Internet Explorer 7 and Resulting Internet Communication in Windows Server 2008
Applies To: Windows Server 2008
In This Section
Benefits and Purposes of Internet Explorer 7
Internet Explorer Enhanced Security Configuration
Examples of the Security-Related Features Offered in Internet Explorer 7
Resources for Learning About Topics Related to Security in Internet Explorer 7
Procedures for Controlling Internet Explorer in Windows Server 2008
Section Summary
This section provides information about:
The benefits of Microsoft Internet Explorer 7 in Windows Server 2008.
A description of Internet Explorer Enhanced Security Configuration, which is enabled by default when you install Windows Server 2008.
Examples of the security-related features offered in Internet Explorer 7.
Note that Phishing Filter, one of the security-related features in Internet Explorer 7, is described in Phishing Filter and Resulting Internet Communication in Windows Server 2008, later in this white paper.
Resources for learning about topics related to security in Internet Explorer 7. This includes resources that help you learn about:
Security and privacy settings in Internet Explorer 7.
Mitigating the risks inherent in Web-based applications and scripts.
Methods for controlling the configuration of Internet Explorer 7 in your organization by using Group Policy, the Internet Explorer Administration Kit (IEAK), or both.
Information about performing specific actions related to Internet Explorer 7 in Windows Server 2008. These actions include:
Specifying the Web browser, either during unattended installation or with the Default Programs interface.
Turning Internet Explorer Enhanced Security Configuration off and on.
Setting the security level to High for specific Web sites.
Note
This section of this white paper describes Internet Explorer 7, but it does not describe related features such as Content Advisor or the wizard for making a connection to the Internet. It also does not describe Windows Mail (which is an optional in the Desktop Experience in Windows Server 2008), Phishing Filter in Internet Explorer, or error reporting for Internet Explorer. For information about these features, see the following sections of this white paper:
Appendix L: Wizards in Windows Server 2008 Related to Connecting to the Internet
Phishing Filter and Resulting Internet Communication in Windows Server 2008
Windows Error Reporting and the Problem Reports and Solutions Feature in Windows Server 2008
It is beyond the scope of this white paper to describe all aspects of maintaining appropriate levels of security in an organization where users perform such actions as connecting to Web sites, running software from the Internet, or downloading items from the Internet. This section, however, provides overview information as well as suggestions for other sources of information about how to balance users’ requirements for Internet access with your organization’s requirements for protection of networked assets.
For more information about Internet Explorer, see the following resources:
Help for Internet Explorer (with Internet Explorer open, press F1)
The Internet Explorer page on the Microsoft Web site at:
The privacy statement for Internet Explorer 7. This privacy statement is on the Microsoft Web site at:
Benefits and Purposes of Internet Explorer 7
Internet Explorer 7 in Windows Server 2008 is designed to make it easy to browse and interact with sites on an intranet or on the Internet. It differs from many of the other features described in this white paper in that its main function is to communicate with sites on the Internet or an intranet (which contrasts with features that communicate with the Internet in the process of supporting another activity).
Internet Explorer 7 is also designed to be highly configurable, with security and privacy settings that can help protect your organization’s networked assets while at the same time providing access to useful information and tools. In addition, Internet Explorer Enhanced Security Configuration, which is enabled by default when you install Windows Server 2008, helps to make your computer more secure by limiting its exposure to malicious Web sites.
With this enhanced level of security, however, you might find that some Web sites are not displayed correctly in Internet Explorer when you are browsing from a server. Also, you might be prompted to enter your credentials when accessing network resources, such as files in shared folders with Universal Naming Convention (UNC) names. As an administrator, you can turn Internet Explorer Enhanced Security Configuration off and on.
Internet Explorer Enhanced Security Configuration
Internet Explorer Enhanced Security Configuration is turned on by default when you install Windows Server 2008. This configuration assigns specific levels of security settings to the four zones defined in Internet Explorer 7: the Internet zone, the Local intranet zone, the Trusted sites zone, and the Restricted sites zone. For example, it assigns High security settings to both the Internet zone and the Restricted sites zone. The configuration also contains a variety of other settings. These include specific settings such as whether the Temporary Internet Files folder is emptied when the browser is closed, and settings that determine which zone certain standard Web sites are added to (for example, the Windows Update Web site is added to the Trusted sites zone). As an administrator, you can turn Internet Explorer Enhanced Security Configuration off and on.
For more information about Internet Explorer Enhanced Security Configuration, on a server running Windows Server 2008, click Start, click Internet Explorer and then click a link that is displayed:
If Internet Explorer Enhanced Security Configuration is turned on, click Effects of Internet Explorer Enhanced Security Configuration.
