4. How to Configure ActiveX Add-Ons
ActiveX is a technology that enables
powerful applications with rich user interfaces to run within a Web
browser. For that reason, many organizations have developed ActiveX
components as part of a Web application, and many attackers have
created ActiveX components to abuse the platform's capabilities.
Some examples of ActiveX controls include the following:
- A component that enables you to manage virtual computers from a Microsoft Virtual Server Web page
- A Microsoft Update component that scans your computer for missing updates
- Shockwave Flash, which many Web sites use to publish complex animations and games
- A component that attempts to install malware or change user settings without the user's knowledge
Earlier versions of Internet Explorer installed ActiveX
controls without prompting the users. This provided an excellent
experience for Web sites that used ActiveX controls because the user
was able to enjoy the control's features without manually choosing
to install it. However, malware developers soon abused this
capability by creating malicious ActiveX controls that installed
software on the user's computer or changed other settings, such as
the user's home page.
To enable you to use critical ActiveX controls while blocking
potentially dangerous ActiveX controls, Microsoft built strong
ActiveX management capabilities into Internet Explorer. The sections
that follow describe how to configure ActiveX on a single computer
and within an enterprise.
How to Configure ActiveX Opt-in
In Internet Explorer 8, ActiveX controls are not installed
by default. Instead, when users visit a Web page that includes an
ActiveX control, they see an information bar that informs them
that an ActiveX control is required. Users then have to click the
information bar and click Install ActiveX Control. If the users do
nothing, Internet Explorer does not install the ActiveX control.
Figure 2 shows the
Genuine Microsoft Software Web page, which requires users to
install an ActiveX control before their copy of Windows can be
validated as genuine.
After the user clicks Install This Add-on, the user needs to
respond to a UAC prompt for administrative credentials. Then the
user receives a second security warning from Internet Explorer. If
the user confirms this security warning, Internet Explorer
installs and runs the ActiveX control.
ActiveX Opt-in is enabled by default for the
Internet and Restricted Sites zones but disabled by default for
the Local Intranet and Trusted Sites zones. Therefore, any Web
sites on your local intranet should be able to install ActiveX
controls without prompting the user. To change the setting default
for a zone, perform these steps:
- Open Internet Explorer. Click the Tools button on the toolbar, and then click Internet Options.
- In the Internet Options dialog box, click the Security tab. Select the zone you want to edit, and then click the Custom Level button.
- Scroll down in the Settings list. Under ActiveX Controls And Plug-Ins, change the setting for the first option, which is Allow Previously Unused ActiveX Controls To Run Without Prompt. If this is disabled, ActiveX Opt-in is enabled. Click OK twice.
Tip
The name "ActiveX Opt-in" can be
confusing. Enabling ActiveX Opt-in causes Internet
Explorer not to install ActiveX controls by default, instead
requiring the user to explicitly choose to configure the
add-on.
ActiveX Opt-in applies to most ActiveX controls. However, it
does not apply for ActiveX controls on the preapproved list. The
preapproved list is maintained in the registry at
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved.
Within this key, there are several subkeys, each with a Class ID
(CLSID) of a preapproved ActiveX control. You can identify an
ActiveX control's CLSID by viewing the source of a Web page and
searching for the <object> tag. For
best results, try searching for "<object" in the source of a
Web page.
How to Configure ActiveX on a Single Computer
The previous section described how to configure ActiveX
Opt-in on a single computer. In addition to that setting, you can
configure several other per-zone settings related to ActiveX from
the Security Settings dialog box:
- Automatic Prompting For ActiveX Controls: This setting is disabled by default for all zones. If you choose to enable this setting, it bypasses the information bar and instead actively prompts the user to install the ActiveX control.
- Download Signed ActiveX Controls: The developer can sign ActiveX controls. Typically, signed ActiveX controls are more trustworthy than unsigned controls, but you shouldn't trust all signed ActiveX controls. By default, this setting is set to prompt the user. You can reduce the number of prompts the user receives by changing this setting to Enable.
- Download Unsigned ActiveX Controls: By default, unsigned ActiveX controls are disabled. If you must distribute an unsigned ActiveX control, add the site that requires the control to your Trusted Sites list and change this setting for the Trusted Sites zone to Prompt.
- Initialize And Script ActiveX Controls Not Marked As Safe For Scripting: This setting is disabled by default for all zones. You should enable it only if you experience a problem with a specific ActiveX control and the developer informs you that this setting is required. In that case, you should add the site to the Trusted Sites list and enable this control only for that zone.
- Run ActiveX Controls And Plug-Ins: This setting controls whether ActiveX controls will run, regardless of how other settings are defined. In other words, if this setting is disabled, users cannot run ActiveX controls, even using ActiveX Opt-in. This setting is enabled for all zones except for the Restricted Sites zone.
- Script ActiveX Controls Marked Safe For Scripting: Some ActiveX controls are marked safe for scripting by the developer. This setting is enabled for all zones except for the Restricted Sites zone. Typically, you should leave this at the default setting. Because the developer chooses whether the control is marked safe for scripting, this marking does not indicate that the ActiveX control is more trustworthy than any other control.
How to Manage ActiveX Add-Ons on a Single Computer
To configure ActiveX on a single computer, follow these steps:
- Open Internet Explorer.
- Click the Tools button on the toolbar, click Manage Add-Ons, and then click Enable Or Disable Add-Ons. The Manage Add-Ons dialog box appears.
- Click the Show list, and then click Downloaded ActiveX Controls.
- Select the ActiveX control you want to manage, and then select either of the following. Click OK.
5. How to Configure ActiveX Installer Service
Some critical Web applications might require ActiveX controls
to run. This can be a challenge if your users lack administrative
credentials because UAC requires administrative credentials to
install ActiveX controls (although any user can access an ActiveX
control after it is installed).
Fortunately, you can use the ActiveX Installer Service to enable standard users to
install specific ActiveX controls. To configure the list of sites
approved to install ActiveX controls, perform these steps:
- Open the Group Policy Object (GPO) in the Group Policy Object Editor.
- Browse to Computer Configuration\Administrative Templates\Windows Components\ActiveX Installer Service.
- Double-click the Approved Installation Sites For ActiveX Controls setting. Enable it.
- Click Show to specify host Uniform Resource Locators (URLs) that are allowed to distribute ActiveX controls. In the Show Contents dialog box, click Add and configure the host URLs as follows:
  - Configure each item name as the host name of the Web site from which clients will download the updated ActiveX controls, such as http://activex.microsoft.com.
  - Configure each value name using four numbers separated by commas (such as "2,1,0,0"). These values are described later in this section.
- Click OK to save the setting for the new policy.
When you configure the list of approved installation sites for
ActiveX Controls, you configure a name and value pair for each site.
The name will always be the URL of the site hosting the ActiveX
control, such as http://activex.microsoft.com.
The value consists of four numbers:
- Trusted ActiveX Controls: Define the first number as 0 to block trusted ActiveX controls from being installed, as 1 to prompt the user to install trusted ActiveX controls, or as 2 to install trusted ActiveX controls automatically, without prompting the user.
- Signed ActiveX Controls: Define the second number as 0 to block signed ActiveX controls from being installed, as 1 to prompt the user to install signed ActiveX controls, or as 2 to install signed ActiveX controls automatically, without prompting the user.
- Unsigned ActiveX Controls: Define the third number as 0 to block unsigned ActiveX controls from being installed or define this number as 1 to prompt the user to install unsigned ActiveX controls. You cannot configure unsigned ActiveX controls to be installed automatically.
- Server Certificate Policy: Set this value to 0 to cause the ActiveX Installer Service to abort installation if there are any certificate errors. Alternatively, you can set it to 256 to ignore an unknown CA, 512 to ignore invalid certificate usage, 4096 to ignore an unknown common name in the certificate, or 8192 to ignore an expired certificate. Add these numbers to ignore multiple types of certificate errors.
For example, the numbers 2,1,0,0 would cause the ActiveX Installer Service to silently install trusted
ActiveX controls, prompt the user for signed controls, never install
unsigned controls, and abort installation if any Hypertext Transfer
Protocol Secure (HTTPS) certificate error occurs.
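The following is an added example (not code from the book or from Microsoft) that parses the "trusted,signed,unsigned,certpolicy" value format described above, rejects combinations the section says are not allowed (an unsigned field of 2, or certificate-policy bits other than 256, 512, 4096 and 8192), and audits a list of entries for the two settings a reviewer would want to see flagged: prompting for unsigned controls and ignoring certificate errors. The host names in SAMPLE_SITES are constructed for the example.

```python
from collections import namedtuple

# Meaning of the first three numbers (0/1/2) and of the certificate-policy bits.
INSTALL_ACTIONS = {0: "block", 1: "prompt", 2: "install silently"}
CERT_FLAGS = {
    256: "ignore unknown CA",
    512: "ignore invalid certificate usage",
    4096: "ignore unknown common name",
    8192: "ignore expired certificate",
}
SitePolicy = namedtuple("SitePolicy", "host trusted signed unsigned cert_policy")

def parse_site_policy(host: str, value: str) -> SitePolicy:
    """Parse a 'trusted,signed,unsigned,certpolicy' value, rejecting invalid combinations."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"{host}: expected four comma-separated numbers, got {value!r}")
    trusted, signed, unsigned, cert = (int(p) for p in parts)
    if trusted not in INSTALL_ACTIONS or signed not in INSTALL_ACTIONS:
        raise ValueError(f"{host}: trusted/signed fields must be 0, 1 or 2")
    if unsigned not in (0, 1):  # unsigned controls can never be installed silently
        raise ValueError(f"{host}: unsigned field must be 0 or 1")
    if cert & ~sum(CERT_FLAGS):  # only the documented bits (256, 512, 4096, 8192) may be set
        raise ValueError(f"{host}: unknown certificate-policy bits in {cert}")
    return SitePolicy(host, trusted, signed, unsigned, cert)

def ignored_cert_errors(policy: SitePolicy) -> list:
    """Expand the certificate-policy sum into the individual errors it ignores."""
    return [name for bit, name in CERT_FLAGS.items() if policy.cert_policy & bit]

def audit(entries: dict) -> list:
    """Flag entries that prompt for unsigned controls or ignore HTTPS certificate errors."""
    warnings = []
    for host, value in entries.items():
        p = parse_site_policy(host, value)
        if p.unsigned == 1:
            warnings.append(f"{host}: prompts to install unsigned controls")
        if p.cert_policy:
            warnings.append(f"{host}: ignores {', '.join(ignored_cert_errors(p))}")
    return warnings

# Constructed sample list (hypothetical hosts): the section's 2,1,0,0 value plus a weak one.
SAMPLE_SITES = {
    "https://activex.example.com": "2,1,0,0",
    "http://intranet.example.local": "2,2,1,8448",  # 8448 = 256 + 8192
}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_SITES)))
```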
When a user attempts to install an ActiveX control that has
not been approved, the ActiveX Installer Service creates an event in the
Application Log with an Event ID of 4097 and a source of
AxInstallService.