Tag Archives | GPO

IE GPO Zone Templates and the “Open File – Security Warning”

Since you’re reading this you probably already know that Internet Explorer has a number of security zones. URLs are treated differently depending on the zone they fall into. These security zones apply not just to URLs in Internet Explorer but to windows in general e.g. accessing files from a network location. My specific problem was a GPO start-up script that ran backinfo to display the server info on the desktop when an admin user logs on. Backinfo.exe an unsigned application stored on the netlogon share would throw the Open File – Security Warning every time it was launched. More about that soon.

Open File Security Warning

In the enterprise it’s desirable to configure all these zone and security settings using group policy but there are a few gotchas that can make the configuration and testing process a bit confusing.

gpo

A standard zone template can be applied to a user’s settings. After you apply this template you can do a gpupdate /force/target:user; you won’t get a warning about logging on/off. Now in Internet Explorer you’ll notice a couple of things. (1)The security level and visual slider for the zone on the security page will not have changed and will not reflect the template you’ve selected in the GPO. (2)If you click on “Custom level” you’ll see that the individual settings that the selected template represents are in fact set and are now unchangeable, i.e. the policy has applied.
securitypage

Ok so at this point we could be forgiven for assuming that the policy has been fully applied to the system; we can see the changes in IE and we know that gpupadte didn’t ask us to log off/on.

Now on to the “Open File – Security Warning “, this is affected by the setting pictured above, “Launching applications and unsafe files”. Since this is a trusted zone we trust all the locations in this zone so we are happy to launch unsigned applications without a security warning. For some strange reason this setting is one of the only ones that can’t be set individually with group policy, the only way to set it (via GPO) is to apply a template as described above. Both “Low” and “Medium Low” will allow applications to launch from a network location without a security warning.

The thing that’s really confusing is that even though doing the gpupdate updates the policy in IE it is not fully applied to the reset of the system until you log off/on.

In Conclusion

  • Security templates are not visually reflected in the security page of Internet Explorer even though they are applied.
  • Security zone settings are applied to Internet Explorer by doing a gpupdate but a log off/on is required to apply these settings to the rest of the OS
  • The “Launching applications and unsafe files” setting determines whether the “Open File – Security Warning” dialog is displayed when launching applications from a given location
  • The “Launching applications and unsafe files” cannot be set with a an indvidual GPO setting. (You could create a custom adm file though)
  • When setting zone security via GPO I recommend making the Internet Explorer security page invisible to users to avoid confusion as they can still quite happily adjust the security level slider, it just won’t have any effect!
0

Deny yourself access to a Group Policy

When clicking too fast you accidentally denied “Full Control” to “Authenticated Users” for a Group policy you were working on. Since deny takes precedence over allow the results are that you are now denied the ability edit the GPO at all. This includes editing permissions to remove the blundered Access control entry! In the Group Policy management console it Looks like this:

GPO

Components of a Group Policy Object

A GPO is made up of two parts; a set of files in sysvol and an Active Directory object. When correcting GPO permissions you must modify the ACL on the AD object using DSACLS (included in the w2k3 support tools) and the sysvol NTFS permission.

The following dsacls command will remove the offending deny ACE from the ACL, in this case “Authenticated Users” from the AD object. The object is named by the GUID that can be seen on the inaccessible object in the GPMC.

dsacls cn={3EE757FE-B5A4-4D23-937D-A3AF5G7F0CEA}, cn=Policies, cn=System, dc=wordpress, dc=com /R “Authenticated Users”

If successful this command will return a full list of the permissions for the object

Next up you need to remove the deny ACE from the policy’s NTFS folder ACL. Again the GUID of the policy is used to name the folder:
\wordpreessSysvolwordpress.comPolicies{3EE757FE-B5A4-4D23-937D-A3AF5G7F0CEA}

NTFS ACL

At this point your GPO will be accessible within the GPMC and the permissions will be consistent across AD and Sysvol. All that’s left to do is to add “Authenticated Users” back to the GPO. Do this by editing the GPO with the group policy editor; doing so will apply permission changes to both the AD object object and the Sysvol policy folder.

Just thought this might help someone, not that it’s ever happen to me! ;-p

1