Internet Explorer Network Protocol Lockdown



Post #2206 by Webmaster (Keymaster)

Applies To: Windows 7, Windows Server 2003 with SP1, Windows Vista, Windows XP

Note: The Microsoft Windows Server 2003 Internet Explorer Enhanced Security Configuration component (also known as Microsoft Internet Explorer hardening) reduces a server's vulnerability to attacks from Web content by applying more restrictive Internet Explorer security settings that disable scripts, ActiveX components, and file downloads for resources in the Internet security zone. As a result, many of the security enhancements included in the latest release of Internet Explorer will not be as noticeable in Windows Server 2003 Service Pack 1. For example, the new Internet Explorer Notification Bar and Pop-up Blocker features will not be used unless the site is in a zone whose security setting allows scripting. If you are not using the enhanced security configuration on your server, these features will function as they do in Windows XP Service Pack 2.
What Does Network Protocol Lockdown Do?

Internet Explorer can be configured to lock down HTML content from particular network protocols in additional zones besides the Local Machine zone. This feature allows an administrator to extend the same restrictions of the Local Machine Zone Lockdown (which is described previously in this document) to be applied to any content on any arbitrary protocol in any security zone. For example, an administrator can configure Internet Explorer to lock down HTML content hosted on the Shell: protocol if it is in the Internet zone. Since the Shell: protocol's most common use is for local content and not Internet content, this mitigation can reduce the attack surface of the browser against possible vulnerabilities in protocols less commonly used than HTTP.
Who does this feature apply to?

By default, Network Protocol Lockdown is not enabled for any application.

All application developers should review this feature. Applications that host HTML files over non-HTTP protocols in Internet Explorer may be affected in organizations where administrators elect to apply additional restrictions. Developers of standalone applications that host Internet Explorer might want to modify their applications to make use of Network Protocol Lockdown. Developers who chose to opt in to Network Protocol Lockdown should register their applications to take advantage of the changes. Applications that do not use this mitigation should independently review their applications for support for arbitrary protocols.

Software developers with applications that host Internet Explorer can use this feature by adding their process name to the registry as described later in this document. In the future, Microsoft might implement this feature with certain uncommonly used protocols restricted by default and with an "opt-out" policy for applications rather than the current "opt-in" policy for applications. Applications that host Internet Explorer should be tested to ensure that they function properly with Network Protocol Lockdown enabled for their process.

Network Administrators should consider adding unused protocols to the restricted protocol list on managed desktop machines. If the network administrator enables this restriction, there may be HTML files that will be affected.

Developers of Web sites that are hosted on the HTTP protocol should not be affected by restrictions to other protocols.

Users are most likely to be affected by these more stringent restrictions if their Network Administrator chose to restrict certain protocols for their desktop.
What existing functionality is changing in Windows Server 2003 Service Pack 1?

Changes to security settings for restricted protocols

Detailed description

With Windows Server 2003 Service Pack 1, HTML content in an application that has "opted in" to use the Network Protocol Lockdown feature that is served on one of the restricted protocols will be restricted to run at a higher security level. Any time the restricted protocol content attempts to use a restricted feature, such as ActiveX controls, the Information Bar will appear in Internet Explorer with the following text (text may be different for other blocked URL actions):

Internet Explorer has blocked this site from using an ActiveX control in an unsafe manner. As a result this page may not display correctly.

The user can click the Information Bar to remove the lockdown from the restricted content. The change in setting using the Information Bar is per session only, unless the policies are changed in the registry.

The security settings that are locked down for the content on the restricted protocols are the same as the settings enforced for the Local Machine zone lockdown, which is described earlier in this document. Please consult that section to review exactly which security settings are enforced for the content on the restricted protocols.
Restricted protocols feature is off by default for Internet Explorer and all applications

Detailed description

The behavior of the Network Protocol Lockdown is controlled per-process by a new Internet Explorer Feature Control setting. Since this feature is designed to provide an additional layer of defense-in-depth for network administrators, the default Internet Explorer processes, IExplore.exe and Explorer.exe, are not opted in by default. To opt in to the Network Protocol Lockdown, network administrators or developers should add a DWORD at either of the following locations, where the name is their process name and the value is set to 1, to have the mitigation apply to them. To forcibly opt out, set the value of the key to 0. If the administrator decides to put the setting under the Policies hive, set a REG_SZ instead of a DWORD.

HKEY_LOCAL_MACHINE\Software\(Policies)\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN

HKEY_CURRENT_USER\Software\(Policies)\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN

Applications may want to proactively opt out to prevent the mitigation from being applied to them when a wildcard is used to force the mitigation into Opt-out mode.
Behavior per-zone when an application has opted in

For an opted in process, the behavior of the Network Protocol Lockdown is also controlled per zone by a new Internet Explorer security setting or URL action called URLACTION_ALLOW_RESTRICTEDPROTOCOLS. This URL action will be set to the following values.

Restricted Sites Zone
  Default behavior for restricted protocols: Disallow
  Example user situation: Since ActiveX is never allowed in the Restricted Sites zone by default, the Information Bar is not shown when a restricted protocol is encountered. The Information Bar might be shown in the case where a URL action that was previously allowed in the Restricted Sites zone is now disallowed under network protocol lockdown. In this case, the user will NOT be able to click the Information Bar to allow the action.

Internet Zone
  Default behavior for restricted protocols: Prompt
  Example user situation: If the administrator locks down the file:// protocol, HTML that uses script over the file:// protocol is restricted, but users can click the Information Bar to allow it.

Intranet Zone
  Default behavior for restricted protocols: Prompt
  Example user situation: If the administrator locks down the local:// protocol, HTML that uses Java over the local:// protocol is restricted, but users can click the Information Bar to allow it.

Trusted Sites Zone
  Default behavior for restricted protocols: Prompt
  Example user situation: If the administrator locks down the Shell:// protocol, HTML that uses Binary Behaviors over the Shell:// protocol is restricted, but users can click the Information Bar to allow it.

Local Machine Zone
  Default behavior for restricted protocols: Prompt
  Example user situation: If local machine lockdown is enabled, its settings will supersede those established by network protocol lockdown settings.
Per-Zone Protocol Lock Down

The list of protocols that are restricted is defined separately for each zone to allow some protocols to be locked down in some zones but run without restrictions in other zones. Protocols can be restricted for a given zone by writing the protocol name to the restricted list for a particular security zone.

Restricted Sites Zone
  Registry location of the list of restricted protocols: HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER\Software\(Policies)\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\4
  Security settings applied to restricted protocol content: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4

Internet Zone
  Registry location of the list of restricted protocols: HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER\Software\(Policies)\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\3
  Security settings applied to restricted protocol content: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3

Intranet Zone
  Registry location of the list of restricted protocols: HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER\Software\(Policies)\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\2
  Security settings applied to restricted protocol content: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2

Trusted Sites Zone
  Registry location of the list of restricted protocols: HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER\Software\(Policies)\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\1
  Security settings applied to restricted protocol content: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1

Local Machine Zone
  Registry location of the list of restricted protocols: HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER\Software\(Policies)\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\0
  Security settings applied to restricted protocol content: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
Protocols to consider for lock down

The default list of restricted protocols is blank. Network administrators should add additional protocols to the lockdown that they know are not needed in their organization for a particular zone. Network administrators should consider restricting some of the following default Windows protocols on managed desktop machines and other protocols that are not needed for rendering HTML with active content in the organization.

local://
file://
shell://
hcp://
ftp://
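Putting the per-process opt-in and the per-zone restricted list together, the PowerShell below is an added example (not from the original post or from Microsoft) that opts a hypothetical hosting process into FEATURE_PROTOCOL_LOCKDOWN, adds three of the schemes listed above to the Internet zone's restricted list, and reads back the resulting state for all five zones so an administrator can verify what is actually in effect. It assumes the process name MyHtmlHost.exe, uses the HKLM non-Policies hive only (so DWORD applies), and assumes that each entry under RestrictedProtocols\<zone> is a string value whose name and data are the bare scheme without "://".

```powershell
# Added example, not part of the original post. Assumes a hypothetical hosting
# application "MyHtmlHost.exe" and that entries under RestrictedProtocols\<zone>
# are string values whose name and data are the bare scheme (assumption).
# Run from an elevated PowerShell session.

$FeaturePath = 'HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN'
$ListBase    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols'
$ZoneNames   = @{ 0 = 'Local Machine'; 1 = 'Trusted Sites'; 2 = 'Intranet'; 3 = 'Internet'; 4 = 'Restricted Sites' }

function Enable-ProtocolLockdownOptIn {
    param([Parameter(Mandatory)][string]$ProcessName)
    New-Item -Path $FeaturePath -Force | Out-Null
    # DWORD named after the process: 1 opts the process in, 0 forcibly opts it out.
    # (Under the Policies hive the text above says to use REG_SZ instead of DWORD.)
    New-ItemProperty -Path $FeaturePath -Name $ProcessName -PropertyType DWord -Value 1 -Force | Out-Null
}

function Add-RestrictedProtocol {
    param([Parameter(Mandatory)][int]$ZoneId, [Parameter(Mandatory)][string[]]$Scheme)
    $listPath = Join-Path $ListBase $ZoneId          # e.g. ...\RestrictedProtocols\3 for Internet
    New-Item -Path $listPath -Force | Out-Null
    foreach ($s in $Scheme) {
        # Assumption: value name and data are both the scheme without "://".
        New-ItemProperty -Path $listPath -Name $s -PropertyType String -Value $s -Force | Out-Null
    }
}

function Get-ProtocolLockdownState {
    # Audit view: opted-in process entries, whether a "*" wildcard is present,
    # and the schemes each zone currently restricts (empty = nothing locked down).
    $optIn = Get-ItemProperty -Path $FeaturePath -ErrorAction SilentlyContinue
    $entries = @(); $wildcard = $false
    if ($optIn) {
        $props    = @($optIn.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })
        $entries  = @($props | ForEach-Object { '{0}={1}' -f $_.Name, $_.Value })
        $wildcard = [bool]($props.Name -contains '*')
    }
    $byZone = [ordered]@{}
    foreach ($zone in 0..4) {
        $list = Get-ItemProperty -Path (Join-Path $ListBase $zone) -ErrorAction SilentlyContinue
        $byZone[$ZoneNames[$zone]] = if ($list) {
            @($list.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object Name)
        } else { @() }
    }
    [pscustomobject]@{ OptedIn = $entries; WildcardPresent = $wildcard; RestrictedByZone = $byZone }
}

Enable-ProtocolLockdownOptIn -ProcessName 'MyHtmlHost.exe'
Add-RestrictedProtocol -ZoneId 3 -Scheme 'shell', 'hcp', 'local'   # Internet zone
Get-ProtocolLockdownState | Format-List
```

The audit function is the part worth keeping: a "*" entry under the feature key switches the mitigation into opt-out mode for every process, so reporting it separately makes that state visible at a glance.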
Why is this change important?

This change provides general defense-in-depth against vulnerabilities in less frequently used protocols. For example, an ActiveX control running under the local:// protocol might assume that it is loaded in the Local Machine zone and it may grant elevated privilege to the hosting page.

What works differently?

If a Web page served on a protocol that is restricted for a given zone uses any restricted content, such as ActiveX, Internet Explorer will display the Information Bar, as previously described.

How do I resolve these issues?

If your Web page needs to run ActiveX or scripting on a protocol that should be restricted for your intranet, you might allow the HTML to render correctly by moving the domain for that HTML to the trusted sites zone on the managed desktop machines. As a long term solution, you can look for ways to move the content off of the restricted protocol or, if that's not possible, you might remove the active content from the restricted protocol pages entirely by performing needed computations on the server using a server-side script such as an Active Server Page.

Do I need to change my code to work with Windows Server 2003 Service Pack 1?

Since this feature is off by default, you will probably not need to change your HTML content unless it runs over a protocol that is restricted by a network administrator for your organization.
