Internet Explorer Binary Behaviors Security Setting

IT Support Forum Forums Windows Windows Server 2003 R2 General Discussion Internet Explorer Binary Behaviors Security Setting

Viewing 0 reply threads
  • Author
    • #2201

      The Microsoft Windows Server 2003 InternetExplorer Enhanced Security Configuration component (also known as
      Microsoft InternetExplorer hardening) reduces a server’s vulnerability to attacks from Web content by applying more
      restrictiveInternetExplorer security settings that disablescripts, ActiveX components,and file downloads for resources in the
      Internet security zone. As a result, many of thesecurity enhancements included in thelatest release of InternetExplorer will
      not beas noticeablein Windows Server 2003 Service Pack 1.For example, the new InternetExplorer Notification Bar and
      Pop-up Blocker features will not be used unless thesiteis in a zone whosesecurity setting allows scripting. If you are not
      using theenhanced security configuration on your server, thesefeatures will function as they do in Windows XP Service
      Pack 2.
      What does binary behaviors security setting do?
      InternetExplorer contains dynamic binary behaviors:components thatencapsulatespecific functionality for HTML elements to
      which they wereattached.These binary behaviors are not controlled by any InternetExplorer security setting,allowing them to
      work on Web pages in the Restricted Sites zone. In Windows Server 2003 Service Pack 1, thereis a new InternetExplorer
      security setting for binary behaviors.This new setting disables binary behaviors in the Restricted Sites zone by default. In
      combination with theLocal MachineLockdown security feature, italso requires administrativeapproval for binary behaviors to
      run in theLocal Machinezone by default.This new binary behaviors security setting provides a general mitigation to
      vulnerabilities in InternetExplorer binary behaviors.
      For moreinformation about binary behaviors, such as how they work and how to implement them, see”Cutting Edge: Binary
      Behaviors in InternetExplorer 5.5″ on the Microsoft Web siteat Notethat
      binary behaviors, which are defined in C++ and compiled,are different from attached behaviors and element behaviors, which
      are defined in script.
      Who does this feature apply to?
      Application developers whoseapplications useInternetExplorer functionality in therestricted sites or local machinezones
      should review this featureto plan to adopt changes in their applications.For example,e-mail applications that render HTML email
      in the Restricted Sites zone might need to be modified.
      Users can only beaffected by applications that do not completely render HTML content with this new setting.These
      applications will typically alert the user that someactive behavior has been blocked from display.For example, when Outlook
      Express encounters this situation, it informs the user that it has restricted activecontent in thee-mail.
      What new functionality is added to this feature in Windows Server 2003 Service Pack 1?
      New InternetExplorer security setting
      Detailed description
      A new URL action setting, Binary and Script Behaviors, is in each InternetExplorer security zone.The defaultvaluefor this
      setting is Enable for all zones except the Restricted Sites zoneand theLocked-Down Local Machinezone. In the Restricted
      Sites zone, the defaultvalueis Disable. In theLocked-Down Local Machinezone, the defaultvalueis Administrator
      Why is this change important? What threats does it help mitigate?
      This new setting helps mitigateattacks in which binary behaviors were being used maliciously and allows the user to control
      the use of binary behaviors on a per-zone basis.
      What works differently?
      Any use of any binary behaviors for HTML rendering from the Restricted Sites zoneis blocked.
      How do I resolve these issues?
      To use binary behaviors from the Restricted Sites zone,an application will haveto implementa custom security manager. (For
      moreinformation, see”Creating a Customized URL Security Manager” in “Introduction to URL Security Zones” on the
      Microsoft Web siteat
      When the binary behaviors URL action is exercised from a custom security manager, the URL action will pass in a string
      representation of the particular binary behaviors that can beenabled by that custom security manager as needed for
      application compatibility.Thefollowing process takes place when this URL action is exercised:
      InternetExplorer calls into a custom security manager (if available), using the ProcessUrlAction method with a dwAction
      The pContext parameter points to a LPCWSTR that contains the behavior thata policy is being queried for.For example,
      You set *pPolicy =URLPOLICY_ALLOW for your SmartTag behavior, from within your custom security manager,as
      In theabsence of thecustom security manager, the defaultaction is to disallow running behaviors in the Restricted Sites zone,
      and to disallow running most behaviors in theLocal Machinezone.
      If you area desktop administrator you can decide which binary behaviors to allow in theLocked-down Local Machinezone.To
      enablea behavior in theLocked-down Local Machinezone,you can add it to thelist of administrator-approved behaviors as
      follows, replacing the namespaceand behavior variables as appropriateto your environment:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedBehaviors
      #% Namespace %#% Behavior %=dword:00000001
      Behaviors thatare defined in this list will also be used for any other zone wherethe binary behavior restriction setting is
      configured to “Admin-Allowed” (65536).
      What existing functionality is changing in Windows Server 2003 Service Pack 1?
      None.This is only a setting to turn on or off theexisting binary behaviors functionality.
      What settings are added or changed in Windows Server 2003 Service Pack 1?
      InternetExplorer Binary Behaviors Settings
      Location Previous
      Default value Possible
      * HKEY LOCAL MACHINE [or Current User]
      \Software\Microsoft \InternetExplorer\Main \Feature
      None 1 0 – Off
      1 – On
      2000 HKEY_CURRENT_USER \Software\Microsoft \Windows
      \CurrentVersion \InternetSettings\Zones [or
      Lockdown_Zones] \*\
      None 3 – Disabled (for Restricted Sites
      65536 – Admin-approved (for
      theLocked-down Local Machine
      0 -Enabled (for all other zones)
      3 – Disabled
      65536 –
      0 -Enabled
      * is used in the preceding tableto represent thatall processes are opted-in for this featurecontrol setting by default.
      The binary behaviors setting can also be modified through Group Policy as part of theInternetExplorer Security Zones and
      Content Ratings setting.
      Do I need to change my code to work with Windows Server 2003 Service Pack 1?
      If your code uses binary behaviors in the Restricted Sites zone, then you will need to changeyour code by implementing a
      custom security manager for your application. If your code uses binary behaviors in theLocal Machinezone, then you will need
      to either implementa custom security manager,add your behaviors to thelist of approved behaviors, or use Mark of the Web
      to load your pages in less restrictivezones.For moreinformation, seethe”Creating a Customized URL Security Manager”
      section in “Introduction to URL Security Zones” on the Microsoft Web siteat

Viewing 0 reply threads
  • You must be logged in to reply to this topic.