If Internet Explorer Enhanced Security Configuration is turned off, click Internet Explorer Enhanced Security Configuration.
Examples of the Security-Related Features Offered in Internet Explorer 7
This subsection describes enhancements in some of the security-related features in Internet Explorer 7. Some of the features are added since Internet Explorer 6 and some have been continued from Internet Explorer 6.
Some of the security-related features that have been added since Internet Explorer 6 include:
Microsoft Phishing Filter: Internet Explorer 7 includes functionality to help protect against phishing Web sites that attempt to trick the person at the computer into revealing personally identifiable information. The Microsoft Phishing Filter is described in Phishing Filter and Resulting Internet Communication in Windows Server 2008.
Protected Mode: Internet Explorer Protected Mode helps reduce the severity of threats to both Internet Explorer and Internet Explorer add-ons by requiring user interaction for actions that would affect the operating system. Even if the user gives permission, Internet Explorer can affect only areas directly controlled by the user, meaning a more secure locked-down environment. This feature takes advantage of other operating system features, called the integrity mechanism and User Interface Privilege Isolation (UIPI). Protected Mode also includes compatibility features that allow most extensions to continue running with no changes and provide impacted extensions with clear alternative options.
For more information about Protected Mode, see the MSDN Web site at:
Secure Sockets Layer (SSL): Internet Explorer 7 makes it easier to see whether Web transactions are secured by SSL or Transport Layer Security (TLS). A security report icon appears to the right of the address bar when you view a page using a Hypertext Transfer Protocol Secure (HTTPS) connection. Clicking this icon displays a report describing the certificate used to encrypt the connection and the certification authority that issued the certificate. The security report also provides links to more detailed information. Internet Explorer 7 also supports High Assurance certificates, giving further guidance to users that they are, in fact, communicating with a verified organization. This verification will be granted by existing certification authorities and show up in the browser as a clear green fill in the address bar.
Microsoft ActiveX Opt-In: Internet Explorer 7 disables all ActiveX controls that were not used in Internet Explorer 6 and all ActiveX controls that are not flagged for use on the Internet. When users encounter an ActiveX control for the first time, they see a gold bar asking if they want to use the control. Users can then selectively allow or prevent running the control. Note that by default, the ActiveX opt-in does not apply to Intranet and Trusted Site zones; controls on those zones, including a short list of preapproved controls, run without prompting.
The following list names some of the security-related features that have been continued from Internet Explorer 6. Documentation for either Internet Explorer 6 or Internet Explorer 7 describes these features in more detail:
A Privacy tab that provides flexibility in blocking and allowing cookies based on the Web site that the cookie came from or the type of cookie. Types of cookies include first-party cookies, third-party cookies, and cookies that do not have a compact privacy policy.
Security settings that define "Security Zones" and for each zone, provide control over the way that Internet Explorer 7 handles higher-risk items such as ActiveX controls, downloads, and scripts.
Support for content-restricted inline floating frames (IFrames). This type of support enables developers to implement IFrames in a way that makes it more difficult for malicious authors to start e-mail-based or content-based attacks.
A configurable pop-up blocker that helps you control pop-ups.
An improved interface for managing add-ons (programs that extend the capabilities of the browser).
For more information about features available in Internet Explorer, see the information in the next subsection, as well as the Internet Explorer page on the Microsoft Web site at:
https://go.microsoft.com/fwlink/?LinkID=83152
Resources for Learning About Topics Related to Security in Internet Explorer 7
This subsection lists resources that can help you learn about the following topics related to security in Internet Explorer 7:
Security and privacy settings available in Internet Explorer 7
Methods for mitigating the risks inherent in Web-based programs and scripts
Ways to use Group Policy objects that control configuration settings for Internet Explorer 7
The Internet Explorer Administration Kit
In addition, for information about unattended installation, see the resources listed in Appendix A: Resources for Learning About Automated Installation and Deployment for Windows Server 2008.
Learning About Security and Privacy Settings in Internet Explorer 7
Some important sources of detailed information about the security and privacy settings in Internet Explorer 7 in Windows Server 2008 are as follows:
Documents about Internet Explorer 7, available at the Microsoft Web site at:
A technology overview for Internet Explorer 7. This overview provides information about Phishing Filter, Protected Mode, and other enhancements to security features, and is available at the Microsoft Web site at:
Articles about Protected Mode on the MSDN Web site at:
In addition, the privacy statement for Internet Explorer 7 includes information about some of the features in Internet Explorer 7. This privacy statement is on the Microsoft Web site at:
https://go.microsoft.com/fwlink/?LinkId=70681
Learning About Mitigating the Risks Inherent in Web-based Applications and Scripts
In a network-based and Internet-based environment, code can take a variety of forms including scripts within documents, scripts within e-mail messages, or applications or other code objects running within Web pages. This code can move across the Internet and is sometimes referred to as "mobile code." Configuration settings provide ways for you to control how Internet Explorer 7 responds when a user tries to run mobile code.
