ActiveX Installer Service


ActiveX was introduced with IE many years ago to allow developers to include active content in a web page. It was a competitor to Netscape's plug-in technology and eventually won that battle. One battle ActiveX never quite managed to win, even though it was, by and large, the only competitor until things such as Shockwave and Flash (which were actually implemented as ActiveX objects) showed up, was security. The thought of web pages provisioning content to be run unfettered on a user's computer made just about everyone nervous, and in order to install the controls, users had to be administrators. There is no way to install controls per user.

In Windows XP, and particularly in SP2, some additional security controls were introduced for ActiveX controls, and these have been expanded in Windows Vista.

The ActiveX Installer Service is nominally a part of UAC (see Chapter 4). This is quite logical if one considers that one of the primary benefits it provides is that users no longer need to be administrators to install ActiveX controls. To use the ActiveX Installer Service, an administrator first enables the service, which is included on the Business, Enterprise, and Ultimate SKUs of Windows Vista. After that you would use the Group Policy Administrative Template, under Computer Configuration:Administrative Templates:Windows Components:ActiveX Installer Service, to configure which hosts users can install controls from.

To configure the ActiveX Installer Service you need the exact host URL where the ActiveX control is hosted. If you do not know it, you can find it by taking the following steps while logged on as a standard user on a computer where the ActiveX Installer Service optional feature has been installed:

  1. Open a web browser.

  2. Navigate to a page that tries to install the control you want.

  3. Click the yellow ribbon to install the ActiveX control.

  4. Cancel the UAC elevation prompt.

  5. Open the Application Event Log and search for event ID 4097 from the ActiveX Installer Service.

  6. The event data includes the URL that the control came from.

Perhaps the best way to use the ActiveX Installer Service is to capture a set of controls that your users are trying to install on their computers. You can then use this list to develop a list of your own controls that you want them to install without elevation.

Unfortunately, documentation on the ActiveX Installer Service is extremely terse at the moment, and the configuration of the GPO is obscure to say the least. There are some articles, including one in TechNet Magazine, that mention it (http://www.microsoft.com/technet/technetmag/issues/2006/11/UAC/default.aspx). However, in aggregate they make it seem as if you simply enable the policy with a single click. To really make use of this feature you need to understand the relatively obtuse configuration interface. It consists of a name/value pair, where all the values have defaults. The name is the URL of the host from which you wish to allow your users to install ActiveX controls. The value is a comma-separated list of four values:

  • Installation behavior for controls signed with a cert chaining to a root cert in the Trusted Publishers store. Default value is 2.

  • Installation behavior for controls signed with an untrusted cert. Default value is 1.

  • Installation behavior for unsigned controls. Default value is 0.

  • Policy for how to handle HTTPS validation of the download site, if it uses HTTPS. Default value is 0.

To configure the ActiveX Installer Service to allow users to install the Adobe Flash Player and to verify the certificate on the site, you would create a setting in Group Policy as shown in Figure 6-4.

Figure 6-4: The ActiveX Installer Service configured to allow you to install the Adobe Flash Player

The first three values in the comma-separated value list can take on a value of 0, 1, or 2. 0 means "fail the installation." 1 means "prompt the user and install if the user decides to do so." 2 means "succeed." The final value can take a bitmask to control how to validate certificates for an HTTPS download. If you leave it at 0, which is the default, all validation will take place. You can configure it to ignore some components of the validation, but it is highly recommended that you do not do so. Unfortunately, many vendors, such as Adobe, as shown in Figure 6-4, do not provide an HTTPS download link for their ActiveX controls. For that reason, we highly recommend organizations host controls internally on trusted servers and only allow installation from there.

With the settings made, as in Figure 6-4, a standard user can go to any Web site that installs the control from the approved sites and install it without needing administrative credentials. Instead of an elevation prompt, the user gets a simple warning from the ActiveX Installer Service, as shown in Figure 6-5.

Figure 6-5: After the ActiveX Installer Service has been configured to allow installation, the user gets a simple installation dialog box.

It is worth noting here that the ActiveX Installer Service works for non-administrators only. Members of the Administrators group still require a UAC elevation to install ActiveX controls. The policy does not affect them.

As a final note, it is extremely important to remember that the ActiveX Installer Service does NO validation on the control itself. The only validation is that it is signed, and, if the site providing it supports it, that the connection uses HTTPS. For this reason we highly recommend that you either provision controls only from sites that can authenticate themselves using HTTPS, or only authorize controls signed with trusted certificates, or both. Your organization's own level of paranoia will decide which set of options you use, but configuring the ActiveX Installer Service with a "2,0,0,0" value combination seems perfectly reasonable.
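The value-list semantics described above (three installation-behavior fields taking 0, 1 or 2, plus an HTTPS validation bitmask that should stay at 0) and the "2,0,0,0" recommendation lend themselves to an audit script. The following is an added example, not code from the book: it parses approved-site entries in the GPO's name/value form and flags the settings this chapter warns against. The sample entries are constructed; on a real machine the same name/value pairs are assumed to live under HKLM\SOFTWARE\Policies\Microsoft\Windows\AxInstaller\ApprovedActiveXInstallSites (an assumption, not stated on this page).

```python
from urllib.parse import urlsplit

# Installation behaviour codes shared by the first three fields.
FAIL, PROMPT, SUCCEED = 0, 1, 2
FIELDS = ("trusted_signed", "untrusted_signed", "unsigned", "https_flags")
DEFAULTS = (2, 1, 0, 0)  # documented defaults when a field is omitted


def parse_policy_value(value: str) -> dict:
    """Parse one 'a,b,c,d' policy string; out-of-range fields raise ValueError."""
    parts = [p.strip() for p in value.split(",")] if value.strip() else []
    if len(parts) > 4:
        raise ValueError(f"too many fields in {value!r}")
    parts += [""] * (4 - len(parts))
    nums = [int(p) if p else d for p, d in zip(parts, DEFAULTS)]
    for name, n in zip(FIELDS[:3], nums[:3]):
        if n not in (FAIL, PROMPT, SUCCEED):
            raise ValueError(f"{name} must be 0, 1 or 2, got {n}")
    if nums[3] < 0:
        raise ValueError("https_flags must be a non-negative bitmask")
    return dict(zip(FIELDS, nums))


def audit_entry(host_url: str, value: str) -> list:
    """Findings for one entry; an empty list means it matches the 2,0,0,0
    recommendation and the host can authenticate itself over HTTPS."""
    cfg = parse_policy_value(value)
    findings = []
    if cfg["unsigned"] != FAIL:
        findings.append("unsigned controls allowed")
    if cfg["untrusted_signed"] != FAIL:
        findings.append("controls signed by untrusted publishers allowed")
    if cfg["https_flags"] != 0:
        findings.append("some HTTPS certificate validation is skipped")
    if urlsplit(host_url).scheme.lower() != "https":
        findings.append("host is not HTTPS; download cannot be authenticated")
    return findings


def audit_policy(entries: dict) -> dict:
    return {url: audit_entry(url, val) for url, val in entries.items()}


# Constructed sample entries in the name/value form the GPO uses.
SAMPLE_ENTRIES = {
    "https://controls.corp.example": "2,0,0,0",
    "http://download.vendor.example": "2,1,0,0",
    "https://legacy.corp.example": "2,2,1,256",
}

if __name__ == "__main__":
    for url, findings in audit_policy(SAMPLE_ENTRIES).items():
        print(url, "->", "; ".join(findings) or "OK")
```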



Windows Vista Security. Securing Vista Against Malicious Attacks
ISBN: 470101555
EAN: N/A
Year: 2004
Pages: 163
