Internet Explorer URL Action and Advanced Security Settings in Group Policy

IT Support Forum Forums Windows Windows Server 2003 R2 General Discussion Internet Explorer URL Action and Advanced Security Settings in Group Policy

This topic contains 0 replies, has 1 voice, and was last updated by  Webmaster 3 months, 1 week ago.

  • Author
    Posts
  • #2199

    Webmaster
    Keymaster

    The Microsoft Windows Server 2003 InternetExplorer Enhanced Security Configuration component (also known as
    Microsoft InternetExplorer hardening) reduces a server’s vulnerability to attacks from Web content by applying more
    restrictiveInternetExplorer security settings that disablescripts, ActiveX components,and file downloads for resources in the
    Internet security zone. As a result, many of thesecurity enhancements included in thelatest release of InternetExplorer will
    not beas noticeablein Windows Server 2003 Service Pack 1.For example, the new InternetExplorer Notification Bar and
    Pop-up Blocker features will not be used unless thesiteis in a zone whosesecurity setting allows scripting. If you are not
    using theEnhanced Security Configuration on your server, thesefeatures will function as they do in Windows XP Service
    Pack 2.
    What does InternetExplorer Settings in Group Policy do?
    Windows XP Service Pack 2 introduced true policies for theconfigurableactions in theInternetExplorer Security tab settings.
    In addition to incorporating these policies into InternetExplorer in Windows Server 2003 Service Pack 1,additional policies
    werecreated for selected configurableactions in theInternetExplorer Advanced tab,as well as for URL action policies in
    Locked-Down zones used only by the Network Protocol Lockdown security feature. In this release, thesesecurity settings are
    managed using the Group Policy Management Consoleand, if set,can only bechanged by a Group Policy object (GPO) or by
    an administrator.
    An updated Inetres.adm filecontains a list of settings as policies, including Advanced settings, which arealso found in the
    InternetExplorer user interfaceas preferences. Administrators can managethe new featurecontrol policies by using Group
    Policy objects (GPOs).When InternetExplorer is installed, the default HKEY_CURRENT_USER preferences settings for these
    settings areregistered on thecomputer as they werein previous versions.The Administrator has to usethe Group Policy
    Management Console(GPMC) to add thesesettings as policies.
    Who does this feature apply to?
    Group Policy administrators can uniformly configurethe new InternetExplorer Advanced setting policies,as well as policies for
    Locked-Down security zones, for thecomputers and users that they manage. It is important to inform theend-user which
    actions arecontrolled by policy,as theseactions will override user preferencesettings.
    Note
    TheInternet Options control panel will display policy settings when opened and users can interact with user interfaceand
    appear to changetheir preferences. However, these preferences will notactually override Group Policy settings, which may
    causea confusing user experience.Theadministrator can also seta policy to disablethe Advanced page user interfaceso
    that it is clearer to the user that thesesettings are notavailableto bechanged.This is notan issuefor theLocked-Down
    zones’ settings as they are notaccessiblethrough the user interface.
    What existing functionality is changing in Windows Server 2003 Service Pack 1?
    Group Policy InternetExplorer advanced settings
    Detailed description
    Thefollowing definitions apply to InternetExplorer settings for Windows Server 2003 with Service Pack 1:
    Security zones:Locked-Down Intranet Zone,Locked-Down Trusted Sites Zone,Locked-Down Internet Zone,and LockedDown
    Restricted Sites zone.
    Templates:Standard settings for all URL actions in thesesecurity zones.Templates can beapplied in any zone,and
    settings will providea range of choices from low security, medium-low, medium,and up to high security for thezone.
    URL actions:Security settings in theregistry that identify theaction to takefor that featurein thesecurity zone wherethe
    URL resides. URL action settings includeenable, disable, prompt,and others as appropriate.
    URL action policies: URL action policies can beadded individually by enabling the desired URL action policy, then
    selecting thesetting for the policy registry key value.They can also beset by zonetemplate.
