3.10 Ensure ActiveX filtering is enabled

Information

Removes ActiveX controls from the HTTP reply traffic received on the security appliance.

Rationale:

ActiveX controls are used to provide a rich users' browsing experience. Because the ActiveX control is a written program that is executed in the users' computers, it can be used by attackers to perform malicious tasks on the machines of their victims.

Impact:

Activex support has been deprecated by Microsoft, and activex support is disabled by default in modern browsers from Microsoft. However, activex support remains a viable attack platform against organizations that have it enabled for legacy applications.

recommended configuration should at a minimum be: filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

Additional ports may be required depending on your environment.

Filtering activex on https traffic is not possible, as activex filtering works by commenting out the 'object' references in the live data stream - replacing and , and and tags with comments. Since the native ASA does not have traffic decryption as a feature, this configuration will not work for https traffic, and is why this feature is deprecated on the ASA platform.

Solution

Step 1: Acquire the TCP port used for the HTTP traffic containing ActiveX objects, the IP address <internal_users_ip> and mask <internal_users_mask> of internal users generating the HTTP traffic, and the IP address <external_servers_ip> and mask <external_servers_mask> of the external servers to which the internal users connect and that are source of ActiveX objects.

Step 2: Run the following command to filter ActiveX applets.

hostname(config)# filter activex <port> <internal_users_ip> <internal_users_mask> <external_servers_ip> <external_servers_mask>

Default Value:

ActiveX control filtering is disabled by default.

See Also

https://workbench.cisecurity.org/benchmarks/7194

Item Details

Category: CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CM-7, 800-53|CP-6, 800-53|CP-7, 800-53|PL-8, 800-53|PM-7, 800-53|SA-8, 800-53|SC-7, CSCv7|11.1

Plugin: Cisco

Control ID: 7fa5a113abb39e5b1679eb2c50534c24cc2d8dcb7d725d201245879e453808b0