Internet Explorer Untrusted Publishers Mitigations




Applies To: Windows Server 2003 with SP1

Note
The Microsoft Windows Server 2003 Internet Explorer Enhanced Security Configuration component (also known as Microsoft Internet Explorer hardening) reduces a server's vulnerability to attacks from Web content by applying more restrictive Internet Explorer security settings that disable scripts, ActiveX components, and file downloads for resources in the Internet security zone. As a result, many of the security enhancements included in the latest release of Internet Explorer will not be as noticeable in Windows Server 2003 Service Pack 1. For example, the new Internet Explorer Information Bar and Pop-up Blocker features will not be used unless the site is in a zone whose security setting allows scripting. If you are not using the enhanced security configuration on your server, these features will function as they do in Windows XP Service Pack 2.
What does Untrusted Publishers Mitigations do?
This feature allows the user to block all signed content from a given publisher without showing the Authenticode dialog box to the user while doing so. This stops code from the blocked publisher from being installed. This feature also blocks installation of code with invalid signatures.

Who does this feature apply to?
This feature applies to all users, since it deals with installation and running of applications that are signed.

What new functionality is added to this feature in Windows Server 2003 Service Pack 1?

Blocked publisher

Detailed description
Through Authenticode, the user can block content for a given publisher from installing or running. To do this, the user selects the Never install software from PublisherName check box in the Authenticode dialog box. If selected, the user is never prompted when code that is identified with the publisher's digital signature is trying to install itself on the system. It will be automatically blocked without showing the Authenticode dialog box.

Why is this change important?
This feature was designed to help users block ActiveX controls and other signed file formats from repeatedly prompting them on the Web. Users had no way of saying, "I don't want content from this publisher. Do not ask me again." Because they didn't have this feature, many users installed applications or content just to keep from encountering repeated prompts.

What works differently?
Previously, the Authenticode dialog box only supported selecting the Always trust content from PublisherName check box, which allowed the automatic installation of code from a specified publisher without prompting the user. Now the user can perform the opposite action and designate a publisher as untrusted. No application compatibility issues should be encountered for trusted code.
How do I resolve these issues?
You can unblock a publisher of an add-on by using Manage Add-ons in Internet Explorer. To unblock a publisher to enable the download of a specific file, you can remove the publisher from the Untrusted Publishers list. To do this, in Internet Explorer, on the Tools menu, click Internet Options, click the Content tab, click the Publishers button and then remove the publisher's name from the Untrusted Publishers list.
What existing functionality is changing in Windows Server 2003 Service Pack 1?

Blocking invalid signatures

Detailed description
By default, Windows blocks the installation of signed code if it has an invalid digital signature.

Why is this change important? What threats does it help mitigate?
If code has an invalid signature, it usually means that the code has been changed since it was signed. When this happens, Internet Explorer considers the code to be unsigned, because someone might have tampered with it. By default, Internet Explorer blocks ActiveX applications that are unsigned that come from the Internet zone. This extends that functionality so that it applies to all code with invalid signatures.

What works differently?
By default, code with invalid signatures cannot be installed.

How do I resolve these issues?
To revert to previous functionality and allow unsigned code to run, see the RunInvalidSignatures setting in the "What settings are added or changed in Windows Server 2003 Service Pack 1?" section below.
One prompt per control per page

Detailed description
Internet Explorer only prompts once per ActiveX control per page.

Why is this change important? What threats does it help mitigate?
This change helps defend against the social engineering trick of prompting the user a number of times for the same control. Even though users repeatedly refuse, they cannot get out of the loop, and they might eventually accept the installation out of frustration.

What works differently?
The user only sees one prompt per page per control.

Ellipsis placed on text for application description and publisher name

Detailed description
When the text that is given for the application description, file name, or publisher name is wider than the dialog box in width, Internet Explorer places an ellipsis on the text. This helps indicate to the user that there is more text that they are not seeing.

Why is this change important? What threats does it help mitigate?
This reduces the ability of control authors from placing marketing text and EULAs in the dialog box or using other social engineering tricks to overwhelm the users and get them to install the control.

What works differently?
Application description, file names, and publisher names will contain an ellipsis if the text is longer than the width of the dialog box. No applications or Web pages should need to be modified.
What settings are added or changed in Windows Server 2003 Service Pack 1?

Setting name: RunInvalidSignatures
Location:
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Download
Previous default value: None
Default value: 0
Possible values:
    0 (Controls with invalid signatures will be blocked, regardless of zone.)
    1 (Controls with invalid signatures will be allowed to run, regardless of zone.)
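An added PowerShell audit for the RunInvalidSignatures value listed above (example code written for this page, not from the original post or from Microsoft's documentation). The function name Get-RunInvalidSignaturesState is ours; it assumes PowerShell with the registry provider is available on the server being checked, and it reports a value of 1 as a weakening of the SP1 default, optionally resetting it to 0.

```powershell
# Added example: report, and optionally reset, the RunInvalidSignatures value
# under both hives named in the settings table. An absent value or 0 means
# controls with invalid signatures are blocked (the SP1 default); 1 means they
# are allowed to run regardless of zone. Function name is our own.
function Get-RunInvalidSignaturesState {
    [CmdletBinding()]
    param(
        # With -Remediate, any hive whose value is 1 is reset to the default 0.
        [switch]$Remediate
    )

    $paths = @(
        'HKLM:\Software\Microsoft\Internet Explorer\Download',
        'HKCU:\Software\Microsoft\Internet Explorer\Download'
    )

    foreach ($path in $paths) {
        $value = $null
        if (Test-Path -Path $path) {
            # -ErrorAction SilentlyContinue: the value is absent by default,
            # which is not an error condition for this audit.
            $item = Get-ItemProperty -Path $path -Name 'RunInvalidSignatures' `
                                     -ErrorAction SilentlyContinue
            if ($null -ne $item) { $value = $item.RunInvalidSignatures }
        }

        if ($null -eq $value) {
            $state = 'Default (value absent): invalid signatures blocked'
        } elseif ($value -eq 0) {
            $state = 'Hardened: invalid signatures blocked'
        } elseif ($value -eq 1) {
            $state = 'WEAK: controls with invalid signatures allowed to run'
            if ($Remediate) {
                Set-ItemProperty -Path $path -Name 'RunInvalidSignatures' `
                                 -Value 0 -Type DWord
                $state += ' (reset to 0)'
            }
        } else {
            $state = "Unexpected value $value; expected 0 or 1"
        }

        [pscustomobject]@{
            Path                 = $path
            RunInvalidSignatures = $value
            State                = $state
        }
    }
}

# Audit only; add -Remediate (as an administrator for HKLM) to reset value 1 to 0.
Get-RunInvalidSignaturesState | Format-Table -AutoSize
```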
