what will happen if i will disable this function from GPO (the file came from another computer and might be blocked to help protect this computer) Good afternoon,

Question

what will happen if i will disable this function from GPO (the file came from another computer and might be blocked to help protect this computer) Good afternoon,

beqa beridze 0

Good afternoon,

We are facing one problem about files. We are migrating from one fileserver to another and from now on, all users must have only read option on the new fileserver.

We are facing the problem on the new fileserver - users must unblock every single file from file properties.

We can solve this problem by removing the restriction from GPO, that blocks every file property which has received from untrusted source.

We are interested to know what is the risk of removing the restriction from GPO? What is your recommendation to solve this problem? Giving our users editing permission on fileserver is not considered.

Thank you in advance, I am looking forward to your reply.

Nehruji R 8,181 Reputation points Microsoft External Staff Moderator

2024-08-14T05:22:59.1633333+00:00

Hi, we hope the below answer helped if yes please accept the answer, else please let us know if you have any further queries.
Nehruji R 8,181 Reputation points Microsoft External Staff Moderator

2024-08-16T07:19:52.92+00:00

Hi, we hope the below answer helped if yes please accept the answer, else please let us know if you have any further queries.

1 answer

Your answer

Nehruji R 8,181 Reputation points Microsoft External Staff Moderator

2024-08-14T05:22:59.1633333+00:00

Hi, we hope the below answer helped if yes please accept the answer, else please let us know if you have any further queries.
Nehruji R 8,181 Reputation points Microsoft External Staff Moderator

2024-08-16T07:19:52.92+00:00

Hi, we hope the below answer helped if yes please accept the answer, else please let us know if you have any further queries.

Answer 1

Hello beqa beridze,

Greetings! Welcome to Microsoft Q&A Platform.

I understand that you are facing issues in users unblocking the files from file properties on the new file server is due to a "security feature in Windows" that shows files as "blocked" when they are downloaded from an untrusted source like Internet.

The risk of removing the restriction from GPO: Removing the restrictions from GPO leads to Security Vulnerabilities like a file from untrusted sources will no longer be marked as blocked it leads to risk and many contain malicious code or viruses, and anyone has easy to access the malicious files and it leads to data corruption.

Recommendation to solve removing the restriction from GPO problem:

Use only trusted location network where files are not blocked. Make sure that files migrated are coming from a trusted source. If the files are transferred internally, they are trusted files, you can pre-process these files to remove the "blocked" attribute before users access them.

Modify the GPO settings to be more confident about what from an "untrusted source". This can reduce the number of files that are blocked without entirely removing the protection. Use a script to unblock files in a bulk amount, PowerShell can be used to remove the "blocked" attribute from all files in a directory"Get-ChildItem "path_to_your_files" -Recurse | Unblock-File" To fine whether the files are trusted or not go to 'User Configuration' > 'Administrative Templates' > 'Windows Components' > 'Attachment Manager'.

Locations exist in the Azure portal under Azure Active Directory > Security > Conditional Access > Named locations. These named network locations may include locations like an organization's headquarters network ranges, VPN network ranges, or ranges that you wish to block. Named locations are defined by IPv4 and IPv6 address ranges or by countries/regions. Learn more here

If you enable Entra authentication for Azure file share, it supports identity-based authentication: https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-domain-services-enable?tabs=azure-portal

Here is the doc for your reference: https://learn.microsoft.com/en-us/windows-server/identity/software-restriction-policies/work-with-software-restriction-policies-rules

Similar thread for reference - https://learn.microsoft.com/en-us/answers/questions/1321876/we-wanted-to-add-azure-file-share-to-trusted-locat.

Hope this answer helps! please let us know if you have any further queries. I’m happy to assist you further.

Please "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

beqa beridze 0 Reputation points

2024-08-05T13:18:11.8733333+00:00

Hello,

unfortunately that doesn't fix all the problems that we're facing.

to broaden the picture, every file that will be received from foreign source (for example files from different companies, stores, GOV organizations) we'll be blocked and assigning IP range for each one of them isn't an effective solution.

so the specific question will be like this:

can we grant users "view" permission for a file that will be received from "untrusted source", without making them unblock it from file properties ?

if yes - how can we achieve the goal and what are the risks ?
Nehruji R 8,181 Reputation points Microsoft External Staff Moderator

2024-08-13T08:33:50.95+00:00

I understand that you are dealing with the Windows security feature that blocks files downloaded from the internet to protect your system. Yes, you can grant users “view” permission for files received from untrusted sources without requiring them to unblock the files from the file properties.

Trusted Locations:

Add the file server or network share as a trusted site in Internet Options.

Go to Control Panel > Internet Options > Security tab.

Select Trusted Sites and click on Sites.

Add the file server’s FQDN or IP address to the list of trusted sites.

Group Policy:

Use Group Policy to disable the feature that blocks files from untrusted sources.

Open Group Policy Editor (gpedit.msc).

Navigate to User Configuration > Administrative Templates > Windows Components > Attachment Manager.

Enable the policy Do not preserve zone information in file attachments.

Mitigation Strategies

Antivirus and Anti-Malware: Ensure robust antivirus and anti-malware solutions are in place and regularly updated.

Educate users about the risks of opening files from untrusted sources and how to identify suspicious files.

Conduct regular security audits to ensure compliance and identify potential vulnerabilities.

By carefully considering these methods and risks, you can make an informed decision on how to handle files from untrusted sources while maintaining security and compliance.

If the issue persists, it might require a deeper investigation. If you have a support plan, please raise a support ticket or else please let us know here. Apologies for any inconvenience with this issue.

Thanks for your patience and co-operation. If the answer helped, please accept the answer.

Please "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Share via

what will happen if i will disable this function from GPO (the file came from another computer and might be blocked to help protect this computer) Good afternoon,

1 answer

Your answer