Tag: cybersecurity

Disable IE Enhanced Security Configuration in Windows Server via script

by Samuel Mitchell, posted in Azure, Hyper-V, Security, VMware, windows, Windows server

I have always want to use a script to disable Internet Explorer Enhanced Security Configuration (IE ESC) in Windows Server. It is an annoying activity when it is required to perform tasked using the IE in older versions of windows servers.

It is important to note that IE ESC is very important to the security of legacy servers from common past vulnerabilities which is not a risk in current versions of server OS.

This activity must be taken with precaution and on servers with access restriction to the Internet. It is encouraged that IT professional implement all measures to secure the legacy application running on these servers that must be maintained in an segmented or isolated environment. It is the responsibility of the IT professional to use a secure alternative browser after this activity has been performed.

Now here is a batch script to the rescue taken from this Microsoft FAQ that can be runned on all your servers. Save the script in a batch file and run it from the command line.

The script must run as an administrator or a logon script to work since it is making changes to the registry.

Note: The script was created for Windows Server 2003 and 2008. However, it will work for other versions such as Windows Server 2019.

ECHO OFF
REM  IEHarden Removal Project
REM  HasVersionInfo: Yes
REM  Author: Axelr
REM  Productname: Remove IE Enhanced Security
REM  Comments: Helps remove the IE Enhanced Security Component of Windows 2003 and 2008(including R2)
REM  IEHarden Removal Project End
ECHO ON
::Related Article
::933991 Standard users cannot turn off the Internet Explorer Enhanced Security feature on a Windows Server 2003-based terminal server
::http://support.microsoft.com/default.aspx?scid=kb;EN-US;933991
:: Rem out if you like to Backup the registry keys
::REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" "%TEMP%.HKEY_LOCAL_MACHINE.SOFTWARE.Microsoft.Active Setup.Installed Components.A509B1A7-37EF-4b3f-8CFC-4F3A74704073.reg"
::REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" "%TEMP%.HKEY_LOCAL_MACHINE.SOFTWARE.Microsoft.Active Setup.Installed Components.A509B1A8-37EF-4b3f-8CFC-4F3A74704073.reg"
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" /v "IsInstalled" /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" /v "IsInstalled" /t REG_DWORD /d 0 /f
::x64
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432node\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" /v "IsInstalled" /t REG_DWORD /d 0 /f
::Disables IE Harden for user if set to 1 which is enabled
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /t REG_DWORD /d 0 /f
REG ADD "HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /t REG_DWORD /d 0 /f
::Removing line below as it is not needed for Windows 2003 scenarios. You may need to enable it for Windows 2008 scenarios
::Rundll32 iesetup.dll,IEHardenLMSettings
Rundll32 iesetup.dll,IEHardenUser
Rundll32 iesetup.dll,IEHardenAdmin
Rundll32 iesetup.dll,IEHardenMachineNow
::This apply to Windows 2003 Servers
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" /v "iehardenadmin" /f /va
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" /v "iehardenuser" /f /va
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" /v "iehardenadmin" /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" /v "iehardenuser" /t REG_DWORD /d 0 /f
::REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" /f /va
::REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" /f /va
:: Optional to remove warning on first IE Run and set home page to blank. remove the :: from lines below
:: 32-bit HKCU Keys
REG DELETE "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "First Home Page" /f
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "Default_Page_URL" /t REG_SZ /d "about:blank" /f
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_SZ /d "about:blank" /f
:: This will disable a warning the user may get regarding Protected Mode being disable for intranet, which is the default.
:: See article http://social.technet.microsoft.com/Forums/lv-LV/winserverTS/thread/34719084-5bdb-4590-9ebf-e190e8784ec7
:: Intranet Protected mode is disable. Warning should not appear and this key will disable the warning
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "NoProtectedModeBanner" /t REG_DWORD /d 1 /f
:: Removing Terminal Server Shadowing x86 32bit
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /f
:: Removing Terminal Server Shadowing Wow6432Node
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /f

The script may display errors for some commands depending on the versions of Windows servers due the registry keys not used in that versions.

