Internet Explorer Add-on Management and Crash Detection

IT Support Forum Forums Windows Windows Server 2003 R2 General Discussion Internet Explorer Add-on Management and Crash Detection

Viewing 0 reply threads
  • Author
    • #2200

      The Microsoft Windows Server 2003 InternetExplorer Enhanced Security Configuration component (also known as
      Microsoft InternetExplorer hardening) reduces a server’s vulnerability to attacks from Web content by applying more
      restrictiveInternetExplorer security settings that disablescripts, ActiveX components,and file downloads for resources in the
      Internet security zone. As a result, many of thesecurity enhancements included in thelatest release of InternetExplorer will
      not beas noticeablein Windows Server 2003 Service Pack 1.For example, the new InternetExplorer Information Bar and
      Pop-up Blocker features will not be used unless thesiteis in a zone whosesecurity setting allows scripting. If you are not
      using theenhanced security configuration on your server, thesefeatures will function as they do in Windows XP Service
      Pack 2.
      What does InternetExplorer Add-on Management and Crash Detection do?
      Thesearetwo new,closely-related features thatareincluded in InternetExplorer.
      InternetExplorer Add-on Managementallows users to view and control thelist of add-ons that can beloaded by Internet
      Explorer with more detailed control than before. Italso shows the presence of someadd-ons that were previously not shown
      and could bevery difficult to detect.
      InternetExplorer Add-on Crash Detection attempts to detect crashes in InternetExplorer thatarerelated to an add-on.When
      theadd-on is successfully identified, this information is presented to the user.The user has the option of disabling add-ons to
      diagnosecrashes and improvethe overall stability of InternetExplorer.
      Who does this feature apply to?
      Users will beableto view,enable,and disabletheadd-ons used by InternetExplorer,and identify add-ons that might be
      related to InternetExplorer crashes. Administrators can enforcea list of add-ons thatareallowed or disallowed and restrict the
      ability of users to manageadd-ons.
      What new functionality is added to this feature in Windows Server 2003 Service Pack 1?
      InternetExplorer Add-on Management
      Detailed description
      InternetExplorer Add-on Managementallows users to view and control thelist of add-ons that can beloaded by Internet
      Explorer with more detailed control than before. Italso shows the presence of someadd-ons that were previously not shown
      and could bevery difficult to detect.Theseadd-ons might provide undesired functionality or services and, in somecases, might
      presenta security risk.
      For example,a user might unintentionally install an add-on that secretly records all Web pageactivity and reports it to a central
      server. Previously, specialized softwareand deep technical knowledge might have been required to identify and removethat
      add-on. InternetExplorer Add-on Management provides an easier way to detectand disablethatadd-on.
      Add-ons include:
      Browser help objects
      ActiveX controls
      Toolbar extensions
      Browser extensions
      Add-ons can beinstalled from a variety of locations and in several ways, including:
      Download and installation whileviewing Web pages.
      Installation by the user by way of an executable program.
      As pre-installed components of the operating system.
      As pre-installed add-ons that come with the operating system.
      Manage Add-ons
      Users can enableand disableeach add-on individually and view information about how often theadd-ons have been used by
      InternetExplorer.To do this, use one of thefollowing procedures to open Manage Add-ons.
      Open Manage Add-ons Using InternetExplorer
      1. Click Start,and then click InternetExplorer.
      2. On the Tools menu,click Manage Add-ons.
      Open Manage Add-ons using the Control Panel
      1. Click Start,and then click Control Panel.
      2. Double-click Internet Options.
      3. Click the Programs tab,and then click Manage Add-ons.
      Manage Add-ons has several options thatallow you to changeyour add-on configuration.
      You can usethe Show drop-down list in Manage Add-ons to control the way in which theadd-ons list is displayed. It has two
      Add-ons currently loaded in InternetExplorer.This option lists theadd-ons that have been instantiated (or loaded
      into memory) within thecurrent InternetExplorer process and thosethat have been blocked from instantiating.This
      includes ActiveX controls that were used by Web pages that were previously viewed within thecurrent process.
      Add-ons that have been used by InternetExplorer.This option lists all add-ons that have been referenced by
      InternetExplorer and arestill installed.
      Thelist of add-ons shows all installed add-ons of thetypes listed previously in the detailed description section.To enable or
      disablean installed add-on,click theadd-on in thelist, then click Enable or Disable.
      If you click an ActiveX control in thelist, then click Update ActiveX,Windows searches for an updateat thelocation wherethe
      original control was found. If a newer version is found at that location, InternetExplorer attempts to install the update.
      Thelist of add-ons also contains signed add-ons that were blocked from installation becausetheir publisher was untrusted.
      After selecting one of thesecontrols, the user can unblock thecontrol by clicking Allow. Caution should beexercised when
      doing this, becauseclicking Allow removes the publisher from the Untrusted list.
