Implementing and Administering the ActiveX Installer Service

You can use this document to learn how to implement and administer the ActiveX® Installer Service in Windows Vista®.

Why the ActiveX Installer Service?

Many organizations must install ActiveX controls on their desktops in order to ensure that a variety of programs that they must use on a daily basis will work properly. However, most ActiveX controls must be installed by a member of the Administrators group and many organizations have configured or want to configure their users to run as standard users, which are non-administrative users that are members of the Users group. As a result, organizations have to repackage and deploy the ActiveX controls to the users. In addition, many of these ActiveX controls must be regularly updated. Many organizations find this to be a difficult and costly process to manage for standard users.

With Windows Vista, you can now easily deploy and update ActiveX controls in a standard user environment. The ActiveX Installer Service enables you to use Group Policy to define approved host URLs that standard users can use to install ActiveX controls.

Note

The ActiveX Installer Service is an optional component on Windows Vista® Ultimate, Windows Vista® Business, and Windows Vista® Enterprise.

How the ActiveX Installer Service Works

When a standard user uses Internet Explorer® to browse to a site that requires the user to install an ActiveX control, the ActiveX Installer Service checks whether the URL requesting the ActiveX control installation is approved in Group Policy. This URL is called the host URL. If the host URL is approved, the service installs the ActiveX control for the standard user, and the user does not have to provide administrator credentials or administrative approval. If the host URL is not approved, the default Windows Vista ActiveX control setting is used and the user is required to provide administrator credentials or administrative approval.

Note

We designed the ActiveX Installer Service to allow standard users to install ActiveX controls without having to provide administrator credentials. The service does not affect how members of the Administrators group install ActiveX controls.

The service only installs ActiveX controls packaged for Microsoft Internet Component Download; this means that the ActiveX control must have a .cab, .dll, or .ocx extension in order to be installed using the ActiveX Installer Service.

Enabling the ActiveX Installer Service

You can enable the ActiveX Installer Service using the Control Panel or at the command prompt.

To enable the ActiveX Installer Service using Control Panel

  1. Click the Start button and then click Control Panel.

  2. In Control Panel Home, click Programs.

  3. Under Programs and Features, click Turn Windows features on or off.

  4. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  5. In the Windows Features dialog box, select ActiveX Installer Service, and then click OK.

    After you enable the ActiveX Installer Service, you must use the Group Policy Management Console (GPMC) to configure it.

To enable the ActiveX Installer Service using Command Prompt

  1. Click the Start button, type cmd into the Start Search box, right-click cmd.exe, and then click Run as administrator.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. In Command Prompt, type ocsetup.exe AxInstallService.

    After you enable the ActiveX Installer Service, you must use the GPMC to configure it.

Configuring the ActiveX Installer Service

After you enable the ActiveX Installer Service, you must use the GPMC to configure it. You must configure the ActiveX Installer Service settings by using an administrative template in Group Policy. The administrative template consists of a list of approved installation sites, which the ActiveX Installer Service uses to determine whether an ActiveX control can be installed.

To configure the ActiveX Installer Service using the Group Policy Management Console

  1. Click the Start button, point to All Programs, click Accessories, and then click Run.

  2. Type mmc, and then click OK.

  3. In the File menu, click Add/Remove Snap-in.

  4. In the Add/Remove Snap-ins dialog box, select Group Policy Management Console, and then click Add.

  5. In the Select Group Policy Object dialog box, accept the default setting of the local computer or click Browse to configure a remote computer, and then click Finish.

  6. In the Add/Remove Snap-ins dialog box, click OK.

  7. In the console tree, expand Local Computer Policy, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click ActiveX Installer Service.

  8. In the details pane, right-click Approved Installation Sites for ActiveX Controls, and then click Properties.

  9. In the Approved Installation Sites for ActiveX Controls Properties dialog box, select Enabled, and then click Show next to Host URLs.

  10. In the Show Contents dialog box, click Add.

  11. In the Add Item dialog box, type the name for the URL where you want to allow ActiveX controls to be installed.

  12. In the Add Item dialog box, type the values for the four ActiveX Installer Service host URL settings. Tables 1, 2, 3, and 4 show these settings.

When you add a URL, you can specify comma-delimited values that detail the settings for the ActiveX Installer Service. You can configure four values:

  • Installing ActiveX controls that have trusted signatures
  • Installing signed ActiveX controls
  • Installing unsigned ActiveX controls
  • HTTPS error exceptions

Installing ActiveX controls that have trusted signatures

This setting determines the behavior of the service when installing an ActiveX control that is signed by a certificate in the Machine or Enterprise Trusted Publishers store. Table 1 shows possible values for this setting.

Table 1   Values for installing ActiveX controls that have trusted signatures

Value  Description
0      Disallows users from installing ActiveX controls that have trusted signatures.
1      Prompts the user before installing ActiveX controls that have trusted signatures.
2      Installs ActiveX controls that have trusted signatures without notifying the user. This is the default value.

Installing signed ActiveX controls

This setting determines the behavior of the service when installing an ActiveX control that is signed by a certificate that is not in the Trusted Publisher Store for the computer or the enterprise.

Table 2   Values for installing signed ActiveX controls

Value  Description
0      Disallows installing signed ActiveX controls.
1      Prompts the user before installing signed ActiveX controls. This is the default value.
2      Installs signed ActiveX controls without notifying the user.

Installing unsigned ActiveX controls

This setting determines the behavior of the service when installing an unsigned ActiveX control. Table 3 shows possible values for this setting.

Table 3   Values for installing unsigned ActiveX controls

Value  Description
0      Disallows installing unsigned ActiveX controls. This is the default value.
1      Installs unsigned ActiveX controls without notifying the user.

HTTPS error exceptions

This value controls the connection checking that the service performs when downloading the ActiveX control. By default, the ActiveX Installer Service disallows installation of an ActiveX control if any errors are detected in the HTTPS connection.

Table 4   Values for HTTPS error exceptions

Value       Description
0           Specifies that the connection must pass all verification checks.
0x00000100  Specifies that the ActiveX Installer Service should ignore errors caused by unknown CAs.
0x00001000  Specifies that the ActiveX Installer Service should ignore errors caused by an invalid common name (CN). A CN is a naming attribute from which an object distinguished name (DN) is formed.
0x00002000  Specifies that the ActiveX Installer Service should ignore errors caused by a certificate's date.
0x00000200  Specifies that the ActiveX Installer Service should ignore errors caused by improper certificate use.

Note

You can use the OR (|) character to specify multiple error exceptions for the ActiveX Installer Service.

Sample configuration

You can use the sample configurations below to learn how you can configure the ActiveX Installer Service; however, these sample configurations are not recommendations.

Default settings

If you do not specify values, the ActiveX Installer Service enforces the default values. The default values are 2,1,0,0. With these settings in effect, the ActiveX Installer Service will:

  • Prevent unsigned ActiveX controls from being installed
  • Prompt the user to approve the installation of a signed ActiveX control
  • Automatically install ActiveX controls that are signed by a certificate in the Trusted Publishers Store without prompting the user.

High security settings

The most secure configuration of the ActiveX Installer Service is when an administrator configures the service to:

  • Use an HTTPS site as the host URL
  • Allow only ActiveX controls that are signed by a certificate in the Trusted Publishers Store to be installed

The values to configure this are 2,0,0,0.
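The following PowerShell script is an added example and is not part of this document or of the Windows component it describes. It decodes one host URL entry of the Approved Installation Sites policy, using the value format and meanings from Tables 1 through 4 (including the OR (|) syntax for combining HTTPS error exceptions), and reports which settings fall short of the high security baseline above. The function name Test-AxisHostUrlPolicy, the sample host names and values, and the requirement for PowerShell 3.0 or later are assumptions of the example.

```powershell
# Added example (not from the original document or from Microsoft): decode a
# host URL entry of the form "<trusted>,<signed>,<unsigned>,<httpsFlags>" as
# described in Tables 1-4 and flag settings weaker than the 2,0,0,0 baseline.
# Assumes PowerShell 3.0 or later.

# Meaning of each position (Tables 1-3); the array index is the configured value.
$TrustedSignatureMeaning = @('disallow', 'prompt', 'install silently')   # default 2
$SignedMeaning           = @('disallow', 'prompt', 'install silently')   # default 1
$UnsignedMeaning         = @('disallow', 'install silently')             # default 0

# HTTPS error exceptions (Table 4). A plain hashtable is used on purpose:
# an [ordered] dictionary would treat an integer index as a position, not a key.
$HttpsExceptionFlags = @{
    0x00000100 = 'unknown certification authority'
    0x00000200 = 'improper certificate use'
    0x00001000 = 'invalid common name (CN)'
    0x00002000 = 'certificate date'
}

function Test-AxisHostUrlPolicy {
    param(
        [Parameter(Mandatory)][string]$HostUrl,
        # An empty value means the service applies its defaults: 2,1,0,0.
        [string]$Value = ''
    )
    if ([string]::IsNullOrWhiteSpace($Value)) { $Value = '2,1,0,0' }
    $parts = @($Value.Split(',') | ForEach-Object { $_.Trim() })
    if ($parts.Count -ne 4) { throw "Expected four comma-delimited values, got '$Value'" }

    # [int] accepts decimal and 0x-prefixed hexadecimal, so '0x00000100' parses too.
    $trusted  = [int]$parts[0]
    $signed   = [int]$parts[1]
    $unsigned = [int]$parts[2]
    # The fourth field may combine several exceptions with the OR (|) character.
    $https = 0
    foreach ($term in $parts[3].Split('|')) { $https = $https -bor [int]$term.Trim() }

    if ($trusted -lt 0 -or $trusted -gt 2)   { throw "Trusted-signature value must be 0-2, got $trusted" }
    if ($signed -lt 0 -or $signed -gt 2)     { throw "Signed value must be 0-2, got $signed" }
    if ($unsigned -lt 0 -or $unsigned -gt 1) { throw "Unsigned value must be 0-1, got $unsigned" }
    $knownBits = 0
    foreach ($flag in $HttpsExceptionFlags.Keys) { $knownBits = $knownBits -bor $flag }
    if (($https -band (-bnot $knownBits)) -ne 0) { throw ('Unknown HTTPS exception bits in 0x{0:X8}' -f $https) }

    $findings = New-Object System.Collections.Generic.List[string]
    $uri = [Uri]$HostUrl
    if ($uri.Scheme -ne 'https') { $findings.Add('Host URL is not HTTPS; a redirecting proxy on an untrusted network would not be detected') }
    if ($unsigned -eq 1) { $findings.Add('Unsigned controls are installed without prompting') }
    if ($signed -eq 2)   { $findings.Add('Controls signed by publishers outside the Trusted Publishers store are installed without prompting') }
    foreach ($flag in ($HttpsExceptionFlags.Keys | Sort-Object)) {
        if ($https -band $flag) { $findings.Add("HTTPS errors ignored: $($HttpsExceptionFlags[$flag])") }
    }

    [pscustomobject]@{
        HostUrl          = $HostUrl
        TrustedSignature = $TrustedSignatureMeaning[$trusted]
        Signed           = $SignedMeaning[$signed]
        Unsigned         = $UnsignedMeaning[$unsigned]
        HttpsExceptions  = ('0x{0:X8}' -f $https)
        # The document's high security baseline: an HTTPS host URL with 2,0,0,0.
        HighSecurity     = ($uri.Scheme -eq 'https' -and $signed -eq 0 -and $unsigned -eq 0 -and $https -eq 0)
        Findings         = $findings.ToArray()
    }
}

# Constructed sample entries (placeholder host names, not real sites).
$sampleEntries = [ordered]@{
    'https://axhost.intranet.example' = '2,0,0,0'                      # baseline
    'http://legacy.intranet.example'  = '2,2,1,0x00000100|0x00002000'  # weak on every axis
    'https://portal.intranet.example' = ''                             # defaults 2,1,0,0
}
foreach ($entry in $sampleEntries.GetEnumerator()) {
    $result = Test-AxisHostUrlPolicy -HostUrl $entry.Key -Value $entry.Value
    '{0}: highSecurity={1}; findings={2}' -f $result.HostUrl, $result.HighSecurity, ($result.Findings -join '; ')
}
```

The third sample shows why the defaults are not the high security configuration: with no value specified the service prompts for signed controls rather than refusing them, so HighSecurity is false even though no finding is raised. To audit live entries instead of the constructed sample, feed the function the name/value pairs that the policy writes to the registry; the path is not given on this page, and the example assumes it is HKLM\SOFTWARE\Policies\Microsoft\Windows\AxInstaller\ApprovedActiveXInstallSites, which you should confirm against the administrative template on your own system.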

Auditing for the ActiveX Installer Service

The ActiveX Installer Service writes four audit events to the Application event log.

The following events are defined logically in the order they would result during the installation of an ActiveX control.

  • Event 4097 (Attempt to install ActiveX control not in Group Policy)
    This event occurs when the ActiveX Installer Service is asked to download a control from a host URL that is not within the list of allowed installation hosts. This event is very important because you can use the enumerated host information in the event to author your ActiveX Installer Service Group Policy.
  • Event 4098 (ActiveX control passed all Group Policy checks)
    This event occurs when the ActiveX Installer Service is first queried to install an ActiveX control from a host that is listed in the list of allowed installation hosts. The next step that ActiveX Installer Service will complete is to download the ActiveX control from the host.
  • Event 4099 (ActiveX control blocked by Group Policy)
    This event occurs when the ActiveX Installer Service attempts to download an ActiveX control that does not meet the required signing setting in Group Policy. If the ActiveX control is unsigned, and Group Policy requires that all ActiveX controls are signed, then this error would occur.
  • Event 4100 (Failed to download ActiveX control)
    This event occurs when the ActiveX Installer Service attempts to download an ActiveX control from a host that does not meet the criteria you have specified in Group Policy. If an HTTPS site has an expired or bad certificate, and this was required by Group Policy, then this error would occur.
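The following PowerShell script is an added example and is not part of this document or of the Windows component; it summarizes the four events above so that 4097 events can be used to author policy entries, as the text suggests, and 4099/4100 events can be reviewed. The function name Get-AxisEventSummary, the sample events (constructed, not captured from a real log), the assumption that a 4097 message embeds the requesting host URL, and the requirement for PowerShell 3.0 or later are assumptions of the example; the event IDs and their meanings come from the list above.

```powershell
# Added example (not from the original document or from Microsoft): triage the
# ActiveX Installer Service audit events 4097-4100 from the Application log.
# Assumes PowerShell 3.0 or later; input objects only need Id and Message properties.

$AxisEventMeaning = @{
    4097 = 'Attempt to install ActiveX control not in Group Policy'
    4098 = 'ActiveX control passed all Group Policy checks'
    4099 = 'ActiveX control blocked by Group Policy'
    4100 = 'Failed to download ActiveX control'
}

function Get-AxisEventSummary {
    param([Parameter(Mandatory)][object[]]$Events)

    $counts = @{}
    foreach ($id in $AxisEventMeaning.Keys) { $counts[$id] = 0 }
    # Host names seen in 4097 events: the "enumerated host information" the
    # document suggests using when authoring the approved-sites policy.
    $requestedHosts = @{}

    foreach ($e in $Events) {
        $id = [int]$e.Id
        if (-not $AxisEventMeaning.ContainsKey($id)) { continue }   # ignore unrelated events
        $counts[$id]++
        if ($id -eq 4097) {
            # Assumption: the 4097 message text contains the requesting host URL;
            # adjust the pattern if your events present it differently.
            foreach ($m in [regex]::Matches([string]$e.Message, 'https?://[^\s"''<>,]+')) {
                $hostName = ([Uri]$m.Value).Host
                $requestedHosts[$hostName] = [int]$requestedHosts[$hostName] + 1
            }
        }
    }

    [pscustomobject]@{
        Counts          = $counts
        RequestedHosts  = $requestedHosts
        # 4099 and 4100 mean the signing or certificate checks refused a control;
        # review them, since they also surface mis-signed or mis-hosted controls.
        BlockedOrFailed = $counts[4099] + $counts[4100]
    }
}

# Constructed sample events (not real log data) showing the expected input shape.
$sampleEvents = @(
    [pscustomobject]@{ Id = 4097; Message = 'Attempt to install ActiveX control from http://apps.intranet.example/widgets/viewer.cab, which is not in Group Policy.' }
    [pscustomobject]@{ Id = 4097; Message = 'Attempt to install ActiveX control from http://apps.intranet.example/widgets/viewer.cab, which is not in Group Policy.' }
    [pscustomobject]@{ Id = 4098; Message = 'ActiveX control from https://axhost.intranet.example passed all Group Policy checks.' }
    [pscustomobject]@{ Id = 4100; Message = 'Failed to download ActiveX control from https://axhost.intranet.example (certificate error).' }
    [pscustomobject]@{ Id = 1000; Message = 'Unrelated application event.' }
)

# Live use: replace the constructed sample with real events, for example
#   $events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 4097, 4098, 4099, 4100 }
$summary = Get-AxisEventSummary -Events $sampleEvents
foreach ($id in ($summary.Counts.Keys | Sort-Object)) {
    '{0} {1}: {2}' -f $id, $AxisEventMeaning[$id], $summary.Counts[$id]
}
'Hosts requesting controls outside policy (4097): ' + (($summary.RequestedHosts.Keys | Sort-Object) -join ', ')
'Blocked or failed installations (4099 + 4100): ' + $summary.BlockedOrFailed
```

On the sample input the summary reports two 4097 events for apps.intranet.example, one 4098, one 4100 and ignores the unrelated event. A host that appears repeatedly under 4097 is a candidate either for an approved-sites entry or, if it is not a host you recognize, for a closer look before any entry is added.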

Best Practices for Using the ActiveX Installer Service

We recommend that you use the following best practices when you implement the ActiveX Installer Service in your organization.

  • Only install ActiveX controls from reputable organizations
    We recommend that you only install ActiveX controls from publishers that you know and trust. The ActiveX Installer Service does not determine whether the host presenting the ActiveX control is connected to a secure network. Ensuring that you only install ActiveX controls from reputable publishers will help mitigate this threat.
  • Deploy commonly used ActiveX controls
    We recommend that you deploy ActiveX controls that are commonly used in your environment by using your organization's application deployment method. Many users today use laptops to connect to multiple networks, including wireless hot spots. A malicious proxy at an insecure network could attempt to trick the ActiveX Installer Service by redirecting it to a host with malicious software that represents itself as a commonly used ActiveX control. Ensuring that you deploy commonly used ActiveX controls for your users will help mitigate this threat.
  • Only use HTTPS host URLs
    We recommend that you set the value for HTTPS error exceptions to require the connection to pass all verification checks (0). If a remote user connects to an insecure wireless network and a proxy attempts to redirect the connection, this setting ensures that the ActiveX control installation fails because the certificate will be invalid.
  • Consolidate ActiveX controls to a central server
    We recommend that you consolidate the ActiveX controls you use in your organization to a central server. The location where a Web site hosts an ActiveX control is called a CODEBASE. Normally, the CODEBASE is specified in the Web page, and the installation process retrieves the ActiveX control from that location.
    In managed enterprises, you can use Group Policy to override the CODEBASE that is specified within the Web page to redirect to an internal server. Using this setting allows you to easily manage which ActiveX controls users can install by consolidating the ActiveX controls onto a central server; if the server is an HTTPS server, you also satisfy the previous best practice, only use HTTPS host URLs.
    You can configure a common Group Policy setting to redirect all ActiveX control installations to a central server in your organization. You can do this by using the CodeBaseSearchPath registry key. For more information on the CodeBaseSearchPath see Implementing Internet Component Download (https://go.microsoft.com/fwlink/?LinkId=90677).