Tuesday, April 04, 2006

Block Google Desktop

Many organizations are not so keen on their employees using Google Desktop within their enterprise. I share that apprehension, and I have done a little research into what can and cannot be done to rein in this overly communicative application.

A lot of the credit for being able to control this application must go to Google. I'm not sure if this was the case when it was initially released, but the current Enterprise version of the program includes some great resources. Most importantly, it includes an Administrative Template for Windows Group Policy. If you load this template into a GPO, you can effectively curtail any behavior you deem unsuitable for your network.

For my money, the most important settings in this template are the following:
1. Prohibit Policy-Unaware versions - Prohibits installation and execution of versions of Google Desktop that are unaware of Group Policy.
2. Disable sharing and receiving of web history and documents across computers - Prevent Google Desktop from sharing the user's web history and document contents across the user's different Google Desktop installations, and will also prevent it from receiving such shared items from the user's other machines.
3. Disallow Plug-ins - Prevent installation of Google Desktop plug-ins.

If you put these three policy settings in place, you'll be much better off from a security standpoint than if you do nothing.

If you want to go further, you can take some steps to completely block Google Desktop from running at all. Some suggestions:
4. Prevent Indexing policy settings - There are about 19 different "Prevent indexing of ..." policy settings in the Administrative Template. You can enable some or all of them to prevent that category from being indexed at all. If it's not indexed, it can't be shared, copied, or transmitted to a third party.
5. Software Restriction Policies - You can enable these policies through Group Policy, and choose to disallow the application from running throughout a domain either based on a path rule (C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe) or based on a hash rule, where Windows creates a hash of the current version of the file. (Note, the hash will be rendered obsolete if the version of Google Desktop is updated, but that can be prevented with the following 2 entries)
6. Block Auto-update setting - Another Administrative Template setting; you can choose to block updates to the program. No updates = no additional functionality to worry about blocking.
7. Content Filtering - You could add desktop.google.com to whatever method you use to block access to websites. If your users can't get there, they can't download the installer in the first place.

I'm sure there are other methods that can be used to block Google Desktop, but I've found these to be pretty effective. I must admit, I would probably be doing a lot more administrative acrobatics (such as blocking things through firewall ACLs, or more group policy settings) if Google had not released their Enterprise software. I should also note that it includes an Admin Guide that explains a lot of the features of the program, including all the settings in the Administrative Template file.

While Desktop Search Engines (DSE's) such as Google Desktop do present a risk, that risk can be mitigated, as long as the software company is willing to provide the tools to do so. I think Google is setting a very good example with their Google Desktop for Enterprise option.

I intend to explore other DSE's in the near future. I will post my findings.


Post a Comment

Links to this post:

Create a Link

<< Home