Tightening Up Internet Explorer Security

If you want a real lockdown, there are precautions you can take. But they may be more trouble than they're worth. Doing it right requires Windows Server 2003 and the new "Internet Explorer Enhanced Security Configuration."

Discuss this column in our forum.

It took many years of browser development before we started fearing browsers. Until about version 4 of Netscape and IE, the only talk of security was theoretical and usually unrealistic, such as whether Java or ActiveX were big holes, when neither has turned out to be. The real holes have turned out to be elsewhere.

Since last week's AOL-Microsoft settlement seems to spell doom for the vestigial bump that is Netscape, Internet Explorer's role as the only browser that matters is further cemented. You can still use other browsers if you want (Mozilla, Opera, etc.), but sometimes you just have to use IE, and then it's a matter of taking proper precautions.

Precautions have gotten far more serious in Windows Server 2003. One of the less-noticed changes in that product is that the use of IE on it has been severely restricted. This configuration is called Internet Explorer Enhanced Security Configuration (let's call it ESC), and it applies to browsing from the server console itself, not to clients of the server (with one caveat having to do with Terminal Services, described below). If IE is ever a vector for an attack on Windows Server 2003, it will likely be because the administrator opened up the facility.

So what exactly does ESC do? Much of it employs Internet Zones, a feature of IE that goes back, I think, to the Truman administration, but which isn't appreciated by many users. Zones let you say which features web sites can use by default, and provide for a whitelist and a kind of blacklist. The two main zones are the Internet Zone and the Local Intranet Zone. The Internet Zone is for all sites not specifically placed in another zone. The Local Intranet Zone contains sites accessed by UNC paths (like "\\server\share\windows\cmd.exe") and, normally, hosts addressed by undotted names or reached without going through the proxy. Then there are Trusted Sites and Restricted Sites. When you put a site in Trusted Sites it faces very few restrictions. When a site is in Restricted Sites, IE will let it do very little other than display HTML.

When ESC is active, the default settings for these zones change from normal to conservative, and I mean "Pat Buchanan is a bleeding-heart liberal" conservative. The Internet Zone goes to the High security level: scripts and ActiveX controls don't work, which means a lot of what administrators do won't work. Browser Helper Objects and other third-party browser extensions are disallowed. Multimedia content is generally blocked. The browser automatically checks server certificates for revocation. Encrypted (HTTPS) pages are never saved to disk, and the browser cache is always emptied when the browser shuts.

And it's not just what is obviously IE; these same rules apply to any application that hosts the WebBrowser control. It's likely that administrators will run into problems under these restrictions, so there is a separate set of trusted sites called the ESC Trusted Sites list and an API for application developers to use to write themselves into it. So when you install a new MMC-based administrative application, for example, the install program can add itself to this list. Still, there can be unexpected problems. Office applications sometimes use data access pages with ActiveX controls, and these will be blocked. Also, while the Windows Update site is automatically put in the Trusted Sites list, the same is not true of Office Update.
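As an added example that is not part of this column, the following PowerShell script shows the three things an administrator usually wants to check or change here: whether ESC is turned on for the Administrators and Users groups, what per-zone settings are actually in effect (the High level and the disabled script and ActiveX actions described above), and how to put a host into the ESC Trusted Sites list without loosening the regular Internet Zone. It assumes a Windows Server host with ESC present (Windows Server 2003 and later keep ESC state and the ESC zone map in the same registry locations); the host name admin.corp.example and the function names are placeholders of mine, not anything from Microsoft's documentation.

```powershell
# Added example, not from the column: inspect and adjust Internet Explorer
# Enhanced Security Configuration (ESC) from a PowerShell prompt.
# Assumes a Windows Server host where ESC is present; 'admin.corp.example'
# is a placeholder host name.

# ESC is recorded as two Active Setup components, one per group.
# IsInstalled = 1 means ESC is on for that group.
$EscComponents = @{
    Administrators = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
    Users          = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
}

function Get-IEEscState {
    foreach ($group in $EscComponents.Keys) {
        $v = Get-ItemProperty -Path $EscComponents[$group] -Name IsInstalled -ErrorAction SilentlyContinue
        [pscustomobject]@{ Group = $group; EscEnabled = ($v.IsInstalled -eq 1) }
    }
}

# Per-zone settings for the current user.  Zone ids: 1 = Local Intranet,
# 2 = Trusted Sites, 3 = Internet, 4 = Restricted Sites.  CurrentLevel 0x12000
# is "High", which is what ESC applies to the Internet zone.  Individual URL
# actions are DWORDs named by action id: 0 = enable, 1 = prompt, 3 = disable.
$ZoneNames = @{ 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$ZoneRoot  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

function ConvertFrom-UrlAction([int]$Value) {
    switch ($Value) { 0 { 'enable' } 1 { 'prompt' } 3 { 'disable' } default { "unknown($Value)" } }
}

function Get-IEZoneSummary {
    foreach ($id in 1..4) {
        $z = Get-ItemProperty -Path "$ZoneRoot\$id"
        [pscustomobject]@{
            Zone            = $ZoneNames[$id]
            CurrentLevel    = ('0x{0:X}' -f $z.CurrentLevel)
            ActiveX         = ConvertFrom-UrlAction $z.'1200'   # run ActiveX controls and plug-ins
            ActiveScripting = ConvertFrom-UrlAction $z.'1400'   # active scripting
        }
    }
}

# With ESC on, IE keeps the Trusted Sites list under ZoneMap\EscDomains rather
# than ZoneMap\Domains: a key per domain, a subkey per host, and a DWORD named
# for the scheme whose value is the zone id (2 = Trusted Sites).  Registering
# only the https scheme means a plain-http impostor using the same name does
# not inherit the relaxed zone.
function Add-IEEscTrustedSite {
    param([Parameter(Mandatory)][string]$HostName, [string]$Scheme = 'https')
    $labels = $HostName.Split('.')
    if ($labels.Count -lt 2) { throw "Use a fully qualified host name, got '$HostName'" }
    $domain = ($labels[-2..-1]) -join '.'
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\$domain"
    if ($labels.Count -gt 2) { $key = "$key\" + (($labels[0..($labels.Count - 3)]) -join '.') }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $Scheme -PropertyType DWord -Value 2 -Force | Out-Null
    Get-ItemProperty -Path $key | Select-Object PSPath, $Scheme
}

Get-IEEscState    | Format-Table -AutoSize
Get-IEZoneSummary | Format-Table -AutoSize
Add-IEEscTrustedSite -HostName 'admin.corp.example'   # placeholder host
```

Run it as the account that will do the browsing, since the zone map lives under HKCU. The point of the last function is the one the column makes: when a management console needs scripting, put that one host into the ESC trusted list rather than turning ESC off or lowering the Internet Zone for everything.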

Of course, this is for a server. Could it be that this portends a default restriction on browser usage in future versions of desktop Windows? Not likely. These restrictions are severe and would make normal day-to-day browsing of the type Microsoft itself has been pushing difficult. Quite a bit of microsoft.com would be inaccessible under ESC.

I mentioned above that there is an exception to these rules for Terminal Services, and there ought to be, since they would make browsing difficult for Terminal Services users. The rules for when ESC applies to various classes of users under Terminal Services are complex. For example, the rules change depending on whether Terminal Server was installed manually or through an unattended install. See this TechNet article and this knowledge base article for more on it.

This all follows the general philosophical approach of Windows Server 2003, which is that facilities are locked down unless the administrator chooses to open them up. Many observers have been arguing for this for years, and I guess it's fair to say that the default opening of services is the major failure of Windows 2000. But I'm still curious to see how administrators react to this approach, since it forces them to make a lot of important decisions. In the past Microsoft made these decisions for you and (perhaps naively) made a lot of them badly.

Microsoft has put out copious literature on ESC and the administration of it. There is an article on TechNet that describes the changes in settings under various circumstances. There is also a much more detailed document for administrators that includes scripts for the management of large networks.

Security Supersite Editor Larry Seltzer has worked in and written about the computer industry since 1983.
