Disable Internet Explorer Enhanced Security Configuration (IE ESC) in Windows Server 2008 R2

This article explains how to disable Internet Explorer enhanced security in Windows Server 2008 and Windows Server 2008 R2 by turning off IE ESC in Server Manager.
Profile photo of Michael Pietroforte

Michael Pietroforte

Michael Pietroforte is the founder and editor of 4sysops. He is a Microsoft Most Valuable Professional (MVP) with more than 30 years of experience in IT management and system administration.
Profile photo of Michael Pietroforte

Latest posts by Michael Pietroforte (see all)

One of the first things I usually do when I install a new Windows Server in a test environment, is to turn off Internet Explorer Enhanced Security Configuration (IE ESC). I am talking about this little prompts that get on your nerves whenever you open a website in Internet Explorer on a Windows Server. I described how to disable Internet Explorer Enhanced Security in Windows Server 2003 a while back. Since it is one of the popular articles here on 4syosps and because the procedure is different on Windows Server 2008, I decided to post a follow-up to save you from this constant security prompts.

Disable Internet Explorer Enhanced Security Windows Server 2008 R2 - IE

Usually, when you explain publicly how to turn off a security feature you will be confronted with protests in a moralizing undertone. Feel free to do this in a comment box below. I appreciate all kinds of objections. But let me explain first why I think that disabling Internet Explorer Enhanced Security is a good thing to do.

First of all, one shouldn’t open web pages on production server, anyway. So the best way to enhance security would be if one could uninstall IE entirely. Unfortunately, Microsoft doesn’t allow this, though IE ESC comes very close to a disabled Internet Explorer. Not because it really enhances security, but because it makes IE literally useless.

I just tried to access Microsoft’s homepage on a freshly installed Windows Server 2008. I had to click about ten times on this security prompt until the page was finally displayed. If you decide not to add the site to the trusted sites zone you might get away with just six clicks. If you click on any link the click orgy will usually start again. On other sites it might even be worse. I wonder who really uses IE on a server this way. And, I seriously doubt, that those who really do, know what they are actually adding to their trusted site zones all the time.

Anyway, my recommendation is to use Opera if you really have to access web pages on a productive server. This browser is more secure than IE or Firefox because the bad guys usually only focus on popular browsers.

Disable Internet Explorer Enhanced.Security.Windows Server 2008 R2 - Server Manager

In a test environment, where one doesn’t need this extra security, it makes sense to just disable Internet Explorer Enhanced Security. In Windows Server 2003, one has to uninstall the corresponding Windows Component. In Windows Server 2008, this doesn’t work anymore. You have to click on the root folder in Server Manager. Then you scroll down to the Security Information Section and click “Configure IE ESC”. You can turn off IE ESC for Administrators and/or for users. The latter probably only makes sense in a Terminal Server environment.

-1+1 (+4 rating, 6 votes)
54 Comments
  1. avatar
    Aaron 8 years ago

    Annoying as IE ESC is (and yeah I almost always disable it too), I think it’s bad advice to increase the attack surface of the server by removing IE ESC and installing Opera. Less targeted software does not make it more secure. Not browsing the web on your server is the best defense.

  2. avatar
    steve 8 years ago

    The fact is, if you check sites like Secunia, Opera IS and has historically been, WAY more secure. Not to mention if you care to learn Opera’s features it will demonstrate just how capable it is in such a small package. Michael’s advice is right-on.

  3. avatar
    1337Ops 8 years ago

    Yo- MS makes us click so many prompts we should all get free carpel tunnel therapy. I agree, IE and Outlook Exp of all things should not be installed on a server.
    Who want’s MS to create a true blue admin login that doesn’t give ares loads of popups, ask you every time if you are ‘sure’ (ie. RDP 6 blows – I mean come on…). Maybe one day boyz!
    I say disable it, the only good thing about windows is that it will keep us all employed for a LONG LONG time.

  4. Profile photo of Michael Pietroforte
    Michael Pietroforte 8 years ago

    Aaron, I agree that not browsing the web is most secure. But you know that also applies to any desktop PC. 😉 Seriously, there are only rare cases where you really need a web browser on a productive server. However, in those cases I wouldn’t use IE. Even though IE’s security improved lately, it is still dangerous to surf the web with this browser in a security sensitive environment. And I don’t see how the bombardment with confirmation prompts could improve security. I absolutely disagree with your view about less targeted software. It is simply a matter of fact that popular software is less secure. Why do you think that Mac users don’t have to worry so much about viruses? Because Apple’s developers are smarter?

