1.1 Set 'Allow software to run or install even if the signature is invalid' to 'Disabled'

Information

*Description*

Microsoft ActiveX controls and file downloads often have digital signatures attached that
help certify the file's integrity and the identity of the signer (creator) of the software. Such
signatures help ensure that unmodified software is downloaded and that you can identify
active signers to determine whether you trust them enough to run their software.

The 'Allow software to run or install even if the signature is invalid' setting allows you to
manage whether downloaded software can be installed or run by users even though the
signature is invalid. An invalid signature might indicate that someone has tampered with
the file. If you enable this policy setting, users will be prompted to install or run files with
an invalid signature. If you disable this policy setting, users cannot run or install files with
an invalid signature.

Note: Some legitimate software and controls may have an invalid signature and still be OK.
You should carefully test such software in isolation before you allow it to be used on your
organization's network.

The recommended state for this setting is: Disabled.

*Rationale*

Microsoft ActiveX controls and file downloads often have digital signatures attached that
certify the file's integrity and the identity of the signer (creator) of the software. Such
signatures help ensure that unmodified software is downloaded and that you can positively
identify the signer to determine whether you trust them enough to run their software. The
validity of unsigned code cannot be ascertained.

Solution

To implement the recommended configuration state, set the following Group Policy setting
to Disabled.

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page\Allow software to run or install even if the signature is invalid
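
One way to confirm on an endpoint that the policy has taken effect (an added example, not part of the CIS benchmark or the audit file). The registry key and value name below are the ones the Internet Explorer administrative template uses for this policy; they are not stated on this page, so treat them as an assumption and confirm them against your own inetres.admx.

```powershell
# Added example: local audit of the Group Policy setting described above.
# Assumption (not from this page): the policy is stored as the DWORD value
# RunInvalidSignatures under the Internet Explorer "Download" policy key.
$PolicyKey = 'HKLM:\Software\Policies\Microsoft\Internet Explorer\Download'
$ValueName = 'RunInvalidSignatures'
$Expected  = 0   # 0 = policy set to Disabled (the recommended state)

function Test-InvalidSignaturePolicy {
    param(
        [string]$Key  = $PolicyKey,
        [string]$Name = $ValueName,
        [int]$Want    = $Expected
    )

    # A missing key or value means the policy is Not Configured. That is a
    # failure here: the recommendation is an explicit Disabled, not a default.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{
            Setting = $Name; Actual = 'Not Configured'; Expected = $Want; Result = 'FAIL'
        }
    }

    # Require a DWORD so that a string "0" written by hand does not pass.
    $kind   = (Get-Item -Path $Key).GetValueKind($Name)
    $actual = $item.$Name
    $ok     = ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord) -and ($actual -eq $Want)

    [pscustomobject]@{
        Setting  = $Name
        Actual   = "$actual ($kind)"
        Expected = $Want
        Result   = if ($ok) { 'PASS' } else { 'FAIL' }
    }
}

$check = Test-InvalidSignaturePolicy
$check | Format-List
if ($check.Result -ne 'PASS') { exit 1 }   # non-zero exit for use in scheduled compliance jobs
```

Run it in an elevated or standard PowerShell session after Group Policy has refreshed on the machine.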

Impact:

Some legitimate software and controls may have an invalid signature. You should carefully
test such software in isolation before it is allowed to be used on your organization's network.

See Also

https://workbench.cisecurity.org/files/1516

Item Details

Audit Name: CIS IE 9 v1.0.0

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-18(4)

Plugin: Windows

Control ID: ad6eb0c62745185e2302f78964e4a12dee1ab8cf27d56a529ef3830143305f7a