You can use this document to learn how to implement and administer the ActiveX® Installer Service in Windows Vista®.
Why the ActiveX Installer Service?
Many organizations must install ActiveX controls on their desktops in order to ensure that a variety of programs that they must use on a daily basis will work properly. However, most ActiveX controls must be installed by a member of the Administrators group and many organizations have configured or want to configure their users to run as standard users, which are non-administrative users that are members of the Users group. As a result, organizations have to repackage and deploy the ActiveX controls to the users. In addition, many of these ActiveX controls must be regularly updated. Many organizations find this to be a difficult and costly process to manage for standard users.
With Windows Vista, you can now easily deploy and update ActiveX controls in a standard user environment. The ActiveX Installer Service enables you to use Group Policy to define approved host URLs that standard users can use to install ActiveX controls.
The ActiveX Installer Service is an optional component on Windows Vista® Ultimate,
Windows Vista® Business, Windows Vista® Enterprise.
How the ActiveX Installer Service Works
When a standard user uses Internet Explorer® to browse to a site that requires the user to install an ActiveX control, the ActiveX Installer Service checks whether the URL requesting the ActiveX control installation is approved in Group Policy. This URL is called the host URL. If the host URL is approved, the service installs the ActiveX control for the standard user, and the user does not have to provide administrator credentials or administrative approval. If the host URL is not approved, the default Windows Vista ActiveX control setting is used and the user is
required to provide administrator credentials or administrative approval.
We designed the ActiveX Installer Service to allow standard users to install ActiveX controls without having to provide administrator credentials. The service does not affect how members of the Administrators group install ActiveX controls.
The service only installs Microsoft Internet Component Download packaged ActiveX controls; this means that the ActiveX control must be have a .cab, .dll, or .ocx extension in order to be installed using the ActiveX Installer Service.
Enabling the ActiveX Installer Service
You can enable the ActiveX Installer Service using the Control Panel or at the command prompt.
To enable the ActiveX Installer Service using Control Panel
1. Click the Start button and then click Control Panel.
2. In Control Panel Home, click Programs.
3. Under Programs and Features, click Turn Windows features on or off.
4. If the User Account Control dialog box appears, confirm that the action it displays is
what you want, and then click Continue.
5. In the Windows Features dialog box, select ActiveX Installer Service, and then click
6. After you enable the ActiveX Installer Service, you must use the Group Policy Management Console (GPMC) to configure it.
To enable the ActiveX Installer Service using Command Prompt
1. Click the Start button, type cmd into the Start Search box, right-click cmd.exe, and then click Run as administrator.
2. If the User Account Control dialog box appears, confirm that the action it displays is
what you want, and then click Continue.
3. In Command Prompt, type ocsetup.exe AxInstallService. After you enable the ActiveX Installer Service, you must use the GPMC to configure it.
Configuring the ActiveX Installer Service After you enable the ActiveX Installer Service, you must use the GPMC to configure it. You
must configure the ActiveX Installer Service settings by using an administrative template in Group Policy. The administrative template consists of a list of approved installation sites, which the ActiveX Installer Service uses to determine whether an
ActiveX control can be installed.
To configure the ActiveX Installer Service using the Group Policy Management Console
1. Click the Start button, point to All Programs, click Accessories, and then click Run.
2. Type mmc, and then click OK.
3. In the File menu, click Add/Remove Snap-in.
4. In the Add/Remove Snap-ins dialog box, select Group Policy Management Console,
and then click Add.
5. In the Select Group Policy Object dialog box, accept the default setting of the local
computer or click Browse to configure a remote computer, and then click Finish.
6. In the Add/Remove Snap-ins dialog box, click OK.
7. In the console tree, expand Local Computer Policy, expand Computer Configuration,
expand Administrative Templates, expand Windows Components, and then click
ActiveX Installer Service.
8. In the details pane, right-click Approved Installation Sites for ActiveX Controls, and
then click Properties.
9. In the Approved Installation Sites for ActiveX Controls Properties dialog box, select
Enabled, and then click Show next to Host URLs.
10. In the Show Contents dialog box, click Add.
11. In the Add Item dialog box, type the name for the URL where you want to allow
ActiveX controls to be installed.
12. In the Add Item dialog box, type the values for the four ActiveX Installer Service host URLs settings. Tables 1, 2, 3, and 4 show these settings. When you add a URL, you can specify comma-delimited values that detail the settings for the
ActiveX Installer Service. You can configure four values:
• Installing ActiveX controls that have trusted signatures
• Installing signed ActiveX controls
• Installing unsigned ActiveX controls
• HTTPS error exceptions
Installing ActiveX controls that have trusted signatures
This setting describes the behavior of the service when installation an ActiveX control that is signed by a certificate in the Machine or Enterprise Trusted Publishers store. Table 1 shows possible values for this setting.
Table 1 Values for installing ActiveX controls that have trusted signatures
0 Disallows users from installing ActiveX controls that have trusted signatures.
1 Prompts the user before installing ActiveX controls that have trusted signatures.
2 Installs ActiveX controls that have trusted signatures without notifying the user. This is the default value. Installing signed ActiveX controls
This setting determines the behavior of the service when installing an ActiveX control that is signed by a certificate that is not in the Trusted Publisher Store for the computer or the enterprise.
