Comments on: How to disable Internet Explorer Enhanced Security Configuration (IE ESC) in Windows Server 2008

By: Mikey

Mikey — Wed, 23 Dec 2009 20:11:04 +0000

Thanks, this is exactly what I was looking for and you pointed me in the right direction perfectly. Thanks!

By: Ragnar

Ragnar — Sun, 20 Sep 2009 12:09:47 +0000

Thanks! Just what I needed.

By: Core User

Core User — Wed, 21 Jan 2009 19:38:23 +0000

Does anyone know how to disable this feature for Server Core?

By: Tony

Tony — Thu, 30 Oct 2008 15:59:42 +0000

He also mentioned Terminal Services. Can you confirm this? I need to make sure.

By: Michael

Michael — Mon, 28 Apr 2008 18:51:36 +0000

Brent, I think that from Microsoft’s perspective this is just a statistical issue. Implementing such “features” just means that the number of security incidents will go down. So those who are careful have to suffer, too because there certainly are quite a few admins who don’t consider using IE on a productive server.

yfki, what Vista Activation Tool do you mean?

By: yfki

yfki — Mon, 28 Apr 2008 18:15:30 +0000

Anyone who has used Vista Activation Tool, ServerManager will no longer work

You can diable IE ESC by running this…

“C:\Windows\system32\rundll32.exe” C:\Windows\system32\iesetup.dll,IEShowHardeningDialog

By: Brent

Brent — Sat, 26 Apr 2008 04:29:00 +0000

The design philosophy of protecting the computer from the user is foolish, especially in the case where the user is an administrator. No admin is going to be surfing nefarious sites on a production server anyway. He is going to be downloading patches and doing useful things. If you don’t trust your admin to know how to safely browse the web, then you are likely in allot more trouble than this.

By: Ian

Ian — Sun, 13 Apr 2008 23:37:47 +0000

Knowing this is absolutely essential if you, like me, run 2K8 server in a virtual machine for software development/testing purposes. Being able to browse the web from inside the VM is very handy.

By: Michael

Michael — Mon, 31 Mar 2008 20:10:15 +0000

You’re right, this is certainly a problem. However, it applies to any third party software. The point is that an outdated Opera is still more secure than the latest IE or Firefox.

By: G.Crow

G.Crow — Sun, 16 Mar 2008 00:22:56 +0000

I disagree with installing Opera, sorry. In my experience, installing non-production third party software like that WILL result in unpatched/unupdated software sooner or later. This means that even though Opera is more secure, one year down the road half your install base will not be, since no one has logged in to manually update the software.

On the other hand, yes, they shouldn’t be surfing the web anyhow…

By: Michael

Michael — Thu, 13 Mar 2008 21:48:30 +0000

Aaron, I agree that not browsing the web is most secure. But you know that also applies to any desktop PC. Seriously, there are only rare cases where you really need a web browser on a productive server. However, in those cases I wouldn’t use IE. Even though IE’s security improved lately, it is still dangerous to surf the web with this browser in a security sensitive environment. And I don’t see how the bombardment with confirmation prompts could improve security. I absolutely disagree with your view about less targeted software. It is simply a matter of fact that popular software is less secure. Why do you think that Mac users don’t have to worry so much about viruses? Because Apple’s developers are smarter?

Steve, you’re right Opera is really a nice browser. I just hope that not so many people will find out about this. I am quite sure that it then wouldn’t be the most secure browser anymore. I am also using Opera on the desktop whenever I surf in murky waters.

1337Ops, you’re right. The best thing about these new security prompts is that more Windows admins are needed now because of the time they waste with clicking all day on them.

By: 1337Ops

1337Ops — Thu, 13 Mar 2008 17:46:36 +0000

Yo- MS makes us click so many prompts we should all get free carpel tunnel therapy. I agree, IE and Outlook Exp of all things should not be installed on a server.
Who want’s MS to create a true blue admin login that doesn’t give ares loads of popups, ask you every time if you are ’sure’ (ie. RDP 6 blows – I mean come on…). Maybe one day boyz!
I say disable it, the only good thing about windows is that it will keep us all employed for a LONG LONG time.

By: steve

steve — Thu, 13 Mar 2008 16:14:08 +0000

The fact is, if you check sites like Secunia, Opera IS and has historically been, WAY more secure. Not to mention if you care to learn Opera’s features it will demonstrate just how capable it is in such a small package. Michael’s advice is right-on.

By: Aaron

Aaron — Wed, 12 Mar 2008 22:32:39 +0000

Annoying as IE ESC is (and yeah I almost always disable it too), I think it’s bad advice to increase the attack surface of the server by removing IE ESC and installing Opera. Less targeted software does not make it more secure. Not browsing the web on your server is the best defense.