Group Policy Central

Posts tagged ‘mitigation’

How to use Group Policy to mitigate security issue KB981374

There is currently a security advisory out about a zero-day vulnerability in Internet Explorer 6 & 7 on Windows XP and Vista. While there is no patch out for this issue so far, you can mitigate it in a number of ways using Group Policy. Below I have listed two ways to implement the workarounds listed by Microsoft using Group Policy.

Method 1. Modify the Access Control List (ACL) on iepeers.dll

Step 1. Edit a Group Policy Object (GPO) that is targeted to the computer accounts to which you want to apply this setting. Then navigate to Computer Configuration > Windows Settings > Security Settings > File System.


Step 2. Click on “Action” in the menu and then “Add File…”


Step 3. Type “%WINDIR%\System32\iepeers.DLL” into the Folder: field then click “OK”


Step 4. Click “Add” and then add the “Everyone” group and click “OK”


Step 5. Tick the Full Control “Deny” tick box. This will then tick all the Deny tick boxes.


Step 6. Click “Yes” to the Deny warning.


Step 7. Click “OK” to the permissions option.


Note: If you want to apply this to x64 versions of Windows as well, repeat steps 2 through 7 but type “%WINDIR%\SYSWOW64\iepeers.DLL” instead in the Folder: field.


You have now denied permissions to the file that has the issue.


Once you have applied the patch to fix this vulnerability, be sure to go into each of the file security settings and remove the “Everyone” deny permission from the setting.
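
To confirm on a client that Method 1 actually took effect (and, after patching, that the deny entry is gone), the following PowerShell check can be run locally. It is an added example, not part of the original post; the function names Test-FileReadable and Get-EveryoneDeny are made up for this illustration.

```powershell
# Added example, not from the original post. On x64 Windows run it from a
# 64-bit PowerShell session so System32 is not redirected to SysWOW64.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'  # well-known SID: Everyone

function Test-FileReadable {
    param([string]$Path)
    try {
        # Opening for read is what fails once "Everyone: Deny" is applied.
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
        $fs.Close()
        'Readable'
    }
    catch {
        $e = $_.Exception.GetBaseException()
        if ($e -is [System.UnauthorizedAccessException]) { 'Denied' }
        elseif ($e -is [System.IO.FileNotFoundException] -or
                $e -is [System.IO.DirectoryNotFoundException]) { 'NotPresent' }
        else { "Error: $($e.Message)" }
    }
}

function Get-EveryoneDeny {
    param([string]$Path)
    try {
        $acl = Get-Acl -Path $Path -ErrorAction Stop
        # Translate ACEs to SIDs so the match also works on localized Windows.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        $hits = @($rules | Where-Object {
            $_.IdentityReference -eq $everyone -and $_.AccessControlType -eq 'Deny' })
        if ($hits.Count -gt 0) { 'Present' } else { 'Absent' }
    }
    catch {
        # Deny Full Control also denies "Read permissions", so anyone who is
        # not the file owner cannot read the ACL while the workaround is on.
        'AclUnreadable'
    }
}

foreach ($dir in 'System32', 'SysWOW64') {
    $path = Join-Path $env:WINDIR "$dir\iepeers.dll"
    $access = Test-FileReadable $path
    if ($access -eq 'NotPresent') { continue }   # e.g. no SysWOW64 on x86
    New-Object PSObject -Property @{
        Path         = $path
        Access       = $access
        EveryoneDeny = (Get-EveryoneDeny $path)
    }
}
```

While the workaround is in place Access should read Denied; once the patch is installed and the deny entry has been removed, it should read Readable with EveryoneDeny reported as Absent.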

Method 2: Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone

 

Step 1. Edit a GPO that is targeted to the user accounts to which you want to apply this security setting. Then enable the “Allow active scripting” setting under both User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Security Page > Internet Zone and the Intranet Zone. Then configure the option to either “Prompt” or “Disable”.


Once you have performed the above configuration changes, be sure to add *.windowsupdate.microsoft.com, *.update.microsoft.com and any other sites on which you require Active Scripting to run to the Trusted Sites zone list. Instructions on how to do this can be found in “How to use Group Policy to configure Internet Explorer security zone sites”.

Disclaimer: I do not guarantee that this information will work. All the above information is to be used at your own risk.

For more details on the security vulnerability and other ways to mitigate this issue see Microsoft Security Advisory (981374)

How to mitigate KB979352 (a.k.a. “Google China”) security vulnerability using Group Policy

Microsoft have been getting a lot of press (here, here and here) about security vulnerability KB979352 in Internet Explorer, which was used by Chinese hackers to breach Google’s security and gain access to anti-China protesters’ email accounts and other private data. As a result Microsoft have now released a security advisory for IT professionals listing multiple ways to mitigate this security issue before they release a patch (which they are rushing to get out).

One of the ways listed to mitigate this issue on IE6 (other than not running IE6) is to configure Active Scripting to either be disabled or set to prompt. Now it is pretty easy for one user to change this setting manually, but for a large organisation (like Google) performing this workaround on many thousands of computers would be very time consuming.

So to make this change in Group Policy, open the Group Policy Object (GPO) that is targeted on your user accounts and navigate to User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page, and then under both “Local Intranet” and “Internet” configure the “Allow Active Scripting” option to “Disable” or “Prompt”.

Now if you do configure this option it is likely that some legitimate sites, both local and on the Internet, may break, so to work around that issue you can explicitly add them to the “Trusted Sites” zone. To do this, again open the Users GPO and navigate to User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page, then open the “Site to Zone Assignment List” setting, click “Enabled” and then click the “Show” button.


Then type the full URL in the “Value Name” field and a “2” in the “Value” field for each site you want to run the Active Scripts.


Now according to Microsoft your browser should be configured to mitigate this security vulnerability.
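
The Active Scripting setting described in both posts on this page (Method 2 above and the steps in this one) can be verified on a client by reading the per-user policy values that these Group Policy settings write. This is an added example, not part of the original posts; the registry locations and the meaning of value 1400 (0 = Enable, 1 = Prompt, 3 = Disable) are not stated on the page and are supplied here, and the function names are made up for this illustration.

```powershell
# Added example, not from the original posts. Run as the targeted user after
# a Group Policy refresh. Registry paths below are supplied by this example.
$base    = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$zones   = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveScriptingPolicy {
    foreach ($id in 1, 3) {
        $key  = Join-Path $base "Zones\$id"
        # 1400 is the URL action for "Allow active scripting".
        $item = Get-ItemProperty -Path $key -Name '1400' -ErrorAction SilentlyContinue
        $state = 'Not configured'
        if ($item) {
            $v = [int]$item.'1400'
            $state = if ($meaning.ContainsKey($v)) { $meaning[$v] } else { "Unknown ($v)" }
        }
        New-Object PSObject -Property @{
            Zone      = $zones[$id]
            Setting   = $state
            Mitigated = ($state -eq 'Prompt' -or $state -eq 'Disable')
        }
    }
}

function Get-TrustedSiteAssignments {
    # "Site to Zone Assignment List" entries: value name = site, data = zone.
    $k = Get-Item -Path (Join-Path $base 'ZoneMapKey') -ErrorAction SilentlyContinue
    if (-not $k) { return }
    $k.GetValueNames() | Where-Object { "$($k.GetValue($_))" -eq '2' }   # 2 = Trusted sites
}

Get-ActiveScriptingPolicy | Format-Table Zone, Setting, Mitigated -AutoSize

# The update sites the first post says to add to Trusted Sites.
$trusted = @(Get-TrustedSiteAssignments)
foreach ($site in '*.windowsupdate.microsoft.com', '*.update.microsoft.com') {
    if ($trusted -notcontains $site) {
        Write-Warning "$site is not assigned to Trusted Sites; it may break with scripting restricted."
    }
}
```

A zone reported as “Not configured” or “Enable” means the policy has not reached that user and Active Scripting is still unrestricted there.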

For more information about the security vulnerability see the Microsoft Advisory at http://www.microsoft.com/technet/security/advisory/979352.mspx.

Disclaimer: I do not accept any liability whatsoever for the information in this article. Please use this information at your own risk.