Tech Tip: Properly control ActiveX security

By Mike Mullins

ActiveX is a Microsoft-designed mechanism that allows Web browsers and e-mail programs, such as Outlook, to download and execute programs from the Internet. These programs, known as ActiveX controls, execute as native applications and have full access and rights to everything on the machine within the permissions of the user executing the code.

Most ActiveX controls and plug-ins are attached to Web links or HTML-formatted e-mail messages. While these controls provide benefits to the user, they also can contain vulnerabilities and are potentially dangerous. Whatever damages your current account can do to your machine and network, you've extended to someone you don't know or trust.

To find out what ActiveX controls are currently loaded on your machine, follow these steps:

  1. Open Internet Explorer, and go to Tools | Internet Options.
  2. On the General tab, click Settings.
  3. Select View Objects.

If you're unsure about where you picked up a particular control, double-click it and look at the URL to the right of the CodeBase field. You may recognize some of the controls by their name or by the link from where they were installed. Once controls are installed, they're available to every user who logs on to the machine.

Signed controls

With the proper security settings, you can specify that only signed ActiveX controls are loaded. This might lead you to believe that signed controls are safe to execute, but that's not always the case. Safe controls can come from unsigned sources, and unsafe controls can come from signed sources.

Once a signed control is installed, nothing can stop a hacker from using a vulnerability within a control to install a Trojan or virus to ruin the security from behind your fortress wall. Imagine the damage that can result from a hacker's program running on a trusted machine with the rights and privileges of an authenticated user.

User functionality

It's easy to disable the downloading and execution of all ActiveX controls within the security settings of Internet Explorer. However, this defeats their true purpose and usefulness, which is to increase user functionality.

If there's a secure way to provide users with increased functionality, give them the tools they need by using a protected approach. Decide which controls are safe for executing; then, mark them as Administrator Approved through the use of the Internet Explorer Administration Kit (IEAK), or control their behavior through a group policy object (GPO).

Final thoughts

The lack of reported ActiveX hacking attempts shouldn't lead you to complacency. There are many critics that emphasize the security issues of ActiveX, and even Microsoft admits that ActiveX controls are vulnerable to attack. Don't wait until after you've read about a vulnerability to do something about it.

ActiveX is a key component to most of the enhancement features that your users either want or need to run on their workstations. Disable ActiveX completely on your server, but properly control ActiveX through the IEAK or a GPO to give your users functionality and workstation security.

Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a Network Security Administrator for the Defense Information Systems Agency.

Editor's Picks

Free Newsletters, In your Inbox