Adding Sites to the Enhanced Security Configuration Zones

Published: 2014-10-25 2:23:45
Source: 分享查询网

If your Microsoft Windows Server 2003 application interacts with Web-based content through Windows Internet Explorer, you might need to place the Web site in a different security zone. By default, in Windows Server 2003, all Web sites are in the Internet zone. This topic describes how to add sites to security zones in the enhanced security configuration.

Adding Sites Programmatically
Adding Sites with a Registry Merge
Instructing Users to Add Sites

Adding Sites Programmatically

One way to add sites to the Intranet or Trusted sites zone is to call the IInternetSecurityManager::SetZoneMapping method exposed by the URL Moniker APIs. This enables you to add sites to a security zone either at install time or at run time.

Begin by selecting the security zone that provides the maximum security while still allowing the features required by your application. For a detailed explanation of the security zones and other Internet Explorer settings under the enhanced security configuration, see Enhanced Security Configuration for Internet Explorer.

Security Alert: Adding arbitrary Web sites to the Intranet zone can compromise the security of the server. The Medium-low security template allows NTLM credentials to be sent to sites that request them. Only known sites should be added to the Intranet zone, to prevent disclosure of this sensitive data. You should review Security Considerations: URL Security Zones API before continuing.

Add a Web site to the selected zone by creating an instance of the security manager object and calling IInternetSecurityManager::SetZoneMapping. Combine the URLZONE_ESC_FLAG flag with the flag specifying the security zone, using a bitwise OR operator. Mappings created without the URLZONE_ESC_FLAG flag are not used in the enhanced security configuration.

Security Alert: Adding Web sites to a security zone without using the URLZONE_ESC_FLAG flag can compromise the security of the computer. The URLZONE_ESC_FLAG flag specifies that a URL is mapped to a copy of the specified security zone. Under the enhanced security configuration, this copy is used instead of the original security zone, and any Web sites added without the URLZONE_ESC_FLAG flag are ignored. Earlier versions of Windows, however, use the original security zones with less restrictive security templates. If your installation script adds Web sites to the original security zones and is run on an earlier version of Windows, your application makes the computer more susceptible to attack. You should review Security Considerations: URL Security Zones API before continuing.

The following sample shows how to add the URL "http://msdn.microsoft.com" to the Trusted sites zone.

#include <windows.h>
#include <urlmon.h>   // IInternetSecurityManager, URLZONE_* and SZM_* constants; link with urlmon.lib and ole32.lib

IInternetSecurityManager *pSecurityManager = NULL;
HRESULT hResult = S_OK;

::CoInitialize(NULL);
hResult = CoCreateInstance(CLSID_InternetSecurityManager,
                           NULL,
                           CLSCTX_INPROC_SERVER,
                           IID_IInternetSecurityManager,
                           (void **)&pSecurityManager);
if (SUCCEEDED(hResult))
{
    // URLZONE_ESC_FLAG selects the enhanced security configuration copy of the zone;
    // a mapping made without it is ignored while the enhanced security configuration is enabled.
    // At uninstall time, call SetZoneMapping with the same arguments and SZM_DELETE to remove the mapping.
    hResult = pSecurityManager->SetZoneMapping(URLZONE_ESC_FLAG | URLZONE_TRUSTED,
                                               L"http://msdn.microsoft.com",
                                               SZM_CREATE);
    pSecurityManager->Release();
}
::CoUninitialize();

If a Web site is open prior to adding it to the Trusted sites or Intranet zone, the user must restart Internet Explorer for these changes to take effect. If zones are mapped as part of an installation, you should delete your zone mappings as part of the uninstallation procedure when the user uninstalls your application.

Adding Sites with a Registry Merge

Web sites can be added to the Intranet or Trusted sites zone by directly modifying the registry. The key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains contains the zone mappings under the enhanced security configuration. Each registry key below this key in the registry hierarchy is a Web site domain. Each of these keys has values which indicate the allowed protocol and the zone to which that protocol belongs for the domain. A value of 0x001 indicates the Intranet zone and a value of 0x002 indicates the Trusted sites zone.

The following sample shows the entries in a .reg file that are used to add the URL "http://www.msdn.microsoft.com" to the Trusted sites zone. (The version header on the first line is required for regedit to merge the file.)

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\microsoft.com]
@=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\microsoft.com\www.msdn]
"http"=dword:00000002

The following sample shows the entries in a .reg file that are used to add the URL "http://widgets" to the Intranet zone. Because the target is the Intranet zone, the value is 0x001.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\widgets]
"http"=dword:00000001

If a Web site was open prior to adding it to the Trusted sites or Intranet zone, the user must restart Internet Explorer for these changes to take effect.

Instructing Users to Add Sites

If your Web-based application receives a User-Agent request header which includes the string "Windows NT 5.2", this indicates that the request was made from a computer running Windows Server 2003. If this occurs, any HTML sent to the client should include a NOSCRIPT element with instructions describing how to add your application to the Trusted sites zone. Because the enhanced security configuration disables scripting for sites in the Internet zone, these instructions are displayed only while the site is still blocked by the enhanced security configuration; once the user has added the site to the Trusted sites zone, script runs and the NOSCRIPT content is not shown. The following sample shows how to use the NOSCRIPT element.

<NOSCRIPT>
<P>Script, ActiveX Controls, and file downloads are not available for Internet sites under the enhanced security configuration. Add this URL to the Trusted sites zone to continue.</P>
</NOSCRIPT>

Community comments

Registry Merge sample code wrong?
neanderthal ... Thomas Lee | Careful, the Registry Merge sample code to add the URL "http://widgets" to the Intranet zone looks wrong to me. Shouldn't it be more like:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\widgets]
"http"=dword:00000001

Registry example is incorrect

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\microsoft.com]
@=""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\microsoft.com\www.msdn]
"http"=dword:00000002

These registry keys will not work. It should be:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoft.com]
@=""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoft.com\www.msdn]
"http"=dword:00000002

Reference URL: http://msdn.microsoft.com./en-us/library/ms537181(VS.85).aspx
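The following Python script is an added example, not part of the original article or of the comments above. It builds the .reg entries described in the "Adding Sites with a Registry Merge" section for any http, https or ftp URL: the host is split into the domain key (its last two labels) and an optional nested host subkey (the remaining labels), the scheme becomes the value name, and the zone number is 1 for Intranet or 2 for Trusted sites, as the article documents. The `esc` switch chooses between the EscDomains key, which is the copy of the zones that the enhanced security configuration consults (the registry equivalent of URLZONE_ESC_FLAG), and the Domains key used by the standard zones, which the enhanced security configuration ignores. The function names, the restriction to http/https/ftp, and the sample URLs are assumptions of this example.

```python
from urllib.parse import urlsplit

# Root of the zone-mapping keys, as given in the article.
ZONEMAP = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"

# Zone numbers as documented: 0x1 = Local intranet, 0x2 = Trusted sites.
ZONE_VALUES = {"intranet": 1, "trusted": 2}

# Schemes handled by this example (assumption: the value name is the URL scheme).
SCHEMES = ("http", "https", "ftp")


def split_host(host):
    """Split a host into (domain_key, host_subkey) following the ZoneMap layout.

    The last two labels form the domain key (e.g. 'microsoft.com'); any remaining
    labels form a nested subkey (e.g. 'www.msdn'). A host with one or two labels,
    such as 'widgets', has no subkey. Wildcards are rejected so that only a
    specific, known host is ever mapped, as the article's security alert advises.
    """
    host = host.lower().strip(".")
    labels = host.split(".")
    if "*" in host or any(not label for label in labels):
        raise ValueError("unsupported host: %r" % host)
    if len(labels) <= 2:
        return ".".join(labels), None
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def reg_entries(url, zone, esc=True):
    """Return the .reg body lines that map `url` to `zone` ('intranet' or 'trusted').

    esc=True  writes under EscDomains (used by the enhanced security configuration).
    esc=False writes under Domains (the standard zones; ignored under the
              enhanced security configuration, which the article warns about).
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in SCHEMES or not parts.hostname:
        raise ValueError("expected an http/https/ftp URL with a host: %r" % url)
    if zone not in ZONE_VALUES:
        raise ValueError("zone must be one of: %s" % ", ".join(ZONE_VALUES))

    root = ZONEMAP + ("\\EscDomains" if esc else "\\Domains")
    domain, sub = split_host(parts.hostname)
    value = '"%s"=dword:%08x' % (scheme, ZONE_VALUES[zone])

    if sub is None:
        # Single- or two-label host: the value sits directly on the domain key.
        return ["[%s\\%s]" % (root, domain), value]
    # Multi-label host: create the domain key (empty default value), then the
    # host subkey that carries the scheme value, mirroring the article's sample.
    return [
        "[%s\\%s]" % (root, domain),
        '@=""',
        "",
        "[%s\\%s\\%s]" % (root, domain, sub),
        value,
    ]


def reg_file(mappings, esc=True):
    """Build a complete .reg file: the version header plus one section per (url, zone)."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for url, zone in mappings:
        out += reg_entries(url, zone, esc) + [""]
    return "\r\n".join(out)


if __name__ == "__main__":
    # Constructed sample input: the two URLs from the article.
    print(reg_file([("http://www.msdn.microsoft.com", "trusted"),
                    ("http://widgets", "intranet")]))
```

Redirect the output to a file and merge it with regedit, or compare it against the EscDomains key after your installer runs to confirm the mapping landed in the enhanced security configuration copy of the zone rather than in the standard Domains key.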
