Application Compatibility: Internet Explorer Protected Mode
Internet Explorer Protected Mode
Feature Impact
High
Brief Description
In Windows Vista® and Windows Server® 2008, Microsoft® Internet Explorer® 7 runs in Protected Mode, which can help protect users from attack by running the Internet Explorer process with greatly restricted privileges. Protected Mode significantly reduces the ability of an attacker to write, alter, or destroy data on the user's machine or to install malicious code, and it can help prevent malicious code from installing itself without authorization. This mode is the default for Internet Explorer when Windows Vista and Windows Server 2008 are installed.
Manifestation
Applications that use Internet Explorer 7 will not be able to write directly to disk while in the Internet or Intranet zone.
Applications might not know how to handle new prompts.
Protected Mode builds on the new integrity mechanism to restrict write access to securable objects such as processes, files, and registry keys with higher integrity levels. When run in Protected Mode, Internet Explorer is a low-integrity process. It cannot gain write access to files and registry keys in a user's profile or system locations.
Low-integrity processes can write only to folders, files, and registry keys that have been assigned a low-integrity mandatory label. As a result, Internet Explorer and its extensions run in Protected Mode, which means that they can write only to low-integrity locations, such as the new low-integrity Temporary Internet Files folder, the History folder, the Cookies folder, the Favorites folder, and the Windows Temporary Files folder.
Furthermore, the Protected Mode process will run with a low desktop integrity level when Windows Vista and Windows Server 2008 ship, which will prevent Protected Mode from sending specific window messages to higher-integrity processes.
By preventing unauthorized access to sensitive areas of a user's system, Protected Mode limits the amount of damage that can be caused by a compromised Internet Explorer process or malware. An attacker cannot, for example, silently install a keystroke logger to the user's Startup folder. Likewise, a compromised process cannot manipulate applications on the desktop through window messages.
Of course, these defenses also block legitimate writes by extensions to locations at higher integrity levels (ILs). Protected Mode therefore provides a compatibility architecture that reduces the impact on existing extensions, as shown in the following figure.
A compatibility layer handles the needs of many existing extensions. It intercepts attempts to write to medium-integrity resources, such as the My Documents folder in the user profile and the HKEY_CURRENT_USER registry hive. The compatibility layer uses a generic Windows compatibility fix to automatically redirect these operations to the following low-integrity locations:
- %userprofile%\Local Settings\Temporary Internet Files\Virtualized
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\InternetRegistry
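The following PowerShell script is an added example, not code from the original article or from Microsoft. It shows how an administrator can verify the integrity mechanism described above: it reads the mandatory integrity label that icacls.exe reports for the virtualized file location listed above, plus an assumed second low-integrity location (%LOCALAPPDATA%\Temp\Low), and then lists any keys that the compatibility layer has redirected into the virtualized registry location. It assumes icacls.exe (Windows Vista and later) and the IE7-era per-user layout; the function name Get-MandatoryLabel is the example's own.

```powershell
# Added example (not from the original article). Audits the low-integrity
# locations that Protected Mode and its compatibility layer write to.
# Assumptions: icacls.exe is available; the second path below is an assumed
# example location and may differ on your build.

function Get-MandatoryLabel {
    param([Parameter(Mandatory = $true)][string]$Path)
    # icacls prints an explicit integrity label, when one is set, as
    #   Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)
    # An object that carries no label is treated by the OS as Medium.
    if (-not (Test-Path -LiteralPath $Path)) {
        return New-Object PSObject -Property @{ Path = $Path; Label = 'Missing'; Flags = '' }
    }
    $text = (& icacls.exe $Path 2>&1) -join "`n"
    if ($text -match 'Mandatory Label\\(\w+) Mandatory Level:(\S*)') {
        return New-Object PSObject -Property @{ Path = $Path; Label = $Matches[1]; Flags = $Matches[2] }
    }
    New-Object PSObject -Property @{ Path = $Path; Label = 'Medium (implicit)'; Flags = '' }
}

$locations = @(
    # Location named in the article (reached through the Local Settings junction on Vista)
    (Join-Path $env:USERPROFILE 'Local Settings\Temporary Internet Files\Virtualized'),
    # Assumed additional low-integrity location used by Protected Mode for temp files
    (Join-Path $env:LOCALAPPDATA 'Temp\Low')
)

foreach ($p in $locations) {
    $r = Get-MandatoryLabel -Path $p
    # Anything other than an explicit Low label means a low-integrity IE
    # process cannot write there, which is exactly the failure the article
    # describes under "Manifestation".
    $status = if ($r.Label -eq 'Low') { 'OK' } else { 'CHECK' }
    "{0,-6} {1,-18} {2,-12} {3}" -f $status, $r.Label, $r.Flags, $r.Path
}

# Registry side of the compatibility layer: every subkey found here is a
# write that an extension attempted against HKEY_CURRENT_USER and that the
# compatibility fix redirected instead of allowing or failing outright.
$virtualizedHive = 'HKCU:\Software\Microsoft\Internet Explorer\InternetRegistry'
if (Test-Path -Path $virtualizedHive) {
    Get-ChildItem -Path $virtualizedHive -Recurse |
        Select-Object -ExpandProperty PSPath
} else {
    "No virtualized registry writes recorded under $virtualizedHive"
}
```

Run the script from a normal (non-elevated) PowerShell session as the user whose profile you are checking. A "CHECK" line for the Virtualized folder means writes from a Protected Mode process to that location will fail and the compatibility layer cannot redirect into it; the redirected registry keys are a convenient inventory of which extensions are still trying to write to HKEY_CURRENT_USER and therefore need to be updated as described under "Remedies".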
Two higher-privilege broker processes allow Internet Explorer and extensions to perform elevated operations given user consent. For example, the user privilege broker (IEUser.exe) process provides a set of functions that let the user save files to areas outside of low-integrity areas. In addition, an administrator privilege broker (IEInstal.exe) process allows Internet Explorer to install ActiveX controls.
Remedies
Quick solution:
- Add the site in question to the trusted-sites list.
- Turn off Protected Mode (not recommended).
Compatibility test:
- Apply the quick solution and ensure that the application can perform the dependent functions as in Windows XP Service Pack 2.
Leverage Windows Vista and Windows Server 2008 capability:
- Change the application to handle Protected Mode, including any related prompts that might be displayed.
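Both quick solutions change per-user registry settings that an administrator will later want to find again: turning Protected Mode off changes a zone's setting, and adding a site to Trusted sites moves that site into a zone where Protected Mode is off by default. The following PowerShell script is an added example, not code from the original article or from Microsoft. It reports the Protected Mode setting of each Internet Explorer security zone (the zone value named 2500, where 0 means on and 3 means off) and lists every host that has been mapped into the Trusted sites zone. It assumes the IE7-era per-user layout under HKEY_CURRENT_USER; the function names Get-ProtectedModeState and Get-TrustedSites are the example's own.

```powershell
# Added example (not from the original article). Shows which zones have
# Protected Mode turned off and which sites have been added to Trusted sites.
# Assumes settings are held per user under HKCU (not locked to HKLM by policy).

$zonesRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneNames = @{
    '0' = 'My Computer'; '1' = 'Local intranet'; '2' = 'Trusted sites'
    '3' = 'Internet';    '4' = 'Restricted sites'
}

function Get-ProtectedModeState {
    foreach ($id in '0', '1', '2', '3', '4') {
        $props = Get-ItemProperty -Path (Join-Path $zonesRoot $id) -ErrorAction SilentlyContinue
        # Value "2500" holds the zone's Protected Mode flag: 0 = on, 3 = off.
        $raw = $null
        if ($props -and $props.PSObject.Properties['2500']) { $raw = $props.'2500' }
        if ($raw -eq $null)  { $state = 'Not set' }
        elseif ($raw -eq 0)  { $state = 'On' }
        elseif ($raw -eq 3)  { $state = 'Off' }
        else                 { $state = "Unknown ($raw)" }
        New-Object PSObject -Property @{ Zone = $zoneNames[$id]; ProtectedMode = $state }
    }
}

function Get-TrustedSites {
    # Sites are stored as nested keys, Domains\example.com\www, with a value
    # per scheme (http, https, or * for all) whose data is the zone number.
    $domains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    if (-not (Test-Path -Path $domains)) { return }
    Get-ChildItem -Path $domains -Recurse | ForEach-Object {
        $key = $_
        foreach ($scheme in $key.GetValueNames()) {
            $zone = $key.GetValue($scheme)
            if ($zone -eq 2) {
                # Rebuild the host name from the key path: example.com\www -> www.example.com
                $relative = $key.Name.Substring($key.Name.IndexOf('Domains\') + 8)
                $parts = $relative -split '\\'
                [array]::Reverse($parts)
                New-Object PSObject -Property @{
                    Site = ($parts -join '.'); Scheme = $scheme; Zone = $zoneNames["$zone"]
                }
            }
        }
    }
}

Get-ProtectedModeState | Format-Table Zone, ProtectedMode -AutoSize
Get-TrustedSites       | Format-Table Site, Scheme, Zone -AutoSize
```

An "Off" entry for the Internet or Local intranet zone corresponds to the second quick solution, which the article does not recommend, and each Trusted sites entry is a host for which the first quick solution has been applied. The script reads the per-user keys only; when the Security_HKLM_only policy is in force the same values live under HKEY_LOCAL_MACHINE instead, and IP-address ranges mapped through ZoneMap\Ranges are not enumerated here.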
Links to Other Resources
Security and Compatibility in Internet Explorer 7
Understanding and Working in Protected Mode Internet Explorer
Internet Explorer Developer Center