The Microsoft Windows Server 2003 Internet Explorer Enhanced Security Configuration component (also known as
Microsoft Internet Explorer hardening) reduces a server’s vulnerability to attacks from Web content by applying more
restrictive Internet Explorer security settings that disable scripts, ActiveX components, and file downloads for resources in the
Internet security zone. As a result, many of the security enhancements included in the latest release of Internet Explorer will
not be as noticeable in Windows Server 2003 Service Pack 1. For example, the new Internet Explorer Notification Bar and
Pop-up Blocker features will not be used unless the site is in a zone whose security setting allows scripting. If you are not
using the enhanced security configuration on your server, these features will function as they do in Windows XP Service
What does BindToObject Mitigation do?
In Windows Server 2003 with Service Pack 1, the ActiveX security model is applied in all cases where URL binding is used to
instantiate and initialize an object. The ActiveX security model allows controls to be marked as “safe for scripting” and “safe for
initialization” and provides users with the ability to block or allow ActiveX controls by security zone, based on those settings.
This allows greater flexibility and control of active content in Internet Explorer.
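
The following audit script is an added example, not code from this document or from Microsoft. It reports whether a control is registered as safe for scripting and safe for initialization, and which ActiveX URL actions each security zone allows. The function names are hypothetical, the CLSID in the last line is a placeholder, and only the current user's zone settings are read.

```powershell
# Added example; function names are hypothetical.
# Component categories a control registers to declare itself safe.
$CatSafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$CatSafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'

function Get-ActiveXSafetyMarking {
    param([Parameter(Mandatory = $true)][string]$Clsid)
    # Registry markings only; a control may also report safety at run time
    # through IObjectSafety, which this check cannot see.
    $cats = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\Implemented Categories"
    New-Object psobject -Property @{
        Clsid                 = $Clsid
        SafeForScripting      = Test-Path -LiteralPath "$cats\$CatSafeForScripting"
        SafeForInitialization = Test-Path -LiteralPath "$cats\$CatSafeForInitializing"
    }
}

$ZoneNames  = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$Policies   = @{ 0 = 'Allow'; 1 = 'Prompt'; 3 = 'Block' }
$UrlActions = @{
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script controls not marked as safe'
    '1405' = 'Script controls marked safe for scripting'
}

function Get-ZoneActiveXPolicy {
    # Assumption: current user's settings; policy-enforced hives are not examined.
    $root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    foreach ($zone in 0..4) {
        $props = Get-ItemProperty -Path "$root\$zone" -ErrorAction SilentlyContinue
        foreach ($id in ($UrlActions.Keys | Sort-Object)) {
            $value = if ($props) { $props.$id } else { $null }
            if ($null -eq $value) {
                $text = 'not set'
            } elseif ($Policies.ContainsKey([int]$value)) {
                $text = $Policies[[int]$value]
            } else {
                $text = 'other (0x{0:X})' -f $value
            }
            New-Object psobject -Property @{
                Zone = $ZoneNames[$zone]; Action = $UrlActions[$id]; Setting = $text
            }
        }
    }
}

Get-ZoneActiveXPolicy | Format-Table Zone, Action, Setting -AutoSize
# Get-ActiveXSafetyMarking -Clsid '{CLSID-OF-CONTROL-TO-CHECK}'   # placeholder CLSID
```

A control that shows False for both markings can still be initialized or scripted in any zone where action 1201 is set to Allow, so that zone setting is the one to review first.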
Who does this feature apply to?
Web developers and network administrators need to be aware of these new restrictions to plan changes or workarounds
for any possible impact to their Web site.
Application developers should review this feature to plan to adopt changes in their applications.
Users could be affected by sites that are not compatible with these stricter rules.
What new functionality is added to this feature in Windows Server 2003 Service Pack 1?
None. Existing security functionality is being extended.
What existing functionality is changing in Windows Server 2003 Service Pack 1?
ActiveX security model applied to URL object initializations
The most effective way to remove ActiveX safety vulnerabilities is to apply security policies consistently at the source of the
URL binding: URLMON. Declaring an ActiveX control in an HTML page using the