Evaluate default security settings and privacy options for the 2007 Office system
Updated: February 12, 2009
Applies To: Office Resource Kit
This Office product will reach end of support on October 10, 2017. To stay supported, you will need to upgrade. For more information, see , Resources to help you upgrade your Office 2007 servers and clients.
Topic Last Modified: 2016-11-14
The default security and privacy settings in the 2007 Office system can help you to mitigate six main types of security and privacy threats. Some default security settings and privacy options might not be sufficient to mitigate the threats in your organization, and other default settings and options might provide more stringent mitigation than your organization requires. In either case, you might have to modify the default settings and options to suit your organization's security needs and requirements.
To determine whether you need to modify any default settings or options, do the following:
Use your threat evaluation to identify the threats that you need to mitigate in your organization. If you have not already evaluated threats in your organization, see Evaluate security and privacy threats for the 2007 Office system.
Use the guidance provided in this article to evaluate the default settings and options for each threat that is relevant to your organization, and determine whether the default settings and options are adequate for your organization.
If the default settings and options for a given threat are not adequate for your organization, you can then move to the last step of the security planning process, in which you plan security settings and privacy options.
Evaluate default security settings for code and application threats
To determine whether the default settings for mitigating code and application threats are adequate for your organization, you need to evaluate the default settings for the following:
ActiveX controls
Add-ins
Trusted locations
Trusted publishers
Visual Basic for Applications (VBA) macros
Default settings for ActiveX controls
The default settings for ActiveX controls can cause ActiveX controls to behave in four different ways based on the characteristics of the ActiveX control itself and the characteristics of the document that contains the ActiveX control.
If a kill bit is set in the registry for an ActiveX control, the control is not loaded and cannot be loaded in any circumstances. A kill bit is a feature that prevents controls that have a known exploit from being loaded.
If an ActiveX control is contained in a document that does not contain a VBA project, and the ActiveX control is marked as Safe for Initialization (SFI), the ActiveX control is loaded in safe mode with minimal restrictions (that is, with persisted values). The Message Bar does not appear, and users do not get any notifications about the presence of ActiveX controls in their documents. All ActiveX controls in the document must be marked as SFI to not generate a notification.
If an ActiveX control is contained in a document that does not contain a VBA project, and the document contains ActiveX controls that are Unsafe for Initialization (UFI), users are notified in the Message Bar that ActiveX controls have been disabled. If a user clicks the Message Bar, a dialog box appears asking whether the user wants to enable the ActiveX controls. If the user enables the ActiveX controls, all ActiveX controls (those marked SFI and UFI) are loaded with minimal restrictions (that is, with persisted values).
If an ActiveX control is contained in a document that also contains a VBA project, a notification appears in the Message Bar informing users that ActiveX controls have been disabled. If a user clicks the Message Bar, a dialog box appears asking whether the user wants to enable ActiveX controls. If the user enables ActiveX controls, all ActiveX controls (those marked SFI and UFI) are loaded with minimal restrictions (that is, with persisted values).
If the default settings for ActiveX controls are suitable for your organization, you do not need to plan security settings for ActiveX controls. On the other hand, you must plan security settings for ActiveX controls if you want to do any of the following:
Disable ActiveX controls.
Allow all ActiveX controls to run without notifying users.
Modify the way ActiveX controls are initialized based on SFI, UFI, and safe mode parameters.
To learn more about ActiveX control security settings, and plan security settings for ActiveX controls, see Plan security settings for ActiveX controls, add-ins, and macros in the 2007 Office System.
Default settings for add-ins
By default, any add-in that is installed and registered is allowed to run without user intervention or warning. Installed and registered add-ins can include:
Component Object Model (COM) add-ins.
Smart tags.
Automation add-ins.
RealTimeData (RTD) servers.
Application add-ins (for example, .wll, .xll, and .xlam files).
XML expansion packs.
XML style sheets.
