A blog with focus on experiences with the Windows Client operating systems…

  • Manage ActiveX controls with GPOs in Vista

    Posted on October 10th, 2007 Andreas Stenhall No comments

    As you might know, there is no good way to control the installation or blocking of ActiveX controls for standard user accounts. Windows Vista introduces a cure for this, called the ActiveX Installer Service. This service is not installed by default but can be found in Programs and Features > Turn Windows features on or off. I recommend that you add this component using an unattended answer file in corporate environments. Once it is installed, you can control whether a standard user should be able to install certain ActiveX controls or not. I have not found any good step-by-step guides for configuring this, so here it comes:

    1. When you go to a web site and try to install an ActiveX control, an event is logged in the Event Viewer specifying the exact origin and the HTTP or HTTPS address where the ActiveX control resides.

    2. Enter the address you found above in the group policy setting “Approved Installation Sites for ActiveX Controls”, found under Computer Configuration\Administrative Templates\Windows Components\ActiveX Installer Service, together with the additional settings, for example 2,2,0,0.

    To allow, for instance, the Windows Genuine Advantage control to be installed by a regular user, you can add the address http://download.microsoft.com with 2,2,0,0. Now you can refresh the policy on your test computer, go to Microsoft Download Center, and try to validate and install the WGA ActiveX control as a regular user account without administrative privileges. Voilà!
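
    Before approving a site, it helps to decode what a value such as 2,2,0,0 actually grants. The following is an added example, not part of the original post: a small auditor for policy entries. The field order and codes are taken from the policy's own explain text in the Group Policy editor; the function and variable names are hypothetical, the second sample entry is constructed, and accepting 0x notation for the fourth setting is an assumption.

```python
# Added example: audit "Approved Installation Sites for ActiveX Controls" entries.
from urllib.parse import urlsplit

ACTIONS = {0: "block", 1: "prompt", 2: "silent install"}
FIELDS = ("tps_signed", "signed", "unsigned")  # order of the first three settings
CERT_FLAGS = {  # bit mask in the fourth setting: HTTPS certificate errors to ignore
    0x0100: "unknown CA",
    0x0200: "wrong certificate usage",
    0x1000: "invalid CN",
    0x2000: "invalid certificate date",
}

def audit_entry(host_url, value):
    """Decode one host URL / value pair; return (decoded, findings)."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 4:
        raise ValueError("expected four comma-separated settings: %r" % value)
    levels = [int(p) for p in parts[:3]]
    if any(level not in ACTIONS for level in levels):
        raise ValueError("install settings must be 0, 1 or 2: %r" % value)
    flags = int(parts[3], 0)  # assumption: decimal or 0x... notation
    decoded = dict(zip(FIELDS, (ACTIONS[level] for level in levels)))
    decoded["ignored_cert_errors"] = [n for bit, n in CERT_FLAGS.items() if flags & bit]
    findings = []
    scheme = urlsplit(host_url).scheme.lower()
    if scheme not in ("http", "https"):
        findings.append("host URL is neither http nor https")
    if scheme == "http" and 2 in levels:
        findings.append("silent install from a plain-HTTP origin")
    if levels[2] == 2:
        findings.append("silent install of unsigned controls is not supported")
    elif levels[2] == 1:
        findings.append("standard users are prompted to install unsigned controls")
    if flags:
        findings.append("ignores HTTPS certificate errors: "
                        + ", ".join(decoded["ignored_cert_errors"]))
    return decoded, findings

SAMPLE_POLICY = {
    "http://download.microsoft.com": "2,2,0,0",      # the entry used in the post
    "https://intranet.example.test": "2,1,1,0x100",  # constructed sample entry
}

if __name__ == "__main__":
    for url, value in SAMPLE_POLICY.items():
        decoded, findings = audit_entry(url, value)
        print(url, decoded, findings or "no findings")
```

    For the entry from the post, the auditor reports that signed controls install silently, unsigned controls are blocked, and the origin is plain HTTP, so the signature check is the only gate on what gets installed.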

  • Smart card problems with Dell Latitude and Vista

    Posted on October 9th, 2007 Andreas Stenhall 2 comments

    I only have my domain administrator account on a smart card to improve security in my domain, but this is not working as one would expect in Vista. Sometimes, especially when I wake the computer from sleep but also at other times, the credential tile for smart card authentication vanishes as the Smart Card service stops working somehow. Unfortunately, the only solution to this issue is to reboot the computer. After becoming sick and tired of the problem I called Dell, from whom I got a beta driver. This driver seems to be somewhat more stable, but not 100 percent stable. SP1 makes no difference either.

  • The Vista DVD considered to be a security threat

    Posted on October 6th, 2007 Andreas Stenhall No comments

    The Windows Vista DVD is to be considered a security threat! By starting a computer from the Vista installation DVD and choosing to repair the computer instead of installing Vista, the user gets a number of choices, among them a command line (cmd.exe). By starting the command line tool you will have full access to all files on the computer and might easily copy them to a removable device of your choice. This is a big difference from Windows XP, where you at least had to log in to the Recovery Console with an administrator account; in Vista you just get full access to all the user and system files on the computer, no questions asked.

    I however live by the principle that if anyone has physical access to a computer it might be compromised anyway, but still it is good to know about this potential security hole. Laptop computers might contain sensitive data and can easily be accessed by anyone who gains access to them, if they should be stolen for example. The only way, to my knowledge, to protect against this “attack” is to use BitLocker (or possibly other encryption software). By using BitLocker the system partition is encrypted and you cannot access it using the method I describe above. If you install Service Pack 1 for Vista you will also be able to encrypt all partitions and disks on your computer, protecting your files and data further, not just the system partition. The BitLocker encryption function is only available with Windows Vista Enterprise and Ultimate Edition.