Windows 7 : Configuring and Troubleshooting Internet Explorer Security - Internet Explorer Add-Ons (part 2) - How to Configure ActiveX Add-Ons

4. How to Configure ActiveX Add-Ons

ActiveX is a technology that enables powerful applications with rich user interfaces to run within a Web browser. For that reason, many organizations have developed ActiveX components as part of a Web application, and many attackers have created ActiveX components to abuse the platform's capabilities. Some examples of ActiveX controls include the following:

• A component that enables you to manage virtual computers from a Microsoft Virtual Server Web page

• A Microsoft Update component that scans your computer for missing updates

• Shockwave Flash, which many Web sites use to publish complex animations and games

• A component that attempts to install malware or change user settings without the user's knowledge

Earlier versions of Internet Explorer installed ActiveX controls without prompting the users. This provided an excellent experience for Web sites that used ActiveX controls because the user was able to enjoy the control's features without manually choosing to install it. However, malware developers soon abused this capability by creating malicious ActiveX controls that installed software on the user's computer or changed other settings, such as the user's home page.

To enable you to use critical ActiveX controls while blocking potentially dangerous ActiveX controls, Microsoft built strong ActiveX management capabilities into Internet Explorer. The sections that follow describe how to configure ActiveX on a single computer and within an enterprise.

How to Configure ActiveX Opt-in

In Internet Explorer 8, ActiveX controls are not installed by default. Instead, when users visit a Web page that includes an ActiveX control, they see an information bar that informs them that an ActiveX control is required. Users then have to click the information bar and click Install ActiveX Control. If the users do nothing, Internet Explorer does not install the ActiveX control. Figure 2 shows the Genuine Microsoft Software Web page, which requires users to install an ActiveX control before their copy of Windows can be validated as genuine.

Figure 2. The Genuine Microsoft Software page

After the user clicks Install This Add-on, the user needs to respond to a UAC prompt for administrative credentials. Then the user receives a second security warning from Internet Explorer. If the user confirms this security warning, Internet Explorer installs and runs the ActiveX control.

ActiveX Opt-in is enabled by default for the Internet and Restricted Sites zones but disabled by default for the Local Intranet and Trusted Sites zones. Therefore, any Web sites on your local intranet should be able to install ActiveX controls without prompting the user. To change the setting default for a zone, perform these steps:

1. Open Internet Explorer. Click the Tools button on the toolbar, and then click Internet Options.

2. In the Internet Options dialog box, click the Security tab. Select the zone you want to edit, and then click the Custom Level button.

3. Scroll down in the Settings list. Under ActiveX Controls And Plug-Ins, change the setting for the first option, which is Allow Previously Unused ActiveX Controls To Run Without Prompt. If this is disabled, ActiveX Opt-in is enabled. Click OK twice.

Tip

The name "ActiveX Opt-in" can be confusing. Enabling ActiveX Opt-in causes Internet Explorer not to install ActiveX controls by default, instead requiring the user to explicitly choose to configure the add-on.

ActiveX Opt-in applies to most ActiveX controls. However, it does not apply for ActiveX controls on the preapproved list. The preapproved list is maintained in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved. Within this key, there are several subkeys, each with a Class ID (CLSID) of a preapproved ActiveX control. You can identify an ActiveX control's CLSID by viewing the source of a Web page and searching for the <object> tag. For best results, try searching for "<object" in the source of a Web page.

How to Configure ActiveX on a Single Computer

The previous section described how to configure ActiveX Opt-in on a single computer. In addition to that setting, you can configure several other per-zone settings related to ActiveX from the Security Settings dialog box:

• Automatic Prompting For ActiveX Controls This setting is disabled by default for all zones. If you choose to enable this setting, it bypasses the information bar and instead actively prompts the user to install the ActiveX control.

• Download Signed ActiveX Controls The developer can sign ActiveX controls. Typically, signed ActiveX controls are more trustworthy than unsigned controls, but you shouldn't trust all signed ActiveX controls. By default, this setting is set to prompt the user. You can reduce the number of prompts the user receives by changing this setting to Enable.

• Download Unsigned ActiveX Controls By default, unsigned ActiveX controls are disabled. If you must distribute an unsigned ActiveX control, add the site that requires the control to your Trusted Sites list and change this setting for the Trusted Sites zone to Prompt.

• Initialize And Script ActiveX Controls Not Marked As Safe For Scripting This setting is disabled by default for all zones. You should enable it only if you experience a problem with a specific ActiveX control and the developer informs you that this setting is required. In that case, you should add the site to the Trusted Sites list and enable this control only for that zone.

