IEs Protected Mode in Windows VistaTM

1
IEs Protected Mode in Windows VistaTM

• January 20, 2006
• Marc Silbey
• Program Manager

2
Agenda

• Goals
• Protected Mode Summary
• Architectural Overview
• Compat Features
• Getting in-proc add-ons to work
• Options for out-of-proc add-ons
• Becoming a Low Integrity Level client

3
Goals of Protected Mode

• Reduce the severity of threats to IE and threats
  to add-ons running in IE by eliminating the
  silent install of malicious code through software
  vulnerabilities
• Preserve compatibility whenever possible
• Provide the capability and guidance for add-ons
  to restore functionality
• Minimize required user involvement

4
Protected Mode Summary

• Protected Mode restricts IE from writing or
  sending window messages outside of low integrity
  resources like Temporary Internet Files (TIF)
  folder
• IEs process has less write-privileges than UAC
• It builds on the Mandatory Integrity Control
  (MIC) which restricts writes to higher integrity
  securable objects like files and reg keys
• It builds on the UI Privilege Isolation (UIPI)
  which restricts certain window messages to higher
  integrity processes
• This means Protected Mode is Windows Vista only
• Protected Mode uses COM to call two new broker
  processes which allow IE to write outside of the
  TIF
• A compatibility layer allows add-ons to elevate

5
Enabling UIPI in the builds

• Toggle UIPI via the following regkey
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet
  Explorer\Low Rights
• ON "EnableLowDesktopIL"dword00000001
• Sets Protected Modes Desktop Integrity to Low
• OFF "EnableLowDesktopIL"dword00000000
• Sets Protected Modes Desktop Integrity to
  Medium
• Protected Mode always runs with a Low Process
  Integrity and the MIC restricts writes outside of
  low locations

6
Download and Install of new ActiveX

• Same as XPSP2 with a new UAP credential prompt

7
Download and Install of New Toolbars

• Same as XPSP2 with a new UAP credential prompt

8
Architectural Overview
9
Compatibility Features

• In-proc add-ons (ActiveX controls, toolbars, etc)
• Have the same privileges as Protected Mode
• File system writes get re-routed to the TIF via a
  Compat Layer
• Can call Save As API to save files outside of
  the TIF
• Out-of-proc add-ons (Doc object servers, etc)
• Get Protected Modes restrictions by default
• Can elevate privilege
• Internet and Intranet sites run in Protected Mode
• Navigation between these zones and the Internet,
  Intranet or restricted sites zone spawn a new
  window
• Admins can change this through Group Policy
• Trusted Sites/Local Machine zone dont run in
  Protected Mode

10
In-proc Compatibility Layer

• Redirects file and registry key writes to a
  virtualized, Low IL location
• HKCU\Software\Microsoft\Internet Explorer\Low
  Rights\Virtual
• Documents and Settings\user profile\Local
  Settings\Temporary Internet Files\Virtual
• Virtualized path is the full pathname added to
  the virtualized directory

11
In-proc Two Step Save As API to save files
outside of the TIF

• Step 1 Call IEShowSaveFileDialog() with target
  location
• User is prompted with Save As dialog
• Returns the user-chosen target path
• Step 2 Call SaveFile() with source (low
  integrity location) to tell the User Broker to
  copy the file to the Target location

12
Out-of-Proc Register to elevate out of Protected
Mode

• Register your process name if your add-on
  launches a process that needs to elevate out of
  Protected Mode and run with Medium integrity (UAC
  Level)
• To minimize the need for additional end user
  involvement we will ship Windows Vista with the
  registry pre-populated
• Default behavior If not on the allow list, IE
  displays an dialog

13
Out-of-Proc Add Admin to the app manifest to
elevate out of UAP

• The Admin token should only be used for
  installing software
• Update install package to include new application
  manifest
• Mark application manifest as Admin by adding a
  requestedExecutionLevelAdministrator in the
  AdminBroker manifest
• Details are available in the UAP How To Document
• Example XML format
• lttrustInfo xmlns"urnschemas-microsoft-comasm.v3
  "gt
• ltsecuritygt
• ltrequestedPrivilegesgt
• ltrequestedExecutionLevel levelleastPrivilege
  highestAvailablerequireAdministrator
  UIAccesstruefalue /gt
• lt/requestedPrivilegesgt
• lt/securitygt
• lt/trustInfogt
• No need to add reg key to CreateProcess or
  CoCreateInstance list

14
Out-of-proc Two Steps to run your software with
Low IL like Protected Mode

• Step 1 During set-up, change the file or
  registry keys security descriptor to Low IL by
• Retrieve Sacl from file handle
• Create new security descriptor with Low IL
• Create a new Sacl with Low IL SID and copy
  original Sacl info into new Sacl
• Step 2 Create Low IL process
• Create a SID with Low IL using TokenInformationCla
  ss TokenIntegrityLevel
• Use ConvertStringSidToSid with SDDL_IL_LOW

15
Builds and Documents

• Protected Mode is in Decembers CTP Build
• UIPI is not turned on by default in the builds
• You can get updated builds through the TechBeta
  program
• Documentation
• Protected Mode Tech Article
• Protected Mode API Reference

16
Questions?
17
Appendix
18
FAQs

• What additional value does Protected Mode add
  above UAP?
• User Profile protection. For example, it
  restricts a BO in IE from overwriting My Docs
• Is there UI indicating that the user is in
  Protected Mode
• Yes, when Protected Mode is enabled for a zone
  the zone icon will have a Checked Shield icon
  overlay.