Internet Explorer Untrusted Publishers Mitigations

Applies To: Windows Server 2003 with SP1

Note

The Microsoft Windows Server 2003 Internet Explorer Enhanced Security Configuration component (also known as Microsoft Internet Explorer hardening) reduces a server’s vulnerability to attacks from Web content by applying more restrictive Internet Explorer security settings that disable scripts, ActiveX components, and file downloads for resources in the Internet security zone. As a result, many of the security enhancements included in the latest release of Internet Explorer will not be as noticeable in Windows Server 2003 Service Pack 1. For example, the new Internet Explorer Information Bar and Pop-up Blocker features will not be used unless the site is in a zone whose security setting allows scripting. If you are not using the enhanced security configuration on your server, these features will function as they do in Windows XP Service Pack 2.

What does Untrusted Publishers Mitigations do?

This feature lets the user block all signed content from a given publisher; once a publisher is blocked, the Authenticode dialog box is no longer shown for that publisher's code. This stops code from the blocked publisher from being installed. This feature also blocks installation of code with invalid signatures.

Who does this feature apply to?

This feature applies to all users, since it deals with installation and running of applications that are signed.

What new functionality is added to this feature in Windows Server 2003 Service Pack 1?

Blocked publisher

Detailed description

Through Authenticode, the user can block content for a given publisher from installing or running. To do this, the user selects the Never install software from PublisherName check box in the Authenticode dialog box. If selected, the user is never prompted when code that is identified with the publisher’s digital signature is trying to install itself on the system. It will be automatically blocked without showing the Authenticode dialog box.

Why is this change important?

This feature was designed to help users block ActiveX controls and other signed file formats from repeatedly prompting them on the Web. Users had no way of saying, "I don’t want content from this publisher. Do not ask me again." Because they didn’t have this feature, many users installed applications or content just to keep from encountering repeated prompts.

What works differently?

Previously, the Authenticode dialog box only supported selecting the Always trust content from PublisherName check box, which allowed the automatic installation of code from a specified publisher without prompting the user. Now the user can perform the opposite action and designate a publisher as untrusted. No application compatibility issues should be encountered for trusted code.

How do I resolve these issues?

You can unblock a publisher of an add-on by using Manage Add-ons in Internet Explorer. To unblock a publisher to enable the download of a specific file, you can remove the publisher from the Untrusted Publishers list. To do this, in Internet Explorer, on the Tools menu, click Internet Options, click the Content tab, click the Publishers button and then remove the publisher’s name from the Untrusted Publishers list.
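The Untrusted Publishers list described above can also be audited from the command line. The following PowerShell functions are an added example, not part of the original article; they assume that the list shown under Internet Options, Content, Publishers is the current user's "Disallowed" certificate store, and they use the .NET X509Store class directly so that they also run on older PowerShell versions. Get-UntrustedPublisher lists the blocked publishers and Remove-UntrustedPublisher unblocks one by thumbprint, which is the scripted equivalent of removing the name from the Untrusted Publishers list.

```powershell
# Added example, not from the original article. Assumption: the Untrusted
# Publishers list in Internet Explorer is the current user's "Disallowed"
# certificate store (CurrentUser\Disallowed).
$StoreName     = 'Disallowed'
$StoreLocation = 'CurrentUser'

function Get-UntrustedPublisher {
    # Returns one object per certificate in the Untrusted Publishers list.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, $StoreLocation)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        foreach ($cert in $store.Certificates) {
            New-Object PSObject -Property @{
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
            }
        }
    } finally {
        $store.Close()
    }
}

function Remove-UntrustedPublisher {
    # Unblocks a publisher by removing its certificate from the store.
    # Returns the number of certificates removed.
    param([Parameter(Mandatory = $true)][string]$Thumbprint)

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, $StoreLocation)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try {
        $found = $store.Certificates.Find(
            [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint,
            $Thumbprint, $false)
        if ($found.Count -eq 0) {
            throw "No untrusted publisher with thumbprint $Thumbprint"
        }
        foreach ($cert in $found) { $store.Remove($cert) }
        $found.Count
    } finally {
        $store.Close()
    }
}

# Usage: list what the current user has blocked, then unblock one entry.
Get-UntrustedPublisher | Format-Table Subject, Thumbprint, NotAfter -AutoSize
# Remove-UntrustedPublisher -Thumbprint '<thumbprint from the listing above>'
```

The listing runs read-only; Remove-UntrustedPublisher opens the store for writing and should be run as the user whose list is being edited, since the store is per user.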

What existing functionality is changing in Windows Server 2003 Service Pack 1?

Blocking invalid signatures

Detailed description

By default, Windows blocks the installation of signed code if it has an invalid digital signature.

Why is this change important? What threats does it help mitigate?

If code has an invalid signature, it usually means that the code has been changed since it was signed. When this happens, Internet Explorer considers the code to be unsigned, because someone might have tampered with it. By default, Internet Explorer blocks unsigned ActiveX controls that come from the Internet zone. This change extends that behavior so that it applies to all code with invalid signatures, regardless of zone.

What works differently?

By default, code with invalid signatures cannot be installed.

How do I resolve these issues?

To revert to the previous functionality and allow code with invalid signatures to run, see the RunInvalidSignatures setting in the "What settings are added or changed in Windows Server 2003 Service Pack 1?" section below.

One prompt per control per page

Detailed description

Internet Explorer only prompts once per ActiveX control per page.

Why is this change important? What threats does it help mitigate?

This change helps defend against the social engineering trick of prompting the user a number of times for the same control. Even though users repeatedly refuse, they cannot get out of the loop, and they might eventually accept the installation out of frustration.

What works differently?

The user only sees one prompt per page per control.

Ellipsis placed on text for application description and publisher name

Detailed description

When the text given for the application description, file name, or publisher name is wider than the dialog box, Internet Explorer truncates the text with an ellipsis. This indicates to the user that there is more text that they are not seeing.

Why is this change important? What threats does it help mitigate?

This reduces the ability of control authors to place marketing text and EULAs in the dialog box, or to use other social engineering tricks to overwhelm users and get them to install the control.

What works differently?

Application description, file names, and publisher names will contain an ellipsis if the text is longer than the width of the dialog box. No applications or Web pages should need to be modified.

What settings are added or changed in Windows Server 2003 Service Pack 1?

Setting name: RunInvalidSignatures

Location:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Download

Previous default value: None

Default value: 0

Possible values:
0 (Controls with invalid signatures will be blocked, regardless of zone.)
1 (Controls with invalid signatures will be allowed to run, regardless of zone.)
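The following PowerShell script is an added example, not part of the original article. It ties the RunInvalidSignatures setting above to the "Blocking invalid signatures" section: it reads the value from both registry locations listed in the table, can enforce the secure default of 0, and classifies a local file's Authenticode status according to the rules the article states (invalid signature blocked in every zone unless the setting is 1, unsigned code blocked in the Internet zone, validly signed code reaches the prompt). It assumes the value is a REG_DWORD, which the article does not state; the Zone parameter is supplied by the caller because a local file carries no zone information, and the decision logic is a simplified model of the documented rules, not Internet Explorer's own code path. The article does not say which hive takes precedence when both are set, so the script reports each location separately.

```powershell
# Added example, not from the original article.
$ValueName = 'RunInvalidSignatures'
$Locations = @(
    'HKCU:\Software\Microsoft\Internet Explorer\Download',
    'HKLM:\Software\Microsoft\Internet Explorer\Download'
)

function Get-RunInvalidSignatures {
    # One object per location. Value is $null when the key or value is absent,
    # which means the default (0, block invalid signatures) is in effect there.
    foreach ($path in $Locations) {
        $value = $null
        if (Test-Path $path) {
            $item = Get-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue
            if ($item -ne $null) { $value = $item.$ValueName }
        }
        New-Object PSObject -Property @{
            Location       = $path
            Value          = $value
            InvalidBlocked = ($value -ne 1)
        }
    }
}

function Set-RunInvalidSignatures {
    # Writes the value to one location; defaults to the machine-wide hive and the
    # secure value 0. Assumption: REG_DWORD (the article does not state the type).
    param(
        [ValidateSet(0, 1)][int]$Value = 0,
        [string]$Path = 'HKLM:\Software\Microsoft\Internet Explorer\Download'
    )
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $ValueName -Value $Value -PropertyType DWord -Force | Out-Null
}

function Test-DownloadDecision {
    # Applies the article's rules to a local file. Simplified model, not IE code.
    param(
        [Parameter(Mandatory = $true)][string]$FilePath,
        [ValidateSet('Internet', 'Intranet', 'Trusted', 'Restricted', 'LocalMachine')]
        [string]$Zone = 'Internet'
    )
    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    $allowInvalid = @(Get-RunInvalidSignatures | Where-Object { $_.Value -eq 1 }).Count -gt 0

    switch ($sig.Status) {
        'Valid' {
            $decision = 'Prompt (Always trust / Never install applies to this publisher)'
        }
        'NotSigned' {
            if ($Zone -eq 'Internet') { $decision = 'Blocked: unsigned code from the Internet zone' }
            else                      { $decision = 'Prompt: unsigned code outside the Internet zone' }
        }
        default {
            # HashMismatch, NotTrusted, UnknownError and similar count as invalid signatures
            if ($allowInvalid) { $decision = 'Allowed: RunInvalidSignatures = 1 overrides the block' }
            else               { $decision = 'Blocked: invalid signature, regardless of zone' }
        }
    }

    $signer = $null
    if ($sig.SignerCertificate -ne $null) { $signer = $sig.SignerCertificate.Subject }
    New-Object PSObject -Property @{
        File     = $FilePath
        Status   = $sig.Status
        Signer   = $signer
        Zone     = $Zone
        Decision = $decision
    }
}

# Usage: audit both locations, enforce the secure default machine-wide, then
# check what the documented rules would do with a downloaded control.
Get-RunInvalidSignatures | Format-Table Location, Value, InvalidBlocked -AutoSize
Set-RunInvalidSignatures -Value 0
# Test-DownloadDecision -FilePath 'C:\path\to\downloaded\control.ocx' -Zone Internet
```

Setting the value under HKLM requires administrative rights; the HKCU location lets a single user relax the check for their own profile, so an audit should look at both, which is why Get-RunInvalidSignatures reports each location rather than a single combined value.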