Check: DTBI805
Microsoft Internet Explorer 9 STIG:
DTBI805
(in version v1 r15)
Title
ActiveX opt-in prompt must be disallowed. (Cat II impact)
Discussion
This policy setting allows you to turn off the ActiveX opt-in prompt. The ActiveX opt-in prevents Web sites from loading any COM object without prior approval. If a page attempts to load a COM object that Internet Explorer has not used before, an Information bar will appear asking the user for approval. If you enable this policy setting, the ActiveX opt-in prompt will not appear. Internet Explorer does not ask the user for permission to load a control, and will load the ActiveX if it passes all other internal security checks. If you disable or do not configure this policy setting the ActiveX opt-in prompt will appear.
Check Content
The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> "Turn off ActiveX opt-in prompt" must be “Enabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Ext Criteria: If the value NoFirsttimeprompt is REG_DWORD = 1, this is not a finding.
Fix Text
Set the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> "Turn off ActiveX opt-in prompt" to “Enabled”.
Additional Identifiers
Rule ID: SV-40764r1_rule
Vulnerability ID: V-30778
Group Title: DTBI805 - Opt-In Prompts for ActiveX
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |