult.   The one solution for configuring the same Java trust list on all computers is the product PolicyPak.
    • Flash does not have any URL-specific security features, so a UTM Trusted tag may be useful here.   However, as I have noted elsewhere, UTM only filters the <object> tag.   It is also possible to invoke Flash (and probably other active content) using Javascript instead of static tags.   UTM cannot block content that is buried inside Javascript, and due to complexity, is unlikely to do so in the future.   Since it seems impossible to disable Javascript, even this defense is very limited.
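The tag-and-exception scheme described in the post above amounts to a URL classifier: decide which zone a request belongs to, then apply a zone-specific policy (here, allow Active Content only for the TrustedZone). The following is an added example in Python, not code from this thread, from Sophos UTM, or from Microsoft. It models the entry forms the IE Trusted Sites dialog accepts (scheme-qualified origin, bare host, "*." wildcard, IP literal) with simplified matching rules that are my assumption of IE's behaviour, and the TRUSTED_SITES list and ZONE_POLICY table are constructed sample data.

```python
from urllib.parse import urlsplit

# Constructed sample of an IE-style "Trusted Sites" list (not a real site list).
# Entry forms: full origin with scheme, bare host, "*." wildcard, IP address.
TRUSTED_SITES = [
    "https://intranet.example.com",   # exact host, https only
    "*.corp.example.com",             # any scheme, any subdomain of corp.example.com
    "http://10.0.0.5",                # plain-http application on an IP address
]

# What each zone permits. The thread found Active Content to be the only
# distinction worth driving from the zone in UTM, so that is the only knob here.
ZONE_POLICY = {
    "TrustedZone": {"active_content": "allow"},
    "Internet":    {"active_content": "block"},
}


def _parse_entry(entry):
    """Split a trusted-site entry into (scheme or None, host pattern).

    Assumption: an entry without '://' applies to every scheme. Any path part
    is ignored because zone membership is decided per host, not per page.
    """
    entry = entry.strip().lower()
    scheme = None
    if "://" in entry:
        scheme, entry = entry.split("://", 1)
    host_pattern = entry.split("/", 1)[0]
    return scheme, host_pattern


def _host_matches(pattern, host):
    """'*.x.y' matches hosts ending in '.x.y'; anything else must match exactly.

    The leading dot is kept in the suffix check so that 'evilcorp.example.com'
    does not satisfy '*.corp.example.com'.
    """
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def zone_for(url, trusted_sites=TRUSTED_SITES, require_https=False):
    """Return 'TrustedZone' if url matches the trusted list, else 'Internet'.

    require_https mirrors the IE option "Require server verification (https:)
    for all sites in this zone": with it set, no plain-http URL can be trusted.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()   # hostname drops any port and userinfo
    if require_https and scheme != "https":
        return "Internet"
    for entry in trusted_sites:
        entry_scheme, pattern = _parse_entry(entry)
        if entry_scheme not in (None, scheme):
            continue                         # entry is bound to a different scheme
        if _host_matches(pattern, host):
            return "TrustedZone"
    return "Internet"


def active_content_decision(url, **kwargs):
    """Classify the URL and return (zone, action) for Active Content."""
    zone = zone_for(url, **kwargs)
    return zone, ZONE_POLICY[zone]["active_content"]


if __name__ == "__main__":
    # Constructed sample requests, including two look-alike hosts that must
    # NOT be trusted: a suffix collision and a subdomain of an attacker domain.
    for sample in [
        "https://intranet.example.com/portal",
        "http://intranet.example.com/",
        "https://app.corp.example.com/x",
        "https://evilcorp.example.com/",
        "https://intranet.example.com.attacker.test/",
        "http://10.0.0.5/app",
    ]:
        print(sample, "->", active_content_decision(sample))
```

The exact-match and dotted-suffix rules are the part worth getting right: a host-prefix or substring match would let an unrelated domain inherit the TrustedZone tag, which in UTM terms means it would also inherit the content-blocking exception.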


  • Because it is difficult to analyze the Internet Explorer zone settings, I am pasting in the results of my spreadsheet.   The formatting will be messed up, but it may be useful to someone:


    | Category | Property | Trusted/MedHi | Intranet/Med | Different |
    |---|---|---|---|---|
    | DotNet Framework | Loose XAML | Enable | Disable | * |
    | DotNet Framework | XAML browser | Enable | Disable | * |
    | DotNet Framework | XPS Documents | Enable | Enable | |
    | DotNet Framework-reliant components | Permissions for Components with Manifests | High Safety | High Safety | |
    | DotNet Framework-reliant components | Run components not signed with Authenticode | Enable | Enable | |
    | DotNet Framework-reliant components | Run components signed with Authenticode | Enable | Enable | |
    | ActiveX controls and plug-ins | Allow ActiveX filtering | Enable | Enable | |
    | ActiveX controls and plug-ins | Allow previously unused controls to run without prompting | Enable | Disable | * |
    | ActiveX controls and plug-ins | Allow Scriptlets | Disable | Disable | |
    | ActiveX controls and plug-ins | Automatic prompting for ActiveX Controls | Disable | Disable | |
    | ActiveX controls and plug-ins | Binary and Script Behaviors | Enable | Enable | |
    | ActiveX controls and plug-ins | Display Video and animation on a webpage that does not use external media player | Disable | Disable | |
    | ActiveX controls and plug-ins | Download signed ActiveX controls | Prompt | Prompt | |
    | ActiveX controls and plug-ins | Download unsigned ActiveX controls | Disable | Disable | |
    | ActiveX controls and plug-ins | Initialize and script ActiveX controls | Disable | Disable | |
    | ActiveX controls and plug-ins | Only allow approved domains to use ActiveX controls without prompting | Disable | Enable | * |
    | ActiveX controls and plug-ins | Run ActiveX controls and plugins | Enable | Enable | |
    | ActiveX controls and plug-ins | Run antimalware software on ActiveX controls | Disable | Enable | * |
    | ActiveX controls and plug-ins | Script ActiveX controls marked safe for scripting | Enable | Enable | |
    | Downloads | File Download | Enable | Enable | |
    | Downloads | Font Download | Enable | Enable | |
    | Enable DotNet Framework Setup | <enable it?> | Enable | Enable | |
    | Miscellaneous | Access data sources across domains | Disable | Disable | |
    | Miscellaneous | Allow dragging of content between domains into separate windows | Disable | Disable | |
    | Miscellaneous | Allow dragging of content between domains into same windows | Disable | Disable | |
    | Miscellaneous | Allow META Refresh | Enable | Enable | |
    | Miscellaneous | Allow scripting of Microsoft web browser control | Disable | Disable | |
    | Miscellaneous | Allow script-initiated windows without size or position constraints | Disable | Disable | |
    | Miscellaneous | Allow the TDC Control | Enable | Disable | * |
    | Miscellaneous | Allow webpages to use restricted protocols for active content | Prompt | Prompt | |
    | Miscellaneous | Allow websites to open windows without address or status bars | Enable | Prompt | * |
    | Miscellaneous | Display mixed content | Prompt | Prompt | |
    | Miscellaneous | Don't prompt for digital certificate when only one exists | Disable | Disable | |
    | Miscellaneous | Drag and drop or copy and paste files | Enable | Enable | |
    | Miscellaneous | Enable MIME Sniffing | Enable | Enable | |
    | Miscellaneous | Include local directory path when uploading files to a server | Enable | Disable | * |
    | Miscellaneous | Launching applications and unsafe files | Enable | Prompt | * |
    | Miscellaneous | Launching programs and files in an IFRAME | Prompt | Prompt | |
    | Miscellaneous | Navigate windows and frames across different domains | Disable | Disable | |
    | Miscellaneous | Render legacy filters | Enable | Disable | * |
    | Miscellaneous | Submit non-encrypted form data | Enable | Enable | * |
    | Miscellaneous | Use Pop-up blocker | Enable | Enable | |
    | Miscellaneous | Use SmartScreen Filter | Enable | Enable | |
    | Miscellaneous | Userdata persistence | Enable | Enable | |
    | Miscellaneous | Websites in less privileged web content zone can navigate into this zone | Enable | Enable | |
    | Scripting | Active Scripting | Enable | Enable | |
    | Scripting | Allow programmatic clipboard access | Prompt | Prompt | |
    | Scripting | Allow status bar updates via scripts | Enable | Disable | * |
    | Scripting | Allow websites to prompt for information using scripted windows | Enable | Disable | * |
    | Scripting | Enable XSS filter | Enable | Enable | |
    | Scripting | Scripting of Java Applets | Enable | Enable | |
    | User Authentication | Automatic login only in Intranet zone | Yes | Yes | |

  • Interesting thread, Doug.  I've pasted it at the top of the Web Protection forum for a month to see if that helps you get more comments/feedback.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA