Blocking and allowing ActiveX

Discussion in 'other security issues & news' started by meneer, Sep 24, 2003.

Thread Status:
Not open for further replies.
  1. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    In my company the policy is to disallow ActiveX on the internet segment in Internet Explorer. However, we find that lots of the sites that users go to need ActiveX enabled. So, these sites are entered in the Trusted Zone in IE.
    Since we do not use Windows 2K on our servers and don't have ADS, it seems we can't use the Group Policy mechanism to add sites to the trusted zone; our helpdesk has to manually add a site to the trusted zone on a workstation. We have some 2500 PCs... so, there you have our problem.

    What's your policy on ActiveX and how do you solve, or advise us to solve, the trusted site issue?
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    Are you saying that people from the help desk go from PC to PC, use the Internet Options, and enter each site manually - or have you packaged the approved trusted site list in some kind of script or program to speed up distribution, even if it still takes a person manually signing on to every PC to execute the script?

    If you have no software distribution tools at all with 2500 PCs, you certainly have your hands full. How do you distribute software updates?

    At the very least I'd create a .reg file with the approved list of trusted sites, locate it on a central server everyone has read access to, and have the PCs pull that file down daily to get whatever updates have been made to it.
     
  3. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    Our helpdesk uses remote control software, but yes, they have to edit the setting manually :'(

    Regular software updates take place using SMS or other release management tools; however, these ActiveX trusts are so frequent, they would overload our change management processes.
    I would love to just boycott ActiveX sites, but even security-aware companies use it on their sites (at least we are removing all ActiveX components from ours, there you have a small victory :) )
     
  4. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    Well, at the very least, placing the trusted sites into a reg file would make it easier to update on all systems with no chance of errors by typo, etc.

    See IE-SpyAd as an example of the method I'm talking about. The only difference is you'd set the flags for trusted, not restricted sites.
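
The .reg approach described in the post above, as an added example that is not part of the original thread: a Python generator that turns a reviewed list of domains into a .reg file under IE's `ZoneMap\Domains` key with zone value 2 (Trusted sites), and refuses to build if any line is not a plain domain name. The list format, function names and sample domains are assumptions made for the example.

```python
import re

# ZoneMap zone numbers in Internet Explorer: 2 = Trusted sites, 4 = Restricted sites.
TRUSTED_ZONE = 2
ZONEMAP = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
           r"\Internet Settings\ZoneMap\Domains")
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
PROTOCOLS = {"http", "https", "*"}

def parse_entry(line):
    """Parse one list line '<domain> [protocol]' (format assumed for this example).

    Returns (domain, protocol), or None for blank/comment lines.
    Raises ValueError on anything that is not a plain domain name."""
    text = line.split("#", 1)[0].strip().lower()
    if not text:
        return None
    domain, *rest = text.split()
    proto = rest[0] if rest else "https"      # default to the narrowest trust
    labels = domain.split(".")
    if len(rest) > 1 or proto not in PROTOCOLS:
        raise ValueError(f"bad protocol field: {line!r}")
    if len(labels) < 2 or not all(LABEL.match(l) for l in labels):
        raise ValueError(f"not a plain domain name: {line!r}")
    if labels[-1].isdigit():                  # IP addresses are not handled here
        raise ValueError(f"IP address, not a domain: {line!r}")
    return domain, proto

def build_reg(lines):
    """Return .reg text mapping every approved domain to the Trusted sites zone."""
    zones = {}
    for line in lines:
        entry = parse_entry(line)             # one bad line aborts the whole build
        if entry:
            zones.setdefault(entry[0], set()).add(entry[1])
    out = ["REGEDIT4", ""]
    for domain in sorted(zones):
        out.append(f"[{ZONEMAP}\\{domain}]")
        out += [f'"{p}"=dword:{TRUSTED_ZONE:08x}' for p in sorted(zones[domain])]
        out.append("")
    return "\r\n".join(out)

# Constructed sample list; the domains are placeholders.
SAMPLE_LIST = """\
# approved ActiveX sites
example.com
partner.example.net http
Example.com            # duplicate, different case
"""

if __name__ == "__main__":
    print(build_reg(SAMPLE_LIST.splitlines()))
```

Rejecting URLs, wildcards and malformed names at build time keeps a typo in the central list from silently widening the Trusted sites zone on every workstation that pulls the file.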
     
  5. AplusWebMaster

    AplusWebMaster Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    239
    Location:
    Philadelphia, PA, USA
    o_O Isn't it possible to do a "scripted rollout" during logon to the network?

    I am, by no means, an "expert" on it, but shouldn't that be the solution? 'Would like to hear from an experienced techie on that...
    "Your assignment, should you decide to accept it," is to: Do a "scripted rollout" blocking -ActiveX- use in IE, with the exception of certain "Trusted sites" in the Internet Zone? (meneer, yes? no?)
     
  6. msingle

    msingle Registered Member

    Joined:
    Jan 25, 2003
    Posts:
    82
    Is this something that could be handled by the IE Administration Kit?
     
  7. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    We tried using the administration kit, but due to technical circumstances, this installation failed, so our technicians had to resort to a different solution.

    I'm glad to report that there are other problems with our IE6 settings as well, so perhaps we will manage to create a more efficient setup (using the central configuration file).

    Still trying to get Mozilla in our organization, but since we are a 'Microsoft shop' little chance :doubt: (my own security management archive/intranet site is running on an 'illegal' linux box :mad: )
     
  8. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    Yes, but there are even better options... central config, group policies (once you're running ADS). One day it will happen... :)
     