Mark Minasi's Windows Networking Tech Page
Issue #42 October 2004
To subscribe, visit http://www.minasi.com/nwsreg.htm.
To unsubscribe, link to http://www.minasi.com/unsubs.htm.
To change e-mail address, switch between HTML or text format, etc., link to http://www.minasi.com/edit-newsletter-record.htm.
Visit the Archives at http://www.minasi.com/archive.htm.
Please do NOT reply to this mail; for comments, please link to www.minasi.com/gethelp. Document
copyright 2004 Mark Minasi.
- XP audio seminar
series now available!
- One-day security
seminar comes to NY November 10
- Active Directory
class comes to NY November 8/9
- Windows Security
Conference coming to Minneapolis and Arlington, VA
November 15 & 18
- Tech Section
- Stopping bad ActiveX
controls for free with a group policy
- Bring a Seminar to
Hello all —
This month, I want to explain step by step how you can use XP SP2 to
simply and easily squash unwanted ActiveX controls, browser helpers, spyware and the like. But first, a word from our
My Seminars are Coming to New York November 8-10!
Just one more set of sessions this year, New York (Mahwah, actually) in
November. Last chance in 2004 get techie on Active Directory and Windows
Seminar: Securing Your Windows Desktops and Servers (November 10)
Everyone wants to secure their network, but many don’t feel that they have
the time. I find that a lot of people
have a general idea about what they should be doing to secure their networks
-- they've heard terms like SMB signing, null session, secure channel, LM
hash, and so on -- but haven't the time to sift through the
often-contradictory knowledge base articles and the welter of group policy
settings, Registry hacks, patches and the like. In just one day, I go
through what the big security issues mean and help attendees understand the
exact step by step methods that you need to know to make your system more
If you'd like to find out more, please visit www.minasi.com/secoutln.htm.
"Running a 2003/2000-Based Active Directory" (November 8/9)
AD's great, but it can be a fragile flower if not built and maintained
properly. Find out how to build, implement, maintain, and repair Active
Directory at "Running a 2003/2000-Based Active Directory;"
information at www.minasi.com/2003outln.htm
IDG’s “WinSec 2004”
Coming to Minneapolis and Arlington in November 15 and 18
IDG has put together a one-day conference on Windows security starring my
old buddy George Spalding and me. In
just one day, you’ll get tons of useful security tips, tricks and techniques,
and you’ll often be entertained in the process. Visit http://www.winsec2004.com
for more info. We’re only coming to
two cities, so I hope to see you in either northern Virginia
XP Audio Seminar Series Now Available
You asked for it, we delivered it and they're selling like crazy.
The entire two-day XP support seminar (minus the tuning part, as I'm already
selling that as a stand-alone CD lecture) on seven audio CDs for $170, or
just $99 if you've attended the XP seminar (sorry, the offer's only for those
who've attended the XP seminar). Visit http://www.minasi.com/xpaudio for
Using SP2 to Control Exactly
Which ActiveX Controls Users Can Install
Last newsletter I talked a bit about some of the neat features in XP’s SP2
and encouraged you to roll it out. (If
you didn’t see the newsletter, there’s a free and extensive PowerPoint
presentation on SP2; download it at http://www.minasi.com/sp2info/
and I hope you find it useful.) But I
only had space to discuss its features in a very broad-brush manner. The problem with SP2 is that while it’s got
some nice features, figuring out how to use
them isn’t always easy.
One of the features that I really
like is SP2’s ability to let you create a group policy that lets you define
whose ActiveX controls to install, and whose to
never install. Now, I knew that the
feature existed, but I hadn’t gotten around to actually figuring out what
clicks would make that happen. A few
weeks ago, I sat down to map out the step by step methods that I could block
a given ActiveX control… and found out that it’s not intuitive at all. (Well, not intuitive unless you know what a
“CLSID” is.) I did figure it out
eventually, but I walked away from the experience saying, “you know, a smart
but busy techie might just give up on this,” and that would be a shame. So in this article, I’ll walk you through
the specific steps in blocking and then un-blocking a popular ActiveX
control, Macromedia’s Shockwave player, as well as troubleshooting the whole
process, should anything go wrong.
