Download, Attachment, and Authenticode Enhancements In Windows Server 2003


This topic contains 0 replies, has 1 voice, and was last updated by Webmaster 2 weeks, 1 day ago.

  • #2196

    Webmaster
    Keymaster

    The Microsoft Windows Server 2003 Internet Explorer Enhanced Security Configuration component (also known as
    Microsoft Internet Explorer hardening) reduces a server’s vulnerability to attacks from Web content by applying more
    restrictive Internet Explorer security settings that disable scripts, ActiveX components, and file downloads for resources in the
    Internet security zone. As a result, many of the security enhancements included in the latest release of Internet Explorer will
    not be as noticeable in Windows Server 2003 Service Pack 1. For example, the new Internet Explorer Notification Bar and
    Pop-up Blocker features will not be used unless the site is in a zone whose security setting allows scripting. If you are not
    using the enhanced security configuration on your server, these features will function as they do in Windows XP Service
    Pack 2.
    What do the download, attachment and Authenticode enhancements do?
    In Windows Server 2003 with Service Pack 1, the prompts that are used for file downloads, mail attachments, shell process
    execution, and program installation have been modified to be more consistent and clearer than they were in previous versions
    of Windows Server. In addition, the publisher information will be shown before a file type that is signable and can potentially
    harm the user’s machine is opened. (Common examples of signable file types that can potentially harm the user’s machine are
    .exe, .dll, .ocx, .msi, and .cab.)
    There is a new application programming interface (API), which allows application developers to make use of this new user
    interface. For more information regarding the API, see “AES API Integration,” in the section of this document on changes to email
    features in Windows Server 2003 Service Pack 1.
    Who does this feature apply to?
    Application developers will be able to call the new Attachment Manager dialog box from their Windows applications by using
    the API that is described in the “Attachment Manager API Integration” topic in the “Outlook Express” section of this document.
    Application developers should also be aware that, in certain scenarios, such as attempting to open an attachment or
    downloading a file that is potentially dangerous, file types that can potentially harm a user’s computer will have their digital
    signatures checked before they are opened. The signature information is presented to the user to help inform the user of the
    file’s publisher.
    What existing functionality is changing in Windows Server 2003 Service Pack 1?
    Internet Explorer file download prompt
    Detailed description
    When a user uses Internet Explorer to download a file, the dialog box that appears has the following changes:
    A file handler icon has been added.
    A new information area has been added to the bottom of the dialog box that provides slightly different information,
    depending on whether the downloaded file type is of higher or lower risk.
    All file types that are signable and that can potentially harm a user’s computer are checked for publisher information. This
    information will be shown to the user before opening the file.
    The publisher information is shown before opening a file type that is signable and that can potentially harm the user’s
    computer. The Authenticode dialog box presents this information to the user, who can then make a more informed decision
    about running the file.
    Why is this change important?
    This change helps bring consistency and clarity to the experience of downloading files and code to a user’s computer. The
    publisher check provides crucial information when a signature is found in a file and provides a systematic way to prevent files
    that are from suspicious publishers from compromising the security of a computer.
    What works differently?
    Files with blocked publishers are not allowed to run.
    How do I resolve these issues?
    You can unblock a publisher of an add-on by using Manage Add-ons in Internet Explorer. To unblock a publisher to enable
    the download of a specific file, you can remove the publisher from the Untrusted Publishers list. To do this, in Internet
    Explorer, on the Tools menu, click Internet Options, click the Content tab, click the Publishers button and then remove the
    publisher’s name from the Untrusted Publishers list.
    Outlook Express e-mail attachment prompt
    Detailed description
    The Outlook Express e-mail attachment prompt uses the same procedures as file downloads and leverages the AES API
    Integration. As a result, e-mail attachments in Outlook Express show the publisher information for file types that can
    potentially harm a user’s computer and any file whose publisher has been blocked will not be allowed to run.
    Why is this change important?
    This change helps bring consistency and clarity to the experience of downloading files and code to a user’s computer.
    Add-on install prompt
    Detailed description
    The Internet Explorer add-on install prompt has been simplified and only displays the file name and publisher information
    from the digital signature. It provides a warning about the risk associated with installing the add-on in order to help the user
    make a good decision about installing the add-on. Also, additional functionality was added to the prompt so that users always
    block a publisher, indicating that Windows should never trust anything from the publisher. This blocks the publisher from
    running code on the computer.
    Why is this change important?
    This change helps bring consistency and clarity to the experience of downloading files and code to a user’s computer. In
    addition, the user can choose not to trust a publisher when the user is prompted to install the add-on. This gives users more
    control over their experience.
    What works differently? Are there any dependencies?
    When you install an add-on, the user interface is more clear and concise.
    How do I resolve these issues?
    By default, Internet Explorer will not allow users to run invalid or unsigned ActiveX controls. The Information Bar will provide
    an alternative way for the user to choose to install a blocked control. For more information, see Internet Explorer Information
    Bar.
    What settings are added or changed in Windows Server 2003 Service Pack 1?
    Users now have the ability to block a publisher from running code on their computer.
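
An added example, not part of the original post or of Microsoft's documentation: a PowerShell function that applies the publisher check described above to every signable, higher-risk file in a folder and flags signers found in the Untrusted Publishers list. It assumes PowerShell 3.0 or later and that the Untrusted Publishers list corresponds to the `Disallowed` certificate store; `Get-PublisherStatus` and the Downloads path are hypothetical names chosen for illustration.

```powershell
# Added example: report publisher information for signable, higher-risk file types
# and flag signers whose certificate is in the Untrusted Publishers list.
# Assumption: that list maps to the Disallowed certificate store.
# Get-PublisherStatus is a hypothetical helper name, not a built-in cmdlet.

$SignableTypes = '.exe', '.dll', '.ocx', '.msi', '.cab'   # file types named in the post

function Get-PublisherStatus {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    # Thumbprints of every certificate blocked for the current user or the machine.
    $blocked = @(Get-ChildItem Cert:\CurrentUser\Disallowed, Cert:\LocalMachine\Disallowed -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Thumbprint })

    Get-ChildItem -Path $Path -File -Recurse |
        Where-Object { $SignableTypes -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = $sig.SignerCertificate

            # Only the signing (leaf) certificate is compared against the blocked list here.
            if ($null -eq $signer) {
                $verdict = 'Unsigned: no publisher information available'
            } elseif ($blocked -contains $signer.Thumbprint) {
                $verdict = 'Blocked publisher: not allowed to run'
            } elseif ($sig.Status -ne 'Valid') {
                $verdict = "Invalid signature ($($sig.Status))"
            } else {
                $verdict = 'Signed: show publisher before opening'
            }

            [pscustomobject]@{
                File      = $_.FullName
                Publisher = if ($signer) { $signer.Subject } else { $null }
                Verdict   = $verdict
            }
        }
}

# Example run against the current user's download folder (path is an assumption).
Get-PublisherStatus -Path "$env:USERPROFILE\Downloads" | Format-Table -AutoSize
```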
