Run only allowed Windows applications

Guest

I am an administrator on a fairly tightly controlled network. We use the
"Run only allowed Windows applications" option in our Group Policies and then
list all the executables which are permitted. Recently we installed Office
2003 and added, among others, WINWORD.EXE to our list of allowable
applications.

Here's the problem: When I am logged in with the above restrictions (not as
an admin) and click on a hyperlink I receive the following error: "This
Operation has been cancelled due to restrictions in effect on this computer".
This is true for all link types: URL, External Word document, and internal
bookmark. If I change the restriction to allow running any application, the
error goes away and it works fine. This leads me to believe that I need to
add an application to the allowed list.

My question: How do I find out what executable Word is trying to call so
that I can add it to the "Allowed Applications" list?

Any assistance is greatly appreciated
~Greg Price
 
Torgeir Bakken (MVP)

HalosPrice said:
I am an administrator on a fairly tightly controlled network. We use the
"Run only allowed Windows applications" option in our Group Policies and then
list all the executables which are permitted. Recently we installed Office
2003 and added, among others, WINWORD.EXE to our list of allowable
applications.

Here's the problem: When I am logged in with the above restrictions (not as
an admin) and click on a hyperlink I receive the following error: "This
Operation has been cancelled due to restrictions in effect on this computer".
This is true for all link types: URL, External Word document, and internal
bookmark. If I change the restriction to allow running any application, the
error goes away and it works fine. This leads me to believe that I need to
add an application to the allowed list.

My question: How do I find out what executable Word is trying to call so
that I can add it to the "Allowed Applications" list?

Any assistance is greatly appreciated

Hi

For our Office 2000 installation, this is what we put into
the AppSec list:

%ProgramFiles%\Office\excel.exe
%ProgramFiles%\Office\winword.exe
%ProgramFiles%\Office\powerpnt.exe

%ProgramFiles%\Office\BINDER.EXE
%ProgramFiles%\Office\GRAPH9.EXE
%ProgramFiles%\Office\MSO7FTP.EXE
%ProgramFiles%\Office\MSO7FTPA.EXE
%ProgramFiles%\Office\MSO7FTPS.EXE
%ProgramFiles%\Office\MSOHTMED.EXE
%ProgramFiles%\Office\MSQRY32.EXE
%ProgramFiles%\Office\OSA9.EXE
%ProgramFiles%\Office\SETLANG.EXE
%ProgramFiles%\Office\WAVTOASF.EXE

%ProgramFiles%\Office\1033\MSOHELP.EXE
%ProgramFiles%\Office\1033\PROJWIZ.EXE
%ProgramFiles%\Office\Xlators\PPVIEW32.EXE

%ProgramFiles%\Common Files\Microsoft Shared\Artgalry\ARTGALRY.EXE
%ProgramFiles%\Common Files\Microsoft Shared\Artgalry\CAG.EXE
%ProgramFiles%\Common Files\Microsoft Shared\dasetup\dasetup.exe
%ProgramFiles%\Common Files\Microsoft Shared\Equation\EQNEDT32.EXE
%ProgramFiles%\Common Files\Microsoft Shared\MSInfo\MSINFO32.EXE
%ProgramFiles%\Common Files\Microsoft Shared\MSInfo\OFFPROV.EXE
%ProgramFiles%\Common Files\Microsoft Shared\OrgChart\ORGCHART.EXE
%ProgramFiles%\Common Files\Microsoft Shared\PhotoEd\PHOTOED.EXE

%WinDir%\MSAGENT\AGENTSVR.EXE
%WinDir%\System32\PACKAGER.EXE
 
Guest

Well, I checked and all the files you listed are in our allowed executables
list, except for the ones that are not installed on the system, and still no
luck. Any other ideas?

~Greg
 
Torgeir Bakken (MVP)

HalosPrice said:
Well, I checked and all the files you listed are in our allowed
executables list, except for the ones that are not installed on
the system, and still no luck. Any other ideas?

Hi

Enable "Failure attempts" on the Audit Policy "Audit process tracking"
and "Audit object access", and then check the event log after trying
to start Word.


You can also use Filemon from Sysinternals, which does real-time logging
of file accesses, and look for failed operations there.

http://www.sysinternals.com/
 
