Internet Explorer in Protected Mode – How the Low Integrity Environment Gets Created
Ever wondered what lies beneath the covers of Protected Mode Internet Explorer? Short answer, long explanation: mandatory integrity control (MIC).
Recap: Mandatory Integrity Control
During the development of Vista the developers at Microsoft felt that the traditional ACL-based mechanism for controlling access to system resources was not enough. The ACL model grants every process run by a user the same permissions on system resources like files and registry keys. While this is powerful and well-suited for “normal” applications, programs like Internet Explorer are under much heavier attack by malware than, say, your average text editor. Once an IE process has been compromised by exploiting a security hole, the attacking software can write to any location on the system the currently logged-on user has write access to. Not good.
Mandatory integrity control adds another layer of security. In a nutshell, it works like this: each securable object carries a label that puts it into one of three categories: low, medium or high integrity. Each process carries a complementary label marking it as untrustworthy (low), normal (medium) or trustworthy (high). Normal processes can write to objects labeled medium or low. Untrustworthy processes can only write to objects labeled low.
Sandboxing IE
Using mandatory integrity control, Microsoft put Internet Explorer in a kind of sandbox. By default, IE runs in protected mode with a low integrity level (IL). As a low IL process, IE can only write to a handful of locations that have been specifically marked with an IL of low. Here is a list of the locations IE in protected mode can write to:
- %USERPROFILE%\AppData\LocalLow
- %USERPROFILE%\AppData\Local\Microsoft\Windows\History\Low
- %USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low
- %USERPROFILE%\AppData\Local\Temp\Low
- %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Cookies\Low
Note: The favorites folder is shared between protected mode and “normal” IE processes.
Creating the Sandbox
Who creates the low integrity folders for IE? They are, after all, marked with a special label that normal folders lack. IE cannot very well create them itself – that would resemble Baron Münchhausen’s trick of pulling himself out of the mud by his own hair.
Well, protected mode IE, as a low IL process, cannot create folders in medium integrity locations – but “normal” IE can. Thus, the following happens when you start protected mode IE:
- IE starts as a medium integrity process.
- “Medium” IE checks for the existence of the “low” versions of its folders. If necessary, it creates them.
- “Medium” IE proceeds to check for the integrity level of its low level folders. If necessary, it sets their IL to low.
- “Medium” IE then launches another instance of itself – but this time as a low IL process.
- Et voilà – protected mode IE finds its environment correctly configured.
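The check-create-label sequence above, reproduced as an added PowerShell example (not code from the post or from Microsoft). It uses icacls to read and set the mandatory label, assumes an English-language Windows build (the icacls output text is matched) and a standard local profile layout without folder redirection; the folder list is the one given earlier in the post.

```powershell
# Added example: mirrors the check-create-label sequence described above.
# Assumes an English Windows build (the icacls output text is matched) and
# that the user's profile is the standard local layout (no folder redirection).

# The five protected-mode write locations listed in the post, relative to the profile.
$LowFolders = @(
    'AppData\LocalLow',
    'AppData\Local\Microsoft\Windows\History\Low',
    'AppData\Local\Microsoft\Windows\Temporary Internet Files\Low',
    'AppData\Local\Temp\Low',
    'AppData\Roaming\Microsoft\Windows\Cookies\Low'
)

function Test-LowIntegrityLabel {
    param([Parameter(Mandatory)][string]$Path)
    # icacls prints the SACL mandatory label alongside the DACL entries; a folder
    # with no explicit label is implicitly medium and shows no such line.
    $out = & icacls.exe $Path | Out-String
    return ($out -match 'Low Mandatory Level')
}

function Set-LowIntegrityLabel {
    param([Parameter(Mandatory)][string]$Path)
    # (OI)(CI) make the label inherit to files and subfolders IE creates later,
    # which is what lets a low-IL process keep writing under this tree.
    & icacls.exe $Path /setintegritylevel '(OI)(CI)L' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed to relabel $Path" }
}

function Initialize-ProtectedModeFolders {
    param([string]$UserProfile = $env:USERPROFILE)
    foreach ($rel in $LowFolders) {
        $full = Join-Path $UserProfile $rel
        # Steps 1-2: create the folder if it is missing (a medium-IL process may do this).
        if (-not (Test-Path -LiteralPath $full -PathType Container)) {
            New-Item -ItemType Directory -Path $full | Out-Null
        }
        # Step 3: relabel to low only when the label is not already present.
        if (-not (Test-LowIntegrityLabel $full)) {
            Set-LowIntegrityLabel $full
        }
        [pscustomobject]@{ Path = $full; LowLabel = (Test-LowIntegrityLabel $full) }
    }
}

Initialize-ProtectedModeFolders | Format-Table -AutoSize
```

Run it as the user whose profile is being prepared; this is also the shape of the logon-script workaround mentioned in the comments for profiles where the Low folders are not recreated automatically.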
4 Comments
No matter how hard I have tried, I cannot get access to Internet Explorer Protected Mode. Please help. Thank you very much.
Timothy Chung
It seems that, if we’re using Roaming Profiles with redirected APPDATA, the Low-folders are not recreated (after Logon) – and so printing of “Internet Zone” websites isn’t working if Protected Mode is on. We’re deleting local profiles after Logoff.
Is this what you are seeing?
MS KB: The LocalLow folder may not be created on a Windows Vista SP1-based computer or on a Windows Server 2008-based computer when roaming profiles are used in a domain environment
It’s not this problem. We’re on Windows 7 SP1. But rather it’s this problem: http://support.microsoft.com/kb/973479.
Solution from MS will be: create %temp%\low folder (and set integrity level) during logon script.