Thursday, July 20, 2006

Vista - Controlling the Sidebar

The sidebar in Vista is Billed as being an efficient way to access lightweight apps (Gadgets) that perform a specific task well, in much the same way that Yahoo Widgets (formally Konfabulator), and Google gadgets work.  The problem with having these competing interfaces is interoperability between them, and the Vista Sidebar being supported solely on Vista.  Whilst the sidebar has been successfully ported to XP here, it remains to be seen whether Microsoft will offer it as a supported product in XP.

So in mixed OS environments, do you make use of this feature of Vista?  Well if the answer is yes, you can control how it behaves through GPO, and as the defaults leave it pretty user configurable this maybe a good idea.

The GPOs can be configured on a machine or user basis and the policy settings can be found in gpedit under either User or Machine Configuration branch – Administrative templates – Windows Components – Windows Sidebar.  There are only some fairly basic settings here, but essential for locking down the use of the sidebar:-

Turn off Windows Sidebar
Obviously does what it says on the tin, however if you don’t configure this the sidebar will be displayed by default.
Turn off unsigned Windows Sidebar gadgets     
This will stop the sidebar running any gadgets that haven’t been digitally signed.  Again this is switched off by default and will allow the running of any gadget regardless of whether or not it is signed.
Turn off user installed Windows Sidebar Gadgets.
This prevents the sidebar from running any gadgets that have been installed by the user.  Again if you don’t configure this it gives users free reign on what gadgets they install.
Override the more gadgets link
This enables you to redirect the ‘Get more gadgets online’ link to a website of your choice.  If you don’t configure this, the link goes to the default Microsoft site.


So if you want to lockdown how the sidebar is used by your users, it’s important you configure the GPOs accordingly.

Thursday, July 06, 2006

IE7 - Protected Mode

Well this is the kind of feature that could have been very useful for me a few years back when supporting a network of ‘normal’ users i.e. everything on the internet should be accessible, and all features of any site should work.  Not an unreasonable expectation of course, however code can be used in or by websites that can maliciously or unintentionally make undesirable changes to your system.

The new (not so new now) Internet Explorer 7 Plus (plus -  indicating it’s the Vista version, and therefore it has this feature) which is now in Beta 3 has a ‘Protected mode’ which controls what Areas of the Registry and User Profile Internet Explorer can write to.  This feature has been referred to as ‘Sandboxing’ internet explorer away from the operating system, which is effectively what it does by removing the integration with the operating system that has been pervasive in previous versions.

I should say at this point that the Protected mode is configurable for each security zone in the browser itself, or as an administrator you can set it by GPO so that users can’t change the setting.  With this in mind, by default Protected mode is disabled for sites in the Trusted Zone, but interestingly enough it is turned on by default in the Intranet Zone.

Low Integrity
In Vista, anything that can be secured, has an associated Integrity level, basically the level of privilege that is required by any process to get Write access to the object, alongside this each process has am integrity level defined.  As you might expect, processes with Low Integrity cannot gain access to any object that requires a higher integrity level.

Internet Explorer in protected mode uses the lowest of the three integrity levels, Low Integrity, giving it access to objects that require only low integrity, it’s worth noting that this is the case regardless of whether the user has access to the object as Integrity levels are checked prior to User Permission checks.

So rather usefully, IE7+ in protected mode does not have access to most of the Registry and is locked away from the sensitive areas both in the registry and the file system.  

Elevation
So what if you have a bunch of sites that are on your intranet that require write access to objects on the client machines?  Well you can turn off protected mode for intranet sites, this however maybe insecure due to the default behaviour of Internet Explorer is to auto-detect intranet sites and somebody may be running a web server surreptitiously on your network that may cause issues on systems where Internet Explorer does not operate in protected mode.  Another option is to add the relevant sites to the Trusted sites list, but letting users add sites to this list could become an issue.  The other method specifically used by IE7+ is to create a broker process to elevate so the process can access high integrity level objects, the behaviour of these brokers can be configured in the registry as to how IE accesses the object that is being brokered.  This process can be as simple as a Window popping up to say that a website is trying to open a file in Word and asking for user permission to open it.


Conclusion
Personally, I like this feature, and it seems a certain amount of control can be gained through the registry, and therefore through GPOs.  The flexibility of turning the feature on/off by zones will enable easy testing of websites as to whether it’s the Protected mode that is causing the issue without leaving the browser completely vulnerable.