1. Adding Sites to the Trusted Sites List
Internet Explorer is configured by default to prevent Internet
Web sites from performing many actions that might compromise the
computer's security or the user's privacy. However, some legitimate
Web sites might need to perform those actions to allow Web
applications to run properly.
Administrators can add sites to the Trusted Sites list to grant them additional privileges.
To add a site to the Trusted Sites list, follow these steps:
- In Internet Explorer, click the Tools menu on the toolbar, and then click Internet Options.
- In the Internet Options dialog box, click the Security tab. Click Trusted Sites, and then click Sites.
- In the Trusted Sites dialog box, clear the Require Server Verification check box if you access the server using HTTP rather than HTTPS.
- In the Add This Website To The Zone box, type the URL of the Web site, such as http://www.contoso.com, and then click Add.
- Click Close.
The next time you visit the site, Internet Explorer grants it
all the privileges assigned to the Trusted Sites list.
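Because every Trusted Sites entry widens what a site may do, it is worth reviewing the list periodically. The following added example (not part of the original text) lists the sites assigned to the Trusted Sites zone and flags entries that are not restricted to HTTPS. It assumes Windows PowerShell 3.0 or later and the standard ZoneMap registry layout; the function names are illustrative.

```powershell
# Added example: list Trusted Sites (zone 2) assignments and flag non-HTTPS entries.
$inet   = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$policy = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-TrustedSiteEntry {
    param([string]$DomainsKey)    # path to a ZoneMap\Domains registry key
    if (-not (Test-Path -Path $DomainsKey)) { return }
    # Sites are stored as Domains\<domain>[\<subdomain>], one DWORD value per scheme.
    Get-ChildItem -Path $DomainsKey -Recurse | ForEach-Object {
        $key = $_
        $relative = $key.Name.Substring($key.Name.IndexOf('\Domains\') + 9)
        [string[]]$labels = $relative -split '\\'
        [array]::Reverse($labels)                 # contoso.com\www -> www.contoso.com
        foreach ($scheme in $key.GetValueNames()) {
            if ($key.GetValue($scheme) -eq 2) {   # 2 = Trusted Sites zone
                [pscustomobject]@{
                    Site      = '{0}://{1}' -f $scheme, ($labels -join '.')
                    HttpsOnly = ($scheme -eq 'https')
                    Source    = $DomainsKey
                }
            }
        }
    }
}

function Test-TrustedZoneRequiresHttps {
    # Bit 0x4 of the zone's Flags value backs the Require Server Verification check box.
    $zone = Get-ItemProperty -Path "HKCU:\$inet\Zones\2" -Name Flags -ErrorAction SilentlyContinue
    return [bool]($zone -and ($zone.Flags -band 0x4))
}

# Sites added in the dialog box land under HKCU; Group Policy assignments under Policies.
$entries = @(
    Get-TrustedSiteEntry "HKCU:\$inet\ZoneMap\Domains"
    Get-TrustedSiteEntry "HKCU:\$policy\ZoneMap\Domains"
    Get-TrustedSiteEntry "HKLM:\$policy\ZoneMap\Domains"
)

"Require Server Verification enabled: $(Test-TrustedZoneRequiresHttps)"
$entries | Sort-Object HttpsOnly, Site | Format-Table -AutoSize
```

Entries with HttpsOnly set to False receive Trusted Sites privileges over an unauthenticated connection and are the ones to review first.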
2. Protected Mode
Before Windows Vista, many computers were compromised when Web
sites containing malicious code succeeded in abusing the Web browsers
of visitors to run code on the client computer. Because any new
process spawned by an existing process inherits the privileges of the
parent process and the Web browser ran with the user's full
privileges, maliciously spawned processes received the same privilege
as the user. With the user's elevated privileges, the malicious
process could install software and transfer confidential
documents.
In Windows Vista and Windows 7, Internet Explorer aims to
reduce this type of risk using a feature called Protected
Mode. With Protected Mode (originally introduced with
Internet Explorer 7), Internet Explorer 8 runs with very limited
privileges on the local computer—even fewer privileges than those that
the standard user has in Windows 7. Therefore, even if malicious code
on a Web site were to abuse Internet Explorer successfully to spawn a
process, that malicious process would have privileges only to access
the Temporary Internet Files folder and a few other locations—it would
not be able to install software, reconfigure the computer, or read the
user's documents.
For example, most users log on to computers running Windows XP
with administrative privileges. If a Web site exploits a vulnerability
in Windows XP that hasn't been fixed with an update and successfully
starts a process to install spyware, the spyware installation process
would have full administrator privileges to the local computer. On a
computer running Windows 7, the spyware installation process would have
minimal privileges—even fewer than those of a standard user—regardless
of whether the user was logged on as an administrator.
Protected Mode is a form of defense-in-depth. Protected Mode is
a factor only if malicious code successfully compromises the Web
browser and runs. In these cases, Protected Mode limits the damage the
process can do without the user's permission. Protected Mode is not
available when Internet Explorer is installed on Windows XP because it
requires several security features unique to Windows Vista and Windows
7.
The sections that follow provide more information about
Protected Mode.
One of the features of Windows 7 that enables Protected Mode
is Mandatory Integrity Control (MIC). MIC
labels processes, folders, files, and registry keys using one of
four integrity access levels (ILs), as shown in Table 1. Internet Explorer
runs with a low IL, which means it can access only other low IL
resources without the user's permission.
Table 1. Mandatory Integrity Control Levels

| IL | SYSTEM PRIVILEGES |
|---|---|
| System | System; processes have unlimited access to the computer. |
| High | Administrative; processes can install files to the Program Files folder and write to sensitive registry areas like HKEY_LOCAL_MACHINE. |
| Medium | User; processes can create and modify files in the user's Documents folder and write to user-specific areas of the registry, such as HKEY_CURRENT_USER. Most files and folders on a computer have a medium integrity level because any object without a mandatory label has an implied default integrity level of Medium. |
| Low | Untrusted; processes can write only to low-integrity locations, such as the Temporary Internet Files\Low folder or the HKEY_CURRENT_USER\Software\LowRegistry key. |

Low IL resources that Internet Explorer in Protected Mode can access include:
- The History folder
- The Cookies folder
- The Favorites folder
- The %Userprofile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\ folder
- The Temporary Files folders
- The HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry key
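To see the integrity labels from Table 1 on a live system, the following added example (not part of the original text) reads the mandatory label of a folder with icacls and the integrity level of the current process with whoami. It assumes Windows PowerShell 3.0 or later, English-language tool output, and the Windows 7 folder layout given above; the function names are illustrative.

```powershell
# Added example: show the mandatory integrity label on folders and on the current process.
function Get-IntegrityLabel {
    param([Parameter(Mandatory = $true)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Level = 'Path not found'; Flags = $null }
    }
    # icacls prints a labeled object as "Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)".
    $lines = & icacls.exe $Path 2>$null
    $hit = $lines |
        Select-String -Pattern 'Mandatory Label\\(\w+) Mandatory Level:(\S*)' |
        Select-Object -First 1
    if ($hit) {
        $level = $hit.Matches[0].Groups[1].Value
        $flags = $hit.Matches[0].Groups[2].Value   # inheritance and no-write-up flags
    } else {
        # No explicit label: the object has the implied default level described in Table 1.
        $level = 'Medium (implied, no label)'
        $flags = $null
    }
    [pscustomobject]@{ Path = $Path; Level = $level; Flags = $flags }
}

function Get-ProcessIntegrityLevel {
    # whoami lists the process token's label among its groups.
    $hit = & whoami.exe /groups |
        Select-String -Pattern 'Mandatory Label\\(\w+) Mandatory Level' |
        Select-Object -First 1
    if ($hit) { $hit.Matches[0].Groups[1].Value } else { 'Unknown' }
}

$paths = @(
    "$env:USERPROFILE\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low"
    [Environment]::GetFolderPath('MyDocuments')
)

"Current process integrity level: $(Get-ProcessIntegrityLevel)"
$paths | ForEach-Object { Get-IntegrityLabel -Path $_ } | Format-Table -AutoSize
```

Run from a normal (non-elevated) prompt, the process reports Medium, the Low folder carries an explicit Low label, and the Documents folder has no label at all.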
How the Protected Mode Compatibility Layer Works
To minimize both the number of privilege elevation requests
and the number of compatibility problems, Protected Mode provides a compatibility layer. The
Protected Mode Compatibility Layer redirects
requests for protected resources to safer locations. For example,
any requests for the Documents library are redirected automatically
to subfolders contained within the hidden
%Userprofile%\AppData\Local\Microsoft\Windows\Temporary Internet
Files\Virtualized folder. The first time that an add-on attempts to
write to a protected object, the Protected Mode Compatibility Layer
copies the object to a safe location and accesses the copy. All
future requests for the same protected file access the
copy.
The Protected Mode Compatibility Layer applies only to
Internet Explorer add-ons written for versions of Windows prior to
Windows Vista because anything written for Windows Vista or Windows
7 would access files natively in the preferred locations.
How to Enable Compatibility Logging
Some Web applications and Internet Explorer add-ons developed
for earlier versions of Internet Explorer have compatibility
problems when you run them with Internet Explorer 8 and Windows 7.
One way to identify the exact compatibility problem is to enable
compatibility logging using Group Policy. To enable compatibility logging on your local computer, perform
these steps:
- Click Start, type gpedit.msc, and then press Enter.
- In the Group Policy Object Editor, browse to User Configuration\Administrative Templates\Windows Components\Internet Explorer. If you need to enable compatibility logging for all users on the computer, browse to Computer Configuration\Administrative Templates\Windows Components\Internet Explorer.
- Double-click the Turn On Compatibility Logging setting. Select Enabled, and then click OK.
- Restart Internet Explorer if it is currently open; otherwise, start it.
With compatibility logging enabled, you should reproduce the
problem you are experiencing. You can then view events in the Event
Viewer snap-in under Applications And Service Logs\Internet
Explorer. Some events, such as Event ID 1037, will not have a
description unless you also install the Application Compatibility
Toolkit.
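Once the problem has been reproduced, the log can also be summarized from the command line. The following added example (not part of the original text) groups the events in the Internet Explorer log by event ID and marks IDs whose description could not be resolved, as happens with Event ID 1037 when the Application Compatibility Toolkit is not installed. It assumes Windows PowerShell 3.0 or later; the function name is illustrative.

```powershell
# Added example: summarize compatibility events written to the Internet Explorer log.
function Get-IECompatibilitySummary {
    param([int]$MaxEvents = 500)
    # The log name matches the Event Viewer node under Applications And Service Logs.
    $events = Get-WinEvent -LogName 'Internet Explorer' -MaxEvents $MaxEvents `
        -ErrorAction SilentlyContinue
    if (-not $events) { return }

    $events | Group-Object -Property Id | Sort-Object -Property Count -Descending |
        ForEach-Object {
            $latest = $_.Group | Sort-Object -Property TimeCreated -Descending |
                Select-Object -First 1
            $hasText = -not [string]::IsNullOrEmpty($latest.Message)
            $sample = if ($hasText) {
                # Keep only the first line so the table stays readable.
                ($latest.Message -split "`r?`n")[0]
            } else {
                '(no description available)'
            }
            [pscustomobject]@{
                EventId        = [int]$_.Name
                Count          = $_.Count
                LastSeen       = $latest.TimeCreated
                HasDescription = $hasText
                Sample         = $sample
            }
        }
}

Get-IECompatibilitySummary | Format-Table -AutoSize -Wrap
```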
Note: COMPATIBILITY LOGGING
For more information about compatibility logging, read "Finding Security Compatibility Issues in Internet Explorer 7," at http://msdn.microsoft.com/en-us/library/bb250493.aspx. It applies equally well to Internet Explorer 8.
How to Disable Protected Mode
If you are concerned that Protected Mode is causing problems with a Web
application, you can disable it temporarily to test the application.
Protected Mode is enabled on a zone-by-zone basis and is disabled by
default for Trusted Sites.
To disable Protected Mode, perform these steps:
- Open Internet Explorer.
- Click the Tools button on the toolbar, and then click Internet Options.
- Click the Security tab.
- Select the zone for which you want to disable Protected Mode. Then, clear the Enable Protected Mode check box.
- Click OK twice.
- Restart Internet Explorer.
If the application works when Protected Mode is disabled, the
problem is probably related to Protected Mode. In that case, you
should re-enable Protected Mode and work with the application
developer to solve the problems in the Web application.
Alternatively, you could add the site to the Trusted Sites zone,
thus permanently disabling Protected Mode for that site.
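Because Protected Mode is meant to be disabled only temporarily for testing, it is useful to confirm afterward that it is enabled again. The following added example (not part of the original text) reports the Enable Protected Mode setting for each zone, which is stored as the registry value 2500 (0 = enabled, 3 = disabled). It assumes Windows PowerShell 3.0 or later; the function name and the Review column are illustrative.

```powershell
# Added example: report the Protected Mode setting (value 2500) for each security zone.
$zoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$zonesKey  = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
# Policy locations are read first; a policy value takes precedence over the user's own setting.
$sources = @(
    @{ Name = 'Machine policy'; Path = "HKLM:\Software\Policies\$zonesKey" }
    @{ Name = 'User policy';    Path = "HKCU:\Software\Policies\$zonesKey" }
    @{ Name = 'User setting';   Path = "HKCU:\Software\$zonesKey" }
)

function Get-ProtectedModeState {
    foreach ($zone in ($zoneNames.Keys | Sort-Object)) {
        $state = 'Not set (zone default applies)'
        $from  = $null
        foreach ($source in $sources) {
            $item = Get-ItemProperty -Path (Join-Path $source.Path $zone) -Name '2500' `
                -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                $state = switch ($item.'2500') {
                    0       { 'Enabled' }
                    3       { 'Disabled' }
                    default { "Unknown ($_)" }
                }
                $from = $source.Name
                break   # first location that defines the value wins
            }
        }
        [pscustomobject]@{
            Zone          = $zone
            Name          = $zoneNames[$zone]
            ProtectedMode = $state
            Source        = $from
            # Protected Mode left off for the Internet or Restricted zone deserves a second look.
            Review        = ($state -eq 'Disabled' -and $zone -ge 3)
        }
    }
}

Get-ProtectedModeState | Format-Table -AutoSize
```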