Summary: Microsoft Scripting Guy, Ed Wilson, talks about using Desired State Configuration to configure Internet Explorer on servers.
Microsoft Scripting Guy, Ed Wilson, is here. This morning I decided to use my single-cup tea infuser to make a cup of Orange Cream tea using some leaves I brought back from Germany. I then decided to add a lemon slice to the cup. I should have known better. I won’t say I ruined my cup of tea—OK, I will say that. But I still drank it because I hate to waste a nice cup of tea, and I especially don’t want to waste the leaves that I cannot find here in Charlotte.
Speaking of things I don’t like to, or don’t want to do again…
I personally do not like having a web browser on a server. Of all the potential security risks, this one is a biggie. This is why I love the Enhanced Security Configuration in Internet Explorer. As far as I know, it means that Internet Explorer doesn’t work—at least not very well. I cannot even surf over to TechNet or to the Script Center Repository with this thing turned on. Cool.
Of course (in my humble opinion), the best configuration for servers is Server Core mode, and then use Windows PowerShell to do everything. This is where Windows PowerShell comes to the rescue if I have servers with the GUI still installed.
I can ensure that at least Internet Explorer is running with Enhanced Security Configuration. By default, when I finish installing my Windows Server software (beginning with Windows Server 2008), Enhanced Security Configuration is set for Internet Explorer. This means that if it is turned off, someone (with Administrator rights) has turned it off. I can confirm this by looking in Server Manager. This is shown here:
Create and apply the configuration
The first thing I do is create a configuration. I specify the name, and I import the xIEEsc resource from the xSystemSecurity module, which is part of the Desired State Configuration (DSC) Resource Kit. I then specify my servers and the node as shown here:
Configuration EnableIEEsc
{
    Import-DSCResource -Module xSystemSecurity -Name xIEEsc
    $server = @('s1','s2')
    Node $server
    {
Next I use xIEEsc to enable the Enhanced Security Configuration. I want to do this for Administrators and for normal users, so I actually have to specify the call twice. This is shown here:
        xIEEsc EnableIEEscAdmin
        {
            IsEnabled = $True
            UserRole = "Administrators"
        }
        xIEEsc EnableIEEscUser
        {
            IsEnabled = $True
            UserRole = "Users"
The parameters are pretty self-evident. But if I do not know what the parameters are, or if I am unclear as to what a parameter wants, I can use IntelliSense. I highlight xIEEsc, and then either press Ctrl + Spacebar, or right-click and choose Start IntelliSense from the action menu. This provides IntelliSense for the options available.
When I am done, I close out the braces, call the configuration, and start DSC. Here is that portion of code:
        }
    }
}
EnableIEEsc -OutputPath c:\dsc\IEESC
Start-DscConfiguration -Path c:\dsc\ieesc -Wait -Verbose
The complete configuration script is shown here:
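Configuration EnableIEEsc
{
    # Load the xIEEsc resource from the xSystemSecurity module
    Import-DSCResource -Module xSystemSecurity -Name xIEEsc
    $server = @('s1','s2')
    Node $server
    {
        # Enhanced Security Configuration for members of Administrators
        xIEEsc EnableIEEscAdmin
        {
            IsEnabled = $True
            UserRole = "Administrators"
        }
        # Enhanced Security Configuration for normal users
        xIEEsc EnableIEEscUser
        {
            IsEnabled = $True
            UserRole = "Users"
        }
    }
}
# Compile one MOF file per node, and then push the configuration
EnableIEEsc -OutputPath c:\dsc\IEESC
Start-DscConfiguration -Path c:\dsc\ieesc -Wait -Verbose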
The script and its associated output are shown here:
I navigate to one of my remote servers to see if it worked. As shown here, it worked fine:
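The same check can be run from the management workstation instead of visiting each server. The following script is an added example, not part of the original post: it asks each node whether it still matches the applied configuration and lists the Enhanced Security Configuration state per role. It assumes CIM/WinRM access to s1 and s2 and that xIEEsc reports the same UserRole and IsEnabled properties that the configuration sets.

```powershell
# Added example: audit the nodes from the article for drift after the
# configuration has been applied. Assumes CIM/WinRM access to each node.
$server = @('s1','s2')   # node names used in the article

$report = foreach ($name in $server) {
    $session = $null
    try {
        $session = New-CimSession -ComputerName $name -ErrorAction Stop

        # True when the node still matches the configuration last applied to it.
        # The result is normalized through a string so that a Boolean or a
        # "True"/"False" string is handled the same way.
        $result = Test-DscConfiguration -CimSession $session -ErrorAction Stop
        $inDesiredState = ("$result" -eq 'True')

        # Current state of each resource instance in that configuration.
        # Assumption: xIEEsc returns UserRole and IsEnabled, as set on the page.
        foreach ($item in Get-DscConfiguration -CimSession $session -ErrorAction Stop) {
            [pscustomobject]@{
                Node           = $name
                UserRole       = $item.UserRole
                IsEnabled      = $item.IsEnabled
                InDesiredState = $inDesiredState
                Error          = $null
            }
        }
    }
    catch {
        # An unreachable node is reported, not silently skipped
        [pscustomobject]@{
            Node = $name; UserRole = $null; IsEnabled = $null
            InDesiredState = $false; Error = $_.Exception.Message
        }
    }
    finally {
        if ($session) { Remove-CimSession -CimSession $session }
    }
}

# Rows that need attention: ESC switched off, drift detected, or node unreachable
$flagged = @($report | Where-Object { -not $_.IsEnabled -or -not $_.InDesiredState })
if ($flagged.Count -gt 0) {
    Write-Warning "$($flagged.Count) entries are not in the desired state."
}
$report | Format-Table -AutoSize
```

Because Enhanced Security Configuration is on by default, a flagged row means someone with Administrator rights changed it after the configuration was applied.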
That is all there is to using DSC to configure Internet Explorer Enhanced Security Configuration on servers. This also concludes DSC Resource Kit Week. Join me tomorrow when I will discuss "Why learn Windows PowerShell?"
I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.
Ed Wilson, Microsoft Scripting Guy