5.1.1 Configure 'Disable All ActiveX'

Information

This policy setting controls whether ActiveX controls are disabled. If you enable this policy
setting, Office 2010 applications do not initialize ActiveX controls from non-trusted
locations, and do not notify the user that the ActiveX controls are disabled. If you disable or
do not configure this policy setting, users can set the trust level for ActiveX controls in the
Trust Center in the 2010 versions of Microsoft Access, PowerPoint, Word, and Excel. The
default configuration does not load untrusted ActiveX controls, but uses the Message Bar to
prompt users about the control, and they can then choose whether to run the control.
Configure this setting in a manner that is consistent with the security and operational
requirements of your organization.

Rationale

An ActiveX control can be a simple text box or a more complex object, such as a special
toolbar, an entire dialog box, or a small application. ActiveX controls are used in Web sites
and in applications. ActiveX controls are not stand-alone programs, and can be run only
from within host programs, such as Internet Explorer and Microsoft Office programs.
However, ActiveX controls are very powerful, because they are Component Object Model
(COM) objects and have unrestricted access to the computer on which they run. ActiveX
controls can access the local file system and change the registry settings of your operating
system. If an attacker repurposes an ActiveX control to take over your computer, the effect
can be significant. By default, users can set the trust level for ActiveX controls in the Trust
Center in the 2010 versions of Microsoft Access, PowerPoint, Word, and Excel. The default
configuration does not load untrusted ActiveX controls, but uses the Message Bar to
prompt users about the control, and they can then choose whether to run the control. If
users choose to run all controls without prompting and without restrictions, a dangerous
control could affect their computers.

Solution

Configure the following Group Policy setting in a manner that is consistent with the
security and operational requirements of your organization:


Impact

ActiveX controls can provide additional functionality in documents, so disabling them can
reduce functionality for users. You should ensure that users are aware that this setting is
enabled, because they are not notified by the application that ActiveX controls have been
disabled. It is also important to determine that ActiveX controls are not used to provide
business-critical functionality before enabling this setting.

See Also

https://workbench.cisecurity.org/files/530

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-18b.

Plugin: Windows

Control ID: 4400bf1967bf5831108ee92ed1e1a551226a132ad501292cbaa82e090ba48bec