Overview of security in Office 2013
Published: July 16, 2012
Summary: Describes new security features of Office 2013: authentication, identity, Web app catalog and extension, escrow key, and more.
Applies to: Office 2013 | Office 365 ProPlus
Audience: IT Professionals
Office 2013 includes new authentication functionality. Now users create a profile, sign in one time, and then seamlessly work on and access local and cloud Office files without re-identifying themselves. Users can connect multiple services, such as an organization’s SkyDrive or a user’s personal SkyDrive account, to their Office profile. After that, they'll have instant access to all their files and associated storage. Users authenticate one time for all Office apps including SkyDrive. This is true regardless of the identity provider, whether the Microsoft account or the user ID that you use to access Office 365, or the authentication protocol that is used by the app. Protocols include, for example, OAuth, forms based, claims based, and Windows Integrated Authentication. From a user perspective, it all just works. From the IT perspective, these connected services can easily be managed.
This article is part of the Content roadmap for Office 2013 security. Use the roadmap as a starting point for articles, downloads, posters, and videos that help you assess Office 2013 security.
Are you looking for security information about individual Office 2013 applications? You can find this information by searching for “2013 security” on Office.com.
Authentication and Identity in Office 2013
Protection starts with authentication and identity. By using this release, Office makes a fundamental change from computer centered identity and authentication to user centered identity and authentication. This shift enables content, resources, most-recently-used lists, settings, links to communities, and personalization to roam seamlessly with users as they move from desktop, to tablet, to smartphone, or to a shared or public computer. For the IT admin, user audit trails and compliance are also separated by identity.
In this new environment, users sign in to Office 365 by using one of these identities:
Their Microsoft-managed, organization-owned, user ID. For Office 365 business use, where Microsoft hosted enterprise and smaller organization user IDs are stored in the cloud. This scenario also supports multiple linked user IDs and single sign on.
Their federated, org-owned user ID. For Office 365 business use, where enterprise user IDs are stored on premises).
Their Windows Live ID. Typically, users use this identity to sign in to Office 365 for non-business purposes. Users can have multiple Windows Live IDs that are linked and then sign in one time, get authenticated, and then switch from one Windows Live ID to another during the same session. They don't have to be re-authenticated.
From an IT admin’s perspective, Active Directory is at the heart of this new paradigm. IT admins can do the following:
Control user password policies across devices and services
Use Group Policies to configure the operating environment
Manage with Forefront Identity Manager (FIM) or Active Directory Federation Services (ADFS)
The cloud makes it all possible:
User accounts can be cloud-managed by using a web portal Setup is simple. You can provision users manually for greatest control. No servers are required. Microsoft manages all that for you.
Any on-premises directories are Active Directory synchronized to the web portal Provisioning can be automated and can co-exist with the cloud managed accounts.
Users have single-sign-on capability by using ADFS Provisioning can be automated, and multi-factor authentication is supported.
As shown in the following figure, when identity and authentication are handled completely in the cloud without affinity to any on-premises Active Directory store, IT admins can still provision or de-provision IDs and user access to services through a management portal or PowerShell cmdlets.
Figure: Office 365 identity and authentication managed completely in the cloud—without local Active Directory interaction.
The next figure shows identity provisioning by using the Microsoft Online Directory Synchronization service. Authentication is managed in the cloud.
Figure: Identity provisioning populated by using the Microsoft Online Directory Synchronization service. This is cloud managed authentication.
The following figure shows the addition of federated authentication through Active Directory Federation Server 2.0 for large organizations.
Figure: Identity provisioning that is populated by using the Microsoft Online Directory Synchronization service; Active Directory Federation Server 2.0 and cloud managed authentication.
In the user experience, identity is surfaced when the user signs in.
The client user interface At the start of each session, a user can choose to connect either to their personal cloud by using their Microsoft account, or to their on-premises corporate server or Microsoft-managed cloud for services such as Office 365 and for their documents, pictures, or other data.
If a user chooses to connect by using their Windows Live ID, they sign in by using their by using their Microsoft account (formerly called Passport or Windows Live ID) or they can choose to connect by using the user ID they use to access Office 365.
