The weekend announcement of a serious flaw in Internet Explorer versions 6-11 has the Internet on fire with the news. After our initial coverage of it (All Hands On Deck: Zero-Day Reported in the Wild, Affects IE6-11), the news spread like wildfire. It's amazing how quickly bad news can disseminate.
According to the reports, there are three ways to block the exploit until Microsoft can provide a fix (by the way, Windows XP, which reached end of life in early April 2014 after 13 years, is not expected to get a public fix for this).
The first is to use Microsoft's EMET (either 4.1 or the 5.0 technical preview). The second is to run Internet Explorer in "Enhanced Protected Mode" (EPM); EPM was only introduced in IE 10, so it is no help for earlier versions. The third is to disable the Flash plugin for Internet Explorer. Keep in mind that the third option is a stopgap: it breaks the exploit seen in the wild, which depends on Flash, but the underlying IE vulnerability is still there with Flash disabled, so the patch is still required once it ships.
A single user can open Manage Add-ons in IE and disable the Flash plugin there, but what if the change has to be made across an entire company of vulnerable systems? There are many ways to push out a mass change like this, but for shops without extra management tools, Group Policy is a good fit.
You can use this method with any Internet Explorer add-on; in this case we'll use the Flash component, since it's the most critical one to disable right now. Note that the policy only governs add-ons loaded by Internet Explorer; Flash plugins in other browsers are not affected by it.
By the way: the actual screens may vary depending on the server OS version you use and the version of Internet Explorer running on the client PCs, but the instructions are sound.
Locating the Information
The first thing you need to do is locate the Class ID of the Shockwave Flash Object, which you'll need when you create the Group Policy Object.
- Go to Manage add-ons in Internet Explorer.
- Locate Shockwave Flash Object in the list and click the More Information link.
- On the More Information window, click the Copy button.
- Paste the copied information into a new, temporary document (Notepad will work just fine). Then highlight the Class ID value (just the GUID in curly braces, not the "Class ID:" label) and copy it.
Creating the GPO
Many of you are already familiar with creating GPOs, but here are the steps to create one to disable Flash in your organization.
- Open Group Policy Management Editor and open User Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management
- Open the Add-on List setting, set it to Enabled, and then click the Show button. (Enabled must be selected before the Show button becomes clickable.)
- In the Value Name field, paste the Class ID of the Shockwave Flash Object (obtained in the previous section) and set the Value to 0 (zero), which denies the add-on. Click OK to close the Show Contents dialog, click OK on the setting, and back out of Group Policy Management Editor.
EXTRA: To specify that an add-on should be denied, enter 0 (zero) into this field. To specify that an add-on should be allowed, enter 1 (one) into this field. To specify that an add-on should be allowed and to also permit the user to manage the add-on through Add-on Manager, enter 2 (two) into this field.
During the next Group Policy refresh cycle, the new setting will be applied to every user within the GPO's scope (this is a User Configuration setting, so it follows the user rather than the computer; by default, clients refresh user policy roughly every 90 minutes plus a random offset). If you'd like the change to take effect sooner, run gpupdate /force on the client or use my favorite GPO synching tool, Specops' Gpupdate. Internet Explorer windows that already have Flash loaded should be closed and reopened so the denied add-on is no longer running.
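The two procedures above (finding the Class ID and creating the Add-on List GPO) can also be scripted. The following PowerShell is an added example and is not from the original post: it resolves the Shockwave Flash Object's CLSID from the registry, writes the same registry-backed policy that the Add-on List setting writes (the setting stores each entry as a string value named after the CLSID under Software\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID) into a GPO using the GroupPolicy RSAT module, and includes a check you can run on a client after gpupdate. The GPO name, the OU distinguished name and the function name Test-FlashDenied are assumptions for illustration; the fallback CLSID is the well-known one for the Flash ActiveX control and should be confirmed against what Manage add-ons shows you.

```powershell
# Added example, not the original post's procedure. Run on a domain-joined
# admin workstation or DC with the GroupPolicy RSAT module installed.
Import-Module GroupPolicy

# --- 1. Locate the Class ID ---------------------------------------------
# The Flash ActiveX control registers the ProgID ShockwaveFlash.ShockwaveFlash;
# its CLSID subkey's default value is the Class ID shown in Manage add-ons.
$progIdKey  = 'Registry::HKEY_CLASSES_ROOT\ShockwaveFlash.ShockwaveFlash\CLSID'
$flashClsid = (Get-ItemProperty -Path $progIdKey -ErrorAction SilentlyContinue).'(default)'
if (-not $flashClsid) {
    # Flash is not installed on this box; fall back to the well-known CLSID
    # of the Shockwave Flash Object. Confirm it against Manage add-ons.
    $flashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'
}
Write-Host "Shockwave Flash Object CLSID: $flashClsid"

# --- 2. Create the GPO and write the Add-on List entry --------------------
# Registry location behind User Configuration > ... > Add-on Management >
# Add-on List. Value data: '0' = deny, '1' = allow, '2' = allow and let the
# user manage it. These are stored as REG_SZ strings, not DWORDs.
$gpoName   = 'IE - Deny Shockwave Flash add-on'                       # assumed name
$targetOu  = 'OU=Workstations,DC=example,DC=com'                      # assumed OU
$policyKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID'

$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Denies the Flash ActiveX control in Internet Explorer (Add-on List = 0)'
}
Set-GPRegistryValue -Name $gpoName -Key $policyKey -ValueName $flashClsid -Type String -Value '0' | Out-Null

# Link it once; re-running the script should not create duplicate links.
$existingLink = (Get-GPInheritance -Target $targetOu).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $existingLink) {
    New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null
}
Write-Host "GPO '$gpoName' now denies $flashClsid for users under $targetOu"

# --- 3. Verify on a client --------------------------------------------------
# Run as the affected user after 'gpupdate /target:user /force'. Returns $true
# when the policy value for the Flash CLSID has been applied as '0'.
function Test-FlashDenied {
    param([string]$Clsid = $flashClsid)
    $clientKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID'
    $entry = Get-ItemProperty -Path $clientKey -Name $Clsid -ErrorAction SilentlyContinue
    return ($null -ne $entry -and $entry.$Clsid -eq '0')
}

if (Test-FlashDenied) {
    Write-Host 'Flash add-on is denied by policy; restart Internet Explorer to unload it.'
} else {
    Write-Host 'Policy not applied yet: check the GPO link and scope, then run gpresult /r.'
}
```

Because the Add-on List setting lives under User Configuration, the verification block must run in the context of a user the GPO applies to; running it as a local administrator who is outside the GPO's scope will report the policy as missing even when it is working for everyone else.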