    InternetExplorer will look for a policy in thefollowing order:
    HKEY_LOCAL_MACHINE policy hive
    HKEY_CURRENT_USER policy hive
    HKEY_CURRENT_USER preference hive
    HKEY_LOCAL_MACHINE preference hive
    If InternetExplorer finds a policy in the HKEY_LOCAL_MACHINE policy hive, it stops and does not continue; that is thesetting it
    respects. If InternetExplorer does not find a policy in HKEY_LOCAL_MACHINE policy hive, it looks in the HKEY_CURRENT_USER
    policy hive,and so on.Theadministrator can seta policy for one or more URL actions in one or morezones,and allow theend
    user to manage preferences for URL actions that do not require policy-level security management.
    Policy values for URL action
    The new URL action policies havethesame numeric values as their related preferencekeys.Thefollowing table provides a
    referenceto these URL actions.
    URL action flag name Security setting UI Numeric
    name
    URLACTION_DOWNLOAD_SIGNED_ACTIVEX Download signed ActiveX controls 1001
    URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX Download unsigned ActiveX controls 1004
    URLACTION_ACTIVEX_RUN Run ActiveX controls and plugins 1200
    URLACTION_ACTIVEX_OVERRIDE_OBJECT_SAFETY Initializeand script ActiveX controls not marked as safe 1201
    URLACTION_SCRIPT_RUN Activescripting 1400
    URLACTION_SCRIPT_JAVA_USE Scripting of Java applets 1402
    URLACTION_SCRIPT_SAFE_ACTIVEX Script ActiveX controls marked safefor scripting 1405
    URLACTION_CROSS_DOMAIN_DATA Access data sources across domains 1406
    URLACTION_SCRIPT_PASTE Allow paste operations via script 1407
    URLACTION_HTML_SUBMIT_FORMS Submit non-encrypted form data 1601
    URLACTION_HTML_FONT_DOWNLOAD Font download 1604
    URLACTION_HTML_USERDATA_SAVE Userdata persistence 1606
    URLACTION_HTML_SUBFRAME_NAVIGATE Navigatesub-frames across different domains 1607
    URLACTION_HTML_META_REFRESH Allow META REFRESH 1608
    URLACTION_HTML_MIXED_CONTENT Display mixed content 1609
    URLACTION_SHELL_INSTALL_DTITEMS Installation of desktop items 1800
    URLACTION_SHELL_MOVE_OR_COPY Drag and drop or copy and pastefiles 1802
    URLACTION_SHELL_FILE_DOWNLOAD File download 1803
    URLACTION_SHELL_VERB Launching applications and files in an IFRAME 1804
    URLACTION_SHELL_POPUPMGR Use Pop-up blocker 1809
    URLACTION_NETWORK_MIN Logon 1A00
    URLACTION_CLIENT_CERT_PROMPT Don’t prompt for client certificateselection when no certificates
    or only onecertificateexists
    1A04
    URLACTION_JAVA_PERMISSIONS Java permissions 1C00
    URLACTION_CHANNEL_SOFTDIST_PERMISSIONS Softwarechannel permissions 1E05
    URLACTION_BEHAVIOR_RUN Scriptand Binary Behaviors 2000
    URLACTION_MANAGED_SIGNED Run .NETFramework-reliant components signed with
    Authenticode
    2001
    URLACTION_MANAGED_UNSIGNED Run .NETFramework-reliant components not signed with
    Authenticode
    2004
    URLACTION_FEATURE_MIME_SNIFFING Open files based on content, not fileextension 2100
    URLACTION_FEATURE_ZONE_ELEVATION Web sites in less privileged Web content zones can navigate
    into this zone
    2101
    URLACTION_FEATURE_WINDOW_RESTRICTIONS Allow script-initiated windows without size or position
    constraints
    2102
    URLACTION_AUTOMATIC_DOWNLOAD_UI Automatic prompting for file downloads 2200
    URLACTION_AUTOMATIC_ACTIVEX_UI Automatic prompting for ActiveX controls 2201
    URLACTION_ALLOW_RESTRICTEDPROTOCOLS Allow activecontent over restricted protocols to access my
    computer
    2300
    For moreinformation about using URL action flags, see”URL Action Flags” on the MSDN Web siteat
    http://go.microsoft.com/fwlink/?LinkId=32776.
