Internet Explorer Binary Behaviors Security Setting

  • Article

Applies To: Windows Server 2003 with SP1

Note

The Microsoft Windows Server 2003 Internet Explorer Enhanced Security Configuration component (also known as Microsoft Internet Explorer hardening) reduces a server’s vulnerability to attacks from Web content by applying more restrictive Internet Explorer security settings that disable scripts, ActiveX components, and file downloads for resources in the Internet security zone. As a result, many of the security enhancements included in the latest release of Internet Explorer will not be as noticeable in Windows Server 2003 Service Pack 1. For example, the new Internet Explorer Notification Bar and Pop-up Blocker features will not be used unless the site is in a zone whose security setting allows scripting. If you are not using the enhanced security configuration on your server, these features will function as they do in Windows XP Service Pack 2.

What does binary behaviors security setting do?

Internet Explorer contains dynamic binary behaviors: components that encapsulate specific functionality for HTML elements to which they were attached. These binary behaviors are not controlled by any Internet Explorer security setting, allowing them to work on Web pages in the Restricted Sites zone. In Windows Server 2003 Service Pack 1, there is a new Internet Explorer security setting for binary behaviors. This new setting disables binary behaviors in the Restricted Sites zone by default. In combination with the Local Machine Lockdown security feature, it also requires administrative approval for binary behaviors to run in the Local Machine zone by default. This new binary behaviors security setting provides a general mitigation to vulnerabilities in Internet Explorer binary behaviors.

For more information about binary behaviors, such as how they work and how to implement them, see "Cutting Edge: Binary Behaviors in Internet Explorer 5.5" on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=21862. Note that binary behaviors, which are defined in C++ and compiled, are different from attached behaviors and element behaviors, which are defined in script.

Who does this feature apply to?

Application developers whose applications use Internet Explorer functionality in the restricted sites or local machine zones should review this feature to plan to adopt changes in their applications. For example, e-mail applications that render HTML e-mail in the Restricted Sites zone might need to be modified.

Users can only be affected by applications that do not completely render HTML content with this new setting. These applications will typically alert the user that some active behavior has been blocked from display. For example, when Outlook Express encounters this situation, it informs the user that it has restricted active content in the e-mail.

What new functionality is added to this feature in Windows Server 2003 Service Pack 1?

New Internet Explorer security setting

Detailed description

A new URL action setting, Binary and Script Behaviors, is in each Internet Explorer security zone. The default value for this setting is Enable for all zones except the Restricted Sites zone and the Locked-Down Local Machine zone. In the Restricted Sites zone, the default value is Disable. In the Locked-Down Local Machine zone, the default value is Administrator approved.

Why is this change important? What threats does it help mitigate?

This new setting helps mitigate attacks in which binary behaviors were being used maliciously and allows the user to control the use of binary behaviors on a per-zone basis.

What works differently?

Any use of any binary behaviors for HTML rendering from the Restricted Sites zone is blocked.

How do I resolve these issues?

To use binary behaviors from the Restricted Sites zone, an application will have to implement a custom security manager. (For more information, see "Creating a Customized URL Security Manager" in "Introduction to URL Security Zones" on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=21863.)

When the binary behaviors URL action is exercised from a custom security manager, the URL action will pass in a string representation of the particular binary behaviors that can be enabled by that custom security manager as needed for application compatibility. The following process takes place when this URL action is exercised:

  • Internet Explorer calls into a custom security manager (if available), using the ProcessUrlAction method with a dwAction of URLACTION_BEHAVIOR_RUN.

  • The pContext parameter points to a LPCWSTR that contains the behavior that a policy is being queried for. For example, #default#time.

  • You set *pPolicy =URLPOLICY_ALLOW for your SmartTag behavior, from within your custom security manager, as appropriate.

In the absence of the custom security manager, the default action is to disallow running behaviors in the Restricted Sites zone, and to disallow running most behaviors in the Local Machine zone.

If you are a desktop administrator you can decide which binary behaviors to allow in the Locked-down Local Machine zone. To enable a behavior in the Locked-down Local Machine zone, you can add it to the list of administrator-approved behaviors as follows, replacing the namespace and behavior variables as appropriate to your environment:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedBehaviors

#%Namespace%#%Behavior%=dword:00000001

Behaviors that are defined in this list will also be used for any other zone where the binary behavior restriction setting is configured to "Admin-Allowed" (65536).

What existing functionality is changing in Windows Server 2003 Service Pack 1?

None. This is only a setting to turn on or off the existing binary behaviors functionality.

What settings are added or changed in Windows Server 2003 Service Pack 1?

Internet Explorer Binary Behaviors Settings

Setting name Location Previous default value Default value Possible values

*

HKEY LOCAL MACHINE [or Current User] \Software\Microsoft \Internet Explorer\Main \Feature Control \FEATURE_BEHAVIORS

None

1

0 - Off

1 - On

2000

HKEY_CURRENT_USER \Software \Microsoft \Windows \CurrentVersion \Internet Settings\Zones [or Lockdown_Zones] \*\

None

3 - Disabled (for Restricted Sites zone)

65536 - Admin-approved (for the Locked-down Local Machine zone)

0 - Enabled (for all other zones)

3 - Disabled

65536 - Admin-approved

0 - Enabled

Note

  • is used in the preceding table to represent that all processes are opted-in for this feature control setting by default. The binary behaviors setting can also be modified through Group Policy as part of the Internet Explorer Security Zones and Content Ratings setting.

Do I need to change my code to work with Windows Server 2003 Service Pack 1?

If your code uses binary behaviors in the Restricted Sites zone, then you will need to change your code by implementing a custom security manager for your application. If your code uses binary behaviors in the Local Machine zone, then you will need to either implement a custom security manager, add your behaviors to the list of approved behaviors, or use Mark of the Web to load your pages in less restrictive zones. For more information, see the "Creating a Customized URL Security Manager" section in "Introduction to URL Security Zones" on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=21863.