[THIN] Re: Restricting application/plugin installs in IE5

  • From: "Braebaum, Neil" <neil.braebaum@xxxxxxxxxxxxxxxxxxxxxxxx>
  • To: "'thin@xxxxxxxxxxxxx'" <thin@xxxxxxxxxxxxx>
  • Date: Fri, 31 Jan 2003 11:20:59 -0000

Rick and Matthew...

What I do for TS environments (it's different for the normal production
desktops - but they're sorta outta my area, anyways) is pretty much ban
ActiveX downloads and installs - the users would never have the permissions
to do the installs, and the controls via browser restrictions wouldn't
permit.

That said, I do have a LOB app that uses released ActiveX controls for part
of the functionality.

What I do is pre-empt the download / install of this (including the digital
certificate), on a per-user basis as part of the login environment for my TS
users (bearing in mind, mandatory profiles).

I guess what I'm suggesting is that there is a middle ground between
allowing, or disallowing ActiveX usage - but I suspect that middle ground
isn't the easiest.

Neil

> -----Original Message-----
> From: Mack, Rick [mailto:RMack@xxxxxxxxxxxxxx] 
> Sent: 31 January 2003 10:41
> To: 'thin@xxxxxxxxxxxxx'
> Subject: [THIN] Re: Restricting application/plugin installs in IE5
> 
> Hi Matthew,
> 
> It's difficult to lock down everything short of getting a 
> third-party product to manage your system, however it's 
> relatively easy to stop known activex controls from loading 
> via IE. It's fairly easy to set IE policies to stop any 
> activex control, but this approach tends to cause political 
> problems because there are actually some useful and desirable 
> activex controls and plugins out there. 
> 
> If you don't want to ban activex control downloads totally, 
> the first thing is to look at technote Q240797, which 
> describes the activex control "kill bit". Ignore the 
> instructions on how to find out the classid of the activex 
> control you want to ban.
> 
> While there is a list of registered activex controls under 
> HKLM\Software\Microsoft\Internet Explorer\ActiveX 
> Compatibility, the various activex controls are presented 
> using their ClassID only, no other clue as to what they represent. 
> 
> However, if you've got a system (can be PC, not server) with 
> the activex controls you want to ban downloaded already, go 
> to "%systemroot%\downloaded program files" or 
> %systemroot%\oocache (depending on O.S. and browser version). 
> Double-clicking on the application activex control 
> objects in this folder will give you the classid of the 
> application (ID:).
> 
> As an example, Shockwave Flash has a classid of 
> {D27CDB6E-AE6D-11CF-96B8-444553540000}. So if I create the 
> key HKLM\Software\Microsoft\Internet Explorer\ActiveX 
> Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000} and add 
> a value "Compatibility Flags", Reg_dword, 0x0000400, that 
> will prevent users from installing flash.
> 
> Another example is the Windows Update Client, 
> {9F1C11AA-197B-4942-BA54-47A8489BB47F}.
> 
> I guess there's no reason why we couldn't compile a fairly 
> complete list of "bannable" activex controls, with even a 
> policy template or regfile to select/deselect them. If only I 
> had time ;-).
> 
> Any takers?
> 
> If you're already stuck with installed activex controls, 
> technote Q154850 tells you how to get rid of them.
> 
> -----Original Message-----
> From: Shaw, Matthew [mailto:Matt.Shaw@xxxxxxxxx]
> Sent: Friday, January 31, 2003 0:09
> To: 'thin@xxxxxxxxxxxxx'
> Subject: [THIN] Restricting application/plugin installs in IE5
> 
> Hey folks,
>  
>     I've been given the task of administering a Windows NT4 
> TSE/Metaframe 1.8 installation with 8 servers, 2 of which are 
> configured for publishing IE5 (seamless). The previous owner 
> did not secure the environment at all and I've been working 
> to improve on the security without impacting the 
> functionality for the users too much. I'm at somewhat of a 
> disadvantage because I'm coming from the UNIX world primarily 
> and am a little flaky with NT4 stuff. 
>  
>     One of my outstanding problems is that of users installing 
> applications and/or plugins via Internet Explorer.  For 
> instance, user goes to www.yahoo.com 
> and installs the Yahoo bar or email plugin. I know that I can 
> partially lock this down with file permissions, but there are 
> always directories that must remain writable for the user. 
> For instance, they have installed this stuff in their profile 
> on the server or in the temp directory. I'm wondering if 
> there's any way to completely lock out the functionality of a 
> user being able to install an application and/or plugin? Does 
> anybody have any pointers to info that would specifically 
> deal with the inherent security problems with publishing IE 
> (seamless or desktop)? 
>  
> I appreciate any help and I apologize in advance if this is a 
> newbie question. Please flame in private (to my email 
> address, not the list) if you must.
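
Rick's kill-bit procedure as an added PowerShell example (this is not code from
the thread or from Microsoft): it sets the 0x400 kill bit for the two CLSIDs
quoted above, ORs the bit into any "Compatibility Flags" value already present
instead of overwriting it, also writes the Wow6432Node copy that 32-bit IE reads
on 64-bit Windows, and lists the ActiveX Compatibility key with each CLSID
resolved to its registered name and server DLL from HKCR\CLSID, which covers the
"no other clue as to what they represent" gap Rick mentions. It assumes an
elevated session on a host with the HKLM: registry provider (so not the NT4 TSE
box itself, where the same values would go into a .reg file or an NT4 policy
template); the function names and the $banned list are mine.

```powershell
# Added example, not from the original thread. Assumes an elevated PowerShell session.
$KillBit = 0x400   # the ActiveX "kill bit" described in Q240797

# Both locations: the native key, and the Wow6432Node key used by 32-bit IE on x64.
$compatKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
) | Where-Object { Test-Path (Split-Path $_ -Parent) }

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($base in $compatKeys) {
        $key = Join-Path $base $Clsid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $current) { $current = 0 }
        # OR the bit in so any other compatibility flags already set survive.
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' `
            -Value ($current -bor $KillBit) -Type DWord
    }
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid, [string]$Base = $compatKeys[0])
    $key = Join-Path $Base $Clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    return (([int]$flags -band $KillBit) -eq $KillBit)
}

function Get-ActiveXKillBitList {
    # Walk the compat key and resolve each CLSID to its friendly name / DLL via HKCR\CLSID.
    param([string]$Base = $compatKeys[0])
    Get-ChildItem -Path $Base | ForEach-Object {
        $clsid  = $_.PSChildName
        $flags  = [int](Get-ItemProperty -Path $_.PSPath -Name 'Compatibility Flags' `
                        -ErrorAction SilentlyContinue).'Compatibility Flags'
        $clsKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        $name   = if (Test-Path $clsKey) { (Get-ItemProperty -Path $clsKey).'(default)' }
                  else { '<not registered on this host>' }
        $dll    = (Get-ItemProperty -Path "$clsKey\InprocServer32" `
                   -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{
            CLSID   = $clsid
            Name    = $name
            Server  = $dll
            Flags   = ('0x{0:X}' -f $flags)
            KillBit = (($flags -band $KillBit) -eq $KillBit)
        }
    }
}

# The two CLSIDs quoted in the thread; extend this list with your own.
$banned = @(
    '{D27CDB6E-AE6D-11CF-96B8-444553540000}'  # Shockwave Flash
    '{9F1C11AA-197B-4942-BA54-47A8489BB47F}'  # Windows Update client (per the message)
)
foreach ($c in $banned) { Set-ActiveXKillBit -Clsid $c }
$banned | ForEach-Object { '{0} killbit={1}' -f $_, (Test-ActiveXKillBit -Clsid $_) }
Get-ActiveXKillBitList | Where-Object KillBit | Format-Table -AutoSize
```

Two caveats worth keeping in mind when using this: the kill bit only stops IE
from instantiating the control, it does not remove an already-installed OCX
(that is what Q154850 in Rick's message is for), and a control that is
re-released under a new CLSID is not covered by the old entry, so the list
needs revisiting when vendors ship new versions.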
