Plan Protected View settings for Office 2013
Published: February 5, 2013
Summary: Explains how to configure Protected View settings in Office 2013.
Applies to: Office | Office 365 ProPlus
Audience: IT Professionals
Change how the sandbox preview feature in Office 2013 behaves by configuring Protected View settings. Protected View is a security feature in Office 2013 that helps reduce exploits to your computer by opening files in a restricted environment so they can be examined before they are opened for editing in Excel 2013, PowerPoint 2013, or Word 2013.
This article is part of the Content roadmap for Office 2013 security. Use the roadmap as a starting point for articles, downloads, posters, and videos that help you assess Office 2013 security.
Are you looking for security information about individual Office 2013 applications? You can find this information by searching for “2013 security” on Office.com.
In this article:
Plan Protected View settings in Office 2013
Protected View helps mitigate several kinds of exploits by opening documents, presentations, and workbooks in a sandbox environment. A sandbox is a piece of computer memory or a specific computer process that is isolated from certain operating system components and applications. Because of this isolation, programs and processes that run in a sandbox environment are considered less dangerous. Sandbox environments are frequently used to test new applications and services that might otherwise make a computer unstable or fail. Sandbox environments are also used to prevent applications and processes from harming a computer.
When a file is opened in Protected View, users can view the file content but they can’t edit, save, or print the file content, or view the details of any digital signatures in the file. Active file content, such as ActiveX controls, add-ins, database connections, hyperlinks, and Visual Basic for Applications (VBA) macros, is not enabled. Users can however, copy content from the file and paste it into another document.
Default behavior of Protected View in Office 2013
By default, Protected View is enabled in Excel 2013, PowerPoint 2013, and Word 2013, but files open in Protected View only under certain conditions. In some cases, files bypass Protected View and are opened for editing. For example, files that are opened from trusted locations and files that are trusted documents bypass several security checks and are not opened in Protected View.
By default, files open in Protected View if any one of the following conditions is true:
A file skips or fails Office File Validation Office File Validation is a security feature that scans files for file format exploits. If Office File Validation detects a possible exploit or some other unsafe file corruption, the file opens in Protected View.
AES zone information determines that a file is not safe Attachment Execution Services (AES) adds zone information to files that are downloaded by Outlook, Internet Explorer, and some other applications. If a file’s zone information indicates that the file originated from an untrusted website or the Internet, the downloaded file opens in Protected View.
A user opens a file in Protected View Users can open files in Protected View by choosing Open in Protected View in the Open dialog box, or by holding down the SHIFT key, choosing a file name, and, from its shortcut menu (right-click), choosing Open in Protected View.
A file is opened from an unsafe location By default, unsafe locations include the user’s Temporary Internet Files folder and the downloaded program files folder. But, you can use Group Policy settings to designate other unsafe locations.
In some cases, Protected View is bypassed even if one or more of the previously listed conditions are met. Specifically, files do not open in Protected View if either of the following is true:
A file is opened from a trusted location.
A file is considered a trusted document.
Change Protected View behavior in Office 2013
We recommend that you do not change the default behavior of Protected View. Protected View is an important part of the layered defense strategy in Office 2013, and is designed to work with other security features such as Office File Validation and File Block. But, we recognize that some organizations might have to change Protected View settings to suit special security requirements. Office 2013 provides several settings that let you change how the Protected View feature behaves. You can use these settings to do the following:
Prevent files that are downloaded from the Internet from opening in Protected View.
Prevent files that are stored in unsafe locations from opening in Protected View.
Prevent attachments opened in Outlook 2013 from opening in Protected View.
Add locations to the list of unsafe locations.
In addition, you can use File Block settings and Office File Validation settings to force files to open in Protected View. For more information, see Force files to open in Protected View in Office 2013 later in this article.
For detailed information about the settings that are discussed in this article, see Security policies and settings in Office 2013 (Node). For information about how to configure security settings in the Office Customization Tool (OCT) and the Office 2013 Administrative Templates, see Configure security by using OCT or Group Policy for Office 2013.
Prevent files from opening in Protected View in Office 2013
You can change Protected View settings so that certain files bypass Protected View. To do so, disable the following settings in the Trust Center:
Enable Protected View for files originating from the Internet Disable this setting to force files to bypass Protected View if the AES zone information indicates that the file was downloaded from the Internet zone. This setting applies to files that are downloaded by using Internet Explorer and Outlook.
Enable Protected View for files that are located in potentially unsafe locations Disable this setting to force files to bypass Protected View if the files are opened from an unsafe location. You can add folders to the unsafe locations list by using the Specify list of unsafe locations setting, which is discussed later in this article.
Enable Protected View Outlook attachments Disable this setting to force Excel 2013, PowerPoint 2013, and Word 2013 files that are opened as Outlook 2013 attachments to bypass Protected View.
These settings do not apply if File Block settings force the file to open in Protected View. Also, these settings do not apply if a file fails Office File Validation. You can configure each of these settings on a per-application basis for Excel 2013, PowerPoint 2013, and Word 2013.
Force files to open in Protected View in Office 2013
The File Block and Office File Validation features have settings that let you force files to open in Protected View when certain conditions are met. You can use these settings to determine the circumstances under which files open in Protected View.
Use File Block to force Office 2013 files to open in Protected View
The File Block feature lets you prevent users from opening or saving certain file types. When you use File Block settings to block a file type, you can choose one of three file block actions:
Blocked and not allowed to open.
Blocked and opened only in Protected View (users can’t enable editing).
Blocked and opened in Protected View (users can enable editing).
By selecting the second or third option, you can force blocked file types to open in Protected View. You can configure File Block settings only on a per-application basis for Excel 2013, PowerPoint 2013, and Word 2013. For more information about File Block settings, see Plan file block settings for Office 2013.
Use Office File Validation settings to force Office 2013 files to open in Protected View
Office File Validation is a security feature that scans files for file format exploits before they are opened by an Office 2013 application. By default, files that fail Office File Validation are opened in Protected View and users can enable editing after previewing the file in Protected View. But, you can use the Group Policy Protected View setting Set document behavior if file validation fails to change this default behavior. You can use this setting to select one of two possible options for files that fail Office File Validation:
Block completely Files that fail Office File Validation can’t be opened in Protected View or opened for editing.
Open in Protected View Files that fail Office File Validation are opened in Protected View but users can’t edit the files. This is the default.
By selecting the second option, you can restrict Protected View behavior for files that fail Office File Validation. You can configure this Office File Validation setting only on a per-application basis for Excel 2013, PowerPoint 2013, and Word 2013. For more information about Office File Validation settings, see Plan Office File Validation settings for Office 2013.
Add files to the list of unsafe files
You can use the Specify list of unsafe locations setting to add locations to the unsafe locations list. Files that are opened from unsafe locations are always opened in Protected View. The unsafe locations feature does not prevent users from editing a document. It only forces a document to open in Protected View before it is edited. This is a global setting that applies to Excel 2013, PowerPoint 2013, and Word 2013.
For the latest information about policy settings, refer to the Office 2013 Administrative Template files (ADM, ADMX, ADML) and Office Customization Tool article.