Microsoft is adding a brand-new feature to Windows Vista to allow businesses to load ActiveX controls on systems running without admin privileges.
The new feature, called ActiveX Installer Service, will be fitted into the next public release of Vista to provide a way for enterprises to cope with the UAC (User Account Control) security mechanism.
UAC, formerly known as LUA (Limited User Account), is enabled by default in Vista to separate Standard User privileges from those that require admin rights to harden the operating system against malware and malicious hacker attacks.
However, because UAC will block the installation of ActiveX controls on Standard User systems, enterprise applications that use the technology will encounter breakages. ActiveX controls are objects used to enhance a user's interaction with an application.
Microsoft introduced the service at the TechEd conference in Boston and said it will be an optional component on the Ultimate, Business and Enterprise SKUs of Windows Vista. The service is expected to debut in Windows Vista RC1 (Release Candidate 1) and will only be enabled on clients where it's installed.
In an interview with eWEEK, Microsoft security chief Ben Fathi said the decision to add the ActiveX installer was a direct result of demands from beta testers. “The feedback we get is that UAC is great but, in the enterprise, there is a legitimate need to install applications on Standard User systems. We had to create a way to safely preapprove applications without the need for an admin password,” Fathi explained.
Fathi, a corporate vice president in Microsoft's Security Technology Unit, said a system administrator can go into a console and define a list of Web sites and applications that are preapproved.
Steve Hiskey, lead program manager for User Account Control in Microsoft's Windows Security Core group, said a Group Policy mechanism will be provided to designate the Host URLs from which standard users can install ActiveX controls.
According to an entry posted to Microsoft's UAC blog, the ActiveX Installer Service will consist of a Windows service, a Group Policy administrative template and a few changes in the Internet Explorer browser.
Before installing the ActiveX control, the Installer service will check to see if the Host URL of the CODEBASE is defined and listed in Group Policy and if it is allowed. If the service policy permits the install of the ActiveX control, it will create an instance of the Internet Explorer ActiveX installer object to be used to install the control.
If Group Policy does not specify that the ActiveX control is allowed to install, then the default Windows Vista behavior is resumed: An authentication prompt is required to install an ActiveX control.
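The decision flow described above, sketched as an added example (not Microsoft's code and not from the article). The policy table, the host names and the normalization rules are assumptions, since the article does not say how the service compares Host URLs.

```python
from urllib.parse import urlsplit

# Constructed policy table: host URL -> whether installs from it are allowed.
# The layout of the real Group Policy template is not described in the article.
APPROVED_HOSTS = {
    "https://apps.corp.example": True,
    "https://legacy.corp.example": False,  # listed, but explicitly not allowed
}

DEFAULT_PORTS = {"http": 80, "https": 443}


def host_url(codebase):
    """Reduce a CODEBASE URL to scheme://host[:port]; None if it is unusable."""
    try:
        parts = urlsplit(codebase.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    # hostname excludes any user:password@ prefix and is already lower-cased
    host = parts.hostname.rstrip(".")
    suffix = "" if port in (None, DEFAULT_PORTS[parts.scheme]) else f":{port}"
    return f"{parts.scheme}://{host}{suffix}"


def decide(codebase, policy=APPROVED_HOSTS):
    """Return 'install' only when the host URL is listed and allowed.

    Anything else falls back to the default behaviour the article describes:
    an authentication prompt.
    """
    key = host_url(codebase)
    # Exact match on the normalized host URL; a prefix or substring test
    # would also accept look-alike hosts that merely start with a listed name.
    if key is not None and policy.get(key) is True:
        return "install"
    return "prompt"


if __name__ == "__main__":
    for url in ("https://apps.corp.example/controls/viewer.cab#version=1,0,0,0",
                "https://apps.corp.example.other.example/viewer.cab",
                "https://legacy.corp.example/viewer.cab"):
        print(f"{decide(url):8} {url}")
```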
The authentication prompts in current beta versions of Vista have been criticized as a major annoyance, prompting Microsoft to announce several significant tweaks aimed at reducing the number of privilege elevation prompt pop-ups that appear to the end user.
In Windows Vista RC1, Microsoft plans to make changes in the operating system to create safe scenarios for the Standard User account to accomplish tasks that used to require a privilege elevation prompt. It will also apply application compatibility fixes, called “shims,” for applications that need help running as Standard User.
Fathi said the company is also considering automatic shimming for legacy applications that may never be changed to work with the default UAC settings. “There are line-of-business applications that will never work with UAC for a variety of reasons. Maybe they don't have the source code anymore or the person that wrote that code is gone. There are hundreds of these applications out there,” Fathi said.