This article explains how to disable the Internet Explorer Enhanced Security Configuration (IE ESC) in Windows Server 8 Beta/Windows Server 2012 and what options you have to improve security if you have to use a web browser on a server.
Internet Explorer Enhanced Security Configuration is enabled

One of the downsides of dealing with a new version of Windows Server is figuring out where things have moved in the new release. In Windows Server 2008 R2, disabling IE ESC was fairly straightforward in the Server Manager. Disabling it in the latest Microsoft Server OS is still performed in the Server Manager. However, the redesign of the Server Manager in Windows Server 2012 has made it a little trickier to find.

Turn off Internet Explorer Enhanced Security Configuration

  1. Start by running the Server Manager from either the Start Screen or the Desktop.
    Server Manager in Windows Server 2012
  2. In the Server Manager Dashboard, click on Local Server on the left side.
    Server Manager Dashboard
  3. In the Server Properties for the Local Server, you’ll see the option for IE Enhanced Security Configuration. Click ‘On’ to change the option.
    Windows Server 2012 IE Enhanced Security Configuration
  4. At this point, you’ll be prompted with the options to turn off Internet Explorer Enhanced Security Configuration for Administrators and/or Users. After selecting your option, click OK.
    Disable Internet Explorer Enhanced Security Configuration for Administrators or Users
  5. Click the Refresh button at the top of the Server Manager and the IE Enhanced Security Configuration should now show as ‘Off.’
    Internet Explorer Enhanced Security Configuration is off
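The same setting can be audited without opening Server Manager. The PowerShell function below is an added example, not code from the original article: it reads the two Active Setup component keys Windows uses for IE ESC (one GUID for Administrators, one for Users) and reports whether each is still enabled, either locally or, over WinRM, on a list of servers. The server names in the usage lines are constructed.

```powershell
# Added example (not from the article): report whether IE Enhanced Security Configuration
# is enabled for Administrators and for Users, locally or on a list of servers.
# The two Active Setup component GUIDs are the ones Windows uses for IE ESC.
function Get-IEEscStatus {
    [CmdletBinding()]
    param(
        # Servers to query; defaults to the local machine.
        [string[]]$ComputerName = $env:COMPUTERNAME
    )

    $ScriptBlock = {
        $Base = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
        $Components = @{
            Administrators = '{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
            Users          = '{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
        }
        foreach ($Group in $Components.Keys) {
            $Key = Join-Path $Base $Components[$Group]
            # IsInstalled = 1 means ESC is on for that group; 0 (or a missing key) means off.
            $Value = (Get-ItemProperty -Path $Key -Name IsInstalled -ErrorAction SilentlyContinue).IsInstalled
            [pscustomobject]@{
                ComputerName = $env:COMPUTERNAME
                Group        = $Group
                Enabled      = ($Value -eq 1)
            }
        }
    }

    foreach ($Computer in $ComputerName) {
        if ($Computer -eq $env:COMPUTERNAME) {
            & $ScriptBlock
        } else {
            # Remote query needs WinRM (Enable-PSRemoting) on the target.
            Invoke-Command -ComputerName $Computer -ScriptBlock $ScriptBlock
        }
    }
}

# Example usage with constructed server names: list hosts where ESC has been
# turned off for Administrators, i.e. where a browser on the server is unrestricted.
Get-IEEscStatus -ComputerName 'SERVER01', 'SERVER02' |
    Where-Object { $_.Group -eq 'Administrators' -and -not $_.Enabled }
```

Run this against your server inventory periodically; a production host where ESC is off for Administrators is the case the rest of this article argues you should be able to justify.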

Should you turn off IE Enhanced Security Configuration?

Now that you know how to disable Internet Explorer Enhanced Security Configuration in Windows Server 8 Beta/Windows Server 2012, should you? Let’s start off by discussing the purpose of the IE ESC. Microsoft’s reasoning behind locking down IE with this feature is to reduce your server’s exposure to malicious web sites. Ok… security… I can get behind that. We all want our servers to be secure, right?

But have you ever tried to visit a web site from IE on a Windows Server with IE ESC enabled? It’s an effort in futility. As Michael mentioned in his article on disabling IE ESC in Windows Server 2008 R2, you potentially have to click dozens of times just to get one or two pages to come up. Honestly, this is malware-like behavior because it essentially prevents software from working properly.

So, what we need to do is balance security and usability so that we’re keeping the attack surface as small as possible while keeping the server from being completely unusable. Starting with Test and Development boxes, I don’t see any reason why you couldn’t disable IE ESC if it is necessary in your environment.

For Production servers, the story is going to be a little different depending on how you’re using your server, your organization’s security needs, and your organization’s security policies. As a best practice, you really shouldn’t be using a web browser on a server. Ideally, Microsoft would give us a way to uninstall IE completely without having to give up the GUI by running Server Core.

So what are your options? For non-Administrators, disabling IE ESC is probably fairly safe if the users will need access to a web browser. The most common scenario for this is if you’re running Remote Desktop Services (RDS), formerly Terminal Services. As a second option, you could always run an alternate web browser for the standard users, but you’re still not reducing the attack surface of your server since that web browser will still need to be patched and will have its own set of security vulnerabilities. As a third option, you can consider implementing AppLocker in your RDS environment to stop malicious software from running.
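For the third option, the script below is an added example, not part of the original article, showing how an AppLocker executable policy for an RDS session host can be generated and deployed in audit mode first. It builds publisher rules (with hash rules as a fallback for unsigned files) from the executables already installed under Windows and Program Files, sets every rule collection to AuditOnly so that anything launched from outside those directories is logged rather than blocked, dry-runs the policy against notepad.exe and a small unsigned test executable it compiles itself, and then merges the policy into the local AppLocker configuration. The output directory C:\Temp and the policy file name are assumptions; the AppLocker cmdlets require Windows Server 2012 or later and an elevated prompt.

```powershell
# Added example (not from the article): build an AppLocker executable policy for an
# RDS session host and deploy it in AuditOnly mode. Launches of executables that match
# no rule are written to the "Microsoft-Windows-AppLocker/EXE and DLL" event log instead
# of being blocked, so the policy can be reviewed before EnforcementMode is set to Enabled.

# Assumed working directory and policy file name.
$WorkDir    = 'C:\Temp'
$PolicyPath = Join-Path $WorkDir 'AppLocker-RDS-AuditOnly.xml'
New-Item -Path $WorkDir -ItemType Directory -Force | Out-Null

# 1. Inventory the executables that are expected to run on this host.
$TrustedDirs = 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)'
$FileInfo = foreach ($Dir in $TrustedDirs) {
    if (Test-Path $Dir) {
        Get-AppLockerFileInformation -Directory $Dir -Recurse -FileType Exe
    }
}

# 2. Prefer publisher rules (they survive patching); fall back to hash rules for
#    unsigned binaries. -Optimize collapses redundant rules into fewer, broader ones.
$PolicyXml = New-AppLockerPolicy -FileInformation $FileInfo -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix 'RDS-Baseline' -Optimize -IgnoreMissingFileInformation -Xml

# 3. Force every rule collection into AuditOnly before the policy touches the host.
$Policy = [xml]$PolicyXml
foreach ($Collection in $Policy.AppLockerPolicy.RuleCollection) {
    $Collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$Policy.Save($PolicyPath)

# 4. Compile a trivial unsigned executable outside the trusted directories to stand in
#    for a browser-dropped file (constructed test artifact, does nothing when run).
$TestExe = Join-Path $WorkDir 'unsigned-test.exe'
Add-Type -TypeDefinition 'class P { static void Main() { } }' `
    -OutputType ConsoleApplication -OutputAssembly $TestExe

# 5. Dry-run the policy: notepad.exe should be allowed by a publisher rule, the test
#    executable should be denied because no rule covers it.
Test-AppLockerPolicy -XmlPolicy $PolicyPath -User Everyone `
    -Path 'C:\Windows\System32\notepad.exe', $TestExe |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 6. AppLocker only audits or enforces while the Application Identity service runs.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 7. Merge the audit policy into the local policy. After a period of normal RDS use,
#    review the AppLocker event log, add rules for anything legitimate that was flagged,
#    then change EnforcementMode from AuditOnly to Enabled.
Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge
```

Audit mode is the point of the example: a policy generated from a file inventory will miss something, and on an RDS host the people who find out are your users. Reviewing the audit events first, and only then enforcing, gives the attack-surface reduction the paragraph above is after without the help-desk calls.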


What about Administrators? A systems administrator that knows what he/she is doing won’t knowingly go to a malicious site, right? While that sounds plausible, consider that there are zero-day exploits out there for IE (and other browsers) that could allow an attacker to run malicious code through the web browser without you ever knowing it. You can check out details on recent vulnerabilities by checking out Zero Day Initiative’s Pwn2Own site.

13 Comments
  1. Joe Moniz 11 years ago

    I just wanted to take a moment to thank you. There’s not a lot of information about 2012 out there just yet.

    Your article was on point, well illustrated, and helped me through something that could have taken a long while without your help.

    Thank you

    Joe

  2. Mark Fulmer 11 years ago

    Great article Kyle. I agree 100% with Joe.

    Mark

  3. Jonas Mellquist 11 years ago

    Any idea how to do this via cmd or PowerShell?

    -Jonas

  4. Jeff Archambeau 11 years ago

    To do this in PowerShell…

    function Disable-InternetExplorerESC {
        # Active Setup components that switch IE ESC on for Administrators and for Users.
        $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
        $UserKey  = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}"
        # IsInstalled = 0 turns ESC off for that group (1 turns it back on).
        Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 0
        Set-ItemProperty -Path $UserKey -Name "IsInstalled" -Value 0
        # Restart Explorer so the change is picked up.
        Stop-Process -Name Explorer
        Write-Host "IE Enhanced Security Configuration (ESC) has been disabled." -ForegroundColor Green
    }

  5. jake gardner 10 years ago

    This really annoys me when you jump on a server and this happens. It’s like, well, obviously there’s something wrong with the server if I need to browse on it in the first place 🙂

  6. phunktional johnkey 9 years ago

    Thanks a lot man! Well written article.

  7. Tony 7 years ago

    Thank you!

  8. Ve sinh an toan thuc pham 7 years ago

    Thanks

  9. Bryan 7 years ago

    Thank you 🙂

  10. Steven Hatfield 6 years ago

    I just wanted to add a bit in here: we have a regression test server that we use Selenium on and it automates the testing of a web app. Turning off the IE enhanced security is essential for this to work.

  11. Ithelpdesk 6 years ago

    The last thing the Google drive app says is “One moment please” after I successfully entered my credentials.

  12. ryanhs 6 years ago

    I followed these instructions however the

    PS C:\Users\Administrator> Get-ADDomain | fl name.DomainMode

    name.DomainMode : {}

    SS C:\Users\Administrator> Get-ADForest | fl name.ForestMode

    name.ForestMode : {}

    Server Manager AD DS —-

    The local domain controller could not connect with the following domain controller hosting the following directory partition to resolve distinguished names.

    Domain controller:

    Directory partition:
    mydomain.com

    Additional Data
    Error value:
    1355 The specified domain either does not exist or could not be contacted.
    Internal ID:
    320137a

© 4sysops 2006 - 2023