Granting resource access to AppContainers

You can change the access control list (ACL) of a securable resource to allow access from the Internet Explorer AppContainer. However, because such changes affect the security profile of the user's device, you should grant access only after careful consideration and review.

Security considerations before granting access

ActiveX controls run within the IE process; as a result, add-ons require close integration (and cooperation) with the IE security model.

Web code running inside of the IE AppContainer is considered untrusted and thus could be potentially malicious. Add-ons run in the same security context as web content, so allowing data to be read and written across an AppContainer security boundary to support add-on functionality has security implications that you must consider carefully.

Use security best practices, such as threat modeling exercises and application of the Principle of Least Privilege, to design secure ActiveX controls.

Remember that the decision to grant access is a security decision, one that should be made only after careful review and deliberation. Here are a few things to think about when making this decision:

  • Does the resource contain any personally identifiable information (PII) about the user? If so, permission should not be granted without the user's knowledge and consent.
  • Can the AppContainer launch an informed attack against the system or other AppContainer processes by gaining access to the information secured by the resource? If so, then access should not be granted.
  • Can an AppContainer use resource access to disrupt services on the device? For example, can writing to the resource create a blocking operation? Is it possible to use this behavior to conduct a denial-of-service attack or a so-called "squatting" attack? If so, access should not be granted.
  • Are you assigning the least required access? If you're granting write access, for example, does the AppContainer really update the data?
  • When a process outside the AppContainer consumes data that an untrusted source produced (for example, data the AppContainer wrote to the resource), treat that data as untrusted and possibly malicious, and validate it before use.

Decisions regarding resource access are security decisions that can, in certain cases, lead to serious ramifications.

Granting resource access to AppContainers

Resources are secured by access control lists (ACLs) that describe the access that is allowed. To grant the IE AppContainer access to a resource, update the security descriptor (SD) associated with the resource:

  • Add an ACCESS_ALLOWED_ACE that grants access to the security identifier (SID) that identifies the IE AppContainer. In ACLs, the IE AppContainer is identified by the Internet Explorer capability SID, S-1-15-3-4096 (app package authority S-1-15, capability base RID 3, Internet Explorer capability RID 0x1000).
  • If you use SDDL, the ACE is "A;OICI;0x1200a9;;;S-1-15-3-4096": an allow ACE that child objects and containers inherit (OICI), granting access mask 0x1200a9 (FILE_GENERIC_READ | FILE_GENERIC_EXECUTE, that is, read and execute) to that SID.

You can use various tools to update the ACL, including:

  • The ACL user interface (ACL UI) on the object's Security property page.
  • The icacls.exe command-line utility.
  • The Set-Acl PowerShell cmdlet.
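The procedure above, carried out with the Set-Acl cmdlet, as an added example that is not part of the original page. It grants the IE AppContainer read-and-execute access to a sample folder (the folder path is a constructed assumption), adds the ACE to the existing DACL instead of replacing it, verifies the entry by SID, and shows that FileSystemRights ReadAndExecute | Synchronize is the 0x1200a9 mask used in the SDDL string above. The icacls.exe equivalent is given in a trailing comment.

```powershell
# Added example, not from the original page: grant the IE AppContainer
# read-and-execute access to a folder with PowerShell, then verify the ACE.
# Assumptions: $Path is a constructed sample folder under %TEMP%; the SID
# S-1-15-3-4096 is the IE capability SID given in the page's SDDL string.

param(
    [string]$Path = (Join-Path $env:TEMP 'IEAppContainerShare')   # constructed sample path
)

# Capability SIDs have no account name, so build the identity from the SID itself.
$ieSid = New-Object -TypeName System.Security.AccessControl.SecurityIdentifier -ArgumentList 'S-1-15-3-4096'

# Least privilege: read and execute only. ReadAndExecute | Synchronize is 0x1200A9,
# the same access mask as the SDDL entry "A;OICI;0x1200a9;;;S-1-15-3-4096".
$rights = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute -bor
          [System.Security.AccessControl.FileSystemRights]::Synchronize
Write-Host ('Access mask: 0x{0:X}' -f [int]$rights)

New-Item -ItemType Directory -Path $Path -Force | Out-Null

# Get-Acl/Set-Acl keeps the ACEs already on the object; only the new ACE is added.
$acl = Get-Acl -Path $Path

# OICI in SDDL = ContainerInherit | ObjectInherit: subfolders and files inherit the grant.
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $ieSid,
    $rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow
)
$acl.AddAccessRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Verify by SID. Asking GetAccessRules for SecurityIdentifier identities avoids the
# name lookup that fails for capability SIDs.
$granted = (Get-Acl -Path $Path).GetAccessRules($true, $true, [System.Security.AccessControl.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference.Value -eq $ieSid.Value }

if (-not $granted) { throw "No ACE for $($ieSid.Value) on $Path" }
$granted | Format-Table IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType -AutoSize

# icacls.exe equivalent (the leading * tells icacls the principal is a SID, not a name):
#   icacls.exe "$Path" /grant "*S-1-15-3-4096:(OI)(CI)(RX)"
```

Because the script reads the current DACL and appends one rule, any ACEs already on the folder survive; it also leaves inheritance from the parent intact. Run the verification step again after any later ACL change, since an ACE for S-1-15-3-4096 that has been removed or replaced means the AppContainer is denied access.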


Granting access programmatically

You can also build and set a security descriptor in code, as shown here:

// Security descriptor example: grant the IE AppContainer read access to a file or folder.
#include <windows.h>

BOOL GrantIeAppContainerReadAccess(LPCWSTR ObjectPath)
{
    // S-1-15 is the app package authority. The IE AppContainer is identified by the
    // capability SID S-1-15-3-4096: capability base RID 3, Internet Explorer capability
    // RID 0x1000 (SECURITY_CAPABILITY_INTERNET_EXPLORER).
    SID_IDENTIFIER_AUTHORITY AppPackageAuthority = SECURITY_APP_PACKAGE_AUTHORITY;
    PSID Sid = NULL;
    PACL Acl = NULL;
    DWORD AclSize;
    SECURITY_DESCRIPTOR Sd;
    BOOL Ok = FALSE;

    if (!AllocateAndInitializeSid(&AppPackageAuthority,
                                  2,
                                  SECURITY_CAPABILITY_BASE_RID,
                                  SECURITY_CAPABILITY_INTERNET_EXPLORER,
                                  0, 0, 0, 0, 0, 0,
                                  &Sid))
    {
        return FALSE;
    }

    // Size the ACL for one ACCESS_ALLOWED_ACE. Add room for any other ACEs
    // you carry over from the object's existing DACL.
    AclSize = sizeof(ACL) + sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(Sid);
    Acl = (PACL)LocalAlloc(LPTR, AclSize);
    if (Acl == NULL || !InitializeAcl(Acl, AclSize, ACL_REVISION))
    {
        goto Cleanup;
    }

    //
    // Place other ACEs as before (those already on the object) here, so that
    // the DACL applied below does not drop them.
    //

    // Least privilege: read and synchronize only, inherited by child files and folders.
    if (!AddAccessAllowedAceEx(Acl, ACL_REVISION,
                               CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE,
                               (SYNCHRONIZE | FILE_READ_DATA), Sid))
    {
        goto Cleanup;
    }

    // Set the ACL on the security descriptor and apply it to the object.
    // SetFileSecurity replaces the object's DACL, which is why other ACEs are placed above.
    if (!InitializeSecurityDescriptor(&Sd, SECURITY_DESCRIPTOR_REVISION) ||
        !SetSecurityDescriptorDacl(&Sd, TRUE, Acl, FALSE))
    {
        goto Cleanup;
    }
    Ok = SetFileSecurityW(ObjectPath, DACL_SECURITY_INFORMATION, &Sd);

Cleanup:
    if (Acl != NULL) LocalFree(Acl);
    FreeSid(Sid);
    return Ok;
}

Per the principle of least privilege, this sample grants only read and synchronize rights. Grant additional rights only when they are absolutely necessary, and express them with the appropriate ACCESS_MASK flags.

Note  Your security descriptor (SD) must include an access control entry (ACE) for the IE AppContainer's SID; without it, access from the AppContainer is denied.


Related topics

  • Enhanced protected mode (EPM) may be enabled on the desktop
  • Supporting enhanced protected mode (EPM)
  • Determining integrity level and isolation
  • Creating and opening securable objects