After they are signed in, that user is also free to switch identities at any time from the Backstage of any Office app.
The client infrastructure Behind the scenes, client authentication APIs enable users to sign in and out and switch the active user identity. More APIs keep track of roaming settings (preferences and most-recently-used documents) and the services available to each identity.
Other cloud identity services Users are automatically logged into these native services:
SkyDrive, for a Microsoft account sign on, or SharePoint Online for a corporate identity)
Roaming most-recently-used files and settings
Microsoft account activities
Users can also log on to third-party cloud services after they sign in by using a Microsoft account. For example, if they sign in to LinkedIn or Facebook, the connection will roam with that identity.
Use Group Policy settings to control desktops configurations
With more than 4,000 Group Policy control objects at your disposal, you can use Group Policy to mandate user settings for Office.This means that you can create a range of lightly-managed to highly-restricted desktop configurations for your users. Your Group Policy settings always have precedence over Office Customization Tool (OCT) settings. You can also use Group Policy settings to disable particular file formats that are not secure over the network.
A word about Microsoft Data Centers
The Microsoft Data Center Security Program is risk-based and multi-dimensional. It takes people, processes, and technology into consideration. The Privacy Program makes sure that consistent global standard “high bar” privacy practices are followed for data handling and data transfer. The Microsoft data centers are also physically secure. All 700,000+ square feet and tens of thousands of servers are guarded 24 hours a day, 7 days a week. If there is a power failure, days of ancillary power are available. These data centers are geographically redundant and located in North America, Europe, and Asia.
Office 365 never scans your email messages or documents to build analytics, mine data, advertise, or improve our own service. Your data always belongs completely to you or your company and you can remove it from our data center servers at any time
Office 365 complies with the following important and business essential industry standards:
ISO 27001 certified Office 365 meets or exceeds the rigorous set of physical, logical, process, and management controls defined by ISO/TEC 27001:2005.
EU model clauses Office 365 is compliant with and able to sign standard contractual clauses that relate to the EU model clauses and EU Safe Harbor framework.
HIPAA-Business Associate Agreement Office 365 can sign requirements for HIPAA with all customers. HIPAA governs the use, disclosure, and safeguarding of protected health information.
Catalogs and web Extensions
Office 2013 includes a new extensibility model for Office clients that enables web developers to create apps for Office, which are web extensions that use the power of the web to extend Office clients. An app for Office is a region inside an Office application that contains a web page that can interact with the document to augment content and provide new interactive content types and functionality. apps for Office can be obtained by users from the new Office marketplace or from a private catalog in the form of stand-alone apps or subcomponents of a document template solution, or a SharePoint application.
In the Trust Center, there is a new section titled “Manage Catalogs and Web Extensions.” This gives you the option to control the apps for Office. This includes the following:
Disabling all catalogs, which turns off the apps functionality in Office
Disabling the Office Marketplace catalog
Adding more catalogs to your Trusted Catalog list and to the Insert menu
Requiring catalog server verification by using HTTPS
Reset a document’s password with an escrow key and the new DocRecrypt tool
Office 2013 provides a new escrow key capability. This allows the IT admin of an organization to decrypt password-protected documents by using a private escrow key. For example, if a document was encrypted by using Word, Excel, or PowerPoint and the original owner of the document has either forgotten the password or has left the organization, it would be possible for the IT admin to retrieve the data by using the private escrow key.
The escrow key capability only works with files that are saved and encrypted by using next generation cryptography. This is the default encryption that is used in Office 2010 and Office 2013. If, for compatibility reasons, the default behavior was changed to use the legacy format, escrow key functionality will not be available. For details about this new feature, see Remove or reset file passwords in Office 2013.
Improvements to digital signatures in Office 2013 include the following:
Support for Open Document Format (ODF v1.2) file formats
Enhancements to XAdES (XML Advanced Electronic Signatures)
Support for ODF v1.2 file formats enables people to digitally sign ODF documents in Office 2013 by using invisible digital signatures. These digitally-signed documents do not support signature lines or stamps. In addition, Office 2013 provides digital signature verification of ODF documents that are signed from inside other applications but that are opened in Office 2013.
