Chapter 24: Locked-down Configurations



The Microsoft Windows 2000 and Microsoft Windows XP operating systems can help to provide a security-enhanced working environment for multiple users. This enhanced security is achieved by allowing permission-restricted access to registry branches and hard disk folders on NTFS-formatted disks connected to the same computer running these operating systems. When this restrictive access is enabled on a computer, the computer configuration is known as locked down.

With a locked-down configuration, only someone with administrative permissions to the registry and system-related folders on the hard disk where the operating system resides can make changes to the configuration of the computer. Locking down a system helps to prevent users from installing new software, removing existing software, changing currently configured application settings, updating system files to different levels, and viewing other users’ files.

Locking Down an Office Configuration

Administrators can configure an installation of Microsoft Office 2003 that restricts user access to some or all menu options by using policies, the Custom Installation Wizard or—after an initial installation—the Custom Maintenance Wizard.

To further restrict users' access to system areas, administrators can lock portions of the registry, as well as folders or drives, by using the security-related features of Microsoft Windows 2000 and Windows XP. The following registry branches can be locked safely:

  • HKEY_LOCAL_MACHINE (HKLM)

  • HKEY_CLASSES_ROOT (HKCR)

  • HKEY_CURRENT_CONFIG (HKCC)

Locking down the HKEY_USERS or HKEY_CURRENT_USER branches can present problems for some applications and should only be done by an experienced administrator after thorough testing of Office applications on a test computer.

Each customized installation of Office is unique and requires testing, especially if registry branches are going to be locked down. Users can encounter problems when applications they are using try to make changes to a locked portion of the registry.

To lock down the registry for systems running Windows 2000 and Windows XP, use the Registry Editor (regedt32.exe for Windows 2000 and regedit.exe for Windows XP). Regedit.exe and regedt32.exe are not available as shortcuts from the Start menu. You must run them by selecting Start, pointing to Run, then typing regedt32 or regedit in the Open combo box.

To lock down a branch of the registry with regedt32 for Windows 2000

  1. Select the registry branch or node you want to lock down.

  2. Select Security.

  3. Select Permissions.

  4. Add permissions for administrators of the computer to Full Control, if those permissions are not already present.

  5. Set permissions for Everyone to Read.

  6. Click OK.

To lock down a branch of the registry with regedit for Windows XP

  1. Select the registry branch or node you want to lock down.

  2. Select Edit.

  3. Select Permissions.

  4. Add permissions for administrators of the computer to Full Control, if those permissions are not already present.

  5. Set permissions for Everyone to Read.

  6. Click OK.

Changes to permissions are enforced the moment you click OK.

You can also create an access control list (ACL) to lock the Policies subkey in the Windows registry. This option prevents users from changing a policy configuration setting by modifying security settings in the user’s registry. See the Group Policy snap-in Help for further information.

To lock the Office-related nodes of the registry, set permissions on HKLM\Software\Microsoft\Office or HKCU\Software\Microsoft\Office, or both. If you don’t want users to have write or edit permissions to any Microsoft applications, set permissions on the nodes HKLM\Software\Microsoft or HKCU\Software\Microsoft, or both. Locking just these nodes does not lock down all of the possible Office registry entries. However, it does cover the majority of entries available to users.
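
The following is an added example, not part of the original Resource Kit text: a PowerShell audit that checks whether the Office nodes named above are locked down as the procedures describe (Administrators with Full Control, everyone else read-only). It assumes Windows PowerShell 2.0 or later is installed; the function name Get-RegistryWriteGrant and the choice to treat SYSTEM as trusted alongside Administrators are assumptions of this example.

```powershell
# Added example: list every Allow rule that still grants write-type access
# on a registry key to a principal other than Administrators or SYSTEM.
# An empty result means the key matches the locked-down state described above.
function Get-RegistryWriteGrant {
    param(
        [Parameter(Mandatory = $true)][string[]]$Path,
        # Well-known SIDs (locale independent): BUILTIN\Administrators, SYSTEM.
        # Treating SYSTEM as trusted is an assumption of this example.
        [string[]]$TrustedSid = @('S-1-5-32-544', 'S-1-5-18')
    )
    # SetValue | CreateSubKey | CreateLink | Delete | ChangePermissions |
    # TakeOwnership, plus raw GENERIC_WRITE (0x40000000) and GENERIC_ALL
    # (0x10000000), which inherited ACEs can carry instead of specific rights.
    $writeMask = 0x500D0026
    $sidType   = [System.Security.Principal.SecurityIdentifier]

    foreach ($key in $Path) {
        if (-not (Test-Path -Path $key)) {
            Write-Warning "Key not found: $key"
            continue
        }
        $acl = Get-Acl -Path $key
        # Include explicit and inherited rules; report identities as SIDs.
        foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            $sid = $rule.IdentityReference.Value
            if ($TrustedSid -contains $sid) { continue }
            $granted = [int]$rule.RegistryRights -band $writeMask
            if ($granted -ne 0) {
                New-Object PSObject -Property @{
                    Path      = $key
                    Sid       = $sid
                    Rights    = [System.Security.AccessControl.RegistryRights]$granted
                    Inherited = $rule.IsInherited
                }
            }
        }
    }
}

# Audit the Office nodes named in the text for the current machine and user.
Get-RegistryWriteGrant -Path 'HKLM:\Software\Microsoft\Office',
                             'HKCU:\Software\Microsoft\Office'
```

A rule reported with Inherited set to True comes from a parent key, so the permission has to be changed where it is defined or inheritance adjusted on the audited key.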

Resources and related information

Enabling Terminal Services on an operating system applies specific permissions to the HKCU and HKLM nodes of the registry. See “Locking Down the Operating System” in the next section for more information.

To restrict access to menu options, see “Managing Users’ Configurations by Policy” in Chapter 18, “Updating Users’ Office 2003 Configurations.”




Microsoft Office 2003 Resource Kit 2003
Microsoft Office 2003 Editions Resource Kit (Pro-Resource Kit)
ISBN: 0735618801
EAN: 2147483647
Year: 2004
Pages: 196
