Internet Explorer Local Machine Zone Lockdown
Applies To: Windows Server 2003 with SP1
The Windows Server 2003 Internet Explorer Enhanced Security Configuration component (also known as Microsoft Internet Explorer hardening) reduces a server's vulnerability to attacks from Web content by applying more restrictive Internet Explorer security settings that disable scripts, ActiveX components, and file downloads for resources in the Internet security zone. As a result, many of the security enhancements included in the latest release of Internet Explorer will not be as noticeable in Windows Server 2003 Service Pack 1. For example, the new Internet Explorer Notification Bar and Pop-up Blocker features will not be used unless the site is in a zone whose security setting allows scripting. If you are not using the enhanced security configuration on your server, these features will function as they do in Windows XP Service Pack 2.
What Does Local Machine Zone Lockdown do?
When Internet Explorer opens a Web page, it places restrictions on what the page can do, based on the page's Internet Explorer security zone. There are several possible security zones, each with different sets of restrictions. The security zone for a page is determined by its location. For example, pages that are located on the Internet will normally be in the more restrictive Internet security zone. They might not be allowed to perform some operations, such as accessing the local hard drive. Pages that are located on your corporate network would normally be in the Intranet security zone, and have fewer restrictions. The precise restrictions that are associated with most of these zones can be configured by the user through Internet Options on the Tools menu.
Prior to Windows XP Service Pack 2, the content on the local file system, aside from that cached by Internet Explorer, was considered to be secure and was assigned to the Local Machine security zone. This security zone normally allows content to run in Internet Explorer with relatively few restrictions. However, attackers often try to take advantage of the Local Machine zone to elevate privilege and compromise a computer.
Many of the exploits that involve the Local Machine zone were mitigated by other changes to Internet Explorer in Windows XP SP2. These changes were incorporated into Internet Explorer in Windows Server 2003 Service Pack 1. However, attackers may still be able to figure out ways to exploit the Local Machine zone. Internet Explorer now further protects the user by locking down the Local Machine zone by default. Local HTML hosted in other applications will run under the less restrictive settings of the Local Machine zone used in previous versions of Internet Explorer unless that application makes use of Local Machine Zone Lockdown.
Administrators will be able to use Group Policy to manage Local Machine Zone Lockdown and more easily apply it to groups of computers.
Who does this feature apply to?
All application developers should review this feature. Applications that host local HTML files in Internet Explorer are likely to be affected. Developers of standalone applications that host Internet Explorer will want to modify their applications to make use of Local Machine Zone Lockdown.
By default, Local Machine Zone Lockdown is only enabled for Internet Explorer. Developers will need to register their applications to take advantage of the changes. Applications that do not use this mitigation should independently review their applications for Local Machine zone attack vectors.
Software developers with applications that host Internet Explorer should use this feature by adding their process name to the registry as described later in this document. In the future, Microsoft might implement this feature using an "opt out" policy rather than an "opt in" policy. Applications that host Internet Explorer should be tested to ensure that they function properly with Local Machine Zone Lockdown enabled for their process.
Network Administrators might have local scripts that will be affected by these restrictions. Administrators should review the available solutions to enable their local scripts without compromising the security of their users' client computers.
Developers of Web sites that are hosted on the Internet or Local Intranet zones should not be affected by changes to the Local Machine zone, except when loading those files from the local machine during development.
Users could be affected by applications that are not compatible with these more stringent restrictions.
What existing functionality is changing in Windows Server 2003 Service Pack 1?
Changes to Local Machine zone security settings
The Local Machine zone is now more restrictive than the Internet zone. Any time that content attempts one of the following actions in this zone, the Information Bar will appear in Internet Explorer with the following text:
To help protect your security, Internet Explorer has restricted this file from showing active content that could access your computer. Click here for options...
The user can click the Information Bar to remove the lockdown from the restricted content.
The security settings that control the privileges that are granted to content running in the Local Machine zone are known as URL actions. When Local Machine Zone Lockdown is applied to a given process, it changes the behavior of URL actions from the previous Local Machine zone setting of Enabled to Disabled. As a result, scripts and ActiveX controls will not run. The default URL actions changed are:
URLACTION_ACTIVEX_OVERRIDE_OBJECT_SAFETY (to Prompt, not Disabled)
URLACTION_BEHAVIOR_RUN (to Administrator approved, not Disabled)
URLACTION_FEATURE_ZONE_ELEVATION is set to Disabled in the Local Machine zone with or without this feature.
For Local Machine Zone Lockdown, these settings are stored under a separate registry key:
The default Local Machine zone URL action settings are found under:
Why is this change important?
This change helps prevent content on a user's computer from elevating privilege. Code with such elevated privilege can then run any code through an ActiveX control or read information with a script.
What works differently?
If a Web page uses any of the restricted types of content that were previously listed, Internet Explorer displays the Information Bar, as previously described.
HTML files that are hosted on the res: protocol on the local computer will automatically run under the security settings for the Internet zone. For more information about what these templates allow, see "Introduction to URL Security Zones" on the MSDN Web site at http://go.microsoft.com/fwlink/?LinkId=26003.
How do I resolve these issues?
You can allow ActiveX and scripts to always run in Web pages that are launched from a CD by clicking Yes when presented with the following message:
Active content can harm your computer or disclose personal information. Are you sure that you want to allow CDs to run active content on your computer?
If your Web page needs to run ActiveX or scripting, you can add a Mark of the Web comment in the HTML code. This Internet Explorer feature allows the HTML files to be forced into a zone other than the Local Machine zone so that they can then run the script or ActiveX code based on the security template that would be applied to the URL identified in the comment. For example, if the URL specified is www.contoso.com and that URL is present in your Local Intranet sites list, the page uses the security template for the Local Intranet Sites zone. However, if www.contoso.com is listed in the Trusted Sites zone, the page is treated as if it were part of the Internet zone. This is by design for security purposes in Windows XP Service Pack 2 and later. This setting works in Internet Explorer 4 and later. To insert a Mark of the Web comment into your HTML file, add one of the following comments:
<!-- saved from url=(0022)http://www.example.com -->
Use this comment when you are inserting a Mark of the Web into a page whose domain is identified, replacing http://www.example.com with the URL of the Internet or intranet domain that hosts the page. Before the URL, include the length of the URL in parentheses, for example (0022) for the 22-character URL http://www.example.com.
If you want your Web page to always be treated as though it were part of the Internet zone, you can use the following Mark of the Web:
<!-- saved from url=(0014)about:internet -->
Use this comment when you need to generically insert a Mark of the Web. The about:internet portion will place the page in the Internet zone.
Beginning with Windows Server 2003 Service Pack 1 and Windows XP Service Pack 2, this HTML comment can also be used with .mht files (known as multipart HTML) and with .xml files. Mark of the Web is ignored for .mht and .xml files in earlier versions of Internet Explorer.
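The following added example (not part of the original article) builds a Mark of the Web comment in the format shown above, inserts it into an HTML document, and checks an existing comment's length field against the URL it names, since a length that does not match the URL leaves the page in the Local Machine zone. The sample HTML is constructed for the example.

```python
import re

# Mark of the Web comment format from the article above:
#   <!-- saved from url=(NNNN)URL -->
# NNNN is the length of URL, zero-padded to four digits as in the
# article's (0022) and (0014) examples.
MOTW_RE = re.compile(r"<!--\s*saved from url=\((\d{4})\)(\S+?)\s*-->", re.IGNORECASE)


def make_motw(url: str = "about:internet") -> str:
    """Build a Mark of the Web comment whose length field matches the URL."""
    if len(url) > 9999:
        raise ValueError("URL does not fit the four-digit length field")
    return f"<!-- saved from url=({len(url):04d}){url} -->"


def add_motw(html: str, url: str = "about:internet") -> str:
    """Prepend the comment so the page is assigned the zone of url instead of Local Machine.

    about:internet (the default) forces the Internet zone, as described above.
    """
    if MOTW_RE.search(html):
        return html  # already marked; do not stack a second comment
    return make_motw(url) + "\n" + html


def check_motw(html: str):
    """Return (url, length_ok) for the first MOTW comment found, or None if absent."""
    m = MOTW_RE.search(html)
    if m is None:
        return None
    declared, url = int(m.group(1)), m.group(2)
    return url, declared == len(url)


if __name__ == "__main__":
    # Constructed sample: a local help page with no Mark of the Web.
    page = "<html><body><script>alert('hi')</script></body></html>"
    marked = add_motw(page, "http://www.example.com")
    print(marked.splitlines()[0])  # <!-- saved from url=(0022)http://www.example.com -->
    print(check_motw(marked))  # ('http://www.example.com', True)
    # A hand-edited comment with the wrong length is detected as inconsistent.
    print(check_motw("<!-- saved from url=(0020)http://www.example.com -->"))
```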
As another option, you can create a separate application that hosts the HTML content in the Internet Explorer Web Object Control (WebOC). The HTML is then no longer bound by the same rules that apply to content run in Internet Explorer. When the HTML content runs in the other process, it can have full rights as defined by the developer or the zone policy for that process.
An easy way to do this is to save your content as an .hta (HTML application) file and try to run the file again in the Local Machine zone. An .hta file is hosted in a different process and therefore is not affected by the mitigation. However, .hta files run with full privileges, so you should not allow code that is not trusted to run in this manner.
Do I need to change my code to work with Windows Server 2003 Service Pack 1?
Developers should test their applications and enable the lockdown in order to offer enhanced levels of security. Developers of standalone applications should plan to adopt these changes in their applications that host Internet Explorer.
Developers of ActiveX controls that previously allowed elevated privileges in the Local Machine zone should not change their controls to allow elevated privileges in another zone. Instead, these controls should be converted to run only from an HTML application (.hta file) or a standalone application that runs outside of Local Machine Zone Lockdown.
By default, Local Machine Zone Lockdown is not enabled for non-Internet Explorer processes. Developers must explicitly register their applications to take advantage of the changes. Application developers that do not use this mitigation should independently review their applications for Local Machine zone attack vectors. To enable Local Machine Zone Lockdown for your application, go to the following registry key:
Add a REG_DWORD value to this key named for your application (for example, MyApplication.exe) and set it to 1. Any other setting for this value will disable Local Machine Zone Lockdown for the application.
To control whether Local Machine Zone Lockdown is applied to Web pages launched from a CD, go to the following registry key and value:
Setting this value to 1 disables this feature for Web pages launched from a CD on the user's computer.