IT Blog – Jesper Ravn » Internet Explorer

Archive for the ‘Internet Explorer’ Category.

IE7 og Group Policies

January 14, 2008, 10:27 pm

Jeg orker ikke at skulle google hver gang jeg skal konfigurere IE7 via Group Policies.
Jeg har derfor prøvet at lave en konfig-plan for IE7, som jeg kan anvende næste gang det bliver nødvendigt.

Basis konfigurationen af IE7, er som følger:

Download og installer IE7 adm templates fra din GPO admin server/workstation.
http://www.microsoft.com/downloads/details.aspx?FamilyID=11ab3e81-6462-4fda-8ee5-fcb8264c44b1&displaylang=en

Remove eksisterende ” inetres.adm” templates under “Administrative Templares.
Gå til C:\Windows\inf og omdøb ” inetres.adm” til “inetres_org.adm”
Kopier C:\Program Files\Microsoft Group Policy\ inetres.adm til C:\Windows\inf.
Import herefter den nye IE7 template.

For at gøre oplevelsen med IE7 transperant for brugerne, vælger jeg her at konfigurere følgende:

Computer Configuration – Administrative Templates – Windows Components – Internet Explorer
Prevent participation in the Customer Experience Improvement Program = Enabled
Prevent Performance of first run customization settings = Enabled
Turn on Menu Bar by Default = Enabled

User Configuration – Windows Settings – Internet Explorer Maintenance – URLs – Important URLs
Important URLs (Homepage) = http://jravn.dk

Indsæt til sidst vigtige virksomheds websider i “Trusted Sites og intranet”. Det kunne feks være som følger:

User Configuration – Windows Settings – Internet Explorer – Security – Security Zones and Content Ratings
Intranet – Outlook Web Acces – Citrix Web Interface – Bank mfl.

For mere info til ovenstående, se dette link (Internet Explorer 7 Deployment Guide):
http://www.microsoft.com/downloads/details.aspx?familyid=E41D8800-D134-4356-A2E7-C01BEE790908&displaylang=en

Nedenstående lister de fleste af de anbefalede sikkerheds indstillinger for IE7, som Microsoft har udarbejdet i dette dokument.
http://www.microsoft.com/downloads/details.aspx?FamilyID=6AA4C1DA-6021-468E-A8CF-AF4AFE4C84B2&displaylang=en

Min plan er at køre med dem i forskellige miljøer og vende tilbage til denne blog-post, hvis jeg fremover oplever problemer med nedenstående.

Security Zones.

Security zone	Security level	Tested
Local Machine	Custom	ok
Internet	Medium-High	ok
Local intranet	Medium-low	ok
Trusted sites	Medium	ok
Restricted sites	High	ok

Recommendations for Increased Security.

