Administering the ActiveX Installer Service in Windows 7

Updated: July 10, 2009

Applies To: Windows 7

The ActiveX Installer Service (AXIS) enables IT professionals to manage the deployment of ActiveX® controls by using Group Policy on computers in an organization. ActiveX controls are self-registering COM objects that are used to provide a more interactive user experience when using Internet Explorer. ActiveX controls are often distributed in .cab files. By default, standard user accounts do not have permission to install ActiveX controls. You can use this document to learn how to implement and administer the ActiveX Installer Service in Windows® 7.

Note
The ActiveX Installer Service is not included in Windows Server® 2008 R2. If you attempt to install an ActiveX control from your Web browser on a computer running Windows Server 2008 R2, a User Account Control dialog box with a yellow bar will be displayed warning you that the publisher is unknown.

Starting the ActiveX Installer Service

On computers running Windows 7, the ActiveX Installer Service is enabled by default and configured so that it can be started when Web sites that provide ActiveX controls request it.

Configuring the ActiveX Installer Service

The options and sites used by the ActiveX Installer Service are configured by Group Policy settings, which can be modified by using either the Group Policy Management Console (GPMC) or the Local Group Policy Editor. There are two policy settings for the ActiveX Installer Service: Approved Installation Sites for ActiveX Controls and Active X installation policy for sites in Trusted zones. The Approved Installation Sites for ActiveX Controls policy setting consists of a list of approved installation sites, which the ActiveX Installer Service uses to determine whether an ActiveX control can be installed. The Active X installation policy for sites in Trusted zones policy setting identifies the methods by which sites in the Trusted sites zone can be used to install ActiveX controls.

When a Web site attempts to install an ActiveX control, the ActiveX Installer Service checks whether the URL of the Web site is in the list of approved installation sites or in the Trusted sites zone. If the site is in either of these, the ActiveX Installer Service checks that the site meets the requirements defined by the policy. If the site and the ActiveX control meet all of the requirements of the policy settings, the control is installed.

Important
You must be logged on with an account that is a member of the Administrators group to modify Group Policy settings.

To configure approved installation policy settings for the ActiveX Installer Service
  1. Click Start, type gpedit.msc in the Search programs and files box, and press ENTER to open the Local Group Policy Editor.

  2. In the console tree under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components, click ActiveX Installer Service.

  3. In the details pane, right-click Approved Installation Sites for ActiveX Controls, and then click Edit to open the policy setting.

  4. In the Approved Installation Sites for ActiveX Controls dialog box, click Enabled, and then under Options, click Show.

  5. In the Show Contents dialog box, click Add.

  6. In the Add Item dialog box, type the name for the URL where you want to allow ActiveX controls to be installed.

  7. In the Add Item dialog box, type the values for the four ActiveX Installer Service host URL settings. Refer to tables 1, 2, 3, and 4 later in this document for a description of these settings.

When you add a URL, you can specify comma-delimited values that detail the settings for the ActiveX Installer Service. You can configure four values:

  • Installing ActiveX controls that have trusted signatures

  • Installing signed ActiveX controls

  • Installing unsigned ActiveX controls

  • HTTPS error exceptions

Configuring the ActiveX installation policy for the Trusted sites zone

You can add Web sites that are trusted by your organization to the Trusted sites zone so that they can install ActiveX controls without requiring administrator approval. Sites in the Trusted sites zone can be specified with wildcard characters in combination with a subdomain; for example, adding the Web site https://*.contoso.com to the Trusted sites zone and then configuring the ActiveX installation policy for sites in Trusted zones policy setting would enable all Web sites in the contoso.com domain to install ActiveX controls onto computers in your organization. This can be useful if you have multiple trusted forests in your organization.

To use this policy setting, you must also have enabled the Security Zones: Use only machine settings policy setting under Computer Configuration\Administrative Templates\Windows Components\Internet Explorer and populated the list of trusted sites that you will deploy by Group Policy in the Site to Zone Assignment List policy setting under Computer Configuration\Administrative Templates\Internet Explorer\Internet Control Panel\Security Page.

Security Note
If you decide to use this feature to allow installation from trusted sites, the Site to Zone Assignment List Group Policy setting must contain at least one entry for the Trusted sites zone to prevent standard users from installing arbitrary ActiveX controls.

Using subdomains with wildcard characters allows a standard user to install programs and applications from any server in the subdomain that uses wildcard characters, which could include malware and potentially unwanted software. You should make sure that all servers in the subdomain are fully trusted before enabling this feature.

To configure the ActiveX installation policy for sites in Trusted zones
  1. Click Start, type gpedit.msc in the Search programs and files box, and press ENTER to open the Local Group Policy Editor.

  2. In the console tree under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components, click ActiveX Installer Service.

  3. In the details pane, right-click Active X installation policy for sites in Trusted zones, and then click Edit to open the policy setting.

  4. In the Active X installation policy for sites in Trusted zones dialog box, click Enabled.

  5. In Options, choose the policy settings that you want to apply to sites in the Trusted sites zone based on the type of ActiveX control that it is attempting to install. You can select either Silently install to have the control installed automatically without requiring the user to approve the installation, Prompt the user to allow the user to decide whether or not the control is installed, or Don't install to prevent controls that match the criteria from being installed. You can configure the policy for the following types of controls:

    • ActiveX controls signed by a trusted publisher

    • Signed ActiveX controls

    • Unsigned ActiveX controls

  6. If the sites in your Trusted sites zone include server validation (HTTPS), you can also configure the policy to control the connection to trusted sites in the presence of certificate errors. By default, all HTTPS connections must supply a server certificate that passes all validation criteria. You should only specify exceptions if you are completely assured of the validity of the trusted site and the reason for the error condition.

Installing ActiveX controls that have trusted publishers

This setting describes the behavior of the service when installing an ActiveX control that is signed by a certificate in the Trusted Publishers store for the computer or enterprise. Table 1 shows possible values for this setting.

Table 1: Values for installing ActiveX controls that have trusted signatures

Value  Description
0      Prevents users from installing ActiveX controls that have trusted signatures.
1      Prompts the user before installing ActiveX controls that have trusted signatures.
2      Installs ActiveX controls that have trusted signatures without notifying the user. This is the default value.

Installing signed ActiveX controls

This setting determines the behavior of the service when installing an ActiveX control that is signed by a certificate that is not in the Trusted Publishers store for the computer or enterprise.

Table 2: Values for installing signed ActiveX controls

Value  Description
0      Prevents the user from installing signed ActiveX controls.
1      Prompts the user before installing signed ActiveX controls. This is the default value.
2      Installs signed ActiveX controls without notifying the user.

Installing unsigned ActiveX controls

This setting determines the behavior of the service when installing an unsigned ActiveX control. Table 3 shows possible values for this setting.

Table 3: Values for installing unsigned ActiveX controls

Value  Description
0      Prevents the user from installing unsigned ActiveX controls. This is the default value.
1      Installs unsigned ActiveX controls without notifying the user.

HTTPS error exceptions

This value controls how the ActiveX Installer Service handles any errors that are detected in an HTTPS connection. By default, the ActiveX Installer Service prevents the installation of an ActiveX control if any errors are detected.

Table 4: Values for HTTPS error exceptions

Value       Description
0           Specifies that the connection must pass all verification checks.
0x00000100  Specifies that the ActiveX Installer Service should ignore errors caused by unknown certification authorities (CAs).
0x00001000  Specifies that the ActiveX Installer Service should ignore errors caused by an invalid common name (CN). A CN is a naming attribute from which an object distinguished name (DN) is formed.
0x00002000  Specifies that the ActiveX Installer Service should ignore errors caused by a certificate's date.
0x00000200  Specifies that the ActiveX Installer Service should ignore errors caused by improper certificate use.

Note
You can use the OR (|) character to specify multiple error exceptions for the ActiveX Installer Service.

Sample configurations

The following sample configurations describe how you can configure the ActiveX Installer Service; however, these sample configurations are not recommendations.

Default settings

If you do not specify values, the ActiveX Installer Service enforces the default values. The default values are 2,1,0,0. With these settings in effect, the ActiveX Installer Service will:

  • Prevent unsigned ActiveX controls from being installed.

  • Prompt the user to approve the installation of a signed ActiveX control.

  • Automatically install ActiveX controls that are signed by a certificate in the Trusted Publishers store without prompting the user.

High security settings

The most secure configuration of the ActiveX Installer Service is when an administrator configures the service to:

  • Use an HTTPS site as the host URL.

  • Allow only ActiveX controls that are signed by a certificate in the Trusted Publishers store to be installed.

The values to configure this setting are 2,0,0,0.
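
The comma-delimited value format from Tables 1 through 4 and the two sample configurations above, decoded and checked in Python. This is an added example, not Microsoft's code. The host URLs are constructed, and accepting hex flags joined with | inside the fourth field is an assumption about how the note on combining exceptions is applied.

```python
# Added example: decode and audit Approved Installation Sites entries (Tables 1-4).
from urllib.parse import urlsplit

DEFAULTS = "2,1,0,0"  # defaults stated on the page
ACTIONS = {0: "block", 1: "prompt", 2: "silent"}  # Tables 1 and 2
HTTPS_FLAGS = {0x00000100: "unknown CA", 0x00001000: "invalid CN",  # Table 4
               0x00002000: "certificate date", 0x00000200: "improper certificate use"}
# Constructed sample entries with hypothetical host URLs, not from the page.
SAMPLE = {"https://controls.example.test/": "2,0,0,0",
          "http://legacy.example.test/": "2,2,1,0x00000100|0x00002000"}

def parse_flags(text):
    """Parse the HTTPS field: one number, or several joined with '|' (assumed)."""
    mask = 0
    for part in text.split("|"):
        mask |= int(part.strip(), 0)  # base 0 accepts 0x... and decimal
    if mask & ~sum(HTTPS_FLAGS):
        raise ValueError(f"undocumented HTTPS flag bits in {text!r}")
    return mask

def parse_entry(url, value):
    """Decode one host URL's value string; an empty string means the defaults."""
    fields = [f.strip() for f in (value.strip() or DEFAULTS).split(",")]
    if len(fields) != 4:
        raise ValueError("expected four comma-delimited values")
    trusted, signed, unsigned = (int(f) for f in fields[:3])
    mask = parse_flags(fields[3])
    if trusted not in ACTIONS or signed not in ACTIONS or unsigned not in (0, 1):
        raise ValueError("value outside the ranges in Tables 1-3")
    return {"url": url, "trusted": ACTIONS[trusted], "signed": ACTIONS[signed],
            "unsigned": "silent" if unsigned else "block",  # Table 3: 1 installs silently
            "https_ignored": [n for b, n in HTTPS_FLAGS.items() if mask & b]}

def audit(entry):
    """List the ways an entry is weaker than the high security settings (2,0,0,0)."""
    findings = []
    if urlsplit(entry["url"]).scheme.lower() != "https":
        findings.append("host URL is not HTTPS")
    if entry["signed"] != "block":
        findings.append(f"signed controls from untrusted publishers: {entry['signed']}")
    if entry["unsigned"] != "block":
        findings.append("unsigned controls install without notifying the user")
    findings += [f"HTTPS error ignored: {n}" for n in entry["https_ignored"]]
    return findings

if __name__ == "__main__":
    for url, value in SAMPLE.items():
        print(url, audit(parse_entry(url, value)) or "matches high security settings")
```

An entry with no findings corresponds to the high security settings; the default values 2,1,0,0 produce one finding because signed controls from publishers outside the Trusted Publishers store still prompt the user.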
