IE7 - Protected Mode

Well this is the kind of feature that could have been very useful for me a few years back when supporting a network of ‘normal’ users i.e. everything on the internet should be accessible, and all features of any site should work.  Not an unreasonable expectation of course, however code can be used in or by websites that can maliciously or unintentionally make undesirable changes to your system.

The new (not so new now) Internet Explorer 7 Plus (plus -  indicating it’s the Vista version, and therefore it has this feature) which is now in Beta 3 has a ‘Protected mode’ which controls what Areas of the Registry and User Profile Internet Explorer can write to.  This feature has been referred to as ‘Sandboxing’ internet explorer away from the operating system, which is effectively what it does by removing the integration with the operating system that has been pervasive in previous versions.

I should say at this point that the Protected mode is configurable for each security zone in the browser itself, or as an administrator you can set it by GPO so that users can’t change the setting.  With this in mind, by default Protected mode is disabled for sites in the Trusted Zone, but interestingly enough it is turned on by default in the Intranet Zone.

Low Integrity
In Vista, anything that can be secured, has an associated Integrity level, basically the level of privilege that is required by any process to get Write access to the object, alongside this each process has am integrity level defined.  As you might expect, processes with Low Integrity cannot gain access to any object that requires a higher integrity level.

Internet Explorer in protected mode uses the lowest of the three integrity levels, Low Integrity, giving it access to objects that require only low integrity, it’s worth noting that this is the case regardless of whether the user has access to the object as Integrity levels are checked prior to User Permission checks.

So rather usefully, IE7+ in protected mode does not have access to most of the Registry and is locked away from the sensitive areas both in the registry and the file system.  

Elevation
So what if you have a bunch of sites that are on your intranet that require write access to objects on the client machines?  Well you can turn off protected mode for intranet sites, this however maybe insecure due to the default behaviour of Internet Explorer is to auto-detect intranet sites and somebody may be running a web server surreptitiously on your network that may cause issues on systems where Internet Explorer does not operate in protected mode.  Another option is to add the relevant sites to the Trusted sites list, but letting users add sites to this list could become an issue.  The other method specifically used by IE7+ is to create a broker process to elevate so the process can access high integrity level objects, the behaviour of these brokers can be configured in the registry as to how IE accesses the object that is being brokered.  This process can be as simple as a Window popping up to say that a website is trying to open a file in Word and asking for user permission to open it.


Conclusion
Personally, I like this feature, and it seems a certain amount of control can be gained through the registry, and therefore through GPOs.  The flexibility of turning the feature on/off by zones will enable easy testing of websites as to whether it’s the Protected mode that is causing the issue without leaving the browser completely vulnerable.