Enterprise Management of ActiveX Controls using ActiveX Installer Service

The ActiveX Installer Service (AXIS) is a Windows technology that enables standard users in the enterprise to install ActiveX controls. It consists of a Windows service, a Group Policy administrative template, and a few changes in Internet Explorer behavior.

Many organizations must install ActiveX controls on their desktops in order to ensure that a variety of programs that they must use on a daily basis will work properly. However, most ActiveX controls must be installed by a member of the Administrators group, and many organizations have configured or want to configure their users to run as standard users, which are non-administrative users that are members of the Users group. As a result, organizations often have to repackage and deploy the ActiveX controls to the users. In addition, many of these ActiveX controls must be regularly updated. Many organizations find this to be difficult and costly to manage for standard users.

With Windows 7/8 the ActiveX Installer Service is a native OS service and you can easily deploy and update ActiveX controls to your standard user environments. The ActiveX Installer Service enables you to leverage Group Policy to define and manage approved host URLs that standard users can use to install ActiveX controls in a locked-down environment. For more information about AXIS, see: https://technet.microsoft.com/en-us/library/cc721964.aspx.

Here is how the ActiveX Installer Service works:

  1. Define a list of explicitly approved host URLs
  2. AxIS checks the Group Policy Object (GPO) to see whether the URL is approved
  3. Internet Explorer asks AxIS to install the ActiveX
  4. No admin credentials required for install if approved
  5. If not approved, administrator credentials required for install
  6. Only installs ActiveX controls with a .cab, .dll, or .ocx file extension

AxInstallerService in Windows allows the corporate administrator to manage ActiveX controls while maintaining a strong security posture, by having users run as standard user with default file system settings. AXIS provides Group Policy options to configure trusted sources of ActiveX controls and a broker process to install controls from those trusted sources on behalf of standard users. The key benefit is that you can maintain a non-administrative security posture on user workstations along with centralized administrative control. AXIS relies on the IT administrator to identify trusted sources (typically Internet or intranet URLs) of ActiveX controls.

When an object tag directs Internet Explorer to invoke a control, AXIS takes the following steps:

  1. Checks that the control is installed. If not, it must be installed prior to use
  2. Checks the AXIS policy setting to verify if the control is from a trusted source
  3. The specific check matches the host name of the URL specified in the CODEBASE attribute of the object tag against the list of trusted locations specified in policy
  4. Downloads and installs the control on the user’s behalf

Some security zone settings control whether computers can execute and/or download ActiveX controls. However, even if Internet Explorer allows an ActiveX control to be downloaded from the web site, the ActiveX control can only be installed from an elevated process or administrative account. One of the goals for enterprises is to only provide end users standard, non-administrative access to their operating system. This means that ActiveX controls downloaded from web sites – regardless of the web site’s security zone – cannot be installed by the end users.

With Windows 7/8 and beyond, AXIS is a native Windows service that will install ActiveX controls on behalf of end-users. Enterprises can maintain a list of approved web sites, implemented via Group Policy, that will cause AXIS to install any required ActiveX controls for the end-user. Further, AXIS can be configured to install ActiveX controls from all Trusted Sites.

The advantage of using AXIS over a software distribution tool is that no packaging of ActiveX controls is required, which significantly reduces the amount of time needed to get an ActiveX control installed in production. Group Policy based administration enables rapid changes to the deployed computers. Leveraging AXIS involves some additional management, specifically the management of a Group Policy object to add specific sites to leverage AXIS. The control of ActiveX installation and functional state can be managed in enterprises via Active Directory Group Policy.

| Policy Settings | Scope | Policy Path |
|---|---|---|
| Turn off ActiveX Opt-In Prompt | User, Machine | Windows Components\Internet Explorer |
| Only use the ActiveX Installer Service for installation of ActiveX controls | User, Machine | Windows Components\Internet Explorer |
| Only allow approved domains to use ActiveX without prompt | User, Machine | Windows Components\Internet Explorer\Internet Control Panel\Security\PER ZONE |
| Disable Per-User Installation of ActiveX Controls | User, Machine | Windows Components\Internet Explorer |

Turn off ActiveX Opt-In prompt: This policy setting allows you to turn off the ActiveX Opt-in prompt. The ActiveX Opt-in prevents websites from loading any COM object without prior approval. If a page attempts to load a COM object that Internet Explorer has not used before, an Information bar will appear asking the user for approval. If you enable this policy setting, the ActiveX Opt-in prompt will not appear. Internet Explorer does not ask the user for permission to load a control, and will load the ActiveX if it passes all other internal security checks. If you disable or do not configure this policy setting, the ActiveX Opt-In prompt will appear.

Only use the ActiveX Installer Service for installation of ActiveX controls: This policy setting allows you to specify how ActiveX controls are installed. If you enable this policy setting, ActiveX controls will only install if the ActiveX Installer Service is present and has been configured to allow ActiveX controls to be installed. If you disable or do not configure this policy setting, ActiveX controls, including per-user controls, will be installed using the standard installation process.

Disable Per-User Installation of ActiveX Controls: This policy setting allows you to disable the per-user installation of ActiveX controls. This policy only affects ActiveX controls that can be installed on a per-user basis. If you enable this policy setting, ActiveX controls cannot be installed on a per-user basis. If you disable or do not configure this policy setting, ActiveX controls can be installed on a per-user basis.

 

Configuring the ActiveX Installer Service

The ActiveX Installer Service is enabled by default in Windows 7/8; you only need GPMC to configure it. You must configure the ActiveX Installer Service settings by using an administrative template in Group Policy. The administrative template consists of a list of approved installation sites, which the ActiveX Installer Service uses to determine whether an ActiveX control can be installed. We recommend Domain policies over Local policies.

To configure the ActiveX Installer Service using local GPMC (similar steps for Domain Policy):

  1. Press Windows Key + R to open the Run command.

  2. Type mmc, and then click OK.

  3. In the File menu, click Add/Remove Snap-in.

  4. In the Add/Remove Snap-ins dialog box, select Group Policy Management Console, and then click Add.

  5. In the Select Group Policy Object dialog box, accept the default setting of the local computer or click Browse to configure a remote computer, and then click Finish.

  6. In the Add/Remove Snap-ins dialog box, click OK.

  7. In the console tree, expand Local Computer Policy, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click ActiveX Installer Service.

  8. In the details pane, click Approved Installation Sites for ActiveX Controls to edit it.

  9. In the Approved Installation Sites for ActiveX Controls Properties dialog box, select Enabled, and then click Show next to Host URLs.

  10. In the Show Contents dialog box, type the name for the URL where you want to allow ActiveX controls to be installed.

  11. Type the values for the four ActiveX Installer Service host URL settings.

  12. Click OK.

  13. In the details pane, click Establish ActiveX installation policy for sites in Trusted zones to Edit.

  14. Make your selection for the Trusted zones.

  15. Click OK to close.

When you add a URL, you can specify comma-delimited values that detail the settings for the ActiveX Installer Service.
You can configure four values:

  • Installing ActiveX controls that have trusted signatures
  • Installing signed ActiveX controls
  • Installing unsigned ActiveX controls
  • HTTPS error exceptions

 

ActiveX Recommended Practices

Only install ActiveX controls from reputable organizations -
We recommend that you only install ActiveX controls from publishers that you know and trust. The ActiveX Installer Service does not determine whether the host presenting the ActiveX control is connected to a secure network. Ensuring that you only install ActiveX controls from reputable publishers will help mitigate this threat.

Deploy commonly used ActiveX controls -
We recommend that you deploy ActiveX controls that are commonly used in your environment by using your organization's application deployment method. Many users today use laptops to connect to multiple networks, including wireless hot spots. A malicious proxy at an insecure network could attempt to trick the ActiveX Installer Service by redirecting it to a host with malicious software that represents itself as a commonly used ActiveX control. Ensuring that you deploy commonly used ActiveX controls for your users will help mitigate this threat.

Only use HTTPS host URLs -
We recommend that you only modify the value for HTTPS error exceptions to require the connection to pass all verification checks (0). If a remote user connects to an insecure wireless network and the proxy attempts to redirect the connection, this setting ensures that the ActiveX control installation fails because the certificate will be invalid.

Consolidate ActiveX controls to a central server -
We recommend that you consolidate the ActiveX controls you use in your organization to a central server. The location where a Web site hosts an ActiveX control is called a CODEBASE. Normally, the CODEBASE is specified in the Web page, and the installation process retrieves the ActiveX control from that location.
In managed enterprises, you can use Group Policy to override the CODEBASE that is specified within the Web page to redirect to an internal server. Using this setting allows you to easily manage which ActiveX controls users can install by consolidating the ActiveX controls onto a central server; if the server is an HTTPS server, you also satisfy the previous recommended practice, only use HTTPS host URLs.
You can configure a common Group Policy setting to redirect all ActiveX control installations to a central server in your organization. You can do this by using the CodeBaseSearchPath registry key. For more information on CodeBaseSearchPath, see Implementing Internet Component Download: https://go.microsoft.com/fwlink/?LinkId=90677
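
The sketch below is an added example, not code from the original post or from Microsoft. It audits a list of approved host URLs and their four comma-delimited values against the recommended practices above, and applies the CODEBASE host check and the .cab/.dll/.ocx restriction described earlier. The sample policy is constructed; the field names, the reading of 0 as "do not install" for unsigned controls, and the scheme comparison (the post only states a host name match) are assumptions.

```python
from urllib.parse import urlsplit

FIELDS = ("trusted_signed", "signed", "unsigned", "https_exceptions")
INSTALLABLE = (".cab", ".dll", ".ocx")  # extensions the page says AXIS installs

# Constructed sample policy (not from the page): host URL -> four values.
SAMPLE_POLICY = {
    "https://controls.corp.example": "2,1,0,0",
    "http://legacy.corp.example": "2,2,1,0",
    "https://vendor.example": "2,1,0,256",
    "https://broken.example": "2,1",
}

def parse_entry(url, value):
    """Return (scheme, host, settings) or raise ValueError if malformed."""
    parts = [p.strip() for p in value.split(",")]
    site = urlsplit(url)
    if len(parts) != len(FIELDS) or not all(p.isdigit() for p in parts):
        raise ValueError(f"{url}: expected four numeric values")
    if not site.hostname:
        raise ValueError(f"{url}: no host name")
    return site.scheme.lower(), site.hostname.lower(), dict(zip(FIELDS, map(int, parts)))

def audit(policy):
    """List (url, finding) pairs for entries that miss the recommended practices."""
    findings = []
    for url, value in policy.items():
        try:
            scheme, _, s = parse_entry(url, value)
        except ValueError:
            findings.append((url, "malformed"))
            continue
        if scheme != "https":
            findings.append((url, "not-https"))
        if s["https_exceptions"] != 0:      # page: 0 = pass all verification checks
            findings.append((url, "https-exceptions"))
        if s["unsigned"] != 0:              # assumption: 0 = do not install
            findings.append((url, "unsigned-allowed"))
    return findings

def codebase_approved(codebase, policy):
    """True if the CODEBASE URL's scheme and host match a well-formed entry."""
    target = urlsplit(codebase)
    if not target.path.lower().endswith(INSTALLABLE) or not target.hostname:
        return False
    for url, value in policy.items():
        try:
            scheme, host, _ = parse_entry(url, value)
        except ValueError:
            continue
        if (scheme, host) == (target.scheme.lower(), target.hostname.lower()):
            return True
    return False
```

Running `audit(SAMPLE_POLICY)` flags the HTTP host, the entry that permits unsigned controls, the entry with a non-zero HTTPS exception value, and the entry with too few values.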

 

AXIS Implementation Checklist

  1. Gather ActiveX controls - You can assess which controls, if any, are appropriate to use within your organization. You may need to gather an inventory of existing ActiveX controls already in production use. The Microsoft Assessment and Planning Toolkit or Application Compatibility Manager as part of the Windows 8 ADK can help with the inventory.
  2. Create and implement Group Policies

 

Most Common Controls

 

More Information about ActiveX can be found:

This post is based on the work of Steve Campbell (Architect with Microsoft Consulting Services US) and was contributed by Lutz Seidemann, a Solution Architect with Microsoft Consulting Services – World Wide Client Center of Excellence.


Comments

  • Anonymous
    June 17, 2013
    I can't for the life of me get AXIS to function in our environment. Troubleshooting tips just rehash the same Microsoft language that I've read again and again. Your post makes specific mention of other IE policy settings (like "Turn off ActiveX Opt-In prompt") but it doesn't recommend an action for them. Am I supposed to enable those policies? Disable them? Do they conflict with AXIS if they aren't set a specific way? I could really use some guidance on this. Thanks.

  • Anonymous
    June 23, 2013
    Funny to see an article on this now, as I just had to review our AXIS GPO last week. We've been running with it since we rolled out Vista years ago. It has been great.

  • Anonymous
    December 17, 2015
    Why is it so difficult to install IE add-ons without administrator rights? It is ridiculous.