Internet Explorer Untrusted Publishers Mitigations



Applies To: Windows Server 2003 with SP1

The Microsoft Windows Server 2003 Internet Explorer Enhanced Security Configuration component (also known as Microsoft Internet Explorer hardening) reduces a server's vulnerability to attacks from Web content by applying more restrictive Internet Explorer security settings that disable scripts, ActiveX components, and file downloads for resources in the Internet security zone. As a result, many of the security enhancements included in the latest release of Internet Explorer will not be as noticeable in Windows Server 2003 Service Pack 1. For example, the new Internet Explorer Information Bar and Pop-up Blocker features will not be used unless the site is in a zone whose security setting allows scripting. If you are not using the enhanced security configuration on your server, these features will function as they do in Windows XP Service Pack 2.
What does Untrusted Publishers Mitigations do?

This feature allows the user to block all signed content from a given publisher without showing the Authenticode dialog box to the user while doing so. This stops code from the blocked publisher from being installed. This feature also blocks installation of code with invalid signatures.

Who does this feature apply to?

This feature applies to all users, since it deals with installation and running of applications that are signed.
What new functionality is added to this feature in Windows Server 2003 Service Pack 1?

Blocked publisher

Detailed description

Through Authenticode, the user can block content for a given publisher from installing or running. To do this, the user selects the Never install software from PublisherName check box in the Authenticode dialog box. If selected, the user is never prompted when code that is identified with the publisher's digital signature is trying to install itself on the system. It will be automatically blocked without showing the Authenticode dialog box.

Why is this change important?

This feature was designed to help users block ActiveX controls and other signed file formats from repeatedly prompting them on the Web. Users had no way of saying, "I don't want content from this publisher. Do not ask me again." Because they didn't have this feature, many users installed applications or content just to keep from encountering repeated prompts.

What works differently?

Previously, the Authenticode dialog box only supported selecting the Always trust content from PublisherName check box, which allowed the automatic installation of code from a specified publisher without prompting the user. Now the user can perform the opposite action and designate a publisher as untrusted. No application compatibility issues should be encountered for trusted code.

How do I resolve these issues?

You can unblock a publisher of an add-on by using Manage Add-ons in Internet Explorer. To unblock a publisher to enable the download of a specific file, you can remove the publisher from the Untrusted Publishers list. To do this, in Internet Explorer, on the Tools menu, click Internet Options, click the Content tab, click the Publishers button, and then remove the publisher's name from the Untrusted Publishers list.
What existing functionality is changing in Windows Server 2003 Service Pack 1?

Blocking invalid signatures

Detailed description

By default, Windows blocks the installation of signed code if it has an invalid digital signature.

Why is this change important? What threats does it help mitigate?

If code has an invalid signature, it usually means that the code has been changed since it was signed. When this happens, Internet Explorer considers the code to be unsigned, because someone might have tampered with it. By default, Internet Explorer blocks ActiveX applications that are unsigned that come from the Internet zone. This extends that functionality so that it applies to all code with invalid signatures.

What works differently?

By default, code with invalid signatures cannot be installed.

How do I resolve these issues?

To revert to previous functionality and allow unsigned code to run, see the RunInvalidSignatures setting in the "What settings are added or changed in Windows Server 2003 Service Pack 1?" section below.
One prompt per control per page

Detailed description

Internet Explorer only prompts once per ActiveX control per page.

Why is this change important? What threats does it help mitigate?

This change helps defend against the social engineering trick of prompting the user a number of times for the same control. Even though users repeatedly refuse, they cannot get out of the loop, and they might eventually accept the installation out of

What works differently?

The user only sees one prompt per page per control.
Ellipsis placed on text for application description and publisher name

Detailed description

When the text that is given for the application description, file name, or publisher name is wider than the dialog box in width, Internet Explorer places an ellipsis on the text. This helps indicate to the user that there is more text that they are not seeing.

Why is this change important? What threats does it help mitigate?

This reduces the ability of control authors from placing marketing text and EULAs in the dialog box or using other social engineering tricks to overwhelm the users and get them to install the control.

What works differently?

Application description, file names, and publisher names will contain an ellipsis if the text is longer than the width of the dialog box. No applications or Web pages should need to be modified.
What settings are added or changed in Windows Server 2003 Service Pack 1?

Setting name: RunInvalidSignatures
Location: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download
          \Software\Microsoft\Internet Explorer\Download
Previous default value: None
Default value: 0 (Controls with invalid signatures will be blocked, regardless of zone.)
Possible values: 0 (Controls with invalid signatures will be blocked, regardless of zone.)
                 1 (Controls with invalid signatures will be allowed to run, regardless of zone.)
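The post describes two controls that an administrator would normally check by clicking through Internet Options: the RunInvalidSignatures registry value, and the Untrusted Publishers list that the "Never install software from PublisherName" check box feeds. The script below is an added example, not code from the post or from Microsoft, that audits both and can unblock one publisher or restore the blocking default. It assumes PowerShell is installed (Windows Server 2003 did not ship with it), that the second Download subkey the post lists without a hive is the HKEY_LOCAL_MACHINE copy, and that the Untrusted Publishers list shown in the Certificates dialog is the Disallowed certificate store of the current user.

```powershell
# Added example (not from the forum post or Microsoft).
# Audits RunInvalidSignatures and the Untrusted Publishers list, optionally
# restores the blocking default or unblocks one publisher by thumbprint.
# Assumptions: the HKLM path is my assumption (the post lists the subkey a
# second time without naming a hive); "Untrusted Publishers" is taken to be
# the CurrentUser\Disallowed certificate store.
param(
    # Thumbprint of a blocked publisher certificate to remove (unblock).
    [string]$UnblockThumbprint,
    # Set RunInvalidSignatures back to 0 (blocked) for the current user.
    [switch]$RestoreDefault
)

$downloadKeys = @(
    'HKCU:\Software\Microsoft\Internet Explorer\Download',
    'HKLM:\Software\Microsoft\Internet Explorer\Download'   # assumed hive
)

function Get-RunInvalidSignatures {
    param([string]$Key)
    if (-not (Test-Path -Path $Key)) { return $null }
    $item = Get-ItemProperty -Path $Key -Name 'RunInvalidSignatures' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.RunInvalidSignatures
}

foreach ($key in $downloadKeys) {
    $value = Get-RunInvalidSignatures -Key $key
    if ($null -eq $value) {
        # Absent value: the post gives the default as 0, i.e. blocked.
        Write-Output "$key : RunInvalidSignatures not set (default 0, invalid signatures blocked)"
    } elseif ($value -eq 0) {
        Write-Output "$key : RunInvalidSignatures = 0 (invalid signatures blocked)"
    } else {
        Write-Warning "$key : RunInvalidSignatures = $value (controls with invalid signatures are ALLOWED to run)"
    }
}

if ($RestoreDefault) {
    $key = $downloadKeys[0]
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'RunInvalidSignatures' -Value 0 -Type DWord
    Write-Output "Set RunInvalidSignatures = 0 under $key"
}

# Untrusted Publishers list: certificates the user chose never to install from.
$untrusted = @(Get-ChildItem -Path 'Cert:\CurrentUser\Disallowed')
if ($untrusted.Count -eq 0) {
    Write-Output 'No publishers in the Untrusted Publishers (Disallowed) store.'
} else {
    $untrusted | Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize
}

if ($UnblockThumbprint) {
    $cert = $untrusted | Where-Object { $_.Thumbprint -eq $UnblockThumbprint }
    if ($null -eq $cert) {
        Write-Warning "No certificate with thumbprint $UnblockThumbprint in the Untrusted Publishers store."
    } else {
        # Same effect as removing the entry from Internet Options > Content >
        # Publishers > Untrusted Publishers. X509Store is used instead of
        # Remove-Item so it also works on older PowerShell versions.
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Disallowed', 'CurrentUser')
        $store.Open('ReadWrite')
        $store.Remove($cert)
        $store.Close()
        Write-Output "Unblocked publisher: $($cert.Subject)"
    }
}
```

Run it with no parameters to audit, with -RestoreDefault after someone has set RunInvalidSignatures to 1, or with -UnblockThumbprint <hex> to unblock a single publisher. Before removing anything from the Disallowed store, read the Subject column: Windows itself can place revoked or fraudulent certificates in the Disallowed stores, and those should stay, so only remove entries you recognise as publishers a user blocked through the Authenticode dialog.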
