Windows – Disable Application run – Security warning

group-policysecurity-warningwindows

Our company has an internal software application (.xbap and .application) that is launched through Internet Explorer and it's hosted on several servers. There are tens of computers that access it. Every time anyone tries to open it there is a Security warning popup.

My goal is to get rid of the warning popup and go straight to launching that application.

I've googled around and found some ways:

Add exception to Internet explorer security settings – it's blocked by administration and it would work for the local machine, I want to get rid of the popup for all machines.
Generate certificate and sign code – I've successfully signed my code, but security warning popup still appears, but there is a green shield icon instead of the red one (it still appears because the program requires Machine Access – and it always will).

Now I want some way to change group policy, so Admins will take list of servers where our application runs, add it to exception for this security warning popup. This way we won't have to change IE security settings on tens of PCs.

Is this possible? Or is there any other way?

Edit:

Picture of security warning. Let me know if it's there, I can't see it myself.

I cannot upload my screenshot (policy), but I found this one which is exactly the same:

When I signed my code, the shield turned green and publisher field was filled, but the popup remained.

Edit2: My bad, the application is not .exe but .xbap and .application

Edit3: Managed to get rid of the popup. After code signing, I've added the certificate in IE Trusted Root Certification Authorities and Trusted Publisher. Now I just need to find a way to add it for all users.

Best Answer

The solution that solved my problem.

I've signed my application with a certificate (pfx - with private key). (In Visual studio, right click project, properties, signing ClickOnce manifest)
I've passed the certificate without the private key (.cer) to our admin team and they used Group policy (GPO) to add this certificate to IE - Trusted Root Certification Authorities and Trusted publishers.

As a user, I would add it through IE \ Internet options \ Content \ Certificates, correct tabs.

Commands

Set-ClientAccessServer -Identity EXCHANGE-SERVER -AutoDiscoverServiceInternalUri https://exchange-server.yourdomain.com/Autodiscover/Autodiscover.xml

Enable-OutlookAnywhere -Server EXCHANGE-SERVER -ExternalHostname "exchange-server.yourdomain.com" -DefaultAuthenticationMethod "Basic" -SSLOffloading:$False

Set-OABVirtualDirectory -identity "EXCHANGE-SERVER\OAB (Default Web Site)" -externalurl https://exchange-server.yourdomain.com/OAB -RequireSSL:$true -InternalUrl https://exchange-server.yourdomain.com/OAB

Set-WebServicesVirtualDirectory -identity "EXCHANGE-SERVER\EWS (Default Web Site)" -externalurl https://exchange-server.yourdomain.com/EWS/Exchange.asmx -BasicAuthentication:$True -InternalUrl https://exchange.haseke.de/EWS/Exchange.asmx

How to suppress “WARNING: This key is not certified with a trusted signature!”

Any page that tells you to use --edit-key <id> trust in order to suppress this warning is, generally, going in the completely wrong direction. The confusing message actually has nothing to do with the key's trust setting. A trusted signature is one that was made by a valid key:

Key validity defines whether this key belongs to the person that it claims.
Key trust defines whether this key is allowed to sign other keys (Web-of-Trust). In other words, a trusted key may act as a CA and mark other keys as valid, transitively.

So in order to suppress the "untrusted signature" warning on a per-key basis, you have to mark the key as a valid (as that's literally the purpose of this warning).

To mark a key as valid, you usually sign it:

gpg --lsign-key "4DCE 3C80 AAB2 CAB1 E60C  9A3C 05F4 2D66 9306 CC77"

Alternatively if you have the 'tofu' or 'tofu+pgp' trust-model active, you can also do:

gpg --tofu-policy good "4DCE 3C80 AAB2 CAB1 E60C  9A3C 05F4 2D66 9306 CC77"

Now you should see this in --list-keys or --edit-key:

pub  dsa1024/05F42D669306CC77
     created: 2011-08-31  expires: never       usage: SC  
     trust: unknown       validity: full

There is also a config option to suppress this warning for all keys; it's called trust-model always. It means GnuPG acts as if all keys were signed by a fully trusted key.

Finally, subkeys have neither trust nor validity settings, they're only containers for cryptographic parameters so they inherit this from the primary key.

Best Answer

Related Solutions

Outlook shows certificate security warning in local LAN although certificate is only associated to IIS

Commands

How to suppress “WARNING: This key is not certified with a trusted signature!”

Related Question