Tech Tip: Restrict ActiveX controls/Set up a Dfs root

Windows 2000 Professional: Restrict ActiveX controls

ActiveX controls extend the functionality of Internet Explorer, but they can also pose significant security risks. An ActiveX control could potentially access sensitive data, delete files, or cause other damage.

You can use Windows 2000 group policy to restrict ActiveX controls on a user's computer to a specific set of administrator-approved controls. By doing so, you let users continue using certain controls while restricting all others.

You can configure ActiveX group policy either at the local computer or at a higher level, such as an organizational unit or domain. To configure approved controls at the local level, open the MMC, and add the Group Policy snap-in focused on the local computer. Browse to the User Configuration\Administrative Templates\Windows Components\Internet Explorer\Administrator Approved Controls policy.

You'll find several policies that control specific ActiveX controls. Double-click a policy, and click Enabled to allow the use of that ActiveX control. To prevent its use, choose Disabled. Repeat the process for other controls as needed to allow or deny them based on your user and security requirements.

Windows 2000 Server: Set up a Dfs root

Windows 2000 Server includes the Distributed File System (Dfs) feature, which enables you to build a homogenous file system from disparate volumes and servers. This file system appears under a single namespace. To users, it appears as a single file system. However, the folders and files that make up the file system might actually reside on several different servers.

Windows 2000 Server supports a single Dfs root per server. Adding a Dfs root to a server is easy. Follow these steps:

  1. Navigate to the Administrative Tools folder, and open the Distributed File System console.
  2. Right-click the Distributed File System branch in the console, and choose New Dfs Root, which will start the New Dfs Root Wizard.
  3. Click Next, and then choose a stand-alone root or a domain root. (Stand-alone roots don't integrate with Active Directory or support automatic file replication, but domain roots support both.)
  4. Follow the wizard's prompts, and specify the domain name (for a domain-based root), the server name, and the share to use for the Dfs root. You can choose an existing share or create a new share.

After you create the root, you need to add Dfs links to the root. These links specify the folders that appear under the root, and they can specify folders on the local server, remote servers, or even client workstations.

To add the links, right-click the newly created root in the Dfs console, and choose New Dfs Link. In the resulting dialog box, enter a name for the link, the share to which it points, an optional comment, and the amount of time that clients will cache the link referral. Enter your settings, and click OK. Repeat the process to add other links as needed.

Editor's Picks