    Steve, you’re right Opera is really a nice browser. I just hope that not so many people will find out about this. I am quite sure that it then wouldn’t be the most secure browser anymore. I am also using Opera on the desktop whenever I surf in murky waters.

    1337Ops, you’re right. The best thing about these new security prompts is that more Windows admins are needed now because of the time they waste with clicking all day on them. 😉

  5. avatar
    G.Crow 8 years ago

    I disagree with installing Opera, sorry. In my experience, installing non-production third party software like that WILL result in unpatched/unupdated software sooner or later. This means that even though Opera is more secure, one year down the road half your install base will not be, since no one has logged in to manually update the software.

    On the other hand, yes, they shouldn’t be surfing the web anyhow…

  6. Profile photo of Michael Pietroforte
    Michael Pietroforte 8 years ago

    You’re right, this is certainly a problem. However, it applies to any third party software. The point is that an outdated Opera is still more secure than the latest IE or Firefox.

  7. avatar
    Ian 8 years ago

    Knowing this is absolutely essential if you, like me, run 2K8 server in a virtual machine for software development/testing purposes. Being able to browse the web from inside the VM is very handy.

  8. avatar
    Brent 8 years ago

    The design philosophy of protecting the computer from the user is foolish, especially in the case where the user is an administrator. No admin is going to be surfing nefarious sites on a production server anyway. He is going to be downloading patches and doing useful things. If you don’t trust your admin to know how to safely browse the web, then you are likely in allot more trouble than this.

  9. avatar
    yfki 8 years ago

    Anyone who has used Vista Activation Tool, ServerManager will no longer work

    You can diable IE ESC by running this…

    “C:\Windows\system32\rundll32.exe” C:\Windows\system32\iesetup.dll,IEShowHardeningDialog

  10. Profile photo of Michael Pietroforte
    Michael Pietroforte 8 years ago

    Brent, I think that from Microsoft’s perspective this is just a statistical issue. Implementing such “features” just means that the number of security incidents will go down. So those who are careful have to suffer, too because there certainly are quite a few admins who don’t consider using IE on a productive server.

    yfki, what Vista Activation Tool do you mean?

  11. avatar
    Tony 8 years ago

    I saw a similar writeup over at groovypost. http://www.groovypost.com/howto/microsoft/ie/disable-ie-enhanced-security-configuration-in-windows-server-2008/

    He also mentioned Terminal Services. Can you confirm this? I need to make sure.

  12. avatar
    Core User 8 years ago

    Does anyone know how to disable this feature for Server Core?

  13. avatar
    Ragnar 7 years ago

    Thanks! Just what I needed.

  14. avatar
    Mikey 7 years ago

    Thanks, this is exactly what I was looking for and you pointed me in the right direction perfectly. Thanks!

  15. avatar
    Lee 6 years ago

    Tremendously helpful. Thank you so much.

  16. avatar
    Adam C 6 years ago

    Thanks! 🙂

  17. avatar
    Azhar 6 years ago

    The article was helpful. Thanks.

  18. avatar
    Nick 6 years ago

    Thanks for the info. The setting was right in front of me but I couldn’t see it because my monitor was in the way 🙂

  19. avatar
    peteh 6 years ago

    Helped me a lot. Thanks muchly.

    I am one who falls into the developer category. I do write services as well as applications. And so I have WS 2008 and I do browse as well. We devs have a tendency to ‘google’ quite frequently like the rest of the general population.

    We just look at ‘less interesting’ stuff on sites that tend to be a bit less dangerous then sights we might visit at home.

    As soon as I am able, I will set up Firefox and the ‘No Script’ and ‘AdBlock’ Add-Ons. To me, that is as safe as it gets with any browser.

    Thanks again.

  20. avatar
    sankoch 6 years ago

    Really helpful. Thank you so much…… 🙂

  21. avatar
    Mark 6 years ago

    Must say, I totally agree on the “Dont use the internet on a server”.

    With updates going through a application shall we say there is no need for it.

    I do not plan on putting opera or anything else like that on my servers. We have 10 ranging from PDC’s DC’s email and imaging. They have all worked fine because no one touches them.

    Although as network manager I will never install another internet browser. You can sit there and say its more secure but its not. Its less targetted.

    If everyone switched to Opera right now I promise you it will get attacked and leaked through much easier then IE as much as I hate MS.

  22. avatar
    Paul 6 years ago

    Just turn it back on when you are finished.
    I forgot it was right in front of my face.
    Thanks

  23. avatar
    JoePete 5 years ago

    I find the paranoia about not using a Web browser on a server, even a production server, a bit humorous.

