| Internet Explorer security zones settings Effects of Internet Explorer Enhanced Security Configuration on security zones Managing Internet Explorer Enhanced Security Configuration Turning off Internet Explorer Enhanced Security Configuration Browser security best practices |
Internet Explorer Enhanced Security Configuration places your server and Internet Explorer in a configuration that decreases the exposure of your server to potential attacks that can occur through web content and application scripts. As a result, some web sites might not display or perform as expected. Review the following topics for more information about the settings used in this configuration.
Internet Explorer security zones settings
In Internet Explorer, you can configure security settings for several built-in security zones: the Internet zone, the Local intranet zone, the Trusted sites zone, and the Restricted sites zone. Internet Explorer Enhanced Security Configuration assigns security levels to these zones as follows:
-
For the Internet zone, the security level is set to High.
-
For the Trusted sites zone, the security level is set to Medium, which allows browsing of many Internet sites.
-
For the Local intranet zone, the security level is set to Medium-low, which allows your user credentials (user name and password) to be sent automatically to sites and applications that need them.
-
For the Restricted sites zone, the security level is set to High.
-
All Internet and intranet sites are assigned to the Internet zone by default. Intranet sites are not part of the Local intranet zone unless you explicitly add them to this zone.
Top of page Effects of Internet Explorer Enhanced Security Configuration on security zones
Internet Explorer Enhanced Security Configuration adjusts the security levels for the existing security zones. The following table describes how each zone is affected.
|
Security zone
|
Default security level
|
Result
|
|
Internet
|
High
|
All web sites are assigned to this zone by default. Web pages might not display as expected, and applications that require the web browser might not work correctly because scripts, ActiveX controls, and file downloads have been disabled. If you trust an Internet web site, you can add that site to the Trusted sites zone.
|
|
Trusted sites
|
Medium
|
This zone is for the Internet sites whose content you trust.
|
|
Local intranet
|
Medium-Low
|
When visiting web sites on your organization's intranet, you might be repeatedly prompted for credentials (your user name and password) because the Enhanced Security Configuration disables the automatic detection of intranet web sites. To automatically send credentials to selected intranet sites, add those sites to the Local intranet zone. Additionally, access to scripts, executable files, and other files in a shared folder are restricted unless the shared folder is added to this zone.
| Caution | |
Do not add Internet web sites to the Local intranet zone, because your credentials are sent automatically to the web site upon request.
|
|
|
Restricted sites
|
High
|
This zone contains sites that are not trusted, such as sites that might damage your computer or data if you attempt to download or run files from them.
|
In addition to raising the default security level of each zone, the Enhanced Security Configuration also adjusts Internet extensibility and security settings to further reduce exposure to possible future security threats. These settings can be found on the Advanced tab of the Internet Options dialog box. The following table describes the options that are in effect when the Enhanced Security Configuration is enabled.
|
Setting Name
|
Default
|
Description
|
|
Enable third-party browser extensions
|
Off
|
Disables Internet Explorer add-ons that might have been created by companies other than Microsoft.
|
|
Play sounds in web pages
|
Off
|
Disables music and other sounds.
|
|
Play animations in web pages
|
Off
|
Disables animations.
|
|
Check for publisher’s certificate revocation
|
On
|
Automatically checks a publisher’s certificate to see whether it has been revoked before accepting it as valid.
|
|
Check for server certificate revocation
|
On
|
Automatically checks a web site's certificate to determine if the certificate has been revoked.
|
|
Check for signatures on downloaded programs
|
On
|
Automatically checks that all programs downloaded have a valid digital signature.
|
|
Do not save encrypted pages to disk
|
On
|
Disables saving encrypted information in the Temporary Internet Files folder.
|
|
Empty Temporary Internet Files folder when browser is closed
|
On
|
Automatically clears the Temporary Internet Files folder when Internet Explorer is closed.
|
|
Enable DOM storage
|
On
|
Enables web sites to store information about your browsing session using the Document Object Model (DOM).
|
|
Enable Integrated Windows Authentication
|
On
|
Requires the use of the “Negotiate” authentication protocol to respond to authentication requests from web servers. Negotiate allows for the use of either Kerberos (preferred) or NTLM for authentication.
|
|
Use SSL 3.0
|
On
|
Enables the use of the SSL 3.0 protocol for communicating with a web site that supports encrypted communications.
|
|
Use TLS 1.0
|
On
|
Enables the use of TLS 1.0 protocol for communicating with a web site that supports encrypted communications.
|
|
Warn about certificate address mismatch
|
On
|
Automatically compares the address in the security certificate with the web site's address and displays a warning if the two addresses do not match before loading the web site.
|
|
Warn if POST submittal is redirected to a zone that does not permit posts
|
On
|
Displays a warning when you submit information into a form on a web site that is redirected to an address that is different from the one that is hosting the form. This helps prevent your information or browser from being redirected to a non-secure site.
|
To assist you in getting to necessary resources on the internet with the Enhanced Security Configuration enabled, the following sites and locations are trusted by default:
-
The Microsoft Update web site is added to the Trusted sites zone. This allows you to continue to get important updates for your operating system.
-
The Windows error reporting site is added to the Trusted sites zone. This allows you to report problems encountered with your operating system and search for fixes.
-
The Microsoft TechNet and MSDN sites are added to the Trusted sites zone. This allows you to research information in online articles and other technical topics.
-
The Microsoft redirection site “go.microsoft.com” is added to the Trusted sites zone. This allows you to be connected to the most current versions of Microsoft online content.
-
Several local computer sites (such as http://localhost, https://localhost, and hcp://system) are added to the Local intranet zone. This allows applications and code to work locally so that you can complete common administrative tasks.
