- Poll: How reliable are ChatGPT and Bing Chat? - Tue, May 23 2023
- Pip install Boto3 - Thu, Mar 24 2022
- Install Boto3 (AWS SDK for Python) in Visual Studio Code (VS Code) on Windows - Wed, Feb 23 2022
If you try to open Microsoft.com in Internet Explorer on Windows Server 2012, you have to click 18 times (I counted) until IE ESC believes that the site of Internet Explorer’s maker is secure. If you then click a link, the click orgy starts all over again. I doubt that anybody is using Internet Explorer in this way. I suppose it is the best way to get arthritis in your forefinger.
Content from the website listed below is being blocked by the Internet Explorer Enhanced Security Configuration
Yes, if you work with the zone feature in Internet Explorer, you can at least work with Internet Explorer to access corporate websites. However, it’s only the large organizations that really benefit from this feature.
Don’t get me wrong. Using Internet Explorer on a server is indeed a severe security risk. Thus, it would make sense if one could completely uninstall Internet Explorer. There are political reasons for why this isn’t possible.
The history of Internet Explorer Enhanced Security
You might remember that, a while back, some Internet activists were very angry at Microsoft because Microsoft annihilated an ambitious company called Netscape (who, in turn, dared to threaten to destroy Microsoft with its tiny HTML file viewer). The activists managed to persuade some influential politicians that votes can be won by bashing this big and evil company in Redmond that endangers the “free” Internet (whatever that was). This somehow forced Bill Gates and other high-ranking Microsoft managers to testify in court that removing Internet Explorer would cause malfunctions in Windows.
When it became obvious that using a web browser on a server is not really such a good idea, Microsoft faced a dilemma. Of course, it is impossible to admit now that Windows without Internet Explorer is doable. Microsoft’s engineers had to therefore think of a way to remove Internet Explorer without actually removing it. We call the fruits of this tinkering “Internet Explorer Enhanced Security,” and it is the reason why millions of Windows Server admins are in danger of getting forefinger arthritis.
How to avoid forefinger arthritis
So what can you do if you want to keep the agility of your forefinger?
1. Don’t use a web browser on a server.
Do you really need a web browser on a server? If Microsoft’s engineers believe it is worth annoying millions of admins with Internet Enhanced Security Configuration, they must have a good reason. All your firewalls, malware, and intrusion detection systems are relatively useless if you invite the bad guys to your network by using a web browser with admin privileges on a server. You are sure you need the browser on your server? Read on.
2. Use a (relatively) secure web browser.
There is no such thing as a secure web browser. However, you can use a web browser that is more secure than Internet Explorer. I know of only two browsers for Windows that deserve this title: Lynx and Opera. I suppose the somewhat limited capabilities of Lynx will make Opera your first choice. It is a good choice because almost no one uses this browser; therefore, the bad guys don’t bother to dig for its security holes. Don’t even think of installing Firefox or Chrome on a server. The security you gain this way is exactly NIL because the market share of these browsers is now comparable to that of Internet Explorer, and the Mozilla and Google developers certainly don’t know more about browser security than Microsoft’s programmers.
3. Disable Internet Explorer Enhanced Security Configuration.
You can disable IE ESC, probably because Microsoft’s lawyers are afraid that in a few years they will get swamped by lawsuits by former admins who got severe forefinger arthritis. There are a few situations where it makes sense to turn off IE ESC—for instance, on a Terminal Server where end users (with standard user rights) need a browser. It is also the first thing I do on a freshly installed test server that runs in a virtual and isolated lab environment. This allows me to download tools I want to test or use web-based admin interfaces on the server. And, of course, the number one reason is that you probably think that you are an admin who knows what you are doing and only surfs to sites that you trust not to load code from sites that you don’t trust. There are various ways to disable IE ESC.
Caution Internet Explorer Enhanced Security Configuration is not enabled
Server Manager / Control Panel
This is the option you use if you only want to disable IE ESC on a single server. We have descriptions for Windows Server 2008 R2 and Windows Server 2012 on 4sysops.
In Windows Server 2003, you can disable IE ESC in the Control Panel through the Add or Remove Programs applet with the Add/Remove Windows Components function. You can do this either for administrator groups or for all other user groups.
PowerShell
If you need to turn off IE ESC on multiple servers, you can do so faster by using a PowerShell script. No PowerShell cmdlet exists for this task; however, since you can disable IE ESC in the Registry, it is not a big deal to leverage PowerShell for the task. Don’t worry, this doesn’t involve a lot of type-type. We have already done the work for you.
Group Policy
A major downside of using PowerShell for automation tasks is that computers that are offline don’t receive the settings. Thus, if you need to disable IE ESC on a large number of servers, I recommend Microsoft’s fabulous automation GUI tool Group Policy. This is the topic of my next post.
Disable the IE ESC dialog box.
I like this option because it allows you to disable the Internet Explorer Enhanced Security Configuration warning dialog box without actually disabling IE ESC. I will cover this option in the last post of this series.
As a note, for IIS there are now some add-ons that are very difficult to install without using the Web Platform Installer. This is essentially just a browser-based app (based on IE), and so you need browsability to use WPI. And you run smack into IESC.
You are so correct Stephen. And you run right into this on a Terminal Server that has it disable, when you add a new user. ESC is turned on and you have to reset IE then not accept the defaults so that the app will run correctly. I have not found away to just simply turn is off. When I check it says that it is already off. Guess one day I will run a diff on the registry and figure out what changes between the settings.
In GPO Management, within your selected GPO, navigate to “Computer Configuration“, “Preferences“, “Windows Settings“, “Registry”. Use the following settings for Admins:
Action: Update
Properties: Hive HKEY_LOCAL_MACHINE
Key path SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}
Value name IsInstalled
Value type REG_DWORD
Value data 0x0 (0)
In GPO Management, within your selected GPO, navigate to “Computer Configuration“, “Preferences“, “Windows Settings“, “Registry”. Use the following settings for Users:
Action: Update
Properties: Hive HKEY_LOCAL_MACHINE
Key path SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}
Value name IsInstalled
Value type REG_DWORD
Value data 0x0 (0)
That should solve your problem.
I just added http://ftp.mozilla.org to trusted sites and installed mozilla firefox and used it 😛
I've disabled the IE ES on my Windows Server 2016 but it turns back on when the server is rebooted. What could be causing this?
Great technical info, but ESC wasn't a result of the anti-trust settlement and fallout from Netscape. That was years earlier. ESC was a result of the negative attention Microsoft caught for malicious code being run on servers when users browsed with IIS on a server console. This was one of those times where MS was trying to protect users from themselves, as you generally shouldn't use a browser from a server console unless you absolutely need to.
I've followed free and open-source technologies since the very late 1990's, and it's been an interesting time… The "free" and open internet was one not dominated by AOL, Prodigy, and Compuserve holding content in a "walled garden". We are seeing this happen again with social media and such. No need to panic, but I always try to support technologies and products which respect users and administrators by supporting free/libre/open-source software, open standards, and open formats for files/documents.