This default behavior is equivalent to selecting the Trust all installed add-ins and templates setting, which exists in earlier versions of the Microsoft Office system.
If the default settings for add-ins are suitable for your organization, you do not need to plan security settings for add-ins. On the other hand, you must plan security settings for add-ins if you want to do any of the following:
Disable add-ins on a per-application basis.
Require that add-ins are signed by a trusted publisher.
Disable notifications for unsigned add-ins.
To learn more about add-in security settings and plan security settings for add-ins, see Plan security settings for ActiveX controls, add-ins, and macros in the 2007 Office System.
Default settings for trusted locations
Settings for trusted locations enable you to designate folders on the hard disk drives of users' computers or on a network share as trusted document sources. When a folder is designated as a trusted document source, any document that is saved in the folder is assumed to be a trusted document. When a trusted document is opened, all content is enabled and active and users are not notified about any potential risks that might be contained in the document, such as unsigned macros, ActiveX controls, or links to content on the Internet.
Note
You can configure trusted locations for only Microsoft Office Access 2007, Microsoft Office Excel 2007, Microsoft Office PowerPoint 2007, Microsoft Office Visio 2007, and Microsoft Office Word 2007.
The following list describes the default settings for trusted locations:
Trusted locations are enabled.
Users cannot designate network shares as trusted locations. However, users can change this setting.
Users can add folders to the Trusted Locations list.
You can have a mix of user-defined and policy-defined trusted locations.
In addition, several folders are designated as trusted locations. The default folders for each application are listed in the following tables. (Office Visio 2007 does not have any trusted locations, by default.)
The following table lists the default trusted locations for Office Access 2007.
| Default trusted locations | Folder description | Trusted subfolders |
|---|---|---|
Program Files\Microsoft Office\Office12\ACCWIZ |
Wizard databases |
Not allowed |
The following table lists the default trusted locations for Office Excel 2007.
| Default trusted locations | Folder description | Trusted subfolders |
|---|---|---|
Program Files\Microsoft Office\Templates |
Application templates |
Allowed |
Users\username\Appdata\Roaming\Microsoft\Templates |
User templates |
Not allowed |
Program Files\Microsoft Office\Office12\XLSTART |
Excel StartUp |
Allowed |
Users\username\Appdata\Roaming \Microsoft\Excel\XLSTART |
User StartUp |
Not allowed |
Program Files\Microsoft Office\Office12\STARTUP |
Office StartUp |
Allowed |
Program Files\Microsoft Office\Office12\Library |
Add-ins |
Allowed |
The following table lists the default trusted locations for Office PowerPoint 2007.
| Default trusted locations | Folder description | Trusted subfolders |
|---|---|---|
Program Files\Microsoft Office\Templates |
Application templates |
Allowed |
Users\username\Appdata\Roaming \Microsoft\Templates |
User templates |
Allowed |
Users\username\Appdata\Roaming \Microsoft\Addins |
Add-ins |
Not allowed |
Program Files\Microsoft Office\Document Themes 12 |
Application themes |
Allowed |
The following table lists the default trusted locations for Office Word 2007.
| Default trusted locations | Folder description | Trusted subfolders |
|---|---|---|
Program Files\Microsoft Office\Templates |
Application templates |
Allowed |
Users\username\Appdata\Roaming \Microsoft\Templates |
User templates |
Not allowed |
Users\username\Appdata\Roaming \Microsoft\Word\Startup |
User StartUp |
Not allowed |
If the default settings for trusted locations are suitable for your organization, you do not need to plan security settings for trusted locations. However, you must plan security settings for trusted locations if you want to do any of the following:
Turn off trusted locations.
Add folders to the Trusted Locations list on users' computers.
Clear the Trusted Locations list on users' computers.
Allow users to designate trusted locations on network shares.
Prevent users from designating trusted locations on network shares.
Prevent users from specifying trusted locations and manage trusted locations only through Group Policy.
Modify any of the default trusted locations.
