| Author | Messages | |
MaryWinter
Posts:45
 | | 09/20/2010 1:18 PM |
| Hello List, You have been a great help the last month or so. I'm hoping you have some ideas for me. My company purchased Office Pro 2010 and I am setting up policy now. We are updating from 2003 and XP SP3 to Windows 7 and Office 2010. There are many more Office settings! There are exes that the managers do not want people to use. So far I've found that I cannot lock down the Office 14 directory using Security Settings\File System. I looked into Software Restriction but it seems daunting. We have around 2000 apps, so I wouldn't want to do a whitelist. Has anyone done this before? I have about 3 exes that I do not want the clients to see or be able to run. If I can't figure out how to do it with group policy I will use xcacls. However, we would prefer group policy and its centralization. Thanks for any help you can provide.
Mary Winter
| | | |
| gpbaby
Posts:7
 | | 09/20/2010 1:35 PM |
| Hi Mary, You may try to create registry keys under "Image File Execution Options" for those exes and set the debugger to nothing.
Create entries named after the exes in the path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
and create a key named Debugger, leaving the value empty.
http://blogs.msdn.com/b/greggm/archive/2005/02/21/377663.aspx http://blogs.msdn.com/b/junfeng/archive/2004/04/28/121871.aspx
Regards, Gowri Kumar
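The key gpbaby points at can be audited as well as written. The PowerShell below is an added example, not code from the thread or from the linked blog posts: it lists every image name under the Image File Execution Options key that carries a Debugger value, so an administrator can confirm that only the intended executables are redirected and that nothing else has been added. The names in $expected are assumptions (OneNote is the only application named in the thread); the key path is the one the post gives, with the full "Options" suffix. The same Debugger value is a well-known persistence location, so an entry that is not on the expected list is worth investigating rather than ignoring.

```powershell
# Added example (not from the thread): audit IFEO Debugger entries on this machine.
# Requires an elevated prompt only if the key has been restricted; reading is normally allowed.
$ifeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Image names the administrator intends to block (assumed for illustration).
# IFEO matches on the bare file name, so an entry applies to every executable with that
# name regardless of its path; choose names that are unique to the product being restricted.
$expected = @('ONENOTE.EXE', 'OTHER-BLOCKED-EXE-PLACEHOLDER.EXE')

function Get-IfeoDebuggers {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $Expected
    )

    Get-ChildItem -Path $Path | ForEach-Object {
        # A subkey with no Debugger value is an error for Get-ItemProperty; swallow it.
        $props = Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue
        if ($null -ne $props) {
            [pscustomobject]@{
                Image    = $_.PSChildName
                Debugger = $props.Debugger          # empty string means "redirected to nothing"
                Expected = $Expected -contains $_.PSChildName   # -contains is case-insensitive
            }
        }
    }
}

# Report: unexpected entries first, so they are the first thing on screen.
Get-IfeoDebuggers -Path $ifeoPath -Expected $expected |
    Sort-Object Expected, Image |
    Format-Table -AutoSize
```

Run it on a pilot workstation after the policy has applied, and again as part of the periodic build checks; the Expected column turning False for a new image name is the signal to look at. The function returns objects rather than text, so the same call can be piped to Export-Csv for a fleet-wide comparison.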
| | | |
| Shanzao
Posts:45
 | | 09/20/2010 1:35 PM |
| Hi Mary,
I have done a few Software Distribution projects and many upgrade projects. This sounds like you are doing a desktop refresh, so a couple of questions: Are you using any software distribution tools, such as SCCM, Unicenter etc., or are you using AD for the complete control of over 2000 applications? When you say many more exes, are you speaking about securing just Office or various applications? Are you looking at securing the new settings in W2K7 as well? When you say xcacls, do you mean deploying a script to run this against all clients, securing the NTFS permissions on the executables?
Cheers,
Sean
This email originates from AXA Technology Services UK Limited (reg. no. 1854856) which has its registered office at 5 Old Broad Street, London EC2N 1AD, England.
This message and any files transmitted with it are confidential and intended solely for the individual or entity to whom they are addressed. If you have received this in error, you should not disseminate or copy this email. Please notify the sender immediately and delete this email from your system.
Please also note that any opinions presented in this email are solely those of the author and do not necessarily represent those of The AXA UK Plc Group.
Email transmission cannot be guaranteed to be secure, or error free as information could be intercepted, corrupted, lost, destroyed, late in arriving or incomplete as a result of the transmission process. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of email transmission.
Finally, the recipient should check this email and any attachments for viruses. The AXA UK Plc Group accept no liability for any damage caused by any virus transmitted by this email.
| | | |
| dethmag
Posts:1
 | | 09/20/2010 1:37 PM |
| Hey, if you are running Windows 7 and probably Windows Server 2008, you have something like AppLocker, which is the new tool, better than SRP, and within it you can lock different versions of Office, a whole publisher's content and desired apps.
| | | |
| MaryWinter
Posts:45
 | | 09/20/2010 1:51 PM |
| No, we do not have an enterprise license, so we do not have AppLocker. ;-(
~ Mary ~
| | | |
| MaryWinter
Posts:45
 | | 09/20/2010 1:59 PM |
| Hi Sean, I am also creating the policy for Windows 7 workstations. For the most part I am done with that except for an RDP issue.
~ Mary ~
| | | |
| Shanzao
Posts:45
 | | 09/20/2010 2:01 PM |
| Ok,
There are a couple of things you could do here. If you are going to deploy Office via CAE, the normal method would be to create an MSI with a transform that would create a custom package, so that all the work is done prior to deployment; this would be my preferred method, however, this is assuming that you have an onsite packaging team... The alternative would be to use either preferences or GPO restriction policies to remove the file or access to the files.
There are other ways to do this, but I like to try and keep it simple.
Sean
From: Winter.Mary, Sent: 20 September 2010 13:52, Subject: RE: [gptalk] lockdown exes
Hi Sean, We have HP's CAE formerly known as Radia. I have done xcacls before but it would not be my preferred way to go. Radia could deploy the script. I'm only looking to lock down the 3 Office exes at this point.
~ Mary ~
| | | |
| Shanzao
Posts:45
 | | 09/20/2010 2:07 PM |
| What's the RDP issue? I'm sure one of us could help.
| | | |
| MaryWinter
Posts:45
 | | 09/20/2010 2:15 PM |
| Thanks Sean, Yes, we have a full packaging team but the current idea is that we may want clients to be able to use the exes in the future. So they want to deploy all of Office and have me deal with it. ;-)
So if I use a GPO restriction policy, we are talking about the Software Restriction under Computer Config\Policies\Windows Settings\Security Settings, correct? For instance, for OneNote, would I create the hash rule or could I find one online that is more authentic? According to the MS KB http://technet.microsoft.com/en-us/library/cc739214(WS.10).aspx I need access control lists in addition to the policy. Do you agree?
~ Mary ~
| | | |
| MaryWinter
Posts:45
 | | 09/20/2010 2:32 PM |
| Sean, If I use preferences, doesn't that mean that the client could prefer to use the exe? I thought preferences were settings that the client could change if they want to.
~ Mary ~
| | | |
| Shanzao
Posts:45
 | | 09/20/2010 2:38 PM |
| The packaging team could create a couple of procedures that have different options, allowing the software to be fully controlled from within the "software" application. The first MST could be tailored to not install OneNote, then another could be created to install it. This would be best practice for software control and would simplify your bit ;-)
With Software Restriction the securest way is to use a hash rule, as this will be for the complete setup. The only issue I have found with hash rules is when updates are applied to machines. Sometimes these executables change, leaving you with an ongoing management issue, so if this route were to be taken then considerations will have to be put in place. The use of access control lists is indeed recommended for further security protection, very much like the use of xcacls you mentioned previously.
When I mentioned preferences, you can actually delete files; however, you made it clear that this needs to be permanent, so a delete would need to be followed by a copy to return the files (messy way).
| | | |
| MaryWinter
Posts:45
 | | 09/20/2010 2:40 PM |
| Thanks for your input. I plan to consult with the packaging team.
~ Mary ~
________________________________ From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: Monday, September 20, 2010 8:36 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] lockdown exes
The packaging team could create a couple of procedures that have different options, allowing the software to be fully controlled from within the "software" application. The first MST could be tailored to not install OneNote, then another could be created to install it. This would be best practice for software control and simplify your bit ;-)
With Software Restriction the securest way is to use a Hash rule, as this will be for the complete setup. The only issue I have found with hash rules is when updates are applied to machines: sometimes these executables change, leaving you with an ongoing management issue, so if this route were to be taken then considerations will have to be put in place. The use of Access Control Lists is indeed recommended for further security protection, very much like the use of xcacls you mentioned previously.
When I mentioned Preferences, you can actually delete files; however, you made it clear that this needs to be permanent, so a delete would need to be followed by a copy to return the files (messy way).
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Winter.Mary Sent: 20 September 2010 14:13 To: 'xxxxxxxxxxxxxxxx' Subject: RE: [gptalk] lockdown exes
Thanks Sean, Yes, we have a full packaging team but the current idea is that we may want clients to be able to use the exes in the future. So they want to deploy all of Office and have me deal with it. ;-)
So if I use a GPO restriction policy we are talking about the Software Restriction under Computer Config\Policies\Windows Settings\Security Settings correct? For instance on One Note, would I create the hash rule or could I find one online that is more authentic? According to the MS kb http://technet.microsoft.com/en-us/library/cc739214(WS.10).aspx I need access control lists in addition to the policy. Do you agree?
~ Mary ~
| | | |
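The hash-rule caveat Sean raises above (an update replaces the executable and the rule's hash no longer matches) and Mary's question about where the hash should come from both come down to one check: does each deployed hash rule still match the file on disk? The PowerShell below is an added example, not code from the thread or from Microsoft. It reads the Disallowed hash rules Software Restriction Policies has applied to the local machine and recomputes each hash against the corresponding file. The registry layout is the standard Safer\CodeIdentifiers tree (security level 0 is Disallowed); the assumption that a rule's FriendlyName begins with the file name, the $KnownFiles map and the Office14 path are assumptions made for this example.

```powershell
# Added example, not code from the thread or from Microsoft. It audits the Software
# Restriction Policy hash rules Group Policy has applied to this machine against the
# executables they were generated from. A rule whose hash no longer matches the file on
# disk (typically after an Office update replaced the EXE) has silently stopped blocking
# anything, which is the management problem described in the thread.
# Assumptions: the SRP registry layout is the standard Safer\CodeIdentifiers tree (security
# level 0 = Disallowed), a rule's FriendlyName starts with the file name (assumed format,
# e.g. "ONENOTE.EXE (14.0.4760.1000)"), and the $KnownFiles paths are illustrative.

$SaferRoot        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$DisallowedHashes = Join-Path $SaferRoot '0\Hashes'

# HashAlg in the rule is a Windows ALG_ID: CALG_MD5, CALG_SHA1, CALG_SHA_256.
$AlgNames = @{ 0x8003 = 'MD5'; 0x8004 = 'SHA1'; 0x800C = 'SHA256' }

# Admin-supplied map: executable name -> path on a reference workstation (illustrative path).
$KnownFiles = @{
    'ONENOTE.EXE' = 'C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE'
}

function Get-FileHashBytes {
    param([string]$Path, [string]$Algorithm)
    $hasher = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    $stream = [System.IO.File]::OpenRead($Path)
    try { return $hasher.ComputeHash($stream) } finally { $stream.Close() }
}

function Test-SrpHashRule {
    param([string]$RuleKeyPath, [string]$FilePath)
    $rule    = Get-ItemProperty -Path $RuleKeyPath
    $algName = $AlgNames[[int]$rule.HashAlg]
    if (-not $algName -or -not $rule.ItemData) {
        throw "Rule $RuleKeyPath has an unknown HashAlg ($($rule.HashAlg)) or no ItemData"
    }
    $expected = [System.BitConverter]::ToString([byte[]]$rule.ItemData)
    $actual   = [System.BitConverter]::ToString((Get-FileHashBytes -Path $FilePath -Algorithm $algName))
    # SRP also records the file size; a size change alone is enough to break the rule.
    $sizeOk   = ((Get-Item $FilePath).Length -eq [int64]$rule.ItemSize)
    New-Object PSObject -Property @{
        Rule         = Split-Path $RuleKeyPath -Leaf
        Name         = $rule.FriendlyName
        Algorithm    = $algName
        File         = $FilePath
        StillMatches = (($expected -eq $actual) -and $sizeOk)
    }
}

function Invoke-SrpHashAudit {
    if (-not (Test-Path $DisallowedHashes)) {
        Write-Warning "No Disallowed hash rules are applied on this machine"
        return
    }
    foreach ($key in Get-ChildItem -Path $DisallowedHashes) {
        $props   = Get-ItemProperty -Path $key.PSPath
        # Assumed FriendlyName format: the file name followed by the version in parentheses.
        $exeName = ([string]$props.FriendlyName -split ' ')[0].ToUpperInvariant()
        $path    = $KnownFiles[$exeName]
        if (-not $path -or -not (Test-Path $path)) {
            Write-Warning "Rule $($key.PSChildName) ($($props.FriendlyName)): no local file to compare against"
            continue
        }
        Test-SrpHashRule -RuleKeyPath $key.PSPath -FilePath $path
    }
}

Invoke-SrpHashAudit | Format-Table Name, Algorithm, StillMatches, File -AutoSize
```

Run it on a reference workstation after each patch cycle: a rule reporting StillMatches = False no longer blocks the binary now installed and has to be regenerated from the updated file. That is also the answer to "could I find one online": the hash has to be computed from the exact file that is deployed, which is what the policy editor does when you browse to the executable, so a hash from elsewhere only matches if the build is byte-for-byte identical. Because a hash rule can drift like this, the NTFS deny-execute ACL that Sean and the TechNet page both recommend is the control that keeps holding in between.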
| Shanzao
Posts:45
 | | 09/20/2010 3:03 PM |
| Is the entire policy being ignored, or just certain settings?
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Winter.Mary Sent: 20 September 2010 14:19 To: 'xxxxxxxxxxxxxxxx' Subject: RE: [gptalk] lockdown exes
I am trying to keep it to only 1 person on the PC at a time. And regular users should not be able to bump off an Admin. This is the GPO. The Restricted Group for Builtin\Remote Desktop Users is Domain Users.
Windows Components/Remote Desktop Services/Remote Desktop Session Host/Connections
| Policy | Setting | Comment |
| Allow users to connect remotely using Remote Desktop Services | Enabled | |
| Deny logoff of an administrator logged in to the console session | Enabled | |
| Limit number of connections | Enabled | |
| RD Maximum Connections allowed | 1 | |
(Type 999999 for unlimited connections.)
This works fine in XP but I'm thinking there is a setting I'm missing.
~ Mary ~
________________________________ From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: Monday, September 20, 2010 8:06 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] lockdown exes
What's the RDP issue, I'm sure one of us could help 
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Winter.Mary Sent: 20 September 2010 13:59 To: 'xxxxxxxxxxxxxxxx' Subject: RE: [gptalk] lockdown exes
Hi Sean, I am also creating the policy for Windows 7 workstations. For the most part I am done with that except for an RDP issue.
~ Mary ~
| | | |
| MaryWinter
Posts:45
 | | 09/20/2010 3:32 PM |
| No, it seems that anyone can boot an Admin off and we only want another Admin to be able to do that.
~ Mary ~
| | | |
| ignaciorenuncio
Posts:5
 | | 09/20/2010 3:50 PM |
| Apart from AD Software Restriction Policies, more ideas...
Try Trust-No-Exe from BeyondLogic, I used it some time ago. It's free.
http://www.beyondlogic.org/solutions/trust-no-exe/trust-no-exe.htm
It has white and black lists, so it could be an option. It also has options for multiple installs at once.
The bad news: it works with XP; I don't know about Vista/7.
Your paid alternative: Faronics Anti-Executable, the true solution.
Poor man's alternative: password-protect the involved EXEs with a small script in a GPO. Nobody will be able to run them and you can undo it later. Choose a long passphrase.
Before printing, think about your responsibility and commitment to the ENVIRONMENT!
| | | |
| Shanzao
Posts:45
 | | 09/20/2010 3:53 PM |
| Just had a quick look at the .adm info for this and it appears not to be supported on W2K7:
Deny logoff of an administrator logged in to the console session
This policy setting determines whether an administrator attempting to connect remotely to the console of a server can log off an administrator currently logged on to the console. This policy is useful when the currently connected administrator does not want to be logged off by another administrator. If the connected administrator is logged off, any data not previously saved is lost. If you enable this policy setting, logging off the connected administrator is not allowed. If you disable or do not configure this policy setting, logging off the connected administrator is allowed.
Windows XP Professional or Windows Server 2003 only
| | | |
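Shanzao's check above (reading the policy template's supported-on information before trusting a setting on a new OS) can be scripted against the ADMX definitions Windows 7 actually uses: every policy element carries a supportedOn reference naming the OS range it applies to. The block below is an added example, not code from the thread or from Microsoft. It lists each policy's supportedOn reference from a constructed sample ADMX whose policy names, registry keys and value names are hypothetical, and flags references that name only XP/2003. The LegacyOnly test is a heuristic on the reference name; the authoritative wording is the matching supportedOn definition in Windows.admx and its display string in Windows.adml.

```powershell
# Added example, not code from the thread or from Microsoft. It reads the <supportedOn>
# reference of every <policy> in an ADMX file so a setting that only applies to XP/2003
# is caught before a Windows 7 GPO relies on it. The sample ADMX below is CONSTRUCTED for
# this example; its policy names, keys and value names are hypothetical.

$SampleAdmx = @'
<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions" revision="1.0" schemaVersion="1.0">
  <policies>
    <policy name="Example_DenyAdminLogoff" class="Machine" displayName="$(string.Example_DenyAdminLogoff)"
            key="SOFTWARE\Policies\Example\Terminal Services" valueName="ExampleDenyAdminLogoff">
      <parentCategory ref="Example_Connections" />
      <supportedOn ref="windows:SUPPORTED_WindowsXP_2003" />
    </policy>
    <policy name="Example_MaxConnections" class="Machine" displayName="$(string.Example_MaxConnections)"
            key="SOFTWARE\Policies\Example\Terminal Services" valueName="ExampleMaxInstanceCount">
      <parentCategory ref="Example_Connections" />
      <supportedOn ref="windows:SUPPORTED_Windows7" />
    </policy>
  </policies>
</policyDefinitions>
'@

function Get-AdmxPolicySupport {
    param([xml]$Admx)
    # ADMX uses a default namespace, so XPath needs an explicit prefix for it.
    $ns = New-Object System.Xml.XmlNamespaceManager($Admx.NameTable)
    $ns.AddNamespace('pd', 'http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions')
    foreach ($policy in $Admx.SelectNodes('//pd:policy', $ns)) {
        $support = $policy.SelectSingleNode('pd:supportedOn', $ns)
        $ref = if ($support) { $support.GetAttribute('ref') } else { '(none)' }
        New-Object PSObject -Property @{
            Policy      = $policy.GetAttribute('name')
            Class       = $policy.GetAttribute('class')
            RegistryKey = $policy.GetAttribute('key')
            ValueName   = $policy.GetAttribute('valueName')
            SupportedOn = $ref
            # Heuristic on the reference name only; the authoritative wording is the
            # supportedOn definition in Windows.admx and its string in Windows.adml.
            LegacyOnly  = ($ref -match 'XP|2003') -and ($ref -notmatch 'Vista|Windows7|2008')
        }
    }
}

Get-AdmxPolicySupport -Admx ([xml]$SampleAdmx) | Format-Table Policy, SupportedOn, LegacyOnly -AutoSize

# Against the real definitions on a Windows 7 machine (TerminalServer.admx holds the
# Remote Desktop Services policies), keeping only the settings that will not apply there:
# Get-AdmxPolicySupport -Admx ([xml](Get-Content "$env:SystemRoot\PolicyDefinitions\TerminalServer.admx")) |
#     Where-Object { $_.LegacyOnly } | Format-Table Policy, SupportedOn -AutoSize
```

A policy that comes back LegacyOnly is exactly the case in this thread: the GPO reports the setting as Enabled, but the Windows 7 client ignores the registry value it writes, so the behaviour seen on XP does not carry over and the protection has to come from a setting the new OS actually honours.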
| MaryWinter
Posts:45
 | | 09/20/2010 3:55 PM |
| Thanks Sean. Have a great day.
~ Mary ~
________________________________ From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: Monday, September 20, 2010 9:51 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] lockdown exes
Just had a quick look at the .adm info for this and it appears not to be supported on W2K7
Deny logoff of an administrator logged in to the console session
This policy setting determines whether an administrator attempting to connect remotely to the console of a server can log off an administrator currently logged on to the console. This policy is useful when the currently connected administrator does not want to be logged off by another administrator. If the connected administrator is logged off, any data not previously saved is lost. If you enable this policy setting, logging off the connected administrator is not allowed. If you disable or do not configure this policy setting, logging off the connected administrator is allowed.
Windows XP Professional or Windows Server 2003 only
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Winter.Mary Sent: 20 September 2010 15:31 To: 'xxxxxxxxxxxxxxxx' Subject: RE: [gptalk] lockdown exes
No, it seems that anyone can boot an Admin off and we only want another Admin to be able to do that.
~ Mary ~
________________________________ From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: Monday, September 20, 2010 9:03 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] lockdown exes
Is the entire policy being ignored, or just certain settings?
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Winter.Mary Sent: 20 September 2010 14:19 To: 'xxxxxxxxxxxxxxxx' Subject: RE: [gptalk] lockdown exes
I am trying to keep it to only 1 person on the PC at a time. And regular users should not be able to bump off an Admin. This is the GPO. The Restricted Group for Builtin\Remote Desktop Users is Domain Users.
Windows Components/Remote Desktop Services/Remote Desktop Session Host/Connections
| Policy | Setting | Comment |
| Allow users to connect remotely using Remote Desktop Services | Enabled | |
| Deny logoff of an administrator logged in to the console session | Enabled | |
| Limit number of connections | Enabled | |
RD Maximum Connections allowed: 1
Type 999999 for unlimited connections.
This works fine in XP but I'm thinking there is a setting I'm missing.
~ Mary ~
________________________________ From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: Monday, September 20, 2010 8:06 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] lockdown exes
What's the RDP issue, I'm sure one of us could help 
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Winter.Mary Sent: 20 September 2010 13:59 To: 'xxxxxxxxxxxxxxxx' Subject: RE: [gptalk] lockdown exes
Hi Sean, I am also creating the policy for Windows 7 workstations. For the most part I am done with that except for an RDP issue.
~ Mary ~
________________________________ From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: Monday, September 20, 2010 7:34 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] lockdown exes
Hi Mary,
I have done a few Software Distribution projects and many upgrade projects. This sounds like you are doing a desktop refresh, so a couple of questions: Are you using any software distribution tools, such as SCCM, Unicenter etc., or are you using AD for the complete control of over 2000 applications? When you say many more exes, are you speaking about securing just Office or various applications? Are you looking at securing the new settings in W2K7 as well? When you say xcacls, do you mean deploying a script to run this against all clients, securing the NTFS permissions to executables?
Cheers,
Sean
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Winter.Mary Sent: 20 September 2010 13:16 To: 'xxxxxxxxxxxxxxxx' Subject: [gptalk] lockdown exes
Hello List, You have been a great help the last month or so. I'm hoping you have some ideas for me. My company purchased Office Pro 2010 and I am setting up policy now. We are updating from 2003 and XPsp3 to Windows 7 and Office 2010. There are many more Office settings! There are exes that the managers do not want people to use. So far I've found that I cannot lockdown the Office 14 directory using Security Settings\File System. I looked into Software Restriction but it seems daunting. We have around 2000 apps so I wouldn't want to do a white list. Has anyone done this before? I have about 3 exes that I do not want the clients to see or be able to run. If I can't figure out how to do it with group policy I will use xcacls. However, we would prefer group policy and its centralization. Thanks for any help you can provide.
Mary Winter
This email originates from AXA Technology Services UK Limited (reg. no. 1854856) which has its registered office at 5 Old Broad Street, London EC2N 1AD, England.
This message and any files transmitted with it are confidential and intended solely for the individual or entity to whom they are addressed. If you have received this in error, you should not disseminate or copy this email. Please notify the sender immediately and delete this email from your system.
Please also note that any opinions presented in this email are solely those of the author and do not necessarily represent those of The AXA UK Plc Group.
Email transmission cannot be guaranteed to be secure, or error free as information could be intercepted, corrupted, lost, destroyed, late in arriving or incomplete as a result of the transmission process. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of email transmission.
Finally, the recipient should check this email and any attachments for viruses. The AXA UK Plc Group accept no liability for any damage caused by any virus transmitted by this email.
| | | |
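The NTFS route Sean asks about (xcacls against the executables), as an added example that is not code from the thread or from any of its participants: it puts an explicit Deny ACE for the ExecuteFile right on a short list of executables for one AD group, using Get-Acl/Set-Acl instead of xcacls, and reports whether the ACE is present. Run as a GPO computer startup script it stays centralized. The install directory, the three file names and the group name are assumptions and placeholders, not values from the thread.

```powershell
# Added example, not code from the thread: Deny-Execute ACE for one AD group on
# a short list of executables, plus a check that reports the resulting state.
$OfficeDir   = 'C:\Program Files\Microsoft Office\Office14'          # assumed install path
$BlockedExes = @('BLOCKED-1.EXE', 'BLOCKED-2.EXE', 'BLOCKED-3.EXE')  # placeholder names
$DenyGroup   = 'CONTOSO\Office-Restricted-Users'                      # assumed AD group

function Test-DenyExecuteAce {
    # True when an explicit Deny ACE for $Identity includes the ExecuteFile right.
    param([string]$Path, [string]$Identity)
    $exec = [int][System.Security.AccessControl.FileSystemRights]::ExecuteFile
    $acl  = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Deny' -and
            $ace.IdentityReference.Value -eq $Identity -and
            (([int]$ace.FileSystemRights -band $exec) -ne 0)) { return $true }
    }
    return $false
}

function Add-DenyExecuteAce {
    # Adds the Deny ACE without touching the entries already on the file.
    param([string]$Path, [string]$Identity)
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, 'ExecuteFile', 'Deny'
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

foreach ($exe in $BlockedExes) {
    $full = Join-Path -Path $OfficeDir -ChildPath $exe
    if (-not (Test-Path -Path $full)) { Write-Warning "Not found: $full"; continue }
    if (-not (Test-DenyExecuteAce -Path $full -Identity $DenyGroup)) {
        Add-DenyExecuteAce -Path $full -Identity $DenyGroup
    }
    # One row per file: DenyExecute should read True after the run.
    New-Object -TypeName PSObject -Property @{
        File        = $full
        DenyExecute = (Test-DenyExecuteAce -Path $full -Identity $DenyGroup)
    }
}
```

Two things to keep in mind with this approach: a Deny ACE wins over any Allow ACE for the same file, so every member of the group is blocked, administrators included, which is why the example targets a dedicated group rather than Domain Users; and denying ExecuteFile stops the program from starting but does not by itself hide the file in a directory listing, which depends on the folder's permissions.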
| MaryWinter
Posts:45
 | | 09/20/2010 4:17 PM |
| Sean, This setting is in the ADMX and it says Requirements: At Least Windows XP and Windows Server 2003 only. I thought that "At Least" meant it would work on all newer versions as well. This policy setting determines whether an administrator attempting to connect remotely to the console of a server can log off an administrator currently logged on to the console. This policy is useful when the currently connected administrator does not want to be logged off by another administrator. If the connected administrator is logged off, any data not previously saved is lost. If you enable this policy setting, logging off the connected administrator is not allowed. If you disable or do not configure this policy setting, logging off the connected administrator is allowed. Note: The console session is also known as Session 0. Console access can be obtained by using the /console switch from Remote Desktop Connection in the computer field name or from the command line.
It is somewhat confusing because the settings refer to a server and I'm creating this for workstations.
~ Mary ~
| | | |
| Shanzao
Posts:45
 | | 09/20/2010 4:26 PM |
| Yes that is exactly what I thought... when looking via gpmc.msc the setting says "at least" and then finishes with "Only", a slight contradiction of words.
The documentation below shows it as only...
http://technet.microsoft.com/en-us/library/cc731606(WS.10).aspx
If you look at all of the other settings they are worded differently... Maybe try looking for the following registry key, just in case it is worded incorrectly?
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableForcibleLogoff
Sean
| | | |
| MaryWinter
Posts:45
 | | 09/20/2010 4:47 PM |
| Unfortunately this regkey is either on or off (1 or 0). I want administrators to be able to force off an admin that say, went on vacation but stayed logged in. But I do not want regular users to be able to do this, only administrators.
~ Mary ~
| | | |
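Sean's suggestion to look for the registry value behind the policy, carried through as an added example that is not code from the thread or from its participants: it reads the policy values written under the Terminal Services policy key for the three settings in Mary's Connections node, compares them with what her GPO intends (connections allowed, forcible logoff denied, one session), and lists the local Remote Desktop Users group that her Restricted Groups setting populates. The value name fDisableForcibleLogoff is the one Sean quotes; fDenyTSConnections and MaxInstanceCount are, to my knowledge, what the ADMX writes for the other two settings, and should be confirmed against the ADMX on your own system. Run it on the Windows 7 workstation after a gpupdate.

```powershell
# Added example, not code from the thread: audit the Terminal Services policy
# values that the three Connections settings write, and the local RDP group.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Policy display name, the value it writes, and the value the GPO in the thread should produce.
# fDisableForcibleLogoff is from Sean's message; the other two names are assumptions to verify in the ADMX.
$Expected = @(
    @{ Policy = 'Allow users to connect remotely using Remote Desktop Services';    Name = 'fDenyTSConnections';     Want = 0 },
    @{ Policy = 'Deny logoff of an administrator logged in to the console session'; Name = 'fDisableForcibleLogoff'; Want = 1 },
    @{ Policy = 'Limit number of connections';                                      Name = 'MaxInstanceCount';       Want = 1 }
)

function Get-PolicyValue {
    # Returns the DWORD, or $null when the policy has never been written to this machine.
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-RdpLockdown {
    # One row per setting; Applied is False when the value is missing or differs.
    foreach ($e in $Expected) {
        $actual = Get-PolicyValue -Key $PolicyKey -Name $e.Name
        New-Object -TypeName PSObject -Property @{
            Policy   = $e.Policy
            Value    = $e.Name
            Expected = $e.Want
            Actual   = $actual
            Applied  = ($actual -eq $e.Want)
        } | Select-Object Policy, Value, Expected, Actual, Applied
    }
}

function Get-RemoteDesktopUsers {
    # Local group membership through the WinNT provider; no RSAT needed on Windows 7.
    $group = [ADSI]'WinNT://./Remote Desktop Users,group'
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
    }
}

Test-RdpLockdown | Format-Table -AutoSize
Write-Host 'Members of Remote Desktop Users:'
Get-RemoteDesktopUsers
```

What this check can and cannot tell you: a row with Applied = False for fDisableForcibleLogoff means the GPO never reached the machine, which is the case Sean is probing for; a row with Applied = True confirms only that the single DWORD is set. The value is on or off for everyone, exactly as Mary observes, so it cannot by itself express "administrators may force off a session, regular users may not".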