Internet Explorer Binary Behaviors Security Setting

Posted by Webmaster (Keymaster) in Windows Server 2003 R2 General Discussion

The Microsoft Windows Server 2003 Internet Explorer Enhanced Security Configuration component (also known as Microsoft Internet Explorer hardening) reduces a server's vulnerability to attacks from Web content by applying more restrictive Internet Explorer security settings that disable scripts, ActiveX components, and file downloads for resources in the Internet security zone. As a result, many of the security enhancements included in the latest release of Internet Explorer will not be as noticeable in Windows Server 2003 Service Pack 1. For example, the new Internet Explorer Notification Bar and Pop-up Blocker features will not be used unless the site is in a zone whose security setting allows scripting. If you are not using the enhanced security configuration on your server, these features will function as they do in Windows XP Service Pack 2.
What does the binary behaviors security setting do?

Internet Explorer contains dynamic binary behaviors: components that encapsulate specific functionality for the HTML elements to which they were attached. These binary behaviors are not controlled by any Internet Explorer security setting, allowing them to work on Web pages in the Restricted Sites zone. In Windows Server 2003 Service Pack 1, there is a new Internet Explorer security setting for binary behaviors. This new setting disables binary behaviors in the Restricted Sites zone by default. In combination with the Local Machine Lockdown security feature, it also requires administrative approval for binary behaviors to run in the Local Machine zone by default. This new binary behaviors security setting provides a general mitigation to vulnerabilities in Internet Explorer binary behaviors.

For more information about binary behaviors, such as how they work and how to implement them, see "Cutting Edge: Binary Behaviors in Internet Explorer 5.5" on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=21862. Note that binary behaviors, which are defined in C++ and compiled, are different from attached behaviors and element behaviors, which are defined in script.
Who does this feature apply to?

Application developers whose applications use Internet Explorer functionality in the Restricted Sites or Local Machine zones should review this feature to plan to adopt changes in their applications. For example, e-mail applications that render HTML e-mail in the Restricted Sites zone might need to be modified.

Users can only be affected by applications that do not completely render HTML content with this new setting. These applications will typically alert the user that some active behavior has been blocked from display. For example, when Outlook Express encounters this situation, it informs the user that it has restricted active content in the e-mail.
What new functionality is added to this feature in Windows Server 2003 Service Pack 1?

New Internet Explorer security setting

Detailed description

A new URL action setting, Binary and Script Behaviors, is in each Internet Explorer security zone. The default value for this setting is Enable for all zones except the Restricted Sites zone and the Locked-Down Local Machine zone. In the Restricted Sites zone, the default value is Disable. In the Locked-Down Local Machine zone, the default value is Administrator approved.

Why is this change important? What threats does it help mitigate?

This new setting helps mitigate attacks in which binary behaviors were being used maliciously and allows the user to control the use of binary behaviors on a per-zone basis.

What works differently?

Any use of any binary behaviors for HTML rendering from the Restricted Sites zone is blocked.
How do I resolve these issues?

To use binary behaviors from the Restricted Sites zone, an application will have to implement a custom security manager. (For more information, see "Creating a Customized URL Security Manager" in "Introduction to URL Security Zones" on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=21863.)

When the binary behaviors URL action is exercised from a custom security manager, the URL action will pass in a string representation of the particular binary behaviors that can be enabled by that custom security manager as needed for application compatibility. The following process takes place when this URL action is exercised:

1. Internet Explorer calls into a custom security manager (if available), using the ProcessUrlAction method with a dwAction of URLACTION_BEHAVIOR_RUN.
2. The pContext parameter points to a LPCWSTR that contains the behavior that a policy is being queried for. For example, #default#time.
3. You set *pPolicy = URLPOLICY_ALLOW for your SmartTag behavior, from within your custom security manager, as appropriate.

In the absence of the custom security manager, the default action is to disallow running behaviors in the Restricted Sites zone, and to disallow running most behaviors in the Local Machine zone.

If you are a desktop administrator you can decide which binary behaviors to allow in the Locked-down Local Machine zone. To enable a behavior in the Locked-down Local Machine zone, you can add it to the list of administrator-approved behaviors as follows, replacing the Namespace and Behavior variables as appropriate to your environment:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedBehaviors
#%Namespace%#%Behavior%=dword:00000001

Behaviors that are defined in this list will also be used for any other zone where the binary behavior restriction setting is configured to "Admin-Allowed" (65536).
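As an added illustration of the ProcessUrlAction sequence above and of the AllowedBehaviors list it consults (this is not Microsoft's code, and no real COM interface is implemented), the following models the decision a custom security manager makes for URLACTION_BEHAVIOR_RUN: a behavior named in the allow-list is explicitly allowed, anything else is deferred to the zone's own default so Restricted Sites stays blocked. The constant values are assumed to match urlmon.h and are defined locally so the code builds without the Windows SDK; SampleAllowList and PolicyFor are hypothetical helper names.

```cpp
#include <cstdint>
#include <map>
#include <string>

// Values assumed to mirror urlmon.h (defined here so this builds anywhere).
const uint32_t URLACTION_BEHAVIOR_RUN = 0x2000;  // the "2000" zone setting listed below
const uint32_t URLPOLICY_ALLOW        = 0x0;     // 0 - Enabled
const uint32_t URLPOLICY_DISALLOW     = 0x3;     // 3 - Disabled
const int32_t  HR_S_OK                = 0;
const int32_t  HR_INET_E_DEFAULT_ACTION = static_cast<int32_t>(0x800C0011u); // defer to urlmon

// Models the AllowedBehaviors registry list: "#Namespace#Behavior" -> dword value.
using AllowedBehaviors = std::map<std::wstring, uint32_t>;

// Constructed sample list: only the #default#time behavior is administrator-approved.
AllowedBehaviors SampleAllowList() {
    return { { L"#default#time", 1u } };
}

// Stand-in for IInternetSecurityManager::ProcessUrlAction, restricted to the one
// action this page discusses. Returns S_OK when the manager decided the policy,
// INET_E_DEFAULT_ACTION when it declines so the zone default (disallow in
// Restricted Sites, admin-approved in the locked-down Local Machine zone) applies.
int32_t ProcessUrlActionBehavior(const AllowedBehaviors& allowed, uint32_t dwAction,
                                 const wchar_t* pContext, uint32_t* pPolicy) {
    if (dwAction != URLACTION_BEHAVIOR_RUN || pContext == nullptr || pPolicy == nullptr)
        return HR_INET_E_DEFAULT_ACTION;             // not ours to decide
    std::wstring behavior(pContext);                 // e.g. L"#default#time"
    // Require the "#namespace#behavior" shape the AllowedBehaviors entries use.
    if (behavior.size() < 3 || behavior[0] != L'#' || behavior.find(L'#', 1) == std::wstring::npos)
        return HR_INET_E_DEFAULT_ACTION;
    auto it = allowed.find(behavior);
    if (it == allowed.end() || it->second != 1u)
        return HR_INET_E_DEFAULT_ACTION;             // unlisted: zone default stays in force
    *pPolicy = URLPOLICY_ALLOW;                      // explicitly opted in, as in step 3 above
    return HR_S_OK;
}

// Convenience for callers: the policy chosen, or -1 when the manager deferred.
int PolicyFor(const AllowedBehaviors& allowed, const wchar_t* behavior) {
    uint32_t policy = URLPOLICY_DISALLOW;
    int32_t hr = ProcessUrlActionBehavior(allowed, URLACTION_BEHAVIOR_RUN, behavior, &policy);
    return hr == HR_S_OK ? static_cast<int>(policy) : -1;
}
```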
What existing functionality is changing in Windows Server 2003 Service Pack 1?

None. This is only a setting to turn on or off the existing binary behaviors functionality.

What settings are added or changed in Windows Server 2003 Service Pack 1?
Internet Explorer Binary Behaviors Settings

Setting name: *
Location: HKEY_LOCAL_MACHINE [or HKEY_CURRENT_USER]\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS
Previous default value: None
Default value: 1
Possible values: 0 - Off; 1 - On

Setting name: 2000
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones [or Lockdown_Zones]\*\
Previous default value: None
Default value: 3 - Disabled (for the Restricted Sites zone); 65536 - Admin-approved (for the Locked-down Local Machine zone); 0 - Enabled (for all other zones)
Possible values: 3 - Disabled; 65536 - Admin-approved; 0 - Enabled

Note: * is used in the preceding table to represent that all processes are opted in for this feature control setting by default.

The binary behaviors setting can also be modified through Group Policy as part of the Internet Explorer Security Zones and Content Ratings setting.
Do I need to change my code to work with Windows Server 2003 Service Pack 1?

If your code uses binary behaviors in the Restricted Sites zone, then you will need to change your code by implementing a custom security manager for your application. If your code uses binary behaviors in the Local Machine zone, then you will need to either implement a custom security manager, add your behaviors to the list of approved behaviors, or use Mark of the Web to load your pages in less restrictive zones. For more information, see the "Creating a Customized URL Security Manager" section in "Introduction to URL Security Zones" on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=21863
