IE8 / DEP / NX and Group Policy

Discussion in 'Internet Explorer' started by Bryn, Oct 2, 2009.

  1. Bryn

    Bryn Guest

    Hi,

    The GP settings, explanations and workarounds for IE8 are totally
    unsatisfactory. The issues are not well documented, I had to scour through
    various forums etc. and it was only after reading the answer from the MSDN
    reps that I realised how poorly implemented the DEP control within GP is.

    Once you understand how DEP is configured/enabled you soon begin to realise
    why there is no GP setting to enable/disable or opt-in/out.

    This is because it is contained in the boot.ini file. The suggested
    workaround is to use a start-up script, with CACLS, to break/restore file
    permissions on the boot.ini and amend the options as you desire. I'm glad
    someone at M$ was smart enough to realise that to autonomise that process
    within GP (with a simple check box) would have borked an untold number of
    machines and resulted in huge support overheads/costs for themselves.

    So instead they leave it up to the sys Admins to discover, with horror, that
    they have to use a script that will most likely break half their enterprise
    (e.g. scripts failing to execute properly, I/O errors on the local disk,
    CACLS not completing, non-standard partition layouts etc etc.) to disable a
    setting that is turned on by default when SP3 is installed. Marvellous!

    This is just the first part of my gripe. The real killer and poor
    implementation of group policy would be this:

    If you disable DEP/NX in GP for IE8 then the setting will ONLY WORK IF DEP
    IS DISABLED OR SET TO OPT-OUT FOR IE WITHIN THE HOST OS (XP). Great, prior to
    this I've disabled all the add-ons, installed a third party java engine and
    this gets round half the problem (our DEP error). However, not all parts of
    the system are stable and it only works really well when used in conjunction
    with the memory protection disabled in IE8.

    HOWEVER, if you use the advanced tab > security within IE8 and then disable
    memory protection then lo and behold it works (despite DEP being enabled at
    the OS/boot.ini level). Weird, but at least a possible workaround.

    So I fired up a clean image. Took a snapshot before and after changing the
    setting (within IE8 NOT GP) and sure enough I found the key and value to
    simulate user disabling of DEP/NX.

    Located here:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
    "DEPOff"=dword:00000001

    So I created a custom ADM template based on this setting and what d'ya know?
    It works. It mimics the user selection (I know it's a machine policy setting,
    I mean it mimics the user disabling it manually in IE8) and it works even
    though DEP is enabled for the OS (and I haven’t even had to tell it to
    opt-out for IE!).

    Sooooo.... please could someone explain to me why:

    1) This is not available as one of the default machine templates?
    2) Why your MSDN reps would provide an incredibly dangerous solution to the
    problem when a more elegant and less intrusive workaround to the problem
    clearly already resides within the machine registry as shown above?
    (obviously I realise the only way to disable DEP autonomously would be to use
    the script at one's own risk, otherwise you would have to manually edit each
    one individually, but the GP for IE8 does not work via the GP setting
    provided with DEP enabled on the OS unless you use the registry setting
    above).
    3) Why is DEP enabled by default when you install SP3? We now have 700+
    machines that may have more issues in the future because of DEP and we might
    not be so lucky the next time an issue arises. My next task will be modifying
    our build images to make sure DEP is disabled for all future builds.

    Thanks,

    1 x frustrated Sys Admin (aka Bryn)




    ----------------
    This post is a suggestion for Microsoft, and Microsoft responds to the
    suggestions with the most votes. To vote for this suggestion, click the "I
    Agree" button in the message pane. If you do not see the button, follow this
    link to open the suggestion in the Microsoft Web-based Newsreader and then
    click "I Agree" in the message pane.

    http://www.microsoft.com/communitie...&dg=microsoft.public.internetexplorer.general
    Bryn, Oct 2, 2009
    #1

  2. Always state your full Windows version (e.g., WinXP SP3; Vista x64 SP2) when
    posting to this newsgroup.

    Feel better now?

    And your Suggestion would be...?

    PS: No one here works for or represents Microsoft (including me).


    PA Bear [MS MVP], Oct 3, 2009
    #2

  3. Bryn

    Bryn Guest

    Sorry, I didn't actually specify the Domain/OS. My bad, I also should have
    made my final points clearer. I don’t really post a lot as the
    questions/answers are always within reach (thanks to sites like this one).

    We are running a 2K3 domain with XP hosts. Like a lot of enterprises, we
    (and our clients) rely on IE6 integration for a lot of intranet applications
    etc. that are generally having a bit of a hard time trying to move with the
    times.

    I also never said all that info was found here either; it was a mixture of
    public/private sites across the web, with a fraction of it on these groups.
    But IMO, anyone who has a whole lot of M$ letters after their name when
    posting in a forum and then they RTM back to me is a M$ rep (whether paid or
    otherwise).

    And no, I'm not a Linux/Mac fanboi either and yes, I appreciate the fact
    that M$ have woven a black magic all of their own that has provided me with a
    decent living over the years. I even like 7 so much I've been recommending to
    all my friends that they go out on the 22nd of October and beta test it for
    M$ too (ed. I mean buy a copy) since it runs so well. Sarcasm aside, I really
    do like 7.

    So back to my suggestions:

    We already have DEP enabled in our AV solution and whilst we're not averse
    to the idea of having that additional layer of software protection, it would
    have been nice to have the decision to enable it in the first place (re: XP
    SP3). The fact the only way to disable it en masse is to use a particularly
    risky script is what makes that previous point even more annoying. Obviously
    M$ realised that too or there would have been a simple GP setting to
    configure it.
    Suggestion 1) DEP is disabled by default when upgrading to SP3 within XP. Or
    an option is provided to enable/disable it during the installation with an
    adequate explanation for domain users/admins that there is no safe way to
    turn this off via GP (on a 2K3 one anyway).

    The disabling of DEP is handled differently when a user does it via the host
    XP pc in IE8, being controlled by the registry setting:
    > [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
    > "DEPOff"=dword:00000001


    I have found this is a good workaround to the problem caused by XP machines
    not adhering to the group policy setting that M$ provides to disable DEP/NX
    for IE8. As stated within the GPM, the DEP/NX GP setting for IE8 does not
    work unless DEP for XP is disabled or set to opt-out. As this can only be
    done by editing the boot.ini file, the above registry setting is a much safer
    option for Admins/application integrators to try first.
    Suggestion 2) Provide a GP setting to disable DEP in IE8 running on an XP
    (x86 client) via the registry option above.


    I know x64 machines have hardware DEP as default (or the option to in the
    BIOS). Out of curiosity, do the 64-bit (x64/Itanium) versions of XP also
    have software DEP by default? If they do, is it safe to assume it is also
    controlled via the boot.ini?

    I also do really appreciate the fact that you, and others like you, have a
    far more in-depth knowledge of Windows than I. And that you take the time out
    to reply to people in your own time as well. I went through about 3 years
    worth of posts and was surprised that no one else had found/mentioned the
    registry workaround above.

    I also came across a borked netbook recently that was caused by a failed IE8
    installation. To be fair that was probably the fault of the Ask toolbar
    add-on (I never found out from the client if that was what they did but the
    posts online pointed at that). And while M$ can’t be blamed for a third
    party's implementation of code, it does highlight the danger of controlling
    DEP options via the boot.ini. I suppose a third suggestion would be then:

    3) If it must be done at boot (and thus assuming this is a better
    implementation than our AV provided DEP) then don’t use the boot.ini alone to
    enable/disable DEP. An M$ developed and integrated boot loader (similar to
    grub) that would rely on user interaction (or an encrypted file with script
    info for GP action) and thus be more secure from an online/malware based
    attack. This could also have a built-in backup/restore function that could
    detect/fix an unbootable machine. For example, our HDD encryption provider
    sits at the MBR level and is MoD approved. Perhaps M$ could push more third
    party vendors out of the game by raising their own game and improving their
    own code (instead of just buying other people's) for a change.

    Once again, thank you for your time.

    Bryn



    Bryn, Oct 4, 2009
    #3
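    Added example (not from the thread, and not Microsoft's own tooling): a
    small Python audit that takes a host's boot.ini and a "reg export" of the
    IE Main key, as posts #1 and #3 describe them, and reports whether IE8's
    memory protection is effectively off, so an admin can find machines where
    DEPOff=1 has been set or where DEP was switched off in boot.ini. The sample
    boot.ini and .reg text are constructed, and the effective-state logic follows
    the behaviour the thread reports (DEPOff=1 overrides IE8's opt-in unless the
    OS forces DEP on for every process).

```python
import re

# Constructed sample inputs (not from the thread): a boot.ini and a "reg export"
# of the IE Main key, as they might be collected from one XP SP3 host.
SAMPLE_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
"""

SAMPLE_REG_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main]
"DEPOff"=dword:00000001
"""

IE_MAIN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main"


def os_dep_mode(boot_ini: str) -> str:
    """DEP mode (optin/optout/alwayson/alwaysoff) of the default boot entry."""
    lines = boot_ini.splitlines()
    default_arc = None
    for line in lines:
        m = re.match(r"\s*default=(.+?)\s*$", line, re.IGNORECASE)
        if m:
            default_arc = m.group(1)
            break
    for line in lines:
        if default_arc and line.lower().startswith(default_arc.lower() + "="):
            m = re.search(r"/noexecute=(\w+)", line, re.IGNORECASE)
            # Assumption: XP SP2+ treats a missing /noexecute switch as OptIn.
            return m.group(1).lower() if m else "optin"
    return "unknown"


def ie8_depoff(reg_export: str) -> bool:
    """True if DEPOff is a non-zero DWORD under the IE Main key."""
    section = None
    for line in reg_export.splitlines():
        sec = re.match(r"\s*\[(.+)\]\s*$", line)
        if sec:
            section = sec.group(1)
            continue
        if section and section.lower() == IE_MAIN_KEY.lower():
            val = re.match(r'\s*"DEPOff"=dword:([0-9a-f]{1,8})\s*$', line, re.I)
            if val:
                return int(val.group(1), 16) != 0
    return False


def audit(boot_ini: str, reg_export: str) -> dict:
    """Effective IE8 DEP state as the thread describes it: DEPOff=1 switches
    off IE8's opt-in unless the OS forces DEP on for every process."""
    mode = os_dep_mode(boot_ini)
    depoff = ie8_depoff(reg_export)
    active = True if mode == "alwayson" else (mode != "alwaysoff" and not depoff)
    return {"os_dep_mode": mode, "ie8_depoff": depoff, "ie8_dep_active": active}
```

    Run `audit()` over the boot.ini and reg export collected from each host;
    any result with `ie8_dep_active` False is a machine to review.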
