1 / 18

IE’s Protected Mode in Windows Vista TM

IE’s Protected Mode in Windows Vista TM. January 20, 2006 Marc Silbey Program Manager. Agenda. Goals Protected Mode Summary Architectural Overview Compat Features Getting in-proc add-ons to work Options for out-of-proc add-ons Becoming a Low Integrity Level client.

kelly-schwartz
Télécharger la présentation

IE’s Protected Mode in Windows Vista TM

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. IE’s Protected Mode in Windows VistaTM January 20, 2006 Marc Silbey Program Manager

  2. Agenda • Goals • Protected Mode Summary • Architectural Overview • Compat Features • Getting in-proc add-ons to work • Options for out-of-proc add-ons • Becoming a Low Integrity Level client

  3. Goals of Protected Mode • Reduce the severity of threats to IE and threats to add-ons running in IE by eliminating the silent install of malicious code through software vulnerabilities • Preserve compatibility whenever possible • Provide the capability and guidance for add-ons to restore functionality • Minimize required user involvement

  4. Protected Mode Summary • Protected Mode restricts IE from writing or sending window messages outside of low integrity resources like Temporary Internet Files (TIF) folder • IE’s process has less write-privileges than UAC • It builds on the Mandatory Integrity Control (MIC) which restricts writes to higher integrity securable objects like files and reg keys • It builds on the UI Privilege Isolation (UIPI) which restricts certain window messages to higher integrity processes • This means Protected Mode is Windows Vista only • Protected Mode uses COM to call two new broker processes which allow IE to write outside of the TIF • A compatibility layer allows add-ons to elevate

  5. Enabling UIPI in the builds • Toggle UIPI via the following regkey • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights] • ON "EnableLowDesktopIL"=dword:00000001 • Set’s Protected Mode’s Desktop Integrity to Low • OFF "EnableLowDesktopIL"=dword:00000000 • Set’s Protected Mode’s Desktop Integrity to Medium • Protected Mode always runs with a Low Process Integrity and the MIC restricts writes outside of low locations

  6. Download and Install of new ActiveX • Same as XPSP2 with a new UAP credential prompt

  7. Download and Install of New Toolbars • Same as XPSP2 with a new UAP credential prompt

  8. Architectural Overview

  9. Compatibility Features • In-proc add-ons (ActiveX controls, toolbars, etc) • Have the same privileges as Protected Mode • File system writes get re-routed to the TIF via a Compat Layer • Can call “Save As” API to save files outside of the TIF • Out-of-proc add-ons (Doc object servers, etc) • Get Protected Mode’s restrictions by default • Can elevate privilege • Internet and Intranet sites run in Protected Mode • Navigation between these zones and the Internet, Intranet or restricted sites zone spawn a new window • Admins can change this through Group Policy • Trusted Sites/Local Machine zone don’t run in Protected Mode

  10. In-proc: Compatibility Layer • Redirects file and registry key writes to a virtualized, Low IL location • HKCU\Software\Microsoft\Internet Explorer\Low Rights\Virtual • Documents and Settings\%user profile%\Local Settings\Temporary Internet Files\Virtual • Virtualized path is the full pathname added to the virtualized directory

  11. In-proc: Two Step “Save As” API to save files outside of the TIF • Step 1: Call IEShowSaveFileDialog() with target location • User is prompted with “Save As” dialog • Returns the user-chosen target path • Step 2: Call SaveFile() with source (low integrity location) to tell the User Broker to copy the file to the Target location

  12. Out-of-Proc: Register to elevate out of Protected Mode • Register your process name if your add-on launches a process that needs to elevate out of Protected Mode and run with Medium integrity (UAC Level) • To minimize the need for additional end user involvement we will ship Windows Vista with the registry pre-populated • Default behavior: If not on the allow list, IE displays an dialog

  13. Out-of-Proc: Add “Admin” to the app manifest to elevate out of UAP *The Admin token should only be used for installing software • Update install package to include new application manifest • Mark application manifest as “Admin” by adding a requestedExecutionLevel=Administrator in the AdminBroker manifest • Details are available in the UAP How To Document • Example XML format: <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level=“leastPrivilege|highestAvailable|requireAdministrator” UIAccess=“true|falue” /> </requestedPrivileges> </security> </trustInfo> • No need to add reg key to CreateProcess or CoCreateInstance list

  14. Out-of-proc: Two Steps to run your software with Low IL like Protected Mode • Step 1: During set-up, change the file or registry key’s security descriptor to Low IL by: • Retrieve Sacl from file handle • Create new security descriptor with Low IL • Create a new Sacl with Low IL SID and copy original Sacl info into new Sacl • Step 2: Create Low IL process • Create a SID with Low IL using TokenInformationClass = TokenIntegrityLevel • Use ConvertStringSidToSid with SDDL_IL_LOW

  15. Builds and Documents • Protected Mode is in December’s CTP Build • UIPI is not turned on by default in the builds • You can get updated builds through the TechBeta program • Documentation • Protected Mode Tech Article • Protected Mode API Reference

  16. Questions?

  17. Appendix

  18. FAQs • What additional value does Protected Mode add above UAP? • User Profile protection. For example, it restricts a BO in IE from overwriting My Docs • Is there UI indicating that the user is in Protected Mode • Yes, when Protected Mode is enabled for a zone the zone icon will have a Checked Shield icon overlay.

More Related