Restrict old Internet Explorer Versions


Hello everyone. Today I'm going to show you how to use AppLocker to block old versions of Internet Explorer from running. The requirement I had to fulfill was to make sure that Internet Explorer versions below 9 cannot run. Here is how you can do this:

Open up your Group Policy Management Editor.

Now go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> System Services and look for the service Application Identity. AppLocker needs this service to identify applications; if it is not running, your Allow and Deny rules will not be applied.

Select Automatic to start this service automatically when the system is started.

Next go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Application Control Policies -> AppLocker -> Executable Rules.

Now click on Create New Rule…

This will open a wizard. First choose Deny and leave Everyone in the text box (because we want to deny everyone the right to start old Internet Explorer versions).

Next choose Publisher.

Now click on Browse… and go to C:\Program Files\Internet Explorer and choose iexplore.exe. (By the way: you can also go to C:\Program Files (x86)\Internet Explorer and choose iexplore.exe. It does not matter. The rule we are defining will block the 32-bit version as well as the 64-bit version from running.)

Next check Use custom values, go to File version, enter 9.0.0.0 into the text box and choose And below.

On the next page you can add Exceptions if you need any. We will add none and simply click on Next.

Now you can enter a Name and a Description for your Rule.

Now your Rule is finished. If you are asked whether you want to create the Default rules, click on Yes.

If a user with an Internet Explorer version below 9 tries to start it, he/she will receive the following error message:

[Screenshot: error message]

A user with a higher Internet Explorer version will see no difference at all as you can see:

[Screenshot: Internet Explorer 10 working]
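
To confirm on a client that the rule built in the steps above is actually in effect, the following added example (not part of the original post) checks the Application Identity service and asks AppLocker for its decision on each installed iexplore.exe. It assumes an elevated PowerShell session on a machine where the GPO has already applied and where the Default rules were created as described; the variable names are illustrative.

```powershell
# Added example: run in an elevated PowerShell session after the GPO has applied.
Import-Module AppLocker

# The post's cut-off: file version 9.0.0.0 "And below" is denied.
$threshold = [version]'9.0.0.0'

# AppLocker rules are only applied while the Application Identity service runs.
$svc = Get-Service -Name AppIDSvc
if ($svc.Status -ne 'Running') {
    Write-Warning "Application Identity service is $($svc.Status); AppLocker rules are not being applied."
}

# Check both the 64-bit and the 32-bit copy of iexplore.exe, where present.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$paths = $roots |
    ForEach-Object { Join-Path $_ 'Internet Explorer\iexplore.exe' } |
    Where-Object { Test-Path $_ } |
    Select-Object -Unique

# Effective policy = local policy merged with everything delivered by Group Policy.
$policy = Get-AppLockerPolicy -Effective

foreach ($path in $paths) {
    $vi      = (Get-Item $path).VersionInfo
    $version = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                              $vi.FileBuildPart, $vi.FilePrivatePart)

    # 'Allowed' for newer versions assumes the Default rules exist (they allow Program Files).
    $expected = if ($version -le $threshold) { 'Denied' } else { 'Allowed' }

    # Ask AppLocker what it would decide for this file when started by Everyone.
    $result = Test-AppLockerPolicy -PolicyObject $policy -Path $path -User Everyone

    New-Object PSObject -Property @{
        Path         = $path
        FileVersion  = $version
        Expected     = $expected
        Decision     = $result.PolicyDecision
        MatchingRule = $result.MatchingRule
        Publisher    = (Get-AppLockerFileInformation -Path $path).Publisher
    } | Select-Object Path, FileVersion, Expected, Decision, MatchingRule, Publisher
}
```

A Decision that differs from Expected, or a MatchingRule that is not your Deny rule on an old binary, means the policy has not reached the client or the publisher fields in the rule do not match the file shown in the Publisher column.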

 

Well, that's it. Pretty simple, right? This way you can prevent security issues caused by old Internet Explorer versions. I hope my post was useful for you. See you next time.

Sources:

http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/Securing-Application-Execution-Microsoft-AppLocker.html

http://www.kodyaz.com/articles/windows-7-applocker-tool-step-by-step.aspx

http://www.grouppolicy.biz/2010/04/how-to-configure-applocker-group-policy-in-windows-7-to-block-third-party-browsers/

http://esihere.wordpress.com/2011/06/18/step-by-step-guide-on-configuring-applocker-in-the-domain/

http://4sysops.com/archives/applocker-tutorial-part-4-deployment/