To learn more about trusted location settings and plan security settings for trusted locations, see Plan trusted locations and trusted publishers settings for the 2007 Office system.
Default settings for trusted publishers
Like previous Office releases, the 2007 Office system enables you to create a list of trusted publishers. A publisher is any developer, software company, or organization that has created and distributed an ActiveX control, add-in, or macro. A trusted publisher is any reputable publisher that has been added to the Trusted Publishers list. By default, there are no publishers on the Trusted Publishers list. However, there are several default settings that affect the way ActiveX controls and macros behave when they are signed by a trusted publisher.
By default, ActiveX controls and macros that are signed by a publisher that is on the Trusted Publishers list are enabled and will run without any warning if the following conditions are true:
The ActiveX control or macro is signed with a digital signature.
The digital signature is valid.
This digital signature is current (not expired).
The certificate associated with the digital signature was issued by a reputable certification authority (CA).
If you do not intend to specify any trusted publishers or use the trusted publishers functionality, you do not need to plan trusted publishers settings. However, you need to plan trusted publishers settings if you want to add publishers to the list of trusted publishers. You also need to plan trusted publishers settings if you require that all add-ins be signed by a trusted publisher. This is because the 2007 Office system contains several add-ins that will not run unless you add the appropriate Microsoft certificates to the trusted publishers list. To learn more about trusted publishers settings and plan trusted publishers settings, see Plan trusted locations and trusted publishers settings for the 2007 Office system.
Default settings for macros
By default, trusted macros are allowed to run. This includes macros in documents that are saved in a trusted location, and macros that meet the following criteria:
The macro is signed by the developer with a digital signature.
The digital signature is valid.
This digital signature is current (not expired).
The certificate associated with the digital signature was issued by a reputable certification authority (CA).
The developer who signed the macro is a trusted publisher.
Macros that are not trusted are not allowed to run until a user clicks the Message Bar and chooses to enable the macro. In previous versions of the Office system, unsigned macros were disabled and users did not have an option to enable them. In the 2007 Office system, on the other hand, users are notified when a document contains an unsigned macro, and they can enable the macro if they want to.
If the default settings for macros are suitable for your organization, you do not need to plan security settings for macros. However, you must plan security settings for macros if you want to do any of the following:
Make VBA unavailable.
Make macros unavailable.
Allow programmatic access to the VBA project.
Modify the way users are notified about macros.
Prevent encrypted macros from being scanned for viruses in Office Open XML Formats files. By default, encrypted macros are scanned in Office Open XML Formats files.
Change the way macros run when an application is started by Automation.
To learn more about macro security settings and plan security settings for macros, see Plan security settings for ActiveX controls, add-ins, and macros in the 2007 Office System.
Evaluate default security settings for document threats
You can mitigate document threats by having users use the password protection feature to encrypt documents in Office Excel 2007, Microsoft Office OneNote 2007, Office PowerPoint 2007, and Office Word 2007. Documents are not encrypted by default in the 2007 Office system, and there are no administrative settings that enable you to force users to encrypt documents. However, there are several default settings that affect the way documents are encrypted, and you can modify those settings if the default settings do not meet your organization's needs.
Note
Information Rights Management (IRM) can also be used to help mitigate document threats.
By default, Office Excel 2007, Office PowerPoint 2007, and Office Word 2007 use the following settings when a user encrypts a document:
For documents that are saved in the Office Open XML Formats, the cryptographic service provider (CSP) is:
Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype) on the Microsoft Windows XP Professional operating system.
Microsoft Enhanced RSA and AES Cryptographic Provider on the Windows Vista operating system.
In both cases, the cryptographic algorithm is AES-128, and the cryptographic key length is 128-bit.
For documents that are saved in the Office 97-2003 format, the Office 97/2000–compatible encryption method is used, which is a proprietary encryption method.
