ActiveX is a major source of security headaches in Microsoft Internet Explorer. Although IT professionals might wish to disable ActiveX altogether, that simply isn't an option for many users, so we need to know how to tweak various settings and permissions for the different security zones in IE. Fortunately, there are a variety of customization options available in IE 6 that can help an administrator improve security, especially with Service Pack 2 for Windows XP installed. However, not many administrators are educated about these options and there is minimal documentation available, so these security best practices for ActiveX and browser add-ons are not widely used.
Managing Add-ons
New in IE 6 for Windows XP SP2 is the Add-on Manager screen. Just what are add-ons? Those are the Browser Helper Objects (BHOs), ActiveX controls, toolbars, and browser extensions that enhance the way Internet Explorer displays Web sites or provides additional functionality to the browser. Some are pre-installed when the operating system is loaded; others are installed by users, or downloaded as users visit certain Web sites.
How can you manage add-ons? Administrators can enable/disable or block users from downloading new add-ons. However, by default, users can change these settings themselves unless they are prevented from doing so by Group Policy or another desktop lockdown tool.
To access add-ons, open Internet Explorer and go to Tools | Manage Add-ons to see all the active Browser Helper Objects as well as any other add-ons that IE has used previously and which are still stored on the computer.
Select any object by name and you can either Enable it if you need it or Disable it if it repeatedly causes problems. You can also update most ActiveX add-ons from this screen by clicking on the Update ActiveX button after selecting the add-on.
Some add-ons are "signed" but come from untrusted sources. The Add-on Manager will normally block those and you need to open the Add-on Manager to unblock any that you need. Beware that doing so automatically moves everything from that publisher to the trusted list. It doesn’t enable only the single add-on you specify. In XP SP2 these blocked add-ons are what show up in the Browser Information Bar to notify you that a site feature is disabled and needs to be authorized if you want to use it.
One important thing to remember is that, even though you have disabled an add-on in the Add-ons Manager, it only applies to the IE browser. Other applications may still activate and use the Add-on because it is still on the system, just disabled at the moment. You need to delete it completely if you don’t trust it and don't want any other applications to use it.
One exception to note is that any ActiveX control that is already "blocked by its compatibility flag" will be disabled in every case, without regard to any changes in the Add-on Manager settings.
ActiveX controls in IE 6
Battling with ActiveX controls is obviously not new to the XP SP2 upgrade of IE 6, but a lot of people who complain about the dangers of ActiveX code don’t seem to realize that there are options for securing ActiveX.
In addition to the changes you can make in the Add-on Manager in XP SP2, you can fine-tune how Internet Explorer treats any ActiveX controls. One of the main security concerns with ActiveX is that an attacker will compromise an ActiveX control and use it to gain elevated privileges and do damage on the local machine. An administrator can fight against this by locking down the "Local intranet" privileges in IE. Go to Tools | Internet Options | Security, which takes you to the Web content zones (Internet, Local intranet, Trusted sites, and Restricted sites). Click on Local intranet and then click the Sites button. Here, you can choose to enable or disable:
- all local (intranet) sites not listed in other zones
- all sites that bypass the proxy server
- all network paths (UNCs)
Click on the Advanced button and you can add or remove specific sites in the Local intranet zone.
Author's note
Under XP SP2 the Local intranet zone receives additional protection intended to keep attackers from using the Local settings to elevate privileges and attack the system. On earlier systems the local file system was presumed to be secure, but now the Local machine zone is further locked down by default (all three of the above options are enabled by default). Also, any apparent violation is now supposed to trigger the Browser Information Bar (in XP SP2) to ask permission to continue.
You can also highlight Internet, Trusted sites, or Restricted sites and then click on the Sites button to fine-tune which sites are affected in those zones.
For all four zones you can click on the Custom Level button to bring up the Security Settings screen that offers the same ActiveX options for all four zones:
ActiveX controls and plug-ins
Automatic prompting for ActiveX controls
- Disable
- Enable
Binary and script behaviors
- Administrator approved
- Disable
- Enable
Download signed ActiveX controls
- Disable
- Enable
- Prompt
Download unsigned ActiveX controls
- Disable
- Enable
- Prompt
Initialize and script ActiveX controls not marked as safe
- Disable
- Enable
- Prompt
Run ActiveX controls and plug-ins
- Administrator approved
- Disable
- Enable
- Prompt
Script ActiveX controls marked safe for scripting
- Disable
- Enable
- Prompt
Each zone has its own default settings for these options but you can also change any individual setting to customize how ActiveX code is dealt with in each situation.
Crash detection
There is also a new browser crash detection feature in XP SP2 that attempts to show which add-on is causing problems. This feature can greatly improve troubleshooting. The crash detection tool is enabled by default in XP SP2 and you probably want to leave it enabled since it shouldn’t even be noticed unless the browser crashes. If you do set NoCrashDetection, the operating system will treat browser crashes in the pre-SP2 manner (i.e., invoke the standard Windows Error Reporting tool).
If you experience problems with this new tool and need to disable or re-enable crash detection, it is done with the NoCrashDetection value in either of the following Registry keys:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions
For details on how to enable or disable the entire Add-on Manager and/or the new crash detection features, see this Microsoft TechNet article.
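The following PowerShell audit script is an added example, not code from the original article. It reads the per-zone Custom Level ActiveX settings listed above from the registry and reports any that are set to Enable, then checks both Restrictions keys named above for NoCrashDetection. The numeric action IDs and stored values follow Microsoft's documented zone registry layout (KB 182569); the article names the settings but not those numbers.

```powershell
# Added example: audit IE zone ActiveX settings and the NoCrashDetection policy value.
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

# Setting name (as shown in the Custom Level dialog) -> registry action ID (KB 182569)
$actions = [ordered]@{
    'Automatic prompting for ActiveX controls'                  = '2201'
    'Binary and script behaviors'                               = '2000'
    'Download signed ActiveX controls'                          = '1001'
    'Download unsigned ActiveX controls'                        = '1004'
    'Initialize and script ActiveX controls not marked as safe' = '1201'
    'Run ActiveX controls and plug-ins'                         = '1200'
    'Script ActiveX controls marked safe for scripting'         = '1405'
}
# Stored DWORD -> label shown in the dialog (0x10000 = Administrator approved)
$labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable'; 65536 = 'Administrator approved' }

function Get-IeActiveXAudit {
    param([string]$Hive = 'HKCU')   # use 'HKLM' when Security_HKLM_only is in effect
    foreach ($zoneId in 0..4) {
        $key = "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zoneId"
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $actions.Keys) {
            $id  = $actions[$name]
            $raw = $props.PSObject.Properties[$id].Value
            if ($null -eq $raw) { continue }   # not stored here: IE uses the zone default
            $label = if ($labels.ContainsKey([int]$raw)) { $labels[[int]$raw] } else { "unknown ($raw)" }
            # Enable on unsigned download or unsafe-init outside Trusted sites deserves a second look
            $risky = ([int]$raw -eq 0) -and ($zoneId -ne 2) -and ('1004','1201' -contains $id)
            [pscustomobject]@{ Zone = $zoneNames[$zoneId]; Setting = $name; Value = $label; Risky = $risky }
        }
    }
}

function Get-IeCrashDetectionPolicy {
    # HKLM policy normally takes precedence over HKCU, so report both keys
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Policies\Microsoft\Internet Explorer\Restrictions"
        $val = (Get-ItemProperty -Path $key -Name NoCrashDetection -ErrorAction SilentlyContinue).NoCrashDetection
        $state = if ($null -eq $val) { 'not set (crash detection on)' } else { $val }
        [pscustomobject]@{ Hive = $hive; NoCrashDetection = $state }
    }
}

Get-IeActiveXAudit | Sort-Object Zone, Setting | Format-Table -AutoSize
Get-IeCrashDetectionPolicy | Format-Table -AutoSize
```

Rows flagged Risky are the ones to compare against your Group Policy baseline; a zone that returns no rows simply has no per-user overrides and is running IE's defaults.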
End sum
With the options that we've listed, you can fine-tune a variety of settings in order to get granular control over ActiveX and browser add-ons. This will allow you to get all your essential sites working while blocking any dangerous ActiveX controls.