
Set ‘Allow software to run or install even if the signature is invalid’ to ‘Disabled’

Details

Microsoft ActiveX controls and file downloads often have digital signatures attached that help certify the file’s integrity and the identity of the signer (creator) of the software. Such signatures help ensure that unmodified software is downloaded and that you can identify active signers to determine whether you trust them enough to run their software.

The ‘Allow software to run or install even if the signature is invalid’ setting allows you to manage whether downloaded software can be installed or run by users even though the signature is invalid. An invalid signature might indicate that someone has tampered with the file. If you enable this policy setting, users will be prompted to install or run files with an invalid signature. If you disable this policy setting, users cannot run or install files with an invalid signature.

Note: Some legitimate software and controls may have an invalid signature and still be OK. You should carefully test such software in isolation before you allow it to be used on your organization’s network.

The recommended state for this setting is: Disabled.

*Rationale*

Microsoft ActiveX controls and file downloads often have digital signatures attached that certify the file’s integrity and the identity of the signer (creator) of the software. Such signatures help ensure that unmodified software is downloaded and that you can positively identify the signer to determine whether you trust them enough to run their software. The validity of unsigned code cannot be ascertained.

Solution

To establish the recommended configuration via Group Policy, set the following UI path to Disabled.

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page\Allow software to run or install even if the signature is invalid
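
One way to audit this setting on a machine, as an added example that is not part of the original benchmark text. It assumes the policy is stored as the DWORD value RunInvalidSignatures under HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Download (the location used by the Internet Explorer administrative template; the page itself does not state it), and the function name is hypothetical.

```powershell
# Added example: audit 'Allow software to run or install even if the
# signature is invalid' on the local machine.
# Assumption: registry location and value name come from the Internet Explorer
# administrative template, not from this page. Verify against your ADMX files.
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Download'
$PolicyValue = 'RunInvalidSignatures'

function Get-InvalidSignaturePolicyState {
    param(
        [string]$Key  = $PolicyKey,
        [string]$Name = $PolicyValue
    )

    # A missing key or value means Group Policy never wrote the setting.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        $raw   = $null
        $state = 'NotConfigured'
    } else {
        $raw   = $item.$Name
        $state = switch ($raw) {
            0       { 'Disabled' }    # users cannot run or install such files
            1       { 'Enabled' }     # users are prompted and may proceed
            default { 'Unexpected' }  # anything else needs manual review
        }
    }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        State     = $state
        RawValue  = $raw
        # Only an explicit 'Disabled' counts as meeting the recommendation;
        # 'NotConfigured' relies on the default and is not enforced by policy.
        Compliant = ($state -eq 'Disabled')
    }
}

$result = Get-InvalidSignaturePolicyState
$result | Format-List

if (-not $result.Compliant) {
    Write-Warning "Policy state is '$($result.State)'; recommended state is Disabled."
}
```

Run it from an elevated or standard PowerShell session on the target machine; reading this key does not require administrative rights.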

Impact: Some legitimate software and controls may have an invalid signature. You should carefully test such software in isolation before it is allowed to be used on your organization’s network.

Default Value: Disabled

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection. This control applies to the following type of system: Windows.


Updated on July 16, 2022