(I’m not suggesting to anyone that you actually block Shockwave – it’s
just that I need an easy example.)
Try this out on a test machine. In
this example, I’m not going to tell you to create a domain-based group policy
to accomplish the ActiveX restrictions; instead, I’ll show you how to create
the restrictions on that test machine’s local
group policy object (GPO). I’m doing
that because it’s easier to try group policy settings on the local GPO, and
besides, I don’t want to tempt anyone into testing out such a powerful
setting in their production environment.
Once you’re comfortable with it on the local GPO, then of course it’s
simple to re-implement it on a live AD’s domain-based GPOs. (And if you’re not comfortable with group
policies, then take a look in chapters 8 and 9 of the Mastering 2000 or 2003
Find the Settings
First, let’s find the relevant settings.
SP2 introduces 619 new group
policy settings, so you’d be forgiven for feeling a bit befuddled when
searching for the setting that will get this job done. Open Group Policy Editor and navigate to
the category that holds the relevant settings like so:
Log onto a freshly installed test system
running XP with Service Pack 2 as a local administrator
Click Start / Run…
In the “Run” dialog, type “gpedit.msc”
and click OK
In the “Group Policy” Microsoft Management
Console that appears, open Computer Configuration, then the folder
(“category” is the more exact group policy word), Administrative Tools, then
Windows Components, Internet Explorer, Security Features, and finally “Add-on
(And yes, if you’re wondering why this stuff that lets you restrict
downloading and running ActiveX controls wasn’t in the categories that
actually exist and are named “Restrict ActiveX Install” or “Restrict File
Download,” then that makes two of us.
But remember what I always say:
“hey, if this stuff gets easy, we’ll all have to go find jobs.”)
Two Important Settings
In that category/folder, you’ll see just four settings – “Deny all add-ons
unless specifically allowed in the Add-on List,” “Add-on List,” “Process
List,” and “All Processes.” We’re
going to work with the first two.
You may recall that I mentioned in the last newsletter that as of SP2,
Microsoft refers to ActiveX controls and browser helpers under the generic
term “add-ons,” and that’s what these policy settings refer to. Whenever you see “add-on list,” think “list
of ActiveX controls and browser helpers.”
(And if you’re wondering what a browser helper is, think “the Google
Under SP2, IE’s default behavior is the same as it has always been: any user can download and install any ActiveX
control or browser helper. “Deny all
add-ons unless specifically allowed in the Add-on List” changes IE’s behavior
to the opposite stance – it ain’t lettin’ you
install any add-ons unless you specifically name them as acceptable. You then name the acceptable add-ons in the
“Add-on List” policy setting.
Actually, you can name add-ons and then either designate them as
acceptable or unacceptable. Why name something as unacceptable when
“Deny all add-ons unless specifically allowed in the Add-on List” makes
everything unacceptable by default?
Because you might have a different approach to controlling
add-ons: maybe you don’t mind what
people download and use, so long as it’s not (to pick a random example)
Gator. In that case, you wouldn’t
bother with the “Deny all…” policy. So
you can either blackball everything and create exceptions, or allow
everything and veto a few exceptions.
First, Disallow Everything
Let’s start with the “nothing’s okay unless I approve it” approach. To do that, we’d start with the “Deny all
…” policy setting. Double-click on the
“Deny all add-ons unless specifically allowed in the Add-on List” setting and
check the “Enabled” radio button, then click OK. You needn’t log off and back on, and you
needn’t even run gpupdate; apparently IE re-reads
the effect of this group policy setting every time it’s refreshed. A simple F5, then, will cause IE to realize
that it’s no longer supposed to allow any add-ons. Try it out:
go to Macromedia’s site at www.macromedia.com, visit the Downloads
link and try to install the Shockwave or Flash add-ins. You’ll probably see a balloon that says
This Web page wants to use an add-on that is either disabled or from a
publisher you have blocked. To enable
the add-on, click here.”
Clicking on the link brings up the new-to-SP2 dialog box “Manage Add-ons,”
which lets you enable, disable, or update ActiveX controls. You’ll see that all of the add-ons in your
IE are disabled. Click one and try to
enable it, and you’ll see in the lower-left hand
corner the message “This add-on is managed by your administrator,” and the
Enable and Disable radio buttons are grayed out.
