Software

Configurare e ottimizzare Windows: Internet Explorer vs CESG

firma oneclickinstaller

La precedente settimana vi abbiamo spiegato come, grazie all'ausilio dei file batch, sia possibile personalizzare in modo facile e veloce le principali impostazioni di IE 11.

Nell'articolo odierno, invece, vogliamo porre una particolare ed esclusiva attenzione su quelli che sono considerati gli aspetti probabilmente più importanti per un browser: la sicurezza.

Molti di voi concorderanno sul fatto che sia spesso difficile mettere dei punti fermi e irremovibili quando si parla di sicurezza in ambiente IT. È per questo che abbiamo deciso di seguire passo passo le raccomandazioni del CESG, la quale ha redatto un documento in cui vengono fornite delle precise indicazioni su come "blindare" Internet Explorer.

Come ormai avrete intuito, lo scopo di questa rubrica non è tanto quello di fornirvi rigide e severe indicazioni su come impostare l'uno o l'altro parametro di Windows e dei suoi applicativi, ma come farlo utilizzando i comodi file ".cmd". Starà poi a voi personalizzare secondo le vostre esigenze ciò che vi abbiamo proposto. Questo vale anche (e soprattutto) per l'articolo odierno, col quale ci rivolgiamo in particolar modo agli utenti più esperti e ai professionisti IT che seguono in prima persona gli aspetti e le problematiche inerenti la sicurezza.

Nel fornirvi i comandi sottostanti, abbiamo inoltre deciso di mantenerne i commenti in inglese, così da facilitarvi il diretto confronto con la guida originale proposta dal CESG.

CESG
Browser Security Guidance – Microsoft Internet Explorer (Published 28 November 2014)

:: User Configuration

:: Run > gpedit.msc > User Configuration > Administrative Templates > All Settings > Disable changing Automatic Configuration settings

REG ADD "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v Autoconfig /t REG_DWORD /d 1 /f

:: Run > gpedit.msc > User Configuration > Administrative Templates > All Settings > Prevent "Fix settings" functionality

REG ADD "HKCU\Software\Policies\Microsoft\Internet Explorer\Security" /v DisableFixSecuritySettings /t REG_DWORD /d 1 /f

:: Run > gpedit.msc > User Configuration > Administrative Templates > All Settings > Prevent managing SmartScreen Filter

REG ADD "HKCU\Software\Policies\Microsoft\Internet Explorer\PhishingFilter" /v EnabledV9 /t REG_DWORD /d 1 /f

:: Run > gpedit.msc > User Configuration > Administrative Templates > All Settings > Prevent participation in the Customer Experience Improvement Program

REG ADD "HKCU\Software\Policies\Microsoft\Internet Explorer\SQM" /v DisableCustomerImprovementProgram /t REG_DWORD /d 0 /f

:: Run > gpedit.msc > User Configuration > Administrative Templates > All Settings > Prevent running First Run wizard

REG ADD "HKCU\Software\Policies\Microsoft\Internet Explorer\Main" /v DisableFirstRunCustomize /t REG_DWORD /d 1 /f

:: Run > gpedit.msc > User Configuration > Administrative Templates > All Settings > Turn off suggestions for all user-installed providers

REG ADD "HKCU\Software\Policies\Microsoft\Internet Explorer\SearchScopes" /v ShowSearchSuggestionsGlobal /t REG_DWORD /d 0 /f

:: Run > gpedit.msc > User Configuration > Administrative Templates > All Settings > Turn on compatibility logging

REG ADD "HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\Feature_Enable_Compat_logging" /v iexplore.exe /t REG_DWORD /d 1 /f

:: Run > gpedit.msc > User Configuration > Administrative Templates > All Settings > Turn on Suggested Sites

REG ADD "HKCU\Software\Policies\Microsoft\Internet Explorer\Suggested Sites" /v Enabled /t REG_DWORD /d 0 /f

:: Run > gpedit.msc > User Configuration > Administrative Templates > All Settings > Restrict Accelerators to those deployed through Group Policy

REG ADD "HKCU\Software\Policies\Microsoft\Internet Explorer\Activities\Restrictions" /v UsePolicyActivitiesOnly /t REG_DWORD /d 1 /f

:: Run > gpedit.msc > User Configuration > Administrative Templates > All Settings > Turn off Accelerators

:: REG ADD "HKCU\Software\Policies\Microsoft\Internet Explorer\Activities" /v NoActivities /t REG_DWORD /d 0 /f

:: REG ADD "HKCU\Software\Policies\Microsoft\Internet Explorer\Activities" /v NoActivities /t REG_DWORD /d 1 /f

:: Run > gpedit.msc > User Configuration > Administrative Templates > All Settings > Bypass prompting for Clipboard access for scripts running in the Internet Explorer process

