If you try to open Microsoft.com in Internet Explorer on Windows Server 2012, you have to click 18 times (I counted) until IE ESC believes that the site of Internet Explorer’s maker is secure. If you then click a link, the click orgy starts all over again. I doubt that anybody is using Internet Explorer in this way. I suppose it is the best way to get arthritis in your forefinger.
Content from the website listed below is being blocked by the Internet Explorer Enhanced Security Configuration
Yes, if you work with the zone feature in Internet Explorer, you can at least work with Internet Explorer to access corporate websites. However, it’s only the large organizations that really benefit from this feature.
Don’t get me wrong. Using Internet Explorer on a server is indeed a severe security risk. Thus, it would make sense if one could completely uninstall Internet Explorer. There are political reasons why this isn’t possible.
The history of Internet Explorer Enhanced Security
You might remember that, a while back, some Internet activists were very angry at Microsoft because Microsoft annihilated an ambitious company called Netscape (who, in turn, dared to threaten to destroy Microsoft with its tiny HTML file viewer). The activists managed to persuade some influential politicians that votes can be won by bashing this big and evil company in Redmond that endangers the “free” Internet (whatever that was). This somehow forced Bill Gates and other high-ranking Microsoft managers to testify in court that removing Internet Explorer would cause malfunctions in Windows.
When it became obvious that using a web browser on a server is not really such a good idea, Microsoft faced a dilemma. Of course, it is impossible to admit now that Windows without Internet Explorer is doable. Microsoft’s engineers had to therefore think of a way to remove Internet Explorer without actually removing it. We call the fruits of this tinkering “Internet Explorer Enhanced Security,” and it is the reason why millions of Windows Server admins are in danger of getting forefinger arthritis.
How to avoid forefinger arthritis
So what can you do if you want to keep the agility of your forefinger?
1. Don’t use a web browser on a server.
Do you really need a web browser on a server? If Microsoft’s engineers believe it is worth annoying millions of admins with Internet Explorer Enhanced Security Configuration, they must have a good reason. All your firewalls, malware, and intrusion detection systems are relatively useless if you invite the bad guys to your network by using a web browser with admin privileges on a server. You are sure you need the browser on your server? Read on.
2. Use a (relatively) secure web browser.
There is no such thing as a secure web browser. However, you can use a web browser that is more secure than Internet Explorer. I know of only two browsers for Windows that deserve this title: Lynx and Opera. I suppose the somewhat limited capabilities of Lynx will make Opera your first choice. It is a good choice because almost no one uses this browser; therefore, the bad guys don’t bother to dig for its security holes. Don’t even think of installing Firefox or Chrome on a server. The security you gain this way is exactly NIL because the market share of these browsers is now comparable to that of Internet Explorer, and the Mozilla and Google developers certainly don’t know more about browser security than Microsoft’s programmers.
3. Disable Internet Explorer Enhanced Security Configuration.
You can disable IE ESC, probably because Microsoft’s lawyers are afraid that in a few years they will get swamped by lawsuits by former admins who got severe forefinger arthritis. There are a few situations where it makes sense to turn off IE ESC—for instance, on a Terminal Server where end users (with standard user rights) need a browser. It is also the first thing I do on a freshly installed test server that runs in a virtual and isolated lab environment. This allows me to download tools I want to test or use web-based admin interfaces on the server. And, of course, the number one reason is that you probably think that you are an admin who knows what you are doing and only surfs to sites that you trust not to load code from sites that you don’t trust. There are various ways to disable IE ESC.
Caution Internet Explorer Enhanced Security Configuration is not enabled
Server Manager / Control Panel
In Windows Server 2003, you can disable IE ESC in the Control Panel through the Add or Remove Programs applet with the Add/Remove Windows Components function. You can do this either for administrator groups or for all other user groups.
If you need to turn off IE ESC on multiple servers, you can do so faster by using a PowerShell script. No PowerShell cmdlet exists for this task; however, since you can disable IE ESC in the Registry, it is not a big deal to leverage PowerShell for the task. Don’t worry, this doesn’t involve a lot of type-type. We have already done the work for you.
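The registry approach described above, as an added example that is not the script from the original post: it reports the IE ESC state per scope and changes it only for the scopes you name, with `-WhatIf` support. The function names are hypothetical, and the two Active Setup component keys with their `IsInstalled` value are the commonly documented location of this setting, not something the page itself states.

```powershell
# Added example (not from the original post): audit or change IE ESC via the registry.
# Assumption: these Active Setup component keys hold the IE ESC state
# (IsInstalled = 1 enabled, 0 disabled); the paths are not given on the page.
$IEEscKeys = @{
    Administrators = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
    Users          = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
}

# Hypothetical helper: report the current state for both scopes.
function Get-IEEscState {
    foreach ($scope in $IEEscKeys.Keys) {
        $value = (Get-ItemProperty -Path $IEEscKeys[$scope] -Name IsInstalled `
                  -ErrorAction SilentlyContinue).IsInstalled
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Scope    = $scope
            # $null means the key or value is missing on this machine
            Enabled  = if ($null -eq $value) { $null } else { [bool]$value }
        }
    }
}

# Hypothetical helper: enable or disable IE ESC for the named scopes only.
function Set-IEEscState {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Administrators', 'Users')]
        [string[]]$Scope,

        [Parameter(Mandatory = $true)]
        [bool]$Enabled
    )
    foreach ($s in $Scope) {
        $path = $IEEscKeys[$s]
        if (-not (Test-Path $path)) {
            Write-Warning "IE ESC key for $s not found on $env:COMPUTERNAME"
            continue
        }
        if ($PSCmdlet.ShouldProcess("$env:COMPUTERNAME ($s)", "Set IE ESC Enabled=$Enabled")) {
            Set-ItemProperty -Path $path -Name IsInstalled -Value ([int]$Enabled) -Type DWord
        }
    }
}

# Report the current state, then preview the Terminal Server case from the text:
# standard users get a usable browser while administrators keep IE ESC.
Get-IEEscState | Format-Table -AutoSize
Set-IEEscState -Scope Users -Enabled $false -WhatIf
```

Remove `-WhatIf` to apply the change, and pass `-Enabled $true` to turn IE ESC back on. For several servers, the saved script can be run with `Invoke-Command -ComputerName ... -FilePath ...`.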
Group Policy
A major downside of using PowerShell for automation tasks is that computers that are offline don’t receive the settings. Thus, if you need to disable IE ESC on a large number of servers, I recommend Microsoft’s fabulous automation GUI tool Group Policy. This is the topic of my next post.
Disable the IE ESC dialog box.
I like this option because it allows you to disable the Internet Explorer Enhanced Security Configuration warning dialog box without actually disabling IE ESC. I will cover this option in the last post of this series.