Thread: How to prevent Office apps from launching executables
View Single Post
  #4  
Old September 21st 09, 08:42 PM posted to microsoft.public.windowsxp.security_admin
Don Giddens
external usenet poster
  
Posts: 2
Default How to prevent Office apps from launching executables
Our system is locked down so the users don't have access to the desktop.
Basically, we launch our own shell application at boot instead of Explorer.
If a user needs access to exe's such as cmd.exe or explorer.exe, they must
enter a corporate password that can be configured to change every minute if
necessary. Users are typically never provided with the password since a
support associate will remote into the system and then they enter the
password.

Our shell application can be configured to launch additional applications as
well, either password protected or open. In this instance, the customer wants
to provide their associates with access to Word & Excel, but doing so will
circumvent the security of or shell since they will be able to start any
application from Word, Excel or any application that utilizes the MS
File/Open functionality.



"Anteaus" wrote:


Unless you also prevent access to the desktop and start menu, I fail to see
what security advantage there is in disabling File..Run menu items (which I
presume is what you refer-to) If the user can open a commandprompt and
understands the basics of DOS syntax they can launch anything they like.

Nevertheless you can customise the menus in most Office apps by
right-clicking any toolbar and selecting Customise. Drag the items you don't
want off the menu to any blank part of the page.

Trying to lock-down executables with NTFS permissions is an exercise akin to
concreting your furniture to the floor so you needn't bother locking the
house. I don't see it as practical, either in terms of the sheer effort
involved or the problems it will cause.

TrustNoExe may be some help here, we've applied it to some computers whose
users have 'itchy fingers.' Though, I have found it to be crashprone on some
hardware.

http://beyondlogic.org/


"Don Giddens" wrote:

I posted the following in an Office forum and they recommended that I post it
here. Please let me know your thoughts.

"I noticed that Word and other Office apps will allow a user to execute any
file type. All you have to do is click File, Open...select view all file
types,
right click the file to execute and then select "Run As" and bingo,
the file executes.

From a security perspective, this is a major issue for our company.
Is there any way to limit the file types that can be viewed or
designate the directory that the File Open option can only view or disable
the Run As option that is displayed when you right click the file?"

Thanks
-Don
Ads