Secure Your Home Computer
By: TomCat Internet Solutions, 03/06/2005
Basic JavaScript Rules
- Never, ever, enable JavaScript for e-mail or e-mail attachments. While JavaScript may be fine for internet browsing, it
can be dangerous when enabled for e-mail. See How to disable JavaScript in e-mail programs for step-by-step instructions.
- Never allow your e-mail client to "View Attachment Inline" unless you are sure the message arrived from a trusted sender.
- Never open e-mail attachments from strangers. Period.
- Never allow a downloaded application or any downloaded executable content to launch on its own, and be especially careful
of downloading files that end in exe, bat, vbs, and com.
- Never accept and run an "ActiveX Control" or "Java Class" unless it comes signed and from a trusted site. It is best to
force your browser to prompt you for permission. If you are using Internet Explorer, these settings are located under Control
Panel - Internet Options - Security - Internet - Custom Level. Mozilla, Opera, and Netscape users are prompted by default.
- Disable "Install on Demand" if you are using Internet Explorer so your browser will be forced to prompt you if additional
components are needed in order to display certain content. This setting is located under Control Panel - Internet Options -
Advanced.
- Never visit untrusted sites. If you do, be extremely cautious.
- Use a good bi-directional firewall that monitors all incoming and outgoing traffic and prompts you for access
permission when such traffic is detected. It can also hide your presence from intruders by completely blocking
access to the ports that are used for the transfer of information. Select the highest security level for your internet zone
and set all programs to prompt you for access - even those you use frequently. When in doubt, deny a program access until
you are sure of its identity.
- Use a virus scanner (anti-virus), keep the virus data files current (check for updates at least once a week), enable the
"Heuristics" or "Bloodhound" feature (for detection of virus-like activity of yet-to-be discovered viruses), and set it to
scan all downloads and e-mail attachments - before they are opened. Let it quarantine and destroy anything suspicious. If it
has settings for scanning ActiveX Controls and Java Classes for potentially harmful content, use that too. For even greater
protection and a wider range of configuration options, combine the use of a virus scanner with a Trojan scanner.
- Visit BrowserSpy, a testing site that shows you what information can be gathered from your visits to web sites. Switch
JavaScript on/off and compare each set of results. This will give you a better idea of what JavaScript is capable of doing,
and it will also show you its limitations.
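As an added example (not part of the original article), the Python sketch below audits a saved message for the two things the rules above warn about: attachments ending in exe, bat, vbs or com, and active script in an HTML body. The function name, the regular expression (a heuristic) and the sample message are constructed for illustration.

```python
import re
from email import message_from_string

# Extensions the rules above single out as executable content.
RISKY_EXTENSIONS = {"exe", "bat", "vbs", "com"}
# Heuristic: script blocks, javascript: URLs and inline event handlers.
ACTIVE_HTML = re.compile(r"<\s*script\b|javascript\s*:|\bon\w+\s*=", re.IGNORECASE)

def audit_message(msg):
    """Return a list of findings for one parsed e-mail message."""
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name and "." in name:
            # Only the final extension decides how the file is launched,
            # so "invoice.pdf.exe" is treated as an exe.
            ext = name.rpartition(".")[2].strip().lower()
            if ext in RISKY_EXTENSIONS:
                findings.append(f"executable attachment: {name}")
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            html = (part.get_payload(decode=True) or b"").decode(charset, errors="replace")
            if ACTIVE_HTML.search(html):
                findings.append("active script in HTML body")
    return findings

# Constructed sample message (not real mail).
SAMPLE = """\
From: stranger@example.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/html; charset="utf-8"

<html><body><script>var x = 1;</script>Hello</body></html>
--XYZ
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.pdf.exe"

placeholder bytes
--XYZ--
"""

if __name__ == "__main__":
    for finding in audit_message(message_from_string(SAMPLE)):
        print(finding)
```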
How to disable JavaScript in e-mail programs
Outlook
- Select the "Options..." command under the Outlook "Tools" menu.
- Select the "Security" tab in the "Options" dialog box.
- Under the "Secure Content" section, select "Restricted sites" in the Zone Window.
- Click on the "Zone settings..." button.
- Click "OK" for the warning dialog box which pops up on the screen.
- In the "Security" dialog box, make sure that the "Restricted sites" icon is selected.
- Make sure that the security level slider control for the zone is set to "High".
- Click on the "Custom Level..." button.
- Scroll down to the "Active scripting" entry in the settings list in the "Security Settings" dialog box.
- Select "Disable" for the "Active scripting" entry.
- Press the "OK" button in the "Security Settings" dialog box.
- Press the "OK" button in the "Security" dialog box.
- Press the "OK" button in the "Options" dialog box.
Note on Outlook: By following this procedure, you will accomplish two things. First, you will configure the e-mail client so
that all of its network activity happens in the "Restricted" security zone. Second, you will increase the security of the
Restricted zone beyond its default setting so that "Active scripting" is disabled. The end result is that your e-mail program
will disable Active scripting (which includes JavaScript) whenever it shows you an e-mail, thereby preventing the e-mail
wiretap exploit.
Mozilla Mail
- Select "Edit" from the menu bar.
- Select "Preferences" from the drop-down list.
- Select "Advanced" from the Category list.
- Select "Scripts & Windows" from the Advanced list.
- Uncheck the box next to "Mail & Newsgroups" under "Enable JavaScript for:"
- Important: Leaving "Navigator" checked applies to your browser window only. The option in step 5 applies to e-mail only.
- Click on "OK" to save your settings and close the "Preferences" window.
- (NOTE: Unlike with Netscape or Outlook, in Mozilla this option is unchecked by default... but it is a good idea to look
for yourself.)
Mozilla Thunderbird
- Select "Tools" from the menu bar.
- Select "Options" from the drop-down list.
- Select "Advanced" from the Category list.
- Uncheck the box next to "Enable JavaScript in mail messages".
- Click on "OK" to save your settings and close the "Preferences" window.
- (NOTE: Unlike with Netscape or Outlook, in Thunderbird this option is unchecked by default... but it is a good idea to
look for yourself.)
Netscape Messenger
- Select "Edit" from the menu bar.
- Select "Preferences" from the drop-down list.
- Select "Advanced" from the Category list.
- Uncheck the box next to "Enable JavaScript for Mail and News".
- Important: Leaving "Enable JavaScript" (version 4.x) or "Enable JavaScript in Navigator" (versions 6/7) checked applies
to your browser window only. The option in step 4 applies to e-mail only.
- Click on "OK" to save your settings and close the "Preferences" window.
Eudora
- Click on "Tools".
- Click on "Options".
- Click on "Viewing Mail".
- Uncheck the box "Allow executable in HTML content".
- (NOTE: Unlike with Netscape or Outlook, in Eudora, this option is unchecked by default, but it is a good idea to look for
yourself.)