Windows Vista Internet Explorer 7.0 Overview 謝合宜 微軟特約技術顧問 MCSE : Security/Messaging MVP/MCT

預備知識 熟悉Windows作業系統的使用 熟悉Internet Explorer的使用與管理 Level 200

講題大綱 Microsoft Windows Internet Explorer 7 一般使用者使用經驗的改變 安全架構 IT 管理的情形

Internet Explorer 7 的主要改變 讓每天的工作越簡單 動態的安全保護 架構與管理的改善

Internet Explorer 索引標籤式瀏覽(Tabs & Quick Tabs)

Internet Explorer Page Zoom 之前 現在

Internet Explorer Print Review

Internet Explorer RSS Feed Support

Internet Explorer 自訂搜尋引擎

讓每天的工作越簡單 索引標籤式瀏覽 Page Zoom Print Review RSS Feed Support 自訂搜尋引擎

Internet Explorer 7的安全功能 保護你的系統 URL 問題處理 跨網域的執行碼安全保護 ActiveX Opt-in 危險設定通知修正 使用保護模式來避免惡意程式(Windows Vista only) 透過 Windows Defender 保護程式下載動作 保護使用者個人資料 釣魚過濾防護 不同顏色的網址列標示來分辨安全性 SSL加強防護 International Domain Name (IDN) 網址檢查 (http://www.microsóft.com) 親子控制功能 (Parental Control, Windows Vista only)

ActiveX Opt-in 與保護模式 保護系統免於惡意程式攻擊 減少攻擊面 先前未使用的控制項會被停用 保留 ActiveX 的好處，但是進一步保護使用者 保護模式 減少惡意程式背景安裝 IE 使用低權限且獨立的行程來執行程式 兼顧安全性與相容性 ActiveX Opt-in 已啟用 控制項 Windows 已停用 控制項 使用者 啟用 保護模式 使用者 啟用 IE 快取 我的電腦 (C:) 代理 行程 低權限 IE7 on Vista offers two major security improvements ActiveX Opt-in and Protected Mode. ActiveX Opt-in is designed to give users more control over the software running on their PCs. To reduce the attack surface, ActiveX Opt-in will disable by default ActiveX controls that are rarely used or were never intended to be invoked in IE.  Controls that users have installed via a web download or have been used in IE before upgrading to IE7 will be enabled by default. Users will have the option to enable controls as needed using the same Information Bar they have used to install new controls since Windows XP SP2. While the final implementation is still being developed, the goal is a safer browsing experience for users with the add-ons they value already enabled and ready for use. Protected Mode offers users a powerful security enhancement by reducing the severity of threats faced by malicious attacks. A new feature in IE7 for Windows Vista, Protected Mode eliminates the silent install of malicious code through software vulnerabilities. Protected mode accomplishes this by running IE in isolation from any other application or process in the operating system and limiting the IE process from writing to any location beyond Temporary Internet Files without explicit user consent. Running IE in isolation prevents it from accessing other applications, even other instances of IE, removing any potential for escalation of privilege by using a buffer overrun attack. A Protected Mode IE session will still enable users to enjoy the powerful extensibility and unique website features they are used to having with IE. Protected Mode will only be available in Windows Vista.

用完整權限執行的Internet Explorer 二○一八年十一月十八日 用完整權限執行的Internet Explorer IExplore.exe Admin Rights Access Install an ActiveX control HKLM Program Files Exploit can install MALWARE User Rights Access Change Settings, Download a Picture HKCU My Documents Startup Folder Exploit can install MALWARE Temp Internet Files Cache Web content Untrusted files and settings © 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary. 13

Untrusted files and settings 二○一八年十一月十八日 以最低權限執行的保護模式 Protected Mode Internet Explorer Integrity Control Broker Process Redirected settings and files Compat Redirector Admin Rights Access Install an ActiveX control HKLM HKCR Program Files Broker Process User Rights Access Change settings, Save a picture HKCU My Documents Startup Folder Temp Internet Files Cache Web content Untrusted files and settings © 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary. 14

附加元件管理

動態的安全保護 ActiveX Opt-in 保護模式 SSL保護

URL Reputation Service Phishing Filter URL Reputation Service https://urs.microsoft.com Known Good URLs IEAPFLTR.DAT

URL Reputation Service Phishing Filter的資料收集 URL Reputation Service Grader Confirmed Sites Third Party Phishing databases End User Report Site Owner Report https://urs.microsoft.com

Phishing Filter Parental Control

ITPro Life Cycle Pre Installation Customization Deployment Manageability Troubleshooting / Diagnostics “Application Compatibility Toolkit” “Internet Explorer Administration Kit (IEAK) 7” “Improvements in Group Policy in Internet Explorer 7” “RIES - Reset Internet Explorer Settings”

客製化與部署管理 Internet Explorer Administration Kit (IEAK) 使用情境 公司管理員: 自定 Internet Explorer，在AD環境中透過群組原則來部署、管理 ISP / ICP / ISV: 客製 Internet Explorer 7,透過網站或CD來散佈 公司管理員: 自定 Internet Explorer，在沒有AD環境中透過群組原則來部署、管理

Internet Explorer Administration Kit (IEAK)

Group Policy for IE 7.0

Reset Internet Explorer Settings

Group Policy Reset Internet Explorer Settings

講題總結 IE 7的主要改變 使用者的使用經驗 安全控管 設定管制

For More Information… IE Website TechNet Windows Vista www.microsoft.com/taiwan/technet Windows Vista www.microsoft.com/taiwan/windowsvista Windows Vista: Resources for IT Professional www.microsoft.com/technet/windowsvista/default.mspx IE Website http://www.microsoft.com/windows/ie/ MVP Community社群網站 www.microsoft.com/taiwan/community