GPO Exceptions for sites using Flash

  • Question

  • Hi All

    I am trying to implement a GPO for Flash exceptions for IE11.

    I have successfully blocked Adobe Flash in IE and prevented applications from using IE to instantiate Flash objects. I also added the sites I wanted to exempt from this policy to the Add-on List, and deny all add-ons unless specifically allowed in the Add-on List.

    Logged off and ran gpupdate /force, but I still cannot launch the approved site with Flash.

    Please help.

    Thursday, November 16, 2017 2:29 AM

All replies

  • Hi,

    Your company should be using Enterprise Site Mode lists to manage backward compatibility of legacy intranet sites. Legacy Macromedia Flash (classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000") will not run on any webpage unless the Emulation Mode is IE8 or lower. Ideally you would ask your programmers to change the <object> tags hosting the Macromedia Flash object to use generic object tags with data and type values.

    To find out which IE Emulation mode is being used on an intranet site, select F12 > Emulation tab.

    Also check that you do not have ActiveX Filtering turned on. Intranet sites are exempt, but external content in object tags, embeds or iframes will be blocked on intranet sites.

    Hosting external content on an intranet site may be leaking information about your internal networks to third parties (web search for "google dorks") that could compromise integrity.

    If possible, include links to problem websites with your questions so that we can inspect the markup and coding of the web page(s).

    Regards.

    Rob^_^

    Monday, November 20, 2017 9:51 PM
  • Hi Rob

    Thanks for the response. So before applying ESM, should I still have the GPO Flash exceptions enabled?

    Wednesday, March 14, 2018 10:17 PM
  • Hi,

    .... mmm... I think there is a misunderstanding...

    "deny all add-ons unless specifically allowed in the Add-On List"

    Flash is implemented as an ActiveX control, not an add-on... some of your add-ons (toolbars and BHOs (browser helper objects)) might be using Flash or Flash cookies, so you may as well leave "Deny all add-ons" enabled in your GPO settings.

    "I have successfully blocked adobe flash in IE and prevent applications from using IE to instantiate Flash Objects."

    "I am trying to implement a GPO for flash exceptions for IE11."

    What settings have you used to "blocked adobe flash in IE and prevent applications from using IE to instantiate Flash Objects"?

    See GPO > User/Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Administrator Approved Controls > Shockwave Flash

    Designates Shockwave Flash as an administrator-approved control.

    If you enable this policy, this control can be run in security zones in which you specify that administrator-approved controls can be run.

    If you disable this policy or do not configure it, this control will not be designated as administrator-approved.

    To specify how administrator-approved controls are handled for each security zone, carry out the following steps:
    1. In Group Policy, click User Configuration, click Internet Explorer Maintenance, and then click Security.
    2. Double-click Security Zones and Content Ratings, click Import the Current Security Zones Settings, and then click Modify Settings.
    3. Select the content zone in which you want to manage ActiveX controls, and then click Custom Level.
    4. In the Run ActiveX Controls and Plug-ins area, click Administrator Approved.

    Have you completed steps 1 to 4 above?

    Which IE security zone is the website that you want to allow the control to run in?

    Follow these steps... go to the website you want to allow Flash to run in, e.g. accounting/help/

    Use the File > Properties menu in IE to note which IE security zone the site is mapped to.

    Then

    Tools > Manage Add-ons > Currently Loaded Add-ons... locate any Flash ActiveX controls in the list (there may be different versions of Flash, e.g. Macromedia Flash, Shockwave Flash) and double-click it to display its properties sheet and whitelisted domains list.

    Copy and paste the Properties sheet details back (there's a Copy button on the Properties dialog). This will tell us if the website is really using a current version of Flash or not.

    The important thing to note is which IE security zone the domain where you want to allow approved ActiveX controls to run is mapped to.

    If a domain is mapped to an IE security zone where you don't allow administrator-approved controls to run, then regardless of whether the domain is in the control's exceptions list (see the Properties page for the running instance of Flash), it will not run.

    Also, IE has ActiveX Filtering (Tools > ActiveX Filtering). If the domain is mapped to the Internet zone, Flash may already be blocked, regardless of the GPO settings for admin-approved controls.

    Ideally, you should configure Flash as an approved control only for the Intranet and Trusted sites zones.

    Regards.

    Rob^_^

    Thursday, March 15, 2018 2:16 AM
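As an added diagnostic (my own script, not from Rob's replies or from Microsoft), the PowerShell below reads the registry locations the IE policies write to and reports, for one hostname, the three things Rob says decide whether an admin-approved Flash control runs: the zone the site is mapped to, that zone's "Run ActiveX controls and plug-ins" action, and whether the Flash CLSID is in the Administrator Approved Controls list, plus the ActiveX Filtering state. The registry paths, the 0x10000 "Administrator approved" URLACTION value and the CLSID-as-value-name layout of AllowedControls are assumptions from my reading of inetres.adm and the URLACTION documentation; verify them against your own inetres.admx.

```powershell
# Added diagnostic (not from the thread). Assumptions: IE zone numbering 1-4 is the
# standard one, and the registry paths below are where the IE ADMX policies write;
# verify them against your own inetres.admx. Run in the affected user's session.
param([Parameter(Mandatory = $true)][string]$SiteHost)   # e.g. 'accounting'
$FlashClsid = '{D27CDB6E-AE6D-11CF-96B8-444553540000}'    # CLSID quoted in the thread
$ZoneNames  = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$PolicyRoot = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$UserRoot   = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
# 1. Zone mapping: the Site-to-Zone Assignment List GPO (ZoneMapKey) stores one
#    value per pattern, e.g. 'http://accounting' or '*.corp.example' = '1'.
$zone = $null
foreach ($hive in 'HKLM:', 'HKCU:') {
    $key = Get-ItemProperty -Path "$hive\$PolicyRoot\ZoneMapKey" -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($p in $key.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
        $pattern = $p.Name -replace '^\w+://', ''          # drop the scheme, keep the host pattern
        if ($SiteHost -like $pattern) { $zone = [int]$p.Value }
    }
}
if ($null -eq $zone) {
    Write-Host "No GPO zone entry for $SiteHost; IE will use its own detection (check File > Properties). Assuming Internet."
    $zone = 3
}
Write-Host "Zone: $zone ($($ZoneNames[$zone]))"
# 2. URLACTION 1200 'Run ActiveX controls and plug-ins' for that zone. 0x10000 (65536)
#    is 'Administrator approved'; machine policy wins over user policy over user setting.
$action = $null
foreach ($path in "HKLM:\$PolicyRoot\Zones\$zone", "HKCU:\$PolicyRoot\Zones\$zone", "HKCU:\$UserRoot\Zones\$zone") {
    $v = (Get-ItemProperty -Path $path -Name '1200' -ErrorAction SilentlyContinue).'1200'
    if ($null -ne $v) { $action = [int]$v; break }
}
$ActionNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable'; 65536 = 'Administrator approved' }
$meaning = if ($null -ne $action -and $ActionNames.ContainsKey($action)) { $ActionNames[$action] } else { 'not set' }
Write-Host "Run ActiveX controls in this zone: $meaning"
# 3. Administrator Approved Controls list: the Shockwave Flash policy writes the CLSID
#    as a value under AllowedControls with data 0 when enabled (assumption from the ADM).
$approved = $false
foreach ($hive in 'HKLM:', 'HKCU:') {
    $v = (Get-ItemProperty -Path "$hive\$PolicyRoot\AllowedControls" -Name $FlashClsid -ErrorAction SilentlyContinue).$FlashClsid
    if ($null -ne $v -and [int]$v -eq 0) { $approved = $true }
}
Write-Host "Shockwave Flash in Administrator Approved Controls: $approved"
# 4. ActiveX Filtering (Tools > ActiveX Filtering) blocks the control regardless of the above.
$filter = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Safety\ActiveXFiltering' -Name IsEnabled -ErrorAction SilentlyContinue).IsEnabled
Write-Host "ActiveX Filtering enabled: $($filter -eq 1)"
if ($meaning -ne 'Administrator approved' -or -not $approved) { Write-Host "Flash will not run on $SiteHost via the approved-controls path: fix the zone action or the approved list." }
```

Compare its output with what IE's File > Properties dialog and the Flash control's properties sheet show, as Rob describes; a zone other than Intranet or Trusted sites, or an action other than "Administrator approved", explains why the exception is not taking effect.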