19 January, 2013

Managing Internet Explorer Add-Ons for All Users



I guess we all heard about the Java security breach. I don't know about you but I've heard about it and decided to take action like a good IT Professional. :)  We decided to deactivate the Java add-on on our Terminal Server which is running Windows Server 2008 R2. I realized that if I turn off the add-on manually from the Internet Explorer settings, the action is only takes effect only for the user account that your are logged in. But, what do you do for a Terminal server or on system that multiple user is using? I've found the answer on Microsoft TechNet forums and I wanted to share it with you guys because the answer wasn't easy to find at all.

First, here is the forum thread that I'm talking about;

http://social.technet.microsoft.com/Forums/en-US/winserverTS/thread/fe5b7fb6-bbda-42ac-87d2-a64f57f5d6a0

Here is the original article from Microsoft (even though it says Windows XP in the article, this applies to Windows 7 & Server 2008 R2 systems as well;

http://support.microsoft.com/kb/883256

Personally, I've configured these settings trrough GPO by setting up these 2 settings;

 - Computer Configuration, Administrative Templates, Windows Components, Internet Explorer, Security Features, Add-On Management
          * Deny All add-ons unless specifically allowed in the Add-On List = Enabled
          * Add-On List = Enabled

Optionally you might want to activate some of the add-ons. In this case, you will need to find out what is the CLSID (.....)
To find out what is your add-ons CLSID value for internet explorer, follow these steps;
 1 - Open Internet Explorer
 2 - Under Tools, click on "Manage Add-Ons"
 3 - Under "Toolbars and Extensions" on the right pane, right click on one of the add-ons in the list and go to "Columns" and make sure that the "Class ID" is checked. When this setting is checked you will see that the CLSID is shown along with all add-ons.
 4 - Use the CLSID value of the add-on that you want to enable in the "Add-On List"  GPO.

With all these settings in place, you will have the control of what is enabled and used in Internet Explorer by your users. You don't need to worry about Java or any other add-on security breaches.

Never forget to keep it up-to-date :)

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.