      Blocked Add-on status bar icon
      A Blocked Add-on icon appears in thestatus bar when a Web pageattempts to instantiatean ActiveX control that is disabled
      or blocked becauseits publisher is untrusted. You can doubleclick theicon to open Manage Add-ons.Thestatus bar icon is
      accompanied by a balloon tip thefirst fivetimes itappears.
      Add-on notification balloon tip
      When a Web pageattempts to instantiatea disabled add-on and thereis no current Blocked Add-on status bar icon,a message
      appears to tell the user that thecurrent Web pageis requesting an add-on that is disabled.The user can click the messagefor
      more details on blocking add-ons.
      You can usetheInternet Options Control Panel to suppress the message.
      Why is this change important?
      Windows Error Reporting data has shown thatadd-ons area major cause of stability issues in InternetExplorer.Theseadd-ons
      significantly affect thereliability of InternetExplorer.Theseadd-ons can also posea security risk, becausethey might contain
      malicious and unknown code.
      Many users are unaware of theadd-ons they haveinstalled on their computer.Someadd-ons areloaded whenever Internet
      Explorer is started, but cannot be detected unless the user searches theregistry.When users experienced crashes, there was no
      easy way to diagnose whether theissue was related to an add-on.Even if they suspected that the problem stemmed from
      recently-installed software, it was difficult to isolatethecauseand often impossibleto resolveif thesoftware did not provide
      an uninstall option.
      InternetExplorer Add-on Management, together with Add-on Crash Detection, gives users theability to improvethesecurity
      and stability of their systems by identifying and disabling problematicadd-ons. Administrators arealso provided with a
      powerful administrativetool to control add-on usein their organization.
      What works differently?
      Behavior when add-ons are disabled
      Disabling an add-on does not removeit from thecomputer. It only prevents InternetExplorer from instantiating the objectand
      executing its code.Thereis no guaranteethat the disabled add-on will never beloaded, sincean add-on that is considered by
      InternetExplorer to be disabled can still be used by another component in thesystem.The behavior that is displayed by
      disabling different object types varies.
      If an ActiveX control is disabled,Web pages that rely on thecontrol might not work as expected.They behaveas if the
      user has uninstalled thecontrol from thecomputer and declined to install it. Users are not prompted to upgradecontrols
      that have been disabled.
      If a browser helper object is disabled, functionality that depends on the object is notavailable,and thereis no visual
      indication thata component is disabled.
      If a browser extension is disabled, toolbar buttons and menu entry points are not shown for thatextension. Internet
      Explorer behaves as if theextension was not installed.
      If a toolbar extension is disabled, thetoolbar does notappear in InternetExplorer and, on the View menu, theToolbars
      item is disabled. InternetExplorer behaves as if thetoolbar was not installed.
      Theconcept of a disabled add-on only applies to instances of InternetExplorer (Iexplore.exe) and Windows Explorer
      (Explorer.exe) by default. Currently, other programs based on InternetExplorer components, such as the WebBrowser control, do
      not respect the disabled state. However,you can usethe featurecontrol key to extend this functionality to other applications.
      Somesoftware programs depend on a combination of multipleadd-ons to work correctly,and disabling any one of them
      might cause problems. Caution should beexercised when deciding to disable one or moreadd-ons.
      If the user disables a non-ActiveX add-on and subsequently uninstalls and then re-installs it, theadd-on might remain in a
      disabled state.This is becauseInternetExplorer is not notified of application installations and does not detectany application
      statechanges. However, if InternetExplorer is started whiletheadd-on is not installed, it detects a changeand automatically
      clears the disabled state.
      If the user disables an ActiveX control and then uninstalls it, the next timea Web pageattempts to usethecontrol, Internet
      Explorer detects that thecontrol is no longer presentand clears the disabled state. However, if the ActiveX control is reinstalled
      using an executablefile(as opposed to a Web page download) beforethereareany attempts to instantiatethecontrol, then it
      remains disabled.This is becauseInternetExplorer does not detecta statechange.
      How do I resolve these issues?
      In theevent that disabling an add-on causes a lack of functionality, it can berestored by enabling theadd-on in Manage Addons.
      InternetExplorer must berestarted for new settings to takeeffect, with theexception of ActiveX controls, wherereloading
      theaffected page might besufficient.
      InternetExplorer Add-on Management for Administrators
      Detailed description
      Disabling the Crash Detection feature
      To disablethe Crash Detection feature of Add-on Management, see”What settings areadded or changed in Windows
      Server 2003 Service Pack 1?” below.When Crash Detection is disabled,a crash in InternetExplorer exhibits previous behavior,
      which is usually to invoke Windows Error Reporting. All policies for Windows Error Reporting continueto apply.
      Disabling Add-on Management user interface
      To disablethe Add-on Management user interface, see”What settings areadded or changed in Windows Server 2003 Service
      Pack 1?” below.When the Add-on Management user interfaceis disabled, theEnable and Disable options are unavailablein
      Manage Add-ons.
