Internet Explorer Untrusted Publishers Mitigations
Posted September 8, 2017 at 3:41 pm (#2208) by Webmaster (Keymaster)

Applies To: Windows Server 2003 with SP1
Note
The Microsoft Windows Server 2003 Internet Explorer Enhanced Security Configuration component (also known as Microsoft Internet Explorer hardening) reduces a server's vulnerability to attacks from Web content by applying more restrictive Internet Explorer security settings that disable scripts, ActiveX components, and file downloads for resources in the Internet security zone. As a result, many of the security enhancements included in the latest release of Internet Explorer will not be as noticeable in Windows Server 2003 Service Pack 1. For example, the new Internet Explorer Information Bar and Pop-up Blocker features will not be used unless the site is in a zone whose security setting allows scripting. If you are not using the enhanced security configuration on your server, these features will function as they do in Windows XP Service Pack 2.
What does Untrusted Publishers Mitigations do?
This feature allows the user to block all signed content from a given publisher without showing the Authenticode dialog box to the user while doing so. This stops code from the blocked publisher from being installed. This feature also blocks installation of code with invalid signatures.
Who does this feature apply to?
This feature applies to all users, since it deals with installation and running of applications that are signed.
What new functionality is added to this feature in Windows Server 2003 Service Pack 1?
Blocked publisher
Detailed description
Through Authenticode, the user can block content for a given publisher from installing or running. To do this, the user selects the Never install software from PublisherName check box in the Authenticode dialog box. If selected, the user is never prompted when code that is identified with the publisher's digital signature is trying to install itself on the system. It will be automatically blocked without showing the Authenticode dialog box.
Why is this change important?
This feature was designed to help users block ActiveX controls and other signed file formats from repeatedly prompting them on the Web. Users had no way of saying, "I don't want content from this publisher. Do not ask me again." Because they didn't have this feature, many users installed applications or content just to keep from encountering repeated prompts.
What works differently?
Previously, the Authenticode dialog box only supported selecting the Always trust content from PublisherName check box, which allowed the automatic installation of code from a specified publisher without prompting the user. Now the user can perform the opposite action and designate a publisher as untrusted. No application compatibility issues should be encountered for trusted code.
How do I resolve these issues?
You can unblock a publisher of an add-on by using Manage Add-ons in Internet Explorer. To unblock a publisher to enable the download of a specific file, you can remove the publisher from the Untrusted Publishers list. To do this, in Internet Explorer, on the Tools menu, click Internet Options, click the Content tab, click the Publishers button, and then remove the publisher's name from the Untrusted Publishers list.
What existing functionality is changing in Windows Server 2003 Service Pack 1?
Blocking invalid signatures
Detailed description
By default, Windows blocks the installation of signed code if it has an invalid digital signature.
Why is this change important? What threats does it help mitigate?
If code has an invalid signature, it usually means that the code has been changed since it was signed. When this happens, Internet Explorer considers the code to be unsigned, because someone might have tampered with it. By default, Internet Explorer blocks unsigned ActiveX applications that come from the Internet zone. This extends that functionality so that it applies to all code with invalid signatures.
What works differently?
By default, code with invalid signatures cannot be installed.
How do I resolve these issues?
To revert to previous functionality and allow unsigned code to run, see the RunInvalidSignatures setting in the "What settings are added or changed in Windows Server 2003 Service Pack 1?" section below.
One prompt per control per page
Detailed description
Internet Explorer only prompts once per ActiveX control per page.
Why is this change important? What threats does it help mitigate?
This change helps defend against the social engineering trick of prompting the user a number of times for the same control. Even though users repeatedly refuse, they cannot get out of the loop, and they might eventually accept the installation out of frustration.
What works differently?
The user only sees one prompt per page per control.
Ellipsis placed on text for application description and publisher name
Detailed description
When the text that is given for the application description, file name, or publisher name is wider than the dialog box, Internet Explorer places an ellipsis on the text. This helps indicate to the user that there is more text that they are not seeing.
Why is this change important? What threats does it help mitigate?
This reduces the ability of control authors to place marketing text and EULAs in the dialog box, or to use other social engineering tricks to overwhelm users and get them to install the control.
What works differently?
Application descriptions, file names, and publisher names will contain an ellipsis if the text is longer than the width of the dialog box. No applications or Web pages should need to be modified.
What settings are added or changed in Windows Server 2003 Service Pack 1?
Setting name: RunInvalidSignatures
Location: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download and HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Download
Previous default value: None
Default value: 0 (Controls with invalid signatures will be blocked, regardless of zone.)
Possible values: 0 (Controls with invalid signatures will be blocked, regardless of zone.); 1 (Controls with invalid signatures will be allowed to run, regardless of zone.)
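The following PowerShell script is an added example for the "Blocking invalid signatures" section and the RunInvalidSignatures setting above; it is not code from the original post or from Microsoft. It audits the value in both hives listed in the table, flags a hive where it has been set to 1 (controls with invalid signatures allowed to run), can restore the default of 0, and shows what an "invalid signature" looks like on a file by reading its Authenticode status. It assumes PowerShell is installed on the server (it is not part of the Windows Server 2003 base install), that the Untrusted Publishers list in the Publishers dialog is the "Disallowed" certificate store, and uses a placeholder file path for the signature check.

```powershell
# Added example, not from the original page or from Microsoft's documentation.
# Assumptions: PowerShell is installed; the Untrusted Publishers list maps to
# the "Disallowed" certificate store; the file path in the usage line is a
# placeholder.

$DownloadKeys = @(
    'HKCU:\Software\Microsoft\Internet Explorer\Download',
    'HKLM:\Software\Microsoft\Internet Explorer\Download'
)

function Get-RunInvalidSignaturesState {
    # One record per hive. Absent or 0 = controls with invalid signatures are
    # blocked regardless of zone (the SP1 default); 1 = they are allowed to run.
    foreach ($key in $DownloadKeys) {
        $value = $null
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key -Name RunInvalidSignatures -ErrorAction SilentlyContinue
            if ($props -ne $null) { $value = $props.RunInvalidSignatures }
        }
        New-Object PSObject -Property @{
            Key      = $key
            Value    = $value
            Weakened = ($value -eq 1)
        }
    }
}

function Restore-RunInvalidSignaturesDefault {
    # Put the hardened default back wherever the value has been set to 1.
    # Writing under HKLM requires an elevated session.
    foreach ($state in (Get-RunInvalidSignaturesState)) {
        if ($state.Weakened) {
            Set-ItemProperty -Path $state.Key -Name RunInvalidSignatures -Value 0 -Type DWord
            Write-Output "RunInvalidSignatures reset to 0 under $($state.Key)"
        }
    }
}

function Test-FileSignature {
    param([string]$FilePath)
    # Get-AuthenticodeSignature returns HashMismatch for a signed file that was
    # modified after signing: the "invalid signature" case described above.
    # Anything other than Valid is what the default setting of 0 blocks.
    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    $signer = $null
    if ($sig.SignerCertificate -ne $null) { $signer = $sig.SignerCertificate.Subject }
    New-Object PSObject -Property @{
        File       = $FilePath
        Status     = $sig.Status
        Signer     = $signer
        WouldBlock = ($sig.Status -ne 'Valid')
    }
}

function Get-UntrustedPublisherList {
    # Assumption: the Untrusted Publishers tab shows the Disallowed store.
    # Lists what is currently blocked so an unblock decision can be reviewed.
    foreach ($store in @('Cert:\CurrentUser\Disallowed', 'Cert:\LocalMachine\Disallowed')) {
        Get-ChildItem -Path $store | Select-Object Subject, Thumbprint, NotAfter
    }
}

# Usage: report the setting, then inspect a downloaded control (placeholder path).
Get-RunInvalidSignaturesState | Format-Table Key, Value, Weakened -AutoSize
Test-FileSignature -FilePath 'C:\Downloads\control.ocx' | Format-List
```

Run Restore-RunInvalidSignaturesDefault from an elevated session to clear a weakened value; Get-UntrustedPublisherList shows the publishers the dialog would list before you remove one.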