Event 1024 - Binary Behaviors Restrictions

Artículo
10/13/2015

Logged Message
What Is It?
When Is This Event Logged?
Example
Remediation
Related topics

Logged Message

Windows Internet Explorer 8 and Windows Internet Explorer 7 contain dynamic binary behaviors, which are components attached to HTML elements that encapsulate specific functionality. Windows Internet Explorer security settings do not control binary behaviors, so the components can work on webpages in the Restricted sites zone. The Binary Behaviors Restrictions security feature disables the binary behavior in the Restricted sites zone by default. In combination with the Local Machine Zone Lockdown security feature, administrative approval is required for binary behaviors to run in the Local machine zone by default.

What Is It?

A behavior is a component that implements two interfaces, but in both cases it relies heavily on COM component technology. You can write behaviors in three ways: as HTML Components (HTCs), Windows Script Component (WSC), or Component Object Model (COM) objects. When you use raw COM interfaces, or the WSC infrastructure, the resulting behavior looks unequivocally like a COM object.

Note Binary behaviors differ from attached behaviors and element behaviors, which are written in script. For more information, see the Introduction to DHTML Behaviors and About Element Behaviors topics.

Binary Behavior Restriction Setting

The Binary Behavior Restriction security feature creates a new URL action setting, Binary and Script Behaviors, in each Internet Explorer security zone. The default value for this setting is Enable for all zones except the Restricted sites zone and the Locked-Down Local Machine zone. In the Restricted sites zone, the default value is Disable. In the Locked-Down Local Machine zone, the default value is Administrator-approved.

Automatic Download Blocking and the Registry

Applications that host the WebBrowser control and use Internet Explorer functionality in the Restricted sites zone might be affected. For example, e-mail applications that use a binary behavior to render HTML e-mail in the Restricted sites zone might require modification.

When Is This Event Logged?

This event is logged when a binary behavior is triggered in the Restricted site zone.

Example

Perform the following steps to see this event logged in the compatibility tool:

Create a file with the following contents. For this example call it MouseOver.htc. The file can be placed anywhere. For this example, the file is located on the desktop.

<PUBLIC:HTC>
<PUBLIC:ATTACH event="onmouseover" handler="fnOver"/>
<PUBLIC:ATTACH event="onmouseout" handler="fnOut"/>
<script LANGUAGE="jscript">
    function fnOver()
    {
        element.style.color="red";
    }
    function fnOut()
    {
        element.style.color="";
    }
</script>
</PUBLIC:HTC>

Add the following HTML to a webpage and save to the same location as the mouseover.htc file. For this example call it 1024.html.

<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
    <title>Binary Behaviors Restrictions</title>
</head>
<body>    
    <a href="http://foo" style="behavior:url(mouseover.htc)">Click here</a>
</body>
</html>

Open a browser and navigate to the webpage. For example:

C:\Users\JohnS\Desktop\1024.html

A message is displayed in the information bar indicating that the browser is restricting the webpage from running Microsoft ActiveX controls. This is due to the mouseover behavior we created. At the same time that the message is displayed, the corresponding event is logged to the Internet Explorer Compatibility Test Tool.

For comparison, you can install the same files in the root directory of the local web server and browse to https://localhost/1024.html. This places the page in the Local intranet zone which does not have the binary behavior restriction. In that case, the behavior just runs without a prompt in the information bar.

Remediation

To use binary behaviors from the Restricted sites zone, an application can implement a custom security manager. For more information about URL security zones, see Implementing a Custom Security Manager.

You can also disable this feature through feature control keys.

Security Warning: This feature mitigates attacks from malicious binary behaviors and allows the user to control the use of binary behaviors on a per-zone basis. Disabling the feature should only be used as a temporary measure during troubleshooting-to compare behavior of the application when the feature is enabled or not. It is not recommended that the feature be left disabled on an on-going basis.

You manage the restrictions through a security feature control registry key (FEATURE_BEHAVIORS). Internet Explorer (Iexplore.exe) and Windows Explorer (Explorer.exe) are enabled by default. The following shows where to add the registry keys:

HKEY_LOCAL_MACHINE (or HKEY_CURRENT_USER)
   SOFTWARE
      Microsoft
         Internet Explorer
            Main
               FeatureControl
                  FEATURE_BEHAVIORS
                     iexplore.exe = 0x00000000

This feature can also be controlled by the following Group Policy settings:

GPO Policy Path	GPO Policy Setting Name	GPO Settings
Administrative Templates\Windows Components\Internet Explorer\Security Features\Binary Behavior Security Restriction	Internet Explorer Processes	If you enable this policy setting, binary behaviors are prevented for the Windows Explorer and Internet Explorer processes. If you disable this policy setting, binary behaviors are allowed for the Windows Explorer and Internet Explorer processes. If you do not configure this policy setting, binary behaviors are prevented for the Windows Explorer and Internet Explorer processes.

Administrative Templates\Windows Components\Internet Explorer\Security Features\Binary Behavior Security Restriction

Internet Explorer Processes

If you enable this policy setting, binary behaviors are prevented for the Windows Explorer and Internet Explorer processes.

If you disable this policy setting, binary behaviors are allowed for the Windows Explorer and Internet Explorer processes.

If you do not configure this policy setting, binary behaviors are prevented for the Windows Explorer and Internet Explorer processes.

Applications that host the WebBrowser control can also take advantage of the security feature control by adding their process to the same registry locations. You can do this programmatically by using the CoInternetSetFeatureEnabled function.

Note If an application does not run under this security feature control, the WebBrowser control behaves the same as previous versions of Internet Explorer.

After the security feature control is enabled for a process, the value of the URL Action Flags URLACTION_BEHAVIOR_RUN determines whether binary behaviors are allowed to run. This flag can be set differently for each security zone. The default value for this flag is URLPOLICY_ALLOW for all zones except the Restricted sites zone. In the Restricted sites zone, the default value is URLPOLICY_DISALLOW.

The following table shows the new settings for turning on or off the existing binary behaviors functionality.

Setting name	Location	Previous default	Default value	Possible values
*	HKCU{LM}\Software\Microsoft\ Internet Explorer\Main\FeatureControl\ FEATURE_BINARY_BEHAVIOR_LOCKDOWN	None	1	0 (off) 1 (on)
2000	HKCU\Software\Microsoft\Windows\ CurrentVersion\Internet Settings\Zones\3	None	3 (disabled for restricted zone)0 (enable for all other zones)	3 (disabled) 0 (enabled)

Note The asterisk (*) is used to indicate that all processes are opted-in for this feature control setting by default. You can also modify the binary behaviors setting through Group Policy as part of the Internet Explorer Security Zones and Content Ratings setting.

Internet Explorer Application Compatibility

Events 1021 through 1028