Disabling Internet Explorer Enhanced Security on RDS

    Question

  • I am running a Win Server 2008 R2 box with the RDS role. My users need to use IE from within the remote desktop. Because Server 2008 by default comes with Internet Explorer Enhanced Security Configuration enabled, it is difficult for anyone to browse to any sites because JavaScript and other things are disabled. I am thinking about disabling IEES but am concerned about the security implications. What is the exposure risk? I am concerned about users navigating to a site that might exploit a 0-day vulnerability through scripting or Flash and infect the server. What is the best practice in this scenario?

    Tuesday, April 27, 2010 3:37 AM

Answers

  • If that is your requirement, then the server will be in even greater danger since multiple users have access to it.  What you'll need is a dedicated Internet proxy server to configure what sites are allowed and what sites are blocked.  Full undiluted and uncontrolled access to the internet is ALWAYS dangerous, and neither IEES nor UAC will truly assist you in stopping that.
    Wednesday, April 28, 2010 3:38 AM

All replies

  • Honestly, the best practice in that scenario is to not allow access to the internet.  The instant you allow regular users full access to the internet, you will always expose your server to dangers.

    If that's a requirement that cannot be changed, then I recommend using locked-down mandatory profiles.  Generally, even with IEES disabled, servers have much stricter access controls.  With UAC enabled, this becomes even stricter.  By combining that with mandatory profiles, you are at least assured that when the user logs off, any file they had will also be deleted.  Of course users won't be able to save anything to the local profile and have it retained, but since it's a server they shouldn't be doing that anyway.

    Aside from that, you might have to isolate it and treat it not as a server but as a user's workstation.

    Tuesday, April 27, 2010 4:42 PM
  • Well, in a sense this RDS server is and should act as everybody's workstation. That's how we intend it to be used. The users definitely need to save their work on this server. That is one of the primary reasons we have it, so that users' documents are stored on the server and in turn backed up, rather than on their client machines (laptops), which are frequently lost, or the users end up destroying the installation with viruses and other stuff users do to mess up their machines. I was hoping that this remote desktop experience would be unbreakable and secure so it can easily be maintained while allowing users to have full freedom of operation to browse the Internet for their work.

    I tried using policies to white list sites that are in the trusted security zone and keeping IEES on but have failed after many attempts. I just can't seem to get this IE policy to get applied even though all other policies on this domain work.

    Wednesday, April 28, 2010 3:07 AM
  • Personally I'd make them browse locally, not on my server.  Once one person browses to the wrong site you've screwed everyone up.  I don't think there's any surefire secure but usable browser settings, and we don't have time to try to figure out that combination.  If anything I'd suggest what James mentioned and have a whitelist of sites they could access.
    Sunday, May 02, 2010 2:58 AM
  • I put some sites on the white list (trusted zone) and JavaScript is still being blocked. Tested with maps.google.com. Still can't zoom and pan the map.
    Friday, May 07, 2010 7:11 AM
  • Yes, I did disable ESC. Disabling it (for users, not admins) only allowed intranet sites to be white listed. Internet sites are still blocked, so I placed some sites like http://*.google.com in the trusted zone. Like I explained above, the zoom/pan functions in maps.google.com still do not work.

    Friday, May 07, 2010 8:51 AM
  • Have you found the solution?
    Tuesday, May 25, 2010 9:55 AM
  • No solution yet.
    Tuesday, May 25, 2010 11:55 PM
  • What worked for me was: once I disabled it on the RDS server, each user had to go into IE, Internet Options, Advanced, Reset, and reset all settings. Once this was done, close and restart IE and all was good.
    Thursday, May 27, 2010 9:24 PM
  • I tried this without success...
    Friday, May 28, 2010 7:29 AM
  • Yeah, did not work for me either.
    Friday, May 28, 2010 8:57 AM
  • Hi Perry, can you run RSOP.msc while logged in as a user who is having issues and see if any GPOs are being applied that will block those sites?
    Saturday, May 29, 2010 1:36 AM
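
    The RSOP.msc check suggested above can also be done straight from the registry, which is where the zone whitelist actually has to land for IE to honour it. The PowerShell script below is an added example, not part of this thread and not Microsoft tooling. It assumes the registry locations IE and Server Manager use on Server 2008 R2: the two Active Setup components that carry the IE ESC flag for Administrators and Users, the ZoneMapKey that the "Site to Zone Assignment List" GPO writes (machine and user side), the hand-entered zone lists under ZoneMap\Domains (or ZoneMap\EscDomains while ESC is on), and the two policies that override user-level zone settings. The helper function names are mine. Run it as the affected user inside their RDS session so the HKCU half is theirs; it only writes anything when given -DisableForUsers, which needs an elevated prompt.

```powershell
# Added example (not from the thread): read-only diagnostic for IE ESC and the
# zone whitelist on a Windows Server 2008 R2 RDS host. Run as the affected user
# in their own session. Only -DisableForUsers writes anything (elevation needed).
param([switch]$DisableForUsers)

# IE ESC is tracked per group by two Active Setup components (IsInstalled 1 = on).
$escRoot = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
$escKeys = @{
    Administrators = "$escRoot\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}"
    Users          = "$escRoot\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
}
foreach ($group in $escKeys.Keys) {
    $on = (Get-ItemProperty -Path $escKeys[$group]).IsInstalled -eq 1
    "IE ESC for {0,-14}: {1}" -f $group, $(if ($on) { 'ON' } else { 'OFF' })
}

if ($DisableForUsers) {
    # Same effect as unticking "Users" in Server Manager's IE ESC dialog while
    # leaving Administrators hardened. Each user sees it at their next logon.
    Set-ItemProperty -Path $escKeys.Users -Name IsInstalled -Value 0 -Type DWord
    'IE ESC turned OFF for Users (log off and on again to see the change).'
}

$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

# Entries pushed by the "Site to Zone Assignment List" GPO: value name is the
# URL pattern (e.g. http://*.google.com), value data is the zone number.
function Get-PolicyZoneEntries([string]$path) {
    if (-not (Test-Path $path)) { return }
    $key = Get-Item -Path $path
    foreach ($site in $key.GetValueNames()) {
        New-Object PSObject -Property @{
            Source = $path; Site = $site; Zone = $zoneNames[[int]$key.GetValue($site)]
        }
    }
}

# Entries added by hand in Internet Options live under ZoneMap\Domains, or under
# ZoneMap\EscDomains while ESC is on: one subkey per host label
# (google.com\maps = maps.google.com) with one value per scheme (http = 2).
function Get-DomainEntries([string]$root) {
    if (-not (Test-Path $root)) { return }
    $rootName = (Get-Item -Path $root).Name
    Get-ChildItem -Path $root -Recurse | ForEach-Object {
        $key   = $_
        $parts = $key.Name.Substring($rootName.Length + 1).Split('\')
        [array]::Reverse($parts)                      # google.com\maps -> maps.google.com
        $hostName = $parts -join '.'
        foreach ($scheme in $key.GetValueNames()) {
            New-Object PSObject -Property @{
                Source = $root; Site = "$scheme://$hostName"
                Zone   = $zoneNames[[int]$key.GetValue($scheme)]
            }
        }
    }
}

$polMachine = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$polUser    = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$ieMachine  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$ieUser     = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'

# Two policies that silently override whatever the user (or a user-side GPO) sets:
# "Use only machine settings" makes IE ignore every HKCU zone entry, and
# "Do not allow users to add/delete sites" locks the Trusted sites dialog.
function Get-PolicyFlag([string]$path, [string]$name) {
    $v = if (Test-Path $path) { (Get-ItemProperty -Path $path).$name } else { $null }
    if ($v -eq $null) { 'not set' } else { $v }
}
"Security_HKLM_only      (machine): {0}" -f (Get-PolicyFlag $polMachine 'Security_HKLM_only')
"Security_zones_map_edit (machine): {0}" -f (Get-PolicyFlag $polMachine 'Security_zones_map_edit')
"Security_zones_map_edit (user)   : {0}" -f (Get-PolicyFlag $polUser    'Security_zones_map_edit')

$entries = @(
    Get-PolicyZoneEntries "$polMachine\ZoneMapKey"
    Get-PolicyZoneEntries "$polUser\ZoneMapKey"
    Get-DomainEntries     "$ieMachine\Domains"
    Get-DomainEntries     "$ieMachine\EscDomains"
    Get-DomainEntries     "$ieUser\Domains"
    Get-DomainEntries     "$ieUser\EscDomains"
)
if ($entries.Count -eq 0) { 'No zone assignments found: the whitelist never reached this profile.' }
else { $entries | Sort-Object Zone, Site | Format-Table Zone, Site, Source -AutoSize }
```

    If the policy entries show up under ZoneMapKey but the site still misbehaves, compare them against the hand-entered EscDomains entries: while ESC is on, IE reads EscDomains rather than Domains, so a site added through the Internet Options dialog and a site pushed by GPO end up in different places. A pattern such as http://*.google.com also puts every host on that domain into Trusted sites, which is a wide grant on a box that is everyone's workstation; keeping ESC on for Administrators and filtering outbound browsing at a proxy, as the accepted answer suggests, still applies whatever the zone list says.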