AsiaTech: Microsoft APGC Internet Developer Support Team

We focus on troubleshooting plans and solutions for the IIS web platform and distributed applications

Case Study -- IE 11 cannot be opened if the home page is set to an FQDN web site after the Windows Firewall service has been disabled.


Symptom

=================

Customers find that IE 11 cannot be opened in either desktop mode or Metro (immersive) mode if the home page is an Internet-zone web site with a dotted hostname (e.g. www.bing.com) and Protected Mode is enabled.

The behaviour is that IE flashes and closes immediately; no IE window appears. If the home page is an intranet web site, IE (both immersive and desktop) launches normally.

They confirmed that the IE11 Advanced tab settings are at their default values, but a policy disables the "Windows Firewall" service.

With the home page set to an Internet web site and Protected Mode ENABLED, only desktop IE launches successfully (immersive mode still fails) once "Enhanced Protected Mode" is DISABLED.

With the home page set to an Internet web site and Protected Mode DISABLED, both desktop IE and immersive IE launch successfully, whether "Enhanced Protected Mode" is enabled or disabled.

Root Cause Analysis

=================

Local tests and research on the IE side:

1) In the test environment, create a new account on a Windows 8.1 client with IE11.

2) Disable the Windows Firewall service on that client.

3) Set the IE home page to www.bing.com and log on to the VM with the new account.

4) Open IE and confirm that it works.

5) Double-check that the Windows Firewall service is not running.

6) Enable "Enhanced Protected Mode" on the Advanced tab of the Internet Options window; the issue reproduces.

7) Set the home page to a non-dotted hostname (e.g. http://test); IE works fine.

8) Set www.bing.com as the home page again and add it to "Trusted Sites". Close all IE windows and open a new one; www.bing.com opens fine.

The issue occurs when all of the following conditions are present at the same time:

1) The Windows Firewall service is disabled.

2) "Enhanced Protected Mode" on the IE Advanced tab is enabled.

3) The home page is a web site with an FQDN (dotted name, e.g. www.bing.com) that falls into the "Internet" zone, and "Protected Mode" is enabled for that zone.

Workarounds

=================

1) Keep the dotted hostname as the home page and add that address to the "Trusted Sites" zone. This is the top recommendation because it does not require changing system settings. Note that navigation to Trusted Sites happens outside Protected Mode, so add only the specific home page host, not a broad pattern.

2) Use a non-dotted hostname as the home page.

3) Enable the Windows Firewall service.

4) Disable "Enhanced Protected Mode" through Group Policy. This turns EPM off for every site, removing the AppContainer isolation from desktop IE, so prefer option 1 where it is possible.

5) Install KB2907803 (http://support.microsoft.com/kb/2907803/en-us), which disables "Enhanced Protected Mode" by default in IE11, or install the Cumulative Security Update for Internet Explorer KB2888505 (http://support.microsoft.com/kb/2888505/) or a later update; KB2888505 is the first update that includes KB2907803.
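The following PowerShell script is an added example, not part of the original post: it checks a Windows 8.1 / IE11 client for the three conditions listed under Root Cause Analysis and, when all of them are present, applies workaround 1 by adding the home page host to the Trusted Sites zone for the current user. It assumes the standard per-user IE11 registry locations (the "Isolation" value of PMEM/PMIL for EPM, zone value 2500 for Protected Mode, and ZoneMap\Domains entries with a scheme value of 2 for Trusted Sites), the Windows Firewall service name MpsSvc, and that the "Use only machine settings" zone policy is not in effect. Run it as the affected user, not from an elevated prompt for a different account.

```powershell
# Added example (not the original post's code): diagnose the EPM + firewall + dotted home page
# condition and apply the Trusted Sites workaround for the current user.

$ieMain   = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$iePolicy = 'HKLM:\Software\Policies\Microsoft\Internet Explorer\Main'
$zoneMap  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$zones    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

function Get-RegValue($Path, $Name) {
    # Return $null when the key or value is missing instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Split-ZoneMapHost($HostName) {
    # ZoneMap stores www.bing.com as Domains\bing.com\www. Splitting on the last two
    # labels is a simplification (assumption): hosts under multi-label suffixes such as
    # example.co.uk would need the registrable domain instead.
    $parts  = $HostName.Split('.')
    $domain = ($parts[-2..-1] -join '.')
    $key    = "$zoneMap\$domain"
    if ($parts.Count -gt 2) { $key = "$key\" + ($parts[0..($parts.Count - 3)] -join '.') }
    return $key
}

function Test-TrustedSite($HostName, $Scheme) {
    # Trusted Sites = zone 2. The value name is the scheme ("http", "https") or "*".
    $key = Split-ZoneMapHost $HostName
    foreach ($name in $Scheme, '*') {
        if ((Get-RegValue $key $name) -eq 2) { return $true }
    }
    return $false
}

# Condition 1: Windows Firewall service (MpsSvc) is not running.
$firewallDown = ((Get-Service -Name MpsSvc).Status -ne 'Running')

# Condition 2: Enhanced Protected Mode is on. "Isolation" is PMEM (enabled) or PMIL (disabled);
# a policy value under HKLM\...\Policies takes precedence over the per-user value.
$isolation = Get-RegValue $iePolicy 'Isolation'
if (-not $isolation) { $isolation = Get-RegValue $ieMain 'Isolation' }
$epmOn = ($isolation -eq 'PMEM')

# Condition 3: dotted home page host in the Internet zone (zone 3) with Protected Mode on
# (zone value 2500: 0 = enabled, 3 = disabled).
$startPage = Get-RegValue $ieMain 'Start Page'
if (-not $startPage) { Write-Warning 'No Start Page value found for this user.'; return }
$homeUri    = [uri]$startPage
$homeHost   = $homeUri.Host
$dotted     = ($homeHost -match '\.')
$pmInternet = ((Get-RegValue "$zones\3" '2500') -eq 0)
$trusted    = $dotted -and (Test-TrustedSite $homeHost $homeUri.Scheme)

"Firewall service running  : $(-not $firewallDown)"
"Enhanced Protected Mode   : $epmOn"
"Home page                 : $startPage (dotted host: $dotted, already trusted: $trusted)"
"Protected Mode (Internet) : $pmInternet"

if ($firewallDown -and $epmOn -and $dotted -and $pmInternet -and -not $trusted) {
    Write-Warning 'All three conditions from the case study are present; IE11 is expected to exit at launch.'

    # Workaround 1: add only this host (not a wildcard) to Trusted Sites. Navigations to
    # Trusted Sites run outside Protected Mode, so the AppContainer restriction no longer applies.
    $key = Split-ZoneMapHost $homeHost
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name $homeUri.Scheme -PropertyType DWord -Value 2 -Force | Out-Null
    "Added $homeHost ($($homeUri.Scheme)) to Trusted Sites; close all IE windows and relaunch."
}
```

If the preferred fix is instead to restore the firewall (workaround 3), `Set-Service MpsSvc -StartupType Automatic; Start-Service MpsSvc` from an elevated prompt is the equivalent step; if the service is disabled by policy, the policy itself has to change, and the script above only reports that condition rather than overriding it.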

References

=================

Here are references about EPM (introduced in IE10) and the key points about the interaction between EPM and the Windows Firewall.

Enhanced Protected Mode (EPM)

1) Enhanced Protected Mode on desktop IE:

http://msdn.microsoft.com/en-us/library/ie/dn265025(v=vs.85).aspx

2) Enhanced protected mode (EPM) may be enabled on the desktop:

http://msdn.microsoft.com/en-us/library/ie/dn384053(v=vs.85).aspx

3) Understanding Enhanced Protected Mode:

http://blogs.msdn.com/b/ieinternals/archive/2012/03/23/understanding-ie10-enhanced-protected-mode-network-security-addons-cookies-metro-desktop.aspx

Acting as a Network Server is Blocked

Because EPM’s AppContainer does not have the internetClientServer capability, there’s no way for an EPM process to accept inbound connection attempts from the network. Typically, such connections weren’t possible in the Web Platform anyway (e.g. there's no JavaScript method to listen() on a new TCP/IP socket), but some browser add-ons had the capability of allowing inbound connections (even though this became pretty uncommon with the broadscale deployment of firewalls). When EPM is enabled, such add-ons will not be able to accept remote connections.

For instance, many of us have a home router with a configuration UI accessible at http://192.168.1.1 or a similar address that is not globally-routable. On one hand, it’s desirable to prevent Internet content from sending requests to such addresses to help block CSRF-attacks that might maliciously reconfigure poorly-secured routers. However, for historical and other reasons, Security Zones consider this dotted hostname to be an Internet-Zone address by default, which means that if you attempt to navigate to the Router configuration page in Metro-style IE, you may encounter a Page Cannot Be Displayed error page. If you enable EPM in the Desktop mode of the browser, you can use the F12 Developer tools to see why the request was blocked:

[Screenshot: F12 Developer Tools output for the blocked request]

Note: The next update to IE10 will use a more specific error message here; this string was designed for developers of Metro-style applications, not for folks debugging in EPM in IE.

To resolve this issue, you can either use a non-dotted hostname for your router (e.g. my DNS points http://router to 192.168.1.1) or you can manually add the router’s address to your Trusted Sites zone using the Tools > Internet Options > Security | Trusted | Sites... list. When navigating to Trusted Sites, the navigation occurs outside of Protected Mode, so AppContainer restrictions are not a problem.

4) An update is available that disables Enhanced Protected Mode by default in Internet Explorer 11:

http://support.microsoft.com/kb/2907803/en-us

Update information

To obtain this update, install the most recent cumulative security update for Internet Explorer. To do this, go to Microsoft Update.
For technical information about the most recent cumulative security update for Internet Explorer, go to the following Microsoft website:

http://www.microsoft.com/technet/security/current.aspx

Note: This update was first included in security update 2888505. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

2888505 http://support.microsoft.com/kb/2888505/

MS13-088: Cumulative Security Update for Internet Explorer: November 12, 2013

 

Regards,

Xiaoman Wang from GBSD DSI Team
