Information
*Description*
This policy setting allows you to manage whether scriptlets can be allowed. If you enable
this policy setting, users will be able to run scriptlets. If you disable this policy setting,
users will not be able to run scriptlets. If you do not configure this policy setting, a scriptlet
can be enabled or disabled by the user. The recommended state for this setting is:
Enabled: Disable.
*Rationale*
Scriptlets have been exploited by malicious users in the past. One example is the malware
Exploit-MSWord.k, which embedded the class ID of the Microsoft Scriptlet Component
within a Word document, along with the URL of a website that hosted additional malicious
software. When the document was opened, Microsoft Word would process the embedded object, then
download and activate the malicious payload. This particular vulnerability was patched
several years ago, but disabling this setting in untrusted zones helps mitigate the
entire class of attacks.
Solution
To establish the recommended configuration via Group Policy, set the following UI path to
Enabled.
User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone\Allow Scriptlets
Then set the Scriptlets option to Disable.
Impact: If you enable this policy setting, users will be able to run scriptlets. If you disable this policy
setting, users will not be able to run scriptlets. If you do not configure this policy setting, a
scriptlet can be enabled or disabled by the user.
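
To verify that the Group Policy setting above has actually been applied, the following audit check can be run on an endpoint. It is an added example, not part of the benchmark text. It assumes the registry location and value encoding, which the page does not state: zone 3 is the Internet zone, and "Allow Scriptlets" is stored as DWORD value 1209 (0 = Enable, 1 = Prompt, 3 = Disable) under the per-user policy key. The function name `Get-ScriptletPolicyState` is hypothetical.

```powershell
# Added example, not from the benchmark. Assumption: the Internet zone (zone 3)
# stores "Allow Scriptlets" as DWORD value 1209 (0 = Enable, 1 = Prompt, 3 = Disable).
$SubKey    = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$ValueName = '1209'
$Meaning   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ScriptletPolicyState {
    param([Parameter(Mandatory)][string]$Sid)

    $path = "Registry::HKEY_USERS\$Sid\$SubKey"
    $item = Get-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        # Key or value absent: policy not configured, so the user controls the setting.
        $raw = $null; $state = 'Not configured'
    } else {
        $raw = [int]$item.$ValueName
        $state = if ($Meaning.ContainsKey($raw)) { $Meaning[$raw] } else { "Unknown ($raw)" }
    }

    [pscustomobject]@{
        Sid       = $Sid
        RawValue  = $raw
        State     = $state
        Compliant = ($raw -eq 3)   # only an enforced "Disable" meets the recommendation
    }
}

# Only hives of currently loaded profiles appear under HKEY_USERS;
# the pattern skips service accounts and the *_Classes hives.
$results = Get-ChildItem 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object { Get-ScriptletPolicyState -Sid $_.PSChildName }

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Compliant }) {
    Write-Warning 'One or more loaded user hives do not enforce Enabled: Disable.'
}
```

A result of "Not configured" is reported as non-compliant because, as the description states, the user can then enable or disable scriptlets themselves.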