Download, Attachment, and Authenticode Enhancements In Windows Server 2003

  • Author
    Posts
    • #2196
      Webmaster
      Keymaster

      The Microsoft Windows Server 2003 Internet Explorer Enhanced Security Configuration component (also known as
      Microsoft Internet Explorer hardening) reduces a server’s vulnerability to attacks from Web content by applying more
      restrictive Internet Explorer security settings that disable scripts, ActiveX components, and file downloads for resources in the
      Internet security zone. As a result, many of the security enhancements included in the latest release of Internet Explorer will
      not be as noticeable in Windows Server 2003 Service Pack 1. For example, the new Internet Explorer Notification Bar and
      Pop-up Blocker features will not be used unless the site is in a zone whose security setting allows scripting. If you are not
      using the enhanced security configuration on your server, these features will function as they do in Windows XP Service
      Pack 2.
      What do the download, attachment and Authenticode enhancements do?
      In Windows Server 2003 with Service Pack 1, the prompts that are used for file downloads, mail attachments, shell process
      execution, and program installation have been modified to be more consistent and clearer than they were in previous versions
      of Windows Server. In addition, the publisher information will be shown before a file type that is signable and can potentially
      harm the user’s machine is opened. (Common examples of signable file types that can potentially harm the user’s machine are
      .exe, .dll, .ocx, .msi, and .cab.)
      There is a new application programming interface (API), which allows application developers to make use of this new user
      interface. For more information regarding the API, see “AES API Integration,” in the section of this document on changes to email
      features in Windows Server 2003 Service Pack 1.
      Who does this feature apply to?
      Application developers will be able to call the new Attachment Manager dialog box from their Windows applications by using
      the API that is described in the “Attachment Manager API Integration” topic in the “Outlook Express” section of this document.
      Application developers should also be aware that, in certain scenarios, such as attempting to open an attachment or
      downloading a file that is potentially dangerous, file types that can potentially harm a user’s computer will have their digital
      signatures checked before they are opened. The signature information is presented to the user to help inform the user of the
      file’s publisher.
      What existing functionality is changing in Windows Server 2003 Service Pack 1?
      Internet Explorer file download prompt
      Detailed description
      When a user uses Internet Explorer to download a file, the dialog box that appears has the following changes:
      A file handler icon has been added.
      A new information area has been added to the bottom of the dialog box that provides slightly different information,
      depending on whether the downloaded file type is of higher or lower risk.
      All file types that are signable and that can potentially harm a user’s computer are checked for publisher information. This
      information will be shown to the user before opening the file.
      The publisher information is shown before opening a file type that is signable and that can potentially harm the user’s
      computer. The Authenticode dialog box presents this information to the user, who can then make a more informed decision
      about running the file.
      Why is this change important?
      This change helps bring consistency and clarity to the experience of downloading files and code to a user’s computer. The
      publisher check provides crucial information when a signature is found in a file and provides a systematic way to prevent files
      that are from suspicious publishers from compromising the security of a computer.
      What works differently?
      Files with blocked publishers are not allowed to run.
      How do I resolve these issues?
      You can unblock a publisher of an add-on by using Manage Add-ons in Internet Explorer. To unblock a publisher to enable
      the download of a specific file, you can remove the publisher from the Untrusted Publishers list. To do this, in Internet
      Explorer, on the Tools menu, click Internet Options, click the Content tab, click the Publishers button and then remove the
      publisher’s name from the Untrusted Publishers list.
      Outlook Express e-mail attachment prompt
      Detailed description
      The Outlook Express e-mail attachment prompt uses the same procedures as file downloads and leverages the AES API
      Integration. As a result, e-mail attachments in Outlook Express show the publisher information for file types that can
      potentially harm a user’s computer and any file whose publisher has been blocked will not be allowed to run.
      Why is this change important?
      This change helps bring consistency and clarity to the experience of downloading files and code to a user’s computer.
      Add-on install prompt
      Detailed description
      The Internet Explorer add-on install prompt has been simplified and only displays the file name and publisher information
      from the digital signature. It provides a warning about the risk associated with installing the add-on in order to help the user
      make a good decision about installing the add-on. Also, additional functionality was added to the prompt so that users can always
      block a publisher, indicating that Windows should never trust anything from the publisher. This blocks the publisher from
      running code on the computer.
      Why is this change important?
      This change helps bring consistency and clarity to the experience of downloading files and code to a user’s computer. In
      addition, the user can choose not to trust a publisher when the user is prompted to install the add-on. This gives users more
      control over their experience.
      What works differently? Are there any dependencies?
      When you install an add-on, the user interface is more clear and concise.
      How do I resolve these issues?
      By default, Internet Explorer will not allow users to run invalid or unsigned ActiveX controls. The Information Bar will provide
      an alternative way for the user to choose to install a blocked control. For more information see Internet Explorer Information
      Bar.
      What settings are added or changed in Windows Server 2003 Service Pack 1?
      Users now have the ability to block a publisher from running code on their computer.
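
The publisher check and the Untrusted Publishers list described in the post can also be inspected from a script. The following is an added example, not part of the original post or of Microsoft's documentation; the function name `Get-PublisherTrustReport` and the Downloads folder path are hypothetical, and it relies on the Untrusted Publishers list being backed by the `Disallowed` certificate store.

```powershell
# Added example: report a file's Authenticode publisher and whether that
# publisher's certificate sits in the Untrusted Publishers list (the
# "Disallowed" certificate store) for the current user or the machine.
function Get-PublisherTrustReport {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path   # a signable file: .exe, .dll, .ocx, .msi or .cab
    )

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate     # $null when the file is unsigned

    # Stores that hold blocked publishers, per user and per machine.
    $stores    = 'Cert:\CurrentUser\Disallowed', 'Cert:\LocalMachine\Disallowed'
    $blockedIn = @()
    if ($cert) {
        foreach ($store in $stores) {
            $hit = Get-ChildItem -Path $store |
                Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
            if ($hit) { $blockedIn += $store }
        }
    }

    # Same three outcomes the prompts distinguish: blocked publisher,
    # valid signature with a publisher to show, or nothing trustworthy to show.
    if ($blockedIn.Count -gt 0)       { $verdict = 'Publisher is blocked' }
    elseif ($sig.Status -eq 'Valid')  { $verdict = 'Signed; publisher can be shown' }
    else                              { $verdict = 'Unsigned or invalid signature' }

    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status
        Publisher  = if ($cert) { $cert.Subject } else { $null }
        Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
        BlockedIn  = $blockedIn -join ', '
        Verdict    = $verdict
    }
}

# Hypothetical folder: review every signable file a user has downloaded.
Get-ChildItem -Path "$env:USERPROFILE\Downloads\*" -Include *.exe, *.dll, *.ocx, *.msi, *.cab |
    ForEach-Object { Get-PublisherTrustReport -Path $_.FullName }
```

A non-empty `BlockedIn` value identifies the store from which the publisher would have to be removed, which is the scripted counterpart of the Publishers button procedure in the post.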
