How To Secure Your Web Browser
Internet Explorer, Mozilla Firefox, Netscape*, and Apple's Safari
(*Warning: official support for all Netscape client products ended on March 1st, 2008. Please see the announcement for details.)
These security settings are based on recommendations from the California Institute of Technology and from CERT at Carnegie Mellon University. SecureFlorida.org recognizes that disabling Java Scripting can cause some Internet-based utilities to run improperly. For answers to questions or concerns, visit the links provided below, or contact your network security professional.
Internet Explorer
Using Internet Explorer 5 or higher
These instructions apply to Internet Explorer versions 5 or higher; if you are using an earlier version, these instructions may not work correctly. (To determine your software version, from the Help menu, select About Internet Explorer. A dialog box appears with information about your browser, including the version number.) If you are using a version of Internet Explorer lower than version 5, Microsoft recommends that you upgrade to a newer version.
- Start the Internet Explorer web browser.
- From the Tools menu select Internet Options. The Internet Options dialog box appears.
- Select the Security tab. The Security Options panel appears.
- Click on the picture of the planet labeled "Internet" to select it (it should already be selected.)
- Click the Custom Level button. The Security Settings dialog box appears.
- Select the Medium option from the pull-down list if it is not already selected.
- Click the Reset button. A dialog box appears asking if you are sure you want to change the security settings for this zone. Click Yes.
- You now need to scroll through the settings list and make the additional changes listed in the following steps.
- For the option "Script ActiveX controls marked safe for scripting," check "Prompt."
- For the option "Java permissions," check "Disable Java." Note: If you have Microsoft Virtual Machine installed, this setting will be under the Microsoft VM section. If you do not have a Java permissions setting, Java is already disabled.
- For the option "Active scripting" under the Scripting section, check "Disable."
- Click OK to accept these changes. A dialog box appears asking if you are sure you want to make these changes.
- Click Yes.
- In the Internet Options dialog box, click the Advanced tab. The Advanced Options panel appears.
- Under the Security settings, check "Warn if changing between secure and not secure."
- Click Apply to save your changes.
- Click OK to close the Internet Options dialog box.
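To confirm that the steps above took effect, you can check the per-user registry values that the Internet Options dialog writes for the Internet zone. This PowerShell audit is an added example, not part of the original instructions; the registry value names (1400, 1405, 1C00, WarnonZoneCrossing) and their expected data come from Microsoft's documented zone settings and are not stated on this page.

```powershell
# Added example: audit the current user's Internet zone (zone 3) against
# the settings recommended in the steps above. Read-only; changes nothing.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$zone = Join-Path $inet 'Zones\3'

# Expected data: 0 = enable, 1 = prompt, 3 = disable for URL actions;
# for Java permissions (1C00), 0 means "Disable Java".
$baseline = @(
    [pscustomobject]@{ Key = $zone; Name = '1405'; Want = 1
        Setting = 'Script ActiveX controls marked safe for scripting: Prompt' }
    [pscustomobject]@{ Key = $zone; Name = '1C00'; Want = 0
        Setting = 'Java permissions: Disable Java' }
    [pscustomobject]@{ Key = $zone; Name = '1400'; Want = 3
        Setting = 'Active scripting: Disable' }
    [pscustomobject]@{ Key = $inet; Name = 'WarnonZoneCrossing'; Want = 1
        Setting = 'Warn if changing between secure and not secure' }
)

function Get-BrowserSettingAudit {
    param([object[]]$Baseline)
    foreach ($item in $Baseline) {
        # A missing value means the setting was never written for this user.
        $props = Get-ItemProperty -Path $item.Key -Name $item.Name -ErrorAction SilentlyContinue
        $actual = if ($props) { $props.($item.Name) } else { $null }
        # Older installs may store the value as 4 raw bytes instead of a DWORD.
        if ($actual -is [byte[]] -and $actual.Length -ge 4) {
            $actual = [BitConverter]::ToInt32($actual, 0)
        }
        [pscustomobject]@{
            Setting = $item.Setting
            Value   = $item.Name
            Want    = $item.Want
            Actual  = $actual
            Pass    = ($actual -is [ValueType]) -and ($actual -eq $item.Want)
        }
    }
}

$results = Get-BrowserSettingAudit -Baseline $baseline
$results | Format-Table -AutoSize

# List only the settings that still differ from the recommendation.
$failed = @($results | Where-Object { -not $_.Pass })
"{0} of {1} settings match the recommended values." -f ($results.Count - $failed.Count), $results.Count
```

Values pushed by Group Policy are stored under the `Software\Policies` branch and take precedence, so a pass here reflects only the per-user settings made through the dialog.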
Microsoft maintains a site with security announcements and updates, geared mostly toward system administrators.
Mozilla Firefox
Using Firefox 1 and higher
- Start the Mozilla Firefox web browser.
- Select Tools, then Options.
- Under the Privacy category, select the Cookies tab. You can disable cookies or change your preferences for how the browser handles them. In general, we recommend enabling cookies "for the original site only." Additionally, by enabling the option "unless I have removed cookies set by the site," a web site can be "blacklisted" from setting cookies when its cookies are removed manually. You may also choose to keep cookies only "until I close Firefox." This will delete all cookies when you close Firefox, if you're concerned about privacy. A downside is that web sites will not remember your preferences the next time you log in to them.
- Many web browsers will allow you to store login information. In general, we recommend against using such features. Should you decide to use the feature, ensure that you use the measures available to protect the password data on your computer. Under the Privacy category, the Passwords tab contains various options to manage stored passwords, and a Master Password feature to encrypt the data on your system. We encourage you to use this option if you decide to let Mozilla Firefox manage your passwords.
- The Content category has an option to Enable Java. Java is a programming language that permits web site designers to run applications on your computer. We recommend disabling this feature unless required by the site you wish to visit. If you determine the site is trustworthy, you would enable Java and then, when finished visiting the site, we recommend disabling Java until you need it again.
- The Warn me when web sites try to install extensions or themes option will display a warning bar at the top of the browser when a web site attempts to take such an action.
- Press the Advanced button to disable specific JavaScript features. We recommend disabling the options displayed in this dialog.
- The Downloads category has an option to modify actions taken when files are downloading. Any time a file type is configured to open automatically with an associated application, this can make the browser more dangerous to use. Click the View & Edit Actions button to view the current download settings and modify them if necessary. The Download Actions dialog box shows the file types and the actions the browser will perform when it encounters a given file type. For any file type listed, click on either Remove Action or Change Action. If you click on Change Action, select "Save them on my computer" to save files of that type to the computer. This helps prevent automated exploitation of vulnerabilities that may exist in these applications.
- Firefox includes a feature to Clear Private Data. This option will remove potentially sensitive information from the web browser. Select Tools from the top menu of your Firefox browser, then select Clear Private Data to use this privacy feature.
For more information on Mozilla security alerts and announcements, you can see their site regarding the issue.
Netscape
Using Netscape 3.0 through 6.2.3
These instructions apply primarily to versions of Netscape from 3.0 through 6.2.3. (To determine your software version, from the Help menu, select About Communicator. A page should appear with your version number listed at the top.) If you are using Netscape 7.0 or higher, scroll down for instructions on securing your browser. According to the security announcements supplied by Netscape, it is not necessary to disable Java or JavaScript in versions 7.0 and higher.
- Start the Netscape Communicator browser.
- From the Edit menu, select Preferences. The Preferences dialog box appears.
- From the Category list, click on Advanced. The Advanced Preferences panel appears.
- Uncheck Enable Java.
- Uncheck Enable JavaScript.
- Click OK to accept the changes.
- Click the Padlock icon in the lower left-hand corner of your browser. The Security Info dialog box appears.
- Click the Navigator link from the list on the left. The Navigator Security Settings panel appears.
- In the Show a warning before: section, check Viewing a page with encrypted/unencrypted mix and Leaving an encrypted site.
- Click OK to accept the changes and close the dialog box.
Instructions for Netscape 7.0 and higher
According to the security release posted on Netscape's web site, it should be unnecessary to disable Java or JavaScript in versions 7.0 or higher; however, the instructions to do so are below. Also below are instructions for enabling the pop-up suppression feature. Steps 7-10 are automatically enabled when Netscape is installed; however, if you would like to check this setting, the instructions to do so are also below.
- Start the Netscape Communicator browser.
- From the Edit menu, select Preferences. The Preferences dialog box appears.
- From the Category list, click on Advanced. The Advanced Preferences panel appears.
- Uncheck Enable Java.
- You will now need to expand the Advanced tab by clicking on the triangle next to the word Advanced.
- Now click on Scripts & Plugins and the Scripts & Plugins panel appears.
- Uncheck the box to the left of Navigator to disable JavaScript in the Navigator (Netscape) web browser.
- To suppress popup windows, expand the Privacy & Security tab by clicking on the triangle next to the words Privacy & Security.
- Now click on Popup Windows and the Popup Windows panel appears.
- Click on the radio button (circle) next to Suppress popups and select whether you want your browser to play a sound or display an icon in the Navigator status bar when a popup has been suppressed.
- Finally, to check your encryption warning settings, you will need to click on SSL, still under Privacy and Security settings. The SSL panel will appear.
- Under SSL Warnings, you will see a list of the warnings that will be shown.
For more information on Netscape security announcements and updates, you can see their site regarding the issue.
Apple's Safari
Using Safari
Safari supports many of the same features as Mozilla Firefox. This section describes steps to disable various features in Safari.
- Start the Safari browser.
- Mac users: Select Safari from the top menu and then select Preferences. Windows users: Select Edit from the top menu and then select Preferences.
- Under the General category, we recommend that you save downloaded files to a temporary folder that you create for downloading files. For Mac users, we also recommend that you deselect the Open "safe" files after downloading option.
- Under the Autofill category, you can select what types of forms your browser will fill in automatically. In general, we recommend against using AutoFill features. If someone can gain access to your computer, or to the data files, then the AutoFill feature may permit them even easier access to other sites that they would not otherwise have the ability to access.
- The Security category provides several options. The Web Content section permits you to enable or disable various forms of scripting and active content. We recommend disabling the first two options in this section, and only enabling them when you require the functionality of these features. We recommend selecting the Block Pop-up Windows option. You can also limit cookies to the sites you navigate to by selecting the option Only from sites you navigate to. This will permit sites that you visit to set cookies, but not third-party sites. We also recommend selecting the Ask before sending a non-secure form to a secure website option. This will alert you when data is sent to a secure web site over an insecure channel.
For more information on Apple's security announcements and updates, you can see their site regarding the issue.