Internet Explorer Feature Control Settings in Group Policy in Windows Server 2003


  • Author
    Posts
    • #2197
      Webmaster
      Keymaster

      The Microsoft Windows Server 2003 Internet Explorer Enhanced Security Configuration component (also known as
      Microsoft Internet Explorer hardening) reduces a server’s vulnerability to attacks from Web content by applying more
      restrictive Internet Explorer security settings that disable scripts, ActiveX components, and file downloads for resources in the
      Internet security zone. As a result, many of the security enhancements included in the latest release of Internet Explorer will
      not be as noticeable in Windows Server 2003 Service Pack 1. For example, the new Internet Explorer Notification Bar and
      Pop-up Blocker features will not be used unless the site is in a zone whose security setting allows scripting. If you are not
      using the enhanced security configuration on your server, these features will function as they do in Windows XP Service
      Pack 2.
      What does Internet Explorer Feature Control Settings in Group Policy do?
      Windows XP Service Pack 2 introduced new registry keys and values for Internet Explorer security features called Feature
      Controls. These security features have been incorporated in Windows Server 2003 Service Pack 1. The specific behavior of the
      feature control registry settings is discussed with each security feature throughout this section.
      A modified Inetres.adm file contains the feature control settings as policies. Administrators can manage the feature control
      policies by using Group Policy objects (GPOs). When Internet Explorer is installed, the default preferences settings for these
      feature controls are registered on the computer in HKEY_LOCAL_MACHINE. In Group Policy, the Administrator can set them in
      either HKEY_LOCAL_MACHINE (Computer Configuration) or HKEY_CURRENT_USER (User Configuration).
      Who does this feature apply to?
      Group Policy administrators can uniformly configure the Internet Explorer Feature Control settings for the computers and
      users that they manage.
      What existing functionality is changing in Windows Server 2003 Service Pack 1?
      Group Policy Internet Explorer settings
      Detailed description
      The new feature control policies are:
      Binary Behavior Security Restriction
      MK Protocol Security Restriction
      Local Machine Zone Lockdown Security
      Consistent MIME Handling
      MIME Sniffing Safety Feature
      Object Caching Protection
      Scripted Window Security Restrictions
      Protection from Zone Elevation
      Information Bar
      Restrict ActiveX Install
      Restrict File Download
      Add-on Management
      Network Protocol Lockdown
      In the Group Policy Management Console, the local computer policies for Feature Controls are in \Computer
      Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features.
      The current user policies for Feature Controls are in \User Configuration\Administrative Templates\Windows
      Components\Internet Explorer\Security Features.
      The policy for the feature needs to be enabled for the process (for example, IExplore.exe) before the zones’ individual
      security setting policies or preferences will be applied. For more about the behavior of Feature Controls keys and setting them
      for a process, see the section on each feature and the section Internet Explorer Using Feature Control Registry Settings with
      Security Zone Settings. For more information about specific security settings by zone, see Internet Explorer URL Action and
      Advanced Security Settings in Group Policy.
      Administrators of Group Policy can manage these new policies in the Administrative Templates extension to the Group Policy
      Management Console. When configuring these policies, the administrator can enable or disable the security feature for
      explorer processes (Internet Explorer and Windows Explorer), for executable processes that they defined, or for all processes
      that host the WebOC.
      Users cannot see the feature control policies or preference settings through the Internet Explorer user interface, except for
      Local Machine Zone Lockdown Security. Feature control policies can only be set using the Group Policy Management Console,
      and feature control preference settings can only be changed programmatically or by editing the registry.
      Configuring policies and preferences
      Group Policy is the recommended tool for managing Internet Explorer for client computers on a corporate network. Internet
      Explorer supports Group Policy management for the IE feature controls included in Windows XP Service Pack 2 and Windows
      Server 2003 Service Pack 1 as well as for Security page settings or URL actions. Administrators of Group Policy can manage
      these policy settings in the Administrative Templates extension of the Group Policy Management Console.
      When implementing policy settings, it is recommended to configure template policy settings in one Group Policy object (GPO)
      and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features
      (for example, precedence, inheritance, or enforce) to apply individual settings to specific client computers.
      Policies can be read by users but can only be changed by Group Policy management or by an administrator. Preference
      settings can be changed programmatically, by editing the registry, or in the case of URL actions and Local Machine Zone
      Lockdown Security, by using Internet Explorer. Note that settings that are associated with policies will take precedence over
      settings specified using Internet Explorer preferences.
      IEAK/IEM
      For operating systems prior to Windows XP SP2 and Windows Server 2003 SP1 and previous Internet Explorer versions,
      Internet Explorer Administration Kit (IEAK) 6 Service Pack 1 remains the recommended tool for solution providers and
      application developers to customize Internet Explorer for their end users. IEAK support and the IEAK/IEM process does not
      change for Internet Explorer versions prior to Windows XP Service Pack 2. The process also has not changed for using
      IEAK/IEM to set user setting preferences in Internet Explorer versions prior to and including Windows Server 2003 SP1. This
      includes the new Internet Explorer 6 in Windows XP Service Pack 2 and Windows Server 2003 SP1 preference settings.
      However, the true policy settings incorporated by this feature can only be managed within Group Policy. For more information
      about IEAK, see "Microsoft Internet Explorer 6 Administration Kit Service Pack 1" on the Microsoft Web site at
      http://go.microsoft.com/fwlink/?LinkId=26002.
      In summary, the IEAK can still be used as before for all Internet Explorer versions prior to Windows XP Service Pack 2, and is
      still the tool to use for branding in Windows XP Service Pack 2 and Windows Server 2003 SP1. IEM/IEAK can still be used to
      set user preference settings, but true policies should be set using the Group Policy Management Console.
      Frequently asked questions for existing users of the IEAK

      Question: I currently use the IEAK with a corporate license to configure Internet Explorer on desktop computers and I
      don’t have Active Directory in my organization. How can I configure Internet Explorer if the IEAK doesn’t work with
      Windows XP SP2 or Windows Server 2003 SP1?
      Answer: You can still use Group Policy to configure settings even if you don’t use Active Directory. You can use Group
      Policy to create a local Group Policy object (GPO) with your settings and then deploy that GPO. After you have configured
      your GPO for Internet Explorer, you can deploy it using your standard deployment methods. For example, you might use
      startup or logon scripts, Systems Management Server scripts, or you might send links to users in e-mail.

      Question: I currently use the IEAK with a corporate license to configure Internet Explorer on desktops and I don’t have
      Active Directory in my organization. What happens if I keep running my IEAK 6 SP1 packages against Windows XP SP2 or
      Windows Server 2003 SP1?
      Answer: If you install an IEAK 6 SP1 package on a computer running either Windows XP SP2 or Windows Server 2003 SP1,
      the settings from Internet Explorer 6 SP1 will be updated, but the security settings will not be configurable, since
      IEAK 6 SP1 wasn’t designed to deploy those settings.

      Question: I currently use the IEAK with an Internet service provider (ISP) license to brand Internet Explorer bits and
      set up connections for my ISP customers. Will my IEAK 6 SP1 packages still be able to apply settings on Windows XP SP2
      and Windows Server 2003 SP1?
      Answer: The branding settings in your ISP license IEAK 6 SP1 package should be applied correctly.

      Why is this change important?
      By adding the Internet Explorer Feature Controls policies to Group Policy, administrators can manage these true policies to
      establish standard security settings for all the computers that they configure.
      Do I need to change my code to work with Windows Server 2003 Service Pack 1?
      Internet Explorer in Windows Server 2003 SP1 adds policies to Group Policy but does not change how policies are managed.
      Developers need to be aware of how each feature control setting affects security-related behavior for their applications. The
      effects of the different security-related behaviors on application development are discussed within this document in the
      specific sections for each feature.
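
The post above says that policy settings take precedence over preference settings, that a feature must be enabled for a process before it applies, and that preferences (unlike policies) can be changed programmatically. The audit below is an added example, not code from the post or from Microsoft, and models those rules over an exported snapshot of settings. Assumptions: the `Setting` record layout, the `"*"` label for "all processes", preferring a per-process entry over `"*"`, and treating disagreeing HKLM/HKCU values as disabled are all choices of this model; the sample data is constructed.

```python
from collections import namedtuple

# One exported setting. source: "policy" or "preference"; hive: "HKLM" or "HKCU";
# process: executable name, or "*" (assumed label for "all processes").
Setting = namedtuple("Setting", "feature source hive process enabled")

def resolve(settings, feature, process):
    """Return (enabled, source, conflict) for one feature and process.

    Policy entries win over preference entries. Within a source, an entry for
    the named process is preferred to the "*" entry (assumption of this model).
    """
    for source in ("policy", "preference"):
        for scope in (process.lower(), "*"):
            hits = [s for s in settings
                    if (s.feature, s.source, s.process.lower()) == (feature, source, scope)]
            if hits:
                values = {s.enabled for s in hits}
                # Disagreeing hives are reported, and the audit conservatively
                # treats the feature as disabled (assumption of this model).
                return all(values), source, len(values) > 1
    return None, None, False

def audit(settings, features, process):
    """List (feature, finding) pairs a reviewer should look at."""
    findings = []
    for f in features:
        enabled, source, conflict = resolve(settings, f, process)
        if enabled is None:
            findings.append((f, "not configured"))
        elif not enabled:
            findings.append((f, f"disabled by {source}"))
        elif source == "preference":
            # Preferences can be changed programmatically, so this can drift.
            findings.append((f, "enabled by preference only"))
        if conflict:
            findings.append((f, f"HKLM/HKCU {source} values disagree"))
    return findings

# Constructed sample snapshot using four of the policy names listed in the post.
FEATURES = ["MIME Sniffing Safety Feature", "Protection from Zone Elevation",
            "Restrict File Download", "Object Caching Protection"]
SAMPLE = [
    Setting("MIME Sniffing Safety Feature", "policy", "HKLM", "iexplore.exe", True),
    Setting("MIME Sniffing Safety Feature", "preference", "HKCU", "iexplore.exe", False),
    Setting("Protection from Zone Elevation", "preference", "HKLM", "*", True),
    Setting("Restrict File Download", "policy", "HKLM", "*", True),
    Setting("Restrict File Download", "policy", "HKCU", "*", False),
]

if __name__ == "__main__":
    for feature, finding in audit(SAMPLE, FEATURES, "IExplore.exe"):
        print(f"{feature}: {finding}")
```
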
