Windows 7 : Configuring and Troubleshooting Internet Explorer Security - How to Identify Group Policy Restrictions

1/4/2014 3:00:53 AM

Businesses need complete control over their users' Web browsing abilities, and Internet Explorer provides an extreme amount of flexibility. For example, administrators can use Group Policy settings to turn off tabbed browsing, allow pop-ups, turn off suggestions, restrict search providers, or turn off the Favorites bar.

If a user complains that an Internet Explorer feature is not working correctly, you should determine whether Group Policy restrictions might be responsible. You can use the Resultant Set Of Policy tool to determine which settings have been defined for a user or computer, and which Group Policy objects are responsible. To use the Resultant Set Of Policy tool, perform these steps:

  1. Click Start, type rsop.msc, and press Enter.

  2. In the Resultant Set Of Policy window, under either Computer Configuration or User Configuration, select the Administrative Templates\Windows Components\Internet Explorer node.

  3. As shown in Figure 1, the Details pane shows the Internet Explorer settings that have been defined and which GPO defined each of them.

    Figure 1. Resultant Set Of Policy shows which Group Policy settings have been applied and the Group Policy object responsible
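The same check can be scripted when the console is not convenient, for example over a remote session. The following Windows PowerShell block is an added example, not part of the original text: it lists the Internet Explorer policy values that Group Policy has written to the registry for both scopes, then produces a gpresult report that names the GPO responsible. The function name `Get-IEPolicyValue` and the report path are assumptions chosen for illustration, and the two registry paths cover most, but not all, Internet Explorer Administrative Templates settings.

```powershell
# Added example: list Internet Explorer policy values set by Group Policy.
# Most IE Administrative Templates settings are stored under these Policies keys.
$roots = @(
    'HKLM:\Software\Policies\Microsoft\Internet Explorer',   # Computer Configuration
    'HKCU:\Software\Policies\Microsoft\Internet Explorer'    # User Configuration
)

# Hypothetical helper name; returns one object per policy value found.
function Get-IEPolicyValue {
    param([string[]]$Path)
    foreach ($root in $Path) {
        if (-not (Test-Path $root)) { continue }   # no IE policy defined in this scope
        # The root key itself plus every subkey beneath it
        $keys = @(Get-Item $root) + @(Get-ChildItem $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                New-Object PSObject -Property @{
                    Key   = $key.Name
                    Value = $name
                    Data  = $key.GetValue($name)
                }
            }
        }
    }
}

Get-IEPolicyValue -Path $roots |
    Sort-Object Key, Value |
    Format-Table Key, Value, Data -AutoSize

# The registry shows what is in effect but not which GPO set it.
# gpresult /H writes an HTML Resultant Set of Policy report that includes the winning GPO;
# /F overwrites an existing report file. The output path is an assumption.
gpresult /H "$env:TEMP\rsop-report.html" /F
```

An empty table means no Internet Explorer policy values exist in either scope, which points away from Group Policy as the cause of the user's problem.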

Practice: Troubleshoot Certificate Problems

In this practice, you configure the ActiveX Installer Service to trust ActiveX controls from MSN. Then, you troubleshoot certificate-related problems by generating an untrusted certificate, viewing how Internet Explorer responds to that certificate, and then configuring Internet Explorer to trust the certificate.

EXERCISE 1 Simulate an Invalid Certificate

In this exercise, you open a Web page using a host name other than the common name specified in the SSL certificate and view how Internet Explorer handles it.

  1. Open Internet Explorer. In the Address bar, type www.microsoft.com. Press Enter.

    Internet Explorer opens the www.microsoft.com home page using encrypted HTTPS. Note the gold lock in the Address bar, as shown in Figure 2.

    Figure 2. The gold lock in the address bar, which signifies that communications with the site are encrypted and the certificate is valid

  2. Click the gold lock in the address bar to display the Web site identification. Notice that the identification page displays "www.microsoft.com," which exactly matches the host name you typed in the address bar.

  3. In the Address bar, type https://microsoft.com. Notice that this time the host name does not begin with "www." Press Enter.

    Internet Explorer displays the There Is A Problem With This Website's Security Certificate Web page. This happens because the host name in the certificate, www.microsoft.com, does not exactly match the host name you typed in the address bar, microsoft.com. Users would see this same error message if they attempted to visit a site that was impersonating another site.

EXERCISE 2 Issue an Untrusted Certificate

In this exercise, you must issue an internal certificate to a Web server and determine how Windows 7 handles it both as a member of the domain and from outside the domain.

  1. Connect to a Windows Server 2008 R2 AD DS domain controller in a test environment, and log on as an administrator.

  2. Click Start, click Administrative Tools, and then click Server Manager.

  3. In Server Manager, click the Roles node, and then click Add Roles.

  4. On the Before You Begin page, click Next.

  5. On the Select Server Roles page, select Active Directory Certificate Services, and then click Next.

  6. On the Introduction To Active Directory Certificate Services page, click Next.

  7. On the Select Role Services page, select Certification Authority, Certification Authority Web Enrollment, and Online Responder. When prompted to add other services, click Add Required Role Services. Click Next.

  8. On the Specify Setup Type page, click Enterprise. Click Next.

  9. On the Specify CA Type page, leave Root CA selected, and then click Next.

  10. On the Set Up Private Key page, leave Create A New Private Key selected. Click Next.

  11. On the Configure Cryptography For CA page, click Next.

  12. On the Configure CA Name page, type the host name for your CA (such as DCSRV1.nwtraders.msft) and then click Next.

  13. On the Set Validity Period page, click Next.

  14. On the Configure Certificate Database page, click Next.

  15. On the Web Server page, click Next.

  16. On the Role Services page, click Next.

  17. On the Confirmation page, click Install.

  18. Click Close, and click Yes to restart the computer.

  19. After the computer restarts, log on again. Allow Server Manager to finish completing the installation of the server roles, and then click Close.

  20. Click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

  21. In the Internet Information Services (IIS) Manager, click your computer.

  22. Double-click Server Certificates.

  23. In the Actions pane, click Create Domain Certificate.

  24. On the Distinguished Name Properties page, type the full host name in the Common Name box, such as dc1.nwtraders.msft. Type Northwind Traders in the Organization box and type IT in the Organizational Unit box. In the City, State, and Country boxes, provide your local information. Then, click Next.

  25. On the Online Certification Authority page, click Select. Select the domain controller, and then click OK. In the Friendly Name box, type DC1. Click Finish.

  26. In the Internet Information Services (IIS) Manager, expand Sites and then click Default Web Site. Right-click Default Web Site and then click Edit Bindings.

  27. In the Site Bindings dialog box, click Add.

  28. In the Add Site Binding dialog box, click the Type list and then select HTTPS. In the SSL Certificate list, select dc1.nwtraders.msft. Click OK, and then click Close.

  29. Now you have configured your domain controller as a Web server with an SSL certificate. Open Internet Explorer. In the address bar, enter https://common_name, where common_name is the name you entered in the certificate, such as dc1.nwtraders.msft. Press Enter.

    Internet Explorer opens the page. Notice that the gold lock icon appears in the address bar, signifying that the SSL certificate is valid.

  30. On a second computer running Windows 7 that is not a member of your domain, open Internet Explorer. Alternatively, if you do not have a second computer, you can remove your computer running Windows 7 from the domain temporarily. In Internet Explorer, enter https://common_name and press Enter.

    Internet Explorer displays a warning message indicating that the certificate was not issued by a trusted CA, as shown in Figure 3.

    Figure 3. The warning message given by Internet Explorer if it doesn't trust the certificate authority

Now, continue to Exercise 3 to resolve this problem.

EXERCISE 3 Trust a Certificate Authority

In this exercise, you must export your CA's root certificate and trust that certificate on your nondomain computer running Windows 7 so that you can open the SSL-encrypted Web site without a warning. To complete this exercise, you must have completed Exercise 2.

  1. On your domain controller, in the Certification Authority console, right-click your server and then click Properties.

  2. Click the General tab. Click Certificate #0, and then click View Certificate.

  3. In the Certificate dialog box, click the Details tab. Then, click Copy To File.

  4. The Certificate Export Wizard appears. Click Next.

  5. On the Export File Format page, accept the default export format, and then click Next.

  6. On the File To Export tab, type C:\root.cer and then click Next.

  7. Click Finish, and then click OK three times.

  8. On your client computer running Windows 7 that is not a member of your test domain, open Internet Explorer. In Internet Explorer, click the Tools button on the toolbar, and then click Internet Options.

  9. In the Internet Options dialog box, click the Content tab and then click Certificates.

  10. In the Certificates dialog box, click the Trusted Root Certification Authorities tab and then click Import.

  11. The Certificate Import Wizard appears. On the Welcome To The Certificate Import Wizard page, click Next.

  12. On the File To Import page, click Browse. In the Open dialog box, type \\server_name\c$\root.cer. Then click Open and click Next.

  13. On the Certificate Store page, notice that the Certificate Import Wizard imports the certificate into the Trusted Root Certification Authorities store by default. This is the correct place. Click Next.

  14. On the Completing The Certificate Import Wizard page, click Finish.

  15. A Security Warning dialog box appears. Click Yes to install the certificate and then click OK.

  16. Click Close and then click OK.

  17. In Internet Explorer, enter https://common_name and press Enter.

    Internet Explorer opens the page. Notice that the gold lock icon appears in the address bar, signifying that the SSL certificate is valid. Because this computer is not a member of the AD DS domain, you had to trust the root certificate manually. From then on, all certificates issued by that CA are trusted. If the computer had been a member of the AD DS domain, Group Policy would have caused the computer to trust the enterprise CA automatically.
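The two failures seen in this practice, the host name mismatch from Exercise 1 and the untrusted CA from Exercises 2 and 3, can be told apart from the command line. The following Windows PowerShell block is an added example, not part of the original text: it performs an SSL handshake, records the validation result Windows computed, and reports name and chain problems separately. The function name `Test-ServerCertificate` is an assumption, and the host name in the usage line is the sample name used in the exercises.

```powershell
# Added example: report why Windows would reject (or accept) a server's SSL certificate.
function Test-ServerCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,   # the name typed in the address bar
        [int]$Port = 443
    )
    $seen = @{}
    # Diagnostic callback: record what Windows decided, then return $true so the
    # handshake completes. No application data is sent on this connection.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($s, $certificate, $chain, $policyErrors)
        $seen.Errors = $policyErrors
        $seen.Chain  = @($chain.ChainStatus | ForEach-Object { $_.Status })
        $true
    }
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $flags = [System.Net.Security.SslPolicyErrors]
        New-Object PSObject -Property @{
            HostName     = $HostName
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            # Exercise 1: requested name does not match the certificate
            NameMismatch = [bool]($seen.Errors -band $flags::RemoteCertificateNameMismatch)
            # Exercises 2 and 3: chain does not end in a trusted root (or has other chain faults)
            ChainErrors  = [bool]($seen.Errors -band $flags::RemoteCertificateChainErrors)
            ChainStatus  = ($seen.Chain -join ', ')
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

# Usage with the sample host name from the exercises (replace with your own lab server):
Test-ServerCertificate -HostName 'dc1.nwtraders.msft' |
    Format-List HostName, Subject, Issuer, NameMismatch, ChainErrors, ChainStatus
```

Run it on the nondomain client before and after Exercise 3: ChainErrors should change from True to False once the root certificate has been imported, while NameMismatch depends only on the name you connect with.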
