Best IE settings to restrict ActiveX?

Discussion in 'other security issues & news' started by chip718, Mar 17, 2005.

Thread Status:
Not open for further replies.
  1. chip718

    chip718 Registered Member

    Joined:
    Jan 13, 2004
    Posts:
    60
    Hello. Can someone please recommend to me the best IE setting to restrict illicit ActiveX software and plugins from being installed on my machine? I had some issues in the past, so a friend just used IE Customized settings and set all my ActiveX settings to Disable. Now I can't even update Windows and every time I go to AOL Search I get ActiveX warnings.

    If anyone could help me out I would appreciate it. Thanks.
     
  2. gud4u

    gud4u Registered Member

    Joined:
    Nov 9, 2004
    Posts:
    206
  3. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    There are 3 things with IE that can bite you in the behind....and you are experiencing one of them....ActiveX. The other 2 you need to be concerned about are Active script and Java applets....neither of which needs to be enabled unless you trust the site you are going to. Unfortunately, given today's Internet....who the heck can we trust....which is where you are concerning your dilemma.

    Having said all that....I'll suggest a few things:
    1) Use IE only for Windows Update until you have achieved a thorough knowledge of IE necessary to surf securely....and consider an alternative browser that's not being exploited regarding ActiveX.

    or

    2) Follow some of the suggestions presented in the links below concerning tightening down the Internet Zone of IE and how to place sites such as AOL and Microsoft into your Trusted Zone of IE.

    These links:

    Internet Explorer Privacy & Security Settings

    Securing the Internet Zone

    http://www.spywarewarrior.com/uiuc/btw/ie/ie-opts.htm#trusted

    Brought to you by someone who has used IE only for years without fear of being exploited....but has come to the realization that many users definitely need to use another browser....or pull the plug.

    Regards,
    Bubba
     
  4. chip718

    chip718 Registered Member

    Joined:
    Jan 13, 2004
    Posts:
    60
    Thanks. I will give it a try.

    I noticed that some pages' links don't show up with the Scripting options disabled.
     
    Last edited: Mar 17, 2005
  5. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    355
    Location:
    Dallas, TX
    In general, I would recommend something similar to the following:
    Code:
    .NET Framework-reliant components
      Run components not signed with Authenticode                    Disable
      Run components signed with Authenticode                        Enable
    ActiveX controls and plug-ins
      Automatic prompting for ActiveX controls                       Enable (*)
      Binary and script behaviors                                    Enable
      Download signed ActiveX controls                               Prompt
      Download unsigned ActiveX controls                             Disable
      Initialize and script ActiveX controls not marked as safe      Disable
      Run ActiveX controls and plug-ins                              Enable
      Script ActiveX controls marked as safe for scripting           Enable
    Downloads
      Automatic prompting for file downloads                         Enable (*)
      File download                                                  Enable
      Font download                                                  Enable
    Java VM
      Java permissions                                               High safety
    Miscellaneous
      Access data sources across domains                             Disable
      Allow META REFRESH                                             Enable
      Allow scripting of Internet Explorer Webbrowser control        Disable
      Allow script-initiated windows without size or position co...  Disable
      Allow web pages to use restricted protocols for active con...  Prompt
      Display mixed content                                          Prompt
      Don't prompt for client certificate selection when no cert...  Disable
      Drag and drop or copy and paste files                          Disable
      Installation of desktop items                                  Disable
      Launching programs and files in an IFRAME                      Disable
      Navigate sub-frames across different domains                   Disable
      Open files based on content, not file extension                Enable
      Software channel permissions                                   Medium safety
      Submit nonencrypted form data                                  Enable
      Use Pop-up Blocker                                             Enable
      Userdata persistence                                           Enable
      Web sites in less privileged web content zone can navigate...  Enable
    Scripting
      Active scripting                                               Enable
      Allow paste operations via script                              Prompt
      Scripting of Java applets                                      Enable
    User Authentication
      Logon                                                          Automatic logon only in...
    Actually, you can play with these all day depending upon just what exactly it is you are trying to achieve and just where your own personal comfort level is with the technology. But the above is probably a pretty good stab at a general config for most people. The two entries marked with the asterisk (*) can be set to "Disable" if you like getting the little yellow alert bar across the top of your browser window as a warm-and-fuzzy; otherwise it basically is just a repetitive alert... you will still be prompted prior to a signed ActiveX control download, or with an "Open, Save, Cancel" dialog in the case of a file download.

    The key thing is to not allow any ActiveX controls to execute that aren't signed by a vendor you trust. If you don't trust the control or the publisher then simply say no to the download request prompt, and the control won't download and can't execute. However, if you allow it once, then as configured above, it will already be downloaded and will execute in the future without any other prompting. If you are the sole user of your machine, then this is a workable solution and allows you to go to Windows update, to Macromedia for the ActiveX version of Shockwave/Flash, or to an online virus scanning utility (for example), and not be constantly harassed with prompts and warnings.

    If, however, you want even more restrictions on ActiveX, or if you are on a shared machine where you cannot guarantee that others using it will know whether to permit or deny any given ActiveX control, then you can configure IE slightly differently. In that case, take the above config for the "Internet Zone" and Disable everything in the "ActiveX controls and plug-ins" section. Then, set up your "Trusted Zone" with settings similar to above. Then, add "*.microsoft.com" (or, even, if you are more particular, just "*.windowsupdate.microsoft.com") to your Trusted zone. That way only the Microsoft site (or Microsoft Windows Update site) will be allowed to download and execute ActiveX controls. All other sites will be in the default Internet Zone, for which you will have disabled the ActiveX control download ability and turned off ActiveX execution.
     
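    As an added example (not code from the thread or from any poster), here is a small Python audit that compares an exported Internet-zone registry key against the "ActiveX controls and plug-ins" section of Alec's list. IE stores each setting under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<zone>` as a DWORD named by its hex URLACTION id, with 0 = Enable, 1 = Prompt, 3 = Disable; the .reg text below is a constructed sample of a machine where everything was set to Disable, as in the opening post, not a real export.

```python
import re

# IE URLACTION ids for the ActiveX settings in Alec's list and the recommended
# Internet-zone (zone 3) value for each. 0 = Enable, 1 = Prompt, 3 = Disable.
RECOMMENDED_INTERNET_ZONE = {
    "1001": 1,  # Download signed ActiveX controls                 -> Prompt
    "1004": 3,  # Download unsigned ActiveX controls               -> Disable
    "1200": 0,  # Run ActiveX controls and plug-ins                -> Enable
    "1201": 3,  # Initialize and script controls not marked safe   -> Disable
    "1405": 0,  # Script ActiveX controls marked safe for scripting -> Enable
}
ACTION = {0: "Enable", 1: "Prompt", 3: "Disable"}

# Constructed sample (not a real export): a zone-3 key after a "set everything
# to Disable" session, which is what breaks Windows Update in the opening post.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000003
"1004"=dword:00000003
"1200"=dword:00000003
"1201"=dword:00000003
"1405"=dword:00000003
"""


def parse_reg_dwords(text):
    """Return {key_path: {value_name: int}} for every dword in a .reg export."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = re.match(r"^\[(.+)\]$", line)
        if key:
            current = result.setdefault(key.group(1), {})
            continue
        val = re.match(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
        if val and current is not None:
            current[val.group(1)] = int(val.group(2), 16)
    return result


def audit_zone(reg_text, zone=3, policy=RECOMMENDED_INTERNET_ZONE):
    """List (action_id, found, expected) for settings that deviate from policy."""
    keys = parse_reg_dwords(reg_text)
    path = next((k for k in keys if k.endswith(f"\\Zones\\{zone}")), None)
    values = keys.get(path, {}) if path else {}
    deviations = []
    for action_id, expected in policy.items():
        found = values.get(action_id)  # None = value absent, IE uses its default
        if found != expected:
            deviations.append((action_id, ACTION.get(found, found), ACTION[expected]))
    return deviations
```

    A real `reg export` file is UTF-16 with a BOM, so read it with `open(path, encoding="utf-16")` before passing it to `audit_zone`.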
  6. chip718

    chip718 Registered Member

    Joined:
    Jan 13, 2004
    Posts:
    60
    Thanks. I will give it a shot.
     
  7. sultan_emerr

    sultan_emerr Registered Member

    Joined:
    Mar 12, 2005
    Posts:
    18
    Location:
    Tokyo, Japan
  8. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
  9. JRosenfeld

    JRosenfeld Registered Member

    Joined:
    Jul 26, 2004
    Posts:
    117
    Whilst I agree with Alec's settings, I have found one strange quirk within XP SP2: If in Device Manager you right click, click Properties of some device, click Troubleshoot: this opens the troubleshooter for that device in Help and Support, which apparently uses ActiveX controls which are not marked as safe (even though they are part of XP!). If you have 'Initialize and script ActiveX controls not marked as safe' set to Disable in the IE Internet zone, you get a message that the ActiveX was blocked when running the troubleshooter and it won't work properly. Therefore I have set that to Prompt instead of Disable; you then get a warning prompt where you can click OK if you are sure of the circumstances.

    PS I did first try changing the corresponding setting only for the 'My computer' zone alone (zone 0), but it has to be the internet zone, even though the troubleshooters don't actually connect to the internet.
     
  10. chip718

    chip718 Registered Member

    Joined:
    Jan 13, 2004
    Posts:
    60
    Thanks for the replies.

    Do you all also customize the "Trusted Sites" and "Restricted Sites" in the IE Security or do you leave them on the default?
     
  11. MICRO

    MICRO Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    1,020
    chip,
    Go into
    Tools-ie options-Security- and click on Restricted sites then Custom level and set the reset custom settings to HIGH - click reset and OK-do the same with
    Trusted sites-Local Intranet and Internet.

    Then when you visit certain sites you will get a rectangular dialog saying,

    Your current security settings prohibit running Active-X controls on this page.
    As a result page may not display correctly.

    Most sites you just click on the dialog OK button and get on with it as though you didn't even see it.

    However if you are intending to D\L from anywhere then B'4 you go you would need to go into Tools-Internet Opts.- Security-Internet -Custom Level and reset the level to MEDIUM then after D\L return and set to HIGH - press reset and OK.
    This is a bit of a fiddle but I do it 10 times a day because it's worth it.

    Regards.
     
  12. chip718

    chip718 Registered Member

    Joined:
    Jan 13, 2004
    Posts:
    60
    Thanks again
     