With every release of Windows, there are also a slew of new security features to fix the problems with the previous versions of Windows! That’s why User Account Control was included in Windows Vista and 7 to fix problems with Windows XP. Every release of Internet Explorer has had some kind of security update included with it. In IE 7, Protected Mode was introduced to prevent malicious code running in IE from modifying or accessing system settings or personal files. In IE 9, the SmartScreen Filter was introduced to prevent socially-engineered attacks. IE 10 is no different!
Enhanced Protected Mode is a new feature in Internet Explorer 10 that basically adds on more features to Protected Mode. Before we get into details, here’s a quick overview of the main additions included in Enhanced Protected Mode in IE 10:
– 64-bit processes – When EPM is enabled in IE 10, all processes will be running as 64-bit processes. There are some memory protection features in IE 10 that can utilize the larger 64-bit address space more effectively, thereby making the system more secure.
– Protecting personal information – With EPM, IE 10 is restricted from accessing personal information in locations like Documents, etc. For example, when you attach a file to an email in IE 10 with EPM enabled, IE will only be able to access the file temporarily when you click the Open button in the file upload dialog. That is not the case without EPM.
– Protecting Intranets – A few more changes in IE 10 now prevent IE tab processes from accessing domain credentials, prevent tabs from operating as local web servers and prevents tabs from connecting to intranet servers.
In Windows 8, there are two versions of Internet Explorer 10: Metro style IE and desktop IE. These are two completely different beasts! To get started, Metro IE always runs with Enhanced Protected Mode enabled. Desktop IE does not have EPM enabled by default. Why is this exactly? I explain below.
How Enhanced Protected Mode works in IE
In order to understand how EPM really works, you need to understand the architecture behind IE 10. IE 10 has what is called multi-process architecture. Basically, this means that there are tiers. The first tier of processes are the Frame or Manager processes. This is your IE 10 window. Within that window, you have tabs or content processes. Every single web page rendered in IE 10 is done so in one of the tab or content processes. In addition, all ActiveX controls and toolbars also run in tab or content processes.
In Windows 8 with both versions of IE, the frame or manager processes ALWAYS run as 64-bit processes. In the Metro version of IE 10, the content or tab processes also run as 64-bit processes. However, in the desktop version of IE 10, the content or tab processes run as 32-bit processes. Why is this you ask? Why does the desktop version of IE 10 have a manager process running in 64-bit, but the tabs all running in 32-bit?
This is because there are very few plugins or add-ons that support 64-bit at this time. This is why Metro IE does not support any plugins or toolbars whatsoever. If you want to install a toolbar or run a certain plugin, you’ll have to switch to the desktop version. Since all the tabs are running as 32-bit processes, everything is compatible and you can install add-ons and plugins without a problem.
If you enable Enhanced Protected mode in the desktop version of IE 10, all webpages that load in the Internet Zone or Restricted Zone will start using 64-bit processes. Note that the other zones will still use 64-bit processes, but they won’t have EPM enabled. In addition to the benefit of 64-bit processes, the second benefit to enabling EPM is that the tab or content processes are “sandboxed” in an AppContainer. What the heck is an AppContainer?
AppContainers in IE 10
Starting in Windows Vista, there was the addition of integrity levels assigned to processes (low, medium, high). The levels determined what parts of the system and registry the process could access. Even though an IE tab runs in a Low integrity level, it still had read access to the entire disk in previous versions of Windows and IE. With Windows 8 and AppContainer, IE is blocked from reading and writing to most of the system.
Note that the AppContainer is only a feature of Windows 8. That means when IE 10 comes out for Windows 7, it will only enable 64-bit tab processes to run if EPM is enabled. This also means that EPM does absolutely nothing on a Windows 7 32-bit system because a 32-bit system cannot support 64-bit tabs or AppContainer.
With Metro IE 10, all tabs run in 64-bit and with EPM enabled, meaning that they run inside AppContainer. For desktop IE 10, the tabs run in 32-bit low integrity mode by default and therefore do not run in AppContainer. To get the extra security, you have to enable EPM in desktop mode, which would switch the tabs to 64-bit processes and enable AppContainer.
Also, it’s worth noting that all Windows Store apps (Metro apps) run inside this AppContainer object.
Benefits of AppContainer
So what’s so great about the AppContainer? There are basically three key benefits to using AppContainer in IE 10:
1. Inbound Connections Blocked – The first network restriction is that an EPM tab cannot accept inbound network connections. Some add-ons have this ability to accept remote connections, which could allow someone to remotely connect and access your system. This is no longer possible with EPM.
2. Loopback Blocked – A tab running inside AppContainer cannot connect to a locally running service outside of their own container. This means that if you have a local IIS server running on your machine, you actually won’t be able to connect to it from inside a EPM tab. If you try to go to http://127.0.0.1 from an IE 10 tab with EPM enabled, you’ll get a This page can’t be displayed error.
Remember, though, that EPM only works on tabs that are in the Internet and Restricted Sites zones like I mentioned above. http://127.0.0.1 is considered an Internet zone URL and that’s why it’s blocked. However, if you were to type the hostname like http://localhost, it would be considered a Local Intranet Zone url and therefore not be blocked.
3. Intranet Resources Blocked – Lastly, this restrictions prevents Internet pages from accessing intranet resources, serving up images from intranet resources, etc. This feature adds so much security that you will actually be blocked from going to a router address like http://192.168.1.254 using an EPM tab. This is because browsers consider that address an Internet Zone address and EPM kicks in. You have to add the URL to your Trusted Sites zone (which does not have EPM enabled) and then you’ll be able to load it.
I tried this on my home computer and it was blocked, but got a message saying Private network access is off for this site. I was given the option to enable it and then I was able to view the URL:
It’s nice that you get this message with the option to enable rather than a Page cannot be displayed error. As you can see, enabling EPM really makes IE 10 a lot more secure. Obviously, you have to see your usage of add-ons to determine whether you can enable it for the desktop version of IE.
What’s nice about EPM is that even if you have it enabled on the desktop version of IE 10 and you run into a site that requires ActiveX control that is not EPM-compatible, you’ll be given the option to re-load the page in a special low integrity 32-bit tab instead of the normal 64-bit tab running in AppContainer. Any add-ons that are not EPM-compatible will be disabled.
Enabling Enhance Protected Mode in Desktop IE 10
Lastly, I just want to mention how you would actually turn on EPM in desktop IE 10 if you want to. Click on the gear icon at the top right, then Internet Options, Advanced tab and scroll down under Security.
That’s a lot of technical detail to handle, but hopefully it gives you an idea about what that setting really means. You’ll probably see a bunch of online guide showing you how to enable or disable Enhanced Protected Mode, but you should really also understand what it does and how it works in both version of IE in Windows 8. If you have any questions, feel free to post a comment. Enjoy!