      Deny all add-ons unless specifically allowed in the Add-on list
      This policy setting allows administrators to ensurethatany InternetExplorer add-ons not listed in the Add-on List policy
      setting will be denied.
      To set this policy,an administrator can modify the RestrictToList registry key in either of thefollowing locations:
      Key reference
      Name: RestrictToList
      Type: DWORD
      1 (Anything not on the Add-on list is considered disabled.)
      0 (Anything not on the Add-on list works as it would without policy.)
      Add-on List
      Administrators can control the use of specificadd-ons through theadd-on list policy. Administrators can chooseto enable or
      disablean add-on as well as allow a specificadd-on to be managed by the user.
      To set this policy,an administrator can createa registry value based on the GUID of theadd-on in either of thefollowing keys
      and then set the desired value:
      Each add-on is a valuein this registry key with thefollowing properties.
      Key reference
      Name: GUID of add on
      Type: REG_SZ
      0 – Add-on is disabled and cannot be managed by theend user.
      1 – Add-on is allowed and cannot be managed by theend user.
      2 – Add-on is allowed and can be managed by theend user.
      The Add-on (CLSID) lists areempty by default.
      Behavior of Management user interface when policies are applied
      When an Add-on Management policy is in effect,and the user selects an add-on from the management list that is disabled by
      policy,Enable and Disable are unavailable.
      Why is this change important?
      This featureallows administrators to control the usage of the new features.
      What works differently?
      The new features for allowing and disallowing add-ons work in conjunction with existing policies for managing ActiveX
      controls. Add-on disabling is applied on top of existing checks and does not replace other security restrictions that might bein
      place.For example, if an ActiveX control is blocked by its ActiveX compatibility flags, it will always be blocked, regardless of the
      add-on management settings.
      Using the”Deny all add-ons unless specifically allowed in the Add-on List” policy will disablescriptand other controls
      necessary for some Web pages to function properly.For a list of CLSIDs that might need to beenabled for certain Web sites to
      function correctly, seethearticle on the Microsoft Web siteat
      How do I resolve these issues?
      If you are using the”Deny all add-ons unless specifically allowed in the Add-on list” policy some Web applications might break
      dueto disabled scripting and other disabled controls.For information aboutenabling scripting and other commonly used Web
      controls, seethearticle on the Microsoft Web siteat
      In theevent that thesecontrols do notaddress theissueand adding these policies continues to removefunctionality that is
      required for a Web application thatyou want to use, removethe policies that wereapplied and restart InternetExplorer.
      InternetExplorer Add-on Crash Detection
      Detailed description
      Whenever InternetExplorer stops unexpectedly,Windows starts the Add-on Crash Detection program. Add-on Crash Detection
      is an error analysis program thatexamines thestate of theIexplore.exe(InternetExplorer) process. It collects thelist of dynamic
      link libraries (DLLs) thatareloaded,and thevalue of theinstruction pointer register (EIP) at thetime of thecrash. Add-on Crash
      Detection then attempts to find the DLL whose memory rangetheEIP lies within.This DLL is often thecause of thecrash. If a
      DLL is found, it is nota system DLL,and the DLL is the COM server for an InternetExplorer add-on, theInternetExplorer Addon
      Crash Detection dialog boxappears.This dialog box contains information that indicates which add-on caused thecrash, the
      name of thecompany associated with theadd-on,and the description of the DLL filethat contains theadd-on code.To display
      Manage Add-ons, which you can then useto disabletheidentified add-on,click Advanced. After you review theinformation
      and click Continue, thestandard Windows Error Reporting window opens.
      Why is this change important? What threats does it help mitigate?
      For this information, see”InternetExplorer Add-on Management for Users,”earlier in this subject.
      What works differently?
      Sincethis feature only runs when InternetExplorer stops operating, thereshould be no changes to normal operation.
      What settings are added or changed in Windows Server 2003 Service Pack 1?
      InternetExplorer Add-on Management and Crash Detection Settings
      Setting name Location Default
      Possible values
      Disable Crash Detection HKCU {or HKLM} \Software\Policies
      \Microsoft\InternetExplorer \Restrictions
      Name: NoCrashDetection
      Type: DWORD
      0 0 — Off,
      1 — On
      Deny all add-ons unless
      specifically allowed in the Add-on
      HKCU {or HKLM}
      Name: RestrictToList
      Type: DWORD
      0 0 — Off,
      1 — On
      Add-on List HKCU {or HKLM}
      Name: GUID of thecontrol
      Type: REG_SZ
      0 – Add-on is disabled and cannot
      be managed by theend user.
      1 – Add-on is allowed and cannot
      be managed by theend user.
      2 – Add-on is allowed and CAN be
      managed by theend user.
      Do I need to change my code to work with Windows Server 2003 Service Pack 1?
      Your code does not need to change to work with Internet Explorer Add-on Crash Detection or Add-on Management.

Viewing 0 reply threads
  • You must be logged in to reply to this topic.