RG03E – Limiting Office component interaction

This article comes from my good colleague Dave Bryant, who recently came across an issue when you want to restrict users from accessing certain parts of Office. This is something you can use the RES Workspace Manager for. If you want to restrict that behavior, you have to go beyond basic AppGuard configuration. From here I’ll turn it over to Dave:

We recently had a customer who wanted to strictly limit access to certain parts of the Office Suite, based on need. For example, if someone is not part of the PowerPoint group, they should not be able to use PowerPoint by any means. In practice this more often applies to Visio, Access or MS Project, as these are usually considered additional apps beyond the basic Word/Excel/PowerPoint/Outlook set.

If you are familiar with RES Workspace Manager already, the task at hand may seem simple enough: do not give access to the Office apps in question and enable Managed Application Security. However, the issue arises when users use the ability to insert Objects. In this example we’ll use PowerPoint, so you don’t have to install extra Office apps to test it for yourself.

What happens is that the calling executable, in this case winword.exe, launches PowerPoint embedded. This does not go through the normal powerpnt.exe. Instead the application’s DLLs are loaded via OLE, so blocking PowerPoint’s main executable has no effect. This is one of the nice ways Office can make your day “interesting” when you try to do something out of the norm with it. Fortunately, having the RES Workspace Manager in your tool belt will make short work of this challenge.

To address it and prevent the launch of embedded apps, we must use File and Folder Security, aka FFS. An important bit to remember about this feature is that it is the only security subsystem of the Workspace Manager that works purely as a blacklist. If you create a rule in FFS for either a file type or a specific folder, all access to it will be disallowed. (Max: For another usage example, have a look at this article.) To use FFS to block the launch of unauthorized Office applications, you must add a special rule as shown below:

When office launches an embedded application, it does so by creating a hidden folder called executablename.exe.local inside of the Microsoft Office\OfficeVersion folder. So in order to block the ability to insert a PowerPoint object in Word for example you would add C:\Program Files\Microsoft Office\Office14\powerpnt.exe.local\* to Files and Folders Security. Once you’ve created the rule, make sure you either set the proper Access Control on the rule, or perhaps move it to a Managed Application, where it makes sense.
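The following PowerShell script is an added example, not part of Dave’s post or of RES Workspace Manager: it audits the OfficeNN folders for the hidden *.exe.local folders described above (evidence that embedded launches have already happened) and prints the FFS rule path to add for each Office app you want to restrict. The Office install roots, the Office* folder wildcard and the app-to-executable mapping are assumptions; adjust them to your environment.

```powershell
# Added example (not from the post): audit Office install folders for the
# hidden <exe>.exe.local folders the post describes, and emit the matching
# RES Workspace Manager FFS rule path for each app you want to restrict.
# Assumptions: Office lives under the default Program Files paths and the
# app/executable mapping below matches your Office version.

$OfficeRoots = @(
    "$env:ProgramFiles\Microsoft Office",
    "${env:ProgramFiles(x86)}\Microsoft Office"
) | Where-Object { $_ -and (Test-Path $_) }

# Executables whose embedded (OLE) launch you want to block; PowerPoint is
# the post's test case, the others are the "additional" apps it mentions.
$RestrictedApps = @{
    PowerPoint = 'powerpnt.exe'
    Visio      = 'visio.exe'
    Access     = 'msaccess.exe'
    Project    = 'winproj.exe'
}

function Get-OfficeFolders {
    # Every OfficeNN folder (Office14 etc.) under each install root.
    foreach ($root in $OfficeRoots) {
        Get-ChildItem -Path $root -Directory -Filter 'Office*' -ErrorAction SilentlyContinue
    }
}

function Get-EmbeddedLaunchEvidence {
    # Lists every *.exe.local folder (hidden, so -Force is required):
    # each one is evidence that an embedded launch has happened on this host.
    Get-OfficeFolders | ForEach-Object {
        Get-ChildItem -Path $_.FullName -Directory -Force -Filter '*.exe.local' -ErrorAction SilentlyContinue
    } | Select-Object FullName, CreationTime,
        @{ n = 'Items'; e = { (Get-ChildItem $_.FullName -Force | Measure-Object).Count } }
}

function Get-FfsRulePath {
    # Builds the FFS rule the post prescribes, e.g.
    # C:\Program Files\Microsoft Office\Office14\powerpnt.exe.local\*
    param([Parameter(Mandatory)][string]$OfficeFolder, [Parameter(Mandatory)][string]$Executable)
    Join-Path $OfficeFolder "$Executable.local\*"
}

# Report evidence found so far, then the rule path to add per restricted app.
Get-EmbeddedLaunchEvidence | Format-Table -AutoSize
foreach ($office in Get-OfficeFolders) {
    foreach ($app in $RestrictedApps.GetEnumerator()) {
        '{0,-10} {1}' -f $app.Key, (Get-FfsRulePath -OfficeFolder $office.FullName -Executable $app.Value)
    }
}
```

Run it once before adding the rules to see which embedded apps users have already launched, and again afterwards to confirm no new *.exe.local folders appear.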

There. Job done. No more users launching embedded apps behind your back!
