ActiveX Installer Service in Windows 7 Best Practices
Updated: July 10, 2009
Applies To: Windows 7
We recommend that you use the following best practices when you implement the ActiveX Installer Service in your organization.
Only install ActiveX controls from reputable organizations
We recommend that you only install ActiveX controls from publishers that you trust. The ActiveX Installer Service does not determine whether the host presenting the ActiveX control is connected to a secure network. Ensuring that you only install ActiveX controls from reputable publishers will help mitigate this threat.
Deploy commonly used ActiveX controls
We recommend that you deploy ActiveX controls that are commonly used in your environment by using your organization's application deployment method. Many users today use portable computers to connect to multiple networks, including wireless networks. A malicious proxy at an insecure network could attempt to redirect the ActiveX Installer Service to a host with malicious software that represents itself as a commonly used ActiveX control. Ensuring that you deploy commonly used ActiveX controls for your users will help mitigate this threat.
Only use HTTPS host URLs
We recommend that you modify the value for HTTPS error exceptions only to require the connection to pass all verification checks (0). If a remote user connects to an insecure wireless network and the proxy attempts to redirect the connection, this setting ensures that the ActiveX control installation fails because the certificate will not be valid.
Consolidate ActiveX controls to a central server
We recommend that you consolidate the ActiveX controls you use in your organization to a central server. The location where a Web site hosts an ActiveX control is specified in a codebase attribute. Normally, the codebase attribute is specified in the Web page, and the installation process retrieves the ActiveX control from that location.
In managed enterprises, you can use Group Policy to override the codebase attribute that is specified within the Web page and redirect installation to an internal server. This setting lets you manage which ActiveX controls users can install by consolidating the controls onto a central server. If the server is an HTTPS server, you also satisfy the previous best practice, "Only use HTTPS host URLs."
You can configure a common Group Policy setting to redirect all ActiveX control installations to a central server in your organization. You can do this by using the CodeBaseSearchPath registry key. For more information on the CodeBaseSearchPath registry key, see Implementing Internet Component Download (http://go.microsoft.com/fwlink/?LinkId=90677).
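The following check is an added example, not code from Microsoft or from this page. It audits a CodeBaseSearchPath string against the two practices above (central server only, HTTPS only). It assumes the semicolon-separated format described in Implementing Internet Component Download, in which the CODEBASE keyword stands for the location named in the Web page; the function name, host names and sample values are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample values (not taken from any real deployment).
GOOD = "<https://axhost.corp.example/controls>"
WEAK = "CODEBASE; http://axhost.corp.example/controls; https://cdn.vendor.example/ax"


def audit_codebase_search_path(value, central_hosts):
    """Return a list of findings for one CodeBaseSearchPath string.

    value         -- the registry value as a string (export it with your own tooling)
    central_hosts -- host names of the organization's central servers (assumed input)
    """
    entries = [e.strip() for e in value.split(";") if e.strip()]
    if not entries:
        return ["search path is empty: no central server is configured"]
    allowed = {h.lower() for h in central_hosts}
    findings = []
    for entry in entries:
        # CODEBASE means "also try the codebase attribute from the Web page",
        # so its presence leaves the page-specified location in play.
        if entry.upper() == "CODEBASE":
            findings.append("CODEBASE keyword present: page-specified location is still used")
            continue
        # Assumption: tolerate URLs written with or without angle brackets.
        url = entry.strip("<>").strip()
        parts = urlsplit(url)
        if parts.scheme.lower() != "https":
            findings.append(f"{url}: not an HTTPS URL")
        if (parts.hostname or "").lower() not in allowed:
            findings.append(f"{url}: host is not a central server")
    return findings


if __name__ == "__main__":
    for label, value in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(label)
        for finding in audit_codebase_search_path(value, {"axhost.corp.example"}) or ["ok"]:
            print("  " + finding)
```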