Starting with XP Pro SP2, program and other files downloaded from the web by most of the commonly used browsers are individually flagged and subsequently carry a security warning when an attempt is made to open or run (execute) them. While initially helpful, the warning may persist when flagged executables (or their equivalent) are opened or run from a networked drive, which most users find annoying and unnecessary. In an era where users are increasingly bombarded by warnings and messages of all kinds, excessive warnings that users must routinely bypass lead to users ignoring the error messages that truly matter.
When an executable associated with an application is run from a local drive, users have the option to trust that specific application, or even all content from a given publisher, regardless of whether UAC (User Account Control, Vista and later) is enabled.
Open File - Security Warning example: executable downloaded via Internet Explorer 8 on Windows 7, run from a local drive:
But the same is not true when running the same or a similar executable from across an internal network (i.e. the local intranet). In that case the “Do you want to run this program?” message appears every time, and the option not to be asked again before opening the given file, which is offered when running from a local drive, is absent.
Open File - Security Warning example: the same executable downloaded via Internet Explorer 8 on Windows 7, run from a network drive (note the lack of an option not to always "ask" before opening the file):
Do you really want Windows to be constantly asking you if you really, truly want to run a program that you launch every day across a network drive? Most users neither need nor want the aggravation of this additional warning, particularly when they are running the program from an established desktop shortcut, and even if the program is located on a non-local drive, since that is after all one of the purposes of a network drive.
Fortunately there are some options available to eliminate this security warning that carry little to no security threat. (Always discuss the ramifications of changes to your system security with your IT support.)
While this issue can be dealt with by setting group policies (particularly on larger systems and/or those that have in-house IT support) or by trying to manually delete the zone identifiers that may be associated with the file, the approach we stumbled upon quite a few years ago and which is outlined below is typically the simplest and most effective.
From the Control Panel, proceed to Internet Options then click on the Security tab. With XP Pro you will find Internet Options as a top level option. With Windows 7 and Windows 8, first select Network and Internet and then Internet Options. (Note: you can also access Internet Options from within Internet Explorer itself. Launch IE, click on Tools - or if you can't see the menu try ALT-F then Tools or ALT-T to go directly to Tools - then choose Internet Options at the end of the menu or just press O and finally click on the Security tab. Yet another method is to run inetcpl.cpl.)
On the Security tab, select Local intranet and click the Sites button. When the Local intranet dialog appears, click the Advanced button.
Under “Add this website to the zone:” type the mapped drive letter/path or the UNC path to the network drive. It may include the executable file itself, but that is not important; the executable name will be stripped off. Despite the word “website” on this screen (wording that is wrong and confusing, since these local intranet paths are not websites), what is entered here is a shared network path on another networked PC.
We used to always uncheck the "Automatically detect intranet network" option and then also uncheck the "Include all network paths" option; however, adding a "site" to the zone is supposed to take precedence over the general Local intranet settings. Sometimes we have found that, for the security warning to go away, we have nonetheless still had to uncheck the "Include all network paths" option. So if your warning message persists after following the above, try making those additional changes.
Click on Add and in the "Websites" list box you will see a reference such as the one above or with the server name, e.g. file://computername (where computername is the name of your in-house server or other PC with a shared drive that you want to add to this zone). Click on Close and then OK on each of the prior forms/screens.
Repeat on each PC in your network.
You do not have to restart or reboot for these settings to take effect. Exit Internet Options (or Internet Explorer, if the changes were made there) and then try your desktop icon to see whether the warning message is gone.
If the same executable is later replaced by a file downloaded via a browser that attaches a zone identifier, or by a file from elsewhere on your system that already carries one, then even with the security options above in place, and regardless of how UAC has been set, the user will see a warning like the one below.
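The Internet Options steps above write per-host zone assignments into the current user's registry, so the same change can be made, audited and reverted from PowerShell. The following is an added example and not code from the original post: it assumes the ZoneMap layout used by Internet Explorer and the Windows shell (HKCU\...\Internet Settings\ZoneMap\Domains\<host>, one DWORD value per URL scheme whose data is the zone number, 1 being Local intranet), and the server name `fileserver01` is a placeholder. Because it targets a single named host rather than the "Include all network paths" setting, it keeps the narrower scope the post recommends.

```powershell
# Added example (not from the original post): registry equivalent of
# Internet Options > Security > Local intranet > Sites > Advanced.
# Assumes the ZoneMap layout: Domains\<host>\<scheme> = zone number (DWORD).
# 'fileserver01' below is a constructed placeholder host name.

$ZoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$LocalIntranetZone = 1

function Add-FileServerToLocalIntranet {
    param(
        [Parameter(Mandatory)] [string] $ServerName   # e.g. '\\fileserver01\apps' or 'file://fileserver01'
    )
    # The ZoneMap is keyed by host, not by mapped drive letter, so reduce the
    # input to the bare host name (strip a leading \\ or file:// and any share path).
    $hostName = (($ServerName -replace '^(file://|\\\\)', '') -split '[\\/]')[0]
    if (-not $hostName) { throw "Could not derive a host name from '$ServerName'" }

    $key = Join-Path $ZoneMap "Domains\$hostName"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Value name is the URL scheme ('file'); its data is the zone number.
    New-ItemProperty -Path $key -Name 'file' -PropertyType DWord `
        -Value $LocalIntranetZone -Force | Out-Null
    Get-ItemProperty -Path $key -Name 'file' | Select-Object PSChildName, file
}

function Remove-FileServerFromLocalIntranet {
    param([Parameter(Mandatory)] [string] $HostName)
    # Reverts the change above for one host (the key is removed only if 'file'
    # was its sole scheme entry, so other scheme assignments are preserved).
    $key = Join-Path $ZoneMap "Domains\$HostName"
    if (-not (Test-Path $key)) { return }
    Remove-ItemProperty -Path $key -Name 'file' -ErrorAction SilentlyContinue
    $remaining = (Get-Item $key).Property
    if (-not $remaining) { Remove-Item -Path $key }
}

function Get-LocalIntranetFileServers {
    # Lists every host whose file:// scheme is mapped to the Local intranet zone,
    # which is what you would check when auditing a workstation.
    Get-ChildItem (Join-Path $ZoneMap 'Domains') -ErrorAction SilentlyContinue |
        ForEach-Object {
            $zone = (Get-ItemProperty -Path $_.PSPath -Name 'file' -ErrorAction SilentlyContinue).file
            if ($zone -eq $LocalIntranetZone) { $_.PSChildName }
        }
}

function Get-IntranetZoneSettings {
    # The two general checkboxes discussed above, as stored in the registry:
    #   AutoDetect    = "Automatically detect intranet network"
    #   UNCAsIntranet = "Include all network paths (UNCs)"
    # Leave these alone unless a per-host entry by itself does not silence the warning.
    Get-ItemProperty -Path $ZoneMap -Name AutoDetect, UNCAsIntranet -ErrorAction SilentlyContinue |
        Select-Object AutoDetect, UNCAsIntranet
}

# Usage with the placeholder host:
Add-FileServerToLocalIntranet -ServerName '\\fileserver01\apps'
Get-LocalIntranetFileServers
Get-IntranetZoneSettings
```

The change lives under HKCU, so it needs no elevation and applies only to the user who runs it; as the post says, it has to be repeated on each PC (and for each user profile) in the network.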
Open File - Security Warning example: the same executable re-copied from a local drive where "Always ask" had not been unchecked, or re-downloaded via IE, with the local intranet settings referencing the PC mapped as drive S: now in place:
This warning is then identical to the one for an executable first run on a user's local drive, and notice that the user will now similarly be able to choose to open it in the future without the warning (while still being able at least to verify that it is from the same publisher, but not much more). This does not guarantee that the file is completely safe, but that job is best left to other procedures and protocols.
A better solution than the above would be to allow end users to "trust" individual files, including executables, regardless of their location (especially if the executable has been digitally signed and therefore involves a known, verified publisher). File verification technology (such as a file hash, which would need to take into account the alternate data streams associated with the file) would then detect changes to the file; a change would trigger a new one-time warning (ideally with more information about the nature of the change), which a user with no additional privileges could then use to stop the file from running, as in the last example above. The trust could be set as a property of the icon by a user with administrative privileges, i.e. "trust this file." This is also not a perfect solution, but an approach of this nature, combined with other security software and related protocols and procedures, would provide a better balance between security and ease of use.
Some additional technical details: zone identifiers are stored in alternate data streams (ADS), which came into existence with Windows NT (first introduced in 1993) and are sometimes referred to as NTFS ("new technology file system") streams. They allow the very same file to carry more than a single data stream and exist only on NTFS drives. These additional streams are not readily viewable without special tools such as Microsoft's Streams (a Sysinternals utility) or, more recently, Windows PowerShell. Unfortunately malware can also take advantage of alternate data streams, but ADS is built into NTFS and cannot be disabled.
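The two preceding paragraphs describe what a zone identifier is and sketch a "trust this file, warn again only if it changes" design whose hash would have to cover the alternate data streams. The example below is added here and is not code from the original post; it uses only the built-in `-Stream` parameters of `Get-Item`/`Get-Content`, `Get-FileHash` and `Unblock-File`, assumes Windows PowerShell 5.1 (for `-Encoding Byte`), and uses a placeholder path. It reads the Zone.Identifier stream (an INI-style text with a `ZoneId=` line), hashes every stream of the file, and compares a later snapshot against a stored baseline so that a re-copied or re-downloaded executable, or a newly attached mark, is reported rather than silently run.

```powershell
# Added example (not from the original post). Assumes Windows PowerShell 5.1
# on an NTFS volume; the file path at the bottom is a constructed placeholder.

# URL security zone numbers as written into Zone.Identifier by browsers/the shell.
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';    4 = 'Restricted sites' }

function Get-ZoneIdentifier {
    param([Parameter(Mandatory)] [string] $Path)
    # Get-Content -Stream reads the named stream; an unmarked file has none.
    $lines = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $lines) { return $null }
    # Stream body looks like: [ZoneTransfer] / ZoneId=3 / (newer Windows) ReferrerUrl= / HostUrl=
    $result = [ordered]@{ Path = $Path }
    foreach ($line in $lines) {
        if ($line -match '^\s*([A-Za-z]+)\s*=\s*(.*)$') { $result[$Matches[1]] = $Matches[2].Trim() }
    }
    if ($result.Contains('ZoneId')) { $result['ZoneName'] = $ZoneNames[[int]$result['ZoneId']] }
    [pscustomobject]$result
}

function Get-FileStreamHashes {
    param([Parameter(Mandatory)] [string] $Path)
    # Get-Item -Stream * lists the unnamed data stream (':$DATA') plus every named stream,
    # so the hash set covers the program bytes AND any mark of origin attached to them.
    foreach ($s in Get-Item -LiteralPath $Path -Stream *) {
        if ($s.Stream -eq ':$DATA') {
            $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
        } else {
            $bytes = Get-Content -LiteralPath $Path -Stream $s.Stream -Encoding Byte -ReadCount 0
            if ($null -eq $bytes) { $bytes = [byte[]]@() }   # empty named stream
            $sha  = [System.Security.Cryptography.SHA256]::Create()
            $hash = ($sha.ComputeHash([byte[]]$bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
        }
        [pscustomobject]@{ Stream = $s.Stream; Length = $s.Length; SHA256 = $hash }
    }
}

function Compare-FileStreamBaseline {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] $Baseline    # output of Get-FileStreamHashes taken when the file was trusted
    )
    # Reports each stream as unchanged/changed/added/removed. 'Zone.Identifier added'
    # is exactly the re-copied/re-downloaded case from the post; ':$DATA changed'
    # means the program itself is no longer the one that was trusted.
    $before = @{}; foreach ($b in $Baseline)                     { $before[$b.Stream] = $b.SHA256 }
    $after  = @{}; foreach ($a in (Get-FileStreamHashes -Path $Path)) { $after[$a.Stream]  = $a.SHA256 }
    foreach ($name in (@($before.Keys) + @($after.Keys) | Sort-Object -Unique)) {
        $state = if (-not $before.Contains($name))      { 'added' }
                 elseif (-not $after.Contains($name))   { 'removed' }
                 elseif ($before[$name] -ne $after[$name]) { 'changed' }
                 else                                   { 'unchanged' }
        [pscustomobject]@{ Stream = $name; State = $state }
    }
}

# Usage with a placeholder path:
$exe = 'C:\Downloads\tool.exe'
Get-ZoneIdentifier -Path $exe                 # $null when the file carries no mark
$baseline = Get-FileStreamHashes -Path $exe   # store this when the file is trusted
# ... later, e.g. after the file has been re-copied or re-downloaded:
Compare-FileStreamBaseline -Path $exe -Baseline $baseline
# Unblock-File deletes the Zone.Identifier stream, the same effect as clearing "Always ask":
# Unblock-File -LiteralPath $exe
```

Run as the ordinary user who owns the download; nothing here needs elevation. On PowerShell 7 replace `-Encoding Byte -ReadCount 0` with `-AsByteStream -Raw`.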
Internet Zones discussed in the context of Internet Explorer 11:
http://technet.microsoft.com/en-us/library/dd346863.aspx
Security Zones:
http://technet.microsoft.com/en-us/library/dd361896.aspx
Note these definitions/discussion from the above:
Local intranet zone: "The Local intranet zone includes all sites inside an organization's firewall (for computers connected to a local network)."
Include all network paths option: "Include all network paths (UNCs). Network paths (for example, \\servername\sharename\file.txt) are typically used for local network content that should be included in the Local intranet zone. If some of your network paths should not be in the Local intranet zone, clear this check box and then use other means to designate the Local intranet zone membership. In certain Common Internet File System (CIFS) configurations, for example, it is possible for a network path to reference Internet content."
Firefox browser: Firefox had an option in its about:config settings to remove zone information when files were downloaded in a number of older releases. The setting which could be set to false was:
browser.download.saveZoneInformation
However that has since been removed in the latest Firefox releases and can no longer be set. Since January of 2014, Firefox only marks executable file types with a zone identifier indicating Internet origin.
Scanners: a free scanner that can detect otherwise invisible alternate data streams (you can choose whether to show or ignore "safe" ADS content, and you can remove either kind, including the safe type that triggers the "Do you want to run file?" message):
http://www.pointstone.com/products/ADS-Scanner/
There are other free scanners such as Microsoft's Streams:
http://technet.microsoft.com/en-us/sysinternals/bb897440