Group Policy Central

Posts tagged ‘Internet Explorer’

Using Firefox in the Enterprise? Really! Have you heard of IE?

There has been a lot of talk in the news recently about how Mozilla has changed support gears and is now releasing a new browser version every few months. The effect of this is that a lot of enterprise customers (such as IBM) using Firefox aren’t even finished testing before the next version is released. While corporate customers using Firefox 3.6 are still supported, it would seem that this may not be for long due to the “cost benefit trade” for Mozilla to play in the Enterprise.

This has of course prompted Microsoft to start pushing IE to corporate customers, saying “We’ve got a great solution for corporate customers with both IE8 and IE9”.

So to illustrate this I have graphed the number of days that Microsoft supports Internet Explorer compared to Mozilla’s Firefox 4.

image

Note: I assume that IE9 will not have an extended support lifecycle as it was NOT released as part of Windows 7.

Certainly having to support IE6 for over 9 years is a major commitment for Microsoft, especially when there are so many security issues… But even while Microsoft encourages users to stop using IE6 (http://www.theie6countdown.com/), they continue to support IE6 as promised for the long haul and are certainly not going to be “forcing” anyone to upgrade any time soon. This, plus Internet Explorer’s excellent out-of-the-box Group Policy support (for third party see Policy Pak), is why I think IE is hands down the best browser for any corporate environment….

How to enable IE Quirks Mode with Group Policy

If you are looking at moving to Windows 7 or at upgrading IE6 in your organisation, you have probably discovered that a lot of your intranet web sites don’t work properly. Well, apparently 80% of IE app compatibility issues are caused by websites that do not have the <!DOCTYPE> header, as with IE8 (see below).

image

This problem is due to a bug in IE6: it ignores the <!DOCTYPE> if it is not on the first row and then defaults back to rendering the page in Quirks mode. The problem is that newer browsers do read this <!DOCTYPE> tag when it is not on the first line and then render the page in standards mode as requested. To address this issue, Microsoft has released a hotfix for IE8 and included in IE9 a feature that lets you force pages to render in Quirks Mode, thus ignoring the <!DOCTYPE> line.

A webpage is not displayed correctly in Internet Explorer when any of the following is true:

  • You use Windows Internet Explorer 8 Standards mode to browse the webpage.
  • You enable Compatibility View in Internet Explorer 7 to browse the webpage.

Additionally, if you do not have the permissions to implement the Meta tag or the HTTP header for browser emulation, you cannot force the browser to work in QUIRKS mode from the client-side.

Microsoft KB: A webpage is not displayed correctly when you browse the webpage by using Internet Explorer 8 Standards mode or Compatibility View in Internet Explorer 7

Once you have the hotfix deployed or you have installed IE9 on your computers, you can then use the policy “Use Policy List of Quirks Mode sites” under Software\Policies\Microsoft\Internet Explorer\BrowserEmulation\QuirksPolicyList to add the specific sites that should render in Quirks mode.

image

This will now force your browser to render the page using IE5.5 (a.k.a. Quirks) mode so that the page now renders correctly.
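To decide which intranet pages actually belong in the Quirks Mode list, you can check where each page's <!DOCTYPE> sits. The following is an added example, not part of the original post: the function names and the intranet.example URLs are hypothetical, the sample pages are constructed, and it assumes that whitespace or a byte-order mark before the <!DOCTYPE> does not count as content.

```python
import re

COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b[^>]*>", re.IGNORECASE)
ROOT_RE = re.compile(r"<(html|head|body)\b", re.IGNORECASE)


def classify(html):
    """Classify a page by where its DOCTYPE sits, per the behaviour described above."""
    # Assumption: a byte-order mark or whitespace before the DOCTYPE does not count.
    text = html.lstrip("\ufeff")
    # Collapse comments to a marker so a commented-out DOCTYPE is not matched,
    # while a comment placed before the real DOCTYPE still counts as content.
    text = COMMENT_RE.sub("#", text)
    root = ROOT_RE.search(text)
    prolog = text[:root.start()] if root else text
    match = DOCTYPE_RE.search(prolog)
    if match is None:
        return "no-doctype"      # Quirks mode in IE6 and in newer versions
    if prolog[:match.start()].strip() == "":
        return "doctype-first"   # honoured by IE6 and by newer versions
    return "doctype-late"        # IE6: Quirks; IE8/IE9: Standards


def quirks_list_candidates(pages):
    """Return the URLs whose rendering mode changes after leaving IE6."""
    return sorted(u for u, h in pages.items() if classify(h) == "doctype-late")


# Constructed sample pages; the intranet.example URLs are hypothetical.
STRICT = '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">'
SAMPLE_PAGES = {
    "http://intranet.example/hr": STRICT + "\n<html><body>HR</body></html>",
    "http://intranet.example/payroll": '<?xml version="1.0"?>\n' + STRICT + "\n<html></html>",
    "http://intranet.example/wiki": "<!-- built by CMS -->\n<!doctype html>\n<html></html>",
    "http://intranet.example/legacy": "<html><body>no doctype</body></html>",
    "http://intranet.example/old": "<!-- <!DOCTYPE html> -->\n<html></html>",
}

if __name__ == "__main__":
    for url in quirks_list_candidates(SAMPLE_PAGES):
        print("candidate for QuirksPolicyList:", url)
```

Only the "doctype-late" pages change behaviour when you leave IE6, so keeping the policy list to those sites avoids forcing legacy rendering on pages that do not need it.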

TIP: If you are still having issues with your Intranet pages not working correctly, one of the other big compatibility fixes you can try is to make sure that the page is properly placed in the “Intranet Zone”. For instructions on how to do this see my other post How to use Group Policy to configure Internet Explorer security zone sites.

Thanks to Chris Jackson “The App Compat Guy” for his TechEd 2011 video that had the details for me to write this article at http://channel9.msdn.com/Events/TechEd/NorthAmerica/2011/WCL315

9 reasons to install IE9 on your Servers

Microsoft have just released Internet Explorer 9 to the web, and so Windows users around the world will now truly be able to enjoy the “Beauty of the Web”. While IE9’s hardware acceleration and new uncluttered UI are really enjoyable for consumers, this browser also has a number of new features that make it very compelling to install on your servers. So below I have listed 9 reasons why you should also consider deploying IE9 to the servers in your organisation…

#1 Group Policy – Internet Explorer 9 is still the only browser that has comprehensive Group Policy support, with over 1500 settings. This gives you as an administrator the power to configure the browser on your servers to ensure it is correctly and securely configured.

#2 Memory Security Enhancements – As administrators we sometimes find ourselves having to use the internet on a server, probably to look up an error message or to download some tool we need to install to complete our work. IE8 has ASLR (Address Space Layout Randomization) and DEP/NX (Data Execution Prevention / No eXecute) enabled by default, which provides very good protection for the browser. However, even with these two layers of protection, Stephen Fewer at Pwn2Own 2011 was able to get around this security by using a combination of not 1, not 2 but 3 different vulnerabilities.

But Microsoft then quickly tweeted out that the same attack would not work on IE9 RC. While there are no details as to why the IE9 RC browser was not vulnerable to the same attack, the additional protection of having been compiled with SafeSEH (Safe Structured Exception Handling) would certainly have helped.

“(SafeSEH) helps ensure that structured exception handling cannot be used as an exploit vector”

For more info see http://blogs.msdn.com/b/ie/archive/2011/03/07/internet-explorer-9-security-part-1-enhanced-memory-protections.aspx

#3 Tab Isolation – Tab Isolation or hang recovery is another feature of IE9 that allows you to keep using your browser when a particular web page causes IE to crash. While this is generally just an inconvenience for users on workstations, it can be a life saver if you are on a server, as your browser is now more likely to lose only the work in your current tab rather than the 11 other things you were doing in the browser at the same time.

#4 Simpler UI – Using a browser on a server is a very different experience from using one on a workstation. You really don’t need fancy toolbars in your browser to do your job, and sometimes you have limited screen resolution, as you might be working on the server via a console with only a 1024×768 screen resolution due to not having the proper video card drivers loaded. Therefore the new simpler, cleaner and smaller UI gives you more real estate on screen for your web pages and a lot less clutter getting in the way than any other browser.

Opera Safari Firefox Chrome Internet Explorer UI Compared

However, if you are a fan of the clutter, you can still enable your toolbars and menu bars.

For more info see http://blogs.msdn.com/b/ie/archive/2011/02/15/user-experiences-listen-learn-refine.aspx

#5 ActiveX Filtering – Browser add-ons and ActiveX controls are just a bad idea on servers, whether it is the slow performance due to the bloat of running so many add-on products or the multiple security vulnerabilities that make add-ons the new security attack vector. The new ActiveX Filtering therefore allows you to run ActiveX controls in an opt-in mode, meaning you only run the controls you explicitly trust. This setting is not on by default, but you can enable it using the “Turn on ActiveX Filtering” group policy (see image below and point #1).

Turn on ActiveX Filtering

#6 Web Tracking Protection – Almost all sites on the Internet (this site included) have some sort of embedded web tracking to allow site owners to monitor the activity of their visitors. However, if you are using your browser on a server it is not desirable that your activities are tracked. To help with this problem IE9 has introduced a feature called Web Tracking Protection that allows users to block certain third party web sites. An administrator can therefore subscribe to third party tracking lists, or even create their own, to prevent their browser from contacting any undesirable web sites from the client.

#7 Add On Performance Monitor – I know that in #5 I said that installing browser add-ons on a server is a bad idea, however sometimes this is just a necessary evil. In this case IE9 will monitor your add-on performance and give you a warning when any of them are running slow and then let you selectively disable them (see below).

Choose Add-ons dialog - performance characteristics of add-ons are listed with the choice to disable them.

#8 Automatic Update – It holds true that all web browsers will need updating on a regular basis, as they are the most exposed attack surface on your computer. However, Internet Explorer is the only one that is integrated with Windows Update, allowing you to use the same standard update and reporting process. This means that reporting tools such as WSUS or SCCM can give you a status report showing which computers still have out of date software, and thus make sure all your software is up to date without any slipping through the gate. This helps avoid a scenario that I am sure many IT admins can relate to: logging on to a server only to see a grossly out of date version of Adobe Reader installed because no one ever knew it was installed and had to be updated…

#9 Install Updates without reboot – And saving the best for last, this reason is the BIG ONE!!!! Continuing on from #8, and as I previously mentioned, you no longer need to reboot your server to install updates to your browser (see image below). Gone are the mandatory reboots of the server you have had to endure every month after Patch Tuesday, which will make your life SO MUCH EASIER!!!

Note: You will need to be running Windows 2008 R2 service pack 1 to be able to do this so it is not going to help if you are still running Server 2008 (sorry).

image

As I mentioned before, there are of course many other reasons why IE9 is such a great product for consumers that I have not talked about (hardware acceleration, video tag support, Aero Snap and Pinned sites), however as you can see it is still compelling for your servers as well…

Did I mention no reboots to install updates!!!

Internet Explorer 9 Group Policy Settings

Well, the wait is over and Microsoft today released the final version of Internet Explorer 9 to the web at http://windows.microsoft.com/ie/ . Since the release of the IE9 Release Candidate there have been a few more Group Policy settings added (see Internet Explorer 9 (RC) Group Policy Settings), so below is an updated list of the IE9 Group Policy settings with related screenshots.




Internet Explorer 9 Administrative Templates

Interestingly enough, according to the page TechNet: Group Policy Settings, the “Configure Tracking Protection Lists”, “Go to an intranet site for a single word entry in the Address bar” and “Enable alternative codecs in HTML5 media elements” settings should exist, however they are nowhere to be found…

  • Prevent users from bypassing SmartScreen Filter’s applications reputation warnings about files that are not commonly downloaded from the Internet

image

  • Prevent Deleting Download History

image

  • Disable add-on performance notifications

image

  • Allow Internet Explorer 8 Shutdown Behavior

image




  • Install binaries signed by MD2 and MD4 signing technologies

image

  • Automatically enable newly installed add-ons

image

  • Turn off Managing SmartScreen Filter

image

  • Prevent configuration of search from the Address bar

image

  • Turn on ActiveX filtering

image

  • Enable alternate codecs in HTML5 media elements

image

  • Prevent Deleting ActiveX Filtering and Tracking Protection data

image

  • Tracking Protection threshold

image

  • Turn off Tracking Protection

image

  • Disable Browser Geolocation

image

  • Turn off ability to pin sites

image

  • Show tabs on a separate row

image




Internet Explorer 9 Maintenance Settings

Once you install IE9 on the computer from which you manage your Group Policy, you will also find your IE9 Maintenance settings have been updated to reflect the newer settings.

image

image

image

Note: The “Manage add-ons” button here is currently the only way you can configure “Tracking Protection” lists (see example below). However, you first need to add the list to your browser’s Tracking Protection list before you press the “Manage add-ons” button.

image

image

Updated: Internet Explorer 9 Group Policy Preferences

Currently there is no native (supported) way to use Group Policy Preferences with IE9, however you can easily work around this restriction. See my post at How to enable Group Policy Preferences support for IE9.

For a complete listing of all the IE9 Group Policy settings, where they can be found and how you install them to Active Directory, go to TechNet: Group Policy Settings

Installing IE9 on Windows 7 Service Pack 1 doesn’t require a reboot


Update: Now that I have installed the final version of IE9 on 6 computers, 2 of them needed to reboot, so it would seem that it may or may not require a reboot. This seems to be dependent on what applications you are running at the time. Therefore it would still be prudent to plan for a reboot but not always expect it to happen.

I have just installed IE9 on a Windows 7 and a Windows Server 2008 R2 computer running Service Pack 1, and I was very pleased to see that in both cases it did not require a reboot to install. Previously I have installed IE9 on 3 Windows 7 computers that were not running Service Pack 1, however they all required a reboot to install IE9. Therefore it seems that with Windows 7 / 2008 R2 Service Pack 1 installed it is now possible to install IE9 without a reboot (see images below).

Disclaimer: I have only seen this behaviour on one computer so far but I am testing it on one more really soon. I have now repeated this process on a Windows Server 2008 R2 SP1 and Windows 7 SP1. It looks more likely that this option to install IE9 without a reboot is a new feature of Service Pack 1.

One of the dialogue boxes (see below) on Windows Server 2008 R2 Service Pack 1 during the IE9 install asks if you want the installer to close your running programs to install it without a reboot. So if you select the “Close programs for me (I already save my work)” option, the browser will be installed without a reboot.

( FYI: The screenshots below are from a computer running Windows Server 2008 R2 Service Pack 1 with the Domain Controller role installed and running. )

image

The next screen is the dialogue box during the install of IE9. As you can see, IE8 and the Explorer shell have been closed during the install but the OS has NOT rebooted.

image

After IE9 is installed the Explorer Shell is launched again still without interruption to the OS.

image

This is a huge deal, as it means that updates to the browser will likely be able to be installed without requiring a reboot of the OS. Now this may be a nice-to-have for end users, however it is a much bigger deal for Windows Servers, as IT administrators can now patch what is the most vulnerable part of the server OS (the browser) without any down time. This should hopefully mean that IT administrators will not need to revert to installing “Server Core” versions of the server OS just to ensure that they don’t have to reboot them every Patch Tuesday to keep them secure.

I know this is not specifically a Group Policy topic however this is a really super cool find that I just had to share with everyone…