2.3.27.4 Ensure 'ActiveX Control Initialization' is set to 'Enabled: 6'

Information

This policy setting specifies the Microsoft ActiveX initialization security level for all Microsoft Office applications.

The recommended state for this setting is: Enabled: 6

Rationale:

Attackers can use ActiveX controls that include malicious code to attack a computer. In addition, malicious code can be used to compromise an ActiveX control and attack a computer. To indicate the safety of an ActiveX control, developers can mark it as Safe For Initialization (SFI). SFI indicates that a control is safe to open and run, and that it is not capable of causing a problem for any computer, regardless of whether it has persisted data values or not.

Impact:

This setting only increases security for ActiveX controls that are accurately marked as SFI. In situations that involve malicious or poorly designed code, an ActiveX control might be inaccurately marked as SFI.

Important: Some ActiveX controls do not respect the safe mode registry setting, and therefore might load persisted data even though this setting is configured to instruct the control to use safe mode.

Solution

To establish the recommended configuration via Group Policy (GP), set the following UI path to Enabled: 6:

User Configuration\Administrative Templates\Microsoft Office 2016\Security Settings\ActiveX Control Initialization

Default Value:

Disabled.

See Also

https://workbench.cisecurity.org/benchmarks/12129

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b.

Plugin: Windows

Control ID: 9b3835f67970097ae4345ad9be4e167f2a65cf2a96a14bba9bd3d66becdc0403