IEInternals

A look at Internet Explorer from the inside out. @EricLaw left Microsoft in 2012, but was named an IE MVP in '13 & an IE userAgent (http://useragents.ie) in '14

Windows Server as a Workstation

Windows Server as a Workstation

  • Comments 4

Back in the Windows 2003 timeframe, Microsoft had a problem. The security press of the time liked to put out charts showing which operating systems had the most vulnerabilities. Windows 2000 wasn’t looking so hot, owing to the fact that Windows 2000 Server had a full web browser built-in, “out of the box.” Even if a server administrator followed best-practices and never booted the browser, Windows still looked bad in the charts because all browsers, including IE5 and IE6, had an endless stream of security patches.

Windows cobbled together a small task force to address this problem by introducing the Enhanced Security Configuration feature for Internet Explorer when run on Windows Server.

ESC: Enhanced Security Configuration

ESC makes myriad small changes across the browser, but the primary change is that it kicks the security level of the Internet Zone up to High:

image

By setting the Internet Zone to use the High Template, ActiveX and script execution are blocked and a huge number of features are disabled by default. This simple change alone would have been sufficient to make the charts look dramatically better (because virtually all browser exploits require one or more of the disabled features).

To help the user understand that this configuration is enabled, the default homepage is changed to a very wordy explanation:

image

This could be summarized as: “This is a server. Don’t browse from your server. That’s what workstations are for!

However, the notifications don’t stop there. As you browse around, you’ll see many ancient notifications that were long ago hidden by the default security level template, like this prompt from the 1990s that attempted to explain what HTTPS was all about:

image

Any time you visit a website that wants to run script or perform another action that is not permitted due to the changes made by ESC, a prompt is shown:

image

What this prompt really means is: “Hey, we noticed that you’re browsing from your server. We really don’t want you to do that, but we’ll let you. If you’re really really committed to browsing securely from your server, you can load the page in this mode which will probably break it. Or you can manually add this site to the list of sites you trust to run with regular permissions.”

Some … hyper-vigilant  users find these prompts useful and don’t seem to mind them. Some administrators feel they have a genuine need to use a browser on the server itself and they don’t feel they can accomplish their goals by browsing from a workstation.

However, if you’re simply a developer who’s running a Windows Server as a workstation (e.g. your dev box) so you have a full IIS / SQL instance, etc, and you’re not really using it as a production server, it is likely that these prompts will quickly get intensely irritating.

Fortunately, you can very easily instruct the Server to knock it off. From the Local Server tab of the Server Manager, click the link next to the IE Enhanced Security Configuration item:

image

A dialog will launch that allows you to control the ESC feature:

image

Changes take effect the next time Internet Explorer starts.

Note that clicking the “More about Internet Explorer Enhanced Security Configuration” link will launch a browser which prompts you with the ESC “Content Blocked” dialog for 9 different domains (including Facebook and about:blank) before rendering the generic Internet Explorer Help page.

After you disable ESC, the browser’s default homepage will change to a warning to remind you that you’ve done so:

image

The ESC feature has received only minimal attention from the IE development team over the last decade. By default, the recommended “Windows Server Core” configuration doesn’t include a GUI at all, which means that servers that are acting as proper “servers” are in a very secure configuration automatically. Even when you enable the GUI for Server, Windows supports uninstalling the Internet Explorer browser if it isn’t needed.

In my opinion, the ESC feature should probably be yanked out—it’s irritating, unnecessary, and has an ongoing maintenance cost for the IE development team.

For now, however, disabling ESC isn’t the only change you need to make to make your server behave like a workstation.

HTML5 Video

If you’re using a PC running Windows Server 2012 R2, you might find that HTML5 video doesn’t play in Internet Explorer. For instance, when visiting a page like the FishBowl benchmark, it might stop loading at the “Initializing” stage, with the F12 Developer Tools’ Console tab showing an inscrutable error:

SCRIPT65535: Unexpected call to method or property access.

The problem is that, by default, Windows Server does not include the HTML5 video codecs, and thus they’re not available to Internet Explorer. To resolve this, simply boot a Windows PowerShell command prompt (e.g. by clicking the icon in the task bar):

image

and then enter the following two commands:

Import-Module ServerManager

Install-WindowsFeature Desktop-Experience

A reboot is required for the installation to complete.

 

-Eric Lawrence
MVP - Internet Explorer

  • Note that I think enabling Desktop Experience enables a bunch of other stuff as well

    [EricLaw] That is correct.

  • One thing they never added that would be useful is a documented and supported command line for enabling or disabling ESC so that you can script it in an automated build.  There's one that involves rundll32, but that's obviously not documented/supported.

    [EricLaw] It probably wasn't supposed to be documented, but a quick search turns up http://blogs.msdn.com/b/askie/archive/2009/06/23/how-to-disable-ie-enhanced-security-on-windows-2003-server-silently.aspx

  • I've had a load of "fun" recently trying to get HTML5 video working in IE11 on a Server 2012 R2 Remote Desktop Session Host (which is another example of when you'd be using Windows Server as,  effectively, a workstation). My solution: rcmtech.wordpress.com/.../no-html5-video-in-ie11-on-rdsh-2012-r2

    It'd be really nice if IE F12 stuff could tell you why something isn't working in a more meaningful way e.g. if you don't have Desktop Experience installed and are trying to do HTML5 video, say "HTML5 video can't be played because the codec is missing, if running Windows Server you need to add the Desktop Experience feature".

    [EricLaw] Yes, that was kinda the point of this post.

    In my case, having that installed but HTML5 still not working, perhaps it could say "Can't play HTML5 video because IE ESC configuration is enabled" and/or "You need to change the following IE settings to get this JavaScript code to work: xxxxxxx".

    [EricLaw] Given the dozens of settings which impact JavaScript execution, that would be a non-trivial undertaking in general.

    I still don't really understand why IE is embedded into the OS anyway [...] it should just be another feature that can be added or removed as you please (and thus not present by default on servers [...]

    [EricLaw] I'm not exactly sure what you're asking. IE is not present in a default installation of Server (Core) and it can be removed from Windows using the Add/Remove Components control panel.

  • Eric - You said in your last reply RobinCM "IE is not present in a default installation of Server (Core) and it can be removed from Windows using the Add/Remove Components control panel." On my Server 2012 R2 Standard intallation, I don't see that option. Can IE 11 be removed?

    [EricLaw] I've asked the Windows team why this option isn't appearing there; it should be. For now, from an Administrative command prompt, run this command:

    dism /online /Disable-Feature /FeatureName:Internet-Explorer-Optional-amd64

    ...and reboot to disable IE. To reenable it, run:

    dism /online /Enable-Feature /FeatureName:Internet-Explorer-Optional-amd64

    ...and reboot.

Page 1 of 1 (4 items)
Leave a Comment
  • Please add 1 and 3 and type the answer here:
  • Post