Table 2 Values for installing signed ActiveX controls
0 Disallows installing signed ActiveX controls.
1 Prompts the user before installing signed ActiveX controls. This is the default value.
2 Installs signed ActiveX controls without notifying the user.
Installing unsigned ActiveX controls
This setting determines the behavior of the service when installing an unsigned ActiveX control.
0 Disallows installing unsigned ActiveX controls. This is the default value.
1 Installs unsigned ActiveX controls without notifying the user.
HTTPS error exceptions This value controls the connection checking for the service when downloading the ActiveX control. By default, the ActiveX Installer Service would disallow the install of an ActiveX control if there were any errors detected in an HTTPS connection.
0 – Specifies that the connection must pass all verification checks.
0x00000100 – Specifies that the ActiveX Installer Service should ignore errors caused by unknown CAs.
0x00001000 – Specifies that the ActiveX Installer Service should ignore errors caused by an invalid common name (CN). A CN is a naming attribute from which an object distinguished name (DN) is formed.
0x00002000 – Specifies that the ActiveX Installer Service should ignore errors caused by a certificate’s date.
0x00000200 – Specifies that the ActiveX Installer Service should ignore errors caused by improper certificate use.
You can use the OR (|) character to specify multiple error exceptions for the ActiveX Installer Service.
You can use the sample configurations below to learn how you can configure the ActiveX Installer Service; however, these sample configurations are not recommendations.
If you do not specify values, the ActiveX Installer Service enforces the default values. The default values are 2,1,0,0. With these settings in effect, the ActiveX Installer Service will:
• Prevent unsigned ActiveX controls from being installed
• Prompt the user to approve the installation of a signed ActiveX control
• Automatically install ActiveX controls that are signed by a certificate in the Trusted Publishers Store without prompting the user.
High security settings
The most secure configuration of the ActiveX Installer Service is when an administrator
configures the service to:
• Use an HTTPS site as the host URL
• Allows only ActiveX controls that are signed by a certificate in the Trusted Publishers Store to be installed The values to configure this are 2,0,0,0.
Auditing for the ActiveX Installer Service
The ActiveX Installer Service creates four audit events in the Applications audit event log. The following events are defined logically in the order they would result during the installation of an ActiveX control.
• Event 4097 (Attempt to install ActiveX control not in Group Policy)
This event occurs when the ActiveX Installer Service is asked to download a control from a host URL that is not within the list of allowed installation hosts. This event is very important because you can use the enumerated host information in the event to author your ActiveX Installer Service Group Policy.
• Event 4098 (ActiveX control passed all Group Policy checks)
This event occurs when the ActiveX Installer Service is first queried to install an ActiveX
control from a host that is listed in the list of allowed installation hosts. The next step that ActiveX Installer Service will complete is to download the ActiveX control from the host.
• Event 4099 (ActiveX control blocked by Group Policy)
This event occurs when the ActiveX Installer Service attempts to download an ActiveX control that does not meet the required signing setting in Group Policy. If the ActiveX control is unsigned, and Group Policy requires that all ActiveX controls are signed, then this error would occur.
• Event 4100 (Failed to download ActiveX control)
This event occurs when the ActiveX Installer Service attempts to download an ActiveX control from a host that does not meet the criteria you have specified in Group Policy. If an HTTPS site has an expired or bad certificate, and this was required by Group Policy, then this error would occur.
Best Practices for Using the ActiveX Installer Service
We recommend that you use the following best practices when you implement the
ActiveX Installer Service in your organization.
• Only install ActiveX controls from reputable organizations
We recommend that you only install ActiveX controls from publishers that you know and trust. The ActiveX Installer Service does not determine whether the host presenting the ActiveX control is connected to a secure network. Ensuring that you only install ActiveX controls from reputable publishers will help mitigate this threat.
• Deploy commonly used ActiveX controls
We recommend that you deploy ActiveX controls that are commonly used in your
environment by using your organization’s application deployment method. Many users
today use laptops to connect to multiple networks, including wireless hot spots. A
malicious proxy at an insecure network could attempt to trick the ActiveX Installation
Service by redirecting it to a host with malicious software that represents itself as a
commonly used ActiveX control. Ensuring that you deploy commonly used ActiveX
controls for your users will help mitigate this threat.
• Only use HTTPS host URLs
We recommend that you only modify the value for HTTPS error exceptions to require the connection to pass all verification checks (0). If a remote users connects to an insecure wireless network, and the proxy attempts to redirect the connection, this setting will ensure that the ActiveX control installation will fail since the certificate will be invalid.
• Consolidate ActiveX controls to a central server
We recommend that you consolidate the ActiveX controls you use in your organization to a central server. The location where a Web site hosts an ActiveX control is called a
CODEBASE. Normally, the CODEBASE is specified in the Web page, and the
installation process retrieves the ActiveX control from that location.
In managed enterprises, you can use Group Policy to override the CODEBASE that is
specified within the Web page to redirect to an internal server. Using this setting allows you to easily manage which ActiveX controls users can install by consolidating the ActiveX controls onto a central server; if the server is an HTTPS server, you also satisfy the previous best practice, only use HTTPS host URLs.
You can configure a common Group Policy setting to redirect all ActiveX control
installations to a central server in your organization. You can do this by using the
CodeBaseSearchPath registry key. For more information on the CodeBaseSearchPath see
Implementing Internet Component Download