180 likes | 387 Views
IE’s Protected Mode in Windows Vista TM. January 20, 2006 Marc Silbey Program Manager. Agenda. Goals Protected Mode Summary Architectural Overview Compat Features Getting in-proc add-ons to work Options for out-of-proc add-ons Becoming a Low Integrity Level client.
E N D
IE’s Protected Mode in Windows VistaTM January 20, 2006 Marc Silbey Program Manager
Agenda • Goals • Protected Mode Summary • Architectural Overview • Compat Features • Getting in-proc add-ons to work • Options for out-of-proc add-ons • Becoming a Low Integrity Level client
Goals of Protected Mode • Reduce the severity of threats to IE and threats to add-ons running in IE by eliminating the silent install of malicious code through software vulnerabilities • Preserve compatibility whenever possible • Provide the capability and guidance for add-ons to restore functionality • Minimize required user involvement
Protected Mode Summary • Protected Mode restricts IE from writing or sending window messages outside of low integrity resources like Temporary Internet Files (TIF) folder • IE’s process has less write-privileges than UAC • It builds on the Mandatory Integrity Control (MIC) which restricts writes to higher integrity securable objects like files and reg keys • It builds on the UI Privilege Isolation (UIPI) which restricts certain window messages to higher integrity processes • This means Protected Mode is Windows Vista only • Protected Mode uses COM to call two new broker processes which allow IE to write outside of the TIF • A compatibility layer allows add-ons to elevate
Enabling UIPI in the builds • Toggle UIPI via the following regkey • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights] • ON "EnableLowDesktopIL"=dword:00000001 • Set’s Protected Mode’s Desktop Integrity to Low • OFF "EnableLowDesktopIL"=dword:00000000 • Set’s Protected Mode’s Desktop Integrity to Medium • Protected Mode always runs with a Low Process Integrity and the MIC restricts writes outside of low locations
Download and Install of new ActiveX • Same as XPSP2 with a new UAP credential prompt
Download and Install of New Toolbars • Same as XPSP2 with a new UAP credential prompt
Compatibility Features • In-proc add-ons (ActiveX controls, toolbars, etc) • Have the same privileges as Protected Mode • File system writes get re-routed to the TIF via a Compat Layer • Can call “Save As” API to save files outside of the TIF • Out-of-proc add-ons (Doc object servers, etc) • Get Protected Mode’s restrictions by default • Can elevate privilege • Internet and Intranet sites run in Protected Mode • Navigation between these zones and the Internet, Intranet or restricted sites zone spawn a new window • Admins can change this through Group Policy • Trusted Sites/Local Machine zone don’t run in Protected Mode
In-proc: Compatibility Layer • Redirects file and registry key writes to a virtualized, Low IL location • HKCU\Software\Microsoft\Internet Explorer\Low Rights\Virtual • Documents and Settings\%user profile%\Local Settings\Temporary Internet Files\Virtual • Virtualized path is the full pathname added to the virtualized directory
In-proc: Two Step “Save As” API to save files outside of the TIF • Step 1: Call IEShowSaveFileDialog() with target location • User is prompted with “Save As” dialog • Returns the user-chosen target path • Step 2: Call SaveFile() with source (low integrity location) to tell the User Broker to copy the file to the Target location
Out-of-Proc: Register to elevate out of Protected Mode • Register your process name if your add-on launches a process that needs to elevate out of Protected Mode and run with Medium integrity (UAC Level) • To minimize the need for additional end user involvement we will ship Windows Vista with the registry pre-populated • Default behavior: If not on the allow list, IE displays an dialog
Out-of-Proc: Add “Admin” to the app manifest to elevate out of UAP *The Admin token should only be used for installing software • Update install package to include new application manifest • Mark application manifest as “Admin” by adding a requestedExecutionLevel=Administrator in the AdminBroker manifest • Details are available in the UAP How To Document • Example XML format: <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level=“leastPrivilege|highestAvailable|requireAdministrator” UIAccess=“true|falue” /> </requestedPrivileges> </security> </trustInfo> • No need to add reg key to CreateProcess or CoCreateInstance list
Out-of-proc: Two Steps to run your software with Low IL like Protected Mode • Step 1: During set-up, change the file or registry key’s security descriptor to Low IL by: • Retrieve Sacl from file handle • Create new security descriptor with Low IL • Create a new Sacl with Low IL SID and copy original Sacl info into new Sacl • Step 2: Create Low IL process • Create a SID with Low IL using TokenInformationClass = TokenIntegrityLevel • Use ConvertStringSidToSid with SDDL_IL_LOW
Builds and Documents • Protected Mode is in December’s CTP Build • UIPI is not turned on by default in the builds • You can get updated builds through the TechBeta program • Documentation • Protected Mode Tech Article • Protected Mode API Reference
FAQs • What additional value does Protected Mode add above UAP? • User Profile protection. For example, it restricts a BO in IE from overwriting My Docs • Is there UI indicating that the user is in Protected Mode • Yes, when Protected Mode is enabled for a zone the zone icon will have a Checked Shield icon overlay.