Group Policy Changes: Windows Server 2012, Windows 8 and Windows RT (Part 2)

by [Published on 1 May 2013 / Last Updated on 1 May 2013]

In this Part 2 of our article series, we’ll look at some of the Group Policy additions and changes that pertain to the Internet Explorer web browser.


Introduction

In Part 1 of this series, we started our discussion of the changes and additions to Group Policy in Windows Server 2012, Windows 8 and Windows RT. Specifically, we talked about Local Group Policy support in Windows RT and its limitations, and the new Remote Group Policy Update feature in Windows Server 2012. We will continue our introduction of these new and improved features in subsequent parts of this series. Here in Part 2, we’ll look at some of the Group Policy additions and changes that pertain to the Internet Explorer web browser.

IE 10: Two for the price of one

It’s Microsoft’s usual practice to introduce a new version of the Internet Explorer web browser when they come out with a new operating system, and in keeping with that, Windows Server 2012, Windows 8 and Windows RT come with IE 10. (Note that IE 10 is also available to download and install on Windows 7. Note, too, that you cannot install earlier versions of IE on Windows 8.)

IE 10 on Windows 8 and Windows RT differs from previous versions of IE in that it includes two browsers. The name “IE 10” refers to the combination of both. There is a “modern” version of IE that is accessed from the new tile UI and “IE for the desktop” that runs on the Windows 8 desktop. The former is designed to be more minimalist and touch-centric and lacks many of the controls we’re used to having in IE. The desktop version of IE provides a more traditional browsing experience and includes the menu bar, Favorites bar, command bar, etc. (although these are not displayed by default, it’s easy to turn them on). Only the desktop version of IE 10 supports browser plug-ins.

IE 10 security

One focus for improvement in the new version(s) of IE is security: additions include better ways for developers to lock down content via the HTML 5 sandbox, and an improved version of ASLR (which, however, a hacker claims to have defeated).

One of the most important new security-related features is Enhanced Protected Mode. Protected Mode was introduced back in IE 7 (which was included in Windows Vista), to help prevent remote installation of software or changes to system settings by attackers. Enhanced Protected Mode, as its name implies, goes further. It additionally protects password information by restricting IE from accessing the locations where that information is stored unless you give permission, and it prevents Internet tab processes from accessing users’ domain credentials, operating as local web servers or making connections to intranet servers.

New and changed Group Policy settings in IE 10

Appropriately, Microsoft has added new Group Policy settings to Windows to support the new features in IE 10. In all, IT admins now have almost 1500 Group Policy settings related to Internet Explorer. Microsoft lists twenty-eight brand new IE-related policies and six IE-related policies that were included in previous versions but have changed in Windows 8. You can see the entire list here.

Some of the more significant/useful new policies include:

  • Turn on Enhanced Protected Mode. Enhanced Protected Mode in IE gives extra protection from malicious sites. In Windows 8, the locations that IE can read from in the registry and file system are restricted, as well. Enabling this policy turns on Enhanced Protected Mode and prevents users from disabling it.
  • Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled. We all know ActiveX controls can present security challenges, and more control over ActiveX is good news for security admins. When you enable this policy, all websites are forced to run in Enhanced Protected Mode. ActiveX controls that aren’t compatible with Enhanced Protected Mode won’t run, and users will no longer get the option to disable Enhanced Protected Mode in order to run the control, as they do when this policy is not enabled.
  • Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects. Adobe Flash is notorious for its seemingly endless stream of security vulnerabilities, to the extent that Apple doesn’t include Flash support in its iOS devices, and Microsoft encourages use of HTML 5 in place of Flash. However, IE 10 still supports Flash (with limitations). If you want to prevent IE from using it, you can enable this policy to turn it off entirely. Users will be prevented from re-enabling it in the Manage Add-ons dialog box. You can also disable Flash through the Add-on List, but when you do it that way, applications can still use IE technology to instantiate Flash objects.
  • Do not display the reveal password button. When users enter passwords in IE 10, they have the option to click a button and view the password value (similarly to the way users can select to “show password” on Android devices). This makes some sense for mobile devices with small on-screen keyboards because password errors are common and it can be difficult to troubleshoot them. However, especially on a desktop computer with a large display that someone else can easily see from a distance away, it can present a security risk for users to be able to reveal the password on screen. You can enable this policy to prevent the “reveal password” choice from being available; it will be hidden for all password fields in web forms or web applications.
  • Install new versions of Internet Explorer automatically. By default, users can choose whether to automatically install new versions of IE when they become available, through the About Internet Explorer dialog box that is accessed from the Help (?) menu in the desktop version of IE 10. If you want to force installation of new versions, you can enable this policy to override user preference.
  • Turn off flip ahead feature. The flip ahead feature is new to IE 10 in Windows 8, and it works only on the formerly-known-as-Metro “modern” UI version of IE, not on the desktop version. The feature allows users to flip to the next page of a web site by swiping across the screen, which is a nice intuitive way to navigate on touch screen devices. However, when flip ahead is turned on, the browsing history is sent to Microsoft. The purpose of this is to improve the flip ahead feature, but you may not want this information sent – either for security reasons or bandwidth reasons. You can enable this policy to turn flip ahead off, and prevent users from turning it on through the Settings charm.

Some of the more significant/useful changes to policies include:

  • Prevent access to Delete Browsing History. A new feature in Windows 8 allows users to click the Delete Browsing History option on the Settings menu of the Charms bar. Some organizations may not want users to be able to delete this information. In that case, you can enable this policy to prevent users from accessing the Delete Browsing History dialog box.
  • Prevent Changing Proxy Settings. Many organizations don’t want browser users to be able to change the proxy settings to go through a different proxy. You can enable this policy to prevent users from configuring proxy settings.
  • Turn off print menu. You may not want users to print web pages. You can enable this policy to block access to the Print menu and the Print flyout for IE in Windows 8, and it will also prevent users from accessing (or even seeing) the printers under the Devices charm.

These Group Policy settings are all contained in the Administrative Templates | Windows Components | Internet Explorer section of the Group Policy tree (some of them are in subfolders in that path). To add the new settings, IE installs a new inetres.admx file in the PolicyDefinitions directory of the Windows directory and also installs a new language file for the new administrative template.
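To confirm which registry value one of these policies writes, for example when auditing a client, the display names can be resolved against inetres.admx and its language file. The PowerShell below is an added example, not from the original article; the function name Get-AdmxPolicyRegistryMap, the en-US language folder and the embedded sample XML are assumptions, and the sample's key and value name are placeholders.

```powershell
function Get-AdmxPolicyRegistryMap {
    param(
        [Parameter(Mandatory)][xml]$Admx,   # parsed inetres.admx
        [Parameter(Mandatory)][xml]$Adml,   # parsed language file (inetres.adml)
        [string]$NameLike = '*'             # wildcard filter on the display name
    )
    # Build an id -> text lookup from the language file's string table.
    $strings = @{}
    foreach ($s in $Adml.policyDefinitionResources.resources.stringTable.string) {
        $strings[$s.id] = $s.InnerText
    }
    foreach ($p in $Admx.policyDefinitions.policies.policy) {
        # displayName is a reference of the form $(string.SomeId).
        $display = $p.displayName
        if ($display -match '^\$\(string\.(.+)\)$' -and $strings.ContainsKey($Matches[1])) {
            $display = $strings[$Matches[1]]
        }
        if ($display -notlike $NameLike) { continue }
        # Policies without a top-level valueName keep their data in child elements.
        $values = @($p.valueName) + @($p.elements.ChildNodes | ForEach-Object { $_.valueName })
        [pscustomobject]@{
            DisplayName = $display
            Class       = $p.class   # Machine, User or Both
            Key         = $p.key
            ValueNames  = ($values | Where-Object { $_ }) -join ', '
        }
    }
}

# Constructed sample, used only when the real files are absent; key and value are placeholders.
[xml]$sampleAdmx = @'
<policyDefinitions><policies>
  <policy name="SamplePolicy" class="Both" displayName="$(string.Sample_Name)"
          key="Software\Policies\ExampleOnly" valueName="ExampleValue" />
</policies></policyDefinitions>
'@
[xml]$sampleAdml = @'
<policyDefinitionResources><resources><stringTable>
  <string id="Sample_Name">Turn on Enhanced Protected Mode (constructed sample)</string>
</stringTable></resources></policyDefinitionResources>
'@
$dir  = Join-Path $env:windir 'PolicyDefinitions'
$admx = New-Object System.Xml.XmlDocument
$adml = New-Object System.Xml.XmlDocument
if (Test-Path (Join-Path $dir 'en-US\inetres.adml')) {   # assumption: en-US language folder
    $admx.Load((Join-Path $dir 'inetres.admx'))
    $adml.Load((Join-Path $dir 'en-US\inetres.adml'))
} else { $admx = $sampleAdmx; $adml = $sampleAdml }
Get-AdmxPolicyRegistryMap -Admx $admx -Adml $adml -NameLike '*Enhanced Protected Mode*' | Format-List
```

The Key and ValueNames columns give the location to check under the policy hive on a client once the GPO has applied.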

Group Policy preferences

In addition to the new and changed policies, Windows Server 2012 and Windows 8 also include a new feature called Group Policy Preferences for IE 10, which consolidates multiple ways to configure the browser’s preference settings. Instead of the IE Maintenance (IEM) snap-in, you now use the IE 10 preference extension (or the Internet Explorer Administration Kit (IEAK)) to configure the IE 10 settings that were previously managed through IEM.

Annoyingly, some of the settings that could be configured through IEM are no longer available in IE 10, such as the setting to replace the standard IE logos in the upper right corner with your own custom logo. But using Group Policy Preferences, you can do things like import connection settings from another computer and prevent users from adding new trusted publishers via Authenticode settings. For more information about the replacement methods for IEM functionalities for Windows 8, see this link.

Summary

In Part 2 of this series discussing what’s new and improved in Group Policy for Windows Server 2012, Windows 8 and Windows RT, we turned our attention to those changes that pertain to the Internet Explorer web browser and looked in detail at some of the most significant new policies and changes to old ones. In Part 3, we’ll explore what else has been added to or changed in Group Policy and the way it works in the new operating systems.