Additionally, Office OneNote 2007 uses the following default encryption settings:
Notes are encrypted by using a Triple Data Encryption Standard (DES) algorithm with a 192-bit key length. You cannot change the cryptographic algorithm or the key length that Office OneNote 2007 uses to encrypt notes.
Encrypted text that is idle for 10 minutes automatically locks and cannot be viewed until a user enters a password and unlocks the text. Text is considered to be idle if a user does not navigate to the text or edit the text.
Add-ins are allowed to access sections of text that have been unlocked by a user.
Users can create new encrypted sections of text, and they can encrypt existing sections of text.
If the default encryption settings are suitable for your organization, you do not need to plan security settings for document threats. However, you must plan security settings for document threats if you want to do any of the following:
Change the default CSP, cryptographic algorithm, or key length that is used by Office Excel 2007, Office PowerPoint 2007, and Office Word 2007.
Change the way Office OneNote 2007 behaves when sections of text are encrypted.
To learn more about document threat settings and plan security settings for document threats, see Plan document protection settings in the 2007 Office system.
Evaluate default security settings for external threats
By default, the 2007 Office system mitigates external content threats as follows:
Users are prevented from accessing external content from a document.
A notification appears on the Message Bar informing users that links to external content are blocked.
Users can unblock links to external content by clicking the Message Bar notification and enabling external content.
If users unblock a hyperlink to an Office document, the document will open within an Office application.
Note
Links to external content are unblocked (that is, enabled) in documents that are stored in trusted locations. Therefore, you need to evaluate the default settings for trusted locations to determine whether the settings are adequate for protecting external threats. See "Default settings for trusted locations" earlier in this article.
If the default external threat settings are suitable for your organization, you do not need to plan security settings for external threats. However, you must plan security settings for external threats if you want to do any of the following:
Disable hyperlink warnings.
Allow images to be downloaded automatically in Office PowerPoint 2007.
To learn more about external threat settings and plan security settings for external threats, see Plan external content settings in the 2007 Office system.
Evaluate default security settings for Internet Explorer threats
The 2007 Office system contains several settings that can help you mitigate Internet Explorer threats. These settings, known as Internet Explorer feature control settings, enable you to restrict Internet Explorer behavior on an application-by-application basis.
You can configure 15 Internet Explorer feature control settings in the 2007 Office system. For detailed descriptions of each Internet Explorer feature control setting, see Security policies and settings in the 2007 Office system.
Enabling an Internet Explorer feature control setting for an application is often referred to as opting in an application because the application adopts the more restrictive Internet Explorer behavior that is specified by the setting. Likewise, disabling an Internet Explorer feature control setting for an application is often referred to as opting out an application because the application does not adopt the more restrictive Internet Explorer behavior that is specified by the setting.
By default, Microsoft Office Groove 2007 (Groove.exe), Office Outlook 2007 (Outlook.exe), and Microsoft Office SharePoint Designer 2007 (Spdesign.exe) are opted in to all 15 Internet Explorer feature control settings. Microsoft Office InfoPath 2007 (Infopath.exe) is also opted in to these Internet Explorer feature control settings, as well as three Office InfoPath 2007 components: Document Information Panel, Workflow forms, and third-party hosting.
If these default settings are adequate for your organization, you do not need to plan Internet Explorer feature control settings. However, you must plan Internet Explorer feature control settings if you want to do any of the following:
Deploy clean installations of the 2007 Office system to computers that are running an older version of the Office system.
Modify the Internet Explorer feature control settings for any of the applications that are opted in by default.
Opt in other applications in the 2007 Office system.
Modify which Office InfoPath 2007 components are opted in.
To learn more about Internet Explorer feature control settings and plan Internet Explorer feature control settings, see Plan Internet Explorer feature control settings in the 2007 Office system.