    Thefollowing table provides a referenceto thesetting options availablefor each URL action.
    Numeric Name URL Action Policy Setting Options
    1001 “Enable”=0x00000000
    “Disable”=0x00000003
    “Prompt”=0x00000001
    1004 “Enable”=0x00000000
    “Disable”=0x00000003
    “Prompt”=0x00000001
    1200 “Administrator approved”=0x00010000
    “Enable”=0x00000000
    “Disable”=0x00000003
    “Prompt”=0x00000001
    1201 “Enable”=0x00000000
    “Disable”=0x00000003
    “Prompt”=0x00000001
    1400 “Enable”=0x00000000
    “Disable”=0x00000003
    “Prompt”=0x00000001
    1402 “Enable”=0x00000000
    “Disable”=0x00000003
    “Prompt”=0x00000001
    1405 “Enable”=0x00000000
    “Disable”=0x00000003
    “Prompt”=0x00000001
    1406 “Enable”=0x00000000
    “Disable”=0x00000003
    “Prompt”=0x00000001
    1407 “Enable”=0x00000000
    “Disable”=0x00000003
    “Prompt”=0x00000001
    1601 “Enable”=0x00000000
    “Disable”=0x00000003
    “Prompt”=0x00000001
    1604 “Enable”=0x00000000
    “Disable”=0x00000003
    “Prompt”=0x00000001
    1606 “Enable”=0x00000000
    “Disable”=0x00000003
    1607 “Enable”=0x00000000
    “Disable”=0x00000003
    “Prompt”=0x00000001
    1608 “Enable”=0x00000000
    “Disable”=0x00000003
    1609 “Enable”=0x00000000
    “Disable”=0x00000003
    “Prompt”=0x00000001
    1800 “Enable”=0x00000000
    “Disable”=0x00000003
    “Prompt”=0x00000001
    1802 “Enable”=0x00000000
    “Disable”=0x00000003
    “Prompt”=0x00000001
    1803 “Enable”=0x00000000
    “Disable”=0x00000003
    1804 “Enable”=0x00000000
    “Disable”=0x00000003
    “Prompt”=0x00000001
    1809 “Enable”=0x00000000
    “Disable”=0x00000003
    1A00 “Anonymous logon”=0x00030000
    “Automatic logon only in Intranet zone”=0x00020000
    “Automatic logon with current user nameand password”=0x00000000
    “Prompt for user nameand password”=0x00010000
    1A04 “Enable”=0x00000000
    “Disable”=0x00000003
    1C00 “High safety”=0x00010000
    “Medium safety”=0x00020000
    “Low safety”=0x00030000
    “Custom”=0x00800000
    “DisableJava”=0x00000000
    1E05 “High Safety”=0x00010000
    “Medium Safety”=0x00020000
    “Low Safety”=0x00030000
    2000 “Enable”=0x00000000
    “Administrator approved”=0x00010000
    “Disable”=0x00000003
    2001 “Enable”=0x00000000
    “Disable”=0x00000003
    “Prompt”=0x00000001
    2004 “Enable”=0x00000000
    “Disable”=0x00000003
    “Prompt”=0x00000001
    2100 “Enable”=0x00000000
    “Disable”=0x00000003
    2101 “Enable”=0x00000000
    “Disable”=0x00000003
    “Prompt”=0x00000001
    2102 “Enable”=0x00000000
    “Disable”=0x00000003
    2200 “Enable”=0x00000000
    “Disable”=0x00000003
    2201 “Enable”=0x00000000
    “Disable”=0x00000003
    2300 “Enable”=0x00000000
    “Disable”=0x00000003
    “Prompt”=0x00000001
    Key for numeric translation of URL policy settings
    Value DWORD Setting
    0 0x00000000 Enable
    1 0x00000001 Prompt
    3 0x00000003 Disable
    65536 0x00010000 High Safety
    131072 0x00020000 Medium Safety
    196608 0x00030000 Low Safety
    For descriptions for each of the URL policy settings, see”URL Action Flags” on the MSDN Web siteat
    http://go.microsoft.com/fwlink/?LinkId=32777.
