Announcement

Collapse
No announcement yet.

Disabling Binary and Script Behaviors in IE security settings

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Disabling Binary and Script Behaviors in IE security settings

    Good day,

    I am trying to understand the security risks associated with IE binary and script behaviors. From what I understand binary behaviors are run with the same permissions as the local user (can I have verification on this?). In my environment because users have local administrator permissions (don't ask--I am working on this) binary behaviors in the Internet zone are potentially a very dangerous thing.

    So I disabled Binary and Script Behaviors in the internet zone via group policy. However, this caused a somewhat obscure internet website to stop working.

    I need to figure out what I should do with this binary behaviors setting. What is the prevalence of binary behaviors on the internet? Am I right in thinking that they are a dated technology? Am I doing the right thing by disabling them on the Internet zone? Why are they enabled by default in IE8?

    Thank you in advance for you help.

  • #2
    Re: Disabling Binary and Script Behaviors in IE security settings

    Surely somebody here has implemented IE security options via group policy and has had to decide what to do with binary behaviors. Does anybody here have any experience, references, or an opinion of any sort?

    Comment


    • #3
      Re: Disabling Binary and Script Behaviors in IE security settings

      What obscure website and how does it affect it???

      What were the exact GPO settings that you enabled???

      Does this website affect any work that needs to be done???

      Comment


      • #4
        Re: Disabling Binary and Script Behaviors in IE security settings

        Thank you for your reply.

        > What obscure website and how does it affect it???

        Okay, well the website is mapfan.com and it is the Japanese equivalent of Mapquest. If I disable binary behaviors the map images stop displaying.

        > What were the exact GPO settings that you enabled???

        I'm not at work right now and my home computer is Linux based (not Windows) so I can't check, but the setting is in IE security options/settings. You don't need Active Directory see the problem with the site--just try manually disabling the Binary and Script Behaviors security option in the Internet zone.

        > Does this website affect any work that needs to be done???

        I am told that they only need the website to calculate distances between 2 different physical points--they do not actually need to see the map images. However, they are Japanese and are probably lying (not wanting to be a burden, rock the boat, or something like that).

        Comment


        • #5
          Re: Disabling Binary and Script Behaviors in IE security settings

          What happens if you set the GPO to Administrator approved and approve the website???

          I'm also not at work at the moment and won't be for a few days so can't check the GPO setting.

          Comment


          • #6
            Re: Disabling Binary and Script Behaviors in IE security settings

            > What happens if you set the GPO to Administrator approved and approve the website???

            That is a good question. I did a lot of searching on the Administrator approved option in the GPO, but I didn't really understand it. Specifically, take the following syntax for defining admin-approved binary behaviors (http://technet.microsoft.com/en-us/library/cc776248%28WS.10%29.aspx):

            #% Namespace %#% Behavior %=dword:00000001


            What is namespace in this instance? The website URL? What is behavior? The Microsoft documentation is simply too opaque to grasp.

            All the other documentation I read seemed to be geared towards developers running Binary behaviors on the local network. I couldn't find any examples incorporating a 3rd party internet-based website.

            Comment


            • #7
              Re: Disabling Binary and Script Behaviors in IE security settings

              One other thing, regardless of whether I am able add the above site's binary behavior to the admin-approved list (which I am still unsure of how do do), or add the site itself to the trusted sites zone, the fact (at least I think it is a fact) remains that the binary behavior will have full administrator access to the local computer. So what if the binary behavior "goes rogue" so to speak?

              Based on what I've read, it should seem that binary behaviors on the public internet ought to be a major security concern. So why are binary behaviors enabled by default in IE? How commonly are they used on the Internet anyway?

              Comment

              Working...
              X