1) Q: What is Microsoft Internet Explorer Enhanced Security Configuration?
A: As part of the effort to provide a more secure operating system, Microsoft has included a new Windows component in the Windows Server 2003 family, Internet Explorer Enhanced Security Configuration. This component reapplies the current security templates that are built into Internet Explorer as follows:
The following table compares the security levels for specific zones with and without the Internet Explorer Enhanced Security Configuration:

Zone                | With Enhanced Security Configuration                                         | Without Enhanced Security Configuration (the same security levels as Windows 2000)
Internet zone       | High security settings                                                       | Medium security settings
Trusted sites zone  | Medium security settings                                                     | Low security settings
Local intranet zone | Medium-Low security settings (intranet sites are not automatically detected) | Medium-Low security settings (intranet sites are automatically detected)
With Internet Explorer Enhanced Security Configuration, certain Web site functionality is restricted, which decreases the exposure of your server to attacks that can occur through Web content. Depending on which user groups the Internet Explorer Enhanced Security Configuration settings are applied to (users in an Administrators group, users not in an Administrators group, or both), Web pages might not display correctly. Internet Explorer Enhanced Security Configuration makes your server more secure, but it also reduces functionality in:
As an administrator, you have the ability to easily change which sites are assigned to the more secure zone and which sites are assigned to the Trusted sites or Local intranet zones. You can also adjust the detailed security settings that are applied to each zone, and you can determine which users are affected by the Internet Explorer Enhanced Security Configuration settings. Details can be found later in this article.
For a complete list of the settings that are included in each security template (High, Medium, Medium-Low and Low), you can review the Internet Explorer Enhanced Security Configuration documentation by opening Internet Explorer, clicking Help, and then clicking Enhanced Security Configuration. You can also view the settings if you do the following:
1. On the Tools menu, click Internet Options, and then click the Security tab.
2. Click a zone.
3. Click Custom Level.
2) Q: What happens to my Internet Explorer security settings when I upgrade from an earlier version of Windows?
A: Internet Explorer Enhanced Security Configuration replaces the existing security settings. Be aware that this is different from earlier upgrade behavior. In the past, upgrades typically retained the existing security settings. With Internet Explorer Enhanced Security Configuration, the more stringent security settings replace the Internet Explorer configuration of the older operating system.
3) Q: How can I remove Internet Explorer Enhanced Security Configuration?
A: You can remove Internet Explorer Enhanced Security Configuration for the entire computer or for specific user groups (administrators and users not in an Administrators group). If you remove Internet Explorer Enhanced Security Configuration, the security levels revert to the same settings as Windows 2000. Be aware that this will make your server less secure and expose your server to a variety of security risks.
To remove Internet Explorer Enhanced Security Configuration and restore the default Internet Explorer security settings, do the following:
1. In Control Panel, open Add or Remove Programs, and then click Add/Remove Windows Components.
2. Click Internet Explorer Enhanced Security Configuration, and then do one of the following:
· Clear the Internet Explorer Enhanced Security Configuration check box, and then click Next.
· Click Details, clear either the For administrator groups check box or the For all other user groups check box, and then click Next.
4) Q: Is there a way to find out if Internet Explorer Enhanced Security Configuration has been removed?
A: This information will be included in the Event Log. You can also review the following registry subkeys:
· HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4B3F-8CFC-4F3A74704073}\IsInstalled
· HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4B3F-8CFC-4F3A74704073}\IsInstalled
The above subkeys will have a value of “0” if the component is not installed for that type of user.
5) Q: How do I enable Internet Explorer Enhanced Security Configuration?
A: Internet Explorer Enhanced Security Configuration is enabled by default in the Windows Server 2003 family. If the Enhanced Security Configuration is disabled and you want to enable it again, do the following:
1. In Control Panel, open Add or Remove Programs, and then click Add/Remove Windows Components.
2. Click Internet Explorer Enhanced Security Configuration, and then do one of the following:
· Select the Internet Explorer Enhanced Security Configuration check box, and then click Next.
· Click Details, select either the For administrator groups check box or the For all other user groups check box, and then click Next.
6) Q: How can I determine if Internet Explorer Enhanced Security Configuration is enabled for the current user or on the current computer?
A: You can use the Add/Remove Windows Components user interface, as described earlier in this article, or view the following registry subkeys:
· HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IEHarden
· HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4B3F-8CFC-4F3A74704073}\IsInstalled
· HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4B3F-8CFC-4F3A74704073}\IsInstalled
The above subkeys will have a value of “1” if the component is installed for that type of user.
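A PowerShell check that reads the subkeys listed in questions 4 and 6 and reports the state for each user group. This is an added example, not part of the original article; the key paths are the article's own, written in registry-provider form, and treating a missing key or value as "not installed" is an assumption.

```powershell
# Added example, not from the original article: report whether IE ESC is installed
# for administrator groups, for all other user groups, and for the current user,
# using the registry subkeys the FAQ lists. Run on the server itself (HKCU is per-user).
$adminKey = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4B3F-8CFC-4F3A74704073}'
$userKey  = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4B3F-8CFC-4F3A74704073}'
$zoneMap  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'

function Get-RegistryFlag([string]$Path, [string]$Name) {
    # Assumption: an absent key or value means the component is not installed ($false).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$Name -eq 1)
}

function Get-IEEscState {
    [pscustomobject]@{
        AdminGroups     = Get-RegistryFlag $adminKey 'IsInstalled'   # first subkey in questions 4 and 6
        OtherUserGroups = Get-RegistryFlag $userKey  'IsInstalled'   # second subkey in questions 4 and 6
        CurrentUser     = Get-RegistryFlag $zoneMap  'IEHarden'      # per-user ZoneMap value in question 6
    }
}

$state = Get-IEEscState
$state | Format-List

# A server used only for administration should normally keep IE ESC for every group;
# warn for any group where it has been removed so the change can be reconciled with the Event Log.
if (-not $state.AdminGroups)     { Write-Warning 'IE ESC is not installed for administrator groups.' }
if (-not $state.OtherUserGroups) { Write-Warning 'IE ESC is not installed for all other user groups.' }
```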
7) Q: What are “zones?”
A: Internet Explorer 4 and later versions of Internet Explorer divide URL namespaces into URL security zones, which are assigned different levels of trust and are therefore assigned different levels of security. Internet Explorer Enhanced Security Configuration changes the default security settings for the predefined zones. However, as an administrator, you can change which Web sites are in which zone (details are described later in this article). For more information on security zones, see: http://msdn.microsoft.com/workshop/security/szone/overview/templates.asp
Note The concept of zones does not apply for versions of Internet Explorer prior to Internet Explorer 4. In earlier versions of Internet Explorer, the same security settings apply to all URL namespaces. A predetermined URL policy, which cannot be changed, handles each URL action for a particular security level.
8) Q: How do I add a site to the Trusted sites zone or the Local intranet zone?
A: By default, all sites are added to the Internet zone. However, it is often necessary for administrators and other users to access internal and external Web sites that use features that are restricted in the Internet zone. In order for users to access these sites, the sites must be added to a less restrictive zone. You can add individual sites to the Trusted sites zone or Local intranet zone, or you can add several sites at one time. It is recommended that you preconfigure trusted sites through automated setup rather than by manually adding the sites to alternate zones on each computer.
There are two methods of adding sites to the Trusted sites or Local intranet zones:
· To add sites using automated setup, add the appropriate entries to Unattend.txt. You should first identify any Web sites that are trusted and necessary for administrators or other users to access in order to perform their jobs. Then, add entries similar to the following in the installation package that you use to create servers:
[IEHardening]
TrustedSites=*.alpineskihouse.com;www.adatum.com;http://www.adventure-works.com
LocalIntranetSites=*.cohovineyard.com;cohowinery.com;http://mail.cohovineyardandwinery.com
Note The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, places, or events is intended or should be inferred.
· To add a single site manually, do the following:
1. In Internet Explorer, open the Web site that you want to add.
2. On the File menu, point to Add this site to, and click Trusted Sites Zone or Local Intranet Zone.
3. Confirm the address in the Add this Web site to the zone text box (or you can type the Internet address of the Web site you want to add to this zone).
4. Click Add, and then click Close.
Note When you add a Web page to the Trusted sites zone or the Local intranet zone, you are actually adding the domain for that page. Therefore, all pages within that domain will also be trusted. For example, if you choose to add http://www.alpineskihouse.com/downloads/holiday.asp to your Trusted sites zone, you are adding http://www.alpineskihouse.com.
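The same [IEHardening] lists from the Unattend.txt sample, applied to the current user's zone map with PowerShell, including the rule in the note above that a page URL trusts its whole domain. This is an added example, not part of the article, which documents only Unattend.txt and the Internet Explorer menu; the ZoneMap\Domains and ZoneMap\EscDomains layout and the zone numbers (1 = Local intranet, 2 = Trusted sites) are standard Internet Explorer behaviour the article does not state, and the Add-ZoneMapEntry function and its two-label domain rule are my own assumptions.

```powershell
# Added example, not from the original article: write the [IEHardening] site lists from the
# Unattend.txt sample into the current user's Internet Explorer zone map. Assumptions (standard
# IE layout, not stated in the article): entries live under ZoneMap\Domains\<domain>\<host>,
# under ZoneMap\EscDomains instead while IE ESC is installed, and the scheme-named DWORD holds
# the zone number (1 = Local intranet, 2 = Trusted sites).
$ieHardening = @{
    TrustedSites       = '*.alpineskihouse.com;www.adatum.com;http://www.adventure-works.com'
    LocalIntranetSites = '*.cohovineyard.com;cohowinery.com;http://mail.cohovineyardandwinery.com'
}
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'

function Add-ZoneMapEntry([string]$Entry, [int]$Zone) {
    $scheme = '*'                                   # any scheme unless the entry names one
    if ($Entry -match '^(?<s>https?)://(?<h>[^/]+)') { $scheme = $Matches.s; $Entry = $Matches.h }
    $Entry  = ($Entry -split '/')[0]                # a page URL trusts its whole domain (see the note above)
    $labels = $Entry -split '\.'
    if ($labels[0] -eq '*') { $labels = @($labels[1..($labels.Count - 1)]) }   # *.example.com == example.com
    if ($labels.Count -lt 2) { throw "Refusing '$Entry': a single label would match far too broadly." }
    # Assumption: the registrable domain is the last two labels (does not handle co.uk-style suffixes).
    $domain = $labels[-2..-1] -join '.'
    $sub    = if ($labels.Count -gt 2) { $labels[0..($labels.Count - 3)] -join '.' } else { $null }
    $escOn  = (Get-ItemProperty -Path $zoneMap -Name IEHarden -ErrorAction SilentlyContinue).IEHarden -eq 1
    $root   = if ($escOn) { "$zoneMap\EscDomains" } else { "$zoneMap\Domains" }
    $path   = if ($sub) { "$root\$domain\$sub" } else { "$root\$domain" }
    New-Item -Path $path -Force | Out-Null
    New-ItemProperty -Path $path -Name $scheme -PropertyType DWord -Value $Zone -Force | Out-Null
    return "$Entry -> zone $Zone at $path ($scheme)"
}

# Local intranet sites receive NTLM credentials automatically (question 10), so keep that list short.
foreach ($site in $ieHardening.LocalIntranetSites -split ';') { Add-ZoneMapEntry $site 1 }
foreach ($site in $ieHardening.TrustedSites       -split ';') { Add-ZoneMapEntry $site 2 }
```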
9) Q: How do I add Internet Explorer Enhanced Security Configuration settings to a Group Policy object?
A: Another method of automating the setup of Internet Explorer security settings is to use Group Policy. By adding the Internet Explorer Enhanced Security Configuration settings to a Group Policy object, you can then distribute that policy to other computers.
1. Configure the security zones on the computer from which you will create the Group Policy object.
2. Open Group Policy Object Editor (Gpedit.msc), and double-click User Configuration, Windows Settings, Internet Explorer Maintenance, and then Security.
3. Double-click Security Zones and Content Ratings.
4. Click Import the current security zones and privacy settings, and then click OK.
10) Q: When should I use the Trusted sites zone as opposed to the Local intranet zone?
A: You should use the Local intranet zone only for intranet sites that require relaxed security settings in order to function properly. All other sites should be set to a more restrictive zone. One of the reasons for this is that the Medium-Low security settings used for intranet sites allow NTLM credentials to be sent to the site. For example, your company might have an internal Human Resources Web site where employees record their hours worked or vacation time. It is necessary for employees to pass security credentials to this Web site in order to access their personal information. Because this is a trusted, internal site, it is appropriate to add this site to the Local intranet zone. However, your employees might also need to visit an external partner’s Web site in order to check the status of orders. This Web site requires functionality beyond what is allowed in the Internet zone but does not require employees to send their security credentials (they instead use a login ID and password that is local to their Web server). Because the site is hosted by a trusted partner and is necessary to access in order for your employees to perform their jobs, this would be appropriate for the Trusted sites zone.
11) Q: Why is the Windows Update Web site included in the Trusted sites zone?
A: Windows Update is a Microsoft-owned Web site from which Windows users can download critical and non-critical software. During installation, the Windows Update Web site is added to the Trusted sites zone so that you can continue to get important updates for your operating system.
12) Q: Can users change the security settings for the various security zones?
A: By default, users who are not administrators cannot change the security settings for their own user profile when Internet Explorer Enhanced Security Configuration settings are applied. Administrators can change this restriction through Group Policy. If you want to allow the users to change their own security settings, use Group Policy to change the value of the following subkey to “0”:
Hkey_Current_User\Software\Policies\Microsoft\Internet Explorer\Control Panel\SecurityTab
13) Q: When navigating to some Web sites, I get a warning describing the Internet Explorer Enhanced Security Configuration. Why doesn’t this warning appear for all Web sites?
A: This warning will appear only when you navigate to sites that are not in the Trusted sites zone or the Local intranet zone. You can disable the warning by clicking the check box in the warning itself.
14) Q: What if I configure my server as a Terminal Server?
A: The more restrictive security settings that Internet Explorer Enhanced Security Configuration introduces could impact users who typically use the server as a Terminal Server to browse Web sites. Therefore, if you configure your server as a Terminal Server, then, during installation of the Terminal Server components, you will be presented with the option to change to which user groups the Internet Explorer Enhanced Security Configuration settings are applied. The default will be to apply the settings only to administrators. However, you can choose to retain the settings for all users or to disable the settings for all users.
15) Q: Does Internet Explorer Enhanced Security Configuration affect Windows XP?
A: These changes do not affect Windows XP.
16) Q: Do I need to use Internet Explorer Enhanced Security Configuration to increase the security of Internet Explorer?
A: If you do not use Internet Explorer Enhanced Security Configuration, you can strengthen Internet Explorer by using the existing security settings in one of two ways:
17) Q: What are some best practices for Internet browsing?
A: Using servers for broad Internet browsing does not adhere to sound security practices because browsing increases the exposure of your server to potential security attacks.
To reduce the risk to your server:
18) Q: Where can I find more information about Internet Explorer Enhanced Security Configuration?
A: Open Internet Explorer, click Help, and then click Enhanced Security Configuration.