Windows 7 / Getting Started

How Protected Mode Improves Security

When Internet Explorer runs in Protected Mode, Mandatory Integrity Control (MIC), a Windows Vista and later operating systems feature, forces Internet Explorer to be a low-integrity process. MIC does not allow low-integrity processes to gain write access to high-integrity-level objects, such as files and registry keys, in a user's profile or system locations. Low-integrity processes can write only to folders, files, and registry keys that have been assigned a low-integrity MIC access control entry (ACE) known as a mandatory label. Table below describes the different integrity levels.

Mandatory Integrity Control Levels

Integrity Access LevelSystem Privileges
HighAdministrative. Processes can install files to the Program Files folder and write to sensitive registry areas, such as HKEY_LOCAL_MACHINE.
MediumUser. Processes can create and modify files in the user's Documents folder and write to user-specific areas of the registry, such as HKEY_CURRENT_USER. Most files and folders on a computer have a medium-integrity level because any object without a mandatory label has an implied default integrity level of Medium.
LowUntrusted. Processes can write only to low-integrity locations, such as the Temporary Internet Files\Low folder or the HKEY_CURRENT_USER \Software\Microsoft\Internet Explorer\LowRegistry key.

As a result of being a low-integrity process, Internet Explorer and its extensions run in Protected Mode, which can write only to low-integrity locations, such as the new low-integrity temporary Internet files folder, the History folder, the Cookies folder, the Favorites folder, and the Windows temporary file folders. By preventing unauthorized access to sensitive areas of a user's system, Protected Mode limits the amount of damage that a compromised Internet Explorer process can cause. An attacker cannot, for example, silently install a keystroke logger to the user's startup folder.

Furthermore, the Protected Mode process runs with a low desktop integrity level. Because of User Interface Privilege Isolation (UIPI), a compromised process cannot manipulate applications on the desktop through window messages, thus helping to reduce the risk of shatter attacks.

Shatter attacks compromise processes with elevated privileges by using window messages.

If a Web page or add-on does require more privileges than provided by Protected Mode or the compatibility layer, it will prompt the user to grant those privileges using User Account Control (UAC). This can occur, for example, if the user needs to install an add-on that requires elevated rights. Most add-ons can run within Protected Mode, however, and loading them will not prompt the user.

Because Protected Mode also protects extensions, vulnerabilities in extensions, such as buffer overflows, cannot be exploited to access any part of the file system or other operating system object to which Protected Mode does not normally have access. Therefore, the damage that a successful exploit can cause is very limited.

Defense-in-Depth

Protected Mode is not the first line of defense against malware; it's a form of defense-in-depth. Protected Mode offers protection in the event that a malicious Web page successfully bypasses the other security measures of Internet Explorer. In the case of a successful exploit, Protected Mode restricts the processes' privileges to limit the damage that malware can do. In other words, even if your browser gets hacked, Protected Mode might still keep your computer safe.

[Previous] [Contents] [Next]

In this tutorial:

  1. Managing Windows Internet Explorer
  2. Internet Explorer 8 Improvements
  3. InPrivate Browsing
  4. InPrivate Filtering
  5. Compatibility View
  6. SmartScreen
  7. Domain Highlighting
  8. Tab Isolation
  9. Accelerators
  10. Improvements Previously Introduced in Internet Explorer 7
  11. User Interface Changes
  12. Tabbed Browsing
  13. Search Bar
  14. How to Create a Web Link to Add a Custom Search Provider
  15. How to Configure Custom Search Providers Using the Registry
  16. How to Configure Custom Search Providers Using Group Policy
  17. RSS Feeds
  18. Improved Standards Support
  19. Expanded Group Policy Settings
  20. Defending Against Malware
  21. How Protected Mode Improves Security
  22. How the Protected Mode Compatibility Layer Works
  23. How to Solve Protected Mode Incompatibilities
  24. URL-Handling Protection
  25. Address Bar Visibility
  26. Cross-Domain Scripting Attack Protection
  27. Controlling Browser Add-ons
  28. Add -on Manager Improvements
  29. Protecting Against Data Theft
  30. Security Status Bar
  31. How the Smart Screen Filter Works
  32. How to Configure Smart Screen Options
  33. Deleting Browsing History
  34. Blocking IDN Spoofing
  35. Security Zones
  36. Understanding Zones
  37. Configuring Zones on the Local Computer
  38. Configuring Zones Using Group Policy
  39. Network Protocol Lockdown
  40. Managing Internet Explorer Using Group Policy
  41. Group Policy Settings for Internet Explorer 7 and Internet Explorer 8
  42. New Group Policy Settings for Internet Explorer 8
  43. Using the Internet Explorer Administration Kit
  44. Troubleshooting Internet Explorer Problems
  45. Internet Explorer Does Not Start
  46. An Add-on Does Not Work Properly
  47. Some Web Pages Do Not Display Properly
  48. Preventing Unwanted Toolbars
  49. The Home Page or Other Settings Have Changed