REG ADD "HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\Feature_Enable_Script_Paste_URLAction_If_Prompt" /v (Reserved) /t REG_SZ /d 0 /f

REG ADD "HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\Feature_Enable_Script_Paste_URLAction_If_Prompt" /v explorer.exe /t REG_SZ /d 0 /f

REG ADD "HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\Feature_Enable_Script_Paste_URLAction_If_Prompt" /v iexplore.exe /t REG_SZ /d 0 /f

:: Run > gpedit.msc > User Configuration > Administrative Templates > All Settings > Help menu: Remove 'Send Feedback' menu option

REG ADD "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions" /v NoHelpItemSendFeedback /t REG_DWORD /d 1 /f

:: Run > gpedit.msc > User Configuration > Administrative Templates > All Settings > Disable the Advanced page

REG ADD "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v AdvancedTab /t REG_DWORD /d 1 /f

:: Run > gpedit.msc > User Configuration > Administrative Templates > All Settings > Disable the Connections page

REG ADD "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v ConnectionsTab /t REG_DWORD /d 1 /f

:: Run > gpedit.msc > User Configuration > Administrative Templates > All Settings > Disable the Privacy page

REG ADD "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v PrivacyTab /t REG_DWORD /d 1 /f

:: Run > gpedit.msc > User Configuration > Administrative Templates > All Settings > Disable the Security page

REG ADD "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v SecurityTab /t REG_DWORD /d 1 /f

:: Run > gpedit.msc > User Configuration > Administrative Templates > All Settings > Allow active content from CDs to run on user machines

REG ADD "HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings" /v LOCALMACHINE_CD_UNLOCK /t REG_DWORD /d 0 /f

:: Run > gpedit.msc > User Configuration > Administrative Templates > All Settings > Do not allow resetting Internet Explorer settings

REG ADD "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v DisableRIED /t REG_DWORD /d 1 /f

:: Run > gpedit.msc > User Configuration > Administrative Templates > All Settings > Do not save encrypted pages to disk

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v DisableCachingOfSSLPages /t REG_DWORD /d 1 /f

:: Run > gpedit.msc > User Configuration > Administrative Templates > All Settings > Empty Temporary Internet Files folder when browser is closed

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Cache" /v Persistent /t REG_DWORD /d 0 /f

:: Run > gpedit.msc > User Configuration > Administrative Templates > All Settings > Turn off encryption support

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v SecureProtocols /t REG_DWORD /d 2688 /f

:: Run > gpedit.msc > User Configuration > Administrative Templates > All Settings > Turn off the flip ahead with page prediction feature

REG ADD "HKCU\Software\Policies\Microsoft\Internet Explorer\FlipAhead" /v Enabled /t REG_DWORD /d 0 /f

:: Run > gpedit.msc > User Configuration > Administrative Templates > All Settings > Use HTTP 1.1

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v EnableHttp1_1 /t REG_DWORD /d 1 /f

:: Run > gpedit.msc > User Configuration > Administrative Templates > All Settings > Use HTTP 1.1 through proxy connections

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyHttp1.1 /t REG_DWORD /d 1 /f

:: Run > gpedit.msc > User Configuration > Administrative Templates > All Settings > Site to Zone Assignment List

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v ListBox_Support_ZoneMapKey /t REG_DWORD /d 1 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey" /v /t REG_DWORD /d /f

:: Run > gpedit.msc > User Configuration > Administrative Templates > All Settings > Allow cut, copy, or paste operations from the clipboard via script

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0" /v 1407 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1" /v 1407 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2" /v 1407 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3" /v 1407 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4" /v 1407 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v 1407 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" /v 1407 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" /v 1407 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /v 1407 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" /v 1407 /t REG_DWORD /d 3 /f

:: Run > gpedit.msc > User Configuration > Administrative Templates > All Settings > Allow font downloads

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0" /v 1604 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1" /v 1604 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2" /v 1604 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3" /v 1604 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4" /v 1604 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v 1604 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" /v 1604 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" /v 1604 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /v 1604 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" /v 1604 /t REG_DWORD /d 3 /f

:: Run > gpedit.msc > User Configuration > Administrative Templates > All Settings > Allow video and animation on a webpage that uses an older media player

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0" /v 120A /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1" /v 120A /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2" /v 120A /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3" /v 120A /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4" /v 120A /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v 120A /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" /v 120A /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" /v 120A /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /v 120A /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" /v 120A /t REG_DWORD /d 3 /f

:: Run > gpedit.msc > User Configuration > Administrative Templates > All Settings > Display mixed content

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0" /v 1609 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1" /v 1609 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2" /v 1609 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3" /v 1609 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4" /v 1609 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v 1609 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" /v 1609 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" /v 1609 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /v 1609 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" /v 1609 /t REG_DWORD /d 3 /f

:: Run > gpedit.msc > User Configuration > Administrative Templates > All Settings > Include local path when user is uploading files to a server

