Get the details on Internet Explorer 7's security improvements (Part 1)

by Deb Shinder
Translated by Endurer

Tags: Security | Internet Explorer (IE) | Web browsers

English source: http://articles.techrepublic.com.com/5100-10877_11-6128517.html?tag=nl.e101

Takeaway: IE 7 offers a number of enhancements designed to make browsing safer. Windows expert Deb Shinder examines the major features, such as ActiveX opt-in, the Phishing Filter, and cross-domain security, along with smaller changes like "no add-ons mode" and color coding of the address bar to denote sites that have undergone identity verification.

This article is also available as PDF download.

IE 7 includes new end-user features such as tabbed browsing, but its main claim to fame is added security. Both as a browser upgrade for Windows XP and as the built-in browser for Windows Vista, IE 7 provides a number of new mechanisms to make Web browsing more secure. Let's look at some of the most important new security features.

ActiveX marks the (hot) spot

One of the biggest security complaints against Internet Explorer in the past, and the reason many people preferred Firefox and other browsers, was the risk posed by ActiveX controls. ActiveX lets Web developers build more sophisticated pages than regular HTML allows. However, an ActiveX control is native executable code that the browser can download and run automatically, and it runs inside the browser process with the browser's own privileges. An attacker who can get a malicious control installed, or who finds a flaw in a control that is already installed, can therefore manipulate files on the user's computer, open connections to other machines, and transfer data without the user's awareness.

Microsoft's response to security experts' concerns about ActiveX led to some big changes in IE 7. A new feature called ActiveX opt-in disables, by default, controls that are installed on your computer but that IE has never used, typically controls that arrived with Windows or with other applications rather than ones you already approved in the browser. If you go to a Web site that needs one of the disabled controls to work properly, the Information Bar at the top of the browser window tells you that the site wants to run the control, along with the control's name and its publisher, and you can choose whether to allow it to run.

The problem with any security mechanism is balancing protection against user convenience. User complaints about Windows Vista's seemingly omnipresent UAC dialog box illustrate the frustration that in-your-face security can cause. To enhance security without unduly inconveniencing users, Microsoft included a pre-approved list of controls that the ActiveX opt-in feature does not disable. These are commonly used controls that Microsoft considers safe, and users are not prompted before they run. The trade-off is that pre-approval is a trust decision rather than a guarantee: a control on that list runs without any prompt regardless of its code quality, so the list is part of the attack surface you should know about when assessing a machine.

In addition, you can turn ActiveX opt-in on or off per zone. By default it is enabled in the Internet and Restricted sites zones and does not apply to the Local intranet and Trusted sites zones. To change it, open Internet Options | Security, select the zone, click the Custom Level button, and set "Allow previously unused ActiveX controls to run without prompt": Disable means opt-in is active for that zone, Enable switches it off (Figure A).

Figure A

You can customize the ActiveX opt-in behavior for each security zone.

Developers of ActiveX controls can make their controls harder to abuse by site-locking them (restricting the control so that it only runs on a particular Web site domain), zone-locking them (restricting the control so that it only operates when IE is in a specific zone, such as the Local intranet zone), and digitally signing them. Note that a signature identifies the publisher and detects tampering; it says nothing about whether the control's code is safe to expose to arbitrary Web pages, which is the risk that site- and zone-locking address.

No more going phishing

To cope with the escalating problem of phishing, IE 7 adds the Microsoft Phishing Filter. The Phishing Filter automatically checks the Web sites you visit against a list of known phishing sites and warns you if a site has been identified as one. If you prefer not to have sites checked automatically, you can check a specific site when you suspect it: click Tools | Phishing Filter | Check This Website.

If you find a site you believe is a phishing site and the Phishing Filter doesn't flag it, you can report it to Microsoft; it will be investigated and added to the database if appropriate. Sites on the filter's list of known good sites are not checked at all. For everything else, the Phishing Filter also uses heuristics to decide whether a page displays common characteristics of phishing pages and, if so, flags it as suspicious. A list-plus-heuristics filter catches known and typical phishing pages; a freshly registered site that mimics a login page closely enough can slip through until it is reported, so the filter complements rather than replaces user vigilance.

You can disable the Phishing Filter, or turn automatic checking off and on, on the Advanced tab of Internet Options, shown in Figure B.

Figure B

You can configure the Phishing Filter on the Internet Options Advanced tab.

For more information about IE 7's Phishing Filter, see the Phishing Filter FAQ on the Microsoft Web site.

Cross-domain security

Cross-domain scripting is a tactic attackers use to get script running in a browser window that was opened in one security domain to act on content that belongs to a different security domain, typically by redirecting the window or one of its frames after it has been opened. IE 7 makes scripts and other Web objects keep the security context they started with even if they are redirected. By default, the configuration settings deny cross-domain data access in all security zones. When there is a risk of a cross-domain exploit, IE 7 blocks script URLs (such as javascript: navigations aimed at a window in another domain) and blocks redirected navigation in DOM objects. The practical effect is that script on one page cannot read or manipulate data that belongs to another domain.

IE protected mode in Vista

In Windows Vista, IE 7 works with User Account Control (UAC) to run the browser in Protected Mode by default; Protected Mode is only available while UAC is turned on. The browser has only the minimum permissions needed to surf the Web, and plug-ins and add-ons loaded into it run with the same low privileges.

Protected Mode helps prevent Web sites from installing malicious code on the computer without the user's knowledge. The IE process runs at low integrity, so the operating system refuses its writes to anywhere except low-integrity locations, chiefly the Low subfolder of the Temporary Internet Files folder (plus the matching Low folders for cookies, history and temporary files); writing anywhere else requires the user's permission.

When IE needs to write outside those low-integrity locations, for example to save a download to the desktop, a "broker process" running at the user's normal integrity level performs the write, which is a more controlled way of elevating privileges than letting the browser process do it. The broker is designed so that it cannot be driven by script without user input: the action has to come from the user, such as confirming a Save As dialog. For a deeper technical understanding of IE 7 Protected Mode, see the MSDN article on the subject.
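As an added example (not code from the article or from Microsoft), the following PowerShell script checks the mandatory-integrity labels that Protected Mode depends on: the handful of "Low" folders that a low-integrity IE process may write to, and the integrity level of the shell running the script. It assumes the Windows Vista/7 profile layout (Windows 8 and later renamed Temporary Internet Files to INetCache), that `icacls` prints the label as `Mandatory Label\Low Mandatory Level:(...)`, and that a folder with no label ACE inherits the user's Medium level and is therefore not writable from Protected Mode IE. The folder list and the helper names are this example's own.

```powershell
# Added example, not from the article: verify the low-integrity locations that
# Protected Mode IE is allowed to write to, and report the integrity level of
# the current process for comparison.
# Assumptions: Vista/7 folder layout; icacls reports the label ACE as
# "Mandatory Label\<Level> Mandatory Level:(...)"; no label ACE means the
# folder inherits Medium (the user's default) and is off-limits to a Low process.

$lowLocations = @(
    (Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\Temporary Internet Files\Low'),
    (Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\History\Low'),
    (Join-Path $env:LOCALAPPDATA 'Temp\Low'),
    (Join-Path $env:APPDATA      'Microsoft\Windows\Cookies\Low'),
    (Join-Path $env:USERPROFILE  'AppData\LocalLow')
)

function Get-IntegrityLabel {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    # icacls lists one ACE per line; the mandatory label ACE, when present, is the
    # line containing "Mandatory Label\". Absence means Medium by inheritance.
    $match = (& icacls $Path 2>$null) |
             Select-String -SimpleMatch 'Mandatory Label' |
             Select-Object -First 1
    if (-not $match) { return 'Medium Mandatory Level (implicit, no label ACE)' }
    return ($match.Line -replace '.*Mandatory Label\\', '').Trim()
}

function Test-ProtectedModeLocations {
    foreach ($p in $lowLocations) {
        $label = Get-IntegrityLabel -Path $p
        [pscustomobject]@{
            Path        = $p
            Label       = if ($null -eq $label) { '(missing folder)' } else { $label }
            # True only when the folder carries an explicit Low label, i.e. a
            # Low-integrity IE process can create and modify files in it.
            LowWritable = ($label -like 'Low Mandatory Level*')
        }
    }
}

function Get-CurrentProcessIntegrity {
    # whoami /groups prints the process token's mandatory label as a group entry.
    $line = (& whoami /groups) | Select-String -SimpleMatch 'Mandatory Level' | Select-Object -First 1
    if ($line) { $line.Line.Trim() } else { '(no mandatory label reported)' }
}

Test-ProtectedModeLocations | Format-Table -AutoSize
"Current process: $(Get-CurrentProcessIntegrity)"
```

Run it from an ordinary (non-elevated) PowerShell 3.0 or later session. A `LowWritable` of `False` on a folder that exists means Protected Mode IE cannot use it; `icacls <folder> /setintegritylevel (OI)(CI)L` restores the label. The same `whoami /groups` query run from a process that Protected Mode IE launched reports `Low Mandatory Level`, which is the quickest way to confirm that an add-on really is running sandboxed rather than through the broker.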

Locked down security zones

The security zones in IE 7 are more locked down. The Local intranet zone is now disabled by default on computers that don't belong to a Windows domain. This zone typically has less restrictive settings than the Internet zone, but most home and small-business users, whose networks operate on a peer-to-peer basis, don't need it because they have no intranet to reach. In addition, the default settings for the Trusted sites zone provide higher security than before, and you can no longer slide the security setting down to Low or Medium-low; you must use custom settings to get a security level lower than Medium.
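The following PowerShell script, added here as an example and not part of the article, audits the settings discussed above for every zone in one pass: the ActiveX opt-in switch from the ActiveX section, the cross-domain settings, the Phishing Filter and Protected Mode switches, and the intranet-detection flags behind the locked-down Local intranet zone. It reads the current user's zone keys under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones`, which is where Internet Options | Security | Custom Level stores its choices. Assumptions: the numeric setting IDs and captions used (1208, 1406, 1607, 2101, 2301, 2500) are the documented IE zone-setting IDs, a DWORD of 0/1/3 means Enable/Prompt/Disable, an absent value means the built-in default applies, and the four `ZoneMap` flags correspond to the checkboxes in the Local intranet zone's Sites dialog. The function names are this example's own; it needs PowerShell 3.0 or later.

```powershell
# Added example, not code from the article: audit the per-zone IE7 settings
# that Internet Options | Security | Custom Level writes for the current user.
# Assumptions: the setting IDs/captions below are the documented IE zone
# URL-action IDs; DWORD 0 = Enable, 1 = Prompt, 3 = Disable; an absent value
# means the built-in default for that zone applies. PowerShell 3.0+.

$zonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneMapKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'

$zoneNames = @{ 0 = 'Local Machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

# 1208 is the ActiveX opt-in switch: "Disable" means opt-in is active for the zone.
$settings = [ordered]@{
    '1208' = 'Allow previously unused ActiveX controls to run without prompt'
    '1406' = 'Access data sources across domains'
    '1607' = 'Navigate sub-frames across different domains'
    '2101' = 'Web sites in less privileged web content zone can navigate into this zone'
    '2301' = 'Use Phishing Filter'
    '2500' = 'Turn on Protected Mode'
}
$stateNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-IEZoneAudit {
    foreach ($zoneId in ($zoneNames.Keys | Sort-Object)) {
        $props = Get-ItemProperty -Path (Join-Path $zonesKey $zoneId) -ErrorAction SilentlyContinue
        foreach ($id in $settings.Keys) {
            $raw = if ($props) { $props.$id } else { $null }
            $state = if ($null -eq $raw) { '(default)' }
                     elseif ($stateNames.ContainsKey([int]$raw)) { $stateNames[[int]$raw] }
                     else { "unknown ($raw)" }
            [pscustomobject]@{
                ZoneId  = $zoneId
                Zone    = $zoneNames[$zoneId]
                Id      = $id
                Setting = $settings[$id]
                State   = $state
            }
        }
    }
}

function Get-IEZoneFindings {
    # Explicit values in the Internet (3) and Restricted sites (4) zones that are
    # weaker than the IE7 behaviour the article describes: opt-in switched off,
    # cross-domain access allowed, Protected Mode turned off.
    Get-IEZoneAudit | Where-Object {
        ($_.ZoneId -in 3, 4) -and (
            ($_.Id -eq '1208' -and $_.State -eq 'Enable') -or
            ($_.Id -in '1406', '1607', '2101' -and $_.State -notin 'Disable', '(default)') -or
            ($_.Id -eq '2500' -and $_.State -eq 'Disable')
        )
    }
}

function Get-IEIntranetDetection {
    # The checkboxes in Local intranet | Sites. IE7 defaults to automatic detection,
    # which is why a machine outside a domain effectively has no intranet zone.
    $map = Get-ItemProperty -Path $zoneMapKey -ErrorAction SilentlyContinue
    foreach ($flag in 'AutoDetect', 'IntranetName', 'UNCAsIntranet', 'ProxyBypass') {
        $value = if ($map) { $map.$flag } else { $null }
        [pscustomobject]@{
            Flag  = $flag
            Value = if ($null -eq $value) { '(default)' } elseif ($value -eq 1) { 'On' } else { 'Off' }
        }
    }
}

Get-IEZoneAudit | Format-Table ZoneId, Zone, Id, Setting, State -AutoSize
'--- Findings (weaker than the described IE7 defaults) ---'
Get-IEZoneFindings | Format-Table ZoneId, Id, State -AutoSize
'--- Local intranet detection flags ---'
Get-IEIntranetDetection | Format-Table -AutoSize
```

A `(default)` state means the user has never changed that setting in Custom Level, so IE's shipped default for the zone applies; an explicit `Enable` on 1208 in zone 3 is the one to look for when a user reports that "the ActiveX prompt went away". Machine-wide policy can override everything here: if `HKLM\...\Internet Settings\Security_HKLM_only` is set, the same keys under `HKLM` win, so audit both hives on managed desktops.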
