Word 2013 bypassing GPO.
- 
 Hey guys, hope everyone enjoyed their 3 day weekend (if it applies). I've been polishing up our Group policy the best I've learned how, but I've hit a snag. I've used User Config>Administrative Templates>System>Don't run specified Windows applications, and adding iexplore.exe as well as firefox.exe in an attempt to completely lock down web access for one of our labs. We had a breach to social media, and now I'm trying to figure out how to patch that hole. Basically, when using Microsoft Word 2013, you can use the Insert Tab to insert "Online Video". Once inserted, all you have to do is right click the video, and select "open in browser" and even with the previously mentioned GPO in place, it'll open the default browser (Firefox or IE in my case). I'm looking to disable this in any way that I can, but haven't found anything within the Office 2013 admx files to the likeness of disabling it. Any experience/ideas on the matter? I'd be okay with completely disabling the insertion of media if need be. 
- 
 @g-i-jones The quick answer is, it's not possible to completely lock people out of Internet Explorer in Windows. It's just too integrated into the system. I can think of 3 other ways right now to bypass that setting through standard Windows utilities. This is going to be a case of getting management to do their jobs, and following procedure in write-ups/firings when these things happen. 
- 
 Users are sly creatures. They'll figure out another hole as soon as you plug this one. You may want to try a different solution, like using an ACL at the network level that closes off access to the various social media sites that you want to block. You can also do this at a DNS level (there's a lot of existing threads on this, and just as many how-to articles). While some users may be savvy enough to get around the DNS block, it wouldn't be easy for them to look up and apply all the IPs for a whole page in facebook since they use so many servers/balancers for various functions. If you go with a 2-prong approach, you could lock it all down pretty effectively by doing the network ACLs and the DNS. I believe there are also some FAQs on what IPs to block for all of the different social media sites so you could make a new network config fairly quickly. As for the DNS solution, check out https://pi-hole.net/. 
- 
 The only correct approach is via HR. IT should only be involved in reporting HR breaches, not in plugging holes. That said, a far better way to plug this hole is to block the sites on the network, not via GPO. GPO is not very useful for security and Windows itself has so many ways to work around any block. 
- 
 @g-i-jones said in Word 2013 bypassing GPO.:
 > Hey guys, hope everyone enjoyed their 3 day weekend (if it applies). I've been polishing up our Group policy the best I've learned how, but I've hit a snag. I've used User Config>Administrative Templates>System>Don't run specified Windows applications, and adding iexplore.exe as well as firefox.exe in an attempt to completely lock down web access for one of our labs. We had a breach to social media, and now I'm trying to figure out how to patch that hole. Basically, when using Microsoft Word 2013, you can use the Insert Tab to insert "Online Video". Once inserted, all you have to do is right click the video, and select "open in browser" and even with the previously mentioned GPO in place, it'll open the default browser (Firefox or IE in my case). I'm looking to disable this in any way that I can, but haven't found anything within the Office 2013 admx files to the likeness of disabling it. Any experience/ideas on the matter? I'd be okay with completely disabling the insertion of media if need be.

 If your HR department and the users' supervisors just won't enforce the "no online games/social media" policy, the next best thing to do is to use a proxy... I've had completely excellent success using Squid Proxy. You can set up network devices to run through the proxy. 
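
A sketch of the proxy approach suggested above, as an added example that is not part of the original post or anyone's production config. The lab subnet, listening port, log path and allowed domains are assumptions to be replaced with local values.

```conf
# squid.conf fragment (constructed example; all addresses and domains are placeholders)

http_port 3128

# Source ACL: only the lab machines are subject to the restrictive rules below.
acl lab_clients src 10.10.20.0/24

# Standard guard so CONNECT tunnels can only reach TLS ports.
acl SSL_ports port 443
acl CONNECT method CONNECT

# Option A, deny-list: block named sites and allow everything else.
# A leading dot matches the domain and every subdomain, which copes with the
# many hostnames a large site uses better than per-IP rules do.
# Weakness: every site not yet listed stays reachable.
#   acl social dstdomain .facebook.com
#   http_access deny lab_clients social

# Option B, allow-list: the lab may reach only what is listed; all else is denied.
# This fits the stated goal of locking down web access for the lab.
acl lab_allowed dstdomain .example-school.org .example-courseware.com

# http_access rules are evaluated top to bottom; the first match wins.
http_access deny CONNECT !SSL_ports
http_access allow lab_clients lab_allowed
http_access deny lab_clients
http_access deny all

# Keep a record of what was requested and what was denied.
access_log daemon:/var/log/squid/access.log squid

# The proxy only helps if the lab subnet cannot bypass it: the firewall must
# drop direct outbound 80/443 from 10.10.20.0/24, so a browser launched from
# inside Word (or by any other route) still has no path except this proxy.
```

Because the rule is enforced on the network path rather than on the executable name, it applies no matter which program opens the connection.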
- 
 @tim_g said in Word 2013 bypassing GPO.:
 > If your HR department and the users' supervisors just won't enforce the "no online games/social media" policy, the next best thing to do is to use a proxy... I've had completely excellent success using Squid Proxy. You can set up network devices to run through the proxy.

 Why are you enforcing something HR won't enforce? If HR and their supervisor don't care why do you? 
- 
 @coliver said in Word 2013 bypassing GPO.:
 > @tim_g said in Word 2013 bypassing GPO.:
 > > If your HR department and the users' supervisors just won't enforce the "no online games/social media" policy, the next best thing to do is to use a proxy... I've had completely excellent success using Squid Proxy. You can set up network devices to run through the proxy.
 >
 > Why are you enforcing something HR won't enforce? If HR and their supervisor don't care why do you?

 I'm not and I don't. Note the bolded, and especially italicized, text above. ^ 
- 
 @coliver said in Word 2013 bypassing GPO.:
 > Why are you enforcing something HR won't enforce? If HR and their supervisor don't care why do you?

 Would you still consider monitoring and logging? Or don't bother at all? 
- 
 @black3dynamite said in Word 2013 bypassing GPO.:
 > Would you still consider monitoring and logging? Or don't bother at all?

 Do whatever HR and supervisors can't do, that helps the company make more money that is in the scope of IT. 
- 
 @tim_g said in Word 2013 bypassing GPO.:
 > Do whatever HR and supervisors can't do, that helps the company make more money that is in the scope of IT.

 In most cases, I'd say the opposite. It just wastes resources and encourages people to find workarounds. 
The actual issue is either IT trying to do something it isn't supposed to do, or being asked to do something that no one actually cares about and do not support. It's a nice theory that it saves money, but in reality I think it normally does the opposite. It makes breaking rules a fun challenge without consequences. It encourages breaking security rules, makes policies unclear, and often makes people less efficient than before. IT as part of the team with HR, great. IT as a replacement to HR, never works out well. 
- 
 I get that HR can't do everything, but IT need not block. HR can do whatever is necessary once it is known that people are doing it. 
- 
 @scottalanmiller said in Word 2013 bypassing GPO.:
 > In most cases, I'd say the opposite. It just wastes resources and encourages people to find workarounds.
 > The actual issue is either IT trying to do something it isn't supposed to do, or being asked to do something that no one actually cares about and do not support. It's a nice theory that it saves money, but in reality I think it normally does the opposite. It makes breaking rules a fun challenge without consequences. It encourages breaking security rules, makes policies unclear, and often makes people less efficient than before. IT as part of the team with HR, great. IT as a replacement to HR, never works out well.

 I agree with you completely, but I'm talking real-world here. He can do what you say, tell HR no, tell his supervisor no, then get fired for not doing it. Or he can explain that it's HR's responsibility first, and then do it anyways after they don't listen and still ask him to. I don't know his job role, I'm assuming he's not a supervisor. If he is, then maybe he has some more persuasion power. 
- 
 He knows the situation better than us, and now possesses the knowledge of what he "should" do. And if that doesn't work, he now has advice on how to put together a solution... by proxy server or whatever. 
- 
 @tim_g said in Word 2013 bypassing GPO.:
 > I agree with you completely, but I'm talking real-world here. He can do what you say, tell HR no, tell his supervisor no, then get fired for not doing it. Or he can explain that it's HR's responsibility first, and then do it anyways after they don't listen and still ask him to. I don't know his job role, I'm assuming he's not a supervisor. If he is, then maybe he has some more persuasion power.

 The point is... did HR request this? If so, it's done, he already has a block in place. Did HR not request this, then no need to do it. It's almost unheard of that HR asks for this kind of thing but doesn't make a policy about it. 
- 
 @black3dynamite said in Word 2013 bypassing GPO.:
 > Would you still consider monitoring and logging? Or don't bother at all?

 If you're mandated by HR and the company to do user activity logging and monitoring sure. But going about doing it on your own without any direction or mandates? That doesn't make a lot of sense. 
- 
 @tim_g said in Word 2013 bypassing GPO.:
 > I agree with you completely, but I'm talking real-world here. He can do what you say, tell HR no, tell his supervisor no, then get fired for not doing it. Or he can explain that it's HR's responsibility first, and then do it anyways after they don't listen and still ask him to. I don't know his job role, I'm assuming he's not a supervisor. If he is, then maybe he has some more persuasion power.

 No one is advocating going against HR or the company. Not sure where that came up. If the company is telling him to monitor and block certain user activity then he has the obligation to do so. 
- 
 @scottalanmiller Going to dust off our Barracuda and give that a go. It's been plugged in but not working like it should have. As far as HR and reprimanding employees for breaches against policy... my issue isn't with employees, it's with residents. My organization is an academy, so we can't have kids browsing freely during residency. While it's not exactly my job to patch holes and monitor web traffic all day, I did set these labs up by myself, and I hold great pride in things that have my name on them, so I need them to be refined for me. Anything that I can refine to be better, makes me better because I have to learn how to refine it. I'm just trying to learn all I can, guys. @Tim_G said it best, I know what needs to be done now. Thank you, gentlemen. 
- 
 Just so you know you can also prevent the usage of applications using whitelisting with SRP, but you need to make clear what you want to accomplish. Word and any Office program (such as Note and PowerPoint) will make it to have access to Internet. 
 Are you going to use a Barracuda Web Filter appliance for this?
- 
 @dbeato yes. 
- 
 @g-i-jones I am a Barracuda Spam Filtering Certified Engineer, so I would recommend getting to know the Web filtering tool; make sure to have a current subscription. 