Evaluate default privacy options
The 2007 Office system contains several settings that can help you mitigate privacy threats and control the disclosure of private and personal information. The default settings are as follows:
Document Inspector is enabled. Document Inspector is a new tool that helps users mitigate privacy threats by removing metadata, revisions, comments, custom XML tags, and other potentially private and personal content from a document. Document Inspector is extensible and can be programmatically modified to suit the privacy needs of your organization.
Metadata is protected in an encrypted document. When a user encrypts a document with the password protection feature, the metadata in the document is encrypted. This setting applies only to Office Open XML Formats files.
Metadata is not protected in a rights-managed document. When a user applies restricted permissions to a document by using Information Rights Management (IRM), the permissions do not apply to the metadata and the metadata is not encrypted. This setting applies only to Office Open XML Formats files.
The option to participate in the Customer Experience Improvement Program is not selected. The Customer Experience Improvement Program allows Microsoft to automatically and anonymously collect information from a user's computer, including the error messages that are generated by the software, the kind of equipment that is installed in the computer, whether the computer is having any difficulty running Microsoft software, and whether the hardware and software responds well and performs rapidly.
The option to download a file periodically that helps determine system problems is not selected. This setting allows computers to receive updates that can help improve application reliability by detecting when a computer becomes unstable or crashes and by automatically running the Microsoft Office Diagnostics tool to help diagnose and repair the problem. This setting also allows Microsoft to ask users to send error reports for certain types of error messages that might appear.
The online content options setting is selected. This setting allows the Help system to automatically search Microsoft Office Online when users access online Help. It also allows users to see links to content that is on the Web and it allows the downloading of updated content. Note: This setting is not selected by default in the French, German, and Italian versions of the 2007 Office system.
If the default privacy options are suitable for your organization, you do not need to plan privacy options. However, you must plan privacy options if you want to do any of the following:
Make unavailable any Inspector modules that are used by Document Inspector.
Protect metadata in documents that are rights-managed.
Enforce participation in the Customer Experience Improvement Program.
Enforce the periodic downloading of updates that improve reliability.
Configure privacy options for Office PowerPoint 2007 or Office Word 2007.
Prevent users from searching Microsoft Office Online and receiving Help updates when they access the online Help.
Suppress the Privacy Options dialog box that appears the first time users run an application in the 2007 Office system.
Suppress the first-run Sign up for Microsoft Update dialog box that appears the first time users start an application in the 2007 Office system.
To learn more about privacy options and plan privacy options, see Plan privacy options in the 2007 Office system.
Evaluate default security settings for security vulnerabilities
The 2007 Office system provides several settings that can help you mitigate threats from security vulnerabilities. These settings, known as block file format settings, enable you to prevent users from opening or saving certain file types and file formats. The default settings are as follows:
Users can open beta versions of the Office Open XML Formats.
Users cannot open files that have been saved in a format that is older than the Word 6.0 format. Files that have been saved using a beta version of Word 6.0 are considered to be older than the Word 6.0 format and cannot be opened by default.
You must design security settings for blocking file formats if you want to do any of the following:
Mitigate zero-day attacks and exploits until you implement a software update. Zero-day attacks are so named because they exploit security vulnerabilities between the time that a security vulnerability becomes publicly known and the time you mitigate the potential threat by implementing a software update. Software updates for security vulnerabilities are typically distributed in Microsoft security bulletins or service packs.
Prevent users from opening beta versions of the Office Open XML Formats.
Allow users to open files that have been saved in file formats that are older than Word 6.0.
Prevent users from opening or saving specific file types, such as .htm, .rtf, and .doc files.
Prevent users from opening files that are compatible with previous versions of Office Excel 2007, Office PowerPoint 2007, and Office Word 2007.
Prevent users from opening documents through external converters, such as a WordPerfect converter that is installed with the 2007 Office system.
To learn more about block file format settings and plan security settings for blocking file formats, see Plan block file format settings in the 2007 Office system.
Download this book
This topic is included in the following downloadable book for easier reading and printing:
See the full list of available books at Downloadable content for the 2007 Office Resource Kit.