Applies To: Windows Server 2003 with SP1
Note
The Microsoft Windows Server 2003 Internet Explorer Enhanced Security Configuration component (also known as Microsoft Internet Explorer hardening) reduces a server’s vulnerability to attacks from Web content by applying more restrictive Internet Explorer security settings that disable scripts, ActiveX components, and file downloads for resources in the Internet security zone. As a result, many of the security enhancements included in the latest release of Internet Explorer will not be as noticeable in Windows Server 2003 Service Pack 1. For example, the new Internet Explorer Notification Bar and Pop-up Blocker features will not be used unless the site is in a zone whose security setting allows scripting. If you are not using the enhanced security configuration on your server, these features will function as they do in Windows XP Service Pack 2.
In Windows Server 2003 with Service Pack 1, the ActiveX security model is applied in all cases where URL binding is used to instantiate and initialize an object. The ActiveX security model allows controls to be marked as "safe for scripting" and "safe for initialization" and provides users with the ability to block or allow ActiveX controls by security zone, based on those settings. This allows greater flexibility and control of active content in Internet Explorer.
Web developers and network administrators need to be aware of these new restrictions to plan changes or workarounds for any possible impact to their Web site.
Application developers should review this feature and plan any changes their applications need in order to adopt it.
Users could be affected by sites that are not compatible with these stricter rules.
No new functionality is added in Service Pack 1: existing security functionality is being extended.
The most effective way to remove ActiveX safety vulnerabilities is to apply security policies consistently at the source of the URL binding: URLMON. Declaring an ActiveX control in an HTML page using the <object> tag and CODEBASE attribute is one commonly known example of using BindToObject. The same functionality is used by any component that wants to resolve a URL and get back a stream or object. The ActiveX security model is now applied to all object initializations with a URL as a source.
In the case of ActiveX controls, the ActiveX security model allows controls to be marked as "safe for scripting" or "safe for initialization" and provides users with the ability to block or allow ActiveX controls by zone, based on those settings. In earlier versions of Windows, this security framework was not applied in all cases where URL binding took place. Instead, the calling code was responsible for ensuring the integrity and security of the control, which often resulted in security vulnerabilities. There are now a number of public exploit variations that expose this exact issue by going through Internet Explorer to compromise vulnerabilities in the calling code.
The ActiveX security model is applied to all object initializations with a URL as a source, and the "Safe for initialization" tag is applied to all objects. This mitigation only applies to cases where Internet Explorer resolves a URL, instantiates an object, and initializes the object with data retrieved from that URL.
Application compatibility problems should be minimal. Applications can opt out if they have their own security manager. For more information about opting out of this security model, see "Security Considerations: URL Security Zones API," on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=21814.
Applications can also opt in or out of this mitigation using the feature control key FEATURE_SAFE_BINDTOOBJECT, as described in the topic "Internet Explorer Using Feature Control Registry Settings with Security Zone Settings."
Setting name | Location | Previous default value | Default value | Possible values
---|---|---|---|---
IExplore.exe, Explorer.exe, WMPlayer.exe | HKEY_LOCAL_MACHINE (or HKEY_CURRENT_USER)\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT | None | 1 | 0 - Off, 1 - On
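The following script is an added example, not part of the original topic: it audits the FEATURE_SAFE_BINDTOOBJECT value for the three processes in the table above, under both hives the table names, and can optionally set each process to 1 (On) under HKEY_LOCAL_MACHINE. It assumes the per-process layout the table describes (a REG_DWORD named after the executable, 0 = Off, 1 = On) and that a missing value means the table's default of 1 applies; the function and switch names are the script's own.

```powershell
[CmdletBinding()]
param(
    # -Enforce writes 1 (On) under HKLM for every listed process; requires an elevated session.
    [switch]$Enforce
)

# Registry path and process names taken from the settings table above.
$FeatureSubKey = 'Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT'
$Processes     = @('IExplore.exe', 'Explorer.exe', 'WMPlayer.exe')
$Hives         = @('HKLM', 'HKCU')

function Get-SafeBindToObjectState {
    # Hypothetical helper: reports how the mitigation is configured for one process in one hive.
    param([string]$Hive, [string]$Process)
    $path = "${Hive}:\$FeatureSubKey"
    if (-not (Test-Path $path)) {
        return 'Key absent (assumed: default value 1 = On applies)'
    }
    $item = Get-ItemProperty -Path $path -Name $Process -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return 'Value absent (assumed: default value 1 = On applies)'
    }
    switch ($item.$Process) {
        0       { 'Off - mitigation explicitly disabled for this process' }
        1       { 'On' }
        default { "Unexpected value $($item.$Process) - not 0 or 1" }
    }
}

# Audit: one row per hive/process pair.
foreach ($hive in $Hives) {
    foreach ($proc in $Processes) {
        [pscustomobject]@{
            Hive    = $hive
            Process = $proc
            State   = Get-SafeBindToObjectState -Hive $hive -Process $proc
        }
    }
}

# Optional hardening: set every listed process to On under HKLM.
if ($Enforce) {
    $path = "HKLM:\$FeatureSubKey"
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    foreach ($proc in $Processes) {
        New-ItemProperty -Path $path -Name $proc -Value 1 -PropertyType DWord -Force | Out-Null
    }
}
```

Run it without parameters to review the current state; an explicit 0 for any process means an application or administrator has opted that process out of the mitigation.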