locked
Immersive Internet Explorer Metro UI. Protected Mode. Integrity Levels. Secure Browsing RRS feed

 > 

  • General discussion

  • Discussion
    Sign in to vote
    1
    Sign in to vote

    Hello,

    I was pondering secure browsing in Windows 8 and caught myself thinking about if broswing in Metro UI IE is as secure as browsing in Desktop IE. Or maybe it is even more secure since the Metro UI version does not support plug-ins.

    Please correct what I am saying below:

    • Any Metro UI app requires UAC enabled and thus the Metro UI IE always runs with Medium integrity level, and there's no way to run it with any other integrity level
    • The Desktop IE has Protected Mode disabled by default (for all of the security zones); thus, it runs with Medium interity level too (provided that UAC is turned on)
    • Enabling Protected Mode for, say, Internet zone makes the child iexplore process to run with Low integrity level
    • Starting Desktop IE with Ctrl+Shift pressed and answerring Yes to UAC prompt leads the iexplore.exe process to run with High integrity level
    • Starting Desktop IE with UAC turned off makes the iexplore exe run with the same set of security descriptors as provided in High integrity level.

    What happens if you run Desktop IE by manually passing integrity level bit to process token (UAC should be turned on):

    • C:\Windows\system32>runas /trustlevel:0x40000 "c:\Program Files\Internet Explore
      r\iexplore.exe" - Starts the browser with High integrity level
    • C:\Windows\system32>runas /trustlevel:0x20000 "c:\Program Files\Internet Explore
      r\iexplore.exe"- Starts the browser with Medium integrity level
    • C:\Windows\system32>runas /trustlevel:0x10000 "c:\Program Files\Internet Explore
      r\iexplore.exe" - Should start the browser with Low integrity level but effectively makes Desktop IE fail to run. Why?

    All the three integrity levels effectively provide the browser with three different sandboxes and separate data storages (you can't share cookies).

    You can't share cookies between IE run:

    • With High interity level
    • With Medium integrity level
    • With Protected Mode enabled.

    Could somebody please help me resolve this mess and get all that UAC + Virtualization + Protected Mode stuff sorted here?

    Thank you.

    Well this is the world we live in And these are the hands we're given...

    Thursday, February 9, 2012 1:45 PM