• Run ActiveX Controls And Plug-Ins This setting controls whether ActiveX controls will run, regardless of how other settings are defined. In other words, if this setting is disabled, users cannot run ActiveX controls, even using ActiveX Opt-in. This setting is enabled for all zones except for the Restricted Sites zone.

• Script ActiveX Controls Marked Safe For Scripting Some ActiveX controls are marked safe for scripting by the developer. This setting is enabled for all zones except for the Restricted Sites zone. Typically, you should leave this at the default setting. Because the developer chooses whether the control is marked safe for scripting, this marking does not indicate that the ActiveX control is more trustworthy than any other control.

How to Manage ActiveX Add-Ons on a Single Computer

To configure ActiveX on a single computer, follow these steps:

1. Open Internet Explorer.

2. Click the Tools button on the toolbar, click Manage Add-Ons, and then click Enable Or Disable Add-Ons.

   The Manage Add-Ons dialog box appears.

3. Click the Show list, and then click Downloaded ActiveX Controls.

4. Select the ActiveX control you want to manage, and then select either of the following. Click OK.

   • Disable to disable the ActiveX control.

   • Delete to remove the ActiveX control.

5. How to Configure ActiveX Installer Service

Some critical Web applications might require ActiveX controls to run. This can be a challenge if your users lack administrative credentials because UAC requires administrative credentials to install ActiveX controls (although any user can access an ActiveX control after it is installed).

Fortunately, you can use the ActiveX Installer Service to enable standard users to install specific ActiveX controls. To configure the list of sites approved to install ActiveX controls, perform these steps:

1. Open the Group Policy Object (GPO) in the Group Policy Object Editor.

2. Browse to Computer Configuration\Administrative Templates\Windows Components\ActiveX Installer Service.

3. Double-click the Approved Installation Sites For ActiveX Controls setting. Enable it.

4. Click Show to specify host Uniform Resource Locators (URLs) that are allowed to distribute ActiveX controls. In the Show Contents dialog box, click Add and configure the host URLs as follows:

   • Configure each item name as the host name of the Web site from which clients will download the updated ActiveX controls, such as http://activex.microsoft.com.

   • Configure each value name using four numbers separated by commas (such as "2,1,0,0"). These values are described later in this section.

5. Click OK to save the setting for the new policy.

When you configure the list of approved installation sites for ActiveX Controls, you configure a name and value pair for each site. The name will always be the URL of the site hosting the ActiveX control, such as http://activex.microsoft.com. The value consists of four numbers:

• Trusted ActiveX Controls Define the first number as 0 to block trusted ActiveX controls from being installed, as 1 to prompt the user to install trusted ActiveX controls, or as 2 to install trusted ActiveX controls automatically, without prompting the user.

• Signed ActiveX Controls Define the second number as 0 to block signed ActiveX controls from being installed, as 1 to prompt the user to install signed ActiveX controls, or as 2 to install signed ActiveX controls automatically, without prompting the user.

• Unsigned ActiveX Controls Define the third number as 0 to block unsigned ActiveX controls from being installed or define this number as 1 to prompt the user to install unsigned ActiveX controls. You cannot configure unsigned ActiveX controls to be installed automatically.

• Server Certificate Policy Set this value to 0 to cause the ActiveX Installer Service to abort installation if there are any certificate errors. Alternatively, you can set it to 256 to ignore an unknown CA, 512 to ignore invalid certificate usage, 4096 to ignore an unknown common name in the certificate, or 8192 to ignore an expired certificate. Add these numbers to ignore multiple types of certificate errors.

For example, the numbers 2,1,0,0 would cause the ActiveX Installer Service to silently install trusted ActiveX controls, prompt the user for signed controls, never install unsigned controls, and abort installation if any Hypertext Transfer Protocol Secure (HTTPS) certificate error occurs.

When a user attempts to install an ActiveX control that has not been approved, the ActiveX Installer Service creates an event in the Application Log with an Event ID of 4097 and a source of AxInstallService.

How Internet Explorer Works in 64-bit Versions of Windows 7

Because it provides a wider data bus, allowing many times greater scalability, 64-bit computing is the future. Right now, however, most users run 32-bit versions of Windows.

Unfortunately, although 64-bit versions of Windows are fundamentally superior, they do have some compatibility problems in the real world. In particular, 64-bit versions of Internet Explorer can't use 32-bit components (such as ActiveX controls, which might provide critical functionality for many Web sites). Although 64-bit components are becoming more common, some critical components still aren't available for 64-bit.

For that reason, the 32-bit version of Internet Explorer is the default even in 64-bit versions of Windows. If a user instead chooses to use the 64-bit version of Internet Explorer (there's a shortcut for it on the Start menu), test any problematic Web pages in the 32-bit version of Internet Explorer before doing any troubleshooting.