Web Browser Secure Settings

ITS Recommended Secure Browser Settings

Note: These settings have not been tested with the Campus Business Systems. Please contact their support for assistance.

It is becoming increasingly popular for attackers to compromise computers through vulnerable web browsers. An insecure web browser can lead to spyware being installed on your computer without your knowledge, attackers taking control of your computer, stealing your information, or even using your computer to attack other computers.

The set-up configuration for many web browsers is not secure by default. UCSC's IT Security Team recommends the following steps to help make your web browser more secure. These settings are especially important if you use your browser to access campus business systems, or if you use your browser to access, send or receive sensitive information.

 

Important: The ITS Support Center supports the following browsers: Firefox, Safari and Internet Explorer.

 
  • Set Firefox as your default browser
  • Keep your browsers up to date (ITS supported software list)
  • Enable automatic updates for your browser
  • Block pop-ups, plug-ins and phishing sites
  • Set your browser not to store passwords. If you do store passwords in your browser, use a master password that conforms to the UCSC Password Standards. Please see below for restrictions for passwords that provide access to restricted data.
  • Disable third-party cookies
  • Browser-specific settings:
    • Firefox: install the NoScript add-on
    • Safari: disable Java
    • IE: set up security zones
(Instructions for all these settings are in the table below.)

Important note: While making your browser more secure helps reduce the risk that someone will be able to use it to compromise your computer, it is still important to have safe computing habits so attackers get fewer chances to try. Don't click on unknown or unsolicited links or open unexpected attachments. Don't download files, programs or tools unless you are positive they are safe.

Choose your browser: Firefox, Safari, Internet Explorer or Google Chrome.

Firefox

Setting the default browser - On a Mac, go to Firefox menu > Preferences > Advanced > General tab. On a PC, go to Tools menu > Options > Advanced. Check the box “Always check to see if Firefox is default browser on startup”.

Auto-download updates - On a Mac, Firefox menu > Preferences > Advanced > Update tab. On a PC, go to Tools menu > Options > Advanced > Update tab. Check all checkboxes and select “Automatically install…” & “Warn me…”.

Block unwanted pop-ups - On a Mac, go to Firefox menu > Preferences > Content. On a PC, go to Tools menu > Options > Content. Make sure the first two boxes are checked (Block pop-ups & Load images).

Block unwanted plugins/phishing - On a Mac, go to Firefox menu > Preferences > Security. On a PC, go to Tools menu > Options > Security. Check the top three boxes that start with “Tell me…” and “Block…”.

Set your browser to not store passwords - On a Mac, go to Firefox menu > Preferences > Security. On a PC, go to Tools menu > Options > Security. Uncheck the "Remember passwords..." box.

Using a master password - On a Mac, go to Firefox menu > Preferences > Security. On a PC, go to Tools menu > Options > Security. Check the “Remember passwords…” & “Use a master password” boxes. Then set the password, using 8-12 characters (numbers/letters) to 80-100% quality. Note: The master password setting is not appropriate for passwords that provide access to restricted data. See the campus Password Standards for additional information and alternatives.

Java/javascript - On a Mac, go to Firefox menu > Preferences > Content. On a PC, go to Tools menu > Options > Content. Check the “Enable Javascript” box and then click the Advanced button for Javascript. Make sure none of the boxes are checked.

Handling cookies* - On a Mac, go to Firefox menu > Preferences > Privacy. On a PC, go to Tools menu > Options > Privacy. Check the “Tell websites..." box under Tracking.

Additional suggestions - Use NoScript (strongly recommended) and Locationbar2 (optional) add-ons. (see the installation instructions below)

Safari (Mac)

Setting the default browser - Go to Safari menu > Preferences > General tab and select Safari in the top pulldown menu.

Auto-download updates - Updates for Safari are handled by System Preferences > Software Update located under the Apple menu. Set to Daily updates.

Block unwanted pop-ups - Go to Safari menu > Preferences > Security tab and make sure the “Block pop-up windows” box is checked.

Block unwanted plugins/phishing - Go to Safari menu > Preferences > Security tab and uncheck the “Enable plug-ins” box.

Set your browser to not store passwords - Go to Safari menu > Preferences > AutoFill tab and uncheck the "user names and passwords" box.

Using a master password - Mac users have the Keychain Access utility to keep track of web passwords. It is located in the Utilities folder. Note: The master password setting is not appropriate for passwords that provide access to restricted data. See the campus Password Standards for additional information and alternatives.

Java/javascript - Go to Safari menu > Preferences > Security tab and uncheck “Enable plug-ins” and “Enable Java”. Leave “Enable Javascript” checked.

Handling cookies* - Go to Safari menu > Preferences > Security tab and select “Only from sites you navigate to” for Accepting Cookies.

Additional suggestions - In Safari, you can choose to open multimedia (or "safe") files after they download. This can pose a security risk. To not open them after downloading, go to the Safari menu > Preferences > General tab. Uncheck the box that says 'Open "safe" files...'

Under the Safari menu > Preferences > Security, make sure the "Ask before sending a non-secure form..." box is checked.

Internet Explorer (PC)

Setting the default browser - ITS recommends that IE is not used as the default browser. However, you can still use IE to connect to campus systems, without having it set as the default.

Auto-download updates - Updates for Internet Explorer are handled by Windows Update located in Control Panels. Set to Daily updates.

Block unwanted pop-ups - Go to Tools menu > Internet Options > Privacy tab and set the slider to MEDIUM. Check the “Turn on pop-up blocker” box.

Block unwanted plugins/phishing - Go to Tools menu > Internet Options > Advanced tab and scroll down to Multimedia. Uncheck “Play animations” and “Play sounds” in webpages if they are checked. Then scroll down to Security and select “Turn on automatic website checking” under Phishing Filter.

Set your browser to not store passwords - Go to Tools menu > Internet Options > Content tab, click the AutoComplete button and uncheck the "user names and passwords..." box.

Using a master password - IE doesn't have a master password function, but you should disable the auto-complete function for passwords. See the section above. Note: The master password setting is not appropriate for passwords that provide access to restricted data. See the campus Password Standards for additional information and alternatives.

Java/javascript - Java is handled with Security Zones in IE. See the Additional suggestions below.

Handling cookies* - Go to Tools menu > Internet Options > Privacy tab and click the “Advanced” button. Check the “Override” box and the “Accept” button for First-party cookies and “Prompt” button for Third-party cookies. The “Always allow…” button should not be checked. Click OK. When done, click the Apply button.

Additional suggestions - IE has security zones that can be set up for different levels of protection. In the Help menu, type "zones" and choose Change IE Security Settings. ITS recommends setting the Internet Security Zone to HIGH. You can also identify "trusted sites" and set those to MEDIUM-HIGH.

Google Chrome

Setting the default browser - Go to Chrome menu > Preferences > Settings and click the "Make Google Chrome My Default Browser" button.

Auto-download updates - To make sure that you're protected by the latest security updates, Google Chrome automatically updates whenever it detects that a new version of the browser is available. The update process happens in the background and doesn't require any action on your part.

Block unwanted pop-ups - Go to Chrome menu > Preferences > Show advanced settings... > click the Privacy/Content Settings button. Scroll down to Pop-ups and choose "Do not allow...".

Block unwanted plugins/phishing - Go to Chrome menu > Preferences > Show advanced settings... > click the Privacy/Content Settings button. Scroll down to Plug-ins and choose "Block all". Also, go to Chrome menu > Preferences > Show advanced settings... > under Privacy, check the "Enable phishing and malware protection" box.

Set your browser to not store passwords - Go to Chrome menu > Preferences > Show advanced settings... > under Passwords and forms, uncheck the "Enable Autofill..." box.

Using a master password - Google Chrome currently does not have a master password feature.

Java/javascript - Go to Chrome menu > Preferences > Show advanced settings... > click the Privacy/Content Settings button. Under Javascript, choose "Allow all sites...".

Handling cookies* - Go to Chrome menu > Preferences > Show advanced settings... > click the Privacy/Content Settings button. Under Cookies, choose "Block third-party cookies and site data".

(*Cookies are little files that web sites leave on your computer to remember settings, login credentials or any other information that your computer needs to make the user experience a bit better. Cookies are generally harmless, but they can be used to track your Internet usage, which is a privacy issue. In general, you probably don't want Internet sites tracking everything you are doing, so it's a good idea to block cookies where appropriate to maintain privacy.)

How to install security add-ons for Firefox:

(For both Mac & PC) Tools menu > Add-ons

Select the "Get Add-ons" button. Type "noscript" in the search field, then Install and restart Firefox. You should see an "S" icon in the bottom right of the browser window. Right-click on this icon and select "Options". Select the Appearance tab and uncheck the "allow scripts globally" box. Now it will warn you when unknown scripts are on websites you visit. You can right-click the icon to approve ones that you trust. Follow the same install steps for Locationbar2 (optional).

NoScript - Since JavaScript is a very powerful programming language, it allows savvy attackers to attack your machine just by embedding scripts into a web site. NoScript allows you to control what each script can do and make a choice as to which scripts should run and which should not. Additionally, NoScript will also block Java programs and Flash.

LocationBar2 - Locationbar2 helps users to overcome a technique used by attackers called "URL obfuscation" in which the attacker hides a bad web link inside one that looks familiar to you. Locationbar2 makes it a lot easier to see EXACTLY where you are navigating to.
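
The check that Locationbar2 makes easier by eye can also be done in code. The following is an added example, not part of the original ITS page or of the add-on: it parses a link the way a browser does, reports the host that would actually be contacted, and flags common signs of URL obfuscation. The function name `inspectLink`, the domain `campus.example` and all sample links are constructed for illustration.

```javascript
// Added example: report the host a link really points to and flag common
// URL-obfuscation signs. inspectLink and every URL below are constructed.
function inspectLink(link, expectedDomain) {
  const url = new URL(link);   // WHATWG parser: the same rules browsers apply
  const host = url.hostname;   // the only part that decides where you connect
  const warnings = [];

  // Text before "@" is a username, not the site: http://name@realhost/
  if (url.username || url.password) warnings.push("userinfo");

  // Non-ASCII lookalike letters show up as "xn--" labels after parsing
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    warnings.push("punycode");
  }

  // A numeric address (the parser normalises any notation) or IPv6 literal
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith("[")) {
    warnings.push("ip-host");
  }

  // The host must be the expected domain or one of its subdomains
  const matches = host === expectedDomain || host.endsWith("." + expectedDomain);

  // Familiar name appears somewhere in the link, but the host is another site
  if (!matches && link.toLowerCase().includes(expectedDomain)) {
    warnings.push("decoy-name");
  }
  return { host, matches, warnings };
}

// Constructed sample links, checked against the constructed campus domain
const samples = [
  "https://portal.campus.example/login",
  "http://portal.campus.example@198.51.100.7/login",
  "http://campus.example.account-check.test/",
  "http://c\u0430mpus.example/",   // second letter is Cyrillic U+0430
  "http://3325256711/",            // one decimal number used as an address
];
for (const s of samples) {
  const r = inspectLink(s, "campus.example");
  console.log(r.matches ? "OK  " : "WARN", r.host, r.warnings.join(","));
}
```

Only the first sample is reported as OK; every other link resolves to a host outside the expected domain even though most of them display the familiar name.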