Inicio > windows > How to disable Internet Explorer Enhanced Security Configuration (IE ESC) in Windows Server 2012

How to disable Internet Explorer Enhanced Security Configuration (IE ESC) in Windows Server 2012

Fuente: http://4sysops.com/archives/how-to-disable-internet-explorer-enhanced-security-configuration-ie-esc-in-windows-server-2012/

This article explains how to disable the Internet Explorer Enhanced Security Configuration (IE ESC) in Windows Server 8 Beta/Windows Server 2012 and what options you have to improve security if you have to use a web browser on a server.

A picture of Kyle Beckman By Kyle Beckman – Mon, May 28, 2012 – 4 comments

Kyle Beckman works as a systems administrator in Higher Education in the Southeast United States. He is an MCSE and specializes in Group Policy, Windows Server, and client support.

 

 

Internet Explorer Enhanced Security Configuration is enabled
Internet Explorer Enhanced Security Configuration is enabled

One of the downsides of dealing with a new version of Windows Server is figuring out where things have moved in the new release. In Windows Server 2008 R2, disabling IE ESC was fairly straightforward in the Server Manager. Disabling it in the latest Microsoft Server OS is still performed in the Server Manager. However, the redesign of the Server Manager in Windows Server 2012 has made it a little trickier to find.

  1. Start by running the Server Manager from either the Start Screen or the Desktop.
    Disable Internet Explorer Enhanced Security Configuration - Start Server Manager in Windows Server 2012Disable Internet Explorer Enhanced Security Configuration  - Server Manager in Windows Server 2012
    Server Manager in Windows Server 2012
  2. In the Server Manager Dashboard, click on Local Server on the left side.
    Disable Internet Explorer Enhanced Security Configuration - Server Manager Dashboard
    Server Manager Dashboard
  3. In the Server Properties for the Local Server, you’ll see the option for IE Enhanced Security Configuration. Click ‘On’ to change the option.
    Windows Server 2012 IE Enhanced Security Configuration
    Windows Server 2012 IE Enhanced Security Configuration
  4. At this point, you’ll be prompted with the options to turn off Internet Explorer Enhanced Security Configuration for Administrators and/or Users. After selecting your option, click OK.
    Disable Internet Explorer Enhanced Security Configuration for Administrators or Users
    Disable Internet Explorer Enhanced Security Configuration for Administrators or Users
  5. Click the Refresh button at the top of the Server Manager and the IE Enhanced Security Configuration should now show as ‘Off.’
    Disable Internet Explorer Enhanced Security Configuration is off
    Disable Internet Explorer Enhanced Security Configuration is off

Should you turn off IE Enhanced Security Configuration?

Now that you know how to disable Internet Explorer Enhanced Security Configuration in Windows Server 8 Beta/Windows Server 2012, should you? Let’s start off by discussing the purpose of the IE ESC. Microsoft’s reasoning behind locking down IE with this feature is to reduce your server’s exposure to malicious web sites. Ok… security… I can get behind that. We all want our servers to be secure, right?

But have you ever tried to visit a web site from IE on a Windows Server with IE ESC enabled? It’s an effort in futility. As Michael mentioned in his article on disabling IE ESC in Windows Server 2008 R2, you potentially have to click dozens of times just to get one or two pages to come up. Honestly, this is malware-like behavior because it essentially prevents software from working properly.

So, what we need to do is balance security and usability so that we’re keeping the attack surface as small as possible while keeping the server from being completely unusable. Starting with Test and Development boxes, I don’t see any reason why you couldn’t disable IE ESC if it is necessary in your environment.

For Production servers, the story is going to be a little different depending on how you’re using your server, your organization’s security needs, an your organization’s security policies. As a best practice, you really shouldn’t be using a web browser on a server. Ideally, Microsoft would give us a way to uninstall IE completely without completely losing the GUI by running Server Core.

 

So what are your options? For non-Administrators, disabling IE ESC is probably fairly safe if the users will need access to a web browser. The most common scenario for this is if you’re running Remote Desktop Services (RDS), formerly Terminal Services. As a second option, you could always run an alternate web browser for the standard users, but you’re still not reducing the attack surface of your server since that web browser will still need to be patched and will have its own set of security vulnerabilities. As a third option, you can consider implementing AppLocker in your RDS environment to stop malicious software from running.

What about Administrators? A systems administrator that knows what he/she is doing won’t knowingly go to a malicious site, right? While that sounds plausible, consider that there are zero-day exploits out there for IE (and other browsers) that could allow an attacker to run malicious code through the web browser without you ever knowing it. You can check out details on recent vulnerabilities by checking out Zero Day Initiative’s Pwn2Own site.

Series NavigationFour ways to disable Internet Explorer Enhanced Security Configuration (IE ESC)Disable Internet Explorer Enhanced Security Configuration (IE ESC) remotely with PowerShell

4 Comments – Leave a Reply
  1. Joe Moniz says:

    I just wanted to take a moment to Thank you.  There’s not a lot of information about 2012 out there just yet.

    Your article was on point, well illustrated, and helped me through something that could have taken a long while without your help.

    Thank you

    Joe

     
  2. Great article Kyle.  I agree 100% with Joe.

    Mark

     
  3. Any idea how to do this via cmd or PowerShell?

    -Jonas

     
  4. To do this in powershell…

    function Disable-InternetExplorerESC {     $AdminKey = “HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}” $UserKey = “HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}” Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 0     Set-ItemProperty -Path $UserKey -Name “IsInstalled” -Value 0     Stop-Process -Name Explorer     Write-Host “IE Enhanced Security Configuration (ESC) has been disabled.” -ForegroundColor Green }

     

     

Categorías:windows Etiquetas:
  1. Aún no hay comentarios.
  1. No trackbacks yet.

Responder

Introduce tus datos o haz clic en un icono para iniciar sesión:

Logo de WordPress.com

Estás comentando usando tu cuenta de WordPress.com. Cerrar sesión / Cambiar )

Imagen de Twitter

Estás comentando usando tu cuenta de Twitter. Cerrar sesión / Cambiar )

Foto de Facebook

Estás comentando usando tu cuenta de Facebook. Cerrar sesión / Cambiar )

Google+ photo

Estás comentando usando tu cuenta de Google+. Cerrar sesión / Cambiar )

Conectando a %s

A %d blogueros les gusta esto: