1.2.1.4 Ensure 'Bind to Object' is set to Enabled - exprwd.exe

Information

This setting determines whether Microsoft Internet Explorer performs its typical safety checks on Microsoft ActiveX® controls when opening URLs that are passed to it by an Office application.

By default, Internet Explorer performs additional safety checks when ActiveX controls are initialized. Specifically, it prevents the control from being created if the kill bit is set in the registry. It also checks the security settings for the zone of the URL in which the control is instantiated to determine whether the control can be safely initialized. For the selectable applications, such as Excel and Word, to get the same behavior when they launch Internet Explorer, the policy must be Enabled and the applications selected.

The recommended state for this setting is: Enabled. (Check: groove.exe, excel.exe, mspub.exe, powerpnt.exe, pptview.exe, visio.exe, winproj.exe, outlook.exe, spDesign.exe, exprwd.exe, msaccess.exe, onent.exe, mse7.exe)

Internet Explorer performs a number of safety checks before initializing an ActiveX control. It will not initialize a control if the kill bit for the control is set in the registry, or if the security settings for the zone in which the control is located do not allow it to be initialized. This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a Web page). A security risk could occur if potentially dangerous controls are allowed to load.

Solution

To implement the recommended configuration state, set the following Group Policy setting to Enabled.

Computer Configuration\Administrative Templates\Microsoft Office 2016 (Machine)\Security Settings\IE Security\Bind to Object

Impact: Enabling this setting can cause some disruptions for users who open Web pages that contain potentially dangerous ActiveX controls from Office applications. However, because any affected controls are usually blocked by default when Internet Explorer opens Web pages, most users should not experience significant usability issues.

See Also

https://workbench.cisecurity.org/files/571

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CSCv6|3.1

Plugin: Windows

Control ID: 97921291db4a9144180193876649ddef3aa30efb0e126cf3f7c9de0506dbdbc4