Upload
metallicarj3195
View
163
Download
0
Embed Size (px)
Citation preview
©2010 Microsoft Corporation. All rights reserved.
Internet Explorer Development Technical Articles
Understanding and Working in Protected Mode Internet Explorer
Marc Silbey,Peter BrundrettMicrosoft Corporation
January 2006Last Updated: February 2009Applies to: Windows Internet Explorer 7 in Windows Vista and later
Summary In Windows Vista, Internet Explorer 7 runs in Protected Mode, which helps protect users fromattack by running the Internet Explorer process with greatly restricted privileges. Protected Mode significantlyreduces the ability of an attack to write, alter or destroy data on the user's machine or to install maliciouscode.
This topic introduces Protected Mode, describes the Windows Vista features used to implement ProtectedMode, shows how to develop extensions that work with Protected Mode and provides guidelines for developingmore secure applications.
Contents
Understanding Protected Mode
Introducing Protected Mode
Understanding Windows Vista's Integrity Mechanism
Understanding Protected Mode
Configuring Protected Mode
Working with Protected Mode
Finding Low Integrity Write Locations
Saving Files to the User Profile
Starting Processes from Protected Mode
Allowing Drag and Drop Operations in your Application
Allowing Applications to Receive Window Messages
Launching and Navigating a Protected Mode Process
Debugging with the Application Compatibility Toolkit
Designing Secure Extensions
Installing Software from Extensions
Starting Low Integrity Processes
Lowering Resource Integrity
Determining Process Integrity Levels
Frequently Asked Questions
Understanding Protected Mode
Protected Mode is an important step forward in security for Internet Explorer (IE); it helps protect users fromattack by running an IE process with greatly restricted privileges on Windows Vista. While Protected Modedoes not protect against all forms of attack, it significantly reduces the ability of an attack to write, alter, ordestroy data on the user's machine or to install malicious code.
Introducing Protected Mode
While most Internet Explorer 7 security features will be available in Internet Explorer 7 for Windows XPService Pack 2, Protected Mode is only available on Windows Vista because it is based on security featuresnew to Windows Vista.
User Account Control [ http://msdn.microsoft.com/library/default.asp.aspx?url=/library/en-us
/dnlong/html/AccProtVista.asp ] (UAC) makes it easy to run without Administrator privileges.
When users run programs with limited user privileges, they are safer from attack than when they
Understanding and Working in Protected Mode Internet Explorer http://msdn.microsoft.com/en-us/library/bb250462(VS.85,printer).aspx
1 of 12 05/02/2010 18:57
run with Administrator privileges because Windows can restrict the malicious code from carrying
out damaging actions.
Integrity mechanism restrict write access to securable objects [ http://msdn.microsoft.com
/library/default.asp.aspx?url=/library/en-us/secauthz/security/securable_objects.asp ] by lower
integrity processes, much the same way that user account group membership restricts the rights
of users to access sensitive system components.
User Interface Privilege Isolation [ http://msdn.microsoft.com/library/default.asp.aspx?url=
/library/en-us/dnlong/html/AccProtVista.asp ] (UIPI) prevents processes from sending selected
window messages and other USER APIs to processes running with higher integrity.
The Windows Vista security infrastructure allows Protected Mode to provide Internet Explorer with theprivileges needed to browse the Web while withholding privileges needed to silently install programs ormodify sensitive system data.
This section helps you understand Protected Mode, describes the Windows Vista integrity access levels, andsummarizes the compatibility impact for Internet Explorer extensions.
Understanding Windows Vista's Integrity Mechanism
Windows Vista includes an addition to the access control security mechanism of Windows that labelsprocesses and other securable objects with an integrity level. Internet-facing programs are at higher risk forexploits than other programs because they download untrustworthy content from unknown sources. Runningthese programs with fewer permissions, or at a lower integrity level, than other programs reduces the abilityof an exploit to modify the system or harm user data files.
Protected Mode uses the Windows Vista integrity mechanism to run the Internet Explorer process at lowintegrity. The main features of the integrity level mechanism in Windows Vista are as follows:
Securable objects [ http://msdn.microsoft.com/library/default.asp.aspx?url=/library/en-us
/secauthz/security/securable_objects.asp ] , like files and registry keys, have security descriptors
that define the integrity level, or level of privilege required for write access to the object. This
integrity level is defined with a new mandatory access control entry (ACE) in the System access
control list (SACL). The new mandatory ACE is called a mandatory label. Objects without
mandatory labels have an implied default integrity level of Medium.
Processes have an integrity level defined in the security access token. In Protected Mode, Internet
Explorer has a low integrity level. Applications run from the Start menu have a medium integrity
level. Applications that require administrator permissions run with a high integrity level.
