IE's Protected Mode in Windows Vista(TM)
January 20, 2006
Marc Silbey, Program Manager
Agenda

- Goals
- Protected Mode Summary
- Architectural Overview
- Compat Features
- Getting in-proc add-ons to work
- Options for out-of-proc add-ons
- Becoming a Low Integrity Level client
Goals of Protected Mode

- Reduce the severity of threats to IE, and to add-ons running in IE, by eliminating the silent install of malicious code through software vulnerabilities
- Preserve compatibility whenever possible
- Provide the capability and guidance for add-ons to restore functionality
- Minimize required user involvement
Protected Mode Summary

- Protected Mode restricts IE from writing, or sending window messages, outside of low integrity resources such as the Temporary Internet Files (TIF) folder
  - IE's process has fewer write privileges than a UAC (standard user) process
  - It builds on Mandatory Integrity Control (MIC), which restricts writes to higher-integrity securable objects such as files and registry keys
  - It builds on UI Privilege Isolation (UIPI), which restricts certain window messages sent to higher-integrity processes
  - This means Protected Mode is Windows Vista only
- Protected Mode uses COM to call two new broker processes which allow IE to write outside of the TIF
- A compatibility layer allows add-ons to elevate

Integrity Levels and Privilege:
  High IL     Admin
  Medium IL   User
  Low IL      Low
Enabling UIPI in the builds

Toggle UIPI via the following registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights]

- ON:  "EnableLowDesktopIL"=dword:00000001
  Sets Protected Mode's desktop integrity to Low
- OFF: "EnableLowDesktopIL"=dword:00000000
  Sets Protected Mode's desktop integrity to Medium

This key only changes the desktop integrity used by UIPI. Protected Mode always runs with a Low process integrity, and MIC restricts writes outside of low locations either way.
Download and Install of new ActiveX

- Same as XPSP2, with a new UAP (the pre-release name for UAC) credential prompt

Download and Install of New Toolbars

- Same as XPSP2, with a new UAP credential prompt
Architectural Overview

[Diagram: a build-up of the Protected Mode architecture; only the labels survive extraction.]

- IE 6 (before Vista): one process runs with user rights (download documents, save/change settings, cache web content) and, when installing ActiveX controls and toolbars, with admin rights.
- Protected Mode IE runs the add-ons (the diagram shows the eBay Toolbar and the QuickTime ActiveX control) inside the IE process at a Low Integrity Level (Low IL, low rights). Mandatory Integrity Control (MIC) confines that process to caching web content; the Compat Layer handles save/change of add-on settings.
- IE User Broker (Medium IL, user rights): install toolbars, download documents, save/change settings, allow add-ons to elevate.
- IE Admin Broker (High IL, admin rights), reached through the Application Info Service (AIS): install ActiveX.
- With a Low desktop integrity, UI Privilege Isolation (UIPI) separates the Low IL process from Medium and High IL processes for window messages and drag/drop.
Compatibility Features

- In-proc add-ons (ActiveX controls, toolbars, etc.)
  - Have the same privileges as Protected Mode
  - File system writes get re-routed to the TIF via a Compat Layer
  - Can call the "Save As" API to save files outside of the TIF
- Out-of-proc add-ons (Doc object servers, etc.)
  - Get Protected Mode's restrictions by default
  - Can elevate privilege
- Internet and Intranet sites run in Protected Mode
  - Navigation between a Protected Mode zone (Internet, Intranet or Restricted Sites) and a zone that does not run in Protected Mode spawns a new window
  - Admins can change this through Group Policy
- The Trusted Sites and Local Machine zones don't run in Protected Mode
In-proc: Compatibility Layer

- Redirects file and registry key writes to a virtualized, Low IL location:
  - HKCU\Software\Microsoft\Internet Explorer\Low Rights\Virtual
  - Documents and Settings\%user profile%\Local Settings\Temporary Internet Files\Virtual
- The virtualized path is the full pathname (below HKCU or below the user profile) appended to the virtualized directory

If Protected Mode tries to write here...
  HKCU\Software\FooBar
  C:\Documents and Settings\%user profile%\FooBar

...the virtualized write goes here:
  HKCU\Software\Microsoft\Internet Explorer\Low Rights\Virtual\Software\FooBar
  C:\Documents and Settings\%user profile%\Local Settings\Temporary Internet Files\Virtual\FooBar
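The redirection rule above, as an added PowerShell example that is not part of the original slides: given the path an in-proc add-on tried to write, compute where the Compat Layer put it, and check both locations so you can tell whether a write was virtualized. The virtual roots default to the two locations the slide names but are parameters, because the shipped Vista layout may differ from this CTP (an assumption); the function names `Get-ProtectedModeVirtualPath` and `Find-ProtectedModeWrite` are chosen here, not taken from IE.

```powershell
# Added example (not from the slides): map a requested write location to the
# Low IL location the Compat Layer redirects it to, then report where the
# write actually landed. Roots default to the paths named on the slide.
function Get-ProtectedModeVirtualPath {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $UserProfile = $env:USERPROFILE,
        [string] $FileVirtualRoot = (Join-Path $env:USERPROFILE 'Local Settings\Temporary Internet Files\Virtual'),
        [string] $RegistryVirtualRoot = 'HKCU:\Software\Microsoft\Internet Explorer\Low Rights\Virtual'
    )
    if ($Path -match '^(HKCU:?\\|HKEY_CURRENT_USER\\)(.+)$') {
        # Registry: the full subkey path below HKCU is appended to the Virtual key
        return Join-Path $RegistryVirtualRoot $Matches[2]
    }
    $profileRoot = $UserProfile.TrimEnd('\')
    if ($Path.StartsWith("$profileRoot\", [StringComparison]::OrdinalIgnoreCase)) {
        # File: the path below the user profile is appended to the Virtual folder
        $relative = $Path.Substring($profileRoot.Length + 1)
        return Join-Path $FileVirtualRoot $relative
    }
    throw "Path '$Path' is neither under HKCU nor under the user profile; the Compat Layer does not redirect it."
}

# Troubleshooting helper: the add-on "saved" something, but did it land in the
# real location or in the virtualized one?
function Find-ProtectedModeWrite {
    param([Parameter(Mandatory)] [string] $Path)
    $virtual = Get-ProtectedModeVirtualPath -Path $Path
    [pscustomobject]@{
        Requested     = $Path
        Virtualized   = $virtual
        ExistsReal    = Test-Path -LiteralPath $Path
        ExistsVirtual = Test-Path -LiteralPath $virtual
    }
}

# Usage, with the slide's own FooBar examples
Get-ProtectedModeVirtualPath -Path 'HKCU:\Software\FooBar'
Get-ProtectedModeVirtualPath -Path (Join-Path $env:USERPROFILE 'FooBar')
Find-ProtectedModeWrite -Path (Join-Path $env:USERPROFILE 'FooBar\settings.ini')
```

Paths outside HKCU and the user profile are rejected on purpose: the slide only describes redirection for those two roots, and a write elsewhere from a Low IL process simply fails under MIC rather than being virtualized.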
In-proc: Two-step "Save As" API to save files outside of the TIF

- Step 1: Call IEShowSaveFileDialog() with the target location
  - The user is prompted with a "Save As" dialog
  - Returns the user-chosen target path
- Step 2: Call SaveFile() with the source (a low integrity location) to tell the User Broker to copy the file to the target location
Out-of-Proc: Register to elevate out of Protected Mode

- Register your process name if your add-on launches a process that needs to elevate out of Protected Mode and run with Medium integrity (the UAC level)
- To minimize the need for additional end user involvement we will ship Windows Vista with the registry pre-populated
- Default behavior: if the process is not on the allow list, IE displays a dialog
Out-of-Proc: Add "Admin" to the app manifest to elevate out of UAP

- Update the install package to include a new application manifest
- Mark the application manifest as "Admin" by adding requestedExecutionLevel level="requireAdministrator" in the AdminBroker manifest
  * The Admin token should only be used for installing software
- Details are available in the UAP How To document
- No need to add a registry key to the CreateProcess or CoCreateInstance list

Example XML format:
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="leastPrivilege|highestAvailable|requireAdministrator" UIAccess="true|false" />
      </requestedPrivileges>
    </security>
  </trustInfo>
Out-of-proc: Two steps to run your software with Low IL like Protected Mode

- Step 1: During setup, change the file's or registry key's security descriptor to Low IL by:
  - Retrieving the SACL from the file handle
  - Creating a new security descriptor with Low IL
  - Creating a new SACL with the Low IL SID and copying the original SACL info into the new SACL
- Step 2: Create a Low IL process
  - Create a SID with Low IL and set it on the token using TokenInformationClass = TokenIntegrityLevel
  - Use ConvertStringSidToSid with SDDL_IL_LOW
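Both steps of this slide as an added PowerShell example; it is not code from the deck or from Microsoft. It assumes a non-elevated (Medium IL) PowerShell on Vista or later. For step 1 it uses icacls, which writes the Low mandatory-label ACE into the object's SACL (the work the slide describes doing by hand); for step 2 the `LowIlProcess` class is a P/Invoke wrapper written here around the calls the slide names: ConvertStringSidToSid with the Low integrity SID S-1-16-4096 (the shipped SDK calls this SDDL_ML_LOW; the slide calls it SDDL_IL_LOW), SetTokenInformation with TokenIntegrityLevel, then CreateProcessAsUser. The directory name `lowil-demo` and the two output files are constructed for the demonstration.

```powershell
# Added example (not from the slides): label a directory Low IL, then start a
# process at Low IL and show it can write there but not into the Medium IL profile.

# ---- Step 1: a Low IL directory the Low IL process will be allowed to write to
$lowDir = Join-Path $env:TEMP 'lowil-demo'
New-Item -ItemType Directory -Path $lowDir -Force | Out-Null
# (OI)(CI) makes the label inherit to files and subfolders created later
icacls $lowDir /setintegritylevel '(OI)(CI)Low' | Out-Null
# Confirm the SACL now carries the Low label (NW = no-write-up). English label text assumed.
if (-not ((icacls $lowDir) -match 'Low Mandatory Level')) { throw "Low IL label not applied to $lowDir" }

# ---- Step 2: create a Low IL process from a copy of our own token
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
using System.ComponentModel;

public static class LowIlProcess
{
    [StructLayout(LayoutKind.Sequential)] struct SID_AND_ATTRIBUTES { public IntPtr Sid; public uint Attributes; }
    [StructLayout(LayoutKind.Sequential)] struct TOKEN_MANDATORY_LABEL { public SID_AND_ATTRIBUTES Label; }
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct STARTUPINFO
    {
        public int cb; public string lpReserved, lpDesktop, lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }
    [StructLayout(LayoutKind.Sequential)] struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }

    const uint TOKEN_ASSIGN_PRIMARY = 0x0001, TOKEN_DUPLICATE = 0x0002, TOKEN_QUERY = 0x0008, TOKEN_ADJUST_DEFAULT = 0x0080;
    const uint MAXIMUM_ALLOWED = 0x02000000, SE_GROUP_INTEGRITY = 0x20;
    const int SecurityImpersonation = 2, TokenPrimary = 1, TokenIntegrityLevel = 25;

    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);
    [DllImport("kernel32.dll")] static extern IntPtr LocalFree(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool DuplicateTokenEx(IntPtr token, uint access, IntPtr attrs, int impLevel, int type, out IntPtr newToken);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)] static extern bool ConvertStringSidToSid(string sid, out IntPtr psid);
    [DllImport("advapi32.dll", SetLastError = true)] static extern int GetLengthSid(IntPtr sid);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool SetTokenInformation(IntPtr token, int cls, ref TOKEN_MANDATORY_LABEL info, int len);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool CreateProcessAsUser(IntPtr token, string app, string cmdLine, IntPtr pa, IntPtr ta, bool inherit, uint flags, IntPtr env, string dir, ref STARTUPINFO si, out PROCESS_INFORMATION pi);

    public static int Start(string commandLine)
    {
        IntPtr hToken, hLow, pLowSid;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_QUERY | TOKEN_ADJUST_DEFAULT, out hToken)) throw new Win32Exception();
        if (!DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, IntPtr.Zero, SecurityImpersonation, TokenPrimary, out hLow)) throw new Win32Exception();
        if (!ConvertStringSidToSid("S-1-16-4096", out pLowSid)) throw new Win32Exception();   // Low mandatory level SID
        TOKEN_MANDATORY_LABEL tml = new TOKEN_MANDATORY_LABEL();
        tml.Label.Sid = pLowSid;
        tml.Label.Attributes = SE_GROUP_INTEGRITY;
        int len = Marshal.SizeOf(typeof(TOKEN_MANDATORY_LABEL)) + GetLengthSid(pLowSid);
        if (!SetTokenInformation(hLow, TokenIntegrityLevel, ref tml, len)) throw new Win32Exception();
        STARTUPINFO si = new STARTUPINFO(); si.cb = Marshal.SizeOf(typeof(STARTUPINFO));
        PROCESS_INFORMATION pi;
        if (!CreateProcessAsUser(hLow, null, commandLine, IntPtr.Zero, IntPtr.Zero, false, 0, IntPtr.Zero, null, ref si, out pi)) throw new Win32Exception();
        CloseHandle(pi.hThread); CloseHandle(pi.hProcess); CloseHandle(hLow); CloseHandle(hToken); LocalFree(pLowSid);
        return pi.dwProcessId;
    }
}
'@

# The Low IL child may write into the labelled directory but not into the
# Medium IL user profile (no-write-up), which is exactly Protected Mode's restriction.
$okFile     = Join-Path $lowDir 'whoami.txt'
$deniedFile = Join-Path $env:USERPROFILE 'lowil-should-fail.txt'
$lowPid = [LowIlProcess]::Start("cmd.exe /c whoami /groups > `"$okFile`"")
Wait-Process -Id $lowPid -ErrorAction SilentlyContinue
$lowPid = [LowIlProcess]::Start("cmd.exe /c echo test > `"$deniedFile`"")
Wait-Process -Id $lowPid -ErrorAction SilentlyContinue

if ((Get-Content $okFile) -match 'Low Mandatory Level') { 'child ran at Low IL and wrote into the Low IL directory' }
if (-not (Test-Path $deniedFile)) { 'write into the Medium IL profile was blocked by MIC' }
```

The second launch is the check a practitioner wants: if the file does appear in the profile, the child did not actually run at Low IL (for example because the shell was elevated and the label was not applied), and the helper you are shipping will not behave like Protected Mode.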
Builds and Documents

- Protected Mode is in December's CTP build
- UIPI is not turned on by default in the builds
- You can get updated builds through the TechBeta program
- Documentation
  - Protected Mode Tech Article
  - Protected Mode API Reference

Questions?

Appendix
FAQs

- What additional value does Protected Mode add above UAP?
  - User profile protection. For example, it restricts a buffer overflow (BO) in IE from overwriting My Documents
- Is there UI indicating that the user is in Protected Mode?
  - Yes, when Protected Mode is enabled for a zone the zone icon will have a checked-shield icon overlay.

Protected Mode IE compared with IE in UAP:

  Behavior                                                                   Protected Mode IE        IE in UAP
  Files downloaded from the respective zone                                  Created with Low IL      Created with Medium IL
  Able to modify My Documents                                                No                       Yes
  Perform cross-process UI interaction with other applications on the desktop   No                    Yes
  Inject a DLL and create a remote thread in another process                 No                       Yes
  Used to render .htm files in the Local Machine zone                        Yes                      Yes