Many organizations still rely on legacy applications built using ActiveX technology. It is essential to understand which ActiveX controls are in use as those organizations look to adequately use Edge IE Mode after the Internet Explorer end of life date.
ActiveX use must be tracked and controlled
One of the complexities of ActiveX centers around the fact they are installed binary components. The modern web uses flexible, load-on-demand extensions that don’t require administrative privilege. ActiveX represents a security threat and operations challenge because it is installed and has system access. A compromised ActiveX component can make the entire user system vulnerable. Knowing which applications require ActiveX control is critical to rationalizing and securing the system. It’s equally important to identify which installed ActiveX components aren’t needed and can be safely removed, helping to reduce attack surface and avoid unnecessary patching/update cycles.
Identifying ActiveX controls
Tools like Process Explorer were designed as troubleshooting resources for IT administrators to drill into a specific application case and identify the detailed system resources are being accessed in that single situation. While that works well as a ‘one-off’ solution, it requires more than a dozen steps to identify the ActiveX components being loaded, and it’s an impractical approach for an enterprise-level problem. Organizations with even only a handful of applications find Process Explorer unhelpful at a simple scale.
In addition to the scale issues, Process Explorer only offers half of the answers IT administrators need to effectively manage ActiveX in the organization and enable a smooth transition to Edge IE Mode. Knowing which ActiveX controls are required is undoubtedly helpful but leaving unneeded ActiveX controls installed presents a security vulnerability.
Gathering ActiveX data at the enterprise level
Browsium Proton was designed to provide a true enterprise-level solution for managing ActiveX in the organization, regardless of size. Proton gathers data both on the installed ActiveX components on all systems in the enterprise and correlates the usage activity of web applications that load any given ActiveX control. With both pieces of data, organizations can quickly identify which ActiveX controls are needed for their web applications—knowing which specific users allows you to leverage Browsium Ion to build granular configurations to load only those ActiveX controls required securely and where they are needed.
With the usage and system information from Browsium Proton, organizations can automatically collect data on all web applications, all users, and all systems within days. Browsium Proton will correlate all the information and cross-reference usage details in near real-time. Enabling IT administrators to act on the information without having to integrate 3rd party data warehouse tools or depend on other parts of the organization to help collate the data.
Browsium Proton offers near real-time telemetry that allows you to “see” potential security vulnerabilities and make proactive changes.
It’s like X-ray vision for ITOM.
Proton shines a light into the dark places of your IT environment. After all, you can’t fix what you can’t see, and the design of browsers and web applications inherently make it hard to see the details.
Ion 2.x or 3.0
If you are using Ion to access a web application that uses ActiveX controls, you will want to know if the correct ActiveX controls are being loaded or not. This article will step you through some steps to demonstrate which specific ActiveX controls are being loaded in given Internet Explorer window.
The tool we will be using to check ActiveX controls is Windows Sysinternals Process Explorer. It is provided as a free download from Microsoft.
You will need to download and unzip the Process Explorer package. The application does not have an installer, so unzip it somewhere convenient so that you can launch it when needed.
For our example, we will use the popular site, SpeedTest.net, to show how you can view the ActiveX controls that are loaded in a page.
1. Load the web page you want to test. For this test, you can go to http://speedtest.net/. Make sure that you don’t navigate to another tab or application. You will want Internet Explorer to be on top of your other applications
2. Launch Process Explorer (double-clicking on the procexp.exe file)
3. Click and hold on the “Find Window’s Process” icon; the Process Explorer window will disappear
4. While continuing to hold your mouse button down, hover over the web page you want to check
5. Release your mouse button
6. Process Explorer will reappear and the Internet Explorer process will be highlighted
7. Right-click on the highlighted process and select Properties
8. Choose the Threads tab
NOTE: You may receive a warning that you need to install the Debugging Tools for Windows. You can dismiss the warning.
9. Browse through the threads until you find one with “ocx” in the name (in this example, Flash10l.ocx)
10. Next, click on the OCX that you want to investigate further
11. Click the ‘Module’ button
12. Select the ‘Details’ tab – in this case the file is Flash10l.ocx
NOTE: Within the Properties window General tab, you can also see which directory the OCX was loaded from.
13. Each unique OCX is a separate ActiveX control. Each ActiveX control may need its own entry in the corresponding Ion Profile to load that control. Ion clients typically do not need to add ActiveX controls to their profiles, but in some cases this may be necessary (if the ActiveX control is not loading by default). Please see our Ion Knowledge Base for information on how to edit an Ion Profile to support a custom ActiveX control
Posted in: Ion Knowledge Base