Low integrity processes cannot gain write access to objects at a higher integrity levels, even if the
user's SID is granted write access in the discretionary access control list (DACL). Integrity level
checks are performed before user access permission checks.
All files and registry keys on Windows Vista have a default integrity level of Medium. A Low integrity process,like Internet Explorer in Protected Mode, will receive access denied errors when it tries to modify existingfiles.
Some folders have a low integrity mandatory label. A low integrity process, such as Internet Explorer inProtected Mode, can create and modify files in low integrity folders. For example, the temporary Internet filesfolder contains a folder called Low, which is a low integrity folder. The Windows Vista integrity mechanismautomatically assigns low integrity mandatory labels to securable objects created by low integrity processes.As a result, all files and other objects created by Internet Explorer in Protected Mode or any other lowintegrity process are automatically assigned low integrity mandatory labels. By default, child processesstarted by a low integrity process will also run with a low integrity level. Protected mode allows processes tobe created with higher integrity. For details, see Starting Processes from Protected Mode section.
The following table shows supported integrity access levels and the privileges they confer.
IntegrityAccess Level
(IL) System Privileges
High Administrative (Process can install files to the Program Files folder and write to sensitiveregistry areas like HKEY_LOCAL_MACHINE.)
Medium User (Process can create and modify files in the user's Documents folder and write touser-specific areas of the registry, such as HKEY_CURRENT_USER.)
Low Untrusted (Process can only write to low integrity locations, such as the Temporary InternetFiles\Low folder or the HKEY_CURRENT_USER\Software\LowRegistry key)
Understanding and Working in Protected Mode Internet Explorer http://msdn.microsoft.com/en-us/library/bb250462(VS.85,printer).aspx
2 of 12 05/02/2010 18:57
Understanding Protected Mode
Protected Mode builds on the new integrity mechanism to restrict write access to securable objects likeprocesses, files, and registry keys with higher integrity levels. When run in Protected Mode, Internet Exploreris a low integrity process; it cannot gain write access to files and registry keys in a user's profile or systemlocations.
Low integrity processes can only write to folders, files, and registry keys that have been assigned a lowintegrity mandatory label. As a result, Internet Explorer and extensions run in Protected Mode can only writeto low integrity locations, such as the new low integrity temporary Internet files folder, the History folder, theCookies folder, the Favorites folder and the Windows temporary file folders. For a complete list, see theFrequently Asked Questions (FAQ) section.
Furthermore, Protected Mode can only send specific window messages to higher integrity processes. For moreinformation, please see the User Interface Privilege Isolation Overview section of Developer Best Practices andGuidelines for Applications in a Least Privileged Environment [ http://msdn.microsoft.com/library/default.asp.aspx?url=/library/en-us/dnlong/html/AccProtVista.asp ] .
By preventing unauthorized access to sensitive areas of a user's system, Protected Mode limits the amount ofdamage that can be caused by a compromised IE process. An attacker cannot, for example, silently install akeystroke logger to the user's Startup folder. Likewise, a compromised process cannot manipulateapplications on the desktop through window messages.
Of course, these defenses also limit legitimate changes to higher integrity locations. As a result, ProtectedMode provides a compatibility architecture that reduces the impact on existing extensions, as shown in thefollowing figure.
A Compatibility Layer handles the needs of many existing extensions. It intercepts attempts to
write to medium integrity resources, such as the Documents folder in the user profile and the
HKEY_CURRENT_USER registry hive. However it will not intercept writes to system locations like
Program Files and HKEY_LOCAL_MACHINE. The compatibility layer uses a Windows Compatibility
Shim [ http://www.microsoft.com/technet/windowsvista/deploy/appcompat/acshims.mspx ] to
automatically redirect these operations to the following low integrity locations.
Documents and Settings\%userprofile%\LocalSettings\TemporaryInternet
Files\Virtualized
HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\InternetRegistry
Two higher privilege broker processes allow Internet Explorer and extensions to perform elevated
operations given user consent. For example, the user privilege broker (IEUser.exe) process
provides a set of functions that let the user saves files to areas outside of low integrity areas. In
addition, an administrator privilege broker (IEInstal.exe) process allows Internet Explorer to
install ActiveX controls.
For more information, please see Working with Protected Mode.
Configuring Protected Mode
Protected Mode can be configured in Internet Explorer's Internet Options dialog. To configure Protected Mode,click the Security tab, select a Web content zone, and then change the "Enable Protected Mode" check box.By default, Protected Mode is enabled for the Internet, Intranet, and Restricted Sites zones. To verify thatInternet Explorer is running in Protected mode, look for the words "Protected Mode: On" next to the Webcontent zone displayed in Internet Explorer's status bar..
