ZS: 10. Binary and script behaviors

Stats:

GUI name: Binär- und Skriptverhalten / Binary and script behaviors

Policy name: Binär- und Skriptverhalten zulassen (Allow binary and script behaviors)

Supported on: At least Internet Explorer 6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1

Category path: [Machine|User] Configuration\Administrative Templates\Windows-Komponenten\Internet Explorer\Internetsystemsteuerung\Sicherheitsseite\%ZONENAME%\

Registry key: [HKLM|HKCU]\Software\[Policies\]Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%ZONEID%

Registry value: 2000

Policy URL: https://gps.cloudapp.net/Default.aspx?PolicyID=732

Explanation:

This policy setting lets you manage dynamic binary and script behaviors: components that encapsulate specific functionality for the HTML elements to which they were attached.

If you enable this policy setting, binary and script behaviors are available. If you select "Admin-approved" in the drop-down list, only the behaviors listed in the "Admin-approved behaviors" list of the "Binary behavior security restriction" policy are available.

If you disable this policy setting, binary and script behaviors are not available unless applications have implemented a custom security manager.

If you do not configure this policy setting, binary and script behaviors are available.

Example:

<a href="https://www.microsoft.com" style="behavior:url(mouseover.htc)">
Visit my Web site
</a>

Where "mouseover.htc" contains the following:

<PUBLIC:HTC>
<!-- attach the handlers below to the events of the element the behavior is applied to -->
<PUBLIC:ATTACH event="onmouseover" handler="fnOver"/>
<PUBLIC:ATTACH event="onmouseout" handler="fnOut"/>
<script LANGUAGE="jscript">
// "element" refers to the HTML element the behavior is attached to
function fnOver(){element.style.color="red";}
function fnOut(){element.style.color="";}
</script>
</PUBLIC:HTC>

(from: https://msdn.microsoft.com/en-us/magazine/bb985631.aspx )

Note:

What does binary behaviors security setting do?

Internet Explorer contains dynamic binary behaviors: components that encapsulate specific functionality for HTML elements to which they were attached. These binary behaviors are not controlled by any Internet Explorer security setting, allowing them to work on Web pages in the Restricted Sites zone. In Windows Server 2003 Service Pack 1, there is a new Internet Explorer security setting for binary behaviors. This new setting disables binary behaviors in the Restricted Sites zone by default. In combination with the Local Machine Lockdown security feature, it also requires administrative approval for binary behaviors to run in the Local Machine zone by default. This new binary behaviors security setting provides a general mitigation to vulnerabilities in Internet Explorer binary behaviors.

What is a binary behavior?

Binary and script behaviors are extensions (plug-ins) that can be used by HTML-like tags within a web page.

The most popular behavior is the use of the VML language.

Some menu structures in web pages are also built on that feature.

What happens if I deactivate binary and script behaviors?

Tags that would initiate a behavior will not be executed. Because the tag is then interpreted as a custom HTML tag with no relationship to the intended behavior, it will usually do nothing.

How can I evaluate whether binary behaviors are used in my environment?

You can use the Application Compatibility Toolkit (version 5 and above) and enable IE testing. If a behavior was blocked because of the security setting for the given security zone (e.g. the Internet zone), ACT records an event "BinaryBhvr" with the URL, the index of the UrlZone (3 = Internet) and the blocked behavior itself (e.g. #default#VML).

Additional links:

Security Considerations: Element Behaviors:

https://msdn.microsoft.com/en-us/library/aa753685.aspx

--- snip ---

Security Considerations: Element Behaviors

This topic provides information about security considerations related to element behaviors. This document doesn't provide all you need to know about security issues—instead, use it as a starting point and reference for this technology area.

A Binary Element Behavior (or binary behavior) is a Component Object Model (COM) object loaded by a Web page and assigned to an element type in the page—either a custom element tag or an existing HTML tag. The COM object is then able to customize the behavior of the tag by implementing the IElementBehavior interface. Customizations include any options available to scripted behaviors and more advanced behaviors such as Microsoft Windows Graphics Device Interface (GDI) rendering. For more information on creating binary element behaviors, see Binary Behaviors Overviews and Tutorials.

Because a binary behavior is a COM object, a binary behavior can execute any code after loading. For that reason, the security profile of a binary behavior is very similar to that of a Microsoft ActiveX control, and the same security considerations apply. Binary behaviors, like ActiveX controls, run with the security credentials of the user running the browser process. This means a binary behavior can not only render to the screen, it can also potentially access local files, configuration settings, or network resources. Accessing a page that loads a malicious binary behavior presents a considerable security risk.

Windows Internet Explorer in Windows XP Service Pack 2 (SP2) offers three major techniques for restricting binary behaviors, as follows:

  1. Processes listed in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS registry key do not load binary behaviors on Web pages in the Restricted zone by default. Other processes can be added or removed from this list via administrative group policy or by setting the registry key manually. For more information, see Internet Explorer Maintenance Policy.
  2. Binary behaviors can be specifically allowed or forbidden to run based on the zone of the Web page loading the binary behavior. This is done via administrative group policy, setting registry keys manually, or enabling behaviors programmatically using the CoInternetSetFeatureEnabled and IInternetZoneManager::SetZoneActionPolicy functions. For example, a process hosting the WebBrowser Control can disallow binary behaviors in both the Restricted Sites zone and the Local Machine zone while allowing it in other zones. For more information about the CoInternetSetFeatureEnabled function, see Introduction to Feature Controls.
  3. Binary behaviors can be specifically allowed or forbidden to run based on the combination of namespace and behavior name. Specific behaviors can be added to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedBehaviors registry key. For example, adding a #default#VML# DWORD key with a value of 0 disables the built-in Vector Markup Language (VML) binary behavior.

--- snip ---

Documentation of changes in Functionality in XP SP2

https://download.microsoft.com/download/8/7/9/879a7b46-5ddb-4a82-b64d-64e791b3c9ae/05_CIF_Browsing.DOC

-- snip --

New Internet Explorer Security Setting

Detailed description

A new URL Action setting, Binary Behaviors, is in each Internet Explorer security zone. The default value for this setting is Enable for all zones except the Restricted Sites zone. In the Restricted Sites zone, the default value is Disable.

Why is this change important? What threats does it help mitigate?

This new setting helps mitigate attacks in which binary behaviors were being used maliciously and allows the user to control the use of binary behaviors on a per-zone basis.

What works differently?

Any use of any binary behaviors for HTML rendering from the Restricted Sites zone is blocked.

How do I resolve these issues?

To use binary behaviors from the Restricted Sites zone, an application will have to implement a custom security manager. (For more information, see "Creating a Customized URL Security Manager" in "Introduction to URL Security Zones" on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=21863.)

When the binary behaviors URL action is exercised from a custom security manager, the URL action will pass in a string representation of the particular binary behaviors that can be enabled by that custom security manager as needed for application compatibility. The following process takes place when this URL Action is exercised:

  • Internet Explorer calls into a custom security manager (if available), using the ProcessUrlAction method with a dwAction of URLACTION_BEHAVIOR_RUN.
  • The pContext parameter points to a LPCWSTR that contains the behavior that a policy is being queried for. For example, #default#time.
  • You set *pPolicy = URLPOLICY_ALLOW for your SmartTag behavior, from within your custom security manager, as appropriate.
  • In the absence of the custom security manager, the default action is to disallow running behaviors in the Restricted zone.

If you are a desktop administrator you can decide which Binary Behaviors to allow in the Locked-down Local Machine Zone. To enable a behavior in the Locked-down Local Machine Zone, you can add it to the list of administrator-approved behaviors as follows, replacing the namespace and behavior variables as appropriate to your environment:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedBehaviors

#%Namespace%#%Behavior% = dword:00000001

Behaviors that are defined in this list will also be used for any other zone where the Binary Behavior restriction setting is configured to "Admin-Allowed" (65536).

--- snip ---

Possible values:

0x0 => Enable

0x10000 => Admin-approved

0x3 => Disable

Default values:

Restricted Sites:

IE6: Disable; IE7: Disable; IE8: Disable; IE9: Disable; IE10: Disable;

Internet:

IE6: Enable; IE7: Enable; IE8: Enable; IE9: Enable; IE10: Enable;

Trusted Sites:

IE6: Enable; IE7: Enable; IE8: Enable; IE9: Enable; IE10: Enable;

Local intranet:

IE6: Enable; IE7: Enable; IE8: Enable; IE9: Enable; IE10: Enable;
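As an added example (not part of these notes or of Microsoft's documentation), the following PowerShell script reads value 2000 for each security zone from the registry locations given in the stats above, decodes it with the possible values and default values listed here, and, if any zone is set to admin-approved, lists the entries of the AllowedBehaviors key described in the XP SP2 excerpt. The zone IDs other than 3 = Internet and the lookup order across the policy, user and machine hives are assumptions.

```powershell
# Added example, not from the original page: audit URL action 2000 ("Binary and
# script behaviors") in every IE security zone, compare it with the documented
# defaults, and list the admin-approved behaviors when 0x10000 is in effect.
# Assumptions: zone IDs 0-4 (the page only names 3 = Internet) and a simplified
# lookup order (policy keys first, then the user hive, then the machine hive).

$ZoneNames = @{ 0 = 'Local Machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$Meaning   = @{ 0 = 'Enable'; 3 = 'Disable'; 0x10000 = 'Admin-approved' }
$Expected  = @{ 1 = 0; 2 = 0; 3 = 0; 4 = 3 }   # documented IE6-IE10 defaults; zone 0 is not listed on the page
$ZoneRoots = @(
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

function Get-BinaryBehaviorSetting {
    param([int]$ZoneId)
    foreach ($root in $ZoneRoots) {
        $key = Join-Path $root $ZoneId
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key -Name '2000' -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Zone = $ZoneId; Value = [int]$item.'2000'; Source = $key }
        }
    }
    return $null   # value 2000 not set anywhere: the browser's built-in default applies
}

$adminApprovedInUse = $false
foreach ($zoneId in 0..4) {
    $s = Get-BinaryBehaviorSetting -ZoneId $zoneId
    if ($null -eq $s) { '{0,-16} value 2000 not set (built-in default applies)' -f $ZoneNames[$zoneId]; continue }
    $text = if ($Meaning.ContainsKey($s.Value)) { $Meaning[$s.Value] } else { 'UNKNOWN' }
    $flag = if ($Expected.ContainsKey($zoneId) -and $s.Value -ne $Expected[$zoneId]) { '  <-- differs from documented default' } else { '' }
    '{0,-16} 0x{1:X} ({2}) from {3}{4}' -f $ZoneNames[$zoneId], $s.Value, $text, $s.Source, $flag
    if ($s.Value -eq 0x10000) { $adminApprovedInUse = $true }
}

if ($adminApprovedInUse) {
    # Admin-approved zones only run behaviors listed here as #namespace#behavior = DWORD 1
    $allowed = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedBehaviors'
    if (Test-Path $allowed) {
        foreach ($name in (Get-Item $allowed).GetValueNames()) {
            'allowed behavior: {0} = {1}' -f $name, (Get-ItemPropertyValue -Path $allowed -Name $name)
        }
    } else {
        'Admin-approved is selected but the AllowedBehaviors key is absent: no behaviors will run there'
    }
}
```

A zone reported as differing from the documented default (in particular Restricted Sites set to anything other than 0x3) is the one to investigate first; an admin-approved zone with an empty or missing AllowedBehaviors list effectively behaves as disabled.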