Mark of the Web


With the Local Machine Zone Lockdown introduced in Windows XP SP2, an HTML file on your hard drive will no longer be able to run script and active content unless the user grants permission through the information bar and an additional prompt. This is part of the work to ensure that if bad content does reach your machine, it cannot run with elevated privileges and do nefarious things. Users should exercise caution whenever the information bar appears and be sure that this is really content they wish to allow before doing so.

One of the ways for legitimate content to work on the local machine is for the content to include what is known as the Mark of the Web (MOTW) in the page. Once included, this allows such content to run from the local drive. I’ve seen a little confusion as to what the MOTW actually does, so we’ve improved the documentation on this on MSDN. In short, the MOTW in a page allows the content to run as if it came from the Internet zone. So the script and active content will have the same privileges as if you were viewing it from a website, and will not be able to run with elevated access to machine resources.

Thanks
-Dave

Comments (43)

  1. Anonymous says:

    you could fix the stupid ‘zone’ model?

    how about proper per-site permissions/privileges/whitelists/blacklists with zones as convenient templates?

  2. Anonymous says:

    This blog is getting better recently.

  3. Anonymous says:

    I actually agree with zxcv; something needs to be done about IE’s entire security model. I’ve been managing computers through Group Policy and the number of IE security settings is just astounding. It’s to the point where I’m not sure if my settings are safe anymore. All I want is a whitelist for ActiveX sites.

  4. Anonymous says:

    What’s broken about the zone model? You can already blacklist sites by putting them in the Restricted zone or trust them by putting them into Trusted. If you want a trust-by-whitelist-only model then tighten up the Internet zone as much as you want and add your whitelisted sites to Trusted. You can even add new zones if you need more granularity! The only addition I’d like to see is the ability to right-click the zone indicator and add the current site(s) to a different zone.

    One thing that’s always confused me about MOTW though: since all it takes is a MOTW in the file, it seems that the bad guys can just as easily circumvent the extra security that Local Machine Lockdown was trying to provide. Or did I miss something?

  5. Anonymous says:

    I think you’ve missed that MOTW can only effectively get Internet zone permissions. Previously the same attack would have gotten Trusted zone permissions.

  6. Anonymous says:

    Any suggestions for stopping the Info Bar to show up whenever I open a local XML document in IE? So damn frustrating.

  7. Anonymous says:

    The improved documentation is much appreciated!

  8. Anonymous says:

    #$%#@# MSDN blocks my Opera 8 if I don’t spoof User-Agent.

  9. Anonymous says:

    Alt-Shift-Dave, I think the problem is complexity. I don’t really know what "MK Protocol Security Restriction" or "Binary Behavior Security Restriction" are. So I disabled both, but apparently the latter is needed for MSDN (took me months to accidentally discover that one). Should I know this somehow? Maybe I’m just not reading enough documentation, but I do think that there are just way too many security settings. It’s very unclear just how safe my settings are.

    The different zones are okay, I guess; the problem is all these settings for each zone.

  10. Anonymous says:

    anon, isn’t that the point of Zones though? i.e. there are far too many security options for average users to understand so you just group them into sensible defaults (Internet, Intranet, Restricted and Trusted) to simplify the whole process whilst leaving advanced settings there for those that do need/understand them. The alternative would just be a list of those settings, which to me seems a far worse scenario.

    I never quite understood the point of the Mark of the Web option though. Wouldn’t it have just been easier to make the Local Machine Zone equivalent to the Internet Zone and be done with it? Or is there something subtle I’m missing?

  11. Anonymous says:

    This is a good post. I was vaguely aware of this "feature" and it is good to have it pointed out. This is the kind of thing we want from the IE blog. Keep it up!

    (That doesn’t mean that I think using SGML comments to disable a security feature is a good idea btw.)

  12. Anonymous says:

    "Any suggestions for stopping the Info Bar to show up whenever I open a local XML document in IE? So damn frustrating."

    I’ve noticed that too. From what I can tell, the IE devs were a little overzealous and block their own code when it gets added to a local document for special effects. As for solving it, placing the drive letter into the trusted zone might work, but I have no idea if IE will allow that.

  13. Anonymous says:

    Many of you are commenting on something I have been thinking about for a long time which is IE’s zone approach to security.

    The biggest problem I have seen with Security in IE is how people do NOT use the security zones. I have seen many, many computers where the end user goes into security and changes the Internet Zone to its lowest levels then whines about all the spyware/adware/crapware.

    James

  14. Anonymous says:

    James, Andy, I guess what I’m trying to say is that there are still too many security options, and dividing them into zones doesn’t help since people are still left wondering if a particular option is safe for Local zone, but maybe not Internet zone. Setting everything to the lowest level may be a result of frustration from not knowing what options should be set to what to get some pages to work (as in my case with MSDN library).

  15. Anonymous says:

    Anon,

    I think you bring up a valid point that some of the security options need better explanation and we will work on that.

    If someone does not understand the decision they are making when altering security settings I’d recommend they do not make any change at all.

    We offer a great deal of flexibility in the settings for Internet Explorer but recommend that users adopt the default settings if they are not confident of a change. We work hard to ensure that the default settings are secure.

    It’s always a trade off of giving advanced users flexibility while not confusing the less technically savvy.

    I’ll definitely take the feedback that we need to improve documentation in this area though.

    Thanks

    -Dave

  16. Anonymous says:

    Dave:

    Maybe add a section to the Security Center that checks if your IE settings are unreasonably low? With a one-click mechanism to tighten them to their defaults?

  17. Anonymous says:

    The model is backwards. Content on the desktop should always be assumed to run with the same credentials as a website.

    If the content tries to do something that goes beyond the rights of a website then show the information bar and let the user make a decision. This way all local pages are assumed to have the "mark of the web" until they try to do something beyond this zone.

    This would give the same behavior as you have today but you wouldn’t need this extra comment tag to prevent the info-bar from showing.

    For me the new behavior in SP2 is an app-compatibility issue. My existing web pages that ran fine on the desktop now show an information-bar even though the app does not do anything bad. Currently a simple page-to-page fade causes the bar to show.

  18. Anonymous says:

    One of the new things I’d like to see in IE, is new error pages. For example the ones in Firefox. The year 1998 is way over and we need to move on to a better design of error handling. How about it?

  19. Anonymous says:

    anon,

    I see your point and it is well made. Unfortunately what we are talking about is a trade off. The reason all those options are there is because someone asked for them. Take one option away to make things simpler and there will be a thousand "anti-anon" people complaining about not enough options.

    I fully agree with the better documentation.

    James

  20. Anonymous says:

    What’s broken about the zone model is that it’s too complex. I work mainly contracts and sometimes 2-3 contacts at a time, so I find myself in many work environments and I’ve never seen any IT staff go around configuring the different security zones. Basically everybody operates on out-of-the-box setups and everything is left to secretaries to figure out how to get shit done. Doesn’t work.

  21. Anonymous says:

    I think the powers that be inside MS need to stop the IE team from trying to invent all these new off the wall security models.

    Just about every single Windows application where security is paramount allows the user to run the app using a non-privileged user account with minimal hassle. IE should too.

  22. Anonymous says:

    Steve: The error pages in Firefox are not enabled by default yet as there were still a few bugs to iron out; however, they should be in version 1.1. At the moment Firefox uses Netscape-style error dialogs instead.

    But I do agree with what Steve is getting at: all IE error pages look the same to the casual user and you can only find out the real problem by scrolling to the bottom of the page. This means to the average user a 404 (page not found) error would look the same as an error that says they can’t connect to the server, which results in a call to support saying "My internet is down". A 404 should really just show the server-supplied error page at all times anyway – currently IE only does this if it’s over a certain length, which is why Apache 2 and above increased the length of their default error pages.

    Greg: I agree that this is backwards, Internet privs should be assumed and elevation blocked until user gives permission.

  23. Anonymous says:

    Just read the document about this and it seems a very flawed design.

    In a nutshell you add an HTML comment to the page where you specify the URL where the page supposedly originates from or failing that "about:internet" to default to the Internet Zone.

    Problem is there seems to be no checking on the URL entered in the comment. Imagine if a user had "windowsupdate.microsoft.com" listed in Trusted Sites and "evilsite.com" listed in Restricted Sites: a page on evilsite.com could convince a user to download content that contains a Mark of the Web comment saying the page was from windowsupdate.microsoft.com, and immediately they’ll have a zone elevation, as content that should be in Restricted Sites would now be treated as a Trusted Site.

    Now imagine if the user for some reason had set the trusted sites to run unsigned activex and the restricted sites to disable everything then they’d be in for a nasty surprise.

    The rule is never trust the server, all local content should run restricted by default with an option (via the info bar) to enable more freedom.

  24. Anonymous says:

    The fact Internet Explorer is set up with a more restrictive setting than the internet is obviously absurd.

    If something is on your local zone, it should be at least as trusted as the internet. Think about it: it’s your local machine! You’re able to run a random .exe from the hard drive, but you’re not allowed to run some javascript or view an xml file? This was obviously some panic reaction from the security team, regarding some attacks using the local machine zone (instead of solving the fact the attacks got access to the local machine zone!)

    If it is possible to use SGML comments to elevate a web page from the local machine zone to the internet zone, what’s the point of the security model then? If any malicious user can simply place himself outside the imposed security model, the whole point of it is gone. Also, users would theoretically have to know the source of a .html page before knowing if it will be run in a "safe" environment instead of an "insecure" internet environment, which is exactly not the point of the whole security zone model.

  25. Anonymous says:

    Dave Massy (same as Dave?),

    Great to hear there’s some work being done on the documentation side. Specifically, it’d be nice to have some information on whether or not something is safe to enable, not just what it does.

  26. Anonymous says:

    A great marker!

    However, after adding the MOTW,

    var xslProc = xslt.createProcessor();

    xslProc.input = xslDoc;

    fails. It won’t read XML from the local drive. If read from internet site, gets the cross domain warning.

    BTW, people who says Local Zone should be more trusted than Internet should probably rethink. The IE developers probably used to think that it should be like this, until they learnt it the hard way.

  27. Anonymous says:

    It seems strange to lock down the local zone even more than the internet zone. Given that a local page can just "elevate" its privileges to the internet zone, why don’t they just treat *all* local content as if it comes from the internet zone?

    i.e. starting safe ActiveX objects cannot be done in the local zone, but can be done in the internet zone. Seems pretty pointless with this MOTW capability to completely avoid this *safety* feature.

  28. Anonymous says:

    shane, that’s the puzzlement I had up above. All I could figure is that some of the exploits they were trying to stop could not inject a MOTW but would (attempt to) run ActiveX for example.

    Jonathan: "Maybe add a section to the Security Center that checks if your IE settings are unreasonably low?"

    Here’s another vote for that idea. The Internet zone should not be set to accept unsigned ActiveX, or to install ActiveX without prompts. SC could check for that and warn just like it does for firewall or AV.

  29. Anonymous says:

    There does seem to be some continued confusion around the LMZ lockdown. I do encourage people to read both the article on MOTW we pointed to as well as the resources on the changes in SP2 at http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2brows.mspx which discusses the LMZ lockdown amongst other things.

    We’ll also be taking a look to see if we can make any further improvements to documentation to minimise confusion.

    We took the step of locking down all content from the local machine rather than defaulting to Internet zone security for local content. This allows a user to still intervene through the information bar to run with elevated privileges if they wish. Had we defaulted to simply running content in the Internet zone, some legitimate content that required elevated privileges might not be able to function at all or, even more confusingly, only partially run due to the different zone settings.

    There are certainly different approaches to this but we believe we got the balance about right in Windows XP SP2. Our work there considered both defense in depth and minimising the surface area for attack. So that even if a bad person managed to get content onto your machine then loading that content into the browser can do no harm.

    Thanks

    -Dave

  30. Anonymous says:

    @Dave: Ah yes, I understand now. This method effectively gives the user the *opportunity* to run potentially unsafe content if they wish. Although it is admittedly strange that content that runs fine on the web suddenly has security issues when run locally. Which is what this MOTW is all about overcoming I guess 🙂

  31. Anonymous says:

    MOTW for IntranetZone :<

    <!-- saved from url=(0017)http://localhost/ -->

  32. Anonymous says:

    Nice to find this just as I’m finally trying to use MOTW. What I’d like to see is an option to always trust a particular local page so I don’t have to go add these by hand to local Web pages, but I’m not turning off local security in a blanket way. I run the wonderful DQSD search bar on all my PCs and I’d like to say just the once ‘yes, I know this one piece of local content is safe’ instead of getting the warning every time I start up my PC. I hope I’ll get MOTW working – but I don’t think all my readers should have to get their heads around it too.

  33. Anonymous says:

    ah, that’s disappointing. Adding MOTW to the local HTML page that is in the toolbar stops the initial warning but causes the pop-up calendar and help pages to break irretrievably (they’re fine if I click OK to the Active Content prompt and unblock by hand). Sadly the only option I can find (http://www.dqsd.net/sp2.htm) involves disabling more security than I’m comfortable with. What kind of workaround might you suggest for cases like this? thanks!

  34. Anonymous says:

    I’ve read the articles and comments and I’m still confused.

    As I understand it adding MOTW takes a local HTML file out of the local machine zone and into the internet zone.

    What’s to stop the cracker putting the MOTW on their nasty HTML file? I understand it no longer gets full trust but only the internet zone, so why not make it default to this zone in the first place?

  35. Anonymous says:

    Never thought I’d use this tag.

    But I just did. This blog is becoming a useful resource!

  36. Anonymous says:

    Bogdan: I believe the intent of the local machine lockdown is to prevent abuse of *already-existing* HTML pages/files. For example, pages within the Help & Support Center or within local CHM files. If the cracker can get his own file onto your machine, you’ve got bigger problems. 🙂

  37. Anonymous says:

    The current scheme in SP2 is that by default all web pages are very locked down but you can optionally make them completely unrestricted using the information bar.

    The default is completely useless as it will not display most pages thereby forcing you to use the information bar to give you elevated privileges which is plain dangerous. To save clicking on the information bar every time I have had to resort to selecting "Allow active content to run in files on my computer" in Internet Options which is even more dangerous.

    What should happen is that pages are displayed with the same security as pages on the internet, meaning that you would not usually have to give them any further privileges. The information bar should then allow you to run the page with higher privileges (with a big warning) if necessary (and it would not normally be necessary).

    It would be even better if there was a separate zone for the local computer which defaulted to the same level as the internet zone, allowing you to customize it yourself.

    You could then get rid of the "Allow active content to run in files on my computer" option.

  38. Anonymous says:

    That last post was a different Jonathan to the other posts!

  39. Anonymous says:

    very bad experience with the mark of the web, because when Visual Studio 2003 generates comment web pages for my projects, it automatically puts in a line "<!-- saved from url=(0007)http:// -->", and this eventually makes all the pages go to the Restricted zone in IE under Windows XP SP2, so all the frames, etc, cannot be viewed… should I blame IE? SP2? or VS 2003? Never mind, all of these are Microsoft products, hope they come out with a workaround. Now I am using a simple program to remove these comments from all the pages generated..

  40. Anonymous says:

    The documentation certainly is more clear but WHAT ARE THE NUMBERS? Is there any difference in using (0013) or (0014) or (0022) or (0025)? I’ve seen all these numbers used in various places, and since I’m not an admin, if they are related to zone numbers, I’ve never seen those options anywhere. Please explain these numbers and what they do for you.

  41. Dave Massy says:

    Hi Mike,

    The numbers refer to the number of characters that follow. Nothing to do with security zones or anything magical 🙂

    Thanks

    -Dave Massy [MSFT]
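As an added example (not code from the post, the comments or Microsoft), a small Python helper that ties together the post's description of the mark and Dave's reply above about the number: it builds a MOTW comment with the count of the characters that follow, and audits HTML documents for the mark, reporting the declared origin and flagging comments whose count does not match. The sample documents are constructed for the example; zone assignment itself is left to IE.

```python
import re
from typing import Optional

# The mark is an HTML comment of the form  <!-- saved from url=(NNNN)URL -->
# where NNNN is the count of characters in URL (see Dave's reply in comment 41).
# The pattern is deliberately lenient on whitespace and case for auditing.
_MOTW_RE = re.compile(r"<!--\s*saved from url=\((\d{4})\)(.*?)\s*-->",
                      re.IGNORECASE | re.DOTALL)


def make_motw(origin: str = "about:internet") -> str:
    """Build a well-formed MOTW comment for the given origin URL.

    "about:internet" (14 characters) asks for Internet zone treatment without
    naming a particular site, which is the usual choice for local content.
    """
    return f"<!-- saved from url=({len(origin):04d}){origin} -->"


def parse_motw(html: str) -> Optional[dict]:
    """Return the declared origin and whether its length prefix is consistent,
    or None when the document carries no MOTW comment."""
    m = _MOTW_RE.search(html)
    if m is None:
        return None
    declared, url = int(m.group(1)), m.group(2)
    return {"url": url, "declared_len": declared,
            "actual_len": len(url), "consistent": declared == len(url)}


def audit_documents(docs: dict) -> list:
    """Summarise each document as (name, status) for a defender's inventory:
    'no-motw' (stays in the locked-down Local Machine Zone), 'ok:<url>'
    (well formed; IE decides the zone from the URL), or 'malformed:<url>'."""
    report = []
    for name, html in docs.items():
        info = parse_motw(html)
        if info is None:
            report.append((name, "no-motw"))
        elif info["consistent"]:
            report.append((name, "ok:" + info["url"]))
        else:
            report.append((name, "malformed:" + info["url"]))
    return report


# Constructed sample documents (not real files): the generic Internet-zone
# mark, a site-specific mark, a mark with a wrong count, and no mark at all.
SAMPLE_DOCS = {
    "help.html": "<html>" + make_motw() + "<body>help</body></html>",
    "local.html": "<html>" + make_motw("http://localhost/") + "<body/></html>",
    "broken.html": "<html><!-- saved from url=(0007)http://localhost/ --></html>",
    "plain.html": "<html><body>no mark</body></html>",
}

if __name__ == "__main__":
    for name, status in audit_documents(SAMPLE_DOCS):
        print(f"{name:12s} {status}")
```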

  42. Anonymous says:

    A new feature of Internet Explorer is the Local Machine lockdown that blocks by default the execution…