A Windows XP help forum. PCbanter

If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below.

Go Back   Home » PCbanter forum » Microsoft Windows XP » Security and Administration with Windows XP
Site Map Home Register Authors List Search Today's Posts Mark Forums Read Web Partners

How to prevent Office apps from launching executables



 
 
Thread Tools Display Modes
  #1  
Old September 18th 09, 11:31 PM posted to microsoft.public.windowsxp.security_admin
Don Giddens
external usenet poster
 
Posts: 2
Default How to prevent Office apps from launching executables

I posted the following in an Office forum and they recommended that I post it
here. Please let me know your thoughts.

"I noticed that Word and other Office apps will allow a user to execute any
file type. All you have to do is click File, Open...select view all file
types,
right click the file to execute and then select "Run As" and bingo,
the file executes.

From a security perspective, this is a major issue for our company.
Is there any way to limit the file types that can be viewed or
designate the directory that the File Open option can only view or disable
the Run As option that is displayed when you right click the file?"

Thanks
-Don
Ads
  #2  
Old September 19th 09, 04:09 AM posted to microsoft.public.windowsxp.security_admin
Old Rookie
external usenet poster
 
Posts: 44
Default How to prevent Office apps from launching executables

Ultimately you need to control access to files, including execution, via
user group membership and NTFS permissions. If a user does not have
read/execute permissions to a file then they can not execute it. Read the
info in the link below on NTFS permissions. Share permissions only apply to
files acessed via a network share. When configuring permissions avoid using
deny permissions as a lack of permisison is an implicit deny. You can run
into BIG problems using deny permissions such as deny to the users or
everyone group because those groups also include the administrator account
though ultimately an administrator can always regain access if he knows how
to. If your users are members of the local administrators group on their
computers it will be very difficult to restrict them at best.

http://articles.techrepublic.com.com...1-6152061.html

Steve


"Don Giddens" wrote in message
...
I posted the following in an Office forum and they recommended that I post
it
here. Please let me know your thoughts.

"I noticed that Word and other Office apps will allow a user to execute
any
file type. All you have to do is click File, Open...select view all file
types,
right click the file to execute and then select "Run As" and bingo,
the file executes.

From a security perspective, this is a major issue for our company.
Is there any way to limit the file types that can be viewed or
designate the directory that the File Open option can only view or disable
the Run As option that is displayed when you right click the file?"

Thanks
-Don



  #3  
Old September 20th 09, 10:01 PM posted to microsoft.public.windowsxp.security_admin
Anteaus
external usenet poster
 
Posts: 1,330
Default How to prevent Office apps from launching executables


Unless you also prevent access to the desktop and start menu, I fail to see
what security advantage there is in disabling File..Run menu items (which I
presume is what you refer-to) If the user can open a commandprompt and
understands the basics of DOS syntax they can launch anything they like.

Nevertheless you can customise the menus in most Office apps by
right-clicking any toolbar and selecting Customise. Drag the items you don't
want off the menu to any blank part of the page.

Trying to lock-down executables with NTFS permissions is an exercise akin to
concreting your furniture to the floor so you needn't bother locking the
house. I don't see it as practical, either in terms of the sheer effort
involved or the problems it will cause.

TrustNoExe may be some help here, we've applied it to some computers whose
users have 'itchy fingers.' Though, I have found it to be crashprone on some
hardware.

http://beyondlogic.org/


"Don Giddens" wrote:

I posted the following in an Office forum and they recommended that I post it
here. Please let me know your thoughts.

"I noticed that Word and other Office apps will allow a user to execute any
file type. All you have to do is click File, Open...select view all file
types,
right click the file to execute and then select "Run As" and bingo,
the file executes.

From a security perspective, this is a major issue for our company.
Is there any way to limit the file types that can be viewed or
designate the directory that the File Open option can only view or disable
the Run As option that is displayed when you right click the file?"

Thanks
-Don

  #4  
Old September 21st 09, 08:42 PM posted to microsoft.public.windowsxp.security_admin
Don Giddens
external usenet poster
 
Posts: 2
Default How to prevent Office apps from launching executables

Our system is locked down so the users don't have access to the desktop.
Basically, we launch our own shell application at boot instead of Explorer.
If a user needs access to exe's such as cmd.exe or explorer.exe, they must
enter a corporate password that can be configured to change every minute if
necessary. Users are typically never provided with the password since a
support associate will remote into the system and then they enter the
password.

Our shell application can be configured to launch additional applications as
well, either password protected or open. In this instance, the customer wants
to provide their associates with access to Word & Excel, but doing so will
circumvent the security of or shell since they will be able to start any
application from Word, Excel or any application that utilizes the MS
File/Open functionality.



"Anteaus" wrote:


Unless you also prevent access to the desktop and start menu, I fail to see
what security advantage there is in disabling File..Run menu items (which I
presume is what you refer-to) If the user can open a commandprompt and
understands the basics of DOS syntax they can launch anything they like.

Nevertheless you can customise the menus in most Office apps by
right-clicking any toolbar and selecting Customise. Drag the items you don't
want off the menu to any blank part of the page.

Trying to lock-down executables with NTFS permissions is an exercise akin to
concreting your furniture to the floor so you needn't bother locking the
house. I don't see it as practical, either in terms of the sheer effort
involved or the problems it will cause.

TrustNoExe may be some help here, we've applied it to some computers whose
users have 'itchy fingers.' Though, I have found it to be crashprone on some
hardware.

http://beyondlogic.org/


"Don Giddens" wrote:

I posted the following in an Office forum and they recommended that I post it
here. Please let me know your thoughts.

"I noticed that Word and other Office apps will allow a user to execute any
file type. All you have to do is click File, Open...select view all file
types,
right click the file to execute and then select "Run As" and bingo,
the file executes.

From a security perspective, this is a major issue for our company.
Is there any way to limit the file types that can be viewed or
designate the directory that the File Open option can only view or disable
the Run As option that is displayed when you right click the file?"

Thanks
-Don

 




Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is Off
HTML code is Off






All times are GMT +1. The time now is 02:45 PM.


Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Copyright ©2004-2024 PCbanter.
The comments are property of their posters.