In some scenarios, a prompt will occur when trying to download and run an executable either through Internet Explorer or VBScript from a FQDN UNC path. I've had this occur to me when a VBScript was trying to execute robocopy.exe from a remote share using a fully qualified domain name UNC path. The script was not running on the interactive desktop, and the prompt asking for permission to allow execution prevented the script from finishing.
Windows XP SP2 and Windows Server 2003 SP1 both add new handling for downloaded files that may be executed, including a check of the digital signature on the files. If the binary does not contain a digital signature, an 'Open File - Security Warning' popup indicating that the publisher could not be verified will be displayed, awaiting user interaction to allow or deny the execution request.
In the VBScript scenario, this was only happening because the execution was called from a Fully Qualified Domain Name, and despite being the local domain (in this case), it was still interpreted as a threat and a warning was presented.
-- Popup
Open File - Security Warning
The publisher could not be verified. Are you sure you want to run this software
Name: Robocopy.exe
Publisher: Unknown publisher
Type: Application
From: FQDN server
This file does not have a valid digital signature that verifies its publisher.
--
Workaround:
Add the value HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\LowRiskFileTypes and set it to a semicolon-separated list of the file extensions you want to allow, e.g. '.exe;.cab'
Note that the path above is to the .default hive, used by the System account. Add the value to 'Default User\ntuser.dat' or to HKCU to change the default profile or the current user respectively. Group policy could also be used to control this setting.
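The workaround above in PowerShell, added here as an example and not part of the original post: it merges extensions into any existing LowRiskFileTypes list under the .Default hive instead of overwriting it, so only the extensions you name lose the prompt. The function name Add-LowRiskFileType is hypothetical; the value is assumed to be a string (REG_SZ) and the session is assumed to be elevated.

```powershell
# Added example, not from the original post. Key path and value name are the
# ones given in the post; the function name is hypothetical.
# Assumes an elevated session (needed to write under HKU\.DEFAULT).
$AssocKey = 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'

function Add-LowRiskFileType {
    param(
        [Parameter(Mandatory = $true)] [string[]] $Extension,
        [string] $KeyPath = $AssocKey
    )

    # Normalise input: lower-case, leading dot, reject anything that is not a plain extension.
    $wanted = foreach ($e in $Extension) {
        $e = $e.Trim().ToLowerInvariant()
        if ($e -notmatch '^\.?[a-z0-9]+$') { throw "Not a file extension: '$e'" }
        if ($e.StartsWith('.')) { $e } else { ".$e" }
    }

    # Read the current list, if any, so existing entries are preserved.
    $current = @()
    if (Test-Path -Path $KeyPath) {
        $prop = Get-ItemProperty -Path $KeyPath -Name LowRiskFileTypes -ErrorAction SilentlyContinue
        if ($prop -and $prop.LowRiskFileTypes) {
            $current = $prop.LowRiskFileTypes.Split(';') |
                ForEach-Object { $_.Trim().ToLowerInvariant() } |
                Where-Object { $_ }
        }
    } else {
        # Create the Associations key (and any missing parents) on first use.
        New-Item -Path $KeyPath -Force | Out-Null
    }

    # Merge, de-duplicate and write back as one semicolon-separated string.
    $merged = @($current) + @($wanted) | Select-Object -Unique
    $value  = $merged -join ';'
    New-ItemProperty -Path $KeyPath -Name LowRiskFileTypes -Value $value -PropertyType String -Force | Out-Null
    return $value
}

# Allow only .exe for the System account's hive and show the resulting list.
Add-LowRiskFileType -Extension '.exe'
```

Pass a different -KeyPath (for example an HKCU path) to apply the same change to the current user instead of the System account.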
Duplicating the problem:
You can verify the problem before and after by pasting a FQDN UNC path into an IE window, e.g.
\\server.com.au\c$\windows\system32\robocopy.exe
Or by running the following VBScript:
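Set objShell = CreateObject("WScript.Shell")
' FQDN UNC path to the executable; this is what triggers the warning
strCMD = "\\server.com.au\c$\windows\system32\robocopy.exe"
' Window style 0 (hidden); TRUE waits for the process to exit
intReturnVal = objShell.Run(strCMD, 0, TRUE)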
Wayne's World of IT (WWoIT), Copyright 2008 Wayne Martin.
1 comment:
Digital Signature is transformation of a message using an asymmetric crypto system such that a person having the initial message and the signer's public key can accurately determine whether the transformation was created using the private key that corresponds to the signer's public key.