One of the downsides of dealing with a new version of Windows Server is figuring out where things have moved in the new release. In Windows Server 2008 R2, disabling IE ESC was fairly straightforward in the Server Manager. Disabling it in the latest Microsoft Server OS is still performed in the Server Manager. However, the redesign of the Server Manager in Windows Server 2012 has made it a little trickier to find.
Turn off Internet Explorer Enhanced Security Configuration
- Start by running the Server Manager from either the Start Screen or the Desktop. (Figure: Server Manager in Windows Server 2012)
- In the Server Manager Dashboard, click on Local Server on the left side. (Figure: Server Manager Dashboard)
- In the Server Properties for the Local Server, you’ll see the option for IE Enhanced Security Configuration. Click ‘On’ to change the option. (Figure: Windows Server 2012 IE Enhanced Security Configuration)
- At this point, you’ll be prompted with the options to turn off Internet Explorer Enhanced Security Configuration for Administrators and/or Users. After selecting your option, click OK. (Figure: Disable Internet Explorer Enhanced Security Configuration for Administrators or Users)
- Click the Refresh button at the top of the Server Manager and the IE Enhanced Security Configuration should now show as ‘Off.’ (Figure: Internet Explorer Enhanced Security Configuration is off)
Should you turn off IE Enhanced Security Configuration?
Now that you know how to disable Internet Explorer Enhanced Security Configuration in Windows Server 8 Beta/Windows Server 2012, should you? Let’s start off by discussing the purpose of the IE ESC. Microsoft’s reasoning behind locking down IE with this feature is to reduce your server’s exposure to malicious web sites. Ok… security… I can get behind that. We all want our servers to be secure, right?
But have you ever tried to visit a web site from IE on a Windows Server with IE ESC enabled? It’s an effort in futility. As Michael mentioned in his article on disabling IE ESC in Windows Server 2008 R2, you potentially have to click dozens of times just to get one or two pages to come up. Honestly, this is malware-like behavior because it essentially prevents software from working properly.
So, what we need to do is balance security and usability so that we’re keeping the attack surface as small as possible while keeping the server from being completely unusable. Starting with Test and Development boxes, I don’t see any reason why you couldn’t disable IE ESC if it is necessary in your environment.
For Production servers, the story is going to be a little different depending on how you’re using your server, your organization’s security needs, and your organization’s security policies. As a best practice, you really shouldn’t be using a web browser on a server at all. Ideally, Microsoft would give us a way to uninstall IE completely without having to give up the GUI entirely by running Server Core.
So what are your options? For non-Administrators, disabling IE ESC is probably fairly safe if the users will need access to a web browser. The most common scenario for this is if you’re running Remote Desktop Services (RDS), formerly Terminal Services. As a second option, you could always run an alternate web browser for the standard users, but you’re still not reducing the attack surface of your server since that web browser will still need to be patched and will have its own set of security vulnerabilities. As a third option, you can consider implementing AppLocker in your RDS environment to stop malicious software from running.
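The Server Manager dialog in step 4 lets you treat Administrators and Users separately, which is exactly the split this RDS scenario calls for: leave ESC on for admins, turn it off only for the standard users who need a browser. The script below is an added example for auditing and setting that split from PowerShell; it is not from the article or from any of the commenters. The two Active Setup component GUIDs are the ones a commenter’s disable script below uses; the function names and the `$IeEscKeys` table are this example’s own, and it assumes an elevated PowerShell session on the server.

```powershell
# Added example (not from the article): audit and set IE ESC per audience.
# IsInstalled = 1 means ESC is on for that audience, 0 means off.
# GUIDs are the Active Setup components used in the commenter's script on this page.
$IeEscKeys = @{
    Administrators = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
    Users          = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
}

function Get-IeEscState {
    # Returns one object per audience showing whether ESC is currently enforced.
    foreach ($audience in $IeEscKeys.Keys) {
        $value = (Get-ItemProperty -Path $IeEscKeys[$audience] -Name IsInstalled -ErrorAction SilentlyContinue).IsInstalled
        [pscustomobject]@{
            Audience = $audience
            Enabled  = ($value -eq 1)
            RawValue = $value
        }
    }
}

function Set-IeEscState {
    # Turns ESC on or off for one or both audiences. Supports -WhatIf so the change
    # can be previewed before touching the registry on a production host.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('Administrators', 'Users')][string[]]$Audience,
        [Parameter(Mandatory)][bool]$Enabled
    )
    foreach ($a in $Audience) {
        $path = $IeEscKeys[$a]
        if ($PSCmdlet.ShouldProcess($path, "Set IsInstalled = $([int]$Enabled)")) {
            Set-ItemProperty -Path $path -Name IsInstalled -Value ([int]$Enabled)
        }
    }
    # Active Setup applies the component at logon; restarting Explorer, as the commenter's
    # script does, refreshes the current session. A fresh logon is the reliable path.
    Stop-Process -Name explorer -ErrorAction SilentlyContinue
}

# Usage: audit, preview turning ESC off for Users only (RDS scenario), then audit again.
Get-IeEscState | Format-Table -AutoSize
Set-IeEscState -Audience Users -Enabled $false -WhatIf
Get-IeEscState | Format-Table -AutoSize
```

Drop `-WhatIf` once the preview shows the intended key, and keep `Administrators` out of the `-Audience` list so the admin profile stays locked down; the same function with `-Enabled $true` puts ESC back if a later review decides the server no longer needs a browser.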
What about Administrators? A systems administrator who knows what he/she is doing won’t knowingly go to a malicious site, right? While that sounds plausible, consider that there are zero-day exploits out there for IE (and other browsers) that could allow an attacker to run malicious code through the web browser without you ever knowing it. You can find details on recent vulnerabilities at Zero Day Initiative’s Pwn2Own site.
I just wanted to take a moment to thank you. There’s not a lot of information about 2012 out there just yet.
Your article was on point, well illustrated, and helped me through something that could have taken a long while without your help.
Thank you
Joe
Great article Kyle. I agree 100% with Joe.
Mark
Any idea how to do this via cmd or PowerShell?
-Jonas
To do this in PowerShell…

```powershell
# Requires an elevated session: both keys live under HKLM.
function Disable-InternetExplorerESC {
    # Active Setup components that apply IE ESC for administrators and for users
    $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
    $UserKey  = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}"
    # IsInstalled = 0 turns the component off for that audience
    Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 0
    Set-ItemProperty -Path $UserKey  -Name "IsInstalled" -Value 0
    # Restart Explorer so the current session picks up the change
    Stop-Process -Name Explorer
    Write-Host "IE Enhanced Security Configuration (ESC) has been disabled." -ForegroundColor Green
}
```
This really annoys me when you jump on a server and this happens. It’s like, well, obviously there’s something wrong with the server if I need to browse on it in the first place 🙂
Thanks a lot man! Well written article.
Thank you!
Thanks
Thank you 🙂
I just wanted to add a bit in here: we have a regression test server that we use Selenium on, and it automates the testing of a web app. Turning off the IE enhanced security is essential for this to work.
Thanks for providing the information on Selenium.
The last thing the Google drive app says is “One moment please” after I successfully entered my credentials.
I followed these instructions however the

```
PS C:\Users\Administrator> Get-ADDomain | fl name.DomainMode
name.DomainMode : {}

SS C:\Users\Administrator> Get-ADForest | fl name.ForestMode
name.ForestMode : {}
```

Server Manager AD DS:

```
The local domain controller could not connect with the following domain controller hosting the following directory partition to resolve distinguished names.
Domain controller:
Directory partition:
mydomain.com
Additional Data
Error value:
1355 The specified domain either does not exist or could not be contacted.
Internal ID:
320137a
```