Internet Explorer Zone Elevation Blocks

Applies To: Windows Server 2003 with SP1

The Microsoft Windows Server 2003 Internet Explorer Enhanced Security Configuration component (also known as Microsoft Internet Explorer hardening) reduces a server's vulnerability to attacks from Web content by applying more restrictive Internet Explorer security settings that disable scripts, ActiveX components, and file downloads for resources in the Internet security zone. As a result, many of the security enhancements included in the latest release of Internet Explorer will not be as noticeable in Windows Server 2003 Service Pack 1. For example, the new Internet Explorer Notification Bar and Pop-up Blocker features will not be used unless the site is in a zone whose security setting allows scripting. If you are not using the enhanced security configuration on your server, these features will function as they do in Windows XP Service Pack 2.

What does Zone Elevation Blocks do?

When a Web page is opened in Internet Explorer, Internet Explorer puts restrictions on what the page can do, based on where that Web page came from: the Internet, a local intranet server, a trusted site, and so on. For example, pages on the Internet have stricter security restrictions than pages on a user's local intranet. Web pages on a user's computer are in the Local Machine security zone, where they have the fewest security restrictions. This makes the Local Machine security zone a prime target for malicious users. Zone Elevation Blocks makes it harder to get code to run in this zone. In addition, Local Machine Zone Lockdown makes the zone less vulnerable to malicious users by changing its security settings.

Who does this feature apply to?

Web developers must plan changes or workarounds for any possible impact to their Web site.

Application developers should review this feature to plan to adopt changes in their applications that run in the Local Machine security zone. Because the feature is not enabled for processes other than Internet Explorer by default, developers must register their applications to take advantage of the changes.

End users might be affected by sites that are not compatible with these stricter rules and settings.

What new functionality is added to this feature in Windows Server 2003 Service Pack 1?

Zone Elevation Blocks

Detailed description

Internet Explorer prevents the overall security context for any link on a page from being higher than the security context of the root URL. This means, for example, that a page in the Internet zone cannot navigate to a page in the Local Intranet zone. A script, for example, could not cause this navigation. For the purpose of this mitigation, the security context ranking of the zones, from highest security context to lowest, is: Restricted Sites zone, Internet zone, Local Intranet zone, Trusted Sites zone, and Local Machine zone.

Zone Elevation Blocks also disables JavaScript navigation if there is no security context.

If a user clicks a link that causes the Web site to attempt to navigate to a higher zone, navigation is blocked for navigation to the Local Machine zone, but a dialog box will appear in Internet Explorer when a Web page attempts to open a page in a security zone that has a higher security context and you will be prompted as in the following message. The italicized portion changes, according to the security zone that the Web page is attempting to navigate to.

The current Web page is trying to open a site in your Trusted sites list. Do you want to allow this?

In any case, the default action does not allow the zone elevation. The user must explicitly allow the requested zone elevation.

Why is this change important?

Elevation of privilege is one of the most exploited vulnerabilities in Internet Explorer, with the ultimate goal of running malicious code in the Local Machine zone. Zone Elevation Blocks helps mitigate many privilege escalation attacks.

What works differently?

Navigation from one zone to a "higher" zone is blocked. This means that Web pages that automatically call more privileged Web pages fail.

How do I resolve these issues?

If you have a trusted Web application that is impacted by this change because it navigates between different security zones without user interaction, you should map the domains that the Web application uses into the security zone with the least privilege necessary to perform the task for which the application was designed.
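As an added example (not part of the original post or of Microsoft's documentation), the PowerShell function below applies the resolution described above: it maps a web application's host names into an explicit Internet Explorer security zone by writing the current user's ZoneMap entries, so the application's pages no longer cross from a lower-privilege zone into a higher one. The host names are constructed samples; the zone IDs and the Domains/EscDomains layout are the ones IE uses (EscDomains applies when Enhanced Security Configuration is on), and PowerShell 2.0 or later is assumed to be installed on the server.

```powershell
# Added example, not from the original post. Writes only the current user's
# ZoneMap (HKCU); machine-wide policy assignments live under a different key.
$ZoneIds = @{ LocalIntranet = 1; TrustedSites = 2; Internet = 3; RestrictedSites = 4 }
$ZoneMapRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'

function Set-IeZoneMapping {
    param(
        [Parameter(Mandatory=$true)] [string] $HostName,   # e.g. app.example.com
        [Parameter(Mandatory=$true)] [int]    $ZoneId,     # one of $ZoneIds
        [string[]] $Schemes = @('http', 'https'),
        [switch]   $EscEnabled   # use EscDomains when Enhanced Security Configuration is on
    )
    # IE stores the registrable domain as a key and one leading label as a subkey:
    #   ...\ZoneMap\Domains\example.com\app   <=>   app.example.com
    $labels = $HostName.ToLower().Split('.')
    if ($labels.Count -lt 2 -or $labels.Count -gt 3) {
        throw "Use 'example.com' or 'host.example.com' (deeper names not handled here): $HostName"
    }
    if ($EscEnabled) { $container = 'EscDomains' } else { $container = 'Domains' }
    $keyPath = Join-Path $ZoneMapRoot $container
    $keyPath = Join-Path $keyPath (($labels[-2..-1]) -join '.')
    if ($labels.Count -eq 3) { $keyPath = Join-Path $keyPath $labels[0] }

    if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
    foreach ($scheme in $Schemes) {
        # One DWORD per scheme; its value is the zone ID the host is placed in.
        New-ItemProperty -Path $keyPath -Name $scheme -PropertyType DWord `
                         -Value $ZoneId -Force | Out-Null
    }
    # Read back what was written so the caller can verify the assignment.
    $written = Get-ItemProperty -Path $keyPath
    foreach ($scheme in $Schemes) { "$HostName ($scheme) -> zone $($written.$scheme)" }
}

# Constructed sample: an intranet application whose front end navigates to its
# API host without user interaction. Both hosts go into the same zone, and it
# is the least-privileged zone the application works in (Local intranet here),
# not Trusted sites, so the mapping does not widen the attack surface.
Set-IeZoneMapping -HostName 'app.example.com' -ZoneId $ZoneIds.LocalIntranet
Set-IeZoneMapping -HostName 'api.example.com' -ZoneId $ZoneIds.LocalIntranet
```

Run the same calls with -EscEnabled on a server where Enhanced Security Configuration is turned on, since IE then consults EscDomains instead of Domains.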