Understanding and Working in Protected Mode Internet Explorer http://msdn.microsoft.com/en-us/library/bb250462(VS.85,printer).aspx
3 of 12 05/02/2010 18:57
Protected Mode will be configurable through Group Policy when Windows Vista ships through theURLACTION_LOWRIGHTS (0x00002500)URL Action. For more information, please see URL Security ZonesOverviews [ http://msdn.microsoft.com/en-us/library/ms537187(VS.85).aspx ] .
Working with Protected Mode
This section shows how extensions can perform common tasks while in Protected Mode; it explains how tofind low integrity object locations, save files outside low integrity file locations, elevate processes out ofProtected Mode, and debug Protected Mode access failures.
Finding Low Integrity Write Locations
In Windows Vista, securable objects automatically inherit the lower integrity level between the process thatcreated them and their container. As a result, files or registry keys have a low integrity when created inProtected Mode. This means that a low integrity process can obtain write access to the objects it creates.However, a low integrity process cannot gain write access to medium or high integrity folders or files in theuser's profile.
Before writing to a low integrity location, extensions can determine if Internet Explorer is running in ProtectedMode by calling the IEIsProtectedModeProcess [ http://msdn.microsoft.com/library/default.asp.aspx?url=/workshop/security/protmode/reference/functions/IEIsProtectedModeProcess.asp ] function. When inProtected Mode, extensions can write files to a folder below the user's UserProfile folder, typically%userprofile%\AppData\LocalLow. Use the SHGetKnownFolderPath function with theFOLDERID_LocalAppDataLow flag to obtain the expanded folder name.
SHGetKnownFolderPath(FOLDERID_LocalAppDataLow, 0, NULL, szPath, ARRAYSIZE(szPath));
Note Protected Mode modifies IE's environment variables. As a result, the GetTempPath() function returns%Temp%\Low when called while Protected Mode is active.
Low integrity processes can create and write to low integrity subkeys of the registry, such asHKEY_CURRENT_USER\Software\AppDataLow. However, extensions running in Protected mode's low integrityprocess can only write to specific low integrity locations and should use IEGetWriteableHKCU [http://msdn.microsoft.com/library/default.asp.aspx?url=/workshop/security/protmode/reference/functions/IEGetWriteableHKCU.asp ] to obtain a low integrity registry location.
Security Alert Take care to avoid mixing integrity levels. Low integrity objects should be stored separatelyfrom medium or high integrity objects. In addition, medium and high integrity applications should not openlow integrity objects without proper validation.
Saving Files to the User Profile
Some extensions need to save files to a particular location so that users or applications can later find the file.The following steps show how to save a file outside of a low integrity location.
Create a temporary version of the file in %userprofile%\AppData\LocalLow. Don't forget to delete thetemporary file after the file is sucessfully saved.
1.
Call IEShowSaveFileDialog [ http://msdn.microsoft.com/library/default.asp.aspx?url=/workshop/security/protmode/reference/functions/IEShowSaveFileDialog.asp ] with the location of the user'sprofile folder to prompt the user to save the file in a different location. If the user accepts the Save Asdialog, IEShowSaveFileDialog returns the destination folder they have chosen.
2.
Call IESaveFile [ http://msdn.microsoft.com/library/default.asp.aspx?url=/workshop/security/protmode/reference/functions/IESaveFile.asp ] with the location of the temporary file saved in Step 1.
3.
When you do this, Protected Mode's user broker copies the file from the temporary location to the locationselected by the user.
To obtain write access to other medium integrity objects, use a custom broker process and then elevate yourbroker to a medium level process. When run as medium level processes, broker objects can access mediumintegrity objects. For more information, see Starting Processes from Protected Mode.
Starting Processes from Protected Mode
In general, extensions should operate as low integrity processes whenever possible. This provides the bestprotection against malicious attacks. However, there are times when an extension may need to accessmedium or even high integrity objects.
To do this, create a broker process to access higher integrity objects and then launch the broker process witha higher integrity level. By default, Internet Explorer will prompt the user to confirm the medium integrityelevated process, as shown in the following screen shot.
Understanding and Working in Protected Mode Internet Explorer http://msdn.microsoft.com/en-us/library/bb250462(VS.85,printer).aspx
4 of 12 05/02/2010 18:57
You can silently elevate your broker process to medium integrity level by creating an elevation policy, whichis a series of registry keys and values that tell Protected Mode how to handle elevation for a specific broker.Elevation policies must have a globally unique identifier (GUID) associated with them. Use CreateGuid [http://msdn.microsoft.com/library/default.asp.aspx?url=/library/en-us/vcext/html/vxlrfvcwizlibvcwizctlcreateguid.asp ] to create a new GUID for your policy. Next, add a key to thefollowing location.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerLow RightsElevationPolicy
Set the name of the new key to the GUID created for your policy and then add the following settings to thekey.
