Enhanced Protected Mode


Every release of Internet Explorer includes new security enhancements to help keep you safe as you browse the Internet. The new Enhanced Protected Mode in Internet Explorer 10 helps keep your data safe even if an attacker has exploited a vulnerability in the browser or one of its add-ons.

There is no single thing that can keep you secure by itself, so we pursue multiple strategies, including:

Protection from socially-engineered attacks

There are a variety of miscreants that want to steal your personal information or take over your computer by impersonating Web sites that you trust. SmartScreen Filter provides the best protection available against malware attacks and phishing. In Windows 8, this protection was added to the Windows Shell, to help keep you safe from malware no matter how it was downloaded.

Protection from attacks designed to exploit vulnerabilities in Web sites

“Good” Web sites can have security vulnerabilities that can allow evil Web sites to steal your data or perform actions as if they were you. We protect you with the XSS Filter, which automatically prevents certain types of attacks, and make it easier for Web sites to secure themselves with Declarative Security features, like IE10’s new support for the HTML5 Sandbox.

Protection against attacks designed to exploit the browser or operating system

Automatic updating ensures that you have the latest updates installed. This protects you against security issues that have been fixed. IE9 added memory protection features to make it harder to exploit certain types of vulnerabilities and we enhanced these features in IE10. We also added a new layer of protection in IE10 called Enhanced Protected Mode.

Enhanced Protected Mode

Protected Mode, which was added in IE7 for Windows Vista, is a defense-in-depth feature that helps prevent attackers from installing software or modifying system settings if they manage to run exploit code. It is an extra layer of protection that locks down parts of your system that your browser ordinarily doesn’t need to use. For example, your browser doesn’t usually need to modify system settings or write to your Documents folder. Protected Mode is based on the principle of least privilege: by reducing the capabilities that Internet Explorer has, the capabilities available to exploit code are reduced as well.

“Enhanced” Protected Mode takes this concept further by restricting additional capabilities. Below is a list of some of the new ways that Enhanced Protected Mode helps keep you safe:

64-bit processes

Most PCs shipped in the last few years have 64-bit CPUs, and many have a 64-bit version of Windows installed. “64-bit” is usually thought of as a way to extend the amount of memory that a program on your computer can use: because 64-bit processors use 64-bit memory addresses instead of 32-bit ones, a program can “address,” or use, more memory if it’s available.

A 32-bit number is large: it’s a little more than 4 billion. A 64-bit number is much larger: roughly 18 quintillion and change (18,446,744,073,709,551,616). Not only does a 64-bit address space let you address more memory, it also makes existing memory protection features such as ASLR (Address Space Layout Randomization) much more effective. Heap spray attacks, which attackers use to plant malicious code at predictable locations, become much more difficult because it isn’t practical to “fill up” a 64-bit address space: you’ll run out of memory and disk space long before any sizable fraction of the address space is sprayed.

Protecting your personal information

When you run a program, it has access to anything on the computer that you have access to, including your personal documents. Enhanced Protected Mode restricts Internet Explorer from locations that contain your personal information until you grant permission to it. This helps prevent exploit code from accessing your personal information without your permission.

For example, consider Web-based email. If you want to attach a file from your Documents folder to the email, then Internet Explorer needs permission to access the file and upload it to your email provider. With Enhanced Protected Mode, a “broker process” will grant Internet Explorer temporary access to the file only if you actually click on “Open” on the file upload dialog:

Screen shot showing attaching a file from your Documents folder to an email using a Web-based email application

Notice that there are no extra prompts. Brokering is done automatically after you choose to open a file. This is like providing a single safe deposit box to Internet Explorer when requested, instead of giving access to the entire safe all of the time.

Protecting your corporate assets

Most corporate networks, or “intranets,” contain valuable information that must be protected from attackers. Enhanced Protected Mode restricts an exploit’s ability to access corporate network resources in three ways. First, Internet tab processes, which are where untrusted Internet pages load, do not have access to a user’s domain credentials. Second, they cannot operate as local web servers, which makes it more difficult to impersonate an intranet site. Third, Internet tabs cannot make connections to intranet servers.
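The brokered file access described under “Protecting your personal information” and the intranet restrictions above, modelled as a small policy simulation. This is an added example, not Internet Explorer’s code: the `Broker` and `InternetTab` classes are hypothetical stand-ins for the real broker and tab processes, and the Documents folder and files are constructed in a temporary directory.

```python
import ipaddress
import os
import secrets
import tempfile

class AccessDenied(PermissionError):
    """Raised when the sandboxed tab asks for something the policy does not allow."""

class Broker:
    """Hypothetical stand-in for the broker process: runs outside the sandbox."""
    def __init__(self, documents):
        self.documents = os.path.realpath(documents)
        self._grants = {}  # single-use token -> the one file the user approved

    def user_clicks_open(self, filename):
        """The user picked `filename` in the upload dialog and clicked Open."""
        path = os.path.realpath(os.path.join(self.documents, filename))
        if os.path.commonpath([path, self.documents]) != self.documents:
            raise AccessDenied("file is outside Documents")
        token = secrets.token_hex(16)
        self._grants[token] = path
        return token

    def read_for_tab(self, token, requested):
        """Hand over exactly the approved file, once; the grant is consumed."""
        approved = self._grants.pop(token, None)
        if approved is None or os.path.realpath(requested) != approved:
            raise AccessDenied("no grant covers this file")
        with open(approved, "rb") as f:
            return f.read()

class InternetTab:
    """Hypothetical low-privilege process where untrusted Internet pages run."""
    def __init__(self, broker):
        self.broker = broker
    def read_file(self, path):
        raise AccessDenied("tab has no direct access to user files")
    def upload(self, token, path):
        return self.broker.read_for_tab(token, path)
    @staticmethod
    def can_connect(ip):
        """Intranet, loopback and link-local targets are blocked; public hosts are not."""
        a = ipaddress.ip_address(ip)
        return not (a.is_private or a.is_loopback or a.is_link_local)

def _attempt(fn):
    try:
        return fn()
    except AccessDenied:
        return "denied"

def demo():
    """Constructed scenario: one report inside Documents, a secret outside it."""
    root = tempfile.mkdtemp()
    docs = os.path.join(root, "Documents"); os.mkdir(docs)
    report, secret = os.path.join(docs, "report.docx"), os.path.join(root, "secret.txt")
    with open(report, "wb") as f: f.write(b"quarterly numbers")
    with open(secret, "wb") as f: f.write(b"do not upload")
    broker = Broker(docs); tab = InternetTab(broker)
    out = {"direct_read": _attempt(lambda: tab.read_file(report))}
    token = broker.user_clicks_open("report.docx")
    out["brokered_upload"] = _attempt(lambda: tab.upload(token, report))
    out["token_reuse"] = _attempt(lambda: tab.upload(token, report))
    token2 = broker.user_clicks_open("report.docx")
    out["swap_path"] = _attempt(lambda: tab.upload(token2, secret))  # exploit code tries another file
    out["escape_dialog"] = _attempt(lambda: broker.user_clicks_open("../secret.txt"))
    out["intranet"], out["internet"] = tab.can_connect("10.0.0.5"), tab.can_connect("93.184.216.34")
    return out
```

The point to take away is that each grant names one file and is consumed on use, so exploit code holding a token cannot redirect it to a different file or reuse it later.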

Default Settings and Compatibility

Metro style Internet Explorer always runs with Enhanced Protected Mode enabled; there isn’t anything that you need to configure, just browse. Because Metro style Internet Explorer offers plug-in free browsing, the compatibility impact of this security feature is minimal.

Many add-ons, such as Adobe Flash and certain toolbars are not yet compatible with Enhanced Protected Mode. Some Web sites still require Adobe Flash in order to work, and some users enjoy the additional functionality offered by some toolbars. In Windows 8 Beta, Enhanced Protected Mode can be enabled in the desktop under Internet Options->Advanced:

Screen shot of the Advanced tab of the Internet Options dialog showing the new “Enable Enhanced Protected Mode” option.

After you enable Enhanced Protected Mode, incompatible add-ons will automatically be disabled. If you encounter a site that needs an add-on such as Flash in order to work, you can disable Enhanced Protected Mode just for that particular Web site.

Notification message which reads “This webpage wants to run 'Adobe Flash Player 10.3 d162'. If you trust this site, you can disable Enhanced Protected Mode for this site to run the control.” The notification bar contains one button labeled “Disable”.

This allows you to continue using the site, and have Enhanced Protected Mode enabled on the rest of the Internet. Keep in mind that you should only do this if you know and trust the Web site.

Of course, if you prefer to browse without add-ons, you can always turn on ActiveX Filtering, which will prevent you from seeing this prompt.

Summary

Defense-in-depth is an area of continual investment for the Windows team. It’s a widely-applied principle in the real world as well. Safety deposit boxes have locks on them. But they are also kept inside of a locked room, inside of a bank, which is locked and is armed with an advanced security system. Enhanced Protected Mode is another layer of protection that helps protect your data from malicious attackers.

—Andy Zeigler, Senior Program Manager, Internet Explorer

Comments (38)

  1. Sam says:

    I see IE settings UI is still from IE3.

    Did MS make a commitment to update every part of the software but leave IE settings the same forever?

  2. Tom says:

    Detect and block 1 pixel images would go a long way towards safer browsing.  This needs to be a global filter in IE and not a site by site one.  

  3. Davin says:

    I think you meant to write "roughly 18 quintillion and change" not "roughly 18 pentillion and change".

  4. EricLaw [MSFT] says:

    @davin; yes, thank you.

    @tom: Blocking 1×1 images might improve privacy, but it wouldn't impact security. As a privacy measure, it's trivially circumvented, since a 2×2 image compresses just as well (and this is true for n×n as well). Tracking Protection lists provide a much more robust measure of privacy that isn't scoped to just images of a certain size.

    @sam: The IE settings UI has indeed remained the same for quite a long time. We find that most users rarely have the need to interact with the settings exposed within the Internet Options. It's not trivial to replace; most tech-savvy users who need to make changes here are familiar with the existing design, and there's a huge volume of documentation around it that will need to be updated when the UI is modernized.

  5. Viktor Krammer [Quero] says:

    Can you please provide some info on how to write an add-on for Enhanced Protected Mode? How can I mark an add-on to be EPM compatible?

    Are these operations still possible for add-ons under EPM?

    – Read/Write to Low Registry HKCU\Software\AppDataLow

    – Read IE Settings HKLM\SOFTWARE\Microsoft\Internet Explorer

    – Access to Internet Explorer and Windows APIs

    – Launching of a Broker process to perform elevated operations

  6. Viktor Krammer [Quero] says:

    @Tom: Blocking of third-party 1×1 pixel tracking is already possible with Tracking Protection Lists. Blocking first-party 1×1 pixel tracking by the same server or a subdomain of the site you are on is not possible because of a current TPL limitation / design decision. TPL would be much more flexible and powerful if they would also allow filtering of first-party content.

  7. Juankk says:

    IE protected mode must be called: "Better choose Chrome". As well as it is great from a "safety" point of view, the browser turns ugly and difficult to use. I'd be lying if I said this is a great job.

  8. sam says:

    will 64bit IE10 be the default browser in 64bit win8 or will it be the 32bit IE10?

  9. @sam – 64bit IE10 is default in Windows 8 Consumer Preview, so I see no reason why it'd be reverted back.

  10. Viktor Krammer [Quero] says:

    @sam: in the Consumer Preview IE10 Desktop runs in a mixed 32/64 bit mode: the chrome runs in 64-bit but the tabs run in 32-bit and there is no explicit option to turn the tabs into 64-bit mode like there was in the Developer Preview.

  11. Steve says:

    @aseymour – is that in Metro IE? or desktop IE?… historically IE's default has been the 32bit version because it was the version that supported plugins, and actually ran faster than the 64bit version.

    I could understand how the Metro IE (e.g. the tablet version of Windows) would run 64bit since it won't support plugins of any kind… but for the desktop, 64bit plugins are scarce… and generally highly unreliable (if even available!)… I would absolutely ***HATE*** it if IE10 defaulted to 64bit on Windows 8.

  12. Alan Burchill says:

    Will you be able to control the enhanced protected mode disable site list via group policy?

  13. MC says:

    Where do I find which sites are allowed to run plug-ins non-compatible with Enhanced Protected View so I can give my per-site permission back?

  14. EricLaw [MSFT] says:

    @Viktor: Developer documentation about Application Container and EPM-compatibility will be forthcoming. Yes, brokers are still supported and are now required to Read data from the system (IE7-9's Protected Mode only blocked/virtualized writes).

    @sam: In IE10, 64bit tabs can only be enabled by enabling EPM. IE10 in the Metro-style experience runs with EPM, which means 64bit tabs on compatible hardware/OS. In Desktop, EPM is off-by-default, which means that it will use 32bit tabs by default. It is correct to note that on a 64bit OS, the IE Frame (which does not load HTML or add-ons) will always be 64bit, in both Metro and Desktop.

  15. sam says:

    so 64bit IE10 will have 64bit browser and 32bit tabs? Will these mean you can use 32bit and 64bit plugins? Will we get the speed benefit of a 64bit browser by default or will we have to enable EPM for that?

    What exactly is the benefit of 64bit browser and 32bit tabs, just security? Maybe you could create a new blog post about the 64bit application and 32bit tabs and go into detail as I'm sure I'm not the only person who wants to know.

    Will the 64bit IE10 have a new javascript engine or will it be stuck with an older engine like in IE9?

    I would have had a try with 64bit plugins and trying EPM but seeing as though you haven't released any new builds for Win7 in over 6 months I can't try that as I don't want to have to download win8 to test a browser plus I don't have enough hdd space to mount a vm of it.

  16. Riasat says:

    I found this setting a few weeks ago. Lovin' it 🙂

    I agree with sam. A blog post about 32bit/64bit would be nice. Please provide comparison and pros/cons too.

  17. Hera says:

    I must apologize for this off-topic IE10 question,

    Although, both IE9 and IE10 are very fast rendering, neither browser remains responsive under stress.

    Why?

    For example,

    1) Scrolling down a loading page is not possible; scrolling commands (PGDOWN) will be registered after the page is loaded (massive delay between pressing a key and getting a reaction) and the CPU is free.

    2) A plugin, instead of just taking down a tab, makes the browser Chrome poorly responsive (bugged tab previews, no/delayed response to switching tabs) – forcing the user to wait for the plugin to become responsive again before interacting with other tabs. Chrome doesn't slow down from a tab doing something stupid.

    3) YouTube is generally laggy, not the video playback, but the interaction with the video controls and the page. Opera and Flash outperform you and so does Chrome.

    And another question,

    Has anyone noticed that YouTube doesn't show some videos in IE10 (Yes I am in the HTML5 "Trial")? (Video doesn't load (requires reloading the page without everything after the video ID in URL), Browser doesn't support video (a lie), etc)…

    Will YouTube fix its compatibility issues with IE10? I don't want to install Flash Player to view the other videos.

  18. Stilgar says:

    I don't know how this blog works but half of my comments posted via the latest version of IE are not published… for the last 5 years.

    I just wanted to ask how is it that IE has had tabs in different processes for years but still a tab can freeze the whole UI when it hangs? Are you going to fix this?

  19. xpclient says:

    And how to browse in pure 64-bit IE without using Enhanced Protected Mode? In Consumer Preview, unless Enhanced Protected Mode is enabled, 64-bit IE uses 32-bit tabs. So you have clubbed together two unrelated options unnecessarily (64-bit browsing and Enhanced Protected Mode sandboxing).

  20. Jason says:

    Without enabling by default this will never get used by the average user.

  21. sam says:

    @jason, yep, it needs to be fully 64bit by default. We also have java, silverlight and flash available in 64bit, those are by far the most popular plugins.

  22. hAl says:

    Will IE10 Metro Style still support anchors (#) in navigating to new urls?

    As this html feature was dropped in IE9 mobile (by design)

  23. Roland says:

    @sam: Many IE add-ons (not plug-ins like Silverlight) are not compatible with 64-bit IE, especially custom extensions in corporate environments. Thus, it makes sense to disable EPM by default.

  24. "If you encounter a site that needs an add-on such as Flash in order to work, you can disable Enhanced Protected Mode just for that particular Web site."

    For the non-computer literate, the dialog that is displayed may pose a potential security issue since many of them, when facing a question originating from the system, consider the answer to be within the buttons shown. By displaying only one option in the bar, you are likely to expect that many of them will click it without really understanding the potential adverse effects.

    I suggest you add a button that keeps the protection active. Furthermore, this action should be the default one.

  25. pmbAustin says:

    "I don't know how this blog works but half of my comments posted via the latest version of IE are not published… for the last 5 years."

    When you click "post", look for the green "your comment has been published" (or whatever) text upon refresh.  If the screen refreshes quickly, and you see no green box under the article (before the comments), then just scroll down to the bottom.  You'll see your comment text still typed in the "leave a comment" box, and you can just click "post" again.  It almost always publishes on the second attempt.

    I have no idea why a usability bug like this persists for so long.  It's the same on the "Windows 8" blog as well.

  26. pmbAustin says:

    I want to echo @TheCyberKnight's comments.  Seriously, I have this problem with most of the IE9/10 prompts.

    The buttons should give ALL the choices.  Especially in Win8/IE10, where trying to touch that little "x" to cancel/close will be difficult.

    The UI is frequently confusing even for computer literate… "What do I do if I DON'T want to disable?!?"… there should always be an option.  In this case "Disable" and "Do Not Disable" buttons.  Yes, the second button is equivalent to clicking the tiny little hard-to-see-or-notice "X" close, but come on.  Be user friendly and don't throw wrenches into the standard human mental reactions and responses to prompts like this.

    For the record, I also hate that these prompts cover up part of the page until dismissed (and some that I wish WOULD auto-dismiss never seem to, which is annoying too).  They should take up space on the bottom of the window and shrink the page space, so there is NO OVERLAP.

    This is ESPECIALLY necessary on IE10 Metro!  The "Find on page" pops up a little band OVER THE PAGE.  The problem is, I've encountered a dozen times where the thing I'm searching for is at the bottom of the page, which is HIDDEN by this over-lay, so I cannot see that it's found, or the context it's in, without completely dismissing the find area… which of course, eliminates the "find" highlight.  This is a usability nightmare.

  27. Stilgar says:

    @pmbAustin yeah I figured this out but I don't understand what is so hard about making simple comment from a textbox work.

  28. sam says:

    @roland surely businesses will have at least 1 knowledgeable person that could disable 64bit mode. Seems a waste to inflict 32bit on millions just because say 0.1% of users have to click disable 64bit.

  29. e2420 says:

    IE keeps you safe?  Pull the other one, it rings a bell.

  30. Hera says:

    I want to agree that the prompt is the worst idea ever.

    On IE9, I have Adobe Flash installed. Why? Because YOU nagged me enough to enable it.

    On every page, the prompt showed up to download the Flash Plugin.

    So, if this prompt will be anything like the nagging prompts in IE10/IE9 for installing Adobe Flash, it will not work.

    Nagging a user to death to enable Adobe Flash *le shock* makes them enable Adobe Flash.

  31. thenonhacker says:

    @EricLaw [MSFT]: Come on, Microsoft Office 2007 Team revamped their settings screen, and a lot of options became easier to search.

    I believe IE Team can do the same thing! Make the settings screen consistent with Windows 7 Control Panel windows. Be consistent with Network and Sharing Center, and keep the current Internet Options dialog as "Advanced Settings"

  32. Jenn says:

    Watching users get stuck trying to use Windows 8 on the desktop… Merging Aero and Metro into a common interface for BOTH platforms (touch and desktop) is an UTTER FAILURE!

    http://www.youtube.com/watch

    Just one of many videos showing how Windows 8 will fail.

  33. Tom says:

    IE should let us block CSS, scripts, flash and html includes from domains other than the URL being accessed on a domain by domain basis.   Developer mode in IE 9 HTTP request trace has well tuned sites like http://www.microsoft.com needing 96 different HTTP requests.  Less well tuned sites require much more and are considerably slower to load.   A nice to have in IE would be a 'disable images/enable images' toggle button as well as a 'show images for this site' button.

  34. NP says:

    I do not have Java installed on my system. Every time I visit a website that needs Java I get a modal dialog from IE 9 telling me to install it. First of all a modal dialog is very bad design and it interrupts my work. Most importantly though this modal dialog keeps appearing and re-appearing if the site continues trying to load Java. So, a site that continuously tries to load Java triggers this annoying modal dialog over and over. It is like a denial of service attack. Please improve this experience.

  35. EricLaw [MSFT] says:

    @NP: Are you talking about IE9 or IE10 with EPM enabled? In IE9, simply click the "Do not show me this message again" checkbox. If you're talking about IE10 with EPM enabled, the checkbox does not work properly, a bug that will be fixed in a future update. Thanks.

  36. Edna Beard says:

    No comment at this time.  I am new and just getting started.

  37. Not a f*ck given for enterprise users says:

    This broke a lot of functionality for us.

    I wish they would leave IE settings alone and/or make it easier to use for enterprise users.

    IE10 removed 'Internet explorer maintenance' making all of your trusted/intranet sites break.

    IE11 EPM breaks most plugins EVEN AV PLUGINS which actually puts users at risk much more, and the official fix? "oh just disable Enhanced Protection Mode." No wonder (google)chrome is destroying (microsoft)internet explorer.