Configure the "Internet Explorer Processes (Restrict ActiveX Install)" setting.

Back

CONTROL ID
04352

CONTROL TYPE
Configuration

CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):

Configure Internet Browser security options according to organizational standards., CC ID: 02166

There are no implementation support Controls.

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

ActiveX content should be prevented from automatically installing on a computer when a website is visited. (§ 3.5.43, Australian Government ICT Security Manual (ACSI 33))
Is the system configured to filter hostile active x? (Table Row VI.1, OECD / World Bank Technology Risk Checklist, Version 7.3)
This setting prevents ActiveX control installation prompts. By preventing this prompt, users will not be able to download ActiveX controls that are not permitted by the security policy. The Internet Explorer Processes (Restrict ActiveX Install) setting should be Enabled. (Pg 87, Microsoft Windows Vista Security Guide Appendix A: Security Group Policy Settings)
Title: Set 'Restrict ActiveX Install' to 'Enabled' Description: This policy setting provides the ability to block ActiveX control installation prompts for Internet Explorer processes. The recommended state for this setting is: Enabled. Rationale: Users often choose to install software such as … (Rule:xccdf_org.cisecurity.benchmarks_rule_7.1_Set_Restrict_ActiveX_Install_to_Enabled Artifact Expression:xccdf_org.cisecurity.benchmarks_ae_7.1.1_, The Center for Internet Security Microsoft Internet Explorer 10 Level 1 Benchmark, 1.0.0)
Title: Set 'Restrict ActiveX Install' to 'Enabled' Description: This policy setting provides the ability to block ActiveX control installation prompts for Internet Explorer processes. The recommended state for this setting is: Enabled. Rationale: Users often choose to install software such as … (Rule:xccdf_org.cisecurity.benchmarks_rule_7.1_Set_Restrict_ActiveX_Install_to_Enabled Artifact Expression:xccdf_org.cisecurity.benchmarks_ae_7.1.2_, The Center for Internet Security Microsoft Internet Explorer 10 Level 1 Benchmark, 1.0.0)
Title: Set 'Restrict ActiveX Install' to 'Enabled' Description: This policy setting provides the ability to block ActiveX control installation prompts for Internet Explorer processes. The recommended state for this setting is: Enabled. Rationale: Users often choose to install software such as … (Rule:xccdf_org.cisecurity.benchmarks_rule_7.1_Set_Restrict_ActiveX_Install_to_Enabled Artifact Expression:xccdf_org.cisecurity.benchmarks_ae_7.1.3_, The Center for Internet Security Microsoft Internet Explorer 10 Level 1 Benchmark, 1.0.0)
Title: Set 'Restrict ActiveX Install' to 'Enabled' Description: This policy setting provides the ability to block ActiveX control installation prompts for Internet Explorer processes. The recommended state for this setting is: Enabled. Rationale: Users often choose to install software such as … (Rule:xccdf_org.cisecurity.benchmarks_rule_7.1_Set_Restrict_ActiveX_Install_to_Enabled Artifact Expression:xccdf_org.cisecurity.benchmarks_ae_7.1.4_, The Center for Internet Security Microsoft Internet Explorer 10 Level 1 Benchmark, 1.0.0)
Internet Explorer Processes (Restrict ActiveX Install) Technical Mechanisms: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL\(Reserved) HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL\expl… (CCE-3924-8, Common Configuration Enumeration List, Combined XML: Internet Explorer 7, 5.20130214)
The "Restrict ActiveX Install: Internet Explorer Processes" machine setting should be configured correctly. Technical Mechanisms: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Restrict ActiveX Install\Internet Explorer Processes Par… (CCE-10405-9, Common Configuration Enumeration List, Combined XML: Microsoft Internet Explorer 8, 5.20130214)