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0" /v 160A /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1" /v 160A /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2" /v 160A /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3" /v 160A /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4" /v 160A /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v 160A /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" /v 160A /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" /v 160A /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /v 160A /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" /v 160A /t REG_DWORD /d 3 /f

:: Run > gpedit.msc > User Configuration > Administrative Templates > All Settings > Java permissions

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0" /v 1C00 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1" /v 1C00 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2" /v 1C00 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3" /v 1C00 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4" /v 1C00 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v 1C00 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" /v 1C00 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" /v 1C00 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /v 1C00 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" /v 1C00 /t REG_DWORD /d 3 /f

:: Run > gpedit.msc > User Configuration > Administrative Templates > All Settings > Render legacy filters

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0" /v 270B /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1" /v 270B /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2" /v 270B /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3" /v 270B /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4" /v 270B /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v 270B /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" /v 270B /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" /v 270B /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /v 270B /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" /v 270B /t REG_DWORD /d 3 /f

:: Run > gpedit.msc > User Configuration > Administrative Templates > All Settings > Run .NET Framework-reliant components not signed with Authenticode

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0" /v 2004 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1" /v 2004 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2" /v 2004 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3" /v 2004 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4" /v 2004 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v 2004 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" /v 2004 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" /v 2004 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /v 2004 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" /v 2004 /t REG_DWORD /d 3 /f

:: Run > gpedit.msc > User Configuration > Administrative Templates > All Settings > Run .NET Framework-reliant components signed with Authenticode

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0" /v 2001 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1" /v 2001 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2" /v 2001 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3" /v 2001 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4" /v 2001 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v 2001 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" /v 2001 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" /v 2001 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /v 2001 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" /v 2001 /t REG_DWORD /d 3 /f

:: Run > gpedit.msc > User Configuration > Administrative Templates > All Settings > Scripting of Java applets

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0" /v 1402 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1" /v 1402 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2" /v 1402 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3" /v 1402 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4" /v 1402 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v 1402 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" /v 1402 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" /v 1402 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /v 1402 /t REG_DWORD /d 3 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" /v 1402 /t REG_DWORD /d 3 /f

:: Run > gpedit.msc > User Configuration > Administrative Templates > All Settings > Turn on Cross-Site Scripting Filter

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v 1409 /t REG_DWORD /d 0 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" /v 1409 /t REG_DWORD /d 0 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" /v 1409 /t REG_DWORD /d 0 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /v 1409 /t REG_DWORD /d 0 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" /v 1409 /t REG_DWORD /d 0 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0" /v 1409 /t REG_DWORD /d 0 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1" /v 1409 /t REG_DWORD /d 0 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2" /v 1409 /t REG_DWORD /d 0 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3" /v 1409 /t REG_DWORD /d 0 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4" /v 1409 /t REG_DWORD /d 0 /f

:: Run > gpedit.msc > User Configuration > Administrative Templates > All Settings > Turn on Protected Mode

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0" /v 2500 /t REG_DWORD /d 0 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1" /v 2500 /t REG_DWORD /d 0 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2" /v 2500 /t REG_DWORD /d 0 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3" /v 2500 /t REG_DWORD /d 0 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4" /v 2500 /t REG_DWORD /d 0 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v 2500 /t REG_DWORD /d 0 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" /v 2500 /t REG_DWORD /d 0 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" /v 2500 /t REG_DWORD /d 0 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /v 2500 /t REG_DWORD /d 0 /f

REG ADD "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" /v 2500 /t REG_DWORD /d 0 /f

:: Run > gpedit.msc > User Configuration > Administrative Templates > All Settings > Turn on script debugging

REG ADD "HKCU\Software\Policies\Microsoft\Internet Explorer\Main" /v "Disable Script Debugger" /t REG_SZ /d yes /f

:: Run > gpedit.msc > User Configuration > Administrative Templates > All Settings > Start the Internet Connection Wizard automatically

REG ADD "HKCU\Software\Policies\Microsoft\Internet Connection Wizard" /v DisableICW /t REG_DWORD /d 1 /f

:: Run > gpedit.msc > User Configuration > Administrative Templates > All Settings > Turn on inline AutoComplete

REG ADD HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete /v "Append Completion" /t REG_SZ /d no /f

:: Run > gpedit.msc > User Configuration > Administrative Templates > All Settings > Turn off Windows Search AutoComplete

REG ADD "HKCU\Software\Policies\Microsoft\Internet Explorer\Main\WindowsSearch" /v EnabledScopes /t REG_DWORD /d 0 /f

:: Run > gpedit.msc > User Configuration > Administrative Templates > All Settings > Establish Tracking Protection threshold

REG ADD "HKCU\Software\Policies\Microsoft\Internet Explorer\Safety\PrivacIE" /v TrackingProtectionThreshold /t REG_DWORD /d 3 /f

