Re: Disabling "Save to FTP" on OFFICE 2000?
From: Javier J (no.mail_at_please.no)
Date: Tue, 08 Feb 2005 11:05:29 +0100
Thanks for a great response to my question...
I answer your points below...
Lanwench [MVP - Exchange] wrote:
> Javier Jarava wrote:
>>The problem is, I'm not afraid of their connectig to an *specific* FTP
>>server. There are several linux servers inside the firewall (and
>>plenty of Windows ones, too), so there are potentially quite a number
>>of FTP servers out there.
> Do they permit anonymous FTP? Who manages these servers?
That's the problem. It only takes one user who is "Local Administrator"
of her computer and a copy of VMWARE to have as many servers as you
wish, with the policies you want.... I'm going to suggest to the client
that they start using Kerberos to avoid the "rogue laptop" problem (as
not all "new" computers would be on the domain), but that means quite a
lot of work on the integration front...
>>Not only that, but there is quite a big
>>number of people with Domain Admins privileges (or the "Adminitrator"
> Well, that's not a very good thing, is it.
No, it isn't. But that's the way things are. I'm trying to reduce that
number to the minimum that is _really_ necesary, but that's a political
battle that it going to take quite long. And first of all, we have to
prove to the client that we know what we're talking about...
>>And, of course, the number of those who are local administrators of
>>their computer is big (and only grows, it never goes down).
> Why on earth is this permitted??
Many reasons, some of them are reasonable (for instance, they use some
legacy apps that won't run properly as non-Admin; yes, they should phase
them out or upgrade, but it's not that easy), but many of them not (ie,
it "cures" many of the user's problems when contacting support, so if a
user is on your hair all day long, they just make him a local admin, and
then the user has no problems with his software. Problem ""solved"").
In this, I have the support of their "systems" dept, who are quite fed
up with network scanners showing up, and similar "Niceties". But it's
not going to be an easy battle.
>> So they
>>could use (for example), VMWARE to install a linux server on a VM, and
>>they'd have a FTP server to connect to.
>>Those are (some) of the reasons I'd like to be able to disable
>>"explorer-like-ftp" from a number of computers...
>>I really hope there is some way to disalbe it "elegantly" that is not
>>"get a fork on the lan card" :)
>>Thanks a lot for any and all help you might offer..
> "There are seldom good technological solutions to behavioral problems" - Ed
How true. But we've been hired to try to plug the holes. Of course,
there is a point when we just say "not possible".... but we _have_ to
show that we've done our duties. Of course, if the proposed solution is
just too cumbersome or too restrictive, they could "take the easy way
out" and just start to limit users' rights and such... Even if that
means dealing with irate users ;)
> Sorry I don't have any further help to offer - I just think you're trying to
> shovel snow during a blizzard. :(
Don't worry. Somebody sent me this link:
that shows the way... I agree with you on the "shoveling snow" alegory.
Thankfully, I only have to keep a tiny corner clean.. And then explain
_what_ should be done to try & clear the rest (or to explain why it's
not possible if they don't change their user behaviour).
Of course, first I have to "clear my corner", and that's when these
questions come in.
Thanks a lot for your time. Any further ideas will be more than
>>Lanwench [MVP - Exchange] wrote:
>>>Javier J wrote:
>>>>Am trying to find a way to disable the "save to ftp location"
>>>>feature found in the "save as" Dialog on OFFICE 2000 Apps. I've
>>>>done some testing using Gropu Policy, but the "disable custom item"
>>>>on the UI only works for the items on the "main" meu bars and such.
>>>>This "feature" is just part of a drop-down box on the main program.
>>>>I guess there has to be a way to prevent users from saving to FTP,
>>>>but I just can't figure out how to do it. Any and all help would be
>>>>more than appreciated.
>>>>Thanks a lot
>>>Perhaps an OT reply:
>>>Where's the ftp server you're afraid they'll save to? A workaround
>>>might be to block the appropriate outbound TCP/UDP ports in your
>>>firewall, so that users cannot use ftp to external servers at all.
>>>If you have an internal FTP server, don't allow anonymous FTP.