Operating System Policies


The operating system policies discussed in this chapter do not directly affect macro security in Microsoft Office 2003 Editions, nor do they change the way security is handled by any of the Office applications. However, these policies can help limit the exposure of critical portions of a network, operating system, or user interface to potentially destructive changes by users. Some of these settings can even mitigate the first level of attack by most attackers.

By setting these policies, an administrator can reduce the amount of data that users are exposed to or reduce the number of choices users must make while they interact with the system. As a result, productivity can increase because some features no longer need to be supported and the user interface of the operating system is streamlined. The policies in this section are available within the listed templates.

It is highly recommended that administrators examine the policy templates for the operating systems their users are working with. Several policies provide methods to help control and enforce the configuration of the operating system and help reduce the probability of a user inadvertently creating a problem. These policies potentially limit access to features of the operating system that users do not need to use or should not use.

Note

The system.adm template cannot be copied between different versions of Microsoft Windows operating systems. The Microsoft Windows 2000 and Microsoft Windows XP operating systems each have a unique system.adm template. Attempting to use a system.adm from a Windows XP system on a Windows 2000 system may cause unexpected results.

The ADM templates discussed in this chapter are not included with the Office Resource Kit and should already be installed in the INF directory of the Windows install folder. (The Windows install folder can be discovered by entering SET in a command prompt and looking for the returned WINDIR environment variable value.)

Windows 2000 and Windows XP policies

The following list of policy templates and associated policy groupings provides a sampling of the policies you can explore to limit the user environment in Microsoft Windows 2000 and Microsoft Windows XP operating systems.

The following policy templates are available for both Windows 2000 and Windows XP:

  • system.adm

  • conf.adm

  • inetres.adm

  • dw20.adm

These templates should already be installed on your computer. When you install the Office Resource Kit to any computer, the AER_1033.adm (or respective language-related instance of the application error reporting file) will be copied into the INF folder. The AER_1033.adm file replaces the dw20.adm template. When Office 2003 is installed to a system where policies are enabled and in use, the dw20.adm template used by the administrator to create a POL file should be removed from the system, and the settings that were in use should now be reset by using the AER_1033.adm version of the template and then redistributed.

For each template, the respective policy groupings (and the differences between Windows 2000 and Windows XP) are noted below.

  • system.adm

    Start Menu and Taskbar

    Desktop

    Active Desktop

    Active Directory

    Control Panel

    Add/Remove Programs

    Display

    Printers

    Regional and Language Options

    Shared Folders—(Windows XP)

    Network

    Offline Files

    Network Connections—(Windows XP)

    Network and Dial-up Connections—(Windows 2000)

    System

    User Profiles—(Windows XP)

    Scripts—(Windows XP)

    Ctrl + Alt + Del Options—(Windows XP)

    Logon—(Windows XP)

    Logon/Logoff—(Windows 2000)

    Group Policy

    Power Management—(Windows XP)

    Windows Components

    Windows Explorer

    Microsoft Management Console

    Task Scheduler

    Terminal Services—(Windows XP)

    Windows Installer

    Windows Messenger—(Windows XP)

    Windows Update

  • conf.adm

    NetMeeting

    Application Sharing

    Audio & Video

    Options Page

  • dw20.adm

    Application Error Reporting

    General Reporting

    Corporate Error Reporting

    Queued Reporting

  • AER_1033.adm—replacement for dw20.adm

    Application Error Reporting

    General Reporting

    Corporate Error Reporting

    Queued Reporting

  • inetres.adm

    Internet Explorer

    Internet Control Panel

    Offline Pages

    Browser menus

    Toolbars

    Persistence Behavior

    Administrator Approved Controls

Security-related policies

Each operating system uses templates with the same names, but depending on the operating system, there may be different sets of available policies and, as noted below, different text to describe the same policy. Windows XP has more available policies and is a superset of the Windows 2000 policies.

The following list of policies has what are considered to be some of the most beneficial policies available to an administrator in a corporate setting. However, it is recommended that an administrator examine all of the available policies that are part of the system.adm template. Many of the available policies can simplify administration of a large-scale deployment of Office and the related workstations that it is installed to.

  • system.adm

    Remove Run menu from Start Menu

    Disable Control Panel—(Windows 2000)

    Prohibit access to the Control Panel—(Windows XP)

    Disable Task Manager—(Windows 2000)

    Remove Task Manager—(Windows XP)

    Disable Logoff—(Windows 2000)

    Remove Logoff—(Windows XP)

    Disable the command prompt—(Windows 2000)

    Prevent access to the command prompt—(Windows XP)

    Disable registry editing tools—(Windows 2000)

    Prevent access to registry editing tools—(Windows XP)

    Run only allowed Windows applications

    Don’t run specified Windows applications

    Disable Add/Remove Programs—(Windows 2000)

    Remove Add/Remove Programs—(Windows XP)

    Password protect the screen saver

    Disable and remove the Shut Down command—(Windows 2000)

    Remove and prevent access to the Shut Down command—(Windows XP)

    Disable deletion of printers—(Windows 2000)

    Prevent deletion of Printers—(Windows XP)

    Disable addition of printers—(Windows 2000)

    Prevent addition of printers—(Windows XP)

    Hide these specified drives in My Computer

    No “Entire Network” in My Network Places

  • inetres.adm

    Disable changing proxy settings

    Disable changing ratings settings

    Disable changing certificate settings

    Do not allow AutoComplete to save passwords

    Disable Internet Connection wizard

    Disable the Security Page

    Disable the Advanced Page

    File menu: Disable Save As… menu option

    Disable Save this program to disk option

  • conf.adm

    Prevent automatic acceptance of Calls

    Prevent sending files

    Prevent receiving files

    Disable Chat

    Disable application Sharing

    Prevent Sharing

    Prevent Desktop Sharing

    Prevent Sharing Command Prompts

    Prevent Sharing Explorer Windows

    Limit the Bandwidth of Audio and Video

    Disable Audio

    Disable full duplex Audio

    Prevent sending Video

    Prevent receiving Video

Unlike previous releases of the Office Resource Kit, the registry keys associated with these policies are not presented here. Instead, if you plan to apply the policy registry entries by a means other than the Active Directory directory service, it is recommended that you open the ADM template that the policy entry is stored in and paste the related policy from the template into a REG file. From this REG file, you can distribute the policy registry entries to any users you choose, employing the means your organization uses to distribute such files. Another option for implementing these policies is to create a test workstation, implement the policies on that computer, and then use the Office Profile Wizard to capture the profile of that computer and distribute it to other users. This process may require customization of the INI file used by the Office Profile Wizard. Remember, though, that a computer profile captured from a Windows XP computer will not implement the Windows XP–only policies on a Windows 2000 computer. Any unsupported policies distributed to the registry of the Windows 2000 computer are ignored.
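The ADM template to REG file step described above, as an added example that is not code from the Resource Kit or from Microsoft: it reads the POLICY blocks of an ADM template and renders the matching REG entries. The sample template and its key and value names are constructed placeholders; the parser assumes the ADM keywords CLASS, CATEGORY, POLICY, KEYNAME, VALUENAME, VALUEON and PART, and converts only simple on/off policies.

```python
import re
# Constructed ADM fragment: key and value names are placeholders, not real policy entries.
SAMPLE_ADM = r'''CLASS USER
CATEGORY !!ExampleCategory
    KEYNAME "Software\Policies\ExampleVendor\Shell"
    POLICY !!HideExampleMenu
        VALUENAME "HideExampleMenu"
    END POLICY
    POLICY !!LockExamplePage
        KEYNAME "Software\Policies\ExampleVendor\Browser"
        VALUENAME "LockExamplePage"
        VALUEON NUMERIC 2
    END POLICY
END CATEGORY
[strings]
HideExampleMenu="Hide the example menu"
LockExamplePage="Lock the example page"'''

def parse_adm(text):
    """Return a dict per simple on/off POLICY; policies with PART blocks are skipped."""
    parts = re.split(r"(?im)^\[strings\]\s*$", text, maxsplit=1) + [""]
    strings = dict(re.findall(r'(?m)^\s*(\w+)\s*=\s*"(.*)"\s*$', parts[1]))
    hive, scopes, pol, found = None, [{"KEYNAME": None}], None, []
    for line in parts[0].splitlines():
        word, arg = re.match(r"\s*(\S*)\s*(.*)", line).groups()
        word, arg = word.upper(), arg.strip().strip('"')
        if word == "CLASS":            # CLASS USER -> HKCU, CLASS MACHINE -> HKLM
            hive = "HKEY_CURRENT_USER" if arg.upper() == "USER" else "HKEY_LOCAL_MACHINE"
        elif word == "CATEGORY":       # a nested category inherits its parent's KEYNAME
            scopes.append(dict(scopes[-1]))
        elif word == "POLICY":         # !!Name refers to an entry in [strings]
            pol = dict(scopes[-1], name=strings.get(arg.lstrip("!"), arg), hive=hive, data=1)
        elif word in ("KEYNAME", "VALUENAME") and (pol or word == "KEYNAME"):
            (pol or scopes[-1])[word] = arg  # policy-level KEYNAME overrides the category's
        elif word == "VALUEON" and pol and arg.upper().startswith("NUMERIC"):
            pol["data"] = int(arg.split()[1])
        elif word == "PART" and pol:   # text boxes, lists: more than one on/off value
            pol["simple"] = False
        elif word == "END" and arg.upper() == "POLICY" and pol:
            if pol.get("simple", True) and pol["KEYNAME"] and "VALUENAME" in pol:
                found.append(pol)
            pol = None
        elif word == "END" and arg.upper() == "CATEGORY" and len(scopes) > 1:
            scopes.pop()
    return found

def to_reg(policies):
    """Render parsed policies as REG file text (Windows 2000/XP header)."""
    fmt = '\r\n; {name}\r\n[{hive}\\{KEYNAME}]\r\n"{VALUENAME}"=dword:{data:08x}\r\n'
    return "Windows Registry Editor Version 5.00\r\n" + "".join(fmt.format(**p) for p in policies)
```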

Note

If you are deploying Office to both Windows 2000 and Windows XP operating systems, use of the system.adm template when creating a policy file requires special handling in the Active Directory implementation of policies on a corporate network. The Windows 2000 and Windows XP versions of the template cannot be used interchangeably.

If you want to propagate policy registry entries at the time of deployment, it is possible to include the registry entries in the Add/Remove Registry Entries page of the Custom Installation Wizard, and they will be stored in the transform. However, management of the policies after distribution in this method is much more difficult than using Active Directory or distributing the POL file from the domain controller during logon.

Note

Unlike previous releases of Office, the System Policy Editor is no longer supported. Also, posting of a policy file created by the System Policy Editor is no longer supported since the Group Policy snap-in does not create a POL file that can combine both the HKLM and HKCU portions of the registry into one POL file. Only Active Directory implementations of policy files are supported for Office 2003.




Microsoft Office 2003 Resource Kit 2003
Microsoft Office 2003 Editions Resource Kit (Pro-Resource Kit)
ISBN: 0735618801
EAN: 2147483647
Year: 2004
Pages: 196
