Home > IE ESC, Internet Explorer, Networking, Powershell, Security, Windows Server 2012 > How to disable IE Enhanced Security in Windows Server 2012

How to disable IE Enhanced Security in Windows Server 2012

November 28, 2012 Leave a comment Go to comments

Have you seen this? Or similar in SharePoint 2010?

This is just a quick guide to disabling the setting that makes Internet Explorer unbarable in a labb or test environment. Often, you do use the browser on the lab, dev or test server to quickly verify functionality or in SharePoint, to access Central Administration web site and make the first initial configurations. When IE ESC is eneabled, you get popups all the time and you are asked to add every new url to the IE trusted sites zone.
So, on a dev, test or lab server, it is ok to disable it, at least if you ask me. As long as you are aware of what you are doing and that it after all does provide an extra layer of security.
At the end of this post, I have added what all the settings in IE ESC really does, one by one.

Updated 2013-02-06 – Added link menu



Server2012_Logo_small Disable IE ESC using the GUI – Graphical User Interface
powershell_logo_small Disable IE ESC using PowerShell
Server2012_Logo_small General Information about IE ESC




GUI – Graphical User Interface

The steps:

1. On the Windows Server 2012 server desktop, locate and start the Server Manager.

2. Select Local Server (The server you are currently on and the one that needs IE ESC turned off)

3. On the right side of the Server Manager, you will by default find the IE Enhanced Security Configuration Setting. (The default is On)

4. You have two settings that can be disabled, one only affects the Administrators and the other all users. The preferred method when testing (if for example SharePoint) is to use a non-admin account and if that is the case, disable the IEESC only for users. Using a local administrator account would cause an additional threat to security and it will also often not give you the required result in tests, since the administrator has permissions where a normal user do not.
Make your selection to Off for Administrators, Users or both.

5. In this example, I have selected to completely disable Internet Explorer Enhanced Security. When your seelction is made, click OK.

6. Back in the Server Manager, you will see that the setting has not changed at all. Press F5 to refresh the Server Manager and you wil see that it is changed to Off.

Done, open up a IE browser windows and try to access any internal site to test the setting, you will notice that you no longer are prompted in the same way.
Back to top



PowerShell

(Best I can do, if you know of any OOB CMDlets that does the trick, please drop a comment and let me know:
Put the code below in a textfile and save it with a ps1 extension i.e. Disable-IEESC.ps1
(This will disable both Administrator and User IE ESC)

function Disable-IEESC
{
$AdminKey = “HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}”
$UserKey = “HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}”
Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 0
Set-ItemProperty -Path $UserKey -Name “IsInstalled” -Value 0
Stop-Process -Name Explorer
Write-Host “IE Enhanced Security Configuration (ESC) has been disabled.” -ForegroundColor Green
}
Disable-IEESC
(You have to hit enter twice after pasting the script if you paste it directly into a PS prompt)
 
Powershell
Done!
Back to top



IEESC General Information

IMPORTANT! Do NOT disable IE ESC on any production servers or servers with live data on them, to disable IE ESC is to reduce the security and can potentially expose the server to attacks. By the way, on a production server: IE shall not be used at all!

More on IE ESC from Microsoft help:
(From Windows Server 2008R2 helkp, 2012 help leads to an empty web page!)

Internet Explorer Enhanced Security Configuration Overview

Windows Internet Explorer Enhanced Security Configuration (IE ESC) configures your server and Internet Explorer in a way that decreases the exposure of your server to potential attacks through Web content and application scripts. This is done by raising the default security levels on Internet Explorer security zones and changing the default settings.

Enabling or disabling IE ESC

IE ESC can be enabled or disabled by using Server Manager for members of the local Administrators group only or for all users that log on to the computer.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

Note:   If Internet Explorer is open when IE ESC is enabled or disabled, you must   restart Internet Explorer for the IE ESC changes to become active.
Note: IE ESC will   automatically be disabled if Terminal Services or Remote Desktop Services is   installed on a computer that has IE ESC enabled, but it can be enabled again   by using Server Manager.