Most importantly, ensure to verify the settings changed for the Internet Explorer ESC.

Almost caught by Spam

by Samuel Mitchell, posted in Exchange, Security, Uncategorized

I had receive the following spam email which seems to come from Paypal:

Spam_email_paypalMarch132018_edit

At first glance, it looks very legitimate but after close inspection, it was discovered to be a spam. This provides the opportunity to highlight some indications that the email received is a spam and how to mitigate against it.

  • Check the email address that it is coming from. Not the one that is displayed at first glance but when it is opened, the email address that is between these symbols <>. In the example above, it says it is coming from service@paypal-int.co.uk. (Paypal correct address is service@intl.paypal.com).

 

  • Check where the link that you are asked to click on is point to by just hovering the mouse pointer over the hyperlink and look at the bottom of the browser. The spam email said the following:

    If you did not initiate this payment, we recommend that you go to Manage/Cancel Payment

    The Manage/Cancel payment was pointing to an unknown URL and not to the Paypal website so you know that it is a malicious website it is asking you to click on.

 

  • Usually the greeting will include the email address it is sent to. In this case, I was address by my email address (*****@gmail.com) and not by my full name which the Paypal will have on record.

Now for those who are unsure if this event actually happened that the email is stating. Verify the transaction by logging on directly to your website or portal (not using the email links) in my case Paypal.com and check if any such event has occurred.

I hope this is helpful and don’t be fooled by well crafted spam emails.

Keep safe…Keep secure

Simple Computer Security Tips

by Samuel Mitchell, posted in Security

As a computer user, we sometimes take for granted the numerous threats that are out on the internet that can steal and even take over our computers without our permission. It is important that we are aware of the threats that can affects us by just browsing the internet.

I would like to share a few simple tips that will help any person to protect themselves from the various treats on the internet.

  1. Install an Anti-virus software on your computer – this is one of the most important task that any person can do to protect their computer from viruses or malware that can cause our computer to behave abnormal or render it unusable. There are a few paid anti-virus software I can recommend such as Norton Security, Kaspersky Anivirus, ESET Security and McAfee Antivirus. If you dont want to spend money on this then there are also good free antivirus software such as Avast, AVG and Microsoft Security Essential.
  2. Remove the admin privileges from your default user account – This is a very important task because a lot of persons don’t realize that when you have administrator right on your user account that you use daily any changes can be made to the compute without restriction. It is not good because if your computer does get infected then the malicious software can make unwanted changes and you will not have control over it. I recommend that you create a different account with admin rights, then change the user account you use daily to a standard user. See instructions here on how to do this on Windows 10.
  3. Ensure that windows firewall is enabled – This is especially important for person who connect to any and every open WiFi that comes there way. Having the firewall enabled can reduce the likelihood of a unauthorized person from connecting or access your computer from these free open networks. for steps on how to check or enable to windows firewall on your computer, go here. Note: that the latest windows come with the Windows firewall turned on by default.
  4. Backup documents to a secure cloud space – This tip might seem trivial but it is one of the most important task to do. This task does not only protect you from hackers wiping out your data but also protects the important information from devices fail or a computer crash. To accomplish this task you can use one of the free large cloud space such as Google Drive and OneDrive. Note that they also have a desktop sync tool that allows you to sync local folders to the cloud once you are connected to the internet.
  5. Don’t visit any websites that are labelled as unsecure or unsafe – Whether browsing the internet or searching for information to assist in doing a task, we will sometimes get a message from our browser warning us that this site is unsecure. It is best that we don’t continue unless we are absolutely sure that it is legitimate or safe. Current reputable browser such as Google Chrome, Internet Explorer (or Edge) or Firefox has built in Certification Authority that checks a website’s certificate for its authenticity. This is important because we can be visiting a website that is developed by a hacker to get access to our computer or retrieve information from it.

These are the tips in a nutshell but if there are any more, I will update this list. I just want remind you to keep safe and do as much as you can to protect your personal data.