    Default settings for each URL action in zones and templates
    Each URL action has a default that is set in each zoneand set when a specified templateis applied.The default settings for each
    zoneare described in thefollowing table.
    URL action default settings
    URL action numeric
    name
    Locked-Down Restricted
    zone
    Locked-Down Internet
    zone
    Locked-Down Intranet
    zone
    Locked-Down Trusted
    zone
    1001 3 1 1 0
    1004 3 3 3 3
    1200 3 3 3 3
    1201 3 3 3 3
    1400 3 3 3 3
    1402 3 0 0 0
    1405 3 0 0 0
    1406 3 3 1 0
    1407 3 0 0 0
    1601 1 1 0 0
    1604 1 0 0 0
    1606 3 0 0 0
    1607 3 0 0 0
    1608 3 0 0 0
    1609 1 1 1 1
    1800 3 1 1 0
    1802 1 0 0 0
    1803 3 0 0 0
    1804 3 1 1 0
    1809 0 0 3 3
    1A00 65536 131072 131072 0
    1A04 3 3 3 3
    1C00 0 0 0 0
    1E05 65536 131072 131072 196608
    2000 3 65536 65536 65536
    2001 3 3 3 3
    2004 3 3 3 3
    2100 3 3 3 3
    2101 3 3 3 3
    2102 3 3 3 3
    2200 3 3 3 3
    2201 3 3 3 3
    2300 3 1 1 1
    Group Policy Settings Paths
    These paths locatetheavailable Advanced settings in the Group Policy Management Console:
    HKEY_LOCAL_MACHINE policies for Advanced settings:
    \Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control
    Panel\Advanced Page
    HKEY_CURRENT_USER policies for Advanced settings:
    \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control
    Panel\Advanced Page
    These paths locatethesecurity zonesettings in the Group Policy Management Console:
    HKEY_LOCAL_MACHINE policies by security zonefor URL actions:
    \Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control
    Panel\Security Page
    HKEY_CURRENT_USER policies by security zonefor URL actions:
    \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control
    Panel\Security Page
    These paths locatethe Advanced settings in policy and in preferencein the Windows registry (in either
    HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER):
    Advanced setting
    UI
    Preference key name Policy key name
    Install on Demand
    (InternetExplorer)
    HKCU \Software\Microsoft\InternetExplorer\Main
    \NoJITSetup
    Software\Policies\Microsoft\Internet
    Explorer\Main\NoJITSetup
    Install on Demand
    (Other)
    HKCU\Software\Microsoft\InternetExplorer\Main
    \NoWebJITSetup
    Software\Policies\Microsoft\Internet
    Explorer\Main\NoWebJITSetup
    Third-party Browser
    Extensions
    HKCU\Software\Microsoft\Internet
    Explorer\Main\Enable Browser Extensions
    Software\Policies \Microsoft\Internet
    Explorer\Main\Enable Browser Extensions
    Automatically check
    for IE Updates
    HKCU\Software\Microsoft\InternetExplorer\Main
    \NoUpdateCheck
    Software\Policies \Microsoft\InternetExplorer\Main
    \NoUpdateCheck
    Play Animations in
    Web Pages
    HKCU\Software\Microsoft\InternetExplorer\Main
    \Play_Animations
    Software\Policies \Microsoft\InternetExplorer\Main
    \Play_Animations
    Play Sounds in Web
    Pages
    HKCU\Software\Microsoft\InternetExplorer\Main
    \Play_Background_Sounds
    Software\Policies \Microsoft\InternetExplorer\Main
    \Play_Background_Sounds
    Play Videos in Web
    Pages
    HKCU\Software\Microsoft\Internet
    Explorer\Main\Display Inline Videos
    Software\Policies \Microsoft\Internet
    Explorer\Main\Display Inline Videos
    Allow softwareto run
    or install even if the
    signatureis invalid
