The ActiveX Installer Service (AXIS) is a Windows technology that enables ActiveX controls to be installed for standard users in the enterprise. It consists of a Windows service, a Group Policy administrative template, and a few changes in Internet Explorer behavior.
Many organizations must install ActiveX controls on their desktops in order to ensure that a variety of programs that they must use on a daily basis will work properly. However, most ActiveX controls must be installed by a member of the Administrators group, and many organizations have configured or want to configure their users to run as standard users, which are non-administrative users that are members of the Users group. As a result, organizations often have to repackage and deploy the ActiveX controls to the users. In addition, many of these ActiveX controls must be regularly updated. Many organizations find this to be difficult and costly to manage for standard users.
With Windows 7/8 the ActiveX Installer Service is a native OS service and you can easily deploy and update ActiveX controls to your standard user environments. The ActiveX Installer Service enables you to leverage Group Policy to define and manage approved host URLs that standard users can use to install ActiveX controls in a locked-down environment. For more information about AXIS, see: http://technet.microsoft.com/en-us/library/cc721964.aspx.
Here is how the ActiveX Installer Service works:
AxInstallerService in Windows allows the corporate administrator to manage ActiveX controls while maintaining a strong security posture, by having users run as standard user with default file system settings. AXIS provides Group Policy options to configure trusted sources of ActiveX controls and a broker process to install controls from those trusted sources on behalf of standard users. The key benefit is that you can maintain a non-administrative security posture on user workstations along with centralized administrative control. AXIS relies on the IT administrator to identify trusted sources (typically Internet or intranet URLs) of ActiveX controls.
When an object tag directs Internet Explorer to invoke a control, AXIS takes the following steps:
Some security zones settings configure the ability for computers to execute and/or download ActiveX controls. However, even if Internet Explorer allows an ActiveX control to be downloaded from the web site, the ActiveX control can only be installed from an elevated process or administrative account. One of the goals for enterprises is to only provide end users standard, non-administrative access to their operating system. This means that ActiveX controls downloaded from web sites – regardless of the web site’s security zone – cannot be installed by the end users.
With Windows 7/8 and beyond, AXIS is a native Windows service that will install ActiveX controls on behalf of end-users. Enterprises can maintain a list of approved web sites, implemented via Group Policy, that will cause AXIS to install any required ActiveX controls for the end-user. Further, AXIS can be configured to install ActiveX controls from all Trusted Sites.
The advantage of using AXIS over a software distribution tool is that no packaging of ActiveX controls is required, which significantly reduces the amount of time needed to get an ActiveX control installed in production. Group Policy based administration enables rapid changes to the deployed computers. Leveraging AXIS involves some additional management, specifically the management of a Group Policy object to add specific sites to leverage AXIS. The control of ActiveX installation and functional state can be managed in enterprises via Active Directory Group Policy.
Turn off ActiveX Opt-In Prompt
Windows Components\Internet Explorer
Only use the ActiveX Installer Service for installation of ActiveX controls
Only allow approved domains to use ActiveX without prompt
Windows Components\Internet Explorer\Internet Control Panel\Security\PER ZONE
Disable Per-User Installation of ActiveX Controls
Turn off ActiveX Opt-In prompt: This policy setting allows you to turn off the ActiveX Opt-in prompt. The ActiveX Opt-in prevents websites from loading any COM object without prior approval. If a page attempts to load a COM object that Internet Explorer has not used before, an Information bar will appear asking the user for approval. If you enable this policy setting, the ActiveX Opt-in prompt will not appear. Internet Explorer does not ask the user for permission to load a control, and will load the ActiveX if it passes all other internal security checks. If you disable or do not configure this policy setting, the ActiveX Opt-In prompt will appear.
Only use the ActiveX Installer Service for installation of ActiveX controls: This policy setting allows you to specify how ActiveX controls are installed. If you enable this policy setting, ActiveX controls will only install if the ActiveX Installer Service is present and has been configured to allow ActiveX controls to be installed. If you disable or do not configure this policy setting, ActiveX controls, including per-user controls, will be installed using the standard installation process.
Disable Per-User Installation of ActiveX Controls: This policy setting allows you to disable the per-user installation of ActiveX controls. This policy only affects ActiveX controls that can be installed on a per-user basis. If you enable this policy setting, ActiveX controls cannot be installed on a per-user basis. If you disable or do not configure this policy setting, ActiveX controls can be installed on a per-user basis.
Configuring the ActiveX Installer Service
The ActiveX Installer Service is enabled by default in Windows 7/8; you only need GPMC to configure it. You must configure the ActiveX Installer Service settings by using an administrative template in Group Policy. The administrative template consists of a list of approved installation sites, which the ActiveX Installer Service uses to determine whether an ActiveX control can be installed. We recommend Domain policies over Local policies.
To configure the ActiveX Installer Service using local GPMC (similar steps for Domain Policy)
When you add a URL, you can specify comma-delimited values that detail the settings for the ActiveX Installer Service. You can configure four values:
ActiveX Recommended Practices
▪ Only install ActiveX controls from reputable organizations - We recommend that you only install ActiveX controls from publishers that you know and trust. The ActiveX Installer Service does not determine whether the host presenting the ActiveX control is connected to a secure network. Ensuring that you only install ActiveX controls from reputable publishers will help mitigate this threat.
▪ Deploy commonly used ActiveX controls - We recommend that you deploy ActiveX controls that are commonly used in your environment by using your organization's application deployment method. Many users today use laptops to connect to multiple networks, including wireless hot spots. A malicious proxy at an insecure network could attempt to trick the ActiveX Installer Service by redirecting it to a host with malicious software that represents itself as a commonly used ActiveX control. Ensuring that you deploy commonly used ActiveX controls for your users will help mitigate this threat.
▪ Only use HTTPS host URLs - We recommend that you only modify the value for HTTPS error exceptions to require the connection to pass all verification checks (0). If a remote user connects to an insecure wireless network, and the proxy attempts to redirect the connection, this setting will ensure that the ActiveX control installation will fail since the certificate will be invalid.
▪ Consolidate ActiveX controls to a central server - We recommend that you consolidate the ActiveX controls you use in your organization to a central server. The location where a Web site hosts an ActiveX control is called a CODEBASE. Normally, the CODEBASE is specified in the Web page, and the installation process retrieves the ActiveX control from that location. In managed enterprises, you can use Group Policy to override the CODEBASE that is specified within the Web page to redirect to an internal server. Using this setting allows you to easily manage which ActiveX controls users can install by consolidating the ActiveX controls onto a central server; if the server is an HTTPS server, you also satisfy the previous recommended practice, only use HTTPS host URLs. You can configure a common Group Policy setting to redirect all ActiveX control installations to a central server in your organization. You can do this by using the CodeBaseSearchPath registry key. For more information on the CodeBaseSearchPath, see Implementing Internet Component Download: http://go.microsoft.com/fwlink/?LinkId=90677
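One way to audit a list of approved installation sites against the HTTPS practices above, as an added example that is not part of the original post or Microsoft's tooling. The function name Test-AxisApprovedSite, the sample host URLs and their values are constructed for illustration, and the field order (trusted-signature, signed, unsigned, HTTPS error exceptions) is an assumption about the four comma-delimited values.

```powershell
# Added example: check approved-site entries against the recommended practices.
# Assumed field order: trusted-signature, signed, unsigned, HTTPS error exceptions.
function Test-AxisApprovedSite {
    param(
        [Parameter(Mandatory)][string]$HostUrl,
        [Parameter(Mandatory)][string]$Settings
    )
    $findings = @()

    # Practice: only use HTTPS host URLs.
    $uri = $null
    if (-not [Uri]::TryCreate($HostUrl, [UriKind]::Absolute, [ref]$uri)) {
        $findings += 'host URL is not an absolute URL'
    } elseif ($uri.Scheme -ne 'https') {
        $findings += "host URL scheme is '$($uri.Scheme)', not https"
    }

    # The value must be four comma-delimited numbers (decimal or 0x-prefixed hex).
    $fields = @($Settings.Split(',') | ForEach-Object { $_.Trim() })
    if ($fields.Count -ne 4) {
        $findings += "expected 4 comma-delimited values, found $($fields.Count)"
    } elseif (@($fields -notmatch '^(0x[0-9a-f]+|\d+)$').Count -gt 0) {
        $findings += 'one or more values are not numeric'
    } elseif ($fields[3] -notmatch '^(0x)?0+$') {
        # Practice: HTTPS error exceptions stays 0 so every certificate check must pass.
        $findings += "HTTPS error exceptions is '$($fields[3])', not 0"
    }

    [pscustomobject]@{
        HostUrl   = $HostUrl
        Settings  = $Settings
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings -join '; '
    }
}

# Constructed sample entries (host URL -> policy value); not taken from a real GPO.
$approvedSites = [ordered]@{
    'https://activex.corp.example' = '2,1,0,0'           # passes both checks
    'http://intranet.corp.example' = '2,1,0,0'           # plain HTTP host URL
    'https://vendor.example'       = '2,1,0,0x00000100'  # non-zero HTTPS error exceptions
    'https://legacy.corp.example'  = '2,1,0'             # malformed: only three values
}

$approvedSites.GetEnumerator() |
    ForEach-Object { Test-AxisApprovedSite -HostUrl $_.Key -Settings $_.Value } |
    Format-Table -AutoSize -Wrap
```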
AXIS Implementation Checklist
Most Common Controls
More Information about ActiveX can be found:
This post is based on the work of Steve Campbell (Architect with Microsoft Consulting Services US) and was contributed by Lutz Seidemann, a Solution Architect with Microsoft Consulting Services – World Wide Client Center of Excellence.
I can't for the life of me get AXIS to function in our environment. Troubleshooting tips just rehash the same Microsoft language that I've read again and again. Your post makes specific mention of other IE policy settings (like "Turn off ActiveX Opt-In prompt") but it doesn't recommend an action for them. Am I supposed to enable those policies? Disable them? Do they conflict with AXIS if they aren't set a specific way? I could really use some guidance on this. Thanks.
Funny to see an article on this now, as I just had to review our AXIS GPO last week. We've been running with it since we rolled out Vista years ago. It has been great.