2.25.13 Ensure 'ActiveX Control Initialization' is set to Disabled

Information

This policy setting specifies the Microsoft ActiveX® initialization security level for all Microsoft Office applications.

The recommended state for this setting is: Disabled.

Attackers can use ActiveX controls that include malicious code to attack a computer. In addition, malicious code can be used to compromise an ActiveX control and attack a computer. To indicate the safety of an ActiveX control, developers can denote them as Safe For Initialization (SFI). SFI indicates that a control is safe to open and run, and that it is not capable of causing a problem for any computer, regardless of whether it has persisted data values or not.

Solution

To implement the recommended configuration state, set the following Group Policy setting to Disabled:

User Configuration\Administrative Templates\Microsoft Office 2016\Security Settings\ActiveX Control Initialization

Impact: This setting only increases security for ActiveX controls that are accurately marked as SFI. In situations that involve malicious or poorly designed code, an ActiveX control might be inaccurately marked as SFI.

Important: Some ActiveX controls do not respect the safe mode registry setting, and therefore might load persisted data even though you configure this setting to instruct the control to use safe mode.

See Also

https://workbench.cisecurity.org/files/571

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7(2)

Plugin: Windows

Control ID: 02ca53268fb9e720c089b19f0fed978a47156c7fae58fffba5543eacae530779