Mark of the Web
With the Local Machine Zone Lockdown introduced in Windows XP SP2 an HTML file on your hard drive will no longer be able to run script and active content without user permissions being granted through the information bar and an additional prompt. This is part of the work to ensure that if you do get bad content on your machine it cannot run with elevated privileges and do nefarious things. Users should exercise caution whenever the information bar appears and be sure that this is really content they wish to allow before doing so.
One of the ways for legitimate content to work when on the local machine is for the content to include what is known as the Mark of the Web (MOTW) in the page. Once included this will allow such content to run from the local drive. I’ve seen a little confusion as to what the MOTW actually does so we’ve improved the documentation on this on MSDN. In short the MOTW in a page allows the content to run as if from the Internet zone. So the script and active content will have the same privileges as if you were viewing it from a website and not be able to run with elevated access to machine resources.
Thanks
-Dave
Comments
- Anonymous
January 01, 2003
The comment has been removed - Anonymous
January 01, 2003
This blog is getting better recently. - Anonymous
January 01, 2003
The comment has been removed - Anonymous
January 01, 2003
The comment has been removed - Anonymous
January 01, 2003
I think you've missed that MOTW can only effectively get Internet zone permissions. Previously the same attack would have gotten Trusted zone permissions - Anonymous
January 01, 2003
The comment has been removed - Anonymous
January 01, 2003
The improved documentation is much appreciated! - Anonymous
January 01, 2003
#$%#@# MSDN blocks my Opera 8 if I don't spoof User-Agent. - Anonymous
January 01, 2003
Alt-Shift-Dave, I think the problem is complexity. I don't really know what "MK Protocol Security Restriction" or "Binary Behavior Security Restriction" are. So I disabled both, but apparently the latter is needed for MSDN (took me months to accidentally discovered that one). Should I know this somehow? Maybe I'm just not reading enough documentation, but I do think that there are just way too many security settings. It's very unclear just how safe my settings are.
The different zones are okay, I guess; the problem is that all these settings for each zone. - Anonymous
January 01, 2003
anon, isn't that the point of Zones though? i.e. there are far too many security options for average users to understand so you just group them into sensible defaults (Internet, Intranet, Restricted and Trusted) to simplify the whole process whilst leaving advanced settings there for those that do need/understand them. The alternative would just be a list of those settings, which to me seems a far worse scenario.
I never quite understood the point of the Mark of the Web option though. Wouldn't it have just been easier to make the Local Machine Zone equivalent to the Internet Zone and be done with it. Or is there something subtle I'm missing? - Anonymous
January 01, 2003
This is a good post. I was vaguely aware of this "feature" and it is good to have it pointed out. This is the kind of thing we want from the IE blog. Keep it up!
(That doesn't mean that I think using SGML comments to disable a security feature is a good idea btw.) - Anonymous
January 01, 2003
The comment has been removed - Anonymous
January 01, 2003
Many of you are commenting on something I have been thinking about for a long time which is IE's zone approach to security.
The biggest problem I have seen with Security in IE is how people do NOT use the security zones. I have seen many, many computers where the end user goes into security and changes the Internet Zone to its lowest levels then whines about all the spyware/adware/crapware.
James - Anonymous
January 01, 2003
James, Andy, I guess what I'm trying to say is that there are still too many security options, and dividing them into zones doesn't help since people are still left wondering if a particular option is safe for Local zone, but maybe not Internet zone. Setting everything to the lowest level may be a result of frustration from not knowing what options should be set to what to get some pages to work (as in my case with MSDN library). - Anonymous
January 01, 2003
Anon,
I think you bring up a valid point that some of the security options need better explanation and we will work on that.
If someone does not understand the decision they are making when altering security settings I'd recommend they do not make any change at all.
We offer a great deal of flexibility in the settings for Internet Explorer but recommend that users adopt the default settings if they are not confident of a change. We work hard to ensure that the defautl setings are secure.
It's always a trade off of giving advanced users flexibility while not confusing the less technically savvy.
I'll definitely take the feedback that we need to improve documentation in this area though.
Thanks
-Dave - Anonymous
January 01, 2003
Dave:
Maybe add a section to the Security Center that checks if your IE settings are unreasonably low? With a one-click mechanism to tighten them to their defaults? - Anonymous
January 01, 2003
The model is backwards. Content on the desktop should always be assumed to run with the same credentials as a website.
