Microsoft® Office XP Resource Kit

http://www.microsoft.com/office/ork  

Administering Security

Topics in this chapter
  Protecting Office Documents  
  Running Office in a Secure Environment  
  Office Macro Security Settings  
  Security Settings and Related System Policies  
  Microsoft Office Tools on the Web Security Scenarios  
 

Running Office in a Secure Environment

The Microsoft Windows NT® and Microsoft Windows® 2000 operating systems can provide a secure working environment for multiple users. They do so with permissions: access to individual registry branches, and to folders and files on NTFS-formatted disks attached to the computer, can be restricted so that only designated accounts are able to change them. A system on which such restrictive permissions have been applied is said to be locked down.

In a locked-down configuration, only someone with administrative permissions to the registry and to the system folders on the disk where the operating system resides can change the computer's configuration. Locking these areas so that other users cannot modify them freezes the configuration of the operating system and of the applications running on it, and ensures the same experience for every user of the system.

Microsoft Windows 98 and Microsoft Windows Millennium Edition (Windows Me) do not provide these capabilities because they are single-user operating systems with no file or registry permissions. On those systems an administrator can only freeze user options within Office through system policies. Because nothing in Windows 98 or Windows Me prevents a user from editing the registry or the file system directly, such policies restrict the user interface but are not a security boundary. For more information about setting system policies for Office, see How to Set System Policies.

Locking down a system prevents users from:

  • Installing new software

  • Removing existing software

  • Changing currently configured application settings

  • Replacing system files with other versions

  • Viewing other users' files

The restrictions an administrator imposes can create problems for users whose work requires changes to the configuration of the applications on the computer. Requests to add software or adjust application settings cannot be satisfied by the users themselves, which can cause frustration; the only remedy is for the administrator to review the system configuration and make the necessary changes at scheduled intervals.

Locking down an Office configuration

Administrators can configure the Office installation on a user's computer and restrict user access to menu options. (The same restrictions can also be set with system policies.) If the client computer runs Windows NT 4.0 or Windows 2000, the configuration can additionally be locked down by setting permissions on portions of the registry and on folders or drives. The security design of Windows NT 4.0 and Windows 2000 lets administrators place security and permission settings on the whole registry, or on parts of it, so that users cannot change registry settings. The following registry branches can safely be locked:

  • HKEY_LOCAL_MACHINE (HKLM)

  • HKEY_CLASSES_ROOT (HKCR)

  • HKEY_CURRENT_CONFIG (HKCC)

Locking down the HKEY_USERS or HKEY_CURRENT_USER branches, however, can cause problems for some applications, which write their per-user settings there while running. It should be done only by an experienced administrator, and only after thorough testing of the Office applications on a test computer.

Each customized installation of Office is unique and requires testing, especially if registry branches are going to be locked down. Users can encounter problems when applications they are using try to make changes to a locked portion of the registry.

To lock down the registry on Windows NT 4.0 and Windows 2000, use the Registry Editor, regedt32.exe. Regedt32.exe has no shortcut on the Start menu: click Start, click Run, and type regedt32 in the Open box.

To lock down a branch of the registry with regedt32

  1. Select the registry branch or key you want to lock down.

  2. On the Security menu, click Permissions.

  3. If the computer's Administrators group does not already have Full Control, add an entry granting it Full Control.

  4. Set the permissions for Everyone to Read. Leave the existing SYSTEM entry in place; the operating system and its services run under that account and stop working if it loses access.

  5. Click OK.

Changes to permissions are enforced the moment you click OK. They apply to the key you selected; whether they also replace the permissions on existing subkeys depends on the replace or propagate option in the permissions dialog, so check the permissions of the subkeys you care about afterward.

In Windows 2000, you can also use an access control list (ACL) to lock the Policies subkey in the Windows registry. This prevents users from overriding a policy setting by editing the policy values stored in their own registry hive. See the Group Policy snap-in Help available with Windows 2000 for further information.
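The following script is an added example and is not part of the Office XP Resource Kit. It applies the regedt32 procedure above from Windows PowerShell on a current Windows version (PowerShell does not exist on Windows NT 4.0 or Windows 2000; there, regedt32.exe is the tool). It assumes an elevated session and works on a scratch key, HKLM:\SOFTWARE\LockdownTest, a name chosen for this example, so it can be tried before touching a live branch. Find-WritableRegistryKeys reports which broad principals can still write anywhere under a branch, which is also the check to run against a Policies subkey to confirm ordinary users cannot modify it; Lock-RegistryBranch sets Administrators to Full Control and Everyone to Read while keeping SYSTEM's Full Control.

```powershell
# Added example (not from the Office XP Resource Kit). Requires an elevated
# Windows PowerShell session on a current Windows version.
# HKLM:\SOFTWARE\LockdownTest is a scratch key chosen for this example.

$RR = [System.Security.AccessControl.RegistryRights]

# Any of these rights lets the holder change the key, its values, or its ACL.
$WriteMask = $RR::SetValue -bor $RR::CreateSubKey -bor $RR::Delete -bor
             $RR::ChangePermissions -bor $RR::TakeOwnership

function Find-WritableRegistryKeys {
    # Lists every Allow entry that grants a broad principal write rights on the
    # key at $Path or any key below it. An empty result means the branch is
    # locked down for ordinary users (for example HKLM:\SOFTWARE\Policies).
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$BroadPrincipals = @('Everyone', 'BUILTIN\Users',
            'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    )
    $keys = @(Get-Item -Path $Path) +
            @(Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        try { $acl = Get-Acl -Path $key.PSPath } catch { continue }   # keys we cannot read
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (($ace.RegistryRights -band $WriteMask) -eq 0) { continue }
            [pscustomobject]@{
                Key       = $key.Name
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Lock-RegistryBranch {
    # Applies the resource kit procedure: Administrators keep Full Control and
    # Everyone gets Read. SYSTEM is kept at Full Control because the operating
    # system and its services run under that account. Inheritance from the
    # parent key is cut so the key carries exactly these three entries, and the
    # entries are made inheritable so existing and future subkeys pick them up.
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting; drop inherited entries
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }

    $flags = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $prop  = [System.Security.AccessControl.PropagationFlags]::None
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    foreach ($entry in @(
            @('BUILTIN\Administrators', $RR::FullControl),
            @('NT AUTHORITY\SYSTEM',    $RR::FullControl),
            @('Everyone',               $RR::ReadKey))) {
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
                    $entry[0], $entry[1], $flags, $prop, $allow)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

# Try it on the scratch key first, as the text advises, before locking a live branch.
$Test = 'HKLM:\SOFTWARE\LockdownTest'
New-Item -Path $Test -Force | Out-Null
Find-WritableRegistryKeys -Path $Test   # lists any inherited entry that lets users write
Lock-RegistryBranch -Path $Test
Find-WritableRegistryKeys -Path $Test   # now returns nothing: only Administrators and SYSTEM can write
(Get-Acl -Path $Test).Access | Format-Table IdentityReference, RegistryRights, IsInherited
```

To confirm the result the way a user would experience it, log on (or use runas) as an account that is not in Administrators and attempt to create a value under the key; the write should fail with access denied while reading the key still succeeds. Run Find-WritableRegistryKeys against HKLM:\SOFTWARE\Policies and HKCU:\SOFTWARE\Policies to check that the policy keys themselves are not writable by the users they are meant to constrain.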

Windows NT 4.0 Terminal Server and Windows 2000 Terminal Services

Terminal Services is the term for operating systems that provide remote, multi-user access: several users can log on to the same computer at the same time over remote communication links. Windows NT 4.0 Terminal Server and Windows 2000 Terminal Services are the current operating systems that provide this capability. Because all of these users share one operating system instance, configuration control becomes a problem if every user is allowed to change the computer's configuration at any time.

To avoid these configuration problems, Terminal Services locks down the HKEY_CURRENT_USER (HKCU) and HKEY_LOCAL_MACHINE (HKLM) branches of the registry so that no user except an administrator can change them. This places control of the operating system's configuration with the administrator.

Locking registry branches makes administration of the system more frequent, because users can no longer administer the computer themselves. Review the system and make the necessary changes on a schedule. If you cannot perform this review and maintenance of the Terminal Server, consider removing some of the restrictions, or give one user administrative access so that that person can add or remove software as the other users' needs change. Bear in mind that an administrator on a Terminal Server can reach the sessions and files of every user who logs on to it, so that person must be trusted accordingly.

Outlook and Terminal Services

Of all the Office applications, Microsoft Outlook and Microsoft Solution Designer are the most sensitive to a locked-down configuration. Before implementing changes, administrators must consider how changes to forms, user e-mail profiles, and the use of roaming profiles affect the registry, because each of these requires frequent writes to locked-down portions of it. To let the major features of Outlook work, monitor users' needs with regard to forms and e-mail profiles closely, since both are stored primarily in registry entries, and update the configuration of the system as those needs change.

For more information about configuring Outlook, see Installing in a Terminal Services Environment.


© 2001 Microsoft Corporation. All rights reserved.