1

I have a web site (intranet) that allows you to download an executable (currently a .Net Console Application) written in ASP.NET and is using https.

However on many machines I can't run it right away after download - I need to right click on it, go to Properties and click Unblock which makes using this app uncomfortable (users will often have to download this executable and run - every time it is a new one as it is code generated)

Is there any way to make this executable automatically unblocked? Modifying client machine is not an option, but I can do anything with the server.

From the beginning I thought this is impossible as it is a security protection, but Chrome somehow does this. If I take a new PC with IE installed, type Chrome into Bing and install it - I don't have to unblock executable.

So far I've tested this only on W10 Chrome and IE, but I am pretty sure older Windows versions have this problem as well.

Archeg
  • What if you zip them first? – VDWWD Sep 07 '17 at 08:01
  • @VDWWD This forces the user into additional operation - unzipping. Kind of the same as if they have to go to `Properties` - `Unblock`. Also from the info I found on the web, zipped files will still have to be unblocked. I saw suggestions to change the extension and ask user to rename it back - but this is even worse than asking for an unblock – Archeg Sep 07 '17 at 08:17
  • If the Chrome download is behaving differently, this will either be a hard-coded exception or a decision based on reputation. There's nothing you can do to replicate that from the server side. But I wouldn't have thought it necessary to explicitly unblock the file; if you double-click it, don't you get prompted whether you want to run it or not? – Harry Johnston Sep 07 '17 at 08:27
  • @HarryJohnston It is possible, but I have doubts. Microsoft is not well known for supporting competitors and I hardly believe they willingly help in installing Chrome using IE (how many IEs are used just for that? :) ) But you might be right still. As for the prompt - this is weird but you do not receive a prompt. When you run the executable - nothing happens, unless you unblock it first. The only way I could run it without unblocking is to run `cmd` first and run the console app from it. This might though be a problem of the test machine I used, I will try another – Archeg Sep 07 '17 at 08:35
  • It seems reasonable to suppose that Chrome *might* be a hard-coded exception as a preemptive measure against further anti-trust lawsuits, but on the whole I think it is more likely to just be Microsoft Smartscreen (or a similar reputation-based technology) doing its thing. I suppose you could try getting an extended validation code signing certificate and see if that makes any difference. Kind of an expensive experiment though! – Harry Johnston Sep 07 '17 at 08:41
  • No it is not possible server side. Windows/your browser will append a metadata block to your file after you downloaded it from a network source which states that the file originated from an untrusted source. But you can remove the metadata manually (e.g. via command line). What trusting such a file actually does is removing that block of metadata. An option would be to download to a FAT-formatted drive, as FAT does not support metadata on files. If you want to fiddle with it, they are called alternate Datastreams and only available with NTFS. – CShark Sep 07 '17 at 08:54
  • Regarding chrome; it might be possible to avoid that marker by using a properly signed executable or a click once installer? – CShark Sep 07 '17 at 08:55
  • Ok, I see. Just thinking - is it possible to apply a group policy to trust the site and executables downloaded? The site is intranet and using https with correct certificate - but apparently, it is not enough. I know that I can switch this off for a client for all downloads, but our IT will never agree to this. Switching it off only for intranet might work if there is a way... – Archeg Sep 07 '17 at 09:02
  • Windows has several trust zones (internet, intranet, trusted sites and restricted sites) which can be setup using the windows internet options dialog (if I recall correctly). There might be an option to change that behaviour. – CShark Sep 07 '17 at 09:07
  • @CShark I think we nailed it. `Trust zone -> Internet -> Miscellaneous -> Launching applications and unsafe files` If changed to `Enable` allows me to run downloaded app with no problems (it still asks twice are you sure you want to run it, but runs anyway). Of course, I can't change this for all the clients, but it is enabled by default for Local Intranet sites - but for some reason my web site falls into "Internet" category rather than "Local Intranet". This is probably a wrong setup from IT, so my next step is to ask them to fix it and see whether this helps – Archeg Sep 07 '17 at 09:25
  • Great. I'll create an answer later when I have access to a computer again. – CShark Sep 07 '17 at 09:36

2 Answers

2

The mechanism for showing the untrusted executable dialog is based around alternate Datastreams. The metadata gets added by Windows or the browser when you download something from a network source, thus it is not possible for your file/webserver to influence this behaviour. Windows on the other hand has a ruleset which it uses to apply the flags which can be found in the TrustZone-Settings of your Internet Options.

NTFS has a neat little feature which allows for a file to have multiple contents, also known as alternate Datastreams. This is an NTFS-only feature, so you won't find it on other partition types. This basically allows you to store more data in your file which is not per se visible to the user and cannot be easily found out by a standard Windows user. Windows uses those alternate datastreams to mark the origin of a file, especially when downloaded from the inter- or intranet. The Alternate Datastream which is used for this data is called the "Zone.Identifier" and holds an ID to the zone which the file was copied from. When you decide to trust a file you basically tell Windows to remove that datastream.

Windows uses the concept of different zones to classify those files. Windows knows four zones in total: Internet, Intranet, Trusted Sites and Restricted Sites. You can alter the settings and rules for those in the Internet-Options dialog in the tab "Trust Zone".

Security Remark: Before changing your settings for the trust zones in the company consider the security risks of this thrice. As it will allow any executable from those verified sources to be executed, potentially paving the way for malicious executables which can then be started by already infected PCs or users themselves.

CShark
  • Don't you think that this advice will weaken overall security in the asker's organization? – bahrep Sep 07 '17 at 12:31
  • Hm, never thought of that. I'll add a remark. For the asker this seems not to be a concern. In his intranet this is already disabled by the company IT, only his website (which resides inside the intranet) gets classified falsely as an internet source. – CShark Sep 07 '17 at 13:22
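Added example, not code from the original question or answers: a small Python reader for the Zone.Identifier stream the answer describes, handy for checking which zone a downloaded file was actually tagged with (for instance, confirming that the asker's intranet download carries the Internet zone id rather than Local Intranet). The `<file>:Zone.Identifier` path syntax and the zone number table are assumptions about Windows/NTFS behaviour, not something the page states.

```python
# Added example (not from the page): read the Zone.Identifier stream that
# marks a downloaded file with its origin zone. Assumes Windows + NTFS, where
# the stream opens as "<file>:Zone.Identifier"; zone numbers are the Windows
# URL security zone ids (assumed, not stated on the page).

ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}
STREAM_NAME = "Zone.Identifier"


def parse_zone_identifier(text: str) -> dict:
    """Parse the INI-style stream body, e.g. (constructed sample):
        [ZoneTransfer]
        ZoneId=3
        HostUrl=https://intranet.example/app.exe
    Returns {} for an empty stream or one without a [ZoneTransfer] section."""
    result, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            result[key.strip()] = value.strip()
    zone_id = result.get("ZoneId")
    if zone_id is not None and zone_id.isdigit():
        result["ZoneId"] = int(zone_id)
        result["ZoneName"] = ZONE_NAMES.get(int(zone_id), "Unknown")
    return result


def read_mark_of_the_web(path: str) -> dict:
    """Read and parse <path>:Zone.Identifier; {} when the file has no mark."""
    try:
        with open(f"{path}:{STREAM_NAME}", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:                       # no stream, no file, or non-NTFS volume
        return {}


def marked_from_untrusted_zone(path: str) -> bool:
    """True when the mark says Internet (3) or Restricted Sites (4), the zones
    whose downloads Windows blocks or prompts on by default."""
    return read_mark_of_the_web(path).get("ZoneId") in (3, 4)
```

Run `read_mark_of_the_web(r"C:\Users\me\Downloads\app.exe")` on a freshly downloaded file to see the ZoneId and HostUrl the browser recorded; a result of `{}` means the file carries no mark at all.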
1

The correct way to resolve that issue is to sign that executable with a trusted and valid code signing certificate, preferably one with EV (Extended Validation). Windows will check the certificate when you run the file and will allow it to run without further actions as it is signed with a trusted cert.

bahrep