Policy (DWORD) indicates how Protected Mode should launch the broker. The following table describesthe supported values.
Value Result
3 Protected Mode silently launches the broker as a medium integrity process.
2 Protected Mode prompts the user for permission to launch the process. If permission isgranted, the process is launched as a medium integrity process.
1 Protected mode silently launches the broker as a low integrity process.
0 Protected mode prevents the process from launching.
1.
If your broker is an executable file, add the following settings to your policy.
AppName (REG_SZ) is the filename of your broker's executable file.
AppPath (REG_SZ) is the user-selected install location of your broker's executable file.
2.
If your extension launches a COM server that is not registered in HKEY_CLASSES_ROOT, and getsdynamically registered through COM and launched through CoCreateInstance, add a REG_SZ valuecalled CLSID containing the CLSID of the COM server and add the following setting to your policy.
CLSID (REG_SZ) contains the CLSID of your extension.
3.
To illustrate, the following policy would silently elevate a fictional broker called contoso.exe to mediumintegrity level.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerLow RightsElevationPolicy
Understanding and Working in Protected Mode Internet Explorer http://msdn.microsoft.com/en-us/library/bb250462(VS.85,printer).aspx
5 of 12 05/02/2010 18:57
{0002df01-0000-0000-c000-000000000046}AppName="Contoso.exe"AppPath="C:\%USERPROFILE%\Application Data\Contoso"Policy=(DWORD) 00000003
Note For security reasons, Internet Explorer in Protected Mode ignores parameters that change the workingdirectory of createProcess [ http://msdn.microsoft.com/en-us/library/ms682425.aspx ] , createProcessAsUser[ http://msdn.microsoft.com/en-us/library/ms682429(VS.85).aspx ] , and related functions. If your processmust accept working directory parameters, use a logical XOR operation to add0x80000
to the value of the Policy setting of the elevation policy for your application. Be aware that this can create asecurity risk; as a result, it is strongly discouraged.
If Microsoft determines that an application has a vulnerability and presents a danger to end users, Microsoftreserves the right to remove that application at any time from the elevation policy.
You can also create broker processes to access high integrity objects. For information describing how tolaunch broker processes with a high integrity level, please see the Guidelines for Administrative UserApplications section of Developer Best Practices and Guidelines for Applications in a Least PrivilegedEnvironment [ http://msdn.microsoft.com/library/default.asp.aspx?url=/library/en-us/dnlong/html/AccProtVista.asp ] . Note that you do not need to create an elevation policy because UAC will handlethe elevation.
If your existing extension uses rundll32.exe to host a .DLL library, you can silently launch a rundll32.exeprocess with low integrity by adding the library's filename to the following key.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerLow RightsRunDll32Policy
The following example shows the setting that would silently load the fictional contoso.dll library with lowintegrity using rundll32.exe.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerLow RightsRunDll32Policycontoso.dll
Note The best practice is to create a custom exe to host DLL's and not use rundll32.exe.
Allowing Drag and Drop Operations in your Application
By default, Protected mode prompts the user before allowing web content to be copied to a higher integrityprocess.
You can register your application to avoid this prompt and silently accept web content from a drag-and-dropoperation by creating a DragDrop policy. DragDrop policies must have a globally unique identifier (GUID)associated with them. Use CreateGuid [ http://msdn.microsoft.com/library/default.asp.aspx?url=/library/en-us/vcext/html/vxlrfvcwizlibvcwizctlcreateguid.asp ] to create a new GUID for your policy. Next, add a keyto the following location.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerLow RightsDragDrop
Set the name of the new key to the GUID created for your policy and then add the following settings to thekey.
Policy (DWORD) should be set to 3, which tells Protected mode to allow web content to be silentlycopied to your application process.
1.
If your application is an executable file, add the following settings to your policy.
AppName (REG_SZ) is the filename of your application executable file.
AppPath (REG_SZ) is the user-selected install location of your application's executable file.
2.
Understanding and Working in Protected Mode Internet Explorer http://msdn.microsoft.com/en-us/library/bb250462(VS.85,printer).aspx
6 of 12 05/02/2010 18:57
If your extension launches a COM server that is not registered in HKEY_CLASSES_ROOT, getsdynamically registered through COM and launched via CoCreateInstance, add a REG_SZ value calledCLSID containing the CLSID of the COM server, add the following setting to your policy.
CLSID (REG_SZ) contains the CLSID of your extension.
3.
