Internet Explorer Binary Behaviors Security Setting


This topic contains 0 replies, has 1 voice, and was last updated by Webmaster 2 years ago.



    The Microsoft Windows Server 2003 Internet Explorer Enhanced Security Configuration component (also known as
    Microsoft Internet Explorer hardening) reduces a server's vulnerability to attacks from Web content by applying more
    restrictive Internet Explorer security settings that disable scripts, ActiveX components, and file downloads for resources in the
    Internet security zone. As a result, many of the security enhancements included in the latest release of Internet Explorer will
    not be as noticeable in Windows Server 2003 Service Pack 1. For example, the new Internet Explorer Notification Bar and
    Pop-up Blocker features will not be used unless the site is in a zone whose security setting allows scripting. If you are not
    using the enhanced security configuration on your server, these features will function as they do in Windows XP Service
    Pack 2.
    What does the binary behaviors security setting do?
    Internet Explorer contains dynamic binary behaviors: components that encapsulate specific functionality for HTML elements to
    which they were attached. Before Service Pack 1, these binary behaviors were not controlled by any Internet Explorer security
    setting, allowing them to work on Web pages in the Restricted Sites zone. In Windows Server 2003 Service Pack 1, there is a new
    Internet Explorer security setting for binary behaviors. This new setting disables binary behaviors in the Restricted Sites zone by
    default. In combination with the Local Machine Lockdown security feature, it also requires administrative approval for binary
    behaviors to run in the Local Machine zone by default. This new binary behaviors security setting provides a general mitigation
    to vulnerabilities in Internet Explorer binary behaviors.
    For more information about binary behaviors, such as how they work and how to implement them, see "Cutting Edge: Binary
    Behaviors in Internet Explorer 5.5" on the Microsoft Web site. Note that binary behaviors, which are defined in C++ and
    compiled, are different from attached behaviors and element behaviors, which are defined in script.
    Who does this feature apply to?
    Application developers whose applications use Internet Explorer functionality in the Restricted Sites or Local Machine zones
    should review this feature to plan to adopt changes in their applications. For example, e-mail applications that render HTML
    e-mail in the Restricted Sites zone might need to be modified.
    Users can only be affected by applications that do not completely render HTML content with this new setting. These
    applications will typically alert the user that some active behavior has been blocked from display. For example, when Outlook
    Express encounters this situation, it informs the user that it has restricted active content in the e-mail.
    What new functionality is added to this feature in Windows Server 2003 Service Pack 1?
    New Internet Explorer security setting
    Detailed description
    A new URL action setting, Binary and Script Behaviors, is in each Internet Explorer security zone. The default value for this
    setting is Enable for all zones except the Restricted Sites zone and the Locked-Down Local Machine zone. In the Restricted
    Sites zone, the default value is Disable. In the Locked-Down Local Machine zone, the default value is Administrator
    Why is this change important? What threats does it help mitigate?
    This new setting helps mitigate attacks in which binary behaviors were being used maliciously and allows the user to control
    the use of binary behaviors on a per-zone basis.
    What works differently?
    Any use of any binary behaviors for HTML rendering from the Restricted Sites zone is blocked.
    How do I resolve these issues?
    To use binary behaviors from the Restricted Sites zone, an application will have to implement a custom security manager. (For
    more information, see "Creating a Customized URL Security Manager" in "Introduction to URL Security Zones" on the
    Microsoft Web site.)
    When the binary behaviors URL action is exercised from a custom security manager, the URL action will pass in a string
    representation of the particular binary behavior, which can be enabled by that custom security manager as needed for
    application compatibility. The following process takes place when this URL action is exercised:
    Internet Explorer calls into a custom security manager (if available), using the ProcessUrlAction method with a dwAction
    The pContext parameter points to a LPCWSTR that contains the behavior that a policy is being queried for. For example,
    You set *pPolicy = URLPOLICY_ALLOW for your SmartTag behavior, from within your custom security manager, as
    In the absence of the custom security manager, the default action is to disallow running behaviors in the Restricted Sites zone,
    and to disallow running most behaviors in the Local Machine zone.
    If you are a desktop administrator, you can decide which binary behaviors to allow in the Locked-down Local Machine zone. To
    enable a behavior in the Locked-down Local Machine zone, you can add it to the list of administrator-approved behaviors as
    follows, replacing the Namespace and Behavior variables as appropriate to your environment:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedBehaviors
    #%Namespace%#%Behavior%=dword:00000001
    Behaviors that are defined in this list will also be used for any other zone where the binary behavior restriction setting is
    configured to "Admin-Allowed" (65536).
    What existing functionality is changing in Windows Server 2003 Service Pack 1?
    None. This is only a setting to turn on or off the existing binary behaviors functionality.
    What settings are added or changed in Windows Server 2003 Service Pack 1?
    Internet Explorer Binary Behaviors Settings

    Setting name: *
    Location: HKEY_LOCAL_MACHINE [or HKEY_CURRENT_USER]\Software\Microsoft\Internet Explorer\Main\Feature
    Previous default value: None
    Default value: 1
    Possible values: 0 - Off; 1 - On

    Setting name: 2000
    Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones [or Lockdown_Zones]\*\
    Previous default value: None
    Default value: 3 - Disabled (for the Restricted Sites zone); 65536 - Admin-approved (for the Locked-down Local Machine
    zone); 0 - Enabled (for all other zones)
    Possible values: 3 - Disabled; 65536 - Admin-approved; 0 - Enabled

    * is used in the preceding table to represent that all processes are opted-in for this feature control setting by default.
    The binary behaviors setting can also be modified through Group Policy as part of the Internet Explorer Security Zones and
    Content Ratings setting.
    Do I need to change my code to work with Windows Server 2003 Service Pack 1?
    If your code uses binary behaviors in the Restricted Sites zone, then you will need to change your code by implementing a
    custom security manager for your application. If your code uses binary behaviors in the Local Machine zone, then you will need
    to either implement a custom security manager, add your behaviors to the list of approved behaviors, or use Mark of the Web
    to load your pages in less restrictive zones. For more information, see the "Creating a Customized URL Security Manager"
    section in "Introduction to URL Security Zones" on the Microsoft Web site.
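
    The following PowerShell script is an added example; it is not part of the original post or of Microsoft's documentation. It reads the Binary and Script Behaviors URL action (the REG_DWORD named 2000) from every zone under Zones and Lockdown_Zones, decodes the 0/3/65536 values the table above lists, checks the two hardened defaults the post describes (Restricted Sites = Disabled, Locked-down Local Machine = Admin-approved), enumerates the AllowedBehaviors list, and can register a new administrator-approved behavior in the #Namespace#Behavior form shown above. It assumes the standard Internet Explorer zone numbering (0 Local Machine, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites); the namespace 'myns' and the SmartTag behavior in the usage lines are placeholders, not components present on a real system.

```powershell
# Added example, not part of the original post or of Microsoft's documentation.
# Audits the "Binary and Script Behaviors" URL action (REG_DWORD named "2000",
# i.e. URLACTION_BEHAVIOR_RUN = 0x2000) in each IE zone and lockdown zone,
# lists administrator-approved behaviors, and can register a new one.
# Assumption: standard IE zone numbering (0 Local Machine, 1 Local intranet,
# 2 Trusted sites, 3 Internet, 4 Restricted sites). HKLM zone keys are only
# consulted by IE when the Security_HKLM_only policy value is set.

$ZoneNames   = @{ 0 = 'Local Machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$PolicyNames = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled'; 65536 = 'Admin-approved' }
$UrlAction   = '2000'
$AllowedKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedBehaviors'

function Get-BinaryBehaviorPolicy {
    # One row per (zone set, zone): the raw registry value and its decoded policy.
    param([ValidateSet('HKCU', 'HKLM')][string]$Hive = 'HKCU')
    foreach ($set in 'Zones', 'Lockdown_Zones') {
        foreach ($zone in 0..4) {
            $key = "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\$set\$zone"
            $raw = (Get-ItemProperty -Path $key -Name $UrlAction -ErrorAction SilentlyContinue).$UrlAction
            if ($null -eq $raw) { $policy = 'not set (built-in IE default applies)' }
            elseif ($PolicyNames.ContainsKey([int]$raw)) { $policy = $PolicyNames[[int]$raw] }
            else { $policy = "unknown ($raw)" }
            [pscustomobject]@{ Hive = $Hive; Set = $set; Zone = $zone; Name = $ZoneNames[$zone]; Value = $raw; Policy = $policy }
        }
    }
}

function Test-BinaryBehaviorHardening {
    # Checks the two hardened defaults the post describes: Restricted sites must be
    # Disabled (3) and the Locked-down Local Machine zone must be Admin-approved (65536).
    # A missing value means IE's built-in default applies; it is reported, not passed.
    param([ValidateSet('HKCU', 'HKLM')][string]$Hive = 'HKCU')
    $all = Get-BinaryBehaviorPolicy -Hive $Hive
    foreach ($e in @(@{ Set = 'Zones'; Zone = 4; Want = 3 }, @{ Set = 'Lockdown_Zones'; Zone = 0; Want = 65536 })) {
        $row = $all | Where-Object { $_.Set -eq $e.Set -and $_.Zone -eq $e.Zone }
        [pscustomobject]@{
            Check    = "$($e.Set)\$($e.Zone) ($($row.Name))"
            Expected = $e.Want
            Actual   = $row.Value
            Pass     = ($null -ne $row.Value -and [int]$row.Value -eq $e.Want)
        }
    }
}

function Get-AllowedBehavior {
    # Entries are REG_DWORD values named "#Namespace#Behavior"; 1 = approved.
    if (-not (Test-Path $AllowedKey)) { return }
    (Get-ItemProperty -Path $AllowedKey).PSObject.Properties |
        Where-Object { $_.Name -like '#*#*' } |
        ForEach-Object { [pscustomobject]@{ Entry = $_.Name; Approved = ([int]$_.Value -eq 1) } }
}

function Add-AllowedBehavior {
    # Writes under HKLM, so it needs an elevated shell; use -WhatIf to preview.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$Namespace,
        [Parameter(Mandatory)][string]$Behavior
    )
    $entry = "#$Namespace#$Behavior"   # same form as the #%Namespace%#%Behavior% line in the post
    if ($PSCmdlet.ShouldProcess($entry, 'Add to administrator-approved binary behaviors')) {
        if (-not (Test-Path $AllowedKey)) { New-Item -Path $AllowedKey -Force | Out-Null }
        New-ItemProperty -Path $AllowedKey -Name $entry -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Usage
Get-BinaryBehaviorPolicy -Hive HKCU | Format-Table Set, Zone, Name, Value, Policy -AutoSize
Test-BinaryBehaviorHardening | Format-Table -AutoSize
Get-AllowedBehavior
# 'myns' and 'SmartTag' are placeholders (assumed names), not a real behavior on this system:
Add-AllowedBehavior -Namespace 'myns' -Behavior 'SmartTag' -WhatIf
```

    Run the audit as the user whose zone settings you care about, since Zones and Lockdown_Zones live under HKEY_CURRENT_USER; a row whose Policy is "not set" is not a finding by itself, because Internet Explorer then applies the built-in default the post describes, but it should be confirmed in the Internet Options UI or through the Group Policy setting mentioned above. Only approve a behavior that you have reviewed, because an entry in AllowedBehaviors also unlocks it in every zone set to Admin-Allowed (65536), not just the Locked-down Local Machine zone.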
