Security Considerations: URL Security Zones API

This topic provides information about security considerations related to the URL security zones API. This topic doesn't provide all you need to know about security issues—instead, use it as a starting point and reference for this technology area.

  • Using the Default Implementation
  • Security Alerts
  • Related topics

Using the Default Implementation

It is important that your custom security manager only process input that is both valid and specific to your application. This could include URLs with custom protocols, additional pieces of information not considered by the default manager, or custom URL actions that you wish to process. All other input should be handled by the default security manager by returning INET_E_DEFAULT_ACTION from the method you are implementing. Failure to defer to the default security manager may introduce security holes into your application by allowing invalid input to result in a successful method call.

For applications relying on the default security manager, it is important to make use of methods that generate secure information. Do not attempt to create your own security IDs or URLs based on the information you find in the security zone documentation. If your application generates or processes information independently of the default methods, it is possible to introduce subtle differences that can cause a URL to be placed into the wrong security zone.

Security Alerts

The following table lists features that, if used incorrectly, can compromise the security of your applications.

| Feature documentation | Alert |
|---|---|
| About URL Security Zones Templates, About URL Security Zones | Setting the registry keys HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones or HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones incorrectly can compromise the security of your application. The values for these registry keys have been determined to be a safe default. By adjusting these values you may put users at risk of an elevation of privilege attack. |
| About URL Security Zones | Implementing IInternetSecurityManager methods incorrectly can compromise the security of your application. Any methods or URL actions that the customized security manager wants the default security manager to act on should return INET_E_DEFAULT_ACTION. If a method does not override default behavior and returns an HRESULT indicating success, the action is unhandled and can put users at risk of an elevation of privilege attack. |
| About URL Security Zones, IInternetHostSecurityManager::ProcessUrlAction | Using IInternetHostSecurityManager::ProcessUrlAction incorrectly can compromise the security of your application. Upon a return value indicating S_FALSE or any error, your component should assume that the URL action is not allowed under the current policy. If your component performs an action after receiving an error, users may be at risk of an elevation of privilege attack. |
| IInternetHostSecurityManager::GetSecurityId | Failure to use this method to obtain a security ID can compromise the security of your application. The formation of IDs should be handled by the default implementation when possible. If you generate your own security ID there may be slight differences from IDs generated by IInternetHostSecurityManager::GetSecurityId which may be exploitable by an attacker. |
| IInternetSecurityManager::GetSecurityId | Implementing this method incorrectly can compromise the security of your application. A custom implementation of IInternetSecurityManager::GetSecurityId should only generate IDs for hosts which cannot be handled by the default implementation. For all other hosts, this method should return INET_E_DEFAULT_ACTION. Attempting to duplicate the default implementation may result in the creation of IDs that are less secure and are susceptible to a spoofing attack. |
| IInternetSecurityManager::MapUrlToZone | Implementing this method incorrectly can compromise the security of your application. A custom implementation of IInternetSecurityManager::MapUrlToZone should only return zones for URLs which cannot or should not be handled by the default implementation. For all other URLs, this method should return INET_E_DEFAULT_ACTION. Attempting to duplicate the default implementation may result in the incorrect mapping of zones and possibly leave users susceptible to spoofing or elevation of privilege attacks. |
| IInternetSecurityManager::ProcessUrlAction | Implementing this method incorrectly can compromise the security of your application. A custom implementation of IInternetSecurityManager::ProcessUrlAction should only process URL actions which cannot or should not be handled by the default implementation. For all other URL actions, this method should return INET_E_DEFAULT_ACTION. Attempting to duplicate the default implementation may result in the incorrect processing of URL actions and possibly leave users susceptible to elevation of privilege attacks. |
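The following is an added example, not code from the Microsoft documentation, that models the two rules above in compilable C++: a custom MapUrlToZone-style override that handles only a hypothetical application scheme ("myapp:") and returns INET_E_DEFAULT_ACTION for everything else (the "Using the Default Implementation" guidance), shown beside the insecure variant that reports success for input it does not understand; and the caller-side check from the IInternetHostSecurityManager::ProcessUrlAction row, which treats S_FALSE and every error HRESULT as "not allowed". The HRESULT, zone and error constants are defined inline so the code builds without Windows headers; their values mirror the ones in urlmon.h and winerror.h, and a real COM implementation would include those headers and implement the interface methods instead of these free functions.

```cpp
// Added example (not from the Microsoft documentation): a minimal model of a
// custom security manager that handles only its own "myapp:" scheme and defers
// everything else to the default security manager with INET_E_DEFAULT_ACTION,
// plus the caller-side check that treats S_FALSE and any error as "denied".
// The constants below mirror the values in urlmon.h / winerror.h so the code
// compiles without Windows headers; a real implementation includes them.
#include <cstdint>
#include <string>

typedef int32_t HRESULT;
const HRESULT S_OK                  = 0x00000000;
const HRESULT S_FALSE               = 0x00000001;
const HRESULT E_INVALIDARG          = static_cast<HRESULT>(0x80070057);
const HRESULT INET_E_DEFAULT_ACTION = static_cast<HRESULT>(0x800C0011);

typedef uint32_t DWORD;
const DWORD URLZONE_TRUSTED  = 2;   // "Trusted sites" zone value from urlmon.h
const DWORD URLZONE_INTERNET = 3;   // "Internet" zone value from urlmon.h

// Hypothetical application-defined scheme; anything else is the default
// security manager's job.
static const std::string kAppScheme = "myapp:";

static bool HasAppScheme(const std::string& url) {
    return url.size() >= kAppScheme.size() &&
           url.compare(0, kAppScheme.size(), kAppScheme) == 0;
}

// INSECURE override: it reports success for every input it was not written to
// understand, so the default manager never runs and unknown or malformed URLs
// are mapped by a guess instead of by the default policy.
HRESULT MapUrlToZone_Insecure(const std::string& url, DWORD* zone) {
    if (HasAppScheme(url)) { *zone = URLZONE_TRUSTED; return S_OK; }
    *zone = URLZONE_INTERNET;   // guessed zone for input we do not own: the bug
    return S_OK;
}

// Hardened override: handle only the application's own scheme, validate it,
// and return INET_E_DEFAULT_ACTION for everything else so the default
// security manager performs the real zone mapping.
HRESULT MapUrlToZone_Custom(const std::string& url, DWORD* zone) {
    if (zone == nullptr) return E_INVALIDARG;
    if (!HasAppScheme(url)) return INET_E_DEFAULT_ACTION;   // not ours: defer
    // A bare "myapp:" with no path is not valid for this application; defer
    // rather than turning invalid input into a successful mapping.
    if (url.size() == kAppScheme.size()) return INET_E_DEFAULT_ACTION;
    *zone = URLZONE_TRUSTED;
    return S_OK;
}

// Caller side (ProcessUrlAction row): an action is permitted only on S_OK.
// S_FALSE and every failure HRESULT mean "not allowed under current policy".
bool IsUrlActionAllowed(HRESULT hr) {
    return hr == S_OK;
}
```

Note that the hardened override never writes to the zone output when it defers, so the caller can distinguish "mapped by the custom manager" from "handed to the default manager", and that IsUrlActionAllowed deliberately does not use the SUCCEEDED macro, because S_FALSE is a success code that still means the action is denied.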

Related topics

Security Best Practices