Title

ActiveX opt-in prompt must be disallowed. (Cat II impact)

Discussion

This policy setting allows you to turn off the ActiveX opt-in prompt. The ActiveX opt-in prevents Websites from loading any COM object without prior approval. If a page attempts to load a COM object that Internet Explorer has not used before, an information bar will appear asking the user for approval. If you enable this policy setting, the ActiveX opt-in prompt will not appear. Internet Explorer does not ask the user for permission to load a control, and will load the ActiveX if it passes all other internal security checks. If you disable or do not configure this policy setting the ActiveX opt-in prompt will appear.

Check Content

The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> "Turn off ActiveX opt-in prompt" must be "Enabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Ext Criteria: If the value NoFirsttimeprompt is REG_DWORD = 1, this is not a finding.

Fix Text

Set the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> "Turn off ActiveX opt-in prompt" to "Enabled".

Additional Identifiers

Rule ID: SV-45077r1_rule

Vulnerability ID: V-30778

Group Title: DTBI805 - Opt-In Prompts for ActiveX

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.