Solved

Disable Windows XP "File Download Security Warning" .lnk files

Posted on 2011-09-09
Last Modified: 2012-05-12

I'm trying to suppress the file download – security warning for users accessing a .lnk file embedded within a webpage hosted on an intranet.
The .lnk file calls back to a shortcut located on a Windows 2000 SP4 server.
I’ve tried the following steps using GPO, but with no success:
Configuration Settings:
> Default risk level for file attachments: Set it to Enabled and Set the default risk level to [Low Risk]
> Inclusion list for low file types: Set it to Enabled and add the file extension [.lnk]
> Do not preserve zone information in file attachments: Set it to Enabled.
> Add the UNC to Local Intranet or Trusted Sites
> Log off and log back in
> Test accessing the UNC share
Registry keys results after GPO is applied
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".lnk"
"DefaultFileTypeRisk"=dword:00001808
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=dword:00000001
Any advice please?


Question by:SYPTE-IT
7 Comments
 
LVL 38

Expert Comment

by:BillDL
ID: 36515484
It's not clear what you are actually trying to do with that .LNK file, and there may be a better way without using a .LNK file and messing with security permissions.

A brief explanation about "Zone" information that may help you understand how Windows "flags" files that are copied from one computer to another, and this includes files downloading from a web page and the browser cache.  This may be relevant to your issue.

The embedded data is written using the same method as a malicious RootKit uses to embed a file inside another and execute it on demand, ie. Alternate Data Stream or ADS.  This is only supported on NTFS volumes.
http://www.wikistc.org/wiki/Alternate_data_streams
 
In the case of the ZoneIdentifier, the data is embedded inside the file like this:
:Zone.Identifier:$DATA       26
The actual data is in the format of an *.INI file. It contains a number that identifies the Internet "Zone" where the file came from, eg.

[ZoneTransfer]
ZoneId=n

where n = one of the following numbers:
NoZone = -1
MyComputer = 0
Intranet = 1
Trusted = 2
Internet = 3
Untrusted = 4

The presence of the ZoneIdentifier is what shows the "Are you sure you want to open/execute this file".  The "always show this" tick-box in that dialog allows you to "unblock" the file, and just removes the Data Stream from it.  The Right-Click > Properties dialog for the file will also have an "Unblock" button that does the same.

You can see if a file has the ADS ZoneIdentifier by using SysInternals streams.exe (http://technet.microsoft.com/en-us/sysinternals/bb897440) like this:
streams filename.ext
and the command:
more < "filename.ext:Zone.Identifier"
or
Notepad "filename.ext:Zone.Identifier"
will show the content.

http://forum.sysinternals.com/topic9115.html

So, what exactly are you trying to do with your .LNK file?
Are you just trying to distribute a desktop shortcut to users, or are you actually trying to have users execute the .LNK file from a hyperlink in a web page?
0
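
The [ZoneTransfer] format and zone numbers described in the comment above can be checked with a short parser. This is an added example, not part of the original thread or of any Microsoft tool; the function names and the sample stream contents are constructed for illustration.

```python
import configparser

# Zone numbers as listed in the comment above.
ZONES = {-1: "NoZone", 0: "MyComputer", 1: "Intranet",
         2: "Trusted", 3: "Internet", 4: "Untrusted"}


def parse_zone_identifier(text):
    """Return (zone_id, zone_name) from Zone.Identifier stream text.

    Returns None when there is no usable [ZoneTransfer]/ZoneId entry.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text.lstrip("\ufeff"))  # tolerate a leading BOM
    except configparser.Error:
        return None
    raw = parser.get("ZoneTransfer", "ZoneId", fallback=None)
    try:
        zone_id = int(raw.strip())
    except (AttributeError, ValueError):  # missing or non-numeric ZoneId
        return None
    return zone_id, ZONES.get(zone_id, "Unknown")


def read_zone(path):
    """Read the Zone.Identifier stream of a file on an NTFS volume.

    Returns None if the file carries no such stream, or if the file
    system has no alternate data streams at all.
    """
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8",
                  errors="replace") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None


# Constructed sample stream contents (not taken from a real file).
SAMPLE_INTERNET = "[ZoneTransfer]\r\nZoneId=3\r\n"
SAMPLE_INTRANET = "\ufeff[ZoneTransfer]\r\nZoneId = 1\r\n"
SAMPLE_BROKEN = "ZoneId=3\r\n"  # section header missing

if __name__ == "__main__":
    for sample in (SAMPLE_INTERNET, SAMPLE_INTRANET, SAMPLE_BROKEN):
        print(repr(sample), "->", parse_zone_identifier(sample))
```

On Windows, read_zone() can be pointed at files on an NTFS share to list which ones still carry zone information and from which zone.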
 
LVL 66

Expert Comment

by:johnb6767
ID: 36520710
Are your Intranet Zones in IE populated properly? What does this .LNK file activate, an .exe? Check the properties on the .EXE, and make sure there is no "unblock" button.....
0
 
LVL 1

Author Comment

by:SYPTE-IT
ID: 36548002
Thank you Genius.... will check the .EXE
0

 
LVL 1

Author Comment

by:SYPTE-IT
ID: 36548068
Hi john6767

Checked the .EXE..... no unblock button within the file properties and the server is listed in the intranet zone as "file:\\server name"

Hi BillDL

Yes I'm trying to have users execute the .LNK file from a hyperlink in a web page
0
 
LVL 38

Accepted Solution

by:
BillDL earned 500 total points
ID: 36549079
Hi SYPTE-IT

To be honest, I still think you are peeing into the wind trying to hyperlink to a LNK file which has its target as an EXE.  I believe you really need to miss out the "middle man", being the LNK file, and try for a solution to set the hyperlink target directly to the EXE but temporarily circumvent the built-in IE security.

I've been messing around with this for quite some time now, but it would seem that Internet Explorer has a list of file extensions perceived as potentially dangerous hardcoded into it.

http://support.microsoft.com/kb/232077

"Internet Explorer contains a predefined, hard-coded list of file extensions that it inherently distrusts. These extensions correspond to generic executables and other kinds of files that have the capability to harm the user's machine without the proper security safeguards. The File Download dialog box cannot be prevented for any files of these types. The Always ask before opening this type of file option will be grayed out on the dialog box and you will not be able to select it. Following is the list of the file extensions for these file types.  As a convention, this article refers to any of these types of files as 'executable' files."

ade, adp, app, asp, bas, bat, cer, chm, cmd, com, cpl, crt, csh, exe, fxp, hlp, hta, inf, ins, isp, its, js, jse, ksh, lnk, mad, maf, mag, mam, maq, mar, mas, mat, mau, mav, maw, mda, mdb, mde, mdt, mdw, mdz, msc, msi, msp, mst, ops, pcd, pif, prf, prg, pst, reg, scf, scr, sct, shb, shs, tmp, url, vb, vbe, vbs, vsd, vsmacros, vss, vst, vsw, ws, wsc, wsf, wsh.

First off, the .LNK file type will NOT normally show in Folder Options > File Types because of the "EditFlags" value in the key:
[HKEY_CLASSES_ROOT\.lnkfile]
which prevents you from Editing that file type in Folder Options and there unticking the "Confirm Open After Download" box.  You can change the "EditFlags" value to zero and make it show in Folder Options, but unticking that box has no effect on the prompt I am shown in IE when I click a hyperlink that has its target as a .LNK file.

The above page shows a method of opening an "executable" which bypasses the in-built security and issues no prompts.  Scroll down to the 2nd code window under the heading "Internet Code Download linking" and you will see a "scripted" link.  Pasted here for convenience and direct reference:
 
<HTML>
<HEAD>
<TITLE>Page of executable links</TITLE>
</HEAD>
<BODY>
<BR/>

<!-- hyperlink uses central script function called linkit() -->

<A HREF="" onclick="return linkit('signed-testfile.exe');">
SIGNED-CLOCK.EXE</A>

<SCRIPT>
// linkit puts filename into HTML content and spews it into iframe
function linkit(filename)
{
   strpagestart = "<HTML><HEAD></HEAD><BODY><OBJECT CLASSID=" +
      "'CLSID:15589FA1-C456-11CE-BF01-00AA0055595A' CODEBASE='";
   strpageend = "'></OBJECT></BODY></HTML>";
   runnerwin.document.open();
   runnerwin.document.write(strpagestart + filename + strpageend);
   window.status = "Done.";
   return false;  // stop hyperlink and stay on this page
}
</SCRIPT>

<!-- hidden iframe used for inserting html content -->

<IFRAME ID=runnerwin WIDTH=0 HEIGHT=0 SRC="about:blank"></IFRAME>

<BR/>
</BODY>
</HTML>


So, all you need is the "linkit" Script on the page, and for each link you create to an executable you just use a modification of a normal hyperlink like this:

<P><A HREF="" onclick="return linkit('file1.exe');">Click to open FILE1</A></P>
<P><A HREF="" onclick="return linkit('file2.exe');">Click to open FILE2</A></P>

Unfortunately I am not conversant enough with JavaScript to make this work (if it is even possible) with any target EXE file that IS NOT in the same folder as the HTM file calling it.  I have tried numerous permutations of UNC paths, relative paths, preceding it with file:///// protocol, http:// protocol, etc, etc, and I cannot get anything to work for me.

The only workaround I could suggest is that, for each EXE file you propose calling from a hyperlink, you place a separate HTM file in the same folder as the EXE with an appropriate file name, and populate it only with a "scripted" link to that program.  You then just call the relevant HTM file from a hyperlink in your master web page, maybe as a JavaScripted presized "popup" window with a "Close" button, or just use  TARGET="_BLANK"  in the link on the master web page to make it open in a new tab.  I'm quite sure that a skilled JavaScript coder could actually take the text of a hyperlink (eg. the file name needed) and create a new popup page on the fly using the above method and with no need for separate HTM files, but that's beyond my skills.

For the Intranet Zone you would probably have to relax the "Launching Programs and Files In An iFRAME" security setting.

That's a bit clunky though.  Perhaps someone more conversant than I can make the 0 x 0 pixel <IFRAME> method described by Microsoft work with a UNC path to a program file.

IF ALL your EXE files are in one share folder, then a convenient way to display the exe files and allow the user to double-click on them would be by placing an <IFRAME> within the page, as described under the "IFRAME linking" heading on the above Microsoft page.

Example:
<p>
<IFRAME WIDTH=200 HEIGHT=100 SRC="\\Computer1\PROGS"></IFRAME>
</p>

There are probably a number of other methods of bypassing security with scripting without disabling security settings permanently, but the above are all that I found and I hope that maybe you can use the concept somehow.

Bill
0
 
LVL 1

Author Closing Comment

by:SYPTE-IT
ID: 36929877
Thanks, it looks like you are right in saying that using another method is the best way
0
 
LVL 38

Expert Comment

by:BillDL
ID: 36930657
Thank you SYPTE-IT
0
