IE's Protected Mode in Windows Vista(TM)
January 20, 2006
Marc Silbey, Program Manager

Uploaded by nicole-quinn, 26-Mar-2015 (18 pages)

TRANSCRIPT

Page 1: IE's Protected Mode in Windows Vista(TM)

January 20, 2006

Marc Silbey, Program Manager

Page 2: Agenda

- Goals
- Protected Mode summary
- Architectural overview
- Compat features
- Getting in-proc add-ons to work
- Options for out-of-proc add-ons
- Becoming a Low Integrity Level client

Page 3: Goals of Protected Mode

- Reduce the severity of threats to IE, and to add-ons running in IE, by eliminating the silent install of malicious code through software vulnerabilities
- Preserve compatibility whenever possible
- Provide the capability and guidance for add-ons to restore functionality
- Minimize required user involvement

Page 4: Protected Mode Summary

- Protected Mode restricts IE from writing, or sending window messages, outside of low integrity resources such as the Temporary Internet Files (TIF) folder
- IE's process has fewer write privileges than an ordinary UAC (Medium IL) process
- It builds on Mandatory Integrity Control (MIC), which restricts writes to higher-integrity securable objects such as files and registry keys
- It builds on UI Privilege Isolation (UIPI), which restricts certain window messages to higher-integrity processes
- This means Protected Mode is Windows Vista only
- Protected Mode uses COM to call two new broker processes, which allow IE to write outside of the TIF
- A compatibility layer allows add-ons to elevate

Integrity Level   Privilege
High IL           Admin
Medium IL         User
Low IL            Low

Page 5: Enabling UIPI in the builds

Toggle UIPI via the following registry key:

  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights]

  ON:  "EnableLowDesktopIL"=dword:00000001   (sets Protected Mode's desktop integrity to Low)
  OFF: "EnableLowDesktopIL"=dword:00000000   (sets Protected Mode's desktop integrity to Medium)

This key only changes the desktop integrity used by UIPI. Protected Mode always runs with a Low process integrity, and MIC restricts its writes outside of low locations regardless of the setting.

Page 6: Download and Install of new ActiveX

Same as XP SP2, with a new UAP credential prompt (UAP, User Account Protection, is the pre-release name for UAC).

Page 7: Download and Install of new Toolbars

Same as XP SP2, with a new UAP credential prompt.

Page 8: Architectural Overview

[Build-up diagram; only its labels survived extraction. Recoverable content:]

- IE 6 running the QuickTime ActiveX control: admin rights are required to install ActiveX controls and toolbars; user rights are required to download documents, save or change settings, and cache web content.
- Protected Mode IE running the eBay Toolbar and the QuickTime ActiveX control at a Low Integrity Level (Low IL): it can cache web content, and a Compat Layer handles add-on save/change-settings writes. Mandatory Integrity Control (MIC) separates Low rights (Low IL), User rights (Medium IL) and Admin rights (High IL).
- IE User Broker (Medium IL): install toolbars, download documents, save/change settings, allow add-ons to elevate.
- IE Admin Broker (High IL), launched through the Application Info Service (AIS): install ActiveX controls.
- With a Low desktop integrity, UI Privilege Isolation (UIPI) restricts window messages and drag/drop from the Low rights process (Low integrity) toward User rights processes (Medium integrity) and Admin rights processes (High integrity).

Page 9: Compatibility Features

- In-proc add-ons (ActiveX controls, toolbars, etc.)
  - Have the same privileges as Protected Mode
  - File system writes get re-routed to the TIF via a Compat Layer
  - Can call the "Save As" API to save files outside of the TIF
- Out-of-proc add-ons (doc object servers, etc.)
  - Get Protected Mode's restrictions by default
  - Can elevate privilege
- Internet and Intranet sites run in Protected Mode
  - Navigation between these zones and the Internet, Intranet or Restricted Sites zone spawns a new window
  - Admins can change this through Group Policy
- Trusted Sites and Local Machine zone don't run in Protected Mode

Page 10: In-proc: Compatibility Layer

- Redirects file and registry key writes to a virtualized, Low IL location:
    HKCU\Software\Microsoft\Internet Explorer\Low Rights\Virtual
    Documents and Settings\%user profile%\Local Settings\Temporary Internet Files\Virtual
- The virtualized path is the full pathname appended to the virtualized directory

If Protected Mode tries to write here...            ...the virtualized write goes here:
HKCU\Software\FooBar\                               HKCU\Software\MS\IE\Low Rights\Virtual\Software\FooBar
C:\Documents and Settings\%user profile%\FooBar     C:\Documents and Settings\%user profile%\Local Settings\Temporary Internet Files\Virtual\FooBar

(MS\IE abbreviates Microsoft\Internet Explorer.)

Page 11: In-proc: Two-step "Save As" API to save files outside of the TIF

- Step 1: Call IEShowSaveFileDialog() with the target location
  - The user is prompted with a "Save As" dialog
  - Returns the user-chosen target path
- Step 2: Call SaveFile() (shipped as IESaveFile in iepmapi.h) with the source, a low integrity location, to tell the User Broker to copy the file to the target location

The copy is performed by the Medium IL User Broker, so the Low IL process never gains write access to the target itself: only the path the user picked in the broker-owned dialog gets written.

Page 12: Out-of-proc: Register to elevate out of Protected Mode

- Register your process name if your add-on launches a process that needs to elevate out of Protected Mode and run with Medium integrity (the UAC level)
- To minimize the need for additional end-user involvement, Windows Vista will ship with the registry pre-populated
- Default behavior: if the process is not on the allow list, IE displays a dialog
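Registering a helper the way the slide describes, as an added PowerShell example that is not code from the deck or from Microsoft. It uses the allow list as it shipped in Windows Vista and IE7, HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy with one {GUID} subkey per entry holding AppName, AppPath and Policy values; the deck itself does not name the key. The helper name and directory (ContosoHelper.exe under Program Files) are hypothetical. The second function is the check a reviewer wants afterwards: every Policy=3 entry is a silent path out of the sandbox, so it lists all entries and flags, as a heuristic for manual review, those whose AppPath is not under an admin-only directory.

```powershell
# Added example, not from the deck. Registers an add-on's helper with Protected Mode's
# elevation allow list as it shipped (ElevationPolicy under Low Rights), then audits the list.
# Run from an elevated PowerShell: the key lives under HKLM. Helper name/path are hypothetical.
$ElevationRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy'

# Policy values as shipped: 0 = block the launch, 1 = launch silently at Low IL,
# 2 = prompt, then launch at Medium IL (this is what unlisted processes get),
# 3 = launch silently at Medium IL.
function Register-IEElevationPolicy {
    param(
        [Parameter(Mandatory)][string]$AppName,   # executable name only, e.g. ContosoHelper.exe
        [Parameter(Mandatory)][string]$AppPath,   # directory the executable is launched from
        [ValidateRange(0, 3)][int]$Policy = 3
    )
    $key = Join-Path $ElevationRoot ([guid]::NewGuid().ToString('B'))   # one {GUID} subkey per entry
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name AppName -Value $AppName -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $key -Name AppPath -Value $AppPath -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $key -Name Policy  -Value $Policy  -PropertyType DWord  -Force | Out-Null
    $key
}

# Every Policy=3 entry is a silent way out of the sandbox, so list them all and flag the ones
# whose AppPath is not under a directory that only administrators can write to (a heuristic:
# whoever can place a file at that path gets it launched at Medium IL with no prompt).
function Get-IEElevationPolicy {
    $adminOnly = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) | Where-Object { $_ }
    Get-ChildItem -Path $ElevationRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $entry = Get-ItemProperty -Path $_.PSPath
        $appPath = [string]$entry.AppPath
        $trustedDir = [bool]($adminOnly | Where-Object { $appPath.StartsWith($_, 'OrdinalIgnoreCase') })
        [pscustomobject]@{
            Entry   = $_.PSChildName
            AppName = $entry.AppName
            AppPath = $appPath
            CLSID   = $entry.CLSID          # COM servers are listed by CLSID instead of name/path
            Policy  = $entry.Policy
            Review  = ($entry.Policy -eq 3 -and -not $trustedDir)
        }
    }
}

Register-IEElevationPolicy -AppName 'ContosoHelper.exe' -AppPath 'C:\Program Files\Contoso'
Get-IEElevationPolicy | Sort-Object Review -Descending | Format-Table -AutoSize
```

IE reads the list when it starts, so restart it after changing an entry. AppPath must be the directory the helper really runs from; a mismatch falls back to the default prompt, which is the behaviour the slide describes for unlisted processes.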

Page 13: Out-of-proc: Add "Admin" to the app manifest to elevate out of UAP

- Update the install package to include a new application manifest
- Mark the application manifest as "Admin" by adding requestedExecutionLevel=Administrator in the AdminBroker manifest
- The Admin token should only be used for installing software
- Details are available in the UAP How To document
- No need to add a registry key to the CreateProcess or CoCreateInstance list

Example XML format (level takes one of the three listed values; UIAccess is a boolean):

  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="leastPrivilege|highestAvailable|requireAdministrator" UIAccess="true|false" />
      </requestedPrivileges>
    </security>
  </trustInfo>

Page 14: Out-of-proc: Two steps to run your software with Low IL, like Protected Mode

- Step 1: During setup, change the file's or registry key's security descriptor to Low IL by:
  - Retrieving the SACL from the file handle
  - Creating a new security descriptor with Low IL
  - Creating a new SACL with the Low IL SID and copying the original SACL information into it
- Step 2: Create a Low IL process
  - Create a SID with Low IL and apply it with TokenInformationClass = TokenIntegrityLevel
  - Use ConvertStringSidToSid with SDDL_IL_LOW

The integrity label is stored as a mandatory-label ACE in the object's SACL, not in its DACL, which is why step 1 works on the SACL. Lowering a token's integrity level requires no privilege, so step 2 works from an ordinary user process.
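Both steps of the procedure above, as an added example that is not code from the deck or from Microsoft: PowerShell driving the same advapi32 calls the slide names (ConvertStringSidToSid, SetTokenInformation with TokenIntegrityLevel) through Add-Type P/Invoke, plus SetNamedSecurityInfo for the label in step 1. The data directory, registry key and worker command line (Contoso) are hypothetical; the SID string S-1-16-4096 is the value SDDL_IL_LOW stands for. Run it from an ordinary (Medium IL) PowerShell.

```powershell
# Added example, not code from the deck: both steps of the procedure above, driven from
# PowerShell with P/Invoke into the same advapi32 calls the deck names. Run it from an
# ordinary (Medium IL) PowerShell. Paths, key names and the worker command line are hypothetical.
$src = @'
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

public static class LowIL
{
    [StructLayout(LayoutKind.Sequential)] public struct SID_AND_ATTRIBUTES { public IntPtr Sid; public uint Attributes; }
    [StructLayout(LayoutKind.Sequential)] public struct TOKEN_MANDATORY_LABEL { public SID_AND_ATTRIBUTES Label; }
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct STARTUPINFO
    {
        public int cb; public string lpReserved, lpDesktop, lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2; public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }
    [StructLayout(LayoutKind.Sequential)] public struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }

    const uint MAXIMUM_ALLOWED = 0x02000000, SE_GROUP_INTEGRITY = 0x20, LABEL_SECURITY_INFORMATION = 0x10;
    const int SecurityImpersonation = 2, TokenPrimary = 1, TokenIntegrityLevel = 25;
    public const int SE_FILE_OBJECT = 1, SE_REGISTRY_KEY = 4;
    const string SDDL_IL_LOW = "S-1-16-4096";   // the Low mandatory level SID (SDDL alias "LW")

    [DllImport("kernel32")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32")] static extern bool CloseHandle(IntPtr h);
    [DllImport("kernel32")] static extern IntPtr LocalFree(IntPtr h);
    [DllImport("advapi32", SetLastError = true)] static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32", SetLastError = true)] static extern bool DuplicateTokenEx(IntPtr token, uint access, IntPtr attrs, int level, int type, out IntPtr dup);
    [DllImport("advapi32", SetLastError = true, CharSet = CharSet.Unicode)] static extern bool ConvertStringSidToSid(string sddl, out IntPtr sid);
    [DllImport("advapi32", SetLastError = true)] static extern int GetLengthSid(IntPtr sid);
    [DllImport("advapi32", SetLastError = true)] static extern bool SetTokenInformation(IntPtr token, int cls, ref TOKEN_MANDATORY_LABEL info, int size);
    [DllImport("advapi32", SetLastError = true, CharSet = CharSet.Unicode)] static extern bool CreateProcessAsUser(IntPtr token, string app, string cmd, IntPtr pa, IntPtr ta, bool inherit, uint flags, IntPtr env, string dir, ref STARTUPINFO si, out PROCESS_INFORMATION pi);
    [DllImport("advapi32", SetLastError = true, CharSet = CharSet.Unicode)] static extern bool ConvertStringSecurityDescriptorToSecurityDescriptor(string sddl, uint rev, out IntPtr sd, out uint size);
    [DllImport("advapi32", SetLastError = true)] static extern bool GetSecurityDescriptorSacl(IntPtr sd, out bool present, out IntPtr sacl, out bool defaulted);
    [DllImport("advapi32", CharSet = CharSet.Unicode)] static extern uint SetNamedSecurityInfo(string name, int type, uint info, IntPtr owner, IntPtr group, IntPtr dacl, IntPtr sacl);

    static void Check(bool ok) { if (!ok) throw new Win32Exception(); }

    // Step 1: put a Low mandatory label on a file/directory or registry key we own. The label is a
    // SYSTEM_MANDATORY_LABEL_ACE in the SACL; writing only LABEL_SECURITY_INFORMATION replaces that
    // ACE and leaves the DACL and any audit ACEs as they were (the deck's "copy the original SACL").
    public static void SetLowLabel(string name, int objectType, string aceFlags)
    {
        IntPtr sd, sacl; uint size; bool present, defaulted;
        Check(ConvertStringSecurityDescriptorToSecurityDescriptor("S:(ML;" + aceFlags + ";NW;;;LW)", 1, out sd, out size));
        Check(GetSecurityDescriptorSacl(sd, out present, out sacl, out defaulted));
        uint rc = SetNamedSecurityInfo(name, objectType, LABEL_SECURITY_INFORMATION, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, sacl);
        LocalFree(sd);
        if (rc != 0) throw new Win32Exception((int)rc);
    }

    // Step 2: duplicate our own primary token, lower its integrity level to Low, and start the worker
    // with it. Lowering a token's IL needs no privilege, which is why this works from a plain user process.
    public static int StartLow(string commandLine)
    {
        IntPtr token, dup, sid;
        Check(OpenProcessToken(GetCurrentProcess(), MAXIMUM_ALLOWED, out token));
        Check(DuplicateTokenEx(token, MAXIMUM_ALLOWED, IntPtr.Zero, SecurityImpersonation, TokenPrimary, out dup));
        Check(ConvertStringSidToSid(SDDL_IL_LOW, out sid));
        var label = new TOKEN_MANDATORY_LABEL();
        label.Label.Sid = sid; label.Label.Attributes = SE_GROUP_INTEGRITY;
        Check(SetTokenInformation(dup, TokenIntegrityLevel, ref label, Marshal.SizeOf(typeof(TOKEN_MANDATORY_LABEL)) + GetLengthSid(sid)));
        var si = new STARTUPINFO(); si.cb = Marshal.SizeOf(typeof(STARTUPINFO));
        PROCESS_INFORMATION pi;
        Check(CreateProcessAsUser(dup, null, commandLine, IntPtr.Zero, IntPtr.Zero, false, 0, IntPtr.Zero, null, ref si, out pi));
        CloseHandle(pi.hThread); CloseHandle(pi.hProcess); CloseHandle(dup); CloseHandle(token); LocalFree(sid);
        return pi.dwProcessId;
    }
}
'@
Add-Type -TypeDefinition $src

# Step 1, at setup time: create the add-on's Low IL data locations and label them (hypothetical names).
$lowDir = Join-Path $env:LOCALAPPDATA 'Contoso\Low'
New-Item -ItemType Directory -Path $lowDir -Force | Out-Null
[LowIL]::SetLowLabel($lowDir, [LowIL]::SE_FILE_OBJECT, 'OICI')     # inherit to files and subfolders
New-Item -Path 'HKCU:\Software\Contoso\Low' -Force | Out-Null
[LowIL]::SetLowLabel('CURRENT_USER\Software\Contoso\Low', [LowIL]::SE_REGISTRY_KEY, 'CI')
icacls $lowDir    # the listing now includes "Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)"

# Step 2, at run time: start the worker at Low IL and let it report its own label.
$workerPid = [LowIL]::StartLow('cmd.exe /c whoami /groups | findstr /i "mandatory"')
"Worker PID $workerPid started; its output should show Mandatory Label\Low Mandatory Level"
```

The worker's whoami line is the check that matters: anything it is allowed to write must now carry a Low label, and a write to any unlabeled (implicitly Medium) location in the user profile fails with access denied, which is the same restriction Protected Mode IE lives under.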

Page 15: Builds and Documents

- Protected Mode is in December's CTP build
- UIPI is not turned on by default in the builds
- You can get updated builds through the TechBeta program
- Documentation: Protected Mode Tech Article; Protected Mode API Reference

Page 16: Questions?

Page 17: Appendix

Page 18: FAQs

Q: What additional value does Protected Mode add above UAP?
A: User profile protection. For example, it restricts a buffer overflow (BO) in IE from overwriting My Documents.

Q: Is there UI indicating that the user is in Protected Mode?
A: Yes, when Protected Mode is enabled for a zone the zone icon has a checked-shield icon overlay.

                                                       Protected Mode IE         IE in UAP
Files downloaded from the respective zone              Created with Low IL       Created with Medium IL
Able to modify My Documents                            No                        Yes
Perform cross-process UI interaction with other
applications on the desktop                            No                        Yes
Inject a DLL and create a remote thread in
another process                                        No                        Yes
Used to render .htm files in the Local Machine zone    Yes                       Yes