If It Didn’t Work…
After trying this on a test system, I thought to re-check my work on my
laptop, only to find that despite doing the same few simple steps that
nothing happened. I’d refresh, reboot,
gpupdate /force, you name it, but the changes to my
local group policy did not take effect.
(And no, I didn’t have a conflicting GPO on the domain.) So I checked the Registry. Enabling the “Deny all add-ons unless
specifically allowed in the Add-on List” works by setting a Registry entry in
named RestrictToList, a REG_DWORD. When set to 1, this value entry disallows
all browser add-ons except for the ones listed in the Add-on List; 0 has the
effect of either disabling the policy or leaving it as “not configured.” So I directly edited the Registry – RestrictToList’s value was 0 – and once RestrictToList was set to 1, I saw the behavior that I
Why didn’t I get the effect of the local group policy? I honestly don’t know. My machine gets other group policies just
fine – perhaps this is an SP2 glitch.
Now Permit Shockwave To Run
Clearly we’re not going to get very far with a copy of IE that cannot use
ActiveX controls like Shockwave, Flash, Windows Update or Trend’s free
housecall.antivirus.com scanner, or browser helpers like the Google
Toolbar. So while it’s nice to know
that we’re protected from all of the bad add-ons out there, we do need the good add-ons. So we can override the “don’t allow
anything” setting, adding in exceptions with the next group policy setting,
“Add-on list.” Let’s see how to allow
Open up Group Policy Editor again (start / run / gpedit.msc)
and return to the Computer Configuration / Administrative Templates / Windows
Components / Internet Explorer / Security Features / Add-on Management
category. This time, double-click on
the “Add-on List” setting, and click “Enabled,” then “Show…” to see the
Add-on List. When you first open that
list, you’ll see two columns, “Value Name” and “Value.” Click “Add…” and you’ll get a dialog box
that somewhat cryptically asks you to enter a “name” and “value” of the “item.” Let’s translate that.
“Item” refers, of course, to the add-on that you want to allow. “Value” is one of three possible numbers:
0 means “don’t run this add-on.”
1 means “let this run.”
2 means “let the user control this
This leaves only “Value Name,” which is how XP wants you to identify a
particular ActiveX control or browser helper.
Now, you’d think that to enable Shockwave, you’d insert the words
“Macromedia Shockwave” or the URL of the page that you go to in order to
download Shockwave. But nope. Here’s Shockwave’s name, as far as XP’s
Wait, don’t go. Yup, it’s ugly, but
it’s not impossible to figure out.
That’s a “CLSID,” or “Class ID.”
Apparently – I’m not a coder, so I wouldn’t know for sure – add-ins
need a unique CLSID. (Nor do I know
what would keep a hacker from simply stealing the CLSID of a trusted add-on
like Shockwave, but if Microsoft’s using CLSIDs
then I’ll assume for the moment that snatching a CLSID isn’t all that
easy.) Anyway, the problem soon
becomes “how do I get the CLSID of a given add-on?” There are two ways.
First, go to an XP SP2 system that’s got the add-on located on it. Open the Add-on Manager from Internet
Explorer (Tools / Manage Add-ons…) and right-click the column heading row –
the things that say “Name,” “Publisher,” and the like. Check the “Class ID” line and now you’ll
see the CLSIDs of all of the add-ons on that
computer.” But there’s some bad
news: you can’t copy the CLSID to the
Clipboard. Arrgh. So you’ve got to retype it by hand. (Don’t forget the curly braces, either – XP
Alternatively, you can go to the Web page where you first downloaded the
add-on and look at its source code (View / Source) and search for the phrase
“clsid:” in the HTML source code, and note that
there is no space between “clsid” and “:,” the colon.
You’ll see a piece of HTML that encloses what should look like a CLSID
in braces. For example, at the
Shockwave download page (as of late October 2004) I found this snippet of
Type or cut and paste that CLSID into the “Value Name” field, but remember
that it’s got to be enclosed in braces – don’t enter
Once you’ve got the value name and the value – 1, recall – then click
OK three times to add the entry in Group Policy Editor. Refresh IE and now it’ll let you install
Shockwave … but nothing else. To allow
other add-ons, just repeat the process.
