Internet Explorer Enhanced Security Configuration (IE ESC)

If you ever have to install a Windows server (2008, 2008 R2) and try to use Internet Explorer, you might notice how annoying IE is when it comes to being secure.  Essentially you have to fight it to do anything useful.  At one point I was using it to install Chrome to get around the constant security popups.

Here is an example from trying to visit http://www.citrix.com.

It asks this for each web site that the current web site loads something from.  In this case, I was prompted five times for five different web sites that citrix.com uses.  In some cases it is impossible to keep IE ESC happy and the site never loads properly.

It is for a good cause (server security) but you might as well turn IE off completely.  Administrators are going to expect to be able to install and update software from the web.  The web browser plays a key role in doing this.  Having a dysfunctional IE makes the process much more painful.

I have briefly tried to defeat this before.  Nothing worked for me so I gave up on IE and switched to Chrome.  Today, I finally found the right way to switch this off.

Under Administrator Tools, start the Server Manager. In Server Manager, it is possible to turn off IE ESC.

Click on “Configure IE ESC”.

Turn off the IE ESC feature for administrators.

Once this happens, IE becomes usable again.

Microsoft has taken a long-term position of requiring the user to make security decisions.  In many cases, these decisions are so repetitive that they not only annoy the administrator, but they also reduce attentiveness and encourage the administrator to allow the transaction.  This was the whole UAC situation from Vista as well.

The real answer seems to lie somewhere else.  It is easy to write code to request user input on security questions.  It is much more difficult to form patterns and decide automatically.  Probably the right way to consider this is that the software should know better than the user what the risks are and what action to take.  Prompting constantly implies that the software knows nothing and is expecting the user to be the expert.

These observations have formed over the last several years.  The first experience with this kind of prompt came around 1996 when Microsoft requested that Citrix add a popup for local drive access.  This popup still exists in a different form in the current release.  It is not quite as annoying but it still can be annoying.

These kinds of popups have always felt wrong.  It is hard to suggest an alternative.  The most rational decision is to trust at different levels based on knowledge of the sites and what they do.  This already exists with IE and the different types of trust.

From past experience, this does not always work well either.

Where is this matched in Google Chrome?  Somehow it has avoided all of this.  I do not think I have ever seen this kind of prompt.  Part of the answer lies in the fact that Google Chrome uses two blacklists (phishing and malware) and warns the user if they select one of the sites in the blacklist.

Instead of requiring the user to determine web site trust, Chrome maintains blacklists and updates them within the browser.  From using Chrome, this feature works well.  Very few sites have ever triggered this warning (only one I can remember) but the web browser experience is safe.  Read a bit more about Chrome at Wikipedia.

In case you are curious, Chrome is now two years old and is gaining momentum.  You can learn more about “Safe Browsing” from this YouTube video.  From the video, it is clear that they have thought about this problem and come up with an excellent model for handling bad web sites.

Over the last couple of years I have switched to Chrome as the main web browser.  I only use IE for sites that work best with IE (e.g. SharePoint).  Using IE on Windows 2008 R2 triggered this blog post.  Hopefully Microsoft will change the model in the upcoming IE9.

Live near Brisbane, Australia. Software developer currently focused on iOS and Android. Avid Google Local Guide

Posted in Chrome, Internet Explorer, Microsoft
3 comments on “Internet Explorer Enhanced Security Configuration (IE ESC)”
  1. Fredrik says:

    You found out how to do this today? How long have you been working with WS08 machines?
    All the times mmc snap-ins must have complained for you because of the HTML report…
    Poor bastard 😀

    • jeffreymuir says:

      I have only been using WS08 machines for about six months. Previous to this I did not need to have my own servers. Luckily it was only IE that was acting up. If MMC had given me grief that would have been another matter.

      Thanks!

  2. Chris Dill says:

    I agree with you, IE needs some help in that department. The first thing I do when I install a new SBS 2008 is turn off Enhanced Security, because it is bull. Then I ignore all of the BPA alerts and baseline security alerts about how the added security is turned off for administrators.
    Good post.
    Check out my related blog at http://chrisdill.wordpress.com
