Friday, April 3, 2009

Windows GPO and trusted Add-Ons

Starting with WinXP SP2, Microsoft now has a feature to only allow explicitly declared Add-Ons in Internet Explorer. For us, this is a great feature. We already have an application whitelist program (Websense Client Policy Manager) that blocks unknown executables, but add-ons such as IE toolbars can still get through. Having control over the IE add-ons completes our goal to "protect the users from themselves."

The steps for implementing Add-on blocking can be found via a Google search, so I will not go into them here. Information on the initial implementation can be found in Microsoft's article How to manage Internet Explorer add-ons in Windows XP Service Pack 2.

At first, it seems deceptively simple: find a computer with only the add-ons you want (Java, Flash, etc.), get the CLSIDs off of it by clicking Manage Add-ons in IE and right-clicking the column header to select ClassID so you can see the CLSID, add those to your GPO whitelist of allowed add-ons, and call the project done. It turns out there are many more add-ons that you cannot see in add-on management and that will not run once you enable the option to only allow whitelisted Add-Ons.

So, here's the symptom: after whitelisting every add-on you can see in the add-on manager, when you attempt to go to certain websites (OWA, SharePoint, Carpe Diem Web, Java VM test, etc.) you will see the blocked add-on icon. You double-click the icon to open the add-on manager, yet every add-on still shows as enabled. This affects IE6, IE7, and IE8. IE8's new add-on manager looks nicer, but for what we are trying to do, it offers no more functionality than the others.

MS KB article 555235 is a great place to start for adding some of those hidden Add-Ons, most notably JavaScript and VBScript. The XML DOM and XML HTTP add-ons are also important for OWA; without them you will have a blank pane where all of your inbox items should be.

Unfortunately, while that should give you a good head start, MS does not list all of the hidden add-ons, nor do they give us an easy method for determining the CLSIDs ourselves. MS says you can find the CLSID by looking at the object tag in the HTML source code. However, on all of the web sites I was testing, not one had an object tag or a CLSID I could get.

To determine the CLSID of a blocked add-on, you will need a clean (free of malware) PC and a Windows account that is part of the add-on blocking GPO.
  1. Log onto the clean PC using the Windows account.
  2. Run regedit and browse to HKCU\Windows\CurrentVersion\Ext.
  3. Ensuring all IE windows are closed, delete the Settings and Stats keys (they will be recreated).
  4. Log off and log back on.
  5. Open IE and browse to the site that causes the blocked add-on icon to appear.
  6. Run regedit and browse to HKCU\Windows\CurrentVersion\Ext\Stats.
  7. For each CLSID, open its iexplore subkey; if it contains a DWORD value named "Blocked", that is one of the CLSIDs you need to add to your GPO's whitelist.
  8. Repeat step 7 until you have found all blocked add-ons.
Once the CLSIDs are added to the GPO, refresh the user's policy via gpupdate /force, or just log off and log back on. Visiting that site again should now work without the blocked add-on icon.
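The registry walk in steps 6 and 7 is tedious when a site trips several hidden add-ons, so here is an added PowerShell example (not code from the original post) that does the same lookup for the current user: it enumerates every CLSID under the Stats key, keeps the ones whose iexplore subkey carries a "Blocked" value, resolves each CLSID to its display name from the class registration, and reports whether the CLSID is already present in the Add-on List policy that the GPO writes. Run it in the session of the account that is subject to the add-on GPO, after visiting the site that shows the icon. Note that the post abbreviates the key as HKCU\Windows\CurrentVersion\Ext; its full path, used below, is HKCU\Software\Microsoft\Windows\CurrentVersion\Ext. The Policies\Ext\CLSID location and its "0"/"1"/"2" value meanings are those documented for the Add-on List policy; everything else (function names, the output columns) is this example's own choice.

```powershell
# Added example, not from the original post. Automates steps 6-7: list every
# IE add-on that the add-on GPO blocked for the current user, so the CLSIDs
# can be added to the GPO whitelist.

# Full path of the per-user add-on statistics key (the post abbreviates it).
$StatsKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Ext\Stats'

# Where the "Add-on List" GPO setting lands: one REG_SZ value per CLSID,
# data "0" = deny, "1" = allow, "2" = allow and let the user manage it.
# Checked in both hives because the policy can be applied per machine or per user.
$PolicyKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID'
)

function Get-AllowedClsids {
    # Returns a hashtable whose keys are the CLSIDs the policy already allows.
    $allowed = @{}
    foreach ($key in $PolicyKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            if ([string]$item.GetValue($name) -ne '0') {
                $allowed[$name.ToUpperInvariant()] = $true
            }
        }
    }
    return $allowed
}

function Get-AddonFriendlyName([string]$Clsid) {
    # The default value of a CLSID's class registration is its display name;
    # look in the machine registrations first, then the per-user ones.
    foreach ($root in 'HKLM:\Software\Classes\CLSID', 'HKCU:\Software\Classes\CLSID') {
        $path = Join-Path $root $Clsid
        if (Test-Path $path) {
            $name = (Get-ItemProperty -Path $path).'(default)'
            if ($name) { return $name }
        }
    }
    return '(no class registration found)'
}

function Get-BlockedAddons {
    # One object per CLSID that IE recorded as blocked for this user.
    $allowed = Get-AllowedClsids
    if (-not (Test-Path $StatsKey)) { return }
    $blocked = @()
    foreach ($clsidKey in Get-ChildItem -Path $StatsKey) {
        $clsid  = $clsidKey.PSChildName            # a GUID in braces, e.g. {xxxxxxxx-...}
        $iePath = Join-Path $StatsKey "$clsid\iexplore"
        if (-not (Test-Path $iePath)) { continue }
        $stats = Get-ItemProperty -Path $iePath
        if ($null -eq $stats.Blocked) { continue }   # not blocked: nothing to whitelist
        $blocked += New-Object PSObject -Property @{
            CLSID          = $clsid
            Name           = Get-AddonFriendlyName $clsid
            # $true here means the GPO already lists it and has simply not refreshed yet
            AlreadyAllowed = $allowed.ContainsKey($clsid.ToUpperInvariant())
            # What to enter in the GPO "Add-on List": value name = CLSID, value = 1
            GpoListEntry   = "$clsid = 1"
        }
    }
    return $blocked
}

Get-BlockedAddons | Sort-Object Name | Format-Table CLSID, Name, AlreadyAllowed, GpoListEntry -AutoSize
```

Delete the Settings and Stats keys and log back on before running it, exactly as in steps 3 and 4, so that the Stats key only reflects the site you just visited; otherwise stale entries from earlier browsing show up in the list. A CLSID reported with AlreadyAllowed set to $true is a sign that the policy has not been refreshed on this machine rather than a missing whitelist entry.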

If this has helped you, please add a comment saying so. Thanks for reading.

1 comment:

  1. Awesome post. When you have the pain of using GAP, this is what you need!!!