Event 1047 - Intranet at Medium Integrity Level

Applies To: Windows 7, Windows Vista

Windows® Internet Explorer® 8 helps to protect users from attack by using Protected Mode to run its processes with greatly restricted privileges on the Windows Vista® or newer operating systems. While Protected Mode does not protect against all forms of attack, it significantly reduces the ability of an attack to write, to alter, or to destroy data on the user's machine, or to install malicious code.

Previously, in Internet Explorer 7, intranet Web sites were viewed with non-trusted system privileges, which enabled the pages to write only to specific low-integrity locations. For Internet Explorer 8, intranet browsing occurs at the medium-integrity level, which enables processes to have user-level system privileges and to write to user-specific areas of the registry.

While most Internet Explorer security features will be available in Internet Explorer for the Windows XP operating systems, this functionality is only available on Windows Vista or newer operating systems because it is based on security features that were new to Windows Vista.

Understanding the Integrity Mechanism

The Windows operating system uses integrity-level labels for processes and other securable objects, an addition to the access-control security mechanism of Windows. The integrity level defines which network-enabled programs are at higher risk for exploits because they download untrustworthy content from unknown sources. Running these at-risk programs with more restricted permissions or at a lower integrity level than other programs reduces the ability of an exploit to modify the system or harm user data files.

Protected Mode uses the Windows Vista integrity mechanism to run the Internet Explorer process at Low integrity level. The main features of the integrity level mechanism are as follows:

  • Securable objects, like files and registry keys, have security descriptors that define the integrity level, or level of privilege required for write access to the object. This integrity level is defined with a new mandatory access-control entry (ACE) in the system access-control list (SACL) called a mandatory label. Objects without mandatory labels have an implied default integrity level of Medium.

  • Processes have an integrity level defined in the security access token. In Protected Mode, Internet Explorer has a Low integrity level, applications started from the Start menu have a Medium integrity level, and applications that require Administrator permissions run with a High integrity level.

  • Low integrity processes cannot gain write access to objects at a higher integrity level, even if the user's SID has write access in the discretionary access-control list (DACL). The Windows operating system performs the integrity-level checks before user access permission checks.

All files and registry keys in the Windows operating systems post-Windows Vista have a default integrity level of Medium. A Low integrity process, like Internet Explorer in Protected Mode, will receive access denied errors when it tries to modify existing files.

Some folders have a Low integrity mandatory label. A Low integrity level process can create and modify files in Low integrity folders. For example, the Temporary Internet Files folder contains a folder called Low, which is a Low integrity folder. Additionally, the integrity mechanism automatically assigns Low integrity mandatory labels to securable objects, files, or other objects created by Low integrity-level processes. By default, child processes started by a Low integrity process will also run with a Low integrity level.

The following table shows supported integrity access levels and the privileges they confer.

Integrity Access Level (IL) System Privileges

High

Administrative. The process can install files to the Program Files folder and write to sensitive registry areas such as HKEY_LOCAL_MACHINE.

Medium

User. The process can create and modify files in the user's Documents folder and write to user-specific areas of the registry, such as HKEY_CURRENT_USER.

Low

Not Trusted. The process can only write to low-integrity locations, such as the Temporary Internet Files\Low folder or the HKEY_CURRENT_USER\Software\LowRegistry registry key.

When Is This Event Logged?

This event is logged when a user clicks a hyperlink on an intranet Web page that goes to an Internet Web page.

Note

For more information and examples, see the Event 1047-Intranet at Medium Integrity Level topic from Internet Explorer Application Compatibility.

Remediation

You can disable this security feature by setting the following named values in the registry:

  • HKEY_LOCAL_MACHINE (or HKEY_CURRENT_USER)\SOFTWARE\Microsoft\Internet Explorer\Main\PPT (dword)=0 or 1

  • HKEY_LOCAL_MACHINE (or HKEY_CURRENT_USER)\SOFTWARE\Microsoft\Internet Explorer\Main\TabProcGrowth=0 or 1

If you set PPT (dword) to 0, you will disable Low Rights Internet Explorer (LoRIE)/Protected Mode and tab processes will run at the medium-integrity level. Additionally, if you also set TabProcGrowth to 0, you will run Internet Explorer at the medium mandatory integrity control (MIC) for a single process, for example, when frames and tabs run in the same process.

What Happens If I Disable This Security Feature?

If you disable this security feature, you will be more prone to integrity-level attacks. Disabling this feature should only be used as a temporary measure during troubleshooting, to compare the behavior of the application when the feature is enabled and when it is disabled. It is not recommended that this feature be left disabled on an ongoing basis.

See Also

Concepts

Known Internet Explorer Security Feature Issues