2.1 Set 'Prevent per-user installation of ActiveX controls' to 'Enabled'

Information



This policy setting allows you to prevent the installation of ActiveX controls on a per-user
basis. If you enable this policy setting, ActiveX controls cannot be installed on a per-user
basis. If you disable or do not configure this policy setting, ActiveX controls can be installed
on a per-user basis. The recommended state for this setting is- Enabled.

*Rationale*

Per-user installation of ActiveX controls is a convenient feature that many organizations
may want to leverage. One benefit is that even if the user installs a control that includes a
malicious payload its impact will be limited to the privileges of the user who installed it.
Nevertheless, restricting the installation of ActiveX controls to administrators and using the
ActiveX Installer Service or some other centralized software deployment tool is a more
effective method for avoiding malware.

Solution

To establish the recommended configuration via Group Policy, set the following UI path to
Enabled.

Computer Configuration\Administrative Templates\Windows Components\Internet
Explorer\Prevent per-user installation of ActiveX controls

Impact-
If you enable this policy setting, ActiveX controls cannot be installed on a per-user basis. If
you disable or do not configure this policy setting, ActiveX controls can be installed on a
per-user basis.

See Also

https://workbench.cisecurity.org/files/1518

Item Details

Audit Name: CIS IE 11 v1.0.0

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-18(4)

Plugin: Windows

Control ID: ac103d33aa8631516358f38ea4a9157ef96c233a784bad24affd3acb7ff70e96