    Take a look at the traffic going in and out of that server – already there is probably a lot going over port 80 even exclusive of the Web server. Regardless on any number of ports you have incoming and outgoing traffic to the Internet. Now, if you all are saying that you don’t want to be using a browser because you are afraid of user error – well that is an access problem. One would assume the only folks with a login to a production server know what they are doing.

  24. avatar
    Tom L 5 years ago

    Thanks for the info on disabling enhanced security. I just want to start installing Exchange 2010 and it made it impossible to even start the process. Unbelieveable to me because I have been installing Exchange on servers since 4.o was new and never have I been blocked to even prep for the install before.I don’t care about opera and all the rest of the arguments because being a net admin of over 200 users I know it does not matter what the program is. The weakest link is always between the Keyboard and the chair. Thanks again for the helpful post in the beginning. Tom

  25. avatar
    vadim 5 years ago

    Thanks for the info! I had to reboot the machine for the settings to be applied. Probably, just a relogin would have be sufficient, though.

  26. avatar
    TonyP 5 years ago

    I wasted 30 min on Microsoft’s website and searching the server itself trying to find how to uninstall the enhanced security (being used to 2003).

    Thanks for the point in the right direction!

  27. avatar
    HeadInTheClouds 5 years ago

    I am testing using VMWare and Server 20008 R2, running datacenter mode.
    With IE ESC enabled IE takes 5 or more minutes to load, not to mention the barrage of messages and add to trusted. It gets to be impossible to work at all! To configure and check IIS (for me) requires a little playing with IE to test it is working at localhost / local ip address.

    Disable IE ESC and IE loads in a few seconds – phew! Thanks for this tip, I am seriously relieved! I am no longer about to dip the keyboard in a bucket of water… 😉

  28. avatar
    Jeff 5 years ago

    Please use the proper terminology – it is a “PRODUCTION” server, not a “productive” server. But, hopefully it also is very productive – LOL! 😉

  29. avatar
    Mark 5 years ago

    Thanks. Your article has shown me exactly what to do to switch off ESC. I agree with your sentiments. This is not the way to make a browser more secure; instead it just makes use of the browser really annoying. I set up Internet Explorer for many of my clients and I make a point of switching off ESC each time, because it renders the browser unusable.

  30. avatar
    Phil 5 years ago

    I find that having those prompts is a great feature. Often times when working on a mix of servers and workstations I sometimes forget that I am working on a server when I want to look something up quickly. Having this added security is perfect way of asking me.. are you sure you want to browse the web on this computer?

  31. Profile photo of Michael Pietroforte
    Michael Pietroforte 5 years ago

    Jeff, thank you so much.

    Phil, I agree that it makes sense to display a warning once. But why 10 or 20 times per page?

  32. avatar
    Rick Payne 5 years ago

    Thank you Michael !! It was annoying me to no end that as an administrator I couldn’t modify any of the security settings, other than adding/removing sites from the lists.

  33. avatar
    A Concerned Citizen 5 years ago

    Generally, if you’re running Windows at all, the server is already insecure, so you might as well disable IE ESC.

  34. avatar
    shalene 5 years ago

    i tried it but it is not heplful

  35. Profile photo of Michael Pietroforte
    Michael Pietroforte 5 years ago

    shalene, hmm maybe you have to try harder? 😉

  36. avatar
    Jan 5 years ago

    Thanks!!
    As a newbie it was just the information I needed to be at least able to open websites to find out how to do something ‘usefull’ with Win server 2008 …
    I love it however more than win 7 … strange?
    My main platform is OSX and Linux … Windows is a struggle.!

  37. avatar
    Gordon Lincoln 5 years ago

    Thanks for the article – installing SBS 2011 Std on a Dell, installing various updates and tools, was getting tired of ESC. There are times when browsing to the mfgr’s or publisher’s website from a server is more ergonomic and vastly more efficient than the typical flash drive sneakernet alternative.

    I’m far more afraid of technicians walking around with their personal flash drives, who end up using them to transport an update or driver to a critical server, than I am a responsible IT technician using IE with ESC turned off. Carelessly passed around flash drives are the most frequent root source of viruses I encounter in corporate systems.

  38. avatar
    Richard Hussain 4 years ago

    Thanks. This resolved my issue.

  39. avatar
    AndyMac 4 years ago

    I think VMware vCenter (on Server 2008 R2) uses web reporting for some things and IE ESC messes with it? Presumably, also any other app that uses http protocols are affected & if installed, these are a good reason to disable this feature?

