Internet Explorer Zone Elevation Blocks
Applies To: Windows Server 2003 with SP1
|The Microsoft Windows Server 2003 Internet Explorer Enhanced Security Configuration component (also known as Microsoft Internet Explorer hardening) reduces a server’s vulnerability to attacks from Web content by applying more restrictive Internet Explorer security settings that disable scripts, ActiveX components, and file downloads for resources in the Internet security zone. As a result, many of the security enhancements included in the latest release of Internet Explorer will not be as noticeable in Windows Server 2003 Service Pack 1. For example, the new Internet Explorer Notification Bar and Pop-up Blocker features will not be used unless the site is in a zone whose security setting allows scripting. If you are not using the enhanced security configuration on your server, these features will function as they do in Windows XP Service Pack 2.|
What does Zone Elevation Blocks do?
When a Web page is opened in Internet Explorer, Internet Explorer puts restrictions on what the page can do, based on where that Web page came from: the Internet, a local intranet server, a trusted site, and so on. For example, pages on the Internet have stricter security restrictions than pages on a user’s local intranet. Web pages on a user’s computer are in the Local Machine security zone, where they have the fewest security restrictions. This makes the Local Machine security zone a prime target for malicious users. Zone Elevation Blocks makes it harder to get code to run in this zone. In addition, Local Machine Zone Lockdown makes the zone less vulnerable to malicious users by changing its security settings.
Who does this feature apply to?
Web developers must plan changes or workarounds for any possible impact to their Web site.
Application developers should review this feature to plan to adopt changes in their applications that run in the Local Machine security zone. Because the feature is not enabled for processes other than Internet Explorer by default, developers must register their applications to take advantage of the changes.
End users might be affected by sites that are not compatible with these stricter rules and settings.
What new functionality is added to this feature in Windows Server 2003 Service Pack 1?
Zone Elevation Blocks
Internet Explorer prevents the overall security context for any link on a page from being higher than the security context of the root URL. This means, for example, that a page in the Internet zone cannot navigate to a page in the Local Intranet zone. A script, for example, could not cause this navigation. For the purpose of this mitigation, the security context ranking of the zones, from highest security context to lowest, is: Restricted Sites zone, Internet zone, Local Intranet zone, Trusted Sites zone, and Local Machine zone.
If a user clicks a link that causes the Web site to attempt to navigate to a higher zone, navigation is blocked for navigation to the Local Machine zone, but a dialog box will appear in Internet Explorer when a Web page attempts to open a page in a security zone that has a higher security context and you will be prompted as in the following message. The italicized portion changes, according to the security zone that the Web page is attempting to navigate to.
The current Web page is trying to open a site in your Trusted sites list. Do you want to allow this?
In any case, the default action does not allow the zone elevation. The user must explicitly allow the requested zone elevation.
Why is this change important?
Elevation of privilege is one of the most exploited vulnerabilities in Internet Explorer, with the ultimate goal of running malicious code in the Local Machine zone. Zone Elevation Blocks helps mitigate many privilege escalation attacks.
What works differently?
Navigation from one zone to a "higher" zone is blocked. This means that Web pages that automatically call more privileged Web pages fail.
How do I resolve these issues?
If you have a trusted Web application that is impacted by this change because it navigates between different security zones without user interaction, you should map the domains that the Web application uses into the security zone with the least privilege necessary to perform the task for which the application was designed.