The following example shows the setting that would all web content to be silently copied to fictionalcontoso.exe application
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerLow RightsDragDropAppName="contose.exe"AppPath="C:\%USERPROFILE%\Application Data\Contoso"Policy=(DWORD) 00000003
Allowing Applications to Receive Window Messages
As mentioned above, UIPI blocks window messages from low to higher integrity processes. If your extensionrunning in Protected mode needs to communicate with an evelated application using window messages, youcan call ChangeWindowMessageFilter() [ http://msdn.microsoft.com/library/default.asp.aspx?url=/library/en-us/winui/winui/windowsuserinterface/windowing/windows/windowreference/windowfunctions/changewindowmessagefilter.asp ] from the elevated application to allow specific messages though.
Note The best practice is run your application with low integrity if you are communicating with Protectedmode. Otherwise use only secure forms of interprocess communication (IPC), such as remote procedure calls(RPC), to communicate between Protected mode and a higher integrity process.
Launching and Navigating a Protected Mode Process
If your application uses CreateProcess [ http://msdn.microsoft.com/library/default.asp.aspx?url=/library/en-us/dllproc/base/createprocess.asp ] to launch IE, it should call IELaunchURL [ http://msdn.microsoft.com/library/default.asp.aspx?url=/workshop/security/protmode/reference/functions/IELaunchURL.asp ] on Vista.This will ensure that your application gets the right return values and that IE launches in Protected mode forURLs whose zone has Protected mode on. If you need to determine whether a specific URL will open in a low(Protected mode) or a medium integrity IE process before launching IE, call IEIsProtectedModeURL [http://msdn.microsoft.com/library/default.asp.aspx?url=/workshop/security/protmode/reference/functions/IEIsProtectedModeURL.asp ] . Note that a high integrity process with administrator privileges will launch ahigh integrity IE process with Protected mode off. If you want to launch Protected mode from your highintegrity process then first create a medium integrity process, which will launch your high integrity processand IE.
If your application launches Internet Explorer using CoCreateInstance [ http://msdn.microsoft.com/library/default.asp.aspx?url=/library/en-us/com/html/7295a55b-12c7-4ed0-a7a4-9ecee16afdec.asp ] and you needto continue controlling navigations after IE is launched, you can use IWebBrowser2 [http://msdn.microsoft.com/library/default.asp.aspx?url=/workshop/browser/webbrowser/reference/ifaces/iwebbrowser2/iwebbrowser2.asp ] to navigate Internet Explorer programmatically. You can only continuecontrolling navigations after IE is launched if your application has the same integrity level as the IE processlaunched. Once your application navigates to URL in a different integrity IE process, you can not performadditional navigations. You should make the IE Frame visible after navigation.
The following example shows how you would do this in C++.
hr = CoCreateInstance(CLSID_InternetExplorer, NULL, CLSCTX_LOCAL_SERVER, IID_IWebBrowser2,(LPVOID*)&pIWebBrowser2); hr = pIWebBrowser2->Navigate(bstrUrl, &vEmpty, &vEmpty, &vEmpty, &vEmpty); hr = pIWebBrowser2->put_Visible(VARIANT_TRUE);
The following example shows the JScript version.
var ie = new ActiveXObject("InternetExplorer.Application"); ie.Navigate("http://www.msn.com"); ie.visible = true;
Debugging with the Application Compatibility Toolkit
Protected Mode works with the Microsoft Application Compatibility Toolkit [ http://msdn.microsoft.com/library/default.asp.aspx?url=/library/en-us/dnanchor/html/appcompat.asp ] introduced with Windows XP ServicePack 2.
When Internet Explorer or its extensions attempt to write to securable objects in Protected Mode, the
Understanding and Working in Protected Mode Internet Explorer http://msdn.microsoft.com/en-us/library/bb250462(VS.85,printer).aspx
7 of 12 05/02/2010 18:57
application compatibility logs contain entries that describe the operation and its results. The following listexplains the values in the log entries.
ModuleName is the filename that launched the process accessing securable objects.
VirtualizationAction indicates the result of the write operation and is one of the following values.
InterceptedWrite indicates that the operation was intercepted by the Compatibility
Layer.
WriteIgnored indicates that the operation was ignored by ProtectedMode because the
attempting process is an elevated broker.
CreateVirtualCopy indicates that the Compatibility Layer made a copy of the object in
the virtual location.
CreateNew indicates that the Compatibility Layer created a new object in the virtual
location.
ObjectType is either File or Registry.
APIName specifies the function attempting the operation, for example CreateFile or RegOpenKey.
ReqObjectPath is the location of the object the operation object attempted to modify. This is
blank for objects that do not have paths.
When write operations succeed, NewObjectPath specifies the object that was modified by the
operation.
APIResult indicates the result returned by the API function attempting the write operation.
LastError is the last error received by an API function.
This information can be invaluable when trying to determine why operations do not behave as expected.
