Thoughts from the EPS Windows Server Performance Team
One of the most common calls we get concerns the warning dialogs, the "gold bar" (Information Bar) message, or the infamous "Red X" image displayed where an ActiveX control should have loaded. In some instances the problem is a failure of the control itself. More often, however, the cause is the way the Internet Explorer security zone settings are configured, which prevents the control from loading (or disables some of its features). Below are the ActiveX failure messages that we've all seen:
To resolve these zone issues, the ActiveX control needs to comply with the security measures that are in place. One such measure is code signing the control with an Authenticode certificate issued specifically for code signing. Before signing, the control should be packaged into a .CAB file that contains not only the control's binary but also the .INF file used to install it, so that the signature covers both. Keep in mind what a signature does and does not prove: it identifies the publisher and lets Internet Explorer detect tampering with the package, which is what moves the control from the "unsigned" to the "signed" download setting in each zone, but it says nothing about whether the control itself is safe to expose to web content. For more information on code signing, please see the Introduction to Code Signing article on MSDN and also Richard Lewis' blog post on Application Security.
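The packaging and signing steps described above, as an added example that is not part of the original post. It assumes a hypothetical control MyControl.ocx in the current directory, a code-signing certificate in the current user's certificate store whose subject contains "Contoso Code Signing", a placeholder CLSID and timestamp URL, and that makecab.exe (shipped with Windows) and a current signtool.exe (Windows SDK) are on the PATH.

```powershell
# Added example, not from the original post: build a CAB containing an ActiveX
# control plus its INF, Authenticode-sign the CAB, then verify the signature.
# MyControl.ocx, the CLSID, the certificate subject and the timestamp URL are
# placeholders; replace them with the real values for the control you ship.

$ErrorActionPreference = 'Stop'
$work = Join-Path $PWD 'build'
New-Item -ItemType Directory -Force -Path $work | Out-Null

# 1. The INF tells Internet Explorer which file in the CAB to register and which
#    CLSID it provides. Single-quoted here-string, so $CHICAGO$ is not expanded.
@'
[version]
Signature="$CHICAGO$"
AdvancedINF=2.0

[Add.Code]
MyControl.ocx=MyControl.ocx

[MyControl.ocx]
file-win32-x86=thiscab
clsid={00000000-0000-0000-0000-000000000000}
FileVersion=1,0,0,1
RegisterServer=yes
'@ | Set-Content -Path (Join-Path $work 'MyControl.inf') -Encoding Ascii

# 2. Directive file for makecab: one compressed CAB holding the binary and the INF.
@"
.Set CabinetNameTemplate=MyControl.cab
.Set DiskDirectoryTemplate=$work
.Set Cabinet=on
.Set Compress=on
MyControl.ocx
$work\MyControl.inf
"@ | Set-Content -Path (Join-Path $work 'MyControl.ddf') -Encoding Ascii

makecab.exe /F (Join-Path $work 'MyControl.ddf')
if ($LASTEXITCODE -ne 0) { throw "makecab failed with exit code $LASTEXITCODE" }

# 3. Sign the CAB. /n picks the certificate by subject name from the user's
#    store; /tr adds an RFC 3161 timestamp so the signature remains valid after
#    the certificate expires. Both digests are SHA-256.
$cab = Join-Path $work 'MyControl.cab'
$certSubject  = 'Contoso Code Signing'                 # hypothetical
$timestampUrl = 'http://timestamp.example.invalid'    # hypothetical
signtool.exe sign /n $certSubject /fd SHA256 /tr $timestampUrl /td SHA256 /v $cab
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 4. Verify against the default Authenticode policy (/pa), the same kind of
#    check the browser performs before treating the control as signed.
signtool.exe verify /pa /v $cab
if ($LASTEXITCODE -ne 0) { throw "signature did not verify, exit code $LASTEXITCODE" }
Write-Host "Signed package ready: $cab"
```

Sign the CAB, not only the .ocx inside it: the INF is what drives installation and registration, and an unsigned INF in a CAB with a signed binary still leaves the package tamperable.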
Within Internet Explorer, there are five different Security Zones that can be accessed within Internet Options. However, within the UI, only four zones are visible: Internet, Local intranet, Trusted sites, and Restricted sites.
The fifth security zone is the Local Machine zone. This zone is an implicit zone that exists on the local computer. You cannot configure the security settings for this zone via the Internet Explorer options or the Security Zones property sheet. If you have administrator privileges, you can modify the security settings for the Local Machine zone by modifying the registry.
Each of these security zones uses a default template which can be viewed by highlighting the zone icon in the list as shown above. The templates are designed to provide the best security possible when connecting to web sites. The security settings for these zones can be customized by selecting a zone and then clicking on the "Custom Level ..." button. Although the templates are in place, there are no sites added by default to any of the zones shown above. Within each of the templates there are individual security settings that pertain to ActiveX controls. The table below shows the details for the ActiveX controls and plug-ins security settings. Please note that some of these settings are specific to Windows XP Service Pack 2 and later operating systems.
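An added example (not from the original post) that covers the two preceding paragraphs: it reads the ActiveX-related settings of all five zones straight from the registry, including the Local Machine zone (zone 0), which the Internet Options UI does not show. Zone settings live under the Internet Settings\Zones key as one subkey per zone (0 = Local Machine, 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites); the numeric value names below are the ones behind the corresponding entries in the "Custom Level ..." dialog. The script is read-only.

```powershell
# Added example, not from the original post: dump the ActiveX settings of all
# five Internet Explorer security zones for the current user.
# Each zone is a subkey named 0..4 under the Zones key; each setting is a DWORD
# whose value 0 = Enable, 1 = Prompt, 3 = Disable.

$zoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Value names of the ActiveX entries in the "Custom Level ..." dialog.
$activeXSettings = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1405' = 'Script ActiveX controls marked safe for scripting'
    '2201' = 'Automatic prompting for ActiveX controls'
}
$stateNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneActiveXSettings {
    param([Parameter(Mandatory)][int]$Zone)
    $keyPath = Join-Path $zoneRoot $Zone
    if (-not (Test-Path $keyPath)) { throw "Zone $Zone not found under $zoneRoot" }
    $key = Get-ItemProperty -Path $keyPath
    foreach ($name in $activeXSettings.Keys) {
        $raw = $key.$name
        $state = if ($null -eq $raw) { '(not set)' }
                 elseif ($stateNames.ContainsKey([int]$raw)) { $stateNames[[int]$raw] }
                 else { "unknown ($raw)" }
        [pscustomobject]@{
            Zone     = $Zone
            ZoneName = $key.DisplayName      # e.g. "My Computer" for zone 0
            Setting  = $activeXSettings[$name]
            Value    = $raw
            State    = $state
        }
    }
}

# Zone 0 is the Local Machine zone that the UI hides.
0..4 | ForEach-Object { Get-ZoneActiveXSettings -Zone $_ } | Format-Table -AutoSize
```

If Group Policy sets the Security_HKLM_only policy, Internet Explorer uses the machine-wide copy of the Zones key instead, so change the drive prefix from HKCU: to HKLM: to see the settings that are actually in effect. Changing values under zone 0 affects every page loaded from the local file system, so treat that key with the same care as the Internet zone.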
As you can see, the more restrictive the zone, the more restrictive the settings for ActiveX controls. This is to protect the user. If a control is unsigned and the page is loaded in the Internet zone, by default the control will not run (per the table above). ActiveX controls are very powerful and versatile; they may also be extremely insecure. Because an ActiveX control is a COM object running inside the browser process, it can do anything that the user can do from that computer. Once a user installs an ActiveX control, it is registered for the whole machine, so any web page on the Internet that is permitted to instantiate it can repurpose the control for its own ends, not just the site that installed it. However, there are measures that can be taken when writing ActiveX controls to guard against this. The following should be considered when creating an ActiveX control:
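An added example (not from the original post) for assessing the repurposing risk just described: given the CLSID of an installed control, it checks whether the control declares the "safe for scripting" and "safe for initialization" component categories in the registry, which is what lets any page script it without the "not marked as safe" prompt, and whether the kill bit (Compatibility Flags 0x400) has been set to stop Internet Explorer from loading it at all. The CLSID is a placeholder.

```powershell
# Added example, not from the original post: report how exposed an installed
# ActiveX control is to use by arbitrary web pages. Read-only.

$clsid = '{00000000-0000-0000-0000-000000000000}'   # hypothetical; replace

# Component category GUIDs that mark a control as safe for scripting /
# safe for initialization from persisted data.
$catSafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$catSafeForInit      = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'

function Get-ActiveXExposure {
    param([Parameter(Mandatory)][string]$Clsid)

    $base = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    if (-not (Test-Path $base)) { throw "CLSID $Clsid is not registered on this machine" }

    $server = (Get-ItemProperty -Path "$base\InprocServer32" -ErrorAction SilentlyContinue).'(default)'

    # Registry-declared safety categories. IE asks IObjectSafety first, so a
    # control can also claim safety at runtime; this check is a lower bound.
    $cats         = "$base\Implemented Categories"
    $scriptable   = Test-Path "$cats\$catSafeForScripting"
    $initSafe     = Test-Path "$cats\$catSafeForInit"

    # Kill bit: bit 0x400 of "Compatibility Flags" under ActiveX Compatibility
    # makes IE refuse to instantiate the control regardless of zone settings.
    $compat = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $flags  = 0
    if (Test-Path $compat) {
        $flags = [int](Get-ItemProperty -Path $compat).'Compatibility Flags'
    }
    $killBit = ($flags -band 0x400) -ne 0

    if ($killBit) {
        $verdict = 'blocked by kill bit'
    } elseif ($scriptable -or $initSafe) {
        $verdict = 'marked safe: reachable from any page the zone lets instantiate it'
    } else {
        $verdict = 'not marked safe: zone setting 1201 decides (default Disable in Internet zone)'
    }

    [pscustomobject]@{
        Clsid                 = $Clsid
        Server                = $server
        SafeForScripting      = $scriptable
        SafeForInitialization = $initSafe
        KillBitSet            = $killBit
        Verdict               = $verdict
    }
}

Get-ActiveXExposure -Clsid $clsid | Format-List
```

A control that shows SafeForScripting or SafeForInitialization as True is the case the paragraph above warns about: every site that can instantiate it may drive its methods, so those markings should only be set after the control has been reviewed for use from hostile pages. The kill bit is the administrator's way to retire a control that has already shipped.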
And that brings us to the end of this post on ActiveX and Security. In our three-part series we have gone over the basics of ActiveX, covered the management of ActiveX controls within Internet Explorer and covered the Security aspects of ActiveX within the Internet Explorer environment. I hope you have found this information useful.
- Brent Goodpaster
FYI: color-blind people need high-contrast background/font displays to read them, but the information is very helpful!