United States Patent 6,473,800
Jerger et al., October 29, 2002

Title

Declarative permission requests in a computer system

Abstract

Computer-based systems and methods are disclosed for a comprehensive security model for managing active content downloaded from a computer network. The security model includes the configuration of a system security policy that is stored on a host computer. The system security policy is configured by security zone in progressively "finer grain" levels, with each level associated with and defining the previous level. These levels may include: protected operations; user permission sets; permissions; parameters; and primitives. In the disclosed methods and systems, a publisher of active content specifies a requested permission set that includes a list of the permissions (defined by parameters, which are in turn defined by primitives) that the active content requires in order to run on the host system. The requested permission set is external to the active content, so it is not necessary to run the active content in order to discover the permissions that the active content requires in order to run. The requested permission set may be included in a signed code package in which the identity of the active content publisher is guaranteed. A digital signature of the signed code package also guarantees that the contents of the signed code package, including the active content, support files, and the requested permission set, have not been altered or otherwise corrupted since the signed code package was published. The requested permission set may also be included in a catalog file that can be downloaded separately from the active content.


Inventors: Jerger, Michael S. (Kirkland, WA); Bisset, Jeffrey A. (Issaquah, WA); Sinclair, Craig T. (Redmond, WA); Toutonghi, Michael J. (Seattle, WA)
Assignee: Microsoft Corporation (Redmond, WA)
Appl. No.: 116551
Filed: July 15, 1998

Current U.S. Class: 709/226; 726/14; 726/27; 709/224
Current International Class: G06F 21/00 (20060101)
Field of Search: 709/217, 224, 229, 221, 245, 232; 713/201; 707/9

U.S. Patent Documents
5,678,041  October 1997   Baker et al.
5,684,951  November 1997  Goldman et al.
5,796,942  August 1998    Esbensen
5,828,893  October 1998   Wied et al.
5,835,726  November 1998  Shwed
5,919,247  July 1999      Van Hoff
5,930,792  July 1999      Polcyn
5,940,843  August 1999    Zuchnovich et al.
5,958,051  September 1999 Renaud et al.
5,958,055  September 1999 Thorne et al.
5,963,142  October 1999   Zinsky et al.
5,987,611  November 1999  Freund
5,991,878  November 1999  McDonough et al.
Other References
Bellovin et al., Network Firewalls, IEEE, Sep. 1994, pp. 50-57.
Primary Examiner: Sheikh, Ayaz
Assistant Examiner: Dink, Khanh Quang
Attorney, Agent or Firm: Christensen O'Connor Johnson Kindness PLLC

Claims


The embodiments of the invention in which an exclusive property or privilege is claimed are defined as follows:
1. A computer-implemented method for providing security on a host computer by selectively restricting the access of computer-executable instructions to system operations provided by the host computer, the method comprising: defining a security zone corresponding to a set of data sources; associating a security policy with the security zone, the security policy including a host permission set created by a user of the host computer that defines a set of permissions that restrict access to the system operations provided by the host computer by computer-executable instructions to be retrieved from said set of data sources; accessing a data source; determining if the accessed data source is one of said set of data sources; if the accessed data source is one of said set of data sources and if data to be retrieved by the host computer from said accessed data source contains computer-executable instructions, obtaining a requested permission set associated with the computer-executable instructions contained in the data retrieved from the accessed data source, the requested permission set asserting a set of permissions that are requested by the computer-executable instructions for access to the system operations provided by the host computer; and restricting the access of the computer-executable instructions to the system operations provided by the host computer based on a comparison of the requested permission set to the host permission set.

2. The method of claim 1, further comprising: determining if the computer-executable instructions bear a recognized digital signature; and restricting the access of the computer-executable instructions to the system operations provided by the host computer based on a comparison of the requested permission set to the host permission set if it is determined that the computer-executable instructions bear a recognized digital signature.

3. The method of claim 1, further comprising granting a default set of permissions included in an unsigned permission set if it is determined that the computer-executable instructions do not bear a recognized digital signature.

4. The method of claim 2, wherein there are a plurality of host permission sets each including a trusted signed permission set and an untrusted signed permission set, the method further comprising: restricting the access of the computer-executable instructions to the system operations provided by the host computer based on a comparison of the requested permission set to the trusted signed permission set if it is determined that the computer-executable instructions bear a recognized digital signature from a trusted publisher; and restricting the access of the computer-executable instructions to the system operations provided by the host computer based on a comparison of the requested permission set to the untrusted signed permission set if it is determined that the computer-executable instructions bear a recognized digital signature from an untrusted publisher.

5. The method of claim 4, further comprising granting the computer-executable instructions restricted access to the system operations provided by the host computer as specified in the requested permission set if the requested permission set is compared to the trusted signed permission set and is a subset of the trusted signed permission set.

6. The method of claim 5, further comprising associating a granted permission with the computer-executable instructions for each permission in the requested permission set such that once the granted permission is associated with the computer-executable instructions, the computer-executable instructions may access the system operation without the need to again compare the requested permission set to the host permission set.

7. The method of claim 6, further comprising persisting the granted permission with the computer-executable instructions.

8. The method of claim 4, further comprising: (a) determining a configuration of the untrusted signed permission set; (i) if the untrusted signed permission set has been configured as a denied permission set, denying the computer-executable instructions restricted access to the system operations as specified in the requested permission set if the requested permission set intersects with the untrusted signed permission set; (ii) if the untrusted signed permission set has been configured as a query permission set, presenting a query dialog and receiving a response from the query dialog if the requested permission set is a subset of the untrusted signed permission set; (1) if the response from the query dialog is to grant the requested permission set, granting the computer-executable instructions restricted access to the system operations as specified in the requested permission set; and (2) if the response from the query dialog is to deny the requested permission set, denying the computer-executable instructions restricted access to the system operations as specified in the requested permission set.

9. The method of claim 8, further comprising associating a granted permission with the computer-executable instructions for each permission in the requested permission set such that once the granted permission is associated with the computer-executable instructions, the computer-executable instructions may access the system operation without the need to again compare the requested permission set to the host permission set.

10. The method of claim 9, further comprising persisting the granted permission with the computer-executable instructions.

11. The method of claim 8, further comprising not permitting the computer-executable instructions to run on the host computer if the requested permission set intersects with the denied permission set.

12. The method of claim 11, further comprising: retrieving a hash value from the recognized digital signature representing the computer-executable instructions at the time that the computer-executable instructions were digitally signed; computing a new hash value for the computer-executable instructions as retrieved from a data source by the host computer; and denying the computer-executable instructions restricted access to the system operations as specified in the requested permission set if the hash value retrieved from the recognized digital signature does not match the new hash value for the computer-executable instructions as retrieved from a data source by the host computer.

13. The method of claim 12, wherein the hash value retrieved from the digital signature, representing the computer-executable instructions at the time that the computer-executable instructions were digitally signed, and the new hash value for the computer-executable instructions as retrieved from the computer network to the host computer both include the requested permission set.

14. The method of claim 1, wherein the requested permission set is externally attached to the computer-executable instructions so that the computer-executable instructions do not have to be run on the host computer in order to be compared to the host permission set on the host computer.

15. The method of claim 14, wherein the requested permission set is retrieved separately from the computer-executable instructions.

16. The method of claim 15, wherein the requested permission set is included in a catalog file.

17. The method of claim 1, wherein the network address from which the computer-executable instructions originate is assured by using a secure server connection.

18. The method of claim 2, further comprising: retrieving a hash value from the digital signature representing the computer-executable instructions at the time that the computer-executable instructions were digitally signed; computing a new hash value for the computer-executable instructions as retrieved from a data source by the host computer; and denying the computer-executable instructions restricted access to the system operations as specified in the requested permission set if the hash value retrieved from the recognized digital signature does not match the new hash value for the computer-executable instructions as retrieved from a data source by the host computer.

19. A computer-readable medium having computer-executable instructions for performing a method to protect a host computer against unauthorized access by an object class to system operations provided by the host computer, comprising: configuring a security policy for a security zone, the security zone corresponding to a set of data sources, the security policy including a host permission set created by the user of the host computer that defines a set of permissions that restrict access to the system operations provided by the host computer by object classes received from said set of data sources; accessing a data source; determining if the accessed data source is one of said set of data sources; if the accessed data source is one of said set of data sources and if an object class is to be retrieved by the host computer from the accessed data source, retrieving a requested permission set for the object class to be retrieved, the requested permission set specifying a set of permissions to access the system operations provided by the host computer that the object class requires in order to run on the host computer; and comparing the requested permission set to the host permission set included in the security policy for the security zone to determine the restrictions that will be imposed on the object class if the object class is retrieved by and run on the host computer and seeks access to the system operations provided by the host computer.

20. The computer-readable medium of claim 19, further comprising granting a default set of permissions included in an unsigned permission set included in the security policy for the security zone if the object class is not digitally signed.

21. The computer-readable medium of claim 19, wherein if the object class was digitally signed by a trusted publisher, comparing the requested permission set to a trusted signed permission set included in the security policy and granting permissions to access system resources on the host computer if the requested permission set is a subset of the trusted signed permission set.

22. The computer-readable medium of claim 21, further comprising storing the granted permissions to access system operations on the host computer with the object class so that the object class does not have to request that permissions to access system operations on the host computer be granted a second time.

23. The computer-readable medium of claim 19, wherein if the object class was digitally signed by an untrusted publisher: (a) denying the permissions requested by the object class in the requested permission set and not allowing the object class to run on the host computer if the object class was digitally signed by an untrusted publisher and the untrusted signed permission set is configured to deny permissions in the untrusted signed permission set when any permission in the requested permission set intersects with a corresponding permission in the untrusted signed permission set; (b) querying for a query response regarding the permissions requested by the object class in the requested permission set if the object class was digitally signed by an untrusted publisher and the untrusted signed permission set has been configured to query when the requested permission set is a subset of the untrusted signed permission set; (i) granting the requested permission set if approved in the query response; and (ii) denying the requested permission set if not approved in the query response.

24. The computer-readable medium of claim 23, further comprising storing the granted permissions to access system operations on the host computer with the object class so that the object class does not have to request that permissions to access system operations on the host computer be granted a second time.

25. The computer-readable medium of claim 23, further comprising: retrieving a hash value from a recognized digital signature that represents the object class at the time that the object class was digitally signed; computing a new hash value for the object class as retrieved from the accessed data source by the host computer; and denying the object class restricted access to the system operations as specified in the requested permission set if the hash value retrieved from the recognized digital signature does not match the new hash value for the object class as retrieved from the accessed data source by the host computer.

26. The computer-readable medium of claim 25, wherein the hash value representing the object class at the time that the object class was digitally signed and the new hash value for the object class as retrieved from the accessed data source by the host computer includes a representation of the requested permission set.

27. The computer-readable medium of claim 19, wherein the requested permission set is externally attached to the object class so that the object class does not have to be run on the host computer in order to be compared to the host permission set.

28. The computer-readable medium of claim 27, further comprising granting a default set of permissions included in an unsigned permission set included in the security policy for the security zone if the object class is not digitally signed.

29. The computer-readable medium of claim 27, wherein if the object class was digitally signed by a trusted publisher, comparing the requested permission set to a trusted signed permission set and granting permissions to access system operations on the host computer if the requested permission set is a subset of the trusted signed permission set.

30. The computer-readable medium of claim 29, storing the granted permissions to access system operations on the host computer with the object class so that the object class does not have to request that permissions to access system operations on the host computer be granted a second time.

31. The computer-readable medium of claim 27, wherein if the object class was digitally signed by an untrusted publisher: (a) denying the permissions requested by the object class in the requested permission set and not allowing the object class to run on the host computer when any permission in the requested permission set intersects with a corresponding permission in the untrusted signed permission set if: (i) the object class was digitally signed by an untrusted publisher; (ii) the untrusted signed permission set is configured to deny permissions in the untrusted signed permission set; (b) querying for a query response regarding the permissions requested by the object class in the requested permission set if the object class was digitally signed by an untrusted publisher and the untrusted signed permission set has been configured to query when the requested permission set is a subset of the untrusted signed permission set; (i) granting the requested permission set if approved in the query response; and (ii) denying the requested permission set if not approved in the query response.

32. The computer-readable medium of claim 31, further comprising storing the granted permissions to access system operations on the host computer with the object class so that the object class does not have to request that permissions to access system operations on the host computer be granted a second time.

33. The computer-readable medium of claim 31, further comprising: retrieving a hash value from the recognized digital signature that represents the object class at the time that the object class was digitally signed; computing a new hash value for the object class as retrieved from the accessed data source by the host computer; and denying the object class restricted access to the system operations as specified in the requested permission set if the hash value retrieved from the recognized digital signature does not match the new hash value for the object class as retrieved from the accessed data source by the host computer.

34. The computer-readable medium of claim 33, wherein the hash value representing the object class at the time that the object class was digitally signed and the new hash value for the object class as retrieved from the accessed data source by the host computer both include the requested permission set.

35. A computer-implemented method for providing security on a host computer by selectively restricting the access of computer-executable instructions to system operations provided by the host computer, the method comprising: providing a security policy that includes at least one host permission set that defines the access of computer-executable instructions to the system operations provided by the host computer; obtaining a requested permission set associated with the actual computer-executable instructions that specify the access to the system operations provided by the host computer that the computer-executable instructions request; and restricting the access of the computer-executable instructions to the system operations provided by the host computer based on a comparison of the requested permission set to the at least one host permission set.

36. The method of claim 35, wherein the security policy includes a granted permission set, the method further comprising granting the computer-executable instructions restricted access to the system operations as specified in the requested permission set if the requested permission set is a subset of the granted permission set.

37. The method of claim 36, wherein a security zone corresponding to a set of locations on a computer network is associated with the security policy and the granted permission set is compared to the requested permission set associated with the computer-executable instructions that originate from a location on the computer network that is associated with the security zone.

38. The method of claim 36, further comprising associating a granted permission with the computer-executable instructions for each permission in the requested permission set such that once the granted permission is associated with the computer-executable instructions, the computer-executable instructions may access the system operation without the need to again compare the requested permission set to the host permission set.

39. The method of claim 38, further comprising persisting the granted permission with the computer-executable instructions.

40. The method of claim 35, wherein the security policy includes a denied permission set, the method further comprising denying the computer-executable instructions restricted access to the system operations as specified in the requested permission set if the requested permission set intersects with the denied permission set.

41. The method of claim 40, wherein a security zone corresponding to a set of data sources is associated with the security policy and the denied permission set is compared to the requested permission set associated with the computer-executable instructions that originate from a data source that is associated with a security zone.

42. The method of claim 40, further comprising not permitting the computer-executable instructions to run on the host computer if the requested permission set intersects with the denied permission set.

43. The method of claim 35, wherein the security policy includes a query permission set, the method further comprising: (a) presenting a query dialog to a user if the requested permission set is a subset of the query permission set; (b) receiving a response from the query dialog; (i) if the response from the query dialog is to grant the requested permission set, granting the computer-executable instructions restricted access to the system operations as specified in the requested permission set; and (ii) if the response from the query dialog is to deny the requested permission set, denying the computer-executable instructions restricted access to the system operations as specified in the requested permission set.

44. The method of claim 43, wherein a security zone corresponding to a set of data sources is associated with the security policy and the denied permission set is compared to the requested permission set associated with the computer-executable instructions that originate from a data source that is associated with a security zone.

45. The method of claim 43, further comprising associating a granted permission with the computer-executable instructions for each permission in the requested permission set such that once the granted permission is associated with the computer-executable instructions, the computer-executable instructions may access the system operation without the need to again compare the requested permission set to the host permission set.

46. The method of claim 45, further comprising persisting the granted permission with the computer-executable instructions.

47. The method of claim 43, wherein the security policy includes a denied permission set, the method further comprising comparing the requested permission set to the query permission set when the requested permission set does not intersect the denied permission set.

48. The method of claim 47, further comprising not permitting the computer-executable instructions to run on the host computer if the requested permission set intersects with the denied permission set.

49. A computer-implemented method for providing security on a host computer by selectively restricting the access of computer-executable instructions to system operations provided by the host computer, the method comprising: providing a security policy that includes at least one host permission set that defines the access of computer-executable instructions to the system operations provided by the host computer; determining if the computer-executable instructions bear a recognized digital signature; obtaining a requested permission set associated with the computer-executable instructions, the requested permission set asserting a set of permissions requested by the computer-executable instructions; and restricting the access of the computer-executable instructions to the system operations provided by the host computer based on a comparison of the requested permission set to the host permission set if it is determined that the computer-executable instructions bear a recognized digital signature.

50. The method of claim 49, further comprising granting a default set of permissions included in an unsigned permission set if it is determined that the computer-executable instructions do not bear a recognized digital signature.

51. The method of claim 49, wherein there are a plurality of host permission sets including a trusted signed permission set and an untrusted signed permission set, the method further comprising: restricting the access of the computer-executable instructions to the system operations provided by the host computer based on a comparison of the requested permission set to the trusted signed permission set if the computer-executable instructions bear a recognized digital signature from a trusted publisher; and restricting the access of the computer-executable instructions to the system operations provided by the host computer based on a comparison of the requested permission set to the untrusted signed permission set if the computer-executable instructions bear a recognized digital signature from an untrusted publisher.

52. The method of claim 51, further comprising granting the computer-executable instructions restricted access to the system operations provided by the host computer as specified in the requested permission set if the requested permission set is compared to the trusted signed permission set and is a subset of the trusted signed permission set.

53. The method of claim 52, wherein a security zone corresponding to a set of data sources is associated with the security policy and the trusted signed permission set is compared to the requested permission set associated with the computer-executable instructions that originate from a data source that is associated with a security zone.

54. The method of claim 52, further comprising associating a granted permission with the computer-executable instructions for each permission in the requested permission set to access a system operation such that once the granted permission is associated with the computer-executable instructions, the computer-executable instructions may access the system operation without the need to again compare the requested permission set to the host permission set.

55. The method of claim 54, further comprising persisting the granted permission with the computer-executable instructions.

56. The method of claim 51, further comprising: (a) determining a configuration of the untrusted signed permission set; (i) denying the computer-executable instructions restricted access to the system operations as specified in the requested permission set if the untrusted signed permission set has been configured as a denied permission set and if the requested permission set intersects with the untrusted signed permission set; (ii) presenting a query dialog to a user if the untrusted signed permission set has been configured as a query permission set and if the requested permission set is a subset of the untrusted signed permission set; (iii) receiving a response from the query dialog, (1) if the response from the query dialog is to grant the requested permission set, granting the computer-executable instructions restricted access to the system operations as specified in the requested permission set; and (2) if the response from the query dialog is to deny the requested permission set, denying the computer-executable instructions restricted access to the system operations as specified in the requested permission set.

57. The method of claim 56, wherein a security zone corresponding to a set of data sources is associated with the security policy and the untrusted signed permission set is compared to the requested permission set associated with the computer-executable instructions that originate from a data source that is associated with a security zone.

58. The method of claim 56, further comprising associating a granted permission with the computer-executable instructions for each permission in the requested permission set such that once the granted permission is associated with the computer-executable instructions, the computer-executable instructions may access the system resource without the need to again compare the requested permission set to the host permission set.

59. The method of claim 58, further comprising persisting the granted permission with the computer-executable instructions.

60. The method of claim 59, further comprising not permitting the computer-executable instructions to run on the host computer if the requested permission set intersects with the denied permission set.

61. The method of claim 49, further comprising: retrieving a hash value from the recognized digital signature representing the computer-executable instructions at the time that the computer-executable instructions were digitally signed; computing a new hash value for the computer-executable instructions as retrieved from a data source by the host computer; and denying the computer-executable instructions access to the system operations as specified in the requested permission set if the hash value retrieved from the recognized digital signature does not match the new hash value for the computer-executable instructions as retrieved from a data source by the host computer.

62. The method of claim 49, wherein the requested permission set is externally attached to the computer-executable instructions so that the computer-executable instructions do not have to be run on the host computer in order to be compared to the host permission set.

63. The method of claim 49, wherein the requested permission set is retrieved separately from the computer-executable instructions.

64. The method of claim 63, wherein the requested permission set is included in a catalog file.

65. The method of claim 49, wherein the network address from which the computer-executable instructions originate is authenticated by using a secure server connection.
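The decision procedure spelled out across claims 1 through 18 (zone lookup, unsigned default set, trusted and untrusted signed sets configured as deny or query sets, integrity check of a hash that covers the requested permission set, and persistence of a granted permission) can be followed more easily as code. The following Python model is an added example and is not code from the patent or from Microsoft; the permission names, the zone table, the publisher list, the SHA-256 digest as a stand-in for the signature's hash, and the fail-closed handling of an untrusted signer whose request does not intersect a deny-configured set (a case the claims do not specify) are all assumptions made here for illustration.

```python
"""Added example (not the patent's own code): a model of the zone-based comparison of
a requested permission set against the host permission sets described in claims 1-18.
All identifiers, permission names and sample policy values below are assumptions."""
import hashlib
from dataclasses import dataclass
from typing import FrozenSet, Optional
from urllib.parse import urlparse

Perms = FrozenSet[str]


@dataclass(frozen=True)
class ZonePolicy:
    """Host permission sets for one security zone, as configured by the host user."""
    unsigned: Perms            # default grant for unsigned content (claim 3)
    trusted_signed: Perms      # grant if the requested set is a subset (claim 5)
    untrusted_signed: Perms    # compared as a deny set or a query set (claim 8)
    untrusted_mode: str        # "deny" or "query"


@dataclass
class Package:
    """Code package: code, externally attached requested set, and signature data."""
    code: bytes
    requested: Perms
    signer: Optional[str]             # None means the package is unsigned
    signed_digest: Optional[str]      # hash recorded in the signature at signing time
    granted: Optional[Perms] = None   # persisted grant (claims 6, 7)


# Constructed zone table: data sources (hosts) -> zone; unknown hosts fall into "internet".
ZONE_OF_HOST = {"intranet.example.test": "local_intranet",
                "trusted.example.test": "trusted_sites"}


def zone_for(url: str) -> str:
    host = urlparse(url).hostname or ""
    return ZONE_OF_HOST.get(host, "internet")


def package_digest(code: bytes, requested: Perms) -> str:
    """Hash covering both the code and the requested permission set (claims 13, 26),
    so tampering with either one invalidates the signature."""
    h = hashlib.sha256(code)
    for p in sorted(requested):
        h.update(b"\x00" + p.encode())
    return h.hexdigest()


def decide(pkg, policy, trusted_publishers, ask_user):
    """Return (outcome, permissions); outcome is 'grant', 'deny', or 'blocked' (must not run)."""
    if pkg.granted is not None:            # persisted grant: no second comparison (claim 6)
        return "grant", pkg.granted
    if pkg.signer is None:                 # unsigned: default set only, request ignored (claim 3)
        return "grant", policy.unsigned
    # Integrity check before any trust decision (claims 12, 18).
    if package_digest(pkg.code, pkg.requested) != pkg.signed_digest:
        return "deny", frozenset()
    if pkg.signer in trusted_publishers:   # trusted signer: subset test (claim 5)
        if pkg.requested <= policy.trusted_signed:
            pkg.granted = pkg.requested    # persist so later loads skip the comparison
            return "grant", pkg.requested
        return "deny", frozenset()
    # Recognized signature from an untrusted publisher (claim 8).
    if policy.untrusted_mode == "deny":
        if pkg.requested & policy.untrusted_signed:
            return "blocked", frozenset()  # intersects the deny set: not permitted to run (claim 11)
        return "deny", frozenset()         # assumption: fail closed; the claims leave this open
    if policy.untrusted_mode == "query" and pkg.requested <= policy.untrusted_signed:
        if ask_user(pkg.signer, pkg.requested):
            pkg.granted = pkg.requested
            return "grant", pkg.requested
    return "deny", frozenset()


# Constructed sample policy: two zones with different host permission sets.
POLICY = {
    "trusted_sites": ZonePolicy(unsigned=frozenset({"ui"}),
                                trusted_signed=frozenset({"ui", "file_read", "net_client"}),
                                untrusted_signed=frozenset({"ui", "file_read"}),
                                untrusted_mode="query"),
    "internet": ZonePolicy(unsigned=frozenset({"ui"}),
                           trusted_signed=frozenset({"ui", "net_client"}),
                           untrusted_signed=frozenset({"file_read", "file_write", "registry"}),
                           untrusted_mode="deny"),
}
POLICY["local_intranet"] = POLICY["trusted_sites"]
TRUSTED_PUBLISHERS = {"Example Publisher, Inc."}


def make_package(code: bytes, requested, signer: Optional[str]) -> Package:
    """Constructed stand-in for signing: records the digest the signature would carry."""
    req = frozenset(requested)
    return Package(code, req, signer, package_digest(code, req))


def evaluate(url: str, pkg: Package, ask_user=lambda signer, perms: False):
    """Resolve the zone for the data source and apply that zone's policy to the package."""
    return decide(pkg, POLICY[zone_for(url)], TRUSTED_PUBLISHERS, ask_user)
```

The ordering matters for the same reason it does in the claims: the digest is checked before the signer is consulted, so a package whose code or requested set was altered after signing never reaches the trust comparison, and the requested set is the only thing the host has to read to decide, so the code itself is never executed to discover what it wants.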

Description

FIELD OF THE INVENTION

The present invention relates to the field of software and, in particular, to methods and systems for a comprehensive security model for managing active content downloaded from a computer network.

BACKGROUND OF THE INVENTION

In recent years, there has been a tremendous proliferation of computers connected to a global computer network known as the Internet. A "client" computer connected to the Internet can download digital information from "server" computers connected to the Internet. Client application and operating system software executing on client computers typically accept commands from a user and obtain data and services by sending requests to server applications running on server computers connected to the Internet. A number of protocols are used to exchange commands and data between computers connected to the Internet. The protocols include the File Transfer Protocol (FTP), the HyperText Transfer Protocol (HTTP), the Simple Mail Transfer Protocol (SMTP), and the "Gopher" document protocol.

The HTTP protocol is used to access data on the World Wide Web, often referred to as "the Web." The World Wide Web is an area within the Internet that stores HTML documents. The World Wide Web is made up of numerous Web sites around the world that maintain and distribute Web documents. A Web site may use one or more Web server computers that are able to store and distribute documents in one of a number of formats including the HyperText Markup Language (HTML). An HTML document can contain text, graphics, audio clips, and video clips, as well as metadata or commands providing formatting information. HTML documents also include embedded "links" that reference other data or documents located on the local computer or network server computers.

A Web browser is a client application, software component, or operating system utility that communicates with server computers via standardized protocols such as HTTP, FTP and Gopher. Web browsers receive documents from the computer network and present them to a user. Microsoft Internet Explorer, available from Microsoft Corporation, of Redmond, Wash., is an example of a popular Web browser.

An intranet is a local area network containing servers and client computers operating in a manner similar to the World Wide Web described above. Additionally, a Web browser on an intranet can retrieve files from a file system server executing on the same computer as the Web browser, or on a remote computer on the local area network. A Web browser can retrieve files on the local area network using the "FILE" protocol, which comprises file system commands. Typically, all of the computers on an intranet are contained within a company or organization. Many intranets have a "firewall" that functions as a gateway between the intranet and the Internet, and prevents outside people from breaking into the computers of an organization. A "proxy server" is one well-known portion of a firewall.

In addition to data and metadata (data about data), HTML documents can contain embedded software components containing program code that perform a wide variety of operations on the host computer to which the document is downloaded. These software components expand the interactive ability of an HTML document and can perform other operations, such as manipulating data and playing audio or video clips. ActiveX is a specification developed by Microsoft Corporation for creating software components that can be embedded into an HTML document. Java is a well-known programming language that can be used to develop small computer applications called "applets" and standalone software components called "classes" which are transmitted with HTML documents when they are downloaded from Web servers to client computers. JavaScript and VBScript are scripting languages that are also used to extend the capabilities of HTML. JavaScript and VBScript scripts are embedded in HTML documents. A browser executes each script when it reaches the script's position during interpretation of the HTML document.

Some software components transferred over the World Wide Web perform operations that are not desired by a user. This may occur either because a component developer intentionally programmed the software component to maliciously perform a harmful operation, or because an unintentional "bug" in the software causes the component to perform a harmful operation. In addition to components that are transferred with an HTML document or by the HTTP protocol, files transferred to a client computer utilizing other protocols, such as FTP, may include commands that perform harmful operations.

One way in which browsers have addressed the security problem presented by potentially harmful software components is to notify the user prior to performing a potentially harmful operation while the software component is running on the host system. The user is permitted to determine, prior to each operation, whether to allow the specified operation. For example, prior to installing a Java class, a browser may display a dialog window specifying the source of the Java class and allowing the user to decide whether or not to install the specified class. Similarly, the browser may present a dialog window to the user prior to downloading a file, executing a program, or executing a script. This security procedure can result in a user repeatedly being presented with dialog windows asking for permission to perform certain operations, interrupting the user's browsing session. Faced with frequent interruptions as the software component runs, a user may respond hastily and improperly.

It is desirable to have a mechanism that allows the fine-grained administration of the permissions given to a software component, or other active content, that is downloaded from a computer network to a host system. Preferably, the mechanism would automatically administer the decision to grant or deny permissions to the downloaded active content to perform certain protected operations on the host system. The mechanism would preferably administer permissions in zones by comparing a requested set of permissions that the active content requires to run with a set of permissions that has been pre-configured in a manner that reflects the risk that active content downloaded from that zone may be harmful to the host system. Additionally, it would be advantageous if the mechanism processed the permissions required by the active content without having to run the active content, and then stored any granted permissions with the active content so that the permission comparison need only be conducted when the active content is first downloaded. The mechanism would also preferably be able to automatically compare many different types of permissions that may be defined by a wide range of expressions. Further, a preferable mechanism would provide sets of predetermined security settings that represent varying trust levels that can be associated with a zone, or that provide a way for the user to configure the permission sets down to a very "fine-grained" level. The present invention is directed to providing such a mechanism.

SUMMARY OF THE INVENTION

In accordance with this invention, a system and a computer-based method of providing security when downloading foreign active content from a computer network is disclosed. Foreign active content is untrusted code that may attempt to run on a host system. The method includes configuring a system security policy to establish multiple security zones, each security zone corresponding to a set of locations on a computer network. Each zone has a corresponding security configuration that specifies the actions to be taken when a protected operation is requested by active content downloaded from that security zone. During a Web browsing session, the mechanism of the invention determines the security zone corresponding to the network location currently being browsed. Prior to performing a protected operation, the mechanism of the invention determines the action to perform, based on the current Web site's security zone, the requested operation, and the security setting corresponding to the requested operation and the Web site's zone. The Web browser displays visual information indicating the security zone corresponding to a server computer when a Web document from the server computer is being displayed.

In accordance with other aspects of this invention, during a browsing session between a client computer and a server computer, when a document is received at the client computer the browser determines if the document wishes to perform any protected operations on the client computer. If the document requires access to a protected operation, the browser determines a security setting corresponding to the zone from which the document was retrieved. Depending on the configuration of the protected operation within the security zone, the browser may perform the protected operation, prevent the performance of the protected operation, or query a user whether to perform the protected operation and selectively perform the protected operation based on the user response.

In accordance with other aspects of this invention, the client computer may be located behind a firewall, and receive active content from server computers behind the firewall and remote server computers external to, or outside of, the firewall. The browser may be configured so that one security zone does not include any server computers that are external to the firewall and so that another security zone includes only server computers that are behind the firewall. Preferably, the browser is configured so that the security zone corresponding to the server computers external to the firewall specifies a higher level of security than the security zone corresponding to server computers protected by the firewall.

In accordance with the invention, the system security policy is comprised of a number of security zones that each have an associated zone security configuration that is enforced by a security manager application on the user's computer system. Each security zone is associated with one or more server computers that are grouped into the security zone according to the likelihood that the server computers within that security zone may contain harmful active content. The user may utilize one or more predefined security zones, configure custom security zones, or do nothing and accept a default set of predefined security zones.

In accordance with other aspects of the invention, each security zone has an associated zone security policy. The user may select one of a number of predefined zone security policies, configure a custom zone security policy, or do nothing and accept a default zone security policy for the security zone. In an actual embodiment of the invention, the predefined zone security policies define levels of security that represent "high" security (most secure), "medium" security (more secure), and "low" security (least secure). The custom security policy permits the user to customize the zone security policy to a level defined by the user's configuration of the same security components that make up the predefined "high", "medium", and "low" pre-configured security policy options.

In accordance with further aspects of the invention, configuration of the system security policy may include the configuration of progressively "finer grain" steps or levels. The "coarsest grain" level is the configuration of one or more security zones. Each security zone has a set of protected operations that can be configured. For some protected operations that regulate active content, one or more sets of permissions can be configured. Permission sets can be configured for different contexts; for instance, different permission sets can be configured for active content that is digitally signed and for active content that is not digitally signed. Each permission set can have a number of permissions and each of the permissions may have a set of parameters. At the "finest grain" of configuration, the parameters can be configured using one or more primitives.

In accordance with the present invention, at the protected operations configuration level, the user may specify whether a protected operation is allowed (enabled), is not allowed (disabled), or if the user should be prompted to determine the action that should be taken. For some protected operations, it is desirable to specify a "finer grain" configuration of the actions that are available to the protected operation when it is simply "enabled." The right to perform an action on a host system requested by a subject of a protected operation is called a permission. The configuration of the permissions available to a protected operation, at the permission configuration level, is a level "down" in the configuration of the custom zone security policy. The user may specify at the permission configuration level those permissions that define a protected operation. The permission can be granted to the protected operation (enabled), denied to the protected operation (disabled) or the user prompted for instructions when the permission is required.

In addition to configuring protected operations within security zones, the permissions that define protected operations may be configured for the context of the active content that requests the privileged operations. For instance, the user could configure the permission to be enabled when the protected operation is requested by "signed" active content, and disabled when the protected operation is requested by "unsigned" active content. For example, in an actual embodiment of the invention, the administration of permissions available to Java applets and classes is a protected operation. The user may enable or disable individual permissions for Java applets and classes in permission sets that are applied depending on the context of the active content within a zone. A permission may be configured differently in different permission sets within the same security zone. For instance, a signed applet may request access to all files on the host system. In accordance with the invention, the access all files permission may be configured in one permission set to enable the access of all files when the applet is signed and configured differently in a second permission set to disable the access to all files permission when the applet is unsigned.

In accordance with further aspects of the invention, the capabilities of each permission may be defined by a set of "parameters" that can be configured at a parameter configuration level. In contrast to the configuration of the permissions at the permissions configuration level (a level "up") where all the capabilities of the permission are enabled, disabled, or set to require a prompt of the user, the configuration of the parameters at the parameter configuration level allows for the "fine grained" configuration of each permission. For instance, in an actual embodiment of the invention, the File I/O permission determines whether a Java applet can perform file operations on the user's computer. The File I/O permission includes parameters that determine if the File I/O permission has the right to read, write or delete files on the host computer. Parameters are defined using a number of primitive types. In accordance with the invention, a primitive is an expression that can represent values like "5", "true", "*doc", include/exclude pairs and arrays of these types.

In accordance with the present invention, permissions for active content are grouped in one or more user permission sets that are stored in a system registry and associated with a security zone. Each security zone may have a number of differently defined permission sets that are associated with active content having different attributes from within the same security zone. For example, in an actual embodiment of the invention, each security zone has three associated user permission sets that are stored with the zone configuration policy in the system registry: a trusted signed permission set, an untrusted signed permission set, and an unsigned permission set. If the retrieved active content is unsigned (has not been digitally signed) then the unsigned active content is granted a set of permissions corresponding to the unsigned permission set associated with the zone from which the active content was retrieved. If the retrieved active content is signed (has been digitally signed) then the present invention uses the trusted signed permission set and the untrusted signed permission set associated with the security zone from which the active content was downloaded to determine the permissions that will be granted to the active content, denied to the active content, or for which the user will be queried before the permission is granted.

In accordance with further aspects of the invention, the publisher of active content such as Java applets, classes or scripts, may externally attach a list of permissions to the active content that specifies the permissions the active content requires in order to run on the host computer. The list of permissions, or "requested permission set," is prepared by the publisher of the active content and preferably specifies the most restrictive set of permissions within which the active content can run. The present invention allows the publisher to specify each permission down to the parameter configuration level.

In accordance with another aspect of the invention, the publisher attaches the requested permission set to the outside of the active content so that the user computer does not have to run the active content in order to discover the permissions that the active content requires in order to run on the host system. The requested permission set may be included in a signed code package that also contains the computer executable instructions and other files associated with the active content. Requested permission sets may also be signed using a catalog file. A catalog file contains a manifest of hash values for other files such as cabinet files, class files, requested permissions initialization files, etc. The manifest is digitally signed, thereby authenticating the files listed in the manifest if the hash value in the manifest is equal to the newly calculated hash value of the file when it is downloaded. When the signed code package is downloaded to the user's computer, the present invention authenticates the identity of the publisher and verifies that the contents of the signed code package are identical to the information that was in the signed code package when it was signed. If the active content has not been digitally signed, the active content is granted only those permissions contained in the unsigned permission set.
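The catalog-file check described above (and the hash comparison of claim 61) can be made concrete as follows. This is an added example, not code from the patent or from Internet Explorer: the file contents and the publisher key are constructed, and an HMAC over the manifest stands in for the public-key code signature the patent relies on, so that the example runs with the Python standard library alone. The verifier's logic is the point: sign the manifest once, then on the host recompute every file's hash and refuse the package if the manifest signature fails, if any hash differs, or if the package carries a file the manifest never listed.

```python
import hashlib
import hmac
import json

# Constructed stand-ins for the files a publisher ships: a class file and
# the requested-permissions .ini file. Not taken from the patent.
PACKAGE_FILES = {
    "Applet.class": b"\xca\xfe\xba\xbe constructed class bytes",
    "permissions.ini": b"[Permissions]\nFileIO=read\n",
}

# Hypothetical publisher key. The patent uses public-key code signatures;
# an HMAC over the manifest stands in for one so the example needs only
# the standard library. The verification logic is the same either way.
PUBLISHER_KEY = b"constructed-publisher-key"


def file_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical_manifest(hashes: dict) -> bytes:
    # Sorted keys and fixed separators so signer and verifier sign identical bytes.
    return json.dumps(hashes, sort_keys=True, separators=(",", ":")).encode()


def build_catalog(files: dict, key: bytes) -> dict:
    """Publisher side: hash every file once, then sign the manifest of hashes."""
    hashes = {name: file_digest(data) for name, data in files.items()}
    sig = hmac.new(key, canonical_manifest(hashes), hashlib.sha256).hexdigest()
    return {"manifest": hashes, "signature": sig}


def verify_catalog(catalog: dict, files: dict, key: bytes) -> bool:
    """Host side: the manifest must verify, and every file must match it."""
    manifest = catalog["manifest"]
    expected = hmac.new(key, canonical_manifest(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, catalog["signature"]):
        return False  # manifest altered, or not signed by this publisher
    # A file that is not listed cannot ride in on the publisher's signature,
    # and a listed file that is missing means the package is incomplete.
    if set(files) != set(manifest):
        return False
    return all(hmac.compare_digest(file_digest(files[n]), manifest[n]) for n in manifest)


def demo() -> dict:
    """Exercise the intact package and three ways of tampering with it."""
    catalog = build_catalog(PACKAGE_FILES, PUBLISHER_KEY)
    # Attacker widens the requested permissions after signing.
    widened_ini = b"[Permissions]\nFileIO=read,write,delete\n"
    tampered = dict(PACKAGE_FILES, **{"permissions.ini": widened_ini})
    # Attacker also rewrites the manifest entry to match; the signature then fails.
    forged = {"manifest": dict(catalog["manifest"], **{"permissions.ini": file_digest(widened_ini)}),
              "signature": catalog["signature"]}
    # Attacker adds a file the manifest never listed.
    extra = dict(PACKAGE_FILES, **{"Extra.class": b"unlisted bytes"})
    return {
        "intact": verify_catalog(catalog, PACKAGE_FILES, PUBLISHER_KEY),
        "widened_ini": verify_catalog(catalog, tampered, PUBLISHER_KEY),
        "forged_manifest": verify_catalog(forged, tampered, PUBLISHER_KEY),
        "unlisted_file": verify_catalog(catalog, extra, PUBLISHER_KEY),
    }
```

The case worth noting is `widened_ini`: because the requested permission set is one of the files covered by the signed manifest, an attacker who can alter the package in transit cannot broaden what it asks for without the host detecting the change before anything runs.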

If the active content has been signed, the identity of the publisher and the integrity of the downloaded signed code package are verified by the present invention. If this verification succeeds, the requested permission set is extracted from the signed code package or catalog file and then compared to the user's permission sets associated with the security zone that the signed code package was downloaded from. In an actual embodiment of the invention, the requested permission set from the signed code package is compared to the trusted signed permission set. If the requested permission set contains a subset of the permissions configured in the trusted signed permission set, the permissions requested in the requested permission set are granted and associated with the active content. If the requested permission set includes permissions, or parameters within permissions, that exceed those specified in the trusted signed permission set, the permissions in the requested permission set are compared to the untrusted signed permission set. The untrusted signed permission set may be either a deny set or a query set depending on the value of a Query/Deny flag associated with the untrusted signed permission set. If the untrusted signed permission set is a deny set and the untrusted signed permission set contains (intersects) any permissions, or parameters within permissions, that are within the requested permission set, the requested permission set is automatically denied and the active content is not run. If the untrusted signed permission set is flagged as a query set, the requested permissions must be a subset of the query set before the requested set will be granted. Any permission that is not in the query set is assumed to be in the denied set. Therefore, if the requested set is not a subset of the query set, there is at least one permission that is in the deny set and the requested set is rejected.
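The decision sequence just described, with its three user permission sets per zone and the Query/Deny flag on the untrusted signed set, is worked through below. This is an added example and not the patent's or the browser's code. It models a permission as a name mapped to the set of parameter values it enables (a simplification of the patent's parameters and primitives), and the two zone configurations are constructed, not the embodiment's defaults. One point is an assumption: when a request exceeds the trusted signed set but touches nothing in a deny-flagged untrusted set, the paragraph above does not state the outcome, and the example prompts the user.

```python
from dataclasses import dataclass
from enum import Enum

# A permission is modelled as a name mapped to the frozenset of parameter
# values it enables, e.g. "FileIO" -> {"read", "write"}. This flat model is
# an assumption for the example; the patent builds parameters from primitives.
PermSet = dict


class Decision(Enum):
    GRANT = "grant"
    QUERY = "query"   # prompt the user before running
    DENY = "deny"


@dataclass
class ZonePolicy:
    unsigned: PermSet
    trusted_signed: PermSet
    untrusted_signed: PermSet
    untrusted_is_query: bool   # the Query/Deny flag; False makes it a deny set


def is_subset(requested: PermSet, allowed: PermSet) -> bool:
    """Every requested permission, down to its parameters, lies within `allowed`."""
    return all(name in allowed and params <= allowed[name]
               for name, params in requested.items())


def intersects(requested: PermSet, other: PermSet) -> bool:
    """Some requested permission or parameter lies within `other`."""
    return any(name in other and params & other[name]
               for name, params in requested.items())


def decide(policy: ZonePolicy, requested: PermSet, signed: bool, verified: bool):
    """Return (decision, permission set the decision applies to)."""
    if not signed:
        # Unsigned content never gets its requested set; the zone's unsigned set applies.
        return Decision.GRANT, policy.unsigned
    if not verified:
        # Publisher identity or package integrity failed: the requested set is refused.
        return Decision.DENY, {}
    if is_subset(requested, policy.trusted_signed):
        return Decision.GRANT, requested
    if policy.untrusted_is_query:
        # Query set: anything outside it counts as denied.
        if is_subset(requested, policy.untrusted_signed):
            return Decision.QUERY, requested
        return Decision.DENY, {}
    if intersects(requested, policy.untrusted_signed):
        return Decision.DENY, {}
    # Exceeds the trusted set without touching the deny set. The summary does
    # not state this case; prompting the user is the choice assumed here.
    return Decision.QUERY, requested


# Constructed zone configurations (not the patent's defaults).
INTERNET_ZONE = ZonePolicy(
    unsigned={"Sandbox": frozenset({"run"})},
    trusted_signed={"FileIO": frozenset({"read"}), "Network": frozenset({"connect"})},
    untrusted_signed={"FileIO": frozenset({"write", "delete"})},
    untrusted_is_query=False,
)
INTRANET_ZONE = ZonePolicy(
    unsigned={"Sandbox": frozenset({"run"})},
    trusted_signed={"FileIO": frozenset({"read"})},
    untrusted_signed={"FileIO": frozenset({"read", "write"})},
    untrusted_is_query=True,
)
```

Note that the order of the checks matters: a signed package whose signature does not verify must be refused before the requested set is even read, otherwise an attacker could strip or break the signature and still have the request compared against the signed permission sets.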

In accordance with further aspects of the invention, a requested permission set is automatically compared to a user permission set by the mechanism of the invention to determine if the permissions requested in the requested permission set exceed the permissions defined in the user permission set. The method and system of the invention first determines if there are any permissions in the requested permission set that are not in the user permission set. If a permission is in the requested set and not in the permissions allowed by the user (the user permission set), the requested set is not automatically granted. If a permission is in the requested set and in the denied set, then the content is not run. Next, corresponding permissions in the requested permission set and the user permission set are compared to each other. When corresponding permissions are compared, they are compared parameter by corresponding parameter. To compare a parameter to a corresponding parameter, each primitive that defines a parameter in the requested permission set is compared to a primitive that defines a parameter in the user permission set.

Comparing the requested permission set to the user permission set involves comparing zero or more permissions in the requested permission set to zero or more corresponding permissions in the user permission set. Each permission may have one or more parameters that specify the capabilities of the permission. Each parameter may have one or more primitives that define the parameter. The method and system of the present invention automates these progressive comparisons in a manner that produces a directional result of each comparison and maintains the direction of the result. These results are successively merged to produce a directional comparison result that can be used in later decisions to determine an action to take. For example, when comparing a requested permission set to a user permission set, it is important to be able to determine if the requested permission set is a SUBSET of the user permission set or alternatively, if the user permission set is a SUBSET of the requested permission set. In this example, it is apparent that it is important to keep track of the directional nature of the comparison result because in the former case it may be appropriate to grant the permission, while in the latter case it may not be appropriate to grant the permission.

In accordance with the invention, the direction of set comparison results is maintained while the results of many comparisons that may occur on many different levels are combined to produce a cumulative directional set result. In other words, a requested permission set compares to a user permission set, which requires that requested permissions compare to user permissions, which requires that a requested permission's parameters compare with a user's permission's parameters, which requires that the primitives that define a requested permission's parameter compare to a user's permission's primitives. Each comparison results in an answer that must be combined with the answers from all other comparisons in a manner that yields a meaningful combined answer that preserves the direction of the comparison in a directional result.

In an actual embodiment of the present invention, the comparison of a primitive to a primitive produces a cumulative directional primitive result. The cumulative directional primitive result of each parameter is then combined to produce a cumulative directional parameter result. The cumulative directional parameter result of each parameter is then combined to produce a cumulative directional permission result. Finally, the cumulative directional permission result of each permission is combined to produce a cumulative directional permission set result. Because the present invention performs the comparison and accumulates the results in a manner that maintains the direction of the comparison, the cumulative directional result may be used at any level to describe the directional results of all previous comparisons to that level.
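The direction-preserving accumulation described in the preceding paragraphs, over the primitive kinds mentioned earlier (Booleans, numeric limits, wildcard strings such as "*doc", and arrays of strings), is worked through below as an added example; it is not the patent's implementation. Each comparison is reduced to three facts, whether the requested side has capabilities the allowed side lacks, whether the allowed side has capabilities the requested side lacks, and whether they share any, and these facts are combined by OR as the comparison climbs from primitive to parameter to permission to permission set. Three facts give eight combinations; whether they correspond to the eight results of FIG. 14A is not established here, so the encoding, the SUBSET/SUPERSET/EQUAL/OVERLAP/DISJOINT labels, the single-'*' wildcard support, the reading of a numeric limit n as the range 0..n, and the schemas and permission sets are all this example's own assumptions. Include/exclude pairs are not modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Facts:
    """Three facts about requested (left) versus allowed (right) capabilities."""
    only_left: bool    # requested has something allowed lacks
    only_right: bool   # allowed has something requested lacks
    common: bool       # both share something

    def merge(self, other: "Facts") -> "Facts":
        # Capabilities of different parameters or permissions never coincide,
        # so facts about them combine by OR and no direction is lost.
        return Facts(self.only_left or other.only_left,
                     self.only_right or other.only_right,
                     self.common or other.common)

    def label(self) -> str:
        if not self.only_left and not self.only_right:
            return "EQUAL"
        if not self.only_left:
            return "SUBSET"     # requested fits inside allowed: grantable
        if not self.only_right:
            return "SUPERSET"   # requested strictly exceeds allowed
        return "OVERLAP" if self.common else "DISJOINT"


NOTHING = Facts(False, False, False)


def compare_bool(l: bool, r: bool) -> Facts:
    return Facts(l and not r, r and not l, l and r)


def compare_limit(l: int, r: int) -> Facts:
    # A numeric limit n is read as the range 0..n (assumption), so limits always share 0.
    return Facts(l > r, r > l, True)


def compare_strings(l: frozenset, r: frozenset) -> Facts:
    return Facts(bool(l - r), bool(r - l), bool(l & r))


def _split(p: str):
    """'pre*suf' -> (pre, suf); a literal -> None. Only a single '*' is supported."""
    if p.count("*") > 1:
        raise ValueError("only one '*' supported in this example")
    return tuple(p.split("*")) if "*" in p else None


def compare_glob(l: str, r: str) -> Facts:
    """Compare two single-'*' wildcard patterns as the sets of strings they match."""
    def contains(a, b):  # does a match every string that b matches?
        sa, sb = _split(a), _split(b)
        if sa is None:
            return sb is None and a == b
        if sb is None:
            return b.startswith(sa[0]) and b.endswith(sa[1]) and len(b) >= len(sa[0]) + len(sa[1])
        return sb[0].startswith(sa[0]) and sb[1].endswith(sa[1])

    def overlap(a, b):   # is some string matched by both?
        sa, sb = _split(a), _split(b)
        if sa is None or sb is None:
            return contains(a, b) or contains(b, a)
        return (sa[0].startswith(sb[0]) or sb[0].startswith(sa[0])) and \
               (sa[1].endswith(sb[1]) or sb[1].endswith(sa[1]))

    return Facts(not contains(r, l), not contains(l, r), overlap(l, r))


PRIMITIVES = {"bool": compare_bool, "limit": compare_limit,
              "strings": compare_strings, "glob": compare_glob}


def compare_permission(requested: dict, allowed: dict, schema: dict) -> Facts:
    """Compare parameter by parameter; `schema` names each parameter's primitive kind."""
    result = NOTHING
    for param, kind in schema.items():
        result = result.merge(PRIMITIVES[kind](requested[param], allowed[param]))
    return result


def compare_sets(requested: dict, allowed: dict, schemas: dict) -> Facts:
    """Compare permission sets; a permission absent from a set counts as not granted at all."""
    result = NOTHING
    for perm in set(requested) | set(allowed):
        if perm not in allowed:
            result = result.merge(Facts(True, False, False))
        elif perm not in requested:
            result = result.merge(Facts(False, True, False))
        else:
            result = result.merge(compare_permission(requested[perm], allowed[perm], schemas[perm]))
    return result


# Constructed schemas and permission sets (not the patent's).
SCHEMAS = {"FileIO": {"read": "bool", "write": "bool", "paths": "glob"},
           "Threads": {"max": "limit"},
           "Net": {"hosts": "strings"}}
ALLOWED = {"FileIO": {"read": True, "write": False, "paths": "*"},
           "Threads": {"max": 8},
           "Net": {"hosts": frozenset({"intranet.example"})}}
REQUESTED = {"FileIO": {"read": True, "write": False, "paths": "*.doc"},
             "Threads": {"max": 4}}
# Same request, but asking to write: one parameter now exceeds the policy.
OVERREACH = {"FileIO": {"read": True, "write": True, "paths": "*.doc"},
             "Threads": {"max": 4}}
```

`compare_sets(REQUESTED, ALLOWED, SCHEMAS)` labels SUBSET and may be granted, while `OVERREACH` labels OVERLAP: the thread limit is still under the policy, but the write flag exceeds it, and because direction is preserved through the merge the one excess parameter is enough to keep the whole set from being granted automatically.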

In an actual embodiment of the invention, the cumulative directional permission set result is used to determine if the permissions in a user permission set should be granted, denied, or the user should be prompted for a choice of whether to grant or deny the permissions as a set. The present invention is not limited to this implementation, however. For instance, the cumulative permission result could be used to determine if an individual permission should be granted, denied, or the user prompted for the proper action. Other decisions could be based on the cumulative directional result at "lower levels" of the accumulation.

As will be readily appreciated from the foregoing description, a system and method of providing security when downloading active content formed in accordance with the invention provides a way of selectively restricting protected operations that can be performed by active content retrieved from a computer network, such that the restrictions may vary according to the level of trust that a user has for each security zone. The invention allows the user to configure a browser to a fine grain administration of privileges allowed to active content so that the different security zones and different contexts within those security zones reflect different levels of trust for each corresponding group of network locations. Default security settings corresponding to each security zone, protected operation, permission and parameter among the security zones simplify the process of configuring the browser. Allowing a user to modify the default settings provides users with customizable security to allow for differing situations or concerns. The invention minimizes the amount of disruption that may occur during a browsing session in order to determine the user's preferences. By allowing a user to configure the security settings at a time convenient to the user, the invention increases the likelihood that the user will carefully consider the choices involved in security configurations. The ability to customize the security of the host system to a fine grain level also permits more sophisticated users, such as system administrators, to tailor the security of browsers under the administrator's control to the specific security requirements of an organization.

BRIEF DESCRIPTION OF THE INVENTION

The foregoing aspects and many of the attendant advantages of this invention will become more readily appreciated as the same becomes better understood by reference to the following detailed description, when taken in conjunction with the accompanying drawings, wherein:

FIG. 1 is a block diagram of a general purpose computer system for implementing the present invention;

FIG. 2 is a block diagram illustrating an architecture of a security method and system in a browser operating on a computer network, in accordance with the present invention;

FIG. 3 is a functional flow diagram illustrating the process of configuring the security method and system of the present invention;

FIG. 4A is a pictorial representation of an "Internet Options" dialog window that exposes the Security tab in accordance with the present invention;

FIG. 4B is a pictorial representation of the "Trusted sites zone" dialog window produced in accordance with the present invention;

FIG. 5A is a pictorial representation of a "Security Settings" dialog window produced in accordance with the present invention;

FIG. 5B is a pictorial representation of a "Security Warning" dialog window produced in accordance with the present invention;

FIG. 6 is a pictorial representation of the "Internet zone" dialog window having a configuration menu for Java permissions on a "View Permissions" tab, in accordance with the present invention;

FIGS. 7A-E are pictorial representations of the "Internet zone" Java permissions window dialog displaying the "Edit Permissions" tab, in accordance with the present invention;

FIG. 8 is a pictorial representation of an "Edit Custom Permissions" dialog window, in accordance with the present invention;

FIGS. 9A-G are pictorial representations of an "Edit Custom Permissions-Unsigned Permissions" dialog window, in accordance with the present invention;

FIG. 9H is a Venn diagram illustrating an include/exclude pair primitive in accordance with the present invention;

FIG. 10 is a block diagram illustrating a signed code package having an externally attached requested permission set in accordance with the present invention;

FIG. 11 is a functional flow diagram illustrating the process of creating and distributing active content with a requested permission set externally attached in accordance with the present invention;

FIGS. 12A-D illustrate a sample initialization (.ini) file used for the declaring of a requested permission set in accordance with the present invention;

FIGS. 13A-C are a functional flow diagram showing the process of checking permissions requested by active content and storing granted permissions with the active content in accordance with the present invention;

FIG. 14A illustrates the eight directional set comparison results of the present invention;

FIG. 14B is a functional flow diagram illustrating the process of comparing permission sets to assign a directional set comparison result in accordance with the present invention;

FIG. 14C is a functional flow diagram illustrating the process of comparing parameters within a pair of permissions to assign a directional set comparison result, in accordance with the present invention;

FIG. 14D is a functional flow diagram illustrating the process of comparing primitives with a pair of parameters to assign a directional set comparison result, in accordance with the present invention;

FIG. 15A is a functional flow diagram illustrating the process of assigning a directional set comparison result to the comparison of inclusive Boolean primitives, in accordance with the present invention;

FIG. 15B is a functional flow diagram illustrating the process of assigning a directional set comparison result to the comparison of exclusive Boolean primitives, in accordance with the present invention;

FIGS. 16A-B are a functional flow diagram illustrating the comparison of array primitives to assign a directional set comparison result, in accordance with the present invention;

FIG. 17 is a functional flow diagram illustrating the comparison of numerical limits primitives to assign a directional set comparison result, in accordance with the present invention;

FIGS. 18A-Y are functional flow diagrams and associated look-up tables for the process of comparing regular expressions to assign a directional result, in accordance with the present invention;

FIGS. 18Z-AA illustrate a plurality of example comparisons and the resulting directional set comparison result, in accordance with the present invention;

FIGS. 19A-I are functional flow diagrams and associated lookup tables illustrating the process of comparing include/exclude pair primitives to assign a directional set comparison result, in accordance with the present invention;

FIG. 20 is a merge table used to merge two directional set comparison results to produce a single merged directional set comparison result, in accordance with the present invention;

FIG. 21 is an illustration of an example for merging directional results, in accordance with the present invention;

FIG. 22 is a functional flow diagram illustrating the process of running active content and validating permissions for protected operations in accordance with the present invention; and

FIG. 23 is a functional flow diagram illustrating the process of verifying that the permission to be used has been granted to each class in a call chain, in accordance with the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

The present invention is a system and method for configuring and enforcing a system security policy that protects a user's computer from potentially harmful active content received from a server computer. In an actual embodiment, the present invention is incorporated into the Microsoft Internet Explorer (version 4.0 or later), a Web browser available from Microsoft Corporation, Redmond, Wash. The Microsoft Internet Explorer contains a help file that describes in detail many of the features of the present invention. Further details on how to access the Microsoft Internet Explorer's help file are discussed below with reference to the security configuration user interface. While the following describes the present invention in terms of an actual embodiment of the invention that is incorporated into a World Wide Web browser, the present invention is not limited to applications on the World Wide Web and may be used in any computer environment, for instance, a single computer, a local area network, an intranet, a wide area network, or the Internet.

Web browsers commonly operate within the World Wide Web, which is a portion of a global computer network known as the Internet. The Internet is comprised of a plurality of server and client computers that are interconnected for the communication of digital data. A Web site is a computer network location that stores digital data. A Web site may correspond to one or more server computers, or to a subset of the data stored on a server computer. A server computer may include multiple Web sites. For example, the data contained within a directory structure stored on a server computer may correspond to a Web site. A Web site may be identified by a specification of an Internet domain, an Internet protocol (IP) address, or a directory path.

Web sites store digital data in groupings known as documents. The process of locating and receiving digital documents from Web sites is referred to as "browsing." A Web document may contain text, image data, sound data, format data and a variety of other information known to those skilled in the art. Web documents may also have "links" or references to various information stored on the same or another Web site at other locations. Increasingly, Web documents also contain, or provide links to, "active content" that may provide some functionality either within the Web document, separately as a mini-application ("applet"), as a function library or class, or even as a full-scale computer program. As used herein, active content is defined as any computer-executable instructions that are downloaded (retrieved) from a server computer and that can run on a user's (or host) computer. Examples of active content are Java applets, Java classes, HTML scripts, Java scripts, VB scripts and ActiveX controls.

While the functionality provided by active content may provide many benefits to the user, this functionality comes with some risks to the user's system. Any code that runs on a user's computer has the potential to "harm" the user's system. For instance, malicious active content may purposefully delete files from the user's hard disk. Active content does not have to be "malicious" to be harmful to a user's system: "buggy" code can inadvertently do as much harm to a user's computer as code that is purposefully designed to do harm. It is a purpose of the present invention to provide a mechanism that allows the user to draw a balance between the advantages of allowing active content to run and the risks of letting that active content run on the user's computer. In accordance with the present invention, this balance between what the active content will be permitted to do on the user's computer and what the active content will be restricted from doing can be configured down to a very "fine grain" level and associated with the zone from which the active content was retrieved and the context in which it was retrieved. The mechanism of the invention also enforces the security configuration once made.

The system security policy of the present invention is configured in progressively more "fine-grained levels" of configuration. As the configuration moves "down" the levels from the configuration of security zones to configuring primitives that define the parameters of a permission, the method and system of the present invention permit progressively "finer grain" control of just what the active content will be permitted to do on the user's system.

Once the configuration is completed, the invention provides a mechanism for comparing the information in the system security policy to the requirements of the downloaded active content. The invention advantageously provides for a requested permission set to be externally attached to the active content. The requested permission set specifies those permissions that the publisher of the active content asserts are necessary for the active content to run. The requested permission set is then compared by the mechanism of the present invention to one or more user permission sets (configured by the user) to determine if the requested permission set will be granted by the security manager. The method and system used by the present invention to make this comparison between permission sets is described in detail below, starting with the discussion of FIG. 13A.

Exemplary Computer System and Network

As is well known to those familiar with the World Wide Web, a Web browser executes on a computer, such as a general purpose personal computer. FIG. 1 and the following discussion are intended to provide a brief, general description of a suitable computing environment in which the invention may be implemented. Although not required, the invention will be described in the general context of computer-executable instructions, such as program modules, being executed by a personal computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. Moreover, those skilled in the art will appreciate that the invention may be practiced with other computer system configurations, including hand-held devices, multiprocessor systems, microprocessor-based or programmable consumer electronics, network PCs, minicomputers, mainframe computers, and the like. The invention may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote memory storage devices.

With reference to FIG. 1, an exemplary system for implementing the invention includes a general purpose computing device in the form of a conventional personal computer 120, including a processing unit 121, a system memory 122, and a system bus 123 that couples various system components including the system memory to the processing unit 121. The system bus 123 may be any one of several types of bus structures including a memory bus or memory controller, a peripheral bus, and a local bus using any of a variety of bus architectures. The system memory includes read only memory (ROM) 124 and random access memory (RAM) 125. A basic input/output system 126 (BIOS), containing the basic routines that help to transfer information between elements within the personal computer 120, such as during start-up, is stored in ROM 124. The personal computer 120 further includes a hard disk drive 127 for reading from and writing to a hard disk, not shown, a magnetic disk drive 128 for reading from or writing to a removable magnetic disk 129, and an optical disk drive 130 for reading from or writing to a removable optical disk 131 such as a CD ROM or other optical media. The hard disk drive 127, magnetic disk drive 128, and optical disk drive 130 are connected to the system bus 123 by a hard disk drive interface 132, a magnetic disk drive interface 133, and an optical drive interface 134, respectively. The drives and their associated computer-readable media provide nonvolatile storage of computer readable instructions, data structures, program modules and other data for the personal computer 120. Although the exemplary environment described herein employs a hard disk, a removable magnetic disk 129 and a removable optical disk 131, it should be appreciated by those skilled in the art that other types of computer-readable media which can store data that is accessible by a computer, such as magnetic cassettes, flash memory cards, digital versatile disks, Bernoulli cartridges, random access memories (RAMs), read only memories (ROM), and the like, may also be used in the exemplary operating environment.

A number of program modules may be stored on the hard disk drive 127, magnetic disk drive 128, optical disk drive 130, ROM 124 or RAM 125, including an operating system 135, one or more application programs 136, other program modules, and program data 138. A user may enter commands and information into the personal computer 120 through input devices such as a keyboard 140 and pointing device 142. Other input devices (not shown) may include a microphone, joystick, game pad, satellite dish, scanner, or the like. These and other input devices are often connected to the processing unit 121 through a serial port interface 146 that is coupled to the system bus, but may be connected by other interfaces, such as a parallel port, game port or a universal serial bus (USB). A monitor 147 or other type of display device is also connected to the system bus 123 via an interface, such as a video interface 148. One or more speakers 157 are also connected to the system bus 123 via an interface, such as an audio interface 156. In addition to the monitor and speakers, personal computers typically include other peripheral output devices (not shown), such as printers.

The personal computer 120 may operate in a networked environment using logical connections to one or more remote computers, such as remote computers 149 and 160. Each remote computer 149 or 160 may be another personal computer, a server, a router, a network PC, a peer device or other common network node, and typically includes many or all of the elements described above relative to the personal computer 120. The logical connections depicted in FIG. 1 include a local area network (LAN) 151 and a wide area network (WAN) 152. Such networking environments are commonplace in offices, enterprise-wide computer networks, intranets and the Internet. As depicted in FIG. 1, the remote computer 160 communicates with the personal computer 120 via the local area network 151. The remote computer 149 communicates with the personal computer 120 via the wide area network 152.

When used in a LAN networking environment, the personal computer 120 is connected to the local network 151 through a network interface or adapter 153. When used in a WAN networking environment, the personal computer 120 typically includes a modem 154 or other means for establishing communications over the wide area network 152, such as the Internet. The modem 154, which may be internal or external, is connected to the system bus 123 via the serial port interface 146. In a networked environment, program modules depicted relative to the personal computer 120, or portions thereof, may be stored in the remote memory storage device. It will be appreciated that the network connections shown are exemplary and other means of establishing a communications link between the computers may be used.

Architecture of the Security Model

FIG. 2 illustrates the architecture of a security method and system formed in accordance with the present invention incorporated into a Web browser 204 communicating over a local area network 151 and a wide area network 152, such as the Internet. The local area network 151 functions as an intranet, connecting client computers executing Web browsers 204 to one or more local Web server computers 208. The local area network 151 communicates with the wide area network 152 through a firewall 212. The firewall 212 may comprise a computer that physically connects to the LAN 151 and the wide area network 152. Alternatively, the firewall 212 may comprise one or more computer programs executing on a computer connected to the LAN 151 and not intermediate to LAN 151 and the wide area network 152. The firewall 212 may include a component known as a proxy server. A proxy server ensures that the topology and addressing of the local area network 151 within the firewall 212 remains hidden from any program operating on the wide area network 152. A common function of a firewall 212 is to examine packets coming from the wide area network 152 and then either to let them through or block them according to a set of rules defined by the administrator of the local area network 151. A primary purpose of the security measures is to exclude potentially harmful content from reaching the local area network 151 that could adversely affect the programs and other data located on the local Web server 208.

The security provided by a firewall is essentially a "rough sort" that excludes content that may adversely affect the local Web servers 208 connected to the local area network 151, without taking into consideration that it is sometimes desirable to download potentially harmful code from the wide area network. The present invention provides a method and system for allowing some of this potentially harmful content to be downloaded to the local area network while preserving the security of the local area network 151. In an actual embodiment of the invention, the security measures of the present invention are implemented in a browser 204 that is responsible for the download. The level of access given to active content downloaded from the wide area network is configurable in progressively more "fine-grained" levels that will be discussed in detail below.

The browser 204 includes a security configuration user interface 226 that is pictorially shown in FIGS. 4-9 (discussed below). The security configuration user interface 226 allows for the configuration of user permission sets that comprise progressively more "fine-grained" definitions of the permissions that an Internet security manager 222, which also forms part of the browser 204, will grant to active content coming from anywhere other than the local computer on which the Web browser is running. The security configuration user interface 226 allows the configuration of these actions by zone and by permission sets within zones. The security configuration 227 produced by the security configuration user interface 226 is stored in a system registry 224.

A remote Web server 214 communicates over the wide area network 152 to the Web browser 204. The remote Web server 214 may comprise one or more computer programs executing on the remote computer 149 illustrated in FIG. 1. As should be understood by those skilled in the art of computer systems, and others, the architecture illustrated in FIG. 2 is exemplary, and alternative architectures may be used without departing from the spirit of the invention. For example, the firewall 212 is not required by the invention. Similarly, the invention does not require both the local area network 151 and the local Web server 208. As illustrated in FIG. 1, the client computer executing the Web browser 204 may communicate with the wide area network via a modem 154. Additionally, a Web server may comprise a server program that executes on the same client computer executing the Web browser 204. In such a configuration, communication between a client computer and a server computer refers to communication between programs or software components executing on the same computer.

As depicted in FIG. 2, the Web browser 204 includes three components that perform operations in response to receiving documents from a local Web server 208 or a remote Web server 214: an MSHTML component 216, an SHDOCVW component 218, and a JAVAVM component 220. The MSHTML component 216 performs operations that control the display of an HTML page. The MSHTML component, in cooperation with additional components (not shown), also controls scripting. The SHDOCVW component 218 performs operations related to the user interface. The JAVAVM component 220 performs operations related to Java applets. The MSHTML component 216, the SHDOCVW component 218, and the JAVAVM component 220 perform similarly with respect to the mechanism of the present invention. Each of these components communicates with an Internet security manager 222.

The Internet security manager 222 performs operations to determine the security zone corresponding to a Web server and to determine the permissible operations corresponding to a security zone. The Internet security manager passes security information to the MSHTML component 216, the SHDOCVW component 218, and the JAVAVM component 220, when requested. The Internet security manager 222 illustrated in FIG. 2 communicates with the system registry 224. The system registry 224 operates as a database of information pertaining to application programs that execute on the personal computer 120 (FIG. 1). Windows 95 and Windows 98, available from Microsoft Corporation, of Redmond, Wash., are examples of operating systems that provide a system registry that is employed by application programs to store configuration information for subsequent retrieval.

The mechanism of the invention configures the Web browser to specify a plurality of zones. Each zone includes one or more Web sites, each Web site being situated on a corresponding computer network. The configuration includes information specifying a set of security settings corresponding to each zone. A security setting is a specification indicating an action to perform when a Web page from one of the zones requests a protected operation to be performed. During a Web browsing session, the mechanism of the invention determines the zone corresponding to the Web site currently being browsed. Prior to performing the protected operation, the mechanism of the invention determines the action to perform, based on the current Web site's zone, the requested operation, and the security setting corresponding to the requested operation and the Web site's zone. Depending upon the security setting, the Web browser may perform the requested operation, prevent the requested operation from being performed, or prompt the user for a decision as to whether to perform the requested operation. During the browsing of a Web site, the browser visually indicates the zone corresponding to the Web site.

As noted above, the security configuration user interface component 226 located within the browser 204 stores information pertaining to security in the system registry 224. At the broadest level, the security configuration user interface component 226 stores information representing the security settings corresponding to each security zone and the distribution of Web sites among the security zones. An exemplary zone configuration, denoted Zone A, is shown in block form within the system registry 224 illustrated in FIG. 2. The zone configuration may include a plurality of zones defined by the user, by a system administrator, or shipped as a default with the product incorporating the present invention. The configuration of Zone A (FIG. 2) includes settings for protected operations 228 that represent certain fundamental operations that, if made available to active content, have the potential to enable harm to the user's computer. A listing of some of the protected operations that may be configured by the security configuration user interface 226 appears below.

For some protected operations, such as the permissions granted to active content downloaded from sources outside the user's computer, it is desirable to limit the permissions given to the active content to only those that the active content may legitimately require and that the user is comfortable granting. An actual implementation of the invention defines Java applets and classes 230 as a protected operation. The Java applets and classes 230 are assigned permissions that define the operations that the Java applets and classes 230 are permitted to access. These permissions are determined by the Internet security manager 222 by comparing them against a trusted signed permission set 232, an untrusted signed permission set 234, and an unsigned default permission set 236. The untrusted signed permission set 234 has an associated query/deny flag 235 stored in the system registry 224 that indicates whether the untrusted signed permission set 234 is a query set or a deny set. As will be discussed below, this three-set configuration (232, 234, 236) is used by the present invention to determine the permissions granted to the Java applets and classes downloaded from Zone A 226. The security zone 226 is discussed in detail below.

The security configuration user interface 226 does not need to be part of the browser 204 and can be its own application or a utility found in another application. For example, in addition to the security configuration user interface 226 found in the Microsoft Internet Explorer, an actual embodiment of an alternate security configuration user interface that can also be used to edit the system security policy (FIG. 3) is found in the Internet Explorer Administration Kit (IEAK) available from Microsoft Corporation, Redmond, Wash. The IEAK has a help file containing information on using the security user interface 226 and the configuration of permissions within zones. As will be understood by those skilled in the art of computer programming and others, alternative mechanisms for storing and accessing the security configuration information may be used. For example, the security configuration information described as residing in the system registry 224 may alternatively reside in one or more data structures internal to the application or in files.

I. Configuration of the System Security Policy

An overview of the configuration of the system security policy is illustrated in FIG. 3. As mentioned above, the configuration of the system security policy allows the configuration of progressively more "fine-grain" configuration levels. Each configuration level is a refinement of the previous configuration level. The configuration levels are discussed in detail below, but in overview are:

A. Configure a security zone (block 310) or accept a predefined set of security zones;
  1. Configure one or more protected operations (block 312) associated with each security zone defined in the previous level or accept a predefined set of protected operations;
    a) Configure one or more permission sets (block 314) for a protected operation defined in the previous level or accept a predefined set of permission sets;
      1) Configure one or more permissions for each permission set defined in the previous level (block 316) or accept a predefined set of permissions;
        (a) Configure one or more parameters (block 318) for each permission defined in the previous level using one or more primitives.

In the following discussion, a user is defined as anyone having the right to configure the system security policy. This can include the end user of the browser or a system administrator. As the user "drills down" through the configuration of the progressively more fine-grained definitions of the security policy, there is a corresponding level of sophistication that is required of the user. To provide for the varying levels of user sophistication, as indicated in the overview above, at most levels the user can select predefined settings that define the configuration from that level down.

A. Configuration of Security Zones

The highest level of configuration is the security zone configuration 310 exemplified by the security configuration user interface 226 dialog windows shown in FIGS. 4A and 4B. FIG. 4A illustrates an "Internet Options" dialog window 402 that is presented by the security configuration user interface component 226 to configure security zones. As depicted in FIG. 4A, a "zone" pull-down control 404 lists the different security zones. In one actual embodiment of the invention, four security zones are provided: a "local intranet" zone, a "trusted sites" zone, a "restricted sites" zone, and an "Internet" zone. The local intranet zone includes Web sites that reside on the local area network 151 (FIG. 2) and reside on the same side of the firewall 212 as the Web browser 204. The trusted sites zone includes Web sites that a user trusts. These are sites that a user believes have little risk of containing files or documents that include harmful active content. Trusted sites may reside on the local area network 151 or the wide area network 152. The restricted sites zone includes sites that a user does not trust. In general, a user does not want to allow any operations to be performed in response to files or documents received from a restricted site that may allow potentially harmful active content to be executed. The Internet zone includes by default all Web sites that are not in the local intranet zone or have not been assigned to any other zone. While this actual embodiment of the invention provides four default security zones, additional custom zones may be configured by the user. Alternative embodiments could specify more zones, or fewer zones, or allow a user to create or delete security zones.

The Internet Options dialog window 402 includes a zone description static text control 406 that provides a short description of the zone selected in the zone pull-down control 404. Some of the security zones are configurable, and allow a user to specify the Web sites that are included within the zone. In the actual embodiment referenced above, the local intranet zone, the trusted sites zone, and the restricted sites zone are configurable in this manner. When one of these configurable zones is selected in the zone pull-down control 404, an "add sites" push-button control 418 is enabled. When a user selects the add sites push-button control 418, the Web browser 204 presents a "Web sites" dialog window 420, illustrated in FIG. 4B and described below, that provides a user with the ability to specify the Web sites corresponding to a security zone.

The title 422 of the Web sites dialog window 420 indicates the currently selected security zone from the Internet Options dialog window 402 (FIG. 4A). To add a Web site to the currently selected zone, a user enters the Web site address and a corresponding protocol in an "add" text box 424 and then selects an "add" button 426.

As discussed above, the Internet security manager 222 determines the security zone ID based on the address (URL) of the current Web page. The Internet security manager 222 parses the Web page address to determine the servers that are to be included in the zones according to the listing of domains within each zone. The domain has a number of sub-domains. The "top level" domain indicates a general classification or geographical location. The "second level domain" is registered to a particular user or organization. The last sub-domain is a server computer at the second level domain. For example, if the Web page address (URL) is:

http://www.microsoft.com/ie/plus/default.htm

the corresponding top level domain is:

.com

the corresponding second level domain is:

microsoft.com (registered to Microsoft Corporation, Redmond, Wash.)

and a server named "www" at microsoft.com is fully described as:

www.microsoft.com

The protocol specified in this URL is HTTP, which is used to retrieve a Web document located on the server www.microsoft.com at the path /ie/plus/default.htm. Documents can also be retrieved using other protocols such as the FTP or "FILE" protocol. For example, if the address refers to a local file system:

c:\documents\doc1.htm

the corresponding domain is "c:\", the document is located at path \documents\doc1.htm, and the corresponding protocol is FILE, indicating a file system protocol.

Wildcard characters may be used to specify multiple domain names. In the present invention, wildcard characters include the "*" character (indicating zero or more characters) and the "?" character (indicating any single character). For instance, the expression "*.microsoft.com" specifies all servers at the "microsoft.com" second level domain. If the expression is "web?.microsoft.com", this indicates all servers at microsoft.com beginning with the characters "web" followed by a single character (e.g., web1, web2, webX, etc.). Preferably, when the Internet security manager 222 analyzes the expression, explicit specifications take precedence over general specifications. For example, if a system is configured with "office.microsoft.com" in a first zone, and "*.microsoft.com" in a second zone, a match with "office.microsoft.com" overrides the second, more general specification *.microsoft.com, and the Web site will be considered by the Internet security manager 222 to be part of the first zone.

A user may configure the Web browser 204 so that two different protocols corresponding to the same domain reside in two different security zones. For example, referring to the addresses illustrated above, the combination of HTTP and www.microsoft.com may be configured in the trusted sites security zone, while the combination of FTP and www.microsoft.com may be configured within the Internet security zone. A user may also specify a Web site using numeric IP addresses or a numeric range to include all Web sites having an IP address within the range.
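The following zone lookup is an added illustration, not Microsoft's own code. It parses an address into protocol, domain and path as described above, applies the "*" and "?" wildcards, gives explicit entries precedence over wildcard patterns, keeps each protocol's entries separate, and accepts a numeric IP range. The zone names, the sample site lists and the "low-high" range notation are assumptions; ranking wildcard patterns among themselves by literal length is also an assumption not stated in the text.

```python
"""Security-zone lookup for a URL, in the spirit of the Internet security
manager 222 described above.  Illustrative code, not Microsoft's
implementation: the zone names and sample site lists are constructed."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Site entries are (protocol, site) pairs as typed into the "add" text box.
# A site is a host name (possibly with * and ? wildcards), a single IP
# address, or an IP range written "low-high" (assumed notation).
ZONES: Dict[str, List[Tuple[str, str]]] = {
    "trusted sites": [("http", "www.microsoft.com"),
                      ("https", "*.example-bank.test")],
    "local intranet": [("http", "*.corp.test"),
                       ("http", "10.0.0.1-10.0.0.254"),
                       ("file", "c:\\")],
    "restricted sites": [("http", "office.corp.test"),
                         ("http", "web?.corp.test")],
}
DEFAULT_ZONE = "internet"   # every site not assigned elsewhere


def parse_url(url: str) -> Tuple[str, str, str]:
    """Return (protocol, domain, path).  A bare drive path such as
    c:\\documents\\doc1.htm is the FILE protocol with domain 'c:\\'."""
    m = re.match(r"^([A-Za-z]:\\)(.*)$", url)
    if m:
        return "file", m.group(1).lower(), "\\" + m.group(2)
    m = re.match(r"^([a-z][a-z0-9+.-]*)://([^/]*)(/.*)?$", url, re.IGNORECASE)
    if not m:
        raise ValueError("unrecognised address: " + url)
    return m.group(1).lower(), m.group(2).lower(), m.group(3) or "/"


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """'*' matches zero or more characters and '?' exactly one."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def _ip_range(site: str):
    """Parse 'a.b.c.d' or 'a.b.c.d-e.f.g.h' into (low, high), else None."""
    lo, _, hi = site.partition("-")
    try:
        lo_ip = ipaddress.IPv4Address(lo.strip())
        hi_ip = ipaddress.IPv4Address(hi.strip()) if hi else lo_ip
    except ipaddress.AddressValueError:
        return None
    return lo_ip, hi_ip


def site_matches(site: str, domain: str) -> Optional[int]:
    """Return a specificity score if `site` covers `domain`, else None.
    Explicit names and IP entries score highest, so "office.corp.test"
    beats "*.corp.test" as the text requires; wildcard patterns are
    ranked by the number of literal characters they contain (assumption)."""
    rng = _ip_range(site)
    if rng is not None:
        try:
            addr = ipaddress.IPv4Address(domain)
        except ipaddress.AddressValueError:
            return None
        return 1000 if rng[0] <= addr <= rng[1] else None
    if "*" not in site and "?" not in site:
        return 1000 if site.lower() == domain else None
    if wildcard_to_regex(site).match(domain):
        return len(site.replace("*", "").replace("?", ""))
    return None


def zone_for_url(url: str, zones=ZONES) -> str:
    """Pick the zone whose entry for this protocol best matches the domain.
    Protocols are kept apart, so HTTP and FTP to the same host may land in
    different zones; a domain on no list falls into the Internet zone."""
    protocol, domain, _ = parse_url(url)
    best: Tuple[int, str] = (-1, DEFAULT_ZONE)
    for zone, entries in zones.items():
        for entry_protocol, site in entries:
            if entry_protocol != protocol:
                continue
            score = site_matches(site, domain)
            if score is not None and score > best[0]:
                best = (score, zone)
    return best[1]
```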

The "Web sites" list box 428 (FIG. 4B) displays a list of Web sites that are currently configured within the currently selected security zone. To remove a Web site from a security zone, a user selects a Web site within the Web site list box 428 and selects the "remove" button 430. By selecting (checking) check box 432, the user is required to use the HTTPS protocol for all Web sites entered. The HTTPS protocol is Web server software for Microsoft Windows NT available from Microsoft Corporation, Redmond, Wash. Among other advantages, the HTTPS protocol offers secure network connections and verification that the server purporting to send the information is actually the server sending the information.

As shown in FIG. 4A, most of the dialog windows presented by the security configuration user interface 226 have an "OK" or "Save" button 433, a "Cancel" button 434, and sometimes an "Apply" button 436. Pressing (by selecting with an input device such as a mouse or keyboard) the "OK" or "Save" button 433 causes the configuration indicated on the current dialog to be saved and exits the dialog. Pressing the "Cancel" button closes the current dialog without recording any configuration change made in the dialog. The "Apply" button 436, when available, saves and applies the configuration but does not exit the dialog. Other dialog windows (e.g., FIG. 5B) present a "Yes" button 514 that when pressed accepts the action suggested in the dialog window, a "No" button 516 that does not accept the action suggested in the dialog window, and a "More Info" or "Help" button 518 that accesses a help file that displays a dialog with an explanation of the dialog from which it is called. The help file may also be accessed for many of the individual controls within the dialog by selecting the control and pushing the "F1" key on the computer keyboard.

The Internet Options dialog window 402 also includes a mechanism for selecting a security level corresponding to each security zone. As depicted in FIG. 4A, a choice of four security levels is provided for each security zone (the Internet zone is currently displayed in the dialog window 402): high level 408, medium level 410, low level 412, and custom level 414. Each security level has a corresponding radio button control. The high security level 408 provides the most security, and excludes the greatest number of potentially damaging operations. The low security level 412 provides the lowest level of security and allows the most operations to be performed without warning the user. The custom security level 414 allows a user to customize the configuration for a security zone by specifying an action to be taken corresponding to each protected operation. The use of the custom security level is described in detail below. Alternate embodiments of the invention may include additional security levels or fewer security levels than the four levels depicted in FIG. 4A.

For each of the security zones, a user can specify the corresponding security level. Each security zone has a default security level, which is used if not changed by a user. The default security level for the local intranet zone is medium. The default security level for the trusted sites zone is low. The default security level for the restricted sites zone is high, and the default security level for the Internet zone is medium. When a user selects a security zone in the zone pull-down control 404, the security configuration UI component 226 indicates the corresponding security level by selecting the corresponding security level radio button 408, 410, 412, or 414. The zone security level can be reset to the default value for the zone by pressing reset button 419.

1). Configuration of Protected Operations

In the next level down of configuration, a set of protected operations is configured for each security zone (see, FIG. 3; block 312). When the custom security level radio button 414 is selected, a "settings" push-button 416 (FIG. 4A) is enabled. Pressing the settings push-button 416 causes the security configuration user interface 226 to display a "Security Settings" dialog window 502, illustrated in FIG. 5. The security settings dialog window 502 includes a protected operation settings window 504, which provides a list of protected operations that can be configured by the mechanism of the invention. For each protected operation, a set of two or more corresponding settings is displayed with associated mutually exclusive radio buttons. A user can select a setting corresponding to each operation listed in the security settings dialog window 502 by selecting the associated radio button.

In one actual embodiment of the invention, the security configuration user interface 226 provides settings for each of the protected operations listed below. After each protected operation, the choices for its setting are listed with an "O" character representing the associated radio button for the selection.

Script ActiveX Controls Marked "Safe for Scripting": O Enable O Prompt O Disable
Run ActiveX Controls and Plug-Ins: O Enable O Prompt O Disable
Download Signed ActiveX Controls: O Enable O Prompt O Disable
Download Unsigned ActiveX Controls: O Enable O Prompt O Disable
Initialize and Script ActiveX Controls Not Marked As "Safe": O Enable O Prompt O Disable
Java Permissions: O Custom O Low safety O Medium safety O High safety O Disable Java
Active Scripting: O Enable O Prompt O Disable
Scripting of Java Applets: O Enable O Prompt O Disable
File Download: O Enable O Disable
Font Download: O Enable O Prompt O Disable
Log-On: O Automatic log-on only in Internet zone O Anonymous log-on O Prompt for user name and password O Automatic log-on with current user name and password
Submit Nonencrypted Form Data: O Enable O Prompt O Disable
Launching Applications and Files in an IFRAME: O Enable O Prompt O Disable
Installation of Desktop Items: O Enable O Prompt O Disable
Drag and Drop or Copy and Paste Files: O Enable O Prompt O Disable
Software Channel Permissions: O Low safety O Medium safety O High safety

The set of protected operations can be extended within the present invention. A setting of "enable" corresponding to an operation indicates that the operation is to be performed, when requested, without warning the user. A setting of "disable" indicates that the corresponding operation is not to be performed. A setting of "prompt" indicates that, when the corresponding operation is requested, the Web browser should query the user whether to proceed with the operation before performing it.
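The following Python model makes the zone, security level, protected operation and action resolution concrete. It is an added example, not code from the patent or from Internet Explorer. The zone names, the default level of each zone and the three actions come from the text; the preset table (which action each level assigns to each operation), the operation keys, the monotonicity check and all function names are assumptions made for illustration, since the text states only that "high" excludes the most operations and "low" warns the least.

```python
"""Zone / security-level / protected-operation model of the dialogs described above.

Added example, not code from the patent or from Internet Explorer.  Zone names,
default levels and the enable/prompt/disable actions come from the text; the
preset table, operation keys and function names are assumptions for illustration.
"""
from enum import Enum
from typing import Callable, Dict


class Action(Enum):
    ENABLE = "enable"    # perform without warning the user
    PROMPT = "prompt"    # ask the user before performing
    DISABLE = "disable"  # never perform


# Default security level of each zone, as stated in the text.
DEFAULT_LEVEL: Dict[str, str] = {
    "local_intranet": "medium",
    "trusted_sites": "low",
    "internet": "medium",
    "restricted_sites": "high",
}

# Assumed presets for a subset of the protected operations listed above; the
# text gives no per-level table, only that "high" excludes the most operations
# and "low" warns the least.
PRESETS: Dict[str, Dict[str, Action]] = {
    "low": {
        "download_signed_activex": Action.ENABLE,
        "download_unsigned_activex": Action.PROMPT,
        "run_activex": Action.ENABLE,
        "file_download": Action.ENABLE,
        "submit_nonencrypted_form_data": Action.ENABLE,
    },
    "medium": {
        "download_signed_activex": Action.PROMPT,
        "download_unsigned_activex": Action.DISABLE,
        "run_activex": Action.ENABLE,
        "file_download": Action.ENABLE,
        "submit_nonencrypted_form_data": Action.PROMPT,
    },
    "high": {
        "download_signed_activex": Action.DISABLE,
        "download_unsigned_activex": Action.DISABLE,
        "run_activex": Action.DISABLE,
        "file_download": Action.DISABLE,
        "submit_nonencrypted_form_data": Action.PROMPT,
    },
}
RANK = {Action.ENABLE: 0, Action.PROMPT: 1, Action.DISABLE: 2}  # looser -> stricter


def presets_are_monotonic() -> bool:
    """Check the preset table: high is never looser than medium, medium never looser than low."""
    return all(
        RANK[PRESETS["low"][op]] <= RANK[PRESETS["medium"][op]] <= RANK[PRESETS["high"][op]]
        for op in PRESETS["low"]
    )


class ZonePolicy:
    """Security level of one zone plus its custom per-operation settings."""

    def __init__(self, zone: str) -> None:
        self.zone = zone
        self.level = DEFAULT_LEVEL[zone]
        self.custom: Dict[str, Action] = dict(PRESETS[self.level])

    def set_level(self, level: str) -> None:
        if level not in ("low", "medium", "high", "custom"):
            raise ValueError(level)
        self.level = level

    def reset_to_default(self) -> None:              # the zone "reset" button 419
        self.set_level(DEFAULT_LEVEL[self.zone])

    def reset_custom_to(self, preset: str) -> None:  # "reset" 506 with the "reset to" pull-down 508
        self.custom = dict(PRESETS[preset])

    def set_operation(self, op: str, action: Action) -> None:
        # The settings dialog is reachable only while the custom level is selected.
        if self.level != "custom":
            raise ValueError("protected-operation settings are editable only at the custom level")
        if op not in self.custom:
            raise KeyError(op)
        self.custom[op] = action

    def action_for(self, op: str) -> Action:
        table = self.custom if self.level == "custom" else PRESETS[self.level]
        return table[op]


def request_operation(policy: ZonePolicy, op: str, site: str,
                      ask_user: Callable[[str, str], bool]) -> bool:
    """Resolve a request from `site` for protected operation `op` to allow (True) or deny (False).

    `ask_user` stands in for the security-warning dialog of FIG. 5B; it receives the
    operation and the requesting site, and is consulted only for a "prompt" setting.
    """
    action = policy.action_for(op)
    if action is Action.ENABLE:
        return True
    if action is Action.DISABLE:
        return False
    return ask_user(op, site)
```

The check in `presets_are_monotonic` is the kind of invariant worth keeping alongside any such table: a preset that is stricter at "medium" than at "high" is a configuration bug that no single dialog makes visible.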

FIG. 5B illustrates an exemplary "security warning" dialog window 510 that is displayed in response to a request to perform an operation having a corresponding "prompt" setting. As illustrated in FIG. 5B, the security warning dialog window 510 preferably informs the user of the operation to be performed and the current Web site that is requesting the operation. The user can answer yes or no to indicate whether the operation is to be performed. As depicted in FIG. 5B, in one actual embodiment, the security warning dialog window 510 includes an "always trust software" checkbox 512. When a user selects this checkbox, all software that is properly digitally signed from the specified source is considered to be "trusted software."

The security settings dialog window 502 (FIG. 5A) also includes a "reset" push-button 506 and a "reset to" pull-down control 508. When a user presses the reset button 506, all of the settings corresponding to the protected operations in the custom security level are reset to the security level specified in the "reset to" pull-down control 508. The user can then make changes to individual settings in the protected operation settings control window 504.

Administering Permissions in Zones

a) Configuration of Permission Sets for Certain Protected Operations

For certain protected operations, it is advantageous to provide for a more "fine grained" configuration of security policy than the "enable", "disable" and "prompt" configuration options discussed above. The administration of active content from zones that are not fully trusted is an example of when fine grained configuration is particularly beneficial. The purpose of active content has progressed from displaying animation in Web documents to providing useful features and utilities that the user may wish to use. In general, however, the more functionality offered by the active content, the more access to and control over the host system the active content must have.

Giving access and control to active content implies risk to the host system that the active content will perform some harmful action. The present invention allows the user to balance the risk of the active content performing harmful action versus the reward of the active content as advertised and to configure a security policy accordingly. By associating a security policy with a zone from which the active content is downloaded, the user can effectively assign a certain security policy to a group of Web sites having active content that pose similar risk.

Returning to FIG. 3, the fine-grained administration of the security settings for the individual protected operations is illustrated in a protected operations configuration block 312. Protected operations are defined by permissions grouped in permission sets. Permissions are configured in permission sets for use in the administration of permissions within zones, which is discussed in detail below (see FIG. 3, block 314).

The individual permissions for a protected operation associated with a security zone are configured in a block 314. In FIG. 5A, the configuration dialog window 504 shows a protected operation for Java classes and applets 514. The Java protected operation 514 has a set of constituent permissions which determine the capabilities that will be allowed to downloaded Java active content from the security zone being configured. At the configuration of the permissions level 314 (FIG. 3), the user can specify the low safety default set of permissions 518, the medium safety default set of permissions 520, or the high safety default set of permissions 522. The user can also select to disable any Java content 524 or to create a custom set of permissions 526. The selection of the custom set of permissions 526, low safety set of permissions 518, medium safety set of permissions 520, high safety set of permissions 522 or to disable Java active content 524 altogether is accomplished by selecting the radio button associated with each of these entries.

In FIG. 5A, the radio button associated with a custom set of Java permissions is shown as selected. The selection of the custom set of permissions 526 radio button exposes a Java custom settings button 530. The Java custom settings button 530 is pressed in order to reach an Internet zone configuration screen 610 illustrated in FIG. 6. The Internet zone configuration screen 610 includes a view permissions tab 612. The view permissions tab 612 exposes a hierarchical listing of the permissions associated with the Java applets and classes protected operation, organized in three permission sets. The first is the set of permissions given to unsigned content (permission set 616). The second is the set of permissions that signed content is allowed (permission set 618), and the third is the set of permissions that signed content is denied (permission set 620). Under each of these three permission sets 616, 618, and 620 is a list of the configurable permissions in the permission set. Each permission has a set of parameters that define the scope of the permission. The hierarchical display in the permission listing window can be expanded and collapsed to reveal more or less information as desired by the user using a treeview control known to those skilled in the art. For instance, it is possible to expose below the file I/O permission the read-from file URL code base parameter 624. The read-from file URL code base parameter 624, in turn, can be opened to expose the setting of the parameter, which is indicated to be "OK" 626.

The permissions that may be configured for unsigned content 616 are:

File I/O
Network I/O
User Interface Access
System Properties
Reflection
Threads

A similar set of permissions is listed for the permissions that signed content are allowed permission set 618, with the additional permissions:

Client Storage
User File I/O

The permissions that signed content is denied permission set 620 indicate that no permissions have currently been specified.

Custom permission sets may be defined for certain protected operations. In an actual embodiment of the invention, custom permission sets may be defined for Java applets and classes. However, the present invention also contemplates alternative embodiments for protected operations that regulate other active content. Permissions within each permission set 616, 618, and 620 are independently configurable.

1). Configure Permissions Associated with a Permission Set

The next level down in the progressively more fine-grain configuration of the system security policy is to configure the permissions associated with each permission set (see FIG. 3, block 316). FIGS. 7A-E illustrate the user configuration interface 226 for the configuration of individual permissions within a permission set. A detailed description of the permissions that may be configured in the invention as actually implemented in Microsoft Internet Explorer is given in several published sources available to software developers through the Microsoft Web site (www.microsoft.com) and the Microsoft Developer Network ("MSDN") subscription service available from Microsoft Corporation, Redmond, Wash. on CD-ROM. One of these published sources is entitled "Trust-Based Security For Java" <mk:@ivt:pdinet/good/java/htm/trust_based_security.htm> (MSDN Library CD, Apr. 19, 1998), incorporated herein by reference.

At this level of configuration, permissions can be configured for signed content and unsigned content permission sets. Signed content means content that has been digitally signed in such a manner that the integrity of the content and the identity of the publisher is guaranteed. The content is unsigned if the content does not have a digital signature. The creation and components of a digital signature are discussed in detail below.

The configuration of permissions indicated in FIGS. 7A-E allows the user to disable or enable groups of permissions or individual permissions. The edit permissions user interface 702 is exposed by selecting the edit permissions tab 704. The permissions are grouped under the permissions that will be configured for the unsigned content and a separate set of permissions that will be assigned to signed content. The permissions are displayed in a permission display window 706 which displays a hierarchy of the following permission configuration options:

Unsigned Content
  Run Unsigned Content: O Run in a sandbox O Disable O Enable
  Additional Unsigned Permissions
    Access to all Files: O Disable O Enable
    Access to all Network Addresses: O Disable O Enable
    Execute: O Disable O Enable
    Dialogs: O Disable O Enable
    System Information: O Disable O Enable
    Printing: O Disable O Enable
    Protected Scratch Space: O Disable O Enable
    User Selected File Access: O Disable O Enable
Signed Content
  Run Signed Content: O Prompt O Disable O Enable
  Additional Signed Permissions
    Access to all Files: O Prompt O Disable O Enable
    Access to all Network Addresses: O Prompt O Disable O Enable
    Execute: O Prompt O Disable O Enable
    Dialogs: O Prompt O Disable O Enable
    System Information: O Prompt O Disable O Enable
    Printing: O Prompt O Disable O Enable
    Protected Scratch Space: O Prompt O Disable O Enable
    User Selected File Access: O Prompt O Disable O Enable

Standard security for Java active content has been to run the code in a "sandbox" that provides very limited access to the host system resources. The user can elect to run unsigned active content in the sandbox by selecting radio button 708. The user can also choose to disable all permissions for unsigned content by selecting radio button 710. When the disable unsigned content radio button 710 is selected, the ability of the user to enable or disable individual permissions for running unsigned content is also disabled by "graying out" the remaining radio buttons under the additional unsigned permissions listing 712. Similarly, if the user chooses to enable all permissions for unsigned content by selecting the unsigned content enable radio button 714, all permissions are enabled for the unsigned content and the radio buttons are "grayed out" so that the user is unable to specify whether individual permissions for the unsigned content are enabled or disabled.

If the user desires to run the unsigned content in the sandbox but to provide additional unsigned permissions, the user selects the run in sandbox radio button 708. Individual permissions generally indicated by 716 can then be individually enabled or disabled by selecting the corresponding radio button. For instance, if the user desires to allow the active content downloaded from the security zone to be able to print, the user selects the enable radio button 718 under the printing permission 720 to enable printing.

As with most levels of granularity in configuration of security settings, it is possible to reset all of the actions to the default values provided in a high security, medium security, and low security permission defaults by selecting one of those options in the reset drop-down box 722 and pressing the reset button 724. The permissions may also be reset to a saved permissions set 726 by selecting the saved permissions option 726 in the reset to drop-down box 722 and pressing the reset button 724. A dialog inquires if the user would like to save the configuration as a saved permission set when the user exits the dialog window shown in FIGS. 7A-E. The configuration is written to the system registry 224 and the dialog window 702 is closed if the user invokes the "OK" button. If the user invokes the "Cancel" button 740, the dialog window 702 is closed and the new configuration is not saved in the system registry 224.
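The following Python model shows how the three permission sets of FIG. 6 (unsigned, signed-allowed, signed-denied) and the run-mode radio groups of FIGS. 7A-E combine to decide on a requested permission set before any content runs, which is the point of making the request declarative. It is an added example, not code from the patent or from Internet Explorer. The permission names, the row names of the edit-permissions dialog, the "run in a sandbox / disable / enable" and "prompt / disable / enable" choices and the graying-out rule come from the text; the concrete parameters each permission carries, what the sandbox grants, the `name/parameter` request syntax and the function names are assumptions for illustration.

```python
"""Decide on a declarative permission request against a zone's Java permission sets.

Added example, not code from the patent or from Internet Explorer.  Permission
names and dialog rows follow the text; the parameters, the sandbox contents and
the request syntax are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set, Tuple

Permission = Tuple[str, str]   # (permission name, parameter), e.g. File I/O / read-from-codebase

# Assumed content of the Java "sandbox": the text says only that it gives very
# limited access to host resources.
SANDBOX: FrozenSet[Permission] = frozenset({
    ("file_io", "read_from_codebase"),
    ("network_io", "connect_to_codebase"),
    ("user_interface_access", "top_level_window"),
    ("threads", "own_threadgroup"),
})

# Rows of the "additional permissions" lists in FIGS. 7A-E, expanded to the
# parameterised permissions each row grants (an assumption for illustration).
ADDITIONAL: Dict[str, FrozenSet[Permission]] = {
    "access_all_files": frozenset({("file_io", "read_any"), ("file_io", "write_any")}),
    "access_all_network_addresses": frozenset({("network_io", "connect_any")}),
    "execute": frozenset({("execute", "any_program")}),
    "dialogs": frozenset({("user_interface_access", "dialogs")}),
    "system_information": frozenset({("system_properties", "read_all")}),
    "printing": frozenset({("printing", "any_printer")}),
    "protected_scratch_space": frozenset({("client_storage", "scratch")}),
    "user_selected_file_access": frozenset({("user_file_io", "file_dialog")}),
}
ALL_ADDITIONAL: FrozenSet[Permission] = frozenset().union(*ADDITIONAL.values())


@dataclass
class ContentPolicy:
    """One "Run ... Content" radio group plus its additional-permission rows."""
    run: str                                               # unsigned: sandbox|disable|enable; signed: prompt|disable|enable
    rows: Dict[str, str] = field(default_factory=dict)     # row name -> enable|disable|prompt
    denied: FrozenSet[Permission] = frozenset()            # the signed-content "denied" set 620

    def _rows_with(self, setting: str) -> Set[Permission]:
        return set().union(*(ADDITIONAL[r] for r, s in self.rows.items() if s == setting))

    def granted(self) -> Set[Permission]:
        """Effective permission set after the graying-out rule: "disable" or "enable"
        on the run row overrides every individual row; otherwise sandbox plus the
        rows set to "enable".  The denied set is subtracted in every case."""
        if self.run == "disable":
            return set()
        if self.run == "enable":
            return set(SANDBOX | ALL_ADDITIONAL) - set(self.denied)
        return (set(SANDBOX) | self._rows_with("enable")) - set(self.denied)

    def promptable(self) -> Set[Permission]:
        """Rows the user may be asked about; only the signed dialog offers "prompt"."""
        if self.run != "prompt":
            return set()
        return self._rows_with("prompt") - set(self.denied)


def parse_request(text: str) -> Set[Permission]:
    """Parse a constructed, whitespace-separated 'name/parameter' request list.
    This is an illustrative syntax, not the catalog-file format of the patent."""
    out: Set[Permission] = set()
    for item in text.split():
        name, _, param = item.partition("/")
        if not name or not param:
            raise ValueError(f"malformed permission {item!r}")
        out.add((name, param))
    return out


def decide(requested: Set[Permission], policy: ContentPolicy) -> str:
    """Return "run", "prompt" or "refuse" for a requested set, without running the content."""
    if requested & policy.denied:
        return "refuse"                        # the denied set wins over every other setting
    if policy.run == "disable":
        return "refuse"
    missing = set(requested) - policy.granted()
    if policy.run == "prompt":
        # The user is always asked before signed content runs; rows set to
        # "prompt" become part of that question, anything else missing is fatal.
        return "prompt" if missing <= policy.promptable() else "refuse"
    return "run" if not missing else "refuse"
```

Because the request is evaluated from the package's declared permission set rather than observed at run time, a refusal costs nothing beyond parsing the request, and an unsigned applet that declares more than the sandbox grants never gets a prompt it could use to talk the user into it.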

The configuration of the permissions for signed content is illustrated in FIGS. 7C-E. Signed content is inherently more trustworthy, but not necessarily trusted, because the code has been digitally signed by an identifiable publisher and the digital signature guarantees that the downloaded content is exactly what the publisher originally published. All permissions in the run signed content list 726 can be enabled by the user by selecting the enable signed content permissions radio button 728 or disabled by selecting the run signed content disable radio button 730. As described above with regard to the unsigned content, enabling or disabling the signed content by radio button 728 or 730 enables or disables all of the permissions listed under the additional signed permissions list 732 and grays out the radio buttons for the individual permissions.

If the user wishes to be prompted before signed content is allowed to run, the user selects the signed content prompt radio button 734 and then individually configures