How to prevent Office apps from launching executables

  • Thread starter Thread starter Don Giddens
  • Start date Start date
D

Don Giddens

I posted the following in an Office forum and they recommended that I post it
here. Please let me know your thoughts.

"I noticed that Word and other Office apps will allow a user to execute any
file type. All you have to do is click File, Open...select view all file
types,
right click the file to execute and then select "Run As" and bingo,
the file executes.

From a security perspective, this is a major issue for our company.
Is there any way to limit the file types that can be viewed or
designate the directory that the File Open option can only view or disable
the Run As option that is displayed when you right click the file?"

Thanks
-Don
 
Ultimately you need to control access to files, including execution, via
user group membership and NTFS permissions. If a user does not have
read/execute permissions to a file then they can not execute it. Read the
info in the link below on NTFS permissions. Share permissions only apply to
files acessed via a network share. When configuring permissions avoid using
deny permissions as a lack of permisison is an implicit deny. You can run
into BIG problems using deny permissions such as deny to the users or
everyone group because those groups also include the administrator account
though ultimately an administrator can always regain access if he knows how
to. If your users are members of the local administrators group on their
computers it will be very difficult to restrict them at best.

http://articles.techrepublic.com.com/5100-10878_11-6152061.html

Steve
 
Unless you also prevent access to the desktop and start menu, I fail to see
what security advantage there is in disabling File..Run menu items (which I
presume is what you refer-to) If the user can open a commandprompt and
understands the basics of DOS syntax they can launch anything they like.

Nevertheless you can customise the menus in most Office apps by
right-clicking any toolbar and selecting Customise. Drag the items you don't
want off the menu to any blank part of the page.

Trying to lock-down executables with NTFS permissions is an exercise akin to
concreting your furniture to the floor so you needn't bother locking the
house. I don't see it as practical, either in terms of the sheer effort
involved or the problems it will cause.

TrustNoExe may be some help here, we've applied it to some computers whose
users have 'itchy fingers.' Though, I have found it to be crashprone on some
hardware.

http://beyondlogic.org/
 
Our system is locked down so the users don't have access to the desktop.
Basically, we launch our own shell application at boot instead of Explorer.
If a user needs access to exe's such as cmd.exe or explorer.exe, they must
enter a corporate password that can be configured to change every minute if
necessary. Users are typically never provided with the password since a
support associate will remote into the system and then they enter the
password.

Our shell application can be configured to launch additional applications as
well, either password protected or open. In this instance, the customer wants
to provide their associates with access to Word & Excel, but doing so will
circumvent the security of or shell since they will be able to start any
application from Word, Excel or any application that utilizes the MS
File/Open functionality.
 
Back
Top