Advice Request How to install Microsoft Teams securely?

Please provide comments and solutions that are helpful to the author of this topic.

Marana

Level 1
Thread author
Verified
Jan 21, 2018
43
I wonder how security conscious organizations (I mean, using e.g. application whitelisting) install and use Teams.

One of the basic security rules has traditionally been to install programs into "system space", i.e. under the Program Files folders which need Admin privileges to write into. However all Teams installation variants that I have come across end up in putting the executable files under the user's Appdata folders where the user has write permissions... :unsure:
 
  • Like
Reactions: Nevi and vtqhtr413

Marana

Level 1
Thread author
Verified
Jan 21, 2018
43
Well... how do you understand the following excerpt from the Teams bulk install instructions?

"How the Microsoft Teams MSI file works - - Whenever a user signs into a new Windows user profile, the installer is launched and a copy of the Teams app is installed in that user's %LocalAppData%\Microsoft\Teams folder"​
 
  • Like
Reactions: Nevi
F

ForgottenSeer 97327

Ok. I see now. It worked for Zoom.. On my wife's laptop it is installed as an Windows App (which should be safe to run with the limited Windows App rights)
 

Marana

Level 1
Thread author
Verified
Jan 21, 2018
43
To answer my own question...

At least the following configuration seems to do the trick in a default deny application whitelisting environment:
  1. Whitelist C:\Users\*\AppData\Local\Microsoft\Teams directory structure within SRP all the way down
  2. Use NVT OSArmor or similar tool and create a Custom Block rule for the same directory structure
  3. Use NVT OSArmor or similar tool and create an Exclusion for the same directory structure for files signed by Microsoft
:)(y)

However... I still find a little bit odd that I was not able to find any proper discussion of this "problem" either here in MWT forums or elsewhere in the internet. Maybe I just did not find the right keywords to search for...

I cannot believe that I'm the only person / we are the only organization who want to use Microsoft Teams securely. :unsure:
 

Andrezj

Level 6
Nov 21, 2022
248
To answer my own question...

At least the following configuration seems to do the trick in a default deny application whitelisting environment:
  1. Whitelist C:\Users\*\AppData\Local\Microsoft\Teams directory structure within SRP all the way down
  2. Use NVT OSArmor or similar tool and create a Custom Block rule for the same directory structure
  3. Use NVT OSArmor or similar tool and create an Exclusion for the same directory structure for files signed by Microsoft
:)(y)

However... I still find a little bit odd that I was not able to find any proper discussion of this "problem" either here in MWT forums or elsewhere in the internet. Maybe I just did not find the right keywords to search for...

I cannot believe that I'm the only person / we are the only organization who want to use Microsoft Teams securely. :unsure:
microsoft runs teams from user appdata, that is against microsoft's own recommendation not to run an application from user space
onedrive runs from appdata too
ntfs permissons grant user to write to their teams profile
teams appdata folder can be added to controlled folder access to prevent writes, then you create teams processes exclusion in controlled folders to write to teams profile
since you are running srp there is little chance malware will run and compromise teams directory
you do not need to whitelist entire teams directory, you whitelist only the full path to the teams processes that must run, this method blocks any malware that might get written to the teams directory
but your combo with osarmor is a good one
 

Marana

Level 1
Thread author
Verified
Jan 21, 2018
43
you do not need to whitelist entire teams directory, you whitelist only the full path to the teams processes that must run, this method blocks any malware that might get written to the teams directory
Yeah, that's the theory... but just try it yourself in practice - and you'll soon realize that you will actually want to whitelist the whole directory structure. ;)
 

Andrezj

Level 6
Nov 21, 2022
248
Yeah, that's the theory... but just try it yourself in practice - and you'll soon realize that you will actually want to whitelist the whole directory structure. ;)
no, it is easy enough to whitelist the filepath to teams.exe and then create allow exceptions using the ^ wildcard in filepaths that contain version numbers for the teams update and temp files, been running teams this way for years without a single problem that i can ever recall
 

Zero Knowledge

Level 20
Verified
Top Poster
Content Creator
Dec 2, 2016
841
Just use the web version, safer and more secure. You get the added protection of the web browsers sandbox plus all the bug fixes that come with each browser version. I don't know much about Teams, but most web chat-based apps are just company specific skinned apps but underneath they are all electron based which has had a lot of security vulnerabilities in the past.
 

Andrezj

Level 6
Nov 21, 2022
248
Yeah, that's the theory... but just try it yourself in practice - and you'll soon realize that you will actually want to whitelist the whole directory structure. ;)
consumer teams = msteams.exe
work or school teams = teams.exe

if you want to run teams only from c:\program files, microsoft already makes this possible using the default teams that is installed with microsoft365\office for consumers

consumer version installed and runs from here,
C:\Program Files\WindowsApps\MicrosoftTeams_22308.1003.1743.8209_x64__8wekyb3d8bbwe\msteams.exe

supporting microsoft utilities for msteams.exe install and run from here,
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\<version_number>\<supporting_utility_name>.exe

updates of msteams.exe might run in appdata and you will have to create allow exceptions then

only work\school (enterprise) teams (teams.exe) version runs from appdata
standalone work or school version of teams is very buggy right now, but if you need centralized administration of teams the only option is teams for work or school
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top