Default settings for IE ESC

When IE ESC is enabled on Windows Server 2008 R2, the security levels for several built-in security zones are changed. The following describes these changes.

Internet
High
All Web sites are assigned to this zone by default. Web pages might not display as expected, and applications that require the Web browser might not work correctly because scripts, ActiveX controls, and file downloads have been disabled. If you trust an Internet Web site, you can add that site to the Trusted sites zone.

Trusted sites
Medium
This zone is for the Internet sites whose content you trust.

Local intranet
Medium-Low
When visiting Web sites on your organization’s intranet, you might be repeatedly prompted for credentials because IE ESC disables the automatic detection of intranet Web sites. To automatically send credentials to selected intranet sites, add those sites to the Local intranet zone. Additionally, access to scripts, executable files, and other files in a shared folder are restricted unless the shared folder is added to this zone.

Restricted sites
High
This zone contains sites that are not trusted, such as malicious Web sites.

Internet Explorer maintains two different lists of sites for the Trusted sites zone: one list when IE ESC is enabled and a separate list when it is disabled. When you add a Web site to the Trusted sites zone, you are adding it only to the list that is currently being used.

If you attempt to browse a Web site that uses scripting or ActiveX controls, Internet Explorer with IE ESC enabled will prompt you to consider adding the site to the Trusted sites zone. You should add the Web site to the Trusted sites zone only if you are sure that the Web site is trustworthy. If this prompt is disabled, it can be enabled again by selecting the Display enhanced security configuration dialog check box in the Advanced tab of the Internet Options dialog box. For more information about adding Web sites to Internet Explorer security zones, see Security zones: adding and removing websites (http://go.microsoft.com/fwlink/?LinkId=81287).

In addition to raising the default security level of each zone, IE ESC also adjusts Internet options to further reduce exposure to possible future security threats. These settings can be found on the Advanced tab of the Internet Options dialog box. The following describes the options that are changed when IE ESC is enabled.

Enable third-party browser extensions
Off
Disables Internet Explorer add-ons that might have been created by companies other than Microsoft.

Play sounds in Web pages
Off
Disables music and other sounds.

Play animations in Web pages
Off
Disables animations.

Check for server certificate revocation
On
Automatically checks a Web site’s certificate to determine if the certificate has been revoked.

Do not save encrypted pages to disk
On
Disables saving encrypted information in the Temporary Internet Files folder.

Empty Temporary Internet Files folder when browser is closed
On
Automatically clears the Temporary Internet Files folder when Internet Explorer is closed.

Warn if changing between secure and not secure mode
On
Displays a warning when a Web site is redirecting the browser from a Web site with security features implemented (HTTPS) to a Web site without security features implemented (HTTP).

The Internet Explorer home page location is changed when IE ESC is enabled or disabled. This change ensures that the home page will open without prompting the user to add it to the Trusted sites zone. This is done by changing the home page to an HTML file stored locally on the computer. If you want to change the home page when IE ESC is enabled, add this home page to the Trusted sites zone before making the change. The following lists the home page associated with each scenario.

IE ESC is enabled, and the user account is a member of the local Administrators group.
res://iesetup.dll/HardAdmin.htm

IE ESC is disabled, and the user account is a member of the local Administrators group.
res://iesetup.dll/SoftAdmin.htm

IE ESC is enabled, and the user account is not a member of the local Administrators group.
res://iesetup.dll/HardUser.htm

Note: If Internet Explorer   is customized by using the Internet Explorer Administration Kit, the home   page is not changed to one of the IE ESC home pages listed in the table when   IE ESC is enabled or disabled.

Caution

These changes reduce the functionality in Web pages, Web-based applications, local network resources, and applications that use a browser to display Help, support, and general user assistance.