If the content tries to do something that goes beyond the rights of a website then show the information bar and let the user make a decision. This way all local pages are assumed to have the "mark of the web" untill they try to do something beyond this zone.
This would give the same behavior as you have today but you wouldn't need this extra comment tag to prevent the info-bar from showing.
For me the new behavior in SP2 is an app-compatibility issue. My existing web pages that ran fine on the desktop now show an information-bar even though the app does not do anything bad. Currently a simple page-to-page fade causes the bar to show. - Anonymous
January 01, 2003
One of the new things I'd like to see in IE, is new error pages. For example the ones in Firefox. The year 1998 is way over and we need to move on to a better design of error handling. How about it? - Anonymous
January 01, 2003
anon,
I see your point and it is well made. Unfortunately what we are talking about is a trade off. The reason all those options are there is because someone asked for them. Take one option away to make things simpler and there will be a thousand "anti-anon" people complaining about not enough options.
I fully agree with the better documentation.
James - Anonymous
January 01, 2003
The comment has been removed - Anonymous
January 01, 2003
I think the powers that be inside MS need to stop the IE team from trying to invent all these new off the wall security models.
Just about every single Windows application where security is paramount all allow the user to run the app using a non-priveledged user account with minimal hassle. IE should too. - Anonymous
January 01, 2003
Steve: The error pages in Firefox are not enabled by default yet as there was still a few bugs to iron out, however they should be in version 1.1 at the moment Firefox uses Netscape style error dialogs instead.
But I do agree at what Steve is getting at, all IE error pages look the same to the casual user and you can only find out the real problem by scrolling to the bottom of the page. This means to the average user a 404 (page not found) error would look the same as an error that says they can't connect to the server which results in a call to support saying "My internet is down". A 404 should really just show the server supplied error page at all times anyway - currently IE only does this is it's over a certain length, which is why Apache 2 and above increased the length of their default error pages.
Greg: I agree that this is backwards, Internet privs should be assumed and elevation blocked until user gives permission. - Anonymous
January 01, 2003
The comment has been removed - Anonymous
January 01, 2003
The fact Internet Explorer is set up with a more restrictive setting than the internet is obviously absurd.
If something is on your local zone, it should be at least as trusted as the internet. Think about it: it's your local machine! You're able to run a random .exe from the hard drive, but you're not allowed to run some javascript or view an xml file? This was obviously some panic reaction from the security team, regarding some attacks using the local machine zone (instead of solving the fact the attacks got access to the local machine zone!)
If it is possible to use SGML comments to elevate a web page from local machine zone to the internet zone, what's the point of the security model then? If any malicious user can simply place himself outside the imposed security model, the whole point of it is gone. Also, users would have to theoretically know the source of a .html page before knowing if it will be run is a "safe" enviroment instead of a "insecure" internet enviroment, which is exactly not the point of the whole security zone model. - Anonymous
January 01, 2003
Dave Massy (same as Dave?),
Great to hear there's some work being done on the documentation side. Specifically, it'd be nice to have some information on whether or not something is safe to enable, not just what it does. - Anonymous
January 01, 2003
A great marker!
However, after adding the MOTW,
var xslProc = xslt.createProcessor();
xslProc.input = xslDoc;
fails. It won't read XML from the local drive. If read from internet site, gets the cross domain warning.
BTW, people who says Local Zone should be more trusted than Internet should probably rethink. The IE developers probably used to think that it should be like this, until they learnt it the hard way. - Anonymous
January 01, 2003
It seems strange to lock down the local zone even more than the internet zone. Given that a local page can just "elevate" its priviliges to the internet zone, why dont they just treat all local content as if it comes from the internet zone.
ie. starting safe activex objects cannot be done in the local zone, but can be done in the internet zone. Seems pretty pointless with this MOTW capability to completely avoid this safety feature. - Anonymous
January 01, 2003
shane, that's the puzzlement I had up above. All I could figure is that some of the exploits they were trying to stop could not inject a MOTW but would (attempt to) run ActiveX for example.
Jonathan: "Maybe add a section to the Security Center that checks if your IE settings are unreasonably low?"