Designing Secure Extensions
Developing secure Internet Explorer extensions for Protected Mode is not that different from developingsecure applications for Windows Vista. In addition to the guidelines offered in Developer Best Practices andGuidelines for Applications in a Least Privileged Environment [ http://msdn.microsoft.com/library/default.asp.aspx?url=/library/en-us/dnlong/html/AccProtVista.asp ] and ActiveX Security: Improvementsand Best Practices [ http://msdn.microsoft.com/library/default.asp.aspx?url=/library/en-us/IETechCol/cols/dnexpie/activex_security.asp ] , extension developers should understand how to install software fromextensions, start low integrity processes, lower resource integrity levels, and determine process integritylevels. This section shows how to perform these tasks.
Installing Software from Extensions
When running in Protected Mode, ActiveX controls and other extensions cannot install software. If yourextension needs to modify high integrity objects, such as the Program files or registry keys underHKEY_LOCAL_MACHINE, you should create a standalone installation application that can be run withadministrator privileges.
To launch your application with administrator privileges, you can include an application manifest as detailedin the Developer Best Practices and Guidelines for Applications in a Least Privileged Environment [http://msdn.microsoft.com/library/default.asp.aspx?url=/library/en-us/dnlong/html/AccProtVista.asp ] . Afterinstallation, your extension running in Protected mode can launch your application with medium integrityinstead of launching it from the install application with high integrity. This helps protect the user because theapplication is running with user privileges instead of administrator privileges.
If you add to the elevation policy, you need to close and restart any open Internet Explorer processes.IEUser.exe does not automatically detect and respond to elevation policy changes.
Starting Low Integrity Processes
By default, child processes inherit the integrity level of the parent process. To start a low integrity processfrom Protected mode, call CreateProcessAsUser [ http://msdn.microsoft.com/library/default.asp.aspx?url=/library/en-us/dllproc/base/createprocessasuser.asp ] . To start a low integrity process from a mediumintegrity process, you have to explicitly start the new process as low integrity. This is a three step process.
Understanding and Working in Protected Mode Internet Explorer http://msdn.microsoft.com/en-us/library/bb250462(VS.85,printer).aspx
8 of 12 05/02/2010 18:57
Duplicate the handle of the medium integrity process.1.Use SetTokenInformation [ http://msdn.microsoft.com/library/default.asp.aspx?url=/library/en-us/secauthz/security/settokeninformation.asp ] to lower the process handle to low integrity.
2.
Use CreateProcessAsUser [ http://msdn.microsoft.com/library/default.asp.aspx?url=/library/en-us/dllproc/base/createprocessasuser.asp ] to create a new process using the low integrity handle.
3.
The following code sample demonstrates this process.
#include <sddl.h>
void CreateLowProcess(){ BOOL bRet; HANDLE hToken; HANDLE hNewToken;
// Notepad is used as an example WCHAR wszProcessName[MAX_PATH] = L"C:\\Windows\\System32\\Notepad.exe";
// Low integrity SID WCHAR wszIntegritySid[20] = L"S-1-16-4096"; PSID pIntegritySid = NULL;
TOKEN_MANDATORY_LABEL TIL = {0}; PROCESS_INFORMATION ProcInfo = {0}; STARTUPINFO StartupInfo = {0}; ULONG ExitCode = 0;
if (OpenProcessToken(GetCurrentProcess(),MAXIMUM_ALLOWED, &hToken)) { if (DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, NULL, SecurityImpersonation, TokenPrimary, &hNewToken)) { if (ConvertStringSidToSid(wszIntegritySid, &pIntegritySid)) { TIL.Label.Attributes = SE_GROUP_INTEGRITY; TIL.Label.Sid = pIntegritySid;
// Set the process integrity level if (SetTokenInformation(hNewToken, TokenIntegrityLevel, &TIL, sizeof(TOKEN_MANDATORY_LABEL) + GetLengthSid(pIntegritySid))) { // Create the new process at Low integrity bRet = CreateProcessAsUser(hNewToken, NULL, wszProcessName, NULL, NULL, FALSE, 0, NULL, NULL, &StartupInfo, &ProcInfo); }
LocalFree(pIntegritySid); } CloseHandle(hNewToken); } CloseHandle(hToken); }}
Note You can also launch low integrity processes from Protected Mode by setting a registry key. For moreinformation, please see Launching Processes.
Lowering Resource Integrity
Generally, it is not a good security practice for higher level processes to accept input or share resources withlow integrity processes. There is a risk the low integrity process may attempt malicious behavior. However,there are times when this is required by design.
Note Applications that accept input or share resources from lower integrity processes should assume thatdata provided by lower integrity processes cannot be trusted and then perform appropriate validation. Forexample, Protected mode displays the Save As dialog from the Internet Explorer User Broker process; thisallows the user to confirm that they want to save a file using a process that runs with higher privileges thanProtected mode.