XAdES improvements in Office 2013 include an improved user experience when creating an XAdES digital signature. Users are given more detailed information about the signature.
Information Rights Management (IRM)
Office 2013 includes a new IRM client, which has a new UI to help simplify identity selection. It also supports automatic service discovery of Rights Management Services (RMS) servers. In addition, Office 2013 has read-only IRM support for Microsoft Office Web Application Companions (WACs). WACs can view IRM-protected documents in a SharePoint library or IRM-protected documents that are attached to messages in Outlook Web Access (OWA).
Office 2013 provides an improved protected view, a “sandbox” technology, when Office 2013 is used with Windows 2012 as the operating system. Office 2013 uses the Windows 2012 AppContainer feature, which provides stronger process isolation and also blocks network access from the sandbox. Protected view was introduced in Office 2010. Protected view helps reduce exploits to computers by opening files in a restricted environment, referred to as a lowbox, so that they can be examined before they are opened for editing in Excel, PowerPoint, or Word.
Office 2013, Designed with security top of mind—from the beginning
At Microsoft, security is considered during every step of the software life-cycle. Every employee who contributes to an Office feature or product is required to take security training and continue to learn as the industry and threats evolve. When designing a feature or product, the team is required to consider user data security and privacy from the beginning, and how threats to these can be reduced by using encryption or authentication or other methods. Their decisions are based on the environment, expected or potential exposure, and data sensitivity. The team performs multiple attack surface reviews and creates an incident response plan before an Office product is ever released.
Microsoft doesn’t just rely on employees to make sure user data is safe. It also uses tools and automated quality assurance tests. These fall into three general categories:
Functional testing where every piece of the user interface is verified to make sure that user input, output, and action is as intended and advertised.
Fuzz testing where large amounts of random or unexpected data are injected into the software to reveal security problems. Fuzz testing was a big part of the Office 2007 release and continues to be with this latest release.
For web applications dynamic or web scanning tools are used to test for potential security bugs like cross-site scripting (XSS) or SQL injection.
The testing never stops. The Microsoft Security Response Center (MSRC) is responsible for handling security issues that are uncovered after a product has released. This team can quickly mobilize and deliver swift fixes to customers.
A quick review of security progress over the last several Office releases
Security controls that were introduced in Office XP, Office 2003, Office 2007, and Office 2010 reduced attacks, improved the user experience, hardened, and reduced the attack surface, and made it easier for IT admins to build a robust defense against threats while maintaining user productivity. Here’s how:
Introduction of the following features has mitigated attacks on Office:
Document flow protection
The following features have improved the user experience:
The Trust Center and message bar, trusted locations, trusted publishers, and sticky trust decisions
Actionable security prompts
Improvements to the Encrypt with Password feature
XML file format support
Office has hardened the attack surface through the following features:
Data Execution Prevention (DEP) support
Group Policy enforcement
Trusted time-stamping support for digital signatures
Domain-based password complexity checking and enforcement
Office has reduced the attack surface through the following features:
Office file validation
Expanded file block settings
ActiveX control security
ActiveX “kill bit”
Integrity checking of encrypted files
Macro security levels
More on file fuzzing
File fuzzing is used to identify previously unknown vulnerabilities in various file formats. The Office team has fuzzed millions of files tens of millions of times and discovered, and fixed, hundreds of vulnerabilities.
More on Data Execution Prevention
This hardware and software technology, which was built into Windows and extended to all Office applications starting with Office 2010, identifies files that attempt to run code in reserved memory. This protection is always on for 64-bit versions, and is configurable by using Group Policy settings in 32-bit versions. If rogue code is detected, the affected application shuts down automatically.
More on Protected View
Protected view, which enables safe viewing of suspicious files, was introduced in Office 2010. Now, with the Windows 2012 AppContainer, which is restricted from network access, process isolation is further improved.