If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. |
|
|
Thread Tools | Display Modes |
#1
|
|||
|
|||
How to prevent Office apps from launching executables
I posted the following in an Office forum and they recommended that I post it
here. Please let me know your thoughts. "I noticed that Word and other Office apps will allow a user to execute any file type. All you have to do is click File, Open...select view all file types, right click the file to execute and then select "Run As" and bingo, the file executes. From a security perspective, this is a major issue for our company. Is there any way to limit the file types that can be viewed or designate the directory that the File Open option can only view or disable the Run As option that is displayed when you right click the file?" Thanks -Don |
Ads |
#2
|
|||
|
|||
How to prevent Office apps from launching executables
Ultimately you need to control access to files, including execution, via
user group membership and NTFS permissions. If a user does not have read/execute permissions to a file then they can not execute it. Read the info in the link below on NTFS permissions. Share permissions only apply to files acessed via a network share. When configuring permissions avoid using deny permissions as a lack of permisison is an implicit deny. You can run into BIG problems using deny permissions such as deny to the users or everyone group because those groups also include the administrator account though ultimately an administrator can always regain access if he knows how to. If your users are members of the local administrators group on their computers it will be very difficult to restrict them at best. http://articles.techrepublic.com.com...1-6152061.html Steve "Don Giddens" wrote in message ... I posted the following in an Office forum and they recommended that I post it here. Please let me know your thoughts. "I noticed that Word and other Office apps will allow a user to execute any file type. All you have to do is click File, Open...select view all file types, right click the file to execute and then select "Run As" and bingo, the file executes. From a security perspective, this is a major issue for our company. Is there any way to limit the file types that can be viewed or designate the directory that the File Open option can only view or disable the Run As option that is displayed when you right click the file?" Thanks -Don |
#3
|
|||
|
|||
How to prevent Office apps from launching executables
Unless you also prevent access to the desktop and start menu, I fail to see what security advantage there is in disabling File..Run menu items (which I presume is what you refer-to) If the user can open a commandprompt and understands the basics of DOS syntax they can launch anything they like. Nevertheless you can customise the menus in most Office apps by right-clicking any toolbar and selecting Customise. Drag the items you don't want off the menu to any blank part of the page. Trying to lock-down executables with NTFS permissions is an exercise akin to concreting your furniture to the floor so you needn't bother locking the house. I don't see it as practical, either in terms of the sheer effort involved or the problems it will cause. TrustNoExe may be some help here, we've applied it to some computers whose users have 'itchy fingers.' Though, I have found it to be crashprone on some hardware. http://beyondlogic.org/ "Don Giddens" wrote: I posted the following in an Office forum and they recommended that I post it here. Please let me know your thoughts. "I noticed that Word and other Office apps will allow a user to execute any file type. All you have to do is click File, Open...select view all file types, right click the file to execute and then select "Run As" and bingo, the file executes. From a security perspective, this is a major issue for our company. Is there any way to limit the file types that can be viewed or designate the directory that the File Open option can only view or disable the Run As option that is displayed when you right click the file?" Thanks -Don |
#4
|
|||
|
|||
How to prevent Office apps from launching executables
Our system is locked down so the users don't have access to the desktop.
Basically, we launch our own shell application at boot instead of Explorer. If a user needs access to exe's such as cmd.exe or explorer.exe, they must enter a corporate password that can be configured to change every minute if necessary. Users are typically never provided with the password since a support associate will remote into the system and then they enter the password. Our shell application can be configured to launch additional applications as well, either password protected or open. In this instance, the customer wants to provide their associates with access to Word & Excel, but doing so will circumvent the security of or shell since they will be able to start any application from Word, Excel or any application that utilizes the MS File/Open functionality. "Anteaus" wrote: Unless you also prevent access to the desktop and start menu, I fail to see what security advantage there is in disabling File..Run menu items (which I presume is what you refer-to) If the user can open a commandprompt and understands the basics of DOS syntax they can launch anything they like. Nevertheless you can customise the menus in most Office apps by right-clicking any toolbar and selecting Customise. Drag the items you don't want off the menu to any blank part of the page. Trying to lock-down executables with NTFS permissions is an exercise akin to concreting your furniture to the floor so you needn't bother locking the house. I don't see it as practical, either in terms of the sheer effort involved or the problems it will cause. TrustNoExe may be some help here, we've applied it to some computers whose users have 'itchy fingers.' Though, I have found it to be crashprone on some hardware. http://beyondlogic.org/ "Don Giddens" wrote: I posted the following in an Office forum and they recommended that I post it here. Please let me know your thoughts. "I noticed that Word and other Office apps will allow a user to execute any file type. All you have to do is click File, Open...select view all file types, right click the file to execute and then select "Run As" and bingo, the file executes. From a security perspective, this is a major issue for our company. Is there any way to limit the file types that can be viewed or designate the directory that the File Open option can only view or disable the Run As option that is displayed when you right click the file?" Thanks -Don |
Thread Tools | |
Display Modes | |
|
|