Two examples of the ways you can customize the Internet Explorer configuration deployed in your organization are as follows:
You can control the code (in ActiveX controls or in scripts, for instance) that users can run. Do this by customizing Authenticode® settings, which can, for example, prevent users from running any unsigned code or enable them to only run code signed by specific authors. For more information, see information about code signing on the Microsoft Web site at:
If you want to permit the use of ActiveX controls, but you do not want users to download code directly from the Internet, you can specify that when Internet Explorer 7 looks for a requested executable, it goes to your own internal Web site instead of the Internet. You can do this by changing a registry key.
Caution Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. You can also use the Last Known Good Configuration startup option if you encounter problems after manual changes have been applied.
The registry key to change specifies an Internet search path for Internet-based code:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft \Windows\CurrentVersion\Internet Settings\CodeBaseSearchPath
This registry key usually contains the keyword CODEBASE, which allows software to specify its own Internet search path for downloading components (that is, when CODEBASE is present, calls to CoGetClassObjectFromURL check the szCodeURL location for downloading components). After CODEBASE, the CodeBaseSearchPath registry key usually lists additional URLs in the Internet search path, with each URL enclosed in angle brackets and separated by a semicolon. If you remove CODEBASE from the registry key and instead specify a site on your own intranet, software will check that site, not an Internet site, for downloadable components. The URL specified in CodeBaseSearchPath will receive an HTTP POST request with data in the following format and respond with the object to install and load.
CLSID={class id} Version=a,b,c,d MIMETYPE=mimetypeFor more information, see the following MSDN topic about Internet Component Download, and search for all instances of CodeBaseSearchPath:
For more information about how a particular Microsoft programming or scripting language works, see the MSDN Web site at:
https://go.microsoft.com/fwlink/?LinkID=140
Learning About Group Policy Objects that Control Configuration Settings for Internet Explorer 7
You can control configuration settings for Internet Explorer 7 by using Group Policy objects (GPOs). (You can also control the configuration of Internet Explorer by using the Internet Explorer Administration Kit. For more information, see "Learning about the Internet Explorer Administration Kit," later in this section.) For sources of information about Group Policy, see Appendix B: Resources for Learning About Group Policy for Windows Server 2008 in this white paper.
To learn about specific Group Policy settings that can be applied to computers running Windows Server 2008, see the following sources of information:
Information about Group Policy on the Windows Server Web site at:
The Group Policy Settings Reference on the Microsoft Download Center Web site at:
Learning About the Internet Explorer Administration Kit
Using the Internet Explorer Administration Kit (IEAK), you can create a customized Internet Explorer package for use in your organization. You can then deploy your customized package using standard means such as network shares, intranet sites, media such as CDs, or through a system management solution, such as Microsoft System Center Configuration Manager 2007. (You can also control the configuration of Internet Explorer by using Group Policy. For more information, see "Learning About Group Policy Objects that Control Configuration Settings for Internet Explorer 7," earlier in this section.)
A few of the features and resources in the IEAK include:
Internet Explorer Customization Wizard. Step-by-step screens guide you through the process of creating customized browser packages that can be installed on client desktops.
IEAK Profile Manager. After you deploy Internet Explorer, you can use the IEAK Profile Manager to change browser settings and restrictions automatically.
IEAK Toolkit. Contains a variety of helpful tools, programs, and sample files.
IEAK Help. Includes many conceptual and procedural topics that you can view by using the Contents and Search tabs. You can also print topics from IEAK Help.
For more information about the IEAK, see TechNet Web pages at:
https://go.microsoft.com/fwlink/?LinkId=71520
Procedures for Controlling Internet Explorer in Windows Server 2008
The following subsections provide procedures for carrying out two types of tasks:
Controlling the browser available for use in Windows Server 2008
Turning Internet Explorer Enhanced Security Configuration on or off
Setting the security level to High for specific Web sites
Procedures for Controlling the Web Browser Available for Use in Windows Server 2008
This subsection provides information about controlling the browser available for use in Windows Server 2008. Methods of controlling browser availability include:
During unattended installation, with an answer file
Through the Default Programs interface
To Specify a Browser During Unattended Installation by Using an Answer File
Using the methods you prefer for unattended installation or remote installation, create an answer file. For more information about unattended and remote installation, see Appendix A: Resources for Learning About Automated Installation and Deployment for Windows Server 2008.
