Control Registry Settings with Security Zone Settings In IE: Windows Server 2003

IT Support Forum Forums Windows Windows Server 2003 R2 General Discussion Control Registry Settings with Security Zone Settings In IE: Windows Server 2003

Viewing 0 reply threads
  • Author
    • #2198

      The Microsoft Windows Server 2003 InternetExplorer Enhanced Security Configuration component (also known as
      Microsoft InternetExplorer hardening) reduces a server’s vulnerability to attacks from Web content by applying more
      restrictiveInternetExplorer security settings that disablescripts, ActiveX components,and file downloads for resources in the
      Internet security zone. As a result, many of thesecurity enhancements included in thelatest release of InternetExplorer will
      not beas noticeablein Windows Server 2003 Service Pack 1.For example, the new InternetExplorer Notification Bar and
      Pop-up Blocker features will not be used unless thesiteis in a zone whosesecurity setting allows scripting. If you are not
      using theenhanced security configuration on your server, thesefeatures will function as they do in Windows XP Service
      Pack 2.
      What do Feature Control Registry Settings and Security Zone Settings do?
      Feature Control registry settings are provided for InternetExplorer so thata specific process can beconfigured to opt-in to a
      particular security feature.Each security feature has a corresponding registry key thatyou can useto opt-in or opt-out of the
      security feature.
      When a process has been configured to usea security feature, thesecurity featureis running. Oncethefeatureis running,
      there might becorresponding security zonesettings that can beapplied for more precision.Somesecurity features do not
      haveadditional security zonesettings.
      In the Security Settings tab of Internet Options, the user can adjust thesesettings for many of the new featurecontrols. If
      you selectEnable, it lowers thesecurity settings and allows the behavior to run less securely, or in thesame manner as it did
      in previous version of InternetExplorer.Thefeaturecontrol can beapplied again by setting thesecurity zonesetting to
      Disable, which blocks theless-secure behavior whilethefeaturecontrol is enabled for that process.
      Each of theFeature Controls is discussed in more detail in this document.For moreinformation about URL action settings and
      how they relateto security zones, see”About URL Security Zones Templates” on the Microsoft Web siteat
      Using security zonesettings for a feature provides additional precision in control for security features in InternetExplorer and
      can help manageapplication compatibility for organizational intranetapplications. A user or administrator can select different
      behaviors based on risk.
      Who does this feature apply to?
      Web application developers need to beawarethat theInternetExplorer security settings are dependent on thezonein which
      an application is run.Therefore,you should assign security zones carefully; this should bea part of your information security
      considerations.Thesecurity zones thatyou useshould also beconsidered when assessing application compatibility.
      Administrators of Group Policy may want to adjust the defaultvalues for each zoneto suit the particular environments in their
      Unless prevented by policies in Group Policy, users can managethevalues for thesesecurity zonesettings (or URL actions) for
      each zonethrough Internet Options in Control Panel. Notethat theLocal Machinezoneis notavailablethrough Control
      Panel.To access thesecurity settings for a zone,click Start,click Control Panel,click Internet Options,click the Security tab,
      click a Web security zone,and then click Custom Level.
      What new functionality is added to this feature in Windows Server 2003 Service Pack 1?
      Feature control registry settings
      Detailed description
      Windows Server 2003 Service Pack 1 introduces new featurecontrol registry settings.
      For many of thesefeatures, when theregistry setting is on, users can configurethesecurity settings (also known as URL action
      flags) to finetunethefeaturecontrol in each individual security zone
      If you chooseEnable as theaction to takefor an InternetExplorer featurecontrol, thezoneis secured as it was for the previous
      version of InternetExplorer. Relevant security control features will notapply in this zone; thesecurity zone will run without the
      added layer of security provided by this feature.
      If you chooseto disablethesecurity zonesetting, theactions that may be harmful cannot run; this InternetExplorer security
      feature will beturned on in this zone,as dictated by thefeaturecontrol setting for the process.
      Security settings are often applied to a zone by a URL security zonetemplate.The defaultvalues for thesecurity settings and
      thesettings by zonetemplatearelisted in thesection InternetExplorer URL Action and Advanced Security Settings in Group
      Why is this change important? What threats does it help mitigate?
      As originally envisioned,each featurecontrol setting would either be on or off for all security zones. Customer feedback
      indicated that more precisetuning with thesettings was necessary for somefeatures.For example, theinternal workflow of
      some organizations depends on intranetapplications. A featurecontrol that protects users in theInternet zone may causean
      intranetapplication to stop working. Because of this, Microsoft has incorporated theability to control many security settings by
      What works differently?
      Adding security settings by zone provides moreflexibility in applying the new security features.This flexibility will providea
      more manageableimplementation of this new security feature, particularly in intranet scenarios.
      How do I resolve these issues?
      If thefeaturecontrol setting is suspected of causing problems for an application,changing thefeaturecontrol setting in the
      zone wheretheapplication is running to Enable allows theadministrator or user to return to the previous behavior in that
      zonefor that specific feature while maintaining the moresecure behavior in other security zones.For somesecurity settings,
      additional configuration options such as Promptand Admin-approved areavailable,as well as Enable and Disable.
      Do I need to change my code to work with Windows Server 2003 Service Pack 1?
      If thecode uses the default URLmon security manager, the developer must call CoInternetIsFeatureEnabledForURL to check
      thesecurity settings for a particular zone.

Viewing 0 reply threads
  • You must be logged in to reply to this topic.