One of the problems associated with least privileged user accounts in Windows XP is that when users browse to a Web site that requires them to download an ActiveX control to display the Web page contents, they don't have the authority to install the control. An ActiveX control from a rogue Web site can be used for malicious purposes. Therefore, ActiveX controls should always be installed with caution from trusted sources only, preferably by an administrator who understands the risks. In practice, this means that users with limited privileges must wait until a support technician with administrative privileges has time to install controls for them. Hardly an ideal situation, but preferable to running Microsoft Internet Explorer (IE) with administrative privileges, in most cases.
This is where Windows Vista’s ActiveX Installer Service comes in. This service—in Vista Ultimate, Business, and Enterprise editions only—can be used in conjunction with Group Policy to determine whether a least privileged user is allowed to install an ActiveX control package (i.e., an .ocx, .dll, or .cab file) from a particular URL. If ActiveX Installer Service finds the URL on the allowed list in Group Policy, the service will install the control on the user’s behalf. Although Installer Service has some limitations (which I discuss below), it does give users and their administrators some control over ActiveX objects, so I believe it's worth using. Let's look at how to set up Installer Service to install Adobe Flash Player for users who request it.
Background and Moving Ahead
I should note that pre-Vista, IE isn’t totally without control over ActiveX components. In XP Service Pack 2 (SP2) with IE 6.0 or later, it's possible to run as an administrator and block installation of all ActiveX controls. For each IE security zone, you can configure whether an administrative user can download and run signed or unsigned ActiveX controls. Also, you can define a list of "administrator approved" ActiveX controls in Group Policy that local administrators can run. These Group Policy settings are fine for restricting administrative users, but they don’t help when it comes to allowing least privileged users to install controls. These users are barred from installing controls no matter what policy is set.
To make use of ActiveX Installer Service, you must install it because it’s an optional Windows component. In the Ultimate, Business, or Enterprise edition of Vista, log on with an account that has administrative privileges, open Control Panel, and select Programs. Select Turn Windows features on or off. You’ll see ActiveX Installer Service at the top of the list. Select its check box as shown in Figure 1, then click OK.
Allowing Flash Player
Before you can actually set a policy that specifies which URLs least privileged users can download ActiveX controls from, you need some information about those Web sites and controls. To get that information, you can generate an event related to a URL and control and look in the event description.
To cause an event, first log on to Vista with a user account that's a member of the built-in users group only. The account shouldn't have any administrative privileges.
For the purposes of this article, we're going to work with Flash Player, so go to the Adobe Flash Player Download Center at http://www.adobe.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash. (If you already have this control installed on your system, you can use IE's Manage Add-ons tool to remove it.)
Click the button to install Flash Player 9 on your computer. Vista's User Account Control (UAC) will prompt you to enter an administrator username and password for the Internet Explorer Add-on Installer. At this point, click Cancel on the UAC prompt. Now, you have your event.
Log off as the standard user and log back on as an administrator. (You could probably use Fast User Switching—FUS—here, but I prefer during testing not to use it, especially when making changes to Group Policy. In my experience, depending on which policy I'm modifying, a log on or off or even a reboot might be required. The results are more consistent when you log off and on, even if it takes a little longer.)
Open the Event Viewer (type event in the Search box on the Start menu, and the Event Viewer will appear under Programs), and search the application event log for event ID 4097. Figure 2 shows the event information, which gives you two important pieces of data: the name of the ActiveX control file and the host URL. The control filename—swflash.cab—tells you that this is a file that ActiveX Installer Service can handle. (Remember that Installer can install controls packaged as .ocx, .dll, or .cab files.) The host URL—http://fpdownload.macromedia.com—is the value you need to add to the ActiveX Installer Service policy so that the service is allowed to install the control.
In a corporate environment, you’d configure an Active Directory (AD)-based Group Policy Object (GPO) in order to set up Installer for multiple machines, but for the purposes of testing, I'll describe configuring the local computer policy to enable standard users to install Flash Player.
At the Start menu, type gpedit.msc in the Search box, and press Enter. Under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\ActiveX Installer Service, click Approved Installation Sites for ActiveX Controls, select Enabled, and click Show. In the Show Contents dialog box, click Add and enter the host URL http://fpdownload.macromedia.com as the value name and 2,1,0,0 as the value. Click OK. Figure 3 shows the resulting dialog box.
The first three digits of value 2,1,0,0 tell ActiveX Installer Service how trusted, signed, and unsigned controls should be handled. A 0 means don’t install, a 1 means prompt the user before installing, and a 2 means silent install. Thus, in the value 2,1,0,0, the 2 tells Installer that it can silently install trusted controls, the 1 tells Installer to prompt the user before installing digitally signed controls, and the 0 ensures that unsigned controls won't be installed.
The fourth digit of value 2,1,0,0 tells ActiveX Installer Service how to handle HTTP Secure (HTTPS) certificate errors. The default value is 0, which means that there can be no certificate errors when installing a control. The other possible values are listed in Table 1. If an ActiveX control is hosted from an HTTPS URL, the non-0 settings lower the security requirements for resolving problems with certificate errors.
Click OK in the Approved Installation Sites for ActiveX Controls dialog box and close Group Policy Editor (GPE). To make sure that the policy takes effect immediately, we need to force a policy update. Open a command prompt and type
It will take a few seconds for the policy to be refreshed.
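The four-field value described above can be checked mechanically before a policy is rolled out to many machines. The following Python code is an added example, not part of the original article or of any Microsoft tool: it parses host URL/value pairs and flags anything more permissive than the article's 2,1,0,0. The function names and the example.com entries are constructed for illustration, and a non-zero fourth field is flagged but not decoded because Table 1 is not reproduced here.

```python
from urllib.parse import urlsplit

# Meaning of each of the first three fields, as given in the article.
ACTIONS = {0: "do not install", 1: "prompt user", 2: "silent install"}
FIELDS = ("trusted", "signed", "unsigned")


def parse_policy_value(value):
    """Split a value such as '2,1,0,0' into named fields; raise ValueError if malformed."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        raise ValueError(f"expected four comma-separated integers, got {value!r}")
    numbers = [int(p) for p in parts]
    for name, n in zip(FIELDS, numbers):
        if n not in ACTIONS:
            raise ValueError(f"{name} field must be 0, 1 or 2, got {n}")
    policy = dict(zip(FIELDS, numbers[:3]))
    policy["cert_errors"] = numbers[3]  # 0 = no HTTPS certificate errors tolerated
    return policy


def audit_entry(host_url, value):
    """Return findings for one approved-site entry (empty list = matches the baseline)."""
    try:
        policy = parse_policy_value(value)
    except ValueError as exc:
        return [f"malformed value: {exc}"]
    findings = []
    if policy["unsigned"] != 0:
        findings.append(f"unsigned controls: {ACTIONS[policy['unsigned']]}")
    if policy["signed"] == 2:
        findings.append("signed controls install silently, without a user prompt")
    if policy["cert_errors"] != 0:  # assumption: any non-zero value is worth review
        findings.append("HTTPS certificate errors are tolerated")
    url = urlsplit(host_url)
    if url.scheme not in ("http", "https") or not url.netloc:
        findings.append("host URL is not an http(s) URL with a host name")
    return findings


# Constructed sample entries (host URL -> value); only the first is from the article.
SAMPLE_ENTRIES = {
    "http://fpdownload.macromedia.com": "2,1,0,0",
    "https://controls.example.com": "2,2,1,256",
    "https://legacy.example.com": "2,1,0",
}

if __name__ == "__main__":
    for host, value in SAMPLE_ENTRIES.items():
        print(host, value, audit_entry(host, value) or "ok")
```

Run the audit over every host URL and value pair entered in the Show Contents dialog box; an empty result means the entry is no more permissive than the one configured in this article.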
Tests and Caveats
After the command has completed, log back on as the standard user and try again to install Flash Player. Open IE and go once again to the Adobe Flash Player Download Center Web site. Attempt to install the control again and notice the difference in behavior. This time, an ActiveX Installer Service prompt will ask you for permission to install the control. Grant the permission, and after a few seconds, the Flash animation in the Web browser window should show you that the process has been successful. No administrative privileges required.
You should confirm that if you as the standard user browse to another site that prompts for the download and installation of an ActiveX control, Vista applies its standard security restrictions. For example, if you browse as the standard user to http://www.apple.com/quicktime/player/win.html, UAC will prompt you for administrative credentials because the host URL isn't defined in a policy. Cancel the UAC request and (after logging off as the standard user and logging back on as an administrator) check the application event log again for event ID 4097. Note the different host URL for Apple QuickTime.
The policy that you’ve just configured should let a standard user install any ActiveX controls that are in the required package format and that are hosted at the Adobe URL the policy specifies. However, in my testing, I’ve experienced problems installing certain controls even if they're packaged in one of the supported formats. For example, ActiveX Installer Service installation of the Adobe Shockwave Player (which is in the correct format and is at the same Adobe URL as Flash Player) prompts for credentials, which defeats the point of Installer. The lesson here is that you need to test every potential ActiveX control that you want Installer to approve for installation on your network.
If the fact that you're trusting the hosting company and any controls it decides to publish at the given URL, rather than any one specific ActiveX control, gives you pause, you'll need to look for a different solution. However, in my opinion, ActiveX Installer Service is a huge improvement over managing ActiveX controls in previous versions of Windows. See the Windows IT Pro article "Deactivate ActiveX to Protect Your SBS Network," January 2006, InstantDoc ID 48400, for instructions about how to manage ActiveX downloads in pre-Vista Windows.