Administering the ActiveX Installer Service in Windows 7

Applies To: Windows 7, Windows Server 2008 R2

The ActiveX Installer Service (AXIS) enables IT professionals to manage the deployment of ActiveX® controls by using Group Policy on computers in an organization. ActiveX controls are self-registering COM objects that are used to provide a more interactive user experience when using Internet Explorer. ActiveX controls are often distributed in .cab files. By default, standard user accounts do not have permission to install ActiveX controls. You can use this document to learn how to implement and administer the ActiveX Installer Service in Windows® 7.

Note

The ActiveX Installer Service is not included in Windows Server® 2008 R2. If you attempt to install an ActiveX control from your Web browser on a computer running Windows Server 2008 R2, a User Account Control dialog box with a yellow bar will be displayed warning you that the publisher is unknown.

Starting the ActiveX Installer Service

On computers running Windows 7, the ActiveX Installer Service is enabled by default and configured so that it can be started when it is requested by Web sites that provide ActiveX controls.

Configuring the ActiveX Installer Service

The options and sites used by the ActiveX Installer Service are configured by Group Policy settings, which can be modified by using either the Group Policy Management Console (GPMC) or the Local Group Policy Editor. There are two policy settings for the ActiveX Installer Service: Approved Installation Sites for ActiveX Controls and Active X installation policy for sites in Trusted zones. The Approved Installation Sites for ActiveX Controls policy setting consists of a list of approved installation sites, which the ActiveX Installer Service uses to determine whether an ActiveX control can be installed. The Active X installation policy for sites in Trusted zones policy setting identifies the methods by which Trusted sites zones can be used to install ActiveX controls. When a Web site attempts to install an ActiveX control, the ActiveX Installer Service will check to see if the URL of the Web site is listed in either the list of approved installation sites or as part of the Trusted sites zone. If the site is on either of these, the ActiveX Installer Service will check to make sure that the site meets the requirements defined by the policy. If the site and the ActiveX control meet all of the requirements of the policy settings, the control is installed.

Important

You must be logged on with an account that is a member of the Administrators group to modify Group Policy settings.

To configure approved installation policy settings for the ActiveX Installer Service

  1. Click Start, type gpedit.msc in the Search programs and files box, and press ENTER to open the Local Group Policy Editor.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

  3. In the console tree under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components, click ActiveX Installer Service.

  4. In the details pane, right-click Approved Installation Sites for ActiveX Controls, and then click Edit to open the policy setting.

  5. In the Approved Installation Sites for ActiveX Controls dialog box, click Enabled, and then under Options, click Show.

  6. In the Show Contents dialog box, type the name for the URL where you want to allow ActiveX controls to be installed in the Value name text box, and then type the values for the four ActiveX Installer Service host URL settings. When you add a URL, you can specify comma-delimited values that detail the settings for the ActiveX Installer Service. You can configure four values:

    • Installing ActiveX controls that have trusted signatures. For information about the values, see Installing ActiveX controls that have trusted publishers in this document.

    • Installing signed ActiveX controls. For information about the values, see Installing signed ActiveX controls in this document.

    • Installing unsigned ActiveX controls. For information about the values, see Installing unsigned ActiveX controls in this document.

    • HTTPS error exceptions. For information about the values, see HTTPS error exceptions in this document.

Note

To help you decide which values to use, see the Sample configurations section.

  7. When you finish adding URLs, click OK twice to apply the changes.

Configuring the ActiveX installation policy for the Trusted sites zone

You can add Web sites that are trusted by your organization to the Trusted sites zone so that they can install ActiveX controls without requiring administrator approval. Sites in the Trusted sites zone can be specified with wildcard characters in combination with a subdomain; for example, adding the Web site https://*.contoso.com to the Trusted sites zone and then configuring the Active X installation policy for sites in Trusted zones policy setting would enable all Web sites in the contoso.com domain to install ActiveX controls onto computers in your organization. This can be useful if you have multiple trusted forests in your organization.

To use this policy setting, you must also have enabled the Security Zones: Use only machine settings policy setting under Computer Configuration\Administrative Templates\Windows Components\Internet Explorer and populated the list of trusted sites that you will deploy by Group Policy in the Site to Zone Assignment List policy setting under Computer Configuration\Administrative Templates\Internet Explorer\Internet Control Panel\Security Page.

Security Note
If you decide to use this feature to allow installing from the trusted sites, the Site to Zone Assignment List Group Policy setting must have at least one entry to the trusted sites to prevent standard users from installing arbitrary ActiveX controls.

Using sub-domains with wildcard characters allows a standard user to install programs and applications from any server in the sub-domain that uses wildcard characters, which could include malware and potentially unwanted software. You should make sure that all servers in the sub-domain are fully trusted before enabling this feature.

To configure the ActiveX installation policy for sites in Trusted zones

  1. Click Start, type gpedit.msc in the Search programs and files box, and press ENTER to open the Local Group Policy Editor.

  2. In the console tree under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components, click ActiveX Installer Service.

  3. In the details pane, right-click Active X installation policy for sites in Trusted zones, and then click Edit to open the policy setting.

  4. In the Active X installation policy for sites in Trusted zones dialog box, click Enabled.

  5. In Options, choose the policy settings that you want to apply to sites in the Trusted sites zone based on the type of ActiveX control that it is attempting to install.

    • To install the control automatically without requiring the user to approve the installation, select Silently install.

    • To allow the user to decide whether or not to install the control, select Prompt the user.

    • To prevent controls that match the criteria from being installed, select Don't install.

    You can configure the policy for the following types of controls:

    • ActiveX controls signed by a trusted publisher

    • Signed ActiveX controls

    • Unsigned ActiveX controls

  6. If the sites in your Trusted sites zone include server validation (HTTPS), you can also configure the policy to control the connection to trusted sites in the presence of certificate errors. By default, all HTTPS connections must supply a server certificate that passes all validation criteria. You should only specify exceptions if you are completely assured of the validity of the trusted site and the reason for the error condition.

  7. Click OK to apply the changes.

Installing ActiveX controls that have trusted publishers

This setting describes the behavior of the service when installing an ActiveX control that is signed by a certificate in the Trusted Publishers store for the computer or enterprise. Table 1 shows possible values for this setting.

Table 1: Values for installing ActiveX controls that have trusted signatures

Value  Description
0      Prevents users from installing ActiveX controls that have trusted signatures.
1      Prompts the user before installing ActiveX controls that have trusted signatures.
2      Installs ActiveX controls that have trusted signatures without notifying the user. This is the default value.

Installing signed ActiveX controls

This setting determines the behavior of the service when installing an ActiveX control that is signed by a certificate that is not in the Trusted Publishers store for the computer or enterprise.

Table 2: Values for installing signed ActiveX controls

Value  Description
0      Prevents the user from installing signed ActiveX controls.
1      Prompts the user before installing signed ActiveX controls. This is the default value.
2      Installs signed ActiveX controls without notifying the user.

Installing unsigned ActiveX controls

This setting determines the behavior of the service when installing an unsigned ActiveX control. Table 3 shows possible values for this setting.

Table 3: Values for installing unsigned ActiveX controls

Value  Description
0      Prevents the user from installing unsigned ActiveX controls. This is the default value.
1      Prompts the user before installing unsigned ActiveX controls.

HTTPS error exceptions

This value controls how the ActiveX Installer Service handles any errors that are detected in an HTTPS connection. By default, the ActiveX Installer Service prevents the installation of an ActiveX control if any errors are detected.

Table 4: Values for HTTPS error exceptions

Value       Description
0           Specifies that the connection must pass all verification checks.
0x00000100  Specifies that the ActiveX Installer Service should ignore errors caused by unknown certification authorities (CAs).
0x00001000  Specifies that the ActiveX Installer Service should ignore errors caused by an invalid common name (CN). A CN is a naming attribute from which an object distinguished name (DN) is formed.
0x00002000  Specifies that the ActiveX Installer Service should ignore errors caused by a certificate's date.
0x00000200  Specifies that the ActiveX Installer Service should ignore errors caused by improper certificate use.

Note

To implement multiple exceptions, add the appropriate DWORD value for the desired exception(s) to form a cumulative value.
For example, to ignore only HTTPS certificate warnings related to date and improper usage, the fourth policy entry should be represented by the value of 0x00002200.

Sample configurations

The following sample configurations describe how you can configure the ActiveX Installer Service; however, these sample configurations are not recommendations.

Default settings

If you do not specify values, the ActiveX Installer Service enforces the default values. The default values are 2,1,0,0. With these settings in effect, the ActiveX Installer Service will:

  • Prevent unsigned ActiveX controls from being installed.

  • Prompt the user to approve the installation of a signed ActiveX control.

  • Automatically install ActiveX controls that are signed by a certificate in the Trusted Publishers store without prompting the user.

High security settings

The most secure configuration of the ActiveX Installer Service is when an administrator configures the service to:

  • Use an HTTPS site as the host URL.

  • Allow only ActiveX controls that are signed by a certificate in the Trusted Publishers store to be installed.

The values to configure this setting are 2,0,0,0.
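
The following added example (not part of the original document or of any Microsoft tooling) decodes the four comma-delimited values of one approved-site entry using Tables 1 through 4 and lists the settings that are weaker than the high security configuration. The function name, the sample URLs, and the rule that a partial value list is rejected are assumptions of this example.

```python
# Added example: decode one Approved Installation Sites entry using Tables 1-4.
from urllib.parse import urlsplit

ACTIONS = {0: "block", 1: "prompt", 2: "silent"}
HTTPS_FLAGS = {  # Table 4 bit values
    0x00000100: "unknown CA",
    0x00000200: "improper certificate use",
    0x00001000: "invalid CN",
    0x00002000: "certificate date",
}
DEFAULTS = "2,1,0,0"  # defaults stated in the Sample configurations section


def decode_entry(url, value=""):
    """Return (settings, findings) for one host URL and its value string."""
    fields = [f.strip() for f in (value.strip() or DEFAULTS).split(",")]
    if len(fields) != 4:  # assumption: partial value lists are rejected
        raise ValueError(f"expected 4 comma-delimited values, got {len(fields)}")
    trusted, signed, unsigned, https = (int(f, 0) for f in fields)
    if trusted not in ACTIONS or signed not in ACTIONS or unsigned not in (0, 1):
        raise ValueError("install value outside Tables 1-3")
    unknown_bits = https & ~sum(HTTPS_FLAGS)
    if unknown_bits:
        raise ValueError(f"HTTPS exception bits not in Table 4: {unknown_bits:#x}")
    ignored = [name for bit, name in sorted(HTTPS_FLAGS.items()) if https & bit]
    settings = {
        "trusted_publisher": ACTIONS[trusted],
        "signed": ACTIONS[signed],
        "unsigned": ACTIONS[unsigned],
        "https_errors_ignored": ignored,
    }
    findings = []
    if urlsplit(url).scheme.lower() != "https":
        findings.append("host URL is not HTTPS")
    if signed == 2:
        findings.append("signed controls outside Trusted Publishers install silently")
    if unsigned == 1:
        findings.append("users are prompted to install unsigned controls")
    findings += [f"HTTPS error ignored: {name}" for name in ignored]
    return settings, findings


if __name__ == "__main__":
    # Constructed sample entries (hypothetical URLs, not from the original page).
    for url, value in [("https://activex.contoso.example", "2,0,0,0"),
                       ("http://legacy.contoso.example", "2,2,1,0x00002200")]:
        print(url, *decode_entry(url, value), sep="\n  ")
```

An entry that returns an empty findings list matches the high security settings described above.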