Download, Attachment, and Authenticode Enhancements

Applies To: Windows Server 2003 with SP1

Note

The Microsoft Windows Server 2003 Internet Explorer Enhanced Security Configuration component (also known as Microsoft Internet Explorer hardening) reduces a server’s vulnerability to attacks from Web content by applying more restrictive Internet Explorer security settings that disable scripts, ActiveX components, and file downloads for resources in the Internet security zone. As a result, many of the security enhancements included in the latest release of Internet Explorer will not be as noticeable in Windows Server 2003 Service Pack 1. For example, the new Internet Explorer Notification Bar and Pop-up Blocker features will not be used unless the site is in a zone whose security setting allows scripting. If you are not using the enhanced security configuration on your server, these features will function as they do in Windows XP Service Pack 2.

What do the download, attachment, and Authenticode enhancements do?

In Windows Server 2003 with Service Pack 1, the prompts that are used for file downloads, mail attachments, shell process execution, and program installation have been made more consistent and clearer than they were in previous versions of Windows Server. In addition, publisher information taken from the file's digital signature is shown before a file is opened if the file type is signable and can potentially harm the user's computer. (Common examples of signable file types that can potentially harm the user's computer are .exe, .dll, .ocx, .msi, and .cab.)

There is a new application programming interface (API), Attachment Execution Services (AES), that allows application developers to make use of this new user interface. For more information regarding the API, see "AES API Integration," in the section of this document on changes to e-mail features in Windows Server 2003 Service Pack 1.

Who does this feature apply to?

Application developers will be able to call the new Attachment Manager dialog box from their Windows applications by using the API that is described in the "Attachment Manager API Integration" topic in the "Outlook Express" section of this document.

Application developers should also be aware that when a user attempts to open an e-mail attachment or a downloaded file of a type that can potentially harm the computer, the file's digital signature is checked before the file is opened. The signer information is presented to the user to identify the file's publisher; an unsigned file is reported as having an unknown publisher.

What existing functionality is changing in Windows Server 2003 Service Pack 1?

Internet Explorer file download prompt

Detailed description

When a user uses Internet Explorer to download a file, the dialog box that appears has the following changes:

  • A file handler icon has been added.

  • A new information area has been added to the bottom of the dialog box that provides slightly different information, depending on whether the downloaded file type is of higher or lower risk.

All file types that are signable and that can potentially harm a user's computer are checked for publisher information before they are opened. The Authenticode dialog box presents this information to the user, who can then make a more informed decision about running the file.

Why is this change important?

This change helps bring consistency and clarity to the experience of downloading files and code to a user's computer. The publisher check surfaces the signer's identity whenever a signature is found in a file and provides a systematic way to stop files from publishers the user has blocked from running on the computer. Note that a valid signature identifies the publisher; it does not by itself establish that the file is safe, and an unsigned file carries no publisher information at all.

What works differently?

Files signed by a publisher on the Untrusted Publishers list are not allowed to run.

How do I resolve these issues?

You can unblock the publisher of an add-on by using Manage Add-ons in Internet Explorer. To unblock a publisher so that a specific file can be downloaded and run, remove the publisher from the Untrusted Publishers list. To do this, in Internet Explorer, on the Tools menu, click Internet Options, click the Content tab, click the Publishers button, and then remove the publisher's name from the Untrusted Publishers list.
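The following script is an added example and is not part of the Windows Server 2003 SP1 documentation or of the Attachment Execution Services API. It reproduces, for a file already on disk, the checks described under the file download prompt above (file-type risk, Authenticode publisher, blocked-publisher test) and the resolution step just described (removing a publisher from the Untrusted Publishers list, which is backed by the Disallowed certificate store). It assumes PowerShell 3.0 or later on an NTFS volume; the path C:\Downloads\setup.exe and the publisher name Contoso are placeholders.

```powershell
# Added example, not code from the Windows Server 2003 SP1 documentation.
# Assumptions: PowerShell 3.0+ on NTFS; 'C:\Downloads\setup.exe' is a placeholder.

function Test-DownloadedFile {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    # Signable file types that can harm the computer, as listed on the page.
    $signableRiskyTypes = '.exe', '.dll', '.ocx', '.msi', '.cab'
    $ext = [System.IO.Path]::GetExtension($Path).ToLowerInvariant()
    $isSignableRisky = $signableRiskyTypes -contains $ext

    # Attachment Manager records the origin zone of a downloaded file in the
    # Zone.Identifier alternate data stream (3 = Internet, 4 = Restricted sites).
    $zoneId = $null
    if (Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue) {
        foreach ($line in (Get-Content -LiteralPath $Path -Stream Zone.Identifier)) {
            if ($line -match '^ZoneId=(\d+)') { $zoneId = [int]$Matches[1] }
        }
    }

    # Authenticode check. Status is Valid, NotSigned, HashMismatch, NotTrusted, ...
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $publisher = $null
    $publisherBlocked = $false
    if ($sig.SignerCertificate) {
        $publisher = $sig.SignerCertificate.Subject
        # The Untrusted Publishers list shown under Internet Options > Content >
        # Publishers is the Disallowed certificate store (per-user and per-machine).
        foreach ($store in 'Cert:\CurrentUser\Disallowed', 'Cert:\LocalMachine\Disallowed') {
            $hit = Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
                Where-Object { $_.Thumbprint -eq $sig.SignerCertificate.Thumbprint }
            if ($hit) { $publisherBlocked = $true }
        }
    }

    # Decision that mirrors the prompt: a blocked publisher never runs; an
    # unsigned or tampered high-risk file gets the "unknown publisher" warning.
    $verdict = 'Open'
    if ($publisherBlocked) {
        $verdict = 'Blocked: publisher is on the Untrusted Publishers list'
    } elseif ($isSignableRisky -and $sig.Status -ne 'Valid') {
        $verdict = "Warn: high-risk file type, signature status $($sig.Status)"
    } elseif ($null -ne $zoneId -and $zoneId -ge 3) {
        $verdict = 'Warn: file originated from the Internet or Restricted sites zone'
    }

    [pscustomobject]@{
        Path             = $Path
        HighRiskType     = $isSignableRisky
        ZoneId           = $zoneId
        SignatureStatus  = $sig.Status
        Publisher        = $publisher
        PublisherBlocked = $publisherBlocked
        Verdict          = $verdict
    }
}

# Usage (placeholder path):
Test-DownloadedFile -Path 'C:\Downloads\setup.exe' | Format-List

# Unblocking a publisher from the command line does the same thing as removing
# it from the Untrusted Publishers list in Internet Options. 'Contoso' is a
# placeholder; review the matching certificates before piping to Remove-Item.
#   Get-ChildItem Cert:\CurrentUser\Disallowed |
#       Where-Object { $_.Subject -like '*Contoso*' } | Remove-Item
```

The script reports the same three facts the SP1 prompt uses (file type, signer, blocked or not) plus the zone mark, so it can be run over a download folder to see in advance which files the prompt would refuse. Treat a Valid status as identification of the publisher only; it says nothing about whether the file is safe to run.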

Outlook Express e-mail attachment prompt

Detailed description

The Outlook Express e-mail attachment prompt uses the same procedures as file downloads and leverages the AES API integration. As a result, e-mail attachments in Outlook Express show the publisher information for file types that can potentially harm a user's computer, and any file whose publisher has been blocked will not be allowed to run.

Why is this change important?

This change helps bring consistency and clarity to the experience of downloading files and code to a user’s computer.

Add-on install prompt

Detailed description

The Internet Explorer add-on install prompt has been simplified and displays only the file name and the publisher information from the digital signature. It provides a warning about the risk associated with installing the add-on in order to help the user make a good decision about installing it. In addition, the prompt now lets users choose to always block a publisher, indicating that Windows should never trust anything from that publisher. This prevents the publisher from running code on the computer.

Why is this change important?

This change helps bring consistency and clarity to the experience of downloading files and code to a user’s computer. In addition, the user can choose not to trust a publisher when the user is prompted to install the add-on. This gives users more control over their experience.

What works differently? Are there any dependencies?

When you install an add-on, the user interface is clearer and more concise.

How do I resolve these issues?

By default, Internet Explorer will not allow users to run ActiveX controls that are unsigned or whose signature is invalid. The Information Bar provides an alternative way for the user to choose to install a blocked control. For more information, see Internet Explorer Information Bar.

What settings are added or changed in Windows Server 2003 Service Pack 1?

Users now have the ability to block a publisher from running code on their computer.