The publisher could not be verified - digital signature

My question is similar to this one from 09/14/2005

no digital signature warning - how to make it go away.  Extremely Urgent
asked by chris_certified-nets on 09/14/2005 10:53AM PDT  


I have a Windows Server 2003 terminal server allowing access to ONE app, Mas90 version 5.5.  When the users launch the app they get an "Open File - Security Warning" that the app does not have a digital signature and prompts them to hit "run" to launch it.  In Windows 2000 server there was a GP object ot make these not prompt and run transparently, but I can't find it in 2003.  How can I make this not prompt but just run?
To add to the fun, I am here today only to set up this server and would like to not have to drive cross country back to fix it on another day, so lots of points for a fast answer.


The difference is that I am running Citrix Presentation Server on the Windows Server 2003 (SP1) terminal server and I am not running a single app, there are several including Microsoft Business Solutions - Solomon 5.50.2071.

The solution posted back then was to modify 2 HKCU keys:

1.  HKCU\ Software\ Policies\ Microsoft\ Internet Explorer\ Download\ RunInvalidSignatures

2.  HKCU\ Software\ Policies\ Microsoft\ Internet Explorer\ Main\ CheckExeSignatures


I configured the first key but the second does not exist on my system.  The problem was not cured by item 1 alone.

I did find a solution:

To disable the warning start the Group Policy Editor (Start > Run, type
-gpedit.msc- and press OK) and go to:

-User Configuration > Administrative Templates > Windows Components > 
Attachment Manager- then set -Inclusion list for low file types- to
Enabled and enter the file types you don't want to be warned about in
the box (for example: .exe).


It indeed works! After this change the security notification doesn't appear any more when exe files are executed.  However,  any exe is now allowed to run on this server.  This is dangerous.

Can anyone make the solution provided by Netman66 work, am I overlooking something?
Is there a different way to allow only apps that I (the admin) approve without the user having to click on the run link every time?
 
LVL 3
langerkingAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

mcsweenSr. Network AdministratorCommented:
You can allow this behavior a couple of ways.  I'm not sure which one(s) will work for you.

You can add the application to the exceptions list for the Windows Firewall (or just turn the firewall off)
You can add *.mydomain.local to the list of intranet sites in IE (this can be done with a GPO under User Config -->IE Maintenance)
You can create a batch file to start the application and use the batchfile as the startup program and let it start MAS90.
Bacth file line would read
Start X:\path\to\mas90\mas90.exe

Hope that one of these will help you!
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
mcsweenSr. Network AdministratorCommented:
FYI: The reason the last one works is because cmd.exe will start the file and the same check doesn't exist when using cmd.exe.  Seems like it would be exploitable though, good job MS!
0
langerkingAuthor Commented:
Thanks mcsween!  The windows firewall is turned off, sorry I didn't mention this.  It is the digital signature requirement:
   Open File - Security Warning
   The publisher could not be verified.  Are you sure you want to run this software?

Then you have to click the run button to launch.  It's not being blocked by the firewall

I will try to implement one of your other solutions



0
Cloud Class® Course: MCSA MCSE Windows Server 2012

This course teaches how to install and configure Windows Server 2012 R2.  It is the first step on your path to becoming a Microsoft Certified Solutions Expert (MCSE).

mcsweenSr. Network AdministratorCommented:
If it's not a firewall issue then IDK if my second solution will work, but I have personally used the third solution in some of my vbscripts (Calling cmd /c program.exe -switches) from my script instead of calling program.exe because of the same issue.

Good Luck and I hope you don't have to drive cross country again for this!
0
langerkingAuthor Commented:
The other thing I wanted to comment is that I am not running mas90.exe - I have no idea what this is - I was just referring to an earlier solution to a problem similar to mine.

The apps that I am running with this problem are: Solomon vs. 5.50.2071, Abra (HR and Payroll), Goldmine 6.0.

0
langerkingAuthor Commented:
Hi mcsween,
I accepted your answer - the third solution worked.  I can launch Solomon this way.  Thanks!
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.