-
The privacy level is set to Medium for the Trusted sites zone. You can make the privacy setting more restrictive by blocking specific sites, preventing location awareness, and blocking cookies from specific sites.
Top of page Managing Internet Explorer Enhanced Security Configuration
Internet Explorer Enhanced Security Configuration is designed to reduce your server's exposure to security threats. To ensure that you get the most benefit from Enhanced Security Configuration, consider these browser management recommendations:
-
All Internet and intranet sites are assigned to the Internet zone by default. If you trust an Internet or intranet site and need it to be functional, add the Internet site to the Trusted sites zone, and add the intranet site to the Local intranet zone.
-
If you want to run a browser-based client application over the Internet, you should add the web page that hosts the application to the Trusted sites zone.
-
If you want to run a browser-based client application over a protected and secure local intranet, you should add the web page that hosts the application to the Local intranet zone.
-
Add internal sites and local servers to the Local intranet zone to make sure you have access to, and can run, applications from your servers.
-
Use unattend.txt to add intranet sites and UNC servers to the Local intranet zone inclusion list as part of the installation process.
-
Use client computers to download drivers, service packs, and other updates. Avoid any browsing from servers.
-
If you use disk imaging to install operating systems on your servers, add the intranet sites and UNC servers you trust to the Local intranet zone, and add the Internet sites that you trust to the Trusted sites zone on the base image. You can then change the list on images for different server types and needs.
The following procedures describe how to add site to the Trusted sites and the Local intranet zone:
| Add sites to the Trusted sites zone |
-
Navigate to the site that you want to add. Click the Tools icon and then select Internet options.
-
Click the Security tab.
-
Click Trusted sites and then click Sites.
-
In the Trusted sites dialog box, click Add to add the site to the list, and then click Close.
-
Refresh the page to view the site from its new zone.
| Note |
-
A web page can be part of only one zone at a time. You cannot add a page to both the Trusted sites zone and the Local intranet zone.
-
Internet Explorer maintains two different lists of sites for the Trusted sites zone. One list is in effect when Enhanced Security Configuration is enabled, and a separate list is in effect when Enhanced Security Configuration is disabled. When you add a web page to the Trusted sites zone, you are adding it only to the list that is currently in effect.
-
When you add a web page to the Trusted sites zone, you are adding the domain for that page. Therefore, all pages within that domain are also added. Many Internet sites use more than one domain to host their content. You may have to add several domains to the Trusted sites zone to have full functionality for one site. For example, if you add http://www.microsoft.com/windows/ to your Trusted sites zone, you are adding http://www.microsoft.com. If you then want to view the Support site, you will have to add http://support.microsoft.com separately, because the Support site is a separate domain.
-
You can use wildcard characters to add all subdomains for a given domain. For example, you can add *.microsoft.com to the list, which adds both www.microsoft.com and support.microsoft.com.
|
| Add sites to the Local intranet zone |
-
Navigate to the site that you want to add. Click the Tools icon and then select Internet options.
-
Click the Security tab.
-
Click Local intranet and then click Sites.
-
In the Local intranet dialog box, click Add to add the site to the list, and then click Close.
-
Refresh the page to view the site from its new zone.
| Note |
-
Do not add Internet sites to the Local intranet zone because your credentials are sent automatically to the site if they are requested.
-
A web page can be part of only one zone at a time. You cannot add a page to both the Trusted sites zone and the Local intranet zone.
-
Internet Explorer maintains two different lists of sites for the Local intranet zone. One list is in effect when Enhanced Security Configuration is enabled, and a separate list is in effect when Enhanced Security Configuration is disabled. When you add a web page to the Local intranet zone, you are adding it only to the list that is currently in effect.
-
Enhanced Security Configuration also restricts access to scripts, executable files, and other potentially unsafe files on a UNC path unless it is added to the Local intranet zone explicitly. For example, if you want to access \\server\share\setup.exe, you must add \\server to the Local intranet zone.
|
Top of page Turning off Internet Explorer Enhanced Security Configuration
Keeping the Internet Explorer Enhanced Security Configuration enabled on your servers is recommended to help ensure that your servers are not inadvertently exposed to malware or other browser-based attacks. However, in some environments you might wish to turn off the Internet Explorer Enhanced Security Configuration protections to enable easier browsing for administrators or standard users.
| To turn off Internet Explorer Enhanced Security Configuration |
-
Close any Internet Explorer browser windows that you might have open.
-
Open Server Manager
-
If your server is running Windows Server® 2008 R2, in the Security Information section of Server Summary, click Configure IE ESC to open the Internet Explorer Enhanced Security Configuration dialog.
If your server is running Windows Server® 2012, click Configure this local server to open the Local Server configuration page. Then, in the Properties area, next to IE Enhanced Security Configuration, click On to open the Internet Explorer Enhanced Security Configuration dialog.
-
To allow members of the local Administrators group to use Internet Explorer in its default client configuration, under Administrators click Off.
To allow members of all other groups to use Internet Explorer in its default client configuration, under Users click Off.
| Note | |
Once the Internet Explorer Enhanced Configuration is turned off for one set of users, Server Manager will display Off next to Internet Explorer Enhanced Security Configuration.
|
-
Click OK to apply your changes.
Top of page Browser security best practices
Using servers for Internet browsing does not adhere to sound security practices because Internet browsing increases the exposure of your server to potential security attacks. Regardless of the browser you use, you should restrict browsing on your server.
To reduce the risk to your server of potential attacks from malicious web-based content:
-
Do not use servers for browsing general web content.
-
Use client computers to download drivers, service packs, and other updates.
-
Do not view web sites you cannot confirm are secure.
-
Use a limited user account instead of an administrator account for general web browsing.
-
Use Group Policy settings to keep unauthorized users from making inappropriate changes to browser security settings.
Top of page |