  40. avatar
    jomebrew 4 years ago

    Thanks for the helpful and easy to follow procedure.

  41. avatar
    TekServer 4 years ago

    (sigh) Why does MS always have to move stuff around? I swear it seems like the wait till we figure out where everything is, then release a new version just to move everything around so we have to pull our hair out finding it again!
    Thanks for the info; most helpful!
    😉

  42. avatar
    James 4 years ago

    How about because ESC is a redundant and ANNOYING feature that is unnessasary.If you run your server through a router ( most do, mutliple routers infact ) and set it up correctly, This feature is completly assinine.

  43. avatar
    georgy 4 years ago

    thanks a ton

  44. avatar
    Mike 4 years ago

    Since when has putting ‘Internet zone’ websites into the ‘Trusted zone’ enhanced security?

  45. avatar
    Joseph G 4 years ago

    Thanks for this! It helped!

  46. avatar
    Bill Dickerson 3 years ago

    For those complaining that this opens up holes and the solution is to “stop browsing the web on a server” – I will toss this back at ya – this is NOT impacting “web browsing” as we don’t do that on a server. However, it DOES impact even LOCAL or INTRANET applets, applications, services and consoles. We run some security software that uses IE as the LOCAL INTERFACE to the services running ON THAT SERVER. The requests never leave the box, but IE won’t allow things to work properly thanks to all the griping it does. Sure – your next comment “then just add it to….” nope, doesn’t work. IE doesn’t care where the site (even the LOCAL MACHINE FILES) are listed, local, intranet, safe or trusted sites and so on. The only way to make some software work – including MICROSOFT SECURITY PATCHES in IE on 2008R2 is to turn this protection off.
    We’re fine with it as we restrict access to server consoles, we audit and track all logins, and we don’t “browse the web” on servers. We to that on our own desktop/notebook systems. If we need to search or research, we do it on a computer that is not a server. Remote to the server on one monitor, run Windows on the other monitor, you still get the work done safely – but faster.
    Please give us a bit of credit. I know what’s not safe –

  47. avatar
    Leslie Parece 3 years ago

    Thank you. We have a lot of other tools that do a better job for the security.

  48. avatar
    Ben Dyson 3 years ago

    Hi all and thanks to Michael for posting, it was very helpful.

    I’ve not used Opera so my comment is merely academic and isn’t intended to single out Opera, just the concept of less popular browsers being safer.

    If more people are trying to hack popular browsers, like Chrome and IE that means that the developers are always plugging gaps and holes will be reported faster due to the larger user base. Where as Opera is smaller, less targeted but presumably doesn’t have the same sized dev team, and Michaels comment “Because Apple’s developers are smarter?” also applies here. Opera still has holes to exploit because it was programmed by fallible people just like IE. But doesn’t Opera have a smaller user base to highlight issues and less developers to fix them?

    In summary I suggest that with popular browsers Hackers are more likely to find holes to exploit but that they will be be plugged relatively quickly. However less popular browsers are less likely to be targeted but “IF” exploited will pose a greater security risk* and for longer.

    * There is also the concept that you have greater faith in your browser and therefor your guard is lower.

    I suspect that from an academic POV I have a valid point, but the reality is the stats involved would show that Opera is still the safer option.

  49. avatar
    Natalia 2 years ago

    I am installing SQL Server 2012 on Windows Server 2008 R2, this feature does not allow me to go through installation, looking for updates. Am I doing something wrong? I made this installation couple times already, never had this problem before.

  50. avatar
    Tim 2 years ago

    I knew all about this setting. However, on my RDS Hosts this is turned off for both “Users” and “Administrators” but is still popping up for users in the RDS environment….Very annoying

  51. avatar
    Carlyle 1 year ago

    Thank you very helpful!!
    A very annoying feature for Microsoft to enable on a server.

  52. avatar
    Alex 10 months ago

    Michael, you are my hero!

  53. avatar
    Marie M 9 months ago

    The information is helpful and fantastic !!! keep give us more info!
    Thanks God bless you!

  54. avatar
    mitch 4 months ago

    Thank you Michael , I didn’t know how to get rid of it. unfortunately sometime you do need a web browser for updates and if you need to access your server remotely you must have internet connection to the server. just dont surf the web with the server.

Leave a reply

Your email address will not be published. Required fields are marked *

*

CONTACT US

Please ask IT administration questions in the forum. Any other messages are welcome.

Sending
© 4sysops 2006 - 2016

Log in with your credentials

or    

Forgot your details?

Create Account