IE's Protected Mode in Windows Vista™


1
IE's Protected Mode in Windows Vista™
  • January 20, 2006
  • Marc Silbey
  • Program Manager

2
Agenda
  • Goals
  • Protected Mode Summary
  • Architectural Overview
  • Compat Features
  • Getting in-proc add-ons to work
  • Options for out-of-proc add-ons
  • Becoming a Low Integrity Level client

3
Goals of Protected Mode
  • Reduce the severity of threats to IE and threats
    to add-ons running in IE by eliminating the
    silent install of malicious code through software
    vulnerabilities
  • Preserve compatibility whenever possible
  • Provide the capability and guidance for add-ons
    to restore functionality
  • Minimize required user involvement

4
Protected Mode Summary
  • Protected Mode restricts IE from writing or
    sending window messages outside of low integrity
    resources like the Temporary Internet Files (TIF)
    folder
  • IE's process has fewer write privileges than UAC
  • It builds on Mandatory Integrity Control (MIC),
    which restricts writes to higher integrity
    securable objects like files and reg keys
  • It builds on UI Privilege Isolation (UIPI),
    which restricts certain window messages to higher
    integrity processes
  • This means Protected Mode is Windows Vista only
  • Protected Mode uses COM to call two new broker
    processes which allow IE to write outside of the
    TIF
  • A compatibility layer allows add-ons to elevate

5
Enabling UIPI in the builds
  • Toggle UIPI via the following regkey:
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights
  • ON: "EnableLowDesktopIL"=dword:00000001
      • Sets Protected Mode's Desktop Integrity to Low
  • OFF: "EnableLowDesktopIL"=dword:00000000
      • Sets Protected Mode's Desktop Integrity to
        Medium
  • Protected Mode always runs with a Low Process
    Integrity and the MIC restricts writes outside of
    low locations

6
Download and Install of new ActiveX
  • Same as XPSP2 with a new UAP credential prompt

7
Download and Install of New Toolbars
  • Same as XPSP2 with a new UAP credential prompt

8
Architectural Overview

9
Compatibility Features
  • In-proc add-ons (ActiveX controls, toolbars, etc.)
      • Have the same privileges as Protected Mode
      • File system writes get re-routed to the TIF via a
        Compat Layer
      • Can call Save As API to save files outside of
        the TIF
  • Out-of-proc add-ons (Doc object servers, etc.)
      • Get Protected Mode's restrictions by default
      • Can elevate privilege
  • Internet and Intranet sites run in Protected Mode
  • Navigation between these zones and the Internet,
    Intranet or restricted sites zone spawns a new
    window
  • Admins can change this through Group Policy
  • Trusted Sites/Local Machine zone don't run in
    Protected Mode

10
In-proc Compatibility Layer
  • Redirects file and registry key writes to a
    virtualized, Low IL location
      • HKCU\Software\Microsoft\Internet Explorer\Low Rights\Virtual
      • Documents and Settings\user profile\Local Settings\Temporary Internet Files\Virtual
  • Virtualized path is the full pathname added to
    the virtualized directory

11
In-proc: Two Step 'Save As' API to save files
outside of the TIF
  • Step 1: Call IEShowSaveFileDialog() with target
    location
      • User is prompted with Save As dialog
      • Returns the user-chosen target path
  • Step 2: Call SaveFile() with source (low
    integrity location) to tell the User Broker to
    copy the file to the Target location

12
Out-of-Proc: Register to elevate out of Protected
Mode
  • Register your process name if your add-on
    launches a process that needs to elevate out of
    Protected Mode and run with Medium integrity (UAC
    Level)
  • To minimize the need for additional end user
    involvement we will ship Windows Vista with the
    registry pre-populated
  • Default behavior: If not on the allow list, IE
    displays a dialog

13
Out-of-Proc: Add Admin to the app manifest to
elevate out of UAP
  • The Admin token should only be used for
    installing software
  • Update install package to include new application
    manifest
  • Mark application manifest as Admin by adding a
    requestedExecutionLevel=Administrator in the
    AdminBroker manifest
  • Details are available in the UAP How To Document
  • Example XML format:

    <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
      <security>
        <requestedPrivileges>
          <requestedExecutionLevel level="leastPrivilege|highestAvailable|requireAdministrator" UIAccess="true|false" />
        </requestedPrivileges>
      </security>
    </trustInfo>

  • No need to add reg key to CreateProcess or
    CoCreateInstance list

14
Out-of-proc: Two Steps to run your software with
Low IL like Protected Mode
  • Step 1: During set-up, change the file or
    registry key's security descriptor to Low IL by:
      • Retrieve Sacl from file handle
      • Create new security descriptor with Low IL
      • Create a new Sacl with Low IL SID and copy
        original Sacl info into new Sacl
  • Step 2: Create Low IL process
      • Create a SID with Low IL using
        TokenInformationClass TokenIntegrityLevel
      • Use ConvertStringSidToSid with SDDL_IL_LOW
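
Added example, not part of the original presentation: a small Python model of the MIC write check that Step 1 relies on, reading the mandatory label from an SDDL string to decide whether a Low IL process may write to an object. The sample descriptors are constructed; the aliases LW/ME/HI/SI and the S-1-16-* SIDs are the standard Windows integrity labels, which the slides do not list.

```python
import re

# Standard integrity levels, keyed by SDDL alias; the value is the RID of S-1-16-<RID>.
LEVELS = {"LW": 0x1000, "ME": 0x2000, "HI": 0x3000, "SI": 0x4000}
SID_PREFIX = "S-1-16-"

# SDDL ACE layout: (type;flags;rights;object_guid;inherit_guid;account_sid)
# "ML" is the mandatory-label ACE type, which only appears in a SACL.
ML_ACE = re.compile(r"\(ML;([^;]*);([^;]*);[^;]*;[^;]*;([^;)]+)\)")


def parse_label(sddl):
    """Return (level, policy) for the mandatory label in an SDDL string.

    An object with no label ACE is treated as Medium with no-write-up,
    which is the Windows default for unlabelled objects.
    """
    m = ML_ACE.search(sddl)
    if not m:
        return LEVELS["ME"], {"NW"}
    _flags, rights, sid = m.groups()
    if sid in LEVELS:
        level = LEVELS[sid]
    elif sid.startswith(SID_PREFIX):
        level = int(sid[len(SID_PREFIX):])
    else:
        raise ValueError("not an integrity SID: " + sid)
    # Policy bits: NW = no-write-up, NR = no-read-up, NX = no-execute-up.
    return level, set(re.findall("NW|NR|NX", rights))


def write_allowed(subject_level, sddl):
    """MIC decision only; on a real system the DACL check still follows."""
    object_level, policy = parse_label(sddl)
    return subject_level >= object_level or "NW" not in policy


# Constructed sample descriptors (assumptions, not from the slides).
LOW_LABELLED = "D:(A;;FA;;;BU)S:(ML;;NW;;;LW)"   # object after Step 1
UNLABELLED = "D:(A;;FA;;;BU)"                    # no label: Medium
HIGH_BY_SID = "S:(ML;;NWNR;;;S-1-16-12288)"      # numeric SID form

if __name__ == "__main__":
    for name in ("LOW_LABELLED", "UNLABELLED", "HIGH_BY_SID"):
        print(name, write_allowed(LEVELS["LW"], globals()[name]))
```

The unlabelled case is the one that matters for add-on authors: a permissive DACL is not enough, because a Low IL process is still refused write access until the object carries a Low label.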

15
Builds and Documents
  • Protected Mode is in December's CTP Build
  • UIPI is not turned on by default in the builds
  • You can get updated builds through the TechBeta
    program
  • Documentation
  • Protected Mode Tech Article
  • Protected Mode API Reference

16
Questions?

17
Appendix

18
FAQs
  • What additional value does Protected Mode add
    above UAP?
      • User Profile protection. For example, it
        restricts a BO in IE from overwriting My Docs
  • Is there UI indicating that the user is in
    Protected Mode?
      • Yes, when Protected Mode is enabled for a zone
        the zone icon will have a Checked Shield icon
        overlay.