IEs Protected Mode in Windows Vista TM January 20, 2006 Marc Silbey Program Manager

2 Agenda Goals Protected Mode Summary Architectural Overview Compat Features Getting in-proc add-ons to work Options for out-of-proc add-ons Becoming a Low Integrity Level client

3 Goals of Protected Mode Reduce the severity of threats to IE and threats to add-ons running in IE by eliminating the silent install of malicious code through software vulnerabilities Preserve compatibility whenever possible Provide the capability and guidance for add-ons to restore functionality Minimize required user involvement

4 Protected Mode Summary Protected Mode restricts IE from writing or sending window messages outside of low integrity resources like Temporary Internet Files (TIF) folder IEs process has less write-privileges than UAC It builds on the Mandatory Integrity Control (MIC) which restricts writes to higher integrity securable objects like files and reg keys It builds on the UI Privilege Isolation (UIPI) which restricts certain window messages to higher integrity processes This means Protected Mode is Windows Vista only Protected Mode uses COM to call two new broker processes which allow IE to write outside of the TIF A compatibility layer allows add-ons to elevate Integrity Levels Privilege High IL Admin Medium IL User Low IL Low

5 Enabling UIPI in the builds Toggle UIPI via the following regkey [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights] ON "EnableLowDesktopIL"=dword: Sets Protected Modes Desktop Integrity to Low OFF "EnableLowDesktopIL"=dword: Sets Protected Modes Desktop Integrity to Medium Protected Mode always runs with a Low Process Integrity and the MIC restricts writes outside of low locations

6 Download and Install of new ActiveX Same as XPSP2 with a new UAP credential prompt

7 Download and Install of New Toolbars Same as XPSP2 with a new UAP credential prompt

8 Architectural Overview

9 Compatibility Features In-proc add-ons (ActiveX controls, toolbars, etc) Have the same privileges as Protected Mode File system writes get re-routed to the TIF via a Compat Layer Can call Save As API to save files outside of the TIF Out-of-proc add-ons (Doc object servers, etc) Get Protected Modes restrictions by default Can elevate privilege Internet and Intranet sites run in Protected Mode Navigation between these zones and the Internet, Intranet or restricted sites zone spawn a new window Admins can change this through Group Policy Trusted Sites/Local Machine zone dont run in Protected Mode

10 In-proc: Compatibility Layer Redirects file and registry key writes to a virtualized, Low IL location HKCU\Software\Microsoft\Internet Explorer\Low Rights\Virtual Documents and Settings\%user profile%\Local Settings\Temporary Internet Files\Virtual Virtualized path is the full pathname added to the virtualized directory If Protected Mode tries to write here… …the virtualized write goes here: HKCU\Software\FooBar\ HKCU\Software\MS\IE\Low Rights\Virtual\Software\FooBar C:\Documents and Settings\%user profile%\FooBar C:\Documents and Settings\%user profile%\Local Settings\Temporary Internet Files\Virtual\FooBar

11 In-proc: Two Step Save As API to save files outside of the TIF Step 1: Call IEShowSaveFileDialog() with target location User is prompted with Save As dialog Returns the user-chosen target path Step 2: Call SaveFile() with source (low integrity location) to tell the User Broker to copy the file to the Target location

12 Out-of-Proc: Register to elevate out of Protected Mode Register your process name if your add-on launches a process that needs to elevate out of Protected Mode and run with Medium integrity (UAC Level) To minimize the need for additional end user involvement we will ship Windows Vista with the registry pre-populated Default behavior: If not on the allow list, IE displays an dialog

13 Out-of-Proc: Add Admin to the app manifest to elevate out of UAP *The Admin token should only be used for installing software Update install package to include new application manifest Mark application manifest as Admin by adding a requestedExecutionLevel=Administrator in the AdminBroker manifest Details are available in the UAP How To Document UAP How To DocumentUAP How To Document Example XML format: <security><requestedPrivileges> </requestedPrivileges></security></trustInfo> No need to add reg key to CreateProcess or CoCreateInstance list

14 Out-of-proc: Two Steps to run your software with Low IL like Protected Mode Step 1: During set-up, change the file or registry keys security descriptor to Low IL by: Retrieve Sacl from file handle Create new security descriptor with Low IL Create a new Sacl with Low IL SID and copy original Sacl info into new Sacl Step 2: Create Low IL process Create a SID with Low IL using TokenInformationClass = TokenIntegrityLevel Use ConvertStringSidToSid with SDDL_IL_LOW ConvertStringSidToSid

15 Builds and Documents Protected Mode is in Decembers CTP Build UIPI is not turned on by default in the builds You can get updated builds through the TechBeta program Documentation Protected Mode Tech Article Protected Mode Tech Article Protected Mode API Reference Protected Mode API Reference

Questions?

Appendix

18 FAQs What additional value does Protected Mode add above UAP? User Profile protection. For example, it restricts a BO in IE from overwriting My Docs Is there UI indicating that the user is in Protected Mode Yes, when Protected Mode is enabled for a zone the zone icon will have a Checked Shield icon overlay. Protected Mode IE IE in UAP Files downloaded from respective zone Created with Low integrity level Created with Medium integrity level Able to modify My documents NoYes Perform cross-process UI interaction with other applications on the desktop NoYes Inject a DLL and create a remote thread in another process NoYes Used to render.htm file in local machine zone YesYes