Custom Administrative Template for Setting the Kill Bit on ActiveX Controls in Internet Explorer

There are a lot of IE-related ActiveX control vulnerabilities coming out right now, and many of them are zero-days, meaning the vulnerability details are released and used by the bad guys days or weeks before a patch from Microsoft is available. Even when a patch is available you don't want to load new code on computers until it has been tested for stability problems in your environment.

In such cases your best workaround is to set the "kill bit" on the ActiveX control, which prevents Internet Explorer from loading it. Setting the kill bit doesn't fix the vulnerability, but it prevents it from being exploited via malicious web or HTML email content that tries to instantiate the control. Note that only applications rendering HTML through Internet Explorer's engine honor the kill bit; a program that loads the control directly is not blocked by it.

Microsoft frequently recommends setting the kill bit in the workarounds section of its security bulletins but offers no automated method for setting it across a domain. And when you have hundreds or thousands (or even a handful, for that matter) of workstations on which to make a registry tweak, it's not practical to do it manually.

The good news: custom administrative templates

Group policy allows you to set registry values via custom administrative templates. The best reference I’ve found for custom administrative templates is at http://www.microsoft.com/downloads/details.aspx?familyid=E7D72FA1-62FE-4358-8360-8774EA8DB847&displaylang=en.  But forget reading that - I already created a template for you and a video to show you how to use it!

The process is explained below but for the impatient here are some links:

As an example I used the "WMI Object Broker" class which is the subject of Microsoft Security Advisory 927709. Here's what it looks like:

CLASS MACHINE

CATEGORY !!KillBits

  ; One POLICY per control. KEYNAME is relative to HKEY_LOCAL_MACHINE.
  POLICY "927709 - WMI Object Broker"
    KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}"
    EXPLAIN !!ThisWillSetKillBit
    VALUENAME "Compatibility Flags"
    ; NUMERIC makes the value a REG_DWORD; without it the ADM parser writes a
    ; REG_SZ, which Internet Explorer ignores. 1024 is the kill bit, 0x00000400.
    VALUEON NUMERIC 1024
    VALUEOFF NUMERIC 0
  END POLICY

END CATEGORY

[strings]
KillBits="KillBits"
ThisWillSetKillBit="Enabling this policy will set the kill bit on the specified class."

 

Load this ADM file into a group policy object and you are ready to set the kill bit on as many computers as you need. Once the GPO is configured and has replicated to all domain controllers, computers pick it up at their next background refresh, which by default runs every 90 minutes plus a random offset of up to 30 minutes, so allow about two hours to reach every computer where the GPO is linked (or run gpupdate /target:computer on a machine to pull it immediately).

To kill other ActiveX controls, copy everything between POLICY and END POLICY, change "927709 - WMI Object Broker" to something descriptive for the class to be killed, and replace 7F5B7F63-F06F-4331-8A26-339E03C0AE3D with the CLSID given in the security bulletin or advisory in question (keep the braces; the key name must be the CLSID in registry form). As you can see from the template, enabling the policy sets the Compatibility Flags value under SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{7F5B7F63-F06F-4331-8A26-339E03C0AE3D} to 0x00000400. That is the bit Internet Explorer checks before loading a control; with it set, IE refuses to instantiate the class.
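The copy-and-edit step above can be scripted. The following PowerShell is an added example, not the template or a tool from the original post: it emits a KillBits ADM file with one POLICY per control from a small table, in the same structure as the template above, and by default also emits a second POLICY per control for the SOFTWARE\Wow6432Node copy of the key that 32-bit Internet Explorer reads on 64-bit Windows (each emitted POLICY still has to be enabled in the GPO editor). The $controls table is constructed sample input; the WMI Object Broker CLSID is the one from the post, and any further rows must take their CLSID from the relevant Microsoft advisory. The function name New-KillBitAdm and the output path are my own choices.

```powershell
# Added example, not from the original post: generate a KillBits ADM file.

# Constructed sample input: one row per control to kill.
$controls = @(
    @{ Name = '927709 - WMI Object Broker'; Clsid = '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}' }
    # @{ Name = '<advisory> - <control>'; Clsid = '{<CLSID from the advisory>}' }
)

function New-KillBitAdm {
    param(
        [Parameter(Mandatory = $true)] [hashtable[]] $Controls,
        [Parameter(Mandatory = $true)] [string] $Path,
        # On 64-bit Windows, 32-bit Internet Explorer reads the Wow6432Node copy of
        # the key, so emit a second POLICY for it unless told not to.
        [bool] $IncludeWow6432Node = $true
    )

    $killBit    = 1024   # 0x00000400, the kill bit in Compatibility Flags
    $clsidRegex = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
    $lines      = New-Object System.Collections.Generic.List[string]
    $strings    = New-Object System.Collections.Generic.List[string]

    $lines.Add('CLASS MACHINE')
    $lines.Add('')
    $lines.Add('CATEGORY !!KillBits')
    $lines.Add('')
    $strings.Add('KillBits="KillBits"')
    $strings.Add('KillBitExplain="Enabling this policy sets the kill bit (Compatibility Flags 0x400) on the control. Disabling it writes 0."')

    foreach ($control in $Controls) {
        # Refuse anything that is not a CLSID in registry form; a typo here would
        # silently create a harmless key and kill nothing.
        if ($control.Clsid -notmatch $clsidRegex) {
            throw "CLSID for '$($control.Name)' is not in the form {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}: $($control.Clsid)"
        }
        $views = @(@{ Suffix = ''; Prefix = 'SOFTWARE' })
        if ($IncludeWow6432Node) {
            $views += @{ Suffix = ' (32-bit IE on x64)'; Prefix = 'SOFTWARE\Wow6432Node' }
        }
        foreach ($view in $views) {
            $lines.Add(('  POLICY "{0}{1}"' -f $control.Name, $view.Suffix))
            $lines.Add(('    KEYNAME "{0}\Microsoft\Internet Explorer\ActiveX Compatibility\{1}"' -f $view.Prefix, $control.Clsid))
            $lines.Add('    EXPLAIN !!KillBitExplain')
            $lines.Add('    VALUENAME "Compatibility Flags"')
            # NUMERIC is required so the value is written as REG_DWORD, not REG_SZ.
            $lines.Add("    VALUEON NUMERIC $killBit")
            $lines.Add('    VALUEOFF NUMERIC 0')
            $lines.Add('  END POLICY')
            $lines.Add('')
        }
    }

    $lines.Add('END CATEGORY')
    $lines.Add('')
    $lines.Add('[strings]')
    $lines.AddRange($strings)

    # ADM files are parsed as ANSI text; everything emitted here is plain ASCII.
    Set-Content -Path $Path -Value $lines.ToArray() -Encoding ASCII
    return $Path
}

# Hypothetical output path; import the resulting file via Add/Remove Templates.
New-KillBitAdm -Controls $controls -Path '.\KillBits.adm'
```

If every computer in the OU is 32-bit Windows, pass -IncludeWow6432Node $false to avoid the extra policies; on 32-bit hosts the Wow6432Node key would simply be created and ignored.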

To load this ADM file into a group policy object, edit the GPO, right-click Computer Configuration\Administrative Templates and select Add/Remove Templates... In the Add/Remove Templates dialog click Add..., browse to your ADM file, click Open and then Close. Under Administrative Templates you will now see a new folder called "KillBits" (reminds me of a movie). Select KillBits and you will see an entry for each class for which you created a policy. If the folder looks empty, right-click Administrative Templates, choose View > Filtering... and clear "Only show policy settings that can be fully managed": this template writes outside the Policies keys, so the editor hides its settings by default. Just enable the policy and computers that apply this GPO will begin killing the specified classes as they refresh group policy or reboot.

Here's a video to take you through the entire process.

When and if you no longer want the ActiveX control dead, you can revive it by disabling the policy.

Word of caution: Group Policy does not remember what Compatibility Flags held before this template set it to 0x00000400. Disabling the policy writes VALUEOFF (0x0), and setting it back to Not Configured leaves whatever was last written, because this value lives outside the Policies keys and therefore "tattoos" the registry. Compatibility Flags is a bitmask, so if a control already had other bits set, change VALUEOFF so that disabling the policy restores them (and VALUEON to 0x400 combined with those bits if they must survive while the control is killed). Check a couple of sample systems and document the current value before pushing the kill bit. On 64-bit Windows also remember that 32-bit Internet Explorer reads the key under SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility, so a second POLICY block with that KEYNAME is needed there.
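For the "check a couple of sample systems" step, here is an added PowerShell example (my own, not from the post) that reads Compatibility Flags for one CLSID on a list of computers and reports, for both the native and the Wow6432Node view of the key, whether the kill bit is set, which other bits are already present (so VALUEOFF can be chosen to restore them), and whether the value is actually a REG_DWORD. Remote hosts need the Remote Registry service running and the caller needs local admin rights there; run it from 64-bit PowerShell on a 64-bit host so the native view is the 64-bit one. The function name Get-KillBitState and the host names in the usage line are hypothetical.

```powershell
# Added example, not from the original post: audit Compatibility Flags for a CLSID.
function Get-KillBitState {
    param(
        [Parameter(Mandatory = $true)] [string] $Clsid,
        [string[]] $ComputerName = @($env:COMPUTERNAME)
    )

    $killBit = 0x400
    $views = @(
        @{ View = 'native';      SubKey = "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid" },
        @{ View = 'Wow6432Node'; SubKey = "SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid" }
    )

    foreach ($computer in $ComputerName) {
        # Local machine: use the static hive directly (no Remote Registry needed).
        if ($computer -eq '.' -or $computer -eq $env:COMPUTERNAME) {
            $hklm = [Microsoft.Win32.Registry]::LocalMachine
        } else {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $computer)
        }
        try {
            foreach ($view in $views) {
                $key  = $hklm.OpenSubKey($view.SubKey)
                $kind = $null
                $raw  = $null
                if ($key -ne $null) {
                    if ($key.GetValueNames() -contains 'Compatibility Flags') {
                        $kind = $key.GetValueKind('Compatibility Flags')
                        $raw  = $key.GetValue('Compatibility Flags')
                    }
                    $key.Close()
                }
                # IE only honors a REG_DWORD here. A REG_SZ "1024" (what an ADM
                # without NUMERIC writes) looks set in regedit but does nothing.
                $isDword = ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord)
                $flags   = $null
                if ($isDword) { $flags = [int]$raw }

                $kindText = 'missing'
                if ($kind -ne $null) { $kindText = $kind.ToString() }
                $flagsText = $null
                $otherText = $null
                $killSet   = $false
                if ($flags -ne $null) {
                    $flagsText = '0x{0:X8}' -f $flags
                    # Everything except the kill bit: what VALUEOFF should restore.
                    $otherText = '0x{0:X8}' -f ($flags -band (-bnot $killBit))
                    $killSet   = (($flags -band $killBit) -ne 0)
                }

                [pscustomobject]@{
                    ComputerName = $computer
                    View         = $view.View
                    KeyExists    = ($key -ne $null)
                    ValueKind    = $kindText
                    Flags        = $flagsText
                    KillBitSet   = $killSet
                    OtherBits    = $otherText
                }
            }
        }
        finally {
            # Close is a no-op on the static LocalMachine hive.
            $hklm.Close()
        }
    }
}

# Hypothetical host names; run before linking the GPO and again after a refresh.
Get-KillBitState -Clsid '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}' -ComputerName 'ws01', 'ws02' |
    Format-Table -AutoSize
```

A row with KeyExists False before the GPO is pushed means VALUEOFF 0 is safe; a non-zero OtherBits value is the one to carry into VALUEOFF. After the refresh, any row showing ValueKind other than DWord means the template wrote a string and the control is not really killed.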

Now you are ready to kill ActiveX controls at a moment's notice on computers throughout your network, thus mitigating the risk of related zero-day exploits!

