The operating system policies discussed in this chapter do not directly affect macro security in Microsoft Office 2003 Editions, nor do they change the way security is handled by any of the Office applications. However, these policies can help limit the exposure of critical portions of a network, operating system, or user interface to potentially destructive changes by users. Some of these settings can even mitigate the first level of attack by most attackers.
By setting these policies, an administrator can reduce the amount of data that users are exposed to or reduce the number of choices users must make while they interact with the system. As a result, productivity can increase by not having to support some features and by streamlining the user interface of the operating system. The policies in this section are available within the listed templates.
It is highly recommended that administrators examine the policy templates for the operating systems their users are working with. Several policies provide methods to help control and enforce the configuration of the operating system and help reduce the probability of a user inadvertently creating a problem. These policies potentially limit access to features of the operating system that users do not need to use or should not use.
Note: The system.adm template cannot be copied between different versions of Microsoft Windows operating systems. The Microsoft Windows 2000 and Microsoft Windows XP operating systems each have a unique system.adm template. Attempting to use a system.adm from a Windows XP system on a Windows 2000 system may cause unexpected results.
The ADM templates discussed in this chapter are not included with the Office Resource Kit and should already be installed in the INF directory of the Windows install folder. (The Windows install folder can be discovered by entering SET in a command prompt and looking for the returned WINDIR environment variable value.)
The following list of policy templates and associated policy groupings provides a sampling of the policies you can explore to limit the user environment in Microsoft Windows 2000 and Microsoft Windows XP operating systems.
The following policy templates are available for both Windows 2000 and Windows XP:
system.adm
conf.adm
inetres.adm
dw20.adm
These templates should already be installed on your computer. When you install the Office Resource Kit to any computer, the AER_1033.adm (or respective language-related instance of the application error reporting file) will be copied into the INF folder. The AER_1033.adm file replaces the dw20.adm template. When Office 2003 is installed to a system where policies are enabled and in use, the dw20.adm template used by the administrator to create a POL file should be removed from the system, and the settings that were in use should now be reset by using the AER_1033.adm version of the template and then redistributed.
For each template, the respective policy groupings (and the differences between Windows 2000 and Windows XP) are noted below.
system.adm
    Start Menu and Taskbar
    Desktop
        Active Desktop
        Active Directory
    Control Panel
        Add/Remove Programs
        Display
        Printers
        Regional and Language Options
    Shared Folders—(Windows XP)
    Network
        Offline Files
        Network Connections—(Windows XP)
        Network and Dial-up Connections—(Windows 2000)
    System
        User Profiles—(Windows XP)
        Scripts—(Windows XP)
        Ctrl + Alt + Del Options—(Windows XP)
        Logon—(Windows XP)
        Logon/Logoff—(Windows 2000)
        Group Policy
        Power Management—(Windows XP)
    Windows Components
        Windows Explorer
        Microsoft Management Console
        Task Scheduler
        Terminal Services—(Windows XP)
        Windows Installer
        Windows Messenger—(Windows XP)
        Windows Update
conf.adm
    Netmeeting
        Application Sharing
        Audio & Video
        Options Page
dw20.adm
    Application Error Reporting
        General Reporting
        Corporate Error Reporting
        Queued Reporting
AER_1033.adm—replacement for dw20.adm
    Application Error Reporting
        General Reporting
        Corporate Error Reporting
        Queued Reporting
inetres.adm
    Internet Explorer
        Internet Control Panel
        Offline Pages
        Browser menus
        Toolbars
        Persistence Behavior
        Administrator Approved Controls
Each operating system uses templates with the same names, but depending on the operating system, there may be different sets of available policies and, as noted below, different text to describe the same policy. Windows XP has more available policies and is a superset of the Windows 2000 policies.
The following list contains some of the policies considered most beneficial to an administrator in a corporate setting. However, it is recommended that an administrator examine all of the available policies that are part of the system.adm template. Many of the available policies can simplify administration of a large-scale deployment of Office and the related workstations that it is installed to.
system.adm
    Remove Run menu from Start Menu
    Disable Control Panel—(Windows 2000)
    Prohibit access to the Control Panel—(Windows XP)
    Disable Task Manager—(Windows 2000)
    Remove Task Manager—(Windows XP)
    Disable Logoff—(Windows 2000)
    Remove Logoff—(Windows XP)
    Disable the command prompt—(Windows 2000)
    Prevent access to the command prompt—(Windows XP)
    Disable registry editing tools—(Windows 2000)
    Prevent access to registry editing tools—(Windows XP)
    Run only allowed Windows applications
    Don’t run specified Windows applications
    Disable Add/Remove Programs—(Windows 2000)
    Remove Add/Remove Programs—(Windows XP)
    Password protect the screen saver
    Disable and remove the Shut Down command—(Windows 2000)
    Remove and prevent access to the Shut Down command—(Windows XP)
    Disable deletion of printers—(Windows 2000)
    Prevent deletion of Printers—(Windows XP)
    Disable addition of printers—(Windows 2000)
    Prevent addition of printers—(Windows XP)
    Hide these specified drives in My Computer
    No “Entire Network” in My Network Places
inetres.adm
    Disable changing proxy settings
    Disable changing ratings settings
    Disable changing certificate settings
    Do not allow AutoComplete to save passwords
    Disable Internet Connection wizard
    Disable the Security Page
    Disable the Advanced Page
    File menu: Disable Save As… menu option
    Disable Save this program to disk option
conf.adm
    Prevent automatic acceptance of Calls
    Prevent sending files
    Prevent receiving files
    Disable Chat
    Disable application Sharing
    Prevent Sharing
    Prevent Desktop Sharing
    Prevent Sharing Command Prompts
    Prevent Sharing Explorer Windows
    Limit the Bandwidth of Audio and Video
    Disable Audio
    Disable full duplex Audio
    Prevent sending Video
    Prevent receiving Video
Unlike previous releases of the Office Resource Kit, the registry keys associated with these policies will not be presented here. Instead, if you plan to use the policy registry entries by using a means other than the Active Directory directory service, it is recommended that you open the ADM template that the policy entry is stored in and paste the related policy from the template into a REG file. From this REG file, you can distribute the policy registry entries to anyone you want to, employing the means your organization uses to distribute such files.
Another option for implementing these policies is to create a test workstation, implement the policies on that computer, and then use the Office Profile Wizard to capture the profile of that computer and distribute it to other users. This process may require customization of the INI file used by the Office Profile Wizard. Remember, though, that a computer profile captured from a Windows XP computer will not implement the Windows XP–only policies on a Windows 2000 computer. Any unsupported policies distributed to the registry of the Windows 2000 computer are ignored.
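The ADM-to-REG step described above, as an added example that is not from the Office Resource Kit: a small Python script (assumed tooling, not Microsoft's) parses the POLICY blocks of a constructed ADM fragment, resolves the !! names through the [strings] section, and writes the selected policies as REG file text in either their enabled state or their reset (VALUEOFF) state, grouped by registry key.

```python
import re
# Constructed ADM fragment in real ADM syntax (not copied from system.adm); the key/value pairs are the documented ones.
ADM_FRAGMENT = r'''CLASS USER
  POLICY !!NoRun
    KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    VALUENAME "NoRun"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY
  POLICY !!DisableRegedit
    KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\System"
    VALUENAME "DisableRegistryTools"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY
[strings]
NoRun="Remove Run menu from Start Menu"
DisableRegedit="Prevent access to registry editing tools"
'''
HIVES = {"USER": "HKEY_CURRENT_USER", "MACHINE": "HKEY_LOCAL_MACHINE"}
def parse_adm(text):
    """Collect each POLICY block (keywords uppercase, as in Microsoft's templates); !!names resolve via [strings]."""
    body, _, tail = text.partition("[strings]")
    strings = dict(re.findall(r'^\s*(\w+)="(.*)"\s*$', tail, re.M))
    hive, cur, policies = None, None, []
    for line in body.splitlines():
        kw, _, rest = line.strip().partition(" ")
        if kw == "CLASS":            # CLASS USER / CLASS MACHINE selects the hive
            hive = HIVES[rest]
        elif kw == "POLICY":
            cur = {"name": strings.get(rest.lstrip("!"), rest), "hive": hive}
            policies.append(cur)
        elif cur and kw in ("KEYNAME", "VALUENAME"):
            cur[kw.lower()] = rest.strip('"')
        elif cur and kw in ("VALUEON", "VALUEOFF") and rest.startswith("NUMERIC"):
            cur[kw.lower()] = int(rest.split()[1])
        elif kw == "END":            # END POLICY (or END CATEGORY) closes the block
            cur = None
    return policies

def to_reg(policies, wanted, enable=True):
    """Render the selected policies as REG file text (ON or OFF state), grouped by key."""
    out, by_key = ["Windows Registry Editor Version 5.00", ""], {}
    for p in policies:
        if p["name"] in wanted:
            by_key.setdefault(f'[{p["hive"]}\\{p["keyname"]}]', []).append(
                f'"{p["valuename"]}"=dword:{p["valueon" if enable else "valueoff"]:08x}')
    for key, vals in by_key.items():
        out += [key, *vals, ""]
    return "\r\n".join(out)
```

Calling to_reg with enable=False produces the VALUEOFF entries, which is the REG file you would distribute to reset a policy that was previously pushed out.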
Note: If you are deploying Office to both Windows 2000 and Windows XP operating systems, use of the system.adm template when creating a policy file requires special handling in the Active Directory implementation of policies on a corporate network. They cannot be used interchangeably.
If you want to propagate policy registry entries at the time of deployment, it is possible to include the registry entries in the Add/Remove Registry Entries page of the Custom Installation Wizard, and they will be stored in the transform. However, management of the policies after distribution in this method is much more difficult than using Active Directory or distributing the POL file from the domain controller during logon.
Note: Unlike previous releases of Office, the System Policy Editor is no longer supported. Also, posting of a policy file created by the System Policy Editor is no longer supported, since the Group Policy snap-in does not create a POL file that can combine both the HKLM and HKCU portions of the registry into one POL file. Only Active Directory implementations of policy files are supported for Office 2003.