Plan COM object categorization settings for Office 2013


Applies to: Office 365 ProPlus

Summary: Explains how to use COM object categorization to control the behavior of certain COM objects in Office 2013.

Audience: IT Professionals

COM objects include ActiveX controls, Object Linking and Embedding (OLE) objects, Excel RealTimeData (RTD) servers, and Office Web Components (OWC) data source providers. You can control the behavior of certain COM objects in Office 2013 by using COM object categorization. For example, you can create a security allow list so that Office loads only the COM objects you specify, or you can override the Internet Explorer kill bit for specific objects that you know are safe to load in Office.


This article is part of the Guide to Office 2013 security. Use the roadmap as a starting point for articles, downloads, posters, and videos that help you assess Office 2013 security.

Are you looking for security information about individual Office 2013 applications? You can find this information by searching for “2013 security” on Office.com.

In this article:

  • About COM object categorization

  • Configure Group Policy security settings for COM object categorization

  • Add COM object categorization in registry

About COM object categorization

Office 2013 first checks whether any of the Group Policy settings for COM object categorization are configured. If any of the settings are enabled to use COM object categorization, Office 2013 verifies that the specified COM objects are categorized correctly within the registry.

To enable COM object categorization within your organization, first determine which Group Policy security settings fit the needs of your organization. Then, add the category ID for the targeted COM objects within the registry.

Configure Group Policy security settings for COM object categorization

There are four COM object categorization Group Policy settings:

  • Check OWC data source providers

  • Check Excel RTD servers

  • Check OLE objects

  • Check ActiveX objects

You can configure Check OWC data source providers and Check Excel RTD servers to be either enabled or disabled. If you enable these settings, Office 2013 will load only the COM objects that are categorized correctly.

When you set Check OLE objects or Check ActiveX objects to Enabled, an additional drop-down appears with the options listed in the following table.

Options for Check OLE objects and Check ActiveX objects settings

  Option                                  Description
  Do not check                            Office loads OLE or ActiveX objects without checking whether they are categorized correctly.
  Override IE kill bit list (default)     Office uses the category list to override Internet Explorer kill bit checks.
  Strict allow list                       Office loads only the OLE or ActiveX objects that are categorized correctly.

The Override IE kill bit list option lets you specify which OLE or ActiveX controls are allowed to load in Office 2013 even if they are on the Internet Explorer kill bit list, as long as they are categorized correctly. Use this option when a COM object is designated as unsafe to load in Internet Explorer but you know it is safe to load in Office. Office also checks whether the Office COM kill bit is enabled; a categorized control does not override that kill bit. For more information about the Office COM kill bit and how it affects ActiveX control settings, see Plan security settings for ActiveX controls for Office 2013. If the Office COM kill bit is enabled and there is no alternate CLSID (also known as a "Phoenix bit"), the COM object won't load. For more information about kill bit behavior, see the How to stop an ActiveX control from running in Internet Explorer article.

Use the Strict allow list option when you want a security allow list: only the controls that carry the category load, and any OLE or ActiveX object that is not categorized is blocked.

If you enable any of the COM object categorization settings within Group Policy, the next step is to add the COM object categorization in the registry.

Add COM object categorization in registry

Each Group Policy setting has a corresponding COM object categorization setting within the registry. These settings are listed in the following table.

Group Policy settings and Category IDs

  Group Policy setting               Category ID (CATID)
  Check OWC data source providers    {A67A20DD-16B0-4831-9A66-045408E51786}
  Check Excel RTD servers            {8F3844F5-0AF6-45C6-99C9-04BF54F620DA}
  Check OLE objects                  {F3E0281E-C257-444E-87E7-F3DC29B62BBD}
  Check ActiveX objects              {4FED769C-D8DB-44EA-99EA-65135757C156}

To add the corresponding COM object category ID in the registry

  1. Add the correct CATID for each designated COM object, unless the corresponding Group Policy setting is Disabled or is Enabled with the Do not check option. In the registry, locate the CLSID key of the COM object and look for a subkey named Implemented Categories. If it doesn't exist, create it under the CLSID key. Then add a subkey named with the CATID under the Implemented Categories key.

    For example, if you create an allow list and allow only the OLE object to be used in Office, you should first look up the CLSID for that COM object in the following location in the registry:

    HKEY_CLASSES_ROOT\CLSID

    For example, the OLE object Microsoft Graph Chart has the CLSID {00020803-0000-0000-C000-000000000046}. After finding it, verify that the Implemented Categories key already exists or create it if it doesn't. The path in this example is:

    HKEY_CLASSES_ROOT\CLSID\{00020803-0000-0000-C000-000000000046}\Implemented Categories

  2. Finally, under the Implemented Categories key, add a new subkey named with the CATID that corresponds to the Check OLE objects Group Policy setting.

    The final path for this example is:

    HKEY_CLASSES_ROOT\CLSID\{00020803-0000-0000-C000-000000000046}\Implemented Categories\{F3E0281E-C257-444E-87E7-F3DC29B62BBD}
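The following PowerShell script is an added example that automates the two steps above; it is not part of the original article or an Office tool. The function name Add-OfficeComCategory, its parameters, and the hashtable of setting names are this example's own choices; the CATIDs and the Microsoft Graph Chart CLSID are the ones in the tables above. The script writes to HKLM\SOFTWARE\Classes rather than to HKEY_CLASSES_ROOT, because HKEY_CLASSES_ROOT is a merged view of HKLM\SOFTWARE\Classes and HKCU\Software\Classes and the machine-wide hive is the one you want an allow list to live in. Because 32-bit Office on 64-bit Windows reads the Wow6432Node view of the CLSID keys, the -Wow6432Node switch selects that path. The script also reports whether the Internet Explorer kill bit (bit 0x400 of the Compatibility Flags value under ActiveX Compatibility) is set for the CLSID, which tells you whether the Override IE kill bit list option is what actually matters for that object.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): categorize a COM object's CLSID for one of
# the four Office 2013 COM object categorization Group Policy settings.

# CATIDs from the article's table, keyed by Group Policy setting name.
$OfficeComCategories = @{
    'Check OWC data source providers' = '{A67A20DD-16B0-4831-9A66-045408E51786}'
    'Check Excel RTD servers'         = '{8F3844F5-0AF6-45C6-99C9-04BF54F620DA}'
    'Check OLE objects'               = '{F3E0281E-C257-444E-87E7-F3DC29B62BBD}'
    'Check ActiveX objects'           = '{4FED769C-D8DB-44EA-99EA-65135757C156}'
}

function Add-OfficeComCategory {
    # Function and parameter names are this example's own (hypothetical) choices.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')]
        [string]$Clsid,

        [Parameter(Mandatory)]
        [ValidateSet('Check OWC data source providers',
                     'Check Excel RTD servers',
                     'Check OLE objects',
                     'Check ActiveX objects')]
        [string]$Setting,

        # 32-bit Office on 64-bit Windows reads the Wow6432Node view of HKCR.
        [switch]$Wow6432Node
    )

    $catid = $OfficeComCategories[$Setting]
    $classesRoot = if ($Wow6432Node) { 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID' }
                   else              { 'HKLM:\SOFTWARE\Classes\CLSID' }
    $clsidKey = Join-Path $classesRoot $Clsid

    # Only categorize objects that are actually registered: a CATID under a
    # CLSID key that does not exist is never consulted and only adds noise.
    if (-not (Test-Path -LiteralPath $clsidKey)) {
        throw "CLSID $Clsid is not registered under $classesRoot."
    }

    $implCat = Join-Path $clsidKey 'Implemented Categories'
    $target  = Join-Path $implCat $catid

    if (Test-Path -LiteralPath $target) {
        Write-Verbose "$Clsid already carries $catid ($Setting)."
    }
    elseif ($PSCmdlet.ShouldProcess($target, 'Create category subkey')) {
        # -Force creates the intermediate 'Implemented Categories' key if missing.
        New-Item -Path $target -Force | Out-Null
    }

    # Report the Internet Explorer kill bit for this CLSID: bit 0x400 of
    # 'Compatibility Flags' under ActiveX Compatibility. If it is set, the
    # object loads in Office only under "Override IE kill bit list" or
    # "Strict allow list" (and never if the Office COM kill bit is also set).
    $compatKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $flags = (Get-ItemProperty -LiteralPath $compatKey -Name 'Compatibility Flags' `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'

    [pscustomobject]@{
        Clsid        = $Clsid
        Setting      = $Setting
        CatId        = $catid
        RegistryPath = $target
        IEKillBitSet = [bool]($flags -band 0x400)
    }
}

# Worked example from the article: allow Microsoft Graph Chart as an OLE object.
Add-OfficeComCategory -Clsid '{00020803-0000-0000-C000-000000000046}' `
                      -Setting 'Check OLE objects' -Verbose
```

Run it with -WhatIf first to see the exact key it would create. Remember that this step only prepares the registry; nothing changes in Office until the matching Group Policy setting is Enabled with either Override IE kill bit list or Strict allow list, and under Strict allow list every other OLE or ActiveX object that Office would load needs its own category entry or it will be blocked.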

Note

For more information, refer to the Office 2013 Administrative Template files (ADMX/ADML) and Office Customization Tool TechNet article.

See also

Guide to Office 2013 security
Overview of security in Office 2013
Group Policy and Office Customization Tool settings in Office 2013 for OpenDocument and Office Open XML formats
How to stop an ActiveX control from running in Internet Explorer
Office 2013 Administrative Template files (ADMX/ADML) and Office Customization Tool