Microsoft® Office XP Resource Kit


Security Settings and Related System Policies

Security is an important subject for today's businesses. The increase in malicious hacking of corporate computers has forced businesses worldwide to develop better methods of protecting their data and systems. As a way to help administrators enable the security features of Microsoft Office XP, Microsoft has created system policies that force the use of security features and are available in the Office10.adm policy template.


Note   Removing registry keys in the HKEY_CURRENT_USER registry branch using the Add/Remove Registry Entries page of the Custom Installation Wizard does not work on Windows Terminal Server. However, adding registry keys using this page works as expected. It is possible to add and remove registry keys in the HKEY_CURRENT_USER registry branch for Windows Terminal Server systems using the Add/Remove Registry Entries page of the Custom Maintenance Wizard.


Security settings can be enforced in one of four registry areas within two branches of the registry — Local Machine (HKLM) and Current User (HKCU).

Local Machine (associated with the Default Computer policy profile in the System Policy Editor)

  • HKLM\Software\Policies\Microsoft\…

  • HKLM\Software\Microsoft\…

Current User (associated with the Default User policy profile in the System Policy Editor)

  • HKCU\Software\Policies\Microsoft\…

  • HKCU\Software\Microsoft\…

The content in this topic covers most of the concerns an administrator will have when viewing the Specify Office Security Settings page of either the Custom Installation Wizard or the Custom Maintenance Wizard. Most of these settings can also be set using a policy when the appropriate ADM template is added to the System Policy Editor or Group Policy snap-in with Microsoft Windows 2000.

Included in this topic are policy settings relevant to maintaining a secure user environment related to the operating system user interface.

Adding Microsoft to the trusted source list

The trusted source list is managed in four possible places within the registry. Policy settings are in the Policies node of the registry and are controlled by using the System Policy Editor. The first two registry key entry examples shown below can be set by using the Specify Office Security Settings page of the Custom Installation Wizard or the Custom Maintenance Wizard. Registry key examples:

HKLM\Software\Microsoft\VBA\Trusted

HKCU\Software\Microsoft\VBA\Trusted

HKLM\Software\Policies\Microsoft\VBA\Trusted

HKCU\Software\Policies\Microsoft\VBA\Trusted

Use of the HKLM key prevents users from modifying the trusted sources list.

Adding recognized value names and data to any of these keys instructs Office to trust or not trust sources. For example, adding Microsoft Corporation nnnn (where nnnn is a year) as a value name instructs Office to trust all sources with a digital signature from Microsoft. It is preferable to use the Specify Office Security Settings page of the Custom Installation Wizard or Custom Maintenance Wizard to propagate your request to trust Microsoft certificates. If the setting must be made manually, you can create a configuration maintenance file (CMW file) with the Custom Maintenance Wizard and then use the Custom Maintenance Wizard Viewer to view the contents of the file and identify the registry data value. You use the listed value name and data to populate the registry setting.

Value Name: Microsoft Corporation nnnn

Data type: REG_BINARY

Value data: (data content provided by wizards)

Setting the value name of the key to "No source will be trusted. - your Administrator" forces Office to not trust any sources. Setting this key disallows the option to let users trust a source. This setting can be controlled by the Custom Installation Wizard and the Custom Maintenance Wizard with the check box Ensure users cannot add trusted sources through Office on the Specify Office Security Settings page.

Value Name: No source will be trusted. - your Administrator

Data type: REG_BINARY

Value data:

(d3,0f,d6,00,91,21,bf,51,7e,60,48,a2,99,ba,25,00,b7,96,08,01)

Use of the HKLM node only allows the use of what is in the list and does not allow users to add entries through the Office user interface (the Custom Installation Wizard and the Custom Maintenance Wizard do not use the HKCU node for this key).

Application Security key

Through the use of the application Security key, you can instruct Office to set macro security for each application or for the trusting of all installed add-ins. The basic key consists of the following, where <APP> can be any or all of the listed applications (Microsoft Word, Microsoft Excel, Microsoft Access, Microsoft PowerPoint):

HKCU\Software\Microsoft\Office\10.0\<APP>\Security

The parallel keys as specified through a policy setting are:

HKLM\Software\Policies\Microsoft\Office\10.0\<APP>\Security

HKCU\Software\Policies\Microsoft\Office\10.0\<APP>\Security

The Specify Office Security Settings page of both the Custom Installation Wizard and the Custom Maintenance Wizard contains the check box Trust all installed add-ins and templates. When this check box is selected, it creates the non-policy version of this key and adds the value DontTrustInstalledFiles to the key. When this policy is set to 1, this registry value instructs the Office application listed in the <APP> portion of the key to trust all currently installed add-ins and templates (and their respective macros) within specific folders created by Office applications. It does not accept all currently installed add-ins and templates on the user's computer, only those installed by specific Microsoft applications. If you use either HKLM or HKCU when setting a registry entry for a policy, you will prevent users from changing the setting.

Value name: DontTrustInstalledFiles

Data type: REG_DWORD

Value data:

0    // Do not trust Installed Files

If you use the Specify Office Security Settings page of either the Custom Maintenance Wizard or the Custom Installation Wizard, and change the Default Security Level for an application, this process is the same as using the Security dialog available through the application's user interface. Use of this key sets the macro security level for each application specified in the <APP> portion of the key to the respective value data listed below.

<APP> = Word, Excel, Access, PowerPoint, Publisher, Outlook

Value name: Level

Data type: REG_DWORD

Value data:

1    // Low

2    // Medium

3    // High

Common Security key

Through the use of the common Security key, you can instruct Office to set ActiveX security for all applications. This key can be set through either the Custom Installation Wizard or the Custom Maintenance Wizard.

HKCU\Software\Microsoft\Common\Security

By using the System Policy Editor, you can set the equivalent key for Office applications.

HKLM\Software\Policies\Microsoft\Common\Security

HKCU\Software\Policies\Microsoft\Common\Security

The value name UFIControls can be set for any of these keys to the following values and respective actions:

Value name: UFIControls

Data type: REG_DWORD

Value Data:

1   // No warning.
2   // No warning (use safe mode if available)
3   // Alert. Do not load any UFI controls.
4   // Alert. Do not load any UFI controls (use safe mode if available)
5   // Prompt the user.
6   // Prompt the user (use safe mode if available)

See documentation on ActiveX control development for information on safe mode for ActiveX controls. Look for the following object and method: IObjectSafetyImpl::SetInterfaceSafetyOptions. The IObjectSafety interface allows a client to retrieve and set an object's safety levels. For example, a Web browser may call IObjectSafety::SetInterfaceSafetyOptions to make a control safe for initialization or safe for scripting.

The use of safe mode for an ActiveX control instructs it to run but not process data. This should force the control to read in the data but not change the data in any way or write it back out. However, not all controls are designed with a safe mode and therefore may process data even though you instructed the control to use safe mode.

Setting the Unsafe ActiveX Initialization combo box to "Initialize using control defaults. User will be warned." in either the Custom Installation Wizard or the Custom Maintenance Wizard adds the UFIControls value to the common security key and adds a data value of 3.

Setting the Unsafe ActiveX Initialization combo box to "Prompt user to use persisted data or control defaults." in either the Custom Installation Wizard or the Custom Maintenance Wizard adds the UFIControls value to the common security key and adds a data value of 5.
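The following audit sketch is an added example and is not part of the Resource Kit. It decodes the Level and UFIControls values described above from registry text in "reg export" form and notes which entries sit outside the Policies node. The sample export is constructed, and the names parse, audit, and ALL_APPS are hypothetical.

```python
import re

# Constructed sample in "reg export" text form (not from a real machine).
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security]
"Level"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Office\10.0\Excel\Security]
"Level"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\PowerPoint\Security]
"Level"=dword:00000002

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Common\Security]
"UFIControls"=dword:00000001
'''

ALL_APPS = "(all apps)"  # label used here for the Common\Security key
# Value meanings as listed on this page.
MEANING = {
    "level": {1: "Low", 2: "Medium", 3: "High"},
    "uficontrols": {1: "No warning", 2: "No warning (safe mode if available)",
                    3: "Alert, do not load", 4: "Alert, do not load (safe mode if available)",
                    5: "Prompt the user", 6: "Prompt the user (safe mode if available)"},
}
KEY_RE = re.compile(
    r"^\[(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\Software\\(Policies\\)?Microsoft\\"
    r"(?:Office\\10\.0\\(\w+)|(Common))\\Security\]$", re.I)
VAL_RE = re.compile(r'^"(Level|UFIControls)"=dword:([0-9a-f]{8})$', re.I)

def parse(reg_text):
    """Yield (hive, is_policy, scope, name, value) for Level and UFIControls entries."""
    key = None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("["):
            m = KEY_RE.match(line)
            key = (m.group(1).upper(), bool(m.group(2)), m.group(3) or ALL_APPS) if m else None
        elif key and (v := VAL_RE.match(line)):
            name = v.group(1).lower()
            # Level belongs to an <APP> key, UFIControls to the Common key.
            if (name == "uficontrols") == (key[2] == ALL_APPS):
                yield (*key, name, int(v.group(2), 16))

def audit(reg_text):
    """Return one finding per entry: location, decoded meaning, and review notes."""
    findings = []
    for hive, is_policy, scope, name, value in parse(reg_text):
        notes = []
        if value not in MEANING[name]:
            notes.append("value not in the documented range")
        if not is_policy:
            notes.append("non-policy key: users can change this setting")
        if name == "level" and value == 1:
            notes.append("macro security is Low")
        if name == "uficontrols" and value in (1, 2):
            notes.append("UFI controls load with no warning")
        findings.append({"hive": hive, "policy": is_policy, "scope": scope, "name": name,
                         "meaning": MEANING[name].get(value, "unknown"), "notes": notes})
    return findings
```

Calling audit(SAMPLE_REG) returns four findings; the Word entry carries two notes because it is both Low and outside the Policies node.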

Configuring security-related system policies

This section includes samples of system policies for security-related configuration options of Office and related applications. Most of these policies do not affect security directly, nor do they directly change Office XP; however, they limit the exposure of critical portions of a network, operating system, or user interface to destructive changes by users. By setting these policies, an administrator can reduce the amount of data users must consider, or reduce the choices users must make while they interact with the system. As a result, productivity can increase by not having to support some features and by streamlining the user interface of the operating system. The policies in this section are available with the listed templates.

It is highly recommended for administrators to examine the policy templates for the operating systems with which their users are working. Several policies provide methods to control and enforce the configuration of the operating system and reduce the probability of a user creating a problem. These policies limit the access of users to features of the operating system they do not need to change.

Windows NT and Windows 2000

The following list of policy templates and system policies highlights some of the more important system policies you can use to limit the user environment in Microsoft Windows NT and Windows 2000 operating systems:

  • common.adm - Shell | Restrictions

  • common.adm - System | Restrictions

  • winnt.adm - Windows NT Shell | Restrictions

Windows 2000–related system policies are also found in the conf.adm and system.adm policy templates.

common.adm - Shell | Restrictions

  • Remove Run command from Start Menu

  • Hide drives in My Computer

  • No "Entire Network" in Network Neighborhood

  • Remove Shut Down command from Start menu

common.adm - System | Restrictions

  • Run only allowed Windows applications

winnt.adm - Windows NT Shell | Restrictions

  • Remove the "Map Network Drive" and "Disconnect Network Drive" options

Windows 2000 only

The following list of policies highlights some of the more important system policies you can use to limit the user environment in the Windows 2000 operating system:

  • system.adm - Administrative | Start Menu & Taskbar

  • system.adm - Administrative | Windows Components | Windows Explorer | Common Open File Dialog

system.adm - Administrative | Start Menu & Taskbar

  • Do not keep history of recently opened documents

system.adm - Administrative | Windows Components | Windows Explorer | Common Open File Dialog

  • Hide the Common Dialog Places Bar

  • Hide Common Dialog Back button

  • Hide the drop-down list of recent files

Sample system policies explained

Provided in this section is an in-depth explanation of the policies presented earlier in this topic. Each explanation provides the registry key, value name, data type, and associated data necessary to enforce the policy.

Remove Run command from Start Menu

When this policy is enabled, Windows 2000 removes Run from the Start menu and disables launching the Run dialog by pressing the Windows Key + R.

If an application has a "run" function that allows users to start a program by typing in its name and path in a dialog, the application disables this functionality when this policy is enabled.

Template: common.adm

Path: Shell | Restrictions

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Value name: NoRun

Data type: REG_DWORD

Value data:

0    // Display the Run option

1    // Do not display the Run option

Hide drives in My Computer

When enabled, this policy removes the icons representing the selected disk drives from My Computer, Windows Explorer, My Network Places, and the Windows common dialogs.

All Office applications hide any of the listed drives when this policy is enabled. This includes any buttons, menu options, icons, or other visual representation of drives in Office applications. This does not preclude the user from accessing drives by manually entering drive letters in dialogs.

Template: common.adm

Path: Shell | Restrictions

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Value name: NoDrives

Data type: REG_DWORD

Value data:

0    // Display drives

1    // Do not display drives

No "Entire Network" in "My Network Places"

When enabled, this policy removes all computers outside of the user's workgroup or local domain from lists of network resources in Windows Explorer and My Network Places.

When this policy is enabled, applications that allow users to browse network resources must limit browsing functionality to a local workgroup or domain.

Template: common.adm

Path: Shell | Restrictions

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Network

Value name: NoEntireNetwork

Data type: REG_DWORD

Value data:

0    // Show

1    // Remove

Remove Shut Down command from Start menu

This policy prevents the user from using the Windows user interface to shut down the system.

When this policy is enabled, applications that enable the user to shut down Windows must disable this capability.

Template: common.adm

Path: Shell | Restrictions

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Value name: NoClose

Data type: REG_DWORD

Value data:

0    // disabled

1    // enabled

Run only allowed Windows Applications

When this policy is enabled, users can only run applications listed in the value data field of this registry key. Applications with the ability to run and start other applications are also restricted to the applications appearing in this value data field.

This restriction does not apply when launching applications via OLE/COM/DCOM. If you use ShellExecuteEx, Windows 2000 will handle this automatically.

The only exception to this restriction is for OLE/DCOM where an installation of Microsoft Internet Explorer is displaying a file in its native format (Word, Excel, etc.) within the browser. Use the executable names (including extension) in the Data field separated by a semicolon.

Template: common.adm

Path: System | Restrictions

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Value name: RestrictRun

Data type: REG_SZ (string)

Value data:

WinWord.exe;Excel.exe;PowerPnt.exe

Remove "Map Network Drive" and "Disconnect Network Drive"

When this policy is enabled, users are prevented from using Windows Explorer and My Network Places to connect to other computers or to close existing connections.

When this policy is enabled, applications do not provide buttons, menu options, icons, or any other visual representation that enable a user to map to or disconnect from network drives.

Template: winnt.adm

Path: Windows NT Shell | Restrictions

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

Value name: NoNetConnectDisconnect

Data type: REG_DWORD

Value data:

0    // Display

1    // Remove

Do not keep history of recently opened documents

When this policy is enabled, the system does not save shortcuts to most recently used (MRU) documents in the Start menu.

When this policy is enabled, applications must not keep any MRU lists.

Template: system.adm

Path: Administrative | Start Menu & Taskbar

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Value name: NoRecentDocsHistory

Data type: REG_DWORD

Value data:

0    // Display shortcuts in MRU list

1    // Do not display shortcuts in MRU list

This policy affects Office applications in the following ways:

  1. Do not show MRU lists while the policy is enabled.

  2. Do not save new entries into MRU lists (freeze the list) while the policy is enabled, which means that after the policy is turned off, the MRU list will not contain any files used while the policy was on, but will contain files used before the policy was enabled.

  3. If there is an MRU option in the Options dialog, it is grayed out while the policy is enabled.

  4. After the policy is turned off, the user MRU settings and the application policy MRU settings are restored to the state before the policy was enabled.

    For example, if the number of MRU files was five (5) before the policy was enabled, it becomes zero (0) when the policy is turned on, and becomes five again when the policy is turned off.

  5. If both the application MRU policy and the system MRU policy are enabled, the system policy setting is used.

Hide Common Dialog Places Bar

The places bar allows users to navigate via the common file open/file close dialog directly to the following locations:

  • History folder

  • Desktop

  • My Documents

  • My Computer

  • My Network Places

When this policy is enabled, Windows 2000 removes the Places Bar from the Windows common dialog.

When this policy is set, applications that provide their own file open/file close dialogs must remove any equivalent functionality from the Places Bar. Applications using the Windows common dialog API automatically comply with this policy.

Template: system.adm

Path: Administrative | Windows Components | Windows Explorer | Common Open File Dialog

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32

Value name: NoPlaceBar

Data type: REG_DWORD

Value data:

0    // Display Places bar

1    // Do not display Places bar

Hide Common Dialog Back button

When this policy is enabled, Windows 2000 removes the Back button from the common dialog, preventing the user from browsing to the previous folder accessed from the dialog.

When this policy is set, applications with their own file open/file close dialogs must remove any Back button functionality from these dialogs. Applications using the Windows common dialog API automatically comply with this policy.

Template: system.adm

Path: Administrative | Windows Components | Windows Explorer | Common Open File Dialog

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32

Value name: NoBackButton

Data type: REG_DWORD

Value data:

0    // Display back button

1    // Do not display back button

Hide the dropdown list of recent files

When this policy is enabled, Windows 2000 removes the MRU list from the common dialog.

When this policy is set, applications with their own file/open dialogs must not display an MRU list in these dialogs. Applications using the Windows common dialog API will automatically comply with this policy.

Template: system.adm

Path: Administrative | Windows Components | Windows Explorer | Common Open File Dialog

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32

Value name: NoFileMru

Data type: REG_DWORD

Value data:

0    // Display MRU list

1    // Do not display MRU list


© 2001 Microsoft Corporation. All rights reserved. Terms of use.