    HKCU\Software\Microsoft\Internet
    Explorer\Download \RunInvalidSignatures
    Software\Policies \Microsoft\Internet
    Explorer\Download \RunInvalidSignatures
    Allow activecontent
    from CDs to run on
    user machines
    HKCU\Software\Microsoft\InternetExplorer\Main
    \FeatureControl
    \FEATURE_LOCALMACHINE_LOCKDOWN
    \Settings \LocalMachine_CD_Unlock
    \Software\Policies \Microsoft\Internet
    Explorer\Main \FeatureControl
    \FEATURE_LOCALMACHINE_LOCKDOWN \Settings
    \LocalMachine_CD_Unlock
    Check for Server
    Certificate Revocation
    HKCU\Software\Microsoft\Internet
    Explorer\Download \CertificateRevocation
    Software\Policies \Microsoft\Windows
    \CurrentVersion \InternetSettings
    \CertificateRevocation
    Check for Signatures
    on Downloaded
    Programs
    HKCU\Software\Microsoft\InternetExplorer\Main\
    CheckExeSignatures
    Software\Policies \Microsoft\Internet
    Explorer\Main\ CheckExeSignatures
    Do NotSave
    Encrypted Pages to
    Disk
    HKCU\Software\Microsoft\Windows
    \CurrentVersion \InternetSettings
    \DisableCachingOfSSLPages
    Software\Policies \Microsoft\Windows
    \CurrentVersion \InternetSettings
    \DisableCachingOfSSLPages
    Empty Temporary
    InternetFiles Folder
    When Browser is
    Closed
    HKCU\Software\Microsoft\Internet
    Explorer\Cache\Persistent
    Software\Policies \Microsoft\Windows
    \CurrentVersion \InternetSettings\Cache\Persistent
    These paths locatethesecurity zonesettings in policy and in preferencein the Windows registry (in either
    HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER):
    Location of Locked-Down Intranet zone policy values:
    Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
    Location of Locked-Down Trusted Sites policy:
    Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
    Location of Locked-Down Internet zone policy values:
    Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
    Location of Locked-Down Restricted Sites policy values:
    Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
    Location of Locked-Down Intranet zonetemplate:
    Software\Policies\Microsoft\Windows\CurrentVersion\Intranet Lockdown Settings
    Location of Locked-Down Trusted Sites template:
    Software\Policies\Microsoft\Windows\CurrentVersion\Trusted Sites Lockdown Settings
    Location of Locked-Down Internet zonetemplate:
    Software\Policies\Microsoft\Windows\CurrentVersion\Internet Lockdown Settings
    Location of Locked-Down Restricted Sites template:
    Software\Policies\Microsoft\Windows\CurrentVersion\Restricted Sites Lockdown Settings
    Configuring policies and preferences
    Group Policy is therecommended tool for managing InternetExplorer for client computers on a corporate network. Internet
    Explorer supports Group Policy management for all new InternetExplorer Feature Controls in Windows Server 2003 Service
    Pack 1,and for Security pagesettings or URL actions. Administrators of Group Policy can managethese new policy settings in
    the AdministrativeTemplates extension of the Group Policy Management Console.
    When implementing policy settings, it is recommended thatyou configuretemplate policy settings in one Group Policy object
    (GPO) and configureany related individual policy settings in a separate GPO. You can then use Group Policy management
    features (for example, precedence, inheritance, or enforce) to apply individual settings to specific client computers.
