Internet Explorer Zone Elevation Blocks


This topic contains 0 replies, has 1 voice, and was last updated by  Webmaster 3 months, 1 week ago.

Post #2210 by Webmaster (Keymaster)

Applies To: Windows Server 2003 with SP1

Note
The Microsoft Windows Server 2003 Internet Explorer Enhanced Security Configuration component (also known as Microsoft Internet Explorer hardening) reduces a server's vulnerability to attacks from Web content by applying more restrictive Internet Explorer security settings that disable scripts, ActiveX components, and file downloads for resources in the Internet security zone. As a result, many of the security enhancements included in the latest release of Internet Explorer will not be as noticeable in Windows Server 2003 Service Pack 1. For example, the new Internet Explorer Notification Bar and Pop-up Blocker features will not be used unless the site is in a zone whose security setting allows scripting. If you are not using the enhanced security configuration on your server, these features will function as they do in Windows XP Service Pack 2.

What does Zone Elevation Blocks do?
When a Web page is opened in Internet Explorer, Internet Explorer puts restrictions on what the page can do, based on where that Web page came from: the Internet, a local intranet server, a trusted site, and so on. For example, pages on the Internet have stricter security restrictions than pages on a user's local intranet. Web pages on a user's computer are in the Local Machine security zone, where they have the fewest security restrictions. This makes the Local Machine security zone a prime target for malicious users. Zone Elevation Blocks makes it harder to get code to run in this zone. In addition, Local Machine Zone Lockdown makes the zone less vulnerable to malicious users by changing its security settings.

Who does this feature apply to?
Web developers must plan changes or workarounds for any possible impact to their Web site.
Application developers should review this feature to plan to adopt changes in their applications that run in the Local Machine security zone. Because the feature is not enabled for processes other than Internet Explorer by default, developers must register their applications to take advantage of the changes.
End users might be affected by sites that are not compatible with these stricter rules and settings.

What new functionality is added to this feature in Windows Server 2003 Service Pack 1?
Zone Elevation Blocks

Detailed description
Internet Explorer prevents the overall security context for any link on a page from being higher than the security context of the root URL. This means, for example, that a page in the Internet zone cannot navigate to a page in the Local Intranet zone. A script, for example, could not cause this navigation. For the purpose of this mitigation, the security context ranking of the zones, from highest security context to lowest, is: Restricted Sites zone, Internet zone, Local Intranet zone, Trusted Sites zone, and Local Machine zone.
Zone Elevation Blocks also disables JavaScript navigation if there is no security context.
If a user clicks a link that causes the Web site to attempt to navigate to a higher zone, navigation is blocked for navigation to the Local Machine zone, but a dialog box will appear in Internet Explorer when a Web page attempts to open a page in a security zone that has a higher security context and you will be prompted as in the following message. The italicized portion changes, according to the security zone that the Web page is attempting to navigate to.

    The current Web page is trying to open a site in your Trusted sites list. Do you want to allow this?

In any case, the default action does not allow the zone elevation. The user must explicitly allow the requested zone elevation.

Why is this change important?
Elevation of privilege is one of the most exploited vulnerabilities in Internet Explorer, with the ultimate goal of running malicious code in the Local Machine zone. Zone Elevation Blocks helps mitigate many privilege escalation attacks.

What works differently?
Navigation from one zone to a "higher" zone is blocked. This means that Web pages that automatically call more privileged Web pages fail.

How do I resolve these issues?
If you have a trusted Web application that is impacted by this change because it navigates between different security zones without user interaction, you should map the domains that the Web application uses into the security zone with the least privilege necessary to perform the task for which the application was designed.
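The domain-to-zone mapping recommended under "How do I resolve these issues?" and the per-process registration mentioned under "Who does this feature apply to?" both come down to registry settings. The PowerShell below is an added example, not code from the original post or from Microsoft's documentation: it audits which domains are already mapped into the two zones with the fewest restrictions (Trusted Sites and Local Machine), maps a placeholder host into a zone of your choosing, and checks or sets a process's opt-in to the feature. It assumes the standard Internet Settings zone numbering (0 = Local Machine, 1 = Local Intranet, 2 = Trusted Sites, 3 = Internet, 4 = Restricted Sites), the per-user `ZoneMap\Domains` key layout (last two labels of the host as the domain key, any remaining labels as a subkey), and the `FeatureControl\FEATURE_ZONE_ELEVATION` key for per-process opt-in; `app.example.com` and `MyHostApp.exe` are placeholder names, and PowerShell 2.0 or later is assumed.

```powershell
# Added example; not from the original post or from Microsoft's documentation.
# Assumptions (see lead-in): zone numbers 0..4 as listed below, ZoneMap\Domains layout,
# FEATURE_ZONE_ELEVATION opt-in key, placeholder host/executable names, PowerShell 2.0+.

$ZoneMapPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$FeaturePath = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION'
$ZoneNames   = @{ 0 = 'Local Machine'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

# Split a host name into the assumed registry layout: Domains\<last two labels>\<remaining labels>.
function Get-ZoneMapKeyParts([string]$HostName) {
    $labels = $HostName.Split('.')
    if ($labels.Length -lt 2) { throw "Expected a dotted host name, got '$HostName'" }
    $domain = [string]::Join('.', $labels[($labels.Length - 2)..($labels.Length - 1)])
    $sub = $null
    if ($labels.Length -gt 2) { $sub = [string]::Join('.', $labels[0..($labels.Length - 3)]) }
    return @{ Domain = $domain; Sub = $sub }
}

# Read-only audit of every explicit domain-to-zone mapping for the current user.
# Entries in Trusted Sites (2) or Local Machine (0) get the fewest restrictions and are
# the ones to justify against the least-privilege advice in the text, or to remove.
function Get-ZoneMapAudit {
    $results = @()
    if (-not (Test-Path $ZoneMapPath)) { return $results }
    foreach ($key in (Get-ChildItem -Path $ZoneMapPath -Recurse)) {
        $marker = 'ZoneMap\Domains\'
        $rel    = $key.PSPath.Substring($key.PSPath.IndexOf($marker) + $marker.Length)
        $parts  = $rel.Split('\')
        # A single component maps the whole domain (*.example.com); deeper keys name a host.
        $hostName = if ($parts.Length -eq 1) { '*.' + $parts[0] } else { [array]::Reverse($parts); [string]::Join('.', $parts) }
        # Each mapping is a DWORD value named after the scheme ('http', 'https' or '*').
        foreach ($scheme in @('http', 'https', '*')) {
            $prop = Get-ItemProperty -Path $key.PSPath -Name $scheme -ErrorAction SilentlyContinue
            if ($prop -eq $null) { continue }
            $zone = [int]$prop.$scheme
            $results += New-Object PSObject -Property @{
                Host     = $hostName
                Scheme   = $scheme
                Zone     = $zone
                ZoneName = $ZoneNames[$zone]
                Review   = ($zone -eq 0 -or $zone -eq 2)   # fewest restrictions: look at these first
            }
        }
    }
    return $results
}

# Map one host (or a whole domain when $HostName has only two labels) into a zone.
# Start with the least privileged zone that still lets the application work; Local
# Intranet (1) is usually a better first choice than Trusted Sites (2).
function Set-DomainZone([string]$HostName, [int]$Zone, [string]$Scheme = 'https') {
    if (-not $ZoneNames.ContainsKey($Zone)) { throw "Unknown zone number $Zone" }
    $parts   = Get-ZoneMapKeyParts $HostName
    $keyPath = Join-Path $ZoneMapPath $parts.Domain
    if ($parts.Sub) { $keyPath = Join-Path $keyPath $parts.Sub }
    if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
    New-ItemProperty -Path $keyPath -Name $Scheme -PropertyType DWord -Value $Zone -Force | Out-Null
    return "$Scheme://$HostName -> zone $Zone ($($ZoneNames[$Zone]))"
}

# The text notes the feature is enabled only for Internet Explorer unless a process opts in.
# The opt-in is a DWORD named after the executable; writing it under HKLM needs admin rights.
function Test-ZoneElevationOptIn([string]$ProcessName) {
    $prop = Get-ItemProperty -Path $FeaturePath -Name $ProcessName -ErrorAction SilentlyContinue
    return ($prop -ne $null -and [int]$prop.$ProcessName -eq 1)
}
function Enable-ZoneElevationOptIn([string]$ProcessName) {
    if (-not (Test-Path $FeaturePath)) { New-Item -Path $FeaturePath -Force | Out-Null }
    New-ItemProperty -Path $FeaturePath -Name $ProcessName -PropertyType DWord -Value 1 -Force | Out-Null
}

# Usage (placeholder names):
Get-ZoneMapAudit | Sort-Object Zone | Format-Table Host, Scheme, ZoneName, Review -AutoSize
Set-DomainZone -HostName 'app.example.com' -Zone 1 -Scheme 'https'
Enable-ZoneElevationOptIn -ProcessName 'MyHostApp.exe'
Test-ZoneElevationOptIn -ProcessName 'MyHostApp.exe'
```

Run the audit on its own first; it only reads the current user's hive, and any row with `Review` set to true is a mapping that grants a site the fewest restrictions and should be traced back to a concrete need. When a mapping is required, `Set-DomainZone` with zone 1 follows the least-privilege guidance in the text; only move a host to Trusted Sites if Local Intranet is demonstrably insufficient.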
