Plan COM object categorization for Office 2010

 

Applies to: Office 2010

Topic Last Modified: 2011-08-05


You can control the behavior of certain COM objects in Microsoft Office 2010 by using COM object categorization. COM objects can include ActiveX, Object Linking and Embedding (OLE), Excel RealTimeData (RTD) servers, and Office Web Components (OWC) data source providers. For example, you can create a security allow list so that only the specified COM objects are allowed to load, or you can choose to override the Internet Explorer kill bit.

In this article:

  • About COM object categorization

  • Configure Group Policy security settings for COM object categorization

  • Add COM object categorization in registry

About COM object categorization

Office 2010 first checks whether any of the Group Policy settings for COM object categorization are configured. If any of the settings are enabled to use COM object categorization, Office 2010 verifies that the specified COM objects are categorized correctly within the registry.

To enable COM object categorization within your organization, you first need to determine how best to configure the Group Policy security settings for the needs of your organization. Then, you need to add the category ID (CATID) for the targeted COM objects within the registry.

Configure Group Policy security settings for COM object categorization

There are four COM object categorization Group Policy settings:

  • Check OWC data source providers

  • Check Excel RTD servers

  • Check OLE objects

  • Check ActiveX objects

Check OWC data source providers and Check Excel RTD servers can be configured to be either enabled or disabled. Enabling these settings will force Office 2010 to only load the COM objects that are categorized correctly.

Check OLE objects and Check ActiveX objects have additional options when you select Enabled. These options are listed in the following table.

| Option | Description |
|---|---|
| Do not check | Office loads (OLE/ActiveX) objects without checking if they are categorized correctly before loading. |
| Override IE kill bit list (default behavior) | Office uses the category list to override Internet Explorer kill bit checks. |
| Strict allow list | Office loads only ActiveX objects that are categorized correctly. |

The Override IE kill bit list option lets you specifically list which OLE or ActiveX controls are allowed to load within Office 2010, as long as they are categorized correctly, even if they are on the Internet Explorer kill bit list. Use this option when a COM object is designated as unsafe to load in Internet Explorer but you know that it is safe to load in Microsoft Office. Office also checks whether the Office COM kill bit is enabled. For more information about the Office COM kill bit, see Plan security settings for ActiveX controls for Office 2010. If the Office COM kill bit is enabled and there is no alternate CLSID, also known as a “Phoenix bit,” the COM object will not load. For more information about kill bit behavior, see How to stop an ActiveX control from running in Internet Explorer (https://go.microsoft.com/fwlink/p/?LinkId=183124).

Use the Strict allow list option when you want to create a security allow list that allows only the specified controls to load and prevents all other OLE or ActiveX objects that are not on the list from loading.

If you enable any of the COM object categorization settings within Group Policy, the next step is to add the COM object categorization in the registry.

Add COM object categorization in registry

Each Group Policy setting has a corresponding COM object categorization setting within the registry. These settings are listed in the following table.

| Group Policy setting | Category ID (CATID) |
|---|---|
| Check OWC data source providers | {A67A20DD-16B0-4831-9A66-045408E51786} |
| Check Excel RTD servers | {8F3844F5-0AF6-45C6-99C9-04BF54F620DA} |
| Check OLE objects | {F3E0281E-C257-444E-87E7-F3DC29B62BBD} |
| Check ActiveX objects | {4FED769C-D8DB-44EA-99EA-65135757C156} |

Unless the Group Policy setting is configured as Disabled or as Enabled | Do not check, you need to add the correct CATID for the designated COM objects. In the registry, you add a key named Implemented Categories (if it does not already exist) under the CLSID of the COM object. Then, you add a subkey whose name is the CATID under the Implemented Categories key.

For example, if you create an allow list and allow only the OLE object, Microsoft Graph Chart, to be used in Office, you would first look up the CLSID for that COM object in the following location in the registry:

HKEY_CLASSES_ROOT\CLSID

The CLSID for the Microsoft Graph Chart is {00020803-0000-0000-C000-000000000046}. The next step is to verify that the Implemented Categories key already exists, or to create it if it does not. The path in this example will be:

HKEY_CLASSES_ROOT\CLSID\{00020803-0000-0000-C000-000000000046}\Implemented Categories

Finally, you would add a new subkey for the CATID that corresponds to the Check OLE objects Group Policy setting to the Implemented Categories key. The final path for this example will be:

HKEY_CLASSES_ROOT\CLSID\{00020803-0000-0000-C000-000000000046}\Implemented Categories\{F3E0281E-C257-444E-87E7-F3DC29B62BBD}
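
The registry steps above, scripted in PowerShell as an added example (not part of the original article and not Microsoft's tooling): the first function creates the Implemented Categories key and the CATID subkey for one CLSID, and the second lists every registered CLSID that carries a given CATID so that the resulting allow list can be reviewed. The function names are hypothetical; the CATIDs and the Microsoft Graph Chart CLSID are the ones given on this page.

```powershell
# Added example; run from an elevated prompt. CATIDs are copied from the table above.
$OfficeCatIds = @{
    'Check OWC data source providers' = '{A67A20DD-16B0-4831-9A66-045408E51786}'
    'Check Excel RTD servers'         = '{8F3844F5-0AF6-45C6-99C9-04BF54F620DA}'
    'Check OLE objects'               = '{F3E0281E-C257-444E-87E7-F3DC29B62BBD}'
    'Check ActiveX objects'           = '{4FED769C-D8DB-44EA-99EA-65135757C156}'
}
$ClsidRoot   = 'Registry::HKEY_CLASSES_ROOT\CLSID'
$GuidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

# Hypothetical helper: categorize one COM object for one Group Policy setting.
function Add-OfficeComCategory {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Clsid,
        [Parameter(Mandatory = $true)][string]$PolicySetting
    )
    if ($Clsid -notmatch $GuidPattern) { throw "Not a CLSID: $Clsid" }
    if (-not $OfficeCatIds.ContainsKey($PolicySetting)) { throw "Unknown setting: $PolicySetting" }
    $classKey = "$ClsidRoot\$Clsid"
    # Refuse to categorize a CLSID that is not registered on this machine.
    if (-not (Test-Path -LiteralPath $classKey)) { throw "CLSID $Clsid is not registered" }
    $implKey = "$classKey\Implemented Categories"
    $catKey  = "$implKey\$($OfficeCatIds[$PolicySetting])"
    # Create the parent key first, then the CATID subkey, only where missing.
    foreach ($key in $implKey, $catKey) {
        if (-not (Test-Path -LiteralPath $key) -and $PSCmdlet.ShouldProcess($key, 'Create registry key')) {
            New-Item -Path $key | Out-Null
        }
    }
}

# Hypothetical helper: list every CLSID that carries the CATID for a setting.
function Get-OfficeComCategorizedClsid {
    param([Parameter(Mandatory = $true)][string]$PolicySetting)
    if (-not $OfficeCatIds.ContainsKey($PolicySetting)) { throw "Unknown setting: $PolicySetting" }
    $catId = $OfficeCatIds[$PolicySetting]
    Get-ChildItem -LiteralPath $ClsidRoot -ErrorAction SilentlyContinue | ForEach-Object {
        if (Test-Path -LiteralPath "$($_.PSPath)\Implemented Categories\$catId") {
            [pscustomobject]@{ Clsid = $_.PSChildName; Name = $_.GetValue(''); PolicySetting = $PolicySetting }
        }
    }
}

# Microsoft Graph Chart from the example above; -WhatIf previews without writing.
Add-OfficeComCategory -Clsid '{00020803-0000-0000-C000-000000000046}' -PolicySetting 'Check OLE objects' -WhatIf
Get-OfficeComCategorizedClsid -PolicySetting 'Check OLE objects' | Format-Table -AutoSize
```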

Note

For the latest information about policy settings, refer to the Microsoft Excel 2010 workbook Office2010GroupPolicyAndOCTSettings_Reference.xls, which is available in the Files in this Download section on the Office 2010 Administrative Template files (ADM, ADMX, ADML) and Office Customization Tool (https://go.microsoft.com/fwlink/p/?LinkID=189316&clcid=0x409) download page.