ISM-1654 – Technical Resolution Guidance

What is ISM-1654?

Internet Explorer 11 is disabled or removed.

Background

This control involves disabling or fully removing Microsoft’s Internet Explorer 11 from a device. Before doing so, it’s important to check for any apps, websites, or systems that still rely on it, test alternative browsers for compatibility, and communicate changes to ensure a smooth transition and reduce risks.

Applicability

This control is relevant to the following:

  • Maturity Level 1, 2, and 3 Controls

Evaluation Results

Status        Description
Effective     Tested that ‘iexplore.exe’ is unable to render HTML code.
Ineffective   Tested that ‘iexplore.exe’ is able to render HTML code.

Implementing Removal

There are several ways to remove Internet Explorer 11; however, these methods do not fully work, because they remove only the shortcuts and base files and leave behind the libraries that render HTML content.

This is because those libraries are core operating system files. As such, the only reliable method is to block access to the "C:\Program Files\Internet Explorer" folder with Application Control software. The operating system can then still use the files, while users are blocked from running them.
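As an added example of the Application Control approach described above (this is not code from the original guidance or from SecurE8), the following PowerShell builds an AppLocker policy fragment with a Deny path rule for the Internet Explorer folder, dry-runs it, and merges it into the effective local policy. It assumes AppLocker is already in use with allow rules in place and the Application Identity service running, so that the deny rule only adds to them; the rule names and the temporary file path are placeholders chosen for this example.

```powershell
# Added example: deny execution from the Internet Explorer folder for Everyone via AppLocker.
# Assumes AppLocker is already deployed with allow rules; the deny rule is merged on top of them.

$ieFolder   = '%PROGRAMFILES%\Internet Explorer\*'   # AppLocker path variable for C:\Program Files
$policyPath = Join-Path $env:TEMP 'deny-ie11.xml'    # placeholder location for the policy fragment

# One deny rule per collection: Exe covers iexplore.exe, Dll covers the libraries in that folder.
# DLL rules only take effect when the Dll collection is enforced, and enforcing it means every
# DLL load on the machine is evaluated, so pilot this on a small group first.
$rules = foreach ($collection in 'Exe', 'Dll') {
@"
  <RuleCollection Type="$collection" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="ISM-1654 deny Internet Explorer ($collection)"
                  Description="Block user access to the Internet Explorer 11 folder"
                  UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="$ieFolder" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
"@
}

$policyXml = @"
<AppLockerPolicy Version="1">
$($rules -join "`n")
</AppLockerPolicy>
"@

Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: ask AppLocker how it would decide for iexplore.exe under the policy in the file
# before anything is applied. The PolicyDecision column should read Denied.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path "$env:ProgramFiles\Internet Explorer\iexplore.exe"

# -Merge adds the deny rules to the existing local policy instead of replacing it.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# Confirm the rule is now part of the effective policy.
(Get-AppLockerPolicy -Effective -Xml) -match 'ISM-1654 deny Internet Explorer'
```

S-1-1-0 is the well-known SID for Everyone, so the rule applies to all interactive users while the operating system itself is unaffected, which is the outcome the section above asks for. In a domain the same XML can be imported into a GPO instead of applied locally.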

REMOVE: Commandline Options (in an ADMIN MODE COMMAND PROMPT)


dism /online /Remove-Capability /CapabilityName:Browser.InternetExplorer~~~~0.0.11.0
dism /online /Disable-Feature /FeatureName:Internet-Explorer-Optional-amd64

REMOVE: PowerShell (IN ADMIN MODE)


Disable-WindowsOptionalFeature -FeatureName Internet-Explorer-Optional-amd64 -Online

You can also use Add/Remove Programs (Control Panel) and "Turn Windows features on or off", where you can untick the Internet Explorer 11 option to remove the software.

Internet Explorer 11 Removal

DISABLE: Using Registry Editor

  1. Open the Registry Editor (regedit) in admin mode.
  2. Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft
  3. Select the Microsoft key, right-click, and select New > Key.
  4. Create the new key named Internet Explorer.
  5. Select the new Internet Explorer key, right-click, and select New > Key.
  6. Create the new key named Main.
  7. Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main
  8. Select the Main key, right-click, and select New > DWORD (32-bit) Value.
  9. Create the new DWORD (32-bit) value named NotifyDisableIEOptions.
  10. Set the value of NotifyDisableIEOptions to:
    • 0 - Do not display a warning message to users when they use IE.
    • 1 - Always display a warning message to users when they use IE.
    • 2 - Display a warning message to each user only once when they use IE for the first time.

DISABLE: Group Policy

  1. Open the Group Policy Management Console (gpedit.msc).
  2. Navigate to: Computer Configuration > Administrative Templates > Windows Components > Internet Explorer.
  3. Locate the policy named Disable Internet Explorer 11 as a standalone browser.
  4. Double-click the policy to edit it.
  5. Select the Enabled option to disable Internet Explorer.
  6. Click Apply and then OK.
  7. Close the Group Policy Management Console.
  8. Run gpupdate /force in a command prompt to apply the changes.
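The registry and Group Policy procedures above both end with the NotifyDisableIEOptions value set under the Internet Explorer\Main policy key. As an added example (not code from the original guidance), this script applies that setting directly from an elevated PowerShell session and reads it back so the change can be evidenced; the $WarningMode parameter is a name chosen for this example, and its allowed values are the three listed in the registry procedure.

```powershell
# Added example: create the policy key path and set NotifyDisableIEOptions, then read it back.
# Save as a .ps1 and run elevated; $WarningMode is a parameter name chosen for this example.

param(
    [ValidateSet(0, 1, 2)]
    [int]$WarningMode = 1   # 0 = no warning, 1 = always warn, 2 = warn once per user
)

$keyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main'
$valueName = 'NotifyDisableIEOptions'

# New-Item -Force creates every missing key in the path (Internet Explorer, then Main),
# which is what steps 3 to 7 of the Registry Editor procedure do by hand.
if (-not (Test-Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# Step 8 to 10: a REG_DWORD named NotifyDisableIEOptions with the chosen mode.
New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value $WarningMode -Force | Out-Null

# Read back and report the resulting state.
$current = Get-ItemProperty -Path $keyPath -Name $valueName
$modes   = @{ 0 = 'Do not display a warning'; 1 = 'Always display a warning'; 2 = 'Display a warning once per user' }

[pscustomobject]@{
    Key   = $keyPath
    Value = $valueName
    Data  = $current.$valueName
    Mode  = $modes[[int]$current.$valueName]
}
```

Because the value lives under HKLM\SOFTWARE\Policies, a Group Policy object that configures "Disable Internet Explorer 11 as a standalone browser" will overwrite whatever is set here on the next refresh, so in a domain the Group Policy route is the one to keep as the source of truth.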

Testing Parameters

SecurE8 attempts to render HTML code in Internet Explorer. Use this PowerShell code to check it yourself:


# This is a sample demonstration of how to render HTML code in Internet Explorer.
# SecurE8 uses this very method to determine if Internet Explorer is installed.
# The WinForms WebBrowser control hosts the Internet Explorer rendering engine, so if the
# page below renders, that engine is still reachable by the current user.

$Site = @'
<!DOCTYPE html>
<html>
<head><meta http-equiv="X-UA-Compatible" content="IE=11" /></head>
<body><h1>IE11 is running!</h1><a href="https://www.google.com/">Visit Google!</a></body>
</html>
'@

# Write the markup to a temporary file and point the browser control at it.
$URL1 = $env:TEMP + "\page_markup.html"
[IO.File]::WriteAllText($URL1, $Site)
Add-Type -AssemblyName System.Windows.Forms
Add-Type -AssemblyName System.Drawing   # provides System.Drawing.Color and System.Drawing.Size
$winWidth = 800
$winHeight = 600

# WinForm Setup
$mainForm = New-Object System.Windows.Forms.Form
$mainForm.Font = "Comic Sans MS,9"
$mainForm.BackColor = [System.Drawing.Color]::White
$mainForm.Text = "IE11 Demo"
$mainForm.Size = New-Object System.Drawing.Size($winWidth, ($winHeight + 100))

# Done button
$buttonOK = New-Object 'System.Windows.Forms.Button'
$buttonOK.Anchor = 'Bottom, Right'
$buttonOK.DialogResult = 'OK'
$buttonOK.Location = "50, $($winHeight - 50)"
$buttonOK.Name = "buttonOK"
$buttonOK.Size = '100, 50'
$buttonOK.TabIndex = 0
$buttonOK.Text = "Done"
$buttonOK.UseVisualStyleBackColor = $True
$mainForm.Controls.Add($buttonOK)

# Main Browser
$webBrowser1 = New-Object System.Windows.Forms.WebBrowser
$webBrowser1.IsWebBrowserContextMenuEnabled = $false
$webBrowser1.Url = $URL1
$webBrowser1.Location = "0, 20"
$webBrowser1.Size = New-Object System.Drawing.Size(($winWidth - 50), 500)
$webBrowser1.Anchor = 'Top, Bottom, Left, Right'
# Report on the console whether the engine actually rendered the test page once it has loaded.
$webBrowser1.add_DocumentCompleted({
    param($sender, $e)
    $rendered = ($null -ne $sender.Document) -and ($sender.Document.Body.InnerText -match 'IE11 is running!')
    Write-Host "Internet Explorer engine rendered the test page: $rendered"
})
$mainForm.Controls.Add($webBrowser1)

# Display Form
[void] $mainForm.ShowDialog()

Remediation Steps

Use Application Control: Prevent access to Internet Explorer and its DLL files.

Remove Internet Explorer files from the system. Delete Internet Explorer and its DLL files.

Validation Process

As long as Internet Explorer remains on the disk and accessible by users, it will render HTML code and pose a security risk.
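The validation point above is that removal or disablement alone is not enough while the files stay on disk and reachable. As an added example (not code from the original guidance or from SecurE8), this read-only audit gathers the signals that matter for that judgement in one place: the optional feature and capability state from the DISM-backed cmdlets, the policy value from the registry procedure, whether iexplore.exe is still present, and whether the effective AppLocker policy carries a Deny rule for the Internet Explorer folder. The function name Get-Ie11State is chosen for this example; run it elevated so the component queries succeed.

```powershell
# Added example: read-only audit of the Internet Explorer 11 state on the local machine.
# Nothing here changes the system. Get-Ie11State is a name chosen for this example.

function Get-Ie11State {
    $feature    = Get-WindowsOptionalFeature -Online -FeatureName 'Internet-Explorer-Optional-amd64' -ErrorAction SilentlyContinue
    $capability = Get-WindowsCapability -Online -Name 'Browser.InternetExplorer~~~~0.0.11.0' -ErrorAction SilentlyContinue
    $policy     = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main' `
                                   -Name 'NotifyDisableIEOptions' -ErrorAction SilentlyContinue
    $exePath    = Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe'

    # Parse the effective AppLocker policy and look for a Deny path rule covering the IE folder.
    $denyPresent = $false
    $appLockerXml = Get-AppLockerPolicy -Effective -Xml -ErrorAction SilentlyContinue
    if ($appLockerXml) {
        $doc = [xml]$appLockerXml
        $denyPresent = [bool]($doc.AppLockerPolicy.RuleCollection.FilePathRule |
            Where-Object { $_.Action -eq 'Deny' -and $_.Conditions.FilePathCondition.Path -like '*Internet Explorer*' })
    }

    [pscustomobject]@{
        OptionalFeatureState = if ($feature)    { $feature.State }    else { 'NotPresent' }
        CapabilityState      = if ($capability) { $capability.State } else { 'NotPresent' }
        PolicyValue          = if ($policy)     { $policy.NotifyDisableIEOptions } else { 'NotSet' }
        BinaryOnDisk         = Test-Path $exePath
        AppLockerDenyPresent = $denyPresent
    }
}

$state = Get-Ie11State
$state | Format-List

# The case the Validation Process warns about: the feature may be disabled and the policy set,
# yet the rendering files are still on disk and no Application Control rule keeps users away.
if ($state.BinaryOnDisk -and -not $state.AppLockerDenyPresent) {
    Write-Warning 'Internet Explorer files remain on disk and are not blocked by Application Control.'
}
```

Read the output as a set rather than one field at a time: a Disabled feature state or a set policy value only shows that the procedures earlier on this page were run, while BinaryOnDisk together with AppLockerDenyPresent is what tells you whether a user can still reach the rendering engine, which is what SecurE8's test exercises.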

Risk Consideration

The decision to disable or remove Internet Explorer 11 requires careful assessment of compatibility, security, user impact, and compliance obligations, as it may disrupt workflows and dependencies on legacy systems or specific web standards. To mitigate risks, consider implementing alternative browser solutions, addressing compatibility needs, and maintaining a robust security strategy.