Internet Explorer Add-on Management and Crash Detection


This topic contains 0 replies, has 1 voice, and was last updated by  Webmaster 3 months, 1 week ago.

  • Author
    Posts
  • #2200

    Webmaster
    Keymaster

    The Microsoft Windows Server 2003 Internet Explorer Enhanced Security Configuration component (also known as
    Microsoft Internet Explorer hardening) reduces a server’s vulnerability to attacks from Web content by applying more
    restrictive Internet Explorer security settings that disable scripts, ActiveX components, and file downloads for resources in the
    Internet security zone. As a result, many of the security enhancements included in the latest release of Internet Explorer will
    not be as noticeable in Windows Server 2003 Service Pack 1. For example, the new Internet Explorer Information Bar and
    Pop-up Blocker features will not be used unless the site is in a zone whose security setting allows scripting. If you are not
    using the enhanced security configuration on your server, these features will function as they do in Windows XP Service
    Pack 2.

    What does Internet Explorer Add-on Management and Crash Detection do?

    These are two new, closely-related features that are included in Internet Explorer.

    Internet Explorer Add-on Management allows users to view and control the list of add-ons that can be loaded by Internet
    Explorer with more detailed control than before. It also shows the presence of some add-ons that were previously not shown
    and could be very difficult to detect.

    Internet Explorer Add-on Crash Detection attempts to detect crashes in Internet Explorer that are related to an add-on. When
    the add-on is successfully identified, this information is presented to the user. The user has the option of disabling add-ons to
    diagnose crashes and improve the overall stability of Internet Explorer.

    Who does this feature apply to?

    Users will be able to view, enable, and disable the add-ons used by Internet Explorer, and identify add-ons that might be
    related to Internet Explorer crashes. Administrators can enforce a list of add-ons that are allowed or disallowed and restrict the
    ability of users to manage add-ons.

    What new functionality is added to this feature in Windows Server 2003 Service Pack 1?

    Internet Explorer Add-on Management

    Detailed description

    Internet Explorer Add-on Management allows users to view and control the list of add-ons that can be loaded by Internet
    Explorer with more detailed control than before. It also shows the presence of some add-ons that were previously not shown
    and could be very difficult to detect. These add-ons might provide undesired functionality or services and, in some cases, might
    present a security risk.

    For example, a user might unintentionally install an add-on that secretly records all Web page activity and reports it to a central
    server. Previously, specialized software and deep technical knowledge might have been required to identify and remove that
    add-on. Internet Explorer Add-on Management provides an easier way to detect and disable that add-on.

    Add-ons include:
    • Browser helper objects
    • ActiveX controls
    • Toolbar extensions
    • Browser extensions

    Add-ons can be installed from a variety of locations and in several ways, including:
    • Download and installation while viewing Web pages.
    • Installation by the user by way of an executable program.
    • As pre-installed components of the operating system.
    • As pre-installed add-ons that come with the operating system.

    Manage Add-ons

    Users can enable and disable each add-on individually and view information about how often the add-ons have been used by
    Internet Explorer. To do this, use one of the following procedures to open Manage Add-ons.

    Open Manage Add-ons using Internet Explorer
    1. Click Start, and then click Internet Explorer.
    2. On the Tools menu, click Manage Add-ons.

    Open Manage Add-ons using the Control Panel
    1. Click Start, and then click Control Panel.
    2. Double-click Internet Options.
    3. Click the Programs tab, and then click Manage Add-ons.

    Manage Add-ons has several options that allow you to change your add-on configuration.

    You can use the Show drop-down list in Manage Add-ons to control the way in which the add-ons list is displayed. It has two
    options:
    • Add-ons currently loaded in Internet Explorer. This option lists the add-ons that have been instantiated (or loaded
      into memory) within the current Internet Explorer process and those that have been blocked from instantiating. This
      includes ActiveX controls that were used by Web pages that were previously viewed within the current process.
    • Add-ons that have been used by Internet Explorer. This option lists all add-ons that have been referenced by
      Internet Explorer and are still installed.

    The list of add-ons shows all installed add-ons of the types listed previously in the detailed description section. To enable or
    disable an installed add-on, click the add-on in the list, then click Enable or Disable.

    If you click an ActiveX control in the list, then click Update ActiveX, Windows searches for an update at the location where the
    original control was found. If a newer version is found at that location, Internet Explorer attempts to install the update.

    The list of add-ons also contains signed add-ons that were blocked from installation because their publisher was untrusted.
    After selecting one of these controls, the user can unblock the control by clicking Allow. Caution should be exercised when
    doing this, because clicking Allow removes the publisher from the Untrusted list.

    Blocked Add-on status bar icon

    A Blocked Add-on icon appears in the status bar when a Web page attempts to instantiate an ActiveX control that is disabled
    or blocked because its publisher is untrusted. You can double-click the icon to open Manage Add-ons. The status bar icon is
    accompanied by a balloon tip the first five times it appears.

    Add-on notification balloon tip

    When a Web page attempts to instantiate a disabled add-on and there is no current Blocked Add-on status bar icon, a message
    appears to tell the user that the current Web page is requesting an add-on that is disabled. The user can click the message for
    more details on blocking add-ons.

    You can use the Internet Options Control Panel to suppress the message.

    Why is this change important?

    Windows Error Reporting data has shown that add-ons are a major cause of stability issues in Internet Explorer. These add-ons
    significantly affect the reliability of Internet Explorer. These add-ons can also pose a security risk, because they might contain
    malicious and unknown code.

    Many users are unaware of the add-ons they have installed on their computer. Some add-ons are loaded whenever Internet
    Explorer is started, but cannot be detected unless the user searches the registry. When users experienced crashes, there was no
    easy way to diagnose whether the issue was related to an add-on. Even if they suspected that the problem stemmed from
    recently-installed software, it was difficult to isolate the cause and often impossible to resolve if the software did not provide
    an uninstall option.

    Internet Explorer Add-on Management, together with Add-on Crash Detection, gives users the ability to improve the security
    and stability of their systems by identifying and disabling problematic add-ons. Administrators are also provided with a
    powerful administrative tool to control add-on use in their organization.

    What works differently?

    Behavior when add-ons are disabled

    Disabling an add-on does not remove it from the computer. It only prevents Internet Explorer from instantiating the object and
    executing its code. There is no guarantee that the disabled add-on will never be loaded, since an add-on that is considered by
    Internet Explorer to be disabled can still be used by another component in the system. The behavior that is displayed by
    disabling different object types varies.
    • If an ActiveX control is disabled, Web pages that rely on the control might not work as expected. They behave as if the
      user has uninstalled the control from the computer and declined to install it. Users are not prompted to upgrade controls
      that have been disabled.
    • If a browser helper object is disabled, functionality that depends on the object is not available, and there is no visual
      indication that a component is disabled.
    • If a browser extension is disabled, toolbar buttons and menu entry points are not shown for that extension. Internet
      Explorer behaves as if the extension was not installed.
    • If a toolbar extension is disabled, the toolbar does not appear in Internet Explorer and, on the View menu, the Toolbars
      item is disabled. Internet Explorer behaves as if the toolbar was not installed.

    The concept of a disabled add-on only applies to instances of Internet Explorer (Iexplore.exe) and Windows Explorer
    (Explorer.exe) by default. Currently, other programs based on Internet Explorer components, such as the WebBrowser control, do
    not respect the disabled state. However, you can use the feature control key to extend this functionality to other applications.

    Some software programs depend on a combination of multiple add-ons to work correctly, and disabling any one of them
    might cause problems. Caution should be exercised when deciding to disable one or more add-ons.

    Uninstallation

    If the user disables a non-ActiveX add-on and subsequently uninstalls and then re-installs it, the add-on might remain in a
    disabled state. This is because Internet Explorer is not notified of application installations and does not detect any application
    state changes. However, if Internet Explorer is started while the add-on is not installed, it detects a change and automatically
    clears the disabled state.

    If the user disables an ActiveX control and then uninstalls it, the next time a Web page attempts to use the control, Internet
    Explorer detects that the control is no longer present and clears the disabled state. However, if the ActiveX control is reinstalled
    using an executable file (as opposed to a Web page download) before there are any attempts to instantiate the control, then it
    remains disabled. This is because Internet Explorer does not detect a state change.

    How do I resolve these issues?

    In the event that disabling an add-on causes a lack of functionality, it can be restored by enabling the add-on in Manage Add-ons.
    Internet Explorer must be restarted for new settings to take effect, with the exception of ActiveX controls, where reloading
    the affected page might be sufficient.

    Internet Explorer Add-on Management for Administrators

    Detailed description

    Disabling the Crash Detection feature

    To disable the Crash Detection feature of Add-on Management, see “What settings are added or changed in Windows
    Server 2003 Service Pack 1?” below. When Crash Detection is disabled, a crash in Internet Explorer exhibits previous behavior,
    which is usually to invoke Windows Error Reporting. All policies for Windows Error Reporting continue to apply.

    Disabling Add-on Management user interface

    To disable the Add-on Management user interface, see “What settings are added or changed in Windows Server 2003 Service
    Pack 1?” below. When the Add-on Management user interface is disabled, the Enable and Disable options are unavailable in
    Manage Add-ons.

    Deny all add-ons unless specifically allowed in the Add-on list

    This policy setting allows administrators to ensure that any Internet Explorer add-ons not listed in the Add-on List policy
    setting will be denied.

    To set this policy, an administrator can modify the RestrictToList registry key in either of the following locations:
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\

    Key reference
    Name: RestrictToList
    Type: DWORD
    Value:
    1 (Anything not on the Add-on list is considered disabled.)
    0 (Anything not on the Add-on list works as it would without policy.)

    Add-on List

    Administrators can control the use of specific add-ons through the add-on list policy. Administrators can choose to enable or
    disable an add-on as well as allow a specific add-on to be managed by the user.

    To set this policy, an administrator can create a registry value based on the GUID of the add-on in either of the following keys
    and then set the desired value:
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID

    Each add-on is a value in this registry key with the following properties.

    Key reference
    Name: GUID of add-on
    Type: REG_SZ
    Value:
    0 – Add-on is disabled and cannot be managed by the end user.
    1 – Add-on is allowed and cannot be managed by the end user.
    2 – Add-on is allowed and can be managed by the end user.

    The Add-on (CLSID) lists are empty by default.

    Behavior of Management user interface when policies are applied

    When an Add-on Management policy is in effect, and the user selects an add-on from the management list that is disabled by
    policy, Enable and Disable are unavailable.

    Why is this change important?

    This feature allows administrators to control the usage of the new features.

    What works differently?

    The new features for allowing and disallowing add-ons work in conjunction with existing policies for managing ActiveX
    controls. Add-on disabling is applied on top of existing checks and does not replace other security restrictions that might be in
    place. For example, if an ActiveX control is blocked by its ActiveX compatibility flags, it will always be blocked, regardless of the
    add-on management settings.

    Using the “Deny all add-ons unless specifically allowed in the Add-on List” policy will disable script and other controls
    necessary for some Web pages to function properly. For a list of CLSIDs that might need to be enabled for certain Web sites to
    function correctly, see the article on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=45658

    How do I resolve these issues?

    If you are using the “Deny all add-ons unless specifically allowed in the Add-on list” policy, some Web applications might break
    due to disabled scripting and other disabled controls. For information about enabling scripting and other commonly used Web
    controls, see the article on the Microsoft Web site at http://go.microsoft.com/fwlink/?linkid=45658

    In the event that these controls do not address the issue and adding these policies continues to remove functionality that is
    required for a Web application that you want to use, remove the policies that were applied and restart Internet Explorer.

    Internet Explorer Add-on Crash Detection

    Detailed description

    Whenever Internet Explorer stops unexpectedly, Windows starts the Add-on Crash Detection program. Add-on Crash Detection
    is an error analysis program that examines the state of the Iexplore.exe (Internet Explorer) process. It collects the list of dynamic
    link libraries (DLLs) that are loaded, and the value of the instruction pointer register (EIP) at the time of the crash. Add-on Crash
    Detection then attempts to find the DLL whose memory range the EIP lies within. This DLL is often the cause of the crash. If a
    DLL is found, it is not a system DLL, and the DLL is the COM server for an Internet Explorer add-on, the Internet Explorer Add-on
    Crash Detection dialog box appears. This dialog box contains information that indicates which add-on caused the crash, the
    name of the company associated with the add-on, and the description of the DLL file that contains the add-on code. To display
    Manage Add-ons, which you can then use to disable the identified add-on, click Advanced. After you review the information
    and click Continue, the standard Windows Error Reporting window opens.

    Why is this change important? What threats does it help mitigate?

    For this information, see “Internet Explorer Add-on Management for Users,” earlier in this subject.

    What works differently?

    Since this feature only runs when Internet Explorer stops operating, there should be no changes to normal operation.

    What settings are added or changed in Windows Server 2003 Service Pack 1?

    Internet Explorer Add-on Management and Crash Detection Settings

    Setting name: Disable Crash Detection
    Location: HKCU {or HKLM}\Software\Policies\Microsoft\Internet Explorer\Restrictions
    Name: NoCrashDetection
    Type: DWORD
    Default value: 0
    Possible values: 0 — Off, 1 — On

    Setting name: Deny all add-ons unless specifically allowed in the Add-on List
    Location: HKCU {or HKLM}\Microsoft\Windows\CurrentVersion\Policies\Ext\
    Name: RestrictToList
    Type: DWORD
    Default value: 0
    Possible values: 0 — Off, 1 — On

    Setting name: Add-on List
    Location: HKCU {or HKLM}\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID
    Name: GUID of the control
    Type: REG_SZ
    Default value: Not available
    Possible values:
    0 – Add-on is disabled and cannot be managed by the end user.
    1 – Add-on is allowed and cannot be managed by the end user.
    2 – Add-on is allowed and CAN be managed by the end user.

    Do I need to change my code to work with Windows Server 2003 Service Pack 1?
    Your code does not need to change to work with Internet Explorer Add-on Crash Detection or Add-on Management.
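
One way to audit the "Deny all add-ons unless specifically allowed in the Add-on list" and "Add-on List" policies described above, as an added example that is not part of the original post or any Microsoft tooling: the Python code below parses text in the .reg format written by reg export and reports the policy state of one add-on GUID within one hive. The sample export, its GUIDs and the names parse_reg and addon_state are constructed for illustration; the page does not say how HKLM and HKCU combine, so each hive is evaluated on its own.

```python
import re

EXT = r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext"

# Constructed sample in .reg text format; the GUIDs are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext]
"RestrictToList"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID]
"{11111111-1111-1111-1111-111111111111}"="1"
"{22222222-2222-2222-2222-222222222222}"="2"
"{33333333-3333-3333-3333-333333333333}"="0"
'''

def parse_reg(text):
    """Return {KEY_PATH: {VALUE_NAME: value}}; names upper-cased, REG_SZ and DWORD only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
        elif current is not None:
            m = re.match(r'^"([^"]+)"=(?:"([^"]*)"|dword:([0-9a-fA-F]{8}))$', line)
            if m:
                name, sz, dword = m.groups()
                current[name.upper()] = sz if sz is not None else int(dword, 16)
    return keys

def addon_state(keys, guid, hive="HKEY_LOCAL_MACHINE"):
    """Policy state of one add-on GUID according to a single hive."""
    ext = keys.get((hive + EXT).upper(), {})
    clsid = keys.get((hive + EXT + "\\CLSID").upper(), {})
    listed = clsid.get(guid.upper())
    if listed is not None:
        # REG_SZ values 0/1/2 as documented in the Add-on List key reference.
        return {"0": "disabled, locked",
                "1": "allowed, locked",
                "2": "allowed, user-managed"}.get(listed, "unrecognised value")
    if ext.get("RESTRICTTOLIST", 0) == 1:
        return "disabled, not on list"   # deny-by-default is in force
    return "no policy"                   # behaves as it would without policy
```

With RestrictToList set to 1, any GUID missing from the CLSID list comes back as "disabled, not on list", which is the case to check first when a Web application breaks after the policy is applied.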
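
The lookup that the "Internet Explorer Add-on Crash Detection" section describes (find the loaded DLL whose memory range contains EIP, then check that it is not a system DLL and is an add-on's COM server), as an added Python example that is not Microsoft's implementation. The module list, addresses, system-DLL set and add-on map are constructed stand-ins for data the real program reads from the crashed process and the registry.

```python
from bisect import bisect_right

# Constructed module list: (name, base address, size in bytes).
MODULES = [
    ("iexplore.exe", 0x00400000, 0x00019000),
    ("ntdll.dll",    0x7C800000, 0x000C0000),
    ("mshtml.dll",   0x7D4A0000, 0x002F2000),
    ("toolbar.dll",  0x10000000, 0x00042000),
]
# Hypothetical classification tables for this example.
SYSTEM_DLLS = {"ntdll.dll", "mshtml.dll"}
ADDON_COM_SERVERS = {"toolbar.dll": "Example Toolbar (hypothetical BHO)"}

def module_for_address(modules, eip):
    """Name of the module whose [base, base + size) range contains eip, else None."""
    ordered = sorted(modules, key=lambda m: m[1])
    bases = [m[1] for m in ordered]
    i = bisect_right(bases, eip) - 1      # last module starting at or below eip
    if i < 0:
        return None
    name, base, size = ordered[i]
    return name if base <= eip < base + size else None

def attribute_crash(modules, eip, system_dlls=SYSTEM_DLLS, addons=ADDON_COM_SERVERS):
    """Classify a crash by the module containing the faulting instruction pointer."""
    name = module_for_address(modules, eip)
    if name is None:
        return ("unattributed", None)     # EIP is outside every loaded module
    if name.lower() in system_dlls:
        return ("system", name)           # no add-on dialog for system DLLs
    if name.lower() in addons:
        return ("add-on", addons[name.lower()])
    return ("other", name)                # loaded module that is not an add-on
```

An EIP that lands in a system DLL or outside any module is not attributed to an add-on by this check, which is why the page says only that the containing DLL is often the cause of the crash.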