    Policies can beread by users but can only bechanged by via Group Policy management or by an administrator. Preference
    settings can bechanged programmatically, by editing theregistry, or in thecase of URL actions, by using InternetExplorer.
    Settings specified by Group Policy take precedence over settings specified using preferences.
    Why is this change important?
    By adding the new Advanced setting policies and Locked-Down security policies to Group Policy,administrators can manage
    thesetrue policies to establish standard settings for all thecomputers that they configure.Theadministrator can control these
    settings in such a way that they cannot bechanged except through Group Policy or by a user with administrator privileges,
    thus ensuring that security and certain Advanced settings are not set by end users.
    Do I need to change my code to work with Windows Server 2003 Service Pack 1?
    Windows Server 2003 Service Pack 1 adds new policies to Group Policy but does not change how policies are managed.
    Developers need to beaware of how each Feature Control and URL action setting or setting combination affects securityrelated
    behavior for their applications in each security zone.
    For greater security, theadministrator should enable policies for all zones, so that thereis a known configuration set by policy
    rather than an unknown setting read from HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER preferencesettings not set by
    policy. If theadministrator sets policies for all zones, werecommend that the policy to disablethe Security page beenabled,
    which will makethe user interfacein InternetExplorer unavailable.
    Feature Control Policies
    Theadministrator should also understand theFeature Control policy settings.Some of the URL action settings will not bevalid
    unless thecorresponding Feature Control policy is enabled. InternetExplorer checks to see whether thefeatureis enabled,and
    if it is, then looks for thesetting for theaction based on thesecurity zone of the URL.
    Zone Map Policies
    The method for adding Zone Map keys to policy is as follows:
    1. To set computer policy, go to \Computer Configuration\AdministrativeTemplates\Windows Components\Internet
    Explorer\Internet Control Panel\Security Page within Group Policy.To set user policy, go to \User
    Configuration\AdministrativeTemplates\Windows Components\InternetExplorer\Internet Control Panel\Security Page
    within Group Policy.
    2. Select the Site to Zone AssignmentList policy.
    3. SelectEnabled and click Show…
    4. For each siteyou would liketo map:
    a. Click Add…
    b. Enter the name, IP address, or IP range of thesiteyou want to map (for example, http://www.contoso.com,
    http://www.contoso.com, 127.0.0.1, 127.0.0.1-10)
    c. Enter thevalueidentifying thezoneto which this siteshould be mapped.Thechoices are(1) Intranet zone, (2)
    Trusted Sites zone, (3) Internet zone, (4) Restricted Sites zone.
    d. Click OK.
    e. Thesite nameand valueshould appear in thelist.
    5. Click OK in the Show Contents window.
    6. Click OK again to closethe Site to Zone AssignmentList Properties window.
    Note
    Policies created by following theseinstructions areignored by computers with the Windows Server 2003 Internet
    Explorer Enhanced Security Configuration component installed.To set zone map policy on a computer with Windows
    Server 2003 InternetExplorer Enhanced Security Configuration component installed, usetheInternetExplorer
    Maintenance(IEM) snap-in to Group Policy.When using theIEM to createa Group Policy object to apply to a computer
    with the Windows Server 2003 InternetExplorer Enhanced Security Configuration component installed,you must be
    using a computer with the Windows Server 2003 InternetExplorer Enhanced Security Configuration component
    installed.
    Note
    For moreinformation about using Group Policy, see”Implementing Registry-based Group Policy” on the Microsoft Web site
    at http://go.microsoft.com/fwlink/?LinkId=28188.For moreinformation about using InternetExplorer security zoneand
    privacy settings, see”Description of InternetExplorer Security Zones Registry Entries” on the Microsoft Knowledge Base Web
    siteat http://go.microsoft.com/fwlink/?LinkId=28195.

You must be logged in to reply to this topic.