Enforcing Execution of Browser Extensions Explicitly – Part II

Uncategorized

Part the Second: Internet Explorer

A few weeks ago, we posted about how to manage Chrome Extensions. This week, we’re doing the same for Internet Explorer (IE), the other enterprise browser. And like Chrome, we’re using the best tool for the job, Group Policy. (See the note at the end of this blog for information about IE’s future).

Let’s get to it.

Add-on Management for Internet Explorer:

The first thing you want to do is set up Internet Explorer the way you want it set for your users. This means all the add-ons they could possibly need should be included. You can add some of the pre-built add-ons from the IE Gallery. You’ll notice, however, the Gallery is a lot smaller than it used to be and certain things no longer work. 404 Page Cannot Be Displayed. Sad! Other add-ons can be included by deploying programs with IE add-ons included (e.g. Adobe Reader, Adobe Acrobat, Office, Java, etc.)

Once you’ve selected all the add-ons, go to manage add-ons in IE, right-click one of the add-ons and select More Information. You’re going to need the Class ID for the GPO. Copy the More Information into Notepad or other text editor so you can copy the Class ID.

Repeat this process for all the add-ons you want to manage in IE.

Now create the GPO.

Internet Explorer Add-on management should already be included in Group Policy. Open the GPMC, create a new Group Policy, edit that policy and navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Security Features > Add-on Management. You should see something like this:

We’re going to set up the Add-on List. Open that setting, enable it, and click Show… next to Add-on List. Add your Class IDs you retrieved earlier and choose the value you want. The values are as follows:

0 = The add-on is disabled and cannot be changed

1 = The add-on is enabled and cannot be changed.

2 = The add-on is enabled and can be changed.

Here’s an example of the add-ons with values for the Add-on List setting:

The next thing is to deny all the add-ons not defined in the Add-on List. It’s pretty straightforward. Open the Deny all add-ons unless specifically allowed in the Add-on List and enable the setting.

That’s it. Save the GPO, apply it wherever makes sense, and you’re finished.

Next, let’s run some tests.

First, we deploy the Shockwave Player and Java to a machine with IE installed. We see some add-ons in the Manage Add-ons properties of IE.

Next, we wait or run gpupdate on the target machine, restart IE. Go to Manage Add-ons again, and voila:

Next, we’ll take a look at Bethany Coddlebottom’s machine (the GPO has not been applied)…

Move that machine into range of the GPO, run gpupdate, and restart IE:

That’s it.


NOTES:

As you likely know, on January 12, 2016, support for older IE versions ended. Security updates would still be provided for the latest supported version through the OS lifecycle, but no additional IE releases were planned. You can read more here.

Leave a Reply

Your email address will not be published. Required fields are marked *