Because low integrity applications can only write to low integrity resources, you need to lower the integritylevel of the shared resources.
Create an SDDL security descriptor that defines a Low mandatory label.1.
Understanding and Working in Protected Mode Internet Explorer http://msdn.microsoft.com/en-us/library/bb250462(VS.85,printer).aspx
9 of 12 05/02/2010 18:57
Convert the SDDL string to a security descriptor.2.Assign the low integrity attribute to the security descriptor.3.Assign the security descriptor to the shared resource.4.
The following code sample shows this process.
#include <sddl.h>#include <AccCtrl.h>#include <Aclapi.h>
void SetLowLabelToFile(){ // The LABEL_SECURITY_INFORMATION SDDL SACL to be set for low integrity #define LOW_INTEGRITY_SDDL_SACL_W L"S:(ML;;NW;;;LW)" DWORD dwErr = ERROR_SUCCESS; PSECURITY_DESCRIPTOR pSD = NULL;
PACL pSacl = NULL; // not allocated BOOL fSaclPresent = FALSE; BOOL fSaclDefaulted = FALSE; LPCWSTR pwszFileName = L"Sample.txt";
if (ConvertStringSecurityDescriptorToSecurityDescriptorW( LOW_INTEGRITY_SDDL_SACL_W, SDDL_REVISION_1, &pSD, NULL)) { if (GetSecurityDescriptorSacl(pSD, &fSaclPresent, &pSacl, &fSaclDefaulted)) { // Note that psidOwner, psidGroup, and pDacl are // all NULL and set the new LABEL_SECURITY_INFORMATION dwErr = SetNamedSecurityInfoW((LPWSTR) pwszFileName, SE_FILE_OBJECT, LABEL_SECURITY_INFORMATION, NULL, NULL, NULL, pSacl); } LocalFree(pSD); }}
Application processes can only set the integrity levels of securable objects to those at or below the applicationprocess.
Windows Vista allows object owners to change the integrity access level of a securable object. Such changeswill not update audit logs.
Processes with READ_CONTROL privileges for a securable object can use GetNamedSecurityInfo [http://windowssdk.msdn.microsoft.com/library/default.asp.aspx?url=/library/en-us/secauthz/security/getnamedsecurityinfo.asp ] to determine the object's integrity level.
Note Even low integrity files will get redirected by Protected mode's compatibility shim except for knownlocations mentioned in the frequently-asked questions.
Determining Process Integrity Levels
Extensions that can run in different processes might want to check if the code is running in a process at Lowor Medium integrity level and modify behavior accordingly. The following steps show how to determine theintegrity level of a process.
Open a handle to the current process's token.1.Get the integrity level of the token.2.Compare the integrity level SID to the system defined integrity level RIDs.3.
The following code sample shows how to do this.
void ShowProcessIntegrityLevel(){ HANDLE hToken; HANDLE hProcess;
DWORD dwLengthNeeded; DWORD dwError = ERROR_SUCCESS;
PTOKEN_MANDATORY_LABEL pTIL = NULL; LPWSTR pStringSid; DWORD dwIntegrityLevel;
Understanding and Working in Protected Mode Internet Explorer http://msdn.microsoft.com/en-us/library/bb250462(VS.85,printer).aspx
10 of 12 05/02/2010 18:57
hProcess = GetCurrentProcess(); if (OpenProcessToken(hProcess, TOKEN_QUERY | TOKEN_QUERY_SOURCE, &hToken)) { // Get the Integrity level. if (!GetTokenInformation(hToken, TokenIntegrityLevel, NULL, 0, &dwLengthNeeded)) { dwError = GetLastError(); if (dwError == ERROR_INSUFFICIENT_BUFFER) { pTIL = (PTOKEN_MANDATORY_LABEL)LocalAlloc(0, dwLengthNeeded); if (pTIL != NULL) { if (GetTokenInformation(hToken, TokenIntegrityLevel, pTIL, dwLengthNeeded, &dwLengthNeeded)) { dwIntegrityLevel = *GetSidSubAuthority(pTIL->Label.Sid, (DWORD)(UCHAR)(*GetSidSubAuthorityCount(pTIL->Label.Sid)-1)); if (dwIntegrityLevel < SECURITY_MANDATORY_MEDIUM_RID) { // Low Integrity wprintf(L"Low Process"); } else if (dwIntegrityLevel >= SECURITY_MANDATORY_MEDIUM_RID && dwIntegrityLevel < SECURITY_MANDATORY_HIGH_RID) { // Medium Integrity wprintf(L"Medium Process"); } else if (dwIntegrityLevel >= SECURITY_MANDATORY_HIGH_RID) { // High Integrity wprintf(L"High Integrity Process"); } } LocalFree(pTIL); } } } CloseHandle(hToken); }}
Frequently Asked Questions
Q: Does UAC file and registry Virtualization apply to Protected Mode?
