Internet Explorer Network Protocol Lockdown
Applies To: Windows 7, Windows Server 2003 with SP1, Windows Vista, Windows XP
Note
The Microsoft Windows Server 2003 Internet Explorer Enhanced Security Configuration component (also known as Microsoft Internet Explorer hardening) reduces a server’s vulnerability to attacks from Web content by applying more restrictive Internet Explorer security settings that disable scripts, ActiveX components, and file downloads for resources in the Internet security zone. As a result, many of the security enhancements included in the latest release of Internet Explorer will not be as noticeable in Windows Server 2003 Service Pack 1. For example, the new Internet Explorer Notification Bar and Pop-up Blocker features will not be used unless the site is in a zone whose security setting allows scripting. If you are not using the enhanced security configuration on your server, these features will function as they do in Windows XP Service Pack 2.
What Does Network Protocol Lockdown Do?
Internet Explorer can be configured to lock down HTML content from particular network protocols in additional zones besides the Local Machine zone. This feature allows an administrator to extend the same restrictions of the Local Machine Zone Lockdown (which is described previously in this document) to be applied to any content on any arbitrary protocol in any security zone. For example, an administrator can configure Internet Explorer to lock down HTML content hosted on the Shell: protocol if it is in the Internet zone. Since the Shell: protocol’s most common use is for local content and not Internet content, this mitigation can reduce the attack surface of the browser against possible vulnerabilities in protocols less commonly used than HTTP.
Who does this feature apply to?
By default, Network Protocol Lockdown is not enabled for any application.
All application developers should review this feature. Applications that host HTML files over non-HTTP protocols in Internet Explorer may be affected in organizations where administrators elect to apply additional restrictions. Developers of standalone applications that host Internet Explorer might want to modify their applications to make use of Network Protocol Lockdown.
Developers who choose to opt in to Network Protocol Lockdown should register their applications to take advantage of the changes. Developers of applications that do not use this mitigation should independently review those applications for their handling of arbitrary protocols.
Software developers with applications that host Internet Explorer can use this feature by adding their process name to the registry as described later in this document. In the future, Microsoft might implement this feature with certain uncommonly used protocols restricted by default and with an "opt-out" policy for applications rather than the current "opt-in" policy for applications. Applications that host Internet Explorer should be tested to ensure that they function properly with Network Protocol Lockdown enabled for their process.
Network Administrators should consider adding unused protocols to the restricted protocol list on managed desktop machines. If the network administrator enables this restriction, there may be HTML files that will be affected.
Developers of Web sites that are hosted on the HTTP protocol should not be affected by restrictions to other protocols.
Users are most likely to be affected by these more stringent restrictions if their Network Administrator has chosen to restrict certain protocols for their desktops.
What existing functionality is changing in Windows Server 2003 Service Pack 1?
Changes to security settings for restricted protocols
Detailed description
With Windows Server 2003 Service Pack 1, HTML content in an application that has "opted in" to use the Network Protocol Lockdown feature that is served on one of the restricted protocols will be restricted to run at a higher security level. Any time the restricted protocol content attempts to use a restricted feature, such as ActiveX controls, the Information Bar will appear in Internet Explorer with the following text (text may be different for other blocked URL actions):
Internet Explorer has blocked this site from using an ActiveX control in an unsafe manner. As a result this page may not display correctly.
The user can click the Information Bar to remove the lockdown from the restricted content. The change in setting using the Information Bar is per session only, unless the policies are changed in the registry.
The security settings that are locked down for the content on the restricted protocols are the same as the settings enforced for the Local Machine zone lockdown, which is described earlier in this document. Please consult that section to review exactly which security settings are enforced for the content on the restricted protocols.
Restricted protocols feature is off by default for Internet Explorer and all applications
Detailed description
The behavior of the Network Protocol Lockdown is controlled per process by a new Internet Explorer Feature Control setting. Since this feature is designed to provide an additional layer of defense-in-depth for network administrators, the default Internet Explorer processes, IExplore.exe and Explorer.exe, are not opted in by default. To opt in to the Network Protocol Lockdown, network administrators or developers should add a DWORD at either of the following locations, where the name is their process name and the value is set to 1, so that the mitigation applies to that process. To forcibly opt out, set the value to 0. If the administrator decides to put the setting under the Policies hive, set a REG_SZ instead of a DWORD.
HKEY_LOCAL_MACHINE\Software\(Policies)\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN
HKEY_CURRENT_USER\Software\(Policies)\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN
Applications may want to proactively opt out to prevent the mitigation from being applied to them when a wildcard is used to force the mitigation into Opt-out mode.
Behavior per-zone when an application has opted in
For an opted in process, the behavior of the Network Protocol Lockdown is also controlled per zone by a new Internet Explorer security setting or URL action called URLACTION_ALLOW_RESTRICTEDPROTOCOLS. This URL action will be set to the following values.
Security Zone | Default behavior for restricted protocols | Example user situation |
---|---|---|
Restricted Sites Zone | Disallow | Since ActiveX is never allowed in the Restricted Sites zone by default, the Information Bar is not shown when a restricted protocol is encountered. The Information Bar might be shown in the case where a URL action that was previously allowed in the Restricted Sites zone is now disallowed under network protocol lockdown. In this case, the user will NOT be able to click the Information Bar to allow the action. |
Internet Zone | Prompt | If the administrator locks down the file:// protocol, HTML that uses script over the file:// protocol is restricted, but users can click the Information Bar to allow it. |
Intranet Zone | Prompt | If the administrator locks down the local:// protocol, HTML that uses Java over the local:// protocol is restricted, but users can click the Information Bar to allow it. |
Trusted Sites Zone | Prompt | If the administrator locks down the Shell:// protocol, HTML that uses Binary Behaviors over the Shell:// protocol is restricted, but users can click the Information Bar to allow it. |
Local Machine Zone | Prompt | If local machine lockdown is enabled, its settings will supersede those established by network protocol lockdown settings. |
Per-Zone Protocol Lock Down
The list of protocols that are restricted is defined separately for each zone to allow some protocols to be locked down in some zones but run without restrictions in other zones. Protocols can be restricted for a given zone by writing the protocol name to the restricted list for a particular security zone.
Security Zone | Registry location of the list of restricted protocols for each zone | Security settings applied to restricted protocol content |
---|---|---|
Restricted Sites Zone | HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER\Software\(Policies)\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\4 | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 |
Internet Zone | HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER\Software\(Policies)\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\3 | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 |
Intranet Zone | HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER\Software\(Policies)\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\2 | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2 |
Trusted Sites Zone | HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER\Software\(Policies)\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\1 | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 |
Local Machine Zone | HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER\Software\(Policies)\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\0 | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 |
Protocols to consider for lock down
The default list of restricted protocols is blank. Network administrators should add additional protocols to the lockdown that they know are not needed in their organization for a particular zone. Network administrators should consider restricting some of the following default Windows protocols on managed desktop machines and other protocols that are not needed for rendering HTML with active content in the organization.
local://
file://
shell://
hcp://
ftp://
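As an added example (not part of the original document), the following PowerShell applies the per-process opt-in entry, the per-zone restricted-protocol lists and the candidate protocols described above, and reads the lists back for auditing. The function names are mine; the value layout inside RestrictedProtocols\<zone> (a REG_SZ named after the bare protocol) is an assumption the page does not state.

```powershell
# Added example, not from the original document. Function names are mine;
# assumptions are marked inline. Run from an elevated session when writing under HKLM.
function Get-NplBase {
    param([ValidateSet('HKLM','HKCU')][string]$Hive, [switch]$Policy)
    # The page writes the path as \Software\(Policies)\... : the Policies segment is optional.
    if ($Policy) { "${Hive}:\Software\Policies" } else { "${Hive}:\Software" }
}
function Enable-ProtocolLockdown {
    # Opt a process in (1) or forcibly out (0) of FEATURE_PROTOCOL_LOCKDOWN.
    param([Parameter(Mandatory)][string]$ProcessName, [ValidateSet(0,1)][int]$Value = 1,
          [ValidateSet('HKLM','HKCU')][string]$Hive = 'HKLM', [switch]$Policy)
    $key = Join-Path (Get-NplBase $Hive -Policy:$Policy) 'Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Page rule: REG_SZ under the Policies hive, DWORD otherwise.
    $type = if ($Policy) { 'String' } else { 'DWord' }
    New-ItemProperty -Path $key -Name $ProcessName -Value $Value -PropertyType $type -Force | Out-Null
}
function Add-RestrictedProtocol {
    # Zone numbers follow the page's table: 0 Local Machine, 1 Trusted, 2 Intranet, 3 Internet, 4 Restricted.
    param([Parameter(Mandatory)][string]$Protocol, [Parameter(Mandatory)][ValidateRange(0,4)][int]$Zone,
          [ValidateSet('HKLM','HKCU')][string]$Hive = 'HKLM', [switch]$Policy)
    $key = Join-Path (Get-NplBase $Hive -Policy:$Policy) "Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\$Zone"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # ASSUMPTION: the page does not give the value layout. This writes a REG_SZ whose name and data
    # are both the bare protocol name (no "://"); verify against what your Group Policy editor writes.
    $name = $Protocol -replace '://$', ''
    New-ItemProperty -Path $key -Name $name -Value $name -PropertyType String -Force | Out-Null
}
function Get-RestrictedProtocol {
    # Audit: list the restricted protocols for a zone from every location the page names.
    param([Parameter(Mandatory)][ValidateRange(0,4)][int]$Zone)
    foreach ($hive in 'HKLM','HKCU') {
        foreach ($pol in $false, $true) {
            $key = Join-Path (Get-NplBase $hive -Policy:$pol) "Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\$Zone"
            if (Test-Path $key) {
                foreach ($p in (Get-Item $key).Property) { [pscustomobject]@{ Key = $key; Protocol = $p } }
            }
        }
    }
}
# Opt iexplore.exe in (DWORD = 1 under HKLM\Software) and restrict shell: and hcp: in the Internet zone (3).
Enable-ProtocolLockdown -ProcessName 'iexplore.exe'
Add-RestrictedProtocol -Protocol 'shell' -Zone 3
Add-RestrictedProtocol -Protocol 'hcp' -Zone 3
Get-RestrictedProtocol -Zone 3
```

Pass -Policy to write the Policies paths instead, which switches the Feature Control value to REG_SZ as the page requires.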
Why is this change important?
This change provides general defense-in-depth against vulnerabilities in less frequently used protocols. For example, an ActiveX control running under the local:// protocol might assume that it is loaded in the Local Machine zone and it may grant elevated privilege to the hosting page.
What works differently?
If a Web page served on a protocol that is restricted for a given zone uses any restricted content, such as ActiveX, Internet Explorer will display the Information Bar, as previously described.
How do I resolve these issues?
If your Web page needs to run ActiveX or scripting on a protocol that should be restricted for your intranet, you might allow the HTML to render correctly by moving the domain for that HTML to the Trusted Sites zone on the managed desktop machines. As a long-term solution, you can look for ways to move the content off the restricted protocol or, if that is not possible, you might remove the active content from the restricted protocol pages entirely by performing the needed computations on the server using a server-side script such as an Active Server Page.
Do I need to change my code to work with Windows Server 2003 Service Pack 1?
Since this feature is off by default, you will probably not need to change your HTML content unless it runs over a protocol that is restricted by a network administrator for your organization.