Posts tagged ‘IE9’

Out Now: IEAK for IE9

The Internet Explorer Administration Kit for IE9 has just been released to the public. One of the cool things that this tool can do is make a silent MSI for installing IE9, which is very handy if you are going to deploy it via Group Policy.

image

For instructions on deploying software via Group Policy, see Best Practice: How to deploy Software using Group Policy

Links

Another highly recommended download is the Group Policy Settings Reference Windows Internet Explorer 9

How to enable Group Policy Preferences support for IE9

I have previously talked about the new Group Policy for IE9; however, I mentioned that one of the issues was that there is currently no “official” support of Group Policy Preferences… Unfortunately there is still no “official” support, but it is now possible if you do some really easy XML editing…

Mark Heitbrink (fellow Group Policy MVP) has published an article which explains why it does not work and explains briefly how to modify the XML file for Group Policy Preferences so it will apply settings to IE9.

Therefore, taking Mark's excellent information, I have gone through the process step by step below, showing what I think is the easiest way to find and edit the XML file to enable GPP for IE9.




Step by Step enabling GPP for IE9

Step 1. Set up an IE8 Internet Explorer Extension setting that has the setting you want to apply to IE9 (e.g. Home Page).

image

image

Step 2. In the same Group Policy Object navigate to User Configuration > Policies > Windows Settings > Scripts (Logon/Logoff) and double click on the Logon (or logoff) option. Then click on the “Show Files” button.

image

Step 3. Click on “Users” in the Address bar.

image

Step 4. Then click on the “Preferences” folder and then the “InternetSettings” folder, then right click on the “InternetSettings” file and click on “Edit”.

image

Now we are looking at the XML that is used to apply the Group Policy Preferences settings. This is where we need to change the version number to support IE9.




Tip: Enable “Word Wrap” in Notepad to see the text on multiple lines.

Step 5. Change “max=9.0.0.0” to “9.1.0.0” (see below)
Before:

image

After:

image

Step 6. Save the file and you are done.

Now you can have the goodness of Group Policy Preferences with IE9; however, as the article also said, this is NOT supported, so please test carefully.

What is also nice about this change is that it is persistent, so if you make subsequent changes to the same setting you do not need to edit the XML again. However, you will need to make this change each time you make a new GPP IE Policy setting.
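
Steps 4 to 6 can also be scripted. The following PowerShell is an added example, not part of the original post or of Mark Heitbrink's article; it assumes the version ceiling is stored as an XML attribute written max="9.0.0.0", and the function name Set-GppIeMaxVersion and the sample XML are constructed for illustration.

```powershell
# Added example: raise the GPP Internet Settings version ceiling (Step 5),
# keeping a backup because the edit is unsupported.
# Assumption: the ceiling is an XML attribute of the form max="9.0.0.0".
function Set-GppIeMaxVersion {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,   # the file opened in Step 4
        [string] $OldMax = '9.0.0.0',
        [string] $NewMax = '9.1.0.0'
    )
    $full = (Resolve-Path -LiteralPath $Path).Path
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true          # leave the rest of the file untouched
    $xml.Load($full)

    # Match every attribute named "max" that still holds the old ceiling.
    $hits = @($xml.SelectNodes("//@max[.='$OldMax']"))
    if ($hits.Count -eq 0) { return 0 }      # already edited, or nothing to change

    Copy-Item -LiteralPath $full -Destination "$full.bak" -Force   # rollback copy
    foreach ($attr in $hits) { $attr.Value = $NewMax }
    $xml.Save($full)
    return $hits.Count
}

# Constructed, simplified sample; a real file carries more elements and attributes.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'InternetSettings-sample.xml'
@'
<InternetSettings>
  <IE8 name="Internet Explorer 8">
    <Filters><FilterFile min="8.0.0.0" max="9.0.0.0" /></Filters>
    <Properties />
  </IE8>
</InternetSettings>
'@ | Set-Content -LiteralPath $sample -Encoding UTF8

# Run twice to show the edit is applied once and is then a no-op.
"First run changed:  $(Set-GppIeMaxVersion -Path $sample)"
"Second run changed: $(Set-GppIeMaxVersion -Path $sample)"
Get-Content -LiteralPath $sample
```

Point -Path at the InternetSettings file opened in Step 4; the .bak copy written beside it lets you roll back the unsupported edit.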

Source: Internet Explorer 9(IE9) Group Policy Preferences (GPP) (Via GPOGuy )




9 reasons to install IE9 on your Servers

Microsoft have just released Internet Explorer 9 to the web and so Windows users around the world will now be truly able to enjoy the “Beauty of the Web”. While IE9’s hardware acceleration and new un-cluttered UI are really enjoyable for consumers, this browser also has a number of new features that make it very compelling to install on your servers. So below I have listed 9 reasons why you should also consider deploying IE9 to the servers in your organisation…

#1 Group Policy – Internet Explorer 9 is still the only browser that has comprehensive Group Policy Support with over 1500 settings. This gives you as an administrator the power to configure the browser on your servers to ensure they are correctly and securely configured.

#2 Memory Security Enhancements – As administrators we sometimes find ourselves having to use the internet on a server, probably to look up an error message or to download some tool we need to install to complete our work. IE8 has ASLR (Address Space Layout Randomization) and DEP/NX (Data Execution Prevention / No eXecute) enabled by default, which provided very good protection for the browser. However, even with these two layers of protection, Stephen Fewer at Pwn2Own 2011 was able to get around this security by using a combination of not 1, not 2 but 3 different vulnerabilities.

But Microsoft then quickly tweeted out that the same attack would not work on IE9 RC. While there are no details as to why the IE9 RC browser was not vulnerable to the same attack, certainly the additional protection of having been compiled with SafeSEH (Safe Structured Exception Handling) would have helped.

“(SafeSEH) helps ensure that structured exception handling cannot be used as an exploit vector”

For more info see http://blogs.msdn.com/b/ie/archive/2011/03/07/internet-explorer-9-security-part-1-enhanced-memory-protections.aspx

#3 Tab Isolation – Tab Isolation or hang recovery is another feature of IE9 that allows you to keep using your browser when a particular web page causes IE to crash. While this is generally just an inconvenience for users on workstations, this can be a life saver if you are on a server, as your browser is now more likely to lose only your work in your current tab rather than the 11 other things you were doing in the browser at the same time.

#4 Simpler UI – Using a browser on a server is a very different experience from using one on a workstation. You really don’t need fancy tool bars in your browser to do your job, and sometimes you have limited screen resolution, as you might be working on the server via a console with only a 1024×768 screen resolution due to not having the proper video card drivers loaded. Therefore the new simpler, cleaner and smaller UI gives you more real-estate on screen for your web pages and a lot less clutter getting in the way than any other browser.

Opera Safari Firefox Chrome Internet Explorer UI Compared

However, if you are a fan of the clutter you can still enable your toolbars and menu bars.

For more info see http://blogs.msdn.com/b/ie/archive/2011/02/15/user-experiences-listen-learn-refine.aspx

#5 ActiveX Filtering – Browser add-ons and ActiveX controls are just a bad idea on servers, whether it is the slow performance due to the bloat of running so many add-on products or the multiple security vulnerabilities that make add-ons the new security attack vector. Therefore the new ActiveX Filtering allows you to run ActiveX controls in an opt-in mode, meaning you only explicitly run the controls you trust. This setting is not on by default but you can enable it using the “Turn on ActiveX Filtering” group policy (see image below and point #1).

Turn on ActiveX Filtering

#6 Web Tracking Protection – Almost all sites on the Internet (this site included) have some sort of embedded web tracking to allow site owners to monitor the activity of their visitors. However, if you are using your browser on a server it is not desirable that your activities are tracked. To help with this problem IE9 has introduced a feature called Web Tracking Protection that allows users to block certain third party web sites. Therefore an administrator can subscribe to third party tracking lists or even create their own to prevent their browser from contacting any undesirable web sites from the client.

#7 Add On Performance Monitor – I know that in #5 I said that installing browser add-ons on a server is a bad idea; however, sometimes this is just a necessary evil. In this case IE9 will monitor your add-on performance and give you a warning when any of them are running slow and then let you selectively disable them (see below).

Choose Add-ons dialog - performance characteristics of add-ons are listed with the choice to disable them.

#8 Automatic Update – It holds true that all web browsers will need updating on a regular basis as they are the most exposed attack surface on your computer. However, Internet Explorer is the only one that is integrated with Windows Update, allowing you to use the same standard update and reporting process. This means that reporting tools such as WSUS or SCCM can give you status reports showing which computers still have out of date software, and thus make sure all your software is up to date without any slipping through the gate. This helps avoid a scenario that I am sure many IT admins can relate to: logging on to a server only to see that a grossly out of date version of Adobe Reader is installed because no one ever knew it was installed and had to be updated…

#9 Install Updates without reboot – and saving the best for last, this reason is the BIG ONE!!!! Continuing on from #8, and as I previously mentioned, you no longer need to reboot your server to install updates to your browser (see image below). Gone are the mandatory reboots of the server you have had to endure every month after patch Tuesday, which will make your life SO MUCH EASIER!!!

Note: You will need to be running Windows 2008 R2 service pack 1 to be able to do this so it is not going to help if you are still running Server 2008 (sorry).

image

As I mentioned before, there are of course many other reasons why IE9 is such a great product for consumers that I have not talked about (hardware acceleration, video tag support, Aero Snap and Pinned sites); however, as you can see, this is still compelling for your servers as well…

Did I mention no reboots to install updates!!!

Internet Explorer 9 Group Policy Settings

Well the wait is over and Microsoft today released the final version of Internet Explorer 9 to the web at http://windows.microsoft.com/ie/ . Since the release of the IE9 Release Candidate there have been a few more Group Policy settings added (see Internet Explorer 9 (RC) Group Policy Settings), so below is an updated list of each of the IE9 Group Policy settings with related screenshots.




Internet Explorer 9 Administrative Templates

Interestingly enough, according to the page TechNet: Group Policy Settings, the “Configure Tracking Protection Lists”, “Go to an intranet site for a single word entry in the Address bar” and “Enable alternative codecs in HTML5 media elements” settings should exist; however, they are nowhere to be found…

  • Prevent users from bypassing SmartScreen Filter’s applications reputation warnings about files that are not commonly downloaded from the Internet

image

  • Prevent Deleting Download History

image

  • Disable add-on performance notifications

image

  • Allow Internet Explorer 8 Shutdown Behavior

image




  • Install binaries signed by MD2 and MD4 signing technologies

image

  • Automatically enable newly installed add-ons

image

  • Turn off Managing SmartScreen Filter

image

  • Prevent configuration of search from the Address bar

image

  • Turn on ActiveX filtering

image

  • Enable alternate codecs in HTML5 media elements

image

  • Prevent Deleting ActiveX Filtering and Tracking Protection data

image

  • Tracking Protection threshold

image

  • Turn off Tracking Protection

image

  • Disable Browser Geolocation

image

  • Turn off ability to pin sites

image

  • Show tabs on a separate row

image




Internet Explorer 9 Maintenance Settings

Once you install IE9 on the computer you manage your group policy on, you will also find your IE9 Maintenance settings have been updated to reflect the newer settings.

image

image

image

Note: The “Manage add-ons” button here is currently the only way you can configure “Tracking Protection” lists (see example below). However, you first need to add the list to your browser Tracking Protection list before you press the “Manage add-ons” button.

image

image

Updated: Internet Explorer 9 Group Policy Preferences

Currently there is no native (supported) way to use Group Policy Preferences with IE9; however, you can easily work around this restriction. See my post at How to enable Group Policy Preferences support for IE9.

For a complete listing of all the IE9 Group Policy settings, where they can be found and how you install them to Active Directory, go to TechNet: Group Policy Settings

Installing IE9 on Windows 7 Service Pack 1 doesn’t require a reboot

Update: Now that I have installed the final version of IE9 on 6 computers, 2 of them needed to reboot, so it would seem that it may or may not require a reboot. This seems to be dependent on what application you are running at the time. Therefore it would still be prudent to plan for a reboot but not always expect it to happen.

I have just installed IE9 on a Windows 7 and a Windows Server 2008 R2 computer running Service Pack 1 and I was very pleased to see that in both cases it does not require a reboot to install. Previously I have installed IE9 on 3 Windows 7 computers that were not running Service Pack 1; however, they all required a reboot to install IE9. Therefore it seems that with Windows 7 / 2008 R2 Service Pack 1 installed it is now possible to install IE9 without a reboot (see images below).

Disclaimer: I have only seen this behaviour on one computer so far but I am testing it on one more really soon. I have now repeated this process on a Windows Server 2008 R2 SP1 and Windows 7 SP1. It looks more likely that this option to install IE9 without a reboot is a new feature of Service Pack 1.

One of the dialogue boxes (see below) on Windows Server 2008 R2 Service Pack 1 during the IE9 install asks if you want the installer to close your running programs to install it without a reboot. So if you select the “Close programs for me (I already save my work)” option, the browser will be installed without a reboot.

( FYI: The screenshots below are from a computer running Windows Server 2008 R2 Service Pack 1 with the Domain Controller role installed and running. )

image

The next screen is the dialogue box during the install of IE9. As you can see, IE8 and the Explorer shell have been closed during the install but the OS has NOT rebooted.

image

After IE9 is installed the Explorer Shell is launched again still without interruption to the OS.

image

This is a huge deal as it means that it is likely that updates to the browser will be able to be installed without requiring a reboot of the OS. Now this may be a nice-to-have for end users; however, this is a much bigger deal for Windows Servers, as IT administrators can now patch what is the most vulnerable part of the server OS (the browser) without any down time. This should hopefully mean that IT administrators will not need to revert to installing “Server Core” versions of the server OS just to ensure that they don’t have to reboot them every patch Tuesday to keep them secure.

I know this is not specifically a Group Policy topic however this is a really super cool find that I just had to share with everyone…