But the group policy setting is just the high-level interface; what’s
happening in the Registry? Inside the
HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion
\ policies \ Ext key, you’ll find a new key, “CLSID.” In that key you’ll find a REG_SZ entry
whose name is the Shockwave CLSID, and whose value is either
0, 1, or 2.
Now Turn the Tables – Everything But Shockwave Runs
I think what I’ve presented so far covers the way that most people would
use this – reject all ActiveX controls and browser helpers except for the small group of
acceptable ones. But for some the
story will different; for those folks, it might make more sense to allow
every single ActiveX control, except for a few bad eggs. How can SP2’s add-on control serve their
needs? Simple. First, do not enable the “Deny all add-ons
unless specifically allowed in the Add-on List” setting; either disable it or
leave it as “not configured.” Second,
for any add-ons that you want to prohibit, first find their CLSIDs as before, and add them to the Add-on List, but
set their values not to 1 (allow add-on to run) but to 0 (disallow
add-on). Anyone trying to install or
use those add-ons will fail.
I know that many of you are twitchy about installing SP2, and for good
reason; as I said last time, you really need to test your old or funky apps
before deploying SP2. But remember
that a look at my SP2 PowerPoint shows you that you can roll out SP2 and still
roll back its new security incrementally, just
enough to make many “broken by SP2 apps” work just fine.
Join me at one of these great shows.
Windows Connections October 24-27, Orlando
The magazine that I write for, Windows IT Pro Magazine,
holds its next Windows Magazine Live! conference
in The Land Of The Mouse this October. It's a jam-packed set of great
talks by some great speakers including of the Microsoft tech world's foremost
megacephaloids like Mark Russinovich,
IIS Answer Man Brett Hill, Uberscripter Bob Wells,
Steve Riley and Mike Danseglio (imagine, they got
all three of Microsoft's best speakers) and more — great speakers all
and really smart guys. I'm also doing talks on XP's SP2, Software
Update Services, and XP goodies. Watch http://www.winconnections.com/
for more info on this show.
WinSec 2004 Minneapolis
November 15, Arlington VA November 18
The one and only team of Minasi and Spalding, the veritable Martin and
Lewis of security talks (he’s Lewis, in case you wondered), come to
Minneapolis and Arlington, VA for one day only! Learn to secure your Windows systems and
have a few chuckles in the process – find out more at http://www.winsec2004.com.
Bring Mark to your site to teach or help with your AD rollout
I'm keeping busy doing Active Directory and Security seminars and writing,
but I've still got time to visit your firm. In just two days, I'll make
your current NT techies into 2000, XP, Active Directory and 2003
experts. (And better yet they won't have to sit through any Redmondian propaganda.) To join the large
educational, pharmaceutical, agricultural, aerospace, utility, banking,
government, telecommunication, law enforcement, publishing, transportation,
and other organizations that I've assisted, either take a peek at the course
outlines at www.minasi.com/presentations.htm,
mail our assistant Jean Snead at Assistant@Minasi.com,
or call her at (757) 426-1431 (only between 11-5 Eastern time, weekdays,
Until Next Month...
Have a quiet and safe month.
Please share this newsletter; I'd like very much to expand this periodical
into a useful source of NT/2000/2003/XP information. Please forward it
to any associates who might find it helpful, and accept my thanks. We
are now at over 36,000 subscribers and I hope to use this to get information
to every single Mastering 2003, XP, NT and 2000 Server reader. Thanks for
letting me visit with you, and take care. Many, many thanks to the
readers who have mailed me to offer suggestions, errata, and those kind
reviews. As always, I'm at http://www.minasi.com/gethelp
and please join us at the Forum with technical questions at www.minasi.com/forum.
To subscribe, visit http://www.minasi.com/nwsreg.htm.
To change e-mail, format, etc., link to http://www.minasi.com/edit-newsletter-record.htm.
To unsubscribe, link to http://www.minasi.com/unsubs.htm.
Visit the Archives at http://www.minasi.com/archive.htm.
Please do NOT reply to this mail; for comments, please link to http://www.minasi.com/gethelp.
All contents copyright 2004 Mark Minasi. You are encouraged to quote this
material, SO LONG as you include this entire document; thanks.