When securing a small business network, whether it's based on Windows Small Business Server 2003 (SBS 2003) or Windows Server 2003, I like to suggest blocking ActiveX controls on the Windows XP Service Pack 2 (SP2) machines on the network and allowing only specified controls. By blocking most ActiveX controls—or, in recent Microsoft terminology: add-ons—you can substantially reduce the risk of users running code within Microsoft Internet Explorer (IE) and infecting their machines with malicious programs, spyware, and viruses.
In SBS 2003 and Windows 2003, Microsoft has given us new Group Policy tools to manage ActiveX controls in our domains. With these new Group Policy settings, administrators can add allowed ActiveX controls to a Group Policy "white list" and block any other add-ons from being loaded on client machines. Unfortunately, these tools don't make the process as easy as it could be. You must find the globally unique identifier (GUID), or Class ID, of the add-ons you want to allow and you must type in these long strings of letters and numbers, rather than copying and pasting them in. But the directions in this article should help you over these rough spots, and maybe improvements in Windows Vista and IE 7.0 will ease the process.
This article is aimed specifically at networks that use SBS 2003, which comes with Windows SharePoint Services, Microsoft Outlook Web Access (OWA), and other SBS 2003 features that use IE add-ons to function. However, you can take similar steps in an enterprise network if you're running these same features or products.
STEP 1: Find the GUID of the Add-ons That You Want to Allow
To put ActiveX controls on a Group Policy white list, you first must discover which controls your users need. Then, you must discover each control's Class ID so that you can type it into your Group Policy Object (GPO).
On a client machine that you think has the ActiveX controls that you want your users to have, start IE, then select Manage Add-ons from the Tools menu. In the Manage Add-ons dialog box, you can view two lists of ActiveX controls: a list of add-ons currently loaded and a list of add-ons that have been loaded at one time or another. Right-click the column headings of whichever list is currently visible and select Class ID to add the Class ID column to the dialog box, as Figure 1 shows.
Look through the two lists of ActiveX controls and write down the Class IDs of the ones you want to put on your GPO white list exactly as shown— with beginning and ending brackets and hyphens. Unfortunately, there's no way to copy the Class IDs from this list and paste them into the GPO. You're going to have to type in the Class IDs, so be careful to write them down correctly.
Unfortunately, the Manage Add-ons lists in IE 6.0 don't show all the ActiveX controls that run on a system—apparently because these add-ons are sitting behind another process. I've done a little detective work and have assembled a list of addons that SBS 2003 organizations need to allow to make various SBS 2003 features, such as Remote Web Workplace and OWA, work. Web Table 1 shows this list. You'll need to type the Class IDs of the add-ons for the SBS 2003 features you use in your GPO allow list.
Depending on what other add-ons you require, you might need to do some additional sleuthing to discover other ActiveX controls that your client machines need to allow so that the Web sites your users need will work properly for them. It's great to do this discovery up front, before you block all ActiveX controls (except the ones you add to your white list) in Step 2 below. But keep in mind that you're likely to miss some ActiveX controls at this stage, so you'll probably need to add more Class IDs to your white list after you put ActiveX blocking into effect.
To discover the Class IDs that a Web site is loading on a client system, first download and install the Debugging Tools for Windows. Start the WinDbg tool, and configure the symbol path to point to the Microsoft public symbol server Then attach to IE's process (IEXPLORE), which should already be running, and set the following breakpoint in the console window:
bp SHLWAPI!SHCoExtensionAllowed
"db poi(esp+4); g"
Press F5 to allow IE to run, and open the desired Web site in IE. In the debugger window, you'll see output from the computer's memory that looks similar to the output in Figure 2. Each line represents an ActiveX control that requires operator approval before the control can run (some controls might appear more than once). The character strings that the debugger outputs aren't in Class ID format— they must be translated into that format.
For example, the first line in Figure 2 contains the string in the first line of Figure 3. If you reorder the first eight number/letter pairs, eliminate the spaces, and add brackets and hyphens, you end up with the Class ID for the JavaScript addon, which the second line in Figure 3 shows. Once you have the Class IDs, you just have to determine whether you want to add their associated controls to your allow list. (I never said this was easy.)
Alternatively, if you know you want to allow a particular add-on that doesn't appear on IE's Manage Add-ons lists, you can contact the add-on's vendor and request the Class ID. Tracking down and manually writing down the GUIDs for all the ActiveX controls you want to allow can be a tedious process. The good news is that you only have to do it once if you use a GPO to apply the allow list.
STEP 2: Add the GUIDs to the GPO's Allow List
After you have the GUIDs, you can add them to a GPO's allow list. On an XP SP2 client, open the most recent version of Group Policy Management Console (GPMC). Alternatively, you can download the XP SP2 Administrative Template (.adm) files and use them with GPMC on your server. Of course, if you already have Windows 2003 SP1 installed, the GPO entries that were new in XP SP2 are already included.
After opening GPMC, you can edit one of your existing policies or create a new one specifically for these settings. I created a new, separate policy for my allow list so that if I need to, I can disable the policy without affecting anything else.
Open the policy, and under the User node or Computer node, navigate to Administrative Templates\Windows Components\ Internet Explorer\Security Features\Add-on Management. Enable the Deny all add-ons unless specifically allowed in the add-on list option to set the XP SP2 machines to allow only the ActiveX controls you add to the list. The node under Add-on Management is Add-on List. Open it, select Enabled, and click Show to open a dialog box that shows any allowed ActiveX control GUIDs and lets you enter GUIDs.
Click Add and type in the GUID of an add-on that you want to allow, including the beginning and ending brackets and the hyphens, and set the value of the item to 1 to enable it. (It seems totally crazy that you have to enter 1—why would you go through the bother of adding a GUID and then setting it to 0, or Off?) Figure 4 shows the Add Item dialog box with the GUID for the Macromedia Shockwave Flash Object entered. Check your typing carefully before clicking OK. Once you've entered a GUID and clicked OK, you can't go back and edit the value; if you've made a mistake, you must delete the entire entry and add it again. This is a real problem given the long strings of numbers and letters you must type for each GUID.
After you've entered all the GUIDs you want to add to your allow list, close the GPO. At a command prompt on the client machine, type
GPUpdate /force
or reboot the machine, then test the white list by surfing to the Web sites your users visit and making sure that the pages load normally. Add-on blocking is a very powerful feature of XP SP2. Microsoft could definitely improve the process of enabling only a specified list of ActiveX controls in a GPO— and let's hope some improvements are coming in IE 7.0—but the rudimentary tools are in place, and taking the trouble to block unwanted controls will make your network, large or small, a safer place.
