Guidelines on Securing Public Web Servers
ActiveX is a set of technologies from Microsoft that provide tools for linking desktop 
applications to the WWW.  ActiveX controls are reusable component program objects that can 
be attached to e-mail or downloaded from a Web site.  ActiveX controls also come preinstalled 
on Windows platforms.  Web pages invoke ActiveX controls using a scripting language or 
with an HTML OBJECT tag. 
The ActiveX security model is considerably different from the Java sandbox model.  The Java 
model restricts the permissions of applets to a set of safe actions.  ActiveX, on the other hand, 
places no restrictions on what a control can do.  Instead, ActiveX controls are digitally signed 
by their author under a technology scheme called Authenticode.  The digital signatures are 
verified using identity certificates issued by a trusted certificate authority to an ActiveX 
software publisher.  For an ActiveX publisher's certificate to be granted, the software publisher 
must pledge that no harmful code will be knowingly distributed under this scheme.  The 
Authenticode process ensures that ActiveX controls cannot be distributed anonymously and 
that tampering with the controls can be detected.  This certification process, however, does not 
ensure that a control will be well behaved.  Thus, the ActiveX security model assigns the 
responsibility for the computer system's security to the user [NIST01a].   
Before the browser downloads an unsigned ActiveX control, or a control whose corresponding 
publisher's certificate was issued by an unknown certifying authority, the browser presents a 
dialog box warning the user that this action may not be safe.  Users can choose to abort the 
transfer, or may continue the transfer if they assume the source is trustworthy or they are 
willing to assume the risk.  Most users are probably unaware of the security implications of 
their decision, which may have serious repercussions.  Even when users are well informed, 
attackers may trick them into approving the transfer.  Because the security of ActiveX depends 
on the knowledge and awareness of the end user, it can be very risky [NIST01a].   
Figure 6.1 shows the relative risk of ActiveX compared with other popular client-side active 
content technologies [NIST01a].   
Figure 6.1: Relative Risk of Common Client Side Active Content  
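
As an added illustration that is not part of the original guideline, the following Python code inventories both invocation paths named above (the HTML OBJECT tag and script-side instantiation) in a page that a Web administrator serves, so that ActiveX use on a site is known before users are asked to trust it. The names find_activex and ActiveXFinder are hypothetical, and the sample page with its CLSID, ProgID and URL is constructed.

```python
import re
from html.parser import HTMLParser

# JScript `new ActiveXObject("ProgID")` or VBScript `CreateObject("ProgID")`
SCRIPT_RE = re.compile(
    r'\b(?:new\s+ActiveXObject|CreateObject)\s*\(\s*["\']([^"\']+)["\']', re.I)

class ActiveXFinder(HTMLParser):
    """Collects (line, kind, identifier, codebase) for each ActiveX reference."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
        elif tag == "object" and a.get("classid", "").lower().startswith("clsid:"):
            clsid = a["classid"][6:].strip("{} ").upper()
            # A codebase value is where the browser may download the control from.
            self.findings.append(
                (self.getpos()[0], "object", clsid, a.get("codebase") or None))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Only text inside <script> counts; the same words in prose are ignored.
        hits = SCRIPT_RE.finditer(data) if self._in_script else ()
        for m in hits:
            line = self.getpos()[0] + data.count("\n", 0, m.start())
            self.findings.append((line, "script", m.group(1), None))

def find_activex(html_text):
    finder = ActiveXFinder()
    finder.feed(html_text)
    finder.close()
    return finder.findings

# Constructed sample page; the CLSID, ProgID and URL are made up.
SAMPLE = """<object classid="CLSID:11111111-2222-3333-4444-555555555555"
        codebase="http://controls.example.test/viewer.cab"></object>
<p>new ActiveXObject("NotCode.InProse") is only text here</p>
<script>
  var ctl = new ActiveXObject("Example.Control");
</script>"""

if __name__ == "__main__":
    print(*find_activex(SAMPLE), sep="\n")
```

Findings that carry a codebase value are the ones for which a browser may fetch the control and apply the signature check described above; findings without one rely on a control already present on the client.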
6.3.2  Server Side Content Generation Technologies and Related Vulnerabilities 
Unlike the above technologies, CGI, ASP, and other similar server interfaces fall on the (Web) 
server side of the client-server model.  Common uses of server-side execution include [Zir02]: 