Event 1047 - Intranet at Medium Integrity Level

  • Article
  • Logged Message
  • What Is It?
  • When Is This Event Logged?
  • Example
  • Remediation
  • Related topics

Logged Message

Windows Internet Explorer 8 helps protect users from attack by running an Windows Internet Explorer process with greatly restricted privileges on Windows Vista. In Internet Explorer 8, browsing intranet websites occurs at the medium integrity level. At this level, processes have user level system privileges and can write to user-specific areas of the registry. In Windows Internet Explorer 7, browsing intranet websites operates with untrusted system privileges and writes only to specific low-integrity locations.

What Is It?

While most Internet Explorer 8 security features will be available in Internet Explorer 8 for Windows XP Service Pack 2 (SP2) and later, Protected Mode is only available on Windows Vista because it is based on security features new to Windows Vista.

  • User Account Control (UAC) makes it easy to run without Administrator privileges. When users run programs with limited user privileges, they are safer from attack than when they run with Administrator privileges because Windows can restrict the malicious code from carrying out damaging actions.
  • Integrity mechanism restrict write access to Securable Objects by lower integrity processes, much the same way that user account group membership restricts the rights of users to access sensitive system components.
  • User Interface Privilege Isolation (UIPI) prevents processes from sending selected window messages and other USER APIs to processes running with higher integrity.

The Windows Vista security infrastructure allows Protected Mode to provide Internet Explorer with the privileges needed to browse the Web while withholding privileges needed to silently install programs or modify sensitive system data.

Understanding Windows Vista's Integrity Mechanism

Windows Vista includes an addition to the access control security mechanism of Windows that labels processes and other securable objects with an integrity level. Internet-facing programs are at higher risk for exploits than other programs because they download untrustworthy content from unknown sources. Running these programs with fewer permissions, or at a lower integrity level, than other programs reduces the ability of an exploit to modify the system or harm user data files.

Protected Mode uses the Windows Vista integrity mechanism to run the Internet Explorer process at low integrity. The main features of the integrity level mechanism in Windows Vista are as follows:

  • Securable Objects, like files and registry keys, have security descriptors that define the integrity level, or level of privilege required for write access to the object. This integrity level is defined with a new mandatory access control entry (ACE) in the system access control list (SACL). The new mandatory ACE is called a mandatory label. Objects without mandatory labels have an implied default integrity level of Medium.
  • Processes have an integrity level defined in the security access token. In Protected Mode, Internet Explorer has a low integrity level. Applications run from the Start menu have a medium integrity level. Applications that require administrator permissions run with a high integrity level.
  • Low integrity processes cannot gain write access to objects at a higher integrity levels, even if the user's security identifier (SID) is granted write access in the discretionary access control list (DACL). Integrity level checks are performed before user access permission checks.

All files and registry keys on Windows Vista have a default integrity level of Medium. A Low integrity process, like Internet Explorer in Protected Mode, will receive access denied errors when it tries to modify existing files.

Some folders have a low integrity mandatory label. A low integrity process, such as Internet Explorer in Protected Mode, can create and modify files in low integrity folders. For example, the temporary Internet files folder contains a folder called Low, which is a low integrity folder. The Windows Vista integrity mechanism automatically assigns low integrity mandatory labels to securable objects created by low integrity processes. As a result, all files and other objects created by Internet Explorer in Protected Mode or any other low integrity process are automatically assigned low integrity mandatory labels. By default, child processes started by a low integrity process will also run with a low integrity level. Protected mode allows processes to be created with higher integrity. For details, see Starting Processes from Protected Mode.

The following table shows supported integrity access levels and the privileges they confer.

Integrity Access Level (IL) System Privileges
High Administrative (Process can install files to the Program Files folder and write to sensitive registry areas like HKEY_LOCAL_MACHINE.)
Midium User (Process can create and modify files in the user's Documents folder and write to user-specific areas of the registry, such as HKEY_CURRENT_USER.)
Low Untrusted (Process can only write to low integrity locations, such as the Temporary Internet Files\Low folder or the HKEY_CURRENT_USER\Software\LowRegistry key)

 

Changes in Internet Explorer 8

In Internet Explorer 7 browsing a site in the Intranet or Internet zone occurs with protected mode on. This means that browsing the low integrity level is used.

This behavior changes in Internet Explorer 8. Internet pages continue to run with protected mode on-meaning a low integrity level. However, Intranet pages run with protected mode off-and a medium integrity level. This facilitates a level of security that you may want for internal sites-such as accessing local files belonging to the user. However, when the user clicks a link to an Internet site from an intranet site, the page is opened in a new window running under a different, low integrity security context. This ensures that Internet sites have little chance of causing harm, even if an attacker was able to take control of the browser.

When Is This Event Logged?

This is logged when the user clicks a link on an intranet page that leads to an Internet page.

Example

Perform the following steps to see this event logged in the Internet Explorer Compatibility Test Tool:

  1. Create a webpage with the following contents. For this example call it 1047.html.

    <html xmlns="http://www.w3.org/1999/xhtml" >
<body>    
    <div>
        <a href="https://www.microsoft.com">Microsoft.com</a>
    </div>    
</body>
</html>

  2. Install the file in the root directory of the local web server. On a Microsoft Internet Information Services (IIS) server this means putting the file in this directory:

    .\wwwroot

  3. Browse to the file:

    https://localhost/1047.html

    The file is opened with protected mode off-medium integrity level.

    Note  Protected Mode is off by default in the Local Intranet zone. If it isn't then it has been changed. If this is the case, restore the default settings by completing the following steps (and then open 1047.html again):

    1. Select the Tools > Internet Options menu item.
    2. Select the Security tab.
    3. Select the Local intranet zone and
    4. Ensure that Enable Protected Mode is unchecked.

     

  4. Click the "Microsoft.com" link.

Remediation

This feature can be disabled by modifying the registry.

Security Warning: Disabling the feature should only be used as a temporary measure during troubleshooting-to compare behavior of the application when the feature is enabled or not. It is not recommended that the feature be left disabled on an on-going basis.

You disable the Intranet at Medium Integrity Level by adding a DWORD Value with the name PPT in the registry. To disable the value of the DWORD should be set to 0 and the DWORD should be created in the following registry location:

HKEY_LOCAL_MACHINE (or HKEY_CURRENT_USER)
   SOFTWARE
      Microsoft
         Internet Explorer
            Main

Internet Explorer Application Compatibility

Events 1040 through 1049