Supporting enhanced protected mode (EPM)

As of Internet Explorer 10, Microsoft ActiveX controls are loaded only for Internet Explorer for the desktop and then only when allowed through user consent, group policy, and other authorization mechanisms. When ActiveX controls are loaded, they run within the Internet Explorer process and are subject to security restrictions placed on the browser.

When enhanced protected mode (EPM) is enabled, ActiveX controls are loaded and run only when they support EPM. As a result, ActiveX controls need to recognize and respond to security restrictions enforced by EPM. Here, you'll learn what you need to do to make sure your ActiveX control supports EPM.

A brief introduction to enhanced protected mode

Enhanced protected mode (EPM) leverages three key features from the Windows security model:

  • 64-bit processes enable advanced memory protections and other security improvements.

  • Integrity levels prevent untrusted applications from modifying sensitive system objects. Untrusted apps, like IE, are considered low-integrity objects and can only modify low-integrity objects. (Low integrity apps can read higher integrity objects, though.)

  • AppContainers create a sandbox between an app and the rest of the system. AppContainers define capabilities that control the features an app is allowed to use. Apps are not allowed to read or write securable objects outside of their authorized capabilities. Because nearly every object in the Windows API can be thought of as a securable object, this means that access (read and write) to API objects is blocked unless that access has been explicitly granted. As a result, AppContainers also limit the impact of successful exploits to the resources authorized for a given AppContainer.

    IE runs in one of two AppContainer processes.

    • Most content is considered untrusted and is therefore limited to the following capabilities:
      • internetClient
      • sharedUserCertificates
      • location
      • microphone
      • webcam
    • Trusted content has the same capabilities as untrusted content and two additional ones:
      • privateNetworkClientServer
      • enterpriseAuthentication

    The Windows 8 security model is based on the principle of least privilege. If you haven't been specifically granted access to a resource, you cannot access it. Because read access is different from write access, you must remember to request both forms of access when they're needed. It's entirely possible to have write access to resources you are not allowed to read.

    Note  The trust associated with a given URI varies according to the browser configuration, the scheme used to access the resource, and the underlying network profile.


    For a more detailed introduction to enhanced protected mode, see IEInternals: Understanding Protected Mode.

Loading ActiveX controls when EPM is active

When you install your ActiveX control (including toolbars and browser helper objects), follow these steps to ensure your control supports enhanced protected mode:

  1. Install 32-bit and 64-bit binaries.

  2. Register the ActiveX control as one that is compatible with AppContainers. To do this, you register your control with the CATID_AppContainerCompatible ({59fb2056-d625-48d0-a944-1a85b5ab2640}) COM component category. Here's one way to do this from C++:

    #include <initguid.h>  // Include before DEFINE_GUID so the CATID is defined in this translation unit, not only declared
    DEFINE_GUID(CATID_AppContainerCompatible, 0x59fb2056,0xd625,0x48d0,0xa9,0x44,0x1a,0x85,0xb5,0xab,0x26,0x40);
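The following is an added example, not code from the original page or from Microsoft. It performs steps 1 and 2 above at the registry level: ICatRegister::RegisterClassImplCategories records a category as the subkey CLSID\{clsid}\Implemented Categories\{catid}, so writing that subkey in both the 64-bit and the 32-bit (WOW6432Node) CLSID views tags both binaries installed in step 1. The CLSID in the usage lines is a placeholder for your control's own; the script must run from an elevated PowerShell because it writes HKLM.

```powershell
# Added example (not the page's own code): tag a control's CLSID as
# AppContainer-compatible by creating the COM "Implemented Categories" subkey
# that ICatRegister::RegisterClassImplCategories would create, in both
# per-machine CLSID views, and verify the result per view.

$CATID_AppContainerCompatible = '{59fb2056-d625-48d0-a944-1a85b5ab2640}'

# Per-machine CLSID hives. On 64-bit Windows the 32-bit control's
# registration lives in the WOW6432Node view.
$ClsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID'
)

function Get-AppContainerCategoryKey {
    param([string] $ClsidRoot, [string] $Clsid)
    $clsidKey = Join-Path $ClsidRoot $Clsid
    Join-Path (Join-Path $clsidKey 'Implemented Categories') $CATID_AppContainerCompatible
}

function Register-AppContainerCompatible {
    # Creates the category subkey wherever the CLSID itself is registered.
    param([Parameter(Mandatory)] [string] $Clsid)
    foreach ($root in $ClsidRoots) {
        $clsidKey = Join-Path $root $Clsid
        if (-not (Test-Path -LiteralPath $clsidKey)) {
            # No binary registered in this view (for example a 64-bit-only
            # build); there is nothing to tag here yet.
            Write-Verbose "No CLSID key under $root; skipping"
            continue
        }
        $catKey = Get-AppContainerCategoryKey -ClsidRoot $root -Clsid $Clsid
        if (-not (Test-Path -LiteralPath $catKey)) {
            New-Item -Path $catKey -Force | Out-Null
        }
    }
}

function Test-AppContainerCompatible {
    # One row per registry view, so a control that carries the category in
    # only the 32-bit or only the 64-bit view is easy to spot.
    param([Parameter(Mandatory)] [string] $Clsid)
    foreach ($root in $ClsidRoots) {
        [pscustomobject]@{
            View        = if ($root -like '*WOW6432Node*') { '32-bit' } else { '64-bit' }
            ClsidExists = Test-Path -LiteralPath (Join-Path $root $Clsid)
            EpmCategory = Test-Path -LiteralPath (Get-AppContainerCategoryKey -ClsidRoot $root -Clsid $Clsid)
        }
    }
}

# Usage (placeholder CLSID; substitute your control's own):
# Register-AppContainerCompatible -Clsid '{00000000-0000-0000-0000-000000000000}'
# Test-AppContainerCompatible     -Clsid '{00000000-0000-0000-0000-000000000000}'
```

The check function is the useful half for troubleshooting: a control that loads fine in 64-bit IE but is silently skipped by the 32-bit process (or the reverse) usually shows up as one view with ClsidExists true and EpmCategory false. Controls registered per user live under HKCU:\SOFTWARE\Classes\CLSID instead; add that root to $ClsidRoots if your installer registers there.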
    

Updating ActiveX control code to support EPM

After your ActiveX control can be loaded when enhanced protected mode is active, the real work of supporting EPM begins. At this point, you need to test your control and resolve issues, many of which will come from authorization failures. The most obvious indication of a problem is an "access denied" error, which means that your control tried to access a resource that it was not authorized to access.

Given the variety of tasks that can be performed by an ActiveX control, it's nearly impossible to provide a checklist of specific troubleshooting steps. In general, you'll want to use process monitoring utilities or an attached debugger to pinpoint the authorization failure and map that back to a specific statement in your code, which will help you determine the next step of your investigation.

If your control works when EPM is disabled, this may mean that you're trying to access a resource that doesn't support the IE AppContainer. In some cases, you can resolve the issue by updating the access control list (ACL) of the resource to include the security ID (SID) of the IE AppContainer.

In other cases, you might need to modify your code to request additional access privileges when you attempt to open an object handle.
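The following is an added example, not code from the original page or from Microsoft. It applies the ACL change described above to a file-system resource and then reports what the AppContainer SID holds there, so an "access denied" can be checked against the actual ACEs rather than guessed at. The default SID is the well-known "ALL APPLICATION PACKAGES" group (S-1-15-2-1), of which every AppContainer, including IE's, is a member; the narrower IE AppContainer SID is not on this page, so it appears only as a placeholder in the parameter comment. Read and write are granted separately, matching the earlier point that one does not imply the other.

```powershell
# Added example (not the page's own code): grant an AppContainer SID read, and
# optionally write, access to a file or directory, then list the ACEs on that
# path that apply to the SID.

function Grant-AppContainerAccess {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # S-1-15-2-1 = ALL APPLICATION PACKAGES (every AppContainer). To grant
        # only IE's AppContainer, pass its package SID here (placeholder form:
        # 'S-1-15-2-<IE AppContainer package SID>').
        [string] $Sid = 'S-1-15-2-1',
        # Write is a separate grant; request it only when the control needs it.
        [switch] $AllowWrite
    )
    $identity = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    $rights   = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    if ($AllowWrite) {
        $rights = [System.Security.AccessControl.FileSystemRights]::Modify
    }
    # A directory ACE propagates to its contents; a file ACE applies directly.
    $inherit = if (Test-Path -LiteralPath $Path -PathType Container) {
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    } else {
        [System.Security.AccessControl.InheritanceFlags]::None
    }
    $ace = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $identity,
        $rights,
        $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow
    )
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($ace)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-AppContainerAccess {
    # Lists explicit and inherited ACEs on $Path that name $Sid. An empty
    # result means the AppContainer has no grant at all on this resource.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Sid = 'S-1-15-2-1'
    )
    $acl = Get-Acl -LiteralPath $Path
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $Sid } |
        Select-Object @{ n = 'Sid'; e = { $_.IdentityReference.Value } },
                      FileSystemRights, AccessControlType, IsInherited
}

# Usage (constructed paths; replace with the resource your control opens):
# Grant-AppContainerAccess -Path 'C:\ProgramData\ExampleControl\cache' -AllowWrite
# Get-AppContainerAccess   -Path 'C:\ProgramData\ExampleControl\cache'
```

Run Get-AppContainerAccess first on the resource named in the failing operation: if the SID has ReadAndExecute but the control opens the handle for writing, the fix is either the -AllowWrite grant or, per the paragraph above, opening the handle with read-only access when that is all the control needs. Registry keys take the same shape with Get-Acl on an HKLM:\ path and a System.Security.AccessControl.RegistryAccessRule in place of the file-system rule.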

The following links describe many common tasks performed by ActiveX controls; use these as guidelines:

In this section


Granting resource access to AppContainers

You can change the access control list (ACL) of a securable resource to allow access from the IE AppContainer.

Determining integrity level and isolation

It may be necessary for your ActiveX control to determine the current integrity or isolation level. This can be achieved by checking the process token, as shown here.

Creating and opening securable objects

To gain access to a securable object (read, write, or otherwise), you need to pass appropriate parameter values when opening handles to those resources. Use these examples to do so.