Microsoft's USGCB Tech Blog

A technical resource to help implement the US Govt Configuration Baseline (USGCB) on the Windows platform.

November, 2011

  • Enabling “Initialize and script ActiveX controls not marked as safe” in ANY zone can get you hurt, bad.

    This post is about a security setting that is often underestimated in its ability to enable serious harm when relaxed. But relaxing it is exactly what I often see being done in enterprise environments. The risk is real that anyone who has any control over any content on any web server in those security zones could easily and surreptitiously take complete control of visitors’ computers and user accounts, and in a way that could be difficult or impossible to trace.  You should make sure the setting is disabled.  Full details (and demo) in the blog post.