The "Restrict ActiveX Install: Internet Explorer Processes" current user setting should be configured correctly. Technical Mechanisms: User Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Restrict ActiveX Install\Internet Explorer Processes HKEY_CURRENT… (CCE-16645-4, Common Configuration Enumeration List, Combined XML: Microsoft Internet Explorer 8, 5.20130214)
Internet Explorer Processes (Restrict ActiveX Install) (oval:gov.nist.fdcc.ie7:def:658, FDCC Windows IE7 SCAP content using OVAL (fdcc-ie7-oval.xml, fdcc-ie7-patches.xml), Version 5.4)
Internet Explorer Processes - Restrict ActiveX Install - Local Computer (IEProcesses_RestrictActiveXInstall_LocalComputer, NIST SCAP Microsoft Internet Explorer Version 7 (fdcc-ie7-xccdf.xml), FDCC IE7 (1.2) SCAP Content - OVAL 5.4)
The Restrict ActiveX Install\Internet Explorer Processes policy setting enables blocking of ActiveX control installation prompts for Internet Explorer processes. (xccdf_gov.nist_rule_IEProcesses_RestrictActiveXInstall_LocalComputer, oval:gov.nist.USGCB.ie7:def:31108, oval:gov.nist.USGCB.ie7:tst:31108, oval:gov.nist.USGCB.ie7:obj:31108, oval:gov.nist.USGCB.ie7:ste:31108, USGCB: Guidance for Securing Microsoft Internet Explorer 7, v1.2.3.1)
The Restrict ActiveX Install\Internet Explorer Processes policy setting enables blocking of ActiveX control installation prompts for Internet Explorer processes. (xccdf_gov.nist_rule_IEProcesses_RestrictActiveXInstall_LocalComputer, oval:gov.nist.USGCB.ie7:def:31108, oval:gov.nist.USGCB.ie7:tst:31126, oval:gov.nist.USGCB.ie7:obj:31126, oval:gov.nist.USGCB.ie7:ste:31126, USGCB: Guidance for Securing Microsoft Internet Explorer 7, v1.2.3.1)
The Restrict ActiveX Install\Internet Explorer Processes policy setting enables blocking of ActiveX control installation prompts for Internet Explorer processes. (xccdf_gov.nist_rule_IEProcesses_RestrictActiveXInstall_LocalComputer, oval:gov.nist.USGCB.ie7:def:31108, oval:gov.nist.USGCB.ie7:tst:31127, oval:gov.nist.USGCB.ie7:obj:31127, oval:gov.nist.USGCB.ie7:ste:31127, USGCB: Guidance for Securing Microsoft Internet Explorer 7, v1.2.3.1)
The Restrict ActiveX Install\Internet Explorer Processes policy setting enables blocking of ActiveX control installation prompts for Internet Explorer processes. (xccdf_gov.nist_rule_IEProcesses_RestrictActiveXInstall_LocalComputer, oval:gov.nist.USGCB.ie8:def:31108, oval:gov.nist.USGCB.ie8:tst:31108, oval:gov.nist.USGCB.ie8:obj:31108, oval:gov.nist.USGCB.ie8:ste:31108, USGCB: Guidance for Securing Microsoft Internet Explorer 8, v1.2.3.1)
The Restrict ActiveX Install\Internet Explorer Processes policy setting enables blocking of ActiveX control installation prompts for Internet Explorer processes. (xccdf_gov.nist_rule_IEProcesses_RestrictActiveXInstall_LocalComputer, oval:gov.nist.USGCB.ie8:def:31108, oval:gov.nist.USGCB.ie8:tst:31126, oval:gov.nist.USGCB.ie8:obj:31126, oval:gov.nist.USGCB.ie8:ste:31126, USGCB: Guidance for Securing Microsoft Internet Explorer 8, v1.2.3.1)
The Restrict ActiveX Install\Internet Explorer Processes policy setting enables blocking of ActiveX control installation prompts for Internet Explorer processes. (xccdf_gov.nist_rule_IEProcesses_RestrictActiveXInstall_LocalComputer, oval:gov.nist.USGCB.ie8:def:31108, oval:gov.nist.USGCB.ie8:tst:31127, oval:gov.nist.USGCB.ie8:obj:31127, oval:gov.nist.USGCB.ie8:ste:31127, USGCB: Guidance for Securing Microsoft Internet Explorer 8, v1.2.3.1)
This setting prevents ActiveX control installation prompts. By preventing this prompt, users will not be able to download ActiveX controls that are not permitted by the security policy. The Internet Explorer Processes (Restrict ActiveX Install) setting should be Enabled. (Pg 95, NSA Guide to Security Microsoft Windows XP)