Friday, March 15, 2013

Turn off IE Enhanced Security with Terminal Servers

So this has little to do with Lync or Exchange, but I just came off a good-sized infrastructure project where I installed multiple Terminal Server farms allowing RDP access to various applications and services. The users also needed to surf the Internet from their profiles. We deployed a pair of Cisco IronPort web security appliances: http://www.cisco.com/web/about/ciscoitatwork/borderless_networks/ironport_web_security_appliance.html
to provide web proxy services with varying degrees of access control for Internet sites. The users' logon credentials are supposed to be passed to the IronPort for SSO, and the AD security group the user belongs to determines the appropriate level of access.

I created a Computer group policy object that added the IronPort URLs to the Trusted Sites list and also pushed the appliance's self-signed certificate into the servers' Trusted Root Certification Authorities store and Trusted Publishers store.

We also turned off IE Enhanced Security Configuration for Administrators.

I tested with an Administrator account: my credentials were passed to the IronPorts and, since in this case I am not a member of any of the access groups, it prompted me for alternate credentials. I figured great, everything is working to specification. I also confirmed that the web URLs were in the Trusted Sites zone, both in IE and in the registry under:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Windows\CurrentVersion\Internet Settings\ZoneMap

But when I tested with a regular user, that user was prompted for credentials by the IronPorts and single sign-on was not working. Internet Explorer also showed that none of the URLs being pushed down by the group policy were in the zones. Gpresult showed the zone assignments were being applied.

Solution: Well, to make a long story short, the zone settings for regular users are stored in a different registry key, one that is blocked when IE Enhanced Security Configuration is enabled for users on Terminal Servers:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Windows\CurrentVersion\Internet Settings\ZoneMap
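To check this on the server itself instead of logging on as a test user, here is an added PowerShell audit script (not from the original post) that lists the zone assignments found under both ZoneMap policy locations named above and reports the IE ESC state for Administrators and Users. It assumes the standard policy path, which includes a \Microsoft\ component the shorthand paths above omit, and it uses the well-known Active Setup component GUIDs that Server Manager toggles for IE ESC.

```powershell
# Added example, not from the original post: audit both ZoneMap policy keys
# (64-bit and Wow6432Node) and the IE ESC state on a Terminal Server.
# Assumption: standard policy path under SOFTWARE\Policies\Microsoft\...;
# a Trusted Sites assignment is a DWORD 2 under ZoneMap\Domains\<host>.

$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'
                3 = 'Internet';    4 = 'Restricted Sites' }

$policyRoots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
)

function Get-PolicyZoneAssignments {
    param([string]$DomainsKey)
    if (-not (Test-Path $DomainsKey)) {
        Write-Warning "Missing: $DomainsKey"   # nothing pushed here, or blocked
        return
    }
    # Each host is a subkey; each protocol (http/https/*) is a DWORD zone value.
    Get-ChildItem $DomainsKey -Recurse | ForEach-Object {
        $item  = $_
        $props = Get-ItemProperty $item.PSPath
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in 'http', 'https', '*', 'file', 'ftp') {
                [pscustomobject]@{
                    Key      = $DomainsKey
                    Host     = $item.PSChildName
                    Protocol = $p.Name
                    Zone     = $zoneNames[[int]$p.Value]
                }
            }
        }
    }
}

# IE ESC state lives in the Active Setup entries Server Manager toggles:
# ...A509B1A7 = Administrators, ...A509B1A8 = Users. IsInstalled 1 = ESC on.
$escKeys = @{
    Administrators = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
    Users          = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
}
foreach ($group in $escKeys.Keys) {
    $state = (Get-ItemProperty $escKeys[$group] -ErrorAction SilentlyContinue).IsInstalled
    "IE ESC for ${group}: " + $(if ($state -eq 1) { 'ENABLED' } else { 'disabled' })
}

foreach ($root in $policyRoots) { Get-PolicyZoneAssignments $root }
```

If the Wow6432Node key is missing or empty while the 64-bit key lists the IronPort hosts, regular users will see exactly the symptom described above; a "Users: ENABLED" line points at the ESC setting to turn off.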

For more info about Terminal Services and IE settings, read: http://support.microsoft.com/kb/815141

There is a section in it called "Internet Explorer Enhanced Security Configuration and Terminal Services", which says the following:

"During the manual Terminal Services installation, you are prompted to disable Internet Explorer Enhanced Security Configuration for users. This allows users to run a Terminal Services session without restrictions.

For a better experience when Terminal Services is enabled, it is a good idea to remove the enhanced security configuration from members of the Users group. These users have fewer permissions on the server, so they present a lower level of risk if they are victims of an attack."

Cheers!