Confirm that your answer file includes the following lines. If you already have a <ClientApplications> section in your answer file, the "Internet" line (the line containing information about your browser) should be included in the <ClientApplications> section rather than repeating the section.
<ClientApplications>
<Internet>browser_canonical_name</Internet>
</ClientApplications>
For browser_canonical_name, specify the canonical name coded into your Web browser.
To Remove Visible Entry Points to Internet Explorer During Unattended Installation by Using an Answer File
Using the methods you prefer for unattended installation or remote installation, create an answer file. For more information about unattended and remote installation, see Appendix A: Resources for Learning About Automated Installation and Deployment for Windows Server 2008.
Confirm that your answer file includes the following lines. If you already have a <WindowsFeatures> section in your answer file, the "ShowInternetExplorer" line should be included in the <WindowsFeatures> section rather than repeating the section.
<WindowsFeatures>
<ShowInternetExplorer>false</ShowInternetExplorer>
</WindowsFeatures>
Note
This procedure removes visible entry points to Internet Explorer, but it does not prevent Internet Explorer from running.
To Specify a Browser Through the Default Programs Interface
Click Start, click Control Panel, click Default Programs, and then click Set your default programs.
Under Programs (on the left), click the browser you want to select as the default.
Note For the preceding step, if your Web browser does not appear by name, contact the vendor of that program for information about how to configure it as the default. Also, for related information about registry entries that are used to designate that a program is a browser, e-mail, media playback, or instant messaging program, see the MSDN Web site at:
To use the selected program as the default for opening all file types and protocols it can open, click Set this program as default.
As an alternative, you can click Choose defaults for this program and then specify which file types and protocols the selected program opens by default.
Procedure for Turning Internet Explorer Enhanced Security Configuration On or Off
To Turn Internet Explorer Enhanced Security Configuration On or Off
Make sure that no instances of Internet Explorer are running (otherwise you will have to close and re-open all instances of Internet Explorer after completing this procedure).
If Server Manager is not already open, click Start, click Administrative Tools, and then click Server Manager. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
Make sure Server Summary is expanded, and make sure Security Information is expanded.
On the right, click Configure IE ESC.
Under Administrators, click On or Off, and under Users, click On or Off.
Procedures for Setting the Security Level to High for Specific Web Sites
The procedures that follow provide information about how to set the security level for a particular Web site to High, which prevents actions such as running scripts and downloading files from the site. For information about planning a configuration for your organization to control whether Internet Explorer allows downloads or allows plug-ins, ActiveX controls, or scripts to run, see "Examples of the Security-Related Features Offered in Internet Explorer 7" and "Learning About Security and Privacy Settings in Internet Explorer 7," earlier in this section.
To Configure a Specific Computer with a Security Level of High for Specific Sites
On the computer on which you want to configure a security level of High for specific sites, in Internet Explorer, click Tools, click Internet Options, and then click the Security tab.
Select Restricted sites.
Under Security level for this zone, make sure the slider for the security level is set to High.
If the Internet Explorer Enhanced Security Configuration is turned on, the slider will be set to High and cannot be adjusted.
If the Internet Explorer Enhanced Security Configuration is turned off, the slider can be adjusted, and the security level can be set to a Custom level. If it is set to a Custom level, click Default Level and then make sure the slider for the security level is set to High.
With Restricted sites still selected, click Sites.
In Add this Web site to the zone, type the Web site address. You can use an asterisk for a wildcard. For example, for Web sites at Example.Example.com and www.Example.com, you could type:
https://*.Example.com
Click the Add button.
To Use Group Policy to Set the Security Level to High for Specific Sites that Users in Your Organization Might Connect To
As needed, see Appendix B: Resources for Learning About Group Policy for Windows Server 2008, and then edit an appropriate GPO.
In Group Policy, expand User Configuration, expand Windows Settings, expand Internet Explorer Maintenance, and then click Security.
In the details pane, double-click Security Zones and Content Ratings.
Under Security Zones, click Import the current security zones and privacy settings, and then click Modify Settings.
Select Restricted sites.
Under Security level for this zone, make sure the slider for the security level is set to High.
With Restricted sites still selected, click Sites.
In Add this Web site to the zone, type the Web site address. You can use an asterisk for a wildcard. For example, for Web sites at Example.Example.com and www.Example.com, you could type:
https://*.Example.com
Click the Add button.