Microsoft MSDN ActiveX Security Improvements and Best Practices

Published by: thetae99 on Aug 04, 2008
Copyright: Attribution Non-commercial

©2008 Microsoft Corporation. All rights reserved.

Exploring Internet Explorer

ActiveX Security: Improvements and Best Practices

Sharon Cohen
Rob Franco
Microsoft Corporation

February 1, 2006
Last Updated: 26 September 2006

Contents

Overview
Principles of Secure Design for ActiveX Controls
Threat Modeling
Secure Development Practices
Secure Testing Practices

Overview

What's In This Document?

This document describes the changes in Internet Explorer 7 that reduce the number of ActiveX controls enabled by default through a feature called "ActiveX Opt-In".

This document also describes some of the best practices for developing ActiveX controls intended to run in Internet Explorer. These best practices have been compiled from the Security Development Lifecycle and from software developers who develop and test ActiveX controls intended for safe use on the Internet.

ActiveX Opt-In - What's New in IE7 for ActiveX
ActiveX controls are very important to the Internet because they allow developers to enhance Web pages with additional software application features that won't work in standard HTML Web pages. Web developers use ActiveX controls to add animation, multimedia and other features to their Web sites.

Because ActiveX controls, or any browser extension, add features for Web sites, they also increase the possibility of a security vulnerability. Internet Explorer 7 (IE7) will reduce the number of ActiveX controls available to Web sites on the Internet and thereby reduce the chances of a security vulnerability. IE7 makes it easy to use common sites with important controls but lets users opt-in to using the advanced features that might be exposed by more obscure ActiveX controls.

This IE7 feature is called ActiveX Opt-In. By default, ActiveX Opt-In disables the controls on a user's machine. When the user encounters a Web page with a disabled ActiveX control, they will see an Information bar with the following text: "This website wants to run the following add-on "ABC Control" from "XYZ Publisher". If you trust the website and the add-on and want to allow it to run, click here" The user can choose to enable the ActiveX control from this Information bar, as shown in the following figure.

After the user selects "Run ActiveX Control" they are presented with the following Authenticode dialog from which they can allow the control to run.

Some ActiveX controls will not be disabled by ActiveX Opt-In.

1. Controls that are commonly used and that were designed with security scrutiny will not be disabled. These controls will appear on a pre-approved list.
2. Controls which were used in IE before upgrading to IE7.
3. Controls which the user downloads through IE7 will be automatically enabled during the download and install process.

Controls which are on the pre-approved list will run without the Opt-In prompt; however, if a control is pre-approved but is not installed on the machine, the user will have to go through the existing XP SP2 download behavior to get the control.
Where does ActiveX Opt-In apply? Where does it not apply?

ActiveX Opt-In applies to controls run in Internet Explorer and any applications which opt-in to Manage Add-ons through the feature control key. ActiveX Opt-In can be enabled or disabled on a zone-by-zone basis through the IE Security Settings panel. The setting, "Allow previously unused ActiveX controls to run without prompt" enables and disables the feature. By default, ActiveX Opt-In applies to controls used on the Internet and restricted sites zones while controls used on an intranet and trusted sites zones will not be affected by ActiveX Opt-In.

Should your control be on the pre-approved list?

Having your control on the pre-approved list can be valuable in some, but not all, situations. The situations below will help you determine if you need your control to be on the pre-approved list.

Putting a control on the pre-approved list will attract the attention and scrutiny of the security research community. Any vulnerabilities found in your control would expose a significantly larger number of users than if your control were not on the pre-approved list. Keeping your control off the pre-approved list will keep users secure by default and protect customers who are not using your control.

Your control should be on the pre-approved list if:
Your control is (or uses) an ActiveX control that is pre-installed on a user's machine by Windows or by an OEM

Controls installed by Windows or by an OEM will be disabled by ActiveX Opt-In unless you take steps to pre-approve them. Pre-approving your controls will ensure that users have the best possible experience on your Web site because it will work the way that you and the user expect.

Your control is intended to run from Internet Zone Web pages

If, in the process of installing your application, ActiveX controls are installed which are intended to run on the Internet, you might want to add these controls to the pre-approved list. Because the controls were installed by software, and not by the user, the controls will be disabled by ActiveX Opt-In.

Your control should not be on the pre-approved list if:
Your control is not intended to be run in Web pages served from the Internet

If your control is not intended to run in pages served from the Internet, then it should not be on the pre-approved list. There are two steps we highly recommend in order to prevent the control from running in IE.

1. Killbitting the control [http://support.microsoft.com/kb/240797] will ensure that it can never load in IE. Killbitting the control only requires setting a registry bit and is easily accomplished.
2. Do not mark the control safe for initialization or scripting. You should ensure this is true in both the component categories as well as through IObjectSafety mechanisms.
Your control is downloaded to the user's machine.

If your control is not locally installed on the user's machine then there is no need to be on the pre-approved list. When the user downloads the control and chooses to install it, then the control will be approved. The user will not be prompted again after choosing to install from the Authenticode dialog. Note: only the control whose CLSID was included in the object tag will be approved. If you have a single cab file which installs multiple controls, only the control initialized in the object tag will be approved. You might need to pre-approve any other controls which the .CAB file installs.

Your control is only intended to run on your corporate intranet or your control is for a line of business application.

You should not add these controls to the pre-approved list. ActiveX Opt-In is turned off by default in the intranet zone so your corporate ActiveX controls will not be affected. It would be a good idea to zone-lock these controls or restrict their capabilities when not running on an intranet.

If you have controls created for business applications which are not applicable to the general public, these controls should not be pre-approved. You should work with the network administrators where your applications run to ensure that the right controls get approved on your users’ machines. This can be done either through Manage Add-Ons group policy [http://support.microsoft.com/kb/883256] or by adding the controls to the pre-approved list in the registry.
How does my control get onto the pre-approved list?

Because pre-approved controls add to the attack surface of a user's system, you should make sure that your controls have been designed with security in mind. As the vendor for your ActiveX control, you are responsible for designing and testing it to ensure that the control meets the best practices criteria described in this document. By adding your control to the pre-approved list, you are warranting that you have reviewed the best practices for secure development outlined in this document and certify that implementation of your control followed these or equivalent principles for secure development of ActiveX controls. You are certifying that your control has no vulnerabilities to the best of your knowledge.

To put your control on the pre-approved list, you need to write the CLSID of the control to the following registry location.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved

If Microsoft determines that a control has a vulnerability and presents a danger to end users, Microsoft reserves the right to remove that control at any time from the pre-approved list.
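The kill bit, the safe-for-scripting and safe-for-initialization categories, and the pre-approved list discussed above all live in the registry, so they can be cross-checked from a registry export. The following is an added example, not code from the Microsoft document: it parses a .reg export and flags CLSIDs whose settings contradict each other. It assumes pre-approved CLSIDs are stored as subkeys of the PreApproved key and uses the kill bit location from KB240797 (the "Compatibility Flags" value 0x400 under "Internet Explorer\ActiveX Compatibility"); the function names, the sample export and its CLSIDs are constructed.

```python
import re
from collections import defaultdict
KILL_BIT = 0x400  # bit in "Compatibility Flags" (KB240797)
SAFE_CATS = {"{7DD95801-9882-11CF-9FA9-00AA006C42C4}": "safe_script",  # CATID_SafeForScripting
             "{7DD95802-9882-11CF-9FA9-00AA006C42C4}": "safe_init"}    # CATID_SafeForInitializing
G = r"(\{[0-9A-Fa-f-]{36}\})"  # a GUID; assumption: pre-approved CLSIDs are PreApproved subkeys
PREAPPROVED = re.compile(r"\\CurrentVersion\\Ext\\PreApproved\\" + G + "$", re.I)
COMPAT = re.compile(r"\\Internet Explorer\\ActiveX Compatibility\\" + G + "$", re.I)
CATEGORY = re.compile(r"\\CLSID\\" + G + r"\\Implemented Categories\\" + G + "$", re.I)
FLAGS = re.compile(r'"Compatibility Flags"=dword:([0-9a-f]{8})$', re.I)

def audit(reg_text):
    """Map each CLSID in a .reg export to its pre-approval, kill-bit and safety marks."""
    state = defaultdict(lambda: dict(preapproved=False, killbit=False,
                                     safe_script=False, safe_init=False))
    compat = None  # CLSID whose ActiveX Compatibility key is currently open
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key, compat = line[1:-1], None
            if m := PREAPPROVED.search(key):
                state[m[1].upper()]["preapproved"] = True
            elif m := COMPAT.search(key):
                compat = m[1].upper()
            elif (m := CATEGORY.search(key)) and m[2].upper() in SAFE_CATS:
                state[m[1].upper()][SAFE_CATS[m[2].upper()]] = True
        elif compat and (m := FLAGS.match(line)):
            state[compat]["killbit"] = bool(int(m[1], 16) & KILL_BIT)
    return dict(state)

def findings(state):
    """Yield (CLSID, problem) pairs for settings that contradict each other."""
    for clsid, s in sorted(state.items()):
        if s["killbit"] and s["preapproved"]:
            yield clsid, "pre-approved but kill bit set"
        if s["killbit"] and (s["safe_script"] or s["safe_init"]):
            yield clsid, "kill bit set but still marked safe"

# Constructed sample export; the CLSIDs are placeholders, not real controls.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-111111111111}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-1111-1111-1111-111111111111}]
"Compatibility Flags"=dword:00000400
[HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-222222222222}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{22222222-2222-2222-2222-222222222222}]
"Compatibility Flags"=dword:00000400
"""

if __name__ == "__main__":
    print(*findings(audit(SAMPLE)), sep="\n")
```

Safety declared through IObjectSafety is implemented in the control's code and does not appear in the registry, so a clean result here does not show that a control is unmarked.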
How to build secure ActiveX controls

Building a secure ActiveX control requires that designers, developers, and testers focus on security throughout the product lifecycle. Designers must restrict the capabilities of the control so that it can accomplish only the work it needs to do without any additional capabilities that might lead to exploits. Developers must code the control to act appropriately and safely when handling data. Testers must include test cases based on potential threats to the control. At each stage in the development lifecycle, security must be considered. The next sections go into more details on specific steps and considerations at each stage in the lifecycle of a control.

Principles of Secure Design for ActiveX Controls

Designing for security is important because ActiveX controls are exposed to content from malicious Web sites. Any Web site can try to use the control; all it needs is the control's class identifier (CLSID). When you designed your control, you may have thought primarily about the control being used by some well intentioned pages, maybe even on your own website. To be safe for running in the internet zone, you must design your control to be safe when loaded from any page on the internet, particularly malicious pages. You need to ensure that malicious Web sites can't exploit your control to harm the user's system. As you design, think about how the functionality of your control could be exploited and what measures you can take to protect users from these exploits.

Restrict the capabilities of your control

Because an ActiveX control is a Microsoft Win32 component, there is no sandboxing--it can run without restrictions. You should think about how you can restrict the functionality of your control to prevent others from repurposing it to malicious ends. One of the first things you should think about when you consider writing an ActiveX control is if you really need an ActiveX control to accomplish the functionality you need. If you do not need access to system resources, you can write the control as a Dynamic HTML (DHTML) behavior [http://msdn.microsoft.com/library/default.asp?url=/workshop/author/behaviors/overview.asp].

In order for your control to be safe, the interface exposed to IDispatch (and therefore the Web) should be scoped as narrowly as possible while still meeting your functional requirements. If your function does not absolutely require input parameters, then remove them. If you can narrow the scope of the input parameters to a handful of known inputs, then do so. If your control writes data to the local computer, or in any way changes the state or behavior of the system, take time to consider how your control might be abused by a malicious third party.

Some scenarios you should consider when designing your control include the following.
