Word 2013 bypassing GPO.
-
I get that HR can't do everything, but IT need not block. HR can do whatever is necessary once it is known that people are doing it.
-
@g-i-jones said in Word 2013 bypassing GPO.:
Hey guys, hope everyone enjoyed their 3 day weekend (if it applies).
I've been polishing up our Group policy the best I've learned how, but I've hit a snag.
I've used User Config>Administrative Templates>System>Don't run specified Windows applications, and adding iexplore.exe as well as firefox.exe in an attempt to completely lock down web access for one of our labs. We had a breach to social media, and now I'm trying to figure out how to patch that hole.
Basically, when using Microsoft Word 2013, you can use the Insert Tab to insert "Online Video". Once inserted, all you have to do is right click the video, and select "open in browser" and even with the previously mentioned GPO in place, it'll open the default browser (Firefox or IE in my case).
I'm looking to disable this in any way that I can, but haven't found anything within the Office 2013 admx files to the likeness of disabling it.
Any experience/ideas on the matter? I'd be okay with completely disabling the insertion of media if need be.
@tim_g said in Word 2013 bypassing GPO.:
If your HR department and the users' supervisors just won't enforce the "no online games/social media" policy, the next best thing to do is to use a proxy... I've had completely excellent success using Squid Proxy. You can set up network devices to run through the proxy.
@coliver said in Word 2013 bypassing GPO.:
Why are you enforcing something HR won't enforce? If HR and their supervisor don't care why do you?
@black3dynamite said in Word 2013 bypassing GPO.:
Would you still consider monitoring and logging? Or don't bother at all?
@tim_g said in Word 2013 bypassing GPO.:
Do whatever HR and supervisors can't do, that helps the company make more money that is in the scope of IT.
@scottalanmiller said in Word 2013 bypassing GPO.:
In most cases, I'd say the opposite. It just wastes resources and encourages people to find workarounds. The actual issue is either IT trying to do something it isn't supposed to do, or being asked to do something that no one actually cares about and does not support. It's a nice theory that it saves money, but in reality I think it normally does the opposite. It makes breaking rules a fun challenge without consequences. It encourages breaking security rules, makes policies unclear, and often makes people less efficient than before. IT as part of the team with HR, great. IT as a replacement to HR, never works out well.

I agree with you completely, but I'm talking real-world here.
He can do what you say, tell HR no, tell his supervisor no, then get fired for not doing it.
Or he can explain that it's HR's responsibility first, and then do it anyways after they don't listen and still ask him to.
I don't know his job role, I'm assuming he's not a supervisor. If he is, then maybe he has some more persuasion power.
-
He knows the situation better than us, and now possesses the knowledge of what he "should" do. And if that doesn't work, he now has advice on how to put together a solution... by proxy server or whatever.
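
A default-deny Squid configuration for a lab like the one discussed in this thread, as an added example that is not from any of the posters. The subnet 10.20.30.0/24, the allowlist file path and port 3128 are assumed placeholder values.

```conf
# /etc/squid/squid.conf (fragment) - constructed example for a locked-down lab.
# Assumed values: lab subnet 10.20.30.0/24, allowlist file path, port 3128.

http_port 3128

# Who the policy applies to: the lab workstations only.
acl lab_net src 10.20.30.0/24

# What the lab may reach: one domain per line in the file; a leading dot
# (".example.edu") also matches subdomains. Anything not listed is refused.
acl lab_allowed dstdomain "/etc/squid/lab_allowed_domains.txt"

# Standard safety ACLs: web ports only, CONNECT tunnels only to HTTPS.
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Rules are evaluated top-down and the first match wins, so the allow
# line must come before the blanket deny for the lab.
http_access allow lab_net lab_allowed
http_access deny lab_net

# Nothing outside the lab may use this proxy.
http_access deny all

# Log every request; refused attempts appear as TCP_DENIED entries.
access_log daemon:/var/log/squid/access.log squid
```

The filter only holds if lab machines cannot reach ports 80 and 443 directly, so direct outbound web traffic from the lab subnet has to be blocked at the firewall. With that in place it no longer matters which program launches the browser, including Word's "open in browser".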
-
@tim_g said in Word 2013 bypassing GPO.:
I agree with you completely, but I'm talking real-world here.
He can do what you say, tell HR no, tell his supervisor no, then get fired for not doing it.
Or he can explain that it's HR's responsibility first, and then do it anyways after they don't listen and still ask him to.
I don't know his job role, I'm assuming he's not a supervisor. If he is, then maybe he has some more persuasion power.
The point is... did HR request this? If so, it's done, he already has a block in place. Did HR not request this, then no need to do it.
It's almost unheard of that HR asks for this kind of thing but doesn't make a policy about it.
-
@black3dynamite said in Word 2013 bypassing GPO.:
Would you still consider monitoring and logging? Or don't bother at all?
If you're mandated by HR and the company to do user activity logging and monitoring sure. But going about doing it on your own without any direction or mandates? That doesn't make a lot of sense.
-
@tim_g said in Word 2013 bypassing GPO.:
I agree with you completely, but I'm talking real-world here.
He can do what you say, tell HR no, tell his supervisor no, then get fired for not doing it.
Or he can explain that it's HR's responsibility first, and then do it anyways after they don't listen and still ask him to.
I don't know his job role, I'm assuming he's not a supervisor. If he is, then maybe he has some more persuasion power.
No one is advocating going against HR or the company. Not sure where that came up. If the company is telling him to monitor and block certain user activity then he has the obligation to do so.
-
@scottalanmiller Going to dust off our Barracuda and give that a go. It's been plugged in but not working like it should have.
As far as HR and reprimanding employees for breaches against policy... my issue isn't with employees, it's with residents. My organization is an academy, so we can't have kids browsing freely during residency. While it's not exactly my job to patch holes and monitor web traffic all day, I did set these labs up by myself, and I hold great pride in things that have my name on them, so I need them to be refined for me. Anything that I can refine to be better, makes me better because I have to learn how to refine it. I'm just trying to learn all I can, guys.
@Tim_G said it best, I know what needs to be done now. Thank you, gentlemen.
-
Just so you know you can also prevent the usage of applications using whitelisting with SRP, but you need to make clear what you want to accomplish. Word and any Office program (such as Note and PowerPoint) will make it to have access to the Internet.
Are you going to use a Barracuda Web Filter appliance for this?
-
@dbeato yes.
-
@g-i-jones I am a Barracuda Spam Filtering Certified Engineer so I would recommend to get to know the Web filtering tool, make sure to have a current subscription.