Sunday, Feb 14, 2010

"Open File Security - Warning"

If you've had occasion to mess around much with Windows 2003 and Windows 2008, you'll have come across this lovely error:

Open File - Security Warning

The publisher could not be verified.  Are you sure you want to run this software?

 

Obviously you don't want to be running any old .exe or .bat on your server/workstation unawares, but what about those services and startup scripts that you've carefully tuned to run? 

We have a bunch of automated stuff that we need to kick off reliably at the grind on unattended servers, and I was finding a number of them were failing to start.  When I logged into the server to see what was up I found this warning just waiting for someone to click on the Ok button.  Sheesh.  I really need this process to run on its own without someone to click Ok at the console.

I finally found the gpedit.msc setting to quiet these warnings once and for all:

Open gpedit.msc (from Start > Run) and navigate to User Configuration > Administrative Templates > Windows Components > Attachment Manager.  From here you can alter the restrictive default behavior and thus allow your vital administrative scripts to run.

Like all things Microsoft, it's infinitely configurable.  Delving into this setting allows you to configure risk analysis based on the default handler (e.g. trust Notepad.exe, but not all .txt files), or simply set a blanket policy to trust all .exe file executions.  So you don't need to completely disable the built-in security; you can tune it to your needs.
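To see how broad a tuned policy has become, the added example below (not part of the original post) reads the per-user registry values behind the Attachment Manager settings and flags blanket trust of executable types. The post names no registry keys: the path, the `LowRiskFileTypes` and `DefaultFileTypeRisk` value names and the numeric risk codes are assumptions to confirm on your own build, and `Test-AttachmentPolicy` is a hypothetical helper name.

```powershell
# Added example, not from the original post.
# Assumed location of the values written by the Attachment Manager policies.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'

# Types that run code directly; trusting one by type trusts every such file.
$executable = '.exe', '.bat', '.cmd', '.com', '.scr', '.vbs', '.js', '.msi', '.ps1'

function Test-AttachmentPolicy {
    param(
        [string]$LowRiskFileTypes,  # semicolon-separated list, e.g. ".txt;.log"
        $DefaultFileTypeRisk        # assumed codes: 6150 high, 6151 moderate, 6152 low
    )
    $findings = @()

    # Normalise the list: split, trim, lower-case, drop empty entries.
    $listed = @($LowRiskFileTypes -split ';' |
        ForEach-Object { $_.Trim().ToLower() } |
        Where-Object { $_ })

    foreach ($ext in $listed) {
        if ($executable -contains $ext) {
            $findings += "BROAD: every $ext file is low risk, not only your own scripts"
        }
    }
    if ($DefaultFileTypeRisk -eq 6152) {
        $findings += 'BROAD: file types with no explicit risk level default to low risk'
    }
    if ($findings.Count -eq 0) {
        $findings += 'OK: no executable type is blanket-trusted'
    }
    return $findings
}

# Live policy for the current user (values are absent when Not Configured).
$p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
Test-AttachmentPolicy -LowRiskFileTypes $p.LowRiskFileTypes `
                      -DefaultFileTypeRisk $p.DefaultFileTypeRisk

# Constructed sample values: the blanket policy next to a narrow one.
Test-AttachmentPolicy -LowRiskFileTypes '.exe;.bat' -DefaultFileTypeRisk $null
Test-AttachmentPolicy -LowRiskFileTypes '.log;.txt' -DefaultFileTypeRisk 6150
```

Run it as the account that launches the startup scripts, since these are User Configuration settings and apply per user.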

Personally I'm finding that well-informed administrators are a better judge of security than the default server settings...