Policy object	Location	Recommended setting	Tested
Internet Explorer Processes (Zone Elevation Protection)	Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Protection From Zone Elevation	Enabled	ok
Security Zones: Do not allow users to add/delete sites	Computer Configuration\Administrative Templates\Windows Components\Internet Explorer	Enabled	ok
Security Zones: Do not allow users to change policies	Computer Configuration\Administrative Templates\Windows Components\Internet Explorer	Enabled	ok
Prevent Ignoring Certificate Errors	Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel	Enabled	ok
Internet Explorer Processes (Restrict ActiveX Install)	Computer Configuration\Administrative Templates\Windows Components \Internet Explorer\Security Features\Restrict ActiveX Install	Enabled	1
Allow Active Scripting	Computer Configuration\Administrative Templates\Windows Components \Internet Explorer\Internet Control Panel\Security Page\<zone>	Disabled in response to zero day attack	4
Internet Explorer Processes (Scripted Window Security Restrictions)	Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Scripted Window Security Restrictions	Enabled	ok
ur non Protected Mode	Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\<zone>	Enabled	ok
Empty Temporary Internet Files folder when browser is closed	Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page	Enabled	ok
Disable AutoComplete for forms	User Configuration\Administrative Templates\Windows Components\ Internet Explorer	Enabled	ok
Turn on the auto-complete feature for user names and passwords on forms	User Configuration\Administrative Templates\Windows Components\ Internet Explorer	Disabled	ok
Logon Options	Computer Configuration\Administrative Templates\Windows Components\ Internet Explorer\Internet Control Panel\Security Page\Internet Zone	Enabled\Prompt for Username and Password	ok
Logon Options	Computer Configuration\Administrative Templates\Windows Components\ Internet Explorer\Internet Control Panel\Security Page\Intranet Zone	Enabled\Automatic Logon with Current Username and Password	ok
Logon Options	Computer Configuration\Administrative Templates\Windows Components\ Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone	Enabled\Anonymous Logon	ok
Logon Options	Computer Configuration\Administrative Templates\Windows Components\ Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone	Enabled\Automatic Logon only in Intranet Zone	ok
Turn off managing phishing filter	Computer Configuration\Administrative Templates\Windows Components\ Internet Explorer\	Enabled\Automatic	ok
Do not save encrypted pages to disk	Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page	Enabled for environments with sensitive data on Web pages.	Ok
Disable Automatic Install of Internet Explorer components	Computer Configuration\Administrative Templates\Windows Components\ Internet Explorer	Enabled	ok
Disable Periodic Check for Internet Explorer software updates	Computer Configuration\Administrative Templates\Windows Components\Internet Explorer	Enabled	ok
Disable software update shell notifications on program launch	Computer Configuration\Administrative Templates\Windows Components\Internet Explorer	Enabled	ok
Turn off Crash Detection	Computer Configuration\Administrative Templates\Windows Components\ Internet Explorer	Enabled	ok
Internet Explorer Processes (Restrict File Download)	Computer Configuration\Administrative Templates\Windows Components \Internet Explorer\Security Features\ Restrict File Download	Enabled	ok
Allow File Downloads	Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone	Disabled	ok
Deny all add-ons unless specifically allows in the add-on list	Computer Configuration\Administrative Templates\Windows Components\ Internet Explorer\Security Features\Add-on Management	Enabled	2
Add-on List	Computer Configuration\Administrative Templates\Windows Components\ Internet Explorer\Security Features\ Add-on Management	Enabled with add-ons listed	3
Internet Explorer Processes (Consistent MIME Handling)	Computer Configuration\Administrative Templates\Windows Components \Internet Explorer\Security Features\ Consistent MIME Handling	Enabled	ok
Internet Explorer Processes (MIME Sniffing)	Computer Configuration\Administrative Templates\Windows Components\ Internet Explorer\Security Features\ MIME Sniffing Safety Feature	Enabled	ok
Internet Explorer Processes\MK Protocol Security Restriction	Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\MK Protocol Security Restriction	Enabled	ok
Internet Explorer Processes\Object Caching Protection	Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Object Caching Protection	Enabled	ok
Configure Outlook Express	User Configuration\Administrative Templates\Windows Components\ Internet Explorer	Enabled\Block attachments that could contain a virus	ok

Note til Punkt 1-2-3:
Ved at at enable disse punkter vil alle Add-on blive disablet i brugernes IE. Derfor skal man forinden planlægge og teste denne lockdown.
Nedenstående links er doku til disse punkter:

About ActiveX Controls:
http://msdn2.microsoft.com/en-us/library/aa751971.aspx

Introduction to ActiveX – Part 1-2-3:
http://blogs.technet.com/askperf/archive/2007/11/16/introduction-to-activex-part-one.aspx
http://blogs.technet.com/askperf/archive/2007/11/30/introduction-to-activex-part-two-managing-activex-controls.aspx
http://blogs.technet.com/askperf/archive/2007/12/04/introduction-to-activex-part-three-security-and-security-zones.aspx

The ActiveX Installer Service in Windows Vista:
http://www.microsoft.com/technet/technetmag/issues/2007/07/AxIS/default.aspx

Note til Punkt 4:
Ved at disable “Allow Active Scripting” disabler man også Javascript, som mange web sites bruger i dag. Det betyder at man også skal planlægge og teste denne indstilling.
IT afdelingen skal her indstille sig på, at vedligeholde en Trusted Site liste.
Hvis man tillader at brugerne selv kan tilføje til Trusted Sites kan man installere “Internet Explorer 5 Power Tweaks Web Accessory” ude på de enkelte workstations.
Fordelen er her, at den integrerer Trusted Sites i IE menuen.
Alternativt til ovenstående, kan man opsætte en Secure Proxy i form af ISA 2006 + GFI Webmonitor eller Bluecoat, som kan scanne http trafik.

Category: Internet Explorer | Comment

IT Blog – Jesper Ravn

IE7 og Group Policies

Pages

Categories

Archives

HOME

IT-experts.dk