How to disable Internet Explorer Enhanced Security Configuration (IE ESC) in Windows Server 2012
This article explains how to disable the Internet Explorer Enhanced Security Configuration (IE ESC) in Windows Server 8 Beta/Windows Server 2012 and what options you have to improve security if you have to use a web browser on a server.
Kyle Beckman works as a systems administrator in Higher Education in the Southeast United States. He is an MCSE and specializes in Group Policy, Windows Server, and client support.
One of the downsides of dealing with a new version of Windows Server is figuring out where things have moved in the new release. In Windows Server 2008 R2, disabling IE ESC was fairly straightforward in the Server Manager. Disabling it in the latest Microsoft Server OS is still performed in the Server Manager. However, the redesign of the Server Manager in Windows Server 2012 has made it a little trickier to find.
- Start by running the Server Manager from either the Start Screen or the Desktop.
Server Manager in Windows Server 2012
- In the Server Manager Dashboard, click on Local Server on the left side.
Server Manager Dashboard
- In the Server Properties for the Local Server, you’ll see the option for IE Enhanced Security Configuration. Click ‘On’ to change the option.
Windows Server 2012 IE Enhanced Security Configuration
- At this point, you’ll be prompted with the options to turn off Internet Explorer Enhanced Security Configuration for Administrators and/or Users. After selecting your option, click OK.
Disable Internet Explorer Enhanced Security Configuration for Administrators or Users
- Click the Refresh button at the top of the Server Manager and the IE Enhanced Security Configuration should now show as ‘Off.’
Disable Internet Explorer Enhanced Security Configuration is off
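The same setting can be audited and changed from PowerShell, with Administrators and Users handled separately as in the dialog above. This is an added example, not part of the original article; it assumes IE ESC state is stored in the IsInstalled value (1 = on, 0 = off) of the two Active Setup component keys shown, and the function names Get-IEEscState and Set-IEEscState are made up for this example.

```powershell
# Added example: report and set IE ESC per role through the registry.
# Assumption: each role's state is the IsInstalled DWORD (1 = on, 0 = off)
# under these Active Setup component keys.
$EscKeys = @{
    Administrators = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
    Users          = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
}

function Get-IEEscState {
    # Emits one object per role so the result can be filtered or exported.
    foreach ($role in ($EscKeys.Keys | Sort-Object)) {
        $path = $EscKeys[$role]
        if (-not (Test-Path -Path $path)) {
            [pscustomobject]@{ Role = $role; State = 'KeyMissing' }
            continue
        }
        $value = (Get-ItemProperty -Path $path -Name IsInstalled -ErrorAction SilentlyContinue).IsInstalled
        $state = if ($value -eq 1) { 'On' } elseif ($value -eq 0) { 'Off' } else { 'Unknown' }
        [pscustomobject]@{ Role = $role; State = $state }
    }
}

function Set-IEEscState {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][ValidateSet('Administrators', 'Users')][string]$Role,
        [Parameter(Mandatory = $true)][bool]$Enabled
    )
    $path = $EscKeys[$Role]
    if (-not (Test-Path -Path $path)) {
        throw "IE ESC key for $Role not found: $path"
    }
    # -WhatIf shows the change without writing it.
    if ($PSCmdlet.ShouldProcess($Role, "Set IE ESC enabled = $Enabled")) {
        Set-ItemProperty -Path $path -Name IsInstalled -Value ([int]$Enabled) -Type DWord
    }
}

# Report the current state for both roles.
Get-IEEscState | Format-Table -AutoSize

# Preview turning IE ESC off for standard users only, leaving Administrators on:
# Set-IEEscState -Role Users -Enabled $false -WhatIf
```

Writing under HKLM requires an elevated session. Reading the state with Get-IEEscState does not change anything, so it can be run across servers to find where IE ESC has been turned off for Administrators.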
Should you turn off IE Enhanced Security Configuration?
Now that you know how to disable Internet Explorer Enhanced Security Configuration in Windows Server 8 Beta/Windows Server 2012, should you? Let’s start off by discussing the purpose of the IE ESC. Microsoft’s reasoning behind locking down IE with this feature is to reduce your server’s exposure to malicious web sites. Ok… security… I can get behind that. We all want our servers to be secure, right?
But have you ever tried to visit a web site from IE on a Windows Server with IE ESC enabled? It’s an exercise in futility. As Michael mentioned in his article on disabling IE ESC in Windows Server 2008 R2, you potentially have to click dozens of times just to get one or two pages to come up. Honestly, this is malware-like behavior because it essentially prevents software from working properly.
So, what we need to do is balance security and usability so that we’re keeping the attack surface as small as possible while keeping the server from being completely unusable. Starting with Test and Development boxes, I don’t see any reason why you couldn’t disable IE ESC if it is necessary in your environment.
For Production servers, the story is going to be a little different depending on how you’re using your server, your organization’s security needs, and your organization’s security policies. As a best practice, you really shouldn’t be using a web browser on a server. Ideally, Microsoft would give us a way to uninstall IE completely without having to give up the GUI entirely by running Server Core.
So what are your options? For non-Administrators, disabling IE ESC is probably fairly safe if the users will need access to a web browser. The most common scenario for this is if you’re running Remote Desktop Services (RDS), formerly Terminal Services. As a second option, you could always run an alternate web browser for the standard users, but you’re still not reducing the attack surface of your server since that web browser will still need to be patched and will have its own set of security vulnerabilities. As a third option, you can consider implementing AppLocker in your RDS environment to stop malicious software from running.
What about Administrators? A systems administrator who knows what he/she is doing won’t knowingly go to a malicious site, right? While that sounds plausible, consider that there are zero-day exploits out there for IE (and other browsers) that could allow an attacker to run malicious code through the web browser without you ever knowing it. You can find details on recent vulnerabilities on Zero Day Initiative’s Pwn2Own site.