Securing / Locking down _Outlook 2000_ using GPO...

Archived from groups: microsoft.public.windows.group_policy,microsoft.public.outlook,microsoft.public.outlook.general,microsoft.public.win2000.security (More info?)

Hi all!!

Am trying to do (what seems) impossible:
I'm trying to "lock down" the action that users are enabled to do in
Outlook 2000, using Group Policy or any other available means...
Any help with this scenario would be more than appreciated.

* The issue:
We have a group of users that deal with specially sensitive information.
We have managed to (reasonably) lock down the Windows Desktop, so that
the users are restricted as to where they put information and suchlike.

They can only run a few apps from the Explorer interface (using Group
Policy), and we don't want them to run any others except those whose
links they have handy.

*BUT* these users use Outlook (they share a .pst where they store mails to
be approved and sent by the group's security supervisor).

We don't want them launching any program from within Outlook. Using the
"disable interface" functionality in the Office Resource Kit, we've
disabled "Options" and "Accounts" (we don't want them to configure any
other email account), "Insert -> Object", "Forms" (apparently, it was
possible to create a form and embed an object/file that could be run).
Also, any "Macros", or "Visual Basic" is gone, too.

Now it seems that it's possible to attach an .exe file to the email,
save the email, and run the file after opening the email. I am looking
into attachment blocking to prevent that....

BUT there seems to be a way to use the "favorites places" bar (on the
left by default) to create a link to programs on the PC, and then run
them... How can I avoid that??!!

Frankly, I'm beginning to despair that securing Outlook in this way can
be done at all. Any and all help will be more than welcome.

Thanks a lot

Javier J.
 
Archived from groups: microsoft.public.win2000.security

You're taking the wrong approach. Think of these kinds of controls as requests
to the computer, asking it to behave nicely. Since you've got Group Policy,
though, you've got a far more powerful option: software restriction policies.

With an SRP you can specify exactly which applications the users can run,
and everything else is blocked. You don't have to worry about hiding shortcut
icons or disabling Outlook functionality or whatever; an SRP is a true enforcement
of only what's allowed.

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/srp_overview.mspx
will get you started.

Steve Riley
steriley@microsoft.com



> Hi all!!
>
> Am trying to do (what seems) impossible:
> I'm trying to "lock down" the action that users are enabled to do in
> Outlook 2000, using Group Policy or any other available means...
> Any help with this scenario would be more than appreciated.
> * The issue:
> We have a group of users that deal with specially sensitive
> information.
> We have managed to (reasonably) lock down the Windows Desktop, so that
> the users are restricted as to where they put information and
> suchlike.
> They can only run a few apps from the Explorer interface (using Group
> Policy), and we don't want them to run any others except those whose
> links they have handy.
>
> *BUT* these users use Outlook (they share a .pst where they store mails
> to be approved and sent by the group's security supervisor).
>
> We don't want them launching any program from within Outlook. Using
> the "disable interface" functionality in the Office Resource Kit,
> we've disabled "Options" and "Accounts" (we don't want them to
> configure any other email account), "Insert -> Object", "Forms"
> (apparently, it was possible to create a form and embed an object/file
> that could be run). Also, any "Macros", or "Visual Basic" is gone,
> too.
>
> Now it seems that it's possible to attach an .exe file to the email,
> save the email, and run the file after opening the email. I am looking
> into attachment blocking to prevent that....
>
> BUT there seems to be a way to use the "favorites places" bar (on the
> left by default) to create a link to programs on the PC, and then run
> them... How can I avoid that??!!
>
> Frankly, I'm beginning to despair that securing Outlook in this way
> can be done at all. Any and all help will be more than welcome.
>
> Thanks a lot
>
> Javier J.
>
 
Archived from groups: microsoft.public.win2000.security

Mmm

Yes and no :)

I'm afraid, I forgot to add that the client OS in question is Windows
_2000_ Pro, so no Software Restriction Policy is available. But good
pointer, I'll look into it...

Just a quick question off-the-top of my head, when I specify _what_
software the user is allowed to run, do I need to specify also the
"Operating System" components, or is the policy only for user-initiated
program startup??...

What I'm trying to get to is that I want to prevent users from running
things such as "ftp.exe" and similar, that are located on %windir% and
%systemroot% (so no path rule) and are ms-provided (no certificate rule,
either)...

Well, truth be told, the only programs that should run are Outlook
(in "as-restricted-as-possible" mode), ORANT (Oracle NT Client) and the
programs the system needs to connect to the domain and update Group
Policy (whatever those might be).

Thanks a lot anyhow. Any further ideas more than welcome.

Javier Jarava

Steve Riley [MSFT] wrote:
> You're taking the wrong approach. Think of these kinds of controls as
> requests to the computer, asking it to behave nicely. Since you've got
> Group Policy, though, you've got a far more powerful option: software
> restriction policies.
>
> With an SRP you can specify exactly which applications the users can
> run, and everything else is blocked. You don't have to worry about
> hiding shortcut icons or disabling Outlook functionality or whatever; an
> SRP is a true enforcement of only what's allowed.
>
> http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/srp_overview.mspx
> will get you started.
>
> Steve Riley
> steriley@microsoft.com
>
>
>
>> Hi all!!
>>
>> Am trying to do (what seems) impossible:
>> I'm trying to "lock down" the action that users are enabled to do in
>> Outlook 2000, using Group Policy or any other available means...
>> Any help with this scenario would be more than appreciated.
>> * The issue:
>> We have a group of users that deal with specially sensitive
>> information.
>> We have managed to (reasonably) lock down the Windows Desktop, so that
>> the users are restricted as to where they put information and
>> suchlike.
>> They can only run a few apps from the Explorer interface (using Group
>> Policy), and we don't want them to run any others except those whose
>> links they have handy.
>>
>> *BUT* these users use Outlook (they share a .pst where they store mails
>> to be approved and sent by the group's security supervisor).
>>
>> We don't want them launching any program from within Outlook. Using
>> the "disable interface" functionality in the Office Resource Kit,
>> we've disabled "Options" and "Accounts" (we don't want them to
>> configure any other email account), "Insert -> Object", "Forms"
>> (apparently, it was possible to create a form and embed an object/file
>> that could be run). Also, any "Macros", or "Visual Basic" is gone,
>> too.
>>
>> Now it seems that it's possible to attach an .exe file to the email,
>> save the email, and run the file after opening the email. I am looking
>> into attachment blocking to prevent that....
>>
>> BUT there seems to be a way to use the "favorites places" bar (on the
>> left by default) to create a link to programs on the PC, and then run
>> them... How can I avoid that??!!
>>
>> Frankly, I'm beginning to despair that securing Outlook in this way
>> can be done at all. Any and all help will be more than welcome.
>>
>> Thanks a lot
>>
>> Javier J.
>>
>
>
 
Archived from groups: microsoft.public.win2000.security

If you configure Group Policy administrative templates/user
configuration/system to populate the list of "run only" applications, they
will be able to log on to the computer but not much else. You will then have
to add executables to the run only list for users to run applications, which
may not be as simple as it first seems, since an application may call related
executables; though you can use the free Filemon from SysInternals to see
file use in real time and check the log for access denied to troubleshoot
such. You would also want to make sure that Windows Update, antivirus, and
such work. NTFS permissions can also be used to restrict access to an
executable, but many binaries will run if the user is able to access them
from another path. In such a case, adding those files to the disallowed Windows
application list may help. Note that if a user is able to rename an
executable they can bypass Group Policy application restrictions, and be sure
to read the full explanation of exactly what these Group Policy settings do.

You may also want to implement a computer use policy for users that spells
out exactly what is and what is not acceptable use, with stated consequences. If
you don't plan to enforce such a policy, don't bother however. I suggest that
you invest in at least a couple of upgrades to XP Pro so you can see the
power of Software Restriction Policies. You more than likely will find the
investment in XP Pro to be a money saver in the long run, and you can manage XP
Pro Group Policy settings in a Windows 2000 domain.

--- Steve Umbach


"Javier J" <no.mail@please.no> wrote in message
news:eFl$jGKCFHA.3180@TK2MSFTNGP10.phx.gbl...
> Mmm
>
> Yes and no :)
>
> I'm afraid, I forgot to add that the client OS in question is Windows
> _2000_ Pro, so no Software Restriction Policy is available. But good
> pointer, I'll look into it...
>
> Just a quick question off-the-top of my head, when I specify _what_
> software the user is allowed to run, do I need to specify also the
> "Operating System" components, or is the policy only for user-initiated
> program startup??...
>
> What I'm trying to get to is that I want to prevent users from running
> things such as "ftp.exe" and similar, that are located on %windir% and
> %systemroot% (so no path rule) and are ms-provided (no certificate rule,
> either)...
>
> Well, truth be told, the only programs that should run are Outlook (in
> "as-restricted-as-possible" mode), ORANT (Oracle NT Client) and the
> programs the system needs to connect to the domain and update Group Policy
> (whatever those might be).
>
> Thanks a lot anyhow. Any further ideas more than welcome.
>
> Javier Jarava
>
> Steve Riley [MSFT] wrote:
>> You're taking the wrong approach. Think of these kinds of controls as
>> requests to the computer, asking it to behave nicely. Since you've got
>> Group Policy, though, you've got a far more powerful option: software
>> restriction policies.
>>
>> With an SRP you can specify exactly which applications the users can run,
>> and everything else is blocked. You don't have to worry about hiding
>> shortcut icons or disabling Outlook functionality or whatever; an SRP is
>> a true enforcement of only what's allowed.
>>
>> http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/srp_overview.mspx
>> will get you started.
>>
>> Steve Riley
>> steriley@microsoft.com
>>
>>
>>
>>> Hi all!!
>>>
>>> Am trying to do (what seems) impossible:
>>> I'm trying to "lock down" the action that users are enabled to do in
>>> Outlook 2000, using Group Policy or any other available means...
>>> Any help with this scenario would be more than appreciated.
>>> * The issue:
>>> We have a group of users that deal with specially sensitive
>>> information.
>>> We have managed to (reasonably) lock down the Windows Desktop, so that
>>> the users are restricted as to where they put information and
>>> suchlike.
>>> They can only run a few apps from the Explorer interface (using Group
>>> Policy), and we don't want them to run any others except those whose
>>> links they have handy.
>>>
>>> *BUT* these users use Outlook (they share a .pst where they store mails
>>> to be approved and sent by the group's security supervisor).
>>>
>>> We don't want them launching any program from within Outlook. Using
>>> the "disable interface" functionality in the Office Resource Kit,
>>> we've disabled "Options" and "Accounts" (we don't want them to
>>> configure any other email account), "Insert -> Object", "Forms"
>>> (apparently, it was possible to create a form and embed an object/file
>>> that could be run). Also, any "Macros", or "Visual Basic" is gone,
>>> too.
>>>
>>> Now it seems that it's possible to attach an .exe file to the email,
>>> save the email, and run the file after opening the email. I am looking
>>> into attachment blocking to prevent that....
>>>
>>> BUT there seems to be a way to use the "favorites places" bar (on the
>>> left by default) to create a link to programs on the PC, and then run
>>> them... How can I avoid that??!!
>>>
>>> Frankly, I'm beginning to despair that securing Outlook in this way
>>> can be done at all. Any and all help will be more than welcome.
>>>
>>> Thanks a lot
>>>
>>> Javier J.
>>>
>>
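As an added illustration of Steve Umbach's "run only" approach (this is example code written for this page, not anything posted in the thread): a Python script that pulls the executables a permitted application was denied from a constructed Filemon-style log, emits the registry fragment behind the "Run only allowed Windows applications" template so the allow list can be reviewed before deployment, and shows that the policy compares file names only, which is the rename limitation he notes and the reason hash-based Software Restriction Policies are the stronger control. The Filemon column layout is an approximation and the allowed names are assumed.

```python
# Constructed sample of a Filemon text export (tab-separated columns:
# seq, time, process:pid, request, path, result, other). The column layout
# approximates Filemon's output; these are not captured log lines.
FILEMON_LOG = (
    "1\t10:02:11 AM\tEXPLORER.EXE:1204\tOPEN\tC:\\Office\\OUTLOOK.EXE\tSUCCESS\tAccess: Execute\n"
    "2\t10:02:12 AM\tOUTLOOK.EXE:1388\tOPEN\tC:\\WINNT\\system32\\MAPISP32.EXE\tACCESS DENIED\tAccess: Execute\n"
    "3\t10:02:15 AM\tEXPLORER.EXE:1204\tOPEN\tC:\\WINNT\\system32\\ftp.exe\tACCESS DENIED\tAccess: Execute\n"
    "4\t10:02:16 AM\tOUTLOOK.EXE:1388\tOPEN\tC:\\TEMP\\~df1.tmp\tACCESS DENIED\tAccess: All\n"
    "5\t10:02:20 AM\tOUTLOOK.EXE:1388\tOPEN\tC:\\WINNT\\system32\\RUNDLL32.EXE\tACCESS DENIED\tAccess: Execute\n"
)


def denied_executables(log_text):
    """Return (calling process, exe name) pairs for executables whose open was
    denied. Helps decide which helper binaries an allowed application needs
    (here: what Outlook itself tried to launch) versus what a user tried."""
    hits = []
    for line in log_text.splitlines():
        cols = line.split("\t")
        if len(cols) < 6 or cols[5] != "ACCESS DENIED":
            continue
        path = cols[4]
        if not path.lower().endswith(".exe"):
            continue  # temp files and data files are not launch candidates
        process = cols[2].split(":")[0].lower()
        hits.append((process, path.rsplit("\\", 1)[-1].lower()))
    return hits


def restrictrun_reg(allowed):
    """Emit a .reg fragment for the 'Run only allowed Windows applications'
    user policy (the registry values set by the system.adm template; the
    allow list is stored as values numbered 1..n under RestrictRun)."""
    key = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    lines = ["Windows Registry Editor Version 5.00", "", "[" + key + "]",
             '"RestrictRun"=dword:00000001', "", "[" + key + "\\RestrictRun]"]
    lines += ['"%d"="%s"' % (i, name) for i, name in enumerate(allowed, 1)]
    return "\n".join(lines) + "\n"


def policy_allows(full_path, allowed):
    """Model of the policy's decision: only the file name is compared, never
    the directory or the file contents, which is why Umbach warns that a
    renamed executable slips past it and why SRP hash rules are preferable."""
    name = full_path.rsplit("\\", 1)[-1].lower()
    return name in {a.lower() for a in allowed}
```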