Mark Minasi's Windows Networking Tech Page
Issue #42 October 2004

To subscribe, visit http://www.minasi.com/nwsreg.htm. To unsubscribe, link to http://www.minasi.com/unsubs.htm. To change e-mail address, switch between HTML or text format, etc., link to http://www.minasi.com/edit-newsletter-record.htm.  Visit the Archives at http://www.minasi.com/archive.htm.  Please do NOT reply to this mail; for comments, please link to www.minasi.com/gethelp.  Document copyright 2004 Mark Minasi.

What's Inside

  • News: 
    • XP audio seminar series now available!
    • One-day security seminar comes to NY November 10
    • Active Directory class comes to NY November 8/9 
    • Windows Security Conference coming to Minneapolis and Arlington, VA November 15 & 18
  • Tech Section
    • Stopping bad ActiveX controls for free with a group policy
  • Conferences
  • Bring a Seminar to Your Site

News

Hello all —

This month, I want to explain step by step how you can use XP SP2 to simply and easily squash unwanted ActiveX controls, browser helpers, spyware and the like.  But first, a word from our sponsor...

My Seminars are Coming to New York November 8-10!

Just one more set of sessions this year, New York (Mahwah, actually) in November.  Last chance in 2004 to get techie on Active Directory and Windows security.

Seminar: Securing Your Windows Desktops and Servers (November 10)

Everyone wants to secure their network, but many don’t feel that they have the time. I find that a lot of people have a general idea about what they should be doing to secure their networks -- they've heard terms like SMB signing, null session, secure channel, LM hash, and so on -- but haven't the time to sift through the often-contradictory knowledge base articles and the welter of group policy settings, Registry hacks, patches and the like.  In just one day, I go through what the big security issues mean and help attendees understand the exact step by step methods that you need to know to make your system more secure.

If you'd like to find out more, please visit www.minasi.com/secoutln.htm.  

"Running a 2003/2000-Based Active Directory" (November 8/9)

AD's great, but it can be a fragile flower if not built and maintained properly.  Find out how to build, implement, maintain, and repair Active Directory at "Running a 2003/2000-Based Active Directory;" information at www.minasi.com/2003outln.htm

IDG’s “WinSec 2004” Coming to Minneapolis and Arlington on November 15 and 18

IDG has put together a one-day conference on Windows security starring my old buddy George Spalding and me. In just one day, you’ll get tons of useful security tips, tricks and techniques, and you’ll often be entertained in the process. Visit http://www.winsec2004.com for more info. We’re only coming to two cities, so I hope to see you in either northern Virginia or Minneapolis.

XP Audio Seminar Series Now Available

You asked for it, we delivered it and they're selling like crazy.  The entire two-day XP support seminar (minus the tuning part, as I'm already selling that as a stand-alone CD lecture) on seven audio CDs for $170, or just $99 if you've attended the XP seminar (sorry, the offer's only for those who've attended the XP seminar).  Visit http://www.minasi.com/xpaudio for more info.

Tech Section

Using SP2 to Control Exactly Which ActiveX Controls Users Can Install

Last newsletter I talked a bit about some of the neat features in XP’s SP2 and encouraged you to roll it out. (If you didn’t see the newsletter, there’s a free and extensive PowerPoint presentation on SP2; download it at http://www.minasi.com/sp2info/ and I hope you find it useful.) But I only had space to discuss its features in a very broad-brush manner. The problem with SP2 is that while it’s got some nice features, figuring out how to use them isn’t always easy.

One of the features that I really like is SP2’s ability to let you create a group policy that lets you define whose ActiveX controls to install, and whose to never install. Now, I knew that the feature existed, but I hadn’t gotten around to actually figuring out what clicks would make that happen. A few weeks ago, I sat down to map out the step by step methods that I could block a given ActiveX control… and found out that it’s not intuitive at all. (Well, not intuitive unless you know what a “CLSID” is.) I did figure it out eventually, but I walked away from the experience saying, “you know, a smart but busy techie might just give up on this,” and that would be a shame. So in this article, I’ll walk you through the specific steps in blocking and then un-blocking a popular ActiveX control, Macromedia’s Shockwave player, as well as troubleshooting the whole process, should anything go wrong. (I’m not suggesting to anyone that you actually block Shockwave – it’s just that I need an easy example.)

Try this out on a test machine. In this example, I’m not going to tell you to create a domain-based group policy to accomplish the ActiveX restrictions; instead, I’ll show you how to create the restrictions on that test machine’s local group policy object (GPO). I’m doing that because it’s easier to try group policy settings on the local GPO, and besides, I don’t want to tempt anyone into testing out such a powerful setting in their production environment. Once you’re comfortable with it on the local GPO, then of course it’s simple to re-implement it on a live AD’s domain-based GPOs. (And if you’re not comfortable with group policies, then take a look in chapters 8 and 9 of the Mastering 2000 or 2003 Server books.)

Find the Settings

First, let’s find the relevant settings. SP2 introduces 619 new group policy settings, so you’d be forgiven for feeling a bit befuddled when searching for the setting that will get this job done. Open Group Policy Editor and navigate to the category that holds the relevant settings like so:

         Log onto a freshly installed test system running XP with Service Pack 2 as a local administrator

         Click Start / Run…

         In the “Run” dialog, type “gpedit.msc” and click OK

         In the “Group Policy” Microsoft Management Console that appears, open Computer Configuration, then the folder (“category” is the more exact group policy word) Administrative Templates, then Windows Components, Internet Explorer, Security Features, and finally “Add-on Management.”

(And yes, if you’re wondering why this stuff that lets you restrict downloading and running ActiveX controls wasn’t in the categories that actually exist and are named “Restrict ActiveX Install” or “Restrict File Download,” then that makes two of us. But remember what I always say: “hey, if this stuff gets easy, we’ll all have to go find jobs.”)

Two Important Settings

In that category/folder, you’ll see just four settings – “Deny all add-ons unless specifically allowed in the Add-on List,” “Add-on List,” “Process List,” and “All Processes.” We’re going to work with the first two.

You may recall that I mentioned in the last newsletter that as of SP2, Microsoft refers to ActiveX controls and browser helpers under the generic term “add-ons,” and that’s what these policy settings refer to. Whenever you see “add-on list,” think “list of ActiveX controls and browser helpers.” (And if you’re wondering what a browser helper is, think “the Google toolbar.”)

Under SP2, IE’s default behavior is the same as it has always been: any user can download and install any ActiveX control or browser helper. “Deny all add-ons unless specifically allowed in the Add-on List” changes IE’s behavior to the opposite stance – it ain’t lettin’ you install any add-ons unless you specifically name them as acceptable. You then name the acceptable add-ons in the “Add-on List” policy setting.

Actually, you can name add-ons and then either designate them as acceptable or unacceptable. Why name something as unacceptable when “Deny all add-ons unless specifically allowed in the Add-on List” makes everything unacceptable by default? Because you might have a different approach to controlling add-ons: maybe you don’t mind what people download and use, so long as it’s not (to pick a random example) Gator. In that case, you wouldn’t bother with the “Deny all…” policy. So you can either blackball everything and create exceptions, or allow everything and veto a few exceptions.

First, Disallow Everything

Let’s start with the “nothing’s okay unless I approve it” approach. To do that, we’d start with the “Deny all …” policy setting. Double-click on the “Deny all add-ons unless specifically allowed in the Add-on List” setting and check the “Enabled” radio button, then click OK. You needn’t log off and back on, and you needn’t even run gpupdate; apparently IE re-reads the effect of this group policy setting every time it’s refreshed. A simple F5, then, will cause IE to realize that it’s no longer supposed to allow any add-ons. Try it out: go to Macromedia’s site at www.macromedia.com, visit the Downloads link and try to install the Shockwave or Flash add-ins. You’ll probably see a balloon that says

“Add-on Disabled. This Web page wants to use an add-on that is either disabled or from a publisher you have blocked. To enable the add-on, click here.”

Clicking on the link brings up the new-to-SP2 dialog box “Manage Add-ons,” which lets you enable, disable, or update ActiveX controls. You’ll see that all of the add-ons in your IE are disabled. Click one and try to enable it, and you’ll see in the lower-left hand corner the message “This add-on is managed by your administrator,” and the Enable and Disable radio buttons are grayed out.

If It Didn’t Work…

After trying this on a test system, I thought to re-check my work on my laptop, only to find that despite doing the same few simple steps that nothing happened. I’d refresh, reboot, gpupdate /force, you name it, but the changes to my local group policy did not take effect. (And no, I didn’t have a conflicting GPO on the domain.) So I checked the Registry. Enabling the “Deny all add-ons unless specifically allowed in the Add-on List” works by setting a Registry entry in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext named RestrictToList, a REG_DWORD. When set to 1, this value entry disallows all browser add-ons except for the ones listed in the Add-on List; 0 has the effect of either disabling the policy or leaving it as “not configured.” So I directly edited the Registry – RestrictToList’s value was 0 – and once RestrictToList was set to 1, I saw the behavior that I expected.

Why didn’t I get the effect of the local group policy? I honestly don’t know. My machine gets other group policies just fine – perhaps this is an SP2 glitch.
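Before you blame SP2, the check worth running is to export the policy key and compare what is actually in the Registry with what the GPO was supposed to write. The script below is an added example (not part of the newsletter, and not Microsoft’s tooling): it parses the text of a “reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext" ext.reg” file, reports what IE will do with a given CLSID under that state, and lists every mismatch against the intended settings. The Registry paths and the 0/1/2 meanings are the ones this article describes; the sample export is constructed to reproduce the symptom above (policy shows Enabled, RestrictToList is still 0), and the second CLSID in it is a made-up placeholder, not a real add-on.

```python
import re
from dataclasses import dataclass, field

# Registry key the "Deny all add-ons..." and "Add-on List" settings write to (from the article).
EXT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext"
CLSID_KEY = EXT_KEY + r"\CLSID"

# Meaning of an Add-on List value, as the article lists them.
MEANING = {"0": "blocked", "1": "allowed", "2": "user-controlled"}

_KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"=dword:xxxxxxxx   or   "name"="string"
_VAL_RE = re.compile(r'^"(.+?)"=(?:dword:([0-9A-Fa-f]{8})|"(.*)")$')


@dataclass
class AddOnPolicy:
    restrict_to_list: bool = False              # True when RestrictToList == 1
    clsids: dict = field(default_factory=dict)  # "{CLSID}" -> "0" | "1" | "2"


def parse_reg_export(text):
    """Parse the (decoded) text of a `reg export` of the Ext key into an AddOnPolicy.

    Key and value names are compared case-insensitively, as the registry does.
    Only the two keys the add-on policy uses are read; anything else is ignored.
    """
    policy = AddOnPolicy()
    current = None
    for line in text.splitlines():
        line = line.strip().lstrip("\ufeff")   # reg export writes a BOM on the first line
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            continue
        val = _VAL_RE.match(line)
        if not val or current is None:
            continue
        name, dword, string = val.groups()
        if current == EXT_KEY.lower() and name.lower() == "restricttolist":
            if dword is not None:
                number = int(dword, 16)
            else:                                # tolerate a hand-typed REG_SZ "1"
                number = int(string) if (string or "").isdigit() else 0
            policy.restrict_to_list = number == 1
        elif current == CLSID_KEY.lower() and string is not None:
            policy.clsids[name.upper()] = string.strip()
    return policy


def disposition(policy, clsid):
    """What IE does with one add-on under this state: 'allowed', 'blocked' or 'user-controlled'."""
    clsid = clsid.upper()
    if clsid in policy.clsids:
        return MEANING.get(policy.clsids[clsid], "unknown value " + policy.clsids[clsid])
    # Not named in the Add-on List, so the "Deny all..." switch decides.
    return "blocked" if policy.restrict_to_list else "allowed"


def audit(policy, want_restrict, want_clsids):
    """Compare the exported state with what the GPO should have set; return the problems found."""
    problems = []
    if policy.restrict_to_list != want_restrict:
        problems.append("RestrictToList is %d, expected %d" % (policy.restrict_to_list, want_restrict))
    for clsid, value in want_clsids.items():
        clsid = clsid.upper()
        if clsid not in policy.clsids:
            problems.append("%s missing from %s" % (clsid, CLSID_KEY))
        elif policy.clsids[clsid] != value:
            problems.append("%s is %s, expected %s" % (clsid, policy.clsids[clsid], value))
    return problems


SHOCKWAVE = "{166B1BCA-3F9C-11CF-8075-444553540000}"

# Constructed export reproducing the symptom described above: the GPO says Enabled,
# but RestrictToList never became 1. The second CLSID is a made-up placeholder.
SAMPLE_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Ext]
"RestrictToList"=dword:00000000

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Ext\\CLSID]
"{166B1BCA-3F9C-11CF-8075-444553540000}"="1"
"{00000000-0000-0000-0000-000000000001}"="0"
"""

if __name__ == "__main__":
    state = parse_reg_export(SAMPLE_EXPORT)
    print("RestrictToList:", int(state.restrict_to_list))
    for clsid in list(state.clsids) + ["{00000000-0000-0000-0000-000000000002}"]:
        print(clsid, "->", disposition(state, clsid))
    for problem in audit(state, want_restrict=True, want_clsids={SHOCKWAVE: "1"}):
        print("MISMATCH:", problem)
```

Run it against a real export by reading ext.reg with encoding "utf-16" (what reg export produces) and passing the text to parse_reg_export. If audit() reports that RestrictToList is 0 while gpedit shows the setting Enabled, the policy never reached the Registry, and setting the value by hand, as above, is the workaround until you find out why.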

Now Permit Shockwave To Run

Clearly we’re not going to get very far with a copy of IE that cannot use ActiveX controls like Shockwave, Flash, Windows Update or Trend’s free housecall.antivirus.com scanner, or browser helpers like the Google Toolbar. So while it’s nice to know that we’re protected from all of the bad add-ons out there, we do need the good add-ons. So we can override the “don’t allow anything” setting, adding in exceptions with the next group policy setting, “Add-on list.” Let’s see how to allow Shockwave.

Open up Group Policy Editor again (start / run / gpedit.msc) and return to the Computer Configuration / Administrative Templates / Windows Components / Internet Explorer / Security Features / Add-on Management category. This time, double-click on the “Add-on List” setting, and click “Enabled,” then “Show…” to see the Add-on List. When you first open that list, you’ll see two columns, “Value Name” and “Value.” Click “Add…” and you’ll get a dialog box that somewhat cryptically asks you to enter a “name” and “value” of the “item.” Let’s translate that.

“Item” refers, of course, to the add-on that you want to allow. “Value” is one of three possible numbers:

         0 means “don’t run this add-on.”

         1 means “let this run.”

         2 means “let the user control this add-on.”

This leaves only “Value Name,” which is how XP wants you to identify a particular ActiveX control or browser helper. Now, you’d think that to enable Shockwave, you’d insert the words “Macromedia Shockwave” or the URL of the page that you go to in order to download Shockwave. But nope. Here’s Shockwave’s name, as far as XP’s concerned:

{166B1BCA-3F9C-11CF-8075-444553540000}

Wait, don’t go. Yup, it’s ugly, but it’s not impossible to figure out. That’s a “CLSID,” or “Class ID.” Apparently – I’m not a coder, so I wouldn’t know for sure – add-ins need a unique CLSID. (Nor do I know what would keep a hacker from simply stealing the CLSID of a trusted add-on like Shockwave, but if Microsoft’s using CLSIDs then I’ll assume for the moment that snatching a CLSID isn’t all that easy.) Anyway, the problem soon becomes “how do I get the CLSID of a given add-on?” There are two ways.

First, go to an XP SP2 system that’s got the add-on located on it. Open the Add-on Manager from Internet Explorer (Tools / Manage Add-ons…) and right-click the column heading row – the things that say “Name,” “Publisher,” and the like. Check the “Class ID” line and now you’ll see the CLSIDs of all of the add-ons on that computer. But there’s some bad news: you can’t copy the CLSID to the Clipboard. Arrgh. So you’ve got to retype it by hand. (Don’t forget the curly braces, either – XP needs them.)

Alternatively, you can go to the Web page where you first downloaded the add-on, look at its source code (View / Source) and search the HTML for the string “clsid:” (note that there is no space between “clsid” and the colon). You’ll find an attribute whose value looks like a CLSID, but without the braces. For example, at the Shockwave download page (as of late October 2004) I found this snippet of code:

classid="clsid:166B1BCA-3F9C-11CF-8075-444553540000" codebase=…

Type or cut and paste that CLSID into the “Value Name” field, but remember that it’s got to be enclosed in braces – don’t enter 166B1BCA-3F9C-11CF-8075-444553540000, enter {166B1BCA-3F9C-11CF-8075-444553540000}. Once you’ve got the value name and the value – 1, recall – then click OK three times to add the entry in Group Policy Editor. Refresh IE and now it’ll let you install Shockwave … but nothing else. To allow other add-ons, just repeat the process.

But the group policy setting is just the high-level interface; what’s happening in the Registry? Inside the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext key, you’ll find a new key, “CLSID.” In that key you’ll find a REG_SZ entry whose name is the Shockwave CLSID, and whose value is either 0, 1, or 2.

Now Turn the Tables – Everything But Shockwave Runs

I think what I’ve presented so far covers the way that most people would use this – reject all ActiveX controls and browser helpers except for the small group of acceptable ones. But for some the story will be different; for those folks, it might make more sense to allow every single ActiveX control, except for a few bad eggs. How can SP2’s add-on control serve their needs? Simple. First, do not enable the “Deny all add-ons unless specifically allowed in the Add-on List” setting; either disable it or leave it as “not configured.” Second, for any add-ons that you want to prohibit, first find their CLSIDs as before, and add them to the Add-on List, but set their values not to 1 (allow add-on to run) but to 0 (disallow add-on). Anyone trying to install or use those add-ons will fail.
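Both approaches, the “deny everything, then name the exceptions” procedure and the “allow everything, veto a few” variant just described, come down to the same two Registry items: RestrictToList under the Ext policy key and one REG_SZ entry per CLSID under Ext\CLSID. The script below is an added example (not from the newsletter, and not a Microsoft tool) that automates the tedious part of the procedure: it pulls the “clsid:” references out of a saved copy of the vendor’s download page, normalizes them into the braced upper-case form the Add-on List wants, and renders the whole key as a .reg file for either mode. It assumes you import the result with “regedit /s” on the test machine or use it as the reference for the matching GPO entries; the sample HTML is constructed from the classid= snippet shown earlier, with the codebase attribute left out. One caveat worth keeping in mind when you use either mode: the Add-on List identifies an add-on by CLSID alone, so it controls which registered controls IE will load, but it does not verify what binary is registered under that CLSID.

```python
import re

# Registry key the add-on policies write to (from the article).
EXT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext"
DENY, ALLOW, USER = "0", "1", "2"   # Add-on List values, as the article describes them

_HEX = "[0-9A-Fa-f]"
_CLSID_CORE = "%s{8}(?:-%s{4}){3}-%s{12}" % (_HEX, _HEX, _HEX)
# What a download page's HTML contains: classid="clsid:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
_IN_HTML_RE = re.compile(r"clsid:\s*(" + _CLSID_CORE + ")", re.IGNORECASE)


def normalize_clsid(raw):
    """Return the CLSID in the form the Add-on List wants: upper case, wrapped in braces."""
    core = raw.strip().strip("{}").upper()
    if not re.fullmatch(_CLSID_CORE, core):
        raise ValueError("not a CLSID: %r" % raw)
    return "{" + core + "}"


def extract_clsids(html):
    """Every distinct clsid: reference in a page, in order of first appearance."""
    found = []
    for match in _IN_HTML_RE.finditer(html):
        clsid = normalize_clsid(match.group(1))
        if clsid not in found:
            found.append(clsid)
    return found


def build_policy_reg(addons, restrict_to_list):
    """Render the Ext policy key as .reg text.

    addons: {"{CLSID}": DENY | ALLOW | USER}
    restrict_to_list=True  -> "Deny all add-ons unless specifically allowed..." Enabled (RestrictToList=1)
    restrict_to_list=False -> everything runs except the entries set to DENY     (RestrictToList=0)
    """
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        "[%s]" % EXT_KEY,
        '"RestrictToList"=dword:%08x' % (1 if restrict_to_list else 0),
        "",
        "[%s\\CLSID]" % EXT_KEY,
    ]
    for clsid, value in addons.items():
        if value not in (DENY, ALLOW, USER):
            raise ValueError("value for %s must be 0, 1 or 2" % clsid)
        lines.append('"%s"="%s"' % (normalize_clsid(clsid), value))
    return "\r\n".join(lines) + "\r\n"


def allowlist_policy(allowed):
    """'Nothing is OK unless I approve it': deny all, then name the exceptions with 1."""
    return build_policy_reg({c: ALLOW for c in allowed}, restrict_to_list=True)


def blocklist_policy(blocked):
    """'Everything runs except these': leave Deny-all off, name the bad eggs with 0."""
    return build_policy_reg({c: DENY for c in blocked}, restrict_to_list=False)


# Constructed HTML modelled on the classid= snippet quoted above (codebase attribute omitted).
SAMPLE_HTML = ('<object classid="clsid:166B1BCA-3F9C-11CF-8075-444553540000" '
               'width="1" height="1"></object>')

if __name__ == "__main__":
    clsids = extract_clsids(SAMPLE_HTML)
    print(allowlist_policy(clsids))   # save as allow.reg, then: regedit /s allow.reg
    print(blocklist_policy(clsids))   # the "everything but Shockwave" variant
```

Remember that in allowlist mode every add-on you still need (Windows Update, your antivirus scanner’s control, the Google Toolbar) has to appear in the dictionary with ALLOW, or IE will refuse it; the blocklist variant only needs the CLSIDs you want to veto.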

I know that many of you are twitchy about installing SP2, and for good reason; as I said last time, you really need to test your old or funky apps before deploying SP2. But remember that a look at my SP2 PowerPoint shows you that you can roll out SP2 and still roll back its new security incrementally, just enough to make many “broken by SP2 apps” work just fine.

Conferences

Join me at one of these great shows.

Windows Connections October 24-27, Orlando

The magazine that I write for, Windows IT Pro Magazine, holds its next Windows Magazine Live! conference in The Land Of The Mouse this October.  It's a jam-packed set of great talks by some great speakers, including some of the Microsoft tech world's foremost megacephaloids like Mark Russinovich, IIS Answer Man Brett Hill, Uberscripter Bob Wells, Steve Riley and Mike Danseglio (imagine, they got all three of Microsoft's best speakers) and more — great speakers all and really smart guys.  I'm also doing talks on XP's SP2, Software Update Services, and XP goodies.  Watch http://www.winconnections.com/ for more info on this show.

WinSec 2004 Minneapolis November 15, Arlington VA November 18

The one and only team of Minasi and Spalding, the veritable Martin and Lewis of security talks (he’s Lewis, in case you wondered), come to Minneapolis and Arlington, VA for one day only! Learn to secure your Windows systems and have a few chuckles in the process – find out more at http://www.winsec2004.com.

Bring Mark to your site to teach or help with your AD rollout

I'm keeping busy doing Active Directory and Security seminars and writing, but I've still got time to visit your firm.  In just two days, I'll make your current NT techies into 2000, XP, Active Directory and 2003 experts.  (And better yet they won't have to sit through any Redmondian propaganda.)  To join the large educational, pharmaceutical, agricultural, aerospace, utility, banking, government, telecommunication, law enforcement, publishing, transportation, and other organizations that I've assisted, either take a peek at the course outlines at www.minasi.com/presentations.htm, mail our assistant Jean Snead at Assistant@Minasi.com, or call her at (757) 426-1431 (only between 11-5 Eastern time, weekdays, please).

Until Next Month...

Have a quiet and safe month. 

Please share this newsletter; I'd like very much to expand this periodical into a useful source of NT/2000/2003/XP information.  Please forward it to any associates who might find it helpful, and accept my thanks.  We are now at over 36,000 subscribers and I hope to use this to get information to every single Mastering 2003, XP, NT and 2000 Server reader. Thanks for letting me visit with you, and take care.  Many, many thanks to the readers who have mailed me to offer suggestions, errata, and those kind reviews.  As always, I'm at http://www.minasi.com/gethelp and please join us at the Forum with technical questions at www.minasi.com/forum


All contents copyright 2004 Mark Minasi. You are encouraged to quote this material, SO LONG as you include this entire document; thanks.