:: Run > gpedit.msc > User Configuration > Administrative Templates > All Settings > Turn off Data URI support

REG ADD "HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DATAURI" /v iexplore.exe /t REG_DWORD /d 0 /f

:: Run > gpedit.msc > User Configuration > Administrative Templates > All Settings > Add-on List

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext /v ListBox_Support_CLSID /t REG_DWORD /d 1 /f

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID /v {D27CDB6E-AE6D-11CF-96B8-444553540000} /t REG_SZ /d 1 /f

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID /v {CA8A9780-280D-11CF-A24D-444553540000} /t REG_SZ /d 1 /f

:: Run > gpedit.msc > User Configuration > Administrative Templates > All Settings > Deny all add-ons unless specifically allowed in the Add-on List

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext /v RestrictToList /t REG_DWORD /d 1 /f

:: Run > gpedit.msc > User Configuration > Administrative Templates > All Settings > Remove "Run this time" button for outdated ActiveX controls in Internet Explorer

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext /v RunThisTimeEnabled /t REG_DWORD /d 0 /f

:: Run > gpedit.msc > User Configuration > Administrative Templates > Windows Components > Internet Explorer > Security Features > Mime Sniffing Safety Feature > Internet Explorer Processes

REG ADD "HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING" /v (Reserved) /t REG_SZ /d 1 /f

REG ADD "HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING" /v explorer.exe /t REG_SZ /d 1 /f

REG ADD "HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING" /v iexplore.exe /t REG_SZ /d 1 /f

:: Run > gpedit.msc > User Configuration > Administrative Templates > Windows Components > Internet Explorer > Security Features > MK Protocol Security Restriction > Internet Explorer Processes

REG ADD "HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL" /v (Reserved) /t REG_SZ /d 1 /f

REG ADD "HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL" /v explorer.exe /t REG_SZ /d 1 /f

REG ADD "HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL" /v iexplore.exe /t REG_SZ /d 1 /f

:: Run > gpedit.msc > User Configuration > Administrative Templates > Windows Components > Internet Explorer > Security Features > Protection From Zone Elevation > Internet Explorer Processes

REG ADD "HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION" /v (Reserved) /t REG_SZ /d 1 /f

REG ADD "HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION" /v explorer.exe /t REG_SZ /d 1 /f

REG ADD "HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION" /v iexplore.exe /t REG_SZ /d 1 /f

:: Run > gpedit.msc > User Configuration > Administrative Templates > Windows Components > Internet Explorer > Security Features > Scripted Window Security Restrictions > Internet Explorer Processes

REG ADD "HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS" /v (Reserved) /t REG_SZ /d 1 /f

REG ADD "HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS" /v explorer.exe /t REG_SZ /d 1 /f

REG ADD "HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS" /v iexplore.exe /t REG_SZ /d 1 /f

:: Add-On Management (User Configuration)

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID /v {D27CDB6E-AE6D-11CF-96B8-444553540000} /t REG_SZ /d 1 /f

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID /v {CA8A9780-280D-11CF-A24D-444553540000} /t REG_SZ /d 1 /f

:: Cookie Control (User Configuration)

:: Run > regedit

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v PrivacyAdvanced /t REG_DWORD /d 1 /f

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /v {AEBA21FA-782A-4A90-978D-B72164C80120} /t REG_BINARY /d 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a /f

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /v {A8A88C49-5EB2-4990-A1A2-0876022C854F} /t REG_BINARY /d 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a1539 /f

:: Proxy Settings (User Configuration)

:: Control Panel > Internet Options > Connections > Local Area Network (LAN) settings > LAN settings > Proxy server > Use a proxy server for your LAN (These settings will not apply to a dial-up or VPN connections).

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 1 /f

:: Control Panel > Internet Options > Connections > Local Area Network (LAN) settings > LAN settings > Proxy server > Address:

:: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /t REG_SZ /d Address:Port /f

:: Control Panel > Internet Options > Connections > Local Area Network (LAN) settings > LAN settings > Proxy server > Bypass proxy server for local addresses

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /t REG_SZ /d "" /f

:: Computer Configuration

:: Run > gpedit.msc > Computer Configuration > Administrative Templates > All Settings >  Security Zones: Use only machine settings

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v Security_HKLM_only /t REG_DWORD /d 1 /f

Ora che sotto la scocca del vostro PC vegliano le indicazioni del CESG, potrete anche vantarvi con colleghi ed amici di avere la stessa configurazione dei servizi segreti di Sua Maestà… loro non vi prenderanno di certo sul serio, ma voi saprete che sotto sotto un fondo di verità c'è sicuramente…

Agenti rimanete sintonizzati, perchè la prossima settimana vi aspettano nuovi ed interessanti batch!