A: No, UAC Virtualization does not apply to Protected Mode and, therefore, write access to Protected Modeextensions that write to sensitive areas will not be redirected.
Protected Mode also does not have write access to the redirected or virtual store for system areas. Extensionsrunning in Protected Mode get an Access Denied error when they attempt to write to sensitive system areas.
Q: Are there specific locations in the USER PROFILE or HKEY_CURRENT_USER registry location that anextension in Protected Mode Internet Explorer can not write to?
A: Yes, Internet Explorer-specific locations in the following USER PROFILE folders.
Documents and Settings\%USER PROFILE%......\Local Settings\Temporary Internet Files...\Local Settings\Temp...\Local Settings\History ...\%USER PROFILE%\Favorites ...\%USER PROFILE%\Cookies
Extensions can write to the following locations.
Documents and Settings\%USER PROFILE%......\Local Settings\Temporary Internet Files\Low...\Local Settings\Temp\Low...\Local Settings\History\Low ...\%USER PROFILE%\Favorites\Low ...\%USER PROFILE%\Cookies\Low%USER PROFILE%\AppData\LocalLow
Understanding and Working in Protected Mode Internet Explorer http://msdn.microsoft.com/en-us/library/bb250462(VS.85,printer).aspx
11 of 12 05/02/2010 18:57
Note that extensions can not write to system locations such as the Program Files folder or theHKEY_CLASSES_ROOT or HKEY_LOCAL_MACHINE subtrees.
Furthermore, extensions that attempt to gain write access to securable objects by using an API function inone of the following binaries will receive Access Denied errors.
actxprxy.dll ieui.dll mswsock.dll sensapi.dll
Advapi32.dll iexplore.exe NAPINSP.dll Shdocvw.dll
bcrypt.dll IMM32.dll ncrypt.dll SHLWAPI.dll
BrowseUI.dll Inetcpl.cpl NETAPI32.dll SWEEPRX.dll
clbcatq.dll IPHLPAPI.dll NLAapi.dll TAPI32.dll
Comctl32.dll jscript.dll NSI.dll URLMon.dll
Corpol.dll jsproxy.dll Ntdll.dll USERENV.dll
CREDSSP.dll Kernel32.dll ntmarta.dll USP10.dll
Crypt32.dll LPK.dll offprof.dll uxtheme.dll
Cryptnet.dll mf.dll OLEACC.dll vbscript.dll
dciman32.dll mlang.dll pnrpnsp.dll Wininet.dll
ddraw.dll MPR.dll PSAPI.dll WINNSI.dll
dhcpcsvc.dll MSASN1.dll rasadhlp.dll winrnr.dll
dhcpcsvc6.dll mscms.dll rasapi32.dll WINSPOOL.DRV
DNSAPI.dll MSCTF.dll rasdlg.dll winsta.dll
dssenh.dll msfeeds.dll rasman.dll Wintrust.dll
dwmapi.dll msfeedsbs.dll rpcrt4.dll ws2_32.dll
Dxtmsft.dll Mshtml.dll rsaenh.dll wship6.dll
Dxtrans.dll MSHTMLED.dll rtutils.dll wshtcpip.dll
gpapi.dll msimg32.dll samlib.dll wsock32.dll
Ieframe.dll msimtf.dll Schannel.dll wtsapi32.dll
IEPeers.dll msls31.dll secur32.dll
iertutil.dll Mstime.dll Secure32.dll
Q: How do I stop my toolbar from launching an elevated Internet Explorer process?
A: Many toolbar installations close all running instances of Internet Explorer and launch a new one once theirsetup is finished, so that the new toolbar is visible. The problem is that the new Internet Explorer is launchedfrom an elevated process and, therefore, is also elevated. Toolbars can avoid this problem by closing downInternet Explorer and re-launching it with a lower integrity level. For more information, please see StartingLow Integrity Processes.
Q: By default, elevation requests ignore
Acknowledgements
We would like to thank the following for their help in preparing and reviewing this article: Robert Gu, VidyaNallathimmayyagari, Jeremy Epling, Sharath Udupa, Hao-Wei Liu, Bogdan Tepordei, Lance Leonard, and WillMason.
Marc Silbey and Peter Brundrett are program managers on the Internet Explorer and Windows Securityteams.
Understanding and Working in Protected Mode Internet Explorer http://msdn.microsoft.com/en-us/library/bb250462(VS.85,printer).aspx
12 of 12 05/02/2010 18:57