Control Registry Settings with Security Zone Settings In IE: Windows Server 2003


This topic contains 0 replies, has 1 voice, and was last updated by  Webmaster 3 months, 1 week ago.


    Webmaster
    Keymaster

    The Microsoft Windows Server 2003 Internet Explorer Enhanced Security Configuration component (also known as
    Microsoft Internet Explorer hardening) reduces a server's vulnerability to attacks from Web content by applying more
    restrictive Internet Explorer security settings that disable scripts, ActiveX components, and file downloads for resources in the
    Internet security zone. As a result, many of the security enhancements included in the latest release of Internet Explorer will
    not be as noticeable in Windows Server 2003 Service Pack 1. For example, the new Internet Explorer Notification Bar and
    Pop-up Blocker features will not be used unless the site is in a zone whose security setting allows scripting. If you are not
    using the enhanced security configuration on your server, these features will function as they do in Windows XP Service
    Pack 2.

    What do Feature Control Registry Settings and Security Zone Settings do?

    Feature Control registry settings are provided for Internet Explorer so that a specific process can be configured to opt in to a
    particular security feature. Each security feature has a corresponding registry key that you can use to opt in to or opt out of the
    security feature.
    When a process has been configured to use a security feature, the security feature is running. Once the feature is running,
    there might be corresponding security zone settings that can be applied for more precision. Some security features do not
    have additional security zone settings.
    In the Security Settings tab of Internet Options, the user can adjust these settings for many of the new feature controls. If
    you select Enable, it lowers the security settings and allows the behavior to run less securely, or in the same manner as it did
    in previous versions of Internet Explorer. The feature control can be applied again by setting the security zone setting to
    Disable, which blocks the less-secure behavior while the feature control is enabled for that process.
    Each of the Feature Controls is discussed in more detail in this document. For more information about URL action settings and
    how they relate to security zones, see "About URL Security Zones Templates" on the Microsoft Web site at
    http://go.microsoft.com/fwlink/?LinkId=26001.
    Using security zone settings for a feature provides additional precision in control for security features in Internet Explorer and
    can help manage application compatibility for organizational intranet applications. A user or administrator can select different
    behaviors based on risk.

    Who does this feature apply to?

    Web application developers need to be aware that the Internet Explorer security settings are dependent on the zone in which
    an application is run. Therefore, you should assign security zones carefully; this should be a part of your information security
    considerations. The security zones that you use should also be considered when assessing application compatibility.
    Administrators of Group Policy may want to adjust the default values for each zone to suit the particular environments in their
    organization.
    Unless prevented by policies in Group Policy, users can manage the values for these security zone settings (or URL actions) for
    each zone through Internet Options in Control Panel. Note that the Local Machine zone is not available through Control
    Panel. To access the security settings for a zone, click Start, click Control Panel, click Internet Options, click the Security tab,
    click a Web security zone, and then click Custom Level.

    What new functionality is added to this feature in Windows Server 2003 Service Pack 1?

    Feature control registry settings

    Detailed description

    Windows Server 2003 Service Pack 1 introduces new feature control registry settings.
    For many of these features, when the registry setting is on, users can configure the security settings (also known as URL action
    flags) to fine-tune the feature control in each individual security zone.
    If you choose Enable as the action to take for an Internet Explorer feature control, the zone is secured as it was for the previous
    version of Internet Explorer. Relevant security control features will not apply in this zone; the security zone will run without the
    added layer of security provided by this feature.
    If you choose to disable the security zone setting, the actions that may be harmful cannot run; this Internet Explorer security
    feature will be turned on in this zone, as dictated by the feature control setting for the process.
    Security settings are often applied to a zone by a URL security zone template. The default values for the security settings and
    the settings by zone template are listed in the section Internet Explorer URL Action and Advanced Security Settings in Group
    Policy.

    Why is this change important? What threats does it help mitigate?

    As originally envisioned, each feature control setting would either be on or off for all security zones. Customer feedback
    indicated that more precise tuning with the settings was necessary for some features. For example, the internal workflow of
    some organizations depends on intranet applications. A feature control that protects users in the Internet zone may cause an
    intranet application to stop working. Because of this, Microsoft has incorporated the ability to control many security settings by
    zone.

    What works differently?

    Adding security settings by zone provides more flexibility in applying the new security features. This flexibility will provide a
    more manageable implementation of this new security feature, particularly in intranet scenarios.

    How do I resolve these issues?

    If the feature control setting is suspected of causing problems for an application, changing the feature control setting in the
    zone where the application is running to Enable allows the administrator or user to return to the previous behavior in that
    zone for that specific feature while maintaining the more secure behavior in other security zones. For some security settings,
    additional configuration options such as Prompt and Admin-approved are available, as well as Enable and Disable.

    Do I need to change my code to work with Windows Server 2003 Service Pack 1?

    If the code uses the default URLmon security manager, the developer must call CoInternetIsFeatureEnabledForURL to check
    the security settings for a particular zone.
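
The two-level decision described in the post (per-process feature control, then a per-zone Enable/Prompt/Disable setting) can be modelled for a configuration review as follows. This is an added example, not part of the original post or Microsoft's code: the function names and sample data are constructed, 0/1/3 are the standard URL policy values, and it assumes an exact process entry overrides the `*` entry.

```python
# Added example: models the decision on constructed data; it does not read a registry.
ZONES = {0: "Local Machine", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}
ENABLE, PROMPT, DISABLE = 0x00, 0x01, 0x03   # URL policy values: allow, query, disallow

def feature_on_for_process(feature_values, process):
    """feature_values: value names under one feature control key (a process
    image name or "*") mapped to a DWORD. Assumptions: an exact process
    entry wins over "*", and no entry at all means the process is opted out."""
    lowered = {name.lower(): data for name, data in feature_values.items()}
    return lowered.get(process.lower(), lowered.get("*", 0)) == 1

def effective_state(feature_values, process, zone_policy):
    """Resolve one zone to 'off', 'bypassed', 'prompt', 'enforced' or 'unknown'."""
    if not feature_on_for_process(feature_values, process):
        return "off"        # process never opted in, so the zone setting is moot
    if zone_policy == ENABLE:
        return "bypassed"   # Enable = previous, less secure behaviour in this zone
    if zone_policy == PROMPT:
        return "prompt"
    if zone_policy == DISABLE:
        return "enforced"   # Disable = risky behaviour blocked, feature applies
    return "unknown"        # value missing or not one of the three above

def audit(feature_values, process, zone_policies, strict_zones=(3, 4)):
    """Return (per-zone report, names of strict zones where the feature is not enforced)."""
    report, findings = [], []
    for zone_id, name in ZONES.items():
        state = effective_state(feature_values, process, zone_policies.get(zone_id))
        report.append((name, state))
        if zone_id in strict_zones and state != "enforced":
            findings.append(name)
    return report, findings

# Constructed snapshot: feature on for two processes, relaxed only for intranet/trusted.
SAMPLE_FEATURE = {"*": 0, "iexplore.exe": 1, "explorer.exe": 1}
SAMPLE_ZONE_POLICIES = {0: DISABLE, 1: ENABLE, 2: ENABLE, 3: DISABLE, 4: DISABLE}

if __name__ == "__main__":
    report, findings = audit(SAMPLE_FEATURE, "iexplore.exe", SAMPLE_ZONE_POLICIES)
    for name, state in report:
        print(f"{name:14} {state}")
    print("strict zones not enforced:", findings or "none")
```

With the sample data the intranet and trusted zones resolve to `bypassed` for compatibility while the Internet and Restricted zones stay `enforced`; setting the Internet zone to Enable makes it appear in the findings list.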
