Internet Explorer Add-on Management and Crash Detection

  • Author
    Posts
    • #2200
      Webmaster
      Keymaster

      The Microsoft Windows Server 2003 Internet Explorer Enhanced Security Configuration component (also known as
      Microsoft Internet Explorer hardening) reduces a server’s vulnerability to attacks from Web content by applying more
      restrictive Internet Explorer security settings that disable scripts, ActiveX components, and file downloads for resources in the
      Internet security zone. As a result, many of the security enhancements included in the latest release of Internet Explorer will
      not be as noticeable in Windows Server 2003 Service Pack 1. For example, the new Internet Explorer Information Bar and
      Pop-up Blocker features will not be used unless the site is in a zone whose security setting allows scripting. If you are not
      using the enhanced security configuration on your server, these features will function as they do in Windows XP Service
      Pack 2.
      What does Internet Explorer Add-on Management and Crash Detection do?
      These are two new, closely-related features that are included in Internet Explorer.
      Internet Explorer Add-on Management allows users to view and control the list of add-ons that can be loaded by Internet
      Explorer with more detailed control than before. It also shows the presence of some add-ons that were previously not shown
      and could be very difficult to detect.
      Internet Explorer Add-on Crash Detection attempts to detect crashes in Internet Explorer that are related to an add-on. When
      the add-on is successfully identified, this information is presented to the user. The user has the option of disabling add-ons to
      diagnose crashes and improve the overall stability of Internet Explorer.
      Who does this feature apply to?
      Users will be able to view, enable, and disable the add-ons used by Internet Explorer, and identify add-ons that might be
      related to Internet Explorer crashes. Administrators can enforce a list of add-ons that are allowed or disallowed and restrict the
      ability of users to manage add-ons.
      What new functionality is added to this feature in Windows Server 2003 Service Pack 1?
      Internet Explorer Add-on Management
      Detailed description
      Internet Explorer Add-on Management allows users to view and control the list of add-ons that can be loaded by Internet
      Explorer with more detailed control than before. It also shows the presence of some add-ons that were previously not shown
      and could be very difficult to detect. These add-ons might provide undesired functionality or services and, in some cases, might
      present a security risk.
      For example, a user might unintentionally install an add-on that secretly records all Web page activity and reports it to a central
      server. Previously, specialized software and deep technical knowledge might have been required to identify and remove that
      add-on. Internet Explorer Add-on Management provides an easier way to detect and disable that add-on.
      Add-ons include:
      • Browser helper objects
      • ActiveX controls
      • Toolbar extensions
      • Browser extensions
      Add-ons can be installed from a variety of locations and in several ways, including:
      • Download and installation while viewing Web pages.
      • Installation by the user by way of an executable program.
      • As pre-installed components of the operating system.
      • As pre-installed add-ons that come with the operating system.
      Manage Add-ons
      Users can enable and disable each add-on individually and view information about how often the add-ons have been used by
      Internet Explorer. To do this, use one of the following procedures to open Manage Add-ons.
      Open Manage Add-ons using Internet Explorer
      1. Click Start, and then click Internet Explorer.
      2. On the Tools menu, click Manage Add-ons.
      Open Manage Add-ons using the Control Panel
      1. Click Start, and then click Control Panel.
      2. Double-click Internet Options.
      3. Click the Programs tab, and then click Manage Add-ons.
      Manage Add-ons has several options that allow you to change your add-on configuration.
      You can use the Show drop-down list in Manage Add-ons to control the way in which the add-ons list is displayed. It has two
      options:
      • Add-ons currently loaded in Internet Explorer. This option lists the add-ons that have been instantiated (or loaded
        into memory) within the current Internet Explorer process and those that have been blocked from instantiating. This
        includes ActiveX controls that were used by Web pages that were previously viewed within the current process.
      • Add-ons that have been used by Internet Explorer. This option lists all add-ons that have been referenced by
        Internet Explorer and are still installed.
      The list of add-ons shows all installed add-ons of the types listed previously in the detailed description section. To enable or
      disable an installed add-on, click the add-on in the list, then click Enable or Disable.
      If you click an ActiveX control in the list, then click Update ActiveX, Windows searches for an update at the location where the
      original control was found. If a newer version is found at that location, Internet Explorer attempts to install the update.
      The list of add-ons also contains signed add-ons that were blocked from installation because their publisher was untrusted.
      After selecting one of these controls, the user can unblock the control by clicking Allow. Caution should be exercised when
      doing this, because clicking Allow removes the publisher from the Untrusted list.
      Blocked Add-on status bar icon
      A Blocked Add-on icon appears in the status bar when a Web page attempts to instantiate an ActiveX control that is disabled
      or blocked because its publisher is untrusted. You can double-click the icon to open Manage Add-ons. The status bar icon is
      accompanied by a balloon tip the first five times it appears.
      Add-on notification balloon tip
      When a Web page attempts to instantiate a disabled add-on and there is no current Blocked Add-on status bar icon, a message
      appears to tell the user that the current Web page is requesting an add-on that is disabled. The user can click the message for
      more details on blocking add-ons.
      You can use the Internet Options Control Panel to suppress the message.
      Why is this change important?
      Windows Error Reporting data has shown that add-ons are a major cause of stability issues in Internet Explorer. These add-ons
      significantly affect the reliability of Internet Explorer. These add-ons can also pose a security risk, because they might contain
      malicious and unknown code.
      Many users are unaware of the add-ons they have installed on their computer. Some add-ons are loaded whenever Internet
      Explorer is started, but cannot be detected unless the user searches the registry. When users experienced crashes, there was no
      easy way to diagnose whether the issue was related to an add-on. Even if they suspected that the problem stemmed from
      recently-installed software, it was difficult to isolate the cause and often impossible to resolve if the software did not provide
      an uninstall option.
      Internet Explorer Add-on Management, together with Add-on Crash Detection, gives users the ability to improve the security
      and stability of their systems by identifying and disabling problematic add-ons. Administrators are also provided with a
      powerful administrative tool to control add-on use in their organization.
      What works differently?
      Behavior when add-ons are disabled
      Disabling an add-on does not remove it from the computer. It only prevents Internet Explorer from instantiating the object and
      executing its code. There is no guarantee that the disabled add-on will never be loaded, since an add-on that is considered by
      Internet Explorer to be disabled can still be used by another component in the system. The behavior that is displayed by
      disabling different object types varies.
      • If an ActiveX control is disabled, Web pages that rely on the control might not work as expected. They behave as if the
        user has uninstalled the control from the computer and declined to install it. Users are not prompted to upgrade controls
        that have been disabled.
      • If a browser helper object is disabled, functionality that depends on the object is not available, and there is no visual
        indication that a component is disabled.
      • If a browser extension is disabled, toolbar buttons and menu entry points are not shown for that extension. Internet
        Explorer behaves as if the extension was not installed.
      • If a toolbar extension is disabled, the toolbar does not appear in Internet Explorer and, on the View menu, the Toolbars
        item is disabled. Internet Explorer behaves as if the toolbar was not installed.
      The concept of a disabled add-on only applies to instances of Internet Explorer (Iexplore.exe) and Windows Explorer
      (Explorer.exe) by default. Currently, other programs based on Internet Explorer components, such as the WebBrowser control, do
      not respect the disabled state. However, you can use the feature control key to extend this functionality to other applications.
      Some software programs depend on a combination of multiple add-ons to work correctly, and disabling any one of them
      might cause problems. Caution should be exercised when deciding to disable one or more add-ons.
      Uninstallation
      If the user disables a non-ActiveX add-on and subsequently uninstalls and then re-installs it, the add-on might remain in a
      disabled state. This is because Internet Explorer is not notified of application installations and does not detect any application
      state changes. However, if Internet Explorer is started while the add-on is not installed, it detects a change and automatically
      clears the disabled state.
      If the user disables an ActiveX control and then uninstalls it, the next time a Web page attempts to use the control, Internet
      Explorer detects that the control is no longer present and clears the disabled state. However, if the ActiveX control is reinstalled
      using an executable file (as opposed to a Web page download) before there are any attempts to instantiate the control, then it
      remains disabled. This is because Internet Explorer does not detect a state change.
      How do I resolve these issues?
      In the event that disabling an add-on causes a lack of functionality, it can be restored by enabling the add-on in Manage Add-ons.
      Internet Explorer must be restarted for new settings to take effect, with the exception of ActiveX controls, where reloading
      the affected page might be sufficient.
      Internet Explorer Add-on Management for Administrators
      Detailed description
      Disabling the Crash Detection feature
      To disable the Crash Detection feature of Add-on Management, see “What settings are added or changed in Windows
      Server 2003 Service Pack 1?” below. When Crash Detection is disabled, a crash in Internet Explorer exhibits previous behavior,
      which is usually to invoke Windows Error Reporting. All policies for Windows Error Reporting continue to apply.
      Disabling Add-on Management user interface
      To disable the Add-on Management user interface, see “What settings are added or changed in Windows Server 2003 Service
      Pack 1?” below. When the Add-on Management user interface is disabled, the Enable and Disable options are unavailable in
      Manage Add-ons.
      Deny all add-ons unless specifically allowed in the Add-on list
      This policy setting allows administrators to ensure that any Internet Explorer add-ons not listed in the Add-on List policy
      setting will be denied.
      To set this policy, an administrator can modify the RestrictToList registry key in either of the following locations:
      HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\
      HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\
      Key reference
      Name: RestrictToList
      Type: DWORD
      Value:
      1 (Anything not on the Add-on list is considered disabled.)
      0 (Anything not on the Add-on list works as it would without policy.)
      Add-on List
      Administrators can control the use of specific add-ons through the add-on list policy. Administrators can choose to enable or
      disable an add-on as well as allow a specific add-on to be managed by the user.
      To set this policy, an administrator can create a registry value based on the GUID of the add-on in either of the following keys
      and then set the desired value:
      HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID
      HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID
      Each add-on is a value in this registry key with the following properties.
      Key reference
      Name: GUID of add-on
      Type: REG_SZ
      Value:
      0 – Add-on is disabled and cannot be managed by the end user.
      1 – Add-on is allowed and cannot be managed by the end user.
      2 – Add-on is allowed and can be managed by the end user.
      The Add-on (CLSID) lists are empty by default.
      Behavior of Management user interface when policies are applied
      When an Add-on Management policy is in effect, and the user selects an add-on from the management list that is disabled by
      policy, Enable and Disable are unavailable.
      Why is this change important?
      This feature allows administrators to control the usage of the new features.
      What works differently?
      The new features for allowing and disallowing add-ons work in conjunction with existing policies for managing ActiveX
      controls. Add-on disabling is applied on top of existing checks and does not replace other security restrictions that might be in
      place. For example, if an ActiveX control is blocked by its ActiveX compatibility flags, it will always be blocked, regardless of the
      add-on management settings.
      Using the “Deny all add-ons unless specifically allowed in the Add-on List” policy will disable script and other controls
      necessary for some Web pages to function properly. For a list of CLSIDs that might need to be enabled for certain Web sites to
      function correctly, see the article on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=45658
      How do I resolve these issues?
      If you are using the “Deny all add-ons unless specifically allowed in the Add-on list” policy, some Web applications might break
      due to disabled scripting and other disabled controls. For information about enabling scripting and other commonly used Web
      controls, see the article on the Microsoft Web site at http://go.microsoft.com/fwlink/?linkid=45658
      In the event that these controls do not address the issue and adding these policies continues to remove functionality that is
      required for a Web application that you want to use, remove the policies that were applied and restart Internet Explorer.
      Internet Explorer Add-on Crash Detection
      Detailed description
      Whenever Internet Explorer stops unexpectedly, Windows starts the Add-on Crash Detection program. Add-on Crash Detection
      is an error analysis program that examines the state of the Iexplore.exe (Internet Explorer) process. It collects the list of dynamic
      link libraries (DLLs) that are loaded, and the value of the instruction pointer register (EIP) at the time of the crash. Add-on Crash
      Detection then attempts to find the DLL whose memory range the EIP lies within. This DLL is often the cause of the crash. If a
      DLL is found, it is not a system DLL, and the DLL is the COM server for an Internet Explorer add-on, the Internet Explorer Add-on
      Crash Detection dialog box appears. This dialog box contains information that indicates which add-on caused the crash, the
      name of the company associated with the add-on, and the description of the DLL file that contains the add-on code. To display
      Manage Add-ons, which you can then use to disable the identified add-on, click Advanced. After you review the information
      and click Continue, the standard Windows Error Reporting window opens.
      Why is this change important? What threats does it help mitigate?
      For this information, see “Internet Explorer Add-on Management for Users,” earlier in this subject.
      What works differently?
      Since this feature only runs when Internet Explorer stops operating, there should be no changes to normal operation.
      What settings are added or changed in Windows Server 2003 Service Pack 1?
      Internet Explorer Add-on Management and Crash Detection Settings
      Setting name: Disable Crash Detection
      Location: HKCU {or HKLM}\Software\Policies\Microsoft\Internet Explorer\Restrictions
      Name: NoCrashDetection
      Type: DWORD
      Default value: 0
      Possible values:
      0 — Off
      1 — On
      Setting name: Deny all add-ons unless specifically allowed in the Add-on List
      Location: HKCU {or HKLM}\Microsoft\Windows\CurrentVersion\Policies\Ext\
      Name: RestrictToList
      Type: DWORD
      Default value: 0
      Possible values:
      0 — Off
      1 — On
      Setting name: Add-on List
      Location: HKCU {or HKLM}\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID
      Name: GUID of the control
      Type: REG_SZ
      Default value: Not available
      Possible values:
      0 – Add-on is disabled and cannot be managed by the end user.
      1 – Add-on is allowed and cannot be managed by the end user.
      2 – Add-on is allowed and CAN be managed by the end user.
      Do I need to change my code to work with Windows Server 2003 Service Pack 1?
      Your code does not need to change to work with Internet Explorer Add-on Crash Detection or Add-on Management.
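
An added example, not part of the original post or of any Microsoft tooling: an offline check of a `.reg` export of one hive's `Policies\Ext` key that applies the RestrictToList and Add-on List rules described above. The sample export and its CLSIDs are constructed placeholders, and the function names are hypothetical; the post does not say how Internet Explorer treats a list value of the wrong type, so such entries are only flagged.

```python
import re

# Constructed sample: a .reg export of one hive's Policies\Ext key.
# The CLSIDs are placeholders, not real add-ons.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext]
"RestrictToList"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID]
"{AAAAAAAA-0000-0000-0000-000000000001}"="1"
"{AAAAAAAA-0000-0000-0000-000000000002}"="0"
"{AAAAAAAA-0000-0000-0000-000000000003}"=dword:00000002
'''

EXT = r"software\microsoft\windows\currentversion\policies\ext"
STATES = {"0": "disabled, not user-manageable",
          "1": "allowed, not user-manageable",
          "2": "allowed, user-manageable"}

def parse_ext_policy(reg_text):
    """Return (RestrictToList enabled?, {CLSID: raw value}) from a .reg export."""
    restrict, addons, section = False, {}, None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("["):
            subkey = line.strip("[]").lower().partition("\\")[2]  # drop hive name
            section = {EXT: "ext", EXT + r"\clsid": "clsid"}.get(subkey)
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if not m or section is None:
            continue
        name, raw = m.groups()
        if section == "ext" and name.lower() == "restricttolist":
            dword = re.fullmatch(r"dword:([0-9a-fA-F]{8})", raw)
            restrict = bool(dword) and int(dword.group(1), 16) == 1
        elif section == "clsid":
            addons[name.upper()] = raw  # keep raw text so a wrong type stays visible
    return restrict, addons

def effective_state(clsid, restrict, addons):
    """A listed add-on takes its list value; otherwise RestrictToList decides."""
    raw = addons.get(clsid.upper())  # registry value names are case-insensitive
    if raw is None:
        return "disabled (not on Add-on List)" if restrict else "no add-on policy"
    value = re.fullmatch(r'"([012])"', raw)  # must be REG_SZ "0", "1" or "2"
    return STATES[value.group(1)] if value else "unrecognized value: " + raw

if __name__ == "__main__":
    restrict, addons = parse_ext_policy(SAMPLE_REG)
    for clsid in list(addons) + ["{AAAAAAAA-0000-0000-0000-000000000004}"]:
        print(clsid, "->", effective_state(clsid, restrict, addons))
```
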
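
An added sketch, not Microsoft's implementation, of the attribution step described under Add-on Crash Detection: find the loaded module whose address range contains EIP, then report it only if it is not a system DLL and is an add-on's COM server. The module list, addresses and names are constructed, and the `system` and `addon` flags are assumed to be supplied by the caller.

```python
from bisect import bisect_right
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Module:
    name: str
    base: int                    # load address
    size: int                    # image size in bytes
    system: bool = False         # True for operating-system DLLs (caller-supplied)
    addon: Optional[str] = None  # add-on name if this DLL is an add-on's COM server

# Constructed module list for a crashed Iexplore.exe process.
MODULES = [
    Module("iexplore.exe", 0x00400000, 0x19000, system=True),
    Module("exampletoolbar.dll", 0x10000000, 0x40000, addon="Example Toolbar"),
    Module("helperlib.dll", 0x20000000, 0x10000),  # third-party, not an add-on
    Module("mshtml.dll", 0x7DC30000, 0x300000, system=True),
]

def attribute_crash(eip: int, modules: List[Module]) -> Optional[Module]:
    """Return the add-on DLL to name in the dialog, or None if none qualifies."""
    ordered = sorted(modules, key=lambda m: m.base)
    # Last module whose base is <= EIP; it is the only one that can contain EIP.
    idx = bisect_right([m.base for m in ordered], eip) - 1
    if idx < 0:
        return None                      # EIP below every loaded module
    hit = ordered[idx]
    if eip >= hit.base + hit.size:
        return None                      # EIP in a gap (heap, stack, unmapped)
    if hit.system or hit.addon is None:
        return None                      # only non-system add-on DLLs are reported
    return hit

if __name__ == "__main__":
    for eip in (0x10001234, 0x7DC40000, 0x20000010, 0x00100000):
        hit = attribute_crash(eip, MODULES)
        print(hex(eip), "->", hit.addon if hit else "no add-on identified")
```

A crash that an add-on triggers inside a system DLL (second case) is not attributed to it, which is why the post says the containing DLL is often, not always, the cause.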