Here's another vote for that idea. The Internet zone should not be set to accept unsigned ActiveX, or to install ActiveX without prompts. SC could check for that and warn just like it does for firewall or AV. - Anonymous
January 01, 2003
There does seem to be a some continued confusion around the LMZ lockdown. I do encourage people to read both the article on MOTW we pointed to as well as the resources on the changes in SP2 at http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2brows.mspx which discussed teh LMZ lockdown amongst other things.
We'll also be taking a look to see if we can make any further improvements to documentation to minimise confusion.
We took the step of locking down all content from the local machine rather than defaulting to internet zone secruity for local content. This allows a user to still intervene through the information bar to run with elevated privelages if they wish. Had we defaulted to simply running content in the internet zone some legitimate content that required elevated privelages might not be able to function at all or even more confusingly only partially run due to the different zone settings.
There are certainly different approaches to this but we believe we got the balance about right in Windows XP SP2. Our work there considered both defense in depth and minimising the surface area for attack. So that even if a bad person managed to get content onto your machine then loading that content into the browser can do no harm.
Thanks
-Dave - Anonymous
January 01, 2003
@Dave: Ah yes, I understand now. This method effectively gives the user the opportunity to run potentially unsafe content if they wish. Although it is admittedly strange that content that runs fine on the web suddenly has security issues when run locally. Which is what this MOTW is all about overcoming I guess :) - Anonymous
January 01, 2003
MOTW for IntranetZone :<
<!-- saved from url=(0017)http://localhost/ --> - Anonymous
January 01, 2003
Nice to find this just as I'm finally trying to use MOTW. What I'd like to see is an option to Always trust a particular local page so I don't have to go add these by hand to local Web pages but I'm not turning of local security in a blanket way. I run the wonderful DQSD search bar on all my PCs and I'd like to say just the once 'yes, I know this one piece of local content is safe' instead of getting the warning every time I start up my PC. I hope I'll get MOTW working - but I don't think all my readers should have to get their heads around it too. - Anonymous
January 01, 2003
ah, that's disappointing. Adding MOTW to the local HTML page that is in the toolbar stops the initial warning but causes the pop-up calendar and help pages to break irretrievably (they're fine if I click OK to the Active Content prompt and unblock by hand). Sadly the only option I can find (http://www.dqsd.net/sp2.htm) involves disabling more security than I'm comfortable with. What kind of workaround might you suggest for cases like this? thanks! - Anonymous
January 01, 2003
The comment has been removed - Anonymous
January 01, 2003
Never thought I'd use this tag.
But I just did. This blog is becoming a useful resource! - Anonymous
January 01, 2003
The comment has been removed - Anonymous
January 01, 2003
The current scheme in SP2 is that by default all web pages are very locked down but you can optionally make them completely unrestricted using the information bar.
The default is completely useless as it will not display most pages thereby forcing you to use the information bar to give you elevated privileges which is plain dangerous. To save clicking on the information bar every time I have had to resort to selecting "Allow active content to run in files on my computer" in Internet Options which is even more dangerous.
What should happen is that pages are displayed with the same security as pages on the internet meaning that you would not usually have to give them any further privileges. The information bar should then allow you to run the page with higher pviraledges (with a big warning) if necessary (and it would not normally be necessary).
It would be Even better if there was a separate zone for local computer which defaulted to the same level as the internet zone, allowing you to customize it yourself.
You could then get rid of the "Allow active content to run in files on my computer" option. - Anonymous
January 01, 2003
Than last post was a different Jonathan to the other posts! - Anonymous
January 01, 2003
The comment has been removed - Anonymous
January 01, 2003
The documentation certainly is more clear but WHAT ARE THE NUMBERS? Is there any difference in using (0013) or (0014) or (0022) or (0025) I've seen all these numbers used in various places, and since I'm not an admin, if they are related to zone numbers, I've never seen those options anywhere. Please explain these numbers and what they do for you. - Anonymous
January 01, 2003
Hi Mike,
The numbers refer to the number of characters that follow. Nothing to do with security zones or anything magical :-)
Thanks
-Dave Massy [MSFT] - Anonymous
January 01, 2003
The comment has been removed - Anonymous
June 01, 2009
PingBack from http://paidsurveyshub.info/story.php?id=78427