Internet Explorer Local Machine Zone Lockdown


This topic contains 0 replies, has 1 voice, and was last updated by  Webmaster 3 months, 1 week ago.

  • #2204

    Webmaster
    Keymaster

    The Windows Server 2003 Internet Explorer Enhanced Security Configuration component (also known as Microsoft Internet Explorer hardening) reduces a server’s vulnerability to attacks from Web content by applying more restrictive Internet Explorer security settings that disable scripts, ActiveX components, and file downloads for resources in the Internet security zone. As a result, many of the security enhancements included in the latest release of Internet Explorer will not be as noticeable in Windows Server 2003 Service Pack 1. For example, the new Internet Explorer Notification Bar and Pop-up Blocker features will not be used unless the site is in a zone whose security setting allows scripting. If you are not using the enhanced security configuration on your server, these features will function as they do in Windows XP Service Pack 2.
    What Does Local Machine Zone Lockdown do?
    When Internet Explorer opens a Web page, it places restrictions on what the page can do, based on the page’s Internet Explorer security zone. There are several possible security zones, each with different sets of restrictions. The security zone for a page is determined by its location. For example, pages that are located on the Internet will normally be in the more restrictive Internet security zone. They might not be allowed to perform some operations, such as accessing the local hard drive. Pages that are located on your corporate network would normally be in the Intranet security zone, and have fewer restrictions. The precise restrictions that are associated with most of these zones can be configured by the user through Internet Options on the Tools menu.
    Prior to Windows XP Service Pack 2, the content on the local file system, aside from that cached by Internet Explorer, was considered to be secure and was assigned to the Local Machine security zone. This security zone normally allows content to run in Internet Explorer with relatively few restrictions. However, attackers often try to take advantage of the Local Machine zone to elevate privilege and compromise a computer.
    Many of the exploits that involve the Local Machine zone were mitigated by other changes to Internet Explorer in Windows XP SP2. These changes were incorporated into Internet Explorer in Windows Server 2003 Service Pack 1. However, attackers may still be able to figure out ways to exploit the Local Machine zone. Currently, Internet Explorer further protects the user by locking down the Local Machine zone by default. Local HTML hosted in other applications will run under the less restrictive settings of the Local Machine zone used in previous versions of Internet Explorer unless that application makes use of Local Machine Zone Lockdown.
    Administrators will be able to use Group Policy to manage Local Machine Zone Lockdown and more easily apply it to groups of computers.
    Who does this feature apply to?
    All application developers should review this feature. Applications that host local HTML files in Internet Explorer are likely to be affected. Developers of standalone applications that host Internet Explorer will want to modify their applications to make use of Local Machine Zone Lockdown.
    By default, Local Machine Zone Lockdown is only enabled for Internet Explorer. Developers will need to register their applications to take advantage of the changes. Applications that do not use this mitigation should independently review their applications for Local Machine zone attack vectors.
    Software developers with applications that host Internet Explorer should use this feature by adding their process name to the registry as described later in this document. In the future, Microsoft might implement this feature using an “opt out” policy rather than an “opt in” policy. Applications that host Internet Explorer should be tested to ensure that they function properly with Local Machine Zone Lockdown enabled for their process.
    Network Administrators might have local scripts that will be affected by these restrictions. Administrators should review the available solutions to enable their local scripts without compromising the security of their users’ client computers.
    Developers of Web sites that are hosted on the Internet or Local Intranet zones should not be affected by changes to the Local Machine zone, except when loading those files from the local machine during development.
    Users could be affected by applications that are not compatible with these more stringent restrictions.
    What existing functionality is changing in Windows Server 2003 Service Pack 1?
    Changes to Local Machine zone security settings
    Detailed description
    The Local Machine zone is now more restrictive than the Internet zone. Any time that content attempts one of the following actions in this zone, the Information Bar will appear in Internet Explorer with the following text:
    To help protect your security, Internet Explorer has restricted this file from showing active content that could access your computer. Click here for options…
    The user can click the Information Bar to remove the lockdown from the restricted content.
    The security settings that control the privileges that are granted to content running in the Local Machine zone are known as URL actions. When Local Machine Zone Lockdown is applied to a given process, it changes the behavior of URL actions from the previous Local Machine zone setting of Enabled to Disabled. As a result, scripts and ActiveX controls will not run. The default URL actions changed are:
    URLACTION_SCRIPT_RUN
    URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX
    URLACTION_ACTIVEX_RUN
    URLACTION_ACTIVEX_OVERRIDE_OBJECT_SAFETY (to Prompt, not Disabled)
    URLACTION_CLIENT_CERT_PROMPT
    URLACTION_BEHAVIOR_RUN
    URLACTION_JAVA_PERMISSIONS
    URLACTION_BEHAVIOR_RUN (to Administrator approved, not Disabled)
    URLACTION_FEATURE_MIME_SNIFFING
    URLACTION_FEATURE_WINDOWS_RESTRICTIONS
    URLACTION_AUTOMATIC_DOWNLOAD_UI
    URLACTION_AUTOMATIC_ACTIVEX_UI
    Note
    URLACTION_FEATURE_ZONE_ELEVATION is set to Disabled in the Local Machine zone with or without this feature.
    For Local Machine Zone Lockdown, these settings are stored under a separate registry key:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
    The default Local Machine zone URL action settings are found under:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    Why is this change important?
    This change helps prevent content on a user’s computer from elevating privilege. Code with such elevated privilege can then run any code through an ActiveX control or read information with a script.
    What works differently?
    If a Web page uses any of the restricted types of content that were previously listed, Internet Explorer displays the Information Bar, as previously described.
    HTML files that are hosted on the res: protocol on the local computer will automatically run under the security settings for the Internet zone. For more information about what these templates allow, see “Introduction to URL Security Zones” on the MSDN Web site at http://go.microsoft.com/fwlink/?LinkId=26003.
    How do I resolve these issues?
    You can allow ActiveX and scripts to always run in Web pages that are launched from a CD by clicking Yes when presented with the following message:
    Active content can harm your computer or disclose personal information. Are you sure that you want to allow CDs to run active content on your computer?
    If your Web page needs to run ActiveX or scripting, you can add a Mark of the Web comment in the HTML code. This Internet Explorer feature allows the HTML files to be forced into a zone other than the Local Machine zone so that they can then run the script or ActiveX code based on the security template that would be applied to the URL identified in the comment. For example, if the URL specified is http://www.contoso.com and that URL is present in your Local Intranet sites list, the page uses the security template for the Local Intranet Sites zone. However, if http://www.contoso.com is listed in the Trusted Sites zone, the page is treated as if it were part of the Internet zone. This is by design for security purposes in Windows XP Service Pack 2 and later. This setting works in Internet Explorer 4 and later. To insert a Mark of the Web comment into your HTML file, add one of the following comments:

    <!-- saved from url=(0022)http://www.example.com -->

    Use this comment when you are inserting a Mark of the Web into a page whose domain is identified, replacing http://www.example.com with the URL of the Internet or intranet domain that the page is hosted by. Include the length of the URL in parentheses before the URL used for the Mark of the Web, for example (0022).
    If you want your Web page to always be treated as though it were part of the Internet zone, you can use the following Mark of the Web:

    <!-- saved from url=(0014)about:internet -->

    Use this comment when you need to generically insert a Mark of the Web. The about:internet portion will place the page in the Internet zone.
    Beginning with Windows Server 2003 Service Pack 1 and Windows XP Service Pack 2, this HTML comment can also be used with .mht files (known as multipart HTML) or .xml files. Mark of the Web will be ignored for .mht or .xml files in earlier versions of Internet Explorer.
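    As an added example (not part of the original post or of Microsoft's documentation), a small Python helper that builds the Mark of the Web comment described above with a correctly zero-padded length, and that rejects a comment whose declared length does not match its URL so the file is left to the Local Machine zone lockdown rather than mapped to a zone it did not correctly declare. The sample HTML is constructed.

```python
import re

# Mark of the Web as described in the post: an HTML comment carrying the URL whose
# zone should apply, preceded by the URL's length as four zero-padded digits.
MOTW_RE = re.compile(r"<!--\s*saved from url=\((\d{4})\)(\S+?)\s*-->", re.IGNORECASE)


def make_motw(url: str = "about:internet") -> str:
    """Build a Mark of the Web comment for `url` (default: generic Internet zone)."""
    if not url or any(c.isspace() for c in url):
        raise ValueError("URL must be non-empty and contain no whitespace")
    return f"<!-- saved from url=({len(url):04d}){url} -->"


def parse_motw(html: str):
    """Return the URL declared by the first MOTW comment, or None.

    A comment whose declared length disagrees with the URL is treated as absent
    by this checker (the conservative reading: no zone override was declared).
    """
    m = MOTW_RE.search(html)
    if not m:
        return None
    declared, url = int(m.group(1)), m.group(2)
    return url if declared == len(url) else None


def add_motw(html: str, url: str = "about:internet") -> str:
    """Prepend a MOTW to a document that lacks a valid one; leave a valid one alone."""
    if parse_motw(html) is not None:
        return html
    return make_motw(url) + "\n" + html


# Constructed sample: a local HTML page with inline script (not taken from the post).
SAMPLE = "<html><body><script>document.write('hi')</script></body></html>"
```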
    As another option, you can create a separate application that hosts the HTML content in the Internet Explorer Web Object Control (WebOC). The HTML is then no longer bound by the same rules that apply to content run in Internet Explorer. When the HTML content runs in the other process, it can have full rights as defined by the developer or the zone policy for that process.
    An easy way to do this is to save your content as an .hta (HTML application) file and try to run the file again in the Local Machine zone. An .hta file is hosted in a different process and therefore is not affected by the mitigation. However, .hta files run with full privileges, so you should not allow code that is not trusted to run in this manner.
    Do I need to change my code to work with Windows Server 2003 Service Pack 1?
    Developers should test their applications and enable the lockdown in order to offer enhanced levels of security. Developers of standalone applications should plan to adopt these changes in their applications that host Internet Explorer.
    Developers of ActiveX controls that previously allowed elevated privileges in the Local Machine zone should not change their controls to allow elevated privileges in another zone. Instead, these controls should be converted to run only from an HTML application (.hta file) or a standalone application that runs outside of Local Machine Zone Lockdown.
    By default, Local Machine Zone Lockdown is not enabled for non-Internet Explorer processes. Developers must explicitly register their applications to take advantage of the changes. Application developers that do not use this mitigation should independently review their applications for Local Machine zone attack vectors. To enable Local Machine Zone Lockdown for your application, go to the following registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN
    Add a REG_DWORD value to this key named for your application (for example, MyApplication.exe) and set it to 1. Any other setting for this value will disable Local Machine Zone Lockdown for the application.
    To control whether Local Machine Zone Lockdown is applied to Web pages launched from a CD, go to the following registry key and value:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings\LOCALMACHINE_CD_UNLOCK
    Setting this value to 1 disables this feature for Web pages launched from a CD on the user’s computer.
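    As an added example (not from the original post), a Python audit that reads a regedit-style .reg export of the FEATURE_LOCALMACHINE_LOCKDOWN key and reports which host processes are actually opted in, applying the rule stated above that only the exact value 1 enables the lockdown, plus whether LOCALMACHINE_CD_UNLOCK exempts CD content. The export text is constructed; the process names in it are hypothetical.

```python
import re

# Key and subkey named in the post; per-process REG_DWORD values live under the first.
LOCKDOWN_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main"
                r"\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN")
CD_UNLOCK_KEY = LOCKDOWN_KEY + r"\Settings"

# Constructed .reg export (regedit "Export" format); not captured from a real host.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN]
"iexplore.exe"=dword:00000001
"explorer.exe"=dword:00000001
"MyApplication.exe"=dword:00000000
"HelpViewer.exe"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings]
"LOCALMACHINE_CD_UNLOCK"=dword:00000001
"""


def parse_reg(text: str) -> dict:
    """Map each [key] in a .reg export to {value name (lower-cased): int} for dword values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"'):
            m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
            if m:  # registry value names are case-insensitive, so normalise them
                keys[current][m.group(1).lower()] = int(m.group(2), 16)
    return keys


def is_locked_down(reg: dict, process: str) -> bool:
    """True only if the process value is exactly 1; absence or any other value disables it."""
    return reg.get(LOCKDOWN_KEY, {}).get(process.lower()) == 1


def cd_unlocked(reg: dict) -> bool:
    """True if LOCALMACHINE_CD_UNLOCK=1, i.e. pages launched from CD bypass the lockdown."""
    return reg.get(CD_UNLOCK_KEY, {}).get("localmachine_cd_unlock") == 1


def audit(text: str) -> dict:
    """Summarise opt-in state for every process listed under the lockdown key."""
    reg = parse_reg(text)
    procs = reg.get(LOCKDOWN_KEY, {})
    return {"locked_down": sorted(p for p in procs if is_locked_down(reg, p)),
            "not_locked_down": sorted(p for p in procs if not is_locked_down(reg, p)),
            "cd_unlock": cd_unlocked(reg)}
```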
