Solved

Disable Windows XP "File Download Security Warning" .lnk files

Posted on 2011-09-09
Last Modified: 2012-05-12

I'm trying to suppress the File Download – Security Warning for users accessing a .lnk file embedded within a webpage hosted on an intranet.
The .lnk file calls back to a shortcut located on a Windows 2000 SP4 server.
I’ve tried the following steps using GPO, but with no success:
Configuration Settings:
> Default risk level for file attachments: Set it to Enabled and set the default risk level to [Low Risk]
> Inclusion list for low file types: Set it to Enabled and add the file extension [.lnk]
> Do not preserve zone information in file attachments: Set it to Enabled.
> Add the UNC to Local Intranet or Trusted Sites
> Log off and log back in
> Test accessing the UNC share
Registry keys results after GPO is applied
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".lnk"
"DefaultFileTypeRisk"=dword:00001808
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=dword:00000001
Any advice please?


Question by:SYPTE-IT

Expert Comment

by:Insignificant Volunteer
It's not clear what you are actually trying to do with that .LNK file, and there may be a better way without using a .LNK file and messing with security permissions.

Here is a brief explanation of "Zone" information that may help you understand how Windows "flags" files that are copied from one computer to another, and this includes files downloaded from a web page and the browser cache.  This may be relevant to your issue.

The embedded data is written using the same method as a malicious RootKit uses to embed a file inside another and execute it on demand, i.e. Alternate Data Stream or ADS.  This is only supported on NTFS volumes.
http://www.wikistc.org/wiki/Alternate_data_streams
 
In the case of the ZoneIdentifier, the data is embedded inside the file like this:
:Zone.Identifier:$DATA       26
The actual data is in the format of an *.INI file. It contains a number that identifies the Internet "Zone" where the file came from, eg.

[ZoneTransfer]
ZoneId=n

where n = one of the following numbers:
NoZone = -1
MyComputer = 0
Intranet = 1
Trusted = 2
Internet = 3
Untrusted = 4

The presence of the ZoneIdentifier is what shows the "Are you sure you want to open/execute this file".  The "always show this" tick-box in that dialog allows you to "unblock" the file, and just removes the Data Stream from it.  The Right-Click > Properties dialog for the file will also have an "Unblock" button that does the same.

You can see if a file has the ADS ZoneIdentifier by using SysInternals streams.exe (http://technet.microsoft.com/en-us/sysinternals/bb897440) like this:
streams filename.ext
and the command:
more < "filename.ext:Zone.Identifier"
or
Notepad "filename.ext:Zone.Identifier"
will show the content.

http://forum.sysinternals.com/topic9115.html

So, what exactly are you trying to do with your .LNK file?
Are you just trying to distribute a desktop shortcut to users, or are you actually trying to have users execute the .LNK file from a hyperlink in a web page?
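
The stream format described in the comment above can be parsed and used to list marked files. This is an added example, not part of the original thread; the function names and the sample text are constructed for illustration, and reading the stream by path only works on an NTFS volume under Windows.

```python
import configparser
import os

# Zone numbers as listed in the comment above.
ZONES = {-1: "NoZone", 0: "MyComputer", 1: "Intranet",
         2: "Trusted", 3: "Internet", 4: "Untrusted"}

# Constructed sample of the stream's INI-style content.
SAMPLE = "[ZoneTransfer]\r\nZoneId=3\r\n"


def parse_zone_identifier(text):
    """Return (zone_id, zone_name), or None if the text is not a usable marker."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text.lstrip("\ufeff"))  # tolerate a leading BOM
        zone_id = int(parser.get("ZoneTransfer", "ZoneId"))
    except (configparser.Error, ValueError):
        return None  # no [ZoneTransfer] section, no ZoneId, or not a number
    return zone_id, ZONES.get(zone_id, "Unknown")


def read_zone(path):
    """Read path:Zone.Identifier (NTFS on Windows); None if the stream is absent."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


def marked_files(root):
    """Yield (path, zone_id, zone_name) for each file under root that carries the stream."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            zone = read_zone(full)
            if zone is not None:
                yield (full, *zone)


if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE))
    for hit in marked_files(os.getcwd()):
        print(hit)
```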

Expert Comment

by:johnb6767
Are your Intranet Zones in IE populated properly? What does this .LNK file activate, an .exe? Check the properties on the .EXE, and make sure there is no "unblock" button.....

Author Comment

by:SYPTE-IT
Thank you Genius.... will check the .EXE

Author Comment

by:SYPTE-IT
Hi john6767

Checked the .EXE..... no unblock button within the file properties, and the server is listed in the intranet zone as "file:\\server name"

Hi BillDL

Yes I'm trying to have users execute the .LNK file from a hyperlink in a web page

Accepted Solution

by:
Insignificant Volunteer earned 500 total points
Hi SYPTE-IT

To be honest, I still think you are peeing into the wind trying to hyperlink to a LNK file which has its target as an EXE.  I believe you really need to miss out the "middle man", being the LNK file, and try for a solution to set the hyperlink target directly to the EXE but temporarily circumvent the built-in IE security.

I've been messing around with this for quite some time now, but it would seem that Internet Explorer has a list of file extensions perceived as potentially dangerous hardcoded into it.

http://support.microsoft.com/kb/232077

"Internet Explorer contains a predefined, hard-coded list of file extensions that it inherently distrusts. These extensions correspond to generic executables and other kinds of files that have the capability to harm the user's machine without the proper security safeguards. The File Download dialog box cannot be prevented for any files of these types. The Always ask before opening this type of file option will be grayed out on the dialog box and you will not be able to select it. Following is the list of the file extensions for these file types.  As a convention, this article refers to any of these types of files as 'executable' files."

ade, adp, app, asp, bas, bat, cer, chm, cmd, com, cpl, crt, csh, exe, fxp, hlp, hta, inf, ins, isp, its, js, jse, ksh, lnk, mad, maf, mag, mam, maq, mar, mas, mat, mau, mav, maw, mda, mdb, mde, mdt, mdw, mdz, msc, msi, msp, mst, ops, pcd, pif, prf, prg, pst, reg, scf, scr, sct, shb, shs, tmp, url, vb, vbe, vbs, vsd, vsmacros, vss, vst, vsw, ws, wsc, wsf, wsh.

First off, the .LNK file type will NOT normally show in Folder Options > File Types because of the "EditFlags" value in the key:
[HKEY_CLASSES_ROOT\.lnkfile]
which prevents you from Editing that file type in Folder Options and there unticking the "Confirm Open After Download" box.  You can change the "EditFlags" value to zero and make it show in Folder Options, but unticking that box has no effect on the prompt I am shown in IE when I click a hyperlink that has its target as a .LNK file.

The above page shows a method of opening an "executable" which bypasses the in-built security and issues no prompts.  Scroll down to the 2nd code window under the heading "Internet Code Download linking" and you will see a "scripted" link.  Pasted here for convenience and direct reference:
 
<HTML>
<HEAD>
<TITLE>Page of executable links</TITLE>
</HEAD>
<BODY>
<BR/>

<!-- hyperlink uses central script function called linkit() -->

<A HREF="" onclick="return linkit('signed-testfile.exe');">
SIGNED-CLOCK.EXE</A>

<SCRIPT>
// linkit puts filename into HTML content and spews it into iframe
function linkit(filename)
{
   strpagestart = "<HTML><HEAD></HEAD><BODY><OBJECT CLASSID=" +
      "'CLSID:15589FA1-C456-11CE-BF01-00AA0055595A' CODEBASE='";
   strpageend = "'></OBJECT></BODY></HTML>";
   runnerwin.document.open();
   runnerwin.document.write(strpagestart + filename + strpageend);
   window.status = "Done.";
   return false;  // stop hyperlink and stay on this page
}
</SCRIPT>

<!-- hidden iframe used for inserting html content -->

<IFRAME ID=runnerwin WIDTH=0 HEIGHT=0 SRC="about:blank"></IFRAME>

<BR/>
</BODY>
</HTML>


So, all you need is the "linkit" Script on the page, and for each link you create to an executable you just use a modification of a normal hyperlink like this:

<P><A HREF="" onclick="return linkit('file1.exe');">Click to open FILE1</A></P>
<P><A HREF="" onclick="return linkit('file2.exe');">Click to open FILE2</A></P>

Unfortunately I am not conversant enough with JavaScript to make this work (if it is even possible) with any target EXE file that IS NOT in the same folder as the HTM file calling it.  I have tried numerous permutations of UNC paths, relative paths, preceding it with file:///// protocol, http:// protocol, etc, etc, and I cannot get anything to work for me.

The only workaround I could suggest is that, for each EXE file you propose calling from a hyperlink, you place a separate HTM file in the same folder as the EXE with an appropriate file name, and populate it only with a "scripted" link to that program.  You then just call the relevant HTM file from a hyperlink in your master web page, maybe as a JavaScripted presized "popup" window with a "Close" button, or just use  TARGET="_BLANK"  in the link on the master web page to make it open in a new tab.  I'm quite sure that a skilled JavaScript coder could actually take the text of a hyperlink (eg. the file name needed) and create a new popup page on the fly using the above method and with no need for separate HTM files, but that's beyond my skills.

For the Intranet Zone you would probably have to relax the "Launching Programs and Files In An iFRAME" security setting.

That's a bit clunky though.  Perhaps someone more conversant than I can make the 0 x 0 pixel <IFRAME> method described by Microsoft work with a UNC path to a program file.

IF ALL your EXE files are in one share folder, then a convenient way to display the exe files and allow the user to double-click on them would be by placing an <IFRAME> within the page, as described under the "IFRAME linking" heading on the above Microsoft page.

Example:
<p>
<IFRAME WIDTH=200 HEIGHT=100 SRC="\\Computer1\PROGS"></IFRAME>
</p>

There are probably a number of other methods of bypassing security with scripting without disabling security settings permanently, but the above are all that I found and I hope that maybe you can use the concept somehow.

Bill
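
For administrators who want to find machines where these settings have been relaxed, the following added example (not part of the original thread) audits a .reg export for the three policy values posted in the question and checks LowRiskFileTypes against the KB 232077 list quoted above. The function names are hypothetical, and the semicolon separator for LowRiskFileTypes is an assumption.

```python
import re

# Extensions IE always treats as executable: the KB 232077 list quoted in the answer above.
IE_DISTRUSTED = set("""ade adp app asp bas bat cer chm cmd com cpl crt csh exe fxp hlp
hta inf ins isp its js jse ksh lnk mad maf mag mam maq mar mas mat mau mav maw mda mdb
mde mdt mdw mdz msc msi msp mst ops pcd pif prf prg pst reg scf scr sct shb shs tmp url
vb vbe vbs vsd vsmacros vss vst vsw ws wsc wsf wsh""".split())

# The registry state posted in the question.
QUESTION_REG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".lnk"
"DefaultFileTypeRisk"=dword:00001808
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=dword:00000001
"""


def parse_reg(text):
    """Parse .reg export text into {key_path_lower: {value_name_lower: str or int}}."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        section = re.fullmatch(r"\[(.+)\]", line)
        value = re.fullmatch(r'"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{1,8}))', line)
        if section:
            current = keys.setdefault(section.group(1).lower(), {})
        elif value and current is not None:
            name, text_val, dword = value.groups()
            current[name.lower()] = text_val if dword is None else int(dword, 16)
    return keys


def audit(text):
    """Return findings for the policy values that suppress the open-file warning."""
    findings = []
    for path, vals in parse_reg(text).items():
        if path.endswith("\\policies\\associations"):
            # Assumption: entries are separated by semicolons.
            listed = {e.strip().lstrip(".").lower()
                      for e in str(vals.get("lowriskfiletypes", "")).split(";")}
            risky = sorted(listed & IE_DISTRUSTED)
            if risky:
                findings.append("LowRiskFileTypes includes: " + ", ".join(risky))
            if vals.get("defaultfiletyperisk") == 0x1808:  # Low Risk, per the question
                findings.append("DefaultFileTypeRisk is Low Risk")
        elif path.endswith("\\policies\\attachments"):
            if vals.get("savezoneinformation") == 1:  # "do not preserve", per the question
                findings.append("SaveZoneInformation=1: zone information not preserved")
    return findings
```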

Author Closing Comment

by:SYPTE-IT
Thanks, it looks like you are right in saying that using another method is the best way

Expert Comment

by:Insignificant Volunteer
Thank you SYPTE-IT