Thursday, March 10, 2016

Internet Explorer site to zone assignments - is it valid and why not?

Hi there.

Time for a new post finally... Recently, I got involved in a discussion about IE zone assignments via Group Policy. This post discusses which entries are valid or not.

How to assign a site to a zone?


There are two possible ways to assign a security zone to a URL:
  1. Native Group Policy - MVP colleague Alan Burchill has a nice tutorial on that: http://www.grouppolicy.biz/2010/03/how-to-use-group-policy-to-configure-internet-explorer-security-zone-sites/
  2. Registry (through Group Policy Preferences Registry) - MVP colleague Joseph Moody has a nice tutorial on that: https://deployhappiness.com/managing-internet-explorer-trusted-sites-with-group-policy/
The first method prevents users from adding sites on their own; use it if that is what you want. The second method allows users to add sites on their own.

What can I add as a site?

Site to zone assignments (s2z) take URLs. A URL basically has up to 5 parts:
  • Protocol (http, ftp, file...)
  • User and password (ftp://johndoe:johnspass@somehost.dot.com)
  • Hostname (www.bing.com) or IP address
  • Port (wsus.intern.com:8531)
  • Path (evilgpo.blogspot.de/2012/02/loopback-demystified.html) 
s2z always requires a hostname or IP address - for file:// it requires a server and optionally a share. User and password are never allowed. The protocol is optional. Port and path can be entered in the assignment, but are stripped upon processing.

If a hostname is provided, it must be either a plain hostname (no domain part) or a FQDN that consists of at least 3 parts. Hosts in root domains are not possible. If the FQDN consists of 3 parts only, the second level domain must have more than 2 characters in Windows versions prior to 10.

In addition, s2z supports wildcards. To be precise, it supports exactly 2 asterisk wildcards: one for the protocol and one for the plain host name in a FQDN or for the last part of an IP address. To repeat: it is only the * wildcard (no ?), at most 2 of them, and they are only allowed for the protocol and for the plain host name or the last IP address part, nowhere else.

If you have invalid entries, all valid entries will still be processed. s2z will log an event to the Group Policy event log with ID 1085 and error code 87 ("The parameter is incorrect"). Unfortunately, it will neither add the site that caused the error to the event nor the GPO that contained that entry.

So in case of errors it is up to you, the busy admin, to identify the invalid entries. To do so, check all GPOs for s2z entries and validate them. To assist you with this task, Microsoft provides some valid and invalid patterns here:
https://msdn.microsoft.com/library/ms537143.aspx
https://support.microsoft.com/kb/259493

And to further assist you, here are some more comprehensive samples of s2z entries and explanations why they are valid or not.

Valid entries

  • www.microsoft.com

    Valid entry - consists of a fully qualified host name (FQDN). Since no protocol is specified, it applies to all protocols.
  • https://intranet

    Valid entry - consists of a protocol and a plain host name. Since no domain is specified, it applies to a host in the primary DNS suffix domain.
  • https://www.mycorp.com:8080

    Partially valid entry - consists of protocol, host and port. The port is transparently stripped, so it applies to all ports on that host.
  • http://www.mycorp.com/index.html

    Partially valid entry - consists of protocol, host and path. The path is transparently stripped, so it applies to all paths on that host.
  • *://www.microsoft.com

    Valid entry - since the protocol is a wildcard, it is identical to specifying www.microsoft.com (without a protocol).
  • *.mycorp.com

    Valid entry - since the plain hostname is a wildcard, it applies to all hosts in the domain mycorp.com.
  • 192.168.1.15

    Valid entry - IP addresses are allowed as well as hostnames.
  • 192.168.1-255.*

    Valid entry - consists of an IP range and a wildcard for all hosts in that range.
  • http://microsoft.com

    Valid entry - but be aware that this is not an entry for the host microsoft in the domain com; s2z converts it to *.microsoft.com. This is an implication of one of the rules above: if you use a FQDN, it must consist of at least 3 parts. Since we have only 2 parts here, s2z assumes this to be a domain.

Invalid entries

  • *hosts.mycorp.com

    Invalid entry - a wildcard is not allowed as part of the hostname, only for the whole hostname.
  • www.mycorp.*

    Invalid entry - the wildcard replaces a part of the domain.
  • www.*.mycorp.com

    Invalid entry (same as above) - the wildcard replaces a part of the domain.
  • http*://www.mycorp.com

    Invalid entry - a wildcard is not allowed as part of the protocol, only for the whole protocol (which of course is the same as omitting the protocol altogether).
  • 192.168.*.1

    Invalid entry - a wildcard for IP addresses can only be used in the last position.
  • *.*.mycorp.com

    Invalid entry - only one wildcard is allowed, and only for the hostname.
Remark: In earlier versions of Windows, a wildcard entry whose second level domain has only two letters (*.co.uk, for example) was invalid. This was to prevent the whole SLD of some countries from being added. At the time of this writing, this type of entry has become valid in Windows 10.
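
Here is an added example, written for this post and not code from the post, from Microsoft or from the people credited below: a PowerShell function that applies the rules listed above to a list of entries and reports, per entry, whether it is valid, what s2z will effectively use (port and path stripped, 2-part FQDN auto-wildcarded) and why. It models the observations in this post, not Windows' own parser; the function name Test-S2ZEntry, the -PreWindows10 switch (which enforces the "more than 2 characters in the second level domain" rule) and the output fields are my own assumptions.

```powershell
# Added example: a PowerShell validator for site-to-zone (s2z) entries that
# applies the rules listed in the post. It models the post's observations,
# not Windows' own parser; the function name, the -PreWindows10 switch and
# the output fields are my own choices.
function Test-S2ZEntry {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$Entry,
        # Enforce the pre-Windows-10 rule: a 3-part FQDN needs a second level
        # domain longer than 2 characters (so *.co.uk is rejected).
        [switch]$PreWindows10
    )
    begin {
        function New-Result([string]$Entry, [bool]$Valid, [string]$Effective, [string[]]$Notes) {
            [pscustomobject]@{ Entry = $Entry; Valid = $Valid; Effective = $Effective; Note = ($Notes -join '; ') }
        }
    }
    process {
        $notes = @()
        $work  = $Entry.Trim()
        $proto = $null

        # Protocol is optional; a wildcard may replace the whole protocol only.
        if ($work -match '^(?<proto>[^/]*)://(?<rest>.*)$') {
            $proto = $Matches.proto
            $work  = $Matches.rest
            if ($proto -ne '*' -and $proto -notmatch '^[A-Za-z]+$') {
                return New-Result $Entry $false $null ($notes + 'invalid protocol (a wildcard must replace the whole protocol)')
            }
        }
        # User and password are never allowed.
        if ($work -match '@') { return New-Result $Entry $false $null ($notes + 'user and password are not allowed') }

        # Port and path are stripped transparently (the post names the file:// share
        # as the one exception; it is not modelled here).
        $hostPart = ($work -split '/', 2)[0]
        if ($hostPart -match ':\d+$') { $hostPart = $hostPart -replace ':\d+$', ''; $notes += 'port stripped' }
        if ($work -match '/')       { $notes += 'path stripped' }
        if (-not $hostPart)         { return New-Result $Entry $false $null ($notes + 'host name or IP address required') }

        if ($hostPart -match '^[\d.*-]+$') {
            # IP address or range: every octet is a number or an a-b range; the
            # wildcard is allowed in the last position only (192.168.*.1 is invalid).
            $octet = '\d{1,3}(-\d{1,3})?'
            if ($hostPart -notmatch "^($octet\.){3}($octet|\*)$") {
                return New-Result $Entry $false $null ($notes + 'IP wildcard allowed in the last position only')
            }
            $effHost = $hostPart
        } else {
            $labels = $hostPart -split '\.'
            if ($labels -contains '' -or ($labels -join '') -notmatch '^[A-Za-z0-9*-]+$') {
                return New-Result $Entry $false $null ($notes + 'illegal character in host name')
            }
            # Only one wildcard, and only as the whole leftmost (host) label.
            if (($labels | Select-Object -Skip 1) -match '\*') {
                return New-Result $Entry $false $null ($notes + 'wildcard may not replace a domain part')
            }
            if ($labels[0] -match '\*' -and $labels[0] -ne '*') {
                return New-Result $Entry $false $null ($notes + 'wildcard must replace the whole host name')
            }
            switch ($labels.Count) {
                1 {   # plain host name, applies in the primary DNS suffix domain
                    if ($labels[0] -eq '*') { return New-Result $Entry $false $null ($notes + 'bare wildcard') }
                    $effHost = $hostPart
                }
                2 {   # hosts in root domains are impossible; s2z treats this as a domain
                    if ($labels[0] -eq '*') { return New-Result $Entry $false $null ($notes + 'hosts in root domains are not possible') }
                    $effHost = "*.$hostPart"
                    $notes  += "2-part FQDN treated as domain $effHost"
                }
                default {
                    if ($PreWindows10 -and $labels.Count -eq 3 -and $labels[1].Length -le 2) {
                        return New-Result $Entry $false $null ($notes + 'second level domain must have more than 2 characters before Windows 10')
                    }
                    $effHost = $hostPart
                }
            }
        }
        # *:// is the same as no protocol at all.
        $effective = if ($proto -and $proto -ne '*') { "${proto}://$effHost" } else { $effHost }
        New-Result $Entry $true $effective $notes
    }
}

# Constructed sample list: the post's valid and invalid entries plus *.co.uk.
$samples = 'www.microsoft.com', 'https://intranet', 'https://www.mycorp.com:8080',
           'http://www.mycorp.com/index.html', '*://www.microsoft.com', '*.mycorp.com',
           '192.168.1.15', '192.168.1-255.*', 'http://microsoft.com',
           '*hosts.mycorp.com', 'www.mycorp.*', 'www.*.mycorp.com', 'http*://www.mycorp.com',
           '192.168.*.1', '*.*.mycorp.com', '*.co.uk'
$samples | Test-S2ZEntry -PreWindows10 | Format-Table -AutoSize

# To audit a real GPO's native s2z list (needs the GroupPolicy RSAT module; the
# GPO name is a placeholder), feed the value names into the validator:
# Get-GPRegistryValue -Name 'PLACEHOLDER-GPO-NAME' `
#   -Key 'HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey' |
#   ForEach-Object { Test-S2ZEntry -Entry $_.ValueName }
```

Run without -PreWindows10 to model Windows 10, where *.co.uk passes. The Effective column is the one to compare against what you intended: http://microsoft.com coming back as http://*.microsoft.com is exactly the surprise described above, and an entry flagged invalid is a candidate for the event 1085 / error 87 that names neither the entry nor the GPO.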

Credits

The discussion I mentioned above involved these two guys, to whom I wish to give credit:

MVP Jeremy Moskowitz - http://www.policypak.com and http://www.gpanswers.com

IT Consultant Carl Webster - http://carlwebster.com, specifically http://carlwebster.com/troubleshooting-microsoft-group-policy-site-to-zone-mapping/ which was the first result of our discussion. Thanks Carl for clarifying the thing about ports and paths that get stripped and the second level domain auto-wildcarding :)

32 comments:

  1. Oops - there really are people reading this blog :) Yeah, felt it was time to sum up what I found out about how IE zone mapping works and what Carl contributed during his research. Thanks Joseph!

    Replies
    1. Hi,
      You write that as of Windows 10 this has changed:
      At the time of this writing, this type of entry has become valid in Windows 10.

      Can you provide some documentation on this since I don't see anything written up about this?

    2. There's no written documentation from MS, it was all "try and error" with various entries and various Windows versions.

  2. thanks, finally there is someone who confirms what I always tried to explain... and your blog is awesome, I think more people are reading it than you may think

  3. Hi there

    How would I integrate something like this:

    https://company.crm24.dynamics.com

    Thanks
    Udo

    Replies
    1. Hm - I don't really understand your question... Simply type it in as it is. It is a valid URL, so it will work without issues.

  4. you are a life-saver!

    "http://microsoft.com
    Valid entry - but be aware that this is not an entry for the host microsoft in the domain com, but s2z converts this to *.microsoft.com."

    I had NO idea!!

    Thank you!!!!

  5. Do I understand this correctly: if we write microsoft.com, it's the same as *.microsoft.com?

  6. Great write up, it helped a lot while troubleshooting some s2z policies. Hoping to share a little bit of feedback that I've found that wasn't explicitly covered in the post and might be easily overlooked.

    Despite one of the referenced documentation links mentioning that "http://*.server.example.com" is invalid, I have found that it _is_ valid.

    One addition I want to add though is that even though "http://microsoft.com" expands to "http://*.microsoft.com", that only applies for the first level subdomain, which, as you mentioned, is due to lack of being a FQDN.

    If you want "http://*.server.example.com" to work, you need to explicitly set "http://*.server.example.com" and not just "http://server.example.com", due to server.example.com being a FQDN and matching a single host.

    It is still true that "http://*.*.example.com" does not work.

    Hope this helps someone who finds this post and is trying to get wildcard subdomains to work.

  7. Hello
    If i have a customer with the following entries for zone 1 / intranet.

    *.domain.org
    https://*.domain.org

    Would this cause any confusion during processing? Auto logon to the following ADFS domain name won't work correctly. I'm wondering if it is due to the multiple entries.

    https://fs.domain.org

    Replies
    1. AFAIK it should work, but I never dug into ADFS auto logon too deep... You can easily verify which zone IE actually uses by right clicking and viewing the site properties.

  8. Is this a valid entry?

    https://atl.gov/*

  9. Thank you for sharing your tips! This is very helpful and informative! I’m looking forward to seeing more updates from you.

    Web Hosting Services

  10. This article is still the most clear and comprehensive one I have found. Doing GPO cleanup and this was a major help. Thanks for being awesome Martin! (and Jeremy, and Carl)

    Replies
    1. Thanks for this awesome feedback - this blog is not really "lively", but the author is still online and searching for issues worth blogging :-)

  11. Great post, but still one question :)
    "*.domain.com" will work for "server.domain.com"
    But what about "server.subdomain.domain.com", should I add another entry "*.subdomain.domain.com" ?
    (I think it was the initial question of "Udo J" three years ago :D )

    Replies
    1. Yes, you need to add another entry. These assignments are "one level only", they do not apply to subdomains.

  12. As of 3/19/2020, including Windows 10 1803 with March 2020 CU installed, add this to the list of invalid entries (no idea why, but no iteration of amazonaws.com seems to work):
    *.amazonaws.com

    I am not the only one who experienced this:
    https://answers.microsoft.com/en-us/ie/forum/ie11-iewindows_10/cannot-add-amazonawscom-to-trusted-sites-in/377c17b7-94c6-4171-92bb-fe7283a98d7f

  13. I can confirm, too. Seems a regex quirk in the checking code... Or an easter egg for the competitor customers. In addition, in the German error message, they screwed the pattern samples :-)

    Subdomains of amazonaws do work, like *.my.amazonaws.com

  14. I have spent a great deal of time trying to get this to work and have found the following. The best way to address IP Ranges is as follows.

    If you need to clear a range, simply enter it following 'https://'
    https://10.*.*.* works just fine to clear the entirety of the class A private subnet.
    I've tested it, it works.

    Replies
    1. This is new behavior :-) At the time of writing this post, this did not work.

  15. Looks like adding a UNC path like \\server.contoso.com will be translated to file://server.contoso.com

  16. Hi. Came across this blog very late this evening trying to solve a problem and wondered if you/anyone can help. Trying to add the website erpgold.co.uk to the Local Intranet sites via S2Z assignment but every time it gets amended to *.erpgold.co.uk and this won't work for what I need. Any reason why it is doing this?! I've tried looking for answers but difficult to know what to search for. Hoping someone spots this and can point me in the right direction!

    Replies
    1. Seems you are hitting this rule: "If the FQDN consists of 3 parts only, the second level domain must have more than 2 characters". I don't know if Win10 was modified - at the time of writing this post, your entry was definitely valid. The only "solution" if this is no longer true: Use a different browser.

  17. Tried all these forms, no errors in Event viewer log Microsoft-Windows-GroupPolicy/Operational
    Value name           Value
    *://10.0-255.0.0.*   4
    *://10.*.*.*.*       4
    *://10.*.*.*         4

    Replies
    1. Doesn't really conflict with my findings above. First one is a valid entry anyway, and the latter two will simply have their trailing wildcards ignored since they do not contribute anything. Again, it was (and still is) a lot of trial and error, because I've never found a full exhaustive public documentation on the allowed or erroneous patterns :-)

    2. I've used this resource many times over the years and appreciate the effort taken to create it. Amazing that MSFT has still failed to produce anything this useful and concise on the topic.
