Internet Explorer Network Protocol Lockdown


  • Author
    Posts
    • #2206
      Webmaster
      Keymaster

      Applies To: Windows 7, Windows Server 2003 with SP1, Windows Vista, Windows XP
      Note
      The Microsoft Windows Server 2003 Internet Explorer Enhanced Security Configuration component (also known as Microsoft Internet Explorer hardening) reduces a server’s vulnerability to attacks from Web content by applying more restrictive Internet Explorer security settings that disable scripts, ActiveX components, and file downloads for resources in the Internet security zone. As a result, many of the security enhancements included in the latest release of Internet Explorer will not be as noticeable in Windows Server 2003 Service Pack 1. For example, the new Internet Explorer Notification Bar and Pop-up Blocker features will not be used unless the site is in a zone whose security setting allows scripting. If you are not using the enhanced security configuration on your server, these features will function as they do in Windows XP Service Pack 2.
      What Does Network Protocol Lockdown Do?
      Internet Explorer can be configured to lock down HTML content from particular network protocols in additional zones besides the Local Machine zone. This feature allows an administrator to extend the same restrictions of the Local Machine Zone Lockdown (which is described previously in this document) to be applied to any content on any arbitrary protocol in any security zone. For example, an administrator can configure Internet Explorer to lock down HTML content hosted on the Shell: protocol if it is in the Internet zone. Since the Shell: protocol’s most common use is for local content and not Internet content, this mitigation can reduce the attack surface of the browser against possible vulnerabilities in protocols less commonly used than HTTP.
      Who does this feature apply to?
      By default, Network Protocol Lockdown is not enabled for any application.
      All application developers should review this feature. Applications that host HTML files over non-HTTP protocols in Internet Explorer may be affected in organizations where administrators elect to apply additional restrictions. Developers of standalone applications that host Internet Explorer might want to modify their applications to make use of Network Protocol Lockdown. Developers who chose to opt in to Network Protocol Lockdown should register their applications to take advantage of the changes. Applications that do not use this mitigation should independently review their applications for support for arbitrary protocols.
      Software developers with applications that host Internet Explorer can use this feature by adding their process name to the registry as described later in this document. In the future, Microsoft might implement this feature with certain uncommonly used protocols restricted by default and with an “opt-out” policy for applications rather than the current “opt-in” policy for applications. Applications that host Internet Explorer should be tested to ensure that they function properly with Network Protocol Lockdown enabled for their process.
      Network Administrators should consider adding unused protocols to the restricted protocol list on managed desktop machines. If the network administrator enables this restriction, there may be HTML files that will be affected.
      Developers of Web sites that are hosted on the HTTP protocol should not be affected by restrictions to other protocols.
      Users are most likely to be affected by these more stringent restrictions if their Network Administrator chose to restrict certain protocols for their desktop.
      What existing functionality is changing in Windows Server 2003 Service Pack 1?
      Changes to security settings for restricted protocols
      Detailed description
      With Windows Server 2003 Service Pack 1, HTML content in an application that has “opted in” to use the Network Protocol Lockdown feature that is served on one of the restricted protocols will be restricted to run at a higher security level. Any time the restricted protocol content attempts to use a restricted feature, such as ActiveX controls, the Information Bar will appear in Internet Explorer with the following text (text may be different for other blocked URL actions):
      Internet Explorer has blocked this site from using an ActiveX control in an unsafe manner. As a result this page may not display correctly.
      The user can click the Information Bar to remove the lockdown from the restricted content. The change in setting using the Information Bar is per session only, unless the policies are changed in the registry.
      The security settings that are locked down for the content on the restricted protocols are the same as the settings enforced for the Local Machine zone lockdown, which is described earlier in this document. Please consult that section to review exactly which security settings are enforced for the content on the restricted protocols.
      Restricted protocols feature is off by default for Internet Explorer and all applications
      Detailed description
      The behavior of the Network Protocol Lockdown is controlled per-process by a new Internet Explorer Feature Control setting. Since this feature is designed to provide an additional layer of defense-in-depth for network administrators, the default Internet Explorer processes, IExplore.exe and Explorer.exe, are not opted in by default. To opt in to the Network Protocol Lockdown, network administrators or developers should add a DWORD at either of the following locations, where the name is their process name and the value is set to 1 to have the mitigation apply to them. To forcibly opt out, set the value of the key to 0. If the administrator decides to put the setting under the Policies hive, set a REG_SZ instead of a DWORD.
      HKEY_LOCAL_MACHINE\Software\(Policies)\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN
      HKEY_CURRENT_USER\Software\(Policies)\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN
      Applications may want to proactively opt out to prevent the mitigation from being applied to them when a wildcard is used to force the mitigation into Opt-out mode.
      Behavior per-zone when an application has opted in
      For an opted in process, the behavior of the Network Protocol Lockdown is also controlled per zone by a new Internet Explorer security setting or URL action called URLACTION_ALLOW_RESTRICTEDPROTOCOLS. This URL action will be set to the following values.

      Security zone: Restricted Sites Zone
      Default behavior for restricted protocols: Disallow
      Example user situation: Since ActiveX is never allowed in the Restricted Sites zone by default, the Information Bar is not shown when a restricted protocol is encountered. The Information Bar might be shown in the case where a URL action that was previously allowed in the Restricted Sites zone is now disallowed under network protocol lockdown. In this case, the user will NOT be able to click the Information Bar to allow the action.

      Security zone: Internet Zone
      Default behavior for restricted protocols: Prompt
      Example user situation: If the administrator locks down the file:// protocol, HTML that uses script over the file:// protocol is restricted, but users can click the Information Bar to allow it.

      Security zone: Intranet Zone
      Default behavior for restricted protocols: Prompt
      Example user situation: If the administrator locks down the local:// protocol, HTML that uses Java over the local:// protocol is restricted, but users can click the Information Bar to allow it.

      Security zone: Trusted Sites Zone
      Default behavior for restricted protocols: Prompt
      Example user situation: If the administrator locks down the Shell:// protocol, HTML that uses Binary Behaviors over the Shell:// protocol is restricted, but users can click the Information Bar to allow it.

      Security zone: Local Machine Zone
      Default behavior for restricted protocols: Prompt
      Example user situation: If local machine lockdown is enabled, its settings will supersede those established by network protocol lockdown settings.
      Per-Zone Protocol Lock Down
      The list of protocols that are restricted is defined separately for each zone to allow some protocols to be locked down in some zones but run without restrictions in other zones. Protocols can be restricted for a given zone by writing the protocol name to the restricted list for a particular security zone.

      Security zone: Restricted Sites Zone
      Registry location of the list of restricted protocols: HKEY_LOCAL_MACHINE (or HKEY_CURRENT_USER)\Software\(Policies)\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\4
      Security settings applied to restricted protocol content: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4

      Security zone: Internet Zone
      Registry location of the list of restricted protocols: HKEY_LOCAL_MACHINE (or HKEY_CURRENT_USER)\Software\(Policies)\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\3
      Security settings applied to restricted protocol content: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3

      Security zone: Intranet Zone
      Registry location of the list of restricted protocols: HKEY_LOCAL_MACHINE (or HKEY_CURRENT_USER)\Software\(Policies)\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\2
      Security settings applied to restricted protocol content: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2

      Security zone: Trusted Sites Zone
      Registry location of the list of restricted protocols: HKEY_LOCAL_MACHINE (or HKEY_CURRENT_USER)\Software\(Policies)\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\1
      Security settings applied to restricted protocol content: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1

      Security zone: Local Machine Zone
      Registry location of the list of restricted protocols: HKEY_LOCAL_MACHINE (or HKEY_CURRENT_USER)\Software\(Policies)\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\0
      Security settings applied to restricted protocol content: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
      Protocols to consider for lock down
      The default list of restricted protocols is blank. Network administrators should add additional protocols to the lockdown that they know are not needed in their organization for a particular zone. Network administrators should consider restricting some of the following default Windows protocols on managed desktop machines and other protocols that are not needed for rendering HTML with active content in the organization.
      local://
      file://
      shell://
      hcp://
      ftp://
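      The two registry procedures above (per-process opt-in under FeatureControl, and the per-zone RestrictedProtocols lists) as an added PowerShell example, not part of the original post or of Microsoft's documentation. It assumes an elevated session, a hypothetical hosting process name MyHtmlHost.exe, and that each restricted protocol is stored as a REG_SZ value named after the scheme; the post does not spell out that value format, so it is marked as an assumption in the code. The audit function reads every hive and Policies variant so an administrator can see what is actually in effect on a machine.

```powershell
# Added example, not the post's own code. Run elevated (HKLM writes). Assumptions are marked below.
$Zones = @{ LocalMachine = 0; TrustedSites = 1; Intranet = 2; Internet = 3; RestrictedSites = 4 }  # zone numbers per the post's table
$Roots = 'HKLM:\Software\Microsoft', 'HKLM:\Software\Policies\Microsoft',
         'HKCU:\Software\Microsoft', 'HKCU:\Software\Policies\Microsoft'

function Get-IERoot([string]$Hive, [bool]$Policy) {
    if ($Policy) { "${Hive}:\Software\Policies\Microsoft" } else { "${Hive}:\Software\Microsoft" }
}

function Set-ProtocolLockdownOptIn {
    param([Parameter(Mandatory)][string]$ProcessName,          # e.g. 'MyHtmlHost.exe' (hypothetical)
          [ValidateSet('HKLM','HKCU')][string]$Hive = 'HKLM',
          [switch]$Policy,                                      # place the setting under the Policies hive
          [switch]$OptOut)                                      # forcibly opt out (value 0) instead of in (1)
    $path = "$(Get-IERoot $Hive $Policy)\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN"
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    # Per the post: a DWORD under the normal key, but a REG_SZ when the setting lives under Policies.
    $type = if ($Policy) { 'String' } else { 'DWord' }
    New-ItemProperty -Path $path -Name $ProcessName -Value $(if ($OptOut) { 0 } else { 1 }) -PropertyType $type -Force | Out-Null
}

function Add-RestrictedProtocol {
    param([Parameter(Mandatory)][ValidateSet('LocalMachine','TrustedSites','Intranet','Internet','RestrictedSites')][string]$Zone,
          [Parameter(Mandatory)][string[]]$Protocol,           # scheme names without '://', e.g. 'shell', 'hcp'
          [ValidateSet('HKLM','HKCU')][string]$Hive = 'HKLM',
          [switch]$Policy)
    $path = "$(Get-IERoot $Hive $Policy)\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\$($Zones[$Zone])"
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    foreach ($p in $Protocol) {
        # Assumption: each restricted protocol is a REG_SZ value whose name and data are both the scheme name.
        New-ItemProperty -Path $path -Name $p -Value $p -PropertyType String -Force | Out-Null
    }
}

function Get-ProtocolLockdownState {
    # Audit every hive/Policies variant: which processes are opted in, and what each zone's restricted list holds.
    $targets = foreach ($r in $Roots) {
        @{ Source = 'FeatureControl'; Path = "$r\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN" }
        foreach ($z in $Zones.GetEnumerator()) {
            @{ Source = "$($z.Key) zone"; Path = "$r\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\$($z.Value)" }
        }
    }
    foreach ($t in $targets | Where-Object { Test-Path $_.Path }) {
        (Get-ItemProperty $t.Path).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { [pscustomobject]@{ Source = $t.Source; Path = $t.Path; Name = $_.Name; Value = $_.Value } }
    }
}

Set-ProtocolLockdownOptIn -ProcessName 'MyHtmlHost.exe'                 # opt the hypothetical host in (HKLM, DWORD 1)
Add-RestrictedProtocol -Zone Internet -Protocol 'shell','hcp','local'   # three of the protocols the post lists
Get-ProtocolLockdownState | Format-Table -AutoSize
```

      Because the FeatureControl value is keyed by process name, test the hosting application with its own name opted in before rolling the setting out; the audit output makes it easy to confirm that a Policies-hive REG_SZ has not been mistakenly written as a DWORD.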
      Why is this change important?
      This change provides general defense-in-depth against vulnerabilities in less frequently used protocols. For example, an ActiveX control running under the local:// protocol might assume that it is loaded in the Local Machine zone and it may grant elevated privilege to the hosting page.
      What works differently?
      If a Web page served on a protocol that is restricted for a given zone uses any restricted content, such as ActiveX, Internet Explorer will display the Information Bar, as previously described.
      How do I resolve these issues?
      If your Web page needs to run ActiveX or scripting on a protocol that should be restricted for your intranet, you might allow the HTML to render correctly by moving the domain for that HTML to the trusted sites zone on the managed desktop machines. As a long term solution, you can look for ways to move the content off of the restricted protocol or, if that’s not possible, you might remove the active content from the restricted protocol pages entirely by performing needed computations on the server using a server-side script such as an Active Server Page.
      Do I need to change my code to work with Windows Server 2003 Service Pack 1?
      Since this feature is off by default, you will probably not need to change your HTML content unless it runs over a protocol that is restricted by a network administrator for your organization.
