Beginning September 9, 2014, Microsoft will begin blocking out-of-date ActiveX controls in Internet Explorer. This includes IE 8 through 11 in Windows 7 SP1/Server 2008+ and all versions of IE in Windows 8.x/Server 2012. Microsoft currently has old versions of Java slated as the first ActiveX controls to be blocked, but it stands to reason that old versions of other plug-ins, such as Flash, will show up in the near future.
This is great news on the security front, but it’s really bad news if you have to deal with older versions of ActiveX controls because of older applications, vendor support, or a change control process. Now, the good news: Microsoft has released updated Group Policy ADMX files for Internet Explorer 11 that include settings for ActiveX blocking.
If you’ve never had to update your ADMX files, go to the download and save the file to your local computer. Extract the contents of the .zip file and you should see inetres.adm (for Server 2003), inetres.admx (for Vista/Server 2008 and up), and the folders for each supported language.
Updated Internet Explorer ADMX files for controlling ActiveX blocking
Once you’ve extracted the files, copy the inetres.admx file and your language folder (en-us, in my case) to C:\Windows\PolicyDefinitions\ on your Group Policy Management station. (If you still need support for Server 2003, you’ll also need to copy the inetres.adm file.)
Next, we can start the Group Policy Management Console and access the updated policies. They are located in Computer or User Configuration > Administrative Templates > Windows Components > Internet Explorer > Security Features > Add-on Management.
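The ADMX update steps above, as an added PowerShell script that is not part of the original article: it copies inetres.admx and the matching inetres.adml from the extracted download into the domain central store (if one exists) or the local PolicyDefinitions folder, backs up the files it replaces, and first checks that the new .adml actually carries the outdated-ActiveX policy strings. The extraction folder, the en-US language folder and the backup location are assumptions.

```powershell
# Added example, not code from the article. Assumes the downloaded ZIP was
# already extracted to $Extracted and that the language folder is en-US.
param(
    [string]$Extracted = "$env:USERPROFILE\Downloads\IE11-ADMX",
    [string]$Language  = 'en-US'
)

# Prefer the SYSVOL central store when the domain has one; otherwise use the
# local Group Policy Management station (C:\Windows\PolicyDefinitions).
$central = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies\PolicyDefinitions"
$target  = if ($env:USERDNSDOMAIN -and (Test-Path $central)) { $central }
           else { Join-Path $env:SystemRoot 'PolicyDefinitions' }

$admx = Join-Path $Extracted 'inetres.admx'
$adml = Join-Path $Extracted "$Language\inetres.adml"
foreach ($f in $admx, $adml) {
    if (-not (Test-Path $f)) { throw "Expected file not found: $f" }
}

# Sanity check before overwriting anything: the updated .adml must contain the
# display strings of the new outdated-ActiveX policies.
if (-not (Select-String -Path $adml -Pattern 'outdated ActiveX' -Quiet)) {
    throw "$adml does not contain the ActiveX blocking policy strings; wrong download?"
}

# Keep a timestamped backup of the files being replaced, then copy the new ones.
$backup = Join-Path $env:TEMP ('PolicyDefinitions-backup-{0:yyyyMMdd-HHmmss}' -f (Get-Date))
New-Item -ItemType Directory -Path (Join-Path $backup $Language) -Force | Out-Null

$copies = @(
    @{ Src = $admx; Rel = 'inetres.admx' },
    @{ Src = $adml; Rel = "$Language\inetres.adml" }
)
foreach ($c in $copies) {
    $dst = Join-Path $target $c.Rel
    if (Test-Path $dst) {
        Copy-Item -Path $dst -Destination (Join-Path $backup $c.Rel) -Force
    }
    Copy-Item -Path $c.Src -Destination $dst -Force
}
Write-Host "Updated $target; previous files saved under $backup"
```

After the copy, close and reopen the Group Policy Management Console so it reloads the templates and shows the Add-on Management settings described next.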
Updated Internet Explorer ActiveX blocking policies in the Group Policy Management Console
Disable ActiveX blocking for all sites
If you opt to completely disable ActiveX blocking, you can set the “Turn off blocking of outdated ActiveX controls for Internet Explorer” option to Enabled.
| Policy Setting | Help Description |
| --- | --- |
| Turn off blocking of outdated ActiveX controls for Internet Explorer | This policy setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone. If you enable this policy setting, Internet Explorer stops blocking outdated ActiveX controls. If you disable or don’t configure this policy setting, Internet Explorer continues to block specific outdated ActiveX controls. For more information, see “Outdated ActiveX Controls” in the Internet Explorer TechNet library. |
This is probably not the route you want to take, since it exposes your users to attacks from Internet-based sites that host outdated controls. If you can identify the sites your end users need to access with older ActiveX controls, there’s a better option.
Disable ActiveX blocking for specific sites
If you can identify the URLs of the specific sites that need older ActiveX controls, you can enable the “Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains” option and then list the domains. The list supports fully qualified domains (including wildcards), such as 4sysops.com or *.4sysops.com, intranet host names such as 4sysops, and file system paths such as file:///C:/apps/4sysops/index.htm.
Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains
| Policy Setting | Help Description |
| --- | --- |
| Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains | This policy setting allows you to manage a list of domains on which Internet Explorer will stop blocking outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone. If you enable this policy setting, you can enter a custom list of domains for which outdated ActiveX controls won’t be blocked in Internet Explorer. Each domain entry must be formatted like one of the following: (1) “domain.name.TLD”. For example, if you want to include *.contoso.com/*, use “contoso.com”. (2) “hostname”. For example, if you want to include http://example, use “example”. (3) “file:///path/filename.htm”. For example, use file:///C:/Users/contoso/Desktop/index.htm. If you disable or don’t configure this policy setting, the list is deleted and Internet Explorer continues to block specific outdated ActiveX controls on all domains in the Internet Zone. For more information, see “Outdated ActiveX Controls” in the Internet Explorer TechNet library. |
Personally, I like this option a lot better since I can whitelist domains owned by my organization as well as third-party “cloud” applications that aren’t hosted in one of our data centers.
Completely block old ActiveX controls
By default, end users will still have the option of bypassing the warning by clicking the “Run this time” button. If you don’t want end users having the option of bypassing the warning, you can enable the “Remove ‘Run this time’ button for outdated ActiveX controls in Internet Explorer” policy to completely prevent the outdated ActiveX control from running.
| Policy Setting | Help Description |
| --- | --- |
| Remove “Run this time” button for outdated ActiveX controls in Internet Explorer | This policy setting allows you to stop users from seeing the “Run this time” button and from running specific outdated ActiveX controls in Internet Explorer. If you enable this policy setting, users won’t see the “Run this time” button on the warning message that appears when Internet Explorer blocks an outdated ActiveX control. If you disable or don’t configure this policy setting, users will see the “Run this time” button on the warning message that appears when Internet Explorer blocks an outdated ActiveX control. Clicking this button lets the user run the outdated ActiveX control once. For more information, see “Outdated ActiveX Controls” in the Internet Explorer TechNet library. |
Logging ActiveX controls
Microsoft has also included new functionality that logs information about ActiveX controls, such as the URL that loaded the control and whether it was blocked. You can enable this feature with the “Turn on ActiveX control logging in Internet Explorer” policy setting. The log is written to %LOCALAPPDATA%\Microsoft\Internet Explorer\AuditMode\VersionAuditLog.csv and includes the source URI, the file path, the version of the ActiveX control, the file version, whether the control was allowed or blocked, and the reason it was allowed or blocked. Because the file lives in each user’s local profile, it is worth collecting centrally: it tells you which sites still depend on outdated controls before you tighten the whitelist or remove the “Run this time” button.
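As an added example (not code from the article), the following PowerShell function summarises VersionAuditLog.csv rows by site, control and outcome, so you can see which hosts still trigger outdated controls and which were let through. The column names and their order are an assumption derived from the fields the article lists, and the sample rows are constructed; adjust the header to match the real file if it differs.

```powershell
# Added example, not from the article. Assumed column order follows the fields
# the article names: source URI, file path, control version, file version,
# allowed/blocked, reason. The log is assumed to have no header row.
function Get-ActiveXAuditSummary {
    param(
        [Parameter(Mandatory)] [string[]]$Lines,
        [string[]]$Header = @('SourceUri', 'FilePath', 'ControlVersion',
                              'FileVersion', 'Action', 'Reason')
    )
    $rows = $Lines | Where-Object { $_.Trim() } | ConvertFrom-Csv -Header $Header
    $rows | ForEach-Object {
        # Reduce the source URI to its host; keep the raw value if it is not a URL.
        $uri = $null
        $site = if ([System.Uri]::TryCreate($_.SourceUri, 'Absolute', [ref]$uri)) {
                    $uri.Host } else { $_.SourceUri }
        [pscustomobject]@{
            Site    = $site
            Control = Split-Path -Path $_.FilePath -Leaf
            Version = $_.ControlVersion
            Action  = $_.Action
            Reason  = $_.Reason
        }
    } | Group-Object -Property Site, Control, Action | ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            Site = $first.Site; Control = $first.Control; Version = $first.Version
            Action = $first.Action; Reason = $first.Reason; Count = $_.Count
        }
    } | Sort-Object -Property Action, Count -Descending
}

# Constructed sample rows (placeholder sites, controls and versions, not real log data).
$sample = @(
    'http://legacy.contoso.example/app/,C:\Legacy\oldplugin.ocx,1.0.0.1,1.0.0.1,Blocked,Outdated version',
    'http://legacy.contoso.example/app/,C:\Legacy\oldplugin.ocx,1.0.0.1,1.0.0.1,Blocked,Outdated version',
    'http://legacy.contoso.example/app/,C:\Legacy\oldplugin.ocx,1.0.0.1,1.0.0.1,Allowed,User clicked Run this time',
    'https://portal.fabrikam.example/,C:\Legacy\viewer.dll,2.3.0.0,2.3.0.0,Allowed,Domain in exception list'
)
Get-ActiveXAuditSummary -Lines $sample | Format-Table -AutoSize

# To run it over every profile on a workstation, collect the real files instead:
# Get-ChildItem "$env:SystemDrive\Users\*\AppData\Local\Microsoft\Internet Explorer\AuditMode\VersionAuditLog.csv" |
#     ForEach-Object { Get-ActiveXAuditSummary -Lines (Get-Content -Path $_.FullName) }
```

Rows marked Allowed with a “Run this time” reason are the ones to review before you deploy the “Remove ‘Run this time’ button” policy, since those users will lose that fallback.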
| Policy Setting | Help Description |
| --- | --- |
| Turn on ActiveX control logging in Internet Explorer | This policy setting determines whether Internet Explorer saves log information for ActiveX controls. If you enable this policy setting, Internet Explorer logs ActiveX control information (including the source URI that loaded the control and whether it was blocked) to a local file. If you disable or don’t configure this policy setting, Internet Explorer won’t log ActiveX control information. Note that you can turn this policy setting on or off regardless of the “Turn off blocking of outdated ActiveX controls for Internet Explorer” or “Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains” policy settings. For more information, see “Outdated ActiveX Controls” in the Internet Explorer TechNet library. |
I have imported the .adm file for AD 2003/2008 but still couldn’t see “Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains”.
Any suggestions?