Event 1026 - ActiveX Blocking
Microsoft ActiveX controls are reusable software components based on ActiveX technology. ActiveX controls add interactivity and additional functionality, such as animations or pop-up menus, to a webpage, application, or software development tool. Windows Internet Explorer 8, Windows Internet Explorer 7, and Microsoft Internet Explorer 6 for Windows XP Service Pack 2 (SP2) block controls that are unsigned, invalid, or explicitly distrusted by the user. In Internet Explorer 8, users can allow controls to run on more than one website, or all websites, by responding to the Information Bar that drops down when a control is requested for use. These sites can also be edited through the Manage Add-ons interface.
ActiveX controls are very important to web applications because they allow developers to enhance webpages with additional software application features that won't work in standard HTML webpages. Web developers use ActiveX controls to add animation, multimedia and other features to their websites.
Because ActiveX controls, or any browser extension, add features for websites, they also increase the possibility of a security vulnerability. ActiveX Opt-in, added in Internet Explorer 7, will reduce the number of ActiveX controls available to websites on the Internet and thereby reduce the chances of a security vulnerability. Internet Explorer 8 makes it easy to use common sites with important controls but lets users opt in to using the advanced features that might be exposed by more obscure ActiveX controls.
This Windows Internet Explorer feature is called ActiveX Opt-in. By default, ActiveX Opt-in disables the controls on a user's machine. When the user encounters a webpage with a disabled ActiveX control, they will see an Information Bar with the following text:
"This website wants to run the following add-on "ABC Control" from "XYZ Publisher". If you trust the website and the add-on and want to allow it to run, click here..."
The user can choose to enable the ActiveX control from the Information Bar by right-clicking it, as shown in the following screen shot.
After the user selects "Run ActiveX Control", he or she is presented with the following Authenticode dialog box, from which the control can be allowed to run.
Some ActiveX controls will not be disabled by ActiveX Opt-in.
- Controls that are commonly used and that were designed with security scrutiny will not be disabled. These controls will appear on a pre-approved list.
- Controls which were used in Internet Explorer before upgrading to Internet Explorer 8.
- Controls which the user downloads through Internet Explorer 8 will be automatically enabled during the download and install process.
Controls which are on the pre-approved list will run without the Opt-in prompt.
Users are prompted in the following circumstances:
- On Internet Explorer 8 the first run of the control requires approval
- Each ActiveX control will require approval on a per site basis
- When the ActiveX control needs to be installed
- ActiveX failed to install / was blocked by a security feature
Per-site activation applies when an ActiveX control is built to only run on a select group of websites. If an attempt is made to instantiate such a control on a site other than one for which it was built, then Internet Explorer blocks the instantiation.
Logging occurs any time Internet Explorer disables a control via the ActiveX Opt-in feature.
Perform the following steps to see this event logged in the compatibility tool:
- Create a webpage with the following contents. For this example call it 1026.html. The file can be placed anywhere. For this example, the file is located on the desktop.
    <html xmlns="http://www.w3.org/1999/xhtml">
      <body>
        <!-- CLSID of the Microsoft Windows Media Player control -->
        <object classid="clsid:22D6F312-B0F6-11D0-94AB-0080C74C7E95"></object>
      </body>
    </html>
- Open a browser and navigate to the webpage. For example:
The page contains an object tag whose behavior is to instantiate the Microsoft Windows Media Player control. But Internet Explorer prompts the user via the Information Bar asking if they wish to run the add-on. This causes Internet Explorer to log the ActiveX Blocking event.
You may configure Internet Explorer to install ActiveX controls automatically, bypassing any prompting in the Information Bar.
Security Warning: The automatic prompting in Internet Explorer is implemented to help prevent potentially malicious ActiveX controls from being run on the user's webpage. Disabling the feature should only be used as a temporary measure during troubleshooting, to compare behavior of the application when the feature is enabled or not. It is not recommended that the feature be left disabled on an on-going basis.
To automatically download ActiveX Controls, perform the following tasks:
- On the Tools menu, select Internet Options
- Select the Security tab
- Select a zone (Internet, Local Intranet, and so on)
- Click the Custom Level button
- In the "ActiveX controls and plug-ins" section, enable both of the following options:
  - Download signed ActiveX controls
  - Download unsigned ActiveX controls
This generates a security warning error but does install the ActiveX control without being prompted.
Note: This will only work if the control has not previously been installed. If the control is pre-installed, you will still see a per-domain approval Information Bar. If the control is pre-approved (on the pre-approved list), Internet Explorer will assume that the control is allowed on every site by default. This can still be overridden by the user.
This feature can also be controlled by the following Group Policy settings:
| GPO Policy Path | GPO Policy Setting Name | GPO Settings |
|---|---|---|
| Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone | Download signed ActiveX controls | If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded. If you disable the policy setting, signed controls cannot be downloaded. If you do not configure this policy setting, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded. |
| Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone | Download unsigned ActiveX controls | If you enable this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow the unsigned control to run. If you disable this policy setting, users cannot run unsigned controls. If you do not configure this policy setting, users cannot run unsigned controls. |
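To confirm that the troubleshooting change described above was reverted, or to see what the Group Policy settings in the table resolve to on a machine, the following added example (not part of the original page) reports the two download options for each security zone. It assumes the per-zone registry locations shown in the code and the URL action value names 1001 and 1004 with data 0, 1 and 3, none of which the page lists, and it needs PowerShell 3.0 or later.

```powershell
# Added example: audit the two "Download ... ActiveX controls" options per zone.
# Assumed mapping (not listed on the page): value name 1001 = signed, 1004 = unsigned;
# value data 0 = Enable, 1 = Prompt, 3 = Disable.
$actions = @{ '1001' = 'Download signed ActiveX controls'
              '1004' = 'Download unsigned ActiveX controls' }
$zones   = @{ '1' = 'Local Intranet'; '2' = 'Trusted Sites'
              '3' = 'Internet';       '4' = 'Restricted Sites' }
$states  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Policy locations take precedence over the user's own preference location.
$suffix = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$roots  = [ordered]@{
    'Policy (machine)'  = "HKLM:\SOFTWARE\Policies\$suffix"
    'Policy (user)'     = "HKCU:\Software\Policies\$suffix"
    'Preference (user)' = "HKCU:\Software\$suffix"
}

function Get-ActiveXDownloadSetting {
    foreach ($source in $roots.Keys) {
        foreach ($zone in $zones.Keys | Sort-Object) {
            $key = Join-Path $roots[$source] $zone
            if (-not (Test-Path $key)) { continue }       # zone not configured here
            $props = Get-ItemProperty -Path $key
            foreach ($id in $actions.Keys | Sort-Object) {
                $value = $props.$id
                if ($null -eq $value) { continue }        # option not set in this key
                $v = [int]$value
                [pscustomobject]@{
                    Source         = $source
                    Zone           = $zones[$zone]
                    Setting        = $actions[$id]
                    State          = if ($states.ContainsKey($v)) { $states[$v] } else { "Unknown ($v)" }
                    SilentDownload = ($v -eq 0)           # installs without a prompt
                }
            }
        }
    }
}

$results = @(Get-ActiveXDownloadSetting)
$results | Format-Table -AutoSize

# Flag any zone where controls download with no prompt, the state the
# Security Warning above says should only be temporary.
$results | Where-Object { $_.SilentDownload } | ForEach-Object {
    Write-Warning ("{0}: '{1}' is Enable in the {2} zone" -f $_.Source, $_.Setting, $_.Zone)
}
```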