When IE ESC is enabled, the following Web sites are added to the appropriate security zones:
The Windows Update and Windows Error Reporting Web sites are added to the Trusted sites zone.
Http://localhost
https://localhost
hcp://system
are added to the Local intranet zone.

_________________________________________________________

Enjoy!

Regards

Twitter | Technet Profile | LinkedIn

Advertisements
  1. September 3, 2013 at 13:34

    This is one of the most annoying things on Windows server. I disable it for admins on all my servers. I still leave it enabled for stanard users even if they cannot log on

    • September 3, 2013 at 13:38

      🙂
      Its there for a reason though. I recommend enabling it again once you put a system into production, even for admins. The server is not for surfing…:-)

      Thanks for the feedback!
      Regards
      // Thomas

  2. ram
    January 6, 2014 at 11:58

    is it ness’y to turn it OFF or turn it ON in the server

    • January 8, 2014 at 01:33

      Hi.
      It is on by default, it is only necessary to turn it off if you want to access SharePoint using the servers browser, not else.
      IEESC is a built in security measure and should not be turned off without cause.

      Regards
      // Thomas

  3. February 18, 2014 at 10:04

    Awesome…thanks for this! #gratitude

  4. Mathivathanan Vijayakumar
    March 13, 2014 at 12:39

    Thanks.. 🙂

  5. Mahanthesh
    March 17, 2014 at 13:46

    Thanks

  6. Amerk
    April 21, 2014 at 13:51

    Thank you very much…I couldn’t find how to shut it off for a while.

  7. May 1, 2014 at 08:18

    So what about the case of a Remote Desktop Server with a bunch of non-admin users who need all the IESEC stuff off so all the websites they need function properly? There’s a lot of vpn/medical “https” sites that do not function at all with it on.
    Do you have any sugestions for that scenario? thanks

    • May 6, 2014 at 17:17

      Hi.
      Try adding the sites as trusted sites/local intranet to avoid the IEESC? Not sure if it works though…

      Regards // Thomas

  8. mastapat11
    May 1, 2014 at 08:28

    What about the case of a Remote Desktop Server with a bunch of users that rdp in as their main workstation?
    When IESEC is on, a lot of websites don’t function AT ALL especially vpn/medical sites.
    Any suggestions for a scenario like this? thanks

    • May 2, 2014 at 12:38

      Hi.
      My recommendation is to leave the IEESC on on all servers, but if the security function hinders users from doing their jobs, then it must be reconfigured or disabled, but with the added risk in mind when doing so.
      Regards
      // Thomas

  9. July 16, 2015 at 19:54

    I disabled IE ESC on a Win2012 server using the server manager for both admin and non-admin account but i still get the prompt (windows security explore connecting to .domain.com). I am trying to access a site set up locally in IIS and trying to access it. Windows authentication is enabled for the site. Any pointers would be appreciated.

    • July 16, 2015 at 21:29

      Hi
      Have you tried disabling the loopback check? If its locally you can’t access a local site with a different url than servername or ip.
      I have a topl for it at Codeplex.
      Hth
      Thomas

      • July 16, 2015 at 22:15

        Hi Thomas,
        Thanks for your reply!
        I did turn off the loopback check using the tool you created and made available on codeplex. I did not add any URLs though.
        Still getting the same error. . I browse the site using the IIS manager action (“Browse localhost on *:80(http)”. After unsuccessful login attemps i get “401.2 : Unauthorized : login failed due to server configuration. Verify that you have permissions to view this directory or page baced on the credentials and authentication methods enableed on the web server”..

  10. tj
    September 1, 2015 at 06:44

    Thanks.

  1. July 30, 2013 at 15:18
  2. October 3, 2013 at 01:50
  3. October 20, 2013 at 19:52
  4. March 5, 2014 at 11:57
  5. March 22, 2014 at 03:03
  6. February 6, 2015 at 10:52
  7. February 12, 2015 at 05:33
  8. March 4, 2015 at 12:41

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: